Run shellcheck

update sops keys for skrott
secrets: sops updatekeys
2026-02-20 17:07:51 +01:00 · 2026-02-08 12:10:53 +01:00 · 2026-02-07 22:17:09 +01:00 · 2026-02-08 05:19:26 +09:00 · 2026-02-07 21:12:03 +01:00 · 2026-02-07 01:46:55 +09:00
123 changed files with 13746 additions and 24121 deletions
--- a/.mailmap
+++ b/.mailmap
@@ -23,3 +23,9 @@ Adrian Gunnar Lauterer <adriangl@pvv.ntnu.no> Adrian Gunnar Lauterer <adrian@lau
 Fredrik Robertsen <frero@pvv.ntnu.no> frero <frero@pvv.ntnu.no>
 Fredrik Robertsen <frero@pvv.ntnu.no> fredrikr79 <fredrikrobertsen7@gmail.com>
 Fredrik Robertsen <frero@pvv.ntnu.no> fredrik <fredrikr79@pm.me>
 Vegard Bieker Matthey <vegardbm@pvv.ntnu.no> Vegard Matthey <VegardMatthey@protonmail.com>
 Vegard Bieker Matthey <vegardbm@pvv.ntnu.no> Vegard Bieker Matthey <VegardMatthey@protonmail.com>
 Albert Bayazidi <albertba@pvv.ntnu.no> Albert <albert.bayazidi@gmail.com>
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -7,6 +7,7 @@ keys:
  - &user_pederbs_bjarte age1zhxul786an743u0fascv4wtc5xduu7qfy803lfs539yzhgmlq5ds2lznt5
  - &user_pederbs_nord age1wrssr4z4g6vl3fd3qme5cewchmmhm0j2xe6wf2meu4r6ycn37anse98mfs
  - &user_pederbs_sopp age1hmpdk4h69wxpwqk9tkud39f66hprhehxtzhgw97r6dvr7v0mx5jscsuhkn
  - &user_vegardbm age1sqs7urnzsdy64efmd0zukzv3gs5pnjksuxd7nqmdwdy5l0nqnunq6hyune
  # Hosts
  - &host_bakke age1syted6kt48sumjjucggh6r3uca4x2ppp4mfungf3lamkt2le05csc99633
@@ -19,6 +20,7 @@ keys:
  - &host_lupine-3 age1j2u876z8hu87q5npfxzzpfgllyw8ypj66d7cgelmzmnrf3xud34qzkntp9
  - &host_lupine-4 age1t8zlawqkmhye737pn8yx0z3p9cl947d9ktv2cajdc6hnvn52d3fsc59s2k
  - &host_lupine-5 age199zkqq4jp4yc3d0hx2q0ksxdtp42xhmjsqwyngh8tswuck34ke3smrfyqu
  - &host_skrott age1lpkju2e053aaddpgsr4ef83epclf4c9tp4m98d35ft2fswr8p4tq2ua0mf
  - &host_ustetind age1hffjafs4slznksefmtqrlj7rdaqgzqncn4un938rhr053237ry8s3rs0v8
 creation_rules:
@@ -32,6 +34,7 @@ creation_rules:
      - *user_pederbs_sopp
      - *user_pederbs_nord
      - *user_pederbs_bjarte
      - *user_vegardbm
      pgp:
      - *user_oysteikt
@@ -46,6 +49,7 @@ creation_rules:
      - *user_pederbs_sopp
      - *user_pederbs_nord
      - *user_pederbs_bjarte
      - *user_vegardbm
      pgp:
      - *user_oysteikt
@@ -58,6 +62,7 @@ creation_rules:
      - *user_pederbs_sopp
      - *user_pederbs_nord
      - *user_pederbs_bjarte
      - *user_vegardbm
      pgp:
      - *user_oysteikt
@@ -70,6 +75,7 @@ creation_rules:
      - *user_pederbs_sopp
      - *user_pederbs_nord
      - *user_pederbs_bjarte
      - *user_vegardbm
      pgp:
      - *user_oysteikt
@@ -82,6 +88,7 @@ creation_rules:
      - *user_pederbs_sopp
      - *user_pederbs_nord
      - *user_pederbs_bjarte
      - *user_vegardbm
      pgp:
      - *user_oysteikt
@@ -94,6 +101,7 @@ creation_rules:
      - *user_pederbs_sopp
      - *user_pederbs_nord
      - *user_pederbs_bjarte
      - *user_vegardbm
      pgp:
      - *user_oysteikt
@@ -110,6 +118,7 @@ creation_rules:
      - *user_pederbs_sopp
      - *user_pederbs_nord
      - *user_pederbs_bjarte
      - *user_vegardbm
      pgp:
      - *user_oysteikt
@@ -122,5 +131,19 @@ creation_rules:
      - *user_pederbs_sopp
      - *user_pederbs_nord
      - *user_pederbs_bjarte
      - *user_vegardbm
      pgp:
      - *user_oysteikt
  - path_regex: secrets/skrott/[^/]+\.yaml$
    key_groups:
    - age:
      - *host_skrott
      - *user_danio
      - *user_felixalb
      - *user_pederbs_sopp
      - *user_pederbs_nord
      - *user_pederbs_bjarte
      - *user_vegardbm
      pgp:
      - *user_oysteikt
--- a/README.md
+++ b/README.md
@@ -4,7 +4,33 @@ This repository contains the NixOS configurations for Programvareverkstedet's se
 In addition to machine configurations, it also contains a bunch of shared modules, packages, and
 more.
-## Machines
+> [!WARNING]
 > Please read [Development - working on the PVV machines](./docs/development.md) before making
 > any changes, and [Secret management and `sops-nix`](./docs/secret-management.md) before adding
 > any credentials such as passwords, API tokens, etc. to the configuration.
 ## Deploying to machines
 > [!WARNING]
 > Be careful to think about state when testing changes against the machines. Sometimes, a certain change
 > can lead to irreversible changes to the data stored on the machine. An example would be a set of database
 > migrations applied when testing a newer version of a service. Unless that service also comes with downwards
 > migrations, you can not go back to the previous version without losing data.
 To deploy the changes to a machine, you should first SSH into the machine, and clone the pvv-nixos-config
 repository unless you have already done so. After that, checkout the branch you want to deploy from, and rebuild:
 ```bash
 # Run this while in the pvv-nixos-config directory
 sudo nixos-rebuild switch --update-input nixpkgs --update-input nixpkgs-unstable --no-write-lock-file --refresh --flake .# --upgrade
 ```
 This will rebuild the NixOS system on the current branch and switch the system configuration to reflect the new changes.
 Note that unless you eventually merge the current changes into `main`, the machine will rebuild itself automatically and
 revert the changes on the next nightly rebuild (tends to happen when everybody is asleep).
 ## Machine overview
 | Name                       | Type     | Description                                               |
 |----------------------------|----------|-----------------------------------------------------------|
@@ -17,6 +43,7 @@ more.
 | [kommode][kom]             | Virtual  | Gitea + Gitea pages                                       |
 | [lupine][lup]              | Physical | Gitea CI/CD runners                                       |
 |  shark                     | Virtual  | Test host for authentication, absolutely horrendous       |
 | [skrott][skr]              | Physical | Kiosk, snacks and soda                                    |
 | [wenche][wen]              | Virtual  | Nix-builders, general purpose compute                     |
 ## Documentation
@@ -33,4 +60,5 @@ more.
 [ild]: https://wiki.pvv.ntnu.no/wiki/Maskiner/ildkule
 [kom]: https://wiki.pvv.ntnu.no/wiki/Maskiner/kommode
 [lup]: https://wiki.pvv.ntnu.no/wiki/Maskiner/lupine
 [skr]: https://wiki.pvv.ntnu.no/wiki/Maskiner/Skrott
 [wen]: https://wiki.pvv.ntnu.no/wiki/Maskiner/wenche
--- a/base/default.nix
+++ b/base/default.nix
@@ -10,19 +10,23 @@
    (fp /users)
    (fp /modules/snakeoil-certs.nix)
    ./flake-input-exporter.nix
    ./networking.nix
    ./nix.nix
    ./programs.nix
    ./sops.nix
    ./vm.nix
    ./flake-input-exporter.nix
    ./services/acme.nix
    ./services/auto-upgrade.nix
    ./services/dbus.nix
    ./services/fwupd.nix
    ./services/irqbalance.nix
    ./services/journald-upload.nix
    ./services/logrotate.nix
    ./services/nginx.nix
    ./services/openssh.nix
    ./services/polkit.nix
    ./services/postfix.nix
    ./services/prometheus-node-exporter.nix
    ./services/prometheus-systemd-exporter.nix
@@ -38,6 +42,9 @@
  boot.tmp.cleanOnBoot = lib.mkDefault true;
  boot.kernelPackages = lib.mkDefault pkgs.linuxPackages_latest;
  boot.loader.systemd-boot.enable = lib.mkDefault true;
  boot.loader.efi.canTouchEfiVariables = lib.mkDefault true;
  time.timeZone = "Europe/Oslo";
  i18n.defaultLocale = "en_US.UTF-8";
@@ -46,21 +53,8 @@
    keyMap = "no";
  };
-  environment.systemPackages = with pkgs; [
+  # Don't install the /lib/ld-linux.so.2 stub
-    file
+  environment.ldso32 = null;
    git
    gnupg
    htop
    nano
    ripgrep
    rsync
    screen
    tmux
    vim
    wget
    kitty.terminfo
  ];
  # .bash_profile already works, but lets also use .bashrc like literally every other distro
  # https://man.archlinux.org/man/core/bash/bash.1.en#INVOCATION
@@ -74,8 +68,6 @@
    fi
  '';
  programs.zsh.enable = true;
  # security.lockKernelModules = true;
  security.protectKernelImage = true;
  security.sudo.execWheelOnly = true;
@@ -83,6 +75,14 @@
    Defaults lecture = never
  '';
  # These are servers, sleep is for the weak
  systemd.sleep.extraConfig = lib.mkDefault ''
    AllowSuspend=no
    AllowHibernation=no
  '';
  # users.mutableUsers = lib.mkDefault false;
  users.groups."drift".name = "drift";
  # Trusted users on the nix builder machines
--- a/base/nix.nix
+++ b/base/nix.nix
@@ -37,4 +37,9 @@
      "unstable=${inputs.nixpkgs-unstable}"
    ];
  };
  # Make builds to be more likely killed than important services.
  # 100 is the default for user slices and 500 is systemd-coredumpd@
  # We rather want a build to be killed than our precious user sessions as builds can be easily restarted.
  systemd.services.nix-daemon.serviceConfig.OOMScoreAdjust = lib.mkDefault 250;
 }
--- a/base/programs.nix
+++ b/base/programs.nix
@@ -0,0 +1,68 @@
 { pkgs, lib, ... }:
 {
  # We don't need fonts on headless machines
  fonts.fontconfig.enable = lib.mkDefault false;
  # Extra packags for better terminal emulator compatibility in SSH sessions
  environment.enableAllTerminfo = true;
  environment.systemPackages = with pkgs; [
    # Debug dns outside resolvectl
    dig
    # Debug and find files
    file
    # Process json data
    jq
    # Check computer specs
    lshw
    # Check who is keeping open files
    lsof
    # Scan for open ports with netstat
    net-tools
    # Grep for files quickly
    ripgrep
    # Copy files over the network
    rsync
    # Access various state, often in /var/lib
    sqlite-interactive
    # Debug software which won't debug itself
    strace
    # Download files from the internet
    wget
  ];
  # Clone/push nix config and friends
  programs.git.enable = true;
  # Gitea gpg, oysteikt sops, etc.
  programs.gnupg.agent.enable = true;
  # Monitor the wellbeing of the machines
  programs.htop.enable = true;
  # Keep sessions running during work over SSH
  programs.tmux.enable = true;
  # Same reasoning as tmux
  programs.screen.enable = true;
  # Edit files on the system without resorting to joe(1)
  programs.nano.enable = true;
  # Same reasoning as nano
  programs.vim.enable = true;
  # Same reasoning as vim
  programs.neovim.enable = true;
  # Some people like this shell for some reason
  programs.zsh.enable = true;
 }
--- a/base/services/acme.nix
+++ b/base/services/acme.nix
@@ -8,8 +8,6 @@
  # Let's not spam LetsEncrypt in `nixos-rebuild build-vm` mode:
  virtualisation.vmVariant = {
    security.acme.defaults.server = "https://127.0.0.1";
    security.acme.preliminarySelfsigned = true;
    users.users.root.initialPassword = "root";
  };
-}
+}
--- a/base/services/auto-upgrade.nix
+++ b/base/services/auto-upgrade.nix
@@ -9,6 +9,8 @@ in
    enable = true;
    flake = "git+https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git";
    flags = [
      "-L"
      "--refresh"
      "--no-write-lock-file"
      # --update-input is deprecated since nix 2.22, and removed in lix 2.90
@@ -26,7 +28,7 @@ in
  # workaround for https://github.com/NixOS/nix/issues/6895
  # via https://git.lix.systems/lix-project/lix/issues/400
-  environment.etc = lib.mkIf (!config.virtualisation.isVmVariant) {
+  environment.etc = lib.mkIf (!config.virtualisation.isVmVariant && config.system.autoUpgrade.enable) {
    "current-system-flake-inputs.json".source
      = pkgs.writers.writeJSON "flake-inputs.json" (
        lib.flip lib.mapAttrs inputs (name: input:
--- a/base/services/journald-upload.nix
+++ b/base/services/journald-upload.nix
@@ -0,0 +1,24 @@
 { config, lib, values, ... }:
 let
  cfg = config.services.journald.upload;
 in
 {
  services.journald.upload = {
    enable = lib.mkDefault true;
    settings.Upload = {
      # URL = "https://journald.pvv.ntnu.no:${toString config.services.journald.remote.port}";
      URL = "https://${values.hosts.ildkule.ipv4}:${toString config.services.journald.remote.port}";
      ServerKeyFile = "-";
      ServerCertificateFile = "-";
      TrustedCertificateFile = "-";
    };
  };
  systemd.services."systemd-journal-upload".serviceConfig = lib.mkIf cfg.enable {
    IPAddressDeny = "any";
    IPAddressAllow = [
      values.hosts.ildkule.ipv4
      values.hosts.ildkule.ipv6
    ];
  };
 }
--- a/base/services/nginx.nix
+++ b/base/services/nginx.nix
@@ -39,29 +39,38 @@
    SystemCallFilter = lib.mkForce null;
  };
-  services.nginx.virtualHosts."_" = lib.mkIf config.services.nginx.enable {
+  services.nginx.virtualHosts = lib.mkIf config.services.nginx.enable {
-    listen = [
+    "_" = {
-      {
+      listen = [
-        addr = "0.0.0.0";
+        {
-        extraParameters = [
+          addr = "0.0.0.0";
-          "default_server"
+          extraParameters = [
-          # Seemingly the default value of net.core.somaxconn
+            "default_server"
-          "backlog=4096"
+            # Seemingly the default value of net.core.somaxconn
-          "deferred"
+            "backlog=4096"
-        ];
+            "deferred"
-      }
+          ];
-      {
+        }
-        addr = "[::0]";
+        {
-        extraParameters = [
+          addr = "[::0]";
-          "default_server"
+          extraParameters = [
-          "backlog=4096"
+            "default_server"
-          "deferred"
+            "backlog=4096"
-        ];
+            "deferred"
-      }
+          ];
-    ];
+        }
-    sslCertificate = "/etc/certs/nginx.crt";
+      ];
-    sslCertificateKey = "/etc/certs/nginx.key";
+      sslCertificate = "/etc/certs/nginx.crt";
-    addSSL = true;
+      sslCertificateKey = "/etc/certs/nginx.key";
-    extraConfig = "return 444;";
+      addSSL = true;
      extraConfig = "return 444;";
    };
    ${config.networking.fqdn} = {
      sslCertificate = lib.mkDefault "/etc/certs/nginx.crt";
      sslCertificateKey = lib.mkDefault "/etc/certs/nginx.key";
      addSSL = lib.mkDefault true;
      extraConfig = lib.mkDefault "return 444;";
    };
  };
 }
--- a/base/services/polkit.nix
+++ b/base/services/polkit.nix
@@ -0,0 +1,15 @@
 { config, lib, ... }:
 let
  cfg = config.security.polkit;
 in
 {
  security.polkit.enable = true;
  environment.etc."polkit-1/rules.d/9-nixos-overrides.rules".text = lib.mkIf cfg.enable ''
    polkit.addAdminRule(function(action, subject) {
        if(subject.isInGroup("wheel")) {
            return ["unix-user:"+subject.user];
        }
    });
  '';
 }
--- a/base/services/smartd.nix
+++ b/base/services/smartd.nix
@@ -1,7 +1,9 @@
 { config, pkgs, lib, ... }:
 {
  services.smartd = {
-    enable = lib.mkDefault true;
+    # NOTE: qemu guests tend not to have SMART-reporting disks. Please override for the
    #       hosts with disk passthrough.
    enable = lib.mkDefault (!config.services.qemuGuest.enable);
    notifications = {
      mail = {
        enable = true;
--- a/base/sops.nix
+++ b/base/sops.nix
@@ -0,0 +1,12 @@
 { config, fp, lib, ... }:
 {
  sops.defaultSopsFile = let
    secretsFilePath = fp /secrets/${config.networking.hostName}/${config.networking.hostName}.yaml;
  in lib.mkIf (builtins.pathExists secretsFilePath) secretsFilePath;
  sops.age = lib.mkIf (config.sops.defaultSopsFile != null) {
    sshKeyPaths = lib.mkDefault [ "/etc/ssh/ssh_host_ed25519_key" ];
    keyFile = "/var/lib/sops-nix/key.txt";
    generateKey = true;
  };
 }
--- a/base/vm.nix
+++ b/base/vm.nix
@@ -11,5 +11,6 @@
  };
  config.virtualisation.vmVariant = {
    virtualisation.isVmVariant = true;
    virtualisation.graphics = false;
  };
 }
--- a/docs/development.md
+++ b/docs/development.md
@@ -156,27 +156,6 @@ nix build .#
 > built some of the machines recently. Be prepared to wait for up to an hour to build all machines from scratch
 > if this is the first time.
 ### Deploying to machines
 > [!WARNING]
 > Be careful to think about state when testing changes against the machines. Sometimes, a certain change
 > can lead to irreversible changes to the data stored on the machine. An example would be a set of database
 > migrations applied when testing a newer version of a service. Unless that service also comes with downwards
 > migrations, you can not go back to the previous version without losing data.
 To deploy the changes to a machine, you should first SSH into the machine, and clone the pvv-nixos-config
 repository unless you have already done so. After that, checkout the branch you want to deploy from, and rebuild:
 ```bash
 # Run this while in the pvv-nixos-config directory
 sudo nixos-rebuild switch --update-input nixpkgs --update-input nixpkgs-unstable --no-write-lock-file --refresh --flake .# --upgrade
 ```
 This will rebuild the NixOS system on the current branch and switch the system configuration to reflect the new changes.
 Note that unless you eventually merge the current changes into `main`, the machine will rebuild itself automatically and
 revert the changes on the next nightly rebuild (tends to happen when everybody is asleep).
 ### Forcefully reset to `main`
 If you ever want to reset a machine to the `main` branch, you can do so by running:
--- a/docs/secret-management.md
+++ b/docs/secret-management.md
@@ -151,7 +151,7 @@ is up to date, you can do the following:
 ```console
 # Fetch gpg (unless you have it already)
-nix-shell -p gpg
+nix shell nixpkgs#gnupg
 # Import oysteikts key to the gpg keychain
 gpg --import ./keys/oysteikt.pub
--- a/flake.lock
+++ b/flake.lock
@@ -1,39 +1,17 @@
 {
  "nodes": {
    "devshell": {
      "inputs": {
        "nixpkgs": [
          "nix-topology",
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1764011051,
        "narHash": "sha256-M7SZyPZiqZUR/EiiBJnmyUbOi5oE/03tCeFrTiUZchI=",
        "owner": "numtide",
        "repo": "devshell",
        "rev": "17ed8d9744ebe70424659b0ef74ad6d41fc87071",
        "type": "github"
      },
      "original": {
        "owner": "numtide",
        "repo": "devshell",
        "type": "github"
      }
    },
    "dibbler": {
      "inputs": {
        "flake-utils": "flake-utils",
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
-        "lastModified": 1767906875,
+        "lastModified": 1770133120,
-        "narHash": "sha256-S88Qh7TJwuTkMQqAdXmF3JMkuV2e5GHTdom02QrtdIs=",
+        "narHash": "sha256-RuAWONXb+U3omSsuIPCrPcgj0XYqv+2djG0cnPGEyKg=",
        "ref": "main",
-        "rev": "b86962ef0e15d1a7de445172d4acea454b119a91",
+        "rev": "3123b8b474319bc75ee780e0357dcdea69dc85e6",
-        "revCount": 220,
+        "revCount": 244,
        "type": "git",
        "url": "https://git.pvv.ntnu.no/Projects/dibbler.git"
      },
@@ -64,54 +42,21 @@
        "type": "github"
      }
    },
-    "flake-compat": {
+    "flake-parts": {
      "flake": false,
      "locked": {
        "lastModified": 1761588595,
        "narHash": "sha256-XKUZz9zewJNUj46b4AJdiRZJAvSZ0Dqj2BNfXvFlJC4=",
        "owner": "edolstra",
        "repo": "flake-compat",
        "rev": "f387cd2afec9419c8ee37694406ca490c3f34ee5",
        "type": "github"
      },
      "original": {
        "owner": "edolstra",
        "repo": "flake-compat",
        "type": "github"
      }
    },
    "flake-utils": {
      "inputs": {
-        "systems": "systems"
+        "nixpkgs-lib": "nixpkgs-lib"
      },
      "locked": {
-        "lastModified": 1731533236,
+        "lastModified": 1765835352,
-        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
+        "narHash": "sha256-XswHlK/Qtjasvhd1nOa1e8MgZ8GS//jBoTqWtrS1Giw=",
-        "owner": "numtide",
+        "owner": "hercules-ci",
-        "repo": "flake-utils",
+        "repo": "flake-parts",
-        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
+        "rev": "a34fae9c08a15ad73f295041fec82323541400a9",
        "type": "github"
      },
      "original": {
-        "id": "flake-utils",
+        "owner": "hercules-ci",
-        "type": "indirect"
+        "repo": "flake-parts",
      }
    },
    "flake-utils_2": {
      "inputs": {
        "systems": "systems_2"
      },
      "locked": {
        "lastModified": 1731533236,
        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
        "owner": "numtide",
        "repo": "flake-utils",
        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
        "type": "github"
      },
      "original": {
        "owner": "numtide",
        "repo": "flake-utils",
        "type": "github"
      }
    },
@@ -136,28 +81,6 @@
        "url": "https://git.pvv.ntnu.no/Grzegorz/gergle.git"
      }
    },
    "gitignore": {
      "inputs": {
        "nixpkgs": [
          "nix-topology",
          "pre-commit-hooks",
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1709087332,
        "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
        "owner": "hercules-ci",
        "repo": "gitignore.nix",
        "rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
        "type": "github"
      },
      "original": {
        "owner": "hercules-ci",
        "repo": "gitignore.nix",
        "type": "github"
      }
    },
    "greg-ng": {
      "inputs": {
        "nixpkgs": [
@@ -251,11 +174,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1767906653,
+        "lastModified": 1769500363,
-        "narHash": "sha256-KMiVvnlkRpW4/MVloLURfjv3bvjcae0X9skext2jKVE=",
+        "narHash": "sha256-vFxmdsLBPdTy5j2bf54gbTQi1XnWbZDmeR/BBh8MFrw=",
        "ref": "main",
-        "rev": "584fd6379c905a6370484c5b5ba0623b4fcb778f",
+        "rev": "2618e434e40e109eaab6a0693313c7e0de7324a3",
-        "revCount": 27,
+        "revCount": 47,
        "type": "git",
        "url": "https://git.pvv.ntnu.no/Projects/minecraft-kartverket.git"
      },
@@ -288,19 +211,17 @@
    },
    "nix-topology": {
      "inputs": {
-        "devshell": "devshell",
+        "flake-parts": "flake-parts",
        "flake-utils": "flake-utils_2",
        "nixpkgs": [
          "nixpkgs"
-        ],
+        ]
        "pre-commit-hooks": "pre-commit-hooks"
      },
      "locked": {
-        "lastModified": 1767888340,
+        "lastModified": 1769018862,
-        "narHash": "sha256-CccRg4d8TpOUGz2HefBZLNYtGrcAyCMa7GVJHcUd8W4=",
+        "narHash": "sha256-x3eMpPQhZwEDunyaUos084Hx41XwYTi2uHY4Yc4YNlk=",
        "owner": "oddlama",
        "repo": "nix-topology",
-        "rev": "416ff06f72e810c554761e3f5dbf33b4f331e73e",
+        "rev": "a15cac71d3399a4c2d1a3482ae62040a3a0aa07f",
        "type": "github"
      },
      "original": {
@@ -312,53 +233,45 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1767871818,
+        "lastModified": 1769724120,
-        "narHash": "sha256-SOIHRu1sk+dW5f5DNTN5xYoeuZCyGIlKqxZ8RRj4lCM=",
+        "narHash": "sha256-oQBM04hQk1kotfv4qmIG1tHmuwODd1+hqRJE5TELeCE=",
-        "rev": "6eb8dee465373971d4495d92e23c2f0979384f76",
+        "rev": "8ec59ed5093c2a742d7744e9ecf58f358aa4a87d",
        "type": "tarball",
-        "url": "https://releases.nixos.org/nixos/25.11-small/nixos-25.11.3412.6eb8dee46537/nixexprs.tar.xz"
+        "url": "https://releases.nixos.org/nixos/25.11-small/nixos-25.11.4961.8ec59ed5093c/nixexprs.tar.xz"
      },
      "original": {
        "type": "tarball",
        "url": "https://nixos.org/channels/nixos-25.11-small/nixexprs.tar.xz"
      }
    },
    "nixpkgs-lib": {
      "locked": {
        "lastModified": 1765674936,
        "narHash": "sha256-k00uTP4JNfmejrCLJOwdObYC9jHRrr/5M/a/8L2EIdo=",
        "owner": "nix-community",
        "repo": "nixpkgs.lib",
        "rev": "2075416fcb47225d9b68ac469a5c4801a9c4dd85",
        "type": "github"
      },
      "original": {
        "owner": "nix-community",
        "repo": "nixpkgs.lib",
        "type": "github"
      }
    },
    "nixpkgs-unstable": {
      "locked": {
-        "lastModified": 1767870855,
+        "lastModified": 1769813739,
-        "narHash": "sha256-SmrGFE9SdHFz60YbSCF7TtZ+GV8nIiYiI8fTEDyUouc=",
+        "narHash": "sha256-RmNWW1DQczvDwBHu11P0hGwJZxbngdoymVu7qkwq/2M=",
-        "rev": "719f19e8e447a52152aee8061c7a2951f9254f14",
+        "rev": "16a3cae5c2487b1afa240e5f2c1811f172419558",
        "type": "tarball",
-        "url": "https://releases.nixos.org/nixos/unstable-small/nixos-26.05pre924399.719f19e8e447/nixexprs.tar.xz"
+        "url": "https://releases.nixos.org/nixos/unstable-small/nixos-26.05pre937548.16a3cae5c248/nixexprs.tar.xz"
      },
      "original": {
        "type": "tarball",
        "url": "https://nixos.org/channels/nixos-unstable-small/nixexprs.tar.xz"
      }
    },
    "pre-commit-hooks": {
      "inputs": {
        "flake-compat": "flake-compat",
        "gitignore": "gitignore",
        "nixpkgs": [
          "nix-topology",
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1765911976,
        "narHash": "sha256-t3T/xm8zstHRLx+pIHxVpQTiySbKqcQbK+r+01XVKc0=",
        "owner": "cachix",
        "repo": "pre-commit-hooks.nix",
        "rev": "b68b780b69702a090c8bb1b973bab13756cc7a27",
        "type": "github"
      },
      "original": {
        "owner": "cachix",
        "repo": "pre-commit-hooks.nix",
        "type": "github"
      }
    },
    "pvv-calendar-bot": {
      "inputs": {
        "nixpkgs": [
@@ -387,11 +300,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1767906725,
+        "lastModified": 1769009806,
-        "narHash": "sha256-AZpNzcnbl855mqemSrWbYl2mEgngC2lmiI6yiszEgQw=",
+        "narHash": "sha256-52xTtAOc9B+MBRMRZ8HI6ybNsRLMlHHLh+qwAbaJjRY=",
        "ref": "main",
-        "rev": "65118b6abebd339e071c38f00a23b92dbbb72b38",
+        "rev": "aa8adfc6a4d5b6222752e2d15d4a6d3b3b85252e",
-        "revCount": 537,
+        "revCount": 575,
        "type": "git",
        "url": "https://git.pvv.ntnu.no/Projects/nettsiden.git"
      },
@@ -401,6 +314,27 @@
        "url": "https://git.pvv.ntnu.no/Projects/nettsiden.git"
      }
    },
    "qotd": {
      "inputs": {
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1768684204,
        "narHash": "sha256-TErBiXxTRPUtZ/Mw8a5p+KCeGCFXa0o8fzwGoo75//Y=",
        "ref": "main",
        "rev": "a86f361bb8cfac3845b96d49fcbb2faea669844f",
        "revCount": 11,
        "type": "git",
        "url": "https://git.pvv.ntnu.no/Projects/qotd.git"
      },
      "original": {
        "ref": "main",
        "type": "git",
        "url": "https://git.pvv.ntnu.no/Projects/qotd.git"
      }
    },
    "root": {
      "inputs": {
        "dibbler": "dibbler",
@@ -417,6 +351,7 @@
        "nixpkgs-unstable": "nixpkgs-unstable",
        "pvv-calendar-bot": "pvv-calendar-bot",
        "pvv-nettsiden": "pvv-nettsiden",
        "qotd": "qotd",
        "roowho2": "roowho2",
        "sops-nix": "sops-nix"
      }
@@ -429,11 +364,11 @@
        "rust-overlay": "rust-overlay_3"
      },
      "locked": {
-        "lastModified": 1767903580,
+        "lastModified": 1769834595,
-        "narHash": "sha256-UtulIUyFv6HcU5BUcQONtyG29XPTOBMsJ4N0nJGNOUk=",
+        "narHash": "sha256-P1jrO7BxHyIKDuOXHuUb7bi4H2TuYnACW5eqf1gG47g=",
        "ref": "main",
-        "rev": "dd23346bda46629788b08aba2e8af3b3f13335af",
+        "rev": "def4eec2d59a69b4638b3f25d6d713b703b2fa56",
-        "revCount": 38,
+        "revCount": 49,
        "type": "git",
        "url": "https://git.pvv.ntnu.no/Projects/roowho2.git"
      },
@@ -493,11 +428,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1767322002,
+        "lastModified": 1769309768,
-        "narHash": "sha256-yHKXXw2OWfIFsyTjduB4EyFwR0SYYF0hK8xI9z4NIn0=",
+        "narHash": "sha256-AbOIlNO+JoqRJkK1VrnDXhxuX6CrdtIu2hSuy4pxi3g=",
        "owner": "oxalica",
        "repo": "rust-overlay",
-        "rev": "03c6e38661c02a27ca006a284813afdc461e9f7e",
+        "rev": "140c9dc582cb73ada2d63a2180524fcaa744fad5",
        "type": "github"
      },
      "original": {
@@ -513,11 +448,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1767826491,
+        "lastModified": 1769469829,
-        "narHash": "sha256-WSBENPotD2MIhZwolL6GC9npqgaS5fkM7j07V2i/Ur8=",
+        "narHash": "sha256-wFcr32ZqspCxk4+FvIxIL0AZktRs6DuF8oOsLt59YBU=",
        "owner": "Mic92",
        "repo": "sops-nix",
-        "rev": "ea3adcb6d2a000d9a69d0e23cad1f2cacb3a9fbe",
+        "rev": "c5eebd4eb2e3372fe12a8d70a248a6ee9dd02eff",
        "type": "github"
      },
      "original": {
@@ -526,36 +461,6 @@
        "repo": "sops-nix",
        "type": "github"
      }
    },
    "systems": {
      "locked": {
        "lastModified": 1681028828,
        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
        "owner": "nix-systems",
        "repo": "default",
        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
        "type": "github"
      },
      "original": {
        "owner": "nix-systems",
        "repo": "default",
        "type": "github"
      }
    },
    "systems_2": {
      "locked": {
        "lastModified": 1681028828,
        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
        "owner": "nix-systems",
        "repo": "default",
        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
        "type": "github"
      },
      "original": {
        "owner": "nix-systems",
        "repo": "default",
        "type": "github"
      }
    }
  },
  "root": "root",
--- a/flake.nix
+++ b/flake.nix
@@ -44,6 +44,9 @@
    minecraft-kartverket.url = "git+https://git.pvv.ntnu.no/Projects/minecraft-kartverket.git?ref=main";
    minecraft-kartverket.inputs.nixpkgs.follows = "nixpkgs";
    qotd.url = "git+https://git.pvv.ntnu.no/Projects/qotd.git?ref=main";
    qotd.inputs.nixpkgs.follows = "nixpkgs";
  };
  outputs = { self, nixpkgs, nixpkgs-unstable, sops-nix, disko, ... }@inputs:
@@ -66,50 +69,32 @@
  in {
    inputs = lib.mapAttrs (_: src: src.outPath) inputs;
-    pkgs = forAllSystems (system:
+    pkgs = forAllSystems (system: import nixpkgs {
-      import nixpkgs {
+      inherit system;
-        inherit system;
+      config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg)
-        config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg)
+        [
-          [
+          "nvidia-x11"
-            "nvidia-x11"
+          "nvidia-settings"
-            "nvidia-settings"
+        ];
-          ];
+    });
      });
    nixosConfigurations = let
      unstablePkgs = nixpkgs-unstable.legacyPackages.x86_64-linux;
      nixosConfig =
        nixpkgs:
        name:
        configurationPath:
        extraArgs@{
-          system ? "x86_64-linux",
+          localSystem ? "x86_64-linux", # buildPlatform
          crossSystem ? "x86_64-linux", # hostPlatform
          specialArgs ? { },
          modules ? [ ],
          overlays ? [ ],
          enableDefaults ? true,
          ...
        }:
-        lib.nixosSystem (lib.recursiveUpdate
+        let
-        {
+          commonPkgsConfig = {
-          inherit system;
+            inherit localSystem crossSystem;
          specialArgs = {
            inherit unstablePkgs inputs;
            values = import ./values.nix;
            fp = path: ./${path};
          } // specialArgs;
          modules = [
            configurationPath
          ] ++ (lib.optionals enableDefaults [
            sops-nix.nixosModules.sops
            inputs.roowho2.nixosModules.default
          ]) ++ modules;
          pkgs = import nixpkgs {
            inherit system;
            config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg)
              [
                "nvidia-x11"
@@ -120,9 +105,36 @@
              inputs.roowho2.overlays.default
            ]) ++ overlays;
          };
          pkgs = import nixpkgs commonPkgsConfig;
          unstablePkgs = import nixpkgs-unstable commonPkgsConfig;
        in
        lib.nixosSystem (lib.recursiveUpdate
        {
          system = crossSystem;
          inherit pkgs;
          specialArgs = {
            inherit inputs unstablePkgs;
            values = import ./values.nix;
            fp = path: ./${path};
          } // specialArgs;
          modules = [
            {
              networking.hostName = lib.mkDefault name;
            }
            configurationPath
          ] ++ (lib.optionals enableDefaults [
            sops-nix.nixosModules.sops
            inputs.roowho2.nixosModules.default
            self.nixosModules.rsync-pull-targets
          ]) ++ modules;
        }
        (builtins.removeAttrs extraArgs [
-          "system"
+          "localSystem"
          "crossSystem"
          "modules"
          "overlays"
          "specialArgs"
@@ -135,7 +147,7 @@
    in {
      bakke = stableNixosConfig "bakke" {
        modules = [
-          disko.nixosModules.disko
+          inputs.disko.nixosModules.disko
        ];
      };
      bicep = stableNixosConfig "bicep" {
@@ -157,22 +169,25 @@
      bekkalokk = stableNixosConfig "bekkalokk" {
        overlays = [
          (final: prev: {
            heimdal = unstablePkgs.heimdal;
            mediawiki-extensions = final.callPackage ./packages/mediawiki-extensions { };
            simplesamlphp = final.callPackage ./packages/simplesamlphp { };
            bluemap = final.callPackage ./packages/bluemap.nix { };
          })
          inputs.pvv-nettsiden.overlays.default
          inputs.qotd.overlays.default
        ];
        modules = [
          inputs.pvv-nettsiden.nixosModules.default
          self.nixosModules.bluemap
          inputs.qotd.nixosModules.default
        ];
      };
      ildkule = stableNixosConfig "ildkule" { };
      #ildkule-unstable = unstableNixosConfig "ildkule" { };
      shark = stableNixosConfig "shark" { };
      wenche = stableNixosConfig "wenche" { };
      temmie = stableNixosConfig "temmie" { };
      gluttony = stableNixosConfig "gluttony" { };
      kommode = stableNixosConfig "kommode" {
        overlays = [
@@ -180,6 +195,7 @@
        ];
        modules = [
          inputs.nix-gitea-themes.nixosModules.default
          inputs.disko.nixosModules.disko
        ];
      };
@@ -211,17 +227,39 @@
          inputs.gergle.overlays.default
        ];
      };
-      skrott = stableNixosConfig "skrott" {
+    }
-        system = "aarch64-linux";
+    //
    (let
      skrottConfig = {
        modules = [
          (nixpkgs + "/nixos/modules/installer/sd-card/sd-image-aarch64.nix")
          inputs.dibbler.nixosModules.default
        ];
        overlays = [
          inputs.dibbler.overlays.default
          (final: prev: {
            # NOTE: Yeetus (these break crosscompile ¯\_(ツ)_/¯)
            atool = prev.emptyDirectory;
            micro = prev.emptyDirectory;
            ncdu = prev.emptyDirectory;
          })
        ];
      };
-    }
+    in {
      skrott = self.nixosConfigurations.skrott-native;
      skrott-native = stableNixosConfig "skrott" (skrottConfig // {
        localSystem = "aarch64-linux";
        crossSystem = "aarch64-linux";
      });
      skrott-cross = stableNixosConfig "skrott" (skrottConfig // {
        localSystem = "x86_64-linux";
        crossSystem = "aarch64-linux";
      });
      skrott-x86_64 = stableNixosConfig "skrott" (skrottConfig // {
        localSystem = "x86_64-linux";
        crossSystem = "x86_64-linux";
      });
    })
    //
    (let
      machineNames = map (i: "lupine-${toString i}") (lib.range 1 5);
@@ -234,15 +272,25 @@
    nixosModules = {
      bluemap = ./modules/bluemap.nix;
      snakeoil-certs = ./modules/snakeoil-certs.nix;
      snappymail = ./modules/snappymail.nix;
      robots-txt = ./modules/robots-txt.nix;
      gickup = ./modules/gickup;
      matrix-ooye = ./modules/matrix-ooye.nix;
      robots-txt = ./modules/robots-txt.nix;
      rsync-pull-targets = ./modules/rsync-pull-targets.nix;
      snakeoil-certs = ./modules/snakeoil-certs.nix;
      snappymail = ./modules/snappymail.nix;
    };
    devShells = forAllSystems (system: {
-      default = nixpkgs-unstable.legacyPackages.${system}.callPackage ./shell.nix { };
+      default = let
        pkgs = import nixpkgs-unstable {
          inherit system;
          overlays = [
            (final: prev: {
              inherit (inputs.disko.packages.${system}) disko;
            })
          ];
        };
      in pkgs.callPackage ./shell.nix { };
      cuda = let
        cuda-pkgs = import nixpkgs-unstable {
          inherit system;
@@ -256,19 +304,20 @@
    packages = {
      "x86_64-linux" = let
-        pkgs = nixpkgs.legacyPackages."x86_64-linux";
+        system = "x86_64-linux";
        pkgs = nixpkgs.legacyPackages.${system};
      in rec {
        default = important-machines;
        important-machines = pkgs.linkFarm "important-machines"
-          (lib.getAttrs importantMachines self.packages.x86_64-linux);
+          (lib.getAttrs importantMachines self.packages.${system});
        all-machines = pkgs.linkFarm "all-machines"
-          (lib.getAttrs allMachines self.packages.x86_64-linux);
+          (lib.getAttrs allMachines self.packages.${system});
        simplesamlphp = pkgs.callPackage ./packages/simplesamlphp { };
        bluemap = pkgs.callPackage ./packages/bluemap.nix { };
-        out-of-your-element = pkgs.callPackage ./packages/out-of-your-element.nix { };
+        out-of-your-element = pkgs.callPackage ./packages/ooye/package.nix { };
      }
      //
      # Mediawiki extensions
@@ -284,18 +333,23 @@
      //
      # Skrott is exception
      {
-        skrott = self.nixosConfigurations.skrott.config.system.build.sdImage;
+        skrott = self.packages.${system}.skrott-native-sd;
        skrott-native = self.nixosConfigurations.skrott-native.config.system.build.toplevel;
        skrott-native-sd = self.nixosConfigurations.skrott-native.config.system.build.sdImage;
        skrott-cross = self.nixosConfigurations.skrott-cross.config.system.build.toplevel;
        skrott-cross-sd = self.nixosConfigurations.skrott-cross.config.system.build.sdImage;
        skrott-x86_64 = self.nixosConfigurations.skrott-x86_64.config.system.build.toplevel;
      }
      //
      # Nix-topology
      (let
        topology' = import inputs.nix-topology {
          pkgs = import nixpkgs {
-            system = "x86_64-linux";
+            inherit system;
            overlays = [
              inputs.nix-topology.overlays.default
              (final: prev: {
-                inherit (nixpkgs-unstable.legacyPackages.x86_64-linux) super-tiny-icons;
+                inherit (nixpkgs-unstable.legacyPackages.${system}) super-tiny-icons;
              })
            ];
          };
--- a/hosts/bakke/configuration.nix
+++ b/hosts/bakke/configuration.nix
@@ -6,20 +6,13 @@
      ./filesystems.nix
    ];
  sops.defaultSopsFile = ../../secrets/bakke/bakke.yaml;
  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
  sops.age.keyFile = "/var/lib/sops-nix/key.txt";
  sops.age.generateKey = true;
  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;
  networking.hostName = "bakke";
  networking.hostId = "99609ffc";
  systemd.network.networks."30-enp2s0" = values.defaultNetworkConfig // {
    matchConfig.Name = "enp2s0";
    address = with values.hosts.bakke; [ (ipv4 + "/25") (ipv6 + "/64") ];
  };
  # Don't change (even during upgrades) unless you know what you are doing.
  # See https://search.nixos.org/options?show=system.stateVersion
  system.stateVersion = "24.05";
 }
--- a/hosts/bakke/filesystems.nix
+++ b/hosts/bakke/filesystems.nix
@@ -1,17 +1,17 @@
-{ config, pkgs, lib, ... }:
+{ pkgs,... }:
 {
  # Boot drives:
  boot.swraid.enable = true;
  # ZFS Data pool:
  environment.systemPackages = with pkgs; [ zfs ];
  boot = {
    zfs = {
      extraPools = [ "tank" ];
      requestEncryptionCredentials = false;
    };
-    supportedFilesystems = [ "zfs" ];
+    supportedFilesystems.zfs = true;
-    kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
+    # Use stable linux packages, these work with zfs
    kernelPackages = pkgs.linuxPackages;
  };
  services.zfs.autoScrub = {
    enable = true;
--- a/hosts/bakke/hardware-configuration.nix
+++ b/hosts/bakke/hardware-configuration.nix
@@ -1,4 +1,4 @@
-# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# Do not modify this file!  It was generated by 'nixos-generate-config'
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 { config, lib, pkgs, modulesPath, ... }:
--- a/hosts/bekkalokk/configuration.nix
+++ b/hosts/bekkalokk/configuration.nix
@@ -16,18 +16,9 @@
    ./services/webmail
    ./services/website
    ./services/well-known
    ./services/qotd
  ];
  sops.defaultSopsFile = fp /secrets/bekkalokk/bekkalokk.yaml;
  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
  sops.age.keyFile = "/var/lib/sops-nix/key.txt";
  sops.age.generateKey = true;
  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;
  networking.hostName = "bekkalokk";
  systemd.network.networks."30-enp2s0" = values.defaultNetworkConfig // {
    matchConfig.Name = "enp2s0";
    address = with values.hosts.bekkalokk; [ (ipv4 + "/25") (ipv6 + "/64") ];
@@ -35,7 +26,7 @@
  services.btrfs.autoScrub.enable = true;
-  # Do not change, even during upgrades.
+  # Don't change (even during upgrades) unless you know what you are doing.
  # See https://search.nixos.org/options?show=system.stateVersion
-  system.stateVersion = "22.11";
+  system.stateVersion = "25.11";
 }
--- a/hosts/bekkalokk/hardware-configuration.nix
+++ b/hosts/bekkalokk/hardware-configuration.nix
@@ -1,4 +1,4 @@
-# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# Do not modify this file!  It was generated by 'nixos-generate-config'
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 { config, lib, pkgs, modulesPath, ... }:
--- a/hosts/bekkalokk/services/bluemap.nix
+++ b/hosts/bekkalokk/services/bluemap.nix
@@ -21,6 +21,7 @@ in {
      inherit (inputs.minecraft-kartverket.packages.${pkgs.stdenv.hostPlatform.system}) bluemap-export;
    in {
      "verden" = {
        extraHoconMarkersFile = "${bluemap-export}/overworld.hocon";
        settings = {
          world = vanillaSurvival;
          dimension = "minecraft:overworld";
@@ -32,12 +33,10 @@ in {
          };
          ambient-light = 0.1;
          cave-detection-ocean-floor = -5;
          marker-sets = {
            _includes = [ (format.lib.mkInclude "${bluemap-export}/overworld.hocon") ];
          };
        };
      };
      "underverden" = {
        extraHoconMarkersFile = "${bluemap-export}/nether.hocon";
        settings = {
          world = vanillaSurvival;
          dimension = "minecraft:the_nether";
@@ -57,12 +56,10 @@ in {
          render-mask = [{
            max-y = 90;
          }];
          marker-sets = {
            _includes = [ (format.lib.mkInclude "${bluemap-export}/nether.hocon") ];
          };
        };
      };
      "enden" = {
        extraHoconMarkersFile = "${bluemap-export}/the-end.hocon";
        settings = {
          world = vanillaSurvival;
          dimension = "minecraft:the_end";
@@ -78,9 +75,6 @@ in {
          ambient-light = 0.6;
          remove-caves-below-y = -10000;
          cave-detection-ocean-floor = -5;
          marker-sets = {
            _includes = [ (format.lib.mkInclude "${bluemap-export}/the-end.hocon") ];
          };
        };
      };
    };
--- a/hosts/bekkalokk/services/mediawiki/default.nix
+++ b/hosts/bekkalokk/services/mediawiki/default.nix
@@ -1,4 +1,4 @@
-{ pkgs, lib, fp, config, values, pkgs-unstable, ... }: let
+{ pkgs, lib, fp, config, values, ... }: let
  cfg = config.services.mediawiki;
  # "mediawiki"
@@ -34,6 +34,7 @@ in {
  services.idp.sp-remote-metadata = [ "https://wiki.pvv.ntnu.no/simplesaml/" ];
  sops.secrets = lib.pipe [
    "mediawiki/secret-key"
    "mediawiki/password"
    "mediawiki/postgres_password"
    "mediawiki/simplesamlphp/postgres_password"
@@ -48,6 +49,23 @@ in {
    lib.listToAttrs
  ];
  services.rsync-pull-targets = {
    enable = true;
    locations.${cfg.uploadsDir} = {
      user = "root";
      rrsyncArgs.ro = true;
      authorizedKeysAttrs = [
        "restrict"
        "from=\"principal.pvv.ntnu.no,${values.hosts.principal.ipv6},${values.hosts.principal.ipv4}\""
        "no-agent-forwarding"
        "no-port-forwarding"
        "no-pty"
        "no-X11-forwarding"
      ];
      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICHFHa3Iq1oKPhbKCAIHgOoWOTkLmIc7yqxeTbut7ig/ mediawiki rsync backup";
    };
  };
  services.mediawiki = {
    enable = true;
    name = "Programvareverkstedet";
@@ -144,6 +162,24 @@ in {
      $wgDBserver = "${toString cfg.database.host}";
      $wgAllowCopyUploads = true;
      # Files
      $wgFileExtensions = [
        'bmp',
        'gif',
        'jpeg',
        'jpg',
        'mp3',
        'odg',
        'odp',
        'ods',
        'odt',
        'pdf',
        'png',
        'tiff',
        'webm',
        'webp',
      ];
      # Misc program paths
      $wgFFmpegLocation = '${pkgs.ffmpeg}/bin/ffmpeg';
      $wgExiftool = '${pkgs.exiftool}/bin/exiftool';
@@ -179,15 +215,15 @@ in {
  # Cache directory for simplesamlphp
  # systemd.services.phpfpm-mediawiki.serviceConfig.CacheDirectory = "mediawiki/simplesamlphp";
-  systemd.tmpfiles.settings."10-mediawiki"."/var/cache/mediawiki/simplesamlphp".d = {
+  systemd.tmpfiles.settings."10-mediawiki"."/var/cache/mediawiki/simplesamlphp".d = lib.mkIf cfg.enable {
    user = "mediawiki";
    group = "mediawiki";
    mode = "0770";
  };
-  users.groups.mediawiki.members = [ "nginx" ];
+  users.groups.mediawiki.members = lib.mkIf cfg.enable [ "nginx" ];
-  services.nginx.virtualHosts."wiki.pvv.ntnu.no" = {
+  services.nginx.virtualHosts."wiki.pvv.ntnu.no" = lib.mkIf cfg.enable {
    kTLS = true;
    forceSSL = true;
    enableACME = true;
@@ -233,4 +269,22 @@ in {
    };
  };
  systemd.services.mediawiki-init = lib.mkIf cfg.enable {
    after = [ "sops-install-secrets.service" ];
    serviceConfig = {
      BindReadOnlyPaths = [ "/run/credentials/mediawiki-init.service/secret-key:/var/lib/mediawiki/secret.key" ];
      LoadCredential = [ "secret-key:${config.sops.secrets."mediawiki/secret-key".path}" ];
      UMask = lib.mkForce "0007";
    };
  };
  systemd.services.phpfpm-mediawiki = lib.mkIf cfg.enable {
    after = [ "sops-install-secrets.service" ];
    serviceConfig = {
      BindReadOnlyPaths = [ "/run/credentials/phpfpm-mediawiki.service/secret-key:/var/lib/mediawiki/secret.key" ];
      LoadCredential = [ "secret-key:${config.sops.secrets."mediawiki/secret-key".path}" ];
      UMask = lib.mkForce "0007";
    };
  };
 }
--- a/hosts/bekkalokk/services/qotd/default.nix
+++ b/hosts/bekkalokk/services/qotd/default.nix
@@ -0,0 +1,6 @@
 {
  services.qotd = {
    enable = true;
    quotes = builtins.fromJSON (builtins.readFile ./quotes.json);
  };
 }
--- a/hosts/bekkalokk/services/qotd/quotes.json
+++ b/hosts/bekkalokk/services/qotd/quotes.json
@@ -0,0 +1 @@
 ["quote 1", "quote 2"]
--- a/hosts/bekkalokk/services/vaultwarden.nix
+++ b/hosts/bekkalokk/services/vaultwarden.nix
@@ -1,4 +1,4 @@
-{ config, pkgs, lib, ... }:
+{ config, pkgs, lib, values, ... }:
 let
  cfg = config.services.vaultwarden;
  domain = "pw.pvv.ntnu.no";
@@ -99,4 +99,21 @@ in {
      ];
    };
  };
  services.rsync-pull-targets = {
    enable = true;
    locations."/var/lib/vaultwarden" = {
      user = "root";
      rrsyncArgs.ro = true;
      authorizedKeysAttrs = [
        "restrict"
        "from=\"principal.pvv.ntnu.no,${values.hosts.principal.ipv6},${values.hosts.principal.ipv4}\""
        "no-agent-forwarding"
        "no-port-forwarding"
        "no-pty"
        "no-X11-forwarding"
      ];
      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB2cDaW52gBtLVaNqoGijvN2ZAVkAWlII5AXUzT3Dswj vaultwarden rsync backup";
    };
  };
 }
--- a/hosts/bekkalokk/services/webmail/snappymail.nix
+++ b/hosts/bekkalokk/services/webmail/snappymail.nix
@@ -1,4 +1,4 @@
-{ config, lib, fp, pkgs, ... }:
+{ config, lib, fp, pkgs, values, ... }:
 let
  cfg = config.services.snappymail;
 in {
@@ -14,5 +14,21 @@ in {
    enableACME = true;
    kTLS = true;
  };
 }
  services.rsync-pull-targets = {
    enable = true;
    locations.${cfg.dataDir} = {
      user = "root";
      rrsyncArgs.ro = true;
      authorizedKeysAttrs = [
        "restrict"
        "from=\"principal.pvv.ntnu.no,${values.hosts.principal.ipv6},${values.hosts.principal.ipv4}\""
        "no-agent-forwarding"
        "no-port-forwarding"
        "no-pty"
        "no-X11-forwarding"
      ];
      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJENMnuNsHEeA91oX+cj7Qpex2defSXP/lxznxCAqV03 snappymail rsync backup";
    };
  };
 }
--- a/hosts/bekkalokk/services/website/fetch-gallery.nix
+++ b/hosts/bekkalokk/services/website/fetch-gallery.nix
@@ -1,15 +1,30 @@
-{ pkgs, lib, config, ... }:
+{ pkgs, lib, config, values, ... }:
 let
  galleryDir = config.services.pvv-nettsiden.settings.GALLERY.DIR;
  transferDir = "${config.services.pvv-nettsiden.settings.GALLERY.DIR}-transfer";
 in {
  users.users.${config.services.pvv-nettsiden.user} = {
    # NOTE: the user unfortunately needs a registered shell for rrsync to function...
    #       is there anything we can do to remove this?
    useDefaultShell = true;
  };
-    # This is pushed from microbel:/var/www/www-gallery/build-gallery.sh
+  # This is pushed from microbel:/var/www/www-gallery/build-gallery.sh
-    openssh.authorizedKeys.keys = [
+  services.rsync-pull-targets = {
-    ''command="${pkgs.rrsync}/bin/rrsync -wo ${transferDir}",restrict,no-agent-forwarding,no-port-forwarding,no-pty,no-X11-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIjHhC2dikhWs/gG+m7qP1eSohWzTehn4ToNzDSOImyR gallery-publish''
+    enable = true;
-    ];
+    locations.${transferDir} = {
      user = config.services.pvv-nettsiden.user;
      rrsyncArgs.wo = true;
      authorizedKeysAttrs = [
        "restrict"
        "from=\"microbel.pvv.ntnu.no,${values.hosts.microbel.ipv6},${values.hosts.microbel.ipv4}\""
        "no-agent-forwarding"
        "no-port-forwarding"
        "no-pty"
        "no-X11-forwarding"
      ];
      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIjHhC2dikhWs/gG+m7qP1eSohWzTehn4ToNzDSOImyR gallery-publish";
    };
  };
  systemd.paths.pvv-nettsiden-gallery-update = {
@@ -32,8 +47,8 @@ in {
      }}
      # Delete files and directories that exists in the gallery that don't exist in the tarball
-      filesToRemove=$(uniq -u <(sort <(find . -not -path "./.thumbnails*") <(tar -tf ${transferDir}/gallery.tar.gz | sed 's|/$||')))
+      filesToRemove=$(uniq -u <(sort <(find . -not -path "./.thumbnails*") <(tar -tf "${transferDir}/gallery.tar.gz" | sed 's|/$||')))
-      while IFS= read fname; do
+      while IFS= read -r fname; do
        rm -f "$fname" ||:
        rm -f ".thumbnails/$fname.png" ||:
      done <<< "$filesToRemove"
@@ -43,7 +58,7 @@ in {
      mkdir -p .thumbnails
      images=$(find . -type f -not -path "./.thumbnails*")
-      while IFS= read fname; do
+      while IFS= read -r fname; do
        # Skip this file if an up-to-date thumbnail already exists
        if [ -f ".thumbnails/$fname.png" ] && \
          [ "$(date -R -r "$fname")" == "$(date -R -r ".thumbnails/$fname.png")" ]
@@ -52,7 +67,7 @@ in {
        fi
        echo "Creating thumbnail for $fname"
-        mkdir -p $(dirname ".thumbnails/$fname")
+        mkdir -p "$(dirname ".thumbnails/$fname")"
        magick -define jpeg:size=200x200 "$fname" -thumbnail 300 -auto-orient ".thumbnails/$fname.png" ||:
        touch -m -d "$(date -R -r "$fname")" ".thumbnails/$fname.png"
      done <<< "$images"
--- a/hosts/bekkalokk/services/well-known/default.nix
+++ b/hosts/bekkalokk/services/well-known/default.nix
@@ -1,18 +1,25 @@
-{ ... }:
+{ lib, ... }:
 {
-  services.nginx.virtualHosts."www.pvv.ntnu.no".locations = {
+  services.nginx.virtualHosts = lib.genAttrs [
-    "^~ /.well-known/" = {
+    "pvv.ntnu.no"
-      alias = (toString ./root) + "/";
+    "www.pvv.ntnu.no"
-    };
+    "pvv.org"
    "www.pvv.org"
  ] (_: {
    locations = {
      "^~ /.well-known/" = {
        alias = (toString ./root) + "/";
      };
-    # Proxy the matrix well-known files
+      # Proxy the matrix well-known files
-    # Host has be set before proxy_pass
+      # Host has be set before proxy_pass
-    # The header must be set so nginx on the other side routes it to the right place
+      # The header must be set so nginx on the other side routes it to the right place
-    "^~ /.well-known/matrix/" = {
+      "^~ /.well-known/matrix/" = {
-      extraConfig = ''
+        extraConfig = ''
-        proxy_set_header Host matrix.pvv.ntnu.no;
+          proxy_set_header Host matrix.pvv.ntnu.no;
-        proxy_pass https://matrix.pvv.ntnu.no/.well-known/matrix/;
+          proxy_pass https://matrix.pvv.ntnu.no/.well-known/matrix/;
-      '';
+        '';
      };
    };
-  };
+  });
 }
--- a/hosts/bekkalokk/services/well-known/root/security.txt
+++ b/hosts/bekkalokk/services/well-known/root/security.txt
@@ -6,7 +6,11 @@ Contact: mailto:cert@pvv.ntnu.no
 Preferred-Languages: no, en
 Expires: 2032-12-31T23:59:59.000Z
-# This file was last updated 2024-09-14.
+# This file was last updated 2026-02-27.
 # You can find a wikipage for our security policies at:
 # https://wiki.pvv.ntnu.no/wiki/CERT
 # Please note that we are a student organization, and unfortunately we do not
 # have a bug bounty program or offer monetary compensation for disclosure of
 # security vulnerabilities.
--- a/hosts/bicep/configuration.nix
+++ b/hosts/bicep/configuration.nix
@@ -9,22 +9,12 @@
    ./services/calendar-bot.nix
    #./services/git-mirrors
    ./services/minecraft-heatmap.nix
-    ./services/mysql.nix
+    ./services/mysql
-    ./services/postgres.nix
+    ./services/postgresql
    ./services/matrix
  ];
  sops.defaultSopsFile = fp /secrets/bicep/bicep.yaml;
  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
  sops.age.keyFile = "/var/lib/sops-nix/key.txt";
  sops.age.generateKey = true;
  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;
  networking.hostName = "bicep";
  #systemd.network.networks."30-enp6s0f0" = values.defaultNetworkConfig // {
  systemd.network.networks."30-ens18" = values.defaultNetworkConfig // {
    #matchConfig.Name = "enp6s0f0";
@@ -36,17 +26,9 @@
    anyInterface = true;
  };
  # There are no smart devices
  services.smartd.enable = false;
  # we are a vm now
  services.qemuGuest.enable = true;
-  # Enable the OpenSSH daemon.
+  # Don't change (even during upgrades) unless you know what you are doing.
  services.openssh.enable = true;
  services.sshguard.enable = true;
  # Do not change, even during upgrades.
  # See https://search.nixos.org/options?show=system.stateVersion
-  system.stateVersion = "22.11";
+  system.stateVersion = "25.11";
 }
--- a/hosts/bicep/hardware-configuration.nix
+++ b/hosts/bicep/hardware-configuration.nix
@@ -1,4 +1,4 @@
-# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# Do not modify this file!  It was generated by 'nixos-generate-config'
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 { config, lib, pkgs, modulesPath, ... }:
--- a/hosts/bicep/services/git-mirrors/default.nix
+++ b/hosts/bicep/services/git-mirrors/default.nix
@@ -66,6 +66,7 @@ in
      package = pkgs.callPackage (fp /packages/cgit.nix) { };
      group = "gickup";
      scanPath = "${cfg.dataDir}/linktree";
      gitHttpBackend.checkExportOkFiles = false;
      settings = {
        enable-commit-graph = true;
        enable-follow-links = true;
--- a/hosts/bicep/services/matrix/coturn.nix
+++ b/hosts/bicep/services/matrix/coturn.nix
@@ -1,13 +1,6 @@
 { config, lib, fp, pkgs, secrets, values, ... }:
 {
  sops.secrets."matrix/synapse/turnconfig" = {
    sopsFile = fp /secrets/bicep/matrix.yaml;
    key = "synapse/turnconfig";
    owner = config.users.users.matrix-synapse.name;
    group = config.users.users.matrix-synapse.group;
    restartUnits = [ "coturn.service" ];
  };
  sops.secrets."matrix/coturn/static-auth-secret" = {
    sopsFile = fp /secrets/bicep/matrix.yaml;
    key = "coturn/static-auth-secret";
@@ -16,9 +9,18 @@
    restartUnits = [ "coturn.service" ];
  };
  sops.templates."matrix-synapse-turnconfig" = {
    owner = config.users.users.matrix-synapse.name;
    group = config.users.users.matrix-synapse.group;
    content = ''
      turn_shared_secret: ${config.sops.placeholder."matrix/coturn/static-auth-secret"}
    '';
    restartUnits = [ "matrix-synapse.target" ];
  };
  services.matrix-synapse-next = {
    extraConfigFiles = [
-      config.sops.secrets."matrix/synapse/turnconfig".path
+      config.sops.templates."matrix-synapse-turnconfig".path
    ];
    settings = {
--- a/hosts/bicep/services/matrix/default.nix
+++ b/hosts/bicep/services/matrix/default.nix
@@ -1,19 +1,17 @@
 { config, ... }:
 {
  imports = [
    ./synapse.nix
    ./synapse-admin.nix
    ./synapse-auto-compressor.nix
    ./synapse.nix
    ./element.nix
    ./coturn.nix
    ./livekit.nix
    ./mjolnir.nix
    ./well-known.nix
    # ./discord.nix
    ./out-of-your-element.nix
    ./hookshot
  ];
 }
--- a/hosts/bicep/services/matrix/element.nix
+++ b/hosts/bicep/services/matrix/element.nix
@@ -2,6 +2,13 @@
 let
  synapse-cfg = config.services.matrix-synapse-next;
 in {
  services.pvv-matrix-well-known.client = {
    "m.homeserver" = {
      base_url = "https://matrix.pvv.ntnu.no";
      server_name = "pvv.ntnu.no";
    };
  };
  services.nginx.virtualHosts."chat.pvv.ntnu.no" = {
    enableACME = true;
    forceSSL = true;
@@ -9,10 +16,10 @@ in {
    root = pkgs.element-web.override {
      conf = {
-        default_server_config."m.homeserver" = {
+        # Tries to look up well-known first, else uses bundled config.
-          base_url = "https://matrix.pvv.ntnu.no";
+        default_server_name = "matrix.pvv.ntnu.no";
-          server_name = "pvv.ntnu.no";
+        default_server_config = config.services.pvv-matrix-well-known.client;
-        };
+
        disable_3pid_login = true;
 #        integrations_ui_url = "https://dimension.dodsorf.as/riot";
 #        integrations_rest_url = "https://dimension.dodsorf.as/api/v1/scalar";
@@ -30,6 +37,7 @@ in {
          # element call group calls
          feature_group_calls = true;
        };
        default_country_code = "NO";
        default_theme = "dark";
        # Servers in this list should provide some sort of valuable scoping
        # matrix.org is not useful compared to matrixrooms.info,
--- a/hosts/bicep/services/matrix/hookshot/default.nix
+++ b/hosts/bicep/services/matrix/hookshot/default.nix
@@ -14,6 +14,10 @@ in
    sopsFile = fp /secrets/bicep/matrix.yaml;
    key = "hookshot/hs_token";
  };
  sops.secrets."matrix/hookshot/passkey" = {
    sopsFile = fp /secrets/bicep/matrix.yaml;
    key = "hookshot/passkey";
  };
  sops.templates."hookshot-registration.yaml" = {
    owner = config.users.users.matrix-synapse.name;
@@ -44,9 +48,14 @@ in
  };
  systemd.services.matrix-hookshot = {
-    serviceConfig.SupplementaryGroups = [
+    serviceConfig = {
-      config.users.groups.keys-matrix-registrations.name
+      SupplementaryGroups = [
-    ];
+        config.users.groups.keys-matrix-registrations.name
      ];
      LoadCredential = [
        "passkey.pem:${config.sops.secrets."matrix/hookshot/passkey".path}"
      ];
    };
  };
  services.matrix-hookshot = {
@@ -54,6 +63,8 @@ in
    package = unstablePkgs.matrix-hookshot;
    registrationFile = config.sops.templates."hookshot-registration.yaml".path;
    settings = {
      passFile = "/run/credentials/matrix-hookshot.service/passkey.pem";
      bridge = {
        bindAddress = "127.0.0.1";
        domain = "pvv.ntnu.no";
@@ -61,6 +72,7 @@ in
        mediaUrl = "https://matrix.pvv.ntnu.no";
        port = 9993;
      };
      listeners = [
        {
          bindAddress = webhookListenAddress;
@@ -73,6 +85,7 @@ in
          ];
        }
      ];
      generic = {
        enabled = true;
        outbound = true;
--- a/hosts/bicep/services/matrix/livekit.nix
+++ b/hosts/bicep/services/matrix/livekit.nix
@@ -0,0 +1,67 @@
 { config, lib, fp, ... }:
 let
  synapseConfig = config.services.matrix-synapse-next;
  matrixDomain = "matrix.pvv.ntnu.no";
  cfg = config.services.livekit;
 in
 {
  sops.secrets."matrix/livekit/keyfile/lk-jwt-service" = {
    sopsFile = fp /secrets/bicep/matrix.yaml;
    key = "livekit/keyfile/lk-jwt-service";
  };
  sops.templates."matrix-livekit-keyfile" = {
    restartUnits = [
      "livekit.service"
      "lk-jwt-service.service"
    ];
    content = ''
      lk-jwt-service: ${config.sops.placeholder."matrix/livekit/keyfile/lk-jwt-service"}
    '';
  };
  services.pvv-matrix-well-known.client = lib.mkIf cfg.enable {
    "org.matrix.msc4143.rtc_foci" = [{
      type = "livekit";
      livekit_service_url = "https://${matrixDomain}/livekit/jwt";
    }];
  };
  services.livekit = {
    enable = true;
    openFirewall = true;
    keyFile = config.sops.templates."matrix-livekit-keyfile".path;
    # NOTE: needed for ingress/egress workers
    # redis.createLocally = true;
    # settings.room.auto_create = false;
  };
  services.lk-jwt-service = lib.mkIf cfg.enable {
    enable = true;
    livekitUrl = "wss://${matrixDomain}/livekit/sfu";
    keyFile = config.sops.templates."matrix-livekit-keyfile".path;
  };
  systemd.services.lk-jwt-service.environment.LIVEKIT_FULL_ACCESS_HOMESERVERS = lib.mkIf cfg.enable matrixDomain;
  services.nginx.virtualHosts.${matrixDomain} = lib.mkIf cfg.enable {
    locations."^~ /livekit/jwt/" = {
      proxyPass = "http://localhost:${toString config.services.lk-jwt-service.port}/";
    };
    # TODO: load balance to multiple livekit ingress/egress workers
    locations."^~ /livekit/sfu/" = {
      proxyPass = "http://localhost:${toString config.services.livekit.settings.port}/";
      proxyWebsockets = true;
      extraConfig = ''
        proxy_send_timeout 120;
        proxy_read_timeout 120;
        proxy_buffering off;
        proxy_set_header Accept-Encoding gzip;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
      '';
    };
  };
 }
--- a/hosts/bicep/services/matrix/synapse-auto-compressor.nix
+++ b/hosts/bicep/services/matrix/synapse-auto-compressor.nix
@@ -0,0 +1,56 @@
 { config, lib, utils, ... }:
 let
  cfg = config.services.synapse-auto-compressor;
 in
 {
  services.synapse-auto-compressor = {
    # enable = true;
    postgresUrl = "postgresql://matrix-synapse@/synapse?host=/run/postgresql";
  };
  # NOTE: nixpkgs has some broken asserts, vendored the entire unit
  systemd.services.synapse-auto-compressor = {
    description = "synapse-auto-compressor";
    requires = [
      "postgresql.target"
    ];
    inherit (cfg) startAt;
    serviceConfig = {
      Type = "oneshot";
      DynamicUser = true;
      User = "matrix-synapse";
      PrivateTmp = true;
      ExecStart = utils.escapeSystemdExecArgs [
        "${cfg.package}/bin/synapse_auto_compressor"
        "-p"
        cfg.postgresUrl
        "-c"
        cfg.settings.chunk_size
        "-n"
        cfg.settings.chunks_to_compress
        "-l"
        (lib.concatStringsSep "," (map toString cfg.settings.levels))
      ];
      LockPersonality = true;
      MemoryDenyWriteExecute = true;
      NoNewPrivileges = true;
      PrivateDevices = true;
      PrivateMounts = true;
      PrivateUsers = true;
      RemoveIPC = true;
      RestrictNamespaces = true;
      RestrictRealtime = true;
      RestrictSUIDSGID = true;
      ProcSubset = "pid";
      ProtectProc = "invisible";
      ProtectSystem = "strict";
      ProtectHome = true;
      ProtectHostname = true;
      ProtectClock = true;
      ProtectKernelTunables = true;
      ProtectKernelModules = true;
      ProtectKernelLogs = true;
      ProtectControlGroups = true;
    };
  };
 }
--- a/hosts/bicep/services/matrix/synapse.nix
+++ b/hosts/bicep/services/matrix/synapse.nix
@@ -15,11 +15,33 @@ in {
    group = config.users.users.matrix-synapse.group;
  };
-  sops.secrets."matrix/synapse/user_registration" = {
+  sops.secrets."matrix/synapse/user_registration/registration_shared_secret" = {
    sopsFile = fp /secrets/bicep/matrix.yaml;
-    key = "synapse/signing_key";
+    key = "synapse/user_registration/registration_shared_secret";
  };
  sops.templates."matrix-synapse-user-registration" = {
    owner = config.users.users.matrix-synapse.name;
    group = config.users.users.matrix-synapse.group;
    content = ''
      registration_shared_secret: ${config.sops.placeholder."matrix/synapse/user_registration/registration_shared_secret"}
    '';
  };
  services.rsync-pull-targets = {
    enable = true;
    locations.${cfg.settings.media_store_path} = {
      user = "root";
      rrsyncArgs.ro = true;
      authorizedKeysAttrs = [
        "restrict"
        "from=\"principal.pvv.ntnu.no,${values.hosts.principal.ipv6},${values.hosts.principal.ipv4}\""
        "no-agent-forwarding"
        "no-port-forwarding"
        "no-pty"
        "no-X11-forwarding"
      ];
      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIASnjI9b3j4ZS3BL/D1ggHfws1BkE8iS0v0cGpEmbG+k matrix_media_store rsync backup";
    };
  };
  services.matrix-synapse-next = {
@@ -83,7 +105,7 @@ in {
      mau_stats_only = true;
      enable_registration = false;
-      registration_shared_secret_path = config.sops.secrets."matrix/synapse/user_registration".path;
+      registration_shared_secret_path = config.sops.templates."matrix-synapse-user-registration".path;
      password_config.enabled = true;
@@ -95,6 +117,32 @@ in {
        }
      ];
      experimental_features = {
        # MSC3266: Room summary API. Used for knocking over federation
        msc3266_enabled = true;
        # MSC4222 needed for syncv2 state_after. This allow clients to
        # correctly track the state of the room.
        msc4222_enabled = true;
      };
      # The maximum allowed duration by which sent events can be delayed, as
      # per MSC4140.
      max_event_delay_duration = "24h";
      rc_message = {
        # This needs to match at least e2ee key sharing frequency plus a bit of headroom
        # Note key sharing events are bursty
        per_second = 0.5;
        burst_count = 30;
      };
      rc_delayed_event_mgmt = {
        # This needs to match at least the heart-beat frequency plus a bit of headroom
        # Currently the heart-beat is every 5 seconds which translates into a rate of 0.2s
        per_second = 1;
        burst_count = 20;
      };
      trusted_key_servers = [
        { server_name = "matrix.org"; }
        { server_name = "dodsorf.as"; }
@@ -132,21 +180,12 @@ in {
  services.redis.servers."".enable = true;
  services.pvv-matrix-well-known.server."m.server" = "matrix.pvv.ntnu.no:443";
  services.nginx.virtualHosts."matrix.pvv.ntnu.no" = lib.mkMerge [
  {
    kTLS = true;
  }
  {
    locations."/.well-known/matrix/server" = {
      return = ''
        200 '{"m.server": "matrix.pvv.ntnu.no:443"}'
      '';
      extraConfig = ''
        default_type application/json;
        add_header Access-Control-Allow-Origin *;
      '';
    };
  }
  {
    locations."/_synapse/admin" = {
      proxyPass = "http://$synapse_backend";
--- a/hosts/bicep/services/matrix/well-known.nix
+++ b/hosts/bicep/services/matrix/well-known.nix
@@ -0,0 +1,44 @@
 { config, pkgs, lib, ... }:
 let
  cfg = config.services.pvv-matrix-well-known;
  format = pkgs.formats.json { };
  matrixDomain = "matrix.pvv.ntnu.no";
 in
 {
  options.services.pvv-matrix-well-known = {
    client = lib.mkOption {
      type = lib.types.submodule { freeformType = format.type; };
      default = { };
      example = {
        "m.homeserver".base_url = "https://${matrixDomain}/";
      };
    };
    server = lib.mkOption {
      type = lib.types.submodule { freeformType = format.type; };
      default = { };
      example = {
        "m.server" = "https://${matrixDomain}/";
      };
    };
  };
  config = {
    services.nginx.virtualHosts.${matrixDomain} = {
      locations."= /.well-known/matrix/client" = lib.mkIf (cfg.client != { }) {
        alias = format.generate "nginx-well-known-matrix-server.json" cfg.client;
        extraConfig = ''
          default_type application/json;
          add_header Access-Control-Allow-Origin *;
        '';
      };
      locations."= /.well-known/matrix/server" = lib.mkIf (cfg.server != { }) {
        alias = format.generate "nginx-well-known-matrix-server.json" cfg.server;
        extraConfig = ''
          default_type application/json;
          add_header Access-Control-Allow-Origin *;
        '';
      };
    };
  };
 }
--- a/hosts/bicep/services/minecraft-heatmap.nix
+++ b/hosts/bicep/services/minecraft-heatmap.nix
@@ -22,7 +22,7 @@ in
    };
  };
-  systemd.services.minecraft-heatmap-ingest-logs = {
+  systemd.services.minecraft-heatmap-ingest-logs = lib.mkIf cfg.enable {
    serviceConfig.LoadCredential = [
      "sshkey:${config.sops.secrets."minecraft-heatmap/ssh-key/private".path}"
    ];
--- a/hosts/bicep/services/mysql/backup.nix
+++ b/hosts/bicep/services/mysql/backup.nix
@@ -0,0 +1,83 @@
 { config, lib, pkgs, values, ... }:
 let
  cfg = config.services.mysql;
  backupDir = "/data/mysql-backups";
 in
 {
  # services.mysqlBackup = lib.mkIf cfg.enable {
  #   enable = true;
  #   location = "/var/lib/mysql-backups";
  # };
  systemd.tmpfiles.settings."10-mysql-backups".${backupDir}.d = {
 	  user = "mysql";
 	  group = "mysql";
 	  mode = "700";
 	};
  services.rsync-pull-targets = lib.mkIf cfg.enable {
    enable = true;
    locations.${backupDir} = {
      user = "root";
      rrsyncArgs.ro = true;
      authorizedKeysAttrs = [
        "restrict"
        "from=\"principal.pvv.ntnu.no,${values.hosts.principal.ipv6},${values.hosts.principal.ipv4}\""
        "no-agent-forwarding"
        "no-port-forwarding"
        "no-pty"
        "no-X11-forwarding"
      ];
      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJgj55/7Cnj4cYMJ5sIkl+OwcGeBe039kXJTOf2wvo9j mysql rsync backup";
    };
  };
  # NOTE: instead of having the upstream nixpkgs postgres backup unit trigger
  #       another unit, it was easier to just make one ourselves.
  systemd.services."backup-mysql" = lib.mkIf cfg.enable {
    description = "Backup MySQL data";
    requires = [ "mysql.service" ];
    path = with pkgs; [
      cfg.package
      coreutils
      zstd
    ];
    script = let
      rotations = 2;
    in ''
      set -euo pipefail
      OUT_FILE="$STATE_DIRECTORY/mysql-dump-$(date --iso-8601).sql.zst"
      mysqldump --all-databases | zstd --compress -9 --rsyncable -o "$OUT_FILE"
      # NOTE: this needs to be a hardlink for rrsync to allow sending it
      rm "$STATE_DIRECTORY/mysql-dump-latest.sql.zst" ||:
      ln -T "$OUT_FILE" "$STATE_DIRECTORY/mysql-dump-latest.sql.zst"
      while [ "$(find "$STATE_DIRECTORY" -type f -printf '.' | wc -c)" -gt "${toString (rotations + 1)}" ]; do
        rm "$(find "$STATE_DIRECTORY" -type f -printf '%T+ %p\n' | sort | head -n 1 | cut -d' ' -f2)"
      done
    '';
    serviceConfig = {
      Type = "oneshot";
      User = "mysql";
      Group = "mysql";
      UMask = "0077";
      Nice = 19;
      IOSchedulingClass = "best-effort";
      IOSchedulingPriority = 7;
      StateDirectory = [ "mysql-backups" ];
      BindPaths = [ "${backupDir}:/var/lib/mysql-backups" ];
      # TODO: hardening
    };
    startAt = "*-*-* 02:15:00";
  };
 }
--- a/hosts/bicep/services/mysql/default.nix
+++ b/hosts/bicep/services/mysql/default.nix
@@ -1,5 +1,11 @@
-{ pkgs, lib, config, values, ... }:
+{ config, pkgs, lib, values, ... }:
 let
  cfg = config.services.mysql;
  dataDir = "/data/mysql";
 in
 {
  imports = [ ./backup.nix ];
  sops.secrets."mysql/password" = {
    owner = "mysql";
    group = "mysql";
@@ -9,8 +15,7 @@
  services.mysql = {
    enable = true;
-    dataDir = "/data/mysql";
+    package = pkgs.mariadb_118;
    package = pkgs.mariadb;
    settings = {
      mysqld = {
        # PVV allows a lot of connections at the same time
@@ -21,6 +26,9 @@
        # This was needed in order to be able to use all of the old users
        # during migration from knakelibrak to bicep in Sep. 2023
        secure_auth = 0;
        slow-query-log = 1;
        slow-query-log-file = "/var/log/mysql/mysql-slow.log";
      };
    };
@@ -36,20 +44,31 @@
    }];
  };
-  services.mysqlBackup = {
+  networking.firewall.allowedTCPPorts = lib.mkIf cfg.enable [ 3306 ];
-    enable = true;
+
-    location = "/var/lib/mysql/backups";
+  systemd.tmpfiles.settings."10-mysql".${dataDir}.d = lib.mkIf cfg.enable {
    inherit (cfg) user group;
    mode = "0700";
  };
-  networking.firewall.allowedTCPPorts = [ 3306 ];
+  systemd.services.mysql = lib.mkIf cfg.enable {
-
+    after = [
-  systemd.services.mysql.serviceConfig = {
+      "systemd-tmpfiles-setup.service"
-    IPAddressDeny = "any";
+      "systemd-tmpfiles-resetup.service"
    IPAddressAllow = [
      values.ipv4-space
      values.ipv6-space
      values.hosts.ildkule.ipv4
      values.hosts.ildkule.ipv6
    ];
    serviceConfig = {
      BindPaths = [ "${dataDir}:${cfg.dataDir}" ];
      LogsDirectory = "mysql";
      IPAddressDeny = "any";
      IPAddressAllow = [
        values.ipv4-space
        values.ipv6-space
        values.hosts.ildkule.ipv4
        values.hosts.ildkule.ipv6
      ];
    };
  };
 }
--- a/hosts/bicep/services/postgresql/backup.nix
+++ b/hosts/bicep/services/postgresql/backup.nix
@@ -0,0 +1,84 @@
 { config, lib, pkgs, values, ... }:
 let
  cfg = config.services.postgresql;
  backupDir = "/data/postgresql-backups";
 in
 {
  # services.postgresqlBackup = lib.mkIf cfg.enable {
  #   enable = true;
  #   location = "/var/lib/postgresql-backups";
  #   backupAll = true;
  # };
  systemd.tmpfiles.settings."10-postgresql-backups".${backupDir}.d = {
 	  user = "postgres";
 	  group = "postgres";
 	  mode = "700";
 	};
  services.rsync-pull-targets = lib.mkIf cfg.enable {
    enable = true;
    locations.${backupDir} = {
      user = "root";
      rrsyncArgs.ro = true;
      authorizedKeysAttrs = [
        "restrict"
        "from=\"principal.pvv.ntnu.no,${values.hosts.principal.ipv6},${values.hosts.principal.ipv4}\""
        "no-agent-forwarding"
        "no-port-forwarding"
        "no-pty"
        "no-X11-forwarding"
      ];
      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGvO7QX7QmwSiGLXEsaxPIOpAqnJP3M+qqQRe5dzf8gJ postgresql rsync backup";
    };
  };
  # NOTE: instead of having the upstream nixpkgs postgres backup unit trigger
  #       another unit, it was easier to just make one ourselves
  systemd.services."backup-postgresql" = {
    description = "Backup PostgreSQL data";
    requires = [ "postgresql.service" ];
    path = with pkgs; [
      coreutils
      zstd
      cfg.package
    ];
    script = let
      rotations = 2;
    in ''
      set -euo pipefail
      OUT_FILE="$STATE_DIRECTORY/postgresql-dump-$(date --iso-8601).sql.zst"
      pg_dumpall -U postgres | zstd --compress -9 --rsyncable -o "$OUT_FILE"
      # NOTE: this needs to be a hardlink for rrsync to allow sending it
      rm "$STATE_DIRECTORY/postgresql-dump-latest.sql.zst" ||:
      ln -T "$OUT_FILE" "$STATE_DIRECTORY/postgresql-dump-latest.sql.zst"
      while [ "$(find "$STATE_DIRECTORY" -type f -printf '.' | wc -c)" -gt "${toString (rotations + 1)}" ]; do
        rm "$(find "$STATE_DIRECTORY" -type f -printf '%T+ %p\n' | sort | head -n 1 | cut -d' ' -f2)"
      done
    '';
    serviceConfig = {
      Type = "oneshot";
      User = "postgres";
      Group = "postgres";
      UMask = "0077";
      Nice = 19;
      IOSchedulingClass = "best-effort";
      IOSchedulingPriority = 7;
      StateDirectory = [ "postgresql-backups" ];
      BindPaths = [ "${backupDir}:/var/lib/postgresql-backups" ];
      # TODO: hardening
    };
    startAt = "*-*-* 01:15:00";
  };
 }
--- a/hosts/bicep/services/postgresql/default.nix
+++ b/hosts/bicep/services/postgresql/default.nix
@@ -1,8 +1,13 @@
-{ config, pkgs, values, ... }:
+{ config, lib, pkgs, values, ... }:
 let
  cfg = config.services.postgresql;
 in
 {
  imports = [ ./backup.nix ];
  services.postgresql = {
    enable = true;
-    package = pkgs.postgresql_15;
+    package = pkgs.postgresql_18;
    enableTCPIP = true;
    authentication = ''
@@ -74,13 +79,13 @@
    };
  };
-  systemd.tmpfiles.settings."10-postgresql"."/data/postgresql".d = {
+  systemd.tmpfiles.settings."10-postgresql"."/data/postgresql".d = lib.mkIf cfg.enable {
    user = config.systemd.services.postgresql.serviceConfig.User;
    group = config.systemd.services.postgresql.serviceConfig.Group;
    mode = "0700";
  };
-  systemd.services.postgresql-setup = {
+  systemd.services.postgresql-setup = lib.mkIf cfg.enable {
    after = [
      "systemd-tmpfiles-setup.service"
      "systemd-tmpfiles-resetup.service"
@@ -95,7 +100,7 @@
    };
  };
-  systemd.services.postgresql = {
+  systemd.services.postgresql = lib.mkIf cfg.enable {
    after = [
      "systemd-tmpfiles-setup.service"
      "systemd-tmpfiles-resetup.service"
@@ -110,18 +115,12 @@
    };
  };
-  environment.snakeoil-certs."/etc/certs/postgres" = {
+  environment.snakeoil-certs."/etc/certs/postgres" = lib.mkIf cfg.enable {
    owner = "postgres";
    group = "postgres";
    subject = "/C=NO/O=Programvareverkstedet/CN=postgres.pvv.ntnu.no/emailAddress=drift@pvv.ntnu.no";
  };
-  networking.firewall.allowedTCPPorts = [ 5432 ];
+  networking.firewall.allowedTCPPorts = lib.mkIf cfg.enable [ 5432 ];
-  networking.firewall.allowedUDPPorts = [ 5432 ];
+  networking.firewall.allowedUDPPorts = lib.mkIf cfg.enable [ 5432 ];
  services.postgresqlBackup = {
    enable = true;
    location = "/var/lib/postgres/backups";
    backupAll = true;
  };
 }
--- a/hosts/bikkje/configuration.nix
+++ b/hosts/bikkje/configuration.nix
@@ -1,6 +1,6 @@
 { config, pkgs, values, ... }:
 {
-    networking.nat = {
+  networking.nat = {
    enable = true;
    internalInterfaces = ["ve-+"];
    externalInterface = "ens3";
@@ -25,6 +25,7 @@
      ];
      networking = {
        hostName = "bikkje";
        firewall = {
          enable = true;
          # Allow SSH and HTTP and ports for email and irc
@@ -36,9 +37,11 @@
        useHostResolvConf = mkForce false;
      };
      system.stateVersion = "23.11";
      services.resolved.enable = true;
      # Don't change (even during upgrades) unless you know what you are doing.
      # See https://search.nixos.org/options?show=system.stateVersion
      system.stateVersion = "23.11";
    };
  };
 };
--- a/hosts/brzeczyszczykiewicz/configuration.nix
+++ b/hosts/brzeczyszczykiewicz/configuration.nix
@@ -8,28 +8,14 @@
      ./services/grzegorz.nix
    ];
  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;
  networking.hostName = "brzeczyszczykiewicz";
  systemd.network.networks."30-eno1" = values.defaultNetworkConfig // {
    matchConfig.Name = "eno1";
    address = with values.hosts.brzeczyszczykiewicz; [ (ipv4 + "/25") (ipv6 + "/64") ];
  };
-  # List packages installed in system profile
+  fonts.fontconfig.enable = true;
  environment.systemPackages = with pkgs; [
  ];
  # List services that you want to enable:
  # This value determines the NixOS release from which the default
  # settings for stateful data, like file locations and database versions
  # on your system were taken. It‘s perfectly fine and recommended to leave
  # this value at the release version of the first install of this system.
  # Before changing this value read the documentation for this option
  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
  system.stateVersion = "23.05"; # Did you read the comment?
  # Don't change (even during upgrades) unless you know what you are doing.
  # See https://search.nixos.org/options?show=system.stateVersion
  system.stateVersion = "25.11";
 }
--- a/hosts/brzeczyszczykiewicz/hardware-configuration.nix
+++ b/hosts/brzeczyszczykiewicz/hardware-configuration.nix
@@ -1,4 +1,4 @@
-# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# Do not modify this file!  It was generated by 'nixos-generate-config'
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 { config, lib, pkgs, modulesPath, ... }:
--- a/hosts/georg/configuration.nix
+++ b/hosts/georg/configuration.nix
@@ -8,24 +8,11 @@
      (fp /modules/grzegorz.nix)
    ];
  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;
  networking.hostName = "georg";
  systemd.network.networks."30-eno1" = values.defaultNetworkConfig // {
    matchConfig.Name = "eno1";
    address = with values.hosts.georg; [ (ipv4 + "/25") (ipv6 + "/64") ];
  };
  # List packages installed in system profile
  environment.systemPackages = with pkgs; [
  ];
  # List services that you want to enable:
  services.spotifyd = {
    enable = true;
    settings.global = {
@@ -41,15 +28,9 @@
    5353 # spotifyd is its own mDNS service wtf
  ];
  fonts.fontconfig.enable = true;
-
+  # Don't change (even during upgrades) unless you know what you are doing.
-
+  # See https://search.nixos.org/options?show=system.stateVersion
-  # This value determines the NixOS release from which the default
+  system.stateVersion = "25.11";
  # settings for stateful data, like file locations and database versions
  # on your system were taken. It‘s perfectly fine and recommended to leave
  # this value at the release version of the first install of this system.
  # Before changing this value read the documentation for this option
  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
  system.stateVersion = "23.05"; # Did you read the comment?
 }
--- a/hosts/georg/hardware-configuration.nix
+++ b/hosts/georg/hardware-configuration.nix
@@ -1,4 +1,4 @@
-# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# Do not modify this file!  It was generated by 'nixos-generate-config'
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 { config, lib, pkgs, modulesPath, ... }:
--- a/hosts/gluttony/configuration.nix
+++ b/hosts/gluttony/configuration.nix
@@ -0,0 +1,60 @@
 {
  fp,
  lib,
  values,
  ...
 }:
 {
  imports = [
    ./hardware-configuration.nix
    (fp /base)
  ];
  systemd.network.enable = lib.mkForce false;
  boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
  boot.loader = {
    systemd-boot.enable = false; # no uefi support on this device
    grub.device = "/dev/sda";
    grub.enable = true;
  };
  boot.tmp.cleanOnBoot = true;
  networking =
    let
      hostConf = values.hosts.gluttony;
    in
    {
      tempAddresses = "disabled";
      useDHCP = false;
      search = values.defaultNetworkConfig.domains;
      nameservers = values.defaultNetworkConfig.dns;
      defaultGateway.address = hostConf.ipv4_internal_gw;
      interfaces."ens3" = {
        ipv4.addresses = [
          {
            address = hostConf.ipv4;
            prefixLength = 32;
          }
          {
            address = hostConf.ipv4_internal;
            prefixLength = 24;
          }
        ];
        ipv6.addresses = [
          {
            address = hostConf.ipv6;
            prefixLength = 64;
          }
        ];
      };
    };
  services.qemuGuest.enable = true;
  # Don't change (even during upgrades) unless you know what you are doing.
  # See https://search.nixos.org/options?show=system.stateVersion
  system.stateVersion = "25.11";
 }
--- a/hosts/gluttony/hardware-configuration.nix
+++ b/hosts/gluttony/hardware-configuration.nix
@@ -0,0 +1,50 @@
 # Do not modify this file!  It was generated by 'nixos-generate-config'
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 {
  config,
  lib,
  pkgs,
  modulesPath,
  ...
 }:
 {
  imports = [
    (modulesPath + "/profiles/qemu-guest.nix")
  ];
  boot.initrd.availableKernelModules = [
    "ata_piix"
    "uhci_hcd"
    "virtio_pci"
    "virtio_scsi"
    "sd_mod"
  ];
  boot.initrd.kernelModules = [ "dm-snapshot" ];
  boot.kernelModules = [ ];
  boot.extraModulePackages = [ ];
  fileSystems."/" = {
    device = "/dev/mapper/pool-root";
    fsType = "ext4";
  };
  fileSystems."/boot" = {
    device = "/dev/disk/by-uuid/933A-3005";
    fsType = "vfat";
    options = [
      "fmask=0077"
      "dmask=0077"
    ];
  };
  swapDevices = [
    {
      device = "/var/lib/swapfile";
      size = 8 * 1024;
    }
  ];
  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
 }
--- a/hosts/ildkule/configuration.nix
+++ b/hosts/ildkule/configuration.nix
@@ -7,13 +7,10 @@
      ./services/monitoring
      ./services/nginx
      ./services/journald-remote.nix
    ];
-  sops.defaultSopsFile = fp /secrets/ildkule/ildkule.yaml;
+  boot.loader.systemd-boot.enable = false;
  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
  sops.age.keyFile = "/var/lib/sops-nix/key.txt";
  sops.age.generateKey = true;
  boot.loader.grub.device = "/dev/vda";
  boot.tmp.cleanOnBoot = true;
  zramSwap.enable = true;
@@ -23,7 +20,6 @@
  networking = let
    hostConf = values.hosts.ildkule;
  in {
    hostName = "ildkule";
    tempAddresses = "disabled";
    useDHCP = lib.mkForce true;
@@ -42,13 +38,9 @@
    };
  };
-  # List packages installed in system profile
+  services.qemuGuest.enable = true;
  environment.systemPackages = with pkgs; [
  ];
  # No devices with SMART
  services.smartd.enable = false;
  system.stateVersion = "23.11"; # Did you read the comment?
  # Don't change (even during upgrades) unless you know what you are doing.
  # See https://search.nixos.org/options?show=system.stateVersion
  system.stateVersion = "23.11";
 }
--- a/hosts/ildkule/services/journald-remote.nix
+++ b/hosts/ildkule/services/journald-remote.nix
@@ -0,0 +1,58 @@
 { config, lib, values, ... }:
 let
  cfg = config.services.journald.remote;
  domainName = "journald.pvv.ntnu.no";
 in
 {
  security.acme.certs.${domainName} = {
    webroot = "/var/lib/acme/acme-challenge/";
    group = config.services.nginx.group;
  };
  services.nginx = {
    enable = true;
    virtualHosts.${domainName} = {
      forceSSL = true;
      useACMEHost = "${domainName}";
      locations."/.well-known/".root = "/var/lib/acme/acme-challenge/";
    };
  };
  services.journald.upload.enable = lib.mkForce false;
  services.journald.remote = {
    enable = true;
    settings.Remote = let
      inherit (config.security.acme.certs.${domainName}) directory;
    in {
      ServerKeyFile = "/run/credentials/systemd-journal-remote.service/key.pem";
      ServerCertificateFile = "/run/credentials/systemd-journal-remote.service/cert.pem";
      TrustedCertificateFile = "-";
    };
  };
  systemd.sockets."systemd-journal-remote" = {
    socketConfig = {
      IPAddressDeny = "any";
      IPAddressAllow = [
        "127.0.0.1"
        "::1"
        values.ipv4-space
        values.ipv6-space
      ];
    };
  };
  networking.firewall.allowedTCPPorts = [ cfg.port ];
  systemd.services."systemd-journal-remote" = {
    serviceConfig = {
      LoadCredential = let
        inherit (config.security.acme.certs.${domainName}) directory;
      in [
        "key.pem:${directory}/key.pem"
        "cert.pem:${directory}/cert.pem"
      ];
    };
  };
 }
--- a/hosts/ildkule/services/monitoring/dashboards/go-processes.json
+++ b/hosts/ildkule/services/monitoring/dashboards/go-processes.json
--- a/hosts/ildkule/services/monitoring/dashboards/mysql.json
+++ b/hosts/ildkule/services/monitoring/dashboards/mysql.json
@@ -13,7 +13,7 @@
    ]
  },
  "description": "",
-  "editable": true,
+  "editable": false,
  "gnetId": 11323,
  "graphTooltip": 1,
  "id": 31,
@@ -3690,7 +3690,7 @@
        },
        "hide": 0,
        "includeAll": false,
-        "label": "Data Source",
+        "label": "Data source",
        "multi": false,
        "name": "datasource",
        "options": [],
@@ -3713,12 +3713,12 @@
        "definition": "label_values(mysql_up, job)",
        "hide": 0,
        "includeAll": true,
-        "label": "job",
+        "label": "Job",
        "multi": true,
        "name": "job",
        "options": [],
        "query": "label_values(mysql_up, job)",
-        "refresh": 1,
+        "refresh": 2,
        "regex": "",
        "skipUrlSync": false,
        "sort": 0,
@@ -3742,12 +3742,12 @@
        "definition": "label_values(mysql_up, instance)",
        "hide": 0,
        "includeAll": true,
-        "label": "instance",
+        "label": "Instance",
        "multi": true,
        "name": "instance",
        "options": [],
        "query": "label_values(mysql_up, instance)",
-        "refresh": 1,
+        "refresh": 2,
        "regex": "",
        "skipUrlSync": false,
        "sort": 0,
--- a/hosts/ildkule/services/monitoring/dashboards/node-exporter-full.json
+++ b/hosts/ildkule/services/monitoring/dashboards/node-exporter-full.json
--- a/hosts/ildkule/services/monitoring/dashboards/postgres.json
+++ b/hosts/ildkule/services/monitoring/dashboards/postgres.json
@@ -328,7 +328,7 @@
        "rgba(50, 172, 45, 0.97)"
      ],
      "datasource": "${DS_PROMETHEUS}",
-      "format": "decbytes",
+      "format": "short",
      "gauge": {
        "maxValue": 100,
        "minValue": 0,
@@ -411,7 +411,7 @@
        "rgba(50, 172, 45, 0.97)"
      ],
      "datasource": "${DS_PROMETHEUS}",
-      "format": "decbytes",
+      "format": "short",
      "gauge": {
        "maxValue": 100,
        "minValue": 0,
@@ -1410,7 +1410,7 @@
      "tableColumn": "",
      "targets": [
        {
-          "expr": "pg_settings_seq_page_cost",
+          "expr": "pg_settings_seq_page_cost{instance=\"$instance\"}",
          "format": "time_series",
          "intervalFactor": 1,
          "refId": "A"
@@ -1872,7 +1872,7 @@
      },
      "yaxes": [
        {
-          "format": "bytes",
+          "format": "short",
          "label": null,
          "logBase": 1,
          "max": null,
@@ -1966,7 +1966,7 @@
      },
      "yaxes": [
        {
-          "format": "bytes",
+          "format": "short",
          "label": null,
          "logBase": 1,
          "max": null,
@@ -2060,7 +2060,7 @@
      },
      "yaxes": [
        {
-          "format": "bytes",
+          "format": "short",
          "label": null,
          "logBase": 1,
          "max": null,
@@ -2251,7 +2251,7 @@
      },
      "yaxes": [
        {
-          "format": "bytes",
+          "format": "short",
          "label": null,
          "logBase": 1,
          "max": null,
@@ -2439,7 +2439,7 @@
      },
      "yaxes": [
        {
-          "format": "bytes",
+          "format": "short",
          "label": null,
          "logBase": 1,
          "max": null,
@@ -2589,35 +2589,35 @@
      "steppedLine": false,
      "targets": [
        {
-          "expr": "irate(pg_stat_bgwriter_buffers_backend{instance=\"$instance\"}[5m])",
+          "expr": "irate(pg_stat_bgwriter_buffers_backend_total{instance=\"$instance\"}[5m])",
          "format": "time_series",
          "intervalFactor": 1,
          "legendFormat": "buffers_backend",
          "refId": "A"
        },
        {
-          "expr": "irate(pg_stat_bgwriter_buffers_alloc{instance=\"$instance\"}[5m])",
+          "expr": "irate(pg_stat_bgwriter_buffers_alloc_total{instance=\"$instance\"}[5m])",
          "format": "time_series",
          "intervalFactor": 1,
          "legendFormat": "buffers_alloc",
          "refId": "B"
        },
        {
-          "expr": "irate(pg_stat_bgwriter_buffers_backend_fsync{instance=\"$instance\"}[5m])",
+          "expr": "irate(pg_stat_bgwriter_buffers_backend_fsync_total{instance=\"$instance\"}[5m])",
          "format": "time_series",
          "intervalFactor": 1,
          "legendFormat": "backend_fsync",
          "refId": "C"
        },
        {
-          "expr": "irate(pg_stat_bgwriter_buffers_checkpoint{instance=\"$instance\"}[5m])",
+          "expr": "irate(pg_stat_bgwriter_buffers_checkpoint_total{instance=\"$instance\"}[5m])",
          "format": "time_series",
          "intervalFactor": 1,
          "legendFormat": "buffers_checkpoint",
          "refId": "D"
        },
        {
-          "expr": "irate(pg_stat_bgwriter_buffers_clean{instance=\"$instance\"}[5m])",
+          "expr": "irate(pg_stat_bgwriter_buffers_clean_total{instance=\"$instance\"}[5m])",
          "format": "time_series",
          "intervalFactor": 1,
          "legendFormat": "buffers_clean",
@@ -2886,14 +2886,14 @@
      "steppedLine": false,
      "targets": [
        {
-          "expr": "irate(pg_stat_bgwriter_checkpoint_write_time{instance=\"$instance\"}[5m])",
+          "expr": "irate(pg_stat_bgwriter_checkpoint_write_time_total{instance=\"$instance\"}[5m])",
          "format": "time_series",
          "intervalFactor": 1,
          "legendFormat": "write_time - Total amount of time that has been spent in the portion of checkpoint processing where files are written to disk.",
          "refId": "B"
        },
        {
-          "expr": "irate(pg_stat_bgwriter_checkpoint_sync_time{instance=\"$instance\"}[5m])",
+          "expr": "irate(pg_stat_bgwriter_checkpoint_sync_time_total{instance=\"$instance\"}[5m])",
          "format": "time_series",
          "intervalFactor": 1,
          "legendFormat": "sync_time - Total amount of time that has been spent in the portion of checkpoint processing where files are synchronized to disk.",
@@ -3164,4 +3164,4 @@
  "title": "PostgreSQL Database",
  "uid": "000000039",
  "version": 1
-}
+}
--- a/hosts/ildkule/services/monitoring/dashboards/synapse.json
+++ b/hosts/ildkule/services/monitoring/dashboards/synapse.json
--- a/hosts/ildkule/services/monitoring/grafana.nix
+++ b/hosts/ildkule/services/monitoring/grafana.nix
@@ -47,13 +47,13 @@ in {
        {
          name = "Node Exporter Full";
          type = "file";
-          url = "https://grafana.com/api/dashboards/1860/revisions/29/download";
+          url = "https://grafana.com/api/dashboards/1860/revisions/42/download";
          options.path = dashboards/node-exporter-full.json;
        }
        {
          name = "Matrix Synapse";
          type = "file";
-          url = "https://raw.githubusercontent.com/matrix-org/synapse/develop/contrib/grafana/synapse.json";
+          url = "https://github.com/element-hq/synapse/raw/refs/heads/develop/contrib/grafana/synapse.json";
          options.path = dashboards/synapse.json;
        }
        {
@@ -65,15 +65,9 @@ in {
        {
          name = "Postgresql";
          type = "file";
-          url = "https://grafana.com/api/dashboards/9628/revisions/7/download";
+          url = "https://grafana.com/api/dashboards/9628/revisions/8/download";
          options.path = dashboards/postgres.json;
        }
        {
          name = "Go Processes (gogs)";
          type = "file";
          url = "https://grafana.com/api/dashboards/240/revisions/3/download";
          options.path = dashboards/go-processes.json;
        }
        {
          name = "Gitea Dashboard";
          type = "file";
--- a/hosts/ildkule/services/monitoring/prometheus/machines.nix
+++ b/hosts/ildkule/services/monitoring/prometheus/machines.nix
@@ -19,15 +19,18 @@ in {
      (mkHostScrapeConfig "bicep" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
      (mkHostScrapeConfig "brzeczyszczykiewicz" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
      (mkHostScrapeConfig "georg" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
      (mkHostScrapeConfig "gluttony" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
      (mkHostScrapeConfig "kommode" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
      (mkHostScrapeConfig "ustetind" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
      (mkHostScrapeConfig "wenche" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
      (mkHostScrapeConfig "lupine-1" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
-      # (mkHostScrapeConfig "lupine-2" [ defaultNodeExporterPort defaultSystemdExporterPort ])
+      (mkHostScrapeConfig "lupine-2" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
      (mkHostScrapeConfig "lupine-3" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
      (mkHostScrapeConfig "lupine-4" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
      (mkHostScrapeConfig "lupine-5" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
      (mkHostScrapeConfig "temmie" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
      (mkHostScrapeConfig "ustetind" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
      (mkHostScrapeConfig "wenche" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
      (mkHostScrapeConfig "skrott" [ defaultNodeExporterPort defaultSystemdExporterPort ])
      (mkHostScrapeConfig "hildring" [ defaultNodeExporterPort ])
      (mkHostScrapeConfig "isvegg" [ defaultNodeExporterPort ])
--- a/hosts/kommode/configuration.nix
+++ b/hosts/kommode/configuration.nix
@@ -4,21 +4,12 @@
    # Include the results of the hardware scan.
    ./hardware-configuration.nix
    (fp /base)
    ./disks.nix
    ./services/gitea
    ./services/nginx.nix
  ];
  sops.defaultSopsFile = fp /secrets/kommode/kommode.yaml;
  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
  sops.age.keyFile = "/var/lib/sops-nix/key.txt";
  sops.age.generateKey = true;
  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;
  networking.hostName = "kommode"; # Define your hostname.
  systemd.network.networks."30-ens18" = values.defaultNetworkConfig // {
    matchConfig.Name = "ens18";
    address = with values.hosts.kommode; [ (ipv4 + "/25") (ipv6 + "/64") ];
@@ -26,7 +17,9 @@
  services.btrfs.autoScrub.enable = true;
-  environment.systemPackages = with pkgs; [];
+  services.qemuGuest.enable = true;
  # Don't change (even during upgrades) unless you know what you are doing.
  # See https://search.nixos.org/options?show=system.stateVersion
  system.stateVersion = "24.11";
 }
--- a/hosts/kommode/disks.nix
+++ b/hosts/kommode/disks.nix
@@ -0,0 +1,80 @@
 { lib, ... }:
 {
  disko.devices = {
    disk = {
      sda = {
        type = "disk";
        device = "/dev/sda";
        content = {
          type = "gpt";
          partitions = {
            root = {
              name = "root";
              label = "root";
              start = "1MiB";
              end = "-5G";
              content = {
                type = "btrfs";
                extraArgs = [ "-f" ]; # Override existing partition
                # subvolumes = let
                #   makeSnapshottable = subvolPath: mountOptions: let
                #     name = lib.replaceString "/" "-" subvolPath;
                #   in {
                #     "@${name}/active" = {
                #       mountpoint = subvolPath;
                #       inherit mountOptions;
                #     };
                #     "@${name}/snapshots" = {
                #       mountpoint = "${subvolPath}/.snapshots";
                #       inherit mountOptions;
                #     };
                #   };
                # in {
                #   "@" = { };
                #   "@/swap" = {
                #     mountpoint = "/.swapvol";
                #     swap.swapfile.size = "4G";
                #   };
                #   "@/root" = {
                #     mountpoint = "/";
                #     mountOptions = [ "compress=zstd" "noatime" ];
                #   };
                # }
                # // (makeSnapshottable "/home" [ "compress=zstd" "noatime" ])
                # // (makeSnapshottable "/nix" [ "compress=zstd" "noatime" ])
                # // (makeSnapshottable "/var/lib" [ "compress=zstd" "noatime" ])
                # // (makeSnapshottable "/var/log" [ "compress=zstd" "noatime" ])
                # // (makeSnapshottable "/var/cache" [ "compress=zstd" "noatime" ]);
                # swap.swapfile.size = "4G";
                mountpoint = "/";
              };
            };
            swap = {
              name = "swap";
              label = "swap";
              start = "-5G";
              end = "-1G";
              content.type = "swap";
            };
            ESP = {
              name = "ESP";
              label = "ESP";
              start = "-1G";
              end = "100%";
              type = "EF00";
              content = {
                type = "filesystem";
                format = "vfat";
                mountpoint = "/boot";
                mountOptions = [ "umask=0077" ];
              };
            };
          };
        };
      };
    };
  };
 }
--- a/hosts/kommode/hardware-configuration.nix
+++ b/hosts/kommode/hardware-configuration.nix
@@ -1,4 +1,4 @@
-# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# Do not modify this file!  It was generated by 'nixos-generate-config'
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 { config, lib, pkgs, modulesPath, ... }:
@@ -13,21 +13,6 @@
  boot.kernelModules = [ ];
  boot.extraModulePackages = [ ];
  fileSystems."/" =
    { device = "/dev/disk/by-uuid/d421538f-a260-44ae-8e03-47cac369dcc1";
      fsType = "btrfs";
    };
  fileSystems."/boot" =
    { device = "/dev/disk/by-uuid/86CD-4C23";
      fsType = "vfat";
      options = [ "fmask=0077" "dmask=0077" ];
    };
  swapDevices =
    [ { device = "/dev/disk/by-uuid/4cfbb41e-801f-40dd-8c58-0a0c1a6025f6"; }
    ];
  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
  # (the default) this is the recommended approach. When using systemd-networkd it's
  # still possible to use this option, but it's recommended to use it in conjunction
--- a/hosts/kommode/services/gitea/customization/default.nix
+++ b/hosts/kommode/services/gitea/customization/default.nix
@@ -50,14 +50,14 @@ in
        sed -i -e 's/24/60/g' "$out/repo/icon.tmpl"
      '';
    in ''
-      install -Dm444 ${logo-svg} ${cfg.customDir}/public/assets/img/logo.svg
+      install -Dm444 ${logo-svg} "${cfg.customDir}/public/assets/img/logo.svg"
-      install -Dm444 ${logo-png} ${cfg.customDir}/public/assets/img/logo.png
+      install -Dm444 ${logo-png} "${cfg.customDir}/public/assets/img/logo.png"
-      install -Dm444 ${./loading.apng} ${cfg.customDir}/public/assets/img/loading.png
+      install -Dm444 ${./loading.apng} "${cfg.customDir}/public/assets/img/loading.png"
-      install -Dm444 ${extraLinks} ${cfg.customDir}/templates/custom/extra_links.tmpl
+      install -Dm444 ${extraLinks} "${cfg.customDir}/templates/custom/extra_links.tmpl"
-      install -Dm444 ${extraLinksFooter} ${cfg.customDir}/templates/custom/extra_links_footer.tmpl
+      install -Dm444 ${extraLinksFooter} "${cfg.customDir}/templates/custom/extra_links_footer.tmpl"
-      install -Dm444 ${project-labels} ${cfg.customDir}/options/label/project-labels.yaml
+      install -Dm444 ${project-labels} "${cfg.customDir}/options/label/project-labels.yaml"
-      "${lib.getExe pkgs.rsync}" -a "${customTemplates}/" ${cfg.customDir}/templates/
+      "${lib.getExe pkgs.rsync}" -a "${customTemplates}/" "${cfg.customDir}/templates/"
    '';
  };
 }
--- a/hosts/kommode/services/gitea/customization/labels/projects.json
+++ b/hosts/kommode/services/gitea/customization/labels/projects.json
@@ -35,6 +35,12 @@
    "color": "#ed1111",
    "description": "Report an oopsie"
  },
  {
    "name": "developer experience",
    "exclusive": false,
    "color": "#eb6420",
    "description": "Think about the developers"
  },
  {
    "name": "disputed",
    "exclusive": false,
--- a/hosts/kommode/services/gitea/default.nix
+++ b/hosts/kommode/services/gitea/default.nix
@@ -195,6 +195,23 @@ in {
  networking.firewall.allowedTCPPorts = [ sshPort ];
  services.rsync-pull-targets = {
    enable = true;
    locations.${cfg.dump.backupDir} = {
      user = "root";
      rrsyncArgs.ro = true;
      authorizedKeysAttrs = [
        "restrict"
        "from=\"principal.pvv.ntnu.no,${values.hosts.principal.ipv6},${values.hosts.principal.ipv4}\""
        "no-agent-forwarding"
        "no-port-forwarding"
        "no-pty"
        "no-X11-forwarding"
      ];
      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGpMVrOppyqYaDiAhqmAuOaRsubFvcQGBGyz+NHB6+0o gitea rsync backup";
    };
  };
  systemd.services.gitea-dump = {
    serviceConfig.ExecStart = let
      args = lib.cli.toGNUCommandLineShell { } {
--- a/hosts/kommode/services/gitea/web-secret-provider/default.nix
+++ b/hosts/kommode/services/gitea/web-secret-provider/default.nix
@@ -28,7 +28,7 @@ in
  users.users."gitea-web" = {
    group = "gitea-web";
    isSystemUser = true;
-    shell = pkgs.bash;
+    useDefaultShell = true;
  };
  sops.secrets."gitea/web-secret-provider/token" = {
--- a/hosts/lupine/configuration.nix
+++ b/hosts/lupine/configuration.nix
@@ -9,12 +9,6 @@
  ];
  sops.defaultSopsFile = fp /secrets/lupine/lupine.yaml;
  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
  sops.age.keyFile = "/var/lib/sops-nix/key.txt";
  sops.age.generateKey = true;
  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;
  systemd.network.networks."30-enp0s31f6" = values.defaultNetworkConfig // {
    matchConfig.Name = "enp0s31f6";
@@ -28,7 +22,7 @@
  # There are no smart devices
  services.smartd.enable = false;
-  # Do not change, even during upgrades.
+  # Don't change (even during upgrades) unless you know what you are doing.
  # See https://search.nixos.org/options?show=system.stateVersion
  system.stateVersion = "25.05";
 }
--- a/hosts/lupine/hardware-configuration/lupine-1.nix
+++ b/hosts/lupine/hardware-configuration/lupine-1.nix
@@ -1,4 +1,4 @@
-# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# Do not modify this file!  It was generated by 'nixos-generate-config'
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 { config, lib, pkgs, modulesPath, ... }:
--- a/hosts/lupine/hardware-configuration/lupine-2.nix
+++ b/hosts/lupine/hardware-configuration/lupine-2.nix
@@ -1,4 +1,4 @@
-# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# Do not modify this file!  It was generated by 'nixos-generate-config'
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 { config, lib, pkgs, modulesPath, ... }:
--- a/hosts/lupine/hardware-configuration/lupine-3.nix
+++ b/hosts/lupine/hardware-configuration/lupine-3.nix
@@ -1,4 +1,4 @@
-# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# Do not modify this file!  It was generated by 'nixos-generate-config'
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 { config, lib, pkgs, modulesPath, ... }:
--- a/hosts/lupine/hardware-configuration/lupine-4.nix
+++ b/hosts/lupine/hardware-configuration/lupine-4.nix
@@ -1,4 +1,4 @@
-# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# Do not modify this file!  It was generated by 'nixos-generate-config'
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 { config, lib, pkgs, modulesPath, ... }:
--- a/hosts/lupine/hardware-configuration/lupine-5.nix
+++ b/hosts/lupine/hardware-configuration/lupine-5.nix
@@ -1,4 +1,4 @@
-# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# Do not modify this file!  It was generated by 'nixos-generate-config'
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 { config, lib, pkgs, modulesPath, ... }:
--- a/hosts/shark/configuration.nix
+++ b/hosts/shark/configuration.nix
@@ -6,33 +6,14 @@
      (fp /base)
    ];
  sops.defaultSopsFile = fp /secrets/shark/shark.yaml;
  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
  sops.age.keyFile = "/var/lib/sops-nix/key.txt";
  sops.age.generateKey = true;
  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;
  networking.hostName = "shark"; # Define your hostname.
  systemd.network.networks."30-ens18" = values.defaultNetworkConfig // {
    matchConfig.Name = "ens18";
    address = with values.hosts.shark; [ (ipv4 + "/25") (ipv6 + "/64") ];
  };
-  # List packages installed in system profile
+  services.qemuGuest.enable = true;
  environment.systemPackages = with pkgs; [
  ];
  # List services that you want to enable:
  # This value determines the NixOS release from which the default
  # settings for stateful data, like file locations and database versions
  # on your system were taken. It‘s perfectly fine and recommended to leave
  # this value at the release version of the first install of this system.
  # Before changing this value read the documentation for this option
  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
  system.stateVersion = "23.05"; # Did you read the comment?
  # Don't change (even during upgrades) unless you know what you are doing.
  # See https://search.nixos.org/options?show=system.stateVersion
  system.stateVersion = "25.11";
 }
--- a/hosts/shark/hardware-configuration.nix
+++ b/hosts/shark/hardware-configuration.nix
@@ -1,4 +1,4 @@
-# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# Do not modify this file!  It was generated by 'nixos-generate-config'
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 { config, lib, pkgs, modulesPath, ... }:
--- a/hosts/skrott/configuration.nix
+++ b/hosts/skrott/configuration.nix
@@ -1,41 +1,75 @@
-{ pkgs, lib, fp, ... }: {
+{ config, pkgs, lib, modulesPath, fp, values, ... }: {
  imports = [
-    # ./hardware-configuration.nix
+    (modulesPath + "/profiles/perlless.nix")
    (fp /base)
  ];
  # Disable import of a bunch of tools we don't need from nixpkgs.
  disabledModules = [ "profiles/base.nix" ];
  sops.defaultSopsFile = fp /secrets/skrott/skrott.yaml;
  boot = {
    consoleLogLevel = 0;
    enableContainers = false;
    loader.grub.enable = false;
    loader.systemd-boot.enable = false;
    kernelPackages = pkgs.linuxPackages;
  };
  hardware = {
    enableAllHardware = lib.mkForce false;
    firmware = [ pkgs.raspberrypiWirelessFirmware ];
  };
  # Now turn off a bunch of stuff lol
  # TODO: can we reduce further?
  # See also https://nixcademy.com/posts/minimizing-nixos-images/
  system.autoUpgrade.enable = lib.mkForce false;
  services.irqbalance.enable = lib.mkForce false;
  services.logrotate.enable = lib.mkForce false;
  services.nginx.enable = lib.mkForce false;
  services.postfix.enable = lib.mkForce false;
  services.smartd.enable = lib.mkForce false;
  services.udisks2.enable = lib.mkForce false;
  services.thermald.enable = lib.mkForce false;
  services.promtail.enable = lib.mkForce false;
  # There aren't really that many firmware updates for rbpi3 anyway
  services.fwupd.enable = lib.mkForce false;
-  # TODO: can we reduce further?
+  documentation.enable = lib.mkForce false;
-  system.stateVersion = "25.05";
+  environment.enableAllTerminfo = lib.mkForce false;
-  # sops.defaultSopsFile = fp /secrets/skrott/skrott.yaml;
+  programs.neovim.enable = lib.mkForce false;
-  # sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+  programs.zsh.enable = lib.mkForce false;
-  # sops.age.keyFile = "/var/lib/sops-nix/key.txt";
+  programs.git.package = pkgs.gitMinimal;
-  # sops.age.generateKey = true;
+
  nix.registry = lib.mkForce { };
  nix.nixPath = lib.mkForce [ ];
  sops.secrets = {
    "dibbler/postgresql/password" = {
      owner = "dibbler";
      group = "dibbler";
    };
  };
  # zramSwap.enable = true;
  networking = {
    hostName = "skrot";
    defaultGateway = values.hosts.gateway;
    defaultGateway6 = values.hosts.gateway6;
    interfaces.eth0 = {
      useDHCP = false;
      ipv4.addresses = [{
-        address = "129.241.210.235";
+        address = values.hosts.skrott.ipv4;
        prefixLength = 25;
      }];
      ipv6.addresses = [{
        address = values.hosts.skrott.ipv6;
        prefixLength = 25;
      }];
    };
@@ -46,16 +80,33 @@
    kioskMode = true;
    limitScreenWidth = 80;
    limitScreenHeight = 42;
    settings = {
      general.quit_allowed = false;
      database = {
        type = "postgresql";
        postgresql = {
          username = "pvv_vv";
          dbname = "pvv_vv";
          host = "postgres.pvv.ntnu.no";
          password_file = config.sops.secrets."dibbler/postgresql/password".path;
        };
      };
    };
  };
  # https://github.com/NixOS/nixpkgs/issues/84105
-  boot.kernelParams = [
+  boot.kernelParams = lib.mkIf (!config.virtualisation.isVmVariant) [
    "console=ttyUSB0,9600"
    # "console=tty1" # Already part of the module
  ];
-  systemd.services."serial-getty@ttyUSB0" = {
+  systemd.services."serial-getty@ttyUSB0" = lib.mkIf (!config.virtualisation.isVmVariant) {
    enable = true;
    wantedBy = [ "getty.target" ]; # to start at boot
    serviceConfig.Restart = "always"; # restart when session is closed
  };
  # Don't change (even during upgrades) unless you know what you are doing.
  # See https://search.nixos.org/options?show=system.stateVersion
  system.stateVersion = "25.11";
 }
--- a/hosts/temmie/configuration.nix
+++ b/hosts/temmie/configuration.nix
@@ -0,0 +1,24 @@
 { config, fp, pkgs, values, ... }:
 {
  imports = [
    # Include the results of the hardware scan.
    ./hardware-configuration.nix
    (fp /base)
    ./services/nfs-mounts.nix
    ./services/userweb.nix
  ];
  systemd.network.networks."30-ens18" = values.defaultNetworkConfig // {
    matchConfig.Name = "ens18";
    address = with values.hosts.temmie; [ (ipv4 + "/25") (ipv6 + "/64") ];
  };
  services.nginx.enable = false;
  services.qemuGuest.enable = true;
  # Don't change (even during upgrades) unless you know what you are doing.
  # See https://search.nixos.org/options?show=system.stateVersion
  system.stateVersion = "25.11";
 }
--- a/hosts/temmie/hardware-configuration.nix
+++ b/hosts/temmie/hardware-configuration.nix
@@ -0,0 +1,30 @@
 # Do not modify this file!  It was generated by 'nixos-generate-config'
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 { config, lib, pkgs, modulesPath, ... }:
 {
  imports =
    [ (modulesPath + "/profiles/qemu-guest.nix")
    ];
  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ ];
  boot.extraModulePackages = [ ];
  fileSystems."/" =
    { device = "/dev/disk/by-uuid/c3aed415-0054-4ac5-8d29-75a99cc26451";
      fsType = "btrfs";
    };
  fileSystems."/boot" =
    { device = "/dev/disk/by-uuid/A367-83FD";
      fsType = "vfat";
      options = [ "fmask=0022" "dmask=0022" ];
    };
  swapDevices = [ ];
  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
 }
--- a/hosts/temmie/services/nfs-mounts.nix
+++ b/hosts/temmie/services/nfs-mounts.nix
@@ -0,0 +1,57 @@
 { lib, values, ... }:
 let
  # See microbel:/etc/exports
  letters = [ "a" "b" "c" "d" "h" "i" "j" "k" "l" "m" "z" ];
 in
 {
  systemd.targets."pvv-homedirs" = {
    description = "PVV Homedir Partitions";
  };
  systemd.mounts = map (l: {
    description = "PVV Homedir Partition ${l}";
    before = [ "remote-fs.target" ];
    wantedBy = [ "multi-user.target" ];
    requiredBy = [ "pvv-homedirs.target" ];
    type = "nfs";
    what = "homepvv${l}.pvv.ntnu.no:/export/home/pvv/${l}";
    where = "/run/pvv-home-mounts/${l}";
    options = lib.concatStringsSep "," [
      "nfsvers=3"
      # NOTE: this is a bit unfortunate. The address above seems to resolve to IPv6 sometimes,
      #       and it doesn't seem possible to specify proto=tcp,tcp6, meaning we have to tell
      #       NFS which exact address to use here, despite it being specified in the `what` attr :\
      "proto=tcp"
      "addr=${values.hosts.microbel.ipv4}"
      "mountproto=tcp"
      "mounthost=${values.hosts.microbel.ipv4}"
      "port=2049"
      # NOTE: this is yet more unfortunate. When enabling locking, it will sometimes complain about connection failed.
      #       dmesg(1) reveals that it has something to do with registering the lockdv1 RPC service (errno: 111), not
      #       quite sure how to fix it. Living life on dangerous mode for now.
      "nolock"
      # Don't wait on every read/write
      "async"
      # Always keep mounted
      "noauto"
      # We don't want to update access time constantly
      "noatime"
      # No SUID/SGID, no special devices
      "nosuid"
      "nodev"
      # TODO: are there cgi scripts that modify stuff in peoples homedirs?
      # "ro"
      "rw"
    ];
  }) letters;
 }
--- a/hosts/temmie/services/userweb.nix
+++ b/hosts/temmie/services/userweb.nix
@@ -0,0 +1,344 @@
 { config, lib, pkgs, ... }:
 let
  cfg = config.services.httpd;
  homeLetters = [ "a" "b" "c" "d" "h" "i" "j" "k" "l" "m" "z" ];
  # https://nixos.org/manual/nixpkgs/stable/#ssec-php-user-guide-installing-with-extensions
  phpEnv = pkgs.php.buildEnv {
    extensions = { all, ... }: with all; [
      imagick
      opcache
      protobuf
    ];
    extraConfig = ''
      display_errors=0
      post_max_size = 40M
      upload_max_filesize = 40M
    '';
  };
  perlEnv = pkgs.perl.withPackages (ps: with ps; [
    pkgs.exiftool
    pkgs.ikiwiki
    pkgs.irssi
    pkgs.nix.libs.nix-perl-bindings
    AlgorithmDiff
    AnyEvent
    AnyEventI3
    ArchiveZip
    CGI
    CPAN
    CPANPLUS
    DBDPg
    DBDSQLite
    DBI
    EmailAddress
    EmailSimple
    Env
    Git
    HTMLMason
    HTMLParser
    HTMLTagset
    HTTPDAV
    HTTPDaemon
    ImageMagick
    JSON
    LWP
    MozillaCA
    PathTiny
    Switch
    SysSyslog
    TestPostgreSQL
    TextPDF
    TieFile
    Tk
    URI
    XMLLibXML
  ]);
  # https://nixos.org/manual/nixpkgs/stable/#python.buildenv-function
  pythonEnv = pkgs.python3.buildEnv.override {
    extraLibs = with pkgs.python3Packages; [
      legacy-cgi
      matplotlib
      requests
    ];
    ignoreCollisions = true;
  };
  # https://nixos.org/manual/nixpkgs/stable/#sec-building-environment
  fhsEnv = pkgs.buildEnv {
    name = "userweb-env";
    paths = with pkgs; [
      bash
      perlEnv
      pythonEnv
      phpEnv
    ]
    ++ (with phpEnv.packages; [
      # composer
    ])
    ++ [
      acl
      aspell
      autoconf
      autotrash
      bazel
      bintools
      bison
      bsd-finger
      catdoc
      ccache
      clang
      cmake
      coreutils-full
      curl
      devcontainer
      diffutils
      emacs
      # exiftags
      exiftool
      ffmpeg
      file
      findutils
      gawk
      gcc
      glibc
      gnugrep
      gnumake
      gnupg
      gnuplot
      gnused
      gnutar
      gzip
      html-tidy
      imagemagick
      inetutils
      iproute2
      jhead
      less
      libgcc
      lndir
      mailutils
      man # TODO: does this one want a mandb instance?
      meson
      more
      mpc
      mpi
      mplayer
      ninja
      nix
      openssh
      openssl
      patchelf
      pkg-config
      ppp
      procmail
      procps
      qemu
      rc
      rhash
      rsync
      ruby # TODO: does this one want systemwide packages?
      salt
      sccache
      sourceHighlight
      spamassassin
      strace
      subversion
      system-sendmail
      systemdMinimal
      texliveMedium
      tmux
      unzip
      util-linux
      valgrind
      vim
      wget
      which
      wine
      xdg-utils
      zip
      zstd
    ];
    extraOutputsToInstall = [
      "man"
      "doc"
    ];
  };
 in
 {
  services.httpd = {
    enable = true;
    adminAddr = "drift@pvv.ntnu.no";
    # TODO: consider upstreaming systemd support
    # TODO: mod_log_journald in v2.5
    package = pkgs.apacheHttpd.overrideAttrs (prev: {
      nativeBuildInputs = prev.nativeBuildInputs ++ [ pkgs.pkg-config ];
      buildInputs = prev.buildInputs ++ [ pkgs.systemdLibs ];
      configureFlags = prev.configureFlags ++ [ "--enable-systemd" ];
    });
    enablePHP = true;
    phpPackage = phpEnv;
    enablePerl = true;
    # TODO: mod_log_journald in v2.5
    extraModules = [
      "systemd"
      "userdir"
      # TODO: I think the compilation steps of pkgs.apacheHttpdPackages.mod_perl might have some
      #       incorrect or restrictive assumptions upstream, either nixpkgs or source
      # {
      #   name = "perl";
      #   path = let
      #     mod_perl = pkgs.apacheHttpdPackages.mod_perl.override {
      #       apacheHttpd = cfg.package.out;
      #       perl = perlEnv;
      #     };
      #   in "${mod_perl}/modules/mod_perl.so";
      # }
    ];
    extraConfig = ''
      TraceEnable on
      LogLevel warn rewrite:trace3
      ScriptLog ${cfg.logDir}/cgi.log
    '';
    # virtualHosts."userweb.pvv.ntnu.no" = {
    virtualHosts."temmie.pvv.ntnu.no" = {
      forceSSL = true;
      enableACME = true;
      extraConfig = ''
        UserDir ${lib.concatMapStringsSep " " (l: "/home/pvv/${l}/*/web-docs") homeLetters}
        UserDir disabled root
        AddHandler cgi-script .cgi
        DirectoryIndex index.html index.html.var index.php index.php3 index.cgi index.phtml index.shtml meg.html
        <Directory "/home/pvv/?/*/web-docs">
          Options MultiViews Indexes SymLinksIfOwnerMatch ExecCGI IncludesNoExec
          AllowOverride All
          Require all granted
        </Directory>
      '';
    };
  };
  networking.firewall.allowedTCPPorts = [
    80
    443
  ];
  # socket activation comes in v2.5
  # systemd.sockets.httpd = {
  #   wantedBy = [ "sockets.target" ];
  #   description = "HTTPD socket";
  #   listenStreams = [
  #     "0.0.0.0:80"
  #     "0.0.0.0:443"
  #   ];
  # };
  systemd.services.httpd = {
    after = [ "pvv-homedirs.target" ];
    requires = [ "pvv-homedirs.target" ];
    environment = {
      PATH = lib.mkForce "/usr/bin";
    };
    serviceConfig = {
      Type = lib.mkForce "notify";
      ExecStart = lib.mkForce "${cfg.package}/bin/httpd -D FOREGROUND -f /etc/httpd/httpd.conf -k start";
      ExecReload = lib.mkForce "${cfg.package}/bin/httpd -f /etc/httpd/httpd.conf -k graceful";
      ExecStop = lib.mkForce "";
      KillMode = "mixed";
      ConfigurationDirectory = [ "httpd" ];
      LogsDirectory = [ "httpd" ];
      LogsDirectoryMode = "0700";
      CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
      LockPersonality = true;
      PrivateDevices = true;
      PrivateTmp = true;
      # NOTE: this removes CAP_NET_BIND_SERVICE...
      # PrivateUsers = true;
      ProtectClock = true;
      ProtectControlGroups = true;
      ProtectHome = "tmpfs";
      ProtectKernelLogs = true;
      ProtectKernelModules = true;
      ProtectSystem = true;
      RemoveIPC = true;
      RestrictAddressFamilies = [
        "AF_INET"
        "AF_INET6"
        "AF_UNIX"
        "AF_NETLINK"
      ];
      RestrictNamespaces = true;
      RestrictRealtime = true;
      RestrictSUIDSGID = true;
      SocketBindDeny = "any";
      SocketBindAllow = [
        "tcp:80"
        "tcp:443"
      ];
      SystemCallArchitectures = "native";
      SystemCallFilter = [
         "@system-service"
      ];
      UMask = "0077";
      RuntimeDirectory = [ "httpd/root-mnt" ];
      RootDirectory = "/run/httpd/root-mnt";
      MountAPIVFS = true;
      BindReadOnlyPaths = [
        builtins.storeDir
        "/etc"
        # NCSD socket
        "/var/run"
        "/var/lib/acme"
        "${fhsEnv}/bin:/bin"
        "${fhsEnv}/sbin:/sbin"
        "${fhsEnv}/lib:/lib"
        "${fhsEnv}/share:/share"
      ] ++ (lib.mapCartesianProduct ({ parent, child }: "${fhsEnv}${child}:${parent}${child}") {
        parent = [
          "/local"
          "/opt"
          "/opt/local"
          "/store"
          "/store/gnu"
          "/usr"
          "/usr/local"
        ];
        child = [
          "/bin"
          "/sbin"
          "/lib"
          "/libexec"
          "/include"
          "/share"
        ];
      });
      BindPaths = map (l: "/run/pvv-home-mounts/${l}:/home/pvv/${l}") homeLetters;
    };
  };
  # TODO: create phpfpm pools with php environments that contain packages similar to those present on tom
 }
--- a/hosts/ustetind/configuration.nix
+++ b/hosts/ustetind/configuration.nix
@@ -7,12 +7,7 @@
    ./services/gitea-runners.nix
  ];
-  sops.defaultSopsFile = fp /secrets/ustetind/ustetind.yaml;
+  boot.loader.systemd-boot.enable = false;
  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
  sops.age.keyFile = "/var/lib/sops-nix/key.txt";
  sops.age.generateKey = true;
  networking.hostName = "ustetind";
  networking.useHostResolvConf = lib.mkForce false;
@@ -39,5 +34,7 @@
    };
  };
  # Don't change (even during upgrades) unless you know what you are doing.
  # See https://search.nixos.org/options?show=system.stateVersion
  system.stateVersion = "24.11";
 }
--- a/hosts/wenche/configuration.nix
+++ b/hosts/wenche/configuration.nix
@@ -14,15 +14,9 @@
    "armv7l-linux"
  ];
-  sops.defaultSopsFile = fp /secrets/wenche/wenche.yaml;
+  boot.loader.systemd-boot.enable = false;
  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
  sops.age.keyFile = "/var/lib/sops-nix/key.txt";
  sops.age.generateKey = true;
  boot.loader.grub.device = "/dev/sda";
  networking.hostName = "wenche"; # Define your hostname.
  systemd.network.networks."30-ens18" = values.defaultNetworkConfig // {
    matchConfig.Name = "ens18";
    address = with values.hosts.wenche; [ (ipv4 + "/25") (ipv6 + "/64") ];
@@ -36,9 +30,9 @@
    package = config.boot.kernelPackages.nvidiaPackages.production;
  };
-  # List packages installed in system profile
+  services.qemuGuest.enable = true;
  environment.systemPackages = with pkgs; [
  ];
-  system.stateVersion = "24.11"; # Did you read the comment?
+  # Don't change (even during upgrades) unless you know what you are doing.
  # See https://search.nixos.org/options?show=system.stateVersion
  system.stateVersion = "24.11";
 }
--- a/modules/bluemap.nix
+++ b/modules/bluemap.nix
@@ -13,11 +13,32 @@ let
        (format.generate "${name}.conf" value))
      cfg.storage);
-  mapsFolder = pkgs.linkFarm "maps"
+  generateMapConfigWithMarkerData = name: { extraHoconMarkersFile, settings, ... }:
-    (lib.attrsets.mapAttrs' (name: value:
+    assert (extraHoconMarkersFile == null) != ((settings.marker-sets or { }) == { });
-      lib.nameValuePair "${name}.conf"
+    lib.pipe settings (
-        (format.generate "${name}.conf" value.settings))
+      (lib.optionals (extraHoconMarkersFile != null) [
-      cfg.maps);
+        (settings: lib.recursiveUpdate settings {
          marker-placeholder = "###ASDF###";
        })
      ]) ++ [
        (format.generate "${name}.conf")
      ] ++ (lib.optionals (extraHoconMarkersFile != null) [
        (hoconFile: pkgs.runCommand "${name}-patched.conf" { } ''
          mkdir -p "$(dirname "$out")"
          cp '${hoconFile}' "$out"
          substituteInPlace "$out" \
            --replace-fail '"marker-placeholder" = "###ASDF###"' "\"marker-sets\" = $(cat '${extraHoconMarkersFile}')"
        '')
      ])
    );
  mapsFolder = lib.pipe cfg.maps [
    (lib.attrsets.mapAttrs' (name: value: {
      name = "${name}.conf";
      value = generateMapConfigWithMarkerData name value;
    }))
    (pkgs.linkFarm "maps")
  ];
  webappConfigFolder = pkgs.linkFarm "bluemap-config" {
    "maps" = mapsFolder;
@@ -30,7 +51,7 @@ let
  renderConfigFolder = name: value: pkgs.linkFarm "bluemap-${name}-config" {
    "maps" = pkgs.linkFarm "maps" {
-      "${name}.conf" = (format.generate "${name}.conf" value.settings);
+      "${name}.conf" = generateMapConfigWithMarkerData name value;
    };
    "storages" = storageFolder;
    "core.conf" = coreConfig;
@@ -160,6 +181,18 @@ in {
            defaultText = lib.literalExpression "config.services.bluemap.packs";
            description = "A set of resourcepacks, datapacks, and mods to extract resources from, loaded in alphabetical order.";
          };
          extraHoconMarkersFile = mkOption {
            type = lib.types.nullOr lib.types.path;
            default = null;
            description = ''
              Path to a hocon file containing marker data.
              The content of this file will be injected into the map config file in a separate derivation.
              DO NOT SEND THIS TO NIXPKGS, IT'S AN UGLY HACK.
            '';
          };
          settings = mkOption {
            type = (lib.types.submodule {
              freeformType = format.type;
--- a/modules/gickup/update-linktree.nix
+++ b/modules/gickup/update-linktree.nix
@@ -16,6 +16,8 @@ in
    # TODO: update symlink for one repo at a time (e.g. gickup-linktree@<instance>.service)
    systemd.services."gickup-linktree" = {
      after = map ({ slug, ... }: "gickup@${slug}.service") (lib.attrValues cfg.instances);
      wantedBy = [ "gickup.target" ];
      serviceConfig = {
        Type = "oneshot";
        ExecStart = let
--- a/modules/grzegorz.nix
+++ b/modules/grzegorz.nix
@@ -37,19 +37,23 @@ in {
  services.nginx.enable = true;
  services.nginx.virtualHosts = {
    ${config.networking.fqdn} = {
      # NOTE: this overrides the default config in base/services/nginx.nix
      addSSL = false;
      forceSSL = true;
      enableACME = true;
      kTLS = true;
      serverAliases = [
        "${machine}.pvv.org"
      ];
      extraConfig = ''
        # pvv
-        allow ${values.ipv4-space}
+        allow ${values.ipv4-space};
-        allow ${values.ipv6-space}
+        allow ${values.ipv6-space};
        # ntnu
-        allow ${values.ntnu.ipv4-space}
+        allow ${values.ntnu.ipv4-space};
-        allow ${values.ntnu.ipv6-space}
+        allow ${values.ntnu.ipv6-space};
        deny all;
      '';
@@ -72,11 +76,11 @@ in {
      ];
      extraConfig = ''
        # pvv
-        allow ${values.ipv4-space}
+        allow ${values.ipv4-space};
-        allow ${values.ipv6-space}
+        allow ${values.ipv6-space};
        # ntnu
-        allow ${values.ntnu.ipv4-space}
+        allow ${values.ntnu.ipv4-space};
-        allow ${values.ntnu.ipv6-space}
+        allow ${values.ntnu.ipv6-space};
        deny all;
      '';
@@ -95,11 +99,11 @@ in {
      ];
      extraConfig = ''
        # pvv
-        allow ${values.ipv4-space}
+        allow ${values.ipv4-space};
-        allow ${values.ipv6-space}
+        allow ${values.ipv6-space};
        # ntnu
-        allow ${values.ntnu.ipv4-space}
+        allow ${values.ntnu.ipv4-space};
-        allow ${values.ntnu.ipv6-space}
+        allow ${values.ntnu.ipv6-space};
        deny all;
      '';
--- a/modules/matrix-ooye.nix
+++ b/modules/matrix-ooye.nix
@@ -81,7 +81,7 @@ in
        if [[ ! -f ''${REGISTRATION_FILE} ]]; then
          echo "No registration file found at '$REGISTRATION_FILE'"
-          cp --no-preserve=mode,ownership ${baseConfig} ''${REGISTRATION_FILE}
+          cp --no-preserve=mode,ownership "${baseConfig}" ''${REGISTRATION_FILE}
        fi
        echo "After if statement"
@@ -116,7 +116,7 @@ in
        fi
        shred -u ''${REGISTRATION_FILE}
-        cp --no-preserve=mode,ownership ${baseConfig} ''${REGISTRATION_FILE}
+        cp --no-preserve=mode,ownership "${baseConfig}" ''${REGISTRATION_FILE}
        ${lib.getExe pkgs.jq} '.as_token = "'$AS_TOKEN'" | .hs_token = "'$HS_TOKEN'" | .ooye.discord_token = "'$DISCORD_TOKEN'" | .ooye.discord_client_secret = "'$DISCORD_CLIENT_SECRET'"' ''${REGISTRATION_FILE} > ''${REGISTRATION_FILE}.tmp
@@ -181,6 +181,9 @@ in
          #NoNewPrivileges = true;
          #PrivateDevices = true;
          Restart = "on-failure";
          RestartSec = "5s";
          StartLimitIntervalSec = "5s";
          StartLimitBurst = "5";
          DynamicUser = true;
        };
      };
--- a/modules/rsync-pull-targets.nix
+++ b/modules/rsync-pull-targets.nix
@@ -0,0 +1,146 @@
 { config, lib, pkgs, ... }:
 let
  cfg = config.services.rsync-pull-targets;
 in
 {
  options.services.rsync-pull-targets = {
    enable = lib.mkEnableOption "";
    rrsyncPackage = lib.mkPackageOption pkgs "rrsync" { };
    locations = lib.mkOption {
      type = lib.types.attrsOf (lib.types.submodule ({ name, ... }@submoduleArgs: {
        options = {
          enable = lib.mkEnableOption "" // {
            default = true;
            example = false;
          };
          user = lib.mkOption {
            type = lib.types.str;
            description = "Which user to use as SSH login";
            example = "root";
          };
          location = lib.mkOption {
            type = lib.types.path;
            default = name;
            defaultText = lib.literalExpression "<name>";
            example = "/path/to/rsyncable/item";
          };
          # TODO: handle autogeneration of keys
          # autoGenerateSSHKeypair = lib.mkOption {
          #   type = lib.types.bool;
          #   default = config.publicKey == null;
          #   defaultText = lib.literalExpression "config.services.rsync-pull-targets.<name>.publicKey != null";
          #   example = true;
          # };
          publicKey = lib.mkOption {
            type = lib.types.str;
            # type = lib.types.nullOr lib.types.str;
            # default = null;
            example = "ssh-ed25519 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA comment";
          };
          rrsyncPackage = lib.mkPackageOption pkgs "rrsync" { } // {
            default = cfg.rrsyncPackage;
            defaultText = lib.literalExpression "config.services.rsync-pull-targets.rrsyncPackage";
          };
          enableRecommendedHardening = lib.mkEnableOption "a commonly used security profile for authorizedKeys attributes and rrsync args";
          rrsyncArgs = {
            ro = lib.mkEnableOption "" // {
              description = "Allow only reading from the DIR. Implies -no-del and -no-lock.";
            };
            wo = lib.mkEnableOption "" // {
              description = "Allow only writing to the DIR.";
            };
            munge = lib.mkEnableOption "" // {
              description = "Enable rsync's --munge-links on the server side.";
              # TODO: set a default?
            };
            no-del = lib.mkEnableOption "" // {
              description = "Disable rsync's --delete* and --remove* options.";
              default = submoduleArgs.config.enableRecommendedHardening;
              defaultText = lib.literalExpression "config.services.rsync-pull-targets.<name>.enableRecommendedHardening";
            };
            no-lock = lib.mkEnableOption "" // {
              description = "Avoid the single-run (per-user) lock check.";
              default = submoduleArgs.config.enableRecommendedHardening;
              defaultText = lib.literalExpression "config.services.rsync-pull-targets.<name>.enableRecommendedHardening";
            };
            no-overwrite = lib.mkEnableOption "" // {
              description = "Prevent overwriting existing files by enforcing --ignore-existing";
              default = submoduleArgs.config.enableRecommendedHardening;
              defaultText = lib.literalExpression "config.services.rsync-pull-targets.<name>.enableRecommendedHardening";
            };
          };
          authorizedKeysAttrs = lib.mkOption {
            type = lib.types.listOf lib.types.str;
            default = lib.optionals submoduleArgs.config.enableRecommendedHardening [
              "restrict"
              "no-agent-forwarding"
              "no-port-forwarding"
              "no-pty"
              "no-X11-forwarding"
            ];
            defaultText = lib.literalExpression ''
              lib.optionals config.services.rsync-pull-targets.<name>.enableRecommendedHardening [
                "restrict"
                "no-agent-forwarding"
                "no-port-forwarding"
                "no-pty"
                "no-X11-forwarding"
              ]
            '';
            example = [
              "restrict"
              "no-agent-forwarding"
              "no-port-forwarding"
              "no-pty"
              "no-X11-forwarding"
            ];
          };
        };
      }));
    };
  };
  config = lib.mkIf cfg.enable {
    # assertions = lib.pipe cfg.locations [
    #   (lib.filterAttrs (_: value: value.enable))
      # TODO: assert that there are no duplicate (user, publicKey) pairs.
      #       if there are then ssh won't know which command to provide and might provide a random one, not sure.
      # (lib.mapAttrsToList (_: { user, location, publicKey, ... }: {
      #   assertion =
      #   message = "";
      # })
    # ];
    services.openssh.enable = true;
    users.users = lib.pipe cfg.locations [
      (lib.filterAttrs (_: value: value.enable))
      lib.attrValues
      # Index locations by SSH user
      (lib.foldl (acc: location: acc // {
        ${location.user} = (acc.${location.user} or [ ]) ++ [ location ];
      }) { })
      (lib.mapAttrs (_name: locations: {
        openssh.authorizedKeys.keys = map ({ user, location, rrsyncPackage, rrsyncArgs, authorizedKeysAttrs, publicKey, ... }: let
          rrsyncArgString = lib.cli.toCommandLineShellGNU {
            isLong = _: false;
          } rrsyncArgs;
          # TODO: handle " in location
        in "command=\"${lib.getExe rrsyncPackage} ${rrsyncArgString} ${location}\",${lib.concatStringsSep "," authorizedKeysAttrs} ${publicKey}"
        ) locations;
      }))
    ];
  };
 }
--- a/modules/snakeoil-certs.nix
+++ b/modules/snakeoil-certs.nix
@@ -51,8 +51,8 @@ in
      script = let
        openssl = lib.getExe pkgs.openssl;
      in lib.concatMapStringsSep "\n" ({ name, value }: ''
-        mkdir -p $(dirname "${value.certificate}") $(dirname "${value.certificateKey}")
+        mkdir -p "$(dirname "${value.certificate}")" "$(dirname "${value.certificateKey}")"
-        if ! ${openssl} x509 -checkend 86400 -noout -in ${value.certificate}
+        if ! ${openssl} x509 -checkend 86400 -noout -in "${value.certificate}"
        then
          echo "Regenerating '${value.certificate}'"
          ${openssl} req \
--- a/packages/mediawiki-extensions/default.nix
+++ b/packages/mediawiki-extensions/default.nix
@@ -33,63 +33,63 @@ in
 lib.mergeAttrsList [
  (mw-ext {
    name = "CodeEditor";
-    commit = "6e5b06e8cf2d040c0abb53ac3735f9f3c96a7a4f";
+    commit = "83e1d0c13f34746f0d7049e38b00e9ab0a47c23f";
-    hash = "sha256-Jee+Ws9REUohywhbuemixXKaTRc54+cIlyUNDCyYcEM=";
+    hash = "sha256-qH9fSQZGA+z6tBSh1DaTKLcujqA6K/vQmZML9w5X8mU=";
  })
  (mw-ext {
    name = "CodeMirror";
-    commit = "da9c5d4f03e6425f6f2cf68b75d21311e0f7e77e";
+    commit = "af2b08b9ad2b89a64b2626cf80b026c5b45e9922";
-    hash = "sha256-aL+v9xeqKHGmQVUWVczh54BkReu+fP49PT1NP7eTC6k=";
+    hash = "sha256-CxXPwCKUlF9Tg4JhwLaKQyvt43owq75jCugVtb3VX+I=";
  })
  (mw-ext {
    name = "DeleteBatch";
-    commit = "122072bbfb4eab96ed8c1451a3e74b5557054c58";
+    commit = "3d6f2fd0e3efdae1087dd0cc8b1f96fe0edf734f";
-    hash = "sha256-L6AXoyFJEZoAQpLO6knJvYtQ6JJPMtaa+WhpnwbJeNU=";
+    hash = "sha256-iD9EjDIW7AGpZan74SIRcr54dV8W7xMKIDjatjdVkKs=";
  })
  (mw-ext {
    name = "PluggableAuth";
-    commit = "5caf605b9dfdd482cb439d1ba2000cba37f8b018";
+    commit = "85e96acd1ac0ebcdaa29c20eae721767a938f426";
-    hash = "sha256-TYJqR9ZvaWJ7i1t0XfgUS05qqqCgxAH8tRTklz/Bmlg=";
+    hash = "sha256-bMVhrg8FsfWhXF605Cj5TgI0A6Jy/MIQ5aaUcLQQ0Ss=";
  })
  (mw-ext {
    name = "Popups";
-    commit = "7ed940a09f83f869cbc0bc20f3ca92f85b534951";
+    commit = "410e2343c32a7b18dcdc2bbd995b0bfdf3bf5f37";
-    hash = "sha256-pcDPcu4kSvMHfSOuShrod694TKI9Oo3AEpMP9DXp9oY=";
+    hash = "sha256-u2AlR75x54rCpiK9Mz00D9odJCn8fmi6DRU4QKmKqSc=";
  })
  (mw-ext {
    name = "Scribunto";
-    commit = "e755852a8e28a030a21ded2d5dd7270eb933b683";
+    commit = "904f323f343dba5ff6a6cdd143c4a8ef5b7d2c55";
-    hash = "sha256-zyI5nSE+KuodJOWyV0CQM7G0GfkKEgfoF/czi2/qk98=";
+    hash = "sha256-ZOVYhjMMyWbqwZOBb39hMIRmzzCPEnz2y8Q2jgyeERw=";
  })
  (mw-ext {
    name = "SimpleSAMLphp";
    kebab-name = "simple-saml-php";
-    commit = "d41b4efd3cc44ca3f9f12e35385fc64337873c2a";
+    commit = "a2f77374713473d594e368de24539aebcc1a800a";
-    hash = "sha256-wfzXtsEEEjQlW5QE4Rf8pasAW/KSJsLkrez13baxeqA=";
+    hash = "sha256-5+t3VQFKcrIffDNPJ4RWBIWS6K1gTOcEleYWmM6xWms=";
  })
  (mw-ext {
    name = "TemplateData";
-    commit = "fd7cf4d95a70ef564130266f2a6b18f33a2a2ff9";
+    commit = "76a6a04bd13a606923847ba68750b5d98372cacd";
-    hash = "sha256-5OhDPFhIi55Eh5+ovMP1QTjNBb9Sm/3vyArNCApAgSw=";
+    hash = "sha256-X2+U5PMqzkSljw2ypIvJUSaPDaonTkQx89OgKzf5scw=";
  })
  (mw-ext {
    name = "TemplateStyles";
-    commit = "0f7b94a0b094edee1c2a9063a3c42a1bdc0282d9";
+    commit = "7de60a8da6576d7930f293d19ef83529abf52704";
-    hash = "sha256-R406FgNcIip9St1hurtZoPPykRQXBrkJRKA9hapG81I=";
+    hash = "sha256-iPmFDoO5V4964CVyd1mBSQcNlW34odbvpm2CfDBlPBU=";
  })
  (mw-ext {
    name = "UserMerge";
-    commit = "d1917817dd287e7d883e879459d2d2d7bc6966f2";
+    commit = "71eb53ff4289ac4efaa31685ab8b6483c165a584";
-    hash = "sha256-la3/AQ38DMsrZ2f24T/z3yKzIrbyi3w6FIB5YfxGK9U=";
+    hash = "sha256-OfKSEPgctfr659oh5jf99T0Rzqn+60JhNaZq+2gfubk=";
  })
  (mw-ext {
    name = "VisualEditor";
-    commit = "032364cfdff33818e6ae0dfa251fe3973b0ae4f3";
+    commit = "a6a63f53605c4d596c3df1dcc2583ffd3eb8d929";
-    hash = "sha256-AQDdq9r6rSo8h4u1ERonH14/1i1BgLGdzANEiQ065PU=";
+    hash = "sha256-4d8picO66uzKoxh1TdyvKLHebc6ZL7N2DdXLV2vgBL4=";
  })
  (mw-ext {
    name = "WikiEditor";
-    commit = "cb9f7e06a9c59b6d3b31c653e5886b7f53583d01";
+    commit = "0a5719bb95326123dd0fee1f88658358321ed7be";
-    hash = "sha256-UWi3Ac+LCOLliLkXnS8YL0rD/HguuPH5MseqOm0z7s4=";
+    hash = "sha256-eQMyjhdm1E6TkktIHad1NMeMo8QNoO8z4A05FYOMCwQ=";
  })
 ]
--- a/packages/ooye/fix-lockfile.patch
+++ b/packages/ooye/fix-lockfile.patch
--- a/packages/ooye/generate-lock-patch.sh
+++ b/packages/ooye/generate-lock-patch.sh
@@ -0,0 +1,40 @@
 #!/usr/bin/env nix-shell
 #! nix-shell -i bash -p bash git gnugrep gnused nodejs_24
 GIT_TOPLEVEL=$(git rev-parse --show-toplevel)
 PACKAGE_NIX="$GIT_TOPLEVEL/packages/ooye/package.nix"
 REV="$(grep -oP '(?<=rev = ")[a-z0-9]+(?=")' "$PACKAGE_NIX")"
 TMPDIR="$(mktemp -d)"
 cleaning() {
  rm -rf "$TMPDIR"
 }
 trap 'cleaning' SIGINT
 git clone --depth 1 --revision="$REV" https://git.pvv.ntnu.no/Drift/delete-your-element.git "$TMPDIR/ooye"
 pushd "$TMPDIR/ooye" || exit
  sed -i 's/\s*"glob@<11.1": "^12"//' package.json
  git diff --quiet --exit-code package.json && {
    echo "Sed did't do it's job, please fix" >&2
    cleaning
    exit 1
  }
  rm -rf package-lock.json
  npm install --package-lock-only
  export GIT_AUTHOR_NAME='Lockinator 9000'
  export GIT_AUTHOR_EMAIL='locksmith@lockal.local'
  export GIT_AUTHOR_DATE='Sun, 01 Jan 1984 00:00:00 +0000'
  export GIT_COMMITTER_NAME="$GIT_AUTHOR_NAME"
  export GIT_COMMITTER_EMAIL="$GIT_AUTHOR_EMAIL"
  export GIT_COMMITTER_DATE="$GIT_AUTHOR_DATE"
  git commit -am "package-lock.json: bomp" --no-gpg-sign
  git format-patch HEAD~
  mv 0001-package-lock.json-bomp.patch "$GIT_TOPLEVEL/packages/ooye/fix-lockfile.patch"
  git reset --hard HEAD~
 popd || exit
 cleaning
--- a/packages/out-of-your-element.nix
+++ b/packages/out-of-your-element.nix
@@ -2,31 +2,28 @@
  lib,
  fetchFromGitea,
  makeWrapper,
-  nodejs,
+  nodejs_24,
  buildNpmPackage,
  fetchpatch,
 }:
 let
  nodejs = nodejs_24;
 in
 buildNpmPackage {
  pname = "delete-your-element";
-  version = "3.3-unstable-2025-12-09";
+  version = "3.3-unstable-2026-01-21";
  src = fetchFromGitea {
    domain = "git.pvv.ntnu.no";
    owner = "Drift";
    repo = "delete-your-element";
-    rev = "1c0c545a024ef7215a1a3483c10acce853f79765";
+    rev = "04d7872acb933254c0a4703064b2e08de31cfeb4";
-    hash = "sha256-ow/PdlHfU7PCwsjJUEzoETzONs1KoKTRMRQ9ADN0tGk=";
+    hash = "sha256-CkKt+8VYjIhNM76c3mTf7X6d4ob8tB2w8T6xYS7+LuY=";
  };
-  patches = [
+  inherit nodejs;
    (fetchpatch {
      name = "ooye-fix-package-lock-0001.patch";
      url = "https://cgit.rory.gay/nix/OOYE-module.git/plain/pl.patch?h=ee126389d997ba14be3fe3ef360ba37b3617a9b2";
      hash = "sha256-dP6WEHb0KksDraYML+jcR5DftH9BiXvwevUg38ALOrc=";
    })
  ];
-  npmDepsHash = "sha256-OXOyO6LxK/WYYVysSxkol0ilMUZB+osLYUE5DpJlbps=";
+  patches = [ ./fix-lockfile.patch ];
-  # npmDepsHash = "sha256-Y+vgp7+7pIDm64AYSs8ltoAiON0EPpJInbmgn3/LkVA=";
+
  npmDepsHash = "sha256-tiGXr86x9QNAwhZcxSOox6sP9allyz9QSH3XOZOb3z8=";
  dontNpmBuild = true;
  makeCacheWritable = true;
--- a/secrets/bakke/bakke.yaml
+++ b/secrets/bakke/bakke.yaml
@@ -12,78 +12,87 @@ sops:
        - recipient: age1syted6kt48sumjjucggh6r3uca4x2ppp4mfungf3lamkt2le05csc99633
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOM0NNRFlYaDVtY2taK2xZ
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsOE50MkkxV1p0UlVUT0dE
-            R1pJKzhzOFJJbVI1ZEtQZTJJd1JiejdwaHpJCjlyZVZLZUpVeG1HNHo1UTlaa1gz
+            WCtLMEk0ZSttY25UMjNHSHB1QzJ4N2l5WnpFCkNpdmlCY1VxWVo0ZStVclZ0amo4
-            Q2JOTmpibndlcERXaWw3Ujd3OGo2aU0KLS0tIEhKcjFKYm82VFdHWTkvcFBDam5H
+            dGhSRWY1SElRZXZzdWo5UDNjUHMzUjAKLS0tIDI3elNXSXJHQU5qb3hCSHYwWnoy
-            bzhGbFF6ZmRPTXpzMWgzWGJJbGlkUTAKtNREtgj4kXKDymmbBt2YVFUqrAaGY72z
+            N3BhNmJQZjIrbWlVRytxZ3dFMjBtL1kKn7/DTPfJtdBomSplnBomYhsxJbX7kJQa
-            8fUEIz/2/kPeb4QBpYt4HQabXDLCZXZ0Q5qhHRFOSER8o+TrkJDEow==
+            1Qsr+bmugWxHFIPhoDwPIBpChQkLvAo8exQpduos18FsXgvMmB0guQ==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1ug30gg4y7ftuya0wdv7q0vh4egn00wlv2th7mt7cgc2ze46wmvyq9lq6ge
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSbEJRNjVJSE5qSk1VcVR6
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXdnNSSEJoaUQwdTNTMDY4
-            VTh6ZU93Q2dGclhZWXA4YTh5WXZ4MWFMRzNRCkJ6Z1F6a20za3ZxLzRsZGg2aHpn
+            QUxuLzRIWVNkM25QNTZ5VTBwQlYvT2p3SURzCnJmd2g1YUY0cmdLL3FkQTQ4NURL
-            Nll0NW9XRndIOFpzMVgwK3RxWm1BUkEKLS0tIGF0MUYwblY4a3haelJYRkNyd3lS
+            YncyY3VROTFUeDc5ZlB1aWdXVGNNdjgKLS0tIEtXeDdRLzl4RXhpS2o5ZUE4YkpI
-            S0ZuSUVXWGVXbnJocm1LRjZRSGVrMFkKQcwZk7mlF96kPdvZyLNR2i5CnU/qR7/i
+            RjBObVhlWncrRnVidEtGN2N0ZitzNlUK/ooEeWCY5nDgny43q45wvl/e6qq/X4B/
-            u897JxtxmXuuNDKPA80pFxfwkOwzcUVrYiwOlAbMENwJWH1SwFO3Cg==
+            7Q/DPj13BcrWRgoCYeHlq6VlIerz5ERNgxyR/qKuVSGAVroSVY6spA==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1mrnldl334l2nszuta6ywvewng0fswv2dz9l5g4qcwe3nj4yxf92qjskdx6
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWa2c5d0RvR21jQ21ZRVBL
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoRy9CaHY1WEEzOXdUSjd2
-            dkR2RDhMMmJKTXk4UnFTbEZCbE5vV2cwRTNnCkFFT05kYUhXREtzSGkyY1VYQ2ZE
+            aFlGU3NGcW5MeHg3U2d0UEk0SXJIcmg4RVFzCkpwODhBWld6T1VNS2haSkpxL0hn
-            bU0xZnlUN0draW5DZXRqQlloVi9NaFkKLS0tIDdHb05weWlzcDN4bFdzYnpUVjVV
+            b0VRWVNFcTE5c0t3VkFZQ1R1d2dnbmMKLS0tIDdNMHBrU0RRSmlBZUJobXQxZUt2
-            ZkVXK01odnZJeGhoaFFLbEVSMFJsMHcK/mgeA6aMlr7T35rHL3GriYHu2DQE45sI
+            MzZSYlM5bjYzUlRYNXkzNzZlWmx3L0UKkH6WOXHFRRbCprSjxcONSVUN/9NEQvtS
-            8RdxdErESmpx0bneFbmsBgXOYu+iT64zatPEGVSu1taW/nMa8Ucpzw==
+            Jg+dJSMviq6GvUfUNmNvPJHfyy+CYT6a2Zd+4NdYCetRLsRJPc6p3A==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1hmpdk4h69wxpwqk9tkud39f66hprhehxtzhgw97r6dvr7v0mx5jscsuhkn
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxbm4wL1pHeVVRYzJrb0RZ
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUckpiMzYrU1NnNFJ4MGps
-            VHA5ZGRTUHkxbk9qenpNRGE4bjQ0SzN6UVFvCkRHQ0VDaUhRRDI3Yy90UXZCdTlo
+            OEt0c0o3Ty9QejhEM29wZFMrNTNyMHlHWlRBCnBHUUdvcmxoL0FqVEtBSHlma25P
-            dnBHSmU5WlBlczlBbDBZRHFvLzFBWVkKLS0tIFVNVG5qRDZlcWZ4R00zc0N5bkli
+            c2tITUtZTGVzOGdidC84OUYvRlpxSjAKLS0tIFNMVmdiWmJNZUdLS1g3T3ZINUh6
-            d0Z4TEJzdEFuV3NnTndFZlpPMTNYSHMK1d1Use9/w4ClrCfShBymIxHZppCXmhmQ
+            Mjg5RHdKYnV3Z2V0L3E3ZlA2WDB0WlkKJr4Vg6rnKqGpL6N143QYfLqS4lQIED/J
-            vIW5vI4Ui0jSX9Rwhd17CLT66mQYBbaHTGB9fiGNQpFRc/ztaFbbnw==
+            SYQds8mCiyCNGvV6ON4k096jXcuMAZ1w+0bA16AHlTXnqgIgfaHpKA==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1wrssr4z4g6vl3fd3qme5cewchmmhm0j2xe6wf2meu4r6ycn37anse98mfs
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrNmF2ZTFreDdzdVZHRWt4
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHL1QvSUlWUTN4OTBKOURa
-            VW1TNXFWRW13T3VBN04wMi95VkRCeHJIalVNClRLZGFDY2ZIREkweXp5dU9yYVRD
+            VkVVb29McWgxa3gwb2lkVTdSZmUrVVZpSERjCm9oTTFRckg3SUM1a0tJRVlaU3RL
-            T1N5QVh0eWczd3VIWEthbTZRVXM0L00KLS0tIFlWeDZmQzYrQXdoZ3dycS9udEFW
+            dUtsU0FpY1JyNkx6K1U1MWcrSjNYbUUKLS0tICtvTjJVdG1PSXF4TVltZ204SnVu
-            TGg0bGwxQjQ1UkR5OC9FajI1RHprUXMK8NRbkEjLEW6pANEkB0QyBcgMin/Aaf5A
+            VE9aT3l2dGgxMWNHUXQ0bDN2RjVOek0KwOa/vczHZa+SRr8j6KvkfZZ0kajxXOq0
-            dkFYo01G3XM7AmlnnM9UCc56Gc/ZfcsVaUhMAZoEvEvuU0++ufCIZg==
+            5AoDz2Mtcs+qBctTuogdLCZoL2ZpRVV7v1dGI+Fm1cVLoutV19IvTQ==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1zhxul786an743u0fascv4wtc5xduu7qfy803lfs539yzhgmlq5ds2lznt5
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYNE04cmdoYnc4cGhmMmlW
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWVFp0ZlRhU29DNUhMSmRy
-            aU1MNXpacVp2eGV1dU1GUUNyd3dFRDI0and3CllsSG9qR1IwaG1iU2FpWEduanhx
+            Y3VVV2pmajJmaU9qN0tHR1E3ekFMS3o0K2pRClIwek5GYzNNZEliK2ZTT1NVZklQ
-            WVE2SWZBblp5RWd3Mi8rc2s3M2F6cXcKLS0tIFBnaCtIelBPdEtqRUIrTnY3VytC
+            YWpqY3poN0E1ZTVOTVRhL3FQSVZmZW8KLS0tIHpuWktoa1EwcXc1bEJJYk5VbEw3
-            K3dUNVgrYlVnRjRKVVRDQmxsUC9tOG8KFE/pU3tSnyohg58FTWWc2j1Yk0+QHRyH
+            blE2VXBuTDdlbHJTVjRzOWdyem1UWTQKg5uZRhcLpmiVcadqdJoscqsBD2u6UGx+
-            VakZTPA8l2j7X01KOwEDaZBZrzFd8059GBUMRnylcVOCg5a5VjXpEg==
+            qT0IoSVOzsBlJw2t9rH1zR7WfRSlCXT1NYzu9aTWGqQaB8qvEtyk4g==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1sqs7urnzsdy64efmd0zukzv3gs5pnjksuxd7nqmdwdy5l0nqnunq6hyune
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFdjhMM1ZpM2xFVXlvOXZK
            MlRZT2U5YzhMUVR1L0FqVVdiSTFTYUpyN25rCjB6ajMwTnNTaWk5d21vM0Zza243
            dHhSOHM0c3cwS1c5dGxhbzBNVm9DeFEKLS0tIEpOY1lWVE04UkNYNDdCcUdnTUhI
            NC9xOENWZUNyay9SeXRjSUdkMlE4UXcKiygSIWelRUZQPbiK2ASQya7poe1KCXmo
            XIlgOaUe1+lvY8s2bjdud0+7QlPOKeyciCSFNNqIxzHMYSEKwNCbpg==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2025-03-15T21:42:17Z"
    mac: ENC[AES256_GCM,data:2gH/ZaxSA6ShRu53dxj7V3jk7FsVdYS+PSHQyFT8qMvKM1hsQ/nWrKt00PUl9I7Gb4uomP9Ga3SyphYOXRBzKoV+x52oEWOJE3Q4iPrwdCkyHlxEezhTd/ZRQVatG6dvHpLuDNS9Dyph4f7Mw5USI+m4WeVdgCvHTydw+4KIfP4=,iv:yimfq96WVsagvKr8HTg1RdZBSrVGcCWPvv8XOXkOfcg=,tag:zHzdrE0PX5+AeD2lpqeJVQ==,type:str]
    pgp:
-        - created_at: "2025-12-22T06:10:02Z"
+        - created_at: "2026-01-16T06:34:38Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----
-            hQIMA0av/duuklWYAQ/+Jcq2EiWutguXVgFJsG0eU9CmM/ZrSfN7Of6MeGh53vw5
+            hQIMA0av/duuklWYAQ/+O1tft/OfS52K8cmcQE7I7aFb85P2L+7u1TdmTjHwNFkC
-            F125rivlWf56nEjAnW0u0Ai1MRUUvL6cSqnIxH0y0NcgllkUVrMDJPtsp4/1pFG3
+            3jhvzPkNDQDkMIc5EPZKX5WLUS8F1UaqCw4b8zZtqoTqKDpu0S92KL500iXwBxft
-            pMhQuaoun7mmHbMwFD/WIGk3NeQA2WRm8vCa2yHuOHKG5rISZDgY/5WdkLGK9Vll
+            D3cRMFFb6GBoSlPJVBt6LMRJjGLWCkBihlYL1AknoVV7VERj8m1cvcstdp3qbEd7
-            A3eBaz2r+jQwZNHMTu9Sgmuya7EAGCb/7oSTyE+ZyG9zDwyvbKcuS+xMx/Sqx5a+
+            c+X6t5B+7N0/QPdh2KyrHWXyCzFc/6emVjNGy2EoXRt7idFF2yTbafobCs/hZ8LZ
-            a1a38fJCdwTHNGR293kMhVK75z0aOvGp4t92bulAe0Tp0Efc43TNGYIGjOQT7r3J
+            RJyhpGyR9QPtAwFP9Und62tCd4ZwG5FazZBLevRrmD7AOW1WnQhyYvxBvqQp/Oz+
-            k4YQ0OcR+fezp8GSLxoewWBpCMFaRliSnLh7XJwd2jTURbzlpQFFKNXW4pLxrAIr
+            lFmhcirLw5CaC1AbF2k3uNoAHXVWyexaQeu2gsNYXq+lpsdCWT8WtrAtNCyC2StI
-            ZJXZ6Hloz91MRoQ8HLCs7WqhLptXGnqXsJPCwdBJEeVzutyt3cZIzq11bNgf9sNv
+            PtdrdQ9oikJptmoWQ0zEBXKXdV8AhukLSX0wtis74KbmcS+2YyNKvQksGF2ZfHBh
-            Ydj86FmGTMFK5d9kNYAqxwnfcVIc3/AdbyKNoky1Muu0z5XvUdgUcYu5RK9yL3DA
+            U9ycfJr1kwm7TAg5Lg6XOmKrdOJkPoIcUCk2QW7MfS3nwwMLt3BjhhpRVUfeUmjB
-            dUJVI5uam+ONUatFeTbS2Vz7KEbwh1H3gfQUQTrE6FOSrh8bk0lp1aG1geL69ram
+            Jjjs+jUXEusnmwmvGGgEU2pT944FLuFClSI8JTnIZ61YkjF7zAtrURvsNKlqu/UG
-            XXh/uHkvzTgbq+oiyiqbodurrEQHcdhrYJwvPELLQwtIq+0iVu7xNIFz+LNuAMqK
+            JLrWR+dnnh1YK0qQEcqt6giNSX2IWrw5SpJ8Jekt0TWfB1HDHybQUyFC/n/je/XK
-            d1lualLK7xHNqCOhihY1nKR3PjDrE4tUKjtwu1lp2Ae+VEXg1FgrqdkquxlE+0XS
+            0ouAeDL9oqh0eRU3ng4KKhOXNn+WO3/HrnG//KFwokc//BNNvP8qM0CTtPQbQ1HS
-            XgG0jfeGqwQKM1qGkaj9UX/xXe8Io5KhOAqRhnkauU9nZ4Uaj5X1rFpbLAOT2/FZ
+            XgFjhTfzV0T4LyUryuict4rLVI+DDbzWGRp0umdobvQE1CGLhKCanrd2/Ng6fAny
-            rHjT46gUUh1hK2TEnL14yJ8ttIntlcXh6lJ6zbkIL7G+56GlqhPmr8M6N67VEq8=
+            9G09vYF5zK95uzqFBCTh1zFr6+rhfbMI501TwBu1KxOaJdYs3vzLiTGWoyI48JM=
-            =8M3y
+            =5fyo
            -----END PGP MESSAGE-----
          fp: F7D37890228A907440E1FD4846B9228E814A2AAC
    unencrypted_suffix: _unencrypted
--- a/secrets/bekkalokk/bekkalokk.yaml
+++ b/secrets/bekkalokk/bekkalokk.yaml
@@ -9,6 +9,7 @@ gitea:
    ssh-known-hosts: ENC[AES256_GCM,data:zlRLoelQeumMxGqPmgMTB69X1RVWXIs2jWwc67lk0wrdNOHUs5UzV5TUA1JnQ43RslBU92+js7DkyvE5enGzw7zZE5F1ZYdGv/eCgvkTMC9BoLfzHzP6OzayPLYEt3xJ5PRocN8JUAD55cuu4LgsuebuydHPi2oWOfpbSUBKSeCh6dvk5Pp1XRDprPS5SzGLW8Xjq98QlzmfGv50meI9CDJZVF9Wq/72gkyfgtb3YVdr,iv:AF06TBitHegfWk6w07CdkHklh4ripQCmA45vswDQgss=,tag:zKh7WVXMJN2o9ZIwIkby3Q==,type:str]
    import-user-env: ENC[AES256_GCM,data:wArFwTd0ZoB4VXHPpichfnmykxGxN8y2EQsMgOPHv7zsm6A+m2rG9BWDGskQPr5Ns9o=,iv:gPUzYFSNoALJb1N0dsbNlgHIb7+xG7E9ANpmVNZURQ0=,tag:JghfRy2OcDFWKS9zX1XJ9A==,type:str]
 mediawiki:
    secret-key: ENC[AES256_GCM,data:ixG9vGifYcz44y/copU+eHIjWLcxJ4v7pi8l1P3YHIdGwAk5DNZQWlaA/L3w0g50zM0ESEXL9k2r3jNI1nLGJw==,iv:fwHV4hYDEjP9f/8Bw74EhYDUN8UV+qIwqd6yXa5KtFs=,tag:3c9J/lVoJeRE1b/TTWJNZw==,type:str]
    password: ENC[AES256_GCM,data:HsBuA1E7187roGnKuFPfPDYxA16GFjAUucgUtrdUFmcOzmTNiFH+NWY2ZQ==,iv:vDYUmmZftcrkDtJxNYKAJSx9j+AQcmQarC62QRHR4IM=,tag:3TKjNrGRivFWoK3djC748g==,type:str]
    postgres_password: ENC[AES256_GCM,data:XIOmrOVXWvMMcPJtmovhdyZvLlhmrsrwjuMMkdEY1NIXWjevj5XEkp6Cpw==,iv:KMPTRzu3H/ewfEhc/O0q3o230QNkABfPYF/D1SYL2R8=,tag:sFZiFPHWxwzD9HndPmH3pQ==,type:str]
    simplesamlphp:
@@ -39,79 +40,88 @@ sops:
        - recipient: age12nj59tguy9wg882updc2vjdusx5srnxmjyfaqve4zx6jnnsaw3qsyjq6zd
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvQjZvVEplU2pMQmgrQXE2
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzMVM0T0Y4Wjg1OGNsR0Iv
-            Qy9FY1NRZEhpSTVCdy9rVEFHekM4NHJEVlRvCkNnVUlCQzdGenlKOW56ZGY4bzJm
+            VmxoNmRMcjlWRHFhc3l2Sy9aZnF4b0ZsTnhnCkd6UnEvWi9kRU9qSmVLZkdiWGJh
-            K1c1N25ZbDFNMDY0YzlGMTlMN2htSEEKLS0tIEYvWEVoMUVtVDRkeEt5eWFZckJs
+            SW1SS3FDWnZTZnBhTmFvTW5FMCtUK0UKLS0tIFJDdHFoT3pPaEJLZmR3R2Jsd2pt
-            aFRsYmhNMkQwdFlDa1ROWXdhWGFKUUEKqixofKZBMXpV8q801HtVoHzZWJhsifSB
+            R0RmcXJwRlkvSVhRbGwxZytLNmlqeFkKw/0nGPzgzH39udFyJVkjNTMTmffiQh6/
-            DLPHbOAWpXjKygNJ1ogi66FWBFfRL0KGffQEuaIozTA1r1NafSCLKA==
+            HT1O7imvPymx5kXrnfciAP9bnCV4o/HiVkuDxBP7gG5nBUgY6PIC7Q==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1ug30gg4y7ftuya0wdv7q0vh4egn00wlv2th7mt7cgc2ze46wmvyq9lq6ge
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1YmhFNHNuaXlFZXMxNmtR
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCV2ptWkhqNjcrM0hXOWEv
-            S3ZIM25xVnYxNE5kL0RJR0lpNWo1c2ZTczFRCkRKakRNek8xdVcxcFN5Wkc1VDJ5
+            Y21GNkVJUXY3dHV1OUdUdlJZNHhka3g3QVdNCk9vak0wSDBhS3pZSWk2anVsMnVY
-            QjJuQjcwZ25RVkpoMXFpQXltU21MOTQKLS0tIFVrNVJ1alAwM1RtTy9zUUIzMkpi
+            UmVuamF3ZGw1MGZ5M3ppSThWK3FPR2sKLS0tIDlQRENlQjh6THZRZlpEWnE0djNo
-            bnFVWG5xWW1hSDZob0NzZVZNOHdqRTAKci5uPZI7K/ljVRZ1j2qQFABpf+Anuj2a
+            cXl3S2tRdExvSjRNUHpwbFNzVXdQVmcK65zb8MPh67TyHkjLA2vLgv2eOQOSUDih
-            yqz92A7DbMUSUqmUNCHWg2vKmMwuRL3CXLPzZoXgIN07dpYQlk6qgg==
+            JeHkryWGQXzlYL5tZZ24ae1mqYiYQ6DsbWXopA0q0OmndYByXct6FA==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1mrnldl334l2nszuta6ywvewng0fswv2dz9l5g4qcwe3nj4yxf92qjskdx6
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUZExMODZvbUo5VWt4UWs4
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCSnU5dml1bjY5ejZHUGRQ
-            ZXRXWkdDczQxcGRJbUFyU3V5bDllampVWTF3CndVSzZESmlwUFcxMjZKODhPY1pz
+            V1pNQnBXWUx0c1R5WkY5d3NFOFlKTkFrMUN3CkNqMjc5NDRMb05tSW9wV3lkUUVU
-            WHo5aC9JOUg0VndhdGIxeU1PU2t2QWMKLS0tIExQelVMSWUrMkUrY3htMVIxTHFo
+            Mml0VWc5N2NBZDQzVXMrWGpqVzY4NUEKLS0tIHBoNTZlOVBMdFJXOC9QRjJ4bHh2
-            blNkNG02ZTFHR1ZjL1dBbjlDNXk5VmMK+EbzW0Rdq5cxIm8EnQ2P87BTxfMKywyM
+            SzM4Rml4dFNjMWxxYXlVdTdxTTB1ZzQKvoBpb4PPNM5yl85wTcTTqZmkXmwZGyvS
-            Q3LGAw4RDR/Gstj9hzpTPnNjb4D5tMcQmeQlAvBriZPFXCrmq5WCXA==
+            PMPFNqEkzcZFtC1BfYGIlKAuisGhQ6rFAkyTZXTLP0HjPEcH00+WMw==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1hmpdk4h69wxpwqk9tkud39f66hprhehxtzhgw97r6dvr7v0mx5jscsuhkn
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrSGFIdjJwTkpRdzdIQ2Iz
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDbGdTVUU3UVUwZytQancy
-            WW1jamZFY1JrTTBZRjM5enZmNkNEMTRaQ24wCjdJY2l4OVJyU2pVR3dQZFg0cHRl
+            ZXY1Ullmck9qZ0dsSmZqUHF0NGpSZlJWRjBJCndmbGh6Y3lUWmdEWUdHNkZwd0dM
-            dU1xS0gwbWM0MktPL2d6dG1wN1ZsWEkKLS0tIHJscElDRVFrakJCZmtMbk0xaVp4
+            OWpaTk4xdzlLak1iMFhhU3BnT1NYTE0KLS0tIElxOFVmUnVDUXhUeVBEVjJhR0Rv
-            MDBoekhiMWZaeU9IWkcybFNWczVtUUUK4BOBttXkGhmUYTjR68ZvaT0BpbIw67rr
+            NmloODFNNXU1TG9FeWxKYTBGOG5qR1kKXGAQyRVO6Sh0LNlFD5nx0F3m2KYP8hYl
-            Ls5XV6Azkid7GAttNayqb/OjshUco1xIbAyGRz77b5uzMzM1cM6+dA==
+            /g3mwi4NI4UIR2dYXsgNJuF7axxP1IbaZ/j2NLNYbVe2+iZvscvBTw==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1wrssr4z4g6vl3fd3qme5cewchmmhm0j2xe6wf2meu4r6ycn37anse98mfs
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNSmVyNkNiWkxob05lakJI
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtWkVyLzJWM01ybHB3cmpq
-            N1dWVWl4bnd0cWV0bzlzQTdhMTZ6aWZJMFU4CkYwc29NTW5PODVVTU5DNFdCV0RO
+            cTJTM3VWaEk3djcxb0RnbVZXUGRyMWQxcWlFCmhQUmtGZm0wczdsLzZUNHFqRnZW
-            RTJHaDVmbWZ1WFdSRVE4Tk9SbHhsdUkKLS0tIFhiN3M1aGJtY2ZqTkIwYjB6S095
+            R0JaUDhmUXB6OTBwNEFja2xhbm1JNXMKLS0tIHNVUFltMjZjalJya2x2UzVHcUoy
-            WkpCQWlab2s5anVIa2Vlak1vNzI5U0kKRhPzmr9IW0fVDRKzfR1du7KgevNUchxJ
+            RGs3aStCRUJmMG9JRFZyRFJWeTZKWGsK8oTccCGCXPsQEGnn57ml5IwYCHgYoBpC
-            GDz5B/EekvwZwhcAGvkE6uwHIAIMaau49S9iwqK4NjIcBIGagoqiDQ==
+            2U7uT/Z10crtrqgPGi3/jYr5IEacLBvbuGLBwSlCo7NGz/6XnVIyaQ==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1zhxul786an743u0fascv4wtc5xduu7qfy803lfs539yzhgmlq5ds2lznt5
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpSXJKL3RzUEMzZXN5Qmsw
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSTlJPQk9DTFNKMjA2bTRj
-            aFRrMXE2b2dNU05NeWNuaEZOdkcyMWpvUlM0ClVkMVJoS3Y5SnJxQ3RtaUtncDcw
+            OE5uaWxEQkhUdmRvT2h4TDJvREo4TlQ4MFZrCjNjd2ErOXcxQkJrNzlOdGNFSDNW
-            cWRKYjdFbEJ3aWE1ei9wYnpVRGhBd00KLS0tIFFycFgyWGVvMFc3azN3T2Z4aHln
+            S1gyaG1SSGpyNmtXZXpqZzVnN3o2MkUKLS0tIGdkbEROYUNjNk54RmFuR2VkK0Zq
-            UzR0dUp5MHFWdDFya0hlRXM4M1d5YVUKhaXAFsId/SGv5wmKvjTLSAAlDNuSH80H
+            RlRMc0R3dDllUGRHcmNDTDBSS09mUUUKhdxXMEuwLviNY134uA4SELXiHo4rCC9h
-            SahjRm7nj5Z6ZHJfBZu9cGoZ5ZdvPsr1DtLgErSndnOnh7TWA8SgGQ==
+            pT2iqOV+VDquwE99h9OIo2Kfmblzje/TGpok1i4cxytg8fly3LZD+Q==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-12-09T21:18:23Z"
+        - recipient: age1sqs7urnzsdy64efmd0zukzv3gs5pnjksuxd7nqmdwdy5l0nqnunq6hyune
-    mac: ENC[AES256_GCM,data:scdduZPcJZgeT9LarRgxVr/obYsGrJAbMoLGJPPPp19qxOJMTdvYfMz8bxPjCikB4MacEgVZmcnKIn5aCzHJAnCI/7F2wm1DDtW9ZI5qbhDJKSSld+m2leOSPfR8VY/0qj6UNgGnwkwx7dfcAlv8cP2Sp3o1M2oyQxeXPr5FWEg=,iv:JEAwkCewMp0ERmYU62kZkbl7+FET1ZeRr6xeEwt6ioM=,tag:jxvli935X3JyZYe7fFbnLg==,type:str]
+          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQcHVjN3MvVUEwazNraXFQ
            anVTbU1EY1JUQ0FyeSt3bWJ6TVcwY1UwZ1cwClRtOTE1QWNXaUdzejh5a3BUdTFv
            M25HcGZBY1IrVkdXV21vWnVMTHY2VXcKLS0tIGVKMFFCRjhJaGJPWjhlNEFna1hB
            SU5zanlva1p2QjVndVJwUnlkdkFuTDAKbQRrSfG9MGsGvF2ywoGhDSuriDsbQ+k2
            29mxere0efSSGGq8y9YrPC8UX5hZRfqg/dfbL+PFc4NHfbxB/oSzQw==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2026-01-26T08:40:13Z"
    mac: ENC[AES256_GCM,data:ppgpARft/YDKP24QF4bLYVhxN4nRrCsf4wBug3UD4MXgQwdFyWPAHn086uONeMbVOvH8IdwlaNBc8h36I7M66cqwK1VsRc/vf9Ud2VnD/WkWijMSrJ80frIvuvREp7aMNlYbD20bjrp4sYohjcJ8KPqyPUFPj71dA+9LZvXJthQ=,iv:lr3R14lRx7RzclknKbOa/bHa6axGbMPqj1FRTjx34xE=,tag:pBHzSArxYs4bqq355T4yog==,type:str]
    pgp:
-        - created_at: "2025-12-01T10:58:17Z"
+        - created_at: "2026-01-16T06:34:44Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----
-            hQIMA0av/duuklWYAQ/+IxSo/UF0bv0ktR4aYDhZF/7y8Xv56jaZbW+bI8os57SY
+            hQIMA0av/duuklWYAQ/7BX4o2qvoL2bJN4zkyjqUBgFi0rS3UXsP2D81nxDmlEYP
-            mk7MbCqMmujf31gDlWwvytn3sEBTs69tre2rJH0JhDnfxrfL4uHJqD2Idtfhejgv
+            iAm7uQ56/QLbxQ4nW+aBy+ijy4+a9w6yOEfy4DBwXQLebWJUFn2BJ88+6rOlAz51
-            6ezh37/aFy0GgkUKUMpVG3sksZjQrKrSvJiHgfIAaiEiNU6grc6EDLPqDrgO0s1V
+            hxHlAOAkN7aFm5a2Y8SQVGnsM/HFx3xJJU5seD5QhJgoPcaDlD/f3zrmmKzvgwX9
-            RBUiv2VMyg6a2MBf6TSrdoHw/HtK/PvOgrQ/C3q3jjUzVLUnScIsewwTq0zdmVf6
+            CHPI4lmQjzwjyG8BJRDlCdXtjXqYT2prs0raLUESwt9p3Hu+zZ5DZfZcnx0s5F2y
-            WPG5/sTjKoIYRdjrEZOIZglU61Q2/d0GTGkI7nkr5xl+iJicRO8O4cYmZ2NivMLt
+            nj7cFncmFci204EUzCoYrJNkjYKZSDhlNGyzZzF+7ve6LYW2snet86gDFWNsJqfj
-            pjsYGQ+Kyuxzmgqjh2aRv5uu7p4g1fYIBZdcqmm14Jc/IznNUAdfpgoRGUxEbnGW
+            /1Xp+pDSZVFs3Sp2iSTKqG0wQaRgmyP/r9IagNwTJxjgCjJall2qmdrj4xi4EJef
-            R6C2eTzvhZGFj0+jssLwcWtGxa2xxPAHL8TbAvroffzx7W9IdyWkmOEaMuyHFAWT
+            40ZGn9BGmk5EBAVhErqwFwZTlEDuGRWSzStRMpyi8YMA8DMd/mNxdXetrg7zw+ro
-            FpsdlSkYmQs1H5YCdRnapFkNbaIPsQy/c4dQhzYakrheMdpXo6efSPmk9RdjKZrd
+            iaj+izF+FDjPAm2dCaO9r1zZiFKZk84Q2tYNVAs+2t3a/GJYGAs0qzqWcyJzYk8q
-            HvJaepwJA7Uf9+eY+LgPVTKY4ObJziJEEIM8QwmBW4h7ZujbntUHXhL1dt2Bc8nZ
+            CHpXUDHVGFXFjgm067nowjtETLyBtegM1bIfoFJEqJUgWT+NU9kON638Dp0HuV/X
-            5foSRmLA0lsd59QSPA3lg30TpJARC8aq4dlYsTFqQgHVTHA2W1m5gYvIgNKlhR/F
+            DkBbwYCRCRSnumslEHlUxw/I1pZijCiJf6m0hbjWEKxUM8N0fKLLxdoYLSY36/8L
-            NGNaAWW0+3V6NeQF5UVp/ug4RbJK+qbrQw/+jeyRaPj3TWaFobOfs+Ad5zcL5QfS
+            kyA9T59+qwNIfpKmpF9jvyIX7/Chers8ebgwwpJrP1UwueKQoxhO2mL99by9+P3S
-            XgG1ix1Re4pnbeGbTE0QsFQ/Ir0mwPGuNzr1CFuVQWvPUYqA4iv8nlxIj2E43gcL
+            XgE5D3lqS+OQqJfRd5VMjy6Skq5N1kRhtP+dujwBnX/MxClrh1HbgVaNKqwiBKBj
-            4ihGEE6dKrrwLJuALNq4p7mqnCMJ7/kjLNTRUSmWY8fHaVmX/QL0uGZwYH1Y5P4=
+            CV9oTxtI8LDC06KOws841HmUuGe9/4H0MNu/dz+VMh62RD0MVher7JYs5fuFHVo=
-            =2j4b
+            =7yLr
            -----END PGP MESSAGE-----
          fp: F7D37890228A907440E1FD4846B9228E814A2AAC
    unencrypted_suffix: _unencrypted
-    version: 3.9.1
+    version: 3.11.0
--- a/secrets/bicep/bicep.yaml
+++ b/secrets/bicep/bicep.yaml
@@ -15,78 +15,87 @@ sops:
        - recipient: age19nk55kcs7s0358jpkn75xnr57dfq6fq3p43nartvsprx0su22v7qcgcjdx
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSWXVrN3MwSkh4RUJHcmRu
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoeFE5T1FHeVczVU1aVmhC
-            V0YrMkhIVGZtLzFsbEZ4dmNSV1FmT1Y2M3prCnhWOSs5VElEOUhuQU1xa2FmRlIw
+            UE9aKzRHVWdDOG4xMXBtV1Y5dW5sVmZzcWtVCjd1ck1CRmZxZHduZmMzRnRodi9n
-            YXQvZFpGYXh1eTMwVkZEempxdHA5eGsKLS0tIHlGQXlHc1ZJaWlPNitrSlQ3R25h
+            ZVRNckIyQzErVmJUaDdDb1A1bkRUNkEKLS0tIEJWL3EzTkFYQ2tNRnliRWJISHVr
-            a28xWWRwbTlaZjIrbUpxUDJzMnp1alkK3awAxPMvmrh42Pwhv4mBUvWH5ev+OK+i
+            aCtGUFhRYkdPdG1uTVdGN3lITzJJc2MKt9TDBg1CV3a6FhlROVZ3ruKVdehQcuSN
-            nKWXHOMyYPudYg062Ex7iAHS5WTw71bsMkUEwmU0Mt5XbopkXCyyZA==
+            hv0vUdbR1uOX89+P1oqNMRMQJI0V4oWi138m+uqA+jozvz+Vn5z/3w==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1ug30gg4y7ftuya0wdv7q0vh4egn00wlv2th7mt7cgc2ze46wmvyq9lq6ge
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZZ3k1VjN4SlVPcHhkNXpw
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDYUNsemZ4TDR3S3EzcnNI
-            MTFncDF6cDdKVmVSQUdDQUQwNW5scjZ6TUdFCnY0UkJjdE5DaUFNZm00VEVmZG92
+            eTduanpyc09XYnBSTk04dEZSME8rYjdvalZFCnd5dDluWStCR0lvRFlkYnpKUVlz
-            U0VINHJqbDd4RGFnOWdxaVhoMjRYN0EKLS0tICtESEFUbHBDamFJelphbTlMNmNQ
+            dzR6cHU4T01TUGdFamRqZlBGb2NBYUEKLS0tIGRCTTdjVnU4ZjY1czZjZnhJdzdw
-            amJIdU5iaWNLQ28wYXJxZ0ptVUxRQVEKZtVEIcBrGHpmg/wGCzDshYZ83pJUf5CY
+            M0swSS9wQVpIQ29XeGRJelk3aHVNcTQKv2Nuia6fkUIu+P2RcP/iHonc6B3y5GJL
-            I4hmsoPRnq7Zh45eCuE7j+RNhGiQWGi8q/+sUnSJQMGjzIHf0QfVkA==
+            eiGHywJ5QnQAVOkaNiMZSNfo6OWL/49GnULWJwvbaS/Hong/ax9GBQ==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1mrnldl334l2nszuta6ywvewng0fswv2dz9l5g4qcwe3nj4yxf92qjskdx6
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0TXZuS2pvOTd0RmdtU1ZE
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlOHJGNWN4ajA0Q2xrWHlX
-            MmIzUUxFV2NKcXJtempJdVpUQVZwWVBlZm5ZCkJZeVZiUjNPdW1XZlJ0YWxDa092
+            UkZYVGRtcXkrTkl0YWRVd2JOa3o3b215cWlBCkRjWlJCWXlmWTdia1pUOTIvdlNI
-            aGs5R3VUYkdBbVQ0V2dzcGV5alZxQ00KLS0tIHJqdGExb05DVFhka3duRTY1dFhz
+            aHowK29KT3d3a2xuTWlwd01JK3VPZ0kKLS0tIGkxUElSUVVXODZtZHFuTGpqZTd1
-            MGFxVlJDcEZjc0Jxc3loV1ZjNkl0TjQKu+gUS5uyfWBNn67WFt1NwjzkwYWG4r04
+            TzIwUHBIRG0vSHRpM05vQUJYQ01HYVEKFrDzolWZAsiOLhls4hdIkjRXAsYYVq9k
-            hFh9hxB8efiMxYiDp2fc9EKvn1FlTBQJE1KWyiD88twzhKDKaDqQJg==
+            aKbS+DAKVP6AnhMC+Xz8zp7N1bvcXI6tKTmrlg+mo7bsc+vOl12AGg==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1hmpdk4h69wxpwqk9tkud39f66hprhehxtzhgw97r6dvr7v0mx5jscsuhkn
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArQTF3bXhXa1AxazZqZWZv
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBZmg1a3d0ZU9idCtMelYw
-            dWFpWGwyUDZkZnczc2NpbnBWeTJGQUVBSFFzCkwyRFVVa0l3dS9GaGN3Mm5TY3dh
+            YnZlaFZSc0pCWG4yYVMrZXNkN3RVOXhJTFFVClBXa0NqZjB6TDFCWGRRaG9JWHZx
-            Z0VkRU1uZGVscnlLNXArZVMyVFhxTWMKLS0tIHV2ZExtVnFONTlQRVNMTFRzQnFu
+            SVZ0SXExU3hBb08xNVQvU3FRRkRXSFkKLS0tIFlmUXJSc25jZVVhaFFNejY5d1Ux
-            ZmtGTVJqKzlGWDBaUWs1Qk1PSnc2WE0KrIJy3b1TdI7ur02ZzOfWJGWl6WuSUFV4
+            TWVyQVRjWFBpOGc2Z0xCRlBBclVmQlEKwdADPZ/JtBznYW5ngAehdFD7dJKjy826
-            h9Bb3uSpVZLWb0MRKTK5RIeedQZ0NuVOqAP3hCglzzNkZ10/r7ly2Q==
+            G9JaApg1xGj3OQzB88rlyQwE+WSV9yCdJ1BzIK8HVSaBOsitRoJDKQ==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1wrssr4z4g6vl3fd3qme5cewchmmhm0j2xe6wf2meu4r6ycn37anse98mfs
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5L0hVVnE0bVp4d3MwQXo3
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFZ05hM2N0QUNHWmpHMHdq
-            bnl5aWMxajZRNHFHQzhXVDZtK2k3TjJGRlFZCnRORzNTVEJOeTZ6OGZFNDNlQzZG
+            cHJLTWdaMkIxSlRsZ205VjJYU0IwNmtEb0h3CmhBN3hmQ0pscFVQMmNwemY2UnhT
-            MmFHRFpQMW0vSVl1c29yTFoySFEyNEkKLS0tIHVPUlhIdHlxWHV3a1Nra0lEN21Z
+            OFlRL1VPa01NaDh4Q2xxdUYzU1E1QzgKLS0tIDB4ZjEwRmtSb1hXWFpSdHA1ZzZL
-            cWxLUTBIeEZ0Sy9Ta2Jsajh5eVd4bTQKvmpiIPGbgPjqssx4sc/bqaCLeGIPcRfF
+            YStGSVJYUGE2cDhiYkJhY3dMQ1F0dEEKLexDk8xrQ/7SGGUjGIjt+PiL98LeIm6z
-            BVWm8tEpDmpjvFPgRKhgIKFAQZXumd/9ykWAJE02OWeOOD/LjfSSMA==
+            Bs+2xr/egd8X8ISwPTjgTutDqTM4Oc6HaDJ/mG8H3ewic4ey7TmuPQ==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1zhxul786an743u0fascv4wtc5xduu7qfy803lfs539yzhgmlq5ds2lznt5
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUczg1MEI0VFhFNUxYcCtj
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmNkxBQjBDSEt2MllQbzJL
-            UXZZaUhPNEZ3cDkvc2lZMm9ZYnZGTit4U3lnCmR0cC94dDVQcjJYWTh0Zkhkclps
+            VzJrUFhHRzduTDZLUGlTZlBFVUozc1VlY1g4CjM5VzIrbTdZMlJzcTh3MWlGNWNK
-            WkVrZmdCSE0wdzYwNXMra0hLYWEzU1UKLS0tIHY5MG1LZkFpeisxeDNXQkFrdm9J
+            amVnbnJwbzFxalNSYUJQRjZ0dFllL28KLS0tIFV2SmV3TkNxSEhDTTAweStMUVIy
-            dndlQmsyTFBOQlIrcnJlOVdWS214aTAK4RSsxV89Ccb5K8JP20J+R621LWdtuQJ6
+            UHVhenNpRGxweWpIQXl6N1B2NEtuYXcKgE62N2ThlFFp+b0T2Rix+H+rmBwrfQDx
-            vwWhWkbtBU1Ck3NeEa4UanRqFJxl0bkpdFzHWoQnCm9TmzRf+Oikfw==
+            5jXxPFWOdeEowXMM6kUi4xzeUH7/CGXlg+5uNF9jWMpJ09eAKPoO/g==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1sqs7urnzsdy64efmd0zukzv3gs5pnjksuxd7nqmdwdy5l0nqnunq6hyune
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIa3dxbkQwWktRcFI2ZW80
            S0N5MXZWaWxBTmkwV1o2bzVvZlQ2MldiY0d3CmFyRWk1clJCeEptNkcwVkdwUURR
            MGVzcldGbUpxWDN6K2RGT3ErajBZRU0KLS0tIFZadXVXbDNsT2Q5eGtJaEtOaTlX
            U3IrZTB3YUJiREZDQkgzUFMvb3VxU1kKJhYYVcCT8hNJkEK1nD3GBekVGDOI3Nin
            iBat3LwB4Ijzx1jA+jKJ1Ilf4MgdoL2ox6l/uWft27vvsRaQ501VvA==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2025-08-25T12:27:53Z"
    mac: ENC[AES256_GCM,data:GoJ2en7e+D4wjyPJqq7i1s8JPdgFO3wcxrtXOgSKTxi6HTibuIcP4KQcKrCMRAZmXOEL1vpnWFA2uk7S00Av7/QOnzP0Zrk3aPBM6lbB+p9XSabN0sOe1UpZDtAM3bzvS9JZzyztT5nHKvO/eV2rP71y/tYbsT6yvj7Y9zxpvKg=,iv:tQiCr7zpo7g5jZpt2VD9jtFKo32XUWs94Jay+T4XWys=,tag:npBqmlbUUfN+ztttajva3w==,type:str]
    pgp:
-        - created_at: "2025-12-02T00:51:13Z"
+        - created_at: "2026-01-16T06:34:45Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----
-            hQIMA0av/duuklWYAQ//eMoBqyI6G8T7c+LwLWl0KxVl4bPv8B1w6l2h+DbwYbki
+            hQIMA0av/duuklWYAQ//Wr/FkredBdFTg1pft56pSfVNVScGeETZXT/EVr0esNb1
-            s/u0EToWGFKNTcoio1Xwwhb8pVnUprLONKe1LHgDSsWhvZXBaq3OHxWJuGQ+T0lS
+            8bO2SUxWSSKAFaHy5YJ/C7B9Ok267dmecvDiCpBN/UwAVKnbXIwMwQVEpdwFI7Zp
-            1nEOZt1aRp9ff4RA4BLS2LIB5+2lkVvQ2jWhgzzrEgC4FXI+d5XMhgXtPlO8Dgv7
+            g41BaxZ87ogphyXmmPmTtekbV6hJZE1FJ2D1rDlEuIHECGhn+lViuF2T+WmCE5iN
-            Dwp+zTkYyCRny3FzL/AhHCYkqxHuuH19u4j9taN5VidKp9a1EKvjYZW4+xPM0gek
+            UvcU194RjL5cWy4Rgap7bo9UaowDXRHYTuvc0lEBkoCaNbb252KhC+C/4OXIjV3z
-            9AR89EIzVeLGMSVUFToAfmZ2jFOfMj42pmbQg29Dr3iUVvOZ1sP+w6Jt/1j4FoNe
+            BoOxF3jF7xLgeK/7swMfwVpQjwD/aM1IKkCLFdf7GbUfUjdKdEiPCpRCMSmSUtXk
-            iylriaZtSMLb6kjqN6xf0TnA6exa7hHuAlK3WbPv6JAYrGxs7+l9lGLJkgdXqkzt
+            JDAJz7lzej6r/fCHSsmntSf2RoaHDk3kKMNSvqR9UkCiF/LHBhIeDz2rJiOx+suR
-            oxyJTilv1+YJuXy4O2oW6hV8yymOfAKGHt/dkEnPX6UtddH+RDCo+HdWmXWy1Feo
+            gPQLehedeF66+A6m7WwQarklPqMhPRw/IiVxXgsDR8Ws7Dr5wPmNkuQ+LvO4rPEG
-            skEfvwsbzKPCHInPGbo9Yq5NIgJgaisJlHVf5XHxuVVWdEgmpPZ1XxRvmk5B/9lu
+            iC8pOTs2+Eb0ulxtjY9o3DNkCbXGzorSLZ6MBkhQhNUmCuubVQ0gpw6RR7uflgGL
-            gvr+kG4nN2ZxjBC8sZmHQrvuF93x3mXmHIyu/W2LV5era7Q7tUjaikBMba3a3Rpo
+            AYvv8GYpoY+uWWAbsnVdeK8XuGccjP5toK25PiOKzIdRXczngGMLdhNpQmS2cfh/
-            OQw0auB1OBSmZOFWMa4ppWU3H5V1hOBoD6tygpJvRvuKxJIVGMg1XWBuLJuAhLF8
+            A69QRFprjTt1/sAqzbe9V68PZ1Opa3EH/fvWgXbUTJbxhAMJoZy03KGnQC8kNw0O
-            Sdz9AtHR7zeHtNG+4/da/5iYFLi8e0j0H16TlKlW+BuN9kXfmuw1UC1cl+gRLPrS
+            RFMSmX2fnK4ppmahnO5rn+5InF1TGSd34O9yPacSB9glb3hvClmNOsC9b/Ow/FnS
-            XAEXT6KxURapNNTZTbM66rJNdP60J4u8LhvBD4RLQNGXYQe8Q6RrOdrVRCYO1cjx
+            XgGY8d7IGU6zlCwJyIEKsekexJ+UiooT1AoyORHvzHw1J9jlrybSZTK+IzSGlpzf
-            71Sydx+N+XLbNHfgi1AnaVXmWmZ5PRsAxt4xXPWZb0lV8heh8T1FBKeQM35p
+            bfiUk6yOyYNU82LhJBc+gdl6QVeO7VoQrN8iJq752A9yrk5eZsBWOeZybezJQos=
-            =Ur6q
+            =WTmp
            -----END PGP MESSAGE-----
          fp: F7D37890228A907440E1FD4846B9228E814A2AAC
    unencrypted_suffix: _unencrypted
--- a/secrets/bicep/matrix.yaml
+++ b/secrets/bicep/matrix.yaml
@@ -1,6 +1,6 @@
 synapse:
-    turnconfig: ENC[AES256_GCM,data:mASRjYa4C9WRow4x0XYRrlCE5LMJUYaId+o62r1qhsyJPa2LzrI=,iv:5vYdubvMDjLS6soiWx2DzkEAATb9NFbSS/Jhuuz1yI8=,tag:wOW07CQMDbOiZNervee/pg==,type:str]
+    user_registration:
-    user_registration: ENC[AES256_GCM,data:ZDZfEEvyw8pg0WzhrdC8747ed+ZR2ZA8/WypJd/iDkmIy2RmxOeI0sE=,iv:l61mOlvzpCql4fC/eubBSU6px21et2WcpxQ6rFl14iw=,tag:sVDEAa3xipKIi/6isCjWew==,type:str]
+        registration_shared_secret: ENC[AES256_GCM,data:Ch0JzTJ7OqZQxr+L,iv:6hSTsBwieRg6oy0feBaqJQaY/AvIUyIlcclzlK0GmVE=,tag:Z55kxXppzmU+YP5JkU0jLw==,type:str]
    signing_key: ENC[AES256_GCM,data:6UpfiRlX9pRM7zhdm7Mc8y8EItLzugWkHSgE0tGpEmudCTa1wc60oNbYfhKDWU81DT/U148pZOoX1A==,iv:UlqCPicPm5eNBz1xBMI3A3Rn4t/GtldNIDdMH5MMnLw=,tag:HHaw6iMjEAv5b9mjHSVpwA==,type:str]
 coturn:
    static-auth-secret: ENC[AES256_GCM,data:y5cG/LyrorkDH+8YrgcV7DY=,iv:ca90q2J3+NOy51mUBy4TMKfYMgWL4hxWDdsKIuxRBgU=,tag:hpFCns1lpi07paHyGB7tGQ==,type:str]
@@ -17,84 +17,98 @@ ooye:
 hookshot:
    as_token: ENC[AES256_GCM,data:L4vEw5r4RhcgritOeDTLHN5E/dM=,iv:pC8BLzxf6NaVAGsotoq6chOceBVdMLvrsQn1LGw9H9w=,tag:SI3CDFHAvgQZEvf/oms3EA==,type:str]
    hs_token: ENC[AES256_GCM,data:2ufSJfYzzAB5IO+edwKSra5d/+M=,iv:cmTycGzNL+IeRRKZGbkhTtiksYTtbxED0k0B5haFw7k=,tag:FmWe5sGi9rlapUeAE6lKvg==,type:str]
    passkey: ENC[AES256_GCM,data:sR3ZdvNe+321WalGA57Nsb7eIRnOgAWX4P4aahynS5kD8nZ40axO3H29pciTn3rgBLsKPYAbJ24Ch40SL5emlz9UL1nH//khCEAXUXR5+RA83TvRrog1BdiCTX3wYY6SvM8BRwAEcWbAavfRHyNM0stSRjamdam70OvEEHlOUafs4lfQghYXVN+YV6bT+gan9eMRwhTsuWB/V01SAUot5pgFtprpvFs/l90E9sZFxxejlLniy/4nHjO9rcXAeCz/8cw5P56AqCzqyliYxKM3qbhwp+Pz/RVH+7PKQwABP80tw4HLvBz2nwYzPHJrSejIH/lxE1sJH8ttUQ8mHIFpv0GGB0oENyfYCekoSXWL+wuFEE+xjyak1KUDfohaJ9QMZa+A4jHiGoWHAwfU083uNFNdE1NxPpa55xQ/Q5fGE58qmZVbHUoL1EFOi0Nc15vp9kRojjQoEENvEQKwZHlauhm+940s6IwBE/bHk5WBjWM6BM/7Y8dj23uo1Vj0gy5IK0xYk62+IXNINPeDnS5sZJJweOKvS9JDYNw/9oC5ptmsqkGWryWm22Mwq9AIWm1Zt+0nIZRrOM+JHWJCtCqXhD5+UL1fl6wt7IgvOqgOtsFUM39n2hS4UWyVohToLy2u8VFKDIx1yb530y+Q2HfT6oKPYtcm5+b/dgDaqph1JSuqxWoiXMdx/DvGLhM6nIfPnAi5EImXDQIxkh4tJ6P+z+4vOPiX5fKflXk2eioVL77BQ4jXLunu4zBu/bOCePHigAD/+E9IgHnVSMxpTgDQ3w7WI7FCY9wjbXqbsL3QB1BOizIFNqHDcX2COeJV7X8Aia0HBpZgQpFX5XtMJAKnO2BR2EA94xSk9/rAPgZpJkZXTHl5MpPz9+WLv4uFy0daIJ/y7jkxLXK2UNw9VVfkq/I6cteQMwHPe0V9XZc1DIXOjJ23r9qNtx11Dx7Zumh3EQvp/8D/i0G6lhW1y3xP0Uu1iuxfnvhacBTwiRTSrKhT0HKlFG9cG2SaZH5D8zLyhrQhp8V5AdAdikmQUfDigDTzd45YpWRaNEGM1wcAI5cWBdPHY6Hv3NHQoX3yx6jm3Qo1QqIVlhqHqEeM6++H1Sfd3xg8zMSSGXlQT6EYE0+raOvKrmbnGCW3GnguHEjU1vCE/w7u8LCct7IBCSL7XQpLg39SmSx/MdL5OWXaUCxbVMM38q/4PXNzRVNaHRZFXm35+q1gZ/fx9a3vY/YS9+qEhcsvNQaNyuVcbigz9fqEWoAnFh2rCIMT3XMc+N0V0+TSIF4nU/Im82wu1+ujcrJ6OpGubcf208y8giwOgdKAARTKtybInUx31+JkzMw9A4q+CxRLHcrYYhIHz0MyhAVY3JKQp6DvoRwT58/MEENv6hSvsf0PhrgIkPTYeNeasJwFt8tKPmEkFYINhigC3XPmid+hMJfp/w8MnFLAIX9Cp+7adQPPW5RZqHuuf0rV+vdVqU3nFmnet8KZd3SrZiWAXcKViyHYAWb3c60TMO2C37goHkTMd6olZ09ZEfrTpdX+MEHswW65p4rJgNZIbVquD73DpZuE30HsrUBsPeWpQy2JGNUPq8tCvcREVgmnIt7yJn8sC8D+RwgXCXHf6qDMjANi7nvD6uWTik4P68e9lVztO4QudwdZdPieflfFADH4sFPhXwCpGOkR37RSrqe6t3CR3ZI0aXqHdZ1l1JcJv+5WEXmJZfNUOPBGpvatmc7ygJYDxuQoJ5FDFsyZffrAYOcEXC6gDaq6NTGgo4JZAYQsHg8JaFWQPEToagiSQhhErMeA5nTUvNjJ4/0HHIvsjsGabAv3GiT2lcVnowt8qwEyLnQStNiAxv0bURhW82BLCHq5cHx7mtUNqDQjrc48iQZiZd20orTq7PmxwWBa6T9EwuEOQiX69inIbSU7kGbRmVUS+RPKfFoCXXOSlBjzoLM448Ymbf0FsEgATb0I5sJ6R2k9mlh3WgRur/u8ODtXJO9TLjVvAm1WmHWXn8ZSvKRS+/VSGg3RzKGyVqh2gJmpDJmF4BwzqslhaCdvdkwBW+7oZN///1h41NX6Fo68l+P/Rl/ZFvCF2VD18E1EjmnOs8sxmMjsDct3HNd7xB1PJLKtNTCLEF0vLDOM5qGaWfBVZtwHiz7fhbPxeE4ND8ygHhUUVzDsC3uHeVHwBMghSY92wnNq6SJP5HMC5knoEFxGnr5te8GcMT6iD6KMKjzqPnp7raGSFo96d5qDiug8krD3vEpbE+3L0XRye5m+2N/wVL7u888JZ0Yj9uWZoAmg41G9y5NU1g8Sns9gY1jalZFaY1+S2nCAfgZRNzx0gLa4CY7SClib1+qDCKIVLJyCqlbKRkIbNXV/B+/L6MAUwTRn8NLhm1+U1QgqD3X+cTJoys/1laSEBXcupT0CrCkR2wguGh1tfkyZ0yLJcbyIfRHzmEooMHWgL5N+mNYCwxLyIfDmBSacZI7AUBfGD+RT24W0vl976zd/sBzIZtQGFPKDtb5bzNE5FNfSfser+afqBG+S+gr1GUn2ZQMGN2095uqnYiwCUtxmczGlOLixbQMnYPbxClB7i4NFvZj2GbnX+yRgv8OFWTnp0C1aPsQHgZzWKAe0cDaRJpAOTTbaGaSJiwIIu689xqYGKej3oQLaAHqlRyRhJngUOj4panxNb/ZFbP6lfUF0fehNJFJaR3WKSiRAjv6ommtSFDQ26TrhYE9d+yG1KApzkhlPTLNA4fVRQxfZi41hbfHDg4kwZMpc86BSCq85qnzW+nMJiWTLxTKYSzjpiWSnMzBvBYf0vntz5+ltwJwyVMX/TdAoYGyHOCINLSxhKoajORJ0g6zEyBRdG+kg0qZCFi894fR4eAz5/fvbrhOhhnCOaVCJlvLo2jXiizQlsqbvLr8bTbyMF5yJPEPV8H/B8uhzzjCIxvbbc3Ac3rPX47FBdEc5869c7JgL/2HD9GZzJXfRBzyhSTFMMh7J+K7LgEIGsItTsJM9wa4BC9ZicZRifuGxBKATOIVeTpJJHA80yhmL6lsazUrrAlyA93mR4CsuInmum6QMyjkmcXBnEtybSeuUjX7aFmzSz9Il7C9iR/4QRWyzgSIh7sbqEl/v4mQtJMlydbZdd0aT65AShTHUIkNZxOg/IuEW26v8pyZi5msfPBjwmknQkXPTf1fCcgVuY6OoQBPzYR1BFTjpY5lTfAMYH9sDW+xxRTFftsNNRzIctX0IEv5haWxLDhuN7eagltf2v3GubrbsYTeVwuCFJnabgzXan4vvpPVIPhrhE2k6G0FfDhIpQL9oweNBG2hefoXoOr+piHYcc1hJSHnSUp9qRxQxXzjvaFulfRO+2GoMAg6E6pz1Fz8e8mHRubREH6NOLvz070D0u1o7Tb6LE2cmw2XdRaVqO+Jo3u7pZUUVYllF31Uxb8ngHarWQ3dOBneZQHsW3AFpRofz9BcHII6dd4BhAM+sl7+cBEFuNn9nkDBR8PLx7O0G+b99qSAnOdvY6wWTwMbWC2JLcv6QTwqe/bAdEg3hNi2GOoqwvs0e6BO/7GS88egcwqZEe2Tpvtzb+NCia/A3oc/VNWTucmQcv9K10QaloZjHMXAMsDESr3LJ0enaoqc90bbHWEuoyRJoDDuW2NXHpCILLAxCUDZnArlE78J2B15Yc2sBkgHyYrILaZo1dBVR23R+QX4bZXt69EZC74IdcELt4qw4ANK+xKtSRJ5vnVml58/71IukUp5GOwEzImEC4YG5G7O7hpMWZmM48RvOuhmqk3LvCggjHPploLqw3PY46twgbKTBai4PbYZ2NaFAHkgc4jqoKSgzQD0jqUkNxFZNSXmvC6QGksns/GaI/qZJVSWAxr95P3oEyZrsfY+KFvhpGJWAa/TIyJslTsKjSv+VFg9jm93yT6P+Jfp1sR+tnyTgrDUF3SIi1/HbM4DlgbyHon25B+4fabgbGajl0Ua/zNyFmWcGN4yRQfXgK47vhQFyfAaOliIKbvsCEnfLniDhPg9FlnxBHSVPHNxeEufocboCUJzm0pU2r2iRRN6fKiiIZubjxeXDjRHTsJAffstPp6pSDxgtZzivquUkj1669QmZaHhV6VyAhGOz/A3VWWB0FGdToeuS5FciNyYVmfJ8moHP1skV/jR4Ke3R/gHato0Un0nUr39ftB81uVomTYlVYuXAUUfJnAU/i8PbdjWCXSlAIeqCUeEf9oLq4n/xtUvJGBzxPgRJPaWxnckS2umi+6CRCs9f1EzwORgOosnQDJxALsGV3Nl4dR1o8ygAHkiBiqKyaEk0ulVM6XrfGFcQMkRgK2PVIZHNCEY72jU42/LlzWumXH2uoivR0toT7kk919VJYa5+2ac=,iv:BqwTfYEtqtFazQGfhL6rxfIUrZ2cin+jy070FDaGIuc=,tag:MMUGNmH6m4aNR4U8KAac6w==,type:str]
 livekit:
    keyfile:
        #ENC[AES256_GCM,data:M+SfmEuhPL8sqxOl3uL8mE6Z6pC6naQNxFRskMPbVpLVWYM1Be+QOoLEiTMtWqH2PAf2NZXLcNY63Q99bYINz+BTt/ekllye,iv:DSZJxoZUlUZxPpzfpXyZ4ECeJjq6/WW8I2fvTXIjmfU=,tag:HwHhdQA8yuSKYxM5LcZV/w==,type:comment]
        lk-jwt-service: ENC[AES256_GCM,data:6OjQCG2lztUGBojhfxzv7YdflNemhMToibOPTmnZD6q5T/EVRTV36Meg68E=,iv:UahvMi5ssAKuIsr5RlCdAm7XK/B2dLZLi6hcGAJ42DE=,tag:BEV3Clg6Sr9f9tPeJTiIOQ==,type:str]
 sops:
    age:
        - recipient: age19nk55kcs7s0358jpkn75xnr57dfq6fq3p43nartvsprx0su22v7qcgcjdx
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPL2Z6RVEyWnBPSXZXZFNn
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlVGNjVTQyWHloRkxWWjJy
-            dTlKd2xPREVLVjIrcnB4MTRHNU9LQklodGo4CjNuZmwrV2hCSlBXbWMzQk56WStE
+            ODJ1cEg0aCt3YjkwY2pKa2d4a2N1VUwzcXhVCkpKbkFsZ3lNY2tkdXhuRXRLeTdU
-            MW9uVk1ZOWtZb0dFQjZFS1VUZ2ZOd2cKLS0tIFkvU0s4L0h4TS9zemVLc1JyTVhB
+            b3U1OThkT1BubUVnbHBOaDY3ZDB5enMKLS0tIGZYUU9QeHFRT1BwRVpDdDZRUXVn
-            WEU3d1ZsMVdyYXNFNVpyallMSk1QaG8KYtDGiTY2Cf5YmmAKgr2s0FNeZDRpUCUD
+            M2lmWTRiMG5oaUs4NFZCb1NXUVdUZ0kKq28skWDPKQ8U4H+vRu7N3I8vURHj5eMX
-            vJEm+1XFJI4fkOytpOZt0ZywTDZZd6JkXD1V713Kvr+sDCvuT6HW2A==
+            XKYf6wQ8kyrpT2+nZhWeVP26kpDvHcsMSqQR1ldHOGQAq7fAz8Qwyg==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1ug30gg4y7ftuya0wdv7q0vh4egn00wlv2th7mt7cgc2ze46wmvyq9lq6ge
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoeTFLdGNER2lRZWlWT3RS
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5ZSt0QnRMb0lvYlBYTnVq
-            RXQ5UmMyNm4wRklwRTUyK2RsVlRxMUU3RGdJCmtLa0VTNmFoSWRsc3Nhc0ZhQklJ
+            RHNha08xWS9KNURKTTRpQkZUYVJTeXMwc2xNCkplb0JDU2hyakFCN1JjdWd3elZ5
-            MVV6M3pvQzdtVTR5Lyt4VmpjMkFhcGcKLS0tIDZzcnpDclZLM21MYjFlbkRKUi9P
+            QUtzSksrVjhZajJ2Rm5HbkF4aGo3TnMKLS0tIFR3ZFpGZVRNY0MxTEIwbm4wL2oy
-            L1NFL3RQSlh5c0hjVXJ4RWZObUExaWsKyU9dDDimP60N7aF8wda4g+Uqw1Hcx13R
+            VFdEczZXV2ZlbElQSjR2MER1YzhMV0EKHT3aX1BnddpVNuzzCKf7f4lqe4hTYPYt
-            9kuemMqS1cj9HPRuEhCOINAHIqtnYGmHaow6UlEc/nuKrsV6Ibbvmw==
+            +udTQ6pc0XqXEiJmEJN/XrhkS1BOtMBbP4rIse4x663KHREEG1K1OQ==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1mrnldl334l2nszuta6ywvewng0fswv2dz9l5g4qcwe3nj4yxf92qjskdx6
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpdFphcGt3V2I1UGdVcFJW
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoZEluNjRwRjNHaEZzNHR5
-            RUt2cXNIaUlJbjE3bVRLcFlRalhZODM4ajNrCjdjSC92a0cweG0yWFVBR3BBOUsz
+            ZW5RVll2K0NwUWtOTERwL05HZXJuMUxhUDNZCld6Yjh3Y1N6NHRzSG50Wmh1cUxv
-            OVloN1craG1PdGVnTFdXSllOVkpRb2sKLS0tIDI0UE1QMFpwUG9Xemp2TjJRWTRS
+            MW1OWXB6aWR6cHdHUU0rNGZML3pocVkKLS0tIHA5a0JmdFQ3cUdQYXBKTWxpdUty
-            UUFYczFnSExjZEJkQzhYc0M3ZFJOOVEKxqyXt/2CmKiuIBKdA24atjD8Ns84mV3C
+            dFJhWnBsSzVyVkdMSHhEcWNvUmp1WG8KRB4/5AeDmkJ9I/ZMvqs9Rnrtl0FmOpYP
-            6i2H1P7+XCDTjT+MyaRV7TlOyGPv/AqcXnAgKxk0CNX5O3qoAXmjqg==
+            hwV87Zznh0jA7vxqB21wH4spqu47VrFo9A7OhTp8e/ogtSJjyJkQHA==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1hmpdk4h69wxpwqk9tkud39f66hprhehxtzhgw97r6dvr7v0mx5jscsuhkn
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXVTVyMy9mOGtnK01hRG02
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBocEU3amQvazVLRjFzOE1X
-            TG56MSt6Mzk5Qm9jNE1uTVQ4bUh6M1ZJS3hJCkxlZ004TXJwZUxIYTQrRy9KaGdQ
+            dHpkQXlIWFptTFNTZmJtak84ODVZZThKSDNzClJrYzBrU01TK3ZNM2prQk5mU01H
-            U0VHdHptVmIzazBMMmVjMmt1WXhlOFUKLS0tIGJpNHZxbEhFWENhdDNBS3JZbVBO
+            T1Zyd2N3YVcwQkpsMWJIK3hKaUVQWm8KLS0tIFU2QnZVaHRaZjR3RVlveEVmTjdu
-            WFdFdjNPNXRRdUFBZERjRVhLbWhYa1kKDULOz7tab3nP/o3W+2lYQVZy+5R1r5dg
+            SVlaajJ0SThZdUpQUTZBZks4RDcxNnMK33zYR5DuSOe1gJQmaW61Z/CNRvSV5LzC
-            V82DVkqygJwhjMD+UHV9KnkHSnaSfwQxF1pVKq1ZZN1l+mgNcISbjA==
+            +UeqdUsYxOPUzFHRLwUd1YD/uPO+wfQph/WVDh8ELqsG4i0o/l3ycQ==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1wrssr4z4g6vl3fd3qme5cewchmmhm0j2xe6wf2meu4r6ycn37anse98mfs
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjaFl6VUtDN0JFeDB5ODUx
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArYTRCeXJpVi81WE4xWGli
-            Q3dEeUFlWWtCV3p3TWUyWHFMc0pTamo2Q1RNCllyR211ZmdTaTdRNzBDVXhqc2xi
+            TDQ5M0g0MDRYb2ovbzFjbkloeG5LWmdBTUI0CmZSV1FleDhtb3Q3WGhwcEN2OEhN
-            Rk1Tc2thTGZLNW1hejJzdUpOOTBDUDAKLS0tIEFhb3BPQTcrMXhlenZpeExCNHNH
+            YW1rVEJNVGtWeTNmWnpsQ0J4b1k2b0EKLS0tIHBkVU15a09DdHBQa0x5L3p2THd1
-            OU9sN3hoTHIxWXUxRGFQekJDaVB2S1UK20kKBwClp4zSlgMShCC5l9EmhbTZ4jwT
+            VFBQUFZXZ1pKVVoycHVuNnVxem9Gd3cKW6ZqzSjbVZDZcv/cWN31AF+5HlyvbThj
-            m82tXz1tCuYqJeyklyHW5vol4jE5To2AL3im7WyepD9C5pgA1xNiZA==
+            W/qDquapYsf6dybP9F3GJ3pyDdSJbkVvInBL1aZWz/mzvny4SPSJLA==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1zhxul786an743u0fascv4wtc5xduu7qfy803lfs539yzhgmlq5ds2lznt5
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRQjFGZVdKTGRXdHBtMjY4
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhN2V0ajNZTWhlb2RlTllF
-            Yi83alRTNnpZTnl1c1R2ajJYRXYrRnZUYUY0CkE5THJVSXYwT0lHTGZvMGFCcnY2
+            KzdCd29lenR3dEJTclhvTnJDTkFNbVA5QUNFCjd3VFFtOUZxeFR2TmNLTGlZQ3k0
-            YTJhS3ZyY1ZqNTZmL0ZnZHRUNmhmWmcKLS0tIC9nc0xIMmIzSGl3aG9kaEM1Kzlo
+            SStaKzJHRHdYVEVqTDNnQyttVWFPZm8KLS0tIHNQMHk5QXJQQUZyUmZyUzE1czZk
-            aENqOUhnSjZpNi93SDBaRy96MWhjblUKqvy6v1CdL1pqOt3N1gEPCT01ypwd/SG5
+            ZmNETDhaT01VL0pQTDhXQnRxUUpWdVUKLxDyNyTKs5hl9CkPGQLOe4JVz1EZN6sR
-            dVaVKV2nEWoAS0/+mho0KmdHQNJi1Qejhk5RSkoaZRd/jSC8sR8hdA==
+            drKTDoEOPdMT+ki0DwfLUcmEOJGg2ZOtmlee6s5jalBIrPZ8MXEndg==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-06-21T21:23:24Z"
+        - recipient: age1sqs7urnzsdy64efmd0zukzv3gs5pnjksuxd7nqmdwdy5l0nqnunq6hyune
-    mac: ENC[AES256_GCM,data:bEJoCzxph/MOnTOJKdrRiQmbVWmAgsKy8vbD5YBeWagWUCJPDAZNDFLzEzmPvt0jDBol04JosrSIKZS1JzJIIm0zRkcOWSqERQCgjgtGdAYmfp0V6ddseDUVfKlZYJDkt6Bdkqg+9LzrP8dDVm2tMDXpo8vzs02o9dTYFm7imVQ=,iv:buP/297JMfvEm9+IdMWRGV7AgZwF0+G6Z2YIeYw/z1o=,tag:+zG612MJA4Ui8CZBgxM+AQ==,type:str]
+          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqSUNaM0gzTzJ2d2VQUWd3
            RlVCdkNUblBKcnV3VEx3dmFXeTI0VEJHMUY4CmpoWHVsdHJzZlJXcjRNWCtVa29E
            dkNLcnExUUJLQ1NiYWVhSkhMMXFnczAKLS0tIFlhd3c4clBYNDNDKzNuZkhRNmhW
            Qnh1djQ0ZDFhRmxsU2g0eHJZeFlkcU0Kj5H/dHrOwSgiZIzpv3nOc7AWeNMofJg7
            OzSVdRry72qPqYU8YLWjAcoP3ddITZnWr53/yYBVmssW/KeyVyPy9A==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2026-01-26T12:49:23Z"
    mac: ENC[AES256_GCM,data:+rkFq7pYZrGTtLIjjwa5DQC6WFpeV3JS80w6xADcn+kNnjg94p70GVZ3zP6p+f4PZ/Rupjg1cmm3w0g/ranx+FEmmX43N+zSY97NYOC2oxOhlNDDyrnRDElaiCOq41Jd13FxnjX3Jg9gxkD3szGS9hG+gv3wSf9NabOhFFL79GQ=,iv:+9UDVsvfr581CSNdtLRTfrjQ7rsLgMLmyK4cof0NZUU=,tag:9/xq9ThqrDzg+Snh3vSkVw==,type:str]
    pgp:
-        - created_at: "2025-12-02T00:51:22Z"
+        - created_at: "2026-01-16T06:34:46Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----
-            hQIMA0av/duuklWYAQ//ScZ/w12TKrcPdjlPMgE25vVMG3oH5ozWfVdnzSpDJF/O
+            hQIMA0av/duuklWYAQ/+L4rjUWtF3NuYc9UlnyPpwSQvsLbw7gsPuLHYd4cq2VGd
-            ELT0FRqoDOQfW+XCi6os3ovWQUqDSxuflLdLUkWJFC801LV9gn63loCZlwvMga5C
+            p8s0Vreq6smVJlFV64PySIJjFuFhc1IuDDYtgym2Lf4PTOSv3brbO3ypMb+J2yKC
-            TWcw1ZwGw+El4I8GklzHc5t+vcWvfICjBj9c0s6b+NlmPhRDt9k9cCtvX2QTHbTm
+            pH7xwOQBn+YzKfLu4sX26S2IGSKeytXdHv6hlkt9Ca1i5RKS0ymYfn94vf6e56ZX
-            9tO9371o3CuEwzPCBou1WvAvhQHH61j6KmWo+gfaGv2MjF+spB2CDhKGlQZAfaPy
+            SLVjq2GprTTt4oNymxkZ5JvDNXyG8XjW3MjowfQcNHUqAhmYN8ngv7HMdiIb7GGN
-            Q5SspigrBwv6JhqqqrBMT364OI/mNUfm+y8yX+EdQ/4ZIDmA9JCLmDmA1GMaXBqS
+            JL9u999H4MCi932Nyc1+/OP4nPdUkiqFxDfo4Zgmj/F+LketzV6QCiV7Es9Vmz1I
-            XjANHb0rGStNuQKhluUmqYEguzicDWpHDaoFXiJ4C3x9NF2u56cb8IauJ5rBqdC1
+            OX/NXzYKYnEl2FLvPZLEtge2qTFs6/Ur+VBPz5tOP9J0Xejmz62+HgtwaJI7Q4mP
-            xyeCc1Ja8dUIHQkTwEvIOXfyxtDrVT2B8gM1AYHHTxNjRgJTXIVBUo826ccN4Uyb
+            O+5FCOh/Jxf0QWq+OPQf+Rxj/dxuMHUfXF9IELmBwpGDslKcyxTOCR0kw3aZO+1F
-            GdprWu7Dy0RjC8v2IyVvQiDGzekE4l5ddSgz1N9HIAfbo+j/6vCMTycdsp2FRJ9O
+            Zs3QOoUpz46fTXs94h+7dLoboppug0P4jAwKLbdqmyEDTqiWOfR/ZIbp7RCLFq0F
-            1CHzgcQfBRnIgOkgSfxh+b7eKKkL11x4SbT36f9zWL+wSSCtO6p66BxK5kJgQO0X
+            wNPWnB03RTgSKRIXyBhNqP62ZOohHhFSA0oo+IDPzqFWOLTnD8FBJ3SPDFjpHwNJ
-            ACWE1gqKdJJlgw3QcBZwCxFT/cIGjfqRE9Rwyi26NvHyd4EnH/BU6xcKtZ3cZkIl
+            3bjzqZRPU15dk286S3hMkp47H2iIBW3hlhl9g03UTdlt+MRiUHIXyt053TK2cbuo
-            D599+UTygoyWz7l2s6h0O2t5KFNP0DarcRHlv6BPJ4KuNwq0+nGa1E54kDHeqfzS
+            Jy7YiQr+dq09NoBBVxEo5hszJ154NNF9JxvN1TNHwouw3DxokQWokRtF4g9MSPbS
-            XgEg7wqYz9QXtiHHofPEgVOo2MD6FTYNTBQ3Fj91CW65ME0hBfzsliqoLq9B2mvZ
+            XgFrAw/VlobYHBXNczlKyIaTdHQbosz9EZ7wO8Q1jLlzGF8a2e8F5ca+2I3begns
-            3t7SL3uR1vngmtFaXxCyERcsAnAQz1ClSK9Ee5vzAWLazC58xvctwam1eXKkuew=
+            CM4iU9uUpReZC4672sqHX622dZAGf7m0Dt3vVaNjGj90rezeGuajNMnYOEd+PAU=
-            =G9kW
+            =Lgup
            -----END PGP MESSAGE-----
          fp: F7D37890228A907440E1FD4846B9228E814A2AAC
    unencrypted_suffix: _unencrypted
-    version: 3.10.2
+    version: 3.11.0
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Felix Albrigtsen	81b458d59c	Run shellcheck	2026-02-08 12:10:53 +01:00
Vegard Bieker Matthey	35907be4f2	update sops keys for skrott	2026-02-07 22:17:09 +01:00
h7x4	210f74dc59	secrets: sops updatekeys	2026-02-08 05:19:26 +09:00
Vegard Bieker Matthey	d35de940c1	update gpg install cmd for secrets	2026-02-07 21:12:03 +01:00
h7x4	daa4b9e271	bekkalokk/mediawiki: adjust umask	2026-02-07 01:46:55 +09:00
h7x4	12eb0b3f53	bekkalokk/mediawiki: allow uploading more filetypes	2026-02-07 00:56:38 +09:00
h7x4	02bdb8d45b	kommode/gitea/web: use default login shell	2026-02-05 13:25:06 +09:00
h7x4	a5143c0aaa	bekkalokk/nettsiden: fix gallery rsync target	2026-02-05 13:19:29 +09:00
Vegard Bieker Matthey	561404cd87	bump dibbler	2026-02-04 04:11:56 +01:00
System administrator	3338b4cd61	gluttony: fix ipv4 addr	2026-02-03 21:05:53 +01:00
Vegard Bieker Matthey	2354dcf578	gluttony: update disk id	2026-02-03 16:18:43 +01:00
h7x4	304304185c	base: add `lsof` to list of default installed packages	2026-02-02 23:59:35 +09:00
h7x4	b712f3cda3	temmie/userweb: add a few more packages	2026-01-31 21:53:12 +09:00
h7x4	cc272a724c	temmie/userweb: add directory index search path	2026-01-31 21:30:23 +09:00
h7x4	fcaa97884e	temmie/userweb: add a bunch more normal packages	2026-01-31 21:20:26 +09:00
h7x4	11f2cf504f	temmie/userweb: add a bunch more perl packages	2026-01-31 20:31:03 +09:00
h7x4	7ab16bc949	temmie/userweb: restrict log access	2026-01-31 19:08:02 +09:00
h7x4	c4d5cfde56	temmie/userweb: add `legacy-cgi` to the python package set	2026-01-31 18:53:44 +09:00
h7x4	100d09f6b7	temmie/userweb: get first iteration working	2026-01-31 18:41:17 +09:00
h7x4	3b0742bfac	temmie: combine homedirs in overlayfs	2026-01-31 18:41:17 +09:00
h7x4	3ba1ea2e4f	flake.lock: bump	2026-01-31 13:44:39 +09:00
h7x4	91de031896	treewide: limit rsync pull target access to principal	2026-01-31 11:14:18 +09:00
h7x4	c3ce6a40ea	ildkule/grafana: update a bunch of dashboards	2026-01-31 01:07:26 +09:00
h7x4	beee0ddc75	ildkule/grafana: remove dashboard for gogs	2026-01-31 00:58:34 +09:00
h7x4	359f599655	bekkalokk/snappymail: add rsync pull target for principal	2026-01-31 00:19:09 +09:00
h7x4	5b1c6f16d1	bekkalokk/vaultwarden: add rsync pull target for principal	2026-01-31 00:18:57 +09:00
h7x4	cec69d89a8	bicep/{postgres,mysql}: fix old backup deletion (again)	2026-01-30 13:26:10 +09:00
h7x4	af0bf7b254	bicep/{postgres,mysql}: fix old backup deletion	2026-01-29 14:57:46 +09:00
h7x4	bcf8b1607f	bicep/{postgres,mysql}: use hardlink for latest backup file	2026-01-29 14:53:07 +09:00
h7x4	1d46fd1ec6	bicep/{postgres,mysql}: keep multiple backups, point at latest with symlink	2026-01-29 14:16:34 +09:00
h7x4	bac53be707	bicep/{postgres,mysql}: use zstd for backup compression	2026-01-29 13:50:35 +09:00
h7x4	f08bd96b74	bicep/{postgres,mysql}: move backups to `/data`	2026-01-29 13:41:06 +09:00
h7x4	25f2a13391	packages/mediawiki-extensions: bump all	2026-01-29 13:34:42 +09:00
h7x4	8774c81d23	bicep/{postgres,mysql}: custom backup units	2026-01-29 13:32:28 +09:00
h7x4	d6eca5c4e3	bicep/{postgres,mysql}: split config into several files	2026-01-29 13:18:25 +09:00
h7x4	49d1122ee5	bicep/mysql: enable slow query logs	2026-01-28 14:55:52 +09:00
h7x4	31bbf4b25f	bicep/synapse: enable auto-compressor timer	2026-01-28 14:50:57 +09:00
h7x4	2f7e1439d0	bicep/mysql: pin version, upgrade from 11.4 -> 11.8	2026-01-28 14:01:14 +09:00
h7x4	fa31a84bd2	bicep/postgres: upgrade from 15 -> 18	2026-01-28 14:00:25 +09:00
h7x4	b77c8eb5c0	modules/rsync-pull-targets: fix multiple pull targets with same user	2026-01-27 21:10:17 +09:00
h7x4	949661113e	bicep/mysql: move backup dir	2026-01-27 20:47:40 +09:00
h7x4	f442c4d65f	bicep/minecraft-heatmap: gate remaining config behind `cfg.enable`	2026-01-27 20:44:20 +09:00
h7x4	690aee634b	bicep/postgres: gate remaining config behind `cfg.enable`	2026-01-27 20:44:20 +09:00
h7x4	2ed1c83858	bicep/{postgres,mysql}: add rsync pull targets for backups	2026-01-27 20:39:12 +09:00
h7x4	d43de08a3b	flake.lock: bump	2026-01-27 19:44:45 +09:00
h7x4	e8c7f177e8	kommode: use disko to configure disks	2026-01-27 19:00:12 +09:00
h7x4	fb59a242fb	kommode/gitea: add rsync pull target for gitea dump dir	2026-01-27 18:55:25 +09:00
h7x4	65d095feb1	bekkalokk/mediawiki, bicep/matrix/synapse: add keys for rsync targets	2026-01-27 18:55:03 +09:00
h7x4	8273d98788	flake.nix: add `disko` to default devshell	2026-01-27 18:35:18 +09:00
h7x4	8a84069dcf	bicep/mysql: use `BindPaths` to access `dataDir`	2026-01-27 17:23:38 +09:00
h7x4	cda84be5b0	bekkalokk/well-known: add note about bug bounty program to `security.txt`	2026-01-27 17:11:07 +09:00
h7x4	79a46ce3f6	bicep/element: set default country code	2026-01-27 04:11:40 +09:00
h7x4	19e45be83a	.mailmap: further dedup	2026-01-27 04:07:25 +09:00
h7x4	a8892e2fb2	hosts/various: bump `stateVersion`	2026-01-27 04:00:48 +09:00
h7x4	a149f97ac0	bicep: bump `stateVersion` from 22.11 -> 25.11	2026-01-27 03:59:40 +09:00
h7x4	e76c656378	bekkalokk: bump `stateVersion` from 22.11 -> 25.11	2026-01-27 03:52:34 +09:00
h7x4	5877ef60b1	modules/rsync-pull-targets: leave TODO about assertion	2026-01-27 00:27:00 +09:00
h7x4	73456de527	bekkalokk/mediawiki, bicep/matrix/synapse: leave principal rsync target stubs	2026-01-27 00:26:42 +09:00
h7x4	2f8e9ea190	modules/rsync-pull-targets: init, migrate bekkalokk/website/fetch-gallery	2026-01-26 23:57:20 +09:00
h7x4	c3c98392ad	bicep/hookshot: add passkey to sops	2026-01-26 21:52:58 +09:00
h7x4	e01fd902eb	bekkalokk/mediawiki: move `secret.key` to sops	2026-01-26 17:55:55 +09:00
h7x4	ce8d759f79	skrott: yeet 700MB worth of firmware, leave raspberry-specific firmware be	2026-01-26 17:09:18 +09:00
h7x4	ea6296f47a	base/vm: disable graphics for vms by default	2026-01-26 17:08:35 +09:00
h7x4	c28fc3f229	ildkule/prometheus: add temmie,gluttony, re-enable lupine-2	2026-01-26 17:04:55 +09:00
h7x4	c124183d95	ildkule/prometheus: scrape skrott	2026-01-26 17:04:52 +09:00
h7x4	d7bb316056	skrott: yeetus ncdu	2026-01-26 15:45:10 +09:00
h7x4	c78c29aaa6	skrott: don't pull in nixpkgs/nixpkgs-unstable source tarballs	2026-01-26 15:43:23 +09:00
h7x4	7d451f1db5	base/auto-upgrade: don't install `flake-inputs.json` when disabled	2026-01-26 15:42:56 +09:00
h7x4	1d57cec04d	base/acme: remove deprecated argument	2026-01-26 15:07:40 +09:00
h7x4	f50372fabd	.sops.yaml: remove yet more remains of jokum	2026-01-26 13:53:30 +09:00
h7x4	0f355046de	.sops.yaml: add skrott	2026-01-26 13:53:16 +09:00
h7x4	285f5b6a84	flake.nix: point `skrott-x86_64` at correct nixosConfiguration, add `-sd` variants	2026-01-26 13:46:15 +09:00
h7x4	20eec03cd4	bakke: fix eval warnings about kernel packages	2026-01-26 13:46:14 +09:00
h7x4	fffdf77d6f	skrott: disable more stuff	2026-01-26 13:46:13 +09:00
h7x4	42bbb1eca1	flake.nix: make native skrott default, misc cleaning	2026-01-26 13:28:42 +09:00
h7x4	34fdc9159c	bekkalokk/mediawiki: remove nonused module import	2026-01-26 13:19:48 +09:00
h7x4	1b6ff9876d	Remove global packages from users, skrott: remove neovim properly	2026-01-26 13:16:06 +09:00
h7x4	0206c159a2	skrott: cross compile and further minimize	2026-01-26 13:15:46 +09:00
h7x4	15004829a8	flake.lock: bump dibbler	2026-01-26 02:30:53 +09:00
h7x4	48ffb3cda1	skrott/dibbler: fix postgres url	2026-01-26 02:27:21 +09:00
h7x4	9bbc64afc8	skrott: disable promtail, documentation	2026-01-26 02:25:12 +09:00
h7x4	1cf956f37b	skrott: disable thermald	2026-01-26 02:04:03 +09:00
h7x4	38a1d38c7f	skrott: disable zfs, udisks2	2026-01-26 01:31:46 +09:00
h7x4	f1a6e47e67	skrott: disable smartd	2026-01-26 00:48:36 +09:00
h7x4	c061c5be0c	base: re-enable `mutableUsers` (absolute state)	2026-01-26 00:25:20 +09:00
h7x4	08e3e1a287	README: add skrott to machine overview	2026-01-25 23:30:41 +09:00
h7x4	034f6540d9	secrets/skrott: add database password	2026-01-25 23:30:41 +09:00
h7x4	695fe48ba8	skrott: set gateway	2026-01-25 23:30:41 +09:00
h7x4	b37551209a	flake.nix: bump dibbler	2026-01-25 22:54:52 +09:00
Felix Albrigtsen	19059b742e	users/felixalb: update SSH keys	2026-01-25 13:17:39 +01:00
h7x4	e336c119a5	skrott: bump `stateVersion`	2026-01-25 21:08:28 +09:00
h7x4	52ac4ca775	skrott: update dibbler + config	2026-01-25 20:56:33 +09:00
Vegard Bieker Matthey	6b352507a3	Merge pull request 'gluttony: use grub as bootloader because of no uefi support' (!121 ) from gluttony-boot into main Reviewed-on: https://git.pvv.ntnu.no/Drift/pvv-nixos-config/pulls/121	2026-01-24 22:25:28 +01:00
Vegard Bieker Matthey	604b528dd3	use grub as bootloader because of no uefi support	2026-01-24 22:04:54 +01:00
h7x4	689d6582ae	topology: fix ntnu gateway <-> knutsen connection network	2026-01-23 00:56:32 +09:00
h7x4	ccdaeaf4a3	topology: fix gluttony network interface	2026-01-23 00:51:30 +09:00
h7x4	72fdca4998	topology: more connections to powerpuff cluster	2026-01-23 00:50:16 +09:00
h7x4	9ccdeb6ac9	topology: fix new machines	2026-01-23 00:43:20 +09:00
h7x4	8072121b3c	skrott: fix sops file location	2026-01-22 19:44:05 +09:00
h7x4	95f6463171	temmie: set up httpd	2026-01-22 19:41:52 +09:00
h7x4	39d3773a10	skrott: move networking config to values, add ipv6 address	2026-01-22 19:30:04 +09:00
h7x4	0e963f8cf0	gluttony: fix eval	2026-01-22 19:17:28 +09:00
h7x4	ba6c1c8205	temmie/nfs-mounts: generate systemd units ourselves	2026-01-22 19:10:30 +09:00
h7x4	1d47409d96	base: configure sops	2026-01-22 16:48:59 +09:00
h7x4	f7757d697d	base: don't install dynamic loader stub	2026-01-22 16:13:36 +09:00
h7x4	9f43ea887e	base: OOM early on nixos rebuilds	2026-01-22 16:13:20 +09:00
h7x4	5f94345a91	hosts/various: enable qemu guest agent, disable smartd for vms by default	2026-01-22 16:05:36 +09:00
h7x4	28baf322ce	hosts/various: formatting, add consistent warnings to `stateVersion`	2026-01-22 15:57:12 +09:00
h7x4	12477aeb34	flake.nix: set default hostname for most nixos hosts	2026-01-22 15:49:50 +09:00
h7x4	e2d553af19	bikkje: set `hostName`	2026-01-22 15:49:50 +09:00
h7x4	89ea5b321a	hosts/various: use systemd-boot as default bootloader	2026-01-22 15:49:50 +09:00
h7x4	3940f52760	hosts/various: remove empty `environment.systemPackages` lists	2026-01-22 15:45:43 +09:00
h7x4	e2f3c81ecd	base: move package list to separate file	2026-01-22 15:35:18 +09:00
h7x4	a4c3aaa402	base: provide reasoning for packages, add a few new ones	2026-01-22 15:31:48 +09:00
h7x4	5714efc668	modules/grzegorz: override base certificate config	2026-01-22 15:10:50 +09:00
h7x4	d5199779a6	base: disable fontconfig by default	2026-01-22 14:57:00 +09:00
h7x4	ae3c7019ef	base: disable hibernation and sleep	2026-01-22 14:54:35 +09:00
h7x4	73dc9306f1	base: no mutable users by default	2026-01-22 14:51:24 +09:00
h7x4	09d72305e2	base/nginx: return 444 on fqdn virtualHost by default	2026-01-21 23:17:47 +09:00
h7x4	2ace7b649f	nix-topology: remove postgresql icon override	2026-01-21 14:56:41 +09:00
h7x4	7703a94b19	flake.lock: bump	2026-01-21 14:49:00 +09:00
h7x4	ebd40fc2d7	bekkalokk/well-known: reply to well-known for all domains	2026-01-21 14:47:31 +09:00
h7x4	9eb5cd869a	bicep/element: fetch correct well-known file	2026-01-21 14:34:35 +09:00
h7x4	fa37f34028	packages/ooye: bump	2026-01-21 13:46:06 +09:00
h7x4	7111d00df8	modules/ooye: calm yo ass (set restart timer + counter)	2026-01-21 13:17:28 +09:00
h7x4	833a74a6fb	bicep/matrix: remove some whitespace lol	2026-01-21 13:14:41 +09:00
h7x4	d82cc2e605	update and fix `packages.out-of-your-element	2026-01-21 12:49:13 +09:00
h7x4	93cf6f4a63	bicep/sshguard: disable sshguard doesn't actually work as it currently stands, also the builtin PerSourcePenalty functionality in SSH is more aggressive than sshguard is able to catch anyway. It might've been reasonable if we were using it for anything other than SSH, but it doesn't seem like we are.	2026-01-21 11:13:27 +09:00
h7x4	0f11cca8ec	bicep/matrix: use sops templates to render structured files	2026-01-21 11:08:26 +09:00
h7x4	d892acb331	bicep/matrix: have element-web source well-known from config	2026-01-21 10:49:09 +09:00
h7x4	aa07687a94	bicep/matrix: add synapse config to help with livekit	2026-01-21 10:48:37 +09:00
h7x4	e5dd5b6325	bicep/matrix: attempt to set up livekit	2026-01-21 10:14:08 +09:00
h7x4	75c52f63cc	bicep/matrix: add module for adding stuff to well-known	2026-01-21 10:14:07 +09:00
Felix Albrigtsen	6b5c12a4b8	Merge pull request 'Fix the heccin quotes - mikrobel 2026' (!120 ) from fix-quotes into main Reviewed-on: https://git.pvv.ntnu.no/Drift/pvv-nixos-config/pulls/120 Reviewed-by: Oystein Kristoffer Tveit <oysteikt@pvv.ntnu.no>	2026-01-20 09:43:33 +01:00
h7x4	633efc1a7d	ildkule: unbreak eval	2026-01-20 17:12:25 +09:00
Felix Albrigtsen	14e2ed7e32	Fix the heccin quotes	2026-01-19 21:09:41 +01:00
Vegard Bieker Matthey	489551a8e2	hosts/gluttony: init (!119 ) Reviewed-on: https://git.pvv.ntnu.no/Drift/pvv-nixos-config/pulls/119 Reviewed-by: Felix Albrigtsen <felixalb@pvv.ntnu.no> Co-authored-by: Vegard Bieker Matthey <VegardMatthey@protonmail.com> Co-committed-by: Vegard Bieker Matthey <VegardMatthey@protonmail.com>	2026-01-19 17:39:01 +01:00
h7x4	5e5a7f1969	flake.lock: bump minecraft-kartverket	2026-01-19 00:18:06 +09:00
fredrik	b933d19f91	bekkalokk/qotd: init	2026-01-17 22:11:37 +01:00
h7x4	60b6cd137f	flake.lock: bump pvv-nettsiden	2026-01-17 16:55:20 +09:00
h7x4	3a0ea9c338	base/polkit: default to username if in group `wheel`	2026-01-17 03:59:55 +09:00
h7x4	d66aab1e61	flake.lock: bump minecraft-kartverket	2026-01-17 03:59:29 +09:00
h7x4	a9b1e11eea	flake.lock: bump	2026-01-16 23:25:15 +09:00
h7x4	1fc3eb24cf	flake.lock: bump minecraft-kartverket	2026-01-16 19:50:51 +09:00
h7x4	9984af36f4	modules/gickup: fix linktree config eval	2026-01-16 15:38:34 +09:00
h7x4	1080589aef	secrets//: update keys	2026-01-16 07:36:43 +01:00
Vegard Bieker Matthey	1a62eee464	add vegardbm to sops.yaml	2026-01-16 07:36:43 +01:00
h7x4	586a7c3ee5	flake.lock: bump	2026-01-16 11:51:31 +09:00
h7x4	8ff879d830	modules/gickup: run linktree after gickup fetches are done	2026-01-16 11:51:01 +09:00
h7x4	005d987ead	bicep/git-mirrors: fix cgit config	2026-01-16 11:50:31 +09:00
h7x4	e72fb76fff	ildkule/journald-remote: move `LoadCredential` to correct unit	2026-01-15 18:37:44 +09:00
h7x4	1c021cd789	base/packages: add net-tools	2026-01-15 17:49:42 +09:00
h7x4	d93bdd8493	journald-upload: use ipv4 temporarily, restrict firewall to ildkule	2026-01-15 17:38:27 +09:00
h7x4	024dae4226	journald-{remote,upload}: init	2026-01-15 15:50:49 +09:00
h7x4	5d0b2c6e0a	temmie: mount nfs shares from microbel	2026-01-15 00:47:53 +09:00
Øystein Tveit	edeed67528	hosts/temmie: init	2026-01-14 16:43:29 +01:00
h7x4	9e19d9a9bb	bekkalokk/bluemap: include markers with concatenation	2026-01-14 17:40:47 +09:00
h7x4	46d7220479	Move deployment section from dev docs to README, add warning	2026-01-13 22:54:51 +09:00
h7x4	cd6f35a42d	base/auto-upgrade: display build logs in journalctl	2026-01-13 19:59:43 +09:00
h7x4	643dcb091f	kommode/gitea: add `developer experience` label	2026-01-13 19:59:43 +09:00
h7x4	06d6a08938	flake.nix: bump pvv-nettsiden	2026-01-13 19:59:43 +09:00
h7x4	f67a24648a	skrott: dont allow quitting	2026-01-12 02:32:21 +09:00
h7x4	5e18855c7c	skrott: register sops with dibbler db url	2026-01-12 02:32:21 +09:00
Vegard Bieker Matthey	26325c60d4	Merge pull request 'add missing ;' (!117 ) from syntax_error into main Reviewed-on: https://git.pvv.ntnu.no/Drift/pvv-nixos-config/pulls/117 Reviewed-by: Felix Albrigtsen <felixalb@pvv.ntnu.no> Reviewed-by: Oystein Kristoffer Tveit <oysteikt@pvv.ntnu.no>	2026-01-09 16:51:17 +01:00
Vegard Bieker Matthey	15c9c492cb	add missing ;	2026-01-09 16:28:44 +01:00