bicep/postgres: add cleanup timers

bicep/matrix/livekit: open the rtc ports
base/hardening: ban a few more modules
2026-05-21 05:51:12 +02:00 · 2026-05-21 04:14:34 +09:00 · 2026-05-20 20:04:33 +02:00 · 2026-05-20 23:15:25 +09:00 · 2026-05-20 23:15:25 +09:00 · 2026-05-20 06:24:26 +02:00
33 changed files with 741 additions and 483 deletions
--- a/README.md
+++ b/README.md
@@ -39,6 +39,7 @@ revert the changes on the next nightly rebuild (tends to happen when everybody i
 |  bikkje                    | Virtual  | Experimental login box                                    |
 | [brzeczyszczykiewicz][brz] | Physical | Shared music player                                       |
 | [georg][geo]               | Physical | Shared music player                                       |
+| [gluttony][glu]            | Virtual  | General purpose compute                                   |
 | [ildkule][ild]             | Virtual  | Logging and monitoring host, prometheus, grafana, ...     |
 | [kommode][kom]             | Virtual  | Gitea + Gitea pages                                       |
 | [lupine][lup]              | Physical | Gitea CI/CD runners                                       |
@@ -57,6 +58,7 @@ revert the changes on the next nightly rebuild (tends to happen when everybody i
 [bic]: https://wiki.pvv.ntnu.no/wiki/Maskiner/bicep
 [brz]: https://wiki.pvv.ntnu.no/wiki/Maskiner/brzęczyszczykiewicz
 [geo]: https://wiki.pvv.ntnu.no/wiki/Maskiner/georg
+[glu]: https://wiki.pvv.ntnu.no/wiki/Maskiner/gluttony
 [ild]: https://wiki.pvv.ntnu.no/wiki/Maskiner/ildkule
 [kom]: https://wiki.pvv.ntnu.no/wiki/Maskiner/kommode
 [lup]: https://wiki.pvv.ntnu.no/wiki/Maskiner/lupine
--- a/base/default.nix
+++ b/base/default.nix
@@ -13,6 +13,7 @@
    ./mitigations.nix

    ./flake-input-exporter.nix
+    ./hardening.nix
    ./networking.nix
    ./nix.nix
    ./programs.nix
@@ -70,8 +71,6 @@
    fi
  '';

-  # security.lockKernelModules = true;
-  security.protectKernelImage = true;
  security.sudo.execWheelOnly = true;
  security.sudo.extraConfig = ''
    Defaults lecture = never
--- a/base/hardening.nix
+++ b/base/hardening.nix
@@ -0,0 +1,71 @@
+{ ... }:
+{
+  boot.blacklistedKernelModules = [
+    # Obscure network protocols
+    "appletalk"
+    "atm"
+    "ax25"
+    "batman-adv"
+    "can"
+    "dccp"
+    "ipx"
+    "llc"
+    "n-hdlc"
+    "netrom"
+    "p8022"
+    "p8023"
+    "psnap"
+    "rds"
+    "rose"
+    "sctp"
+    "tipc"
+
+    # Filesystems we don't use
+    "adfs"
+    "affs"
+    "befs"
+    "bfs"
+    "cifs"
+    "cramfs"
+    "efs"
+    "exofs"
+    "freevxfs"
+    "gfs2"
+    "hfs"
+    "hfsplus"
+    "hpfs"
+    "jffs2"
+    "jfs"
+    "minix"
+    "nilfs2"
+    "ntfs"
+    "omfs"
+    "orangefs"
+    "qnx4"
+    "qnx6"
+    "sysv"
+    "ubifs"
+    "udf"
+    "ufs"
+
+    # Legacy hardware
+    "pcspkr"
+    "floppy"
+    "parport"
+    "ppdev"
+
+    # Other stuff we don't use
+    "firewire-core"
+    "firewire-ohci"
+    "ksmbd"
+    "ib_core"
+    "l2tp_eth"
+    "l2tp_netlink"
+    "l2tp_ppp"
+    "nfc"
+    "soundwire"
+  ];
+
+  # security.lockKernelModules = true;
+  security.protectKernelImage = true;
+}
--- a/base/mitigations.nix
+++ b/base/mitigations.nix
@@ -1,17 +1,24 @@
-{ ... }:
+{ pkgs, lib, ... }:
+let
+  modulesToBan = [
+    # copy.fail
+    "af_alg"
+    "algif_aead"
+    "algif_hash"
+    "algif_rng"
+    "algif_skcipher"

+    # dirtyfrag / Fragnesia
+    "esp4"
+    "esp6"
+    "rxrpc"
+
+    # PinTheft
+    "rds"
+  ];
+in
 {
-  boot.blacklistedKernelModules = [
-  "rxrpc" # dirtyfrag
-  "esp6" # dirtyfrag
-  "esp4" # dirtyfrag
-];
-boot.extraModprobeConfig = ''
-  # dirtyfrag
-  install esp4 /bin/false
-  # dirtyfrag
-  install esp6 /bin/false
-  # dirtyfrag
-  install rxrpc /bin/false
-'';
+  boot.blacklistedKernelModules = modulesToBan;
+
+  boot.extraModprobeConfig = lib.concatMapStringsSep "\n" (mod: "install ${mod} ${lib.getExe' pkgs.coreutils "false"}") modulesToBan;
 }
--- a/flake.lock
+++ b/flake.lock
@@ -232,11 +232,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1777808420,
-        "narHash": "sha256-hh9XBz0K1ypZ+neezgIPCSsnWFKEq8VfV/1aUSPu3OA=",
+        "lastModified": 1778407980,
+        "narHash": "sha256-r980BhsReZQe6FkmyNZkwCZpvzARo5jZgTl8HxjAssY=",
        "owner": "oddlama",
        "repo": "nix-topology",
-        "rev": "28e9dc901ff38a8fa2d24bccd5f89511d6d8324e",
+        "rev": "ca0a602f650306d00d6f3e3c76d0f4c48a5c5adc",
        "type": "github"
      },
      "original": {
@@ -248,11 +248,11 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1778125667,
-        "narHash": "sha256-swcxqlW+XrZFBqjcV3AV8AR64/eI234AZRFKs6q4DFo=",
-        "rev": "75636a69ad3115ff64d4cb3090e66c8275dda9c2",
+        "lastModified": 1778544512,
+        "narHash": "sha256-VIsPgfIpZ/01XUO6WN+o1NZbP5iKPKPHdHPWqfm4XIg=",
+        "rev": "c417517f9d525181ee5619c683419d308ee29fe8",
        "type": "tarball",
-        "url": "https://releases.nixos.org/nixos/25.11-small/nixos-25.11.10534.75636a69ad31/nixexprs.tar.xz"
+        "url": "https://releases.nixos.org/nixos/25.11-small/nixos-25.11.10745.c417517f9d52/nixexprs.tar.xz"
      },
      "original": {
        "type": "tarball",
@@ -276,11 +276,11 @@
    },
    "nixpkgs-unstable": {
      "locked": {
-        "lastModified": 1778157832,
-        "narHash": "sha256-lSl05j1UzI5MioSJWUa7oUp5a88zzv3sXMwWC4d1N70=",
-        "rev": "ec299c6a33eee9baf5b4d72881ca2f15c06b4f01",
+        "lastModified": 1778586796,
+        "narHash": "sha256-XmDljcG4x8slQDlsWOc77pCA1YVuYn8JGumkYlhfTxI=",
+        "rev": "b25e938b89759b5f9466fc53c4a970244f84dc39",
        "type": "tarball",
-        "url": "https://releases.nixos.org/nixos/unstable-small/nixos-26.05pre993859.ec299c6a33ee/nixexprs.tar.xz"
+        "url": "https://releases.nixos.org/nixos/unstable-small/nixos-26.05pre996582.b25e938b8975/nixexprs.tar.xz"
      },
      "original": {
        "type": "tarball",
@@ -315,11 +315,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1769009806,
-        "narHash": "sha256-52xTtAOc9B+MBRMRZ8HI6ybNsRLMlHHLh+qwAbaJjRY=",
+        "lastModified": 1778960428,
+        "narHash": "sha256-YAs3LbFGlBLJW3xHeoQfTq2GBBXTvuSKl2WXDtloczU=",
        "ref": "main",
-        "rev": "aa8adfc6a4d5b6222752e2d15d4a6d3b3b85252e",
-        "revCount": 575,
+        "rev": "927748790b1f7159adfe32a3ad9ec01d22e9c5a2",
+        "revCount": 583,
        "type": "git",
        "url": "https://git.pvv.ntnu.no/Projects/nettsiden.git"
      },
@@ -380,17 +380,17 @@
        "rust-overlay": "rust-overlay_3"
      },
      "locked": {
-        "lastModified": 1777418851,
-        "narHash": "sha256-M6LntO3jkxwgcKkaa9de1Vqu+LsV12Yz8Bv3/9/k018=",
+        "lastModified": 1778600367,
+        "narHash": "sha256-YB0b2xUf4D8792D5Ay//7C3AjHyv+9yoy8K1mTe+wvE=",
        "ref": "main",
-        "rev": "16b2bc5c2759e20ecb952374509f1e1f9d6c06e7",
-        "revCount": 83,
+        "rev": "8e5f2849ff7c9616100fe928261512a7ad647939",
+        "revCount": 91,
        "type": "git",
        "url": "https://git.pvv.ntnu.no/Projects/roowho2.git"
      },
      "original": {
        "ref": "main",
-        "rev": "16b2bc5c2759e20ecb952374509f1e1f9d6c06e7",
+        "rev": "8e5f2849ff7c9616100fe928261512a7ad647939",
        "type": "git",
        "url": "https://git.pvv.ntnu.no/Projects/roowho2.git"
      }
--- a/flake.nix
+++ b/flake.nix
@@ -32,7 +32,7 @@
    minecraft-heatmap.url = "git+https://git.pvv.ntnu.no/Projects/minecraft-heatmap.git?ref=main";
    minecraft-heatmap.inputs.nixpkgs.follows = "nixpkgs";

-    roowho2.url = "git+https://git.pvv.ntnu.no/Projects/roowho2.git?ref=main&rev=16b2bc5c2759e20ecb952374509f1e1f9d6c06e7";
+    roowho2.url = "git+https://git.pvv.ntnu.no/Projects/roowho2.git?ref=main&rev=8e5f2849ff7c9616100fe928261512a7ad647939";
    roowho2.inputs.nixpkgs.follows = "nixpkgs";

    greg-ng.url = "git+https://git.pvv.ntnu.no/Grzegorz/greg-ng.git?ref=main";
@@ -49,8 +49,14 @@
    qotd.inputs.nixpkgs.follows = "nixpkgs";
  };

-  outputs = { self, nixpkgs, nixpkgs-unstable, sops-nix, disko, ... }@inputs:
-  let
+  outputs = {
+    self,
+    nixpkgs,
+    nixpkgs-unstable,
+    sops-nix,
+    disko,
+    ...
+  } @ inputs: let
    inherit (nixpkgs) lib;
    systems = [
      "x86_64-linux"
@@ -71,178 +77,196 @@
  in {
    inputs = lib.mapAttrs (_: src: src.outPath) inputs;

-    pkgs = forAllSystems (system: import nixpkgs {
-      inherit system;
-      config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg)
-        [
-          "nvidia-x11"
-          "nvidia-settings"
-        ];
-    });
+    pkgs = forAllSystems (system:
+      import nixpkgs {
+        inherit system;
+        config.allowUnfreePredicate = pkg:
+          builtins.elem (lib.getName pkg)
+          [
+            "nvidia-x11"
+            "nvidia-settings"
+          ];
+      });

    nixosConfigurations = let
-      nixosConfig =
-        nixpkgs:
-        name:
-        configurationPath:
-        extraArgs@{
-          localSystem ? "x86_64-linux", # buildPlatform
-          crossSystem ? "x86_64-linux", # hostPlatform
-          specialArgs ? { },
-          modules ? [ ],
-          overlays ? [ ],
-          enableDefaults ? true,
-          ...
-        }:
-        let
-          commonPkgsConfig = {
-            config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg)
+      nixosConfig = nixpkgs: name: configurationPath: extraArgs @ {
+        localSystem ? "x86_64-linux", # buildPlatform
+        crossSystem ? "x86_64-linux", # hostPlatform
+        specialArgs ? {},
+        modules ? [],
+        overlays ? [],
+        enableDefaults ? true,
+        ...
+      }: let
+        commonPkgsConfig =
+          {
+            config.allowUnfreePredicate = pkg:
+              builtins.elem (lib.getName pkg)
              [
                "nvidia-x11"
                "nvidia-settings"
              ];
-            overlays = (lib.optionals enableDefaults [
-              # Global overlays go here
-              inputs.roowho2.overlays.default
-            ]) ++ overlays;
-          } // (if localSystem != crossSystem then {
-            inherit localSystem crossSystem;
-          } else {
-            system = crossSystem;
-          });
-          pkgs = import nixpkgs commonPkgsConfig;
-          unstablePkgs = import nixpkgs-unstable commonPkgsConfig;
-        in
-        lib.nixosSystem (lib.recursiveUpdate
-        {
-          system = crossSystem;
-
-          inherit pkgs;
-
-          specialArgs = {
-            inherit inputs unstablePkgs;
-            values = import ./values.nix;
-            fp = path: ./${path};
-          } // specialArgs;
-
-          modules = [
-            {
-              networking.hostName = lib.mkDefault name;
+            overlays =
+              (lib.optionals enableDefaults [
+                # Global overlays go here
+                inputs.roowho2.overlays.default
+              ])
+              ++ overlays;
+          }
+          // (
+            if localSystem != crossSystem
+            then {
+              inherit localSystem crossSystem;
            }
-            configurationPath
-          ] ++ (lib.optionals enableDefaults [
-            sops-nix.nixosModules.sops
-            inputs.roowho2.nixosModules.default
-            self.nixosModules.rsync-pull-targets
-          ]) ++ modules;
-        }
-        (builtins.removeAttrs extraArgs [
-          "localSystem"
-          "crossSystem"
-          "modules"
-          "overlays"
-          "specialArgs"
-          "enableDefaults"
-        ])
-      );
+            else {
+              system = crossSystem;
+            }
+          );
+        pkgs = import nixpkgs commonPkgsConfig;
+        unstablePkgs = import nixpkgs-unstable commonPkgsConfig;
+      in
+        lib.nixosSystem (
+          lib.recursiveUpdate
+          {
+            system = crossSystem;
+
+            inherit pkgs;
+
+            specialArgs =
+              {
+                inherit inputs unstablePkgs;
+                values = import ./values.nix;
+                fp = path: ./${path};
+              }
+              // specialArgs;
+
+            modules =
+              [
+                {
+                  networking.hostName = lib.mkDefault name;
+                }
+                configurationPath
+              ]
+              ++ (lib.optionals enableDefaults [
+                sops-nix.nixosModules.sops
+                inputs.roowho2.nixosModules.default
+                self.nixosModules.rsync-pull-targets
+              ])
+              ++ modules;
+          }
+          (builtins.removeAttrs extraArgs [
+            "localSystem"
+            "crossSystem"
+            "modules"
+            "overlays"
+            "specialArgs"
+            "enableDefaults"
+          ])
+        );

      stableNixosConfig = name: extraArgs:
-          nixosConfig nixpkgs name ./hosts/${name}/configuration.nix extraArgs;
-    in {
-      bicep = stableNixosConfig "bicep" {
-        modules = [
-          inputs.matrix-next.nixosModules.default
-          inputs.pvv-calendar-bot.nixosModules.default
-          inputs.minecraft-heatmap.nixosModules.default
-          self.nixosModules.gickup
-          self.nixosModules.matrix-ooye
-        ];
-        overlays = [
-          inputs.pvv-calendar-bot.overlays.default
-          inputs.minecraft-heatmap.overlays.default
-          (final: prev: {
-            inherit (self.packages.${prev.stdenv.hostPlatform.system}) out-of-your-element;
-          })
-        ];
-      };
-      bekkalokk = stableNixosConfig "bekkalokk" {
-        overlays = [
-          (final: prev: {
-            mediawiki-extensions = final.callPackage ./packages/mediawiki-extensions { };
-            simplesamlphp = final.callPackage ./packages/simplesamlphp { };
-            bluemap = final.callPackage ./packages/bluemap.nix { };
-          })
-          inputs.pvv-nettsiden.overlays.default
-          inputs.qotd.overlays.default
-        ];
-        modules = [
-          inputs.pvv-nettsiden.nixosModules.default
-          self.nixosModules.bluemap
-          inputs.qotd.nixosModules.default
-        ];
-      };
-      ildkule = stableNixosConfig "ildkule" { };
-      #ildkule-unstable = unstableNixosConfig "ildkule" { };
-      skrot = stableNixosConfig "skrot" {
-        modules = [
-          inputs.disko.nixosModules.disko
-          inputs.dibbler.nixosModules.default
-        ];
-        overlays = [inputs.dibbler.overlays.default];
-      };
-      shark = stableNixosConfig "shark" { };
-      wenche = stableNixosConfig "wenche" { };
-      temmie = stableNixosConfig "temmie" { };
-      gluttony = stableNixosConfig "gluttony" { };
+        nixosConfig nixpkgs name ./hosts/${name}/configuration.nix extraArgs;
+    in
+      {
+        bicep = stableNixosConfig "bicep" {
+          modules = [
+            inputs.matrix-next.nixosModules.default
+            inputs.pvv-calendar-bot.nixosModules.default
+            inputs.minecraft-heatmap.nixosModules.default
+            self.nixosModules.gickup
+            self.nixosModules.matrix-ooye
+          ];
+          overlays = [
+            inputs.pvv-calendar-bot.overlays.default
+            inputs.minecraft-heatmap.overlays.default
+            (final: prev: {
+              inherit (self.packages.${prev.stdenv.hostPlatform.system}) out-of-your-element;
+            })
+          ];
+        };
+        bekkalokk = stableNixosConfig "bekkalokk" {
+          overlays = [
+            (final: prev: {
+              mediawiki-extensions = final.callPackage ./packages/mediawiki-extensions {};
+              simplesamlphp = final.callPackage ./packages/simplesamlphp {};
+              bluemap = final.callPackage ./packages/bluemap.nix {};
+            })
+            inputs.pvv-nettsiden.overlays.default
+            inputs.qotd.overlays.default
+          ];
+          modules = [
+            inputs.pvv-nettsiden.nixosModules.default
+            self.nixosModules.bluemap
+            inputs.qotd.nixosModules.default
+          ];
+        };
+        ildkule = stableNixosConfig "ildkule" {
+          modules = [
+            inputs.disko.nixosModules.disko
+          ];
+        };
+        #ildkule-unstable = unstableNixosConfig "ildkule" { };
+        skrot = stableNixosConfig "skrot" {
+          modules = [
+            inputs.disko.nixosModules.disko
+            inputs.dibbler.nixosModules.default
+          ];
+          overlays = [inputs.dibbler.overlays.default];
+        };
+        shark = stableNixosConfig "shark" {};
+        wenche = stableNixosConfig "wenche" {};
+        temmie = stableNixosConfig "temmie" {};
+        gluttony = stableNixosConfig "gluttony" {};

-      kommode = stableNixosConfig "kommode" {
-        overlays = [
-          inputs.nix-gitea-themes.overlays.default
-        ];
-        modules = [
-          inputs.nix-gitea-themes.nixosModules.default
-          inputs.disko.nixosModules.disko
-        ];
-      };
+        kommode = stableNixosConfig "kommode" {
+          overlays = [
+            inputs.nix-gitea-themes.overlays.default
+          ];
+          modules = [
+            inputs.nix-gitea-themes.nixosModules.default
+            inputs.disko.nixosModules.disko
+          ];
+        };

-      ustetind = stableNixosConfig "ustetind" {
-        modules = [
-         "${nixpkgs}/nixos/modules/virtualisation/lxc-container.nix"
-        ];
-      };
+        ustetind = stableNixosConfig "ustetind" {
+          modules = [
+            "${nixpkgs}/nixos/modules/virtualisation/lxc-container.nix"
+          ];
+        };

-      brzeczyszczykiewicz = stableNixosConfig "brzeczyszczykiewicz" {
-        modules = [
-          inputs.grzegorz-clients.nixosModules.grzegorz-webui
-          inputs.gergle.nixosModules.default
-          inputs.greg-ng.nixosModules.default
-        ];
-        overlays = [
-          inputs.greg-ng.overlays.default
-          inputs.gergle.overlays.default
-        ];
-      };
-      georg = stableNixosConfig "georg" {
-        modules = [
-          inputs.grzegorz-clients.nixosModules.grzegorz-webui
-          inputs.gergle.nixosModules.default
-          inputs.greg-ng.nixosModules.default
-        ];
-        overlays = [
-          inputs.greg-ng.overlays.default
-          inputs.gergle.overlays.default
-        ];
-      };
-    }
-    //
-    (let
-      machineNames = map (i: "lupine-${toString i}") (lib.range 1 5);
-      stableLupineNixosConfig = name: extraArgs:
+        brzeczyszczykiewicz = stableNixosConfig "brzeczyszczykiewicz" {
+          modules = [
+            inputs.grzegorz-clients.nixosModules.grzegorz-webui
+            inputs.gergle.nixosModules.default
+            inputs.greg-ng.nixosModules.default
+          ];
+          overlays = [
+            inputs.greg-ng.overlays.default
+            inputs.gergle.overlays.default
+          ];
+        };
+        georg = stableNixosConfig "georg" {
+          modules = [
+            inputs.grzegorz-clients.nixosModules.grzegorz-webui
+            inputs.gergle.nixosModules.default
+            inputs.greg-ng.nixosModules.default
+          ];
+          overlays = [
+            inputs.greg-ng.overlays.default
+            inputs.gergle.overlays.default
+          ];
+        };
+      }
+      // (let
+        machineNames = map (i: "lupine-${toString i}") (lib.range 1 5);
+        stableLupineNixosConfig = name: extraArgs:
          nixosConfig nixpkgs name ./hosts/lupine/configuration.nix extraArgs;
-    in lib.genAttrs machineNames (name: stableLupineNixosConfig name {
-      modules = [{ networking.hostName = name; }];
-      specialArgs.lupineName = name;
-    }));
+      in
+        lib.genAttrs machineNames (name:
+          stableLupineNixosConfig name {
+            modules = [{networking.hostName = name;}];
+            specialArgs.lupineName = name;
+          }));

    nixosModules = {
      bluemap = ./modules/bluemap.nix;
@@ -264,7 +288,8 @@
            })
          ];
        };
-      in pkgs.callPackage ./shell.nix { };
+      in
+        pkgs.callPackage ./shell.nix {};
      cuda = let
        cuda-pkgs = import nixpkgs-unstable {
          inherit system;
@@ -273,81 +298,88 @@
            cudaSupport = true;
          };
        };
-      in cuda-pkgs.callPackage ./shells/cuda.nix { };
+      in
+        cuda-pkgs.callPackage ./shells/cuda.nix {};
    });

    packages = {
      "x86_64-linux" = let
        system = "x86_64-linux";
        pkgs = nixpkgs.legacyPackages.${system};
-      in rec {
-        default = important-machines;
-        important-machines = pkgs.linkFarm "important-machines"
-          (lib.getAttrs importantMachines self.packages.${system});
-        all-machines = pkgs.linkFarm "all-machines"
-          (lib.getAttrs allMachines self.packages.${system});
+      in
+        rec {
+          default = important-machines;
+          important-machines =
+            pkgs.linkFarm "important-machines"
+            (lib.getAttrs importantMachines self.packages.${system});
+          all-machines =
+            pkgs.linkFarm "all-machines"
+            (lib.getAttrs allMachines self.packages.${system});

-        simplesamlphp = pkgs.callPackage ./packages/simplesamlphp { };
+          simplesamlphp = pkgs.callPackage ./packages/simplesamlphp {};

-        bluemap = pkgs.callPackage ./packages/bluemap.nix { };
+          bluemap = pkgs.callPackage ./packages/bluemap.nix {};

-        out-of-your-element = pkgs.callPackage ./packages/ooye/package.nix { };
-      }
-      //
-      # Mediawiki extensions
-      (lib.pipe null [
-        (_: pkgs.callPackage ./packages/mediawiki-extensions { })
-        (lib.flip builtins.removeAttrs ["override" "overrideDerivation"])
-        (lib.mapAttrs' (name: lib.nameValuePair "mediawiki-${name}"))
-      ])
-      //
-      # Machines
-      lib.genAttrs allMachines
+          out-of-your-element = pkgs.callPackage ./packages/ooye/package.nix {};
+        }
+        //
+        # Mediawiki extensions
+        (lib.pipe null [
+          (_: pkgs.callPackage ./packages/mediawiki-extensions {})
+          (lib.flip builtins.removeAttrs ["override" "overrideDerivation"])
+          (lib.mapAttrs' (name: lib.nameValuePair "mediawiki-${name}"))
+        ])
+        //
+        # Machines
+        lib.genAttrs allMachines
        (machine: self.nixosConfigurations.${machine}.config.system.build.toplevel)
-      //
-      # Nix-topology
-      (let
-        topology' = import inputs.nix-topology {
-          pkgs = import nixpkgs {
-            inherit system;
-            overlays = [
-              inputs.nix-topology.overlays.default
-              (final: prev: {
-                inherit (nixpkgs-unstable.legacyPackages.${system}) super-tiny-icons;
-              })
+        //
+        # Nix-topology
+        (let
+          topology' = import inputs.nix-topology {
+            pkgs = import nixpkgs {
+              inherit system;
+              overlays = [
+                inputs.nix-topology.overlays.default
+                (final: prev: {
+                  inherit (nixpkgs-unstable.legacyPackages.${system}) super-tiny-icons;
+                })
+              ];
+            };
+
+            specialArgs = {
+              values = import ./values.nix;
+            };
+
+            modules = [
+              ./topology
+              {
+                nixosConfigurations = lib.mapAttrs (_name: nixosCfg:
+                  nixosCfg.extendModules {
+                    modules = [
+                      inputs.nix-topology.nixosModules.default
+                      ./topology/service-extractors/greg-ng.nix
+                      ./topology/service-extractors/postgresql.nix
+                      ./topology/service-extractors/mysql.nix
+                      ./topology/service-extractors/gitea-runners.nix
+                    ];
+                  })
+                self.nixosConfigurations;
+              }
            ];
          };
-
-          specialArgs = {
-            values = import ./values.nix;
-          };
-
-          modules = [
-            ./topology
-            {
-              nixosConfigurations = lib.mapAttrs (_name: nixosCfg: nixosCfg.extendModules {
-                modules = [
-                  inputs.nix-topology.nixosModules.default
-                  ./topology/service-extractors/greg-ng.nix
-                  ./topology/service-extractors/postgresql.nix
-                  ./topology/service-extractors/mysql.nix
-                  ./topology/service-extractors/gitea-runners.nix
-                ];
-              }) self.nixosConfigurations;
-            }
-          ];
-        };
-      in {
-        topology = topology'.config.output;
-        topology-png = pkgs.runCommand "pvv-config-topology-png" {
-          nativeBuildInputs = [ pkgs.writableTmpDirAsHomeHook ];
-        } ''
-          mkdir -p "$out"
-          for file in '${topology'.config.output}'/*.svg; do
-            ${lib.getExe pkgs.imagemagick} -density 300 -background none "$file" "$out"/"$(basename "''${file%.svg}.png")"
-          done
-        '';
-      });
+        in {
+          topology = topology'.config.output;
+          topology-png =
+            pkgs.runCommand "pvv-config-topology-png" {
+              nativeBuildInputs = [pkgs.writableTmpDirAsHomeHook];
+            } ''
+              mkdir -p "$out"
+              for file in '${topology'.config.output}'/*.svg; do
+                ${lib.getExe pkgs.imagemagick} -density 300 -background none "$file" "$out"/"$(basename "''${file%.svg}.png")"
+              done
+            '';
+        });
    };
  };
 }
--- a/hosts/bekkalokk/services/website/default.nix
+++ b/hosts/bekkalokk/services/website/default.nix
@@ -80,9 +80,40 @@ in {
  };

  services.phpfpm.pools."pvv-nettsiden".settings = {
-    # "php_admin_value[error_log]" = "stderr";
+    "php_admin_value[error_log]" = "syslog";
    "php_admin_flag[log_errors]" = true;
    "catch_workers_output" = true;
+
+    "php_admin_value[max_execution_time]" = "30";
+    "request_terminate_timeout" = "60s";
+
+    "php_admin_value[sendmail_path]" = let
+      fakeSendmail = pkgs.writeShellApplication {
+        name = "fake-sendmail";
+        text = ''
+          TIMESTAMP="$(date +%Y-%m-%d-%H-%M-%S-%N)"
+          (
+            echo "SENDMAIL ARGS:"
+            echo "$@"
+            echo "SENDMAIL STDIN:"
+            cat -
+          ) > "/var/lib/pvv-nettsiden/emails/$TIMESTAMP.mail"
+        '';
+      };
+    in lib.getExe fakeSendmail;
+
+    "php_admin_value[disable_functions]" = lib.concatStringsSep "," [
+      "curl_exec"
+      "curl_multi_exec"
+      "exec"
+      "parse_ini_file"
+      "passthru"
+      "popen"
+      "proc_open"
+      "shell_exec"
+      "show_source"
+      "system"
+    ];
  };

  services.nginx.virtualHosts."pvv.ntnu.no" = {
--- a/hosts/bekkalokk/services/website/fetch-gallery.nix
+++ b/hosts/bekkalokk/services/website/fetch-gallery.nix
@@ -40,15 +40,15 @@ in {
    path = with pkgs; [ imagemagick gnutar gzip ];

    script = ''
-      tar ${lib.cli.toGNUCommandLineShell {} {
+      tar ${lib.cli.toCommandLineShellGNU { } {
        extract = true;
        file = "${transferDir}/gallery.tar.gz";
        directory = ".";
      }}

      # Delete files and directories that exists in the gallery that don't exist in the tarball
-      filesToRemove=$(uniq -u <(sort <(find . -not -path "./.thumbnails*") <(tar -tf ${transferDir}/gallery.tar.gz | sed 's|/$||')))
-      while IFS= read fname; do
+      filesToRemove=$(uniq -u <(sort <(find . -not -path './.thumbnails*') <(tar -tf '${transferDir}/gallery.tar.gz' | sed 's|/$||')))
+      while IFS= read -r fname; do
        rm -f "$fname" ||:
        rm -f ".thumbnails/$fname.png" ||:
      done <<< "$filesToRemove"
@@ -56,9 +56,9 @@ in {
      find . -type d -empty -delete

      mkdir -p .thumbnails
-      images=$(find . -type f -not -path "./.thumbnails*")
+      images=$(find . -type f -not -path './.thumbnails*')

-      while IFS= read fname; do
+      while IFS= read -r fname; do
        # Skip this file if an up-to-date thumbnail already exists
        if [ -f ".thumbnails/$fname.png" ] && \
          [ "$(date -R -r "$fname")" == "$(date -R -r ".thumbnails/$fname.png")" ]
@@ -67,7 +67,7 @@ in {
        fi

        echo "Creating thumbnail for $fname"
-        mkdir -p $(dirname ".thumbnails/$fname")
+        mkdir -p "$(dirname ".thumbnails/$fname")"
        magick -define jpeg:size=200x200 "$fname" -thumbnail 300 -auto-orient ".thumbnails/$fname.png" ||:
        touch -m -d "$(date -R -r "$fname")" ".thumbnails/$fname.png"
      done <<< "$images"
--- a/hosts/bicep/services/matrix/livekit.nix
+++ b/hosts/bicep/services/matrix/livekit.nix
@@ -64,4 +64,11 @@ in
      '';
    };
  };
+
+  networking.firewall.allowedUDPPortRanges = [
+    {
+      from = cfg.settings.rtc.port_range_start;
+      to = cfg.settings.rtc.port_range_end;
+    }
+  ];
 }
--- a/hosts/bicep/services/mysql/backup.nix
+++ b/hosts/bicep/services/mysql/backup.nix
@@ -57,7 +57,7 @@ in
      rm "$STATE_DIRECTORY/mysql-dump-latest.sql.zst" ||:
      ln -T "$OUT_FILE" "$STATE_DIRECTORY/mysql-dump-latest.sql.zst"

-      while [ "$(find "$STATE_DIRECTORY" -type f -printf '.' | wc -c)" -gt ${toString (rotations + 1)} ]; do
+      while [ "$(find "$STATE_DIRECTORY" -type f -printf '.' | wc -c)" -gt '${toString (rotations + 1)}' ]; do
        rm "$(find "$STATE_DIRECTORY" -type f -printf '%T+ %p\n' | sort | head -n 1 | cut -d' ' -f2)"
      done
    '';
--- a/hosts/bicep/services/postgresql/backup.nix
+++ b/hosts/bicep/services/postgresql/backup.nix
@@ -58,7 +58,7 @@ in
      rm "$STATE_DIRECTORY/postgresql-dump-latest.sql.zst" ||:
      ln -T "$OUT_FILE" "$STATE_DIRECTORY/postgresql-dump-latest.sql.zst"

-      while [ "$(find "$STATE_DIRECTORY" -type f -printf '.' | wc -c)" -gt ${toString (rotations + 1)} ]; do
+      while [ "$(find "$STATE_DIRECTORY" -type f -printf '.' | wc -c)" -gt '${toString (rotations + 1)}' ]; do
        rm "$(find "$STATE_DIRECTORY" -type f -printf '%T+ %p\n' | sort | head -n 1 | cut -d' ' -f2)"
      done
    '';
--- a/hosts/bicep/services/postgresql/cleanup-timers.nix
+++ b/hosts/bicep/services/postgresql/cleanup-timers.nix
@@ -0,0 +1,37 @@
+{ config, lib, pkgs, ... }:
+let
+  cfg = config.services.postgresql;
+in
+{
+  config = lib.mkIf cfg.enable {
+    systemd.services = {
+      postgresql-repack = {
+        requires = [ "postgresql.service" ];
+        after = [ "postgresql.target" ];
+        description = "Repack all PostgreSQL databases";
+        startAt = "Mon 06:00:00";
+        serviceConfig = {
+          Type = "oneshot";
+          User = "postgres";
+          Group = "postgres";
+
+          ExecStart = "${lib.getExe cfg.package.pkgs.pg_repack} --port=${builtins.toString cfg.settings.port} --all";
+        };
+      };
+
+      postgresql-vacuum-analyze = {
+        requires = [ "postgresql.service" ];
+        after = [ "postgresql.target" ];
+        description = "Vacuum and analyze all PostgreSQL databases";
+        startAt = "Tue 06:00:00";
+        serviceConfig = {
+          Type = "oneshot";
+          User = "postgres";
+          Group = "postgres";
+
+          ExecStart = "${lib.getExe' cfg.package "psql"} --port=${builtins.toString cfg.settings.port} -tAc 'VACUUM ANALYZE'";
+        };
+      };
+    };
+  };
+}
--- a/hosts/bicep/services/postgresql/default.nix
+++ b/hosts/bicep/services/postgresql/default.nix
@@ -3,11 +3,15 @@ let
  cfg = config.services.postgresql;
 in
 {
-  imports = [ ./backup.nix ];
+  imports = [
+    ./backup.nix
+    ./cleanup-timers.nix
+  ];

  services.postgresql = {
    enable = true;
    package = pkgs.postgresql_18;
+    extensions = ps: with ps; [ pg_repack ];
    enableTCPIP = true;

    authentication = ''
--- a/hosts/gluttony/hardware-configuration.nix
+++ b/hosts/gluttony/hardware-configuration.nix
@@ -22,7 +22,7 @@
    "sd_mod"
  ];
  boot.initrd.kernelModules = [ "dm-snapshot" ];
-  boot.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" ];
  boot.extraModulePackages = [ ];

  fileSystems."/" = {
@@ -31,7 +31,7 @@
  };

  fileSystems."/boot" = {
-    device = "/dev/disk/by-uuid/933A-3005";
+    device = "/dev/disk/by-uuid/BD97-FCA0";
    fsType = "vfat";
    options = [
      "fmask=0077"
--- a/hosts/ildkule/configuration.nix
+++ b/hosts/ildkule/configuration.nix
@@ -1,17 +1,23 @@
-{ config, fp, pkgs, lib, values, ... }:
 {
+  config,
+  fp,
+  pkgs,
+  lib,
+  values,
+  ...
+}: {
  imports = [
-      # Include the results of the hardware scan.
-      ./hardware-configuration.nix
-      (fp /base)
+    ./hardware-configuration.nix
+    ./disks.nix
+    (fp /base)

-      ./services/monitoring
-      ./services/nginx
-      ./services/journald-remote.nix
-    ];
+    ./services/monitoring
+    ./services/nginx
+    ./services/journald-remote.nix
+  ];

-  boot.loader.systemd-boot.enable = false;
-  boot.loader.grub.device = "/dev/vda";
+  boot.loader.grub.enable = true;
+  boot.loader.systemd-boot.enable = lib.mkForce false;
  boot.tmp.cleanOnBoot = true;
  zramSwap.enable = true;

@@ -27,13 +33,22 @@
    nameservers = values.defaultNetworkConfig.dns;
    defaultGateway.address = hostConf.ipv4_internal_gw;

-    interfaces."ens4" = {
+    interfaces."ens3" = {
      ipv4.addresses = [
-        { address = hostConf.ipv4;          prefixLength = 32; }
-        { address = hostConf.ipv4_internal; prefixLength = 24; }
+        {
+          address = hostConf.ipv4;
+          prefixLength = 32;
+        }
+        {
+          address = hostConf.ipv4_internal;
+          prefixLength = 24;
+        }
      ];
      ipv6.addresses = [
-        { address = hostConf.ipv6;          prefixLength = 64; }
+        {
+          address = hostConf.ipv6;
+          prefixLength = 64;
+        }
      ];
    };
  };
--- a/hosts/ildkule/disks.nix
+++ b/hosts/ildkule/disks.nix
@@ -0,0 +1,27 @@
+{
+  disko.devices = {
+    disk = {
+      sda = {
+        device = "/dev/sda";
+        type = "disk";
+        content = {
+          type = "gpt";
+          partitions = {
+            bios = {
+              size = "1M";
+              type = "EF02";
+            };
+            root = {
+              size = "100%";
+              content = {
+                type = "filesystem";
+                format = "ext4";
+                mountpoint = "/";
+              };
+            };
+          };
+        };
+      };
+    };
+  };
+}
--- a/hosts/ildkule/hardware-configuration.nix
+++ b/hosts/ildkule/hardware-configuration.nix
@@ -1,16 +1,24 @@
-{ modulesPath, lib, ... }:
-{
-  imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
-  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi" ];
-  boot.initrd.kernelModules = [ "nvme" ];
-  fileSystems."/" = {
-    device = "/dev/disk/by-uuid/e35eb4ce-aac3-4f91-8383-6e7cd8bbf942";
-    fsType = "ext4";
-  };
-  fileSystems."/data" = {
-    device = "/dev/disk/by-uuid/0a4c1234-02d3-4b53-aeca-d95c4c8d534b";
-    fsType = "ext4";
-  };
+# Do not modify this file!  It was generated by 'nixos-generate-config'
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:

+{
+  imports =
+    [ (modulesPath + "/profiles/qemu-guest.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.ens3.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
 }
--- a/hosts/kommode/services/gitea/customization/default.nix
+++ b/hosts/kommode/services/gitea/customization/default.nix
@@ -99,23 +99,23 @@ in
        ];
      } ''
        # Bigger icons
-        install -Dm444 "${cfg.package.src}/templates/repo/icon.tmpl" "$out/repo/icon.tmpl"
+        install -Dm444 '${cfg.package.src}/templates/repo/icon.tmpl' "$out/repo/icon.tmpl"
        sed -i -e 's/24/60/g' "$out/repo/icon.tmpl"
      '';
    in ''
-      install -Dm444 ${logo-svg} ${cfg.customDir}/public/assets/img/logo.svg
-      install -Dm444 ${logo-png} ${cfg.customDir}/public/assets/img/logo.png
-      install -Dm444 ${./loading.apng} ${cfg.customDir}/public/assets/img/loading.png
-      install -Dm444 ${extraLinks} ${cfg.customDir}/templates/custom/extra_links.tmpl
-      install -Dm444 ${extraLinksFooter} ${cfg.customDir}/templates/custom/extra_links_footer.tmpl
-      install -Dm444 ${project-labels} ${cfg.customDir}/options/label/project-labels.yaml
+      install -Dm444 '${logo-svg}' '${cfg.customDir}/public/assets/img/logo.svg'
+      install -Dm444 '${logo-png}' '${cfg.customDir}/public/assets/img/logo.png'
+      install -Dm444 '${./loading.apng}' '${cfg.customDir}/public/assets/img/loading.png'
+      install -Dm444 '${extraLinks}' '${cfg.customDir}/templates/custom/extra_links.tmpl'
+      install -Dm444 '${extraLinksFooter}' '${cfg.customDir}/templates/custom/extra_links_footer.tmpl'
+      install -Dm444 '${project-labels}' '${cfg.customDir}/options/label/project-labels.yaml'

-      install -Dm644 ${./emotes/bruh.png} ${cfg.customDir}/public/assets/img/emoji/bruh.png
-      install -Dm644 ${./emotes/huh.gif} ${cfg.customDir}/public/assets/img/emoji/huh.png
-      install -Dm644 ${./emotes/grr.png} ${cfg.customDir}/public/assets/img/emoji/grr.png
-      install -Dm644 ${./emotes/okiedokie.jpg} ${cfg.customDir}/public/assets/img/emoji/okiedokie.png
+      install -Dm644 '${./emotes/bruh.png}' '${cfg.customDir}/public/assets/img/emoji/bruh.png'
+      install -Dm644 '${./emotes/huh.gif}' '${cfg.customDir}/public/assets/img/emoji/huh.png'
+      install -Dm644 '${./emotes/grr.png}' '${cfg.customDir}/public/assets/img/emoji/grr.png'
+      install -Dm644 '${./emotes/okiedokie.jpg}' '${cfg.customDir}/public/assets/img/emoji/okiedokie.png'

-      "${lib.getExe pkgs.rsync}" -a "${customTemplates}/" ${cfg.customDir}/templates/
+      '${lib.getExe pkgs.rsync}' -a '${customTemplates}/' '${cfg.customDir}/templates/'
    '';
  };
 }
--- a/hosts/kommode/services/gitea/default.nix
+++ b/hosts/kommode/services/gitea/default.nix
@@ -134,9 +134,6 @@ in {
        ALLOW_FORK_INTO_SAME_OWNER = true;
      };
      picture = {
-        DISABLE_GRAVATAR = true;
-        ENABLE_FEDERATED_AVATAR = false;
-
        AVATAR_MAX_FILE_SIZE = 1024 * 1024 * 5;
        # NOTE: go any bigger than this, and gitea will freeze your gif >:(
        AVATAR_MAX_ORIGIN_SIZE = 1024 * 1024 * 2;
@@ -217,7 +214,7 @@ in {

  systemd.services.gitea-dump = {
    serviceConfig.ExecStart = let
-      args = lib.cli.toGNUCommandLineShell { } {
+      args = lib.cli.toCommandLineShellGNU { } {
        type = cfg.dump.type;

        # This should be declarative on nixos, no need to backup.
--- a/hosts/kommode/services/gitea/web-secret-provider/default.nix
+++ b/hosts/kommode/services/gitea/web-secret-provider/default.nix
@@ -53,7 +53,7 @@ in
      Slice = "system-giteaweb.slice";
      Type = "oneshot";
      ExecStart = let
-        args = lib.cli.toGNUCommandLineShell { } {
+        args = lib.cli.toCommandLineShellGNU { } {
          org = "%i";
          token-path = "%d/token";
          api-url = "${giteaCfg.settings.server.ROOT_URL}api/v1";
--- a/hosts/lupine/hardware-configuration/lupine-1.nix
+++ b/hosts/lupine/hardware-configuration/lupine-1.nix
@@ -1,4 +1,4 @@
-# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# Do not modify this file!  It was generated by 'nixos-generate-config'
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 { config, lib, pkgs, modulesPath, ... }:
--- a/hosts/lupine/hardware-configuration/lupine-3.nix
+++ b/hosts/lupine/hardware-configuration/lupine-3.nix
@@ -1,4 +1,4 @@
-# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# Do not modify this file!  It was generated by 'nixos-generate-config'
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 { config, lib, pkgs, modulesPath, ... }:
--- a/hosts/lupine/hardware-configuration/lupine-5.nix
+++ b/hosts/lupine/hardware-configuration/lupine-5.nix
@@ -1,4 +1,4 @@
-# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# Do not modify this file!  It was generated by 'nixos-generate-config'
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 { config, lib, pkgs, modulesPath, ... }:
--- a/hosts/temmie/configuration.nix
+++ b/hosts/temmie/configuration.nix
@@ -6,7 +6,7 @@
    (fp /base)

    ./services/nfs-mounts.nix
-    ./services/userweb.nix
+    ./services/userweb
  ];

  systemd.network.networks."30-ens18" = values.defaultNetworkConfig // {
--- a/hosts/temmie/services/userweb/default.nix
+++ b/hosts/temmie/services/userweb/default.nix
@@ -4,19 +4,39 @@ let

  homeLetters = [ "a" "b" "c" "d" "h" "i" "j" "k" "l" "m" "z" ];

+  phpOptions = lib.concatStringsSep "\n" (lib.mapAttrsToList (k: v: "${k} = ${v}"){
+    display_errors = "Off";
+    display_startup_errors = "Off";
+    post_max_size = "40M";
+    upload_max_filesize = "40M";
+  });
+
  # https://nixos.org/manual/nixpkgs/stable/#ssec-php-user-guide-installing-with-extensions
  phpEnv = pkgs.php.buildEnv {
    extensions = { all, ... }: with all; [
+      bz2
+      curl
+      decimal
+      gd
      imagick
-      opcache
-      protobuf
+      mysqli
+      mysqlnd
+      pgsql
+      posix
+      protobuf sqlite3
+      uuid
+      xml
+      xsl
+      zlib
+      zstd
+
+      pdo
+      pdo_mysql
+      pdo_pgsql
+      pdo_sqlite
    ];

-    extraConfig = ''
-      display_errors=0
-      post_max_size = 40M
-      upload_max_filesize = 40M
-    '';
+    extraConfig = phpOptions;
  };

  perlEnv = pkgs.perl.withPackages (ps: with ps; [
@@ -25,38 +45,15 @@ let
    pkgs.irssi
    pkgs.nix.libs.nix-perl-bindings

-    AlgorithmDiff
-    AnyEvent
-    AnyEventI3
-    ArchiveZip
    CGI
-    CPAN
-    CPANPLUS
    DBDPg
    DBDSQLite
+    DBDmysql
    DBI
-    EmailAddress
-    EmailSimple
-    Env
    Git
-    HTMLMason
-    HTMLParser
-    HTMLTagset
-    HTTPDAV
-    HTTPDaemon
    ImageMagick
    JSON
-    LWP
-    MozillaCA
-    PathTiny
-    Switch
-    SysSyslog
-    TestPostgreSQL
-    TextPDF
-    TieFile
-    Tk
-    URI
-    XMLLibXML
+    TemplateToolkit
  ]);

  # https://nixos.org/manual/nixpkgs/stable/#python.buildenv-function
@@ -70,102 +67,88 @@ let
    ignoreCollisions = true;
  };

+  sendmailWrapper = pkgs.writeShellApplication {
+    name = "sendmail";
+    runtimeInputs = [ ];
+    text = ''
+      args=("$@")
+
+      if [[ -z "$USERDIR_USER" ]] && [[ "$USERDIR_USER" != "pvv" ]]; then
+          # Prepend -fusername to the argument list, so bounces go to the user
+          args=("-f$USERDIR_USER" "''${args[@]}")
+      fi
+
+      exec '${lib.getExe pkgs.system-sendmail}' "''${args[@]}"
+    '';
+  };
+
  # https://nixos.org/manual/nixpkgs/stable/#sec-building-environment
  fhsEnv = pkgs.buildEnv {
    name = "userweb-env";
+    ignoreCollisions = true;
    paths = with pkgs; [
      bash

+      sendmailWrapper
+
      perlEnv
      pythonEnv
-
      phpEnv
    ]
    ++ (with phpEnv.packages; [
      # composer
    ])
    ++ [
+      # Useful packages for homepages
+      exiftool
+      gnuplot
+      ikiwiki-full
+      imagemagick
+      jhead
+      ruby
+      sbcl
+      sourceHighlight
+
+      # Missing packages from tom
+      # blosxom
+      # pyblosxom
+      # mediawiki (TODO: do people host their own mediawikis in userweb?)
+      # nanoblogger
+
+      # Version control
+      cvs
+      rcs
+      git
+
+      # Compression/Archival
+      bzip2
+      gnutar
+      gzip
+      lz4
+      unzip
+      xz
+      zip
+      zstd
+
+      # Other tools you might expect to find on a normal system
      acl
-      aspell
-      autoconf
-      autotrash
-      bazel
-      bintools
-      bison
-      bsd-finger
-      catdoc
-      ccache
-      clang
-      cmake
      coreutils-full
      curl
-      devcontainer
      diffutils
-      emacs
-      # exiftags
-      exiftool
-      ffmpeg
      file
      findutils
      gawk
-      gcc
-      glibc
      gnugrep
      gnumake
      gnupg
-      gnuplot
      gnused
-      gnutar
-      gzip
-      html-tidy
-      imagemagick
-      inetutils
-      iproute2
-      jhead
      less
-      libgcc
-      lndir
-      mailutils
-      man # TODO: does this one want a mandb instance?
-      meson
-      more
-      mpc
-      mpi
-      mplayer
-      ninja
-      nix
-      openssh
-      openssl
-      patchelf
-      pkg-config
-      ppp
-      procmail
-      procps
-      qemu
-      rc
-      rhash
-      rsync
-      ruby # TODO: does this one want systemwide packages?
-      salt
-      sccache
-      sourceHighlight
-      spamassassin
-      strace
-      subversion
-      system-sendmail
-      systemdMinimal
-      texliveMedium
-      tmux
-      unzip
+      man
      util-linux
-      valgrind
      vim
      wget
      which
-      wine
      xdg-utils
-      zip
-      zstd
    ];

    extraOutputsToInstall = [
@@ -175,6 +158,10 @@ let
  };
 in
 {
+  imports = [
+    ./mail.nix
+  ];
+
  services.httpd = {
    enable = true;
    adminAddr = "drift@pvv.ntnu.no";
@@ -189,6 +176,7 @@ in

    enablePHP = true;
    phpPackage = phpEnv;
+    inherit phpOptions;

    enablePerl = true;

@@ -225,12 +213,32 @@ in
        UserDir disabled root
        AddHandler cgi-script .cgi
        DirectoryIndex index.html index.html.var index.php index.php3 index.cgi index.phtml index.shtml meg.html
+        SetEnvIf Request_URI "^/~([^/]+)" USERDIR_USER=$1

        <Directory "/home/pvv/?/*/web-docs">
          Options MultiViews Indexes SymLinksIfOwnerMatch ExecCGI IncludesNoExec
          AllowOverride All
          Require all granted
        </Directory>
+
+        <DirectoryMatch "^/home/pvv/.*/web-docs/(${lib.concatStringsSep "|" [
+          "\\.git"
+          "\\.hg"
+          "\\.svn"
+          "\\.ssh"
+          "\\.env"
+          "\\.envrc"
+          "\\.bzr"
+          "\\.venv"
+          "CVS"
+          "RCS"
+          ".*\\.swp"
+          ".*\\.bak"
+          ".*~"
+        ]})(/|$)">
+            AllowOverride All
+            Require all denied
+        </DirectoryMatch>
      '';
    };
  };
--- a/hosts/temmie/services/userweb/mail.nix
+++ b/hosts/temmie/services/userweb/mail.nix
@@ -0,0 +1,12 @@
+{ config, lib, ... }:
+{
+  services.postfix.enable = lib.mkForce false;
+
+  services.nullmailer = {
+    enable = true;
+    config = {
+      me = config.networking.fqdn;
+      remotes = "mail.pvv.ntnu.no smtp --port=25";
+    };
+  };
+}
--- a/modules/matrix-ooye.nix
+++ b/modules/matrix-ooye.nix
@@ -77,29 +77,29 @@ in

        id
        echo "Before if statement"
-        stat ''${REGISTRATION_FILE}
+        stat "''${REGISTRATION_FILE}"

-        if [[ ! -f ''${REGISTRATION_FILE} ]]; then
+        if [[ ! -f "''${REGISTRATION_FILE}" ]]; then
          echo "No registration file found at '$REGISTRATION_FILE'"
-          cp --no-preserve=mode,ownership ${baseConfig} ''${REGISTRATION_FILE}
+          cp --no-preserve=mode,ownership "${baseConfig}" "''${REGISTRATION_FILE}"
        fi

        echo "After if statement"
-        stat ''${REGISTRATION_FILE}
+        stat "''${REGISTRATION_FILE}"

-        AS_TOKEN=$(${lib.getExe pkgs.jq} -r .as_token ''${REGISTRATION_FILE})
-        HS_TOKEN=$(${lib.getExe pkgs.jq} -r .hs_token ''${REGISTRATION_FILE})
-        DISCORD_TOKEN=$(cat /run/credentials/matrix-ooye-pre-start.service/discord_token)
-        DISCORD_CLIENT_SECRET=$(cat /run/credentials/matrix-ooye-pre-start.service/discord_client_secret)
+        AS_TOKEN="$('${lib.getExe pkgs.jq}' -r .as_token "''${REGISTRATION_FILE}")"
+        HS_TOKEN="$('${lib.getExe pkgs.jq}' -r .hs_token "''${REGISTRATION_FILE}")"
+        DISCORD_TOKEN="$(cat /run/credentials/matrix-ooye-pre-start.service/discord_token)"
+        DISCORD_CLIENT_SECRET="$(cat /run/credentials/matrix-ooye-pre-start.service/discord_client_secret)"

        # Check if we have all required tokens
        if [[ -z "$AS_TOKEN" || "$AS_TOKEN" == "null" ]]; then
-          AS_TOKEN=$(${lib.getExe pkgs.openssl} rand -hex 64)
+          AS_TOKEN="$('${lib.getExe pkgs.openssl}' rand -hex 64)"
          echo "Generated new AS token: ''${AS_TOKEN}"
        fi

        if [[ -z "$HS_TOKEN" || "$HS_TOKEN" == "null" ]]; then
-          HS_TOKEN=$(${lib.getExe pkgs.openssl} rand -hex 64)
+          HS_TOKEN="$('${lib.getExe pkgs.openssl}' rand -hex 64)"
          echo "Generated new HS token: ''${HS_TOKEN}"
        fi

@@ -115,13 +115,13 @@ in
          exit 1
        fi

-        shred -u ''${REGISTRATION_FILE}
-        cp --no-preserve=mode,ownership ${baseConfig} ''${REGISTRATION_FILE}
+        shred -u "''${REGISTRATION_FILE}"
+        cp --no-preserve=mode,ownership "${baseConfig}" "''${REGISTRATION_FILE}"

-        ${lib.getExe pkgs.jq} '.as_token = "'$AS_TOKEN'" | .hs_token = "'$HS_TOKEN'" | .ooye.discord_token = "'$DISCORD_TOKEN'" | .ooye.discord_client_secret = "'$DISCORD_CLIENT_SECRET'"' ''${REGISTRATION_FILE} > ''${REGISTRATION_FILE}.tmp
+        '${lib.getExe pkgs.jq}' '.as_token = "'$AS_TOKEN'" | .hs_token = "'$HS_TOKEN'" | .ooye.discord_token = "'$DISCORD_TOKEN'" | .ooye.discord_client_secret = "'$DISCORD_CLIENT_SECRET'"' "''${REGISTRATION_FILE}" > "''${REGISTRATION_FILE}.tmp"

-        shred -u ''${REGISTRATION_FILE}
-        mv ''${REGISTRATION_FILE}.tmp ''${REGISTRATION_FILE}
+        shred -u "''${REGISTRATION_FILE}"
+        mv "''${REGISTRATION_FILE}.tmp" "''${REGISTRATION_FILE}"
      '';

    in
--- a/modules/snakeoil-certs.nix
+++ b/modules/snakeoil-certs.nix
@@ -51,24 +51,24 @@ in
      script = let
        openssl = lib.getExe pkgs.openssl;
      in lib.concatMapStringsSep "\n" ({ name, value }: ''
-        mkdir -p $(dirname "${value.certificate}") $(dirname "${value.certificateKey}")
-        if ! ${openssl} x509 -checkend 86400 -noout -in ${value.certificate}
+        mkdir -p "$(dirname '${value.certificate}')" "$(dirname '${value.certificateKey}')"
+        if ! ${openssl} x509 -checkend 86400 -noout -in '${value.certificate}'
        then
          echo "Regenerating '${value.certificate}'"
          ${openssl} req \
            -newkey rsa:4096 \
            -new -x509 \
-            -days "${toString value.daysValid}" \
+            -days '${toString value.daysValid}' \
            -nodes \
-            -subj "${value.subject}" \
-            -out "${value.certificate}" \
-            -keyout "${value.certificateKey}" \
+            -subj '${value.subject}' \
+            -out '${value.certificate}' \
+            -keyout '${value.certificateKey}' \
            ${lib.escapeShellArgs value.extraOpenSSLArgs}
        fi
-        chown "${value.owner}:${value.group}" "${value.certificate}"
-        chown "${value.owner}:${value.group}" "${value.certificateKey}"
-        chmod "${value.mode}" "${value.certificate}"
-        chmod "${value.mode}" "${value.certificateKey}"
+        chown '${value.owner}:${value.group}' '${value.certificate}'
+        chown '${value.owner}:${value.group}' '${value.certificateKey}'
+        chmod '${value.mode}' '${value.certificate}'
+        chmod '${value.mode}' '${value.certificateKey}'

        echo "\n-----------------\n"
      '') (lib.attrsToList cfg);
--- a/packages/mediawiki-extensions/default.nix
+++ b/packages/mediawiki-extensions/default.nix
@@ -33,63 +33,63 @@ in
 lib.mergeAttrsList [
  (mw-ext {
    name = "CodeEditor";
-    commit = "83e1d0c13f34746f0d7049e38b00e9ab0a47c23f";
-    hash = "sha256-qH9fSQZGA+z6tBSh1DaTKLcujqA6K/vQmZML9w5X8mU=";
+    commit = "2db9c9cef35d88a0696b926e8e4ea2d479d0d73a";
+    hash = "sha256-f0tWJl/4hml+RCp7OoIpQ4WSGKE3/z8DTYOAOHbLA9A=";
  })
  (mw-ext {
    name = "CodeMirror";
-    commit = "af2b08b9ad2b89a64b2626cf80b026c5b45e9922";
-    hash = "sha256-CxXPwCKUlF9Tg4JhwLaKQyvt43owq75jCugVtb3VX+I=";
+    commit = "b16e614c3c4ba68c346b8dd7393ab005ab127441";
+    hash = "sha256-J/TJPo5Oxgpy6UQINivLKl8jzJp4k/mKv6br3kcCSMQ=";
  })
  (mw-ext {
    name = "DeleteBatch";
-    commit = "3d6f2fd0e3efdae1087dd0cc8b1f96fe0edf734f";
-    hash = "sha256-iD9EjDIW7AGpZan74SIRcr54dV8W7xMKIDjatjdVkKs=";
+    commit = "1b947c0f80249cf052b58138f830b379edf080bc";
+    hash = "sha256-629RCz+38m2pfyJe/CrYutRoDyN1HzD0KzDdC2wwqlI=";
  })
  (mw-ext {
    name = "PluggableAuth";
-    commit = "85e96acd1ac0ebcdaa29c20eae721767a938f426";
-    hash = "sha256-bMVhrg8FsfWhXF605Cj5TgI0A6Jy/MIQ5aaUcLQQ0Ss=";
+    commit = "56893b8ee9ecd03eaee256e08c38bc82657ee0a1";
+    hash = "sha256-gvoJey7YLMk+toutQTdWxpaedNDr59E+3xXWmXWCGl0=";
  })
  (mw-ext {
    name = "Popups";
-    commit = "410e2343c32a7b18dcdc2bbd995b0bfdf3bf5f37";
-    hash = "sha256-u2AlR75x54rCpiK9Mz00D9odJCn8fmi6DRU4QKmKqSc=";
+    commit = "6732d8d195bd8312779d8514e92bad372ef63096";
+    hash = "sha256-XZzhA9UjAOUMcoGYYwiqRg2uInZ927JOZ9/IrZtarJU=";
  })
  (mw-ext {
    name = "Scribunto";
-    commit = "904f323f343dba5ff6a6cdd143c4a8ef5b7d2c55";
-    hash = "sha256-ZOVYhjMMyWbqwZOBb39hMIRmzzCPEnz2y8Q2jgyeERw=";
+    commit = "fc9658623bd37fad352e326ce81b2a08ef55f04d";
+    hash = "sha256-P9WQk8O9qP+vXsBS9A5eXX+bRhnfqHetbkXwU3+c1Vk=";
  })
  (mw-ext {
    name = "SimpleSAMLphp";
    kebab-name = "simple-saml-php";
-    commit = "a2f77374713473d594e368de24539aebcc1a800a";
-    hash = "sha256-5+t3VQFKcrIffDNPJ4RWBIWS6K1gTOcEleYWmM6xWms=";
+    commit = "4c615a9203860bb908f2476a5467573e3287d224";
+    hash = "sha256-zNKvzInhdW3B101Hcghk/8m0Y+Qk/7XN7n0i/x/5hSE=";
  })
  (mw-ext {
    name = "TemplateData";
-    commit = "76a6a04bd13a606923847ba68750b5d98372cacd";
-    hash = "sha256-X2+U5PMqzkSljw2ypIvJUSaPDaonTkQx89OgKzf5scw=";
+    commit = "6884b10e603dce82ee39632f839ee5ccd8a6fbe3";
+    hash = "sha256-jcLe3r5fPIrQlp89N+PdIUSC7bkdd7pTmiYppSpdKVQ=";
  })
  (mw-ext {
    name = "TemplateStyles";
-    commit = "7de60a8da6576d7930f293d19ef83529abf52704";
-    hash = "sha256-iPmFDoO5V4964CVyd1mBSQcNlW34odbvpm2CfDBlPBU=";
+    commit = "f0401a6b82528c8fd5a0375f1e55e72d1211f2ab";
+    hash = "sha256-tEcCNBz/i9OaE3mNrqw0J2K336BAf6it30TLhQkbtKs=";
  })
  (mw-ext {
    name = "UserMerge";
-    commit = "71eb53ff4289ac4efaa31685ab8b6483c165a584";
-    hash = "sha256-OfKSEPgctfr659oh5jf99T0Rzqn+60JhNaZq+2gfubk=";
+    commit = "6c138ffc65991766fd58ff4739fcb7febf097146";
+    hash = "sha256-366Nb0ilmXixWgk5NgCuoxj82Mf0iRu1bC/L/eofAxU=";
  })
  (mw-ext {
    name = "VisualEditor";
-    commit = "a6a63f53605c4d596c3df1dcc2583ffd3eb8d929";
-    hash = "sha256-4d8picO66uzKoxh1TdyvKLHebc6ZL7N2DdXLV2vgBL4=";
+    commit = "9cfcca3195bf88225844f136da90ab7a1f6dd0b9";
+    hash = "sha256-jHw3RnUB3bQa1OvmzhEBqadZlFPWH62iGl5BLXi3nZ4=";
  })
  (mw-ext {
    name = "WikiEditor";
-    commit = "0a5719bb95326123dd0fee1f88658358321ed7be";
-    hash = "sha256-eQMyjhdm1E6TkktIHad1NMeMo8QNoO8z4A05FYOMCwQ=";
+    commit = "fe5329ba7a8c71ac8236cd0e940a64de2645b780";
+    hash = "sha256-no6kH7esqKiZv34btidzy2zLd75SBVb8EaYVhfRPQSI=";
  })
 ]
--- a/packages/mediawiki-extensions/update-mediawiki-extensions.py
+++ b/packages/mediawiki-extensions/update-mediawiki-extensions.py
@@ -83,7 +83,7 @@ def get_newest_commit(project_name: str, tracking_branch: str) -> str:
    content = requests.get(f"{BASE_WEB_URL}/{project_name}/+log/refs/heads/{tracking_branch}/").text
    soup = bs4.BeautifulSoup(content, features="html.parser")
    try:
-        a = soup.find('li').findChild('a')
+        a = soup.find('li').find('a')
        commit_sha = a['href'].split('/')[-1]
    except AttributeError:
        print(f"ERROR: Could not parse page for {project_name}:")
--- a/packages/simplesamlphp/default.nix
+++ b/packages/simplesamlphp/default.nix
@@ -8,18 +8,18 @@

 php.buildComposerProject rec {
  pname = "simplesamlphp";
-  version = "2.4.3";
+  version = "2.5.0";

  src = fetchFromGitHub {
    owner = "simplesamlphp";
    repo = "simplesamlphp";
    tag = "v${version}";
-    hash = "sha256-vv4gzcnPfMapd8gER2Vsng1SBloHKWrJJltnw2HUnX4=";
+    hash = "sha256-Md07vWhB/5MDUH+SPQEs8PYiUrkEgAyqQl+LO+ap0Sw=";
  };

  composerStrictValidation = false;

-  vendorHash = "sha256-vu3Iz6fRk3Gnh9Psn46jgRYKkmqGte+5xHBRmvdgKG4=";
+  vendorHash = "sha256-GrEoGJXEyI1Ib+06GIuo5eRwxQ0UMKeX5RswShu2CHM=";

  # TODO: metadata could be fetched automagically with these:
  #   - https://simplesamlphp.org/docs/contrib_modules/metarefresh/simplesamlphp-automated_metadata.html
--- a/topology/default.nix
+++ b/topology/default.nix
@@ -228,6 +228,7 @@ in {
        (mkConnection "demiurgen" "eno1")
        (mkConnection "sanctuary" "ethernet_0")
        (mkConnection "torskas" "eth0")
+        (mkConnection "skrot" "enp2s0")
        (mkConnection "homeassistant" "eth0")
        (mkConnection "orchid" "eth0")
        (mkConnection "principal" "em0")
--- a/values.nix
+++ b/values.nix
@@ -37,10 +37,10 @@ in rec {
      ipv6 = pvv-ipv6 168;
    };
    ildkule = {
-      ipv4 = "129.241.153.213";
-      ipv4_internal = "192.168.12.209";
-      ipv4_internal_gw = "192.168.12.1";
-      ipv6 = "2001:700:300:6026:f816:3eff:fe58:f1e8";
+      ipv4 = "129.241.100.145";
+      ipv4_internal = "192.168.1.17";
+      ipv4_internal_gw = "192.168.1.1";
+      ipv6 = "2001:700:305:8a0f:f816:3eff:fef5:e400";
    };
    bicep = {
      ipv4 = pvv-ipv4 209;
@@ -86,10 +86,10 @@ in rec {
      ipv6 = pvv-ipv6 167;
    };
    gluttony = {
-      ipv4 = "129.241.100.118";
-      ipv4_internal = "192.168.20.77";
-      ipv4_internal_gw = "192.168.20.1";
-      ipv6 = "2001:700:305:aa07::3b3";
+      ipv4 = "129.241.100.37";
+      ipv4_internal = "192.168.1.219";
+      ipv4_internal_gw = "192.168.1.1";
+      ipv6 = "2001:700:305:8a0f:f816:3eff:fe9b:7a46";
    };
    wenche = {
      ipv4 = pvv-ipv4 240;
@@ -118,9 +118,9 @@ in rec {
  };

  defaultNetworkConfig = {
-    dns = [ "129.241.0.200" "129.241.0.201" "2001:700:300:1900::200" "2001:700:300:1900::201" ];
-    domains = [ "pvv.ntnu.no" "pvv.org" ];
-    gateway = [ hosts.gateway hosts.gateway6 ];
+    dns = ["129.241.0.200" "129.241.0.201" "2001:700:300:1900::200" "2001:700:300:1900::201"];
+    domains = ["pvv.ntnu.no" "pvv.org"];
+    gateway = [hosts.gateway hosts.gateway6];

    networkConfig.IPv6AcceptRA = "no";
    DHCP = "no";
Author	SHA1	Message	Date
h7x4	0d7f05e56d	bicep/postgres: add cleanup timers	2026-05-21 04:14:34 +09:00
Daniel Olsen	4a67eddf52	bicep/matrix/livekit: open the rtc ports	2026-05-20 20:04:33 +02:00
h7x4	08a23bd380	base/hardening: ban a few more modules	2026-05-20 23:15:25 +09:00
h7x4	28b67c3578	base/mitigations: blacklist modules for copyfail and pintheft	2026-05-20 23:15:25 +09:00
Vegard Bieker Matthey	e5804c043a	README: add gluttony	2026-05-20 06:24:26 +02:00
Vegard Bieker Matthey	9c227f3022	update gluttony IPs and boot device	2026-05-20 06:07:41 +02:00
Felix Albrigtsen	69fdf709d7	grr: fix the heccin quotes	2026-05-19 16:38:34 +02:00
Adrian G L	30ec70fa5f	fix: ildkule grub duplicated devices, format nix files	2026-05-19 16:26:36 +02:00
Adrian G L	1024b428ac	feat: ildkule disco config	2026-05-19 12:16:39 +02:00
Adrian G L	1e6b692fbf	fix: updated ildkule config and ips to match trd1 new setup	2026-05-19 11:37:05 +02:00
Vegard Bieker Matthey	beac6e91dd	flake.lock: bump pvv-nettsiden	2026-05-17 16:58:04 +02:00
h7x4	0fd41c214a	flake.{nix,lock}: bump deps	2026-05-13 01:19:35 +09:00
h7x4	5c1ee958ea	flake.{nix,lock}: bump roowho2	2026-05-12 00:25:55 +09:00
h7x4	d8e97715c9	flake.lock: bump pvv-nettsiden	2026-05-12 00:24:56 +09:00
h7x4	33297b0436	treewide: `lib.cli.toGNUCommandLineShell` -> `lib.cli.toCommandLineShellGNU`	2026-05-11 23:09:50 +09:00
h7x4	be33c95c83	bekkalokk/website: more logging, specify timeouts, ban spooky funcs, fake sendmail	2026-05-11 21:14:08 +09:00
h7x4	2abf36a9af	packages/simplesamlphp: 2.4.3 -> 2.5.0	2026-05-11 16:12:15 +09:00
h7x4	a60be532ce	packages/mediawiki-extensions: bump all	2026-05-11 16:11:10 +09:00
h7x4	9c142fd56f	kommode/gitea: remove deprecated config options	2026-05-11 16:00:51 +09:00
Øystein Tveit	b98e8679e6	temmie/userweb: set same phpOptions for env and apache	2026-05-11 14:54:56 +09:00
h7x4	ea092ec0b3	temmie/userweb: pass userdir user to sendmail through custom envvar	2026-05-11 14:26:47 +09:00
h7x4	5e50b617fb	temmie/userweb: switch from postfix to nullmailer	2026-05-11 13:52:58 +09:00
h7x4	258c5a7b25	temmie/userweb: set up sendmail wrapper	2026-05-11 12:26:39 +09:00
h7x4	b9eda3dc56	temmie/userweb: reduce package list	2026-05-11 10:17:09 +09:00
Vegard Bieker Matthey	2fcaf5893f	fix deprecation warning for mediawiki update script	2026-05-09 20:40:14 +02:00
h7x4	b009da31af	temmie/userweb: deny a bunch of spooky directories by default It should still be possible for the user to re-enable these with `.htaccess`	2026-05-10 03:33:43 +09:00
h7x4	e9a267e2a3	temmie/userweb: ignore collisions in fhs env	2026-05-10 03:02:27 +09:00
h7x4	338c2f2531	temmie/userweb: adjust perl and php env This adds and removes a few packages to make the environments closer to how they are on tom	2026-05-10 03:02:26 +09:00
Felix Albrigtsen	8db3034baf	Run shellcheck	2026-05-08 09:31:35 +02:00
h7x4	f64f9c944e	topology: hook skrot up to the switch at the office	2026-05-08 16:27:01 +09:00
h7x4	baeb1e5e60	base/hardening: move hardening options from base/default	2026-05-08 16:23:17 +09:00
h7x4	86ca8dcdc3	base/hardening: ban a bunch more unimportant kernel modules	2026-05-08 16:23:17 +09:00