base/resolved: use RFC42 format

update keys

.sops.yaml

@@ -12,7 +12,7 @@ keys:
   # Hosts
   - &host_bekkalokk age12nj59tguy9wg882updc2vjdusx5srnxmjyfaqve4zx6jnnsaw3qsyjq6zd
   - &host_bicep age19nk55kcs7s0358jpkn75xnr57dfq6fq3p43nartvsprx0su22v7qcgcjdx
-  - &host_ildkule age1x28hmzvuv6f2n66c0jtqcca3h9rput8d7j5uek6jcpx8n9egd52sqpejq0
+  - &host_ildkule age102e6y8gah0ntr6fxqnkpepc8ar29p6ls7ks9ka7v8w87q8scm9yqmc2u8d
   - &host_kommode age1mt4d0hg5g76qp7j0884llemy0k2ymr5up8vfudz6vzvsflk5nptqqd32ly
   - &host_lupine-1 age18lta9d683yekz487xwtd99da236d8mgk4ftlmv2jffx858p9qf2s9j868l
   - &host_lupine-2 age1e0a4ru707v637wzmuxqv0xywmlkhunzgyfy4mrkjc7a23qq8msgq7nqtvt

README.md

@@ -39,6 +39,7 @@ revert the changes on the next nightly rebuild (tends to happen when everybody i
 |  bikkje                    | Virtual  | Experimental login box                                    |
 | [brzeczyszczykiewicz][brz] | Physical | Shared music player                                       |
 | [georg][geo]               | Physical | Shared music player                                       |
+| [gluttony][glu]            | Virtual  | General purpose compute                                   |
 | [ildkule][ild]             | Virtual  | Logging and monitoring host, prometheus, grafana, ...     |
 | [kommode][kom]             | Virtual  | Gitea + Gitea pages                                       |
 | [lupine][lup]              | Physical | Gitea CI/CD runners                                       |
@@ -57,6 +58,7 @@ revert the changes on the next nightly rebuild (tends to happen when everybody i
 [bic]: https://wiki.pvv.ntnu.no/wiki/Maskiner/bicep
 [brz]: https://wiki.pvv.ntnu.no/wiki/Maskiner/brzęczyszczykiewicz
 [geo]: https://wiki.pvv.ntnu.no/wiki/Maskiner/georg
+[glu]: https://wiki.pvv.ntnu.no/wiki/Maskiner/gluttony
 [ild]: https://wiki.pvv.ntnu.no/wiki/Maskiner/ildkule
 [kom]: https://wiki.pvv.ntnu.no/wiki/Maskiner/kommode
 [lup]: https://wiki.pvv.ntnu.no/wiki/Maskiner/lupine

base/default.nix

@@ -23,6 +23,7 @@
     ./services/acme.nix
     ./services/auto-upgrade.nix
     ./services/dbus.nix
+    ./services/fluentbit.nix
     ./services/fwupd.nix
     ./services/irqbalance.nix
     ./services/journald-upload.nix
@@ -33,7 +34,6 @@
     ./services/postfix.nix
     ./services/prometheus-node-exporter.nix
     ./services/prometheus-systemd-exporter.nix
-    ./services/promtail.nix
     ./services/roowho2.nix
     ./services/smartd.nix
     ./services/thermald.nix
@@ -77,15 +77,13 @@
   '';
 
   # These are servers, sleep is for the weak
-  systemd.sleep.extraConfig = lib.mkDefault ''
-    AllowSuspend=no
-    AllowHibernation=no
-  '';
+  systemd.sleep.settings.Sleep = {
+    AllowSuspend = lib.mkDefault false;
+    AllowHibernation = lib.mkDefault false;
+  };
 
   # users.mutableUsers = lib.mkDefault false;
 
-  users.users.root.initialHashedPassword = "$y$j9T$ahP6GAdttD17OMBo7Yqeh.$Ad7qBcFvTL7HrJ9uTtrQzksN3220Nj9t/CrP6DwgK34"; # generated using mkpasswd, see huttiheita root on vaultwarden
-
   users.groups."drift".name = "drift";
 
   # Trusted users on the nix builder machines

base/hardening.nix

@@ -7,7 +7,13 @@
     "ax25"
     "batman-adv"
     "can"
+    "dccp"
+    "ipx"
+    "llc"
+    "n-hdlc"
     "netrom"
+    "p8022"
+    "p8023"
     "psnap"
     "rds"
     "rose"
@@ -23,7 +29,6 @@
     "cramfs"
     "efs"
     "exofs"
-    "orangefs"
     "freevxfs"
     "gfs2"
     "hfs"
@@ -35,10 +40,12 @@
     "nilfs2"
     "ntfs"
     "omfs"
+    "orangefs"
     "qnx4"
     "qnx6"
     "sysv"
     "ubifs"
+    "udf"
     "ufs"
 
     # Legacy hardware

base/mitigations.nix

@@ -1,17 +1,24 @@
-{ ... }:
+{ pkgs, lib, ... }:
+let
+  modulesToBan = [
+    # copy.fail
+    "af_alg"
+    "algif_aead"
+    "algif_hash"
+    "algif_rng"
+    "algif_skcipher"
 
+    # dirtyfrag / Fragnesia
+    "esp4"
+    "esp6"
+    "rxrpc"
+
+    # PinTheft
+    "rds"
+  ];
+in
 {
-  boot.blacklistedKernelModules = [
-  "rxrpc" # dirtyfrag
-  "esp6" # dirtyfrag
-  "esp4" # dirtyfrag
-];
-boot.extraModprobeConfig = ''
-  # dirtyfrag
-  install esp4 /bin/false
-  # dirtyfrag
-  install esp6 /bin/false
-  # dirtyfrag
-  install rxrpc /bin/false
-'';
+  boot.blacklistedKernelModules = modulesToBan;
+
+  boot.extraModprobeConfig = lib.concatMapStringsSep "\n" (mod: "install ${mod} ${lib.getExe' pkgs.coreutils "false"}") modulesToBan;
 }

base/networking.nix

@@ -8,6 +8,6 @@
 
   services.resolved = {
     enable = lib.mkDefault true;
-    dnssec = "false"; # Supposdly this keeps breaking and the default is to allow downgrades anyways...
+    settings.Resolve.DNSSEC = false; # Supposdly this keeps breaking and the default is to allow downgrades anyways...
   };
 }

base/services/acme.nix

@@ -8,5 +8,6 @@
   # Let's not spam LetsEncrypt in `nixos-rebuild build-vm` mode:
   virtualisation.vmVariant = {
     security.acme.defaults.server = "https://127.0.0.1";
+    users.users.root.initialPassword = "root";
   };
 }

base/services/fluentbit.nix

@@ -0,0 +1,135 @@
+{ config, lib, ... }:
+let
+  cfg = config.services.fluent-bit;
+in
+{
+  services.fluent-bit = {
+    enable = lib.mkDefault true;
+    settings = {
+      service = {
+        flush = 1;
+        log_level = "warn";
+
+        http_server = "on";
+        http_listen = "127.0.0.1";
+        http_port = 28183;
+
+        # filesystem-backed buffering so logs survives potential outages.
+        "storage.path" = "/var/lib/fluent-bit/storage";
+        "storage.sync" = "normal";
+        "storage.max_chunks_up" = 64;
+        "storage.backlog.mem_limit" = "16M";
+      };
+
+      pipeline = {
+        inputs = [{
+          name = "systemd";
+          tag = "journal.*";
+
+          db = "/var/lib/fluent-bit/journal.db";
+          read_from_tail = true;
+          strip_underscores = true;
+          lowercase = true;
+          max_entries = 1000;
+          "storage.type" = "filesystem";
+        }];
+
+        filters = [{
+          name = "modify";
+          match = "journal.*";
+          rename = [
+            "hostname host"
+            "priority level"
+            "systemd_unit unit"
+          ];
+        }] ++ (lib.mapAttrsToList (k: v: {
+          name = "modify";
+          match = "journal.*";
+          condition = "Key_value_equals level ${k}";
+          set = "level ${v}";
+        }) {
+          "7" = "debug";
+          "6" = "info";
+          "5" = "notice";
+          "4" = "warning";
+          "3" = "error";
+          "2" = "crit";
+          "1" = "alert";
+          "0" = "emergency";
+        });
+
+        outputs = [{
+          name = "loki";
+          match = "*";
+
+          host = "ildkule.pvv.ntnu.no";
+          port = 3100;
+          uri = "/loki/api/v1/push";
+          compress = "gzip";
+
+          labels = lib.concatStringsSep ", " [
+            "job=systemd-journal"
+          ];
+          label_keys = lib.concatMapStringsSep "," (k: "$" + k) [
+            "host"
+            "unit"
+            "level"
+          ];
+
+          # JSON is probably fine for now, then we just extract the keys we want with the grafana web ui
+          # line_format = "key_value";
+          # drop_single_key = true;
+
+          "storage.total_limit_size" = "256M";
+        }];
+      };
+    };
+  };
+
+  systemd.services.fluent-bit = lib.mkIf cfg.enable {
+    serviceConfig = {
+      StateDirectory = "fluent-bit";
+
+      # NOTE: This hardening might be way too strong for general purpose use, don't upstream this.
+      AmbientCapabilities = [ "" ];
+      CapabilityBoundingSet = [ "" ];
+      DeviceAllow = [ "" ];
+      LockPersonality = true;
+      # Lua JIT, maybe other things
+      MemoryDenyWriteExecute = false;
+      NoNewPrivileges = true;
+      PrivateDevices = true;
+      PrivateMounts = true;
+      PrivateTmp = true;
+      PrivateUsers = true;
+      ProtectClock = true;
+      ProtectControlGroups = true;
+      ProtectHome = true;
+      ProtectHostname = true;
+      ProtectKernelLogs = true;
+      ProtectKernelModules = true;
+      ProtectKernelTunables = true;
+      ProtectProc = "invisible";
+      ProtectSystem = "strict";
+      RestrictAddressFamilies = [
+        "AF_INET"
+        "AF_INET6"
+        "AF_UNIX"
+      ];
+      RestrictNamespaces = true;
+      RestrictRealtime = true;
+      RestrictSUIDSGID = true;
+      SystemCallArchitectures = "native";
+      SystemCallFilter = [
+        "@system-service"
+        "~@privileged"
+        "~@resources"
+      ];
+      UMask = "0077";
+
+      BindReadOnlyPaths = [
+        "/run/systemd/journal"
+      ];
+    };
+  };
+}

base/services/promtail.nix

@@ -1,38 +0,0 @@
-{ config, lib, values, ... }:
-let
-  cfg = config.services.prometheus.exporters.node;
-in
-{
-  services.promtail = {
-    enable = lib.mkDefault true;
-    configuration = {
-      server = {
-        http_listen_port = 28183;
-        grpc_listen_port = 0;
-      };
-      clients = [{
-        url = "http://ildkule.pvv.ntnu.no:3100/loki/api/v1/push";
-      }];
-      scrape_configs = [{
-        job_name = "systemd-journal";
-        journal = {
-          max_age = "12h";
-          labels = {
-            job = "systemd-journal";
-            host = config.networking.hostName;
-          };
-        };
-        relabel_configs = [
-          {
-            source_labels = [ "__journal__systemd_unit" ];
-            target_label = "unit";
-          }
-          {
-            source_labels = [ "__journal_priority_keyword" ];
-            target_label = "level";
-          }
-        ];
-      }];
-    };
-  };
-}

flake.nix

@@ -228,12 +228,6 @@
           ];
         };
 
-        ustetind = stableNixosConfig "ustetind" {
-          modules = [
-            "${nixpkgs}/nixos/modules/virtualisation/lxc-container.nix"
-          ];
-        };
-
         brzeczyszczykiewicz = stableNixosConfig "brzeczyszczykiewicz" {
           modules = [
             inputs.grzegorz-clients.nixosModules.grzegorz-webui

hosts/bicep/services/matrix/livekit.nix

@@ -64,4 +64,11 @@ in
       '';
     };
   };
+
+  networking.firewall.allowedUDPPortRanges = [
+    {
+      from = cfg.settings.rtc.port_range_start;
+      to = cfg.settings.rtc.port_range_end;
+    }
+  ];
 }

hosts/bicep/services/postgresql/cleanup-timers.nix

@@ -0,0 +1,37 @@
+{ config, lib, pkgs, ... }:
+let
+  cfg = config.services.postgresql;
+in
+{
+  config = lib.mkIf cfg.enable {
+    systemd.services = {
+      postgresql-repack = {
+        requires = [ "postgresql.service" ];
+        after = [ "postgresql.target" ];
+        description = "Repack all PostgreSQL databases";
+        startAt = "Mon 06:00:00";
+        serviceConfig = {
+          Type = "oneshot";
+          User = "postgres";
+          Group = "postgres";
+
+          ExecStart = "${lib.getExe cfg.package.pkgs.pg_repack} --host=/run/postgresql --no-kill-backend --wait-timeout=30 --all";
+        };
+      };
+
+      postgresql-vacuum-analyze = {
+        requires = [ "postgresql.service" ];
+        after = [ "postgresql.target" ];
+        description = "Vacuum and analyze all PostgreSQL databases";
+        startAt = "Tue 06:00:00";
+        serviceConfig = {
+          Type = "oneshot";
+          User = "postgres";
+          Group = "postgres";
+
+          ExecStart = "${lib.getExe' cfg.package "psql"} --port=${builtins.toString cfg.settings.port} -tAc 'VACUUM ANALYZE'";
+        };
+      };
+    };
+  };
+}

hosts/bicep/services/postgresql/default.nix

@@ -3,11 +3,15 @@ let
   cfg = config.services.postgresql;
 in
 {
-  imports = [ ./backup.nix ];
+  imports = [
+    ./backup.nix
+    ./cleanup-timers.nix
+  ];
 
   services.postgresql = {
     enable = true;
     package = pkgs.postgresql_18;
+    extensions = ps: with ps; [ pg_repack ];
     enableTCPIP = true;
 
     authentication = ''

hosts/gluttony/hardware-configuration.nix

@@ -22,7 +22,7 @@
     "sd_mod"
   ];
   boot.initrd.kernelModules = [ "dm-snapshot" ];
-  boot.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" ];
   boot.extraModulePackages = [ ];
 
   fileSystems."/" = {
@@ -31,7 +31,7 @@
   };
 
   fileSystems."/boot" = {
-    device = "/dev/disk/by-uuid/933A-3005";
+    device = "/dev/disk/by-uuid/BD97-FCA0";
     fsType = "vfat";
     options = [
       "fmask=0077"

hosts/ildkule/hardware-configuration.nix

@@ -1,4 +1,4 @@
-# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# Do not modify this file!  It was generated by 'nixos-generate-config'
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 { config, lib, pkgs, modulesPath, ... }:

hosts/ildkule/services/monitoring/prometheus/default.nix

@@ -21,6 +21,7 @@ in {
 
   fileSystems."/var/lib/prometheus2" = {
     device = stateDir;
+    fsType = "bind";
     options = [ "bind" ];
   };
 }

hosts/ildkule/services/monitoring/prometheus/machines.nix

@@ -27,7 +27,6 @@ in {
       (mkHostScrapeConfig "lupine-4" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
       (mkHostScrapeConfig "lupine-5" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
       (mkHostScrapeConfig "temmie" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
-      (mkHostScrapeConfig "ustetind" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
       (mkHostScrapeConfig "wenche" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
 
       (mkHostScrapeConfig "hildring" [ defaultNodeExporterPort ])

hosts/ildkule/services/monitoring/uptime-kuma.nix

@@ -21,6 +21,7 @@ in {
 
   fileSystems."/var/lib/uptime-kuma" = {
     device = stateDir;
+    fsType = "bind";
     options = [ "bind" ];
   };
 }

hosts/kommode/services/gitea/default.nix

@@ -226,7 +226,7 @@ in {
         # Logs are stored in the systemd journal
         skip-log = true;
       };
-    in lib.mkForce "${lib.getExe cfg.package} ${args}";
+    in lib.mkForce "${lib.getExe cfg.package} dump ${args}";
 
     # Only keep n backup files at a time
     postStop = let

hosts/lupine/hardware-configuration/lupine-1.nix

@@ -1,4 +1,4 @@
-# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# Do not modify this file!  It was generated by 'nixos-generate-config'
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 { config, lib, pkgs, modulesPath, ... }:

hosts/lupine/hardware-configuration/lupine-3.nix

@@ -1,4 +1,4 @@
-# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# Do not modify this file!  It was generated by 'nixos-generate-config'
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 { config, lib, pkgs, modulesPath, ... }:

hosts/lupine/hardware-configuration/lupine-5.nix

@@ -1,4 +1,4 @@
-# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# Do not modify this file!  It was generated by 'nixos-generate-config'
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 { config, lib, pkgs, modulesPath, ... }:

hosts/ustetind/configuration.nix

@@ -1,40 +0,0 @@
-{ config, fp, pkgs, lib, values, ... }:
-
-{
-  imports = [
-    (fp /base)
-
-    ./services/gitea-runners.nix
-  ];
-
-  boot.loader.systemd-boot.enable = false;
-
-  networking.useHostResolvConf = lib.mkForce false;
-
-  systemd.network.networks = {
-    "30-lxc-eth" = values.defaultNetworkConfig // {
-      matchConfig = {
-        Type = "ether";
-        Kind = "veth";
-        Name = [
-          "eth*"
-        ];
-      };
-      address = with values.hosts.ustetind; [ (ipv4 + "/25") (ipv6 + "/64") ];
-    };
-    "40-podman-veth" = values.defaultNetworkConfig // {
-      matchConfig = {
-        Type = "ether";
-        Kind = "veth";
-        Name = [
-          "veth*"
-        ];
-      };
-      DHCP = "yes";
-    };
-  };
-
-  # Don't change (even during upgrades) unless you know what you are doing.
-  # See https://search.nixos.org/options?show=system.stateVersion
-  system.stateVersion = "24.11";
-}

hosts/ustetind/services/gitea-runners.nix

@@ -1,41 +0,0 @@
-{ config, lib, values, ... }:
-let
-  mkRunner = name: {
-    # This is unfortunately state, and has to be generated one at a time :(
-    # To do that, comment out all except one of the runners, fill in its token
-    # inside the sops file, rebuild the system, and only after this runner has
-    # successfully registered will gitea give you the next token.
-    # - oysteikt Sep 2023
-    sops.secrets."gitea/runners/${name}".restartUnits = [
-      "gitea-runner-${name}.service"
-    ];
-
-    services.gitea-actions-runner.instances = {
-      ${name} = {
-        enable = true;
-        name = "git-runner-${name}"; url = "https://git.pvv.ntnu.no";
-        labels = [
-          "debian-latest:docker://node:current-bookworm"
-          "ubuntu-latest:docker://node:current-bookworm"
-        ];
-        tokenFile = config.sops.secrets."gitea/runners/${name}".path;
-      };
-    };
-  };
-in
-lib.mkMerge [
-  (mkRunner "alpha")
-  (mkRunner "beta")
-  (mkRunner "epsilon")
-  {
-    virtualisation.podman = {
-      enable = true;
-      defaultNetwork.settings.dns_enabled = true;
-      autoPrune.enable = true;
-    };
-
-    networking.dhcpcd.IPv6rs = false;
-
-    networking.firewall.interfaces."podman+".allowedUDPPorts = [53 5353];
-  }
-]

packages/mediawiki-extensions/default.nix

@@ -12,7 +12,7 @@ let
     name
   , commit
   , hash
-  , tracking-branch ? "REL1_44"
+  , tracking-branch ? "REL1_45"
   , kebab-name ? kebab-case-name name
   , fetchgit ? pkgs.fetchgit
   }:
@@ -33,63 +33,63 @@ in
 lib.mergeAttrsList [
   (mw-ext {
     name = "CodeEditor";
-    commit = "2db9c9cef35d88a0696b926e8e4ea2d479d0d73a";
-    hash = "sha256-f0tWJl/4hml+RCp7OoIpQ4WSGKE3/z8DTYOAOHbLA9A=";
+    commit = "af7e82f24ba4b68393712fece6f1b5fa4bb049ec";
+    hash = "sha256-XT8E4O6MEZYHSs6Q+A/dfYaUvJ4kY13Kd/cq30dA5NA=";
   })
   (mw-ext {
     name = "CodeMirror";
-    commit = "b16e614c3c4ba68c346b8dd7393ab005ab127441";
-    hash = "sha256-J/TJPo5Oxgpy6UQINivLKl8jzJp4k/mKv6br3kcCSMQ=";
+    commit = "f06dfd40a08562a841ddf11b4ae3444ef06c98c7";
+    hash = "sha256-5zXkBjOwFdoQezkPRJ2AcBZLZEEpGG6FawO2K3KzllI=";
   })
   (mw-ext {
     name = "DeleteBatch";
-    commit = "1b947c0f80249cf052b58138f830b379edf080bc";
-    hash = "sha256-629RCz+38m2pfyJe/CrYutRoDyN1HzD0KzDdC2wwqlI=";
+    commit = "9bc75a753efefedfc88c598fb01f18a7e4b61f00";
+    hash = "sha256-1xA758fsvoioN9xuq0hRqZKtPXMQViVLtuRINDtowdk=";
   })
   (mw-ext {
     name = "PluggableAuth";
-    commit = "56893b8ee9ecd03eaee256e08c38bc82657ee0a1";
-    hash = "sha256-gvoJey7YLMk+toutQTdWxpaedNDr59E+3xXWmXWCGl0=";
+    commit = "64133683b73d8eeea8069fe7ed9cb7237fd5c212";
+    hash = "sha256-wqpfgVLenZp6XC510nrsrbvK1IMEPcWVYq5YuAOt5+c=";
   })
   (mw-ext {
     name = "Popups";
-    commit = "6732d8d195bd8312779d8514e92bad372ef63096";
-    hash = "sha256-XZzhA9UjAOUMcoGYYwiqRg2uInZ927JOZ9/IrZtarJU=";
+    commit = "f74a8639f57232898978d9f3792293eb2d370e40";
+    hash = "sha256-uunUtN3M/ksW/kcbeIzDVTdb1P/PHTeTwaTsvspMLko=";
   })
   (mw-ext {
     name = "Scribunto";
-    commit = "fc9658623bd37fad352e326ce81b2a08ef55f04d";
-    hash = "sha256-P9WQk8O9qP+vXsBS9A5eXX+bRhnfqHetbkXwU3+c1Vk=";
+    commit = "cbab0c740e03c8e6184fd647d95e24e0826d20cb";
+    hash = "sha256-vXS3+wrUBVtPsETa19pMvud9sALGt4Ao9mM5rQRbBQc=";
   })
   (mw-ext {
     name = "SimpleSAMLphp";
     kebab-name = "simple-saml-php";
-    commit = "4c615a9203860bb908f2476a5467573e3287d224";
-    hash = "sha256-zNKvzInhdW3B101Hcghk/8m0Y+Qk/7XN7n0i/x/5hSE=";
+    commit = "fc5ad4501434fe85198f0b1f0087d798efa91f9f";
+    hash = "sha256-se0krTglo1fShJXj38bPLhw65tZC5P54Ywt7oeZrLes=";
   })
   (mw-ext {
     name = "TemplateData";
-    commit = "6884b10e603dce82ee39632f839ee5ccd8a6fbe3";
-    hash = "sha256-jcLe3r5fPIrQlp89N+PdIUSC7bkdd7pTmiYppSpdKVQ=";
+    commit = "d37b02f6ed194138ac7193a0782bbf6efb9164f8";
+    hash = "sha256-NpzVBzX7qfXkIE+jh33ndooS9GE8ZF3/Jynm22in7IQ=";
   })
   (mw-ext {
     name = "TemplateStyles";
-    commit = "f0401a6b82528c8fd5a0375f1e55e72d1211f2ab";
-    hash = "sha256-tEcCNBz/i9OaE3mNrqw0J2K336BAf6it30TLhQkbtKs=";
+    commit = "f85614c26a0057a9f418342f89214a04c9de9988";
+    hash = "sha256-XZOtM3iadjE5vavsjkx7kfJNhLZlnnFt1CN+mv6XVHQ=";
   })
   (mw-ext {
     name = "UserMerge";
-    commit = "6c138ffc65991766fd58ff4739fcb7febf097146";
-    hash = "sha256-366Nb0ilmXixWgk5NgCuoxj82Mf0iRu1bC/L/eofAxU=";
+    commit = "2f2432c909a36691ca0002daf6fb304d6c182beb";
+    hash = "sha256-ZP8Tp6u+uJxx3I39YGMmkP0sTnjAQUSaxImAJaRv+Ek=";
   })
   (mw-ext {
     name = "VisualEditor";
-    commit = "9cfcca3195bf88225844f136da90ab7a1f6dd0b9";
-    hash = "sha256-jHw3RnUB3bQa1OvmzhEBqadZlFPWH62iGl5BLXi3nZ4=";
+    commit = "1508d49d0dd71fdc1d18badd23671441b3bc327b";
+    hash = "sha256-VNiCVNrCAImAr1tS9T28KPPzzNsKPz5ELFRIBtng+So=";
   })
   (mw-ext {
     name = "WikiEditor";
-    commit = "fe5329ba7a8c71ac8236cd0e940a64de2645b780";
-    hash = "sha256-no6kH7esqKiZv34btidzy2zLd75SBVb8EaYVhfRPQSI=";
+    commit = "aba5e7c6701877a6b43583709751658fec606d47";
+    hash = "sha256-XmbQy0NXuY3oVGkkgC233kkzfBfx32HDylloGYXU/Nc=";
   })
 ]

secrets/ildkule/ildkule.yaml

@@ -9,90 +9,90 @@ keys:
         postgres_exporter_knakelibrak_env: ENC[AES256_GCM,data:xjC7DGXrW2GIJq8XioIZb+jSe/Hzcz0tv9cUHmX/n1nhI+D64lYt+EKnq1+RX/vJzU4sTaKjveKBh88Qqnv6RQm+MZC//dIxcvnnAdl50qnHZyBCaFFEzSNI8I8vGyArMk8Ja72clBq3kMpUz/pLBP0qDrjblKDoWkU=,iv:ZW98hJy8A5t4Oxtu17R3tM7gou183VLbgBsHA8LFuJY=,tag:VMOvQz3X/XDylV1YFg2Jsg==,type:str]
 sops:
     age:
-        - recipient: age1x28hmzvuv6f2n66c0jtqcca3h9rput8d7j5uek6jcpx8n9egd52sqpejq0
+        - recipient: age102e6y8gah0ntr6fxqnkpepc8ar29p6ls7ks9ka7v8w87q8scm9yqmc2u8d
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIRm5XY3kydDJSRUYrcmRk
-            K21WUEZSSEpYOHFrVkFyOVJYYnRUSU1aYkV3CkVEUllvUm0wZjlmOFU0VSt3OStL
-            Tmdkc3JHRWplS3lnQWlkT3ROVkxkVUEKLS0tIFRJRkFEeE15Q3A1Z24wQzNlbUx1
-            a2tmd21zSWUzbmw5NDdSRUVDcmVwbHcKn+DJ1PnlQApX8fwJoN9DtMqeKzoih6Hr
-            sSh2z6rsTj1UmXocbBm1SduattqZFjvO5XGpp25mM9ZBlpcnVjB/hg==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyTWRSM3IwMmxtTmZVcCsw
+            OUhlakxHZzgrSEhEdUZFTXE1anNjQ2wvdkZFCnB6S1l3TXQ3ZGFYWmtYM1cwMFZT
+            V2UrTkk0Z1BVQ1U2N1hsaTc5NjFsVUEKLS0tIGZYV041M01DYndQWUNCVGxUVXZa
+            YlltQ3FBU3RBYUx4TnNPRk1SUWNqZG8KAJjc09x553ncaWduGLsnIHdroaOmMasP
+            /fq0GzW6UNfmE2rQ6qrQti21B37/sN0WMLCSPLUPG45kBgx20GG4hQ==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1ug30gg4y7ftuya0wdv7q0vh4egn00wlv2th7mt7cgc2ze46wmvyq9lq6ge
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVaEdlWnJCdHVpM0ZHTlJj
-            WmNrQnIxYmxmWlJ4Z29WKytHd1plUURPSDBFCnBHU1MyMS9FNnRCMmJ6Ymd4UWcr
-            RGV6QmhrbDFObDM1MW1NdTdDU3ZIVU0KLS0tIEtBR01OOVdITExFcUN1dHEyaklD
-            TVFnZXRva3FUZjcxYlRuQnpFTDhpZzQKxZM0ZB6dVwFr5QkT6YmEA+3RhhsX0pl4
-            SolLZXFal1BluDERtZ2Clb5VzrcV3PUfFo8Yx6ncFjcisyFXUHVnYg==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTOWFvcFFzc1lmNVdmV3lX
+            cVVLNHowcGdENzI5UUJLZTNSMHhjNlI2c0FnCmdwOS9oL1kwTnhwbXRodWxxWVE3
+            TEtzVmMyN0lkdDBPNzhSR0J6SVhwM3MKLS0tIHhSOFA2TEdMdEd5TlpJb3h0N2xr
+            eDVwd2dKMG9FRW1OY1pyUkhLeWw3b0EKtJpsQ/Ss39ZLiRNqUhn8sdB3hpQy7Syv
+            ererqhMkqmDugGEHPk6KpZuj7DVSK1di7JgA2qZOUPzI7UpxjaC0Kg==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1mrnldl334l2nszuta6ywvewng0fswv2dz9l5g4qcwe3nj4yxf92qjskdx6
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvYmNZSTBrUzg5d3NPSHhM
-            Z2s4KzlVZldKVitmL3RFNHFiQnJlcmlCS3k0CkZ4YlBvbW1DTzEzRTZMUVBOWDNT
-            SHQwcTBQL0NQbXA3WHVZcFhjZW5ZeE0KLS0tIHU2TVErZ0I0dGRuTGIzZkVoeDJC
-            MHJkcXlGdFN2Y1p4Q08rT0phODlLOVEKhSEO8hUZ0d3SA1tFvXN2HuZR35SRzhUq
-            +J3eN/qUBu0LcuiBq+qbGYIAHggXy9ZSGCGfrNw35czzGpzfbK/fwQ==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOQU1iVXRkQmo4b3F1Vngz
+            S0pkNkVFR1FUb1djdmI0eHh3V3BBTDJTSTJZClA0S0Z0cTdFRmRaOEZQdHQzdGZ3
+            SC9HRkF3eHQ3MHh6VUFiTW1MZmZoQ2sKLS0tIGlXcWtCczBuOXZBTE9IcVQ1aFJz
+            REdjRFZyY2pNdEd6cmgvQisyVDhLUEkKRItJ0CGbzlEB5RNAyem4feMVhTfcLef3
+            QIqltZ2l4LLexnkECi3FCJZHxrbUa+/RF6p1DsueUw7LLUnOcphB9A==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1hmpdk4h69wxpwqk9tkud39f66hprhehxtzhgw97r6dvr7v0mx5jscsuhkn
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhdDBxd3J5MWZ0R1IwVWRw
-            cklOOENFM2R4Q01JdFd2cDZCQ2pSTGNucmhrClgra0tCSGdqZExLbWNoaDZkSzJD
-            aDc3YXdOZi9jMDdwc1duTWdKbEdUVDgKLS0tIGxKbTYzRnAyRVlwbUxGS3JySFJS
-            VXNrSldhMDV4V2preEJ3ZDk5UlZ1YzgK8K2R4LETFFKpUZVdofJoE6eXw/tlz3+9
-            k0iXQX6zMj1uSDmenjztU04FIfRxzIur5xifd8hCJnWmxlOCFDqLag==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvZTBpaWM0c1hmODBaK0Iw
+            bmp1NzRacklXMHU0K2J2d0g5ajBiNlRNWGhRCm1DOWI0cm5BdTdlNmFzM2JVekNk
+            U0VnQmJKMU9ZczZBN0o3czAxOXc4TkkKLS0tIDA1aFRsS3VHdmFtUDY3S25qK01p
+            U0ZCT2toZ1ZMZ3E0bXRhSTQvNGFWNVkKhxfQDIDe2LQW7OMBJv0J267AW1wI32df
+            ZQxd657TEqzm7i19azrCS0jyRbfj2MYzEJAtTGiGZaNC9uKDFzBhKw==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1wrssr4z4g6vl3fd3qme5cewchmmhm0j2xe6wf2meu4r6ycn37anse98mfs
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPc2dCdGNSeWo4RkovV1Vn
-            ckRYYW1xZldjVDRuSjM4elQyRVFROWduL1QwCmNSVzk3aG90MHNWZWlzVDg5RE55
-            L3JKODZlMDJudTZYNGVNQldaNEhPcjQKLS0tIE41dDYxWE84Wk9XbG9iMUhpMHBu
-            VlJZM1VMYkRkQXNlSVVoT3RYZXRaRU0KqqIjxe05oO67IUt/LMIYsUAaZw1qQFNv
-            mmVu5GvHdpSrp3PttxlZC7OiP84Jzj7zM/idj0wBIeVCWedWO59aKQ==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmRlJROHRKb21YUnlicmc1
+            MlptQllEcXFhajNKS1krMDdUMWk5QWo4eVJBCndGSlhXS1Vaa2RSTllIcmF1ZVpl
+            V28wUGpPVE04Q3VPdzFYdlNpdXBPWHMKLS0tIGJLNStURVJ2NkZKNHVURXh3SjBL
+            TE41aFdjU0h0ekQ2Zjg4Z3VQVjFWcnMK6zjSalqeYjyc4NH6nOeghlhYJydrz4pM
+            N5ZcXjRbrIVFdhbYnvQGKvGKZm0kK6vjzBjdT7BM6ctr8cq/qrz1xQ==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1zhxul786an743u0fascv4wtc5xduu7qfy803lfs539yzhgmlq5ds2lznt5
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHL3RId3Q4SGJkYjM5STJu
-            ZU9BbkgxaXdva3g5ek1hZUF5YWcvZHI5c0VRClhLazhueTRLU2N0T2c2REllT0R1
-            LzFrdDdiVVhLQ3BPdkwvVTg1RjdscG8KLS0tIHRYTmg4NFF2c2FpVHphUFdqWmhH
-            TFNhSDNUMEo0Z05mbmlwRUs5VHhUWHMKJUCyLDJx2voDttv4UrpFKYyNz+HhtyFj
-            X3OrNbmJQYuNpq4hzQs7jN5UD/4YCtFi9mb5pmFr8MTHLb6UsZN++A==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIRXpBa2tYc2xEeldub0VK
+            bkFwOFdlUGRZM0FVT0tyUW1RWnl0TjRUTUh3CnZlMC92MU1hRW1yZU1NSUdoUEZh
+            YmhHN3pjd0lhOXk3KzFqRVhaU2IvWFUKLS0tIGxVRGNmZmd1QS9sc0NMVFZMNGVB
+            aXFQWlNVQ2laVm1ETStRemNZRXc3TUEKlPYSU3gp67dsPfbEJkru4ieMvspC7+pu
+            rfp315HLyj1FGhrA8f2qOxE/PYI2rn0yKm80KffWBV7ylX/uonm4Fg==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1sqs7urnzsdy64efmd0zukzv3gs5pnjksuxd7nqmdwdy5l0nqnunq6hyune
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKNzZ4Y2U2NXpXWHA3Y3Zw
-            S1BKbTNXaGxRaE55QkZNSFV6b3VURFBXWlEwCmpJUjM3VVJRc0dwdjFLOGdQQTlz
-            a0hVUC9tSXNDQ3NyTnlnVlNNalFOZmcKLS0tIFNXYThsRHd2eUQyOGtVT1RLaTdR
-            RmlST2JZS2gwbDBpZ2xMblpWNzB5ZWcKTkKF9aonrBMolxqcj9a5d9JLoCj229KU
-            It2KjhlzBcgcJUIiIPWMoV9VbEpKkTsCLkWxFSLle++ryOUYh3kgaA==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsaTEzOFBEeG9LVThSVmQ5
+            VXBoaFpueFRCbFJ1akE4RWc1aE1HUmVGcXdZCjFnbU0wd2drazNsTmNBMHNuOFhO
+            b21MZmNPSVNDU2RycEtXTys1V3BVVVEKLS0tIG5oc0VoTXlzeVh3b2NjcFl6WE9U
+            dC9meDZlc3d3aUJEVjc4REF0Y1BLcGcK79LbJzc5KVgEgyJR11crGuX8YcVoJBbT
+            Fin7Zoon06L7qx0Zw5u27wV7RKMnYT7hOMiWs6660ZTLcYJ5M1aEZQ==
             -----END AGE ENCRYPTED FILE-----
     lastmodified: "2025-03-16T20:08:18Z"
     mac: ENC[AES256_GCM,data:C2tpWppc13jKJq5d4nmAKQOaNWHm27TKwxAxm1fi2lejN1lqUaoz5bHfTBA7MfaWvuP5uZnfbtG32eeu48mnlWpo58XRUFFecAhb9JUpW9s5IR3/nbzLNkGU7H5C0oWPrxI4thd+bAVduIgBjjFyGj1pe6J9db3c0yUWRwNlwGU=,iv:YpoQ4psiFYOWLGipxv1QvRvr034XFsyn2Bhyy39HmOo=,tag:ByiCWygFC/VokVTbdLoLgg==,type:str]
     pgp:
-        - created_at: "2026-01-16T06:34:50Z"
+        - created_at: "2026-05-20T17:35:58Z"
           enc: |-
             -----BEGIN PGP MESSAGE-----
 
-            hQIMA0av/duuklWYARAAgrn0irD12kqDfIEvpLpa0Ys/hMG9GwCMeU186iFfJ193
-            72UVEzx2GwIfSt0qQlpBFZtueL9Bb7ka81IrqhAepq8J5//WxEGvv6H9aIm8V7ov
-            ZkS4eZpFksu0ZRFP5HWQvEQwRKj8WxYQY/TS/5QGNSPeHOZYnpQcBhAVLjn9Uj/O
-            6ojnIVoKxDdo235fuDQdiLwCpPXsKi2OQuSFOwq7Acg/fm1pvc76h9dqr5DqrspZ
-            c3stdbYwVOedgYjRrdSYpkplGSqNeVtYYJ3apdauMSRNaKmgMwbkxkzXO9YrWASa
-            beYilvhNgr0rnQB617IhgBZrgik9CvqrqGZqim0fWI+s4bcbgfvK8UORt4+QgJjO
-            FPqAtVE6sNGzElKQ6ZZPWZoXeK7vfIfxwxU+oLcijAnUmLy88zqIUjUZKzmyhDZa
-            YAAwxBL1nh+UzIbn4GGeVbYHLbKJ6XnznF7zfTWph6GbeFfdWuaSwxmnGjE6n1y2
-            ye3GQaW2aeq7RKoqyLJO3oIHyGHZXFe4pB4adz60uKNPJz47/gtA5OofNs0qbxqQ
-            Dp5fmrvZZtDa/TYIV9o1bSp7cYk49TGKHPbX7tLjEIIfRxd4y6rYgwNpPdukjZsk
-            bbdxypWrJkMx+9xk84DGo3e+RY738JgLjc0ylDO+pIzThUruBOcDjUKeGNmVQYnS
-            XAGofG3JSI97wFdYOB+4yoYPqs5rovgPbkGGuT5SBIxH5zVv3X+SE4wCGu3CLFC4
-            A4cdwXmuERPxszVZW+V8CSGq9XnH/OzrpiWVhzqXCRH03F2BmnAx9Fp/zMTH
-            =DooK
+            hQIMA0av/duuklWYAQ/+ONarLX0spY0m0iLGEp4Qe9YcfKrf4G0QLbiYMW8Bko7M
+            iV5PSn4MeDlu5vIkNy1vbYqN2kCQZJDNtirtVqggoq+h/lEvXlkgmkJXeMnnVugy
+            xJZCG1SnGnx9BD/tWaFZp4IY9m8sQtEqcpQIvitQTCgovdWPb7NddlDaHbn4R95t
+            SeTZxnxT2MCYiGHyESMrdy8JEFER81O4XIGuccBV4GyoDcEAxDD7PXf7Y5YlwUQk
+            /sQ3awgsy1WJF4YzQ4zCvK8dO4meiD6asEijQEXNTyrXrkkIX6pS14l9HLzg8HLT
+            ZLelRyCYeIGEPyEJtbBKxMEu28SAmCMESCdLImqz3RnT0Z6QV1Z+DqAPck3aij2v
+            VCeJZgK7tmjuusThzi0ymSb0tC14JS7eK/BNGIvVK/41TlzI0qBeA1yYf8Fdtsqt
+            7OGfCR7aUdBn7yweGuo9L9eHRFiJvoB9tNiPnw7rdr/SrptL0ovsML7m1nvg6mO1
+            os1JCL5E6u7d6cGbqaTmjwKLhvNuI1keJoVGtlOYt95tfEAwWeuG2ML6wJ6u6oJ4
+            WAw/g5Tqb4jeLpcgw8iclhK5JzAL9Uz3G95VXkS6CcTrOfQfvIJHxs5JtsxFC98l
+            xMgnMY4SNQ6sHAHZ+6Wku8X+lnZ0uKZkYlRqpH95/VTp+I6QpuqydIOeZ+ILn+jS
+            XAHa6CahC07yA93g8kgTeMhI3ezqOQD0gYnY3QROX5kKVD/bNu3JwNTprO5b/kRK
+            2Ehg8D0wdaJ9OM+pShGyf6CK5wVBvSq2VQHKxjEIifi62RYtUvnf+sx/ob9h
+            =9nB8
             -----END PGP MESSAGE-----
           fp: F7D37890228A907440E1FD4846B9228E814A2AAC
     unencrypted_suffix: _unencrypted

topology/default.nix

@@ -176,26 +176,6 @@ in {
     interfaces.ens18.network = "pvv";
   };
 
-  nodes.ustetind = {
-    guestType = "proxmox LXC";
-    parent = config.nodes.powerpuff-cluster.id;
-
-    # TODO: the interface name is likely wrong
-    # interfaceGroups = [ [ "eth0" ] ];
-    interfaces.eth0 = {
-      network = "pvv";
-      # mac = "";
-      addresses = [
-        "129.241.210.234"
-        "2001:700:300:1900::234"
-      ];
-      gateways = [
-        values.hosts.gateway
-        values.hosts.gateway6
-      ];
-    };
-  };
-
   ### PVV
 
   nodes.ntnu-veggen = mkRouter "NTNU-Veggen" {

values.nix

@@ -73,10 +73,6 @@ in rec {
       ipv4 = pvv-ipv4 233;
       ipv6 = pvv-ipv6 "4:233";
     };
-    ustetind = {
-      ipv4 = pvv-ipv4 234;
-      ipv6 = pvv-ipv6 234;
-    };
     skrot = {
       ipv4 = pvv-ipv4 237;
       ipv6 = pvv-ipv6 237;
@@ -86,10 +82,10 @@ in rec {
       ipv6 = pvv-ipv6 167;
     };
     gluttony = {
-      ipv4 = "129.241.100.118";
-      ipv4_internal = "192.168.20.77";
-      ipv4_internal_gw = "192.168.20.1";
-      ipv6 = "2001:700:305:aa07::3b3";
+      ipv4 = "129.241.100.37";
+      ipv4_internal = "192.168.1.219";
+      ipv4_internal_gw = "192.168.1.1";
+      ipv6 = "2001:700:305:8a0f:f816:3eff:fe9b:7a46";
     };
     wenche = {
       ipv4 = pvv-ipv4 240;