WIP: modules/debug-locations

base: add sops keys for everyone and everything
Merge pull request 'bekkalokk: set up idp + mediawiki' (#25 ) from mediawiki-on-bekkalokk into main
2024-04-02 19:44:53 +02:00 · 2024-04-02 00:03:23 +02:00 · 2024-04-02 00:00:24 +02:00 · 2024-04-01 23:57:39 +02:00 · 2024-04-01 23:57:39 +02:00 · 2024-04-01 23:57:39 +02:00
119 changed files with 53032 additions and 872 deletions
--- a/.gitea/workflows/eval.yml
+++ b/.gitea/workflows/eval.yml
@@ -0,0 +1,13 @@
 name: "Eval nix flake"
 on:
  pull_request:
  push:
 jobs:
  evals:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v3
    - run: apt-get update && apt-get -y install sudo
    - uses: https://github.com/cachix/install-nix-action@v23
    - run: echo -e "show-trace = true\nmax-jobs = auto\ntrusted-users = root\nexperimental-features = nix-command flakes\nbuild-users-group =" > /etc/nix/nix.conf
    - run: nix flake check
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -1,31 +1,66 @@
 keys:
  # Users
  - &user_danio age17tagmpwqjk3mdy45rfesrfey6h863x8wfq38wh33tkrlrywxducs0k6tpq
  - &user_felixalb age1mrnldl334l2nszuta6ywvewng0fswv2dz9l5g4qcwe3nj4yxf92qjskdx6
  - &user_oysteikt F7D37890228A907440E1FD4846B9228E814A2AAC
-  - &host_jokum age1n4vc3dhv8puqz6ntwrkkpdfj0q002hexqee48wzahll8cmce2ezssrq608
+  - &user_eirikwit age1ju7rd26llahz3g8tz7cy5ld52swj8gsmg0flrmrxngc0nj0avq3ssh0sn5
  # Hosts
  - &host_jokum age1gp8ye4g2mmw3may5xg0zsy7mm04glfz3788mmdx9cvcsdxs9hg0s0cc9kt
  - &host_ildkule age1hn45n46ypyrvypv0mwfnpt9ddrlmw34dwlpf33n8v67jexr3lucq6ahc9x
  - &host_bekkalokk age12nj59tguy9wg882updc2vjdusx5srnxmjyfaqve4zx6jnnsaw3qsyjq6zd
  - &host_bicep age1sl43gc9cw939z5tgha2lpwf0xxxgcnlw7w4xem4sqgmt2pt264vq0dmwx2
 creation_rules:
  # Global secrets
  - path_regex: secrets/[^/]+\.yaml$
    key_groups:
    - age:
      - *user_danio
      - *host_jokum
      - *host_ildkule
      - *host_bekkalokk
      - *host_bicep
      - *user_danio
      - *user_felixalb
      - *user_eirikwit
      pgp:
      - *user_oysteikt
  # Host specific secrets
-  ## Jokum
+  
  - path_regex: secrets/bekkalokk/[^/]+\.yaml$
    key_groups:
    - age:
      - *host_bekkalokk
      - *user_danio
      - *user_felixalb
      pgp:
      - *user_oysteikt
  - path_regex: secrets/jokum/[^/]+\.yaml$
    key_groups:
    - age:
      - *user_danio
      - *host_jokum
      - *user_danio
      - *user_felixalb
      pgp:
      - *user_oysteikt
  - path_regex: secrets/ildkule/[^/]+\.yaml$
    key_groups:
    - age:
-      - *user_felixalb
+      - *host_ildkule
      - *user_danio
      - *user_felixalb
      pgp:
      - *user_oysteikt
  - path_regex: secrets/bicep/[^/]+\.yaml$
    key_groups:
    - age:
      - *host_bicep
      - *user_danio
      - *user_felixalb
      pgp:
      - *user_oysteikt
--- a/README.MD
+++ b/README.MD
@@ -4,9 +4,19 @@
 Før du endrer på ting husk å ikke putte ting som skal være hemmelig uten å først lese seksjonen for hemmeligheter!
-Etter å ha klonet prosjektet ned og gjort endringer kan du bygge med:
+Etter å ha klonet prosjektet ned og gjort endringer kan du evaluere configene med:
-`nix build .#nixosConfigurations.jokum.config.system.build.toplevel`
+`nix flake check --keep-going`
 før du bygger en maskin med:
 `nix build .#<maskinnavn>`
 hvis du vil være ekstra sikker på at alt bygger så kan du kjøre:
 `nix build .` for å bygge alle de viktige maskinene.
 NB: Dette kan ta opp til 30 minutter avhengig av hva som ligger i caches
 Husk å hvertfall stage nye filer om du har laget dem!
@@ -16,7 +26,7 @@ Det er sikkert lurt å lage en PR først om du ikke er vandt til nix enda.
 Innen 24h skal alle systemene hente ned den nye konfigurasjonen og deploye den.
 Du kan tvinge en maskin til å oppdatere seg før dette ved å kjøre:
-`nixos-rebuild switch --flake "git+https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git"`
+`nixos-rebuild switch --update-input nixpkgs --update-input nixpkgs-unstable --no-write-lock-file --refresh --flake git+https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git --upgrade`
 som root på maskinen.
@@ -37,3 +47,11 @@ for å få tilgang til å lese/skrive hemmeligheter må du spørre noen/noe som
 om å legge til age eller pgp nøkkelen din i [`.sops.yaml`](https://git.pvv.ntnu.no/Drift/pvv-nixos-config/src/main/.sops.yaml)
 Denne kan du generere fra ssh-nøkkelene dine eller lage en egen nøkkel.
 ### Legge til flere keys
 Gjør det som gir mening i .sops.yml
 Etter det kjør `sops updatekeys secrets/host/file.yml`
 MERK at det ikke er `sops -r` som BARE roterer nøkklene for de som allerede er i secretfila
--- a/assets/logo_blue_regular.png
+++ b/assets/logo_blue_regular.png
--- a/assets/logo_blue_regular.svg
+++ b/assets/logo_blue_regular.svg
@@ -0,0 +1,172 @@
 <?xml version="1.0" encoding="UTF-8" standalone="no"?>
 <!-- Created with Inkscape (http://www.inkscape.org/) -->
 <svg
   width="200mm"
   height="200mm"
   viewBox="0 0 200 200"
   version="1.1"
   id="svg5"
   inkscape:version="1.1.2 (b8e25be833, 2022-02-05)"
   sodipodi:docname="logo_blue_thicc.svg"
   xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
   xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
   xmlns="http://www.w3.org/2000/svg"
   xmlns:svg="http://www.w3.org/2000/svg">
  <sodipodi:namedview
     id="namedview7"
     pagecolor="#505050"
     bordercolor="#ffffff"
     borderopacity="1"
     inkscape:pageshadow="0"
     inkscape:pageopacity="0"
     inkscape:pagecheckerboard="1"
     inkscape:document-units="mm"
     showgrid="false"
     inkscape:zoom="3.9730533"
     inkscape:cx="359.54715"
     inkscape:cy="690.40101"
     inkscape:window-width="1920"
     inkscape:window-height="1057"
     inkscape:window-x="-8"
     inkscape:window-y="-8"
     inkscape:window-maximized="1"
     inkscape:current-layer="Layer_4"
     width="200mm" />
  <defs
     id="defs2" />
  <g
     inkscape:label="Layer 1"
     inkscape:groupmode="layer"
     id="layer1">
    <g
       id="g98"
       transform="scale(0.25)">
      <g
         id="Layer_2"
         style="fill:#283681;fill-opacity:1">
        <rect
           y="0"
           class="st0"
           width="800"
           height="800"
           id="rect4"
           x="0"
           style="fill:#283681;fill-opacity:1"
           inkscape:export-filename="C:\Users\al3xk\OneDrive - NTNU\PVV\Gogs\PR\logoer\logo_blue.png"
           inkscape:export-xdpi="480"
           inkscape:export-ydpi="480" />
      </g>
      <g
         id="Layer_4"
         style="fill:#283681;fill-opacity:0;stroke:#ffffff;stroke-width:4.2;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1">
        <line
           class="st1"
           x1="478.39999"
           y1="720.29999"
           x2="313.20001"
           y2="720.29999"
           id="line9"
           style="fill:#283681;fill-opacity:0;stroke:#ffffff;stroke-width:4.2;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" />
        <path
           class="st1"
           d="M 478.4,720.3"
           id="path11"
           style="fill:#283681;fill-opacity:0;stroke:#ffffff;stroke-width:4.2;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" />
        <polyline
           class="st2"
           points="717.1,223.3 717.1,720.3 497.3,720.3  "
           id="polyline13"
           style="fill:#283681;fill-opacity:0;stroke:#ffffff;stroke-width:4.2;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" />
        <path
           class="st2"
           d="m 498.39888,720.3 c 0,-5.6 -4.5,-10.1 -10.1,-10.1 -5.6,0 -10.1,4.5 -10.1,10.1 h -163.8 c 0,-5.6 -4.5,-10.1 -10.1,-10.1 -5.6,0 -10.1,4.5 -10.1,10.1 -69.7592,0 -145.68417,0 -217.599996,0 V 79.7 H 717.09888 v 120 0 h -17.3 v 24.8 h 17.3"
           id="path15"
           style="fill:#283681;fill-opacity:0;stroke:#ffffff;stroke-width:4.2;stroke-linecap:square;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
           sodipodi:nodetypes="csccsccccccccc" />
      </g>
      <g
         id="Layer_3"
         style="fill:#283681;fill-opacity:0;stroke:#ffffff;stroke-width:4.2;stroke-miterlimit:10;stroke-dasharray:none;stroke-opacity:1">
        <circle
           class="st2"
           cx="396.79999"
           cy="400"
           id="circle18"
           style="fill:#283681;fill-opacity:0;stroke:#ffffff;stroke-width:4.2;stroke-miterlimit:10;stroke-dasharray:none;stroke-opacity:1"
           r="320.29999" />
      </g>
      <g
         id="Layer_1"
         style="fill:#283681;fill-opacity:0;stroke:#ffffff;stroke-width:4.2;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1">
        <polyline
           class="st2"
           points="514.5,173.5 170.2,173.5 170.3,626.6 623.3,626.5 623.3,215.7 584.4,173.4 557,173.4 548,180.6    526.5,180.7  "
           id="polyline21"
           style="fill:#283681;fill-opacity:0;stroke:#ffffff;stroke-width:4.2;stroke-linejoin:bevel;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" />
        <path
           class="st2"
           d="m 526.5,331.8 c 0,7.6 -5.4,13.7 -12,13.7 H 227.7 c -6.6,0 -12,-6.1 -12,-13.7 V 187.2 c 0,-7.6 5.4,-13.7 12,-13.7 h 286.8 c 6.6,0 12,6.1 12,13.7 z"
           id="path27"
           style="fill:#283681;fill-opacity:0;stroke:#ffffff;stroke-width:4.2;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" />
        <path
           class="st2"
           d="m 526.7,333.6 c 0,6.6 -5.4,12 -12,12 H 296.8 c -6.6,0 -12,-5.4 -12,-12 V 185.5 c 0,-6.6 5.4,-12 12,-12 h 217.9 c 6.6,0 12,5.4 12,12 z"
           id="path29"
           style="fill:#283681;fill-opacity:0;stroke:#ffffff;stroke-width:4.2;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" />
        <path
           class="st2"
           d="m 577.9,613.7 c 0,6.6 -5.4,12 -12,12 H 227.7 c -6.6,0 -12,-5.4 -12,-12 V 381.1 c 0,-6.6 5.4,-12 12,-12 h 338.2 c 6.6,0 12,5.4 12,12 z"
           id="path31"
           style="fill:#283681;fill-opacity:0;stroke:#ffffff;stroke-width:4.2;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" />
        <rect
           x="179.89999"
           y="590.20001"
           class="st2"
           width="25.700001"
           height="23"
           id="rect33"
           style="fill:#283681;fill-opacity:0;stroke:#ffffff;stroke-width:4.2;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" />
        <rect
           x="587.59998"
           y="590.20001"
           class="st2"
           width="25.700001"
           height="23"
           id="rect35"
           style="fill:#283681;fill-opacity:0;stroke:#ffffff;stroke-width:4.2;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" />
        <rect
           x="433.60001"
           y="193.5"
           class="st2"
           width="64.900002"
           height="137.8"
           id="rect37"
           style="fill:#283681;fill-opacity:0;stroke:#ffffff;stroke-width:4.2;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" />
      </g>
      <path
         d="m 274.9401,541.572 c 0,3.528 2.772,6.426 6.3,6.426 3.528,0 6.426,-2.898 6.426,-6.426 v -30.996 h 30.87 c 10.458,0 19.152,-8.694 19.152,-19.152 v -22.68 c 0,-10.332 -8.694,-19.026 -19.152,-19.026 h -43.596 z m 12.726,-43.722 v -35.406 h 30.87 c 3.276,0 6.426,2.898 6.426,6.3 v 22.68 c 0,3.528 -3.024,6.426 -6.426,6.426 z"
         style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:126px;font-family:OCRA;-inkscape-font-specification:OCRA;fill:#ffffff;stroke:#ffffff;stroke-width:4.2;stroke-miterlimit:10;stroke-dasharray:none;stroke-opacity:1"
         id="path55-2" />
      <path
         d="m 365.99479,478.824 25.326,65.142 c 1.008,2.394 3.276,4.032 6.048,4.032 2.646,0 4.914,-1.638 5.922,-4.032 l 25.452,-65.268 v -22.68 c 0,-3.402 -2.898,-6.3 -6.426,-6.3 -3.528,0 -6.3,2.898 -6.3,6.3 v 20.286 l -18.648,47.628 -18.648,-47.628 v -20.286 c 0,-3.402 -2.898,-6.3 -6.426,-6.3 -3.528,0 -6.3,2.898 -6.3,6.3 z"
         style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:126px;font-family:OCRA;-inkscape-font-specification:OCRA;fill:#ffffff;stroke:#ffffff;stroke-width:4.2;stroke-miterlimit:10;stroke-dasharray:none;stroke-opacity:1"
         id="path57-8" />
      <path
         d="m 457.04947,478.824 25.326,65.142 c 1.008,2.394 3.276,4.032 6.048,4.032 2.646,0 4.914,-1.638 5.922,-4.032 l 25.452,-65.268 v -22.68 c 0,-3.402 -2.898,-6.3 -6.426,-6.3 -3.528,0 -6.3,2.898 -6.3,6.3 v 20.286 l -18.648,47.628 -18.648,-47.628 v -20.286 c 0,-3.402 -2.898,-6.3 -6.426,-6.3 -3.528,0 -6.3,2.898 -6.3,6.3 z"
         style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:126px;font-family:OCRA;-inkscape-font-specification:OCRA;fill:#ffffff;stroke:#ffffff;stroke-width:4.2;stroke-miterlimit:10;stroke-dasharray:none;stroke-opacity:1"
         id="path59-1" />
    </g>
  </g>
  <style
     type="text/css"
     id="style2">
 	.st0{fill:#ffffff;}
 	.st1{fill:none;stroke:#ffffff;stroke-width:2;stroke-miterlimit:10;}
 	.st2{fill:none;stroke:#000000;stroke-width:2;stroke-miterlimit:10;}
 	.st3{fill:none;}
 	.st4{stroke:#000000;stroke-miterlimit:10;}
 	.st5{font-family:'OCRAStd';}
 	.st6{font-size:126px;}
 </style>
 </svg>
--- a/base.nix
+++ b/base.nix
@@ -1,16 +1,23 @@
-{ config, pkgs, inputs, ... }:
+{ config, lib, pkgs, inputs, values, ... }:
 {
  imports = [
    ./users
    ./modules/snakeoil-certs.nix
    ./modules/debug-locations.nix
  ];
  networking.domain = "pvv.ntnu.no";
  networking.useDHCP = false;
-  networking.search = [ "pvv.ntnu.no" "pvv.org" ];
+  # networking.search = [ "pvv.ntnu.no" "pvv.org" ];
  # networking.nameservers = lib.mkDefault [ "129.241.0.200" "129.241.0.201" ];
  # networking.tempAddresses = lib.mkDefault "disabled";
  # networking.defaultGateway = values.hosts.gateway;
  systemd.network.enable = true;
  services.resolved = {
-    enable = true;
+    enable = lib.mkDefault true;
    dnssec = "false"; # Supposdly this keeps breaking and the default is to allow downgrades anyways...
  };
@@ -27,7 +34,7 @@
    flake = "git+https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git";
    flags = [
      "--update-input" "nixpkgs"
-      "--update-input" "unstable"
+      "--update-input" "nixpkgs-unstable"
      "--no-write-lock-file"
    ];
  };
@@ -50,8 +57,12 @@
  environment.systemPackages = with pkgs; [
    file
    git
    gnupg
    htop
    nano
    ripgrep
    rsync
    screen
    tmux
    vim
    wget
@@ -59,15 +70,42 @@
    kitty.terminfo
  ];
  programs.zsh.enable = true;
  users.groups."drift".name = "drift";
  # Trusted users on the nix builder machines
  users.groups."nix-builder-users".name = "nix-builder-users";
  services.openssh = {
    enable = true;
    permitRootLogin = "yes";
    extraConfig = ''
      PubkeyAcceptedAlgorithms=+ssh-rsa
    '';
    settings.PermitRootLogin = "yes";
  };
  sops.age = {
    sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
    keyFile = "/var/lib/sops-nix/key.txt";
    generateKey = true;
  };
  # nginx return 444 for all nonexistent virtualhosts
  systemd.services.nginx.after = [ "generate-snakeoil-certs.service" ];
  environment.snakeoil-certs = lib.mkIf (config.services.nginx.enable) {
    "/etc/certs/nginx" = {
      owner = "nginx";
      group = "nginx";
    };
  };
  services.nginx.virtualHosts."_" = lib.mkIf (config.services.nginx.enable) {
    sslCertificate = "/etc/certs/nginx.crt";
    sslCertificateKey = "/etc/certs/nginx.key";
    addSSL = true;
    extraConfig = "return 444;";
  };
 }
--- a/flake.lock
+++ b/flake.lock
@@ -1,59 +1,161 @@
 {
  "nodes": {
-    "matrix-next": {
+    "disko": {
      "inputs": {
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
-        "lastModified": 1671009204,
+        "lastModified": 1710169806,
-        "narHash": "sha256-gqA9po/KmHyh44XYqv/LfFJ1+MGufhaaD6DhDqBeaF8=",
+        "narHash": "sha256-HeWFrRuHpnAiPmIr26OKl2g142HuGerwoO/XtW53pcI=",
        "owner": "nix-community",
        "repo": "disko",
        "rev": "fe064a639319ed61cdf12b8f6eded9523abcc498",
        "type": "github"
      },
      "original": {
        "owner": "nix-community",
        "repo": "disko",
        "type": "github"
      }
    },
    "grzegorz": {
      "inputs": {
        "nixpkgs": [
          "nixpkgs-unstable"
        ]
      },
      "locked": {
        "lastModified": 1696346665,
        "narHash": "sha256-J6Tf6a/zhFZ8SereluHLrvgPsIVm2CGHHA8wrbhZB3Y=",
        "owner": "Programvareverkstedet",
        "repo": "grzegorz",
        "rev": "9b9c3ac7d408ac7c6d67544b201e6b169afacb03",
        "type": "github"
      },
      "original": {
        "owner": "Programvareverkstedet",
        "repo": "grzegorz",
        "type": "github"
      }
    },
    "grzegorz-clients": {
      "inputs": {
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1693864994,
        "narHash": "sha256-oLDiWdCKDtEfeGzfAuDTq+n9VWp6JCo67PEESEZ3y8E=",
        "owner": "Programvareverkstedet",
        "repo": "grzegorz-clients",
        "rev": "a38a0b0fb31ad0ad78a91458cb2c7f77f686468f",
        "type": "github"
      },
      "original": {
        "owner": "Programvareverkstedet",
        "repo": "grzegorz-clients",
        "type": "github"
      }
    },
    "matrix-next": {
      "inputs": {
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1710311999,
        "narHash": "sha256-s0pT1NyrMgeolUojXXcnXQDymN7m80GTF7itCv0ZH20=",
        "owner": "dali99",
        "repo": "nixos-matrix-modules",
-        "rev": "43dbc17526576cb8e0980cef51c48b6598f97550",
+        "rev": "6c9b67974b839740e2a738958512c7a704481157",
        "type": "github"
      },
      "original": {
        "owner": "dali99",
        "ref": "flake-experiments",
        "repo": "nixos-matrix-modules",
        "type": "github"
      }
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1670946965,
+        "lastModified": 1710248792,
-        "narHash": "sha256-PDJfKgK/aSV3ISnD1TbKpLPW85LO/AQI73yQjbwribA=",
+        "narHash": "sha256-yFyWw4na+nJgtXwhHs2SJSy5Lcw94/FcMbBOorlGdfI=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "265caf30fa0a5148395b62777389b57eb0a537fd",
+        "rev": "efbb274f364c918b9937574de879b5874b5833cc",
        "type": "github"
      },
      "original": {
-        "owner": "NixOS",
+        "id": "nixpkgs",
-        "ref": "nixos-22.11-small",
+        "ref": "nixos-23.11-small",
-        "repo": "nixpkgs",
+        "type": "indirect"
        "type": "github"
      }
    },
    "nixpkgs-stable": {
      "locked": {
-        "lastModified": 1670146390,
+        "lastModified": 1710033658,
-        "narHash": "sha256-XrEoDpuloRHHbUkbPnhF2bQ0uwHllXq3NHxtuVe/QK4=",
+        "narHash": "sha256-yiZiVKP5Ya813iYLho2+CcFuuHpaqKc/CoxOlANKcqM=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "86370507cb20c905800527539fc049a2bf09c667",
+        "rev": "b17375d3bb7c79ffc52f3538028b2ec06eb79ef8",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
-        "ref": "release-22.11",
+        "ref": "release-23.11",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "nixpkgs-unstable": {
      "locked": {
        "lastModified": 1710247538,
        "narHash": "sha256-Mm3aCwfAdYgG2zKf5SLRBktPH0swXN1yEetAMn05KAA=",
        "owner": "NixOS",
        "repo": "nixpkgs",
        "rev": "21adc4f16a8ab151fec83b9d9368cd62d9de86bc",
        "type": "github"
      },
      "original": {
        "id": "nixpkgs",
        "ref": "nixos-unstable-small",
        "type": "indirect"
      }
    },
    "pvv-calendar-bot": {
      "inputs": {
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1693136143,
        "narHash": "sha256-amHprjftc3y/bg8yf4hITCLa+ez5HIi0yGfR7TU6UIc=",
        "ref": "refs/heads/main",
        "rev": "a32894b305f042d561500f5799226afd1faf5abb",
        "revCount": 9,
        "type": "git",
        "url": "https://git.pvv.ntnu.no/Projects/calendar-bot.git"
      },
      "original": {
        "type": "git",
        "url": "https://git.pvv.ntnu.no/Projects/calendar-bot.git"
      }
    },
    "root": {
      "inputs": {
        "disko": "disko",
        "grzegorz": "grzegorz",
        "grzegorz-clients": "grzegorz-clients",
        "matrix-next": "matrix-next",
        "nixpkgs": "nixpkgs",
-        "sops-nix": "sops-nix",
+        "nixpkgs-unstable": "nixpkgs-unstable",
-        "unstable": "unstable"
+        "pvv-calendar-bot": "pvv-calendar-bot",
        "sops-nix": "sops-nix"
      }
    },
    "sops-nix": {
@@ -64,11 +166,11 @@
        "nixpkgs-stable": "nixpkgs-stable"
      },
      "locked": {
-        "lastModified": 1670149631,
+        "lastModified": 1710195194,
-        "narHash": "sha256-rwmtlxx45PvOeZNP51wql/cWjY3rqzIR3Oj2Y+V7jM0=",
+        "narHash": "sha256-KFxCJp0T6TJOz1IOKlpRdpsCr9xsvlVuWY/VCiAFnTE=",
        "owner": "Mic92",
        "repo": "sops-nix",
-        "rev": "da98a111623101c64474a14983d83dad8f09f93d",
+        "rev": "e52d8117b330f690382f1d16d81ae43daeb4b880",
        "type": "github"
      },
      "original": {
@@ -76,22 +178,6 @@
        "repo": "sops-nix",
        "type": "github"
      }
    },
    "unstable": {
      "locked": {
        "lastModified": 1670918062,
        "narHash": "sha256-iOhkyBYUU9Jfkk0lvI4ahpjyrTsLXj9uyJWwmjKg+gg=",
        "owner": "NixOS",
        "repo": "nixpkgs",
        "rev": "84575b0bd882be979516f4fecfe4d7c8de8f6a92",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
        "ref": "nixos-unstable-small",
        "repo": "nixpkgs",
        "type": "github"
      }
    }
  },
  "root": "root",
--- a/flake.nix
+++ b/flake.nix
@@ -2,45 +2,133 @@
  description = "PVV System flake";
  inputs = {
-    nixpkgs.url = "github:NixOS/nixpkgs/nixos-22.11-small";
+    nixpkgs.url = "nixpkgs/nixos-23.11-small";
-    unstable.url = "github:NixOS/nixpkgs/nixos-unstable-small";
+    nixpkgs-unstable.url = "nixpkgs/nixos-unstable-small";
    sops-nix.url = "github:Mic92/sops-nix";
    sops-nix.inputs.nixpkgs.follows = "nixpkgs";
-    matrix-next.url = "github:dali99/nixos-matrix-modules/flake-experiments";
+    disko.url = "github:nix-community/disko";
    disko.inputs.nixpkgs.follows = "nixpkgs";
    pvv-calendar-bot.url = "git+https://git.pvv.ntnu.no/Projects/calendar-bot.git";
    pvv-calendar-bot.inputs.nixpkgs.follows = "nixpkgs";
    matrix-next.url = "github:dali99/nixos-matrix-modules";
    matrix-next.inputs.nixpkgs.follows = "nixpkgs";
    grzegorz.url = "github:Programvareverkstedet/grzegorz";
    grzegorz.inputs.nixpkgs.follows = "nixpkgs-unstable";
    grzegorz-clients.url = "github:Programvareverkstedet/grzegorz-clients";
    grzegorz-clients.inputs.nixpkgs.follows = "nixpkgs";
  };
-  outputs = { self, nixpkgs, unstable, sops-nix, ... }@inputs: 
+  outputs = { self, nixpkgs, nixpkgs-unstable, sops-nix, disko, ... }@inputs:
  let
    nixlib = nixpkgs.lib;
    systems = [
      "x86_64-linux"
      "aarch64-linux"
      "aarch64-darwin"
    ];
    forAllSystems = f: nixlib.genAttrs systems (system: f system);
    allMachines = nixlib.mapAttrsToList (name: _: name) self.nixosConfigurations;
    importantMachines = [
      "bekkalokk"
      "bicep"
      "brzeczyszczykiewicz"
      "georg"
      "ildkule"
    ];
    forAllSystems = f: nixpkgs.lib.genAttrs systems (system: f system);
  in {
-    nixosConfigurations = {
+    nixosConfigurations = let
-      jokum = nixpkgs.lib.nixosSystem {
+      unstablePkgs = nixpkgs-unstable.legacyPackages.x86_64-linux;
      nixosConfig = nixpkgs: name: config: nixpkgs.lib.nixosSystem (nixpkgs.lib.recursiveUpdate
        rec {
          system = "x86_64-linux";
-        specialArgs = { inherit unstable inputs; };
+          specialArgs = {
-        modules = [
+            inherit nixpkgs-unstable inputs;
-          ./hosts/jokum/configuration.nix
+            values = import ./values.nix;
-          sops-nix.nixosModules.sops
+          };
          inputs.matrix-next.nixosModules.synapse
        ];
      };
      ildkule = nixpkgs.lib.nixosSystem {
        system = "x86_64-linux";
        specialArgs = { inherit unstable inputs; };
          modules = [
-          ./hosts/ildkule/configuration.nix
+            ./hosts/${name}/configuration.nix
            sops-nix.nixosModules.sops
          ] ++ config.modules or [];
          pkgs = import nixpkgs {
            inherit system;
            overlays = [ ] ++ config.overlays or [ ];
          };
        }
        (removeAttrs config [ "modules" "overlays" ])
      );
      stableNixosConfig = nixosConfig nixpkgs;
      unstableNixosConfig = nixosConfig nixpkgs-unstable;
    in {
      bicep = stableNixosConfig "bicep" {
        modules = [
          inputs.matrix-next.nixosModules.default
          inputs.pvv-calendar-bot.nixosModules.default
        ];
        overlays = [
          inputs.pvv-calendar-bot.overlays.x86_64-linux.default
        ];
      };
      bekkalokk = stableNixosConfig "bekkalokk" {
        overlays = [
          (final: prev: {
            heimdal = unstablePkgs.heimdal;
            mediawiki-extensions = final.callPackage ./packages/mediawiki-extensions { };
            simplesamlphp = final.callPackage ./packages/simplesamlphp { };
          })
        ];
      };
      bob = stableNixosConfig "bob" {
        modules = [
          disko.nixosModules.disko
          { disko.devices.disk.disk1.device = "/dev/vda"; }
        ];
      };
      ildkule = stableNixosConfig "ildkule" { };
      #ildkule-unstable = unstableNixosConfig "ildkule" { };
      shark = stableNixosConfig "shark" { };
      brzeczyszczykiewicz = stableNixosConfig "brzeczyszczykiewicz" {
        modules = [
          inputs.grzegorz.nixosModules.grzegorz-kiosk
          inputs.grzegorz-clients.nixosModules.grzegorz-webui
        ];
      };
      georg = stableNixosConfig "georg" {
        modules = [
          inputs.grzegorz.nixosModules.grzegorz-kiosk
          inputs.grzegorz-clients.nixosModules.grzegorz-webui
        ];
      };
      buskerud = stableNixosConfig "buskerud" { };
    };
    devShells = forAllSystems (system: {
      default = nixpkgs.legacyPackages.${system}.callPackage ./shell.nix { };
    });
    packages = {
      "x86_64-linux" = let
        pkgs = nixpkgs.legacyPackages."x86_64-linux";
      in rec {
        default = important-machines;
        important-machines = pkgs.linkFarm "important-machines"
          (nixlib.getAttrs importantMachines self.packages.x86_64-linux);
        all-machines = pkgs.linkFarm "all-machines"
          (nixlib.getAttrs allMachines self.packages.x86_64-linux);
        simplesamlphp = pkgs.callPackage ./packages/simplesamlphp { };
        mediawiki-extensions = pkgs.callPackage ./packages/mediawiki-extensions { };
      } // nixlib.genAttrs allMachines
        (machine: self.nixosConfigurations.${machine}.config.system.build.toplevel);
    };
  };
 }
--- a/hosts/bekkalokk/configuration.nix
+++ b/hosts/bekkalokk/configuration.nix
@@ -0,0 +1,41 @@
 { pkgs, values, ... }:
 {
  imports = [
    ./hardware-configuration.nix
    ../../base.nix
    ../../misc/metrics-exporters.nix
    #./services/keycloak.nix
    # TODO: set up authentication for the following:
    # ./services/website.nix
    ./services/nginx
    ./services/gitea/default.nix
    ./services/kerberos
    ./services/webmail
    ./services/mediawiki
    ./services/idp-simplesamlphp
  ];
  sops.defaultSopsFile = ../../secrets/bekkalokk/bekkalokk.yaml;
  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
  sops.age.keyFile = "/var/lib/sops-nix/key.txt";
  sops.age.generateKey = true;
  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;
  virtualisation.podman.enable = true;
  networking.hostName = "bekkalokk";
  systemd.network.networks."30-enp2s0" = values.defaultNetworkConfig // {
    matchConfig.Name = "enp2s0";
    address = with values.hosts.bekkalokk; [ (ipv4 + "/25") (ipv6 + "/64") ];
  };
  # Do not change, even during upgrades.
  # See https://search.nixos.org/options?show=system.stateVersion
  system.stateVersion = "22.11";
 }
--- a/hosts/bekkalokk/hardware-configuration.nix
+++ b/hosts/bekkalokk/hardware-configuration.nix
@@ -0,0 +1,40 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 { config, lib, pkgs, modulesPath, ... }:
 {
  imports =
    [ (modulesPath + "/installer/scan/not-detected.nix")
    ];
  boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ "kvm-intel" ];
  boot.extraModulePackages = [ ];
  fileSystems."/" =
    { device = "/dev/sda1";
      fsType = "btrfs";
    };
  fileSystems."/boot" =
    { device = "/dev/disk/by-uuid/CE63-3B9B";
      fsType = "vfat";
    };
  swapDevices =
    [ { device = "/dev/disk/by-uuid/2df10c7b-0dec-45c6-a728-533f7da7f4b9"; }
    ];
  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
  # (the default) this is the recommended approach. When using systemd-networkd it's
  # still possible to use this option, but it's recommended to use it in conjunction
  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
  networking.useDHCP = lib.mkDefault true;
  # networking.interfaces.eno1.useDHCP = lib.mkDefault true;
  # networking.interfaces.enp2s0.useDHCP = lib.mkDefault true;
  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 }
--- a/hosts/bekkalokk/services/gitea/ci.nix
+++ b/hosts/bekkalokk/services/gitea/ci.nix
@@ -0,0 +1,30 @@
 { config, lib, values, ... }:
 let
  mkRunner = name: {
    # This is unfortunately state, and has to be generated one at a time :(
    # To do that, comment out all except one of the runners, fill in its token
    # inside the sops file, rebuild the system, and only after this runner has
    # successfully registered will gitea give you the next token.
    # - oysteikt Sep 2023
    sops.secrets."gitea/runners/${name}".restartUnits = [
      "gitea-runner-${name}.service"
    ];
    services.gitea-actions-runner.instances = {
      ${name} = {
        enable = true;
        name = "git-runner-${name}"; url = "https://git.pvv.ntnu.no";
        labels = [
 	  "debian-latest:docker://node:18-bullseye"
 	  "ubuntu-latest:docker://node:18-bullseye"
 	];
        tokenFile = config.sops.secrets."gitea/runners/${name}".path;
      };
    };
  };
 in
 lib.mkMerge [
  (mkRunner "alpha")
  (mkRunner "beta")
  (mkRunner "epsilon")
 ]
--- a/hosts/bekkalokk/services/gitea/default.nix
+++ b/hosts/bekkalokk/services/gitea/default.nix
@@ -0,0 +1,105 @@
 { config, values, pkgs, ... }:
 let
  cfg = config.services.gitea;
  domain = "git.pvv.ntnu.no";
  sshPort  = 2222;
 in {
  imports = [
    ./ci.nix
  ];
  sops.secrets = {
    "gitea/database" = {
      owner = "gitea";
      group = "gitea";
    };
    "gitea/passwd-ssh-key" = { };
    "gitea/ssh-known-hosts" = { };
    "gitea/import-user-env" = { };
  };
  services.gitea = {
    enable = true;
    stateDir = "/data/gitea";
    appName = "PVV Git";
    database = {
      type = "postgres";
      host = "postgres.pvv.ntnu.no";
      port = config.services.postgresql.port;
      passwordFile = config.sops.secrets."gitea/database".path;
      createDatabase = false;
    };
    settings = {
      server = {
        DOMAIN   = domain;
        ROOT_URL = "https://${domain}/";
        PROTOCOL = "http+unix";
        SSH_PORT = sshPort;
 	      START_SSH_SERVER = true;
      };
      indexer.REPO_INDEXER_ENABLED = true;
      service.DISABLE_REGISTRATION = true;
      session.COOKIE_SECURE = true;
      database.LOG_SQL = false;
      picture = {
        DISABLE_GRAVATAR = true;
        ENABLE_FEDERATED_AVATAR = false;
      };
      actions.ENABLED = true;
      "ui.meta".DESCRIPTION = "Bokstavelig talt programvareverkstedet";
    };
  };
  environment.systemPackages = [ cfg.package ];
  services.nginx.virtualHosts."${domain}" = {
    forceSSL = true;
    enableACME = true;
    locations."/" = {
      proxyPass = "http://unix:${cfg.settings.server.HTTP_ADDR}";
      recommendedProxySettings = true;
      extraConfig = ''
        client_max_body_size 512M;
      '';
    };
  };
  networking.firewall.allowedTCPPorts = [ sshPort ];
  # Automatically import users
  systemd.services.gitea-import-users = {
    enable = true;
    preStart=''${pkgs.rsync}/bin/rsync -e "${pkgs.openssh}/bin/ssh -o UserKnownHostsFile=$CREDENTIALS_DIRECTORY/ssh-known-hosts -i $CREDENTIALS_DIRECTORY/sshkey" -a pvv@smtp.pvv.ntnu.no:/etc/passwd /tmp/passwd-import'';
    serviceConfig = {
      ExecStart = pkgs.writers.writePython3 "gitea-import-users" { libraries = [ pkgs.python3Packages.requests ]; } (builtins.readFile ./gitea-import-users.py);
      LoadCredential=[
        "sshkey:${config.sops.secrets."gitea/passwd-ssh-key".path}"
        "ssh-known-hosts:${config.sops.secrets."gitea/ssh-known-hosts".path}"
      ];
      DynamicUser="yes";
      EnvironmentFile=config.sops.secrets."gitea/import-user-env".path;
    };
  };
  systemd.timers.gitea-import-users = {
    requires = [ "gitea.service" ];
    after = [ "gitea.service" ];
    wantedBy = [ "timers.target" ];
    timerConfig = {
      OnCalendar = "*-*-* 02:00:00";
      Persistent = true;
      Unit = "gitea-import-users.service";
    };
  };
  system.activationScripts.linkGiteaLogo.text = let
    logo-svg = ../../../../assets/logo_blue_regular.svg;
    logo-png = ../../../../assets/logo_blue_regular.png;
  in ''
    install -Dm444 ${logo-svg} ${cfg.stateDir}/custom/public/img/logo.svg
    install -Dm444 ${logo-png} ${cfg.stateDir}/custom/public/img/logo.png
    install -Dm444 ${./loading.apng} ${cfg.stateDir}/custom/public/img/loading.png
  '';
 }
--- a/hosts/bekkalokk/services/gitea/gitea-import-users.py
+++ b/hosts/bekkalokk/services/gitea/gitea-import-users.py
@@ -0,0 +1,94 @@
 import requests
 import secrets
 import os
 EMAIL_DOMAIN = os.getenv('EMAIL_DOMAIN')
 if EMAIL_DOMAIN is None:
    EMAIL_DOMAIN = 'pvv.ntnu.no'
 API_TOKEN = os.getenv('API_TOKEN')
 if API_TOKEN is None:
    raise Exception('API_TOKEN not set')
 GITEA_API_URL = os.getenv('GITEA_API_URL')
 if GITEA_API_URL is None:
    GITEA_API_URL = 'https://git.pvv.ntnu.no/api/v1'
 BANNED_SHELLS = [
    "/usr/bin/nologin",
    "/usr/sbin/nologin",
    "/sbin/nologin",
    "/bin/false",
    "/bin/msgsh",
 ]
 existing_users = {}
 # This function should only ever be called when adding users
 # from the passwd file
 def add_user(username, name):
    user = {
            "full_name": name,
            "username": username,
            "login_name": username,
            "source_id": 1,  # 1 = SMTP
    }
    if username not in existing_users:
        user["password"] = secrets.token_urlsafe(32)
        user["must_change_password"] = False
        user["visibility"] = "private"
        user["email"] = username + '@' + EMAIL_DOMAIN
        r = requests.post(GITEA_API_URL + '/admin/users', json=user,
                          headers={'Authorization': 'token ' + API_TOKEN})
        if r.status_code != 201:
            print('ERR: Failed to create user ' + username + ': ' + r.text)
            return
        print('Created user ' + username)
        existing_users[username] = user
    else:
        user["visibility"] = existing_users[username]["visibility"]
        r = requests.patch(GITEA_API_URL + f'/admin/users/{username}',
                           json=user,
                           headers={'Authorization': 'token ' + API_TOKEN})
        if r.status_code != 200:
            print('ERR: Failed to update user ' + username + ': ' + r.text)
            return
        print('Updated user ' + username)
 def main():
    # Fetch existing users
    r = requests.get(GITEA_API_URL + '/admin/users',
                     headers={'Authorization': 'token ' + API_TOKEN})
    if r.status_code != 200:
        raise Exception('Failed to get users: ' + r.text)
    for user in r.json():
        existing_users[user['login']] = user
    # Read the file, add each user
    with open("/tmp/passwd-import", 'r') as f:
        for line in f.readlines():
            uid = int(line.split(':')[2])
            if uid < 1000:
                continue
            shell = line.split(':')[-1]
            if shell in BANNED_SHELLS:
                continue
            username = line.split(':')[0]
            name = line.split(':')[4].split(',')[0]
            add_user(username, name)
 if __name__ == '__main__':
    main()
--- a/hosts/bekkalokk/services/gitea/loading.apng
+++ b/hosts/bekkalokk/services/gitea/loading.apng
--- a/hosts/bekkalokk/services/idp-simplesamlphp/authpwauth.php
+++ b/hosts/bekkalokk/services/idp-simplesamlphp/authpwauth.php
@@ -0,0 +1,135 @@
 <?php
 /**
 * Authenticate using HTTP login.
 *
 * @author Yorn de Jong
 * @author Oystein Kristoffer Tveit
 * @package simpleSAMLphp
 */
 namespace SimpleSAML\Module\authpwauth\Auth\Source;
 class PwAuth extends \SimpleSAML\Module\core\Auth\UserPassBase
 {
    protected $pwauth_bin_path;
    protected $mail_domain;
    public function __construct(array $info, array &$config) {
            assert('is_array($info)');
            assert('is_array($config)');
            /* Call the parent constructor first, as required by the interface. */
            parent::__construct($info, $config);
            $this->pwauth_bin_path = $config['pwauth_bin_path'];
            if (array_key_exists('mail_domain', $config)) {
                    $this->mail_domain = '@' . ltrim($config['mail_domain'], '@');
            }
    }
    public function login(string $username, string $password): array {
            $username = strtolower( $username );
 	    if (!file_exists($this->pwauth_bin_path)) {
                    die("Could not find pwauth binary");
                    return false;
 	    }
 	    if (!is_executable($this->pwauth_bin_path)) {
                    die("pwauth binary is not executable");
                    return false;
 	    }
            $handle = popen($this->pwauth_bin_path, 'w');
            if ($handle === FALSE) {
                    die("Error opening pipe to pwauth");
                    return false;
            }
            $data = "$username\n$password\n";
            if (fwrite($handle, $data) !== strlen($data)) {
                    die("Error writing to pwauth pipe");
                    return false;
            }
            # Is the password valid?
            $result = pclose( $handle );
            if ($result !== 0) {
                    if (!in_array($result, [1, 2, 3, 4, 5, 6, 7], true)) {
                            die("pwauth returned $result for username $username");
                    }
                    throw new \SimpleSAML\Error\Error('WRONGUSERPASS');
            }
            /*
            $ldap = ldap_connect('129.241.210.159', 389);
            ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
            ldap_start_tls($ldap);
            ldap_bind($ldap, 'passordendrer@pvv.ntnu.no', 'Oi7aekoh');
            $search = ldap_search($ldap, 'DC=pvv,DC=ntnu,DC=no', '(sAMAccountName='.ldap_escape($username, '', LDAP_ESCAPE_FILTER).')');
            $entry = ldap_first_entry($ldap, $search);
            $dn = ldap_get_dn($ldap, $entry);
            $newpassword = mb_convert_encoding("\"$password\"", 'UTF-16LE', 'UTF-8');
            ldap_modify_batch($ldap, $dn, [
                    #[
                    #       'modtype' => LDAP_MODIFY_BATCH_REMOVE,
                    #       'attrib' => 'unicodePwd',
                    #       'values' => [$password],
                    #],
                    [
                            #'modtype' => LDAP_MODIFY_BATCH_ADD,
                            'modtype' => LDAP_MODIFY_BATCH_REPLACE,
                            'attrib' => 'unicodePwd',
                            'values' => [$newpassword],
                    ],
            ]);
            */
            #0  -  Login OK.
            #1  -  Nonexistant login or (for some configurations) incorrect password.
            #2  -  Incorrect password (for some configurations).
            #3  -  Uid number is below MIN_UNIX_UID value configured in config.h.
            #4  -  Login ID has expired.
            #5  -  Login's password has expired.
            #6  -  Logins to system have been turned off (usually by /etc/nologin file).
            #7  -  Limit on number of bad logins exceeded.
            #50 -  pwauth was not run with real uid SERVER_UID.  If you get this
            #      this error code, you probably have SERVER_UID set incorrectly
            #      in pwauth's config.h file.
            #51 -  pwauth was not given a login & password to check.  The means
            #      the passing of data from mod_auth_external to pwauth is messed
            #      up.  Most likely one is trying to pass data via environment
            #      variables, while the other is trying to pass data via a pipe.
            #52 -  one of several possible internal errors occured.
            $uid = $username;
 	    # TODO: Reinstate this code once passwd is working...
 	    /*
            $cn = trim(shell_exec('getent passwd '.escapeshellarg($uid).' | cut -d: -f5 | cut -d, -f1'));
            $groups = preg_split('_\\s_', shell_exec('groups '.escapeshellarg($uid)));
            array_shift($groups);
            array_shift($groups);
            array_pop($groups);
            $info = posix_getpwnam($uid);
            $group = $info['gid'];
            if (!in_array($group, $groups)) {
                    $groups[] = $group;
            }
 	    */
 	    $cn = "Unknown McUnknown";
 	    $groups = array();
            $result = array(
                    'uid' => array($uid),
                    'cn' => array($cn),
                    'group' => $groups,
            );
            if (isset($this->mail_domain)) {
                    $result['mail'] = array($uid.$this->mail_domain);
            }
            return $result;
    }
 }
--- a/hosts/bekkalokk/services/idp-simplesamlphp/config.php
+++ b/hosts/bekkalokk/services/idp-simplesamlphp/config.php
--- a/hosts/bekkalokk/services/idp-simplesamlphp/default.nix
+++ b/hosts/bekkalokk/services/idp-simplesamlphp/default.nix
@@ -0,0 +1,203 @@
 { config, pkgs, lib, ... }:
 let
  pwAuthScript = pkgs.writeShellApplication {
    name = "pwauth";
    runtimeInputs = with pkgs; [ coreutils heimdal ];
    text = ''
      read -r user1
      user2="$(echo -n "$user1" | tr -c -d '0123456789abcdefghijklmnopqrstuvwxyz')"
      if test "$user1" != "$user2"
      then
        read -r _
        exit 2
      fi
      kinit --password-file=STDIN "''${user1}@PVV.NTNU.NO" >/dev/null 2>/dev/null
      kdestroy >/dev/null 2>/dev/null
    '';
  };
  package = pkgs.simplesamlphp.override {
    extra_files = {
      # NOTE: Using self signed certificate created 30. march 2024, with command:
      # openssl req -newkey rsa:4096 -new -x509 -days 365 -nodes -out idp.crt -keyout idp.pem
      "metadata/saml20-idp-hosted.php" = pkgs.writeText "saml20-idp-remote.php" ''
        <?php
 	  $metadata['https://idp2.pvv.ntnu.no/'] = array(
 	    'host' => '__DEFAULT__',
 	    'privatekey' => '${config.sops.secrets."idp/privatekey".path}',
 	    'certificate' => '${./idp.crt}',
 	    'auth' => 'pwauth',
 	  );
 	?>
      '';
      "metadata/saml20-sp-remote.php" = pkgs.writeText "saml20-sp-remote.php" ''
        <?php
 	  ${ lib.pipe config.services.idp.sp-remote-metadata [
             (map (url: ''
               $metadata['${url}'] = [
                   'SingleLogoutService' => [
                       [
                           'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
                           'Location' => '${url}module.php/saml/sp/saml2-logout.php/default-sp',
                       ],
                       [
                           'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:SOAP',
                           'Location' => '${url}module.php/saml/sp/saml2-logout.php/default-sp',
                       ],
                   ],
                   'AssertionConsumerService' => [
                       [
                           'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
                           'Location' => '${url}module.php/saml/sp/saml2-acs.php/default-sp',
                           'index' => 0,
                       ],
                       [
                           'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact',
                           'Location' => '${url}module.php/saml/sp/saml2-acs.php/default-sp',
                           'index' => 1,
                       ],
                   ],
               ];
 	     ''))
 	     (lib.concatStringsSep "\n")
 	  ]}
 	?>
      '';
      "config/authsources.php" = pkgs.writeText "idp-authsources.php" ''
        <?php
          $config = array(
 	    'admin' => array(
 	      'core:AdminPassword'
 	    ),
            'pwauth' => array(
               'authpwauth:PwAuth',
               'pwauth_bin_path' => '${lib.getExe pwAuthScript}',
               'mail_domain' => '@pvv.ntnu.no',
            ),
          );
 	?>
      '';
      "config/config.php" = pkgs.runCommandLocal "simplesamlphp-config.php" { } ''
        cp ${./config.php} "$out"
        substituteInPlace "$out" \
          --replace '$SAML_COOKIE_SECURE' 'true' \
          --replace '$SAML_COOKIE_SALT' 'file_get_contents("${config.sops.secrets."idp/cookie_salt".path}")' \
          --replace '$SAML_ADMIN_NAME' '"Drift"' \
          --replace '$SAML_ADMIN_EMAIL' '"drift@pvv.ntnu.no"' \
          --replace '$SAML_ADMIN_PASSWORD' 'file_get_contents("${config.sops.secrets."idp/admin_password".path}")' \
          --replace '$SAML_TRUSTED_DOMAINS' 'array( "idp2.pvv.ntnu.no" )' \
          --replace '$SAML_DATABASE_DSN' '"pgsql:host=postgres.pvv.ntnu.no;port=5432;dbname=idp"' \
          --replace '$SAML_DATABASE_USERNAME' '"idp"' \
          --replace '$SAML_DATABASE_PASSWORD' 'file_get_contents("${config.sops.secrets."idp/postgres_password".path}")' \
          --replace '$CACHE_DIRECTORY' '/var/cache/idp'
      '';
      "modules/authpwauth/src/Auth/Source/PwAuth.php" = ./authpwauth.php;
    };
  };
 in
 {
  options.services.idp.sp-remote-metadata = lib.mkOption {
    type = with lib.types; listOf str;
    default = [ ];
    description = ''
      List of urls point to (simplesamlphp) service profiders, which the idp should trust.
      :::{.note}
 	Make sure the url ends with a `/`
      :::
    '';
  };
  config = {
    sops.secrets = {
      "idp/privatekey" = {
        owner = "idp";
        group = "idp";
        mode = "0770";
      };
      "idp/admin_password" = {
        owner = "idp";
        group = "idp";
      };
      "idp/postgres_password" = {
        owner = "idp";
        group = "idp";
      };
      "idp/cookie_salt" = {
        owner = "idp";
        group = "idp";
      };
    };  
    users.groups."idp" = { };
    users.users."idp" = {
      description = "PVV Identity Provider Service User";
      group = "idp";
      createHome = false;
      isSystemUser = true;
    };
    systemd.tmpfiles.settings."10-idp" = {
      "/var/cache/idp".d = {
        user = "idp";
        group = "idp";
        mode = "0770";
      };
      "/var/lib/idp".d = {
        user = "idp";
        group = "idp";
        mode = "0770";
      };
    };
    services.phpfpm.pools.idp = {
      user = "idp";
      group = "idp";
      settings = let
        listenUser = config.services.nginx.user;
        listenGroup = config.services.nginx.group;
      in {
        "pm" = "dynamic";
        "pm.max_children" = 32;
        "pm.max_requests" = 500;
        "pm.start_servers" = 2;
        "pm.min_spare_servers" = 2;
        "pm.max_spare_servers" = 4;
        "listen.owner" = listenUser;
        "listen.group" = listenGroup;
        "catch_workers_output" = true;
        "php_admin_flag[log_errors]" = true;
        # "php_admin_value[error_log]" = "stderr";
      };
    };
    services.nginx.virtualHosts."idp2.pvv.ntnu.no" = {
      forceSSL = true;
      enableACME = true;
      root = "${package}/share/php/simplesamlphp/public";
      locations =  {
        # based on https://simplesamlphp.org/docs/stable/simplesamlphp-install.html#configuring-nginx
        "/" = {
          alias = "${package}/share/php/simplesamlphp/public/";
          index = "index.php";
          extraConfig = ''
            location ~ ^/(?<phpfile>.+?\.php)(?<pathinfo>/.*)?$ {
              include ${pkgs.nginx}/conf/fastcgi_params;
              fastcgi_pass unix:${config.services.phpfpm.pools.idp.socket};
              fastcgi_param SCRIPT_FILENAME ${package}/share/php/simplesamlphp/public/$phpfile;
              fastcgi_param SCRIPT_NAME /$phpfile;
              fastcgi_param PATH_INFO $pathinfo if_not_empty;
            }
          '';
        };
      };
    };
  };
 }
--- a/hosts/bekkalokk/services/idp-simplesamlphp/idp.crt
+++ b/hosts/bekkalokk/services/idp-simplesamlphp/idp.crt
@@ -0,0 +1,33 @@
 -----BEGIN CERTIFICATE-----
 MIIFqTCCA5GgAwIBAgIUL2+PMM9rE9wI5W2yNnJ2CmfGxh0wDQYJKoZIhvcNAQEL
 BQAwZDELMAkGA1UEBhMCTk8xEzARBgNVBAgMClNvbWUtU3RhdGUxHjAcBgNVBAoM
 FVByb2dyYW12YXJldmVya3N0ZWRldDEgMB4GCSqGSIb3DQEJARYRZHJpZnRAcHZ2
 Lm50bnUubm8wHhcNMjQwMzMwMDAyNjQ0WhcNMjUwMzMwMDAyNjQ0WjBkMQswCQYD
 VQQGEwJOTzETMBEGA1UECAwKU29tZS1TdGF0ZTEeMBwGA1UECgwVUHJvZ3JhbXZh
 cmV2ZXJrc3RlZGV0MSAwHgYJKoZIhvcNAQkBFhFkcmlmdEBwdnYubnRudS5ubzCC
 AiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAL/0l0jdV+PoVxdd21F+2NLm
 JN6sZmSJexOSk/sFjhhF4WMtjOfDAQYjt3hlLPyYl//jCe9WteavvtdCx1tHJitd
 xjOUJ/leVjHzBttCVZR+iTlQtpsZ2TbRMJ5Fcfl82njlPecV4umJvnnFXawE4Qee
 dE2OM8ODjjrK1cNaHR74tyZCwmdOxNHXZ7RN22p9kZjLD18LQyNr5igaDBeaZkyk
 Gxbg4tbP51x9JFRLF7kUlyAc83geFnw6v/wBahr49m/X4y7xE0rdPb2L0moUjmOO
 Zyl3hvxMI3+g/0FVMM5eKmfIIP2rIVEAa6MWMx0vPjC6h2fIyxkUqg5C8aFlpqav
 +8f2rUc+JfdiFsIZNrylBXsleGzS+/wY1uB/pAy5Vg9WCp+eC75EtWMt0k2f442G
 rhKa3lAZ6GIYrtEiQiNGM1aT1Cs1nqTtslfnHiuAKBefLjCXgq9uvL2yRodwe9/m
 oZiqYnLHy/v1xfnF5rKTcRmOleU3tc+nlN6tZSGC1nZgMpqpoqdcbJXAkvaJ2Km4
 sl0YS28VQnztgzuVPNdnv8lcS6HmkaGaNWbepKgWeaH5oT7O6u99wZIv88m+tf5m
 Eu197YVpcclnojQCYKauWcQFsXS20egsVP87Qk0e2SHmGTUQp6YEYX6RLjkg7/vS
 BelDBbCldraNVEiC0jmpAgMBAAGjUzBRMB0GA1UdDgQWBBSL0yofG5NEmzFIRuqC
 xmyiuZW6DTAfBgNVHSMEGDAWgBSL0yofG5NEmzFIRuqCxmyiuZW6DTAPBgNVHRMB
 Af8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4ICAQAZZVs7BLk/NLq3f4Ik8qH3IoDN
 2m4XXRZS+xxw5RwctgSnik7AffgAfv8QQm2co8UYkHbB0whaG1PDz+L7wB1hVkWn
 DVUaJcKQnn0x+sNU5LoTbjI0PlaST7PO5D0OMFab8FSNxpzzpbUcgZUhelc99Ri/
 2Gh8mf4b3Y3Uzq6YKFsuFM65OuJhH8f1w6onai9x28t6tERHUSUfJ2keXzU4ytCV
 EitWXwhe759VLqmdP4BATwlCOCuwa5aDeGcWRIqFpYIn0SOAmVV3o4V71JdZc1jE
 fuOo/PbiHZ+R9ZGbh98aMidb0moL1ZDhmir9KbedezNyki6JJ72mVclhLqUajFxr
 T39FXd5e2+QBMHPPhVFznQoHWnHEbZigTt61b0cg/TsxaxOkF4Ilmr/2DmSWysWK
 TF5eq8hp6/53qVbXXSzrCjxd3wzGnRabsEVPX/L2hYDx81hluovJQCtskqTq1joI
 W2R7AO5Sdyc6NfOR85kl0HXzHa+0Slsf8ZDs5nCz/mOOPoAGl7IxF7xQ6kPO7V+U
 HdGE2tkblM/TrAObJH0HXySeJGI7Vfya+D1Y8IqGtyZtWyx1DmlA/OezGGf5D3rG
 88LywHQQ2mQ+8aosBTE4+HQ+apLKZBprqQKuiDjT1RSUbfUHQkYuL+D1oIVmklAc
 UxTpf01QJnZkMqf5NQ==
 -----END CERTIFICATE-----
--- a/hosts/bekkalokk/services/idp-simplesamlphp/metadata.php.nix
+++ b/hosts/bekkalokk/services/idp-simplesamlphp/metadata.php.nix
@@ -0,0 +1,22 @@
 ''
  <?php
  $metadata['https://idp2.pvv.ntnu.no/'] = [
      'metadata-set' => 'saml20-idp-hosted',
      'entityid' => 'https://idp2.pvv.ntnu.no/',
      'SingleSignOnService' => [
          [
              'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
              'Location' => 'https://idp2.pvv.ntnu.no/module.php/saml/idp/singleSignOnService',
          ],
      ],
      'SingleLogoutService' => [
          [
              'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
              'Location' => 'https://idp2.pvv.ntnu.no/module.php/saml/idp/singleLogout',
          ],
      ],
      'NameIDFormat' => [ 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient' ],
      'certificate' => '${./idp.crt}',
  ];
  ?>
 ''
--- a/hosts/bekkalokk/services/kerberos/default.nix
+++ b/hosts/bekkalokk/services/kerberos/default.nix
@@ -0,0 +1,27 @@
 { config, pkgs, lib, ... }:
 {
  #######################
  # TODO: remove these once nixos 24.05 gets released
  #######################
  imports = [
    ./krb5.nix
    ./pam.nix
  ];
  disabledModules = [
    "config/krb5/default.nix"
    "security/pam.nix"
  ];
  #######################
  security.krb5 = {
    enable = true;
    settings = {
      libdefaults = {
        default_realm = "PVV.NTNU.NO";
        dns_lookup_realm = "yes";
        dns_lookup_kdc = "yes";
      };
      realms."PVV.NTNU.NO".admin_server = "kdc.pvv.ntnu.no";
    };
  };
 }
--- a/hosts/bekkalokk/services/kerberos/krb5-conf-format.nix
+++ b/hosts/bekkalokk/services/kerberos/krb5-conf-format.nix
@@ -0,0 +1,88 @@
 { pkgs, lib, ... }:
 # Based on
 # - https://web.mit.edu/kerberos/krb5-1.12/doc/admin/conf_files/krb5_conf.html
 # - https://manpages.debian.org/unstable/heimdal-docs/krb5.conf.5heimdal.en.html
 let
  inherit (lib) boolToString concatMapStringsSep concatStringsSep filter
    isAttrs isBool isList mapAttrsToList mdDoc mkOption singleton splitString;
  inherit (lib.types) attrsOf bool coercedTo either int listOf oneOf path
    str submodule;
 in
 { }: {
  type = let
    section = attrsOf relation;
    relation = either (attrsOf value) value;
    value = either (listOf atom) atom;
    atom = oneOf [int str bool];
  in submodule {
    freeformType = attrsOf section;
    options = {
      include = mkOption {
        default = [ ];
        description = mdDoc ''
          Files to include in the Kerberos configuration.
        '';
        type = coercedTo path singleton (listOf path);
      };
      includedir = mkOption {
        default = [ ];
        description = mdDoc ''
          Directories containing files to include in the Kerberos configuration.
        '';
        type = coercedTo path singleton (listOf path);
      };
      module = mkOption {
        default = [ ];
        description = mdDoc ''
          Modules to obtain Kerberos configuration from.
        '';
        type = coercedTo path singleton (listOf path);
      };
    };
  };
  generate = let
    indent = str: concatMapStringsSep "\n" (line: "  " + line) (splitString "\n" str);
    formatToplevel = args @ {
      include ? [ ],
      includedir ? [ ],
      module ? [ ],
      ...
    }: let
      sections = removeAttrs args [ "include" "includedir" "module" ];
    in concatStringsSep "\n" (filter (x: x != "") [
      (concatStringsSep "\n" (mapAttrsToList formatSection sections))
      (concatMapStringsSep "\n" (m: "module ${m}") module)
      (concatMapStringsSep "\n" (i: "include ${i}") include)
      (concatMapStringsSep "\n" (i: "includedir ${i}") includedir)
    ]);
    formatSection = name: section: ''
      [${name}]
      ${indent (concatStringsSep "\n" (mapAttrsToList formatRelation section))}
    '';
    formatRelation = name: relation:
      if isAttrs relation
      then ''
        ${name} = {
        ${indent (concatStringsSep "\n" (mapAttrsToList formatValue relation))}
        }''
      else formatValue name relation;
    formatValue = name: value:
      if isList value
      then concatMapStringsSep "\n" (formatAtom name) value
      else formatAtom name value;
    formatAtom = name: atom: let
      v = if isBool atom then boolToString atom else toString atom;
    in "${name} = ${v}";
  in
    name: value: pkgs.writeText name ''
      ${formatToplevel value}
    '';
 }
--- a/hosts/bekkalokk/services/kerberos/krb5.nix
+++ b/hosts/bekkalokk/services/kerberos/krb5.nix
@@ -0,0 +1,90 @@
 { config, lib, pkgs, ... }:
 let
  inherit (lib) mdDoc mkIf mkOption mkPackageOption mkRemovedOptionModule;
  inherit (lib.types) bool;
  mkRemovedOptionModule' = name: reason: mkRemovedOptionModule ["krb5" name] reason;
  mkRemovedOptionModuleCfg = name: mkRemovedOptionModule' name ''
    The option `krb5.${name}' has been removed. Use
    `security.krb5.settings.${name}' for structured configuration.
  '';
  cfg = config.security.krb5;
  format = import ./krb5-conf-format.nix { inherit pkgs lib; } { };
 in {
  imports = [
    (mkRemovedOptionModuleCfg "libdefaults")
    (mkRemovedOptionModuleCfg "realms")
    (mkRemovedOptionModuleCfg "domain_realm")
    (mkRemovedOptionModuleCfg "capaths")
    (mkRemovedOptionModuleCfg "appdefaults")
    (mkRemovedOptionModuleCfg "plugins")
    (mkRemovedOptionModuleCfg "config")
    (mkRemovedOptionModuleCfg "extraConfig")
    (mkRemovedOptionModule' "kerberos" ''
      The option `krb5.kerberos' has been moved to `security.krb5.package'.
    '')
  ];
  options = {
    security.krb5 = {
      enable = mkOption {
        default = false;
        description = mdDoc "Enable and configure Kerberos utilities";
        type = bool;
      };
      package = mkPackageOption pkgs "krb5" {
        example = "heimdal";
      };
      settings = mkOption {
        default = { };
        type = format.type;
        description = mdDoc ''
          Structured contents of the {file}`krb5.conf` file. See
          {manpage}`krb5.conf(5)` for details about configuration.
        '';
        example = {
          include = [ "/run/secrets/secret-krb5.conf" ];
          includedir = [ "/run/secrets/secret-krb5.conf.d" ];
          libdefaults = {
            default_realm = "ATHENA.MIT.EDU";
          };
          realms = {
            "ATHENA.MIT.EDU" = {
              admin_server = "athena.mit.edu";
              kdc = [
                "athena01.mit.edu"
                "athena02.mit.edu"
              ];
            };
          };
          domain_realm = {
            "mit.edu" = "ATHENA.MIT.EDU";
          };
          logging = {
            kdc = "SYSLOG:NOTICE";
            admin_server = "SYSLOG:NOTICE";
            default = "SYSLOG:NOTICE";
          };
        };
      };
    };
  };
  config = mkIf cfg.enable {
    environment = {
      systemPackages = [ cfg.package ];
      etc."krb5.conf".source = format.generate "krb5.conf" cfg.settings;
    };
  };
  meta.maintainers = builtins.attrValues {
    inherit (lib.maintainers) dblsaiko h7x4;
  };
 }
--- a/hosts/bekkalokk/services/kerberos/pam.nix
+++ b/hosts/bekkalokk/services/kerberos/pam.nix
--- a/hosts/bekkalokk/services/keycloak.nix
+++ b/hosts/bekkalokk/services/keycloak.nix
@@ -0,0 +1,24 @@
 { pkgs, config, values, ... }:
 {
  sops.secrets."keys/postgres/keycloak" = {
    owner = "keycloak";
    group = "keycloak";
    restartUnits = [ "keycloak.service" ];
  };
  services.keycloak = {
    enable = true;
    settings = {
      hostname = "auth.pvv.ntnu.no";
      # hostname-strict-backchannel = true;
    };
    database = {
      host = values.hosts.bicep.ipv4;
      createLocally = false;
      passwordFile = config.sops.secrets."keys/postgres/keycloak".path;
      caCert = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
    };
  };
 }
--- a/hosts/bekkalokk/services/mediawiki/default.nix
+++ b/hosts/bekkalokk/services/mediawiki/default.nix
@@ -0,0 +1,216 @@
 { pkgs, lib, config, values, pkgs-unstable, ... }: let
  cfg = config.services.mediawiki;
  # "mediawiki"
  user = config.systemd.services.mediawiki-init.serviceConfig.User;
  # "mediawiki"
  group = config.users.users.${user}.group;
  simplesamlphp = pkgs.simplesamlphp.override {
    extra_files = {
      "metadata/saml20-idp-remote.php" = pkgs.writeText "mediawiki-saml20-idp-remote.php" (import ../idp-simplesamlphp/metadata.php.nix);
      "config/authsources.php" = ./simplesaml-authsources.php;
      "config/config.php" = pkgs.runCommandLocal "mediawiki-simplesamlphp-config.php" { } ''
        cp ${./simplesaml-config.php} "$out"
        substituteInPlace "$out" \
          --replace '$SAML_COOKIE_SECURE' 'true' \
          --replace '$SAML_COOKIE_SALT' 'file_get_contents("${config.sops.secrets."mediawiki/simplesamlphp/cookie_salt".path}")' \
          --replace '$SAML_ADMIN_NAME' '"Drift"' \
          --replace '$SAML_ADMIN_EMAIL' '"drift@pvv.ntnu.no"' \
          --replace '$SAML_ADMIN_PASSWORD' 'file_get_contents("${config.sops.secrets."mediawiki/simplesamlphp/admin_password".path}")' \
          --replace '$SAML_TRUSTED_DOMAINS' 'array( "wiki2.pvv.ntnu.no" )' \
          --replace '$SAML_DATABASE_DSN' '"pgsql:host=postgres.pvv.ntnu.no;port=5432;dbname=mediawiki_simplesamlphp"' \
          --replace '$SAML_DATABASE_USERNAME' '"mediawiki_simplesamlphp"' \
          --replace '$SAML_DATABASE_PASSWORD' 'file_get_contents("${config.sops.secrets."mediawiki/simplesamlphp/postgres_password".path}")' \
          --replace '$CACHE_DIRECTORY' '/var/cache/mediawiki/idp'
      '';
    };
  };
 in {
  services.idp.sp-remote-metadata = [ "https://wiki2.pvv.ntnu.no/simplesaml/" ];
  sops.secrets = lib.pipe [
    "mediawiki/password"
    "mediawiki/postgres_password"
    "mediawiki/simplesamlphp/postgres_password"
    "mediawiki/simplesamlphp/cookie_salt"
    "mediawiki/simplesamlphp/admin_password"
  ] [
    (map (key: lib.nameValuePair key {
      owner = user;
      group = group;
    }))
    lib.listToAttrs
  ];
  services.mediawiki = {
    enable = true;
    name = "Programvareverkstedet";
    passwordFile = config.sops.secrets."mediawiki/password".path;
    passwordSender = "drift@pvv.ntnu.no";
    database = {
      type = "mysql";
      host = "mysql.pvv.ntnu.no";
      port = 3306;
      user = "mediawiki";
      passwordFile = config.sops.secrets."mediawiki/postgres_password".path;
      createLocally = false;
      # TODO: create a normal database and copy over old data when the service is production ready
      name = "mediawiki";
    };
    # Host through nginx
    webserver = "none";
    poolConfig = let
      listenUser = config.services.nginx.user;
      listenGroup = config.services.nginx.group;
    in {
      inherit user group;
      "pm" = "dynamic";
      "pm.max_children" = 32;
      "pm.max_requests" = 500;
      "pm.start_servers" = 2;
      "pm.min_spare_servers" = 2;
      "pm.max_spare_servers" = 4;
      "listen.owner" = listenUser;
      "listen.group" = listenGroup;
      "catch_workers_output" = true;
      "php_admin_flag[log_errors]" = true;
      # "php_admin_value[error_log]" = "stderr";
      # to accept *.html file
      "security.limit_extensions" = "";
    };
    extensions = {
      inherit (pkgs.mediawiki-extensions) DeleteBatch UserMerge PluggableAuth SimpleSAMLphp;
    };
    extraConfig = ''
      $wgServer = "https://wiki2.pvv.ntnu.no";
      $wgLocaltimezone = "Europe/Oslo";
      # Only allow login through SSO
      $wgEnableEmail = false;
      $wgEnableUserEmail = false;
      $wgEmailAuthentication = false;
      $wgGroupPermissions['*']['createaccount'] = false;
      $wgGroupPermissions['*']['autocreateaccount'] = true;
      $wgPluggableAuth_EnableAutoLogin = false;
      # Misc. permissions
      $wgGroupPermissions['*']['edit'] = false;
      $wgGroupPermissions['*']['read'] = true;
      # Misc. URL rules
      $wgUsePathInfo = true;
      $wgScriptExtension = ".php";
      $wgNamespacesWithSubpages[NS_MAIN] = true;
      # Styling
      $wgLogos = array(
        "2x" => "/PNG/PVV-logo.png",
        "icon" => "/PNG/PVV-logo.svg",
      );
      $wgDefaultSkin = "vector-2022";
      # from https://github.com/wikimedia/mediawiki-skins-Vector/blob/master/skin.json
      $wgVectorDefaultSidebarVisibleForAnonymousUser = true;
      $wgVectorResponsive = true;
      # Misc
      $wgEmergencyContact = "${cfg.passwordSender}";
      $wgShowIPinHeader = false;
      $wgUseTeX = false;
      $wgLocalInterwiki = $wgSitename;
      # SimpleSAML
      $wgSimpleSAMLphp_InstallDir = "${simplesamlphp}/share/php/simplesamlphp/";
      $wgPluggableAuth_Config['Log in using my SAML'] = [
        'plugin' => 'SimpleSAMLphp',
        'data' => [
          'authSourceId' => 'default-sp',
          'usernameAttribute' => 'uid',
          'emailAttribute' => 'mail',
          'realNameAttribute' => 'cn',
        ]
      ];
      # Fix https://github.com/NixOS/nixpkgs/issues/183097
      $wgDBserver = "${toString cfg.database.host}";
    '';
  };
  # Cache directory for simplesamlphp
  # systemd.services.phpfpm-mediawiki.serviceConfig.CacheDirectory = "mediawiki/simplesamlphp";
  systemd.tmpfiles.settings."10-mediawiki"."/var/cache/mediawiki/simplesamlphp".d = {
    user = "mediawiki";
    group = "mediawiki";
    mode = "0770";
  };
  users.groups.mediawiki.members = [ "nginx" ];
  services.nginx.virtualHosts."wiki2.pvv.ntnu.no" = {
    forceSSL = true;
    enableACME = true;
    root = "${config.services.mediawiki.finalPackage}/share/mediawiki";
    locations =  {
      "/" = {
 	index = "index.php";
      };
      "~ /(.+\\.php)" = {
        extraConfig = ''
          fastcgi_split_path_info ^(.+\.php)(/.+)$;
          fastcgi_index index.php;
          fastcgi_pass unix:${config.services.phpfpm.pools.mediawiki.socket};
          include ${pkgs.nginx}/conf/fastcgi_params;
          include ${pkgs.nginx}/conf/fastcgi.conf;
        '';
      };
      # based on https://simplesamlphp.org/docs/stable/simplesamlphp-install.html#configuring-nginx
      "^~ /simplesaml/" = {
        alias = "${simplesamlphp}/share/php/simplesamlphp/public/";
        index = "index.php";
        extraConfig = ''
          location ~ ^/simplesaml/(?<phpfile>.+?\.php)(?<pathinfo>/.*)?$ {
            include ${pkgs.nginx}/conf/fastcgi_params;
            fastcgi_pass unix:${config.services.phpfpm.pools.mediawiki.socket}; 
            fastcgi_param SCRIPT_FILENAME ${simplesamlphp}/share/php/simplesamlphp/public/$phpfile;
            # Must be prepended with the baseurlpath
            fastcgi_param SCRIPT_NAME /simplesaml/$phpfile;
            fastcgi_param PATH_INFO $pathinfo if_not_empty;
          }
        '';
      };
      "/images/".alias = "${config.services.mediawiki.uploadsDir}/";
      "= /PNG/PVV-logo.svg".alias = ../../../../assets/logo_blue_regular.svg;
      "= /PNG/PVV-logo.png".alias = ../../../../assets/logo_blue_regular.png;
      "= /favicon.ico".alias = pkgs.runCommandLocal "mediawiki-favicon.ico" {
        buildInputs = with pkgs; [ imagemagick ];
      } ''
        convert \
 	  -resize x64 \
 	  -gravity center \
 	  -crop 64x64+0+0 \
 	  ${../../../../assets/logo_blue_regular.png} \
 	  -flatten \
 	  -colors 256 \
 	  -background transparent \
 	  $out
      '';
    };
  };
 }
--- a/hosts/bekkalokk/services/mediawiki/simplesaml-authsources.php
+++ b/hosts/bekkalokk/services/mediawiki/simplesaml-authsources.php
@@ -0,0 +1,11 @@
 <?php
 $config = array(
    'admin' => array(
      'core:AdminPassword'
    ),
    'default-sp' => array(
        'saml:SP',
        'entityID' => 'https://wiki2.pvv.ntnu.no/simplesaml/',
        'idp' => 'https://idp2.pvv.ntnu.no/',
    ),
 );
--- a/hosts/bekkalokk/services/mediawiki/simplesaml-config.php
+++ b/hosts/bekkalokk/services/mediawiki/simplesaml-config.php
--- a/hosts/bekkalokk/services/metrics/loki.nix
+++ b/hosts/bekkalokk/services/metrics/loki.nix
@@ -0,0 +1,4 @@
 { ... }:
 {
 }
--- a/hosts/bekkalokk/services/metrics/prometheus.nix
+++ b/hosts/bekkalokk/services/metrics/prometheus.nix
@@ -0,0 +1,4 @@
 { ... }:
 {
 }
--- a/hosts/bekkalokk/services/nginx/default.nix
+++ b/hosts/bekkalokk/services/nginx/default.nix
@@ -1,21 +1,21 @@
-{config, ... }:
+{ pkgs, config, ... }:
 {
  imports = [
    ./ingress.nix
  ];
  security.acme = {
    acceptTerms = true;
-    defaults.email = "danio@pvv.ntnu.no";
+    defaults.email = "drift@pvv.ntnu.no";
  };
  services.nginx = {
    enable = true;
    defaultListenAddresses = [ "129.241.210.169" "127.0.0.1" "127.0.0.2" "[2001:700:300:1900::169]" "[::1]" ];
    recommendedProxySettings = true;
    recommendedTlsSettings = true;
-    recommendedGzipSettings = true;
+    recommendedProxySettings = true;
    recommendedOptimisation = true;
    recommendedGzipSettings = true;
  };
  networking.firewall.allowedTCPPorts = [ 80 443 ];
--- a/hosts/bekkalokk/services/nginx/ingress.nix
+++ b/hosts/bekkalokk/services/nginx/ingress.nix
@@ -0,0 +1,55 @@
 { config, lib, ... }:
 {
  services.nginx.virtualHosts = {
    "www2.pvv.ntnu.no" = {
      serverAliases = [ "www2.pvv.org" "pvv.ntnu.no" "pvv.org" ];
      addSSL = true;
      enableACME = true;
      locations = {
        # Proxy home directories
        "/~" = {
          extraConfig = ''
            proxy_redirect off;
            proxy_pass https://tom.pvv.ntnu.no;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
          '';
        };
        # Redirect old wiki entries
        "/disk".return = "301 https://www.pvv.ntnu.no/pvv/Diskkjøp";
        "/dok/boker.php".return = "301 https://www.pvv.ntnu.no/pvv/Bokhyllen";
        "/styret/lover/".return = "301 https://www.pvv.ntnu.no/pvv/Lover";
        "/styret/".return = "301 https://www.pvv.ntnu.no/pvv/Styret";
        "/info/".return = "301 https://www.pvv.ntnu.no/pvv/";
        "/info/maskinpark/".return = "301 https://www.pvv.ntnu.no/pvv/Maskiner";
        "/medlemssider/meldinn.php".return = "301 https://www.pvv.ntnu.no/pvv/Medlemskontingent";
        "/diverse/medlems-sider.php".return = "301 https://www.pvv.ntnu.no/pvv/Medlemssider";
        "/cert/".return = "301 https://www.pvv.ntnu.no/pvv/CERT";
        "/drift".return = "301 https://www.pvv.ntnu.no/pvv/Drift";
        "/diverse/abuse.php".return = "301 https://www.pvv.ntnu.no/pvv/CERT/Abuse";
        "/nerds/".return = "301 https://www.pvv.ntnu.no/pvv/Nerdepizza";
        # TODO: Redirect webmail
        "/webmail".return = "301 https://webmail.pvv.ntnu.no/squirrelmail";
        # Redirect everything else to the main website
        "/".return = "301 https://www.pvv.ntnu.no$request_uri";
        # Proxy the matrix well-known files
        # Host has be set before proxy_pass
        # The header must be set so nginx on the other side routes it to the right place
        "/.well-known/matrix/" = {
          extraConfig = ''
            proxy_set_header Host matrix.pvv.ntnu.no;
            proxy_pass https://matrix.pvv.ntnu.no/.well-known/matrix/;
          '';
        };
      };
    };
  };
 }
--- a/hosts/bekkalokk/services/webmail/default.nix
+++ b/hosts/bekkalokk/services/webmail/default.nix
@@ -0,0 +1,15 @@
 { config, values, pkgs, lib, ... }:
 {
  imports = [
    ./roundcube.nix
  ];
  services.nginx.virtualHosts."webmail2.pvv.ntnu.no" = {
    forceSSL = true;
    enableACME = true;
    #locations."/" = lib.mkForce { };
    locations."= /" = {
      return = "301 https://www.pvv.ntnu.no/mail/";
    };
  };
 }
--- a/hosts/bekkalokk/services/webmail/roundcube.nix
+++ b/hosts/bekkalokk/services/webmail/roundcube.nix
@@ -0,0 +1,74 @@
 { config, pkgs, lib, ... }:
 with lib;
 let
  cfg = config.services.roundcube;
  domain = "webmail2.pvv.ntnu.no";
 in 
 {
  services.roundcube = {
    enable = true;
    package = pkgs.roundcube.withPlugins (plugins: with plugins; [
      persistent_login
      thunderbird_labels
      contextmenu
      custom_from
    ]);
    dicts = with pkgs.aspellDicts; [ en en-science en-computers nb nn fr de it ];
    maxAttachmentSize = 20;
    hostName = "roundcubeplaceholder.example.com";
    extraConfig = ''
      $config['enable_installer'] = false;
      $config['default_host'] = "ssl://imap.pvv.ntnu.no";
      $config['default_port'] = 993;
      $config['smtp_server'] = "ssl://smtp.pvv.ntnu.no";
      $config['smtp_port'] = 465;
      $config['mail_domain'] = "pvv.ntnu.no";
      $config['smtp_user'] = "%u";
      $config['support_url'] = "";
    '';
  };
  services.nginx.virtualHosts."roundcubeplaceholder.example.com" = lib.mkForce { };
  services.nginx.virtualHosts.${domain} = {
    locations."/roundcube" = {
      tryFiles = "$uri $uri/ =404";
      index = "index.php";
      root = pkgs.runCommandLocal "roundcube-dir" { } ''
        mkdir -p $out
        ln -s ${cfg.package} $out/roundcube
      '';
      extraConfig = ''
        location ~ ^/roundcube/(${builtins.concatStringsSep "|" [
        # https://wiki.archlinux.org/title/Roundcube
        "README"
        "INSTALL"
        "LICENSE"
        "CHANGELOG"
        "UPGRADING"
        "bin"
        "SQL"
        ".+\\.md"
        "\\."
        "config"
        "temp"
        "logs"
        ]})/? {
          deny all;
        }
        location ~ ^/roundcube/(.+\.php)(/?.*)$ {
          fastcgi_split_path_info ^/roundcube(/.+\.php)(/.+)$;
          include ${config.services.nginx.package}/conf/fastcgi_params;
          include ${config.services.nginx.package}/conf/fastcgi.conf;
          fastcgi_index index.php;
          fastcgi_pass unix:${config.services.phpfpm.pools.roundcube.socket};
        }
      '';
    };
  };
 }
--- a/hosts/bekkalokk/services/website.nix
+++ b/hosts/bekkalokk/services/website.nix
@@ -0,0 +1,4 @@
 { ... }:
 {
 }
--- a/hosts/bicep/acmeCert.nix
+++ b/hosts/bicep/acmeCert.nix
@@ -0,0 +1,24 @@
 { values, ... }:
 {
  users.groups.acme.members = [ "nginx" ];
  security.acme.certs."postgres.pvv.ntnu.no" = {
    group = "acme";
    extraDomainNames = [
      # "postgres.pvv.org"
      "bicep.pvv.ntnu.no"
      # "bicep.pvv.org"
      # values.hosts.bicep.ipv4
      # values.hosts.bicep.ipv6
    ];
  };
  services.nginx = {
    enable = true;
    virtualHosts."postgres.pvv.ntnu.no" = {
      forceSSL = true;
      enableACME = true;
      # useACMEHost = "postgres.pvv.ntnu.no";
    };
  };
 }
--- a/hosts/bicep/configuration.nix
+++ b/hosts/bicep/configuration.nix
@@ -0,0 +1,43 @@
 { pkgs, values, ... }:
 {
  imports = [
    ./hardware-configuration.nix
    ../../base.nix
    ../../misc/metrics-exporters.nix
    ./services/nginx
    ./acmeCert.nix
    ./services/mysql.nix
    ./services/postgres.nix
    ./services/mysql.nix
    # TODO: fix the calendar bot
    # ./services/calendar-bot.nix
    ./services/matrix
  ];
  sops.defaultSopsFile = ../../secrets/bicep/bicep.yaml;
  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
  sops.age.keyFile = "/var/lib/sops-nix/key.txt";
  sops.age.generateKey = true;
  boot.loader.grub.enable = true;
  boot.loader.grub.device = "/dev/disk/by-id/scsi-3600508b1001cb1a8751c137b30610682";
  networking.hostName = "bicep";
  systemd.network.networks."30-enp6s0f0" = values.defaultNetworkConfig // {
    matchConfig.Name = "enp6s0f0";
    address = with values.hosts.bicep; [ (ipv4 + "/25") (ipv6 + "/64") ]
      ++ (with values.services.turn; [ (ipv4 + "/25") (ipv6 + "/64") ]);
  };
  systemd.network.wait-online = {
    anyInterface = true;
  };
  # Do not change, even during upgrades.
  # See https://search.nixos.org/options?show=system.stateVersion
  system.stateVersion = "22.11";
 }
--- a/hosts/bicep/hardware-configuration.nix
+++ b/hosts/bicep/hardware-configuration.nix
@@ -0,0 +1,40 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 { config, lib, pkgs, modulesPath, ... }:
 {
  imports =
    [ (modulesPath + "/installer/scan/not-detected.nix")
    ];
  boot.initrd.availableKernelModules = [ "uhci_hcd" "ehci_pci" "hpsa" "ohci_pci" "usbhid" "sd_mod" ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ "kvm-intel" ];
  boot.extraModulePackages = [ ];
  fileSystems."/" =
    { device = "/dev/disk/by-uuid/31a67903-dc00-448a-a24a-36e820318fe5";
      fsType = "ext4";
    };
  fileSystems."/data" =
    { device = "/dev/disk/by-uuid/79e93eed-ad95-45c9-b115-4ef92afcc8c0";
      fsType = "f2fs";
    };
  swapDevices = [ ];
  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
  # (the default) this is the recommended approach. When using systemd-networkd it's
  # still possible to use this option, but it's recommended to use it in conjunction
  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
  networking.useDHCP = lib.mkDefault true;
  # networking.interfaces.enp6s0f0.useDHCP = lib.mkDefault true;
  # networking.interfaces.enp6s0f1.useDHCP = lib.mkDefault true;
  # networking.interfaces.enp6s0f2.useDHCP = lib.mkDefault true;
  # networking.interfaces.enp6s0f3.useDHCP = lib.mkDefault true;
  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 }
--- a/hosts/bicep/services/calendar-bot.nix
+++ b/hosts/bicep/services/calendar-bot.nix
@@ -0,0 +1,25 @@
 { config, lib, pkgs, ... }:
 let
  cfg = config.services.pvv-calendar-bot;
 in {
  sops.secrets."calendar-bot/matrix_token" = {
    sopsFile = ../../../secrets/bicep/bicep.yaml;
    key = "calendar-bot/matrix_token";
    owner = cfg.user;
    group = cfg.group;
  };
  services.pvv-calendar-bot = {
    enable = true;
    settings = {
      matrix = {
        homeserver = "https://matrix.pvv.ntnu.no";
        user = "@bot_calendar:pvv.ntnu.no";
        channel = "!gkNLUIhYVpEyLatcRz:pvv.ntnu.no";
      };
      secretsFile = config.sops.secrets."calendar-bot/matrix_token".path;
      onCalendar = "*-*-* 09:00:00";
    };
  };
 }
--- a/hosts/bicep/services/matrix/coturn.nix
+++ b/hosts/bicep/services/matrix/coturn.nix
@@ -2,10 +2,14 @@
 {
  sops.secrets."matrix/synapse/turnconfig" = {
    sopsFile = ../../../../secrets/bicep/matrix.yaml;
    key = "synapse/turnconfig";
    owner = config.users.users.matrix-synapse.name;
    group = config.users.users.matrix-synapse.group;
  };
  sops.secrets."matrix/coturn/static-auth-secret" = {
    sopsFile = ../../../../secrets/bicep/matrix.yaml;
    key = "coturn/static-auth-secret";
    owner = config.users.users.turnserver.name;
    group = config.users.users.turnserver.group;
  };
@@ -114,7 +118,7 @@
  };
  networking.firewall = {
-    interfaces.ens18 = let
+    interfaces.enp6s0f0 = let
      range = with config.services.coturn; [ {
      from = min-port;
      to = max-port;
--- a/hosts/bicep/services/matrix/default.nix
+++ b/hosts/bicep/services/matrix/default.nix
@@ -7,6 +7,7 @@
    ./synapse-admin.nix
    ./element.nix
    ./coturn.nix
    ./mjolnir.nix
    ./discord.nix
  ];
--- a/hosts/bicep/services/matrix/discord.nix
+++ b/hosts/bicep/services/matrix/discord.nix
@@ -7,6 +7,8 @@ in
  users.groups.keys-matrix-registrations = { };
  sops.secrets."matrix/registrations/mx-puppet-discord" = {
    sopsFile = ../../../../secrets/bicep/matrix.yaml;
    key = "registrations/mx-puppet-discord";
    owner = config.users.users.matrix-synapse.name;
    group = config.users.groups.keys-matrix-registrations.name;
  };
@@ -30,6 +32,9 @@ in
  services.mx-puppet-discord.serviceDependencies = [ "matrix-synapse.target" "nginx.service" ];
-  services.matrix-synapse-next.settings.app_service_config_files = [ config.sops.secrets."matrix/registrations/mx-puppet-discord".path ];
+  services.matrix-synapse-next.settings = {
    app_service_config_files = [ config.sops.secrets."matrix/registrations/mx-puppet-discord".path ];
    use_appservice_legacy_authorization = true;
  };
 }
--- a/hosts/bicep/services/matrix/element.nix
+++ b/hosts/bicep/services/matrix/element.nix
@@ -1,6 +1,7 @@
 { config, lib, pkgs, ... }:
-
+let
-{
+  synapse-cfg = config.services.matrix-synapse-next;
 in {
  services.nginx.virtualHosts."chat.pvv.ntnu.no" = {
    enableACME = true;
    forceSSL = true;
@@ -23,25 +24,31 @@
        features = {
          feature_latex_maths = true;
          feature_pinning = true;
          feature_render_reaction_images = true;
          feature_state_counters = true;
-          feature_custom_status = false;
+          # element call group calls
          feature_group_calls = true;
        };
        default_theme = "dark";
        # Servers in this list should provide some sort of valuable scoping
        # matrix.org is not useful compared to matrixrooms.info,
        # because it has so many general members, rooms of all topics are on it.
        # Something matrixrooms.info is already providing.
        room_directory.servers = [
          "pvv.ntnu.no"
-          "matrix.omegav.no"
+          "matrixrooms.info" # Searches all public room directories
-          "matrix.org"
+          "matrix.omegav.no" # Friends
-          "libera.chat"
+          "gitter.im" # gitter rooms
-          "gitter.im"
+          "mozilla.org" # mozilla and friends
-          "mozilla.org"
+          "kde.org" # KDE rooms
-          "kde.org"
+          "fosdem.org" # FOSDEM
-          "t2bot.io"
+          "dodsorf.as" # PVV Member
-          "fosdem.org"
+          "nani.wtf" # PVV Member
          "dodsorf.as"
        ];
        enable_presence_by_hs_url = {
          "https://matrix.org" = false;
-          "https://matrix.dodsorf.as" = false;
+          # "https://matrix.dodsorf.as" = false;
          "${synapse-cfg.settings.public_baseurl}" = synapse-cfg.settings.presence.enabled;
        };
      };
    };
--- a/hosts/bicep/services/matrix/mjolnir.nix
+++ b/hosts/bicep/services/matrix/mjolnir.nix
@@ -0,0 +1,56 @@
 { config, lib, ... }:
 {
  sops.secrets."matrix/mjolnir/access_token" = {
    sopsFile = ../../../../secrets/bicep/matrix.yaml;
    key = "mjolnir/access_token";
    owner = config.users.users.mjolnir.name;
    group = config.users.users.mjolnir.group;
  };
  services.mjolnir = {
    enable = true;
    pantalaimon.enable = false;
    homeserverUrl = http://127.0.0.1:8008;
    accessTokenFile = config.sops.secrets."matrix/mjolnir/access_token".path;
    managementRoom = "!gsdeCoWjvYRBrzuiRq:pvv.ntnu.no";
    protectedRooms = map (a: "https://matrix.to/#/${a}") [
      "#pvv:pvv.ntnu.no"
      "#stand:pvv.ntnu.no"
      "#music:pvv.ntnu.no"
      "#arts-and-crafts:pvv.ntnu.no"
      "#programming:pvv.ntnu.no"
      "#talks-and-texts:pvv.ntnu.no"
      "#job-offers:pvv.ntnu.no"
      "#vaffling:pvv.ntnu.no"
      "#pvv-fadder:pvv.ntnu.no"
      "#offsite:pvv.ntnu.no"
      "#help:pvv.ntnu.no"
      "#garniske-algoritmer:pvv.ntnu.no"
      "#bouldering:pvv.ntnu.no"
      "#filmclub:pvv.ntnu.no"
      "#video-games:pvv.ntnu.no"
      "#board-games:pvv.ntnu.no"
      "#tabletop-rpgs:pvv.ntnu.no"
      "#anime:pvv.ntnu.no"
      "#general:pvv.ntnu.no"
      "#announcements:pvv.ntnu.no"
      "#memes:pvv.ntnu.no"
      "#drift:pvv.ntnu.no"
      "#notifikasjoner:pvv.ntnu.no"
      "#forespoersler:pvv.ntnu.no"
      "#krisekanalen:pvv.ntnu.no"
      "#styret:pvv.ntnu.no"
    ];
    settings = {
      admin.enableMakeRoomAdminCommand = true;
    };
    # Module wants it even when not using pantalaimon
    # TODO: Fix upstream module in nixpkgs
    pantalaimon.username = "bot_admin";
  };
 }
--- a/hosts/bicep/services/matrix/smtp-authenticator/default.nix
+++ b/hosts/bicep/services/matrix/smtp-authenticator/default.nix
@@ -0,0 +1,17 @@
 { lib, buildPythonPackage, fetchFromGitHub }:
 buildPythonPackage rec {
  pname = "matrix-synapse-smtp-auth";
  version = "0.1.0";
  src = ./.;
  doCheck = false;
  meta = with lib; {
    description = "An SMTP auth provider for Synapse";
    homepage = "pvv.ntnu.no";
    license = licenses.agpl3Only;
    maintainers = with maintainers; [ dandellion ];
  };
 }
--- a/hosts/bicep/services/matrix/smtp-authenticator/setup.py
+++ b/hosts/bicep/services/matrix/smtp-authenticator/setup.py
@@ -0,0 +1,11 @@
 from setuptools import setup
 setup(
    name="matrix-synapse-smtp-auth",
    version="0.1.0",
    py_modules=['smtp_auth_provider'],
    author="Daniel Løvbrøtte Olsen",
    author_email="danio@pvv.ntnu.no",
    description="An SMTP auth provider for Synapse",
    license="AGPL-3.0-only"
 )
--- a/hosts/bicep/services/matrix/smtp-authenticator/smtp_auth_provider.py
+++ b/hosts/bicep/services/matrix/smtp-authenticator/smtp_auth_provider.py
@@ -0,0 +1,50 @@
 from typing import Awaitable, Callable, Optional, Tuple
 from smtplib import SMTP_SSL as SMTP
 import synapse
 from synapse import module_api
 import re
 class SMTPAuthProvider:
    def __init__(self, config: dict, api: module_api):
        self.api = api
        self.config = config
        api.register_password_auth_provider_callbacks(
            auth_checkers={
                ("m.login.password", ("password",)): self.check_pass,
            },
        )
    async def check_pass(
        self,
        username: str,
        login_type: str,
        login_dict: "synapse.module_api.JsonDict",
    ):
        if login_type != "m.login.password":
            return None
        # Convert `@username:server` to `username`
        match = re.match(r'^@([\da-z\-\.=_\/\+]+):[\w\d\.:\[\]]+$', username)
        username = match.group(1) if match else username
        result = False
        with SMTP(self.config["smtp_host"]) as smtp:
            password = login_dict.get("password")
            try:
                smtp.login(username, password)
                result = True
            except:
                return None
        if result == True:
            userid = self.api.get_qualified_user_id(username)
            if not self.api.check_user_exists(userid):
                self.api.register_user(username)
            return (userid, None)
        else:
            return None
--- a/hosts/bicep/services/matrix/synapse-admin.nix
+++ b/hosts/bicep/services/matrix/synapse-admin.nix
--- a/hosts/bicep/services/matrix/synapse.nix
+++ b/hosts/bicep/services/matrix/synapse.nix
@@ -1,38 +1,51 @@
-{ config, lib, pkgs, ... }:
+{ config, lib, pkgs, values, inputs, ... }:
 let
  cfg = config.services.matrix-synapse-next;
  matrix-lib = inputs.matrix-next.lib;
  imap0Attrs = with lib; f: set:
    listToAttrs (imap0 (i: attr: nameValuePair attr (f i attr set.${attr})) (attrNames set));
 in {
-  sops.secrets."matrix/synapse/dbconfig" = {
+  sops.secrets."matrix/synapse/signing_key" = {
    key = "synapse/signing_key";
    sopsFile = ../../../../secrets/bicep/matrix.yaml;
    owner = config.users.users.matrix-synapse.name;
    group = config.users.users.matrix-synapse.group;
  };
-  sops.secrets."matrix/synapse/signing_key" = {
+  sops.secrets."matrix/synapse/user_registration" = {
    sopsFile = ../../../../secrets/bicep/matrix.yaml;
    key = "synapse/signing_key";
    owner = config.users.users.matrix-synapse.name;
    group = config.users.users.matrix-synapse.group;
  };
  sops.secrets."matrix/sliding-sync/env" = {
    sopsFile = ../../../../secrets/bicep/matrix.yaml;
    key = "sliding-sync/env";
  };
  services.matrix-synapse-next = {
    enable = true;
    plugins = [
      (pkgs.python3Packages.callPackage ./smtp-authenticator { })
    ];
    dataDir = "/data/synapse";
    workers.federationSenders = 2;
-    workers.federationReceivers = 1;
+    workers.federationReceivers = 2;
    workers.initialSyncers = 1;
    workers.normalSyncers = 1;
-    workers.eventPersisters = 1;
+    workers.eventPersisters = 2;
    workers.useUserDirectoryWorker = true;
-    enableNginx = true;
+    enableSlidingSync = true;
-    extraConfigFiles = [
+    enableNginx = true;
      config.sops.secrets."matrix/synapse/dbconfig".path
    ];
    settings = {
      server_name = "pvv.ntnu.no";
@@ -42,6 +55,26 @@ in {
      media_store_path =  "${cfg.dataDir}/media";
      database = {
        name = "psycopg2";
        args = {
          host = "/var/run/postgresql";
          dbname = "synapse";
          user = "matrix-synapse";
          cp_min = 1;
          cp_max = 5;
        };
      };
      presence.enabled = false;
      event_cache_size = "20K"; # Default is 10K but I can't find the factor for this cache
      caches = {
        per_cache_factors = {
          _event_auth_cache = 2.0;
        };
      };
      autocreate_auto_join_rooms = false;
      auto_join_rooms = [
        "#pvv:pvv.ntnu.no" # Main space
@@ -54,10 +87,20 @@ in {
      max_upload_size = "150M";
      enable_metrics = true;
      mau_stats_only = true;
      enable_registration = false;
      registration_shared_secret_path = config.sops.secrets."matrix/synapse/user_registration".path;
-      password_config.enabled = lib.mkForce false;
+      password_config.enabled = true;
      modules = [
        { module = "smtp_auth_provider.SMTPAuthProvider";
          config = {
            smtp_host = "smtp.pvv.ntnu.no";
          };
        }
      ];
      trusted_key_servers = [
        { server_name = "matrix.org"; }
@@ -168,41 +211,57 @@ in {
    };
  };
  services.matrix-synapse.sliding-sync.environmentFile = config.sops.secrets."matrix/sliding-sync/env".path;
  services.redis.servers."".enable = true;
-  services.nginx.virtualHosts."matrix.pvv.ntnu.no" = lib.mkMerge [({
+  services.nginx.virtualHosts."matrix.pvv.ntnu.no" = lib.mkMerge [
  ({
    locations."/.well-known/matrix/server" = {
      return = ''
        200 '{"m.server": "matrix.pvv.ntnu.no:443"}'
      '';
      extraConfig = ''
        default_type application/json;
        add_header Access-Control-Allow-Origin *;
      '';
    };
  })
  ({
    locations = let
-      isListenerType = type: listener: lib.lists.any (r: lib.lists.any (n: n == type) r.names) listener.resources;
+      connectionInfo = w: matrix-lib.workerConnectionResource "metrics" w;
-      isMetricsListener = l: isListenerType "metrics" l;
+      socketAddress = w: let c = connectionInfo w; in "${c.host}:${toString (c.port)}";
      firstMetricsListener = w: lib.lists.findFirst isMetricsListener (throw "No metrics endpoint on worker") w.settings.worker_listeners;
      wAddress = w: lib.lists.findFirst (_: true) (throw "No address in receiver") (firstMetricsListener w).bind_addresses;
      wPort = w: (firstMetricsListener w).port;
      socketAddress = w: "${wAddress w}:${toString (wPort w)}";
      metricsPath = w: "/metrics/${w.type}/${toString w.index}";
      proxyPath = w: "http://${socketAddress w}/_synapse/metrics";
-    in lib.mapAttrs' (n: v: lib.nameValuePair (metricsPath v) ({ proxyPass = proxyPath v; }))
+    in lib.mapAttrs' (n: v: lib.nameValuePair
      (metricsPath v) ({
        proxyPass = proxyPath v;
        extraConfig = ''
          allow ${values.hosts.ildkule.ipv4};
          allow ${values.hosts.ildkule.ipv6};
          deny all;
        '';
      }))
      cfg.workers.instances;
  })
  ({
    locations."/metrics/master/1" = {
      proxyPass = "http://127.0.0.1:9000/_synapse/metrics";
      extraConfig = ''
        allow ${values.hosts.ildkule.ipv4};
        allow ${values.hosts.ildkule.ipv6};
        deny all;
      '';
    };
    locations."/metrics/" = let
-      endpoints = builtins.map (x: "matrix.pvv.ntnu.no/metrics/${x}") [
+      endpoints = lib.pipe cfg.workers.instances [
-        "master/1"
+        (lib.mapAttrsToList (_: v: v))
-        "fed-sender/1"
+        (map (w: "${w.type}/${toString w.index}"))
-        "fed-sender/2"
+        (map (w: "matrix.pvv.ntnu.no/metrics/${w}"))
-        "fed-receiver/1"
+      ] ++ [ "matrix.pvv.ntnu.no/metrics/master/1" ];
        "initial-sync/1"
        "normal-sync/1"
        "event-persist/1"
        "user-dir/1"
      ];
    in {
      alias = pkgs.writeTextDir "/config.json"
        (builtins.toJSON [
--- a/hosts/bicep/services/mysql.nix
+++ b/hosts/bicep/services/mysql.nix
@@ -0,0 +1,53 @@
 { pkgs, lib, config, values, ... }:
 {
  sops.secrets."mysql/password" = {
    owner = "mysql";
    group = "mysql";
  };
  users.mysql.passwordFile = config.sops.secrets."mysql/password".path;
  services.mysql = {
    enable = true;
    dataDir = "/data/mysql";
    package = pkgs.mariadb;
    settings = {
      mysqld = {
        # PVV allows a lot of connections at the same time
        max_connect_errors = 10000;
 	bind-address = values.services.mysql.ipv4;
 	skip-networking = 0;
 	# This was needed in order to be able to use all of the old users
 	# during migration from knakelibrak to bicep in Sep. 2023
 	secure_auth = 0;
      };
    };
    # Note: This user also has MAX_USER_CONNECTIONS set to 3, and
    #       a password which can be found in /secrets/ildkule/ildkule.yaml
    #       We have also changed both the host and auth plugin of this user
    #       to be 'ildkule.pvv.ntnu.no' and 'mysql_native_password' respectively.
    ensureUsers = [{
      name = "prometheus_mysqld_exporter";
      ensurePermissions = {
        "*.*" = "PROCESS, REPLICATION CLIENT, SELECT, SLAVE MONITOR";
      };
    }];
  };
  services.mysqlBackup = {
    enable = true;
    location = "/var/lib/mysql/backups";
  };
  networking.firewall.allowedTCPPorts = [ 3306 ];
  systemd.services.mysql.serviceConfig = {
    IPAddressDeny = "any";
    IPAddressAllow = [
      values.ipv4-space
      values.ipv6-space
    ];
  };
 }
--- a/hosts/bicep/services/nginx/default.nix
+++ b/hosts/bicep/services/nginx/default.nix
@@ -0,0 +1,45 @@
 { config, values, ... }:
 {
  security.acme = {
    acceptTerms = true;
    defaults.email = "danio@pvv.ntnu.no";
  };
  services.nginx = {
    enable = true;
    enableReload = true;
    defaultListenAddresses = [
      values.hosts.bicep.ipv4
      "[${values.hosts.bicep.ipv6}]"
      "127.0.0.1"
      "127.0.0.2"
      "[::1]"
    ];
    appendConfig = ''
      pcre_jit on;
      worker_processes 8;
      worker_rlimit_nofile 8192;
    '';
    eventsConfig = ''
      multi_accept on;
      worker_connections 4096;
    '';
    recommendedProxySettings = true;
    recommendedTlsSettings = true;
    recommendedGzipSettings = true;
    recommendedBrotliSettings = true;
    recommendedOptimisation = true;
  };
  networking.firewall.allowedTCPPorts = [ 80 443 ];
  systemd.services.nginx.serviceConfig = {
    LimitNOFILE = 65536;
  };
 }
--- a/hosts/bicep/services/postgres.nix
+++ b/hosts/bicep/services/postgres.nix
@@ -0,0 +1,97 @@
 { config, pkgs, ... }:
 let
  sslCert = config.security.acme.certs."postgres.pvv.ntnu.no";
 in
 {
  services.postgresql = {
    enable = true;
    package = pkgs.postgresql_15;
    enableTCPIP = true;
    dataDir = "/data/postgresql";
    authentication = ''
      host all all 129.241.210.128/25 md5
      host all all 2001:700:300:1900::/64 md5
    '';
    # Hilsen https://pgconfigurator.cybertec-postgresql.com/
    settings = {
      # Connectivity
      max_connections = 500;
      superuser_reserved_connections = 3;
      # Memory Settings
      shared_buffers = "8192 MB";
      work_mem = "32 MB";
      maintenance_work_mem = "420 MB";
      effective_cache_size = "22 GB";
      effective_io_concurrency = 100;
      random_page_cost = 1.25;
      # Monitoring
      shared_preload_libraries = "pg_stat_statements";
      track_io_timing = true;
      track_functions = "pl";
      # Replication
      wal_level = "replica";
      max_wal_senders = 0;
      synchronous_commit = false;
      # Checkpointing:
      checkpoint_timeout = "15 min";
      checkpoint_completion_target = 0.9;
      max_wal_size = "1024 MB";
      min_wal_size = "512 MB";
      # WAL writing
      wal_compression = true;
      wal_buffers = -1;
      # Background writer
      bgwriter_delay = "200ms";
      bgwriter_lru_maxpages = 100;
      bgwriter_lru_multiplier = 2.0;
      bgwriter_flush_after = 0;
      # Parallel queries:
      max_worker_processes = 8;
      max_parallel_workers_per_gather = 4;
      max_parallel_maintenance_workers = 4;
      max_parallel_workers = 8;
      parallel_leader_participation = true;
      # Advanced features
      enable_partitionwise_join = true;
      enable_partitionwise_aggregate = true;
      max_slot_wal_keep_size = "1000 MB";
      track_wal_io_timing = true;
      maintenance_io_concurrency = 100;
      wal_recycle = true;
      # SSL
      ssl = true;
      ssl_cert_file = "/run/credentials/postgresql.service/cert";
      ssl_key_file = "/run/credentials/postgresql.service/key";
    };
  };
  systemd.services.postgresql.serviceConfig = {
    LoadCredential = [
      "cert:${sslCert.directory}/cert.pem"
      "key:${sslCert.directory}/key.pem"
    ];
  };
  users.groups.acme.members = [ "postgres" ];
  networking.firewall.allowedTCPPorts = [ 5432 ];
  networking.firewall.allowedUDPPorts = [ 5432 ];
  services.postgresqlBackup = {
    enable = true;
    location = "/var/lib/postgres/backups";
    backupAll = true;
  };
 }
--- a/hosts/bikkje/configuration.nix
+++ b/hosts/bikkje/configuration.nix
@@ -0,0 +1,44 @@
 { config, pkgs, values, ... }:
 {
    networking.nat = {
    enable = true;
    internalInterfaces = ["ve-+"];
    externalInterface = "ens3";
    # Lazy IPv6 connectivity for the container
    enableIPv6 = true;
  };
  containers.bikkje = {
    autoStart = true;
    config = { config, pkgs, ... }: {
      #import packages
      packages = with pkgs; [
          alpine
          mutt
          mutt-ics
          mutt-wizard
          weechat
          weechatScripts.edit
          hexchat
          irssi
          pidgin
      ];
      networking = {
        firewall = {
          enable = true;
          # Allow SSH and HTTP and ports for email and irc
          allowedTCPPorts = [ 80 22 194 994 6665 6666 6667 6668 6669 6697 995 993 25 465 587 110 143 993 995 ];
          allowedUDPPorts = [ 80 22 194 994 6665 6666 6667 6668 6669 6697 995 993 25 465 587 110 143 993 995 ];
        };
        # Use systemd-resolved inside the container
        # Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686
        useHostResolvConf = mkForce false;
      };
      system.stateVersion = "23.11";
      services.resolved.enable = true;
    };
  };
 };
--- a/hosts/bob/configuration.nix
+++ b/hosts/bob/configuration.nix
@@ -0,0 +1,46 @@
 { config, pkgs, values, ... }:
 {
  imports = [
      # Include the results of the hardware scan.
      ./hardware-configuration.nix
      ../../base.nix
      ../../misc/metrics-exporters.nix
      ./disks.nix
      ../../misc/builder.nix
    ];
  sops.defaultSopsFile = ../../secrets/bob/bob.yaml;
  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
  sops.age.keyFile = "/var/lib/sops-nix/key.txt";
  sops.age.generateKey = true;
  boot.loader.grub = {
    enable = true;
    efiSupport = true;
    efiInstallAsRemovable = true;
  };
  networking.hostName = "bob"; # Define your hostname.
  systemd.network.networks."30-all" = values.defaultNetworkConfig // {
    matchConfig.Name = "en*";
    DHCP = "yes";
    gateway = [ ];
  };
  # List packages installed in system profile
  environment.systemPackages = with pkgs; [
  ];
  # List services that you want to enable:
  # This value determines the NixOS release from which the default
  # settings for stateful data, like file locations and database versions
  # on your system were taken. It‘s perfectly fine and recommended to leave
  # this value at the release version of the first install of this system.
  # Before changing this value read the documentation for this option
  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
  system.stateVersion = "23.05"; # Did you read the comment?
 }
--- a/hosts/bob/disks.nix
+++ b/hosts/bob/disks.nix
@@ -0,0 +1,39 @@
 # Example to create a bios compatible gpt partition
 { lib, ... }:
 {
  disko.devices = {
    disk.disk1 = {
      device = lib.mkDefault "/dev/sda";
      type = "disk";
      content = {
        type = "gpt";
        partitions = {
          boot = {
            name = "boot";
            size = "1M";
            type = "EF02";
          };
          esp = {
            name = "ESP";
            size = "500M";
            type = "EF00";
            content = {
              type = "filesystem";
              format = "vfat";
              mountpoint = "/boot";
            };
          };
          root = {
            name = "root";
            size = "100%";
            content = {
              type = "filesystem";
              format = "ext4";
              mountpoint = "/";
            };
          };
        };
      };
    };
  };
 }
--- a/hosts/bob/hardware-configuration.nix
+++ b/hosts/bob/hardware-configuration.nix
@@ -0,0 +1,24 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 { config, lib, pkgs, modulesPath, ... }:
 {
  imports =
    [ (modulesPath + "/profiles/qemu-guest.nix")
    ];
  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_blk" ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ ];
  boot.extraModulePackages = [ ];
  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
  # (the default) this is the recommended approach. When using systemd-networkd it's
  # still possible to use this option, but it's recommended to use it in conjunction
  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
  networking.useDHCP = lib.mkDefault true;
  # networking.interfaces.ens3.useDHCP = lib.mkDefault true;
  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
 }
--- a/hosts/brzeczyszczykiewicz/configuration.nix
+++ b/hosts/brzeczyszczykiewicz/configuration.nix
@@ -0,0 +1,36 @@
 { config, pkgs, values, ... }:
 {
  imports = [
      # Include the results of the hardware scan.
      ./hardware-configuration.nix
      ../../base.nix
      ../../misc/metrics-exporters.nix
      ./services/grzegorz.nix
    ];
  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;
  networking.hostName = "brzeczyszczykiewicz";
  systemd.network.networks."30-eno1" = values.defaultNetworkConfig // {
    matchConfig.Name = "eno1";
    address = with values.hosts.brzeczyszczykiewicz; [ (ipv4 + "/25") (ipv6 + "/64") ];
  };
  # List packages installed in system profile
  environment.systemPackages = with pkgs; [
  ];
  # List services that you want to enable:
  # This value determines the NixOS release from which the default
  # settings for stateful data, like file locations and database versions
  # on your system were taken. It‘s perfectly fine and recommended to leave
  # this value at the release version of the first install of this system.
  # Before changing this value read the documentation for this option
  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
  system.stateVersion = "23.05"; # Did you read the comment?
 }
--- a/hosts/brzeczyszczykiewicz/hardware-configuration.nix
+++ b/hosts/brzeczyszczykiewicz/hardware-configuration.nix
@@ -0,0 +1,39 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 { config, lib, pkgs, modulesPath, ... }:
 {
  imports =
    [ (modulesPath + "/installer/scan/not-detected.nix")
    ];
  boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" "sr_mod" ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ "kvm-intel" ];
  boot.extraModulePackages = [ ];
  fileSystems."/" =
    { device = "/dev/disk/by-uuid/4e8667f8-55de-4103-8369-b94665f42204";
      fsType = "ext4";
    };
  fileSystems."/boot" =
    { device = "/dev/disk/by-uuid/82E3-3D03";
      fsType = "vfat";
    };
  swapDevices =
    [ { device = "/dev/disk/by-uuid/d0bf9a21-44bc-44a3-ae55-8f0971875883"; }
    ];
  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
  # (the default) this is the recommended approach. When using systemd-networkd it's
  # still possible to use this option, but it's recommended to use it in conjunction
  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
  networking.useDHCP = lib.mkDefault true;
  # networking.interfaces.eno1.useDHCP = lib.mkDefault true;
  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 }
--- a/hosts/brzeczyszczykiewicz/services/grzegorz.nix
+++ b/hosts/brzeczyszczykiewicz/services/grzegorz.nix
@@ -0,0 +1,11 @@
 { config, ... }:
 {
  imports = [ ../../../modules/grzegorz.nix ];
  services.nginx.virtualHosts."${config.networking.fqdn}" = {
    serverAliases = [
      "bokhylle.pvv.ntnu.no"
      "bokhylle.pvv.org"
    ];
  };
 }
--- a/hosts/buskerud/configuration.nix
+++ b/hosts/buskerud/configuration.nix
@@ -0,0 +1,36 @@
 { config, pkgs, values, ... }:
 {
  imports = [
    ./hardware-configuration.nix
    ../../base.nix
    ../../misc/metrics-exporters.nix
  ];
  # buskerud does not support efi?
  # boot.loader.systemd-boot.enable = true;
  # boot.loader.efi.canTouchEfiVariables = true;
  boot.loader.grub.enable = true;
  boot.loader.grub.device = "/dev/sdb";
  networking.hostName = "buskerud";
  networking.search = [ "pvv.ntnu.no" "pvv.org" ];
  networking.nameservers = [ "129.241.0.200" "129.241.0.201" ];
  networking.tempAddresses = "disabled";
  systemd.network.networks."enp3s0f0" = values.defaultNetworkConfig // {
    matchConfig.Name = "enp3s0f0";
    address = with values.hosts.buskerud; [ (ipv4 + "/25") (ipv6 + "/64") ];
  };
  # List packages installed in system profile
  environment.systemPackages = with pkgs; [
  ];
  # This value determines the NixOS release from which the default
  # settings for stateful data, like file locations and database versions
  # on your system were taken. It‘s perfectly fine and recommended to leave
  # this value at the release version of the first install of this system.
  # Before changing this value read the documentation for this option
  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
  system.stateVersion = "23.05"; # Did you read the comment?
 }
--- a/hosts/buskerud/hardware-configuration.nix
+++ b/hosts/buskerud/hardware-configuration.nix
@@ -0,0 +1,37 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 { config, lib, pkgs, modulesPath, ... }:
 {
  imports =
    [ (modulesPath + "/installer/scan/not-detected.nix")
    ];
  boot.initrd.availableKernelModules = [ "uhci_hcd" "ehci_pci" "ata_piix" "hpsa" "usb_storage" "usbhid" "sd_mod" "sr_mod" ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ "kvm-intel" ];
  boot.extraModulePackages = [ ];
  fileSystems."/" =
    { device = "/dev/disk/by-uuid/ed9654fe-575a-4fb3-b6ff-1b059479acff";
      fsType = "ext4";
    };
  swapDevices = [ ];
  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
  # (the default) this is the recommended approach. When using systemd-networkd it's
  # still possible to use this option, but it's recommended to use it in conjunction
  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
  networking.useDHCP = lib.mkDefault true;
  # networking.interfaces.enp14s0f0.useDHCP = lib.mkDefault true;
  # networking.interfaces.enp14s0f1.useDHCP = lib.mkDefault true;
  # networking.interfaces.enp3s0f0.useDHCP = lib.mkDefault true;
  # networking.interfaces.enp3s0f1.useDHCP = lib.mkDefault true;
  # networking.interfaces.enp4s0f0.useDHCP = lib.mkDefault true;
  # networking.interfaces.enp4s0f1.useDHCP = lib.mkDefault true;
  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 }
--- a/hosts/georg/configuration.nix
+++ b/hosts/georg/configuration.nix
@@ -0,0 +1,36 @@
 { config, pkgs, values, ... }:
 {
  imports = [
      # Include the results of the hardware scan.
      ./hardware-configuration.nix
      ../../base.nix
      ../../misc/metrics-exporters.nix
      ../../modules/grzegorz.nix
    ];
  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;
  networking.hostName = "georg";
  systemd.network.networks."30-eno1" = values.defaultNetworkConfig // {
    matchConfig.Name = "eno1";
    address = with values.hosts.georg; [ (ipv4 + "/25") (ipv6 + "/64") ];
  };
  # List packages installed in system profile
  environment.systemPackages = with pkgs; [
  ];
  # List services that you want to enable:
  # This value determines the NixOS release from which the default
  # settings for stateful data, like file locations and database versions
  # on your system were taken. It‘s perfectly fine and recommended to leave
  # this value at the release version of the first install of this system.
  # Before changing this value read the documentation for this option
  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
  system.stateVersion = "23.05"; # Did you read the comment?
 }
--- a/hosts/georg/hardware-configuration.nix
+++ b/hosts/georg/hardware-configuration.nix
@@ -0,0 +1,40 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 { config, lib, pkgs, modulesPath, ... }:
 {
  imports =
    [ (modulesPath + "/installer/scan/not-detected.nix")
    ];
  boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usb_storage" "usbhid" "sd_mod" ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ "kvm-intel" ];
  boot.extraModulePackages = [ ];
  fileSystems."/" =
    { device = "/dev/disk/by-uuid/33825f0d-5a63-40fc-83db-bfa1ebb72ba0";
      fsType = "ext4";
    };
  fileSystems."/boot" =
    { device = "/dev/disk/by-uuid/145E-7362";
      fsType = "vfat";
    };
  swapDevices =
    [ { device = "/dev/disk/by-uuid/7ed27e21-3247-44cd-8bcc-5d4a2efebf57"; }
    ];
  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
  # (the default) this is the recommended approach. When using systemd-networkd it's
  # still possible to use this option, but it's recommended to use it in conjunction
  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
  networking.useDHCP = lib.mkDefault true;
  # networking.interfaces.eno1.useDHCP = lib.mkDefault true;
  # networking.interfaces.enp2s2.useDHCP = lib.mkDefault true;
  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 }
--- a/hosts/greddost/configuration.nix
+++ b/hosts/greddost/configuration.nix
@@ -1,66 +0,0 @@
 # Edit this configuration file to define what should be installed on
 # your system.  Help is available in the configuration.nix(5) man page
 # and in the NixOS manual (accessible by running ‘nixos-help’).
 { config, pkgs, ... }:
 {
  imports =
    [ # Include the results of the hardware scan.
      ../../hardware-configuration.nix
      ../../base.nix
      ../../services/minecraft
    ];
  nixpkgs.config.packageOverrides = pkgs: {
    unstable = (import <nixos-unstable>) { };
  };
  # Use the GRUB 2 boot loader.
  boot.loader.grub.enable = true;
  boot.loader.grub.version = 2;
  # boot.loader.grub.efiSupport = true;
  # boot.loader.grub.efiInstallAsRemovable = true;
  # boot.loader.efi.efiSysMountPoint = "/boot/efi";
  # Define on which hard drive you want to install Grub.
  boot.loader.grub.device = "/dev/sda"; # or "nodev" for efi only
  networking.hostName = "greddost"; # Define your hostname.
  networking.interfaces.ens18.useDHCP = false;
  networking.defaultGateway = "129.241.210.129";
  networking.interfaces.ens18.ipv4 = {
    addresses = [
      {
        address = "129.241.210.174";
        prefixLength = 25;
      }
    ];
  };
  networking.interfaces.ens18.ipv6 = {
    addresses = [
      {
        address = "2001:700:300:1900::174";
        prefixLength = 64;
      }
    ];
  };
  networking.nameservers = [ "129.241.0.200" "129.241.0.201" ];
  # Open ports in the firewall.
  networking.firewall.allowedTCPPorts = [ 25565 ];
  networking.firewall.allowedUDPPorts = [ 25565 ];
  # This value determines the NixOS release from which the default
  # settings for stateful data, like file locations and database versions
  # on your system were taken. It‘s perfectly fine and recommended to leave
  # this value at the release version of the first install of this system.
  # Before changing this value read the documentation for this option
  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
  system.stateVersion = "21.11"; # Did you read the comment?
 }
--- a/hosts/greddost/services/minecraft/default.nix
+++ b/hosts/greddost/services/minecraft/default.nix
@@ -1,158 +0,0 @@
 {config, lib, pkgs, ... }:
 {
  imports = [ ./minecraft-server-fabric.nix ];
  environment.systemPackages = with pkgs; [
    mcron
  ];
  pvv.minecraft-server-fabric = {
    enable = true;
    eula = true;
    package = pkgs.callPackage ../../pkgs/minecraft-server-fabric { minecraft-server = (pkgs.callPackage ../../pkgs/minecraft-server/1_18_1.nix { }); };
    jvmOpts = "-Xms10G -Xmx10G -XX:+UnlockExperimentalVMOptions -XX:+UseZGC  -XX:+DisableExplicitGC  -XX:+AlwaysPreTouch -XX:+ParallelRefProcEnabled";
    serverProperties = {
      view-distance = 12;
      simulation-distance = 12;
      enable-command-block = true;
      gamemode = "survival";
      difficulty = "normal";
      white-list = true;
      enable-rcon = true;
      "rcon.password" = "pvv";
    };
    dataDir = "/fast/minecraft-pvv";
    mods = [
      (pkgs.fetchurl { # Fabric API is a common dependency for fabric based mods
        url = "https://cdn.modrinth.com/data/P7dR8mSH/versions/0.44.0+1.18/fabric-api-0.44.0+1.18.jar";
        sha256 = "0mlmj7mj073a48s8zgc1km0jwkphz01c1fvivn4mw37lbm2p4834";
      })
      (pkgs.fetchurl { # Lithium is a 100% vanilla compatible optimization mod
        url = "https://cdn.modrinth.com/data/gvQqBUqZ/versions/mc1.18.1-0.7.6/lithium-fabric-mc1.18.1-0.7.6.jar";
        sha256 = "1fw1ikg578v4i6bmry7810a3q53h8yspxa3awdz7d746g91g8lf7";
      })
      (pkgs.fetchurl { # Starlight is the lighting engine of papermc
        url = "https://cdn.modrinth.com/data/H8CaAYZC/versions/Starlight%201.0.0%201.18.x/starlight-1.0.0+fabric.d0a3220.jar";
        sha256 = "0bv9im45hhc8n6x57lakh2rms0g5qb7qfx8qpx8n6mbrjjz6gla1";
      })
      (pkgs.fetchurl { # Krypton is a linux optimized optimizer for minecrafts networking system
        url = "https://cdn.modrinth.com/data/fQEb0iXm/versions/0.1.6/krypton-0.1.6.jar";
        sha256 = "1ribvbww4msrfdnzlxipk8kpzz7fnwnd4q6ln6mpjlhihcjb3hni";
      })
      (pkgs.fetchurl { # C2ME is a parallelizer for chunk loading and generation, experimental!!!
        url = "https://cdn.modrinth.com/data/VSNURh3q/versions/0.2.0+alpha.5.104%201.18.1/c2me-fabric-mc1.18.1-0.2.0+alpha.5.104-all.jar";
        sha256 = "13zrpsg61fynqnnlm7dvy3ihxk8khlcqsif68ak14z7kgm4py6nw";
      })
      (pkgs.fetchurl { # Spark is a profiler for minecraft
        url = "https://ci.lucko.me/job/spark/251/artifact/spark-fabric/build/libs/spark-fabric.jar";
        sha256 = "1clvi5v7a14ba23jbka9baz99h6wcfjbadc8kkj712fmy2h0sx07";
      })
      #(pkgs.fetchurl { # Carpetmod gives you tps views in the tab menu,
      #  # but also adds a lot of optional serverside vanilla+ features (which we arent using).
      #  # So probably want something else
      #  url = "https://github.com/gnembon/fabric-carpet/releases/download/1.4.56/fabric-carpet-1.18-1.4.56+v211130.jar";
      #  sha256 = "0rvl2yb8xymla8c052j07gqkqfkz4h5pxf6aip2v9v0h8r84p9hf";
      #})
    ];
    whitelist = {
      gunalx = "913a21ae-3a11-4178-a192-401490ca0891";
      eirikwitt = "1689e626-1cc8-4b91-81c4-0632fd34eb19";
      Rockj = "202c0c91-a4e0-4b45-8c1b-fc51a8956c0a";
      paddishar = "326845aa-4b45-4cd9-8108-7816e10a9828";
      nordyorn = "f253cddf-a520-42ab-85d3-713992746e42";
      hell04 = "c681df2a-6a30-4c66-b70d-742eb68bbc04";
      steinarh = "bd8c419e-e6dc-4fc5-ac62-b92f98c1abc9";
      EastTown2000 = "f273ed2e-d3ba-43fc-aff4-3e800cdf25e1";
      DirDanner = "5b5476a2-1138-476b-9ff1-1f39f834a428";
      asgeirbj = "dbd5d89f-3d8a-4662-ad15-6c4802d0098f";
      Linke03 = "0dbc661d-898a-47ff-a371-32b7bd76b78b";
      somaen = "cc0bdd13-4304-4160-80e7-8f043446fa83";
      einaman = "39f45df3-423d-4274-9ef9-c9b7575e3804";
      liseu = "c8f4d9d8-3140-4c35-9f66-22bc351bb7e6";
      torsteno = "ae1e7b15-a0de-4244-9f73-25b68427e34a";
      simtind = "39c03c95-d628-4ccc-843d-ce1332462d9e";
      aellaie = "c585605d-24bb-4d75-ba9c-0064f6a39328";
      PerKjelsvik = "5df69f17-27c9-4426-bcae-88b435dfae73";
      CelestialCry = "9e34d192-364e-4566-883a-afc868c4224d";
      terjesc = "993d70e8-6f9b-4094-813c-050d1a90be62";
      maxelost = "bf465915-871a-4e3e-a80c-061117b86b23";
      "4ce1" = "8a9b4926-0de8-43f0-bcde-df1442dee1d0";
      exponential = "1ebcca9d-0964-48f3-9154-126a9a7e64f6";
      Dodsorbot = "3baa9d58-32e4-465e-80bc-9dcb34e23e1d";
      HFANTOM = "cd74d407-7fb0-4454-b3f4-c0b4341fde18";
      Ghostmaker = "96465eee-e665-49ab-9346-f12d5a040624";
      soonhalle = "61a8e674-7c7a-4120-80d1-4453a5993350";
      MasterMocca = "481e6dac-9a17-4212-9664-645c3abe232f";
      soulprayfree = "cfb1fb23-5115-4fe2-9af9-00a02aea9bf8";
      calibwam = "0d5d5209-bb7c-4006-9451-fb85d7d52618";
      Skuggen = "f0ccee0b-741a-413a-b8e6-d04552b9d78a";
      Sivertsen3 = "cefac1a6-52a7-4781-be80-e7520f758554";
      vafflonaut = "4d864d5c-74e2-4f29-b57d-50dea76aaabd";
      Dhila = "c71d6c23-14d7-4daf-ae59-cbf0caf45681";
      remorino = "2972ab22-96b3-462d-ab4d-9b6b1775b9bb";
      SamuelxJackson = "f140e4aa-0a19-48ab-b892-79b24bd82c1e";
      ToanBuiDuc = "a3c54742-4caf-4334-8bbb-6402a8eb4268";
      Joces123 = "ecbcfbf9-9bcc-49f0-9435-f2ac2b3217c1";
      brunsviken = "75ff5f0e-8adf-4807-a7f0-4cb66f81cb7f";
      oscarsb1 = "9460015a-65cc-4a2f-9f91-b940b6ce7996";
      CVi = "6f5691ce-9f9c-4310-84aa-759d2f9e138e";
      Tawos = "0b98e55c-10cf-4b23-85d3-d15407431ace";
      evenhunn = "8751581b-cc5f-4f8b-ae1e-34d90127e074";
      q41 = "a080e5b4-10ee-4d6f-957e-aa5053bb1046";
      jesper001 = "fbdf3ceb-eaa9-4aeb-94c2-a587cde41774";
      finninde = "f58afd00-28cd-48dd-a74a-6c1d76b57f66";
      GameGuru999 = "535f2188-a4a4-4e54-bec6-74977bee09ab";
      MinusOneKelvin = "b6b973bf-1e35-4a58-803b-a555fd90a172";
      SuperRagna = "e2c32136-e510-41b1-84c0-41baeccfb0b9";
      Zamazaki = "d4411eca-401a-4565-9451-5ced6f48f23f";
      supertheodor = "610c4e86-0ecc-4e7a-bffc-35a2e7d90aa6";
      Minelost = "22ae2a1f-cfd9-4f10-9e41-e7becd34aba8";
      Bjand = "aed136b6-17f7-4ce1-8a7b-a09eb1694ccf";
      Dandellion = "f393413b-59fc-49d7-a5c4-83a5d177132c";
      Shogori = "f9d571bd-5754-46e8-aef8-e89b38a6be9b";
      Caragath = "f8d34f3a-55c3-4adc-b8d8-73a277f979e8";
      Shmaapqueen = "425f2eef-1a9d-4626-9ba3-cd58156943dc";
      Liquidlif3 = "420482b3-885f-4951-ba1e-30c22438a7e0";
      newtonseple = "7d8bf9ca-0499-4cb7-9d6a-daabf80482b6";
      nainis = "2eaf3736-decc-4e11-9a44-af2df0ee7c81";
      Devolan = "87016228-76b2-434f-a963-33b005ae9e42";
      zSkyler = "c92169e4-ca14-4bd5-9ea2-410fe956abe2";
      Cryovat = "7127d743-873e-464b-927a-d23b9ad5b74a";
      cybrhuman = "14a67926-cff0-4542-a111-7f557d10cc67";
      stinl = "3a08be01-1e74-4d68-88d1-07d0eb23356f";
      Mirithing = "7b327f51-4f1b-4606-88c7-378eff1b92b1";
      "_dextra" = "4b7b4ee7-eb5b-48fd-88c3-1cc68f06acda";
      Soraryuu = "0d5ffe48-e64f-4d6d-9432-f374ea8ec10c";
      klarken1 = "d6967cb8-2bc6-4db7-a093-f0770cce47df";
    };
  };
  networking.firewall.allowedTCPPorts = [ 25565 ];
  networking.firewall.allowedUDPPorts = [ 25565 ];
  systemd.services."minecraft-backup" = {
    serviceConfig.Type = "oneshot";
    script = ''
      ${pkgs.mcrcon}/bin/mcrcon -p pvv "say Starting Backup" "save-off" "save-all"
      ${pkgs.rsync}/bin/rsync -aiz --delete ${config.pvv.minecraft-server-fabric.dataDir}/world /fast/backup # Where to put backup
      ${pkgs.mcrcon}/bin/mcrcon -p pvv "save-all" "say Completed Backup" "save-on" "save-all"
    '';
  };
  systemd.timers."minecraft-backup" = {
    wantedBy = ["timers.target"];
    timerConfig.OnCalendar = [ "hourly" ];
  };
 }
--- a/hosts/greddost/services/minecraft/minecraft-server-fabric.nix
+++ b/hosts/greddost/services/minecraft/minecraft-server-fabric.nix
@@ -1,180 +0,0 @@
 { lib, pkgs, config, ... }:
 with lib;
 let
  cfg = config.pvv.minecraft-server-fabric;
  # We don't allow eula=false anyways
  eulaFile = builtins.toFile "eula.txt" ''
    # eula.txt managed by NixOS Configuration
    eula=true
  '';
  whitelistFile = pkgs.writeText "whitelist.json"
    (builtins.toJSON
      (mapAttrsToList (n: v: { name = n; uuid = v; }) cfg.whitelist));
  cfgToString = v: if builtins.isBool v then boolToString v else toString v;
  serverPropertiesFile = pkgs.writeText "server.properties" (''
    # server.properties managed by NixOS configuration
  '' + concatStringsSep "\n" (mapAttrsToList
    (n: v: "${n}=${cfgToString v}") cfg.serverProperties));
  defaultServerPort = 25565;
  serverPort = cfg.serverProperties.server-port or defaultServerPort;
  rconPort = if cfg.serverProperties.enable-rcon or false
    then cfg.serverProperties."rcon.port" or 25575
    else null;
  queryPort = if cfg.serverProperties.enable-query or false
    then cfg.serverProperties."query.port" or 25565
    else null;
 in
 {
  options.pvv.minecraft-server-fabric = {
    enable = mkEnableOption "minecraft-server-fabric";
    package = mkOption {
      type = types.package;
    };
    eula = mkOption {
      type = types.bool;
      default = false;
      description = ''
        Whether you agree to
        <link xlink:href="https://account.mojang.com/documents/minecraft_eula">
        Mojangs EULA</link>. This option must be set to
        <literal>true</literal> to run Minecraft server.
      '';
    };
    dataDir = mkOption {
      type = types.path;
      default = "/var/lib/minecraft-fabric";
      description = ''
        Directory to store Minecraft database and other state/data files.
      '';
    };
    whitelist = mkOption {
      type = let
        minecraftUUID = types.strMatching
          "[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}" // {
            description = "Minecraft UUID";
          };
        in types.attrsOf minecraftUUID;
      default = {};
      description = ''
        Whitelisted players, only has an effect when
        <option>services.minecraft-server.declarative</option> is
        <literal>true</literal> and the whitelist is enabled
        via <option>services.minecraft-server.serverProperties</option> by
        setting <literal>white-list</literal> to <literal>true</literal>.
        This is a mapping from Minecraft usernames to UUIDs.
        You can use <link xlink:href="https://mcuuid.net/"/> to get a
        Minecraft UUID for a username.
      '';
      example = literalExpression ''
        {
          username1 = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx";
          username2 = "yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy";
        };
      '';
    };
    serverProperties = mkOption {
      type = with types; attrsOf (oneOf [ bool int str ]);
      default = {};
      example = literalExpression ''
        {
          server-port = 43000;
          difficulty = 3;
          gamemode = 1;
          max-players = 5;
          motd = "NixOS Minecraft server!";
          white-list = true;
          enable-rcon = true;
          "rcon.password" = "hunter2";
        }
      '';
      description = ''
        Minecraft server properties for the server.properties file. Only has
        an effect when <option>services.minecraft-server.declarative</option>
        is set to <literal>true</literal>. See
        <link xlink:href="https://minecraft.gamepedia.com/Server.properties#Java_Edition_3"/>
        for documentation on these values.
      '';
    };
    jvmOpts = mkOption {
      type = types.separatedString " ";
      default = "-Xmx2048M -Xms2048M";
      # Example options from https://minecraft.gamepedia.com/Tutorials/Server_startup_script
      example = "-Xmx2048M -Xms4092M -XX:+UseG1GC -XX:+CMSIncrementalPacing "
        + "-XX:+CMSClassUnloadingEnabled -XX:ParallelGCThreads=2 "
        + "-XX:MinHeapFreeRatio=5 -XX:MaxHeapFreeRatio=10";
      description = "JVM options for the Minecraft server.";
    };
    mods = mkOption {
      type = types.listOf types.package;
      example = literalExpression ''
        [
          (pkgs.fetchurl {
            url = "https://cdn.modrinth.com/data/P7dR8mSH/versions/0.44.0+1.18/fabric-api-0.44.0+1.18.jar";
            sha256 = "0mlmj7mj073a48s8zgc1km0jwkphz01c1fvivn4mw37lbm2p4834";
          })
        ];
      '';
      description = "List of mods to put in the mods folder";
    };
  };
  config = mkIf cfg.enable {
    users.users.minecraft = {
      description     = "Minecraft server service user";
      home            = cfg.dataDir;
      createHome      = true;
      isSystemUser    = true;
      group           = "minecraft";
    };
    users.groups.minecraft = {};
    systemd.services.minecraft-server-fabric = {
      description   = "Minecraft Server Service";
      wantedBy      = [ "multi-user.target" ];
      after         = [ "network.target" ];
      serviceConfig = {
        ExecStart = "${cfg.package}/bin/minecraft-server ${cfg.jvmOpts}";
        Restart = "always";
        User = "minecraft";
        WorkingDirectory = cfg.dataDir;
      };
      preStart = ''
        ln -sf ${eulaFile} eula.txt
        ln -sf ${whitelistFile} whitelist.json
        cp -f ${serverPropertiesFile} server.properties
        ln -sfn ${pkgs.linkFarmFromDrvs "fabric-mods" cfg.mods} mods
      '';
    };
    assertions = [
      { assertion = cfg.eula;
        message = "You must agree to Mojangs EULA to run minecraft-server."
          + " Read https://account.mojang.com/documents/minecraft_eula and"
          + " set `services.minecraft-server.eula` to `true` if you agree.";
      }
    ]; 
  };
 }
--- a/hosts/ildkule/configuration.nix
+++ b/hosts/ildkule/configuration.nix
@@ -1,11 +1,13 @@
-{ config, pkgs, ... }:
+{ config, pkgs, values, ... }:
 {
  imports = [
      # Include the results of the hardware scan.
      ./hardware-configuration.nix
      ../../base.nix
-      # Users can just import any configuration they want even for non-user things. Improve the users/default.nix to just load some specific attributes if this isn't wanted
+      ../../misc/metrics-exporters.nix
      ./services/nginx
      ./services/metrics
    ];
  sops.defaultSopsFile = ../../secrets/ildkule/ildkule.yaml;
@@ -18,26 +20,10 @@
  networking.hostName = "ildkule"; # Define your hostname.
-  networking.interfaces.ens18.useDHCP = false;
+  systemd.network.networks."30-ens18" = values.defaultNetworkConfig // {
-
+    matchConfig.Name = "ens18";
-  networking.defaultGateway = "129.241.210.129";
+    address = with values.hosts.ildkule; [ (ipv4 + "/25") (ipv6 + "/64") ];
  networking.interfaces.ens18.ipv4 = {
    addresses = [
      {
        address = "129.241.210.187";
        prefixLength = 25;
      }
    ];
  };
  networking.interfaces.ens18.ipv6 = {
    addresses = [
      {
        address = "2001:700:300:1900::187";
        prefixLength = 64;
      }
    ];
  };
  networking.nameservers = [ "129.241.0.200" "129.241.0.201" ];
  # List packages installed in system profile
  environment.systemPackages = with pkgs; [
--- a/hosts/ildkule/hardware-configuration.nix
+++ b/hosts/ildkule/hardware-configuration.nix
@@ -0,0 +1,37 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 { config, lib, pkgs, modulesPath, ... }:
 {
  imports =
    [ (modulesPath + "/profiles/qemu-guest.nix")
    ];
  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "sr_mod" "virtio_blk" ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ ];
  boot.extraModulePackages = [ ];
  fileSystems."/" =
    { device = "/dev/disk/by-uuid/afe70fe4-681a-4675-8cbd-e5d08cdcf5b5";
      fsType = "ext4";
    };
  fileSystems."/boot" =
    { device = "/dev/disk/by-uuid/B71A-E5CD";
      fsType = "vfat";
    };
  swapDevices = [ ];
  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
  # (the default) this is the recommended approach. When using systemd-networkd it's
  # still possible to use this option, but it's recommended to use it in conjunction
  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
  networking.useDHCP = lib.mkDefault true;
  # networking.interfaces.ens18.useDHCP = lib.mkDefault true;
  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 }
--- a/hosts/ildkule/services/metrics/dashboards/go-processes.json
+++ b/hosts/ildkule/services/metrics/dashboards/go-processes.json
--- a/hosts/ildkule/services/metrics/dashboards/mysql.json
+++ b/hosts/ildkule/services/metrics/dashboards/mysql.json
--- a/hosts/ildkule/services/metrics/dashboards/node-exporter-full.json
+++ b/hosts/ildkule/services/metrics/dashboards/node-exporter-full.json
--- a/hosts/ildkule/services/metrics/dashboards/postgres.json
+++ b/hosts/ildkule/services/metrics/dashboards/postgres.json
--- a/hosts/ildkule/services/metrics/dashboards/synapse.json
+++ b/hosts/ildkule/services/metrics/dashboards/synapse.json
--- a/hosts/ildkule/services/metrics/default.nix
+++ b/hosts/ildkule/services/metrics/default.nix
@@ -0,0 +1,9 @@
 { config, pkgs, ... }:
 {
  imports = [
    ./prometheus
    ./grafana.nix
    ./loki.nix
  ];
 }
--- a/hosts/ildkule/services/metrics/grafana.nix
+++ b/hosts/ildkule/services/metrics/grafana.nix
@@ -0,0 +1,105 @@
 { config, pkgs, values, ... }: let
  cfg = config.services.grafana;
 in {
  sops.secrets = let
    owner = "grafana";
    group = "grafana";
  in {
    "keys/grafana/secret_key" = { inherit owner group; };
    "keys/grafana/admin_password" = { inherit owner group; };
    "keys/postgres/grafana" = { inherit owner group; };
  };
  services.grafana = {
    enable = true;
    settings = let
      # See https://grafana.com/docs/grafana/latest/setup-grafana/configure-grafana/#file-provider
      secretFile = path: "$__file{${path}}";
    in {
      server = {
        domain = "ildkule.pvv.ntnu.no";
        http_port = 2342;
        http_addr = "127.0.0.1";
      };
      security = {
        secret_key = secretFile config.sops.secrets."keys/grafana/secret_key".path;
        admin_password = secretFile config.sops.secrets."keys/grafana/admin_password".path;
      };
      database = {
        type = "postgres";
        user = "grafana";
        host = "${values.hosts.bicep.ipv4}:5432";
        password = secretFile config.sops.secrets."keys/postgres/grafana".path;
      };
    };
    provision = {
      enable = true;
      datasources.settings.datasources = [
        {
          name = "Ildkule Prometheus";
          type = "prometheus";
          url = ("http://${config.services.prometheus.listenAddress}:${toString config.services.prometheus.port}");
         isDefault = true;
        }
        {
          name = "Ildkule loki";
          type = "loki";
          url = ("http://${config.services.loki.configuration.server.http_listen_address}:${toString config.services.loki.configuration.server.http_listen_port}");
        }
      ];
      dashboards.settings.providers = [
        {
          name = "Node Exporter Full";
          type = "file";
          url = "https://grafana.com/api/dashboards/1860/revisions/29/download";
          options.path = dashboards/node-exporter-full.json;
        }
        {
          name = "Matrix Synapse";
          type = "file";
          url = "https://raw.githubusercontent.com/matrix-org/synapse/develop/contrib/grafana/synapse.json";
          options.path = dashboards/synapse.json;
        }
 	# TODO: enable once https://github.com/NixOS/nixpkgs/pull/242365 gets merged
 	# {
 	#   name = "MySQL";
 	#   type = "file";
 	#   url = "https://raw.githubusercontent.com/prometheus/mysqld_exporter/main/mysqld-mixin/dashboards/mysql-overview.json";
 	#   options.path = dashboards/mysql.json;
 	# }
        {
          name = "Postgresql";
          type = "file";
          url = "https://grafana.com/api/dashboards/9628/revisions/7/download";
          options.path = dashboards/postgres.json;
        }
        {
          name = "Go Processes (gogs)";
          type = "file";
          url = "https://grafana.com/api/dashboards/240/revisions/3/download";
          options.path = dashboards/go-processes.json;
        }
      ];
    };
  };
  services.nginx.virtualHosts.${cfg.settings.server.domain} = {
    enableACME = true;
    forceSSL = true;
    locations = {
      "/" = {
        proxyPass = "http://127.0.0.1:${toString cfg.settings.server.http_port}";
        proxyWebsockets = true;
        extraConfig = ''
          proxy_buffers 8 1024k;
          proxy_buffer_size 1024k;
        '';
      };
    };
  };
 }
--- a/hosts/ildkule/services/metrics/loki.nix
+++ b/hosts/ildkule/services/metrics/loki.nix
@@ -0,0 +1,86 @@
 { config, pkgs, ... }:
 let
  cfg = config.services.loki;
 in {
  services.loki = {
    enable = true;
    configuration = {
      auth_enabled = false;
      server = {
        http_listen_port = 3100;
        http_listen_address = "0.0.0.0";
        grpc_listen_port = 9096;
      };
      ingester = {
        wal = {
          enabled = true;
          dir = "/var/lib/loki/wal";
        };
        lifecycler = {
          address = "127.0.0.1";
          ring = {
            kvstore = {
              store = "inmemory";
            };
            replication_factor = 1;
          };
          final_sleep = "0s";
        };
        chunk_idle_period = "1h";
      };
      schema_config = {
        configs = [
          {
            from = "2022-12-01";
            store = "boltdb-shipper";
            object_store = "filesystem";
            schema = "v11";
            index = {
              prefix = "index_";
              period = "24h";
            };
          }
        ];
      };
      storage_config = {
        boltdb_shipper = {
          active_index_directory = "/var/lib/loki/boltdb-shipper-index";
          cache_location = "/var/lib/loki/boltdb-shipper-cache";
          shared_store = "filesystem";
          cache_ttl = "24h";
        };
        filesystem = {
          directory = "/var/lib/loki/chunks";
        };
      };
      limits_config = {
        enforce_metric_name = false;
        reject_old_samples = true;
        reject_old_samples_max_age = "72h";
      };
      compactor = {
        working_directory = "/var/lib/loki/compactor";
        shared_store = "filesystem";
      };
      # ruler = {
      #   storage = {
      #     type = "local";
      #     local = {
      #       directory = "/var/lib/loki/rules";
      #     };
      #   };
      #   rule_path = "/etc/loki/rules";
      #   alertmanager_url = "http://localhost:9093";
      # };
    };
  };
  networking.firewall.allowedTCPPorts = [ cfg.configuration.server.http_listen_port ];
 }
--- a/hosts/ildkule/services/metrics/prometheus/default.nix
+++ b/hosts/ildkule/services/metrics/prometheus/default.nix
@@ -0,0 +1,18 @@
 { config, ... }: {
  imports = [
    ./gogs.nix
    ./matrix-synapse.nix
    # TODO: enable once https://github.com/NixOS/nixpkgs/pull/242365 gets merged
    # ./mysqld.nix
    ./node.nix
    ./postgres.nix
  ];
  services.prometheus = {
    enable = true;
    listenAddress = "127.0.0.1";
    port = 9001;
    ruleFiles = [ rules/synapse-v2.rules ];
  };
 }
--- a/hosts/ildkule/services/metrics/prometheus/gogs.nix
+++ b/hosts/ildkule/services/metrics/prometheus/gogs.nix
@@ -0,0 +1,16 @@
 { config, ... }: let
  cfg = config.services.prometheus;
 in {
  services.prometheus.scrapeConfigs = [{
    job_name = "git-gogs";
    scheme = "https";
    metrics_path = "/-/metrics";
    static_configs = [
      {
        targets = [
          "essendrop.pvv.ntnu.no:443"
        ];
      }
    ];
  }];
 }
--- a/hosts/ildkule/services/metrics/prometheus/matrix-synapse.nix
+++ b/hosts/ildkule/services/metrics/prometheus/matrix-synapse.nix
@@ -0,0 +1,40 @@
 { ... }:
 {
  services.prometheus.scrapeConfigs = [{
    job_name = "synapse";
    scrape_interval = "15s";
    scheme = "https";
    http_sd_configs = [{
      url = "https://matrix.pvv.ntnu.no/metrics/config.json";
    }];
    relabel_configs = [
      {
        source_labels = [ "__address__" ];
        regex = "[^/]+(/.*)";
        target_label = "__metrics_path__";
      }
      {
        source_labels = [ "__address__" ];
        regex = "([^/]+)/.*";
        target_label = "instance";
      }
      {
        source_labels = [ "__address__" ];
        regex = "[^/]+\\/+[^/]+/(.*)/\\d+$";
        target_label = "job";
      }
      {
        source_labels = [ "__address__" ];
        regex = "[^/]+\\/+[^/]+/.*/(\\d+)$";
        target_label = "index";
      }
      {
        source_labels = [ "__address__" ];
        regex = "([^/]+)/.*";
        target_label = "__address__";
      }
    ];
  }];
 }
--- a/hosts/ildkule/services/metrics/prometheus/mysqld.nix
+++ b/hosts/ildkule/services/metrics/prometheus/mysqld.nix
@@ -0,0 +1,25 @@
 { config, ... }: let
  cfg = config.services.prometheus;
 in {
  sops.secrets."config/mysqld_exporter" = { };
  services.prometheus = {
    scrapeConfigs = [{
      job_name = "mysql";
      scheme = "http";
      metrics_path = cfg.exporters.mysqld.telemetryPath;
      static_configs = [
        {
          targets = [
            "localhost:${toString cfg.exporters.mysqld.port}"
          ];
        }
      ];
    }];
    exporters.mysqld = {
      enable = true;
      configFilePath = config.sops.secrets."config/mysqld_exporter".path;
    };
  };
 }
--- a/hosts/ildkule/services/metrics/prometheus/node.nix
+++ b/hosts/ildkule/services/metrics/prometheus/node.nix
@@ -0,0 +1,22 @@
 { config, ... }: let
  cfg = config.services.prometheus;
 in {
  services.prometheus.scrapeConfigs = [{
    job_name = "node";
    static_configs = [
      {
        targets = [
          "ildkule.pvv.ntnu.no:${toString cfg.exporters.node.port}"
          "microbel.pvv.ntnu.no:9100"
          "isvegg.pvv.ntnu.no:9100"
          "knakelibrak.pvv.ntnu.no:9100"
          "hildring.pvv.ntnu.no:9100"
          "bicep.pvv.ntnu.no:9100"
          "essendrop.pvv.ntnu.no:9100"
          "andresbu.pvv.ntnu.no:9100"
          "bekkalokk.pvv.ntnu.no:9100"
        ];
      }
    ];
  }];
 }
--- a/hosts/ildkule/services/metrics/prometheus/postgres.nix
+++ b/hosts/ildkule/services/metrics/prometheus/postgres.nix
@@ -0,0 +1,51 @@
 { pkgs, lib, config, values, ... }: let
  cfg = config.services.prometheus;
 in {
  sops.secrets = {
    "keys/postgres/postgres_exporter_env" = {};
    "keys/postgres/postgres_exporter_knakelibrak_env" = {};
  };
  services.prometheus = {
    scrapeConfigs = [
      {
        job_name = "postgres";
        scrape_interval = "15s";
        static_configs = [{
          targets = [ "localhost:${toString cfg.exporters.postgres.port}" ];
          labels = {
            server = "bicep";
          };
        }];
      }
      {
        job_name = "postgres-knakelibrak";
        scrape_interval = "15s";
        static_configs = [{
          targets = [ "localhost:${toString (cfg.exporters.postgres.port + 1)}" ];
          labels = {
            server = "knakelibrak";
          };
        }];
      }
    ];
    exporters.postgres = {
      enable = true;
      extraFlags = [ "--auto-discover-databases" ];
      environmentFile = config.sops.secrets."keys/postgres/postgres_exporter_env".path;
    };
  };
  systemd.services.prometheus-postgres-exporter-knakelibrak.serviceConfig = let
    localCfg = config.services.prometheus.exporters.postgres; 
  in lib.recursiveUpdate config.systemd.services.prometheus-postgres-exporter.serviceConfig {
      EnvironmentFile = config.sops.secrets."keys/postgres/postgres_exporter_knakelibrak_env".path;
      ExecStart = ''
        ${pkgs.prometheus-postgres-exporter}/bin/postgres_exporter \
          --web.listen-address ${localCfg.listenAddress}:${toString (localCfg.port + 1)} \
          --web.telemetry-path ${localCfg.telemetryPath} \
          ${lib.concatStringsSep " \\\n  " localCfg.extraFlags}
      '';
    };
 }
--- a/hosts/ildkule/services/metrics/prometheus/rules/synapse-v2.rules
+++ b/hosts/ildkule/services/metrics/prometheus/rules/synapse-v2.rules
@@ -0,0 +1,74 @@
 groups:
 - name: synapse
  rules:
  ###
  ### Prometheus Console Only
  ### The following rules are only needed if you use the Prometheus Console
  ### in contrib/prometheus/consoles/synapse.html
  ###
  - record: 'synapse_federation_client_sent'
    labels:
      type: "EDU"
    expr: 'synapse_federation_client_sent_edus_total + 0'
  - record: 'synapse_federation_client_sent'
    labels:
      type: "PDU"
    expr: 'synapse_federation_client_sent_pdu_destinations_count_total + 0'
  - record: 'synapse_federation_client_sent'
    labels:
      type: "Query"
    expr: 'sum(synapse_federation_client_sent_queries) by (job)'
  - record: 'synapse_federation_server_received'
    labels:
      type: "EDU"
    expr: 'synapse_federation_server_received_edus_total + 0'
  - record: 'synapse_federation_server_received'
    labels:
      type: "PDU"
    expr: 'synapse_federation_server_received_pdus_total + 0'
  - record: 'synapse_federation_server_received'
    labels:
      type: "Query"
    expr: 'sum(synapse_federation_server_received_queries) by (job)'
  - record: 'synapse_federation_transaction_queue_pending'
    labels:
      type: "EDU"
    expr: 'synapse_federation_transaction_queue_pending_edus + 0'
  - record: 'synapse_federation_transaction_queue_pending'
    labels:
      type: "PDU"
    expr: 'synapse_federation_transaction_queue_pending_pdus + 0'
  ###
  ### End of 'Prometheus Console Only' rules block
  ###
  ###
  ### Grafana Only
  ### The following rules are only needed if you use the Grafana dashboard
  ### in contrib/grafana/synapse.json
  ###
  - record: synapse_storage_events_persisted_by_source_type
    expr: sum without(type, origin_type, origin_entity) (synapse_storage_events_persisted_events_sep_total{origin_type="remote"})
    labels:
      type: remote
  - record: synapse_storage_events_persisted_by_source_type
    expr: sum without(type, origin_type, origin_entity) (synapse_storage_events_persisted_events_sep_total{origin_entity="*client*",origin_type="local"})
    labels:
      type: local
  - record: synapse_storage_events_persisted_by_source_type
    expr: sum without(type, origin_type, origin_entity) (synapse_storage_events_persisted_events_sep_total{origin_entity!="*client*",origin_type="local"})
    labels:
      type: bridges
  - record: synapse_storage_events_persisted_by_event_type
    expr: sum without(origin_entity, origin_type) (synapse_storage_events_persisted_events_sep_total)
  - record: synapse_storage_events_persisted_by_origin
    expr: sum without(type) (synapse_storage_events_persisted_events_sep_total)
  ###
  ### End of 'Grafana Only' rules block
  ###
--- a/hosts/ildkule/services/nginx/default.nix
+++ b/hosts/ildkule/services/nginx/default.nix
@@ -1,7 +1,5 @@
-{config, ... }:
+{ config, values, ... }:
 {
  security.acme = {
    acceptTerms = true;
    defaults.email = "drift@pvv.ntnu.no";
@@ -10,6 +8,17 @@
  services.nginx = {
    enable = true;
    enableReload = true;
    defaultListenAddresses = [
      values.hosts.ildkule.ipv4
      "[${values.hosts.ildkule.ipv6}]"
      "127.0.0.1"
      "127.0.0.2"
      "[::1]"
    ];
    recommendedProxySettings = true;
    recommendedTlsSettings = true;
    recommendedGzipSettings = true;
--- a/hosts/jokum/configuration.nix
+++ b/hosts/jokum/configuration.nix
@@ -1,72 +0,0 @@
 { config, pkgs, ... }:
 {
  imports = [
      # Include the results of the hardware scan.
      ./hardware-configuration.nix
      ../../base.nix
      # Users can just import any configuration they want even for non-user things. Improve the users/default.nix to just load some specific attributes if this isn't wanted
      ../../misc/rust-motd.nix
      ./services/matrix
      ./services/nginx
    ];
  sops.defaultSopsFile = ../../secrets/jokum/jokum.yaml;
  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
  sops.age.keyFile = "/var/lib/sops-nix/key.txt";
  sops.age.generateKey = true;
  # Use the GRUB 2 boot loader.
  boot.loader.grub.enable = true;
  boot.loader.grub.version = 2;
  boot.loader.grub.devices = [ "/dev/sda" ];
  networking.hostName = "jokum"; # Define your hostname.
  networking.interfaces.ens18.useDHCP = false;
  networking.defaultGateway = "129.241.210.129";
  networking.interfaces.ens18.ipv4 = {
    addresses = [
      {
        address = "129.241.210.169";
        prefixLength = 25;
      }
      {
        address = "129.241.210.213";
        prefixLength = 25;
      }
    ];
  };
  networking.interfaces.ens18.ipv6 = {
    addresses = [
      {
        address = "2001:700:300:1900::169";
        prefixLength = 64;
      }
      {
        address = "2001:700:300:1900::213";
        prefixLength = 64;
      }
    ];
  };
  networking.nameservers = [ "129.241.0.200" "129.241.0.201" ];
  # List packages installed in system profile
  environment.systemPackages = with pkgs; [
  ];
  # List services that you want to enable:
  # This value determines the NixOS release from which the default
  # settings for stateful data, like file locations and database versions
  # on your system were taken. It‘s perfectly fine and recommended to leave
  # this value at the release version of the first install of this system.
  # Before changing this value read the documentation for this option
  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
  system.stateVersion = "21.05"; # Did you read the comment?
 }
--- a/hosts/jokum/hardware-configuration.nix
+++ b/hosts/jokum/hardware-configuration.nix
@@ -1,29 +0,0 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 { config, lib, pkgs, modulesPath, ... }:
 {
  imports =
    [ (modulesPath + "/profiles/qemu-guest.nix")
    ];
  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ ];
  boot.extraModulePackages = [ ];
  fileSystems."/" =
    { device = "/dev/disk/by-uuid/1a8bf91a-5948-40c2-a9fd-7a33e46fa441";
      fsType = "ext4";
    };
  fileSystems."/data" =
    { device = "/dev/disk/by-uuid/c812e204-b998-4ec5-9f26-29c5808ed6ba";
      fsType = "ext4";
    };
  swapDevices = [ ];
  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 }
--- a/hosts/shark/configuration.nix
+++ b/hosts/shark/configuration.nix
@@ -0,0 +1,39 @@
 { config, pkgs, values, ... }:
 {
  imports = [
      # Include the results of the hardware scan.
      ./hardware-configuration.nix
      ../../base.nix
      ../../misc/metrics-exporters.nix
    ];
  sops.defaultSopsFile = ../../secrets/shark/shark.yaml;
  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
  sops.age.keyFile = "/var/lib/sops-nix/key.txt";
  sops.age.generateKey = true;
  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;
  networking.hostName = "shark"; # Define your hostname.
  systemd.network.networks."30-ens18" = values.defaultNetworkConfig // {
    matchConfig.Name = "ens18";
    address = with values.hosts.shark; [ (ipv4 + "/25") (ipv6 + "/64") ];
  };
  # List packages installed in system profile
  environment.systemPackages = with pkgs; [
  ];
  # List services that you want to enable:
  # This value determines the NixOS release from which the default
  # settings for stateful data, like file locations and database versions
  # on your system were taken. It‘s perfectly fine and recommended to leave
  # this value at the release version of the first install of this system.
  # Before changing this value read the documentation for this option
  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
  system.stateVersion = "23.05"; # Did you read the comment?
 }
--- a/hosts/shark/hardware-configuration.nix
+++ b/hosts/shark/hardware-configuration.nix
@@ -0,0 +1,38 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 { config, lib, pkgs, modulesPath, ... }:
 {
  imports =
    [ (modulesPath + "/profiles/qemu-guest.nix")
    ];
  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ ];
  boot.extraModulePackages = [ ];
  fileSystems."/" =
    { device = "/dev/disk/by-uuid/224c45db-9fdc-45d4-b3ad-aaf20b3efa8a";
      fsType = "ext4";
    };
  fileSystems."/boot" =
    { device = "/dev/disk/by-uuid/CC37-F5FE";
      fsType = "vfat";
    };
  swapDevices =
    [ { device = "/dev/disk/by-uuid/a1ce3234-78b1-4565-9643-f4a05004424f"; }
    ];
  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
  # (the default) this is the recommended approach. When using systemd-networkd it's
  # still possible to use this option, but it's recommended to use it in conjunction
  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
  networking.useDHCP = lib.mkDefault true;
  # networking.interfaces.ens18.useDHCP = lib.mkDefault true;
  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
 }
--- a/misc/builder.nix
+++ b/misc/builder.nix
@@ -0,0 +1,5 @@
 { ... }:
 {
  nix.settings.trusted-users = [ "@nix-builder-users" ];
 }
--- a/misc/metrics-exporters.nix
+++ b/misc/metrics-exporters.nix
@@ -0,0 +1,60 @@
 { config, pkgs, values, ... }:
 {
  services.prometheus.exporters.node = {
    enable = true;
    port = 9100;
    enabledCollectors = [ "systemd" ];
  };
  systemd.services.prometheus-node-exporter.serviceConfig = {
    IPAddressDeny = "any";
    IPAddressAllow = [
      "127.0.0.1"
      "::1"
      values.hosts.ildkule.ipv4
      values.hosts.ildkule.ipv6
    ];
  };
  networking.firewall.allowedTCPPorts = [ 9100 ];
  services.promtail = {
    enable = true;
    configuration = {
      server = {
        http_listen_port = 28183;
        grpc_listen_port = 0;
      };
      clients = [
        {
          url = "http://ildkule.pvv.ntnu.no:3100/loki/api/v1/push";
        }
      ];
      scrape_configs = [
        {
          job_name = "systemd-journal";
          journal = {
            max_age = "12h";
            labels = {
              job = "systemd-journal";
              host = config.networking.hostName;
            };
          };
          relabel_configs = [
            {
              source_labels = [ "__journal__systemd_unit" ];
              target_label = "unit";
            }
            {
              source_labels = [ "__journal_priority_keyword" ];
              target_label = "level";
            }
          ];
        }
      ];
    };
  };
 }
--- a/modules/debug-locations.nix
+++ b/modules/debug-locations.nix
@@ -0,0 +1,13 @@
 { config, lib, ... }:
 let
  cfg = config.environment.debug-locations;
 in
 {
  options.environment.debug-locations = lib.mkOption {
    description = "Paths and derivations to symlink in `/etc/debug`";
    type = with lib.types; attrsOf path;
    default = { };
  };
  config.environment.etc = lib.mapAttrs' (k: v: lib.nameValuePair "debug/${k}" { source = v; }) cfg;
 }
--- a/modules/grzegorz.nix
+++ b/modules/grzegorz.nix
@@ -0,0 +1,62 @@
 {config, lib, pkgs, ...}:
 let
  grg = config.services.grzegorz;
  grgw = config.services.grzegorz-webui;
 in {
  services.pipewire.enable = true;
  services.pipewire.alsa.enable = true;
  services.pipewire.alsa.support32Bit = true;
  services.pipewire.pulse.enable = true;
  users.users.pvv = {
    isNormalUser = true;
    description = "pvv";
  };
  services.grzegorz.enable = true;
  services.grzegorz.listenAddr = "localhost";
  services.grzegorz.listenPort = 31337;
  services.grzegorz-webui.enable = true;
  services.grzegorz-webui.listenAddr = "localhost";
  services.grzegorz-webui.listenPort = 42069;
  services.grzegorz-webui.listenWebsocketPort = 42042;
  services.grzegorz-webui.hostName = "${config.networking.fqdn}";
  services.grzegorz-webui.apiBase = "http://${toString grg.listenAddr}:${toString grg.listenPort}/api";
  security.acme.acceptTerms = true;
  security.acme.defaults.email = "pederbs@pvv.ntnu.no";
  services.nginx.enable = true;
  networking.firewall.allowedTCPPorts = [ 80 443 ];
  services.nginx.virtualHosts."${config.networking.fqdn}" = {
    forceSSL = true;
    enableACME = true;
    serverAliases = [
      "${config.networking.hostName}.pvv.org"
    ];
    extraConfig = ''
      allow 129.241.210.128/25;
      allow 2001:700:300:1900::/64;
      deny all;
    '';
    locations."/" = {
      proxyPass = "http://localhost:${builtins.toString config.services.grzegorz-webui.listenPort}";
    };
    # https://github.com/rawpython/remi/issues/216
    locations."/websocket" = {
      proxyPass = "http://localhost:${builtins.toString config.services.grzegorz-webui.listenWebsocketPort}";
      proxyWebsockets = true;
    };
    locations."/api" = {
      proxyPass = "http://localhost:${builtins.toString config.services.grzegorz.listenPort}";
    };
    locations."/docs" = {
      proxyPass = "http://localhost:${builtins.toString config.services.grzegorz.listenPort}";
    };
  };
 }
--- a/modules/snakeoil-certs.nix
+++ b/modules/snakeoil-certs.nix
@@ -0,0 +1,83 @@
 { config, pkgs, lib, ... }:
 let
  cfg = config.environment.snakeoil-certs;
 in
 {
  options.environment.snakeoil-certs = lib.mkOption {
    default = { };
    description = "Self signed certs, which are rotated regularly";
    type = lib.types.attrsOf (lib.types.submodule ({ name, ... }: {
      options = {
        owner = lib.mkOption {
          type = lib.types.str;
          default = "root";
        };
        group = lib.mkOption {
          type = lib.types.str;
          default = "root";
        };
        mode = lib.mkOption {
          type = lib.types.str;
          default = "0660";
        };
        daysValid = lib.mkOption {
          type = lib.types.str;
          default = "90";
        };
        extraOpenSSLArgs = lib.mkOption {
          type = with lib.types; listOf str;
          default = [ ];
        };
        certificate = lib.mkOption {
          type = lib.types.str;
          default = "${name}.crt";
        };
        certificateKey = lib.mkOption {
          type = lib.types.str;
          default = "${name}.key";
        };
 	subject = lib.mkOption {
 	  type = lib.types.str;
 	  default = "/C=NO/O=Programvareverkstedet/CN=*.pvv.ntnu.no/emailAddress=drift@pvv.ntnu.no";
 	};
      };
    }));
  };
  config = {
    systemd.services."generate-snakeoil-certs" = {
      enable = true;
      serviceConfig.Type = "oneshot";
      script = let
        openssl = lib.getExe pkgs.openssl;
      in lib.concatMapStringsSep "\n----------------\n" ({ name, value }: ''
        mkdir -p $(dirname "${value.certificate}") $(dirname "${value.certificateKey}")
        if ! ${openssl} x509 -checkend 86400 -noout -in ${value.certificate}
        then
           echo "Regenerating '${value.certificate}'"
           ${openssl} req \
             -newkey rsa:4096 \
             -new -x509 \
             -days "${toString value.daysValid}" \
             -nodes \
             -subj "${value.subject}" \
             -out "${value.certificate}" \
             -keyout "${value.certificateKey}" \
             ${lib.escapeShellArgs value.extraOpenSSLArgs}
        fi
        chown "${value.owner}:${value.group}" "${value.certificate}"
        chown "${value.owner}:${value.group}" "${value.certificateKey}"
        chmod "${value.mode}" "${value.certificate}"
        chmod "${value.mode}" "${value.certificateKey}"
      '') (lib.attrsToList cfg);
    };
    systemd.timers."generate-snakeoil-certs" = {
      wantedBy = [ "timers.target" ];
      timerConfig = {
        OnCalendar = "*-*-* 02:00:00";
        Persistent = true;
        Unit = "generate-snakeoil-certs.service";
      };
    };
  };
 }
--- a/packages/mediawiki-extensions/default.nix
+++ b/packages/mediawiki-extensions/default.nix
@@ -0,0 +1,7 @@
 { pkgs, lib }:
 lib.makeScope pkgs.newScope (self: {
  DeleteBatch = self.callPackage ./delete-batch { };
  PluggableAuth = self.callPackage ./pluggable-auth { };
  SimpleSAMLphp = self.callPackage ./simple-saml-php { };
  UserMerge = self.callPackage ./user-merge { };
 })
--- a/packages/mediawiki-extensions/delete-batch/default.nix
+++ b/packages/mediawiki-extensions/delete-batch/default.nix
@@ -0,0 +1,7 @@
 { fetchzip }:
 fetchzip {
  name = "mediawiki-delete-batch";
  url = "https://extdist.wmflabs.org/dist/extensions/DeleteBatch-REL1_41-5774fdd.tar.gz";
  hash = "sha256-ROkn93lf0mNXBvij9X2pMhd8LXZ0azOz7ZRaqZvhh8k=";
 }
--- a/packages/mediawiki-extensions/pluggable-auth/default.nix
+++ b/packages/mediawiki-extensions/pluggable-auth/default.nix
@@ -0,0 +1,7 @@
 { fetchzip }:
 fetchzip {
  name = "mediawiki-pluggable-auth-source";
  url = "https://extdist.wmflabs.org/dist/extensions/PluggableAuth-REL1_41-d5b3ad8.tar.gz";
  hash = "sha256-OLlkKeSlfNgWXWwDdINrYRZpYuSGRwzZHgU8EYW6rYU=";
 }
--- a/packages/mediawiki-extensions/simple-saml-php/default.nix
+++ b/packages/mediawiki-extensions/simple-saml-php/default.nix
@@ -0,0 +1,7 @@
 { fetchzip }:
 fetchzip {
  name = "mediawiki-simple-saml-php-source";
  url = "https://extdist.wmflabs.org/dist/extensions/SimpleSAMLphp-REL1_41-9ae0678.tar.gz";
  hash = "sha256-AmCaG5QXMJvi3N6zFyWylwYDt8GvyIk/0GFpM1Y0vkY=";
 }
--- a/packages/mediawiki-extensions/update-mediawiki-extensions.py
+++ b/packages/mediawiki-extensions/update-mediawiki-extensions.py
@@ -0,0 +1,66 @@
 #!/usr/bin/env nix-shell
 #!nix-shell -i python3 -p "python3.withPackages(ps: with ps; [ beautifulsoup4 requests ])"
 import os
 from pathlib import Path
 import re
 import subprocess
 from collections import defaultdict
 from pprint import pprint
 import bs4
 import requests
 BASE_URL = "https://extdist.wmflabs.org/dist/extensions"
 def fetch_plugin_list(skip_master=True) -> dict[str, list[str]]:
    content = requests.get(BASE_URL).text
    soup = bs4.BeautifulSoup(content, features="html.parser")
    result = defaultdict(list)
    for a in soup.find_all('a'):
        if skip_master and 'master' in a.text:
            continue
        split = a.text.split('-')
        result[split[0]].append(a.text)
    return result
 def update(package_file: Path, plugin_list: dict[str, list[str]]) -> None:
    assert package_file.is_file()
    with open(package_file) as file:
        content = file.read()
    tarball = re.search(f'url = "{BASE_URL}/(.+\.tar\.gz)";', content).group(1)
    split = tarball.split('-')
    updated_tarball = plugin_list[split[0]][-1]
    _hash = re.search(f'hash = "(.+?)";', content).group(1)
    out, err = subprocess.Popen(
        ["nix-prefetch-url", "--unpack", "--type", "sha256", f"{BASE_URL}/{updated_tarball}"],
        stdout=subprocess.PIPE,
        stderr=subprocess.PIPE
    ).communicate()
    out, err = subprocess.Popen(
        ["nix", "hash", "to-sri", "--type", "sha256", out.decode().strip()],
        stdout=subprocess.PIPE,
        stderr=subprocess.PIPE
    ).communicate()
    updated_hash = out.decode().strip()
    if tarball == updated_tarball and _hash == updated_hash:
        return
    print(f"Updating: {tarball} ({_hash[7:14]}) -> {updated_tarball} ({updated_hash[7:14]})")
    updated_text = re.sub(f'url = "{BASE_URL}/.+?\.tar\.gz";', f'url = "{BASE_URL}/{updated_tarball}";', content)
    updated_text = re.sub('hash = ".+";', f'hash = "{updated_hash}";', updated_text)
    with open(package_file, 'w') as file:
        file.write(updated_text)
 if __name__ == "__main__":
    plugin_list = fetch_plugin_list()
    for direntry in os.scandir(Path(__file__).parent):
        if direntry.is_dir():
            update(Path(direntry) / "default.nix", plugin_list)
--- a/packages/mediawiki-extensions/user-merge/default.nix
+++ b/packages/mediawiki-extensions/user-merge/default.nix
@@ -0,0 +1,7 @@
 { fetchzip }:
 fetchzip {
  name = "mediawiki-user-merge-source";
  url = "https://extdist.wmflabs.org/dist/extensions/UserMerge-REL1_41-a53af3b.tar.gz";
  hash = "sha256-TxUkEqMW79thYl1la2r+w9laRnd3uSYYg1xDB+1he1g=";
 }
--- a/packages/simplesamlphp/default.nix
+++ b/packages/simplesamlphp/default.nix
@@ -0,0 +1,38 @@
 { lib
 , php
 , writeText
 , fetchFromGitHub
 , extra_files ? { }
 }:
 php.buildComposerProject rec {
  pname = "simplesamlphp";
  version = "2.2.1";
  src = fetchFromGitHub {
    owner = "simplesamlphp";
    repo = "simplesamlphp";
    rev = "v${version}";
    hash = "sha256-jo7xma60M4VZgeDgyFumvJp1Sm+RP4XaugDkttQVB+k=";
  };
  composerStrictValidation = false;
  vendorHash = "sha256-n6lJ/Fb6xI124PkKJMbJBDiuISlukWQcHl043uHoBb4=";
  # TODO: metadata could be fetched automagically with these:
  #   - https://simplesamlphp.org/docs/contrib_modules/metarefresh/simplesamlphp-automated_metadata.html
  #   - https://idp.pvv.ntnu.no/simplesaml/saml2/idp/metadata.php
  postPatch = lib.pipe extra_files [
    (lib.mapAttrsToList (target_path: source_path: ''
      mkdir -p $(dirname "${target_path}")
      cp -r "${source_path}" "${target_path}"
    ''))
    (lib.concatStringsSep "\n")
  ];
  postInstall = ''
    ln -sr $out/share/php/simplesamlphp/vendor/simplesamlphp/simplesamlphp-assets-base $out/share/php/simplesamlphp/public/assets/base
  '';
 }
--- a/pkgs/minecraft-server-fabric/default.nix
+++ b/pkgs/minecraft-server-fabric/default.nix
@@ -1,43 +0,0 @@
 { callPackage, writeTextFile, writeShellScriptBin, minecraft-server, jre_headless }:
 let
  loader = callPackage ./generate-loader.nix {};
  log4j = writeTextFile {
    name = "log4j.xml";
    text = ''
      <?xml version="1.0" encoding="UTF-8"?>
      <Configuration status="WARN" packages="com.mojang.util">
          <Appenders>
              <Console name="SysOut" target="SYSTEM_OUT">
                  <PatternLayout pattern="[%d{HH:mm:ss}] [%t/%level]: %msg%n" />
              </Console>
              <Queue name="ServerGuiConsole">
                  <PatternLayout pattern="[%d{HH:mm:ss} %level]: %msg%n" />
              </Queue>
              <RollingRandomAccessFile name="File" fileName="logs/latest.log" filePattern="logs/%d{yyyy-MM-dd}-%i.log.gz">
                  <PatternLayout pattern="[%d{HH:mm:ss}] [%t/%level]: %msg%n" />
                  <Policies>
                      <TimeBasedTriggeringPolicy />
                      <OnStartupTriggeringPolicy />
                  </Policies>
                  <DefaultRolloverStrategy max="1000"/>
              </RollingRandomAccessFile>
          </Appenders>
          <Loggers>
              <Root level="info">
                  <filters>
                      <MarkerFilter marker="NETWORK_PACKETS" onMatch="DENY" onMismatch="NEUTRAL" />
                  </filters>
                  <AppenderRef ref="SysOut"/>
                  <AppenderRef ref="File"/>
                  <AppenderRef ref="ServerGuiConsole"/>
              </Root>
          </Loggers>
      </Configuration>
    '';
  };
 in
 writeShellScriptBin "minecraft-server" ''
  echo "serverJar=${minecraft-server}/lib/minecraft/server.jar" >> fabric-server-launcher.properties
  exec ${jre_headless}/bin/java -Dlog4j.configurationFile=${log4j} $@ -jar ${loader} nogui
 ''
--- a/Show More
+++ b/Show More