WIP

add eirikwit to sops
flake update: matrix module bug fix
2024-03-29 23:26:31 +01:00 · 2024-03-16 22:38:16 +01:00 · 2024-03-13 07:41:12 +01:00 · 2024-03-13 06:33:43 +01:00 · 2024-03-05 05:52:31 +01:00 · 2024-03-05 05:28:23 +01:00
48 changed files with 1168 additions and 325 deletions
--- a/.gitea/workflows/eval.yml
+++ b/.gitea/workflows/eval.yml
@ -0,0 +1,13 @@
+name: "Eval nix flake"
+on:
+  pull_request:
+  push:
+jobs:
+  evals:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v3
+    - run: apt-get update && apt-get -y install sudo
+    - uses: https://github.com/cachix/install-nix-action@v23
+    - run: echo -e "show-trace = true\nmax-jobs = auto\ntrusted-users = root\nexperimental-features = nix-command flakes\nbuild-users-group =" > /etc/nix/nix.conf
+    - run: nix flake check
--- a/.sops.yaml
+++ b/.sops.yaml
@ -3,6 +3,7 @@ keys:
  - &user_danio age17tagmpwqjk3mdy45rfesrfey6h863x8wfq38wh33tkrlrywxducs0k6tpq
  - &user_felixalb age1mrnldl334l2nszuta6ywvewng0fswv2dz9l5g4qcwe3nj4yxf92qjskdx6
  - &user_oysteikt F7D37890228A907440E1FD4846B9228E814A2AAC
+  - &user_eirikwit age1ju7rd26llahz3g8tz7cy5ld52swj8gsmg0flrmrxngc0nj0avq3ssh0sn5

  # Hosts
  - &host_jokum age1gp8ye4g2mmw3may5xg0zsy7mm04glfz3788mmdx9cvcsdxs9hg0s0cc9kt
@ -18,6 +19,7 @@ creation_rules:
      - *host_jokum
      - *user_danio
      - *user_felixalb
+      - *user_eirikwit
      pgp:
      - *user_oysteikt

--- a/README.MD
+++ b/README.MD
@ -10,7 +10,13 @@ Etter å ha klonet prosjektet ned og gjort endringer kan du evaluere configene m

 før du bygger en maskin med:

-`nix build .#nixosConfigurations.<maskinavn>.config.system.build.toplevel`
+`nix build .#<maskinnavn>`
+
+hvis du vil være ekstra sikker på at alt bygger så kan du kjøre:
+
+`nix build .` for å bygge alle de viktige maskinene.
+
+NB: Dette kan ta opp til 30 minutter avhengig av hva som ligger i caches

 Husk å hvertfall stage nye filer om du har laget dem!

@ -20,7 +26,7 @@ Det er sikkert lurt å lage en PR først om du ikke er vandt til nix enda.
 Innen 24h skal alle systemene hente ned den nye konfigurasjonen og deploye den.

 Du kan tvinge en maskin til å oppdatere seg før dette ved å kjøre:
-`nixos-rebuild switch --update-input nixpkgs --update-input unstable --no-write-lock-file --refresh --flake git+https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git --upgrade`
+`nixos-rebuild switch --update-input nixpkgs --update-input nixpkgs-unstable --no-write-lock-file --refresh --flake git+https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git --upgrade`

 som root på maskinen.

--- a/base.nix
+++ b/base.nix
@ -32,7 +32,7 @@
    flake = "git+https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git";
    flags = [
      "--update-input" "nixpkgs"
-      "--update-input" "unstable"
+      "--update-input" "nixpkgs-unstable"
      "--no-write-lock-file"
    ];
  };
@ -71,6 +71,9 @@

  users.groups."drift".name = "drift";

+  # Trusted users on the nix builder machines
+  users.groups."nix-builder-users".name = "nix-builder-users";
+
  services.openssh = {
    enable = true;
    extraConfig = ''
--- a/flake.lock
+++ b/flake.lock
@ -1,15 +1,77 @@
 {
  "nodes": {
-    "matrix-next": {
+    "disko": {
      "inputs": {
-        "nixpkgs-lib": "nixpkgs-lib"
+        "nixpkgs": [
+          "nixpkgs"
+        ]
      },
      "locked": {
-        "lastModified": 1694383459,
-        "narHash": "sha256-Y7VuBz74Go1QlvSLGXsXzPgOeeV73bbsDou3uXX9oa8=",
+        "lastModified": 1710169806,
+        "narHash": "sha256-HeWFrRuHpnAiPmIr26OKl2g142HuGerwoO/XtW53pcI=",
+        "owner": "nix-community",
+        "repo": "disko",
+        "rev": "fe064a639319ed61cdf12b8f6eded9523abcc498",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "disko",
+        "type": "github"
+      }
+    },
+    "grzegorz": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs-unstable"
+        ]
+      },
+      "locked": {
+        "lastModified": 1696346665,
+        "narHash": "sha256-J6Tf6a/zhFZ8SereluHLrvgPsIVm2CGHHA8wrbhZB3Y=",
+        "owner": "Programvareverkstedet",
+        "repo": "grzegorz",
+        "rev": "9b9c3ac7d408ac7c6d67544b201e6b169afacb03",
+        "type": "github"
+      },
+      "original": {
+        "owner": "Programvareverkstedet",
+        "repo": "grzegorz",
+        "type": "github"
+      }
+    },
+    "grzegorz-clients": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1693864994,
+        "narHash": "sha256-oLDiWdCKDtEfeGzfAuDTq+n9VWp6JCo67PEESEZ3y8E=",
+        "owner": "Programvareverkstedet",
+        "repo": "grzegorz-clients",
+        "rev": "a38a0b0fb31ad0ad78a91458cb2c7f77f686468f",
+        "type": "github"
+      },
+      "original": {
+        "owner": "Programvareverkstedet",
+        "repo": "grzegorz-clients",
+        "type": "github"
+      }
+    },
+    "matrix-next": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1710311999,
+        "narHash": "sha256-s0pT1NyrMgeolUojXXcnXQDymN7m80GTF7itCv0ZH20=",
        "owner": "dali99",
        "repo": "nixos-matrix-modules",
-        "rev": "66ff528912d95e6a2ee0aea6404a6b7e0d7fd83c",
+        "rev": "6c9b67974b839740e2a738958512c7a704481157",
        "type": "github"
      },
      "original": {
@ -20,51 +82,50 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1694526311,
-        "narHash": "sha256-Y9LCYQBNX7McW0o8x6wT9tx2qy9TVuF84fe62zrQzyA=",
+        "lastModified": 1710248792,
+        "narHash": "sha256-yFyWw4na+nJgtXwhHs2SJSy5Lcw94/FcMbBOorlGdfI=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "36bee398beca22e2428074e0a2e068d87f801718",
+        "rev": "efbb274f364c918b9937574de879b5874b5833cc",
        "type": "github"
      },
      "original": {
-        "owner": "NixOS",
-        "ref": "nixos-23.05-small",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
-    },
-    "nixpkgs-lib": {
-      "locked": {
-        "lastModified": 1673743903,
-        "narHash": "sha256-sloY6KYyVOozJ1CkbgJPpZ99TKIjIvM+04V48C04sMQ=",
-        "owner": "nix-community",
-        "repo": "nixpkgs.lib",
-        "rev": "7555e2dfcbac1533f047021f1744ac8871150f9f",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-community",
-        "repo": "nixpkgs.lib",
-        "type": "github"
+        "id": "nixpkgs",
+        "ref": "nixos-23.11-small",
+        "type": "indirect"
      }
    },
    "nixpkgs-stable": {
      "locked": {
-        "lastModified": 1693675694,
-        "narHash": "sha256-2pIOyQwGyy2FtFAUIb8YeKVmOCcPOTVphbAvmshudLE=",
+        "lastModified": 1710033658,
+        "narHash": "sha256-yiZiVKP5Ya813iYLho2+CcFuuHpaqKc/CoxOlANKcqM=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "5601118d39ca9105f8e7b39d4c221d3388c0419d",
+        "rev": "b17375d3bb7c79ffc52f3538028b2ec06eb79ef8",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
-        "ref": "release-23.05",
+        "ref": "release-23.11",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
+    "nixpkgs-unstable": {
+      "locked": {
+        "lastModified": 1710247538,
+        "narHash": "sha256-Mm3aCwfAdYgG2zKf5SLRBktPH0swXN1yEetAMn05KAA=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "21adc4f16a8ab151fec83b9d9368cd62d9de86bc",
+        "type": "github"
+      },
+      "original": {
+        "id": "nixpkgs",
+        "ref": "nixos-unstable-small",
+        "type": "indirect"
+      }
+    },
    "pvv-calendar-bot": {
      "inputs": {
        "nixpkgs": [
@ -87,11 +148,14 @@
    },
    "root": {
      "inputs": {
+        "disko": "disko",
+        "grzegorz": "grzegorz",
+        "grzegorz-clients": "grzegorz-clients",
        "matrix-next": "matrix-next",
        "nixpkgs": "nixpkgs",
+        "nixpkgs-unstable": "nixpkgs-unstable",
        "pvv-calendar-bot": "pvv-calendar-bot",
-        "sops-nix": "sops-nix",
-        "unstable": "unstable"
+        "sops-nix": "sops-nix"
      }
    },
    "sops-nix": {
@ -102,11 +166,11 @@
        "nixpkgs-stable": "nixpkgs-stable"
      },
      "locked": {
-        "lastModified": 1694495315,
-        "narHash": "sha256-sZEYXs9T1NVHZSSbMqBEtEm2PGa7dEDcx0ttQkArORc=",
+        "lastModified": 1710195194,
+        "narHash": "sha256-KFxCJp0T6TJOz1IOKlpRdpsCr9xsvlVuWY/VCiAFnTE=",
        "owner": "Mic92",
        "repo": "sops-nix",
-        "rev": "ea208e55f8742fdcc0986b256bdfa8986f5e4415",
+        "rev": "e52d8117b330f690382f1d16d81ae43daeb4b880",
        "type": "github"
      },
      "original": {
@ -114,22 +178,6 @@
        "repo": "sops-nix",
        "type": "github"
      }
-    },
-    "unstable": {
-      "locked": {
-        "lastModified": 1694534540,
-        "narHash": "sha256-Cc0Ku0qJZDDx/0kII+0xD94L25EKw4EQzOLm0R9iZO4=",
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "f22a472661d66c655eae5b0a01ada71e4e13e405",
-        "type": "github"
-      },
-      "original": {
-        "owner": "NixOS",
-        "ref": "nixos-unstable-small",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
    }
  },
  "root": "root",
--- a/flake.nix
+++ b/flake.nix
@ -2,33 +2,51 @@
  description = "PVV System flake";

  inputs = {
-    nixpkgs.url = "github:NixOS/nixpkgs/nixos-23.05-small";
-    unstable.url = "github:NixOS/nixpkgs/nixos-unstable-small";
+    nixpkgs.url = "nixpkgs/nixos-23.11-small";
+    nixpkgs-unstable.url = "nixpkgs/nixos-unstable-small";

    sops-nix.url = "github:Mic92/sops-nix";
    sops-nix.inputs.nixpkgs.follows = "nixpkgs";

+    disko.url = "github:nix-community/disko";
+    disko.inputs.nixpkgs.follows = "nixpkgs";
+
    pvv-calendar-bot.url = "git+https://git.pvv.ntnu.no/Projects/calendar-bot.git";
    pvv-calendar-bot.inputs.nixpkgs.follows = "nixpkgs";

    matrix-next.url = "github:dali99/nixos-matrix-modules";
+    matrix-next.inputs.nixpkgs.follows = "nixpkgs";
+
+    grzegorz.url = "github:Programvareverkstedet/grzegorz";
+    grzegorz.inputs.nixpkgs.follows = "nixpkgs-unstable";
+    grzegorz-clients.url = "github:Programvareverkstedet/grzegorz-clients";
+    grzegorz-clients.inputs.nixpkgs.follows = "nixpkgs";
  };

-  outputs = { self, nixpkgs, matrix-next, pvv-calendar-bot, unstable, sops-nix, ... }@inputs:
+  outputs = { self, nixpkgs, nixpkgs-unstable, sops-nix, disko, ... }@inputs:
  let
+    nixlib = nixpkgs.lib;
    systems = [
      "x86_64-linux"
      "aarch64-linux"
      "aarch64-darwin"
    ];
-    forAllSystems = f: nixpkgs.lib.genAttrs systems (system: f system);
+    forAllSystems = f: nixlib.genAttrs systems (system: f system);
+    allMachines = nixlib.mapAttrsToList (name: _: name) self.nixosConfigurations;
+    importantMachines = [
+      "bekkalokk"
+      "bicep"
+      "brzeczyszczykiewicz"
+      "georg"
+      "ildkule"
+    ];
  in {
    nixosConfigurations = let
      nixosConfig = nixpkgs: name: config: nixpkgs.lib.nixosSystem (nixpkgs.lib.recursiveUpdate
        rec {
          system = "x86_64-linux";
          specialArgs = {
-            inherit unstable inputs;
+            inherit nixpkgs-unstable inputs;
            values = import ./values.nix;
          };

@ -40,10 +58,7 @@
          pkgs = import nixpkgs {
            inherit system;
            overlays = [
-              (final: prev: {
-                mx-puppet-discord = prev.mx-puppet-discord.override { nodejs_14 = final.nodejs_18; };
-              })
-              pvv-calendar-bot.overlays.${system}.default
+              inputs.pvv-calendar-bot.overlays.${system}.default
            ];
          };
        }
@ -51,25 +66,72 @@
      );

      stableNixosConfig = nixosConfig nixpkgs;
-      unstableNixosConfig = nixosConfig unstable;
+      unstableNixosConfig = nixosConfig nixpkgs-unstable;
    in {
      bicep = stableNixosConfig "bicep" {
        modules = [
          ./hosts/bicep/configuration.nix
          sops-nix.nixosModules.sops

-          matrix-next.nixosModules.synapse
-          pvv-calendar-bot.nixosModules.default
+          inputs.matrix-next.nixosModules.default
+          inputs.pvv-calendar-bot.nixosModules.default
        ];
      };
      bekkalokk = stableNixosConfig "bekkalokk" { };
+      bob = stableNixosConfig "bob" {
+        modules = [
+          ./hosts/bob/configuration.nix
+          sops-nix.nixosModules.sops
+
+          disko.nixosModules.disko
+          { disko.devices.disk.disk1.device = "/dev/vda"; }
+        ];
+      };
      ildkule = stableNixosConfig "ildkule" { };
      #ildkule-unstable = unstableNixosConfig "ildkule" { };
      shark = stableNixosConfig "shark" { };
+
+      brzeczyszczykiewicz = stableNixosConfig "brzeczyszczykiewicz" {
+        modules = [
+          ./hosts/brzeczyszczykiewicz/configuration.nix
+          sops-nix.nixosModules.sops
+
+          inputs.grzegorz.nixosModules.grzegorz-kiosk
+          inputs.grzegorz-clients.nixosModules.grzegorz-webui
+        ];
+      };
+      georg = stableNixosConfig "georg" {
+        modules = [
+          ./hosts/georg/configuration.nix
+          sops-nix.nixosModules.sops
+
+          inputs.grzegorz.nixosModules.grzegorz-kiosk
+          inputs.grzegorz-clients.nixosModules.grzegorz-webui
+        ];
+      };
+      buskerud = stableNixosConfig "buskerud" {
+        modules = [
+          ./hosts/buskerud/configuration.nix
+          sops-nix.nixosModules.sops
+        ];
+      };
    };

    devShells = forAllSystems (system: {
      default = nixpkgs.legacyPackages.${system}.callPackage ./shell.nix { };
    });
+
+    packages = {
+      "x86_64-linux" = let
+        pkgs = nixpkgs.legacyPackages."x86_64-linux";
+      in rec {
+        default = important-machines;
+        important-machines = pkgs.linkFarm "important-machines"
+          (nixlib.getAttrs importantMachines self.packages.x86_64-linux);
+        all-machines = pkgs.linkFarm "all-machines"
+          (nixlib.getAttrs allMachines self.packages.x86_64-linux);
+      } // nixlib.genAttrs allMachines
+        (machine: self.nixosConfigurations.${machine}.config.system.build.toplevel);
+    };
  };
 }
--- a/hosts/bekkalokk/configuration.nix
+++ b/hosts/bekkalokk/configuration.nix
@ -10,9 +10,10 @@

    # TODO: set up authentication for the following:
    # ./services/website.nix
-    ./services/nginx.nix
+    ./services/nginx
    ./services/gitea/default.nix
-    ./services/mediawiki.nix
+    ./services/webmail
+    # ./services/mediawiki.nix
  ];

  sops.defaultSopsFile = ../../secrets/bekkalokk/bekkalokk.yaml;
--- a/hosts/bekkalokk/services/gitea/default.nix
+++ b/hosts/bekkalokk/services/gitea/default.nix
@ -1,4 +1,4 @@
-{ config, values, pkgs, ... }:
+{ config, values, pkgs, lib, ... }:
 let
  cfg = config.services.gitea;
  domain = "git.pvv.ntnu.no";
@ -32,12 +32,18 @@ in {
    };

    settings = {
+      dump = {
+        enable = true;
+        interval = "monthly";
+      };
+
      server = {
        DOMAIN   = domain;
        ROOT_URL = "https://${domain}/";
        PROTOCOL = "http+unix";
        SSH_PORT = sshPort;
 	      START_SSH_SERVER = true;
+        LFS_START_SERVER = true;
      };
      indexer.REPO_INDEXER_ENABLED = true;
      service.DISABLE_REGISTRATION = true;
@ -49,6 +55,35 @@ in {
      };
      actions.ENABLED = true;
      "ui.meta".DESCRIPTION = "Bokstavelig talt programvareverkstedet";
+      "ui.svg".RENDER = true;
+
+      markup = {
+        asciidoc = { 
+          ENABLED = true;
+          NEED_POSTPROCESS = true;
+          FILE_EXTENSIONS = ".adoc,.asciidoc";
+          RENDER_COMMAND = "${lib.getExe pkgs.asciidoctor} --embedded --safe-mode=secure --out-file=- -";
+          IS_INPUT_FILE = false;
+        };
+
+        html = {
+          ENABLED         = true;
+          FILE_EXTENSIONS = ".html,.htm";
+          RENDER_COMMAND  = "cat";
+          # Input is not a standard input but a file
+          IS_INPUT_FILE   = true;
+        };
+        
+        sanitizer.html.1 = {
+          ELEMENT = "div";
+          ALLOW_ATTR = "class";
+        };
+        
+        sanitizer.html.2 = {
+          ELEMENT = "a";
+          ALLOW_ATTR = "class";
+        };
+      };
    };
  };

@ -84,9 +119,9 @@ in {
  };

  systemd.timers.gitea-import-users = {
-    enable = true;
    requires = [ "gitea.service" ];
    after = [ "gitea.service" ];
+    wantedBy = [ "timers.target" ];
    timerConfig = {
      OnCalendar = "*-*-* 02:00:00";
      Persistent = true;
--- a/hosts/bekkalokk/services/gitea/gitea-import-users.py
+++ b/hosts/bekkalokk/services/gitea/gitea-import-users.py
@ -32,7 +32,6 @@ def add_user(username, name):
            "full_name": name,
            "username": username,
            "login_name": username,
-            "visibility": "public",
            "source_id": 1,  # 1 = SMTP
    }

@ -52,6 +51,7 @@ def add_user(username, name):
        existing_users[username] = user

    else:
+        user["visibility"] = existing_users[username]["visibility"]
        r = requests.patch(GITEA_API_URL + f'/admin/users/{username}',
                           json=user,
                           headers={'Authorization': 'token ' + API_TOKEN})
--- a/hosts/bekkalokk/services/mediawiki.nix
+++ b/hosts/bekkalokk/services/mediawiki.nix
@ -7,16 +7,17 @@
  # "mediawiki"
  group = config.users.users.${user}.group;
 in {
-  sops.secrets = let
-    secret = opts: {
+  sops.secrets = {
+    "mediawiki/password" = {
      restartUnits = [ "mediawiki-init.service" "phpfpm-mediawiki.service" ];
      owner = user;
      group = group;
-    } // opts;
-  in {
-    "mediawiki/password" = secret { };
-    "mediawiki/database" = secret { };
-    "mediawiki/oidc/clientsecret" = secret { };
+    };
+    "keys/postgres/mediawiki" = {
+      restartUnits = [ "mediawiki-init.service" "phpfpm-mediawiki.service" ];
+      owner = user;
+      group = group;
+    };
  };

  services.mediawiki = {
@ -26,12 +27,13 @@ in {
    passwordSender = "drift@pvv.ntnu.no";

    database = {
-      type = "mysql";
-      host = "mysql.pvv.ntnu.no";
+      type = "postgres";
+      host = "postgres.pvv.ntnu.no";
+      port = config.services.postgresql.port;
+      passwordFile = config.sops.secrets."keys/postgres/mediawiki".path;
      createLocally = false;
-      user = "bekkalokk_mediawiki_test";
-      name = "bekkalokk_mediawiki_test";
-      passwordFile = config.sops.secrets."mediawiki/database".path;
+      # TODO: create a normal database and copy over old data when the service is production ready
+      name = "mediawiki_test";
    };

    # Host through nginx
@ -40,51 +42,70 @@ in {
      listenUser = config.services.nginx.user;
      listenGroup = config.services.nginx.group;
    in {
-      # Worker settings
+      inherit user group;
      "pm" = "dynamic";
      "pm.max_children" = 32;
      "pm.max_requests" = 500;
      "pm.start_servers" = 2;
      "pm.min_spare_servers" = 2;
      "pm.max_spare_servers" = 4;
-
-      # Socket settings
      "listen.owner" = listenUser;
      "listen.group" = listenGroup;
-
-      # Misc
-      "env[PATH]" = lib.makeBinPath [ pkgs.php ];
-      # to accept *.html file
-      "security.limit_extensions" = "";
-      inherit user group;
-
-      # Debug logging
-      "catch_workers_output" = "yes";
-      "php_flag[display_errors]" = "on";
      "php_admin_value[error_log]" = "stderr";
      "php_admin_flag[log_errors]" = "on";
+      "env[PATH]" = lib.makeBinPath [ pkgs.php ];
+      "catch_workers_output" = true;
+      # to accept *.html file
+      "security.limit_extensions" = "";
    };

    extensions = {
      DeleteBatch = pkgs.fetchzip {
-        url = "https://extdist.wmflabs.org/dist/extensions/DeleteBatch-REL1_40-6852fb7.tar.gz";
-        hash = "sha256-m6l8Cs6mFLu1qfovBFO2l8HhtYZXnpZkajWXNob2wbU=";
+        url = "https://extdist.wmflabs.org/dist/extensions/DeleteBatch-REL1_39-995ea6f.tar.gz";
+	sha256 = "sha256-0F4GLCy2f5WcWIY2YgF1tVxgYbglR0VOsj/pMrW93b8=";
      };
      UserMerge = pkgs.fetchzip {
-        url = "https://extdist.wmflabs.org/dist/extensions/UserMerge-REL1_40-56f6dcf.tar.gz";
-        hash = "sha256-zO7ti7fZPlJp3TXSJbYrXPRyElwO57zoU+RH7LBwVGU=";
+        url = "https://extdist.wmflabs.org/dist/extensions/UserMerge-REL1_39-b10d50e.tar.gz";
+	sha256 = "sha256-bXhj1+OlOUJDbvEuc8iwqb1LLEu6cN6+C/7cAvnWPOQ=";
      };
      PluggableAuth = pkgs.fetchzip {
-        url = "https://extdist.wmflabs.org/dist/extensions/PluggableAuth-REL1_40-8104ed9.tar.gz";
-        hash = "sha256-fFz9+pJ/Ucdg340I/JWe4S/W05oVSfns9EF84rxN8yI=";
+        url = "https://extdist.wmflabs.org/dist/extensions/PluggableAuth-REL1_39-1210fc3.tar.gz";
+	sha256 = "sha256-F6bTMCzkK3kZwZGIsNE87WlZWqXXmTMhEjApO99YKR0=";
      };
-      OpenIDConnect = pkgs.fetchzip {
-        url = "https://extdist.wmflabs.org/dist/extensions/OpenIDConnect-REL1_40-3edc735.tar.gz";
-        hash = "sha256-Osp4m2Sp9uGNt3QEmRsw0LA3KQCQzqJosgy3AFs11hY=";
+      SimpleSAMLphp = pkgs.fetchzip {
+        url = "https://extdist.wmflabs.org/dist/extensions/SimpleSAMLphp-REL1_39-dcf0acb.tar.gz";
+        sha256 = "sha256-tCvFmb2+q2rxms+lRo5pgoI3h6GjCwXAR8XisPg03TQ=";
      };
    };

-    extraConfig = ''
+    extraConfig = let
+
+      SimpleSAMLphpRepo = pkgs.stdenvNoCC.mkDerivation rec {
+        pname = "configuredSimpleSAML";
+	version = "2.0.4";
+        src = pkgs.fetchzip {
+          url = "https://github.com/simplesamlphp/simplesamlphp/releases/download/v${version}/simplesamlphp-${version}.tar.gz";
+          sha256 = "sha256-pfMV/VmqqxgtG7Nx4s8MW4tWSaxOkVPtCRJwxV6RDSE=";
+        };
+
+	buildPhase = ''
+          cat > config/authsources.php << EOF
+          <?php
+          $config = array(
+            'default-sp' => array(
+              'saml:SP',
+              'idp' => 'https://idp.pvv.ntnu.no/',
+            ),
+          );
+	  EOF
+	'';
+
+	installPhase = ''
+	  cp -r . $out
+	'';
+      };
+
+    in ''
      $wgServer = "https://bekkalokk.pvv.ntnu.no";
      $wgLocaltimezone = "Europe/Oslo";

@ -94,60 +115,61 @@ in {
      $wgEmailAuthentication = false;
      $wgGroupPermissions['*']['createaccount'] = false;
      $wgGroupPermissions['*']['autocreateaccount'] = true;
-      $wgPluggableAuth_EnableAutoLogin = false;
-
-      # SSO config
-      $wgPluggableAuth_Config[] = [
-          'plugin' => 'OpenIDConnect',
-          'data' => [
-              'providerURL' => 'https://git.pvv.ntnu.no/login/oauth/authorize',
-              'clientID' => 'be86ec39-d89c-4973-a163-633339539db2',
-              'clientsecret' => file_get_contents('${config.sops.secrets."mediawiki/oidc/clientsecret".path}')
-          ]
-      ];
+      $wgPluggableAuth_EnableAutoLogin = true;

      # Disable anonymous editing
      $wgGroupPermissions['*']['edit'] = false;

      # Styling
-      $wgLogos = [
-        'svg' => "${../../../assets/logo_blue_regular.svg}",
-      ];
+      $wgLogo = "/PNG/PVV-logo.png";
      $wgDefaultSkin = "monobook";

-      # Enable debugging
-      error_reporting( -1 );
-      ini_set( 'display_errors', 1 );
-
      # Misc
      $wgEmergencyContact = "${cfg.passwordSender}";
      $wgShowIPinHeader = false;
      $wgUseTeX = false;
      $wgLocalInterwiki = $wgSitename;

+      # SimpleSAML
+      $wgSimpleSAMLphp_InstallDir = "${SimpleSAMLphpRepo}";
+      $wgSimpleSAMLphp_AuthSourceId = "default-sp";
+      $wgSimpleSAMLphp_RealNameAttribute = "cn";
+      $wgSimpleSAMLphp_EmailAttribute = "mail";
+      $wgSimpleSAMLphp_UsernameAttribute = "uid";
+
      # Fix https://github.com/NixOS/nixpkgs/issues/183097
      $wgDBserver = "${toString cfg.database.host}";
    '';
  };

-  # services.nginx.virtualHosts."wiki.pvv.ntnu.no" = {
-  services.nginx.virtualHosts."bekkalokk.pvv.ntnu.no" = {
-    forceSSL = true;
-    enableACME = true;
-    root = "${cfg.finalPackage}/share/mediawiki";
-    locations = {
-      "/" = {
-        recommendedProxySettings = true;
-        extraConfig = ''
-          fastcgi_split_path_info ^(.+\.php)(/.+)$;
-          fastcgi_index index.php;
-          fastcgi_pass unix:${config.services.phpfpm.pools.mediawiki.socket};
-          include ${pkgs.nginx}/conf/fastcgi_params;
-          include ${pkgs.nginx}/conf/fastcgi.conf;
-        '';
-      };
-      "/images".root = config.services.mediawiki.uploadsDir;
-    };
-    
-  };
+  # Override because of https://github.com/NixOS/nixpkgs/issues/183097
+  systemd.services.mediawiki-init.script = let
+    # According to module
+    stateDir = "/var/lib/mediawiki";
+    pkg = cfg.finalPackage;
+    mediawikiConfig = config.services.phpfpm.pools.mediawiki.phpEnv.MEDIAWIKI_CONFIG;
+    inherit (lib) optionalString mkForce;
+  in mkForce ''
+    if ! test -e "${stateDir}/secret.key"; then
+      tr -dc A-Za-z0-9 </dev/urandom 2>/dev/null | head -c 64 > ${stateDir}/secret.key
+    fi
+
+    echo "exit( wfGetDB( DB_MASTER )->tableExists( 'user' ) ? 1 : 0 );" | \
+    ${pkgs.php}/bin/php ${pkg}/share/mediawiki/maintenance/eval.php --conf ${mediawikiConfig} && \
+    ${pkgs.php}/bin/php ${pkg}/share/mediawiki/maintenance/install.php \
+      --confpath /tmp \
+      --scriptpath / \
+      --dbserver "${cfg.database.host}" \
+      --dbport ${toString cfg.database.port} \
+      --dbname ${cfg.database.name} \
+      ${optionalString (cfg.database.tablePrefix != null) "--dbprefix ${cfg.database.tablePrefix}"} \
+      --dbuser ${cfg.database.user} \
+      ${optionalString (cfg.database.passwordFile != null) "--dbpassfile ${cfg.database.passwordFile}"} \
+      --passfile ${cfg.passwordFile} \
+      --dbtype ${cfg.database.type} \
+      ${cfg.name} \
+      admin
+
+    ${pkgs.php}/bin/php ${pkg}/share/mediawiki/maintenance/update.php --conf ${mediawikiConfig} --quick
+  '';
 }
--- a/hosts/bekkalokk/services/nginx/default.nix
+++ b/hosts/bekkalokk/services/nginx/default.nix
@ -1,5 +1,9 @@
 { pkgs, config, ... }:
 {
+  imports = [
+    ./ingress.nix
+  ];
+
  security.acme = {
    acceptTerms = true;
    defaults.email = "drift@pvv.ntnu.no";
--- a/hosts/bekkalokk/services/nginx/ingress.nix
+++ b/hosts/bekkalokk/services/nginx/ingress.nix
@ -0,0 +1,55 @@
+{ config, lib, ... }:
+{
+  services.nginx.virtualHosts = {
+    "www2.pvv.ntnu.no" = {
+      serverAliases = [ "www2.pvv.org" "pvv.ntnu.no" "pvv.org" ];
+      addSSL = true;
+      enableACME = true;
+
+      locations = {
+        # Proxy home directories
+        "/~" = {
+          extraConfig = ''
+            proxy_redirect off;
+            proxy_pass https://tom.pvv.ntnu.no;
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+          '';
+        };
+
+        # Redirect old wiki entries
+        "/disk".return = "301 https://www.pvv.ntnu.no/pvv/Diskkjøp";
+        "/dok/boker.php".return = "301 https://www.pvv.ntnu.no/pvv/Bokhyllen";
+        "/styret/lover/".return = "301 https://www.pvv.ntnu.no/pvv/Lover";
+        "/styret/".return = "301 https://www.pvv.ntnu.no/pvv/Styret";
+        "/info/".return = "301 https://www.pvv.ntnu.no/pvv/";
+        "/info/maskinpark/".return = "301 https://www.pvv.ntnu.no/pvv/Maskiner";
+        "/medlemssider/meldinn.php".return = "301 https://www.pvv.ntnu.no/pvv/Medlemskontingent";
+        "/diverse/medlems-sider.php".return = "301 https://www.pvv.ntnu.no/pvv/Medlemssider";
+        "/cert/".return = "301 https://www.pvv.ntnu.no/pvv/CERT";
+        "/drift".return = "301 https://www.pvv.ntnu.no/pvv/Drift";
+        "/diverse/abuse.php".return = "301 https://www.pvv.ntnu.no/pvv/CERT/Abuse";
+        "/nerds/".return = "301 https://www.pvv.ntnu.no/pvv/Nerdepizza";
+
+        # TODO: Redirect webmail
+        "/webmail".return = "301 https://webmail.pvv.ntnu.no/squirrelmail";
+
+        # Redirect everything else to the main website
+        "/".return = "301 https://www.pvv.ntnu.no$request_uri";
+
+        # Proxy the matrix well-known files
+        # Host has be set before proxy_pass
+        # The header must be set so nginx on the other side routes it to the right place
+        "/.well-known/matrix/" = {
+          extraConfig = ''
+            proxy_set_header Host matrix.pvv.ntnu.no;
+            proxy_pass https://matrix.pvv.ntnu.no/.well-known/matrix/;
+          '';
+        };
+      };
+    };
+  };
+}
+
--- a/hosts/bekkalokk/services/webmail/default.nix
+++ b/hosts/bekkalokk/services/webmail/default.nix
@ -0,0 +1,15 @@
+{ config, values, pkgs, lib, ... }:
+{
+  imports = [
+    ./roundcube.nix
+  ];
+
+  services.nginx.virtualHosts."webmail2.pvv.ntnu.no" = {
+    forceSSL = true;
+    enableACME = true;
+    #locations."/" = lib.mkForce { };
+    locations."= /" = {
+      return = "301 https://www.pvv.ntnu.no/mail/";
+    };
+  };
+}
--- a/hosts/bekkalokk/services/webmail/roundcube.nix
+++ b/hosts/bekkalokk/services/webmail/roundcube.nix
@ -0,0 +1,74 @@
+{ config, pkgs, lib, ... }:
+
+with lib;
+let
+  cfg = config.services.roundcube;
+  domain = "webmail2.pvv.ntnu.no";
+in 
+{
+  services.roundcube = {
+    enable = true;
+
+    package = pkgs.roundcube.withPlugins (plugins: with plugins; [
+      persistent_login
+      thunderbird_labels
+      contextmenu
+      custom_from
+    ]);
+
+    dicts = with pkgs.aspellDicts; [ en en-science en-computers nb nn fr de it ];
+    maxAttachmentSize = 20;
+    hostName = "roundcubeplaceholder.example.com";
+
+    extraConfig = ''
+      $config['enable_installer'] = false;
+      $config['default_host'] = "ssl://imap.pvv.ntnu.no";
+      $config['default_port'] = 993;
+      $config['smtp_server'] = "ssl://smtp.pvv.ntnu.no";
+      $config['smtp_port'] = 465;
+      $config['mail_domain'] = "pvv.ntnu.no";
+      $config['smtp_user'] = "%u";
+      $config['support_url'] = "";
+    '';
+  };
+
+  services.nginx.virtualHosts."roundcubeplaceholder.example.com" = lib.mkForce { };
+
+  services.nginx.virtualHosts.${domain} = {
+    locations."/roundcube" = {
+      tryFiles = "$uri $uri/ =404";
+      index = "index.php";
+      root = pkgs.runCommandLocal "roundcube-dir" { } ''
+        mkdir -p $out
+        ln -s ${cfg.package} $out/roundcube
+      '';
+      extraConfig = ''
+        location ~ ^/roundcube/(${builtins.concatStringsSep "|" [
+        # https://wiki.archlinux.org/title/Roundcube
+        "README"
+        "INSTALL"
+        "LICENSE"
+        "CHANGELOG"
+        "UPGRADING"
+        "bin"
+        "SQL"
+        ".+\\.md"
+        "\\."
+        "config"
+        "temp"
+        "logs"
+        ]})/? {
+          deny all;
+        }
+
+        location ~ ^/roundcube/(.+\.php)(/?.*)$ {
+          fastcgi_split_path_info ^/roundcube(/.+\.php)(/.+)$;
+          include ${config.services.nginx.package}/conf/fastcgi_params;
+          include ${config.services.nginx.package}/conf/fastcgi.conf;
+          fastcgi_index index.php;
+          fastcgi_pass unix:${config.services.phpfpm.pools.roundcube.socket};
+        }
+      '';
+    };
+  };
+}
--- a/hosts/bicep/configuration.nix
+++ b/hosts/bicep/configuration.nix
@ -12,7 +12,8 @@
    ./services/mysql.nix
    ./services/postgres.nix
    ./services/mysql.nix
-    ./services/calendar-bot.nix
+    # TODO: fix the calendar bot
+    # ./services/calendar-bot.nix

    ./services/matrix
  ];
--- a/hosts/bicep/services/matrix/element.nix
+++ b/hosts/bicep/services/matrix/element.nix
@ -24,21 +24,26 @@ in {
        features = {
          feature_latex_maths = true;
          feature_pinning = true;
+          feature_render_reaction_images = true;
          feature_state_counters = true;
-          feature_custom_status = false;
+          # element call group calls
+          feature_group_calls = true;
        };
        default_theme = "dark";
+        # Servers in this list should provide some sort of valuable scoping
+        # matrix.org is not useful compared to matrixrooms.info,
+        # because it has so many general members, rooms of all topics are on it.
+        # Something matrixrooms.info is already providing.
        room_directory.servers = [
          "pvv.ntnu.no"
-          "matrix.omegav.no"
-          "matrix.org"
-          "libera.chat"
-          "gitter.im"
-          "mozilla.org"
-          "kde.org"
-          "t2bot.io"
-          "fosdem.org"
-          "dodsorf.as"
+          "matrixrooms.info" # Searches all public room directories
+          "matrix.omegav.no" # Friends
+          "gitter.im" # gitter rooms
+          "mozilla.org" # mozilla and friends
+          "kde.org" # KDE rooms
+          "fosdem.org" # FOSDEM
+          "dodsorf.as" # PVV Member
+          "nani.wtf" # PVV Member
        ];
        enable_presence_by_hs_url = {
          "https://matrix.org" = false;
--- a/hosts/bicep/services/matrix/smtp-authenticator/default.nix
+++ b/hosts/bicep/services/matrix/smtp-authenticator/default.nix
@ -0,0 +1,17 @@
+{ lib, buildPythonPackage, fetchFromGitHub }:
+
+buildPythonPackage rec {
+  pname = "matrix-synapse-smtp-auth";
+  version = "0.1.0";
+
+  src = ./.;
+
+  doCheck = false;
+
+  meta = with lib; {
+    description = "An SMTP auth provider for Synapse";
+    homepage = "pvv.ntnu.no";
+    license = licenses.agpl3Only;
+    maintainers = with maintainers; [ dandellion ];
+  };
+}
--- a/hosts/bicep/services/matrix/smtp-authenticator/setup.py
+++ b/hosts/bicep/services/matrix/smtp-authenticator/setup.py
@ -0,0 +1,11 @@
+from setuptools import setup
+
+setup(
+    name="matrix-synapse-smtp-auth",
+    version="0.1.0",
+    py_modules=['smtp_auth_provider'],
+    author="Daniel Løvbrøtte Olsen",
+    author_email="danio@pvv.ntnu.no",
+    description="An SMTP auth provider for Synapse",
+    license="AGPL-3.0-only"
+)
--- a/hosts/bicep/services/matrix/smtp-authenticator/smtp_auth_provider.py
+++ b/hosts/bicep/services/matrix/smtp-authenticator/smtp_auth_provider.py
@ -0,0 +1,50 @@
+from typing import Awaitable, Callable, Optional, Tuple
+
+from smtplib import SMTP_SSL as SMTP
+
+import synapse
+from synapse import module_api
+
+import re
+
+class SMTPAuthProvider:
+    def __init__(self, config: dict, api: module_api):
+        self.api = api
+
+        self.config = config
+
+        api.register_password_auth_provider_callbacks(
+            auth_checkers={
+                ("m.login.password", ("password",)): self.check_pass,
+            },
+        )
+
+    async def check_pass(
+        self,
+        username: str,
+        login_type: str,
+        login_dict: "synapse.module_api.JsonDict",
+    ):
+        if login_type != "m.login.password":
+            return None
+
+        # Convert `@username:server` to `username`
+        match = re.match(r'^@([\da-z\-\.=_\/\+]+):[\w\d\.:\[\]]+$', username)
+        username = match.group(1) if match else username
+
+        result = False
+        with SMTP(self.config["smtp_host"]) as smtp:
+            password = login_dict.get("password")
+            try:
+                smtp.login(username, password)
+                result = True
+            except:
+                return None
+
+        if result == True:
+            userid = self.api.get_qualified_user_id(username)
+            if not self.api.check_user_exists(userid):
+                self.api.register_user(username)
+            return (userid, None)
+        else:
+            return None
--- a/hosts/bicep/services/matrix/synapse.nix
+++ b/hosts/bicep/services/matrix/synapse.nix
@ -22,9 +22,18 @@ in {
    group = config.users.users.matrix-synapse.group;
  };

+  sops.secrets."matrix/sliding-sync/env" = {
+    sopsFile = ../../../../secrets/bicep/matrix.yaml;
+    key = "sliding-sync/env";
+  };
+
  services.matrix-synapse-next = {
    enable = true;

+    plugins = [
+      (pkgs.python3Packages.callPackage ./smtp-authenticator { })
+    ];
+
    dataDir = "/data/synapse";

    workers.federationSenders = 2;
@ -34,6 +43,8 @@ in {
    workers.eventPersisters = 2;
    workers.useUserDirectoryWorker = true;

+    enableSlidingSync = true;
+
    enableNginx = true;

    settings = {
@ -81,7 +92,15 @@ in {
      enable_registration = false;
      registration_shared_secret_path = config.sops.secrets."matrix/synapse/user_registration".path;

-      password_config.enabled = lib.mkForce false;
+      password_config.enabled = true;
+
+      modules = [
+        { module = "smtp_auth_provider.SMTPAuthProvider";
+          config = {
+            smtp_host = "smtp.pvv.ntnu.no";
+          };
+        }
+      ];

      trusted_key_servers = [
        { server_name = "matrix.org"; }
@ -192,9 +211,24 @@ in {
    };
  };

+  services.matrix-synapse.sliding-sync.environmentFile = config.sops.secrets."matrix/sliding-sync/env".path;
+
+
  services.redis.servers."".enable = true;
  
-  services.nginx.virtualHosts."matrix.pvv.ntnu.no" = lib.mkMerge [({
+  services.nginx.virtualHosts."matrix.pvv.ntnu.no" = lib.mkMerge [
+  ({
+    locations."/.well-known/matrix/server" = {
+      return = ''
+        200 '{"m.server": "matrix.pvv.ntnu.no:443"}'
+      '';
+      extraConfig = ''
+        default_type application/json;
+        add_header Access-Control-Allow-Origin *;
+      '';
+    };
+  })
+  ({
    locations = let
      connectionInfo = w: matrix-lib.workerConnectionResource "metrics" w;
      socketAddress = w: let c = connectionInfo w; in "${c.host}:${toString (c.port)}";
--- a/hosts/bikkje/configuration.nix
+++ b/hosts/bikkje/configuration.nix
@ -0,0 +1,44 @@
+{ config, pkgs, values, ... }:
+{
+    networking.nat = {
+    enable = true;
+    internalInterfaces = ["ve-+"];
+    externalInterface = "ens3";
+    # Lazy IPv6 connectivity for the container
+    enableIPv6 = true;
+  };
+
+  containers.bikkje = {
+    autoStart = true;
+    config = { config, pkgs, ... }: {
+      #import packages
+      packages = with pkgs; [
+          alpine
+          mutt
+          mutt-ics
+          mutt-wizard
+          weechat
+          weechatScripts.edit
+          hexchat
+          irssi
+          pidgin
+      ];
+
+      networking = {
+        firewall = {
+          enable = true;
+          # Allow SSH and HTTP and ports for email and irc
+          allowedTCPPorts = [ 80 22 194 994 6665 6666 6667 6668 6669 6697 995 993 25 465 587 110 143 993 995 ];
+          allowedUDPPorts = [ 80 22 194 994 6665 6666 6667 6668 6669 6697 995 993 25 465 587 110 143 993 995 ];
+        };
+        # Use systemd-resolved inside the container
+        # Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686
+        useHostResolvConf = mkForce false;
+      };
+      
+      system.stateVersion = "23.11";
+      services.resolved.enable = true;
+    };
+  };
+
+};
--- a/hosts/bob/configuration.nix
+++ b/hosts/bob/configuration.nix
@ -0,0 +1,46 @@
+{ config, pkgs, values, ... }:
+{
+  imports = [
+      # Include the results of the hardware scan.
+      ./hardware-configuration.nix
+      ../../base.nix
+      ../../misc/metrics-exporters.nix
+      ./disks.nix
+
+      ../../misc/builder.nix
+    ];
+
+  sops.defaultSopsFile = ../../secrets/bob/bob.yaml;
+  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+  sops.age.keyFile = "/var/lib/sops-nix/key.txt";
+  sops.age.generateKey = true;
+
+  boot.loader.grub = {
+    enable = true;
+    efiSupport = true;
+    efiInstallAsRemovable = true;
+  };
+
+  networking.hostName = "bob"; # Define your hostname.
+
+  systemd.network.networks."30-all" = values.defaultNetworkConfig // {
+    matchConfig.Name = "en*";
+    DHCP = "yes";
+    gateway = [ ];
+  };
+
+  # List packages installed in system profile
+  environment.systemPackages = with pkgs; [
+  ];
+
+  # List services that you want to enable:
+
+  # This value determines the NixOS release from which the default
+  # settings for stateful data, like file locations and database versions
+  # on your system were taken. It‘s perfectly fine and recommended to leave
+  # this value at the release version of the first install of this system.
+  # Before changing this value read the documentation for this option
+  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+  system.stateVersion = "23.05"; # Did you read the comment?
+
+}
--- a/hosts/bob/disks.nix
+++ b/hosts/bob/disks.nix
@ -0,0 +1,39 @@
+# Example to create a bios compatible gpt partition
+{ lib, ... }:
+{
+  disko.devices = {
+    disk.disk1 = {
+      device = lib.mkDefault "/dev/sda";
+      type = "disk";
+      content = {
+        type = "gpt";
+        partitions = {
+          boot = {
+            name = "boot";
+            size = "1M";
+            type = "EF02";
+          };
+          esp = {
+            name = "ESP";
+            size = "500M";
+            type = "EF00";
+            content = {
+              type = "filesystem";
+              format = "vfat";
+              mountpoint = "/boot";
+            };
+          };
+          root = {
+            name = "root";
+            size = "100%";
+            content = {
+              type = "filesystem";
+              format = "ext4";
+              mountpoint = "/";
+            };
+          };
+        };
+      };
+    };
+  };
+}
--- a/hosts/bob/hardware-configuration.nix
+++ b/hosts/bob/hardware-configuration.nix
@ -0,0 +1,24 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/profiles/qemu-guest.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_blk" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ ];
+  boot.extraModulePackages = [ ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.ens3.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}
--- a/hosts/brzeczyszczykiewicz/configuration.nix
+++ b/hosts/brzeczyszczykiewicz/configuration.nix
@ -0,0 +1,36 @@
+{ config, pkgs, values, ... }:
+{
+  imports = [
+      # Include the results of the hardware scan.
+      ./hardware-configuration.nix
+      ../../base.nix
+      ../../misc/metrics-exporters.nix
+
+      ./services/grzegorz.nix
+    ];
+
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+
+  networking.hostName = "brzeczyszczykiewicz";
+
+  systemd.network.networks."30-eno1" = values.defaultNetworkConfig // {
+    matchConfig.Name = "eno1";
+    address = with values.hosts.brzeczyszczykiewicz; [ (ipv4 + "/25") (ipv6 + "/64") ];
+  };
+
+  # List packages installed in system profile
+  environment.systemPackages = with pkgs; [
+  ];
+
+  # List services that you want to enable:
+
+  # This value determines the NixOS release from which the default
+  # settings for stateful data, like file locations and database versions
+  # on your system were taken. It‘s perfectly fine and recommended to leave
+  # this value at the release version of the first install of this system.
+  # Before changing this value read the documentation for this option
+  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+  system.stateVersion = "23.05"; # Did you read the comment?
+
+}
--- a/hosts/brzeczyszczykiewicz/hardware-configuration.nix
+++ b/hosts/brzeczyszczykiewicz/hardware-configuration.nix
@ -0,0 +1,39 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" "sr_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/4e8667f8-55de-4103-8369-b94665f42204";
+      fsType = "ext4";
+    };
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/82E3-3D03";
+      fsType = "vfat";
+    };
+
+  swapDevices =
+    [ { device = "/dev/disk/by-uuid/d0bf9a21-44bc-44a3-ae55-8f0971875883"; }
+    ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.eno1.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
--- a/hosts/brzeczyszczykiewicz/services/grzegorz.nix
+++ b/hosts/brzeczyszczykiewicz/services/grzegorz.nix
@ -0,0 +1,11 @@
+{ config, ... }:
+{
+  imports = [ ../../../modules/grzegorz.nix ];
+
+  services.nginx.virtualHosts."${config.networking.fqdn}" = {
+    serverAliases = [
+      "bokhylle.pvv.ntnu.no"
+      "bokhylle.pvv.org"
+    ];
+  };
+}
--- a/hosts/buskerud/configuration.nix
+++ b/hosts/buskerud/configuration.nix
@ -0,0 +1,36 @@
+{ config, pkgs, values, ... }:
+{
+  imports = [
+    ./hardware-configuration.nix
+    ../../base.nix
+    ../../misc/metrics-exporters.nix
+  ];
+
+  # buskerud does not support efi?
+  # boot.loader.systemd-boot.enable = true;
+  # boot.loader.efi.canTouchEfiVariables = true;
+  boot.loader.grub.enable = true;
+  boot.loader.grub.device = "/dev/sdb";
+
+  networking.hostName = "buskerud";
+  networking.search = [ "pvv.ntnu.no" "pvv.org" ];
+  networking.nameservers = [ "129.241.0.200" "129.241.0.201" ];
+  networking.tempAddresses = "disabled";
+
+  systemd.network.networks."enp3s0f0" = values.defaultNetworkConfig // {
+    matchConfig.Name = "enp3s0f0";
+    address = with values.hosts.buskerud; [ (ipv4 + "/25") (ipv6 + "/64") ];
+  };
+
+  # List packages installed in system profile
+  environment.systemPackages = with pkgs; [
+  ];
+
+  # This value determines the NixOS release from which the default
+  # settings for stateful data, like file locations and database versions
+  # on your system were taken. It‘s perfectly fine and recommended to leave
+  # this value at the release version of the first install of this system.
+  # Before changing this value read the documentation for this option
+  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+  system.stateVersion = "23.05"; # Did you read the comment?
+}
--- a/hosts/buskerud/hardware-configuration.nix
+++ b/hosts/buskerud/hardware-configuration.nix
@ -0,0 +1,37 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "uhci_hcd" "ehci_pci" "ata_piix" "hpsa" "usb_storage" "usbhid" "sd_mod" "sr_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/ed9654fe-575a-4fb3-b6ff-1b059479acff";
+      fsType = "ext4";
+    };
+
+  swapDevices = [ ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp14s0f0.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp14s0f1.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp3s0f0.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp3s0f1.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp4s0f0.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp4s0f1.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
--- a/hosts/georg/configuration.nix
+++ b/hosts/georg/configuration.nix
@ -0,0 +1,36 @@
+{ config, pkgs, values, ... }:
+{
+  imports = [
+      # Include the results of the hardware scan.
+      ./hardware-configuration.nix
+      ../../base.nix
+      ../../misc/metrics-exporters.nix
+
+      ../../modules/grzegorz.nix
+    ];
+
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+
+  networking.hostName = "georg";
+
+  systemd.network.networks."30-eno1" = values.defaultNetworkConfig // {
+    matchConfig.Name = "eno1";
+    address = with values.hosts.georg; [ (ipv4 + "/25") (ipv6 + "/64") ];
+  };
+
+  # List packages installed in system profile
+  environment.systemPackages = with pkgs; [
+  ];
+
+  # List services that you want to enable:
+
+  # This value determines the NixOS release from which the default
+  # settings for stateful data, like file locations and database versions
+  # on your system were taken. It‘s perfectly fine and recommended to leave
+  # this value at the release version of the first install of this system.
+  # Before changing this value read the documentation for this option
+  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+  system.stateVersion = "23.05"; # Did you read the comment?
+
+}
--- a/hosts/georg/hardware-configuration.nix
+++ b/hosts/georg/hardware-configuration.nix
@ -0,0 +1,40 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usb_storage" "usbhid" "sd_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/33825f0d-5a63-40fc-83db-bfa1ebb72ba0";
+      fsType = "ext4";
+    };
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/145E-7362";
+      fsType = "vfat";
+    };
+
+  swapDevices =
+    [ { device = "/dev/disk/by-uuid/7ed27e21-3247-44cd-8bcc-5d4a2efebf57"; }
+    ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.eno1.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp2s2.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
--- a/hosts/ildkule/services/metrics/prometheus/mysqld.nix
+++ b/hosts/ildkule/services/metrics/prometheus/mysqld.nix
@ -1,4 +1,4 @@
-{ config, unstable, ... }: let
+{ config, ... }: let
  cfg = config.services.prometheus;
 in {
  sops.secrets."config/mysqld_exporter" = { };
--- a/misc/builder.nix
+++ b/misc/builder.nix
@ -0,0 +1,5 @@
+{ ... }:
+
+{
+  nix.settings.trusted-users = [ "@nix-builder-users" ];
+}
--- a/modules/grzegorz.nix
+++ b/modules/grzegorz.nix
@ -0,0 +1,62 @@
+{config, lib, pkgs, ...}:
+let
+  grg = config.services.grzegorz;
+  grgw = config.services.grzegorz-webui;
+in {
+  services.pipewire.enable = true;
+  services.pipewire.alsa.enable = true;
+  services.pipewire.alsa.support32Bit = true;
+  services.pipewire.pulse.enable = true;
+
+  users.users.pvv = {
+    isNormalUser = true;
+    description = "pvv";
+  };
+
+  services.grzegorz.enable = true;
+  services.grzegorz.listenAddr = "localhost";
+  services.grzegorz.listenPort = 31337;
+
+  services.grzegorz-webui.enable = true;
+  services.grzegorz-webui.listenAddr = "localhost";
+  services.grzegorz-webui.listenPort = 42069;
+  services.grzegorz-webui.listenWebsocketPort = 42042;
+  services.grzegorz-webui.hostName = "${config.networking.fqdn}";
+  services.grzegorz-webui.apiBase = "http://${toString grg.listenAddr}:${toString grg.listenPort}/api";
+
+  security.acme.acceptTerms = true;
+  security.acme.defaults.email = "pederbs@pvv.ntnu.no";
+
+  services.nginx.enable = true;
+  networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+  services.nginx.virtualHosts."${config.networking.fqdn}" = {
+    forceSSL = true;
+    enableACME = true;
+    serverAliases = [
+      "${config.networking.hostName}.pvv.org"
+    ];
+    extraConfig = ''
+      allow 129.241.210.128/25;
+      allow 2001:700:300:1900::/64;
+      deny all;
+    '';
+
+    locations."/" = {
+      proxyPass = "http://localhost:${builtins.toString config.services.grzegorz-webui.listenPort}";
+    };
+    # https://github.com/rawpython/remi/issues/216
+    locations."/websocket" = {
+      proxyPass = "http://localhost:${builtins.toString config.services.grzegorz-webui.listenWebsocketPort}";
+      proxyWebsockets = true;
+    };
+    locations."/api" = {
+      proxyPass = "http://localhost:${builtins.toString config.services.grzegorz.listenPort}";
+    };
+    locations."/docs" = {
+      proxyPass = "http://localhost:${builtins.toString config.services.grzegorz.listenPort}";
+    };
+  };
+
+}
+
--- a/pkgs/minecraft-server-fabric/default.nix
+++ b/pkgs/minecraft-server-fabric/default.nix
@ -1,43 +0,0 @@
-{ callPackage, writeTextFile, writeShellScriptBin, minecraft-server, jre_headless }:
-
-let
-  loader = callPackage ./generate-loader.nix {};
-  log4j = writeTextFile {
-    name = "log4j.xml";
-    text = ''
-      <?xml version="1.0" encoding="UTF-8"?>
-      <Configuration status="WARN" packages="com.mojang.util">
-          <Appenders>
-              <Console name="SysOut" target="SYSTEM_OUT">
-                  <PatternLayout pattern="[%d{HH:mm:ss}] [%t/%level]: %msg%n" />
-              </Console>
-              <Queue name="ServerGuiConsole">
-                  <PatternLayout pattern="[%d{HH:mm:ss} %level]: %msg%n" />
-              </Queue>
-              <RollingRandomAccessFile name="File" fileName="logs/latest.log" filePattern="logs/%d{yyyy-MM-dd}-%i.log.gz">
-                  <PatternLayout pattern="[%d{HH:mm:ss}] [%t/%level]: %msg%n" />
-                  <Policies>
-                      <TimeBasedTriggeringPolicy />
-                      <OnStartupTriggeringPolicy />
-                  </Policies>
-                  <DefaultRolloverStrategy max="1000"/>
-              </RollingRandomAccessFile>
-          </Appenders>
-          <Loggers>
-              <Root level="info">
-                  <filters>
-                      <MarkerFilter marker="NETWORK_PACKETS" onMatch="DENY" onMismatch="NEUTRAL" />
-                  </filters>
-                  <AppenderRef ref="SysOut"/>
-                  <AppenderRef ref="File"/>
-                  <AppenderRef ref="ServerGuiConsole"/>
-              </Root>
-          </Loggers>
-      </Configuration>
-    '';
-  };
-in
-writeShellScriptBin "minecraft-server" ''
-  echo "serverJar=${minecraft-server}/lib/minecraft/server.jar" >> fabric-server-launcher.properties
-  exec ${jre_headless}/bin/java -Dlog4j.configurationFile=${log4j} $@ -jar ${loader} nogui
-''
--- a/pkgs/minecraft-server-fabric/generate-loader.nix
+++ b/pkgs/minecraft-server-fabric/generate-loader.nix
@ -1,38 +0,0 @@
-{ lib, fetchurl, stdenv, unzip, zip, jre_headless }:
-
-let
-  lock = import ./lock.nix;
-  libraries = lib.forEach lock.libraries fetchurl;
-in
-stdenv.mkDerivation {
-  name = "fabric-server-launch.jar";
-  nativeBuildInputs = [ unzip zip jre_headless ];
-
-  libraries = libraries;
-
-  buildPhase = ''
-    for i in $libraries; do
-      unzip -o $i
-    done
-
-    cat > META-INF/MANIFEST.MF << EOF
-    Manifest-Version: 1.0
-    Main-Class: net.fabricmc.loader.impl.launch.server.FabricServerLauncher
-    Name: org/objectweb/asm/
-    Implementation-Version: 9.2
-    EOF
-
-    cat > fabric-server-launch.properties << EOF
-    launch.mainClass=net.fabricmc.loader.impl.launch.knot.KnotServer
-    EOF
-  '';
-
-  installPhase = ''
-    jar cmvf META-INF/MANIFEST.MF "server.jar" .
-    zip -d server.jar 'META-INF/*.SF' 'META-INF/*.RSA' 'META-INF/*.DSA'
-    cp server.jar "$out"
-  '';
-
-  phases = [ "buildPhase" "installPhase" ];
-}
-
--- a/pkgs/minecraft-server-fabric/generate-lock-nix.sh
+++ b/pkgs/minecraft-server-fabric/generate-lock-nix.sh
@ -1,22 +0,0 @@
-#!/usr/bin/env nix-shell
-#!nix-shell -i bash -p bash curl jq
-curl https://meta.fabricmc.net/v2/versions/loader/1.18.1/0.12.12/server/json \
-| jq -r '
-  .mainClass,
-  (.libraries[]
-  | .url as $url
-  | .name | split(":") as [$dir, $name, $version]
-  |"\($name)-\($version).zip|\($url)\($dir|sub("\\.";"/";"g"))/\($name)/\($version)/\($name)-\($version).jar"
-  )' \
-| {
-    echo '{'
-    read mainClass;
-    echo "  mainClass = \"$mainClass\";"
-    echo "  libraries = ["
-    while IFS="|" read name url; do
-        hash=$(nix-prefetch-url $url);
-        echo "    { name = \"$name\"; sha256 = \"$hash\"; url = \"$url\"; }"
-    done
-    echo "  ];"
-    echo '}'
-}
--- a/pkgs/minecraft-server-fabric/lock.nix
+++ b/pkgs/minecraft-server-fabric/lock.nix
@ -1,16 +0,0 @@
-{
-  mainClass = "net.fabricmc.loader.impl.launch.knot.KnotServer";
-  libraries = [
-    { name = "tiny-mappings-parser-0.3.0+build.17.zip"; sha256 = "19kvhxfk5v01f2rvl7j02vqhn3nd2bh5jsgbk44rpzqv9f6074db"; url = "https://maven.fabricmc.net/net/fabricmc/tiny-mappings-parser/0.3.0+build.17/tiny-mappings-parser-0.3.0+build.17.jar"; }
-    { name = "sponge-mixin-0.10.7+mixin.0.8.4.zip"; sha256 = "18m5wksd9vjp676cxapkggnz8s3f8j89phln8gy5n8vxlrli8n0d"; url = "https://maven.fabricmc.net/net/fabricmc/sponge-mixin/0.10.7+mixin.0.8.4/sponge-mixin-0.10.7+mixin.0.8.4.jar"; }
-    { name = "tiny-remapper-0.6.0.zip"; sha256 = "1ynjfxg7cj9rd9c4l450w7yp20p2csjdpnk3mcx5bdkjzhbgvgzf"; url = "https://maven.fabricmc.net/net/fabricmc/tiny-remapper/0.6.0/tiny-remapper-0.6.0.jar"; }
-    { name = "access-widener-2.0.1.zip"; sha256 = "0a7s4x6dbaa9p59ps7pidzwrs0xwy5i17s35xrgh58i26szlsaxm"; url = "https://maven.fabricmc.net/net/fabricmc/access-widener/2.0.1/access-widener-2.0.1.jar"; }
-    { name = "asm-9.2.zip"; sha256 = "1xa7kccwmcqcdw1xly6n2frzhk56m8ma9v7h764g73ckf56zxm5r"; url = "https://maven.fabricmc.net/org/ow2/asm/asm/9.2/asm-9.2.jar"; }
-    { name = "asm-analysis-9.2.zip"; sha256 = "1i1kyirizs5sm2v0f06sdz86mbmyn61vjr9d9p8p5h1i2x9bx3w7"; url = "https://maven.fabricmc.net/org/ow2/asm/asm-analysis/9.2/asm-analysis-9.2.jar"; }
-    { name = "asm-commons-9.2.zip"; sha256 = "19p04mr14ahndba65v4krbvf4p5syf8wz0fp5i9bnf5270qyak5y"; url = "https://maven.fabricmc.net/org/ow2/asm/asm-commons/9.2/asm-commons-9.2.jar"; }
-    { name = "asm-tree-9.2.zip"; sha256 = "04g0zb7v65iz4k2m2grdpbv8jjryrzkkw7ww23yfp94i6399pgxa"; url = "https://maven.fabricmc.net/org/ow2/asm/asm-tree/9.2/asm-tree-9.2.jar"; }
-    { name = "asm-util-9.2.zip"; sha256 = "16759v4hh3ijpf4cglrxybz29x2hiylhsa388y09m2mf679kqnzz"; url = "https://maven.fabricmc.net/org/ow2/asm/asm-util/9.2/asm-util-9.2.jar"; }
-    { name = "intermediary-1.18.1.zip"; sha256 = "1rfz2gazvnivn6hlqiyjpiaycz8va87n5czy1p6w3lnrlfggj2i9"; url = "https://maven.fabricmc.net/net/fabricmc/intermediary/1.18.1/intermediary-1.18.1.jar"; }
-    { name = "fabric-loader-0.12.12.zip"; sha256 = "070dpcp7kcj4xr75wp1j6pb1bgfzllwg8xmqk3sk79jfqiqwzizw"; url = "https://maven.fabricmc.net/net/fabricmc/fabric-loader/0.12.12/fabric-loader-0.12.12.jar"; }
-  ];
-}
--- a/pkgs/minecraft-server/1_18_1.nix
+++ b/pkgs/minecraft-server/1_18_1.nix
@ -1,38 +0,0 @@
-{ lib, stdenv, fetchurl, nixosTests, jre_headless }:
-stdenv.mkDerivation {
-  pname = "minecraft-server";
-  version = "1.18.1";
-
-  src = fetchurl {
-    url = "https://launcher.mojang.com/v1/objects/125e5adf40c659fd3bce3e66e67a16bb49ecc1b9/server.jar";
-    # sha1 because that comes from mojang via api
-    sha1 = "125e5adf40c659fd3bce3e66e67a16bb49ecc1b9";
-  };
-
-  preferLocalBuild = true;
-
-  installPhase = ''
-    mkdir -p $out/bin $out/lib/minecraft
-    cp -v $src $out/lib/minecraft/server.jar
-    cat > $out/bin/minecraft-server << EOF
-    #!/bin/sh
-    exec ${jre_headless}/bin/java \$@ -jar $out/lib/minecraft/server.jar nogui
-    EOF
-    chmod +x $out/bin/minecraft-server
-  '';
-
-  dontUnpack = true;
-
-  passthru = {
-    tests = { inherit (nixosTests) minecraft-server; };
-    updateScript = ./update.sh;
-  };
-
-  meta = with lib; {
-    description = "Minecraft Server";
-    homepage = "https://minecraft.net";
-    license = licenses.unfreeRedistributable;
-    platforms = platforms.unix;
-    maintainers = with maintainers; [ thoughtpolice tomberek costrouc ];
-  };
-}
--- a/secrets/bekkalokk/bekkalokk.yaml
+++ b/secrets/bekkalokk/bekkalokk.yaml
@ -11,8 +11,6 @@ gitea:
 mediawiki:
    password: ENC[AES256_GCM,data:HsBuA1E7187roGnKuFPfPDYxA16GFjAUucgUtrdUFmcOzmTNiFH+NWY2ZQ==,iv:vDYUmmZftcrkDtJxNYKAJSx9j+AQcmQarC62QRHR4IM=,tag:3TKjNrGRivFWoK3djC748g==,type:str]
    database: ENC[AES256_GCM,data:EvVK3Mo6cZiIZS+gTxixU4r9SXN41VqwaWOtortZRNH+WPJ4xcYvzYMJNg==,iv:JtFTRLn3fzKIfgAPRqRgQjct7EdkEHtiyQKPy8/sZ2Q=,tag:nqzseG6BC0X5UNI/3kZZ3A==,type:str]
-    oidc:
-        clientsecret: ENC[AES256_GCM,data:bh016Qlijs5hoNY1iYsx6uEa5oEG9aX4T9BMiqnDRhSh7iVXpj9A6glcr8OGmWN7Om7yXE4AdlY=,iv:BnZjxbK6oB1eALx3RidpkwzU8xz1x0luwZC7ioqTjQE=,tag:HX8uUevimnAcqBH8NaMQXA==,type:str]
 keycloak:
    database: ENC[AES256_GCM,data:76+AZnNR5EiturTP7BdOCKE90bFFkfGlRtviSP5NHxPbb3RfFPJEMlwtzA==,iv:nS7VTossHdlrHjPeethhX+Ysp9ukrb5JD7kjG28OFpY=,tag:OMpiEv9nQA7v6lWJfNxEEw==,type:str]
 sops:
@ -48,8 +46,8 @@ sops:
            akVjeTNTeGorZjJQOVlMeCtPRUVYL3MK+VMvGxrbzGz4Q3sdaDDWjal+OiK+JYKX
            GHiMXVHQJZu/RrlxMjHKN6V3iaqxZpuvLAEJ2Lzy5EOHPtuiiRyeHQ==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-09-17T21:12:05Z"
-    mac: ENC[AES256_GCM,data:wfq3FTwwJh2eHbw5PW32IEp4jWeSQLaBLJzrbgfXUPP8VuPK3Q7puQtchsQ3Xrv2+c9FI536luhwaUPfgn+/JE8rn8KEhabMPrX2lYMVH8I4OkCYEivpbWNfmm3gfNU2SrEFZ2jBBLLCWDgBAA7SfyApiQiyZ3qpJ2aZCfgaUoM=,iv:5/R2tnjiQ6BPgU+eAChm2EsWuGurqumnzl4pfjZclLw=,tag:xdECs8muNv9c/68IRbWzCw==,type:str]
+    lastmodified: "2023-09-17T02:02:24Z"
+    mac: ENC[AES256_GCM,data:Lkvj9UOdE/WZtFReMs6n8ucFuJNPb76ZhPHFpYAEqYEe8d9FdMPMzq05DBAJe9IqpFS0jc9SWxJUPHfGgoMR8nPciZuR/mpJ+4s/cRkPbApwBPcLlvatE/qkbcxzoLlb1vN0gth5G/U7UEfk5Pp9gIz6Yo4sEIS3Za42tId1MpI=,iv:s3VELgU/RJ98/lbQV3vPtOLXtwFzB3KlY7bMKbAzp/g=,tag:D8s0XyGnd8UhbCseB/TyFg==,type:str]
    pgp:
        - created_at: "2023-05-21T00:28:40Z"
          enc: |
--- a/secrets/bicep/matrix.yaml
+++ b/secrets/bicep/matrix.yaml
@ -2,6 +2,8 @@ synapse:
    turnconfig: ENC[AES256_GCM,data:mASRjYa4C9WRow4x0XYRrlCE5LMJUYaId+o62r1qhsyJPa2LzrI=,iv:5vYdubvMDjLS6soiWx2DzkEAATb9NFbSS/Jhuuz1yI8=,tag:wOW07CQMDbOiZNervee/pg==,type:str]
    user_registration: ENC[AES256_GCM,data:ZDZfEEvyw8pg0WzhrdC8747ed+ZR2ZA8/WypJd/iDkmIy2RmxOeI0sE=,iv:l61mOlvzpCql4fC/eubBSU6px21et2WcpxQ6rFl14iw=,tag:sVDEAa3xipKIi/6isCjWew==,type:str]
    signing_key: ENC[AES256_GCM,data:6UpfiRlX9pRM7zhdm7Mc8y8EItLzugWkHSgE0tGpEmudCTa1wc60oNbYfhKDWU81DT/U148pZOoX1A==,iv:UlqCPicPm5eNBz1xBMI3A3Rn4t/GtldNIDdMH5MMnLw=,tag:HHaw6iMjEAv5b9mjHSVpwA==,type:str]
+sliding-sync:
+    env: ENC[AES256_GCM,data:DsU1qKTy5sn06Y0S5kFUqZHML20n6HdHUdXsQRUw,iv:/TNTc+StAZbf6pBY9CeXdxkx8E+3bak/wOqHyBNMprU=,tag:er5u4FRlSmUZrOT/sj+RhQ==,type:str]
 coturn:
    static-auth-secret: ENC[AES256_GCM,data:y5cG/LyrorkDH+8YrgcV7DY=,iv:ca90q2J3+NOy51mUBy4TMKfYMgWL4hxWDdsKIuxRBgU=,tag:hpFCns1lpi07paHyGB7tGQ==,type:str]
 mjolnir:
@ -41,8 +43,8 @@ sops:
            cGxZVnFhdXRka2drTGdkVk1iM0pFL1kK2ry7b2cLYPfntWi/BV3K2O+mHt3242Ef
            sI2JLLQYHeAhxjFdCzP1RDR+Wu/pRxZje6xuTZ9I9TKNmm+LhAXHQw==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-09-15T04:40:21Z"
-    mac: ENC[AES256_GCM,data:ZJVHLbpSu/nIzl5FJfRdg2ymRN5M+zJXNUpi1hBt2MBmvK+1ed2ElhMe5x7pyasSDdaUtXDo7ghkUF7vE46Wo6Z9dvlAvhwWm7Y2AWfUe5SFVwzqlOCjSKRPFrQrL7PcDBtMj4twtwhc4XsfJoUSuigWW2m21BKtEZSuuxLRqLA=,iv:ufFbfMaNHydbkwq6lxN1dQJldkAbtqais/CZFkoDhb4=,tag:uMj0LaiU0obIlw/+HJJdKg==,type:str]
+    lastmodified: "2023-10-22T00:31:46Z"
+    mac: ENC[AES256_GCM,data:UpnaUfRxvdyzBy5x4EC3w5LQ1qWxILTQhpyVPd9whTzQMAivAHT0pVmP9aE4T9w3NcWTaghp+f70GmQXx/OCC6DsRCWtU9pFHRj12YUowM3yB5lVTOomOLZQ9m4gUXw5I2GZHWBJn8CyosDcBMlXz2tiR91v/8Ulh6sDSAO86U0=,iv:5GcgRvbpqDEslZruKHM/TcMaF52A5X7AK41DEbrsRIQ=,tag:ndDgCRyX1aDRnzEUNmpoMw==,type:str]
    pgp:
        - created_at: "2023-05-06T21:31:39Z"
          enc: |
--- a/shell.nix
+++ b/shell.nix
@ -3,5 +3,17 @@ pkgs.mkShell {
  nativeBuildInputs = with pkgs; [
    sops
    gnupg
+    openstackclient
  ];
+
+  shellHook = ''
+    export OS_AUTH_URL=https://api.stack.it.ntnu.no:5000
+    export OS_PROJECT_ID=b78432a088954cdc850976db13cfd61c
+    export OS_PROJECT_NAME="STUDORG_Programvareverkstedet"
+    export OS_USER_DOMAIN_NAME="NTNU"
+    export OS_PROJECT_DOMAIN_ID="d3f99bcdaf974685ad0c74c2e5d259db"
+    export OS_REGION_NAME="NTNU-IT"
+    export OS_INTERFACE=public
+    export OS_IDENTITY_API_VERSION=3
+  '';
 }
--- a/users/adriangl.nix
+++ b/users/adriangl.nix
@ -0,0 +1,20 @@
+{ pkgs, ... }:
+{
+  users.users.adriangl = {
+    isNormalUser = true;
+    description = "(0_0)";
+    extraGroups = [
+      "wheel"
+      "drift"
+    ];
+
+    packages = with pkgs; [
+      eza
+      neovim
+    ];
+
+    openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFa5y7KyLn2tjxed1czMbyM5scnEpo9v/GfnhL/28ckM legolas"
+    ];
+  };
+}
--- a/users/danio.nix
+++ b/users/danio.nix
@ -3,7 +3,12 @@
 {
  users.users.danio = {
    isNormalUser = true;
-    extraGroups = [ "drift" ]; # Enable ‘sudo’ for the user.
+    extraGroups = [ "drift" "nix-builder-users" ];
    shell = pkgs.zsh;
+
+    openssh.authorizedKeys.keys = [
+      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCp8iMOx3eTiG5AmDh2KjKcigf7xdRKn9M7iZQ4RqP0np0UN2NUbu+VAMJmkWFyi3JpxmLuhszU0F1xY+3qM3ARduy1cs89B/bBE85xlOeYhcYVmpcgPR5xduS+TuHTBzFAgp+IU7/lgxdjcJ3PH4K0ruGRcX1xrytmk/vdY8IeSk3GVWDRrRbH6brO4cCCFjX0zJ7G6hBQueTPQoOy3jrUvgpRkzZY4ZCuljXtxbuX5X/2qWAkp8ca0iTQ5FzNA5JUyj+DWeEzjIEz6GrckOdV2LjWpT9+CtOqoPZOUudE1J9mJk4snNlMQjE06It7Kr50bpwoPqnxjo7ZjlHFLezl"
+      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDpGSDczzDOhTETCj+uB5e3/9QbOCaVW1knM+n1ey0n6LXH7uiPPmzuZiqfzmfbB1z4bjM2zpn3D6Et6zRCrBUjhTZqf/5GoNlvhVA6QYmBmBp98b8oY7juj5cmu55voxD0S5rC1mQMnWAAf8e8OPbkhs9Lt0XlOYdotLNIZQubzWqE2DK45g/h17ELJs+jkNXoalFjLvLXWzE/C+3pYoeNJVGHfVMTIwt7o64E6JXhxuYTYdSIuzd+BjntkSCXzcAzBFMRwkdlFVoBtLUMMcMQl39kcXv7lAQ8pv+8b1j1N9WuQVf1qEAcZguaimI1ifbXP5d841pZPApCj5KXectIEldfTrcwg8rZpd2UfYS/3XCcOuidBGprY7XsU/jz8wHbH68UjUrsLyaOMnG2ChYztnf63vm3gRs3Fc6FqTycpgYOPDeZBVTcMyPGgtiZvhnTeY20xFS5lK6M+dmgaDqH24kPLiwYSpUF2NK+Rg/2bZxvt/GaSr4U6fJGi3FCJOM= root@DanixLaptop"
+    ];
  };
 }
--- a/users/eirikwit.nix
+++ b/users/eirikwit.nix
@ -0,0 +1,18 @@
+{ pkgs, ... }:
+{
+  users.users.eirikwit = {
+    isNormalUser = true;
+    extraGroups = [
+      "wheel"
+      "drift"
+    ];
+
+    packages = with pkgs; [
+      micro
+    ];
+
+    openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGZusOSiUVSMjrvNdUq4R91Gafq4XVs9C77Zt+LMPhCU eirikw@live.no"
+    ];
+  };
+}
--- a/users/jonmro.nix
+++ b/users/jonmro.nix
@ -0,0 +1,12 @@
+{pkgs, ...}:
+
+{
+  users.users.jonmro = {
+    isNormalUser = true;
+    extraGroups = [ "wheel" "drift" "nix-builder-users" ]; 
+    shell = pkgs.zsh;
+    openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEm5PfYmfl/0fnAP/3coVlvTw3/TYNLT6r/NwJHZbLAK jonrodtang@gmail.com"
+    ];
+  };
+}
--- a/users/oysteikt.nix
+++ b/users/oysteikt.nix
@ -6,11 +6,12 @@
    extraGroups = [
      "wheel"
      "drift"
+      "nix-builder-users"
    ];

    packages = with pkgs; [
      bottom
-      exa
+      eza
      neovim
      diskonaut
      ripgrep
--- a/values.nix
+++ b/values.nix
@ -4,7 +4,7 @@ let
  pvv-ipv6 = suffix: "2001:700:300:1900::${toString suffix}";
 in rec {
  ipv4-space = pvv-ipv4 "128/25";
-  ipv6-space = pvv-ipv4 "/64";
+  ipv6-space = pvv-ipv6 "/64";

  services = {
    matrix = {
@ -37,10 +37,29 @@ in rec {
      ipv4 = pvv-ipv4 209;
      ipv6 = pvv-ipv6 209;
    };
+    bob = {
+      ipv4 = "129.241.152.254";
+      # ipv6 = ;
+    };
+    knutsen = {
+      ipv4 = pvv-ipv4 191;
+    };
    shark = {
      ipv4 = pvv-ipv4 196;
      ipv6 = pvv-ipv6 196;
    };
+    brzeczyszczykiewicz = {
+      ipv4 = pvv-ipv4 205;
+      ipv6 = pvv-ipv6 "1:50"; # Wtf peder why
+    };
+    georg = {
+      ipv4 = pvv-ipv4 204;
+      ipv6 = pvv-ipv6 "1:4f"; # Wtf øystein og daniel why
+    };
+    buskerud = {
+      ipv4 = pvv-ipv4 231;
+      ipv6 = pvv-ipv6 231;
+    };
  };

  defaultNetworkConfig = {
Author	SHA1	Message	Date
h7x4	1fbee584a2	WIP	2024-03-29 23:26:31 +01:00
Daniel Olsen	fe4dd21acb	add eirikwit to sops	2024-03-16 22:38:16 +01:00
Daniel Olsen	0336744124	flake update: matrix module bug fix	2024-03-13 07:41:12 +01:00
Daniel Olsen	b4d6e00622	Update flake.lock to get new matrix module	2024-03-13 06:33:43 +01:00
Daniel Olsen	7c6d4d31c7	bicep/matrix/element: update room directories	2024-03-05 05:52:31 +01:00
Daniel Olsen	9f46be1ca1	bicep/matrix: update element lab flags and room directoriy listings	2024-03-05 05:28:23 +01:00
jovre	545583cf04	bekkalokk/gitea: Do not change the user visibility	2024-03-03 00:29:24 +01:00
Felix Albrigtsen	62b269637a	bekkalokk/gitea: unset visibility when updating users	2024-02-12 11:24:14 +01:00
Adrian Gunnar Lauterer	7fd9a1e646	started on bikkje container for new loginbox - work in progress	2024-01-07 01:21:11 +01:00
Daniel Olsen	4ea90380ad	bicep/matrix: use synapse package from stable It's fixed now	2023-12-16 00:22:02 +01:00
Daniel Olsen	bcd5292f78	update flake.lock	2023-12-13 20:02:09 +01:00
Felix Albrigtsen	1ab1b3a84e	Merge pull request 'Buskerud: Comment out openvpn-client' (#23 ) from buskerud-no-vpn into main Reviewed-on: Drift/pvv-nixos-config#23	2023-12-12 18:09:31 +01:00
Felix Albrigtsen	80ef1ce4fa	Buskerud: Remove OV-link, general cleanup	2023-12-12 15:27:20 +01:00
Felix Albrigtsen	2b834eee14	Buskerud: Comment out openvpn-client	2023-12-12 11:39:33 +01:00
Daniel Lovbrotte Olsen	9ed2ca8883	Merge pull request 'Update users/jonmro.nix' (#21 ) from jonmro/pvv-nixos-config:main into main Reviewed-on: Drift/pvv-nixos-config#21	2023-12-10 05:46:20 +01:00
Daniel Lovbrotte Olsen	fe12e5441a	Merge pull request '🎉 nixpkgs 23.11' (#20 ) from upgrade-to-nixpkgs-23-11 into main Reviewed-on: Drift/pvv-nixos-config#20	2023-12-10 05:43:01 +01:00
Daniel Olsen	2b305678df	update flake.lock	2023-12-10 05:41:45 +01:00
Daniel Olsen	dd8b677a79	buskerud: bootloader - 3.3TB, OS - 256GB 👍	2023-12-10 05:27:58 +01:00
Daniel Olsen	eabd8df3d8	bicep/matrix: use package with fixed pythonEnv	2023-12-10 04:32:26 +01:00
Eirik Wittersø	8a0ebe761e	Add user eirikwit	2023-12-10 02:00:18 +01:00
Jon Martinus Rodtang	0c816068fe	Update users/jonmro.nix Added "drift" "nix-builder-users" groups	2023-12-10 00:25:04 +01:00
h7x4	0b5e03471f	upgrade to nixpkgs 23.11	2023-12-05 00:36:09 +01:00
Daniel Lovbrotte Olsen	d8031ecca1	Merge pull request 'replace-knakelibrak-nginx-reverse-proxy' (#18 ) from replace-knakelibrak-nginx-reverse-proxy into main Reviewed-on: Drift/pvv-nixos-config#18	2023-12-03 07:01:13 +01:00
Daniel Olsen	28e3f5672c	pin matrix-synapse-next module to last one compatible with 23.05 When we upgrade we can go back to tracking master	2023-12-02 10:05:27 +01:00
h7x4	8ced91a285	hosts/buskerud: init Co-authored-by: Felix Albrigtsen <felix@albrigtsen.it>	2023-11-30 19:42:05 +01:00
Daniel Olsen	1ef033c754	bekkalokk/ingress: proxy matrix well-known files to bicep	2023-11-28 10:24:18 +01:00
Felix Albrigtsen	d900dc1b1b	Redirect subpages like ./well-known, add @-domains	2023-11-28 10:24:18 +01:00
h7x4	d5985e02f3	Prepare to replace knakelibrak Co-authored-by: Felix Albrigtsen <felix@albrigtsen.it>	2023-11-28 10:23:02 +01:00
Daniel Olsen	2c42b120a6	Merge branch 'extend_smtp'	2023-11-28 08:39:15 +01:00
Daniel Olsen	27ba3f7a7f	bicep/matrix: serve server well-known	2023-11-28 08:36:56 +01:00
Daniel Olsen	c1c58122ea	bicep/matrix: Improve flexibility of username login It should be possible to log in with @username:pvv.ntnu.no now That way client well-known in third party clients will work it might also fix the weird logout of session issues in element	2023-11-28 05:14:04 +01:00
h7x4	7ac960c5ff	users/oysteikt: add to nix-builder-users	2023-11-26 07:22:12 +01:00
Oystein Kristoffer Tveit	54a54ad0f5	Merge pull request 'Roundcube testing on bekkalokk now working.' (#14 ) from roundcube into main Reviewed-on: https://bekkalokk.pvv.ntnu.no/Drift/pvv-nixos-config/pulls/14	2023-11-26 05:17:28 +01:00
Oystein Kristoffer Tveit	f7e892fad9	Merge pull request 'Added user jonmro' (#17 ) from jonmro-user into main Reviewed-on: https://bekkalokk.pvv.ntnu.no/Drift/pvv-nixos-config/pulls/17	2023-11-26 05:07:22 +01:00
h7x4	2a1e649eed	bekkalokk: fix roundcube, and move to webmail2.pvv.ntnu.no/roundcube	2023-11-26 05:05:15 +01:00
Daniel Olsen	d7638138ed	brzeczyszczykiewicz: add bokhylle as alias for the grzegorz service	2023-11-26 02:36:23 +01:00
Adrian Gunnar Lauterer	c8d383c9ab	bekkalokk-roundcube init at roundcube.pvv.ntnu.no	2023-11-25 21:23:06 +01:00
Jon Martinus Rodtang	c807d6ec2b	Added user jonmro	2023-11-24 18:46:14 +01:00
Daniel Olsen	42c1803c9b	clean up flake input function parameters We dont need thelse seldomly used things in the main function call	2023-11-05 10:54:50 +01:00
Daniel Olsen	c4df999058	bob: init Cool beeg nix builder for now anyways	2023-11-05 06:06:57 +01:00
h7x4	3caa66fb64	rename input: unstable -> nixpkgs-unstable	2023-11-05 01:22:48 +01:00
Daniel Olsen	b458801f95	Revert "bekkalokk: add wackattack ctf systemd service" CTF is over This reverts commit `fa843c4a59`.	2023-10-30 09:03:27 +01:00
Daniel Olsen	1a683d2a92	shell: add openstack resources	2023-10-30 09:02:09 +01:00
h7x4	fa843c4a59	bekkalokk: add wackattack ctf systemd service	2023-10-26 22:10:30 +02:00
Daniel Olsen	e07945d49c	bicep/matrix: enable sliding sync	2023-10-22 02:33:40 +02:00
Daniel Olsen	32885891fe	bicep/matrix: enable smtp auth yolo lmao	2023-10-22 01:59:25 +02:00
Daniel Olsen	a6196e67fe	workflows/eval: init - evaluate flake in gitea actions Building doesnt work without the sandbox	2023-10-19 23:20:51 +02:00
Daniel Olsen	7a0946fb1c	update flake.lock	2023-10-19 19:55:52 +02:00
Daniel Olsen	05cac3cb93	make packages for each system derivation Makes it easier to test build each machine also makes nom go brr	2023-10-19 18:40:24 +02:00
Daniel Olsen	b8f6aa2f62	clean up unused packages	2023-10-19 18:38:16 +02:00
Daniel Olsen	9b44087693	bekkalokk/gitea: make import user script run by default Systemd stuff are generally turned on by default but need to be wanted Much like me	2023-10-14 22:47:56 +02:00
Daniel Olsen	59008d213c	update flake.lock	2023-10-14 22:47:56 +02:00
h7x4	4fc7a16909	resolve an ipv6-space bruh moment	2023-10-10 17:14:57 +02:00
Adrian Gunnar Lauterer	1e841e0397	Merge pull request 'added adriangl to users' (#13 ) from adriangl-add-user into main Reviewed-on: Drift/pvv-nixos-config#13	2023-10-05 19:01:58 +02:00
Adrian Gunnar Lauterer	6e2876f67f	added adriangl to users	2023-10-05 18:56:38 +02:00
Daniel Olsen	6fd71598cb	update flake.lock updates the matrix flake to enable sliding sync	2023-09-24 04:42:31 +02:00
Daniel Olsen	be341622fe	georg: init	2023-09-17 04:57:30 +02:00
Daniel Olsen	87a7b17b49	brzeczyszczykiewicz: init	2023-09-17 04:57:30 +02:00