flake: Make openstack-image EFI

Reviewed-on: #78
Reviewed-by: Oystein Kristoffer Tveit <oysteikt@pvv.ntnu.no>

README.MD

@@ -26,10 +26,14 @@ Det er sikkert lurt å lage en PR først om du ikke er vandt til nix enda.
 Innen 24h skal alle systemene hente ned den nye konfigurasjonen og deploye den.
 
 Du kan tvinge en maskin til å oppdatere seg før dette ved å kjøre:
-`nixos-rebuild switch --update-input nixpkgs --update-input nixpkgs-unstable --no-write-lock-file --refresh --flake git+https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git --upgrade`
+`nixos-rebuild switch --update-input nixpkgs --update-input nixpkgs-unstable --no-write-lock-file --refresh --upgrade --flake git+https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git`
 
 som root på maskinen.
 
+Hvis du ikke har lyst til å oppdatere alle pakkene (og kanskje måtte vente en stund!) kan du kjøre
+
+`nixos-rebuild switch --override-input nixpkgs nixpkgs --override-input nixpkgs-unstable nixpkgs-unstable --flake git+https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git`
+
 ## Seksjonen for hemmeligheter
 
 For at hemmeligheter ikke skal deles med hele verden i git - eller å være world

base.nix

@@ -1,200 +0,0 @@
-{ config, lib, pkgs, inputs, values, ... }:
-
-{
-  imports = [
-    ./users
-    ./modules/snakeoil-certs.nix
-  ];
-
-  networking.domain = "pvv.ntnu.no";
-  networking.useDHCP = false;
-  # networking.search = [ "pvv.ntnu.no" "pvv.org" ];
-  # networking.nameservers = lib.mkDefault [ "129.241.0.200" "129.241.0.201" ];
-  # networking.tempAddresses = lib.mkDefault "disabled";
-  # networking.defaultGateway = values.hosts.gateway;
-
-  systemd.network.enable = true;
-
-  services.resolved = {
-    enable = lib.mkDefault true;
-    dnssec = "false"; # Supposdly this keeps breaking and the default is to allow downgrades anyways...
-  };
-
-  time.timeZone = "Europe/Oslo";
-
-  i18n.defaultLocale = "en_US.UTF-8";
-  console = {
-    font = "Lat2-Terminus16";
-    keyMap = "no";
-  };
-
-  system.autoUpgrade = {
-    enable = true;
-    flake = "git+https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git";
-    flags = [
-      "--update-input" "nixpkgs"
-      "--update-input" "nixpkgs-unstable"
-      "--no-write-lock-file"
-    ];
-  };
-  nix.gc.automatic = true;
-  nix.gc.options = "--delete-older-than 2d";
-
-  nix.settings.experimental-features = [ "nix-command" "flakes" ];
-
-  /* This makes commandline tools like
-  ** nix run nixpkgs#hello
-  ** and nix-shell -p hello
-  ** use the same channel the system
-  ** was built with
-  */
-  nix.registry = {
-    nixpkgs.flake = inputs.nixpkgs;
-  };
-  nix.nixPath = [ "nixpkgs=${inputs.nixpkgs}" ];
-
-  environment.systemPackages = with pkgs; [
-    file
-    git
-    gnupg
-    htop
-    nano
-    ripgrep
-    rsync
-    screen
-    tmux
-    vim
-    wget
-
-    kitty.terminfo
-  ];
-
-  programs.zsh.enable = true;
-
-  users.groups."drift".name = "drift";
-
-  # Trusted users on the nix builder machines
-  users.groups."nix-builder-users".name = "nix-builder-users";
-
-  # Let's not thermal throttle
-  services.thermald.enable = lib.mkIf (lib.all (x: x) [
-      (config.nixpkgs.system == "x86_64-linux")
-      (!config.boot.isContainer or false)
-    ]) true;
-
-  services.openssh = {
-    enable = true;
-    extraConfig = ''
-      PubkeyAcceptedAlgorithms=+ssh-rsa
-      Match Group wheel
-        PasswordAuthentication no
-      Match All
-    '';
-    settings.PermitRootLogin = "yes";
-  };
-
-  # nginx return 444 for all nonexistent virtualhosts
-
-  systemd.services.nginx.after = [ "generate-snakeoil-certs.service" ];
-
-  environment.snakeoil-certs = lib.mkIf config.services.nginx.enable {
-    "/etc/certs/nginx" = {
-      owner = "nginx";
-      group = "nginx";
-    };
-  };
-
-  services.nginx = {
-    recommendedTlsSettings = true;
-    recommendedProxySettings = true;
-    recommendedOptimisation = true;
-    recommendedGzipSettings = true;
-
-    appendConfig = ''
-      pcre_jit on;
-      worker_processes auto;
-      worker_rlimit_nofile 100000;
-    '';
-    eventsConfig = ''
-      worker_connections 2048;
-      use epoll;
-      multi_accept on;
-    '';
-  };
-
-  systemd.services.nginx.serviceConfig = lib.mkIf config.services.nginx.enable {
-    LimitNOFILE = 65536;
-  };
-
-  services.nginx.virtualHosts."_" = lib.mkIf config.services.nginx.enable {
-    sslCertificate = "/etc/certs/nginx.crt";
-    sslCertificateKey = "/etc/certs/nginx.key";
-    addSSL = true;
-    extraConfig = "return 444;";
-  };
-
-  # source: https://github.com/logrotate/logrotate/blob/main/examples/logrotate.service
-  systemd.services.logrotate = {
-    documentation = [ "man:logrotate(8)" "man:logrotate.conf(5)" ];
-    unitConfig.RequiresMountsFor = "/var/log";
-    serviceConfig = {
-      Nice = 19;
-      IOSchedulingClass = "best-effort";
-      IOSchedulingPriority = 7;
-
-      ReadWritePaths = [ "/var/log" ];
-
-      AmbientCapabilities = [ "" ];
-      CapabilityBoundingSet = [ "" ];
-      DeviceAllow = [ "" ];
-      LockPersonality = true;
-      MemoryDenyWriteExecute = true;
-      NoNewPrivileges = true; # disable for third party rotate scripts
-      PrivateDevices = true;
-      PrivateNetwork = true; # disable for mail delivery
-      PrivateTmp = true;
-      ProtectClock = true;
-      ProtectControlGroups = true;
-      ProtectHome = true; # disable for userdir logs
-      ProtectHostname = true;
-      ProtectKernelLogs = true;
-      ProtectKernelModules = true;
-      ProtectKernelTunables = true;
-      ProtectProc = "invisible";
-      ProtectSystem = "full";
-      RestrictNamespaces = true;
-      RestrictRealtime = true;
-      RestrictSUIDSGID = true; # disable for creating setgid directories
-      SocketBindDeny = [ "any" ];
-      SystemCallArchitectures = "native";
-      SystemCallFilter = [
-        "@system-service"
-      ];
-    };
-  };
-
-  services.journald.upload = {
-    enable =  values.services.logcollector.ipv4;
-    settings.Upload = {
-      URL = "https://logcollector.pvv.ntnu.no:19532";
-      ServerKeyFile = "-";
-      ServerCertificateFile = "-";
-      TrustedCertificateFile = "-";
-    };
-  };
-
-  networking.firewall.allowedTCPPorts = lib.mkIf config.services.nginx.enable [ 80 443 ];
-
-  security.acme = {
-    acceptTerms = true;
-    defaults.email = "drift@pvv.ntnu.no";
-  };
-  # Let's not spam LetsEncrypt in `nixos-rebuild build-vm` mode:
-  virtualisation.vmVariant = {
-    security.acme.defaults.server = "https://127.0.0.1";
-    security.acme.preliminarySelfsigned = true;
-
-    users.users.root.initialPassword = "root";
-  };
-
-}

base/default.nix

@@ -0,0 +1,60 @@
+{ pkgs, lib, ... }:
+
+{
+  imports = [
+    ../users
+    ../modules/snakeoil-certs.nix
+
+    ./networking.nix
+    ./nix.nix
+
+    ./services/acme.nix
+    ./services/auto-upgrade.nix
+    ./services/irqbalance.nix
+    ./services/logrotate.nix
+    ./services/nginx.nix
+    ./services/openssh.nix
+    ./services/postfix.nix
+    ./services/smartd.nix
+    ./services/thermald.nix
+  ];
+
+  boot.tmp.cleanOnBoot = lib.mkDefault true;
+
+  time.timeZone = "Europe/Oslo";
+
+  i18n.defaultLocale = "en_US.UTF-8";
+  console = {
+    font = "Lat2-Terminus16";
+    keyMap = "no";
+  };
+
+  environment.systemPackages = with pkgs; [
+    file
+    git
+    gnupg
+    htop
+    nano
+    ripgrep
+    rsync
+    screen
+    tmux
+    vim
+    wget
+
+    kitty.terminfo
+  ];
+
+  programs.zsh.enable = true;
+
+  security.sudo.execWheelOnly = true;
+  security.sudo.extraConfig = ''
+    Defaults lecture = never
+  '';
+
+  users.groups."drift".name = "drift";
+
+  # Trusted users on the nix builder machines
+  users.groups."nix-builder-users".name = "nix-builder-users";
+}
+

base/networking.nix

@@ -0,0 +1,16 @@
+{ lib, values, ... }:
+{
+  networking.domain = "pvv.ntnu.no";
+  networking.useDHCP = false;
+  # networking.search = [ "pvv.ntnu.no" "pvv.org" ];
+  # networking.nameservers = lib.mkDefault [ "129.241.0.200" "129.241.0.201" ];
+  # networking.tempAddresses = lib.mkDefault "disabled";
+  # networking.defaultGateway = values.hosts.gateway;
+
+  systemd.network.enable = true;
+
+  services.resolved = {
+    enable = lib.mkDefault true;
+    dnssec = "false"; # Supposdly this keeps breaking and the default is to allow downgrades anyways...
+  };
+}

base/nix.nix

@@ -0,0 +1,34 @@
+{ inputs, ... }:
+{
+  nix = {
+    gc = {
+      automatic = true;
+      options = "--delete-older-than 2d";
+    };
+
+    settings = {
+      allow-dirty = true;
+      auto-optimise-store = true;
+      builders-use-substitutes = true;
+      experimental-features = [ "nix-command" "flakes" ];
+      log-lines = 50;
+      use-xdg-base-directories = true;
+    };
+
+    /* This makes commandline tools like
+    ** nix run nixpkgs#hello
+    ** and nix-shell -p hello
+    ** use the same channel the system
+    ** was built with
+    */
+    registry = {
+      "nixpkgs".flake = inputs.nixpkgs;
+      "nixpkgs-unstable".flake = inputs.nixpkgs-unstable;
+      "pvv-nix".flake = inputs.self;
+    };
+    nixPath = [
+      "nixpkgs=${inputs.nixpkgs}"
+      "unstable=${inputs.nixpkgs-unstable}"
+    ];
+  };
+}

base/services/acme.nix

@@ -0,0 +1,15 @@
+{ ... }:
+{
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = "drift@pvv.ntnu.no";
+  };
+
+  # Let's not spam LetsEncrypt in `nixos-rebuild build-vm` mode:
+  virtualisation.vmVariant = {
+    security.acme.defaults.server = "https://127.0.0.1";
+    security.acme.preliminarySelfsigned = true;
+
+    users.users.root.initialPassword = "root";
+  };
+}

base/services/auto-upgrade.nix

@@ -0,0 +1,12 @@
+{ ... }:
+{
+  system.autoUpgrade = {
+    enable = true;
+    flake = "git+https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git";
+    flags = [
+      "--update-input" "nixpkgs"
+      "--update-input" "nixpkgs-unstable"
+      "--no-write-lock-file"
+    ];
+  };
+}

base/services/irqbalance.nix

@@ -0,0 +1,4 @@
+{ ... }:
+{
+  services.irqbalance.enable = true;
+}

base/services/logrotate.nix

@@ -0,0 +1,42 @@
+{ ... }:
+{
+  # source: https://github.com/logrotate/logrotate/blob/main/examples/logrotate.service
+  systemd.services.logrotate = {
+    documentation = [ "man:logrotate(8)" "man:logrotate.conf(5)" ];
+    unitConfig.RequiresMountsFor = "/var/log";
+    serviceConfig = {
+      Nice = 19;
+      IOSchedulingClass = "best-effort";
+      IOSchedulingPriority = 7;
+
+      ReadWritePaths = [ "/var/log" ];
+
+      AmbientCapabilities = [ "" ];
+      CapabilityBoundingSet = [ "" ];
+      DeviceAllow = [ "" ];
+      LockPersonality = true;
+      MemoryDenyWriteExecute = true;
+      NoNewPrivileges = true; # disable for third party rotate scripts
+      PrivateDevices = true;
+      PrivateNetwork = true; # disable for mail delivery
+      PrivateTmp = true;
+      ProtectClock = true;
+      ProtectControlGroups = true;
+      ProtectHome = true; # disable for userdir logs
+      ProtectHostname = true;
+      ProtectKernelLogs = true;
+      ProtectKernelModules = true;
+      ProtectKernelTunables = true;
+      ProtectProc = "invisible";
+      ProtectSystem = "full";
+      RestrictNamespaces = true;
+      RestrictRealtime = true;
+      RestrictSUIDSGID = true; # disable for creating setgid directories
+      SocketBindDeny = [ "any" ];
+      SystemCallArchitectures = "native";
+      SystemCallFilter = [
+        "@system-service"
+      ];
+    };
+  };
+}

base/services/nginx.nix

@@ -0,0 +1,44 @@
+{ config, lib, ... }:
+{
+  # nginx return 444 for all nonexistent virtualhosts
+
+  systemd.services.nginx.after = [ "generate-snakeoil-certs.service" ];
+
+  environment.snakeoil-certs = lib.mkIf config.services.nginx.enable {
+    "/etc/certs/nginx" = {
+      owner = "nginx";
+      group = "nginx";
+    };
+  };
+
+  networking.firewall.allowedTCPPorts = lib.mkIf config.services.nginx.enable [ 80 443 ];
+
+  services.nginx = {
+    recommendedTlsSettings = true;
+    recommendedProxySettings = true;
+    recommendedOptimisation = true;
+    recommendedGzipSettings = true;
+
+    appendConfig = ''
+      pcre_jit on;
+      worker_processes auto;
+      worker_rlimit_nofile 100000;
+    '';
+    eventsConfig = ''
+      worker_connections 2048;
+      use epoll;
+      multi_accept on;
+    '';
+  };
+
+  systemd.services.nginx.serviceConfig = lib.mkIf config.services.nginx.enable {
+    LimitNOFILE = 65536;
+  };
+
+  services.nginx.virtualHosts."_" = lib.mkIf config.services.nginx.enable {
+    sslCertificate = "/etc/certs/nginx.crt";
+    sslCertificateKey = "/etc/certs/nginx.key";
+    addSSL = true;
+    extraConfig = "return 444;";
+  };
+}

base/services/openssh.nix

@@ -0,0 +1,14 @@
+{ ... }:
+{
+  services.openssh = {
+    enable = true;
+    startWhenNeeded = true;
+    extraConfig = ''
+      PubkeyAcceptedAlgorithms=+ssh-rsa
+      Match Group wheel
+        PasswordAuthentication no
+      Match All
+    '';
+    settings.PermitRootLogin = "yes";
+  };
+}

base/services/postfix.nix

@@ -0,0 +1,23 @@
+{ config, pkgs, lib, ... }:
+let
+  cfg = config.services.postfix;
+in
+{
+  services.postfix = {
+    enable = true;
+
+    hostname = "${config.networking.hostName}.pvv.ntnu.no";
+    domain = "pvv.ntnu.no";
+
+    relayHost = "smtp.pvv.ntnu.no";
+    relayPort = 465;
+
+    config = {
+      smtp_tls_wrappermode = "yes";
+      smtp_tls_security_level = "encrypt";
+    };
+
+    # Nothing should be delivered to this machine
+    destination = [ ];
+  };
+}

base/services/smartd.nix

@@ -0,0 +1,8 @@
+{ config, pkgs, lib, ... }:
+{
+  services.smartd.enable = lib.mkDefault true;
+
+  environment.systemPackages = lib.optionals config.services.smartd.enable (with pkgs; [
+    smartmontools
+  ]);
+}

base/services/thermald.nix

@@ -0,0 +1,8 @@
+{ config, lib, ... }:
+{
+  # Let's not thermal throttle
+  services.thermald.enable = lib.mkIf (lib.all (x: x) [
+      (config.nixpkgs.system == "x86_64-linux")
+      (!config.boot.isContainer or false)
+    ]) true;
+}

flake.lock

@@ -7,11 +7,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1715445235,
-        "narHash": "sha256-SUu+oIWn+xqQIOlwfwNfS9Sek4i1HKsrLJchsDReXwA=",
+        "lastModified": 1725242307,
+        "narHash": "sha256-a2iTMBngegEZvaNAzzxq5Gc5Vp3UWoGUqWtK11Txbic=",
         "owner": "nix-community",
         "repo": "disko",
-        "rev": "159d87ea5b95bbdea46f0288a33c5e1570272725",
+        "rev": "96073e6423623d4a8027e9739d2af86d6422ea7a",
         "type": "github"
       },
       "original": {
@@ -63,15 +63,15 @@
       "inputs": {
         "fix-python": "fix-python",
         "nixpkgs": [
-          "nixpkgs-unstable"
+          "nixpkgs"
         ]
       },
       "locked": {
-        "lastModified": 1715364232,
-        "narHash": "sha256-ZJC3SkanEgbV7p+LFhP+85CviRWOXJNHzZwR/Stb7hE=",
+        "lastModified": 1716065905,
+        "narHash": "sha256-08uhxBzfakfhl/ooc+gMzDupWKYvTeyQZwuvB1SBS7A=",
         "owner": "Programvareverkstedet",
         "repo": "grzegorz",
-        "rev": "3841cda1cdcac470440b06838d56a2eb2256378c",
+        "rev": "0481aef6553ae9aee86e4edb4ca0ed4f2eba2058",
         "type": "github"
       },
       "original": {
@@ -87,11 +87,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1715384651,
-        "narHash": "sha256-7RhckgUTjqeCjWkhiCc1iB+5CBx9fl80d/3O4Jh+5kM=",
+        "lastModified": 1716115695,
+        "narHash": "sha256-aI65l4x+U5v3i/nfn6N3eW5IZodmf4pyAByE7vTJh8I=",
         "owner": "Programvareverkstedet",
         "repo": "grzegorz-clients",
-        "rev": "738a4f3dd887f7c3612e4e772b83cbfa3cde5693",
+        "rev": "b9444658fbb39cd1bf1c61ee5a1d5f0641c49abe",
         "type": "github"
       },
       "original": {
@@ -121,6 +121,21 @@
         "type": "github"
       }
     },
+    "minecraft-data": {
+      "locked": {
+        "lastModified": 1725277886,
+        "narHash": "sha256-Fw4VbbE3EfypQWSgPDFfvVH47BHeg3ptsO715NlUM8Q=",
+        "ref": "refs/heads/master",
+        "rev": "1b4087bd3322a2e2ba84271c8fcc013e6b641a58",
+        "revCount": 2,
+        "type": "git",
+        "url": "https://git.pvv.ntnu.no/Drift/minecraft-data.git"
+      },
+      "original": {
+        "type": "git",
+        "url": "https://git.pvv.ntnu.no/Drift/minecraft-data.git"
+      }
+    },
     "nix-gitea-themes": {
       "inputs": {
         "nixpkgs": [
@@ -141,13 +156,49 @@
         "url": "https://git.pvv.ntnu.no/oysteikt/nix-gitea-themes.git"
       }
     },
+    "nixlib": {
+      "locked": {
+        "lastModified": 1725757153,
+        "narHash": "sha256-c1a6iLmCVPFI9EUVMrBN8xdmFxFXEjcVwiTSVmqajOs=",
+        "owner": "nix-community",
+        "repo": "nixpkgs.lib",
+        "rev": "68584f89dd0eb16fea5d80ae127f3f681f6a5df7",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "nixpkgs.lib",
+        "type": "github"
+      }
+    },
+    "nixos-generators": {
+      "inputs": {
+        "nixlib": "nixlib",
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1726102718,
+        "narHash": "sha256-u89QyfjtXryLHrO3Wre4kuWK5KDKiXe8lgRi6+cUOEw=",
+        "owner": "nix-community",
+        "repo": "nixos-generators",
+        "rev": "5ae384b83b91080f0fead6bc1add1cff8277cb3f",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "nixos-generators",
+        "type": "github"
+      }
+    },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1719520878,
-        "narHash": "sha256-5BXzNOl2RVHcfS/oxaZDKOi7gVuTyWPibQG0DHd5sSc=",
+        "lastModified": 1725198597,
+        "narHash": "sha256-w3sjCEbnc242ByJ18uebzgjFZY3QU7dZhmLwPsJIZJs=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "a44bedbb48c367f0476e6a3a27bf28f6330faf23",
+        "rev": "3524b030c839db4ea4ba16737789c6fb8a1769c6",
         "type": "github"
       },
       "original": {
@@ -158,27 +209,27 @@
     },
     "nixpkgs-stable": {
       "locked": {
-        "lastModified": 1714858427,
-        "narHash": "sha256-tCxeDP4C1pWe2rYY3IIhdA40Ujz32Ufd4tcrHPSKx2M=",
+        "lastModified": 1721524707,
+        "narHash": "sha256-5NctRsoE54N86nWd0psae70YSLfrOek3Kv1e8KoXe/0=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "b980b91038fc4b09067ef97bbe5ad07eecca1e76",
+        "rev": "556533a23879fc7e5f98dd2e0b31a6911a213171",
         "type": "github"
       },
       "original": {
         "owner": "NixOS",
-        "ref": "release-23.11",
+        "ref": "release-24.05",
         "repo": "nixpkgs",
         "type": "github"
       }
     },
     "nixpkgs-unstable": {
       "locked": {
-        "lastModified": 1715435713,
-        "narHash": "sha256-lb2HqDQGfTdnCCpc1pgF6fkdgIOuBQ0nP8jjVSfLFqg=",
+        "lastModified": 1725183711,
+        "narHash": "sha256-gkjg8FfjL92azt3gzZUm1+v+U4y+wbQE630uIf4Aybo=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "52b40f6c4be12742b1504ca2eb4527e597bf2526",
+        "rev": "a2c345850e5e1d96c62e7fa8ca6c9d77ebad1c37",
         "type": "github"
       },
       "original": {
@@ -214,11 +265,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1722722932,
-        "narHash": "sha256-K81a2GQpY2kRX+C9ek9r91THlZB674CqRTSMMb5IO7E=",
+        "lastModified": 1725212759,
+        "narHash": "sha256-yZBsefIarFUEhFRj+rCGMp9Zvag3MCafqV/JfGVRVwc=",
         "ref": "refs/heads/master",
-        "rev": "6580cfe546c902cdf11e17b0b8aa30b3c412bb34",
-        "revCount": 465,
+        "rev": "e7b66b4bc6a89bab74bac45b87e9434f5165355f",
+        "revCount": 473,
         "type": "git",
         "url": "https://git.pvv.ntnu.no/Projects/nettsiden.git"
       },
@@ -233,7 +284,9 @@
         "grzegorz": "grzegorz",
         "grzegorz-clients": "grzegorz-clients",
         "matrix-next": "matrix-next",
+        "minecraft-data": "minecraft-data",
         "nix-gitea-themes": "nix-gitea-themes",
+        "nixos-generators": "nixos-generators",
         "nixpkgs": "nixpkgs",
         "nixpkgs-unstable": "nixpkgs-unstable",
         "pvv-calendar-bot": "pvv-calendar-bot",
@@ -249,11 +302,11 @@
         "nixpkgs-stable": "nixpkgs-stable"
       },
       "locked": {
-        "lastModified": 1715244550,
-        "narHash": "sha256-ffOZL3eaZz5Y1nQ9muC36wBCWwS1hSRLhUzlA9hV2oI=",
+        "lastModified": 1725201042,
+        "narHash": "sha256-lj5pxOwidP0W//E7IvyhbhXrnEUW99I07+QpERnzTS4=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "0dc50257c00ee3c65fef3a255f6564cfbfe6eb7f",
+        "rev": "5db5921e40ae382d6716dce591ea23b0a39d96f7",
         "type": "github"
       },
       "original": {

flake.nix

@@ -24,12 +24,17 @@
     nix-gitea-themes.inputs.nixpkgs.follows = "nixpkgs";
 
     grzegorz.url = "github:Programvareverkstedet/grzegorz";
-    grzegorz.inputs.nixpkgs.follows = "nixpkgs-unstable";
+    grzegorz.inputs.nixpkgs.follows = "nixpkgs";
     grzegorz-clients.url = "github:Programvareverkstedet/grzegorz-clients";
     grzegorz-clients.inputs.nixpkgs.follows = "nixpkgs";
+
+    minecraft-data.url = "git+https://git.pvv.ntnu.no/Drift/minecraft-data.git";
+
+    nixos-generators.url = "github:nix-community/nixos-generators";
+    nixos-generators.inputs.nixpkgs.follows = "nixpkgs";
   };
 
-  outputs = { self, nixpkgs, nixpkgs-unstable, sops-nix, disko, ... }@inputs:
+  outputs = { self, nixpkgs, nixpkgs-unstable, sops-nix, disko, nixos-generators, ... }@inputs:
   let
     nixlib = nixpkgs.lib;
     systems = [
@@ -92,6 +97,7 @@
             heimdal = unstablePkgs.heimdal;
             mediawiki-extensions = final.callPackage ./packages/mediawiki-extensions { };
             simplesamlphp = final.callPackage ./packages/simplesamlphp { };
+            bluemap = final.callPackage ./packages/bluemap.nix { };
           })
           inputs.nix-gitea-themes.overlays.default
           inputs.pvv-nettsiden.overlays.default
@@ -123,7 +129,6 @@
           inputs.grzegorz-clients.nixosModules.grzegorz-webui
         ];
       };
-      buskerud = stableNixosConfig "buskerud" { };
     };
 
     nixosModules = {
@@ -147,6 +152,40 @@
 
         simplesamlphp = pkgs.callPackage ./packages/simplesamlphp { };
 
+        openstack-image = nixos-generators.nixosGenerate {
+          system = "x86_64-linux";
+          format = "openstack";
+
+          modules = [
+            ({config, lib, pkgs, modulesPath, ... }: {
+              system.build.openstackImage = lib.mkForce (import "${modulesPath}/../lib/make-disk-image.nix" {
+                inherit config lib pkgs;
+                additionalSpace = "1024M";
+                copyChannel = true;
+                diskSize = "auto";
+                format = "raw";
+                partitionTableType = "efi";
+                configFile = pkgs.writeText "configuration.nix"
+                  ''
+                    {
+                      imports = [ <nixpkgs/nixos/modules/virtualisation/openstack-config.nix> ];
+                    }
+                  '';
+              });
+              boot.loader.grub = lib.mkForce {
+                device = "nodev";
+                efiSupport = true;
+                efiInstallAsRemovable = true;
+              };
+
+              fileSystems."/boot" = {
+                device = "/dev/disk/by-label/ESP";
+                fsType = "vfat";
+              };
+            })
+          ];
+        };
+
       } //
       (nixlib.pipe null [
         (_: pkgs.callPackage ./packages/mediawiki-extensions { })

hosts/bekkalokk/configuration.nix

@@ -3,9 +3,10 @@
   imports = [
     ./hardware-configuration.nix
 
-    ../../base.nix
+    ../../base
     ../../misc/metrics-exporters.nix
 
+    ./services/bluemap/default.nix
     ./services/gitea/default.nix
     ./services/idp-simplesamlphp
     ./services/kerberos
@@ -32,6 +33,8 @@
     address = with values.hosts.bekkalokk; [ (ipv4 + "/25") (ipv6 + "/64") ];
   };
 
+  services.btrfs.autoScrub.enable = true;
+
   # Do not change, even during upgrades.
   # See https://search.nixos.org/options?show=system.stateVersion
   system.stateVersion = "22.11";

hosts/bekkalokk/services/bluemap/default.nix

@@ -0,0 +1,83 @@
+{ config, lib, pkgs, inputs, ... }:
+let
+  vanillaSurvival = "/var/lib/bluemap/vanilla_survival_world";
+in {
+  imports = [
+    ./module.nix # From danio, pending upstreaming
+  ];
+
+  disabledModules = [ "services/web-servers/bluemap.nix" ];
+
+  sops.secrets."bluemap/ssh-key" = { };
+  sops.secrets."bluemap/ssh-known-hosts" = { };
+
+  services.bluemap = {
+    enable = true;
+    eula = true;
+    onCalendar = "*-*-* 05:45:00"; # a little over an hour after auto-upgrade
+
+    host = "minecraft.pvv.ntnu.no";
+
+    maps = {
+      "verden" = {
+        settings = {
+          world = vanillaSurvival;
+          sorting = 0;
+          ambient-light = 0.1;
+          cave-detection-ocean-floor = -5;
+          marker-sets = inputs.minecraft-data.map-markers.vanillaSurvival.verden;
+        };
+      };
+      "underverden" = {
+        settings = {
+          world = "${vanillaSurvival}/DIM-1";
+          sorting = 100;
+          sky-color = "#290000";
+          void-color = "#150000";
+          ambient-light = 0.6;
+          world-sky-light = 0;
+          remove-caves-below-y = -10000;
+          cave-detection-ocean-floor = -5;
+          cave-detection-uses-block-light = true;
+          max-y = 90;
+          marker-sets = inputs.minecraft-data.map-markers.vanillaSurvival.underverden;
+        };
+      };
+      "enden" = {
+        settings = {
+          world = "${vanillaSurvival}/DIM1";
+          sorting = 200;
+          sky-color = "#080010";
+          void-color = "#080010";
+          ambient-light = 0.6;
+          world-sky-light = 0;
+          remove-caves-below-y = -10000;
+          cave-detection-ocean-floor = -5;
+        };
+      };
+    };
+  };
+
+  services.nginx.virtualHosts."minecraft.pvv.ntnu.no" = {
+    enableACME = true;
+    forceSSL = true;
+  };
+
+  # TODO: render somewhere else lmao
+  systemd.services."render-bluemap-maps" = {
+    preStart = ''
+      mkdir -p /var/lib/bluemap/world
+      ${pkgs.rsync}/bin/rsync \
+        -e "${pkgs.openssh}/bin/ssh -o UserKnownHostsFile=$CREDENTIALS_DIRECTORY/ssh-known-hosts -i $CREDENTIALS_DIRECTORY/sshkey" \
+        -avz --no-owner --no-group \
+        root@innovation.pvv.ntnu.no:/ \
+        ${vanillaSurvival}
+    '';
+    serviceConfig = {
+      LoadCredential = [
+        "sshkey:${config.sops.secrets."bluemap/ssh-key".path}"
+        "ssh-known-hosts:${config.sops.secrets."bluemap/ssh-known-hosts".path}"
+      ];
+    };
+  };
+}

hosts/bekkalokk/services/bluemap/module.nix

@@ -0,0 +1,343 @@
+{ config, lib, pkgs, ... }:
+let
+  cfg = config.services.bluemap;
+  format = pkgs.formats.hocon { };
+
+  coreConfig = format.generate "core.conf" cfg.coreSettings;
+  webappConfig = format.generate "webapp.conf" cfg.webappSettings;
+  webserverConfig = format.generate "webserver.conf" cfg.webserverSettings;
+
+  storageFolder = pkgs.linkFarm "storage"
+    (lib.attrsets.mapAttrs' (name: value:
+      lib.nameValuePair "${name}.conf"
+        (format.generate "${name}.conf" value))
+      cfg.storage);
+
+  mapsFolder = pkgs.linkFarm "maps"
+    (lib.attrsets.mapAttrs' (name: value:
+      lib.nameValuePair "${name}.conf"
+        (format.generate "${name}.conf" value.settings))
+      cfg.maps);
+
+  webappConfigFolder = pkgs.linkFarm "bluemap-config" {
+    "maps" = mapsFolder;
+    "storages" = storageFolder;
+    "core.conf" = coreConfig;
+    "webapp.conf" = webappConfig;
+    "webserver.conf" = webserverConfig;
+    "packs" = cfg.resourcepacks;
+    "addons" = cfg.resourcepacks; # TODO
+  };
+
+  renderConfigFolder = name: value: pkgs.linkFarm "bluemap-${name}-config" {
+    "maps" = pkgs.linkFarm "maps" {
+      "${name}.conf" = (format.generate "${name}.conf" value.settings);
+    };
+    "storages" = storageFolder;
+    "core.conf" = coreConfig;
+    "webapp.conf" = format.generate "webapp.conf" (cfg.webappSettings // { "update-settings-file" = false; });
+    "webserver.conf" = webserverConfig;
+    "packs" = value.resourcepacks;
+    "addons" = cfg.resourcepacks; # TODO
+  };
+
+  inherit (lib) mkOption;
+in {
+  options.services.bluemap = {
+    enable = lib.mkEnableOption "bluemap";
+
+    eula = mkOption {
+      type = lib.types.bool;
+      description = ''
+        By changing this option to true you confirm that you own a copy of minecraft Java Edition,
+        and that you agree to minecrafts EULA.
+      '';
+      default = false;
+    };
+
+    defaultWorld = mkOption {
+      type = lib.types.path;
+      description = ''
+        The world used by the default map ruleset.
+        If you configure your own maps you do not need to set this.
+      '';
+      example = lib.literalExpression "\${config.services.minecraft.dataDir}/world";
+    };
+
+    enableRender = mkOption {
+      type = lib.types.bool;
+      description = "Enable rendering";
+      default = true;
+    };
+
+    webRoot = mkOption {
+      type = lib.types.path;
+      default = "/var/lib/bluemap/web";
+      description = "The directory for saving and serving the webapp and the maps";
+    };
+
+    enableNginx = mkOption {
+      type = lib.types.bool;
+      default = true;
+      description = "Enable configuring a virtualHost for serving the bluemap webapp";
+    };
+
+    host = mkOption {
+      type = lib.types.str;
+      default = "bluemap.${config.networking.domain}";
+      defaultText = lib.literalExpression "bluemap.\${config.networking.domain}";
+      description = "Domain to configure nginx for";
+    };
+
+    onCalendar = mkOption {
+      type = lib.types.str;
+      description = ''
+        How often to trigger rendering the map,
+        in the format of a systemd timer onCalendar configuration.
+        See {manpage}`systemd.timer(5)`.
+      '';
+      default = "*-*-* 03:10:00";
+    };
+
+    coreSettings = mkOption {
+      type = lib.types.submodule {
+        freeformType = format.type;
+        options = {
+          data = mkOption {
+            type = lib.types.path;
+            description = "Folder for where bluemap stores its data";
+            default = "/var/lib/bluemap";
+          };
+          metrics = lib.mkEnableOption "Sending usage metrics containing the version of bluemap in use";
+        };
+      };
+      description = "Settings for the core.conf file, [see upstream docs](https://github.com/BlueMap-Minecraft/BlueMap/blob/master/BlueMapCommon/src/main/resources/de/bluecolored/bluemap/config/core.conf).";
+    };
+
+    webappSettings = mkOption {
+      type = lib.types.submodule {
+        freeformType = format.type;
+      };
+      default = {
+        enabled = true;
+        webroot = cfg.webRoot;
+      };
+      defaultText = lib.literalExpression ''
+        {
+          enabled = true;
+          webroot = config.services.bluemap.webRoot;
+        }
+      '';
+      description = "Settings for the webapp.conf file, see [upstream docs](https://github.com/BlueMap-Minecraft/BlueMap/blob/master/BlueMapCommon/src/main/resources/de/bluecolored/bluemap/config/webapp.conf).";
+    };
+
+    webserverSettings = mkOption {
+      type = lib.types.submodule {
+        freeformType = format.type;
+        options = {
+          enabled = mkOption {
+            type = lib.types.bool;
+            description = ''
+              Enable bluemap's built-in webserver.
+              Disabled by default in nixos for use of nginx directly.
+            '';
+            default = false;
+          };
+        };
+      };
+      default = { };
+      description = ''
+        Settings for the webserver.conf file, usually not required.
+        [See upstream docs](https://github.com/BlueMap-Minecraft/BlueMap/blob/master/BlueMapCommon/src/main/resources/de/bluecolored/bluemap/config/webserver.conf).
+      '';
+    };
+
+    maps = mkOption {
+      type = lib.types.attrsOf (lib.types.submodule {
+        options = {
+          resourcepacks = mkOption {
+            type = lib.types.path;
+            default = cfg.resourcepacks;
+            defaultText = lib.literalExpression "config.services.bluemap.resourcepacks";
+            description = "A set of resourcepacks/mods to extract models from loaded in alphabetical order";
+          };
+          settings = mkOption {
+            type = (lib.types.submodule {
+              freeformType = format.type;
+              options = {
+                world = mkOption {
+                  type = lib.types.path;
+                  description = "Path to world folder containing the dimension to render";
+                };
+              };
+            });
+            description = ''
+              Settings for files in `maps/`.
+              See the default for an example with good options for the different world types.
+              For valid values [consult upstream docs](https://github.com/BlueMap-Minecraft/BlueMap/blob/master/BlueMapCommon/src/main/resources/de/bluecolored/bluemap/config/maps/map.conf).
+            '';
+          };
+        };
+      });
+      default = {
+        "overworld".settings = {
+          world = "${cfg.defaultWorld}";
+          ambient-light = 0.1;
+          cave-detection-ocean-floor = -5;
+        };
+
+        "nether".settings = {
+          world = "${cfg.defaultWorld}/DIM-1";
+          sorting = 100;
+          sky-color = "#290000";
+          void-color = "#150000";
+          ambient-light = 0.6;
+          world-sky-light = 0;
+          remove-caves-below-y = -10000;
+          cave-detection-ocean-floor = -5;
+          cave-detection-uses-block-light = true;
+          max-y = 90;
+        };
+
+        "end".settings = {
+          world = "${cfg.defaultWorld}/DIM1";
+          sorting = 200;
+          sky-color = "#080010";
+          void-color = "#080010";
+          ambient-light = 0.6;
+          world-sky-light = 0;
+          remove-caves-below-y = -10000;
+          cave-detection-ocean-floor = -5;
+        };
+      };
+      defaultText = lib.literalExpression ''
+        {
+          "overworld".settings = {
+            world = "''${cfg.defaultWorld}";
+            ambient-light = 0.1;
+            cave-detection-ocean-floor = -5;
+          };
+
+          "nether".settings = {
+            world = "''${cfg.defaultWorld}/DIM-1";
+            sorting = 100;
+            sky-color = "#290000";
+            void-color = "#150000";
+            ambient-light = 0.6;
+            world-sky-light = 0;
+            remove-caves-below-y = -10000;
+            cave-detection-ocean-floor = -5;
+            cave-detection-uses-block-light = true;
+            max-y = 90;
+          };
+
+          "end".settings = {
+            world = "''${cfg.defaultWorld}/DIM1";
+            sorting = 200;
+            sky-color = "#080010";
+            void-color = "#080010";
+            ambient-light = 0.6;
+            world-sky-light = 0;
+            remove-caves-below-y = -10000;
+            cave-detection-ocean-floor = -5;
+          };
+        };
+      '';
+      description = ''
+        map-specific configuration.
+        These correspond to views in the webapp and are usually
+        different dimension of a world or different render settings of the same dimension.
+        If you set anything in this option you must configure all dimensions yourself!
+      '';
+    };
+
+    storage = mkOption {
+      type = lib.types.attrsOf (lib.types.submodule {
+        freeformType = format.type;
+        options = {
+          storage-type = mkOption {
+            type = lib.types.enum [ "FILE" "SQL" ];
+            description = "Type of storage config";
+            default = "FILE";
+          };
+        };
+      });
+      description = ''
+        Where the rendered map will be stored.
+        Unless you are doing something advanced you should probably leave this alone and configure webRoot instead.
+        [See upstream docs](https://github.com/BlueMap-Minecraft/BlueMap/tree/master/BlueMapCommon/src/main/resources/de/bluecolored/bluemap/config/storages)
+      '';
+      default = {
+        "file" = {
+          root = "${cfg.webRoot}/maps";
+        };
+      };
+      defaultText = lib.literalExpression ''
+        {
+          "file" = {
+            root = "''${config.services.bluemap.webRoot}/maps";
+          };
+        }
+      '';
+    };
+
+    resourcepacks = mkOption {
+      type = lib.types.path;
+      default = pkgs.linkFarm "resourcepacks" { };
+      description = ''
+        A set of resourcepacks/mods to extract models from loaded in alphabetical order.
+        Can be overriden on a per-map basis with `services.bluemap.maps.<name>.resourcepacks`.
+      '';
+    };
+  };
+
+
+  config = lib.mkIf cfg.enable {
+    assertions =
+      [ { assertion = config.services.bluemap.eula;
+          message = ''
+            You have enabled bluemap but have not accepted minecraft's EULA.
+            You can achieve this through setting `services.bluemap.eula = true`
+          '';
+        }
+      ];
+
+    services.bluemap.coreSettings.accept-download = cfg.eula;
+
+    systemd.services."render-bluemap-maps" = lib.mkIf cfg.enableRender {
+      serviceConfig = {
+        Type = "oneshot";
+        Group = "nginx";
+        UMask = "026";
+      };
+      script = lib.strings.concatStringsSep "\n" ((lib.attrsets.mapAttrsToList
+        (name: value: "${lib.getExe pkgs.bluemap} -c ${renderConfigFolder name value} -r")
+        cfg.maps) ++ [ "${lib.getExe pkgs.bluemap} -c ${webappConfigFolder} -gs" ]);
+    };
+
+    systemd.timers."render-bluemap-maps" = lib.mkIf cfg.enableRender {
+      wantedBy = [ "timers.target" ];
+      timerConfig = {
+        OnCalendar = cfg.onCalendar;
+        Persistent = true;
+        Unit = "render-bluemap-maps.service";
+      };
+    };
+
+    services.nginx.virtualHosts = lib.mkIf cfg.enableNginx {
+      "${cfg.host}" = {
+        root = config.services.bluemap.webRoot;
+        locations = {
+          "~* ^/maps/[^/]*/tiles/".extraConfig = ''
+            error_page 404 = @empty;
+          '';
+          "@empty".return = "204";
+        };
+      };
+    };
+  };
+
+  meta = {
+    maintainers = with lib.maintainers; [ dandellion h7x4 ];
+  };
+}

hosts/bekkalokk/services/gitea/default.nix

@@ -55,6 +55,11 @@ in {
         USER = "gitea@pvv.ntnu.no";
         SUBJECT_PREFIX = "[pvv-git]";
       };
+      metrics = {
+        ENABLED = true;
+        ENABLED_ISSUE_BY_LABEL = true;
+        ENABLED_ISSUE_BY_REPOSITORY = true;
+      };
       indexer.REPO_INDEXER_ENABLED = true;
       service = {
         DISABLE_REGISTRATION = true;
@@ -109,11 +114,20 @@ in {
     forceSSL = true;
     enableACME = true;
     kTLS = true;
-    locations."/" = {
-      proxyPass = "http://unix:${cfg.settings.server.HTTP_ADDR}";
-      extraConfig = ''
-        client_max_body_size 512M;
-      '';
+    locations = {
+      "/" = {
+        proxyPass = "http://unix:${cfg.settings.server.HTTP_ADDR}";
+        extraConfig = ''
+          client_max_body_size 512M;
+        '';
+      };
+      "/metrics" = {
+        proxyPass = "http://unix:${cfg.settings.server.HTTP_ADDR}";
+        extraConfig = ''
+          allow ${values.hosts.ildkule.ipv4}/32;
+          deny all;
+        '';
+      };
     };
   };
 

hosts/bekkalokk/services/idp-simplesamlphp/default.nix

@@ -202,6 +202,12 @@ in
           rewrite ^/simplesaml/(.*)$ /$1 redirect;
           return 404;
         '';
+        "/robots.txt" = {
+          root = pkgs.writeTextDir "robots.txt" ''
+            User-agent: *
+            Disallow: /
+          '';
+        };
       };
     };
   };

hosts/bicep/acmeCert.nix

@@ -1,24 +0,0 @@
-{ values, ... }:
-{
-  users.groups.acme.members = [ "nginx" ];
-
-  security.acme.certs."postgres.pvv.ntnu.no" = {
-    group = "acme";
-    extraDomainNames = [
-      # "postgres.pvv.org"
-      "bicep.pvv.ntnu.no"
-      # "bicep.pvv.org"
-      # values.hosts.bicep.ipv4
-      # values.hosts.bicep.ipv6
-    ];
-  };
-
-  services.nginx = {
-    enable = true;
-    virtualHosts."postgres.pvv.ntnu.no" = {
-      forceSSL = true;
-      enableACME = true;
-      # useACMEHost = "postgres.pvv.ntnu.no";
-    };
-  };
-}

hosts/bicep/configuration.nix

@@ -3,12 +3,10 @@
   imports = [
     ./hardware-configuration.nix
 
-    ../../base.nix
+    ../../base
     ../../misc/metrics-exporters.nix
     ./services/nginx
 
-    ./acmeCert.nix
-
     ./services/mysql.nix
     ./services/postgres.nix
     ./services/mysql.nix
@@ -36,6 +34,9 @@
     anyInterface = true;
   };
 
+  # There are no smart devices
+  services.smartd.enable = false;
+
   # Do not change, even during upgrades.
   # See https://search.nixos.org/options?show=system.stateVersion
   system.stateVersion = "22.11";

hosts/bicep/services/matrix/mjolnir.nix

@@ -11,7 +11,7 @@
   services.mjolnir = {
     enable = true;
     pantalaimon.enable = false;
-    homeserverUrl = "http://127.0.0.1:8008";
+    homeserverUrl = "https://matrix.pvv.ntnu.no";
     accessTokenFile = config.sops.secrets."matrix/mjolnir/access_token".path;
     managementRoom = "!gsdeCoWjvYRBrzuiRq:pvv.ntnu.no";
     protectedRooms = map (a: "https://matrix.to/#/${a}") [

hosts/bicep/services/matrix/synapse.nix

@@ -157,6 +157,18 @@ in {
       '';
     };
   }
+  {
+    locations."/_synapse/admin" = {
+      proxyPass = "http://$synapse_backend";
+      extraConfig = ''
+        allow 127.0.0.1;
+        allow ::1;
+        allow ${values.hosts.bicep.ipv4};
+        allow ${values.hosts.bicep.ipv6};
+        deny all;
+      '';
+    };
+  }
   {
     locations = let
       connectionInfo = w: matrix-lib.workerConnectionResource "metrics" w;
@@ -170,8 +182,6 @@ in {
         extraConfig = ''
           allow ${values.hosts.ildkule.ipv4};
           allow ${values.hosts.ildkule.ipv6};
-          allow ${values.hosts.ildkule.ipv4_global};
-          allow ${values.hosts.ildkule.ipv6_global};
           deny all;
         '';
       })
@@ -183,8 +193,6 @@ in {
       extraConfig = ''
         allow ${values.hosts.ildkule.ipv4};
         allow ${values.hosts.ildkule.ipv6};
-        allow ${values.hosts.ildkule.ipv4_global};
-        allow ${values.hosts.ildkule.ipv6_global};
         deny all;
       '';
     };

hosts/bob/configuration.nix

@@ -3,7 +3,7 @@
   imports = [
       # Include the results of the hardware scan.
       ./hardware-configuration.nix
-      ../../base.nix
+      ../../base
       ../../misc/metrics-exporters.nix
       ./disks.nix
 

hosts/brzeczyszczykiewicz/configuration.nix

@@ -3,7 +3,7 @@
   imports = [
       # Include the results of the hardware scan.
       ./hardware-configuration.nix
-      ../../base.nix
+      ../../base
       ../../misc/metrics-exporters.nix
 
       ./services/grzegorz.nix

hosts/buskerud/configuration.nix

@@ -1,38 +0,0 @@
-{ config, pkgs, values, ... }:
-{
-  imports = [
-    ./hardware-configuration.nix
-    ../../base.nix
-    ../../misc/metrics-exporters.nix
-
-    ./services/libvirt.nix
-  ];
-
-  # buskerud does not support efi?
-  # boot.loader.systemd-boot.enable = true;
-  # boot.loader.efi.canTouchEfiVariables = true;
-  boot.loader.grub.enable = true;
-  boot.loader.grub.device = "/dev/sdb";
-
-  networking.hostName = "buskerud";
-  networking.search = [ "pvv.ntnu.no" "pvv.org" ];
-  networking.nameservers = [ "129.241.0.200" "129.241.0.201" ];
-  networking.tempAddresses = "disabled";
-
-  systemd.network.networks."enp3s0f0" = values.defaultNetworkConfig // {
-    matchConfig.Name = "enp3s0f0";
-    address = with values.hosts.buskerud; [ (ipv4 + "/25") (ipv6 + "/64") ];
-  };
-
-  # List packages installed in system profile
-  environment.systemPackages = with pkgs; [
-  ];
-
-  # This value determines the NixOS release from which the default
-  # settings for stateful data, like file locations and database versions
-  # on your system were taken. It‘s perfectly fine and recommended to leave
-  # this value at the release version of the first install of this system.
-  # Before changing this value read the documentation for this option
-  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
-  system.stateVersion = "23.05"; # Did you read the comment?
-}

hosts/buskerud/hardware-configuration.nix

@@ -1,37 +0,0 @@
-# Do not modify this file!  It was generated by ‘nixos-generate-config’
-# and may be overwritten by future invocations.  Please make changes
-# to /etc/nixos/configuration.nix instead.
-{ config, lib, pkgs, modulesPath, ... }:
-
-{
-  imports =
-    [ (modulesPath + "/installer/scan/not-detected.nix")
-    ];
-
-  boot.initrd.availableKernelModules = [ "uhci_hcd" "ehci_pci" "ata_piix" "hpsa" "usb_storage" "usbhid" "sd_mod" "sr_mod" ];
-  boot.initrd.kernelModules = [ ];
-  boot.kernelModules = [ "kvm-intel" ];
-  boot.extraModulePackages = [ ];
-
-  fileSystems."/" =
-    { device = "/dev/disk/by-uuid/ed9654fe-575a-4fb3-b6ff-1b059479acff";
-      fsType = "ext4";
-    };
-
-  swapDevices = [ ];
-
-  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
-  # (the default) this is the recommended approach. When using systemd-networkd it's
-  # still possible to use this option, but it's recommended to use it in conjunction
-  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
-  networking.useDHCP = lib.mkDefault true;
-  # networking.interfaces.enp14s0f0.useDHCP = lib.mkDefault true;
-  # networking.interfaces.enp14s0f1.useDHCP = lib.mkDefault true;
-  # networking.interfaces.enp3s0f0.useDHCP = lib.mkDefault true;
-  # networking.interfaces.enp3s0f1.useDHCP = lib.mkDefault true;
-  # networking.interfaces.enp4s0f0.useDHCP = lib.mkDefault true;
-  # networking.interfaces.enp4s0f1.useDHCP = lib.mkDefault true;
-
-  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
-  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
-}

hosts/buskerud/services/libvirt.nix

@@ -1,10 +0,0 @@
-{ config, pkgs, lib, ... }:
-{
-  virtualisation.libvirtd.enable = true;
-  programs.dconf.enable = true;
-  boot.kernelModules = [ "kvm-intel" ];
-
-  # On a gui-enabled machine, connect with:
-  # $ virt-manager --connect "qemu+ssh://buskerud/system?socket=/var/run/libvirt/libvirt-sock"
-}
-

hosts/georg/configuration.nix

@@ -3,7 +3,7 @@
   imports = [
       # Include the results of the hardware scan.
       ./hardware-configuration.nix
-      ../../base.nix
+      ../../base
       ../../misc/metrics-exporters.nix
 
       ../../modules/grzegorz.nix

hosts/ildkule/configuration.nix

@@ -1,9 +1,9 @@
-{ config, pkgs, values, ... }:
+{ config, pkgs, lib, values, ... }:
 {
   imports = [
       # Include the results of the hardware scan.
       ./hardware-configuration.nix
-      ../../base.nix
+      ../../base
       ../../misc/metrics-exporters.nix
 
       ./services/monitoring
@@ -19,33 +19,37 @@
   boot.tmp.cleanOnBoot = true;
   zramSwap.enable = true;
 
-  networking.hostName = "ildkule"; # Define your hostname.
+  # Openstack Neutron and systemd-networkd are not best friends, use something else:
+  systemd.network.enable = lib.mkForce false;
+  networking = let
+    hostConf = values.hosts.ildkule;
+  in {
+    hostName = "ildkule";
+    tempAddresses = "disabled";
+    useDHCP = lib.mkForce true;
 
-  # Main connection, using the global/floatig IP, for communications with the world
-  systemd.network.networks."30-ntnu-global" = values.openstackGlobalNetworkConfig // {
-    matchConfig.Name = "ens4";
+    search = values.defaultNetworkConfig.domains;
+    nameservers = values.defaultNetworkConfig.dns;
+    defaultGateway.address = hostConf.ipv4_internal_gw;
 
-    # Add the global addresses in addition to the local address learned from DHCP
-    addresses = [
-      { addressConfig.Address = "${values.hosts.ildkule.ipv4_global}/32"; }
-      { addressConfig.Address = "${values.hosts.ildkule.ipv6_global}/128"; }
-    ];
-  };
-
-  # Secondary connection only for use within the university network
-  systemd.network.networks."40-ntnu-internal" = values.openstackLocalNetworkConfig // {
-    matchConfig.Name = "ens3";
-    # Add the ntnu-internal addresses in addition to the local address learned from DHCP
-    addresses = [
-      { addressConfig.Address = "${values.hosts.ildkule.ipv4}/32"; }
-      { addressConfig.Address = "${values.hosts.ildkule.ipv6}/128"; }
-    ];
+    interfaces."ens4" = {
+      ipv4.addresses = [
+        { address = hostConf.ipv4;          prefixLength = 32; }
+        { address = hostConf.ipv4_internal; prefixLength = 24; }
+      ];
+      ipv6.addresses = [
+        { address = hostConf.ipv6;          prefixLength = 64; }
+      ];
+    };
   };
 
   # List packages installed in system profile
   environment.systemPackages = with pkgs; [
   ];
 
+  # No devices with SMART
+  services.smartd.enable = false;
+
   system.stateVersion = "23.11"; # Did you read the comment?
 
 }

hosts/ildkule/services/journald-remote.nix

@@ -1,18 +0,0 @@
-{ ... }:
-{
-  services.journald.remote = {
-    enable = true;
-    settings.Remote = {
-      # ServerKeyFile = "/run/credentials/systemd-journald-remote.service/key.pem";
-      # ServerCertificateFile = "/run/credentials/systemd-journald-remote.service/.pem";
-      ServerKeyFile = "/etc/journald-remote-certs/key.pem";
-      ServerCertificateFile = "/etc/journald-remote-certs/cert.pem";
-      TrustedCertificateFile = "-";
-    };
-  };
-
-  # systemd.services.systemd-journal-remote.serviceConfig.LoadCredential = [
-  #   "key.pem:/etc/journald-remote-certs/key.pem"
-  #   "cert.pem:/etc/journald-remote-certs/cert.pem"
-  # ];
-}

hosts/ildkule/services/monitoring/grafana.nix

@@ -75,6 +75,12 @@ in {
           url = "https://grafana.com/api/dashboards/240/revisions/3/download";
           options.path = dashboards/go-processes.json;
         }
+        {
+          name = "Gitea Dashbaord";
+          type = "file";
+          url = "https://grafana.com/api/dashboards/17802/revisions/3/download";
+          options.path = dashboards/gitea-dashbaord.json;
+        }
       ];
 
     };

hosts/ildkule/services/monitoring/prometheus/default.nix

@@ -1,11 +1,11 @@
 { config, ... }: {
   imports = [
-    ./gogs.nix
+    ./gitea.nix
     ./matrix-synapse.nix
     # TODO: enable once https://github.com/NixOS/nixpkgs/pull/242365 gets merged
     # ./mysqld.nix
-    ./node.nix
     ./postgres.nix
+    ./machines.nix
   ];
 
   services.prometheus = {

hosts/ildkule/services/monitoring/prometheus/gitea.nix

@@ -0,0 +1,16 @@
+{ ... }:
+{
+  services.prometheus.scrapeConfigs = [{
+    job_name = "gitea";
+    scrape_interval = "60s";
+    scheme = "https";
+
+    static_configs = [
+      {
+        targets = [
+          "git.pvv.ntnu.no:443"
+        ];
+      }
+    ];
+  }];
+}

hosts/ildkule/services/monitoring/prometheus/gogs.nix

@@ -1,16 +0,0 @@
-{ config, ... }: let
-  cfg = config.services.prometheus;
-in {
-  services.prometheus.scrapeConfigs = [{
-    job_name = "git-gogs";
-    scheme = "https";
-    metrics_path = "/-/metrics";
-    static_configs = [
-      {
-        targets = [
-          "essendrop.pvv.ntnu.no:443"
-        ];
-      }
-    ];
-  }];
-}

hosts/ildkule/services/monitoring/prometheus/machines.nix

@@ -0,0 +1,54 @@
+{ config, ... }: let
+  cfg = config.services.prometheus;
+in {
+  services.prometheus.scrapeConfigs = [{
+    job_name = "base_info";
+    static_configs = [
+      { labels.hostname = "ildkule";
+        targets = [
+          "ildkule.pvv.ntnu.no:${toString cfg.exporters.node.port}"
+          "ildkule.pvv.ntnu.no:${toString cfg.exporters.systemd.port}"
+        ];
+      }
+      { labels.hostname = "bekkalokk";
+        targets = [
+          "bekkalokk.pvv.ntnu.no:9100"
+          "bekkalokk.pvv.ntnu.no:9101"
+        ];
+      }
+      { labels.hostname = "bicep";
+        targets = [
+          "bicep.pvv.ntnu.no:9100"
+          "bicep.pvv.ntnu.no:9101"
+        ];
+      }
+      { labels.hostname = "brzeczyszczykiewicz";
+        targets = [
+          "brzeczyszczykiewicz.pvv.ntnu.no:9100"
+          "brzeczyszczykiewicz.pvv.ntnu.no:9101"
+        ];
+      }
+      { labels.hostname = "georg";
+        targets = [
+          "georg.pvv.ntnu.no:9100"
+          "georg.pvv.ntnu.no:9101"
+        ];
+      }
+      { labels.hostname =  "hildring";
+        targets = [
+          "hildring.pvv.ntnu.no:9100"
+        ];
+      }
+      { labels.hostname =  "isvegg";
+        targets = [
+          "isvegg.pvv.ntnu.no:9100"
+        ];
+      }
+      { labels.hostname =  "microbel";
+        targets = [
+          "microbel.pvv.ntnu.no:9100"
+        ];
+      }
+    ];
+  }];
+}

hosts/ildkule/services/monitoring/prometheus/node.nix

@@ -1,22 +0,0 @@
-{ config, ... }: let
-  cfg = config.services.prometheus;
-in {
-  services.prometheus.scrapeConfigs = [{
-    job_name = "node";
-    static_configs = [
-      {
-        targets = [
-          "ildkule.pvv.ntnu.no:${toString cfg.exporters.node.port}"
-          "microbel.pvv.ntnu.no:9100"
-          "isvegg.pvv.ntnu.no:9100"
-          "knakelibrak.pvv.ntnu.no:9100"
-          "hildring.pvv.ntnu.no:9100"
-          "bicep.pvv.ntnu.no:9100"
-          "essendrop.pvv.ntnu.no:9100"
-          "andresbu.pvv.ntnu.no:9100"
-          "bekkalokk.pvv.ntnu.no:9100"
-        ];
-      }
-    ];
-  }];
-}

hosts/shark/configuration.nix

@@ -3,7 +3,7 @@
   imports = [
       # Include the results of the hardware scan.
       ./hardware-configuration.nix
-      ../../base.nix
+      ../../base
       ../../misc/metrics-exporters.nix
     ];
 

justfile

@@ -18,7 +18,7 @@ run-vm machine=`just _a_machine`:
   nix eval .#inputs --apply builtins.attrNames --json \
     | jq '.[]' -r \
     | gum choose --no-limit --height=15 \
-    | xargs nix flake update --commit-lock-file
+    | xargs -L 1 nix flake lock --update-input
 
 
 _a_machine:

misc/metrics-exporters.nix

@@ -14,13 +14,31 @@
       "::1"
       values.hosts.ildkule.ipv4
       values.hosts.ildkule.ipv6
-      values.hosts.ildkule.ipv4_global
-      values.hosts.ildkule.ipv6_global
     ];
   };
 
 
-  networking.firewall.allowedTCPPorts = [ 9100 ];
+  services.prometheus.exporters.systemd = {
+    enable = true;
+    port = 9101;
+    extraFlags = [
+      "--systemd.collector.enable-restart-count"
+      "--systemd.collector.enable-ip-accounting"
+    ];
+  };
+
+  systemd.services.prometheus-systemd-exporter.serviceConfig = {
+    IPAddressDeny = "any";
+    IPAddressAllow = [
+      "127.0.0.1"
+      "::1"
+      values.hosts.ildkule.ipv4
+      values.hosts.ildkule.ipv6
+    ];
+  };
+  
+
+  networking.firewall.allowedTCPPorts = [ 9100 9101 ];
 
   services.promtail = {
     enable = true;

packages/bluemap.nix

@@ -0,0 +1,30 @@
+{ lib, stdenvNoCC, fetchurl, makeWrapper, jre }:
+
+stdenvNoCC.mkDerivation rec {
+  pname = "bluemap";
+  version = "5.2";
+
+  src = fetchurl {
+    url = "https://github.com/BlueMap-Minecraft/BlueMap/releases/download/v${version}/BlueMap-${version}-cli.jar";
+    hash = "sha256-4vld+NBwzBxdwbMtsKuqvO6immkbh4HB//6wdjXaxoU=";
+  };
+
+  dontUnpack = true;
+
+  nativeBuildInputs = [ makeWrapper ];
+
+  installPhase = ''
+    runHook preInstall
+    makeWrapper ${jre}/bin/java $out/bin/bluemap --add-flags "-jar $src"
+    runHook postInstall
+  '';
+
+  meta = {
+    description = "3D minecraft map renderer";
+    homepage = "https://bluemap.bluecolored.de/";
+    sourceProvenance = with lib.sourceTypes; [ binaryBytecode ];
+    license = lib.licenses.mit;
+    maintainers = with lib.maintainers; [ dandellion ];
+    mainProgram = "bluemap";
+  };
+}

secrets/bekkalokk/bekkalokk.yaml

@@ -32,6 +32,9 @@ nettsiden:
         admin_password: ENC[AES256_GCM,data:SADr/zN3F0tW339kSK1nD9Pb38rw7hz8,iv:s5jgl1djXd5JKwx1WG/w2Q4STMMpjJP91qxOwAoNcL0=,tag:N8bKnO9N0ei06HDkSGt6XQ==,type:str]
 vaultwarden:
     environ: ENC[AES256_GCM,data:CST5I8x8qAkrTy/wbMLL6aFSPDPIU7aWsD1L1MnIATRmk7fcUhfTSFds7quJmIpb2znsIT/WxNI/V/7UW+9ZdPKI64hfPR8MtvrJcbOhU5Fe2IiytFymFbhcOgWAXjbGzs7knQmpfMxSl98sU71oLkRuFdkousdnh4VQFZhUCYM=,iv:Is6xQ7DGdcAQgrrXCS9NbJk67O2uR82rbKOXBTzZHWw=,tag:XVEjCEM5t8qJl6jL89zrkw==,type:str]
+bluemap:
+    ssh-key: ENC[AES256_GCM,data:nPwsT4RYbMbGp2MChLUh6NXW4ckYr7SQcd6Gy2G8CEU+ugew5pt4d6GOK1fyekspDtet3EkPL2F1AsoPFBB2Rv0boARMslAhBqwWSsbBJTXeTEgAABSMxTPJRBtfJucvv426nyIj3uApoknz6mDCQh1OI6mER0fis7MPaM1506HlDlnIT0FV9EairEsaAmbd0yddByGJSccKIza2vW0qWqrz83P+xrakEONxFz0fJlkO5PRXCcQJVBCqWQfnaHNrWeBWv0QA7vAHlT0yjqJCpDRxN2KYrPWsz7sUbB4UZOtykCRM5kKFq73GUaOKqVECJQhcJi6tERhpJELwjjS8MSqvBD90UTKTshGugfuygTaOyUx4wou3atxMR2Rah9+uZ6mBrLAOLX3JKiAtyhFewPMWjd/UhbMPuzNageVBNz2EMpa4POSVwz5MyViKNSgr9cPcNGqmrnjvr/W/lnj6Ec+W80RiXQlADSE4Q6diLLwB9nlHvKs8NTDgv6sUafcPHpJ2+N4Jkb96dE14bMffQ385SI4vLDcQ8xCQ,iv:WdJIHRzjlm8bEldolCx1Q7pZJvjxGkNZALSOy3IjizU=,tag:5ZAikiqttq/76+thG+4LMw==,type:str]
+    ssh-known-hosts: ENC[AES256_GCM,data:J6V+NJ9TvYUL2gmcqWWYt8X+n0M7i0RpDpBelWAbFMH64+e9ztHNnC491sm+RogDxqKk0kwQyX2Mz00iq3Gc3wDYyozGOdv3tBKrp7/LcfjUQ9T9hi0yTD3eNV0LAjlAWMTdlW65VGHqGst8ncKbUuVxbBASVlh3A321toZgD+xxUAtNz7qKFa6fDbOS0xLD1+CmTwVp+aPos//QIKzjuk1HqxfBNK82maKtD4JHPS+Y3be2wIEjGWq3H6JYN/RDojD88D/jzo9RwvEjpqLXoOVfy8uX/fbEsgkgfAmPiaG+ePCnchSExEe3a6Y0E+I6YIzvP+tGThJpu4HaT/yW2Rww/jvsxKrXSUhtBZI/SIX5ZAIFB3sFjJXQefJjfNpQTQWhbspLfdemafGaRiDnzVgKDhNL1HNMNsXKDfWa0SLs4//dqerom/QCCNsaqV+4HVzv5x44srChGERadQI/Wh4UG2R19xxbdyIsKPHzv7BhEKufJkjc5upBjWygQrGAkTRHugFpw2Tdkz9yUQSujMkaeRKhVkA+ZUAjwnY5TwqNZBj7U3K2JXoNVHAq194XmrA2dNghh0OmRrvKGwM3HKexX22SXT0bPlpdWRQpMbUgV+uHLMerlDpNMFTIueEBkaF/FWeSW2N5WUrUb1uJ91QcJ8JBgN1riuD1Oxv9RRPrY9VVNJMrYjpAAREN8i8brMTOCJ35s7jnqIei0dNmnNXOoQZPs9kUMeEtUc/Df1E8/aO2Y4yU9gHUuevXnAJWFAiu2IxssgPk6CcNxvapJEmlwkLK/JyuDsWwFxVOHfw5QIEsoDVWXt6eMhquqUgzJI1q7QrTWUQsBb5A5sQKYWQHempOaXuQn1bzA7mU3Gzsr8bNNc6tpy+6j3zTXYR067EX00yqPG+kqRn4QVIuhByxXP3cwXLUG9uD1lsqWrGzs6WCnHr7txhRBXf4WbBVmXModO3uf36cDYEwrUa6yBsARtSl8PJ0UadfY/xULcT5PFvu9+Hi2qj3vp4IU3JCJa9AvXB+11pbSdawprjuDhwQtPwkJ4CQyvZsom3/BOrmwYM5+EyMDIluEQ0z6eDE5buiIVbX6IvXnDCKbrnqVwavX2wqyiDduFLjRfWL/3U2O1yRim78smrDMJABJZvtW+a+GfmlnTd/gnFvS70Fmm/lgtY051ISL/iFx6toJRoBMMiI/Zvy13uQry+w/HbyFl42DIank8tf7kuN3E9M7ADGMubRJJ0AZOcQddrFnR4Gl2nU2+3RS5fLHaBf9QHK6W92/n//xmPkYqrkPacew4eBjUqM32jVGuBpDc964fK9kdtIdw8q5P1s/ph3I79Y24kGeuO1AVJuZvkaTv1Z7GgI9+K9TstKJ9XpRCidLpLSP+uHOWkqcNsQlt6ilTlfHj+MKoD85dKZ315QMmpiuYEvzCSP1aYTb9dpd61Su/IVuM3r2NuINNEZ166YlHQVsLNpDn8E5ahk3ZInOAg6/kaKTmjUI8KEvX4BR3PbbViAlJJb3suJ0oZBGPUlrW5uLRmADvf2mMDVO5zY7/m9DQwxjt4Miu0l8ZaUc0YJQ850lBKucQ==,iv:GI8w7h7xX8gMHuAoWUyrW+BQb85LNlASoYvGBPlCZaI=,tag:WnHNMevfFSMc0ikBZwWn/g==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -92,8 +95,8 @@ sops:
             UHpLRkdQTnhkeGlWVG9VS1hkWktyckEKAdwnA9URLYZ50lMtXrU9Q09d0L3Zfsyr
             4UsvjjdnFtsXwEZ9ZzOQrpiN0Oz24s3csw5KckDni6kslaloJZsLGg==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-08-26T19:38:58Z"
-    mac: ENC[AES256_GCM,data:3FyfZPmJ7znQEul+IwqN1ZaM53n6os3grquJwJ9vfyDSc2h8UZBhqYG+2uW9Znp9DSIjuhCUI8iqGKRJE0M/6IDICeXms/5+ynVFOS9bA2cdzPvWaj0FFAd2x3g4Vhs47+vRlsnIe/tMiKU3IOvzOfI6KAUHc9L2ySrzH7z2+fo=,iv:1iZSR9qOIEtf+fNbtWSwJBIUEQGKadfHSVOnkFzOwq8=,tag:Sk6JEU1B6Rd1GXLYC6rQtQ==,type:str]
+    lastmodified: "2024-09-01T01:33:50Z"
+    mac: ENC[AES256_GCM,data:PkcOD9hJWD5tILO9PuZkOgIoujt4q2qtHBB9KF8ikrNKo0yw24Jf1ceI5/+BHCxhdi8sF4qQM/zty61zqwNaBsvrsLUkdWDwUDsuJQa1KKZiCEZPqYBc+qGIQ5wNPsU2zJ0c8+wU8H0LtGqKOH9GmaQtTdm0Rt2IcexV823uTjQ=,iv:GYTI85OgqnN8iUc6OOXO7Sz2XIthWJtz8zwMuWutEYs=,tag:2rhfhjXXzZLzoVlkINo0ZQ==,type:str]
     pgp:
         - created_at: "2024-08-04T00:03:28Z"
           enc: |-

values.nix

@@ -21,9 +21,6 @@ in rec {
       ipv4 = pvv-ipv4 213;
       ipv6 = pvv-ipv6 213;
     };
-    log-collector = {
-      inherit (hosts.ildkule) ipv4 ipv6;
-    };
   };
 
   hosts = {
@@ -33,11 +30,10 @@ in rec {
       ipv6 = pvv-ipv6 168;
     };
     ildkule = {
-      ipv4 = "10.212.25.209";
-      ipv6 = "2001:700:300:6025:f816:3eff:feee:812d";
-
-      ipv4_global = "129.241.153.213";
-      ipv6_global = "2001:700:300:6026:f816:3eff:fe58:f1e8";
+      ipv4 = "129.241.153.213";
+      ipv4_internal = "192.168.12.209";
+      ipv4_internal_gw = "192.168.12.1";
+      ipv6 = "2001:700:300:6026:f816:3eff:fe58:f1e8";
     };
     bicep = {
       ipv4 = pvv-ipv4 209;
@@ -62,39 +58,14 @@ in rec {
       ipv4 = pvv-ipv4 204;
       ipv6 = pvv-ipv6 "1:4f"; # Wtf øystein og daniel why
     };
-    buskerud = {
-      ipv4 = pvv-ipv4 231;
-      ipv6 = pvv-ipv6 231;
-    };
   };
 
   defaultNetworkConfig = {
-    networkConfig.IPv6AcceptRA = "no";
-    gateway = [ hosts.gateway ];
-    dns = [ "129.241.0.200" "129.241.0.201" ];
+    dns = [ "129.241.0.200" "129.241.0.201" "2001:700:300:1900::200" "2001:700:300:1900::201" ];
     domains = [ "pvv.ntnu.no" "pvv.org" ];
+    gateway = [ hosts.gateway ];
+
+    networkConfig.IPv6AcceptRA = "no";
     DHCP = "no";
   };
-
-  openstackGlobalNetworkConfig = {
-    networkConfig.IPv6AcceptRA = "yes";
-    dns = [ "129.241.0.200" "129.241.0.201" ];
-    domains = [ "pvv.ntnu.no" "pvv.org" ];
-    DHCP = "yes";
-  };
-
-  openstackLocalNetworkConfig = {
-    networkConfig.IPv6AcceptRA = "no";
-    dns = [ "129.241.0.200" "129.241.0.201" ];
-    domains = [ "pvv.ntnu.no" "pvv.org" ];
-    DHCP = "yes";
-
-    # Only use this network for link-local networking, not global/default routes
-    dhcpV4Config.UseRoutes = "no";
-    routes = [
-      { routeConfig = { Destination = "10.0.0.0/8"; Gateway = "_dhcp4"; }; }
-    ];
-
-    linkConfig.RequiredForOnline = "no";
-  };
 }