WIP: grevling/tuba: init

yolo lmao

.gitea/workflows/eval.yml

@@ -0,0 +1,13 @@
+name: "Eval nix flake"
+on:
+  pull_request:
+  push:
+jobs:
+  evals:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v3
+    - run: apt-get update && apt-get -y install sudo
+    - uses: https://github.com/cachix/install-nix-action@v23
+    - run: echo -e "show-trace = true\nmax-jobs = auto\ntrusted-users = root\nexperimental-features = nix-command flakes\nbuild-users-group =" > /etc/nix/nix.conf
+    - run: nix flake check

README.MD

@@ -10,7 +10,13 @@ Etter å ha klonet prosjektet ned og gjort endringer kan du evaluere configene m
 
 før du bygger en maskin med:
 
-`nix build .#nixosConfigurations.<maskinavn>.config.system.build.toplevel`
+`nix build .#<maskinnavn>`
+
+hvis du vil være ekstra sikker på at alt bygger så kan du kjøre:
+
+`nix build .` for å bygge alle de viktige maskinene.
+
+NB: Dette kan ta opp til 30 minutter avhengig av hva som ligger i caches
 
 Husk å hvertfall stage nye filer om du har laget dem!
 

flake.lock

@@ -1,15 +1,55 @@
 {
   "nodes": {
+    "grzegorz": {
+      "inputs": {
+        "nixpkgs": [
+          "unstable"
+        ]
+      },
+      "locked": {
+        "lastModified": 1696346665,
+        "narHash": "sha256-J6Tf6a/zhFZ8SereluHLrvgPsIVm2CGHHA8wrbhZB3Y=",
+        "owner": "Programvareverkstedet",
+        "repo": "grzegorz",
+        "rev": "9b9c3ac7d408ac7c6d67544b201e6b169afacb03",
+        "type": "github"
+      },
+      "original": {
+        "owner": "Programvareverkstedet",
+        "repo": "grzegorz",
+        "type": "github"
+      }
+    },
+    "grzegorz-clients": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1693864994,
+        "narHash": "sha256-oLDiWdCKDtEfeGzfAuDTq+n9VWp6JCo67PEESEZ3y8E=",
+        "owner": "Programvareverkstedet",
+        "repo": "grzegorz-clients",
+        "rev": "a38a0b0fb31ad0ad78a91458cb2c7f77f686468f",
+        "type": "github"
+      },
+      "original": {
+        "owner": "Programvareverkstedet",
+        "repo": "grzegorz-clients",
+        "type": "github"
+      }
+    },
     "matrix-next": {
       "inputs": {
         "nixpkgs-lib": "nixpkgs-lib"
       },
       "locked": {
-        "lastModified": 1690488646,
-        "narHash": "sha256-yuceqT8Ev1sdwYvGYHegdTo0yrdRxVYJ2qXSbPtBgTw=",
+        "lastModified": 1697420972,
+        "narHash": "sha256-eFDasOzXAN8VswUntNBBwvKFyVKFvmwRNNVTDfGdB3M=",
         "owner": "dali99",
         "repo": "nixos-matrix-modules",
-        "rev": "bf997073d98670528c6230144e208a37d27fc388",
+        "rev": "1e370b96223b94d52006249a60033caaea605c65",
         "type": "github"
       },
       "original": {
@@ -20,11 +60,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1694048570,
-        "narHash": "sha256-PEQptwFCVaJ+jLFJgrZll2shQ9VI/7xVhrCYkJo8iIw=",
+        "lastModified": 1697706247,
+        "narHash": "sha256-nWLggeUxn/l8JrcQr9f+RfnCXp8cn0BN568PjMJh9ko=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "4f77ea639305f1de0a14d9d41eef83313360638c",
+        "rev": "4ee5b576ac2861a818950aea99f609d7a6fc02a3",
         "type": "github"
       },
       "original": {
@@ -51,11 +91,11 @@
     },
     "nixpkgs-stable": {
       "locked": {
-        "lastModified": 1693675694,
-        "narHash": "sha256-2pIOyQwGyy2FtFAUIb8YeKVmOCcPOTVphbAvmshudLE=",
+        "lastModified": 1697332183,
+        "narHash": "sha256-ACYvYsgLETfEI2xM1jjp8ZLVNGGC0onoCGe+69VJGGE=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "5601118d39ca9105f8e7b39d4c221d3388c0419d",
+        "rev": "0e1cff585c1a85aeab059d3109f66134a8f76935",
         "type": "github"
       },
       "original": {
@@ -87,6 +127,8 @@
     },
     "root": {
       "inputs": {
+        "grzegorz": "grzegorz",
+        "grzegorz-clients": "grzegorz-clients",
         "matrix-next": "matrix-next",
         "nixpkgs": "nixpkgs",
         "pvv-calendar-bot": "pvv-calendar-bot",
@@ -102,11 +144,11 @@
         "nixpkgs-stable": "nixpkgs-stable"
       },
       "locked": {
-        "lastModified": 1693898833,
-        "narHash": "sha256-OIrMAGNYNeLs6IvBynxcXub7aSW3GEUvWNsb7zx6zuU=",
+        "lastModified": 1697339241,
+        "narHash": "sha256-ITsFtEtRbCBeEH9XrES1dxZBkE1fyNNUfIyQjQ2AYQs=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "faf21ac162173c2deb54e5fdeed002a9bd6e8623",
+        "rev": "51186b8012068c417dac7c31fb12861726577898",
         "type": "github"
       },
       "original": {
@@ -117,11 +159,11 @@
     },
     "unstable": {
       "locked": {
-        "lastModified": 1694068030,
-        "narHash": "sha256-q21JdfZjK4XN5QwWTzCHF/G6uuZtwASNW9/ZBaak65M=",
+        "lastModified": 1697713104,
+        "narHash": "sha256-DN7YOyKMCpAVeZ44N42LrujtTkoerkS9+kTufQiuntY=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "9e26139b45147aadd25ab7ab3bc4a93d6d5e94e7",
+        "rev": "6be2c349a30fcb489a3153dd331e9df387ab6449",
         "type": "github"
       },
       "original": {

flake.nix

@@ -12,16 +12,30 @@
     pvv-calendar-bot.inputs.nixpkgs.follows = "nixpkgs";
 
     matrix-next.url = "github:dali99/nixos-matrix-modules";
+
+    grzegorz.url = "github:Programvareverkstedet/grzegorz";
+    grzegorz.inputs.nixpkgs.follows = "unstable";
+    grzegorz-clients.url = "github:Programvareverkstedet/grzegorz-clients";
+    grzegorz-clients.inputs.nixpkgs.follows = "nixpkgs";
   };
 
   outputs = { self, nixpkgs, matrix-next, pvv-calendar-bot, unstable, sops-nix, ... }@inputs:
   let
+    nixlib = nixpkgs.lib;
     systems = [
       "x86_64-linux"
       "aarch64-linux"
       "aarch64-darwin"
     ];
-    forAllSystems = f: nixpkgs.lib.genAttrs systems (system: f system);
+    forAllSystems = f: nixlib.genAttrs systems (system: f system);
+    allMachines = nixlib.mapAttrsToList (name: _: name) self.nixosConfigurations;
+    importantMachines = [
+      "bekkalokk"
+      "bicep"
+      "brzeczyszczykiewicz"
+      "georg"
+      "ildkule"
+    ];
   in {
     nixosConfigurations = let
       nixosConfig = nixpkgs: name: config: nixpkgs.lib.nixosSystem (nixpkgs.lib.recursiveUpdate
@@ -58,22 +72,64 @@
           ./hosts/bicep/configuration.nix
           sops-nix.nixosModules.sops
 
-          matrix-next.nixosModules.synapse
+          matrix-next.nixosModules.default
           pvv-calendar-bot.nixosModules.default
         ];
       };
       bekkalokk = stableNixosConfig "bekkalokk" { };
-      greddost = stableNixosConfig "greddost" { };
       ildkule = stableNixosConfig "ildkule" { };
-      ildkule-unstable = unstableNixosConfig "ildkule" { };
-      jokum = stableNixosConfig "jokum" {
-        modules = [ matrix-next.nixosModules.synapse ];
-      };
+      #ildkule-unstable = unstableNixosConfig "ildkule" { };
       shark = stableNixosConfig "shark" { };
+
+      brzeczyszczykiewicz = stableNixosConfig "brzeczyszczykiewicz" {
+        modules = [
+          ./hosts/brzeczyszczykiewicz/configuration.nix
+          sops-nix.nixosModules.sops
+
+          inputs.grzegorz.nixosModules.grzegorz-kiosk
+          inputs.grzegorz-clients.nixosModules.grzegorz-webui
+        ];
+      };
+      georg = stableNixosConfig "georg" {
+        modules = [
+          ./hosts/georg/configuration.nix
+          sops-nix.nixosModules.sops
+
+          inputs.grzegorz.nixosModules.grzegorz-kiosk
+          inputs.grzegorz-clients.nixosModules.grzegorz-webui
+        ];
+      };
+
+      grevling = stableNixosConfig "grevling" {
+        modules = [
+          ./hosts/grevling/configuration.nix
+          sops-nix.nixosModules.sops
+        ];
+      };
+
+      tuba = stableNixosConfig "grevling" {
+        modules = [
+          ./hosts/tuba/configuration.nix
+          sops-nix.nixosModules.sops
+        ];
+      };
     };
 
     devShells = forAllSystems (system: {
       default = nixpkgs.legacyPackages.${system}.callPackage ./shell.nix { };
     });
+
+    packages = {
+      "x86_64-linux" = let
+        pkgs = nixpkgs.legacyPackages."x86_64-linux";
+      in rec {
+        default = important-machines;
+        important-machines = pkgs.linkFarm "important-machines"
+          (nixlib.getAttrs importantMachines self.packages.x86_64-linux);
+        all-machines = pkgs.linkFarm "all-machines"
+          (nixlib.getAttrs allMachines self.packages.x86_64-linux);
+      } // nixlib.genAttrs allMachines
+        (machine: self.nixosConfigurations.${machine}.config.system.build.toplevel);
+    };
   };
 }

hosts/bekkalokk/configuration.nix

@@ -5,6 +5,7 @@
 
     ../../base.nix
     ../../misc/metrics-exporters.nix
+    ../../modules/wackattack-ctf-stockfish
 
     #./services/keycloak.nix
 
@@ -23,6 +24,8 @@
   boot.loader.systemd-boot.enable = true;
   boot.loader.efi.canTouchEfiVariables = true;
 
+  virtualisation.podman.enable = true;
+
   networking.hostName = "bekkalokk";
 
   systemd.network.networks."30-enp2s0" = values.defaultNetworkConfig // {

hosts/bekkalokk/services/gitea/ci.nix

@@ -0,0 +1,30 @@
+{ config, lib, values, ... }:
+let
+  mkRunner = name: {
+    # This is unfortunately state, and has to be generated one at a time :(
+    # To do that, comment out all except one of the runners, fill in its token
+    # inside the sops file, rebuild the system, and only after this runner has
+    # successfully registered will gitea give you the next token.
+    # - oysteikt Sep 2023
+    sops.secrets."gitea/runners/${name}".restartUnits = [
+      "gitea-runner-${name}.service"
+    ];
+
+    services.gitea-actions-runner.instances = {
+      ${name} = {
+        enable = true;
+        name = "git-runner-${name}"; url = "https://git.pvv.ntnu.no";
+        labels = [
+	  "debian-latest:docker://node:18-bullseye"
+	  "ubuntu-latest:docker://node:18-bullseye"
+	];
+        tokenFile = config.sops.secrets."gitea/runners/${name}".path;
+      };
+    };
+  };
+in
+lib.mkMerge [
+  (mkRunner "alpha")
+  (mkRunner "beta")
+  (mkRunner "epsilon")
+]

hosts/bekkalokk/services/gitea/default.nix

@@ -4,6 +4,10 @@ let
   domain = "git.pvv.ntnu.no";
   sshPort  = 2222;
 in {
+  imports = [
+    ./ci.nix
+  ];
+
   sops.secrets = {
     "gitea/database" = {
       owner = "gitea";
@@ -33,11 +37,9 @@ in {
         ROOT_URL = "https://${domain}/";
         PROTOCOL = "http+unix";
         SSH_PORT = sshPort;
-	START_SSH_SERVER = true;
-      };
-      indexer = {
-      	REPO_INDEXER_ENABLED = true;
+	      START_SSH_SERVER = true;
       };
+      indexer.REPO_INDEXER_ENABLED = true;
       service.DISABLE_REGISTRATION = true;
       session.COOKIE_SECURE = true;
       database.LOG_SQL = false;
@@ -45,6 +47,7 @@ in {
         DISABLE_GRAVATAR = true;
         ENABLE_FEDERATED_AVATAR = false;
       };
+      actions.ENABLED = true;
       "ui.meta".DESCRIPTION = "Bokstavelig talt programvareverkstedet";
     };
   };
@@ -81,9 +84,9 @@ in {
   };
 
   systemd.timers.gitea-import-users = {
-    enable = true;
     requires = [ "gitea.service" ];
     after = [ "gitea.service" ];
+    wantedBy = [ "timers.target" ];
     timerConfig = {
       OnCalendar = "*-*-* 02:00:00";
       Persistent = true;

hosts/bicep/configuration.nix

@@ -23,7 +23,6 @@
   sops.age.generateKey = true;
 
   boot.loader.grub.enable = true;
-  boot.loader.grub.version = 2;
   boot.loader.grub.device = "/dev/disk/by-id/scsi-3600508b1001cb1a8751c137b30610682";
 
   networking.hostName = "bicep";

hosts/bicep/services/calendar-bot.nix

@@ -19,7 +19,7 @@ in {
         channel = "!gkNLUIhYVpEyLatcRz:pvv.ntnu.no";
       };
       secretsFile = config.sops.secrets."calendar-bot/matrix_token".path;
-      onCalendar = "0 9 * * *";
+      onCalendar = "*-*-* 09:00:00";
     };
   };
 }

hosts/bicep/services/matrix/smtp-authenticator/default.nix

@@ -0,0 +1,17 @@
+{ lib, buildPythonPackage, fetchFromGitHub }:
+
+buildPythonPackage rec {
+  pname = "matrix-synapse-smtp-auth";
+  version = "0.1.0";
+
+  src = ./.;
+
+  doCheck = false;
+
+  meta = with lib; {
+    description = "An SMTP auth provider for Synapse";
+    homepage = "pvv.ntnu.no";
+    license = licenses.agpl3Only;
+    maintainers = with maintainers; [ dandellion ];
+  };
+}

hosts/bicep/services/matrix/smtp-authenticator/setup.py

@@ -0,0 +1,11 @@
+from setuptools import setup
+
+setup(
+    name="matrix-synapse-smtp-auth",
+    version="0.1.0",
+    py_modules=['smtp_auth_provider'],
+    author="Daniel Løvbrøtte Olsen",
+    author_email="danio@pvv.ntnu.no",
+    description="An SMTP auth provider for Synapse",
+    license="AGPL-3.0-only"
+)

hosts/bicep/services/matrix/smtp-authenticator/smtp_auth_provider.py

@@ -0,0 +1,45 @@
+from typing import Awaitable, Callable, Optional, Tuple
+
+from smtplib import SMTP_SSL as SMTP
+
+import synapse
+from synapse import module_api
+
+
+class SMTPAuthProvider:
+    def __init__(self, config: dict, api: module_api):
+        self.api = api
+
+        self.config = config
+
+        api.register_password_auth_provider_callbacks(
+            auth_checkers={
+                ("m.login.password", ("password",)): self.check_pass,
+            },
+        )
+
+    async def check_pass(
+        self,
+        username: str,
+        login_type: str,
+        login_dict: "synapse.module_api.JsonDict",
+    ):
+        if login_type != "m.login.password":
+            return None
+
+        result = False
+        with SMTP(self.config["smtp_host"]) as smtp:
+            password = login_dict.get("password")
+            try:
+                smtp.login(username, password)
+                result = True
+            except:
+                return None
+
+        if result == True:
+            userid = self.api.get_qualified_user_id(username)
+            if not self.api.check_user_exists(userid):
+                self.api.register_user(username)
+            return (userid, None)
+        else:
+            return None

hosts/bicep/services/matrix/synapse.nix

@@ -8,13 +8,6 @@ let
   imap0Attrs = with lib; f: set:
     listToAttrs (imap0 (i: attr: nameValuePair attr (f i attr set.${attr})) (attrNames set));
 in {
-  sops.secrets."matrix/synapse/dbconfig" = {
-    sopsFile = ../../../../secrets/bicep/matrix.yaml;
-    key = "synapse/dbconfig";
-    owner = config.users.users.matrix-synapse.name;
-    group = config.users.users.matrix-synapse.group;
-  };
-
   sops.secrets."matrix/synapse/signing_key" = {
     key = "synapse/signing_key";
     sopsFile = ../../../../secrets/bicep/matrix.yaml;
@@ -29,9 +22,18 @@ in {
     group = config.users.users.matrix-synapse.group;
   };
 
+  sops.secrets."matrix/sliding-sync/env" = {
+    sopsFile = ../../../../secrets/bicep/matrix.yaml;
+    key = "sliding-sync/env";
+  };
+
   services.matrix-synapse-next = {
     enable = true;
 
+    plugins = [
+      (pkgs.python3Packages.callPackage ./smtp-authenticator { })
+    ];
+
     dataDir = "/data/synapse";
 
     workers.federationSenders = 2;
@@ -41,12 +43,9 @@ in {
     workers.eventPersisters = 2;
     workers.useUserDirectoryWorker = true;
 
-    enableNginx = true;
+    enableSlidingSync = true;
 
-    extraConfigFiles = [
-      config.sops.secrets."matrix/synapse/dbconfig".path
-      config.sops.secrets."matrix/synapse/user_registration".path
-    ];
+    enableNginx = true;
 
     settings = {
       server_name = "pvv.ntnu.no";
@@ -56,6 +55,17 @@ in {
 
       media_store_path =  "${cfg.dataDir}/media";
 
+      database = {
+        name = "psycopg2";
+        args = {
+          host = "/var/run/postgresql";
+          dbname = "synapse";
+          user = "matrix-synapse";
+          cp_min = 1;
+          cp_max = 5;
+        };
+      };
+
       presence.enabled = false;
 
       event_cache_size = "20K"; # Default is 10K but I can't find the factor for this cache
@@ -80,8 +90,17 @@ in {
       mau_stats_only = true;
 
       enable_registration = false;
+      registration_shared_secret_path = config.sops.secrets."matrix/synapse/user_registration".path;
 
-      password_config.enabled = lib.mkForce false;
+      password_config.enabled = true;
+
+      modules = [
+        { module = "smtp_auth_provider.SMTPAuthProvider";
+          config = {
+            smtp_host = "smtp.pvv.ntnu.no";
+          };
+        }
+      ];
 
       trusted_key_servers = [
         { server_name = "matrix.org"; }
@@ -192,6 +211,9 @@ in {
     };
   };
 
+  services.matrix-synapse.sliding-sync.environmentFile = config.sops.secrets."matrix/sliding-sync/env".path;
+
+
   services.redis.servers."".enable = true;
   
   services.nginx.virtualHosts."matrix.pvv.ntnu.no" = lib.mkMerge [({

hosts/bicep/services/nginx/default.nix

@@ -19,11 +19,27 @@
       "[::1]"
     ];
 
+    appendConfig = ''
+      pcre_jit on;
+      worker_processes 8;
+      worker_rlimit_nofile 8192;
+    '';
+
+    eventsConfig = ''
+      multi_accept on;
+      worker_connections 4096;
+    '';
+
     recommendedProxySettings = true;
     recommendedTlsSettings = true;
     recommendedGzipSettings = true;
+    recommendedBrotliSettings = true;
     recommendedOptimisation = true;
   };
 
   networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+  systemd.services.nginx.serviceConfig = {
+    LimitNOFILE = 65536;
+  };
 }

hosts/bicep/services/postgres.nix

@@ -22,10 +22,10 @@ in
       superuser_reserved_connections = 3;
 
       # Memory Settings
-      shared_buffers = "2048 MB";
+      shared_buffers = "8192 MB";
       work_mem = "32 MB";
-      maintenance_work_mem = "320 MB";
-      effective_cache_size = "6 GB";
+      maintenance_work_mem = "420 MB";
+      effective_cache_size = "22 GB";
       effective_io_concurrency = 100;
       random_page_cost = 1.25;
 

hosts/brzeczyszczykiewicz/configuration.nix

@@ -0,0 +1,36 @@
+{ config, pkgs, values, ... }:
+{
+  imports = [
+      # Include the results of the hardware scan.
+      ./hardware-configuration.nix
+      ../../base.nix
+      ../../misc/metrics-exporters.nix
+
+      ../../modules/grzegorz.nix
+    ];
+
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+
+  networking.hostName = "brzeczyszczykiewicz";
+
+  systemd.network.networks."30-eno1" = values.defaultNetworkConfig // {
+    matchConfig.Name = "eno1";
+    address = with values.hosts.brzeczyszczykiewicz; [ (ipv4 + "/25") (ipv6 + "/64") ];
+  };
+
+  # List packages installed in system profile
+  environment.systemPackages = with pkgs; [
+  ];
+
+  # List services that you want to enable:
+
+  # This value determines the NixOS release from which the default
+  # settings for stateful data, like file locations and database versions
+  # on your system were taken. It‘s perfectly fine and recommended to leave
+  # this value at the release version of the first install of this system.
+  # Before changing this value read the documentation for this option
+  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+  system.stateVersion = "23.05"; # Did you read the comment?
+
+}

hosts/brzeczyszczykiewicz/hardware-configuration.nix

@@ -0,0 +1,39 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" "sr_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/4e8667f8-55de-4103-8369-b94665f42204";
+      fsType = "ext4";
+    };
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/82E3-3D03";
+      fsType = "vfat";
+    };
+
+  swapDevices =
+    [ { device = "/dev/disk/by-uuid/d0bf9a21-44bc-44a3-ae55-8f0971875883"; }
+    ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.eno1.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}

hosts/georg/configuration.nix

@@ -0,0 +1,36 @@
+{ config, pkgs, values, ... }:
+{
+  imports = [
+      # Include the results of the hardware scan.
+      ./hardware-configuration.nix
+      ../../base.nix
+      ../../misc/metrics-exporters.nix
+
+      ../../modules/grzegorz.nix
+    ];
+
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+
+  networking.hostName = "georg";
+
+  systemd.network.networks."30-eno1" = values.defaultNetworkConfig // {
+    matchConfig.Name = "eno1";
+    address = with values.hosts.georg; [ (ipv4 + "/25") (ipv6 + "/64") ];
+  };
+
+  # List packages installed in system profile
+  environment.systemPackages = with pkgs; [
+  ];
+
+  # List services that you want to enable:
+
+  # This value determines the NixOS release from which the default
+  # settings for stateful data, like file locations and database versions
+  # on your system were taken. It‘s perfectly fine and recommended to leave
+  # this value at the release version of the first install of this system.
+  # Before changing this value read the documentation for this option
+  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+  system.stateVersion = "23.05"; # Did you read the comment?
+
+}

hosts/georg/hardware-configuration.nix

@@ -0,0 +1,40 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usb_storage" "usbhid" "sd_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/33825f0d-5a63-40fc-83db-bfa1ebb72ba0";
+      fsType = "ext4";
+    };
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/145E-7362";
+      fsType = "vfat";
+    };
+
+  swapDevices =
+    [ { device = "/dev/disk/by-uuid/7ed27e21-3247-44cd-8bcc-5d4a2efebf57"; }
+    ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.eno1.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp2s2.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}

hosts/greddost/configuration.nix

@@ -1,66 +0,0 @@
-# Edit this configuration file to define what should be installed on
-# your system.  Help is available in the configuration.nix(5) man page
-# and in the NixOS manual (accessible by running ‘nixos-help’).
-
-{ config, pkgs, ... }:
-
-{
-  imports =
-    [ # Include the results of the hardware scan.
-      ../../hardware-configuration.nix
-
-      ../../base.nix
-
-      ../../services/minecraft
-    ];
-
-  nixpkgs.config.packageOverrides = pkgs: {
-    unstable = (import <nixos-unstable>) { };
-  };
-
-  # Use the GRUB 2 boot loader.
-  boot.loader.grub.enable = true;
-  boot.loader.grub.version = 2;
-  # boot.loader.grub.efiSupport = true;
-  # boot.loader.grub.efiInstallAsRemovable = true;
-  # boot.loader.efi.efiSysMountPoint = "/boot/efi";
-  # Define on which hard drive you want to install Grub.
-  boot.loader.grub.device = "/dev/sda"; # or "nodev" for efi only
-
-  networking.hostName = "greddost"; # Define your hostname.
-
-  networking.interfaces.ens18.useDHCP = false;
-
-  networking.defaultGateway = "129.241.210.129";
-  networking.interfaces.ens18.ipv4 = {
-    addresses = [
-      {
-        address = "129.241.210.174";
-        prefixLength = 25;
-      }
-    ];
-  };
-  networking.interfaces.ens18.ipv6 = {
-    addresses = [
-      {
-        address = "2001:700:300:1900::174";
-        prefixLength = 64;
-      }
-    ];
-  };
-  networking.nameservers = [ "129.241.0.200" "129.241.0.201" ];
-
-  # Open ports in the firewall.
-  networking.firewall.allowedTCPPorts = [ 25565 ];
-  networking.firewall.allowedUDPPorts = [ 25565 ];
-
-  # This value determines the NixOS release from which the default
-  # settings for stateful data, like file locations and database versions
-  # on your system were taken. It‘s perfectly fine and recommended to leave
-  # this value at the release version of the first install of this system.
-  # Before changing this value read the documentation for this option
-  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
-  system.stateVersion = "21.11"; # Did you read the comment?
-
-}
-

hosts/greddost/services/minecraft/default.nix

@@ -1,158 +0,0 @@
-{config, lib, pkgs, ... }:
-
-{
-
-  imports = [ ./minecraft-server-fabric.nix ];
-
-  environment.systemPackages = with pkgs; [
-    mcron
-  ];
-
-  pvv.minecraft-server-fabric = {
-    enable = true;
-    eula = true;
-
-    package = pkgs.callPackage ../../pkgs/minecraft-server-fabric { minecraft-server = (pkgs.callPackage ../../pkgs/minecraft-server/1_18_1.nix { }); };
-    jvmOpts = "-Xms10G -Xmx10G -XX:+UnlockExperimentalVMOptions -XX:+UseZGC  -XX:+DisableExplicitGC  -XX:+AlwaysPreTouch -XX:+ParallelRefProcEnabled";
-
-    serverProperties = {
-      view-distance = 12;
-      simulation-distance = 12;
-
-      enable-command-block = true;
-
-      gamemode = "survival";
-      difficulty = "normal";
-      
-      white-list = true;
-
-      enable-rcon = true;
-      "rcon.password" = "pvv";
-    };
-
-    dataDir = "/fast/minecraft-pvv";
-
-    mods = [
-      (pkgs.fetchurl { # Fabric API is a common dependency for fabric based mods
-        url = "https://cdn.modrinth.com/data/P7dR8mSH/versions/0.44.0+1.18/fabric-api-0.44.0+1.18.jar";
-        sha256 = "0mlmj7mj073a48s8zgc1km0jwkphz01c1fvivn4mw37lbm2p4834";
-      })
-      (pkgs.fetchurl { # Lithium is a 100% vanilla compatible optimization mod
-        url = "https://cdn.modrinth.com/data/gvQqBUqZ/versions/mc1.18.1-0.7.6/lithium-fabric-mc1.18.1-0.7.6.jar";
-        sha256 = "1fw1ikg578v4i6bmry7810a3q53h8yspxa3awdz7d746g91g8lf7";
-      })
-      (pkgs.fetchurl { # Starlight is the lighting engine of papermc
-        url = "https://cdn.modrinth.com/data/H8CaAYZC/versions/Starlight%201.0.0%201.18.x/starlight-1.0.0+fabric.d0a3220.jar";
-        sha256 = "0bv9im45hhc8n6x57lakh2rms0g5qb7qfx8qpx8n6mbrjjz6gla1";
-      })
-      (pkgs.fetchurl { # Krypton is a linux optimized optimizer for minecrafts networking system
-        url = "https://cdn.modrinth.com/data/fQEb0iXm/versions/0.1.6/krypton-0.1.6.jar";
-        sha256 = "1ribvbww4msrfdnzlxipk8kpzz7fnwnd4q6ln6mpjlhihcjb3hni";
-      })
-      (pkgs.fetchurl { # C2ME is a parallelizer for chunk loading and generation, experimental!!!
-        url = "https://cdn.modrinth.com/data/VSNURh3q/versions/0.2.0+alpha.5.104%201.18.1/c2me-fabric-mc1.18.1-0.2.0+alpha.5.104-all.jar";
-        sha256 = "13zrpsg61fynqnnlm7dvy3ihxk8khlcqsif68ak14z7kgm4py6nw";
-      })
-      (pkgs.fetchurl { # Spark is a profiler for minecraft
-        url = "https://ci.lucko.me/job/spark/251/artifact/spark-fabric/build/libs/spark-fabric.jar";
-        sha256 = "1clvi5v7a14ba23jbka9baz99h6wcfjbadc8kkj712fmy2h0sx07";
-      })
-      #(pkgs.fetchurl { # Carpetmod gives you tps views in the tab menu,
-      #  # but also adds a lot of optional serverside vanilla+ features (which we arent using).
-      #  # So probably want something else
-      #  url = "https://github.com/gnembon/fabric-carpet/releases/download/1.4.56/fabric-carpet-1.18-1.4.56+v211130.jar";
-      #  sha256 = "0rvl2yb8xymla8c052j07gqkqfkz4h5pxf6aip2v9v0h8r84p9hf";
-      #})
-    ];
-
-    whitelist = {
-      gunalx = "913a21ae-3a11-4178-a192-401490ca0891";
-      eirikwitt = "1689e626-1cc8-4b91-81c4-0632fd34eb19";
-      Rockj = "202c0c91-a4e0-4b45-8c1b-fc51a8956c0a";
-      paddishar = "326845aa-4b45-4cd9-8108-7816e10a9828";
-      nordyorn = "f253cddf-a520-42ab-85d3-713992746e42";
-      hell04 = "c681df2a-6a30-4c66-b70d-742eb68bbc04";
-      steinarh = "bd8c419e-e6dc-4fc5-ac62-b92f98c1abc9";
-      EastTown2000 = "f273ed2e-d3ba-43fc-aff4-3e800cdf25e1";
-      DirDanner = "5b5476a2-1138-476b-9ff1-1f39f834a428";
-      asgeirbj = "dbd5d89f-3d8a-4662-ad15-6c4802d0098f";
-      Linke03 = "0dbc661d-898a-47ff-a371-32b7bd76b78b";
-      somaen = "cc0bdd13-4304-4160-80e7-8f043446fa83";
-      einaman = "39f45df3-423d-4274-9ef9-c9b7575e3804";
-      liseu = "c8f4d9d8-3140-4c35-9f66-22bc351bb7e6";
-      torsteno = "ae1e7b15-a0de-4244-9f73-25b68427e34a";
-      simtind = "39c03c95-d628-4ccc-843d-ce1332462d9e";
-      aellaie = "c585605d-24bb-4d75-ba9c-0064f6a39328";
-      PerKjelsvik = "5df69f17-27c9-4426-bcae-88b435dfae73";
-      CelestialCry = "9e34d192-364e-4566-883a-afc868c4224d";
-      terjesc = "993d70e8-6f9b-4094-813c-050d1a90be62";
-      maxelost = "bf465915-871a-4e3e-a80c-061117b86b23";
-      "4ce1" = "8a9b4926-0de8-43f0-bcde-df1442dee1d0";
-      exponential = "1ebcca9d-0964-48f3-9154-126a9a7e64f6";
-      Dodsorbot = "3baa9d58-32e4-465e-80bc-9dcb34e23e1d";
-      HFANTOM = "cd74d407-7fb0-4454-b3f4-c0b4341fde18";
-      Ghostmaker = "96465eee-e665-49ab-9346-f12d5a040624";
-      soonhalle = "61a8e674-7c7a-4120-80d1-4453a5993350";
-      MasterMocca = "481e6dac-9a17-4212-9664-645c3abe232f";
-      soulprayfree = "cfb1fb23-5115-4fe2-9af9-00a02aea9bf8";
-      calibwam = "0d5d5209-bb7c-4006-9451-fb85d7d52618";
-      Skuggen = "f0ccee0b-741a-413a-b8e6-d04552b9d78a";
-      Sivertsen3 = "cefac1a6-52a7-4781-be80-e7520f758554";
-      vafflonaut = "4d864d5c-74e2-4f29-b57d-50dea76aaabd";
-      Dhila = "c71d6c23-14d7-4daf-ae59-cbf0caf45681";
-      remorino = "2972ab22-96b3-462d-ab4d-9b6b1775b9bb";
-      SamuelxJackson = "f140e4aa-0a19-48ab-b892-79b24bd82c1e";
-      ToanBuiDuc = "a3c54742-4caf-4334-8bbb-6402a8eb4268";
-      Joces123 = "ecbcfbf9-9bcc-49f0-9435-f2ac2b3217c1";
-      brunsviken = "75ff5f0e-8adf-4807-a7f0-4cb66f81cb7f";
-      oscarsb1 = "9460015a-65cc-4a2f-9f91-b940b6ce7996";
-      CVi = "6f5691ce-9f9c-4310-84aa-759d2f9e138e";
-      Tawos = "0b98e55c-10cf-4b23-85d3-d15407431ace";
-      evenhunn = "8751581b-cc5f-4f8b-ae1e-34d90127e074";
-      q41 = "a080e5b4-10ee-4d6f-957e-aa5053bb1046";
-      jesper001 = "fbdf3ceb-eaa9-4aeb-94c2-a587cde41774";
-      finninde = "f58afd00-28cd-48dd-a74a-6c1d76b57f66";
-      GameGuru999 = "535f2188-a4a4-4e54-bec6-74977bee09ab";
-      MinusOneKelvin = "b6b973bf-1e35-4a58-803b-a555fd90a172";
-      SuperRagna = "e2c32136-e510-41b1-84c0-41baeccfb0b9";
-      Zamazaki = "d4411eca-401a-4565-9451-5ced6f48f23f";
-      supertheodor = "610c4e86-0ecc-4e7a-bffc-35a2e7d90aa6";
-      Minelost = "22ae2a1f-cfd9-4f10-9e41-e7becd34aba8";
-      Bjand = "aed136b6-17f7-4ce1-8a7b-a09eb1694ccf";
-      Dandellion = "f393413b-59fc-49d7-a5c4-83a5d177132c";
-      Shogori = "f9d571bd-5754-46e8-aef8-e89b38a6be9b";
-      Caragath = "f8d34f3a-55c3-4adc-b8d8-73a277f979e8";
-      Shmaapqueen = "425f2eef-1a9d-4626-9ba3-cd58156943dc";
-      Liquidlif3 = "420482b3-885f-4951-ba1e-30c22438a7e0";
-      newtonseple = "7d8bf9ca-0499-4cb7-9d6a-daabf80482b6";
-      nainis = "2eaf3736-decc-4e11-9a44-af2df0ee7c81";
-      Devolan = "87016228-76b2-434f-a963-33b005ae9e42";
-      zSkyler = "c92169e4-ca14-4bd5-9ea2-410fe956abe2";
-      Cryovat = "7127d743-873e-464b-927a-d23b9ad5b74a";
-      cybrhuman = "14a67926-cff0-4542-a111-7f557d10cc67";
-      stinl = "3a08be01-1e74-4d68-88d1-07d0eb23356f";
-      Mirithing = "7b327f51-4f1b-4606-88c7-378eff1b92b1";
-      "_dextra" = "4b7b4ee7-eb5b-48fd-88c3-1cc68f06acda";
-      Soraryuu = "0d5ffe48-e64f-4d6d-9432-f374ea8ec10c";
-      klarken1 = "d6967cb8-2bc6-4db7-a093-f0770cce47df";
-    };
-  };
-
-  networking.firewall.allowedTCPPorts = [ 25565 ];
-  networking.firewall.allowedUDPPorts = [ 25565 ];
-
-  systemd.services."minecraft-backup" = {
-    serviceConfig.Type = "oneshot";
-    script = ''
-      ${pkgs.mcrcon}/bin/mcrcon -p pvv "say Starting Backup" "save-off" "save-all"
-      ${pkgs.rsync}/bin/rsync -aiz --delete ${config.pvv.minecraft-server-fabric.dataDir}/world /fast/backup # Where to put backup
-      ${pkgs.mcrcon}/bin/mcrcon -p pvv "save-all" "say Completed Backup" "save-on" "save-all"
-    '';
-  };
-
-  systemd.timers."minecraft-backup" = {
-    wantedBy = ["timers.target"];
-    timerConfig.OnCalendar = [ "hourly" ];
-  };
-
-}

hosts/greddost/services/minecraft/minecraft-server-fabric.nix

@@ -1,180 +0,0 @@
-{ lib, pkgs, config, ... }:
-
-with lib;
-
-let
-  cfg = config.pvv.minecraft-server-fabric;
-  
-  # We don't allow eula=false anyways
-  eulaFile = builtins.toFile "eula.txt" ''
-    # eula.txt managed by NixOS Configuration
-    eula=true
-  '';
-  
-  whitelistFile = pkgs.writeText "whitelist.json"
-    (builtins.toJSON
-      (mapAttrsToList (n: v: { name = n; uuid = v; }) cfg.whitelist));
-
-  cfgToString = v: if builtins.isBool v then boolToString v else toString v;
-  
-  serverPropertiesFile = pkgs.writeText "server.properties" (''
-    # server.properties managed by NixOS configuration
-  '' + concatStringsSep "\n" (mapAttrsToList
-    (n: v: "${n}=${cfgToString v}") cfg.serverProperties));
-  
-  defaultServerPort = 25565;
-
-  serverPort = cfg.serverProperties.server-port or defaultServerPort;
-
-  rconPort = if cfg.serverProperties.enable-rcon or false
-    then cfg.serverProperties."rcon.port" or 25575
-    else null;
-
-  queryPort = if cfg.serverProperties.enable-query or false
-    then cfg.serverProperties."query.port" or 25565
-    else null;
-
-in
-{
-
-  options.pvv.minecraft-server-fabric = {
-    enable = mkEnableOption "minecraft-server-fabric";
-
-    package = mkOption {
-      type = types.package;
-    };
-
-    eula = mkOption {
-      type = types.bool;
-      default = false;
-      description = ''
-        Whether you agree to
-        <link xlink:href="https://account.mojang.com/documents/minecraft_eula">
-        Mojangs EULA</link>. This option must be set to
-        <literal>true</literal> to run Minecraft server.
-      '';
-    };
-
-    dataDir = mkOption {
-      type = types.path;
-      default = "/var/lib/minecraft-fabric";
-      description = ''
-        Directory to store Minecraft database and other state/data files.
-      '';
-    };
-
-
-    whitelist = mkOption {
-      type = let
-        minecraftUUID = types.strMatching
-          "[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}" // {
-            description = "Minecraft UUID";
-          };
-        in types.attrsOf minecraftUUID;
-      default = {};
-      description = ''
-        Whitelisted players, only has an effect when
-        <option>services.minecraft-server.declarative</option> is
-        <literal>true</literal> and the whitelist is enabled
-        via <option>services.minecraft-server.serverProperties</option> by
-        setting <literal>white-list</literal> to <literal>true</literal>.
-        This is a mapping from Minecraft usernames to UUIDs.
-        You can use <link xlink:href="https://mcuuid.net/"/> to get a
-        Minecraft UUID for a username.
-      '';
-      example = literalExpression ''
-        {
-          username1 = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx";
-          username2 = "yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy";
-        };
-      '';
-    };
-
-    serverProperties = mkOption {
-      type = with types; attrsOf (oneOf [ bool int str ]);
-      default = {};
-      example = literalExpression ''
-        {
-          server-port = 43000;
-          difficulty = 3;
-          gamemode = 1;
-          max-players = 5;
-          motd = "NixOS Minecraft server!";
-          white-list = true;
-          enable-rcon = true;
-          "rcon.password" = "hunter2";
-        }
-      '';
-      description = ''
-        Minecraft server properties for the server.properties file. Only has
-        an effect when <option>services.minecraft-server.declarative</option>
-        is set to <literal>true</literal>. See
-        <link xlink:href="https://minecraft.gamepedia.com/Server.properties#Java_Edition_3"/>
-        for documentation on these values.
-      '';
-    };
-
-    jvmOpts = mkOption {
-      type = types.separatedString " ";
-      default = "-Xmx2048M -Xms2048M";
-      # Example options from https://minecraft.gamepedia.com/Tutorials/Server_startup_script
-      example = "-Xmx2048M -Xms4092M -XX:+UseG1GC -XX:+CMSIncrementalPacing "
-        + "-XX:+CMSClassUnloadingEnabled -XX:ParallelGCThreads=2 "
-        + "-XX:MinHeapFreeRatio=5 -XX:MaxHeapFreeRatio=10";
-      description = "JVM options for the Minecraft server.";
-    };
-
-    mods = mkOption {
-      type = types.listOf types.package;
-      example = literalExpression ''
-        [
-          (pkgs.fetchurl {
-            url = "https://cdn.modrinth.com/data/P7dR8mSH/versions/0.44.0+1.18/fabric-api-0.44.0+1.18.jar";
-            sha256 = "0mlmj7mj073a48s8zgc1km0jwkphz01c1fvivn4mw37lbm2p4834";
-          })
-        ];
-      '';
-      description = "List of mods to put in the mods folder";
-    };
-  };
-
-  config = mkIf cfg.enable {
-    users.users.minecraft = {
-      description     = "Minecraft server service user";
-      home            = cfg.dataDir;
-      createHome      = true;
-      isSystemUser    = true;
-      group           = "minecraft";
-    };
-    users.groups.minecraft = {};
-
-    systemd.services.minecraft-server-fabric = {
-      description   = "Minecraft Server Service";
-      wantedBy      = [ "multi-user.target" ];
-      after         = [ "network.target" ];
-
-      serviceConfig = {
-        ExecStart = "${cfg.package}/bin/minecraft-server ${cfg.jvmOpts}";
-        Restart = "always";
-        User = "minecraft";
-        WorkingDirectory = cfg.dataDir;
-      };
-
-      preStart = ''
-        ln -sf ${eulaFile} eula.txt
-        ln -sf ${whitelistFile} whitelist.json
-        cp -f ${serverPropertiesFile} server.properties
-
-        ln -sfn ${pkgs.linkFarmFromDrvs "fabric-mods" cfg.mods} mods
-      '';
-    };
-
-    assertions = [
-      { assertion = cfg.eula;
-        message = "You must agree to Mojangs EULA to run minecraft-server."
-          + " Read https://account.mojang.com/documents/minecraft_eula and"
-          + " set `services.minecraft-server.eula` to `true` if you agree.";
-      }
-    ]; 
-  };
-}

hosts/grevling/configuration.nix

@@ -0,0 +1,36 @@
+{ config, pkgs, values, ... }:
+{
+  imports = [
+      # Include the results of the hardware scan.
+      ./hardware-configuration.nix
+      ../../base.nix
+      ../../misc/metrics-exporters.nix
+
+      ./services/openvpn
+    ];
+
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+
+  networking.hostName = "grevling";
+
+  # systemd.network.networks."30-eno1" = values.defaultNetworkConfig // {
+  #   matchConfig.Name = "eno1";
+  #   address = with values.hosts.georg; [ (ipv4 + "/25") (ipv6 + "/64") ];
+  # };
+
+  # List packages installed in system profile
+  environment.systemPackages = with pkgs; [
+  ];
+
+  # List services that you want to enable:
+
+  # This value determines the NixOS release from which the default
+  # settings for stateful data, like file locations and database versions
+  # on your system were taken. It‘s perfectly fine and recommended to leave
+  # this value at the release version of the first install of this system.
+  # Before changing this value read the documentation for this option
+  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+  system.stateVersion = "23.05"; # Did you read the comment?
+
+}

hosts/grevling/hardware-configuration.nix

@@ -0,0 +1,40 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usb_storage" "usbhid" "sd_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/33825f0d-5a63-40fc-83db-bfa1ebb72ba0";
+      fsType = "ext4";
+    };
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/145E-7362";
+      fsType = "vfat";
+    };
+
+  swapDevices =
+    [ { device = "/dev/disk/by-uuid/7ed27e21-3247-44cd-8bcc-5d4a2efebf57"; }
+    ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.eno1.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp2s2.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}

hosts/grevling/services/openvpn/default.nix

@@ -0,0 +1,77 @@
+{ pkgs, lib, values, ... }:
+{
+  services.openvpn.servers."ov-tunnel" = {
+    config = let
+      conf = {
+        # TODO: use aliases
+        local = "129.241.210.191";
+        port = 1194;
+        proto = "udp";
+        dev = "tap";
+
+        # TODO: set up
+        ca = "";
+        cert = "";
+        key = "";
+        dh = "";
+
+        # Maintain a record of client <-> virtual IP address
+        # associations in this file.  If OpenVPN goes down or
+        # is restarted, reconnecting clients can be assigned
+        # the same virtual IP address from the pool that was
+        # previously assigned.
+        ifconfig-pool-persist = ./ipp.txt;
+
+        server-bridge = builtins.concatStringsSep " " [
+          "129.241.210.129"
+          "255.255.255.128"
+          "129.241.210.253"
+          "129.241.210.254"
+        ];
+
+        keepalive = "10 120";
+        cipher = "none";
+
+        user = "nobody";
+        group = "nobody";
+
+        status = "/var/log/openvpn-status.log";
+
+        client-config-dir = pkgs.writeTextDir "tuba" ''
+          # Sett IP-adr. for tap0 til tubas PVV-adr.
+          ifconfig-push ${values.services.tuba-tap} 255.255.255.128
+          # Hvordan skal man faa dette til aa funke, tro?
+          #ifconfig-ipv6-push 2001:700:300:1900::xxx/64
+          
+          # La tuba bruke std. PVV-gateway til all trafikk (unntatt
+          # VPN-tunnellen).
+          push "redirect-gateway"
+        '';
+
+        persist-key = true;
+        persist-tun = true;
+
+        verb = 5;
+
+        explicit-exit-notify = 1;
+      };
+    in lib.pipe conf [
+      (lib.filterAttrs (_: value: !(builtins.isNull value || value == false)))
+      (builtins.mapAttrs (_: value:
+        if builtins.isList value then builtins.concatStringsSep " " (map toString value)
+        else if value == true then value
+        else if builtins.any (f: f value) [
+          builtins.isString
+          builtins.isInt
+          builtins.isFloat
+          lib.isPath
+          lib.isDerivation
+        ] then toString value
+        else throw "Unknown value in grevling openvpn config, deading now\n${value}"
+      ))
+      (lib.mapAttrsToList (name: value: if value == true then name else "${name} ${value}"))
+      (builtins.concatStringsSep "\n")
+      (x: x + "\n\n")
+    ];
+  };
+}

hosts/shark/configuration.nix

@@ -5,9 +5,6 @@
       ./hardware-configuration.nix
       ../../base.nix
       ../../misc/metrics-exporters.nix
-
-      ./services/nginx.nix
-      ./services/kanidm.nix
     ];
 
   sops.defaultSopsFile = ../../secrets/shark/shark.yaml;
@@ -18,16 +15,25 @@
   boot.loader.systemd-boot.enable = true;
   boot.loader.efi.canTouchEfiVariables = true;
 
-  networking.hostName = "shark";
+  networking.hostName = "shark"; # Define your hostname.
 
   systemd.network.networks."30-ens18" = values.defaultNetworkConfig // {
     matchConfig.Name = "ens18";
     address = with values.hosts.shark; [ (ipv4 + "/25") (ipv6 + "/64") ];
   };
 
+  # List packages installed in system profile
   environment.systemPackages = with pkgs; [
   ];
 
+  # List services that you want to enable:
+
+  # This value determines the NixOS release from which the default
+  # settings for stateful data, like file locations and database versions
+  # on your system were taken. It‘s perfectly fine and recommended to leave
+  # this value at the release version of the first install of this system.
+  # Before changing this value read the documentation for this option
+  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
   system.stateVersion = "23.05"; # Did you read the comment?
 
 }

hosts/shark/services/kanidm.nix

@@ -1,47 +0,0 @@
-{ config, pkgs, lib, ... }:
-let
-  cfg = config.services.kanidm;
-  domain = "idmtest.pvv.ntnu.no";
-  bindaddr_web = "127.0.0.1:8300"; #
-  bindaddr_ldaps = "0.0.0.0:636";
-in {
-  # Kanidm - Identity management / auth provider
-  services.kanidm = {
-    enableServer = true;
-
-    serverSettings = let
-      credsDir = "/run/credentials/kanidm.service";
-    in {
-      inherit domain;
-      ldapbindaddress = bindaddr_ldaps;
-      bindaddress = bindaddr_web;
-      origin = "https://${domain}";
-
-      tls_chain = "${credsDir}/fullchain.pem";
-      tls_key = "${credsDir}/key.pem";
-    };
-  };
-
-  systemd.services.kanidm = {
-    requires = [ "acme-finished-${domain}.target" ];
-    serviceConfig.LoadCredential = let
-      certDir = config.security.acme.certs.${domain}.directory;
-    in [
-      "fullchain.pem:${certDir}/fullchain.pem"
-      "key.pem:${certDir}/key.pem"
-    ];
-  };
-
-  services.nginx.virtualHosts."${cfg.serverSettings.domain}" = {
-    forceSSL = true;
-    enableACME = true;
-    locations."/".proxyPass = "https://${cfg.serverSettings.bindaddress}";
-  };
-
-  environment = {
-    systemPackages = [ pkgs.kanidm ]; # CLI tool
-    etc."kanidm/config".text = ''
-      uri="${cfg.serverSettings.origin}"
-    '';
-  };
- }

hosts/shark/services/nginx.nix

@@ -1,29 +0,0 @@
-{ config, values, ... }:
-{
-  security.acme = {
-    acceptTerms = true;
-    defaults.email = "drift@pvv.ntnu.no";
-  };
-
-  services.nginx = {
-    enable = true;
-
-    enableReload = true;
-
-    defaultListenAddresses = [
-      values.hosts.shark.ipv4
-      "[${values.hosts.shark.ipv6}]"
-
-      "127.0.0.1"
-      "127.0.0.2"
-      "[::1]"
-    ];
-
-    recommendedProxySettings = true;
-    recommendedTlsSettings = true;
-    recommendedGzipSettings = true;
-    recommendedOptimisation = true;
-  };
-
-  networking.firewall.allowedTCPPorts = [ 80 443 ];
-}

hosts/tuba/configuration.nix

@@ -0,0 +1,36 @@
+{ config, pkgs, values, ... }:
+{
+  imports = [
+      # Include the results of the hardware scan.
+      ./hardware-configuration.nix
+      ../../base.nix
+      ../../misc/metrics-exporters.nix
+
+      ./services/openvpn
+    ];
+
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+
+  networking.hostName = "tuba";
+
+  # systemd.network.networks."30-eno1" = values.defaultNetworkConfig // {
+  #   matchConfig.Name = "eno1";
+  #   address = with values.hosts.georg; [ (ipv4 + "/25") (ipv6 + "/64") ];
+  # };
+
+  # List packages installed in system profile
+  environment.systemPackages = with pkgs; [
+  ];
+
+  # List services that you want to enable:
+
+  # This value determines the NixOS release from which the default
+  # settings for stateful data, like file locations and database versions
+  # on your system were taken. It‘s perfectly fine and recommended to leave
+  # this value at the release version of the first install of this system.
+  # Before changing this value read the documentation for this option
+  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+  system.stateVersion = "23.05"; # Did you read the comment?
+
+}

hosts/tuba/hardware-configuration.nix

@@ -0,0 +1,40 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usb_storage" "usbhid" "sd_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/33825f0d-5a63-40fc-83db-bfa1ebb72ba0";
+      fsType = "ext4";
+    };
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/145E-7362";
+      fsType = "vfat";
+    };
+
+  swapDevices =
+    [ { device = "/dev/disk/by-uuid/7ed27e21-3247-44cd-8bcc-5d4a2efebf57"; }
+    ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.eno1.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp2s2.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}

hosts/tuba/services/openvpn/default.nix

@@ -0,0 +1,54 @@
+{ lib, values, ... }:
+{
+  services.openvpn.servers."ov-tunnel" = {
+    config = let
+      conf = {
+        # TODO: use aliases
+        client = true;
+        dev = "tap";
+        proto = "udp";
+        remote = "129.241.210.191 1194";
+
+        resolv-retry = "infinite";
+        nobind = true;
+
+        # # TODO: set up
+        ca = "";
+        cert = "";
+        key = "";
+        remote-cert-tls = "server";
+        cipher = "none";
+
+        user = "nobody";
+        group = "nobody";
+
+        status = "/var/log/openvpn-status.log";
+
+        persist-key = true;
+        persist-tun = true;
+
+        verb = 5;
+
+        # script-security = 2;
+        # up = "systemctl restart rwhod";
+      };
+    in lib.pipe conf [
+      (lib.filterAttrs (_: value: !(builtins.isNull value || value == false)))
+      (builtins.mapAttrs (_: value:
+        if builtins.isList value then builtins.concatStringsSep " " (map toString value)
+        else if value == true then value
+        else if builtins.any (f: f value) [
+          builtins.isString
+          builtins.isInt
+          builtins.isFloat
+          lib.isPath
+          lib.isDerivation
+        ] then toString value
+        else throw "Unknown value in tuba openvpn config, deading now\n${value}"
+      ))
+      (lib.mapAttrsToList (name: value: if value == true then name else "${name} ${value}"))
+      (builtins.concatStringsSep "\n")
+      (x: x + "\n\n")
+    ];
+  };
+}

modules/grzegorz.nix

@@ -0,0 +1,62 @@
+{config, lib, pkgs, ...}:
+let
+  grg = config.services.grzegorz;
+  grgw = config.services.grzegorz-webui;
+in {
+  services.pipewire.enable = true;
+  services.pipewire.alsa.enable = true;
+  services.pipewire.alsa.support32Bit = true;
+  services.pipewire.pulse.enable = true;
+
+  users.users.pvv = {
+    isNormalUser = true;
+    description = "pvv";
+  };
+
+  services.grzegorz.enable = true;
+  services.grzegorz.listenAddr = "localhost";
+  services.grzegorz.listenPort = 31337;
+
+  services.grzegorz-webui.enable = true;
+  services.grzegorz-webui.listenAddr = "localhost";
+  services.grzegorz-webui.listenPort = 42069;
+  services.grzegorz-webui.listenWebsocketPort = 42042;
+  services.grzegorz-webui.hostName = "${config.networking.fqdn}";
+  services.grzegorz-webui.apiBase = "http://${toString grg.listenAddr}:${toString grg.listenPort}/api";
+
+  security.acme.acceptTerms = true;
+  security.acme.defaults.email = "pederbs@pvv.ntnu.no";
+
+  services.nginx.enable = true;
+  networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+  services.nginx.virtualHosts."${config.networking.fqdn}" = {
+    forceSSL = true;
+    enableACME = true;
+    serverAliases = [
+      "${config.networking.hostName}.pvv.org"
+    ];
+    extraConfig = ''
+      allow 129.241.210.128/25;
+      allow 2001:700:300:1900::/64;
+      deny all;
+    '';
+
+    locations."/" = {
+      proxyPass = "http://localhost:${builtins.toString config.services.grzegorz-webui.listenPort}";
+    };
+    # https://github.com/rawpython/remi/issues/216
+    locations."/websocket" = {
+      proxyPass = "http://localhost:${builtins.toString config.services.grzegorz-webui.listenWebsocketPort}";
+      proxyWebsockets = true;
+    };
+    locations."/api" = {
+      proxyPass = "http://localhost:${builtins.toString config.services.grzegorz.listenPort}";
+    };
+    locations."/docs" = {
+      proxyPass = "http://localhost:${builtins.toString config.services.grzegorz.listenPort}";
+    };
+  };
+
+}
+

modules/wackattack-ctf-stockfish/chess.py

@@ -0,0 +1,74 @@
+#!/usr/bin/env python3
+from stockfish import *
+from inputimeout import inputimeout
+import time
+from datetime import datetime
+import random
+
+thinking_time = 1000
+
+game = Stockfish(path="./stockfish", depth=15, parameters={"Threads": 1, "Minimum Thinking Time": thinking_time, "UCI_Chess960": True})
+
+def create_random_position():
+    pos = "/pppppppp/8/8/8/8/PPPPPPPP/"
+    rank8 = ["r","r","b","q","k","b","n","n"]
+
+    while rank8.index("k") < [i for i, n in enumerate(rank8) if n == "r"][0] or rank8.index("k") > [i for i, n in enumerate(rank8) if n == "r"][1] or [i for i, n in enumerate(rank8) if n == "b"][0] % 2 == [i for i, n in enumerate(rank8) if n == "b"][1] % 2:
+        random.seed(datetime.now().microsecond)
+        random.shuffle(rank8)
+
+    rank1 = [c.upper() for c in rank8]
+    pos = "".join(rank8) + pos + "".join(rank1) + " w KQkq - 0 1"
+    game.set_fen_position(pos)
+
+def player_won():
+    with open("flag.txt") as file:
+        flag = file.read()
+    print(flag)
+    exit()
+
+def get_fast_player_move():
+    try:
+        time_over = inputimeout(prompt='Your move: ', timeout=5)
+    except Exception:
+        time_over = 'Too slow, you lost!'
+        print(time_over)
+        exit()
+    return time_over
+
+def check_game_status():
+    evaluation = game.get_evaluation()
+    turn = game.get_fen_position().split(" ")[1]
+    if evaluation["type"] == "mate" and evaluation["value"] == 0 and turn == "w":
+        print("Wow, you beat me!")
+        player_won()
+    elif evaluation["type"] == "mate" and evaluation["value"] == 0 and turn == "b":
+        print("Hah, I won again")
+        exit()
+    if evaluation["type"] == "draw":
+        print("It's a draw!")
+        print("Impressive, but I am still undefeated.")
+        exit()
+
+if __name__ == "__main__":
+    create_random_position()
+    print("Welcome to fischer chess.\nYou get 5 seconds per move. Good luck")
+    print(game.get_board_visual())
+    print("Heres the position for this game, Ill give you a few seconds to look at it before we start.")
+    time.sleep(3)
+    while True:
+        server_move = game.get_best_move_time(thinking_time)
+        game.make_moves_from_current_position([server_move])
+        check_game_status()
+        print(game.get_board_visual())
+        print(f"My move: {server_move}")
+        player_move = get_fast_player_move()
+        if type(player_move) != str or len([player_move]) != 1:
+            print("Illegal input")
+            exit()
+        try:
+            game.make_moves_from_current_position([player_move])
+            check_game_status()
+        except:
+            print("Couldn't comprehend that")
+            exit()

modules/wackattack-ctf-stockfish/default.nix

@@ -0,0 +1,108 @@
+{ config, pkgs, lib, ... }: let
+  stockfish = with pkgs.python3Packages; buildPythonPackage rec {
+    pname = "stockfish";
+    version = "3.28.0";
+    disabled = pythonOlder "3.7";
+
+    src = pkgs.fetchFromGitHub {
+      owner = "zhelyabuzhsky";
+      repo = pname;
+      rev = version;
+      hash = "sha256-XLgVjLV2QXeTYPjP/lwc0LH850LKJsymFlrAMkAn8HU=";
+    };
+
+    format = "setuptools";
+    nativeBuildInputs = [
+      setuptools
+    ];
+
+    propagatedBuildInputs = [
+      pytest-runner
+    ];
+
+    doCheck = false;
+  };
+
+  inputimeout = with pkgs.python3Packages; buildPythonPackage rec {
+    pname = "inputimeout";
+    version = "1.0.4";
+    src = pkgs.fetchFromGitHub {
+      owner = "johejo";
+      repo = pname;
+      rev = "v${version}";
+      hash = "sha256-Fh1CaqJOK58nURt4imkhCmZKG2eJlP/Hi10SarUJ+Fs=";
+    };
+
+    format = "setuptools";
+    nativeBuildInputs = [ setuptools ];
+
+    doCheck = false;
+  };
+
+  script = pkgs.writers.writePython3 "chess" {
+    libraries = [
+      stockfish
+      inputimeout   
+    ];
+
+    # Fy!
+    flakeIgnore = [ "F403" "F405" "E231" "E265" "E302" "E305" "E501" "E722" ];
+  } (builtins.replaceStrings [''path="./stockfish"''] [''path="${pkgs.stockfish}/bin/stockfish"''] (builtins.readFile ./chess.py));
+in
+{
+  sops.secrets."keys/wackattack_ctf/flag" = { };
+
+  systemd.sockets."wackattack-ctf-stockfish" = {
+    description = "Save some azure credit for the rest of us";
+    partOf = [ "wackattack-ctf-stockfish.service" ];
+    wantedBy = [ "sockets.target" ];
+
+    socketConfig = {
+      ListenStream = "0.0.0.0:9999";
+      Accept = true;
+    };
+  };
+
+  systemd.services."wackattack-ctf-stockfish@" = {
+    description = "Save some azure credit for the rest of us";
+    after = [ "network.target" ];
+    requires = [ "wackattack-ctf-stockfish.socket" ];
+    wantedBy = [ "multi-user.target" ];
+    serviceConfig = {
+      Type = "simple";
+      DynamicUser = true;
+      WorkingDirectory = "%d";
+      Restart = "always";
+      StandardInput = "socket";
+      LoadCredential = "flag.txt:${config.sops.secrets."keys/wackattack_ctf/flag".path}";
+
+      Exec = script;
+
+      # systemd hardening go barr
+      ProcSubset = "pid";
+      ProtectProc = "invisible";
+      AmbientCapabilities = "";
+      CapabilityBoundingSet = "";
+      NoNewPrivileges = true;
+      ProtectSystem = "strict";
+      ProtectHome = true;
+      PrivateTmp = true;
+      PrivateDevices = true;
+      PrivateUsers = true;
+      ProtectHostname = true;
+      ProtectClock = true;
+      ProtectKernelTunables = true;
+      ProtectKernelModules = true;
+      ProtectKernelLogs = true;
+      ProtectControlGroups = true;
+      RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
+      RestrictNamespaces = true;
+      LockPersonality = true;
+      RestrictRealtime = true;
+      RestrictSUIDSGID = true;
+      RemoveIPC = true;
+      PrivateMounts = true;
+      SystemCallArchitectures = "native";
+    };
+  };
+}

pkgs/minecraft-server-fabric/default.nix

@@ -1,43 +0,0 @@
-{ callPackage, writeTextFile, writeShellScriptBin, minecraft-server, jre_headless }:
-
-let
-  loader = callPackage ./generate-loader.nix {};
-  log4j = writeTextFile {
-    name = "log4j.xml";
-    text = ''
-      <?xml version="1.0" encoding="UTF-8"?>
-      <Configuration status="WARN" packages="com.mojang.util">
-          <Appenders>
-              <Console name="SysOut" target="SYSTEM_OUT">
-                  <PatternLayout pattern="[%d{HH:mm:ss}] [%t/%level]: %msg%n" />
-              </Console>
-              <Queue name="ServerGuiConsole">
-                  <PatternLayout pattern="[%d{HH:mm:ss} %level]: %msg%n" />
-              </Queue>
-              <RollingRandomAccessFile name="File" fileName="logs/latest.log" filePattern="logs/%d{yyyy-MM-dd}-%i.log.gz">
-                  <PatternLayout pattern="[%d{HH:mm:ss}] [%t/%level]: %msg%n" />
-                  <Policies>
-                      <TimeBasedTriggeringPolicy />
-                      <OnStartupTriggeringPolicy />
-                  </Policies>
-                  <DefaultRolloverStrategy max="1000"/>
-              </RollingRandomAccessFile>
-          </Appenders>
-          <Loggers>
-              <Root level="info">
-                  <filters>
-                      <MarkerFilter marker="NETWORK_PACKETS" onMatch="DENY" onMismatch="NEUTRAL" />
-                  </filters>
-                  <AppenderRef ref="SysOut"/>
-                  <AppenderRef ref="File"/>
-                  <AppenderRef ref="ServerGuiConsole"/>
-              </Root>
-          </Loggers>
-      </Configuration>
-    '';
-  };
-in
-writeShellScriptBin "minecraft-server" ''
-  echo "serverJar=${minecraft-server}/lib/minecraft/server.jar" >> fabric-server-launcher.properties
-  exec ${jre_headless}/bin/java -Dlog4j.configurationFile=${log4j} $@ -jar ${loader} nogui
-''

pkgs/minecraft-server-fabric/generate-loader.nix

@@ -1,38 +0,0 @@
-{ lib, fetchurl, stdenv, unzip, zip, jre_headless }:
-
-let
-  lock = import ./lock.nix;
-  libraries = lib.forEach lock.libraries fetchurl;
-in
-stdenv.mkDerivation {
-  name = "fabric-server-launch.jar";
-  nativeBuildInputs = [ unzip zip jre_headless ];
-
-  libraries = libraries;
-
-  buildPhase = ''
-    for i in $libraries; do
-      unzip -o $i
-    done
-
-    cat > META-INF/MANIFEST.MF << EOF
-    Manifest-Version: 1.0
-    Main-Class: net.fabricmc.loader.impl.launch.server.FabricServerLauncher
-    Name: org/objectweb/asm/
-    Implementation-Version: 9.2
-    EOF
-
-    cat > fabric-server-launch.properties << EOF
-    launch.mainClass=net.fabricmc.loader.impl.launch.knot.KnotServer
-    EOF
-  '';
-
-  installPhase = ''
-    jar cmvf META-INF/MANIFEST.MF "server.jar" .
-    zip -d server.jar 'META-INF/*.SF' 'META-INF/*.RSA' 'META-INF/*.DSA'
-    cp server.jar "$out"
-  '';
-
-  phases = [ "buildPhase" "installPhase" ];
-}
-

pkgs/minecraft-server-fabric/generate-lock-nix.sh

@@ -1,22 +0,0 @@
-#!/usr/bin/env nix-shell
-#!nix-shell -i bash -p bash curl jq
-curl https://meta.fabricmc.net/v2/versions/loader/1.18.1/0.12.12/server/json \
-| jq -r '
-  .mainClass,
-  (.libraries[]
-  | .url as $url
-  | .name | split(":") as [$dir, $name, $version]
-  |"\($name)-\($version).zip|\($url)\($dir|sub("\\.";"/";"g"))/\($name)/\($version)/\($name)-\($version).jar"
-  )' \
-| {
-    echo '{'
-    read mainClass;
-    echo "  mainClass = \"$mainClass\";"
-    echo "  libraries = ["
-    while IFS="|" read name url; do
-        hash=$(nix-prefetch-url $url);
-        echo "    { name = \"$name\"; sha256 = \"$hash\"; url = \"$url\"; }"
-    done
-    echo "  ];"
-    echo '}'
-}

pkgs/minecraft-server-fabric/lock.nix

@@ -1,16 +0,0 @@
-{
-  mainClass = "net.fabricmc.loader.impl.launch.knot.KnotServer";
-  libraries = [
-    { name = "tiny-mappings-parser-0.3.0+build.17.zip"; sha256 = "19kvhxfk5v01f2rvl7j02vqhn3nd2bh5jsgbk44rpzqv9f6074db"; url = "https://maven.fabricmc.net/net/fabricmc/tiny-mappings-parser/0.3.0+build.17/tiny-mappings-parser-0.3.0+build.17.jar"; }
-    { name = "sponge-mixin-0.10.7+mixin.0.8.4.zip"; sha256 = "18m5wksd9vjp676cxapkggnz8s3f8j89phln8gy5n8vxlrli8n0d"; url = "https://maven.fabricmc.net/net/fabricmc/sponge-mixin/0.10.7+mixin.0.8.4/sponge-mixin-0.10.7+mixin.0.8.4.jar"; }
-    { name = "tiny-remapper-0.6.0.zip"; sha256 = "1ynjfxg7cj9rd9c4l450w7yp20p2csjdpnk3mcx5bdkjzhbgvgzf"; url = "https://maven.fabricmc.net/net/fabricmc/tiny-remapper/0.6.0/tiny-remapper-0.6.0.jar"; }
-    { name = "access-widener-2.0.1.zip"; sha256 = "0a7s4x6dbaa9p59ps7pidzwrs0xwy5i17s35xrgh58i26szlsaxm"; url = "https://maven.fabricmc.net/net/fabricmc/access-widener/2.0.1/access-widener-2.0.1.jar"; }
-    { name = "asm-9.2.zip"; sha256 = "1xa7kccwmcqcdw1xly6n2frzhk56m8ma9v7h764g73ckf56zxm5r"; url = "https://maven.fabricmc.net/org/ow2/asm/asm/9.2/asm-9.2.jar"; }
-    { name = "asm-analysis-9.2.zip"; sha256 = "1i1kyirizs5sm2v0f06sdz86mbmyn61vjr9d9p8p5h1i2x9bx3w7"; url = "https://maven.fabricmc.net/org/ow2/asm/asm-analysis/9.2/asm-analysis-9.2.jar"; }
-    { name = "asm-commons-9.2.zip"; sha256 = "19p04mr14ahndba65v4krbvf4p5syf8wz0fp5i9bnf5270qyak5y"; url = "https://maven.fabricmc.net/org/ow2/asm/asm-commons/9.2/asm-commons-9.2.jar"; }
-    { name = "asm-tree-9.2.zip"; sha256 = "04g0zb7v65iz4k2m2grdpbv8jjryrzkkw7ww23yfp94i6399pgxa"; url = "https://maven.fabricmc.net/org/ow2/asm/asm-tree/9.2/asm-tree-9.2.jar"; }
-    { name = "asm-util-9.2.zip"; sha256 = "16759v4hh3ijpf4cglrxybz29x2hiylhsa388y09m2mf679kqnzz"; url = "https://maven.fabricmc.net/org/ow2/asm/asm-util/9.2/asm-util-9.2.jar"; }
-    { name = "intermediary-1.18.1.zip"; sha256 = "1rfz2gazvnivn6hlqiyjpiaycz8va87n5czy1p6w3lnrlfggj2i9"; url = "https://maven.fabricmc.net/net/fabricmc/intermediary/1.18.1/intermediary-1.18.1.jar"; }
-    { name = "fabric-loader-0.12.12.zip"; sha256 = "070dpcp7kcj4xr75wp1j6pb1bgfzllwg8xmqk3sk79jfqiqwzizw"; url = "https://maven.fabricmc.net/net/fabricmc/fabric-loader/0.12.12/fabric-loader-0.12.12.jar"; }
-  ];
-}

pkgs/minecraft-server/1_18_1.nix

@@ -1,38 +0,0 @@
-{ lib, stdenv, fetchurl, nixosTests, jre_headless }:
-stdenv.mkDerivation {
-  pname = "minecraft-server";
-  version = "1.18.1";
-
-  src = fetchurl {
-    url = "https://launcher.mojang.com/v1/objects/125e5adf40c659fd3bce3e66e67a16bb49ecc1b9/server.jar";
-    # sha1 because that comes from mojang via api
-    sha1 = "125e5adf40c659fd3bce3e66e67a16bb49ecc1b9";
-  };
-
-  preferLocalBuild = true;
-
-  installPhase = ''
-    mkdir -p $out/bin $out/lib/minecraft
-    cp -v $src $out/lib/minecraft/server.jar
-    cat > $out/bin/minecraft-server << EOF
-    #!/bin/sh
-    exec ${jre_headless}/bin/java \$@ -jar $out/lib/minecraft/server.jar nogui
-    EOF
-    chmod +x $out/bin/minecraft-server
-  '';
-
-  dontUnpack = true;
-
-  passthru = {
-    tests = { inherit (nixosTests) minecraft-server; };
-    updateScript = ./update.sh;
-  };
-
-  meta = with lib; {
-    description = "Minecraft Server";
-    homepage = "https://minecraft.net";
-    license = licenses.unfreeRedistributable;
-    platforms = platforms.unix;
-    maintainers = with maintainers; [ thoughtpolice tomberek costrouc ];
-  };
-}

secrets/bekkalokk/bekkalokk.yaml

@@ -4,11 +4,18 @@ gitea:
     passwd-ssh-key: ENC[AES256_GCM,data:L0lF0wvpayss1NU9m3A45cH0bCMQzODTFVrq6EPd1JHx54wIcoaRBYLmxXKXASzBlCg9zlwXMUIk3OQcS3kdzMKL0iqcSL2iicAcKjFIHyrWLqXgwV5pRSP/tRPcVw8KW8gz0bh33EgESs5ReddZ3VZ0Cy1s2YupMRQvBXr89k1+Hv70OWB6P06hvxhv/zKcMGI1N/dWLroMgrQuT9imw4+/Q1RqwzTYeEU+eUn24AM9GjcBg4qf3OI+6g0nXUat/upIYE28iF5J3lbUSmDSmirBLc8xgHLdOyyJPTObWYWYxlSL78T7IqiMm9lI3rtBlpJDDcn/YxZpVqN5bg2154GISNK+uR0TVSLdJ+drdGHIfIX3G78XSxf2L9rbJyRn8MQlgStfdBIQicLavQKVMrmj+XQfvEMez23WbPLjH4oViBQFI+GrOHOGy/f16cz8Sn4n+69OcsOeTxs3tKYdfq6r1XLYSJ/fe/zvxBpaZiyGXljsuyEdIyBL2A8D6uSXe3Nd3/DAdBtceFfIdN1olCdutixzVWgxaJnrel161z5A/4w=,iv:Uy46yY3jFYSvpxrgCHxRMUksnWfhf5DViLMvCXVMMl4=,tag:wFEJ5+icFrOKkc56gY0A5g==,type:str]
     ssh-known-hosts: ENC[AES256_GCM,data:zlRLoelQeumMxGqPmgMTB69X1RVWXIs2jWwc67lk0wrdNOHUs5UzV5TUA1JnQ43RslBU92+js7DkyvE5enGzw7zZE5F1ZYdGv/eCgvkTMC9BoLfzHzP6OzayPLYEt3xJ5PRocN8JUAD55cuu4LgsuebuydHPi2oWOfpbSUBKSeCh6dvk5Pp1XRDprPS5SzGLW8Xjq98QlzmfGv50meI9CDJZVF9Wq/72gkyfgtb3YVdr,iv:AF06TBitHegfWk6w07CdkHklh4ripQCmA45vswDQgss=,tag:zKh7WVXMJN2o9ZIwIkby3Q==,type:str]
     import-user-env: ENC[AES256_GCM,data:vfaqjGEnUM9VtOPvBurz7nFwzGZt3L2EqijrQej4wiOcGCrRA4tN6kBV6NmhHqlFPsw=,iv:viPGkyOOacCWcgTu25da4qH7DC4wz2qdeC1W2WcMUdI=,tag:BllNqGQoaxqUo3lTz9LGnw==,type:str]
+    runners:
+        alpha: ENC[AES256_GCM,data:gARxCufePz+EMVwEwRsL2iZUfh9HUowWqtb7Juz3fImeeAdbt+k3DvL/Nwgegg==,iv:3fEaWd7v7uLGTy2J7EFQGfN0ztI0uCOJRz5Mw8V5UOU=,tag:Aa6LwWeW2hfDz1SqEhUJpA==,type:str]
+        beta: ENC[AES256_GCM,data:DVjS78IKWiWgf+PuijCZKx4ZaEJGhQr7vl+lc7QOg1JlA4p9Kux/tOD8+f2+jA==,iv:tk3Xk7lKWNdZ035+QVIhxXy2iJbHwunI4jRFM4It46E=,tag:9Mr6o//svYEyYhSvzkOXMg==,type:str]
+        epsilon: ENC[AES256_GCM,data:JMnZVBdiy+5oPyXgDpfYvy7qLzIEfHy09fQSBDpNG4zDXTil2pSKBKxk09h5xg==,iv:/8oXKJW6+sMBjDt51MqVAWjQPM5nk02Lv5QqbZsZ5ms=,tag:+Rx7ursfVWc0EcExCLgLhQ==,type:str]
 mediawiki:
     password: ENC[AES256_GCM,data:HsBuA1E7187roGnKuFPfPDYxA16GFjAUucgUtrdUFmcOzmTNiFH+NWY2ZQ==,iv:vDYUmmZftcrkDtJxNYKAJSx9j+AQcmQarC62QRHR4IM=,tag:3TKjNrGRivFWoK3djC748g==,type:str]
     database: ENC[AES256_GCM,data:EvVK3Mo6cZiIZS+gTxixU4r9SXN41VqwaWOtortZRNH+WPJ4xcYvzYMJNg==,iv:JtFTRLn3fzKIfgAPRqRgQjct7EdkEHtiyQKPy8/sZ2Q=,tag:nqzseG6BC0X5UNI/3kZZ3A==,type:str]
 keycloak:
     database: ENC[AES256_GCM,data:76+AZnNR5EiturTP7BdOCKE90bFFkfGlRtviSP5NHxPbb3RfFPJEMlwtzA==,iv:nS7VTossHdlrHjPeethhX+Ysp9ukrb5JD7kjG28OFpY=,tag:OMpiEv9nQA7v6lWJfNxEEw==,type:str]
+keys:
+    wackattack_ctf:
+        flag: ENC[AES256_GCM,data:cZCaGb/u/OZgAvXnuJPL3XqmnIa26Rl2IUpWpG/fpt/dJ7+/KssXVa6A5G6ObQhF7deCmTxuoVP8JU+DQzYRr0ftvKhLJ87rgzrE3j+UkA==,iv:3uFkNqXlVj94klU20yPIUd8tIeyUIfp0++2wkdIkiYM=,tag:OZMyEt118u10F5vSUFZE7A==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -42,8 +49,8 @@ sops:
             akVjeTNTeGorZjJQOVlMeCtPRUVYL3MK+VMvGxrbzGz4Q3sdaDDWjal+OiK+JYKX
             GHiMXVHQJZu/RrlxMjHKN6V3iaqxZpuvLAEJ2Lzy5EOHPtuiiRyeHQ==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-09-03T19:12:38Z"
-    mac: ENC[AES256_GCM,data:Zo6WD3n33nX7bUun9YqaidvqZjFmbIx7QTzOTGOanSbeDmrejRRdBgGMohWG07byxrdlYO6mQwBkz2xic7+Rh3k1UJ65FDNyM7EOrwuc/X7HJy2Tk9WQO0DDbwDh+OfCeLOhrpBWTlsVt9HpN6xU8xBDABVxBQzd47pm1GRs3Ig=,iv:ECl4h15AnDJPcR3eXZ/wXSTUP8QnAuYiWRWx+Ouazd4=,tag:ZkZ/kSrx/5HCDPQhCGuxLw==,type:str]
+    lastmodified: "2023-10-26T19:59:04Z"
+    mac: ENC[AES256_GCM,data:uH0RfKBjjbYvxjl4XyoXWvwUpi+W7IQZjBdC5UoslotToTw0xnici2fKxPNZ9aFJsukLMPLC+tsT/shUqW373f/NyhsJt0Vb2YtuozFQyQstZQEpnm4WuVoFR/MEjAra/PaM4ATHSGgDuHa7qrpdKTLnrMOai5ZqxLfFbLws3dA=,iv:47hHzrnfZG5NtCN0HjziZdDBJTr451/kvY95GpB3G2M=,tag:3TCs7DSeWB6NujDUlQVGjA==,type:str]
     pgp:
         - created_at: "2023-05-21T00:28:40Z"
           enc: |
@@ -66,4 +73,4 @@ sops:
             -----END PGP MESSAGE-----
           fp: F7D37890228A907440E1FD4846B9228E814A2AAC
     unencrypted_suffix: _unencrypted
-    version: 3.7.3
+    version: 3.8.1

secrets/bicep/matrix.yaml

@@ -1,8 +1,9 @@
 synapse:
-    dbconfig: ENC[AES256_GCM,data:QQefrFxpxTXlldA+a5xPm1Mx2E7oRzo4DAOGVYP8IR0zFCsqoAGqeXOPrdT9MczTn4Ur537e9RG2OQMRc8JQASRQLHG6RdNPyREiZmJDs24OyXEF+WerHJtRytF9wugt22AdZtGyk9S/RDqoXDe4CS93EtP7SqAcYWJoDE1Xic7G3g==,iv:q1Is8O5k8PZGmJC3EsftmJMNordGLxJiMg+GsnfzxTY=,tag:sbsj9T0jEr+kZJjej5S0jA==,type:str]
     turnconfig: ENC[AES256_GCM,data:mASRjYa4C9WRow4x0XYRrlCE5LMJUYaId+o62r1qhsyJPa2LzrI=,iv:5vYdubvMDjLS6soiWx2DzkEAATb9NFbSS/Jhuuz1yI8=,tag:wOW07CQMDbOiZNervee/pg==,type:str]
     user_registration: ENC[AES256_GCM,data:ZDZfEEvyw8pg0WzhrdC8747ed+ZR2ZA8/WypJd/iDkmIy2RmxOeI0sE=,iv:l61mOlvzpCql4fC/eubBSU6px21et2WcpxQ6rFl14iw=,tag:sVDEAa3xipKIi/6isCjWew==,type:str]
     signing_key: ENC[AES256_GCM,data:6UpfiRlX9pRM7zhdm7Mc8y8EItLzugWkHSgE0tGpEmudCTa1wc60oNbYfhKDWU81DT/U148pZOoX1A==,iv:UlqCPicPm5eNBz1xBMI3A3Rn4t/GtldNIDdMH5MMnLw=,tag:HHaw6iMjEAv5b9mjHSVpwA==,type:str]
+sliding-sync:
+    env: ENC[AES256_GCM,data:DsU1qKTy5sn06Y0S5kFUqZHML20n6HdHUdXsQRUw,iv:/TNTc+StAZbf6pBY9CeXdxkx8E+3bak/wOqHyBNMprU=,tag:er5u4FRlSmUZrOT/sj+RhQ==,type:str]
 coturn:
     static-auth-secret: ENC[AES256_GCM,data:y5cG/LyrorkDH+8YrgcV7DY=,iv:ca90q2J3+NOy51mUBy4TMKfYMgWL4hxWDdsKIuxRBgU=,tag:hpFCns1lpi07paHyGB7tGQ==,type:str]
 mjolnir:
@@ -42,8 +43,8 @@ sops:
             cGxZVnFhdXRka2drTGdkVk1iM0pFL1kK2ry7b2cLYPfntWi/BV3K2O+mHt3242Ef
             sI2JLLQYHeAhxjFdCzP1RDR+Wu/pRxZje6xuTZ9I9TKNmm+LhAXHQw==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-05-06T21:32:35Z"
-    mac: ENC[AES256_GCM,data:W0I9iLVAyWkqWw1m49cAO4eiv71hv0MMgqp/ZoPB/ImI/PijCJh3d3cSxM4HgDqhN7tPqwqegsR7pxbVNHch+VReLoOKOiXWCAmKNhZ2A5uO+RFnrmyCZ5HSbKmex4unzcX9hvkWl1X53dqiOUXu1tdbOt9M0tLxV2kfjPmqqs0=,iv:r9AHHkBZfk67w/MBpMDLjxrmo8JVpkm8Ko8MB/MHqW8=,tag:KuzAAHUbYGOtUu7sZqyXOw==,type:str]
+    lastmodified: "2023-10-22T00:31:46Z"
+    mac: ENC[AES256_GCM,data:UpnaUfRxvdyzBy5x4EC3w5LQ1qWxILTQhpyVPd9whTzQMAivAHT0pVmP9aE4T9w3NcWTaghp+f70GmQXx/OCC6DsRCWtU9pFHRj12YUowM3yB5lVTOomOLZQ9m4gUXw5I2GZHWBJn8CyosDcBMlXz2tiR91v/8Ulh6sDSAO86U0=,iv:5GcgRvbpqDEslZruKHM/TcMaF52A5X7AK41DEbrsRIQ=,tag:ndDgCRyX1aDRnzEUNmpoMw==,type:str]
     pgp:
         - created_at: "2023-05-06T21:31:39Z"
           enc: |

users/adriangl.nix

@@ -0,0 +1,20 @@
+{ pkgs, ... }:
+{
+  users.users.adriangl = {
+    isNormalUser = true;
+    description = "(0_0)";
+    extraGroups = [
+      "wheel"
+      "drift"
+    ];
+
+    packages = with pkgs; [
+      exa
+      neovim
+    ];
+
+    openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFa5y7KyLn2tjxed1czMbyM5scnEpo9v/GfnhL/28ckM legolas"
+    ];
+  };
+}

users/amalieem.nix

@@ -0,0 +1,12 @@
+{pkgs, ...}:
+
+{
+  users.users.amalieem = {
+    isNormalUser = true;
+    extraGroups = [ "wheel" ]; 
+    shell = pkgs.zsh;
+    openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPsMtFIj4Dem/onwMoWYbosOcU4y7A5nTjVwqWaU33E1 amalieem@matey-aug22"
+    ];
+  };
+}

values.nix

@@ -4,7 +4,7 @@ let
   pvv-ipv6 = suffix: "2001:700:300:1900::${toString suffix}";
 in rec {
   ipv4-space = pvv-ipv4 "128/25";
-  ipv6-space = pvv-ipv4 "/64";
+  ipv6-space = pvv-ipv6 "/64";
 
   services = {
     matrix = {
@@ -21,6 +21,12 @@ in rec {
       ipv4 = pvv-ipv4 213;
       ipv6 = pvv-ipv6 213;
     };
+    grevling-tap = {
+      ipv4 = pvv-ipv4 251;
+    };
+    tuba-tap = {
+      ipv4 = pvv-ipv4 252;
+    };
   };
 
   hosts = {
@@ -41,6 +47,22 @@ in rec {
       ipv4 = pvv-ipv4 196;
       ipv6 = pvv-ipv6 196;
     };
+    brzeczyszczykiewicz = {
+      ipv4 = pvv-ipv4 205;
+      ipv6 = pvv-ipv6 "1:50"; # Wtf peder why
+    };
+    georg = {
+      ipv4 = pvv-ipv4 204;
+      ipv6 = pvv-ipv6 "1:4f"; # Wtf øystein og daniel why
+    };
+    grevling = {
+      ipv4 = pvv-ipv4 198;
+      ipv6 = pvv-ipv6 198;
+    };
+    tuba = {
+      ipv4 = pvv-ipv4 199;
+      ipv6 = pvv-ipv6 199;
+    };
   };
 
   defaultNetworkConfig = {