diskonaut is dead

update flake.lock
kvernberg/taler: various fixes
2025-05-24 17:18:59 +02:00 · 2025-05-24 17:18:59 +02:00 · 2025-05-24 17:18:59 +02:00 · 2025-05-24 17:18:59 +02:00 · 2025-05-24 17:18:59 +02:00 · 2025-05-24 17:18:59 +02:00
29 changed files with 660 additions and 587 deletions
--- a/.mailmap
+++ b/.mailmap
@@ -1,25 +0,0 @@
 Daniel Løvbrøtte Olsen <danio@pvv.ntnu.no> <daniel.olsen99@gmail.com>
 Daniel Løvbrøtte Olsen <danio@pvv.ntnu.no> Daniel <danio@pvv.ntnu.no>
 Daniel Løvbrøtte Olsen <danio@pvv.ntnu.no> Daniel Lovbrotte Olsen <danio@pvv.ntnu.no>
 Daniel Løvbrøtte Olsen <danio@pvv.ntnu.no> Daniel Olsen <danio@pvv.ntnu.no>
 Daniel Løvbrøtte Olsen <danio@pvv.ntnu.no> danio <danio@pvv.ntnu.no>
 Daniel Løvbrøtte Olsen <danio@pvv.ntnu.no> Daniel Olsen <danio@bicep.pvv.ntnu.no>
 Øystein Kristoffer Tveit <oysteikt@pvv.ntnu.no> h7x4 <h7x4@nani.wtf>
 Øystein Kristoffer Tveit <oysteikt@pvv.ntnu.no> Øystein Tveit <oysteikt@pvv.ntnu.no>
 Øystein Kristoffer Tveit <oysteikt@pvv.ntnu.no> oysteikt <oysteikt@pvv.ntnu.no>
 Øystein Kristoffer Tveit <oysteikt@pvv.ntnu.no> Øystein <oysteikt@pvv.org>
 Øystein Kristoffer Tveit <oysteikt@pvv.ntnu.no> Oystein Kristoffer Tveit <oysteikt@pvv.ntnu.no>
 Felix Albrigtsen <felixalb@pvv.ntnu.no> <felix@albrigtsen.it>
 Felix Albrigtsen <felixalb@pvv.ntnu.no> <felixalbrigtsen@gmail.com>
 Felix Albrigtsen <felixalb@pvv.ntnu.no> felixalb <felixalb@pvv.ntnu.no>
 Peder Bergebakken Sundt <pederbs@pvv.ntnu.no> <pbsds@hotmail.com>
 Adrian Gunnar Lauterer <adriangl@pvv.ntnu.no> Adrian G L <adrian@lauterer.it>
 Adrian Gunnar Lauterer <adriangl@pvv.ntnu.no> Adrian Gunnar Lauterer <adrian@lauterer.it>
 Fredrik Robertsen <frero@pvv.ntnu.no> frero <frero@pvv.ntnu.no>
 Fredrik Robertsen <frero@pvv.ntnu.no> fredrikr79 <fredrikrobertsen7@gmail.com>
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -15,6 +15,7 @@ keys:
  - &host_bicep age1sl43gc9cw939z5tgha2lpwf0xxxgcnlw7w4xem4sqgmt2pt264vq0dmwx2
  - &host_ustetind age1hffjafs4slznksefmtqrlj7rdaqgzqncn4un938rhr053237ry8s3rs0v8
  - &host_kommode age1mt4d0hg5g76qp7j0884llemy0k2ymr5up8vfudz6vzvsflk5nptqqd32ly
  - &host_kvernberg age19rlntxt0m27waa0n288g9wgpksa6ndlzz8eneeqya7w3zd7may0sqzhcvz
 creation_rules:
  # Global secrets
@@ -104,3 +105,9 @@ creation_rules:
      - *user_pederbs_bjarte
      pgp:
      - *user_oysteikt
  - path_regex: secrets/kvernberg/[^/]+$
    key_groups:
      - age:
          - *host_kvernberg
          - *user_danio
--- a/base/default.nix
+++ b/base/default.nix
@@ -7,10 +7,8 @@
    ./networking.nix
    ./nix.nix
    ./vm.nix
    ./services/acme.nix
    ./services/uptimed.nix
    ./services/auto-upgrade.nix
    ./services/dbus.nix
    ./services/fwupd.nix
@@ -78,3 +76,4 @@
  # Trusted users on the nix builder machines
  users.groups."nix-builder-users".name = "nix-builder-users";
 }
--- a/base/nix.nix
+++ b/base/nix.nix
@@ -1,4 +1,4 @@
-{ lib, config, inputs, ... }:
+{ inputs, ... }:
 {
  nix = {
    gc = {
@@ -21,16 +21,11 @@
    ** use the same channel the system
    ** was built with
    */
-    registry = lib.mkMerge [
+    registry = {
      {
      "nixpkgs".flake = inputs.nixpkgs;
      "nixpkgs-unstable".flake = inputs.nixpkgs-unstable;
      }
      # We avoid the reference to self in vmVariant to get a stable system .outPath for equivalence testing
      (lib.mkIf (!config.virtualisation.isVmVariant) {
      "pvv-nix".flake = inputs.self;
-      })
+    };
    ];
    nixPath = [
      "nixpkgs=${inputs.nixpkgs}"
      "unstable=${inputs.nixpkgs-unstable}"
--- a/base/services/auto-upgrade.nix
+++ b/base/services/auto-upgrade.nix
@@ -1,33 +1,21 @@
-{ config, inputs, pkgs, lib, ... }:
+{ inputs, pkgs, lib, ... }:
 let
  inputUrls = lib.mapAttrs (input: value: value.url) (import "${inputs.self}/flake.nix").inputs;
 in
 {
  system.autoUpgrade = {
    enable = true;
-    flake = "git+https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git";
+    flake = "git+https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git?ref=pvvvvv";
    flags = [
      "--refresh"
      "--no-write-lock-file"
      # --update-input is deprecated since nix 2.22, and removed in lix 2.90
      # as such we instead use --override-input combined with --refresh
      # https://git.lix.systems/lix-project/lix/issues/400
-    ] ++ (lib.pipe inputUrls [
+      "--refresh"
-      (lib.intersectAttrs {
+      "--override-input" "nixpkgs" "github:nixos/nixpkgs/nixos-unstable-small"
-        nixpkgs = { };
+      "--override-input" "nixpkgs-unstable" "github:nixos/nixpkgs/nixos-unstable-small"
-        nixpkgs-unstable = { };
+      "--no-write-lock-file"
-      })
+    ];
      (lib.mapAttrsToList (input: url: ["--override-input" input url]))
      lib.concatLists
    ]);
  };
  # workaround for https://github.com/NixOS/nix/issues/6895
  # via https://git.lix.systems/lix-project/lix/issues/400
-  environment.etc = lib.mkIf (!config.virtualisation.isVmVariant) {
+  environment.etc."current-system-flake-inputs.json".source
    "current-system-flake-inputs.json".source
    = pkgs.writers.writeJSON "flake-inputs.json" (
      lib.flip lib.mapAttrs inputs (name: input:
        # inputs.*.sourceInfo sans outPath, since writeJSON will otherwise serialize sourceInfo like a derivation
@@ -35,5 +23,4 @@ in
          // { store-path = input.outPath; } # comment this line if you don't want to retain a store reference to the flake inputs
      )
    );
  };
 }
--- a/base/services/uptimed.nix
+++ b/base/services/uptimed.nix
@@ -1,59 +0,0 @@
 { config, pkgs, lib, ... }:
 let
  cfg = config.services.uptimed;
 in
 {
  options.services.uptimed.settings = lib.mkOption {
    description = "";
    default = { };
    type = lib.types.submodule {
      freeformType = with lib.types; attrsOf (either str (listOf str));
    };
  };
  config = {
    services.uptimed = {
      enable = true;
      settings = let
        stateDir = "/var/lib/uptimed";
      in {
        PIDFILE = "${stateDir}/pid";
        SENDMAIL = lib.mkDefault "${pkgs.system-sendmail}/bin/sendmail -t";
      };
    };
    systemd.services.uptimed = lib.mkIf (cfg.enable) {
      serviceConfig = let
        uptimed = pkgs.uptimed.overrideAttrs (prev: {
          postPatch = ''
             substituteInPlace Makefile.am \
               --replace-fail '$(sysconfdir)/uptimed.conf' '/var/lib/uptimed/uptimed.conf'
             substituteInPlace src/Makefile.am \
               --replace-fail '$(sysconfdir)/uptimed.conf' '/var/lib/uptimed/uptimed.conf'
          '';
        });
      in {
        Type = "notify";
        ExecStart = lib.mkForce "${uptimed}/sbin/uptimed -f";
        BindReadOnlyPaths = let
          configFile = lib.pipe cfg.settings [
            (lib.mapAttrsToList
              (k: v:
                if builtins.isList v
                  then lib.mapConcatStringsSep "\n" (v': "${k}=${v'}") v
                  else "${k}=${v}")
            )
            (lib.concatStringsSep "\n")
            (pkgs.writeText "uptimed.conf")
          ];
        in [
          "${configFile}:/var/lib/uptimed/uptimed.conf"
        ];
      };
    };
  };
 }
--- a/base/vm.nix
+++ b/base/vm.nix
@@ -1,15 +0,0 @@
 { lib, ... }:
 # This enables
 #     lib.mkIf (!config.virtualisation.isVmVariant) { ... }
 {
  options.virtualisation.isVmVariant = lib.mkOption {
    description = "`true` if system is build with 'nixos-rebuild build-vm'";
    type = lib.types.bool;
    default = false;
  };
  config.virtualisation.vmVariant = {
    virtualisation.isVmVariant = true;
  };
 }
--- a/flake.lock
+++ b/flake.lock
@@ -7,11 +7,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1745502102,
+        "lastModified": 1739634831,
-        "narHash": "sha256-LqhRwzvIVPEjH0TaPgwzqpyhW6DtCrvz7FnUJDoUZh8=",
+        "narHash": "sha256-xFnU+uUl48Icas2wPQ+ZzlL2O3n8f6J2LrzNK9f2nng=",
        "owner": "nix-community",
        "repo": "disko",
-        "rev": "ca27b88c88948d96feeee9ed814cbd34f53d0d70",
+        "rev": "fa5746ecea1772cf59b3f34c5816ab3531478142",
        "type": "github"
      },
      "original": {
@@ -48,11 +48,11 @@
        "rust-overlay": "rust-overlay"
      },
      "locked": {
-        "lastModified": 1746563623,
+        "lastModified": 1736545379,
-        "narHash": "sha256-5DxgNFpSgxft/sWraZnHIUlb4S3Io73SVS7FZCbWSUY=",
+        "narHash": "sha256-PeTTmGumdOX3rd6OKI7QMCrZovCDkrckZbcHr+znxWA=",
        "ref": "refs/heads/main",
-        "rev": "4e0408887f80e61a90286ff630a7855b828ae421",
+        "rev": "74f5316121776db2769385927ec0d0c2cc2b23e4",
-        "revCount": 45,
+        "revCount": 42,
        "type": "git",
        "url": "https://git.pvv.ntnu.no/Grzegorz/greg-ng.git"
      },
@@ -88,16 +88,16 @@
        ]
      },
      "locked": {
-        "lastModified": 1735857245,
+        "lastModified": 1727410897,
-        "narHash": "sha256-AKLLPrgXTxgzll3DqVUMa4QlPlRN3QceutgFBmEf8Nk=",
+        "narHash": "sha256-tWsyxvf421ieWUJYgjV7m1eTdr2ZkO3vId7vmtvfFpQ=",
        "owner": "dali99",
        "repo": "nixos-matrix-modules",
-        "rev": "da9dc0479ffe22362793c87dc089035facf6ec4d",
+        "rev": "ff787d410cba17882cd7b6e2e22cc88d4064193c",
        "type": "github"
      },
      "original": {
        "owner": "dali99",
-        "ref": "0.7.0",
+        "ref": "v0.6.1",
        "repo": "nixos-matrix-modules",
        "type": "github"
      }
@@ -110,11 +110,11 @@
        "rev": "1b4087bd3322a2e2ba84271c8fcc013e6b641a58",
        "revCount": 2,
        "type": "git",
-        "url": "https://git.pvv.ntnu.no/Projects/minecraft-kartverket.git"
+        "url": "https://git.pvv.ntnu.no/Drift/minecraft-data.git"
      },
      "original": {
        "type": "git",
-        "url": "https://git.pvv.ntnu.no/Projects/minecraft-kartverket.git"
+        "url": "https://git.pvv.ntnu.no/Drift/minecraft-data.git"
      }
    },
    "nix-gitea-themes": {
@@ -124,43 +124,49 @@
        ]
      },
      "locked": {
-        "lastModified": 1743881366,
+        "lastModified": 1736531400,
-        "narHash": "sha256-ScGA2IHPk9ugf9bqEZnp+YB/OJgrkZblnG/XLEKvJAo=",
+        "narHash": "sha256-+X/HVI1AwoPcud28wI35XRrc1kDgkYdDUGABJBAkxDI=",
        "ref": "refs/heads/main",
-        "rev": "db2e4becf1b11e5dfd33de12a90a7d089fcf68ec",
+        "rev": "e4dafd06b3d7e9e6e07617766e9c3743134571b7",
-        "revCount": 11,
+        "revCount": 7,
        "type": "git",
-        "url": "https://git.pvv.ntnu.no/Drift/nix-gitea-themes.git"
+        "url": "https://git.pvv.ntnu.no/oysteikt/nix-gitea-themes.git"
      },
      "original": {
        "type": "git",
-        "url": "https://git.pvv.ntnu.no/Drift/nix-gitea-themes.git"
+        "url": "https://git.pvv.ntnu.no/oysteikt/nix-gitea-themes.git"
      }
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1748615477,
+        "lastModified": 1739611738,
-        "narHash": "sha256-8sjG4sNIonQPK2olCGvq3/j1qtjwPaTOFU5nkz1gj2Q=",
+        "narHash": "sha256-3bnOIZz8KXtzcaXGuH9Eriv0HiQyr1EIfcye+VHLQZE=",
-        "rev": "97d3ce1ceb663a24184aac92b7e9e8f5452111c1",
+        "owner": "NixOS",
-        "type": "tarball",
+        "repo": "nixpkgs",
-        "url": "https://releases.nixos.org/nixos/24.11-small/nixos-24.11.718472.97d3ce1ceb66/nixexprs.tar.xz?rev=97d3ce1ceb663a24184aac92b7e9e8f5452111c1"
+        "rev": "31ff66eb77d02e9ac34b7256a02edb1c43fb9998",
        "type": "github"
      },
      "original": {
-        "type": "tarball",
+        "owner": "NixOS",
-        "url": "https://nixos.org/channels/nixos-24.11-small/nixexprs.tar.xz"
+        "ref": "nixos-unstable-small",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "nixpkgs-unstable": {
      "locked": {
-        "lastModified": 1748588304,
+        "lastModified": 1739611738,
-        "narHash": "sha256-YCnUqO9k39p0oMIBndxYTbu8m0fOA/KVcq3IekXPy9c=",
+        "narHash": "sha256-3bnOIZz8KXtzcaXGuH9Eriv0HiQyr1EIfcye+VHLQZE=",
-        "rev": "b8af95f4cf511c5f056b463c3a45d2b63c7cfb03",
+        "owner": "NixOS",
-        "type": "tarball",
+        "repo": "nixpkgs",
-        "url": "https://releases.nixos.org/nixos/unstable-small/nixos-25.11pre807945.b8af95f4cf51/nixexprs.tar.xz?rev=b8af95f4cf511c5f056b463c3a45d2b63c7cfb03"
+        "rev": "31ff66eb77d02e9ac34b7256a02edb1c43fb9998",
        "type": "github"
      },
      "original": {
-        "type": "tarball",
+        "owner": "NixOS",
-        "url": "https://nixos.org/channels/nixos-unstable-small/nixexprs.tar.xz"
+        "ref": "nixos-unstable-small",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "pvv-calendar-bot": {
@@ -190,11 +196,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1741738148,
+        "lastModified": 1737151758,
-        "narHash": "sha256-cJo6nbcJEOjkazkZ194NDnlsZe0W0wpxeUh2/886uC8=",
+        "narHash": "sha256-yZBsefIarFUEhFRj+rCGMp9Zvag3MCafqV/JfGVRVwc=",
-        "ref": "refs/heads/main",
+        "ref": "refs/heads/master",
-        "rev": "c1802e7cf27c7cf8b4890354c982a4eef5b11593",
+        "rev": "a4ebe6ded0c8c124561a41cb329ff30891914b5e",
-        "revCount": 486,
+        "revCount": 475,
        "type": "git",
        "url": "https://git.pvv.ntnu.no/Projects/nettsiden.git"
      },
@@ -227,11 +233,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1746498961,
+        "lastModified": 1729391507,
-        "narHash": "sha256-rp+oh/N88JKHu7ySPuGiA3lBUVIsrOtHbN2eWJdYCgk=",
+        "narHash": "sha256-as0I9xieJUHf7kiK2a9znDsVZQTFWhM1pLivII43Gi0=",
        "owner": "oxalica",
        "repo": "rust-overlay",
-        "rev": "24b00064cdd1d7ba25200c4a8565dc455dc732ba",
+        "rev": "784981a9feeba406de38c1c9a3decf966d853cca",
        "type": "github"
      },
      "original": {
@@ -247,11 +253,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1745310711,
+        "lastModified": 1739262228,
-        "narHash": "sha256-ePyTpKEJTgX0gvgNQWd7tQYQ3glIkbqcW778RpHlqgA=",
+        "narHash": "sha256-7JAGezJ0Dn5qIyA2+T4Dt/xQgAbhCglh6lzCekTVMeU=",
        "owner": "Mic92",
        "repo": "sops-nix",
-        "rev": "5e3e92b16d6fdf9923425a8d4df7496b2434f39c",
+        "rev": "07af005bb7d60c7f118d9d9f5530485da5d1e975",
        "type": "github"
      },
      "original": {
--- a/flake.nix
+++ b/flake.nix
@@ -2,8 +2,8 @@
  description = "PVV System flake";
  inputs = {
-    nixpkgs.url = "https://nixos.org/channels/nixos-24.11-small/nixexprs.tar.xz";
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable-small"; # remember to also update the url in base/services/auto-upgrade.nix
-    nixpkgs-unstable.url = "https://nixos.org/channels/nixos-unstable-small/nixexprs.tar.xz";
+    nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable-small";
    sops-nix.url = "github:Mic92/sops-nix";
    sops-nix.inputs.nixpkgs.follows = "nixpkgs";
@@ -92,13 +92,9 @@
          inputs.matrix-next.nixosModules.default
          inputs.pvv-calendar-bot.nixosModules.default
          self.nixosModules.gickup
          self.nixosModules.matrix-ooye
        ];
        overlays = [
          inputs.pvv-calendar-bot.overlays.x86_64-linux.default
          (final: prev: {
            inherit (self.packages.${prev.system}) out-of-your-element;
          })
        ];
      };
      bekkalokk = stableNixosConfig "bekkalokk" {
@@ -163,6 +159,12 @@
          inputs.gergle.overlays.default
        ];
      };
      kvernberg = stableNixosConfig "kvernberg" {
        modules = [
          disko.nixosModules.disko
          { disko.devices.disk.disk1.device = "/dev/sda"; }
        ];
      };
    };
    nixosModules = {
@@ -170,13 +172,12 @@
      snappymail = ./modules/snappymail.nix;
      robots-txt = ./modules/robots-txt.nix;
      gickup = ./modules/gickup;
      matrix-ooye = ./modules/matrix-ooye.nix;
    };
    devShells = forAllSystems (system: {
-      default = nixpkgs-unstable.legacyPackages.${system}.callPackage ./shell.nix { };
+      default = nixpkgs.legacyPackages.${system}.callPackage ./shell.nix { };
      cuda = let
-        cuda-pkgs = import nixpkgs-unstable {
+        cuda-pkgs = import nixpkgs {
          inherit system;
          config = {
            allowUnfree = true;
@@ -198,7 +199,6 @@
        simplesamlphp = pkgs.callPackage ./packages/simplesamlphp { };
        out-of-your-element = pkgs.callPackage ./packages/out-of-your-element.nix { };
      } //
      (lib.pipe null [
        (_: pkgs.callPackage ./packages/mediawiki-extensions { })
--- a/hosts/bicep/services/git-mirrors/default.nix
+++ b/hosts/bicep/services/git-mirrors/default.nix
@@ -17,7 +17,7 @@ in
      zip = false;
      keep = 10;
      bare = true;
-      lfs = false;
+      lfs = true;
    };
    instances = let
@@ -59,7 +59,7 @@ in
  };
  services.cgit = let
-    domain = "mirrors.pvv.ntnu.no";
+    domain = "bicep.pvv.ntnu.no";
  in {
    ${domain} = {
      enable = true;
@@ -81,7 +81,7 @@ in
    };
  };
-  services.nginx.virtualHosts."mirrors.pvv.ntnu.no" = {
+  services.nginx.virtualHosts."bicep.pvv.ntnu.no" = {
    forceSSL = true;
    enableACME = true;
@@ -94,7 +94,7 @@ in
    in toString small-pvv-logo;
  };
-  systemd.services."fcgiwrap-cgit-mirrors.pvv.ntnu.no" = {
+  systemd.services."fcgiwrap-cgit-bicep.pvv.ntnu.no" = {
    serviceConfig.BindReadOnlyPaths = [ cfg.dataDir ];
  };
 }
--- a/hosts/bicep/services/matrix/default.nix
+++ b/hosts/bicep/services/matrix/default.nix
@@ -9,8 +9,7 @@
    ./coturn.nix
    ./mjolnir.nix
-    # ./discord.nix
+    ./discord.nix
    ./out-of-your-element.nix
    ./hookshot
  ];
--- a/hosts/bicep/services/matrix/discord.nix
+++ b/hosts/bicep/services/matrix/discord.nix
@@ -45,7 +45,7 @@ in
  };
-  services.mx-puppet-discord.enable = false;
+  services.mx-puppet-discord.enable = true;
  services.mx-puppet-discord.settings = {
    bridge = {
      bindAddress = "localhost";
--- a/hosts/bicep/services/matrix/out-of-your-element.nix
+++ b/hosts/bicep/services/matrix/out-of-your-element.nix
@@ -1,66 +0,0 @@
 { config, pkgs, fp, ... }:
 let
  cfg = config.services.matrix-ooye;
 in
 {
  users.groups.keys-matrix-registrations = { };
  sops.secrets = {
    "matrix/ooye/as_token" = {
      sopsFile = fp /secrets/bicep/matrix.yaml;
      key = "ooye/as_token";
    };
    "matrix/ooye/hs_token" = {
      sopsFile = fp /secrets/bicep/matrix.yaml;
      key = "ooye/hs_token";
    };
    "matrix/ooye/discord_token" = {
      sopsFile = fp /secrets/bicep/matrix.yaml;
      key = "ooye/discord_token";
    };
    "matrix/ooye/discord_client_secret" = {
      sopsFile = fp /secrets/bicep/matrix.yaml;
      key = "ooye/discord_client_secret";
    };
  };
  services.matrix-ooye = {
    enable = true;
    homeserver = "https://matrix.pvv.ntnu.no";
    homeserverName = "pvv.ntnu.no";
    discordTokenPath = config.sops.secrets."matrix/ooye/discord_token".path;
    discordClientSecretPath = config.sops.secrets."matrix/ooye/discord_client_secret".path;
    bridgeOrigin = "https://ooye.pvv.ntnu.no";
    enableSynapseIntegration = false;
  };
  systemd.services."matrix-synapse" = {
    after = [
      "matrix-ooye-pre-start.service"
      "network-online.target"
    ];
    requires = [ "matrix-ooye-pre-start.service" ];
    serviceConfig = {
      LoadCredential = [
        "matrix-ooye-registration:/var/lib/matrix-ooye/registration.yaml"
      ];
      ExecStartPre = [
        "+${pkgs.coreutils}/bin/cp /run/credentials/matrix-synapse.service/matrix-ooye-registration ${config.services.matrix-synapse-next.dataDir}/ooye-registration.yaml"
        "+${pkgs.coreutils}/bin/chown matrix-synapse:keys-matrix-registrations ${config.services.matrix-synapse-next.dataDir}/ooye-registration.yaml"
      ];
    };
  };
  services.matrix-synapse-next.settings = {
    app_service_config_files = [
      "${config.services.matrix-synapse-next.dataDir}/ooye-registration.yaml"
    ];
  };
  services.nginx.virtualHosts."ooye.pvv.ntnu.no" = {
    forceSSL = true;
    enableACME = true;
    locations."/".proxyPass = "http://localhost:${cfg.socket}";
  };
 }
--- a/hosts/kommode/services/gitea/customization/default.nix
+++ b/hosts/kommode/services/gitea/customization/default.nix
@@ -3,12 +3,7 @@ let
  cfg = config.services.gitea;
 in
 {
-  services.gitea-themes = {
+  services.gitea-themes.monokai = pkgs.gitea-theme-monokai;
    monokai = pkgs.gitea-theme-monokai;
    earl-grey = pkgs.gitea-theme-earl-grey;
    pitch-black = pkgs.gitea-theme-pitch-black;
    catppuccin = pkgs.gitea-theme-catppuccin;
  };
  systemd.services.gitea-customization = lib.mkIf cfg.enable {
    description = "Install extra customization in gitea's CUSTOM_DIR";
--- a/hosts/kvernberg/configuration.nix
+++ b/hosts/kvernberg/configuration.nix
@@ -0,0 +1,45 @@
 { config, fp, pkgs, values, ... }:
 {
  imports = [
    # Include the results of the hardware scan.
    ./hardware-configuration.nix
    (fp /base)
    (fp /misc/metrics-exporters.nix)
    ./disks.nix
    ./services/nginx.nix
    ./services/pvvvvvv
  ];
  sops.defaultSopsFile = fp /secrets/kvernberg/kvernberg.yaml;
  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
  sops.age.keyFile = "/var/lib/sops-nix/key.txt";
  sops.age.generateKey = true;
  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;
  networking.hostName = "kvernberg"; # Define your hostname.
  systemd.network.networks."30-all" = values.defaultNetworkConfig // {
    matchConfig.Name = "en*";
    address = with values.hosts.kvernberg; [ (ipv4 + "/25") (ipv6 + "/64") ];
  };
  # List packages installed in system profile
  environment.systemPackages = with pkgs; [
  ];
  # No devices with SMART
  services.smartd.enable = false;
  # This value determines the NixOS release from which the default
  # settings for stateful data, like file locations and database versions
  # on your system were taken. It‘s perfectly fine and recommended to leave
  # this value at the release version of the first install of this system.
  # Before changing this value read the documentation for this option
  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
  system.stateVersion = "24.05"; # Did you read the comment?
 }
--- a/hosts/kvernberg/disks.nix
+++ b/hosts/kvernberg/disks.nix
@@ -0,0 +1,39 @@
 # Example to create a bios compatible gpt partition
 { lib, ... }:
 {
  disko.devices = {
    disk.disk1 = {
      device = lib.mkDefault "/dev/sda";
      type = "disk";
      content = {
        type = "gpt";
        partitions = {
          boot = {
            name = "boot";
            size = "1M";
            type = "EF02";
          };
          esp = {
            name = "ESP";
            size = "500M";
            type = "EF00";
            content = {
              type = "filesystem";
              format = "vfat";
              mountpoint = "/boot";
            };
          };
          root = {
            name = "root";
            size = "100%";
            content = {
              type = "filesystem";
              format = "ext4";
              mountpoint = "/";
            };
          };
        };
      };
    };
  };
 }
--- a/hosts/kvernberg/hardware-configuration.nix
+++ b/hosts/kvernberg/hardware-configuration.nix
@@ -0,0 +1,26 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 { config, lib, pkgs, modulesPath, ... }:
 {
  imports =
    [ (modulesPath + "/profiles/qemu-guest.nix")
    ];
  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ ];
  boot.extraModulePackages = [ ];
  swapDevices = [ ];
  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
  # (the default) this is the recommended approach. When using systemd-networkd it's
  # still possible to use this option, but it's recommended to use it in conjunction
  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
  networking.useDHCP = lib.mkDefault true;
  # networking.interfaces.ens18.useDHCP = lib.mkDefault true;
  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
 }
--- a/hosts/kvernberg/services/nginx.nix
+++ b/hosts/kvernberg/services/nginx.nix
@@ -0,0 +1,5 @@
 { config, lib, ... }:
 {
  services.nginx.enable = true;
 }
--- a/hosts/kvernberg/services/pvvvvvv/bank.nix
+++ b/hosts/kvernberg/services/pvvvvvv/bank.nix
@@ -0,0 +1,51 @@
 { config, lib, pkgs, ... }:
 let
  cfg = config.services.libeufin.bank;
  tcfg = config.services.taler;
  inherit (tcfg.settings.taler) CURRENCY;
 in {
  services.libeufin.bank = {
    enable = true;
    debug = true;
    createLocalDatabase = true;
    initialAccounts = [
      { username = "exchange";
        password = "exchange";
        name = "Exchange";
      }
    ];
    settings = {
      libeufin-bank = {
        WIRE_TYPE = "x-taler-bank";
        X_TALER_BANK_PAYTO_HOSTNAME = "bank.kvernberg.pvv.ntnu.no";
        BASE_URL = "bank.kvernberg.pvv.ntnu.no/";
        ALLOW_REGISTRATION = "yes";
        REGISTRATION_BONUS_ENABLED = "yes";
        REGISTRATION_BONUS = "${CURRENCY}:500";
        DEFAULT_DEBT_LIMIT = "${CURRENCY}:0";
        ALLOW_CONVERSION = "no";
        ALLOW_EDIT_CASHOUT_PAYTO_URI = "yes";
        SUGGESTED_WITHDRAWAL_EXCHANGE = "https://exchange.kvernberg.pvv.ntnu.no/";
        inherit CURRENCY;
      };
    };
  };
  services.nginx.virtualHosts."bank.kvernberg.pvv.ntnu.no" = {
    enableACME = true;
    forceSSL = true;
    kTLS = true;
    locations."/" = {
      proxyPass = "http://127.0.0.1:8082";
      extraConfig = ''
         proxy_read_timeout 300s; 
      '';
    };
  };
 }
--- a/hosts/kvernberg/services/pvvvvvv/default.nix
+++ b/hosts/kvernberg/services/pvvvvvv/default.nix
@@ -0,0 +1,17 @@
 { config, lib, pkgs, ... }:
 let
  cfg = config.services.taler;
 in
 {
  imports = [
    ./exchange.nix
    ./bank.nix
  ];
  services.taler = {
    settings = {
      taler.CURRENCY = "SCHPENN";
      taler.CURRENCY_ROUND_UNIT = "${cfg.settings.taler.CURRENCY}:1";
    };
  };
 }
--- a/hosts/kvernberg/services/pvvvvvv/exchange.nix
+++ b/hosts/kvernberg/services/pvvvvvv/exchange.nix
@@ -0,0 +1,187 @@
 { config, lib, fp, pkgs, ... }:
 let
  cfg = config.services.taler;
  inherit (cfg.settings.taler) CURRENCY;
 in {
  sops.secrets.exchange-offline-master = {
    format = "binary";
    sopsFile = fp /secrets/kvernberg/exhange-offline-master.priv;
  };
  services.taler.exchange = {
    enable = true;
    debug = true;
    denominationConfig = ''
      ## Old denomination names cannot be used again
      # [COIN-${CURRENCY}-k1-1-0]
      ## NOK Denominations
      [coin-${CURRENCY}-nok-1-0]
      VALUE = ${CURRENCY}:1
      DURATION_WITHDRAW = 7 days
      DURATION_SPEND = 1 years
      DURATION_LEGAL = 3 years
      FEE_WITHDRAW = ${CURRENCY}:0
      FEE_DEPOSIT = ${CURRENCY}:0
      FEE_REFRESH = ${CURRENCY}:0
      FEE_REFUND = ${CURRENCY}:0
      RSA_KEYSIZE = 2048
      CIPHER = RSA
      [coin-${CURRENCY}-nok-5-0]
      VALUE = ${CURRENCY}:5
      DURATION_WITHDRAW = 7 days
      DURATION_SPEND = 1 years
      DURATION_LEGAL = 3 years
      FEE_WITHDRAW = ${CURRENCY}:0
      FEE_DEPOSIT = ${CURRENCY}:0
      FEE_REFRESH = ${CURRENCY}:0
      FEE_REFUND = ${CURRENCY}:0
      RSA_KEYSIZE = 2048
      CIPHER = RSA
      [coin-${CURRENCY}-nok-10-0]
      VALUE = ${CURRENCY}:10
      DURATION_WITHDRAW = 7 days
      DURATION_SPEND = 1 years
      DURATION_LEGAL = 3 years
      FEE_WITHDRAW = ${CURRENCY}:0
      FEE_DEPOSIT = ${CURRENCY}:0
      FEE_REFRESH = ${CURRENCY}:0
      FEE_REFUND = ${CURRENCY}:0
      RSA_KEYSIZE = 2048
      CIPHER = RSA
      [coin-${CURRENCY}-nok-20-0]
      VALUE = ${CURRENCY}:20
      DURATION_WITHDRAW = 7 days
      DURATION_SPEND = 1 years
      DURATION_LEGAL = 3 years
      FEE_WITHDRAW = ${CURRENCY}:0
      FEE_DEPOSIT = ${CURRENCY}:0
      FEE_REFRESH = ${CURRENCY}:0
      FEE_REFUND = ${CURRENCY}:0
      RSA_KEYSIZE = 2048
      CIPHER = RSA
      [coin-${CURRENCY}-nok-50-0]
      VALUE = ${CURRENCY}:50
      DURATION_WITHDRAW = 7 days
      DURATION_SPEND = 1 years
      DURATION_LEGAL = 3 years
      FEE_WITHDRAW = ${CURRENCY}:0
      FEE_DEPOSIT = ${CURRENCY}:0
      FEE_REFRESH = ${CURRENCY}:0
      FEE_REFUND = ${CURRENCY}:0
      RSA_KEYSIZE = 2048
      CIPHER = RSA
      [coin-${CURRENCY}-nok-100-0]
      VALUE = ${CURRENCY}:100
      DURATION_WITHDRAW = 7 days
      DURATION_SPEND = 1 years
      DURATION_LEGAL = 3 years
      FEE_WITHDRAW = ${CURRENCY}:0
      FEE_DEPOSIT = ${CURRENCY}:0
      FEE_REFRESH = ${CURRENCY}:0
      FEE_REFUND = ${CURRENCY}:0
      RSA_KEYSIZE = 2048
      CIPHER = RSA
      [coin-${CURRENCY}-nok-200-0]
      VALUE = ${CURRENCY}:200
      DURATION_WITHDRAW = 7 days
      DURATION_SPEND = 1 years
      DURATION_LEGAL = 3 years
      FEE_WITHDRAW = ${CURRENCY}:0
      FEE_DEPOSIT = ${CURRENCY}:0
      FEE_REFRESH = ${CURRENCY}:0
      FEE_REFUND = ${CURRENCY}:0
      RSA_KEYSIZE = 2048
      CIPHER = RSA
      [coin-${CURRENCY}-nok-500-0]
      VALUE = ${CURRENCY}:500
      DURATION_WITHDRAW = 7 days
      DURATION_SPEND = 1 years
      DURATION_LEGAL = 3 years
      FEE_WITHDRAW = ${CURRENCY}:0
      FEE_DEPOSIT = ${CURRENCY}:0
      FEE_REFRESH = ${CURRENCY}:0
      FEE_REFUND = ${CURRENCY}:0
      RSA_KEYSIZE = 2048
      CIPHER = RSA
      [coin-${CURRENCY}-nok-1000-0]
      VALUE = ${CURRENCY}:1000
      DURATION_WITHDRAW = 7 days
      DURATION_SPEND = 1 years
      DURATION_LEGAL = 3 years
      FEE_WITHDRAW = ${CURRENCY}:0
      FEE_DEPOSIT = ${CURRENCY}:0
      FEE_REFRESH = ${CURRENCY}:0
      FEE_REFUND = ${CURRENCY}:0
      RSA_KEYSIZE = 2048
      CIPHER = RSA
      ## PVV Special Prices
      # 2024 pizza egenandel
      [coin-${CURRENCY}-pvv-64-0]
      VALUE = ${CURRENCY}:64
      DURATION_WITHDRAW = 7 days
      DURATION_SPEND = 1 years
      DURATION_LEGAL = 3 years
      FEE_WITHDRAW = ${CURRENCY}:0
      FEE_DEPOSIT = ${CURRENCY}:0
      FEE_REFRESH = ${CURRENCY}:0
      FEE_REFUND = ${CURRENCY}:0
      RSA_KEYSIZE = 2048
      CIPHER = RSA
    '';
    settings = {
      exchange = {
        inherit (config.services.taler.settings.taler) CURRENCY CURRENCY_ROUND_UNIT; 
        MASTER_PUBLIC_KEY = "J331T37C8E58P9CVE686P1JFH11DWSRJ3RE4GVDTXKES9M24ERZG";
        BASE_URL = "https://exchange.kvernberg.pvv.ntnu.no/";
        TERMS_DIR = "${./terms}";
        TERMS_ETAG = "0";
        ENABLE_KYC = "NO";
      };
      exchange-offline = {
        MASTER_PRIV_FILE = config.sops.secrets.exchange-offline-master.path;
      };
      exchange-account-test = {
        PAYTO_URI = "payto://x-taler-bank/bank.kvernberg.pvv.ntnu.no/exchange?receiver-name=Exchange";
        ENABLE_DEBIT = "YES";
        ENABLE_CREDIT = "YES";
      };
      exchange-accountcredentials-test = {
        WIRE_GATEWAY_URL = "https://bank.kvernberg.pvv.ntnu.no/accounts/exchange/taler-wire-gateway/";
        WIRE_GATEWAY_AUTH_METHOD = "BASIC";
        USERNAME = "exchange";
        PASSWORD = "exchange";
      };
      "currency-${CURRENCY}" = {
        ENABLED = "YES";
        CODE = "SCHPENN";
        NAME = "SCHPENN";
        FRACTIONAL_NORMAL_DIGITS = 0;
        FRACTIONAL_INPUT_DIGITS = 0;
        FRACTIONAL_TRAILING_ZERO_DIGITS = 0;
        ALT_UNIT_NAMES = "{\"0\": \"S\"}";
      };
    };
  };
  services.nginx.virtualHosts."exchange.kvernberg.pvv.ntnu.no" = {
    enableACME = true;
    forceSSL = true;
    kTLS = true;
    locations."/" = {
      proxyPass = "http://127.0.0.1:8081";
      extraConfig = ''
        proxy_read_timeout 300s;
      '';
    };
  };
 }
--- a/hosts/kvernberg/services/pvvvvvv/terms/en/0.txt
+++ b/hosts/kvernberg/services/pvvvvvv/terms/en/0.txt
@@ -0,0 +1,147 @@
 Terms of Service
 ================
 Last update: 19.11.2024
 ----------------------
 Welcome! A subset of PVVers who cares about Dibbler (“we,” “our,” or “us”) provides a experimental payment service
 through our Internet presence (collectively the “Services”). Before using our
 Services, please read the Terms of Service (the “Terms” or the “Agreement”)
 carefully.
 Overview
 --------
 This section provides a brief summary of the highlights of this
 Agreement. Please note that when you accept this Agreement, you are accepting
 all of the terms and conditions and not just this section. We and possibly
 other third parties provide Internet services which interact with the Taler
 Wallet’s self-hosted personal payment application. When using the Taler Wallet
 to interact with our Services, you are agreeing to our Terms, so please read
 carefully.
 Research
 ----------
 This is research, any dibbler credits sent to the dibbler account could be lost at any time.
 We would make an effort to send the credits back to their canonical owners, but this may be difficult.
 We make no guarantees on the state of this. The dibbler economy is totally unsecured, and so are these services!
 Usage is wholly on your own risk.
 Highlights:
 -----------
 * You are responsible for keeping the data in your Taler Wallet at all times under your control. Any losses arising from you not being in control of your private information are your problem.
 * For our Services, we may charge transaction fees. The specific fee structure is provided based on the Taler protocol and should be shown to you when you withdraw electronic coins using a Taler Wallet. You agree and understand that the Taler protocol allows for the fee structure to change.
 * You agree to not intentionally overwhelm our systems with requests and follow responsible disclosure if you find security issues in our services.
 * We cannot be held accountable for our Services not being available due to circumstances beyond our control. If we modify or terminate our services, we will try to give you the opportunity to recover your funds. However, given the experimental state of the Services today, this may not be possible. You are strongly advised to limit your use of the Service to small-scale experiments expecting total loss of all funds.
 These terms outline approved uses of our Services. The Services and these
 Terms are still at an experimental stage. If you have any questions or
 comments related to this Agreement, please send us a message on IRC, or on our Matrix server.
 If you do not agree to this Agreement, you must not use our Services.
 How you accept this policy
 --------------------------
 By sending funds to us (to top-up your Taler Wallet), you acknowledge that you
 have read, understood, and agreed to these Terms. We reserve the right to
 change these Terms at any time. If you disagree with the change, we may in the
 future offer you with an easy option to recover your unspent funds. However,
 in the current experimental period you acknowledge that this feature is not
 yet available, resulting in your funds being lost unless you accept the new
 Terms. If you continue to use our Services other than to recover your unspent
 funds, your continued use of our Services following any such change will
 signify your acceptance to be bound by the then current Terms. Please check
 the effective date above to determine if there have been any changes since you
 have last reviewed these Terms.
 Services
 --------
 We will try to transfer funds that we hold in escrow for our users to any
 legal recipient to the best of our ability and within the limitations of the
 law and our implementation. However, the Services offered today are highly
 experimental and the set of recipients of funds is severely restricted. The
 Taler Wallet can be loaded by exchanging ordinary dibbler credit for electronic
 coins. We are providing this exchange service. Once your Taler Wallet is
 loaded with electronic coins they can be spent for purchases if the seller is
 accepting Taler as a means of payment. We are not guaranteeing that any seller
 is accepting Taler at all or a particular seller. The seller or recipient of
 deposits of electronic coins must specify the target account, as per the
 design of the Taler protocol. They are responsible for following the protocol
 and specifying the correct dibbler account, and are solely liable for any losses
 that may arise from specifying the wrong account. We will allow the government
 to link wire transfers to the underlying contract hash. It is the
 responsibility of recipients to preserve the full contracts and to pay
 whatever taxes and charges may be applicable. Technical issues may lead to
 situations where we are unable to make transfers at all or lead to incorrect
 transfers that cannot be reversed. We will only refuse to execute transfers if
 the transfers are prohibited by a competent legal authority and we are ordered
 to do so.
 When using our Services, you agree to not take any action that intentionally
 imposes an unreasonable load on our infrastructure. If you find security
 problems in our Services, you agree to first report them to
 security@taler-systems.com and grant us the right to publish your report. We
 warrant that we will ourselves publicly disclose any issues reported within 3
 months, and that we will not prosecute anyone reporting security issues if
 they did not exploit the issue beyond a proof-of-concept, and followed the
 above responsible disclosure practice.
 Fees
 ----
 You agree to pay the fees for exchanges and withdrawals completed via the
 Taler Wallet ("Fees") as defined by us, which we may change from time to
 time.
 Copyrights and trademarks
 -------------------------
 The Taler Wallet is released under the terms of the GNU General Public License
 (GNU GPL). You have the right to access, use, and share the Taler Wallet, in
 modified or unmodified form. However, the GPL is a strong copyleft license,
 which means that any derivative works must be distributed under the same
 license terms as the original software. If you have any questions, you should
 review the GNU GPL’s full terms and conditions on the GNU GPL Licenses page 
 (https://www.gnu.org/licenses/). “Taler” itself is a trademark
 of Taler Systems SA. You are welcome to use the name in relation to processing
 payments based on the Taler protocol, assuming your use is compatible with an
 official release from the GNU Project that is not older than two years.
 Discontinuance of services and Force majeure
 --------------------------------------------
 We may, in our sole discretion and without cost to you, with or without prior
 notice, and at any time, modify or discontinue, temporarily or permanently,
 any portion of our Services. We will use the Taler protocol’s provisions to
 notify Wallets if our Services are to be discontinued. It is your
 responsibility to ensure that the Taler Wallet is online at least once every
 three months to observe these notifications. We shall not be held responsible
 or liable for any loss of funds in the event that we discontinue or depreciate
 the Services and your Taler Wallet fails to transfer out the coins within a
 three months notification period.
 We shall not be held liable for any delays, failure in performance, or
 interruptions of service which result directly or indirectly from any cause or
 condition beyond our reasonable control, including but not limited to: any
 delay or failure due to any act of God, act of civil or military authorities,
 act of terrorism, civil disturbance, war, strike or other labor dispute, fire,
 interruption in telecommunications or Internet services or network provider
 services, failure of equipment and/or software, other catastrophe, or any
 other occurrence which is beyond our reasonable control and shall not affect
 the validity and enforceability of any remaining provisions.
 Questions or comments
 ---------------------
 We welcome comments, questions, concerns, or suggestions. Please send us a
 message via the usual communication channels at PVV
--- a/57
+++ b/57
@@ -1,56 +1,25 @@
 set positional-arguments # makes variables accesible as $1 $2 $@
 export GUM_FILTER_HEIGHT := "15"
-nom := `if [[ -t 1 ]] && command -v nom >/dev/null; then echo nom; else echo nix; fi`
+nom := `if command -v nom >/dev/null; then echo nom; else echo nix; fi`
 nix_eval_opts := "--log-format raw --option warn-dirty false"
@_default:
  just "$(gum choose --ordered --header "Pick a recipie..." $(just --summary --unsorted))"
-check *_:
+check:
-  nix flake check --keep-going "$@"
+  nix flake check --keep-going
-build-machine machine=`just _a_machine` *_:
+build-machine machine=`just _a_machine`:
-  {{nom}} build .#nixosConfigurations.{{ machine }}.config.system.build.toplevel "${@:2}"
+  {{nom}} build .#nixosConfigurations.{{ machine }}.config.system.build.toplevel
-run-vm machine=`just _a_machine` *_:
+run-vm machine=`just _a_machine`:
-  nixos-rebuild build-vm --flake .#{{ machine }} "${@:2}"
+  nixos-rebuild build-vm --flake .#{{ machine }}
  QEMU_NET_OPTS="hostfwd=tcp::8080-:80,hostfwd=tcp::8081-:443,hostfwd=tcp::2222-:22" ./result/bin/run-*-vm
-@update-inputs *_:
+@update-inputs:
-  @git reset flake.lock
+  nix eval .#inputs --apply builtins.attrNames --json \
-  @git restore flake.lock
+    | jq '.[]' -r \
-  nix eval {{nix_eval_opts}} --file flake.nix --apply 'x: builtins.attrNames x.inputs' --json \
+    | gum choose --no-limit --height=15 \
-    | { printf "%s\n" --commit-lock-file; jq '.[]' -r | grep -vxF "self" ||:; } \
+    | xargs -L 1 nix flake lock --update-input
    | gum choose --no-limit --header "Choose extra arguments:" \
    | tee >(xargs -d'\n' echo + nix flake update "$@" >&2) \
    | xargs -d'\n' nix flake update "$@"
@repl $machine=`just _a_machine` *_:
  set -v; nixos-rebuild --flake .#"$machine" repl "${@:2}"
@eval $machine=`just _a_machine` $attrpath="system.build.toplevel.outPath" *_:
  set -v; nix eval {{nix_eval_opts}} ".#nixosConfigurations.\"$machine\".config.$attrpath" --show-trace "${@:3}"
@eval-vm $machine=`just _a_machine` $attrpath="system.build.toplevel.outPath" *_:
  just eval "$machine" "virtualisation.vmVariant.$attrpath" "${@:3}"
 # helpers
 [no-exit-message]
 _a_machine:
-  #!/usr/bin/env -S sh -euo pipefail
+  nix eval .#nixosConfigurations --apply builtins.attrNames --json | jq .[] -r | gum filter
  machines="$(
    nix eval {{nix_eval_opts}} .#nixosConfigurations --apply builtins.attrNames --json | jq .[] -r
  )"
  [ -n "$machines" ] || { echo >&2 "ERROR: no machines found"; false; }
  if [ -s .direnv/vars/last-machine.txt ]; then
    machines="$(
      grep <<<"$machines" -xF  "$(cat .direnv/vars/last-machine.txt)" ||:
      grep <<<"$machines" -xFv "$(cat .direnv/vars/last-machine.txt)" ||:
    )"
  fi
  choice="$(gum filter <<<"$machines")"
  mkdir -p .direnv/vars
  cat <<<"$choice" >.direnv/vars/last-machine.txt
  cat <<<"$choice"
--- a/modules/grzegorz.nix
+++ b/modules/grzegorz.nix
@@ -46,15 +46,6 @@ in {
        allow 2001:700:300:1900::/64;
        deny all;
      '';
      locations."/docs" = {
        proxyPass = "http://${grg.settings.host}:${toString grg.settings.port}";
      };
      locations."/api" = {
        proxyPass = "http://${grg.settings.host}:${toString grg.settings.port}";
        proxyWebsockets = true;
      };
    };
    "${machine}-backend.pvv.ntnu.no" = {
--- a/modules/matrix-ooye.nix
+++ b/modules/matrix-ooye.nix
@@ -1,211 +0,0 @@
 # Original from: https://cgit.rory.gay/nix/OOYE-module.git/
 {
  config,
  lib,
  pkgs,
  ...
 }:
 let
  cfg = config.services.matrix-ooye;
  mkStringOption =
    name: default:
    lib.mkOption {
      type = lib.types.str;
      default = default;
    };
 in
 {
  options = {
    services.matrix-ooye = {
      enable = lib.mkEnableOption "Enable OOYE service";
      package = lib.mkOption {
        type = lib.types.package;
        default = pkgs.out-of-your-element;
      };
      appserviceId = mkStringOption "The ID of the appservice." "ooye";
      homeserver = mkStringOption "The homeserver to connect to." "http://localhost:8006";
      homeserverName = mkStringOption "The name of the homeserver to connect to." "localhost";
      namespace = mkStringOption "The prefix to use for the MXIDs/aliases of bridged users/rooms. Should end with a _!" "_ooye_";
      discordTokenPath = mkStringOption "The path to the discord token file." "/etc/ooye-discord-token";
      discordClientSecretPath = mkStringOption "The path to the discord token file." "/etc/ooye-discord-client-secret";
      socket = mkStringOption "The socket to listen on, can either be a port number or a unix socket path." "6693";
      bridgeOrigin = mkStringOption "The web frontend URL for the bridge, defaults to http://localhost:{socket}" "";
      enableSynapseIntegration = lib.mkEnableOption "Enable Synapse integration";
    };
  };
  config = lib.mkIf cfg.enable (
    let
      baseConfig = pkgs.writeText "matrix-ooye-config.json" (
        builtins.toJSON {
          id = cfg.appserviceId;
          namespaces = {
            users = [
              {
                exclusive = true;
                regex = "@${cfg.namespace}.*:${cfg.homeserverName}";
              }
            ];
            aliases = [
              {
                exclusive = true;
                regex = "#${cfg.namespace}.*:${cfg.homeserverName}";
              }
            ];
          };
          protocols = [ "discord" ];
          sender_localpart = "${cfg.namespace}bot";
          rate_limited = false;
          socket = cfg.socket; # Can either be a TCP port or a unix socket path
          url = if (lib.hasPrefix "/" cfg.socket) then "unix:${cfg.socket}" else "http://localhost:${cfg.socket}";
          ooye = {
            server_name = cfg.homeserverName;
            namespace_prefix = cfg.namespace;
            max_file_size = 5000000;
            content_length_workaround = false;
            include_user_id_in_mxid = true;
            server_origin = cfg.homeserver;
            bridge_origin = if (cfg.bridgeOrigin == "") then "http://localhost:${cfg.socket}" else cfg.bridgeOrigin;
          };
        }
      );
      script = pkgs.writeScript "matrix-ooye-pre-start.sh" ''
        #!${lib.getExe pkgs.bash}
        REGISTRATION_FILE=registration.yaml
        id
        echo "Before if statement"
        stat ''${REGISTRATION_FILE}
        if [[ ! -f ''${REGISTRATION_FILE} ]]; then
          echo "No registration file found at '$REGISTRATION_FILE'"
          cp --no-preserve=mode,ownership ${baseConfig} ''${REGISTRATION_FILE}
        fi
        echo "After if statement"
        stat ''${REGISTRATION_FILE}
        AS_TOKEN=$(${lib.getExe pkgs.jq} -r .as_token ''${REGISTRATION_FILE})
        HS_TOKEN=$(${lib.getExe pkgs.jq} -r .hs_token ''${REGISTRATION_FILE})
        DISCORD_TOKEN=$(cat /run/credentials/matrix-ooye-pre-start.service/discord_token)
        DISCORD_CLIENT_SECRET=$(cat /run/credentials/matrix-ooye-pre-start.service/discord_client_secret)
        # Check if we have all required tokens
        if [[ -z "$AS_TOKEN" || "$AS_TOKEN" == "null" ]]; then
          AS_TOKEN=$(${lib.getExe pkgs.openssl} rand -hex 64)
          echo "Generated new AS token: ''${AS_TOKEN}"
        fi
        if [[ -z "$HS_TOKEN" || "$HS_TOKEN" == "null" ]]; then
          HS_TOKEN=$(${lib.getExe pkgs.openssl} rand -hex 64)
          echo "Generated new HS token: ''${HS_TOKEN}"
        fi
        if [[ -z "$DISCORD_TOKEN" ]]; then
          echo "No Discord token found at '${cfg.discordTokenPath}'"
          echo "You can find this on the 'Bot' tab of your Discord application."
          exit 1
        fi
        if [[ -z "$DISCORD_CLIENT_SECRET" ]]; then
          echo "No Discord client secret found at '${cfg.discordTokenPath}'"
          echo "You can find this on the 'OAuth2' tab of your Discord application."
          exit 1
        fi
        shred -u ''${REGISTRATION_FILE}
        cp --no-preserve=mode,ownership ${baseConfig} ''${REGISTRATION_FILE}
        ${lib.getExe pkgs.jq} '.as_token = "'$AS_TOKEN'" | .hs_token = "'$HS_TOKEN'" | .ooye.discord_token = "'$DISCORD_TOKEN'" | .ooye.discord_client_secret = "'$DISCORD_CLIENT_SECRET'"' ''${REGISTRATION_FILE} > ''${REGISTRATION_FILE}.tmp
        shred -u ''${REGISTRATION_FILE}
        mv ''${REGISTRATION_FILE}.tmp ''${REGISTRATION_FILE}
      '';
    in
    {
      warnings =
        lib.optionals ((builtins.substring (lib.stringLength cfg.namespace - 1) 1 cfg.namespace) != "_") [
          "OOYE namespace does not end with an underscore! This is recommended to have better ID formatting. Provided: '${cfg.namespace}'"
        ]
        ++ lib.optionals ((builtins.substring 0 1 cfg.namespace) != "_") [
          "OOYE namespace does not start with an underscore! This is recommended to avoid conflicts with registered users. Provided: '${cfg.namespace}'"
        ];
      environment.systemPackages = [ cfg.package ];
      systemd.services."matrix-ooye-pre-start" = {
        enable = true;
        wantedBy = [ "multi-user.target" ];
        serviceConfig = {
          ExecStart = script;
          WorkingDirectory = "/var/lib/matrix-ooye";
          StateDirectory = "matrix-ooye";
          DynamicUser = true;
          RemainAfterExit = true;
          Type = "oneshot";
          LoadCredential = [
            "discord_token:${cfg.discordTokenPath}"
            "discord_client_secret:${cfg.discordClientSecretPath}"
          ];
        };
      };
      systemd.services."matrix-ooye" = {
        enable = true;
        description = "Out of Your Element - a Discord bridge for Matrix.";
        wants = [
          "network-online.target"
          "matrix-synapse.service"
          "conduit.service"
          "dendrite.service"
        ];
        after = [
          "matrix-ooye-pre-start.service"
          "network-online.target"
        ];
        requires = [ "matrix-ooye-pre-start.service" ];
        wantedBy = [ "multi-user.target" ];
        serviceConfig = {
          ExecStart = lib.getExe config.services.matrix-ooye.package;
          WorkingDirectory = "/var/lib/matrix-ooye";
          StateDirectory = "matrix-ooye";
          #ProtectSystem = "strict";
          #ProtectHome = true;
          #PrivateTmp = true;
          #NoNewPrivileges = true;
          #PrivateDevices = true;
          Restart = "on-failure";
          DynamicUser = true;
        };
      };
      systemd.services."matrix-synapse" = lib.mkIf cfg.enableSynapseIntegration {
        after = [
          "matrix-ooye-pre-start.service"
          "network-online.target"
        ];
        requires = [ "matrix-ooye-pre-start.service" ];
        serviceConfig = {
          LoadCredential = [
            "matrix-ooye-registration:/var/lib/matrix-ooye/registration.yaml"
          ];
          ExecStartPre = [
            "+${pkgs.coreutils}/bin/cp /run/credentials/matrix-synapse.service/matrix-ooye-registration ${config.services.matrix-synapse.dataDir}/ooye-registration.yaml"
            "+${pkgs.coreutils}/bin/chown matrix-synapse:matrix-synapse ${config.services.matrix-synapse.dataDir}/ooye-registration.yaml"
          ];
        };
      };
      services.matrix-synapse.settings.app_service_config_files = lib.mkIf cfg.enableSynapseIntegration [
        "${config.services.matrix-synapse.dataDir}/ooye-registration.yaml"
      ];
    }
  );
 }
--- a/packages/out-of-your-element.nix
+++ b/packages/out-of-your-element.nix
@@ -1,42 +0,0 @@
 {
  lib,
  fetchgit,
  makeWrapper,
  nodejs,
  buildNpmPackage,
 }:
 buildNpmPackage {
  pname = "delete-your-element";
  version = "3.1-unstable-2025-06-22";
  src = fetchgit {
    url = "https://git.pvv.ntnu.no/Drift/delete-your-element.git";
    rev = "cdc3b95858419568c7058d4f0056b14dbbf1152b";
    sha256 = "sha256-v6PFyduwve6uwqBB5mzXMP09GwaxGjv1xIzgs/Eeolc=";
  };
  npmDepsHash = "sha256-HNHEGez8X7CsoGYXqzB49o1pcCImfmGYIw9QKF2SbHo=";
  dontNpmBuild = true;
  nativeBuildInputs = [makeWrapper];
  installPhase = ''
    runHook preInstall
    mkdir -p $out/share
    cp -a . $out/share/ooye
    makeWrapper ${nodejs}/bin/node $out/bin/matrix-ooye --add-flags $out/share/ooye/start.js
    makeWrapper ${nodejs}/bin/node $out/bin/matrix-ooye-addbot --add-flags $out/share/ooye/addbot.js
    runHook postInstall
  '';
  meta = with lib; {
    description = "Matrix-Discord bridge with modern features.";
    homepage = "https://gitdab.com/cadence/out-of-your-element";
    longDescription = ''
      Modern Matrix-to-Discord appservice bridge, created by @cadence:cadence.moe.
    '';
    license = licenses.gpl3;
    # maintainers = with maintainers; [ RorySys ];
    mainProgram = "matrix-ooye";
  };
 }
--- a/secrets/bicep/matrix.yaml
+++ b/secrets/bicep/matrix.yaml
@@ -9,15 +9,14 @@ mjolnir:
 discord:
    as_token: ENC[AES256_GCM,data:cnPZjBbODZUA1p0kLNeWpKh1oGkDPxDw/g7163XnoRCIgpqk,iv:Uu4L36uDPMBgzdXE2Lt9U0qrBSl3Xuufh1313BD8B/U=,tag:nTm6s7IGd4vNzZ95mfxDpA==,type:str]
    hs_token: ENC[AES256_GCM,data:UzcaNsJtJPKvFT4gQDNfat0nmyJzmQ6OcSI73pANibzOVrWl,iv:ujgRM2jb1rbeloPB4UPLBEvQ7uue4a+bHiqsZAHIqtk=,tag:uIfuaTWSTeVvpQx5o28HPA==,type:str]
 ooye:
    hs_token: ENC[AES256_GCM,data:QBrdRt4ozAh2XYJtssm82uHlk9aGO1Nr0fEZetmWfLvmw52FZEq8ijyKOgwS6uTcndMi4gGKkq9r4eapLwcMdQ==,iv:VHOAqxR1WGzZ9dmNx+FmjGAKRpUFjWOwyOVmgDswpE0=,tag:k5it/yx7pOfGbJXZUlV69Q==,type:str]
    as_token: ENC[AES256_GCM,data:RMkY0xVj14FwDbYaAysSmzB0IlJuk0ucicNhhTmVAEgiU05PxWG+qk3/elFcaFwaXRFgQQtVyGFZEcK5gpE9hA==,iv:8JgNrTe7GQqPMdUCxEaxJ9qV7Uec2fkYBmF9LmH4X3o=,tag:tRnFpRAZs9kO3u2SDMwNnA==,type:str]
    discord_token: ENC[AES256_GCM,data:6rzv3glW03jcYiJ7sAvDcvDmQHs9iVbV11tIFwgD3GuTkVn6mbAoQhjUaz3zpb/OeoGt+j/pCBRlZgk=,iv:JwkqLpeGYhgwLX7SACNh0AUO53XSx9IKgncI0+KkvyU=,tag:30C0X9nVSlEYPITVzuN0qA==,type:str]
    discord_client_secret: ENC[AES256_GCM,data:wbM7bPZCWa2+UNUqXi27fP0ppdinRkEC4N9KB68TJzg=,iv:Y2j+8oI+kI7DMrBfFU3G5HtFWguNxDpxbNvJkpK5lQs=,tag:GntocbTCybCVqZ2T3lNSIQ==,type:str]
 hookshot:
    as_token: ENC[AES256_GCM,data:L4vEw5r4RhcgritOeDTLHN5E/dM=,iv:pC8BLzxf6NaVAGsotoq6chOceBVdMLvrsQn1LGw9H9w=,tag:SI3CDFHAvgQZEvf/oms3EA==,type:str]
    hs_token: ENC[AES256_GCM,data:2ufSJfYzzAB5IO+edwKSra5d/+M=,iv:cmTycGzNL+IeRRKZGbkhTtiksYTtbxED0k0B5haFw7k=,tag:FmWe5sGi9rlapUeAE6lKvg==,type:str]
 sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age:
        - recipient: age1sl43gc9cw939z5tgha2lpwf0xxxgcnlw7w4xem4sqgmt2pt264vq0dmwx2
          enc: |
@@ -73,8 +72,8 @@ sops:
            WEh5NFN6SFF1TlltdWFWTGw4MHRHUkUKrKIvC87xjEmwxPQhH8dN+ZuaJTCgPY28
            pR62KxmoKFICLTHPpYP3euiAx5M9BWvgvCnA/US/5klpk8MtlreNFA==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-06-21T21:23:24Z"
+    lastmodified: "2024-10-13T23:30:01Z"
-    mac: ENC[AES256_GCM,data:bEJoCzxph/MOnTOJKdrRiQmbVWmAgsKy8vbD5YBeWagWUCJPDAZNDFLzEzmPvt0jDBol04JosrSIKZS1JzJIIm0zRkcOWSqERQCgjgtGdAYmfp0V6ddseDUVfKlZYJDkt6Bdkqg+9LzrP8dDVm2tMDXpo8vzs02o9dTYFm7imVQ=,iv:buP/297JMfvEm9+IdMWRGV7AgZwF0+G6Z2YIeYw/z1o=,tag:+zG612MJA4Ui8CZBgxM+AQ==,type:str]
+    mac: ENC[AES256_GCM,data:vdsAZmg7gPqzeucBhLhPemtRVkcxRecIdB6PXZ4paU+Uv5UorBKcTZ3jseN2cLi6ot3ycTIm+UI6uhlCy87vAJVynVJhuJS+ICFRS2+DfoVyuttLjZQGC2sr3+dEBHxIH7sZJSo9PIzbIWw3qHrpOPAZj0//1pFyp/k15k3vidM=,iv:jWtV+WAPt08lgdrVvtXOl35rDB4QflkZWuGBW1+ESyw=,tag:YxSHncZZOAW5uDxXtb/krw==,type:str]
    pgp:
        - created_at: "2024-08-04T00:03:46Z"
          enc: |-
@@ -97,4 +96,4 @@ sops:
            -----END PGP MESSAGE-----
          fp: F7D37890228A907440E1FD4846B9228E814A2AAC
    unencrypted_suffix: _unencrypted
-    version: 3.10.2
+    version: 3.8.1
--- a/secrets/kvernberg/exhange-offline-master.priv
+++ b/secrets/kvernberg/exhange-offline-master.priv
@@ -0,0 +1,24 @@
 {
 	"data": "ENC[AES256_GCM,data:dhVo1B+ZG1B6s0bTLgph4ipPmi0mveaObbJAffDQbpY=,iv:P5plvu4DQYa99cQZQ6B/gEFcSffu3lTY3+Z80Cfoj94=,tag:4xcqCbn6fFSmCbYmmEgQEg==,type:str]",
 	"sops": {
 		"kms": null,
 		"gcp_kms": null,
 		"azure_kv": null,
 		"hc_vault": null,
 		"age": [
 			{
 				"recipient": "age19rlntxt0m27waa0n288g9wgpksa6ndlzz8eneeqya7w3zd7may0sqzhcvz",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5MzVHSE15Nk9MODQxc2g0\nbHlqNmFKclBYbUNKQTNUOGo0VThiaEZTVzJFCmU2YkYwMXlyeHM3ZzAxOWZpa3k4\nUUJLanVFbkNMa25RcGZmOTBsVmtzazQKLS0tIE1sTTBqT3VJMDFOYXl0T1JvcDRV\nRFpsZGNOZzFzMFc3YzcxeXdIK1d6QUUKzy0n7DJsOmrNvU03Tn6Zcj/l/kAylzzP\nhNnFLXfStdKl3A/qrzBPhTVbYD73yFkZuQ+bDr7/IMsHAmDsztuA9g==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age17tagmpwqjk3mdy45rfesrfey6h863x8wfq38wh33tkrlrywxducs0k6tpq",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnbEdBWjdEbmtNYWJHQnFj\nSU1yb0NYVG4xVlZkYTdUWUpDcGdmbFF6U1NrCjBlWFZkcC9FMVJLYUtDNlBTUWcw\nNHBwWFNESDBQQmJNb3NDN2tDekM4eUUKLS0tICtMVGc1L2JFQ1BqKzM3eWFPRmRQ\nWXlQUWpvdUdOUlZ1OFhtS0ErL0JKSlUKzxLKbsnXvEqnR2HVsTxNqmM7YPjWfCjG\nZ4Bf046NdseomkNuTvWuPzjzPTe4GvjudMYc4ODchkIMOo6hXyf5kw==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
 		"lastmodified": "2024-11-17T01:12:23Z",
 		"mac": "ENC[AES256_GCM,data:aXIM/pmgVmfNSa+PwpfK6Efh/kCWXUqZNcKLkyhRwl++vaIBQUIQgQjv09hWHOF77V3ZjRQjh2E1uNe2baBLEmrDT5Au+7VABW+j49KX/vKMd+1l4w47l3DukOVnoo50bsOQFtH+amSl2P2imxpO15sjVDu9/nUeu2qXrtbIUh8=,iv:BQVs3P9p86uzTH2BfuSOxycpE6di4ZIwSz7OTZdcQPg=,tag:mT4Ek8dDbVINGp4Odt62zw==,type:str]",
 		"pgp": null,
 		"unencrypted_suffix": "_unencrypted",
 		"version": "3.9.1"
 	}
 }
--- a/values.nix
+++ b/values.nix
@@ -71,6 +71,9 @@ in rec {
    wenche = {
      ipv4 = pvv-ipv4 240;
      ipv6 = pvv-ipv6 240;
    kvernberg = {
      ipv4 = pvv-ipv4 206;
      ipv6 = pvv-ipv6 "1:206";
    };
  };
Author	SHA1	Message	Date
Daniel Olsen	1fe3972aa5	diskonaut is dead Some checks failed Eval nix flake / evals (push) Has been cancelled Details	2025-05-24 17:18:59 +02:00
Daniel Olsen	e269c1165d	update flake.lock	2025-05-24 17:18:59 +02:00
Daniel Olsen	0db8cb5737	kvernberg/taler: various fixes	2025-05-24 17:18:59 +02:00
Daniel Olsen	0880ebb9dc	kvernberg/taler: move behind nginx	2025-05-24 17:18:59 +02:00
Daniel Olsen	af8a4890ea	kvernberg/taler/bank: init	2025-05-24 17:18:59 +02:00
Daniel Olsen	bf071c64ff	kvernberg/taler/exchange: Add more denominations	2025-05-24 17:18:59 +02:00
Daniel Olsen	4dfaf52220	Maybe this sets up the exchange idk....	2025-05-24 17:18:56 +02:00
Daniel Olsen	767d233dd6	drop when #332699 is used: Use nixpkgs taler branch	2025-05-24 17:17:36 +02:00
Daniel Olsen	14c1365758	kvernberg: temporarily autoupgrade to this branch DROP BEFORE MERGE	2025-05-24 17:17:36 +02:00
Daniel Olsen	a1c8a64c01	kvernberg: init	2025-05-24 17:17:33 +02:00