WIP: kommode: use disko to configure disks

Reviewed-on: #121

.gitea/workflows/build-topology-graph.yml

@@ -0,0 +1,32 @@
+name: "Build topology graph"
+on:
+  push:
+    branches:
+      - main
+jobs:
+  evals:
+    runs-on: debian-latest
+    steps:
+    - uses: actions/checkout@v6
+
+    - name: Install sudo
+      run: apt-get update && apt-get -y install sudo
+
+    - uses: https://github.com/cachix/install-nix-action@v31
+
+    - name: Configure Nix
+      run: echo -e "show-trace = true\nmax-jobs = auto\ntrusted-users = root\nexperimental-features = nix-command flakes\nbuild-users-group =" > /etc/nix/nix.conf
+
+    - name: Build topology graph
+      run: nix build .#topology -L
+
+    - name: Upload topology graph
+      uses: https://git.pvv.ntnu.no/Projects/rsync-action@v2
+      with:
+        source: result/*.svg
+        quote-source: false
+        target: ${{ gitea.ref_name }}/topology_graph/
+        username: gitea-web
+        ssh-key: ${{ secrets.WEB_SYNC_SSH_KEY }}
+        host: pages.pvv.ntnu.no
+        known-hosts: "pages.pvv.ntnu.no ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH2QjfFB+city1SYqltkVqWACfo1j37k+oQQfj13mtgg"

.mailmap

@@ -23,3 +23,9 @@ Adrian Gunnar Lauterer <adriangl@pvv.ntnu.no> Adrian Gunnar Lauterer <adrian@lau
 
 Fredrik Robertsen <frero@pvv.ntnu.no> frero <frero@pvv.ntnu.no>
 Fredrik Robertsen <frero@pvv.ntnu.no> fredrikr79 <fredrikrobertsen7@gmail.com>
+Fredrik Robertsen <frero@pvv.ntnu.no> fredrik <fredrikr79@pm.me>
+
+Vegard Bieker Matthey <vegardbm@pvv.ntnu.no> Vegard Matthey <VegardMatthey@protonmail.com>
+Vegard Bieker Matthey <vegardbm@pvv.ntnu.no> Vegard Bieker Matthey <VegardMatthey@protonmail.com>
+
+Albert Bayazidi <albertba@pvv.ntnu.no> Albert <albert.bayazidi@gmail.com>

.sops.yaml

@@ -7,6 +7,7 @@ keys:
   - &user_pederbs_bjarte age1zhxul786an743u0fascv4wtc5xduu7qfy803lfs539yzhgmlq5ds2lznt5
   - &user_pederbs_nord age1wrssr4z4g6vl3fd3qme5cewchmmhm0j2xe6wf2meu4r6ycn37anse98mfs
   - &user_pederbs_sopp age1hmpdk4h69wxpwqk9tkud39f66hprhehxtzhgw97r6dvr7v0mx5jscsuhkn
+  - &user_vegardbm age1sqs7urnzsdy64efmd0zukzv3gs5pnjksuxd7nqmdwdy5l0nqnunq6hyune
 
   # Hosts
   - &host_bakke age1syted6kt48sumjjucggh6r3uca4x2ppp4mfungf3lamkt2le05csc99633
@@ -19,6 +20,7 @@ keys:
   - &host_lupine-3 age1j2u876z8hu87q5npfxzzpfgllyw8ypj66d7cgelmzmnrf3xud34qzkntp9
   - &host_lupine-4 age1t8zlawqkmhye737pn8yx0z3p9cl947d9ktv2cajdc6hnvn52d3fsc59s2k
   - &host_lupine-5 age199zkqq4jp4yc3d0hx2q0ksxdtp42xhmjsqwyngh8tswuck34ke3smrfyqu
+  - &host_skrott age1hlvwswsljxsvrtp4leuw8a8rf8l2q6y06xvxtafvzpq54xm9aegs0kqw2e
   - &host_ustetind age1hffjafs4slznksefmtqrlj7rdaqgzqncn4un938rhr053237ry8s3rs0v8
 
 creation_rules:
@@ -32,6 +34,7 @@ creation_rules:
       - *user_pederbs_sopp
       - *user_pederbs_nord
       - *user_pederbs_bjarte
+      - *user_vegardbm
       pgp:
       - *user_oysteikt
 
@@ -46,6 +49,7 @@ creation_rules:
       - *user_pederbs_sopp
       - *user_pederbs_nord
       - *user_pederbs_bjarte
+      - *user_vegardbm
       pgp:
       - *user_oysteikt
 
@@ -58,6 +62,7 @@ creation_rules:
       - *user_pederbs_sopp
       - *user_pederbs_nord
       - *user_pederbs_bjarte
+      - *user_vegardbm
       pgp:
       - *user_oysteikt
 
@@ -70,6 +75,7 @@ creation_rules:
       - *user_pederbs_sopp
       - *user_pederbs_nord
       - *user_pederbs_bjarte
+      - *user_vegardbm
       pgp:
       - *user_oysteikt
 
@@ -82,6 +88,7 @@ creation_rules:
       - *user_pederbs_sopp
       - *user_pederbs_nord
       - *user_pederbs_bjarte
+      - *user_vegardbm
       pgp:
       - *user_oysteikt
 
@@ -94,6 +101,7 @@ creation_rules:
       - *user_pederbs_sopp
       - *user_pederbs_nord
       - *user_pederbs_bjarte
+      - *user_vegardbm
       pgp:
       - *user_oysteikt
 
@@ -110,6 +118,7 @@ creation_rules:
       - *user_pederbs_sopp
       - *user_pederbs_nord
       - *user_pederbs_bjarte
+      - *user_vegardbm
       pgp:
       - *user_oysteikt
 
@@ -122,5 +131,18 @@ creation_rules:
       - *user_pederbs_sopp
       - *user_pederbs_nord
       - *user_pederbs_bjarte
+      - *user_vegardbm
+      pgp:
+      - *user_oysteikt
+
+  - path_regex: secrets/skrott/[^/]+\.yaml$
+    key_groups:
+    - age:
+      - *host_skrott
+      - *user_danio
+      - *user_felixalb
+      - *user_pederbs_sopp
+      - *user_pederbs_nord
+      - *user_pederbs_bjarte
       pgp:
       - *user_oysteikt

README.md

@@ -4,7 +4,33 @@ This repository contains the NixOS configurations for Programvareverkstedet's se
 In addition to machine configurations, it also contains a bunch of shared modules, packages, and
 more.
 
-## Machines
+> [!WARNING]
+> Please read [Development - working on the PVV machines](./docs/development.md) before making
+> any changes, and [Secret management and `sops-nix`](./docs/secret-management.md) before adding
+> any credentials such as passwords, API tokens, etc. to the configuration.
+
+## Deploying to machines
+
+> [!WARNING]
+> Be careful to think about state when testing changes against the machines. Sometimes, a certain change
+> can lead to irreversible changes to the data stored on the machine. An example would be a set of database
+> migrations applied when testing a newer version of a service. Unless that service also comes with downwards
+> migrations, you can not go back to the previous version without losing data.
+
+To deploy the changes to a machine, you should first SSH into the machine, and clone the pvv-nixos-config
+repository unless you have already done so. After that, checkout the branch you want to deploy from, and rebuild:
+
+```bash
+# Run this while in the pvv-nixos-config directory
+sudo nixos-rebuild switch --update-input nixpkgs --update-input nixpkgs-unstable --no-write-lock-file --refresh --flake .# --upgrade
+```
+
+This will rebuild the NixOS system on the current branch and switch the system configuration to reflect the new changes.
+
+Note that unless you eventually merge the current changes into `main`, the machine will rebuild itself automatically and
+revert the changes on the next nightly rebuild (tends to happen when everybody is asleep).
+
+## Machine overview
 
 | Name                       | Type     | Description                                               |
 |----------------------------|----------|-----------------------------------------------------------|
@@ -17,6 +43,7 @@ more.
 | [kommode][kom]             | Virtual  | Gitea + Gitea pages                                       |
 | [lupine][lup]              | Physical | Gitea CI/CD runners                                       |
 |  shark                     | Virtual  | Test host for authentication, absolutely horrendous       |
+| [skrott][skr]              | Physical | Kiosk, snacks and soda                                    |
 | [wenche][wen]              | Virtual  | Nix-builders, general purpose compute                     |
 
 ## Documentation
@@ -33,4 +60,5 @@ more.
 [ild]: https://wiki.pvv.ntnu.no/wiki/Maskiner/ildkule
 [kom]: https://wiki.pvv.ntnu.no/wiki/Maskiner/kommode
 [lup]: https://wiki.pvv.ntnu.no/wiki/Maskiner/lupine
+[skr]: https://wiki.pvv.ntnu.no/wiki/Maskiner/Skrott
 [wen]: https://wiki.pvv.ntnu.no/wiki/Maskiner/wenche

base/default.nix

@@ -10,26 +10,31 @@
     (fp /users)
     (fp /modules/snakeoil-certs.nix)
 
+    ./flake-input-exporter.nix
     ./networking.nix
     ./nix.nix
+    ./programs.nix
+    ./sops.nix
     ./vm.nix
-    ./flake-input-exporter.nix
 
     ./services/acme.nix
-    ./services/uptimed.nix
     ./services/auto-upgrade.nix
     ./services/dbus.nix
     ./services/fwupd.nix
     ./services/irqbalance.nix
+    ./services/journald-upload.nix
     ./services/logrotate.nix
     ./services/nginx.nix
     ./services/openssh.nix
+    ./services/polkit.nix
     ./services/postfix.nix
     ./services/prometheus-node-exporter.nix
     ./services/prometheus-systemd-exporter.nix
     ./services/promtail.nix
+    ./services/roowho2.nix
     ./services/smartd.nix
     ./services/thermald.nix
+    ./services/uptimed.nix
     ./services/userborn.nix
     ./services/userdbd.nix
   ];
@@ -37,6 +42,9 @@
   boot.tmp.cleanOnBoot = lib.mkDefault true;
   boot.kernelPackages = lib.mkDefault pkgs.linuxPackages_latest;
 
+  boot.loader.systemd-boot.enable = lib.mkDefault true;
+  boot.loader.efi.canTouchEfiVariables = lib.mkDefault true;
+
   time.timeZone = "Europe/Oslo";
 
   i18n.defaultLocale = "en_US.UTF-8";
@@ -45,21 +53,8 @@
     keyMap = "no";
   };
 
-  environment.systemPackages = with pkgs; [
-    file
-    git
-    gnupg
-    htop
-    nano
-    ripgrep
-    rsync
-    screen
-    tmux
-    vim
-    wget
-
-    kitty.terminfo
-  ];
+  # Don't install the /lib/ld-linux.so.2 stub
+  environment.ldso32 = null;
 
   # .bash_profile already works, but lets also use .bashrc like literally every other distro
   # https://man.archlinux.org/man/core/bash/bash.1.en#INVOCATION
@@ -73,8 +68,6 @@
     fi
   '';
 
-  programs.zsh.enable = true;
-
   # security.lockKernelModules = true;
   security.protectKernelImage = true;
   security.sudo.execWheelOnly = true;
@@ -82,6 +75,14 @@
     Defaults lecture = never
   '';
 
+  # These are servers, sleep is for the weak
+  systemd.sleep.extraConfig = lib.mkDefault ''
+    AllowSuspend=no
+    AllowHibernation=no
+  '';
+
+  # users.mutableUsers = lib.mkDefault false;
+
   users.groups."drift".name = "drift";
 
   # Trusted users on the nix builder machines

base/nix.nix

@@ -37,4 +37,9 @@
       "unstable=${inputs.nixpkgs-unstable}"
     ];
   };
+
+  # Make builds to be more likely killed than important services.
+  # 100 is the default for user slices and 500 is systemd-coredumpd@
+  # We rather want a build to be killed than our precious user sessions as builds can be easily restarted.
+  systemd.services.nix-daemon.serviceConfig.OOMScoreAdjust = lib.mkDefault 250;
 }

base/programs.nix

@@ -0,0 +1,65 @@
+{ pkgs, lib, ... }:
+{
+  # We don't need fonts on headless machines
+  fonts.fontconfig.enable = lib.mkDefault false;
+
+  # Extra packags for better terminal emulator compatibility in SSH sessions
+  environment.enableAllTerminfo = true;
+
+  environment.systemPackages = with pkgs; [
+    # Debug dns outside resolvectl
+    dig
+
+    # Debug and find files
+    file
+
+    # Process json data
+    jq
+
+    # Check computer specs
+    lshw
+
+    # Scan for open ports with netstat
+    net-tools
+
+    # Grep for files quickly
+    ripgrep
+
+    # Copy files over the network
+    rsync
+
+    # Access various state, often in /var/lib
+    sqlite-interactive
+
+    # Debug software which won't debug itself
+    strace
+
+    # Download files from the internet
+    wget
+  ];
+
+  # Clone/push nix config and friends
+  programs.git.enable = true;
+
+  # Gitea gpg, oysteikt sops, etc.
+  programs.gnupg.agent.enable = true;
+
+  # Monitor the wellbeing of the machines
+  programs.htop.enable = true;
+
+  # Keep sessions running during work over SSH
+  programs.tmux.enable = true;
+
+  # Same reasoning as tmux
+  programs.screen.enable = true;
+
+  # Edit files on the system without resorting to joe(1)
+  programs.nano.enable = true;
+  # Same reasoning as nano
+  programs.vim.enable = true;
+  # Same reasoning as vim
+  programs.neovim.enable = true;
+
+  # Some people like this shell for some reason
+  programs.zsh.enable = true;
+}

base/services/acme.nix

@@ -8,8 +8,6 @@
   # Let's not spam LetsEncrypt in `nixos-rebuild build-vm` mode:
   virtualisation.vmVariant = {
     security.acme.defaults.server = "https://127.0.0.1";
-    security.acme.preliminarySelfsigned = true;
-
     users.users.root.initialPassword = "root";
   };
-}
+}

base/services/auto-upgrade.nix

@@ -9,6 +9,8 @@ in
     enable = true;
     flake = "git+https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git";
     flags = [
+      "-L"
+
       "--refresh"
       "--no-write-lock-file"
       # --update-input is deprecated since nix 2.22, and removed in lix 2.90
@@ -26,7 +28,7 @@ in
 
   # workaround for https://github.com/NixOS/nix/issues/6895
   # via https://git.lix.systems/lix-project/lix/issues/400
-  environment.etc = lib.mkIf (!config.virtualisation.isVmVariant) {
+  environment.etc = lib.mkIf (!config.virtualisation.isVmVariant && config.system.autoUpgrade.enable) {
     "current-system-flake-inputs.json".source
       = pkgs.writers.writeJSON "flake-inputs.json" (
         lib.flip lib.mapAttrs inputs (name: input:

base/services/journald-upload.nix

@@ -0,0 +1,24 @@
+{ config, lib, values, ... }:
+let
+  cfg = config.services.journald.upload;
+in
+{
+  services.journald.upload = {
+    enable = lib.mkDefault true;
+    settings.Upload = {
+      # URL = "https://journald.pvv.ntnu.no:${toString config.services.journald.remote.port}";
+      URL = "https://${values.hosts.ildkule.ipv4}:${toString config.services.journald.remote.port}";
+      ServerKeyFile = "-";
+      ServerCertificateFile = "-";
+      TrustedCertificateFile = "-";
+    };
+  };
+
+  systemd.services."systemd-journal-upload".serviceConfig = lib.mkIf cfg.enable {
+    IPAddressDeny = "any";
+    IPAddressAllow = [
+      values.hosts.ildkule.ipv4
+      values.hosts.ildkule.ipv6
+    ];
+  };
+}

base/services/nginx.nix

@@ -39,29 +39,38 @@
     SystemCallFilter = lib.mkForce null;
   };
 
-  services.nginx.virtualHosts."_" = lib.mkIf config.services.nginx.enable {
-    listen = [
-      {
-        addr = "0.0.0.0";
-        extraParameters = [
-          "default_server"
-          # Seemingly the default value of net.core.somaxconn
-          "backlog=4096"
-          "deferred"
-        ];
-      }
-      {
-        addr = "[::0]";
-        extraParameters = [
-          "default_server"
-          "backlog=4096"
-          "deferred"
-        ];
-      }
-    ];
-    sslCertificate = "/etc/certs/nginx.crt";
-    sslCertificateKey = "/etc/certs/nginx.key";
-    addSSL = true;
-    extraConfig = "return 444;";
+  services.nginx.virtualHosts = lib.mkIf config.services.nginx.enable {
+    "_" = {
+      listen = [
+        {
+          addr = "0.0.0.0";
+          extraParameters = [
+            "default_server"
+            # Seemingly the default value of net.core.somaxconn
+            "backlog=4096"
+            "deferred"
+          ];
+        }
+        {
+          addr = "[::0]";
+          extraParameters = [
+            "default_server"
+            "backlog=4096"
+            "deferred"
+          ];
+        }
+      ];
+      sslCertificate = "/etc/certs/nginx.crt";
+      sslCertificateKey = "/etc/certs/nginx.key";
+      addSSL = true;
+      extraConfig = "return 444;";
+    };
+
+    ${config.networking.fqdn} = {
+      sslCertificate = lib.mkDefault "/etc/certs/nginx.crt";
+      sslCertificateKey = lib.mkDefault "/etc/certs/nginx.key";
+      addSSL = lib.mkDefault true;
+      extraConfig = lib.mkDefault "return 444;";
+    };
   };
 }

base/services/polkit.nix

@@ -0,0 +1,15 @@
+{ config, lib, ... }:
+let
+  cfg = config.security.polkit;
+in
+{
+  security.polkit.enable = true;
+
+  environment.etc."polkit-1/rules.d/9-nixos-overrides.rules".text = lib.mkIf cfg.enable ''
+    polkit.addAdminRule(function(action, subject) {
+        if(subject.isInGroup("wheel")) {
+            return ["unix-user:"+subject.user];
+        }
+    });
+  '';
+}

base/services/roowho2.nix

@@ -0,0 +1,12 @@
+{ lib, values, ... }:
+{
+  services.roowho2.enable = lib.mkDefault true;
+
+  systemd.sockets.roowho2-rwhod.socketConfig = {
+    IPAddressDeny = "any";
+    IPAddressAllow = [
+      "127.0.0.1"
+      values.ipv4-space
+    ];
+  };
+}

base/services/smartd.nix

@@ -1,7 +1,9 @@
 { config, pkgs, lib, ... }:
 {
   services.smartd = {
-    enable = lib.mkDefault true;
+    # NOTE: qemu guests tend not to have SMART-reporting disks. Please override for the
+    #       hosts with disk passthrough.
+    enable = lib.mkDefault (!config.services.qemuGuest.enable);
     notifications = {
       mail = {
         enable = true;

base/sops.nix

@@ -0,0 +1,12 @@
+{ config, fp, lib, ... }:
+{
+  sops.defaultSopsFile = let
+    secretsFilePath = fp /secrets/${config.networking.hostName}/${config.networking.hostName}.yaml;
+  in lib.mkIf (builtins.pathExists secretsFilePath) secretsFilePath;
+
+  sops.age = lib.mkIf (config.sops.defaultSopsFile != null) {
+    sshKeyPaths = lib.mkDefault [ "/etc/ssh/ssh_host_ed25519_key" ];
+    keyFile = "/var/lib/sops-nix/key.txt";
+    generateKey = true;
+  };
+}

base/vm.nix

@@ -11,5 +11,6 @@
   };
   config.virtualisation.vmVariant = {
     virtualisation.isVmVariant = true;
+    virtualisation.graphics = false;
   };
 }

docs/development.md

@@ -7,7 +7,7 @@ the links from the *Upstream documentation* section below, or in [Miscellaneous
 
 ## Editing nix files
 
-> [!WARN]
+> [!WARNING]
 > Before editing any nix files, make sure to read [Secret management and `sops-nix`](./secret-management.md)!
 > We do not want to add any secrets in plaintext to the nix files, and certainly not commit and publish
 > them into the common public.
@@ -156,27 +156,6 @@ nix build .#
 > built some of the machines recently. Be prepared to wait for up to an hour to build all machines from scratch
 > if this is the first time.
 
-### Deploying to machines
-
-> [!WARN]
-> Be careful to think about state when testing changes against the machines. Sometimes, a certain change
-> can lead to irreversible changes to the data stored on the machine. An example would be a set of database
-> migrations applied when testing a newer version of a service. Unless that service also comes with downwards
-> migrations, you can not go back to the previous version without losing data.
-
-To deploy the changes to a machine, you should first SSH into the machine, and clone the pvv-nixos-config
-repository unless you have already done so. After that, checkout the branch you want to deploy from, and rebuild:
-
-```bash
-# Run this while in the pvv-nixos-config directory
-sudo nixos-rebuild switch --update-input nixpkgs --update-input nixpkgs-unstable --no-write-lock-file --refresh --flake .# --upgrade
-```
-
-This will rebuild the NixOS system on the current branch and switch the system configuration to reflect the new changes.
-
-Note that unless you eventually merge the current changes into `main`, the machine will rebuild itself automatically and
-revert the changes on the next nightly rebuild (tends to happen when everybody is asleep).
-
 ### Forcefully reset to `main`
 
 If you ever want to reset a machine to the `main` branch, you can do so by running:

flake.lock

@@ -1,5 +1,26 @@
 {
   "nodes": {
+    "dibbler": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1769400154,
+        "narHash": "sha256-K0OeXzFCUZTkCBxUDr3U3ah0odS/urtNVG09WDl+HAA=",
+        "ref": "main",
+        "rev": "8e84669d9bf963d5e46bac37fe9b0aa8e8be2d01",
+        "revCount": 230,
+        "type": "git",
+        "url": "https://git.pvv.ntnu.no/Projects/dibbler.git"
+      },
+      "original": {
+        "ref": "main",
+        "type": "git",
+        "url": "https://git.pvv.ntnu.no/Projects/dibbler.git"
+      }
+    },
     "disko": {
       "inputs": {
         "nixpkgs": [
@@ -21,6 +42,24 @@
         "type": "github"
       }
     },
+    "flake-parts": {
+      "inputs": {
+        "nixpkgs-lib": "nixpkgs-lib"
+      },
+      "locked": {
+        "lastModified": 1765835352,
+        "narHash": "sha256-XswHlK/Qtjasvhd1nOa1e8MgZ8GS//jBoTqWtrS1Giw=",
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "rev": "a34fae9c08a15ad73f295041fec82323541400a9",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "type": "github"
+      }
+    },
     "gergle": {
       "inputs": {
         "nixpkgs": [
@@ -28,11 +67,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1764868579,
-        "narHash": "sha256-rfTUOIc0wnC4+19gLVfPbHfXx/ilfuUix6bWY+yaM2U=",
+        "lastModified": 1767906545,
+        "narHash": "sha256-LOf08pcjEQFLs3dLPuep5d1bAXWOFcdfxuk3YMb5KWw=",
         "ref": "main",
-        "rev": "9c923d1d50daa6a3b28c3214ad2300bfaf6c8fcd",
-        "revCount": 22,
+        "rev": "e55cbe0ce0b20fc5952ed491fa8a553c8afb1bdd",
+        "revCount": 23,
         "type": "git",
         "url": "https://git.pvv.ntnu.no/Grzegorz/gergle.git"
       },
@@ -50,11 +89,11 @@
         "rust-overlay": "rust-overlay"
       },
       "locked": {
-        "lastModified": 1765760377,
-        "narHash": "sha256-2+lgzUjVas9hPSeWn52MwuX+iidMN4RkzkHo4vrGmR8=",
+        "lastModified": 1767906494,
+        "narHash": "sha256-Dd6gtdZfRMAD6JhdX0GdJwIHVaBikePSpQXhIdwLlWI=",
         "ref": "main",
-        "rev": "f340dc5b9c9f3b75b7aca41f56f8869b9e28cf8c",
-        "revCount": 58,
+        "rev": "7258822e2e90fea2ea00b13b5542f63699e33a9e",
+        "revCount": 61,
         "type": "git",
         "url": "https://git.pvv.ntnu.no/Grzegorz/greg-ng.git"
       },
@@ -114,11 +153,11 @@
         "rust-overlay": "rust-overlay_2"
       },
       "locked": {
-        "lastModified": 1766407405,
-        "narHash": "sha256-UEJ8F8/oG70biWRrGbL5/aB7OXzzvnYs+jxkR07UHvA=",
+        "lastModified": 1767906976,
+        "narHash": "sha256-igCg8I83eO+noF00raXVJqDxzLS2SrZN8fK5bnvO+xI=",
         "ref": "main",
-        "rev": "e719840f72ca1b0cd169562a3a0de69899821de0",
-        "revCount": 16,
+        "rev": "626bc9b6bae6a997b347cdbe84080240884f2955",
+        "revCount": 17,
         "type": "git",
         "url": "https://git.pvv.ntnu.no/Projects/minecraft-heatmap.git"
       },
@@ -135,11 +174,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1765904683,
-        "narHash": "sha256-uXM56y5n5GWpCiCNdKlTcCAy2IntgDB21c4gBDU30io=",
+        "lastModified": 1768749374,
+        "narHash": "sha256-dhXYLc64d7TKCnRPW4TlHGl6nLRNdabJB2DpJ8ffUw0=",
         "ref": "main",
-        "rev": "6fae27b1659efb6774cf08a4e36ed29ab0e24105",
-        "revCount": 26,
+        "rev": "040294f2e1df46e33d995add6944b25859654097",
+        "revCount": 37,
         "type": "git",
         "url": "https://git.pvv.ntnu.no/Projects/minecraft-kartverket.git"
       },
@@ -156,11 +195,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1743881366,
-        "narHash": "sha256-ScGA2IHPk9ugf9bqEZnp+YB/OJgrkZblnG/XLEKvJAo=",
+        "lastModified": 1767906352,
+        "narHash": "sha256-wYsH9MMAPFG3XTL+3DwI39XMG0F2fTmn/5lt265a3Es=",
         "ref": "main",
-        "rev": "db2e4becf1b11e5dfd33de12a90a7d089fcf68ec",
-        "revCount": 11,
+        "rev": "d054c5d064b8ed6d53a0adb0cf6c0a72febe212e",
+        "revCount": 13,
         "type": "git",
         "url": "https://git.pvv.ntnu.no/Drift/nix-gitea-themes.git"
       },
@@ -170,26 +209,63 @@
         "url": "https://git.pvv.ntnu.no/Drift/nix-gitea-themes.git"
       }
     },
+    "nix-topology": {
+      "inputs": {
+        "flake-parts": "flake-parts",
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1768955766,
+        "narHash": "sha256-V9ns1OII7sWSbIDwPkiqmJ3Xu/bHgQzj+asgH9cTpOo=",
+        "owner": "oddlama",
+        "repo": "nix-topology",
+        "rev": "71f27de56a03f6d8a1a72cf4d0dfd780bcc075bc",
+        "type": "github"
+      },
+      "original": {
+        "owner": "oddlama",
+        "ref": "main",
+        "repo": "nix-topology",
+        "type": "github"
+      }
+    },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1764806471,
-        "narHash": "sha256-Qk0SArnS83KqyS9wNt1YoTkkYKDraNrjRWKUtB9DKoM=",
-        "rev": "6707b1809330d0f912f5813963bb29f6f194ee81",
+        "lastModified": 1768877948,
+        "narHash": "sha256-Bq9Hd6DWCBaZ2GkwvJCWGnpGOchaD6RWPSCFxmSmupw=",
+        "rev": "43b2e61c9d09cf6c1c9c192fe6da08accc9bfb1d",
         "type": "tarball",
-        "url": "https://releases.nixos.org/nixos/25.11-small/nixos-25.11.896.6707b1809330/nixexprs.tar.xz"
+        "url": "https://releases.nixos.org/nixos/25.11-small/nixos-25.11.4368.43b2e61c9d09/nixexprs.tar.xz"
       },
       "original": {
         "type": "tarball",
         "url": "https://nixos.org/channels/nixos-25.11-small/nixexprs.tar.xz"
       }
     },
+    "nixpkgs-lib": {
+      "locked": {
+        "lastModified": 1765674936,
+        "narHash": "sha256-k00uTP4JNfmejrCLJOwdObYC9jHRrr/5M/a/8L2EIdo=",
+        "owner": "nix-community",
+        "repo": "nixpkgs.lib",
+        "rev": "2075416fcb47225d9b68ac469a5c4801a9c4dd85",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "nixpkgs.lib",
+        "type": "github"
+      }
+    },
     "nixpkgs-unstable": {
       "locked": {
-        "lastModified": 1764854611,
-        "narHash": "sha256-MVzFp4ZKwdh6U1wy4fJe/GY3Hb4cvvyJbAZOhaeBQoo=",
-        "rev": "3a4b875aef660bbd148e86b92cffea2a360c3275",
+        "lastModified": 1768886240,
+        "narHash": "sha256-HUAAI7AF+/Ov1u3Vvjs4DL91zTxMkWLC4xJgQ9QxOUQ=",
+        "rev": "80e4adbcf8992d3fd27ad4964fbb84907f9478b0",
         "type": "tarball",
-        "url": "https://releases.nixos.org/nixos/unstable-small/nixos-26.05pre906534.3a4b875aef66/nixexprs.tar.xz"
+        "url": "https://releases.nixos.org/nixos/unstable-small/nixos-26.05pre930839.80e4adbcf899/nixexprs.tar.xz"
       },
       "original": {
         "type": "tarball",
@@ -224,11 +300,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1765978548,
-        "narHash": "sha256-VDSPpw+/Mgo+JujoW12CRlkTs9o0tX/FEL2AR5kl5+Q=",
+        "lastModified": 1768636400,
+        "narHash": "sha256-AiSKT4/25LS1rUlPduBMogf4EbdMQYDY1rS7AvHFcxk=",
         "ref": "main",
-        "rev": "961f021d27f86b2aedd16290dbf85bdd9d50fd42",
-        "revCount": 532,
+        "rev": "3a8f82b12a44e6c4ceacd6955a290a52d1ee2856",
+        "revCount": 573,
         "type": "git",
         "url": "https://git.pvv.ntnu.no/Projects/nettsiden.git"
       },
@@ -238,8 +314,30 @@
         "url": "https://git.pvv.ntnu.no/Projects/nettsiden.git"
       }
     },
+    "qotd": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1768684204,
+        "narHash": "sha256-TErBiXxTRPUtZ/Mw8a5p+KCeGCFXa0o8fzwGoo75//Y=",
+        "ref": "main",
+        "rev": "a86f361bb8cfac3845b96d49fcbb2faea669844f",
+        "revCount": 11,
+        "type": "git",
+        "url": "https://git.pvv.ntnu.no/Projects/qotd.git"
+      },
+      "original": {
+        "ref": "main",
+        "type": "git",
+        "url": "https://git.pvv.ntnu.no/Projects/qotd.git"
+      }
+    },
     "root": {
       "inputs": {
+        "dibbler": "dibbler",
         "disko": "disko",
         "gergle": "gergle",
         "greg-ng": "greg-ng",
@@ -248,13 +346,38 @@
         "minecraft-heatmap": "minecraft-heatmap",
         "minecraft-kartverket": "minecraft-kartverket",
         "nix-gitea-themes": "nix-gitea-themes",
+        "nix-topology": "nix-topology",
         "nixpkgs": "nixpkgs",
         "nixpkgs-unstable": "nixpkgs-unstable",
         "pvv-calendar-bot": "pvv-calendar-bot",
         "pvv-nettsiden": "pvv-nettsiden",
+        "qotd": "qotd",
+        "roowho2": "roowho2",
         "sops-nix": "sops-nix"
       }
     },
+    "roowho2": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "rust-overlay": "rust-overlay_3"
+      },
+      "locked": {
+        "lastModified": 1768140181,
+        "narHash": "sha256-HfZzup5/jlu8X5vMUglTovVTSwhHGHwwV1YOFIL/ksA=",
+        "ref": "main",
+        "rev": "834463ed64773939798589ee6fd4adfe3a97dddd",
+        "revCount": 43,
+        "type": "git",
+        "url": "https://git.pvv.ntnu.no/Projects/roowho2.git"
+      },
+      "original": {
+        "ref": "main",
+        "type": "git",
+        "url": "https://git.pvv.ntnu.no/Projects/roowho2.git"
+      }
+    },
     "rust-overlay": {
       "inputs": {
         "nixpkgs": [
@@ -263,11 +386,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1765680428,
-        "narHash": "sha256-fyPmRof9SZeI14ChPk5rVPOm7ISiiGkwGCunkhM+eUg=",
+        "lastModified": 1767840362,
+        "narHash": "sha256-ZtsFqUhilubohNZ1TgpQIFsi4biZTwRH9rjZsDRDik8=",
         "owner": "oxalica",
         "repo": "rust-overlay",
-        "rev": "eb3898d8ef143d4bf0f7f2229105fc51c7731b2f",
+        "rev": "d159ea1fc321c60f88a616ac28bab660092a227d",
         "type": "github"
       },
       "original": {
@@ -297,6 +420,27 @@
         "type": "github"
       }
     },
+    "rust-overlay_3": {
+      "inputs": {
+        "nixpkgs": [
+          "roowho2",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1767322002,
+        "narHash": "sha256-yHKXXw2OWfIFsyTjduB4EyFwR0SYYF0hK8xI9z4NIn0=",
+        "owner": "oxalica",
+        "repo": "rust-overlay",
+        "rev": "03c6e38661c02a27ca006a284813afdc461e9f7e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "oxalica",
+        "repo": "rust-overlay",
+        "type": "github"
+      }
+    },
     "sops-nix": {
       "inputs": {
         "nixpkgs": [
@@ -304,11 +448,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1766894905,
-        "narHash": "sha256-pn8AxxfajqyR/Dmr1wnZYdUXHgM3u6z9x0Z1Ijmz2UQ=",
+        "lastModified": 1768863606,
+        "narHash": "sha256-1IHAeS8WtBiEo5XiyJBHOXMzECD6aaIOJmpQKzRRl64=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "61b39c7b657081c2adc91b75dd3ad8a91d6f07a7",
+        "rev": "c7067be8db2c09ab1884de67ef6c4f693973f4a2",
         "type": "github"
       },
       "original": {

flake.nix

@@ -11,12 +11,18 @@
     disko.url = "github:nix-community/disko/v1.11.0";
     disko.inputs.nixpkgs.follows = "nixpkgs";
 
+    nix-topology.url = "github:oddlama/nix-topology/main";
+    nix-topology.inputs.nixpkgs.follows = "nixpkgs";
+
     pvv-nettsiden.url = "git+https://git.pvv.ntnu.no/Projects/nettsiden.git?ref=main";
     pvv-nettsiden.inputs.nixpkgs.follows = "nixpkgs";
 
     pvv-calendar-bot.url = "git+https://git.pvv.ntnu.no/Projects/calendar-bot.git?ref=main";
     pvv-calendar-bot.inputs.nixpkgs.follows = "nixpkgs";
 
+    dibbler.url = "git+https://git.pvv.ntnu.no/Projects/dibbler.git?ref=main";
+    dibbler.inputs.nixpkgs.follows = "nixpkgs";
+
     matrix-next.url = "github:dali99/nixos-matrix-modules/v0.8.0";
     matrix-next.inputs.nixpkgs.follows = "nixpkgs";
 
@@ -26,6 +32,9 @@
     minecraft-heatmap.url = "git+https://git.pvv.ntnu.no/Projects/minecraft-heatmap.git?ref=main";
     minecraft-heatmap.inputs.nixpkgs.follows = "nixpkgs";
 
+    roowho2.url = "git+https://git.pvv.ntnu.no/Projects/roowho2.git?ref=main";
+    roowho2.inputs.nixpkgs.follows = "nixpkgs";
+
     greg-ng.url = "git+https://git.pvv.ntnu.no/Grzegorz/greg-ng.git?ref=main";
     greg-ng.inputs.nixpkgs.follows = "nixpkgs";
     gergle.url = "git+https://git.pvv.ntnu.no/Grzegorz/gergle.git?ref=main";
@@ -35,6 +44,9 @@
 
     minecraft-kartverket.url = "git+https://git.pvv.ntnu.no/Projects/minecraft-kartverket.git?ref=main";
     minecraft-kartverket.inputs.nixpkgs.follows = "nixpkgs";
+
+    qotd.url = "git+https://git.pvv.ntnu.no/Projects/qotd.git?ref=main";
+    qotd.inputs.nixpkgs.follows = "nixpkgs";
   };
 
   outputs = { self, nixpkgs, nixpkgs-unstable, sops-nix, disko, ... }@inputs:
@@ -57,57 +69,76 @@
   in {
     inputs = lib.mapAttrs (_: src: src.outPath) inputs;
 
-    pkgs = forAllSystems (system:
-      import nixpkgs {
-        inherit system;
-        config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg)
-          [
-            "nvidia-x11"
-            "nvidia-settings"
-          ];
-      });
+    pkgs = forAllSystems (system: import nixpkgs {
+      inherit system;
+      config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg)
+        [
+          "nvidia-x11"
+          "nvidia-settings"
+        ];
+    });
 
     nixosConfigurations = let
-      unstablePkgs = nixpkgs-unstable.legacyPackages.x86_64-linux;
-
       nixosConfig =
         nixpkgs:
         name:
         configurationPath:
-        extraArgs:
-        lib.nixosSystem (lib.recursiveUpdate
-        (let
-          system = "x86_64-linux";
-        in {
-          inherit system;
-
-          specialArgs = {
-            inherit unstablePkgs inputs;
-            values = import ./values.nix;
-            fp = path: ./${path};
-          } // extraArgs.specialArgs or { };
-
-          modules = [
-            configurationPath
-            sops-nix.nixosModules.sops
-          ] ++ extraArgs.modules or [];
-
-          pkgs = import nixpkgs {
-            inherit system;
+        extraArgs@{
+          localSystem ? "x86_64-linux", # buildPlatform
+          crossSystem ? "x86_64-linux", # hostPlatform
+          specialArgs ? { },
+          modules ? [ ],
+          overlays ? [ ],
+          enableDefaults ? true,
+          ...
+        }:
+        let
+          commonPkgsConfig = {
+            inherit localSystem crossSystem;
             config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg)
               [
                 "nvidia-x11"
                 "nvidia-settings"
               ];
-            overlays = [
+            overlays = (lib.optionals enableDefaults [
               # Global overlays go here
-            ] ++ extraArgs.overlays or [ ];
+              inputs.roowho2.overlays.default
+            ]) ++ overlays;
           };
-        })
+
+          pkgs = import nixpkgs commonPkgsConfig;
+          unstablePkgs = import nixpkgs-unstable commonPkgsConfig;
+        in
+        lib.nixosSystem (lib.recursiveUpdate
+        {
+          system = crossSystem;
+
+          inherit pkgs;
+
+          specialArgs = {
+            inherit inputs unstablePkgs;
+            values = import ./values.nix;
+            fp = path: ./${path};
+          } // specialArgs;
+
+          modules = [
+            {
+              networking.hostName = lib.mkDefault name;
+            }
+            configurationPath
+          ] ++ (lib.optionals enableDefaults [
+            sops-nix.nixosModules.sops
+            inputs.roowho2.nixosModules.default
+            self.nixosModules.rsync-pull-targets
+          ]) ++ modules;
+        }
         (builtins.removeAttrs extraArgs [
+          "localSystem"
+          "crossSystem"
           "modules"
           "overlays"
           "specialArgs"
+          "enableDefaults"
         ])
       );
 
@@ -116,7 +147,7 @@
     in {
       bakke = stableNixosConfig "bakke" {
         modules = [
-          disko.nixosModules.disko
+          inputs.disko.nixosModules.disko
         ];
       };
       bicep = stableNixosConfig "bicep" {
@@ -131,35 +162,32 @@
           inputs.pvv-calendar-bot.overlays.default
           inputs.minecraft-heatmap.overlays.default
           (final: prev: {
-            inherit (self.packages.${prev.system}) out-of-your-element;
+            inherit (self.packages.${prev.stdenv.hostPlatform.system}) out-of-your-element;
           })
         ];
       };
       bekkalokk = stableNixosConfig "bekkalokk" {
         overlays = [
           (final: prev: {
-            heimdal = unstablePkgs.heimdal;
             mediawiki-extensions = final.callPackage ./packages/mediawiki-extensions { };
             simplesamlphp = final.callPackage ./packages/simplesamlphp { };
             bluemap = final.callPackage ./packages/bluemap.nix { };
           })
           inputs.pvv-nettsiden.overlays.default
+          inputs.qotd.overlays.default
         ];
         modules = [
           inputs.pvv-nettsiden.nixosModules.default
           self.nixosModules.bluemap
-        ];
-      };
-      bob = stableNixosConfig "bob" {
-        modules = [
-          disko.nixosModules.disko
-          { disko.devices.disk.disk1.device = "/dev/vda"; }
+          inputs.qotd.nixosModules.default
         ];
       };
       ildkule = stableNixosConfig "ildkule" { };
       #ildkule-unstable = unstableNixosConfig "ildkule" { };
       shark = stableNixosConfig "shark" { };
       wenche = stableNixosConfig "wenche" { };
+      temmie = stableNixosConfig "temmie" { };
+      gluttony = stableNixosConfig "gluttony" { };
 
       kommode = stableNixosConfig "kommode" {
         overlays = [
@@ -167,7 +195,7 @@
         ];
         modules = [
           inputs.nix-gitea-themes.nixosModules.default
-          self.nixosModules.robots-txt
+          inputs.disko.nixosModules.disko
         ];
       };
 
@@ -201,6 +229,38 @@
       };
     }
     //
+    (let
+      skrottConfig = {
+        modules = [
+          (nixpkgs + "/nixos/modules/installer/sd-card/sd-image-aarch64.nix")
+          inputs.dibbler.nixosModules.default
+        ];
+        overlays = [
+          inputs.dibbler.overlays.default
+          (final: prev: {
+            # NOTE: Yeetus (these break crosscompile ¯\_(ツ)_/¯)
+            atool = prev.emptyDirectory;
+            micro = prev.emptyDirectory;
+            ncdu = prev.emptyDirectory;
+          })
+        ];
+      };
+    in {
+      skrott = self.nixosConfigurations.skrott-native;
+      skrott-native = stableNixosConfig "skrott" (skrottConfig // {
+        localSystem = "aarch64-linux";
+        crossSystem = "aarch64-linux";
+      });
+      skrott-cross = stableNixosConfig "skrott" (skrottConfig // {
+        localSystem = "x86_64-linux";
+        crossSystem = "aarch64-linux";
+      });
+      skrott-x86_64 = stableNixosConfig "skrott" (skrottConfig // {
+        localSystem = "x86_64-linux";
+        crossSystem = "x86_64-linux";
+      });
+    })
+    //
     (let
       machineNames = map (i: "lupine-${toString i}") (lib.range 1 5);
       stableLupineNixosConfig = name: extraArgs:
@@ -212,11 +272,12 @@
 
     nixosModules = {
       bluemap = ./modules/bluemap.nix;
-      snakeoil-certs = ./modules/snakeoil-certs.nix;
-      snappymail = ./modules/snappymail.nix;
-      robots-txt = ./modules/robots-txt.nix;
       gickup = ./modules/gickup;
       matrix-ooye = ./modules/matrix-ooye.nix;
+      robots-txt = ./modules/robots-txt.nix;
+      rsync-pull-targets = ./modules/rsync-pull-targets.nix;
+      snakeoil-certs = ./modules/snakeoil-certs.nix;
+      snappymail = ./modules/snappymail.nix;
     };
 
     devShells = forAllSystems (system: {
@@ -234,27 +295,86 @@
 
     packages = {
       "x86_64-linux" = let
-        pkgs = nixpkgs.legacyPackages."x86_64-linux";
+        system = "x86_64-linux";
+        pkgs = nixpkgs.legacyPackages.${system};
       in rec {
         default = important-machines;
         important-machines = pkgs.linkFarm "important-machines"
-          (lib.getAttrs importantMachines self.packages.x86_64-linux);
+          (lib.getAttrs importantMachines self.packages.${system});
         all-machines = pkgs.linkFarm "all-machines"
-          (lib.getAttrs allMachines self.packages.x86_64-linux);
+          (lib.getAttrs allMachines self.packages.${system});
 
         simplesamlphp = pkgs.callPackage ./packages/simplesamlphp { };
 
         bluemap = pkgs.callPackage ./packages/bluemap.nix { };
 
-        out-of-your-element = pkgs.callPackage ./packages/out-of-your-element.nix { };
-      } //
+        out-of-your-element = pkgs.callPackage ./packages/ooye/package.nix { };
+      }
+      //
+      # Mediawiki extensions
       (lib.pipe null [
         (_: pkgs.callPackage ./packages/mediawiki-extensions { })
         (lib.flip builtins.removeAttrs ["override" "overrideDerivation"])
         (lib.mapAttrs' (name: lib.nameValuePair "mediawiki-${name}"))
       ])
-      // lib.genAttrs allMachines
-        (machine: self.nixosConfigurations.${machine}.config.system.build.toplevel);
+      //
+      # Machines
+      lib.genAttrs allMachines
+        (machine: self.nixosConfigurations.${machine}.config.system.build.toplevel)
+      //
+      # Skrott is exception
+      {
+        skrott = self.packages.${system}.skrott-native-sd;
+        skrott-native = self.nixosConfigurations.skrott-native.config.system.build.toplevel;
+        skrott-native-sd = self.nixosConfigurations.skrott-native.config.system.build.sdImage;
+        skrott-cross = self.nixosConfigurations.skrott-cross.config.system.build.toplevel;
+        skrott-cross-sd = self.nixosConfigurations.skrott-cross.config.system.build.sdImage;
+        skrott-x86_64 = self.nixosConfigurations.skrott-x86_64.config.system.build.toplevel;
+      }
+      //
+      # Nix-topology
+      (let
+        topology' = import inputs.nix-topology {
+          pkgs = import nixpkgs {
+            inherit system;
+            overlays = [
+              inputs.nix-topology.overlays.default
+              (final: prev: {
+                inherit (nixpkgs-unstable.legacyPackages.${system}) super-tiny-icons;
+              })
+            ];
+          };
+
+          specialArgs = {
+            values = import ./values.nix;
+          };
+
+          modules = [
+            ./topology
+            {
+              nixosConfigurations = lib.mapAttrs (_name: nixosCfg: nixosCfg.extendModules {
+                modules = [
+                  inputs.nix-topology.nixosModules.default
+                  ./topology/service-extractors/greg-ng.nix
+                  ./topology/service-extractors/postgresql.nix
+                  ./topology/service-extractors/mysql.nix
+                  ./topology/service-extractors/gitea-runners.nix
+                ];
+              }) self.nixosConfigurations;
+            }
+          ];
+        };
+      in {
+        topology = topology'.config.output;
+        topology-png = pkgs.runCommand "pvv-config-topology-png" {
+          nativeBuildInputs = [ pkgs.writableTmpDirAsHomeHook ];
+        } ''
+          mkdir -p "$out"
+          for file in '${topology'.config.output}'/*.svg; do
+            ${lib.getExe pkgs.imagemagick} -density 300 -background none "$file" "$out"/"$(basename "''${file%.svg}.png")"
+          done
+        '';
+      });
     };
   };
 }

hosts/bakke/configuration.nix

@@ -6,20 +6,13 @@
       ./filesystems.nix
     ];
 
-  sops.defaultSopsFile = ../../secrets/bakke/bakke.yaml;
-  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
-  sops.age.keyFile = "/var/lib/sops-nix/key.txt";
-  sops.age.generateKey = true;
-
-  boot.loader.systemd-boot.enable = true;
-  boot.loader.efi.canTouchEfiVariables = true;
-
-  networking.hostName = "bakke";
   networking.hostId = "99609ffc";
   systemd.network.networks."30-enp2s0" = values.defaultNetworkConfig // {
     matchConfig.Name = "enp2s0";
     address = with values.hosts.bakke; [ (ipv4 + "/25") (ipv6 + "/64") ];
   };
 
+  # Don't change (even during upgrades) unless you know what you are doing.
+  # See https://search.nixos.org/options?show=system.stateVersion
   system.stateVersion = "24.05";
 }

hosts/bakke/filesystems.nix

@@ -1,17 +1,17 @@
-{ config, pkgs, lib, ... }:
+{ pkgs,... }:
 {
   # Boot drives:
   boot.swraid.enable = true;
 
   # ZFS Data pool:
-  environment.systemPackages = with pkgs; [ zfs ];
   boot = {
     zfs = {
       extraPools = [ "tank" ];
       requestEncryptionCredentials = false;
     };
-    supportedFilesystems = [ "zfs" ];
-    kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
+    supportedFilesystems.zfs = true;
+    # Use stable linux packages, these work with zfs
+    kernelPackages = pkgs.linuxPackages;
   };
   services.zfs.autoScrub = {
     enable = true;

hosts/bakke/hardware-configuration.nix

@@ -1,4 +1,4 @@
-# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# Do not modify this file!  It was generated by 'nixos-generate-config'
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 { config, lib, pkgs, modulesPath, ... }:

hosts/bekkalokk/configuration.nix

@@ -5,6 +5,7 @@
 
     (fp /base)
 
+    ./services/alps.nix
     ./services/bluemap.nix
     ./services/idp-simplesamlphp
     ./services/kerberos.nix
@@ -15,18 +16,9 @@
     ./services/webmail
     ./services/website
     ./services/well-known
+    ./services/qotd
   ];
 
-  sops.defaultSopsFile = fp /secrets/bekkalokk/bekkalokk.yaml;
-  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
-  sops.age.keyFile = "/var/lib/sops-nix/key.txt";
-  sops.age.generateKey = true;
-
-  boot.loader.systemd-boot.enable = true;
-  boot.loader.efi.canTouchEfiVariables = true;
-
-  networking.hostName = "bekkalokk";
-
   systemd.network.networks."30-enp2s0" = values.defaultNetworkConfig // {
     matchConfig.Name = "enp2s0";
     address = with values.hosts.bekkalokk; [ (ipv4 + "/25") (ipv6 + "/64") ];
@@ -34,7 +26,7 @@
 
   services.btrfs.autoScrub.enable = true;
 
-  # Do not change, even during upgrades.
+  # Don't change (even during upgrades) unless you know what you are doing.
   # See https://search.nixos.org/options?show=system.stateVersion
-  system.stateVersion = "22.11";
+  system.stateVersion = "25.11";
 }

hosts/bekkalokk/hardware-configuration.nix

@@ -1,4 +1,4 @@
-# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# Do not modify this file!  It was generated by 'nixos-generate-config'
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 { config, lib, pkgs, modulesPath, ... }:

hosts/bekkalokk/services/alps.nix

@@ -0,0 +1,22 @@
+{ config, lib, ... }:
+let
+  cfg = config.services.alps;
+in
+{
+  services.alps = {
+    enable = true;
+    theme = "sourcehut";
+    smtps.host = "smtp.pvv.ntnu.no";
+    imaps.host = "imap.pvv.ntnu.no";
+    bindIP = "127.0.0.1";
+  };
+
+  services.nginx.virtualHosts."alps.pvv.ntnu.no" = lib.mkIf cfg.enable {
+    enableACME = true;
+    forceSSL = true;
+    kTLS = true;
+    locations."/" = {
+      proxyPass = "http://${cfg.bindIP}:${toString cfg.port}";
+    };
+  };
+}

hosts/bekkalokk/services/bluemap.nix

@@ -21,6 +21,7 @@ in {
       inherit (inputs.minecraft-kartverket.packages.${pkgs.stdenv.hostPlatform.system}) bluemap-export;
     in {
       "verden" = {
+        extraHoconMarkersFile = "${bluemap-export}/overworld.hocon";
         settings = {
           world = vanillaSurvival;
           dimension = "minecraft:overworld";
@@ -32,12 +33,10 @@ in {
           };
           ambient-light = 0.1;
           cave-detection-ocean-floor = -5;
-          marker-sets = {
-            _includes = [ (format.lib.mkInclude "${bluemap-export}/overworld.hocon") ];
-          };
         };
       };
       "underverden" = {
+        extraHoconMarkersFile = "${bluemap-export}/nether.hocon";
         settings = {
           world = vanillaSurvival;
           dimension = "minecraft:the_nether";
@@ -57,12 +56,10 @@ in {
           render-mask = [{
             max-y = 90;
           }];
-          marker-sets = {
-            _includes = [ (format.lib.mkInclude "${bluemap-export}/nether.hocon") ];
-          };
         };
       };
       "enden" = {
+        extraHoconMarkersFile = "${bluemap-export}/the-end.hocon";
         settings = {
           world = vanillaSurvival;
           dimension = "minecraft:the_end";
@@ -78,9 +75,6 @@ in {
           ambient-light = 0.6;
           remove-caves-below-y = -10000;
           cave-detection-ocean-floor = -5;
-          marker-sets = {
-            _includes = [ (format.lib.mkInclude "${bluemap-export}/the-end.hocon") ];
-          };
         };
       };
     };

hosts/bekkalokk/services/mediawiki/default.nix

@@ -1,4 +1,4 @@
-{ pkgs, lib, fp, config, values, pkgs-unstable, ... }: let
+{ pkgs, lib, fp, config, values, ... }: let
   cfg = config.services.mediawiki;
 
   # "mediawiki"
@@ -34,6 +34,7 @@ in {
   services.idp.sp-remote-metadata = [ "https://wiki.pvv.ntnu.no/simplesaml/" ];
 
   sops.secrets = lib.pipe [
+    "mediawiki/secret-key"
     "mediawiki/password"
     "mediawiki/postgres_password"
     "mediawiki/simplesamlphp/postgres_password"
@@ -48,6 +49,24 @@ in {
     lib.listToAttrs
   ];
 
+  services.rsync-pull-targets = {
+    enable = true;
+    locations.${cfg.uploadsDir} = {
+      user = config.services.root;
+      rrsyncArgs.ro = true;
+      authorizedKeysAttrs = [
+        "restrict"
+        "no-agent-forwarding"
+        "no-port-forwarding"
+        "no-pty"
+        "no-X11-forwarding"
+      ];
+      # TODO: create new key on principal
+      enable = false;
+      publicKey = "";
+    };
+  };
+
   services.mediawiki = {
     enable = true;
     name = "Programvareverkstedet";
@@ -179,15 +198,15 @@ in {
 
   # Cache directory for simplesamlphp
   # systemd.services.phpfpm-mediawiki.serviceConfig.CacheDirectory = "mediawiki/simplesamlphp";
-  systemd.tmpfiles.settings."10-mediawiki"."/var/cache/mediawiki/simplesamlphp".d = {
+  systemd.tmpfiles.settings."10-mediawiki"."/var/cache/mediawiki/simplesamlphp".d = lib.mkIf cfg.enable {
     user = "mediawiki";
     group = "mediawiki";
     mode = "0770";
   };
 
-  users.groups.mediawiki.members = [ "nginx" ];
+  users.groups.mediawiki.members = lib.mkIf cfg.enable [ "nginx" ];
 
-  services.nginx.virtualHosts."wiki.pvv.ntnu.no" = {
+  services.nginx.virtualHosts."wiki.pvv.ntnu.no" = lib.mkIf cfg.enable {
     kTLS = true;
     forceSSL = true;
     enableACME = true;
@@ -233,4 +252,20 @@ in {
     };
 
   };
+
+  systemd.services.mediawiki-init = lib.mkIf cfg.enable {
+    after = [ "sops-install-secrets.service" ];
+    serviceConfig = {
+      BindReadOnlyPaths = [ "/run/credentials/mediawiki-init.service/secret-key:/var/lib/mediawiki/secret.key" ];
+      LoadCredential = [ "secret-key:${config.sops.secrets."mediawiki/secret-key".path}" ];
+    };
+  };
+
+  systemd.services.phpfpm-mediawiki = lib.mkIf cfg.enable {
+    after = [ "sops-install-secrets.service" ];
+    serviceConfig = {
+      BindReadOnlyPaths = [ "/run/credentials/phpfpm-mediawiki.service/secret-key:/var/lib/mediawiki/secret.key" ];
+      LoadCredential = [ "secret-key:${config.sops.secrets."mediawiki/secret-key".path}" ];
+    };
+  };
 }

hosts/bekkalokk/services/qotd/default.nix

@@ -0,0 +1,6 @@
+{
+  services.qotd = {
+    enable = true;
+    quotes = builtins.fromJSON (builtins.readFile ./quotes.json);
+  };
+}

hosts/bekkalokk/services/qotd/quotes.json

@@ -0,0 +1 @@
+["quote 1", "quote 2"]

hosts/bekkalokk/services/website/fetch-gallery.nix

@@ -3,13 +3,21 @@ let
   galleryDir = config.services.pvv-nettsiden.settings.GALLERY.DIR;
   transferDir = "${config.services.pvv-nettsiden.settings.GALLERY.DIR}-transfer";
 in {
-  users.users.${config.services.pvv-nettsiden.user} = {
-    useDefaultShell = true;
-
-    # This is pushed from microbel:/var/www/www-gallery/build-gallery.sh
-    openssh.authorizedKeys.keys = [
-    ''command="${pkgs.rrsync}/bin/rrsync -wo ${transferDir}",restrict,no-agent-forwarding,no-port-forwarding,no-pty,no-X11-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIjHhC2dikhWs/gG+m7qP1eSohWzTehn4ToNzDSOImyR gallery-publish''
-    ];
+  # This is pushed from microbel:/var/www/www-gallery/build-gallery.sh
+  services.rsync-pull-targets = {
+    enable = true;
+    locations.${transferDir} = {
+      user = config.services.pvv-nettsiden.user;
+      rrsyncArgs.wo = true;
+      authorizedKeysAttrs = [
+        "restrict"
+        "no-agent-forwarding"
+        "no-port-forwarding"
+        "no-pty"
+        "no-X11-forwarding"
+      ];
+      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIjHhC2dikhWs/gG+m7qP1eSohWzTehn4ToNzDSOImyR gallery-publish";
+    };
   };
 
   systemd.paths.pvv-nettsiden-gallery-update = {

hosts/bekkalokk/services/well-known/default.nix

@@ -1,18 +1,25 @@
-{ ... }:
+{ lib, ... }:
 {
-  services.nginx.virtualHosts."www.pvv.ntnu.no".locations = {
-    "^~ /.well-known/" = {
-      alias = (toString ./root) + "/";
-    };
+  services.nginx.virtualHosts = lib.genAttrs [
+    "pvv.ntnu.no"
+    "www.pvv.ntnu.no"
+    "pvv.org"
+    "www.pvv.org"
+  ] (_: {
+    locations = {
+      "^~ /.well-known/" = {
+        alias = (toString ./root) + "/";
+      };
 
-    # Proxy the matrix well-known files
-    # Host has be set before proxy_pass
-    # The header must be set so nginx on the other side routes it to the right place
-    "^~ /.well-known/matrix/" = {
-      extraConfig = ''
-        proxy_set_header Host matrix.pvv.ntnu.no;
-        proxy_pass https://matrix.pvv.ntnu.no/.well-known/matrix/;
-      '';
+      # Proxy the matrix well-known files
+      # Host has be set before proxy_pass
+      # The header must be set so nginx on the other side routes it to the right place
+      "^~ /.well-known/matrix/" = {
+        extraConfig = ''
+          proxy_set_header Host matrix.pvv.ntnu.no;
+          proxy_pass https://matrix.pvv.ntnu.no/.well-known/matrix/;
+        '';
+      };
     };
-  };
+  });
 }

hosts/bekkalokk/services/well-known/root/security.txt

@@ -6,7 +6,11 @@ Contact: mailto:cert@pvv.ntnu.no
 Preferred-Languages: no, en
 
 Expires: 2032-12-31T23:59:59.000Z
-# This file was last updated 2024-09-14.
+# This file was last updated 2026-02-27.
 
 # You can find a wikipage for our security policies at:
 # https://wiki.pvv.ntnu.no/wiki/CERT
+
+# Please note that we are a student organization, and unfortunately we do not
+# have a bug bounty program or offer monetary compensation for disclosure of
+# security vulnerabilities.

hosts/bicep/configuration.nix

@@ -15,16 +15,6 @@
     ./services/matrix
   ];
 
-  sops.defaultSopsFile = fp /secrets/bicep/bicep.yaml;
-  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
-  sops.age.keyFile = "/var/lib/sops-nix/key.txt";
-  sops.age.generateKey = true;
-
-  boot.loader.systemd-boot.enable = true;
-  boot.loader.efi.canTouchEfiVariables = true;
-
-  networking.hostName = "bicep";
-
   #systemd.network.networks."30-enp6s0f0" = values.defaultNetworkConfig // {
   systemd.network.networks."30-ens18" = values.defaultNetworkConfig // {
     #matchConfig.Name = "enp6s0f0";
@@ -36,17 +26,9 @@
     anyInterface = true;
   };
 
-  # There are no smart devices
-  services.smartd.enable = false;
-
-  # we are a vm now
   services.qemuGuest.enable = true;
 
-  # Enable the OpenSSH daemon.
-  services.openssh.enable = true;
-  services.sshguard.enable = true;
-
-  # Do not change, even during upgrades.
+  # Don't change (even during upgrades) unless you know what you are doing.
   # See https://search.nixos.org/options?show=system.stateVersion
-  system.stateVersion = "22.11";
+  system.stateVersion = "25.11";
 }

hosts/bicep/hardware-configuration.nix

@@ -1,4 +1,4 @@
-# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# Do not modify this file!  It was generated by 'nixos-generate-config'
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 { config, lib, pkgs, modulesPath, ... }:

hosts/bicep/services/git-mirrors/default.nix

@@ -66,6 +66,7 @@ in
       package = pkgs.callPackage (fp /packages/cgit.nix) { };
       group = "gickup";
       scanPath = "${cfg.dataDir}/linktree";
+      gitHttpBackend.checkExportOkFiles = false;
       settings = {
         enable-commit-graph = true;
         enable-follow-links = true;

hosts/bicep/services/matrix/coturn.nix

@@ -1,13 +1,6 @@
 { config, lib, fp, pkgs, secrets, values, ... }:
 
 {
-  sops.secrets."matrix/synapse/turnconfig" = {
-    sopsFile = fp /secrets/bicep/matrix.yaml;
-    key = "synapse/turnconfig";
-    owner = config.users.users.matrix-synapse.name;
-    group = config.users.users.matrix-synapse.group;
-    restartUnits = [ "coturn.service" ];
-  };
   sops.secrets."matrix/coturn/static-auth-secret" = {
     sopsFile = fp /secrets/bicep/matrix.yaml;
     key = "coturn/static-auth-secret";
@@ -16,9 +9,18 @@
     restartUnits = [ "coturn.service" ];
   };
 
+  sops.templates."matrix-synapse-turnconfig" = {
+    owner = config.users.users.matrix-synapse.name;
+    group = config.users.users.matrix-synapse.group;
+    content = ''
+      turn_shared_secret: ${config.sops.placeholder."matrix/coturn/static-auth-secret"}
+    '';
+    restartUnits = [ "matrix-synapse.target" ];
+  };
+
   services.matrix-synapse-next = {
     extraConfigFiles = [
-      config.sops.secrets."matrix/synapse/turnconfig".path
+      config.sops.templates."matrix-synapse-turnconfig".path
     ];
 
     settings = {

hosts/bicep/services/matrix/default.nix

@@ -1,19 +1,16 @@
 { config, ... }:
-
 {
-
   imports = [
     ./synapse.nix
     ./synapse-admin.nix
     ./element.nix
     ./coturn.nix
+    ./livekit.nix
     ./mjolnir.nix
+    ./well-known.nix
 
     # ./discord.nix
     ./out-of-your-element.nix
     ./hookshot
   ];
-
-
-
 }

hosts/bicep/services/matrix/element.nix

@@ -2,6 +2,13 @@
 let
   synapse-cfg = config.services.matrix-synapse-next;
 in {
+  services.pvv-matrix-well-known.client = {
+    "m.homeserver" = {
+      base_url = "https://matrix.pvv.ntnu.no";
+      server_name = "pvv.ntnu.no";
+    };
+  };
+
   services.nginx.virtualHosts."chat.pvv.ntnu.no" = {
     enableACME = true;
     forceSSL = true;
@@ -9,10 +16,10 @@ in {
 
     root = pkgs.element-web.override {
       conf = {
-        default_server_config."m.homeserver" = {
-          base_url = "https://matrix.pvv.ntnu.no";
-          server_name = "pvv.ntnu.no";
-        };
+        # Tries to look up well-known first, else uses bundled config.
+        default_server_name = "matrix.pvv.ntnu.no";
+        default_server_config = config.services.pvv-matrix-well-known.client;
+
         disable_3pid_login = true;
 #        integrations_ui_url = "https://dimension.dodsorf.as/riot";
 #        integrations_rest_url = "https://dimension.dodsorf.as/api/v1/scalar";
@@ -30,6 +37,7 @@ in {
           # element call group calls
           feature_group_calls = true;
         };
+        default_country_code = "NO";
         default_theme = "dark";
         # Servers in this list should provide some sort of valuable scoping
         # matrix.org is not useful compared to matrixrooms.info,

hosts/bicep/services/matrix/hookshot/default.nix

@@ -14,6 +14,10 @@ in
     sopsFile = fp /secrets/bicep/matrix.yaml;
     key = "hookshot/hs_token";
   };
+  sops.secrets."matrix/hookshot/passkey" = {
+    sopsFile = fp /secrets/bicep/matrix.yaml;
+    key = "hookshot/passkey";
+  };
 
   sops.templates."hookshot-registration.yaml" = {
     owner = config.users.users.matrix-synapse.name;
@@ -44,9 +48,14 @@ in
   };
 
   systemd.services.matrix-hookshot = {
-    serviceConfig.SupplementaryGroups = [
-      config.users.groups.keys-matrix-registrations.name
-    ];
+    serviceConfig = {
+      SupplementaryGroups = [
+        config.users.groups.keys-matrix-registrations.name
+      ];
+      LoadCredential = [
+        "passkey.pem:${config.sops.secrets."matrix/hookshot/passkey".path}"
+      ];
+    };
   };
 
   services.matrix-hookshot = {
@@ -54,6 +63,8 @@ in
     package = unstablePkgs.matrix-hookshot;
     registrationFile = config.sops.templates."hookshot-registration.yaml".path;
     settings = {
+      passFile = "/run/credentials/matrix-hookshot.service/passkey.pem";
+
       bridge = {
         bindAddress = "127.0.0.1";
         domain = "pvv.ntnu.no";
@@ -61,6 +72,7 @@ in
         mediaUrl = "https://matrix.pvv.ntnu.no";
         port = 9993;
       };
+
       listeners = [
         {
           bindAddress = webhookListenAddress;
@@ -73,6 +85,7 @@ in
           ];
         }
       ];
+
       generic = {
         enabled = true;
         outbound = true;

hosts/bicep/services/matrix/livekit.nix

@@ -0,0 +1,67 @@
+{ config, lib, fp, ... }:
+let
+  synapseConfig = config.services.matrix-synapse-next;
+  matrixDomain = "matrix.pvv.ntnu.no";
+  cfg = config.services.livekit;
+in
+{
+  sops.secrets."matrix/livekit/keyfile/lk-jwt-service" = {
+    sopsFile = fp /secrets/bicep/matrix.yaml;
+    key = "livekit/keyfile/lk-jwt-service";
+  };
+  sops.templates."matrix-livekit-keyfile" = {
+    restartUnits = [
+      "livekit.service"
+      "lk-jwt-service.service"
+    ];
+    content = ''
+      lk-jwt-service: ${config.sops.placeholder."matrix/livekit/keyfile/lk-jwt-service"}
+    '';
+  };
+
+  services.pvv-matrix-well-known.client = lib.mkIf cfg.enable {
+    "org.matrix.msc4143.rtc_foci" = [{
+      type = "livekit";
+      livekit_service_url = "https://${matrixDomain}/livekit/jwt";
+    }];
+  };
+
+  services.livekit = {
+    enable = true;
+    openFirewall = true;
+    keyFile = config.sops.templates."matrix-livekit-keyfile".path;
+
+    # NOTE: needed for ingress/egress workers
+    # redis.createLocally = true;
+
+    # settings.room.auto_create = false;
+  };
+
+  services.lk-jwt-service = lib.mkIf cfg.enable {
+    enable = true;
+    livekitUrl = "wss://${matrixDomain}/livekit/sfu";
+    keyFile = config.sops.templates."matrix-livekit-keyfile".path;
+  };
+
+  systemd.services.lk-jwt-service.environment.LIVEKIT_FULL_ACCESS_HOMESERVERS = lib.mkIf cfg.enable matrixDomain;
+
+  services.nginx.virtualHosts.${matrixDomain} = lib.mkIf cfg.enable {
+    locations."^~ /livekit/jwt/" = {
+      proxyPass = "http://localhost:${toString config.services.lk-jwt-service.port}/";
+    };
+
+    # TODO: load balance to multiple livekit ingress/egress workers
+    locations."^~ /livekit/sfu/" = {
+      proxyPass = "http://localhost:${toString config.services.livekit.settings.port}/";
+      proxyWebsockets = true;
+      extraConfig = ''
+        proxy_send_timeout 120;
+        proxy_read_timeout 120;
+        proxy_buffering off;
+        proxy_set_header Accept-Encoding gzip;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+      '';
+    };
+  };
+}

hosts/bicep/services/matrix/synapse.nix

@@ -15,11 +15,34 @@ in {
     group = config.users.users.matrix-synapse.group;
   };
 
-  sops.secrets."matrix/synapse/user_registration" = {
+  sops.secrets."matrix/synapse/user_registration/registration_shared_secret" = {
     sopsFile = fp /secrets/bicep/matrix.yaml;
-    key = "synapse/signing_key";
+    key = "synapse/user_registration/registration_shared_secret";
+  };
+  sops.templates."matrix-synapse-user-registration" = {
     owner = config.users.users.matrix-synapse.name;
     group = config.users.users.matrix-synapse.group;
+    content = ''
+      registration_shared_secret: ${config.sops.placeholder."matrix/synapse/user_registration/registration_shared_secret"}
+    '';
+  };
+
+  services.rsync-pull-targets = {
+    enable = true;
+    locations.${cfg.settings.media_store_path} = {
+      user = config.services.root;
+      rrsyncArgs.ro = true;
+      authorizedKeysAttrs = [
+        "restrict"
+        "no-agent-forwarding"
+        "no-port-forwarding"
+        "no-pty"
+        "no-X11-forwarding"
+      ];
+      # TODO: create new key on principal
+      enable = false;
+      publicKey = "";
+    };
   };
 
   services.matrix-synapse-next = {
@@ -83,7 +106,7 @@ in {
       mau_stats_only = true;
 
       enable_registration = false;
-      registration_shared_secret_path = config.sops.secrets."matrix/synapse/user_registration".path;
+      registration_shared_secret_path = config.sops.templates."matrix-synapse-user-registration".path;
 
       password_config.enabled = true;
 
@@ -95,6 +118,32 @@ in {
         }
       ];
 
+      experimental_features = {
+        # MSC3266: Room summary API. Used for knocking over federation
+        msc3266_enabled = true;
+        # MSC4222 needed for syncv2 state_after. This allow clients to
+        # correctly track the state of the room.
+        msc4222_enabled = true;
+      };
+
+      # The maximum allowed duration by which sent events can be delayed, as
+      # per MSC4140.
+      max_event_delay_duration = "24h";
+
+      rc_message = {
+        # This needs to match at least e2ee key sharing frequency plus a bit of headroom
+        # Note key sharing events are bursty
+        per_second = 0.5;
+        burst_count = 30;
+      };
+
+      rc_delayed_event_mgmt = {
+        # This needs to match at least the heart-beat frequency plus a bit of headroom
+        # Currently the heart-beat is every 5 seconds which translates into a rate of 0.2s
+        per_second = 1;
+        burst_count = 20;
+      };
+
       trusted_key_servers = [
         { server_name = "matrix.org"; }
         { server_name = "dodsorf.as"; }
@@ -132,21 +181,12 @@ in {
 
   services.redis.servers."".enable = true;
 
+  services.pvv-matrix-well-known.server."m.server" = "matrix.pvv.ntnu.no:443";
+
   services.nginx.virtualHosts."matrix.pvv.ntnu.no" = lib.mkMerge [
   {
     kTLS = true;
   }
-  {
-    locations."/.well-known/matrix/server" = {
-      return = ''
-        200 '{"m.server": "matrix.pvv.ntnu.no:443"}'
-      '';
-      extraConfig = ''
-        default_type application/json;
-        add_header Access-Control-Allow-Origin *;
-      '';
-    };
-  }
   {
     locations."/_synapse/admin" = {
       proxyPass = "http://$synapse_backend";

hosts/bicep/services/matrix/well-known.nix

@@ -0,0 +1,44 @@
+{ config, pkgs, lib, ... }:
+let
+  cfg = config.services.pvv-matrix-well-known;
+  format = pkgs.formats.json { };
+  matrixDomain = "matrix.pvv.ntnu.no";
+in
+{
+  options.services.pvv-matrix-well-known = {
+    client = lib.mkOption {
+      type = lib.types.submodule { freeformType = format.type; };
+      default = { };
+      example = {
+        "m.homeserver".base_url = "https://${matrixDomain}/";
+      };
+    };
+
+    server = lib.mkOption {
+      type = lib.types.submodule { freeformType = format.type; };
+      default = { };
+      example = {
+        "m.server" = "https://${matrixDomain}/";
+      };
+    };
+  };
+
+  config = {
+    services.nginx.virtualHosts.${matrixDomain} = {
+      locations."= /.well-known/matrix/client" = lib.mkIf (cfg.client != { }) {
+        alias = format.generate "nginx-well-known-matrix-server.json" cfg.client;
+        extraConfig = ''
+          default_type application/json;
+          add_header Access-Control-Allow-Origin *;
+        '';
+      };
+      locations."= /.well-known/matrix/server" = lib.mkIf (cfg.server != { }) {
+        alias = format.generate "nginx-well-known-matrix-server.json" cfg.server;
+        extraConfig = ''
+          default_type application/json;
+          add_header Access-Control-Allow-Origin *;
+        '';
+      };
+    };
+  };
+}

hosts/bicep/services/mysql.nix

@@ -1,4 +1,8 @@
-{ pkgs, lib, config, values, ... }:
+{ config, pkgs, lib, values, ... }:
+let
+  cfg = config.services.mysql;
+  dataDir = "/data/mysql";
+in
 {
   sops.secrets."mysql/password" = {
     owner = "mysql";
@@ -9,7 +13,6 @@
 
   services.mysql = {
     enable = true;
-    dataDir = "/data/mysql";
     package = pkgs.mariadb;
     settings = {
       mysqld = {
@@ -36,20 +39,34 @@
     }];
   };
 
-  services.mysqlBackup = {
+  services.mysqlBackup = lib.mkIf cfg.enable {
     enable = true;
     location = "/var/lib/mysql/backups";
   };
 
-  networking.firewall.allowedTCPPorts = [ 3306 ];
+  networking.firewall.allowedTCPPorts = lib.mkIf cfg.enable [ 3306 ];
 
-  systemd.services.mysql.serviceConfig = {
-    IPAddressDeny = "any";
-    IPAddressAllow = [
-      values.ipv4-space
-      values.ipv6-space
-      values.hosts.ildkule.ipv4
-      values.hosts.ildkule.ipv6
+  systemd.tmpfiles.settings."10-mysql".${dataDir}.d = lib.mkIf cfg.enable {
+    inherit (cfg) user group;
+    mode = "0700";
+  };
+
+  systemd.services.mysql = lib.mkIf cfg.enable {
+    after = [
+      "systemd-tmpfiles-setup.service"
+      "systemd-tmpfiles-resetup.service"
     ];
+
+    serviceConfig = {
+      BindPaths = [ "${dataDir}:${cfg.dataDir}" ];
+
+      IPAddressDeny = "any";
+      IPAddressAllow = [
+        values.ipv4-space
+        values.ipv6-space
+        values.hosts.ildkule.ipv4
+        values.hosts.ildkule.ipv6
+      ];
+    };
   };
 }

hosts/bikkje/configuration.nix

@@ -1,6 +1,6 @@
 { config, pkgs, values, ... }:
 {
-    networking.nat = {
+  networking.nat = {
     enable = true;
     internalInterfaces = ["ve-+"];
     externalInterface = "ens3";
@@ -25,6 +25,7 @@
       ];
 
       networking = {
+        hostName = "bikkje";
         firewall = {
           enable = true;
           # Allow SSH and HTTP and ports for email and irc
@@ -36,9 +37,11 @@
         useHostResolvConf = mkForce false;
       };
 
-      system.stateVersion = "23.11";
       services.resolved.enable = true;
+
+      # Don't change (even during upgrades) unless you know what you are doing.
+      # See https://search.nixos.org/options?show=system.stateVersion
+      system.stateVersion = "23.11";
     };
   };
-
 };

hosts/brzeczyszczykiewicz/configuration.nix

@@ -8,28 +8,14 @@
       ./services/grzegorz.nix
     ];
 
-  boot.loader.systemd-boot.enable = true;
-  boot.loader.efi.canTouchEfiVariables = true;
-
-  networking.hostName = "brzeczyszczykiewicz";
-
   systemd.network.networks."30-eno1" = values.defaultNetworkConfig // {
     matchConfig.Name = "eno1";
     address = with values.hosts.brzeczyszczykiewicz; [ (ipv4 + "/25") (ipv6 + "/64") ];
   };
 
-  # List packages installed in system profile
-  environment.systemPackages = with pkgs; [
-  ];
-
-  # List services that you want to enable:
-
-  # This value determines the NixOS release from which the default
-  # settings for stateful data, like file locations and database versions
-  # on your system were taken. It‘s perfectly fine and recommended to leave
-  # this value at the release version of the first install of this system.
-  # Before changing this value read the documentation for this option
-  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
-  system.stateVersion = "23.05"; # Did you read the comment?
+  fonts.fontconfig.enable = true;
 
+  # Don't change (even during upgrades) unless you know what you are doing.
+  # See https://search.nixos.org/options?show=system.stateVersion
+  system.stateVersion = "25.11";
 }

hosts/brzeczyszczykiewicz/hardware-configuration.nix

@@ -1,4 +1,4 @@
-# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# Do not modify this file!  It was generated by 'nixos-generate-config'
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 { config, lib, pkgs, modulesPath, ... }:

hosts/georg/configuration.nix

@@ -8,24 +8,11 @@
       (fp /modules/grzegorz.nix)
     ];
 
-  boot.loader.systemd-boot.enable = true;
-  boot.loader.efi.canTouchEfiVariables = true;
-
-  networking.hostName = "georg";
-
   systemd.network.networks."30-eno1" = values.defaultNetworkConfig // {
     matchConfig.Name = "eno1";
     address = with values.hosts.georg; [ (ipv4 + "/25") (ipv6 + "/64") ];
   };
 
-  # List packages installed in system profile
-  environment.systemPackages = with pkgs; [
-  ];
-
-  # List services that you want to enable:
-
-
-
   services.spotifyd = {
     enable = true;
     settings.global = {
@@ -41,15 +28,9 @@
     5353 # spotifyd is its own mDNS service wtf
   ];
 
+  fonts.fontconfig.enable = true;
 
-
-
-  # This value determines the NixOS release from which the default
-  # settings for stateful data, like file locations and database versions
-  # on your system were taken. It‘s perfectly fine and recommended to leave
-  # this value at the release version of the first install of this system.
-  # Before changing this value read the documentation for this option
-  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
-  system.stateVersion = "23.05"; # Did you read the comment?
-
+  # Don't change (even during upgrades) unless you know what you are doing.
+  # See https://search.nixos.org/options?show=system.stateVersion
+  system.stateVersion = "25.11";
 }

hosts/georg/hardware-configuration.nix

@@ -1,4 +1,4 @@
-# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# Do not modify this file!  It was generated by 'nixos-generate-config'
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 { config, lib, pkgs, modulesPath, ... }:

hosts/gluttony/configuration.nix

@@ -0,0 +1,60 @@
+{
+  fp,
+  lib,
+  values,
+  ...
+}:
+{
+  imports = [
+    ./hardware-configuration.nix
+    (fp /base)
+  ];
+
+  systemd.network.enable = lib.mkForce false;
+  boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
+
+  boot.loader = {
+    systemd-boot.enable = false; # no uefi support on this device
+    grub.device = "/dev/sda";
+    grub.enable = true;
+  };
+  boot.tmp.cleanOnBoot = true;
+
+  networking =
+    let
+      hostConf = values.hosts.gluttony;
+    in
+    {
+      tempAddresses = "disabled";
+      useDHCP = false;
+
+      search = values.defaultNetworkConfig.domains;
+      nameservers = values.defaultNetworkConfig.dns;
+      defaultGateway.address = hostConf.ipv4_internal_gw;
+
+      interfaces."ens3" = {
+        ipv4.addresses = [
+          {
+            address = hostConf.ipv4;
+            prefixLength = 32;
+          }
+          {
+            address = hostConf.ipv4_internal;
+            prefixLength = 24;
+          }
+        ];
+        ipv6.addresses = [
+          {
+            address = hostConf.ipv6;
+            prefixLength = 64;
+          }
+        ];
+      };
+    };
+
+  services.qemuGuest.enable = true;
+
+  # Don't change (even during upgrades) unless you know what you are doing.
+  # See https://search.nixos.org/options?show=system.stateVersion
+  system.stateVersion = "25.11";
+}

hosts/gluttony/hardware-configuration.nix

@@ -0,0 +1,50 @@
+# Do not modify this file!  It was generated by 'nixos-generate-config'
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{
+  config,
+  lib,
+  pkgs,
+  modulesPath,
+  ...
+}:
+
+{
+  imports = [
+    (modulesPath + "/profiles/qemu-guest.nix")
+  ];
+
+  boot.initrd.availableKernelModules = [
+    "ata_piix"
+    "uhci_hcd"
+    "virtio_pci"
+    "virtio_scsi"
+    "sd_mod"
+  ];
+  boot.initrd.kernelModules = [ "dm-snapshot" ];
+  boot.kernelModules = [ ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" = {
+    device = "/dev/mapper/pool-root";
+    fsType = "ext4";
+  };
+
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-uuid/D00A-B488";
+    fsType = "vfat";
+    options = [
+      "fmask=0077"
+      "dmask=0077"
+    ];
+  };
+
+  swapDevices = [
+    {
+      device = "/var/lib/swapfile";
+      size = 8 * 1024;
+    }
+  ];
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}

hosts/ildkule/configuration.nix

@@ -7,13 +7,10 @@
 
       ./services/monitoring
       ./services/nginx
+      ./services/journald-remote.nix
     ];
 
-  sops.defaultSopsFile = fp /secrets/ildkule/ildkule.yaml;
-  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
-  sops.age.keyFile = "/var/lib/sops-nix/key.txt";
-  sops.age.generateKey = true;
-
+  boot.loader.systemd-boot.enable = false;
   boot.loader.grub.device = "/dev/vda";
   boot.tmp.cleanOnBoot = true;
   zramSwap.enable = true;
@@ -23,7 +20,6 @@
   networking = let
     hostConf = values.hosts.ildkule;
   in {
-    hostName = "ildkule";
     tempAddresses = "disabled";
     useDHCP = lib.mkForce true;
 
@@ -42,13 +38,9 @@
     };
   };
 
-  # List packages installed in system profile
-  environment.systemPackages = with pkgs; [
-  ];
-
-  # No devices with SMART
-  services.smartd.enable = false;
-
-  system.stateVersion = "23.11"; # Did you read the comment?
+  services.qemuGuest.enable = true;
 
+  # Don't change (even during upgrades) unless you know what you are doing.
+  # See https://search.nixos.org/options?show=system.stateVersion
+  system.stateVersion = "23.11";
 }

hosts/ildkule/services/journald-remote.nix

@@ -0,0 +1,58 @@
+{ config, lib, values, ... }:
+let
+  cfg = config.services.journald.remote;
+  domainName = "journald.pvv.ntnu.no";
+in
+{
+  security.acme.certs.${domainName} = {
+    webroot = "/var/lib/acme/acme-challenge/";
+    group = config.services.nginx.group;
+  };
+
+  services.nginx = {
+    enable = true;
+    virtualHosts.${domainName} = {
+      forceSSL = true;
+      useACMEHost = "${domainName}";
+      locations."/.well-known/".root = "/var/lib/acme/acme-challenge/";
+    };
+  };
+
+  services.journald.upload.enable = lib.mkForce false;
+
+  services.journald.remote = {
+    enable = true;
+    settings.Remote = let
+      inherit (config.security.acme.certs.${domainName}) directory;
+    in {
+      ServerKeyFile = "/run/credentials/systemd-journal-remote.service/key.pem";
+      ServerCertificateFile = "/run/credentials/systemd-journal-remote.service/cert.pem";
+      TrustedCertificateFile = "-";
+    };
+  };
+
+  systemd.sockets."systemd-journal-remote" = {
+    socketConfig = {
+      IPAddressDeny = "any";
+      IPAddressAllow = [
+        "127.0.0.1"
+        "::1"
+        values.ipv4-space
+        values.ipv6-space
+      ];
+    };
+  };
+
+  networking.firewall.allowedTCPPorts = [ cfg.port ];
+
+  systemd.services."systemd-journal-remote" = {
+    serviceConfig = {
+      LoadCredential = let
+        inherit (config.security.acme.certs.${domainName}) directory;
+      in [
+        "key.pem:${directory}/key.pem"
+        "cert.pem:${directory}/cert.pem"
+      ];
+    };
+  };
+}

hosts/ildkule/services/monitoring/dashboards/mysql.json

@@ -1899,7 +1899,7 @@
       "dashes": false,
       "datasource": "$datasource",
       "decimals": 0,
-      "description": "***System Memory***: Total Memory for the system.\\\n***InnoDB Buffer Pool Data***: InnoDB maintains a storage area called the buffer pool for caching data and indexes in memory.\\\n***TokuDB Cache Size***: Similar in function to the InnoDB Buffer Pool,  TokuDB will allocate 50% of the installed RAM for its own cache.\\\n***Key Buffer Size***: Index blocks for MYISAM tables are buffered and are shared by all threads. key_buffer_size is the size of the buffer used for index blocks.\\\n***Adaptive Hash Index Size***: When InnoDB notices that some index values are being accessed very frequently, it builds a hash index for them in memory on top of B-Tree indexes.\\\n ***Query Cache Size***: The query cache stores the text of a SELECT statement together with the corresponding result that was sent to the client. The query cache has huge scalability problems in that only one thread can do an operation in the query cache at the same time.\\\n***InnoDB Dictionary Size***: The data dictionary is InnoDB ‘s internal catalog of tables. InnoDB stores the data dictionary on disk, and loads entries into memory while the server is running.\\\n***InnoDB Log Buffer Size***: The MySQL InnoDB log buffer allows transactions to run without having to write the log to disk before the transactions commit.",
+      "description": "***System Memory***: Total Memory for the system.\\\n***InnoDB Buffer Pool Data***: InnoDB maintains a storage area called the buffer pool for caching data and indexes in memory.\\\n***TokuDB Cache Size***: Similar in function to the InnoDB Buffer Pool,  TokuDB will allocate 50% of the installed RAM for its own cache.\\\n***Key Buffer Size***: Index blocks for MYISAM tables are buffered and are shared by all threads. key_buffer_size is the size of the buffer used for index blocks.\\\n***Adaptive Hash Index Size***: When InnoDB notices that some index values are being accessed very frequently, it builds a hash index for them in memory on top of B-Tree indexes.\\\n ***Query Cache Size***: The query cache stores the text of a SELECT statement together with the corresponding result that was sent to the client. The query cache has huge scalability problems in that only one thread can do an operation in the query cache at the same time.\\\n***InnoDB Dictionary Size***: The data dictionary is InnoDB 's internal catalog of tables. InnoDB stores the data dictionary on disk, and loads entries into memory while the server is running.\\\n***InnoDB Log Buffer Size***: The MySQL InnoDB log buffer allows transactions to run without having to write the log to disk before the transactions commit.",
       "editable": true,
       "error": false,
       "fieldConfig": {

hosts/ildkule/services/monitoring/prometheus/machines.nix

@@ -19,15 +19,18 @@ in {
       (mkHostScrapeConfig "bicep" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
       (mkHostScrapeConfig "brzeczyszczykiewicz" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
       (mkHostScrapeConfig "georg" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
+      (mkHostScrapeConfig "gluttony" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
       (mkHostScrapeConfig "kommode" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
-      (mkHostScrapeConfig "ustetind" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
-      (mkHostScrapeConfig "wenche" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
-
       (mkHostScrapeConfig "lupine-1" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
-      # (mkHostScrapeConfig "lupine-2" [ defaultNodeExporterPort defaultSystemdExporterPort ])
+      (mkHostScrapeConfig "lupine-2" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
       (mkHostScrapeConfig "lupine-3" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
       (mkHostScrapeConfig "lupine-4" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
       (mkHostScrapeConfig "lupine-5" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
+      (mkHostScrapeConfig "temmie" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
+      (mkHostScrapeConfig "ustetind" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
+      (mkHostScrapeConfig "wenche" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
+
+      (mkHostScrapeConfig "skrott" [ defaultNodeExporterPort defaultSystemdExporterPort ])
 
       (mkHostScrapeConfig "hildring" [ defaultNodeExporterPort ])
       (mkHostScrapeConfig "isvegg" [ defaultNodeExporterPort ])

hosts/kommode/configuration.nix

@@ -4,21 +4,12 @@
     # Include the results of the hardware scan.
     ./hardware-configuration.nix
     (fp /base)
+    ./disks.nix
 
     ./services/gitea
     ./services/nginx.nix
   ];
 
-  sops.defaultSopsFile = fp /secrets/kommode/kommode.yaml;
-  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
-  sops.age.keyFile = "/var/lib/sops-nix/key.txt";
-  sops.age.generateKey = true;
-
-  boot.loader.systemd-boot.enable = true;
-  boot.loader.efi.canTouchEfiVariables = true;
-
-  networking.hostName = "kommode"; # Define your hostname.
-
   systemd.network.networks."30-ens18" = values.defaultNetworkConfig // {
     matchConfig.Name = "ens18";
     address = with values.hosts.kommode; [ (ipv4 + "/25") (ipv6 + "/64") ];
@@ -26,7 +17,9 @@
 
   services.btrfs.autoScrub.enable = true;
 
-  environment.systemPackages = with pkgs; [];
+  services.qemuGuest.enable = true;
 
+  # Don't change (even during upgrades) unless you know what you are doing.
+  # See https://search.nixos.org/options?show=system.stateVersion
   system.stateVersion = "24.11";
 }

hosts/kommode/disks.nix

@@ -0,0 +1,80 @@
+{ lib, ... }:
+{
+  disko.devices = {
+    disk = {
+      sda = {
+        type = "disk";
+        device = "/dev/sda";
+        content = {
+          type = "gpt";
+          partitions = {
+            root = {
+              name = "root";
+              label = "root";
+              start = "1MiB";
+              end = "-5G";
+              content = {
+                type = "btrfs";
+                extraArgs = [ "-f" ]; # Override existing partition
+                # subvolumes = let
+                #   makeSnapshottable = subvolPath: mountOptions: let
+                #     name = lib.replaceString "/" "-" subvolPath;
+                #   in {
+                #     "@${name}/active" = {
+                #       mountPoint = subvolPath;
+                #       inherit mountOptions;
+                #     };
+                #     "@${name}/snapshots" = {
+                #       mountPoint = "${subvolPath}/.snapshots";
+                #       inherit mountOptions;
+                #     };
+                #   };
+                # in {
+                #   "@" = { };
+                #   "@/swap" = {
+                #     mountpoint = "/.swapvol";
+                #     swap.swapfile.size = "4G";
+                #   };
+                #   "@/root" = {
+                #     mountpoint = "/";
+                #     mountOptions = [ "compress=zstd" "noatime" ];
+                #   };
+                # }
+                # // (makeSnapshottable "/home" [ "compress=zstd" "noatime" ])
+                # // (makeSnapshottable "/nix" [ "compress=zstd" "noatime" ])
+                # // (makeSnapshottable "/var/lib" [ "compress=zstd" "noatime" ])
+                # // (makeSnapshottable "/var/log" [ "compress=zstd" "noatime" ])
+                # // (makeSnapshottable "/var/cache" [ "compress=zstd" "noatime" ]);
+
+                # swap.swapfile.size = "4G";
+                mountpoint = "/";
+              };
+            };
+
+            swap = {
+              name = "swap";
+              label = "swap";
+              start = "-5G";
+              end = "-1G";
+              content.type = "swap";
+            };
+
+            ESP = {
+              name = "ESP";
+              label = "ESP";
+              start = "-1G";
+              end = "100%";
+              type = "EF00";
+              content = {
+                type = "filesystem";
+                format = "vfat";
+                mountpoint = "/boot";
+                mountOptions = [ "umask=0077" ];
+              };
+            };
+          };
+        };
+      };
+    };
+  };
+}

hosts/kommode/hardware-configuration.nix

@@ -1,4 +1,4 @@
-# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# Do not modify this file!  It was generated by 'nixos-generate-config'
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 { config, lib, pkgs, modulesPath, ... }:
@@ -13,21 +13,6 @@
   boot.kernelModules = [ ];
   boot.extraModulePackages = [ ];
 
-  fileSystems."/" =
-    { device = "/dev/disk/by-uuid/d421538f-a260-44ae-8e03-47cac369dcc1";
-      fsType = "btrfs";
-    };
-
-  fileSystems."/boot" =
-    { device = "/dev/disk/by-uuid/86CD-4C23";
-      fsType = "vfat";
-      options = [ "fmask=0077" "dmask=0077" ];
-    };
-
-  swapDevices =
-    [ { device = "/dev/disk/by-uuid/4cfbb41e-801f-40dd-8c58-0a0c1a6025f6"; }
-    ];
-
   # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
   # (the default) this is the recommended approach. When using systemd-networkd it's
   # still possible to use this option, but it's recommended to use it in conjunction

hosts/kommode/services/gitea/customization/labels/projects.json

@@ -35,6 +35,12 @@
     "color": "#ed1111",
     "description": "Report an oopsie"
   },
+  {
+    "name": "developer experience",
+    "exclusive": false,
+    "color": "#eb6420",
+    "description": "Think about the developers"
+  },
   {
     "name": "disputed",
     "exclusive": false,

hosts/kommode/services/gitea/default.nix

@@ -193,109 +193,6 @@ in {
     };
   };
 
-  environment.robots-txt."gitea" = {
-    virtualHost = domain;
-    rules = [
-      {
-        pre_comment = ''
-          Gitea internals
-
-          See these for more information:
-          - https://gitea.com/robots.txt
-          - https://codeberg.org/robots.txt
-        '';
-        User-agent = "*";
-        Disallow = [
-          "/api/*"
-          "/avatars"
-          "/*/*/src/commit/*"
-          "/*/*/commit/*"
-          "/*/*/*/refs/*"
-          "/*/*/*/star"
-          "/*/*/*/watch"
-          "/*/*/labels"
-          "/*/*/activity/*"
-          "/vendor/*"
-          "/swagger.*.json"
-          "/repo/create"
-          "/repo/migrate"
-          "/org/create"
-          "/*/*/fork"
-          "/*/*/watchers"
-          "/*/*/stargazers"
-          "/*/*/forks"
-          "*/.git/"
-          "/*.git"
-          "/*.atom"
-          "/*.rss"
-        ];
-      }
-      {
-        pre_comment = "Language Spam";
-        Disallow = "/*?lang=";
-      }
-      {
-        pre_comment = ''
-          AI bots
-
-          Sourced from:
-          - https://www.vg.no/robots.txt
-          - https://codeberg.org/robots.txt
-        '';
-        User-agent = [
-          "AI2Bot"
-          "Ai2Bot-Dolma"
-          "Amazonbot"
-          "Applebot-Extended"
-          "Bytespider"
-          "CCBot"
-          "ChatGPT-User"
-          "Claude-Web"
-          "ClaudeBot"
-          "Crawlspace"
-          "Diffbot"
-          "FacebookBot"
-          "FriendlyCrawler"
-          "GPTBot"
-          "Google-Extended"
-          "ICC-Crawler"
-          "ImagesiftBot"
-          "Kangaroo Bot"
-          "Meta-ExternalAgent"
-          "OAI-SearchBot"
-          "Omgili"
-          "Omgilibot"
-          "PanguBot"
-          "PerplexityBot"
-          "PetalBot"
-          "Scrapy"
-          "SemrushBot-OCOB"
-          "Sidetrade indexer bot"
-          "Timpibot"
-          "VelenPublicWebCrawler"
-          "Webzio-Extended"
-          "YouBot"
-          "anthropic-ai"
-          "cohere-ai"
-          "cohere-training-data-crawler"
-          "facebookexternalhit"
-          "iaskspider/2.0"
-          "img2dataset"
-          "meta-externalagent"
-          "omgili"
-          "omgilibot"
-        ];
-        Disallow = "/";
-      }
-      {
-        Crawl-delay = "2";
-      }
-      {
-        Sitemap = "https://${domain}/sitemap.xml";
-      }
-    ];
-  };
-
   networking.firewall.allowedTCPPorts = [ sshPort ];
 
   systemd.services.gitea-dump = {

hosts/lupine/configuration.nix

@@ -9,12 +9,6 @@
   ];
 
   sops.defaultSopsFile = fp /secrets/lupine/lupine.yaml;
-  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
-  sops.age.keyFile = "/var/lib/sops-nix/key.txt";
-  sops.age.generateKey = true;
-
-  boot.loader.systemd-boot.enable = true;
-  boot.loader.efi.canTouchEfiVariables = true;
 
   systemd.network.networks."30-enp0s31f6" = values.defaultNetworkConfig // {
     matchConfig.Name = "enp0s31f6";
@@ -28,7 +22,7 @@
   # There are no smart devices
   services.smartd.enable = false;
 
-  # Do not change, even during upgrades.
+  # Don't change (even during upgrades) unless you know what you are doing.
   # See https://search.nixos.org/options?show=system.stateVersion
   system.stateVersion = "25.05";
 }

hosts/lupine/hardware-configuration/lupine-1.nix

@@ -1,4 +1,4 @@
-# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# Do not modify this file!  It was generated by 'nixos-generate-config'
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 { config, lib, pkgs, modulesPath, ... }:

hosts/lupine/hardware-configuration/lupine-2.nix

@@ -1,4 +1,4 @@
-# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# Do not modify this file!  It was generated by 'nixos-generate-config'
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 { config, lib, pkgs, modulesPath, ... }:

hosts/lupine/hardware-configuration/lupine-3.nix

@@ -1,4 +1,4 @@
-# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# Do not modify this file!  It was generated by 'nixos-generate-config'
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 { config, lib, pkgs, modulesPath, ... }:

hosts/lupine/hardware-configuration/lupine-4.nix

@@ -1,4 +1,4 @@
-# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# Do not modify this file!  It was generated by 'nixos-generate-config'
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 { config, lib, pkgs, modulesPath, ... }:

hosts/lupine/hardware-configuration/lupine-5.nix

@@ -1,4 +1,4 @@
-# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# Do not modify this file!  It was generated by 'nixos-generate-config'
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 { config, lib, pkgs, modulesPath, ... }:

hosts/shark/configuration.nix

@@ -6,33 +6,14 @@
       (fp /base)
     ];
 
-  sops.defaultSopsFile = fp /secrets/shark/shark.yaml;
-  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
-  sops.age.keyFile = "/var/lib/sops-nix/key.txt";
-  sops.age.generateKey = true;
-
-  boot.loader.systemd-boot.enable = true;
-  boot.loader.efi.canTouchEfiVariables = true;
-
-  networking.hostName = "shark"; # Define your hostname.
-
   systemd.network.networks."30-ens18" = values.defaultNetworkConfig // {
     matchConfig.Name = "ens18";
     address = with values.hosts.shark; [ (ipv4 + "/25") (ipv6 + "/64") ];
   };
 
-  # List packages installed in system profile
-  environment.systemPackages = with pkgs; [
-  ];
-
-  # List services that you want to enable:
-
-  # This value determines the NixOS release from which the default
-  # settings for stateful data, like file locations and database versions
-  # on your system were taken. It‘s perfectly fine and recommended to leave
-  # this value at the release version of the first install of this system.
-  # Before changing this value read the documentation for this option
-  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
-  system.stateVersion = "23.05"; # Did you read the comment?
+  services.qemuGuest.enable = true;
 
+  # Don't change (even during upgrades) unless you know what you are doing.
+  # See https://search.nixos.org/options?show=system.stateVersion
+  system.stateVersion = "25.11";
 }

hosts/shark/hardware-configuration.nix

@@ -1,4 +1,4 @@
-# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# Do not modify this file!  It was generated by 'nixos-generate-config'
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 { config, lib, pkgs, modulesPath, ... }:

hosts/skrott/configuration.nix

@@ -0,0 +1,112 @@
+{ config, pkgs, lib, modulesPath, fp, values, ... }: {
+  imports = [
+    (modulesPath + "/profiles/perlless.nix")
+
+    (fp /base)
+  ];
+
+  # Disable import of a bunch of tools we don't need from nixpkgs.
+  disabledModules = [ "profiles/base.nix" ];
+
+  sops.defaultSopsFile = fp /secrets/skrott/skrott.yaml;
+
+  boot = {
+    consoleLogLevel = 0;
+    enableContainers = false;
+    loader.grub.enable = false;
+    loader.systemd-boot.enable = false;
+    kernelPackages = pkgs.linuxPackages;
+  };
+
+  hardware = {
+    enableAllHardware = lib.mkForce false;
+    firmware = [ pkgs.raspberrypiWirelessFirmware ];
+  };
+
+  # Now turn off a bunch of stuff lol
+  # TODO: can we reduce further?
+  # See also https://nixcademy.com/posts/minimizing-nixos-images/
+  system.autoUpgrade.enable = lib.mkForce false;
+  services.irqbalance.enable = lib.mkForce false;
+  services.logrotate.enable = lib.mkForce false;
+  services.nginx.enable = lib.mkForce false;
+  services.postfix.enable = lib.mkForce false;
+  services.smartd.enable = lib.mkForce false;
+  services.udisks2.enable = lib.mkForce false;
+  services.thermald.enable = lib.mkForce false;
+  services.promtail.enable = lib.mkForce false;
+  # There aren't really that many firmware updates for rbpi3 anyway
+  services.fwupd.enable = lib.mkForce false;
+
+  documentation.enable = lib.mkForce false;
+
+  environment.enableAllTerminfo = lib.mkForce false;
+
+  programs.neovim.enable = lib.mkForce false;
+  programs.zsh.enable = lib.mkForce false;
+  programs.git.package = pkgs.gitMinimal;
+
+  nix.registry = lib.mkForce { };
+  nix.nixPath = lib.mkForce [ ];
+
+  sops.secrets = {
+    "dibbler/postgresql/password" = {
+      owner = "dibbler";
+      group = "dibbler";
+    };
+  };
+
+  # zramSwap.enable = true;
+
+  networking = {
+    hostName = "skrot";
+    defaultGateway = values.hosts.gateway;
+    defaultGateway6 = values.hosts.gateway6;
+    interfaces.eth0 = {
+      useDHCP = false;
+      ipv4.addresses = [{
+        address = values.hosts.skrott.ipv4;
+        prefixLength = 25;
+      }];
+      ipv6.addresses = [{
+        address = values.hosts.skrott.ipv6;
+        prefixLength = 25;
+      }];
+    };
+  };
+
+  services.dibbler = {
+    enable = true;
+    kioskMode = true;
+    limitScreenWidth = 80;
+    limitScreenHeight = 42;
+
+    settings = {
+      general.quit_allowed = false;
+      database = {
+        type = "postgresql";
+        postgresql = {
+          username = "pvv_vv";
+          dbname = "pvv_vv";
+          host = "postgres.pvv.ntnu.no";
+          password_file = config.sops.secrets."dibbler/postgresql/password".path;
+        };
+      };
+    };
+  };
+
+  # https://github.com/NixOS/nixpkgs/issues/84105
+  boot.kernelParams = lib.mkIf (!config.virtualisation.isVmVariant) [
+    "console=ttyUSB0,9600"
+    # "console=tty1" # Already part of the module
+  ];
+  systemd.services."serial-getty@ttyUSB0" = lib.mkIf (!config.virtualisation.isVmVariant) {
+    enable = true;
+    wantedBy = [ "getty.target" ]; # to start at boot
+    serviceConfig.Restart = "always"; # restart when session is closed
+  };
+
+  # Don't change (even during upgrades) unless you know what you are doing.
+  # See https://search.nixos.org/options?show=system.stateVersion
+  system.stateVersion = "25.11";
+}

hosts/temmie/configuration.nix

@@ -0,0 +1,24 @@
+{ config, fp, pkgs, values, ... }:
+{
+  imports = [
+    # Include the results of the hardware scan.
+    ./hardware-configuration.nix
+    (fp /base)
+
+    ./services/nfs-mounts.nix
+    ./services/userweb.nix
+  ];
+
+  systemd.network.networks."30-ens18" = values.defaultNetworkConfig // {
+    matchConfig.Name = "ens18";
+    address = with values.hosts.temmie; [ (ipv4 + "/25") (ipv6 + "/64") ];
+  };
+
+  services.nginx.enable = false;
+
+  services.qemuGuest.enable = true;
+
+  # Don't change (even during upgrades) unless you know what you are doing.
+  # See https://search.nixos.org/options?show=system.stateVersion
+  system.stateVersion = "25.11";
+}

hosts/temmie/hardware-configuration.nix

@@ -0,0 +1,30 @@
+# Do not modify this file!  It was generated by 'nixos-generate-config'
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/profiles/qemu-guest.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/c3aed415-0054-4ac5-8d29-75a99cc26451";
+      fsType = "btrfs";
+    };
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/A367-83FD";
+      fsType = "vfat";
+      options = [ "fmask=0022" "dmask=0022" ];
+    };
+
+  swapDevices = [ ];
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}

hosts/temmie/services/nfs-mounts.nix

@@ -0,0 +1,60 @@
+{ lib, values, ... }:
+let
+  # See microbel:/etc/exports
+  letters = [ "a" "b" "c" "d"  "h" "i" "j" "k" "l" "m" "z" ];
+in
+{
+  systemd.targets."pvv-homedirs" = {
+    description = "PVV Homedir Partitions";
+  };
+
+  systemd.mounts = map (l: {
+    description = "PVV Homedir Partition ${l}";
+
+    before = [ "remote-fs.target" ];
+    wantedBy = [ "multi-user.target" ];
+    requiredBy = [ "pvv-homedirs.target" ];
+
+    type = "nfs";
+    what = "homepvv${l}.pvv.ntnu.no:/export/home/pvv/${l}";
+    where = "/run/pvv-home-mounts/${l}";
+
+    options = lib.concatStringsSep "," [
+      "nfsvers=3"
+
+      # NOTE: this is a bit unfortunate. The address above seems to resolve to IPv6 sometimes,
+      #       and it doesn't seem possible to specify proto=tcp,tcp6, meaning we have to tell
+      #       NFS which exact address to use here, despite it being specified in the `what` attr :\
+      "proto=tcp"
+      "addr=${values.hosts.microbel.ipv4}"
+      "mountproto=tcp"
+      "mounthost=${values.hosts.microbel.ipv4}"
+      "port=2049"
+
+      # NOTE: this is yet more unfortunate. When enabling locking, it will sometimes complain about connection failed.
+      #       dmesg(1) reveals that it has something to do with registering the lockdv1 RPC service (errno: 111), not
+      #       quite sure how to fix it. Living life on dangerous mode for now.
+      "nolock"
+
+      # Don't wait on every read/write
+      "async"
+
+      # Always keep mounted
+      "noauto"
+
+      # We don't want to update access time constantly
+      "noatime"
+
+      # No SUID/SGID, no special devices
+      "nosuid"
+      "nodev"
+
+      # TODO: are there cgi scripts that modify stuff in peoples homedirs?
+      # "ro"
+      "rw"
+
+      # TODO: can we enable this and still run cgi stuff?
+      # "noexec"
+    ];
+  }) letters;
+}

hosts/temmie/services/userweb.nix

@@ -0,0 +1,29 @@
+{ ... }:
+{
+  services.httpd = {
+    enable = true;
+
+    # extraModules = [];
+
+    # virtualHosts."userweb.pvv.ntnu.no" = {
+    virtualHosts."temmie.pvv.ntnu.no" = {
+
+      forceSSL = true;
+      enableACME = true;
+    };
+  };
+
+  systemd.services.httpd = {
+    after = [ "pvv-homedirs.target" ];
+    requires = [ "pvv-homedirs.target" ];
+
+    serviceConfig = {
+      ProtectHome = "tmpfs";
+      BindPaths = let
+        letters = [ "a" "b" "c" "d"  "h" "i" "j" "k" "l" "m" "z" ];
+      in map (l: "/run/pvv-home-mounts/${l}:/home/pvv/${l}") letters;
+    };
+  };
+
+  # TODO: create phpfpm pools with php environments that contain packages similar to those present on tom
+}

hosts/ustetind/configuration.nix

@@ -7,12 +7,7 @@
     ./services/gitea-runners.nix
   ];
 
-  sops.defaultSopsFile = fp /secrets/ustetind/ustetind.yaml;
-  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
-  sops.age.keyFile = "/var/lib/sops-nix/key.txt";
-  sops.age.generateKey = true;
-
-  networking.hostName = "ustetind";
+  boot.loader.systemd-boot.enable = false;
 
   networking.useHostResolvConf = lib.mkForce false;
 
@@ -39,5 +34,7 @@
     };
   };
 
+  # Don't change (even during upgrades) unless you know what you are doing.
+  # See https://search.nixos.org/options?show=system.stateVersion
   system.stateVersion = "24.11";
 }

hosts/wenche/configuration.nix

@@ -14,15 +14,9 @@
     "armv7l-linux"
   ];
 
-  sops.defaultSopsFile = fp /secrets/wenche/wenche.yaml;
-  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
-  sops.age.keyFile = "/var/lib/sops-nix/key.txt";
-  sops.age.generateKey = true;
-
+  boot.loader.systemd-boot.enable = false;
   boot.loader.grub.device = "/dev/sda";
 
-  networking.hostName = "wenche"; # Define your hostname.
-
   systemd.network.networks."30-ens18" = values.defaultNetworkConfig // {
     matchConfig.Name = "ens18";
     address = with values.hosts.wenche; [ (ipv4 + "/25") (ipv6 + "/64") ];
@@ -36,9 +30,9 @@
     package = config.boot.kernelPackages.nvidiaPackages.production;
   };
 
-  # List packages installed in system profile
-  environment.systemPackages = with pkgs; [
-  ];
+  services.qemuGuest.enable = true;
 
-  system.stateVersion = "24.11"; # Did you read the comment?
+  # Don't change (even during upgrades) unless you know what you are doing.
+  # See https://search.nixos.org/options?show=system.stateVersion
+  system.stateVersion = "24.11";
 }

modules/bluemap.nix

@@ -13,11 +13,32 @@ let
         (format.generate "${name}.conf" value))
       cfg.storage);
 
-  mapsFolder = pkgs.linkFarm "maps"
-    (lib.attrsets.mapAttrs' (name: value:
-      lib.nameValuePair "${name}.conf"
-        (format.generate "${name}.conf" value.settings))
-      cfg.maps);
+  generateMapConfigWithMarkerData = name: { extraHoconMarkersFile, settings, ... }:
+    assert (extraHoconMarkersFile == null) != ((settings.marker-sets or { }) == { });
+    lib.pipe settings (
+      (lib.optionals (extraHoconMarkersFile != null) [
+        (settings: lib.recursiveUpdate settings {
+          marker-placeholder = "###ASDF###";
+        })
+      ]) ++ [
+        (format.generate "${name}.conf")
+      ] ++ (lib.optionals (extraHoconMarkersFile != null) [
+        (hoconFile: pkgs.runCommand "${name}-patched.conf" { } ''
+          mkdir -p "$(dirname "$out")"
+          cp '${hoconFile}' "$out"
+          substituteInPlace "$out" \
+            --replace-fail '"marker-placeholder" = "###ASDF###"' "\"marker-sets\" = $(cat '${extraHoconMarkersFile}')"
+        '')
+      ])
+    );
+
+  mapsFolder = lib.pipe cfg.maps [
+    (lib.attrsets.mapAttrs' (name: value: {
+      name = "${name}.conf";
+      value = generateMapConfigWithMarkerData name value;
+    }))
+    (pkgs.linkFarm "maps")
+  ];
 
   webappConfigFolder = pkgs.linkFarm "bluemap-config" {
     "maps" = mapsFolder;
@@ -30,7 +51,7 @@ let
 
   renderConfigFolder = name: value: pkgs.linkFarm "bluemap-${name}-config" {
     "maps" = pkgs.linkFarm "maps" {
-      "${name}.conf" = (format.generate "${name}.conf" value.settings);
+      "${name}.conf" = generateMapConfigWithMarkerData name value;
     };
     "storages" = storageFolder;
     "core.conf" = coreConfig;
@@ -160,6 +181,18 @@ in {
             defaultText = lib.literalExpression "config.services.bluemap.packs";
             description = "A set of resourcepacks, datapacks, and mods to extract resources from, loaded in alphabetical order.";
           };
+
+          extraHoconMarkersFile = mkOption {
+            type = lib.types.nullOr lib.types.path;
+            default = null;
+            description = ''
+              Path to a hocon file containing marker data.
+              The content of this file will be injected into the map config file in a separate derivation.
+
+              DO NOT SEND THIS TO NIXPKGS, IT'S AN UGLY HACK.
+            '';
+          };
+
           settings = mkOption {
             type = (lib.types.submodule {
               freeformType = format.type;

modules/gickup/update-linktree.nix

@@ -16,6 +16,8 @@ in
 
     # TODO: update symlink for one repo at a time (e.g. gickup-linktree@<instance>.service)
     systemd.services."gickup-linktree" = {
+      after = map ({ slug, ... }: "gickup@${slug}.service") (lib.attrValues cfg.instances);
+      wantedBy = [ "gickup.target" ];
       serviceConfig = {
         Type = "oneshot";
         ExecStart = let

modules/grzegorz.nix

@@ -37,19 +37,23 @@ in {
   services.nginx.enable = true;
   services.nginx.virtualHosts = {
     ${config.networking.fqdn} = {
+      # NOTE: this overrides the default config in base/services/nginx.nix
+      addSSL = false;
       forceSSL = true;
       enableACME = true;
+
       kTLS = true;
+
       serverAliases = [
         "${machine}.pvv.org"
       ];
       extraConfig = ''
         # pvv
-        allow ${values.ipv4-space}
-        allow ${values.ipv6-space}
+        allow ${values.ipv4-space};
+        allow ${values.ipv6-space};
         # ntnu
-        allow ${values.ntnu.ipv4-space}
-        allow ${values.ntnu.ipv6-space}
+        allow ${values.ntnu.ipv4-space};
+        allow ${values.ntnu.ipv6-space};
         deny all;
       '';
 
@@ -72,11 +76,11 @@ in {
       ];
       extraConfig = ''
         # pvv
-        allow ${values.ipv4-space}
-        allow ${values.ipv6-space}
+        allow ${values.ipv4-space};
+        allow ${values.ipv6-space};
         # ntnu
-        allow ${values.ntnu.ipv4-space}
-        allow ${values.ntnu.ipv6-space}
+        allow ${values.ntnu.ipv4-space};
+        allow ${values.ntnu.ipv6-space};
         deny all;
       '';
 
@@ -95,11 +99,11 @@ in {
       ];
       extraConfig = ''
         # pvv
-        allow ${values.ipv4-space}
-        allow ${values.ipv6-space}
+        allow ${values.ipv4-space};
+        allow ${values.ipv6-space};
         # ntnu
-        allow ${values.ntnu.ipv4-space}
-        allow ${values.ntnu.ipv6-space}
+        allow ${values.ntnu.ipv4-space};
+        allow ${values.ntnu.ipv6-space};
         deny all;
       '';
 

modules/matrix-ooye.nix

@@ -181,6 +181,9 @@ in
           #NoNewPrivileges = true;
           #PrivateDevices = true;
           Restart = "on-failure";
+          RestartSec = "5s";
+          StartLimitIntervalSec = "5s";
+          StartLimitBurst = "5";
           DynamicUser = true;
         };
       };

modules/rsync-pull-targets.nix

@@ -0,0 +1,140 @@
+{ config, lib, pkgs, ... }:
+let
+  cfg = config.services.rsync-pull-targets;
+in
+{
+  options.services.rsync-pull-targets = {
+    enable = lib.mkEnableOption "";
+
+    rrsyncPackage = lib.mkPackageOption pkgs "rrsync" { };
+
+    locations = lib.mkOption {
+      type = lib.types.attrsOf (lib.types.submodule ({ name, ... }@submoduleArgs: {
+        options = {
+          enable = lib.mkEnableOption "" // {
+            default = true;
+            example = false;
+          };
+
+          user = lib.mkOption {
+            type = lib.types.str;
+            description = "Which user to use as SSH login";
+            example = "root";
+          };
+
+          location = lib.mkOption {
+            type = lib.types.path;
+            default = name;
+            defaultText = lib.literalExpression "<name>";
+            example = "/path/to/rsyncable/item";
+          };
+
+          # TODO: handle autogeneration of keys
+          # autoGenerateSSHKeypair = lib.mkOption {
+          #   type = lib.types.bool;
+          #   default = config.publicKey == null;
+          #   defaultText = lib.literalExpression "config.services.rsync-pull-targets.<name>.publicKey != null";
+          #   example = true;
+          # };
+
+          publicKey = lib.mkOption {
+            type = lib.types.str;
+            # type = lib.types.nullOr lib.types.str;
+            # default = null;
+            example = "ssh-ed25519 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA comment";
+          };
+
+          rrsyncPackage = lib.mkPackageOption pkgs "rrsync" { } // {
+            default = cfg.rrsyncPackage;
+            defaultText = lib.literalExpression "config.services.rsync-pull-targets.rrsyncPackage";
+          };
+
+          enableRecommendedHardening = lib.mkEnableOption "a commonly used security profile for authorizedKeys attributes and rrsync args";
+
+          rrsyncArgs = {
+            ro = lib.mkEnableOption "" // {
+              description = "Allow only reading from the DIR. Implies -no-del and -no-lock.";
+            };
+            wo = lib.mkEnableOption "" // {
+              description = "Allow only writing to the DIR.";
+            };
+            munge = lib.mkEnableOption "" // {
+              description = "Enable rsync's --munge-links on the server side.";
+              # TODO: set a default?
+            };
+            no-del = lib.mkEnableOption "" // {
+              description = "Disable rsync's --delete* and --remove* options.";
+              default = submoduleArgs.config.enableRecommendedHardening;
+              defaultText = lib.literalExpression "config.services.rsync-pull-targets.<name>.enableRecommendedHardening";
+            };
+            no-lock = lib.mkEnableOption "" // {
+              description = "Avoid the single-run (per-user) lock check.";
+              default = submoduleArgs.config.enableRecommendedHardening;
+              defaultText = lib.literalExpression "config.services.rsync-pull-targets.<name>.enableRecommendedHardening";
+            };
+            no-overwrite = lib.mkEnableOption "" // {
+              description = "Prevent overwriting existing files by enforcing --ignore-existing";
+              default = submoduleArgs.config.enableRecommendedHardening;
+              defaultText = lib.literalExpression "config.services.rsync-pull-targets.<name>.enableRecommendedHardening";
+            };
+          };
+
+          authorizedKeysAttrs = lib.mkOption {
+            type = lib.types.listOf lib.types.str;
+            default = lib.optionals submoduleArgs.config.enableRecommendedHardening [
+              "restrict"
+              "no-agent-forwarding"
+              "no-port-forwarding"
+              "no-pty"
+              "no-X11-forwarding"
+            ];
+            defaultText = lib.literalExpression ''
+              lib.optionals config.services.rsync-pull-targets.<name>.enableRecommendedHardening [
+                "restrict"
+                "no-agent-forwarding"
+                "no-port-forwarding"
+                "no-pty"
+                "no-X11-forwarding"
+              ]
+            '';
+            example = [
+              "restrict"
+              "no-agent-forwarding"
+              "no-port-forwarding"
+              "no-pty"
+              "no-X11-forwarding"
+            ];
+          };
+        };
+      }));
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    # assertions = lib.pipe cfg.locations [
+    #   (lib.filterAttrs (_: value: value.enable))
+      # TODO: assert that there are no duplicate (user, publicKey) pairs.
+      #       if there are then ssh won't know which command to provide and might provide a random one, not sure.
+      # (lib.mapAttrsToList (_: { user, location, publicKey, ... }: {
+      #   assertion =
+      #   message = "";
+      # })
+    # ];
+
+    services.openssh.enable = true;
+    users.users = lib.pipe cfg.locations [
+      (lib.filterAttrs (_: value: value.enable))
+      (lib.mapAttrs' (_: { user, location, rrsyncPackage, rrsyncArgs, authorizedKeysAttrs, publicKey, ... }: let
+        rrsyncArgString = lib.cli.toCommandLineShellGNU {
+          isLong = _: false;
+        } rrsyncArgs;
+        # TODO: handle " in location
+      in {
+        name = user;
+        value.openssh.authorizedKeys.keys = [
+          "command=\"${lib.getExe rrsyncPackage} ${rrsyncArgString} ${location}\",${lib.concatStringsSep "," authorizedKeysAttrs} ${publicKey}"
+        ];
+      }))
+    ];
+  };
+}

packages/ooye/generate-lock-patch.sh

@@ -0,0 +1,40 @@
+#!/usr/bin/env nix-shell
+#! nix-shell -i bash -p bash git gnugrep gnused nodejs_24
+
+GIT_TOPLEVEL=$(git rev-parse --show-toplevel)
+PACKAGE_NIX="$GIT_TOPLEVEL/packages/ooye/package.nix"
+REV="$(grep -oP '(?<=rev = ")[a-z0-9]+(?=")' "$PACKAGE_NIX")"
+
+TMPDIR="$(mktemp -d)"
+
+cleaning() {
+  rm -rf "$TMPDIR"
+}
+
+trap 'cleaning' SIGINT
+
+git clone --depth 1 --revision="$REV" https://git.pvv.ntnu.no/Drift/delete-your-element.git "$TMPDIR/ooye"
+pushd "$TMPDIR/ooye" || exit
+  sed -i 's/\s*"glob@<11.1": "^12"//' package.json
+  git diff --quiet --exit-code package.json && {
+    echo "Sed did't do it's job, please fix" >&2
+    cleaning
+    exit 1
+  }
+
+  rm -rf package-lock.json
+  npm install --package-lock-only
+
+  export GIT_AUTHOR_NAME='Lockinator 9000'
+  export GIT_AUTHOR_EMAIL='locksmith@lockal.local'
+  export GIT_AUTHOR_DATE='Sun, 01 Jan 1984 00:00:00 +0000'
+  export GIT_COMMITTER_NAME="$GIT_AUTHOR_NAME"
+  export GIT_COMMITTER_EMAIL="$GIT_AUTHOR_EMAIL"
+  export GIT_COMMITTER_DATE="$GIT_AUTHOR_DATE"
+
+  git commit -am "package-lock.json: bomp" --no-gpg-sign
+  git format-patch HEAD~
+  mv 0001-package-lock.json-bomp.patch "$GIT_TOPLEVEL/packages/ooye/fix-lockfile.patch"
+  git reset --hard HEAD~
+popd || exit
+cleaning

packages/ooye/package.nix

@@ -2,31 +2,28 @@
   lib,
   fetchFromGitea,
   makeWrapper,
-  nodejs,
+  nodejs_24,
   buildNpmPackage,
-  fetchpatch,
 }:
+let
+  nodejs = nodejs_24;
+in
 buildNpmPackage {
   pname = "delete-your-element";
-  version = "3.3-unstable-2025-12-09";
+  version = "3.3-unstable-2026-01-21";
   src = fetchFromGitea {
     domain = "git.pvv.ntnu.no";
     owner = "Drift";
     repo = "delete-your-element";
-    rev = "1c0c545a024ef7215a1a3483c10acce853f79765";
-    hash = "sha256-ow/PdlHfU7PCwsjJUEzoETzONs1KoKTRMRQ9ADN0tGk=";
+    rev = "04d7872acb933254c0a4703064b2e08de31cfeb4";
+    hash = "sha256-CkKt+8VYjIhNM76c3mTf7X6d4ob8tB2w8T6xYS7+LuY=";
   };
 
-  patches = [
-    (fetchpatch {
-      name = "ooye-fix-package-lock-0001.patch";
-      url = "https://cgit.rory.gay/nix/OOYE-module.git/plain/pl.patch?h=ee126389d997ba14be3fe3ef360ba37b3617a9b2";
-      hash = "sha256-dP6WEHb0KksDraYML+jcR5DftH9BiXvwevUg38ALOrc=";
-    })
-  ];
+  inherit nodejs;
 
-  npmDepsHash = "sha256-OXOyO6LxK/WYYVysSxkol0ilMUZB+osLYUE5DpJlbps=";
-  # npmDepsHash = "sha256-Y+vgp7+7pIDm64AYSs8ltoAiON0EPpJInbmgn3/LkVA=";
+  patches = [ ./fix-lockfile.patch ];
+
+  npmDepsHash = "sha256-tiGXr86x9QNAwhZcxSOox6sP9allyz9QSH3XOZOb3z8=";
   dontNpmBuild = true;
   makeCacheWritable = true;
 

secrets/bakke/bakke.yaml

@@ -12,78 +12,87 @@ sops:
         - recipient: age1syted6kt48sumjjucggh6r3uca4x2ppp4mfungf3lamkt2le05csc99633
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOM0NNRFlYaDVtY2taK2xZ
-            R1pJKzhzOFJJbVI1ZEtQZTJJd1JiejdwaHpJCjlyZVZLZUpVeG1HNHo1UTlaa1gz
-            Q2JOTmpibndlcERXaWw3Ujd3OGo2aU0KLS0tIEhKcjFKYm82VFdHWTkvcFBDam5H
-            bzhGbFF6ZmRPTXpzMWgzWGJJbGlkUTAKtNREtgj4kXKDymmbBt2YVFUqrAaGY72z
-            8fUEIz/2/kPeb4QBpYt4HQabXDLCZXZ0Q5qhHRFOSER8o+TrkJDEow==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsOE50MkkxV1p0UlVUT0dE
+            WCtLMEk0ZSttY25UMjNHSHB1QzJ4N2l5WnpFCkNpdmlCY1VxWVo0ZStVclZ0amo4
+            dGhSRWY1SElRZXZzdWo5UDNjUHMzUjAKLS0tIDI3elNXSXJHQU5qb3hCSHYwWnoy
+            N3BhNmJQZjIrbWlVRytxZ3dFMjBtL1kKn7/DTPfJtdBomSplnBomYhsxJbX7kJQa
+            1Qsr+bmugWxHFIPhoDwPIBpChQkLvAo8exQpduos18FsXgvMmB0guQ==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1ug30gg4y7ftuya0wdv7q0vh4egn00wlv2th7mt7cgc2ze46wmvyq9lq6ge
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSbEJRNjVJSE5qSk1VcVR6
-            VTh6ZU93Q2dGclhZWXA4YTh5WXZ4MWFMRzNRCkJ6Z1F6a20za3ZxLzRsZGg2aHpn
-            Nll0NW9XRndIOFpzMVgwK3RxWm1BUkEKLS0tIGF0MUYwblY4a3haelJYRkNyd3lS
-            S0ZuSUVXWGVXbnJocm1LRjZRSGVrMFkKQcwZk7mlF96kPdvZyLNR2i5CnU/qR7/i
-            u897JxtxmXuuNDKPA80pFxfwkOwzcUVrYiwOlAbMENwJWH1SwFO3Cg==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXdnNSSEJoaUQwdTNTMDY4
+            QUxuLzRIWVNkM25QNTZ5VTBwQlYvT2p3SURzCnJmd2g1YUY0cmdLL3FkQTQ4NURL
+            YncyY3VROTFUeDc5ZlB1aWdXVGNNdjgKLS0tIEtXeDdRLzl4RXhpS2o5ZUE4YkpI
+            RjBObVhlWncrRnVidEtGN2N0ZitzNlUK/ooEeWCY5nDgny43q45wvl/e6qq/X4B/
+            7Q/DPj13BcrWRgoCYeHlq6VlIerz5ERNgxyR/qKuVSGAVroSVY6spA==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1mrnldl334l2nszuta6ywvewng0fswv2dz9l5g4qcwe3nj4yxf92qjskdx6
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWa2c5d0RvR21jQ21ZRVBL
-            dkR2RDhMMmJKTXk4UnFTbEZCbE5vV2cwRTNnCkFFT05kYUhXREtzSGkyY1VYQ2ZE
-            bU0xZnlUN0draW5DZXRqQlloVi9NaFkKLS0tIDdHb05weWlzcDN4bFdzYnpUVjVV
-            ZkVXK01odnZJeGhoaFFLbEVSMFJsMHcK/mgeA6aMlr7T35rHL3GriYHu2DQE45sI
-            8RdxdErESmpx0bneFbmsBgXOYu+iT64zatPEGVSu1taW/nMa8Ucpzw==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoRy9CaHY1WEEzOXdUSjd2
+            aFlGU3NGcW5MeHg3U2d0UEk0SXJIcmg4RVFzCkpwODhBWld6T1VNS2haSkpxL0hn
+            b0VRWVNFcTE5c0t3VkFZQ1R1d2dnbmMKLS0tIDdNMHBrU0RRSmlBZUJobXQxZUt2
+            MzZSYlM5bjYzUlRYNXkzNzZlWmx3L0UKkH6WOXHFRRbCprSjxcONSVUN/9NEQvtS
+            Jg+dJSMviq6GvUfUNmNvPJHfyy+CYT6a2Zd+4NdYCetRLsRJPc6p3A==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1hmpdk4h69wxpwqk9tkud39f66hprhehxtzhgw97r6dvr7v0mx5jscsuhkn
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxbm4wL1pHeVVRYzJrb0RZ
-            VHA5ZGRTUHkxbk9qenpNRGE4bjQ0SzN6UVFvCkRHQ0VDaUhRRDI3Yy90UXZCdTlo
-            dnBHSmU5WlBlczlBbDBZRHFvLzFBWVkKLS0tIFVNVG5qRDZlcWZ4R00zc0N5bkli
-            d0Z4TEJzdEFuV3NnTndFZlpPMTNYSHMK1d1Use9/w4ClrCfShBymIxHZppCXmhmQ
-            vIW5vI4Ui0jSX9Rwhd17CLT66mQYBbaHTGB9fiGNQpFRc/ztaFbbnw==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUckpiMzYrU1NnNFJ4MGps
+            OEt0c0o3Ty9QejhEM29wZFMrNTNyMHlHWlRBCnBHUUdvcmxoL0FqVEtBSHlma25P
+            c2tITUtZTGVzOGdidC84OUYvRlpxSjAKLS0tIFNMVmdiWmJNZUdLS1g3T3ZINUh6
+            Mjg5RHdKYnV3Z2V0L3E3ZlA2WDB0WlkKJr4Vg6rnKqGpL6N143QYfLqS4lQIED/J
+            SYQds8mCiyCNGvV6ON4k096jXcuMAZ1w+0bA16AHlTXnqgIgfaHpKA==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1wrssr4z4g6vl3fd3qme5cewchmmhm0j2xe6wf2meu4r6ycn37anse98mfs
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrNmF2ZTFreDdzdVZHRWt4
-            VW1TNXFWRW13T3VBN04wMi95VkRCeHJIalVNClRLZGFDY2ZIREkweXp5dU9yYVRD
-            T1N5QVh0eWczd3VIWEthbTZRVXM0L00KLS0tIFlWeDZmQzYrQXdoZ3dycS9udEFW
-            TGg0bGwxQjQ1UkR5OC9FajI1RHprUXMK8NRbkEjLEW6pANEkB0QyBcgMin/Aaf5A
-            dkFYo01G3XM7AmlnnM9UCc56Gc/ZfcsVaUhMAZoEvEvuU0++ufCIZg==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHL1QvSUlWUTN4OTBKOURa
+            VkVVb29McWgxa3gwb2lkVTdSZmUrVVZpSERjCm9oTTFRckg3SUM1a0tJRVlaU3RL
+            dUtsU0FpY1JyNkx6K1U1MWcrSjNYbUUKLS0tICtvTjJVdG1PSXF4TVltZ204SnVu
+            VE9aT3l2dGgxMWNHUXQ0bDN2RjVOek0KwOa/vczHZa+SRr8j6KvkfZZ0kajxXOq0
+            5AoDz2Mtcs+qBctTuogdLCZoL2ZpRVV7v1dGI+Fm1cVLoutV19IvTQ==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1zhxul786an743u0fascv4wtc5xduu7qfy803lfs539yzhgmlq5ds2lznt5
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYNE04cmdoYnc4cGhmMmlW
-            aU1MNXpacVp2eGV1dU1GUUNyd3dFRDI0and3CllsSG9qR1IwaG1iU2FpWEduanhx
-            WVE2SWZBblp5RWd3Mi8rc2s3M2F6cXcKLS0tIFBnaCtIelBPdEtqRUIrTnY3VytC
-            K3dUNVgrYlVnRjRKVVRDQmxsUC9tOG8KFE/pU3tSnyohg58FTWWc2j1Yk0+QHRyH
-            VakZTPA8l2j7X01KOwEDaZBZrzFd8059GBUMRnylcVOCg5a5VjXpEg==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWVFp0ZlRhU29DNUhMSmRy
+            Y3VVV2pmajJmaU9qN0tHR1E3ekFMS3o0K2pRClIwek5GYzNNZEliK2ZTT1NVZklQ
+            YWpqY3poN0E1ZTVOTVRhL3FQSVZmZW8KLS0tIHpuWktoa1EwcXc1bEJJYk5VbEw3
+            blE2VXBuTDdlbHJTVjRzOWdyem1UWTQKg5uZRhcLpmiVcadqdJoscqsBD2u6UGx+
+            qT0IoSVOzsBlJw2t9rH1zR7WfRSlCXT1NYzu9aTWGqQaB8qvEtyk4g==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1sqs7urnzsdy64efmd0zukzv3gs5pnjksuxd7nqmdwdy5l0nqnunq6hyune
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFdjhMM1ZpM2xFVXlvOXZK
+            MlRZT2U5YzhMUVR1L0FqVVdiSTFTYUpyN25rCjB6ajMwTnNTaWk5d21vM0Zza243
+            dHhSOHM0c3cwS1c5dGxhbzBNVm9DeFEKLS0tIEpOY1lWVE04UkNYNDdCcUdnTUhI
+            NC9xOENWZUNyay9SeXRjSUdkMlE4UXcKiygSIWelRUZQPbiK2ASQya7poe1KCXmo
+            XIlgOaUe1+lvY8s2bjdud0+7QlPOKeyciCSFNNqIxzHMYSEKwNCbpg==
             -----END AGE ENCRYPTED FILE-----
     lastmodified: "2025-03-15T21:42:17Z"
     mac: ENC[AES256_GCM,data:2gH/ZaxSA6ShRu53dxj7V3jk7FsVdYS+PSHQyFT8qMvKM1hsQ/nWrKt00PUl9I7Gb4uomP9Ga3SyphYOXRBzKoV+x52oEWOJE3Q4iPrwdCkyHlxEezhTd/ZRQVatG6dvHpLuDNS9Dyph4f7Mw5USI+m4WeVdgCvHTydw+4KIfP4=,iv:yimfq96WVsagvKr8HTg1RdZBSrVGcCWPvv8XOXkOfcg=,tag:zHzdrE0PX5+AeD2lpqeJVQ==,type:str]
     pgp:
-        - created_at: "2025-12-22T06:10:02Z"
+        - created_at: "2026-01-16T06:34:38Z"
           enc: |-
             -----BEGIN PGP MESSAGE-----
 
-            hQIMA0av/duuklWYAQ/+Jcq2EiWutguXVgFJsG0eU9CmM/ZrSfN7Of6MeGh53vw5
-            F125rivlWf56nEjAnW0u0Ai1MRUUvL6cSqnIxH0y0NcgllkUVrMDJPtsp4/1pFG3
-            pMhQuaoun7mmHbMwFD/WIGk3NeQA2WRm8vCa2yHuOHKG5rISZDgY/5WdkLGK9Vll
-            A3eBaz2r+jQwZNHMTu9Sgmuya7EAGCb/7oSTyE+ZyG9zDwyvbKcuS+xMx/Sqx5a+
-            a1a38fJCdwTHNGR293kMhVK75z0aOvGp4t92bulAe0Tp0Efc43TNGYIGjOQT7r3J
-            k4YQ0OcR+fezp8GSLxoewWBpCMFaRliSnLh7XJwd2jTURbzlpQFFKNXW4pLxrAIr
-            ZJXZ6Hloz91MRoQ8HLCs7WqhLptXGnqXsJPCwdBJEeVzutyt3cZIzq11bNgf9sNv
-            Ydj86FmGTMFK5d9kNYAqxwnfcVIc3/AdbyKNoky1Muu0z5XvUdgUcYu5RK9yL3DA
-            dUJVI5uam+ONUatFeTbS2Vz7KEbwh1H3gfQUQTrE6FOSrh8bk0lp1aG1geL69ram
-            XXh/uHkvzTgbq+oiyiqbodurrEQHcdhrYJwvPELLQwtIq+0iVu7xNIFz+LNuAMqK
-            d1lualLK7xHNqCOhihY1nKR3PjDrE4tUKjtwu1lp2Ae+VEXg1FgrqdkquxlE+0XS
-            XgG0jfeGqwQKM1qGkaj9UX/xXe8Io5KhOAqRhnkauU9nZ4Uaj5X1rFpbLAOT2/FZ
-            rHjT46gUUh1hK2TEnL14yJ8ttIntlcXh6lJ6zbkIL7G+56GlqhPmr8M6N67VEq8=
-            =8M3y
+            hQIMA0av/duuklWYAQ/+O1tft/OfS52K8cmcQE7I7aFb85P2L+7u1TdmTjHwNFkC
+            3jhvzPkNDQDkMIc5EPZKX5WLUS8F1UaqCw4b8zZtqoTqKDpu0S92KL500iXwBxft
+            D3cRMFFb6GBoSlPJVBt6LMRJjGLWCkBihlYL1AknoVV7VERj8m1cvcstdp3qbEd7
+            c+X6t5B+7N0/QPdh2KyrHWXyCzFc/6emVjNGy2EoXRt7idFF2yTbafobCs/hZ8LZ
+            RJyhpGyR9QPtAwFP9Und62tCd4ZwG5FazZBLevRrmD7AOW1WnQhyYvxBvqQp/Oz+
+            lFmhcirLw5CaC1AbF2k3uNoAHXVWyexaQeu2gsNYXq+lpsdCWT8WtrAtNCyC2StI
+            PtdrdQ9oikJptmoWQ0zEBXKXdV8AhukLSX0wtis74KbmcS+2YyNKvQksGF2ZfHBh
+            U9ycfJr1kwm7TAg5Lg6XOmKrdOJkPoIcUCk2QW7MfS3nwwMLt3BjhhpRVUfeUmjB
+            Jjjs+jUXEusnmwmvGGgEU2pT944FLuFClSI8JTnIZ61YkjF7zAtrURvsNKlqu/UG
+            JLrWR+dnnh1YK0qQEcqt6giNSX2IWrw5SpJ8Jekt0TWfB1HDHybQUyFC/n/je/XK
+            0ouAeDL9oqh0eRU3ng4KKhOXNn+WO3/HrnG//KFwokc//BNNvP8qM0CTtPQbQ1HS
+            XgFjhTfzV0T4LyUryuict4rLVI+DDbzWGRp0umdobvQE1CGLhKCanrd2/Ng6fAny
+            9G09vYF5zK95uzqFBCTh1zFr6+rhfbMI501TwBu1KxOaJdYs3vzLiTGWoyI48JM=
+            =5fyo
             -----END PGP MESSAGE-----
           fp: F7D37890228A907440E1FD4846B9228E814A2AAC
     unencrypted_suffix: _unencrypted

secrets/bekkalokk/bekkalokk.yaml

@@ -9,6 +9,7 @@ gitea:
     ssh-known-hosts: ENC[AES256_GCM,data:zlRLoelQeumMxGqPmgMTB69X1RVWXIs2jWwc67lk0wrdNOHUs5UzV5TUA1JnQ43RslBU92+js7DkyvE5enGzw7zZE5F1ZYdGv/eCgvkTMC9BoLfzHzP6OzayPLYEt3xJ5PRocN8JUAD55cuu4LgsuebuydHPi2oWOfpbSUBKSeCh6dvk5Pp1XRDprPS5SzGLW8Xjq98QlzmfGv50meI9CDJZVF9Wq/72gkyfgtb3YVdr,iv:AF06TBitHegfWk6w07CdkHklh4ripQCmA45vswDQgss=,tag:zKh7WVXMJN2o9ZIwIkby3Q==,type:str]
     import-user-env: ENC[AES256_GCM,data:wArFwTd0ZoB4VXHPpichfnmykxGxN8y2EQsMgOPHv7zsm6A+m2rG9BWDGskQPr5Ns9o=,iv:gPUzYFSNoALJb1N0dsbNlgHIb7+xG7E9ANpmVNZURQ0=,tag:JghfRy2OcDFWKS9zX1XJ9A==,type:str]
 mediawiki:
+    secret-key: ENC[AES256_GCM,data:ixG9vGifYcz44y/copU+eHIjWLcxJ4v7pi8l1P3YHIdGwAk5DNZQWlaA/L3w0g50zM0ESEXL9k2r3jNI1nLGJw==,iv:fwHV4hYDEjP9f/8Bw74EhYDUN8UV+qIwqd6yXa5KtFs=,tag:3c9J/lVoJeRE1b/TTWJNZw==,type:str]
     password: ENC[AES256_GCM,data:HsBuA1E7187roGnKuFPfPDYxA16GFjAUucgUtrdUFmcOzmTNiFH+NWY2ZQ==,iv:vDYUmmZftcrkDtJxNYKAJSx9j+AQcmQarC62QRHR4IM=,tag:3TKjNrGRivFWoK3djC748g==,type:str]
     postgres_password: ENC[AES256_GCM,data:XIOmrOVXWvMMcPJtmovhdyZvLlhmrsrwjuMMkdEY1NIXWjevj5XEkp6Cpw==,iv:KMPTRzu3H/ewfEhc/O0q3o230QNkABfPYF/D1SYL2R8=,tag:sFZiFPHWxwzD9HndPmH3pQ==,type:str]
     simplesamlphp:
@@ -39,79 +40,88 @@ sops:
         - recipient: age12nj59tguy9wg882updc2vjdusx5srnxmjyfaqve4zx6jnnsaw3qsyjq6zd
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvQjZvVEplU2pMQmgrQXE2
-            Qy9FY1NRZEhpSTVCdy9rVEFHekM4NHJEVlRvCkNnVUlCQzdGenlKOW56ZGY4bzJm
-            K1c1N25ZbDFNMDY0YzlGMTlMN2htSEEKLS0tIEYvWEVoMUVtVDRkeEt5eWFZckJs
-            aFRsYmhNMkQwdFlDa1ROWXdhWGFKUUEKqixofKZBMXpV8q801HtVoHzZWJhsifSB
-            DLPHbOAWpXjKygNJ1ogi66FWBFfRL0KGffQEuaIozTA1r1NafSCLKA==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzMVM0T0Y4Wjg1OGNsR0Iv
+            VmxoNmRMcjlWRHFhc3l2Sy9aZnF4b0ZsTnhnCkd6UnEvWi9kRU9qSmVLZkdiWGJh
+            SW1SS3FDWnZTZnBhTmFvTW5FMCtUK0UKLS0tIFJDdHFoT3pPaEJLZmR3R2Jsd2pt
+            R0RmcXJwRlkvSVhRbGwxZytLNmlqeFkKw/0nGPzgzH39udFyJVkjNTMTmffiQh6/
+            HT1O7imvPymx5kXrnfciAP9bnCV4o/HiVkuDxBP7gG5nBUgY6PIC7Q==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1ug30gg4y7ftuya0wdv7q0vh4egn00wlv2th7mt7cgc2ze46wmvyq9lq6ge
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1YmhFNHNuaXlFZXMxNmtR
-            S3ZIM25xVnYxNE5kL0RJR0lpNWo1c2ZTczFRCkRKakRNek8xdVcxcFN5Wkc1VDJ5
-            QjJuQjcwZ25RVkpoMXFpQXltU21MOTQKLS0tIFVrNVJ1alAwM1RtTy9zUUIzMkpi
-            bnFVWG5xWW1hSDZob0NzZVZNOHdqRTAKci5uPZI7K/ljVRZ1j2qQFABpf+Anuj2a
-            yqz92A7DbMUSUqmUNCHWg2vKmMwuRL3CXLPzZoXgIN07dpYQlk6qgg==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCV2ptWkhqNjcrM0hXOWEv
+            Y21GNkVJUXY3dHV1OUdUdlJZNHhka3g3QVdNCk9vak0wSDBhS3pZSWk2anVsMnVY
+            UmVuamF3ZGw1MGZ5M3ppSThWK3FPR2sKLS0tIDlQRENlQjh6THZRZlpEWnE0djNo
+            cXl3S2tRdExvSjRNUHpwbFNzVXdQVmcK65zb8MPh67TyHkjLA2vLgv2eOQOSUDih
+            JeHkryWGQXzlYL5tZZ24ae1mqYiYQ6DsbWXopA0q0OmndYByXct6FA==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1mrnldl334l2nszuta6ywvewng0fswv2dz9l5g4qcwe3nj4yxf92qjskdx6
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUZExMODZvbUo5VWt4UWs4
-            ZXRXWkdDczQxcGRJbUFyU3V5bDllampVWTF3CndVSzZESmlwUFcxMjZKODhPY1pz
-            WHo5aC9JOUg0VndhdGIxeU1PU2t2QWMKLS0tIExQelVMSWUrMkUrY3htMVIxTHFo
-            blNkNG02ZTFHR1ZjL1dBbjlDNXk5VmMK+EbzW0Rdq5cxIm8EnQ2P87BTxfMKywyM
-            Q3LGAw4RDR/Gstj9hzpTPnNjb4D5tMcQmeQlAvBriZPFXCrmq5WCXA==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCSnU5dml1bjY5ejZHUGRQ
+            V1pNQnBXWUx0c1R5WkY5d3NFOFlKTkFrMUN3CkNqMjc5NDRMb05tSW9wV3lkUUVU
+            Mml0VWc5N2NBZDQzVXMrWGpqVzY4NUEKLS0tIHBoNTZlOVBMdFJXOC9QRjJ4bHh2
+            SzM4Rml4dFNjMWxxYXlVdTdxTTB1ZzQKvoBpb4PPNM5yl85wTcTTqZmkXmwZGyvS
+            PMPFNqEkzcZFtC1BfYGIlKAuisGhQ6rFAkyTZXTLP0HjPEcH00+WMw==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1hmpdk4h69wxpwqk9tkud39f66hprhehxtzhgw97r6dvr7v0mx5jscsuhkn
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrSGFIdjJwTkpRdzdIQ2Iz
-            WW1jamZFY1JrTTBZRjM5enZmNkNEMTRaQ24wCjdJY2l4OVJyU2pVR3dQZFg0cHRl
-            dU1xS0gwbWM0MktPL2d6dG1wN1ZsWEkKLS0tIHJscElDRVFrakJCZmtMbk0xaVp4
-            MDBoekhiMWZaeU9IWkcybFNWczVtUUUK4BOBttXkGhmUYTjR68ZvaT0BpbIw67rr
-            Ls5XV6Azkid7GAttNayqb/OjshUco1xIbAyGRz77b5uzMzM1cM6+dA==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDbGdTVUU3UVUwZytQancy
+            ZXY1Ullmck9qZ0dsSmZqUHF0NGpSZlJWRjBJCndmbGh6Y3lUWmdEWUdHNkZwd0dM
+            OWpaTk4xdzlLak1iMFhhU3BnT1NYTE0KLS0tIElxOFVmUnVDUXhUeVBEVjJhR0Rv
+            NmloODFNNXU1TG9FeWxKYTBGOG5qR1kKXGAQyRVO6Sh0LNlFD5nx0F3m2KYP8hYl
+            /g3mwi4NI4UIR2dYXsgNJuF7axxP1IbaZ/j2NLNYbVe2+iZvscvBTw==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1wrssr4z4g6vl3fd3qme5cewchmmhm0j2xe6wf2meu4r6ycn37anse98mfs
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNSmVyNkNiWkxob05lakJI
-            N1dWVWl4bnd0cWV0bzlzQTdhMTZ6aWZJMFU4CkYwc29NTW5PODVVTU5DNFdCV0RO
-            RTJHaDVmbWZ1WFdSRVE4Tk9SbHhsdUkKLS0tIFhiN3M1aGJtY2ZqTkIwYjB6S095
-            WkpCQWlab2s5anVIa2Vlak1vNzI5U0kKRhPzmr9IW0fVDRKzfR1du7KgevNUchxJ
-            GDz5B/EekvwZwhcAGvkE6uwHIAIMaau49S9iwqK4NjIcBIGagoqiDQ==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtWkVyLzJWM01ybHB3cmpq
+            cTJTM3VWaEk3djcxb0RnbVZXUGRyMWQxcWlFCmhQUmtGZm0wczdsLzZUNHFqRnZW
+            R0JaUDhmUXB6OTBwNEFja2xhbm1JNXMKLS0tIHNVUFltMjZjalJya2x2UzVHcUoy
+            RGs3aStCRUJmMG9JRFZyRFJWeTZKWGsK8oTccCGCXPsQEGnn57ml5IwYCHgYoBpC
+            2U7uT/Z10crtrqgPGi3/jYr5IEacLBvbuGLBwSlCo7NGz/6XnVIyaQ==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1zhxul786an743u0fascv4wtc5xduu7qfy803lfs539yzhgmlq5ds2lznt5
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpSXJKL3RzUEMzZXN5Qmsw
-            aFRrMXE2b2dNU05NeWNuaEZOdkcyMWpvUlM0ClVkMVJoS3Y5SnJxQ3RtaUtncDcw
-            cWRKYjdFbEJ3aWE1ei9wYnpVRGhBd00KLS0tIFFycFgyWGVvMFc3azN3T2Z4aHln
-            UzR0dUp5MHFWdDFya0hlRXM4M1d5YVUKhaXAFsId/SGv5wmKvjTLSAAlDNuSH80H
-            SahjRm7nj5Z6ZHJfBZu9cGoZ5ZdvPsr1DtLgErSndnOnh7TWA8SgGQ==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSTlJPQk9DTFNKMjA2bTRj
+            OE5uaWxEQkhUdmRvT2h4TDJvREo4TlQ4MFZrCjNjd2ErOXcxQkJrNzlOdGNFSDNW
+            S1gyaG1SSGpyNmtXZXpqZzVnN3o2MkUKLS0tIGdkbEROYUNjNk54RmFuR2VkK0Zq
+            RlRMc0R3dDllUGRHcmNDTDBSS09mUUUKhdxXMEuwLviNY134uA4SELXiHo4rCC9h
+            pT2iqOV+VDquwE99h9OIo2Kfmblzje/TGpok1i4cxytg8fly3LZD+Q==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-12-09T21:18:23Z"
-    mac: ENC[AES256_GCM,data:scdduZPcJZgeT9LarRgxVr/obYsGrJAbMoLGJPPPp19qxOJMTdvYfMz8bxPjCikB4MacEgVZmcnKIn5aCzHJAnCI/7F2wm1DDtW9ZI5qbhDJKSSld+m2leOSPfR8VY/0qj6UNgGnwkwx7dfcAlv8cP2Sp3o1M2oyQxeXPr5FWEg=,iv:JEAwkCewMp0ERmYU62kZkbl7+FET1ZeRr6xeEwt6ioM=,tag:jxvli935X3JyZYe7fFbnLg==,type:str]
+        - recipient: age1sqs7urnzsdy64efmd0zukzv3gs5pnjksuxd7nqmdwdy5l0nqnunq6hyune
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQcHVjN3MvVUEwazNraXFQ
+            anVTbU1EY1JUQ0FyeSt3bWJ6TVcwY1UwZ1cwClRtOTE1QWNXaUdzejh5a3BUdTFv
+            M25HcGZBY1IrVkdXV21vWnVMTHY2VXcKLS0tIGVKMFFCRjhJaGJPWjhlNEFna1hB
+            SU5zanlva1p2QjVndVJwUnlkdkFuTDAKbQRrSfG9MGsGvF2ywoGhDSuriDsbQ+k2
+            29mxere0efSSGGq8y9YrPC8UX5hZRfqg/dfbL+PFc4NHfbxB/oSzQw==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2026-01-26T08:40:13Z"
+    mac: ENC[AES256_GCM,data:ppgpARft/YDKP24QF4bLYVhxN4nRrCsf4wBug3UD4MXgQwdFyWPAHn086uONeMbVOvH8IdwlaNBc8h36I7M66cqwK1VsRc/vf9Ud2VnD/WkWijMSrJ80frIvuvREp7aMNlYbD20bjrp4sYohjcJ8KPqyPUFPj71dA+9LZvXJthQ=,iv:lr3R14lRx7RzclknKbOa/bHa6axGbMPqj1FRTjx34xE=,tag:pBHzSArxYs4bqq355T4yog==,type:str]
     pgp:
-        - created_at: "2025-12-01T10:58:17Z"
+        - created_at: "2026-01-16T06:34:44Z"
           enc: |-
             -----BEGIN PGP MESSAGE-----
 
-            hQIMA0av/duuklWYAQ/+IxSo/UF0bv0ktR4aYDhZF/7y8Xv56jaZbW+bI8os57SY
-            mk7MbCqMmujf31gDlWwvytn3sEBTs69tre2rJH0JhDnfxrfL4uHJqD2Idtfhejgv
-            6ezh37/aFy0GgkUKUMpVG3sksZjQrKrSvJiHgfIAaiEiNU6grc6EDLPqDrgO0s1V
-            RBUiv2VMyg6a2MBf6TSrdoHw/HtK/PvOgrQ/C3q3jjUzVLUnScIsewwTq0zdmVf6
-            WPG5/sTjKoIYRdjrEZOIZglU61Q2/d0GTGkI7nkr5xl+iJicRO8O4cYmZ2NivMLt
-            pjsYGQ+Kyuxzmgqjh2aRv5uu7p4g1fYIBZdcqmm14Jc/IznNUAdfpgoRGUxEbnGW
-            R6C2eTzvhZGFj0+jssLwcWtGxa2xxPAHL8TbAvroffzx7W9IdyWkmOEaMuyHFAWT
-            FpsdlSkYmQs1H5YCdRnapFkNbaIPsQy/c4dQhzYakrheMdpXo6efSPmk9RdjKZrd
-            HvJaepwJA7Uf9+eY+LgPVTKY4ObJziJEEIM8QwmBW4h7ZujbntUHXhL1dt2Bc8nZ
-            5foSRmLA0lsd59QSPA3lg30TpJARC8aq4dlYsTFqQgHVTHA2W1m5gYvIgNKlhR/F
-            NGNaAWW0+3V6NeQF5UVp/ug4RbJK+qbrQw/+jeyRaPj3TWaFobOfs+Ad5zcL5QfS
-            XgG1ix1Re4pnbeGbTE0QsFQ/Ir0mwPGuNzr1CFuVQWvPUYqA4iv8nlxIj2E43gcL
-            4ihGEE6dKrrwLJuALNq4p7mqnCMJ7/kjLNTRUSmWY8fHaVmX/QL0uGZwYH1Y5P4=
-            =2j4b
+            hQIMA0av/duuklWYAQ/7BX4o2qvoL2bJN4zkyjqUBgFi0rS3UXsP2D81nxDmlEYP
+            iAm7uQ56/QLbxQ4nW+aBy+ijy4+a9w6yOEfy4DBwXQLebWJUFn2BJ88+6rOlAz51
+            hxHlAOAkN7aFm5a2Y8SQVGnsM/HFx3xJJU5seD5QhJgoPcaDlD/f3zrmmKzvgwX9
+            CHPI4lmQjzwjyG8BJRDlCdXtjXqYT2prs0raLUESwt9p3Hu+zZ5DZfZcnx0s5F2y
+            nj7cFncmFci204EUzCoYrJNkjYKZSDhlNGyzZzF+7ve6LYW2snet86gDFWNsJqfj
+            /1Xp+pDSZVFs3Sp2iSTKqG0wQaRgmyP/r9IagNwTJxjgCjJall2qmdrj4xi4EJef
+            40ZGn9BGmk5EBAVhErqwFwZTlEDuGRWSzStRMpyi8YMA8DMd/mNxdXetrg7zw+ro
+            iaj+izF+FDjPAm2dCaO9r1zZiFKZk84Q2tYNVAs+2t3a/GJYGAs0qzqWcyJzYk8q
+            CHpXUDHVGFXFjgm067nowjtETLyBtegM1bIfoFJEqJUgWT+NU9kON638Dp0HuV/X
+            DkBbwYCRCRSnumslEHlUxw/I1pZijCiJf6m0hbjWEKxUM8N0fKLLxdoYLSY36/8L
+            kyA9T59+qwNIfpKmpF9jvyIX7/Chers8ebgwwpJrP1UwueKQoxhO2mL99by9+P3S
+            XgE5D3lqS+OQqJfRd5VMjy6Skq5N1kRhtP+dujwBnX/MxClrh1HbgVaNKqwiBKBj
+            CV9oTxtI8LDC06KOws841HmUuGe9/4H0MNu/dz+VMh62RD0MVher7JYs5fuFHVo=
+            =7yLr
             -----END PGP MESSAGE-----
           fp: F7D37890228A907440E1FD4846B9228E814A2AAC
     unencrypted_suffix: _unencrypted
-    version: 3.9.1
+    version: 3.11.0

secrets/bicep/bicep.yaml

@@ -15,78 +15,87 @@ sops:
         - recipient: age19nk55kcs7s0358jpkn75xnr57dfq6fq3p43nartvsprx0su22v7qcgcjdx
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSWXVrN3MwSkh4RUJHcmRu
-            V0YrMkhIVGZtLzFsbEZ4dmNSV1FmT1Y2M3prCnhWOSs5VElEOUhuQU1xa2FmRlIw
-            YXQvZFpGYXh1eTMwVkZEempxdHA5eGsKLS0tIHlGQXlHc1ZJaWlPNitrSlQ3R25h
-            a28xWWRwbTlaZjIrbUpxUDJzMnp1alkK3awAxPMvmrh42Pwhv4mBUvWH5ev+OK+i
-            nKWXHOMyYPudYg062Ex7iAHS5WTw71bsMkUEwmU0Mt5XbopkXCyyZA==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoeFE5T1FHeVczVU1aVmhC
+            UE9aKzRHVWdDOG4xMXBtV1Y5dW5sVmZzcWtVCjd1ck1CRmZxZHduZmMzRnRodi9n
+            ZVRNckIyQzErVmJUaDdDb1A1bkRUNkEKLS0tIEJWL3EzTkFYQ2tNRnliRWJISHVr
+            aCtGUFhRYkdPdG1uTVdGN3lITzJJc2MKt9TDBg1CV3a6FhlROVZ3ruKVdehQcuSN
+            hv0vUdbR1uOX89+P1oqNMRMQJI0V4oWi138m+uqA+jozvz+Vn5z/3w==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1ug30gg4y7ftuya0wdv7q0vh4egn00wlv2th7mt7cgc2ze46wmvyq9lq6ge
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZZ3k1VjN4SlVPcHhkNXpw
-            MTFncDF6cDdKVmVSQUdDQUQwNW5scjZ6TUdFCnY0UkJjdE5DaUFNZm00VEVmZG92
-            U0VINHJqbDd4RGFnOWdxaVhoMjRYN0EKLS0tICtESEFUbHBDamFJelphbTlMNmNQ
-            amJIdU5iaWNLQ28wYXJxZ0ptVUxRQVEKZtVEIcBrGHpmg/wGCzDshYZ83pJUf5CY
-            I4hmsoPRnq7Zh45eCuE7j+RNhGiQWGi8q/+sUnSJQMGjzIHf0QfVkA==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDYUNsemZ4TDR3S3EzcnNI
+            eTduanpyc09XYnBSTk04dEZSME8rYjdvalZFCnd5dDluWStCR0lvRFlkYnpKUVlz
+            dzR6cHU4T01TUGdFamRqZlBGb2NBYUEKLS0tIGRCTTdjVnU4ZjY1czZjZnhJdzdw
+            M0swSS9wQVpIQ29XeGRJelk3aHVNcTQKv2Nuia6fkUIu+P2RcP/iHonc6B3y5GJL
+            eiGHywJ5QnQAVOkaNiMZSNfo6OWL/49GnULWJwvbaS/Hong/ax9GBQ==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1mrnldl334l2nszuta6ywvewng0fswv2dz9l5g4qcwe3nj4yxf92qjskdx6
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0TXZuS2pvOTd0RmdtU1ZE
-            MmIzUUxFV2NKcXJtempJdVpUQVZwWVBlZm5ZCkJZeVZiUjNPdW1XZlJ0YWxDa092
-            aGs5R3VUYkdBbVQ0V2dzcGV5alZxQ00KLS0tIHJqdGExb05DVFhka3duRTY1dFhz
-            MGFxVlJDcEZjc0Jxc3loV1ZjNkl0TjQKu+gUS5uyfWBNn67WFt1NwjzkwYWG4r04
-            hFh9hxB8efiMxYiDp2fc9EKvn1FlTBQJE1KWyiD88twzhKDKaDqQJg==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlOHJGNWN4ajA0Q2xrWHlX
+            UkZYVGRtcXkrTkl0YWRVd2JOa3o3b215cWlBCkRjWlJCWXlmWTdia1pUOTIvdlNI
+            aHowK29KT3d3a2xuTWlwd01JK3VPZ0kKLS0tIGkxUElSUVVXODZtZHFuTGpqZTd1
+            TzIwUHBIRG0vSHRpM05vQUJYQ01HYVEKFrDzolWZAsiOLhls4hdIkjRXAsYYVq9k
+            aKbS+DAKVP6AnhMC+Xz8zp7N1bvcXI6tKTmrlg+mo7bsc+vOl12AGg==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1hmpdk4h69wxpwqk9tkud39f66hprhehxtzhgw97r6dvr7v0mx5jscsuhkn
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArQTF3bXhXa1AxazZqZWZv
-            dWFpWGwyUDZkZnczc2NpbnBWeTJGQUVBSFFzCkwyRFVVa0l3dS9GaGN3Mm5TY3dh
-            Z0VkRU1uZGVscnlLNXArZVMyVFhxTWMKLS0tIHV2ZExtVnFONTlQRVNMTFRzQnFu
-            ZmtGTVJqKzlGWDBaUWs1Qk1PSnc2WE0KrIJy3b1TdI7ur02ZzOfWJGWl6WuSUFV4
-            h9Bb3uSpVZLWb0MRKTK5RIeedQZ0NuVOqAP3hCglzzNkZ10/r7ly2Q==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBZmg1a3d0ZU9idCtMelYw
+            YnZlaFZSc0pCWG4yYVMrZXNkN3RVOXhJTFFVClBXa0NqZjB6TDFCWGRRaG9JWHZx
+            SVZ0SXExU3hBb08xNVQvU3FRRkRXSFkKLS0tIFlmUXJSc25jZVVhaFFNejY5d1Ux
+            TWVyQVRjWFBpOGc2Z0xCRlBBclVmQlEKwdADPZ/JtBznYW5ngAehdFD7dJKjy826
+            G9JaApg1xGj3OQzB88rlyQwE+WSV9yCdJ1BzIK8HVSaBOsitRoJDKQ==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1wrssr4z4g6vl3fd3qme5cewchmmhm0j2xe6wf2meu4r6ycn37anse98mfs
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5L0hVVnE0bVp4d3MwQXo3
-            bnl5aWMxajZRNHFHQzhXVDZtK2k3TjJGRlFZCnRORzNTVEJOeTZ6OGZFNDNlQzZG
-            MmFHRFpQMW0vSVl1c29yTFoySFEyNEkKLS0tIHVPUlhIdHlxWHV3a1Nra0lEN21Z
-            cWxLUTBIeEZ0Sy9Ta2Jsajh5eVd4bTQKvmpiIPGbgPjqssx4sc/bqaCLeGIPcRfF
-            BVWm8tEpDmpjvFPgRKhgIKFAQZXumd/9ykWAJE02OWeOOD/LjfSSMA==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFZ05hM2N0QUNHWmpHMHdq
+            cHJLTWdaMkIxSlRsZ205VjJYU0IwNmtEb0h3CmhBN3hmQ0pscFVQMmNwemY2UnhT
+            OFlRL1VPa01NaDh4Q2xxdUYzU1E1QzgKLS0tIDB4ZjEwRmtSb1hXWFpSdHA1ZzZL
+            YStGSVJYUGE2cDhiYkJhY3dMQ1F0dEEKLexDk8xrQ/7SGGUjGIjt+PiL98LeIm6z
+            Bs+2xr/egd8X8ISwPTjgTutDqTM4Oc6HaDJ/mG8H3ewic4ey7TmuPQ==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1zhxul786an743u0fascv4wtc5xduu7qfy803lfs539yzhgmlq5ds2lznt5
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUczg1MEI0VFhFNUxYcCtj
-            UXZZaUhPNEZ3cDkvc2lZMm9ZYnZGTit4U3lnCmR0cC94dDVQcjJYWTh0Zkhkclps
-            WkVrZmdCSE0wdzYwNXMra0hLYWEzU1UKLS0tIHY5MG1LZkFpeisxeDNXQkFrdm9J
-            dndlQmsyTFBOQlIrcnJlOVdWS214aTAK4RSsxV89Ccb5K8JP20J+R621LWdtuQJ6
-            vwWhWkbtBU1Ck3NeEa4UanRqFJxl0bkpdFzHWoQnCm9TmzRf+Oikfw==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmNkxBQjBDSEt2MllQbzJL
+            VzJrUFhHRzduTDZLUGlTZlBFVUozc1VlY1g4CjM5VzIrbTdZMlJzcTh3MWlGNWNK
+            amVnbnJwbzFxalNSYUJQRjZ0dFllL28KLS0tIFV2SmV3TkNxSEhDTTAweStMUVIy
+            UHVhenNpRGxweWpIQXl6N1B2NEtuYXcKgE62N2ThlFFp+b0T2Rix+H+rmBwrfQDx
+            5jXxPFWOdeEowXMM6kUi4xzeUH7/CGXlg+5uNF9jWMpJ09eAKPoO/g==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1sqs7urnzsdy64efmd0zukzv3gs5pnjksuxd7nqmdwdy5l0nqnunq6hyune
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIa3dxbkQwWktRcFI2ZW80
+            S0N5MXZWaWxBTmkwV1o2bzVvZlQ2MldiY0d3CmFyRWk1clJCeEptNkcwVkdwUURR
+            MGVzcldGbUpxWDN6K2RGT3ErajBZRU0KLS0tIFZadXVXbDNsT2Q5eGtJaEtOaTlX
+            U3IrZTB3YUJiREZDQkgzUFMvb3VxU1kKJhYYVcCT8hNJkEK1nD3GBekVGDOI3Nin
+            iBat3LwB4Ijzx1jA+jKJ1Ilf4MgdoL2ox6l/uWft27vvsRaQ501VvA==
             -----END AGE ENCRYPTED FILE-----
     lastmodified: "2025-08-25T12:27:53Z"
     mac: ENC[AES256_GCM,data:GoJ2en7e+D4wjyPJqq7i1s8JPdgFO3wcxrtXOgSKTxi6HTibuIcP4KQcKrCMRAZmXOEL1vpnWFA2uk7S00Av7/QOnzP0Zrk3aPBM6lbB+p9XSabN0sOe1UpZDtAM3bzvS9JZzyztT5nHKvO/eV2rP71y/tYbsT6yvj7Y9zxpvKg=,iv:tQiCr7zpo7g5jZpt2VD9jtFKo32XUWs94Jay+T4XWys=,tag:npBqmlbUUfN+ztttajva3w==,type:str]
     pgp:
-        - created_at: "2025-12-02T00:51:13Z"
+        - created_at: "2026-01-16T06:34:45Z"
           enc: |-
             -----BEGIN PGP MESSAGE-----
 
-            hQIMA0av/duuklWYAQ//eMoBqyI6G8T7c+LwLWl0KxVl4bPv8B1w6l2h+DbwYbki
-            s/u0EToWGFKNTcoio1Xwwhb8pVnUprLONKe1LHgDSsWhvZXBaq3OHxWJuGQ+T0lS
-            1nEOZt1aRp9ff4RA4BLS2LIB5+2lkVvQ2jWhgzzrEgC4FXI+d5XMhgXtPlO8Dgv7
-            Dwp+zTkYyCRny3FzL/AhHCYkqxHuuH19u4j9taN5VidKp9a1EKvjYZW4+xPM0gek
-            9AR89EIzVeLGMSVUFToAfmZ2jFOfMj42pmbQg29Dr3iUVvOZ1sP+w6Jt/1j4FoNe
-            iylriaZtSMLb6kjqN6xf0TnA6exa7hHuAlK3WbPv6JAYrGxs7+l9lGLJkgdXqkzt
-            oxyJTilv1+YJuXy4O2oW6hV8yymOfAKGHt/dkEnPX6UtddH+RDCo+HdWmXWy1Feo
-            skEfvwsbzKPCHInPGbo9Yq5NIgJgaisJlHVf5XHxuVVWdEgmpPZ1XxRvmk5B/9lu
-            gvr+kG4nN2ZxjBC8sZmHQrvuF93x3mXmHIyu/W2LV5era7Q7tUjaikBMba3a3Rpo
-            OQw0auB1OBSmZOFWMa4ppWU3H5V1hOBoD6tygpJvRvuKxJIVGMg1XWBuLJuAhLF8
-            Sdz9AtHR7zeHtNG+4/da/5iYFLi8e0j0H16TlKlW+BuN9kXfmuw1UC1cl+gRLPrS
-            XAEXT6KxURapNNTZTbM66rJNdP60J4u8LhvBD4RLQNGXYQe8Q6RrOdrVRCYO1cjx
-            71Sydx+N+XLbNHfgi1AnaVXmWmZ5PRsAxt4xXPWZb0lV8heh8T1FBKeQM35p
-            =Ur6q
+            hQIMA0av/duuklWYAQ//Wr/FkredBdFTg1pft56pSfVNVScGeETZXT/EVr0esNb1
+            8bO2SUxWSSKAFaHy5YJ/C7B9Ok267dmecvDiCpBN/UwAVKnbXIwMwQVEpdwFI7Zp
+            g41BaxZ87ogphyXmmPmTtekbV6hJZE1FJ2D1rDlEuIHECGhn+lViuF2T+WmCE5iN
+            UvcU194RjL5cWy4Rgap7bo9UaowDXRHYTuvc0lEBkoCaNbb252KhC+C/4OXIjV3z
+            BoOxF3jF7xLgeK/7swMfwVpQjwD/aM1IKkCLFdf7GbUfUjdKdEiPCpRCMSmSUtXk
+            JDAJz7lzej6r/fCHSsmntSf2RoaHDk3kKMNSvqR9UkCiF/LHBhIeDz2rJiOx+suR
+            gPQLehedeF66+A6m7WwQarklPqMhPRw/IiVxXgsDR8Ws7Dr5wPmNkuQ+LvO4rPEG
+            iC8pOTs2+Eb0ulxtjY9o3DNkCbXGzorSLZ6MBkhQhNUmCuubVQ0gpw6RR7uflgGL
+            AYvv8GYpoY+uWWAbsnVdeK8XuGccjP5toK25PiOKzIdRXczngGMLdhNpQmS2cfh/
+            A69QRFprjTt1/sAqzbe9V68PZ1Opa3EH/fvWgXbUTJbxhAMJoZy03KGnQC8kNw0O
+            RFMSmX2fnK4ppmahnO5rn+5InF1TGSd34O9yPacSB9glb3hvClmNOsC9b/Ow/FnS
+            XgGY8d7IGU6zlCwJyIEKsekexJ+UiooT1AoyORHvzHw1J9jlrybSZTK+IzSGlpzf
+            bfiUk6yOyYNU82LhJBc+gdl6QVeO7VoQrN8iJq752A9yrk5eZsBWOeZybezJQos=
+            =WTmp
             -----END PGP MESSAGE-----
           fp: F7D37890228A907440E1FD4846B9228E814A2AAC
     unencrypted_suffix: _unencrypted

secrets/bicep/matrix.yaml

@@ -1,6 +1,6 @@
 synapse:
-    turnconfig: ENC[AES256_GCM,data:mASRjYa4C9WRow4x0XYRrlCE5LMJUYaId+o62r1qhsyJPa2LzrI=,iv:5vYdubvMDjLS6soiWx2DzkEAATb9NFbSS/Jhuuz1yI8=,tag:wOW07CQMDbOiZNervee/pg==,type:str]
-    user_registration: ENC[AES256_GCM,data:ZDZfEEvyw8pg0WzhrdC8747ed+ZR2ZA8/WypJd/iDkmIy2RmxOeI0sE=,iv:l61mOlvzpCql4fC/eubBSU6px21et2WcpxQ6rFl14iw=,tag:sVDEAa3xipKIi/6isCjWew==,type:str]
+    user_registration:
+        registration_shared_secret: ENC[AES256_GCM,data:Ch0JzTJ7OqZQxr+L,iv:6hSTsBwieRg6oy0feBaqJQaY/AvIUyIlcclzlK0GmVE=,tag:Z55kxXppzmU+YP5JkU0jLw==,type:str]
     signing_key: ENC[AES256_GCM,data:6UpfiRlX9pRM7zhdm7Mc8y8EItLzugWkHSgE0tGpEmudCTa1wc60oNbYfhKDWU81DT/U148pZOoX1A==,iv:UlqCPicPm5eNBz1xBMI3A3Rn4t/GtldNIDdMH5MMnLw=,tag:HHaw6iMjEAv5b9mjHSVpwA==,type:str]
 coturn:
     static-auth-secret: ENC[AES256_GCM,data:y5cG/LyrorkDH+8YrgcV7DY=,iv:ca90q2J3+NOy51mUBy4TMKfYMgWL4hxWDdsKIuxRBgU=,tag:hpFCns1lpi07paHyGB7tGQ==,type:str]
@@ -17,84 +17,98 @@ ooye:
 hookshot:
     as_token: ENC[AES256_GCM,data:L4vEw5r4RhcgritOeDTLHN5E/dM=,iv:pC8BLzxf6NaVAGsotoq6chOceBVdMLvrsQn1LGw9H9w=,tag:SI3CDFHAvgQZEvf/oms3EA==,type:str]
     hs_token: ENC[AES256_GCM,data:2ufSJfYzzAB5IO+edwKSra5d/+M=,iv:cmTycGzNL+IeRRKZGbkhTtiksYTtbxED0k0B5haFw7k=,tag:FmWe5sGi9rlapUeAE6lKvg==,type:str]
+    passkey: ENC[AES256_GCM,data:sR3ZdvNe+321WalGA57Nsb7eIRnOgAWX4P4aahynS5kD8nZ40axO3H29pciTn3rgBLsKPYAbJ24Ch40SL5emlz9UL1nH//khCEAXUXR5+RA83TvRrog1BdiCTX3wYY6SvM8BRwAEcWbAavfRHyNM0stSRjamdam70OvEEHlOUafs4lfQghYXVN+YV6bT+gan9eMRwhTsuWB/V01SAUot5pgFtprpvFs/l90E9sZFxxejlLniy/4nHjO9rcXAeCz/8cw5P56AqCzqyliYxKM3qbhwp+Pz/RVH+7PKQwABP80tw4HLvBz2nwYzPHJrSejIH/lxE1sJH8ttUQ8mHIFpv0GGB0oENyfYCekoSXWL+wuFEE+xjyak1KUDfohaJ9QMZa+A4jHiGoWHAwfU083uNFNdE1NxPpa55xQ/Q5fGE58qmZVbHUoL1EFOi0Nc15vp9kRojjQoEENvEQKwZHlauhm+940s6IwBE/bHk5WBjWM6BM/7Y8dj23uo1Vj0gy5IK0xYk62+IXNINPeDnS5sZJJweOKvS9JDYNw/9oC5ptmsqkGWryWm22Mwq9AIWm1Zt+0nIZRrOM+JHWJCtCqXhD5+UL1fl6wt7IgvOqgOtsFUM39n2hS4UWyVohToLy2u8VFKDIx1yb530y+Q2HfT6oKPYtcm5+b/dgDaqph1JSuqxWoiXMdx/DvGLhM6nIfPnAi5EImXDQIxkh4tJ6P+z+4vOPiX5fKflXk2eioVL77BQ4jXLunu4zBu/bOCePHigAD/+E9IgHnVSMxpTgDQ3w7WI7FCY9wjbXqbsL3QB1BOizIFNqHDcX2COeJV7X8Aia0HBpZgQpFX5XtMJAKnO2BR2EA94xSk9/rAPgZpJkZXTHl5MpPz9+WLv4uFy0daIJ/y7jkxLXK2UNw9VVfkq/I6cteQMwHPe0V9XZc1DIXOjJ23r9qNtx11Dx7Zumh3EQvp/8D/i0G6lhW1y3xP0Uu1iuxfnvhacBTwiRTSrKhT0HKlFG9cG2SaZH5D8zLyhrQhp8V5AdAdikmQUfDigDTzd45YpWRaNEGM1wcAI5cWBdPHY6Hv3NHQoX3yx6jm3Qo1QqIVlhqHqEeM6++H1Sfd3xg8zMSSGXlQT6EYE0+raOvKrmbnGCW3GnguHEjU1vCE/w7u8LCct7IBCSL7XQpLg39SmSx/MdL5OWXaUCxbVMM38q/4PXNzRVNaHRZFXm35+q1gZ/fx9a3vY/YS9+qEhcsvNQaNyuVcbigz9fqEWoAnFh2rCIMT3XMc+N0V0+TSIF4nU/Im82wu1+ujcrJ6OpGubcf208y8giwOgdKAARTKtybInUx31+JkzMw9A4q+CxRLHcrYYhIHz0MyhAVY3JKQp6DvoRwT58/MEENv6hSvsf0PhrgIkPTYeNeasJwFt8tKPmEkFYINhigC3XPmid+hMJfp/w8MnFLAIX9Cp+7adQPPW5RZqHuuf0rV+vdVqU3nFmnet8KZd3SrZiWAXcKViyHYAWb3c60TMO2C37goHkTMd6olZ09ZEfrTpdX+MEHswW65p4rJgNZIbVquD73DpZuE30HsrUBsPeWpQy2JGNUPq8tCvcREVgmnIt7yJn8sC8D+RwgXCXHf6qDMjANi7nvD6uWTik4P68e9lVztO4QudwdZdPieflfFADH4sFPhXwCpGOkR37RSrqe6t3CR3ZI0aXqHdZ1l1JcJv+5WEXmJZfNUOPBGpvatmc7ygJYDxuQoJ5FDFsyZffrAYOcEXC6gDaq6NTGgo4JZAYQsHg8JaFWQPEToagiSQhhErMeA5nTUvNjJ4/0HHIvsjsGabAv3GiT2lcVnowt8qwEyLnQStNiAxv0bURhW82BLCHq5cHx7mtUNqDQjrc48iQZiZd20orTq7PmxwWBa6T9EwuEOQiX69inIbSU7kGbRmVUS+RPKfFoCXXOSlBjzoLM448Ymbf0FsEgATb0I5sJ6R2k9mlh3WgRur/u8ODtXJO9TLjVvAm1WmHWXn8ZSvKRS+/VSGg3RzKGyVqh2gJmpDJmF4BwzqslhaCdvdkwBW+7oZN///1h41NX6Fo68l+P/Rl/ZFvCF2VD18E1EjmnOs8sxmMjsDct3HNd7xB1PJLKtNTCLEF0vLDOM5qGaWfBVZtwHiz7fhbPxeE4ND8ygHhUUVzDsC3uHeVHwBMghSY92wnNq6SJP5HMC5knoEFxGnr5te8GcMT6iD6KMKjzqPnp7raGSFo96d5qDiug8krD3vEpbE+3L0XRye5m+2N/wVL7u888JZ0Yj9uWZoAmg41G9y5NU1g8Sns9gY1jalZFaY1+S2nCAfgZRNzx0gLa4CY7SClib1+qDCKIVLJyCqlbKRkIbNXV/B+/L6MAUwTRn8NLhm1+U1QgqD3X+cTJoys/1laSEBXcupT0CrCkR2wguGh1tfkyZ0yLJcbyIfRHzmEooMHWgL5N+mNYCwxLyIfDmBSacZI7AUBfGD+RT24W0vl976zd/sBzIZtQGFPKDtb5bzNE5FNfSfser+afqBG+S+gr1GUn2ZQMGN2095uqnYiwCUtxmczGlOLixbQMnYPbxClB7i4NFvZj2GbnX+yRgv8OFWTnp0C1aPsQHgZzWKAe0cDaRJpAOTTbaGaSJiwIIu689xqYGKej3oQLaAHqlRyRhJngUOj4panxNb/ZFbP6lfUF0fehNJFJaR3WKSiRAjv6ommtSFDQ26TrhYE9d+yG1KApzkhlPTLNA4fVRQxfZi41hbfHDg4kwZMpc86BSCq85qnzW+nMJiWTLxTKYSzjpiWSnMzBvBYf0vntz5+ltwJwyVMX/TdAoYGyHOCINLSxhKoajORJ0g6zEyBRdG+kg0qZCFi894fR4eAz5/fvbrhOhhnCOaVCJlvLo2jXiizQlsqbvLr8bTbyMF5yJPEPV8H/B8uhzzjCIxvbbc3Ac3rPX47FBdEc5869c7JgL/2HD9GZzJXfRBzyhSTFMMh7J+K7LgEIGsItTsJM9wa4BC9ZicZRifuGxBKATOIVeTpJJHA80yhmL6lsazUrrAlyA93mR4CsuInmum6QMyjkmcXBnEtybSeuUjX7aFmzSz9Il7C9iR/4QRWyzgSIh7sbqEl/v4mQtJMlydbZdd0aT65AShTHUIkNZxOg/IuEW26v8pyZi5msfPBjwmknQkXPTf1fCcgVuY6OoQBPzYR1BFTjpY5lTfAMYH9sDW+xxRTFftsNNRzIctX0IEv5haWxLDhuN7eagltf2v3GubrbsYTeVwuCFJnabgzXan4vvpPVIPhrhE2k6G0FfDhIpQL9oweNBG2hefoXoOr+piHYcc1hJSHnSUp9qRxQxXzjvaFulfRO+2GoMAg6E6pz1Fz8e8mHRubREH6NOLvz070D0u1o7Tb6LE2cmw2XdRaVqO+Jo3u7pZUUVYllF31Uxb8ngHarWQ3dOBneZQHsW3AFpRofz9BcHII6dd4BhAM+sl7+cBEFuNn9nkDBR8PLx7O0G+b99qSAnOdvY6wWTwMbWC2JLcv6QTwqe/bAdEg3hNi2GOoqwvs0e6BO/7GS88egcwqZEe2Tpvtzb+NCia/A3oc/VNWTucmQcv9K10QaloZjHMXAMsDESr3LJ0enaoqc90bbHWEuoyRJoDDuW2NXHpCILLAxCUDZnArlE78J2B15Yc2sBkgHyYrILaZo1dBVR23R+QX4bZXt69EZC74IdcELt4qw4ANK+xKtSRJ5vnVml58/71IukUp5GOwEzImEC4YG5G7O7hpMWZmM48RvOuhmqk3LvCggjHPploLqw3PY46twgbKTBai4PbYZ2NaFAHkgc4jqoKSgzQD0jqUkNxFZNSXmvC6QGksns/GaI/qZJVSWAxr95P3oEyZrsfY+KFvhpGJWAa/TIyJslTsKjSv+VFg9jm93yT6P+Jfp1sR+tnyTgrDUF3SIi1/HbM4DlgbyHon25B+4fabgbGajl0Ua/zNyFmWcGN4yRQfXgK47vhQFyfAaOliIKbvsCEnfLniDhPg9FlnxBHSVPHNxeEufocboCUJzm0pU2r2iRRN6fKiiIZubjxeXDjRHTsJAffstPp6pSDxgtZzivquUkj1669QmZaHhV6VyAhGOz/A3VWWB0FGdToeuS5FciNyYVmfJ8moHP1skV/jR4Ke3R/gHato0Un0nUr39ftB81uVomTYlVYuXAUUfJnAU/i8PbdjWCXSlAIeqCUeEf9oLq4n/xtUvJGBzxPgRJPaWxnckS2umi+6CRCs9f1EzwORgOosnQDJxALsGV3Nl4dR1o8ygAHkiBiqKyaEk0ulVM6XrfGFcQMkRgK2PVIZHNCEY72jU42/LlzWumXH2uoivR0toT7kk919VJYa5+2ac=,iv:BqwTfYEtqtFazQGfhL6rxfIUrZ2cin+jy070FDaGIuc=,tag:MMUGNmH6m4aNR4U8KAac6w==,type:str]
+livekit:
+    keyfile:
+        #ENC[AES256_GCM,data:M+SfmEuhPL8sqxOl3uL8mE6Z6pC6naQNxFRskMPbVpLVWYM1Be+QOoLEiTMtWqH2PAf2NZXLcNY63Q99bYINz+BTt/ekllye,iv:DSZJxoZUlUZxPpzfpXyZ4ECeJjq6/WW8I2fvTXIjmfU=,tag:HwHhdQA8yuSKYxM5LcZV/w==,type:comment]
+        lk-jwt-service: ENC[AES256_GCM,data:6OjQCG2lztUGBojhfxzv7YdflNemhMToibOPTmnZD6q5T/EVRTV36Meg68E=,iv:UahvMi5ssAKuIsr5RlCdAm7XK/B2dLZLi6hcGAJ42DE=,tag:BEV3Clg6Sr9f9tPeJTiIOQ==,type:str]
 sops:
     age:
         - recipient: age19nk55kcs7s0358jpkn75xnr57dfq6fq3p43nartvsprx0su22v7qcgcjdx
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPL2Z6RVEyWnBPSXZXZFNn
-            dTlKd2xPREVLVjIrcnB4MTRHNU9LQklodGo4CjNuZmwrV2hCSlBXbWMzQk56WStE
-            MW9uVk1ZOWtZb0dFQjZFS1VUZ2ZOd2cKLS0tIFkvU0s4L0h4TS9zemVLc1JyTVhB
-            WEU3d1ZsMVdyYXNFNVpyallMSk1QaG8KYtDGiTY2Cf5YmmAKgr2s0FNeZDRpUCUD
-            vJEm+1XFJI4fkOytpOZt0ZywTDZZd6JkXD1V713Kvr+sDCvuT6HW2A==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlVGNjVTQyWHloRkxWWjJy
+            ODJ1cEg0aCt3YjkwY2pKa2d4a2N1VUwzcXhVCkpKbkFsZ3lNY2tkdXhuRXRLeTdU
+            b3U1OThkT1BubUVnbHBOaDY3ZDB5enMKLS0tIGZYUU9QeHFRT1BwRVpDdDZRUXVn
+            M2lmWTRiMG5oaUs4NFZCb1NXUVdUZ0kKq28skWDPKQ8U4H+vRu7N3I8vURHj5eMX
+            XKYf6wQ8kyrpT2+nZhWeVP26kpDvHcsMSqQR1ldHOGQAq7fAz8Qwyg==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1ug30gg4y7ftuya0wdv7q0vh4egn00wlv2th7mt7cgc2ze46wmvyq9lq6ge
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoeTFLdGNER2lRZWlWT3RS
-            RXQ5UmMyNm4wRklwRTUyK2RsVlRxMUU3RGdJCmtLa0VTNmFoSWRsc3Nhc0ZhQklJ
-            MVV6M3pvQzdtVTR5Lyt4VmpjMkFhcGcKLS0tIDZzcnpDclZLM21MYjFlbkRKUi9P
-            L1NFL3RQSlh5c0hjVXJ4RWZObUExaWsKyU9dDDimP60N7aF8wda4g+Uqw1Hcx13R
-            9kuemMqS1cj9HPRuEhCOINAHIqtnYGmHaow6UlEc/nuKrsV6Ibbvmw==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5ZSt0QnRMb0lvYlBYTnVq
+            RHNha08xWS9KNURKTTRpQkZUYVJTeXMwc2xNCkplb0JDU2hyakFCN1JjdWd3elZ5
+            QUtzSksrVjhZajJ2Rm5HbkF4aGo3TnMKLS0tIFR3ZFpGZVRNY0MxTEIwbm4wL2oy
+            VFdEczZXV2ZlbElQSjR2MER1YzhMV0EKHT3aX1BnddpVNuzzCKf7f4lqe4hTYPYt
+            +udTQ6pc0XqXEiJmEJN/XrhkS1BOtMBbP4rIse4x663KHREEG1K1OQ==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1mrnldl334l2nszuta6ywvewng0fswv2dz9l5g4qcwe3nj4yxf92qjskdx6
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpdFphcGt3V2I1UGdVcFJW
-            RUt2cXNIaUlJbjE3bVRLcFlRalhZODM4ajNrCjdjSC92a0cweG0yWFVBR3BBOUsz
-            OVloN1craG1PdGVnTFdXSllOVkpRb2sKLS0tIDI0UE1QMFpwUG9Xemp2TjJRWTRS
-            UUFYczFnSExjZEJkQzhYc0M3ZFJOOVEKxqyXt/2CmKiuIBKdA24atjD8Ns84mV3C
-            6i2H1P7+XCDTjT+MyaRV7TlOyGPv/AqcXnAgKxk0CNX5O3qoAXmjqg==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoZEluNjRwRjNHaEZzNHR5
+            ZW5RVll2K0NwUWtOTERwL05HZXJuMUxhUDNZCld6Yjh3Y1N6NHRzSG50Wmh1cUxv
+            MW1OWXB6aWR6cHdHUU0rNGZML3pocVkKLS0tIHA5a0JmdFQ3cUdQYXBKTWxpdUty
+            dFJhWnBsSzVyVkdMSHhEcWNvUmp1WG8KRB4/5AeDmkJ9I/ZMvqs9Rnrtl0FmOpYP
+            hwV87Zznh0jA7vxqB21wH4spqu47VrFo9A7OhTp8e/ogtSJjyJkQHA==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1hmpdk4h69wxpwqk9tkud39f66hprhehxtzhgw97r6dvr7v0mx5jscsuhkn
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXVTVyMy9mOGtnK01hRG02
-            TG56MSt6Mzk5Qm9jNE1uTVQ4bUh6M1ZJS3hJCkxlZ004TXJwZUxIYTQrRy9KaGdQ
-            U0VHdHptVmIzazBMMmVjMmt1WXhlOFUKLS0tIGJpNHZxbEhFWENhdDNBS3JZbVBO
-            WFdFdjNPNXRRdUFBZERjRVhLbWhYa1kKDULOz7tab3nP/o3W+2lYQVZy+5R1r5dg
-            V82DVkqygJwhjMD+UHV9KnkHSnaSfwQxF1pVKq1ZZN1l+mgNcISbjA==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBocEU3amQvazVLRjFzOE1X
+            dHpkQXlIWFptTFNTZmJtak84ODVZZThKSDNzClJrYzBrU01TK3ZNM2prQk5mU01H
+            T1Zyd2N3YVcwQkpsMWJIK3hKaUVQWm8KLS0tIFU2QnZVaHRaZjR3RVlveEVmTjdu
+            SVlaajJ0SThZdUpQUTZBZks4RDcxNnMK33zYR5DuSOe1gJQmaW61Z/CNRvSV5LzC
+            +UeqdUsYxOPUzFHRLwUd1YD/uPO+wfQph/WVDh8ELqsG4i0o/l3ycQ==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1wrssr4z4g6vl3fd3qme5cewchmmhm0j2xe6wf2meu4r6ycn37anse98mfs
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjaFl6VUtDN0JFeDB5ODUx
-            Q3dEeUFlWWtCV3p3TWUyWHFMc0pTamo2Q1RNCllyR211ZmdTaTdRNzBDVXhqc2xi
-            Rk1Tc2thTGZLNW1hejJzdUpOOTBDUDAKLS0tIEFhb3BPQTcrMXhlenZpeExCNHNH
-            OU9sN3hoTHIxWXUxRGFQekJDaVB2S1UK20kKBwClp4zSlgMShCC5l9EmhbTZ4jwT
-            m82tXz1tCuYqJeyklyHW5vol4jE5To2AL3im7WyepD9C5pgA1xNiZA==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArYTRCeXJpVi81WE4xWGli
+            TDQ5M0g0MDRYb2ovbzFjbkloeG5LWmdBTUI0CmZSV1FleDhtb3Q3WGhwcEN2OEhN
+            YW1rVEJNVGtWeTNmWnpsQ0J4b1k2b0EKLS0tIHBkVU15a09DdHBQa0x5L3p2THd1
+            VFBQUFZXZ1pKVVoycHVuNnVxem9Gd3cKW6ZqzSjbVZDZcv/cWN31AF+5HlyvbThj
+            W/qDquapYsf6dybP9F3GJ3pyDdSJbkVvInBL1aZWz/mzvny4SPSJLA==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1zhxul786an743u0fascv4wtc5xduu7qfy803lfs539yzhgmlq5ds2lznt5
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRQjFGZVdKTGRXdHBtMjY4
-            Yi83alRTNnpZTnl1c1R2ajJYRXYrRnZUYUY0CkE5THJVSXYwT0lHTGZvMGFCcnY2
-            YTJhS3ZyY1ZqNTZmL0ZnZHRUNmhmWmcKLS0tIC9nc0xIMmIzSGl3aG9kaEM1Kzlo
-            aENqOUhnSjZpNi93SDBaRy96MWhjblUKqvy6v1CdL1pqOt3N1gEPCT01ypwd/SG5
-            dVaVKV2nEWoAS0/+mho0KmdHQNJi1Qejhk5RSkoaZRd/jSC8sR8hdA==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhN2V0ajNZTWhlb2RlTllF
+            KzdCd29lenR3dEJTclhvTnJDTkFNbVA5QUNFCjd3VFFtOUZxeFR2TmNLTGlZQ3k0
+            SStaKzJHRHdYVEVqTDNnQyttVWFPZm8KLS0tIHNQMHk5QXJQQUZyUmZyUzE1czZk
+            ZmNETDhaT01VL0pQTDhXQnRxUUpWdVUKLxDyNyTKs5hl9CkPGQLOe4JVz1EZN6sR
+            drKTDoEOPdMT+ki0DwfLUcmEOJGg2ZOtmlee6s5jalBIrPZ8MXEndg==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-06-21T21:23:24Z"
-    mac: ENC[AES256_GCM,data:bEJoCzxph/MOnTOJKdrRiQmbVWmAgsKy8vbD5YBeWagWUCJPDAZNDFLzEzmPvt0jDBol04JosrSIKZS1JzJIIm0zRkcOWSqERQCgjgtGdAYmfp0V6ddseDUVfKlZYJDkt6Bdkqg+9LzrP8dDVm2tMDXpo8vzs02o9dTYFm7imVQ=,iv:buP/297JMfvEm9+IdMWRGV7AgZwF0+G6Z2YIeYw/z1o=,tag:+zG612MJA4Ui8CZBgxM+AQ==,type:str]
+        - recipient: age1sqs7urnzsdy64efmd0zukzv3gs5pnjksuxd7nqmdwdy5l0nqnunq6hyune
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqSUNaM0gzTzJ2d2VQUWd3
+            RlVCdkNUblBKcnV3VEx3dmFXeTI0VEJHMUY4CmpoWHVsdHJzZlJXcjRNWCtVa29E
+            dkNLcnExUUJLQ1NiYWVhSkhMMXFnczAKLS0tIFlhd3c4clBYNDNDKzNuZkhRNmhW
+            Qnh1djQ0ZDFhRmxsU2g0eHJZeFlkcU0Kj5H/dHrOwSgiZIzpv3nOc7AWeNMofJg7
+            OzSVdRry72qPqYU8YLWjAcoP3ddITZnWr53/yYBVmssW/KeyVyPy9A==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2026-01-26T12:49:23Z"
+    mac: ENC[AES256_GCM,data:+rkFq7pYZrGTtLIjjwa5DQC6WFpeV3JS80w6xADcn+kNnjg94p70GVZ3zP6p+f4PZ/Rupjg1cmm3w0g/ranx+FEmmX43N+zSY97NYOC2oxOhlNDDyrnRDElaiCOq41Jd13FxnjX3Jg9gxkD3szGS9hG+gv3wSf9NabOhFFL79GQ=,iv:+9UDVsvfr581CSNdtLRTfrjQ7rsLgMLmyK4cof0NZUU=,tag:9/xq9ThqrDzg+Snh3vSkVw==,type:str]
     pgp:
-        - created_at: "2025-12-02T00:51:22Z"
+        - created_at: "2026-01-16T06:34:46Z"
           enc: |-
             -----BEGIN PGP MESSAGE-----
 
-            hQIMA0av/duuklWYAQ//ScZ/w12TKrcPdjlPMgE25vVMG3oH5ozWfVdnzSpDJF/O
-            ELT0FRqoDOQfW+XCi6os3ovWQUqDSxuflLdLUkWJFC801LV9gn63loCZlwvMga5C
-            TWcw1ZwGw+El4I8GklzHc5t+vcWvfICjBj9c0s6b+NlmPhRDt9k9cCtvX2QTHbTm
-            9tO9371o3CuEwzPCBou1WvAvhQHH61j6KmWo+gfaGv2MjF+spB2CDhKGlQZAfaPy
-            Q5SspigrBwv6JhqqqrBMT364OI/mNUfm+y8yX+EdQ/4ZIDmA9JCLmDmA1GMaXBqS
-            XjANHb0rGStNuQKhluUmqYEguzicDWpHDaoFXiJ4C3x9NF2u56cb8IauJ5rBqdC1
-            xyeCc1Ja8dUIHQkTwEvIOXfyxtDrVT2B8gM1AYHHTxNjRgJTXIVBUo826ccN4Uyb
-            GdprWu7Dy0RjC8v2IyVvQiDGzekE4l5ddSgz1N9HIAfbo+j/6vCMTycdsp2FRJ9O
-            1CHzgcQfBRnIgOkgSfxh+b7eKKkL11x4SbT36f9zWL+wSSCtO6p66BxK5kJgQO0X
-            ACWE1gqKdJJlgw3QcBZwCxFT/cIGjfqRE9Rwyi26NvHyd4EnH/BU6xcKtZ3cZkIl
-            D599+UTygoyWz7l2s6h0O2t5KFNP0DarcRHlv6BPJ4KuNwq0+nGa1E54kDHeqfzS
-            XgEg7wqYz9QXtiHHofPEgVOo2MD6FTYNTBQ3Fj91CW65ME0hBfzsliqoLq9B2mvZ
-            3t7SL3uR1vngmtFaXxCyERcsAnAQz1ClSK9Ee5vzAWLazC58xvctwam1eXKkuew=
-            =G9kW
+            hQIMA0av/duuklWYAQ/+L4rjUWtF3NuYc9UlnyPpwSQvsLbw7gsPuLHYd4cq2VGd
+            p8s0Vreq6smVJlFV64PySIJjFuFhc1IuDDYtgym2Lf4PTOSv3brbO3ypMb+J2yKC
+            pH7xwOQBn+YzKfLu4sX26S2IGSKeytXdHv6hlkt9Ca1i5RKS0ymYfn94vf6e56ZX
+            SLVjq2GprTTt4oNymxkZ5JvDNXyG8XjW3MjowfQcNHUqAhmYN8ngv7HMdiIb7GGN
+            JL9u999H4MCi932Nyc1+/OP4nPdUkiqFxDfo4Zgmj/F+LketzV6QCiV7Es9Vmz1I
+            OX/NXzYKYnEl2FLvPZLEtge2qTFs6/Ur+VBPz5tOP9J0Xejmz62+HgtwaJI7Q4mP
+            O+5FCOh/Jxf0QWq+OPQf+Rxj/dxuMHUfXF9IELmBwpGDslKcyxTOCR0kw3aZO+1F
+            Zs3QOoUpz46fTXs94h+7dLoboppug0P4jAwKLbdqmyEDTqiWOfR/ZIbp7RCLFq0F
+            wNPWnB03RTgSKRIXyBhNqP62ZOohHhFSA0oo+IDPzqFWOLTnD8FBJ3SPDFjpHwNJ
+            3bjzqZRPU15dk286S3hMkp47H2iIBW3hlhl9g03UTdlt+MRiUHIXyt053TK2cbuo
+            Jy7YiQr+dq09NoBBVxEo5hszJ154NNF9JxvN1TNHwouw3DxokQWokRtF4g9MSPbS
+            XgFrAw/VlobYHBXNczlKyIaTdHQbosz9EZ7wO8Q1jLlzGF8a2e8F5ca+2I3begns
+            CM4iU9uUpReZC4672sqHX622dZAGf7m0Dt3vVaNjGj90rezeGuajNMnYOEd+PAU=
+            =Lgup
             -----END PGP MESSAGE-----
           fp: F7D37890228A907440E1FD4846B9228E814A2AAC
     unencrypted_suffix: _unencrypted
-    version: 3.10.2
+    version: 3.11.0

secrets/ildkule/ildkule.yaml

@@ -12,78 +12,87 @@ sops:
         - recipient: age1x28hmzvuv6f2n66c0jtqcca3h9rput8d7j5uek6jcpx8n9egd52sqpejq0
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTVFo0QzdTbnE3QUN3NGwz
-            VlYwYkVMd1ZWMlVZcm10cGtDVTdFZGxBdGd3ClArQWRxZ0V5RWY1dXF5MUorTS9P
-            RjhMaXFKaThud3ROcTYrTmt1aUZkSjgKLS0tIGZZczNJVFMrNlBRKzN0dE9rZUsv
-            bkx4ZVg4OXFUWUhPcTRmRERSQmZDUlUK4jdVIeagp0RJ0511jqT8GL9Y2gezzWD6
-            hIYAXFePO/CkN/RA7DF0Y72fawmRWdPjipaFOMMZcKn7FClsZzqVtw==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIRm5XY3kydDJSRUYrcmRk
+            K21WUEZSSEpYOHFrVkFyOVJYYnRUSU1aYkV3CkVEUllvUm0wZjlmOFU0VSt3OStL
+            Tmdkc3JHRWplS3lnQWlkT3ROVkxkVUEKLS0tIFRJRkFEeE15Q3A1Z24wQzNlbUx1
+            a2tmd21zSWUzbmw5NDdSRUVDcmVwbHcKn+DJ1PnlQApX8fwJoN9DtMqeKzoih6Hr
+            sSh2z6rsTj1UmXocbBm1SduattqZFjvO5XGpp25mM9ZBlpcnVjB/hg==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1ug30gg4y7ftuya0wdv7q0vh4egn00wlv2th7mt7cgc2ze46wmvyq9lq6ge
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWcnBRdEJodU8wbGZlV01t
-            VDBPOXRJY2NtK1l0UTZhSHFDQk1JWHVtcWlBCnBEeWRkZnUvbnZMV0hNbjkrNkZD
-            MjFwaUFyVjlkN3o4SHMxMlFpcnpEZlEKLS0tIFFxN0doOExOak5kUFhyZWVtWWRk
-            QlEyZUlveXVvZ2d3M1dqSkVlV0s2djgK4QAE3eKNYKN12CBteu897jQ8+4sbxBAM
-            wC/mzVvdlf2WXIF6m+R1ugDyQdWZeWZiGcZMX+BwwqE7Qu2egUdxqg==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVaEdlWnJCdHVpM0ZHTlJj
+            WmNrQnIxYmxmWlJ4Z29WKytHd1plUURPSDBFCnBHU1MyMS9FNnRCMmJ6Ymd4UWcr
+            RGV6QmhrbDFObDM1MW1NdTdDU3ZIVU0KLS0tIEtBR01OOVdITExFcUN1dHEyaklD
+            TVFnZXRva3FUZjcxYlRuQnpFTDhpZzQKxZM0ZB6dVwFr5QkT6YmEA+3RhhsX0pl4
+            SolLZXFal1BluDERtZ2Clb5VzrcV3PUfFo8Yx6ncFjcisyFXUHVnYg==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1mrnldl334l2nszuta6ywvewng0fswv2dz9l5g4qcwe3nj4yxf92qjskdx6
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4ZHNYRldRR3N2eVR0TFhO
-            bi83WnNRT2lRUUVUSDhhQXg5U2RmQTN6RW0wCkswRlgycCs2RWxVQUVTcWcreTVp
-            R1JScWViT1FXUGhVYW1KNTZ6eFdaeEEKLS0tIFpyeCtmRDZtOWY0OEZRZk4vVUhh
-            VnlnZFFDOHNKejBQNEUvUG5xTkphOW8KXskAnKTfKQmQOhgcmGsIA3XXfWfubBeA
-            QQQ3YSlLKPd9czV13SpSo9IDr/jWCUHF5SblpOD4t/ZFZR4ajV/VQQ==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvYmNZSTBrUzg5d3NPSHhM
+            Z2s4KzlVZldKVitmL3RFNHFiQnJlcmlCS3k0CkZ4YlBvbW1DTzEzRTZMUVBOWDNT
+            SHQwcTBQL0NQbXA3WHVZcFhjZW5ZeE0KLS0tIHU2TVErZ0I0dGRuTGIzZkVoeDJC
+            MHJkcXlGdFN2Y1p4Q08rT0phODlLOVEKhSEO8hUZ0d3SA1tFvXN2HuZR35SRzhUq
+            +J3eN/qUBu0LcuiBq+qbGYIAHggXy9ZSGCGfrNw35czzGpzfbK/fwQ==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1hmpdk4h69wxpwqk9tkud39f66hprhehxtzhgw97r6dvr7v0mx5jscsuhkn
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEQTdHaXRLTFROWVE3dVR5
-            YlV4VGNsd0hCNjc1U3ZOZFVHRVB1cFF3QXdnCkExQTlqalJXVkp1Umt4SDZJME5q
-            R2tmbmNaKzRISkRQN2MrQXY3OGdINU0KLS0tIEtjcDI5WlVPQmFVU1NzNWxZSHQw
-            dE9kZW9OK3FPRHc3YUVobjlwZVpUNDgKeIL32Sbecv/d0FFX+FKYxQqyyiipZbW4
-            GxOVsjUaZsifGsCdT9V2xNlXsuYmoc98azFqRHq9W1VbXP+sUuk9mg==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhdDBxd3J5MWZ0R1IwVWRw
+            cklOOENFM2R4Q01JdFd2cDZCQ2pSTGNucmhrClgra0tCSGdqZExLbWNoaDZkSzJD
+            aDc3YXdOZi9jMDdwc1duTWdKbEdUVDgKLS0tIGxKbTYzRnAyRVlwbUxGS3JySFJS
+            VXNrSldhMDV4V2preEJ3ZDk5UlZ1YzgK8K2R4LETFFKpUZVdofJoE6eXw/tlz3+9
+            k0iXQX6zMj1uSDmenjztU04FIfRxzIur5xifd8hCJnWmxlOCFDqLag==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1wrssr4z4g6vl3fd3qme5cewchmmhm0j2xe6wf2meu4r6ycn37anse98mfs
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1Q3lUUS9wMGI5V1NiOWZZ
-            dXppS0ZsL0VXODdsZTlnZW9OS1VjWGticHlzClZPNFBmWjA1dXFvMXlPekZoOEpr
-            NHJtSEIxNU1nb1VDcFdqd3BCWVFEYkUKLS0tIEEwczZSSS80U1MyaW5yTnFZWDFO
-            eVRpUDB1VjZkZTNVSFRRSFlqVUpBVUkK6X6Y0du2C6eslGR9O7r5Wg0P6GO/KBP7
-            HQibU10/HhLOjdzj0LKQldHWDnDUzisUHQH2srRSzCg+RQ/FL+BmUg==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPc2dCdGNSeWo4RkovV1Vn
+            ckRYYW1xZldjVDRuSjM4elQyRVFROWduL1QwCmNSVzk3aG90MHNWZWlzVDg5RE55
+            L3JKODZlMDJudTZYNGVNQldaNEhPcjQKLS0tIE41dDYxWE84Wk9XbG9iMUhpMHBu
+            VlJZM1VMYkRkQXNlSVVoT3RYZXRaRU0KqqIjxe05oO67IUt/LMIYsUAaZw1qQFNv
+            mmVu5GvHdpSrp3PttxlZC7OiP84Jzj7zM/idj0wBIeVCWedWO59aKQ==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1zhxul786an743u0fascv4wtc5xduu7qfy803lfs539yzhgmlq5ds2lznt5
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwUFZ1N01mQzZUOGdQemhM
-            VUYvSW53U3VpSnZIN2pHMlBlVzN2UFBiSzJZCkFUeGd2QTRud0tSWHZSSXVNT2dp
-            Z2UrTFFZeTV0dTNUSW0wbkFHV2tqZ1EKLS0tIHJJWGZYeEdSS2hSemtnMmh2c0xt
-            MkZJS1JJUGZBSkU2bWRONHVNK1ZjNTQKbwBOAnmCTTlILx4MVZjt4qg4yIENrrgv
-            x3IogdZAHt5TNBM6TzFT7eEpvmS1WWMveeetT9jFb/rlTVroturzqQ==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHL3RId3Q4SGJkYjM5STJu
+            ZU9BbkgxaXdva3g5ek1hZUF5YWcvZHI5c0VRClhLazhueTRLU2N0T2c2REllT0R1
+            LzFrdDdiVVhLQ3BPdkwvVTg1RjdscG8KLS0tIHRYTmg4NFF2c2FpVHphUFdqWmhH
+            TFNhSDNUMEo0Z05mbmlwRUs5VHhUWHMKJUCyLDJx2voDttv4UrpFKYyNz+HhtyFj
+            X3OrNbmJQYuNpq4hzQs7jN5UD/4YCtFi9mb5pmFr8MTHLb6UsZN++A==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1sqs7urnzsdy64efmd0zukzv3gs5pnjksuxd7nqmdwdy5l0nqnunq6hyune
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKNzZ4Y2U2NXpXWHA3Y3Zw
+            S1BKbTNXaGxRaE55QkZNSFV6b3VURFBXWlEwCmpJUjM3VVJRc0dwdjFLOGdQQTlz
+            a0hVUC9tSXNDQ3NyTnlnVlNNalFOZmcKLS0tIFNXYThsRHd2eUQyOGtVT1RLaTdR
+            RmlST2JZS2gwbDBpZ2xMblpWNzB5ZWcKTkKF9aonrBMolxqcj9a5d9JLoCj229KU
+            It2KjhlzBcgcJUIiIPWMoV9VbEpKkTsCLkWxFSLle++ryOUYh3kgaA==
             -----END AGE ENCRYPTED FILE-----
     lastmodified: "2025-03-16T20:08:18Z"
     mac: ENC[AES256_GCM,data:C2tpWppc13jKJq5d4nmAKQOaNWHm27TKwxAxm1fi2lejN1lqUaoz5bHfTBA7MfaWvuP5uZnfbtG32eeu48mnlWpo58XRUFFecAhb9JUpW9s5IR3/nbzLNkGU7H5C0oWPrxI4thd+bAVduIgBjjFyGj1pe6J9db3c0yUWRwNlwGU=,iv:YpoQ4psiFYOWLGipxv1QvRvr034XFsyn2Bhyy39HmOo=,tag:ByiCWygFC/VokVTbdLoLgg==,type:str]
     pgp:
-        - created_at: "2025-12-01T10:58:21Z"
+        - created_at: "2026-01-16T06:34:50Z"
           enc: |-
             -----BEGIN PGP MESSAGE-----
 
-            hQIMA0av/duuklWYAQ//fm0H3oXbEcd0f5QwmAggrRzyy49KMXXpZVFm3xa9K2AX
-            W9+GJb9YDiCQ2shiKYas1QNcwxF8EQKWqDGGP5vHpUNb3el89sfE54qnz+MGcAiS
-            eVqggFbtHlDFG6iYt4Rgng4CmVnPv+CKdFuRs0WWO4ouNbG8NKIuqXuDrGw7yxBE
-            i4AvIynHHkrQ8Bu4KAgjhZOCTAd53TH6EFPa4qy1x9fe8Ki1QTJsBcNk4KXIT5ws
-            LUzbcCFths5JzpEdCLEViaFP7joSSlXBKQ7AtAXdznmmrX5JhoiBIEHusYY7Hjoe
-            urzppufh38LF6KFCRAl7EltJPlenA6NhMlTg4jEEi2v6IjqcEGrj9kyAgBnS3uz8
-            MtFovJ2IzENgsIWZxUxr9vbQQY5PYy9ZcJpEPBRVRDfP+tlNs+kA58AD5ZqLkZwM
-            NOZmQZyjRP0L+8HfCiWRBt3dSJGabO4jNIBydKU40/2bTOIY8MnnYR9pss3qIRzf
-            TpePQd7PoGwcU446FV3py3yKecBUMEfb8uA0TYfp+7WMbJqetuQ+fGxCCNDDJKar
-            gMSEhFhduTSvQQPGjZemI89qZhO/0HCxyMMYpIPNYwiohqIGXFfFzCjz+CCt9xOj
-            5eTg+MSV6R8njgbiOpYyrNJE1K9LpKtCZop6QWNtSusaoKOT1jCVQLhvFSNfOeTS
-            XAFdZOYFB/qtaxBF5Uu++jz2MkFZKbSkD+1niVgmusJV/dGwNUU+pvX6Ua1tH3mi
-            WAN4e6EtqtlL2BTIOAv6xPqMFYe7wQw5fdky8J8diGbBd1v77YXpibZoNWfd
-            =Z56A
+            hQIMA0av/duuklWYARAAgrn0irD12kqDfIEvpLpa0Ys/hMG9GwCMeU186iFfJ193
+            72UVEzx2GwIfSt0qQlpBFZtueL9Bb7ka81IrqhAepq8J5//WxEGvv6H9aIm8V7ov
+            ZkS4eZpFksu0ZRFP5HWQvEQwRKj8WxYQY/TS/5QGNSPeHOZYnpQcBhAVLjn9Uj/O
+            6ojnIVoKxDdo235fuDQdiLwCpPXsKi2OQuSFOwq7Acg/fm1pvc76h9dqr5DqrspZ
+            c3stdbYwVOedgYjRrdSYpkplGSqNeVtYYJ3apdauMSRNaKmgMwbkxkzXO9YrWASa
+            beYilvhNgr0rnQB617IhgBZrgik9CvqrqGZqim0fWI+s4bcbgfvK8UORt4+QgJjO
+            FPqAtVE6sNGzElKQ6ZZPWZoXeK7vfIfxwxU+oLcijAnUmLy88zqIUjUZKzmyhDZa
+            YAAwxBL1nh+UzIbn4GGeVbYHLbKJ6XnznF7zfTWph6GbeFfdWuaSwxmnGjE6n1y2
+            ye3GQaW2aeq7RKoqyLJO3oIHyGHZXFe4pB4adz60uKNPJz47/gtA5OofNs0qbxqQ
+            Dp5fmrvZZtDa/TYIV9o1bSp7cYk49TGKHPbX7tLjEIIfRxd4y6rYgwNpPdukjZsk
+            bbdxypWrJkMx+9xk84DGo3e+RY738JgLjc0ylDO+pIzThUruBOcDjUKeGNmVQYnS
+            XAGofG3JSI97wFdYOB+4yoYPqs5rovgPbkGGuT5SBIxH5zVv3X+SE4wCGu3CLFC4
+            A4cdwXmuERPxszVZW+V8CSGq9XnH/OzrpiWVhzqXCRH03F2BmnAx9Fp/zMTH
+            =DooK
             -----END PGP MESSAGE-----
           fp: F7D37890228A907440E1FD4846B9228E814A2AAC
     unencrypted_suffix: _unencrypted

secrets/jokum/jokum.yaml

@@ -1,93 +0,0 @@
-matrix:
-    synapse:
-        dbconfig: ENC[AES256_GCM,data:R7y+867fwnVXHaknUj9RpBtkEATfUo9AoaNId/ODLkHCJyQP1761pJLqeSkQTZAnzZxqACYorV0P57tEQ5bE0aKLOL7tSClx82x7Tki0MiWME4FgxJC2fQk/vP0Ca2zufnw0s697zkfsnyx/1pjjo69amXc207NXAHCtxXO0ztWp0Q==,iv:BsbOLl/hlQIjOLnik8lZWO3+jhMEZ//fisxLon7HdE0=,tag:6sv6ySztGbxAgn+WV0I5NA==,type:str]
-        turnconfig: ENC[AES256_GCM,data:eyUQID6nHiMH1cm418ItI3DEAjAPoR9NR7DvhfYCTvYM1LyHKVg=,iv:Jz7LEOUwTI8LCMOKqB2vN/0Zs+S0IJkHY3wpAC0q5YI=,tag:4SImxB+5JI8VtsZVy0cYIQ==,type:str]
-        user_registration: ENC[AES256_GCM,data:qWtVuNc0YWetsVVtXt+nlaUPq7QzbsDIb+KV2jgEfLZXU/h+vS0PL+k=,iv:72fvhUo3Bhvxj9A16sTL3teLKA0tGEk7pbgKoooOJSo=,tag:Q5vl2+ZJZqtcmMH+tNqVag==,type:str]
-        signing_key: ENC[AES256_GCM,data:3EeV+9X9TtqhBL7QyULTS7tNyH7ayhe88B7UtNZ/TMlQSW2E1WtSVEecqs+097A1SmdKoYVr6iz0ew==,iv:TDfAdYROu7o7FIwn6oOs60surQ7zFy0+9bqhx8LtwXg=,tag:8MpNBw5TbDMxXHF9+tmZfQ==,type:str]
-    coturn:
-        static-auth-secret: ENC[AES256_GCM,data:bDVbTU3QaanU0fPhQF4Fil4=,iv:MVoFWgqHm88JXaCYa5l57SkX3fSmP97Z7IzvwumHWY8=,tag:ZX121OshXiLC6eRxz2Be0g==,type:str]
-    mjolnir:
-        access_token: ENC[AES256_GCM,data:z+BG3nJyUTrJJq0eGNzT3tFatKXffgBzg3E608pqBaPvtJYsnEy4mo1vZig=,iv:VGdnprNYOArhLdY38B1BO/V9YiYGZEy39gnJyh8atgY=,tag:qJ+UryjNPTH0F6ZP5JJlEw==,type:str]
-    registrations:
-        mx-puppet-discord: ENC[AES256_GCM,data:nvWSaZ4we8BD50Op/bZMrlMXGBwzvG3IXGPGJe2paCZ10tTm9v4+aYGYhILNhcQM095AD9KdEJ44TAyPxZ/c5iYLqb/LJzEpa5X2jKoiF6r7PjNFGevKQs7fzJk4Y9MxHwZ2KJT+uHjtXF8erJvFDs3S3WgmuAQW1U9b5fYQNc4ZF0tY+BsWU2ehqMejpx7w93TkcIiZY7Uoj4kPMEp8aI6v/7VPIjM9g7b+R5KGZ1/yIpiNCzZuT+x2mxCtqGfbOynWON8PaCIojp7sbLaRWhX2bd4GG2wP3T5MsgwjJzQSfyXjK1Dyxzr8fVmh0R2mJoZHTYNQLLwYncLwqXQEHr6tXNWPTwxPslW+BdLsp/8//m0F04vUf4Z0dbf22NSaPkH9GdRLB3zXh07VxqG+B7OvAjDULHUmA5uwgtZq9h0G73TWDJ8U75eAxrTdsgQgmIsyhpLljFW2QSnOPL/93ieovh5qRgXjgyqrljDOkB+fhC0gdQalPeBM8l5zPI8aaJsVp/l15rx4nUIrFka0g+v+SRhAIPtQAKA=,iv:3gzyGz7T9PK/J92X46YXYT98bpTnx1uPiiwXuls/kOA=,tag:Vm+zNmA53HIb2dP8FIgP6Q==,type:str]
-sops:
-    age:
-        - recipient: age1gp8ye4g2mmw3may5xg0zsy7mm04glfz3788mmdx9cvcsdxs9hg0s0cc9kt
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvKzl4b1VWTHQ2bGI4bXJl
-            SFNhY2xVNm9XdG56akFWZkR5NHliUnpFaTFJCkhRY2hONTVvRkZaN0JrM0lkZUVu
-            N3kxWVBWOUV2WHJMZ3Jsd24rOS9hc2cKLS0tIHFDWXBMcmppeHJBb3RLZ08rdVlE
-            R00zS0R1Q29QYUlTamI3MkhNNWpaZ2cKMTZ8G2ZVNsAKgZj8B857eH4yfw/fvwtJ
-            YmDTcA0w+uXI+qTtSLs/UPQ54KcW7zNvMUUSoyKrYSDul0SFUDk+Vw==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1ug30gg4y7ftuya0wdv7q0vh4egn00wlv2th7mt7cgc2ze46wmvyq9lq6ge
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3U1hmbE0rWVYvenhwQUpQ
-            NFlKcFZtMWVWNGU3cVkvcVY1Mklyb0x6cHg0CkhGTHZPZEFCSnV1aFB0eG1ZOHNU
-            UGJLY3BxOHF6V3NuWGZJUWkzcEVUc2cKLS0tIHhVY2xjaXZCdXR3VU92UUE4eWFF
-            RHNtb1RlUmdpd0RibFlES0FDRjg3RFUKFBfH7eVw3j9wFWYjK3nwd5BuW9V4R29U
-            sD/5X7wLRmfo0zCNkf50RnN3oxiP5Sj8zprQnaZMX95EGZXgqeWuWQ==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1mrnldl334l2nszuta6ywvewng0fswv2dz9l5g4qcwe3nj4yxf92qjskdx6
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXMGc0a2FyTU9MaThIUDlz
-            VWJTOC9ZUktuejl6WFRtdlV5VEFIakZHeENvCkpFRDF4RDRQMnpjZTNCdkE1cWlO
-            VExPNXdxcGk5RTVEUE5KcHY1U1M5VTAKLS0tIEIramZ4R2sycnFnS3AvMWZ2Q1RK
-            dGhDZnVraGlQQkFzdHBRUjEyWEJFMlkK0M3q1NqZdaC9E1hSUOwdTOUWdyvW1xPb
-            E/9SHuRZ+YTzXiECIEx/4ZiQEEcCWOS/wLTQjYpzoozBrmrjGaKC3Q==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1hmpdk4h69wxpwqk9tkud39f66hprhehxtzhgw97r6dvr7v0mx5jscsuhkn
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJTXJkckNBWERIWUNXMERK
-            UzRnL2FJaUlLTmxvYTBQTXlvSTRvbmhmajFJCnNCZjdxUXpVNDlwY1JDaDNCbWlH
-            ZWJFR1o2YkxLMlVNWStoYnFYL2pNcmsKLS0tIEEzM1ZIN3dBb2paeWcxa0hJSDN2
-            a01lK3hSa3prWERxQ1Z6Q3A5OW42NnMKxfCqjDityZvhOoH1DG0JJuEvowlzFBVv
-            WOofbRQ7HdB17OyZh3u5Kbd37D65bbse4HVUaL3NDbdfpUxsbZIUAg==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1wrssr4z4g6vl3fd3qme5cewchmmhm0j2xe6wf2meu4r6ycn37anse98mfs
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkcExDUDNndXRLY2J5NnpD
-            YTFnWndXYWZvRG1EdGZZekZXYUtBOXFVOVVvCmJJOEc2MVhqSDJPRTBVRU0xcElK
-            SzJYS092eXc2WWExVFFheUZnLzlHb3cKLS0tIHJPRUt0RnlzWGozM1NtTlNzbzVK
-            WUtwa3NvWDlsYmwyalYyL2FoNVBhaDgKiRmCO8OOU94uxnzUmGwnUjipDBVeF88x
-            hF92Hj7+9yBaEi4O1Je0b3ShjHfEsg690ajQKkzojGDX/awkdlcF1Q==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1zhxul786an743u0fascv4wtc5xduu7qfy803lfs539yzhgmlq5ds2lznt5
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyc1NLMmZzRUt5TWpyaXhH
-            c01CYTJsQUdBWmZ5eEVRWXduL2ZLQ1crTHgwCndRYzQ1ZU9ybmxlRlZtUVFnL21m
-            eDhYZy82RFJqb1Y4Q1pZMTRRRHpQa2sKLS0tIEk0enhSL0Jjcld0QXNCbjNKNjJm
-            c241QUEvbE9iL2RPTFJCQ1dvVW9kVkEK3N7ojkIdpcN/ui1xw7IEzBKduk9aDKrt
-            KajZLOkcaJWsYZISxP8kmN3CGOBlOx77MxC/rV1yM+/Su0S0TxIC1A==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-02-13T00:12:03Z"
-    mac: ENC[AES256_GCM,data:FolV94dIwYSL5r1ZHTPdmqMKVTAhrnePG+5M4S1H/wBYbED3sr6oPPmmxwiwm5E4K0YR1+ou4yR/vGTV3lfRdxIGWhfAT0WW8WGTZVIlcJCEk5H7Rels6rkma12BCjZ1zOGjZZCcFTm+4NI2KNv+zTc29zry4539jkkxk+8Skog=,iv:KBxSFVaFI3S5J9xG2Lc7FINUI8TRKxPtrbP3f2wXkHo=,tag:TWAtix03ZnB71+O7cF8b4A==,type:str]
-    pgp:
-        - created_at: "2025-12-01T10:58:23Z"
-          enc: |-
-            -----BEGIN PGP MESSAGE-----
-
-            hQIMA0av/duuklWYAQ//R733yCFFSYFZX2bORvyI/xgHjzxNxWPkVZagrWDvjthK
-            zJH6EiHZrivSRx6cXQIQ4SoR0LWHNidmIj188l8oB/Dh7jj42zd93+U99EeUhVNs
-            qPN9C88/e/tEWs05HTSm4oUQpoSeDVBeZEd+du+eP+DJWypSi63fh5sqjPrPHXdq
-            apayt9XGSGBIhWsACb9d56VqCb1eNF/SOcOTLPHWvA074TxmvcbWH5CfiqQLcYGd
-            r600nWol5qhmCqgiLFueUiYDikKVHi+MitatCM15yrnMi0ZLp3B32n3zPjbTUpAh
-            0NHtXHhH4ihBqWxnVSTqAqWiqM+oMORhzVatq0PjUq20XayELsY8yn7YvtJMZLjD
-            CstNQc6NqYxwjLpsuqZQHse5MnAgXapp5ogKLpjxRX9ZKWo5QD1VDB4wELG16sdv
-            h/ZvS7nh0mMWRRyXAe5OL8vTJIeiQBday5aVgqk58OrdhzVtqp3isIKRb5W92W4z
-            53Cw23prLhZnVssMLQiKUVFTIu2f1d907Kj+sH5AUybkbt93T7m/NCaEpDyxPPur
-            QDOT1KFFVTQIBHLyqg8pASJyJMiuSuQ3cbFkTDWrOWpKEDfpxo9Vy64dEKNCeWMb
-            XhVHWMIJXmLXalPePDaCEYCkR8usWZpQsRei2DHaRbXt1dcOjWuLOZeHNizy7CbS
-            XAGkGgNySuI5IFbVBfKG0OaYXu6PM4Kbh8XBnxxREaSH+EiEe11ig6CImV2pbcbU
-            pfHSdTioB03UnQvgVSP2M2DgMr3dkJnqXKrzRO80kVBd9uwR4I/1TUzsk0K+
-            =4Nje
-            -----END PGP MESSAGE-----
-          fp: F7D37890228A907440E1FD4846B9228E814A2AAC
-    unencrypted_suffix: _unencrypted
-    version: 3.7.3

secrets/kommode/kommode.yaml

@@ -17,78 +17,87 @@ sops:
         - recipient: age1mt4d0hg5g76qp7j0884llemy0k2ymr5up8vfudz6vzvsflk5nptqqd32ly
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxQXdwU1FtbkZ0MUw3UXg4
-            WmJWdUFKT0NaTkpjUWFlWTN2cFk0dmJNTG53ClVzUE9jS3RQcjN5WHBacERlZ09N
-            eHRRcnVMaitpeVBGVjNmMzBkNVVBOFUKLS0tIFFxcjBUTjNmVDVLNGw0VENpL1pK
-            NDJCVVNUNG5samc5WTlyYVZvYUNZVGMKvd5QBRv+HRc/DDILlmyhQVqhEDk/ZbBg
-            nsqPf4wmzhqg7l1Fu8FQcjcSwTv/0nCKyWpLC+TvYjnQ5ZSn/eukFA==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHVmVrZyt6cDE5SUp4OFVm
+            c1hhb3BjNVByaFJEMEZ0Wk41OTIzNmJvd2xjCmtlV2tRNzFUUmdoejJHWXNXRzMy
+            M0QxSWd4WkV6V0JrVzJ3V2QwbDdRekEKLS0tIFpHbXlGMEdvY1J0MjYyVHR3OFlw
+            U2FlRW9SS2RSbm9DeE5WWlJuSWUvcFEKrdtH3UVnpfayfViq459RC93otXzaZBYH
+            O4P1Jb35qjcN5p5+LSMmODPLTawsvil9/Pl4wiK65PbvnY41pJkUMA==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1ug30gg4y7ftuya0wdv7q0vh4egn00wlv2th7mt7cgc2ze46wmvyq9lq6ge
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNRHo0UHhmZmUxdS9KUS9P
-            TDk3Uk1NL2pxSjJYTDlLaTFCRmhzbXZueFI0ClNWTEttaFNmbTNZQWRROEl5OUdr
-            c1RTRW9IaEtXakZSMTYrTERPK0dCRWsKLS0tIHZzSVI3WW5EaE1rRDNmamZnRkhG
-            QTVMaEJxMzB6dFRlY3BXbEl3Mm9CM0EKZ2pXa04/YjjrEPo5SRzFHeT5twZkTqRP
-            mcIO5tm9dmZOXPoauFh8iu1ElbNicfQjELnhAwYLlkjzHcw6HKHnEA==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjMzRKU0s3L2s3UFJyTVJz
+            VFdlOE83c1JiWk40MU9xeFpObVFZQnl1dG1nCnovRTA1NUFORzVKblJLRDBNWU1E
+            ckpOVE9oNWxHMHRMZmtYWVF0VXRkd2sKLS0tIHpIb1RmVUlYdWpBa1ptOG1GcXZa
+            b1c4djEzRWc4UEdURVFBY0dDNGtFbFEKwV9RWuW9gdfiVoIW+eD1XL1Lox1eqXmj
+            d1U3T61W/qTElUGEo55TPcphCBRdqwGUm22xfc4GZltrBOUmxYWAGg==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1mrnldl334l2nszuta6ywvewng0fswv2dz9l5g4qcwe3nj4yxf92qjskdx6
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMdVkyOTRQWEhrSmYzaDNi
-            K2RJMEJHK0JNYkFETXRZN1ZQbHVQeDZmY1VFCjdNdXBWL0ZTZ1RFbFp3TzdkNENu
-            STV3SktsVDBuTVMveFVTZUU3dTROem8KLS0tIHRFU3B4K2lETnRPZDJpd2R3ZVh4
-            eHJEUU1WS2R2TTY0Y0xWY3lzT3FTVncKb6dOw1CM7Z1XzdOfjJug7StgdM2HSYDd
-            wHCqZEF5Fbz/wLLnNdUExyOysw5jjemBStCsy3TNZ1bJOEGE6ST2cQ==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4QnM5NFVJZ3ZYdlBzZTFJ
+            dWVSU2s2NTBqUXEzTlEvR1UwRG4yMm9xdVhJCm1vRStmZUN6RTRlcWx1WllXTDNw
+            cjlmWUd1cUhEYlMralArbUdKQ3lUT0EKLS0tIEtXZmp1WWN3VXZPeFFjM3YrWlBE
+            ZDhPKzh1NkxyZWd5UkhkWjJhakJEbVUKWQcJR4w84ZVodBBEkQ4AS4jrJz8l2MqJ
+            xX1mjv0TnAlMF273/NiYB5OiivqFMjFR/slnZ1k1j2FWGhVKyyN1vw==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1hmpdk4h69wxpwqk9tkud39f66hprhehxtzhgw97r6dvr7v0mx5jscsuhkn
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0N0paRTJhSk8zak9pYVdk
-            YXFITC9qb2NuM01udUhBL2ZKbGZMUFU2aG1zCkRHVmlVb2lvdVM3c3NMMnNWb2ZX
-            b1VhZjFzTjFxak5vbEJmWW5tSHJoTlUKLS0tIDBmSStwTmtWdVhUc1NtV3E0MTFH
-            bVBqRk94byt5M1Y3LzdhajBhZTZuTlEKCDchRx9INlVgBz80g5FYP8hrMuDlWBHT
-            hN7jLWcbvzJBsVWTOGMaraEKmebSpOuCSakbu9iYE0lKIZa/YbedlA==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4Nktja0Z6N09IdkQvTHE3
+            VllabDY5aTd2NE9aQnlDRFlRbTV6WlNnZ2xrCitNM2VOT0NndTk3THRma2ROWXJ0
+            WUlLZ3dqYndOVDNLaThaNmNobTZkTTQKLS0tIFdaWU95LzhQa0txTTh0Q2k5WklI
+            OTdZOHdUSEVQU1N5RkE1QzVXT3R5V0UKtvPQD1HHUBA/C2Fzxixtwc+nJvTwXfGt
+            cg4nYSgFcMTud3VLhcMQuRf++gO3J3xuLepBlhUeD/3Li4MDDZF5vw==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1wrssr4z4g6vl3fd3qme5cewchmmhm0j2xe6wf2meu4r6ycn37anse98mfs
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnU0Z4eklkNUpJVnh5ZkRD
-            YVUrYjlidTRFRy9BRTBnRUFKMXBwcnBxeW5JCkFiK25UTlY0b0FaZ21jUitsSXdB
-            SmM3Sm5FOWFNK1hVbC9VWTk1WHFQQTAKLS0tIDN2a2EraldQRWxzSThGa1AvTVk1
-            eFhPcnlBQW5tVCtBSmtjUU9rS2kwQ3MKwuktSYQpOPyj43kks2XL4Vs++Kdw+FJ6
-            xoZjfxmyUi5dOl+GPB7+AKyAXWUU4eQPcGHDPp7x+FZfa49jvE4aRA==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiSWVMTnlVNWxYRXVuWmVZ
+            K1ZIMnpWRUZ2SDFML25wZVpxMXpLcnFHckNrClVmaWlIRlFDSEg2OERBbDJaUlYx
+            dEZ5OVpDYUxFZk81R2piWEVKRkcwOTAKLS0tIHhHSlRKU3VWZm5sRFk0RHhXR2Vz
+            SCtwa25aL3BhUUtGOU5UZk5sWU91RzQKJh7ldnkCBgztyWIwdUjtu5EpEWhRemVG
+            QzjezfDmeSnOd0n0OVwSan62OaUJzJjDpIDb9CT2fvE/qRg8j8rEmA==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1zhxul786an743u0fascv4wtc5xduu7qfy803lfs539yzhgmlq5ds2lznt5
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0T1ZnRFliTE96alg1eDFt
-            dCsvelJHTUxyQUFPemZjbjZOeTRmWTd6ampNCkVTdTdoeGdjcHpzelJDbU1tNWll
-            b1hHTGZSbTVzNWU3YWJ1YmVHU2RKT0EKLS0tIEs1Qm92N1NCZFI1TjR4Z2pxMzZT
-            ZWRCSXpESTNpbnQzU3A3VG1xSE1BeXcKDr35W9phmGfEQtNb7V/f+g4GIcbk/klU
-            +1EJsJ+jK1qCSDgO7omQge5Jx1XqSAg8H+21fnHA4JLhfIeZbntBTQ==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDOXVkenREdWQwUEJka2tE
+            d1ZiNXF6QUxMdldUZzc1UXMzWEV3WHd4WkVVCkxTR2JqQzVaVGo5QnZpY0U0eFQ1
+            MmtqVVpmZWNQZE52NGthei9ZTEdQc1kKLS0tIGdTb0hxZzY3R3ZtQ1pxMnI4bDFO
+            QUtySXBaNmlESHdXZUt4TkNKeC80SW8KRuCXbe2TA4pLOk0Z6E2UI7hwuWo942Oc
+            qpb0DEdv3rX5+yH1WEos0gvOKnx4q/gra7wYj2toUMW+C2VfKdl6Nw==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1sqs7urnzsdy64efmd0zukzv3gs5pnjksuxd7nqmdwdy5l0nqnunq6hyune
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjRVhkS2RkczdQZ1pKc2Uw
+            bTkrSjg1QzhSOGx1cjNicGgxb2ltMDcybEZjClltMVk5bHZGNHpQNnAxZXVON0RC
+            Rmp2eFZ1dmlZSmgxa0xWOFhRNVI1TGsKLS0tIHlXWHBxb2tSSUlkSWczWndhSXRR
+            cUNweDFqOFpYd05EVGxlRythRDczQ2cK7VR9UmJHrgRRuKkqQfptDSLwKUOYjSQ9
+            U7Yb1Zk3cEymdTQlnvX0/h1uavWDnJ1fIaqOIJMuTO/sAk1fcJtGDA==
             -----END AGE ENCRYPTED FILE-----
     lastmodified: "2025-12-22T06:35:29Z"
     mac: ENC[AES256_GCM,data:Tvj7CzTOFGTMJyNMTjx4XTmrBGBTkOKb2kIHNEtvhCfc5fSbAjzl/keONaq6LGMhyc83jp0XZpM22vN8d+TqTsUiFGwlXIEJ9aa2N/IFlixd/FGRIZUihQj65Uctbk1x5y0LHUDl53aUa/FFEeuF7aPlUB70Q2SiLME1ATtG9+0=,iv:b0Fp4fQUzhgmSKH7caegMXbstWkj2by/8ABQXUJjdIQ=,tag:uzkkvggilx6KWaeMhYRBEQ==,type:str]
     pgp:
-        - created_at: "2025-12-01T10:58:24Z"
+        - created_at: "2026-01-16T06:34:50Z"
           enc: |-
             -----BEGIN PGP MESSAGE-----
 
-            hQIMA0av/duuklWYAQ//TluENVomEd/KwhRiN54IeFeknRyVGWqkTMm2bCV3BGs5
-            1ehbfO+9djAXfDeOfq+66XUWOjKs1arhrv2MeQdxhuJ7Ywa73UGMGSMi+sEobTXv
-            w6iYRxJpzCkcpqhmX3L/FbXDWOVBzJv9Y5itc6sn8/0JXk9CHfZU8CfDB1U9A2H9
-            oRlCT4bTRsAfLirZLZss389zjtV+84cJ+zCnekEZD0pS+wcoo8MICPW3DkFBM76a
-            EJLe8Asx3xlaxht5uxEpWrBseaBfKLEXTgtDW8MZYM7A50aDEvSJ8zolWBH1GTX/
-            6kCvKyTRqbm+mEQ08fktNJW5hd1799+XH9U9gOPP7fme79H98cMrFMNk4cTV8p9I
-            5W3RXROwgnlRdVQIHj6lfkOP+kx7YYrL7UqtKPj3vIVpNeAXEvx0RpnIjJGqOpTP
-            QZWHBUM+UT6QyRTAFsWuNPjo3MwItOfP1WyD0480FKKWFVmwdj8SSk9dsjPhNNv/
-            SiYzJ2elr3/i1R7jf4PqaxSDRjyC1JMmRtKxhhklNi1tIvb1xf2H6EGJLYZpNAxA
-            14q8A9i0GUSaxD2xMaQeF7eVmgMyhcHxNHBydCG8mzP9xuPmOlpkYRBNuB2EBDyd
-            77gGy6xad7KEu4sGaheB/XbHzFSAw6Yet/bvafP3+jKimPP1OsmKhkat/NuueGLS
-            XAGt64/PXo8iDY6iPOifElmFEbepxMaE20Xp1GbF2P5acvBp7v3uDeB4cwUU27QV
-            lTX8wlmKIH3m3nCwk20CBuEnGD1j+/eviUu91Pkz7VAgZrRxOJnPQ3qhH7v5
-            =fg2d
+            hQIMA0av/duuklWYARAA2prIKKdT6eIJQM06tm+VZ6wqD3+ch4pz6vKVrf2+XINy
+            g+nMlOyJfRu2tntJt6OrG9VTeBLtnvivUMAz54QNqPplDHdHelZQerkmKgBzOllq
+            /XQxbH8KJE3G6izBrpWuRHR7rLMRTXLHhI1If+fH8f0SaB9dhS9jHzxJdYJYcDXY
+            Kz1maOxXzlfaiYC+sARwhQnxEHbE5Z4t66JNSiVhaK4jG85Wl16RDY6Q5bvWmwaG
+            7S79Qwf0T2USWHJmQ/KI+NggB2dtXLL3vEo3FV4OVJE6rltxuFTGIcxdD5rp81Fc
+            DNpj/tNeepnjwCUJtitIDn05v2e4nxbHZEbtsLeHxX/tqH02arOPrRqJIntV0Uay
+            ESxv7NTgrdgEDzFMx6qaNvZx7cscFuaR61BgdrL1qHu96bMVt2llypA2BVP0SM6+
+            EGrkRCDX3w+lAl6ZKSJi4myrRv5EMH606zLwj1V3+//0Ndh0cZmK8TlhvQd9j40H
+            UG5ywugyLEom7V/rCdh2uHxWY+t2CD9RVfgz3uGP+tAHB5eTLi0imPRyqGay+U+E
+            y8x0l0QnKwll5Uq8M/25L3efJakUrLvf6Sf3UIyCdmHpRXNjOorqkgKDscVo8IsC
+            XbYSgjopPh5lUsdjicmp1iD9nb/LvukmgHPiPFGN/xw5bvxtqyBPs3qjbd8uHi3S
+            XAGnd1uAMEcGhAhAL3XmPA7Wb9U6Oa918crBl8vOAJzTuvtu9i6lME1LOc1myv+P
+            WsLtp/Kh20xwbOM+LmYMYSEg6lON82TJ+uaXAw8poVFnCQ4uI1Js7ToONSM3
+            =ZTqn
             -----END PGP MESSAGE-----
           fp: F7D37890228A907440E1FD4846B9228E814A2AAC
     unencrypted_suffix: _unencrypted

secrets/lupine/lupine.yaml

@@ -10,114 +10,123 @@ sops:
         - recipient: age1fkrypl6fu4ldsa7te4g3v4qsegnk7sd6qhkquuwzh04vguy96qus08902e
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvVlBuRVBBRFVndWV4L3ZJ
-            eE1qWEZWdUpRd1pOQ3VjVExEQjFWcCtmdkM4CmZyQVJWTEw3NnFGeHcxZjRta3ox
-            eTVaNmZ4WC9wTVpYeGpLNHpXbStteUUKLS0tIFZTL3BNZFR5YVNDZE1zKzJLZWNM
-            UkJyek9tcWdwejVqR3hzSDFiaW1zdDgKNqzd1dNco9Ynys03GNOpuKmL9Kyea2Ko
-            xzsDBG08XQc9wpAcjTzXbqujhVvLQJi3IOSUQW4LOAx3BxTsZBHaQw==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXOTAzdEFVNmRWUFNzY211
+            NUpoMnpoVmpCeFIzU3JacDIxcjNYUTBCZTFrCnpFMUtydndyUDY3emdVVEp4dUpy
+            ZWhTRGEvdG9pQ2JvQ3pGL2s0M3Z1WHcKLS0tIExjaWh3MHk5WEZVQS9lYnkyemxE
+            UjhRL0swUnBJNmNzaGtUMjE2WlZ2VDAKYV8T2iXVEr77e0vuV8e8xpbhStxUoM9l
+            Jpn3XiYuoWHk/bmQyjQIQzjB4oqx4TqEnHccSmN3XtUIPGr296zwMg==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1mu0ej57n4s30ghealhyju3enls83qyjua69986la35t2yh0q2s0seruz5n
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqTnFTSUlSWE9vNmc3Ui9p
-            MFJsNnU5MzdaRGdoMUNlSW5qVi95Z3pFTG5jClBRRXNabUZWKy8xTmVpYllXT0d1
-            a25zY1BmQW5VdTRrT2l0Q3VqSmFYL2cKLS0tIGVvK1luSWNsVnBBd3N3L2Z1VlY1
-            WThsUEhIUE0wV01XR1dMS08vQW1oNDQKRu2REcJeR2vTbbiU8Mt7aVjCgpT33lUg
-            N+UW2oYPh8G+DmLLy203+WeyktuAZR1+b+1pyeaF0O3SWNvgxnyMLw==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuVVdmdEdZcTYxajVHQmtF
+            L1pad0ZxVUdlWXVjNHl3eEIxZlNtdlY2WGlBCi9NUUVEakZLV044dldDSkZzaFhS
+            U3FJanBaL0JGV3AyS2daTFNrM0J1M1EKLS0tIGs5ZjRZcVREenN0L2RPaWp5c0s1
+            U3AxOEpvdmozU3RRMGYzZGZOZGVhSWsKHEz+eL/fHgLUuixFIeA2dUAjZekzRIHy
+            NgYmzaWhY7IlPg4mZRIW7hW+ckfr9brdgOR3Gn5Fp3tPbAL9GO7bnQ==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1j2u876z8hu87q5npfxzzpfgllyw8ypj66d7cgelmzmnrf3xud34qzkntp9
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVT0JmS2FPbE4xMU5MbHdt
-            cktSSitNU21XblBXWldPR3hsam5rYXF0Q0Y4CnkyWnk4K0VndG1WRndMUm00azls
-            aURrbFh0MWlwUGQ4ajZoNXRubFQ1R2MKLS0tIGtlcGwrQzNEc3Y5cTNuSHplZFRV
-            SnhzRFIycVdSaTh2OWRmVDJDWmltemsKc1M2gWp+RQ1LYPI3u3Z+qqPLhB/2vQtZ
-            HieQVRYITLdZ73RKn7jhgvu8cGNdvhkWRNFBcsZ7JsqW1FQ3qs9wLw==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5THp4MkRiUGd0VDVERjU2
+            bmR5OWlkTFFmQUM2QmRNWU5DSUI3eFV4djBVCnF3dTV1aGlMUTd2UWlyUWtXcnlG
+            TFFRdUp4dnpXZ2FLSGZoRUsvRlR6ekUKLS0tIDVBMC9oUnBuQXpkcEZHSUd0NzNp
+            U2czY3YxRG10aW9hVGJsbkJwWTEwV0kKaNQRm6qmIIbztzrmw6nZSA131lxw7PA9
+            MBPmPQmskIbGJ/bQCfZ7Sp/Pe51sL3moA8tWMqGZEVa+xuxa/KEKSQ==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1t8zlawqkmhye737pn8yx0z3p9cl947d9ktv2cajdc6hnvn52d3fsc59s2k
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwNHlSbmRyejljUzc0VFdZ
-            VW9SV1E1ZGREZWZ6bUMvYWExR3FIUTB2NUNRCnFmdUtjUjJiUHRQbG1vZDB5S0xq
-            bDVkai9EdW5IUjE1alBiL2JST2dTblUKLS0tIE56SFhxU2IvNmFxS0YzYUNnQTFv
-            M09tSCtCVTlndkNZSWtQc1lrV3FxeTgKfgJuAE34QcFnnL1/MajJU9Kv2ygDhHlA
-            LVlfRAfrNsJf4JGus8VuADbsSPpvGJMJMq6UAY10FbMO7KfNaIVA6w==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmYUJkQkhJbjU4a3ZNbzJM
+            NGFXS2ZDSjM0Nk9BVVVCNUx0Um9mbmVXT21BCmRjL0pNcUs1NWdxYkQyc25nMG53
+            c1lkaHVyRnloRGZmWk82K3RZVzNnTjAKLS0tIERndWk2TFJWSFUraldwczFOVm13
+            NWRDWGdMNXFraE5ueTM0ZG9hMHpKTjgK4xTJKPcrk3EHwMoXlTHzqeDgx9ZJl962
+            8lyQMOSeICyXLzRgKQWuXssDMuev0CZfvnXeWp8megmXuU5Eq1GW5A==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age199zkqq4jp4yc3d0hx2q0ksxdtp42xhmjsqwyngh8tswuck34ke3smrfyqu
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvVVQzRG5ySzNLb2xvMTAw
-            K2RORGxzVU1YWnFteVZadTdTU3BVZW04VWg4CjNBMHFwUmpSaEs2S3ZneFhBNVBO
-            ZHVaTXQrQVBQaHZhT3RiNVJ5QVV3VGsKLS0tIDFTSGNuVFpsK0txeENkQjI0cXpZ
-            NFF0VHl2V2NSNzN5L3FhcUZwR2RjanMKKLZVnAGuv1tcAUzFabvgf0i5N4Jtyujm
-            /oYMZHJy0nETeSpDb/tCEwFThQoEY/qdEmvbg4FOOVZH6tfV0nLnuA==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUY1p6QjViNmdHcjY2and5
+            aEYvOXpxWEtqUnRTNEgxeE44NzZ3VW00OEZFCjJVN0Q4c0FJNEZEaDVXZlNkMTlr
+            cGQ1WWhMY0JCTEVLUDNGMHZFZDAvOU0KLS0tIDE4ZklUMWtKL3JlbzlrUXdvekJt
+            cjhrRmQrQ3g0UG8wKzZHMllidmRaQ0EKVG9D8Fh7xMzNPXecdX6zTfank2/ZNnjl
+            mwxCXnM2e5udtviQURJstLvlCElNtvdY5WdMkUoCXwHoMspPwGByFw==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1ug30gg4y7ftuya0wdv7q0vh4egn00wlv2th7mt7cgc2ze46wmvyq9lq6ge
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6NDJ3WUEyZmJIdGxhcmkv
-            M0VSK3NCZ2FVRTB6RnlSZlVXRUNzR0xpZHpJCkJZVXlXbUhEZHI0MlhMK0FtUlhU
-            ZmZBZXdpTURWQTZEWGgrQ0c2RG1JQVUKLS0tIFhkaGxGVVV4NzBKOU5PVURnWmwz
-            MFBiNUtvakhISUR4SjJ3OWhSeUVsT0UKJbo5zlvD17GYTlRzkNCC7zCCCWSyKRUg
-            IChEvMpUKNgYA1xKHOwfPuXuZ4RtcJq/ra4GeVD4OmIGrnXpPWah8A==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3NGpoWUVmK2ttVno2cG44
+            aGRVSStsc280cGFZL0xERUdrNjJVV01HemdBCmZBSEg0V3FHNVEzWDBId1RYck4w
+            dEd3WnVhUk0wdHRxOE9WUnpaUThLa2MKLS0tIHhWbXJmZ1Y4RWZ3Y1g3dTI0MzMw
+            eGdwemRYSCtoM0FseXhLd0Fzc1dzUG8KdPDyA/XJSgjHFycEwSg7KWX4fMA30CDq
+            GIWYDVDicgzbxjNKcQdGzFvL02B1igogHtuIJn1qE/bNrK6L9PQ3pA==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1mrnldl334l2nszuta6ywvewng0fswv2dz9l5g4qcwe3nj4yxf92qjskdx6
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGemlWOHMwR0RFRGk3alN5
-            ek9idytadU1NeEtzUmpyNnNFM2hZek80S1dBCkxYeEtDdlRac1hvcjZZVEdqY3BR
-            Ynp5MlBycW9MSGlnMWx3QldTZzZ6cDgKLS0tIGNweEh0cDhOZHZvY2RUYXVJMTcy
-            S1J5Ujd6Y1gxTExuVzhaZ1UwazhHd0EKAgDI4cNTj2txorTKKwwQIAvgUPRaMlzU
-            4j/JTrNjlFLQrxdigAY0toJfX8ByWWOGMLWm5G7knAi9zR/KH95wNg==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxTG81cS96bWtOWHJTK0RC
+            WlAzWWdiZkhncWRBVXZtVXdQeTR4WEl5MVJ3CkY5NEpnMmdpVnh1eXBCajhPT1Rr
+            ZWpkUm40WHpFcVdQcStWWVZWZU41VjgKLS0tIGRyUnBsb3FnRE9IL3RkTktjN3dO
+            ZEY3d0I3WVVhQUNPcmhKYW1sVlBGSmsKTsZwHdholYxIhOn49WTdb3pnjT8oTkH5
+            mfayWji2cOBRRRB9X40OaVg8SCIhVAQNdvbn64XaJWqWbXFtXamgLw==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1hmpdk4h69wxpwqk9tkud39f66hprhehxtzhgw97r6dvr7v0mx5jscsuhkn
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGQys4dFZDZ2pnQ1ZlWUc5
-            YmtJNk1VZGExNDk3VTJ3V0ZDcjdOTFZkQ1dNCjVESFFjb09PWG94eU9BQWFDMEg0
-            SHZXU1Fla252eGtNbFk1OFE0T2R6ZlEKLS0tIEIybTFFWGp2T2NiWHFMdlVkVWkw
-            bjFkSTR2OWNCV2NadGZJSmxxUG9FVW8KTeF00gXMc9ws3QbvHXvRIIDa3KCYh5/H
-            5mdUFmOBO1JYrab6M5HRVF9DovyMMM7IrBBL8KOtxUk3UeOpijZioA==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhejJHU2N3cVF0TnNqZytD
+            UERpTmNnT0FJMysvbVYvNGM5ejNVcE5wemhjCjhyYVpsaDJlNHI2aVg1eXZtV21a
+            eHVFL1ljWXRkYlFrTkgvWHhKS2NZOHcKLS0tIEVLRFhKR0tyeUJ3Z3ZoREY2c2VI
+            c29MWkcvUFlzU0VCTnFTV01rWkxDVGsKcyKsGo6Ep7f2dBwaUYoMsqSqQrn3Obzm
+            sDovKBx+Y7+Yn6fnxy3ISQ9FUjupMtKffiO2AAK7AAI3MFjDOUb9zg==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1wrssr4z4g6vl3fd3qme5cewchmmhm0j2xe6wf2meu4r6ycn37anse98mfs
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPdGZQZDBPUmFMK2JhNE9G
-            d0gweTV0b3lRNkQyRTlHYWtrZ3lwSzlMM3kwCmRPTUN4WTEydy91ZDQxNkkyelhH
-            UEFsd1ZRQUc3emg5Qk50Z2xSZzZjNlUKLS0tIFVsNWs4Und6bjgxZWt0ZllwRTlk
-            SzJ0YlIrK0Jlazkzc3F5U3dXT3dIcG8KkaqYMrJqDGlLN+JwvnJfcGJt1ot+X7ep
-            8st2H2uwLo8groSw1bEnwJhoqaBgu5dBFUCKhSbHMYVIfT7M0JHPGw==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPVGVOcE9TdVFDYURFeEE5
+            M0t1Zm95SUZpNzdFR0N3UVYwdG1yOWErUTNBCjB4WWtRdXNJV1FVd0xNODUzTDZD
+            ZXRteEpwendneS95alVhckJyMXZucXMKLS0tIDZLNFdGUTNMTm5KUkF2TWxPNk1O
+            V0FISGRYNmZ0N3dXc3RHdGNpQldOVE0Kkc7MRhVvpKlIVGKRvvPGyW/DzatxM7+Z
+            VP4kAf0Vu6DyKZINDXH5XQh6qxeAccYXhv/QhxdSuCW4bjplMMBSnw==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1zhxul786an743u0fascv4wtc5xduu7qfy803lfs539yzhgmlq5ds2lznt5
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEZUtqMHgrakhhQ3k3dCtN
-            T3cranZIVFdLRWJlOWMzaDF0NTZCM3poWFFjCkY4TFdmOXdwK1pLcWQzWENTNHR4
-            TkpWNEt4VTdWUG5XdzEwOXY1ZzVsbFEKLS0tIC9RR1MvdmJoYlFiMWM4TUEzNHNv
-            RjQxS2g4QStNeXpKcmFqK21MNGdvM3MKOCnDVWJa5F1Vss2D7l7GMq1xCNurjfRz
-            vvK8S091itHZVy6wamTz2/jAj7YYXDjSu0V1sKPOLdThKNZZcBe1hw==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrVDZVbDBOR0d2VDJHY0Q5
+            VkdETUV2dFVWcUM0N3pwU0dlekJqYzZPZEhZCkZWd0dVS25jYm5Eb1hES3Z5SmFk
+            WnVEYmFtRURTa2FUYXhpQkNLUnhjbFUKLS0tIForS3RPcFkvenJNaW9wMFAyOEpP
+            c2g3UlRHc1ljVGZaWVRlTUVORzNoczQKFvxD6ty10YobBU2BuyVpDsqGI1nie4Oh
+            eQbvBEqfTN3zR38ujT6/tLfyNrtj71oGzI9M+vUUGbrmob+/y2VABg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1sqs7urnzsdy64efmd0zukzv3gs5pnjksuxd7nqmdwdy5l0nqnunq6hyune
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOblRZRERwT1k0cUVkeXlF
+            bXZ6VnU1TmE2dFlaU1IwMXV0V09FZjR1bUFFCnFUa0hzeXhvTjlaSk9lZFZHT1d2
+            RU5NQXJBb1FISTVnSFJheEZLTFNWa28KLS0tIFEzUWFvOXE4WGRkWmxtd1hvUGZu
+            QlBkaCsxdlEyT1hhbVA0c3J4bkhHU0EKbdPpiKgu416P0Ciacs3wkH0OAeHKyzQE
+            ekyNhHHKT7IqJSvEl47PpTIsgk99SrLgImNKY8sDieOqDVuM0bhgTA==
             -----END AGE ENCRYPTED FILE-----
     lastmodified: "2025-12-04T05:53:51Z"
     mac: ENC[AES256_GCM,data:o55keAaJEXVOAGvoMp8FWvtlxMgfF/qR50FGnNM1whYz+5+naRJ1dAOW9NKYHWbtOa/ZXEMTkjoFrTJidAaIXza1Ot8llbTGYh56fsnu0FKZfVM+rvecRDhXKWxiAqyiLUvtUfA2fSg9LGveh2U+0dulcU25sb3Wf0RcFrtM3xI=,iv:3/UllekmGIaluv8y8I6Azd/52dJzk+C5ah6XLJj7Zik=,tag:T5ILXiC5hK++0jGOnHCMYA==,type:str]
     pgp:
-        - created_at: "2025-12-01T10:58:24Z"
+        - created_at: "2026-01-16T06:34:51Z"
           enc: |-
             -----BEGIN PGP MESSAGE-----
 
-            hQIMA0av/duuklWYARAAmW8iNyzlWC9aeHxLSs3OuZza2Sxmmm+RbtA/n1X2M/iI
-            FeQsvO4m+HB0Y6H7cy8hjyJHa/kGwL4kenDCF+unqJCfF6XQQm+S740+uWndFVFi
-            u02svjncMnGTTrkxazj90ULASXxT0Z5Z+2heCkuQe/spfX+qVJVa5RvzTPBj/Bjm
-            k2NafAW0cfM5MyyeVkF1Rei1LJ860b442vUMpNmU1Av+fbgIyG4f/LEswv/upJWX
-            UdNFvU5yW98FXvUDP6ThJRg6OJqN1ZIYix2UJ6OakUuJN51sywVO4LBZmdsJ21SY
-            cdEjyi+vvAoOsBD2jX+64KzvzoSHkV2MWcez19ZMPguaCwNU9wmrdGD/vVKq8WOl
-            Zs/0BOnOCJ0nEbprzCUCE+RtRZxkKUYmDKYxbu70FSsHWCnRyybKsj7CVak59EZE
-            Ok7IuK6mQ0HT00FQfOCy4ZytgTQSB2fXEGyZsVv65RDdorfapAkwMM1TYVc4j2mD
-            ImoY85xMo/E/KwfAhzL2E2lJLXpAamvBj86RcNW/FEytEEI+l5CIZr6l6UDSDO+W
-            ETYbNcqK8utLTmH539czbXGZ9Cid8i0+QyLtZ8ApHn7s1FsFOAzMpxMyKPYKRSnA
-            VospnGQ3TbdPbbOfVHQvD32iaGw8idP1xb3XNXelD0RZ9OuVxHGELO7re7n/G2jS
-            XgEOiTCRtyQONpfIiii1s7613OfbliWWe5ufhnm0Qsr6Om7jSsm3JfLkSmd/alxf
-            cEk3MFResmtancl1D/2sGhM1ROR6huUChxtgGmz6ZdE2sb8JIXtQOFHzfRw9xo4=
-            =3liy
+            hQIMA0av/duuklWYAQ//S5CPlAJka09zfxhQCKY9SnHOlkNL3mQxSN9EcxiKFgQD
+            G2/qlFze7CiswTr608TXNQ/lPb+SJHgLrJvcBwISh0MCKKOZtyNjfSIIdR1A/JTE
+            OaA/JCJ76j2W7YWYrL18dY57n7DOMmhf/BZj0hI4PtDqh+dB2vX/U2i3kWdODb/K
+            fowmPrqustOLGAXOhuKegtQ8K5KLsP3NHjrp5TiOYmI7fDVkwvBnqXj52n94pw3n
+            o+HpvmyWFSm7QExGsjbbMbtDEmJJ/u8arx+Tb+ELumrz7QgwXt9ZGoPpJnmz9SsC
+            4MoTF8Ul4HRwMoMyGEQAzb1J32THFKWSUtWaLjNDOW91l/eiLpY0Kk5f1BTVcD4W
+            GsA63BsSqnIDB4Tisz4ZRhaRGY6sxyXHDSnHzVQmKrv3kwTJm8ODA18gu+HZ021h
+            ShG+m81PYrGkeqYwJHnEMfSo4XY4/lHdsZ0yldF8eSjZ2raPbsw+lmadot8mc1eE
+            leiEJOP6+ZOs60dJ+dOwaeCb5CDjFaCrq6c0+6ESWpN354tN9L9DZGLlYIt2AlcM
+            /N/5DO5F81jxlBbxI4IFwRvBDBwO81eQlVtjQB5V1+dbeIaZYS6GN72xHUSjICNJ
+            0Wv8iDwxKRjQI2uol7KmPN0Vr9siMIMAP4yCppnmdxF5VcGbLWNu9lZfxlj5o4fS
+            XgHq8TJTMWKGF2Yq25/5rKmIb/8cCOU8XLNZ3xT4X2dErqV+nWtmXgmNySCphn+C
+            xK/cKHseztzXzffdqCrJCaeo2KmTou+gMyDEmJrVLhrcIMayptt9dc0dgJ12N3s=
+            =pLWS
             -----END PGP MESSAGE-----
           fp: F7D37890228A907440E1FD4846B9228E814A2AAC
     unencrypted_suffix: _unencrypted

secrets/skrott/skrott.yaml

@@ -0,0 +1,84 @@
+dibbler:
+    postgresql:
+        password: ENC[AES256_GCM,data:2n85TO709GJc7/qoYp2RXO8Ttfo=,iv:5ZCZPEQQXPGYfDd1qPhDwDfm1Gds1M8PEX9IiCsHcrw=,tag:PAseyFBAe56pLj5Uv8Jd7A==,type:str]
+sops:
+    age:
+        - recipient: age1hlvwswsljxsvrtp4leuw8a8rf8l2q6y06xvxtafvzpq54xm9aegs0kqw2e
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4WllOQ1dRSUJ6a1pvNFg2
+            N0YrQVBtMFZKRml0dG5PUGVhcU9VUXVHc25nClNFSXowUVRRVVhNeHUrTVVZRGRC
+            YkpVYlcrZm1NTE1IT1pSTDdOZGNHYlEKLS0tIHlJbkNBb3o0TlJlbEtsQ2ZsYlJn
+            Wis3T2V5QVYvQi9laUdoaE1DbUZZZE0K/liRzp6TJeufyTzemv+zBTOwzkeJRID4
+            ZviYwwODWopB9/rCd8sIQaNXvEtvuXNWwcV1/p8DsJ9NHwqtdYHpmw==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1ug30gg4y7ftuya0wdv7q0vh4egn00wlv2th7mt7cgc2ze46wmvyq9lq6ge
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByY0dTMWc2VEVRdTJyOXo4
+            R3BYb1VETHI2RktGVnVJUzg4WUsxbTNsK2tVCjVqVml3d29lK21wUXFnRm5GNHdX
+            blV4NEFZU01ZS3Qwc2FSMlVDRlU0SEEKLS0tIExwWXFJZGRTaTBSbjZtdTBXSXNJ
+            TUhJWkIrdGg5UDdDQkdnQk50YTQ0M0UKqoMwtPlOSIqMcLvII/EVuZGrNDeULJHK
+            l7xCzQM0n72E/zxPuO7koVXVcUNwn4kNQCRLOHLcuqx2ZRD8Oc+zNA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1mrnldl334l2nszuta6ywvewng0fswv2dz9l5g4qcwe3nj4yxf92qjskdx6
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxNy8rcHpJclk1b0h2T0dw
+            U0pBYlJvQXlZTG1PeTRCV2hONEJlUWFqdUIwClJ4QnQyOGt4d1NEcVZYek9JUC9X
+            UW0wNjArK2YvZDRMMGpRU1N1dk9jSDQKLS0tIGJMbkZxLzZBVm4wNXVTNFpoRDNo
+            a3dwemI2Wlh2RE8zN0xsbmY5YnJUeTAKhkSpB4RgrfbDpK7IwLs1KGXCj8v0Rze3
+            YZh3BHW2WZLS7uQcIe/tnpIHwPrQnadKeYIw7xBmXu9dWyim9/5RyQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1hmpdk4h69wxpwqk9tkud39f66hprhehxtzhgw97r6dvr7v0mx5jscsuhkn
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxUnA5SXNucGN4bi9zeGlU
+            TzJPUGk5SWVONFVVYnNnejJBdFJmL3d1S0Y0Ci9SOVZmVUMzRWNicGN2dE5aRy80
+            MFh3MUNTSE5EWEhQcUFsUENDdWlWYkkKLS0tIDYrb2RzVm9OTHlzKzBCdEtPYnF3
+            L2VmNm5ITEUwUVJ3WXRmVGZnY0RSNE0KraXjJSZ9HKV8SO93khWVjBJcEYQLI0Rm
+            lQuagfkZ5oaedsPGNqaXWo/cd3g2SZOfhmmRxY9R9gxmnjpP4L6gGg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1wrssr4z4g6vl3fd3qme5cewchmmhm0j2xe6wf2meu4r6ycn37anse98mfs
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKTlgxOGJwbDYrbXNDWmNY
+            YzZGTTdlQXBFRUEySW1Rd0Z4bi90akZIOGpBCjdseUJIeGlJZVB1WDNFeU5LZDE0
+            cExQSFBPTWlUbVRjREdJaXROTjRwWTgKLS0tIENPM2VnZGtyaUowZmx5ZVdZVjRz
+            SW9kSTVBbDJUWHBzV0xBYTlReGloSkEKq6Q3HVKRnw2B0CUvgXlUkQUBgmCNLP80
+            fY5/ePAWZKt4P6TxzPNFH3aANWcnVC2/QxF2RgYfDXKKp1AVlAIlTA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1zhxul786an743u0fascv4wtc5xduu7qfy803lfs539yzhgmlq5ds2lznt5
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvS2gzN0ZyakcyVjlYRUZU
+            OFNmUHhsTysxV0JIV1JlM3hLNW9KRm9oY0gwCkh3SWxUV3ZqRXluVVRyRC9OQzVa
+            ODE0NnE2ZHdZc1Qrdkp0YWZFZ0xnMWMKLS0tIFFsNElqVlZ3Sm56b2ZNcEpQMXo4
+            RGJCWmpyd1g1NC9Ud3I3TWRBZ2llblEKVrHE0kPVjapor98D4Z1gCtQsuWS/iAuE
+            5cje1AZdpYVdHoRtzRxKwPekfm9xa/knzFckjjO0JizTQWTPYg0gsQ==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2026-01-25T14:03:57Z"
+    mac: ENC[AES256_GCM,data:RBf3LjVNSclsPN7I4QPaDUjWbKlaccjk3rzsRNdRe3+OvJSd7MsS9RfpUFCqUtO7ZkkocXHmkHA8z8LNxs6vejT9czMsLLQD14qHZS6fFdTnToOx3Kt5UuviPO/2UryVI+6HWORkH1aqFJhzkSMop2TO5mzuOTfbCEBLYUUuS6s=,iv:NQs8O1hIbjzGBTZo+gCuisj3edraFGk/Y146HmfPmQY=,tag:4g9IXw2UFC5V9EIHuWJqdA==,type:str]
+    pgp:
+        - created_at: "2026-01-26T04:52:39Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA0av/duuklWYARAAtSg5bRhk7DN14CpdTtG9XPwQfZAP2EvCpFqXcU1LnIqi
+            odRqr1vzFlgXH/A/36C/c/JN7M0673PWivUidiMU38/WExgzxPTe/mpwoTHqRRgG
+            aSP5or2UjhwbN7M844JGbTMNAIUh9bVG2/Qm6cLFhv2HalAVhhnWsbIdJIjUmpjU
+            cMjCfxO36uTVp1SajeJKd9x9n+AbWY84SzN/7HYrFcJQomOyb6FcioIwHcIe2YdN
+            GEdNkA13+hTNBR2ZYW3wrPxr39qK4R3mEJambwZLhQfRwUaqIB6PqvXICdqeLbRc
+            2OfzR5oN5HE3Z7QGwDDM8x8diegLYUyTyY3yhJ8PcCs44mXL2XN6XGefgNWuxxDd
+            o8189NRNXD2xloiIcbBJQ6Mpix+qlEI4VRnaxiGI3huv/vpKqSxBZFCu4x4kxGwj
+            OuaX3cPsvjzj0WEFsAvmrUB/Qdabfhhdm1TgY1PqoXfCudyLuDYqRg8sjIIUjmtA
+            /EyXTO6Ah+vc/NP3mLcHeFAh91Lzvxvm6jEmpN7/jg9zbIzs0jNeVchFYxxVZuRn
+            J6ySrkQ5x4FC1DdJlxv36uOLdbsosgia8q3WHOfbt/Lyp/n1RuQX2Kjysi/C79ap
+            xYaozqRmuJIy4Ph4PbhA737PFS4GEyKsHfvskWeGvpGiu/XHP+R+AfE45Mac1O/S
+            XgEgpNsTDb4GS70fjYBjaSyLcgCeAhqt4Mm4O3UTrYWLfziVLMI7vl9zTznGmY9n
+            fS70cnezoSWVj9Nfz+EmmsRWwAYRebzqLWaAtPmrrS5IbWZkLgpay7ga1y9cACo=
+            =0Z+d
+            -----END PGP MESSAGE-----
+          fp: F7D37890228A907440E1FD4846B9228E814A2AAC
+    unencrypted_suffix: _unencrypted
+    version: 3.11.0

secrets/ustetind/ustetind.yaml

@@ -8,78 +8,87 @@ sops:
         - recipient: age1hffjafs4slznksefmtqrlj7rdaqgzqncn4un938rhr053237ry8s3rs0v8
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBTG0xUXQ2OTJDVnVtb2xp
-            M2NEaENPUDJvL1Y5QWtaQ1lQaTBRRzd4bmh3CkdZd3V4bzFJZHAvWVVNVGhZdzhn
-            WTBoSmUzbUs5azZHZzIwVWtSSGFtNTAKLS0tIDFFb2lBbkdBRW4wZ0RkYTBsMDJj
-            TWlNa25udytHRkR4RW92TmRCRkxPR00KXf2XPR/+16GpNdIfaa1biMFSFJ48UIC8
-            5+MLAu+2I/NROLKmg3tOfsxQ2xnlF4FGRdmMuxaeKTZGD580sYiQ6Q==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQYkhoL1F0VHhTN3ZKYnha
+            eFJtSTlOalFEejNqdlRQWkZsQlRjTUZrMm5nCkFRbEpTNkk4UGdDRjI0TDdiaG1v
+            WUZ6eTQ0TzFNRFBudVMrN1QzN2MwaGMKLS0tIEFNQmVlSHJ3ZWtPZ2d0VldWTlhy
+            YjNac29pT1RPazc4THcvQTI5dmVrbGcKp2TJ4NfI6x/C9LHj5e7VZ3PQHNUsF4FN
+            yDmgTG2ys/k8vzN1j1dFdt+FA6NBkk5KBIoZYtP0vLKxotQWsAwI6g==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1ug30gg4y7ftuya0wdv7q0vh4egn00wlv2th7mt7cgc2ze46wmvyq9lq6ge
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWZVFmMFZWeDBCS0dta3pR
-            czJYV0ZhRmpMWVIvYVFEK2tVbHc3WENhTEhVCnpYSjIxZWtFcEc3ZHFVaDZmM1BD
-            aGNIWnp0aDVjeXZPdkdLdE40UjZNV28KLS0tIDg1Y3dYU3ZDWU50NlBoaWc4VUVx
-            dUk3VG9ZeWVmY1VwWGViUVU2dEtnb2cKo5sHSm3HQNOYlyYirZ1oMz/InAT0QT7x
-            8aYL0afUQ/D++gvX7tGDbBgIkO1Zud+KiKO9CGqz1Wn9krFL20cjJA==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxU21sVGNlWlZnOXZDcWk3
+            NXZkR0VZNXE5cXlLdDB4YzVmUVFjUE1SUmpNCkU1MVQxUEMwSkZXdW1YcnZ2Uzh6
+            QmxlanEzU3MxK1NlVzc4QkU3a0x1QlEKLS0tIEw5Sm5PcXkzQ0xGRmo3RDFOa3Zm
+            VVF0Y1dRQVI1RGxkMVNPT1g3MFR6aU0KR8ubYMWQunbwnFcMUlRJzvHM3i6YiPVU
+            4G2DHZDG8+DJvyALNaOFav86pSSLn/+OtzxC15U+i66J6oWAcaYZUQ==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1mrnldl334l2nszuta6ywvewng0fswv2dz9l5g4qcwe3nj4yxf92qjskdx6
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVdWxWTlFJSnA3VHljM0Ix
-            SVN5aGdaREJEYjVWNWNUOWdGT2lDUklMZXlvCjNKaHBweDVpdUhuNlluUERzVDdq
-            eVc2RlFKR1dHdGFDb2dRcGl0TDNqRGsKLS0tIDQzTFpYUk5LaTlPZUxxNHVZd0o4
-            dzNCbzdkdC9DNDFYZjVPSjNVd3ErbWcKkJcjk/4zy458WLyOs+NTXbrQ3EkxCBVH
-            bX3+b5yH2YGyvTS2vHnCEY7Zis7KhuxAAIrdLobzKlwLf8LB+p14XQ==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByN3JLYnNCYUJNWS9hWHJY
+            YmpXeUFUZlpodDNnTEgrb3ZXK1BEczdlUEhJCjFCMlpwd2c5dGUyR1VXNjM1MFNR
+            aWJXUkNWS3RYK2FaZzFxM2luWEtwV0UKLS0tIHBJNTVGUitNQnpNa0lEakU4QitJ
+            THJ2ZU1paGdhUUhTMitGZTg4WG1WU28KvqBTNQn36JvCDuJFIg7cA/9UagFCv7bA
+            wFCg7K/Ldc+j6ZMz4rqBgGP9US9M8SJAsAU1ZakX3gh5K2hibTpVvg==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1hmpdk4h69wxpwqk9tkud39f66hprhehxtzhgw97r6dvr7v0mx5jscsuhkn
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBydmhTM1Mrc1dpWkE4M09s
-            MitqYjJuY0UwVVlITFRlTDB6UUFtdis5bFc0CjNIQURZaURwTEllQTVoZUZiS3BG
-            blM5Y1F6VE5HZXBuNVFlNGtHaXJPem8KLS0tIGFUQ3JHb0dVVllIMlVnY2pZMFZE
-            TU84Tkp3OWxoY1o0LzAvc3BrcXdyME0KyTv0mHUi9voKj0ZTXZ6CEkouTdupYl+F
-            /wLMQn1h4D6Jl3kxh12h4yACLCE9mOAM9wuylzOf/MpbDLbakymWew==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLUy9QUHFnTEdyWXJQbmtl
+            dzdDRkRxejM5Rm5ZWGZrQklDSEoxWmtnL0FZCnlvbE52RlJFL3VtNUhoN1pVY3lL
+            OEh6UU4xdm8xenVYQUlyVExmTDA1cEEKLS0tIE91ZUk5dzlxT1N4d2lMTFRaT2N2
+            OERvK25YdEZEd0FicmFQV1lLaEdlZE0KITNdS3ekChSbKyjSS55A//xBbpdfUOMD
+            QojnqFcYaBzv7CrM+tKh1bepkUKwncg+tzuc0uoCgQoRDjEVloQuIg==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1wrssr4z4g6vl3fd3qme5cewchmmhm0j2xe6wf2meu4r6ycn37anse98mfs
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4ek5lZTdFK0ROYUNUeEtp
-            bHVhWUF6VkdEUWpUL0ltWW54dFg1Q2wxckZvCi9OYllUN2xnL1dEMlE0RVkrbEMw
-            dTd1SS8wQnhrdm1peWRMbVI4YXBzbnMKLS0tIFFIcVlIcWpxT2RPSlR0dzh3UHZ3
-            LzZLaDdMZlAzV0hBTHpWb1cwNElpUEEKrgfWuu6RKq9dolGP00CiGZsZ0me20PCX
-            NKHY/eQ2RGF6YLF35v3rBGuH73d2cqmCh/6d0DELX+F/nzOi+ZWb1Q==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzS1hiWVVqRzFlS0JjQzQr
+            dnprcExlQyt5SC8zZFFCMTMrcEZPT2dLTkZ3CkdZNm9aSFJlR0JpRFAwSW16OVBw
+            KzcwbklvNklLN0U2ckN6NWVwV1NmMkUKLS0tIGhXcUlOYzdkbUdzV3B0QWx4M3dj
+            OUIwMFR1ZDVxWURIbzJzRXpZVVEreDgKSpQ23S+criRsNhT5WP6IxyoRXKMjZNr/
+            8ZK6MvGpCw9oRlNciVOJP6uEcHXZ89FSzqfRB4C+pLOKFlH88XSftA==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1zhxul786an743u0fascv4wtc5xduu7qfy803lfs539yzhgmlq5ds2lznt5
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuUkxPN0VIWUNydmJPRmZW
-            V0o3UmZGYkd2NktMdlc0dlpjS0htL24yVVN3ClVjbEViV25ibEwxb3c0TlNOSDB5
-            SjlvNUpSZGpnU3R2aGVIaExBby9qYkEKLS0tIGtJNCtaOGw4OUQrc2JxZExnUHA1
-            bjBzby9HZjFKc2lEMzVLUGxJTndrSzQK7iOGVTi6XuodwBargQ7fUl2gtqIMEnL4
-            Ql0K8J2F2qXtk7/wMHxFAIxwDP5KS5O8uLFjcmOTdGJeAal7Cvv1hQ==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1aGdBSFVjakJvSE42NkhI
+            dUgzcENnMXJOTGFQdkQra1MyNU5KYkJzSlNFCkl0VFdnb21uWkdsd28rVXBsQ0Nj
+            K09VT2FRU3JjZXM5UzZYeTJ4eTRNZXMKLS0tIE9HcFNjeDRZMlpYZlRBYnJyaExY
+            QlVIRXJnSHpBb0hNUzZsRXB1eTdFUG8KsmZLEJHlA9rtxp3PpQDdmtI8L39ollvy
+            DKpfZjCTqj8fbNMHiIhCr0G515w0Ad++bS2DbIbPfZLufiAEuOW00Q==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1sqs7urnzsdy64efmd0zukzv3gs5pnjksuxd7nqmdwdy5l0nqnunq6hyune
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0Ny9xTUpqZitYZXRDTjE0
+            am1XM1NkbXpPT1ZxM0tZd3Y5KzU2YjdwZ21nCjRySEJmMjAzcXUzSEFPMWtoQ1hn
+            UFdkTjNsMFBxYkVocjBUR1NURE15RlEKLS0tIGUwRG0rc3dZSWlLVHZpUzArTWZx
+            NmZOSGhlNlpiUzF6R29haGFaRVYyWjAKWjde4l2J5wb8zn5JBP5ETReRBni6DFwj
+            1uKU5ecrRrTwNkHGPPSifRB5HdC77PWe1ZLWZhHGmSXFan8fnKGc1Q==
             -----END AGE ENCRYPTED FILE-----
     lastmodified: "2024-12-12T12:20:19Z"
     mac: ENC[AES256_GCM,data:D9/NAd/zrF6pHFdZjTUqI+u4WiwJqt0w5Y+SYCS1o/dAXJE/ajHzse/vCSGXZIjP0yqe+S/NyTvhf+stw2B4dk6Njtabjd+PhG0hR4L0X07FtFqzB3u5pLHCb0bH9QLG5zWcyMkwNiNTCvhRUZzbcqLEGqqJ7ZjZAEUfYSR+Jls=,iv:5xPfODPxtQjgbl8delUHsmhD0TI2gHjrxpHV+qiFE00=,tag:HHLo5G8jhy/sKB3R+sKmwQ==,type:str]
     pgp:
-        - created_at: "2025-12-01T10:58:25Z"
+        - created_at: "2026-01-16T06:34:52Z"
           enc: |-
             -----BEGIN PGP MESSAGE-----
 
-            hQIMA0av/duuklWYAQ/+NLY+1iw6BqMfPzgcoiR3i7e/8G6MVP91zGjoUx3D6rGQ
-            EhUrdz6xdRY5KnqC2Wt7BJLO4jl/pvKo+w530Ik3wEzXiaZg1AGiUjUi4JhqueUi
-            EQk41mWYifS6nd9T84x8C6luAUjxYXmZDpIY1/lRDEeh4GG9qE4v32f/66+nxFdV
-            icblN90D7Rz6KTinX7RWVYRXHd3Te74NHhzOTPYkouxwnwvFiS2qN4k+7oIKl3+S
-            OyYKeaAVSc3+nfVxuphNlVvl8ih9/f2tWz8XTPu7ohtck9T//5PXawvR51cateXe
-            2A9HNgefysd90XyCozQ8N7uunZsUKxgngqPhzgP2f0FRYeNWqrIOUWjrmI7nYg+A
-            w7Z7TRQwVzptVUAe+v9WfWkWBYFreb3NlbfEQfEC0xAAFQ5TPqL66PlXXMJqyBhN
-            wWhBY50ETDBvhCv2hTghiRy9tczAgyBKoPr2yZNctqyNTuJlaql4o5LT6RTHusK+
-            vUGGYY/qj9XwrcQBi+bRr/Q9zHHjXowwKPr1/UVbdVa6ntMMjUL1D+T26QPhTT2Q
-            7gT57JmXLJKk85MUGyAG3y4TNNdCbxH096kb1Z1O7VwHZfQDNoYXhPXGhYvnz/4q
-            YWHnYLLApuGN6apqETbE8xizKkUR4k0ReXCjHNvsky/nf30k4iUetDeGBwLJRjzS
-            XAGCykcK7VviDM7YOMlXIbeUBK3Rb2rGsgkBby/cPiNh3zS8HzqOti2vn7ioLMbJ
-            Peic2r2TAUUp/aVmU34YqREi071fKpL0zho75IJ2ZtavDOYmDPopEiluIVuV
-            =JCHR
+            hQIMA0av/duuklWYARAAmHD3R6tDuGGv1VTJ6S/HjLcVlt0+kXOmcjlqMMa8xA6l
+            L3hRSlJz5RGVgNny+AJvj1X7l8pzLMKvufShiNEwkG1dIDLGQqg0msJkhXVB5rIZ
+            a8eG8zne3rYy9rb4MHJM6pvIK76PnzxoqltDYzmk+xXhGfTfcQ2ebc4NDeZPXllA
+            mS6TyqLabR6aI9O3eXqTDdgXtOqvMuces0MZ7T/1RT6wfG8QxZNHW/PZLicMYVLC
+            ouojMBpDgHg5XSa2rk2apukphIxm26Y7tJ/ZZVFTTuS+H9h5In815l26Dl84+aDI
+            i34deyKq2QkVesZV+rhPfOMD5AsaW3NzQD0Qlsg4DLk9qXofsGxS9lP+m6L2yKws
+            iA3JKskLC62boFFAlvsAuot/UNKGdYusDvy1Ez3N7B7aITFawyN34md/7q7fcyOh
+            oDtsV9eGtlQfYDM0ZM1vkE4MPF1Yt1Ozdyxf8oI+ymSywLYV8sB8V5m15ureRfnC
+            Zl+sR/m8Qa52Du/RgxzuTElkF8hYK/3Vmiq4WneZq8YXslPgEmFbdWvhD643H843
+            Ml/k9zcLjx0xB2KW8nr60WTFx2dqbQlTMrWMXSj9qSfEwg2M3ZlOav1Hlm8M/g7x
+            vtOvxgg6sZmFJGgt8BwFib2OD9Rt6w+Qj++vAZnT87xthiGkkbMgDq5SPCi5h8XS
+            XAHnlbcp3okHQaJHxA7i2c1wt8BjZlF75B2STsi3F5KGrM/NONGSsbRcgnZUopx0
+            emOo0W/1Ouq14juHG5aDwHOA8Uh5pNCT5RxeqO83ACXDYaYHU9qM0eorqfRD
+            =N3eL
             -----END PGP MESSAGE-----
           fp: F7D37890228A907440E1FD4846B9228E814A2AAC
     unencrypted_suffix: _unencrypted

topology/default.nix

@@ -0,0 +1,279 @@
+{ config, pkgs, lib, values, ... }:
+let
+  inherit
+    (config.lib.topology)
+    mkInternet
+    mkRouter
+    mkSwitch
+    mkDevice
+    mkConnection
+    mkConnectionRev;
+in {
+  imports = [
+    ./non-nixos-machines.nix
+  ];
+
+  ### Networks
+
+  networks.pvv = {
+    name = "PVV Network";
+    cidrv4 = values.ipv4-space;
+    cidrv6 = values.ipv6-space;
+  };
+
+  networks.site-vpn = {
+    name = "OpenVPN Site to Site";
+    style = {
+      primaryColor = "#9dd68d";
+      secondaryColor = null;
+      pattern = "dashed";
+    };
+  };
+
+  networks.ntnu = {
+    name = "NTNU";
+    cidrv4 = values.ntnu.ipv4-space;
+    cidrv6 = values.ntnu.ipv6-space;
+  };
+
+  nodes.internet = mkInternet {
+    connections = mkConnection "ntnu" "wan1";
+  };
+
+  nodes.ntnu = mkRouter "NTNU" {
+    interfaceGroups = [ ["wan1"] ["eth1" "eth2" "eth3"] ];
+    connections.eth1 = mkConnection "ntnu-pvv-router" "wan1";
+    connections.eth2 = mkConnection "ntnu-veggen" "wan1";
+    connections.eth3 = mkConnection "stackit" "*";
+    interfaces.eth1.network = "ntnu";
+  };
+
+  ### Brus
+
+  nodes.ntnu-pvv-router = mkRouter "NTNU PVV Gateway" {
+    interfaceGroups = [ ["wan1"] ["eth1"] ];
+    connections.eth1 = mkConnection "knutsen" "em1";
+    interfaces.eth1.network = "ntnu";
+  };
+
+  nodes.knutsen = mkRouter "knutsen" {
+    deviceIcon = "${pkgs.super-tiny-icons}/share/icons/SuperTinyIcons/svg/freebsd.svg";
+
+    interfaceGroups = [ ["em0"] ["em1"] ["vpn1"] ];
+
+    connections.em0 = mkConnection "nintendo" "eth0";
+
+    # connections.vpn1 = mkConnection "ludvigsen" "vpn1";
+    interfaces.vpn1.network = "site-vpn";
+    interfaces.vpn1.virtual = true;
+    interfaces.vpn1.icon = "${pkgs.super-tiny-icons}/share/icons/SuperTinyIcons/svg/openvpn.svg";
+
+    interfaces.em0.network = "pvv";
+    interfaces.em1.network = "ntnu";
+  };
+
+  nodes.nintendo = mkSwitch "Nintendo (brus switch)" {
+    interfaceGroups =  [ (lib.genList (i: "eth${toString i}") 16) ];
+
+    connections = let
+      connections' = [
+        (mkConnection "bekkalokk" "enp2s0")
+        # (mkConnection "bicep" "enp6s0f0") # NOTE: physical machine is dead at the moment
+        (mkConnection "buskerud" "eth1")
+        # (mkConnection "knutsen" "eth1")
+        (mkConnection "powerpuff-cluster" "eth1")
+        (mkConnection "powerpuff-cluster" "eth2")
+        (mkConnection "powerpuff-cluster" "eth3")
+        (mkConnection "lupine-1" "enp0s31f6")
+        (mkConnection "lupine-2" "enp0s31f6")
+        (mkConnection "lupine-3" "enp0s31f6")
+        (mkConnection "lupine-4" "enp0s31f6")
+        (mkConnection "lupine-5" "enp0s31f6")
+        (mkConnection "innovation" "em0")
+        (mkConnection "microbel" "eth0")
+        (mkConnection "isvegg" "eth0")
+        (mkConnection "ameno" "eth0")
+        (mkConnection "sleipner" "eno0")
+      ];
+    in
+    assert (lib.length connections' <= 15);
+    builtins.listToAttrs (
+      lib.zipListsWith
+        (a: b: lib.nameValuePair a b)
+        (lib.genList (i: "eth${toString (i + 1)}") 15)
+        connections'
+    );
+  };
+
+  nodes.bekkalokk.hardware.info = "Supermicro X9SCL/X9SCM";
+
+  nodes.lupine-1.hardware.info = "Dell OptiPlex 7040";
+  # nodes.lupine-2.hardware.info = "Dell OptiPlex 5050";
+  nodes.lupine-3.hardware.info = "Dell OptiPlex 5050";
+  nodes.lupine-4.hardware.info = "Dell OptiPlex 5050";
+  # nodes.lupine-5.hardware.info = "Dell OptiPlex 5050";
+
+  nodes.buskerud = mkDevice "buskerud" {
+    deviceIcon = ./icons/proxmox.svg;
+    interfaceGroups = [ [ "eth1" ] ];
+
+    interfaces.eth1.network = "pvv";
+
+    services = {
+      proxmox = {
+        name = "Proxmox web interface";
+        info = "https://buskerud.pvv.ntnu.no:8006/";
+      };
+    };
+  };
+
+  nodes.shark = {
+    guestType = "proxmox";
+    parent = config.nodes.buskerud.id;
+
+    interfaces.ens18.network = "pvv";
+  };
+
+  ### Powerpuff
+
+  nodes.powerpuff-cluster = mkDevice "Powerpuff Cluster" {
+    deviceIcon = ./icons/proxmox.svg;
+
+    hardware.info = "Dell PowerEdge R730 x 3";
+
+    interfaceGroups = [ [ "eth1" "eth2" "eth3" ] ];
+
+    services = {
+      proxmox = {
+        name = "Proxmox web interface";
+        details.bubbles.text = "https://bubbles.pvv.ntnu.no:8006/";
+        details.blossom.text = "https://blossom.pvv.ntnu.no:8006/";
+        details.buttercup.text = "https://buttercup.pvv.ntnu.no:8006/";
+      };
+    };
+  };
+
+  nodes.kommode = {
+    guestType = "proxmox";
+    parent = config.nodes.powerpuff-cluster.id;
+
+    interfaces.ens18.network = "pvv";
+  };
+
+  nodes.bicep = {
+    guestType = "proxmox";
+    parent = config.nodes.powerpuff-cluster.id;
+
+    # hardware.info = "HP Proliant DL370G6";
+
+    interfaces.ens18.network = "pvv";
+  };
+
+  nodes.temmie = {
+    guestType = "proxmox";
+    parent = config.nodes.powerpuff-cluster.id;
+
+    interfaces.ens18.network = "pvv";
+  };
+
+  nodes.ustetind = {
+    guestType = "proxmox LXC";
+    parent = config.nodes.powerpuff-cluster.id;
+
+    # TODO: the interface name is likely wrong
+    # interfaceGroups = [ [ "eth0" ] ];
+    interfaces.eth0 = {
+      network = "pvv";
+      # mac = "";
+      addresses = [
+        "129.241.210.234"
+        "2001:700:300:1900::234"
+      ];
+      gateways = [
+        values.hosts.gateway
+        values.hosts.gateway6
+      ];
+    };
+  };
+
+  ### PVV
+
+  nodes.ntnu-veggen = mkRouter "NTNU-Veggen" {
+    interfaceGroups = [ ["wan1"] ["eth1"] ];
+    connections.eth1 = mkConnection "ludvigsen" "re0";
+  };
+
+  nodes.ludvigsen = mkRouter "ludvigsen" {
+    deviceIcon = "${pkgs.super-tiny-icons}/share/icons/SuperTinyIcons/svg/freebsd.svg";
+
+    interfaceGroups = [ [ "re0" ] [ "em0" ] [ "vpn1" ] ];
+
+    connections.em0 = mkConnection "pvv-switch" "eth0";
+
+    interfaces.vpn1.network = "site-vpn";
+    interfaces.vpn1.virtual = true;
+    interfaces.vpn1.icon = "${pkgs.super-tiny-icons}/share/icons/SuperTinyIcons/svg/openvpn.svg";
+
+    interfaces.re0.network = "ntnu";
+    interfaces.em0.network = "pvv";
+  };
+
+  nodes.pvv-switch = mkSwitch "PVV Switch (Terminalrommet)" {
+    interfaceGroups =  [ (lib.genList (i: "eth${toString i}") 16) ];
+    connections = let
+      connections' = [
+        (mkConnection "brzeczyszczykiewicz" "eno1")
+        (mkConnection "georg" "eno1")
+        (mkConnection "wegonke" "enp4s0")
+        (mkConnection "demiurgen" "eno1")
+        (mkConnection "sanctuary" "ethernet_0")
+        (mkConnection "torskas" "eth0")
+        (mkConnection "skrot" "eth0")
+        (mkConnection "homeassistant" "eth0")
+        (mkConnection "orchid" "eth0")
+        (mkConnection "principal" "em0")
+      ];
+    in
+    assert (lib.length connections' <= 15);
+    builtins.listToAttrs (
+      lib.zipListsWith
+        (a: b: lib.nameValuePair a b)
+        (lib.genList (i: "eth${toString (i + 1)}") 15)
+        connections'
+    );
+  };
+
+
+  ### Openstack
+
+  nodes.stackit = mkDevice "stackit" {
+    interfaceGroups = [ [ "*" ] ];
+
+    interfaces."*".network = "ntnu";
+  };
+
+  nodes.ildkule = {
+    guestType = "openstack";
+    parent = config.nodes.stackit.id;
+
+    interfaces.ens4.network = "ntnu";
+  };
+  nodes.gluttony = {
+    guestType = "openstack";
+    parent = config.nodes.stackit.id;
+
+    interfaces.ens3.network = "ntnu";
+  };
+  nodes.wenche = {
+    guestType = "openstack";
+    parent = config.nodes.stackit.id;
+
+    interfaces.ens18.network = "pvv";
+  };
+  nodes.bakke = {
+    guestType = "openstack";
+    parent = config.nodes.stackit.id;
+
+    interfaces.enp2s0.network = "pvv";
+  };
+}

topology/icons/proxmox.svg

@@ -0,0 +1,5 @@
+<?xml version="1.0" encoding="utf-8"?><!-- Uploaded to: SVG Repo, www.svgrepo.com, Generator: SVG Repo Mixer Tools -->
+<svg width="800px" height="800px" viewBox="0 0 1024 1024" xmlns="http://www.w3.org/2000/svg">
+   <circle cx="512" cy="512" r="512" style="fill:#e57000"/>
+   <path d="M512 497.8 342.7 311.6c6.6-6.6 14.2-11.7 22.9-15.5 8.7-3.8 18.1-5.7 28.1-5.7 10.7.1 20.4 2.2 29.3 6.3 8.9 4.1 16.6 9.8 23.1 17l65.8 71.9 65.4-71.9c6.8-7.2 14.7-12.9 23.6-17 9-4.1 18.7-6.2 29.2-6.3 10 .1 19.4 2 28.1 5.7 8.7 3.8 16.4 8.9 22.9 15.5L512 497.8m0 28.4L342.7 712.4c6.6 6.6 14.2 11.7 22.9 15.5 8.7 3.8 18.1 5.7 28.1 5.7 10.5-.1 20.2-2.2 29.2-6.3s16.9-9.8 23.6-17l65.4-71.9 65.8 71.9c6.5 7.2 14.2 12.9 23.1 17 8.9 4.1 18.6 6.2 29.3 6.3 10-.1 19.4-2 28.1-5.7 8.7-3.8 16.4-8.9 22.9-15.5L512 526.2M497.8 512 370.3 372.2c-7.4-7.9-16-14.1-25.9-18.7-9.8-4.5-20.5-6.8-31.9-6.9-11 .1-21.3 2.2-30.8 6.3-9.6 4.1-17.9 9.8-25.1 16.9L385.9 512 256.5 654.2c7.2 7.4 15.6 13.2 25.1 17.4 9.6 4.2 19.8 6.3 30.8 6.3 11.5-.1 22.2-2.4 32.1-6.9 9.9-4.5 18.5-10.8 25.7-18.7L497.8 512m28.4 0 127.5 140.3c7.2 7.9 15.8 14.1 25.7 18.7 9.9 4.5 20.6 6.8 32.1 6.9 11-.1 21.3-2.2 30.8-6.3 9.6-4.2 17.9-9.9 25.1-17.4L638.1 512l129.4-142.2c-7.2-7.2-15.6-12.8-25.1-16.9-9.6-4.1-19.8-6.2-30.8-6.3-11.4.1-22.1 2.4-31.9 6.9-9.8 4.5-18.5 10.8-25.9 18.7L526.2 512" style="fill:#fff"/>
+</svg>

topology/non-nixos-machines.nix

@@ -0,0 +1,387 @@
+{ config, pkgs, lib, values, ... }:
+let
+  inherit (config.lib.topology) mkDevice;
+in {
+  nodes.balduzius = mkDevice "balduzius" {
+    guestType = "proxmox";
+    parent = config.nodes.powerpuff-cluster.id;
+    deviceIcon = "${pkgs.super-tiny-icons}/share/icons/SuperTinyIcons/svg/debian.svg";
+
+    interfaceGroups = [ [ "ens18" ] ];
+    interfaces.ens18 = {
+      network = "pvv";
+      mac = "00:0c:29:de:05:0f";
+      addresses = [
+        "129.241.210.192"
+        "2001:700:300:1900::1:42"
+      ];
+      gateways = [
+        values.hosts.gateway
+        values.hosts.gateway6
+      ];
+    };
+
+    services = {
+      kdc = {
+        name = "Heimdal KDC";
+        info = "kdc.pvv.ntnu.no";
+        details.kdc.text = "0.0.0.0:88";
+        details.kpasswd.text = "0.0.0.0:464";
+      };
+    };
+  };
+
+  nodes.tom = mkDevice "tom" {
+    guestType = "proxmox";
+    parent = config.nodes.powerpuff-cluster.id;
+    deviceIcon = "${pkgs.super-tiny-icons}/share/icons/SuperTinyIcons/svg/debian.svg";
+
+    interfaceGroups = [ [ "ens18" ] ];
+    interfaces.ens18 = {
+      network = "pvv";
+      mac = "00:0c:29:4d:f7:56";
+      addresses = [
+        "129.241.210.180"
+        "2001:700:300:1900::180"
+      ];
+      gateways = [
+        values.hosts.gateway
+        values.hosts.gateway6
+      ];
+    };
+
+    services = {
+      apache2 = {
+        name = "Apache2 - user websites";
+        info = "www.pvv.ntnu.no/~";
+        details.listen.text = "0.0.0.0:443";
+      };
+    };
+  };
+
+  nodes.hildring = mkDevice "hildring" {
+    guestType = "proxmox";
+    parent = config.nodes.powerpuff-cluster.id;
+    deviceType = "loginbox";
+    deviceIcon = "${pkgs.super-tiny-icons}/share/icons/SuperTinyIcons/svg/debian.svg";
+
+    interfaceGroups = [ [ "eth0" ] ];
+    interfaces.eth0 = {
+      network = "pvv";
+      mac = "00:0c:29:e7:dd:79";
+      addresses = [
+        "129.241.210.176"
+        "2001:700:300:1900::1:9"
+      ];
+      gateways = [
+        values.hosts.gateway
+        values.hosts.gateway6
+      ];
+    };
+  };
+
+  nodes.drolsum = mkDevice "drolsum" {
+    guestType = "proxmox";
+    parent = config.nodes.powerpuff-cluster.id;
+    deviceType = "loginbox";
+    deviceIcon = "${pkgs.super-tiny-icons}/share/icons/SuperTinyIcons/svg/debian.svg";
+
+    # TODO: the interface name is likely wrong
+    interfaceGroups = [ [ "eth0" ] ];
+    interfaces.eth0 = {
+      network = "pvv";
+      # mac = "";
+      addresses = [
+        "129.241.210.217"
+        "2001:700:300:1900::217"
+        "2001:700:300:1900::1:217"
+      ];
+      gateways = [
+        values.hosts.gateway
+        values.hosts.gateway6
+      ];
+    };
+  };
+
+  nodes.microbel = mkDevice "microbel" {
+    deviceIcon = "${pkgs.super-tiny-icons}/share/icons/SuperTinyIcons/svg/debian.svg";
+
+    hardware.info = "Supermicro X8ST3";
+
+    interfaceGroups = [ [ "eth0" "eth1" ] ];
+    interfaces.eth0 = {
+      mac = "00:25:90:24:76:2c";
+      addresses = [
+        "129.241.210.179"
+        "2001:700:300:1900::1:2"
+      ];
+      gateways = [
+        values.hosts.gateway
+        values.hosts.gateway6
+      ];
+    };
+
+    services = {
+      dovecot = {
+        name = "Dovecot";
+        info = "imap.pvv.ntnu.no pop.pvv.ntnu.no";
+        icon = "${pkgs.super-tiny-icons}/share/icons/SuperTinyIcons/svg/dovecot.svg";
+        details.imap.text = "0.0.0.0:993";
+        details.pop3.text = "0.0.0.0:995";
+      };
+
+      exim4 = {
+        name = "Exim4";
+        info = "mail.pvv.ntnu.no mailhost.pvv.ntnu.no";
+        details.smtp.text = "0.0.0.0:25";
+        details.smtps.text = "0.0.0.0:465";
+        details.starttls.text = "0.0.0.0:587";
+      };
+
+      nfs = {
+        name = "NFS";
+        info = "homepvv.pvv.ntnu.no";
+        details.rpcbind.text = "0.0.0.0:111";
+      };
+    };
+  };
+
+  nodes.innovation = mkDevice "innovation" {
+    deviceIcon = "${pkgs.super-tiny-icons}/share/icons/SuperTinyIcons/svg/freebsd.svg";
+
+    hardware.info = "Dell Optiplex 9010";
+
+    interfaceGroups = [ [ "em0" ] ];
+    interfaces.em0 = {
+      mac = "18:03:73:20:18:d3";
+      addresses = [
+        "129.241.210.214"
+        "2001:700:300:1900::1:56"
+      ];
+      gateways = [
+        values.hosts.gateway
+        values.hosts.gateway6
+      ];
+    };
+    services = {
+      minecraft = {
+        name = "Minecraft";
+        icon = "services.minecraft";
+        info = "minecraft.pvv.ntnu.no";
+        details.listen.text = "0.0.0.0:25565";
+        details.directory.text = "/srv/minecraft-pvv";
+      };
+    };
+  };
+
+  nodes.principal = mkDevice "principal" {
+    deviceIcon = "${pkgs.super-tiny-icons}/share/icons/SuperTinyIcons/svg/freebsd.svg";
+
+    # TODO: the interface name is likely wrong
+    interfaceGroups = [ [ "em0" ] ];
+    interfaces.em0 = {
+      # mac = "";
+      addresses = [
+        "129.241.210.233"
+        "2001:700:300:1900::1:233"
+      ];
+      gateways = [
+        values.hosts.gateway
+        values.hosts.gateway6
+      ];
+    };
+  };
+
+  nodes.homeassistant = mkDevice "homeassistant" {
+    deviceIcon = "services.home-assistant";
+
+    hardware.info = "Raspberry Pi 4B";
+
+    # TODO: the interface name is likely wrong
+    interfaceGroups = [ [ "eth0" ] ];
+    interfaces.eth0 = {
+      # mac = "";
+      addresses = [
+        "129.241.210.229"
+        "2001:700:300:1900::4:229"
+      ];
+      gateways = [
+        values.hosts.gateway
+        values.hosts.gateway6
+      ];
+    };
+  };
+
+  nodes.sleipner = mkDevice "sleipner" {
+    deviceIcon = "${pkgs.super-tiny-icons}/share/icons/SuperTinyIcons/svg/debian.svg";
+
+    interfaceGroups = [ [ "eno0" "enp2s0" ] ];
+    interfaces.enp2s0 = {
+      mac = "00:25:90:57:35:8e";
+      addresses = [
+        "129.241.210.193"
+        "2001:700:300:1900:fab:cab:dab:7ab"
+      ];
+      gateways = [
+        values.hosts.gateway
+        values.hosts.gateway6
+      ];
+    };
+  };
+
+  nodes.isvegg = mkDevice "isvegg" {
+    deviceIcon = "${pkgs.super-tiny-icons}/share/icons/SuperTinyIcons/svg/debian.svg";
+
+    # TODO: the interface name is likely wrong
+    interfaceGroups = [ [ "eth0" ] ];
+    interfaces.eth0 = {
+      # mac = "";
+      addresses = [
+        "129.241.210.175"
+        "2001:700:300:1900::1:a"
+      ];
+      gateways = [
+        values.hosts.gateway
+        values.hosts.gateway6
+      ];
+    };
+
+    services = {
+      mapcrafter = {
+        name = "Mapcrafter Minecraft Map";
+        info = "http://isvegg.pvv.ntnu.no/kart/";
+        details.directory.text = "/scratch/mckart/kart";
+      };
+      gophernicus = {
+        name = "Gophernicus";
+        info = "gopher://gopher.pvv.ntnu.no/";
+        details.directory.text = "/var/gopher";
+      };
+    };
+  };
+
+  nodes.ameno = mkDevice "ameno" {
+    deviceIcon = "${pkgs.super-tiny-icons}/share/icons/SuperTinyIcons/svg/ubuntu.svg";
+
+    hardware.info = "Raspberry Pi 2B 1.1";
+
+    interfaceGroups = [ [ "eth0" ] ];
+    interfaces.eth0 = {
+      mac = "b8:27:eb:62:1d:d8";
+      addresses = [
+        "129.241.210.230"
+        "129.241.210.211"
+        "129.241.210.153"
+        "2001:700:300:1900:ba27:ebff:fe62:1dd8"
+        "2001:700:300:1900::4:230"
+      ];
+      gateways = [
+        values.hosts.gateway
+        values.hosts.gateway6
+      ];
+    };
+    services = {
+      bind = {
+        name = "Bind DNS";
+        icon = ./icons/bind9.png;
+        info = "hostmaster.pvv.ntnu.no";
+        details.listen.text = "0.0.0.0:53";
+      };
+    };
+  };
+
+  nodes.torskas = mkDevice "torskas" {
+    deviceIcon = "${pkgs.super-tiny-icons}/share/icons/SuperTinyIcons/svg/arch_linux.svg";
+
+    hardware.info = "Raspberry pi 4B";
+
+    # TODO: the interface name is likely wrong
+    interfaceGroups = [ [ "eth0" ] ];
+    interfaces.eth0 = {
+      # mac = "";
+      addresses = [
+        "129.241.210.241"
+        "2001:700:300:1900::241"
+      ];
+      gateways = [
+        values.hosts.gateway
+        values.hosts.gateway6
+      ];
+    };
+  };
+
+  nodes.wegonke = mkDevice "wegonke" {
+    deviceType = "terminal";
+    deviceIcon = "${pkgs.super-tiny-icons}/share/icons/SuperTinyIcons/svg/debian.svg";
+
+    hardware.info = "ASUSTeK G11CD-K";
+
+    interfaceGroups = [ [ "enp4s0" ] ];
+    interfaces.enp4s0 = {
+      mac = "70:4d:7b:a3:32:57";
+      addresses = [
+        "129.241.210.218"
+        "2001:700:300:1900::1:218"
+      ];
+      gateways = [
+        values.hosts.gateway
+        values.hosts.gateway6
+      ];
+    };
+  };
+
+  nodes.demiurgen = mkDevice "demiurgen" {
+    deviceType = "terminal";
+    deviceIcon = "${pkgs.super-tiny-icons}/share/icons/SuperTinyIcons/svg/debian.svg";
+
+    interfaceGroups = [ [ "eno1" ] ];
+    interfaces.eno1 = {
+      mac = "18:03:73:1f:f4:1f";
+      addresses = [
+        "129.241.210.201"
+        "2001:700:300:1900::1:4e"
+      ];
+      gateways = [
+        values.hosts.gateway
+        values.hosts.gateway6
+      ];
+    };
+  };
+
+  nodes.sanctuary = mkDevice "sanctuary" {
+    deviceType = "terminal";
+    deviceIcon = "${pkgs.super-tiny-icons}/share/icons/SuperTinyIcons/svg/windows.svg";
+
+    interfaceGroups = [ [ "ethernet_0" ] ];
+    interfaces.ethernet_0 = {
+      addresses = [
+        "129.241.210.170"
+        "2001:700:300:1900::1337"
+      ];
+      gateways = [
+        values.hosts.gateway
+        values.hosts.gateway6
+      ];
+    };
+  };
+
+  nodes.orchid = mkDevice "orchid" {
+    deviceType = "terminal";
+    deviceIcon = "${pkgs.super-tiny-icons}/share/icons/SuperTinyIcons/svg/debian.svg";
+
+    hardware.info = "Ryzen1600 Nvidia GTX 1060";
+
+    # TODO: the interface name is likely wrong
+    interfaceGroups = [ [ "eth0" ] ];
+    interfaces.eth0 = {
+      addresses = [
+        "129.241.210.210"
+        "2001:700:300:1900::210"
+      ];
+      gateways = [
+        values.hosts.gateway
+        values.hosts.gateway6
+      ];
+    };
+  };
+}

topology/service-extractors/gitea-runners.nix

@@ -0,0 +1,13 @@
+{ config, unstablePkgs, lib, ... }:
+let
+  cfg = config.services.gitea-actions-runner;
+in
+{
+  config.topology.self.services = lib.mapAttrs' (name: instance: {
+    name = "gitea-runner-${name}";
+    value = {
+      name = "Gitea runner ${name}";
+      icon = "services.gitea";
+    };
+  }) (lib.filterAttrs (_: instance: instance.enable) cfg.instances);
+}

topology/service-extractors/greg-ng.nix

@@ -0,0 +1,11 @@
+{ config, lib, ... }:
+let
+  cfg = config.services.greg-ng or { enable = false; };
+in
+{
+  config.topology.self.services.greg-ng = lib.mkIf cfg.enable {
+    name = "Greg-ng";
+    icon = ../icons/greg-ng.png;
+    details.listen = { text = "${cfg.settings.host}:${toString cfg.settings.port}"; };
+  };
+}

topology/service-extractors/mysql.nix

@@ -0,0 +1,19 @@
+{ config, unstablePkgs, lib, ... }:
+let
+  cfg = config.services.mysql;
+  cfgBak = config.services.mysqlBackup;
+in
+{
+  config.topology.self.services.mysql = lib.mkIf cfg.enable {
+    name = "MySQL";
+    icon = "${unstablePkgs.super-tiny-icons}/share/icons/SuperTinyIcons/svg/mysql.svg";
+
+    details.listen.text = "${cfg.settings.mysqld.bind-address or "127.0.0.1"}:${toString (cfg.settings.mysqld.port or 3306)}";
+    details.socket.text = cfg.settings.mysqld.socket or "/run/mysqld/mysqld.sock";
+    details.type.text = cfg.package.pname;
+    details.dataDir.text = cfg.dataDir;
+
+    # details.backup-time = lib.mkIf cfgBak.enable cfgBak.calendar;
+    # details.backup-location = lib.mkIf cfgBak.enable cfgBak.location;
+  };
+}