Added back old ssphp login theme

base/default.nix

@@ -10,10 +10,12 @@
     (fp /users)
     (fp /modules/snakeoil-certs.nix)
 
+    ./flake-input-exporter.nix
     ./networking.nix
     ./nix.nix
+    ./programs.nix
+    ./sops.nix
     ./vm.nix
-    ./flake-input-exporter.nix
 
     ./services/acme.nix
     ./services/auto-upgrade.nix
@@ -40,6 +42,9 @@
   boot.tmp.cleanOnBoot = lib.mkDefault true;
   boot.kernelPackages = lib.mkDefault pkgs.linuxPackages_latest;
 
+  boot.loader.systemd-boot.enable = lib.mkDefault true;
+  boot.loader.efi.canTouchEfiVariables = lib.mkDefault true;
+
   time.timeZone = "Europe/Oslo";
 
   i18n.defaultLocale = "en_US.UTF-8";
@@ -48,22 +53,8 @@
     keyMap = "no";
   };
 
-  environment.systemPackages = with pkgs; [
-    file
-    git
-    gnupg
-    htop
-    nano
-    net-tools
-    ripgrep
-    rsync
-    screen
-    tmux
-    vim
-    wget
-
-    kitty.terminfo
-  ];
+  # Don't install the /lib/ld-linux.so.2 stub
+  environment.ldso32 = null;
 
   # .bash_profile already works, but lets also use .bashrc like literally every other distro
   # https://man.archlinux.org/man/core/bash/bash.1.en#INVOCATION
@@ -77,8 +68,6 @@
     fi
   '';
 
-  programs.zsh.enable = true;
-
   # security.lockKernelModules = true;
   security.protectKernelImage = true;
   security.sudo.execWheelOnly = true;
@@ -86,6 +75,14 @@
     Defaults lecture = never
   '';
 
+  # These are servers, sleep is for the weak
+  systemd.sleep.extraConfig = lib.mkDefault ''
+    AllowSuspend=no
+    AllowHibernation=no
+  '';
+
+  users.mutableUsers = lib.mkDefault false;
+
   users.groups."drift".name = "drift";
 
   # Trusted users on the nix builder machines

base/nix.nix

@@ -37,4 +37,9 @@
       "unstable=${inputs.nixpkgs-unstable}"
     ];
   };
+
+  # Make builds to be more likely killed than important services.
+  # 100 is the default for user slices and 500 is systemd-coredumpd@
+  # We rather want a build to be killed than our precious user sessions as builds can be easily restarted.
+  systemd.services.nix-daemon.serviceConfig.OOMScoreAdjust = lib.mkDefault 250;
 }

base/programs.nix

@@ -0,0 +1,60 @@
+{ pkgs, lib, ... }:
+{
+  # We don't need fonts on headless machines
+  fonts.fontconfig.enable = lib.mkDefault false;
+
+  # Extra packags for better terminal emulator compatibility in SSH sessions
+  environment.enableAllTerminfo = true;
+
+  environment.systemPackages = with pkgs; [
+    # Debug dns outside resolvectl
+    dig
+
+    # Debug and find files
+    file
+
+    # Check computer specs
+    lshw
+
+    # Scan for open ports with netstat
+    net-tools
+
+    # Grep for files quickly
+    ripgrep
+
+    # Copy files over the network
+    rsync
+
+    # Access various state, often in /var/lib
+    sqlite-interactive
+
+    # Debug software which won't debug itself
+    strace
+
+    # Download files from the internet
+    wget
+  ];
+
+  # Clone/push nix config and friends
+  programs.git.enable = true;
+
+  # Gitea gpg, oysteikt sops, etc.
+  programs.gnupg.agent.enable = true;
+
+  # Monitor the wellbeing of the machines
+  programs.htop.enable = true;
+
+  # Keep sessions running during work over SSH
+  programs.tmux.enable = true;
+
+  # Same reasoning as tmux
+  programs.screen.enable = true;
+
+  # Edit files on the system without resorting to joe(1)
+  programs.nano.enable = true;
+  # Same reasoning as nano
+  programs.vim.enable = true;
+
+  # Some people like this shell for some reason
+  programs.zsh.enable = true;
+}

base/services/nginx.nix

@@ -39,29 +39,38 @@
     SystemCallFilter = lib.mkForce null;
   };
 
-  services.nginx.virtualHosts."_" = lib.mkIf config.services.nginx.enable {
-    listen = [
-      {
-        addr = "0.0.0.0";
-        extraParameters = [
-          "default_server"
-          # Seemingly the default value of net.core.somaxconn
-          "backlog=4096"
-          "deferred"
-        ];
-      }
-      {
-        addr = "[::0]";
-        extraParameters = [
-          "default_server"
-          "backlog=4096"
-          "deferred"
-        ];
-      }
-    ];
-    sslCertificate = "/etc/certs/nginx.crt";
-    sslCertificateKey = "/etc/certs/nginx.key";
-    addSSL = true;
-    extraConfig = "return 444;";
+  services.nginx.virtualHosts = lib.mkIf config.services.nginx.enable {
+    "_" = {
+      listen = [
+        {
+          addr = "0.0.0.0";
+          extraParameters = [
+            "default_server"
+            # Seemingly the default value of net.core.somaxconn
+            "backlog=4096"
+            "deferred"
+          ];
+        }
+        {
+          addr = "[::0]";
+          extraParameters = [
+            "default_server"
+            "backlog=4096"
+            "deferred"
+          ];
+        }
+      ];
+      sslCertificate = "/etc/certs/nginx.crt";
+      sslCertificateKey = "/etc/certs/nginx.key";
+      addSSL = true;
+      extraConfig = "return 444;";
+    };
+
+    ${config.networking.fqdn} = {
+      sslCertificate = lib.mkDefault "/etc/certs/nginx.crt";
+      sslCertificateKey = lib.mkDefault "/etc/certs/nginx.key";
+      addSSL = lib.mkDefault true;
+      extraConfig = lib.mkDefault "return 444;";
+    };
   };
 }

base/services/smartd.nix

@@ -1,7 +1,9 @@
 { config, pkgs, lib, ... }:
 {
   services.smartd = {
-    enable = lib.mkDefault true;
+    # NOTE: qemu guests tend not to have SMART-reporting disks. Please override for the
+    #       hosts with disk passthrough.
+    enable = lib.mkDefault (!config.services.qemuGuest.enable);
     notifications = {
       mail = {
         enable = true;

base/sops.nix

@@ -0,0 +1,12 @@
+{ config, fp, lib, ... }:
+{
+  sops.defaultSopsFile = let
+    secretsFilePath = fp /secrets/${config.networking.hostName}/${config.networking.hostName}.yaml;
+  in lib.mkIf (builtins.pathExists secretsFilePath) secretsFilePath;
+
+  sops.age = lib.mkIf (config.sops.defaultSopsFile != null) {
+    sshKeyPaths = lib.mkDefault [ "/etc/ssh/ssh_host_ed25519_key" ];
+    keyFile = "/var/lib/sops-nix/key.txt";
+    generateKey = true;
+  };
+}

flake.nix

@@ -105,6 +105,9 @@
           } // specialArgs;
 
           modules = [
+            {
+              networking.hostName = lib.mkDefault name;
+            }
             configurationPath
           ] ++ (lib.optionals enableDefaults [
             sops-nix.nixosModules.sops

hosts/bakke/configuration.nix

@@ -6,20 +6,13 @@
       ./filesystems.nix
     ];
 
-  sops.defaultSopsFile = ../../secrets/bakke/bakke.yaml;
-  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
-  sops.age.keyFile = "/var/lib/sops-nix/key.txt";
-  sops.age.generateKey = true;
-
-  boot.loader.systemd-boot.enable = true;
-  boot.loader.efi.canTouchEfiVariables = true;
-
-  networking.hostName = "bakke";
   networking.hostId = "99609ffc";
   systemd.network.networks."30-enp2s0" = values.defaultNetworkConfig // {
     matchConfig.Name = "enp2s0";
     address = with values.hosts.bakke; [ (ipv4 + "/25") (ipv6 + "/64") ];
   };
 
+  # Don't change (even during upgrades) unless you know what you are doing.
+  # See https://search.nixos.org/options?show=system.stateVersion
   system.stateVersion = "24.05";
 }

hosts/bekkalokk/configuration.nix

@@ -19,16 +19,6 @@
     ./services/qotd
   ];
 
-  sops.defaultSopsFile = fp /secrets/bekkalokk/bekkalokk.yaml;
-  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
-  sops.age.keyFile = "/var/lib/sops-nix/key.txt";
-  sops.age.generateKey = true;
-
-  boot.loader.systemd-boot.enable = true;
-  boot.loader.efi.canTouchEfiVariables = true;
-
-  networking.hostName = "bekkalokk";
-
   systemd.network.networks."30-enp2s0" = values.defaultNetworkConfig // {
     matchConfig.Name = "enp2s0";
     address = with values.hosts.bekkalokk; [ (ipv4 + "/25") (ipv6 + "/64") ];
@@ -36,7 +26,7 @@
 
   services.btrfs.autoScrub.enable = true;
 
-  # Do not change, even during upgrades.
+  # Don't change (even during upgrades) unless you know what you are doing.
   # See https://search.nixos.org/options?show=system.stateVersion
   system.stateVersion = "22.11";
 }

hosts/bekkalokk/services/idp-simplesamlphp/config.php

@@ -556,6 +556,7 @@ $config = [
     'module.enable' => [
         'admin' => true,
 	'authpwauth' => true,
+	'themepvv' => true,
     ],
 
 
@@ -858,7 +859,7 @@ $config = [
     /*
      * Which theme directory should be used?
      */
-    'theme.use' => 'default',
+    'theme.use' => 'themepvv:pvv',
 
     /*
      * Set this option to the text you would like to appear at the header of each page. Set to false if you don't want

hosts/bekkalokk/services/idp-simplesamlphp/default.nix

@@ -1,8 +1,24 @@
-{ config, pkgs, lib, ... }:
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
 let
+  themePvv = pkgs.fetchFromGitea {
+    domain = "git.pvv.ntnu.no";
+    owner = "Drift";
+    repo = "ssp-theme";
+    rev = "bda4314030be5f81aeaf2fb1927aee582f1194d9";
+    hash = "sha256-naNRyPL6PAsZKW2w1Vt9wrHT9inCL/yAFnvpy4glv+c=";
+  };
+
   pwAuthScript = pkgs.writeShellApplication {
     name = "pwauth";
-    runtimeInputs = with pkgs; [ coreutils heimdal ];
+    runtimeInputs = with pkgs; [
+      coreutils
+      heimdal
+    ];
     text = ''
       read -r user1
       user2="$(echo -n "$user1" | tr -c -d '0123456789abcdefghijklmnopqrstuvwxyz')"
@@ -33,7 +49,7 @@ let
 
       "metadata/saml20-sp-remote.php" = pkgs.writeText "saml20-sp-remote.php" ''
         <?php
-          ${ lib.pipe config.services.idp.sp-remote-metadata [
+          ${lib.pipe config.services.idp.sp-remote-metadata [
             (map (url: ''
               $metadata['${url}'] = [
                 'SingleLogoutService' => [
@@ -85,18 +101,27 @@ let
 
         substituteInPlace "$out" \
           --replace-warn '$SAML_COOKIE_SECURE' 'true' \
-          --replace-warn '$SAML_COOKIE_SALT' 'file_get_contents("${config.sops.secrets."idp/cookie_salt".path}")' \
+          --replace-warn '$SAML_COOKIE_SALT' 'file_get_contents("${
+            config.sops.secrets."idp/cookie_salt".path
+          }")' \
           --replace-warn '$SAML_ADMIN_NAME' '"Drift"' \
           --replace-warn '$SAML_ADMIN_EMAIL' '"drift@pvv.ntnu.no"' \
-          --replace-warn '$SAML_ADMIN_PASSWORD' 'file_get_contents("${config.sops.secrets."idp/admin_password".path}")' \
+          --replace-warn '$SAML_ADMIN_PASSWORD' 'file_get_contents("${
+            config.sops.secrets."idp/admin_password".path
+          }")' \
           --replace-warn '$SAML_TRUSTED_DOMAINS' 'array( "idp.pvv.ntnu.no" )' \
           --replace-warn '$SAML_DATABASE_DSN' '"pgsql:host=postgres.pvv.ntnu.no;port=5432;dbname=idp"' \
           --replace-warn '$SAML_DATABASE_USERNAME' '"idp"' \
-          --replace-warn '$SAML_DATABASE_PASSWORD' 'file_get_contents("${config.sops.secrets."idp/postgres_password".path}")' \
+          --replace-warn '$SAML_DATABASE_PASSWORD' 'file_get_contents("${
+            config.sops.secrets."idp/postgres_password".path
+          }")' \
           --replace-warn '$CACHE_DIRECTORY' '/var/cache/idp'
       '';
 
       "modules/authpwauth/src/Auth/Source/PwAuth.php" = ./authpwauth.php;
+
+      # PVV theme module (themepvv).
+      "modules/themepvv" = themePvv;
     };
   };
 in
@@ -158,23 +183,25 @@ in
     services.phpfpm.pools.idp = {
       user = "idp";
       group = "idp";
-      settings = let
-        listenUser = config.services.nginx.user;
-        listenGroup = config.services.nginx.group;
-      in {
-        "pm" = "dynamic";
-        "pm.max_children" = 32;
-        "pm.max_requests" = 500;
-        "pm.start_servers" = 2;
-        "pm.min_spare_servers" = 2;
-        "pm.max_spare_servers" = 4;
-        "listen.owner" = listenUser;
-        "listen.group" = listenGroup;
+      settings =
+        let
+          listenUser = config.services.nginx.user;
+          listenGroup = config.services.nginx.group;
+        in
+        {
+          "pm" = "dynamic";
+          "pm.max_children" = 32;
+          "pm.max_requests" = 500;
+          "pm.start_servers" = 2;
+          "pm.min_spare_servers" = 2;
+          "pm.max_spare_servers" = 4;
+          "listen.owner" = listenUser;
+          "listen.group" = listenGroup;
 
-        "catch_workers_output" = true;
-        "php_admin_flag[log_errors]" = true;
-        # "php_admin_value[error_log]" = "stderr";
-      };
+          "catch_workers_output" = true;
+          "php_admin_flag[log_errors]" = true;
+          # "php_admin_value[error_log]" = "stderr";
+        };
     };
 
     services.nginx.virtualHosts."idp.pvv.ntnu.no" = {
@@ -182,7 +209,7 @@ in
       enableACME = true;
       kTLS = true;
       root = "${package}/share/php/simplesamlphp/public";
-      locations =  {
+      locations = {
         # based on https://simplesamlphp.org/docs/stable/simplesamlphp-install.html#configuring-nginx
         "/" = {
           alias = "${package}/share/php/simplesamlphp/public/";

hosts/bicep/configuration.nix

@@ -15,16 +15,6 @@
     ./services/matrix
   ];
 
-  sops.defaultSopsFile = fp /secrets/bicep/bicep.yaml;
-  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
-  sops.age.keyFile = "/var/lib/sops-nix/key.txt";
-  sops.age.generateKey = true;
-
-  boot.loader.systemd-boot.enable = true;
-  boot.loader.efi.canTouchEfiVariables = true;
-
-  networking.hostName = "bicep";
-
   #systemd.network.networks."30-enp6s0f0" = values.defaultNetworkConfig // {
   systemd.network.networks."30-ens18" = values.defaultNetworkConfig // {
     #matchConfig.Name = "enp6s0f0";
@@ -36,16 +26,9 @@
     anyInterface = true;
   };
 
-  # There are no smart devices
-  services.smartd.enable = false;
-
-  # we are a vm now
   services.qemuGuest.enable = true;
 
-  # Enable the OpenSSH daemon.
-  services.openssh.enable = true;
-
-  # Do not change, even during upgrades.
+  # Don't change (even during upgrades) unless you know what you are doing.
   # See https://search.nixos.org/options?show=system.stateVersion
   system.stateVersion = "22.11";
 }

hosts/bikkje/configuration.nix

@@ -1,6 +1,6 @@
 { config, pkgs, values, ... }:
 {
-    networking.nat = {
+  networking.nat = {
     enable = true;
     internalInterfaces = ["ve-+"];
     externalInterface = "ens3";
@@ -25,6 +25,7 @@
       ];
 
       networking = {
+        hostName = "bikkje";
         firewall = {
           enable = true;
           # Allow SSH and HTTP and ports for email and irc
@@ -36,9 +37,11 @@
         useHostResolvConf = mkForce false;
       };
 
-      system.stateVersion = "23.11";
       services.resolved.enable = true;
+
+      # Don't change (even during upgrades) unless you know what you are doing.
+      # See https://search.nixos.org/options?show=system.stateVersion
+      system.stateVersion = "23.11";
     };
   };
-
 };

hosts/brzeczyszczykiewicz/configuration.nix

@@ -8,28 +8,14 @@
       ./services/grzegorz.nix
     ];
 
-  boot.loader.systemd-boot.enable = true;
-  boot.loader.efi.canTouchEfiVariables = true;
-
-  networking.hostName = "brzeczyszczykiewicz";
-
   systemd.network.networks."30-eno1" = values.defaultNetworkConfig // {
     matchConfig.Name = "eno1";
     address = with values.hosts.brzeczyszczykiewicz; [ (ipv4 + "/25") (ipv6 + "/64") ];
   };
 
-  # List packages installed in system profile
-  environment.systemPackages = with pkgs; [
-  ];
-
-  # List services that you want to enable:
-
-  # This value determines the NixOS release from which the default
-  # settings for stateful data, like file locations and database versions
-  # on your system were taken. It's perfectly fine and recommended to leave
-  # this value at the release version of the first install of this system.
-  # Before changing this value read the documentation for this option
-  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
-  system.stateVersion = "23.05"; # Did you read the comment?
+  fonts.fontconfig.enable = true;
 
+  # Don't change (even during upgrades) unless you know what you are doing.
+  # See https://search.nixos.org/options?show=system.stateVersion
+  system.stateVersion = "23.05";
 }

hosts/georg/configuration.nix

@@ -8,24 +8,11 @@
       (fp /modules/grzegorz.nix)
     ];
 
-  boot.loader.systemd-boot.enable = true;
-  boot.loader.efi.canTouchEfiVariables = true;
-
-  networking.hostName = "georg";
-
   systemd.network.networks."30-eno1" = values.defaultNetworkConfig // {
     matchConfig.Name = "eno1";
     address = with values.hosts.georg; [ (ipv4 + "/25") (ipv6 + "/64") ];
   };
 
-  # List packages installed in system profile
-  environment.systemPackages = with pkgs; [
-  ];
-
-  # List services that you want to enable:
-
-
-
   services.spotifyd = {
     enable = true;
     settings.global = {
@@ -41,15 +28,9 @@
     5353 # spotifyd is its own mDNS service wtf
   ];
 
+  fonts.fontconfig.enable = true;
 
-
-
-  # This value determines the NixOS release from which the default
-  # settings for stateful data, like file locations and database versions
-  # on your system were taken. It's perfectly fine and recommended to leave
-  # this value at the release version of the first install of this system.
-  # Before changing this value read the documentation for this option
-  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
-  system.stateVersion = "23.05"; # Did you read the comment?
-
+  # Don't change (even during upgrades) unless you know what you are doing.
+  # See https://search.nixos.org/options?show=system.stateVersion
+  system.stateVersion = "23.05";
 }

hosts/gluttony/configuration.nix

@@ -10,16 +10,12 @@
     (fp /base)
   ];
 
-  boot.loader.systemd-boot.enable = true;
-  boot.loader.efi.canTouchEfiVariables = true;
-
   systemd.network.enable = lib.mkForce false;
   networking =
     let
       hostConf = values.hosts.gluttony;
     in
     {
-      hostName = "gluttony";
       tempAddresses = "disabled";
       useDHCP = false;
 
@@ -47,5 +43,9 @@
       };
     };
 
-  system.stateVersion = "25.11"; # Don't change unless you know what you are doing.
+  services.qemuGuest.enable = true;
+
+  # Don't change (even during upgrades) unless you know what you are doing.
+  # See https://search.nixos.org/options?show=system.stateVersion
+  system.stateVersion = "25.11";
 }

hosts/ildkule/configuration.nix

@@ -10,11 +10,7 @@
       ./services/journald-remote.nix
     ];
 
-  sops.defaultSopsFile = fp /secrets/ildkule/ildkule.yaml;
-  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
-  sops.age.keyFile = "/var/lib/sops-nix/key.txt";
-  sops.age.generateKey = true;
-
+  boot.loader.systemd-boot.enable = false;
   boot.loader.grub.device = "/dev/vda";
   boot.tmp.cleanOnBoot = true;
   zramSwap.enable = true;
@@ -24,7 +20,6 @@
   networking = let
     hostConf = values.hosts.ildkule;
   in {
-    hostName = "ildkule";
     tempAddresses = "disabled";
     useDHCP = lib.mkForce true;
 
@@ -43,13 +38,9 @@
     };
   };
 
-  # List packages installed in system profile
-  environment.systemPackages = with pkgs; [
-  ];
-
-  # No devices with SMART
-  services.smartd.enable = false;
-
-  system.stateVersion = "23.11"; # Did you read the comment?
+  services.qemuGuest.enable = true;
 
+  # Don't change (even during upgrades) unless you know what you are doing.
+  # See https://search.nixos.org/options?show=system.stateVersion
+  system.stateVersion = "23.11";
 }

hosts/kommode/configuration.nix

@@ -9,16 +9,6 @@
     ./services/nginx.nix
   ];
 
-  sops.defaultSopsFile = fp /secrets/kommode/kommode.yaml;
-  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
-  sops.age.keyFile = "/var/lib/sops-nix/key.txt";
-  sops.age.generateKey = true;
-
-  boot.loader.systemd-boot.enable = true;
-  boot.loader.efi.canTouchEfiVariables = true;
-
-  networking.hostName = "kommode"; # Define your hostname.
-
   systemd.network.networks."30-ens18" = values.defaultNetworkConfig // {
     matchConfig.Name = "ens18";
     address = with values.hosts.kommode; [ (ipv4 + "/25") (ipv6 + "/64") ];
@@ -26,7 +16,9 @@
 
   services.btrfs.autoScrub.enable = true;
 
-  environment.systemPackages = with pkgs; [];
+  services.qemuGuest.enable = true;
 
+  # Don't change (even during upgrades) unless you know what you are doing.
+  # See https://search.nixos.org/options?show=system.stateVersion
   system.stateVersion = "24.11";
 }

hosts/lupine/configuration.nix

@@ -9,12 +9,6 @@
   ];
 
   sops.defaultSopsFile = fp /secrets/lupine/lupine.yaml;
-  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
-  sops.age.keyFile = "/var/lib/sops-nix/key.txt";
-  sops.age.generateKey = true;
-
-  boot.loader.systemd-boot.enable = true;
-  boot.loader.efi.canTouchEfiVariables = true;
 
   systemd.network.networks."30-enp0s31f6" = values.defaultNetworkConfig // {
     matchConfig.Name = "enp0s31f6";
@@ -28,7 +22,7 @@
   # There are no smart devices
   services.smartd.enable = false;
 
-  # Do not change, even during upgrades.
+  # Don't change (even during upgrades) unless you know what you are doing.
   # See https://search.nixos.org/options?show=system.stateVersion
   system.stateVersion = "25.05";
 }

hosts/shark/configuration.nix

@@ -6,33 +6,14 @@
       (fp /base)
     ];
 
-  sops.defaultSopsFile = fp /secrets/shark/shark.yaml;
-  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
-  sops.age.keyFile = "/var/lib/sops-nix/key.txt";
-  sops.age.generateKey = true;
-
-  boot.loader.systemd-boot.enable = true;
-  boot.loader.efi.canTouchEfiVariables = true;
-
-  networking.hostName = "shark"; # Define your hostname.
-
   systemd.network.networks."30-ens18" = values.defaultNetworkConfig // {
     matchConfig.Name = "ens18";
     address = with values.hosts.shark; [ (ipv4 + "/25") (ipv6 + "/64") ];
   };
 
-  # List packages installed in system profile
-  environment.systemPackages = with pkgs; [
-  ];
-
-  # List services that you want to enable:
-
-  # This value determines the NixOS release from which the default
-  # settings for stateful data, like file locations and database versions
-  # on your system were taken. It's perfectly fine and recommended to leave
-  # this value at the release version of the first install of this system.
-  # Before changing this value read the documentation for this option
-  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
-  system.stateVersion = "23.05"; # Did you read the comment?
+  services.qemuGuest.enable = true;
 
+  # Don't change (even during upgrades) unless you know what you are doing.
+  # See https://search.nixos.org/options?show=system.stateVersion
+  system.stateVersion = "23.05";
 }

hosts/skrott/configuration.nix

@@ -1,14 +1,17 @@
-{ config, pkgs, lib, fp, ... }: {
+{ config, pkgs, lib, fp, values, ... }: {
   imports = [
     # ./hardware-configuration.nix
 
     (fp /base)
   ];
 
+  sops.defaultSopsFile = fp /secrets/skrott/skrott.yaml;
+
   boot = {
     consoleLogLevel = 0;
     enableContainers = false;
     loader.grub.enable = false;
+    loader.systemd-boot.enable = false;
     kernelPackages = pkgs.linuxPackages;
   };
 
@@ -21,13 +24,6 @@
 
   # TODO: can we reduce further?
 
-  system.stateVersion = "25.05";
-
-  sops.defaultSopsFile = fp /secrets/skrott/skrott.yaml;
-  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
-  sops.age.keyFile = "/var/lib/sops-nix/key.txt";
-  sops.age.generateKey = true;
-
   sops.secrets = {
     "dibbler/postgresql/url" = {
       owner = "dibbler";
@@ -42,7 +38,11 @@
     interfaces.eth0 = {
       useDHCP = false;
       ipv4.addresses = [{
-        address = "129.241.210.235";
+        address = values.hosts.skrott.ipv4;
+        prefixLength = 25;
+      }];
+      ipv6.addresses = [{
+        address = values.hosts.skrott.ipv6;
         prefixLength = 25;
       }];
     };
@@ -70,4 +70,8 @@
     wantedBy = [ "getty.target" ]; # to start at boot
     serviceConfig.Restart = "always"; # restart when session is closed
   };
+
+  # Don't change (even during upgrades) unless you know what you are doing.
+  # See https://search.nixos.org/options?show=system.stateVersion
+  system.stateVersion = "25.05";
 }

hosts/temmie/configuration.nix

@@ -1,39 +1,24 @@
 { config, fp, pkgs, values, ... }:
 {
   imports = [
-      # Include the results of the hardware scan.
-      ./hardware-configuration.nix
-      (fp /base)
+    # Include the results of the hardware scan.
+    ./hardware-configuration.nix
+    (fp /base)
 
-      ./services/nfs-mounts.nix
-    ];
-
-  # sops.defaultSopsFile = fp /secrets/shark/shark.yaml;
-  # sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
-  # sops.age.keyFile = "/var/lib/sops-nix/key.txt";
-  # sops.age.generateKey = true;
-
-  boot.loader.systemd-boot.enable = true;
-  boot.loader.efi.canTouchEfiVariables = true;
-
-  networking.hostName = "temmie"; # Define your hostname.
+    ./services/nfs-mounts.nix
+    ./services/userweb.nix
+  ];
 
   systemd.network.networks."30-ens18" = values.defaultNetworkConfig // {
     matchConfig.Name = "ens18";
     address = with values.hosts.temmie; [ (ipv4 + "/25") (ipv6 + "/64") ];
   };
 
-  # List packages installed in system profile
-  environment.systemPackages = with pkgs; [
-  ];
+  services.nginx.enable = false;
 
-  # List services that you want to enable:
+  services.qemuGuest.enable = true;
 
-  # This value determines the NixOS release from which the default
-  # settings for stateful data, like file locations and database versions
-  # on your system were taken. It's perfectly fine and recommended to leave
-  # this value at the release version of the first install of this system.
-  # Before changing this value read the documentation for this option
-  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
-  system.stateVersion = "25.11"; # Did you read the comment?
+  # Don't change (even during upgrades) unless you know what you are doing.
+  # See https://search.nixos.org/options?show=system.stateVersion
+  system.stateVersion = "25.11";
 }

hosts/temmie/services/nfs-mounts.nix

@@ -1,21 +1,60 @@
-{ pkgs, lib, ... }:
+{ lib, values, ... }:
+let
+  # See microbel:/etc/exports
+  letters = [ "a" "b" "c" "d"  "h" "i" "j" "k" "l" "m" "z" ];
+in
 {
-  fileSystems = let
-    # See microbel:/etc/exports
-    shorthandAreas = lib.listToAttrs (map
-      (l: lib.nameValuePair "/run/pvv-home-mounts/${l}" "homepvv${l}.pvv.ntnu.no:/export/home/pvv/${l}")
-      [ "a" "b" "c" "d"  "h" "i" "j" "k" "l" "m" "z" ]);
-  in { }
-  //
-  (lib.mapAttrs (_: device: {
-    inherit device;
-    fsType = "nfs";
-    options = [
+  systemd.targets."pvv-homedirs" = {
+    description = "PVV Homedir Partitions";
+  };
+
+  systemd.mounts = map (l: {
+    description = "PVV Homedir Partition ${l}";
+
+    before = [ "remote-fs.target" ];
+    wantedBy = [ "multi-user.target" ];
+    requiredBy = [ "pvv-homedirs.target" ];
+
+    type = "nfs";
+    what = "homepvv${l}.pvv.ntnu.no:/export/home/pvv/${l}";
+    where = "/run/pvv-home-mounts/${l}";
+
+    options = lib.concatStringsSep "," [
       "nfsvers=3"
-      "noauto"
+
+      # NOTE: this is a bit unfortunate. The address above seems to resolve to IPv6 sometimes,
+      #       and it doesn't seem possible to specify proto=tcp,tcp6, meaning we have to tell
+      #       NFS which exact address to use here, despite it being specified in the `what` attr :\
       "proto=tcp"
-      "x-systemd.automount"
-      "x-systemd.idle-timeout=300"
+      "addr=${values.hosts.microbel.ipv4}"
+      "mountproto=tcp"
+      "mounthost=${values.hosts.microbel.ipv4}"
+      "port=2049"
+
+      # NOTE: this is yet more unfortunate. When enabling locking, it will sometimes complain about connection failed.
+      #       dmesg(1) reveals that it has something to do with registering the lockdv1 RPC service (errno: 111), not
+      #       quite sure how to fix it. Living life on dangerous mode for now.
+      "nolock"
+
+      # Don't wait on every read/write
+      "async"
+
+      # Always keep mounted
+      "noauto"
+
+      # We don't want to update access time constantly
+      "noatime"
+
+      # No SUID/SGID, no special devices
+      "nosuid"
+      "nodev"
+
+      # TODO: are there cgi scripts that modify stuff in peoples homedirs?
+      # "ro"
+      "rw"
+
+      # TODO: can we enable this and still run cgi stuff?
+      # "noexec"
     ];
-  }) shorthandAreas);
+  }) letters;
 }

hosts/temmie/services/userweb.nix

@@ -0,0 +1,29 @@
+{ ... }:
+{
+  services.httpd = {
+    enable = true;
+
+    # extraModules = [];
+
+    # virtualHosts."userweb.pvv.ntnu.no" = {
+    virtualHosts."temmie.pvv.ntnu.no" = {
+
+      forceSSL = true;
+      enableACME = true;
+    };
+  };
+
+  systemd.services.httpd = {
+    after = [ "pvv-homedirs.target" ];
+    requires = [ "pvv-homedirs.target" ];
+
+    serviceConfig = {
+      ProtectHome = "tmpfs";
+      BindPaths = let
+        letters = [ "a" "b" "c" "d"  "h" "i" "j" "k" "l" "m" "z" ];
+      in map (l: "/run/pvv-home-mounts/${l}:/home/pvv/${l}") letters;
+    };
+  };
+
+  # TODO: create phpfpm pools with php environments that contain packages similar to those present on tom
+}

hosts/ustetind/configuration.nix

@@ -7,12 +7,7 @@
     ./services/gitea-runners.nix
   ];
 
-  sops.defaultSopsFile = fp /secrets/ustetind/ustetind.yaml;
-  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
-  sops.age.keyFile = "/var/lib/sops-nix/key.txt";
-  sops.age.generateKey = true;
-
-  networking.hostName = "ustetind";
+  boot.loader.systemd-boot.enable = false;
 
   networking.useHostResolvConf = lib.mkForce false;
 
@@ -39,5 +34,7 @@
     };
   };
 
+  # Don't change (even during upgrades) unless you know what you are doing.
+  # See https://search.nixos.org/options?show=system.stateVersion
   system.stateVersion = "24.11";
 }

hosts/wenche/configuration.nix

@@ -14,15 +14,9 @@
     "armv7l-linux"
   ];
 
-  sops.defaultSopsFile = fp /secrets/wenche/wenche.yaml;
-  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
-  sops.age.keyFile = "/var/lib/sops-nix/key.txt";
-  sops.age.generateKey = true;
-
+  boot.loader.systemd-boot.enable = false;
   boot.loader.grub.device = "/dev/sda";
 
-  networking.hostName = "wenche"; # Define your hostname.
-
   systemd.network.networks."30-ens18" = values.defaultNetworkConfig // {
     matchConfig.Name = "ens18";
     address = with values.hosts.wenche; [ (ipv4 + "/25") (ipv6 + "/64") ];
@@ -36,9 +30,9 @@
     package = config.boot.kernelPackages.nvidiaPackages.production;
   };
 
-  # List packages installed in system profile
-  environment.systemPackages = with pkgs; [
-  ];
+  services.qemuGuest.enable = true;
 
-  system.stateVersion = "24.11"; # Did you read the comment?
+  # Don't change (even during upgrades) unless you know what you are doing.
+  # See https://search.nixos.org/options?show=system.stateVersion
+  system.stateVersion = "24.11";
 }

modules/grzegorz.nix

@@ -37,9 +37,13 @@ in {
   services.nginx.enable = true;
   services.nginx.virtualHosts = {
     ${config.networking.fqdn} = {
+      # NOTE: this overrides the default config in base/services/nginx.nix
+      addSSL = false;
       forceSSL = true;
       enableACME = true;
+
       kTLS = true;
+
       serverAliases = [
         "${machine}.pvv.org"
       ];

topology/default.nix

@@ -53,7 +53,7 @@ in {
   nodes.ntnu-pvv-router = mkRouter "NTNU PVV Gateway" {
     interfaceGroups = [ ["wan1"] ["eth1"] ];
     connections.eth1 = mkConnection "knutsen" "em1";
-    interfaces.eth1.network = "pvv";
+    interfaces.eth1.network = "ntnu";
   };
 
   nodes.knutsen = mkRouter "knutsen" {
@@ -82,6 +82,8 @@ in {
         (mkConnection "buskerud" "eth1")
         # (mkConnection "knutsen" "eth1")
         (mkConnection "powerpuff-cluster" "eth1")
+        (mkConnection "powerpuff-cluster" "eth2")
+        (mkConnection "powerpuff-cluster" "eth3")
         (mkConnection "lupine-1" "enp0s31f6")
         (mkConnection "lupine-2" "enp0s31f6")
         (mkConnection "lupine-3" "enp0s31f6")
@@ -139,7 +141,7 @@ in {
 
     hardware.info = "Dell PowerEdge R730 x 3";
 
-    interfaceGroups = [ [ "eth1" ] ];
+    interfaceGroups = [ [ "eth1" "eth2" "eth3" ] ];
 
     services = {
       proxmox = {
@@ -167,6 +169,13 @@ in {
     interfaces.ens18.network = "pvv";
   };
 
+  nodes.temmie = {
+    guestType = "proxmox";
+    parent = config.nodes.powerpuff-cluster.id;
+
+    interfaces.ens18.network = "pvv";
+  };
+
   nodes.ustetind = {
     guestType = "proxmox LXC";
     parent = config.nodes.powerpuff-cluster.id;
@@ -219,7 +228,7 @@ in {
         (mkConnection "demiurgen" "eno1")
         (mkConnection "sanctuary" "ethernet_0")
         (mkConnection "torskas" "eth0")
-        (mkConnection "skrott" "eth0")
+        (mkConnection "skrot" "eth0")
         (mkConnection "homeassistant" "eth0")
         (mkConnection "orchid" "eth0")
         (mkConnection "principal" "em0")
@@ -249,6 +258,12 @@ in {
 
     interfaces.ens4.network = "ntnu";
   };
+  nodes.gluttony = {
+    guestType = "openstack";
+    parent = config.nodes.stackit.id;
+
+    interfaces.ens3.network = "ntnu";
+  };
   nodes.wenche = {
     guestType = "openstack";
     parent = config.nodes.stackit.id;

topology/non-nixos-machines.nix

@@ -290,21 +290,6 @@ in {
     };
   };
 
-  nodes.skrott = mkDevice "skrott" {
-    # TODO: the interface name is likely wrong
-    interfaceGroups = [ [ "eth0" ] ];
-    interfaces.eth0 = {
-      # mac = "";
-      addresses = [
-        "129.241.210.235"
-      ];
-      gateways = [
-        values.hosts.gateway
-        values.hosts.gateway6
-      ];
-    };
-  };
-
   nodes.torskas = mkDevice "torskas" {
     deviceIcon = "${pkgs.super-tiny-icons}/share/icons/SuperTinyIcons/svg/arch_linux.svg";
 

values.nix

@@ -69,10 +69,18 @@ in rec {
       ipv4 = pvv-ipv4 223;
       ipv6 = pvv-ipv6 223;
     };
+    microbel = {
+      ipv4 = pvv-ipv4 179;
+      ipv6 = pvv-ipv6 "1:2";
+    };
     ustetind = {
       ipv4 = pvv-ipv4 234;
       ipv6 = pvv-ipv6 234;
     };
+    skrott = {
+      ipv4 = pvv-ipv4 235;
+      ipv6 = pvv-ipv6 235;
+    };
     temmie = {
       ipv4 = pvv-ipv4 167;
       ipv6 = pvv-ipv6 167;