WIP: grevling/tuba: init

base/services/auto-upgrade.nix

@@ -7,7 +7,7 @@
       # --update-input is deprecated since nix 2.22, and removed in lix 2.90
       # https://git.lix.systems/lix-project/lix/issues/400
       "--refresh"
-      "--override-input" "nixpkgs" "github:nixos/nixpkgs/nixos-24.11-small"
+      "--override-input" "nixpkgs" "github:nixos/nixpkgs/nixos-24.05-small"
       "--override-input" "nixpkgs-unstable" "github:nixos/nixpkgs/nixos-unstable-small"
       "--no-write-lock-file"
     ];

base/services/logrotate.nix

@@ -1,8 +1,42 @@
 { ... }:
 {
+  # source: https://github.com/logrotate/logrotate/blob/main/examples/logrotate.service
   systemd.services.logrotate = {
     documentation = [ "man:logrotate(8)" "man:logrotate.conf(5)" ];
     unitConfig.RequiresMountsFor = "/var/log";
-    serviceConfig.ReadWritePaths = [ "/var/log" ];
+    serviceConfig = {
+      Nice = 19;
+      IOSchedulingClass = "best-effort";
+      IOSchedulingPriority = 7;
+
+      ReadWritePaths = [ "/var/log" ];
+
+      AmbientCapabilities = [ "" ];
+      CapabilityBoundingSet = [ "" ];
+      DeviceAllow = [ "" ];
+      LockPersonality = true;
+      MemoryDenyWriteExecute = true;
+      NoNewPrivileges = true; # disable for third party rotate scripts
+      PrivateDevices = true;
+      PrivateNetwork = true; # disable for mail delivery
+      PrivateTmp = true;
+      ProtectClock = true;
+      ProtectControlGroups = true;
+      ProtectHome = true; # disable for userdir logs
+      ProtectHostname = true;
+      ProtectKernelLogs = true;
+      ProtectKernelModules = true;
+      ProtectKernelTunables = true;
+      ProtectProc = "invisible";
+      ProtectSystem = "full";
+      RestrictNamespaces = true;
+      RestrictRealtime = true;
+      RestrictSUIDSGID = true; # disable for creating setgid directories
+      SocketBindDeny = [ "any" ];
+      SystemCallArchitectures = "native";
+      SystemCallFilter = [
+        "@system-service"
+      ];
+    };
   };
-}
+}

base/services/nginx.nix

@@ -33,10 +33,6 @@
 
   systemd.services.nginx.serviceConfig = lib.mkIf config.services.nginx.enable {
     LimitNOFILE = 65536;
-    # We use jit my dudes
-    MemoryDenyWriteExecute = lib.mkForce false;
-    # What the fuck do we use that where the defaults are not enough???
-    SystemCallFilter = lib.mkForce null;
   };
 
   services.nginx.virtualHosts."_" = lib.mkIf config.services.nginx.enable {
@@ -45,4 +41,4 @@
     addSSL = true;
     extraConfig = "return 444;";
   };
-}
+}

flake.lock

@@ -7,11 +7,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1733168902,
-        "narHash": "sha256-8dupm9GfK+BowGdQd7EHK5V61nneLfr9xR6sc5vtDi0=",
+        "lastModified": 1731746438,
+        "narHash": "sha256-f3SSp1axoOk0NAI7oFdRzbxG2XPBSIXC+/DaAXnvS1A=",
         "owner": "nix-community",
         "repo": "disko",
-        "rev": "785c1e02c7e465375df971949b8dcbde9ec362e5",
+        "rev": "cb64993826fa7a477490be6ccb38ba1fa1e18fa8",
         "type": "github"
       },
       "original": {
@@ -119,27 +119,43 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1733466147,
-        "narHash": "sha256-1QAch5UZXGDc8Kh3PvdIKfVNeebjZFWiIKn8lAr1ZBM=",
+        "lastModified": 1731663789,
+        "narHash": "sha256-x07g4NcqGP6mQn6AISXJaks9sQYDjZmTMBlKIvajvyc=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "66dddf2c2aae34272f117ea95a06efe376edbe27",
+        "rev": "035d434d48f4375ac5d3a620954cf5fda7dd7c36",
         "type": "github"
       },
       "original": {
         "owner": "NixOS",
-        "ref": "nixos-24.11-small",
+        "ref": "nixos-24.05-small",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs-stable": {
+      "locked": {
+        "lastModified": 1730602179,
+        "narHash": "sha256-efgLzQAWSzJuCLiCaQUCDu4NudNlHdg2NzGLX5GYaEY=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "3c2f1c4ca372622cb2f9de8016c9a0b1cbd0f37c",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "release-24.05",
         "repo": "nixpkgs",
         "type": "github"
       }
     },
     "nixpkgs-unstable": {
       "locked": {
-        "lastModified": 1733603762,
-        "narHash": "sha256-E+cuaL8s1oHCumWD/Zkw0gkLOOQcz848pVyLfvqWDVw=",
+        "lastModified": 1731745710,
+        "narHash": "sha256-SVeiClbgqL071JpAspOu0gCkPSAL51kSIRwo4C/pghA=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "b1dd465e8139748a8e26037fdd4c5ffe79457cbd",
+        "rev": "dfaa4cb76c2d450d8f396bb6b9f43cede3ade129",
         "type": "github"
       },
       "original": {
@@ -176,11 +192,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1734820349,
-        "narHash": "sha256-ZjfttVIMtDqns9wNRyWfP7Ae+kuEZfyXK5sqLmxzsgU=",
+        "lastModified": 1725212759,
+        "narHash": "sha256-yZBsefIarFUEhFRj+rCGMp9Zvag3MCafqV/JfGVRVwc=",
         "ref": "refs/heads/master",
-        "rev": "2930f9863ffa4bdc036535159717c9605bcb5a06",
-        "revCount": 474,
+        "rev": "e7b66b4bc6a89bab74bac45b87e9434f5165355f",
+        "revCount": 473,
         "type": "git",
         "url": "https://git.pvv.ntnu.no/Projects/nettsiden.git"
       },
@@ -229,14 +245,15 @@
       "inputs": {
         "nixpkgs": [
           "nixpkgs"
-        ]
+        ],
+        "nixpkgs-stable": "nixpkgs-stable"
       },
       "locked": {
-        "lastModified": 1733128155,
-        "narHash": "sha256-m6/qwJAJYcidGMEdLqjKzRIjapK4nUfMq7rDCTmZajc=",
+        "lastModified": 1731748189,
+        "narHash": "sha256-Zd/Uukvpcu26M6YGhpbsgqm6LUSLz+Q8mDZ5LOEGdiE=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "c6134b6fff6bda95a1ac872a2a9d5f32e3c37856",
+        "rev": "d2bd7f433b28db6bc7ae03d5eca43564da0af054",
         "type": "github"
       },
       "original": {

flake.nix

@@ -2,7 +2,7 @@
   description = "PVV System flake";
 
   inputs = {
-    nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.11-small"; # remember to also update the url in base/services/auto-upgrade.nix
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05-small"; # remember to also update the url in base/services/auto-upgrade.nix
     nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable-small";
 
     sops-nix.url = "github:Mic92/sops-nix";
@@ -139,6 +139,20 @@
           inputs.greg-ng.overlays.default
         ];
       };
+
+      grevling = stableNixosConfig "grevling" {
+        modules = [
+          ./hosts/grevling/configuration.nix
+          sops-nix.nixosModules.sops
+        ];
+      };
+
+      tuba = stableNixosConfig "grevling" {
+        modules = [
+          ./hosts/tuba/configuration.nix
+          sops-nix.nixosModules.sops
+        ];
+      };
     };
 
     nixosModules = {

hosts/bekkalokk/services/bluemap/default.nix

@@ -6,7 +6,7 @@ in {
     ./module.nix # From danio, pending upstreaming
   ];
 
-  disabledModules = [ "services/web-apps/bluemap.nix" ];
+  disabledModules = [ "services/web-servers/bluemap.nix" ];
 
   sops.secrets."bluemap/ssh-key" = { };
   sops.secrets."bluemap/ssh-known-hosts" = { };

hosts/bekkalokk/services/gitea/web-secret-provider/default.nix

@@ -27,7 +27,6 @@ in
   users.users."gitea-web" = {
     group = "gitea-web";
     isSystemUser = true;
-    shell = pkgs.bash;
   };
 
   sops.secrets."gitea/web-secret-provider/token" = {
@@ -59,7 +58,6 @@ in
           key-dir = "/var/lib/gitea-web/keys/%i";
           authorized-keys-path = "/var/lib/gitea-web/authorized_keys.d/%i";
           rrsync-script = pkgs.writeShellScript "rrsync-chown" ''
-            mkdir -p "$1"
             ${lib.getExe pkgs.rrsync} -wo "$1"
             ${pkgs.coreutils}/bin/chown -R gitea-web:gitea-web "$1"
           '';

hosts/bekkalokk/services/gitea/web-secret-provider/gitea-web-secret-provider.py

@@ -34,21 +34,7 @@ def get_org_repo_list(args: argparse.Namespace, token: str):
         f"{args.api_url}/orgs/{args.org}/repos",
         headers = { 'Authorization': 'token ' + token },
     )
-
-    results = [repo["name"] for repo in result.json()]
-    target = int(result.headers['X-Total-Count'])
-
-    i = 2
-    while len(results) < target:
-        result = requests.get(
-            f"{args.api_url}/orgs/{args.org}/repos",
-            params = { 'page': i },
-            headers = { 'Authorization': 'token ' + token },
-        )
-        results += [repo["name"] for repo in result.json()]
-        i += 1
-
-    return results
+    return [repo["name"] for repo in result.json()]
 
 
 def generate_ssh_key(args: argparse.Namespace, repository: str):

hosts/bekkalokk/services/vaultwarden.nix

@@ -83,6 +83,7 @@ in {
       ProtectKernelLogs = true;
       ProtectKernelModules = true;
       ProtectKernelTunables = true;
+      ProtectProc = "invisible";
       RestrictAddressFamilies = [
         "AF_INET"
         "AF_INET6"
@@ -97,6 +98,7 @@ in {
         "@system-service"
         "~@privileged"
       ];
+      UMask = "0007";
     };
   };
 }

hosts/bekkalokk/services/webmail/roundcube.nix

@@ -21,7 +21,7 @@ in
       custom_from
     ]);
 
-    dicts = with pkgs.aspellDicts; [ en en-computers nb nn fr de it ];
+    dicts = with pkgs.aspellDicts; [ en en-science en-computers nb nn fr de it ];
     maxAttachmentSize = 20;
     hostName = "roundcubeplaceholder.example.com";
 

hosts/bicep/services/matrix/hookshot/default.nix

@@ -6,6 +6,10 @@ let
   webhookListenPort = 8435;
 in
 {
+  imports = [
+    ./module.nix
+  ];
+
   sops.secrets."matrix/hookshot/as_token" = {
     sopsFile = fp /secrets/bicep/matrix.yaml;
     key = "hookshot/as_token";

hosts/bicep/services/matrix/hookshot/module.nix

@@ -0,0 +1,127 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
+let
+  cfg = config.services.matrix-hookshot;
+  settingsFormat = pkgs.formats.yaml { };
+  configFile = settingsFormat.generate "matrix-hookshot-config.yml" cfg.settings;
+in
+{
+  options = {
+    services.matrix-hookshot = {
+      enable = lib.mkEnableOption "matrix-hookshot, a bridge between Matrix and project management services";
+
+      package = lib.mkPackageOption pkgs "matrix-hookshot" { };
+
+      registrationFile = lib.mkOption {
+        type = lib.types.path;
+        description = ''
+          Appservice registration file.
+          As it contains secret tokens, you may not want to add this to the publicly readable Nix store.
+        '';
+        example = lib.literalExpression ''
+          pkgs.writeText "matrix-hookshot-registration" \'\'
+            id: matrix-hookshot
+            as_token: aaaaaaaaaa
+            hs_token: aaaaaaaaaa
+            namespaces:
+              rooms: []
+              users:
+                - regex: "@_webhooks_.*:foobar"
+                  exclusive: true
+
+            sender_localpart: hookshot
+            url: "http://localhost:9993"
+            rate_limited: false
+            \'\'
+        '';
+      };
+
+      settings = lib.mkOption {
+        description = ''
+          {file}`config.yml` configuration as a Nix attribute set.
+
+          For details please see the [documentation](https://matrix-org.github.io/matrix-hookshot/latest/setup/sample-configuration.html).
+        '';
+        example = {
+          bridge = {
+            domain = "example.com";
+            url = "http://localhost:8008";
+            mediaUrl = "https://example.com";
+            port = 9993;
+            bindAddress = "127.0.0.1";
+          };
+          listeners = [
+            {
+              port = 9000;
+              bindAddress = "0.0.0.0";
+              resources = [ "webhooks" ];
+            }
+            {
+              port = 9001;
+              bindAddress = "localhost";
+              resources = [
+                "metrics"
+                "provisioning"
+              ];
+            }
+          ];
+        };
+        default = { };
+        type = lib.types.submodule {
+          freeformType = settingsFormat.type;
+          options = {
+            passFile = lib.mkOption {
+              type = lib.types.path;
+              default = "/var/lib/matrix-hookshot/passkey.pem";
+              description = ''
+                A passkey used to encrypt tokens stored inside the bridge.
+                File will be generated if not found.
+              '';
+            };
+          };
+        };
+      };
+
+      serviceDependencies = lib.mkOption {
+        type = with lib.types; listOf str;
+        default = lib.optional config.services.matrix-synapse.enable config.services.matrix-synapse.serviceUnit;
+        defaultText = lib.literalExpression ''
+          lib.optional config.services.matrix-synapse.enable config.services.matrix-synapse.serviceUnit
+        '';
+        description = ''
+          List of Systemd services to require and wait for when starting the application service,
+          such as the Matrix homeserver if it's running on the same host.
+        '';
+      };
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    systemd.services.matrix-hookshot = {
+      description = "a bridge between Matrix and multiple project management services";
+
+      wantedBy = [ "multi-user.target" ];
+      wants = [ "network-online.target" ] ++ cfg.serviceDependencies;
+      after = [ "network-online.target" ] ++ cfg.serviceDependencies;
+
+      preStart = ''
+        if [ ! -f '${cfg.settings.passFile}' ]; then
+          mkdir -p $(dirname '${cfg.settings.passFile}')
+          ${pkgs.openssl}/bin/openssl genpkey -out '${cfg.settings.passFile}' -outform PEM -algorithm RSA -pkeyopt rsa_keygen_bits:4096
+        fi
+      '';
+
+      serviceConfig = {
+        Type = "simple";
+        Restart = "always";
+        ExecStart = "${cfg.package}/bin/matrix-hookshot ${configFile} ${cfg.registrationFile}";
+      };
+    };
+  };
+
+  meta.maintainers = with lib.maintainers; [ flandweber ];
+}

hosts/grevling/configuration.nix

@@ -0,0 +1,36 @@
+{ config, pkgs, values, ... }:
+{
+  imports = [
+      # Include the results of the hardware scan.
+      ./hardware-configuration.nix
+      ../../base.nix
+      ../../misc/metrics-exporters.nix
+
+      ./services/openvpn
+    ];
+
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+
+  networking.hostName = "grevling";
+
+  # systemd.network.networks."30-eno1" = values.defaultNetworkConfig // {
+  #   matchConfig.Name = "eno1";
+  #   address = with values.hosts.georg; [ (ipv4 + "/25") (ipv6 + "/64") ];
+  # };
+
+  # List packages installed in system profile
+  environment.systemPackages = with pkgs; [
+  ];
+
+  # List services that you want to enable:
+
+  # This value determines the NixOS release from which the default
+  # settings for stateful data, like file locations and database versions
+  # on your system were taken. It‘s perfectly fine and recommended to leave
+  # this value at the release version of the first install of this system.
+  # Before changing this value read the documentation for this option
+  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+  system.stateVersion = "23.05"; # Did you read the comment?
+
+}

hosts/grevling/hardware-configuration.nix

@@ -0,0 +1,40 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usb_storage" "usbhid" "sd_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/33825f0d-5a63-40fc-83db-bfa1ebb72ba0";
+      fsType = "ext4";
+    };
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/145E-7362";
+      fsType = "vfat";
+    };
+
+  swapDevices =
+    [ { device = "/dev/disk/by-uuid/7ed27e21-3247-44cd-8bcc-5d4a2efebf57"; }
+    ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.eno1.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp2s2.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}

hosts/grevling/services/openvpn/default.nix

@@ -0,0 +1,77 @@
+{ pkgs, lib, values, ... }:
+{
+  services.openvpn.servers."ov-tunnel" = {
+    config = let
+      conf = {
+        # TODO: use aliases
+        local = "129.241.210.191";
+        port = 1194;
+        proto = "udp";
+        dev = "tap";
+
+        # TODO: set up
+        ca = "";
+        cert = "";
+        key = "";
+        dh = "";
+
+        # Maintain a record of client <-> virtual IP address
+        # associations in this file.  If OpenVPN goes down or
+        # is restarted, reconnecting clients can be assigned
+        # the same virtual IP address from the pool that was
+        # previously assigned.
+        ifconfig-pool-persist = ./ipp.txt;
+
+        server-bridge = builtins.concatStringsSep " " [
+          "129.241.210.129"
+          "255.255.255.128"
+          "129.241.210.253"
+          "129.241.210.254"
+        ];
+
+        keepalive = "10 120";
+        cipher = "none";
+
+        user = "nobody";
+        group = "nobody";
+
+        status = "/var/log/openvpn-status.log";
+
+        client-config-dir = pkgs.writeTextDir "tuba" ''
+          # Sett IP-adr. for tap0 til tubas PVV-adr.
+          ifconfig-push ${values.services.tuba-tap} 255.255.255.128
+          # Hvordan skal man faa dette til aa funke, tro?
+          #ifconfig-ipv6-push 2001:700:300:1900::xxx/64
+          
+          # La tuba bruke std. PVV-gateway til all trafikk (unntatt
+          # VPN-tunnellen).
+          push "redirect-gateway"
+        '';
+
+        persist-key = true;
+        persist-tun = true;
+
+        verb = 5;
+
+        explicit-exit-notify = 1;
+      };
+    in lib.pipe conf [
+      (lib.filterAttrs (_: value: !(builtins.isNull value || value == false)))
+      (builtins.mapAttrs (_: value:
+        if builtins.isList value then builtins.concatStringsSep " " (map toString value)
+        else if value == true then value
+        else if builtins.any (f: f value) [
+          builtins.isString
+          builtins.isInt
+          builtins.isFloat
+          lib.isPath
+          lib.isDerivation
+        ] then toString value
+        else throw "Unknown value in grevling openvpn config, deading now\n${value}"
+      ))
+      (lib.mapAttrsToList (name: value: if value == true then name else "${name} ${value}"))
+      (builtins.concatStringsSep "\n")
+      (x: x + "\n\n")
+    ];
+  };
+}

hosts/tuba/configuration.nix

@@ -0,0 +1,36 @@
+{ config, pkgs, values, ... }:
+{
+  imports = [
+      # Include the results of the hardware scan.
+      ./hardware-configuration.nix
+      ../../base.nix
+      ../../misc/metrics-exporters.nix
+
+      ./services/openvpn
+    ];
+
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+
+  networking.hostName = "tuba";
+
+  # systemd.network.networks."30-eno1" = values.defaultNetworkConfig // {
+  #   matchConfig.Name = "eno1";
+  #   address = with values.hosts.georg; [ (ipv4 + "/25") (ipv6 + "/64") ];
+  # };
+
+  # List packages installed in system profile
+  environment.systemPackages = with pkgs; [
+  ];
+
+  # List services that you want to enable:
+
+  # This value determines the NixOS release from which the default
+  # settings for stateful data, like file locations and database versions
+  # on your system were taken. It‘s perfectly fine and recommended to leave
+  # this value at the release version of the first install of this system.
+  # Before changing this value read the documentation for this option
+  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+  system.stateVersion = "23.05"; # Did you read the comment?
+
+}

hosts/tuba/hardware-configuration.nix

@@ -0,0 +1,40 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usb_storage" "usbhid" "sd_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/33825f0d-5a63-40fc-83db-bfa1ebb72ba0";
+      fsType = "ext4";
+    };
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/145E-7362";
+      fsType = "vfat";
+    };
+
+  swapDevices =
+    [ { device = "/dev/disk/by-uuid/7ed27e21-3247-44cd-8bcc-5d4a2efebf57"; }
+    ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.eno1.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp2s2.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}

hosts/tuba/services/openvpn/default.nix

@@ -0,0 +1,54 @@
+{ lib, values, ... }:
+{
+  services.openvpn.servers."ov-tunnel" = {
+    config = let
+      conf = {
+        # TODO: use aliases
+        client = true;
+        dev = "tap";
+        proto = "udp";
+        remote = "129.241.210.191 1194";
+
+        resolv-retry = "infinite";
+        nobind = true;
+
+        # # TODO: set up
+        ca = "";
+        cert = "";
+        key = "";
+        remote-cert-tls = "server";
+        cipher = "none";
+
+        user = "nobody";
+        group = "nobody";
+
+        status = "/var/log/openvpn-status.log";
+
+        persist-key = true;
+        persist-tun = true;
+
+        verb = 5;
+
+        # script-security = 2;
+        # up = "systemctl restart rwhod";
+      };
+    in lib.pipe conf [
+      (lib.filterAttrs (_: value: !(builtins.isNull value || value == false)))
+      (builtins.mapAttrs (_: value:
+        if builtins.isList value then builtins.concatStringsSep " " (map toString value)
+        else if value == true then value
+        else if builtins.any (f: f value) [
+          builtins.isString
+          builtins.isInt
+          builtins.isFloat
+          lib.isPath
+          lib.isDerivation
+        ] then toString value
+        else throw "Unknown value in tuba openvpn config, deading now\n${value}"
+      ))
+      (lib.mapAttrsToList (name: value: if value == true then name else "${name} ${value}"))
+      (builtins.concatStringsSep "\n")
+      (x: x + "\n\n")
+    ];
+  };
+}

hosts/ustetind/services/gitea-runners.nix

@@ -15,8 +15,8 @@ let
         enable = true;
         name = "git-runner-${name}"; url = "https://git.pvv.ntnu.no";
         labels = [
-          "debian-latest:docker://node:current-bookworm"
-          "ubuntu-latest:docker://node:current-bookworm"
+          "debian-latest:docker://node:18-bullseye"
+          "ubuntu-latest:docker://node:18-bullseye"
         ];
         tokenFile = config.sops.secrets."gitea/runners/${name}".path;
       };

packages/mediawiki-extensions/default.nix

@@ -12,7 +12,7 @@ let
     name
   , commit
   , hash
-  , tracking-branch ? "REL1_42"
+  , tracking-branch ? "REL1_41"
   , kebab-name ? kebab-case-name name
   , fetchgit ? pkgs.fetchgit
   }:
@@ -33,63 +33,63 @@ in
 lib.mergeAttrsList [
   (mw-ext {
     name = "CodeEditor";
-    commit = "9f69f2cf7616342d236726608a702d651b611938";
-    hash = "sha256-sRaYj34+7aghJUw18RoowzEiMx0aOANU1a7YT8jivBw=";
+    commit = "7d8447035e381d76387e38b92e4d1e2b8d373a01";
+    hash = "sha256-v2AlbP0vZma3qZyEAWGjZ/rLcvOpIMroyc1EixKjlAU=";
   })
   (mw-ext {
     name = "CodeMirror";
-    commit = "1a1048c770795789676adcf8a33c1b69f6f5d3ae";
-    hash = "sha256-Y5ePrtLNiko2uU/sesm8jdYmxZkYzQDHfkIG1Q0v47I=";
+    commit = "a7b4541089f9b88a0b722d9d790e4cf0f13aa328";
+    hash = "sha256-clyzN3v3+J4GjdyhrCsytBrH7VR1tq5yd0rB+32eWCg=";
   })
   (mw-ext {
     name = "DeleteBatch";
-    commit = "b76bb482e026453079104d00f9675b4ab851947e";
-    hash = "sha256-GebF9B3RVwpPw8CYKDDT6zHv/MrrzV6h2TEIvNlRmcw=";
+    commit = "cad869fbd95637902673f744581b29e0f3e3f61a";
+    hash = "sha256-M1ek1WdO1/uTjeYlrk3Tz+nlb/fFZH+O0Ok7b10iKak=";
   })
   (mw-ext {
     name = "PluggableAuth";
-    commit = "1da98f447fd8321316d4286d8106953a6665f1cc";
-    hash = "sha256-DKDVcAfWL90FmZbSsdx1J5PkGu47EsDQmjlCpcgLCn4=";
+    commit = "4111a57c34e25bde579cce5d14ea094021e450c8";
+    hash = "sha256-aPtN8A9gDxLlq2+EloRZBO0DfHtE0E5kbV/adk82jvM=";
   })
   (mw-ext {
     name = "Popups";
-    commit = "9b9e986316b9662b1b45ce307a58dd0320dd33cf";
-    hash = "sha256-rSOZHT3yFIxA3tPhIvztwMSmSef/XHKmNfQl1JtGrUA=";
+    commit = "f1bcadbd8b868f32ed189feff232c47966c2c49e";
+    hash = "sha256-PQAjq/X4ZYwnnZ6ADCp3uGWMIucJy0ZXxsTTbAyxlSE=";
   })
   (mw-ext {
     name = "Scribunto";
-    commit = "eb6a987e90db47b09b0454fd06cddb69fdde9c40";
-    hash = "sha256-Nr0ZLIrS5jnpiBgGnd90lzi6KshcsxeC+xGmNsB/g88=";
+    commit = "7b99c95f588b06635ee3c487080d6cb04617d4b5";
+    hash = "sha256-pviueRHQAsSlv4AtnUpo2Cjci7CbJ5aM75taEXY+WrI=";
   })
   (mw-ext {
     name = "SimpleSAMLphp";
     kebab-name = "simple-saml-php";
-    commit = "fd4d49cf48d16efdb91ae8128cdd507efe84d311";
-    hash = "sha256-Qdtroew2j3AsZYlhAAUKQXXS2kUzUeQFnuR6ZHdFhAQ=";
+    commit = "ecb47191fecd1e0dc4c9d8b90a9118e393d82c23";
+    hash = "sha256-gKu+O49XrAVt6hXdt36Ru7snjsKX6g2CYJ0kk/d+CI8=";
   })
   (mw-ext {
     name = "TemplateData";
-    commit = "836e3ca277301addd2578b2e746498ff6eb8e574";
-    hash = "sha256-UMcRLYxYn+AormwTYjKjjZZjA806goMY2TRQ4KoS5fY=";
+    commit = "1ec66ce80f8a4322138efa56864502d0ee069bad";
+    hash = "sha256-Lv3Lq9dYAtdgWcwelveTuOhkP38MTu0m5kmW8+ltRis=";
   })
   (mw-ext {
     name = "TemplateStyles";
-    commit = "06a2587689eba0a17945fd9bd4bb61674d3a7853";
-    hash = "sha256-C7j0jCkMeVZiLKpk+55X+lLnbG4aeH+hWIm3P5fF4fw=";
+    commit = "581180e898d6a942e2a65c8f13435a5d50fffa67";
+    hash = "sha256-zW8O0mzG4jYfQoKi2KzsP+8iwRCLnWgH7qfmDE2R+HU=";
   })
   (mw-ext {
     name = "UserMerge";
-    commit = "41759d0c61377074d159f7d84130a095822bc7a3";
-    hash = "sha256-pGjA7r30StRw4ff0QzzZYUhgD3dC3ZuiidoSEz8kA8Q=";
+    commit = "c17c919bdb9b67bb69f80df43e9ee9d33b1ecf1b";
+    hash = "sha256-+mkzTCo8RVlGoFyfCrSb5YMh4J6Pbi1PZLFu5ps8bWY=";
   })
   (mw-ext {
     name = "VisualEditor";
-    commit = "a128b11fe109aa882de5a40d2be0cdd0947ab11b";
-    hash = "sha256-bv1TkomouOxe+DKzthyLyppdEUFSXJ9uE0zsteVU+D4=";
+    commit = "90bb3d455892e25317029ffd4bda93159e8faac8";
+    hash = "sha256-SZAVELQUKZtwSM6NVlxvIHdFPodko8fhZ/uwB0LCFDA=";
   })
   (mw-ext {
     name = "WikiEditor";
-    commit = "21383e39a4c9169000acd03edfbbeec4451d7974";
-    hash = "sha256-aPVpE6e4qLLliN9U5TA36e8tFrIt7Fl8RT1cGPUWoNI=";
+    commit = "8dba5b13246d7ae09193f87e6273432b3264de5f";
+    hash = "sha256-vF9PBuM+VfOIs/a2X1JcPn6WH4GqP/vUJDFkfXzWyFU=";
   })
 ]

secrets/ustetind/ustetind.yaml

@@ -1,8 +1,8 @@
 gitea:
     runners:
-        alpha: ENC[AES256_GCM,data:Hnq2guka4oERPIFCv1/ggrLjaePA7907VHXMStDQ7ll3hntTioT76qGOUJgfIw==,iv:wDPYuuL6VAWJakrz6asVRrzwRxqw0JDRes13MgJIT6E=,tag:ogFUeUirHVkCLN63nctxOw==,type:str]
-        beta: ENC[AES256_GCM,data:HmdjBvW8eO5MkzXf7KEzSNQAptF/RKN8Bh03Ru7Ru/Ky+eJJtk91aqSSIjFa+Q==,iv:Hz9HE3U6CFfZFcPmYMd6wSzZkSvszt92L2gV+pUlMis=,tag:LG3NfsS7B1EdRFvnP3XESQ==,type:str]
-        epsilon: ENC[AES256_GCM,data:wfGxwWwDzb6AJaFnxe/93WNZGtuTpCkLci/Cc5MTCTKJz6XlNuy3m/1Xsnw0hA==,iv:I6Zl+4BBAUTXym2qUlFfdnoLTHShu+VyxPMjRlFzMis=,tag:jjTyZs1Nzqlhjd8rAldxDw==,type:str]
+        alpha: ENC[AES256_GCM,data:aAFv+/ygC7oxGT3qnoEf+AZL3Nk1yOq3HupL9l0j8P913GefPKqlBt/mbuRVug==,iv:usXElENwbOHxUdoqHScK7PjeZavXUwoxpQWEMjxU2u4=,tag:E8OzZ9pmxIru7Glgh7v0lg==,type:str]
+        beta: ENC[AES256_GCM,data:riRSBDzX9DAxKl2UCds1ANddl3ij+byAgigOafJ5RjWl8cNVlowK21klBiKTxw==,iv:clijEUKX9o52p5A94eEW0f8qGGhFpy/LFe+uQG/iQLg=,tag:PchXbsZMnW//O7brEAEeWw==,type:str]
+        epsilon: ENC[AES256_GCM,data:lUt8uaqh9eC1IdIUfiw3dzxcDErSWaiT9lzg4ONf/QZeXj7Do7Es0GXBFd41Hw==,iv:hPm5Lez5ISHIlw1+i4z/oBsh4H5ZXPVYnXXSGq1eal0=,tag:/KcmPw30622tN9ruMUwfUw==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -63,8 +63,8 @@ sops:
             aU4xWjVYYlNvSmYxajVGdzk5dTQ4WG8Klq12bSegsW29xp4qteuCB5Tzis6EhVCk
             53jqtYe5UG9MjFVQYiSi2jJz5/dxfqSINMZ/Y/EB5LxbwgbFws8Yuw==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-12-12T12:20:19Z"
-    mac: ENC[AES256_GCM,data:D9/NAd/zrF6pHFdZjTUqI+u4WiwJqt0w5Y+SYCS1o/dAXJE/ajHzse/vCSGXZIjP0yqe+S/NyTvhf+stw2B4dk6Njtabjd+PhG0hR4L0X07FtFqzB3u5pLHCb0bH9QLG5zWcyMkwNiNTCvhRUZzbcqLEGqqJ7ZjZAEUfYSR+Jls=,iv:5xPfODPxtQjgbl8delUHsmhD0TI2gHjrxpHV+qiFE00=,tag:HHLo5G8jhy/sKB3R+sKmwQ==,type:str]
+    lastmodified: "2024-12-09T21:17:40Z"
+    mac: ENC[AES256_GCM,data:HensJbPU1Kx9aQNUhdtFkX/6qdxj7yby6GeSruOT+HYEtoq0py/zvMtdCqmfjc4AOptYlXdgK7w30P976dG1esjlYwF07qtVvAbUqvExkksuV4zp81VKHMXUOAyiQK79kLe3rx6cvEdUDbOjZOsxN02eRrcanN+7rJS6f7vNN88=,iv:PlePCik6JcOtVBQhhOj9khhp2LwwfXBwAGpzu4ywhTA=,tag:Clz+xX1Cffs8Zpv2LdsGVA==,type:str]
     pgp:
         - created_at: "2024-12-09T21:17:27Z"
           enc: |-
@@ -87,4 +87,4 @@ sops:
             -----END PGP MESSAGE-----
           fp: F7D37890228A907440E1FD4846B9228E814A2AAC
     unencrypted_suffix: _unencrypted
-    version: 3.9.2
+    version: 3.8.1

values.nix

@@ -21,6 +21,12 @@ in rec {
       ipv4 = pvv-ipv4 213;
       ipv6 = pvv-ipv6 213;
     };
+    grevling-tap = {
+      ipv4 = pvv-ipv4 251;
+    };
+    tuba-tap = {
+      ipv4 = pvv-ipv4 252;
+    };
   };
 
   hosts = {
@@ -64,6 +70,14 @@ in rec {
       ipv4 = pvv-ipv4 234;
       ipv6 = pvv-ipv6 234;
     };
+    grevling = {
+      ipv4 = pvv-ipv4 198;
+      ipv6 = pvv-ipv6 198;
+    };
+    tuba = {
+      ipv4 = pvv-ipv4 199;
+      ipv6 = pvv-ipv6 199;
+    };
   };
 
   defaultNetworkConfig = {