WIP: Move krb5 realm to pvv.local, make sane ldap structure

Reviewed-on: #121

.mailmap

@@ -23,3 +23,9 @@ Adrian Gunnar Lauterer <adriangl@pvv.ntnu.no> Adrian Gunnar Lauterer <adrian@lau
 
 Fredrik Robertsen <frero@pvv.ntnu.no> frero <frero@pvv.ntnu.no>
 Fredrik Robertsen <frero@pvv.ntnu.no> fredrikr79 <fredrikrobertsen7@gmail.com>
+Fredrik Robertsen <frero@pvv.ntnu.no> fredrik <fredrikr79@pm.me>
+
+Vegard Bieker Matthey <vegardbm@pvv.ntnu.no> Vegard Matthey <VegardMatthey@protonmail.com>
+Vegard Bieker Matthey <vegardbm@pvv.ntnu.no> Vegard Bieker Matthey <VegardMatthey@protonmail.com>
+
+Albert Bayazidi <albertba@pvv.ntnu.no> Albert <albert.bayazidi@gmail.com>

.sops.yaml

@@ -20,6 +20,7 @@ keys:
   - &host_lupine-3 age1j2u876z8hu87q5npfxzzpfgllyw8ypj66d7cgelmzmnrf3xud34qzkntp9
   - &host_lupine-4 age1t8zlawqkmhye737pn8yx0z3p9cl947d9ktv2cajdc6hnvn52d3fsc59s2k
   - &host_lupine-5 age199zkqq4jp4yc3d0hx2q0ksxdtp42xhmjsqwyngh8tswuck34ke3smrfyqu
+  - &host_skrott age1hlvwswsljxsvrtp4leuw8a8rf8l2q6y06xvxtafvzpq54xm9aegs0kqw2e
   - &host_ustetind age1hffjafs4slznksefmtqrlj7rdaqgzqncn4un938rhr053237ry8s3rs0v8
 
 creation_rules:
@@ -137,6 +138,7 @@ creation_rules:
   - path_regex: secrets/skrott/[^/]+\.yaml$
     key_groups:
     - age:
+      - *host_skrott
       - *user_danio
       - *user_felixalb
       - *user_pederbs_sopp

README.md

@@ -43,6 +43,7 @@ revert the changes on the next nightly rebuild (tends to happen when everybody i
 | [kommode][kom]             | Virtual  | Gitea + Gitea pages                                       |
 | [lupine][lup]              | Physical | Gitea CI/CD runners                                       |
 |  shark                     | Virtual  | Test host for authentication, absolutely horrendous       |
+| [skrott][skr]              | Physical | Kiosk, snacks and soda                                    |
 | [wenche][wen]              | Virtual  | Nix-builders, general purpose compute                     |
 
 ## Documentation
@@ -59,4 +60,5 @@ revert the changes on the next nightly rebuild (tends to happen when everybody i
 [ild]: https://wiki.pvv.ntnu.no/wiki/Maskiner/ildkule
 [kom]: https://wiki.pvv.ntnu.no/wiki/Maskiner/kommode
 [lup]: https://wiki.pvv.ntnu.no/wiki/Maskiner/lupine
+[skr]: https://wiki.pvv.ntnu.no/wiki/Maskiner/Skrott
 [wen]: https://wiki.pvv.ntnu.no/wiki/Maskiner/wenche

base/default.nix

@@ -81,7 +81,7 @@
     AllowHibernation=no
   '';
 
-  users.mutableUsers = lib.mkDefault false;
+  # users.mutableUsers = lib.mkDefault false;
 
   users.groups."drift".name = "drift";
 

base/networking.nix

@@ -3,6 +3,10 @@
   systemd.network.enable = true;
   networking.domain = "pvv.ntnu.no";
   networking.useDHCP = false;
+  # networking.search = [ "pvv.ntnu.no" "pvv.org" ];
+  # networking.nameservers = lib.mkDefault [ "129.241.0.200" "129.241.0.201" ];
+  # networking.tempAddresses = lib.mkDefault "disabled";
+  # networking.defaultGateway = values.hosts.gateway;
 
   # The rest of the networking configuration is usually sourced from /values.nix
 

base/programs.nix

@@ -13,9 +13,15 @@
     # Debug and find files
     file
 
+    # Process json data
+    jq
+
     # Check computer specs
     lshw
 
+    # Check who is keeping open files
+    lsof
+
     # Scan for open ports with netstat
     net-tools
 
@@ -54,6 +60,8 @@
   programs.nano.enable = true;
   # Same reasoning as nano
   programs.vim.enable = true;
+  # Same reasoning as vim
+  programs.neovim.enable = true;
 
   # Some people like this shell for some reason
   programs.zsh.enable = true;

base/services/acme.nix

@@ -8,8 +8,6 @@
   # Let's not spam LetsEncrypt in `nixos-rebuild build-vm` mode:
   virtualisation.vmVariant = {
     security.acme.defaults.server = "https://127.0.0.1";
-    security.acme.preliminarySelfsigned = true;
-
     users.users.root.initialPassword = "root";
   };
-}
+}

base/services/auto-upgrade.nix

@@ -28,7 +28,7 @@ in
 
   # workaround for https://github.com/NixOS/nix/issues/6895
   # via https://git.lix.systems/lix-project/lix/issues/400
-  environment.etc = lib.mkIf (!config.virtualisation.isVmVariant) {
+  environment.etc = lib.mkIf (!config.virtualisation.isVmVariant && config.system.autoUpgrade.enable) {
     "current-system-flake-inputs.json".source
       = pkgs.writers.writeJSON "flake-inputs.json" (
         lib.flip lib.mapAttrs inputs (name: input:

base/vm.nix

@@ -11,5 +11,6 @@
   };
   config.virtualisation.vmVariant = {
     virtualisation.isVmVariant = true;
+    virtualisation.graphics = false;
   };
 }

flake.lock

@@ -2,17 +2,16 @@
   "nodes": {
     "dibbler": {
       "inputs": {
-        "flake-utils": "flake-utils",
         "nixpkgs": [
           "nixpkgs"
         ]
       },
       "locked": {
-        "lastModified": 1768138611,
-        "narHash": "sha256-KfZX6wpuwE2IRKLjh0DrEviE4f6kqLJWwKIE5QJSqa4=",
+        "lastModified": 1769510541,
+        "narHash": "sha256-jxuQY0anT3YpwpnYB5w7p6EPS6UWIj4vGxzfsOJvC1I=",
         "ref": "main",
-        "rev": "cb385097dcda5fb9772f903688d078b30a66ccd4",
-        "revCount": 221,
+        "rev": "ec43f67e58f049a709fa2c19601b8c637f38126f",
+        "revCount": 232,
         "type": "git",
         "url": "https://git.pvv.ntnu.no/Projects/dibbler.git"
       },
@@ -61,23 +60,6 @@
         "type": "github"
       }
     },
-    "flake-utils": {
-      "inputs": {
-        "systems": "systems"
-      },
-      "locked": {
-        "lastModified": 1731533236,
-        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
-        "type": "github"
-      },
-      "original": {
-        "id": "flake-utils",
-        "type": "indirect"
-      }
-    },
     "gergle": {
       "inputs": {
         "nixpkgs": [
@@ -192,11 +174,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1768749374,
-        "narHash": "sha256-dhXYLc64d7TKCnRPW4TlHGl6nLRNdabJB2DpJ8ffUw0=",
+        "lastModified": 1769500363,
+        "narHash": "sha256-vFxmdsLBPdTy5j2bf54gbTQi1XnWbZDmeR/BBh8MFrw=",
         "ref": "main",
-        "rev": "040294f2e1df46e33d995add6944b25859654097",
-        "revCount": 37,
+        "rev": "2618e434e40e109eaab6a0693313c7e0de7324a3",
+        "revCount": 47,
         "type": "git",
         "url": "https://git.pvv.ntnu.no/Projects/minecraft-kartverket.git"
       },
@@ -235,11 +217,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1768955766,
-        "narHash": "sha256-V9ns1OII7sWSbIDwPkiqmJ3Xu/bHgQzj+asgH9cTpOo=",
+        "lastModified": 1769018862,
+        "narHash": "sha256-x3eMpPQhZwEDunyaUos084Hx41XwYTi2uHY4Yc4YNlk=",
         "owner": "oddlama",
         "repo": "nix-topology",
-        "rev": "71f27de56a03f6d8a1a72cf4d0dfd780bcc075bc",
+        "rev": "a15cac71d3399a4c2d1a3482ae62040a3a0aa07f",
         "type": "github"
       },
       "original": {
@@ -251,11 +233,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1768877948,
-        "narHash": "sha256-Bq9Hd6DWCBaZ2GkwvJCWGnpGOchaD6RWPSCFxmSmupw=",
-        "rev": "43b2e61c9d09cf6c1c9c192fe6da08accc9bfb1d",
+        "lastModified": 1769724120,
+        "narHash": "sha256-oQBM04hQk1kotfv4qmIG1tHmuwODd1+hqRJE5TELeCE=",
+        "rev": "8ec59ed5093c2a742d7744e9ecf58f358aa4a87d",
         "type": "tarball",
-        "url": "https://releases.nixos.org/nixos/25.11-small/nixos-25.11.4368.43b2e61c9d09/nixexprs.tar.xz"
+        "url": "https://releases.nixos.org/nixos/25.11-small/nixos-25.11.4961.8ec59ed5093c/nixexprs.tar.xz"
       },
       "original": {
         "type": "tarball",
@@ -279,11 +261,11 @@
     },
     "nixpkgs-unstable": {
       "locked": {
-        "lastModified": 1768886240,
-        "narHash": "sha256-HUAAI7AF+/Ov1u3Vvjs4DL91zTxMkWLC4xJgQ9QxOUQ=",
-        "rev": "80e4adbcf8992d3fd27ad4964fbb84907f9478b0",
+        "lastModified": 1769813739,
+        "narHash": "sha256-RmNWW1DQczvDwBHu11P0hGwJZxbngdoymVu7qkwq/2M=",
+        "rev": "16a3cae5c2487b1afa240e5f2c1811f172419558",
         "type": "tarball",
-        "url": "https://releases.nixos.org/nixos/unstable-small/nixos-26.05pre930839.80e4adbcf899/nixexprs.tar.xz"
+        "url": "https://releases.nixos.org/nixos/unstable-small/nixos-26.05pre937548.16a3cae5c248/nixexprs.tar.xz"
       },
       "original": {
         "type": "tarball",
@@ -318,11 +300,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1768636400,
-        "narHash": "sha256-AiSKT4/25LS1rUlPduBMogf4EbdMQYDY1rS7AvHFcxk=",
+        "lastModified": 1769009806,
+        "narHash": "sha256-52xTtAOc9B+MBRMRZ8HI6ybNsRLMlHHLh+qwAbaJjRY=",
         "ref": "main",
-        "rev": "3a8f82b12a44e6c4ceacd6955a290a52d1ee2856",
-        "revCount": 573,
+        "rev": "aa8adfc6a4d5b6222752e2d15d4a6d3b3b85252e",
+        "revCount": 575,
         "type": "git",
         "url": "https://git.pvv.ntnu.no/Projects/nettsiden.git"
       },
@@ -382,11 +364,11 @@
         "rust-overlay": "rust-overlay_3"
       },
       "locked": {
-        "lastModified": 1768140181,
-        "narHash": "sha256-HfZzup5/jlu8X5vMUglTovVTSwhHGHwwV1YOFIL/ksA=",
+        "lastModified": 1769834595,
+        "narHash": "sha256-P1jrO7BxHyIKDuOXHuUb7bi4H2TuYnACW5eqf1gG47g=",
         "ref": "main",
-        "rev": "834463ed64773939798589ee6fd4adfe3a97dddd",
-        "revCount": 43,
+        "rev": "def4eec2d59a69b4638b3f25d6d713b703b2fa56",
+        "revCount": 49,
         "type": "git",
         "url": "https://git.pvv.ntnu.no/Projects/roowho2.git"
       },
@@ -446,11 +428,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1767322002,
-        "narHash": "sha256-yHKXXw2OWfIFsyTjduB4EyFwR0SYYF0hK8xI9z4NIn0=",
+        "lastModified": 1769309768,
+        "narHash": "sha256-AbOIlNO+JoqRJkK1VrnDXhxuX6CrdtIu2hSuy4pxi3g=",
         "owner": "oxalica",
         "repo": "rust-overlay",
-        "rev": "03c6e38661c02a27ca006a284813afdc461e9f7e",
+        "rev": "140c9dc582cb73ada2d63a2180524fcaa744fad5",
         "type": "github"
       },
       "original": {
@@ -466,11 +448,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1768863606,
-        "narHash": "sha256-1IHAeS8WtBiEo5XiyJBHOXMzECD6aaIOJmpQKzRRl64=",
+        "lastModified": 1769469829,
+        "narHash": "sha256-wFcr32ZqspCxk4+FvIxIL0AZktRs6DuF8oOsLt59YBU=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "c7067be8db2c09ab1884de67ef6c4f693973f4a2",
+        "rev": "c5eebd4eb2e3372fe12a8d70a248a6ee9dd02eff",
         "type": "github"
       },
       "original": {
@@ -479,21 +461,6 @@
         "repo": "sops-nix",
         "type": "github"
       }
-    },
-    "systems": {
-      "locked": {
-        "lastModified": 1681028828,
-        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
-        "owner": "nix-systems",
-        "repo": "default",
-        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-systems",
-        "repo": "default",
-        "type": "github"
-      }
     }
   },
   "root": "root",

flake.nix

@@ -69,37 +69,54 @@
   in {
     inputs = lib.mapAttrs (_: src: src.outPath) inputs;
 
-    pkgs = forAllSystems (system:
-      import nixpkgs {
-        inherit system;
-        config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg)
-          [
-            "nvidia-x11"
-            "nvidia-settings"
-          ];
-      });
+    pkgs = forAllSystems (system: import nixpkgs {
+      inherit system;
+      config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg)
+        [
+          "nvidia-x11"
+          "nvidia-settings"
+        ];
+    });
 
     nixosConfigurations = let
-      unstablePkgs = nixpkgs-unstable.legacyPackages.x86_64-linux;
-
       nixosConfig =
         nixpkgs:
         name:
         configurationPath:
         extraArgs@{
-          system ? "x86_64-linux",
+          localSystem ? "x86_64-linux", # buildPlatform
+          crossSystem ? "x86_64-linux", # hostPlatform
           specialArgs ? { },
           modules ? [ ],
           overlays ? [ ],
           enableDefaults ? true,
           ...
         }:
+        let
+          commonPkgsConfig = {
+            inherit localSystem crossSystem;
+            config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg)
+              [
+                "nvidia-x11"
+                "nvidia-settings"
+              ];
+            overlays = (lib.optionals enableDefaults [
+              # Global overlays go here
+              inputs.roowho2.overlays.default
+            ]) ++ overlays;
+          };
+
+          pkgs = import nixpkgs commonPkgsConfig;
+          unstablePkgs = import nixpkgs-unstable commonPkgsConfig;
+        in
         lib.nixosSystem (lib.recursiveUpdate
         {
-          inherit system;
+          system = crossSystem;
+
+          inherit pkgs;
 
           specialArgs = {
-            inherit unstablePkgs inputs;
+            inherit inputs unstablePkgs;
             values = import ./values.nix;
             fp = path: ./${path};
           } // specialArgs;
@@ -112,23 +129,12 @@
           ] ++ (lib.optionals enableDefaults [
             sops-nix.nixosModules.sops
             inputs.roowho2.nixosModules.default
+            self.nixosModules.rsync-pull-targets
           ]) ++ modules;
-
-          pkgs = import nixpkgs {
-            inherit system;
-            config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg)
-              [
-                "nvidia-x11"
-                "nvidia-settings"
-              ];
-            overlays = (lib.optionals enableDefaults [
-              # Global overlays go here
-              inputs.roowho2.overlays.default
-            ]) ++ overlays;
-          };
         }
         (builtins.removeAttrs extraArgs [
-          "system"
+          "localSystem"
+          "crossSystem"
           "modules"
           "overlays"
           "specialArgs"
@@ -141,7 +147,7 @@
     in {
       bakke = stableNixosConfig "bakke" {
         modules = [
-          disko.nixosModules.disko
+          inputs.disko.nixosModules.disko
         ];
       };
       bicep = stableNixosConfig "bicep" {
@@ -163,7 +169,6 @@
       bekkalokk = stableNixosConfig "bekkalokk" {
         overlays = [
           (final: prev: {
-            heimdal = unstablePkgs.heimdal;
             mediawiki-extensions = final.callPackage ./packages/mediawiki-extensions { };
             simplesamlphp = final.callPackage ./packages/simplesamlphp { };
             bluemap = final.callPackage ./packages/bluemap.nix { };
@@ -190,6 +195,7 @@
         ];
         modules = [
           inputs.nix-gitea-themes.nixosModules.default
+          inputs.disko.nixosModules.disko
         ];
       };
 
@@ -199,6 +205,8 @@
         ];
       };
 
+      dagali = unstableNixosConfig "dagali" { };
+
       brzeczyszczykiewicz = stableNixosConfig "brzeczyszczykiewicz" {
         modules = [
           inputs.grzegorz-clients.nixosModules.grzegorz-webui
@@ -221,17 +229,39 @@
           inputs.gergle.overlays.default
         ];
       };
-      skrott = stableNixosConfig "skrott" {
-        system = "aarch64-linux";
+    }
+    //
+    (let
+      skrottConfig = {
         modules = [
           (nixpkgs + "/nixos/modules/installer/sd-card/sd-image-aarch64.nix")
           inputs.dibbler.nixosModules.default
         ];
         overlays = [
           inputs.dibbler.overlays.default
+          (final: prev: {
+            # NOTE: Yeetus (these break crosscompile ¯\_(ツ)_/¯)
+            atool = prev.emptyDirectory;
+            micro = prev.emptyDirectory;
+            ncdu = prev.emptyDirectory;
+          })
         ];
       };
-    }
+    in {
+      skrott = self.nixosConfigurations.skrott-native;
+      skrott-native = stableNixosConfig "skrott" (skrottConfig // {
+        localSystem = "aarch64-linux";
+        crossSystem = "aarch64-linux";
+      });
+      skrott-cross = stableNixosConfig "skrott" (skrottConfig // {
+        localSystem = "x86_64-linux";
+        crossSystem = "aarch64-linux";
+      });
+      skrott-x86_64 = stableNixosConfig "skrott" (skrottConfig // {
+        localSystem = "x86_64-linux";
+        crossSystem = "x86_64-linux";
+      });
+    })
     //
     (let
       machineNames = map (i: "lupine-${toString i}") (lib.range 1 5);
@@ -244,15 +274,25 @@
 
     nixosModules = {
       bluemap = ./modules/bluemap.nix;
-      snakeoil-certs = ./modules/snakeoil-certs.nix;
-      snappymail = ./modules/snappymail.nix;
-      robots-txt = ./modules/robots-txt.nix;
       gickup = ./modules/gickup;
       matrix-ooye = ./modules/matrix-ooye.nix;
+      robots-txt = ./modules/robots-txt.nix;
+      rsync-pull-targets = ./modules/rsync-pull-targets.nix;
+      snakeoil-certs = ./modules/snakeoil-certs.nix;
+      snappymail = ./modules/snappymail.nix;
     };
 
     devShells = forAllSystems (system: {
-      default = nixpkgs-unstable.legacyPackages.${system}.callPackage ./shell.nix { };
+      default = let
+        pkgs = import nixpkgs-unstable {
+          inherit system;
+          overlays = [
+            (final: prev: {
+              inherit (inputs.disko.packages.${system}) disko;
+            })
+          ];
+        };
+      in pkgs.callPackage ./shell.nix { };
       cuda = let
         cuda-pkgs = import nixpkgs-unstable {
           inherit system;
@@ -266,13 +306,14 @@
 
     packages = {
       "x86_64-linux" = let
-        pkgs = nixpkgs.legacyPackages."x86_64-linux";
+        system = "x86_64-linux";
+        pkgs = nixpkgs.legacyPackages.${system};
       in rec {
         default = important-machines;
         important-machines = pkgs.linkFarm "important-machines"
-          (lib.getAttrs importantMachines self.packages.x86_64-linux);
+          (lib.getAttrs importantMachines self.packages.${system});
         all-machines = pkgs.linkFarm "all-machines"
-          (lib.getAttrs allMachines self.packages.x86_64-linux);
+          (lib.getAttrs allMachines self.packages.${system});
 
         simplesamlphp = pkgs.callPackage ./packages/simplesamlphp { };
 
@@ -294,18 +335,23 @@
       //
       # Skrott is exception
       {
-        skrott = self.nixosConfigurations.skrott.config.system.build.sdImage;
+        skrott = self.packages.${system}.skrott-native-sd;
+        skrott-native = self.nixosConfigurations.skrott-native.config.system.build.toplevel;
+        skrott-native-sd = self.nixosConfigurations.skrott-native.config.system.build.sdImage;
+        skrott-cross = self.nixosConfigurations.skrott-cross.config.system.build.toplevel;
+        skrott-cross-sd = self.nixosConfigurations.skrott-cross.config.system.build.sdImage;
+        skrott-x86_64 = self.nixosConfigurations.skrott-x86_64.config.system.build.toplevel;
       }
       //
       # Nix-topology
       (let
         topology' = import inputs.nix-topology {
           pkgs = import nixpkgs {
-            system = "x86_64-linux";
+            inherit system;
             overlays = [
               inputs.nix-topology.overlays.default
               (final: prev: {
-                inherit (nixpkgs-unstable.legacyPackages.x86_64-linux) super-tiny-icons;
+                inherit (nixpkgs-unstable.legacyPackages.${system}) super-tiny-icons;
               })
             ];
           };

hosts/bakke/filesystems.nix

@@ -1,17 +1,17 @@
-{ config, pkgs, lib, ... }:
+{ pkgs,... }:
 {
   # Boot drives:
   boot.swraid.enable = true;
 
   # ZFS Data pool:
-  environment.systemPackages = with pkgs; [ zfs ];
   boot = {
     zfs = {
       extraPools = [ "tank" ];
       requestEncryptionCredentials = false;
     };
-    supportedFilesystems = [ "zfs" ];
-    kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
+    supportedFilesystems.zfs = true;
+    # Use stable linux packages, these work with zfs
+    kernelPackages = pkgs.linuxPackages;
   };
   services.zfs.autoScrub = {
     enable = true;

hosts/bekkalokk/configuration.nix

@@ -28,5 +28,5 @@
 
   # Don't change (even during upgrades) unless you know what you are doing.
   # See https://search.nixos.org/options?show=system.stateVersion
-  system.stateVersion = "22.11";
+  system.stateVersion = "25.11";
 }

hosts/bekkalokk/services/mediawiki/default.nix

@@ -1,4 +1,4 @@
-{ pkgs, lib, fp, config, values, pkgs-unstable, ... }: let
+{ pkgs, lib, fp, config, values, ... }: let
   cfg = config.services.mediawiki;
 
   # "mediawiki"
@@ -34,6 +34,7 @@ in {
   services.idp.sp-remote-metadata = [ "https://wiki.pvv.ntnu.no/simplesaml/" ];
 
   sops.secrets = lib.pipe [
+    "mediawiki/secret-key"
     "mediawiki/password"
     "mediawiki/postgres_password"
     "mediawiki/simplesamlphp/postgres_password"
@@ -48,6 +49,23 @@ in {
     lib.listToAttrs
   ];
 
+  services.rsync-pull-targets = {
+    enable = true;
+    locations.${cfg.uploadsDir} = {
+      user = "root";
+      rrsyncArgs.ro = true;
+      authorizedKeysAttrs = [
+        "restrict"
+        "from=\"principal.pvv.ntnu.no,${values.hosts.principal.ipv6},${values.hosts.principal.ipv4}\""
+        "no-agent-forwarding"
+        "no-port-forwarding"
+        "no-pty"
+        "no-X11-forwarding"
+      ];
+      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICHFHa3Iq1oKPhbKCAIHgOoWOTkLmIc7yqxeTbut7ig/ mediawiki rsync backup";
+    };
+  };
+
   services.mediawiki = {
     enable = true;
     name = "Programvareverkstedet";
@@ -179,15 +197,15 @@ in {
 
   # Cache directory for simplesamlphp
   # systemd.services.phpfpm-mediawiki.serviceConfig.CacheDirectory = "mediawiki/simplesamlphp";
-  systemd.tmpfiles.settings."10-mediawiki"."/var/cache/mediawiki/simplesamlphp".d = {
+  systemd.tmpfiles.settings."10-mediawiki"."/var/cache/mediawiki/simplesamlphp".d = lib.mkIf cfg.enable {
     user = "mediawiki";
     group = "mediawiki";
     mode = "0770";
   };
 
-  users.groups.mediawiki.members = [ "nginx" ];
+  users.groups.mediawiki.members = lib.mkIf cfg.enable [ "nginx" ];
 
-  services.nginx.virtualHosts."wiki.pvv.ntnu.no" = {
+  services.nginx.virtualHosts."wiki.pvv.ntnu.no" = lib.mkIf cfg.enable {
     kTLS = true;
     forceSSL = true;
     enableACME = true;
@@ -233,4 +251,20 @@ in {
     };
 
   };
+
+  systemd.services.mediawiki-init = lib.mkIf cfg.enable {
+    after = [ "sops-install-secrets.service" ];
+    serviceConfig = {
+      BindReadOnlyPaths = [ "/run/credentials/mediawiki-init.service/secret-key:/var/lib/mediawiki/secret.key" ];
+      LoadCredential = [ "secret-key:${config.sops.secrets."mediawiki/secret-key".path}" ];
+    };
+  };
+
+  systemd.services.phpfpm-mediawiki = lib.mkIf cfg.enable {
+    after = [ "sops-install-secrets.service" ];
+    serviceConfig = {
+      BindReadOnlyPaths = [ "/run/credentials/phpfpm-mediawiki.service/secret-key:/var/lib/mediawiki/secret.key" ];
+      LoadCredential = [ "secret-key:${config.sops.secrets."mediawiki/secret-key".path}" ];
+    };
+  };
 }

hosts/bekkalokk/services/vaultwarden.nix

@@ -1,4 +1,4 @@
-{ config, pkgs, lib, ... }:
+{ config, pkgs, lib, values, ... }:
 let
   cfg = config.services.vaultwarden;
   domain = "pw.pvv.ntnu.no";
@@ -99,4 +99,21 @@ in {
       ];
     };
   };
+
+  services.rsync-pull-targets = {
+    enable = true;
+    locations."/var/lib/vaultwarden" = {
+      user = "root";
+      rrsyncArgs.ro = true;
+      authorizedKeysAttrs = [
+        "restrict"
+        "from=\"principal.pvv.ntnu.no,${values.hosts.principal.ipv6},${values.hosts.principal.ipv4}\""
+        "no-agent-forwarding"
+        "no-port-forwarding"
+        "no-pty"
+        "no-X11-forwarding"
+      ];
+      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB2cDaW52gBtLVaNqoGijvN2ZAVkAWlII5AXUzT3Dswj vaultwarden rsync backup";
+    };
+  };
 }

hosts/bekkalokk/services/webmail/snappymail.nix

@@ -1,4 +1,4 @@
-{ config, lib, fp, pkgs, ... }:
+{ config, lib, fp, pkgs, values, ... }:
 let
   cfg = config.services.snappymail;
 in {
@@ -14,5 +14,21 @@ in {
     enableACME = true;
     kTLS = true;
   };
-}
 
+  services.rsync-pull-targets = {
+    enable = true;
+    locations.${cfg.dataDir} = {
+      user = "root";
+      rrsyncArgs.ro = true;
+      authorizedKeysAttrs = [
+        "restrict"
+        "from=\"principal.pvv.ntnu.no,${values.hosts.principal.ipv6},${values.hosts.principal.ipv4}\""
+        "no-agent-forwarding"
+        "no-port-forwarding"
+        "no-pty"
+        "no-X11-forwarding"
+      ];
+      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJENMnuNsHEeA91oX+cj7Qpex2defSXP/lxznxCAqV03 snappymail rsync backup";
+    };
+  };
+}

hosts/bekkalokk/services/website/fetch-gallery.nix

@@ -3,13 +3,21 @@ let
   galleryDir = config.services.pvv-nettsiden.settings.GALLERY.DIR;
   transferDir = "${config.services.pvv-nettsiden.settings.GALLERY.DIR}-transfer";
 in {
-  users.users.${config.services.pvv-nettsiden.user} = {
-    useDefaultShell = true;
-
-    # This is pushed from microbel:/var/www/www-gallery/build-gallery.sh
-    openssh.authorizedKeys.keys = [
-    ''command="${pkgs.rrsync}/bin/rrsync -wo ${transferDir}",restrict,no-agent-forwarding,no-port-forwarding,no-pty,no-X11-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIjHhC2dikhWs/gG+m7qP1eSohWzTehn4ToNzDSOImyR gallery-publish''
-    ];
+  # This is pushed from microbel:/var/www/www-gallery/build-gallery.sh
+  services.rsync-pull-targets = {
+    enable = true;
+    locations.${transferDir} = {
+      user = config.services.pvv-nettsiden.user;
+      rrsyncArgs.wo = true;
+      authorizedKeysAttrs = [
+        "restrict"
+        "no-agent-forwarding"
+        "no-port-forwarding"
+        "no-pty"
+        "no-X11-forwarding"
+      ];
+      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIjHhC2dikhWs/gG+m7qP1eSohWzTehn4ToNzDSOImyR gallery-publish";
+    };
   };
 
   systemd.paths.pvv-nettsiden-gallery-update = {

hosts/bekkalokk/services/well-known/root/security.txt

@@ -6,7 +6,11 @@ Contact: mailto:cert@pvv.ntnu.no
 Preferred-Languages: no, en
 
 Expires: 2032-12-31T23:59:59.000Z
-# This file was last updated 2024-09-14.
+# This file was last updated 2026-02-27.
 
 # You can find a wikipage for our security policies at:
 # https://wiki.pvv.ntnu.no/wiki/CERT
+
+# Please note that we are a student organization, and unfortunately we do not
+# have a bug bounty program or offer monetary compensation for disclosure of
+# security vulnerabilities.

hosts/bicep/configuration.nix

@@ -9,8 +9,8 @@
     ./services/calendar-bot.nix
     #./services/git-mirrors
     ./services/minecraft-heatmap.nix
-    ./services/mysql.nix
-    ./services/postgres.nix
+    ./services/mysql
+    ./services/postgresql
 
     ./services/matrix
   ];
@@ -30,5 +30,5 @@
 
   # Don't change (even during upgrades) unless you know what you are doing.
   # See https://search.nixos.org/options?show=system.stateVersion
-  system.stateVersion = "22.11";
+  system.stateVersion = "25.11";
 }

hosts/bicep/services/matrix/default.nix

@@ -1,8 +1,9 @@
 { config, ... }:
 {
   imports = [
-    ./synapse.nix
     ./synapse-admin.nix
+    ./synapse-auto-compressor.nix
+    ./synapse.nix
     ./element.nix
     ./coturn.nix
     ./livekit.nix

hosts/bicep/services/matrix/element.nix

@@ -37,6 +37,7 @@ in {
           # element call group calls
           feature_group_calls = true;
         };
+        default_country_code = "NO";
         default_theme = "dark";
         # Servers in this list should provide some sort of valuable scoping
         # matrix.org is not useful compared to matrixrooms.info,

hosts/bicep/services/matrix/hookshot/default.nix

@@ -14,6 +14,10 @@ in
     sopsFile = fp /secrets/bicep/matrix.yaml;
     key = "hookshot/hs_token";
   };
+  sops.secrets."matrix/hookshot/passkey" = {
+    sopsFile = fp /secrets/bicep/matrix.yaml;
+    key = "hookshot/passkey";
+  };
 
   sops.templates."hookshot-registration.yaml" = {
     owner = config.users.users.matrix-synapse.name;
@@ -44,9 +48,14 @@ in
   };
 
   systemd.services.matrix-hookshot = {
-    serviceConfig.SupplementaryGroups = [
-      config.users.groups.keys-matrix-registrations.name
-    ];
+    serviceConfig = {
+      SupplementaryGroups = [
+        config.users.groups.keys-matrix-registrations.name
+      ];
+      LoadCredential = [
+        "passkey.pem:${config.sops.secrets."matrix/hookshot/passkey".path}"
+      ];
+    };
   };
 
   services.matrix-hookshot = {
@@ -54,6 +63,8 @@ in
     package = unstablePkgs.matrix-hookshot;
     registrationFile = config.sops.templates."hookshot-registration.yaml".path;
     settings = {
+      passFile = "/run/credentials/matrix-hookshot.service/passkey.pem";
+
       bridge = {
         bindAddress = "127.0.0.1";
         domain = "pvv.ntnu.no";
@@ -61,6 +72,7 @@ in
         mediaUrl = "https://matrix.pvv.ntnu.no";
         port = 9993;
       };
+
       listeners = [
         {
           bindAddress = webhookListenAddress;
@@ -73,6 +85,7 @@ in
           ];
         }
       ];
+
       generic = {
         enabled = true;
         outbound = true;

hosts/bicep/services/matrix/synapse-auto-compressor.nix

@@ -0,0 +1,56 @@
+{ config, lib, utils, ... }:
+let
+  cfg = config.services.synapse-auto-compressor;
+in
+{
+  services.synapse-auto-compressor = {
+    # enable = true;
+    postgresUrl = "postgresql://matrix-synapse@/synapse?host=/run/postgresql";
+  };
+
+  # NOTE: nixpkgs has some broken asserts, vendored the entire unit
+  systemd.services.synapse-auto-compressor = {
+    description = "synapse-auto-compressor";
+    requires = [
+      "postgresql.target"
+    ];
+    inherit (cfg) startAt;
+    serviceConfig = {
+      Type = "oneshot";
+      DynamicUser = true;
+      User = "matrix-synapse";
+      PrivateTmp = true;
+      ExecStart = utils.escapeSystemdExecArgs [
+        "${cfg.package}/bin/synapse_auto_compressor"
+        "-p"
+        cfg.postgresUrl
+        "-c"
+        cfg.settings.chunk_size
+        "-n"
+        cfg.settings.chunks_to_compress
+        "-l"
+        (lib.concatStringsSep "," (map toString cfg.settings.levels))
+      ];
+      LockPersonality = true;
+      MemoryDenyWriteExecute = true;
+      NoNewPrivileges = true;
+      PrivateDevices = true;
+      PrivateMounts = true;
+      PrivateUsers = true;
+      RemoveIPC = true;
+      RestrictNamespaces = true;
+      RestrictRealtime = true;
+      RestrictSUIDSGID = true;
+      ProcSubset = "pid";
+      ProtectProc = "invisible";
+      ProtectSystem = "strict";
+      ProtectHome = true;
+      ProtectHostname = true;
+      ProtectClock = true;
+      ProtectKernelTunables = true;
+      ProtectKernelModules = true;
+      ProtectKernelLogs = true;
+      ProtectControlGroups = true;
+    };
+  };
+}

hosts/bicep/services/matrix/synapse.nix

@@ -27,6 +27,23 @@ in {
     '';
   };
 
+  services.rsync-pull-targets = {
+    enable = true;
+    locations.${cfg.settings.media_store_path} = {
+      user = "root";
+      rrsyncArgs.ro = true;
+      authorizedKeysAttrs = [
+        "restrict"
+        "from=\"principal.pvv.ntnu.no,${values.hosts.principal.ipv6},${values.hosts.principal.ipv4}\""
+        "no-agent-forwarding"
+        "no-port-forwarding"
+        "no-pty"
+        "no-X11-forwarding"
+      ];
+      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIASnjI9b3j4ZS3BL/D1ggHfws1BkE8iS0v0cGpEmbG+k matrix_media_store rsync backup";
+    };
+  };
+
   services.matrix-synapse-next = {
     enable = true;
 

hosts/bicep/services/minecraft-heatmap.nix

@@ -22,7 +22,7 @@ in
     };
   };
 
-  systemd.services.minecraft-heatmap-ingest-logs = {
+  systemd.services.minecraft-heatmap-ingest-logs = lib.mkIf cfg.enable {
     serviceConfig.LoadCredential = [
       "sshkey:${config.sops.secrets."minecraft-heatmap/ssh-key/private".path}"
     ];

hosts/bicep/services/mysql/backup.nix

@@ -0,0 +1,83 @@
+{ config, lib, pkgs, values, ... }:
+let
+  cfg = config.services.mysql;
+  backupDir = "/data/mysql-backups";
+in
+{
+  # services.mysqlBackup = lib.mkIf cfg.enable {
+  #   enable = true;
+  #   location = "/var/lib/mysql-backups";
+  # };
+
+  systemd.tmpfiles.settings."10-mysql-backups".${backupDir}.d = {
+	  user = "mysql";
+	  group = "mysql";
+	  mode = "700";
+	};
+
+  services.rsync-pull-targets = lib.mkIf cfg.enable {
+    enable = true;
+    locations.${backupDir} = {
+      user = "root";
+      rrsyncArgs.ro = true;
+      authorizedKeysAttrs = [
+        "restrict"
+        "from=\"principal.pvv.ntnu.no,${values.hosts.principal.ipv6},${values.hosts.principal.ipv4}\""
+        "no-agent-forwarding"
+        "no-port-forwarding"
+        "no-pty"
+        "no-X11-forwarding"
+      ];
+      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJgj55/7Cnj4cYMJ5sIkl+OwcGeBe039kXJTOf2wvo9j mysql rsync backup";
+    };
+  };
+
+  # NOTE: instead of having the upstream nixpkgs postgres backup unit trigger
+  #       another unit, it was easier to just make one ourselves.
+  systemd.services."backup-mysql" = lib.mkIf cfg.enable {
+    description = "Backup MySQL data";
+    requires = [ "mysql.service" ];
+
+    path = with pkgs; [
+      cfg.package
+      coreutils
+      zstd
+    ];
+
+    script = let
+      rotations = 2;
+    in ''
+      set -euo pipefail
+
+      OUT_FILE="$STATE_DIRECTORY/mysql-dump-$(date --iso-8601).sql.zst"
+
+      mysqldump --all-databases | zstd --compress -9 --rsyncable -o "$OUT_FILE"
+
+      # NOTE: this needs to be a hardlink for rrsync to allow sending it
+      rm "$STATE_DIRECTORY/mysql-dump-latest.sql.zst" ||:
+      ln -T "$OUT_FILE" "$STATE_DIRECTORY/mysql-dump-latest.sql.zst"
+
+      while [ "$(find "$STATE_DIRECTORY" -type f -printf '.' | wc -c)" -gt ${toString (rotations + 1)} ]; do
+        rm "$(find "$STATE_DIRECTORY" -type f -printf '%T+ %p\n' | sort | head -n 1 | cut -d' ' -f2)"
+      done
+    '';
+
+    serviceConfig = {
+      Type = "oneshot";
+      User = "mysql";
+      Group = "mysql";
+      UMask = "0077";
+
+      Nice = 19;
+      IOSchedulingClass = "best-effort";
+      IOSchedulingPriority = 7;
+
+      StateDirectory = [ "mysql-backups" ];
+      BindPaths = [ "${backupDir}:/var/lib/mysql-backups" ];
+
+      # TODO: hardening
+    };
+
+    startAt = "*-*-* 02:15:00";
+  };
+}

hosts/bicep/services/mysql/default.nix

@@ -1,5 +1,11 @@
-{ pkgs, lib, config, values, ... }:
+{ config, pkgs, lib, values, ... }:
+let
+  cfg = config.services.mysql;
+  dataDir = "/data/mysql";
+in
 {
+  imports = [ ./backup.nix ];
+
   sops.secrets."mysql/password" = {
     owner = "mysql";
     group = "mysql";
@@ -9,8 +15,7 @@
 
   services.mysql = {
     enable = true;
-    dataDir = "/data/mysql";
-    package = pkgs.mariadb;
+    package = pkgs.mariadb_118;
     settings = {
       mysqld = {
         # PVV allows a lot of connections at the same time
@@ -21,6 +26,9 @@
         # This was needed in order to be able to use all of the old users
         # during migration from knakelibrak to bicep in Sep. 2023
         secure_auth = 0;
+
+        slow-query-log = 1;
+        slow-query-log-file = "/var/log/mysql/mysql-slow.log";
       };
     };
 
@@ -36,20 +44,31 @@
     }];
   };
 
-  services.mysqlBackup = {
-    enable = true;
-    location = "/var/lib/mysql/backups";
+  networking.firewall.allowedTCPPorts = lib.mkIf cfg.enable [ 3306 ];
+
+  systemd.tmpfiles.settings."10-mysql".${dataDir}.d = lib.mkIf cfg.enable {
+    inherit (cfg) user group;
+    mode = "0700";
   };
 
-  networking.firewall.allowedTCPPorts = [ 3306 ];
-
-  systemd.services.mysql.serviceConfig = {
-    IPAddressDeny = "any";
-    IPAddressAllow = [
-      values.ipv4-space
-      values.ipv6-space
-      values.hosts.ildkule.ipv4
-      values.hosts.ildkule.ipv6
+  systemd.services.mysql = lib.mkIf cfg.enable {
+    after = [
+      "systemd-tmpfiles-setup.service"
+      "systemd-tmpfiles-resetup.service"
     ];
+
+    serviceConfig = {
+      BindPaths = [ "${dataDir}:${cfg.dataDir}" ];
+
+      LogsDirectory = "mysql";
+
+      IPAddressDeny = "any";
+      IPAddressAllow = [
+        values.ipv4-space
+        values.ipv6-space
+        values.hosts.ildkule.ipv4
+        values.hosts.ildkule.ipv6
+      ];
+    };
   };
 }

hosts/bicep/services/postgresql/backup.nix

@@ -0,0 +1,84 @@
+{ config, lib, pkgs, values, ... }:
+let
+  cfg = config.services.postgresql;
+  backupDir = "/data/postgresql-backups";
+in
+{
+  # services.postgresqlBackup = lib.mkIf cfg.enable {
+  #   enable = true;
+  #   location = "/var/lib/postgresql-backups";
+  #   backupAll = true;
+  # };
+
+  systemd.tmpfiles.settings."10-postgresql-backups".${backupDir}.d = {
+	  user = "postgres";
+	  group = "postgres";
+	  mode = "700";
+	};
+
+  services.rsync-pull-targets = lib.mkIf cfg.enable {
+    enable = true;
+    locations.${backupDir} = {
+      user = "root";
+      rrsyncArgs.ro = true;
+      authorizedKeysAttrs = [
+        "restrict"
+        "from=\"principal.pvv.ntnu.no,${values.hosts.principal.ipv6},${values.hosts.principal.ipv4}\""
+        "no-agent-forwarding"
+        "no-port-forwarding"
+        "no-pty"
+        "no-X11-forwarding"
+      ];
+      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGvO7QX7QmwSiGLXEsaxPIOpAqnJP3M+qqQRe5dzf8gJ postgresql rsync backup";
+    };
+  };
+
+  # NOTE: instead of having the upstream nixpkgs postgres backup unit trigger
+  #       another unit, it was easier to just make one ourselves
+  systemd.services."backup-postgresql" = {
+    description = "Backup PostgreSQL data";
+    requires = [ "postgresql.service" ];
+
+    path = with pkgs; [
+      coreutils
+      zstd
+      cfg.package
+    ];
+
+    script = let
+      rotations = 2;
+    in ''
+      set -euo pipefail
+
+      OUT_FILE="$STATE_DIRECTORY/postgresql-dump-$(date --iso-8601).sql.zst"
+
+      pg_dumpall -U postgres | zstd --compress -9 --rsyncable -o "$OUT_FILE"
+
+      # NOTE: this needs to be a hardlink for rrsync to allow sending it
+      rm "$STATE_DIRECTORY/postgresql-dump-latest.sql.zst" ||:
+      ln -T "$OUT_FILE" "$STATE_DIRECTORY/postgresql-dump-latest.sql.zst"
+
+      while [ "$(find "$STATE_DIRECTORY" -type f -printf '.' | wc -c)" -gt ${toString (rotations + 1)} ]; do
+        rm "$(find "$STATE_DIRECTORY" -type f -printf '%T+ %p\n' | sort | head -n 1 | cut -d' ' -f2)"
+      done
+    '';
+
+    serviceConfig = {
+      Type = "oneshot";
+      User = "postgres";
+      Group = "postgres";
+      UMask = "0077";
+
+      Nice = 19;
+      IOSchedulingClass = "best-effort";
+      IOSchedulingPriority = 7;
+
+      StateDirectory = [ "postgresql-backups" ];
+      BindPaths = [ "${backupDir}:/var/lib/postgresql-backups" ];
+
+      # TODO: hardening
+    };
+
+    startAt = "*-*-* 01:15:00";
+  };
+}

hosts/bicep/services/postgresql/default.nix

@@ -1,8 +1,13 @@
-{ config, pkgs, values, ... }:
+{ config, lib, pkgs, values, ... }:
+let
+  cfg = config.services.postgresql;
+in
 {
+  imports = [ ./backup.nix ];
+
   services.postgresql = {
     enable = true;
-    package = pkgs.postgresql_15;
+    package = pkgs.postgresql_18;
     enableTCPIP = true;
 
     authentication = ''
@@ -74,13 +79,13 @@
     };
   };
 
-  systemd.tmpfiles.settings."10-postgresql"."/data/postgresql".d = {
+  systemd.tmpfiles.settings."10-postgresql"."/data/postgresql".d = lib.mkIf cfg.enable {
     user = config.systemd.services.postgresql.serviceConfig.User;
     group = config.systemd.services.postgresql.serviceConfig.Group;
     mode = "0700";
   };
 
-  systemd.services.postgresql-setup = {
+  systemd.services.postgresql-setup = lib.mkIf cfg.enable {
     after = [
       "systemd-tmpfiles-setup.service"
       "systemd-tmpfiles-resetup.service"
@@ -95,7 +100,7 @@
     };
   };
 
-  systemd.services.postgresql = {
+  systemd.services.postgresql = lib.mkIf cfg.enable {
     after = [
       "systemd-tmpfiles-setup.service"
       "systemd-tmpfiles-resetup.service"
@@ -110,18 +115,12 @@
     };
   };
 
-  environment.snakeoil-certs."/etc/certs/postgres" = {
+  environment.snakeoil-certs."/etc/certs/postgres" = lib.mkIf cfg.enable {
     owner = "postgres";
     group = "postgres";
     subject = "/C=NO/O=Programvareverkstedet/CN=postgres.pvv.ntnu.no/emailAddress=drift@pvv.ntnu.no";
   };
 
-  networking.firewall.allowedTCPPorts = [ 5432 ];
-  networking.firewall.allowedUDPPorts = [ 5432 ];
-
-  services.postgresqlBackup = {
-    enable = true;
-    location = "/var/lib/postgres/backups";
-    backupAll = true;
-  };
+  networking.firewall.allowedTCPPorts = lib.mkIf cfg.enable [ 5432 ];
+  networking.firewall.allowedUDPPorts = lib.mkIf cfg.enable [ 5432 ];
 }

hosts/brzeczyszczykiewicz/configuration.nix

@@ -17,5 +17,5 @@
 
   # Don't change (even during upgrades) unless you know what you are doing.
   # See https://search.nixos.org/options?show=system.stateVersion
-  system.stateVersion = "23.05";
+  system.stateVersion = "25.11";
 }

hosts/dagali/TODO.md

@@ -0,0 +1,78 @@
+# Tracking document for new PVV kerberos auth stack
+
+![Bensinstasjon på heimdal](https://bydelsnytt.no/wp-content/uploads/2022/08/esso_heimdal003.jpg)
+
+<div align="center">
+  Bensinstasjon på heimdal
+</div>
+
+### TODO:
+
+- [ ] setup heimdal
+  - [x] ensure running with systemd
+  - [x] compile smbk5pwd (part of openldap)
+  - [ ] set `modify -a -disallow-all-tix,requires-pre-auth default` declaratively
+  - [ ] fully initialize PVV.NTNU.NO
+    - [x] `kadmin -l init PVV.NTNU.NO`
+    - [x] add oysteikt/admin@PVV.NTNU.NO principal
+    - [x] add oysteikt@PVV.NTNU.NO principal
+    - [x] add krbtgt/PVV.NTNU.NO@PVV.NTNU.NO principal?
+      - why is this needed, and where is it documented?
+      - `kadmin check` seems to work under sudo?
+      - (it is included by default, just included as error message
+         in a weird state)
+
+    - [x] Ensure client is working correctly
+      - [x] Ensure kinit works on darbu
+      - [x] Ensure kpasswd works on darbu
+      - [x] Ensure kadmin get <user> (and other restricted commands) works on darbu
+
+    - [ ] Ensure kdc is working correctly
+      - [x] Ensure kinit works on dagali
+      - [x] Ensure kpasswd works on dagali
+      - [ ] Ensure kadmin get <user> (and other restricte commands) works on dagali
+
+    - [x] Fix FQDN
+      - https://github.com/NixOS/nixpkgs/issues/94011
+      - https://github.com/NixOS/nixpkgs/issues/261269
+      - Possibly fixed by disabling systemd-resolved
+
+- [ ] setup cyrus sasl
+  - [x] ensure running with systemd 
+  - [x] verify GSSAPI support plugin is installed
+    - `nix-shell -p cyrus_sasl --command pluginviewer`
+  - [x] create "host/localhost@PVV.NTNU.NO" and export to keytab
+  - [x] verify cyrus sasl is able to talk to heimdal
+    - `sudo testsaslauthd -u oysteikt -p <password>`
+  - [ ] provide ldap principal to cyrus sasl through keytab
+
+- [ ] setup openldap
+  - [x] ensure running with systemd
+  - [ ] verify openldap is able to talk to cyrus sasl
+  - [ ] create user for oysteikt in openldap
+  - [ ] authenticate openldap login through sasl
+    - does this require creating an ldap user?
+
+- [ ] fix smbk5pwd integration
+  - [x] add smbk5pwd schemas to openldap
+  - [x] create openldap db for smbk5pwd with overlays
+  - [ ] test to ensure that user sync is working
+  - [ ] test as user source (replace passwd)
+  - [ ] test as PAM auth source
+  - [ ] test as auth source for 3rd party appliation
+
+- [ ] Set up ldap administration panel
+  - Doesn't seem like there are many good ones out there. Maybe phpLDAPAdmin?
+
+- [ ] Set up kerberos SRV DNS entry
+
+### Information and URLS
+
+- OpenLDAP SASL: https://www.openldap.org/doc/admin24/sasl.html
+- Use a keytab: https://kb.iu.edu/d/aumh
+- 2 ways for openldap to auth: https://security.stackexchange.com/questions/65093/how-to-test-ldap-that-authenticates-with-kerberos
+- Cyrus guide OpenLDAP + SASL + GSSAPI: https://www.cyrusimap.org/sasl/sasl/faqs/openldap-sasl-gssapi.html
+- Configuring GSSAPI and Cyrus SASL: https://web.mit.edu/darwin/src/modules/passwordserver_sasl/cyrus_sasl/doc/gssapi.html
+- PVV Kerberos docs: https://wiki.pvv.ntnu.no/wiki/Drift/Kerberos
+- OpenLDAP smbk5pwd source: https://git.openldap.org/nivanova/openldap/-/tree/master/contrib/slapd-modules/smbk5pwd
+- saslauthd(8): https://linux.die.net/man/8/saslauthd

hosts/dagali/configuration.nix

@@ -0,0 +1,51 @@
+
+{ config, pkgs, values, lib, ... }:
+{
+  imports = [
+    ./hardware-configuration.nix
+    ../../base.nix
+    ../../misc/metrics-exporters.nix
+
+    ./services/heimdal.nix
+    #./services/openldap.nix
+    ./services/cyrus-sasl.nix
+  ];
+
+  # buskerud does not support efi?
+  # boot.loader.systemd-boot.enable = true;
+  # boot.loader.efi.canTouchEfiVariables = true;
+  boot.loader.grub.enable = true;
+  boot.loader.grub.device = "/dev/sda";
+
+  # resolved messes up FQDN coming from nscd
+  services.resolved.enable = false;
+
+  networking.hostName = "dagali";
+  networking.domain = lib.mkForce "pvv.local";
+  networking.hosts = {
+    "129.241.210.185" = [ "dagali.pvv.local" ];
+  };
+  #networking.search = [ "pvv.ntnu.no" "pvv.org" ];
+  networking.nameservers = [ "129.241.0.200" "129.241.0.201" ];
+  networking.tempAddresses = "disabled";
+  networking.networkmanager.enable = true;
+
+  systemd.network.networks."ens18" = values.defaultNetworkConfig // {
+    matchConfig.Name = "ens18";
+    address = with values.hosts.dagali; [ (ipv4 + "/25") (ipv6 + "/64") ];
+  };
+
+  # List packages installed in system profile
+  environment.systemPackages = with pkgs; [
+    # TODO: consider adding to base.nix
+    nix-output-monitor
+  ];
+
+  # This value determines the NixOS release from which the default
+  # settings for stateful data, like file locations and database versions
+  # on your system were taken. It‘s perfectly fine and recommended to leave
+  # this value at the release version of the first install of this system.
+  # Before changing this value read the documentation for this option
+  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+  system.stateVersion = "24.05"; # Did you read the comment?
+}

hosts/dagali/hardware-configuration.nix

@@ -0,0 +1,33 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/profiles/qemu-guest.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/4de345e2-be41-4d10-9b90-823b2c77e9b3";
+      fsType = "ext4";
+    };
+
+  swapDevices =
+    [ { device = "/dev/disk/by-uuid/aa4b9a97-a7d8-4608-9f67-4ad084f1baf7"; }
+    ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.ens18.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}

hosts/dagali/services/cyrus-sasl.nix

@@ -0,0 +1,21 @@
+{ config, ... }:
+let
+  cfg = config.services.saslauthd;
+in
+{
+  # TODO: This is seemingly required for openldap to authenticate
+  #       against kerberos, but I have no idea how to configure it as
+  #       such. Does it need a keytab? There's a binary "testsaslauthd"
+  #       that follows with `pkgs.cyrus_sasl` that might be useful.
+  services.saslauthd = {
+    enable = true;
+    mechanism = "kerberos5";
+    config = ''
+      mech_list: gs2-krb5 gssapi
+      keytab: /etc/krb5.keytab
+    '';
+  };
+
+  # TODO: maybe the upstream module should consider doing this?
+  environment.systemPackages = [ cfg.package ];
+}

hosts/dagali/services/heimdal.nix

@@ -0,0 +1,100 @@
+{ config, pkgs, lib, ... }:
+let
+  realm = "PVV.LOCAL";
+  cfg = config.security.krb5;
+in
+{
+  security.krb5 = {
+    enable = true;
+
+    # NOTE: This is required in order to build smbk5pwd, because of some nested includes.
+    #       We should open an issue upstream (heimdal, not nixpkgs), but this patch
+    #       will do for now.
+    package = pkgs.heimdal.overrideAttrs (prev: {
+      postInstall = prev.postInstall + ''
+        cp include/heim_threads.h $dev/include
+      '';
+    });
+
+    settings = {
+      realms.${realm} = {
+        kdc = [ "dagali.${lib.toLower realm}" ];
+        admin_server = "dagali.${lib.toLower realm}";
+        kpasswd_server = "dagali.${lib.toLower realm}";
+        default_domain = lib.toLower realm;
+        primary_kdc = "dagali.${lib.toLower realm}";
+      };
+
+      kadmin.default_keys = lib.concatStringsSep " " [
+        "aes256-cts-hmac-sha1-96:pw-salt"
+        "aes128-cts-hmac-sha1-96:pw-salt"
+      ];
+
+      libdefaults.default_etypes = lib.concatStringsSep " " [
+        "aes256-cts-hmac-sha1-96"
+        "aes128-cts-hmac-sha1-96"
+      ];
+
+      libdefaults = {
+        default_realm = realm;
+        dns_lookup_kdc = false;
+        dns_lookup_realm = false;
+      };
+
+      domain_realm = {
+        "${lib.toLower realm}" = realm;
+        ".${lib.toLower realm}" = realm;
+      };
+
+      logging = {
+        # kdc = "CONSOLE";
+        kdc = "SYSLOG:DEBUG:AUTH";
+        admin_server = "SYSLOG:DEBUG:AUTH";
+        default = "SYSLOG:DEBUG:AUTH";
+      };
+    };
+  };
+
+  services.kerberos_server = {
+    enable = true;
+    settings = {
+      realms.${realm} = {
+        dbname = "/var/lib/heimdal/heimdal";
+        mkey = "/var/lib/heimdal/m-key";
+        acl = [
+          {
+            principal = "kadmin/admin";
+            access = "all";
+          }
+          {
+            principal = "felixalb/admin";
+            access = "all";
+          }
+          {
+            principal = "oysteikt/admin";
+            access = "all";
+          }
+        ];
+      };
+      # kadmin.default_keys = lib.concatStringsSep " " [
+      #   "aes256-cts-hmac-sha1-96:pw-salt"
+      #   "aes128-cts-hmac-sha1-96:pw-salt"
+      # ];
+
+      # libdefaults.default_etypes = lib.concatStringsSep " " [
+      #   "aes256-cts-hmac-sha1-96"
+      #   "aes128-cts-hmac-sha1-96"
+      # ];
+
+      # password_quality.min_length = 8;
+    };
+  };
+
+  networking.firewall.allowedTCPPorts = [ 88 464 749 ];
+  networking.firewall.allowedUDPPorts = [ 88 464 749 ];
+
+  networking.hosts = {
+    "127.0.0.2" = lib.mkForce [ ];
+    "::1" = lib.mkForce [ ];
+  };
+}

hosts/dagali/services/openldap.nix

@@ -0,0 +1,121 @@
+{ config, pkgs, lib, ... }:
+{
+  services.openldap = let
+    dn = "dc=pvv,dc=ntnu,dc=no";
+    cfg = config.services.openldap;
+
+    heimdal = config.security.krb5.package;
+  in {
+    enable = true;
+
+    # NOTE: this is a custom build of openldap with support for
+    #       perl and kerberos.
+    package = pkgs.openldap.overrideAttrs (prev: {
+      # https://github.com/openldap/openldap/blob/master/configure
+      configureFlags = prev.configureFlags ++ [
+        # Connect to slapd via UNIX socket
+        "--enable-local"
+        # Cyrus SASL
+        "--enable-spasswd"
+        # Reverse hostname lookups
+        "--enable-rlookups"
+        # perl
+        "--enable-perl"
+      ];
+
+      buildInputs = prev.buildInputs ++ [
+        pkgs.perl
+	# NOTE: do not upstream this, it might not work with
+	#       MIT in the same way
+        heimdal
+      ];
+
+      extraContribModules = prev.extraContribModules ++ [
+        # https://git.openldap.org/openldap/openldap/-/tree/master/contrib/slapd-modules
+        "smbk5pwd"
+      ];
+    });
+
+    settings = {
+      attrs = {
+        olcLogLevel = [ "stats" "config" "args" ];
+
+        # olcAuthzRegexp = ''
+        #   gidNumber=.*\\\+uidNumber=0,cn=peercred,cn=external,cn=auth
+        #         "uid=heimdal,${dn2}"
+        # '';
+
+        # olcSaslSecProps = "minssf=0";
+      };
+
+      children = {
+        "cn=schema".includes = let
+          # NOTE: needed for smbk5pwd.so module
+          schemaToLdif = name: path: pkgs.runCommandNoCC name {
+            buildInputs = with pkgs; [ schema2ldif ];
+          } ''
+            schema2ldif "${path}" > $out
+          '';
+
+          hdb-ldif = schemaToLdif "hdb.ldif" "${heimdal.src}/lib/hdb/hdb.schema";
+          samba-ldif = schemaToLdif "samba.ldif" "${heimdal.src}/tests/ldap/samba.schema";
+        in [
+           "${cfg.package}/etc/schema/core.ldif"
+           "${cfg.package}/etc/schema/cosine.ldif"
+           "${cfg.package}/etc/schema/nis.ldif"
+           "${cfg.package}/etc/schema/inetorgperson.ldif"
+           "${hdb-ldif}"
+           "${samba-ldif}"
+        ];
+
+        # NOTE: installation of smbk5pwd.so module
+        #       https://git.openldap.org/openldap/openldap/-/tree/master/contrib/slapd-modules/smbk5pwd
+        "cn=module{0}".attrs = {
+          objectClass = [ "olcModuleList" ];
+          olcModuleLoad = [ "${cfg.package}/lib/modules/smbk5pwd.so" ];
+        };
+
+        # NOTE: activation of smbk5pwd.so module for {1}mdb
+        "olcOverlay={0}smbk5pwd,olcDatabase={1}mdb".attrs = {
+          objectClass = [ "olcOverlayConfig" "olcSmbK5PwdConfig" ];
+          olcOverlay = "{0}smbk5pwd";
+          olcSmbK5PwdEnable = [ "krb5" "samba" ];
+          olcSmbK5PwdMustChange = toString (60 * 60 * 24 * 10000);
+        };
+
+        "olcDatabase={1}mdb".attrs = {
+          objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ];
+
+          olcDatabase = "{1}mdb";
+
+          olcSuffix = dn;
+
+          # TODO: PW is supposed to be a secret, but it's probably fine for testing
+          olcRootDN = "cn=users,${dn}";
+
+          # TODO: replace with proper secret
+          olcRootPW.path = pkgs.writeText "olcRootPW" "pass";
+
+          olcDbDirectory = "/var/lib/openldap/test-smbk5pwd-db";
+          olcDbIndex = "objectClass eq";
+
+          olcAccess = [
+            ''{0}to attrs=userPassword,shadowLastChange
+                by dn.exact=cn=users,${dn} write
+                by self write
+                by anonymous auth
+                by * none''
+
+            ''{1}to dn.base=""
+                by * read''
+
+            /* allow read on anything else */
+            # ''{2}to *
+            #     by cn=users,${dn} write by dn.exact=gidNumber=0+uidNumber=0+cn=peercred,cn=external write
+            #     by * read''
+          ];
+        };
+      };
+    };
+  };
+}

hosts/georg/configuration.nix

@@ -32,5 +32,5 @@
 
   # Don't change (even during upgrades) unless you know what you are doing.
   # See https://search.nixos.org/options?show=system.stateVersion
-  system.stateVersion = "23.05";
+  system.stateVersion = "25.11";
 }

hosts/gluttony/configuration.nix

@@ -11,6 +11,15 @@
   ];
 
   systemd.network.enable = lib.mkForce false;
+  boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
+
+  boot.loader = {
+    systemd-boot.enable = false; # no uefi support on this device
+    grub.device = "/dev/sda";
+    grub.enable = true;
+  };
+  boot.tmp.cleanOnBoot = true;
+
   networking =
     let
       hostConf = values.hosts.gluttony;

hosts/ildkule/services/monitoring/dashboards/mysql.json

@@ -13,7 +13,7 @@
     ]
   },
   "description": "",
-  "editable": true,
+  "editable": false,
   "gnetId": 11323,
   "graphTooltip": 1,
   "id": 31,
@@ -1899,7 +1899,7 @@
       "dashes": false,
       "datasource": "$datasource",
       "decimals": 0,
-      "description": "***System Memory***: Total Memory for the system.\\\n***InnoDB Buffer Pool Data***: InnoDB maintains a storage area called the buffer pool for caching data and indexes in memory.\\\n***TokuDB Cache Size***: Similar in function to the InnoDB Buffer Pool,  TokuDB will allocate 50% of the installed RAM for its own cache.\\\n***Key Buffer Size***: Index blocks for MYISAM tables are buffered and are shared by all threads. key_buffer_size is the size of the buffer used for index blocks.\\\n***Adaptive Hash Index Size***: When InnoDB notices that some index values are being accessed very frequently, it builds a hash index for them in memory on top of B-Tree indexes.\\\n ***Query Cache Size***: The query cache stores the text of a SELECT statement together with the corresponding result that was sent to the client. The query cache has huge scalability problems in that only one thread can do an operation in the query cache at the same time.\\\n***InnoDB Dictionary Size***: The data dictionary is InnoDB 's internal catalog of tables. InnoDB stores the data dictionary on disk, and loads entries into memory while the server is running.\\\n***InnoDB Log Buffer Size***: The MySQL InnoDB log buffer allows transactions to run without having to write the log to disk before the transactions commit.",
+      "description": "***System Memory***: Total Memory for the system.\\\n***InnoDB Buffer Pool Data***: InnoDB maintains a storage area called the buffer pool for caching data and indexes in memory.\\\n***TokuDB Cache Size***: Similar in function to the InnoDB Buffer Pool,  TokuDB will allocate 50% of the installed RAM for its own cache.\\\n***Key Buffer Size***: Index blocks for MYISAM tables are buffered and are shared by all threads. key_buffer_size is the size of the buffer used for index blocks.\\\n***Adaptive Hash Index Size***: When InnoDB notices that some index values are being accessed very frequently, it builds a hash index for them in memory on top of B-Tree indexes.\\\n ***Query Cache Size***: The query cache stores the text of a SELECT statement together with the corresponding result that was sent to the client. The query cache has huge scalability problems in that only one thread can do an operation in the query cache at the same time.\\\n***InnoDB Dictionary Size***: The data dictionary is InnoDB ‘s internal catalog of tables. InnoDB stores the data dictionary on disk, and loads entries into memory while the server is running.\\\n***InnoDB Log Buffer Size***: The MySQL InnoDB log buffer allows transactions to run without having to write the log to disk before the transactions commit.",
       "editable": true,
       "error": false,
       "fieldConfig": {
@@ -3690,7 +3690,7 @@
         },
         "hide": 0,
         "includeAll": false,
-        "label": "Data Source",
+        "label": "Data source",
         "multi": false,
         "name": "datasource",
         "options": [],
@@ -3713,12 +3713,12 @@
         "definition": "label_values(mysql_up, job)",
         "hide": 0,
         "includeAll": true,
-        "label": "job",
+        "label": "Job",
         "multi": true,
         "name": "job",
         "options": [],
         "query": "label_values(mysql_up, job)",
-        "refresh": 1,
+        "refresh": 2,
         "regex": "",
         "skipUrlSync": false,
         "sort": 0,
@@ -3742,12 +3742,12 @@
         "definition": "label_values(mysql_up, instance)",
         "hide": 0,
         "includeAll": true,
-        "label": "instance",
+        "label": "Instance",
         "multi": true,
         "name": "instance",
         "options": [],
         "query": "label_values(mysql_up, instance)",
-        "refresh": 1,
+        "refresh": 2,
         "regex": "",
         "skipUrlSync": false,
         "sort": 0,

hosts/ildkule/services/monitoring/dashboards/postgres.json

@@ -328,7 +328,7 @@
         "rgba(50, 172, 45, 0.97)"
       ],
       "datasource": "${DS_PROMETHEUS}",
-      "format": "decbytes",
+      "format": "short",
       "gauge": {
         "maxValue": 100,
         "minValue": 0,
@@ -411,7 +411,7 @@
         "rgba(50, 172, 45, 0.97)"
       ],
       "datasource": "${DS_PROMETHEUS}",
-      "format": "decbytes",
+      "format": "short",
       "gauge": {
         "maxValue": 100,
         "minValue": 0,
@@ -1410,7 +1410,7 @@
       "tableColumn": "",
       "targets": [
         {
-          "expr": "pg_settings_seq_page_cost",
+          "expr": "pg_settings_seq_page_cost{instance=\"$instance\"}",
           "format": "time_series",
           "intervalFactor": 1,
           "refId": "A"
@@ -1872,7 +1872,7 @@
       },
       "yaxes": [
         {
-          "format": "bytes",
+          "format": "short",
           "label": null,
           "logBase": 1,
           "max": null,
@@ -1966,7 +1966,7 @@
       },
       "yaxes": [
         {
-          "format": "bytes",
+          "format": "short",
           "label": null,
           "logBase": 1,
           "max": null,
@@ -2060,7 +2060,7 @@
       },
       "yaxes": [
         {
-          "format": "bytes",
+          "format": "short",
           "label": null,
           "logBase": 1,
           "max": null,
@@ -2251,7 +2251,7 @@
       },
       "yaxes": [
         {
-          "format": "bytes",
+          "format": "short",
           "label": null,
           "logBase": 1,
           "max": null,
@@ -2439,7 +2439,7 @@
       },
       "yaxes": [
         {
-          "format": "bytes",
+          "format": "short",
           "label": null,
           "logBase": 1,
           "max": null,
@@ -2589,35 +2589,35 @@
       "steppedLine": false,
       "targets": [
         {
-          "expr": "irate(pg_stat_bgwriter_buffers_backend{instance=\"$instance\"}[5m])",
+          "expr": "irate(pg_stat_bgwriter_buffers_backend_total{instance=\"$instance\"}[5m])",
           "format": "time_series",
           "intervalFactor": 1,
           "legendFormat": "buffers_backend",
           "refId": "A"
         },
         {
-          "expr": "irate(pg_stat_bgwriter_buffers_alloc{instance=\"$instance\"}[5m])",
+          "expr": "irate(pg_stat_bgwriter_buffers_alloc_total{instance=\"$instance\"}[5m])",
           "format": "time_series",
           "intervalFactor": 1,
           "legendFormat": "buffers_alloc",
           "refId": "B"
         },
         {
-          "expr": "irate(pg_stat_bgwriter_buffers_backend_fsync{instance=\"$instance\"}[5m])",
+          "expr": "irate(pg_stat_bgwriter_buffers_backend_fsync_total{instance=\"$instance\"}[5m])",
           "format": "time_series",
           "intervalFactor": 1,
           "legendFormat": "backend_fsync",
           "refId": "C"
         },
         {
-          "expr": "irate(pg_stat_bgwriter_buffers_checkpoint{instance=\"$instance\"}[5m])",
+          "expr": "irate(pg_stat_bgwriter_buffers_checkpoint_total{instance=\"$instance\"}[5m])",
           "format": "time_series",
           "intervalFactor": 1,
           "legendFormat": "buffers_checkpoint",
           "refId": "D"
         },
         {
-          "expr": "irate(pg_stat_bgwriter_buffers_clean{instance=\"$instance\"}[5m])",
+          "expr": "irate(pg_stat_bgwriter_buffers_clean_total{instance=\"$instance\"}[5m])",
           "format": "time_series",
           "intervalFactor": 1,
           "legendFormat": "buffers_clean",
@@ -2886,14 +2886,14 @@
       "steppedLine": false,
       "targets": [
         {
-          "expr": "irate(pg_stat_bgwriter_checkpoint_write_time{instance=\"$instance\"}[5m])",
+          "expr": "irate(pg_stat_bgwriter_checkpoint_write_time_total{instance=\"$instance\"}[5m])",
           "format": "time_series",
           "intervalFactor": 1,
           "legendFormat": "write_time - Total amount of time that has been spent in the portion of checkpoint processing where files are written to disk.",
           "refId": "B"
         },
         {
-          "expr": "irate(pg_stat_bgwriter_checkpoint_sync_time{instance=\"$instance\"}[5m])",
+          "expr": "irate(pg_stat_bgwriter_checkpoint_sync_time_total{instance=\"$instance\"}[5m])",
           "format": "time_series",
           "intervalFactor": 1,
           "legendFormat": "sync_time - Total amount of time that has been spent in the portion of checkpoint processing where files are synchronized to disk.",
@@ -3164,4 +3164,4 @@
   "title": "PostgreSQL Database",
   "uid": "000000039",
   "version": 1
-}
+}

hosts/ildkule/services/monitoring/grafana.nix

@@ -47,13 +47,13 @@ in {
         {
           name = "Node Exporter Full";
           type = "file";
-          url = "https://grafana.com/api/dashboards/1860/revisions/29/download";
+          url = "https://grafana.com/api/dashboards/1860/revisions/42/download";
           options.path = dashboards/node-exporter-full.json;
         }
         {
           name = "Matrix Synapse";
           type = "file";
-          url = "https://raw.githubusercontent.com/matrix-org/synapse/develop/contrib/grafana/synapse.json";
+          url = "https://github.com/element-hq/synapse/raw/refs/heads/develop/contrib/grafana/synapse.json";
           options.path = dashboards/synapse.json;
         }
         {
@@ -65,15 +65,9 @@ in {
         {
           name = "Postgresql";
           type = "file";
-          url = "https://grafana.com/api/dashboards/9628/revisions/7/download";
+          url = "https://grafana.com/api/dashboards/9628/revisions/8/download";
           options.path = dashboards/postgres.json;
         }
-        {
-          name = "Go Processes (gogs)";
-          type = "file";
-          url = "https://grafana.com/api/dashboards/240/revisions/3/download";
-          options.path = dashboards/go-processes.json;
-        }
         {
           name = "Gitea Dashboard";
           type = "file";

hosts/ildkule/services/monitoring/prometheus/machines.nix

@@ -19,15 +19,18 @@ in {
       (mkHostScrapeConfig "bicep" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
       (mkHostScrapeConfig "brzeczyszczykiewicz" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
       (mkHostScrapeConfig "georg" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
+      (mkHostScrapeConfig "gluttony" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
       (mkHostScrapeConfig "kommode" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
-      (mkHostScrapeConfig "ustetind" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
-      (mkHostScrapeConfig "wenche" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
-
       (mkHostScrapeConfig "lupine-1" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
-      # (mkHostScrapeConfig "lupine-2" [ defaultNodeExporterPort defaultSystemdExporterPort ])
+      (mkHostScrapeConfig "lupine-2" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
       (mkHostScrapeConfig "lupine-3" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
       (mkHostScrapeConfig "lupine-4" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
       (mkHostScrapeConfig "lupine-5" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
+      (mkHostScrapeConfig "temmie" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
+      (mkHostScrapeConfig "ustetind" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
+      (mkHostScrapeConfig "wenche" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
+
+      (mkHostScrapeConfig "skrott" [ defaultNodeExporterPort defaultSystemdExporterPort ])
 
       (mkHostScrapeConfig "hildring" [ defaultNodeExporterPort ])
       (mkHostScrapeConfig "isvegg" [ defaultNodeExporterPort ])

hosts/kommode/configuration.nix

@@ -4,6 +4,7 @@
     # Include the results of the hardware scan.
     ./hardware-configuration.nix
     (fp /base)
+    ./disks.nix
 
     ./services/gitea
     ./services/nginx.nix

hosts/kommode/disks.nix

@@ -0,0 +1,80 @@
+{ lib, ... }:
+{
+  disko.devices = {
+    disk = {
+      sda = {
+        type = "disk";
+        device = "/dev/sda";
+        content = {
+          type = "gpt";
+          partitions = {
+            root = {
+              name = "root";
+              label = "root";
+              start = "1MiB";
+              end = "-5G";
+              content = {
+                type = "btrfs";
+                extraArgs = [ "-f" ]; # Override existing partition
+                # subvolumes = let
+                #   makeSnapshottable = subvolPath: mountOptions: let
+                #     name = lib.replaceString "/" "-" subvolPath;
+                #   in {
+                #     "@${name}/active" = {
+                #       mountpoint = subvolPath;
+                #       inherit mountOptions;
+                #     };
+                #     "@${name}/snapshots" = {
+                #       mountpoint = "${subvolPath}/.snapshots";
+                #       inherit mountOptions;
+                #     };
+                #   };
+                # in {
+                #   "@" = { };
+                #   "@/swap" = {
+                #     mountpoint = "/.swapvol";
+                #     swap.swapfile.size = "4G";
+                #   };
+                #   "@/root" = {
+                #     mountpoint = "/";
+                #     mountOptions = [ "compress=zstd" "noatime" ];
+                #   };
+                # }
+                # // (makeSnapshottable "/home" [ "compress=zstd" "noatime" ])
+                # // (makeSnapshottable "/nix" [ "compress=zstd" "noatime" ])
+                # // (makeSnapshottable "/var/lib" [ "compress=zstd" "noatime" ])
+                # // (makeSnapshottable "/var/log" [ "compress=zstd" "noatime" ])
+                # // (makeSnapshottable "/var/cache" [ "compress=zstd" "noatime" ]);
+
+                # swap.swapfile.size = "4G";
+                mountpoint = "/";
+              };
+            };
+
+            swap = {
+              name = "swap";
+              label = "swap";
+              start = "-5G";
+              end = "-1G";
+              content.type = "swap";
+            };
+
+            ESP = {
+              name = "ESP";
+              label = "ESP";
+              start = "-1G";
+              end = "100%";
+              type = "EF00";
+              content = {
+                type = "filesystem";
+                format = "vfat";
+                mountpoint = "/boot";
+                mountOptions = [ "umask=0077" ];
+              };
+            };
+          };
+        };
+      };
+    };
+  };
+}

hosts/kommode/hardware-configuration.nix

@@ -13,21 +13,6 @@
   boot.kernelModules = [ ];
   boot.extraModulePackages = [ ];
 
-  fileSystems."/" =
-    { device = "/dev/disk/by-uuid/d421538f-a260-44ae-8e03-47cac369dcc1";
-      fsType = "btrfs";
-    };
-
-  fileSystems."/boot" =
-    { device = "/dev/disk/by-uuid/86CD-4C23";
-      fsType = "vfat";
-      options = [ "fmask=0077" "dmask=0077" ];
-    };
-
-  swapDevices =
-    [ { device = "/dev/disk/by-uuid/4cfbb41e-801f-40dd-8c58-0a0c1a6025f6"; }
-    ];
-
   # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
   # (the default) this is the recommended approach. When using systemd-networkd it's
   # still possible to use this option, but it's recommended to use it in conjunction

hosts/kommode/services/gitea/default.nix

@@ -195,6 +195,23 @@ in {
 
   networking.firewall.allowedTCPPorts = [ sshPort ];
 
+  services.rsync-pull-targets = {
+    enable = true;
+    locations.${cfg.dump.backupDir} = {
+      user = "root";
+      rrsyncArgs.ro = true;
+      authorizedKeysAttrs = [
+        "restrict"
+        "from=\"principal.pvv.ntnu.no,${values.hosts.principal.ipv6},${values.hosts.principal.ipv4}\""
+        "no-agent-forwarding"
+        "no-port-forwarding"
+        "no-pty"
+        "no-X11-forwarding"
+      ];
+      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGpMVrOppyqYaDiAhqmAuOaRsubFvcQGBGyz+NHB6+0o gitea rsync backup";
+    };
+  };
+
   systemd.services.gitea-dump = {
     serviceConfig.ExecStart = let
       args = lib.cli.toGNUCommandLineShell { } {

hosts/shark/configuration.nix

@@ -15,5 +15,5 @@
 
   # Don't change (even during upgrades) unless you know what you are doing.
   # See https://search.nixos.org/options?show=system.stateVersion
-  system.stateVersion = "23.05";
+  system.stateVersion = "25.11";
 }

hosts/skrott/configuration.nix

@@ -1,10 +1,13 @@
-{ config, pkgs, lib, fp, values, ... }: {
+{ config, pkgs, lib, modulesPath, fp, values, ... }: {
   imports = [
-    # ./hardware-configuration.nix
+    (modulesPath + "/profiles/perlless.nix")
 
     (fp /base)
   ];
 
+  # Disable import of a bunch of tools we don't need from nixpkgs.
+  disabledModules = [ "profiles/base.nix" ];
+
   sops.defaultSopsFile = fp /secrets/skrott/skrott.yaml;
 
   boot = {
@@ -15,17 +18,39 @@
     kernelPackages = pkgs.linuxPackages;
   };
 
+  hardware = {
+    enableAllHardware = lib.mkForce false;
+    firmware = [ pkgs.raspberrypiWirelessFirmware ];
+  };
+
   # Now turn off a bunch of stuff lol
+  # TODO: can we reduce further?
+  # See also https://nixcademy.com/posts/minimizing-nixos-images/
   system.autoUpgrade.enable = lib.mkForce false;
   services.irqbalance.enable = lib.mkForce false;
   services.logrotate.enable = lib.mkForce false;
   services.nginx.enable = lib.mkForce false;
   services.postfix.enable = lib.mkForce false;
+  services.smartd.enable = lib.mkForce false;
+  services.udisks2.enable = lib.mkForce false;
+  services.thermald.enable = lib.mkForce false;
+  services.promtail.enable = lib.mkForce false;
+  # There aren't really that many firmware updates for rbpi3 anyway
+  services.fwupd.enable = lib.mkForce false;
 
-  # TODO: can we reduce further?
+  documentation.enable = lib.mkForce false;
+
+  environment.enableAllTerminfo = lib.mkForce false;
+
+  programs.neovim.enable = lib.mkForce false;
+  programs.zsh.enable = lib.mkForce false;
+  programs.git.package = pkgs.gitMinimal;
+
+  nix.registry = lib.mkForce { };
+  nix.nixPath = lib.mkForce [ ];
 
   sops.secrets = {
-    "dibbler/postgresql/url" = {
+    "dibbler/postgresql/password" = {
       owner = "dibbler";
       group = "dibbler";
     };
@@ -35,6 +60,8 @@
 
   networking = {
     hostName = "skrot";
+    defaultGateway = values.hosts.gateway;
+    defaultGateway6 = values.hosts.gateway6;
     interfaces.eth0 = {
       useDHCP = false;
       ipv4.addresses = [{
@@ -56,16 +83,24 @@
 
     settings = {
       general.quit_allowed = false;
-      database.url = config.sops.secrets."dibbler/postgresql/url".path;
+      database = {
+        type = "postgresql";
+        postgresql = {
+          username = "pvv_vv";
+          dbname = "pvv_vv";
+          host = "postgres.pvv.ntnu.no";
+          password_file = config.sops.secrets."dibbler/postgresql/password".path;
+        };
+      };
     };
   };
 
   # https://github.com/NixOS/nixpkgs/issues/84105
-  boot.kernelParams = [
+  boot.kernelParams = lib.mkIf (!config.virtualisation.isVmVariant) [
     "console=ttyUSB0,9600"
     # "console=tty1" # Already part of the module
   ];
-  systemd.services."serial-getty@ttyUSB0" = {
+  systemd.services."serial-getty@ttyUSB0" = lib.mkIf (!config.virtualisation.isVmVariant) {
     enable = true;
     wantedBy = [ "getty.target" ]; # to start at boot
     serviceConfig.Restart = "always"; # restart when session is closed
@@ -73,5 +108,5 @@
 
   # Don't change (even during upgrades) unless you know what you are doing.
   # See https://search.nixos.org/options?show=system.stateVersion
-  system.stateVersion = "25.05";
+  system.stateVersion = "25.11";
 }

hosts/temmie/services/nfs-mounts.nix

@@ -1,7 +1,7 @@
 { lib, values, ... }:
 let
   # See microbel:/etc/exports
-  letters = [ "a" "b" "c" "d"  "h" "i" "j" "k" "l" "m" "z" ];
+  letters = [ "a" "b" "c" "d" "h" "i" "j" "k" "l" "m" "z" ];
 in
 {
   systemd.targets."pvv-homedirs" = {
@@ -52,9 +52,6 @@ in
       # TODO: are there cgi scripts that modify stuff in peoples homedirs?
       # "ro"
       "rw"
-
-      # TODO: can we enable this and still run cgi stuff?
-      # "noexec"
     ];
   }) letters;
 }

hosts/temmie/services/userweb.nix

@@ -1,27 +1,342 @@
-{ ... }:
+{ config, lib, pkgs, ... }:
+let
+  cfg = config.services.httpd;
+
+  homeLetters = [ "a" "b" "c" "d" "h" "i" "j" "k" "l" "m" "z" ];
+
+  # https://nixos.org/manual/nixpkgs/stable/#ssec-php-user-guide-installing-with-extensions
+  phpEnv = pkgs.php.buildEnv {
+    extensions = { all, ... }: with all; [
+      imagick
+      opcache
+      protobuf
+    ];
+
+    extraConfig = ''
+      display_errors=0
+      post_max_size = 40M
+      upload_max_filesize = 40M
+    '';
+  };
+
+  perlEnv = pkgs.perl.withPackages (ps: with ps; [
+    pkgs.exiftool
+    pkgs.ikiwiki
+    pkgs.irssi
+    pkgs.nix.libs.nix-perl-bindings
+
+    AlgorithmDiff
+    AnyEvent
+    AnyEventI3
+    ArchiveZip
+    CGI
+    CPAN
+    CPANPLUS
+    DBDPg
+    DBDSQLite
+    DBI
+    EmailAddress
+    EmailSimple
+    Env
+    Git
+    HTMLMason
+    HTMLParser
+    HTMLTagset
+    HTTPDAV
+    HTTPDaemon
+    ImageMagick
+    JSON
+    LWP
+    MozillaCA
+    PathTiny
+    Switch
+    SysSyslog
+    TestPostgreSQL
+    TextPDF
+    TieFile
+    Tk
+    URI
+    XMLLibXML
+  ]);
+
+  # https://nixos.org/manual/nixpkgs/stable/#python.buildenv-function
+  pythonEnv = pkgs.python3.buildEnv.override {
+    extraLibs = with pkgs.python3Packages; [
+      legacy-cgi
+
+      matplotlib
+      requests
+    ];
+    ignoreCollisions = true;
+  };
+
+  # https://nixos.org/manual/nixpkgs/stable/#sec-building-environment
+  fhsEnv = pkgs.buildEnv {
+    name = "userweb-env";
+    paths = with pkgs; [
+      bash
+
+      perlEnv
+      pythonEnv
+
+      phpEnv
+    ]
+    ++ (with phpEnv.packages; [
+      # composer
+    ])
+    ++ [
+      acl
+      aspell
+      autoconf
+      autotrash
+      bazel
+      bintools
+      bison
+      bsd-finger
+      catdoc
+      ccache
+      clang
+      cmake
+      coreutils-full
+      curl
+      devcontainer
+      diffutils
+      emacs
+      # exiftags
+      exiftool
+      ffmpeg
+      file
+      findutils
+      gawk
+      gcc
+      glibc
+      gnugrep
+      gnumake
+      gnupg
+      gnuplot
+      gnused
+      gnutar
+      gzip
+      html-tidy
+      imagemagick
+      inetutils
+      iproute2
+      jhead
+      less
+      libgcc
+      lndir
+      mailutils
+      man # TODO: does this one want a mandb instance?
+      meson
+      more
+      mpc
+      mpi
+      mplayer
+      ninja
+      nix
+      openssh
+      openssl
+      patchelf
+      pkg-config
+      ppp
+      procmail
+      procps
+      qemu
+      rc
+      rhash
+      rsync
+      ruby # TODO: does this one want systemwide packages?
+      salt
+      sccache
+      sourceHighlight
+      spamassassin
+      strace
+      subversion
+      system-sendmail
+      systemdMinimal
+      texliveMedium
+      tmux
+      unzip
+      util-linux
+      valgrind
+      vim
+      wget
+      which
+      wine
+      xdg-utils
+      zip
+      zstd
+    ];
+
+    extraOutputsToInstall = [
+      "man"
+      "doc"
+    ];
+  };
+in
 {
   services.httpd = {
     enable = true;
+    adminAddr = "drift@pvv.ntnu.no";
 
-    # extraModules = [];
+    # TODO: consider upstreaming systemd support
+    # TODO: mod_log_journald in v2.5
+    package = pkgs.apacheHttpd.overrideAttrs (prev: {
+      nativeBuildInputs = prev.nativeBuildInputs ++ [ pkgs.pkg-config ];
+      buildInputs = prev.buildInputs ++ [ pkgs.systemdLibs ];
+      configureFlags = prev.configureFlags ++ [ "--enable-systemd" ];
+    });
+
+    enablePHP = true;
+    phpPackage = phpEnv;
+
+    enablePerl = true;
+
+    # TODO: mod_log_journald in v2.5
+    extraModules = [
+      "systemd"
+      "userdir"
+      # TODO: I think the compilation steps of pkgs.apacheHttpdPackages.mod_perl might have some
+      #       incorrect or restrictive assumptions upstream, either nixpkgs or source
+      # {
+      #   name = "perl";
+      #   path = let
+      #     mod_perl = pkgs.apacheHttpdPackages.mod_perl.override {
+      #       apacheHttpd = cfg.package.out;
+      #       perl = perlEnv;
+      #     };
+      #   in "${mod_perl}/modules/mod_perl.so";
+      # }
+    ];
+
+    extraConfig = ''
+      TraceEnable on
+      LogLevel warn rewrite:trace3
+      ScriptLog ${cfg.logDir}/cgi.log
+    '';
 
     # virtualHosts."userweb.pvv.ntnu.no" = {
     virtualHosts."temmie.pvv.ntnu.no" = {
-
       forceSSL = true;
       enableACME = true;
+
+      extraConfig = ''
+        UserDir ${lib.concatMapStringsSep " " (l: "/home/pvv/${l}/*/web-docs") homeLetters}
+        UserDir disabled root
+        AddHandler cgi-script .cgi
+        DirectoryIndex index.html index.html.var index.php index.php3 index.cgi index.phtml index.shtml meg.html
+
+        <Directory "/home/pvv/?/*/web-docs">
+          Options MultiViews Indexes SymLinksIfOwnerMatch ExecCGI IncludesNoExec
+          AllowOverride All
+          Require all granted
+        </Directory>
+      '';
     };
   };
 
+  networking.firewall.allowedTCPPorts = [
+    80
+    443
+  ];
+
+  # socket activation comes in v2.5
+  # systemd.sockets.httpd = {
+  #   wantedBy = [ "sockets.target" ];
+  #   description = "HTTPD socket";
+  #   listenStreams = [
+  #     "0.0.0.0:80"
+  #     "0.0.0.0:443"
+  #   ];
+  # };
+
   systemd.services.httpd = {
     after = [ "pvv-homedirs.target" ];
     requires = [ "pvv-homedirs.target" ];
 
+    environment = {
+      PATH = lib.mkForce "/usr/bin";
+    };
+
     serviceConfig = {
+      Type = lib.mkForce "notify";
+
+      ExecStart = lib.mkForce "${cfg.package}/bin/httpd -D FOREGROUND -f /etc/httpd/httpd.conf -k start";
+      ExecReload = lib.mkForce "${cfg.package}/bin/httpd -f /etc/httpd/httpd.conf -k graceful";
+      ExecStop = lib.mkForce "";
+      KillMode = "mixed";
+
+      ConfigurationDirectory = [ "httpd" ];
+      LogsDirectory = [ "httpd" ];
+      LogsDirectoryMode = "0700";
+
+      CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
+      LockPersonality = true;
+      PrivateDevices = true;
+      PrivateTmp = true;
+      # NOTE: this removes CAP_NET_BIND_SERVICE...
+      # PrivateUsers = true;
+      ProtectClock = true;
+      ProtectControlGroups = true;
       ProtectHome = "tmpfs";
-      BindPaths = let
-        letters = [ "a" "b" "c" "d"  "h" "i" "j" "k" "l" "m" "z" ];
-      in map (l: "/run/pvv-home-mounts/${l}:/home/pvv/${l}") letters;
+      ProtectKernelLogs = true;
+      ProtectKernelModules = true;
+      ProtectSystem = true;
+      RemoveIPC = true;
+      RestrictAddressFamilies = [
+        "AF_INET"
+        "AF_INET6"
+        "AF_UNIX"
+        "AF_NETLINK"
+      ];
+      RestrictNamespaces = true;
+      RestrictRealtime = true;
+      RestrictSUIDSGID = true;
+      SocketBindDeny = "any";
+      SocketBindAllow = [
+        "tcp:80"
+        "tcp:443"
+      ];
+      SystemCallArchitectures = "native";
+      SystemCallFilter = [
+         "@system-service"
+      ];
+      UMask = "0077";
+
+      RuntimeDirectory = [ "httpd/root-mnt" ];
+      RootDirectory = "/run/httpd/root-mnt";
+      MountAPIVFS = true;
+      BindReadOnlyPaths = [
+        builtins.storeDir
+        "/etc"
+        # NCSD socket
+        "/var/run"
+        "/var/lib/acme"
+
+        "${fhsEnv}/bin:/bin"
+        "${fhsEnv}/sbin:/sbin"
+        "${fhsEnv}/lib:/lib"
+        "${fhsEnv}/share:/share"
+      ] ++ (lib.mapCartesianProduct ({ parent, child }: "${fhsEnv}${child}:${parent}${child}") {
+        parent = [
+          "/local"
+          "/opt"
+          "/opt/local"
+          "/store"
+          "/store/gnu"
+          "/usr"
+          "/usr/local"
+        ];
+        child = [
+          "/bin"
+          "/sbin"
+          "/lib"
+          "/libexec"
+          "/include"
+          "/share"
+        ];
+      });
+      BindPaths = map (l: "/run/pvv-home-mounts/${l}:/home/pvv/${l}") homeLetters;
     };
   };
 

modules/rsync-pull-targets.nix

@@ -0,0 +1,146 @@
+{ config, lib, pkgs, ... }:
+let
+  cfg = config.services.rsync-pull-targets;
+in
+{
+  options.services.rsync-pull-targets = {
+    enable = lib.mkEnableOption "";
+
+    rrsyncPackage = lib.mkPackageOption pkgs "rrsync" { };
+
+    locations = lib.mkOption {
+      type = lib.types.attrsOf (lib.types.submodule ({ name, ... }@submoduleArgs: {
+        options = {
+          enable = lib.mkEnableOption "" // {
+            default = true;
+            example = false;
+          };
+
+          user = lib.mkOption {
+            type = lib.types.str;
+            description = "Which user to use as SSH login";
+            example = "root";
+          };
+
+          location = lib.mkOption {
+            type = lib.types.path;
+            default = name;
+            defaultText = lib.literalExpression "<name>";
+            example = "/path/to/rsyncable/item";
+          };
+
+          # TODO: handle autogeneration of keys
+          # autoGenerateSSHKeypair = lib.mkOption {
+          #   type = lib.types.bool;
+          #   default = config.publicKey == null;
+          #   defaultText = lib.literalExpression "config.services.rsync-pull-targets.<name>.publicKey != null";
+          #   example = true;
+          # };
+
+          publicKey = lib.mkOption {
+            type = lib.types.str;
+            # type = lib.types.nullOr lib.types.str;
+            # default = null;
+            example = "ssh-ed25519 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA comment";
+          };
+
+          rrsyncPackage = lib.mkPackageOption pkgs "rrsync" { } // {
+            default = cfg.rrsyncPackage;
+            defaultText = lib.literalExpression "config.services.rsync-pull-targets.rrsyncPackage";
+          };
+
+          enableRecommendedHardening = lib.mkEnableOption "a commonly used security profile for authorizedKeys attributes and rrsync args";
+
+          rrsyncArgs = {
+            ro = lib.mkEnableOption "" // {
+              description = "Allow only reading from the DIR. Implies -no-del and -no-lock.";
+            };
+            wo = lib.mkEnableOption "" // {
+              description = "Allow only writing to the DIR.";
+            };
+            munge = lib.mkEnableOption "" // {
+              description = "Enable rsync's --munge-links on the server side.";
+              # TODO: set a default?
+            };
+            no-del = lib.mkEnableOption "" // {
+              description = "Disable rsync's --delete* and --remove* options.";
+              default = submoduleArgs.config.enableRecommendedHardening;
+              defaultText = lib.literalExpression "config.services.rsync-pull-targets.<name>.enableRecommendedHardening";
+            };
+            no-lock = lib.mkEnableOption "" // {
+              description = "Avoid the single-run (per-user) lock check.";
+              default = submoduleArgs.config.enableRecommendedHardening;
+              defaultText = lib.literalExpression "config.services.rsync-pull-targets.<name>.enableRecommendedHardening";
+            };
+            no-overwrite = lib.mkEnableOption "" // {
+              description = "Prevent overwriting existing files by enforcing --ignore-existing";
+              default = submoduleArgs.config.enableRecommendedHardening;
+              defaultText = lib.literalExpression "config.services.rsync-pull-targets.<name>.enableRecommendedHardening";
+            };
+          };
+
+          authorizedKeysAttrs = lib.mkOption {
+            type = lib.types.listOf lib.types.str;
+            default = lib.optionals submoduleArgs.config.enableRecommendedHardening [
+              "restrict"
+              "no-agent-forwarding"
+              "no-port-forwarding"
+              "no-pty"
+              "no-X11-forwarding"
+            ];
+            defaultText = lib.literalExpression ''
+              lib.optionals config.services.rsync-pull-targets.<name>.enableRecommendedHardening [
+                "restrict"
+                "no-agent-forwarding"
+                "no-port-forwarding"
+                "no-pty"
+                "no-X11-forwarding"
+              ]
+            '';
+            example = [
+              "restrict"
+              "no-agent-forwarding"
+              "no-port-forwarding"
+              "no-pty"
+              "no-X11-forwarding"
+            ];
+          };
+        };
+      }));
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    # assertions = lib.pipe cfg.locations [
+    #   (lib.filterAttrs (_: value: value.enable))
+      # TODO: assert that there are no duplicate (user, publicKey) pairs.
+      #       if there are then ssh won't know which command to provide and might provide a random one, not sure.
+      # (lib.mapAttrsToList (_: { user, location, publicKey, ... }: {
+      #   assertion =
+      #   message = "";
+      # })
+    # ];
+
+    services.openssh.enable = true;
+    users.users = lib.pipe cfg.locations [
+      (lib.filterAttrs (_: value: value.enable))
+
+      lib.attrValues
+
+      # Index locations by SSH user
+      (lib.foldl (acc: location: acc // {
+        ${location.user} = (acc.${location.user} or [ ]) ++ [ location ];
+      }) { })
+
+      (lib.mapAttrs (_name: locations: {
+        openssh.authorizedKeys.keys = map ({ user, location, rrsyncPackage, rrsyncArgs, authorizedKeysAttrs, publicKey, ... }: let
+          rrsyncArgString = lib.cli.toCommandLineShellGNU {
+            isLong = _: false;
+          } rrsyncArgs;
+          # TODO: handle " in location
+        in "command=\"${lib.getExe rrsyncPackage} ${rrsyncArgString} ${location}\",${lib.concatStringsSep "," authorizedKeysAttrs} ${publicKey}"
+        ) locations;
+      }))
+    ];
+  };
+}

packages/mediawiki-extensions/default.nix

@@ -33,63 +33,63 @@ in
 lib.mergeAttrsList [
   (mw-ext {
     name = "CodeEditor";
-    commit = "6e5b06e8cf2d040c0abb53ac3735f9f3c96a7a4f";
-    hash = "sha256-Jee+Ws9REUohywhbuemixXKaTRc54+cIlyUNDCyYcEM=";
+    commit = "83e1d0c13f34746f0d7049e38b00e9ab0a47c23f";
+    hash = "sha256-qH9fSQZGA+z6tBSh1DaTKLcujqA6K/vQmZML9w5X8mU=";
   })
   (mw-ext {
     name = "CodeMirror";
-    commit = "da9c5d4f03e6425f6f2cf68b75d21311e0f7e77e";
-    hash = "sha256-aL+v9xeqKHGmQVUWVczh54BkReu+fP49PT1NP7eTC6k=";
+    commit = "af2b08b9ad2b89a64b2626cf80b026c5b45e9922";
+    hash = "sha256-CxXPwCKUlF9Tg4JhwLaKQyvt43owq75jCugVtb3VX+I=";
   })
   (mw-ext {
     name = "DeleteBatch";
-    commit = "122072bbfb4eab96ed8c1451a3e74b5557054c58";
-    hash = "sha256-L6AXoyFJEZoAQpLO6knJvYtQ6JJPMtaa+WhpnwbJeNU=";
+    commit = "3d6f2fd0e3efdae1087dd0cc8b1f96fe0edf734f";
+    hash = "sha256-iD9EjDIW7AGpZan74SIRcr54dV8W7xMKIDjatjdVkKs=";
   })
   (mw-ext {
     name = "PluggableAuth";
-    commit = "5caf605b9dfdd482cb439d1ba2000cba37f8b018";
-    hash = "sha256-TYJqR9ZvaWJ7i1t0XfgUS05qqqCgxAH8tRTklz/Bmlg=";
+    commit = "85e96acd1ac0ebcdaa29c20eae721767a938f426";
+    hash = "sha256-bMVhrg8FsfWhXF605Cj5TgI0A6Jy/MIQ5aaUcLQQ0Ss=";
   })
   (mw-ext {
     name = "Popups";
-    commit = "7ed940a09f83f869cbc0bc20f3ca92f85b534951";
-    hash = "sha256-pcDPcu4kSvMHfSOuShrod694TKI9Oo3AEpMP9DXp9oY=";
+    commit = "410e2343c32a7b18dcdc2bbd995b0bfdf3bf5f37";
+    hash = "sha256-u2AlR75x54rCpiK9Mz00D9odJCn8fmi6DRU4QKmKqSc=";
   })
   (mw-ext {
     name = "Scribunto";
-    commit = "e755852a8e28a030a21ded2d5dd7270eb933b683";
-    hash = "sha256-zyI5nSE+KuodJOWyV0CQM7G0GfkKEgfoF/czi2/qk98=";
+    commit = "904f323f343dba5ff6a6cdd143c4a8ef5b7d2c55";
+    hash = "sha256-ZOVYhjMMyWbqwZOBb39hMIRmzzCPEnz2y8Q2jgyeERw=";
   })
   (mw-ext {
     name = "SimpleSAMLphp";
     kebab-name = "simple-saml-php";
-    commit = "d41b4efd3cc44ca3f9f12e35385fc64337873c2a";
-    hash = "sha256-wfzXtsEEEjQlW5QE4Rf8pasAW/KSJsLkrez13baxeqA=";
+    commit = "a2f77374713473d594e368de24539aebcc1a800a";
+    hash = "sha256-5+t3VQFKcrIffDNPJ4RWBIWS6K1gTOcEleYWmM6xWms=";
   })
   (mw-ext {
     name = "TemplateData";
-    commit = "fd7cf4d95a70ef564130266f2a6b18f33a2a2ff9";
-    hash = "sha256-5OhDPFhIi55Eh5+ovMP1QTjNBb9Sm/3vyArNCApAgSw=";
+    commit = "76a6a04bd13a606923847ba68750b5d98372cacd";
+    hash = "sha256-X2+U5PMqzkSljw2ypIvJUSaPDaonTkQx89OgKzf5scw=";
   })
   (mw-ext {
     name = "TemplateStyles";
-    commit = "0f7b94a0b094edee1c2a9063a3c42a1bdc0282d9";
-    hash = "sha256-R406FgNcIip9St1hurtZoPPykRQXBrkJRKA9hapG81I=";
+    commit = "7de60a8da6576d7930f293d19ef83529abf52704";
+    hash = "sha256-iPmFDoO5V4964CVyd1mBSQcNlW34odbvpm2CfDBlPBU=";
   })
   (mw-ext {
     name = "UserMerge";
-    commit = "d1917817dd287e7d883e879459d2d2d7bc6966f2";
-    hash = "sha256-la3/AQ38DMsrZ2f24T/z3yKzIrbyi3w6FIB5YfxGK9U=";
+    commit = "71eb53ff4289ac4efaa31685ab8b6483c165a584";
+    hash = "sha256-OfKSEPgctfr659oh5jf99T0Rzqn+60JhNaZq+2gfubk=";
   })
   (mw-ext {
     name = "VisualEditor";
-    commit = "032364cfdff33818e6ae0dfa251fe3973b0ae4f3";
-    hash = "sha256-AQDdq9r6rSo8h4u1ERonH14/1i1BgLGdzANEiQ065PU=";
+    commit = "a6a63f53605c4d596c3df1dcc2583ffd3eb8d929";
+    hash = "sha256-4d8picO66uzKoxh1TdyvKLHebc6ZL7N2DdXLV2vgBL4=";
   })
   (mw-ext {
     name = "WikiEditor";
-    commit = "cb9f7e06a9c59b6d3b31c653e5886b7f53583d01";
-    hash = "sha256-UWi3Ac+LCOLliLkXnS8YL0rD/HguuPH5MseqOm0z7s4=";
+    commit = "0a5719bb95326123dd0fee1f88658358321ed7be";
+    hash = "sha256-eQMyjhdm1E6TkktIHad1NMeMo8QNoO8z4A05FYOMCwQ=";
   })
 ]

secrets/bekkalokk/bekkalokk.yaml

@@ -9,6 +9,7 @@ gitea:
     ssh-known-hosts: ENC[AES256_GCM,data:zlRLoelQeumMxGqPmgMTB69X1RVWXIs2jWwc67lk0wrdNOHUs5UzV5TUA1JnQ43RslBU92+js7DkyvE5enGzw7zZE5F1ZYdGv/eCgvkTMC9BoLfzHzP6OzayPLYEt3xJ5PRocN8JUAD55cuu4LgsuebuydHPi2oWOfpbSUBKSeCh6dvk5Pp1XRDprPS5SzGLW8Xjq98QlzmfGv50meI9CDJZVF9Wq/72gkyfgtb3YVdr,iv:AF06TBitHegfWk6w07CdkHklh4ripQCmA45vswDQgss=,tag:zKh7WVXMJN2o9ZIwIkby3Q==,type:str]
     import-user-env: ENC[AES256_GCM,data:wArFwTd0ZoB4VXHPpichfnmykxGxN8y2EQsMgOPHv7zsm6A+m2rG9BWDGskQPr5Ns9o=,iv:gPUzYFSNoALJb1N0dsbNlgHIb7+xG7E9ANpmVNZURQ0=,tag:JghfRy2OcDFWKS9zX1XJ9A==,type:str]
 mediawiki:
+    secret-key: ENC[AES256_GCM,data:ixG9vGifYcz44y/copU+eHIjWLcxJ4v7pi8l1P3YHIdGwAk5DNZQWlaA/L3w0g50zM0ESEXL9k2r3jNI1nLGJw==,iv:fwHV4hYDEjP9f/8Bw74EhYDUN8UV+qIwqd6yXa5KtFs=,tag:3c9J/lVoJeRE1b/TTWJNZw==,type:str]
     password: ENC[AES256_GCM,data:HsBuA1E7187roGnKuFPfPDYxA16GFjAUucgUtrdUFmcOzmTNiFH+NWY2ZQ==,iv:vDYUmmZftcrkDtJxNYKAJSx9j+AQcmQarC62QRHR4IM=,tag:3TKjNrGRivFWoK3djC748g==,type:str]
     postgres_password: ENC[AES256_GCM,data:XIOmrOVXWvMMcPJtmovhdyZvLlhmrsrwjuMMkdEY1NIXWjevj5XEkp6Cpw==,iv:KMPTRzu3H/ewfEhc/O0q3o230QNkABfPYF/D1SYL2R8=,tag:sFZiFPHWxwzD9HndPmH3pQ==,type:str]
     simplesamlphp:
@@ -99,8 +100,8 @@ sops:
             SU5zanlva1p2QjVndVJwUnlkdkFuTDAKbQRrSfG9MGsGvF2ywoGhDSuriDsbQ+k2
             29mxere0efSSGGq8y9YrPC8UX5hZRfqg/dfbL+PFc4NHfbxB/oSzQw==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-12-09T21:18:23Z"
-    mac: ENC[AES256_GCM,data:scdduZPcJZgeT9LarRgxVr/obYsGrJAbMoLGJPPPp19qxOJMTdvYfMz8bxPjCikB4MacEgVZmcnKIn5aCzHJAnCI/7F2wm1DDtW9ZI5qbhDJKSSld+m2leOSPfR8VY/0qj6UNgGnwkwx7dfcAlv8cP2Sp3o1M2oyQxeXPr5FWEg=,iv:JEAwkCewMp0ERmYU62kZkbl7+FET1ZeRr6xeEwt6ioM=,tag:jxvli935X3JyZYe7fFbnLg==,type:str]
+    lastmodified: "2026-01-26T08:40:13Z"
+    mac: ENC[AES256_GCM,data:ppgpARft/YDKP24QF4bLYVhxN4nRrCsf4wBug3UD4MXgQwdFyWPAHn086uONeMbVOvH8IdwlaNBc8h36I7M66cqwK1VsRc/vf9Ud2VnD/WkWijMSrJ80frIvuvREp7aMNlYbD20bjrp4sYohjcJ8KPqyPUFPj71dA+9LZvXJthQ=,iv:lr3R14lRx7RzclknKbOa/bHa6axGbMPqj1FRTjx34xE=,tag:pBHzSArxYs4bqq355T4yog==,type:str]
     pgp:
         - created_at: "2026-01-16T06:34:44Z"
           enc: |-
@@ -123,4 +124,4 @@ sops:
             -----END PGP MESSAGE-----
           fp: F7D37890228A907440E1FD4846B9228E814A2AAC
     unencrypted_suffix: _unencrypted
-    version: 3.9.1
+    version: 3.11.0

secrets/bicep/matrix.yaml

@@ -17,6 +17,7 @@ ooye:
 hookshot:
     as_token: ENC[AES256_GCM,data:L4vEw5r4RhcgritOeDTLHN5E/dM=,iv:pC8BLzxf6NaVAGsotoq6chOceBVdMLvrsQn1LGw9H9w=,tag:SI3CDFHAvgQZEvf/oms3EA==,type:str]
     hs_token: ENC[AES256_GCM,data:2ufSJfYzzAB5IO+edwKSra5d/+M=,iv:cmTycGzNL+IeRRKZGbkhTtiksYTtbxED0k0B5haFw7k=,tag:FmWe5sGi9rlapUeAE6lKvg==,type:str]
+    passkey: ENC[AES256_GCM,data:sR3ZdvNe+321WalGA57Nsb7eIRnOgAWX4P4aahynS5kD8nZ40axO3H29pciTn3rgBLsKPYAbJ24Ch40SL5emlz9UL1nH//khCEAXUXR5+RA83TvRrog1BdiCTX3wYY6SvM8BRwAEcWbAavfRHyNM0stSRjamdam70OvEEHlOUafs4lfQghYXVN+YV6bT+gan9eMRwhTsuWB/V01SAUot5pgFtprpvFs/l90E9sZFxxejlLniy/4nHjO9rcXAeCz/8cw5P56AqCzqyliYxKM3qbhwp+Pz/RVH+7PKQwABP80tw4HLvBz2nwYzPHJrSejIH/lxE1sJH8ttUQ8mHIFpv0GGB0oENyfYCekoSXWL+wuFEE+xjyak1KUDfohaJ9QMZa+A4jHiGoWHAwfU083uNFNdE1NxPpa55xQ/Q5fGE58qmZVbHUoL1EFOi0Nc15vp9kRojjQoEENvEQKwZHlauhm+940s6IwBE/bHk5WBjWM6BM/7Y8dj23uo1Vj0gy5IK0xYk62+IXNINPeDnS5sZJJweOKvS9JDYNw/9oC5ptmsqkGWryWm22Mwq9AIWm1Zt+0nIZRrOM+JHWJCtCqXhD5+UL1fl6wt7IgvOqgOtsFUM39n2hS4UWyVohToLy2u8VFKDIx1yb530y+Q2HfT6oKPYtcm5+b/dgDaqph1JSuqxWoiXMdx/DvGLhM6nIfPnAi5EImXDQIxkh4tJ6P+z+4vOPiX5fKflXk2eioVL77BQ4jXLunu4zBu/bOCePHigAD/+E9IgHnVSMxpTgDQ3w7WI7FCY9wjbXqbsL3QB1BOizIFNqHDcX2COeJV7X8Aia0HBpZgQpFX5XtMJAKnO2BR2EA94xSk9/rAPgZpJkZXTHl5MpPz9+WLv4uFy0daIJ/y7jkxLXK2UNw9VVfkq/I6cteQMwHPe0V9XZc1DIXOjJ23r9qNtx11Dx7Zumh3EQvp/8D/i0G6lhW1y3xP0Uu1iuxfnvhacBTwiRTSrKhT0HKlFG9cG2SaZH5D8zLyhrQhp8V5AdAdikmQUfDigDTzd45YpWRaNEGM1wcAI5cWBdPHY6Hv3NHQoX3yx6jm3Qo1QqIVlhqHqEeM6++H1Sfd3xg8zMSSGXlQT6EYE0+raOvKrmbnGCW3GnguHEjU1vCE/w7u8LCct7IBCSL7XQpLg39SmSx/MdL5OWXaUCxbVMM38q/4PXNzRVNaHRZFXm35+q1gZ/fx9a3vY/YS9+qEhcsvNQaNyuVcbigz9fqEWoAnFh2rCIMT3XMc+N0V0+TSIF4nU/Im82wu1+ujcrJ6OpGubcf208y8giwOgdKAARTKtybInUx31+JkzMw9A4q+CxRLHcrYYhIHz0MyhAVY3JKQp6DvoRwT58/MEENv6hSvsf0PhrgIkPTYeNeasJwFt8tKPmEkFYINhigC3XPmid+hMJfp/w8MnFLAIX9Cp+7adQPPW5RZqHuuf0rV+vdVqU3nFmnet8KZd3SrZiWAXcKViyHYAWb3c60TMO2C37goHkTMd6olZ09ZEfrTpdX+MEHswW65p4rJgNZIbVquD73DpZuE30HsrUBsPeWpQy2JGNUPq8tCvcREVgmnIt7yJn8sC8D+RwgXCXHf6qDMjANi7nvD6uWTik4P68e9lVztO4QudwdZdPieflfFADH4sFPhXwCpGOkR37RSrqe6t3CR3ZI0aXqHdZ1l1JcJv+5WEXmJZfNUOPBGpvatmc7ygJYDxuQoJ5FDFsyZffrAYOcEXC6gDaq6NTGgo4JZAYQsHg8JaFWQPEToagiSQhhErMeA5nTUvNjJ4/0HHIvsjsGabAv3GiT2lcVnowt8qwEyLnQStNiAxv0bURhW82BLCHq5cHx7mtUNqDQjrc48iQZiZd20orTq7PmxwWBa6T9EwuEOQiX69inIbSU7kGbRmVUS+RPKfFoCXXOSlBjzoLM448Ymbf0FsEgATb0I5sJ6R2k9mlh3WgRur/u8ODtXJO9TLjVvAm1WmHWXn8ZSvKRS+/VSGg3RzKGyVqh2gJmpDJmF4BwzqslhaCdvdkwBW+7oZN///1h41NX6Fo68l+P/Rl/ZFvCF2VD18E1EjmnOs8sxmMjsDct3HNd7xB1PJLKtNTCLEF0vLDOM5qGaWfBVZtwHiz7fhbPxeE4ND8ygHhUUVzDsC3uHeVHwBMghSY92wnNq6SJP5HMC5knoEFxGnr5te8GcMT6iD6KMKjzqPnp7raGSFo96d5qDiug8krD3vEpbE+3L0XRye5m+2N/wVL7u888JZ0Yj9uWZoAmg41G9y5NU1g8Sns9gY1jalZFaY1+S2nCAfgZRNzx0gLa4CY7SClib1+qDCKIVLJyCqlbKRkIbNXV/B+/L6MAUwTRn8NLhm1+U1QgqD3X+cTJoys/1laSEBXcupT0CrCkR2wguGh1tfkyZ0yLJcbyIfRHzmEooMHWgL5N+mNYCwxLyIfDmBSacZI7AUBfGD+RT24W0vl976zd/sBzIZtQGFPKDtb5bzNE5FNfSfser+afqBG+S+gr1GUn2ZQMGN2095uqnYiwCUtxmczGlOLixbQMnYPbxClB7i4NFvZj2GbnX+yRgv8OFWTnp0C1aPsQHgZzWKAe0cDaRJpAOTTbaGaSJiwIIu689xqYGKej3oQLaAHqlRyRhJngUOj4panxNb/ZFbP6lfUF0fehNJFJaR3WKSiRAjv6ommtSFDQ26TrhYE9d+yG1KApzkhlPTLNA4fVRQxfZi41hbfHDg4kwZMpc86BSCq85qnzW+nMJiWTLxTKYSzjpiWSnMzBvBYf0vntz5+ltwJwyVMX/TdAoYGyHOCINLSxhKoajORJ0g6zEyBRdG+kg0qZCFi894fR4eAz5/fvbrhOhhnCOaVCJlvLo2jXiizQlsqbvLr8bTbyMF5yJPEPV8H/B8uhzzjCIxvbbc3Ac3rPX47FBdEc5869c7JgL/2HD9GZzJXfRBzyhSTFMMh7J+K7LgEIGsItTsJM9wa4BC9ZicZRifuGxBKATOIVeTpJJHA80yhmL6lsazUrrAlyA93mR4CsuInmum6QMyjkmcXBnEtybSeuUjX7aFmzSz9Il7C9iR/4QRWyzgSIh7sbqEl/v4mQtJMlydbZdd0aT65AShTHUIkNZxOg/IuEW26v8pyZi5msfPBjwmknQkXPTf1fCcgVuY6OoQBPzYR1BFTjpY5lTfAMYH9sDW+xxRTFftsNNRzIctX0IEv5haWxLDhuN7eagltf2v3GubrbsYTeVwuCFJnabgzXan4vvpPVIPhrhE2k6G0FfDhIpQL9oweNBG2hefoXoOr+piHYcc1hJSHnSUp9qRxQxXzjvaFulfRO+2GoMAg6E6pz1Fz8e8mHRubREH6NOLvz070D0u1o7Tb6LE2cmw2XdRaVqO+Jo3u7pZUUVYllF31Uxb8ngHarWQ3dOBneZQHsW3AFpRofz9BcHII6dd4BhAM+sl7+cBEFuNn9nkDBR8PLx7O0G+b99qSAnOdvY6wWTwMbWC2JLcv6QTwqe/bAdEg3hNi2GOoqwvs0e6BO/7GS88egcwqZEe2Tpvtzb+NCia/A3oc/VNWTucmQcv9K10QaloZjHMXAMsDESr3LJ0enaoqc90bbHWEuoyRJoDDuW2NXHpCILLAxCUDZnArlE78J2B15Yc2sBkgHyYrILaZo1dBVR23R+QX4bZXt69EZC74IdcELt4qw4ANK+xKtSRJ5vnVml58/71IukUp5GOwEzImEC4YG5G7O7hpMWZmM48RvOuhmqk3LvCggjHPploLqw3PY46twgbKTBai4PbYZ2NaFAHkgc4jqoKSgzQD0jqUkNxFZNSXmvC6QGksns/GaI/qZJVSWAxr95P3oEyZrsfY+KFvhpGJWAa/TIyJslTsKjSv+VFg9jm93yT6P+Jfp1sR+tnyTgrDUF3SIi1/HbM4DlgbyHon25B+4fabgbGajl0Ua/zNyFmWcGN4yRQfXgK47vhQFyfAaOliIKbvsCEnfLniDhPg9FlnxBHSVPHNxeEufocboCUJzm0pU2r2iRRN6fKiiIZubjxeXDjRHTsJAffstPp6pSDxgtZzivquUkj1669QmZaHhV6VyAhGOz/A3VWWB0FGdToeuS5FciNyYVmfJ8moHP1skV/jR4Ke3R/gHato0Un0nUr39ftB81uVomTYlVYuXAUUfJnAU/i8PbdjWCXSlAIeqCUeEf9oLq4n/xtUvJGBzxPgRJPaWxnckS2umi+6CRCs9f1EzwORgOosnQDJxALsGV3Nl4dR1o8ygAHkiBiqKyaEk0ulVM6XrfGFcQMkRgK2PVIZHNCEY72jU42/LlzWumXH2uoivR0toT7kk919VJYa5+2ac=,iv:BqwTfYEtqtFazQGfhL6rxfIUrZ2cin+jy070FDaGIuc=,tag:MMUGNmH6m4aNR4U8KAac6w==,type:str]
 livekit:
     keyfile:
         #ENC[AES256_GCM,data:M+SfmEuhPL8sqxOl3uL8mE6Z6pC6naQNxFRskMPbVpLVWYM1Be+QOoLEiTMtWqH2PAf2NZXLcNY63Q99bYINz+BTt/ekllye,iv:DSZJxoZUlUZxPpzfpXyZ4ECeJjq6/WW8I2fvTXIjmfU=,tag:HwHhdQA8yuSKYxM5LcZV/w==,type:comment]
@@ -86,8 +87,8 @@ sops:
             Qnh1djQ0ZDFhRmxsU2g0eHJZeFlkcU0Kj5H/dHrOwSgiZIzpv3nOc7AWeNMofJg7
             OzSVdRry72qPqYU8YLWjAcoP3ddITZnWr53/yYBVmssW/KeyVyPy9A==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2026-01-21T02:03:24Z"
-    mac: ENC[AES256_GCM,data:yVe+78V7zYgYveLFBghKdAeibg97DRafgsRRCZPYkWu8t2iadtD5UqRK0KS4Zcc55ojHJ11otgadaPHQyl8EIzt7Dwlm7ZOVEmmPAYdaweWfnPRdFhDAxcgj8Ejh03LAdLQK8WwlfTF/09Avub2ZUnN0aPwFCen/qD6dYmcGDNk=,iv:y4YE9AqlVVBBtRGoIdfIcNGE4chChBOR0Euy68xkQBA=,tag:/yopCpkvFaEzr2iXxLd3uw==,type:str]
+    lastmodified: "2026-01-26T12:49:23Z"
+    mac: ENC[AES256_GCM,data:+rkFq7pYZrGTtLIjjwa5DQC6WFpeV3JS80w6xADcn+kNnjg94p70GVZ3zP6p+f4PZ/Rupjg1cmm3w0g/ranx+FEmmX43N+zSY97NYOC2oxOhlNDDyrnRDElaiCOq41Jd13FxnjX3Jg9gxkD3szGS9hG+gv3wSf9NabOhFFL79GQ=,iv:+9UDVsvfr581CSNdtLRTfrjQ7rsLgMLmyK4cof0NZUU=,tag:9/xq9ThqrDzg+Snh3vSkVw==,type:str]
     pgp:
         - created_at: "2026-01-16T06:34:46Z"
           enc: |-

secrets/jokum/jokum.yaml

@@ -1,93 +0,0 @@
-matrix:
-    synapse:
-        dbconfig: ENC[AES256_GCM,data:R7y+867fwnVXHaknUj9RpBtkEATfUo9AoaNId/ODLkHCJyQP1761pJLqeSkQTZAnzZxqACYorV0P57tEQ5bE0aKLOL7tSClx82x7Tki0MiWME4FgxJC2fQk/vP0Ca2zufnw0s697zkfsnyx/1pjjo69amXc207NXAHCtxXO0ztWp0Q==,iv:BsbOLl/hlQIjOLnik8lZWO3+jhMEZ//fisxLon7HdE0=,tag:6sv6ySztGbxAgn+WV0I5NA==,type:str]
-        turnconfig: ENC[AES256_GCM,data:eyUQID6nHiMH1cm418ItI3DEAjAPoR9NR7DvhfYCTvYM1LyHKVg=,iv:Jz7LEOUwTI8LCMOKqB2vN/0Zs+S0IJkHY3wpAC0q5YI=,tag:4SImxB+5JI8VtsZVy0cYIQ==,type:str]
-        user_registration: ENC[AES256_GCM,data:qWtVuNc0YWetsVVtXt+nlaUPq7QzbsDIb+KV2jgEfLZXU/h+vS0PL+k=,iv:72fvhUo3Bhvxj9A16sTL3teLKA0tGEk7pbgKoooOJSo=,tag:Q5vl2+ZJZqtcmMH+tNqVag==,type:str]
-        signing_key: ENC[AES256_GCM,data:3EeV+9X9TtqhBL7QyULTS7tNyH7ayhe88B7UtNZ/TMlQSW2E1WtSVEecqs+097A1SmdKoYVr6iz0ew==,iv:TDfAdYROu7o7FIwn6oOs60surQ7zFy0+9bqhx8LtwXg=,tag:8MpNBw5TbDMxXHF9+tmZfQ==,type:str]
-    coturn:
-        static-auth-secret: ENC[AES256_GCM,data:bDVbTU3QaanU0fPhQF4Fil4=,iv:MVoFWgqHm88JXaCYa5l57SkX3fSmP97Z7IzvwumHWY8=,tag:ZX121OshXiLC6eRxz2Be0g==,type:str]
-    mjolnir:
-        access_token: ENC[AES256_GCM,data:z+BG3nJyUTrJJq0eGNzT3tFatKXffgBzg3E608pqBaPvtJYsnEy4mo1vZig=,iv:VGdnprNYOArhLdY38B1BO/V9YiYGZEy39gnJyh8atgY=,tag:qJ+UryjNPTH0F6ZP5JJlEw==,type:str]
-    registrations:
-        mx-puppet-discord: ENC[AES256_GCM,data:nvWSaZ4we8BD50Op/bZMrlMXGBwzvG3IXGPGJe2paCZ10tTm9v4+aYGYhILNhcQM095AD9KdEJ44TAyPxZ/c5iYLqb/LJzEpa5X2jKoiF6r7PjNFGevKQs7fzJk4Y9MxHwZ2KJT+uHjtXF8erJvFDs3S3WgmuAQW1U9b5fYQNc4ZF0tY+BsWU2ehqMejpx7w93TkcIiZY7Uoj4kPMEp8aI6v/7VPIjM9g7b+R5KGZ1/yIpiNCzZuT+x2mxCtqGfbOynWON8PaCIojp7sbLaRWhX2bd4GG2wP3T5MsgwjJzQSfyXjK1Dyxzr8fVmh0R2mJoZHTYNQLLwYncLwqXQEHr6tXNWPTwxPslW+BdLsp/8//m0F04vUf4Z0dbf22NSaPkH9GdRLB3zXh07VxqG+B7OvAjDULHUmA5uwgtZq9h0G73TWDJ8U75eAxrTdsgQgmIsyhpLljFW2QSnOPL/93ieovh5qRgXjgyqrljDOkB+fhC0gdQalPeBM8l5zPI8aaJsVp/l15rx4nUIrFka0g+v+SRhAIPtQAKA=,iv:3gzyGz7T9PK/J92X46YXYT98bpTnx1uPiiwXuls/kOA=,tag:Vm+zNmA53HIb2dP8FIgP6Q==,type:str]
-sops:
-    age:
-        - recipient: age1gp8ye4g2mmw3may5xg0zsy7mm04glfz3788mmdx9cvcsdxs9hg0s0cc9kt
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvKzl4b1VWTHQ2bGI4bXJl
-            SFNhY2xVNm9XdG56akFWZkR5NHliUnpFaTFJCkhRY2hONTVvRkZaN0JrM0lkZUVu
-            N3kxWVBWOUV2WHJMZ3Jsd24rOS9hc2cKLS0tIHFDWXBMcmppeHJBb3RLZ08rdVlE
-            R00zS0R1Q29QYUlTamI3MkhNNWpaZ2cKMTZ8G2ZVNsAKgZj8B857eH4yfw/fvwtJ
-            YmDTcA0w+uXI+qTtSLs/UPQ54KcW7zNvMUUSoyKrYSDul0SFUDk+Vw==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1ug30gg4y7ftuya0wdv7q0vh4egn00wlv2th7mt7cgc2ze46wmvyq9lq6ge
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3U1hmbE0rWVYvenhwQUpQ
-            NFlKcFZtMWVWNGU3cVkvcVY1Mklyb0x6cHg0CkhGTHZPZEFCSnV1aFB0eG1ZOHNU
-            UGJLY3BxOHF6V3NuWGZJUWkzcEVUc2cKLS0tIHhVY2xjaXZCdXR3VU92UUE4eWFF
-            RHNtb1RlUmdpd0RibFlES0FDRjg3RFUKFBfH7eVw3j9wFWYjK3nwd5BuW9V4R29U
-            sD/5X7wLRmfo0zCNkf50RnN3oxiP5Sj8zprQnaZMX95EGZXgqeWuWQ==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1mrnldl334l2nszuta6ywvewng0fswv2dz9l5g4qcwe3nj4yxf92qjskdx6
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXMGc0a2FyTU9MaThIUDlz
-            VWJTOC9ZUktuejl6WFRtdlV5VEFIakZHeENvCkpFRDF4RDRQMnpjZTNCdkE1cWlO
-            VExPNXdxcGk5RTVEUE5KcHY1U1M5VTAKLS0tIEIramZ4R2sycnFnS3AvMWZ2Q1RK
-            dGhDZnVraGlQQkFzdHBRUjEyWEJFMlkK0M3q1NqZdaC9E1hSUOwdTOUWdyvW1xPb
-            E/9SHuRZ+YTzXiECIEx/4ZiQEEcCWOS/wLTQjYpzoozBrmrjGaKC3Q==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1hmpdk4h69wxpwqk9tkud39f66hprhehxtzhgw97r6dvr7v0mx5jscsuhkn
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJTXJkckNBWERIWUNXMERK
-            UzRnL2FJaUlLTmxvYTBQTXlvSTRvbmhmajFJCnNCZjdxUXpVNDlwY1JDaDNCbWlH
-            ZWJFR1o2YkxLMlVNWStoYnFYL2pNcmsKLS0tIEEzM1ZIN3dBb2paeWcxa0hJSDN2
-            a01lK3hSa3prWERxQ1Z6Q3A5OW42NnMKxfCqjDityZvhOoH1DG0JJuEvowlzFBVv
-            WOofbRQ7HdB17OyZh3u5Kbd37D65bbse4HVUaL3NDbdfpUxsbZIUAg==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1wrssr4z4g6vl3fd3qme5cewchmmhm0j2xe6wf2meu4r6ycn37anse98mfs
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkcExDUDNndXRLY2J5NnpD
-            YTFnWndXYWZvRG1EdGZZekZXYUtBOXFVOVVvCmJJOEc2MVhqSDJPRTBVRU0xcElK
-            SzJYS092eXc2WWExVFFheUZnLzlHb3cKLS0tIHJPRUt0RnlzWGozM1NtTlNzbzVK
-            WUtwa3NvWDlsYmwyalYyL2FoNVBhaDgKiRmCO8OOU94uxnzUmGwnUjipDBVeF88x
-            hF92Hj7+9yBaEi4O1Je0b3ShjHfEsg690ajQKkzojGDX/awkdlcF1Q==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1zhxul786an743u0fascv4wtc5xduu7qfy803lfs539yzhgmlq5ds2lznt5
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyc1NLMmZzRUt5TWpyaXhH
-            c01CYTJsQUdBWmZ5eEVRWXduL2ZLQ1crTHgwCndRYzQ1ZU9ybmxlRlZtUVFnL21m
-            eDhYZy82RFJqb1Y4Q1pZMTRRRHpQa2sKLS0tIEk0enhSL0Jjcld0QXNCbjNKNjJm
-            c241QUEvbE9iL2RPTFJCQ1dvVW9kVkEK3N7ojkIdpcN/ui1xw7IEzBKduk9aDKrt
-            KajZLOkcaJWsYZISxP8kmN3CGOBlOx77MxC/rV1yM+/Su0S0TxIC1A==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-02-13T00:12:03Z"
-    mac: ENC[AES256_GCM,data:FolV94dIwYSL5r1ZHTPdmqMKVTAhrnePG+5M4S1H/wBYbED3sr6oPPmmxwiwm5E4K0YR1+ou4yR/vGTV3lfRdxIGWhfAT0WW8WGTZVIlcJCEk5H7Rels6rkma12BCjZ1zOGjZZCcFTm+4NI2KNv+zTc29zry4539jkkxk+8Skog=,iv:KBxSFVaFI3S5J9xG2Lc7FINUI8TRKxPtrbP3f2wXkHo=,tag:TWAtix03ZnB71+O7cF8b4A==,type:str]
-    pgp:
-        - created_at: "2025-12-01T10:58:23Z"
-          enc: |-
-            -----BEGIN PGP MESSAGE-----
-
-            hQIMA0av/duuklWYAQ//R733yCFFSYFZX2bORvyI/xgHjzxNxWPkVZagrWDvjthK
-            zJH6EiHZrivSRx6cXQIQ4SoR0LWHNidmIj188l8oB/Dh7jj42zd93+U99EeUhVNs
-            qPN9C88/e/tEWs05HTSm4oUQpoSeDVBeZEd+du+eP+DJWypSi63fh5sqjPrPHXdq
-            apayt9XGSGBIhWsACb9d56VqCb1eNF/SOcOTLPHWvA074TxmvcbWH5CfiqQLcYGd
-            r600nWol5qhmCqgiLFueUiYDikKVHi+MitatCM15yrnMi0ZLp3B32n3zPjbTUpAh
-            0NHtXHhH4ihBqWxnVSTqAqWiqM+oMORhzVatq0PjUq20XayELsY8yn7YvtJMZLjD
-            CstNQc6NqYxwjLpsuqZQHse5MnAgXapp5ogKLpjxRX9ZKWo5QD1VDB4wELG16sdv
-            h/ZvS7nh0mMWRRyXAe5OL8vTJIeiQBday5aVgqk58OrdhzVtqp3isIKRb5W92W4z
-            53Cw23prLhZnVssMLQiKUVFTIu2f1d907Kj+sH5AUybkbt93T7m/NCaEpDyxPPur
-            QDOT1KFFVTQIBHLyqg8pASJyJMiuSuQ3cbFkTDWrOWpKEDfpxo9Vy64dEKNCeWMb
-            XhVHWMIJXmLXalPePDaCEYCkR8usWZpQsRei2DHaRbXt1dcOjWuLOZeHNizy7CbS
-            XAGkGgNySuI5IFbVBfKG0OaYXu6PM4Kbh8XBnxxREaSH+EiEe11ig6CImV2pbcbU
-            pfHSdTioB03UnQvgVSP2M2DgMr3dkJnqXKrzRO80kVBd9uwR4I/1TUzsk0K+
-            =4Nje
-            -----END PGP MESSAGE-----
-          fp: F7D37890228A907440E1FD4846B9228E814A2AAC
-    unencrypted_suffix: _unencrypted
-    version: 3.7.3

secrets/skrott/skrott.yaml

@@ -1,74 +1,83 @@
 dibbler:
     postgresql:
-        url: ENC[AES256_GCM,data:rHmeviBKp5b33gZ+nRweJ9YSobG4OSOxypMcyGb3/Za5DyVjydEgWBkcugrLuy1fUYIu1UV93JizCRLqOOsNkg7ON2AGhw==,iv:mWgLeAmnVaRNuKI4jIKRtW5ZPjnt2tGqjfDbZkuAIXk=,tag:iHSkFcMmTWEFlIH7lVmN1Q==,type:str]
+        password: ENC[AES256_GCM,data:2n85TO709GJc7/qoYp2RXO8Ttfo=,iv:5ZCZPEQQXPGYfDd1qPhDwDfm1Gds1M8PEX9IiCsHcrw=,tag:PAseyFBAe56pLj5Uv8Jd7A==,type:str]
 sops:
     age:
+        - recipient: age1hlvwswsljxsvrtp4leuw8a8rf8l2q6y06xvxtafvzpq54xm9aegs0kqw2e
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4WllOQ1dRSUJ6a1pvNFg2
+            N0YrQVBtMFZKRml0dG5PUGVhcU9VUXVHc25nClNFSXowUVRRVVhNeHUrTVVZRGRC
+            YkpVYlcrZm1NTE1IT1pSTDdOZGNHYlEKLS0tIHlJbkNBb3o0TlJlbEtsQ2ZsYlJn
+            Wis3T2V5QVYvQi9laUdoaE1DbUZZZE0K/liRzp6TJeufyTzemv+zBTOwzkeJRID4
+            ZviYwwODWopB9/rCd8sIQaNXvEtvuXNWwcV1/p8DsJ9NHwqtdYHpmw==
+            -----END AGE ENCRYPTED FILE-----
         - recipient: age1ug30gg4y7ftuya0wdv7q0vh4egn00wlv2th7mt7cgc2ze46wmvyq9lq6ge
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0aGQwRlJxN2w0Kzh6OFhC
-            RXFFN1g2RXlmbVpCYTF1Ulg3bHlkSmlZTERBCndWbmNibUZUSjh5MkdwNGQyeDdz
-            dDRVZTliQy80aGxUYWFaQnFqMEEzbkkKLS0tIGVURnFUd0dtVlMvN1lDVUIvaGJy
-            QmZDdk9JOTdDeXg1NUJIcllIdXk5ZHMKFROfzKzo9y1e6siuWsU5q4WiIUhkQTDi
-            05fhUbrS8/OZQfG+KncuF1n3bWQis/USqwW1vEsTDkn6RlU9nGP9hQ==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByY0dTMWc2VEVRdTJyOXo4
+            R3BYb1VETHI2RktGVnVJUzg4WUsxbTNsK2tVCjVqVml3d29lK21wUXFnRm5GNHdX
+            blV4NEFZU01ZS3Qwc2FSMlVDRlU0SEEKLS0tIExwWXFJZGRTaTBSbjZtdTBXSXNJ
+            TUhJWkIrdGg5UDdDQkdnQk50YTQ0M0UKqoMwtPlOSIqMcLvII/EVuZGrNDeULJHK
+            l7xCzQM0n72E/zxPuO7koVXVcUNwn4kNQCRLOHLcuqx2ZRD8Oc+zNA==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1mrnldl334l2nszuta6ywvewng0fswv2dz9l5g4qcwe3nj4yxf92qjskdx6
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3QmVRSVMwdkQzT2dJTUlu
-            NDIvUHJvaWNwKzBZaE0wVEVnQml5NHU1Y0Z3CkdhbVpFSG1Oc3lERlVpMDArRnhP
-            SFp0dGtSbVBUcnZpQkd5cGVUWXhXQlEKLS0tIDVBckwvUGtBVGc5RVJjN1F4cDJ2
-            a1NiREtXMG9kcXFMeFNnMk0rQ2c5Z2MKKWK3+P9QshvgP2TCa2H5SFE+ZesaUZ9M
-            qBhPT6t44/dr7foowgVGyEVvnuaUu4GHnSKyYiwZ+bjp6E3Wm2fMRA==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxNy8rcHpJclk1b0h2T0dw
+            U0pBYlJvQXlZTG1PeTRCV2hONEJlUWFqdUIwClJ4QnQyOGt4d1NEcVZYek9JUC9X
+            UW0wNjArK2YvZDRMMGpRU1N1dk9jSDQKLS0tIGJMbkZxLzZBVm4wNXVTNFpoRDNo
+            a3dwemI2Wlh2RE8zN0xsbmY5YnJUeTAKhkSpB4RgrfbDpK7IwLs1KGXCj8v0Rze3
+            YZh3BHW2WZLS7uQcIe/tnpIHwPrQnadKeYIw7xBmXu9dWyim9/5RyQ==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1hmpdk4h69wxpwqk9tkud39f66hprhehxtzhgw97r6dvr7v0mx5jscsuhkn
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRTkdCQ1dtQWJtWEJsU2ZU
-            bzdpTzZnUUlrbmU3eDNvRlJ4bEk3RmF4cTJRCkNZTEdTWHVHUUU3eEpJNEJFRXM1
-            Si9RZjNVQUpNaVU1Y1owTU1zakpvRzQKLS0tIENSUTFDNktpeWR3VCtpY1pFdXQy
-            aWE0UkRBL29wMTh0RGZUUjdNdDloQlUK9+3fPifkgB3jsqaZrWvp5GoogwOiGuMQ
-            VA8JNJ9Nlph7pom0oxu6wc50WLbUdyOerz37TowXwys9+Lu/XJVGRw==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxUnA5SXNucGN4bi9zeGlU
+            TzJPUGk5SWVONFVVYnNnejJBdFJmL3d1S0Y0Ci9SOVZmVUMzRWNicGN2dE5aRy80
+            MFh3MUNTSE5EWEhQcUFsUENDdWlWYkkKLS0tIDYrb2RzVm9OTHlzKzBCdEtPYnF3
+            L2VmNm5ITEUwUVJ3WXRmVGZnY0RSNE0KraXjJSZ9HKV8SO93khWVjBJcEYQLI0Rm
+            lQuagfkZ5oaedsPGNqaXWo/cd3g2SZOfhmmRxY9R9gxmnjpP4L6gGg==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1wrssr4z4g6vl3fd3qme5cewchmmhm0j2xe6wf2meu4r6ycn37anse98mfs
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTb2xWOWY4V3Mxd1Z5bklT
-            RXI1bjNtZ3hORkpOOUpFSXUrQ0lpODhsWHlFCmhteWJWam5mU2Nhc2tlTURRbC9i
-            OE1SUE5iczkvdWRTdDRKd2NVNGhHS1kKLS0tIFZWYXA4TnF0dHc4K1FlYW9Cemta
-            a0lzbUNKMzVrcmgwQWIyUWo2VExMYWcKAOwJ8tA9L/jQ1lCPaUMNNJaYz14tLbMH
-            4c+lYZJX3PKjfkc5UnteWNsaXTF/vXoALDnaPBRwBFWFfCVsX5XYnQ==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKTlgxOGJwbDYrbXNDWmNY
+            YzZGTTdlQXBFRUEySW1Rd0Z4bi90akZIOGpBCjdseUJIeGlJZVB1WDNFeU5LZDE0
+            cExQSFBPTWlUbVRjREdJaXROTjRwWTgKLS0tIENPM2VnZGtyaUowZmx5ZVdZVjRz
+            SW9kSTVBbDJUWHBzV0xBYTlReGloSkEKq6Q3HVKRnw2B0CUvgXlUkQUBgmCNLP80
+            fY5/ePAWZKt4P6TxzPNFH3aANWcnVC2/QxF2RgYfDXKKp1AVlAIlTA==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1zhxul786an743u0fascv4wtc5xduu7qfy803lfs539yzhgmlq5ds2lznt5
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKZGpMbC9yVTdObFEyZ1pH
-            a0ZOMXhDVGdFNUNOMmJldjZKTElzdHI2bmljCnJtcEUyY1hDUnczZkFSNGErbEtE
-            Y1lyZnFOVTVIL1FKczJ4dUIwdjg2T0kKLS0tIEpSZmN3YUJDUjB1ZnNtT2hCb3c2
-            ZE5tMXJOYlFMOVNJU3FEZFB4TlZ1U00KHnunzKMy91oc92ptcaKCE1sfkhFGvf0S
-            vRX/nyQnBGqD3X3yfvkt+aQnoLxcjoanpJVM9VeigyPu1mRg0OOxXg==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvS2gzN0ZyakcyVjlYRUZU
+            OFNmUHhsTysxV0JIV1JlM3hLNW9KRm9oY0gwCkh3SWxUV3ZqRXluVVRyRC9OQzVa
+            ODE0NnE2ZHdZc1Qrdkp0YWZFZ0xnMWMKLS0tIFFsNElqVlZ3Sm56b2ZNcEpQMXo4
+            RGJCWmpyd1g1NC9Ud3I3TWRBZ2llblEKVrHE0kPVjapor98D4Z1gCtQsuWS/iAuE
+            5cje1AZdpYVdHoRtzRxKwPekfm9xa/knzFckjjO0JizTQWTPYg0gsQ==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2026-01-11T17:28:43Z"
-    mac: ENC[AES256_GCM,data:l43vquKg33LndSXOm0hsPcalQRXjqbb30QvptXuBsmQrcEVVh20Aqp92l+rwgv60P03ZtK4SKxm/udVVoqViFTwCLYtCC5GEn4OqbD94LQKzl+XLe7yLWwv2WF8ueu170YpZ97uFxUrhOoaOaKUgnAV+4CocixG5hfadpqA3yYE=,iv:a6RRILzz4gDUuiSZPVoqjlIMu4NZG+D5Q+brusfh9PU=,tag:Y8nKbnctjka44eH15x8oCA==,type:str]
+    lastmodified: "2026-01-25T14:03:57Z"
+    mac: ENC[AES256_GCM,data:RBf3LjVNSclsPN7I4QPaDUjWbKlaccjk3rzsRNdRe3+OvJSd7MsS9RfpUFCqUtO7ZkkocXHmkHA8z8LNxs6vejT9czMsLLQD14qHZS6fFdTnToOx3Kt5UuviPO/2UryVI+6HWORkH1aqFJhzkSMop2TO5mzuOTfbCEBLYUUuS6s=,iv:NQs8O1hIbjzGBTZo+gCuisj3edraFGk/Y146HmfPmQY=,tag:4g9IXw2UFC5V9EIHuWJqdA==,type:str]
     pgp:
-        - created_at: "2026-01-11T17:12:49Z"
+        - created_at: "2026-01-26T04:52:39Z"
           enc: |-
             -----BEGIN PGP MESSAGE-----
 
-            hQIMA0av/duuklWYAQ/9EOJGjNnLgEPo+/pP/4TVt8ECLRRbxsjwpnxuRf2QcmtF
-            p+ZnX+X5mBVdriuTUTFyUvPXBPwG2byrc7w/+zZBvYGWdSZgi+ACBRiAzvXMUYUq
-            ZCY6z4v4dkvbbVW2QE1JmzfZFVC4Vdwup6q+OXtXvQe6n2/GgIHRfyMnG3dynldt
-            1cmEY8ujuZzv+St5tInaGod5pZ4i2/RDvQSk7JHtb9LqsyyIKdxYa1Sc8U7WN9qx
-            Ucwo56HZ9tlAvA4nEqYIaZFGM4XDXO3BV6ltsa57dMXJSzYjG8qYB7Z4CCTmn6HL
-            h7A4NK8yj7El5q9EScbSzJQ8LNMYAPhLMhvOGYio/k2Jnn3woioozCdUEvg4aoAT
-            Y+UVyl/O5MrM6ZcgWVQ7gbhYvAHSyiyr5hlEfzjtxwiETkIXFPiWtOpyq1GIYa7w
-            k93OvrFbbTevzY2ea4gQh4pmzGDfXEqtBm9DjQwUmiTM877bR/sY4b0HV/CA3Txh
-            Xz22dLp8pfvAtBtHuEARJeQ8DeFslICuZZSiDscNe63dqxg9tWmwFqWecOGb5DXG
-            xEbLTyO0YBESsk3jt7JCtx8Dfnb9fVOqCiQN2Ywd1TkSMnM1H627MpaZJNKEXQPT
-            +gWa7QqthW84Vc42wuAYmLAw+1Ob/BgPojogV8XUIr2johzp1tY2jdsDJko84PPS
-            XgEprHVVj49JHRR5ixjJwoO4WbYsN4Tqej7I2Ns00tCzHAKPFQvFlHNLt1CrM88X
-            0HRLTEn7z1F5r54inNP0DIvDJlTSqJdJDA5k0HChQA7by2le+ERpvI4CmTkNyvk=
-            =c+Rd
+            hQIMA0av/duuklWYARAAtSg5bRhk7DN14CpdTtG9XPwQfZAP2EvCpFqXcU1LnIqi
+            odRqr1vzFlgXH/A/36C/c/JN7M0673PWivUidiMU38/WExgzxPTe/mpwoTHqRRgG
+            aSP5or2UjhwbN7M844JGbTMNAIUh9bVG2/Qm6cLFhv2HalAVhhnWsbIdJIjUmpjU
+            cMjCfxO36uTVp1SajeJKd9x9n+AbWY84SzN/7HYrFcJQomOyb6FcioIwHcIe2YdN
+            GEdNkA13+hTNBR2ZYW3wrPxr39qK4R3mEJambwZLhQfRwUaqIB6PqvXICdqeLbRc
+            2OfzR5oN5HE3Z7QGwDDM8x8diegLYUyTyY3yhJ8PcCs44mXL2XN6XGefgNWuxxDd
+            o8189NRNXD2xloiIcbBJQ6Mpix+qlEI4VRnaxiGI3huv/vpKqSxBZFCu4x4kxGwj
+            OuaX3cPsvjzj0WEFsAvmrUB/Qdabfhhdm1TgY1PqoXfCudyLuDYqRg8sjIIUjmtA
+            /EyXTO6Ah+vc/NP3mLcHeFAh91Lzvxvm6jEmpN7/jg9zbIzs0jNeVchFYxxVZuRn
+            J6ySrkQ5x4FC1DdJlxv36uOLdbsosgia8q3WHOfbt/Lyp/n1RuQX2Kjysi/C79ap
+            xYaozqRmuJIy4Ph4PbhA737PFS4GEyKsHfvskWeGvpGiu/XHP+R+AfE45Mac1O/S
+            XgEgpNsTDb4GS70fjYBjaSyLcgCeAhqt4Mm4O3UTrYWLfziVLMI7vl9zTznGmY9n
+            fS70cnezoSWVj9Nfz+EmmsRWwAYRebzqLWaAtPmrrS5IbWZkLgpay7ga1y9cACo=
+            =0Z+d
             -----END PGP MESSAGE-----
           fp: F7D37890228A907440E1FD4846B9228E814A2AAC
     unencrypted_suffix: _unencrypted

shell.nix

@@ -1,15 +1,16 @@
 { pkgs ? import <nixpkgs> {} }:
 pkgs.mkShellNoCC {
   packages = with pkgs; [
-    just
-    jq
+    disko
+    editorconfig-checker
+    gnupg
     gum
+    jq
+    just
+    openstackclient
     sops
     ssh-to-age
-    gnupg
     statix
-    openstackclient
-    editorconfig-checker
   ];
 
   env = {

users/adriangl.nix

@@ -1,4 +1,4 @@
-{ pkgs, ... }:
+{ ... }:
 {
   users.users.adriangl = {
     isNormalUser = true;
@@ -9,14 +9,6 @@
       "nix-builder-users"
     ];
 
-    packages = with pkgs; [
-      neovim
-      htop
-      ripgrep
-      vim
-      foot.terminfo
-    ];
-
     openssh.authorizedKeys.keys = [
       "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFa5y7KyLn2tjxed1czMbyM5scnEpo9v/GfnhL/28ckM legolas"
       "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICf7SlyHR6KgP7+IeFr/Iuiu2lL5vaSlzqPonaO8XU0J gunalx@aragon"

users/albertba.nix

@@ -1,18 +1,14 @@
-{ pkgs, ... }:
+{ config, pkgs, ... }:
 {
   users.users.albertba = {
     isNormalUser = true;
     extraGroups = [ "wheel" "drift" "nix-builder-users" ];
 
     packages = with pkgs; [
-      htop
-      neovim
-      ripgrep
       fd
-      tmux
     ];
 
-    shell = pkgs.zsh;
+    shell = if config.programs.zsh.enable then pkgs.zsh else pkgs.bash;
 
     openssh.authorizedKeys.keys = [
       "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICheSCAxsYc/6g8hq2lXXHoUWPjWvntzzTA7OhG8waMN albert@Arch"
@@ -20,4 +16,3 @@
   };
 
 }
-

users/alfhj.nix

@@ -1,13 +1,12 @@
-{pkgs, ...}:
+{ config, pkgs, ... }:
 
 {
   users.users.alfhj = {
     isNormalUser = true;
     extraGroups = [ "wheel" ];
-    shell = pkgs.zsh;
+    shell = if config.programs.zsh.enable then pkgs.zsh else pkgs.bash;
     openssh.authorizedKeys.keys = [
       "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMCAYE0U3sFizm/NSbKCs0jEhZ1mpAWPcijFevejiFL1 alfhj"
     ];
   };
 }
-

users/amalieem.nix

@@ -1,10 +1,10 @@
-{pkgs, ...}:
+{ config, pkgs, ... }:
 
 {
   users.users.amalieem = {
     isNormalUser = true;
     extraGroups = [ "wheel" ];
-    shell = pkgs.zsh;
+    shell = if config.programs.zsh.enable then pkgs.zsh else pkgs.bash;
     openssh.authorizedKeys.keys = [
       "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPsMtFIj4Dem/onwMoWYbosOcU4y7A5nTjVwqWaU33E1 amalieem@matey-aug22"
     ];

users/danio.nix

@@ -1,10 +1,10 @@
-{pkgs, ...}:
+{ config, pkgs, ... }:
 
 {
   users.users.danio = {
     isNormalUser = true;
     extraGroups = [ "drift" "nix-builder-users" "wheel" ];
-    shell = pkgs.zsh;
+    shell = if config.programs.zsh.enable then pkgs.zsh else pkgs.bash;
 
     openssh.authorizedKeys.keys = [
       "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCp8iMOx3eTiG5AmDh2KjKcigf7xdRKn9M7iZQ4RqP0np0UN2NUbu+VAMJmkWFyi3JpxmLuhszU0F1xY+3qM3ARduy1cs89B/bBE85xlOeYhcYVmpcgPR5xduS+TuHTBzFAgp+IU7/lgxdjcJ3PH4K0ruGRcX1xrytmk/vdY8IeSk3GVWDRrRbH6brO4cCCFjX0zJ7G6hBQueTPQoOy3jrUvgpRkzZY4ZCuljXtxbuX5X/2qWAkp8ca0iTQ5FzNA5JUyj+DWeEzjIEz6GrckOdV2LjWpT9+CtOqoPZOUudE1J9mJk4snNlMQjE06It7Kr50bpwoPqnxjo7ZjlHFLezl"

users/default.nix

@@ -1,4 +1,4 @@
-{lib, ...}:
+{ lib, ... }:
 with lib;
 let
   # get all files in folder

users/felixalb.nix

@@ -1,4 +1,4 @@
-{ pkgs, lib, config, ... }:
+{ config, pkgs, lib, ... }:
 {
   users.users.felixalb = {
     isNormalUser = true;
@@ -7,10 +7,11 @@
     ] ++ lib.optionals ( config.users.groups ? "libvirtd" ) [
       "libvirtd"
     ];
-    shell = pkgs.zsh;
+    shell = if config.programs.zsh.enable then pkgs.zsh else pkgs.bash;
     openssh.authorizedKeys.keys = [
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDKzPICGew7uN0cmvRmbwkwTCodTBUgEhkoftQnZuO4Q felixalbrigtsen@gmail.com"
       "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBTXSL0w7OUcz1LzEt1T3I3K5RgyNV+MYz0x/1RbpDHQ felixalb@worf"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDKzPICGew7uN0cmvRmbwkwTCodTBUgEhkoftQnZuO4Q felixalb@pvv.ntnu.no"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJky33ynjqyWP+hh24gFCMFIEqe3CjIIowGM9jiPbT79 felixalb@sisko.home.feal.no"
     ];
   };
 }

users/frero.nix

@@ -1,9 +1,9 @@
-{ pkgs, ... }:
+{ config, pkgs, ... }:
 {
   users.users.frero = {
     isNormalUser = true;
     extraGroups = [ "wheel" "drift" "nix-builder-users" ];
-    shell = pkgs.zsh;
+    shell = if config.programs.zsh.enable then pkgs.zsh else pkgs.bash;
     openssh.authorizedKeys.keys = [
       "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII09JbtSUMurvmHpJ7TmUQctXpNVhjFYhoJ3+1ZITmMx"
     ];

users/jonmro.nix

@@ -1,10 +1,10 @@
-{pkgs, ...}:
+{ config, pkgs, ... }:
 
 {
   users.users.jonmro = {
     isNormalUser = true;
     extraGroups = [ "wheel" "drift" "nix-builder-users" ];
-    shell = pkgs.zsh;
+    shell = if config.programs.zsh.enable then pkgs.zsh else pkgs.bash;
     openssh.authorizedKeys.keys = [
       "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEm5PfYmfl/0fnAP/3coVlvTw3/TYNLT6r/NwJHZbLAK jonrodtang@gmail.com"
     ];

users/oysteikt.nix

@@ -12,9 +12,6 @@
     packages = with pkgs; [
       bottom
       eza
-      neovim
-      ripgrep
-      tmux
     ];
 
     openssh.authorizedKeys.keys = [

users/pederbs.nix

@@ -14,14 +14,9 @@
       bat
       edir
       fd
-      htop
-      jq
       micro
       ncdu
-      ripgrep
       sd
-      tmux
-      wget
       xe
       yq
     ];

users/vegardbm.nix

@@ -11,9 +11,6 @@
     packages = with pkgs; [
       btop
       eza
-      neovim
-      ripgrep
-      tmux
     ];
     openssh.authorizedKeys.keys = [
       "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDVA3HqEx3je6L1AC+bP8sTxu3ZTKvTCR0npCyOVAYK5 vbm@arch-xeon"

values.nix

@@ -40,6 +40,10 @@ in rec {
       ipv4 = pvv-ipv4 168;
       ipv6 = pvv-ipv6 168;
     };
+    dagali = {
+      ipv4 = pvv-ipv4 185;
+      ipv6 = pvv-ipv6 185;
+    };
     ildkule = {
       ipv4 = "129.241.153.213";
       ipv4_internal = "192.168.12.209";
@@ -73,6 +77,10 @@ in rec {
       ipv4 = pvv-ipv4 179;
       ipv6 = pvv-ipv6 "1:2";
     };
+    principal = {
+      ipv4 = pvv-ipv4 233;
+      ipv6 = pvv-ipv6 "4:233";
+    };
     ustetind = {
       ipv4 = pvv-ipv4 234;
       ipv6 = pvv-ipv6 234;