bekkalokk/ingress: proxy matrix well-known files to bicep

Co-authored-by: Felix Albrigtsen <felix@albrigtsen.it>

.gitea/workflows/eval.yml

@@ -0,0 +1,13 @@
+name: "Eval nix flake"
+on:
+  pull_request:
+  push:
+jobs:
+  evals:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v3
+    - run: apt-get update && apt-get -y install sudo
+    - uses: https://github.com/cachix/install-nix-action@v23
+    - run: echo -e "show-trace = true\nmax-jobs = auto\ntrusted-users = root\nexperimental-features = nix-command flakes\nbuild-users-group =" > /etc/nix/nix.conf
+    - run: nix flake check

README.MD

@@ -10,7 +10,13 @@ Etter å ha klonet prosjektet ned og gjort endringer kan du evaluere configene m
 
 før du bygger en maskin med:
 
-`nix build .#nixosConfigurations.<maskinavn>.config.system.build.toplevel`
+`nix build .#<maskinnavn>`
+
+hvis du vil være ekstra sikker på at alt bygger så kan du kjøre:
+
+`nix build .` for å bygge alle de viktige maskinene.
+
+NB: Dette kan ta opp til 30 minutter avhengig av hva som ligger i caches
 
 Husk å hvertfall stage nye filer om du har laget dem!
 
@@ -20,7 +26,7 @@ Det er sikkert lurt å lage en PR først om du ikke er vandt til nix enda.
 Innen 24h skal alle systemene hente ned den nye konfigurasjonen og deploye den.
 
 Du kan tvinge en maskin til å oppdatere seg før dette ved å kjøre:
-`nixos-rebuild switch --update-input nixpkgs --update-input unstable --no-write-lock-file --refresh --flake git+https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git --upgrade`
+`nixos-rebuild switch --update-input nixpkgs --update-input nixpkgs-unstable --no-write-lock-file --refresh --flake git+https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git --upgrade`
 
 som root på maskinen.
 

base.nix

@@ -32,7 +32,7 @@
     flake = "git+https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git";
     flags = [
       "--update-input" "nixpkgs"
-      "--update-input" "unstable"
+      "--update-input" "nixpkgs-unstable"
       "--no-write-lock-file"
     ];
   };
@@ -71,6 +71,9 @@
 
   users.groups."drift".name = "drift";
 
+  # Trusted users on the nix builder machines
+  users.groups."nix-builder-users".name = "nix-builder-users";
+
   services.openssh = {
     enable = true;
     extraConfig = ''

flake.lock

@@ -1,15 +1,75 @@
 {
   "nodes": {
+    "disko": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1699099781,
+        "narHash": "sha256-2WAs839yL6xmIPBLNVwbft46BDh0/RAjq1bAKNRqeR4=",
+        "owner": "nix-community",
+        "repo": "disko",
+        "rev": "548962c50b8afad7b8c820c1d6e21dc8394d6e65",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "disko",
+        "type": "github"
+      }
+    },
+    "grzegorz": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs-unstable"
+        ]
+      },
+      "locked": {
+        "lastModified": 1696346665,
+        "narHash": "sha256-J6Tf6a/zhFZ8SereluHLrvgPsIVm2CGHHA8wrbhZB3Y=",
+        "owner": "Programvareverkstedet",
+        "repo": "grzegorz",
+        "rev": "9b9c3ac7d408ac7c6d67544b201e6b169afacb03",
+        "type": "github"
+      },
+      "original": {
+        "owner": "Programvareverkstedet",
+        "repo": "grzegorz",
+        "type": "github"
+      }
+    },
+    "grzegorz-clients": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1693864994,
+        "narHash": "sha256-oLDiWdCKDtEfeGzfAuDTq+n9VWp6JCo67PEESEZ3y8E=",
+        "owner": "Programvareverkstedet",
+        "repo": "grzegorz-clients",
+        "rev": "a38a0b0fb31ad0ad78a91458cb2c7f77f686468f",
+        "type": "github"
+      },
+      "original": {
+        "owner": "Programvareverkstedet",
+        "repo": "grzegorz-clients",
+        "type": "github"
+      }
+    },
     "matrix-next": {
       "inputs": {
         "nixpkgs-lib": "nixpkgs-lib"
       },
       "locked": {
-        "lastModified": 1690488646,
+        "lastModified": 1697936579,
-        "narHash": "sha256-yuceqT8Ev1sdwYvGYHegdTo0yrdRxVYJ2qXSbPtBgTw=",
+        "narHash": "sha256-nMyepKnwoHMzu2OpXvG2ZhU081TV9ENmWCo0vWxs6AI=",
         "owner": "dali99",
         "repo": "nixos-matrix-modules",
-        "rev": "bf997073d98670528c6230144e208a37d27fc388",
+        "rev": "e09814657187c8ed1a5fe1646df6d8da1eb2dee9",
         "type": "github"
       },
       "original": {
@@ -20,18 +80,17 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1694048570,
+        "lastModified": 1699110214,
-        "narHash": "sha256-PEQptwFCVaJ+jLFJgrZll2shQ9VI/7xVhrCYkJo8iIw=",
+        "narHash": "sha256-L2TU4RgtiqF69W8Gacg2jEkEYJrW+Kp0Mp4plwQh5b8=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "4f77ea639305f1de0a14d9d41eef83313360638c",
+        "rev": "78f3a4ae19f0e99d5323dd2e3853916b8ee4afee",
         "type": "github"
       },
       "original": {
-        "owner": "NixOS",
+        "id": "nixpkgs",
         "ref": "nixos-23.05-small",
-        "repo": "nixpkgs",
+        "type": "indirect"
-        "type": "github"
       }
     },
     "nixpkgs-lib": {
@@ -51,11 +110,11 @@
     },
     "nixpkgs-stable": {
       "locked": {
-        "lastModified": 1693675694,
+        "lastModified": 1699110214,
-        "narHash": "sha256-2pIOyQwGyy2FtFAUIb8YeKVmOCcPOTVphbAvmshudLE=",
+        "narHash": "sha256-L2TU4RgtiqF69W8Gacg2jEkEYJrW+Kp0Mp4plwQh5b8=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "5601118d39ca9105f8e7b39d4c221d3388c0419d",
+        "rev": "78f3a4ae19f0e99d5323dd2e3853916b8ee4afee",
         "type": "github"
       },
       "original": {
@@ -65,6 +124,21 @@
         "type": "github"
       }
     },
+    "nixpkgs-unstable": {
+      "locked": {
+        "lastModified": 1699128932,
+        "narHash": "sha256-4Hn/fpR/FRucpXQqMI0OSgxiu2ImowmR0dThAycPt/4=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "0d2d729bf7091df906a78b69f90620f933ea963f",
+        "type": "github"
+      },
+      "original": {
+        "id": "nixpkgs",
+        "ref": "nixos-unstable-small",
+        "type": "indirect"
+      }
+    },
     "pvv-calendar-bot": {
       "inputs": {
         "nixpkgs": [
@@ -87,11 +161,14 @@
     },
     "root": {
       "inputs": {
+        "disko": "disko",
+        "grzegorz": "grzegorz",
+        "grzegorz-clients": "grzegorz-clients",
         "matrix-next": "matrix-next",
         "nixpkgs": "nixpkgs",
+        "nixpkgs-unstable": "nixpkgs-unstable",
         "pvv-calendar-bot": "pvv-calendar-bot",
-        "sops-nix": "sops-nix",
+        "sops-nix": "sops-nix"
-        "unstable": "unstable"
       }
     },
     "sops-nix": {
@@ -102,11 +179,11 @@
         "nixpkgs-stable": "nixpkgs-stable"
       },
       "locked": {
-        "lastModified": 1693898833,
+        "lastModified": 1699153251,
-        "narHash": "sha256-OIrMAGNYNeLs6IvBynxcXub7aSW3GEUvWNsb7zx6zuU=",
+        "narHash": "sha256-CGx98mbAy9svKTa1dzlrVmkJwgGSXpAQUdMh7U0szts=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "faf21ac162173c2deb54e5fdeed002a9bd6e8623",
+        "rev": "5bc2cde6e53241e7df0e8f5df5872223983efa72",
         "type": "github"
       },
       "original": {
@@ -114,22 +191,6 @@
         "repo": "sops-nix",
         "type": "github"
       }
-    },
-    "unstable": {
-      "locked": {
-        "lastModified": 1694068030,
-        "narHash": "sha256-q21JdfZjK4XN5QwWTzCHF/G6uuZtwASNW9/ZBaak65M=",
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "9e26139b45147aadd25ab7ab3bc4a93d6d5e94e7",
-        "type": "github"
-      },
-      "original": {
-        "owner": "NixOS",
-        "ref": "nixos-unstable-small",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
     }
   },
   "root": "root",

flake.nix

@@ -2,33 +2,50 @@
   description = "PVV System flake";
 
   inputs = {
-    nixpkgs.url = "github:NixOS/nixpkgs/nixos-23.05-small";
+    nixpkgs.url = "nixpkgs/nixos-23.05-small";
-    unstable.url = "github:NixOS/nixpkgs/nixos-unstable-small";
+    nixpkgs-unstable.url = "nixpkgs/nixos-unstable-small";
 
     sops-nix.url = "github:Mic92/sops-nix";
     sops-nix.inputs.nixpkgs.follows = "nixpkgs";
 
+    disko.url = "github:nix-community/disko";
+    disko.inputs.nixpkgs.follows = "nixpkgs";
+
     pvv-calendar-bot.url = "git+https://git.pvv.ntnu.no/Projects/calendar-bot.git";
     pvv-calendar-bot.inputs.nixpkgs.follows = "nixpkgs";
 
     matrix-next.url = "github:dali99/nixos-matrix-modules";
+
+    grzegorz.url = "github:Programvareverkstedet/grzegorz";
+    grzegorz.inputs.nixpkgs.follows = "nixpkgs-unstable";
+    grzegorz-clients.url = "github:Programvareverkstedet/grzegorz-clients";
+    grzegorz-clients.inputs.nixpkgs.follows = "nixpkgs";
   };
 
-  outputs = { self, nixpkgs, matrix-next, pvv-calendar-bot, unstable, sops-nix, ... }@inputs:
+  outputs = { self, nixpkgs, nixpkgs-unstable, sops-nix, disko, ... }@inputs:
   let
+    nixlib = nixpkgs.lib;
     systems = [
       "x86_64-linux"
       "aarch64-linux"
       "aarch64-darwin"
     ];
-    forAllSystems = f: nixpkgs.lib.genAttrs systems (system: f system);
+    forAllSystems = f: nixlib.genAttrs systems (system: f system);
+    allMachines = nixlib.mapAttrsToList (name: _: name) self.nixosConfigurations;
+    importantMachines = [
+      "bekkalokk"
+      "bicep"
+      "brzeczyszczykiewicz"
+      "georg"
+      "ildkule"
+    ];
   in {
     nixosConfigurations = let
       nixosConfig = nixpkgs: name: config: nixpkgs.lib.nixosSystem (nixpkgs.lib.recursiveUpdate
         rec {
           system = "x86_64-linux";
           specialArgs = {
-            inherit unstable inputs;
+            inherit nixpkgs-unstable inputs;
             values = import ./values.nix;
           };
 
@@ -43,7 +60,7 @@
               (final: prev: {
                 mx-puppet-discord = prev.mx-puppet-discord.override { nodejs_14 = final.nodejs_18; };
               })
-              pvv-calendar-bot.overlays.${system}.default
+              inputs.pvv-calendar-bot.overlays.${system}.default
             ];
           };
         }
@@ -51,29 +68,66 @@
       );
 
       stableNixosConfig = nixosConfig nixpkgs;
-      unstableNixosConfig = nixosConfig unstable;
+      unstableNixosConfig = nixosConfig nixpkgs-unstable;
     in {
       bicep = stableNixosConfig "bicep" {
         modules = [
           ./hosts/bicep/configuration.nix
           sops-nix.nixosModules.sops
 
-          matrix-next.nixosModules.synapse
+          inputs.matrix-next.nixosModules.default
-          pvv-calendar-bot.nixosModules.default
+          inputs.pvv-calendar-bot.nixosModules.default
         ];
       };
       bekkalokk = stableNixosConfig "bekkalokk" { };
-      greddost = stableNixosConfig "greddost" { };
+      bob = stableNixosConfig "bob" {
-      ildkule = stableNixosConfig "ildkule" { };
+        modules = [
-      ildkule-unstable = unstableNixosConfig "ildkule" { };
+          ./hosts/bob/configuration.nix
-      jokum = stableNixosConfig "jokum" {
+          sops-nix.nixosModules.sops
-        modules = [ matrix-next.nixosModules.synapse ];
+
+          disko.nixosModules.disko
+          { disko.devices.disk.disk1.device = "/dev/vda"; }
+        ];
       };
+      ildkule = stableNixosConfig "ildkule" { };
+      #ildkule-unstable = unstableNixosConfig "ildkule" { };
       shark = stableNixosConfig "shark" { };
+
+      brzeczyszczykiewicz = stableNixosConfig "brzeczyszczykiewicz" {
+        modules = [
+          ./hosts/brzeczyszczykiewicz/configuration.nix
+          sops-nix.nixosModules.sops
+
+          inputs.grzegorz.nixosModules.grzegorz-kiosk
+          inputs.grzegorz-clients.nixosModules.grzegorz-webui
+        ];
+      };
+      georg = stableNixosConfig "georg" {
+        modules = [
+          ./hosts/georg/configuration.nix
+          sops-nix.nixosModules.sops
+
+          inputs.grzegorz.nixosModules.grzegorz-kiosk
+          inputs.grzegorz-clients.nixosModules.grzegorz-webui
+        ];
+      };
     };
 
     devShells = forAllSystems (system: {
       default = nixpkgs.legacyPackages.${system}.callPackage ./shell.nix { };
     });
+
+    packages = {
+      "x86_64-linux" = let
+        pkgs = nixpkgs.legacyPackages."x86_64-linux";
+      in rec {
+        default = important-machines;
+        important-machines = pkgs.linkFarm "important-machines"
+          (nixlib.getAttrs importantMachines self.packages.x86_64-linux);
+        all-machines = pkgs.linkFarm "all-machines"
+          (nixlib.getAttrs allMachines self.packages.x86_64-linux);
+      } // nixlib.genAttrs allMachines
+        (machine: self.nixosConfigurations.${machine}.config.system.build.toplevel);
+    };
   };
 }

hosts/bekkalokk/configuration.nix

@@ -10,8 +10,9 @@
 
     # TODO: set up authentication for the following:
     # ./services/website.nix
-    ./services/nginx.nix
+    ./services/nginx
     ./services/gitea/default.nix
+    ./services/webmail
     # ./services/mediawiki.nix
   ];
 
@@ -23,6 +24,8 @@
   boot.loader.systemd-boot.enable = true;
   boot.loader.efi.canTouchEfiVariables = true;
 
+  virtualisation.podman.enable = true;
+
   networking.hostName = "bekkalokk";
 
   systemd.network.networks."30-enp2s0" = values.defaultNetworkConfig // {

hosts/bekkalokk/services/gitea/ci.nix

@@ -0,0 +1,30 @@
+{ config, lib, values, ... }:
+let
+  mkRunner = name: {
+    # This is unfortunately state, and has to be generated one at a time :(
+    # To do that, comment out all except one of the runners, fill in its token
+    # inside the sops file, rebuild the system, and only after this runner has
+    # successfully registered will gitea give you the next token.
+    # - oysteikt Sep 2023
+    sops.secrets."gitea/runners/${name}".restartUnits = [
+      "gitea-runner-${name}.service"
+    ];
+
+    services.gitea-actions-runner.instances = {
+      ${name} = {
+        enable = true;
+        name = "git-runner-${name}"; url = "https://git.pvv.ntnu.no";
+        labels = [
+	  "debian-latest:docker://node:18-bullseye"
+	  "ubuntu-latest:docker://node:18-bullseye"
+	];
+        tokenFile = config.sops.secrets."gitea/runners/${name}".path;
+      };
+    };
+  };
+in
+lib.mkMerge [
+  (mkRunner "alpha")
+  (mkRunner "beta")
+  (mkRunner "epsilon")
+]

hosts/bekkalokk/services/gitea/default.nix

@@ -4,6 +4,10 @@ let
   domain = "git.pvv.ntnu.no";
   sshPort  = 2222;
 in {
+  imports = [
+    ./ci.nix
+  ];
+
   sops.secrets = {
     "gitea/database" = {
       owner = "gitea";
@@ -33,11 +37,9 @@ in {
         ROOT_URL = "https://${domain}/";
         PROTOCOL = "http+unix";
         SSH_PORT = sshPort;
-	START_SSH_SERVER = true;
+	      START_SSH_SERVER = true;
-      };
-      indexer = {
-      	REPO_INDEXER_ENABLED = true;
       };
+      indexer.REPO_INDEXER_ENABLED = true;
       service.DISABLE_REGISTRATION = true;
       session.COOKIE_SECURE = true;
       database.LOG_SQL = false;
@@ -45,6 +47,7 @@ in {
         DISABLE_GRAVATAR = true;
         ENABLE_FEDERATED_AVATAR = false;
       };
+      actions.ENABLED = true;
       "ui.meta".DESCRIPTION = "Bokstavelig talt programvareverkstedet";
     };
   };
@@ -81,9 +84,9 @@ in {
   };
 
   systemd.timers.gitea-import-users = {
-    enable = true;
     requires = [ "gitea.service" ];
     after = [ "gitea.service" ];
+    wantedBy = [ "timers.target" ];
     timerConfig = {
       OnCalendar = "*-*-* 02:00:00";
       Persistent = true;

hosts/bekkalokk/services/nginx/default.nix

@@ -1,5 +1,9 @@
 { pkgs, config, ... }:
 {
+  imports = [
+    ./ingress.nix
+  ];
+
   security.acme = {
     acceptTerms = true;
     defaults.email = "drift@pvv.ntnu.no";

hosts/bekkalokk/services/nginx/ingress.nix

@@ -0,0 +1,55 @@
+{ config, lib, ... }:
+{
+  services.nginx.virtualHosts = {
+    "www2.pvv.ntnu.no" = {
+      serverAliases = [ "www2.pvv.org" "pvv.ntnu.no" "pvv.org" ];
+      addSSL = true;
+      enableACME = true;
+
+      locations = {
+        # Proxy home directories
+        "/~" = {
+          extraConfig = ''
+            proxy_redirect off;
+            proxy_pass https://tom.pvv.ntnu.no;
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+          '';
+        };
+
+        # Redirect old wiki entries
+        "/disk".return = "301 https://www.pvv.ntnu.no/pvv/Diskkjøp";
+        "/dok/boker.php".return = "301 https://www.pvv.ntnu.no/pvv/Bokhyllen";
+        "/styret/lover/".return = "301 https://www.pvv.ntnu.no/pvv/Lover";
+        "/styret/".return = "301 https://www.pvv.ntnu.no/pvv/Styret";
+        "/info/".return = "301 https://www.pvv.ntnu.no/pvv/";
+        "/info/maskinpark/".return = "301 https://www.pvv.ntnu.no/pvv/Maskiner";
+        "/medlemssider/meldinn.php".return = "301 https://www.pvv.ntnu.no/pvv/Medlemskontingent";
+        "/diverse/medlems-sider.php".return = "301 https://www.pvv.ntnu.no/pvv/Medlemssider";
+        "/cert/".return = "301 https://www.pvv.ntnu.no/pvv/CERT";
+        "/drift".return = "301 https://www.pvv.ntnu.no/pvv/Drift";
+        "/diverse/abuse.php".return = "301 https://www.pvv.ntnu.no/pvv/CERT/Abuse";
+        "/nerds/".return = "301 https://www.pvv.ntnu.no/pvv/Nerdepizza";
+
+        # TODO: Redirect webmail
+        "/webmail".return = "301 https://webmail.pvv.ntnu.no/squirrelmail";
+
+        # Redirect everything else to the main website
+        "/".return = "301 https://www.pvv.ntnu.no$request_uri";
+
+        # Proxy the matrix well-known files
+        # Host has be set before proxy_pass
+        # The header must be set so nginx on the other side routes it to the right place
+        "/.well-known/matrix/" = {
+          extraConfig = ''
+            proxy_set_header Host matrix.pvv.ntnu.no;
+            proxy_pass https://matrix.pvv.ntnu.no/.well-known/matrix/;
+          '';
+        };
+      };
+    };
+  };
+}
+

hosts/bekkalokk/services/webmail/default.nix

@@ -0,0 +1,15 @@
+{ config, values, pkgs, lib, ... }:
+{
+  imports = [
+    ./roundcube.nix
+  ];
+
+  services.nginx.virtualHosts."webmail2.pvv.ntnu.no" = {
+    forceSSL = true;
+    enableACME = true;
+    #locations."/" = lib.mkForce { };
+    locations."= /" = {
+      return = "301 https://www.pvv.ntnu.no/mail/";
+    };
+  };
+}

hosts/bekkalokk/services/webmail/roundcube.nix

@@ -0,0 +1,74 @@
+{ config, pkgs, lib, ... }:
+
+with lib;
+let
+  cfg = config.services.roundcube;
+  domain = "webmail2.pvv.ntnu.no";
+in 
+{
+  services.roundcube = {
+    enable = true;
+
+    package = pkgs.roundcube.withPlugins (plugins: with plugins; [
+      persistent_login
+      thunderbird_labels
+      contextmenu
+      custom_from
+    ]);
+
+    dicts = with pkgs.aspellDicts; [ en en-science en-computers nb nn fr de it ];
+    maxAttachmentSize = 20;
+    hostName = "roundcubeplaceholder.example.com";
+
+    extraConfig = ''
+      $config['enable_installer'] = false;
+      $config['default_host'] = "ssl://imap.pvv.ntnu.no";
+      $config['default_port'] = 993;
+      $config['smtp_server'] = "ssl://smtp.pvv.ntnu.no";
+      $config['smtp_port'] = 465;
+      $config['mail_domain'] = "pvv.ntnu.no";
+      $config['smtp_user'] = "%u";
+      $config['support_url'] = "";
+    '';
+  };
+
+  services.nginx.virtualHosts."roundcubeplaceholder.example.com" = lib.mkForce { };
+
+  services.nginx.virtualHosts.${domain} = {
+    locations."/roundcube" = {
+      tryFiles = "$uri $uri/ =404";
+      index = "index.php";
+      root = pkgs.runCommandLocal "roundcube-dir" { } ''
+        mkdir -p $out
+        ln -s ${cfg.package} $out/roundcube
+      '';
+      extraConfig = ''
+        location ~ ^/roundcube/(${builtins.concatStringsSep "|" [
+        # https://wiki.archlinux.org/title/Roundcube
+        "README"
+        "INSTALL"
+        "LICENSE"
+        "CHANGELOG"
+        "UPGRADING"
+        "bin"
+        "SQL"
+        ".+\\.md"
+        "\\."
+        "config"
+        "temp"
+        "logs"
+        ]})/? {
+          deny all;
+        }
+
+        location ~ ^/roundcube/(.+\.php)(/?.*)$ {
+          fastcgi_split_path_info ^/roundcube(/.+\.php)(/.+)$;
+          include ${config.services.nginx.package}/conf/fastcgi_params;
+          include ${config.services.nginx.package}/conf/fastcgi.conf;
+          fastcgi_index index.php;
+          fastcgi_pass unix:${config.services.phpfpm.pools.roundcube.socket};
+        }
+      '';
+    };
+  };
+}

hosts/bicep/configuration.nix

@@ -23,7 +23,6 @@
   sops.age.generateKey = true;
 
   boot.loader.grub.enable = true;
-  boot.loader.grub.version = 2;
   boot.loader.grub.device = "/dev/disk/by-id/scsi-3600508b1001cb1a8751c137b30610682";
 
   networking.hostName = "bicep";

hosts/bicep/services/calendar-bot.nix

@@ -19,7 +19,7 @@ in {
         channel = "!gkNLUIhYVpEyLatcRz:pvv.ntnu.no";
       };
       secretsFile = config.sops.secrets."calendar-bot/matrix_token".path;
-      onCalendar = "0 9 * * *";
+      onCalendar = "*-*-* 09:00:00";
     };
   };
 }

hosts/bicep/services/matrix/smtp-authenticator/default.nix

@@ -0,0 +1,17 @@
+{ lib, buildPythonPackage, fetchFromGitHub }:
+
+buildPythonPackage rec {
+  pname = "matrix-synapse-smtp-auth";
+  version = "0.1.0";
+
+  src = ./.;
+
+  doCheck = false;
+
+  meta = with lib; {
+    description = "An SMTP auth provider for Synapse";
+    homepage = "pvv.ntnu.no";
+    license = licenses.agpl3Only;
+    maintainers = with maintainers; [ dandellion ];
+  };
+}

hosts/bicep/services/matrix/smtp-authenticator/setup.py

@@ -0,0 +1,11 @@
+from setuptools import setup
+
+setup(
+    name="matrix-synapse-smtp-auth",
+    version="0.1.0",
+    py_modules=['smtp_auth_provider'],
+    author="Daniel Løvbrøtte Olsen",
+    author_email="danio@pvv.ntnu.no",
+    description="An SMTP auth provider for Synapse",
+    license="AGPL-3.0-only"
+)

hosts/bicep/services/matrix/smtp-authenticator/smtp_auth_provider.py

@@ -0,0 +1,45 @@
+from typing import Awaitable, Callable, Optional, Tuple
+
+from smtplib import SMTP_SSL as SMTP
+
+import synapse
+from synapse import module_api
+
+
+class SMTPAuthProvider:
+    def __init__(self, config: dict, api: module_api):
+        self.api = api
+
+        self.config = config
+
+        api.register_password_auth_provider_callbacks(
+            auth_checkers={
+                ("m.login.password", ("password",)): self.check_pass,
+            },
+        )
+
+    async def check_pass(
+        self,
+        username: str,
+        login_type: str,
+        login_dict: "synapse.module_api.JsonDict",
+    ):
+        if login_type != "m.login.password":
+            return None
+
+        result = False
+        with SMTP(self.config["smtp_host"]) as smtp:
+            password = login_dict.get("password")
+            try:
+                smtp.login(username, password)
+                result = True
+            except:
+                return None
+
+        if result == True:
+            userid = self.api.get_qualified_user_id(username)
+            if not self.api.check_user_exists(userid):
+                self.api.register_user(username)
+            return (userid, None)
+        else:
+            return None

hosts/bicep/services/matrix/synapse.nix

@@ -8,13 +8,6 @@ let
   imap0Attrs = with lib; f: set:
     listToAttrs (imap0 (i: attr: nameValuePair attr (f i attr set.${attr})) (attrNames set));
 in {
-  sops.secrets."matrix/synapse/dbconfig" = {
-    sopsFile = ../../../../secrets/bicep/matrix.yaml;
-    key = "synapse/dbconfig";
-    owner = config.users.users.matrix-synapse.name;
-    group = config.users.users.matrix-synapse.group;
-  };
-
   sops.secrets."matrix/synapse/signing_key" = {
     key = "synapse/signing_key";
     sopsFile = ../../../../secrets/bicep/matrix.yaml;
@@ -29,9 +22,18 @@ in {
     group = config.users.users.matrix-synapse.group;
   };
 
+  sops.secrets."matrix/sliding-sync/env" = {
+    sopsFile = ../../../../secrets/bicep/matrix.yaml;
+    key = "sliding-sync/env";
+  };
+
   services.matrix-synapse-next = {
     enable = true;
 
+    plugins = [
+      (pkgs.python3Packages.callPackage ./smtp-authenticator { })
+    ];
+
     dataDir = "/data/synapse";
 
     workers.federationSenders = 2;
@@ -41,12 +43,9 @@ in {
     workers.eventPersisters = 2;
     workers.useUserDirectoryWorker = true;
 
-    enableNginx = true;
+    enableSlidingSync = true;
 
-    extraConfigFiles = [
+    enableNginx = true;
-      config.sops.secrets."matrix/synapse/dbconfig".path
-      config.sops.secrets."matrix/synapse/user_registration".path
-    ];
 
     settings = {
       server_name = "pvv.ntnu.no";
@@ -56,6 +55,17 @@ in {
 
       media_store_path =  "${cfg.dataDir}/media";
 
+      database = {
+        name = "psycopg2";
+        args = {
+          host = "/var/run/postgresql";
+          dbname = "synapse";
+          user = "matrix-synapse";
+          cp_min = 1;
+          cp_max = 5;
+        };
+      };
+
       presence.enabled = false;
 
       event_cache_size = "20K"; # Default is 10K but I can't find the factor for this cache
@@ -80,8 +90,17 @@ in {
       mau_stats_only = true;
 
       enable_registration = false;
+      registration_shared_secret_path = config.sops.secrets."matrix/synapse/user_registration".path;
 
-      password_config.enabled = lib.mkForce false;
+      password_config.enabled = true;
+
+      modules = [
+        { module = "smtp_auth_provider.SMTPAuthProvider";
+          config = {
+            smtp_host = "smtp.pvv.ntnu.no";
+          };
+        }
+      ];
 
       trusted_key_servers = [
         { server_name = "matrix.org"; }
@@ -192,9 +211,24 @@ in {
     };
   };
 
+  services.matrix-synapse.sliding-sync.environmentFile = config.sops.secrets."matrix/sliding-sync/env".path;
+
+
   services.redis.servers."".enable = true;
   
-  services.nginx.virtualHosts."matrix.pvv.ntnu.no" = lib.mkMerge [({
+  services.nginx.virtualHosts."matrix.pvv.ntnu.no" = lib.mkMerge [
+  ({
+    locations."/.well-known/matrix/server" = {
+      return = ''
+        200 '{"m.server": "matrix.pvv.ntnu.no:443"}'
+      '';
+      extraConfig = ''
+        default_type application/json;
+        add_header Access-Control-Allow-Origin *;
+      '';
+    };
+  })
+  ({
     locations = let
       connectionInfo = w: matrix-lib.workerConnectionResource "metrics" w;
       socketAddress = w: let c = connectionInfo w; in "${c.host}:${toString (c.port)}";

hosts/bicep/services/nginx/default.nix

@@ -19,11 +19,27 @@
       "[::1]"
     ];
 
+    appendConfig = ''
+      pcre_jit on;
+      worker_processes 8;
+      worker_rlimit_nofile 8192;
+    '';
+
+    eventsConfig = ''
+      multi_accept on;
+      worker_connections 4096;
+    '';
+
     recommendedProxySettings = true;
     recommendedTlsSettings = true;
     recommendedGzipSettings = true;
+    recommendedBrotliSettings = true;
     recommendedOptimisation = true;
   };
 
   networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+  systemd.services.nginx.serviceConfig = {
+    LimitNOFILE = 65536;
+  };
 }

hosts/bicep/services/postgres.nix

@@ -22,10 +22,10 @@ in
       superuser_reserved_connections = 3;
 
       # Memory Settings
-      shared_buffers = "2048 MB";
+      shared_buffers = "8192 MB";
       work_mem = "32 MB";
-      maintenance_work_mem = "320 MB";
+      maintenance_work_mem = "420 MB";
-      effective_cache_size = "6 GB";
+      effective_cache_size = "22 GB";
       effective_io_concurrency = 100;
       random_page_cost = 1.25;
 

hosts/bob/configuration.nix

@@ -0,0 +1,46 @@
+{ config, pkgs, values, ... }:
+{
+  imports = [
+      # Include the results of the hardware scan.
+      ./hardware-configuration.nix
+      ../../base.nix
+      ../../misc/metrics-exporters.nix
+      ./disks.nix
+
+      ../../misc/builder.nix
+    ];
+
+  sops.defaultSopsFile = ../../secrets/bob/bob.yaml;
+  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+  sops.age.keyFile = "/var/lib/sops-nix/key.txt";
+  sops.age.generateKey = true;
+
+  boot.loader.grub = {
+    enable = true;
+    efiSupport = true;
+    efiInstallAsRemovable = true;
+  };
+
+  networking.hostName = "bob"; # Define your hostname.
+
+  systemd.network.networks."30-all" = values.defaultNetworkConfig // {
+    matchConfig.Name = "en*";
+    DHCP = "yes";
+    gateway = [ ];
+  };
+
+  # List packages installed in system profile
+  environment.systemPackages = with pkgs; [
+  ];
+
+  # List services that you want to enable:
+
+  # This value determines the NixOS release from which the default
+  # settings for stateful data, like file locations and database versions
+  # on your system were taken. It‘s perfectly fine and recommended to leave
+  # this value at the release version of the first install of this system.
+  # Before changing this value read the documentation for this option
+  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+  system.stateVersion = "23.05"; # Did you read the comment?
+
+}

hosts/bob/disks.nix

@@ -0,0 +1,39 @@
+# Example to create a bios compatible gpt partition
+{ lib, ... }:
+{
+  disko.devices = {
+    disk.disk1 = {
+      device = lib.mkDefault "/dev/sda";
+      type = "disk";
+      content = {
+        type = "gpt";
+        partitions = {
+          boot = {
+            name = "boot";
+            size = "1M";
+            type = "EF02";
+          };
+          esp = {
+            name = "ESP";
+            size = "500M";
+            type = "EF00";
+            content = {
+              type = "filesystem";
+              format = "vfat";
+              mountpoint = "/boot";
+            };
+          };
+          root = {
+            name = "root";
+            size = "100%";
+            content = {
+              type = "filesystem";
+              format = "ext4";
+              mountpoint = "/";
+            };
+          };
+        };
+      };
+    };
+  };
+}

hosts/bob/hardware-configuration.nix

@@ -0,0 +1,24 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/profiles/qemu-guest.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_blk" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ ];
+  boot.extraModulePackages = [ ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.ens3.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}

hosts/brzeczyszczykiewicz/configuration.nix

@@ -0,0 +1,36 @@
+{ config, pkgs, values, ... }:
+{
+  imports = [
+      # Include the results of the hardware scan.
+      ./hardware-configuration.nix
+      ../../base.nix
+      ../../misc/metrics-exporters.nix
+
+      ./services/grzegorz.nix
+    ];
+
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+
+  networking.hostName = "brzeczyszczykiewicz";
+
+  systemd.network.networks."30-eno1" = values.defaultNetworkConfig // {
+    matchConfig.Name = "eno1";
+    address = with values.hosts.brzeczyszczykiewicz; [ (ipv4 + "/25") (ipv6 + "/64") ];
+  };
+
+  # List packages installed in system profile
+  environment.systemPackages = with pkgs; [
+  ];
+
+  # List services that you want to enable:
+
+  # This value determines the NixOS release from which the default
+  # settings for stateful data, like file locations and database versions
+  # on your system were taken. It‘s perfectly fine and recommended to leave
+  # this value at the release version of the first install of this system.
+  # Before changing this value read the documentation for this option
+  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+  system.stateVersion = "23.05"; # Did you read the comment?
+
+}

hosts/brzeczyszczykiewicz/hardware-configuration.nix

@@ -0,0 +1,39 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" "sr_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/4e8667f8-55de-4103-8369-b94665f42204";
+      fsType = "ext4";
+    };
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/82E3-3D03";
+      fsType = "vfat";
+    };
+
+  swapDevices =
+    [ { device = "/dev/disk/by-uuid/d0bf9a21-44bc-44a3-ae55-8f0971875883"; }
+    ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.eno1.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}

hosts/brzeczyszczykiewicz/services/grzegorz.nix

@@ -0,0 +1,11 @@
+{ config, ... }:
+{
+  imports = [ ../../../modules/grzegorz.nix ];
+
+  services.nginx.virtualHosts."${config.networking.fqdn}" = {
+    serverAliases = [
+      "bokhylle.pvv.ntnu.no"
+      "bokhylle.pvv.org"
+    ];
+  };
+}

hosts/georg/configuration.nix

@@ -0,0 +1,36 @@
+{ config, pkgs, values, ... }:
+{
+  imports = [
+      # Include the results of the hardware scan.
+      ./hardware-configuration.nix
+      ../../base.nix
+      ../../misc/metrics-exporters.nix
+
+      ../../modules/grzegorz.nix
+    ];
+
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+
+  networking.hostName = "georg";
+
+  systemd.network.networks."30-eno1" = values.defaultNetworkConfig // {
+    matchConfig.Name = "eno1";
+    address = with values.hosts.georg; [ (ipv4 + "/25") (ipv6 + "/64") ];
+  };
+
+  # List packages installed in system profile
+  environment.systemPackages = with pkgs; [
+  ];
+
+  # List services that you want to enable:
+
+  # This value determines the NixOS release from which the default
+  # settings for stateful data, like file locations and database versions
+  # on your system were taken. It‘s perfectly fine and recommended to leave
+  # this value at the release version of the first install of this system.
+  # Before changing this value read the documentation for this option
+  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+  system.stateVersion = "23.05"; # Did you read the comment?
+
+}

hosts/georg/hardware-configuration.nix

@@ -0,0 +1,40 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usb_storage" "usbhid" "sd_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/33825f0d-5a63-40fc-83db-bfa1ebb72ba0";
+      fsType = "ext4";
+    };
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/145E-7362";
+      fsType = "vfat";
+    };
+
+  swapDevices =
+    [ { device = "/dev/disk/by-uuid/7ed27e21-3247-44cd-8bcc-5d4a2efebf57"; }
+    ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.eno1.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp2s2.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}

hosts/greddost/configuration.nix

@@ -1,66 +0,0 @@
-# Edit this configuration file to define what should be installed on
-# your system.  Help is available in the configuration.nix(5) man page
-# and in the NixOS manual (accessible by running ‘nixos-help’).
-
-{ config, pkgs, ... }:
-
-{
-  imports =
-    [ # Include the results of the hardware scan.
-      ../../hardware-configuration.nix
-
-      ../../base.nix
-
-      ../../services/minecraft
-    ];
-
-  nixpkgs.config.packageOverrides = pkgs: {
-    unstable = (import <nixos-unstable>) { };
-  };
-
-  # Use the GRUB 2 boot loader.
-  boot.loader.grub.enable = true;
-  boot.loader.grub.version = 2;
-  # boot.loader.grub.efiSupport = true;
-  # boot.loader.grub.efiInstallAsRemovable = true;
-  # boot.loader.efi.efiSysMountPoint = "/boot/efi";
-  # Define on which hard drive you want to install Grub.
-  boot.loader.grub.device = "/dev/sda"; # or "nodev" for efi only
-
-  networking.hostName = "greddost"; # Define your hostname.
-
-  networking.interfaces.ens18.useDHCP = false;
-
-  networking.defaultGateway = "129.241.210.129";
-  networking.interfaces.ens18.ipv4 = {
-    addresses = [
-      {
-        address = "129.241.210.174";
-        prefixLength = 25;
-      }
-    ];
-  };
-  networking.interfaces.ens18.ipv6 = {
-    addresses = [
-      {
-        address = "2001:700:300:1900::174";
-        prefixLength = 64;
-      }
-    ];
-  };
-  networking.nameservers = [ "129.241.0.200" "129.241.0.201" ];
-
-  # Open ports in the firewall.
-  networking.firewall.allowedTCPPorts = [ 25565 ];
-  networking.firewall.allowedUDPPorts = [ 25565 ];
-
-  # This value determines the NixOS release from which the default
-  # settings for stateful data, like file locations and database versions
-  # on your system were taken. It‘s perfectly fine and recommended to leave
-  # this value at the release version of the first install of this system.
-  # Before changing this value read the documentation for this option
-  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
-  system.stateVersion = "21.11"; # Did you read the comment?
-
-}
-

hosts/greddost/services/minecraft/default.nix

@@ -1,158 +0,0 @@
-{config, lib, pkgs, ... }:
-
-{
-
-  imports = [ ./minecraft-server-fabric.nix ];
-
-  environment.systemPackages = with pkgs; [
-    mcron
-  ];
-
-  pvv.minecraft-server-fabric = {
-    enable = true;
-    eula = true;
-
-    package = pkgs.callPackage ../../pkgs/minecraft-server-fabric { minecraft-server = (pkgs.callPackage ../../pkgs/minecraft-server/1_18_1.nix { }); };
-    jvmOpts = "-Xms10G -Xmx10G -XX:+UnlockExperimentalVMOptions -XX:+UseZGC  -XX:+DisableExplicitGC  -XX:+AlwaysPreTouch -XX:+ParallelRefProcEnabled";
-
-    serverProperties = {
-      view-distance = 12;
-      simulation-distance = 12;
-
-      enable-command-block = true;
-
-      gamemode = "survival";
-      difficulty = "normal";
-      
-      white-list = true;
-
-      enable-rcon = true;
-      "rcon.password" = "pvv";
-    };
-
-    dataDir = "/fast/minecraft-pvv";
-
-    mods = [
-      (pkgs.fetchurl { # Fabric API is a common dependency for fabric based mods
-        url = "https://cdn.modrinth.com/data/P7dR8mSH/versions/0.44.0+1.18/fabric-api-0.44.0+1.18.jar";
-        sha256 = "0mlmj7mj073a48s8zgc1km0jwkphz01c1fvivn4mw37lbm2p4834";
-      })
-      (pkgs.fetchurl { # Lithium is a 100% vanilla compatible optimization mod
-        url = "https://cdn.modrinth.com/data/gvQqBUqZ/versions/mc1.18.1-0.7.6/lithium-fabric-mc1.18.1-0.7.6.jar";
-        sha256 = "1fw1ikg578v4i6bmry7810a3q53h8yspxa3awdz7d746g91g8lf7";
-      })
-      (pkgs.fetchurl { # Starlight is the lighting engine of papermc
-        url = "https://cdn.modrinth.com/data/H8CaAYZC/versions/Starlight%201.0.0%201.18.x/starlight-1.0.0+fabric.d0a3220.jar";
-        sha256 = "0bv9im45hhc8n6x57lakh2rms0g5qb7qfx8qpx8n6mbrjjz6gla1";
-      })
-      (pkgs.fetchurl { # Krypton is a linux optimized optimizer for minecrafts networking system
-        url = "https://cdn.modrinth.com/data/fQEb0iXm/versions/0.1.6/krypton-0.1.6.jar";
-        sha256 = "1ribvbww4msrfdnzlxipk8kpzz7fnwnd4q6ln6mpjlhihcjb3hni";
-      })
-      (pkgs.fetchurl { # C2ME is a parallelizer for chunk loading and generation, experimental!!!
-        url = "https://cdn.modrinth.com/data/VSNURh3q/versions/0.2.0+alpha.5.104%201.18.1/c2me-fabric-mc1.18.1-0.2.0+alpha.5.104-all.jar";
-        sha256 = "13zrpsg61fynqnnlm7dvy3ihxk8khlcqsif68ak14z7kgm4py6nw";
-      })
-      (pkgs.fetchurl { # Spark is a profiler for minecraft
-        url = "https://ci.lucko.me/job/spark/251/artifact/spark-fabric/build/libs/spark-fabric.jar";
-        sha256 = "1clvi5v7a14ba23jbka9baz99h6wcfjbadc8kkj712fmy2h0sx07";
-      })
-      #(pkgs.fetchurl { # Carpetmod gives you tps views in the tab menu,
-      #  # but also adds a lot of optional serverside vanilla+ features (which we arent using).
-      #  # So probably want something else
-      #  url = "https://github.com/gnembon/fabric-carpet/releases/download/1.4.56/fabric-carpet-1.18-1.4.56+v211130.jar";
-      #  sha256 = "0rvl2yb8xymla8c052j07gqkqfkz4h5pxf6aip2v9v0h8r84p9hf";
-      #})
-    ];
-
-    whitelist = {
-      gunalx = "913a21ae-3a11-4178-a192-401490ca0891";
-      eirikwitt = "1689e626-1cc8-4b91-81c4-0632fd34eb19";
-      Rockj = "202c0c91-a4e0-4b45-8c1b-fc51a8956c0a";
-      paddishar = "326845aa-4b45-4cd9-8108-7816e10a9828";
-      nordyorn = "f253cddf-a520-42ab-85d3-713992746e42";
-      hell04 = "c681df2a-6a30-4c66-b70d-742eb68bbc04";
-      steinarh = "bd8c419e-e6dc-4fc5-ac62-b92f98c1abc9";
-      EastTown2000 = "f273ed2e-d3ba-43fc-aff4-3e800cdf25e1";
-      DirDanner = "5b5476a2-1138-476b-9ff1-1f39f834a428";
-      asgeirbj = "dbd5d89f-3d8a-4662-ad15-6c4802d0098f";
-      Linke03 = "0dbc661d-898a-47ff-a371-32b7bd76b78b";
-      somaen = "cc0bdd13-4304-4160-80e7-8f043446fa83";
-      einaman = "39f45df3-423d-4274-9ef9-c9b7575e3804";
-      liseu = "c8f4d9d8-3140-4c35-9f66-22bc351bb7e6";
-      torsteno = "ae1e7b15-a0de-4244-9f73-25b68427e34a";
-      simtind = "39c03c95-d628-4ccc-843d-ce1332462d9e";
-      aellaie = "c585605d-24bb-4d75-ba9c-0064f6a39328";
-      PerKjelsvik = "5df69f17-27c9-4426-bcae-88b435dfae73";
-      CelestialCry = "9e34d192-364e-4566-883a-afc868c4224d";
-      terjesc = "993d70e8-6f9b-4094-813c-050d1a90be62";
-      maxelost = "bf465915-871a-4e3e-a80c-061117b86b23";
-      "4ce1" = "8a9b4926-0de8-43f0-bcde-df1442dee1d0";
-      exponential = "1ebcca9d-0964-48f3-9154-126a9a7e64f6";
-      Dodsorbot = "3baa9d58-32e4-465e-80bc-9dcb34e23e1d";
-      HFANTOM = "cd74d407-7fb0-4454-b3f4-c0b4341fde18";
-      Ghostmaker = "96465eee-e665-49ab-9346-f12d5a040624";
-      soonhalle = "61a8e674-7c7a-4120-80d1-4453a5993350";
-      MasterMocca = "481e6dac-9a17-4212-9664-645c3abe232f";
-      soulprayfree = "cfb1fb23-5115-4fe2-9af9-00a02aea9bf8";
-      calibwam = "0d5d5209-bb7c-4006-9451-fb85d7d52618";
-      Skuggen = "f0ccee0b-741a-413a-b8e6-d04552b9d78a";
-      Sivertsen3 = "cefac1a6-52a7-4781-be80-e7520f758554";
-      vafflonaut = "4d864d5c-74e2-4f29-b57d-50dea76aaabd";
-      Dhila = "c71d6c23-14d7-4daf-ae59-cbf0caf45681";
-      remorino = "2972ab22-96b3-462d-ab4d-9b6b1775b9bb";
-      SamuelxJackson = "f140e4aa-0a19-48ab-b892-79b24bd82c1e";
-      ToanBuiDuc = "a3c54742-4caf-4334-8bbb-6402a8eb4268";
-      Joces123 = "ecbcfbf9-9bcc-49f0-9435-f2ac2b3217c1";
-      brunsviken = "75ff5f0e-8adf-4807-a7f0-4cb66f81cb7f";
-      oscarsb1 = "9460015a-65cc-4a2f-9f91-b940b6ce7996";
-      CVi = "6f5691ce-9f9c-4310-84aa-759d2f9e138e";
-      Tawos = "0b98e55c-10cf-4b23-85d3-d15407431ace";
-      evenhunn = "8751581b-cc5f-4f8b-ae1e-34d90127e074";
-      q41 = "a080e5b4-10ee-4d6f-957e-aa5053bb1046";
-      jesper001 = "fbdf3ceb-eaa9-4aeb-94c2-a587cde41774";
-      finninde = "f58afd00-28cd-48dd-a74a-6c1d76b57f66";
-      GameGuru999 = "535f2188-a4a4-4e54-bec6-74977bee09ab";
-      MinusOneKelvin = "b6b973bf-1e35-4a58-803b-a555fd90a172";
-      SuperRagna = "e2c32136-e510-41b1-84c0-41baeccfb0b9";
-      Zamazaki = "d4411eca-401a-4565-9451-5ced6f48f23f";
-      supertheodor = "610c4e86-0ecc-4e7a-bffc-35a2e7d90aa6";
-      Minelost = "22ae2a1f-cfd9-4f10-9e41-e7becd34aba8";
-      Bjand = "aed136b6-17f7-4ce1-8a7b-a09eb1694ccf";
-      Dandellion = "f393413b-59fc-49d7-a5c4-83a5d177132c";
-      Shogori = "f9d571bd-5754-46e8-aef8-e89b38a6be9b";
-      Caragath = "f8d34f3a-55c3-4adc-b8d8-73a277f979e8";
-      Shmaapqueen = "425f2eef-1a9d-4626-9ba3-cd58156943dc";
-      Liquidlif3 = "420482b3-885f-4951-ba1e-30c22438a7e0";
-      newtonseple = "7d8bf9ca-0499-4cb7-9d6a-daabf80482b6";
-      nainis = "2eaf3736-decc-4e11-9a44-af2df0ee7c81";
-      Devolan = "87016228-76b2-434f-a963-33b005ae9e42";
-      zSkyler = "c92169e4-ca14-4bd5-9ea2-410fe956abe2";
-      Cryovat = "7127d743-873e-464b-927a-d23b9ad5b74a";
-      cybrhuman = "14a67926-cff0-4542-a111-7f557d10cc67";
-      stinl = "3a08be01-1e74-4d68-88d1-07d0eb23356f";
-      Mirithing = "7b327f51-4f1b-4606-88c7-378eff1b92b1";
-      "_dextra" = "4b7b4ee7-eb5b-48fd-88c3-1cc68f06acda";
-      Soraryuu = "0d5ffe48-e64f-4d6d-9432-f374ea8ec10c";
-      klarken1 = "d6967cb8-2bc6-4db7-a093-f0770cce47df";
-    };
-  };
-
-  networking.firewall.allowedTCPPorts = [ 25565 ];
-  networking.firewall.allowedUDPPorts = [ 25565 ];
-
-  systemd.services."minecraft-backup" = {
-    serviceConfig.Type = "oneshot";
-    script = ''
-      ${pkgs.mcrcon}/bin/mcrcon -p pvv "say Starting Backup" "save-off" "save-all"
-      ${pkgs.rsync}/bin/rsync -aiz --delete ${config.pvv.minecraft-server-fabric.dataDir}/world /fast/backup # Where to put backup
-      ${pkgs.mcrcon}/bin/mcrcon -p pvv "save-all" "say Completed Backup" "save-on" "save-all"
-    '';
-  };
-
-  systemd.timers."minecraft-backup" = {
-    wantedBy = ["timers.target"];
-    timerConfig.OnCalendar = [ "hourly" ];
-  };
-
-}

hosts/greddost/services/minecraft/minecraft-server-fabric.nix

@@ -1,180 +0,0 @@
-{ lib, pkgs, config, ... }:
-
-with lib;
-
-let
-  cfg = config.pvv.minecraft-server-fabric;
-  
-  # We don't allow eula=false anyways
-  eulaFile = builtins.toFile "eula.txt" ''
-    # eula.txt managed by NixOS Configuration
-    eula=true
-  '';
-  
-  whitelistFile = pkgs.writeText "whitelist.json"
-    (builtins.toJSON
-      (mapAttrsToList (n: v: { name = n; uuid = v; }) cfg.whitelist));
-
-  cfgToString = v: if builtins.isBool v then boolToString v else toString v;
-  
-  serverPropertiesFile = pkgs.writeText "server.properties" (''
-    # server.properties managed by NixOS configuration
-  '' + concatStringsSep "\n" (mapAttrsToList
-    (n: v: "${n}=${cfgToString v}") cfg.serverProperties));
-  
-  defaultServerPort = 25565;
-
-  serverPort = cfg.serverProperties.server-port or defaultServerPort;
-
-  rconPort = if cfg.serverProperties.enable-rcon or false
-    then cfg.serverProperties."rcon.port" or 25575
-    else null;
-
-  queryPort = if cfg.serverProperties.enable-query or false
-    then cfg.serverProperties."query.port" or 25565
-    else null;
-
-in
-{
-
-  options.pvv.minecraft-server-fabric = {
-    enable = mkEnableOption "minecraft-server-fabric";
-
-    package = mkOption {
-      type = types.package;
-    };
-
-    eula = mkOption {
-      type = types.bool;
-      default = false;
-      description = ''
-        Whether you agree to
-        <link xlink:href="https://account.mojang.com/documents/minecraft_eula">
-        Mojangs EULA</link>. This option must be set to
-        <literal>true</literal> to run Minecraft server.
-      '';
-    };
-
-    dataDir = mkOption {
-      type = types.path;
-      default = "/var/lib/minecraft-fabric";
-      description = ''
-        Directory to store Minecraft database and other state/data files.
-      '';
-    };
-
-
-    whitelist = mkOption {
-      type = let
-        minecraftUUID = types.strMatching
-          "[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}" // {
-            description = "Minecraft UUID";
-          };
-        in types.attrsOf minecraftUUID;
-      default = {};
-      description = ''
-        Whitelisted players, only has an effect when
-        <option>services.minecraft-server.declarative</option> is
-        <literal>true</literal> and the whitelist is enabled
-        via <option>services.minecraft-server.serverProperties</option> by
-        setting <literal>white-list</literal> to <literal>true</literal>.
-        This is a mapping from Minecraft usernames to UUIDs.
-        You can use <link xlink:href="https://mcuuid.net/"/> to get a
-        Minecraft UUID for a username.
-      '';
-      example = literalExpression ''
-        {
-          username1 = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx";
-          username2 = "yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy";
-        };
-      '';
-    };
-
-    serverProperties = mkOption {
-      type = with types; attrsOf (oneOf [ bool int str ]);
-      default = {};
-      example = literalExpression ''
-        {
-          server-port = 43000;
-          difficulty = 3;
-          gamemode = 1;
-          max-players = 5;
-          motd = "NixOS Minecraft server!";
-          white-list = true;
-          enable-rcon = true;
-          "rcon.password" = "hunter2";
-        }
-      '';
-      description = ''
-        Minecraft server properties for the server.properties file. Only has
-        an effect when <option>services.minecraft-server.declarative</option>
-        is set to <literal>true</literal>. See
-        <link xlink:href="https://minecraft.gamepedia.com/Server.properties#Java_Edition_3"/>
-        for documentation on these values.
-      '';
-    };
-
-    jvmOpts = mkOption {
-      type = types.separatedString " ";
-      default = "-Xmx2048M -Xms2048M";
-      # Example options from https://minecraft.gamepedia.com/Tutorials/Server_startup_script
-      example = "-Xmx2048M -Xms4092M -XX:+UseG1GC -XX:+CMSIncrementalPacing "
-        + "-XX:+CMSClassUnloadingEnabled -XX:ParallelGCThreads=2 "
-        + "-XX:MinHeapFreeRatio=5 -XX:MaxHeapFreeRatio=10";
-      description = "JVM options for the Minecraft server.";
-    };
-
-    mods = mkOption {
-      type = types.listOf types.package;
-      example = literalExpression ''
-        [
-          (pkgs.fetchurl {
-            url = "https://cdn.modrinth.com/data/P7dR8mSH/versions/0.44.0+1.18/fabric-api-0.44.0+1.18.jar";
-            sha256 = "0mlmj7mj073a48s8zgc1km0jwkphz01c1fvivn4mw37lbm2p4834";
-          })
-        ];
-      '';
-      description = "List of mods to put in the mods folder";
-    };
-  };
-
-  config = mkIf cfg.enable {
-    users.users.minecraft = {
-      description     = "Minecraft server service user";
-      home            = cfg.dataDir;
-      createHome      = true;
-      isSystemUser    = true;
-      group           = "minecraft";
-    };
-    users.groups.minecraft = {};
-
-    systemd.services.minecraft-server-fabric = {
-      description   = "Minecraft Server Service";
-      wantedBy      = [ "multi-user.target" ];
-      after         = [ "network.target" ];
-
-      serviceConfig = {
-        ExecStart = "${cfg.package}/bin/minecraft-server ${cfg.jvmOpts}";
-        Restart = "always";
-        User = "minecraft";
-        WorkingDirectory = cfg.dataDir;
-      };
-
-      preStart = ''
-        ln -sf ${eulaFile} eula.txt
-        ln -sf ${whitelistFile} whitelist.json
-        cp -f ${serverPropertiesFile} server.properties
-
-        ln -sfn ${pkgs.linkFarmFromDrvs "fabric-mods" cfg.mods} mods
-      '';
-    };
-
-    assertions = [
-      { assertion = cfg.eula;
-        message = "You must agree to Mojangs EULA to run minecraft-server."
-          + " Read https://account.mojang.com/documents/minecraft_eula and"
-          + " set `services.minecraft-server.eula` to `true` if you agree.";
-      }
-    ]; 
-  };
-}

hosts/ildkule/services/metrics/prometheus/mysqld.nix

@@ -1,4 +1,4 @@
-{ config, unstable, ... }: let
+{ config, ... }: let
   cfg = config.services.prometheus;
 in {
   sops.secrets."config/mysqld_exporter" = { };

misc/builder.nix

@@ -0,0 +1,5 @@
+{ ... }:
+
+{
+  nix.settings.trusted-users = [ "@nix-builder-users" ];
+}

modules/grzegorz.nix

@@ -0,0 +1,62 @@
+{config, lib, pkgs, ...}:
+let
+  grg = config.services.grzegorz;
+  grgw = config.services.grzegorz-webui;
+in {
+  services.pipewire.enable = true;
+  services.pipewire.alsa.enable = true;
+  services.pipewire.alsa.support32Bit = true;
+  services.pipewire.pulse.enable = true;
+
+  users.users.pvv = {
+    isNormalUser = true;
+    description = "pvv";
+  };
+
+  services.grzegorz.enable = true;
+  services.grzegorz.listenAddr = "localhost";
+  services.grzegorz.listenPort = 31337;
+
+  services.grzegorz-webui.enable = true;
+  services.grzegorz-webui.listenAddr = "localhost";
+  services.grzegorz-webui.listenPort = 42069;
+  services.grzegorz-webui.listenWebsocketPort = 42042;
+  services.grzegorz-webui.hostName = "${config.networking.fqdn}";
+  services.grzegorz-webui.apiBase = "http://${toString grg.listenAddr}:${toString grg.listenPort}/api";
+
+  security.acme.acceptTerms = true;
+  security.acme.defaults.email = "pederbs@pvv.ntnu.no";
+
+  services.nginx.enable = true;
+  networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+  services.nginx.virtualHosts."${config.networking.fqdn}" = {
+    forceSSL = true;
+    enableACME = true;
+    serverAliases = [
+      "${config.networking.hostName}.pvv.org"
+    ];
+    extraConfig = ''
+      allow 129.241.210.128/25;
+      allow 2001:700:300:1900::/64;
+      deny all;
+    '';
+
+    locations."/" = {
+      proxyPass = "http://localhost:${builtins.toString config.services.grzegorz-webui.listenPort}";
+    };
+    # https://github.com/rawpython/remi/issues/216
+    locations."/websocket" = {
+      proxyPass = "http://localhost:${builtins.toString config.services.grzegorz-webui.listenWebsocketPort}";
+      proxyWebsockets = true;
+    };
+    locations."/api" = {
+      proxyPass = "http://localhost:${builtins.toString config.services.grzegorz.listenPort}";
+    };
+    locations."/docs" = {
+      proxyPass = "http://localhost:${builtins.toString config.services.grzegorz.listenPort}";
+    };
+  };
+
+}
+

pkgs/minecraft-server-fabric/default.nix

@@ -1,43 +0,0 @@
-{ callPackage, writeTextFile, writeShellScriptBin, minecraft-server, jre_headless }:
-
-let
-  loader = callPackage ./generate-loader.nix {};
-  log4j = writeTextFile {
-    name = "log4j.xml";
-    text = ''
-      <?xml version="1.0" encoding="UTF-8"?>
-      <Configuration status="WARN" packages="com.mojang.util">
-          <Appenders>
-              <Console name="SysOut" target="SYSTEM_OUT">
-                  <PatternLayout pattern="[%d{HH:mm:ss}] [%t/%level]: %msg%n" />
-              </Console>
-              <Queue name="ServerGuiConsole">
-                  <PatternLayout pattern="[%d{HH:mm:ss} %level]: %msg%n" />
-              </Queue>
-              <RollingRandomAccessFile name="File" fileName="logs/latest.log" filePattern="logs/%d{yyyy-MM-dd}-%i.log.gz">
-                  <PatternLayout pattern="[%d{HH:mm:ss}] [%t/%level]: %msg%n" />
-                  <Policies>
-                      <TimeBasedTriggeringPolicy />
-                      <OnStartupTriggeringPolicy />
-                  </Policies>
-                  <DefaultRolloverStrategy max="1000"/>
-              </RollingRandomAccessFile>
-          </Appenders>
-          <Loggers>
-              <Root level="info">
-                  <filters>
-                      <MarkerFilter marker="NETWORK_PACKETS" onMatch="DENY" onMismatch="NEUTRAL" />
-                  </filters>
-                  <AppenderRef ref="SysOut"/>
-                  <AppenderRef ref="File"/>
-                  <AppenderRef ref="ServerGuiConsole"/>
-              </Root>
-          </Loggers>
-      </Configuration>
-    '';
-  };
-in
-writeShellScriptBin "minecraft-server" ''
-  echo "serverJar=${minecraft-server}/lib/minecraft/server.jar" >> fabric-server-launcher.properties
-  exec ${jre_headless}/bin/java -Dlog4j.configurationFile=${log4j} $@ -jar ${loader} nogui
-''

pkgs/minecraft-server-fabric/generate-loader.nix

@@ -1,38 +0,0 @@
-{ lib, fetchurl, stdenv, unzip, zip, jre_headless }:
-
-let
-  lock = import ./lock.nix;
-  libraries = lib.forEach lock.libraries fetchurl;
-in
-stdenv.mkDerivation {
-  name = "fabric-server-launch.jar";
-  nativeBuildInputs = [ unzip zip jre_headless ];
-
-  libraries = libraries;
-
-  buildPhase = ''
-    for i in $libraries; do
-      unzip -o $i
-    done
-
-    cat > META-INF/MANIFEST.MF << EOF
-    Manifest-Version: 1.0
-    Main-Class: net.fabricmc.loader.impl.launch.server.FabricServerLauncher
-    Name: org/objectweb/asm/
-    Implementation-Version: 9.2
-    EOF
-
-    cat > fabric-server-launch.properties << EOF
-    launch.mainClass=net.fabricmc.loader.impl.launch.knot.KnotServer
-    EOF
-  '';
-
-  installPhase = ''
-    jar cmvf META-INF/MANIFEST.MF "server.jar" .
-    zip -d server.jar 'META-INF/*.SF' 'META-INF/*.RSA' 'META-INF/*.DSA'
-    cp server.jar "$out"
-  '';
-
-  phases = [ "buildPhase" "installPhase" ];
-}
-

pkgs/minecraft-server-fabric/generate-lock-nix.sh

@@ -1,22 +0,0 @@
-#!/usr/bin/env nix-shell
-#!nix-shell -i bash -p bash curl jq
-curl https://meta.fabricmc.net/v2/versions/loader/1.18.1/0.12.12/server/json \
-| jq -r '
-  .mainClass,
-  (.libraries[]
-  | .url as $url
-  | .name | split(":") as [$dir, $name, $version]
-  |"\($name)-\($version).zip|\($url)\($dir|sub("\\.";"/";"g"))/\($name)/\($version)/\($name)-\($version).jar"
-  )' \
-| {
-    echo '{'
-    read mainClass;
-    echo "  mainClass = \"$mainClass\";"
-    echo "  libraries = ["
-    while IFS="|" read name url; do
-        hash=$(nix-prefetch-url $url);
-        echo "    { name = \"$name\"; sha256 = \"$hash\"; url = \"$url\"; }"
-    done
-    echo "  ];"
-    echo '}'
-}

pkgs/minecraft-server-fabric/lock.nix

@@ -1,16 +0,0 @@
-{
-  mainClass = "net.fabricmc.loader.impl.launch.knot.KnotServer";
-  libraries = [
-    { name = "tiny-mappings-parser-0.3.0+build.17.zip"; sha256 = "19kvhxfk5v01f2rvl7j02vqhn3nd2bh5jsgbk44rpzqv9f6074db"; url = "https://maven.fabricmc.net/net/fabricmc/tiny-mappings-parser/0.3.0+build.17/tiny-mappings-parser-0.3.0+build.17.jar"; }
-    { name = "sponge-mixin-0.10.7+mixin.0.8.4.zip"; sha256 = "18m5wksd9vjp676cxapkggnz8s3f8j89phln8gy5n8vxlrli8n0d"; url = "https://maven.fabricmc.net/net/fabricmc/sponge-mixin/0.10.7+mixin.0.8.4/sponge-mixin-0.10.7+mixin.0.8.4.jar"; }
-    { name = "tiny-remapper-0.6.0.zip"; sha256 = "1ynjfxg7cj9rd9c4l450w7yp20p2csjdpnk3mcx5bdkjzhbgvgzf"; url = "https://maven.fabricmc.net/net/fabricmc/tiny-remapper/0.6.0/tiny-remapper-0.6.0.jar"; }
-    { name = "access-widener-2.0.1.zip"; sha256 = "0a7s4x6dbaa9p59ps7pidzwrs0xwy5i17s35xrgh58i26szlsaxm"; url = "https://maven.fabricmc.net/net/fabricmc/access-widener/2.0.1/access-widener-2.0.1.jar"; }
-    { name = "asm-9.2.zip"; sha256 = "1xa7kccwmcqcdw1xly6n2frzhk56m8ma9v7h764g73ckf56zxm5r"; url = "https://maven.fabricmc.net/org/ow2/asm/asm/9.2/asm-9.2.jar"; }
-    { name = "asm-analysis-9.2.zip"; sha256 = "1i1kyirizs5sm2v0f06sdz86mbmyn61vjr9d9p8p5h1i2x9bx3w7"; url = "https://maven.fabricmc.net/org/ow2/asm/asm-analysis/9.2/asm-analysis-9.2.jar"; }
-    { name = "asm-commons-9.2.zip"; sha256 = "19p04mr14ahndba65v4krbvf4p5syf8wz0fp5i9bnf5270qyak5y"; url = "https://maven.fabricmc.net/org/ow2/asm/asm-commons/9.2/asm-commons-9.2.jar"; }
-    { name = "asm-tree-9.2.zip"; sha256 = "04g0zb7v65iz4k2m2grdpbv8jjryrzkkw7ww23yfp94i6399pgxa"; url = "https://maven.fabricmc.net/org/ow2/asm/asm-tree/9.2/asm-tree-9.2.jar"; }
-    { name = "asm-util-9.2.zip"; sha256 = "16759v4hh3ijpf4cglrxybz29x2hiylhsa388y09m2mf679kqnzz"; url = "https://maven.fabricmc.net/org/ow2/asm/asm-util/9.2/asm-util-9.2.jar"; }
-    { name = "intermediary-1.18.1.zip"; sha256 = "1rfz2gazvnivn6hlqiyjpiaycz8va87n5czy1p6w3lnrlfggj2i9"; url = "https://maven.fabricmc.net/net/fabricmc/intermediary/1.18.1/intermediary-1.18.1.jar"; }
-    { name = "fabric-loader-0.12.12.zip"; sha256 = "070dpcp7kcj4xr75wp1j6pb1bgfzllwg8xmqk3sk79jfqiqwzizw"; url = "https://maven.fabricmc.net/net/fabricmc/fabric-loader/0.12.12/fabric-loader-0.12.12.jar"; }
-  ];
-}

pkgs/minecraft-server/1_18_1.nix

@@ -1,38 +0,0 @@
-{ lib, stdenv, fetchurl, nixosTests, jre_headless }:
-stdenv.mkDerivation {
-  pname = "minecraft-server";
-  version = "1.18.1";
-
-  src = fetchurl {
-    url = "https://launcher.mojang.com/v1/objects/125e5adf40c659fd3bce3e66e67a16bb49ecc1b9/server.jar";
-    # sha1 because that comes from mojang via api
-    sha1 = "125e5adf40c659fd3bce3e66e67a16bb49ecc1b9";
-  };
-
-  preferLocalBuild = true;
-
-  installPhase = ''
-    mkdir -p $out/bin $out/lib/minecraft
-    cp -v $src $out/lib/minecraft/server.jar
-    cat > $out/bin/minecraft-server << EOF
-    #!/bin/sh
-    exec ${jre_headless}/bin/java \$@ -jar $out/lib/minecraft/server.jar nogui
-    EOF
-    chmod +x $out/bin/minecraft-server
-  '';
-
-  dontUnpack = true;
-
-  passthru = {
-    tests = { inherit (nixosTests) minecraft-server; };
-    updateScript = ./update.sh;
-  };
-
-  meta = with lib; {
-    description = "Minecraft Server";
-    homepage = "https://minecraft.net";
-    license = licenses.unfreeRedistributable;
-    platforms = platforms.unix;
-    maintainers = with maintainers; [ thoughtpolice tomberek costrouc ];
-  };
-}

secrets/bekkalokk/bekkalokk.yaml

@@ -4,6 +4,10 @@ gitea:
     passwd-ssh-key: ENC[AES256_GCM,data:L0lF0wvpayss1NU9m3A45cH0bCMQzODTFVrq6EPd1JHx54wIcoaRBYLmxXKXASzBlCg9zlwXMUIk3OQcS3kdzMKL0iqcSL2iicAcKjFIHyrWLqXgwV5pRSP/tRPcVw8KW8gz0bh33EgESs5ReddZ3VZ0Cy1s2YupMRQvBXr89k1+Hv70OWB6P06hvxhv/zKcMGI1N/dWLroMgrQuT9imw4+/Q1RqwzTYeEU+eUn24AM9GjcBg4qf3OI+6g0nXUat/upIYE28iF5J3lbUSmDSmirBLc8xgHLdOyyJPTObWYWYxlSL78T7IqiMm9lI3rtBlpJDDcn/YxZpVqN5bg2154GISNK+uR0TVSLdJ+drdGHIfIX3G78XSxf2L9rbJyRn8MQlgStfdBIQicLavQKVMrmj+XQfvEMez23WbPLjH4oViBQFI+GrOHOGy/f16cz8Sn4n+69OcsOeTxs3tKYdfq6r1XLYSJ/fe/zvxBpaZiyGXljsuyEdIyBL2A8D6uSXe3Nd3/DAdBtceFfIdN1olCdutixzVWgxaJnrel161z5A/4w=,iv:Uy46yY3jFYSvpxrgCHxRMUksnWfhf5DViLMvCXVMMl4=,tag:wFEJ5+icFrOKkc56gY0A5g==,type:str]
     ssh-known-hosts: ENC[AES256_GCM,data:zlRLoelQeumMxGqPmgMTB69X1RVWXIs2jWwc67lk0wrdNOHUs5UzV5TUA1JnQ43RslBU92+js7DkyvE5enGzw7zZE5F1ZYdGv/eCgvkTMC9BoLfzHzP6OzayPLYEt3xJ5PRocN8JUAD55cuu4LgsuebuydHPi2oWOfpbSUBKSeCh6dvk5Pp1XRDprPS5SzGLW8Xjq98QlzmfGv50meI9CDJZVF9Wq/72gkyfgtb3YVdr,iv:AF06TBitHegfWk6w07CdkHklh4ripQCmA45vswDQgss=,tag:zKh7WVXMJN2o9ZIwIkby3Q==,type:str]
     import-user-env: ENC[AES256_GCM,data:vfaqjGEnUM9VtOPvBurz7nFwzGZt3L2EqijrQej4wiOcGCrRA4tN6kBV6NmhHqlFPsw=,iv:viPGkyOOacCWcgTu25da4qH7DC4wz2qdeC1W2WcMUdI=,tag:BllNqGQoaxqUo3lTz9LGnw==,type:str]
+    runners:
+        alpha: ENC[AES256_GCM,data:gARxCufePz+EMVwEwRsL2iZUfh9HUowWqtb7Juz3fImeeAdbt+k3DvL/Nwgegg==,iv:3fEaWd7v7uLGTy2J7EFQGfN0ztI0uCOJRz5Mw8V5UOU=,tag:Aa6LwWeW2hfDz1SqEhUJpA==,type:str]
+        beta: ENC[AES256_GCM,data:DVjS78IKWiWgf+PuijCZKx4ZaEJGhQr7vl+lc7QOg1JlA4p9Kux/tOD8+f2+jA==,iv:tk3Xk7lKWNdZ035+QVIhxXy2iJbHwunI4jRFM4It46E=,tag:9Mr6o//svYEyYhSvzkOXMg==,type:str]
+        epsilon: ENC[AES256_GCM,data:JMnZVBdiy+5oPyXgDpfYvy7qLzIEfHy09fQSBDpNG4zDXTil2pSKBKxk09h5xg==,iv:/8oXKJW6+sMBjDt51MqVAWjQPM5nk02Lv5QqbZsZ5ms=,tag:+Rx7ursfVWc0EcExCLgLhQ==,type:str]
 mediawiki:
     password: ENC[AES256_GCM,data:HsBuA1E7187roGnKuFPfPDYxA16GFjAUucgUtrdUFmcOzmTNiFH+NWY2ZQ==,iv:vDYUmmZftcrkDtJxNYKAJSx9j+AQcmQarC62QRHR4IM=,tag:3TKjNrGRivFWoK3djC748g==,type:str]
     database: ENC[AES256_GCM,data:EvVK3Mo6cZiIZS+gTxixU4r9SXN41VqwaWOtortZRNH+WPJ4xcYvzYMJNg==,iv:JtFTRLn3fzKIfgAPRqRgQjct7EdkEHtiyQKPy8/sZ2Q=,tag:nqzseG6BC0X5UNI/3kZZ3A==,type:str]
@@ -42,8 +46,8 @@ sops:
             akVjeTNTeGorZjJQOVlMeCtPRUVYL3MK+VMvGxrbzGz4Q3sdaDDWjal+OiK+JYKX
             GHiMXVHQJZu/RrlxMjHKN6V3iaqxZpuvLAEJ2Lzy5EOHPtuiiRyeHQ==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-09-03T19:12:38Z"
+    lastmodified: "2023-09-17T02:02:24Z"
-    mac: ENC[AES256_GCM,data:Zo6WD3n33nX7bUun9YqaidvqZjFmbIx7QTzOTGOanSbeDmrejRRdBgGMohWG07byxrdlYO6mQwBkz2xic7+Rh3k1UJ65FDNyM7EOrwuc/X7HJy2Tk9WQO0DDbwDh+OfCeLOhrpBWTlsVt9HpN6xU8xBDABVxBQzd47pm1GRs3Ig=,iv:ECl4h15AnDJPcR3eXZ/wXSTUP8QnAuYiWRWx+Ouazd4=,tag:ZkZ/kSrx/5HCDPQhCGuxLw==,type:str]
+    mac: ENC[AES256_GCM,data:Lkvj9UOdE/WZtFReMs6n8ucFuJNPb76ZhPHFpYAEqYEe8d9FdMPMzq05DBAJe9IqpFS0jc9SWxJUPHfGgoMR8nPciZuR/mpJ+4s/cRkPbApwBPcLlvatE/qkbcxzoLlb1vN0gth5G/U7UEfk5Pp9gIz6Yo4sEIS3Za42tId1MpI=,iv:s3VELgU/RJ98/lbQV3vPtOLXtwFzB3KlY7bMKbAzp/g=,tag:D8s0XyGnd8UhbCseB/TyFg==,type:str]
     pgp:
         - created_at: "2023-05-21T00:28:40Z"
           enc: |

secrets/bicep/matrix.yaml

@@ -1,8 +1,9 @@
 synapse:
-    dbconfig: ENC[AES256_GCM,data:QQefrFxpxTXlldA+a5xPm1Mx2E7oRzo4DAOGVYP8IR0zFCsqoAGqeXOPrdT9MczTn4Ur537e9RG2OQMRc8JQASRQLHG6RdNPyREiZmJDs24OyXEF+WerHJtRytF9wugt22AdZtGyk9S/RDqoXDe4CS93EtP7SqAcYWJoDE1Xic7G3g==,iv:q1Is8O5k8PZGmJC3EsftmJMNordGLxJiMg+GsnfzxTY=,tag:sbsj9T0jEr+kZJjej5S0jA==,type:str]
     turnconfig: ENC[AES256_GCM,data:mASRjYa4C9WRow4x0XYRrlCE5LMJUYaId+o62r1qhsyJPa2LzrI=,iv:5vYdubvMDjLS6soiWx2DzkEAATb9NFbSS/Jhuuz1yI8=,tag:wOW07CQMDbOiZNervee/pg==,type:str]
     user_registration: ENC[AES256_GCM,data:ZDZfEEvyw8pg0WzhrdC8747ed+ZR2ZA8/WypJd/iDkmIy2RmxOeI0sE=,iv:l61mOlvzpCql4fC/eubBSU6px21et2WcpxQ6rFl14iw=,tag:sVDEAa3xipKIi/6isCjWew==,type:str]
     signing_key: ENC[AES256_GCM,data:6UpfiRlX9pRM7zhdm7Mc8y8EItLzugWkHSgE0tGpEmudCTa1wc60oNbYfhKDWU81DT/U148pZOoX1A==,iv:UlqCPicPm5eNBz1xBMI3A3Rn4t/GtldNIDdMH5MMnLw=,tag:HHaw6iMjEAv5b9mjHSVpwA==,type:str]
+sliding-sync:
+    env: ENC[AES256_GCM,data:DsU1qKTy5sn06Y0S5kFUqZHML20n6HdHUdXsQRUw,iv:/TNTc+StAZbf6pBY9CeXdxkx8E+3bak/wOqHyBNMprU=,tag:er5u4FRlSmUZrOT/sj+RhQ==,type:str]
 coturn:
     static-auth-secret: ENC[AES256_GCM,data:y5cG/LyrorkDH+8YrgcV7DY=,iv:ca90q2J3+NOy51mUBy4TMKfYMgWL4hxWDdsKIuxRBgU=,tag:hpFCns1lpi07paHyGB7tGQ==,type:str]
 mjolnir:
@@ -42,8 +43,8 @@ sops:
             cGxZVnFhdXRka2drTGdkVk1iM0pFL1kK2ry7b2cLYPfntWi/BV3K2O+mHt3242Ef
             sI2JLLQYHeAhxjFdCzP1RDR+Wu/pRxZje6xuTZ9I9TKNmm+LhAXHQw==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-05-06T21:32:35Z"
+    lastmodified: "2023-10-22T00:31:46Z"
-    mac: ENC[AES256_GCM,data:W0I9iLVAyWkqWw1m49cAO4eiv71hv0MMgqp/ZoPB/ImI/PijCJh3d3cSxM4HgDqhN7tPqwqegsR7pxbVNHch+VReLoOKOiXWCAmKNhZ2A5uO+RFnrmyCZ5HSbKmex4unzcX9hvkWl1X53dqiOUXu1tdbOt9M0tLxV2kfjPmqqs0=,iv:r9AHHkBZfk67w/MBpMDLjxrmo8JVpkm8Ko8MB/MHqW8=,tag:KuzAAHUbYGOtUu7sZqyXOw==,type:str]
+    mac: ENC[AES256_GCM,data:UpnaUfRxvdyzBy5x4EC3w5LQ1qWxILTQhpyVPd9whTzQMAivAHT0pVmP9aE4T9w3NcWTaghp+f70GmQXx/OCC6DsRCWtU9pFHRj12YUowM3yB5lVTOomOLZQ9m4gUXw5I2GZHWBJn8CyosDcBMlXz2tiR91v/8Ulh6sDSAO86U0=,iv:5GcgRvbpqDEslZruKHM/TcMaF52A5X7AK41DEbrsRIQ=,tag:ndDgCRyX1aDRnzEUNmpoMw==,type:str]
     pgp:
         - created_at: "2023-05-06T21:31:39Z"
           enc: |

shell.nix

@@ -3,5 +3,17 @@ pkgs.mkShell {
   nativeBuildInputs = with pkgs; [
     sops
     gnupg
+    openstackclient
   ];
+
+  shellHook = ''
+    export OS_AUTH_URL=https://api.stack.it.ntnu.no:5000
+    export OS_PROJECT_ID=b78432a088954cdc850976db13cfd61c
+    export OS_PROJECT_NAME="STUDORG_Programvareverkstedet"
+    export OS_USER_DOMAIN_NAME="NTNU"
+    export OS_PROJECT_DOMAIN_ID="d3f99bcdaf974685ad0c74c2e5d259db"
+    export OS_REGION_NAME="NTNU-IT"
+    export OS_INTERFACE=public
+    export OS_IDENTITY_API_VERSION=3
+  '';
 }

users/adriangl.nix

@@ -0,0 +1,20 @@
+{ pkgs, ... }:
+{
+  users.users.adriangl = {
+    isNormalUser = true;
+    description = "(0_0)";
+    extraGroups = [
+      "wheel"
+      "drift"
+    ];
+
+    packages = with pkgs; [
+      exa
+      neovim
+    ];
+
+    openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFa5y7KyLn2tjxed1czMbyM5scnEpo9v/GfnhL/28ckM legolas"
+    ];
+  };
+}

users/amalieem.nix

@@ -0,0 +1,12 @@
+{pkgs, ...}:
+
+{
+  users.users.amalieem = {
+    isNormalUser = true;
+    extraGroups = [ "wheel" ]; 
+    shell = pkgs.zsh;
+    openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPsMtFIj4Dem/onwMoWYbosOcU4y7A5nTjVwqWaU33E1 amalieem@matey-aug22"
+    ];
+  };
+}

users/danio.nix

@@ -3,7 +3,12 @@
 {
   users.users.danio = {
     isNormalUser = true;
-    extraGroups = [ "drift" ]; # Enable ‘sudo’ for the user.
+    extraGroups = [ "drift" "nix-builder-users" ];
     shell = pkgs.zsh;
+
+    openssh.authorizedKeys.keys = [
+      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCp8iMOx3eTiG5AmDh2KjKcigf7xdRKn9M7iZQ4RqP0np0UN2NUbu+VAMJmkWFyi3JpxmLuhszU0F1xY+3qM3ARduy1cs89B/bBE85xlOeYhcYVmpcgPR5xduS+TuHTBzFAgp+IU7/lgxdjcJ3PH4K0ruGRcX1xrytmk/vdY8IeSk3GVWDRrRbH6brO4cCCFjX0zJ7G6hBQueTPQoOy3jrUvgpRkzZY4ZCuljXtxbuX5X/2qWAkp8ca0iTQ5FzNA5JUyj+DWeEzjIEz6GrckOdV2LjWpT9+CtOqoPZOUudE1J9mJk4snNlMQjE06It7Kr50bpwoPqnxjo7ZjlHFLezl"
+      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDpGSDczzDOhTETCj+uB5e3/9QbOCaVW1knM+n1ey0n6LXH7uiPPmzuZiqfzmfbB1z4bjM2zpn3D6Et6zRCrBUjhTZqf/5GoNlvhVA6QYmBmBp98b8oY7juj5cmu55voxD0S5rC1mQMnWAAf8e8OPbkhs9Lt0XlOYdotLNIZQubzWqE2DK45g/h17ELJs+jkNXoalFjLvLXWzE/C+3pYoeNJVGHfVMTIwt7o64E6JXhxuYTYdSIuzd+BjntkSCXzcAzBFMRwkdlFVoBtLUMMcMQl39kcXv7lAQ8pv+8b1j1N9WuQVf1qEAcZguaimI1ifbXP5d841pZPApCj5KXectIEldfTrcwg8rZpd2UfYS/3XCcOuidBGprY7XsU/jz8wHbH68UjUrsLyaOMnG2ChYztnf63vm3gRs3Fc6FqTycpgYOPDeZBVTcMyPGgtiZvhnTeY20xFS5lK6M+dmgaDqH24kPLiwYSpUF2NK+Rg/2bZxvt/GaSr4U6fJGi3FCJOM= root@DanixLaptop"
+    ];
   };
 }

users/jonmro.nix

@@ -0,0 +1,12 @@
+{pkgs, ...}:
+
+{
+  users.users.jonmro = {
+    isNormalUser = true;
+    extraGroups = [ "wheel" ]; 
+    shell = pkgs.zsh;
+    openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEm5PfYmfl/0fnAP/3coVlvTw3/TYNLT6r/NwJHZbLAK jonrodtang@gmail.com"
+    ];
+  };
+}

values.nix

@@ -4,7 +4,7 @@ let
   pvv-ipv6 = suffix: "2001:700:300:1900::${toString suffix}";
 in rec {
   ipv4-space = pvv-ipv4 "128/25";
-  ipv6-space = pvv-ipv4 "/64";
+  ipv6-space = pvv-ipv6 "/64";
 
   services = {
     matrix = {
@@ -37,10 +37,22 @@ in rec {
       ipv4 = pvv-ipv4 209;
       ipv6 = pvv-ipv6 209;
     };
+    bob = {
+      ipv4 = "129.241.152.254";
+      # ipv6 = ;
+    };
     shark = {
       ipv4 = pvv-ipv4 196;
       ipv6 = pvv-ipv6 196;
     };
+    brzeczyszczykiewicz = {
+      ipv4 = pvv-ipv4 205;
+      ipv6 = pvv-ipv6 "1:50"; # Wtf peder why
+    };
+    georg = {
+      ipv4 = pvv-ipv4 204;
+      ipv6 = pvv-ipv6 "1:4f"; # Wtf øystein og daniel why
+    };
   };
 
   defaultNetworkConfig = {