update README to reflect added host

hosts: add skrot
Co-authored-by: System administrator <root@skrot.pvv.ntnu.no> Reviewed-on: #124 Co-authored-by: Vegard Bieker Matthey <VegardMatthey@protonmail.com> Co-committed-by: Vegard Bieker Matthey <VegardMatthey@protonmail.com>
2026-02-14 19:12:41 +01:00 · 2026-02-14 18:53:54 +01:00 · 2026-02-13 19:45:45 +09:00 · 2026-02-13 18:55:42 +09:00 · 2026-02-13 18:26:55 +09:00 · 2026-02-13 14:32:36 +09:00
244 changed files with 33283 additions and 31533 deletions
--- a/.editorconfig
+++ b/.editorconfig
@@ -0,0 +1,10 @@
+root = true
+
+[*]
+end_of_line = lf
+insert_final_newline = true
+trim_trailing_whitespace = true
+
+[*.nix]
+indent_style = space
+indent_size = 2
--- a/.envrc
+++ b/.envrc
@@ -0,0 +1 @@
+use flake
--- a/.git-blame-ignore-revs
+++ b/.git-blame-ignore-revs
@@ -0,0 +1 @@
+e00008da1afe0d760badd34bbeddff36bb08c475
--- a/.gitea/workflows/build-topology-graph.yml
+++ b/.gitea/workflows/build-topology-graph.yml
@@ -0,0 +1,32 @@
+name: "Build topology graph"
+on:
+  push:
+    branches:
+      - main
+jobs:
+  evals:
+    runs-on: debian-latest
+    steps:
+    - uses: actions/checkout@v6
+
+    - name: Install sudo
+      run: apt-get update && apt-get -y install sudo
+
+    - uses: https://github.com/cachix/install-nix-action@v31
+
+    - name: Configure Nix
+      run: echo -e "show-trace = true\nmax-jobs = auto\ntrusted-users = root\nexperimental-features = nix-command flakes\nbuild-users-group =" > /etc/nix/nix.conf
+
+    - name: Build topology graph
+      run: nix build .#topology -L
+
+    - name: Upload topology graph
+      uses: https://git.pvv.ntnu.no/Projects/rsync-action@v2
+      with:
+        source: result/*.svg
+        quote-source: false
+        target: ${{ gitea.ref_name }}/topology_graph/
+        username: gitea-web
+        ssh-key: ${{ secrets.WEB_SYNC_SSH_KEY }}
+        host: pages.pvv.ntnu.no
+        known-hosts: "pages.pvv.ntnu.no ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH2QjfFB+city1SYqltkVqWACfo1j37k+oQQfj13mtgg"
--- a/.gitea/workflows/eval.yml
+++ b/.gitea/workflows/eval.yml
@@ -4,10 +4,10 @@ on:
  push:
 jobs:
  evals:
-    runs-on: ubuntu-latest
+    runs-on: debian-latest
    steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v6
    - run: apt-get update && apt-get -y install sudo
-    - uses: https://github.com/cachix/install-nix-action@v23
+    - uses: https://github.com/cachix/install-nix-action@v31
    - run: echo -e "show-trace = true\nmax-jobs = auto\ntrusted-users = root\nexperimental-features = nix-command flakes\nbuild-users-group =" > /etc/nix/nix.conf
    - run: nix flake check
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,4 @@
 result*
 /configuration.nix
+/.direnv/
+*.qcow2
--- a/.mailmap
+++ b/.mailmap
@@ -0,0 +1,31 @@
+Daniel Løvbrøtte Olsen <danio@pvv.ntnu.no> <daniel.olsen99@gmail.com>
+Daniel Løvbrøtte Olsen <danio@pvv.ntnu.no> Daniel <danio@pvv.ntnu.no>
+Daniel Løvbrøtte Olsen <danio@pvv.ntnu.no> Daniel Lovbrotte Olsen <danio@pvv.ntnu.no>
+Daniel Løvbrøtte Olsen <danio@pvv.ntnu.no> Daniel Olsen <danio@pvv.ntnu.no>
+Daniel Løvbrøtte Olsen <danio@pvv.ntnu.no> danio <danio@pvv.ntnu.no>
+Daniel Løvbrøtte Olsen <danio@pvv.ntnu.no> Daniel Olsen <danio@bicep.pvv.ntnu.no>
+
+
+Øystein Kristoffer Tveit <oysteikt@pvv.ntnu.no> h7x4 <h7x4@nani.wtf>
+Øystein Kristoffer Tveit <oysteikt@pvv.ntnu.no> Øystein Tveit <oysteikt@pvv.ntnu.no>
+Øystein Kristoffer Tveit <oysteikt@pvv.ntnu.no> oysteikt <oysteikt@pvv.ntnu.no>
+Øystein Kristoffer Tveit <oysteikt@pvv.ntnu.no> Øystein <oysteikt@pvv.org>
+Øystein Kristoffer Tveit <oysteikt@pvv.ntnu.no> Oystein Kristoffer Tveit <oysteikt@pvv.ntnu.no>
+
+Felix Albrigtsen <felixalb@pvv.ntnu.no> <felix@albrigtsen.it>
+Felix Albrigtsen <felixalb@pvv.ntnu.no> <felixalbrigtsen@gmail.com>
+Felix Albrigtsen <felixalb@pvv.ntnu.no> felixalb <felixalb@pvv.ntnu.no>
+
+Peder Bergebakken Sundt <pederbs@pvv.ntnu.no> <pbsds@hotmail.com>
+
+Adrian Gunnar Lauterer <adriangl@pvv.ntnu.no> Adrian G L <adrian@lauterer.it>
+Adrian Gunnar Lauterer <adriangl@pvv.ntnu.no> Adrian Gunnar Lauterer <adrian@lauterer.it>
+
+Fredrik Robertsen <frero@pvv.ntnu.no> frero <frero@pvv.ntnu.no>
+Fredrik Robertsen <frero@pvv.ntnu.no> fredrikr79 <fredrikrobertsen7@gmail.com>
+Fredrik Robertsen <frero@pvv.ntnu.no> fredrik <fredrikr79@pm.me>
+
+Vegard Bieker Matthey <vegardbm@pvv.ntnu.no> Vegard Matthey <VegardMatthey@protonmail.com>
+Vegard Bieker Matthey <vegardbm@pvv.ntnu.no> Vegard Bieker Matthey <VegardMatthey@protonmail.com>
+
+Albert Bayazidi <albertba@pvv.ntnu.no> Albert <albert.bayazidi@gmail.com>
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -1,43 +1,69 @@
 keys:
  # Users
-  - &user_danio age17tagmpwqjk3mdy45rfesrfey6h863x8wfq38wh33tkrlrywxducs0k6tpq
+  - &user_danio age1ug30gg4y7ftuya0wdv7q0vh4egn00wlv2th7mt7cgc2ze46wmvyq9lq6ge
+  - &user_eirikwit age1ju7rd26llahz3g8tz7cy5ld52swj8gsmg0flrmrxngc0nj0avq3ssh0sn5
  - &user_felixalb age1mrnldl334l2nszuta6ywvewng0fswv2dz9l5g4qcwe3nj4yxf92qjskdx6
  - &user_oysteikt F7D37890228A907440E1FD4846B9228E814A2AAC
+  - &user_pederbs_bjarte age1zhxul786an743u0fascv4wtc5xduu7qfy803lfs539yzhgmlq5ds2lznt5
+  - &user_pederbs_nord age1wrssr4z4g6vl3fd3qme5cewchmmhm0j2xe6wf2meu4r6ycn37anse98mfs
+  - &user_pederbs_sopp age1hmpdk4h69wxpwqk9tkud39f66hprhehxtzhgw97r6dvr7v0mx5jscsuhkn
+  - &user_vegardbm age1sqs7urnzsdy64efmd0zukzv3gs5pnjksuxd7nqmdwdy5l0nqnunq6hyune

  # Hosts
-  - &host_jokum age1gp8ye4g2mmw3may5xg0zsy7mm04glfz3788mmdx9cvcsdxs9hg0s0cc9kt
-  - &host_ildkule age1hn45n46ypyrvypv0mwfnpt9ddrlmw34dwlpf33n8v67jexr3lucq6ahc9x
+  - &host_bakke age1syted6kt48sumjjucggh6r3uca4x2ppp4mfungf3lamkt2le05csc99633
  - &host_bekkalokk age12nj59tguy9wg882updc2vjdusx5srnxmjyfaqve4zx6jnnsaw3qsyjq6zd
-  - &host_bicep age1sl43gc9cw939z5tgha2lpwf0xxxgcnlw7w4xem4sqgmt2pt264vq0dmwx2
+  - &host_bicep age19nk55kcs7s0358jpkn75xnr57dfq6fq3p43nartvsprx0su22v7qcgcjdx
+  - &host_ildkule age1x28hmzvuv6f2n66c0jtqcca3h9rput8d7j5uek6jcpx8n9egd52sqpejq0
+  - &host_kommode age1mt4d0hg5g76qp7j0884llemy0k2ymr5up8vfudz6vzvsflk5nptqqd32ly
+  - &host_lupine-1 age1fkrypl6fu4ldsa7te4g3v4qsegnk7sd6qhkquuwzh04vguy96qus08902e
+  - &host_lupine-2 age1mu0ej57n4s30ghealhyju3enls83qyjua69986la35t2yh0q2s0seruz5n
+  - &host_lupine-3 age1j2u876z8hu87q5npfxzzpfgllyw8ypj66d7cgelmzmnrf3xud34qzkntp9
+  - &host_lupine-4 age1t8zlawqkmhye737pn8yx0z3p9cl947d9ktv2cajdc6hnvn52d3fsc59s2k
+  - &host_lupine-5 age199zkqq4jp4yc3d0hx2q0ksxdtp42xhmjsqwyngh8tswuck34ke3smrfyqu
+  - &host_skrott age1lpkju2e053aaddpgsr4ef83epclf4c9tp4m98d35ft2fswr8p4tq2ua0mf
+  - &host_ustetind age1hffjafs4slznksefmtqrlj7rdaqgzqncn4un938rhr053237ry8s3rs0v8
+  - &host_skrot age1hzkvnktkr8t5gvtq0ccw69e44z5z6wf00n3xhk3hj24emf07je5s6q2evr

 creation_rules:
  # Global secrets
  - path_regex: secrets/[^/]+\.yaml$
    key_groups:
    - age:
-      - *host_jokum
      - *user_danio
      - *user_felixalb
+      - *user_eirikwit
+      - *user_pederbs_sopp
+      - *user_pederbs_nord
+      - *user_pederbs_bjarte
+      - *user_vegardbm
      pgp:
      - *user_oysteikt

  # Host specific secrets
-  
+
  - path_regex: secrets/bekkalokk/[^/]+\.yaml$
    key_groups:
    - age:
      - *host_bekkalokk
      - *user_danio
      - *user_felixalb
+      - *user_pederbs_sopp
+      - *user_pederbs_nord
+      - *user_pederbs_bjarte
+      - *user_vegardbm
      pgp:
      - *user_oysteikt

-  - path_regex: secrets/jokum/[^/]+\.yaml$
+  - path_regex: secrets/kommode/[^/]+\.yaml$
    key_groups:
    - age:
-      - *host_jokum
+      - *host_kommode
      - *user_danio
      - *user_felixalb
+      - *user_pederbs_sopp
+      - *user_pederbs_nord
+      - *user_pederbs_bjarte
+      - *user_vegardbm
      pgp:
      - *user_oysteikt

@@ -47,14 +73,90 @@ creation_rules:
      - *host_ildkule
      - *user_danio
      - *user_felixalb
+      - *user_pederbs_sopp
+      - *user_pederbs_nord
+      - *user_pederbs_bjarte
+      - *user_vegardbm
      pgp:
      - *user_oysteikt
-  
+
  - path_regex: secrets/bicep/[^/]+\.yaml$
    key_groups:
    - age:
      - *host_bicep
      - *user_danio
      - *user_felixalb
+      - *user_pederbs_sopp
+      - *user_pederbs_nord
+      - *user_pederbs_bjarte
+      - *user_vegardbm
+      pgp:
+      - *user_oysteikt
+
+  - path_regex: secrets/ustetind/[^/]+\.yaml$
+    key_groups:
+    - age:
+      - *host_ustetind
+      - *user_danio
+      - *user_felixalb
+      - *user_pederbs_sopp
+      - *user_pederbs_nord
+      - *user_pederbs_bjarte
+      - *user_vegardbm
+      pgp:
+      - *user_oysteikt
+
+  - path_regex: secrets/lupine/[^/]+\.yaml$
+    key_groups:
+    - age:
+      - *host_lupine-1
+      - *host_lupine-2
+      - *host_lupine-3
+      - *host_lupine-4
+      - *host_lupine-5
+      - *user_danio
+      - *user_felixalb
+      - *user_pederbs_sopp
+      - *user_pederbs_nord
+      - *user_pederbs_bjarte
+      - *user_vegardbm
+      pgp:
+      - *user_oysteikt
+
+  - path_regex: secrets/bakke/[^/]+\.yaml$
+    key_groups:
+    - age:
+      - *host_bakke
+      - *user_danio
+      - *user_felixalb
+      - *user_pederbs_sopp
+      - *user_pederbs_nord
+      - *user_pederbs_bjarte
+      - *user_vegardbm
+      pgp:
+      - *user_oysteikt
+
+  - path_regex: secrets/skrott/[^/]+\.yaml$
+    key_groups:
+    - age:
+      - *host_skrott
+      - *user_danio
+      - *user_felixalb
+      - *user_pederbs_sopp
+      - *user_pederbs_nord
+      - *user_pederbs_bjarte
+      - *user_vegardbm
+      pgp:
+      - *user_oysteikt
+  - path_regex: secrets/skrot/[^/]+\.yaml$
+    key_groups:
+    - age:
+      - *host_skrot
+      - *user_danio
+      - *user_felixalb
+      - *user_pederbs_sopp
+      - *user_pederbs_nord
+      - *user_pederbs_bjarte
+      - *user_vegardbm
      pgp:
      - *user_oysteikt
--- a/README.MD
+++ b/README.MD
@@ -1,57 +0,0 @@
-# PVV NixOS configs
-
-## Hvordan endre på ting
-
-Før du endrer på ting husk å ikke putte ting som skal være hemmelig uten å først lese seksjonen for hemmeligheter!
-
-Etter å ha klonet prosjektet ned og gjort endringer kan du evaluere configene med:
-
-`nix flake check --keep-going`
-
-før du bygger en maskin med:
-
-`nix build .#<maskinnavn>`
-
-hvis du vil være ekstra sikker på at alt bygger så kan du kjøre:
-
-`nix build .` for å bygge alle de viktige maskinene.
-
-NB: Dette kan ta opp til 30 minutter avhengig av hva som ligger i caches
-
-Husk å hvertfall stage nye filer om du har laget dem!
-
-Om alt bygger fint commit det og push til git repoet.
-Det er sikkert lurt å lage en PR først om du ikke er vandt til nix enda.
-
-Innen 24h skal alle systemene hente ned den nye konfigurasjonen og deploye den.
-
-Du kan tvinge en maskin til å oppdatere seg før dette ved å kjøre:
-`nixos-rebuild switch --update-input nixpkgs --update-input nixpkgs-unstable --no-write-lock-file --refresh --flake git+https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git --upgrade`
-
-som root på maskinen.
-
-## Seksjonen for hemmeligheter
-
-For at hemmeligheter ikke skal deles med hele verden i git - eller å være world
-readable i nix-storen, bruker vi [sops-nix](https://github.com/Mic92/sops-nix)
-
-For å legge til secrets kan du kjøre f.eks. `sops secrets/jokum/jokum.yaml`
-Dette vil dekryptere filen og gi deg en text-editor du kan bruke for endre hemmelighetene.
-
-Et nix shell med dette verktøyet inkludert ligger i flaket og shell.nix og kan aktiveres med:
-
-`nix-shell` eller `nix develop`. Vi anbefaler det siste.
-I tilegg kan du sette opp [direnv](https://direnv.net/) slik at dette skjer automatisk
-
-for å få tilgang til å lese/skrive hemmeligheter må du spørre noen/noe som har tilgang til hemmelighetene
-om å legge til age eller pgp nøkkelen din i [`.sops.yaml`](https://git.pvv.ntnu.no/Drift/pvv-nixos-config/src/main/.sops.yaml)
-
-Denne kan du generere fra ssh-nøkkelene dine eller lage en egen nøkkel.
-
-### Legge til flere keys
-
-Gjør det som gir mening i .sops.yml
-
-Etter det kjør `sops updatekeys secrets/host/file.yml`
-
-MERK at det ikke er `sops -r` som BARE roterer nøkklene for de som allerede er i secretfila
--- a/README.md
+++ b/README.md
@@ -0,0 +1,64 @@
+# PVV NixOS config
+
+This repository contains the NixOS configurations for Programvareverkstedet's server closet.
+In addition to machine configurations, it also contains a bunch of shared modules, packages, and
+more.
+
+> [!WARNING]
+> Please read [Development - working on the PVV machines](./docs/development.md) before making
+> any changes, and [Secret management and `sops-nix`](./docs/secret-management.md) before adding
+> any credentials such as passwords, API tokens, etc. to the configuration.
+
+## Deploying to machines
+
+> [!WARNING]
+> Be careful to think about state when testing changes against the machines. Sometimes, a certain change
+> can lead to irreversible changes to the data stored on the machine. An example would be a set of database
+> migrations applied when testing a newer version of a service. Unless that service also comes with downwards
+> migrations, you can not go back to the previous version without losing data.
+
+To deploy the changes to a machine, you should first SSH into the machine, and clone the pvv-nixos-config
+repository unless you have already done so. After that, checkout the branch you want to deploy from, and rebuild:
+
+```bash
+# Run this while in the pvv-nixos-config directory
+sudo nixos-rebuild switch --update-input nixpkgs --update-input nixpkgs-unstable --no-write-lock-file --refresh --flake .# --upgrade
+```
+
+This will rebuild the NixOS system on the current branch and switch the system configuration to reflect the new changes.
+
+Note that unless you eventually merge the current changes into `main`, the machine will rebuild itself automatically and
+revert the changes on the next nightly rebuild (tends to happen when everybody is asleep).
+
+## Machine overview
+
+| Name                       | Type     | Description                                               |
+|----------------------------|----------|-----------------------------------------------------------|
+| [bekkalokk][bek]           | Physical | Our main web host, webmail, wiki, idp, minecraft map, ... |
+| [bicep][bic]               | Virtual  | Database host, matrix, git mirrors, ...                   |
+|  bikkje                    | Virtual  | Experimental login box                                    |
+| [brzeczyszczykiewicz][brz] | Physical | Shared music player                                       |
+| [georg][geo]               | Physical | Shared music player                                       |
+| [ildkule][ild]             | Virtual  | Logging and monitoring host, prometheus, grafana, ...     |
+| [kommode][kom]             | Virtual  | Gitea + Gitea pages                                       |
+| [lupine][lup]              | Physical | Gitea CI/CD runners                                       |
+|  shark                     | Virtual  | Test host for authentication, absolutely horrendous       |
+| [skrot/skrott][skr]        | Physical | Kiosk, snacks and soda                                    |
+| [wenche][wen]              | Virtual  | Nix-builders, general purpose compute                     |
+
+## Documentation
+
+- [Development - working on the PVV machines](./docs/development.md)
+- [Miscellaneous development notes](./docs/development-misc.md)
+- [User management](./docs/users.md)
+- [Secret management and `sops-nix`](./docs/secret-management.md)
+
+[bek]: https://wiki.pvv.ntnu.no/wiki/Maskiner/bekkalokk
+[bic]: https://wiki.pvv.ntnu.no/wiki/Maskiner/bicep
+[brz]: https://wiki.pvv.ntnu.no/wiki/Maskiner/brzęczyszczykiewicz
+[geo]: https://wiki.pvv.ntnu.no/wiki/Maskiner/georg
+[ild]: https://wiki.pvv.ntnu.no/wiki/Maskiner/ildkule
+[kom]: https://wiki.pvv.ntnu.no/wiki/Maskiner/kommode
+[lup]: https://wiki.pvv.ntnu.no/wiki/Maskiner/lupine
+[skr]: https://wiki.pvv.ntnu.no/wiki/Maskiner/Skrott
+[wen]: https://wiki.pvv.ntnu.no/wiki/Maskiner/wenche
--- a/base.nix
+++ b/base.nix
@@ -1,86 +0,0 @@
-{ config, lib, pkgs, inputs, values, ... }:
-
-{
-  imports = [
-    ./users
-  ];
-
-  networking.domain = "pvv.ntnu.no";
-  networking.useDHCP = false;
-  # networking.search = [ "pvv.ntnu.no" "pvv.org" ];
-  # networking.nameservers = lib.mkDefault [ "129.241.0.200" "129.241.0.201" ];
-  # networking.tempAddresses = lib.mkDefault "disabled";
-  # networking.defaultGateway = values.hosts.gateway;
-
-  systemd.network.enable = true;
-
-  services.resolved = {
-    enable = lib.mkDefault true;
-    dnssec = "false"; # Supposdly this keeps breaking and the default is to allow downgrades anyways...
-  };
-
-  time.timeZone = "Europe/Oslo";
-
-  i18n.defaultLocale = "en_US.UTF-8";
-  console = {
-    font = "Lat2-Terminus16";
-    keyMap = "no";
-  };
-
-  system.autoUpgrade = {
-    enable = true;
-    flake = "git+https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git";
-    flags = [
-      "--update-input" "nixpkgs"
-      "--update-input" "nixpkgs-unstable"
-      "--no-write-lock-file"
-    ];
-  };
-  nix.gc.automatic = true;
-  nix.gc.options = "--delete-older-than 2d";
-
-  nix.settings.experimental-features = [ "nix-command" "flakes" ];
-
-  /* This makes commandline tools like
-  ** nix run nixpkgs#hello
-  ** and nix-shell -p hello
-  ** use the same channel the system
-  ** was built with
-  */
-  nix.registry = {
-    nixpkgs.flake = inputs.nixpkgs;
-  };
-  nix.nixPath = [ "nixpkgs=${inputs.nixpkgs}" ];
-
-  environment.systemPackages = with pkgs; [
-    file
-    git
-    gnupg
-    htop
-    nano
-    rsync
-    screen
-    tmux
-    vim
-    wget
-
-    kitty.terminfo
-  ];
-
-  programs.zsh.enable = true;
-
-  users.groups."drift".name = "drift";
-
-  # Trusted users on the nix builder machines
-  users.groups."nix-builder-users".name = "nix-builder-users";
-
-  services.openssh = {
-    enable = true;
-    extraConfig = ''
-      PubkeyAcceptedAlgorithms=+ssh-rsa
-    '';
-    settings.PermitRootLogin = "yes";
-  };
-
-
-}
--- a/base/default.nix
+++ b/base/default.nix
@@ -0,0 +1,90 @@
+{
+  pkgs,
+  lib,
+  fp,
+  ...
+}:
+
+{
+  imports = [
+    (fp /users)
+    (fp /modules/snakeoil-certs.nix)
+
+    ./flake-input-exporter.nix
+    ./networking.nix
+    ./nix.nix
+    ./programs.nix
+    ./sops.nix
+    ./vm.nix
+
+    ./services/acme.nix
+    ./services/auto-upgrade.nix
+    ./services/dbus.nix
+    ./services/fwupd.nix
+    ./services/irqbalance.nix
+    ./services/journald-upload.nix
+    ./services/logrotate.nix
+    ./services/nginx.nix
+    ./services/openssh.nix
+    ./services/polkit.nix
+    ./services/postfix.nix
+    ./services/prometheus-node-exporter.nix
+    ./services/prometheus-systemd-exporter.nix
+    ./services/promtail.nix
+    ./services/roowho2.nix
+    ./services/smartd.nix
+    ./services/thermald.nix
+    ./services/uptimed.nix
+    ./services/userborn.nix
+    ./services/userdbd.nix
+  ];
+
+  boot.tmp.cleanOnBoot = lib.mkDefault true;
+  boot.kernelPackages = lib.mkDefault pkgs.linuxPackages_latest;
+
+  boot.loader.systemd-boot.enable = lib.mkDefault true;
+  boot.loader.efi.canTouchEfiVariables = lib.mkDefault true;
+
+  time.timeZone = "Europe/Oslo";
+
+  i18n.defaultLocale = "en_US.UTF-8";
+  console = {
+    font = "Lat2-Terminus16";
+    keyMap = "no";
+  };
+
+  # Don't install the /lib/ld-linux.so.2 stub
+  environment.ldso32 = null;
+
+  # .bash_profile already works, but lets also use .bashrc like literally every other distro
+  # https://man.archlinux.org/man/core/bash/bash.1.en#INVOCATION
+  # home-manager usually handles this for you: https://github.com/nix-community/home-manager/blob/22a36aa709de7dd42b562a433b9cefecf104a6ee/modules/programs/bash.nix#L203-L209
+  # btw, programs.bash.shellInit just goes into environment.shellInit which in turn goes into /etc/profile, spooky shit
+  programs.bash.shellInit = ''
+    if [ -n "''${BASH_VERSION:-}" ]; then
+      if [[ ! -f ~/.bash_profile && ! -f ~/.bash_login ]]; then
+       [[ -f ~/.bashrc ]] && . ~/.bashrc
+      fi
+    fi
+  '';
+
+  # security.lockKernelModules = true;
+  security.protectKernelImage = true;
+  security.sudo.execWheelOnly = true;
+  security.sudo.extraConfig = ''
+    Defaults lecture = never
+  '';
+
+  # These are servers, sleep is for the weak
+  systemd.sleep.extraConfig = lib.mkDefault ''
+    AllowSuspend=no
+    AllowHibernation=no
+  '';
+
+  # users.mutableUsers = lib.mkDefault false;
+
+  users.groups."drift".name = "drift";
+
+  # Trusted users on the nix builder machines
+  users.groups."nix-builder-users".name = "nix-builder-users";
+}
--- a/base/flake-input-exporter.nix
+++ b/base/flake-input-exporter.nix
@@ -0,0 +1,55 @@
+{
+  config,
+  inputs,
+  lib,
+  pkgs,
+  values,
+  ...
+}:
+let
+  data = lib.flip lib.mapAttrs inputs (
+    name: input: {
+      inherit (input)
+        lastModified
+        ;
+    }
+  );
+  folder = pkgs.writeTextDir "share/flake-inputs" (
+    lib.concatMapStringsSep "\n" (
+      { name, value }: ''nixos_last_modified_input{flake="${name}"} ${toString value.lastModified}''
+    ) (lib.attrsToList data)
+  );
+  port = 9102;
+in
+{
+  services.nginx.virtualHosts."${config.networking.fqdn}-nixos-metrics" = {
+    serverName = config.networking.fqdn;
+    serverAliases = [
+      "${config.networking.hostName}.pvv.org"
+    ];
+    locations."/metrics" = {
+      root = "${folder}/share";
+      tryFiles = "/flake-inputs =404";
+      extraConfig = ''
+        default_type text/plain;
+      '';
+    };
+    listen = [
+      {
+        inherit port;
+        addr = "0.0.0.0";
+      }
+    ];
+    extraConfig = ''
+      allow ${values.hosts.ildkule.ipv4}/32;
+      allow ${values.hosts.ildkule.ipv6}/128;
+      allow 127.0.0.1/32;
+      allow ::1/128;
+      allow ${values.ipv4-space};
+      allow ${values.ipv6-space};
+      deny all;
+    '';
+  };
+
+  networking.firewall.allowedTCPPorts = [ port ];
+}
--- a/base/networking.nix
+++ b/base/networking.nix
@@ -0,0 +1,13 @@
+{ lib, values, ... }:
+{
+  systemd.network.enable = true;
+  networking.domain = "pvv.ntnu.no";
+  networking.useDHCP = false;
+
+  # The rest of the networking configuration is usually sourced from /values.nix
+
+  services.resolved = {
+    enable = lib.mkDefault true;
+    dnssec = "false"; # Supposdly this keeps breaking and the default is to allow downgrades anyways...
+  };
+}
--- a/base/nix.nix
+++ b/base/nix.nix
@@ -0,0 +1,45 @@
+{ lib, config, inputs, ... }:
+{
+  nix = {
+    gc = {
+      automatic = true;
+      options = "--delete-older-than 2d";
+    };
+    optimise.automatic = true;
+
+    settings = {
+      allow-dirty = true;
+      auto-allocate-uids = true;
+      builders-use-substitutes = true;
+      experimental-features = [ "nix-command" "flakes" "auto-allocate-uids" ];
+      log-lines = 50;
+      use-xdg-base-directories = true;
+    };
+
+    /* This makes commandline tools like
+    ** nix run nixpkgs#hello
+    ** and nix-shell -p hello
+    ** use the same channel the system
+    ** was built with
+    */
+    registry = lib.mkMerge [
+      {
+        "nixpkgs".flake = inputs.nixpkgs;
+        "nixpkgs-unstable".flake = inputs.nixpkgs-unstable;
+      }
+      # We avoid the reference to self in vmVariant to get a stable system .outPath for equivalence testing
+      (lib.mkIf (!config.virtualisation.isVmVariant) {
+        "pvv-nix".flake = inputs.self;
+      })
+    ];
+    nixPath = [
+      "nixpkgs=${inputs.nixpkgs}"
+      "unstable=${inputs.nixpkgs-unstable}"
+    ];
+  };
+
+  # Make builds to be more likely killed than important services.
+  # 100 is the default for user slices and 500 is systemd-coredumpd@
+  # We rather want a build to be killed than our precious user sessions as builds can be easily restarted.
+  systemd.services.nix-daemon.serviceConfig.OOMScoreAdjust = lib.mkDefault 250;
+}
--- a/base/programs.nix
+++ b/base/programs.nix
@@ -0,0 +1,68 @@
+{ pkgs, lib, ... }:
+{
+  # We don't need fonts on headless machines
+  fonts.fontconfig.enable = lib.mkDefault false;
+
+  # Extra packags for better terminal emulator compatibility in SSH sessions
+  environment.enableAllTerminfo = true;
+
+  environment.systemPackages = with pkgs; [
+    # Debug dns outside resolvectl
+    dig
+
+    # Debug and find files
+    file
+
+    # Process json data
+    jq
+
+    # Check computer specs
+    lshw
+
+    # Check who is keeping open files
+    lsof
+
+    # Scan for open ports with netstat
+    net-tools
+
+    # Grep for files quickly
+    ripgrep
+
+    # Copy files over the network
+    rsync
+
+    # Access various state, often in /var/lib
+    sqlite-interactive
+
+    # Debug software which won't debug itself
+    strace
+
+    # Download files from the internet
+    wget
+  ];
+
+  # Clone/push nix config and friends
+  programs.git.enable = true;
+
+  # Gitea gpg, oysteikt sops, etc.
+  programs.gnupg.agent.enable = true;
+
+  # Monitor the wellbeing of the machines
+  programs.htop.enable = true;
+
+  # Keep sessions running during work over SSH
+  programs.tmux.enable = true;
+
+  # Same reasoning as tmux
+  programs.screen.enable = true;
+
+  # Edit files on the system without resorting to joe(1)
+  programs.nano.enable = true;
+  # Same reasoning as nano
+  programs.vim.enable = true;
+  # Same reasoning as vim
+  programs.neovim.enable = true;
+
+  # Some people like this shell for some reason
+  programs.zsh.enable = true;
+}
--- a/base/services/acme.nix
+++ b/base/services/acme.nix
@@ -0,0 +1,13 @@
+{ ... }:
+{
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = "acme-drift@pvv.ntnu.no";
+  };
+
+  # Let's not spam LetsEncrypt in `nixos-rebuild build-vm` mode:
+  virtualisation.vmVariant = {
+    security.acme.defaults.server = "https://127.0.0.1";
+    users.users.root.initialPassword = "root";
+  };
+}
--- a/base/services/auto-upgrade.nix
+++ b/base/services/auto-upgrade.nix
@@ -0,0 +1,41 @@
+{ config, inputs, pkgs, lib, ... }:
+
+let
+  inputUrls = lib.mapAttrs (input: value: value.url) (import "${inputs.self}/flake.nix").inputs;
+in
+
+{
+  system.autoUpgrade = {
+    enable = true;
+    flake = "git+https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git";
+    flags = [
+      "-L"
+
+      "--refresh"
+      "--no-write-lock-file"
+      # --update-input is deprecated since nix 2.22, and removed in lix 2.90
+      # as such we instead use --override-input combined with --refresh
+      # https://git.lix.systems/lix-project/lix/issues/400
+    ] ++ (lib.pipe inputUrls [
+      (lib.intersectAttrs {
+        nixpkgs = { };
+        nixpkgs-unstable = { };
+      })
+      (lib.mapAttrsToList (input: url: ["--override-input" input url]))
+      lib.concatLists
+    ]);
+  };
+
+  # workaround for https://github.com/NixOS/nix/issues/6895
+  # via https://git.lix.systems/lix-project/lix/issues/400
+  environment.etc = lib.mkIf (!config.virtualisation.isVmVariant && config.system.autoUpgrade.enable) {
+    "current-system-flake-inputs.json".source
+      = pkgs.writers.writeJSON "flake-inputs.json" (
+        lib.flip lib.mapAttrs inputs (name: input:
+          # inputs.*.sourceInfo sans outPath, since writeJSON will otherwise serialize sourceInfo like a derivation
+          lib.removeAttrs (input.sourceInfo or {}) [ "outPath" ]
+            // { store-path = input.outPath; } # comment this line if you don't want to retain a store reference to the flake inputs
+        )
+      );
+  };
+}
--- a/base/services/dbus.nix
+++ b/base/services/dbus.nix
@@ -0,0 +1,7 @@
+{ ... }:
+{
+  services.dbus = {
+    enable = true;
+    implementation = "broker";
+  };
+}
--- a/base/services/fwupd.nix
+++ b/base/services/fwupd.nix
@@ -0,0 +1,4 @@
+{ ... }:
+{
+  services.fwupd.enable = true;
+}
--- a/base/services/irqbalance.nix
+++ b/base/services/irqbalance.nix
@@ -0,0 +1,4 @@
+{ ... }:
+{
+  services.irqbalance.enable = true;
+}
--- a/base/services/journald-upload.nix
+++ b/base/services/journald-upload.nix
@@ -0,0 +1,24 @@
+{ config, lib, values, ... }:
+let
+  cfg = config.services.journald.upload;
+in
+{
+  services.journald.upload = {
+    enable = lib.mkDefault true;
+    settings.Upload = {
+      # URL = "https://journald.pvv.ntnu.no:${toString config.services.journald.remote.port}";
+      URL = "https://${values.hosts.ildkule.ipv4}:${toString config.services.journald.remote.port}";
+      ServerKeyFile = "-";
+      ServerCertificateFile = "-";
+      TrustedCertificateFile = "-";
+    };
+  };
+
+  systemd.services."systemd-journal-upload".serviceConfig = lib.mkIf cfg.enable {
+    IPAddressDeny = "any";
+    IPAddressAllow = [
+      values.hosts.ildkule.ipv4
+      values.hosts.ildkule.ipv6
+    ];
+  };
+}
--- a/base/services/logrotate.nix
+++ b/base/services/logrotate.nix
@@ -0,0 +1,8 @@
+{ ... }:
+{
+  systemd.services.logrotate = {
+    documentation = [ "man:logrotate(8)" "man:logrotate.conf(5)" ];
+    unitConfig.RequiresMountsFor = "/var/log";
+    serviceConfig.ReadWritePaths = [ "/var/log" ];
+  };
+}
--- a/base/services/nginx.nix
+++ b/base/services/nginx.nix
@@ -0,0 +1,76 @@
+{ config, lib, ... }:
+{
+  # nginx return 444 for all nonexistent virtualhosts
+
+  systemd.services.nginx.after = [ "generate-snakeoil-certs.service" ];
+
+  environment.snakeoil-certs = lib.mkIf config.services.nginx.enable {
+    "/etc/certs/nginx" = {
+      owner = "nginx";
+      group = "nginx";
+    };
+  };
+
+  networking.firewall.allowedTCPPorts = lib.mkIf config.services.nginx.enable [ 80 443 ];
+
+  services.nginx = {
+    recommendedTlsSettings = true;
+    recommendedProxySettings = true;
+    recommendedOptimisation = true;
+    recommendedGzipSettings = true;
+
+    appendConfig = ''
+      # pcre_jit on;
+      worker_processes auto;
+      worker_rlimit_nofile 100000;
+    '';
+    eventsConfig = ''
+      worker_connections 2048;
+      use epoll;
+      # multi_accept on;
+    '';
+  };
+
+  systemd.services.nginx.serviceConfig = lib.mkIf config.services.nginx.enable {
+    LimitNOFILE = 65536;
+    # We use jit my dudes
+    MemoryDenyWriteExecute = lib.mkForce false;
+    # What the fuck do we use that where the defaults are not enough???
+    SystemCallFilter = lib.mkForce null;
+  };
+
+  services.nginx.virtualHosts = lib.mkIf config.services.nginx.enable {
+    "_" = {
+      listen = [
+        {
+          addr = "0.0.0.0";
+          extraParameters = [
+            "default_server"
+            # Seemingly the default value of net.core.somaxconn
+            "backlog=4096"
+            "deferred"
+          ];
+        }
+        {
+          addr = "[::0]";
+          extraParameters = [
+            "default_server"
+            "backlog=4096"
+            "deferred"
+          ];
+        }
+      ];
+      sslCertificate = "/etc/certs/nginx.crt";
+      sslCertificateKey = "/etc/certs/nginx.key";
+      addSSL = true;
+      extraConfig = "return 444;";
+    };
+
+    ${config.networking.fqdn} = {
+      sslCertificate = lib.mkDefault "/etc/certs/nginx.crt";
+      sslCertificateKey = lib.mkDefault "/etc/certs/nginx.key";
+      addSSL = lib.mkDefault true;
+      extraConfig = lib.mkDefault "return 444;";
+    };
+  };
+}
--- a/base/services/openssh.nix
+++ b/base/services/openssh.nix
@@ -0,0 +1,21 @@
+{ ... }:
+{
+  services.openssh = {
+    enable = true;
+    startWhenNeeded = true;
+    extraConfig = ''
+      PubkeyAcceptedAlgorithms=+ssh-rsa
+      Match Group wheel
+        PasswordAuthentication no
+      Match All
+    '';
+    settings.PermitRootLogin = "yes";
+
+  };
+    users.users."root".openssh.authorizedKeys.keys = [
+      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCqVt4LCe0YIttr9swFxjkjn37ZDY9JxwVC+2gvfSINDJorOCtqPjDOTD2fTS1Gz08QCwpnLWq2kyvRchu6WgriAbSACpbZZBgxRaF/FVh3oiMVFGnNKGnv6/fdo/vZtu8mUVuqtmTrgLYpZdbR4oD3XiBlDKs7Cv5hPqt95lnP6MNFvE8mICCfd1PwhsABd2IQ5laz3u77/RXhNFJL0Kf2/+6gk9awcLuwHrPdvq7c3BxRHbc9UMRQENyjyQPa7aLe+uJBFLKP51I8VBuDpDacuibQx7nMt6N2UJ2KWI0JxRMHuJNq4S5jidR82aOw9gzGbTv30SKNLMqsZ0xj4LtdqCXDiZF6Lr09PsJYsvnBUFWa14HGcThKDtgwQwBryNViYmfv//0h9+RLZiU0ab+NEwSs7Zh5iAD+vhx64QqNX3tR7Le4SWXh8W0eShU9N78qYdSkiC3Ui7htxeqOocXM/P4AwbnHsLELIvkHdvgchCPvl8ygZa4WJTEWv16+ICskJcAKWGuqjvXAFuwjJJmPp9xLW9O0DFfQhMELiGamQR9wK07yYQVr34iah6qZO7cwhSKyEPFrVPIaNtfDhsjED639F7vmktf26SWNJHWfW0wOHILjI6TgqUvy0JDd8W8w0CHlAfz6Fs2l99NNgNF8dB3vBASbxS0hu/y0PVu/xQ== openstack-sleipner"
+
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICCbgJ0Uwh9VSVhfId7l9i5/jk4CvAK5rbkiab8R+moF root@sleipner"
+    ];
+}
+
--- a/base/services/polkit.nix
+++ b/base/services/polkit.nix
@@ -0,0 +1,15 @@
+{ config, lib, ... }:
+let
+  cfg = config.security.polkit;
+in
+{
+  security.polkit.enable = true;
+
+  environment.etc."polkit-1/rules.d/9-nixos-overrides.rules".text = lib.mkIf cfg.enable ''
+    polkit.addAdminRule(function(action, subject) {
+        if(subject.isInGroup("wheel")) {
+            return ["unix-user:"+subject.user];
+        }
+    });
+  '';
+}
--- a/base/services/postfix.nix
+++ b/base/services/postfix.nix
@@ -0,0 +1,22 @@
+{ config, pkgs, lib, ... }:
+let
+  cfg = config.services.postfix;
+in
+{
+  services.postfix = {
+    enable = true;
+
+    settings.main = {
+      myhostname = "${config.networking.hostName}.pvv.ntnu.no";
+      mydomain = "pvv.ntnu.no";
+
+      # Nothing should be delivered to this machine
+      mydestination = [ ];
+
+      relayhost = [ "smtp.pvv.ntnu.no:465" ];
+
+      smtp_tls_wrappermode = "yes";
+      smtp_tls_security_level = "encrypt";
+    };
+  };
+}
--- a/base/services/prometheus-node-exporter.nix
+++ b/base/services/prometheus-node-exporter.nix
@@ -0,0 +1,23 @@
+{ config, lib, values, ... }:
+let
+  cfg = config.services.prometheus.exporters.node;
+in
+{
+  services.prometheus.exporters.node = {
+    enable = lib.mkDefault true;
+    port = 9100;
+    enabledCollectors = [ "systemd" ];
+  };
+
+  systemd.services.prometheus-node-exporter.serviceConfig = lib.mkIf cfg.enable {
+    IPAddressDeny = "any";
+    IPAddressAllow = [
+      "127.0.0.1"
+      "::1"
+      values.hosts.ildkule.ipv4
+      values.hosts.ildkule.ipv6
+    ];
+  };
+
+  networking.firewall.allowedTCPPorts = lib.mkIf cfg.enable [ cfg.port ];
+}
--- a/base/services/prometheus-systemd-exporter.nix
+++ b/base/services/prometheus-systemd-exporter.nix
@@ -0,0 +1,26 @@
+{ config, lib, values, ... }:
+let
+  cfg = config.services.prometheus.exporters.systemd;
+in
+{
+  services.prometheus.exporters.systemd = {
+    enable = lib.mkDefault true;
+    port = 9101;
+    extraFlags = [
+      "--systemd.collector.enable-restart-count"
+      "--systemd.collector.enable-ip-accounting"
+    ];
+  };
+
+  systemd.services.prometheus-systemd-exporter.serviceConfig = {
+    IPAddressDeny = "any";
+    IPAddressAllow = [
+      "127.0.0.1"
+      "::1"
+      values.hosts.ildkule.ipv4
+      values.hosts.ildkule.ipv6
+    ];
+  };
+
+  networking.firewall.allowedTCPPorts = lib.mkIf cfg.enable [ cfg.port ];
+}
--- a/base/services/promtail.nix
+++ b/base/services/promtail.nix
@@ -0,0 +1,38 @@
+{ config, lib, values, ... }:
+let
+  cfg = config.services.prometheus.exporters.node;
+in
+{
+  services.promtail = {
+    enable = lib.mkDefault true;
+    configuration = {
+      server = {
+        http_listen_port = 28183;
+        grpc_listen_port = 0;
+      };
+      clients = [{
+        url = "http://ildkule.pvv.ntnu.no:3100/loki/api/v1/push";
+      }];
+      scrape_configs = [{
+        job_name = "systemd-journal";
+        journal = {
+          max_age = "12h";
+          labels = {
+            job = "systemd-journal";
+            host = config.networking.hostName;
+          };
+        };
+        relabel_configs = [
+          {
+            source_labels = [ "__journal__systemd_unit" ];
+            target_label = "unit";
+          }
+          {
+            source_labels = [ "__journal_priority_keyword" ];
+            target_label = "level";
+          }
+        ];
+      }];
+    };
+  };
+}
--- a/base/services/roowho2.nix
+++ b/base/services/roowho2.nix
@@ -0,0 +1,12 @@
+{ lib, values, ... }:
+{
+  services.roowho2.enable = lib.mkDefault true;
+
+  systemd.sockets.roowho2-rwhod.socketConfig = {
+    IPAddressDeny = "any";
+    IPAddressAllow = [
+      "127.0.0.1"
+      values.ipv4-space
+    ];
+  };
+}
--- a/base/services/smartd.nix
+++ b/base/services/smartd.nix
@@ -0,0 +1,22 @@
+{ config, pkgs, lib, ... }:
+{
+  services.smartd = {
+    # NOTE: qemu guests tend not to have SMART-reporting disks. Please override for the
+    #       hosts with disk passthrough.
+    enable = lib.mkDefault (!config.services.qemuGuest.enable);
+    notifications = {
+      mail = {
+        enable = true;
+        sender = "root@pvv.ntnu.no";
+        recipient = "root@pvv.ntnu.no";
+      };
+      wall.enable = false;
+    };
+  };
+
+  environment.systemPackages = lib.optionals config.services.smartd.enable (with pkgs; [
+    smartmontools
+  ]);
+
+  systemd.services.smartd.unitConfig.ConditionVirtualization = "no";
+}
--- a/base/services/thermald.nix
+++ b/base/services/thermald.nix
@@ -0,0 +1,8 @@
+{ config, lib, ... }:
+{
+  # Let's not thermal throttle
+  services.thermald.enable = lib.mkIf (lib.all (x: x) [
+      (config.nixpkgs.system == "x86_64-linux")
+      (!config.boot.isContainer or false)
+    ]) true;
+}
--- a/base/services/uptimed.nix
+++ b/base/services/uptimed.nix
@@ -0,0 +1,59 @@
+{ config, pkgs, lib, ... }:
+let
+  cfg = config.services.uptimed;
+in
+{
+  options.services.uptimed.settings = lib.mkOption {
+    description = "";
+    default = { };
+    type = lib.types.submodule {
+      freeformType = with lib.types; attrsOf (either str (listOf str));
+    };
+  };
+
+  config = {
+    services.uptimed = {
+      enable = true;
+
+      settings = let
+        stateDir = "/var/lib/uptimed";
+      in {
+        PIDFILE = "${stateDir}/pid";
+        SENDMAIL = lib.mkDefault "${pkgs.system-sendmail}/bin/sendmail -t";
+      };
+    };
+
+    systemd.services.uptimed = lib.mkIf (cfg.enable) {
+      serviceConfig = let
+        uptimed = pkgs.uptimed.overrideAttrs (prev: {
+          postPatch = ''
+             substituteInPlace Makefile.am \
+               --replace-fail '$(sysconfdir)/uptimed.conf' '/var/lib/uptimed/uptimed.conf'
+             substituteInPlace src/Makefile.am \
+               --replace-fail '$(sysconfdir)/uptimed.conf' '/var/lib/uptimed/uptimed.conf'
+          '';
+        });
+
+      in {
+        Type = "notify";
+
+        ExecStart = lib.mkForce "${uptimed}/sbin/uptimed -f";
+
+        BindReadOnlyPaths = let
+          configFile = lib.pipe cfg.settings [
+            (lib.mapAttrsToList
+              (k: v:
+                if builtins.isList v
+                  then lib.mapConcatStringsSep "\n" (v': "${k}=${v'}") v
+                  else "${k}=${v}")
+            )
+            (lib.concatStringsSep "\n")
+            (pkgs.writeText "uptimed.conf")
+          ];
+        in [
+          "${configFile}:/var/lib/uptimed/uptimed.conf"
+        ];
+      };
+    };
+  };
+}
--- a/base/services/userborn.nix
+++ b/base/services/userborn.nix
@@ -0,0 +1,4 @@
+{ ... }:
+{
+  services.userborn.enable = true;
+}
--- a/base/services/userdbd.nix
+++ b/base/services/userdbd.nix
@@ -0,0 +1,4 @@
+{ ... }:
+{
+  services.userdbd.enable = true;
+}
--- a/base/sops.nix
+++ b/base/sops.nix
@@ -0,0 +1,12 @@
+{ config, fp, lib, ... }:
+{
+  sops.defaultSopsFile = let
+    secretsFilePath = fp /secrets/${config.networking.hostName}/${config.networking.hostName}.yaml;
+  in lib.mkIf (builtins.pathExists secretsFilePath) secretsFilePath;
+
+  sops.age = lib.mkIf (config.sops.defaultSopsFile != null) {
+    sshKeyPaths = lib.mkDefault [ "/etc/ssh/ssh_host_ed25519_key" ];
+    keyFile = "/var/lib/sops-nix/key.txt";
+    generateKey = true;
+  };
+}
--- a/base/vm.nix
+++ b/base/vm.nix
@@ -0,0 +1,16 @@
+{ lib, ... }:
+
+# This enables
+#     lib.mkIf (!config.virtualisation.isVmVariant) { ... }
+
+{
+  options.virtualisation.isVmVariant = lib.mkOption {
+    description = "`true` if system is build with 'nixos-rebuild build-vm'";
+    type = lib.types.bool;
+    default = false;
+  };
+  config.virtualisation.vmVariant = {
+    virtualisation.isVmVariant = true;
+    virtualisation.graphics = false;
+  };
+}
--- a/docs/development-misc.md
+++ b/docs/development-misc.md
@@ -0,0 +1,103 @@
+# Miscellaneous development notes
+
+This document contains a bunch of information that is not particularly specific to the pvv nixos config,
+but concerns technologies we use often or gotchas to be aware of when working with NixOS. A lot of the information
+here is already public information spread around the internet, but we've collected some of the items we use often
+here.
+
+## The firewall
+
+`networking.firewall` is a NixOS module that configures `iptables` rules on the machine. It is enabled by default on
+all of our machines, and it can be easy to forget about it when setting up new services, especially when we are the
+ones creating the NixOS module.
+
+When setting up a new service that listens on a TCP or UDP port, make sure to add the appropriate ports to either
+`networking.firewall.allowedTCPPorts` or `networking.firewall.allowedUDPPorts`.
+
+You can list out the current firewall rules by running `sudo iptables -L -n -v` on the machine.
+
+## Finding stuff
+
+Finding stuff, both underlying implementation and usage is absolutely crucial when working on nix.
+Oftentimes, the documentation will be outdated, lacking or just plain out wrong. These are some of
+the techniques we have found to be quite good when working with nix.
+
+### [ripgrep](https://github.com/BurntSushi/ripgrep)
+
+ripgrep (or `rg` for short) is a tool that lets you recursively grep for regex patters in a directory.
+
+It is great for finding references to configuration, and where and how certain things are used. It is
+especially great when working with [nixpkgs](https://github.com/NixOS/nixpkgs), which is quite large.
+
+### GitHub Search
+
+When trying to set up a new service or reconfigure something, it is very common that someone has done it
+before you, but it has never been documented anywhere. A lot of Nix code exists on GitHub, and you can
+easily query it by using the `lang:nix` filter in the search bar.
+
+For example: https://github.com/search?q=lang%3Anix+dibbler&type=code
+
+## rsync
+
+`rsync` is a tool for synchronizing files between machines. It is very useful when transferring large
+amounts of data from a to b. We use it for multiple things, often when data is produced or stored on
+one machine, and we want to process or convert it on another. For example, we use it to transfer gitea
+artifacts, to transfer gallery pictures, to transfer minecraft world data for map rendering, and more.
+
+Along with `rsync`, we often use a lesser known tool called `rrsync`, which you can use inside an ssh
+configuration (`authorized_keys` file) to restrict what paths a user can access when connecting over ssh.
+This is useful both as a security measure, but also to avoid accidental overwrites of files outside the intended
+path. `rrsync` will use chroot to restrict what paths the user can access, as well as refuse to run arbitrary commands.
+
+## `nix repl`
+
+`nix repl` is an interactive REPL for the Nix language. It is very useful for experimenting with Nix code,
+and testing out small snippets of code to make sure it behaves as expected. You can also use it to explore
+NixOS machine configurations, to interactively see that the configuration evaluates to what you expect.
+
+```
+# While in the pvv-nixos-config directory
+nix repl .
+
+# Upon writing out the config path and clickin [Tab], you will get autocompletion suggestions:
+nix-repl> nixosConfigurations.bekkalokk.config.services.nginx.virtualHosts.
+nixosConfigurations.bekkalokk.config.services.nginx.virtualHosts._
+nixosConfigurations.bekkalokk.config.services.nginx.virtualHosts.bekkalokk.pvv.ntnu.no-nixos-metrics
+nixosConfigurations.bekkalokk.config.services.nginx.virtualHosts.idp.pvv.ntnu.no
+nixosConfigurations.bekkalokk.config.services.nginx.virtualHosts.minecraft.pvv.ntnu.no
+nixosConfigurations.bekkalokk.config.services.nginx.virtualHosts.pvv.ntnu.no
+nixosConfigurations.bekkalokk.config.services.nginx.virtualHosts.pvv.org
+nixosConfigurations.bekkalokk.config.services.nginx.virtualHosts.pw.pvv.ntnu.no
+nixosConfigurations.bekkalokk.config.services.nginx.virtualHosts.roundcubeplaceholder.example.com
+nixosConfigurations.bekkalokk.config.services.nginx.virtualHosts.snappymail.pvv.ntnu.no
+nixosConfigurations.bekkalokk.config.services.nginx.virtualHosts.webmail.pvv.ntnu.no
+nixosConfigurations.bekkalokk.config.services.nginx.virtualHosts.wiki.pvv.ntnu.no
+nixosConfigurations.bekkalokk.config.services.nginx.virtualHosts.www.pvv.ntnu.no
+nixosConfigurations.bekkalokk.config.services.nginx.virtualHosts.www.pvv.org
+```
+
+## `nix why-depends`
+
+If you ever wonder why a certain package is being used as a dependency of another package,
+or another machine, you can use `nix why-depends` to find the dependency path from one package to another.
+This is often useful after updating nixpkgs and finding an error saying that a certain package is insecure,
+broken or whatnot. You can do something like the following
+
+```bash
+# Why does bekkalokk depend on openssl?
+nix why-depends .#nixosConfigurations.bekkalokk.config.system.build.toplevel .#nixosConfigurations.bekkalokk.pkgs.openssl
+
+# Why does bekkalokk's minecraft-server depend on zlib? (this is not real)
+nix why-depends .#nixosConfigurations.bekkalokk.pkgs.minecraft-server .#nixosConfigurations.bekkalokk.pkgs.zlib
+```
+
+## php-fpm
+
+php-fpm (FastCGI Process Manager) is a PHP implementation that is designed for speed and production use. We host a bunch
+of different PHP applications (including our own website), and so we use php-fpm quite a bit. php-fpm typically exposes a
+unix socket that nginx will connect to, and php-fpm will then render php upon web requests forwarded from nginx and return
+it.
+
+php-fpm has a tendency to be a bit hard to debug. It is not always very willing to spit out error messages and logs, and so
+it can be a bit hard to figure out what's up when something goes wrong. You should see some of the commented stuff laying around
+in the website code on bekkalokk for examples of how to configure php-fpm for better logging and error reporting.
--- a/docs/development.md
+++ b/docs/development.md
@@ -0,0 +1,169 @@
+# Development - working on the PVV machines
+
+This document outlines the process of editing our NixOS configurations, and testing and deploying said changes
+to the machines. Most of the information written here is specific to the PVV NixOS configuration, and the topics
+will not really cover the nix code itself in detail. You can find some more resources for that by either following
+the links from the *Upstream documentation* section below, or in [Miscellaneous development notes](./development-misc.md).
+
+## Editing nix files
+
+> [!WARNING]
+> Before editing any nix files, make sure to read [Secret management and `sops-nix`](./secret-management.md)!
+> We do not want to add any secrets in plaintext to the nix files, and certainly not commit and publish
+> them into the common public.
+
+The files are plaintext code, written in the [`Nix` language](https://nix.dev/manual/nix/stable/language/).
+
+Below is a list of important files and directories, and a description of what they contain.
+
+### `flake.nix`
+
+The `flake.nix` file is a [nix flake](https://wiki.nixos.org/wiki/Flakes) and makes up the entrypoint of the
+entire configuration. It declares what inputs are used (similar to dependencies), as well as what outputs the
+flake exposes. In our case, the most important outputs are the `nixosConfigurations` (our machine configs), but
+we also expose custom modules, packages, devshells, and more. You can run `nix flake show` to get an overview of
+the outputs (however you will need to [enable the `nix-flakes` experimental option](https://wiki.nixos.org/wiki/Flakes#Setup)).
+
+You will find that a lot of the flake inputs are the different PVV projects that we develop, imported to be hosted
+on the NixOS machines. This makes it easy to deploy changes to these projects, as we can just update the flake input
+to point to a new commit or version, and then rebuild the machines.
+
+A NixOS configuration is usually made with the `nixpkgs.lib.nixosSystem` function, however we have a few custom wrapper
+functions named `nixosConfig` and `stableNixosConfig` that abstracts away some common configuration we want on all our machines.
+
+### `values.nix`
+
+`values.nix` is a somewhat rare pattern in NixOS configurations around the internet. It contains a bunch of constant values
+that we use throughout the configuration, such as IP addresses, DNS names, paths and more. This not only makes it easier to
+change the values should we need to, but it also makes the configuration more readable. Instead of caring what exact IP any
+machine has, you can write `values.machines.name.ipv4` and abstract the details away.
+
+### `base`
+
+The `base` directory contains a bunch of NixOS configuration that is common for all or most machines. Some of the config
+you will find here sets defaults for certain services without enabling them, so that when they are enabled in a machine config,
+we don't need to repeat the same defaults over again. Other parts actually enable certain services that we want on all machines,
+such as `openssh` or the auto upgrade timer.
+
+### Vendoring `modules` and `packages`
+
+Sometimes, we either find that the packages or modules provided by `nixpkgs` is not sufficient for us,
+or that they are bugged in some way that can not be easily overrided. There are also cases where the
+modules or packages does not exist. In these cases, we tend to either copy and modify the modules and
+packages from nixpkgs, or create our own. These modules and packages end up in the top-level `modules`
+and `packages` directories. They are usually exposed in `flake.nix` as flake outputs `nixosModules.<name>`
+and `packages.<platform>.<name>`, and they are usually also added to the machines that need them in the flake.
+
+In order to override or add an extra package, the easiest way is to use an [`overlay`](https://wiki.nixos.org/wiki/Overlays).
+This makes it so that the package from `pkgs.<name>` now refers to the modified variant of the package.
+
+In order to add a module, you can just register it in the modules of the nixos machine.
+In order to override a module, you also have to use `disabledModules = [ "<path-relative-to-nixpkgs/modules>" ];`.
+Use `rg` to find examples of the latter.
+
+Do note that if you believe a new module to be of high enough quality, or the change you are making to be
+relevant for every nix user, you should strongly consider also creating a PR towards nixpkgs. However,
+getting changes made there has a bit higher threshold and takes more time than making changes in the PVV config,
+so feel free to make the changes here first. We can always remove the changes again once the upstreaming is finished.
+
+### `users`, `secrets` and `keys`
+
+For `users`, see [User management](./users.md)
+
+For `secrets` and `keys`, see [Secret management and `sops-nix`](./secret-management.md)
+
+### Collaboration
+
+We use our gitea to collaborate on changes to the nix configuration. Every PVV maintenance member should have
+access to the repository. The usual workflow is that we create a branch for the change we want to make, do a bunch
+of commits and changes, and then open a merge request for review (or just rebase on master if you know what you are doing).
+
+### Upstream documentation
+
+Here are different sources of documentation and stuff that you might find useful while
+writing, editing and debugging nix code.
+
+ - [nixpkgs repository](https://github.com/NixOS/nixpkgs)
+
+This is particularly useful to read the source code, as well as upstreaming pieces of code that we think
+everyone would want
+
+ - [NixOS search](https://search.nixos.org/)
+
+This is useful for searching for both packages and NixOS options.
+
+ - [nixpkgs documentation](https://nixos.org/manual/nixpkgs/stable/)
+ - [NixOS documentation](https://nixos.org/manual/nixos/stable/)
+ - [nix (the tool) documentation](https://nix.dev/manual/nix/stable/)
+
+All of the three above make up the official documentation with all technical
+details about the different pieces that makes up NixOS.
+
+ - [The official NixOS wiki](https://wiki.nixos.org)
+
+User-contributed guides, tips and tricks, and whatever else.
+
+ - [nix.dev](https://nix.dev)
+
+Additional stuff
+
+ - [Noogle](https://noogle.dev)
+
+This is useful when looking for nix functions and packaging helpers.
+
+## Testing and deploying changes
+
+After editing the nix files on a certain branch, you will want to test and deploy the changes to the machines.
+Unfortunately, we don't really have a good setup for testing for runtime correctness locally, but we can at least
+make sure that the code evaluates and builds correctly before deploying.
+
+To just check that the code evaluates without errors, you can run:
+
+```bash
+nix flake check
+# Or if you want to keep getting all errors before it quits:
+nix flake check --keep-going
+```
+
+> [!NOTE]
+> If you are making changes that involves creating new nix files, remember to `git add` those files before running
+> any nix commands. Nix refuses to acknowledge files that are not either commited or at least staged. It will spit
+> out an error message about not finding the file in question.
+
+### Building machine configurations
+
+To build any specific machine configuration and look at the output, you can run:
+
+```bash
+nix build .#nixosConfigurations.<machine-name>.config.system.build.toplevel
+# or just
+nix build .#<machine-name>
+```
+
+This will create a symlink name `./result` to a directory containing the built NixOS system. It is oftentimes
+the case that config files for certain services only end up in the nix store without being put into `/etc`. If you wish
+to read those files, you can often find them by looking at the systemd unit files in `./result/etc/systemd/system/`.
+(if you are using vim, `gf` or go-to-file while the cursor is over a file path is a useful trick while doing this).
+
+If you have edited something that affects multiple machines, you can also build all important machines at once by running:
+
+```bash
+nix build .#
+```
+
+> [!NOTE]
+> Building all machines at once can take a long time, depending on what has changed and whether you have already
+> built some of the machines recently. Be prepared to wait for up to an hour to build all machines from scratch
+> if this is the first time.
+
+### Forcefully reset to `main`
+
+If you ever want to reset a machine to the `main` branch, you can do so by running:
+
+```bash
+nixos-rebuild switch --update-input nixpkgs --update-input nixpkgs-unstable --no-write-lock-file --refresh --upgrade --flake git+https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git
+```
+
+This will ignore the current branch and just pull the latest `main` from the git repository directly from gitea.
+You can also use this command if there are updates on the `main` branch that you want to deploy to the machine without
+waiting for the nightly rebuild.
--- a/docs/secret-management.md
+++ b/docs/secret-management.md
@@ -0,0 +1,160 @@
+# Secret management and `sops-nix`
+
+Nix config is love, nix config is life, and publishing said config to the
+internet is not only a good deed and kinda cool, but also encourages properly
+secured configuration as opposed to [security through obscurity](https://en.wikipedia.org/wiki/Security_through_obscurity).
+That being said, there are some details of the config that we really shouldn't
+share with the general public. In particular, there are so-called *secrets*, that is
+API keys, passwords, tokens, cookie secrets, salts, peppers and jalapenos that we'd
+rather keep to ourselves. However, it is not entirely trivial to do so in the NixOS config.
+For one, we'd have to keep these secrets out of the public git repo somehow, and secondly
+everything that is configured via nix ends up as world readable files (i.e. any user on the
+system can read the file) in `/nix/store`.
+
+In order to solve this, we use a NixOS module called [`sops-nix`](https://github.com/Mic92/sops-nix)
+which uses a technology called [`sops`](https://github.com/getsops/sops) behind the scenes.
+The idea is simple: we encrypt these secrets with a bunch of different keys and store the
+encrypted files in the git repo. First of all, we encrypt the secrets a bunch of time with
+PVV maintenance member's keys, so that we can decrypt and edit the contents. Secondly, we
+encrypt the secrets with the [host keys]() of the NixOS machines, so that they can decrypt
+the secrets. The secrets will be decrypted and stored in a well-known location (usually `/run/secrets`)
+so that they do not end up in the nix store, and are not world readable.
+
+This way, we can both keep the secrets in the git repository and let multiple people edit them,
+but also ensure that they don't end up in the wrong hands.
+
+## Adding a new machine
+
+In order to add a new machine to the nix-sops setup, you should do the following:
+
+```console
+# Create host keys (if they don't already exist)
+ssh-keygen -A -b 4096
+
+# Derive an age-key from the public host key
+nix-shell -p ssh-to-age --run 'cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age'
+
+# Register the age key in .sops.yaml
+vim .sops.yaml
+```
+
+The contents of `.sops.yaml` should look like this:
+
+```yaml
+keys:
+  # Users
+  ...
+
+  # Hosts
+  ...
+  - &host_<machine_name> <public_age_key>
+
+creation_rules:
+  ...
+
+  - path_regex: secrets/<machine_name>/[^/]+\.yaml$
+    key_groups:
+    - age:
+      - *host_<machine_name>
+      - ... user keys
+    - pgp:
+      - ... user keys
+```
+
+> [!NOTE]
+> Take care that all the keys in the `age` and `pgp` sections are prefixed
+> with a `-`, or else sops might try to encrypt the secrets in a way where
+> you need both keys present to decrypt the content. Also, it tends to throw
+> interesting errors when it fails to do so.
+
+```console
+# While cd-ed into the repository, run this to get a shell with the `sops` tool present
+nix-shell
+```
+
+Now you should also be able to edit secrets for this machine by running:
+
+```
+sops secrets/<machine_name>/<machine_name>.yaml
+```
+
+## Adding a user
+
+Adding a user is quite similar to adding a new machine.
+This guide assumes you have already set up SSH keys.
+
+```
+# Derive an age-key from your key
+# (edit the path to the key if it is named something else)
+nix-shell -p ssh-to-age --run 'cat ~/.ssh/id_ed25519.pub | ssh-to-age'
+
+# Register the age key in .sops.yaml
+vim .sops.yaml
+```
+
+The contents of `.sops.yaml` should look like this:
+
+```yaml
+keys:
+  # Users
+  ...
+  - &user_<user_name> <public_age_key>
+
+  # Hosts
+  ...
+
+creation_rules:
+  ...
+
+  # Do this for all the machines you are planning to edit
+  # (or just do it for all machines)
+  - path_regex: secrets/<machine_name>/[^/]+\.yaml$
+    key_groups:
+    - age:
+      - *host_<machine_name>
+      - ... user keys
+      - *host_<user_name>
+    - pgp:
+      - ... user keys
+```
+
+Now that sops is properly configured to recognize the key, you need someone
+who already has access to decrypt all the secrets and re-encrypt them with your
+key. At this point, you should probably [open a PR](https://docs.gitea.com/usage/issues-prs/pull-request)
+and ask someone in PVV maintenance if they can checkout the PR branch, run the following
+command and push the diff back into the PR (and maybe even ask them to merge if you're feeling
+particularly needy).
+
+```console
+sops updatekeys secrets/*/*.yaml
+```
+
+## Updating keys
+
+> [!NOTE]
+> At some point, we found this flag called `sops -r` that seemed to be described to do what
+> `sops updatekeys` does, do not be fooled. This only rotates the "inner key" for those who
+> already have the secrets encrypted with their key.
+
+Updating keys is done with this command:
+
+```console
+sops updatekeys secrets/*/*.yaml
+```
+
+However, there is a small catch. [oysteikt](https://git.pvv.ntnu.no/oysteikt) has kinda been
+getting gray hairs lately, and refuses to use modern technology - he is still stuck using GPG.
+This means that to be able to re-encrypt the sops secrets, you will need to have a gpg keychain
+with his latest public key available. The key has an expiry date, so if he forgets to update it,
+you should send him and angry email and tag him a bunch of times in a gitea issue. If the key
+is up to date, you can do the following:
+
+```console
+# Fetch gpg (unless you have it already)
+nix shell nixpkgs#gnupg
+
+# Import oysteikts key to the gpg keychain
+gpg --import ./keys/oysteikt.pub
+```
+
+Now you should be able to run the `sops updatekeys` command again.
--- a/docs/users.md
+++ b/docs/users.md
@@ -0,0 +1,50 @@
+# User management
+
+Due to some complications with how NixOS creates users compared to how we used to
+create users with the salt-based setup, the NixOS machine users are created and
+managed separately. We tend to create users on-demand, whenever someone in PVV
+maintenance want to work on the NixOS machines.
+
+## Setting up a new user
+
+You can find the files for the existing users, and thereby examples of user files
+in the [`users`](../users) directory. When creating a new file here, you should name it
+`your-username.nix`, and add *at least* the following contents:
+
+```nix
+{ pkgs, ... }:
+{
+  users.users."<username>" = {
+    isNormalUser = true;
+    extraGroups = [
+      "wheel" # In case you wanna use sudo (you probably do)
+      "nix-builder-users" # Arbitrary access to write to the nix store
+    ];
+
+    # Any packages you frequently use to manage servers go here.
+    # Please don't pull gigantonormous packages here unless you
+    # absolutely need them, and remember that any package can be
+    # pulled via nix-shell if you only use it once in a blue moon.
+    packages = with pkgs; [
+      bottom
+      eza
+    ];
+
+    # Not strictly needed, but we recommend adding your public SSH
+    # key here. If it is not present, you will have to log into the
+    # machine as 'root' before setting your password for every NixOS
+    # machine you have not logged into yet.
+    openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIjiQ0wg4lpC7YBMAAHoGmgwqHOBi+EUz5mmCymGlIyT my-key"
+    ];
+  };
+}
+```
+
+The file will be picked up automatically, so creating the file and adding the
+contents should be enough to get you registered. You should
+[open a PR](https://docs.gitea.com/usage/issues-prs/pull-request) with the new
+code so the machines will be rebuilt with your user present.
+
+See also [Secret Management](./secret-management.md) for how to add your keys to the
+system that lets us add secrets (API keys, password, etc.) to the NixOS config.
--- a/flake.lock
+++ b/flake.lock
@@ -1,5 +1,26 @@
 {
  "nodes": {
+    "dibbler": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1770133120,
+        "narHash": "sha256-RuAWONXb+U3omSsuIPCrPcgj0XYqv+2djG0cnPGEyKg=",
+        "ref": "main",
+        "rev": "3123b8b474319bc75ee780e0357dcdea69dc85e6",
+        "revCount": 244,
+        "type": "git",
+        "url": "https://git.pvv.ntnu.no/Projects/dibbler.git"
+      },
+      "original": {
+        "ref": "main",
+        "type": "git",
+        "url": "https://git.pvv.ntnu.no/Projects/dibbler.git"
+      }
+    },
    "disko": {
      "inputs": {
        "nixpkgs": [
@@ -7,39 +28,81 @@
        ]
      },
      "locked": {
-        "lastModified": 1700927249,
-        "narHash": "sha256-iqmIWiEng890/ru7ZBf4nUezFPyRm2fjRTvuwwxqk2o=",
+        "lastModified": 1736864502,
+        "narHash": "sha256-ItkIZyebGvNH2dK9jVGzJHGPtb6BSWLN8Gmef16NeY0=",
        "owner": "nix-community",
        "repo": "disko",
-        "rev": "3cb78c93e6a02f494aaf6aeb37481c27a2e2ee22",
+        "rev": "0141aabed359f063de7413f80d906e1d98c0c123",
        "type": "github"
      },
      "original": {
        "owner": "nix-community",
+        "ref": "v1.11.0",
        "repo": "disko",
        "type": "github"
      }
    },
-    "grzegorz": {
+    "flake-parts": {
      "inputs": {
-        "nixpkgs": [
-          "nixpkgs-unstable"
-        ]
+        "nixpkgs-lib": "nixpkgs-lib"
      },
      "locked": {
-        "lastModified": 1696346665,
-        "narHash": "sha256-J6Tf6a/zhFZ8SereluHLrvgPsIVm2CGHHA8wrbhZB3Y=",
-        "owner": "Programvareverkstedet",
-        "repo": "grzegorz",
-        "rev": "9b9c3ac7d408ac7c6d67544b201e6b169afacb03",
+        "lastModified": 1765835352,
+        "narHash": "sha256-XswHlK/Qtjasvhd1nOa1e8MgZ8GS//jBoTqWtrS1Giw=",
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "rev": "a34fae9c08a15ad73f295041fec82323541400a9",
        "type": "github"
      },
      "original": {
-        "owner": "Programvareverkstedet",
-        "repo": "grzegorz",
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
        "type": "github"
      }
    },
+    "gergle": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1767906545,
+        "narHash": "sha256-LOf08pcjEQFLs3dLPuep5d1bAXWOFcdfxuk3YMb5KWw=",
+        "ref": "main",
+        "rev": "e55cbe0ce0b20fc5952ed491fa8a553c8afb1bdd",
+        "revCount": 23,
+        "type": "git",
+        "url": "https://git.pvv.ntnu.no/Grzegorz/gergle.git"
+      },
+      "original": {
+        "ref": "main",
+        "type": "git",
+        "url": "https://git.pvv.ntnu.no/Grzegorz/gergle.git"
+      }
+    },
+    "greg-ng": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "rust-overlay": "rust-overlay"
+      },
+      "locked": {
+        "lastModified": 1767906494,
+        "narHash": "sha256-Dd6gtdZfRMAD6JhdX0GdJwIHVaBikePSpQXhIdwLlWI=",
+        "ref": "main",
+        "rev": "7258822e2e90fea2ea00b13b5542f63699e33a9e",
+        "revCount": 61,
+        "type": "git",
+        "url": "https://git.pvv.ntnu.no/Grzegorz/greg-ng.git"
+      },
+      "original": {
+        "ref": "main",
+        "type": "git",
+        "url": "https://git.pvv.ntnu.no/Grzegorz/greg-ng.git"
+      }
+    },
    "grzegorz-clients": {
      "inputs": {
        "nixpkgs": [
@@ -47,60 +110,147 @@
        ]
      },
      "locked": {
-        "lastModified": 1693864994,
-        "narHash": "sha256-oLDiWdCKDtEfeGzfAuDTq+n9VWp6JCo67PEESEZ3y8E=",
-        "owner": "Programvareverkstedet",
-        "repo": "grzegorz-clients",
-        "rev": "a38a0b0fb31ad0ad78a91458cb2c7f77f686468f",
-        "type": "github"
+        "lastModified": 1764867811,
+        "narHash": "sha256-UWHiwr8tIcGcVxMLvAdNxDbQ8QuHf3REHboyxvFkYEI=",
+        "ref": "master",
+        "rev": "c9983e947efe047ea9d6f97157a1f90e49d0eab3",
+        "revCount": 81,
+        "type": "git",
+        "url": "https://git.pvv.ntnu.no/Grzegorz/grzegorz-clients.git"
      },
      "original": {
-        "owner": "Programvareverkstedet",
-        "repo": "grzegorz-clients",
-        "type": "github"
+        "ref": "master",
+        "type": "git",
+        "url": "https://git.pvv.ntnu.no/Grzegorz/grzegorz-clients.git"
      }
    },
    "matrix-next": {
      "inputs": {
-        "nixpkgs-lib": "nixpkgs-lib"
+        "nixpkgs": [
+          "nixpkgs"
+        ]
      },
      "locked": {
-        "lastModified": 1697936579,
-        "narHash": "sha256-nMyepKnwoHMzu2OpXvG2ZhU081TV9ENmWCo0vWxs6AI=",
+        "lastModified": 1764844095,
+        "narHash": "sha256-Drf1orxsmFDzO+UbPo85gHjXW7QzAM+6oTPvI7vOSik=",
        "owner": "dali99",
        "repo": "nixos-matrix-modules",
-        "rev": "e09814657187c8ed1a5fe1646df6d8da1eb2dee9",
+        "rev": "25b9f31ef1dbc3987b4c716de716239f2b283701",
        "type": "github"
      },
      "original": {
        "owner": "dali99",
+        "ref": "v0.8.0",
        "repo": "nixos-matrix-modules",
-        "rev": "e09814657187c8ed1a5fe1646df6d8da1eb2dee9",
+        "type": "github"
+      }
+    },
+    "minecraft-heatmap": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "rust-overlay": "rust-overlay_2"
+      },
+      "locked": {
+        "lastModified": 1767906976,
+        "narHash": "sha256-igCg8I83eO+noF00raXVJqDxzLS2SrZN8fK5bnvO+xI=",
+        "ref": "main",
+        "rev": "626bc9b6bae6a997b347cdbe84080240884f2955",
+        "revCount": 17,
+        "type": "git",
+        "url": "https://git.pvv.ntnu.no/Projects/minecraft-heatmap.git"
+      },
+      "original": {
+        "ref": "main",
+        "type": "git",
+        "url": "https://git.pvv.ntnu.no/Projects/minecraft-heatmap.git"
+      }
+    },
+    "minecraft-kartverket": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1769500363,
+        "narHash": "sha256-vFxmdsLBPdTy5j2bf54gbTQi1XnWbZDmeR/BBh8MFrw=",
+        "ref": "main",
+        "rev": "2618e434e40e109eaab6a0693313c7e0de7324a3",
+        "revCount": 47,
+        "type": "git",
+        "url": "https://git.pvv.ntnu.no/Projects/minecraft-kartverket.git"
+      },
+      "original": {
+        "ref": "main",
+        "type": "git",
+        "url": "https://git.pvv.ntnu.no/Projects/minecraft-kartverket.git"
+      }
+    },
+    "nix-gitea-themes": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1770960722,
+        "narHash": "sha256-IdhPsWFZUKSJh/nLjGLJvGM5d5Uta+k1FlVYPxTZi0E=",
+        "ref": "main",
+        "rev": "c2e4aca7e1ba27cd09eeaeab47010d32a11841b2",
+        "revCount": 15,
+        "type": "git",
+        "url": "https://git.pvv.ntnu.no/Drift/nix-gitea-themes.git"
+      },
+      "original": {
+        "ref": "main",
+        "type": "git",
+        "url": "https://git.pvv.ntnu.no/Drift/nix-gitea-themes.git"
+      }
+    },
+    "nix-topology": {
+      "inputs": {
+        "flake-parts": "flake-parts",
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1769018862,
+        "narHash": "sha256-x3eMpPQhZwEDunyaUos084Hx41XwYTi2uHY4Yc4YNlk=",
+        "owner": "oddlama",
+        "repo": "nix-topology",
+        "rev": "a15cac71d3399a4c2d1a3482ae62040a3a0aa07f",
+        "type": "github"
+      },
+      "original": {
+        "owner": "oddlama",
+        "ref": "main",
+        "repo": "nix-topology",
        "type": "github"
      }
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1701362232,
-        "narHash": "sha256-GVdzxL0lhEadqs3hfRLuj+L1OJFGiL/L7gCcelgBlsw=",
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "d2332963662edffacfddfad59ff4f709dde80ffe",
-        "type": "github"
+        "lastModified": 1769724120,
+        "narHash": "sha256-oQBM04hQk1kotfv4qmIG1tHmuwODd1+hqRJE5TELeCE=",
+        "rev": "8ec59ed5093c2a742d7744e9ecf58f358aa4a87d",
+        "type": "tarball",
+        "url": "https://releases.nixos.org/nixos/25.11-small/nixos-25.11.4961.8ec59ed5093c/nixexprs.tar.xz"
      },
      "original": {
-        "id": "nixpkgs",
-        "ref": "nixos-23.05-small",
-        "type": "indirect"
+        "type": "tarball",
+        "url": "https://nixos.org/channels/nixos-25.11-small/nixexprs.tar.xz"
      }
    },
    "nixpkgs-lib": {
      "locked": {
-        "lastModified": 1673743903,
-        "narHash": "sha256-sloY6KYyVOozJ1CkbgJPpZ99TKIjIvM+04V48C04sMQ=",
+        "lastModified": 1765674936,
+        "narHash": "sha256-k00uTP4JNfmejrCLJOwdObYC9jHRrr/5M/a/8L2EIdo=",
        "owner": "nix-community",
        "repo": "nixpkgs.lib",
-        "rev": "7555e2dfcbac1533f047021f1744ac8871150f9f",
+        "rev": "2075416fcb47225d9b68ac469a5c4801a9c4dd85",
        "type": "github"
      },
      "original": {
@@ -109,35 +259,17 @@
        "type": "github"
      }
    },
-    "nixpkgs-stable": {
-      "locked": {
-        "lastModified": 1700905716,
-        "narHash": "sha256-w1vHn2MbGfdC+CrP3xLZ3scsI06N0iQLU7eTHIVEFGw=",
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "dfb95385d21475da10b63da74ae96d89ab352431",
-        "type": "github"
-      },
-      "original": {
-        "owner": "NixOS",
-        "ref": "release-23.05",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
-    },
    "nixpkgs-unstable": {
      "locked": {
-        "lastModified": 1701368325,
-        "narHash": "sha256-3OqZyi2EdopJxpxwrySPyCTuCvfBY4oXTLVgQ4B6qDg=",
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "3934dbde4f4a0e266825348bc4ad1bdd00a8d6a3",
-        "type": "github"
+        "lastModified": 1769813739,
+        "narHash": "sha256-RmNWW1DQczvDwBHu11P0hGwJZxbngdoymVu7qkwq/2M=",
+        "rev": "16a3cae5c2487b1afa240e5f2c1811f172419558",
+        "type": "tarball",
+        "url": "https://releases.nixos.org/nixos/unstable-small/nixos-26.05pre937548.16a3cae5c248/nixexprs.tar.xz"
      },
      "original": {
-        "id": "nixpkgs",
-        "ref": "nixos-unstable-small",
-        "type": "indirect"
+        "type": "tarball",
+        "url": "https://nixos.org/channels/nixos-unstable-small/nixexprs.tar.xz"
      }
    },
    "pvv-calendar-bot": {
@@ -147,48 +279,185 @@
        ]
      },
      "locked": {
-        "lastModified": 1693136143,
-        "narHash": "sha256-amHprjftc3y/bg8yf4hITCLa+ez5HIi0yGfR7TU6UIc=",
-        "ref": "refs/heads/main",
-        "rev": "a32894b305f042d561500f5799226afd1faf5abb",
-        "revCount": 9,
+        "lastModified": 1764869785,
+        "narHash": "sha256-FGTIpC7gB4lbeL0bfYzn1Ge0PaCpd7VqWBLhJBx0i4A=",
+        "ref": "main",
+        "rev": "8ce7fb0b1918bdb3d1489a40d73895693955e8b2",
+        "revCount": 23,
        "type": "git",
        "url": "https://git.pvv.ntnu.no/Projects/calendar-bot.git"
      },
      "original": {
+        "ref": "main",
        "type": "git",
        "url": "https://git.pvv.ntnu.no/Projects/calendar-bot.git"
      }
    },
+    "pvv-nettsiden": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1769009806,
+        "narHash": "sha256-52xTtAOc9B+MBRMRZ8HI6ybNsRLMlHHLh+qwAbaJjRY=",
+        "ref": "main",
+        "rev": "aa8adfc6a4d5b6222752e2d15d4a6d3b3b85252e",
+        "revCount": 575,
+        "type": "git",
+        "url": "https://git.pvv.ntnu.no/Projects/nettsiden.git"
+      },
+      "original": {
+        "ref": "main",
+        "type": "git",
+        "url": "https://git.pvv.ntnu.no/Projects/nettsiden.git"
+      }
+    },
+    "qotd": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1768684204,
+        "narHash": "sha256-TErBiXxTRPUtZ/Mw8a5p+KCeGCFXa0o8fzwGoo75//Y=",
+        "ref": "main",
+        "rev": "a86f361bb8cfac3845b96d49fcbb2faea669844f",
+        "revCount": 11,
+        "type": "git",
+        "url": "https://git.pvv.ntnu.no/Projects/qotd.git"
+      },
+      "original": {
+        "ref": "main",
+        "type": "git",
+        "url": "https://git.pvv.ntnu.no/Projects/qotd.git"
+      }
+    },
    "root": {
      "inputs": {
+        "dibbler": "dibbler",
        "disko": "disko",
-        "grzegorz": "grzegorz",
+        "gergle": "gergle",
+        "greg-ng": "greg-ng",
        "grzegorz-clients": "grzegorz-clients",
        "matrix-next": "matrix-next",
+        "minecraft-heatmap": "minecraft-heatmap",
+        "minecraft-kartverket": "minecraft-kartverket",
+        "nix-gitea-themes": "nix-gitea-themes",
+        "nix-topology": "nix-topology",
        "nixpkgs": "nixpkgs",
        "nixpkgs-unstable": "nixpkgs-unstable",
        "pvv-calendar-bot": "pvv-calendar-bot",
+        "pvv-nettsiden": "pvv-nettsiden",
+        "qotd": "qotd",
+        "roowho2": "roowho2",
        "sops-nix": "sops-nix"
      }
    },
+    "roowho2": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "rust-overlay": "rust-overlay_3"
+      },
+      "locked": {
+        "lastModified": 1769834595,
+        "narHash": "sha256-P1jrO7BxHyIKDuOXHuUb7bi4H2TuYnACW5eqf1gG47g=",
+        "ref": "main",
+        "rev": "def4eec2d59a69b4638b3f25d6d713b703b2fa56",
+        "revCount": 49,
+        "type": "git",
+        "url": "https://git.pvv.ntnu.no/Projects/roowho2.git"
+      },
+      "original": {
+        "ref": "main",
+        "type": "git",
+        "url": "https://git.pvv.ntnu.no/Projects/roowho2.git"
+      }
+    },
+    "rust-overlay": {
+      "inputs": {
+        "nixpkgs": [
+          "greg-ng",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1767840362,
+        "narHash": "sha256-ZtsFqUhilubohNZ1TgpQIFsi4biZTwRH9rjZsDRDik8=",
+        "owner": "oxalica",
+        "repo": "rust-overlay",
+        "rev": "d159ea1fc321c60f88a616ac28bab660092a227d",
+        "type": "github"
+      },
+      "original": {
+        "owner": "oxalica",
+        "repo": "rust-overlay",
+        "type": "github"
+      }
+    },
+    "rust-overlay_2": {
+      "inputs": {
+        "nixpkgs": [
+          "minecraft-heatmap",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1766371695,
+        "narHash": "sha256-W7CX9vy7H2Jj3E8NI4djHyF8iHSxKpb2c/7uNQ/vGFU=",
+        "owner": "oxalica",
+        "repo": "rust-overlay",
+        "rev": "d81285ba8199b00dc31847258cae3c655b605e8c",
+        "type": "github"
+      },
+      "original": {
+        "owner": "oxalica",
+        "repo": "rust-overlay",
+        "type": "github"
+      }
+    },
+    "rust-overlay_3": {
+      "inputs": {
+        "nixpkgs": [
+          "roowho2",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1769309768,
+        "narHash": "sha256-AbOIlNO+JoqRJkK1VrnDXhxuX6CrdtIu2hSuy4pxi3g=",
+        "owner": "oxalica",
+        "repo": "rust-overlay",
+        "rev": "140c9dc582cb73ada2d63a2180524fcaa744fad5",
+        "type": "github"
+      },
+      "original": {
+        "owner": "oxalica",
+        "repo": "rust-overlay",
+        "type": "github"
+      }
+    },
    "sops-nix": {
      "inputs": {
        "nixpkgs": [
          "nixpkgs"
-        ],
-        "nixpkgs-stable": "nixpkgs-stable"
+        ]
      },
      "locked": {
-        "lastModified": 1701127353,
-        "narHash": "sha256-qVNX0wOl0b7+I35aRu78xUphOyELh+mtUp1KBx89K1Q=",
+        "lastModified": 1769469829,
+        "narHash": "sha256-wFcr32ZqspCxk4+FvIxIL0AZktRs6DuF8oOsLt59YBU=",
        "owner": "Mic92",
        "repo": "sops-nix",
-        "rev": "b1edbf5c0464b4cced90a3ba6f999e671f0af631",
+        "rev": "c5eebd4eb2e3372fe12a8d70a248a6ee9dd02eff",
        "type": "github"
      },
      "original": {
        "owner": "Mic92",
+        "ref": "master",
        "repo": "sops-nix",
        "type": "github"
      }
--- a/flake.nix
+++ b/flake.nix
@@ -2,37 +2,63 @@
  description = "PVV System flake";

  inputs = {
-    nixpkgs.url = "nixpkgs/nixos-23.05-small";
-    nixpkgs-unstable.url = "nixpkgs/nixos-unstable-small";
+    nixpkgs.url = "https://nixos.org/channels/nixos-25.11-small/nixexprs.tar.xz";
+    nixpkgs-unstable.url = "https://nixos.org/channels/nixos-unstable-small/nixexprs.tar.xz";

-    sops-nix.url = "github:Mic92/sops-nix";
+    sops-nix.url = "github:Mic92/sops-nix/master";
    sops-nix.inputs.nixpkgs.follows = "nixpkgs";

-    disko.url = "github:nix-community/disko";
+    disko.url = "github:nix-community/disko/v1.11.0";
    disko.inputs.nixpkgs.follows = "nixpkgs";

-    pvv-calendar-bot.url = "git+https://git.pvv.ntnu.no/Projects/calendar-bot.git";
+    nix-topology.url = "github:oddlama/nix-topology/main";
+    nix-topology.inputs.nixpkgs.follows = "nixpkgs";
+
+    pvv-nettsiden.url = "git+https://git.pvv.ntnu.no/Projects/nettsiden.git?ref=main";
+    pvv-nettsiden.inputs.nixpkgs.follows = "nixpkgs";
+
+    pvv-calendar-bot.url = "git+https://git.pvv.ntnu.no/Projects/calendar-bot.git?ref=main";
    pvv-calendar-bot.inputs.nixpkgs.follows = "nixpkgs";

-    # Last release compatible with 23.05
-    matrix-next.url = "github:dali99/nixos-matrix-modules/e09814657187c8ed1a5fe1646df6d8da1eb2dee9";
+    dibbler.url = "git+https://git.pvv.ntnu.no/Projects/dibbler.git?ref=main";
+    dibbler.inputs.nixpkgs.follows = "nixpkgs";

-    grzegorz.url = "github:Programvareverkstedet/grzegorz";
-    grzegorz.inputs.nixpkgs.follows = "nixpkgs-unstable";
-    grzegorz-clients.url = "github:Programvareverkstedet/grzegorz-clients";
+    matrix-next.url = "github:dali99/nixos-matrix-modules/v0.8.0";
+    matrix-next.inputs.nixpkgs.follows = "nixpkgs";
+
+    nix-gitea-themes.url = "git+https://git.pvv.ntnu.no/Drift/nix-gitea-themes.git?ref=main";
+    nix-gitea-themes.inputs.nixpkgs.follows = "nixpkgs";
+
+    minecraft-heatmap.url = "git+https://git.pvv.ntnu.no/Projects/minecraft-heatmap.git?ref=main";
+    minecraft-heatmap.inputs.nixpkgs.follows = "nixpkgs";
+
+    roowho2.url = "git+https://git.pvv.ntnu.no/Projects/roowho2.git?ref=main";
+    roowho2.inputs.nixpkgs.follows = "nixpkgs";
+
+    greg-ng.url = "git+https://git.pvv.ntnu.no/Grzegorz/greg-ng.git?ref=main";
+    greg-ng.inputs.nixpkgs.follows = "nixpkgs";
+    gergle.url = "git+https://git.pvv.ntnu.no/Grzegorz/gergle.git?ref=main";
+    gergle.inputs.nixpkgs.follows = "nixpkgs";
+    grzegorz-clients.url = "git+https://git.pvv.ntnu.no/Grzegorz/grzegorz-clients.git?ref=master";
    grzegorz-clients.inputs.nixpkgs.follows = "nixpkgs";
+
+    minecraft-kartverket.url = "git+https://git.pvv.ntnu.no/Projects/minecraft-kartverket.git?ref=main";
+    minecraft-kartverket.inputs.nixpkgs.follows = "nixpkgs";
+
+    qotd.url = "git+https://git.pvv.ntnu.no/Projects/qotd.git?ref=main";
+    qotd.inputs.nixpkgs.follows = "nixpkgs";
  };

  outputs = { self, nixpkgs, nixpkgs-unstable, sops-nix, disko, ... }@inputs:
  let
-    nixlib = nixpkgs.lib;
+    inherit (nixpkgs) lib;
    systems = [
      "x86_64-linux"
      "aarch64-linux"
      "aarch64-darwin"
    ];
-    forAllSystems = f: nixlib.genAttrs systems (system: f system);
-    allMachines = nixlib.mapAttrsToList (name: _: name) self.nixosConfigurations;
+    forAllSystems = f: lib.genAttrs systems f;
+    allMachines = builtins.attrNames self.nixosConfigurations;
    importantMachines = [
      "bekkalokk"
      "bicep"
@@ -41,100 +67,330 @@
      "ildkule"
    ];
  in {
+    inputs = lib.mapAttrs (_: src: src.outPath) inputs;
+
+    pkgs = forAllSystems (system: import nixpkgs {
+      inherit system;
+      config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg)
+        [
+          "nvidia-x11"
+          "nvidia-settings"
+        ];
+    });
+
    nixosConfigurations = let
-      nixosConfig = nixpkgs: name: config: nixpkgs.lib.nixosSystem (nixpkgs.lib.recursiveUpdate
-        rec {
-          system = "x86_64-linux";
-          specialArgs = {
-            inherit nixpkgs-unstable inputs;
-            values = import ./values.nix;
+      nixosConfig =
+        nixpkgs:
+        name:
+        configurationPath:
+        extraArgs@{
+          localSystem ? "x86_64-linux", # buildPlatform
+          crossSystem ? "x86_64-linux", # hostPlatform
+          specialArgs ? { },
+          modules ? [ ],
+          overlays ? [ ],
+          enableDefaults ? true,
+          ...
+        }:
+        let
+          commonPkgsConfig = {
+            inherit localSystem crossSystem;
+            config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg)
+              [
+                "nvidia-x11"
+                "nvidia-settings"
+              ];
+            overlays = (lib.optionals enableDefaults [
+              # Global overlays go here
+              inputs.roowho2.overlays.default
+            ]) ++ overlays;
          };

+          pkgs = import nixpkgs commonPkgsConfig;
+          unstablePkgs = import nixpkgs-unstable commonPkgsConfig;
+        in
+        lib.nixosSystem (lib.recursiveUpdate
+        {
+          system = crossSystem;
+
+          inherit pkgs;
+
+          specialArgs = {
+            inherit inputs unstablePkgs;
+            values = import ./values.nix;
+            fp = path: ./${path};
+          } // specialArgs;
+
          modules = [
-            ./hosts/${name}/configuration.nix
+            {
+              networking.hostName = lib.mkDefault name;
+            }
+            configurationPath
+          ] ++ (lib.optionals enableDefaults [
            sops-nix.nixosModules.sops
-          ];
-
-          pkgs = import nixpkgs {
-            inherit system;
-            overlays = [
-              (final: prev: {
-                mx-puppet-discord = prev.mx-puppet-discord.override { nodejs_14 = final.nodejs_18; };
-              })
-              inputs.pvv-calendar-bot.overlays.${system}.default
-            ];
-          };
+            inputs.roowho2.nixosModules.default
+            self.nixosModules.rsync-pull-targets
+          ]) ++ modules;
        }
-        config
+        (builtins.removeAttrs extraArgs [
+          "localSystem"
+          "crossSystem"
+          "modules"
+          "overlays"
+          "specialArgs"
+          "enableDefaults"
+        ])
      );

-      stableNixosConfig = nixosConfig nixpkgs;
-      unstableNixosConfig = nixosConfig nixpkgs-unstable;
+      stableNixosConfig = name: extraArgs:
+          nixosConfig nixpkgs name ./hosts/${name}/configuration.nix extraArgs;
    in {
-      bicep = stableNixosConfig "bicep" {
+      bakke = stableNixosConfig "bakke" {
        modules = [
-          ./hosts/bicep/configuration.nix
-          sops-nix.nixosModules.sops
-
-          inputs.matrix-next.nixosModules.default
-          inputs.pvv-calendar-bot.nixosModules.default
+          inputs.disko.nixosModules.disko
        ];
      };
-      bekkalokk = stableNixosConfig "bekkalokk" { };
-      bob = stableNixosConfig "bob" {
+      bicep = stableNixosConfig "bicep" {
        modules = [
-          ./hosts/bob/configuration.nix
-          sops-nix.nixosModules.sops
-
-          disko.nixosModules.disko
-          { disko.devices.disk.disk1.device = "/dev/vda"; }
+          inputs.matrix-next.nixosModules.default
+          inputs.pvv-calendar-bot.nixosModules.default
+          inputs.minecraft-heatmap.nixosModules.default
+          self.nixosModules.gickup
+          self.nixosModules.matrix-ooye
+        ];
+        overlays = [
+          inputs.pvv-calendar-bot.overlays.default
+          inputs.minecraft-heatmap.overlays.default
+          (final: prev: {
+            inherit (self.packages.${prev.stdenv.hostPlatform.system}) out-of-your-element;
+          })
+        ];
+      };
+      bekkalokk = stableNixosConfig "bekkalokk" {
+        overlays = [
+          (final: prev: {
+            mediawiki-extensions = final.callPackage ./packages/mediawiki-extensions { };
+            simplesamlphp = final.callPackage ./packages/simplesamlphp { };
+            bluemap = final.callPackage ./packages/bluemap.nix { };
+          })
+          inputs.pvv-nettsiden.overlays.default
+          inputs.qotd.overlays.default
+        ];
+        modules = [
+          inputs.pvv-nettsiden.nixosModules.default
+          self.nixosModules.bluemap
+          inputs.qotd.nixosModules.default
        ];
      };
      ildkule = stableNixosConfig "ildkule" { };
      #ildkule-unstable = unstableNixosConfig "ildkule" { };
+      skrot = stableNixosConfig "skrot" {
+        modules = [
+          inputs.disko.nixosModules.disko
+          inputs.dibbler.nixosModules.default
+        ];
+        overlays = [inputs.dibbler.overlays.default];
+      };
      shark = stableNixosConfig "shark" { };
+      wenche = stableNixosConfig "wenche" { };
+      temmie = stableNixosConfig "temmie" { };
+      gluttony = stableNixosConfig "gluttony" { };
+
+      kommode = stableNixosConfig "kommode" {
+        overlays = [
+          inputs.nix-gitea-themes.overlays.default
+        ];
+        modules = [
+          inputs.nix-gitea-themes.nixosModules.default
+          inputs.disko.nixosModules.disko
+        ];
+      };
+
+      ustetind = stableNixosConfig "ustetind" {
+        modules = [
+         "${nixpkgs}/nixos/modules/virtualisation/lxc-container.nix"
+        ];
+      };

      brzeczyszczykiewicz = stableNixosConfig "brzeczyszczykiewicz" {
        modules = [
-          ./hosts/brzeczyszczykiewicz/configuration.nix
-          sops-nix.nixosModules.sops
-
-          inputs.grzegorz.nixosModules.grzegorz-kiosk
          inputs.grzegorz-clients.nixosModules.grzegorz-webui
+          inputs.gergle.nixosModules.default
+          inputs.greg-ng.nixosModules.default
+        ];
+        overlays = [
+          inputs.greg-ng.overlays.default
+          inputs.gergle.overlays.default
        ];
      };
      georg = stableNixosConfig "georg" {
        modules = [
-          ./hosts/georg/configuration.nix
-          sops-nix.nixosModules.sops
-
-          inputs.grzegorz.nixosModules.grzegorz-kiosk
          inputs.grzegorz-clients.nixosModules.grzegorz-webui
+          inputs.gergle.nixosModules.default
+          inputs.greg-ng.nixosModules.default
+        ];
+        overlays = [
+          inputs.greg-ng.overlays.default
+          inputs.gergle.overlays.default
        ];
      };
-      buskerud = stableNixosConfig "buskerud" {
+    }
+    //
+    (let
+      skrottConfig = {
        modules = [
-          ./hosts/buskerud/configuration.nix
-          sops-nix.nixosModules.sops
+          (nixpkgs + "/nixos/modules/installer/sd-card/sd-image-aarch64.nix")
+          inputs.dibbler.nixosModules.default
+        ];
+        overlays = [
+          inputs.dibbler.overlays.default
+          (final: prev: {
+            # NOTE: Yeetus (these break crosscompile ¯\_(ツ)_/¯)
+            atool = prev.emptyDirectory;
+            micro = prev.emptyDirectory;
+            ncdu = prev.emptyDirectory;
+          })
        ];
      };
+    in {
+      skrott = self.nixosConfigurations.skrott-native;
+      skrott-native = stableNixosConfig "skrott" (skrottConfig // {
+        localSystem = "aarch64-linux";
+        crossSystem = "aarch64-linux";
+      });
+      skrott-cross = stableNixosConfig "skrott" (skrottConfig // {
+        localSystem = "x86_64-linux";
+        crossSystem = "aarch64-linux";
+      });
+      skrott-x86_64 = stableNixosConfig "skrott" (skrottConfig // {
+        localSystem = "x86_64-linux";
+        crossSystem = "x86_64-linux";
+      });
+    })
+    //
+    (let
+      machineNames = map (i: "lupine-${toString i}") (lib.range 1 5);
+      stableLupineNixosConfig = name: extraArgs:
+          nixosConfig nixpkgs name ./hosts/lupine/configuration.nix extraArgs;
+    in lib.genAttrs machineNames (name: stableLupineNixosConfig name {
+      modules = [{ networking.hostName = name; }];
+      specialArgs.lupineName = name;
+    }));
+
+    nixosModules = {
+      bluemap = ./modules/bluemap.nix;
+      gickup = ./modules/gickup;
+      matrix-ooye = ./modules/matrix-ooye.nix;
+      robots-txt = ./modules/robots-txt.nix;
+      rsync-pull-targets = ./modules/rsync-pull-targets.nix;
+      snakeoil-certs = ./modules/snakeoil-certs.nix;
+      snappymail = ./modules/snappymail.nix;
    };

    devShells = forAllSystems (system: {
-      default = nixpkgs.legacyPackages.${system}.callPackage ./shell.nix { };
+      default = let
+        pkgs = import nixpkgs-unstable {
+          inherit system;
+          overlays = [
+            (final: prev: {
+              inherit (inputs.disko.packages.${system}) disko;
+            })
+          ];
+        };
+      in pkgs.callPackage ./shell.nix { };
+      cuda = let
+        cuda-pkgs = import nixpkgs-unstable {
+          inherit system;
+          config = {
+            allowUnfree = true;
+            cudaSupport = true;
+          };
+        };
+      in cuda-pkgs.callPackage ./shells/cuda.nix { };
    });

    packages = {
      "x86_64-linux" = let
-        pkgs = nixpkgs.legacyPackages."x86_64-linux";
+        system = "x86_64-linux";
+        pkgs = nixpkgs.legacyPackages.${system};
      in rec {
        default = important-machines;
        important-machines = pkgs.linkFarm "important-machines"
-          (nixlib.getAttrs importantMachines self.packages.x86_64-linux);
+          (lib.getAttrs importantMachines self.packages.${system});
        all-machines = pkgs.linkFarm "all-machines"
-          (nixlib.getAttrs allMachines self.packages.x86_64-linux);
-      } // nixlib.genAttrs allMachines
-        (machine: self.nixosConfigurations.${machine}.config.system.build.toplevel);
+          (lib.getAttrs allMachines self.packages.${system});
+
+        simplesamlphp = pkgs.callPackage ./packages/simplesamlphp { };
+
+        bluemap = pkgs.callPackage ./packages/bluemap.nix { };
+
+        out-of-your-element = pkgs.callPackage ./packages/ooye/package.nix { };
+      }
+      //
+      # Mediawiki extensions
+      (lib.pipe null [
+        (_: pkgs.callPackage ./packages/mediawiki-extensions { })
+        (lib.flip builtins.removeAttrs ["override" "overrideDerivation"])
+        (lib.mapAttrs' (name: lib.nameValuePair "mediawiki-${name}"))
+      ])
+      //
+      # Machines
+      lib.genAttrs allMachines
+        (machine: self.nixosConfigurations.${machine}.config.system.build.toplevel)
+      //
+      # Skrott is exception
+      {
+        skrott = self.packages.${system}.skrott-native-sd;
+        skrott-native = self.nixosConfigurations.skrott-native.config.system.build.toplevel;
+        skrott-native-sd = self.nixosConfigurations.skrott-native.config.system.build.sdImage;
+        skrott-cross = self.nixosConfigurations.skrott-cross.config.system.build.toplevel;
+        skrott-cross-sd = self.nixosConfigurations.skrott-cross.config.system.build.sdImage;
+        skrott-x86_64 = self.nixosConfigurations.skrott-x86_64.config.system.build.toplevel;
+      }
+      //
+      # Nix-topology
+      (let
+        topology' = import inputs.nix-topology {
+          pkgs = import nixpkgs {
+            inherit system;
+            overlays = [
+              inputs.nix-topology.overlays.default
+              (final: prev: {
+                inherit (nixpkgs-unstable.legacyPackages.${system}) super-tiny-icons;
+              })
+            ];
+          };
+
+          specialArgs = {
+            values = import ./values.nix;
+          };
+
+          modules = [
+            ./topology
+            {
+              nixosConfigurations = lib.mapAttrs (_name: nixosCfg: nixosCfg.extendModules {
+                modules = [
+                  inputs.nix-topology.nixosModules.default
+                  ./topology/service-extractors/greg-ng.nix
+                  ./topology/service-extractors/postgresql.nix
+                  ./topology/service-extractors/mysql.nix
+                  ./topology/service-extractors/gitea-runners.nix
+                ];
+              }) self.nixosConfigurations;
+            }
+          ];
+        };
+      in {
+        topology = topology'.config.output;
+        topology-png = pkgs.runCommand "pvv-config-topology-png" {
+          nativeBuildInputs = [ pkgs.writableTmpDirAsHomeHook ];
+        } ''
+          mkdir -p "$out"
+          for file in '${topology'.config.output}'/*.svg; do
+            ${lib.getExe pkgs.imagemagick} -density 300 -background none "$file" "$out"/"$(basename "''${file%.svg}.png")"
+          done
+        '';
+      });
    };
  };
 }
--- a/hosts/bakke/configuration.nix
+++ b/hosts/bakke/configuration.nix
@@ -0,0 +1,18 @@
+{ config, pkgs, values, ... }:
+{
+  imports = [
+      ./hardware-configuration.nix
+      ../../base
+      ./filesystems.nix
+    ];
+
+  networking.hostId = "99609ffc";
+  systemd.network.networks."30-enp2s0" = values.defaultNetworkConfig // {
+    matchConfig.Name = "enp2s0";
+    address = with values.hosts.bakke; [ (ipv4 + "/25") (ipv6 + "/64") ];
+  };
+
+  # Don't change (even during upgrades) unless you know what you are doing.
+  # See https://search.nixos.org/options?show=system.stateVersion
+  system.stateVersion = "24.05";
+}
--- a/hosts/bakke/disks.nix
+++ b/hosts/bakke/disks.nix
@@ -0,0 +1,83 @@
+{
+  # https://github.com/nix-community/disko/blob/master/example/boot-raid1.nix
+  # Note: Disko was used to create the initial md raid, but is no longer in active use on this host.
+  disko.devices = {
+    disk = {
+      one = {
+        type = "disk";
+        device = "/dev/disk/by-id/ata-WDC_WD40EFRX-68WT0N0_WD-WCC4E2EER6N6";
+        content = {
+          type = "gpt";
+          partitions = {
+            ESP = {
+              size = "500M";
+              type = "EF00";
+              content = {
+                type = "mdraid";
+                name = "boot";
+              };
+            };
+            mdadm = {
+              size = "100%";
+              content = {
+                type = "mdraid";
+                name = "raid1";
+              };
+            };
+          };
+        };
+      };
+      two = {
+        type = "disk";
+        device = "/dev/disk/by-id/ata-WDC_WD40EFRX-68WT0N0_WD-WCC4E7LPLU71";
+        content = {
+          type = "gpt";
+          partitions = {
+            ESP = {
+              size = "500M";
+              type = "EF00";
+              content = {
+                type = "mdraid";
+                name = "boot";
+              };
+            };
+            mdadm = {
+              size = "100%";
+              content = {
+                type = "mdraid";
+                name = "raid1";
+              };
+            };
+          };
+        };
+      };
+    };
+    mdadm = {
+      boot = {
+        type = "mdadm";
+        level = 1;
+        metadata = "1.0";
+        content = {
+          type = "filesystem";
+          format = "vfat";
+          mountpoint = "/boot";
+        };
+      };
+      raid1 = {
+        type = "mdadm";
+        level = 1;
+        content = {
+          type = "gpt";
+          partitions.primary = {
+            size = "100%";
+            content = {
+              type = "filesystem";
+              format = "ext4";
+              mountpoint = "/";