temmie: mount nfs shares from microbel

Reviewed-on: #117
Reviewed-by: Felix Albrigtsen <felixalb@pvv.ntnu.no>
Reviewed-by: Oystein Kristoffer Tveit <oysteikt@pvv.ntnu.no>

.sops.yaml

@@ -124,3 +124,14 @@ creation_rules:
       - *user_pederbs_bjarte
       pgp:
       - *user_oysteikt
+
+  - path_regex: secrets/skrott/[^/]+\.yaml$
+    key_groups:
+    - age:
+      - *user_danio
+      - *user_felixalb
+      - *user_pederbs_sopp
+      - *user_pederbs_nord
+      - *user_pederbs_bjarte
+      pgp:
+      - *user_oysteikt

README.md

@@ -4,7 +4,33 @@ This repository contains the NixOS configurations for Programvareverkstedet's se
 In addition to machine configurations, it also contains a bunch of shared modules, packages, and
 more.
 
-## Machines
+> [!WARNING]
+> Please read [Development - working on the PVV machines](./docs/development.md) before making
+> any changes, and [Secret management and `sops-nix`](./docs/secret-management.md) before adding
+> any credentials such as passwords, API tokens, etc. to the configuration.
+
+## Deploying to machines
+
+> [!WARNING]
+> Be careful to think about state when testing changes against the machines. Sometimes, a certain change
+> can lead to irreversible changes to the data stored on the machine. An example would be a set of database
+> migrations applied when testing a newer version of a service. Unless that service also comes with downwards
+> migrations, you can not go back to the previous version without losing data.
+
+To deploy the changes to a machine, you should first SSH into the machine, and clone the pvv-nixos-config
+repository unless you have already done so. After that, checkout the branch you want to deploy from, and rebuild:
+
+```bash
+# Run this while in the pvv-nixos-config directory
+sudo nixos-rebuild switch --update-input nixpkgs --update-input nixpkgs-unstable --no-write-lock-file --refresh --flake .# --upgrade
+```
+
+This will rebuild the NixOS system on the current branch and switch the system configuration to reflect the new changes.
+
+Note that unless you eventually merge the current changes into `main`, the machine will rebuild itself automatically and
+revert the changes on the next nightly rebuild (tends to happen when everybody is asleep).
+
+## Machine overview
 
 | Name                       | Type     | Description                                               |
 |----------------------------|----------|-----------------------------------------------------------|

base/services/auto-upgrade.nix

@@ -9,6 +9,8 @@ in
     enable = true;
     flake = "git+https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git";
     flags = [
+      "-L"
+
       "--refresh"
       "--no-write-lock-file"
       # --update-input is deprecated since nix 2.22, and removed in lix 2.90

docs/development.md

@@ -156,27 +156,6 @@ nix build .#
 > built some of the machines recently. Be prepared to wait for up to an hour to build all machines from scratch
 > if this is the first time.
 
-### Deploying to machines
-
-> [!WARNING]
-> Be careful to think about state when testing changes against the machines. Sometimes, a certain change
-> can lead to irreversible changes to the data stored on the machine. An example would be a set of database
-> migrations applied when testing a newer version of a service. Unless that service also comes with downwards
-> migrations, you can not go back to the previous version without losing data.
-
-To deploy the changes to a machine, you should first SSH into the machine, and clone the pvv-nixos-config
-repository unless you have already done so. After that, checkout the branch you want to deploy from, and rebuild:
-
-```bash
-# Run this while in the pvv-nixos-config directory
-sudo nixos-rebuild switch --update-input nixpkgs --update-input nixpkgs-unstable --no-write-lock-file --refresh --flake .# --upgrade
-```
-
-This will rebuild the NixOS system on the current branch and switch the system configuration to reflect the new changes.
-
-Note that unless you eventually merge the current changes into `main`, the machine will rebuild itself automatically and
-revert the changes on the next nightly rebuild (tends to happen when everybody is asleep).
-
 ### Forcefully reset to `main`
 
 If you ever want to reset a machine to the `main` branch, you can do so by running:

flake.lock

@@ -387,11 +387,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1767906725,
-        "narHash": "sha256-AZpNzcnbl855mqemSrWbYl2mEgngC2lmiI6yiszEgQw=",
+        "lastModified": 1768301954,
+        "narHash": "sha256-qRmrsx0k6Hc0BLM0I/f3YnTg19Sofjk2l1Kp/0Xfhc8=",
         "ref": "main",
-        "rev": "65118b6abebd339e071c38f00a23b92dbbb72b38",
-        "revCount": 537,
+        "rev": "c997ad4b47993dfd2368c3bbd07a0f71d55e3f5a",
+        "revCount": 569,
         "type": "git",
         "url": "https://git.pvv.ntnu.no/Projects/nettsiden.git"
       },

flake.nix

@@ -173,6 +173,7 @@
       #ildkule-unstable = unstableNixosConfig "ildkule" { };
       shark = stableNixosConfig "shark" { };
       wenche = stableNixosConfig "wenche" { };
+      temmie = stableNixosConfig "temmie" { };
 
       kommode = stableNixosConfig "kommode" {
         overlays = [

hosts/bekkalokk/services/bluemap.nix

@@ -21,6 +21,7 @@ in {
       inherit (inputs.minecraft-kartverket.packages.${pkgs.stdenv.hostPlatform.system}) bluemap-export;
     in {
       "verden" = {
+        extraHoconMarkersFile = "${bluemap-export}/overworld.hocon";
         settings = {
           world = vanillaSurvival;
           dimension = "minecraft:overworld";
@@ -32,12 +33,10 @@ in {
           };
           ambient-light = 0.1;
           cave-detection-ocean-floor = -5;
-          marker-sets = {
-            _includes = [ (format.lib.mkInclude "${bluemap-export}/overworld.hocon") ];
-          };
         };
       };
       "underverden" = {
+        extraHoconMarkersFile = "${bluemap-export}/nether.hocon";
         settings = {
           world = vanillaSurvival;
           dimension = "minecraft:the_nether";
@@ -57,12 +56,10 @@ in {
           render-mask = [{
             max-y = 90;
           }];
-          marker-sets = {
-            _includes = [ (format.lib.mkInclude "${bluemap-export}/nether.hocon") ];
-          };
         };
       };
       "enden" = {
+        extraHoconMarkersFile = "${bluemap-export}/the-end.hocon";
         settings = {
           world = vanillaSurvival;
           dimension = "minecraft:the_end";
@@ -78,9 +75,6 @@ in {
           ambient-light = 0.6;
           remove-caves-below-y = -10000;
           cave-detection-ocean-floor = -5;
-          marker-sets = {
-            _includes = [ (format.lib.mkInclude "${bluemap-export}/the-end.hocon") ];
-          };
         };
       };
     };

hosts/kommode/services/gitea/customization/labels/projects.json

@@ -35,6 +35,12 @@
     "color": "#ed1111",
     "description": "Report an oopsie"
   },
+  {
+    "name": "developer experience",
+    "exclusive": false,
+    "color": "#eb6420",
+    "description": "Think about the developers"
+  },
   {
     "name": "disputed",
     "exclusive": false,

hosts/skrott/configuration.nix

@@ -1,4 +1,4 @@
-{ pkgs, lib, fp, ... }: {
+{ config, pkgs, lib, fp, ... }: {
   imports = [
     # ./hardware-configuration.nix
 
@@ -23,10 +23,17 @@
 
   system.stateVersion = "25.05";
 
-  # sops.defaultSopsFile = fp /secrets/skrott/skrott.yaml;
-  # sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
-  # sops.age.keyFile = "/var/lib/sops-nix/key.txt";
-  # sops.age.generateKey = true;
+  sops.defaultSopsFile = fp /secrets/skrott/skrott.yaml;
+  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+  sops.age.keyFile = "/var/lib/sops-nix/key.txt";
+  sops.age.generateKey = true;
+
+  sops.secrets = {
+    "dibbler/postgresql/url" = {
+      owner = "dibbler";
+      group = "dibbler";
+    };
+  };
 
   # zramSwap.enable = true;
 
@@ -46,6 +53,11 @@
     kioskMode = true;
     limitScreenWidth = 80;
     limitScreenHeight = 42;
+
+    settings = {
+      general.quit_allowed = false;
+      database.url = config.sops.secrets."dibbler/postgresql/url".path;
+    };
   };
 
   # https://github.com/NixOS/nixpkgs/issues/84105

hosts/temmie/configuration.nix

@@ -0,0 +1,39 @@
+{ config, fp, pkgs, values, ... }:
+{
+  imports = [
+      # Include the results of the hardware scan.
+      ./hardware-configuration.nix
+      (fp /base)
+
+      ./services/nfs-mounts.nix
+    ];
+
+  # sops.defaultSopsFile = fp /secrets/shark/shark.yaml;
+  # sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+  # sops.age.keyFile = "/var/lib/sops-nix/key.txt";
+  # sops.age.generateKey = true;
+
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+
+  networking.hostName = "temmie"; # Define your hostname.
+
+  systemd.network.networks."30-ens18" = values.defaultNetworkConfig // {
+    matchConfig.Name = "ens18";
+    address = with values.hosts.temmie; [ (ipv4 + "/25") (ipv6 + "/64") ];
+  };
+
+  # List packages installed in system profile
+  environment.systemPackages = with pkgs; [
+  ];
+
+  # List services that you want to enable:
+
+  # This value determines the NixOS release from which the default
+  # settings for stateful data, like file locations and database versions
+  # on your system were taken. It‘s perfectly fine and recommended to leave
+  # this value at the release version of the first install of this system.
+  # Before changing this value read the documentation for this option
+  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+  system.stateVersion = "25.11"; # Did you read the comment?
+}

hosts/temmie/hardware-configuration.nix

@@ -0,0 +1,30 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/profiles/qemu-guest.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/c3aed415-0054-4ac5-8d29-75a99cc26451";
+      fsType = "btrfs";
+    };
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/A367-83FD";
+      fsType = "vfat";
+      options = [ "fmask=0022" "dmask=0022" ];
+    };
+
+  swapDevices = [ ];
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}

hosts/temmie/services/nfs-mounts.nix

@@ -0,0 +1,21 @@
+{ pkgs, lib, ... }:
+{
+  fileSystems = let
+    # See microbel:/etc/exports
+    shorthandAreas = lib.listToAttrs (map
+      (l: lib.nameValuePair "/run/pvv-home-mounts/${l}" "homepvv${l}.pvv.ntnu.no:/export/home/pvv/${l}")
+      [ "a" "b" "c" "d"  "h" "i" "j" "k" "l" "m" "z" ]);
+  in { }
+  //
+  (lib.mapAttrs (_: device: {
+    inherit device;
+    fsType = "nfs";
+    options = [
+      "nfsvers=3"
+      "noauto"
+      "proto=tcp"
+      "x-systemd.automount"
+      "x-systemd.idle-timeout=300"
+    ];
+  }) shorthandAreas);
+}

modules/bluemap.nix

@@ -13,11 +13,32 @@ let
         (format.generate "${name}.conf" value))
       cfg.storage);
 
-  mapsFolder = pkgs.linkFarm "maps"
-    (lib.attrsets.mapAttrs' (name: value:
-      lib.nameValuePair "${name}.conf"
-        (format.generate "${name}.conf" value.settings))
-      cfg.maps);
+  generateMapConfigWithMarkerData = name: { extraHoconMarkersFile, settings, ... }:
+    assert (extraHoconMarkersFile == null) != ((settings.marker-sets or { }) == { });
+    lib.pipe settings (
+      (lib.optionals (extraHoconMarkersFile != null) [
+        (settings: lib.recursiveUpdate settings {
+          marker-placeholder = "###ASDF###";
+        })
+      ]) ++ [
+        (format.generate "${name}.conf")
+      ] ++ (lib.optionals (extraHoconMarkersFile != null) [
+        (hoconFile: pkgs.runCommand "${name}-patched.conf" { } ''
+          mkdir -p "$(dirname "$out")"
+          cp '${hoconFile}' "$out"
+          substituteInPlace "$out" \
+            --replace-fail '"marker-placeholder" = "###ASDF###"' "\"marker-sets\" = $(cat '${extraHoconMarkersFile}')"
+        '')
+      ])
+    );
+
+  mapsFolder = lib.pipe cfg.maps [
+    (lib.attrsets.mapAttrs' (name: value: {
+      name = "${name}.conf";
+      value = generateMapConfigWithMarkerData name value;
+    }))
+    (pkgs.linkFarm "maps")
+  ];
 
   webappConfigFolder = pkgs.linkFarm "bluemap-config" {
     "maps" = mapsFolder;
@@ -30,7 +51,7 @@ let
 
   renderConfigFolder = name: value: pkgs.linkFarm "bluemap-${name}-config" {
     "maps" = pkgs.linkFarm "maps" {
-      "${name}.conf" = (format.generate "${name}.conf" value.settings);
+      "${name}.conf" = generateMapConfigWithMarkerData name value;
     };
     "storages" = storageFolder;
     "core.conf" = coreConfig;
@@ -160,6 +181,18 @@ in {
             defaultText = lib.literalExpression "config.services.bluemap.packs";
             description = "A set of resourcepacks, datapacks, and mods to extract resources from, loaded in alphabetical order.";
           };
+
+          extraHoconMarkersFile = mkOption {
+            type = lib.types.nullOr lib.types.path;
+            default = null;
+            description = ''
+              Path to a hocon file containing marker data.
+              The content of this file will be injected into the map config file in a separate derivation.
+
+              DO NOT SEND THIS TO NIXPKGS, IT'S AN UGLY HACK.
+            '';
+          };
+
           settings = mkOption {
             type = (lib.types.submodule {
               freeformType = format.type;

secrets/skrott/skrott.yaml

@@ -0,0 +1,75 @@
+dibbler:
+    postgresql:
+        url: ENC[AES256_GCM,data:rHmeviBKp5b33gZ+nRweJ9YSobG4OSOxypMcyGb3/Za5DyVjydEgWBkcugrLuy1fUYIu1UV93JizCRLqOOsNkg7ON2AGhw==,iv:mWgLeAmnVaRNuKI4jIKRtW5ZPjnt2tGqjfDbZkuAIXk=,tag:iHSkFcMmTWEFlIH7lVmN1Q==,type:str]
+sops:
+    age:
+        - recipient: age1ug30gg4y7ftuya0wdv7q0vh4egn00wlv2th7mt7cgc2ze46wmvyq9lq6ge
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0aGQwRlJxN2w0Kzh6OFhC
+            RXFFN1g2RXlmbVpCYTF1Ulg3bHlkSmlZTERBCndWbmNibUZUSjh5MkdwNGQyeDdz
+            dDRVZTliQy80aGxUYWFaQnFqMEEzbkkKLS0tIGVURnFUd0dtVlMvN1lDVUIvaGJy
+            QmZDdk9JOTdDeXg1NUJIcllIdXk5ZHMKFROfzKzo9y1e6siuWsU5q4WiIUhkQTDi
+            05fhUbrS8/OZQfG+KncuF1n3bWQis/USqwW1vEsTDkn6RlU9nGP9hQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1mrnldl334l2nszuta6ywvewng0fswv2dz9l5g4qcwe3nj4yxf92qjskdx6
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3QmVRSVMwdkQzT2dJTUlu
+            NDIvUHJvaWNwKzBZaE0wVEVnQml5NHU1Y0Z3CkdhbVpFSG1Oc3lERlVpMDArRnhP
+            SFp0dGtSbVBUcnZpQkd5cGVUWXhXQlEKLS0tIDVBckwvUGtBVGc5RVJjN1F4cDJ2
+            a1NiREtXMG9kcXFMeFNnMk0rQ2c5Z2MKKWK3+P9QshvgP2TCa2H5SFE+ZesaUZ9M
+            qBhPT6t44/dr7foowgVGyEVvnuaUu4GHnSKyYiwZ+bjp6E3Wm2fMRA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1hmpdk4h69wxpwqk9tkud39f66hprhehxtzhgw97r6dvr7v0mx5jscsuhkn
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRTkdCQ1dtQWJtWEJsU2ZU
+            bzdpTzZnUUlrbmU3eDNvRlJ4bEk3RmF4cTJRCkNZTEdTWHVHUUU3eEpJNEJFRXM1
+            Si9RZjNVQUpNaVU1Y1owTU1zakpvRzQKLS0tIENSUTFDNktpeWR3VCtpY1pFdXQy
+            aWE0UkRBL29wMTh0RGZUUjdNdDloQlUK9+3fPifkgB3jsqaZrWvp5GoogwOiGuMQ
+            VA8JNJ9Nlph7pom0oxu6wc50WLbUdyOerz37TowXwys9+Lu/XJVGRw==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1wrssr4z4g6vl3fd3qme5cewchmmhm0j2xe6wf2meu4r6ycn37anse98mfs
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTb2xWOWY4V3Mxd1Z5bklT
+            RXI1bjNtZ3hORkpOOUpFSXUrQ0lpODhsWHlFCmhteWJWam5mU2Nhc2tlTURRbC9i
+            OE1SUE5iczkvdWRTdDRKd2NVNGhHS1kKLS0tIFZWYXA4TnF0dHc4K1FlYW9Cemta
+            a0lzbUNKMzVrcmgwQWIyUWo2VExMYWcKAOwJ8tA9L/jQ1lCPaUMNNJaYz14tLbMH
+            4c+lYZJX3PKjfkc5UnteWNsaXTF/vXoALDnaPBRwBFWFfCVsX5XYnQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1zhxul786an743u0fascv4wtc5xduu7qfy803lfs539yzhgmlq5ds2lznt5
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKZGpMbC9yVTdObFEyZ1pH
+            a0ZOMXhDVGdFNUNOMmJldjZKTElzdHI2bmljCnJtcEUyY1hDUnczZkFSNGErbEtE
+            Y1lyZnFOVTVIL1FKczJ4dUIwdjg2T0kKLS0tIEpSZmN3YUJDUjB1ZnNtT2hCb3c2
+            ZE5tMXJOYlFMOVNJU3FEZFB4TlZ1U00KHnunzKMy91oc92ptcaKCE1sfkhFGvf0S
+            vRX/nyQnBGqD3X3yfvkt+aQnoLxcjoanpJVM9VeigyPu1mRg0OOxXg==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2026-01-11T17:28:43Z"
+    mac: ENC[AES256_GCM,data:l43vquKg33LndSXOm0hsPcalQRXjqbb30QvptXuBsmQrcEVVh20Aqp92l+rwgv60P03ZtK4SKxm/udVVoqViFTwCLYtCC5GEn4OqbD94LQKzl+XLe7yLWwv2WF8ueu170YpZ97uFxUrhOoaOaKUgnAV+4CocixG5hfadpqA3yYE=,iv:a6RRILzz4gDUuiSZPVoqjlIMu4NZG+D5Q+brusfh9PU=,tag:Y8nKbnctjka44eH15x8oCA==,type:str]
+    pgp:
+        - created_at: "2026-01-11T17:12:49Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA0av/duuklWYAQ/9EOJGjNnLgEPo+/pP/4TVt8ECLRRbxsjwpnxuRf2QcmtF
+            p+ZnX+X5mBVdriuTUTFyUvPXBPwG2byrc7w/+zZBvYGWdSZgi+ACBRiAzvXMUYUq
+            ZCY6z4v4dkvbbVW2QE1JmzfZFVC4Vdwup6q+OXtXvQe6n2/GgIHRfyMnG3dynldt
+            1cmEY8ujuZzv+St5tInaGod5pZ4i2/RDvQSk7JHtb9LqsyyIKdxYa1Sc8U7WN9qx
+            Ucwo56HZ9tlAvA4nEqYIaZFGM4XDXO3BV6ltsa57dMXJSzYjG8qYB7Z4CCTmn6HL
+            h7A4NK8yj7El5q9EScbSzJQ8LNMYAPhLMhvOGYio/k2Jnn3woioozCdUEvg4aoAT
+            Y+UVyl/O5MrM6ZcgWVQ7gbhYvAHSyiyr5hlEfzjtxwiETkIXFPiWtOpyq1GIYa7w
+            k93OvrFbbTevzY2ea4gQh4pmzGDfXEqtBm9DjQwUmiTM877bR/sY4b0HV/CA3Txh
+            Xz22dLp8pfvAtBtHuEARJeQ8DeFslICuZZSiDscNe63dqxg9tWmwFqWecOGb5DXG
+            xEbLTyO0YBESsk3jt7JCtx8Dfnb9fVOqCiQN2Ywd1TkSMnM1H627MpaZJNKEXQPT
+            +gWa7QqthW84Vc42wuAYmLAw+1Ob/BgPojogV8XUIr2johzp1tY2jdsDJko84PPS
+            XgEprHVVj49JHRR5ixjJwoO4WbYsN4Tqej7I2Ns00tCzHAKPFQvFlHNLt1CrM88X
+            0HRLTEn7z1F5r54inNP0DIvDJlTSqJdJDA5k0HChQA7by2le+ERpvI4CmTkNyvk=
+            =c+Rd
+            -----END PGP MESSAGE-----
+          fp: F7D37890228A907440E1FD4846B9228E814A2AAC
+    unencrypted_suffix: _unencrypted
+    version: 3.11.0

values.nix

@@ -73,6 +73,10 @@ in rec {
       ipv4 = pvv-ipv4 234;
       ipv6 = pvv-ipv6 234;
     };
+    temmie = {
+      ipv4 = pvv-ipv4 167;
+      ipv6 = pvv-ipv6 167;
+    };
     wenche = {
       ipv4 = pvv-ipv4 240;
       ipv6 = pvv-ipv6 240;