Move bekkalokk files, configure gitea

slightly less stupid this time

.sops.yaml

@@ -1,33 +1,51 @@
 keys:
+  # Users
   - &user_danio age17tagmpwqjk3mdy45rfesrfey6h863x8wfq38wh33tkrlrywxducs0k6tpq
   - &user_felixalb age1mrnldl334l2nszuta6ywvewng0fswv2dz9l5g4qcwe3nj4yxf92qjskdx6
   - &user_oysteikt F7D37890228A907440E1FD4846B9228E814A2AAC
-  - &host_jokum age1n4vc3dhv8puqz6ntwrkkpdfj0q002hexqee48wzahll8cmce2ezssrq608
+
+  # Hosts
+  - &host_jokum age1gp8ye4g2mmw3may5xg0zsy7mm04glfz3788mmdx9cvcsdxs9hg0s0cc9kt
   - &host_ildkule age1hn45n46ypyrvypv0mwfnpt9ddrlmw34dwlpf33n8v67jexr3lucq6ahc9x
+  - &host_bekkalokk age13t2nnr6yukmtda6wn2uggfcj0dmwce8347y8w6xzt4yje6wlgscqnahuqm
+  - &host_bicep age1sl43gc9cw939z5tgha2lpwf0xxxgcnlw7w4xem4sqgmt2pt264vq0dmwx2
+
 creation_rules:
   # Global secrets
   - path_regex: secrets/[^/]+\.yaml$
     key_groups:
     - age:
-      - *user_danio
       - *host_jokum
+      - *user_danio
+      - *user_felixalb
       pgp:
       - *user_oysteikt
+
   # Host specific secrets
-  ## Jokum
+  
+  - path_regex: secrets/bekkalokk/[^/]+\.yaml$
+    key_groups:
+    - age:
+      - *host_bekkalokk
+      - *user_danio
+      - *user_felixalb
+      pgp:
+      - *user_oysteikt
+
   - path_regex: secrets/jokum/[^/]+\.yaml$
     key_groups:
     - age:
-      - *user_danio
       - *host_jokum
+      - *user_danio
+      - *user_felixalb
       pgp:
       - *user_oysteikt
 
   - path_regex: secrets/ildkule/[^/]+\.yaml$
     key_groups:
     - age:
-      - *user_felixalb
-      - *user_danio
       - *host_ildkule
+      - *user_danio
+      - *user_felixalb
       pgp:
       - *user_oysteikt

README.MD

@@ -16,7 +16,7 @@ Det er sikkert lurt å lage en PR først om du ikke er vandt til nix enda.
 Innen 24h skal alle systemene hente ned den nye konfigurasjonen og deploye den.
 
 Du kan tvinge en maskin til å oppdatere seg før dette ved å kjøre:
-`nixos-rebuild switch --update-input nixpkgs --update-input unstable --no-write-lock-file --flake git+https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git --upgrade`
+`nixos-rebuild switch --update-input nixpkgs --update-input unstable --no-write-lock-file --refresh --flake git+https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git --upgrade`
 
 som root på maskinen.
 
@@ -37,3 +37,11 @@ for å få tilgang til å lese/skrive hemmeligheter må du spørre noen/noe som
 om å legge til age eller pgp nøkkelen din i [`.sops.yaml`](https://git.pvv.ntnu.no/Drift/pvv-nixos-config/src/main/.sops.yaml)
 
 Denne kan du generere fra ssh-nøkkelene dine eller lage en egen nøkkel.
+
+### Legge til flere keys
+
+Gjør det som gir mening i .sops.yml
+
+Etter det kjør `sops updatekeys secrets/host/file.yml`
+
+MERK at det ikke er `sops -r` som BARE roterer nøkklene for de som allerede er i secretfila

base.nix

@@ -1,4 +1,4 @@
-{ config, pkgs, inputs, ... }:
+{ config, lib, pkgs, inputs, values, ... }:
 
 {
   imports = [
@@ -7,10 +7,15 @@
 
   networking.domain = "pvv.ntnu.no";
   networking.useDHCP = false;
-  networking.search = [ "pvv.ntnu.no" "pvv.org" ];
+  # networking.search = [ "pvv.ntnu.no" "pvv.org" ];
+  # networking.nameservers = lib.mkDefault [ "129.241.0.200" "129.241.0.201" ];
+  # networking.tempAddresses = lib.mkDefault "disabled";
+  # networking.defaultGateway = values.hosts.gateway;
 
+  systemd.network.enable = true;
+  
   services.resolved = {
-    enable = true;
+    enable = lib.mkDefault true;
     dnssec = "false"; # Supposdly this keeps breaking and the default is to allow downgrades anyways...
   };
 
@@ -50,8 +55,11 @@
   environment.systemPackages = with pkgs; [
     file
     git
+    gnupg
     htop
     nano
+    rsync
+    screen
     tmux
     vim
     wget

flake.lock

@@ -1,28 +1,30 @@
 {
   "nodes": {
     "matrix-next": {
+      "inputs": {
+        "nixpkgs-lib": "nixpkgs-lib"
+      },
       "locked": {
-        "lastModified": 1671009204,
-        "narHash": "sha256-gqA9po/KmHyh44XYqv/LfFJ1+MGufhaaD6DhDqBeaF8=",
+        "lastModified": 1676674799,
+        "narHash": "sha256-NaZWOgNrco5OT0J5VrWg02SCkKz8RV1sxRjh0/MWMEc=",
         "owner": "dali99",
         "repo": "nixos-matrix-modules",
-        "rev": "43dbc17526576cb8e0980cef51c48b6598f97550",
+        "rev": "362496f4aacb680406db3fad36f98d38e8285b30",
         "type": "github"
       },
       "original": {
         "owner": "dali99",
-        "ref": "flake-experiments",
         "repo": "nixos-matrix-modules",
         "type": "github"
       }
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1670946965,
-        "narHash": "sha256-PDJfKgK/aSV3ISnD1TbKpLPW85LO/AQI73yQjbwribA=",
+        "lastModified": 1680879128,
+        "narHash": "sha256-ISFCCZ3/Dw5WK/6kFKwqA6gIEaOjqU/5NoB6Vge87sE=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "265caf30fa0a5148395b62777389b57eb0a537fd",
+        "rev": "fa98075869eb8264052548dde5c2ce9e68cf4cf1",
         "type": "github"
       },
       "original": {
@@ -32,13 +34,28 @@
         "type": "github"
       }
     },
+    "nixpkgs-lib": {
+      "locked": {
+        "lastModified": 1673743903,
+        "narHash": "sha256-sloY6KYyVOozJ1CkbgJPpZ99TKIjIvM+04V48C04sMQ=",
+        "owner": "nix-community",
+        "repo": "nixpkgs.lib",
+        "rev": "7555e2dfcbac1533f047021f1744ac8871150f9f",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "nixpkgs.lib",
+        "type": "github"
+      }
+    },
     "nixpkgs-stable": {
       "locked": {
-        "lastModified": 1670146390,
-        "narHash": "sha256-XrEoDpuloRHHbUkbPnhF2bQ0uwHllXq3NHxtuVe/QK4=",
+        "lastModified": 1680390120,
+        "narHash": "sha256-RyDJcG/7mfimadlo8vO0QjW22mvYH1+cCqMuigUntr8=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "86370507cb20c905800527539fc049a2bf09c667",
+        "rev": "c1e2efaca8d8a3db6a36f652765d6c6ba7bb8fae",
         "type": "github"
       },
       "original": {
@@ -64,11 +81,11 @@
         "nixpkgs-stable": "nixpkgs-stable"
       },
       "locked": {
-        "lastModified": 1670149631,
-        "narHash": "sha256-rwmtlxx45PvOeZNP51wql/cWjY3rqzIR3Oj2Y+V7jM0=",
+        "lastModified": 1680404136,
+        "narHash": "sha256-06D8HJmRv4DdpEQGblMhx2Vm81SBWM61XBBIx7QQfo0=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "da98a111623101c64474a14983d83dad8f09f93d",
+        "rev": "b93eb910f768f9788737bfed596a598557e5625d",
         "type": "github"
       },
       "original": {
@@ -79,11 +96,11 @@
     },
     "unstable": {
       "locked": {
-        "lastModified": 1670918062,
-        "narHash": "sha256-iOhkyBYUU9Jfkk0lvI4ahpjyrTsLXj9uyJWwmjKg+gg=",
+        "lastModified": 1680882415,
+        "narHash": "sha256-trt2pwLDu1+kEtp3bx2DiYgg8CFWNbes+ujdAtSBO/U=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "84575b0bd882be979516f4fecfe4d7c8de8f6a92",
+        "rev": "cd07e0258cf73e1bcbd0c9abc5513baa091ee801",
         "type": "github"
       },
       "original": {

flake.nix

@@ -8,10 +8,10 @@
     sops-nix.url = "github:Mic92/sops-nix";
     sops-nix.inputs.nixpkgs.follows = "nixpkgs";
 
-    matrix-next.url = "github:dali99/nixos-matrix-modules/flake-experiments";
+    matrix-next.url = "github:dali99/nixos-matrix-modules";
   };
 
-  outputs = { self, nixpkgs, unstable, sops-nix, ... }@inputs: 
+  outputs = { self, nixpkgs, matrix-next, unstable, sops-nix, ... }@inputs: 
   let
     systems = [
       "x86_64-linux"
@@ -19,26 +19,32 @@
     ];
     forAllSystems = f: nixpkgs.lib.genAttrs systems (system: f system);
   in {
-    nixosConfigurations = {
-      jokum = nixpkgs.lib.nixosSystem {
-        system = "x86_64-linux";
-        specialArgs = { inherit unstable inputs; };
-        modules = [
-          ./hosts/jokum/configuration.nix
-          sops-nix.nixosModules.sops
+    nixosConfigurations = let
+      nixosConfig = name: config: nixpkgs.lib.nixosSystem (nixpkgs.lib.recursiveUpdate
+        config
+        rec {
+          system = "x86_64-linux";
+          specialArgs = {
+            inherit unstable inputs;
+            values = import ./values.nix;
+          };
+          modules = [
+            ./hosts/${name}/configuration.nix
+            sops-nix.nixosModules.sops
+            matrix-next.nixosModules.synapse
+          ];
+        });
 
-          inputs.matrix-next.nixosModules.synapse
-        ];
-      };
-      ildkule = nixpkgs.lib.nixosSystem {
-        system = "x86_64-linux";
-        specialArgs = { inherit unstable inputs; };
-        modules = [
-          ./hosts/ildkule/configuration.nix
-          sops-nix.nixosModules.sops
-        ];
+    in {
+      bicep = nixosConfig "bicep" { };
+      bekkalokk = nixosConfig "bekkalokk" { };
+      greddost = nixosConfig "greddost" { };
+      ildkule = nixosConfig "ildkule" { };
+      jokum = nixosConfig "jokum" {
+        modules = [ matrix-next.nixosModules.synapse ];
       };
     };
+
     devShells = forAllSystems (system: {
       default = nixpkgs.legacyPackages.${system}.callPackage ./shell.nix { };
     });

hosts/bekkalokk/configuration.nix

@@ -0,0 +1,33 @@
+{ pkgs, values, ... }:
+{
+  imports = [
+    ./hardware-configuration.nix
+
+    ../../base.nix
+
+    # TODO: set up authentication for the following:
+    # ./services/website.nix
+    ./services/nginx.nix
+    ./services/gitea.nix
+    # ./services/mediawiki.nix
+  ];
+
+  sops.defaultSopsFile = ../../secrets/bekkalokk/bekkalokk.yaml;
+  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+  sops.age.keyFile = "/var/lib/sops-nix/key.txt";
+  sops.age.generateKey = true;
+
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+
+  networking.hostName = "bekkalokk";
+
+  systemd.network.networks."30-ens33" = values.defaultNetworkConfig // {
+    matchConfig.Name = "ens33";
+    address = with values.hosts.bekkalokk; [ (ipv4 + "/25") (ipv6 + "/64") ];
+  };
+
+  # Do not change, even during upgrades.
+  # See https://search.nixos.org/options?show=system.stateVersion
+  system.stateVersion = "22.11";
+}

hosts/bekkalokk/hardware-configuration.nix

@@ -0,0 +1,37 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports = [ ];
+
+  boot.initrd.availableKernelModules = [ "ata_piix" "mptspi" "uhci_hcd" "ehci_pci" "sd_mod" "sr_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/cdcafe3a-01d8-4bdf-9a3d-78705b581090";
+      fsType = "ext4";
+    };
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/1CB4-280D";
+      fsType = "vfat";
+    };
+
+  swapDevices =
+    [ { device = "/dev/disk/by-uuid/3eaace48-91ec-4d46-be86-fd26877d8b86"; }
+    ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.ens33.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}

hosts/bekkalokk/services/gitea.nix

@@ -0,0 +1,57 @@
+{ config, values, pkgs, ... }:
+let
+  cfg = config.services.gitea;
+in {
+  sops.secrets."gitea/dbpassword" = { };
+
+  services.gitea = {
+    enable = true;
+    user = "git";
+    rootUrl = "https://gitea.pvv.ntnu.no/";
+    stateDir = "/data/gitea";
+    appName = "PVV Git";
+
+    enableUnixSocket = true;
+
+    database = {
+      type = "postgres";
+      host = values.hosts.bicep.ipv4;
+      port = 5432;
+      passwordFile = config.sops.secrets."gitea/dbpassword".path;
+      createDatabase = false;
+    };
+
+    settings = {
+      service.DISABLE_REGISTRATION = true;
+      session.COOKIE_SECURE = true;
+    };
+  };
+
+  services.nginx.virtualHosts = {
+    "gitea.pvv.ntnu.no" = {
+      forceSSL = true;
+      enableACME = true;
+      locations."/" = {
+        proxyPass = "http://unix:/run/gitea/gitea.sock";
+        proxyWebsockets = true;
+        recommendedProxySettings = true;
+      };
+    };
+
+    "git2.pvv.ntnu.no" = {
+      globalRedirect = "gitea.pvv.ntnu.no";
+    };
+  };
+
+  users.users.git = {
+    description = "Gitea service";
+    home = cfg.stateDir;
+    #useDefaultShell = true;
+
+    group = "gitea";
+    isSystemUser = true;
+    #uid = config.ids.uids.git;
+    packages = [ pkgs.gitea ];
+  };
+
+}

hosts/bekkalokk/services/mediawiki.nix

@@ -0,0 +1,23 @@
+{ values, config, ... }:
+{
+  sops.secrets = {
+    "mediawiki/password" = { };
+    "postgres/mediawiki/password" = { };
+  };
+
+  services.mediawiki = {
+    enable = true;
+    name = "PVV";
+    passwordFile = config.sops.secrets."mediawiki/password".path;
+
+    virtualHost = {
+    };
+
+    database = {
+      type = "postgres";
+      host = values.bicep.ipv4;
+      port = config.services.postgresql.port;
+      passwordFile = config.sops.secrets."postgres/mediawiki/password".path;
+    };
+  };
+}

hosts/bekkalokk/services/metrics/loki.nix

@@ -0,0 +1,4 @@
+{ ... }:
+{
+
+}

hosts/bekkalokk/services/metrics/prometheus.nix

@@ -0,0 +1,4 @@
+{ ... }:
+{
+
+}

hosts/bekkalokk/services/nginx.nix

@@ -0,0 +1,28 @@
+{ config, ... }:
+{
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = "danio@pvv.ntnu.no";
+  };
+
+  services.nginx = {
+    enable = true;
+
+    recommendedTlsSettings = true;
+    recommendedProxySettings = true;
+    recommendedOptimisation = true;
+    recommendedGzipSettings = true;
+
+    # virtualHosts = {
+    #   "www.pvv.ntnu.no" = {
+    #     forceSSL = true;
+
+    #     locations = {
+    #       "/pvv" = {
+    #         proxyPass = "http://localhost:${config.services.mediawiki.virtualHost.listen.pvv.port}";
+    #       };
+    #     };
+    #   };
+    # };
+  };
+}

hosts/bekkalokk/services/website.nix

@@ -0,0 +1,4 @@
+{ ... }:
+{
+
+}

hosts/bicep/configuration.nix

@@ -0,0 +1,35 @@
+{ pkgs, values, ... }:
+{
+  imports = [
+    ./hardware-configuration.nix
+
+    ../../base.nix
+
+    ./services/postgres.nix
+    ./services/jokum.nix
+  ];
+
+  sops.defaultSopsFile = ../../secrets/bicep/bicep.yaml;
+  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+  sops.age.keyFile = "/var/lib/sops-nix/key.txt";
+  sops.age.generateKey = true;
+
+  boot.loader.grub.enable = true;
+  boot.loader.grub.version = 2;
+  boot.loader.grub.device = "/dev/disk/by-id/scsi-3600508b1001cb1a8751c137b30610682";
+
+  networking.hostName = "bicep";
+
+  systemd.network.networks."30-enp6s0f0" = values.defaultNetworkConfig // {
+    matchConfig.Name = "enp6s0f0";
+    address = with values.hosts.bicep; [ (ipv4 + "/25") (ipv6 + "/64") ];
+  };
+  systemd.network.wait-online = {
+    ignoredInterfaces = [ "enp6s0f1" ];
+    anyInterface = true;
+  };
+
+  # Do not change, even during upgrades.
+  # See https://search.nixos.org/options?show=system.stateVersion
+  system.stateVersion = "22.11";
+}

hosts/bicep/hardware-configuration.nix

@@ -0,0 +1,40 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "uhci_hcd" "ehci_pci" "hpsa" "ohci_pci" "usbhid" "sd_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/31a67903-dc00-448a-a24a-36e820318fe5";
+      fsType = "ext4";
+    };
+
+  fileSystems."/data" =
+    { device = "/dev/disk/by-uuid/79e93eed-ad95-45c9-b115-4ef92afcc8c0";
+      fsType = "f2fs";
+    };
+
+  swapDevices = [ ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp6s0f0.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp6s0f1.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp6s0f2.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp6s0f3.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}

hosts/bicep/services/jokum.nix

@@ -0,0 +1,51 @@
+{config, lib, pkgs, inputs, values, ...}:
+
+{
+  # lfmao
+  containers.jokum = {
+    autoStart = true;
+    # wtf
+    #path = inputs.self.nixosConfigurations.jokum.config.system.build.toplevel;
+    interfaces = [ "enp6s0f1" ];
+    bindMounts = {
+      "/data" = { hostPath = "/data/jokum"; isReadOnly = false; };
+    };
+    config = {config, pkgs, ...}: let
+      inherit values inputs;
+    in {
+      imports = [
+        inputs.sops-nix.nixosModules.sops
+        inputs.matrix-next.nixosModules.synapse
+
+        ../../jokum/services/matrix
+        ../../jokum/services/nginx
+      ];
+
+      _module.args = {
+        inherit values inputs;
+      };
+
+      sops.defaultSopsFile = ../../../secrets/jokum/jokum.yaml;
+      sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+      sops.age.keyFile = "/var/lib/sops-nix/key.txt";
+      sops.age.generateKey = true;
+
+      services.openssh = {
+        enable = true;
+        permitRootLogin = "yes";
+      };
+
+      systemd.network.enable = true;
+
+      networking.useHostResolvConf = false;
+
+      systemd.network.networks."30-enp6s0f1" = values.defaultNetworkConfig // {
+        matchConfig.Name = "enp6s0f1";
+        address = with values.hosts.jokum; [ (ipv4 + "/25") (ipv6 + "/64") ]
+          ++ (with values.services.turn; [ (ipv4 + "/25") (ipv6 + "/64") ]);
+      };
+
+      system.stateVersion = "21.05";
+    };
+  };
+}

hosts/bicep/services/postgres.nix

@@ -0,0 +1,75 @@
+{ pkgs, ... }:
+{
+  services.postgresql = {
+    enable = true;
+    package = pkgs.postgresql_15;
+    enableTCPIP = true;
+
+    dataDir = "/data/postgresql";
+
+    authentication = ''
+      host all all 129.241.210.128/25 md5
+      host all all 2001:700:300:1900::/64 md5
+    '';
+
+    # Hilsen https://pgconfigurator.cybertec-postgresql.com/
+    settings = {
+      # Connectivity
+      max_connections = 500;
+      superuser_reserved_connections = 3;
+
+      # Memory Settings
+      shared_buffers = "2048 MB";
+      work_mem = "32 MB";
+      maintenance_work_mem = "320 MB";
+      effective_cache_size = "6 GB";
+      effective_io_concurrency = 100;
+      random_page_cost = 1.25;
+
+      # Monitoring
+      shared_preload_libraries = "pg_stat_statements";
+      track_io_timing = true;
+      track_functions = "pl";
+
+      # Replication
+      wal_level = "replica";
+      max_wal_senders = 0;
+      synchronous_commit = false;
+
+      # Checkpointing:
+      checkpoint_timeout = "15 min";
+      checkpoint_completion_target = 0.9;
+      max_wal_size = "1024 MB";
+      min_wal_size = "512 MB";
+
+      # WAL writing
+      wal_compression = true;
+      wal_buffers = -1;
+
+      # Background writer
+      bgwriter_delay = "200ms";
+      bgwriter_lru_maxpages = 100;
+      bgwriter_lru_multiplier = 2.0;
+      bgwriter_flush_after = 0;
+
+      # Parallel queries:
+      max_worker_processes = 8;
+      max_parallel_workers_per_gather = 4;
+      max_parallel_maintenance_workers = 4;
+      max_parallel_workers = 8;
+      parallel_leader_participation = true;
+
+      # Advanced features
+      enable_partitionwise_join = true;
+      enable_partitionwise_aggregate = true;
+      jit = true;
+      max_slot_wal_keep_size = "1000 MB";
+      track_wal_io_timing = true;
+      maintenance_io_concurrency = 100;
+      wal_recycle = true;
+    };
+  };
+
+  networking.firewall.allowedTCPPorts = [ 5432 ];
+  networking.firewall.allowedUDPPorts = [ 5432 ];
+}

hosts/ildkule/configuration.nix

@@ -1,4 +1,4 @@
-{ config, pkgs, ... }:
+{ config, pkgs, values, ... }:
 {
   imports = [
       # Include the results of the hardware scan.
@@ -20,26 +20,10 @@
 
   networking.hostName = "ildkule"; # Define your hostname.
 
-  networking.interfaces.ens18.useDHCP = false;
-
-  networking.defaultGateway = "129.241.210.129";
-  networking.interfaces.ens18.ipv4 = {
-    addresses = [
-      {
-        address = "129.241.210.187";
-        prefixLength = 25;
-      }
-    ];
+  systemd.network.networks."30-ens18" = values.defaultNetworkConfig // {
+    matchConfig.Name = "ens18";
+    address = with values.hosts.ildkule; [ (ipv4 + "/25") (ipv6 + "/64") ];
   };
-  networking.interfaces.ens18.ipv6 = {
-    addresses = [
-      {
-        address = "2001:700:300:1900::187";
-        prefixLength = 64;
-      }
-    ];
-  };
-  networking.nameservers = [ "129.241.0.200" "129.241.0.201" ];
 
   # List packages installed in system profile
   environment.systemPackages = with pkgs; [

hosts/ildkule/services/metrics/default.nix

@@ -2,7 +2,7 @@
 
 {
   imports = [
-    ./prometheus.nix
+    ./prometheus
     ./grafana.nix
     ./loki.nix
   ];

hosts/ildkule/services/metrics/grafana.nix

@@ -1,15 +1,41 @@
-{ config, pkgs, ... }:
-
-let
+{ config, pkgs, values, ... }: let
   cfg = config.services.grafana;
 in {
+  sops.secrets = let
+    owner = "grafana";
+    group = "grafana";
+  in {
+    "keys/grafana/secret_key" = { inherit owner group; };
+    "keys/grafana/admin_password" = { inherit owner group; };
+    "keys/postgres/grafana" = { inherit owner group; };
+  };
+
   services.grafana = {
     enable = true;
-    settings.server = {
-      domain = "ildkule.pvv.ntnu.no";
-      http_port = 2342;
-      http_addr = "127.0.0.1";
+
+    settings = let
+      # See https://grafana.com/docs/grafana/latest/setup-grafana/configure-grafana/#file-provider
+      secretFile = path: "$__file{${path}}";
+    in {
+      server = {
+        domain = "ildkule.pvv.ntnu.no";
+        http_port = 2342;
+        http_addr = "127.0.0.1";
+      };
+
+      security = {
+        secret_key = secretFile config.sops.secrets."keys/grafana/secret_key".path;
+        admin_password = secretFile config.sops.secrets."keys/grafana/admin_password".path;
+      };
+
+      database = {
+        type = "postgres";
+        user = "grafana";
+        host = "${values.hosts.bicep.ipv4}:5432";
+        password = secretFile config.sops.secrets."keys/postgres/grafana".path;
+      };
     };
+
     provision = {
       enable = true;
       datasources.settings.datasources = [
@@ -38,6 +64,18 @@ in {
           url = "https://raw.githubusercontent.com/matrix-org/synapse/develop/contrib/grafana/synapse.json";
           options.path = dashboards/synapse.json;
         }
+        {
+          name = "Postgresql";
+          type = "file";
+          url = "https://grafana.com/api/dashboards/9628/revisions/7/download";
+          options.path = dashboards/postgres.json;
+        }
+        {
+          name = "Go Processes (gogs)";
+          type = "file";
+          url = "https://grafana.com/api/dashboards/240/revisions/3/download";
+          options.path = dashboards/go-processes.json;
+        }
       ];
 
     };

hosts/ildkule/services/metrics/prometheus.nix

@@ -1,76 +0,0 @@
-{ config, pkgs, ... }:
-
-let
-  cfg = config.services.prometheus;
-in {
-  services.prometheus = {
-    enable = true;
-    listenAddress = "127.0.0.1";
-    port = 9001;
-
-    scrapeConfigs = [
-      {
-        job_name = "node";
-        static_configs = [
-          {
-            targets = [
-              "ildkule.pvv.ntnu.no:${toString cfg.exporters.node.port}"
-              "microbel.pvv.ntnu.no:9100"
-              "isvegg.pvv.ntnu.no:9100"
-              "knakelibrak.pvv.ntnu.no:9100"
-            ];
-          }
-        ];
-      }
-      {
-        job_name = "exim";
-        scrape_interval = "60s";
-        static_configs = [
-          {
-            targets = [
-              "microbel.pvv.ntnu.no:9636"
-            ];
-          }
-        ];
-      }
-      {
-        job_name = "synapse";
-        scrape_interval = "15s";
-        scheme = "https";
-        http_sd_configs = [
-          {
-            url = "https://matrix.pvv.ntnu.no/metrics/config.json";
-          }
-        ];
-        relabel_configs = [
-          {
-            source_labels = [ "__address__" ];
-            regex = "[^/]+(/.*)";
-            target_label = "__metrics_path__";
-          }
-          {
-            source_labels = [ "__address__" ];
-            regex = "([^/]+)/.*";
-            target_label = "instance";
-          }
-          {
-            source_labels = [ "__address__" ];
-            regex = "[^/]+\\/+[^/]+/(.*)/\\d+$";
-            target_label = "job";
-          }
-          {
-            source_labels = [ "__address__" ];
-            regex = "[^/]+\\/+[^/]+/.*/(\\d+)$";
-            target_label = "index";
-          }
-          {
-            source_labels = [ "__address__" ];
-            regex = "([^/]+)/.*";
-            target_label = "__address__";
-          }
-        ];
-      }
-    ];
-    ruleFiles = [ rules/synapse-v2.rules ];
-  };
-}

hosts/ildkule/services/metrics/prometheus/default.nix

@@ -0,0 +1,16 @@
+{ config, ... }: {
+  imports = [
+    ./node.nix
+    ./matrix-synapse.nix
+    ./postgres.nix
+    ./gogs.nix
+  ];
+
+  services.prometheus = {
+    enable = true;
+    listenAddress = "127.0.0.1";
+    port = 9001;
+
+    ruleFiles = [ rules/synapse-v2.rules ];
+  };
+}

hosts/ildkule/services/metrics/prometheus/gogs.nix

@@ -0,0 +1,16 @@
+{ config, ... }: let
+  cfg = config.services.prometheus;
+in {
+  services.prometheus.scrapeConfigs = [{
+    job_name = "git-gogs";
+    scheme = "https";
+    metrics_path = "/-/metrics";
+    static_configs = [
+      {
+        targets = [
+          "essendrop.pvv.ntnu.no:443"
+        ];
+      }
+    ];
+  }];
+}

hosts/ildkule/services/metrics/prometheus/matrix-synapse.nix

@@ -0,0 +1,40 @@
+{ ... }:
+{
+  services.prometheus.scrapeConfigs = [{
+    job_name = "synapse";
+    scrape_interval = "15s";
+    scheme = "https";
+
+    http_sd_configs = [{
+      url = "https://matrix.pvv.ntnu.no/metrics/config.json";
+    }];
+
+    relabel_configs = [
+      {
+        source_labels = [ "__address__" ];
+        regex = "[^/]+(/.*)";
+        target_label = "__metrics_path__";
+      }
+      {
+        source_labels = [ "__address__" ];
+        regex = "([^/]+)/.*";
+        target_label = "instance";
+      }
+      {
+        source_labels = [ "__address__" ];
+        regex = "[^/]+\\/+[^/]+/(.*)/\\d+$";
+        target_label = "job";
+      }
+      {
+        source_labels = [ "__address__" ];
+        regex = "[^/]+\\/+[^/]+/.*/(\\d+)$";
+        target_label = "index";
+      }
+      {
+        source_labels = [ "__address__" ];
+        regex = "([^/]+)/.*";
+        target_label = "__address__";
+      }
+    ];
+  }];
+}

hosts/ildkule/services/metrics/prometheus/node.nix

@@ -0,0 +1,22 @@
+{ config, ... }: let
+  cfg = config.services.prometheus;
+in {
+  services.prometheus.scrapeConfigs = [{
+    job_name = "node";
+    static_configs = [
+      {
+        targets = [
+          "ildkule.pvv.ntnu.no:${toString cfg.exporters.node.port}"
+          "microbel.pvv.ntnu.no:9100"
+          "isvegg.pvv.ntnu.no:9100"
+          "knakelibrak.pvv.ntnu.no:9100"
+          "hildring.pvv.ntnu.no:9100"
+          "bicep.pvv.ntnu.no:9100"
+          "jokum.pvv.ntnu.no:9100"
+          "essendrop.pvv.ntnu.no:9100"
+          "andresbu.pvv.ntnu.no:9100"
+        ];
+      }
+    ];
+  }];
+}

hosts/ildkule/services/metrics/prometheus/postgres.nix

@@ -0,0 +1,51 @@
+{ pkgs, lib, config, values, ... }: let
+  cfg = config.services.prometheus;
+in {
+  sops.secrets = {
+    "keys/postgres/postgres_exporter_env" = {};
+    "keys/postgres/postgres_exporter_knakelibrak_env" = {};
+  };
+
+  services.prometheus = {
+    scrapeConfigs = [
+      {
+        job_name = "postgres";
+        scrape_interval = "15s";
+        static_configs = [{
+          targets = [ "localhost:${toString cfg.exporters.postgres.port}" ];
+          labels = {
+            server = "bicep";
+          };
+        }];
+      }
+      {
+        job_name = "postgres-knakelibrak";
+        scrape_interval = "15s";
+        static_configs = [{
+          targets = [ "localhost:${toString (cfg.exporters.postgres.port + 1)}" ];
+          labels = {
+            server = "knakelibrak";
+          };
+        }];
+      }
+    ];
+
+    exporters.postgres = {
+      enable = true;
+      extraFlags = [ "--auto-discover-databases" ];
+      environmentFile = config.sops.secrets."keys/postgres/postgres_exporter_env".path;
+    };
+  };
+
+  systemd.services.prometheus-postgres-exporter-knakelibrak.serviceConfig = let
+    localCfg = config.services.prometheus.exporters.postgres; 
+  in lib.recursiveUpdate config.systemd.services.prometheus-postgres-exporter.serviceConfig {
+      EnvironmentFile = config.sops.secrets."keys/postgres/postgres_exporter_knakelibrak_env".path;
+      ExecStart = ''
+        ${pkgs.prometheus-postgres-exporter}/bin/postgres_exporter \
+          --web.listen-address ${localCfg.listenAddress}:${toString (localCfg.port + 1)} \
+          --web.telemetry-path ${localCfg.telemetryPath} \
+          ${lib.concatStringsSep " \\\n  " localCfg.extraFlags}
+      '';
+    };
+}

hosts/ildkule/services/nginx/default.nix

@@ -1,7 +1,5 @@
-{config, ... }:
-
+{ config, values, ... }:
 {
-
   security.acme = {
     acceptTerms = true;
     defaults.email = "drift@pvv.ntnu.no";
@@ -10,6 +8,17 @@
   services.nginx = {
     enable = true;
 
+    enableReload = true;
+
+    defaultListenAddresses = [
+      values.hosts.ildkule.ipv4
+      "[${values.hosts.ildkule.ipv6}]"
+
+      "127.0.0.1"
+      "127.0.0.2"
+      "[::1]"
+    ];
+
     recommendedProxySettings = true;
     recommendedTlsSettings = true;
     recommendedGzipSettings = true;

hosts/jokum/configuration.nix

@@ -1,59 +1,31 @@
-{ config, pkgs, ... }:
+{ config, pkgs, values, ... }:
 {
   imports = [
-      # Include the results of the hardware scan.
-      ./hardware-configuration.nix
-
       ../../base.nix
-      # Users can just import any configuration they want even for non-user things. Improve the users/default.nix to just load some specific attributes if this isn't wanted
-
+#      ../../misc/metrics-exporters.nix
       ../../misc/rust-motd.nix
 
-      ./services/matrix
-      ./services/nginx
+#      ./services/matrix
+#      ./services/nginx
     ];
 
-  sops.defaultSopsFile = ../../secrets/jokum/jokum.yaml;
-  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
-  sops.age.keyFile = "/var/lib/sops-nix/key.txt";
-  sops.age.generateKey = true;
-  
+#  sops.defaultSopsFile = ../../secrets/jokum/jokum.yaml;
+#  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+#  sops.age.keyFile = "/var/lib/sops-nix/key.txt";
+#  sops.age.generateKey = true;
 
-  # Use the GRUB 2 boot loader.
-  boot.loader.grub.enable = true;
-  boot.loader.grub.version = 2;
-  boot.loader.grub.devices = [ "/dev/sda" ];
+  boot.kernel.enable = false;
+  boot.isContainer = true;
+  boot.loader.initScript.enable = true;
+  networking.useHostResolvConf = false;
 
   networking.hostName = "jokum"; # Define your hostname.
 
-  networking.interfaces.ens18.useDHCP = false;
-
-  networking.defaultGateway = "129.241.210.129";
-  networking.interfaces.ens18.ipv4 = {
-    addresses = [
-      {
-        address = "129.241.210.169";
-        prefixLength = 25;
-      }
-      {
-        address = "129.241.210.213";
-        prefixLength = 25;
-      }
-    ];
+  systemd.network.networks."30-enp6s0f1" = values.defaultNetworkConfig // {
+    matchConfig.Name = "ens10f1";
+    address = with values.hosts.jokum; [ (ipv4 + "/25") (ipv6 + "/64") ]
+      ++ (with values.services.turn; [ (ipv4 + "/25") (ipv6 + "/64") ]);
   };
-  networking.interfaces.ens18.ipv6 = {
-    addresses = [
-      {
-        address = "2001:700:300:1900::169";
-        prefixLength = 64;
-      }
-      {
-        address = "2001:700:300:1900::213";
-        prefixLength = 64;
-      }
-    ];
-  };
-  networking.nameservers = [ "129.241.0.200" "129.241.0.201" ];
 
   # List packages installed in system profile
   environment.systemPackages = with pkgs; [
@@ -68,5 +40,4 @@
   # Before changing this value read the documentation for this option
   # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
   system.stateVersion = "21.05"; # Did you read the comment?
-
 }

hosts/jokum/hardware-configuration.nix

@@ -1,29 +0,0 @@
-# Do not modify this file!  It was generated by ‘nixos-generate-config’
-# and may be overwritten by future invocations.  Please make changes
-# to /etc/nixos/configuration.nix instead.
-{ config, lib, pkgs, modulesPath, ... }:
-
-{
-  imports =
-    [ (modulesPath + "/profiles/qemu-guest.nix")
-    ];
-
-  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
-  boot.initrd.kernelModules = [ ];
-  boot.kernelModules = [ ];
-  boot.extraModulePackages = [ ];
-
-  fileSystems."/" =
-    { device = "/dev/disk/by-uuid/1a8bf91a-5948-40c2-a9fd-7a33e46fa441";
-      fsType = "ext4";
-    };
-
-  fileSystems."/data" =
-    { device = "/dev/disk/by-uuid/c812e204-b998-4ec5-9f26-29c5808ed6ba";
-      fsType = "ext4";
-    };
-
-  swapDevices = [ ];
-
-  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
-}

hosts/jokum/services/matrix/default.nix

@@ -7,6 +7,7 @@
     ./synapse-admin.nix
     ./element.nix
     ./coturn.nix
+    ./mjolnir.nix
 
     ./discord.nix
   ];

hosts/jokum/services/matrix/element.nix

@@ -1,6 +1,7 @@
 { config, lib, pkgs, ... }:
-
-{
+let
+  synapse-cfg = config.services.matrix-synapse-next;
+in {
   services.nginx.virtualHosts."chat.pvv.ntnu.no" = {
     enableACME = true;
     forceSSL = true;
@@ -41,7 +42,8 @@
         ];
         enable_presence_by_hs_url = {
           "https://matrix.org" = false;
-          "https://matrix.dodsorf.as" = false;
+          # "https://matrix.dodsorf.as" = false;
+          "${synapse-cfg.settings.public_baseurl}" = synapse-cfg.settings.presence.enabled;
         };
       };
     };

hosts/jokum/services/matrix/mjolnir.nix

@@ -0,0 +1,54 @@
+{ config, lib, ... }:
+
+{
+  sops.secrets."matrix/mjolnir/access_token" = {
+    owner = config.users.users.mjolnir.name;
+    group = config.users.users.mjolnir.group;
+  };
+
+  services.mjolnir = {
+    enable = true;
+    pantalaimon.enable = false;
+    homeserverUrl = http://127.0.0.1:8008;
+    accessTokenFile = config.sops.secrets."matrix/mjolnir/access_token".path;
+    managementRoom = "!gsdeCoWjvYRBrzuiRq:pvv.ntnu.no";
+    protectedRooms = map (a: "https://matrix.to/#/${a}") [
+      "#pvv:pvv.ntnu.no"
+      "#stand:pvv.ntnu.no"
+      "#music:pvv.ntnu.no"
+      "#arts-and-crafts:pvv.ntnu.no"
+      "#programming:pvv.ntnu.no"
+      "#talks-and-texts:pvv.ntnu.no"
+      "#job-offers:pvv.ntnu.no"
+      "#vaffling:pvv.ntnu.no"
+      "#pvv-fadder:pvv.ntnu.no"
+      "#offsite:pvv.ntnu.no"
+      "#help:pvv.ntnu.no"
+      "#garniske-algoritmer:pvv.ntnu.no"
+      "#bouldering:pvv.ntnu.no"
+      "#filmclub:pvv.ntnu.no"
+      "#video-games:pvv.ntnu.no"
+      "#board-games:pvv.ntnu.no"
+      "#tabletop-rpgs:pvv.ntnu.no"
+      "#anime:pvv.ntnu.no"
+      "#general:pvv.ntnu.no"
+      "#announcements:pvv.ntnu.no"
+      "#memes:pvv.ntnu.no"
+
+      "#drift:pvv.ntnu.no"
+      "#notifikasjoner:pvv.ntnu.no"
+      "#forespoersler:pvv.ntnu.no"
+      "#krisekanalen:pvv.ntnu.no"
+
+      "#styret:pvv.ntnu.no"
+    ];
+
+    settings = {
+      admin.enableMakeRoomAdminCommand = true;
+    };
+
+    # Module wants it even when not using pantalaimon
+    # TODO: Fix upstream module in nixpkgs
+    pantalaimon.username = "bot_admin";
+  };
+}

hosts/jokum/services/matrix/synapse.nix

@@ -1,8 +1,10 @@
-{ config, lib, pkgs, ... }:
+{ config, lib, pkgs, values, inputs, ... }:
 
 let
   cfg = config.services.matrix-synapse-next;
 
+  matrix-lib = inputs.matrix-next.lib;
+
   imap0Attrs = with lib; f: set:
     listToAttrs (imap0 (i: attr: nameValuePair attr (f i attr set.${attr})) (attrNames set));
 in {
@@ -16,22 +18,28 @@ in {
     group = config.users.users.matrix-synapse.group;
   };
 
+  sops.secrets."matrix/synapse/user_registration" = {
+    owner = config.users.users.matrix-synapse.name;
+    group = config.users.users.matrix-synapse.group;
+  };
+
   services.matrix-synapse-next = {
     enable = true;
 
     dataDir = "/data/synapse";
 
     workers.federationSenders = 2;
-    workers.federationReceivers = 1;
+    workers.federationReceivers = 2;
     workers.initialSyncers = 1;
     workers.normalSyncers = 1;
-    workers.eventPersisters = 1;
+    workers.eventPersisters = 2;
     workers.useUserDirectoryWorker = true;
 
     enableNginx = true;
 
     extraConfigFiles = [
       config.sops.secrets."matrix/synapse/dbconfig".path
+      config.sops.secrets."matrix/synapse/user_registration".path
     ];
 
     settings = {
@@ -42,6 +50,14 @@ in {
 
       media_store_path =  "${cfg.dataDir}/media";
 
+      presence.enabled = false;
+
+      caches = {
+        per_cache_factors = {
+          _event_auth_cache = 2.0;
+        };
+      };
+
       autocreate_auto_join_rooms = false;
       auto_join_rooms = [
         "#pvv:pvv.ntnu.no" # Main space
@@ -54,6 +70,7 @@ in {
       max_upload_size = "150M";
 
       enable_metrics = true;
+      mau_stats_only = true;
 
       enable_registration = false;
 
@@ -172,37 +189,38 @@ in {
   
   services.nginx.virtualHosts."matrix.pvv.ntnu.no" = lib.mkMerge [({
     locations = let
-      isListenerType = type: listener: lib.lists.any (r: lib.lists.any (n: n == type) r.names) listener.resources;
-      isMetricsListener = l: isListenerType "metrics" l;
-
-      firstMetricsListener = w: lib.lists.findFirst isMetricsListener (throw "No metrics endpoint on worker") w.settings.worker_listeners;
-
-      wAddress = w: lib.lists.findFirst (_: true) (throw "No address in receiver") (firstMetricsListener w).bind_addresses;
-      wPort = w: (firstMetricsListener w).port;
-
-      socketAddress = w: "${wAddress w}:${toString (wPort w)}";
+      connectionInfo = w: matrix-lib.workerConnectionResource "metrics" w;
+      socketAddress = w: let c = connectionInfo w; in "${c.host}:${toString (c.port)}";
 
       metricsPath = w: "/metrics/${w.type}/${toString w.index}";
       proxyPath = w: "http://${socketAddress w}/_synapse/metrics";
-    in lib.mapAttrs' (n: v: lib.nameValuePair (metricsPath v) ({ proxyPass = proxyPath v; }))
+    in lib.mapAttrs' (n: v: lib.nameValuePair
+      (metricsPath v) ({
+        proxyPass = proxyPath v;
+        extraConfig = ''
+          allow ${values.hosts.ildkule.ipv4};
+          allow ${values.hosts.ildkule.ipv6};
+          deny all;
+        '';
+      }))
       cfg.workers.instances;
   })
   ({
     locations."/metrics/master/1" = {
       proxyPass = "http://127.0.0.1:9000/_synapse/metrics";
+      extraConfig = ''
+        allow ${values.hosts.ildkule.ipv4};
+        allow ${values.hosts.ildkule.ipv6};
+        deny all;
+      '';
     };
 
     locations."/metrics/" = let
-      endpoints = builtins.map (x: "matrix.pvv.ntnu.no/metrics/${x}") [
-        "master/1"
-        "fed-sender/1"
-        "fed-sender/2"
-        "fed-receiver/1"
-        "initial-sync/1"
-        "normal-sync/1"
-        "event-persist/1"
-        "user-dir/1"
-      ];
+      endpoints = lib.pipe cfg.workers.instances [
+        (lib.mapAttrsToList (_: v: v))
+        (map (w: "${w.type}/${toString w.index}"))
+        (map (w: "matrix.pvv.ntnu.no/metrics/${w}"))
+      ] ++ [ "matrix.pvv.ntnu.no/metrics/master/1" ];
     in {
       alias = pkgs.writeTextDir "/config.json"
         (builtins.toJSON [

hosts/jokum/services/nginx/default.nix

@@ -1,7 +1,5 @@
-{config, ... }:
-
+{ config, values, ... }:
 {
-
   security.acme = {
     acceptTerms = true;
     defaults.email = "danio@pvv.ntnu.no";
@@ -10,7 +8,16 @@
   services.nginx = {
     enable = true;
 
-    defaultListenAddresses = [ "129.241.210.169" "127.0.0.1" "127.0.0.2" "[2001:700:300:1900::169]" "[::1]" ];
+    enableReload = true;
+
+    defaultListenAddresses = [
+      values.hosts.jokum.ipv4
+      "[${values.hosts.jokum.ipv6}]"
+
+      "127.0.0.1"
+      "127.0.0.2"
+      "[::1]"
+    ];
 
     recommendedProxySettings = true;
     recommendedTlsSettings = true;

misc/metrics-exporters.nix

@@ -1,4 +1,4 @@
-{ config, pkgs, ... }:
+{ config, pkgs, values, ... }:
 
 {
   services.prometheus.exporters.node = {
@@ -7,6 +7,19 @@
     enabledCollectors = [ "systemd" ];
   };
 
+  systemd.services.prometheus-node-exporter.serviceConfig = {
+    IPAddressDeny = "any";
+    IPAddressAllow = [
+      "127.0.0.1"
+      "::1"
+      values.hosts.ildkule.ipv4
+      values.hosts.ildkule.ipv6
+    ];
+  };
+
+
+  networking.firewall.allowedTCPPorts = [ 9100 ];
+
   services.promtail = {
     enable = true;
     configuration = {
@@ -34,6 +47,10 @@
               source_labels = [ "__journal__systemd_unit" ];
               target_label = "unit";
             }
+            {
+              source_labels = [ "__journal_priority_keyword" ];
+              target_label = "level";
+            }
           ];
         }
       ];

secrets/bekkalokk/bekkalokk.yaml

@@ -0,0 +1,64 @@
+gitea:
+    dbpassword: ENC[AES256_GCM,data:Tx7bFpHjXev1Q3G5Rdq5/Pg5XVro7hQFyG/FJUsiGeJOezymfk1V84VXPQ==,iv:msn8d2sarb2r+nSy1Qk1IOtkXhKDOXjcUO5dFpln1e4=,tag:Wtm1Q5FzTt1WA+uQjaVQKA==,type:str]
+mediawiki:
+    password: ENC[AES256_GCM,data:HsBuA1E7187roGnKuFPfPDYxA16GFjAUucgUtrdUFmcOzmTNiFH+NWY2ZQ==,iv:vDYUmmZftcrkDtJxNYKAJSx9j+AQcmQarC62QRHR4IM=,tag:3TKjNrGRivFWoK3djC748g==,type:str]
+postgres:
+    mediawiki: ENC[AES256_GCM,data:JsDjfDrbJHejPDZFn6TyPkDnMIX9Go62ZmRy7P+N1Ncaz5tintspO1YtIA==,iv:7EgzkRf8GP/pIMxxEkI3fzKjxr1sT4vwsqshRtkeYU0=,tag:l3DO/0sicTolInEl2mJNSA==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1mrnldl334l2nszuta6ywvewng0fswv2dz9l5g4qcwe3nj4yxf92qjskdx6
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSYUR4TjA3WU96TzV6R1V5
+            TFpPUW1CdnRZck50bzJSb3VnUXFYUDhxM2hJCmI2Q0p3ZVZGS0U4UmNaQ0Z3Vmgv
+            MkNyS1hVUWs5UjZ3cTJRU0pWbmFSeEkKLS0tIGlIRGYxTjgzWmVWbXRwTjhHdnRx
+            U3JMU1ZUT1ZhT2xSbHRLVXgzODB1NXcKJ2LTJB2oKffW+aZgkEEwp+xhAY0FpnBl
+            5GqUdZrgkNOV0pvgVAOoXMyCdZbndYLS+dUzggnF91HJOr87wRH4uw==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age17tagmpwqjk3mdy45rfesrfey6h863x8wfq38wh33tkrlrywxducs0k6tpq
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzUmpzTVdlRlg0OHBFQ2lq
+            eDdmOUlxbzcxakFsS2JHK3JqU0tNTC9mOGhRCjNCbFcxWTFzeTkxcHZLQjBpb2c1
+            V3VHeGhuTkhNbGlsVVlMallPcTVIK0kKLS0tIHRISitSQXBENVY3ejdYa3pXRmJ1
+            TVNBRXQvUmRPdlMreGtzZUNUcnM4aEkKAp/Ofix26q1eeHszIJa4yYF9ycwWodeV
+            216hz9YUYb9aZCoJJzGPceb/ER17yvqFHQlhgEb9EiKaH3vbIu+WRQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age13t2nnr6yukmtda6wn2uggfcj0dmwce8347y8w6xzt4yje6wlgscqnahuqm
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUVC9Cd01HaWpyUm5mdTh4
+            Uk5mSlBLQTlydkpQc0Irakxmalg1WU92U0JjCnhFbDFNaThIVEVNMldiT3BtL2cw
+            UU4rNEhvTXkzWXlMWUZGeEdJaTg0WjQKLS0tIEZlWkI3SzFOT1NoQWpIM2poMXE4
+            RHN4RDJWWGV2ZDJzVUo1VVorNzhlMGMKCwdWOZOnibpbB5mZSCBGhj+yUZvk/vuK
+            hsiDo74vmsmNZ/zmN6cw60hNwhZ4NgtfXcKG8Axe+1rPUwEcrvWHIQ==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2023-04-22T23:00:19Z"
+    mac: ENC[AES256_GCM,data:/c9N6/qSzeqjzNq1buR5Z7YLp/H1wDgpnpw5G8CcTJkggzn/mDfvyNg/k/TAJl5CzH/mh20yeHTjOGOiTXubkhJya+WT01g0PVinU3+GxTUZOxkaF0rHTCRzuiSbbrJzhtvMmmgbbYSkaGBZ8+Y3VvC8qnNKzadO+QozqZbLuWY=,iv:FiMABv8OBDRJeI6VsuapFS3qOlDP+TzJE8rrYSV/F7A=,tag:GAv2Pk5U7igVAyhch+ZEeA==,type:str]
+    pgp:
+        - created_at: "2023-01-28T23:37:44Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA0av/duuklWYAQ//foXRhar7kfr0PbxVjk2uWzGBoXpffjZPCoaM3D8RhIM8
+            kod/LMqUUkCvGjBFrmKiN2BCKf3SLDjnZp55J7zQ8x3Go133JdOAB/zZDaT+oxv1
+            kGQneeXRqeD51/25nFTq+ZZSzBP8fXJgmlsR/1ZM1/IjKF5m5JzD2duqNKV3fqto
+            IwdiqvrkMiCQICmvKxwwtbdP8+29eUbnfdOi9MO8wcXuObwz84mmpgjT30mNCWF8
+            Ha7PlcdjpRpYHwUp66+yO4uZ9nOAs7ygzcxKLOMwyaHDv9QJYHtXDUvLv50Jnucw
+            KhukMJHTURzeNgUEtTu7kR0WCEBl4IyZ6GUJhc2bX3JEbYi9xZqMHgh+lf1usd1q
+            bDPe3xUEKKgAPXeZRzqCQoy/MuIPErMWpqAQePtL3KOafX+vTve0lfPtLKKbne8+
+            Tv3eaj3chC255wq6CaJjHO+PI1nt2k29KC6XXxTzkwbRxgT6wVP9uIszeRdREpyX
+            +//TCsvnAwd2l3ojzXwIEv3F6/xeYpj7hur59BopDRX3yEUNZhgfDa+l6+BIHoDZ
+            TY3ocQrIxH40CF4IxL6dDR8OOut9vlDpfZTora7MLiQbTU1t5huGY0zBH1LpQ4u9
+            B/DnBKIuEhZf6eoH5DNHLnzuFYT6Q8QUHfHsM5KOnSEtx2oS2Txd/Ag7dS4FTPPS
+            XgEe6r+BP6ItZlDVBHN9EPkgS96xpQ5EIacTxX7qmA0ToGySIyMC3PVJkO8muIIK
+            /Lmmp6yaBOQN0kqQ26dTuVOMfMzI8zqnOW03Lm35nGnl3x8mGDH48j4Y05pS85k=
+            =t11j
+            -----END PGP MESSAGE-----
+          fp: F7D37890228A907440E1FD4846B9228E814A2AAC
+    unencrypted_suffix: _unencrypted
+    version: 3.7.3

secrets/ildkule/ildkule.yaml

@@ -1,13 +1,21 @@
-hello: ENC[AES256_GCM,data:MmbRxfMJf9sbqseEeSWnlGI1/4zmAdlb8ZxWCvOttJ3OlYe4Nng46SCtcSDOQA==,iv:KiD5smLGdIbMg62Q+h/9Gz7ROMdOe2CA02na/f081FM=,tag:tjdO1AzwvQWFR+JGuy4PQg==,type:str]
-example_key: ENC[AES256_GCM,data:yAaiu+Rpb4377U8YIQ==,iv:OE4cpTlEVNE73y6bc5TGQvAnYU8P2c2hqnMFxzL0PHI=,tag:G7D5TJdEA+F9UwaIFKC0KA==,type:str]
-#ENC[AES256_GCM,data:sGYwXL05D45kmWboJUPzjg==,iv:4nOP8F7kGGl6HhuV5Jxjol12pc3f6UO+pp+IcgUrjGU=,tag:tIf9ozHCOBeDprjEv98F1Q==,type:comment]
-example_array:
-    - ENC[AES256_GCM,data:UQ5w4scNH8E49iQo7gM=,iv:dLT/JlTWvscnYre9g9s3YgznNuvdWDyOFozxW50zdWI=,tag:jqtV8Ebfm4Y4ayIIuYGoeg==,type:str]
-    - ENC[AES256_GCM,data:Zfm0FeuICoe4mrSoMRM=,iv:I/IakhKYtIclPQBA8nuAouuGylzCR/RbQLSWNWBQZYs=,tag:V1/WomLShKX0yaXkBQW0rQ==,type:str]
-example_number: ENC[AES256_GCM,data:9wZEFB7/jOt11Q==,iv:5RVyKZe3D9BgRDDMsxUsMMKdVA5B3Ekm2G4WWt/1EuY=,tag:MSIbensfrWKU1d/XbcNtvg==,type:float]
-example_booleans:
-    - ENC[AES256_GCM,data:LLg+sA==,iv:WQSKdlEaQCjdrsSYz0P+pdRD/pl3QMa01d8XV/EZUzY=,tag:QIH98LcUyPXDvs36XPbyxA==,type:bool]
-    - ENC[AES256_GCM,data:9ZQqdg==,iv:wWRmZ0nQg76sAKiPfGUX0KG/p41VnTc1wmANv4Wt2+w=,tag:3vmvuMDTZSEeZBpAE2soAA==,type:bool]
+#ENC[AES256_GCM,data:oyFG9fCzJH8yLB0QY78CVOcYO6Ttp/ARqtIcXwWGYOvL6nW+yLcakrdmVA96sR5toywb32aW,iv:7o3FI0cI6GHCwmQfLYh2iAVr8sELOMoxGSzE5qvuAaI=,tag:z9F1c4dOIiy2FtKpBwm5wg==,type:comment]
+#ENC[AES256_GCM,data:nhDznFCozGpXdYBfumLyhp7TnA7C/IqBCpHJ,iv:3AZN6iVBha8Qh5/X6Yn/5JWsGhDXlE/zdUh1CcO7fQc=,tag:59DaAyKTOmkKty4eyFWFqw==,type:comment]
+#ENC[AES256_GCM,data:vQu+AG19Vy94xxwj196G2uk9,iv:YJGBvoMgOngjn/TeuXeoU82daRvJDxvCQMYb3XCPlw0=,tag:fU6ZhhmAh0yh3/QuXbCNkQ==,type:comment]
+#ENC[AES256_GCM,data:S1UOENn/ewhw8Pb9CmKp,iv:jafOhkCoiTm5HXQ/S611L4VlQFa1Wqr5WIIRzLQm3i0=,tag:6CQ+Y9E/FxWN8K+D9J7+Fg==,type:comment]
+#ENC[AES256_GCM,data:lHHmoCHyP2Tc3waRGeMPEasQiv5+,iv:W6SSFpeWBfTBOEDo4P9hox39eoAiO40Ay4T3QeiI9Tw=,tag:9bLbcEZ9/B1QolDettwcfg==,type:comment]
+#ENC[AES256_GCM,data:DrF4XHSd8QAWn5h1xEGGpDKMQcLF,iv:nPCBbThQh/Aa+uccKJtmiCXSvoJKHxZMJ42yFkV+hi8=,tag:3l50mMn7cPoCnjPcHv1+Vg==,type:comment]
+#ENC[AES256_GCM,data:ADUhFzufaR2xXNOLgiXKu5Cd8Zx3waYeZiLF,iv:WMK2gJwplf6r/EdijrvrOBHgPL57W+UMIQ8dBPp/DBA=,tag:E/q/ccAd7UH3BV7nut6Slg==,type:comment]
+#ENC[AES256_GCM,data:IVFSM6VOWnR0YDRfecsDPlYr,iv:Jxe8pq3lxw5QUGKyspB8tWSquDSMo3mAJBAsQGKxSec=,tag:7bffwY98iTX4/De0coUIxA==,type:comment]
+#ENC[AES256_GCM,data:pHSDnojWTLYXIKk=,iv:ph2xCpxbP3OiWm+B/MDboykPa2gtCWpP0b3j96YCDh4=,tag:u5hmvxHaa/m8GaSeYvONmg==,type:comment]
+#ENC[AES256_GCM,data:Q0fCyyP0DJqUyJPo,iv:qwBE3c2VqF52Yq8POXhy2Qv2xJd82wL1aX4eVY6wL1w=,tag:IwmbD7XqIkemOTODBKpS0g==,type:comment]
+keys:
+    grafana:
+        secret_key: ENC[AES256_GCM,data:+WoAJbDBEgKs0RoHT+7oEELAVQ+/2Xt+5RTMSXg23moCqVRx+Gzll9P5Drw=,iv:AkRn/Y20iEe5i1T+84wAgLCTFtAox2G3giyawAkltAw=,tag:BZbt5Wb5lYLIJBm/pfP4GQ==,type:str]
+        admin_password: ENC[AES256_GCM,data:ttKwfC4WuXeL/6x4,iv:x1X+e3z08CR992GzC62YnFIN7SGrE81/nDNrgcgVzx0=,tag:YajUoy61kYbpeGeC7yNrXQ==,type:str]
+    postgres:
+        grafana: ENC[AES256_GCM,data:D6qkg98WZYzKYegSNBb31v8o+KHisGmJ+ab5Ut7EMtsJz36kUup5RS4EbtM=,iv:rfE1uH1QycKMTpSq2p1ntQ2BIvptAh2J3l/QcQhiuLo=,tag:QxmGFcekjFRPf6orN86IxQ==,type:str]
+        postgres_exporter_env: ENC[AES256_GCM,data:8MEoikoA6tFNm9qZbk0DFWANd7nRs5QSqrsGLoLKPIc1xykJaXTlyP5v8ywVGR8j7bfPs4p6QfpUIWK8CCnfQ1QhsFPXUMksl8p+K+xuMakYZr9OoWigGqvOHpFb9blfBN1FBdRrk38REXWAMUn74KSRI9v+0i5lpC4=,iv:anpjWVUadKfSAm9XbkeAKu+jAk+LxcpVYQ+gUe5szYw=,tag:4tzb/8B/e1uVoqTsQGlcKA==,type:str]
+        postgres_exporter_knakelibrak_env: ENC[AES256_GCM,data:xjC7DGXrW2GIJq8XioIZb+jSe/Hzcz0tv9cUHmX/n1nhI+D64lYt+EKnq1+RX/vJzU4sTaKjveKBh88Qqnv6RQm+MZC//dIxcvnnAdl50qnHZyBCaFFEzSNI8I8vGyArMk8Ja72clBq3kMpUz/pLBP0qDrjblKDoWkU=,iv:ZW98hJy8A5t4Oxtu17R3tM7gou183VLbgBsHA8LFuJY=,tag:VMOvQz3X/XDylV1YFg2Jsg==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -17,23 +25,52 @@ sops:
         - recipient: age1mrnldl334l2nszuta6ywvewng0fswv2dz9l5g4qcwe3nj4yxf92qjskdx6
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDM2RidW9wYUVHWHhFTmM1
-            c1BIazd5MTRMU3dRNEFyWHIxMzhNL21VNURZCnkzKzNNbXgrcmJtNFZjSHQyWHN1
-            aEpjV1dQVmJTb2F5YXJWazMxTmJUYTAKLS0tIDNRUVlTR1p3eEtRYkVMcjlYS3Ir
-            bWhUaDA1eTJRTGpEb3FmSTlPTFY4c3cKrrQcomMURB9dqT+aAkWbFMzMqB3AIvEl
-            t9Fd5puhhto5/SInssCxpH1p4kbqQZWMfDqE+eFFs2whDVuoiM/Tlg==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrN3lJM2xWTUZ3UkRBaENI
+            VmJiWDlQbHd0VUNYdllPdURyQmUvL3lKMzJzCkZlRFVxbmNLOVNqUFg1akJQQlBP
+            VmdOMUdjZ1M4U2lLVEpGaGI5NjNTR2MKLS0tIDRlQUtucEZhZmRYbmpadVdKK01v
+            cWxCQlBRR1VaZTBDQnkzNGE0WGttWm8KK5s/coWNsdCP5lKQ8LMK7/3ku179+Lg1
+            4ujTVn4LhvXy6JvgGTWS/UbMmJjJebVxkulzf5St3YMMs2mcIYjOtA==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age17tagmpwqjk3mdy45rfesrfey6h863x8wfq38wh33tkrlrywxducs0k6tpq
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHNkllWlY4L251Z29qOEVX
-            Vmh2YU5BNVhwbXhDaEpYcXoxY0hCOHhPYXdNCjROQ2piWFQ2MWYwbnF4cFdKS0tv
-            dFUveEsrQVRpT1REQ0hib1pla2R5RkUKLS0tIFJOSXNaZitxbWk1cHNGc1k0Zk9m
-            NHU1elF3L2ZRZlVJZTdZU01qNER4a1EK+pvM24FDok4lbbailCspaA1vsZrtsumH
-            c8uHITgStobUmdqsdv9ta8gpar0nZ66N0kztyhW15sJh1vZY8Guxxg==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSa25taGsxdlhrUS96cXBi
+            cUo3WDVmdEhKN256THJhS2tHSitDRkVraDJNCmhGZzlFUDFkN0JKNkFWUlVLVzcz
+            MjFhcDdmcmpxdTA3V3JRREFNVmNUbEEKLS0tIFNSU2xNZzN2Y1ZzR2hFM0dOK0Zy
+            Tmk4bXd0ZHhPemxDSDREb3IvSjFza1EKsjtC6J3kYGRe8oLAoUZmg1BUmpkMyC98
+            uYq+IQmfJt48R/MKDei00j1w3zIK5+E5GU4o8+jILzwfpzYUUZWwiA==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2022-12-17T20:25:20Z"
-    mac: ENC[AES256_GCM,data:KKo9xz6vQHKH6tIiU9cTA4ngwbyqeX33QwvJq5dDCJlEDm5CA+akD5Wsqyp+rGuIjiIDi01eRUONA0YRG4DcmmcRWlnmA9hrBfRWJKtV/0gR+yeYCuY95J9twu3pbOODCyMdcLJqB0tLmyqWGHowNk+mIhEw/a+kxZX+kiB8ilY=,iv:3uHmBVnuaTvnNbdtii++8FzFS7SrsO2inTBtzXmhBhU=,tag:OqpHlELdpn6mlUB544HdmA==,type:str]
-    pgp: []
+        - recipient: age1hn45n46ypyrvypv0mwfnpt9ddrlmw34dwlpf33n8v67jexr3lucq6ahc9x
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPb09qTTc4cjRMcjIzRmxu
+            RzZWTDBNTGdvaEc2VFJPakYvakRMK1RnS1FnCktHRVkwZGlUUXl4UTBRcGxMQzdn
+            QVBCYVdlWEw5NW9tNytJTGIzRlpwa0UKLS0tIGdDdUtFMUgyT0phMXBxZE41Y1h4
+            a2hQVVprakt5NURpNXdQUjREczJKWTgKn60yrLqco9brlqigAolO8rEkww9z3y3u
+            KmefLVZCGfoko+fnKLVE9UKFS/tAowqgPS1qE76u1Mmkk6yqZoG9rg==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2023-01-26T00:16:54Z"
+    mac: ENC[AES256_GCM,data:T13TG5fwXgAXUD4I8yIsdUQTA4MKZdEWkpVP1H734YBt5c0J0FJ5Ppxvf1n3hPcC6dcyCJ1NonbmmDBeKn0JUlxTlrK645O33RHLHlsMZGVijYyLyvxCxGo22SfdT2OdPv7tggyat9Cpd9bVLd7YdhPxTYDnZ3eNbIwx+5Fnw48=,iv:bYz6k1f30nlCjOuTRu3F2OE9iQIMd2eBGezXQx901zE=,tag:GHGGNlNg+huP6F3uyrbncQ==,type:str]
+    pgp:
+        - created_at: "2023-01-21T19:52:08Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA0av/duuklWYAQ//Sw5EHNbC9iPXcHSULYVmSMOQCAH7GSGvaaFvey/KffPD
+            5gbFr00vIi1JfjYXmYfn3KKpUfs/mMMo5NzYU2Ou5fWcPsqFLXOwubebuf61X6p7
+            7YfLYQMnjgBzkpb972AJl2tWUlcBcOz89tIw3oMi8R5vvXjRjEdDY8Yp+Z2Apj9V
+            YJCoSIe6RLBlubMs4I6VIOaTaKIM1DWthg95dozlShXYsEgFTYaJ6FbN9RuZOZPa
+            KzFs2DXtbylXXJtiCArQCHnOgA1Jnp80VvMYLO1ldteQhqGdmnxnqwjETx/uqy4l
+            QE31LcRf2JFKi0BBJdQfEqBGW9LD4Mjfwi6tWbHq4Mn29u8IT6z5HJIB99JRAV/9
+            RfBPzF7UVLq2baWxDwG/M6TvZlVJPdAyhJ5QqhkVdrWir7D1D108u+cgtJWw+vlS
+            cP3hT73LWCo2bXUrHXxFnrWdDQQSDpew/x2cTHUNvqdqLZgMJWdZgh+mXOQLjzHP
+            xGkjt0ae5/CEnUIse/Qt3SyoKN3rGVKJgoQ4D0AeBFU5z7NEOx7Ebl9t6IgVnJIB
+            sDJXg+7jJ8A0V1xGan6BP8dFi7m0aAJH0xi8RB9jC1ZRVNxUjFow3Szh0JQ7u2P5
+            4jZ3FT4tWzPzLQsgJUd/H41QyKSd3ke4VMf97mEKULJ7prtXdyxQfRDcE93UgVXS
+            XAF0u7pIl+O2RlJtki+UvuwVDszPBRSmGmfiQa4vsYfXahO4fmBjhdl2hdLtz82F
+            dh+dPu+RSD9OKwIhUwsDLtWWlI/4BvIB1yXbQxP2MyjZm3uVf1CtgUHyjWw8
+            =rri5
+            -----END PGP MESSAGE-----
+          fp: F7D37890228A907440E1FD4846B9228E814A2AAC
     unencrypted_suffix: _unencrypted
     version: 3.7.3

secrets/jokum/jokum.yaml

@@ -1,57 +1,69 @@
 matrix:
     synapse:
-        dbconfig: ENC[AES256_GCM,data:a0Bq2ilDZM0GddHZS1WcaSY3kdFDbau4BNMu+rumisYZy5/VQOE6LT/gq3vdwH2T7D3r1/cj7YSRcdjq+SRYHiJ9xgb1m3tx+ZlvNrY8PMaYvtmOpMoXyYlJ2iT7/IiMk5UW50cSZEcww7zS8NknZMzjiNEq3+D88J57J6WRmQqj/w==,iv:BsbOLl/hlQIjOLnik8lZWO3+jhMEZ//fisxLon7HdE0=,tag:WqMGflg5+Sh2zx5QFnjy4A==,type:str]
-        turnconfig: ENC[AES256_GCM,data:lHySrJUpQKAUXsl9LzYlxu4YSCz4qJF6MRLr+LprTEdhGvrnk7U=,iv:Jz7LEOUwTI8LCMOKqB2vN/0Zs+S0IJkHY3wpAC0q5YI=,tag:8KR7duN+Qqpl6B40hSEndw==,type:str]
-        signing_key: ENC[AES256_GCM,data:6RDZWsrRKDGTefIeZZ6UVlcoqVV3fdRas/sox4WkEgtouCh7lwwrSzpuM5R1H0cNVxA/8wBsaHG1xQ==,iv:TDfAdYROu7o7FIwn6oOs60surQ7zFy0+9bqhx8LtwXg=,tag:RNzcTYkDuyz6nz2z43CJwQ==,type:str]
+        dbconfig: ENC[AES256_GCM,data:R7y+867fwnVXHaknUj9RpBtkEATfUo9AoaNId/ODLkHCJyQP1761pJLqeSkQTZAnzZxqACYorV0P57tEQ5bE0aKLOL7tSClx82x7Tki0MiWME4FgxJC2fQk/vP0Ca2zufnw0s697zkfsnyx/1pjjo69amXc207NXAHCtxXO0ztWp0Q==,iv:BsbOLl/hlQIjOLnik8lZWO3+jhMEZ//fisxLon7HdE0=,tag:6sv6ySztGbxAgn+WV0I5NA==,type:str]
+        turnconfig: ENC[AES256_GCM,data:eyUQID6nHiMH1cm418ItI3DEAjAPoR9NR7DvhfYCTvYM1LyHKVg=,iv:Jz7LEOUwTI8LCMOKqB2vN/0Zs+S0IJkHY3wpAC0q5YI=,tag:4SImxB+5JI8VtsZVy0cYIQ==,type:str]
+        user_registration: ENC[AES256_GCM,data:qWtVuNc0YWetsVVtXt+nlaUPq7QzbsDIb+KV2jgEfLZXU/h+vS0PL+k=,iv:72fvhUo3Bhvxj9A16sTL3teLKA0tGEk7pbgKoooOJSo=,tag:Q5vl2+ZJZqtcmMH+tNqVag==,type:str]
+        signing_key: ENC[AES256_GCM,data:3EeV+9X9TtqhBL7QyULTS7tNyH7ayhe88B7UtNZ/TMlQSW2E1WtSVEecqs+097A1SmdKoYVr6iz0ew==,iv:TDfAdYROu7o7FIwn6oOs60surQ7zFy0+9bqhx8LtwXg=,tag:8MpNBw5TbDMxXHF9+tmZfQ==,type:str]
     coturn:
-        static-auth-secret: ENC[AES256_GCM,data:tPz4GUvJwB2osO2vwyyThms=,iv:MVoFWgqHm88JXaCYa5l57SkX3fSmP97Z7IzvwumHWY8=,tag:af7Qs4qiSYQ/OBLJbZGk2A==,type:str]
+        static-auth-secret: ENC[AES256_GCM,data:bDVbTU3QaanU0fPhQF4Fil4=,iv:MVoFWgqHm88JXaCYa5l57SkX3fSmP97Z7IzvwumHWY8=,tag:ZX121OshXiLC6eRxz2Be0g==,type:str]
+    mjolnir:
+        access_token: ENC[AES256_GCM,data:z+BG3nJyUTrJJq0eGNzT3tFatKXffgBzg3E608pqBaPvtJYsnEy4mo1vZig=,iv:VGdnprNYOArhLdY38B1BO/V9YiYGZEy39gnJyh8atgY=,tag:qJ+UryjNPTH0F6ZP5JJlEw==,type:str]
     registrations:
-        mx-puppet-discord: ENC[AES256_GCM,data:jrFvjgWG3qdM8ruIehfBP4WfSUFJHA2SabhVFNuUCWk2HR7Q+2PSGrZ0h9ikFnJhZD5JO0hK5AiYJQ34MWaFEKuOqV1DGOf6VCr3QgeIItvctQyS2DD+R1zt5a32KIJOFMFbH66c/X3POY/ZMsT7UA7BcvqX8uB0Esqa8wRqV4wmzGOmUp2v4uBTihr9O7V61m0t+kSYmMgZnJqmGf7b0/FM/dmTxcp+qXrnRPz9JCNCtYKoVjDUZFNlBKrppDC6GjN1y4cBzzVezlHKCk53x71T2yberFRcK02Ni9RLoH0yqU/1jt2gjaQHal52wF3QxSXKT9rtCGZh2o+9Txpp61LNqBiua/Ija+9ToALlP8ihsFDv7UZ04g5y8u2A5mC1HHB5wU1E94ay0NcYasfdBOwQqpwqunQxjvp1cHHnspUasXXwWoRr7faxkKhBGVoCA5yNsSmp8+4zWjkFendRVZan1UsJsJ8me1nOLji4BKAevh3FzagLjjtANIoNqKr9kGBfDzIOCgPGzBLlhJcMZPwZCV/QNbs583g=,iv:3gzyGz7T9PK/J92X46YXYT98bpTnx1uPiiwXuls/kOA=,tag:O+bfssIhPDSKRCpv0YPxTg==,type:str]
+        mx-puppet-discord: ENC[AES256_GCM,data:nvWSaZ4we8BD50Op/bZMrlMXGBwzvG3IXGPGJe2paCZ10tTm9v4+aYGYhILNhcQM095AD9KdEJ44TAyPxZ/c5iYLqb/LJzEpa5X2jKoiF6r7PjNFGevKQs7fzJk4Y9MxHwZ2KJT+uHjtXF8erJvFDs3S3WgmuAQW1U9b5fYQNc4ZF0tY+BsWU2ehqMejpx7w93TkcIiZY7Uoj4kPMEp8aI6v/7VPIjM9g7b+R5KGZ1/yIpiNCzZuT+x2mxCtqGfbOynWON8PaCIojp7sbLaRWhX2bd4GG2wP3T5MsgwjJzQSfyXjK1Dyxzr8fVmh0R2mJoZHTYNQLLwYncLwqXQEHr6tXNWPTwxPslW+BdLsp/8//m0F04vUf4Z0dbf22NSaPkH9GdRLB3zXh07VxqG+B7OvAjDULHUmA5uwgtZq9h0G73TWDJ8U75eAxrTdsgQgmIsyhpLljFW2QSnOPL/93ieovh5qRgXjgyqrljDOkB+fhC0gdQalPeBM8l5zPI8aaJsVp/l15rx4nUIrFka0g+v+SRhAIPtQAKA=,iv:3gzyGz7T9PK/J92X46YXYT98bpTnx1uPiiwXuls/kOA=,tag:Vm+zNmA53HIb2dP8FIgP6Q==,type:str]
 sops:
     kms: []
     gcp_kms: []
     azure_kv: []
     hc_vault: []
     age:
+        - recipient: age1gp8ye4g2mmw3may5xg0zsy7mm04glfz3788mmdx9cvcsdxs9hg0s0cc9kt
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXY29wUXJnMURlWk4rUTRh
+            alZsb0xSTlI2MFFTb3B4dzhDT2l5M1pLMWg4CkgzT1h0VHBMTTNhRTJRNEZLWWlk
+            dyt0aCt0c3NTR1ovS1FIM1VBTW9Ha0kKLS0tIHN0eDNqbzJXQUZFcTFGaFEyME5t
+            djJpWDlRNGhGemZXR0tMc0RhYVZpMWcKG/Airf45TgfJ82vPfXxMLtRRLPvZR/Iu
+            teoToXtddxFVY675nFy0gfq9P21qHJ7MvTYwVBhQAT/TitTZ/q2u9A==
+            -----END AGE ENCRYPTED FILE-----
         - recipient: age17tagmpwqjk3mdy45rfesrfey6h863x8wfq38wh33tkrlrywxducs0k6tpq
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3K29HWS9ZRWxpbzQ3d1V2
-            OEZwYjA5eEE1Z0YrM1o0YnlGbGt3QmQ2YkdBCkpnZHN1TE45dWxqY3lndjBYcWVQ
-            cFdoUi9WaVNibndWdTcwTDRiOTBtWXMKLS0tIGNIYkdIZWo4cUlrM094Qi9KTnJa
-            ZXI1bnZlbmZZQ2dvLys4YllYRG9jNlkKn2UbGP+TOUU5+Q3OQuZTQvr8S5oDX/aN
-            a7iaQn2z/Y5M3tGvFBOiaWZjqtoCHgtZL56LKAaF60yLeUIPnKylbg==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxQnlmMVE1aDRycXNmclk4
+            OWgyQzhDdzJrdlEvL2NzeURoa3hZa3lEMzJJCk11ai90L0ZGd3U2VUhHdm1mQ1VC
+            eCt0WjVKVEt0N0tkRHl1QW4vRWdtMG8KLS0tIEVjVER2QXlIbnZXQUNONzlGbnRl
+            dDZ4RGFqaktTZ05yNjhqUlhqQmpBcncKTSSe5rZhV/+tsgk3xlV7nEphS8qhxucz
+            0O1J0U8FEdyfrwF2AOobsf4YIgtTrb20gyXsTdPwIbsQToJ+YqVAgQ==
             -----END AGE ENCRYPTED FILE-----
-        - recipient: age1n4vc3dhv8puqz6ntwrkkpdfj0q002hexqee48wzahll8cmce2ezssrq608
+        - recipient: age1mrnldl334l2nszuta6ywvewng0fswv2dz9l5g4qcwe3nj4yxf92qjskdx6
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBISzh3QmlzempEMDNsaTQy
-            bGxFZlNLdURhY0NzcjhjdlgzZlFxV0R6cURnCnhqRUlpcFNPUWd0YmF6TjYvK0t4
-            UDVlcFFTbDByTkRZTW9ITC9yVVlzYUkKLS0tIGtkWHF4enhrK004RG00NUt5ZlND
-            TFBiblFGNkdHZkk1L2RXdkpHSGQ1U2cK/mBTDDHOWSGZRflIsxOyDWShQH2EILJr
-            jCrLGbIaGgphIgLCHVmMV8QLRPK+8f9t8KZg7sczRViuDwZsAx5vPA==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxeDVwdHEvUk1JTW9FSkx2
+            VmlxejM0ZkJmZ3JkemQ2cnkvenY2ZmRJRFZzCmFHbUJzZ0VjYWZuelZHei9SWUo2
+            bjhPSUNrRW5JTWhVWnRzOU9sY25BMlEKLS0tIDF3M3ZFei9qczdDaGVsV0hrTWVU
+            NktTc2Y4ZDV4VGlza1FVdXBQUUVPZUkKYs9b4a+yAzI5kpv0X5/Ogg8sH0zdTim7
+            fXnkXZfAJ9oL/0qjVzFZA3j5aQX0xKMffSE/SFcQxUY2sISnwh1Tfw==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2022-12-09T05:16:09Z"
-    mac: ENC[AES256_GCM,data:MSKUQkCDCEOcl9Eh2VH9ccZ3Ux0eIyJFyjFVaJZ5WQA4fIB1J6Y/EoK/q7iaLFIH8YkeVPIvXVu9eCXjIyQkSugJwQXk+gSFtssjegUBTcZkRJJ0Lo48IWO4yVFXnDYzyFjcgH4TBmL0uco3BkWHfLHR46fQUJIco9yYlVKtsFU=,iv:d3uWCTVV8o1Nx6WJCF/YQHOeGjTzJk6xaDxMTWeUINU=,tag:KOi1naN2Uhe0NcMl6oW/6A==,type:str]
+    lastmodified: "2023-02-13T00:12:03Z"
+    mac: ENC[AES256_GCM,data:FolV94dIwYSL5r1ZHTPdmqMKVTAhrnePG+5M4S1H/wBYbED3sr6oPPmmxwiwm5E4K0YR1+ou4yR/vGTV3lfRdxIGWhfAT0WW8WGTZVIlcJCEk5H7Rels6rkma12BCjZ1zOGjZZCcFTm+4NI2KNv+zTc29zry4539jkkxk+8Skog=,iv:KBxSFVaFI3S5J9xG2Lc7FINUI8TRKxPtrbP3f2wXkHo=,tag:TWAtix03ZnB71+O7cF8b4A==,type:str]
     pgp:
-        - created_at: "2022-12-17T23:05:08Z"
+        - created_at: "2023-03-26T11:12:37Z"
           enc: |
             -----BEGIN PGP MESSAGE-----
 
-            hQIMA0av/duuklWYARAAvQ3TCvGiu75Swvd9hyY8rw2TeXiKPbHESzXFSZdR3+wk
-            XkaRTPuxMot5IUmUhC4EWxzUrKKyPsfw685FpojHDUeOWzaAcnbTT3NVg+VoSIAl
-            pDnt7BUZ/23Hd0tYt+VJuX8S4Iqny6xnhzWTaFNrLFhPGvIN3XbDqEsWRLQk9s46
-            rMht6DJkz8itsFTJrwmg52oXP0mIlZkaGFvWBNZlLf/0PiEET4sjZ3cn4rRGRNhf
-            Zk7u7ZgrBFRib0OO/edN6zFh9+/zbculXucqlnvccm6BQluHj2Z66++cyyzEL2xY
-            eU+8sBNWWKHPusPhKNWZsUGQ30fM7Ctdri5PWOzglJ0Ah+lAFgmbqdcSHjAuF9f7
-            9YVA5G4b7B1vT0dCv3MZ3419Gqa9Vimi1xUw+9SbZjACpMraovUKshTsKN/9rBzY
-            YkojmBdaneMoFGvo+aj5vMxG8CJbPV3Oiq1+G0E/fj53W1Qi8boeqcLxw5IbJIbq
-            27hQYm2L1gNBg84cEJfzjtxqPkP4IMb5DOZYo8hNVbXCP4AYjgyecw4tkSnbRkB9
-            GaRYSx2b1HMOxrDnzRUx8cX26a/eNlLhictPUy10Dvcs/xfWzGytL/3AtiAeaIY9
-            4G6rWuUv6XqYMM20bMc+HnKaFpYq2Y98DuLCqddrek8UaMX2b1p1Kw1ebC1i56fS
-            XgFIdcQDWiMi8rsWjAoFE7CDe/FvyCNSE88pvwhH2/BQjowUeMLqqqCHbrEj8sgo
-            icW/6tsXZ5ShJ5bi56Hal5FsAdR6sXTTdm8nYSFdmIfSHUz+auZ41WkLJYXpuFU=
-            =EVJD
+            hQIMA0av/duuklWYAQ/9GHLOAfLgTqVmfJACvt9xMqlzfrXyiACTJg+J5BD8hEtn
+            oe2clo/fO9u6df42hk/szQTQH4rJULdxvUNiBzYS0XbWCa+iWzpiOPN+bQZKoV3X
+            U4sFrHMT0ledUg62rlTbOmqpvLivoP6//DEqHAWl2weUvpplBRFzTFwICo+2+Jjo
+            18dzdYyBa5sxJ/KZKUoNsxRaCFgXs5L6qTuqzmZpnhnH1pKNW3D6e6Hfb0BmebUy
+            wt5NgxWJ/4dHFK84i93E1vxPbSusvQ++6JCSWgZtOwZJehnz5AeHgdDBzcHeJY8O
+            Idq+QrvRsqjisDNvd7blmBleup1Ai0l/CzEtTEYd/h/QipaT1rVaPOP4H/lnHZmO
+            f0HWGxhPCDfiuLK43DBExrj1QUq4LVUZf145fRGMWZfHtlzHM+4dY+/ijyUi7pFY
+            cenrE3/Iz8gaUWqRdaYqK/O/vrHq/siUS8IiWY53ALUF+DlBMuRrtc76T/fkSKbR
+            LuO7MnOnNyBy5HT+MQii1Tat7ODtPXlky+N5leVQQVAUMHrI6ETWAQlctBjDZXyT
+            UzXh8WVT+pijxNYDqUVMJ4d43AuHKayf2m0PftOZv+Q8n5ZqwUoQN6WbpsLvDFTU
+            4XweZaChhoq4K68o6vpOb5b7x+vlisiL2j+kYAgMjlWk1vkDY/GsHY8USi0Rj17S
+            XAGAULPvLDP+ohieT6dP2xLvzu4ghrySCTF6LjQ9sN2gHWfcV2FVw+anA3mxOLGK
+            P4hOgPPfiP/0O9H0KSHq0gXjhBkackFVAOPixvSAJdvkooVW+PisHjl59Jd6
+            =exZj
             -----END PGP MESSAGE-----
           fp: F7D37890228A907440E1FD4846B9228E814A2AAC
     unencrypted_suffix: _unencrypted

users/oysteikt.nix

@@ -1,9 +1,23 @@
-{pkgs, ...}:
-
+{ pkgs, ... }:
 {
   users.users.oysteikt = {
     isNormalUser = true;
-    #extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
+    extraGroups = [
+      "wheel"
+      "drift"
+    ];
+
     shell = pkgs.zsh;
+    packages = with pkgs; [
+      bottom
+      exa
+      neovim
+      ripgrep
+      tmux
+    ];
+
+    openssh.authorizedKeys.keys = [
+      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC0aYHsiqfLCA0prSmEi6hZeQPCGxZYR7gp+3U99POUWJyycSVqXMhgVZHT8VEYGf+EZ/y5nL1bvna7ChBwQBzInB2mRW+TCLL3h1w9t/27vTHe3wV+fowTooD/paOErmWFO4yDBEJ3cYFMXowAd3GfvsBSFGPSsvSxghSzWj+kfhIFkXD02LZxn/hBQyCT6irp3Hwx1cBu8ic/l2ln64SLARuEmj4ITaafNC5wD2Gr5Jf3q+T9QtJeFPXSpJD7MtVMJ1VpgpfGBvlEYKggiQjxgu2BXHv1w3KIfyltTwhrcqHvttaJSuR5TreAgQ5+dZHmMr6XX8rFG+HEa8gND6NjGjHrJBxp53qgPtLAmBddvf8xQMYiq6+XST16nlRaAsjU3yr3VqCt7XhJiS2IV8JiIV3dok8nxzDX9sjdZeGchdnAnU6lcxDgnBvAcJRaWHwMCG8Ty9sJ4otgjr5A1GxRBndJIIuKzjpdtsrCAHg/K2zqFoKPJxN/K9zDWKNy0aEy2Akl3LgHF2QIuG5pUOmbyvbF8AoTudaz6Zu6JpVwOb9T9avFJBH4RHQ3mK0faBkrEmnkAg6JnDDMIt0XLALl88rI4kbdkVvJ2kaodvq799TCCw1PwMidgWX63LemWVBx+CL9ebXrsOkOthhMhkeaFXY9Am3Ee7rfD1tq3PGU1w== h7x4"
+    ];
   };
 }

values.nix

@@ -0,0 +1,46 @@
+# Feel free to change the structure of this file
+let
+  pvv-ipv4 = suffix: "129.241.210.${toString suffix}";
+  pvv-ipv6 = suffix: "2001:700:300:1900::${toString suffix}";
+in rec {
+  services = {
+    matrix = {
+      ipv4 = hosts.jokum.ipv4;
+      ipv6 = hosts.jokum.ipv6;
+    };
+    # Also on jokum
+    turn = {
+      ipv4 = pvv-ipv4 213;
+      ipv6 = pvv-ipv6 213;
+    };
+  };
+
+  hosts = {
+    gateway = pvv-ipv4 129;
+    bekkalokk = {
+      ipv4 = pvv-ipv4 168;
+      ipv6 = pvv-ipv6 168;
+    };
+    jokum = {
+      ipv4 = pvv-ipv4 169;
+      ipv6 = pvv-ipv6 169; 
+    };
+    ildkule = {
+      ipv4 = pvv-ipv4 187;
+      ipv6 = pvv-ipv6 "1:187";
+    };
+    bicep = {
+      ipv4 = pvv-ipv4 209;
+      ipv6 = pvv-ipv6 209;
+    };
+  };
+
+  defaultNetworkConfig = {
+    networkConfig.IPv6AcceptRA = "no";
+    gateway = [ hosts.gateway ];
+    dns = [ "129.241.0.200" "129.241.0.201" ];
+    domains = [ "pvv.ntnu.no" "pvv.org" ];
+    DHCP = "no";
+  };
+
+}