WIP

This is whitelisted to just bicep

As a side-effect it's also much easier to use synapse-admin now

.editorconfig

@@ -0,0 +1,10 @@
+root = true
+
+[*]
+end_of_line = lf
+insert_final_newline = true
+trim_trailing_whitespace = true
+
+[*.nix]
+indent_style = space
+indent_size = 2

.git-blame-ignore-revs

@@ -0,0 +1 @@
+e00008da1afe0d760badd34bbeddff36bb08c475

.gitignore

@@ -1,3 +1,4 @@
 result*
 /configuration.nix
 /.direnv/
+*.qcow2

base.nix

@@ -1,133 +0,0 @@
-{ config, lib, pkgs, inputs, values, ... }:
-
-{
-  imports = [
-    ./users
-    ./modules/snakeoil-certs.nix
-  ];
-
-  networking.domain = "pvv.ntnu.no";
-  networking.useDHCP = false;
-  # networking.search = [ "pvv.ntnu.no" "pvv.org" ];
-  # networking.nameservers = lib.mkDefault [ "129.241.0.200" "129.241.0.201" ];
-  # networking.tempAddresses = lib.mkDefault "disabled";
-  # networking.defaultGateway = values.hosts.gateway;
-
-  systemd.network.enable = true;
-
-  services.resolved = {
-    enable = lib.mkDefault true;
-    dnssec = "false"; # Supposdly this keeps breaking and the default is to allow downgrades anyways...
-  };
-
-  time.timeZone = "Europe/Oslo";
-
-  i18n.defaultLocale = "en_US.UTF-8";
-  console = {
-    font = "Lat2-Terminus16";
-    keyMap = "no";
-  };
-
-  system.autoUpgrade = {
-    enable = true;
-    flake = "git+https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git";
-    flags = [
-      "--update-input" "nixpkgs"
-      "--update-input" "nixpkgs-unstable"
-      "--no-write-lock-file"
-    ];
-  };
-  nix.gc.automatic = true;
-  nix.gc.options = "--delete-older-than 2d";
-
-  nix.settings.experimental-features = [ "nix-command" "flakes" ];
-
-  /* This makes commandline tools like
-  ** nix run nixpkgs#hello
-  ** and nix-shell -p hello
-  ** use the same channel the system
-  ** was built with
-  */
-  nix.registry = {
-    nixpkgs.flake = inputs.nixpkgs;
-  };
-  nix.nixPath = [ "nixpkgs=${inputs.nixpkgs}" ];
-
-  environment.systemPackages = with pkgs; [
-    file
-    git
-    gnupg
-    htop
-    nano
-    ripgrep
-    rsync
-    screen
-    tmux
-    vim
-    wget
-
-    kitty.terminfo
-  ];
-
-  programs.zsh.enable = true;
-
-  users.groups."drift".name = "drift";
-
-  # Trusted users on the nix builder machines
-  users.groups."nix-builder-users".name = "nix-builder-users";
-
-  services.openssh = {
-    enable = true;
-    extraConfig = ''
-      PubkeyAcceptedAlgorithms=+ssh-rsa
-    '';
-    settings.PermitRootLogin = "yes";
-  };
-
-  # nginx return 444 for all nonexistent virtualhosts
-
-  systemd.services.nginx.after = [ "generate-snakeoil-certs.service" ];
-
-  environment.snakeoil-certs = lib.mkIf config.services.nginx.enable {
-    "/etc/certs/nginx" = {
-      owner = "nginx";
-      group = "nginx";
-    };
-  };
-
-  services.nginx = {
-    recommendedTlsSettings = true;
-    recommendedProxySettings = true;
-    recommendedOptimisation = true;
-    recommendedGzipSettings = true;
-
-    appendConfig = ''
-      pcre_jit on;
-      worker_processes auto;
-      worker_rlimit_nofile 100000;
-    '';
-    eventsConfig = ''
-      worker_connections 2048;
-      use epoll;
-      multi_accept on;
-    '';
-  };
-
-  systemd.services.nginx.serviceConfig = lib.mkIf config.services.nginx.enable {
-    LimitNOFILE = 65536;
-  };
-
-  services.nginx.virtualHosts."_" = lib.mkIf config.services.nginx.enable {
-    sslCertificate = "/etc/certs/nginx.crt";
-    sslCertificateKey = "/etc/certs/nginx.key";
-    addSSL = true;
-    extraConfig = "return 444;";
-  };
-
-  networking.firewall.allowedTCPPorts = lib.mkIf config.services.nginx.enable [ 80 443 ];
-
-  security.acme = {
-    acceptTerms = true;
-    defaults.email = "drift@pvv.ntnu.no";
-  };
-}

base/default.nix

@@ -0,0 +1,60 @@
+{ pkgs, lib, ... }:
+
+{
+  imports = [
+    ../users
+    ../modules/snakeoil-certs.nix
+
+    ./networking.nix
+    ./nix.nix
+
+    ./services/acme.nix
+    ./services/auto-upgrade.nix
+    ./services/irqbalance.nix
+    ./services/logrotate.nix
+    ./services/nginx.nix
+    ./services/openssh.nix
+    ./services/postfix.nix
+    ./services/smartd.nix
+    ./services/thermald.nix
+  ];
+
+  boot.tmp.cleanOnBoot = lib.mkDefault true;
+
+  time.timeZone = "Europe/Oslo";
+
+  i18n.defaultLocale = "en_US.UTF-8";
+  console = {
+    font = "Lat2-Terminus16";
+    keyMap = "no";
+  };
+
+  environment.systemPackages = with pkgs; [
+    file
+    git
+    gnupg
+    htop
+    nano
+    ripgrep
+    rsync
+    screen
+    tmux
+    vim
+    wget
+
+    kitty.terminfo
+  ];
+
+  programs.zsh.enable = true;
+
+  security.sudo.execWheelOnly = true;
+  security.sudo.extraConfig = ''
+    Defaults lecture = never
+  '';
+
+  users.groups."drift".name = "drift";
+
+  # Trusted users on the nix builder machines
+  users.groups."nix-builder-users".name = "nix-builder-users";
+}
+

base/networking.nix

@@ -0,0 +1,16 @@
+{ lib, values, ... }:
+{
+  networking.domain = "pvv.ntnu.no";
+  networking.useDHCP = false;
+  # networking.search = [ "pvv.ntnu.no" "pvv.org" ];
+  # networking.nameservers = lib.mkDefault [ "129.241.0.200" "129.241.0.201" ];
+  # networking.tempAddresses = lib.mkDefault "disabled";
+  # networking.defaultGateway = values.hosts.gateway;
+
+  systemd.network.enable = true;
+
+  services.resolved = {
+    enable = lib.mkDefault true;
+    dnssec = "false"; # Supposdly this keeps breaking and the default is to allow downgrades anyways...
+  };
+}

base/nix.nix

@@ -0,0 +1,30 @@
+{ inputs, ... }:
+{
+  nix = {
+    gc = {
+      automatic = true;
+      options = "--delete-older-than 2d";
+    };
+
+    settings = {
+      allow-dirty = true;
+      auto-optimise-store = true;
+      builders-use-substitutes = true;
+      experimental-features = [ "nix-command" "flakes" ];
+      log-lines = 50;
+      use-xdg-base-directories = true;
+    };
+
+    /* This makes commandline tools like
+    ** nix run nixpkgs#hello
+    ** and nix-shell -p hello
+    ** use the same channel the system
+    ** was built with
+    */
+    registry = {
+      "nixpkgs".flake = inputs.nixpkgs;
+      "pvv-nix".flake = inputs.self;
+    };
+    nixPath = [ "nixpkgs=${inputs.nixpkgs}" ];
+  };
+}

base/services/acme.nix

@@ -0,0 +1,15 @@
+{ ... }:
+{
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = "drift@pvv.ntnu.no";
+  };
+
+  # Let's not spam LetsEncrypt in `nixos-rebuild build-vm` mode:
+  virtualisation.vmVariant = {
+    security.acme.defaults.server = "https://127.0.0.1";
+    security.acme.preliminarySelfsigned = true;
+
+    users.users.root.initialPassword = "root";
+  };
+}

base/services/auto-upgrade.nix

@@ -0,0 +1,12 @@
+{ ... }:
+{
+  system.autoUpgrade = {
+    enable = true;
+    flake = "git+https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git";
+    flags = [
+      "--update-input" "nixpkgs"
+      "--update-input" "nixpkgs-unstable"
+      "--no-write-lock-file"
+    ];
+  };
+}

base/services/irqbalance.nix

@@ -0,0 +1,4 @@
+{ ... }:
+{
+  services.irqbalance.enable = true;
+}

base/services/logrotate.nix

@@ -0,0 +1,42 @@
+{ ... }:
+{
+  # source: https://github.com/logrotate/logrotate/blob/main/examples/logrotate.service
+  systemd.services.logrotate = {
+    documentation = [ "man:logrotate(8)" "man:logrotate.conf(5)" ];
+    unitConfig.RequiresMountsFor = "/var/log";
+    serviceConfig = {
+      Nice = 19;
+      IOSchedulingClass = "best-effort";
+      IOSchedulingPriority = 7;
+
+      ReadWritePaths = [ "/var/log" ];
+
+      AmbientCapabilities = [ "" ];
+      CapabilityBoundingSet = [ "" ];
+      DeviceAllow = [ "" ];
+      LockPersonality = true;
+      MemoryDenyWriteExecute = true;
+      NoNewPrivileges = true; # disable for third party rotate scripts
+      PrivateDevices = true;
+      PrivateNetwork = true; # disable for mail delivery
+      PrivateTmp = true;
+      ProtectClock = true;
+      ProtectControlGroups = true;
+      ProtectHome = true; # disable for userdir logs
+      ProtectHostname = true;
+      ProtectKernelLogs = true;
+      ProtectKernelModules = true;
+      ProtectKernelTunables = true;
+      ProtectProc = "invisible";
+      ProtectSystem = "full";
+      RestrictNamespaces = true;
+      RestrictRealtime = true;
+      RestrictSUIDSGID = true; # disable for creating setgid directories
+      SocketBindDeny = [ "any" ];
+      SystemCallArchitectures = "native";
+      SystemCallFilter = [
+        "@system-service"
+      ];
+    };
+  };
+}

base/services/nginx.nix

@@ -0,0 +1,44 @@
+{ config, lib, ... }:
+{
+  # nginx return 444 for all nonexistent virtualhosts
+
+  systemd.services.nginx.after = [ "generate-snakeoil-certs.service" ];
+
+  environment.snakeoil-certs = lib.mkIf config.services.nginx.enable {
+    "/etc/certs/nginx" = {
+      owner = "nginx";
+      group = "nginx";
+    };
+  };
+
+  networking.firewall.allowedTCPPorts = lib.mkIf config.services.nginx.enable [ 80 443 ];
+
+  services.nginx = {
+    recommendedTlsSettings = true;
+    recommendedProxySettings = true;
+    recommendedOptimisation = true;
+    recommendedGzipSettings = true;
+
+    appendConfig = ''
+      pcre_jit on;
+      worker_processes auto;
+      worker_rlimit_nofile 100000;
+    '';
+    eventsConfig = ''
+      worker_connections 2048;
+      use epoll;
+      multi_accept on;
+    '';
+  };
+
+  systemd.services.nginx.serviceConfig = lib.mkIf config.services.nginx.enable {
+    LimitNOFILE = 65536;
+  };
+
+  services.nginx.virtualHosts."_" = lib.mkIf config.services.nginx.enable {
+    sslCertificate = "/etc/certs/nginx.crt";
+    sslCertificateKey = "/etc/certs/nginx.key";
+    addSSL = true;
+    extraConfig = "return 444;";
+  };
+}

base/services/openssh.nix

@@ -0,0 +1,14 @@
+{ ... }:
+{
+  services.openssh = {
+    enable = true;
+    startWhenNeeded = true;
+    extraConfig = ''
+      PubkeyAcceptedAlgorithms=+ssh-rsa
+      Match Group wheel
+        PasswordAuthentication no
+      Match All
+    '';
+    settings.PermitRootLogin = "yes";
+  };
+}

base/services/postfix.nix

@@ -0,0 +1,23 @@
+{ config, pkgs, lib, ... }:
+let
+  cfg = config.services.postfix;
+in
+{
+  services.postfix = {
+    enable = true;
+
+    hostname = "${config.networking.hostName}.pvv.ntnu.no";
+    domain = "pvv.ntnu.no";
+
+    relayHost = "smtp.pvv.ntnu.no";
+    relayPort = 465;
+
+    config = {
+      smtp_tls_wrappermode = "yes";
+      smtp_tls_security_level = "encrypt";
+    };
+
+    # Nothing should be delivered to this machine
+    destination = [ ];
+  };
+}

base/services/smartd.nix

@@ -0,0 +1,8 @@
+{ config, pkgs, lib, ... }:
+{
+  services.smartd.enable = lib.mkDefault true;
+
+  environment.systemPackages = lib.optionals config.services.smartd.enable (with pkgs; [
+    smartmontools
+  ]);
+}

base/services/thermald.nix

@@ -0,0 +1,8 @@
+{ config, lib, ... }:
+{
+  # Let's not thermal throttle
+  services.thermald.enable = lib.mkIf (lib.all (x: x) [
+      (config.nixpkgs.system == "x86_64-linux")
+      (!config.boot.isContainer or false)
+    ]) true;
+}

flake.lock

@@ -194,11 +194,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1693136143,
+        "lastModified": 1723850344,
-        "narHash": "sha256-amHprjftc3y/bg8yf4hITCLa+ez5HIi0yGfR7TU6UIc=",
+        "narHash": "sha256-aT37O9l9eclWEnqxASVNBL1dKwDHZUOqdbA4VO9DJvw=",
         "ref": "refs/heads/main",
-        "rev": "a32894b305f042d561500f5799226afd1faf5abb",
+        "rev": "38b66677ab8c01aee10cd59e745af9ce3ea88092",
-        "revCount": 9,
+        "revCount": 19,
         "type": "git",
         "url": "https://git.pvv.ntnu.no/Projects/calendar-bot.git"
       },

flake.nix

@@ -37,8 +37,8 @@
       "aarch64-linux"
       "aarch64-darwin"
     ];
-    forAllSystems = f: nixlib.genAttrs systems (system: f system);
+    forAllSystems = f: nixlib.genAttrs systems f;
-    allMachines = nixlib.mapAttrsToList (name: _: name) self.nixosConfigurations;
+    allMachines = builtins.attrNames self.nixosConfigurations;
     importantMachines = [
       "bekkalokk"
       "bicep"
@@ -47,6 +47,8 @@
       "ildkule"
     ];
   in {
+    inherit inputs;
+
     nixosConfigurations = let
       unstablePkgs = nixpkgs-unstable.legacyPackages.x86_64-linux;
       nixosConfig = nixpkgs: name: config: nixpkgs.lib.nixosSystem (nixpkgs.lib.recursiveUpdate
@@ -124,6 +126,11 @@
       buskerud = stableNixosConfig "buskerud" { };
     };
 
+    nixosModules = {
+      snakeoil-certs = ./modules/snakeoil-certs.nix;
+      snappymail = ./modules/snappymail.nix;
+    };
+
     devShells = forAllSystems (system: {
       default = nixpkgs.legacyPackages.${system}.callPackage ./shell.nix { };
     });

hosts/bekkalokk/configuration.nix

@@ -3,7 +3,7 @@
   imports = [
     ./hardware-configuration.nix
 
-    ../../base.nix
+    ../../base
     ../../misc/metrics-exporters.nix
 
     ./services/gitea/default.nix
@@ -11,6 +11,7 @@
     ./services/kerberos
     ./services/mediawiki
     ./services/nginx.nix
+    ./services/phpfpm.nix
     ./services/vaultwarden.nix
     ./services/webmail
     ./services/website
@@ -31,6 +32,8 @@
     address = with values.hosts.bekkalokk; [ (ipv4 + "/25") (ipv6 + "/64") ];
   };
 
+  services.btrfs.autoScrub.enable = true;
+
   # Do not change, even during upgrades.
   # See https://search.nixos.org/options?show=system.stateVersion
   system.stateVersion = "22.11";

hosts/bekkalokk/services/gitea/ci.nix

@@ -15,9 +15,9 @@ let
         enable = true;
         name = "git-runner-${name}"; url = "https://git.pvv.ntnu.no";
         labels = [
-	  "debian-latest:docker://node:18-bullseye"
+          "debian-latest:docker://node:18-bullseye"
-	  "ubuntu-latest:docker://node:18-bullseye"
+          "ubuntu-latest:docker://node:18-bullseye"
-	];
+        ];
         tokenFile = config.sops.secrets."gitea/runners/${name}".path;
       };
     };

hosts/bekkalokk/services/gitea/default.nix

@@ -6,7 +6,8 @@ let
 in {
   imports = [
     ./ci.nix
-    ./import-users.nix
+    ./import-users
+    ./web-secret-provider
   ];
 
   sops.secrets = {
@@ -58,6 +59,7 @@ in {
       service = {
         DISABLE_REGISTRATION = true;
         ENABLE_NOTIFY_MAIL = true;
+        AUTO_WATCH_NEW_REPOS = false;
       };
       admin.DEFAULT_EMAIL_NOTIFICATIONS = "onmention";
       session.COOKIE_SECURE = true;
@@ -135,10 +137,16 @@ in {
     script = let
       logo-svg = ../../../../assets/logo_blue_regular.svg;
       logo-png = ../../../../assets/logo_blue_regular.png;
+      extraLinks = pkgs.writeText "gitea-extra-links.tmpl" ''
+        <a class="item" href="https://www.pvv.ntnu.no/">PVV</a>
+        <a class="item" href="https://wiki.pvv.ntnu.no/">Wiki</a>
+        <a class="item" href="https://git.pvv.ntnu.no/Drift/-/projects/4">Tokyo Drift Issues</a>
+      '';
     in ''
       install -Dm444 ${logo-svg} ${cfg.customDir}/public/assets/img/logo.svg
       install -Dm444 ${logo-png} ${cfg.customDir}/public/assets/img/logo.png
       install -Dm444 ${./loading.apng} ${cfg.customDir}/public/assets/img/loading.png
+      install -Dm444 ${extraLinks} ${cfg.customDir}/templates/custom/extra_links.tmpl
     '';
   };
 }

hosts/bekkalokk/services/gitea/gitea-import-users.py

@@ -1,94 +0,0 @@
-import requests
-import secrets
-import os
-
-EMAIL_DOMAIN = os.getenv('EMAIL_DOMAIN')
-if EMAIL_DOMAIN is None:
-    EMAIL_DOMAIN = 'pvv.ntnu.no'
-
-API_TOKEN = os.getenv('API_TOKEN')
-if API_TOKEN is None:
-    raise Exception('API_TOKEN not set')
-
-GITEA_API_URL = os.getenv('GITEA_API_URL')
-if GITEA_API_URL is None:
-    GITEA_API_URL = 'https://git.pvv.ntnu.no/api/v1'
-
-BANNED_SHELLS = [
-    "/usr/bin/nologin",
-    "/usr/sbin/nologin",
-    "/sbin/nologin",
-    "/bin/false",
-    "/bin/msgsh",
-]
-
-existing_users = {}
-
-
-# This function should only ever be called when adding users
-# from the passwd file
-def add_user(username, name):
-    user = {
-            "full_name": name,
-            "username": username,
-            "login_name": username,
-            "source_id": 1,  # 1 = SMTP
-    }
-
-    if username not in existing_users:
-        user["password"] = secrets.token_urlsafe(32)
-        user["must_change_password"] = False
-        user["visibility"] = "private"
-        user["email"] = username + '@' + EMAIL_DOMAIN
-
-        r = requests.post(GITEA_API_URL + '/admin/users', json=user,
-                          headers={'Authorization': 'token ' + API_TOKEN})
-        if r.status_code != 201:
-            print('ERR: Failed to create user ' + username + ': ' + r.text)
-            return
-
-        print('Created user ' + username)
-        existing_users[username] = user
-
-    else:
-        user["visibility"] = existing_users[username]["visibility"]
-        r = requests.patch(GITEA_API_URL + f'/admin/users/{username}',
-                           json=user,
-                           headers={'Authorization': 'token ' + API_TOKEN})
-        if r.status_code != 200:
-            print('ERR: Failed to update user ' + username + ': ' + r.text)
-            return
-
-        print('Updated user ' + username)
-
-
-def main():
-    # Fetch existing users
-    r = requests.get(GITEA_API_URL + '/admin/users',
-                     headers={'Authorization': 'token ' + API_TOKEN})
-
-    if r.status_code != 200:
-        raise Exception('Failed to get users: ' + r.text)
-
-    for user in r.json():
-        existing_users[user['login']] = user
-
-    # Read the file, add each user
-    with open("/tmp/passwd-import", 'r') as f:
-        for line in f.readlines():
-            uid = int(line.split(':')[2])
-            if uid < 1000:
-                continue
-
-            shell = line.split(':')[-1]
-            if shell in BANNED_SHELLS:
-                continue
-
-            username = line.split(':')[0]
-            name = line.split(':')[4].split(',')[0]
-
-            add_user(username, name)
-
-
-if __name__ == '__main__':
-    main()

hosts/bekkalokk/services/gitea/import-users/default.nix

@@ -14,6 +14,9 @@ in
     preStart=''${pkgs.rsync}/bin/rsync -e "${pkgs.openssh}/bin/ssh -o UserKnownHostsFile=$CREDENTIALS_DIRECTORY/ssh-known-hosts -i $CREDENTIALS_DIRECTORY/sshkey" -a pvv@smtp.pvv.ntnu.no:/etc/passwd /tmp/passwd-import'';
     serviceConfig = {
       ExecStart = pkgs.writers.writePython3 "gitea-import-users" {
+        flakeIgnore = [
+          "E501" # Line over 80 chars lol
+        ];
         libraries = with pkgs.python3Packages; [ requests ];
       } (builtins.readFile ./gitea-import-users.py);
       LoadCredential=[

hosts/bekkalokk/services/gitea/import-users/gitea-import-users.py

@@ -0,0 +1,198 @@
+import requests
+import secrets
+import os
+
+
+EMAIL_DOMAIN = os.getenv('EMAIL_DOMAIN')
+if EMAIL_DOMAIN is None:
+    EMAIL_DOMAIN = 'pvv.ntnu.no'
+
+
+API_TOKEN = os.getenv('API_TOKEN')
+if API_TOKEN is None:
+    raise Exception('API_TOKEN not set')
+
+
+GITEA_API_URL = os.getenv('GITEA_API_URL')
+if GITEA_API_URL is None:
+    GITEA_API_URL = 'https://git.pvv.ntnu.no/api/v1'
+
+
+def gitea_list_all_users() -> dict[str, dict[str, any]] | None:
+    r = requests.get(
+        GITEA_API_URL + '/admin/users',
+        headers={'Authorization': 'token ' + API_TOKEN}
+    )
+
+    if r.status_code != 200:
+        print('Failed to get users:', r.text)
+        return None
+
+    return {user['login']: user for user in r.json()}
+
+
+def gitea_create_user(username: str, userdata: dict[str, any]) -> bool:
+    r = requests.post(
+        GITEA_API_URL + '/admin/users',
+        json=userdata,
+        headers={'Authorization': 'token ' + API_TOKEN},
+    )
+
+    if r.status_code != 201:
+        print(f'ERR: Failed to create user {username}:', r.text)
+        return False
+
+    return True
+
+
+def gitea_edit_user(username: str, userdata: dict[str, any]) -> bool:
+    r = requests.patch(
+        GITEA_API_URL + f'/admin/users/{username}',
+        json=userdata,
+        headers={'Authorization': 'token ' + API_TOKEN},
+    )
+
+    if r.status_code != 200:
+        print(f'ERR: Failed to update user {username}:', r.text)
+        return False
+
+    return True
+
+
+def gitea_list_teams_for_organization(org: str) -> dict[str, any] | None:
+    r = requests.get(
+        GITEA_API_URL + f'/orgs/{org}/teams',
+        headers={'Authorization': 'token ' + API_TOKEN},
+    )
+
+    if r.status_code != 200:
+        print(f"ERR: Failed to list teams for {org}:", r.text)
+        return None
+
+    return {team['name']: team for team in r.json()}
+
+
+def gitea_add_user_to_organization_team(username: str, team_id: int) -> bool:
+    r = requests.put(
+        GITEA_API_URL + f'/teams/{team_id}/members/{username}',
+        headers={'Authorization': 'token ' + API_TOKEN},
+    )
+
+    if r.status_code != 204:
+        print(f'ERR: Failed to add user {username} to org team {team_id}:', r.text)
+        return False
+
+    return True
+
+
+# If a passwd user has one of the following shells,
+# it is most likely not a PVV user, but rather a system user.
+# Users with these shells should thus be ignored.
+BANNED_SHELLS = [
+    "/usr/bin/nologin",
+    "/usr/sbin/nologin",
+    "/sbin/nologin",
+    "/bin/false",
+    "/bin/msgsh",
+]
+
+
+# Reads out a passwd-file line for line, and filters out
+# real PVV users (as opposed to system users meant for daemons and such)
+def passwd_file_parser(passwd_path):
+    with open(passwd_path, 'r') as f:
+        for line in f.readlines():
+            uid = int(line.split(':')[2])
+            if uid < 1000:
+                continue
+
+            shell = line.split(':')[-1]
+            if shell in BANNED_SHELLS:
+                continue
+
+            username = line.split(':')[0]
+            name = line.split(':')[4].split(',')[0]
+            yield (username, name)
+
+
+# This function either creates a new user in gitea
+# and fills it out with some default information if
+# it does not exist, or ensures that the default information
+# is correct if the user already exists. All user information
+# (including non-default fields) is pulled from gitea and added
+# to the `existing_users` dict
+def add_or_patch_gitea_user(
+    username: str,
+    name: str,
+    existing_users: dict[str, dict[str, any]],
+) -> None:
+    user = {
+        "full_name": name,
+        "username": username,
+        "login_name": username,
+        "source_id": 1,  # 1 = SMTP
+    }
+
+    if username not in existing_users:
+        user["password"] = secrets.token_urlsafe(32)
+        user["must_change_password"] = False
+        user["visibility"] = "private"
+        user["email"] = username + '@' + EMAIL_DOMAIN
+
+        if not gitea_create_user(username, user):
+            return
+
+        print('Created user', username)
+        existing_users[username] = user
+
+    else:
+        user["visibility"] = existing_users[username]["visibility"]
+
+        if not gitea_edit_user(username, user):
+            return
+
+        print('Updated user', username)
+
+
+# This function adds a user to a gitea team (part of organization)
+# if the user is not already part of said team.
+def ensure_gitea_user_is_part_of_team(
+    username: str,
+    org: str,
+    team_name: str,
+) -> None:
+    teams = gitea_list_teams_for_organization(org)
+
+    if teams is None:
+        return
+
+    if team_name not in teams:
+        print(f'ERR: could not find team "{team_name}" in organization "{org}"')
+
+    gitea_add_user_to_organization_team(username, teams[team_name]['id'])
+
+    print(f'User {username} is now part of {org}/{team_name}')
+
+
+# List of teams that all users should be part of by default
+COMMON_USER_TEAMS = [
+    ("Projects", "Members"),
+    ("Kurs", "Members"),
+]
+
+
+def main():
+    existing_users = gitea_list_all_users()
+    if existing_users is None:
+        exit(1)
+
+    for username, name in passwd_file_parser("/tmp/passwd-import"):
+        print(f"Processing {username}")
+        add_or_patch_gitea_user(username, name, existing_users)
+        for org, team_name in COMMON_USER_TEAMS:
+            ensure_gitea_user_is_part_of_team(username, org, team_name)
+        print()
+
+
+if __name__ == '__main__':
+    main()

hosts/bekkalokk/services/gitea/web-secret-provider/default.nix

@@ -0,0 +1,114 @@
+{ config, pkgs, lib, ... }:
+let
+  organizations = [
+    "Drift"
+    "Projects"
+    "Kurs"
+  ];
+
+  giteaCfg = config.services.gitea;
+
+  giteaWebSecretProviderScript = pkgs.writers.writePython3 "gitea-web-secret-provider" {
+    libraries = with pkgs.python3Packages; [ requests ];
+    flakeIgnore = [
+      "E501" # Line over 80 chars lol
+      "E201" # "whitespace after {"
+      "E202" # "whitespace after }"
+      "E251" # unexpected spaces around keyword / parameter equals
+      "W391" # Newline at end of file
+    ];
+    makeWrapperArgs = [
+      "--prefix PATH : ${(lib.makeBinPath [ pkgs.openssh ])}"
+    ];
+  } (builtins.readFile ./gitea-web-secret-provider.py);
+in
+{
+  users.groups."gitea-web" = { };
+  users.users."gitea-web" = {
+    group = "gitea-web";
+    isSystemUser = true;
+  };
+
+  sops.secrets."gitea/web-secret-provider/token" = {
+    owner = "gitea-web";
+    group = "gitea-web";
+    restartUnits = [
+      "gitea-web-secret-provider@"
+    ] ++ (map (org: "gitea-web-secret-provider@${org}") organizations);
+  };
+
+  systemd.slices.system-giteaweb = {
+    description = "Gitea web directories";
+  };
+
+  # https://www.freedesktop.org/software/systemd/man/latest/systemd.unit.html#Specifiers
+  # %i - instance name (after the @)
+  # %d - secrets directory
+  systemd.services."gitea-web-secret-provider@" = {
+    description = "Ensure all repos in %i has an SSH key to push web content";
+    requires = [ "gitea.service" "network.target" ];
+    serviceConfig = {
+      Slice = "system-giteaweb.slice";
+      Type = "oneshot";
+      ExecStart = let
+        args = lib.cli.toGNUCommandLineShell { } {
+          org = "%i";
+          token-path = "%d/token";
+          api-url = "${giteaCfg.settings.server.ROOT_URL}api/v1";
+          key-dir = "/var/lib/gitea-web/keys/%i";
+          authorized-keys-path = "/var/lib/gitea-web/authorized_keys.d/%i";
+          rrsync-script = pkgs.writeShellScript "rrsync-chown" ''
+            ${lib.getExe pkgs.rrsync} -wo "$1"
+            ${pkgs.coreutils}/bin/chown -R gitea-web:gitea-web "$1"
+          '';
+          web-dir = "/var/lib/gitea-web/web";
+        };
+      in "${giteaWebSecretProviderScript} ${args}";
+
+      User = "gitea-web";
+      Group = "gitea-web";
+
+      StateDirectory = "gitea-web";
+      StateDirectoryMode = "0750";
+      LoadCredential = [
+        "token:${config.sops.secrets."gitea/web-secret-provider/token".path}"
+      ];
+
+      NoNewPrivileges = true;
+      PrivateTmp = true;
+      PrivateDevices = true;
+      ProtectSystem = true;
+      ProtectHome = true;
+      ProtectControlGroups = true;
+      ProtectKernelModules = true;
+      ProtectKernelTunables = true;
+      RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
+      RestrictRealtime = true;
+      RestrictSUIDSGID = true;
+      MemoryDenyWriteExecute = true;
+      LockPersonality = true;
+    };
+  };
+
+  systemd.timers."gitea-web-secret-provider@" = {
+    description = "Ensure all repos in %i has an SSH key to push web content";
+    timerConfig = {
+      RandomizedDelaySec = "1h";
+      Persistent = true;
+      Unit = "gitea-web-secret-provider@%i.service";
+      OnCalendar = "daily";
+    };
+  };
+
+  systemd.targets.timers.wants = map (org: "gitea-web-secret-provider@${org}.timer") organizations;
+
+  services.openssh.authorizedKeysFiles = map (org: "/var/lib/gitea-web/authorized_keys.d/${org}") organizations;
+
+  users.users.nginx.extraGroups = [ "gitea-web" ];
+  services.nginx.virtualHosts."pages.pvv.ntnu.no" = {
+    kTLS = true;
+    forceSSL = true;
+    enableACME = true;
+    root = "/var/lib/gitea-web/web";
+  };
+}

hosts/bekkalokk/services/gitea/web-secret-provider/gitea-web-secret-provider.py

@@ -0,0 +1,112 @@
+import argparse
+import hashlib
+import os
+import requests
+import subprocess
+from pathlib import Path
+
+
+def parse_args():
+    parser = argparse.ArgumentParser(description="Generate SSH keys for Gitea repositories and add them as secrets")
+    parser.add_argument("--org", required=True, type=str, help="The organization to generate keys for")
+    parser.add_argument("--token-path", metavar='PATH', required=True, type=Path, help="Path to a file containing the Gitea API token")
+    parser.add_argument("--api-url", metavar='URL', type=str, help="The URL of the Gitea API", default="https://git.pvv.ntnu.no/api/v1")
+    parser.add_argument("--key-dir", metavar='PATH', type=Path, help="The directory to store the generated keys in", default="/run/gitea-web-secret-provider")
+    parser.add_argument("--authorized-keys-path", metavar='PATH', type=Path, help="The path to the resulting authorized_keys file", default="/etc/ssh/authorized_keys.d/gitea-web-secret-provider")
+    parser.add_argument("--rrsync-script", metavar='PATH', type=Path, help="The path to a rrsync script, taking the destination path as its single argument")
+    parser.add_argument("--web-dir", metavar='PATH', type=Path, help="The directory to sync the repositories to", default="/var/www")
+    parser.add_argument("--force", action="store_true", help="Overwrite existing keys")
+    return parser.parse_args()
+
+
+def add_secret(args: argparse.Namespace, token: str, repo: str, name: str, secret: str):
+    result = requests.put(
+        f"{args.api_url}/repos/{args.org}/{repo}/actions/secrets/{name}",
+        json = { 'data': secret },
+        headers = { 'Authorization': 'token ' + token },
+    )
+    if result.status_code not in (201, 204):
+        raise Exception(f"Failed to add secret: {result.json()}")
+
+
+def get_org_repo_list(args: argparse.Namespace, token: str):
+    result = requests.get(
+        f"{args.api_url}/orgs/{args.org}/repos",
+        headers = { 'Authorization': 'token ' + token },
+    )
+    return [repo["name"] for repo in result.json()]
+
+
+def generate_ssh_key(args: argparse.Namespace, repository: str):
+    keyname = hashlib.sha256(args.org.encode() + repository.encode()).hexdigest()
+    key_path = args.key_dir / keyname
+    if not key_path.is_file() or args.force:
+        subprocess.run(
+            [
+                "ssh-keygen",
+                *("-t", "ed25519"),
+                *("-f", key_path),
+                *("-N", ""),
+                *("-C", f"{args.org}/{repository}"),
+            ],
+            check=True,
+            stdin=subprocess.DEVNULL,
+            stdout=subprocess.PIPE,
+            stderr=subprocess.PIPE,
+        )
+        print(f"Generated SSH key for `{args.org}/{repository}`")
+
+    with open(key_path, "r") as f:
+        private_key = f.read()
+
+    pub_key_path = args.key_dir / (keyname + '.pub')
+    with open(pub_key_path, "r") as f:
+        public_key = f.read()
+
+    return private_key, public_key
+
+
+SSH_OPTS = ",".join([
+    "restrict",
+    "no-agent-forwarding",
+    "no-port-forwarding",
+    "no-pty",
+    "no-X11-forwarding",
+])
+
+
+def generate_authorized_keys(args: argparse.Namespace, repo_public_keys: list[tuple[str, str]]):
+    lines = []
+    for repo, public_key in repo_public_keys:
+        command = f"{args.rrsync_script} {args.web_dir}/{args.org}/{repo}"
+        lines.append(f'command="{command}",{SSH_OPTS} {public_key}')
+
+    with open(args.authorized_keys_path, "w") as f:
+        f.writelines(lines)
+
+
+def main():
+    args = parse_args()
+
+    with open(args.token_path, "r") as f:
+        token = f.read().strip()
+
+    os.makedirs(args.key_dir, 0o700, exist_ok=True)
+    os.makedirs(args.authorized_keys_path.parent, 0o700, exist_ok=True)
+
+    repos = get_org_repo_list(args, token)
+    print(f'Found {len(repos)} repositories in `{args.org}`')
+
+    repo_public_keys = []
+    for repo in repos:
+        print(f"Locating key for `{args.org}/{repo}`")
+        private_key, public_key = generate_ssh_key(args, repo)
+        add_secret(args, token, repo, "WEB_SYNC_SSH_KEY", private_key)
+        repo_public_keys.append((repo, public_key))
+
+    generate_authorized_keys(args, repo_public_keys)
+    print(f"Wrote authorized_keys file to `{args.authorized_keys_path}`")
+
+
+if __name__ == "__main__":
+    main()

hosts/bekkalokk/services/idp-simplesamlphp/default.nix

@@ -22,62 +22,62 @@ let
       # openssl req -newkey rsa:4096 -new -x509 -days 365 -nodes -out idp.crt -keyout idp.pem
       "metadata/saml20-idp-hosted.php" = pkgs.writeText "saml20-idp-remote.php" ''
         <?php
-	  $metadata['https://idp.pvv.ntnu.no/'] = array(
+        $metadata['https://idp.pvv.ntnu.no/'] = array(
-	    'host' => '__DEFAULT__',
+          'host' => '__DEFAULT__',
-	    'privatekey' => '${config.sops.secrets."idp/privatekey".path}',
+          'privatekey' => '${config.sops.secrets."idp/privatekey".path}',
-	    'certificate' => '${./idp.crt}',
+          'certificate' => '${./idp.crt}',
-	    'auth' => 'pwauth',
+          'auth' => 'pwauth',
-	  );
+        );
-	?>
+        ?>
       '';
 
       "metadata/saml20-sp-remote.php" = pkgs.writeText "saml20-sp-remote.php" ''
         <?php
-	  ${ lib.pipe config.services.idp.sp-remote-metadata [
+          ${ lib.pipe config.services.idp.sp-remote-metadata [
-             (map (url: ''
+            (map (url: ''
-               $metadata['${url}'] = [
+              $metadata['${url}'] = [
-                   'SingleLogoutService' => [
+                'SingleLogoutService' => [
-                       [
+                  [
-                           'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
+                    'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
-                           'Location' => '${url}module.php/saml/sp/saml2-logout.php/default-sp',
+                    'Location' => '${url}module.php/saml/sp/saml2-logout.php/default-sp',
-                       ],
+                  ],
-                       [
+                  [
-                           'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:SOAP',
+                    'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:SOAP',
-                           'Location' => '${url}module.php/saml/sp/saml2-logout.php/default-sp',
+                    'Location' => '${url}module.php/saml/sp/saml2-logout.php/default-sp',
-                       ],
+                  ],
-                   ],
+                ],
-                   'AssertionConsumerService' => [
+                'AssertionConsumerService' => [
-                       [
+                  [
-                           'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
+                    'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
-                           'Location' => '${url}module.php/saml/sp/saml2-acs.php/default-sp',
+                    'Location' => '${url}module.php/saml/sp/saml2-acs.php/default-sp',
-                           'index' => 0,
+                    'index' => 0,
-                       ],
+                  ],
-                       [
+                  [
-                           'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact',
+                    'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact',
-                           'Location' => '${url}module.php/saml/sp/saml2-acs.php/default-sp',
+                    'Location' => '${url}module.php/saml/sp/saml2-acs.php/default-sp',
-                           'index' => 1,
+                    'index' => 1,
-                       ],
+                  ],
-                   ],
+                ],
-               ];
+              ];
-	     ''))
+            ''))
-	     (lib.concatStringsSep "\n")
+            (lib.concatStringsSep "\n")
-	  ]}
+          ]}
-	?>
+        ?>
       '';
 
       "config/authsources.php" = pkgs.writeText "idp-authsources.php" ''
         <?php
           $config = array(
-	    'admin' => array(
+            'admin' => array(
-	      'core:AdminPassword'
+              'core:AdminPassword'
-	    ),
+            ),
             'pwauth' => array(
-               'authpwauth:PwAuth',
+              'authpwauth:PwAuth',
-               'pwauth_bin_path' => '${lib.getExe pwAuthScript}',
+              'pwauth_bin_path' => '${lib.getExe pwAuthScript}',
-               'mail_domain' => '@pvv.ntnu.no',
+              'mail_domain' => '@pvv.ntnu.no',
             ),
           );
-	?>
+        ?>
       '';
 
       "config/config.php" = pkgs.runCommandLocal "simplesamlphp-config.php" { } ''
@@ -108,7 +108,7 @@ in
       List of urls point to (simplesamlphp) service profiders, which the idp should trust.
 
       :::{.note}
-	Make sure the url ends with a `/`
+      Make sure the url ends with a `/`
       :::
     '';
   };
@@ -199,9 +199,9 @@ in
           '';
         };
         "^~ /simplesaml/".extraConfig = ''
-	  rewrite ^/simplesaml/(.*)$ /$1 redirect;
+          rewrite ^/simplesaml/(.*)$ /$1 redirect;
-	  return 404;
+          return 404;
-	'';
+        '';
       };
     };
   };

hosts/bekkalokk/services/kerberos/pam.nix

@@ -879,15 +879,15 @@ let
 
   inherit (pkgs) pam_krb5 pam_ccreds;
 
-  use_ldap = (config.users.ldap.enable && config.users.ldap.loginPam);
+  use_ldap = config.users.ldap.enable && config.users.ldap.loginPam;
   pam_ldap = if config.users.ldap.daemon.enable then pkgs.nss_pam_ldapd else pkgs.pam_ldap;
 
   # Create a limits.conf(5) file.
   makeLimitsConf = limits:
     pkgs.writeText "limits.conf"
-       (concatMapStrings ({ domain, type, item, value }:
+      (concatMapStrings ({ domain, type, item, value }:
-         "${domain} ${type} ${item} ${toString value}\n")
+        "${domain} ${type} ${item} ${toString value}\n")
-         limits);
+        limits);
 
   limitsType = with lib.types; listOf (submodule ({ ... }: {
     options = {
@@ -935,8 +935,8 @@ let
   }));
 
   motd = if config.users.motdFile == null
-         then pkgs.writeText "motd" config.users.motd
+    then pkgs.writeText "motd" config.users.motd
-         else config.users.motdFile;
+    else config.users.motdFile;
 
   makePAMService = name: service:
     { name = "pam.d/${name}";
@@ -976,20 +976,20 @@ in
             item   = "maxlogins";
             value  = "4";
           }
-       ];
+        ];
 
-     description = lib.mdDoc ''
+      description = lib.mdDoc ''
-       Define resource limits that should apply to users or groups.
+        Define resource limits that should apply to users or groups.
-       Each item in the list should be an attribute set with a
+        Each item in the list should be an attribute set with a
-       {var}`domain`, {var}`type`,
+        {var}`domain`, {var}`type`,
-       {var}`item`, and {var}`value`
+        {var}`item`, and {var}`value`
-       attribute.  The syntax and semantics of these attributes
+        attribute.  The syntax and semantics of these attributes
-       must be that described in {manpage}`limits.conf(5)`.
+        must be that described in {manpage}`limits.conf(5)`.
 
-       Note that these limits do not apply to systemd services,
+        Note that these limits do not apply to systemd services,
-       whose limits can be changed via {option}`systemd.extraConfig`
+        whose limits can be changed via {option}`systemd.extraConfig`
-       instead.
+        instead.
-     '';
+      '';
     };
 
     security.pam.services = mkOption {
@@ -1507,10 +1507,10 @@ in
         runuser = { rootOK = true; unixAuth = false; setEnvironment = false; };
 
         /* FIXME: should runuser -l start a systemd session? Currently
-           it complains "Cannot create session: Already running in a
+            it complains "Cannot create session: Already running in a
-           session". */
+            session". */
         runuser-l = { rootOK = true; unixAuth = false; };
-      } // optionalAttrs (config.security.pam.enableFscrypt) {
+      } // optionalAttrs config.security.pam.enableFscrypt {
         # Allow fscrypt to verify login passphrase
         fscrypt = {};
       };

hosts/bekkalokk/services/phpfpm.nix

@@ -0,0 +1,51 @@
+{ lib, ... }:
+let
+  pools = map (pool: "phpfpm-${pool}") [
+    "idp"
+    "mediawiki"
+    "pvv-nettsiden"
+    "roundcube"
+    "snappymail"
+  ];
+in
+{
+  # Source: https://www.pierreblazquez.com/2023/06/17/how-to-harden-apache-php-fpm-daemons-using-systemd/
+  systemd.services = lib.genAttrs pools (_: {
+    serviceConfig = let
+      caps = [
+        "CAP_NET_BIND_SERVICE"
+        "CAP_SETGID"
+        "CAP_SETUID"
+        "CAP_CHOWN"
+        "CAP_KILL"
+        "CAP_IPC_LOCK"
+        "CAP_DAC_OVERRIDE"
+      ];
+    in {
+      AmbientCapabilities = caps;
+      CapabilityBoundingSet = caps;
+      DeviceAllow = [ "" ];
+      LockPersonality = true;
+      MemoryDenyWriteExecute = false;
+      NoNewPrivileges = true;
+      PrivateMounts = true;
+      ProtectClock = true;
+      ProtectControlGroups = true;
+      ProtectHome = true;
+      ProtectHostname = true;
+      ProtectKernelLogs = true;
+      ProtectKernelModules = true;
+      ProtectKernelTunables = true;
+      RemoveIPC = true;
+      UMask = "0077";
+      RestrictNamespaces = "~mnt";
+      RestrictRealtime = true;
+      RestrictSUIDSGID = true;
+      SystemCallArchitectures = "native";
+      KeyringMode = "private";
+      SystemCallFilter = [
+        "@system-service"
+      ];
+    };
+  });
+}

hosts/bekkalokk/services/vaultwarden.nix

@@ -65,4 +65,40 @@ in {
       proxyWebsockets = true;
     };
   };
+
+  systemd.services.vaultwarden = lib.mkIf cfg.enable {
+    serviceConfig = {
+      AmbientCapabilities = [ "" ];
+      CapabilityBoundingSet = [ "" ];
+      DeviceAllow = [ "" ];
+      LockPersonality = true;
+      NoNewPrivileges = true;
+      # MemoryDenyWriteExecute = true;
+      PrivateMounts = true;
+      PrivateUsers = true;
+      ProcSubset = "pid";
+      ProtectClock = true;
+      ProtectControlGroups = true;
+      ProtectHostname = true;
+      ProtectKernelLogs = true;
+      ProtectKernelModules = true;
+      ProtectKernelTunables = true;
+      ProtectProc = "invisible";
+      RestrictAddressFamilies = [
+        "AF_INET"
+        "AF_INET6"
+        "AF_UNIX"
+      ];
+      RemoveIPC = true;
+      RestrictNamespaces = true;
+      RestrictRealtime = true;
+      RestrictSUIDSGID = true;
+      SystemCallArchitectures = "native";
+      SystemCallFilter = [
+        "@system-service"
+        "~@privileged"
+      ];
+      UMask = "0007";
+    };
+  };
 }

hosts/bekkalokk/services/website/default.nix

@@ -43,7 +43,7 @@ in {
                   'idp' => 'https://idp.pvv.ntnu.no/',
               ),
           );
-	'';
+        '';
       };
     };
 

hosts/bekkalokk/services/website/fetch-gallery.nix

@@ -46,7 +46,7 @@ in {
       while IFS= read fname; do
         # Skip this file if an up-to-date thumbnail already exists
         if [ -f ".thumbnails/$fname.png" ] && \
-           [ "$(date -R -r "$fname")" == "$(date -R -r ".thumbnails/$fname.png")" ]
+          [ "$(date -R -r "$fname")" == "$(date -R -r ".thumbnails/$fname.png")" ]
         then
           continue
         fi
@@ -54,7 +54,7 @@ in {
         echo "Creating thumbnail for $fname"
         mkdir -p $(dirname ".thumbnails/$fname")
         convert -define jpeg:size=200x200 "$fname" -thumbnail 300 -auto-orient ".thumbnails/$fname.png" ||:
-	touch -m -d "$(date -R -r "$fname")" ".thumbnails/$fname.png"
+        touch -m -d "$(date -R -r "$fname")" ".thumbnails/$fname.png"
       done <<< "$images"
     '';
 

hosts/bicep/configuration.nix

@@ -3,7 +3,7 @@
   imports = [
     ./hardware-configuration.nix
 
-    ../../base.nix
+    ../../base
     ../../misc/metrics-exporters.nix
     ./services/nginx
 
@@ -12,8 +12,7 @@
     ./services/mysql.nix
     ./services/postgres.nix
     ./services/mysql.nix
-    # TODO: fix the calendar bot
+    ./services/calendar-bot.nix
-    # ./services/calendar-bot.nix
 
     ./services/matrix
   ];

hosts/bicep/services/calendar-bot.nix

@@ -2,11 +2,19 @@
 let
   cfg = config.services.pvv-calendar-bot;
 in {
-  sops.secrets."calendar-bot/matrix_token" = {
+  sops.secrets = {
-    sopsFile = ../../../secrets/bicep/bicep.yaml;
+    "calendar-bot/matrix_token" = {
-    key = "calendar-bot/matrix_token";
+      sopsFile = ../../../secrets/bicep/bicep.yaml;
-    owner = cfg.user;
+      key = "calendar-bot/matrix_token";
-    group = cfg.group;
+      owner = cfg.user;
+      group = cfg.group;
+    };
+    "calendar-bot/mysql_password" = {
+      sopsFile = ../../../secrets/bicep/bicep.yaml;
+      key = "calendar-bot/mysql_password";
+      owner = cfg.user;
+      group = cfg.group;
+    };
   };
 
   services.pvv-calendar-bot = {
@@ -18,6 +26,11 @@ in {
         user = "@bot_calendar:pvv.ntnu.no";
         channel = "!gkNLUIhYVpEyLatcRz:pvv.ntnu.no";
       };
+      database = {
+        host = "mysql.pvv.ntnu.no";
+        user = "calendar-bot";
+        passwordFile = config.sops.secrets."calendar-bot/mysql_password".path;
+      };
       secretsFile = config.sops.secrets."calendar-bot/matrix_token".path;
       onCalendar = "*-*-* 09:00:00";
     };

hosts/bicep/services/matrix/mjolnir.nix

@@ -11,7 +11,7 @@
   services.mjolnir = {
     enable = true;
     pantalaimon.enable = false;
-    homeserverUrl = http://127.0.0.1:8008;
+    homeserverUrl = "https://matrix.pvv.ntnu.no";
     accessTokenFile = config.sops.secrets."matrix/mjolnir/access_token".path;
     managementRoom = "!gsdeCoWjvYRBrzuiRq:pvv.ntnu.no";
     protectedRooms = map (a: "https://matrix.to/#/${a}") [

hosts/bicep/services/matrix/synapse.nix

@@ -143,10 +143,10 @@ in {
   services.redis.servers."".enable = true;
 
   services.nginx.virtualHosts."matrix.pvv.ntnu.no" = lib.mkMerge [
-  ({
+  {
     kTLS = true;
-  })
+  }
-  ({
+  {
     locations."/.well-known/matrix/server" = {
       return = ''
         200 '{"m.server": "matrix.pvv.ntnu.no:443"}'
@@ -156,16 +156,28 @@ in {
         add_header Access-Control-Allow-Origin *;
       '';
     };
-  })
+  }
-  ({
+  {
+    locations."/_synapse/admin" = {
+      proxyPass = "http://$synapse_backend";
+      extraConfig = ''
+        allow 127.0.0.1;
+        allow ::1;
+        allow ${values.hosts.bicep.ipv4};
+        allow ${values.hosts.bicep.ipv6};
+        deny all;
+      '';
+    };
+  }
+  {
     locations = let
       connectionInfo = w: matrix-lib.workerConnectionResource "metrics" w;
-      socketAddress = w: let c = connectionInfo w; in "${c.host}:${toString (c.port)}";
+      socketAddress = w: let c = connectionInfo w; in "${c.host}:${toString c.port}";
 
       metricsPath = w: "/metrics/${w.type}/${toString w.index}";
       proxyPath = w: "http://${socketAddress w}/_synapse/metrics";
     in lib.mapAttrs' (n: v: lib.nameValuePair
-      (metricsPath v) ({
+      (metricsPath v) {
         proxyPass = proxyPath v;
         extraConfig = ''
           allow ${values.hosts.ildkule.ipv4};
@@ -174,10 +186,10 @@ in {
           allow ${values.hosts.ildkule.ipv6_global};
           deny all;
         '';
-      }))
+      })
       cfg.workers.instances;
-  })
+  }
-  ({
+  {
     locations."/metrics/master/1" = {
       proxyPass = "http://127.0.0.1:9000/_synapse/metrics";
       extraConfig = ''
@@ -202,5 +214,5 @@ in {
             labels = { };
           }]) + "/";
     };
-  })];
+  }];
 }

hosts/bicep/services/mysql.nix

@@ -1,4 +1,7 @@
 { pkgs, lib, config, values, ... }:
+let
+  backupDir = "/var/lib/mysql/backups";
+in
 {
   sops.secrets."mysql/password" = {
     owner = "mysql";
@@ -15,12 +18,12 @@
       mysqld = {
         # PVV allows a lot of connections at the same time
         max_connect_errors = 10000;
-	bind-address = values.services.mysql.ipv4;
+        bind-address = values.services.mysql.ipv4;
-	skip-networking = 0;
+        skip-networking = 0;
 
-	# This was needed in order to be able to use all of the old users
+        # This was needed in order to be able to use all of the old users
-	# during migration from knakelibrak to bicep in Sep. 2023
+        # during migration from knakelibrak to bicep in Sep. 2023
-	secure_auth = 0;
+        secure_auth = 0;
       };
     };
 
@@ -36,11 +39,6 @@
     }];
   };
 
-  services.mysqlBackup = {
-    enable = true;
-    location = "/var/lib/mysql/backups";
-  };
-
   networking.firewall.allowedTCPPorts = [ 3306 ];
 
   systemd.services.mysql.serviceConfig = {
@@ -50,4 +48,58 @@
       values.ipv6-space
     ];
   };
+
+  # NOTE: instead of having the upstream nixpkgs postgres backup unit trigger
+  #       another unit, it was easier to just make one ourselves
+  systemd.services."backup-mysql" = {
+    description = "Backup MySQL data";
+    requires = [ "mysql.service" ];
+
+    path = [
+      pkgs.coreutils
+      pkgs.rsync
+      pkgs.gzip
+      config.services.mysql.package
+    ];
+
+    script = let
+      rotations = 10;
+      # rsyncTarget = "root@isvegg.pvv.ntnu.no:/mnt/backup1/bicep/mysql";
+      rsyncTarget = "/data/backup/mysql";
+    in ''
+      set -eo pipefail
+
+      mysqldump --all-databases | gzip -c -9 --rsyncable > "${backupDir}/$(date --iso-8601)-dump.sql.gz"
+
+      while [ $(ls -1 "${backupDir}" | wc -l) -gt ${toString rotations} ]; do
+        rm $(find "${backupDir}" -type f -printf '%T+ %p\n' | sort | head -n 1 | cut -d' ' -f2)
+      done
+
+      rsync -avz --delete "${backupDir}" '${rsyncTarget}'
+    '';
+
+    serviceConfig = {
+      Type = "oneshot";
+      User = "mysql";
+      Group = "mysql";
+      UMask = "0077";
+
+      Nice = 19;
+      IOSchedulingClass = "best-effort";
+      IOSchedulingPriority = 7;
+
+      ReadWritePaths = [
+        backupDir
+        "/data/backup/mysql" # NOTE: should not be part of this option once rsyncTarget is remote
+      ];
+    };
+
+    startAt = "*-*-* 02:15:00";
+  };
+
+  systemd.tmpfiles.settings."10-mysql-backup".${backupDir}.d = {
+    user = "mysql";
+    group = "mysql";
+    mode = "700";
+  };
 }

hosts/bicep/services/postgres.nix

@@ -1,6 +1,6 @@
-{ config, pkgs, ... }:
+{ config, pkgs, lib, ... }:
 let
-  sslCert = config.security.acme.certs."postgres.pvv.ntnu.no";
+  backupDir = "/var/lib/postgresql/backups";
 in
 {
   services.postgresql = {
@@ -79,19 +79,71 @@ in
 
   systemd.services.postgresql.serviceConfig = {
     LoadCredential = [
-      "cert:${sslCert.directory}/cert.pem"
+      "cert:/etc/certs/postgres.crt"
-      "key:${sslCert.directory}/key.pem"
+      "key:/etc/certs/postgres.key"
     ];
   };
 
-  users.groups.acme.members = [ "postgres" ];
+  environment.snakeoil-certs."/etc/certs/postgres" = {
+    owner = "postgres";
+    group = "postgres";
+    subject = "/C=NO/O=Programvareverkstedet/CN=postgres.pvv.ntnu.no/emailAddress=drift@pvv.ntnu.no";
+  };
 
   networking.firewall.allowedTCPPorts = [ 5432 ];
   networking.firewall.allowedUDPPorts = [ 5432 ];
 
-  services.postgresqlBackup = {
+  # NOTE: instead of having the upstream nixpkgs postgres backup unit trigger
-    enable = true;
+  #       another unit, it was easier to just make one ourselves
-    location = "/var/lib/postgres/backups";
+  systemd.services."backup-postgresql" = {
-    backupAll = true;
+    description = "Backup PostgreSQL data";
+    requires = [ "postgresql.service" ];
+
+    path = [
+      pkgs.coreutils
+      pkgs.rsync
+      pkgs.gzip
+      config.services.postgresql.package
+    ];
+
+    script = let
+      rotations = 10;
+      # rsyncTarget = "root@isvegg.pvv.ntnu.no:/mnt/backup1/bicep/postgresql";
+      rsyncTarget = "/data/backup/postgresql";
+    in ''
+      set -eo pipefail
+
+      pg_dumpall -U postgres | gzip -c -9 --rsyncable > "${backupDir}/$(date --iso-8601)-dump.sql.gz"
+
+      while [ $(ls -1 "${backupDir}" | wc -l) -gt ${toString rotations} ]; do
+        rm $(find "${backupDir}" -type f -printf '%T+ %p\n' | sort | head -n 1 | cut -d' ' -f2)
+      done
+
+      rsync -avz --delete "${backupDir}" '${rsyncTarget}'
+    '';
+
+    serviceConfig = {
+      Type = "oneshot";
+      User = "postgres";
+      Group = "postgres";
+      UMask = "0077";
+
+      Nice = 19;
+      IOSchedulingClass = "best-effort";
+      IOSchedulingPriority = 7;
+
+      ReadWritePaths = [
+        backupDir
+        "/data/backup/postgresql" # NOTE: should not be part of this option once rsyncTarget is remote
+      ];
+    };
+
+    startAt = "*-*-* 01:15:00";
+  };
+
+  systemd.tmpfiles.settings."10-postgresql-backup".${backupDir}.d = {
+    user = "postgres";
+    group = "postgres";
+    mode = "700";
   };
 }

hosts/bob/configuration.nix

@@ -3,7 +3,7 @@
   imports = [
       # Include the results of the hardware scan.
       ./hardware-configuration.nix
-      ../../base.nix
+      ../../base
       ../../misc/metrics-exporters.nix
       ./disks.nix
 

hosts/brzeczyszczykiewicz/configuration.nix

@@ -3,7 +3,7 @@
   imports = [
       # Include the results of the hardware scan.
       ./hardware-configuration.nix
-      ../../base.nix
+      ../../base
       ../../misc/metrics-exporters.nix
 
       ./services/grzegorz.nix

hosts/buskerud/configuration.nix

@@ -2,7 +2,7 @@
 {
   imports = [
     ./hardware-configuration.nix
-    ../../base.nix
+    ../../base
     ../../misc/metrics-exporters.nix
 
     ./services/libvirt.nix

hosts/georg/configuration.nix

@@ -3,11 +3,10 @@
   imports = [
       # Include the results of the hardware scan.
       ./hardware-configuration.nix
-      ../../base.nix
+      ../../base
       ../../misc/metrics-exporters.nix
 
       ../../modules/grzegorz.nix
-      ../../modules/spotifyd.nix
     ];
 
   boot.loader.systemd-boot.enable = true;

hosts/ildkule/configuration.nix

@@ -3,7 +3,7 @@
   imports = [
       # Include the results of the hardware scan.
       ./hardware-configuration.nix
-      ../../base.nix
+      ../../base
       ../../misc/metrics-exporters.nix
 
       ./services/monitoring

hosts/ildkule/services/monitoring/grafana.nix

@@ -34,13 +34,13 @@ in {
         {
           name = "Ildkule Prometheus";
           type = "prometheus";
-          url = ("http://${config.services.prometheus.listenAddress}:${toString config.services.prometheus.port}");
+          url = "http://${config.services.prometheus.listenAddress}:${toString config.services.prometheus.port}";
-         isDefault = true;
+          isDefault = true;
         }
         {
           name = "Ildkule loki";
           type = "loki";
-          url = ("http://${config.services.loki.configuration.server.http_listen_address}:${toString config.services.loki.configuration.server.http_listen_port}");
+          url = "http://${config.services.loki.configuration.server.http_listen_address}:${toString config.services.loki.configuration.server.http_listen_port}";
         }
       ];
       dashboards.settings.providers = [
@@ -56,13 +56,13 @@ in {
           url = "https://raw.githubusercontent.com/matrix-org/synapse/develop/contrib/grafana/synapse.json";
           options.path = dashboards/synapse.json;
         }
-	# TODO: enable once https://github.com/NixOS/nixpkgs/pull/242365 gets merged
+        # TODO: enable once https://github.com/NixOS/nixpkgs/pull/242365 gets merged
-	# {
+        # {
-	#   name = "MySQL";
+        #   name = "MySQL";
-	#   type = "file";
+        #   type = "file";
-	#   url = "https://raw.githubusercontent.com/prometheus/mysqld_exporter/main/mysqld-mixin/dashboards/mysql-overview.json";
+        #   url = "https://raw.githubusercontent.com/prometheus/mysqld_exporter/main/mysqld-mixin/dashboards/mysql-overview.json";
-	#   options.path = dashboards/mysql.json;
+        #   options.path = dashboards/mysql.json;
-	# }
+        # }
         {
           name = "Postgresql";
           type = "file";

hosts/ildkule/services/monitoring/loki.nix

@@ -58,7 +58,7 @@ in {
       };
 
       limits_config = {
-	allow_structured_metadata = false;
+        allow_structured_metadata = false;
         reject_old_samples = true;
         reject_old_samples_max_age = "72h";
       };

hosts/shark/configuration.nix

@@ -3,7 +3,7 @@
   imports = [
       # Include the results of the hardware scan.
       ./hardware-configuration.nix
-      ../../base.nix
+      ../../base
       ../../misc/metrics-exporters.nix
     ];
 

justfile

@@ -0,0 +1,25 @@
+export GUM_FILTER_HEIGHT := "15"
+nom := `if command -v nom >/dev/null; then echo nom; else echo nix; fi`
+
+@_default:
+  just "$(gum choose --ordered --header "Pick a recipie..." $(just --summary --unsorted))"
+
+check:
+  nix flake check --keep-going
+
+build-machine machine=`just _a_machine`:
+  {{nom}} build .#nixosConfigurations.{{ machine }}.config.system.build.toplevel
+
+run-vm machine=`just _a_machine`:
+  nixos-rebuild build-vm --flake .#{{ machine }}
+  QEMU_NET_OPTS="hostfwd=tcp::8080-:80,hostfwd=tcp::8081-:443,hostfwd=tcp::2222-:22" ./result/bin/run-*-vm
+
+@update-inputs:
+  nix eval .#inputs --apply builtins.attrNames --json \
+    | jq '.[]' -r \
+    | gum choose --no-limit --height=15 \
+    | xargs nix flake update --commit-lock-file
+
+
+_a_machine:
+  nix eval .#nixosConfigurations --apply builtins.attrNames --json | jq .[] -r | gum filter

modules/snakeoil-certs.nix

@@ -36,10 +36,10 @@ in
           type = lib.types.str;
           default = "${name}.key";
         };
-	subject = lib.mkOption {
+        subject = lib.mkOption {
-	  type = lib.types.str;
+          type = lib.types.str;
-	  default = "/C=NO/O=Programvareverkstedet/CN=*.pvv.ntnu.no/emailAddress=drift@pvv.ntnu.no";
+          default = "/C=NO/O=Programvareverkstedet/CN=*.pvv.ntnu.no/emailAddress=drift@pvv.ntnu.no";
-	};
+        };
       };
     }));
   };
@@ -50,25 +50,27 @@ in
       serviceConfig.Type = "oneshot";
       script = let
         openssl = lib.getExe pkgs.openssl;
-      in lib.concatMapStringsSep "\n----------------\n" ({ name, value }: ''
+      in lib.concatMapStringsSep "\n" ({ name, value }: ''
         mkdir -p $(dirname "${value.certificate}") $(dirname "${value.certificateKey}")
         if ! ${openssl} x509 -checkend 86400 -noout -in ${value.certificate}
         then
-           echo "Regenerating '${value.certificate}'"
+          echo "Regenerating '${value.certificate}'"
-           ${openssl} req \
+          ${openssl} req \
-             -newkey rsa:4096 \
+            -newkey rsa:4096 \
-             -new -x509 \
+            -new -x509 \
-             -days "${toString value.daysValid}" \
+            -days "${toString value.daysValid}" \
-             -nodes \
+            -nodes \
-             -subj "${value.subject}" \
+            -subj "${value.subject}" \
-             -out "${value.certificate}" \
+            -out "${value.certificate}" \
-             -keyout "${value.certificateKey}" \
+            -keyout "${value.certificateKey}" \
-             ${lib.escapeShellArgs value.extraOpenSSLArgs}
+            ${lib.escapeShellArgs value.extraOpenSSLArgs}
         fi
         chown "${value.owner}:${value.group}" "${value.certificate}"
         chown "${value.owner}:${value.group}" "${value.certificateKey}"
         chmod "${value.mode}" "${value.certificate}"
         chmod "${value.mode}" "${value.certificateKey}"
+
+        echo "\n-----------------\n"
       '') (lib.attrsToList cfg);
     };
     systemd.timers."generate-snakeoil-certs" = {

modules/spotifyd.nix

@@ -1,44 +0,0 @@
-{ lib, config, ... }:
-
-{
-
-  services.spotifyd.enable = true;
-  # https://docs.spotifyd.rs/config/File.html
-  services.spotifyd.settings = {
-    device_name = "${config.networking.hostName}-spotifyd";
-    device_type = "t_v"; # in ["unknown" "computer" "tablet" "smartphone" "speaker" "t_v"],
-    bitrate = 160; # in [96 160 320]
-    volume_normalisation = true;
-    zeroconf_port = 44677; # instead of user/password
-
-    # this is the place you add blinkenlights
-    #on_song_change_hook = "rm -rf / --no-preserve-root";
-  };
-
-  systemd.services.spotifyd.serviceConfig = {
-    SupplementaryGroups = [
-      "audio"
-      "pipewire"
-    ];
-  };
-
-  services.avahi.enable = true;
-  services.avahi.publish.enable = true;
-  services.avahi.publish.addresses = true;
-  services.avahi.publish.domain = true;
-  services.avahi.extraServiceFiles.spotifyd = ''
-    <?xml version="1.0" standalone='no'?><!--*-nxml-*-->
-    <!DOCTYPE service-group SYSTEM "avahi-service.dtd">
-    <service-group>
-      <name replace-wildcards="yes">%h</name>
-      <service>
-        <type>_spotify-connect._tcp</type>
-        <port>${builtins.toString config.services.spotifyd.settings.zeroconf_port}</port>
-      </service>
-    </service-group>
-  '';
-
-  networking.firewall.allowedTCPPorts = [ config.services.spotifyd.settings.zeroconf_port ];
-  networking.firewall.allowedUDPPorts = [ 5353 ]; # mDNS
-
-}

secrets/bekkalokk/bekkalokk.yaml

@@ -1,10 +1,12 @@
 gitea:
+    web-secret-provider:
+        token: ENC[AES256_GCM,data:pHmBKxrNcLifl4sjR44AGEElfdachja35Tl/InsqvBWturaeTv4R0w==,iv:emBWfXQs2VNqtpDp5iA5swNC+24AWDYYXo6nvN+Fwx4=,tag:lkhSVSs6IqhHpfDPOX0wQA==,type:str]
     password: ENC[AES256_GCM,data:hlNzdU1ope0t50/3aztyLeXjMHd2vFPpwURX+Iu8f49DOqgSnEMtV+KtLA==,iv:qljRnSnchL5cFmaUAfCH9GQYQxcy5cyWejgk1x6bFgI=,tag:tIhboFU5kZsj5oAQR3hLbw==,type:str]
     database: ENC[AES256_GCM,data:UlS33IdCEyeSvT6ngpmnkBWHuSEqsB//DT+3b7C+UwbD8UXWJlsLf1X8/w==,iv:mPRW5ldyZaHP+y/0vC2JGSLZmlkhgmkvXPk4LazkSDs=,tag:gGk6Z/nbPvzE1zG+tJC8Sw==,type:str]
     email-password: ENC[AES256_GCM,data:KRwC+aL1aPvJuXt91Oq1ttATMnFTnuUy,iv:ats8TygB/2pORkaTZzPOLufZ9UmvVAKoRcWNvYF1z6w=,tag:Do0fA+4cZ3+l7JJyu8hjBg==,type:str]
     passwd-ssh-key: ENC[AES256_GCM,data:L0lF0wvpayss1NU9m3A45cH0bCMQzODTFVrq6EPd1JHx54wIcoaRBYLmxXKXASzBlCg9zlwXMUIk3OQcS3kdzMKL0iqcSL2iicAcKjFIHyrWLqXgwV5pRSP/tRPcVw8KW8gz0bh33EgESs5ReddZ3VZ0Cy1s2YupMRQvBXr89k1+Hv70OWB6P06hvxhv/zKcMGI1N/dWLroMgrQuT9imw4+/Q1RqwzTYeEU+eUn24AM9GjcBg4qf3OI+6g0nXUat/upIYE28iF5J3lbUSmDSmirBLc8xgHLdOyyJPTObWYWYxlSL78T7IqiMm9lI3rtBlpJDDcn/YxZpVqN5bg2154GISNK+uR0TVSLdJ+drdGHIfIX3G78XSxf2L9rbJyRn8MQlgStfdBIQicLavQKVMrmj+XQfvEMez23WbPLjH4oViBQFI+GrOHOGy/f16cz8Sn4n+69OcsOeTxs3tKYdfq6r1XLYSJ/fe/zvxBpaZiyGXljsuyEdIyBL2A8D6uSXe3Nd3/DAdBtceFfIdN1olCdutixzVWgxaJnrel161z5A/4w=,iv:Uy46yY3jFYSvpxrgCHxRMUksnWfhf5DViLMvCXVMMl4=,tag:wFEJ5+icFrOKkc56gY0A5g==,type:str]
     ssh-known-hosts: ENC[AES256_GCM,data:zlRLoelQeumMxGqPmgMTB69X1RVWXIs2jWwc67lk0wrdNOHUs5UzV5TUA1JnQ43RslBU92+js7DkyvE5enGzw7zZE5F1ZYdGv/eCgvkTMC9BoLfzHzP6OzayPLYEt3xJ5PRocN8JUAD55cuu4LgsuebuydHPi2oWOfpbSUBKSeCh6dvk5Pp1XRDprPS5SzGLW8Xjq98QlzmfGv50meI9CDJZVF9Wq/72gkyfgtb3YVdr,iv:AF06TBitHegfWk6w07CdkHklh4ripQCmA45vswDQgss=,tag:zKh7WVXMJN2o9ZIwIkby3Q==,type:str]
-    import-user-env: ENC[AES256_GCM,data:vfaqjGEnUM9VtOPvBurz7nFwzGZt3L2EqijrQej4wiOcGCrRA4tN6kBV6NmhHqlFPsw=,iv:viPGkyOOacCWcgTu25da4qH7DC4wz2qdeC1W2WcMUdI=,tag:BllNqGQoaxqUo3lTz9LGnw==,type:str]
+    import-user-env: ENC[AES256_GCM,data:wArFwTd0ZoB4VXHPpichfnmykxGxN8y2EQsMgOPHv7zsm6A+m2rG9BWDGskQPr5Ns9o=,iv:gPUzYFSNoALJb1N0dsbNlgHIb7+xG7E9ANpmVNZURQ0=,tag:JghfRy2OcDFWKS9zX1XJ9A==,type:str]
     runners:
         alpha: ENC[AES256_GCM,data:gARxCufePz+EMVwEwRsL2iZUfh9HUowWqtb7Juz3fImeeAdbt+k3DvL/Nwgegg==,iv:3fEaWd7v7uLGTy2J7EFQGfN0ztI0uCOJRz5Mw8V5UOU=,tag:Aa6LwWeW2hfDz1SqEhUJpA==,type:str]
         beta: ENC[AES256_GCM,data:DVjS78IKWiWgf+PuijCZKx4ZaEJGhQr7vl+lc7QOg1JlA4p9Kux/tOD8+f2+jA==,iv:tk3Xk7lKWNdZ035+QVIhxXy2iJbHwunI4jRFM4It46E=,tag:9Mr6o//svYEyYhSvzkOXMg==,type:str]
@@ -90,8 +92,8 @@ sops:
             UHpLRkdQTnhkeGlWVG9VS1hkWktyckEKAdwnA9URLYZ50lMtXrU9Q09d0L3Zfsyr
             4UsvjjdnFtsXwEZ9ZzOQrpiN0Oz24s3csw5KckDni6kslaloJZsLGg==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-05-26T02:07:41Z"
+    lastmodified: "2024-08-26T19:38:58Z"
-    mac: ENC[AES256_GCM,data:CRaJefV1zcJc6eyzyjTLgd0+Wv46VT8o4iz2YAGU+c2b/Cr97Tj290LoEO6UXTI3uFwVfzii2yZ2l+4FK3nVVriD4Cx1O/9qWcnLa5gfK30U0zof6AsJx8qtGu1t6oiPlGUCF7sT0BW9Wp8cPumrY6cZp9QbhmIDV0o0aJNUNN4=,iv:8OSYV1eG6kYlJD4ovZZhcD1GaYnmy7vHPa/+7egM1nE=,tag:OPI13rpDh2l1ViFj8TBFWg==,type:str]
+    mac: ENC[AES256_GCM,data:3FyfZPmJ7znQEul+IwqN1ZaM53n6os3grquJwJ9vfyDSc2h8UZBhqYG+2uW9Znp9DSIjuhCUI8iqGKRJE0M/6IDICeXms/5+ynVFOS9bA2cdzPvWaj0FFAd2x3g4Vhs47+vRlsnIe/tMiKU3IOvzOfI6KAUHc9L2ySrzH7z2+fo=,iv:1iZSR9qOIEtf+fNbtWSwJBIUEQGKadfHSVOnkFzOwq8=,tag:Sk6JEU1B6Rd1GXLYC6rQtQ==,type:str]
     pgp:
         - created_at: "2024-08-04T00:03:28Z"
           enc: |-
@@ -114,4 +116,4 @@ sops:
             -----END PGP MESSAGE-----
           fp: F7D37890228A907440E1FD4846B9228E814A2AAC
     unencrypted_suffix: _unencrypted
-    version: 3.8.1
+    version: 3.9.0

secrets/bicep/bicep.yaml

@@ -1,5 +1,6 @@
 calendar-bot:
     matrix_token: ENC[AES256_GCM,data:zJv9sw6pEzb9hxKT682wsD87HC9iejbps2wl2Z5QW1XZUSBHdcqyg1pxd+jFKTeKGQ==,iv:zDbvF1H98NsECjCtGXS+Y9HIhXowzz9HF9mltqnArog=,tag:/ftcOSQ13ElkVJBxYIMUGQ==,type:str]
+    mysql_password: ENC[AES256_GCM,data:Gqag8yOgPH3ntoT5TmaqJWv1j+si2qIyz5Ryfw5E2A==,iv:kQDcxnPfwJQcFovI4f87UDt18F8ah3z5xeY86KmdCyY=,tag:A1sCSNXJziAmtUWohqwJgg==,type:str]
 mysql:
     password: ENC[AES256_GCM,data:KqEe0TVdeMIzPKsmFg9x0X9xWijnOk306ycyXTm2Tpqo/O0F,iv:Y+hlQ8n1ZIP9ncXBzd2kCSs/DWVTWhiEluFVwZFKRCA=,tag:xlaUk0Wftk62LpYE5pKNQw==,type:str]
 sops:
@@ -62,8 +63,8 @@ sops:
             cTh5bnJ3WW90aXRCSUp6NHFYeU1tZ0kK4afdtJwGNu6wLRI0fuu+mBVeqVeB0rgX
             0q5hwyzjiRnHnyjF38CmcGgydSfDRmF6P+WIMbCwXC6LwfRhAmBGPg==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-09-05T23:28:56Z"
+    lastmodified: "2024-08-15T21:18:33Z"
-    mac: ENC[AES256_GCM,data:pCWTkmCQgBOqhejK2sCLQ3H8bRXmXlToQxYmOG0IWDo2eGiZOLuIkZ1/1grYgfxAGiD4ysJod0nJuvo+eAsMeYAy6QJVtrOqO2d9V2NEdzLckXyYvwyJyZoFbNC5EW9471V0m4jLRSh5821ckNo/wtWFR11wfO15tI3MqtD1rtA=,iv:QDnckPl0LegaH0b7V4WAtmVXaL4LN+k3uKHQI2dkW7E=,tag:mScUQBR0ZHl1pi/YztrvFg==,type:str]
+    mac: ENC[AES256_GCM,data:uR5HgeDAYqoqB9kk1V6p0T30+v6WpQJi4+qIeCDRnoUPnQKUVR10hvBhICck+E+Uh8p+tGhM6Uf3YrAJAV0ZCUiNJjtwDJQQLUDT53vdOAXN4xADCQqNuhgVwVMaruoTheEiwOswRuhFeEwy0gBj3Ze2pu47lueHYclmEzumLeQ=,iv:t0UyXN2YaR2m7M/pV2wTLJG5wVfqTIUs7wSQMmyeTVw=,tag:O7dIffzrDAXz3kGx5uazhw==,type:str]
     pgp:
         - created_at: "2024-08-04T00:03:40Z"
           enc: |-
@@ -86,4 +87,4 @@ sops:
             -----END PGP MESSAGE-----
           fp: F7D37890228A907440E1FD4846B9228E814A2AAC
     unencrypted_suffix: _unencrypted
-    version: 3.7.3
+    version: 3.9.0

shell.nix

@@ -1,9 +1,14 @@
 { pkgs ? import <nixpkgs> {} }:
 pkgs.mkShellNoCC {
   packages = with pkgs; [
+    just
+    jq
+    gum
     sops
     gnupg
+    statix
     openstackclient
+    editorconfig-checker
   ];
 
   shellHook = ''

statix.toml

@@ -0,0 +1,24 @@
+ignore = [".direnv"]
+nix_version = '2.18' # '2.4'
+disabled = [
+    # "bool_comparison", # W01
+    # "empty_let_in", # W02
+    "manual_inherit", # W03
+    "manual_inherit_from", # W04
+    # "legacy_let_syntax", # W05
+    "collapsible_let_in", # W06
+    # "eta_reduction", # W07
+    # "useless_parens", # W08
+    "empty_pattern", # W10
+    # "redundant_pattern_bind", # W11
+    # "unquoted_uri", # W12
+    # "deprecated_is_null", # W13
+    # "empty_inherit", # W14
+    # "faster_groupby", # W15
+    # "faster_zipattrswith", # W16
+    # "deprecated_to_path", # W17
+    # "bool_simplification", # W18
+    # "useless_has_attr", # W19
+    "repeated_keys", # W20
+    "empty_list_concat", # W23
+]