WIP: fix import-gitea-users script

Co-authored-by: h7x4 <h7x4@nani.wtf>

.mailmap

@@ -0,0 +1,25 @@
+Daniel Løvbrøtte Olsen <danio@pvv.ntnu.no> <daniel.olsen99@gmail.com>
+Daniel Løvbrøtte Olsen <danio@pvv.ntnu.no> Daniel <danio@pvv.ntnu.no>
+Daniel Løvbrøtte Olsen <danio@pvv.ntnu.no> Daniel Lovbrotte Olsen <danio@pvv.ntnu.no>
+Daniel Løvbrøtte Olsen <danio@pvv.ntnu.no> Daniel Olsen <danio@pvv.ntnu.no>
+Daniel Løvbrøtte Olsen <danio@pvv.ntnu.no> danio <danio@pvv.ntnu.no>
+Daniel Løvbrøtte Olsen <danio@pvv.ntnu.no> Daniel Olsen <danio@bicep.pvv.ntnu.no>
+
+
+Øystein Kristoffer Tveit <oysteikt@pvv.ntnu.no> h7x4 <h7x4@nani.wtf>
+Øystein Kristoffer Tveit <oysteikt@pvv.ntnu.no> Øystein Tveit <oysteikt@pvv.ntnu.no>
+Øystein Kristoffer Tveit <oysteikt@pvv.ntnu.no> oysteikt <oysteikt@pvv.ntnu.no>
+Øystein Kristoffer Tveit <oysteikt@pvv.ntnu.no> Øystein <oysteikt@pvv.org>
+Øystein Kristoffer Tveit <oysteikt@pvv.ntnu.no> Oystein Kristoffer Tveit <oysteikt@pvv.ntnu.no>
+
+Felix Albrigtsen <felixalb@pvv.ntnu.no> <felix@albrigtsen.it>
+Felix Albrigtsen <felixalb@pvv.ntnu.no> <felixalbrigtsen@gmail.com>
+Felix Albrigtsen <felixalb@pvv.ntnu.no> felixalb <felixalb@pvv.ntnu.no>
+
+Peder Bergebakken Sundt <pederbs@pvv.ntnu.no> <pbsds@hotmail.com>
+
+Adrian Gunnar Lauterer <adriangl@pvv.ntnu.no> Adrian G L <adrian@lauterer.it>
+Adrian Gunnar Lauterer <adriangl@pvv.ntnu.no> Adrian Gunnar Lauterer <adrian@lauterer.it>
+
+Fredrik Robertsen <frero@pvv.ntnu.no> frero <frero@pvv.ntnu.no>
+Fredrik Robertsen <frero@pvv.ntnu.no> fredrikr79 <fredrikrobertsen7@gmail.com>

.sops.yaml

@@ -15,7 +15,11 @@ keys:
   - &host_bicep age1sl43gc9cw939z5tgha2lpwf0xxxgcnlw7w4xem4sqgmt2pt264vq0dmwx2
   - &host_ustetind age1hffjafs4slznksefmtqrlj7rdaqgzqncn4un938rhr053237ry8s3rs0v8
   - &host_kommode age1mt4d0hg5g76qp7j0884llemy0k2ymr5up8vfudz6vzvsflk5nptqqd32ly
-  - &host_kvernberg age19rlntxt0m27waa0n288g9wgpksa6ndlzz8eneeqya7w3zd7may0sqzhcvz
+  - &host_lupine-1 age1fkrypl6fu4ldsa7te4g3v4qsegnk7sd6qhkquuwzh04vguy96qus08902e
+  - &host_lupine-2 age1mu0ej57n4s30ghealhyju3enls83qyjua69986la35t2yh0q2s0seruz5n
+  - &host_lupine-3 age1j2u876z8hu87q5npfxzzpfgllyw8ypj66d7cgelmzmnrf3xud34qzkntp9
+  - &host_lupine-4 age1t8zlawqkmhye737pn8yx0z3p9cl947d9ktv2cajdc6hnvn52d3fsc59s2k
+  - &host_lupine-5 age199zkqq4jp4yc3d0hx2q0ksxdtp42xhmjsqwyngh8tswuck34ke3smrfyqu
 
 creation_rules:
   # Global secrets
@@ -106,8 +110,18 @@ creation_rules:
       pgp:
       - *user_oysteikt
 
-  - path_regex: secrets/kvernberg/[^/]+$
+  - path_regex: secrets/lupine/[^/]+\.yaml$
     key_groups:
     - age:
-          - *host_kvernberg
+      - *host_lupine-1
+      - *host_lupine-2
+      - *host_lupine-3
+      - *host_lupine-4
+      - *host_lupine-5
       - *user_danio
+      - *user_felixalb
+      - *user_pederbs_sopp
+      - *user_pederbs_nord
+      - *user_pederbs_bjarte
+      pgp:
+      - *user_oysteikt

base/default.nix

@@ -7,8 +7,10 @@
 
     ./networking.nix
     ./nix.nix
+    ./vm.nix
 
     ./services/acme.nix
+    ./services/uptimed.nix
     ./services/auto-upgrade.nix
     ./services/dbus.nix
     ./services/fwupd.nix
@@ -64,7 +66,7 @@
 
   programs.zsh.enable = true;
 
-  security.lockKernelModules = true;
+  # security.lockKernelModules = true;
   security.protectKernelImage = true;
   security.sudo.execWheelOnly = true;
   security.sudo.extraConfig = ''
@@ -76,4 +78,3 @@
   # Trusted users on the nix builder machines
   users.groups."nix-builder-users".name = "nix-builder-users";
 }
-

base/nix.nix

@@ -1,4 +1,4 @@
-{ inputs, ... }:
+{ lib, config, inputs, ... }:
 {
   nix = {
     gc = {
@@ -21,11 +21,16 @@
     ** use the same channel the system
     ** was built with
     */
-    registry = {
+    registry = lib.mkMerge [
+      {
         "nixpkgs".flake = inputs.nixpkgs;
         "nixpkgs-unstable".flake = inputs.nixpkgs-unstable;
+      }
+      # We avoid the reference to self in vmVariant to get a stable system .outPath for equivalence testing
+      (lib.mkIf (!config.virtualisation.isVmVariant) {
         "pvv-nix".flake = inputs.self;
-    };
+      })
+    ];
     nixPath = [
       "nixpkgs=${inputs.nixpkgs}"
       "unstable=${inputs.nixpkgs-unstable}"

base/services/auto-upgrade.nix

@@ -1,21 +1,33 @@
-{ inputs, pkgs, lib, ... }:
+{ config, inputs, pkgs, lib, ... }:
+
+let
+  inputUrls = lib.mapAttrs (input: value: value.url) (import "${inputs.self}/flake.nix").inputs;
+in
+
 {
   system.autoUpgrade = {
     enable = true;
-    flake = "git+https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git?ref=pvvvvv";
+    flake = "git+https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git";
     flags = [
-      # --update-input is deprecated since nix 2.22, and removed in lix 2.90
-      # https://git.lix.systems/lix-project/lix/issues/400
       "--refresh"
-      "--override-input" "nixpkgs" "github:nixos/nixpkgs/nixos-unstable-small"
-      "--override-input" "nixpkgs-unstable" "github:nixos/nixpkgs/nixos-unstable-small"
       "--no-write-lock-file"
-    ];
+      # --update-input is deprecated since nix 2.22, and removed in lix 2.90
+      # as such we instead use --override-input combined with --refresh
+      # https://git.lix.systems/lix-project/lix/issues/400
+    ] ++ (lib.pipe inputUrls [
+      (lib.intersectAttrs {
+        nixpkgs = { };
+        nixpkgs-unstable = { };
+      })
+      (lib.mapAttrsToList (input: url: ["--override-input" input url]))
+      lib.concatLists
+    ]);
   };
 
   # workaround for https://github.com/NixOS/nix/issues/6895
   # via https://git.lix.systems/lix-project/lix/issues/400
-  environment.etc."current-system-flake-inputs.json".source
+  environment.etc = lib.mkIf (!config.virtualisation.isVmVariant) {
+    "current-system-flake-inputs.json".source
       = pkgs.writers.writeJSON "flake-inputs.json" (
         lib.flip lib.mapAttrs inputs (name: input:
           # inputs.*.sourceInfo sans outPath, since writeJSON will otherwise serialize sourceInfo like a derivation
@@ -23,4 +35,5 @@
             // { store-path = input.outPath; } # comment this line if you don't want to retain a store reference to the flake inputs
         )
       );
+  };
 }

base/services/uptimed.nix

@@ -0,0 +1,59 @@
+{ config, pkgs, lib, ... }:
+let
+  cfg = config.services.uptimed;
+in
+{
+  options.services.uptimed.settings = lib.mkOption {
+    description = "";
+    default = { };
+    type = lib.types.submodule {
+      freeformType = with lib.types; attrsOf (either str (listOf str));
+    };
+  };
+
+  config = {
+    services.uptimed = {
+      enable = true;
+
+      settings = let
+        stateDir = "/var/lib/uptimed";
+      in {
+        PIDFILE = "${stateDir}/pid";
+        SENDMAIL = lib.mkDefault "${pkgs.system-sendmail}/bin/sendmail -t";
+      };
+    };
+
+    systemd.services.uptimed = lib.mkIf (cfg.enable) {
+      serviceConfig = let
+        uptimed = pkgs.uptimed.overrideAttrs (prev: {
+          postPatch = ''
+             substituteInPlace Makefile.am \
+               --replace-fail '$(sysconfdir)/uptimed.conf' '/var/lib/uptimed/uptimed.conf'
+             substituteInPlace src/Makefile.am \
+               --replace-fail '$(sysconfdir)/uptimed.conf' '/var/lib/uptimed/uptimed.conf'
+          '';
+        });
+
+      in {
+        Type = "notify";
+
+        ExecStart = lib.mkForce "${uptimed}/sbin/uptimed -f";
+
+        BindReadOnlyPaths = let
+          configFile = lib.pipe cfg.settings [
+            (lib.mapAttrsToList
+              (k: v:
+                if builtins.isList v
+                  then lib.mapConcatStringsSep "\n" (v': "${k}=${v'}") v
+                  else "${k}=${v}")
+            )
+            (lib.concatStringsSep "\n")
+            (pkgs.writeText "uptimed.conf")
+          ];
+        in [
+          "${configFile}:/var/lib/uptimed/uptimed.conf"
+        ];
+      };
+    };
+  };
+}

base/vm.nix

@@ -0,0 +1,15 @@
+{ lib, ... }:
+
+# This enables
+#     lib.mkIf (!config.virtualisation.isVmVariant) { ... }
+
+{
+  options.virtualisation.isVmVariant = lib.mkOption {
+    description = "`true` if system is build with 'nixos-rebuild build-vm'";
+    type = lib.types.bool;
+    default = false;
+  };
+  config.virtualisation.vmVariant = {
+    virtualisation.isVmVariant = true;
+  };
+}

flake.lock

@@ -7,11 +7,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1739634831,
-        "narHash": "sha256-xFnU+uUl48Icas2wPQ+ZzlL2O3n8f6J2LrzNK9f2nng=",
+        "lastModified": 1752113600,
+        "narHash": "sha256-7LYDxKxZgBQ8LZUuolAQ8UkIB+jb4A2UmiR+kzY9CLI=",
         "owner": "nix-community",
         "repo": "disko",
-        "rev": "fa5746ecea1772cf59b3f34c5816ab3531478142",
+        "rev": "79264292b7e3482e5702932949de9cbb69fedf6d",
         "type": "github"
       },
       "original": {
@@ -48,11 +48,11 @@
         "rust-overlay": "rust-overlay"
       },
       "locked": {
-        "lastModified": 1736545379,
-        "narHash": "sha256-PeTTmGumdOX3rd6OKI7QMCrZovCDkrckZbcHr+znxWA=",
+        "lastModified": 1752258704,
+        "narHash": "sha256-pRK99+MCgkeVptbJxXhVMXIXl8uwSdkZDpQzFi3OgkA=",
         "ref": "refs/heads/main",
-        "rev": "74f5316121776db2769385927ec0d0c2cc2b23e4",
-        "revCount": 42,
+        "rev": "9ff525339b62855d53a44b4dc0154a33ac19e44d",
+        "revCount": 48,
         "type": "git",
         "url": "https://git.pvv.ntnu.no/Grzegorz/greg-ng.git"
       },
@@ -88,16 +88,16 @@
         ]
       },
       "locked": {
-        "lastModified": 1727410897,
-        "narHash": "sha256-tWsyxvf421ieWUJYgjV7m1eTdr2ZkO3vId7vmtvfFpQ=",
+        "lastModified": 1753216555,
+        "narHash": "sha256-qfgVfgXjVPV7vEER4PVFiGUOUW08GHH71CVXgYW8EVc=",
         "owner": "dali99",
         "repo": "nixos-matrix-modules",
-        "rev": "ff787d410cba17882cd7b6e2e22cc88d4064193c",
+        "rev": "099db715d1eba526a464f271b05cead5166fd9a9",
         "type": "github"
       },
       "original": {
         "owner": "dali99",
-        "ref": "v0.6.1",
+        "ref": "v0.7.1",
         "repo": "nixos-matrix-modules",
         "type": "github"
       }
@@ -110,11 +110,11 @@
         "rev": "1b4087bd3322a2e2ba84271c8fcc013e6b641a58",
         "revCount": 2,
         "type": "git",
-        "url": "https://git.pvv.ntnu.no/Drift/minecraft-data.git"
+        "url": "https://git.pvv.ntnu.no/Projects/minecraft-kartverket.git"
       },
       "original": {
         "type": "git",
-        "url": "https://git.pvv.ntnu.no/Drift/minecraft-data.git"
+        "url": "https://git.pvv.ntnu.no/Projects/minecraft-kartverket.git"
       }
     },
     "nix-gitea-themes": {
@@ -124,49 +124,43 @@
         ]
       },
       "locked": {
-        "lastModified": 1736531400,
-        "narHash": "sha256-+X/HVI1AwoPcud28wI35XRrc1kDgkYdDUGABJBAkxDI=",
+        "lastModified": 1743881366,
+        "narHash": "sha256-ScGA2IHPk9ugf9bqEZnp+YB/OJgrkZblnG/XLEKvJAo=",
         "ref": "refs/heads/main",
-        "rev": "e4dafd06b3d7e9e6e07617766e9c3743134571b7",
-        "revCount": 7,
+        "rev": "db2e4becf1b11e5dfd33de12a90a7d089fcf68ec",
+        "revCount": 11,
         "type": "git",
-        "url": "https://git.pvv.ntnu.no/oysteikt/nix-gitea-themes.git"
+        "url": "https://git.pvv.ntnu.no/Drift/nix-gitea-themes.git"
       },
       "original": {
         "type": "git",
-        "url": "https://git.pvv.ntnu.no/oysteikt/nix-gitea-themes.git"
+        "url": "https://git.pvv.ntnu.no/Drift/nix-gitea-themes.git"
       }
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1739611738,
-        "narHash": "sha256-3bnOIZz8KXtzcaXGuH9Eriv0HiQyr1EIfcye+VHLQZE=",
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "31ff66eb77d02e9ac34b7256a02edb1c43fb9998",
-        "type": "github"
+        "lastModified": 1752439653,
+        "narHash": "sha256-mG27U2CFuggpAuozOu/4XAMKaOtJxzJVzdEemjQEBgg=",
+        "rev": "dfcd5b901dbab46c9c6e80b265648481aafb01f8",
+        "type": "tarball",
+        "url": "https://releases.nixos.org/nixos/25.05-small/nixos-25.05.806304.dfcd5b901dba/nixexprs.tar.xz"
       },
       "original": {
-        "owner": "NixOS",
-        "ref": "nixos-unstable-small",
-        "repo": "nixpkgs",
-        "type": "github"
+        "type": "tarball",
+        "url": "https://nixos.org/channels/nixos-25.05-small/nixexprs.tar.xz"
       }
     },
     "nixpkgs-unstable": {
       "locked": {
-        "lastModified": 1739611738,
-        "narHash": "sha256-3bnOIZz8KXtzcaXGuH9Eriv0HiQyr1EIfcye+VHLQZE=",
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "31ff66eb77d02e9ac34b7256a02edb1c43fb9998",
-        "type": "github"
+        "lastModified": 1752439402,
+        "narHash": "sha256-xDfOnjnKStgsgcn9SFPgOV6qzwac4JvGKYyfR++49Pw=",
+        "rev": "b47d4f01d4213715a1f09b999bab96bb6a5b675e",
+        "type": "tarball",
+        "url": "https://releases.nixos.org/nixos/unstable-small/nixos-25.11pre829909.b47d4f01d421/nixexprs.tar.xz"
       },
       "original": {
-        "owner": "NixOS",
-        "ref": "nixos-unstable-small",
-        "repo": "nixpkgs",
-        "type": "github"
+        "type": "tarball",
+        "url": "https://nixos.org/channels/nixos-unstable-small/nixexprs.tar.xz"
       }
     },
     "pvv-calendar-bot": {
@@ -176,11 +170,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1723850344,
-        "narHash": "sha256-aT37O9l9eclWEnqxASVNBL1dKwDHZUOqdbA4VO9DJvw=",
+        "lastModified": 1742225512,
+        "narHash": "sha256-OB0ndlrGLE5wMUeYP4lmxly9JUEpPCeZRQyMzITKCB0=",
         "ref": "refs/heads/main",
-        "rev": "38b66677ab8c01aee10cd59e745af9ce3ea88092",
-        "revCount": 19,
+        "rev": "c4a6a02c84d8227abf00305dc995d7242176e6f6",
+        "revCount": 21,
         "type": "git",
         "url": "https://git.pvv.ntnu.no/Projects/calendar-bot.git"
       },
@@ -196,11 +190,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1737151758,
-        "narHash": "sha256-yZBsefIarFUEhFRj+rCGMp9Zvag3MCafqV/JfGVRVwc=",
-        "ref": "refs/heads/master",
-        "rev": "a4ebe6ded0c8c124561a41cb329ff30891914b5e",
-        "revCount": 475,
+        "lastModified": 1752865540,
+        "narHash": "sha256-VYLXcV8FsaMTsmxISOejvBq76eA41yi7BCRNW1qGbV0=",
+        "ref": "refs/heads/main",
+        "rev": "f732582d0d1389721ea2c91ab370ba2fb824d644",
+        "revCount": 496,
         "type": "git",
         "url": "https://git.pvv.ntnu.no/Projects/nettsiden.git"
       },
@@ -233,11 +227,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1729391507,
-        "narHash": "sha256-as0I9xieJUHf7kiK2a9znDsVZQTFWhM1pLivII43Gi0=",
+        "lastModified": 1752201818,
+        "narHash": "sha256-d8KczaVT8WFEZdWg//tMAbv8EDyn2YTWcJvSY8gqKBU=",
         "owner": "oxalica",
         "repo": "rust-overlay",
-        "rev": "784981a9feeba406de38c1c9a3decf966d853cca",
+        "rev": "bd8f8329780b348fedcd37b53dbbee48c08c496d",
         "type": "github"
       },
       "original": {
@@ -253,11 +247,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1739262228,
-        "narHash": "sha256-7JAGezJ0Dn5qIyA2+T4Dt/xQgAbhCglh6lzCekTVMeU=",
+        "lastModified": 1751606940,
+        "narHash": "sha256-KrDPXobG7DFKTOteqdSVeL1bMVitDcy7otpVZWDE6MA=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "07af005bb7d60c7f118d9d9f5530485da5d1e975",
+        "rev": "3633fc4acf03f43b260244d94c71e9e14a2f6e0d",
         "type": "github"
       },
       "original": {

flake.nix

@@ -2,8 +2,8 @@
   description = "PVV System flake";
 
   inputs = {
-    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable-small"; # remember to also update the url in base/services/auto-upgrade.nix
-    nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable-small";
+    nixpkgs.url = "https://nixos.org/channels/nixos-25.05-small/nixexprs.tar.xz";
+    nixpkgs-unstable.url = "https://nixos.org/channels/nixos-unstable-small/nixexprs.tar.xz";
 
     sops-nix.url = "github:Mic92/sops-nix";
     sops-nix.inputs.nixpkgs.follows = "nixpkgs";
@@ -17,7 +17,7 @@
     pvv-calendar-bot.url = "git+https://git.pvv.ntnu.no/Projects/calendar-bot.git";
     pvv-calendar-bot.inputs.nixpkgs.follows = "nixpkgs";
 
-    matrix-next.url = "github:dali99/nixos-matrix-modules/0.7.0";
+    matrix-next.url = "github:dali99/nixos-matrix-modules/v0.7.1";
     matrix-next.inputs.nixpkgs.follows = "nixpkgs";
 
     nix-gitea-themes.url = "git+https://git.pvv.ntnu.no/Drift/nix-gitea-themes.git";
@@ -55,46 +55,63 @@
 
     nixosConfigurations = let
       unstablePkgs = nixpkgs-unstable.legacyPackages.x86_64-linux;
-      nixosConfig = nixpkgs: name: config: lib.nixosSystem (lib.recursiveUpdate
-        rec {
+
+      nixosConfig =
+        nixpkgs:
+        name:
+        configurationPath:
+        extraArgs:
+        lib.nixosSystem (lib.recursiveUpdate
+        (let
           system = "x86_64-linux";
+        in {
+          inherit system;
+
           specialArgs = {
             inherit unstablePkgs inputs;
             values = import ./values.nix;
             fp = path: ./${path};
-          };
+          } // extraArgs.specialArgs or { };
 
           modules = [
-            ./hosts/${name}/configuration.nix
+            configurationPath
             sops-nix.nixosModules.sops
-          ] ++ config.modules or [];
+          ] ++ extraArgs.modules or [];
 
           pkgs = import nixpkgs {
             inherit system;
-            config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg)
+            extraArgs.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg)
               [
                 "nvidia-x11"
                 "nvidia-settings"
               ];
             overlays = [
               # Global overlays go here
-            ] ++ config.overlays or [ ];
+            ] ++ extraArgs.overlays or [ ];
           };
-        }
-        (removeAttrs config [ "modules" "overlays" ])
+        })
+        (builtins.removeAttrs extraArgs [
+          "modules"
+          "overlays"
+          "specialArgs"
+        ])
       );
 
-      stableNixosConfig = nixosConfig nixpkgs;
-      unstableNixosConfig = nixosConfig nixpkgs-unstable;
+      stableNixosConfig = name: extraArgs:
+          nixosConfig nixpkgs name ./hosts/${name}/configuration.nix extraArgs;
     in {
       bicep = stableNixosConfig "bicep" {
         modules = [
           inputs.matrix-next.nixosModules.default
           inputs.pvv-calendar-bot.nixosModules.default
           self.nixosModules.gickup
+          self.nixosModules.matrix-ooye
         ];
         overlays = [
           inputs.pvv-calendar-bot.overlays.x86_64-linux.default
+          (final: prev: {
+            inherit (self.packages.${prev.system}) out-of-your-element;
+          })
         ];
       };
       bekkalokk = stableNixosConfig "bekkalokk" {
@@ -111,12 +128,6 @@
           inputs.pvv-nettsiden.nixosModules.default
         ];
       };
-      bob = stableNixosConfig "bob" {
-        modules = [
-          disko.nixosModules.disko
-          { disko.devices.disk.disk1.device = "/dev/vda"; }
-        ];
-      };
       ildkule = stableNixosConfig "ildkule" { };
       #ildkule-unstable = unstableNixosConfig "ildkule" { };
       shark = stableNixosConfig "shark" { };
@@ -159,25 +170,29 @@
           inputs.gergle.overlays.default
         ];
       };
-      kvernberg = stableNixosConfig "kvernberg" {
-        modules = [
-          disko.nixosModules.disko
-          { disko.devices.disk.disk1.device = "/dev/sda"; }
-        ];
-      };
-    };
+    }
+    //
+    (let
+      machineNames = map (i: "lupine-${toString i}") (lib.range 1 5);
+      stableLupineNixosConfig = name: extraArgs:
+          nixosConfig nixpkgs name ./hosts/lupine/configuration.nix extraArgs;
+    in lib.genAttrs machineNames (name: stableLupineNixosConfig name {
+      modules = [{ networking.hostName = name; }];
+      specialArgs.lupineName = name;
+    }));
 
     nixosModules = {
       snakeoil-certs = ./modules/snakeoil-certs.nix;
       snappymail = ./modules/snappymail.nix;
       robots-txt = ./modules/robots-txt.nix;
       gickup = ./modules/gickup;
+      matrix-ooye = ./modules/matrix-ooye.nix;
     };
 
     devShells = forAllSystems (system: {
-      default = nixpkgs.legacyPackages.${system}.callPackage ./shell.nix { };
+      default = nixpkgs-unstable.legacyPackages.${system}.callPackage ./shell.nix { };
       cuda = let
-        cuda-pkgs = import nixpkgs {
+        cuda-pkgs = import nixpkgs-unstable {
           inherit system;
           config = {
             allowUnfree = true;
@@ -199,6 +214,7 @@
 
         simplesamlphp = pkgs.callPackage ./packages/simplesamlphp { };
 
+        out-of-your-element = pkgs.callPackage ./packages/out-of-your-element.nix { };
       } //
       (lib.pipe null [
         (_: pkgs.callPackage ./packages/mediawiki-extensions { })

hosts/bicep/services/git-mirrors/default.nix

@@ -17,7 +17,7 @@ in
       zip = false;
       keep = 10;
       bare = true;
-      lfs = true;
+      lfs = false;
     };
 
     instances = let
@@ -59,7 +59,7 @@ in
   };
 
   services.cgit = let
-    domain = "bicep.pvv.ntnu.no";
+    domain = "mirrors.pvv.ntnu.no";
   in {
     ${domain} = {
       enable = true;
@@ -81,7 +81,7 @@ in
     };
   };
 
-  services.nginx.virtualHosts."bicep.pvv.ntnu.no" = {
+  services.nginx.virtualHosts."mirrors.pvv.ntnu.no" = {
     forceSSL = true;
     enableACME = true;
 
@@ -94,7 +94,7 @@ in
     in toString small-pvv-logo;
   };
 
-  systemd.services."fcgiwrap-cgit-bicep.pvv.ntnu.no" = {
+  systemd.services."fcgiwrap-cgit-mirrors.pvv.ntnu.no" = {
     serviceConfig.BindReadOnlyPaths = [ cfg.dataDir ];
   };
 }

hosts/bicep/services/matrix/default.nix

@@ -9,7 +9,8 @@
     ./coturn.nix
     ./mjolnir.nix
 
-    ./discord.nix
+    # ./discord.nix
+    ./out-of-your-element.nix
     ./hookshot
   ];
 

hosts/bicep/services/matrix/discord.nix

@@ -45,7 +45,7 @@ in
   };
 
 
-  services.mx-puppet-discord.enable = true;
+  services.mx-puppet-discord.enable = false;
   services.mx-puppet-discord.settings = {
     bridge = {
       bindAddress = "localhost";

hosts/bicep/services/matrix/out-of-your-element.nix

@@ -0,0 +1,66 @@
+{ config, pkgs, fp, ... }:
+let
+  cfg = config.services.matrix-ooye;
+in
+{
+  users.groups.keys-matrix-registrations = { };
+
+  sops.secrets = {
+    "matrix/ooye/as_token" = {
+      sopsFile = fp /secrets/bicep/matrix.yaml;
+      key = "ooye/as_token";
+    };
+    "matrix/ooye/hs_token" = {
+      sopsFile = fp /secrets/bicep/matrix.yaml;
+      key = "ooye/hs_token";
+    };
+    "matrix/ooye/discord_token" = {
+      sopsFile = fp /secrets/bicep/matrix.yaml;
+      key = "ooye/discord_token";
+    };
+    "matrix/ooye/discord_client_secret" = {
+      sopsFile = fp /secrets/bicep/matrix.yaml;
+      key = "ooye/discord_client_secret";
+    };
+  };
+
+  services.matrix-ooye = {
+    enable = true;
+    homeserver = "https://matrix.pvv.ntnu.no";
+    homeserverName = "pvv.ntnu.no";
+    discordTokenPath = config.sops.secrets."matrix/ooye/discord_token".path;
+    discordClientSecretPath = config.sops.secrets."matrix/ooye/discord_client_secret".path;
+    bridgeOrigin = "https://ooye.pvv.ntnu.no";
+
+    enableSynapseIntegration = false;
+  };
+
+  systemd.services."matrix-synapse" = {
+    after = [
+      "matrix-ooye-pre-start.service"
+      "network-online.target"
+    ];
+    requires = [ "matrix-ooye-pre-start.service" ];
+    serviceConfig = {
+      LoadCredential = [
+        "matrix-ooye-registration:/var/lib/matrix-ooye/registration.yaml"
+      ];
+      ExecStartPre = [
+        "+${pkgs.coreutils}/bin/cp /run/credentials/matrix-synapse.service/matrix-ooye-registration ${config.services.matrix-synapse-next.dataDir}/ooye-registration.yaml"
+        "+${pkgs.coreutils}/bin/chown matrix-synapse:keys-matrix-registrations ${config.services.matrix-synapse-next.dataDir}/ooye-registration.yaml"
+      ];
+    };
+  };
+
+  services.matrix-synapse-next.settings = {
+    app_service_config_files = [
+      "${config.services.matrix-synapse-next.dataDir}/ooye-registration.yaml"
+    ];
+  };
+
+  services.nginx.virtualHosts."ooye.pvv.ntnu.no" = {
+    forceSSL = true;
+    enableACME = true;
+    locations."/".proxyPass = "http://localhost:${cfg.socket}";
+  };
+}

hosts/bob/configuration.nix

@@ -1,46 +0,0 @@
-{ config, fp, pkgs, values, ... }:
-{
-  imports = [
-      # Include the results of the hardware scan.
-      ./hardware-configuration.nix
-      (fp /base)
-      (fp /misc/metrics-exporters.nix)
-      ./disks.nix
-
-      (fp /misc/builder.nix)
-    ];
-
-  sops.defaultSopsFile = fp /secrets/bob/bob.yaml;
-  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
-  sops.age.keyFile = "/var/lib/sops-nix/key.txt";
-  sops.age.generateKey = true;
-
-  boot.loader.grub = {
-    enable = true;
-    efiSupport = true;
-    efiInstallAsRemovable = true;
-  };
-
-  networking.hostName = "bob"; # Define your hostname.
-
-  systemd.network.networks."30-all" = values.defaultNetworkConfig // {
-    matchConfig.Name = "en*";
-    DHCP = "yes";
-    gateway = [ ];
-  };
-
-  # List packages installed in system profile
-  environment.systemPackages = with pkgs; [
-  ];
-
-  # List services that you want to enable:
-
-  # This value determines the NixOS release from which the default
-  # settings for stateful data, like file locations and database versions
-  # on your system were taken. It‘s perfectly fine and recommended to leave
-  # this value at the release version of the first install of this system.
-  # Before changing this value read the documentation for this option
-  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
-  system.stateVersion = "23.05"; # Did you read the comment?
-
-}

hosts/bob/disks.nix

@@ -1,39 +0,0 @@
-# Example to create a bios compatible gpt partition
-{ lib, ... }:
-{
-  disko.devices = {
-    disk.disk1 = {
-      device = lib.mkDefault "/dev/sda";
-      type = "disk";
-      content = {
-        type = "gpt";
-        partitions = {
-          boot = {
-            name = "boot";
-            size = "1M";
-            type = "EF02";
-          };
-          esp = {
-            name = "ESP";
-            size = "500M";
-            type = "EF00";
-            content = {
-              type = "filesystem";
-              format = "vfat";
-              mountpoint = "/boot";
-            };
-          };
-          root = {
-            name = "root";
-            size = "100%";
-            content = {
-              type = "filesystem";
-              format = "ext4";
-              mountpoint = "/";
-            };
-          };
-        };
-      };
-    };
-  };
-}

hosts/georg/configuration.nix

@@ -8,7 +8,7 @@
 
       (fp /modules/grzegorz.nix)
     ];
-  services.spotifyd.enable = true;
+
   boot.loader.systemd-boot.enable = true;
   boot.loader.efi.canTouchEfiVariables = true;
 
@@ -25,6 +25,26 @@
 
   # List services that you want to enable:
 
+
+
+  services.spotifyd = {
+    enable = true;
+    settings.global = {
+      device_name = "georg";
+      use_mpris = false;
+      #dbus_type = "system";
+      #zeroconf_port = 1234;
+    };
+  };
+
+  networking.firewall.allowedTCPPorts = [
+    # config.services.spotifyd.settings.zeroconf_port
+    5353 # spotifyd is its own mDNS service wtf
+  ];
+
+
+
+
   # This value determines the NixOS release from which the default
   # settings for stateful data, like file locations and database versions
   # on your system were taken. It‘s perfectly fine and recommended to leave

hosts/ildkule/services/monitoring/prometheus/default.nix

@@ -2,11 +2,12 @@
   stateDir = "/data/monitoring/prometheus";
 in {
   imports = [
+    ./exim.nix
     ./gitea.nix
+    ./machines.nix
     ./matrix-synapse.nix
     ./mysqld.nix
     ./postgres.nix
-    ./machines.nix
   ];
 
   services.prometheus = {

hosts/ildkule/services/monitoring/prometheus/exim.nix

@@ -0,0 +1,14 @@
+{ ... }:
+{
+  services.prometheus = {
+    scrapeConfigs = [
+      {
+        job_name = "exim";
+        scrape_interval = "15s";
+        static_configs = [{
+          targets = [ "microbel.pvv.ntnu.no:9636" ];
+        }];
+      }
+    ];
+  };
+}

hosts/ildkule/services/monitoring/prometheus/machines.nix

@@ -1,66 +1,36 @@
 { config, ... }: let
   cfg = config.services.prometheus;
+
+  mkHostScrapeConfig = name: ports: {
+    labels.hostname = name;
+    targets = map (port: "${name}.pvv.ntnu.no:${toString port}") ports;
+  };
+
+  defaultNodeExporterPort = 9100;
+  defaultSystemdExporterPort = 9101;
 in {
   services.prometheus.scrapeConfigs = [{
     job_name = "base_info";
     static_configs = [
-      { labels.hostname = "ildkule";
-        targets = [
-          "ildkule.pvv.ntnu.no:${toString cfg.exporters.node.port}"
-          "ildkule.pvv.ntnu.no:${toString cfg.exporters.systemd.port}"
-        ];
-      }
-      { labels.hostname = "bekkalokk";
-        targets = [
-          "bekkalokk.pvv.ntnu.no:9100"
-          "bekkalokk.pvv.ntnu.no:9101"
-        ];
-      }
-      { labels.hostname = "kommode";
-        targets = [
-          "kommode.pvv.ntnu.no:9100"
-          "kommode.pvv.ntnu.no:9101"
-        ];
-      }
-      { labels.hostname = "bicep";
-        targets = [
-          "bicep.pvv.ntnu.no:9100"
-          "bicep.pvv.ntnu.no:9101"
-        ];
-      }
-      { labels.hostname = "brzeczyszczykiewicz";
-        targets = [
-          "brzeczyszczykiewicz.pvv.ntnu.no:9100"
-          "brzeczyszczykiewicz.pvv.ntnu.no:9101"
-        ];
-      }
-      { labels.hostname = "georg";
-        targets = [
-          "georg.pvv.ntnu.no:9100"
-          "georg.pvv.ntnu.no:9101"
-        ];
-      }
-      { labels.hostname = "ustetind";
-        targets = [
-          "ustetind.pvv.ntnu.no:9100"
-          "ustetind.pvv.ntnu.no:9101"
-        ];
-      }
-      { labels.hostname =  "hildring";
-        targets = [
-          "hildring.pvv.ntnu.no:9100"
-        ];
-      }
-      { labels.hostname =  "isvegg";
-        targets = [
-          "isvegg.pvv.ntnu.no:9100"
-        ];
-      }
-      { labels.hostname =  "microbel";
-        targets = [
-          "microbel.pvv.ntnu.no:9100"
-        ];
-      }
+      (mkHostScrapeConfig "ildkule" [ cfg.exporters.node.port cfg.exporters.systemd.port ])
+
+      (mkHostScrapeConfig "bekkalokk" [ defaultNodeExporterPort defaultSystemdExporterPort ])
+      (mkHostScrapeConfig "bicep" [ defaultNodeExporterPort defaultSystemdExporterPort ])
+      (mkHostScrapeConfig "brzeczyszczykiewicz" [ defaultNodeExporterPort defaultSystemdExporterPort ])
+      (mkHostScrapeConfig "georg" [ defaultNodeExporterPort defaultSystemdExporterPort ])
+      (mkHostScrapeConfig "kommode" [ defaultNodeExporterPort defaultSystemdExporterPort ])
+      (mkHostScrapeConfig "ustetind" [ defaultNodeExporterPort defaultSystemdExporterPort ])
+      (mkHostScrapeConfig "wenche" [ defaultNodeExporterPort defaultSystemdExporterPort ])
+
+      (mkHostScrapeConfig "lupine-1" [ defaultNodeExporterPort defaultSystemdExporterPort ])
+      # (mkHostScrapeConfig "lupine-2" [ defaultNodeExporterPort defaultSystemdExporterPort ])
+      (mkHostScrapeConfig "lupine-3" [ defaultNodeExporterPort defaultSystemdExporterPort ])
+      (mkHostScrapeConfig "lupine-4" [ defaultNodeExporterPort defaultSystemdExporterPort ])
+      (mkHostScrapeConfig "lupine-5" [ defaultNodeExporterPort defaultSystemdExporterPort ])
+
+      (mkHostScrapeConfig "hildring" [ defaultNodeExporterPort ])
+      (mkHostScrapeConfig "isvegg" [ defaultNodeExporterPort ])
+      (mkHostScrapeConfig "microbel" [ defaultNodeExporterPort ])
     ];
   }];
 }

hosts/kommode/services/gitea/customization/default.nix

@@ -3,7 +3,12 @@ let
   cfg = config.services.gitea;
 in
 {
-  services.gitea-themes.monokai = pkgs.gitea-theme-monokai;
+  services.gitea-themes = {
+    monokai = pkgs.gitea-theme-monokai;
+    earl-grey = pkgs.gitea-theme-earl-grey;
+    pitch-black = pkgs.gitea-theme-pitch-black;
+    catppuccin = pkgs.gitea-theme-catppuccin;
+  };
 
   systemd.services.gitea-customization = lib.mkIf cfg.enable {
     description = "Install extra customization in gitea's CUSTOM_DIR";

hosts/kommode/services/gitea/default.nix

@@ -11,15 +11,17 @@ in {
     ./web-secret-provider
   ];
 
-  sops.secrets = {
-    "gitea/database" = {
-      owner = "gitea";
-      group = "gitea";
-    };
-    "gitea/email-password" = {
+  sops.secrets = let
+    defaultConfig = {
       owner = "gitea";
       group = "gitea";
     };
+  in {
+    "gitea/database" = defaultConfig;
+    "gitea/email-password" = defaultConfig;
+    "gitea/lfs-jwt-secret" = defaultConfig;
+    "gitea/oauth2-jwt-secret" = defaultConfig;
+    "gitea/secret-key" = defaultConfig;
   };
 
   services.gitea = {
@@ -45,9 +47,15 @@ in {
         ROOT_URL = "https://${domain}/";
         PROTOCOL = "http+unix";
         SSH_PORT = sshPort;
+        LANDING_PAGE = "explore";
         START_SSH_SERVER = true;
         START_LFS_SERVER = true;
-        LANDING_PAGE = "explore";
+        LFS_JWT_SECRET = lib.mkForce "";
+        LFS_JWT_SECRET_URI = "file:${config.sops.secrets."gitea/lfs-jwt-secret".path}";
+      };
+      oauth2 = {
+        JWT_SECRET = lib.mkForce "";
+        JWT_SECRET_URI = "file:${config.sops.secrets."gitea/oauth2-jwt-secret".path}";
       };
       "git.timeout" = {
         MIGRATE = 3600;
@@ -75,6 +83,10 @@ in {
       };
       admin.DEFAULT_EMAIL_NOTIFICATIONS = "onmention";
       session.COOKIE_SECURE = true;
+      security = {
+        SECRET_KEY = lib.mkForce "";
+        SECRET_KEY_URI = "file:${config.sops.secrets."gitea/secret-key".path}";
+      };
       database.LOG_SQL = false;
       repository = {
         PREFERRED_LICENSES = lib.concatStringsSep "," [

hosts/kommode/services/gitea/import-users/default.nix

@@ -11,7 +11,8 @@ in
 
   systemd.services.gitea-import-users = lib.mkIf cfg.enable {
     enable = true;
-    preStart=''${pkgs.rsync}/bin/rsync -e "${pkgs.openssh}/bin/ssh -o UserKnownHostsFile=$CREDENTIALS_DIRECTORY/ssh-known-hosts -i $CREDENTIALS_DIRECTORY/sshkey" -a pvv@smtp.pvv.ntnu.no:/etc/passwd /tmp/passwd-import'';
+    preStart=''${pkgs.rsync}/bin/rsync -e "${pkgs.openssh}/bin/ssh -o UserKnownHostsFile=$CREDENTIALS_DIRECTORY/ssh-known-hosts -i $CREDENTIALS_DIRECTORY/sshkey" -a pvv@smtp.pvv.ntnu.no:/etc/passwd /run/gitea-import-users/passwd'';
+    environment.PASSWD_FILE_PATH = "/run/gitea-import-users/passwd";
     serviceConfig = {
       ExecStart = pkgs.writers.writePython3 "gitea-import-users" {
         flakeIgnore = [
@@ -25,6 +26,7 @@ in
       ];
       DynamicUser="yes";
       EnvironmentFile=config.sops.secrets."gitea/import-user-env".path;
+      RuntimeDirectory = "gitea-import-users";
     };
   };
 

hosts/kommode/services/gitea/import-users/gitea-import-users.py

@@ -17,6 +17,10 @@ GITEA_API_URL = os.getenv('GITEA_API_URL')
 if GITEA_API_URL is None:
     GITEA_API_URL = 'https://git.pvv.ntnu.no/api/v1'
 
+PASSWD_FILE_PATH = os.getenv('PASSWD_FILE_PATH')
+if PASSWD_FILE_PATH is None:
+    PASSWD_FILE_PATH = '/tmp/passwd-import'
+
 
 def gitea_list_all_users() -> dict[str, dict[str, any]] | None:
     r = requests.get(
@@ -187,7 +191,8 @@ def main():
     if existing_users is None:
         exit(1)
 
-    for username, name in passwd_file_parser("/tmp/passwd-import"):
+    print(f"Reading passwd entries from {PASSWD_FILE_PATH}")
+    for username, name in passwd_file_parser(PASSWD_FILE_PATH):
         print(f"Processing {username}")
         add_or_patch_gitea_user(username, name, existing_users)
         for org, team_name in COMMON_USER_TEAMS:

hosts/kvernberg/configuration.nix

@@ -1,45 +0,0 @@
-{ config, fp, pkgs, values, ... }:
-{
-  imports = [
-    # Include the results of the hardware scan.
-    ./hardware-configuration.nix
-    (fp /base)
-    (fp /misc/metrics-exporters.nix)
-    ./disks.nix
-
-    ./services/nginx.nix
-    ./services/pvvvvvv
-  ];
-
-  sops.defaultSopsFile = fp /secrets/kvernberg/kvernberg.yaml;
-  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
-  sops.age.keyFile = "/var/lib/sops-nix/key.txt";
-  sops.age.generateKey = true;
-
-  boot.loader.systemd-boot.enable = true;
-  boot.loader.efi.canTouchEfiVariables = true;
- 
-  networking.hostName = "kvernberg"; # Define your hostname.
-
-  systemd.network.networks."30-all" = values.defaultNetworkConfig // {
-    matchConfig.Name = "en*";
-    address = with values.hosts.kvernberg; [ (ipv4 + "/25") (ipv6 + "/64") ];
-  };
-
-  # List packages installed in system profile
-  environment.systemPackages = with pkgs; [
-    
-  ];
-
-  # No devices with SMART
-  services.smartd.enable = false;
-
-  # This value determines the NixOS release from which the default
-  # settings for stateful data, like file locations and database versions
-  # on your system were taken. It‘s perfectly fine and recommended to leave
-  # this value at the release version of the first install of this system.
-  # Before changing this value read the documentation for this option
-  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
-  system.stateVersion = "24.05"; # Did you read the comment?
-
-}

hosts/kvernberg/disks.nix

@@ -1,39 +0,0 @@
-# Example to create a bios compatible gpt partition
-{ lib, ... }:
-{
-  disko.devices = {
-    disk.disk1 = {
-      device = lib.mkDefault "/dev/sda";
-      type = "disk";
-      content = {
-        type = "gpt";
-        partitions = {
-          boot = {
-            name = "boot";
-            size = "1M";
-            type = "EF02";
-          };
-          esp = {
-            name = "ESP";
-            size = "500M";
-            type = "EF00";
-            content = {
-              type = "filesystem";
-              format = "vfat";
-              mountpoint = "/boot";
-            };
-          };
-          root = {
-            name = "root";
-            size = "100%";
-            content = {
-              type = "filesystem";
-              format = "ext4";
-              mountpoint = "/";
-            };
-          };
-        };
-      };
-    };
-  };
-}

hosts/kvernberg/services/nginx.nix

@@ -1,5 +0,0 @@
-{ config, lib, ... }:
-
-{
-  services.nginx.enable = true;
-}

hosts/kvernberg/services/pvvvvvv/bank.nix

@@ -1,51 +0,0 @@
-{ config, lib, pkgs, ... }:
-let
-  cfg = config.services.libeufin.bank;
-  tcfg = config.services.taler;
-  inherit (tcfg.settings.taler) CURRENCY;
-in {
-  services.libeufin.bank = {
-    enable = true;
-    debug = true;
-    createLocalDatabase = true;
-    initialAccounts = [
-      { username = "exchange";
-        password = "exchange";
-        name = "Exchange";
-      }
-    ];
-    settings = {
-      libeufin-bank = {
-        WIRE_TYPE = "x-taler-bank";
-        X_TALER_BANK_PAYTO_HOSTNAME = "bank.kvernberg.pvv.ntnu.no";
-        BASE_URL = "bank.kvernberg.pvv.ntnu.no/";
-
-        ALLOW_REGISTRATION = "yes";
-
-        REGISTRATION_BONUS_ENABLED = "yes";
-        REGISTRATION_BONUS = "${CURRENCY}:500";
-
-        DEFAULT_DEBT_LIMIT = "${CURRENCY}:0";
-
-        ALLOW_CONVERSION = "no";
-        ALLOW_EDIT_CASHOUT_PAYTO_URI = "yes";
-
-        SUGGESTED_WITHDRAWAL_EXCHANGE = "https://exchange.kvernberg.pvv.ntnu.no/";
-
-        inherit CURRENCY;
-      };
-    };
-  };
-
-  services.nginx.virtualHosts."bank.kvernberg.pvv.ntnu.no" = {
-    enableACME = true;
-    forceSSL = true;
-    kTLS = true;
-    locations."/" = {
-      proxyPass = "http://127.0.0.1:8082";
-      extraConfig = ''
-         proxy_read_timeout 300s; 
-      '';
-    };
-  };
-}

hosts/kvernberg/services/pvvvvvv/default.nix

@@ -1,17 +0,0 @@
-{ config, lib, pkgs, ... }:
-let
-  cfg = config.services.taler;
-in
-{
-  imports = [
-    ./exchange.nix
-    ./bank.nix
-  ];
-
-  services.taler = {
-    settings = {
-      taler.CURRENCY = "SCHPENN";
-      taler.CURRENCY_ROUND_UNIT = "${cfg.settings.taler.CURRENCY}:1";
-    };
-  };
-}

hosts/kvernberg/services/pvvvvvv/exchange.nix

@@ -1,187 +0,0 @@
-{ config, lib, fp, pkgs, ... }:
-let
-  cfg = config.services.taler;
-  inherit (cfg.settings.taler) CURRENCY;
-in {
-  sops.secrets.exchange-offline-master = {
-    format = "binary";
-    sopsFile = fp /secrets/kvernberg/exhange-offline-master.priv;
-  };
-
-  services.taler.exchange = {
-    enable = true;
-    debug = true;
-    denominationConfig = ''
-      ## Old denomination names cannot be used again
-      # [COIN-${CURRENCY}-k1-1-0]
-
-      ## NOK Denominations
-      [coin-${CURRENCY}-nok-1-0]
-      VALUE = ${CURRENCY}:1
-      DURATION_WITHDRAW = 7 days
-      DURATION_SPEND = 1 years
-      DURATION_LEGAL = 3 years
-      FEE_WITHDRAW = ${CURRENCY}:0
-      FEE_DEPOSIT = ${CURRENCY}:0
-      FEE_REFRESH = ${CURRENCY}:0
-      FEE_REFUND = ${CURRENCY}:0
-      RSA_KEYSIZE = 2048
-      CIPHER = RSA
-      
-      [coin-${CURRENCY}-nok-5-0]
-      VALUE = ${CURRENCY}:5
-      DURATION_WITHDRAW = 7 days
-      DURATION_SPEND = 1 years
-      DURATION_LEGAL = 3 years
-      FEE_WITHDRAW = ${CURRENCY}:0
-      FEE_DEPOSIT = ${CURRENCY}:0
-      FEE_REFRESH = ${CURRENCY}:0
-      FEE_REFUND = ${CURRENCY}:0
-      RSA_KEYSIZE = 2048
-      CIPHER = RSA
-
-      [coin-${CURRENCY}-nok-10-0]
-      VALUE = ${CURRENCY}:10
-      DURATION_WITHDRAW = 7 days
-      DURATION_SPEND = 1 years
-      DURATION_LEGAL = 3 years
-      FEE_WITHDRAW = ${CURRENCY}:0
-      FEE_DEPOSIT = ${CURRENCY}:0
-      FEE_REFRESH = ${CURRENCY}:0
-      FEE_REFUND = ${CURRENCY}:0
-      RSA_KEYSIZE = 2048
-      CIPHER = RSA
-      
-      [coin-${CURRENCY}-nok-20-0]
-      VALUE = ${CURRENCY}:20
-      DURATION_WITHDRAW = 7 days
-      DURATION_SPEND = 1 years
-      DURATION_LEGAL = 3 years
-      FEE_WITHDRAW = ${CURRENCY}:0
-      FEE_DEPOSIT = ${CURRENCY}:0
-      FEE_REFRESH = ${CURRENCY}:0
-      FEE_REFUND = ${CURRENCY}:0
-      RSA_KEYSIZE = 2048
-      CIPHER = RSA
-      
-      [coin-${CURRENCY}-nok-50-0]
-      VALUE = ${CURRENCY}:50
-      DURATION_WITHDRAW = 7 days
-      DURATION_SPEND = 1 years
-      DURATION_LEGAL = 3 years
-      FEE_WITHDRAW = ${CURRENCY}:0
-      FEE_DEPOSIT = ${CURRENCY}:0
-      FEE_REFRESH = ${CURRENCY}:0
-      FEE_REFUND = ${CURRENCY}:0
-      RSA_KEYSIZE = 2048
-      CIPHER = RSA
-      
-      [coin-${CURRENCY}-nok-100-0]
-      VALUE = ${CURRENCY}:100
-      DURATION_WITHDRAW = 7 days
-      DURATION_SPEND = 1 years
-      DURATION_LEGAL = 3 years
-      FEE_WITHDRAW = ${CURRENCY}:0
-      FEE_DEPOSIT = ${CURRENCY}:0
-      FEE_REFRESH = ${CURRENCY}:0
-      FEE_REFUND = ${CURRENCY}:0
-      RSA_KEYSIZE = 2048
-      CIPHER = RSA
-      
-      [coin-${CURRENCY}-nok-200-0]
-      VALUE = ${CURRENCY}:200
-      DURATION_WITHDRAW = 7 days
-      DURATION_SPEND = 1 years
-      DURATION_LEGAL = 3 years
-      FEE_WITHDRAW = ${CURRENCY}:0
-      FEE_DEPOSIT = ${CURRENCY}:0
-      FEE_REFRESH = ${CURRENCY}:0
-      FEE_REFUND = ${CURRENCY}:0
-      RSA_KEYSIZE = 2048
-      CIPHER = RSA
-      
-      [coin-${CURRENCY}-nok-500-0]
-      VALUE = ${CURRENCY}:500
-      DURATION_WITHDRAW = 7 days
-      DURATION_SPEND = 1 years
-      DURATION_LEGAL = 3 years
-      FEE_WITHDRAW = ${CURRENCY}:0
-      FEE_DEPOSIT = ${CURRENCY}:0
-      FEE_REFRESH = ${CURRENCY}:0
-      FEE_REFUND = ${CURRENCY}:0
-      RSA_KEYSIZE = 2048
-      CIPHER = RSA
-      
-      [coin-${CURRENCY}-nok-1000-0]
-      VALUE = ${CURRENCY}:1000
-      DURATION_WITHDRAW = 7 days
-      DURATION_SPEND = 1 years
-      DURATION_LEGAL = 3 years
-      FEE_WITHDRAW = ${CURRENCY}:0
-      FEE_DEPOSIT = ${CURRENCY}:0
-      FEE_REFRESH = ${CURRENCY}:0
-      FEE_REFUND = ${CURRENCY}:0
-      RSA_KEYSIZE = 2048
-      CIPHER = RSA
-
-      ## PVV Special Prices
-      # 2024 pizza egenandel
-      [coin-${CURRENCY}-pvv-64-0]
-      VALUE = ${CURRENCY}:64
-      DURATION_WITHDRAW = 7 days
-      DURATION_SPEND = 1 years
-      DURATION_LEGAL = 3 years
-      FEE_WITHDRAW = ${CURRENCY}:0
-      FEE_DEPOSIT = ${CURRENCY}:0
-      FEE_REFRESH = ${CURRENCY}:0
-      FEE_REFUND = ${CURRENCY}:0
-      RSA_KEYSIZE = 2048
-      CIPHER = RSA
-    '';
-    settings = {
-      exchange = {
-        inherit (config.services.taler.settings.taler) CURRENCY CURRENCY_ROUND_UNIT; 
-        MASTER_PUBLIC_KEY = "J331T37C8E58P9CVE686P1JFH11DWSRJ3RE4GVDTXKES9M24ERZG";
-        BASE_URL = "https://exchange.kvernberg.pvv.ntnu.no/";
-        TERMS_DIR = "${./terms}";
-        TERMS_ETAG = "0";
-        ENABLE_KYC = "NO";
-      };
-      exchange-offline = {
-        MASTER_PRIV_FILE = config.sops.secrets.exchange-offline-master.path;
-      };
-      exchange-account-test = {
-        PAYTO_URI = "payto://x-taler-bank/bank.kvernberg.pvv.ntnu.no/exchange?receiver-name=Exchange";
-        ENABLE_DEBIT = "YES";
-        ENABLE_CREDIT = "YES";
-      };
-      exchange-accountcredentials-test = {
-        WIRE_GATEWAY_URL = "https://bank.kvernberg.pvv.ntnu.no/accounts/exchange/taler-wire-gateway/";
-        WIRE_GATEWAY_AUTH_METHOD = "BASIC";
-        USERNAME = "exchange";
-        PASSWORD = "exchange";
-      };
-      "currency-${CURRENCY}" = {
-        ENABLED = "YES";
-        CODE = "SCHPENN";
-        NAME = "SCHPENN";
-        FRACTIONAL_NORMAL_DIGITS = 0;
-        FRACTIONAL_INPUT_DIGITS = 0;
-        FRACTIONAL_TRAILING_ZERO_DIGITS = 0;
-        ALT_UNIT_NAMES = "{\"0\": \"S\"}";
-      };
-    };
-  };
-
-  services.nginx.virtualHosts."exchange.kvernberg.pvv.ntnu.no" = {
-    enableACME = true;
-    forceSSL = true;
-    kTLS = true;
-    locations."/" = {
-      proxyPass = "http://127.0.0.1:8081";
-      extraConfig = ''
-        proxy_read_timeout 300s;
-      '';
-    };
-  };
-}

hosts/kvernberg/services/pvvvvvv/terms/en/0.txt

@@ -1,147 +0,0 @@
-Terms of Service
-================
-
-Last update: 19.11.2024
-----------------------
-
-Welcome! A subset of PVVers who cares about Dibbler (“we,” “our,” or “us”) provides a experimental payment service
-through our Internet presence (collectively the “Services”). Before using our
-Services, please read the Terms of Service (the “Terms” or the “Agreement”)
-carefully.
-
-Overview
---------
-
-This section provides a brief summary of the highlights of this
-Agreement. Please note that when you accept this Agreement, you are accepting
-all of the terms and conditions and not just this section. We and possibly
-other third parties provide Internet services which interact with the Taler
-Wallet’s self-hosted personal payment application. When using the Taler Wallet
-to interact with our Services, you are agreeing to our Terms, so please read
-carefully.
-
-Research
-----------
-
-This is research, any dibbler credits sent to the dibbler account could be lost at any time.
-We would make an effort to send the credits back to their canonical owners, but this may be difficult.
-We make no guarantees on the state of this. The dibbler economy is totally unsecured, and so are these services!
-Usage is wholly on your own risk.
-
-Highlights:
------------
-
-* You are responsible for keeping the data in your Taler Wallet at all times under your control. Any losses arising from you not being in control of your private information are your problem.
-
-* For our Services, we may charge transaction fees. The specific fee structure is provided based on the Taler protocol and should be shown to you when you withdraw electronic coins using a Taler Wallet. You agree and understand that the Taler protocol allows for the fee structure to change.
-
-* You agree to not intentionally overwhelm our systems with requests and follow responsible disclosure if you find security issues in our services.
-
-* We cannot be held accountable for our Services not being available due to circumstances beyond our control. If we modify or terminate our services, we will try to give you the opportunity to recover your funds. However, given the experimental state of the Services today, this may not be possible. You are strongly advised to limit your use of the Service to small-scale experiments expecting total loss of all funds.
-
-These terms outline approved uses of our Services. The Services and these
-Terms are still at an experimental stage. If you have any questions or
-comments related to this Agreement, please send us a message on IRC, or on our Matrix server.
-If you do not agree to this Agreement, you must not use our Services.
-
-How you accept this policy
---------------------------
-
-By sending funds to us (to top-up your Taler Wallet), you acknowledge that you
-have read, understood, and agreed to these Terms. We reserve the right to
-change these Terms at any time. If you disagree with the change, we may in the
-future offer you with an easy option to recover your unspent funds. However,
-in the current experimental period you acknowledge that this feature is not
-yet available, resulting in your funds being lost unless you accept the new
-Terms. If you continue to use our Services other than to recover your unspent
-funds, your continued use of our Services following any such change will
-signify your acceptance to be bound by the then current Terms. Please check
-the effective date above to determine if there have been any changes since you
-have last reviewed these Terms.
-
-Services
---------
-
-We will try to transfer funds that we hold in escrow for our users to any
-legal recipient to the best of our ability and within the limitations of the
-law and our implementation. However, the Services offered today are highly
-experimental and the set of recipients of funds is severely restricted. The
-Taler Wallet can be loaded by exchanging ordinary dibbler credit for electronic
-coins. We are providing this exchange service. Once your Taler Wallet is
-loaded with electronic coins they can be spent for purchases if the seller is
-accepting Taler as a means of payment. We are not guaranteeing that any seller
-is accepting Taler at all or a particular seller. The seller or recipient of
-deposits of electronic coins must specify the target account, as per the
-design of the Taler protocol. They are responsible for following the protocol
-and specifying the correct dibbler account, and are solely liable for any losses
-that may arise from specifying the wrong account. We will allow the government
-to link wire transfers to the underlying contract hash. It is the
-responsibility of recipients to preserve the full contracts and to pay
-whatever taxes and charges may be applicable. Technical issues may lead to
-situations where we are unable to make transfers at all or lead to incorrect
-transfers that cannot be reversed. We will only refuse to execute transfers if
-the transfers are prohibited by a competent legal authority and we are ordered
-to do so.
-
-When using our Services, you agree to not take any action that intentionally
-imposes an unreasonable load on our infrastructure. If you find security
-problems in our Services, you agree to first report them to
-security@taler-systems.com and grant us the right to publish your report. We
-warrant that we will ourselves publicly disclose any issues reported within 3
-months, and that we will not prosecute anyone reporting security issues if
-they did not exploit the issue beyond a proof-of-concept, and followed the
-above responsible disclosure practice.
-
-Fees
-----
-
-You agree to pay the fees for exchanges and withdrawals completed via the
-Taler Wallet ("Fees") as defined by us, which we may change from time to
-time.
-
-
-Copyrights and trademarks
--------------------------
-
-The Taler Wallet is released under the terms of the GNU General Public License
-(GNU GPL). You have the right to access, use, and share the Taler Wallet, in
-modified or unmodified form. However, the GPL is a strong copyleft license,
-which means that any derivative works must be distributed under the same
-license terms as the original software. If you have any questions, you should
-review the GNU GPL’s full terms and conditions on the GNU GPL Licenses page 
-(https://www.gnu.org/licenses/). “Taler” itself is a trademark
-of Taler Systems SA. You are welcome to use the name in relation to processing
-payments based on the Taler protocol, assuming your use is compatible with an
-official release from the GNU Project that is not older than two years.
-
-
-
-Discontinuance of services and Force majeure
---------------------------------------------
-
-We may, in our sole discretion and without cost to you, with or without prior
-notice, and at any time, modify or discontinue, temporarily or permanently,
-any portion of our Services. We will use the Taler protocol’s provisions to
-notify Wallets if our Services are to be discontinued. It is your
-responsibility to ensure that the Taler Wallet is online at least once every
-three months to observe these notifications. We shall not be held responsible
-or liable for any loss of funds in the event that we discontinue or depreciate
-the Services and your Taler Wallet fails to transfer out the coins within a
-three months notification period.
-
-We shall not be held liable for any delays, failure in performance, or
-interruptions of service which result directly or indirectly from any cause or
-condition beyond our reasonable control, including but not limited to: any
-delay or failure due to any act of God, act of civil or military authorities,
-act of terrorism, civil disturbance, war, strike or other labor dispute, fire,
-interruption in telecommunications or Internet services or network provider
-services, failure of equipment and/or software, other catastrophe, or any
-other occurrence which is beyond our reasonable control and shall not affect
-the validity and enforceability of any remaining provisions.
-
-
-Questions or comments
----------------------
-
-We welcome comments, questions, concerns, or suggestions. Please send us a
-message via the usual communication channels at PVV

hosts/lupine/configuration.nix

@@ -0,0 +1,35 @@
+{ fp, values, lupineName, ... }:
+{
+  imports = [
+    ./hardware-configuration/${lupineName}.nix
+
+    (fp /base)
+    (fp /misc/metrics-exporters.nix)
+
+    ./services/gitea-runner.nix
+  ];
+
+  sops.defaultSopsFile = fp /secrets/lupine/lupine.yaml;
+  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+  sops.age.keyFile = "/var/lib/sops-nix/key.txt";
+  sops.age.generateKey = true;
+
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+
+  systemd.network.networks."30-enp0s31f6" = values.defaultNetworkConfig // {
+    matchConfig.Name = "enp0s31f6";
+    address = with values.hosts.${lupineName}; [ (ipv4 + "/25") (ipv6 + "/64") ];
+    networkConfig.LLDP = false;
+  };
+  systemd.network.wait-online = {
+    anyInterface = true;
+  };
+
+  # There are no smart devices
+  services.smartd.enable = false;
+
+  # Do not change, even during upgrades.
+  # See https://search.nixos.org/options?show=system.stateVersion
+  system.stateVersion = "25.05";
+}

hosts/lupine/hardware-configuration/lupine-1.nix

@@ -5,20 +5,36 @@
 
 {
   imports =
-    [ (modulesPath + "/profiles/qemu-guest.nix")
+    [ (modulesPath + "/installer/scan/not-detected.nix")
     ];
 
-  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_blk" ];
+  boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "sd_mod" ];
   boot.initrd.kernelModules = [ ];
-  boot.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" ];
   boot.extraModulePackages = [ ];
 
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/a949e2e8-d973-4925-83e4-bcd815e65af7";
+      fsType = "ext4";
+    };
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/81D6-38D3";
+      fsType = "vfat";
+      options = [ "fmask=0077" "dmask=0077" ];
+    };
+
+  swapDevices =
+    [ { device = "/dev/disk/by-uuid/82c2d7fa-7cd0-4398-8cf6-c892bc56264b"; }
+    ];
+
   # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
   # (the default) this is the recommended approach. When using systemd-networkd it's
   # still possible to use this option, but it's recommended to use it in conjunction
   # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
   networking.useDHCP = lib.mkDefault true;
-  # networking.interfaces.ens3.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp0s31f6.useDHCP = lib.mkDefault true;
 
   nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 }

hosts/lupine/hardware-configuration/lupine-2.nix

@@ -0,0 +1,40 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "sd_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/aa81d439-800b-403d-ac10-9d2aac3619d0";
+      fsType = "ext4";
+    };
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/4A34-6AE5";
+      fsType = "vfat";
+      options = [ "fmask=0077" "dmask=0077" ];
+    };
+
+  swapDevices =
+    [ { device = "/dev/disk/by-uuid/efb7cd0c-c1ae-4a86-8bc2-8e7fd0066650"; }
+    ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp0s31f6.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}

hosts/lupine/hardware-configuration/lupine-3.nix

@@ -0,0 +1,40 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "sd_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/39ba059b-3205-4701-a832-e72c0122cb88";
+      fsType = "ext4";
+    };
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/63FA-297B";
+      fsType = "vfat";
+      options = [ "fmask=0077" "dmask=0077" ];
+    };
+
+  swapDevices =
+    [ { device = "/dev/disk/by-uuid/9c72eb54-ea8c-4b09-808a-8be9b9a33869"; }
+    ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp0s31f6.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}

hosts/lupine/hardware-configuration/lupine-4.nix

@@ -5,22 +5,30 @@
 
 {
   imports =
-    [ (modulesPath + "/profiles/qemu-guest.nix")
+    [ (modulesPath + "/installer/scan/not-detected.nix")
     ];
 
-  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
+  boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "sd_mod" ];
   boot.initrd.kernelModules = [ ];
-  boot.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" ];
   boot.extraModulePackages = [ ];
 
-  swapDevices = [ ];
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/c7bbb293-a0a3-4995-8892-0ec63e8c67dd";
+      fsType = "ext4";
+    };
+
+  swapDevices =
+    [ { device = "/dev/disk/by-uuid/a86ffda8-8ecb-42a1-bf9f-926072e90ca5"; }
+    ];
 
   # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
   # (the default) this is the recommended approach. When using systemd-networkd it's
   # still possible to use this option, but it's recommended to use it in conjunction
   # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
   networking.useDHCP = lib.mkDefault true;
-  # networking.interfaces.ens18.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp0s31f6.useDHCP = lib.mkDefault true;
 
   nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 }

hosts/lupine/hardware-configuration/lupine-5.nix

@@ -0,0 +1,40 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "sd_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/5f8418ad-8ec1-4f9e-939e-f3a4c36ef343";
+      fsType = "ext4";
+    };
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/F372-37DF";
+      fsType = "vfat";
+      options = [ "fmask=0077" "dmask=0077" ];
+    };
+
+  swapDevices =
+    [ { device = "/dev/disk/by-uuid/27bf292d-bbb3-48c4-a86e-456e0f1f648f"; }
+    ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp0s31f6.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}

hosts/lupine/services/gitea-runner.nix

@@ -0,0 +1,45 @@
+{ config, lupineName, ... }:
+{
+  # This is unfortunately state, and has to be generated one at a time :(
+  # To do that, comment out all except one of the runners, fill in its token
+  # inside the sops file, rebuild the system, and only after this runner has
+  # successfully registered will gitea give you the next token.
+  # - oysteikt Sep 2023
+  sops = {
+    secrets."gitea/runners/token" = {
+      key = "gitea/runners/${lupineName}";
+    };
+
+    templates."gitea-runner-envfile" = {
+      restartUnits = [
+        "gitea-runner-${lupineName}.service"
+      ];
+      content = ''
+        TOKEN="${config.sops.placeholder."gitea/runners/token"}"
+      '';
+    };
+  };
+
+  services.gitea-actions-runner.instances = {
+    ${lupineName} = {
+      enable = true;
+      name = "git-runner-${lupineName}";
+      url = "https://git.pvv.ntnu.no";
+      labels = [
+        "debian-latest:docker://node:current-bookworm"
+        "ubuntu-latest:docker://node:current-bookworm"
+      ];
+      tokenFile = config.sops.templates."gitea-runner-envfile".path;
+    };
+  };
+
+  virtualisation.podman = {
+    enable = true;
+    defaultNetwork.settings.dns_enabled = true;
+    autoPrune.enable = true;
+  };
+
+  networking.dhcpcd.IPv6rs = false;
+
+  networking.firewall.interfaces."podman+".allowedUDPPorts = [53 5353];
+}

justfile

@@ -1,25 +1,56 @@
+set positional-arguments # makes variables accesible as $1 $2 $@
 export GUM_FILTER_HEIGHT := "15"
-nom := `if command -v nom >/dev/null; then echo nom; else echo nix; fi`
+nom := `if [[ -t 1 ]] && command -v nom >/dev/null; then echo nom; else echo nix; fi`
+nix_eval_opts := "--log-format raw --option warn-dirty false"
 
 @_default:
   just "$(gum choose --ordered --header "Pick a recipie..." $(just --summary --unsorted))"
 
-check:
-  nix flake check --keep-going
+check *_:
+  nix flake check --keep-going "$@"
 
-build-machine machine=`just _a_machine`:
-  {{nom}} build .#nixosConfigurations.{{ machine }}.config.system.build.toplevel
+build-machine machine=`just _a_machine` *_:
+  {{nom}} build .#nixosConfigurations.{{ machine }}.config.system.build.toplevel "${@:2}"
 
-run-vm machine=`just _a_machine`:
-  nixos-rebuild build-vm --flake .#{{ machine }}
+run-vm machine=`just _a_machine` *_:
+  nixos-rebuild build-vm --flake .#{{ machine }} "${@:2}"
   QEMU_NET_OPTS="hostfwd=tcp::8080-:80,hostfwd=tcp::8081-:443,hostfwd=tcp::2222-:22" ./result/bin/run-*-vm
 
-@update-inputs:
-  nix eval .#inputs --apply builtins.attrNames --json \
-    | jq '.[]' -r \
-    | gum choose --no-limit --height=15 \
-    | xargs -L 1 nix flake lock --update-input
+@update-inputs *_:
+  @git reset flake.lock
+  @git restore flake.lock
+  nix eval {{nix_eval_opts}} --file flake.nix --apply 'x: builtins.attrNames x.inputs' --json \
+    | { printf "%s\n" --commit-lock-file; jq '.[]' -r | grep -vxF "self" ||:; } \
+    | gum choose --no-limit --header "Choose extra arguments:" \
+    | tee >(xargs -d'\n' echo + nix flake update "$@" >&2) \
+    | xargs -d'\n' nix flake update "$@"
+
+@repl $machine=`just _a_machine` *_:
+  set -v; nixos-rebuild --flake .#"$machine" repl "${@:2}"
+
+@eval $machine=`just _a_machine` $attrpath="system.build.toplevel.outPath" *_:
+  set -v; nix eval {{nix_eval_opts}} ".#nixosConfigurations.\"$machine\".config.$attrpath" --show-trace "${@:3}"
+
+@eval-vm $machine=`just _a_machine` $attrpath="system.build.toplevel.outPath" *_:
+  just eval "$machine" "virtualisation.vmVariant.$attrpath" "${@:3}"
 
 
+# helpers
+
+[no-exit-message]
 _a_machine:
-  nix eval .#nixosConfigurations --apply builtins.attrNames --json | jq .[] -r | gum filter
+  #!/usr/bin/env -S sh -euo pipefail
+  machines="$(
+    nix eval {{nix_eval_opts}} .#nixosConfigurations --apply builtins.attrNames --json | jq .[] -r
+  )"
+  [ -n "$machines" ] || { echo >&2 "ERROR: no machines found"; false; }
+  if [ -s .direnv/vars/last-machine.txt ]; then
+    machines="$(
+      grep <<<"$machines" -xF  "$(cat .direnv/vars/last-machine.txt)" ||:
+      grep <<<"$machines" -xFv "$(cat .direnv/vars/last-machine.txt)" ||:
+    )"
+  fi
+  choice="$(gum filter <<<"$machines")"
+  mkdir -p .direnv/vars
+  cat <<<"$choice" >.direnv/vars/last-machine.txt
+  cat <<<"$choice"

keys/oysteikt.pub

@@ -26,29 +26,40 @@ eJAiipB0QOH9SEa5Io6BSiqsBQJmqp4CBQkFpUs7AIF2IAQZFgoAHRYhBPPNqGzF
 Wp8Q16BpgZ8vfYJQ81FGBQJi5oZHAAoJEJ8vfYJQ81FGFZgBALN+Rh4m323TaM5z
 dJfCTV7V0aP3J0RdKmtKvz/Y9a7uAP4oP8UlbM9ucyG252gZ8IjM0VprNzP9CpNl
 4GzpD4CRDgkQRrkijoFKKqwYoQEAz0D3G/dD6DBYBf7p6pGYqXd2X0Dv8nmnalol
-Z6SxfUMA/jT/XjPh7c4Ui8nZO7XDzYWrbV/eZwGMd1zXq2mU42MLuQINBGLmhnoB
-EADa1yBK0NKxVIto3hSh21hooYpWcEXWqMPXHO34rcAhktVFOOHIl2bFGScQAZXt
-jAcqUmMyC+PMs1DZoocFk+9PJt17hAa/s6CRrw8vK+1fVqhj0XOLtevGV9iC6IRv
-hPxzTsOaeOssgMGIU8xDmMKT2nGHGNUkqOXGld63E3NKsK3lnl+BCdpJ0f3GEB7a
-SQ+pk6k1uzODXX/mhAUJmL1MkVZ6jJA3vhsre0Kfa9p+C5mP4hLJ6jF+oESvA4HC
-+LuCSGm66gIDMC39jnLo6hwYEEjfPXD7CUAN4S2eISSFd+ZclN2vYcrKYgsCZS0h
-BFOgDhKKCHBuMwP12AIM8y8L64/eOWFpR7s2StAPjjYbZeZECHLWZt1zGVvkS7Xp
-6lsAg6/T8EysKG7vTl2Qq9W0BmzNgk2ODTZkhv0gqqXppdr8eRiq+h0qMfJptG0G
-ycOvqb9PoEO2dfNCjjII8VfaSGfSEYo8UwsqYTtfgdoNnFCXKd1r7QmvrdbNsFDR
-mkv+wWJoipwUaVquyb2KN652jSlpwMECW6fSEsT/5C3mJLgAmi6l6yosw6HdIY6j
-gpCGtxnHW2zReIS6ezZdtxYBCkEHK70yASyaIHrLLDknw+DuKvXAWOAecob8GNBH
-OjXZe3LzBt2rVgOCRa+W7milNgjUCsz+R3rM8XfR+wNEGwARAQABiH4EGBYKACYW
-IQT303iQIoqQdEDh/UhGuSKOgUoqrAUCYuaGegIbDAUJA8JnAAAKCRBGuSKOgUoq
-rDE0AQDBxRsmW9L60mxGCp1CpNWBXD2T6D605PlNiNCcM+cOCgD/c2OitSSG50M0
-YRbyh1LPYL6YQePL0dQkYsjm6XVmrAKIfgQYFgoAJgIbDBYhBPfTeJAiipB0QOH9
-SEa5Io6BSiqsBQJmqp4FBQkFpUsIAAoJEEa5Io6BSiqsydsA/ihBulpSSLg4B9pJ
-sffqphMht7yT3Dnz57iexUEgj3jBAQDedI+gwpZlMjV6IdH/Epz244j82Ta04cqk
-SOz2Y63LBrgzBGLmhsUWCSsGAQQB2kcPAQEHQFg/avgj0sZbxqL58tZEpcaieeL1
-OWOoVU3mZX/K7GU+iH4EGBYKACYWIQT303iQIoqQdEDh/UhGuSKOgUoqrAUCYuaG
-xQIbIAUJA8JnAAAKCRBGuSKOgUoqrN5jAP96aO0MEPQSIKdLaa9+ilpPp+glJ9du
-IJ7zdR0U15tONAEA0WqeRc8Jhv10UjIz/Q3UlcfvKPzVW6yVKo+Lg1FI2QSIfgQY
-FgoAJgIbIBYhBPfTeJAiipB0QOH9SEa5Io6BSiqsBQJmqp4GBQkFpUq9AAoJEEa5
-Io6BSiqsjF0BAJn0EBEJfszskYiZzMshFHW5k0QUF+Ak3JNh2UG+M6FJAQCQVY/l
-DkrvOytuFnKbkDrCaTrtLh/JAmBXpSERIejmDw==
-=7cFp
+Z6SxfUMA/jT/XjPh7c4Ui8nZO7XDzYWrbV/eZwGMd1zXq2mU42MLiPUEGBYKACYC
+GwIWIQT303iQIoqQdEDh/UhGuSKOgUoqrAUCaI6lzgUJCWqGhwCBdiAEGRYKAB0W
+IQTzzahsxVqfENegaYGfL32CUPNRRgUCYuaGRwAKCRCfL32CUPNRRhWYAQCzfkYe
+Jt9t02jOc3SXwk1e1dGj9ydEXSprSr8/2PWu7gD+KD/FJWzPbnMhtudoGfCIzNFa
+azcz/QqTZeBs6Q+AkQ4JEEa5Io6BSiqsCG0BALDNFlploZWjQ0Xn3B9fd+1sTUmY
++e0s95lEY7XqVkF2AQCkKzMd2mHsymyVtY32bSsZ0iJxHTmxomS0uQ/TGIugB7kC
+DQRi5oZ6ARAA2tcgStDSsVSLaN4UodtYaKGKVnBF1qjD1xzt+K3AIZLVRTjhyJdm
+xRknEAGV7YwHKlJjMgvjzLNQ2aKHBZPvTybde4QGv7Ogka8PLyvtX1aoY9Fzi7Xr
+xlfYguiEb4T8c07DmnjrLIDBiFPMQ5jCk9pxhxjVJKjlxpXetxNzSrCt5Z5fgQna
+SdH9xhAe2kkPqZOpNbszg11/5oQFCZi9TJFWeoyQN74bK3tCn2vafguZj+ISyeox
+fqBErwOBwvi7gkhpuuoCAzAt/Y5y6OocGBBI3z1w+wlADeEtniEkhXfmXJTdr2HK
+ymILAmUtIQRToA4SighwbjMD9dgCDPMvC+uP3jlhaUe7NkrQD442G2XmRAhy1mbd
+cxlb5Eu16epbAIOv0/BMrChu705dkKvVtAZszYJNjg02ZIb9IKql6aXa/HkYqvod
+KjHyabRtBsnDr6m/T6BDtnXzQo4yCPFX2khn0hGKPFMLKmE7X4HaDZxQlynda+0J
+r63WzbBQ0ZpL/sFiaIqcFGlarsm9ijeudo0pacDBAlun0hLE/+Qt5iS4AJoupesq
+LMOh3SGOo4KQhrcZx1ts0XiEuns2XbcWAQpBByu9MgEsmiB6yyw5J8Pg7ir1wFjg
+HnKG/BjQRzo12Xty8wbdq1YDgkWvlu5opTYI1ArM/kd6zPF30fsDRBsAEQEAAYh+
+BBgWCgAmFiEE99N4kCKKkHRA4f1IRrkijoFKKqwFAmLmhnoCGwwFCQPCZwAACgkQ
+RrkijoFKKqwxNAEAwcUbJlvS+tJsRgqdQqTVgVw9k+g+tOT5TYjQnDPnDgoA/3Nj
+orUkhudDNGEW8odSz2C+mEHjy9HUJGLI5ul1ZqwCiH4EGBYKACYCGwwWIQT303iQ
+IoqQdEDh/UhGuSKOgUoqrAUCZqqeBQUJBaVLCAAKCRBGuSKOgUoqrMnbAP4oQbpa
+Uki4OAfaSbH36qYTIbe8k9w58+e4nsVBII94wQEA3nSPoMKWZTI1eiHR/xKc9uOI
+/Nk2tOHKpEjs9mOtywaIfgQYFgoAJgIbDBYhBPfTeJAiipB0QOH9SEa5Io6BSiqs
+BQJojqXOBQkJaoZUAAoJEEa5Io6BSiqsiXkBAJ0JTRmdQQpEK9KSh8V7FEkblIsm
+Ngko2cs+OhNSUgW9AQD0a7FHM3Dx32a7yD0zE3QwWi5VgeZZVIPyhItrOaANDbgz
+BGLmhsUWCSsGAQQB2kcPAQEHQFg/avgj0sZbxqL58tZEpcaieeL1OWOoVU3mZX/K
+7GU+iH4EGBYKACYWIQT303iQIoqQdEDh/UhGuSKOgUoqrAUCYuaGxQIbIAUJA8Jn
+AAAKCRBGuSKOgUoqrN5jAP96aO0MEPQSIKdLaa9+ilpPp+glJ9duIJ7zdR0U15tO
+NAEA0WqeRc8Jhv10UjIz/Q3UlcfvKPzVW6yVKo+Lg1FI2QSIfgQYFgoAJgIbIBYh
+BPfTeJAiipB0QOH9SEa5Io6BSiqsBQJmqp4GBQkFpUq9AAoJEEa5Io6BSiqsjF0B
+AJn0EBEJfszskYiZzMshFHW5k0QUF+Ak3JNh2UG+M6FJAQCQVY/lDkrvOytuFnKb
+kDrCaTrtLh/JAmBXpSERIejmD4h+BBgWCgAmAhsgFiEE99N4kCKKkHRA4f1IRrki
+joFKKqwFAmiOpc4FCQlqhgkACgkQRrkijoFKKqwSMAD/bbO/uwwdFEJVgcNRexZU
+6aoSxAGI1vjS92hSyfxZ9AABAK8KYO8sBGGCiVu+vWUpoUYmp3lfYTJHtf+36WMc
+D5MD
+=Gubf
 -----END PGP PUBLIC KEY BLOCK-----

modules/grzegorz.nix

@@ -46,6 +46,15 @@ in {
         allow 2001:700:300:1900::/64;
         deny all;
       '';
+
+      locations."/docs" = {
+        proxyPass = "http://${grg.settings.host}:${toString grg.settings.port}";
+      };
+
+      locations."/api" = {
+        proxyPass = "http://${grg.settings.host}:${toString grg.settings.port}";
+        proxyWebsockets = true;
+      };
     };
 
     "${machine}-backend.pvv.ntnu.no" = {

modules/matrix-ooye.nix

@@ -0,0 +1,211 @@
+# Original from: https://cgit.rory.gay/nix/OOYE-module.git/
+
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+let
+  cfg = config.services.matrix-ooye;
+  mkStringOption =
+    name: default:
+    lib.mkOption {
+      type = lib.types.str;
+      default = default;
+    };
+in
+{
+  options = {
+    services.matrix-ooye = {
+      enable = lib.mkEnableOption "Enable OOYE service";
+      package = lib.mkOption {
+        type = lib.types.package;
+        default = pkgs.out-of-your-element;
+      };
+      appserviceId = mkStringOption "The ID of the appservice." "ooye";
+      homeserver = mkStringOption "The homeserver to connect to." "http://localhost:8006";
+      homeserverName = mkStringOption "The name of the homeserver to connect to." "localhost";
+      namespace = mkStringOption "The prefix to use for the MXIDs/aliases of bridged users/rooms. Should end with a _!" "_ooye_";
+      discordTokenPath = mkStringOption "The path to the discord token file." "/etc/ooye-discord-token";
+      discordClientSecretPath = mkStringOption "The path to the discord token file." "/etc/ooye-discord-client-secret";
+      socket = mkStringOption "The socket to listen on, can either be a port number or a unix socket path." "6693";
+      bridgeOrigin = mkStringOption "The web frontend URL for the bridge, defaults to http://localhost:{socket}" "";
+
+      enableSynapseIntegration = lib.mkEnableOption "Enable Synapse integration";
+    };
+  };
+  config = lib.mkIf cfg.enable (
+    let
+      baseConfig = pkgs.writeText "matrix-ooye-config.json" (
+        builtins.toJSON {
+          id = cfg.appserviceId;
+          namespaces = {
+            users = [
+              {
+                exclusive = true;
+                regex = "@${cfg.namespace}.*:${cfg.homeserverName}";
+              }
+            ];
+            aliases = [
+              {
+                exclusive = true;
+                regex = "#${cfg.namespace}.*:${cfg.homeserverName}";
+              }
+            ];
+          };
+          protocols = [ "discord" ];
+          sender_localpart = "${cfg.namespace}bot";
+          rate_limited = false;
+          socket = cfg.socket; # Can either be a TCP port or a unix socket path
+          url = if (lib.hasPrefix "/" cfg.socket) then "unix:${cfg.socket}" else "http://localhost:${cfg.socket}";
+          ooye = {
+            server_name = cfg.homeserverName;
+            namespace_prefix = cfg.namespace;
+            max_file_size = 5000000;
+            content_length_workaround = false;
+            include_user_id_in_mxid = true;
+            server_origin = cfg.homeserver;
+            bridge_origin = if (cfg.bridgeOrigin == "") then "http://localhost:${cfg.socket}" else cfg.bridgeOrigin;
+          };
+        }
+      );
+
+      script = pkgs.writeScript "matrix-ooye-pre-start.sh" ''
+        #!${lib.getExe pkgs.bash}
+        REGISTRATION_FILE=registration.yaml
+
+        id
+        echo "Before if statement"
+        stat ''${REGISTRATION_FILE}
+
+        if [[ ! -f ''${REGISTRATION_FILE} ]]; then
+          echo "No registration file found at '$REGISTRATION_FILE'"
+          cp --no-preserve=mode,ownership ${baseConfig} ''${REGISTRATION_FILE}
+        fi
+
+        echo "After if statement"
+        stat ''${REGISTRATION_FILE}
+
+        AS_TOKEN=$(${lib.getExe pkgs.jq} -r .as_token ''${REGISTRATION_FILE})
+        HS_TOKEN=$(${lib.getExe pkgs.jq} -r .hs_token ''${REGISTRATION_FILE})
+        DISCORD_TOKEN=$(cat /run/credentials/matrix-ooye-pre-start.service/discord_token)
+        DISCORD_CLIENT_SECRET=$(cat /run/credentials/matrix-ooye-pre-start.service/discord_client_secret)
+
+        # Check if we have all required tokens
+        if [[ -z "$AS_TOKEN" || "$AS_TOKEN" == "null" ]]; then
+          AS_TOKEN=$(${lib.getExe pkgs.openssl} rand -hex 64)
+          echo "Generated new AS token: ''${AS_TOKEN}"
+        fi
+
+        if [[ -z "$HS_TOKEN" || "$HS_TOKEN" == "null" ]]; then
+          HS_TOKEN=$(${lib.getExe pkgs.openssl} rand -hex 64)
+          echo "Generated new HS token: ''${HS_TOKEN}"
+        fi
+
+        if [[ -z "$DISCORD_TOKEN" ]]; then
+          echo "No Discord token found at '${cfg.discordTokenPath}'"
+          echo "You can find this on the 'Bot' tab of your Discord application."
+          exit 1
+        fi
+
+        if [[ -z "$DISCORD_CLIENT_SECRET" ]]; then
+          echo "No Discord client secret found at '${cfg.discordTokenPath}'"
+          echo "You can find this on the 'OAuth2' tab of your Discord application."
+          exit 1
+        fi
+
+        shred -u ''${REGISTRATION_FILE}
+        cp --no-preserve=mode,ownership ${baseConfig} ''${REGISTRATION_FILE}
+
+        ${lib.getExe pkgs.jq} '.as_token = "'$AS_TOKEN'" | .hs_token = "'$HS_TOKEN'" | .ooye.discord_token = "'$DISCORD_TOKEN'" | .ooye.discord_client_secret = "'$DISCORD_CLIENT_SECRET'"' ''${REGISTRATION_FILE} > ''${REGISTRATION_FILE}.tmp
+
+        shred -u ''${REGISTRATION_FILE}
+        mv ''${REGISTRATION_FILE}.tmp ''${REGISTRATION_FILE}
+      '';
+
+    in
+    {
+      warnings =
+        lib.optionals ((builtins.substring (lib.stringLength cfg.namespace - 1) 1 cfg.namespace) != "_") [
+          "OOYE namespace does not end with an underscore! This is recommended to have better ID formatting. Provided: '${cfg.namespace}'"
+        ]
+        ++ lib.optionals ((builtins.substring 0 1 cfg.namespace) != "_") [
+          "OOYE namespace does not start with an underscore! This is recommended to avoid conflicts with registered users. Provided: '${cfg.namespace}'"
+        ];
+
+      environment.systemPackages = [ cfg.package ];
+
+      systemd.services."matrix-ooye-pre-start" = {
+        enable = true;
+        wantedBy = [ "multi-user.target" ];
+        serviceConfig = {
+          ExecStart = script;
+          WorkingDirectory = "/var/lib/matrix-ooye";
+          StateDirectory = "matrix-ooye";
+          DynamicUser = true;
+          RemainAfterExit = true;
+          Type = "oneshot";
+
+          LoadCredential = [
+            "discord_token:${cfg.discordTokenPath}"
+            "discord_client_secret:${cfg.discordClientSecretPath}"
+          ];
+        };
+      };
+
+      systemd.services."matrix-ooye" = {
+        enable = true;
+        description = "Out of Your Element - a Discord bridge for Matrix.";
+
+        wants = [
+          "network-online.target"
+          "matrix-synapse.service"
+          "conduit.service"
+          "dendrite.service"
+        ];
+        after = [
+          "matrix-ooye-pre-start.service"
+          "network-online.target"
+        ];
+        requires = [ "matrix-ooye-pre-start.service" ];
+        wantedBy = [ "multi-user.target" ];
+
+        serviceConfig = {
+          ExecStart = lib.getExe config.services.matrix-ooye.package;
+          WorkingDirectory = "/var/lib/matrix-ooye";
+          StateDirectory = "matrix-ooye";
+          #ProtectSystem = "strict";
+          #ProtectHome = true;
+          #PrivateTmp = true;
+          #NoNewPrivileges = true;
+          #PrivateDevices = true;
+          Restart = "on-failure";
+          DynamicUser = true;
+        };
+      };
+
+      systemd.services."matrix-synapse" = lib.mkIf cfg.enableSynapseIntegration {
+
+        after = [
+          "matrix-ooye-pre-start.service"
+          "network-online.target"
+        ];
+        requires = [ "matrix-ooye-pre-start.service" ];
+        serviceConfig = {
+          LoadCredential = [
+            "matrix-ooye-registration:/var/lib/matrix-ooye/registration.yaml"
+          ];
+          ExecStartPre = [
+            "+${pkgs.coreutils}/bin/cp /run/credentials/matrix-synapse.service/matrix-ooye-registration ${config.services.matrix-synapse.dataDir}/ooye-registration.yaml"
+            "+${pkgs.coreutils}/bin/chown matrix-synapse:matrix-synapse ${config.services.matrix-synapse.dataDir}/ooye-registration.yaml"
+          ];
+        };
+      };
+
+      services.matrix-synapse.settings.app_service_config_files = lib.mkIf cfg.enableSynapseIntegration [
+        "${config.services.matrix-synapse.dataDir}/ooye-registration.yaml"
+      ];
+    }
+  );
+}

packages/out-of-your-element.nix

@@ -0,0 +1,42 @@
+{
+  lib,
+  fetchgit,
+  makeWrapper,
+  nodejs,
+  buildNpmPackage,
+}:
+buildNpmPackage {
+  pname = "delete-your-element";
+  version = "3.1-unstable-2025-06-23";
+  src = fetchgit {
+    url = "https://git.pvv.ntnu.no/Drift/delete-your-element.git";
+    rev = "67658bf68026918163a2e5c2a30007364c9b2d2d";
+    sha256 = "sha256-jSQ588kwvAYCe6ogmO+jDB6Hi3ACJ/3+rC8M94OVMNw=";
+  };
+  npmDepsHash = "sha256-HNHEGez8X7CsoGYXqzB49o1pcCImfmGYIw9QKF2SbHo=";
+  dontNpmBuild = true;
+
+  nativeBuildInputs = [makeWrapper];
+
+  installPhase = ''
+    runHook preInstall
+
+    mkdir -p $out/share
+    cp -a . $out/share/ooye
+    makeWrapper ${nodejs}/bin/node $out/bin/matrix-ooye --add-flags $out/share/ooye/start.js
+    makeWrapper ${nodejs}/bin/node $out/bin/matrix-ooye-addbot --add-flags $out/share/ooye/addbot.js
+
+    runHook postInstall
+  '';
+
+  meta = with lib; {
+    description = "Matrix-Discord bridge with modern features.";
+    homepage = "https://gitdab.com/cadence/out-of-your-element";
+    longDescription = ''
+      Modern Matrix-to-Discord appservice bridge, created by @cadence:cadence.moe.
+    '';
+    license = licenses.gpl3;
+    # maintainers = with maintainers; [ RorySys ];
+    mainProgram = "matrix-ooye";
+  };
+}

secrets/bicep/matrix.yaml

@@ -9,14 +9,15 @@ mjolnir:
 discord:
     as_token: ENC[AES256_GCM,data:cnPZjBbODZUA1p0kLNeWpKh1oGkDPxDw/g7163XnoRCIgpqk,iv:Uu4L36uDPMBgzdXE2Lt9U0qrBSl3Xuufh1313BD8B/U=,tag:nTm6s7IGd4vNzZ95mfxDpA==,type:str]
     hs_token: ENC[AES256_GCM,data:UzcaNsJtJPKvFT4gQDNfat0nmyJzmQ6OcSI73pANibzOVrWl,iv:ujgRM2jb1rbeloPB4UPLBEvQ7uue4a+bHiqsZAHIqtk=,tag:uIfuaTWSTeVvpQx5o28HPA==,type:str]
+ooye:
+    hs_token: ENC[AES256_GCM,data:QBrdRt4ozAh2XYJtssm82uHlk9aGO1Nr0fEZetmWfLvmw52FZEq8ijyKOgwS6uTcndMi4gGKkq9r4eapLwcMdQ==,iv:VHOAqxR1WGzZ9dmNx+FmjGAKRpUFjWOwyOVmgDswpE0=,tag:k5it/yx7pOfGbJXZUlV69Q==,type:str]
+    as_token: ENC[AES256_GCM,data:RMkY0xVj14FwDbYaAysSmzB0IlJuk0ucicNhhTmVAEgiU05PxWG+qk3/elFcaFwaXRFgQQtVyGFZEcK5gpE9hA==,iv:8JgNrTe7GQqPMdUCxEaxJ9qV7Uec2fkYBmF9LmH4X3o=,tag:tRnFpRAZs9kO3u2SDMwNnA==,type:str]
+    discord_token: ENC[AES256_GCM,data:6rzv3glW03jcYiJ7sAvDcvDmQHs9iVbV11tIFwgD3GuTkVn6mbAoQhjUaz3zpb/OeoGt+j/pCBRlZgk=,iv:JwkqLpeGYhgwLX7SACNh0AUO53XSx9IKgncI0+KkvyU=,tag:30C0X9nVSlEYPITVzuN0qA==,type:str]
+    discord_client_secret: ENC[AES256_GCM,data:wbM7bPZCWa2+UNUqXi27fP0ppdinRkEC4N9KB68TJzg=,iv:Y2j+8oI+kI7DMrBfFU3G5HtFWguNxDpxbNvJkpK5lQs=,tag:GntocbTCybCVqZ2T3lNSIQ==,type:str]
 hookshot:
     as_token: ENC[AES256_GCM,data:L4vEw5r4RhcgritOeDTLHN5E/dM=,iv:pC8BLzxf6NaVAGsotoq6chOceBVdMLvrsQn1LGw9H9w=,tag:SI3CDFHAvgQZEvf/oms3EA==,type:str]
     hs_token: ENC[AES256_GCM,data:2ufSJfYzzAB5IO+edwKSra5d/+M=,iv:cmTycGzNL+IeRRKZGbkhTtiksYTtbxED0k0B5haFw7k=,tag:FmWe5sGi9rlapUeAE6lKvg==,type:str]
 sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
     age:
         - recipient: age1sl43gc9cw939z5tgha2lpwf0xxxgcnlw7w4xem4sqgmt2pt264vq0dmwx2
           enc: |
@@ -72,8 +73,8 @@ sops:
             WEh5NFN6SFF1TlltdWFWTGw4MHRHUkUKrKIvC87xjEmwxPQhH8dN+ZuaJTCgPY28
             pR62KxmoKFICLTHPpYP3euiAx5M9BWvgvCnA/US/5klpk8MtlreNFA==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-10-13T23:30:01Z"
-    mac: ENC[AES256_GCM,data:vdsAZmg7gPqzeucBhLhPemtRVkcxRecIdB6PXZ4paU+Uv5UorBKcTZ3jseN2cLi6ot3ycTIm+UI6uhlCy87vAJVynVJhuJS+ICFRS2+DfoVyuttLjZQGC2sr3+dEBHxIH7sZJSo9PIzbIWw3qHrpOPAZj0//1pFyp/k15k3vidM=,iv:jWtV+WAPt08lgdrVvtXOl35rDB4QflkZWuGBW1+ESyw=,tag:YxSHncZZOAW5uDxXtb/krw==,type:str]
+    lastmodified: "2025-06-21T21:23:24Z"
+    mac: ENC[AES256_GCM,data:bEJoCzxph/MOnTOJKdrRiQmbVWmAgsKy8vbD5YBeWagWUCJPDAZNDFLzEzmPvt0jDBol04JosrSIKZS1JzJIIm0zRkcOWSqERQCgjgtGdAYmfp0V6ddseDUVfKlZYJDkt6Bdkqg+9LzrP8dDVm2tMDXpo8vzs02o9dTYFm7imVQ=,iv:buP/297JMfvEm9+IdMWRGV7AgZwF0+G6Z2YIeYw/z1o=,tag:+zG612MJA4Ui8CZBgxM+AQ==,type:str]
     pgp:
         - created_at: "2024-08-04T00:03:46Z"
           enc: |-
@@ -96,4 +97,4 @@ sops:
             -----END PGP MESSAGE-----
           fp: F7D37890228A907440E1FD4846B9228E814A2AAC
     unencrypted_suffix: _unencrypted
-    version: 3.8.1
+    version: 3.10.2

secrets/kommode/kommode.yaml

@@ -8,11 +8,10 @@ gitea:
     gpg-signing-key: ENC[AES256_GCM,data:AyafTF3H8p1qDk9xsNvT68BksoKGLwE2uE3hjz0TrT2XPxCRDOIlfAVYEPSu2Ih6l5a2uruEJhHPtU2fPCB2hln3Bv3gZfFGLb3GFWkSvdePIYFxG56uqGK5dE1KaMccc2cTi+raDImKqSTbp7Qpdo/c6C0WYVglYrD+2l8Y4QOiFuazyLY9zwcX0qG7pIjJ+akCUjfE4rJDAW6H/v+OqvHpcED3q4iXOYuw9sj/UeIgZfJ5Xc/uVrRmPewP4yALnA8o9gsaaLdjWRFIILe7VRwPr0YqwQ6XGgc+pEartkV8AzxjCq6DOtifOOzmu8EI1U1yoaOViYCAMbSHfP6SIKr7pJbrdU+YDBq9mvRx8KPXWUU2uNGrMObATEzlqMYAYA/HJeOdV4w3Axvq8RG2FLkJxJJniwNP5VZRF3bbbI3w+hprRP2yAwgeQw19KBU8yF8upKga/GdMNScpKJvRyVLjZtI0rsfvSC81lHawouuje6aPXT3dH1S5ROJBHMTeV0sP0vK6liBevz9RZpvNs6JVyNCgiRRtRSSYqsgwPJonDKuPeI/Zpgih7HboA8HqhIibqpO96h5/4yO69oJAbLUYV3zlKQcMDTaqadL4Ox5Z+8ygSAL3l1ufZIFGSj73SNHGQqQlIS/a3dAccRi5fPqv0gOmGFAAUJPKfeauFn3TclwojKzu5vwmQxZ5g50txEpTSTaYOy++qq6UZa/dXEyDC7fle75dXhqXyqMCf9kDwZZl5E9eBsabNdTF+auQCp82iLQivdBy7uJX2hkJFSg84fF9MLgH4mOcMQc2E/z961uNzEgoyvVhbDY6+SIJ+6SGmnardbFW7mYrj/QqnSUiMc4tHukAB4NGQYHgjOYRZMpHfVO/6dLbjmTOljnPsnfQUCepvb9rGim8NazvnARaVzezx4t3tfbNR8uLQudSeLZzn/Fu1mKSQvpP+IjdglmyAgp6QhB4OCDPbiaMRDUtOQIzlVILdz1/geUVzhZkJ4xzkm5klGukhtv+3TqjiTcEnoVJC+A1jRvxBQUfEE92GFuupJUfrw8bIDqsWQLkHPCNUMgdoKa/q2OkrWeQz2zm2yUqMAJn1/puoLHdSH5aCELUggx1gQZoc480pSBUvSCML+Qc4B4Cd6hX2PPp+/KQeKtfqHIsKz2I+DMT6KDirReX6WHxqk+s2DtLw7Wx/j65PWCIWLCz,iv:c9BDRxQImWTmwq11+T2CW0S00Dixd8d0od5xn5zZmY8=,tag:brnMedsdTwlkbaHaLa2w2g==,type:str]
     ssh-known-hosts: ENC[AES256_GCM,data:P6hKaCpcZdXIy4rE/1b1+66Md/3Kmviileb0OIT3Vz4IVsDLecBh3IiadHq66V4KocXC4LBUNFjcrxlVVGIonHJ3qd6VpQUwG0n83yhj6LD5hgxmZ5phAyR77Ri8BiH1lWUcg51L2k0U+WJFPP6JkumT9MEz1t1+JYr5Imij6GKRWRKFwTbU6QJwFH4tCA/iGw0ElrzIjSHiNiwIKfbm8yas9vlOhr4y7vCeV10hVyvV,iv:dZ8hQxhn7pokWbQG/8rQ2vFDpPYut7WCG3xy9g6kzNs=,tag:xMyPtJJoh8kjJcOT4t9aRA==,type:str]
     import-user-env: ENC[AES256_GCM,data:9SE2k3/IJqbdexj0QFSQBQ1+u1AduWNjt+0XIHryJlxIEdvv9a+6hP4EXPo+31GnaE4=,iv:qZlWOBV5owr3ESTyFaV/R8VwlGl04kaui80I2zYk4zY=,tag:PhjRfEC1xoHaYyl648yCVw==,type:str]
+    secret-key: ENC[AES256_GCM,data:YqwSJazPqz1OOsUVIPKsGvIHbX7SyJqryan1KWSRGRJkt9yZlaiRtQG/mQugAM6IvLFD3pj+gPTcXyqenaAQKA==,iv:nyPnL7wuhpb0kl0tm1JhOHmF7KI9vVcTN1SRGTgD2o8=,tag:Rt/IPC/YtBcmTx5osGlbBg==,type:str]
+    oauth2-jwt-secret: ENC[AES256_GCM,data:YUVbf0xgnzeNoahu57yzoib2XSB0rR2AAIkdlEe8eC9AFEdv4vE0S372jw==,iv:k1cEa/sWqJZ9b/NetVSR37BYy6UUOM4qAnbsfLEw+5Y=,tag:CrUh0xDWA77dAFp8FY0jPA==,type:str]
+    lfs-jwt-secret: ENC[AES256_GCM,data:fAirrt7Ue1XpHYB12e8l+47x1dY/eIsDV61KrDA/sRSKvZherRNnahtLQw==,iv:S6+rQHf3TL/1tKcknX/jHJ7k79GCU1BRBZHhuqXSRME=,tag:WUjNaP8bb1HvZnAX3+vXoQ==,type:str]
 sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
     age:
         - recipient: age1mt4d0hg5g76qp7j0884llemy0k2ymr5up8vfudz6vzvsflk5nptqqd32ly
           enc: |
@@ -68,8 +67,8 @@ sops:
             OCtLcUZwL084TUp0QmpSQXNtSFhHYkUKwGvXXE9AWlrlDgRl2ECCmej7IMztO+fx
             852Vu610cI9FLv5oghlKM769+/A2QP82KwdxZ4MaRSDvJwXKBi16aw==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-03-16T13:03:12Z"
-    mac: ENC[AES256_GCM,data:cuMHvEjR3nA/LqGHwIGOD+rWwmvg0fPiFtVTDLATKuc0Ulf+0PKogv9cddmXlmqaBOLMkmZue44egEpiLoNm38kEr7gPfP7XKj3kkwL2U4BiS43JEokt5CEq44sSETKylEMEVajgOEwyWn1od4MLxa7xsuhbvGvDpsbvjyPvzh0=,iv:zWFNpOS9cgCs36rdW9FcJ+jG3HrjRmcw2Ogz7QZuyJQ=,tag:L3x6Bsu+7n5A0/Dx0HghkA==,type:str]
+    lastmodified: "2025-08-03T01:35:52Z"
+    mac: ENC[AES256_GCM,data:wQPIW9zRhB6IjK1OQy69Ln+dj6OMNLnNKIzFIhv/vbQ4GllMJ3N/gZjuzMJIumcVND+jEY/qiYnsCFSptStlDYtB3/zHWo1e6It2pM4igtoTP29uiQME0vPJSz0guakZlDMa20mOTN0vVZODEbeBiQNXWtnTbl93R2JVJlZrWcI=,iv:L9Dk5S+hbBO0LTM0irfLuqjLYHzVtY5Tq+Q7m65u6p8=,tag:0GT9IyPeGY5YM6PP/LNs/Q==,type:str]
     pgp:
         - created_at: "2025-03-16T13:02:45Z"
           enc: |-
@@ -92,4 +91,4 @@ sops:
             -----END PGP MESSAGE-----
           fp: F7D37890228A907440E1FD4846B9228E814A2AAC
     unencrypted_suffix: _unencrypted
-    version: 3.9.4
+    version: 3.10.2

secrets/kvernberg/exhange-offline-master.priv

@@ -1,24 +0,0 @@
-{
-	"data": "ENC[AES256_GCM,data:dhVo1B+ZG1B6s0bTLgph4ipPmi0mveaObbJAffDQbpY=,iv:P5plvu4DQYa99cQZQ6B/gEFcSffu3lTY3+Z80Cfoj94=,tag:4xcqCbn6fFSmCbYmmEgQEg==,type:str]",
-	"sops": {
-		"kms": null,
-		"gcp_kms": null,
-		"azure_kv": null,
-		"hc_vault": null,
-		"age": [
-			{
-				"recipient": "age19rlntxt0m27waa0n288g9wgpksa6ndlzz8eneeqya7w3zd7may0sqzhcvz",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5MzVHSE15Nk9MODQxc2g0\nbHlqNmFKclBYbUNKQTNUOGo0VThiaEZTVzJFCmU2YkYwMXlyeHM3ZzAxOWZpa3k4\nUUJLanVFbkNMa25RcGZmOTBsVmtzazQKLS0tIE1sTTBqT3VJMDFOYXl0T1JvcDRV\nRFpsZGNOZzFzMFc3YzcxeXdIK1d6QUUKzy0n7DJsOmrNvU03Tn6Zcj/l/kAylzzP\nhNnFLXfStdKl3A/qrzBPhTVbYD73yFkZuQ+bDr7/IMsHAmDsztuA9g==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age17tagmpwqjk3mdy45rfesrfey6h863x8wfq38wh33tkrlrywxducs0k6tpq",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnbEdBWjdEbmtNYWJHQnFj\nSU1yb0NYVG4xVlZkYTdUWUpDcGdmbFF6U1NrCjBlWFZkcC9FMVJLYUtDNlBTUWcw\nNHBwWFNESDBQQmJNb3NDN2tDekM4eUUKLS0tICtMVGc1L2JFQ1BqKzM3eWFPRmRQ\nWXlQUWpvdUdOUlZ1OFhtS0ErL0JKSlUKzxLKbsnXvEqnR2HVsTxNqmM7YPjWfCjG\nZ4Bf046NdseomkNuTvWuPzjzPTe4GvjudMYc4ODchkIMOo6hXyf5kw==\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2024-11-17T01:12:23Z",
-		"mac": "ENC[AES256_GCM,data:aXIM/pmgVmfNSa+PwpfK6Efh/kCWXUqZNcKLkyhRwl++vaIBQUIQgQjv09hWHOF77V3ZjRQjh2E1uNe2baBLEmrDT5Au+7VABW+j49KX/vKMd+1l4w47l3DukOVnoo50bsOQFtH+amSl2P2imxpO15sjVDu9/nUeu2qXrtbIUh8=,iv:BQVs3P9p86uzTH2BfuSOxycpE6di4ZIwSz7OTZdcQPg=,tag:mT4Ek8dDbVINGp4Odt62zw==,type:str]",
-		"pgp": null,
-		"unencrypted_suffix": "_unencrypted",
-		"version": "3.9.1"
-	}
-}

secrets/lupine/lupine.yaml

@@ -0,0 +1,124 @@
+gitea:
+    runners:
+        lupine-1: ENC[AES256_GCM,data:UcZB2p/dInvcl0yNBEohzbmcVxg/QQPXlIsaVB3M3hyxFg1gtGfUGA==,iv:OigyPfPoRIjvyiId7hiiWdNrZqyZqI3OonvJC+zYEzI=,tag:SjBsvo/IJKhFQs+PiI596g==,type:str]
+        lupine-2: null
+        lupine-3: null
+        lupine-4: null
+        lupine-5: null
+sops:
+    age:
+        - recipient: age1fkrypl6fu4ldsa7te4g3v4qsegnk7sd6qhkquuwzh04vguy96qus08902e
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBncnd2NVdqdjU1WWx4YWJr
+            RUVuSThBWWdyVnpFT0kzZjBrVjZiN1FiU0ZBCmNCbGVZK09YaFNGSUE2QWpidEFw
+            aEZEVndkODRzYmNLWDRzSGMzOWZKajAKLS0tIE00b3NiclFrOEk3R1lkeWM0VHY3
+            dUFQcG04bWNwYjRjTlNWV0pXNnlTN28KEc8nM7jzMuh2B6Q9vDS9apmVZDH9fAGi
+            dyze2SHCvfbr6So6GtJnZQy5J7tPoHBd3zwjojYV11kR9Ci1GszrVw==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1mu0ej57n4s30ghealhyju3enls83qyjua69986la35t2yh0q2s0seruz5n
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuVzdFdXdETEN3bjdIY0hi
+            TUV3YjFSUHBhNTIyUDd6MC93R2xRZmZGTkd3CkZuNWRZY25nY1FMZjV1QzJuUUZN
+            d0hzMUplY0w4c0hVK0dCbHVzVURvUm8KLS0tIGt2UEozYTdzMDRGUlRYeWpLY0Q3
+            bmFMZGRhWGZQZlpwMFZsV3VwdEljRUkKwS1gGaLCY/+wv2blCiDWHXOTl7eRVDPH
+            NPk33fXDa0y4AxFmwJ9caHL+UHWhSCVvi6odl1F6OA4blNLHRZAyzQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1j2u876z8hu87q5npfxzzpfgllyw8ypj66d7cgelmzmnrf3xud34qzkntp9
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDdmZXREhrUk5kWHgyMzI0
+            RnR0bVE1cm9GQkpwc0VWZ3ZmUjMxMzF2WVhFCkcrcEI4enlRN09wNzF4M0tTNXZi
+            TWg1TTkwUlNYUU1ReUVSU1dTdFoxeWcKLS0tIGZaMmVmZ1kxbFVVMmsxTzczYU9j
+            N3Y3Qm9SQ2Z0bWNhM043czdnWC9RR0kK61W5sqXybAbjTUR8D05dYMInLl683Rzj
+            G+0MZEzvfYONGU1gduRB5quHAwZLG5b9N6zorRSFON1meni+v/Ciww==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1t8zlawqkmhye737pn8yx0z3p9cl947d9ktv2cajdc6hnvn52d3fsc59s2k
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBod1RDR1NLZlhQQWw4Nk8z
+            TTZHZitTNjFxUHVIZWY3N2VDd3pXRGt4N0JFClNzQ2REbSt5T0FXaVBhS09zcS9y
+            TW5PTW1mSzlyOHppSm1yMWp6by9ZUWMKLS0tIFVsYkJZbHE3K3B5TS95amJhbDYy
+            dFV1REdKYmIweWw1MDJ4L3p0cW9nVWMKQndDoniGQOn01SnscX7u7y6l119Eb++q
+            JoTZELALPIyGdI4pXd6zCfRyLFaqWd4CO0RFtl8FTcm75W+ETmqqlQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age199zkqq4jp4yc3d0hx2q0ksxdtp42xhmjsqwyngh8tswuck34ke3smrfyqu
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjdlhET094ZGJsZU9tZnhz
+            d20wcnltVU1MS09Qb3lzV2RjNi9OZjhDdFRBCndRY3hwQ3VHQWF2MVRFUU1MQkhh
+            bGRQdEVaSzF0YTgxTGdITGN2dDlYc1kKLS0tIEw1MmFkUHJaKzZGRU93T2VTTkxK
+            VU0xV0gwQ1NnbVIrS3lHTnJ5bU9IcGMKDWSWfA7iBQ+8iclmXDVf5Qjv67D2WbJg
+            ovrYcT1F5+qE4xkuUkzVaGn9vgT+/kkzFucBz0c0iD5KCoa52z5AlQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age17tagmpwqjk3mdy45rfesrfey6h863x8wfq38wh33tkrlrywxducs0k6tpq
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtV2R5VzdCbkFDTGRJUG81
+            bUk3Y3F6NkJGYUk1VW1XQnFOSTlwMTduL0Y0CjJ4N1Q5MXZjQXhsTk5Hbk40U1pU
+            aFNxeFIyaGJpd3dMZFpQL0R2M1dHbk0KLS0tIGpUVGMyRSt6aDZVOERRWnRSY1Ns
+            dXptcUNmeGRHcEs3WStpL3BuZUtJbjAKhqJEec4vjSC18oRl1dTNkF2Ev4YtudE4
+            Lp2vbcSHXwrZhqbFlQ8stCpUJvjCBEr2cT/shrG38aP0MzgeSmMacQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1mrnldl334l2nszuta6ywvewng0fswv2dz9l5g4qcwe3nj4yxf92qjskdx6
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBURXhRWEFHU2Rtd0pyZGUw
+            b09VQ1JhYjhJYlpnY2FCZndEcU1Ed3k1K0UwCit1NVIyL2xuZlAzbEJwY3V0UTB3
+            Unk1L3p6cHlVWjllMjcvcTdDcnlxcGcKLS0tIGdGa3MvTmJiSGF4YnBZbE1wdGEv
+            eFArZE5MaXlvOE9XN1I4eEtNMEpzcU0KVNUfcUJM+IVY/+b8mQiHKvuFnsih+zHx
+            ZdUD+FPjghqrzJB4MOl/PYAxJ4lga6gPbcRWD5UUDuyDGOUwRpOt7w==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1hmpdk4h69wxpwqk9tkud39f66hprhehxtzhgw97r6dvr7v0mx5jscsuhkn
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNUnhIOHVLUG1meWFlZ24w
+            SVlFenR1aWZXK21HSXpHU1NSZ2llQ1EwSnpnCmJYRXR3b3IvclZvaGpGdEpOUk9D
+            eDg2eFFJQ0M4TEJqZDVUQUZGa2h3V3cKLS0tIEhWTzhoMVg1UEM2M1k1TVZTUDlL
+            RDE1RCtUV2dDR3haclBMZDFhYXcyV2sKjwEI2dY4rluumihyEggLYDDvZZAK4SZw
+            FWkwIUpMCZzg2fCeDMnTSAWfAZbiDcPLoCieJ2bpGXPTzyasRlOakg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1wrssr4z4g6vl3fd3qme5cewchmmhm0j2xe6wf2meu4r6ycn37anse98mfs
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxamdXMXJ4K3hMV2g1WmUy
+            Ry80dG5wdWlLc1paY1VoSE8vWk1ra1g5cldFClN1eXlVUGVndnovQ3dxQTdzQjRV
+            Wm9NNWg5VVR4NVNsRjM0VHFya1FQeWsKLS0tIG43bTdKVjNrQlBUWHJoNjIyOW85
+            TGd1Tng1akExRDd0TFZmQ3JnS3FtK3cKn2t7/4yIDZT2oy8fyJibF62usPjhuBOb
+            9qQjChRm5h5mNSWdAzyf48wID7czzJiZjqtfE4vjLYLsWKMzz9j3xg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1zhxul786an743u0fascv4wtc5xduu7qfy803lfs539yzhgmlq5ds2lznt5
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKQm5UalBhV1NWa2ZQNzVQ
+            OEZXODkrYXRGR2lRMzMwSk5KV01WK3pLZlZ3ClNwZTV6aGRvZlV2UXJaNm9IOVVR
+            VFZscVZhVkFaMlk5a1ZCcWJReVN5YWcKLS0tIEhHMnRKdWJvTkREbFlWb25YRXg3
+            YU5mMDlRckJCMDAzcHYyMWN1clRJRVEK77PiAQP+2+WblGYEgAf6bx6RTh0JHiSZ
+            /jPIN/rbAKNv36wpZDbuLV8tcMuvhleNMRSSqbIloLSzww+Z5nOU4A==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-07-30T18:29:08Z"
+    mac: ENC[AES256_GCM,data:47cki5ucPTVd4JuEyK0QkDCCEqj1pW6SA5I6ihC/MEja6TIuHTcEPFpje8+LvpGjpP9uobKX4g3UcyvkJ63j/k3hU0xPYQX3Z1ee00KIMKB0GHNjUR8ENtnwd3TU7kp5ohtXeCtcyzCjdFFuXp8AINGv3vpbU2MzauctUxn5B1Y=,iv:1mpk/f1QlRtHfA9dqyNLBrvfVPgtLnZ7ibj8qNrEGD8=,tag:drEK1+qeJy97rgeQJyqucA==,type:str]
+    pgp:
+        - created_at: "2025-07-30T18:27:50Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA0av/duuklWYAQ/9HdDiIXAQjcAbokD7yliGC+p7j+RxD2FDh5aXtDIS14dM
+            pF7wdTdY7PvcXoSCQ5ZC7bjIY86MDfD+BT63MwjOczIgBJJ9wrGDZ2o9DnzzYsI1
+            XdUgQscjtbAycNlaczI6IXrYlWqjt6qpp/OADXdMXZo3W+pTR3aSdrj/FcMzJad1
+            AMQt8raqrD5LxIj0yWEYvob5z7NA6slBvVJRszsbYgz3aJWqG2DhlUBph6j2Rgmq
+            /W796+fywrunmY/dmzptT5Epp5gZ55BAqg09qHj/+crTxIt7SNpsfps2ki8JBVq0
+            4ooaUktBBMnhsZBA8NIauesokZkLO0MvyvjMBPGR8jun2EXoNtFmWZqUqD1fb0B5
+            xe0SVg8XIzS/AFnKVAWfj6h9lM4guLL/kxu3aPAJwOj+YtIAXx4vojs81Led8nlQ
+            jXvfy7Y94EQhKTLWuK12QC+bw2vy4V9L98nyDKB3ZuN2l3A2CN1ZLXArk/oez56d
+            5t/0C43qEPfzQH87kygGuuQmlZvQupnHN4iCvExmoiX362/3S9h1wS5QcKdC3Lk/
+            f3yr0+r1uOYuoQuofwitLZaq66aCmqYUmXhLvGujPjg8YuNXQ5k1MlOilDqoZnxk
+            0V8RQbTpvUcqRLgczofC0ovgE2W13khS2BGxG3ZPmAbUGiaIP9OkfebI7hJJE7LS
+            XgE4cU06C5jj4wLkOj3y4nEKwaFrEGRO3YQa1kl5/sExOg0Jd7fehozVh8+opGOZ
+            MhmVHghd/RYZzBi3NZL28xnAvsawE1m6h6WEGk6JaVEdJh9W009AQCtVyChs9Og=
+            =4gbo
+            -----END PGP MESSAGE-----
+          fp: F7D37890228A907440E1FD4846B9228E814A2AAC
+    unencrypted_suffix: _unencrypted
+    version: 3.10.2

values.nix

@@ -41,10 +41,6 @@ in rec {
       ipv4 = pvv-ipv4 209;
       ipv6 = pvv-ipv6 209;
     };
-    bob = {
-      ipv4 = "129.241.152.254";
-      # ipv6 = ;
-    };
     knutsen = {
       ipv4 = pvv-ipv4 191;
     };
@@ -71,9 +67,26 @@ in rec {
     wenche = {
       ipv4 = pvv-ipv4 240;
       ipv6 = pvv-ipv6 240;
-    kvernberg = {
-      ipv4 = pvv-ipv4 206;
-      ipv6 = pvv-ipv6 "1:206";
+    };
+    lupine-1 = {
+      ipv4 = pvv-ipv4 224;
+      ipv6 = pvv-ipv6 224;
+    };
+    lupine-2 = {
+      ipv4 = pvv-ipv4 225;
+      ipv6 = pvv-ipv6 225;
+    };
+    lupine-3 = {
+      ipv4 = pvv-ipv4 226;
+      ipv6 = pvv-ipv6 226;
+    };
+    lupine-4 = {
+      ipv4 = pvv-ipv4 227;
+      ipv6 = pvv-ipv6 227;
+    };
+    lupine-5 = {
+      ipv4 = pvv-ipv4 228;
+      ipv6 = pvv-ipv6 228;
     };
   };