uptime-kuma: wants to use /var/lib/private for state

This has already been upstreamed

.sops.yaml

@@ -12,14 +12,13 @@ keys:
   # Hosts
   - &host_bekkalokk age12nj59tguy9wg882updc2vjdusx5srnxmjyfaqve4zx6jnnsaw3qsyjq6zd
   - &host_bicep age19nk55kcs7s0358jpkn75xnr57dfq6fq3p43nartvsprx0su22v7qcgcjdx
-  - &host_ildkule age1x28hmzvuv6f2n66c0jtqcca3h9rput8d7j5uek6jcpx8n9egd52sqpejq0
+  - &host_ildkule age102e6y8gah0ntr6fxqnkpepc8ar29p6ls7ks9ka7v8w87q8scm9yqmc2u8d
   - &host_kommode age1mt4d0hg5g76qp7j0884llemy0k2ymr5up8vfudz6vzvsflk5nptqqd32ly
   - &host_lupine-1 age18lta9d683yekz487xwtd99da236d8mgk4ftlmv2jffx858p9qf2s9j868l
   - &host_lupine-2 age1e0a4ru707v637wzmuxqv0xywmlkhunzgyfy4mrkjc7a23qq8msgq7nqtvt
   - &host_lupine-3 age1wmrrhd5deatmgflkas636u3rzuk46u9knl02v4t39ncs37xqquhq9vwzye
   - &host_lupine-4 age1ml48zztcmnrdrhrdsjrlyxf09jtmjgz46u8td4zm59wn3fm4g57qs4wg0l
   - &host_lupine-5 age12gws5nws69vxryd3kt7q0ayngch90efmhqcrfhnnsmj00lkgxd4qsdkvqn
-  - &host_ustetind age1hffjafs4slznksefmtqrlj7rdaqgzqncn4un938rhr053237ry8s3rs0v8
   - &host_skrot age1hzkvnktkr8t5gvtq0ccw69e44z5z6wf00n3xhk3hj24emf07je5s6q2evr
 
 creation_rules:
@@ -91,19 +90,6 @@ creation_rules:
       pgp:
       - *user_oysteikt
 
-  - path_regex: secrets/ustetind/[^/]+\.yaml$
-    key_groups:
-    - age:
-      - *host_ustetind
-      - *user_danio
-      - *user_felixalb
-      - *user_pederbs_sopp
-      - *user_pederbs_nord
-      - *user_pederbs_bjarte
-      - *user_vegardbm
-      pgp:
-      - *user_oysteikt
-
   - path_regex: secrets/lupine/[^/]+\.yaml$
     key_groups:
     - age:

README.md

@@ -39,6 +39,7 @@ revert the changes on the next nightly rebuild (tends to happen when everybody i
 |  bikkje                    | Virtual  | Experimental login box                                    |
 | [brzeczyszczykiewicz][brz] | Physical | Shared music player                                       |
 | [georg][geo]               | Physical | Shared music player                                       |
+| [gluttony][glu]            | Virtual  | General purpose compute                                   |
 | [ildkule][ild]             | Virtual  | Logging and monitoring host, prometheus, grafana, ...     |
 | [kommode][kom]             | Virtual  | Gitea + Gitea pages                                       |
 | [lupine][lup]              | Physical | Gitea CI/CD runners                                       |
@@ -57,6 +58,7 @@ revert the changes on the next nightly rebuild (tends to happen when everybody i
 [bic]: https://wiki.pvv.ntnu.no/wiki/Maskiner/bicep
 [brz]: https://wiki.pvv.ntnu.no/wiki/Maskiner/brzęczyszczykiewicz
 [geo]: https://wiki.pvv.ntnu.no/wiki/Maskiner/georg
+[glu]: https://wiki.pvv.ntnu.no/wiki/Maskiner/gluttony
 [ild]: https://wiki.pvv.ntnu.no/wiki/Maskiner/ildkule
 [kom]: https://wiki.pvv.ntnu.no/wiki/Maskiner/kommode
 [lup]: https://wiki.pvv.ntnu.no/wiki/Maskiner/lupine

base/default.nix

@@ -23,6 +23,7 @@
     ./services/acme.nix
     ./services/auto-upgrade.nix
     ./services/dbus.nix
+    ./services/fluentbit.nix
     ./services/fwupd.nix
     ./services/irqbalance.nix
     ./services/journald-upload.nix
@@ -33,7 +34,6 @@
     ./services/postfix.nix
     ./services/prometheus-node-exporter.nix
     ./services/prometheus-systemd-exporter.nix
-    ./services/promtail.nix
     ./services/roowho2.nix
     ./services/smartd.nix
     ./services/thermald.nix

base/hardening.nix

@@ -7,7 +7,13 @@
     "ax25"
     "batman-adv"
     "can"
+    "dccp"
+    "ipx"
+    "llc"
+    "n-hdlc"
     "netrom"
+    "p8022"
+    "p8023"
     "psnap"
     "rds"
     "rose"
@@ -23,7 +29,6 @@
     "cramfs"
     "efs"
     "exofs"
-    "orangefs"
     "freevxfs"
     "gfs2"
     "hfs"
@@ -35,10 +40,12 @@
     "nilfs2"
     "ntfs"
     "omfs"
+    "orangefs"
     "qnx4"
     "qnx6"
     "sysv"
     "ubifs"
+    "udf"
     "ufs"
 
     # Legacy hardware

base/mitigations.nix

@@ -1,17 +1,24 @@
-{ ... }:
+{ pkgs, lib, ... }:
+let
+  modulesToBan = [
+    # copy.fail
+    "af_alg"
+    "algif_aead"
+    "algif_hash"
+    "algif_rng"
+    "algif_skcipher"
 
+    # dirtyfrag / Fragnesia
+    "esp4"
+    "esp6"
+    "rxrpc"
+
+    # PinTheft
+    "rds"
+  ];
+in
 {
-  boot.blacklistedKernelModules = [
-  "rxrpc" # dirtyfrag
-  "esp6" # dirtyfrag
-  "esp4" # dirtyfrag
-];
-boot.extraModprobeConfig = ''
-  # dirtyfrag
-  install esp4 /bin/false
-  # dirtyfrag
-  install esp6 /bin/false
-  # dirtyfrag
-  install rxrpc /bin/false
-'';
+  boot.blacklistedKernelModules = modulesToBan;
+
+  boot.extraModprobeConfig = lib.concatMapStringsSep "\n" (mod: "install ${mod} ${lib.getExe' pkgs.coreutils "false"}") modulesToBan;
 }

base/services/fluentbit.nix

@@ -0,0 +1,135 @@
+{ config, lib, ... }:
+let
+  cfg = config.services.fluent-bit;
+in
+{
+  services.fluent-bit = {
+    enable = lib.mkDefault true;
+    settings = {
+      service = {
+        flush = 1;
+        log_level = "warn";
+
+        http_server = "on";
+        http_listen = "127.0.0.1";
+        http_port = 28183;
+
+        # filesystem-backed buffering so logs survives potential outages.
+        "storage.path" = "/var/lib/fluent-bit/storage";
+        "storage.sync" = "normal";
+        "storage.max_chunks_up" = 64;
+        "storage.backlog.mem_limit" = "16M";
+      };
+
+      pipeline = {
+        inputs = [{
+          name = "systemd";
+          tag = "journal.*";
+
+          db = "/var/lib/fluent-bit/journal.db";
+          read_from_tail = true;
+          strip_underscores = true;
+          lowercase = true;
+          max_entries = 1000;
+          "storage.type" = "filesystem";
+        }];
+
+        filters = [{
+          name = "modify";
+          match = "journal.*";
+          rename = [
+            "hostname host"
+            "priority level"
+            "systemd_unit unit"
+          ];
+        }] ++ (lib.mapAttrsToList (k: v: {
+          name = "modify";
+          match = "journal.*";
+          condition = "Key_value_equals level ${k}";
+          set = "level ${v}";
+        }) {
+          "7" = "debug";
+          "6" = "info";
+          "5" = "notice";
+          "4" = "warning";
+          "3" = "error";
+          "2" = "crit";
+          "1" = "alert";
+          "0" = "emergency";
+        });
+
+        outputs = [{
+          name = "loki";
+          match = "*";
+
+          host = "ildkule.pvv.ntnu.no";
+          port = 3100;
+          uri = "/loki/api/v1/push";
+          compress = "gzip";
+
+          labels = lib.concatStringsSep ", " [
+            "job=systemd-journal"
+          ];
+          label_keys = lib.concatMapStringsSep "," (k: "$" + k) [
+            "host"
+            "unit"
+            "level"
+          ];
+
+          # JSON is probably fine for now, then we just extract the keys we want with the grafana web ui
+          # line_format = "key_value";
+          # drop_single_key = true;
+
+          "storage.total_limit_size" = "256M";
+        }];
+      };
+    };
+  };
+
+  systemd.services.fluent-bit = lib.mkIf cfg.enable {
+    serviceConfig = {
+      StateDirectory = "fluent-bit";
+
+      # NOTE: This hardening might be way too strong for general purpose use, don't upstream this.
+      AmbientCapabilities = [ "" ];
+      CapabilityBoundingSet = [ "" ];
+      DeviceAllow = [ "" ];
+      LockPersonality = true;
+      # Lua JIT, maybe other things
+      MemoryDenyWriteExecute = false;
+      NoNewPrivileges = true;
+      PrivateDevices = true;
+      PrivateMounts = true;
+      PrivateTmp = true;
+      PrivateUsers = true;
+      ProtectClock = true;
+      ProtectControlGroups = true;
+      ProtectHome = true;
+      ProtectHostname = true;
+      ProtectKernelLogs = true;
+      ProtectKernelModules = true;
+      ProtectKernelTunables = true;
+      ProtectProc = "invisible";
+      ProtectSystem = "strict";
+      RestrictAddressFamilies = [
+        "AF_INET"
+        "AF_INET6"
+        "AF_UNIX"
+      ];
+      RestrictNamespaces = true;
+      RestrictRealtime = true;
+      RestrictSUIDSGID = true;
+      SystemCallArchitectures = "native";
+      SystemCallFilter = [
+        "@system-service"
+        "~@privileged"
+        "~@resources"
+      ];
+      UMask = "0077";
+
+      BindReadOnlyPaths = [
+        "/run/systemd/journal"
+      ];
+    };
+  };
+}

base/services/promtail.nix

@@ -1,38 +0,0 @@
-{ config, lib, values, ... }:
-let
-  cfg = config.services.prometheus.exporters.node;
-in
-{
-  services.promtail = {
-    enable = lib.mkDefault true;
-    configuration = {
-      server = {
-        http_listen_port = 28183;
-        grpc_listen_port = 0;
-      };
-      clients = [{
-        url = "http://ildkule.pvv.ntnu.no:3100/loki/api/v1/push";
-      }];
-      scrape_configs = [{
-        job_name = "systemd-journal";
-        journal = {
-          max_age = "12h";
-          labels = {
-            job = "systemd-journal";
-            host = config.networking.hostName;
-          };
-        };
-        relabel_configs = [
-          {
-            source_labels = [ "__journal__systemd_unit" ];
-            target_label = "unit";
-          }
-          {
-            source_labels = [ "__journal_priority_keyword" ];
-            target_label = "level";
-          }
-        ];
-      }];
-    };
-  };
-}

flake.nix

@@ -228,12 +228,6 @@
           ];
         };
 
-        ustetind = stableNixosConfig "ustetind" {
-          modules = [
-            "${nixpkgs}/nixos/modules/virtualisation/lxc-container.nix"
-          ];
-        };
-
         brzeczyszczykiewicz = stableNixosConfig "brzeczyszczykiewicz" {
           modules = [
             inputs.grzegorz-clients.nixosModules.grzegorz-webui

hosts/bekkalokk/services/vaultwarden.nix

@@ -6,40 +6,58 @@ let
   port = 3011;
   wsPort = 3012;
 in {
-  sops.secrets."vaultwarden/environ" = {
+  sops.secrets."vaultwarden/rsa_key.pem" = {
     owner = "vaultwarden";
     group = "vaultwarden";
+    mode = "440";
+    restartUnits = [ "vaultwarden.service" ];
+  };
+  sops.secrets."vaultwarden/rsa_key.pub.pem" = {
+    owner = "vaultwarden";
+    group = "vaultwarden";
+    mode = "440";
+    restartUnits = [ "vaultwarden.service" ];
+  };
+  sops.secrets."vaultwarden/env/DATABASE_PASSWORD" = { };
+  sops.secrets."vaultwarden/env/SMTP_PASSWORD" = { };
+  sops.templates."vaultwarden/environment_file" = {
+    owner = "vaultwarden";
+    group = "vaultwarden";
+    mode = "440";
+    restartUnits = [ "vaultwarden.service" ];
+    content = ''
+        DATABASE_URL=postgresql://vaultwarden:${config.sops.placeholder."vaultwarden/env/DATABASE_PASSWORD"}@postgres.pvv.ntnu.no/vaultwarden
+        SMTP_PASSWORD=${config.sops.placeholder."vaultwarden/env/SMTP_PASSWORD"}
+    '';
   };
 
   services.vaultwarden = {
     enable = true;
     dbBackend = "postgresql";
-    environmentFile = config.sops.secrets."vaultwarden/environ".path;
+    environmentFile = config.sops.templates."vaultwarden/environment_file".path;
     config = {
-      domain = "https://${domain}";
+      DOMAIN = "https://${domain}";
 
-      rocketAddress = address;
-      rocketPort = port;
+      ROCKET_ADDRESS = address;
+      ROCKET_PORT = port;
 
-      websocketEnabled = true;
-      websocketAddress = address;
-      websocketPort = wsPort;
+      WEBSOCKET_ENABLED = true;
+      WEBSOCKET_ADDRESS = address;
+      WEBSOCKET_PORT = wsPort;
 
-      signupsAllowed = true;
-      signupsVerify = true;
-      signupsDomainsWhitelist = "pvv.ntnu.no";
+      SIGNUPS_ALLOWED = true;
+      SIGNUPS_VERIFY = true;
+      SIGNUPS_DOMAINS_WHITELIST = "pvv.ntnu.no";
 
-      smtpFrom = "vaultwarden@pvv.ntnu.no";
-      smtpFromName = "VaultWarden PVV";
+      SMTP_FROM = "vaultwarden@pvv.ntnu.no";
+      SMTP_FROM_NAME = "VaultWarden PVV";
 
-      smtpHost = "smtp.pvv.ntnu.no";
-      smtpUsername = "vaultwarden";
-      smtpSecurity = "force_tls";
-      smtpAuthMechanism = "Login";
+      SMTP_HOST = "smtp.pvv.ntnu.no";
+      SMTP_USERNAME = "vaultwarden";
+      SMTP_SECURITY = "force_tls";
+      SMTP_AUTH_MECHANISM = "Login";
 
-      # Configured in environ:
-      # databaseUrl = "postgresql://vaultwarden@/vaultwarden";
-      # smtpPassword = hemli
+      RSA_KEY_FILENAME = lib.removeSuffix ".pem" config.sops.secrets."vaultwarden/rsa_key.pem".path;
     };
   };
 
@@ -66,40 +84,6 @@ in {
     };
   };
 
-  systemd.services.vaultwarden = lib.mkIf cfg.enable {
-    serviceConfig = {
-      AmbientCapabilities = [ "" ];
-      CapabilityBoundingSet = [ "" ];
-      DeviceAllow = [ "" ];
-      LockPersonality = true;
-      NoNewPrivileges = true;
-      # MemoryDenyWriteExecute = true;
-      PrivateMounts = true;
-      PrivateUsers = true;
-      ProcSubset = "pid";
-      ProtectClock = true;
-      ProtectControlGroups = true;
-      ProtectHostname = true;
-      ProtectKernelLogs = true;
-      ProtectKernelModules = true;
-      ProtectKernelTunables = true;
-      RestrictAddressFamilies = [
-        "AF_INET"
-        "AF_INET6"
-        "AF_UNIX"
-      ];
-      RemoveIPC = true;
-      RestrictNamespaces = true;
-      RestrictRealtime = true;
-      RestrictSUIDSGID = true;
-      SystemCallArchitectures = "native";
-      SystemCallFilter = [
-        "@system-service"
-        "~@privileged"
-      ];
-    };
-  };
-
   services.rsync-pull-targets = {
     enable = true;
     locations."/var/lib/vaultwarden" = {

hosts/bekkalokk/services/webmail/roundcube.nix

@@ -9,6 +9,12 @@ in
   sops.secrets."roundcube/postgres_password" = {
     owner = "nginx";
     group = "nginx";
+    restartUnits = [ "phpfpm-roundcube.service" ];
+  };
+  sops.secrets."roundcube/des_key" = {
+    owner = "nginx";
+    group = "nginx";
+    restartUnits = [ "phpfpm-roundcube.service" ];
   };
 
   services.roundcube = {
@@ -39,6 +45,7 @@ in
       $config['mail_domain'] = "pvv.ntnu.no";
       $config['smtp_user'] = "%u";
       $config['support_url'] = "";
+      $config['des_key'] = "${config.sops.secrets."roundcube/des_key".path}";
     '';
   };
 

hosts/bicep/services/matrix/livekit.nix

@@ -64,4 +64,11 @@ in
       '';
     };
   };
+
+  networking.firewall.allowedUDPPortRanges = [
+    {
+      from = cfg.settings.rtc.port_range_start;
+      to = cfg.settings.rtc.port_range_end;
+    }
+  ];
 }

hosts/bicep/services/postgresql/cleanup-timers.nix

@@ -0,0 +1,37 @@
+{ config, lib, pkgs, ... }:
+let
+  cfg = config.services.postgresql;
+in
+{
+  config = lib.mkIf cfg.enable {
+    systemd.services = {
+      postgresql-repack = {
+        requires = [ "postgresql.service" ];
+        after = [ "postgresql.target" ];
+        description = "Repack all PostgreSQL databases";
+        startAt = "Mon 06:00:00";
+        serviceConfig = {
+          Type = "oneshot";
+          User = "postgres";
+          Group = "postgres";
+
+          ExecStart = "${lib.getExe cfg.package.pkgs.pg_repack} --host=/run/postgresql --no-kill-backend --wait-timeout=30 --all";
+        };
+      };
+
+      postgresql-vacuum-analyze = {
+        requires = [ "postgresql.service" ];
+        after = [ "postgresql.target" ];
+        description = "Vacuum and analyze all PostgreSQL databases";
+        startAt = "Tue 06:00:00";
+        serviceConfig = {
+          Type = "oneshot";
+          User = "postgres";
+          Group = "postgres";
+
+          ExecStart = "${lib.getExe' cfg.package "psql"} --port=${builtins.toString cfg.settings.port} -tAc 'VACUUM ANALYZE'";
+        };
+      };
+    };
+  };
+}

hosts/bicep/services/postgresql/default.nix

@@ -3,11 +3,15 @@ let
   cfg = config.services.postgresql;
 in
 {
-  imports = [ ./backup.nix ];
+  imports = [
+    ./backup.nix
+    ./cleanup-timers.nix
+  ];
 
   services.postgresql = {
     enable = true;
     package = pkgs.postgresql_18;
+    extensions = ps: with ps; [ pg_repack ];
     enableTCPIP = true;
 
     authentication = ''

hosts/gluttony/hardware-configuration.nix

@@ -22,7 +22,7 @@
     "sd_mod"
   ];
   boot.initrd.kernelModules = [ "dm-snapshot" ];
-  boot.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" ];
   boot.extraModulePackages = [ ];
 
   fileSystems."/" = {
@@ -31,7 +31,7 @@
   };
 
   fileSystems."/boot" = {
-    device = "/dev/disk/by-uuid/933A-3005";
+    device = "/dev/disk/by-uuid/BD97-FCA0";
     fsType = "vfat";
     options = [
       "fmask=0077"

hosts/ildkule/hardware-configuration.nix

@@ -1,4 +1,4 @@
-# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# Do not modify this file!  It was generated by 'nixos-generate-config'
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 { config, lib, pkgs, modulesPath, ... }:

hosts/ildkule/services/monitoring/prometheus/default.nix

@@ -21,6 +21,7 @@ in {
 
   fileSystems."/var/lib/prometheus2" = {
     device = stateDir;
+    fsType = "bind";
     options = [ "bind" ];
   };
 }

hosts/ildkule/services/monitoring/prometheus/machines.nix

@@ -27,7 +27,6 @@ in {
       (mkHostScrapeConfig "lupine-4" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
       (mkHostScrapeConfig "lupine-5" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
       (mkHostScrapeConfig "temmie" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
-      (mkHostScrapeConfig "ustetind" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
       (mkHostScrapeConfig "wenche" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
 
       (mkHostScrapeConfig "hildring" [ defaultNodeExporterPort ])

hosts/ildkule/services/monitoring/uptime-kuma.nix

@@ -19,8 +19,9 @@ in {
     locations."/".proxyPass = "http://${cfg.settings.HOST}:${cfg.settings.PORT}";
   };
 
-  fileSystems."/var/lib/uptime-kuma" = {
+  fileSystems."/var/lib/private/uptime-kuma" = {
     device = stateDir;
+    fsType = "bind";
     options = [ "bind" ];
   };
 }

hosts/kommode/services/gitea/default.nix

@@ -226,16 +226,11 @@ in {
         # Logs are stored in the systemd journal
         skip-log = true;
       };
-    in lib.mkForce "${lib.getExe cfg.package} ${args}";
+    in lib.mkForce "${lib.getExe cfg.package} dump ${args}";
 
-    # Only keep n backup files at a time
-    postStop = let
-      cu = prog: "'${lib.getExe' pkgs.coreutils prog}'";
-      backupCount = 3;
-    in ''
-      for file in $(${cu "ls"} -t1 '${cfg.dump.backupDir}' | ${cu "sort"} --reverse | ${cu "tail"} -n+${toString (backupCount + 1)}); do
-        ${cu "rm"} "$file"
-      done
-      '';
+    # Only keep a single backup file at a time.
+    postStop = ''
+      ${lib.getExe' pkgs.coreutils "mv"} '${cfg.dump.backupDir}'/gitea-dump-*.tar.gz gitea-dump.tar.gz
+    '';
   };
 }

hosts/lupine/hardware-configuration/lupine-1.nix

@@ -1,4 +1,4 @@
-# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# Do not modify this file!  It was generated by 'nixos-generate-config'
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 { config, lib, pkgs, modulesPath, ... }:

hosts/lupine/hardware-configuration/lupine-3.nix

@@ -1,4 +1,4 @@
-# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# Do not modify this file!  It was generated by 'nixos-generate-config'
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 { config, lib, pkgs, modulesPath, ... }:

hosts/lupine/hardware-configuration/lupine-5.nix

@@ -1,4 +1,4 @@
-# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# Do not modify this file!  It was generated by 'nixos-generate-config'
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 { config, lib, pkgs, modulesPath, ... }:

hosts/ustetind/configuration.nix

@@ -1,40 +0,0 @@
-{ config, fp, pkgs, lib, values, ... }:
-
-{
-  imports = [
-    (fp /base)
-
-    ./services/gitea-runners.nix
-  ];
-
-  boot.loader.systemd-boot.enable = false;
-
-  networking.useHostResolvConf = lib.mkForce false;
-
-  systemd.network.networks = {
-    "30-lxc-eth" = values.defaultNetworkConfig // {
-      matchConfig = {
-        Type = "ether";
-        Kind = "veth";
-        Name = [
-          "eth*"
-        ];
-      };
-      address = with values.hosts.ustetind; [ (ipv4 + "/25") (ipv6 + "/64") ];
-    };
-    "40-podman-veth" = values.defaultNetworkConfig // {
-      matchConfig = {
-        Type = "ether";
-        Kind = "veth";
-        Name = [
-          "veth*"
-        ];
-      };
-      DHCP = "yes";
-    };
-  };
-
-  # Don't change (even during upgrades) unless you know what you are doing.
-  # See https://search.nixos.org/options?show=system.stateVersion
-  system.stateVersion = "24.11";
-}

hosts/ustetind/services/gitea-runners.nix

@@ -1,41 +0,0 @@
-{ config, lib, values, ... }:
-let
-  mkRunner = name: {
-    # This is unfortunately state, and has to be generated one at a time :(
-    # To do that, comment out all except one of the runners, fill in its token
-    # inside the sops file, rebuild the system, and only after this runner has
-    # successfully registered will gitea give you the next token.
-    # - oysteikt Sep 2023
-    sops.secrets."gitea/runners/${name}".restartUnits = [
-      "gitea-runner-${name}.service"
-    ];
-
-    services.gitea-actions-runner.instances = {
-      ${name} = {
-        enable = true;
-        name = "git-runner-${name}"; url = "https://git.pvv.ntnu.no";
-        labels = [
-          "debian-latest:docker://node:current-bookworm"
-          "ubuntu-latest:docker://node:current-bookworm"
-        ];
-        tokenFile = config.sops.secrets."gitea/runners/${name}".path;
-      };
-    };
-  };
-in
-lib.mkMerge [
-  (mkRunner "alpha")
-  (mkRunner "beta")
-  (mkRunner "epsilon")
-  {
-    virtualisation.podman = {
-      enable = true;
-      defaultNetwork.settings.dns_enabled = true;
-      autoPrune.enable = true;
-    };
-
-    networking.dhcpcd.IPv6rs = false;
-
-    networking.firewall.interfaces."podman+".allowedUDPPorts = [53 5353];
-  }
-]

secrets/bekkalokk/bekkalokk.yaml

@@ -18,6 +18,7 @@ mediawiki:
         admin_password: ENC[AES256_GCM,data:4eUXvcO7NLOWke9XShfKzj+x3FvqPONa,iv:3iZ+BTBTZ7yMJ0HT14cEMebKZattWUcYEevRsl/6WOk=,tag:CU0iDhPP2ndztdX5U5A4cw==,type:str]
 roundcube:
     postgres_password: ENC[AES256_GCM,data:fGHmq6r/ZCeIseHL8/gmm5DfWQYorI3OJq1TW0EHvh7rHL62M4TE+Lrlrmq8AIlmGLSWtO8AQzOP3toxidL6xWX3pcwLxtTefa1gom2oQf6ZL4TbAZLidHksdiro6pWtpMOO66bb8O9eXvZmns4=,iv:Irnb2/bgx8WilDyRLleWfo6HHafZ+vlDEwxIcgm1f18=,tag:eTNBUELmLwO7DsQN9CLX7Q==,type:str]
+    des_key: ENC[AES256_GCM,data:U5AHdFgDtidjN7XqPSJkT/anS/q29/9p,iv:okLPMdnNW3dawiqirLA6VmnhXsbPyP4QnqbRo0wfd58=,tag:ZVmCzJK9uhw6CvxK1On1Sg==,type:str]
 idp:
     cookie_salt: ENC[AES256_GCM,data:cyV6HDCPHKQIa8T1+rFBFh6EuHtG5B508lg6uFYENK7qVpYuiTUIokdVQhY8SRLs2mECx/ampgnUHxCRB/Cc/A==,iv:QRrRUhzRQrLkmg38rrYtCEfF8U4/7ZHZUDSEq++BlbI=,tag:fLqFSLd+CKqJvmCh1fx8vg==,type:str]
     admin_password: ENC[AES256_GCM,data:Vf33Oenk6x6BIij1uW8RQDjTPcKhUVYA,iv:RNeyCNpTAYdBPrZwE3Y6CCjoAML/3XUvjfJCrr06IEU=,tag:zVOrx1oXnEyr/VwFCFaCDQ==,type:str]
@@ -31,14 +32,17 @@ nettsiden:
         cookie_salt: ENC[AES256_GCM,data:VmODSLOP1YDBrpHdk/49qx9BS+aveEYDQ1D24d4zCi06kZsCENCr+vdPAnTeM1pw98RTr3yZAEQTh4s90b6v8Q==,iv:vRClu6neyYPFdtD63kjnvK2iNOIHMbh+9qEGph7CI60=,tag:66fgppVxY0egs4+9XfDBPA==,type:str]
         admin_password: ENC[AES256_GCM,data:SADr/zN3F0tW339kSK1nD9Pb38rw7hz8,iv:s5jgl1djXd5JKwx1WG/w2Q4STMMpjJP91qxOwAoNcL0=,tag:N8bKnO9N0ei06HDkSGt6XQ==,type:str]
 vaultwarden:
-    environ: ENC[AES256_GCM,data:CST5I8x8qAkrTy/wbMLL6aFSPDPIU7aWsD1L1MnIATRmk7fcUhfTSFds7quJmIpb2znsIT/WxNI/V/7UW+9ZdPKI64hfPR8MtvrJcbOhU5Fe2IiytFymFbhcOgWAXjbGzs7knQmpfMxSl98sU71oLkRuFdkousdnh4VQFZhUCYM=,iv:Is6xQ7DGdcAQgrrXCS9NbJk67O2uR82rbKOXBTzZHWw=,tag:XVEjCEM5t8qJl6jL89zrkw==,type:str]
+    env:
+        DATABASE_PASSWORD: ENC[AES256_GCM,data:uSaQuyx4yn1QfUABWpEjf8x97Imh6A==,iv:pukLl3k8X+ITRZ4bZfOPjsWKCHjVCo8Zd6qEHRERAYc=,tag:4y03dQbEhS+mTXUhzt54bA==,type:str]
+        SMTP_PASSWORD: ENC[AES256_GCM,data:Nr+4wZSvq6KjfzB169v4ojvWHa25Aw==,iv:HM4VYLUCI0HaBT8cDzusYA+49LpuJeg7v/Pz4nfulmM=,tag:T4TkDt+NdWnqbCDaRUERJw==,type:str]
+    rsa_key.pem: ENC[AES256_GCM,data:bYZzFj2ImB0jfiIP9N9V+nk1ROjql4PEuDcJIhVV96BeE++Kq+DGORrnfCyJaubNlqT7+nlMGN/D6bfzwKWivuXDd7T5s6wXplk480anOrFU4cJ9NYXHJjoT8Cn+jKSb7JEWO42cVwraB+qGWFZevOrRtdBM328ffOH4IDqVYgIonnM+pHe7oGglg2Xc97x3GQ46ODWKFZsAqU3ZZv+4SGJXJJorPv+cOIoVvXpqec7TuD2MnfdXvLQEl6o/zsGuV/yQkbJus/BqKUUR+RZ9i/0xuzCd/hJS9yFbHHBj82fDh6+D4TG+1PM+dVRSolkkxhcBvvBJtUPqRewTe5cNO9wZP1ocf9GNmXMbvopaNdAxh6uPJNH1Z6aZ+kLShF5ddE4FuKSvucEPgUdscZw01LeJIehZ7uzHCC99jmojU8rlsWFPvJqUfp0xAZDFDJgCIGt6AbKwBCCeFGuvqYT6w5GQ8uT8OQVBmRxUCZuplcDTUMsBXDxa/Q/5Q/O2zIev7jw7Rm0cJ23ovllu40VvLD+Xu/uQVYzivOOHkvUhQkjVkfbk073ZjrhlIMO3BOuA7PDKUsMBz3UVndtrYU+OOtCI0CoCVVP/K/CamNBGGHdvBoQ13bVn04OgdgJYgz04gP6MqFkr8AWoPFHVZe8+Z/tlW5DtV6SRoUfGFlnROWhiBVZpNuUj/ef1gUY1OoFuqY4GRc3nkC/Fwxi81+lSbAQ2ZdtqroJxquoVJhoUWuSonNDBtOYU0yczvF70R84AFzWKh1eJ7hr2iwcMJPSkhTzTm7LTrr0mQqU8qMxUz4pa0yxOZW0UkC2koz6jKdYlwXHMjjyiUZqfc2y9DrRF6Sa/NUPTrzIvikYk9yr3thnh4VtcsYdqvwlsnkbM/HtGvcmmtZjT4npLyD5t/7tUOs453Ntoo1BOto7+X+0IrFs9yHheBOqfj8dA1M2am0cjrS9LyaSnqBREgBFWVJdpSB0aDdh0M8vmpCBcdrzGPLCUXhNWihiZFEVh1ZrwzXWndRtqmhFLFfXmnEAhtEQL6l/GuA5WEYPHIThq+33BDhXAUB5oBcQQSI8TGPWw0IkOci8Q+SlUd81h2JtAmek/L+1kGZwmyolg1iA9c0LVxapM9cpSNVnmON/O2q3tFisQS82/ysKnNggeyD/ByY0dGMUZILAeONBqm41UcVGoAP5N5KE6Cb7FlppBRitn4QejVvLExPtK8NwQl503Yjq+yBTjSjhuZbB2mQaFgJeKhXrm34I3ZMKKm58j+NAGVJTi7RPzSfTW3kvPvtfm8GvM+vuOOxvNzdid8jR241pQl35d6hOYS3wvbkDVmkvbcjTJBPslvq6pGmAVPyHLHshgyTvvTweX1yodoV+4Z3dtrBb9wZKADT6VfTmEo4RXNjIoZFQrTJTdBeVQbgxejySKHAy2G0/8ZipvToj7zRULSOHh6yS4no8b7U7ZY9tEdxs8uxhDob0nkGy7VQUGG8YNXuwGsjLjVsTiawXiWnqdxeFLuTkKEvtMEEmDUfIRErY2juZbra4AKKWdjegc4ayW1ZyUq5i12eRdnpNbdXBQBtBjagvo3A29bse1TMV3Hww+B7oZ0wsHFD72byD159DdEqnLYlxzRjXns3E2qX8f5xvIUFkBIFNDqkKVaq9wqCrmS0vpbHvuiEJDwyr+nu32nWYT9M+RO41Ri/W63juukd/wf75QKVNNjV5WVrJaN2lgr1+3ux0LE5qs01nZZKqv0jzk4P2SnrPJLMq9NbEgXgKjmwqABnQm8KkeHpPQ8ns4JAY7L5pV6faf1rKWQnE71t9qpKSNMlOgtcv2Jd+5HZuUYbYw5SdDYmwsd+OT0cVu0jURz22k/OmT9GY09SnYpvgHrXLNjvEtY0Tr2vpX1SL5qTx6MWDs/nr47+t/DUEMC/JmUrIOE3OSZXpS9AO4BsBmTV0DF5SlvYBDnHAqkHuJbzRdQ1FjGg/wZLFDmIUy3F7m7bGB+5NX+1ZO1BmG2f0ICpHiR1SGnaK81mY3gmfUD8al7gmmKmAltfvw2kP+Z+Hv2d+XGqVk2csRlfq9e5wu0jFKgcGIs4NuA71V0oKfwL7a3gN0Drd270frH1lYzET0NRSQkqw4oeTt0y4my5TvYGmLEHE05IORdrmHUkHefUtomTEB6YQYY+wLyxVBo6z6MFLN7eCe1HtxjUBp8LFxTT+2l7IusDgIs+6I05Krrrz5GHgNHdMBhw==,iv:CtmysYvEFew/839Gj+vZEDoqu6TvrZ9bUIg9GwejIX0=,tag:CnTEOKLYDsVGRVrQDwfFKQ==,type:str]
+    rsa_key.pub.pem: ENC[AES256_GCM,data:B/2SQrEQ4zRie6A89jneHl5tXfHraYzVEBshY+IrRoufI9YpQw16VjGgrNVCpaG5+PSsCNjz8lXM33oQwg7HU1IWHmvrZdEgkguYv722Ngdb4D8IKHL1nsL9/gkVQFFFvty9ru3LDTfrFKF3cLX+6eIQMFk5W+qLuVO5Pbxh3LKWmN7zG8XHa/b+tvMQclHrtY2iomIThyxKi8w03uE1Fs6V80hyuMA/3TdIz9nUwl5WpiGxaelwaJyts2b5KoBzJ0zZbdR4IHCTYYqBkdjo8929M/gfPS6ZqZS2FPDReoWiujJSAyyoC9xZxglUk/g7vU/8CVwcrtVzn5DEbUot/om98p/1Hq/1Hk4zli49Ysy8nbPhlshZeH5RNSQIDkY6wT7TYD5m3QXjXV+siH7ClKAfri2zp4S4k9uEXvL27NTPqvoXKIUpSEl1b0A/ApQt761PODEMtEXx2PmlRKhg9T9cvLRNYbJavg3FMNivZ+2oQNZXeJZWUEjtqsEoPBAbEHklMtKJiQiThtIPHL3eEdTAhOVhjxBGYU2Kase2hU7g2YvgC3+8u48OarXZbZYgcJkoCHrm+hocYm5DZJ64rxURZQ==,iv:6x0vx8tiGOsQxHsp+qO+nvdUmqNKWINdFO1wXOnORVo=,tag:zuPNh7IfEG/c4lsFVNRYog==,type:str]
 bluemap:
     ssh-key: ENC[AES256_GCM,data:nPwsT4RYbMbGp2MChLUh6NXW4ckYr7SQcd6Gy2G8CEU+ugew5pt4d6GOK1fyekspDtet3EkPL2F1AsoPFBB2Rv0boARMslAhBqwWSsbBJTXeTEgAABSMxTPJRBtfJucvv426nyIj3uApoknz6mDCQh1OI6mER0fis7MPaM1506HlDlnIT0FV9EairEsaAmbd0yddByGJSccKIza2vW0qWqrz83P+xrakEONxFz0fJlkO5PRXCcQJVBCqWQfnaHNrWeBWv0QA7vAHlT0yjqJCpDRxN2KYrPWsz7sUbB4UZOtykCRM5kKFq73GUaOKqVECJQhcJi6tERhpJELwjjS8MSqvBD90UTKTshGugfuygTaOyUx4wou3atxMR2Rah9+uZ6mBrLAOLX3JKiAtyhFewPMWjd/UhbMPuzNageVBNz2EMpa4POSVwz5MyViKNSgr9cPcNGqmrnjvr/W/lnj6Ec+W80RiXQlADSE4Q6diLLwB9nlHvKs8NTDgv6sUafcPHpJ2+N4Jkb96dE14bMffQ385SI4vLDcQ8xCQ,iv:WdJIHRzjlm8bEldolCx1Q7pZJvjxGkNZALSOy3IjizU=,tag:5ZAikiqttq/76+thG+4LMw==,type:str]
     ssh-known-hosts: ENC[AES256_GCM,data:J6V+NJ9TvYUL2gmcqWWYt8X+n0M7i0RpDpBelWAbFMH64+e9ztHNnC491sm+RogDxqKk0kwQyX2Mz00iq3Gc3wDYyozGOdv3tBKrp7/LcfjUQ9T9hi0yTD3eNV0LAjlAWMTdlW65VGHqGst8ncKbUuVxbBASVlh3A321toZgD+xxUAtNz7qKFa6fDbOS0xLD1+CmTwVp+aPos//QIKzjuk1HqxfBNK82maKtD4JHPS+Y3be2wIEjGWq3H6JYN/RDojD88D/jzo9RwvEjpqLXoOVfy8uX/fbEsgkgfAmPiaG+ePCnchSExEe3a6Y0E+I6YIzvP+tGThJpu4HaT/yW2Rww/jvsxKrXSUhtBZI/SIX5ZAIFB3sFjJXQefJjfNpQTQWhbspLfdemafGaRiDnzVgKDhNL1HNMNsXKDfWa0SLs4//dqerom/QCCNsaqV+4HVzv5x44srChGERadQI/Wh4UG2R19xxbdyIsKPHzv7BhEKufJkjc5upBjWygQrGAkTRHugFpw2Tdkz9yUQSujMkaeRKhVkA+ZUAjwnY5TwqNZBj7U3K2JXoNVHAq194XmrA2dNghh0OmRrvKGwM3HKexX22SXT0bPlpdWRQpMbUgV+uHLMerlDpNMFTIueEBkaF/FWeSW2N5WUrUb1uJ91QcJ8JBgN1riuD1Oxv9RRPrY9VVNJMrYjpAAREN8i8brMTOCJ35s7jnqIei0dNmnNXOoQZPs9kUMeEtUc/Df1E8/aO2Y4yU9gHUuevXnAJWFAiu2IxssgPk6CcNxvapJEmlwkLK/JyuDsWwFxVOHfw5QIEsoDVWXt6eMhquqUgzJI1q7QrTWUQsBb5A5sQKYWQHempOaXuQn1bzA7mU3Gzsr8bNNc6tpy+6j3zTXYR067EX00yqPG+kqRn4QVIuhByxXP3cwXLUG9uD1lsqWrGzs6WCnHr7txhRBXf4WbBVmXModO3uf36cDYEwrUa6yBsARtSl8PJ0UadfY/xULcT5PFvu9+Hi2qj3vp4IU3JCJa9AvXB+11pbSdawprjuDhwQtPwkJ4CQyvZsom3/BOrmwYM5+EyMDIluEQ0z6eDE5buiIVbX6IvXnDCKbrnqVwavX2wqyiDduFLjRfWL/3U2O1yRim78smrDMJABJZvtW+a+GfmlnTd/gnFvS70Fmm/lgtY051ISL/iFx6toJRoBMMiI/Zvy13uQry+w/HbyFl42DIank8tf7kuN3E9M7ADGMubRJJ0AZOcQddrFnR4Gl2nU2+3RS5fLHaBf9QHK6W92/n//xmPkYqrkPacew4eBjUqM32jVGuBpDc964fK9kdtIdw8q5P1s/ph3I79Y24kGeuO1AVJuZvkaTv1Z7GgI9+K9TstKJ9XpRCidLpLSP+uHOWkqcNsQlt6ilTlfHj+MKoD85dKZ315QMmpiuYEvzCSP1aYTb9dpd61Su/IVuM3r2NuINNEZ166YlHQVsLNpDn8E5ahk3ZInOAg6/kaKTmjUI8KEvX4BR3PbbViAlJJb3suJ0oZBGPUlrW5uLRmADvf2mMDVO5zY7/m9DQwxjt4Miu0l8ZaUc0YJQ850lBKucQ==,iv:GI8w7h7xX8gMHuAoWUyrW+BQb85LNlASoYvGBPlCZaI=,tag:WnHNMevfFSMc0ikBZwWn/g==,type:str]
 sops:
     age:
-        - recipient: age12nj59tguy9wg882updc2vjdusx5srnxmjyfaqve4zx6jnnsaw3qsyjq6zd
-          enc: |
+        - enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
             YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzMVM0T0Y4Wjg1OGNsR0Iv
             VmxoNmRMcjlWRHFhc3l2Sy9aZnF4b0ZsTnhnCkd6UnEvWi9kRU9qSmVLZkdiWGJh
@@ -46,8 +50,8 @@ sops:
             R0RmcXJwRlkvSVhRbGwxZytLNmlqeFkKw/0nGPzgzH39udFyJVkjNTMTmffiQh6/
             HT1O7imvPymx5kXrnfciAP9bnCV4o/HiVkuDxBP7gG5nBUgY6PIC7Q==
             -----END AGE ENCRYPTED FILE-----
-        - recipient: age1ug30gg4y7ftuya0wdv7q0vh4egn00wlv2th7mt7cgc2ze46wmvyq9lq6ge
-          enc: |
+          recipient: age12nj59tguy9wg882updc2vjdusx5srnxmjyfaqve4zx6jnnsaw3qsyjq6zd
+        - enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
             YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCV2ptWkhqNjcrM0hXOWEv
             Y21GNkVJUXY3dHV1OUdUdlJZNHhka3g3QVdNCk9vak0wSDBhS3pZSWk2anVsMnVY
@@ -55,8 +59,8 @@ sops:
             cXl3S2tRdExvSjRNUHpwbFNzVXdQVmcK65zb8MPh67TyHkjLA2vLgv2eOQOSUDih
             JeHkryWGQXzlYL5tZZ24ae1mqYiYQ6DsbWXopA0q0OmndYByXct6FA==
             -----END AGE ENCRYPTED FILE-----
-        - recipient: age1mrnldl334l2nszuta6ywvewng0fswv2dz9l5g4qcwe3nj4yxf92qjskdx6
-          enc: |
+          recipient: age1ug30gg4y7ftuya0wdv7q0vh4egn00wlv2th7mt7cgc2ze46wmvyq9lq6ge
+        - enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
             YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCSnU5dml1bjY5ejZHUGRQ
             V1pNQnBXWUx0c1R5WkY5d3NFOFlKTkFrMUN3CkNqMjc5NDRMb05tSW9wV3lkUUVU
@@ -64,8 +68,8 @@ sops:
             SzM4Rml4dFNjMWxxYXlVdTdxTTB1ZzQKvoBpb4PPNM5yl85wTcTTqZmkXmwZGyvS
             PMPFNqEkzcZFtC1BfYGIlKAuisGhQ6rFAkyTZXTLP0HjPEcH00+WMw==
             -----END AGE ENCRYPTED FILE-----
-        - recipient: age1hmpdk4h69wxpwqk9tkud39f66hprhehxtzhgw97r6dvr7v0mx5jscsuhkn
-          enc: |
+          recipient: age1mrnldl334l2nszuta6ywvewng0fswv2dz9l5g4qcwe3nj4yxf92qjskdx6
+        - enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
             YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDbGdTVUU3UVUwZytQancy
             ZXY1Ullmck9qZ0dsSmZqUHF0NGpSZlJWRjBJCndmbGh6Y3lUWmdEWUdHNkZwd0dM
@@ -73,8 +77,8 @@ sops:
             NmloODFNNXU1TG9FeWxKYTBGOG5qR1kKXGAQyRVO6Sh0LNlFD5nx0F3m2KYP8hYl
             /g3mwi4NI4UIR2dYXsgNJuF7axxP1IbaZ/j2NLNYbVe2+iZvscvBTw==
             -----END AGE ENCRYPTED FILE-----
-        - recipient: age1wrssr4z4g6vl3fd3qme5cewchmmhm0j2xe6wf2meu4r6ycn37anse98mfs
-          enc: |
+          recipient: age1hmpdk4h69wxpwqk9tkud39f66hprhehxtzhgw97r6dvr7v0mx5jscsuhkn
+        - enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
             YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtWkVyLzJWM01ybHB3cmpq
             cTJTM3VWaEk3djcxb0RnbVZXUGRyMWQxcWlFCmhQUmtGZm0wczdsLzZUNHFqRnZW
@@ -82,8 +86,8 @@ sops:
             RGs3aStCRUJmMG9JRFZyRFJWeTZKWGsK8oTccCGCXPsQEGnn57ml5IwYCHgYoBpC
             2U7uT/Z10crtrqgPGi3/jYr5IEacLBvbuGLBwSlCo7NGz/6XnVIyaQ==
             -----END AGE ENCRYPTED FILE-----
-        - recipient: age1zhxul786an743u0fascv4wtc5xduu7qfy803lfs539yzhgmlq5ds2lznt5
-          enc: |
+          recipient: age1wrssr4z4g6vl3fd3qme5cewchmmhm0j2xe6wf2meu4r6ycn37anse98mfs
+        - enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
             YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSTlJPQk9DTFNKMjA2bTRj
             OE5uaWxEQkhUdmRvT2h4TDJvREo4TlQ4MFZrCjNjd2ErOXcxQkJrNzlOdGNFSDNW
@@ -91,8 +95,8 @@ sops:
             RlRMc0R3dDllUGRHcmNDTDBSS09mUUUKhdxXMEuwLviNY134uA4SELXiHo4rCC9h
             pT2iqOV+VDquwE99h9OIo2Kfmblzje/TGpok1i4cxytg8fly3LZD+Q==
             -----END AGE ENCRYPTED FILE-----
-        - recipient: age1sqs7urnzsdy64efmd0zukzv3gs5pnjksuxd7nqmdwdy5l0nqnunq6hyune
-          enc: |
+          recipient: age1zhxul786an743u0fascv4wtc5xduu7qfy803lfs539yzhgmlq5ds2lznt5
+        - enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
             YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQcHVjN3MvVUEwazNraXFQ
             anVTbU1EY1JUQ0FyeSt3bWJ6TVcwY1UwZ1cwClRtOTE1QWNXaUdzejh5a3BUdTFv
@@ -100,8 +104,9 @@ sops:
             SU5zanlva1p2QjVndVJwUnlkdkFuTDAKbQRrSfG9MGsGvF2ywoGhDSuriDsbQ+k2
             29mxere0efSSGGq8y9YrPC8UX5hZRfqg/dfbL+PFc4NHfbxB/oSzQw==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2026-01-26T08:40:13Z"
-    mac: ENC[AES256_GCM,data:ppgpARft/YDKP24QF4bLYVhxN4nRrCsf4wBug3UD4MXgQwdFyWPAHn086uONeMbVOvH8IdwlaNBc8h36I7M66cqwK1VsRc/vf9Ud2VnD/WkWijMSrJ80frIvuvREp7aMNlYbD20bjrp4sYohjcJ8KPqyPUFPj71dA+9LZvXJthQ=,iv:lr3R14lRx7RzclknKbOa/bHa6axGbMPqj1FRTjx34xE=,tag:pBHzSArxYs4bqq355T4yog==,type:str]
+          recipient: age1sqs7urnzsdy64efmd0zukzv3gs5pnjksuxd7nqmdwdy5l0nqnunq6hyune
+    lastmodified: "2026-05-22T08:58:19Z"
+    mac: ENC[AES256_GCM,data:EYU8RCXRMdQn+yLB0iWBw7JULZya3PqkScAFtlP0d0zTyud4MGVCTINtrn7EgboYONvEWgi4yRvJVHUDPArRA6WlHx/tx175DJbVq6sdnl0xsL0Y9dt18HbdEgDDyOxbCjTOjAV1WPINOmpVvyXMp4+cc0oU3g+2ANjiodkU+t4=,iv:wAi+m9VkKx1bCxz5kZyEgNQcPE9aa5f9TlaYEohnwu0=,tag:3ZtP78aCmyqW0A0zvgpUTw==,type:str]
     pgp:
         - created_at: "2026-01-16T06:34:44Z"
           enc: |-
@@ -124,4 +129,4 @@ sops:
             -----END PGP MESSAGE-----
           fp: F7D37890228A907440E1FD4846B9228E814A2AAC
     unencrypted_suffix: _unencrypted
-    version: 3.11.0
+    version: 3.13.0

secrets/ildkule/ildkule.yaml

@@ -9,90 +9,90 @@ keys:
         postgres_exporter_knakelibrak_env: ENC[AES256_GCM,data:xjC7DGXrW2GIJq8XioIZb+jSe/Hzcz0tv9cUHmX/n1nhI+D64lYt+EKnq1+RX/vJzU4sTaKjveKBh88Qqnv6RQm+MZC//dIxcvnnAdl50qnHZyBCaFFEzSNI8I8vGyArMk8Ja72clBq3kMpUz/pLBP0qDrjblKDoWkU=,iv:ZW98hJy8A5t4Oxtu17R3tM7gou183VLbgBsHA8LFuJY=,tag:VMOvQz3X/XDylV1YFg2Jsg==,type:str]
 sops:
     age:
-        - recipient: age1x28hmzvuv6f2n66c0jtqcca3h9rput8d7j5uek6jcpx8n9egd52sqpejq0
+        - recipient: age102e6y8gah0ntr6fxqnkpepc8ar29p6ls7ks9ka7v8w87q8scm9yqmc2u8d
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIRm5XY3kydDJSRUYrcmRk
-            K21WUEZSSEpYOHFrVkFyOVJYYnRUSU1aYkV3CkVEUllvUm0wZjlmOFU0VSt3OStL
-            Tmdkc3JHRWplS3lnQWlkT3ROVkxkVUEKLS0tIFRJRkFEeE15Q3A1Z24wQzNlbUx1
-            a2tmd21zSWUzbmw5NDdSRUVDcmVwbHcKn+DJ1PnlQApX8fwJoN9DtMqeKzoih6Hr
-            sSh2z6rsTj1UmXocbBm1SduattqZFjvO5XGpp25mM9ZBlpcnVjB/hg==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyTWRSM3IwMmxtTmZVcCsw
+            OUhlakxHZzgrSEhEdUZFTXE1anNjQ2wvdkZFCnB6S1l3TXQ3ZGFYWmtYM1cwMFZT
+            V2UrTkk0Z1BVQ1U2N1hsaTc5NjFsVUEKLS0tIGZYV041M01DYndQWUNCVGxUVXZa
+            YlltQ3FBU3RBYUx4TnNPRk1SUWNqZG8KAJjc09x553ncaWduGLsnIHdroaOmMasP
+            /fq0GzW6UNfmE2rQ6qrQti21B37/sN0WMLCSPLUPG45kBgx20GG4hQ==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1ug30gg4y7ftuya0wdv7q0vh4egn00wlv2th7mt7cgc2ze46wmvyq9lq6ge
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVaEdlWnJCdHVpM0ZHTlJj
-            WmNrQnIxYmxmWlJ4Z29WKytHd1plUURPSDBFCnBHU1MyMS9FNnRCMmJ6Ymd4UWcr
-            RGV6QmhrbDFObDM1MW1NdTdDU3ZIVU0KLS0tIEtBR01OOVdITExFcUN1dHEyaklD
-            TVFnZXRva3FUZjcxYlRuQnpFTDhpZzQKxZM0ZB6dVwFr5QkT6YmEA+3RhhsX0pl4
-            SolLZXFal1BluDERtZ2Clb5VzrcV3PUfFo8Yx6ncFjcisyFXUHVnYg==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTOWFvcFFzc1lmNVdmV3lX
+            cVVLNHowcGdENzI5UUJLZTNSMHhjNlI2c0FnCmdwOS9oL1kwTnhwbXRodWxxWVE3
+            TEtzVmMyN0lkdDBPNzhSR0J6SVhwM3MKLS0tIHhSOFA2TEdMdEd5TlpJb3h0N2xr
+            eDVwd2dKMG9FRW1OY1pyUkhLeWw3b0EKtJpsQ/Ss39ZLiRNqUhn8sdB3hpQy7Syv
+            ererqhMkqmDugGEHPk6KpZuj7DVSK1di7JgA2qZOUPzI7UpxjaC0Kg==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1mrnldl334l2nszuta6ywvewng0fswv2dz9l5g4qcwe3nj4yxf92qjskdx6
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvYmNZSTBrUzg5d3NPSHhM
-            Z2s4KzlVZldKVitmL3RFNHFiQnJlcmlCS3k0CkZ4YlBvbW1DTzEzRTZMUVBOWDNT
-            SHQwcTBQL0NQbXA3WHVZcFhjZW5ZeE0KLS0tIHU2TVErZ0I0dGRuTGIzZkVoeDJC
-            MHJkcXlGdFN2Y1p4Q08rT0phODlLOVEKhSEO8hUZ0d3SA1tFvXN2HuZR35SRzhUq
-            +J3eN/qUBu0LcuiBq+qbGYIAHggXy9ZSGCGfrNw35czzGpzfbK/fwQ==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOQU1iVXRkQmo4b3F1Vngz
+            S0pkNkVFR1FUb1djdmI0eHh3V3BBTDJTSTJZClA0S0Z0cTdFRmRaOEZQdHQzdGZ3
+            SC9HRkF3eHQ3MHh6VUFiTW1MZmZoQ2sKLS0tIGlXcWtCczBuOXZBTE9IcVQ1aFJz
+            REdjRFZyY2pNdEd6cmgvQisyVDhLUEkKRItJ0CGbzlEB5RNAyem4feMVhTfcLef3
+            QIqltZ2l4LLexnkECi3FCJZHxrbUa+/RF6p1DsueUw7LLUnOcphB9A==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1hmpdk4h69wxpwqk9tkud39f66hprhehxtzhgw97r6dvr7v0mx5jscsuhkn
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhdDBxd3J5MWZ0R1IwVWRw
-            cklOOENFM2R4Q01JdFd2cDZCQ2pSTGNucmhrClgra0tCSGdqZExLbWNoaDZkSzJD
-            aDc3YXdOZi9jMDdwc1duTWdKbEdUVDgKLS0tIGxKbTYzRnAyRVlwbUxGS3JySFJS
-            VXNrSldhMDV4V2preEJ3ZDk5UlZ1YzgK8K2R4LETFFKpUZVdofJoE6eXw/tlz3+9
-            k0iXQX6zMj1uSDmenjztU04FIfRxzIur5xifd8hCJnWmxlOCFDqLag==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvZTBpaWM0c1hmODBaK0Iw
+            bmp1NzRacklXMHU0K2J2d0g5ajBiNlRNWGhRCm1DOWI0cm5BdTdlNmFzM2JVekNk
+            U0VnQmJKMU9ZczZBN0o3czAxOXc4TkkKLS0tIDA1aFRsS3VHdmFtUDY3S25qK01p
+            U0ZCT2toZ1ZMZ3E0bXRhSTQvNGFWNVkKhxfQDIDe2LQW7OMBJv0J267AW1wI32df
+            ZQxd657TEqzm7i19azrCS0jyRbfj2MYzEJAtTGiGZaNC9uKDFzBhKw==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1wrssr4z4g6vl3fd3qme5cewchmmhm0j2xe6wf2meu4r6ycn37anse98mfs
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPc2dCdGNSeWo4RkovV1Vn
-            ckRYYW1xZldjVDRuSjM4elQyRVFROWduL1QwCmNSVzk3aG90MHNWZWlzVDg5RE55
-            L3JKODZlMDJudTZYNGVNQldaNEhPcjQKLS0tIE41dDYxWE84Wk9XbG9iMUhpMHBu
-            VlJZM1VMYkRkQXNlSVVoT3RYZXRaRU0KqqIjxe05oO67IUt/LMIYsUAaZw1qQFNv
-            mmVu5GvHdpSrp3PttxlZC7OiP84Jzj7zM/idj0wBIeVCWedWO59aKQ==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmRlJROHRKb21YUnlicmc1
+            MlptQllEcXFhajNKS1krMDdUMWk5QWo4eVJBCndGSlhXS1Vaa2RSTllIcmF1ZVpl
+            V28wUGpPVE04Q3VPdzFYdlNpdXBPWHMKLS0tIGJLNStURVJ2NkZKNHVURXh3SjBL
+            TE41aFdjU0h0ekQ2Zjg4Z3VQVjFWcnMK6zjSalqeYjyc4NH6nOeghlhYJydrz4pM
+            N5ZcXjRbrIVFdhbYnvQGKvGKZm0kK6vjzBjdT7BM6ctr8cq/qrz1xQ==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1zhxul786an743u0fascv4wtc5xduu7qfy803lfs539yzhgmlq5ds2lznt5
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHL3RId3Q4SGJkYjM5STJu
-            ZU9BbkgxaXdva3g5ek1hZUF5YWcvZHI5c0VRClhLazhueTRLU2N0T2c2REllT0R1
-            LzFrdDdiVVhLQ3BPdkwvVTg1RjdscG8KLS0tIHRYTmg4NFF2c2FpVHphUFdqWmhH
-            TFNhSDNUMEo0Z05mbmlwRUs5VHhUWHMKJUCyLDJx2voDttv4UrpFKYyNz+HhtyFj
-            X3OrNbmJQYuNpq4hzQs7jN5UD/4YCtFi9mb5pmFr8MTHLb6UsZN++A==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIRXpBa2tYc2xEeldub0VK
+            bkFwOFdlUGRZM0FVT0tyUW1RWnl0TjRUTUh3CnZlMC92MU1hRW1yZU1NSUdoUEZh
+            YmhHN3pjd0lhOXk3KzFqRVhaU2IvWFUKLS0tIGxVRGNmZmd1QS9sc0NMVFZMNGVB
+            aXFQWlNVQ2laVm1ETStRemNZRXc3TUEKlPYSU3gp67dsPfbEJkru4ieMvspC7+pu
+            rfp315HLyj1FGhrA8f2qOxE/PYI2rn0yKm80KffWBV7ylX/uonm4Fg==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1sqs7urnzsdy64efmd0zukzv3gs5pnjksuxd7nqmdwdy5l0nqnunq6hyune
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKNzZ4Y2U2NXpXWHA3Y3Zw
-            S1BKbTNXaGxRaE55QkZNSFV6b3VURFBXWlEwCmpJUjM3VVJRc0dwdjFLOGdQQTlz
-            a0hVUC9tSXNDQ3NyTnlnVlNNalFOZmcKLS0tIFNXYThsRHd2eUQyOGtVT1RLaTdR
-            RmlST2JZS2gwbDBpZ2xMblpWNzB5ZWcKTkKF9aonrBMolxqcj9a5d9JLoCj229KU
-            It2KjhlzBcgcJUIiIPWMoV9VbEpKkTsCLkWxFSLle++ryOUYh3kgaA==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsaTEzOFBEeG9LVThSVmQ5
+            VXBoaFpueFRCbFJ1akE4RWc1aE1HUmVGcXdZCjFnbU0wd2drazNsTmNBMHNuOFhO
+            b21MZmNPSVNDU2RycEtXTys1V3BVVVEKLS0tIG5oc0VoTXlzeVh3b2NjcFl6WE9U
+            dC9meDZlc3d3aUJEVjc4REF0Y1BLcGcK79LbJzc5KVgEgyJR11crGuX8YcVoJBbT
+            Fin7Zoon06L7qx0Zw5u27wV7RKMnYT7hOMiWs6660ZTLcYJ5M1aEZQ==
             -----END AGE ENCRYPTED FILE-----
     lastmodified: "2025-03-16T20:08:18Z"
     mac: ENC[AES256_GCM,data:C2tpWppc13jKJq5d4nmAKQOaNWHm27TKwxAxm1fi2lejN1lqUaoz5bHfTBA7MfaWvuP5uZnfbtG32eeu48mnlWpo58XRUFFecAhb9JUpW9s5IR3/nbzLNkGU7H5C0oWPrxI4thd+bAVduIgBjjFyGj1pe6J9db3c0yUWRwNlwGU=,iv:YpoQ4psiFYOWLGipxv1QvRvr034XFsyn2Bhyy39HmOo=,tag:ByiCWygFC/VokVTbdLoLgg==,type:str]
     pgp:
-        - created_at: "2026-01-16T06:34:50Z"
+        - created_at: "2026-05-20T17:35:58Z"
           enc: |-
             -----BEGIN PGP MESSAGE-----
 
-            hQIMA0av/duuklWYARAAgrn0irD12kqDfIEvpLpa0Ys/hMG9GwCMeU186iFfJ193
-            72UVEzx2GwIfSt0qQlpBFZtueL9Bb7ka81IrqhAepq8J5//WxEGvv6H9aIm8V7ov
-            ZkS4eZpFksu0ZRFP5HWQvEQwRKj8WxYQY/TS/5QGNSPeHOZYnpQcBhAVLjn9Uj/O
-            6ojnIVoKxDdo235fuDQdiLwCpPXsKi2OQuSFOwq7Acg/fm1pvc76h9dqr5DqrspZ
-            c3stdbYwVOedgYjRrdSYpkplGSqNeVtYYJ3apdauMSRNaKmgMwbkxkzXO9YrWASa
-            beYilvhNgr0rnQB617IhgBZrgik9CvqrqGZqim0fWI+s4bcbgfvK8UORt4+QgJjO
-            FPqAtVE6sNGzElKQ6ZZPWZoXeK7vfIfxwxU+oLcijAnUmLy88zqIUjUZKzmyhDZa
-            YAAwxBL1nh+UzIbn4GGeVbYHLbKJ6XnznF7zfTWph6GbeFfdWuaSwxmnGjE6n1y2
-            ye3GQaW2aeq7RKoqyLJO3oIHyGHZXFe4pB4adz60uKNPJz47/gtA5OofNs0qbxqQ
-            Dp5fmrvZZtDa/TYIV9o1bSp7cYk49TGKHPbX7tLjEIIfRxd4y6rYgwNpPdukjZsk
-            bbdxypWrJkMx+9xk84DGo3e+RY738JgLjc0ylDO+pIzThUruBOcDjUKeGNmVQYnS
-            XAGofG3JSI97wFdYOB+4yoYPqs5rovgPbkGGuT5SBIxH5zVv3X+SE4wCGu3CLFC4
-            A4cdwXmuERPxszVZW+V8CSGq9XnH/OzrpiWVhzqXCRH03F2BmnAx9Fp/zMTH
-            =DooK
+            hQIMA0av/duuklWYAQ/+ONarLX0spY0m0iLGEp4Qe9YcfKrf4G0QLbiYMW8Bko7M
+            iV5PSn4MeDlu5vIkNy1vbYqN2kCQZJDNtirtVqggoq+h/lEvXlkgmkJXeMnnVugy
+            xJZCG1SnGnx9BD/tWaFZp4IY9m8sQtEqcpQIvitQTCgovdWPb7NddlDaHbn4R95t
+            SeTZxnxT2MCYiGHyESMrdy8JEFER81O4XIGuccBV4GyoDcEAxDD7PXf7Y5YlwUQk
+            /sQ3awgsy1WJF4YzQ4zCvK8dO4meiD6asEijQEXNTyrXrkkIX6pS14l9HLzg8HLT
+            ZLelRyCYeIGEPyEJtbBKxMEu28SAmCMESCdLImqz3RnT0Z6QV1Z+DqAPck3aij2v
+            VCeJZgK7tmjuusThzi0ymSb0tC14JS7eK/BNGIvVK/41TlzI0qBeA1yYf8Fdtsqt
+            7OGfCR7aUdBn7yweGuo9L9eHRFiJvoB9tNiPnw7rdr/SrptL0ovsML7m1nvg6mO1
+            os1JCL5E6u7d6cGbqaTmjwKLhvNuI1keJoVGtlOYt95tfEAwWeuG2ML6wJ6u6oJ4
+            WAw/g5Tqb4jeLpcgw8iclhK5JzAL9Uz3G95VXkS6CcTrOfQfvIJHxs5JtsxFC98l
+            xMgnMY4SNQ6sHAHZ+6Wku8X+lnZ0uKZkYlRqpH95/VTp+I6QpuqydIOeZ+ILn+jS
+            XAHa6CahC07yA93g8kgTeMhI3ezqOQD0gYnY3QROX5kKVD/bNu3JwNTprO5b/kRK
+            2Ehg8D0wdaJ9OM+pShGyf6CK5wVBvSq2VQHKxjEIifi62RYtUvnf+sx/ob9h
+            =9nB8
             -----END PGP MESSAGE-----
           fp: F7D37890228A907440E1FD4846B9228E814A2AAC
     unencrypted_suffix: _unencrypted

topology/default.nix

@@ -176,26 +176,6 @@ in {
     interfaces.ens18.network = "pvv";
   };
 
-  nodes.ustetind = {
-    guestType = "proxmox LXC";
-    parent = config.nodes.powerpuff-cluster.id;
-
-    # TODO: the interface name is likely wrong
-    # interfaceGroups = [ [ "eth0" ] ];
-    interfaces.eth0 = {
-      network = "pvv";
-      # mac = "";
-      addresses = [
-        "129.241.210.234"
-        "2001:700:300:1900::234"
-      ];
-      gateways = [
-        values.hosts.gateway
-        values.hosts.gateway6
-      ];
-    };
-  };
-
   ### PVV
 
   nodes.ntnu-veggen = mkRouter "NTNU-Veggen" {

values.nix

@@ -73,10 +73,6 @@ in rec {
       ipv4 = pvv-ipv4 233;
       ipv6 = pvv-ipv6 "4:233";
     };
-    ustetind = {
-      ipv4 = pvv-ipv4 234;
-      ipv6 = pvv-ipv6 234;
-    };
     skrot = {
       ipv4 = pvv-ipv4 237;
       ipv6 = pvv-ipv6 237;
@@ -86,10 +82,10 @@ in rec {
       ipv6 = pvv-ipv6 167;
     };
     gluttony = {
-      ipv4 = "129.241.100.118";
-      ipv4_internal = "192.168.20.77";
-      ipv4_internal_gw = "192.168.20.1";
-      ipv6 = "2001:700:305:aa07::3b3";
+      ipv4 = "129.241.100.37";
+      ipv4_internal = "192.168.1.219";
+      ipv4_internal_gw = "192.168.1.1";
+      ipv6 = "2001:700:305:8a0f:f816:3eff:fe9b:7a46";
     };
     wenche = {
       ipv4 = pvv-ipv4 240;