Adding unstable to pkgs.unstable and try apply it at runtime

2022-12-19 22:42:15 +01:00
48 changed files with 258 additions and 41859 deletions
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -1,51 +1,31 @@
 keys:
  # Users
  - &user_danio age17tagmpwqjk3mdy45rfesrfey6h863x8wfq38wh33tkrlrywxducs0k6tpq
  - &user_felixalb age1mrnldl334l2nszuta6ywvewng0fswv2dz9l5g4qcwe3nj4yxf92qjskdx6
  - &user_oysteikt F7D37890228A907440E1FD4846B9228E814A2AAC
-
+  - &host_jokum age1n4vc3dhv8puqz6ntwrkkpdfj0q002hexqee48wzahll8cmce2ezssrq608
  # Hosts
  - &host_jokum age1gp8ye4g2mmw3may5xg0zsy7mm04glfz3788mmdx9cvcsdxs9hg0s0cc9kt
  - &host_ildkule age1hn45n46ypyrvypv0mwfnpt9ddrlmw34dwlpf33n8v67jexr3lucq6ahc9x
  - &host_bekkalokk age13t2nnr6yukmtda6wn2uggfcj0dmwce8347y8w6xzt4yje6wlgscqnahuqm
  - &host_bicep age1sl43gc9cw939z5tgha2lpwf0xxxgcnlw7w4xem4sqgmt2pt264vq0dmwx2
 creation_rules:
  # Global secrets
  - path_regex: secrets/[^/]+\.yaml$
    key_groups:
    - age:
      - *user_danio
      - *host_jokum
      - *user_danio
      - *user_felixalb
      pgp:
      - *user_oysteikt
  # Host specific secrets
-  
+  ## Jokum
  - path_regex: secrets/bekkalokk/[^/]+\.yaml$
    key_groups:
    - age:
      - *host_bekkalokk
      - *user_danio
      - *user_felixalb
      pgp:
      - *user_oysteikt
  - path_regex: secrets/jokum/[^/]+\.yaml$
    key_groups:
    - age:
      - *host_jokum
      - *user_danio
-      - *user_felixalb
+      - *host_jokum
      pgp:
      - *user_oysteikt
  - path_regex: secrets/ildkule/[^/]+\.yaml$
    key_groups:
    - age:
      - *host_ildkule
      - *user_danio
      - *user_felixalb
      - *user_danio
      pgp:
      - *user_oysteikt
--- a/README.MD
+++ b/README.MD
@@ -16,7 +16,7 @@ Det er sikkert lurt å lage en PR først om du ikke er vandt til nix enda.
 Innen 24h skal alle systemene hente ned den nye konfigurasjonen og deploye den.
 Du kan tvinge en maskin til å oppdatere seg før dette ved å kjøre:
-`nixos-rebuild switch --update-input nixpkgs --update-input unstable --no-write-lock-file --refresh --flake git+https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git --upgrade`
+`nixos-rebuild switch --flake "git+https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git"`
 som root på maskinen.
@@ -37,11 +37,3 @@ for å få tilgang til å lese/skrive hemmeligheter må du spørre noen/noe som
 om å legge til age eller pgp nøkkelen din i [`.sops.yaml`](https://git.pvv.ntnu.no/Drift/pvv-nixos-config/src/main/.sops.yaml)
 Denne kan du generere fra ssh-nøkkelene dine eller lage en egen nøkkel.
 ### Legge til flere keys
 Gjør det som gir mening i .sops.yml
 Etter det kjør `sops updatekeys secrets/host/file.yml`
 MERK at det ikke er `sops -r` som BARE roterer nøkklene for de som allerede er i secretfila
--- a/base.nix
+++ b/base.nix
@@ -1,4 +1,4 @@
-{ config, lib, pkgs, inputs, values, ... }:
+{ config, pkgs, inputs, ... }:
 {
  imports = [
@@ -7,15 +7,10 @@
  networking.domain = "pvv.ntnu.no";
  networking.useDHCP = false;
-  # networking.search = [ "pvv.ntnu.no" "pvv.org" ];
+  networking.search = [ "pvv.ntnu.no" "pvv.org" ];
  # networking.nameservers = lib.mkDefault [ "129.241.0.200" "129.241.0.201" ];
  # networking.tempAddresses = lib.mkDefault "disabled";
  # networking.defaultGateway = values.hosts.gateway;
  systemd.network.enable = true;
  services.resolved = {
-    enable = lib.mkDefault true;
+    enable = true;
    dnssec = "false"; # Supposdly this keeps breaking and the default is to allow downgrades anyways...
  };
@@ -41,25 +36,30 @@
  nix.settings.experimental-features = [ "nix-command" "flakes" ];
-  /* This makes commandline tools like
+  # This makes commandline tools like nix run nixpkgs#hello
-  ** nix run nixpkgs#hello
+  # and nix-shell -p hello use the same channel the system was built with
  ** and nix-shell -p hello
  ** use the same channel the system
  ** was built with
  */
  nix.registry = {
    nixpkgs.flake = inputs.nixpkgs;
  };
-  nix.nixPath = [ "nixpkgs=${inputs.nixpkgs}" ];
+  nix.nixPath = [
    "nixpkgs=${inputs.nixpkgs}"
    "nixpkgs-overlays=${./overlays-compat}/"
  ];
  # Allows access to nixpkgs-unstable via pkgs.unstable
  nixpkgs.overlays = let
    unstable-overlay = final: prev: {
      unstable = inputs.unstable.legacyPackages.${prev.system};
    };
  in [
    unstable-overlay
  ];
  environment.systemPackages = with pkgs; [
    file
    git
    gnupg
    htop
    nano
    rsync
    screen
    tmux
    vim
    wget
--- a/flake.lock
+++ b/flake.lock
@@ -1,30 +1,28 @@
 {
  "nodes": {
    "matrix-next": {
      "inputs": {
        "nixpkgs-lib": "nixpkgs-lib"
      },
      "locked": {
-        "lastModified": 1676674799,
+        "lastModified": 1671480255,
-        "narHash": "sha256-NaZWOgNrco5OT0J5VrWg02SCkKz8RV1sxRjh0/MWMEc=",
+        "narHash": "sha256-06G6xYTFPVuvmN/k2QDeBk9XIp4LDxEKWRL3aLAFFNo=",
        "owner": "dali99",
        "repo": "nixos-matrix-modules",
-        "rev": "362496f4aacb680406db3fad36f98d38e8285b30",
+        "rev": "f42306e0a2df064f1beb6dfcc1776ea33e7ae9df",
        "type": "github"
      },
      "original": {
        "owner": "dali99",
        "ref": "flake-experiments",
        "repo": "nixos-matrix-modules",
        "type": "github"
      }
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1680879128,
+        "lastModified": 1671445885,
-        "narHash": "sha256-ISFCCZ3/Dw5WK/6kFKwqA6gIEaOjqU/5NoB6Vge87sE=",
+        "narHash": "sha256-oDCTgQiqr3y62NrU+viFCYXKln24wgUdYaf4ynXRPgI=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "fa98075869eb8264052548dde5c2ce9e68cf4cf1",
+        "rev": "d3cf188b498a7dc936de67254ba2fdafcf5a1368",
        "type": "github"
      },
      "original": {
@@ -34,28 +32,13 @@
        "type": "github"
      }
    },
    "nixpkgs-lib": {
      "locked": {
        "lastModified": 1673743903,
        "narHash": "sha256-sloY6KYyVOozJ1CkbgJPpZ99TKIjIvM+04V48C04sMQ=",
        "owner": "nix-community",
        "repo": "nixpkgs.lib",
        "rev": "7555e2dfcbac1533f047021f1744ac8871150f9f",
        "type": "github"
      },
      "original": {
        "owner": "nix-community",
        "repo": "nixpkgs.lib",
        "type": "github"
      }
    },
    "nixpkgs-stable": {
      "locked": {
-        "lastModified": 1680390120,
+        "lastModified": 1671459584,
-        "narHash": "sha256-RyDJcG/7mfimadlo8vO0QjW22mvYH1+cCqMuigUntr8=",
+        "narHash": "sha256-6wRK7xmeHfClJ0ICOkax1avLZVGTDqBodQlkl/opccY=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "c1e2efaca8d8a3db6a36f652765d6c6ba7bb8fae",
+        "rev": "87b58217c9a05edcf7630b9be32570f889217aef",
        "type": "github"
      },
      "original": {
@@ -81,11 +64,11 @@
        "nixpkgs-stable": "nixpkgs-stable"
      },
      "locked": {
-        "lastModified": 1680404136,
+        "lastModified": 1671472949,
-        "narHash": "sha256-06D8HJmRv4DdpEQGblMhx2Vm81SBWM61XBBIx7QQfo0=",
+        "narHash": "sha256-9iHSGpljCX+RypahQssBXPwkru9onfKfceCTeVrMpH4=",
        "owner": "Mic92",
        "repo": "sops-nix",
-        "rev": "b93eb910f768f9788737bfed596a598557e5625d",
+        "rev": "32840f16ffa0856cdf9503a8658f2dd42bf70342",
        "type": "github"
      },
      "original": {
@@ -96,11 +79,11 @@
    },
    "unstable": {
      "locked": {
-        "lastModified": 1680882415,
+        "lastModified": 1671442489,
-        "narHash": "sha256-trt2pwLDu1+kEtp3bx2DiYgg8CFWNbes+ujdAtSBO/U=",
+        "narHash": "sha256-pSCuSrG+XxWCs5IZ90eKIxDIZy4rM22YSFMRZ/fiixc=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "cd07e0258cf73e1bcbd0c9abc5513baa091ee801",
+        "rev": "ff07b107adeda2164b29f8feb4a86ed012854dfb",
        "type": "github"
      },
      "original": {
--- a/flake.nix
+++ b/flake.nix
@@ -8,10 +8,10 @@
    sops-nix.url = "github:Mic92/sops-nix";
    sops-nix.inputs.nixpkgs.follows = "nixpkgs";
-    matrix-next.url = "github:dali99/nixos-matrix-modules";
+    matrix-next.url = "github:dali99/nixos-matrix-modules/flake-experiments";
  };
-  outputs = { self, nixpkgs, matrix-next, unstable, sops-nix, ... }@inputs: 
+  outputs = { self, nixpkgs, unstable, sops-nix, ... }@inputs: 
  let
    systems = [
      "x86_64-linux"
@@ -19,32 +19,28 @@
    ];
    forAllSystems = f: nixpkgs.lib.genAttrs systems (system: f system);
  in {
-    nixosConfigurations = let
+    nixosConfigurations = {
-      nixosConfig = name: config: nixpkgs.lib.nixosSystem (nixpkgs.lib.recursiveUpdate
+      jokum = nixpkgs.lib.nixosSystem {
        config
        rec {
        system = "x86_64-linux";
-          specialArgs = {
+        specialArgs = { inherit inputs; };
            inherit unstable inputs;
            values = import ./values.nix;
          };
        modules = [
-            ./hosts/${name}/configuration.nix
+          ./base.nix
          ./hosts/jokum/configuration.nix
          sops-nix.nixosModules.sops
          inputs.matrix-next.nixosModules.synapse
        ];
      };
      ildkule = nixpkgs.lib.nixosSystem {
        system = "x86_64-linux";
        specialArgs = { inherit inputs; };
        modules = [
          ./base.nix
          ./hosts/ildkule/configuration.nix
          sops-nix.nixosModules.sops
            matrix-next.nixosModules.synapse
        ];
        });
    in {
      bicep = nixosConfig "bicep" { };
      bekkalokk = nixosConfig "bekkalokk" { };
      greddost = nixosConfig "greddost" { };
      ildkule = nixosConfig "ildkule" { };
      jokum = nixosConfig "jokum" {
        modules = [ matrix-next.nixosModules.synapse ];
      };
    };
    devShells = forAllSystems (system: {
      default = nixpkgs.legacyPackages.${system}.callPackage ./shell.nix { };
    });
--- a/hosts/bekkalokk/configuration.nix
+++ b/hosts/bekkalokk/configuration.nix
@@ -1,33 +0,0 @@
 { pkgs, values, ... }:
 {
  imports = [
    ./hardware-configuration.nix
    ../../base.nix
    # TODO: set up authentication for the following:
    # ./services/website.nix
    ./services/nginx.nix
    ./services/gitea.nix
    # ./services/mediawiki.nix
  ];
  sops.defaultSopsFile = ../../secrets/bekkalokk/bekkalokk.yaml;
  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
  sops.age.keyFile = "/var/lib/sops-nix/key.txt";
  sops.age.generateKey = true;
  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;
  networking.hostName = "bekkalokk";
  systemd.network.networks."30-ens33" = values.defaultNetworkConfig // {
    matchConfig.Name = "ens33";
    address = with values.hosts.bekkalokk; [ (ipv4 + "/25") (ipv6 + "/64") ];
  };
  # Do not change, even during upgrades.
  # See https://search.nixos.org/options?show=system.stateVersion
  system.stateVersion = "22.11";
 }
--- a/hosts/bekkalokk/hardware-configuration.nix
+++ b/hosts/bekkalokk/hardware-configuration.nix
@@ -1,37 +0,0 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 { config, lib, pkgs, modulesPath, ... }:
 {
  imports = [ ];
  boot.initrd.availableKernelModules = [ "ata_piix" "mptspi" "uhci_hcd" "ehci_pci" "sd_mod" "sr_mod" ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ ];
  boot.extraModulePackages = [ ];
  fileSystems."/" =
    { device = "/dev/disk/by-uuid/cdcafe3a-01d8-4bdf-9a3d-78705b581090";
      fsType = "ext4";
    };
  fileSystems."/boot" =
    { device = "/dev/disk/by-uuid/1CB4-280D";
      fsType = "vfat";
    };
  swapDevices =
    [ { device = "/dev/disk/by-uuid/3eaace48-91ec-4d46-be86-fd26877d8b86"; }
    ];
  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
  # (the default) this is the recommended approach. When using systemd-networkd it's
  # still possible to use this option, but it's recommended to use it in conjunction
  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
  networking.useDHCP = lib.mkDefault true;
  # networking.interfaces.ens33.useDHCP = lib.mkDefault true;
  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 }
--- a/hosts/bekkalokk/services/gitea.nix
+++ b/hosts/bekkalokk/services/gitea.nix
@@ -1,57 +0,0 @@
 { config, values, pkgs, ... }:
 let
  cfg = config.services.gitea;
 in {
  sops.secrets."gitea/dbpassword" = { };
  services.gitea = {
    enable = true;
    user = "git";
    rootUrl = "https://gitea.pvv.ntnu.no/";
    stateDir = "/data/gitea";
    appName = "PVV Git";
    enableUnixSocket = true;
    database = {
      type = "postgres";
      host = values.hosts.bicep.ipv4;
      port = 5432;
      passwordFile = config.sops.secrets."gitea/dbpassword".path;
      createDatabase = false;
    };
    settings = {
      service.DISABLE_REGISTRATION = true;
      session.COOKIE_SECURE = true;
    };
  };
  services.nginx.virtualHosts = {
    "gitea.pvv.ntnu.no" = {
      forceSSL = true;
      enableACME = true;
      locations."/" = {
        proxyPass = "http://unix:/run/gitea/gitea.sock";
        proxyWebsockets = true;
        recommendedProxySettings = true;
      };
    };
    "git2.pvv.ntnu.no" = {
      globalRedirect = "gitea.pvv.ntnu.no";
    };
  };
  users.users.git = {
    description = "Gitea service";
    home = cfg.stateDir;
    #useDefaultShell = true;
    group = "gitea";
    isSystemUser = true;
    #uid = config.ids.uids.git;
    packages = [ pkgs.gitea ];
  };
 }
--- a/hosts/bekkalokk/services/mediawiki.nix
+++ b/hosts/bekkalokk/services/mediawiki.nix
@@ -1,23 +0,0 @@
 { values, config, ... }:
 {
  sops.secrets = {
    "mediawiki/password" = { };
    "postgres/mediawiki/password" = { };
  };
  services.mediawiki = {
    enable = true;
    name = "PVV";
    passwordFile = config.sops.secrets."mediawiki/password".path;
    virtualHost = {
    };
    database = {
      type = "postgres";
      host = values.bicep.ipv4;
      port = config.services.postgresql.port;
      passwordFile = config.sops.secrets."postgres/mediawiki/password".path;
    };
  };
 }
--- a/hosts/bekkalokk/services/metrics/loki.nix
+++ b/hosts/bekkalokk/services/metrics/loki.nix
@@ -1,4 +0,0 @@
 { ... }:
 {
 }
--- a/hosts/bekkalokk/services/metrics/prometheus.nix
+++ b/hosts/bekkalokk/services/metrics/prometheus.nix
@@ -1,4 +0,0 @@
 { ... }:
 {
 }
--- a/hosts/bekkalokk/services/nginx.nix
+++ b/hosts/bekkalokk/services/nginx.nix
@@ -1,28 +0,0 @@
 { config, ... }:
 {
  security.acme = {
    acceptTerms = true;
    defaults.email = "danio@pvv.ntnu.no";
  };
  services.nginx = {
    enable = true;
    recommendedTlsSettings = true;
    recommendedProxySettings = true;
    recommendedOptimisation = true;
    recommendedGzipSettings = true;
    # virtualHosts = {
    #   "www.pvv.ntnu.no" = {
    #     forceSSL = true;
    #     locations = {
    #       "/pvv" = {
    #         proxyPass = "http://localhost:${config.services.mediawiki.virtualHost.listen.pvv.port}";
    #       };
    #     };
    #   };
    # };
  };
 }
--- a/hosts/bekkalokk/services/website.nix
+++ b/hosts/bekkalokk/services/website.nix
@@ -1,4 +0,0 @@
 { ... }:
 {
 }
--- a/hosts/bicep/configuration.nix
+++ b/hosts/bicep/configuration.nix
@@ -1,35 +0,0 @@
 { pkgs, values, ... }:
 {
  imports = [
    ./hardware-configuration.nix
    ../../base.nix
    ./services/postgres.nix
    ./services/jokum.nix
  ];
  sops.defaultSopsFile = ../../secrets/bicep/bicep.yaml;
  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
  sops.age.keyFile = "/var/lib/sops-nix/key.txt";
  sops.age.generateKey = true;
  boot.loader.grub.enable = true;
  boot.loader.grub.version = 2;
  boot.loader.grub.device = "/dev/disk/by-id/scsi-3600508b1001cb1a8751c137b30610682";
  networking.hostName = "bicep";
  systemd.network.networks."30-enp6s0f0" = values.defaultNetworkConfig // {
    matchConfig.Name = "enp6s0f0";
    address = with values.hosts.bicep; [ (ipv4 + "/25") (ipv6 + "/64") ];
  };
  systemd.network.wait-online = {
    ignoredInterfaces = [ "enp6s0f1" ];
    anyInterface = true;
  };
  # Do not change, even during upgrades.
  # See https://search.nixos.org/options?show=system.stateVersion
  system.stateVersion = "22.11";
 }
--- a/hosts/bicep/hardware-configuration.nix
+++ b/hosts/bicep/hardware-configuration.nix
@@ -1,40 +0,0 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 { config, lib, pkgs, modulesPath, ... }:
 {
  imports =
    [ (modulesPath + "/installer/scan/not-detected.nix")
    ];
  boot.initrd.availableKernelModules = [ "uhci_hcd" "ehci_pci" "hpsa" "ohci_pci" "usbhid" "sd_mod" ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ "kvm-intel" ];
  boot.extraModulePackages = [ ];
  fileSystems."/" =
    { device = "/dev/disk/by-uuid/31a67903-dc00-448a-a24a-36e820318fe5";
      fsType = "ext4";
    };
  fileSystems."/data" =
    { device = "/dev/disk/by-uuid/79e93eed-ad95-45c9-b115-4ef92afcc8c0";
      fsType = "f2fs";
    };
  swapDevices = [ ];
  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
  # (the default) this is the recommended approach. When using systemd-networkd it's
  # still possible to use this option, but it's recommended to use it in conjunction
  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
  networking.useDHCP = lib.mkDefault true;
  # networking.interfaces.enp6s0f0.useDHCP = lib.mkDefault true;
  # networking.interfaces.enp6s0f1.useDHCP = lib.mkDefault true;
  # networking.interfaces.enp6s0f2.useDHCP = lib.mkDefault true;
  # networking.interfaces.enp6s0f3.useDHCP = lib.mkDefault true;
  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 }
--- a/hosts/bicep/services/jokum.nix
+++ b/hosts/bicep/services/jokum.nix
@@ -1,51 +0,0 @@
 {config, lib, pkgs, inputs, values, ...}:
 {
  # lfmao
  containers.jokum = {
    autoStart = true;
    # wtf
    #path = inputs.self.nixosConfigurations.jokum.config.system.build.toplevel;
    interfaces = [ "enp6s0f1" ];
    bindMounts = {
      "/data" = { hostPath = "/data/jokum"; isReadOnly = false; };
    };
    config = {config, pkgs, ...}: let
      inherit values inputs;
    in {
      imports = [
        inputs.sops-nix.nixosModules.sops
        inputs.matrix-next.nixosModules.synapse
        ../../jokum/services/matrix
        ../../jokum/services/nginx
      ];
      _module.args = {
        inherit values inputs;
      };
      sops.defaultSopsFile = ../../../secrets/jokum/jokum.yaml;
      sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
      sops.age.keyFile = "/var/lib/sops-nix/key.txt";
      sops.age.generateKey = true;
      services.openssh = {
        enable = true;
        permitRootLogin = "yes";
      };
      systemd.network.enable = true;
      networking.useHostResolvConf = false;
      systemd.network.networks."30-enp6s0f1" = values.defaultNetworkConfig // {
        matchConfig.Name = "enp6s0f1";
        address = with values.hosts.jokum; [ (ipv4 + "/25") (ipv6 + "/64") ]
          ++ (with values.services.turn; [ (ipv4 + "/25") (ipv6 + "/64") ]);
      };
      system.stateVersion = "21.05";
    };
  };
 }
--- a/hosts/bicep/services/postgres.nix
+++ b/hosts/bicep/services/postgres.nix
@@ -1,75 +0,0 @@
 { pkgs, ... }:
 {
  services.postgresql = {
    enable = true;
    package = pkgs.postgresql_15;
    enableTCPIP = true;
    dataDir = "/data/postgresql";
    authentication = ''
      host all all 129.241.210.128/25 md5
      host all all 2001:700:300:1900::/64 md5
    '';
    # Hilsen https://pgconfigurator.cybertec-postgresql.com/
    settings = {
      # Connectivity
      max_connections = 500;
      superuser_reserved_connections = 3;
      # Memory Settings
      shared_buffers = "2048 MB";
      work_mem = "32 MB";
      maintenance_work_mem = "320 MB";
      effective_cache_size = "6 GB";
      effective_io_concurrency = 100;
      random_page_cost = 1.25;
      # Monitoring
      shared_preload_libraries = "pg_stat_statements";
      track_io_timing = true;
      track_functions = "pl";
      # Replication
      wal_level = "replica";
      max_wal_senders = 0;
      synchronous_commit = false;
      # Checkpointing:
      checkpoint_timeout = "15 min";
      checkpoint_completion_target = 0.9;
      max_wal_size = "1024 MB";
      min_wal_size = "512 MB";
      # WAL writing
      wal_compression = true;
      wal_buffers = -1;
      # Background writer
      bgwriter_delay = "200ms";
      bgwriter_lru_maxpages = 100;
      bgwriter_lru_multiplier = 2.0;
      bgwriter_flush_after = 0;
      # Parallel queries:
      max_worker_processes = 8;
      max_parallel_workers_per_gather = 4;
      max_parallel_maintenance_workers = 4;
      max_parallel_workers = 8;
      parallel_leader_participation = true;
      # Advanced features
      enable_partitionwise_join = true;
      enable_partitionwise_aggregate = true;
      jit = true;
      max_slot_wal_keep_size = "1000 MB";
      track_wal_io_timing = true;
      maintenance_io_concurrency = 100;
      wal_recycle = true;
    };
  };
  networking.firewall.allowedTCPPorts = [ 5432 ];
  networking.firewall.allowedUDPPorts = [ 5432 ];
 }
--- a/hosts/ildkule/configuration.nix
+++ b/hosts/ildkule/configuration.nix
@@ -1,13 +1,11 @@
-{ config, pkgs, values, ... }:
+{ config, pkgs, ... }:
 {
  imports = [
      # Include the results of the hardware scan.
      ./hardware-configuration.nix
      ../../base.nix
      ../../misc/metrics-exporters.nix
-      ./services/nginx
+      ../../base.nix
-      ./services/metrics
+      # Users can just import any configuration they want even for non-user things. Improve the users/default.nix to just load some specific attributes if this isn't wanted
    ];
  sops.defaultSopsFile = ../../secrets/ildkule/ildkule.yaml;
@@ -20,10 +18,26 @@
  networking.hostName = "ildkule"; # Define your hostname.
-  systemd.network.networks."30-ens18" = values.defaultNetworkConfig // {
+  networking.interfaces.ens18.useDHCP = false;
-    matchConfig.Name = "ens18";
+
-    address = with values.hosts.ildkule; [ (ipv4 + "/25") (ipv6 + "/64") ];
+  networking.defaultGateway = "129.241.210.129";
  networking.interfaces.ens18.ipv4 = {
    addresses = [
      {
        address = "129.241.210.187";
        prefixLength = 25;
      }
    ];
  };
  networking.interfaces.ens18.ipv6 = {
    addresses = [
      {
        address = "2001:700:300:1900::187";
        prefixLength = 64;
      }
    ];
  };
  networking.nameservers = [ "129.241.0.200" "129.241.0.201" ];
  # List packages installed in system profile
  environment.systemPackages = with pkgs; [
--- a/hosts/ildkule/hardware-configuration.nix
+++ b/hosts/ildkule/hardware-configuration.nix
@@ -1,37 +0,0 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 { config, lib, pkgs, modulesPath, ... }:
 {
  imports =
    [ (modulesPath + "/profiles/qemu-guest.nix")
    ];
  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "sr_mod" "virtio_blk" ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ ];
  boot.extraModulePackages = [ ];
  fileSystems."/" =
    { device = "/dev/disk/by-uuid/afe70fe4-681a-4675-8cbd-e5d08cdcf5b5";
      fsType = "ext4";
    };
  fileSystems."/boot" =
    { device = "/dev/disk/by-uuid/B71A-E5CD";
      fsType = "vfat";
    };
  swapDevices = [ ];
  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
  # (the default) this is the recommended approach. When using systemd-networkd it's
  # still possible to use this option, but it's recommended to use it in conjunction
  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
  networking.useDHCP = lib.mkDefault true;
  # networking.interfaces.ens18.useDHCP = lib.mkDefault true;
  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 }
--- a/hosts/ildkule/services/metrics/dashboards/go-processes.json
+++ b/hosts/ildkule/services/metrics/dashboards/go-processes.json
--- a/hosts/ildkule/services/metrics/dashboards/node-exporter-full.json
+++ b/hosts/ildkule/services/metrics/dashboards/node-exporter-full.json
--- a/hosts/ildkule/services/metrics/dashboards/postgres.json
+++ b/hosts/ildkule/services/metrics/dashboards/postgres.json
--- a/hosts/ildkule/services/metrics/dashboards/synapse.json
+++ b/hosts/ildkule/services/metrics/dashboards/synapse.json
--- a/hosts/ildkule/services/metrics/default.nix
+++ b/hosts/ildkule/services/metrics/default.nix
@@ -1,9 +0,0 @@
 { config, pkgs, ... }:
 {
  imports = [
    ./prometheus
    ./grafana.nix
    ./loki.nix
  ];
 }
--- a/hosts/ildkule/services/metrics/grafana.nix
+++ b/hosts/ildkule/services/metrics/grafana.nix
@@ -1,98 +0,0 @@
 { config, pkgs, values, ... }: let
  cfg = config.services.grafana;
 in {
  sops.secrets = let
    owner = "grafana";
    group = "grafana";
  in {
    "keys/grafana/secret_key" = { inherit owner group; };
    "keys/grafana/admin_password" = { inherit owner group; };
    "keys/postgres/grafana" = { inherit owner group; };
  };
  services.grafana = {
    enable = true;
    settings = let
      # See https://grafana.com/docs/grafana/latest/setup-grafana/configure-grafana/#file-provider
      secretFile = path: "$__file{${path}}";
    in {
      server = {
        domain = "ildkule.pvv.ntnu.no";
        http_port = 2342;
        http_addr = "127.0.0.1";
      };
      security = {
        secret_key = secretFile config.sops.secrets."keys/grafana/secret_key".path;
        admin_password = secretFile config.sops.secrets."keys/grafana/admin_password".path;
      };
      database = {
        type = "postgres";
        user = "grafana";
        host = "${values.hosts.bicep.ipv4}:5432";
        password = secretFile config.sops.secrets."keys/postgres/grafana".path;
      };
    };
    provision = {
      enable = true;
      datasources.settings.datasources = [
        {
          name = "Ildkule Prometheus";
          type = "prometheus";
          url = ("http://${config.services.prometheus.listenAddress}:${toString config.services.prometheus.port}");
         isDefault = true;
        }
        {
          name = "Ildkule loki";
          type = "loki";
          url = ("http://${config.services.loki.configuration.server.http_listen_address}:${toString config.services.loki.configuration.server.http_listen_port}");
        }
      ];
      dashboards.settings.providers = [
        {
          name = "Node Exporter Full";
          type = "file";
          url = "https://grafana.com/api/dashboards/1860/revisions/29/download";
          options.path = dashboards/node-exporter-full.json;
        }
        {
          name = "Matrix Synapse";
          type = "file";
          url = "https://raw.githubusercontent.com/matrix-org/synapse/develop/contrib/grafana/synapse.json";
          options.path = dashboards/synapse.json;
        }
        {
          name = "Postgresql";
          type = "file";
          url = "https://grafana.com/api/dashboards/9628/revisions/7/download";
          options.path = dashboards/postgres.json;
        }
        {
          name = "Go Processes (gogs)";
          type = "file";
          url = "https://grafana.com/api/dashboards/240/revisions/3/download";
          options.path = dashboards/go-processes.json;
        }
      ];
    };
  };
  services.nginx.virtualHosts.${cfg.settings.server.domain} = {
    enableACME = true;
    forceSSL = true;
    locations = {
      "/" = {
        proxyPass = "http://127.0.0.1:${toString cfg.settings.server.http_port}";
        proxyWebsockets = true;
        extraConfig = ''
          proxy_buffers 8 1024k;
          proxy_buffer_size 1024k;
        '';
      };
    };
  };
 }
--- a/hosts/ildkule/services/metrics/loki.nix
+++ b/hosts/ildkule/services/metrics/loki.nix
@@ -1,86 +0,0 @@
 { config, pkgs, ... }:
 let
  cfg = config.services.loki;
 in {
  services.loki = {
    enable = true;
    configuration = {
      auth_enabled = false;
      server = {
        http_listen_port = 3100;
        http_listen_address = "0.0.0.0";
        grpc_listen_port = 9096;
      };
      ingester = {
        wal = {
          enabled = true;
          dir = "/var/lib/loki/wal";
        };
        lifecycler = {
          address = "127.0.0.1";
          ring = {
            kvstore = {
              store = "inmemory";
            };
            replication_factor = 1;
          };
          final_sleep = "0s";
        };
        chunk_idle_period = "1h";
      };
      schema_config = {
        configs = [
          {
            from = "2022-12-01";
            store = "boltdb-shipper";
            object_store = "filesystem";
            schema = "v11";
            index = {
              prefix = "index_";
              period = "24h";
            };
          }
        ];
      };
      storage_config = {
        boltdb_shipper = {
          active_index_directory = "/var/lib/loki/boltdb-shipper-index";
          cache_location = "/var/lib/loki/boltdb-shipper-cache";
          shared_store = "filesystem";
          cache_ttl = "24h";
        };
        filesystem = {
          directory = "/var/lib/loki/chunks";
        };
      };
      limits_config = {
        enforce_metric_name = false;
        reject_old_samples = true;
        reject_old_samples_max_age = "72h";
      };
      compactor = {
        working_directory = "/var/lib/loki/compactor";
        shared_store = "filesystem";
      };
      # ruler = {
      #   storage = {
      #     type = "local";
      #     local = {
      #       directory = "/var/lib/loki/rules";
      #     };
      #   };
      #   rule_path = "/etc/loki/rules";
      #   alertmanager_url = "http://localhost:9093";
      # };
    };
  };
  networking.firewall.allowedTCPPorts = [ cfg.configuration.server.http_listen_port ];
 }
--- a/hosts/ildkule/services/metrics/prometheus/default.nix
+++ b/hosts/ildkule/services/metrics/prometheus/default.nix
@@ -1,16 +0,0 @@
 { config, ... }: {
  imports = [
    ./node.nix
    ./matrix-synapse.nix
    ./postgres.nix
    ./gogs.nix
  ];
  services.prometheus = {
    enable = true;
    listenAddress = "127.0.0.1";
    port = 9001;
    ruleFiles = [ rules/synapse-v2.rules ];
  };
 }
--- a/hosts/ildkule/services/metrics/prometheus/gogs.nix
+++ b/hosts/ildkule/services/metrics/prometheus/gogs.nix
@@ -1,16 +0,0 @@
 { config, ... }: let
  cfg = config.services.prometheus;
 in {
  services.prometheus.scrapeConfigs = [{
    job_name = "git-gogs";
    scheme = "https";
    metrics_path = "/-/metrics";
    static_configs = [
      {
        targets = [
          "essendrop.pvv.ntnu.no:443"
        ];
      }
    ];
  }];
 }
--- a/hosts/ildkule/services/metrics/prometheus/matrix-synapse.nix
+++ b/hosts/ildkule/services/metrics/prometheus/matrix-synapse.nix
@@ -1,40 +0,0 @@
 { ... }:
 {
  services.prometheus.scrapeConfigs = [{
    job_name = "synapse";
    scrape_interval = "15s";
    scheme = "https";
    http_sd_configs = [{
      url = "https://matrix.pvv.ntnu.no/metrics/config.json";
    }];
    relabel_configs = [
      {
        source_labels = [ "__address__" ];
        regex = "[^/]+(/.*)";
        target_label = "__metrics_path__";
      }
      {
        source_labels = [ "__address__" ];
        regex = "([^/]+)/.*";
        target_label = "instance";
      }
      {
        source_labels = [ "__address__" ];
        regex = "[^/]+\\/+[^/]+/(.*)/\\d+$";
        target_label = "job";
      }
      {
        source_labels = [ "__address__" ];
        regex = "[^/]+\\/+[^/]+/.*/(\\d+)$";
        target_label = "index";
      }
      {
        source_labels = [ "__address__" ];
        regex = "([^/]+)/.*";
        target_label = "__address__";
      }
    ];
  }];
 }
--- a/hosts/ildkule/services/metrics/prometheus/node.nix
+++ b/hosts/ildkule/services/metrics/prometheus/node.nix
@@ -1,22 +0,0 @@
 { config, ... }: let
  cfg = config.services.prometheus;
 in {
  services.prometheus.scrapeConfigs = [{
    job_name = "node";
    static_configs = [
      {
        targets = [
          "ildkule.pvv.ntnu.no:${toString cfg.exporters.node.port}"
          "microbel.pvv.ntnu.no:9100"
          "isvegg.pvv.ntnu.no:9100"
          "knakelibrak.pvv.ntnu.no:9100"
          "hildring.pvv.ntnu.no:9100"
          "bicep.pvv.ntnu.no:9100"
          "jokum.pvv.ntnu.no:9100"
          "essendrop.pvv.ntnu.no:9100"
          "andresbu.pvv.ntnu.no:9100"
        ];
      }
    ];
  }];
 }
--- a/hosts/ildkule/services/metrics/prometheus/postgres.nix
+++ b/hosts/ildkule/services/metrics/prometheus/postgres.nix
@@ -1,51 +0,0 @@
 { pkgs, lib, config, values, ... }: let
  cfg = config.services.prometheus;
 in {
  sops.secrets = {
    "keys/postgres/postgres_exporter_env" = {};
    "keys/postgres/postgres_exporter_knakelibrak_env" = {};
  };
  services.prometheus = {
    scrapeConfigs = [
      {
        job_name = "postgres";
        scrape_interval = "15s";
        static_configs = [{
          targets = [ "localhost:${toString cfg.exporters.postgres.port}" ];
          labels = {
            server = "bicep";
          };
        }];
      }
      {
        job_name = "postgres-knakelibrak";
        scrape_interval = "15s";
        static_configs = [{
          targets = [ "localhost:${toString (cfg.exporters.postgres.port + 1)}" ];
          labels = {
            server = "knakelibrak";
          };
        }];
      }
    ];
    exporters.postgres = {
      enable = true;
      extraFlags = [ "--auto-discover-databases" ];
      environmentFile = config.sops.secrets."keys/postgres/postgres_exporter_env".path;
    };
  };
  systemd.services.prometheus-postgres-exporter-knakelibrak.serviceConfig = let
    localCfg = config.services.prometheus.exporters.postgres; 
  in lib.recursiveUpdate config.systemd.services.prometheus-postgres-exporter.serviceConfig {
      EnvironmentFile = config.sops.secrets."keys/postgres/postgres_exporter_knakelibrak_env".path;
      ExecStart = ''
        ${pkgs.prometheus-postgres-exporter}/bin/postgres_exporter \
          --web.listen-address ${localCfg.listenAddress}:${toString (localCfg.port + 1)} \
          --web.telemetry-path ${localCfg.telemetryPath} \
          ${lib.concatStringsSep " \\\n  " localCfg.extraFlags}
      '';
    };
 }
--- a/hosts/ildkule/services/metrics/prometheus/rules/synapse-v2.rules
+++ b/hosts/ildkule/services/metrics/prometheus/rules/synapse-v2.rules
@@ -1,74 +0,0 @@
 groups:
 - name: synapse
  rules:
  ###
  ### Prometheus Console Only
  ### The following rules are only needed if you use the Prometheus Console
  ### in contrib/prometheus/consoles/synapse.html
  ###
  - record: 'synapse_federation_client_sent'
    labels:
      type: "EDU"
    expr: 'synapse_federation_client_sent_edus_total + 0'
  - record: 'synapse_federation_client_sent'
    labels:
      type: "PDU"
    expr: 'synapse_federation_client_sent_pdu_destinations_count_total + 0'
  - record: 'synapse_federation_client_sent'
    labels:
      type: "Query"
    expr: 'sum(synapse_federation_client_sent_queries) by (job)'
  - record: 'synapse_federation_server_received'
    labels:
      type: "EDU"
    expr: 'synapse_federation_server_received_edus_total + 0'
  - record: 'synapse_federation_server_received'
    labels:
      type: "PDU"
    expr: 'synapse_federation_server_received_pdus_total + 0'
  - record: 'synapse_federation_server_received'
    labels:
      type: "Query"
    expr: 'sum(synapse_federation_server_received_queries) by (job)'
  - record: 'synapse_federation_transaction_queue_pending'
    labels:
      type: "EDU"
    expr: 'synapse_federation_transaction_queue_pending_edus + 0'
  - record: 'synapse_federation_transaction_queue_pending'
    labels:
      type: "PDU"
    expr: 'synapse_federation_transaction_queue_pending_pdus + 0'
  ###
  ### End of 'Prometheus Console Only' rules block
  ###
  ###
  ### Grafana Only
  ### The following rules are only needed if you use the Grafana dashboard
  ### in contrib/grafana/synapse.json
  ###
  - record: synapse_storage_events_persisted_by_source_type
    expr: sum without(type, origin_type, origin_entity) (synapse_storage_events_persisted_events_sep_total{origin_type="remote"})
    labels:
      type: remote
  - record: synapse_storage_events_persisted_by_source_type
    expr: sum without(type, origin_type, origin_entity) (synapse_storage_events_persisted_events_sep_total{origin_entity="*client*",origin_type="local"})
    labels:
      type: local
  - record: synapse_storage_events_persisted_by_source_type
    expr: sum without(type, origin_type, origin_entity) (synapse_storage_events_persisted_events_sep_total{origin_entity!="*client*",origin_type="local"})
    labels:
      type: bridges
  - record: synapse_storage_events_persisted_by_event_type
    expr: sum without(origin_entity, origin_type) (synapse_storage_events_persisted_events_sep_total)
  - record: synapse_storage_events_persisted_by_origin
    expr: sum without(type) (synapse_storage_events_persisted_events_sep_total)
  ###
  ### End of 'Grafana Only' rules block
  ###
--- a/hosts/ildkule/services/nginx/default.nix
+++ b/hosts/ildkule/services/nginx/default.nix
@@ -1,5 +1,7 @@
-{ config, values, ... }:
+{config, ... }:
 {
  security.acme = {
    acceptTerms = true;
    defaults.email = "drift@pvv.ntnu.no";
@@ -8,17 +10,6 @@
  services.nginx = {
    enable = true;
    enableReload = true;
    defaultListenAddresses = [
      values.hosts.ildkule.ipv4
      "[${values.hosts.ildkule.ipv6}]"
      "127.0.0.1"
      "127.0.0.2"
      "[::1]"
    ];
    recommendedProxySettings = true;
    recommendedTlsSettings = true;
    recommendedGzipSettings = true;
--- a/hosts/jokum/configuration.nix
+++ b/hosts/jokum/configuration.nix
@@ -1,31 +1,58 @@
-{ config, pkgs, values, ... }:
+{ config, pkgs, ... }:
 {
  imports = [
-      ../../base.nix
+      # Include the results of the hardware scan.
-#      ../../misc/metrics-exporters.nix
+      ./hardware-configuration.nix
      # Users can just import any configuration they want even for non-user things. Improve the users/default.nix to just load some specific attributes if this isn't wanted
      ../../misc/rust-motd.nix
-#      ./services/matrix
+      ./services/matrix
-#      ./services/nginx
+      ./services/nginx
    ];
-#  sops.defaultSopsFile = ../../secrets/jokum/jokum.yaml;
+  sops.defaultSopsFile = ../../secrets/jokum/jokum.yaml;
-#  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
-#  sops.age.keyFile = "/var/lib/sops-nix/key.txt";
+  sops.age.keyFile = "/var/lib/sops-nix/key.txt";
-#  sops.age.generateKey = true;
+  sops.age.generateKey = true;
-  boot.kernel.enable = false;
+
-  boot.isContainer = true;
+  # Use the GRUB 2 boot loader.
-  boot.loader.initScript.enable = true;
+  boot.loader.grub.enable = true;
-  networking.useHostResolvConf = false;
+  boot.loader.grub.version = 2;
  boot.loader.grub.devices = [ "/dev/sda" ];
  networking.hostName = "jokum"; # Define your hostname.
-  systemd.network.networks."30-enp6s0f1" = values.defaultNetworkConfig // {
+  networking.interfaces.ens18.useDHCP = false;
-    matchConfig.Name = "ens10f1";
+
-    address = with values.hosts.jokum; [ (ipv4 + "/25") (ipv6 + "/64") ]
+  networking.defaultGateway = "129.241.210.129";
-      ++ (with values.services.turn; [ (ipv4 + "/25") (ipv6 + "/64") ]);
+  networking.interfaces.ens18.ipv4 = {
    addresses = [
      {
        address = "129.241.210.169";
        prefixLength = 25;
      }
      {
        address = "129.241.210.213";
        prefixLength = 25;
      }
    ];
  };
  networking.interfaces.ens18.ipv6 = {
    addresses = [
      {
        address = "2001:700:300:1900::169";
        prefixLength = 64;
      }
      {
        address = "2001:700:300:1900::213";
        prefixLength = 64;
      }
    ];
  };
  networking.nameservers = [ "129.241.0.200" "129.241.0.201" ];
  # List packages installed in system profile
  environment.systemPackages = with pkgs; [
@@ -40,4 +67,5 @@
  # Before changing this value read the documentation for this option
  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
  system.stateVersion = "21.05"; # Did you read the comment?
 }
--- a/hosts/jokum/hardware-configuration.nix
+++ b/hosts/jokum/hardware-configuration.nix
@@ -0,0 +1,29 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 { config, lib, pkgs, modulesPath, ... }:
 {
  imports =
    [ (modulesPath + "/profiles/qemu-guest.nix")
    ];
  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ ];
  boot.extraModulePackages = [ ];
  fileSystems."/" =
    { device = "/dev/disk/by-uuid/1a8bf91a-5948-40c2-a9fd-7a33e46fa441";
      fsType = "ext4";
    };
  fileSystems."/data" =
    { device = "/dev/disk/by-uuid/c812e204-b998-4ec5-9f26-29c5808ed6ba";
      fsType = "ext4";
    };
  swapDevices = [ ];
  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 }
--- a/hosts/jokum/services/matrix/default.nix
+++ b/hosts/jokum/services/matrix/default.nix
@@ -7,7 +7,6 @@
    ./synapse-admin.nix
    ./element.nix
    ./coturn.nix
    ./mjolnir.nix
    ./discord.nix
  ];
--- a/hosts/jokum/services/matrix/element.nix
+++ b/hosts/jokum/services/matrix/element.nix
@@ -1,7 +1,6 @@
 { config, lib, pkgs, ... }:
-let
+
-  synapse-cfg = config.services.matrix-synapse-next;
+{
 in {
  services.nginx.virtualHosts."chat.pvv.ntnu.no" = {
    enableACME = true;
    forceSSL = true;
@@ -42,8 +41,7 @@ in {
        ];
        enable_presence_by_hs_url = {
          "https://matrix.org" = false;
-          # "https://matrix.dodsorf.as" = false;
+          "https://matrix.dodsorf.as" = false;
          "${synapse-cfg.settings.public_baseurl}" = synapse-cfg.settings.presence.enabled;
        };
      };
    };
--- a/hosts/jokum/services/matrix/mjolnir.nix
+++ b/hosts/jokum/services/matrix/mjolnir.nix
@@ -1,54 +0,0 @@
 { config, lib, ... }:
 {
  sops.secrets."matrix/mjolnir/access_token" = {
    owner = config.users.users.mjolnir.name;
    group = config.users.users.mjolnir.group;
  };
  services.mjolnir = {
    enable = true;
    pantalaimon.enable = false;
    homeserverUrl = http://127.0.0.1:8008;
    accessTokenFile = config.sops.secrets."matrix/mjolnir/access_token".path;
    managementRoom = "!gsdeCoWjvYRBrzuiRq:pvv.ntnu.no";
    protectedRooms = map (a: "https://matrix.to/#/${a}") [
      "#pvv:pvv.ntnu.no"
      "#stand:pvv.ntnu.no"
      "#music:pvv.ntnu.no"
      "#arts-and-crafts:pvv.ntnu.no"
      "#programming:pvv.ntnu.no"
      "#talks-and-texts:pvv.ntnu.no"
      "#job-offers:pvv.ntnu.no"
      "#vaffling:pvv.ntnu.no"
      "#pvv-fadder:pvv.ntnu.no"
      "#offsite:pvv.ntnu.no"
      "#help:pvv.ntnu.no"
      "#garniske-algoritmer:pvv.ntnu.no"
      "#bouldering:pvv.ntnu.no"
      "#filmclub:pvv.ntnu.no"
      "#video-games:pvv.ntnu.no"
      "#board-games:pvv.ntnu.no"
      "#tabletop-rpgs:pvv.ntnu.no"
      "#anime:pvv.ntnu.no"
      "#general:pvv.ntnu.no"
      "#announcements:pvv.ntnu.no"
      "#memes:pvv.ntnu.no"
      "#drift:pvv.ntnu.no"
      "#notifikasjoner:pvv.ntnu.no"
      "#forespoersler:pvv.ntnu.no"
      "#krisekanalen:pvv.ntnu.no"
      "#styret:pvv.ntnu.no"
    ];
    settings = {
      admin.enableMakeRoomAdminCommand = true;
    };
    # Module wants it even when not using pantalaimon
    # TODO: Fix upstream module in nixpkgs
    pantalaimon.username = "bot_admin";
  };
 }
--- a/hosts/jokum/services/matrix/synapse.nix
+++ b/hosts/jokum/services/matrix/synapse.nix
@@ -1,10 +1,8 @@
-{ config, lib, pkgs, values, inputs, ... }:
+{ config, lib, pkgs, ... }:
 let
  cfg = config.services.matrix-synapse-next;
  matrix-lib = inputs.matrix-next.lib;
  imap0Attrs = with lib; f: set:
    listToAttrs (imap0 (i: attr: nameValuePair attr (f i attr set.${attr})) (attrNames set));
 in {
@@ -18,28 +16,22 @@ in {
    group = config.users.users.matrix-synapse.group;
  };
  sops.secrets."matrix/synapse/user_registration" = {
    owner = config.users.users.matrix-synapse.name;
    group = config.users.users.matrix-synapse.group;
  };
  services.matrix-synapse-next = {
    enable = true;
    dataDir = "/data/synapse";
    workers.federationSenders = 2;
-    workers.federationReceivers = 2;
+    workers.federationReceivers = 1;
    workers.initialSyncers = 1;
    workers.normalSyncers = 1;
-    workers.eventPersisters = 2;
+    workers.eventPersisters = 1;
    workers.useUserDirectoryWorker = true;
    enableNginx = true;
    extraConfigFiles = [
      config.sops.secrets."matrix/synapse/dbconfig".path
      config.sops.secrets."matrix/synapse/user_registration".path
    ];
    settings = {
@@ -50,14 +42,6 @@ in {
      media_store_path =  "${cfg.dataDir}/media";
      presence.enabled = false;
      caches = {
        per_cache_factors = {
          _event_auth_cache = 2.0;
        };
      };
      autocreate_auto_join_rooms = false;
      auto_join_rooms = [
        "#pvv:pvv.ntnu.no" # Main space
@@ -70,7 +54,6 @@ in {
      max_upload_size = "150M";
      enable_metrics = true;
      mau_stats_only = true;
      enable_registration = false;
@@ -189,38 +172,37 @@ in {
  services.nginx.virtualHosts."matrix.pvv.ntnu.no" = lib.mkMerge [({
    locations = let
-      connectionInfo = w: matrix-lib.workerConnectionResource "metrics" w;
+      isListenerType = type: listener: lib.lists.any (r: lib.lists.any (n: n == type) r.names) listener.resources;
-      socketAddress = w: let c = connectionInfo w; in "${c.host}:${toString (c.port)}";
+      isMetricsListener = l: isListenerType "metrics" l;
      firstMetricsListener = w: lib.lists.findFirst isMetricsListener (throw "No metrics endpoint on worker") w.settings.worker_listeners;
      wAddress = w: lib.lists.findFirst (_: true) (throw "No address in receiver") (firstMetricsListener w).bind_addresses;
      wPort = w: (firstMetricsListener w).port;
      socketAddress = w: "${wAddress w}:${toString (wPort w)}";
      metricsPath = w: "/metrics/${w.type}/${toString w.index}";
      proxyPath = w: "http://${socketAddress w}/_synapse/metrics";
-    in lib.mapAttrs' (n: v: lib.nameValuePair
+    in lib.mapAttrs' (n: v: lib.nameValuePair (metricsPath v) ({ proxyPass = proxyPath v; }))
      (metricsPath v) ({
        proxyPass = proxyPath v;
        extraConfig = ''
          allow ${values.hosts.ildkule.ipv4};
          allow ${values.hosts.ildkule.ipv6};
          deny all;
        '';
      }))
      cfg.workers.instances;
  })
  ({
    locations."/metrics/master/1" = {
      proxyPass = "http://127.0.0.1:9000/_synapse/metrics";
      extraConfig = ''
        allow ${values.hosts.ildkule.ipv4};
        allow ${values.hosts.ildkule.ipv6};
        deny all;
      '';
    };
    locations."/metrics/" = let
-      endpoints = lib.pipe cfg.workers.instances [
+      endpoints = builtins.map (x: "matrix.pvv.ntnu.no/metrics/${x}") [
-        (lib.mapAttrsToList (_: v: v))
+        "master/1"
-        (map (w: "${w.type}/${toString w.index}"))
+        "fed-sender/1"
-        (map (w: "matrix.pvv.ntnu.no/metrics/${w}"))
+        "fed-sender/2"
-      ] ++ [ "matrix.pvv.ntnu.no/metrics/master/1" ];
+        "fed-receiver/1"
        "initial-sync/1"
        "normal-sync/1"
        "event-persist/1"
        "user-dir/1"
      ];
    in {
      alias = pkgs.writeTextDir "/config.json"
        (builtins.toJSON [
--- a/hosts/jokum/services/nginx/default.nix
+++ b/hosts/jokum/services/nginx/default.nix
@@ -1,5 +1,7 @@
-{ config, values, ... }:
+{config, ... }:
 {
  security.acme = {
    acceptTerms = true;
    defaults.email = "danio@pvv.ntnu.no";
@@ -8,16 +10,7 @@
  services.nginx = {
    enable = true;
-    enableReload = true;
+    defaultListenAddresses = [ "129.241.210.169" "127.0.0.1" "127.0.0.2" "[2001:700:300:1900::169]" "[::1]" ];
    defaultListenAddresses = [
      values.hosts.jokum.ipv4
      "[${values.hosts.jokum.ipv6}]"
      "127.0.0.1"
      "127.0.0.2"
      "[::1]"
    ];
    recommendedProxySettings = true;
    recommendedTlsSettings = true;
--- a/misc/metrics-exporters.nix
+++ b/misc/metrics-exporters.nix
@@ -1,60 +0,0 @@
 { config, pkgs, values, ... }:
 {
  services.prometheus.exporters.node = {
    enable = true;
    port = 9100;
    enabledCollectors = [ "systemd" ];
  };
  systemd.services.prometheus-node-exporter.serviceConfig = {
    IPAddressDeny = "any";
    IPAddressAllow = [
      "127.0.0.1"
      "::1"
      values.hosts.ildkule.ipv4
      values.hosts.ildkule.ipv6
    ];
  };
  networking.firewall.allowedTCPPorts = [ 9100 ];
  services.promtail = {
    enable = true;
    configuration = {
      server = {
        http_listen_port = 28183;
        grpc_listen_port = 0;
      };
      clients = [
        {
          url = "http://ildkule.pvv.ntnu.no:3100/loki/api/v1/push";
        }
      ];
      scrape_configs = [
        {
          job_name = "systemd-journal";
          journal = {
            max_age = "12h";
            labels = {
              job = "systemd-journal";
              host = config.networking.hostName;
            };
          };
          relabel_configs = [
            {
              source_labels = [ "__journal__systemd_unit" ];
              target_label = "unit";
            }
            {
              source_labels = [ "__journal_priority_keyword" ];
              target_label = "level";
            }
          ];
        }
      ];
    };
  };
 }
--- a/overlays-compat/overlays.nix
+++ b/overlays-compat/overlays.nix
@@ -0,0 +1,8 @@
 self: super:
 with super.lib;
 let
  # Load the system config and get the `nixpkgs.overlays` option
  overlays = (import <nixpkgs/nixos> { }).config.nixpkgs.overlays;
 in
  # Apply all overlays to the input of the current "main" overlay
  foldl' (flip extends) (_: super) overlays self
--- a/secrets/bekkalokk/bekkalokk.yaml
+++ b/secrets/bekkalokk/bekkalokk.yaml
@@ -1,64 +0,0 @@
 gitea:
    dbpassword: ENC[AES256_GCM,data:Tx7bFpHjXev1Q3G5Rdq5/Pg5XVro7hQFyG/FJUsiGeJOezymfk1V84VXPQ==,iv:msn8d2sarb2r+nSy1Qk1IOtkXhKDOXjcUO5dFpln1e4=,tag:Wtm1Q5FzTt1WA+uQjaVQKA==,type:str]
 mediawiki:
    password: ENC[AES256_GCM,data:HsBuA1E7187roGnKuFPfPDYxA16GFjAUucgUtrdUFmcOzmTNiFH+NWY2ZQ==,iv:vDYUmmZftcrkDtJxNYKAJSx9j+AQcmQarC62QRHR4IM=,tag:3TKjNrGRivFWoK3djC748g==,type:str]
 postgres:
    mediawiki: ENC[AES256_GCM,data:JsDjfDrbJHejPDZFn6TyPkDnMIX9Go62ZmRy7P+N1Ncaz5tintspO1YtIA==,iv:7EgzkRf8GP/pIMxxEkI3fzKjxr1sT4vwsqshRtkeYU0=,tag:l3DO/0sicTolInEl2mJNSA==,type:str]
 sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age:
        - recipient: age1mrnldl334l2nszuta6ywvewng0fswv2dz9l5g4qcwe3nj4yxf92qjskdx6
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSYUR4TjA3WU96TzV6R1V5
            TFpPUW1CdnRZck50bzJSb3VnUXFYUDhxM2hJCmI2Q0p3ZVZGS0U4UmNaQ0Z3Vmgv
            MkNyS1hVUWs5UjZ3cTJRU0pWbmFSeEkKLS0tIGlIRGYxTjgzWmVWbXRwTjhHdnRx
            U3JMU1ZUT1ZhT2xSbHRLVXgzODB1NXcKJ2LTJB2oKffW+aZgkEEwp+xhAY0FpnBl
            5GqUdZrgkNOV0pvgVAOoXMyCdZbndYLS+dUzggnF91HJOr87wRH4uw==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age17tagmpwqjk3mdy45rfesrfey6h863x8wfq38wh33tkrlrywxducs0k6tpq
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzUmpzTVdlRlg0OHBFQ2lq
            eDdmOUlxbzcxakFsS2JHK3JqU0tNTC9mOGhRCjNCbFcxWTFzeTkxcHZLQjBpb2c1
            V3VHeGhuTkhNbGlsVVlMallPcTVIK0kKLS0tIHRISitSQXBENVY3ejdYa3pXRmJ1
            TVNBRXQvUmRPdlMreGtzZUNUcnM4aEkKAp/Ofix26q1eeHszIJa4yYF9ycwWodeV
            216hz9YUYb9aZCoJJzGPceb/ER17yvqFHQlhgEb9EiKaH3vbIu+WRQ==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age13t2nnr6yukmtda6wn2uggfcj0dmwce8347y8w6xzt4yje6wlgscqnahuqm
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUVC9Cd01HaWpyUm5mdTh4
            Uk5mSlBLQTlydkpQc0Irakxmalg1WU92U0JjCnhFbDFNaThIVEVNMldiT3BtL2cw
            UU4rNEhvTXkzWXlMWUZGeEdJaTg0WjQKLS0tIEZlWkI3SzFOT1NoQWpIM2poMXE4
            RHN4RDJWWGV2ZDJzVUo1VVorNzhlMGMKCwdWOZOnibpbB5mZSCBGhj+yUZvk/vuK
            hsiDo74vmsmNZ/zmN6cw60hNwhZ4NgtfXcKG8Axe+1rPUwEcrvWHIQ==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2023-04-22T23:00:19Z"
    mac: ENC[AES256_GCM,data:/c9N6/qSzeqjzNq1buR5Z7YLp/H1wDgpnpw5G8CcTJkggzn/mDfvyNg/k/TAJl5CzH/mh20yeHTjOGOiTXubkhJya+WT01g0PVinU3+GxTUZOxkaF0rHTCRzuiSbbrJzhtvMmmgbbYSkaGBZ8+Y3VvC8qnNKzadO+QozqZbLuWY=,iv:FiMABv8OBDRJeI6VsuapFS3qOlDP+TzJE8rrYSV/F7A=,tag:GAv2Pk5U7igVAyhch+ZEeA==,type:str]
    pgp:
        - created_at: "2023-01-28T23:37:44Z"
          enc: |
            -----BEGIN PGP MESSAGE-----
            hQIMA0av/duuklWYAQ//foXRhar7kfr0PbxVjk2uWzGBoXpffjZPCoaM3D8RhIM8
            kod/LMqUUkCvGjBFrmKiN2BCKf3SLDjnZp55J7zQ8x3Go133JdOAB/zZDaT+oxv1
            kGQneeXRqeD51/25nFTq+ZZSzBP8fXJgmlsR/1ZM1/IjKF5m5JzD2duqNKV3fqto
            IwdiqvrkMiCQICmvKxwwtbdP8+29eUbnfdOi9MO8wcXuObwz84mmpgjT30mNCWF8
            Ha7PlcdjpRpYHwUp66+yO4uZ9nOAs7ygzcxKLOMwyaHDv9QJYHtXDUvLv50Jnucw
            KhukMJHTURzeNgUEtTu7kR0WCEBl4IyZ6GUJhc2bX3JEbYi9xZqMHgh+lf1usd1q
            bDPe3xUEKKgAPXeZRzqCQoy/MuIPErMWpqAQePtL3KOafX+vTve0lfPtLKKbne8+
            Tv3eaj3chC255wq6CaJjHO+PI1nt2k29KC6XXxTzkwbRxgT6wVP9uIszeRdREpyX
            +//TCsvnAwd2l3ojzXwIEv3F6/xeYpj7hur59BopDRX3yEUNZhgfDa+l6+BIHoDZ
            TY3ocQrIxH40CF4IxL6dDR8OOut9vlDpfZTora7MLiQbTU1t5huGY0zBH1LpQ4u9
            B/DnBKIuEhZf6eoH5DNHLnzuFYT6Q8QUHfHsM5KOnSEtx2oS2Txd/Ag7dS4FTPPS
            XgEe6r+BP6ItZlDVBHN9EPkgS96xpQ5EIacTxX7qmA0ToGySIyMC3PVJkO8muIIK
            /Lmmp6yaBOQN0kqQ26dTuVOMfMzI8zqnOW03Lm35nGnl3x8mGDH48j4Y05pS85k=
            =t11j
            -----END PGP MESSAGE-----
          fp: F7D37890228A907440E1FD4846B9228E814A2AAC
    unencrypted_suffix: _unencrypted
    version: 3.7.3
--- a/secrets/ildkule/ildkule.yaml
+++ b/secrets/ildkule/ildkule.yaml
@@ -1,21 +1,13 @@
-#ENC[AES256_GCM,data:oyFG9fCzJH8yLB0QY78CVOcYO6Ttp/ARqtIcXwWGYOvL6nW+yLcakrdmVA96sR5toywb32aW,iv:7o3FI0cI6GHCwmQfLYh2iAVr8sELOMoxGSzE5qvuAaI=,tag:z9F1c4dOIiy2FtKpBwm5wg==,type:comment]
+hello: ENC[AES256_GCM,data:MmbRxfMJf9sbqseEeSWnlGI1/4zmAdlb8ZxWCvOttJ3OlYe4Nng46SCtcSDOQA==,iv:KiD5smLGdIbMg62Q+h/9Gz7ROMdOe2CA02na/f081FM=,tag:tjdO1AzwvQWFR+JGuy4PQg==,type:str]
-#ENC[AES256_GCM,data:nhDznFCozGpXdYBfumLyhp7TnA7C/IqBCpHJ,iv:3AZN6iVBha8Qh5/X6Yn/5JWsGhDXlE/zdUh1CcO7fQc=,tag:59DaAyKTOmkKty4eyFWFqw==,type:comment]
+example_key: ENC[AES256_GCM,data:yAaiu+Rpb4377U8YIQ==,iv:OE4cpTlEVNE73y6bc5TGQvAnYU8P2c2hqnMFxzL0PHI=,tag:G7D5TJdEA+F9UwaIFKC0KA==,type:str]
-#ENC[AES256_GCM,data:vQu+AG19Vy94xxwj196G2uk9,iv:YJGBvoMgOngjn/TeuXeoU82daRvJDxvCQMYb3XCPlw0=,tag:fU6ZhhmAh0yh3/QuXbCNkQ==,type:comment]
+#ENC[AES256_GCM,data:sGYwXL05D45kmWboJUPzjg==,iv:4nOP8F7kGGl6HhuV5Jxjol12pc3f6UO+pp+IcgUrjGU=,tag:tIf9ozHCOBeDprjEv98F1Q==,type:comment]
-#ENC[AES256_GCM,data:S1UOENn/ewhw8Pb9CmKp,iv:jafOhkCoiTm5HXQ/S611L4VlQFa1Wqr5WIIRzLQm3i0=,tag:6CQ+Y9E/FxWN8K+D9J7+Fg==,type:comment]
+example_array:
-#ENC[AES256_GCM,data:lHHmoCHyP2Tc3waRGeMPEasQiv5+,iv:W6SSFpeWBfTBOEDo4P9hox39eoAiO40Ay4T3QeiI9Tw=,tag:9bLbcEZ9/B1QolDettwcfg==,type:comment]
+    - ENC[AES256_GCM,data:UQ5w4scNH8E49iQo7gM=,iv:dLT/JlTWvscnYre9g9s3YgznNuvdWDyOFozxW50zdWI=,tag:jqtV8Ebfm4Y4ayIIuYGoeg==,type:str]
-#ENC[AES256_GCM,data:DrF4XHSd8QAWn5h1xEGGpDKMQcLF,iv:nPCBbThQh/Aa+uccKJtmiCXSvoJKHxZMJ42yFkV+hi8=,tag:3l50mMn7cPoCnjPcHv1+Vg==,type:comment]
+    - ENC[AES256_GCM,data:Zfm0FeuICoe4mrSoMRM=,iv:I/IakhKYtIclPQBA8nuAouuGylzCR/RbQLSWNWBQZYs=,tag:V1/WomLShKX0yaXkBQW0rQ==,type:str]
-#ENC[AES256_GCM,data:ADUhFzufaR2xXNOLgiXKu5Cd8Zx3waYeZiLF,iv:WMK2gJwplf6r/EdijrvrOBHgPL57W+UMIQ8dBPp/DBA=,tag:E/q/ccAd7UH3BV7nut6Slg==,type:comment]
+example_number: ENC[AES256_GCM,data:9wZEFB7/jOt11Q==,iv:5RVyKZe3D9BgRDDMsxUsMMKdVA5B3Ekm2G4WWt/1EuY=,tag:MSIbensfrWKU1d/XbcNtvg==,type:float]
-#ENC[AES256_GCM,data:IVFSM6VOWnR0YDRfecsDPlYr,iv:Jxe8pq3lxw5QUGKyspB8tWSquDSMo3mAJBAsQGKxSec=,tag:7bffwY98iTX4/De0coUIxA==,type:comment]
+example_booleans:
-#ENC[AES256_GCM,data:pHSDnojWTLYXIKk=,iv:ph2xCpxbP3OiWm+B/MDboykPa2gtCWpP0b3j96YCDh4=,tag:u5hmvxHaa/m8GaSeYvONmg==,type:comment]
+    - ENC[AES256_GCM,data:LLg+sA==,iv:WQSKdlEaQCjdrsSYz0P+pdRD/pl3QMa01d8XV/EZUzY=,tag:QIH98LcUyPXDvs36XPbyxA==,type:bool]
-#ENC[AES256_GCM,data:Q0fCyyP0DJqUyJPo,iv:qwBE3c2VqF52Yq8POXhy2Qv2xJd82wL1aX4eVY6wL1w=,tag:IwmbD7XqIkemOTODBKpS0g==,type:comment]
+    - ENC[AES256_GCM,data:9ZQqdg==,iv:wWRmZ0nQg76sAKiPfGUX0KG/p41VnTc1wmANv4Wt2+w=,tag:3vmvuMDTZSEeZBpAE2soAA==,type:bool]
 keys:
    grafana:
        secret_key: ENC[AES256_GCM,data:+WoAJbDBEgKs0RoHT+7oEELAVQ+/2Xt+5RTMSXg23moCqVRx+Gzll9P5Drw=,iv:AkRn/Y20iEe5i1T+84wAgLCTFtAox2G3giyawAkltAw=,tag:BZbt5Wb5lYLIJBm/pfP4GQ==,type:str]
        admin_password: ENC[AES256_GCM,data:ttKwfC4WuXeL/6x4,iv:x1X+e3z08CR992GzC62YnFIN7SGrE81/nDNrgcgVzx0=,tag:YajUoy61kYbpeGeC7yNrXQ==,type:str]
    postgres:
        grafana: ENC[AES256_GCM,data:D6qkg98WZYzKYegSNBb31v8o+KHisGmJ+ab5Ut7EMtsJz36kUup5RS4EbtM=,iv:rfE1uH1QycKMTpSq2p1ntQ2BIvptAh2J3l/QcQhiuLo=,tag:QxmGFcekjFRPf6orN86IxQ==,type:str]
        postgres_exporter_env: ENC[AES256_GCM,data:8MEoikoA6tFNm9qZbk0DFWANd7nRs5QSqrsGLoLKPIc1xykJaXTlyP5v8ywVGR8j7bfPs4p6QfpUIWK8CCnfQ1QhsFPXUMksl8p+K+xuMakYZr9OoWigGqvOHpFb9blfBN1FBdRrk38REXWAMUn74KSRI9v+0i5lpC4=,iv:anpjWVUadKfSAm9XbkeAKu+jAk+LxcpVYQ+gUe5szYw=,tag:4tzb/8B/e1uVoqTsQGlcKA==,type:str]
        postgres_exporter_knakelibrak_env: ENC[AES256_GCM,data:xjC7DGXrW2GIJq8XioIZb+jSe/Hzcz0tv9cUHmX/n1nhI+D64lYt+EKnq1+RX/vJzU4sTaKjveKBh88Qqnv6RQm+MZC//dIxcvnnAdl50qnHZyBCaFFEzSNI8I8vGyArMk8Ja72clBq3kMpUz/pLBP0qDrjblKDoWkU=,iv:ZW98hJy8A5t4Oxtu17R3tM7gou183VLbgBsHA8LFuJY=,tag:VMOvQz3X/XDylV1YFg2Jsg==,type:str]
 sops:
    kms: []
    gcp_kms: []
@@ -25,52 +17,23 @@ sops:
        - recipient: age1mrnldl334l2nszuta6ywvewng0fswv2dz9l5g4qcwe3nj4yxf92qjskdx6
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrN3lJM2xWTUZ3UkRBaENI
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDM2RidW9wYUVHWHhFTmM1
-            VmJiWDlQbHd0VUNYdllPdURyQmUvL3lKMzJzCkZlRFVxbmNLOVNqUFg1akJQQlBP
+            c1BIazd5MTRMU3dRNEFyWHIxMzhNL21VNURZCnkzKzNNbXgrcmJtNFZjSHQyWHN1
-            VmdOMUdjZ1M4U2lLVEpGaGI5NjNTR2MKLS0tIDRlQUtucEZhZmRYbmpadVdKK01v
+            aEpjV1dQVmJTb2F5YXJWazMxTmJUYTAKLS0tIDNRUVlTR1p3eEtRYkVMcjlYS3Ir
-            cWxCQlBRR1VaZTBDQnkzNGE0WGttWm8KK5s/coWNsdCP5lKQ8LMK7/3ku179+Lg1
+            bWhUaDA1eTJRTGpEb3FmSTlPTFY4c3cKrrQcomMURB9dqT+aAkWbFMzMqB3AIvEl
-            4ujTVn4LhvXy6JvgGTWS/UbMmJjJebVxkulzf5St3YMMs2mcIYjOtA==
+            t9Fd5puhhto5/SInssCxpH1p4kbqQZWMfDqE+eFFs2whDVuoiM/Tlg==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age17tagmpwqjk3mdy45rfesrfey6h863x8wfq38wh33tkrlrywxducs0k6tpq
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSa25taGsxdlhrUS96cXBi
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHNkllWlY4L251Z29qOEVX
-            cUo3WDVmdEhKN256THJhS2tHSitDRkVraDJNCmhGZzlFUDFkN0JKNkFWUlVLVzcz
+            Vmh2YU5BNVhwbXhDaEpYcXoxY0hCOHhPYXdNCjROQ2piWFQ2MWYwbnF4cFdKS0tv
-            MjFhcDdmcmpxdTA3V3JRREFNVmNUbEEKLS0tIFNSU2xNZzN2Y1ZzR2hFM0dOK0Zy
+            dFUveEsrQVRpT1REQ0hib1pla2R5RkUKLS0tIFJOSXNaZitxbWk1cHNGc1k0Zk9m
-            Tmk4bXd0ZHhPemxDSDREb3IvSjFza1EKsjtC6J3kYGRe8oLAoUZmg1BUmpkMyC98
+            NHU1elF3L2ZRZlVJZTdZU01qNER4a1EK+pvM24FDok4lbbailCspaA1vsZrtsumH
-            uYq+IQmfJt48R/MKDei00j1w3zIK5+E5GU4o8+jILzwfpzYUUZWwiA==
+            c8uHITgStobUmdqsdv9ta8gpar0nZ66N0kztyhW15sJh1vZY8Guxxg==
            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1hn45n46ypyrvypv0mwfnpt9ddrlmw34dwlpf33n8v67jexr3lucq6ahc9x
+    lastmodified: "2022-12-17T20:25:20Z"
-          enc: |
+    mac: ENC[AES256_GCM,data:KKo9xz6vQHKH6tIiU9cTA4ngwbyqeX33QwvJq5dDCJlEDm5CA+akD5Wsqyp+rGuIjiIDi01eRUONA0YRG4DcmmcRWlnmA9hrBfRWJKtV/0gR+yeYCuY95J9twu3pbOODCyMdcLJqB0tLmyqWGHowNk+mIhEw/a+kxZX+kiB8ilY=,iv:3uHmBVnuaTvnNbdtii++8FzFS7SrsO2inTBtzXmhBhU=,tag:OqpHlELdpn6mlUB544HdmA==,type:str]
-            -----BEGIN AGE ENCRYPTED FILE-----
+    pgp: []
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPb09qTTc4cjRMcjIzRmxu
            RzZWTDBNTGdvaEc2VFJPakYvakRMK1RnS1FnCktHRVkwZGlUUXl4UTBRcGxMQzdn
            QVBCYVdlWEw5NW9tNytJTGIzRlpwa0UKLS0tIGdDdUtFMUgyT0phMXBxZE41Y1h4
            a2hQVVprakt5NURpNXdQUjREczJKWTgKn60yrLqco9brlqigAolO8rEkww9z3y3u
            KmefLVZCGfoko+fnKLVE9UKFS/tAowqgPS1qE76u1Mmkk6yqZoG9rg==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2023-01-26T00:16:54Z"
    mac: ENC[AES256_GCM,data:T13TG5fwXgAXUD4I8yIsdUQTA4MKZdEWkpVP1H734YBt5c0J0FJ5Ppxvf1n3hPcC6dcyCJ1NonbmmDBeKn0JUlxTlrK645O33RHLHlsMZGVijYyLyvxCxGo22SfdT2OdPv7tggyat9Cpd9bVLd7YdhPxTYDnZ3eNbIwx+5Fnw48=,iv:bYz6k1f30nlCjOuTRu3F2OE9iQIMd2eBGezXQx901zE=,tag:GHGGNlNg+huP6F3uyrbncQ==,type:str]
    pgp:
        - created_at: "2023-01-21T19:52:08Z"
          enc: |
            -----BEGIN PGP MESSAGE-----
            hQIMA0av/duuklWYAQ//Sw5EHNbC9iPXcHSULYVmSMOQCAH7GSGvaaFvey/KffPD
            5gbFr00vIi1JfjYXmYfn3KKpUfs/mMMo5NzYU2Ou5fWcPsqFLXOwubebuf61X6p7
            7YfLYQMnjgBzkpb972AJl2tWUlcBcOz89tIw3oMi8R5vvXjRjEdDY8Yp+Z2Apj9V
            YJCoSIe6RLBlubMs4I6VIOaTaKIM1DWthg95dozlShXYsEgFTYaJ6FbN9RuZOZPa
            KzFs2DXtbylXXJtiCArQCHnOgA1Jnp80VvMYLO1ldteQhqGdmnxnqwjETx/uqy4l
            QE31LcRf2JFKi0BBJdQfEqBGW9LD4Mjfwi6tWbHq4Mn29u8IT6z5HJIB99JRAV/9
            RfBPzF7UVLq2baWxDwG/M6TvZlVJPdAyhJ5QqhkVdrWir7D1D108u+cgtJWw+vlS
            cP3hT73LWCo2bXUrHXxFnrWdDQQSDpew/x2cTHUNvqdqLZgMJWdZgh+mXOQLjzHP
            xGkjt0ae5/CEnUIse/Qt3SyoKN3rGVKJgoQ4D0AeBFU5z7NEOx7Ebl9t6IgVnJIB
            sDJXg+7jJ8A0V1xGan6BP8dFi7m0aAJH0xi8RB9jC1ZRVNxUjFow3Szh0JQ7u2P5
            4jZ3FT4tWzPzLQsgJUd/H41QyKSd3ke4VMf97mEKULJ7prtXdyxQfRDcE93UgVXS
            XAF0u7pIl+O2RlJtki+UvuwVDszPBRSmGmfiQa4vsYfXahO4fmBjhdl2hdLtz82F
            dh+dPu+RSD9OKwIhUwsDLtWWlI/4BvIB1yXbQxP2MyjZm3uVf1CtgUHyjWw8
            =rri5
            -----END PGP MESSAGE-----
          fp: F7D37890228A907440E1FD4846B9228E814A2AAC
    unencrypted_suffix: _unencrypted
    version: 3.7.3
--- a/secrets/jokum/jokum.yaml
+++ b/secrets/jokum/jokum.yaml
@@ -1,69 +1,57 @@
 matrix:
    synapse:
-        dbconfig: ENC[AES256_GCM,data:R7y+867fwnVXHaknUj9RpBtkEATfUo9AoaNId/ODLkHCJyQP1761pJLqeSkQTZAnzZxqACYorV0P57tEQ5bE0aKLOL7tSClx82x7Tki0MiWME4FgxJC2fQk/vP0Ca2zufnw0s697zkfsnyx/1pjjo69amXc207NXAHCtxXO0ztWp0Q==,iv:BsbOLl/hlQIjOLnik8lZWO3+jhMEZ//fisxLon7HdE0=,tag:6sv6ySztGbxAgn+WV0I5NA==,type:str]
+        dbconfig: ENC[AES256_GCM,data:a0Bq2ilDZM0GddHZS1WcaSY3kdFDbau4BNMu+rumisYZy5/VQOE6LT/gq3vdwH2T7D3r1/cj7YSRcdjq+SRYHiJ9xgb1m3tx+ZlvNrY8PMaYvtmOpMoXyYlJ2iT7/IiMk5UW50cSZEcww7zS8NknZMzjiNEq3+D88J57J6WRmQqj/w==,iv:BsbOLl/hlQIjOLnik8lZWO3+jhMEZ//fisxLon7HdE0=,tag:WqMGflg5+Sh2zx5QFnjy4A==,type:str]
-        turnconfig: ENC[AES256_GCM,data:eyUQID6nHiMH1cm418ItI3DEAjAPoR9NR7DvhfYCTvYM1LyHKVg=,iv:Jz7LEOUwTI8LCMOKqB2vN/0Zs+S0IJkHY3wpAC0q5YI=,tag:4SImxB+5JI8VtsZVy0cYIQ==,type:str]
+        turnconfig: ENC[AES256_GCM,data:lHySrJUpQKAUXsl9LzYlxu4YSCz4qJF6MRLr+LprTEdhGvrnk7U=,iv:Jz7LEOUwTI8LCMOKqB2vN/0Zs+S0IJkHY3wpAC0q5YI=,tag:8KR7duN+Qqpl6B40hSEndw==,type:str]
-        user_registration: ENC[AES256_GCM,data:qWtVuNc0YWetsVVtXt+nlaUPq7QzbsDIb+KV2jgEfLZXU/h+vS0PL+k=,iv:72fvhUo3Bhvxj9A16sTL3teLKA0tGEk7pbgKoooOJSo=,tag:Q5vl2+ZJZqtcmMH+tNqVag==,type:str]
+        signing_key: ENC[AES256_GCM,data:6RDZWsrRKDGTefIeZZ6UVlcoqVV3fdRas/sox4WkEgtouCh7lwwrSzpuM5R1H0cNVxA/8wBsaHG1xQ==,iv:TDfAdYROu7o7FIwn6oOs60surQ7zFy0+9bqhx8LtwXg=,tag:RNzcTYkDuyz6nz2z43CJwQ==,type:str]
        signing_key: ENC[AES256_GCM,data:3EeV+9X9TtqhBL7QyULTS7tNyH7ayhe88B7UtNZ/TMlQSW2E1WtSVEecqs+097A1SmdKoYVr6iz0ew==,iv:TDfAdYROu7o7FIwn6oOs60surQ7zFy0+9bqhx8LtwXg=,tag:8MpNBw5TbDMxXHF9+tmZfQ==,type:str]
    coturn:
-        static-auth-secret: ENC[AES256_GCM,data:bDVbTU3QaanU0fPhQF4Fil4=,iv:MVoFWgqHm88JXaCYa5l57SkX3fSmP97Z7IzvwumHWY8=,tag:ZX121OshXiLC6eRxz2Be0g==,type:str]
+        static-auth-secret: ENC[AES256_GCM,data:tPz4GUvJwB2osO2vwyyThms=,iv:MVoFWgqHm88JXaCYa5l57SkX3fSmP97Z7IzvwumHWY8=,tag:af7Qs4qiSYQ/OBLJbZGk2A==,type:str]
    mjolnir:
        access_token: ENC[AES256_GCM,data:z+BG3nJyUTrJJq0eGNzT3tFatKXffgBzg3E608pqBaPvtJYsnEy4mo1vZig=,iv:VGdnprNYOArhLdY38B1BO/V9YiYGZEy39gnJyh8atgY=,tag:qJ+UryjNPTH0F6ZP5JJlEw==,type:str]
    registrations:
-        mx-puppet-discord: ENC[AES256_GCM,data:nvWSaZ4we8BD50Op/bZMrlMXGBwzvG3IXGPGJe2paCZ10tTm9v4+aYGYhILNhcQM095AD9KdEJ44TAyPxZ/c5iYLqb/LJzEpa5X2jKoiF6r7PjNFGevKQs7fzJk4Y9MxHwZ2KJT+uHjtXF8erJvFDs3S3WgmuAQW1U9b5fYQNc4ZF0tY+BsWU2ehqMejpx7w93TkcIiZY7Uoj4kPMEp8aI6v/7VPIjM9g7b+R5KGZ1/yIpiNCzZuT+x2mxCtqGfbOynWON8PaCIojp7sbLaRWhX2bd4GG2wP3T5MsgwjJzQSfyXjK1Dyxzr8fVmh0R2mJoZHTYNQLLwYncLwqXQEHr6tXNWPTwxPslW+BdLsp/8//m0F04vUf4Z0dbf22NSaPkH9GdRLB3zXh07VxqG+B7OvAjDULHUmA5uwgtZq9h0G73TWDJ8U75eAxrTdsgQgmIsyhpLljFW2QSnOPL/93ieovh5qRgXjgyqrljDOkB+fhC0gdQalPeBM8l5zPI8aaJsVp/l15rx4nUIrFka0g+v+SRhAIPtQAKA=,iv:3gzyGz7T9PK/J92X46YXYT98bpTnx1uPiiwXuls/kOA=,tag:Vm+zNmA53HIb2dP8FIgP6Q==,type:str]
+        mx-puppet-discord: ENC[AES256_GCM,data:jrFvjgWG3qdM8ruIehfBP4WfSUFJHA2SabhVFNuUCWk2HR7Q+2PSGrZ0h9ikFnJhZD5JO0hK5AiYJQ34MWaFEKuOqV1DGOf6VCr3QgeIItvctQyS2DD+R1zt5a32KIJOFMFbH66c/X3POY/ZMsT7UA7BcvqX8uB0Esqa8wRqV4wmzGOmUp2v4uBTihr9O7V61m0t+kSYmMgZnJqmGf7b0/FM/dmTxcp+qXrnRPz9JCNCtYKoVjDUZFNlBKrppDC6GjN1y4cBzzVezlHKCk53x71T2yberFRcK02Ni9RLoH0yqU/1jt2gjaQHal52wF3QxSXKT9rtCGZh2o+9Txpp61LNqBiua/Ija+9ToALlP8ihsFDv7UZ04g5y8u2A5mC1HHB5wU1E94ay0NcYasfdBOwQqpwqunQxjvp1cHHnspUasXXwWoRr7faxkKhBGVoCA5yNsSmp8+4zWjkFendRVZan1UsJsJ8me1nOLji4BKAevh3FzagLjjtANIoNqKr9kGBfDzIOCgPGzBLlhJcMZPwZCV/QNbs583g=,iv:3gzyGz7T9PK/J92X46YXYT98bpTnx1uPiiwXuls/kOA=,tag:O+bfssIhPDSKRCpv0YPxTg==,type:str]
 sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age:
        - recipient: age1gp8ye4g2mmw3may5xg0zsy7mm04glfz3788mmdx9cvcsdxs9hg0s0cc9kt
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXY29wUXJnMURlWk4rUTRh
            alZsb0xSTlI2MFFTb3B4dzhDT2l5M1pLMWg4CkgzT1h0VHBMTTNhRTJRNEZLWWlk
            dyt0aCt0c3NTR1ovS1FIM1VBTW9Ha0kKLS0tIHN0eDNqbzJXQUZFcTFGaFEyME5t
            djJpWDlRNGhGemZXR0tMc0RhYVZpMWcKG/Airf45TgfJ82vPfXxMLtRRLPvZR/Iu
            teoToXtddxFVY675nFy0gfq9P21qHJ7MvTYwVBhQAT/TitTZ/q2u9A==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age17tagmpwqjk3mdy45rfesrfey6h863x8wfq38wh33tkrlrywxducs0k6tpq
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxQnlmMVE1aDRycXNmclk4
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3K29HWS9ZRWxpbzQ3d1V2
-            OWgyQzhDdzJrdlEvL2NzeURoa3hZa3lEMzJJCk11ai90L0ZGd3U2VUhHdm1mQ1VC
+            OEZwYjA5eEE1Z0YrM1o0YnlGbGt3QmQ2YkdBCkpnZHN1TE45dWxqY3lndjBYcWVQ
-            eCt0WjVKVEt0N0tkRHl1QW4vRWdtMG8KLS0tIEVjVER2QXlIbnZXQUNONzlGbnRl
+            cFdoUi9WaVNibndWdTcwTDRiOTBtWXMKLS0tIGNIYkdIZWo4cUlrM094Qi9KTnJa
-            dDZ4RGFqaktTZ05yNjhqUlhqQmpBcncKTSSe5rZhV/+tsgk3xlV7nEphS8qhxucz
+            ZXI1bnZlbmZZQ2dvLys4YllYRG9jNlkKn2UbGP+TOUU5+Q3OQuZTQvr8S5oDX/aN
-            0O1J0U8FEdyfrwF2AOobsf4YIgtTrb20gyXsTdPwIbsQToJ+YqVAgQ==
+            a7iaQn2z/Y5M3tGvFBOiaWZjqtoCHgtZL56LKAaF60yLeUIPnKylbg==
            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1mrnldl334l2nszuta6ywvewng0fswv2dz9l5g4qcwe3nj4yxf92qjskdx6
+        - recipient: age1n4vc3dhv8puqz6ntwrkkpdfj0q002hexqee48wzahll8cmce2ezssrq608
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxeDVwdHEvUk1JTW9FSkx2
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBISzh3QmlzempEMDNsaTQy
-            VmlxejM0ZkJmZ3JkemQ2cnkvenY2ZmRJRFZzCmFHbUJzZ0VjYWZuelZHei9SWUo2
+            bGxFZlNLdURhY0NzcjhjdlgzZlFxV0R6cURnCnhqRUlpcFNPUWd0YmF6TjYvK0t4
-            bjhPSUNrRW5JTWhVWnRzOU9sY25BMlEKLS0tIDF3M3ZFei9qczdDaGVsV0hrTWVU
+            UDVlcFFTbDByTkRZTW9ITC9yVVlzYUkKLS0tIGtkWHF4enhrK004RG00NUt5ZlND
-            NktTc2Y4ZDV4VGlza1FVdXBQUUVPZUkKYs9b4a+yAzI5kpv0X5/Ogg8sH0zdTim7
+            TFBiblFGNkdHZkk1L2RXdkpHSGQ1U2cK/mBTDDHOWSGZRflIsxOyDWShQH2EILJr
-            fXnkXZfAJ9oL/0qjVzFZA3j5aQX0xKMffSE/SFcQxUY2sISnwh1Tfw==
+            jCrLGbIaGgphIgLCHVmMV8QLRPK+8f9t8KZg7sczRViuDwZsAx5vPA==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-02-13T00:12:03Z"
+    lastmodified: "2022-12-09T05:16:09Z"
-    mac: ENC[AES256_GCM,data:FolV94dIwYSL5r1ZHTPdmqMKVTAhrnePG+5M4S1H/wBYbED3sr6oPPmmxwiwm5E4K0YR1+ou4yR/vGTV3lfRdxIGWhfAT0WW8WGTZVIlcJCEk5H7Rels6rkma12BCjZ1zOGjZZCcFTm+4NI2KNv+zTc29zry4539jkkxk+8Skog=,iv:KBxSFVaFI3S5J9xG2Lc7FINUI8TRKxPtrbP3f2wXkHo=,tag:TWAtix03ZnB71+O7cF8b4A==,type:str]
+    mac: ENC[AES256_GCM,data:MSKUQkCDCEOcl9Eh2VH9ccZ3Ux0eIyJFyjFVaJZ5WQA4fIB1J6Y/EoK/q7iaLFIH8YkeVPIvXVu9eCXjIyQkSugJwQXk+gSFtssjegUBTcZkRJJ0Lo48IWO4yVFXnDYzyFjcgH4TBmL0uco3BkWHfLHR46fQUJIco9yYlVKtsFU=,iv:d3uWCTVV8o1Nx6WJCF/YQHOeGjTzJk6xaDxMTWeUINU=,tag:KOi1naN2Uhe0NcMl6oW/6A==,type:str]
    pgp:
-        - created_at: "2023-03-26T11:12:37Z"
+        - created_at: "2022-12-17T23:05:08Z"
          enc: |
            -----BEGIN PGP MESSAGE-----
-            hQIMA0av/duuklWYAQ/9GHLOAfLgTqVmfJACvt9xMqlzfrXyiACTJg+J5BD8hEtn
+            hQIMA0av/duuklWYARAAvQ3TCvGiu75Swvd9hyY8rw2TeXiKPbHESzXFSZdR3+wk
-            oe2clo/fO9u6df42hk/szQTQH4rJULdxvUNiBzYS0XbWCa+iWzpiOPN+bQZKoV3X
+            XkaRTPuxMot5IUmUhC4EWxzUrKKyPsfw685FpojHDUeOWzaAcnbTT3NVg+VoSIAl
-            U4sFrHMT0ledUg62rlTbOmqpvLivoP6//DEqHAWl2weUvpplBRFzTFwICo+2+Jjo
+            pDnt7BUZ/23Hd0tYt+VJuX8S4Iqny6xnhzWTaFNrLFhPGvIN3XbDqEsWRLQk9s46
-            18dzdYyBa5sxJ/KZKUoNsxRaCFgXs5L6qTuqzmZpnhnH1pKNW3D6e6Hfb0BmebUy
+            rMht6DJkz8itsFTJrwmg52oXP0mIlZkaGFvWBNZlLf/0PiEET4sjZ3cn4rRGRNhf
-            wt5NgxWJ/4dHFK84i93E1vxPbSusvQ++6JCSWgZtOwZJehnz5AeHgdDBzcHeJY8O
+            Zk7u7ZgrBFRib0OO/edN6zFh9+/zbculXucqlnvccm6BQluHj2Z66++cyyzEL2xY
-            Idq+QrvRsqjisDNvd7blmBleup1Ai0l/CzEtTEYd/h/QipaT1rVaPOP4H/lnHZmO
+            eU+8sBNWWKHPusPhKNWZsUGQ30fM7Ctdri5PWOzglJ0Ah+lAFgmbqdcSHjAuF9f7
-            f0HWGxhPCDfiuLK43DBExrj1QUq4LVUZf145fRGMWZfHtlzHM+4dY+/ijyUi7pFY
+            9YVA5G4b7B1vT0dCv3MZ3419Gqa9Vimi1xUw+9SbZjACpMraovUKshTsKN/9rBzY
-            cenrE3/Iz8gaUWqRdaYqK/O/vrHq/siUS8IiWY53ALUF+DlBMuRrtc76T/fkSKbR
+            YkojmBdaneMoFGvo+aj5vMxG8CJbPV3Oiq1+G0E/fj53W1Qi8boeqcLxw5IbJIbq
-            LuO7MnOnNyBy5HT+MQii1Tat7ODtPXlky+N5leVQQVAUMHrI6ETWAQlctBjDZXyT
+            27hQYm2L1gNBg84cEJfzjtxqPkP4IMb5DOZYo8hNVbXCP4AYjgyecw4tkSnbRkB9
-            UzXh8WVT+pijxNYDqUVMJ4d43AuHKayf2m0PftOZv+Q8n5ZqwUoQN6WbpsLvDFTU
+            GaRYSx2b1HMOxrDnzRUx8cX26a/eNlLhictPUy10Dvcs/xfWzGytL/3AtiAeaIY9
-            4XweZaChhoq4K68o6vpOb5b7x+vlisiL2j+kYAgMjlWk1vkDY/GsHY8USi0Rj17S
+            4G6rWuUv6XqYMM20bMc+HnKaFpYq2Y98DuLCqddrek8UaMX2b1p1Kw1ebC1i56fS
-            XAGAULPvLDP+ohieT6dP2xLvzu4ghrySCTF6LjQ9sN2gHWfcV2FVw+anA3mxOLGK
+            XgFIdcQDWiMi8rsWjAoFE7CDe/FvyCNSE88pvwhH2/BQjowUeMLqqqCHbrEj8sgo
-            P4hOgPPfiP/0O9H0KSHq0gXjhBkackFVAOPixvSAJdvkooVW+PisHjl59Jd6
+            icW/6tsXZ5ShJ5bi56Hal5FsAdR6sXTTdm8nYSFdmIfSHUz+auZ41WkLJYXpuFU=
-            =exZj
+            =EVJD
            -----END PGP MESSAGE-----
          fp: F7D37890228A907440E1FD4846B9228E814A2AAC
    unencrypted_suffix: _unencrypted
--- a/users/felixalb.nix
+++ b/users/felixalb.nix
@@ -4,8 +4,5 @@
    isNormalUser = true;
    extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
    shell = pkgs.zsh;
    openssh.authorizedKeys.keys = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDKzPICGew7uN0cmvRmbwkwTCodTBUgEhkoftQnZuO4Q felixalbrigtsen@gmail.com"
    ];
  };
 }
--- a/users/oysteikt.nix
+++ b/users/oysteikt.nix
@@ -1,23 +1,9 @@
 {pkgs, ...}:
 {
  users.users.oysteikt = {
    isNormalUser = true;
-    extraGroups = [
+    #extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
      "wheel"
      "drift"
    ];
    shell = pkgs.zsh;
    packages = with pkgs; [
      bottom
      exa
      neovim
      ripgrep
      tmux
    ];
    openssh.authorizedKeys.keys = [
      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC0aYHsiqfLCA0prSmEi6hZeQPCGxZYR7gp+3U99POUWJyycSVqXMhgVZHT8VEYGf+EZ/y5nL1bvna7ChBwQBzInB2mRW+TCLL3h1w9t/27vTHe3wV+fowTooD/paOErmWFO4yDBEJ3cYFMXowAd3GfvsBSFGPSsvSxghSzWj+kfhIFkXD02LZxn/hBQyCT6irp3Hwx1cBu8ic/l2ln64SLARuEmj4ITaafNC5wD2Gr5Jf3q+T9QtJeFPXSpJD7MtVMJ1VpgpfGBvlEYKggiQjxgu2BXHv1w3KIfyltTwhrcqHvttaJSuR5TreAgQ5+dZHmMr6XX8rFG+HEa8gND6NjGjHrJBxp53qgPtLAmBddvf8xQMYiq6+XST16nlRaAsjU3yr3VqCt7XhJiS2IV8JiIV3dok8nxzDX9sjdZeGchdnAnU6lcxDgnBvAcJRaWHwMCG8Ty9sJ4otgjr5A1GxRBndJIIuKzjpdtsrCAHg/K2zqFoKPJxN/K9zDWKNy0aEy2Akl3LgHF2QIuG5pUOmbyvbF8AoTudaz6Zu6JpVwOb9T9avFJBH4RHQ3mK0faBkrEmnkAg6JnDDMIt0XLALl88rI4kbdkVvJ2kaodvq799TCCw1PwMidgWX63LemWVBx+CL9ebXrsOkOthhMhkeaFXY9Am3Ee7rfD1tq3PGU1w== h7x4"
    ];
  };
 }
--- a/values.nix
+++ b/values.nix
@@ -1,46 +0,0 @@
 # Feel free to change the structure of this file
 let
  pvv-ipv4 = suffix: "129.241.210.${toString suffix}";
  pvv-ipv6 = suffix: "2001:700:300:1900::${toString suffix}";
 in rec {
  services = {
    matrix = {
      ipv4 = hosts.jokum.ipv4;
      ipv6 = hosts.jokum.ipv6;
    };
    # Also on jokum
    turn = {
      ipv4 = pvv-ipv4 213;
      ipv6 = pvv-ipv6 213;
    };
  };
  hosts = {
    gateway = pvv-ipv4 129;
    bekkalokk = {
      ipv4 = pvv-ipv4 168;
      ipv6 = pvv-ipv6 168;
    };
    jokum = {
      ipv4 = pvv-ipv4 169;
      ipv6 = pvv-ipv6 169; 
    };
    ildkule = {
      ipv4 = pvv-ipv4 187;
      ipv6 = pvv-ipv6 "1:187";
    };
    bicep = {
      ipv4 = pvv-ipv4 209;
      ipv6 = pvv-ipv6 209;
    };
  };
  defaultNetworkConfig = {
    networkConfig.IPv6AcceptRA = "no";
    gateway = [ hosts.gateway ];
    dns = [ "129.241.0.200" "129.241.0.201" ];
    domains = [ "pvv.ntnu.no" "pvv.org" ];
    DHCP = "no";
  };
 }