bicep/postgres: bindmount datadir

New backup server just dropped!
This server is awfully slow, and the mdraid setup is awfully slow, and I doubt that this will be a good experience, but we now have a backup server again?

- Tried Disko and nixos-anywhere
- Tried using mdraid
- Found that md is ancient and bad
- Found that disko is 100% extra steps, and a lot more complicated and noisy than just formatting your disks yourself
- Found that systemd-boot doesn't support mdraid
- Found that we probably don't need to mirror the boot partition :)
- Found that old hardware is slow
- Found that old hardware can have poor support for iPXE with UEFI, and might do weird BIOS stuff on you when you least expect it
- Reaffirmed that zfs is love

Current disk layout:
- mdraid for boot/root disk
    - 4TB WD Red with 500MiB ESP with systemd-boot, Remaining mdraid - Old?
    - 4TB WD Red with 500MiB Unused partition, Remaining mdraid - Old?
- zfs pool "tank" for the actual backup data
    - 8TB Toshiba MG08 - New
    - 8TB Exos 7E10 - New

TODO:

- Document the death of Toriel on the wiki
- Document Bakke on the wiki
  - ... describing the poco loco disk layout
- Start backing stuff up
  - Restic? Borg? Rsync?
  - Make backup retention policy and zfs snapshot system
  - Document backup procedures

Reviewed-on: https://git.pvv.ntnu.no/Drift/pvv-nixos-config/pulls/87
Co-authored-by: Felix Albrigtsen <felix@albrigtsen.it>
Co-committed-by: Felix Albrigtsen <felix@albrigtsen.it>

.gitea/workflows/eval.yml

@@ -4,10 +4,10 @@ on:
   push:
 jobs:
   evals:
-    runs-on: ubuntu-latest
+    runs-on: debian-latest
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v6
     - run: apt-get update && apt-get -y install sudo
-    - uses: https://github.com/cachix/install-nix-action@v23
+    - uses: https://github.com/cachix/install-nix-action@v31
     - run: echo -e "show-trace = true\nmax-jobs = auto\ntrusted-users = root\nexperimental-features = nix-command flakes\nbuild-users-group =" > /etc/nix/nix.conf
     - run: nix flake check

.mailmap

@@ -0,0 +1,25 @@
+Daniel Løvbrøtte Olsen <danio@pvv.ntnu.no> <daniel.olsen99@gmail.com>
+Daniel Løvbrøtte Olsen <danio@pvv.ntnu.no> Daniel <danio@pvv.ntnu.no>
+Daniel Løvbrøtte Olsen <danio@pvv.ntnu.no> Daniel Lovbrotte Olsen <danio@pvv.ntnu.no>
+Daniel Løvbrøtte Olsen <danio@pvv.ntnu.no> Daniel Olsen <danio@pvv.ntnu.no>
+Daniel Løvbrøtte Olsen <danio@pvv.ntnu.no> danio <danio@pvv.ntnu.no>
+Daniel Løvbrøtte Olsen <danio@pvv.ntnu.no> Daniel Olsen <danio@bicep.pvv.ntnu.no>
+
+
+Øystein Kristoffer Tveit <oysteikt@pvv.ntnu.no> h7x4 <h7x4@nani.wtf>
+Øystein Kristoffer Tveit <oysteikt@pvv.ntnu.no> Øystein Tveit <oysteikt@pvv.ntnu.no>
+Øystein Kristoffer Tveit <oysteikt@pvv.ntnu.no> oysteikt <oysteikt@pvv.ntnu.no>
+Øystein Kristoffer Tveit <oysteikt@pvv.ntnu.no> Øystein <oysteikt@pvv.org>
+Øystein Kristoffer Tveit <oysteikt@pvv.ntnu.no> Oystein Kristoffer Tveit <oysteikt@pvv.ntnu.no>
+
+Felix Albrigtsen <felixalb@pvv.ntnu.no> <felix@albrigtsen.it>
+Felix Albrigtsen <felixalb@pvv.ntnu.no> <felixalbrigtsen@gmail.com>
+Felix Albrigtsen <felixalb@pvv.ntnu.no> felixalb <felixalb@pvv.ntnu.no>
+
+Peder Bergebakken Sundt <pederbs@pvv.ntnu.no> <pbsds@hotmail.com>
+
+Adrian Gunnar Lauterer <adriangl@pvv.ntnu.no> Adrian G L <adrian@lauterer.it>
+Adrian Gunnar Lauterer <adriangl@pvv.ntnu.no> Adrian Gunnar Lauterer <adrian@lauterer.it>
+
+Fredrik Robertsen <frero@pvv.ntnu.no> frero <frero@pvv.ntnu.no>
+Fredrik Robertsen <frero@pvv.ntnu.no> fredrikr79 <fredrikrobertsen7@gmail.com>

.sops.yaml

@@ -1,19 +1,25 @@
 keys:
   # Users
-  - &user_danio age17tagmpwqjk3mdy45rfesrfey6h863x8wfq38wh33tkrlrywxducs0k6tpq
+  - &user_danio age1ug30gg4y7ftuya0wdv7q0vh4egn00wlv2th7mt7cgc2ze46wmvyq9lq6ge
+  - &user_eirikwit age1ju7rd26llahz3g8tz7cy5ld52swj8gsmg0flrmrxngc0nj0avq3ssh0sn5
   - &user_felixalb age1mrnldl334l2nszuta6ywvewng0fswv2dz9l5g4qcwe3nj4yxf92qjskdx6
   - &user_oysteikt F7D37890228A907440E1FD4846B9228E814A2AAC
-  - &user_eirikwit age1ju7rd26llahz3g8tz7cy5ld52swj8gsmg0flrmrxngc0nj0avq3ssh0sn5
-  - &user_pederbs_sopp age1hmpdk4h69wxpwqk9tkud39f66hprhehxtzhgw97r6dvr7v0mx5jscsuhkn
-  - &user_pederbs_nord age1wrssr4z4g6vl3fd3qme5cewchmmhm0j2xe6wf2meu4r6ycn37anse98mfs
   - &user_pederbs_bjarte age1zhxul786an743u0fascv4wtc5xduu7qfy803lfs539yzhgmlq5ds2lznt5
+  - &user_pederbs_nord age1wrssr4z4g6vl3fd3qme5cewchmmhm0j2xe6wf2meu4r6ycn37anse98mfs
+  - &user_pederbs_sopp age1hmpdk4h69wxpwqk9tkud39f66hprhehxtzhgw97r6dvr7v0mx5jscsuhkn
 
   # Hosts
-  - &host_jokum age1gp8ye4g2mmw3may5xg0zsy7mm04glfz3788mmdx9cvcsdxs9hg0s0cc9kt
-  - &host_ildkule age1x28hmzvuv6f2n66c0jtqcca3h9rput8d7j5uek6jcpx8n9egd52sqpejq0
+  - &host_bakke age1syted6kt48sumjjucggh6r3uca4x2ppp4mfungf3lamkt2le05csc99633
   - &host_bekkalokk age12nj59tguy9wg882updc2vjdusx5srnxmjyfaqve4zx6jnnsaw3qsyjq6zd
-  - &host_bicep age1sl43gc9cw939z5tgha2lpwf0xxxgcnlw7w4xem4sqgmt2pt264vq0dmwx2
-  - &host_kvernberg age19rlntxt0m27waa0n288g9wgpksa6ndlzz8eneeqya7w3zd7may0sqzhcvz
+  - &host_bicep age19nk55kcs7s0358jpkn75xnr57dfq6fq3p43nartvsprx0su22v7qcgcjdx
+  - &host_ildkule age1x28hmzvuv6f2n66c0jtqcca3h9rput8d7j5uek6jcpx8n9egd52sqpejq0
+  - &host_kommode age1mt4d0hg5g76qp7j0884llemy0k2ymr5up8vfudz6vzvsflk5nptqqd32ly
+  - &host_lupine-1 age1fkrypl6fu4ldsa7te4g3v4qsegnk7sd6qhkquuwzh04vguy96qus08902e
+  - &host_lupine-2 age1mu0ej57n4s30ghealhyju3enls83qyjua69986la35t2yh0q2s0seruz5n
+  - &host_lupine-3 age1j2u876z8hu87q5npfxzzpfgllyw8ypj66d7cgelmzmnrf3xud34qzkntp9
+  - &host_lupine-4 age1t8zlawqkmhye737pn8yx0z3p9cl947d9ktv2cajdc6hnvn52d3fsc59s2k
+  - &host_lupine-5 age199zkqq4jp4yc3d0hx2q0ksxdtp42xhmjsqwyngh8tswuck34ke3smrfyqu
+  - &host_ustetind age1hffjafs4slznksefmtqrlj7rdaqgzqncn4un938rhr053237ry8s3rs0v8
 
 creation_rules:
   # Global secrets
@@ -44,6 +50,18 @@ creation_rules:
       pgp:
       - *user_oysteikt
 
+  - path_regex: secrets/kommode/[^/]+\.yaml$
+    key_groups:
+    - age:
+      - *host_kommode
+      - *user_danio
+      - *user_felixalb
+      - *user_pederbs_sopp
+      - *user_pederbs_nord
+      - *user_pederbs_bjarte
+      pgp:
+      - *user_oysteikt
+
   - path_regex: secrets/jokum/[^/]+\.yaml$
     key_groups:
     - age:
@@ -79,9 +97,43 @@ creation_rules:
       - *user_pederbs_bjarte
       pgp:
       - *user_oysteikt
-  
-  - path_regex: secrets/kvernberg/[^/]+$
+
+  - path_regex: secrets/ustetind/[^/]+\.yaml$
     key_groups:
-      - age:
-          - *host_kvernberg
-          - *user_danio
+    - age:
+      - *host_ustetind
+      - *user_danio
+      - *user_felixalb
+      - *user_pederbs_sopp
+      - *user_pederbs_nord
+      - *user_pederbs_bjarte
+      pgp:
+      - *user_oysteikt
+
+  - path_regex: secrets/lupine/[^/]+\.yaml$
+    key_groups:
+    - age:
+      - *host_lupine-1
+      - *host_lupine-2
+      - *host_lupine-3
+      - *host_lupine-4
+      - *host_lupine-5
+      - *user_danio
+      - *user_felixalb
+      - *user_pederbs_sopp
+      - *user_pederbs_nord
+      - *user_pederbs_bjarte
+      pgp:
+      - *user_oysteikt
+
+  - path_regex: secrets/bakke/[^/]+\.yaml$
+    key_groups:
+    - age:
+      - *host_bakke
+      - *user_danio
+      - *user_felixalb
+      - *user_pederbs_sopp
+      - *user_pederbs_nord
+      - *user_pederbs_bjarte
+      pgp:
+      - *user_oysteikt

base/default.nix

@@ -1,4 +1,9 @@
-{ pkgs, lib, fp, ... }:
+{
+  pkgs,
+  lib,
+  fp,
+  ...
+}:
 
 {
   imports = [
@@ -7,9 +12,14 @@
 
     ./networking.nix
     ./nix.nix
+    ./vm.nix
+    ./flake-input-exporter.nix
 
     ./services/acme.nix
+    ./services/uptimed.nix
     ./services/auto-upgrade.nix
+    ./services/dbus.nix
+    ./services/fwupd.nix
     ./services/irqbalance.nix
     ./services/logrotate.nix
     ./services/nginx.nix
@@ -17,9 +27,12 @@
     ./services/postfix.nix
     ./services/smartd.nix
     ./services/thermald.nix
+    ./services/userborn.nix
+    ./services/userdbd.nix
   ];
 
   boot.tmp.cleanOnBoot = lib.mkDefault true;
+  boot.kernelPackages = lib.mkDefault pkgs.linuxPackages_latest;
 
   time.timeZone = "Europe/Oslo";
 
@@ -45,8 +58,22 @@
     kitty.terminfo
   ];
 
+  # .bash_profile already works, but lets also use .bashrc like literally every other distro
+  # https://man.archlinux.org/man/core/bash/bash.1.en#INVOCATION
+  # home-manager usually handles this for you: https://github.com/nix-community/home-manager/blob/22a36aa709de7dd42b562a433b9cefecf104a6ee/modules/programs/bash.nix#L203-L209
+  # btw, programs.bash.shellInit just goes into environment.shellInit which in turn goes into /etc/profile, spooky shit
+  programs.bash.shellInit = ''
+    if [ -n "''${BASH_VERSION:-}" ]; then
+      if [[ ! -f ~/.bash_profile && ! -f ~/.bash_login ]]; then
+       [[ -f ~/.bashrc ]] && . ~/.bashrc
+      fi
+    fi
+  '';
+
   programs.zsh.enable = true;
 
+  # security.lockKernelModules = true;
+  security.protectKernelImage = true;
   security.sudo.execWheelOnly = true;
   security.sudo.extraConfig = ''
     Defaults lecture = never
@@ -57,4 +84,3 @@
   # Trusted users on the nix builder machines
   users.groups."nix-builder-users".name = "nix-builder-users";
 }
-

base/flake-input-exporter.nix

@@ -0,0 +1,55 @@
+{
+  config,
+  inputs,
+  lib,
+  pkgs,
+  values,
+  ...
+}:
+let
+  data = lib.flip lib.mapAttrs inputs (
+    name: input: {
+      inherit (input)
+        lastModified
+        ;
+    }
+  );
+  folder = pkgs.writeTextDir "share/flake-inputs" (
+    lib.concatMapStringsSep "\n" (
+      { name, value }: ''nixos_last_modified_input{flake="${name}"} ${toString value.lastModified}''
+    ) (lib.attrsToList data)
+  );
+  port = 9102;
+in
+{
+  services.nginx.virtualHosts."${config.networking.fqdn}-nixos-metrics" = {
+    serverName = config.networking.fqdn;
+    serverAliases = [
+      "${config.networking.hostName}.pvv.org"
+    ];
+    locations."/metrics" = {
+      root = "${folder}/share";
+      tryFiles = "/flake-inputs =404";
+      extraConfig = ''
+        default_type text/plain;
+      '';
+    };
+    listen = [
+      {
+        inherit port;
+        addr = "0.0.0.0";
+      }
+    ];
+    extraConfig = ''
+      allow ${values.hosts.ildkule.ipv4}/32;
+      allow ${values.hosts.ildkule.ipv6}/128;
+      allow 127.0.0.1/32;
+      allow ::1/128;
+      allow ${values.ipv4-space};
+      allow ${values.ipv6-space};
+      deny all;
+    '';
+  };
+
+  networking.firewall.allowedTCPPorts = [ port ];
+}

base/nix.nix

@@ -1,16 +1,17 @@
-{ inputs, ... }:
+{ lib, config, inputs, ... }:
 {
   nix = {
     gc = {
       automatic = true;
       options = "--delete-older-than 2d";
     };
+    optimise.automatic = true;
 
     settings = {
       allow-dirty = true;
-      auto-optimise-store = true;
+      auto-allocate-uids = true;
       builders-use-substitutes = true;
-      experimental-features = [ "nix-command" "flakes" ];
+      experimental-features = [ "nix-command" "flakes" "auto-allocate-uids" ];
       log-lines = 50;
       use-xdg-base-directories = true;
     };
@@ -21,11 +22,16 @@
     ** use the same channel the system
     ** was built with
     */
-    registry = {
-      "nixpkgs".flake = inputs.nixpkgs;
-      "nixpkgs-unstable".flake = inputs.nixpkgs-unstable;
-      "pvv-nix".flake = inputs.self;
-    };
+    registry = lib.mkMerge [
+      {
+        "nixpkgs".flake = inputs.nixpkgs;
+        "nixpkgs-unstable".flake = inputs.nixpkgs-unstable;
+      }
+      # We avoid the reference to self in vmVariant to get a stable system .outPath for equivalence testing
+      (lib.mkIf (!config.virtualisation.isVmVariant) {
+        "pvv-nix".flake = inputs.self;
+      })
+    ];
     nixPath = [
       "nixpkgs=${inputs.nixpkgs}"
       "unstable=${inputs.nixpkgs-unstable}"

base/services/auto-upgrade.nix

@@ -1,26 +1,39 @@
-{ inputs, pkgs, lib, ... }:
+{ config, inputs, pkgs, lib, ... }:
+
+let
+  inputUrls = lib.mapAttrs (input: value: value.url) (import "${inputs.self}/flake.nix").inputs;
+in
+
 {
   system.autoUpgrade = {
     enable = true;
-    flake = "git+https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git?ref=pvvvvv";
+    flake = "git+https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git";
     flags = [
-      # --update-input is deprecated since nix 2.22, and removed in lix 2.90
-      # https://git.lix.systems/lix-project/lix/issues/400
       "--refresh"
-      "--override-input" "nixpkgs" "github:NixOS/nixpkgs/refs/pull/332699/merge"
-      "--override-input" "nixpkgs-unstable" "github:nixos/nixpkgs/nixos-unstable-small"
       "--no-write-lock-file"
-    ];
+      # --update-input is deprecated since nix 2.22, and removed in lix 2.90
+      # as such we instead use --override-input combined with --refresh
+      # https://git.lix.systems/lix-project/lix/issues/400
+    ] ++ (lib.pipe inputUrls [
+      (lib.intersectAttrs {
+        nixpkgs = { };
+        nixpkgs-unstable = { };
+      })
+      (lib.mapAttrsToList (input: url: ["--override-input" input url]))
+      lib.concatLists
+    ]);
   };
 
   # workaround for https://github.com/NixOS/nix/issues/6895
   # via https://git.lix.systems/lix-project/lix/issues/400
-  environment.etc."current-system-flake-inputs.json".source
-    = pkgs.writers.writeJSON "flake-inputs.json" (
-      lib.flip lib.mapAttrs inputs (name: input:
-        # inputs.*.sourceInfo sans outPath, since writeJSON will otherwise serialize sourceInfo like a derivation
-        lib.removeAttrs (input.sourceInfo or {}) [ "outPath" ]
-          // { store-path = input.outPath; } # comment this line if you don't want to retain a store reference to the flake inputs
-      )
-    );
+  environment.etc = lib.mkIf (!config.virtualisation.isVmVariant) {
+    "current-system-flake-inputs.json".source
+      = pkgs.writers.writeJSON "flake-inputs.json" (
+        lib.flip lib.mapAttrs inputs (name: input:
+          # inputs.*.sourceInfo sans outPath, since writeJSON will otherwise serialize sourceInfo like a derivation
+          lib.removeAttrs (input.sourceInfo or {}) [ "outPath" ]
+            // { store-path = input.outPath; } # comment this line if you don't want to retain a store reference to the flake inputs
+        )
+      );
+  };
 }

base/services/dbus.nix

@@ -0,0 +1,7 @@
+{ ... }:
+{
+  services.dbus = {
+    enable = true;
+    implementation = "broker";
+  };
+}

base/services/fwupd.nix

@@ -0,0 +1,4 @@
+{ ... }:
+{
+  services.fwupd.enable = true;
+}

base/services/logrotate.nix

@@ -1,41 +1,8 @@
 { ... }:
 {
-  # source: https://github.com/logrotate/logrotate/blob/main/examples/logrotate.service
   systemd.services.logrotate = {
     documentation = [ "man:logrotate(8)" "man:logrotate.conf(5)" ];
     unitConfig.RequiresMountsFor = "/var/log";
-    serviceConfig = {
-      Nice = 19;
-      IOSchedulingClass = "best-effort";
-      IOSchedulingPriority = 7;
-
-      ReadWritePaths = [ "/var/log" ];
-
-      AmbientCapabilities = [ "" ];
-      CapabilityBoundingSet = [ "" ];
-      DeviceAllow = [ "" ];
-      LockPersonality = true;
-      MemoryDenyWriteExecute = true;
-      NoNewPrivileges = true; # disable for third party rotate scripts
-      PrivateDevices = true;
-      PrivateNetwork = true; # disable for mail delivery
-      PrivateTmp = true;
-      ProtectClock = true;
-      ProtectControlGroups = true;
-      ProtectHome = true; # disable for userdir logs
-      ProtectHostname = true;
-      ProtectKernelLogs = true;
-      ProtectKernelModules = true;
-      ProtectKernelTunables = true;
-      ProtectProc = "invisible";
-      ProtectSystem = "full";
-      RestrictNamespaces = true;
-      RestrictRealtime = true;
-      SocketBindDeny = [ "any" ];
-      SystemCallArchitectures = "native";
-      SystemCallFilter = [
-        "@system-service"
-      ];
-    };
+    serviceConfig.ReadWritePaths = [ "/var/log" ];
   };
 }

base/services/nginx.nix

@@ -20,19 +20,23 @@
     recommendedGzipSettings = true;
 
     appendConfig = ''
-      pcre_jit on;
+      # pcre_jit on;
       worker_processes auto;
       worker_rlimit_nofile 100000;
     '';
     eventsConfig = ''
       worker_connections 2048;
       use epoll;
-      multi_accept on;
+      # multi_accept on;
     '';
   };
 
   systemd.services.nginx.serviceConfig = lib.mkIf config.services.nginx.enable {
     LimitNOFILE = 65536;
+    # We use jit my dudes
+    MemoryDenyWriteExecute = lib.mkForce false;
+    # What the fuck do we use that where the defaults are not enough???
+    SystemCallFilter = lib.mkForce null;
   };
 
   services.nginx.virtualHosts."_" = lib.mkIf config.services.nginx.enable {
@@ -41,4 +45,4 @@
     addSSL = true;
     extraConfig = "return 444;";
   };
-}
+}

base/services/postfix.nix

@@ -6,18 +6,17 @@ in
   services.postfix = {
     enable = true;
 
-    hostname = "${config.networking.hostName}.pvv.ntnu.no";
-    domain = "pvv.ntnu.no";
+    settings.main = {
+      myhostname = "${config.networking.hostName}.pvv.ntnu.no";
+      mydomain = "pvv.ntnu.no";
 
-    relayHost = "smtp.pvv.ntnu.no";
-    relayPort = 465;
+      # Nothing should be delivered to this machine
+      mydestination = [ ];
+
+      relayhost = [ "smtp.pvv.ntnu.no:465" ];
 
-    config = {
       smtp_tls_wrappermode = "yes";
       smtp_tls_security_level = "encrypt";
     };
-
-    # Nothing should be delivered to this machine
-    destination = [ ];
   };
-}
+}

base/services/smartd.nix

@@ -1,8 +1,20 @@
 { config, pkgs, lib, ... }:
 {
-  services.smartd.enable = lib.mkDefault true;
+  services.smartd = {
+    enable = lib.mkDefault true;
+    notifications = {
+      mail = {
+        enable = true;
+        sender = "root@pvv.ntnu.no";
+        recipient = "root@pvv.ntnu.no";
+      };
+      wall.enable = false;
+    };
+  };
 
   environment.systemPackages = lib.optionals config.services.smartd.enable (with pkgs; [
     smartmontools
   ]);
-}
+
+  systemd.services.smartd.unitConfig.ConditionVirtualization = "no";
+}

base/services/uptimed.nix

@@ -0,0 +1,59 @@
+{ config, pkgs, lib, ... }:
+let
+  cfg = config.services.uptimed;
+in
+{
+  options.services.uptimed.settings = lib.mkOption {
+    description = "";
+    default = { };
+    type = lib.types.submodule {
+      freeformType = with lib.types; attrsOf (either str (listOf str));
+    };
+  };
+
+  config = {
+    services.uptimed = {
+      enable = true;
+
+      settings = let
+        stateDir = "/var/lib/uptimed";
+      in {
+        PIDFILE = "${stateDir}/pid";
+        SENDMAIL = lib.mkDefault "${pkgs.system-sendmail}/bin/sendmail -t";
+      };
+    };
+
+    systemd.services.uptimed = lib.mkIf (cfg.enable) {
+      serviceConfig = let
+        uptimed = pkgs.uptimed.overrideAttrs (prev: {
+          postPatch = ''
+             substituteInPlace Makefile.am \
+               --replace-fail '$(sysconfdir)/uptimed.conf' '/var/lib/uptimed/uptimed.conf'
+             substituteInPlace src/Makefile.am \
+               --replace-fail '$(sysconfdir)/uptimed.conf' '/var/lib/uptimed/uptimed.conf'
+          '';
+        });
+
+      in {
+        Type = "notify";
+
+        ExecStart = lib.mkForce "${uptimed}/sbin/uptimed -f";
+
+        BindReadOnlyPaths = let
+          configFile = lib.pipe cfg.settings [
+            (lib.mapAttrsToList
+              (k: v:
+                if builtins.isList v
+                  then lib.mapConcatStringsSep "\n" (v': "${k}=${v'}") v
+                  else "${k}=${v}")
+            )
+            (lib.concatStringsSep "\n")
+            (pkgs.writeText "uptimed.conf")
+          ];
+        in [
+          "${configFile}:/var/lib/uptimed/uptimed.conf"
+        ];
+      };
+    };
+  };
+}

base/services/userborn.nix

@@ -0,0 +1,4 @@
+{ ... }:
+{
+  services.userborn.enable = true;
+}

base/services/userdbd.nix

@@ -0,0 +1,4 @@
+{ ... }:
+{
+  services.userdbd.enable = true;
+}

base/vm.nix

@@ -0,0 +1,15 @@
+{ lib, ... }:
+
+# This enables
+#     lib.mkIf (!config.virtualisation.isVmVariant) { ... }
+
+{
+  options.virtualisation.isVmVariant = lib.mkOption {
+    description = "`true` if system is build with 'nixos-rebuild build-vm'";
+    type = lib.types.bool;
+    default = false;
+  };
+  config.virtualisation.vmVariant = {
+    virtualisation.isVmVariant = true;
+  };
+}

flake.lock

@@ -7,11 +7,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1731746438,
-        "narHash": "sha256-f3SSp1axoOk0NAI7oFdRzbxG2XPBSIXC+/DaAXnvS1A=",
+        "lastModified": 1764627417,
+        "narHash": "sha256-D6xc3Rl8Ab6wucJWdvjNsGYGSxNjQHzRc2EZ6eeQ6l4=",
         "owner": "nix-community",
         "repo": "disko",
-        "rev": "cb64993826fa7a477490be6ccb38ba1fa1e18fa8",
+        "rev": "5a88a6eceb8fd732b983e72b732f6f4b8269bef3",
         "type": "github"
       },
       "original": {
@@ -20,6 +20,26 @@
         "type": "github"
       }
     },
+    "gergle": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1764868579,
+        "narHash": "sha256-rfTUOIc0wnC4+19gLVfPbHfXx/ilfuUix6bWY+yaM2U=",
+        "ref": "refs/heads/main",
+        "rev": "9c923d1d50daa6a3b28c3214ad2300bfaf6c8fcd",
+        "revCount": 22,
+        "type": "git",
+        "url": "https://git.pvv.ntnu.no/Grzegorz/gergle.git"
+      },
+      "original": {
+        "type": "git",
+        "url": "https://git.pvv.ntnu.no/Grzegorz/gergle.git"
+      }
+    },
     "greg-ng": {
       "inputs": {
         "nixpkgs": [
@@ -28,17 +48,17 @@
         "rust-overlay": "rust-overlay"
       },
       "locked": {
-        "lastModified": 1730249639,
-        "narHash": "sha256-G3URSlqCcb+GIvGyki+HHrDM5ZanX/dP9BtppD/SdfI=",
+        "lastModified": 1764868843,
+        "narHash": "sha256-ZXYLXKO+VjAJr2f5zz+7SuKFICfI2eZnmTgS/626YE0=",
         "ref": "refs/heads/main",
-        "rev": "80e0447bcb79adad4f459ada5610f3eae987b4e3",
-        "revCount": 34,
+        "rev": "c095533c50e80dd18ac48046f1479cf4d83c631c",
+        "revCount": 52,
         "type": "git",
-        "url": "https://git.pvv.ntnu.no/Projects/greg-ng.git"
+        "url": "https://git.pvv.ntnu.no/Grzegorz/greg-ng.git"
       },
       "original": {
         "type": "git",
-        "url": "https://git.pvv.ntnu.no/Projects/greg-ng.git"
+        "url": "https://git.pvv.ntnu.no/Grzegorz/greg-ng.git"
       }
     },
     "grzegorz-clients": {
@@ -48,17 +68,17 @@
         ]
       },
       "locked": {
-        "lastModified": 1726861934,
-        "narHash": "sha256-lOzPDwktd+pwszUTbpUdQg6iCzInS11fHLfkjmnvJrM=",
+        "lastModified": 1764867811,
+        "narHash": "sha256-UWHiwr8tIcGcVxMLvAdNxDbQ8QuHf3REHboyxvFkYEI=",
         "ref": "refs/heads/master",
-        "rev": "546d921ec46735dbf876e36f4af8df1064d09432",
-        "revCount": 78,
+        "rev": "c9983e947efe047ea9d6f97157a1f90e49d0eab3",
+        "revCount": 81,
         "type": "git",
-        "url": "https://git.pvv.ntnu.no/Projects/grzegorz-clients.git"
+        "url": "https://git.pvv.ntnu.no/Grzegorz/grzegorz-clients.git"
       },
       "original": {
         "type": "git",
-        "url": "https://git.pvv.ntnu.no/Projects/grzegorz-clients.git"
+        "url": "https://git.pvv.ntnu.no/Grzegorz/grzegorz-clients.git"
       }
     },
     "matrix-next": {
@@ -68,33 +88,58 @@
         ]
       },
       "locked": {
-        "lastModified": 1727410897,
-        "narHash": "sha256-tWsyxvf421ieWUJYgjV7m1eTdr2ZkO3vId7vmtvfFpQ=",
+        "lastModified": 1764844095,
+        "narHash": "sha256-Drf1orxsmFDzO+UbPo85gHjXW7QzAM+6oTPvI7vOSik=",
         "owner": "dali99",
         "repo": "nixos-matrix-modules",
-        "rev": "ff787d410cba17882cd7b6e2e22cc88d4064193c",
+        "rev": "25b9f31ef1dbc3987b4c716de716239f2b283701",
         "type": "github"
       },
       "original": {
         "owner": "dali99",
-        "ref": "v0.6.1",
+        "ref": "v0.8.0",
         "repo": "nixos-matrix-modules",
         "type": "github"
       }
     },
-    "minecraft-data": {
+    "minecraft-heatmap": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
       "locked": {
-        "lastModified": 1725277886,
-        "narHash": "sha256-Fw4VbbE3EfypQWSgPDFfvVH47BHeg3ptsO715NlUM8Q=",
-        "ref": "refs/heads/master",
-        "rev": "1b4087bd3322a2e2ba84271c8fcc013e6b641a58",
-        "revCount": 2,
+        "lastModified": 1756124334,
+        "narHash": "sha256-DXFmSpgI8FrqcdqY7wg5l/lpssWjslHq5ufvyp/5k4o=",
+        "ref": "refs/heads/main",
+        "rev": "83760b1ebcd9722ddf58a4117d29555da65538ad",
+        "revCount": 13,
         "type": "git",
-        "url": "https://git.pvv.ntnu.no/Drift/minecraft-data.git"
+        "url": "https://git.pvv.ntnu.no/Projects/minecraft-heatmap.git"
       },
       "original": {
         "type": "git",
-        "url": "https://git.pvv.ntnu.no/Drift/minecraft-data.git"
+        "url": "https://git.pvv.ntnu.no/Projects/minecraft-heatmap.git"
+      }
+    },
+    "minecraft-kartverket": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1765903589,
+        "narHash": "sha256-JRLmckeM4G2hkH2V3VdfjHrrsWgJ8j7rZDYYjHTkRqA=",
+        "ref": "refs/heads/main",
+        "rev": "7c86d342e68506fcd83cb74af3336f99ff522a0a",
+        "revCount": 24,
+        "type": "git",
+        "url": "https://git.pvv.ntnu.no/Projects/minecraft-kartverket.git"
+      },
+      "original": {
+        "type": "git",
+        "url": "https://git.pvv.ntnu.no/Projects/minecraft-kartverket.git"
       }
     },
     "nix-gitea-themes": {
@@ -104,65 +149,43 @@
         ]
       },
       "locked": {
-        "lastModified": 1714416973,
-        "narHash": "sha256-aZUcvXjdETUC6wVQpWDVjLUzwpDAEca8yR0ITDeK39o=",
+        "lastModified": 1743881366,
+        "narHash": "sha256-ScGA2IHPk9ugf9bqEZnp+YB/OJgrkZblnG/XLEKvJAo=",
         "ref": "refs/heads/main",
-        "rev": "2b23c0ba8aae68d3cb6789f0f6e4891cef26cc6d",
-        "revCount": 6,
+        "rev": "db2e4becf1b11e5dfd33de12a90a7d089fcf68ec",
+        "revCount": 11,
         "type": "git",
-        "url": "https://git.pvv.ntnu.no/oysteikt/nix-gitea-themes.git"
+        "url": "https://git.pvv.ntnu.no/Drift/nix-gitea-themes.git"
       },
       "original": {
         "type": "git",
-        "url": "https://git.pvv.ntnu.no/oysteikt/nix-gitea-themes.git"
+        "url": "https://git.pvv.ntnu.no/Drift/nix-gitea-themes.git"
       }
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1731779898,
-        "narHash": "sha256-oxxCrYZM0WNRoaokDyVXcPIlTc8Z2yX4QjKbgXGI3IM=",
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "9972661139e27eed0237df4dde34839e09028cd5",
-        "type": "github"
+        "lastModified": 1764806471,
+        "narHash": "sha256-Qk0SArnS83KqyS9wNt1YoTkkYKDraNrjRWKUtB9DKoM=",
+        "rev": "6707b1809330d0f912f5813963bb29f6f194ee81",
+        "type": "tarball",
+        "url": "https://releases.nixos.org/nixos/25.11-small/nixos-25.11.896.6707b1809330/nixexprs.tar.xz"
       },
       "original": {
-        "owner": "NixOS",
-        "ref": "refs/pull/332699/merge",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
-    },
-    "nixpkgs-stable": {
-      "locked": {
-        "lastModified": 1730602179,
-        "narHash": "sha256-efgLzQAWSzJuCLiCaQUCDu4NudNlHdg2NzGLX5GYaEY=",
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "3c2f1c4ca372622cb2f9de8016c9a0b1cbd0f37c",
-        "type": "github"
-      },
-      "original": {
-        "owner": "NixOS",
-        "ref": "release-24.05",
-        "repo": "nixpkgs",
-        "type": "github"
+        "type": "tarball",
+        "url": "https://nixos.org/channels/nixos-25.11-small/nixexprs.tar.xz"
       }
     },
     "nixpkgs-unstable": {
       "locked": {
-        "lastModified": 1731745710,
-        "narHash": "sha256-SVeiClbgqL071JpAspOu0gCkPSAL51kSIRwo4C/pghA=",
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "dfaa4cb76c2d450d8f396bb6b9f43cede3ade129",
-        "type": "github"
+        "lastModified": 1764854611,
+        "narHash": "sha256-MVzFp4ZKwdh6U1wy4fJe/GY3Hb4cvvyJbAZOhaeBQoo=",
+        "rev": "3a4b875aef660bbd148e86b92cffea2a360c3275",
+        "type": "tarball",
+        "url": "https://releases.nixos.org/nixos/unstable-small/nixos-26.05pre906534.3a4b875aef66/nixexprs.tar.xz"
       },
       "original": {
-        "owner": "NixOS",
-        "ref": "nixos-unstable-small",
-        "repo": "nixpkgs",
-        "type": "github"
+        "type": "tarball",
+        "url": "https://nixos.org/channels/nixos-unstable-small/nixexprs.tar.xz"
       }
     },
     "pvv-calendar-bot": {
@@ -172,11 +195,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1723850344,
-        "narHash": "sha256-aT37O9l9eclWEnqxASVNBL1dKwDHZUOqdbA4VO9DJvw=",
+        "lastModified": 1764869785,
+        "narHash": "sha256-FGTIpC7gB4lbeL0bfYzn1Ge0PaCpd7VqWBLhJBx0i4A=",
         "ref": "refs/heads/main",
-        "rev": "38b66677ab8c01aee10cd59e745af9ce3ea88092",
-        "revCount": 19,
+        "rev": "8ce7fb0b1918bdb3d1489a40d73895693955e8b2",
+        "revCount": 23,
         "type": "git",
         "url": "https://git.pvv.ntnu.no/Projects/calendar-bot.git"
       },
@@ -192,11 +215,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1725212759,
-        "narHash": "sha256-yZBsefIarFUEhFRj+rCGMp9Zvag3MCafqV/JfGVRVwc=",
-        "ref": "refs/heads/master",
-        "rev": "e7b66b4bc6a89bab74bac45b87e9434f5165355f",
-        "revCount": 473,
+        "lastModified": 1757332682,
+        "narHash": "sha256-4p4aVQWs7jHu3xb6TJlGik20lqbUU/Fc0/EHpzoRlO0=",
+        "ref": "refs/heads/main",
+        "rev": "da1113341ad9881d8d333d1e29790317bd7701e7",
+        "revCount": 518,
         "type": "git",
         "url": "https://git.pvv.ntnu.no/Projects/nettsiden.git"
       },
@@ -208,10 +231,12 @@
     "root": {
       "inputs": {
         "disko": "disko",
+        "gergle": "gergle",
         "greg-ng": "greg-ng",
         "grzegorz-clients": "grzegorz-clients",
         "matrix-next": "matrix-next",
-        "minecraft-data": "minecraft-data",
+        "minecraft-heatmap": "minecraft-heatmap",
+        "minecraft-kartverket": "minecraft-kartverket",
         "nix-gitea-themes": "nix-gitea-themes",
         "nixpkgs": "nixpkgs",
         "nixpkgs-unstable": "nixpkgs-unstable",
@@ -228,11 +253,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1729391507,
-        "narHash": "sha256-as0I9xieJUHf7kiK2a9znDsVZQTFWhM1pLivII43Gi0=",
+        "lastModified": 1764816035,
+        "narHash": "sha256-F0IQSmSj4t2ThkbWZooAhkCTO+YpZSd2Pqiv2uoYEHo=",
         "owner": "oxalica",
         "repo": "rust-overlay",
-        "rev": "784981a9feeba406de38c1c9a3decf966d853cca",
+        "rev": "74d9abb7c5c030469f90d97a67d127cc5d76c238",
         "type": "github"
       },
       "original": {
@@ -245,15 +270,14 @@
       "inputs": {
         "nixpkgs": [
           "nixpkgs"
-        ],
-        "nixpkgs-stable": "nixpkgs-stable"
+        ]
       },
       "locked": {
-        "lastModified": 1731748189,
-        "narHash": "sha256-Zd/Uukvpcu26M6YGhpbsgqm6LUSLz+Q8mDZ5LOEGdiE=",
+        "lastModified": 1764483358,
+        "narHash": "sha256-EyyvCzXoHrbL467YSsQBTWWg4sR96MH1sPpKoSOelB4=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "d2bd7f433b28db6bc7ae03d5eca43564da0af054",
+        "rev": "5aca6ff67264321d47856a2ed183729271107c9c",
         "type": "github"
       },
       "original": {

flake.nix

@@ -2,8 +2,8 @@
   description = "PVV System flake";
 
   inputs = {
-    nixpkgs.url = "github:NixOS/nixpkgs/refs/pull/332699/merge"; # remember to also update the url in base/services/auto-upgrade.nix
-    nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable-small";
+    nixpkgs.url = "https://nixos.org/channels/nixos-25.11-small/nixexprs.tar.xz";
+    nixpkgs-unstable.url = "https://nixos.org/channels/nixos-unstable-small/nixexprs.tar.xz";
 
     sops-nix.url = "github:Mic92/sops-nix";
     sops-nix.inputs.nixpkgs.follows = "nixpkgs";
@@ -17,29 +17,35 @@
     pvv-calendar-bot.url = "git+https://git.pvv.ntnu.no/Projects/calendar-bot.git";
     pvv-calendar-bot.inputs.nixpkgs.follows = "nixpkgs";
 
-    matrix-next.url = "github:dali99/nixos-matrix-modules/v0.6.1";
+    matrix-next.url = "github:dali99/nixos-matrix-modules/v0.8.0";
     matrix-next.inputs.nixpkgs.follows = "nixpkgs";
 
-    nix-gitea-themes.url = "git+https://git.pvv.ntnu.no/oysteikt/nix-gitea-themes.git";
+    nix-gitea-themes.url = "git+https://git.pvv.ntnu.no/Drift/nix-gitea-themes.git";
     nix-gitea-themes.inputs.nixpkgs.follows = "nixpkgs";
 
-    greg-ng.url = "git+https://git.pvv.ntnu.no/Projects/greg-ng.git";
+    minecraft-heatmap.url = "git+https://git.pvv.ntnu.no/Projects/minecraft-heatmap.git";
+    minecraft-heatmap.inputs.nixpkgs.follows = "nixpkgs";
+
+    greg-ng.url = "git+https://git.pvv.ntnu.no/Grzegorz/greg-ng.git";
     greg-ng.inputs.nixpkgs.follows = "nixpkgs";
-    grzegorz-clients.url = "git+https://git.pvv.ntnu.no/Projects/grzegorz-clients.git";
+    gergle.url = "git+https://git.pvv.ntnu.no/Grzegorz/gergle.git";
+    gergle.inputs.nixpkgs.follows = "nixpkgs";
+    grzegorz-clients.url = "git+https://git.pvv.ntnu.no/Grzegorz/grzegorz-clients.git";
     grzegorz-clients.inputs.nixpkgs.follows = "nixpkgs";
 
-    minecraft-data.url = "git+https://git.pvv.ntnu.no/Drift/minecraft-data.git";
+    minecraft-kartverket.url = "git+https://git.pvv.ntnu.no/Projects/minecraft-kartverket.git";
+    minecraft-kartverket.inputs.nixpkgs.follows = "nixpkgs";
   };
 
   outputs = { self, nixpkgs, nixpkgs-unstable, sops-nix, disko, ... }@inputs:
   let
-    nixlib = nixpkgs.lib;
+    inherit (nixpkgs) lib;
     systems = [
       "x86_64-linux"
       "aarch64-linux"
       "aarch64-darwin"
     ];
-    forAllSystems = f: nixlib.genAttrs systems f;
+    forAllSystems = f: lib.genAttrs systems f;
     allMachines = builtins.attrNames self.nixosConfigurations;
     importantMachines = [
       "bekkalokk"
@@ -49,44 +55,74 @@
       "ildkule"
     ];
   in {
-    inherit inputs;
+    inputs = lib.mapAttrs (_: src: src.outPath) inputs;
 
     nixosConfigurations = let
       unstablePkgs = nixpkgs-unstable.legacyPackages.x86_64-linux;
-      nixosConfig = nixpkgs: name: config: nixpkgs.lib.nixosSystem (nixpkgs.lib.recursiveUpdate
-        rec {
+
+      nixosConfig =
+        nixpkgs:
+        name:
+        configurationPath:
+        extraArgs:
+        lib.nixosSystem (lib.recursiveUpdate
+        (let
           system = "x86_64-linux";
+        in {
+          inherit system;
+
           specialArgs = {
             inherit unstablePkgs inputs;
             values = import ./values.nix;
             fp = path: ./${path};
-          };
+          } // extraArgs.specialArgs or { };
 
           modules = [
-            ./hosts/${name}/configuration.nix
+            configurationPath
             sops-nix.nixosModules.sops
-          ] ++ config.modules or [];
+          ] ++ extraArgs.modules or [];
 
           pkgs = import nixpkgs {
             inherit system;
+            config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg)
+              [
+                "nvidia-x11"
+                "nvidia-settings"
+              ];
             overlays = [
               # Global overlays go here
-            ] ++ config.overlays or [ ];
+            ] ++ extraArgs.overlays or [ ];
           };
-        }
-        (removeAttrs config [ "modules" "overlays" ])
+        })
+        (builtins.removeAttrs extraArgs [
+          "modules"
+          "overlays"
+          "specialArgs"
+        ])
       );
 
-      stableNixosConfig = nixosConfig nixpkgs;
-      unstableNixosConfig = nixosConfig nixpkgs-unstable;
+      stableNixosConfig = name: extraArgs:
+          nixosConfig nixpkgs name ./hosts/${name}/configuration.nix extraArgs;
     in {
+      bakke = stableNixosConfig "bakke" {
+        modules = [
+          disko.nixosModules.disko
+        ];
+      };
       bicep = stableNixosConfig "bicep" {
         modules = [
           inputs.matrix-next.nixosModules.default
           inputs.pvv-calendar-bot.nixosModules.default
+          inputs.minecraft-heatmap.nixosModules.default
+          self.nixosModules.gickup
+          self.nixosModules.matrix-ooye
         ];
         overlays = [
-          inputs.pvv-calendar-bot.overlays.x86_64-linux.default
+          inputs.pvv-calendar-bot.overlays.default
+          inputs.minecraft-heatmap.overlays.default
+          (final: prev: {
+            inherit (self.packages.${prev.system}) out-of-your-element;
+          })
         ];
       };
       bekkalokk = stableNixosConfig "bekkalokk" {
@@ -97,57 +133,84 @@
             simplesamlphp = final.callPackage ./packages/simplesamlphp { };
             bluemap = final.callPackage ./packages/bluemap.nix { };
           })
-          inputs.nix-gitea-themes.overlays.default
           inputs.pvv-nettsiden.overlays.default
         ];
         modules = [
-          inputs.nix-gitea-themes.nixosModules.default
           inputs.pvv-nettsiden.nixosModules.default
         ];
       };
-      bob = stableNixosConfig "bob" {
-        modules = [
-          disko.nixosModules.disko
-          { disko.devices.disk.disk1.device = "/dev/vda"; }
-        ];
-      };
       ildkule = stableNixosConfig "ildkule" { };
       #ildkule-unstable = unstableNixosConfig "ildkule" { };
       shark = stableNixosConfig "shark" { };
+      wenche = stableNixosConfig "wenche" { };
+
+      kommode = stableNixosConfig "kommode" {
+        overlays = [
+          inputs.nix-gitea-themes.overlays.default
+        ];
+        modules = [
+          inputs.nix-gitea-themes.nixosModules.default
+        ];
+      };
+
+      ustetind = stableNixosConfig "ustetind" {
+        modules = [
+         "${nixpkgs}/nixos/modules/virtualisation/lxc-container.nix"
+        ];
+      };
 
       brzeczyszczykiewicz = stableNixosConfig "brzeczyszczykiewicz" {
         modules = [
           inputs.grzegorz-clients.nixosModules.grzegorz-webui
+          inputs.gergle.nixosModules.default
           inputs.greg-ng.nixosModules.default
         ];
         overlays = [
           inputs.greg-ng.overlays.default
+          inputs.gergle.overlays.default
         ];
       };
       georg = stableNixosConfig "georg" {
         modules = [
           inputs.grzegorz-clients.nixosModules.grzegorz-webui
+          inputs.gergle.nixosModules.default
           inputs.greg-ng.nixosModules.default
         ];
         overlays = [
           inputs.greg-ng.overlays.default
+          inputs.gergle.overlays.default
         ];
       };
-      kvernberg = stableNixosConfig "kvernberg" {
-        modules = [
-          disko.nixosModules.disko
-          { disko.devices.disk.disk1.device = "/dev/sda"; }
-        ];
-      };
-    };
+    }
+    //
+    (let
+      machineNames = map (i: "lupine-${toString i}") (lib.range 1 5);
+      stableLupineNixosConfig = name: extraArgs:
+          nixosConfig nixpkgs name ./hosts/lupine/configuration.nix extraArgs;
+    in lib.genAttrs machineNames (name: stableLupineNixosConfig name {
+      modules = [{ networking.hostName = name; }];
+      specialArgs.lupineName = name;
+    }));
 
     nixosModules = {
       snakeoil-certs = ./modules/snakeoil-certs.nix;
       snappymail = ./modules/snappymail.nix;
+      robots-txt = ./modules/robots-txt.nix;
+      gickup = ./modules/gickup;
+      matrix-ooye = ./modules/matrix-ooye.nix;
     };
 
     devShells = forAllSystems (system: {
-      default = nixpkgs.legacyPackages.${system}.callPackage ./shell.nix { };
+      default = nixpkgs-unstable.legacyPackages.${system}.callPackage ./shell.nix { };
+      cuda = let
+        cuda-pkgs = import nixpkgs-unstable {
+          inherit system;
+          config = {
+            allowUnfree = true;
+            cudaSupport = true;
+          };
+        };
+      in cuda-pkgs.callPackage ./shells/cuda.nix { };
     });
 
     packages = {
@@ -156,19 +219,20 @@
       in rec {
         default = important-machines;
         important-machines = pkgs.linkFarm "important-machines"
-          (nixlib.getAttrs importantMachines self.packages.x86_64-linux);
+          (lib.getAttrs importantMachines self.packages.x86_64-linux);
         all-machines = pkgs.linkFarm "all-machines"
-          (nixlib.getAttrs allMachines self.packages.x86_64-linux);
+          (lib.getAttrs allMachines self.packages.x86_64-linux);
 
         simplesamlphp = pkgs.callPackage ./packages/simplesamlphp { };
 
+        out-of-your-element = pkgs.callPackage ./packages/out-of-your-element.nix { };
       } //
-      (nixlib.pipe null [
+      (lib.pipe null [
         (_: pkgs.callPackage ./packages/mediawiki-extensions { })
-        (nixlib.flip builtins.removeAttrs ["override" "overrideDerivation"])
-        (nixlib.mapAttrs' (name: nixlib.nameValuePair "mediawiki-${name}"))
+        (lib.flip builtins.removeAttrs ["override" "overrideDerivation"])
+        (lib.mapAttrs' (name: lib.nameValuePair "mediawiki-${name}"))
       ])
-      // nixlib.genAttrs allMachines
+      // lib.genAttrs allMachines
         (machine: self.nixosConfigurations.${machine}.config.system.build.toplevel);
     };
   };

hosts/bakke/configuration.nix

@@ -0,0 +1,26 @@
+{ config, pkgs, values, ... }:
+{
+  imports = [
+      ./hardware-configuration.nix
+      ../../base
+      ../../misc/metrics-exporters.nix
+      ./filesystems.nix
+    ];
+
+  sops.defaultSopsFile = ../../secrets/bakke/bakke.yaml;
+  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+  sops.age.keyFile = "/var/lib/sops-nix/key.txt";
+  sops.age.generateKey = true;
+
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+
+  networking.hostName = "bakke";
+  networking.hostId = "99609ffc";
+  systemd.network.networks."30-enp2s0" = values.defaultNetworkConfig // {
+    matchConfig.Name = "enp2s0";
+    address = with values.hosts.bakke; [ (ipv4 + "/25") (ipv6 + "/64") ];
+  };
+
+  system.stateVersion = "24.05";
+}

hosts/bakke/disks.nix

@@ -0,0 +1,83 @@
+{
+  # https://github.com/nix-community/disko/blob/master/example/boot-raid1.nix
+  # Note: Disko was used to create the initial md raid, but is no longer in active use on this host.
+  disko.devices = {
+    disk = {
+      one = {
+        type = "disk";
+        device = "/dev/disk/by-id/ata-WDC_WD40EFRX-68WT0N0_WD-WCC4E2EER6N6";
+        content = {
+          type = "gpt";
+          partitions = {
+            ESP = {
+              size = "500M";
+              type = "EF00";
+              content = {
+                type = "mdraid";
+                name = "boot";
+              };
+            };
+            mdadm = {
+              size = "100%";
+              content = {
+                type = "mdraid";
+                name = "raid1";
+              };
+            };
+          };
+        };
+      };
+      two = {
+        type = "disk";
+        device = "/dev/disk/by-id/ata-WDC_WD40EFRX-68WT0N0_WD-WCC4E7LPLU71";
+        content = {
+          type = "gpt";
+          partitions = {
+            ESP = {
+              size = "500M";
+              type = "EF00";
+              content = {
+                type = "mdraid";
+                name = "boot";
+              };
+            };
+            mdadm = {
+              size = "100%";
+              content = {
+                type = "mdraid";
+                name = "raid1";
+              };
+            };
+          };
+        };
+      };
+    };
+    mdadm = {
+      boot = {
+        type = "mdadm";
+        level = 1;
+        metadata = "1.0";
+        content = {
+          type = "filesystem";
+          format = "vfat";
+          mountpoint = "/boot";
+        };
+      };
+      raid1 = {
+        type = "mdadm";
+        level = 1;
+        content = {
+          type = "gpt";
+          partitions.primary = {
+            size = "100%";
+            content = {
+              type = "filesystem";
+              format = "ext4";
+              mountpoint = "/";
+            };
+          };
+        };
+      };
+    };
+  };
+}

hosts/bakke/filesystems.nix

@@ -0,0 +1,26 @@
+{ config, pkgs, lib, ... }:
+{
+  # Boot drives:
+  boot.swraid.enable = true;
+
+  # ZFS Data pool:
+  environment.systemPackages = with pkgs; [ zfs ];
+  boot = {
+    zfs = {
+      extraPools = [ "tank" ];
+      requestEncryptionCredentials = false;
+    };
+    supportedFilesystems = [ "zfs" ];
+    kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
+  };
+  services.zfs.autoScrub = {
+    enable = true;
+    interval = "Wed *-*-8..14 00:00:00";
+  };
+
+  # NFS Exports:
+  #TODO
+
+  # NFS Import mounts:
+  #TODO
+}

hosts/bakke/hardware-configuration.nix

@@ -0,0 +1,52 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/0f63c3d2-fc12-4ed5-a5a5-141bfd67a571";
+      fsType = "btrfs";
+      options = [ "subvol=root" ];
+    };
+
+  fileSystems."/home" =
+    { device = "/dev/disk/by-uuid/0f63c3d2-fc12-4ed5-a5a5-141bfd67a571";
+      fsType = "btrfs";
+      options = [ "subvol=home" ];
+    };
+
+  fileSystems."/nix" =
+    { device = "/dev/disk/by-uuid/0f63c3d2-fc12-4ed5-a5a5-141bfd67a571";
+      fsType = "btrfs";
+      options = [ "subvol=nix" "noatime" ];
+    };
+
+  fileSystems."/boot" =
+    { device = "/dev/sdc2";
+      fsType = "vfat";
+      options = [ "fmask=0022" "dmask=0022" ];
+    };
+
+  swapDevices = [ ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault false;
+  # networking.interfaces.eno1.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp2s0.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}

hosts/bekkalokk/configuration.nix

@@ -7,9 +7,8 @@
     (fp /misc/metrics-exporters.nix)
 
     ./services/bluemap/default.nix
-    ./services/gitea/default.nix
     ./services/idp-simplesamlphp
-    ./services/kerberos
+    ./services/kerberos.nix
     ./services/mediawiki
     ./services/nginx.nix
     ./services/phpfpm.nix

hosts/bekkalokk/services/bluemap/default.nix

@@ -1,31 +1,38 @@
 { config, lib, pkgs, inputs, ... }:
 let
   vanillaSurvival = "/var/lib/bluemap/vanilla_survival_world";
+  format = pkgs.formats.hocon { };
 in {
   imports = [
     ./module.nix # From danio, pending upstreaming
   ];
 
-  disabledModules = [ "services/web-servers/bluemap.nix" ];
+  disabledModules = [ "services/web-apps/bluemap.nix" ];
 
   sops.secrets."bluemap/ssh-key" = { };
   sops.secrets."bluemap/ssh-known-hosts" = { };
 
   services.bluemap = {
     enable = true;
+    package = pkgs.callPackage ./package.nix { };
+
     eula = true;
     onCalendar = "*-*-* 05:45:00"; # a little over an hour after auto-upgrade
 
     host = "minecraft.pvv.ntnu.no";
 
-    maps = {
+    maps = let
+      inherit (inputs.minecraft-kartverket.packages.${pkgs.stdenv.hostPlatform.system}) bluemap-export;
+    in {
       "verden" = {
         settings = {
           world = vanillaSurvival;
           sorting = 0;
           ambient-light = 0.1;
           cave-detection-ocean-floor = -5;
-          marker-sets = inputs.minecraft-data.map-markers.vanillaSurvival.verden;
+          marker-sets = {
+            _includes = [ (format.lib.mkInclude "${bluemap-export}/overworld.hocon") ];
+          };
         };
       };
       "underverden" = {
@@ -40,7 +47,9 @@ in {
           cave-detection-ocean-floor = -5;
           cave-detection-uses-block-light = true;
           max-y = 90;
-          marker-sets = inputs.minecraft-data.map-markers.vanillaSurvival.underverden;
+          marker-sets = {
+            _includes = [ (format.lib.mkInclude "${bluemap-export}/nether.hocon") ];
+          };
         };
       };
       "enden" = {
@@ -53,6 +62,9 @@ in {
           world-sky-light = 0;
           remove-caves-below-y = -10000;
           cave-detection-ocean-floor = -5;
+          marker-sets = {
+            _includes = [ (format.lib.mkInclude "${bluemap-export}/the-end.hocon") ];
+          };
         };
       };
     };

hosts/bekkalokk/services/bluemap/module.nix

@@ -26,7 +26,6 @@ let
     "webapp.conf" = webappConfig;
     "webserver.conf" = webserverConfig;
     "packs" = cfg.resourcepacks;
-    "addons" = cfg.resourcepacks; # TODO
   };
 
   renderConfigFolder = name: value: pkgs.linkFarm "bluemap-${name}-config" {
@@ -38,13 +37,13 @@ let
     "webapp.conf" = format.generate "webapp.conf" (cfg.webappSettings // { "update-settings-file" = false; });
     "webserver.conf" = webserverConfig;
     "packs" = value.resourcepacks;
-    "addons" = cfg.resourcepacks; # TODO
   };
 
   inherit (lib) mkOption;
 in {
   options.services.bluemap = {
     enable = lib.mkEnableOption "bluemap";
+    package = lib.mkPackageOption pkgs "bluemap" { };
 
     eula = mkOption {
       type = lib.types.bool;
@@ -159,7 +158,7 @@ in {
             type = lib.types.path;
             default = cfg.resourcepacks;
             defaultText = lib.literalExpression "config.services.bluemap.resourcepacks";
-            description = "A set of resourcepacks/mods to extract models from loaded in alphabetical order";
+            description = "A set of resourcepacks/mods/bluemap-addons to extract models from loaded in alphabetical order";
           };
           settings = mkOption {
             type = (lib.types.submodule {
@@ -310,9 +309,18 @@ in {
         Group = "nginx";
         UMask = "026";
       };
-      script = lib.strings.concatStringsSep "\n" ((lib.attrsets.mapAttrsToList
-        (name: value: "${lib.getExe pkgs.bluemap} -c ${renderConfigFolder name value} -r")
-        cfg.maps) ++ [ "${lib.getExe pkgs.bluemap} -c ${webappConfigFolder} -gs" ]);
+      script = ''
+        # If web folder doesnt exist generate it
+        test -f "${cfg.webRoot}" || ${lib.getExe cfg.package} -c ${webappConfigFolder} -gs
+
+        # Render each minecraft map
+        ${lib.strings.concatStringsSep "\n" (lib.attrsets.mapAttrsToList
+          (name: value: "${lib.getExe cfg.package} -c ${renderConfigFolder name value} -r")
+          cfg.maps)}
+
+        # Generate updated webapp
+        ${lib.getExe cfg.package} -c ${webappConfigFolder} -gs
+      '';
     };
 
     systemd.timers."render-bluemap-maps" = lib.mkIf cfg.enableRender {

hosts/bekkalokk/services/bluemap/package.nix

@@ -0,0 +1,30 @@
+{ lib, stdenvNoCC, fetchurl, makeWrapper, jre }:
+
+stdenvNoCC.mkDerivation rec {
+  pname = "bluemap";
+  version = "5.7";
+
+  src = fetchurl {
+    url = "https://github.com/BlueMap-Minecraft/BlueMap/releases/download/v${version}/BlueMap-${version}-cli.jar";
+    hash = "sha256-8udZYJgrr4bi2mjRYrASd8JwUoUVZW1tZpOLRgafAIw=";
+  };
+
+  dontUnpack = true;
+
+  nativeBuildInputs = [ makeWrapper ];
+
+  installPhase = ''
+    runHook preInstall
+    makeWrapper ${jre}/bin/java $out/bin/bluemap --add-flags "-jar $src"
+    runHook postInstall
+  '';
+
+  meta = {
+    description = "3D minecraft map renderer";
+    homepage = "https://bluemap.bluecolored.de/";
+    sourceProvenance = with lib.sourceTypes; [ binaryBytecode ];
+    license = lib.licenses.mit;
+    maintainers = with lib.maintainers; [ dandellion h7x4 ];
+    mainProgram = "bluemap";
+  };
+}

hosts/bekkalokk/services/kerberos/krb5-conf-format.nix

@@ -1,88 +0,0 @@
-{ pkgs, lib, ... }:
-
-# Based on
-# - https://web.mit.edu/kerberos/krb5-1.12/doc/admin/conf_files/krb5_conf.html
-# - https://manpages.debian.org/unstable/heimdal-docs/krb5.conf.5heimdal.en.html
-
-let
-  inherit (lib) boolToString concatMapStringsSep concatStringsSep filter
-    isAttrs isBool isList mapAttrsToList mdDoc mkOption singleton splitString;
-  inherit (lib.types) attrsOf bool coercedTo either int listOf oneOf path
-    str submodule;
-in
-{ }: {
-  type = let
-    section = attrsOf relation;
-    relation = either (attrsOf value) value;
-    value = either (listOf atom) atom;
-    atom = oneOf [int str bool];
-  in submodule {
-    freeformType = attrsOf section;
-    options = {
-      include = mkOption {
-        default = [ ];
-        description = mdDoc ''
-          Files to include in the Kerberos configuration.
-        '';
-        type = coercedTo path singleton (listOf path);
-      };
-      includedir = mkOption {
-        default = [ ];
-        description = mdDoc ''
-          Directories containing files to include in the Kerberos configuration.
-        '';
-        type = coercedTo path singleton (listOf path);
-      };
-      module = mkOption {
-        default = [ ];
-        description = mdDoc ''
-          Modules to obtain Kerberos configuration from.
-        '';
-        type = coercedTo path singleton (listOf path);
-      };
-    };
-  };
-
-  generate = let
-    indent = str: concatMapStringsSep "\n" (line: "  " + line) (splitString "\n" str);
-
-    formatToplevel = args @ {
-      include ? [ ],
-      includedir ? [ ],
-      module ? [ ],
-      ...
-    }: let
-      sections = removeAttrs args [ "include" "includedir" "module" ];
-    in concatStringsSep "\n" (filter (x: x != "") [
-      (concatStringsSep "\n" (mapAttrsToList formatSection sections))
-      (concatMapStringsSep "\n" (m: "module ${m}") module)
-      (concatMapStringsSep "\n" (i: "include ${i}") include)
-      (concatMapStringsSep "\n" (i: "includedir ${i}") includedir)
-    ]);
-
-    formatSection = name: section: ''
-      [${name}]
-      ${indent (concatStringsSep "\n" (mapAttrsToList formatRelation section))}
-    '';
-
-    formatRelation = name: relation:
-      if isAttrs relation
-      then ''
-        ${name} = {
-        ${indent (concatStringsSep "\n" (mapAttrsToList formatValue relation))}
-        }''
-      else formatValue name relation;
-
-    formatValue = name: value:
-      if isList value
-      then concatMapStringsSep "\n" (formatAtom name) value
-      else formatAtom name value;
-
-    formatAtom = name: atom: let
-      v = if isBool atom then boolToString atom else toString atom;
-    in "${name} = ${v}";
-  in
-    name: value: pkgs.writeText name ''
-      ${formatToplevel value}
-    '';
-}

hosts/bekkalokk/services/kerberos/krb5.nix

@@ -1,90 +0,0 @@
-{ config, lib, pkgs, ... }:
-let
-  inherit (lib) mdDoc mkIf mkOption mkPackageOption mkRemovedOptionModule;
-  inherit (lib.types) bool;
-
-  mkRemovedOptionModule' = name: reason: mkRemovedOptionModule ["krb5" name] reason;
-  mkRemovedOptionModuleCfg = name: mkRemovedOptionModule' name ''
-    The option `krb5.${name}' has been removed. Use
-    `security.krb5.settings.${name}' for structured configuration.
-  '';
-
-  cfg = config.security.krb5;
-  format = import ./krb5-conf-format.nix { inherit pkgs lib; } { };
-in {
-  imports = [
-    (mkRemovedOptionModuleCfg "libdefaults")
-    (mkRemovedOptionModuleCfg "realms")
-    (mkRemovedOptionModuleCfg "domain_realm")
-    (mkRemovedOptionModuleCfg "capaths")
-    (mkRemovedOptionModuleCfg "appdefaults")
-    (mkRemovedOptionModuleCfg "plugins")
-    (mkRemovedOptionModuleCfg "config")
-    (mkRemovedOptionModuleCfg "extraConfig")
-    (mkRemovedOptionModule' "kerberos" ''
-      The option `krb5.kerberos' has been moved to `security.krb5.package'.
-    '')
-  ];
-
-  options = {
-    security.krb5 = {
-      enable = mkOption {
-        default = false;
-        description = mdDoc "Enable and configure Kerberos utilities";
-        type = bool;
-      };
-
-      package = mkPackageOption pkgs "krb5" {
-        example = "heimdal";
-      };
-
-      settings = mkOption {
-        default = { };
-        type = format.type;
-        description = mdDoc ''
-          Structured contents of the {file}`krb5.conf` file. See
-          {manpage}`krb5.conf(5)` for details about configuration.
-        '';
-        example = {
-          include = [ "/run/secrets/secret-krb5.conf" ];
-          includedir = [ "/run/secrets/secret-krb5.conf.d" ];
-
-          libdefaults = {
-            default_realm = "ATHENA.MIT.EDU";
-          };
-
-          realms = {
-            "ATHENA.MIT.EDU" = {
-              admin_server = "athena.mit.edu";
-              kdc = [
-                "athena01.mit.edu"
-                "athena02.mit.edu"
-              ];
-            };
-          };
-
-          domain_realm = {
-            "mit.edu" = "ATHENA.MIT.EDU";
-          };
-
-          logging = {
-            kdc = "SYSLOG:NOTICE";
-            admin_server = "SYSLOG:NOTICE";
-            default = "SYSLOG:NOTICE";
-          };
-        };
-      };
-    };
-  };
-
-  config = mkIf cfg.enable {
-    environment = {
-      systemPackages = [ cfg.package ];
-      etc."krb5.conf".source = format.generate "krb5.conf" cfg.settings;
-    };
-  };
-
-  meta.maintainers = builtins.attrValues {
-    inherit (lib.maintainers) dblsaiko h7x4;
-  };
-}

hosts/bekkalokk/services/mediawiki/default.nix

@@ -61,7 +61,6 @@ in {
       user = "mediawiki";
       passwordFile = config.sops.secrets."mediawiki/postgres_password".path;
       createLocally = false;
-      # TODO: create a normal database and copy over old data when the service is production ready
       name = "mediawiki";
     };
 
@@ -215,11 +214,11 @@ in {
       "= /favicon.ico".alias = pkgs.runCommandLocal "mediawiki-favicon.ico" {
         buildInputs = with pkgs; [ imagemagick ];
       } ''
-        convert \
+        magick \
+          ${fp /assets/logo_blue_regular.png} \
           -resize x64 \
           -gravity center \
           -crop 64x64+0+0 \
-          ${fp /assets/logo_blue_regular.png} \
           -flatten \
           -colors 256 \
           -background transparent \

hosts/bekkalokk/services/vaultwarden.nix

@@ -83,7 +83,6 @@ in {
       ProtectKernelLogs = true;
       ProtectKernelModules = true;
       ProtectKernelTunables = true;
-      ProtectProc = "invisible";
       RestrictAddressFamilies = [
         "AF_INET"
         "AF_INET6"
@@ -98,7 +97,6 @@ in {
         "@system-service"
         "~@privileged"
       ];
-      UMask = "0007";
     };
   };
 }

hosts/bekkalokk/services/webmail/roundcube.nix

@@ -21,7 +21,7 @@ in
       custom_from
     ]);
 
-    dicts = with pkgs.aspellDicts; [ en en-science en-computers nb nn fr de it ];
+    dicts = with pkgs.aspellDicts; [ en en-computers nb nn fr de it ];
     maxAttachmentSize = 20;
     hostName = "roundcubeplaceholder.example.com";
 

hosts/bekkalokk/services/website/default.nix

@@ -18,11 +18,16 @@ in {
     restartUnits = [ "phpfpm-pvv-nettsiden.service" ];
   });
 
+  security.acme.certs."www.pvv.ntnu.no" = {
+    extraDomainNames = [
+      "pvv.ntnu.no"
+      "www.pvv.org"
+      "pvv.org"
+    ];
+  };
+
   services.idp.sp-remote-metadata = [
     "https://www.pvv.ntnu.no/simplesaml/"
-    "https://pvv.ntnu.no/simplesaml/"
-    "https://www.pvv.org/simplesaml/"
-    "https://pvv.org/simplesaml/"
   ];
 
   services.pvv-nettsiden = {
@@ -67,7 +72,9 @@ in {
         ADMIN_NAME = "PVV Drift";
         ADMIN_EMAIL = "drift@pvv.ntnu.no";
         ADMIN_PASSWORD = includeFromSops "simplesamlphp/admin_password";
-        TRUSTED_DOMAINS = [ cfg.domainName ];
+        TRUSTED_DOMAINS = [
+          "www.pvv.ntnu.no"
+        ];
       };
     };
   };
@@ -78,13 +85,28 @@ in {
     "catch_workers_output" = true;
   };
 
-  services.nginx.virtualHosts.${cfg.domainName} = {
-    serverAliases = [
-      "pvv.ntnu.no"
-      "www.pvv.org"
-      "pvv.org"
-    ];
+  services.nginx.virtualHosts."pvv.ntnu.no" = {
+    globalRedirect = cfg.domainName;
+    redirectCode = 307;
+    forceSSL = true;
+    useACMEHost = "www.pvv.ntnu.no";
+  };
 
+  services.nginx.virtualHosts."www.pvv.org" = {
+    globalRedirect = cfg.domainName;
+    redirectCode = 307;
+    forceSSL = true;
+    useACMEHost = "www.pvv.ntnu.no";
+  };
+
+  services.nginx.virtualHosts."pvv.org" = {
+    globalRedirect = cfg.domainName;
+    redirectCode = 307;
+    forceSSL = true;
+    useACMEHost = "www.pvv.ntnu.no";
+  };
+
+  services.nginx.virtualHosts.${cfg.domainName} = {
     locations = {
       # Proxy home directories
       "^~ /~" = {

hosts/bekkalokk/services/website/fetch-gallery.nix

@@ -53,7 +53,7 @@ in {
 
         echo "Creating thumbnail for $fname"
         mkdir -p $(dirname ".thumbnails/$fname")
-        convert -define jpeg:size=200x200 "$fname" -thumbnail 300 -auto-orient ".thumbnails/$fname.png" ||:
+        magick -define jpeg:size=200x200 "$fname" -thumbnail 300 -auto-orient ".thumbnails/$fname.png" ||:
         touch -m -d "$(date -R -r "$fname")" ".thumbnails/$fname.png"
       done <<< "$images"
     '';

hosts/bicep/configuration.nix

@@ -7,10 +7,11 @@
     (fp /misc/metrics-exporters.nix)
     ./services/nginx
 
+    ./services/calendar-bot.nix
+    #./services/git-mirrors
+    ./services/minecraft-heatmap.nix
     ./services/mysql.nix
     ./services/postgres.nix
-    ./services/mysql.nix
-    ./services/calendar-bot.nix
 
     ./services/matrix
   ];
@@ -20,13 +21,15 @@
   sops.age.keyFile = "/var/lib/sops-nix/key.txt";
   sops.age.generateKey = true;
 
-  boot.loader.grub.enable = true;
-  boot.loader.grub.device = "/dev/disk/by-id/scsi-3600508b1001cb1a8751c137b30610682";
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
 
   networking.hostName = "bicep";
 
-  systemd.network.networks."30-enp6s0f0" = values.defaultNetworkConfig // {
-    matchConfig.Name = "enp6s0f0";
+  #systemd.network.networks."30-enp6s0f0" = values.defaultNetworkConfig // {
+  systemd.network.networks."30-ens18" = values.defaultNetworkConfig // {
+    #matchConfig.Name = "enp6s0f0";
+    matchConfig.Name = "ens18";
     address = with values.hosts.bicep; [ (ipv4 + "/25") (ipv6 + "/64") ]
       ++ (with values.services.turn; [ (ipv4 + "/25") (ipv6 + "/64") ]);
   };
@@ -37,6 +40,13 @@
   # There are no smart devices
   services.smartd.enable = false;
 
+  # we are a vm now
+  services.qemuGuest.enable = true;
+
+  # Enable the OpenSSH daemon.
+  services.openssh.enable = true;
+  services.sshguard.enable = true;
+
   # Do not change, even during upgrades.
   # See https://search.nixos.org/options?show=system.stateVersion
   system.stateVersion = "22.11";

hosts/bicep/hardware-configuration.nix

@@ -5,22 +5,29 @@
 
 {
   imports =
-    [ (modulesPath + "/installer/scan/not-detected.nix")
+    [ (modulesPath + "/profiles/qemu-guest.nix")
     ];
 
-  boot.initrd.availableKernelModules = [ "uhci_hcd" "ehci_pci" "hpsa" "ohci_pci" "usbhid" "sd_mod" ];
+  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "ahci" "sd_mod" "sr_mod" ];
   boot.initrd.kernelModules = [ ];
-  boot.kernelModules = [ "kvm-intel" ];
+  boot.kernelModules = [ ];
   boot.extraModulePackages = [ ];
 
   fileSystems."/" =
-    { device = "/dev/disk/by-uuid/31a67903-dc00-448a-a24a-36e820318fe5";
+    { device = "/dev/disk/by-uuid/20e06202-7a09-47cc-8ef6-5e7afe19453a";
       fsType = "ext4";
     };
 
+  # temp data disk, only 128gb not enough until we can add another disk to the system.
   fileSystems."/data" =
-    { device = "/dev/disk/by-uuid/79e93eed-ad95-45c9-b115-4ef92afcc8c0";
-      fsType = "f2fs";
+    { device = "/dev/disk/by-uuid/c81af266-0781-4084-b8eb-c2587cbcf1ba";
+      fsType = "ext4";
+    };
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/198B-E363";
+      fsType = "vfat";
+      options = [ "fmask=0022" "dmask=0022" ];
     };
 
   swapDevices = [ ];
@@ -30,11 +37,7 @@
   # still possible to use this option, but it's recommended to use it in conjunction
   # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
   networking.useDHCP = lib.mkDefault true;
-  # networking.interfaces.enp6s0f0.useDHCP = lib.mkDefault true;
-  # networking.interfaces.enp6s0f1.useDHCP = lib.mkDefault true;
-  # networking.interfaces.enp6s0f2.useDHCP = lib.mkDefault true;
-  # networking.interfaces.enp6s0f3.useDHCP = lib.mkDefault true;
+  # networking.interfaces.ens18.useDHCP = lib.mkDefault true;
 
   nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
-  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 }

hosts/bicep/services/git-mirrors/default.nix

@@ -0,0 +1,100 @@
+{ config, pkgs, lib, fp, ... }:
+let
+  cfg = config.services.gickup;
+in
+{
+  sops.secrets."gickup/github-token" = {
+    owner = "gickup";
+  };
+
+  services.gickup = {
+    enable = true;
+
+    dataDir = "/data/gickup";
+
+    destinationSettings = {
+      structured = true;
+      zip = false;
+      keep = 10;
+      bare = true;
+      lfs = false;
+    };
+
+    instances = let
+      defaultGithubConfig = {
+        settings.token_file = config.sops.secrets."gickup/github-token".path;
+      };
+      defaultGitlabConfig = {
+        # settings.token_file = ...
+      };
+    in {
+      "github:Git-Mediawiki/Git-Mediawiki" = defaultGithubConfig;
+      "github:NixOS/nixpkgs" = defaultGithubConfig;
+      "github:go-gitea/gitea" = defaultGithubConfig;
+      "github:heimdal/heimdal" = defaultGithubConfig;
+      "github:saltstack/salt" = defaultGithubConfig;
+      "github:typst/typst" = defaultGithubConfig;
+      "github:unmojang/FjordLauncher" = defaultGithubConfig;
+      "github:unmojang/drasl" = defaultGithubConfig;
+      "github:yushijinhun/authlib-injector" = defaultGithubConfig;
+
+      "gitlab:mx-puppet/discord/better-discord.js" = defaultGitlabConfig;
+      "gitlab:mx-puppet/discord/discord-markdown" = defaultGitlabConfig;
+      "gitlab:mx-puppet/discord/matrix-discord-parser" = defaultGitlabConfig;
+      "gitlab:mx-puppet/discord/mx-puppet-discord" = defaultGitlabConfig;
+      "gitlab:mx-puppet/mx-puppet-bridge" = defaultGitlabConfig;
+
+      "any:glibc" = {
+        settings.url = "https://sourceware.org/git/glibc.git";
+      };
+
+      "any:out-of-your-element" = {
+        settings.url = "https://gitdab.com/cadence/out-of-your-element.git";
+      };
+
+      "any:out-of-your-element-module" = {
+        settings.url = "https://cgit.rory.gay/nix/OOYE-module.git";
+      };
+    };
+  };
+
+  services.cgit = let
+    domain = "mirrors.pvv.ntnu.no";
+  in {
+    ${domain} = {
+      enable = true;
+      package = pkgs.callPackage (fp /packages/cgit.nix) { };
+      group = "gickup";
+      scanPath = "${cfg.dataDir}/linktree";
+      settings = {
+        enable-commit-graph = true;
+        enable-follow-links = true;
+        enable-http-clone = true;
+        enable-remote-branches = true;
+        clone-url = "https://${domain}/$CGIT_REPO_URL";
+        remove-suffix = true;
+        root-title = "PVVSPPP";
+        root-desc = "PVV Speiler Praktisk og Prominent Programvare";
+        snapshots = "all";
+        logo = "/PVV-logo.png";
+      };
+    };
+  };
+
+  services.nginx.virtualHosts."mirrors.pvv.ntnu.no" = {
+    forceSSL = true;
+    enableACME = true;
+
+    locations."= /PVV-logo.png".alias = let
+      small-pvv-logo = pkgs.runCommandLocal "pvv-logo-96x96" {
+        nativeBuildInputs = [ pkgs.imagemagick ];
+      } ''
+        magick '${fp /assets/logo_blue_regular.svg}' -resize 96x96 PNG:"$out"
+      '';
+    in toString small-pvv-logo;
+  };
+
+  systemd.services."fcgiwrap-cgit-mirrors.pvv.ntnu.no" = {
+    serviceConfig.BindReadOnlyPaths = [ cfg.dataDir ];
+  };
+}

hosts/bicep/services/matrix/coturn.nix

@@ -42,12 +42,15 @@
 
   security.acme.certs.${config.services.coturn.realm} = {
     email = "drift@pvv.ntnu.no";
-    listenHTTP = "129.241.210.213:80";
+    listenHTTP = "${values.services.turn.ipv4}:80";
     reloadServices = [ "coturn.service" ];
   };
 
   users.users.turnserver.extraGroups = [ "acme" ];
 
+  # It needs this to be allowed to access the files with the acme group
+  systemd.services.coturn.serviceConfig.PrivateUsers = lib.mkForce false;
+
   systemd.services."acme-${config.services.coturn.realm}".serviceConfig = {
     AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
   };
@@ -66,7 +69,7 @@
 
     listening-ips = [
       values.services.turn.ipv4
-      # values.services.turn.ipv6
+      values.services.turn.ipv6
     ];
 
     tls-listening-port = 443;

hosts/bicep/services/matrix/default.nix

@@ -9,7 +9,8 @@
     ./coturn.nix
     ./mjolnir.nix
 
-    ./discord.nix
+    # ./discord.nix
+    ./out-of-your-element.nix
     ./hookshot
   ];
 

hosts/bicep/services/matrix/discord.nix

@@ -45,7 +45,7 @@ in
   };
 
 
-  services.mx-puppet-discord.enable = true;
+  services.mx-puppet-discord.enable = false;
   services.mx-puppet-discord.settings = {
     bridge = {
       bindAddress = "localhost";

hosts/bicep/services/matrix/hookshot/default.nix

@@ -6,10 +6,6 @@ let
   webhookListenPort = 8435;
 in
 {
-  imports = [
-    ./module.nix
-  ];
-
   sops.secrets."matrix/hookshot/as_token" = {
     sopsFile = fp /secrets/bicep/matrix.yaml;
     key = "hookshot/as_token";
@@ -81,14 +77,14 @@ in
         outbound = true;
         urlPrefix = "https://hookshot.pvv.ntnu.no/webhook/";
         userIdPrefix = "_webhooks_";
-        allowJsTransformationFunctions = false;
+        allowJsTransformationFunctions = true;
         waitForComplete = false;
       };
       feeds = {
         enabled = true;
         pollIntervalSeconds = 600;
       };
-      
+
       serviceBots = [
         { localpart = "bot_feeds";
           displayname = "Aya";
@@ -98,6 +94,11 @@ in
         }
       ];
 
+      widgets = {
+        roomSetupWidget.addOnInvite = false;
+        publicUrl = "https://hookshot.pvv.ntnu.no/widgetapi/v1/static";
+      };
+
       permissions = [
         # Users of the PVV Server
         { actor = "pvv.ntnu.no";
@@ -132,6 +133,7 @@ in
 
   services.nginx.virtualHosts."hookshot.pvv.ntnu.no" = {
     enableACME = true;
+    addSSL = true;
     locations."/" = {
       proxyPass = "http://${webhookListenAddress}:${toString webhookListenPort}";
     };

hosts/bicep/services/matrix/hookshot/module.nix

@@ -1,127 +0,0 @@
-{
-  config,
-  pkgs,
-  lib,
-  ...
-}:
-let
-  cfg = config.services.matrix-hookshot;
-  settingsFormat = pkgs.formats.yaml { };
-  configFile = settingsFormat.generate "matrix-hookshot-config.yml" cfg.settings;
-in
-{
-  options = {
-    services.matrix-hookshot = {
-      enable = lib.mkEnableOption "matrix-hookshot, a bridge between Matrix and project management services";
-
-      package = lib.mkPackageOption pkgs "matrix-hookshot" { };
-
-      registrationFile = lib.mkOption {
-        type = lib.types.path;
-        description = ''
-          Appservice registration file.
-          As it contains secret tokens, you may not want to add this to the publicly readable Nix store.
-        '';
-        example = lib.literalExpression ''
-          pkgs.writeText "matrix-hookshot-registration" \'\'
-            id: matrix-hookshot
-            as_token: aaaaaaaaaa
-            hs_token: aaaaaaaaaa
-            namespaces:
-              rooms: []
-              users:
-                - regex: "@_webhooks_.*:foobar"
-                  exclusive: true
-
-            sender_localpart: hookshot
-            url: "http://localhost:9993"
-            rate_limited: false
-            \'\'
-        '';
-      };
-
-      settings = lib.mkOption {
-        description = ''
-          {file}`config.yml` configuration as a Nix attribute set.
-
-          For details please see the [documentation](https://matrix-org.github.io/matrix-hookshot/latest/setup/sample-configuration.html).
-        '';
-        example = {
-          bridge = {
-            domain = "example.com";
-            url = "http://localhost:8008";
-            mediaUrl = "https://example.com";
-            port = 9993;
-            bindAddress = "127.0.0.1";
-          };
-          listeners = [
-            {
-              port = 9000;
-              bindAddress = "0.0.0.0";
-              resources = [ "webhooks" ];
-            }
-            {
-              port = 9001;
-              bindAddress = "localhost";
-              resources = [
-                "metrics"
-                "provisioning"
-              ];
-            }
-          ];
-        };
-        default = { };
-        type = lib.types.submodule {
-          freeformType = settingsFormat.type;
-          options = {
-            passFile = lib.mkOption {
-              type = lib.types.path;
-              default = "/var/lib/matrix-hookshot/passkey.pem";
-              description = ''
-                A passkey used to encrypt tokens stored inside the bridge.
-                File will be generated if not found.
-              '';
-            };
-          };
-        };
-      };
-
-      serviceDependencies = lib.mkOption {
-        type = with lib.types; listOf str;
-        default = lib.optional config.services.matrix-synapse.enable config.services.matrix-synapse.serviceUnit;
-        defaultText = lib.literalExpression ''
-          lib.optional config.services.matrix-synapse.enable config.services.matrix-synapse.serviceUnit
-        '';
-        description = ''
-          List of Systemd services to require and wait for when starting the application service,
-          such as the Matrix homeserver if it's running on the same host.
-        '';
-      };
-    };
-  };
-
-  config = lib.mkIf cfg.enable {
-    systemd.services.matrix-hookshot = {
-      description = "a bridge between Matrix and multiple project management services";
-
-      wantedBy = [ "multi-user.target" ];
-      wants = [ "network-online.target" ] ++ cfg.serviceDependencies;
-      after = [ "network-online.target" ] ++ cfg.serviceDependencies;
-
-      preStart = ''
-        if [ ! -f '${cfg.settings.passFile}' ]; then
-          mkdir -p $(dirname '${cfg.settings.passFile}')
-          ${pkgs.openssl}/bin/openssl genpkey -out '${cfg.settings.passFile}' -outform PEM -algorithm RSA -pkeyopt rsa_keygen_bits:4096
-        fi
-      '';
-
-      serviceConfig = {
-        Type = "simple";
-        Restart = "always";
-        ExecStart = "${cfg.package}/bin/matrix-hookshot ${configFile} ${cfg.registrationFile}";
-      };
-    };
-  };
-
-  meta.maintainers = with lib.maintainers; [ flandweber ];
-}

hosts/bicep/services/matrix/out-of-your-element.nix

@@ -0,0 +1,66 @@
+{ config, pkgs, fp, ... }:
+let
+  cfg = config.services.matrix-ooye;
+in
+{
+  users.groups.keys-matrix-registrations = { };
+
+  sops.secrets = {
+    "matrix/ooye/as_token" = {
+      sopsFile = fp /secrets/bicep/matrix.yaml;
+      key = "ooye/as_token";
+    };
+    "matrix/ooye/hs_token" = {
+      sopsFile = fp /secrets/bicep/matrix.yaml;
+      key = "ooye/hs_token";
+    };
+    "matrix/ooye/discord_token" = {
+      sopsFile = fp /secrets/bicep/matrix.yaml;
+      key = "ooye/discord_token";
+    };
+    "matrix/ooye/discord_client_secret" = {
+      sopsFile = fp /secrets/bicep/matrix.yaml;
+      key = "ooye/discord_client_secret";
+    };
+  };
+
+  services.matrix-ooye = {
+    enable = true;
+    homeserver = "https://matrix.pvv.ntnu.no";
+    homeserverName = "pvv.ntnu.no";
+    discordTokenPath = config.sops.secrets."matrix/ooye/discord_token".path;
+    discordClientSecretPath = config.sops.secrets."matrix/ooye/discord_client_secret".path;
+    bridgeOrigin = "https://ooye.pvv.ntnu.no";
+
+    enableSynapseIntegration = false;
+  };
+
+  systemd.services."matrix-synapse" = {
+    after = [
+      "matrix-ooye-pre-start.service"
+      "network-online.target"
+    ];
+    requires = [ "matrix-ooye-pre-start.service" ];
+    serviceConfig = {
+      LoadCredential = [
+        "matrix-ooye-registration:/var/lib/matrix-ooye/registration.yaml"
+      ];
+      ExecStartPre = [
+        "+${pkgs.coreutils}/bin/cp /run/credentials/matrix-synapse.service/matrix-ooye-registration ${config.services.matrix-synapse-next.dataDir}/ooye-registration.yaml"
+        "+${pkgs.coreutils}/bin/chown matrix-synapse:keys-matrix-registrations ${config.services.matrix-synapse-next.dataDir}/ooye-registration.yaml"
+      ];
+    };
+  };
+
+  services.matrix-synapse-next.settings = {
+    app_service_config_files = [
+      "${config.services.matrix-synapse-next.dataDir}/ooye-registration.yaml"
+    ];
+  };
+
+  services.nginx.virtualHosts."ooye.pvv.ntnu.no" = {
+    forceSSL = true;
+    enableACME = true;
+    locations."/".proxyPass = "http://localhost:${cfg.socket}";
+  };
+}

hosts/bicep/services/matrix/smtp-authenticator/default.nix

@@ -1,4 +1,4 @@
-{ lib, buildPythonPackage, fetchFromGitHub }:
+{ lib, buildPythonPackage, fetchFromGitHub, setuptools }:
 
 buildPythonPackage rec {
   pname = "matrix-synapse-smtp-auth";
@@ -6,6 +6,9 @@ buildPythonPackage rec {
 
   src = ./.;
 
+  pyproject = true;
+  build-system = [ setuptools ];
+
   doCheck = false;
 
   meta = with lib; {

hosts/bicep/services/matrix/synapse.nix

@@ -124,8 +124,8 @@ in {
         "fec0::/10"
 
         # NTNU
-        "129.241.0.0/16"
-        "2001:700:300::/44"
+        values.ntnu.ipv4-space
+        values.ntnu.ipv6-space
       ];
     };
   };

hosts/bicep/services/minecraft-heatmap.nix

@@ -0,0 +1,49 @@
+{ config, lib, pkgs, ... }:
+let
+  cfg = config.services.minecraft-heatmap;
+in
+{
+  sops.secrets."minecraft-heatmap/ssh-key/private" = {
+    mode = "600";
+  };
+
+  sops.secrets."minecraft-heatmap/postgres-passwd" = {
+    mode = "600";
+  };
+
+  services.minecraft-heatmap = {
+    enable = true;
+    database = {
+      host = "postgres.pvv.ntnu.no";
+      port = 5432;
+      name = "minecraft_heatmap";
+      user = "minecraft_heatmap";
+      passwordFile = config.sops.secrets."minecraft-heatmap/postgres-passwd".path;
+    };
+  };
+
+  systemd.services.minecraft-heatmap-ingest-logs = {
+    serviceConfig.LoadCredential = [
+      "sshkey:${config.sops.secrets."minecraft-heatmap/ssh-key/private".path}"
+    ];
+
+    preStart = let
+      knownHostsFile = pkgs.writeText "minecraft-heatmap-known-hosts" ''
+        innovation.pvv.ntnu.no ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE9O/y5uqcLKCodg2Q+XfZPH/AoUIyBlDhigImU+4+Kn
+        innovation.pvv.ntnu.no ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQClR9GvWeVPZHudlnFXhGHUX5sGX9nscsOsotnlQ4uVuGsgvRifsVsuDULlAFXwoV1tYp4vnyXlsVtMddpLI5ANOIDcZ4fgDxpfSQmtHKssNpDcfMhFJbfRVyacipjA4osxTxvLox/yjtVt+URjTHUA1MWzEwc26KfiOvWO5tCBTan7doN/4KOyT05GwBxwzUAwUmoGTacIITck2Y9qp4+xFYqehbXqPdBb15hFyd38OCQhtU1hWV2Yi18+hJ4nyjc/g5pr6mW09ULlFghe/BaTUXrTisYC6bMcJZsTDwsvld9581KPvoNZOTQhZPTEQCZZ1h54fe0ZHuveVB3TIHovZyjoUuaf4uiFOjJVaKRB+Ig+Il6r7tMUn9CyHtus/Nd86E0TFBzoKxM0OFu88oaUlDtZVrUJL5En1lGoimajebb1JPxllFN5hqIT+gVyMY6nRzkcfS7ieny/U4rzXY2rfz98selftgh3LsBywwADv65i+mPw1A/1QdND1R6fV4U=
+        innovation.pvv.ntnu.no ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNjl3HfsDqmALWCL9uhz9k93RAD2565ndBqUh4N/rvI7MCwEJ6iRCdDev0YzB1Fpg24oriyYoxZRP24ifC2sQf8=
+      '';
+    in ''
+      mkdir -p '${cfg.minecraftLogsDir}'
+      "${lib.getExe pkgs.rsync}" \
+      --archive \
+      --verbose \
+      --progress \
+      --no-owner \
+      --no-group \
+      --rsh="${pkgs.openssh}/bin/ssh -o UserKnownHostsFile=\"${knownHostsFile}\" -i \"$CREDENTIALS_DIRECTORY\"/sshkey" \
+      root@innovation.pvv.ntnu.no:/ \
+      '${cfg.minecraftLogsDir}'/
+    '';
+  };
+}

hosts/bicep/services/mysql.nix

@@ -48,6 +48,8 @@
     IPAddressAllow = [
       values.ipv4-space
       values.ipv6-space
+      values.hosts.ildkule.ipv4
+      values.hosts.ildkule.ipv6
     ];
   };
 }

hosts/bicep/services/postgres.nix

@@ -1,15 +1,15 @@
-{ config, pkgs, ... }:
+{ config, pkgs, values, ... }:
 {
   services.postgresql = {
     enable = true;
     package = pkgs.postgresql_15;
     enableTCPIP = true;
 
-    dataDir = "/data/postgresql";
-
     authentication = ''
-      host all all 129.241.210.128/25 md5
-      host all all 2001:700:300:1900::/64 md5
+      host all all ${values.ipv4-space} md5
+      host all all ${values.ipv6-space} md5
+      host all all ${values.hosts.ildkule.ipv4}/32 md5
+      host all all ${values.hosts.ildkule.ipv6}/32 md5
     '';
 
     # Hilsen https://pgconfigurator.cybertec-postgresql.com/
@@ -74,11 +74,40 @@
     };
   };
 
-  systemd.services.postgresql.serviceConfig = {
-    LoadCredential = [
-      "cert:/etc/certs/postgres.crt"
-      "key:/etc/certs/postgres.key"
+  systemd.tmpfiles.settings."10-postgresql"."/data/postgresql".d = {
+    user = config.systemd.services.postgresql.serviceConfig.User;
+    group = config.systemd.services.postgresql.serviceConfig.Group;
+    mode = "0700";
+  };
+
+  systemd.services.postgresql-setup = {
+    after = [
+      "systemd-tmpfiles-setup.service"
+      "systemd-tmpfiles-resetup.service"
     ];
+    serviceConfig = {
+      LoadCredential = [
+        "cert:/etc/certs/postgres.crt"
+        "key:/etc/certs/postgres.key"
+      ];
+
+      BindPaths = [ "/data/postgresql:/var/lib/postgresql" ];
+    };
+  };
+
+  systemd.services.postgresql = {
+    after = [
+      "systemd-tmpfiles-setup.service"
+      "systemd-tmpfiles-resetup.service"
+    ];
+    serviceConfig = {
+      LoadCredential = [
+        "cert:/etc/certs/postgres.crt"
+        "key:/etc/certs/postgres.key"
+      ];
+
+      BindPaths = [ "/data/postgresql:/var/lib/postgresql" ];
+    };
   };
 
   environment.snakeoil-certs."/etc/certs/postgres" = {

hosts/bob/configuration.nix

@@ -1,46 +0,0 @@
-{ config, fp, pkgs, values, ... }:
-{
-  imports = [
-      # Include the results of the hardware scan.
-      ./hardware-configuration.nix
-      (fp /base)
-      (fp /misc/metrics-exporters.nix)
-      ./disks.nix
-
-      (fp /misc/builder.nix)
-    ];
-
-  sops.defaultSopsFile = fp /secrets/bob/bob.yaml;
-  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
-  sops.age.keyFile = "/var/lib/sops-nix/key.txt";
-  sops.age.generateKey = true;
-
-  boot.loader.grub = {
-    enable = true;
-    efiSupport = true;
-    efiInstallAsRemovable = true;
-  };
-
-  networking.hostName = "bob"; # Define your hostname.
-
-  systemd.network.networks."30-all" = values.defaultNetworkConfig // {
-    matchConfig.Name = "en*";
-    DHCP = "yes";
-    gateway = [ ];
-  };
-
-  # List packages installed in system profile
-  environment.systemPackages = with pkgs; [
-  ];
-
-  # List services that you want to enable:
-
-  # This value determines the NixOS release from which the default
-  # settings for stateful data, like file locations and database versions
-  # on your system were taken. It‘s perfectly fine and recommended to leave
-  # this value at the release version of the first install of this system.
-  # Before changing this value read the documentation for this option
-  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
-  system.stateVersion = "23.05"; # Did you read the comment?
-
-}

hosts/bob/disks.nix

@@ -1,39 +0,0 @@
-# Example to create a bios compatible gpt partition
-{ lib, ... }:
-{
-  disko.devices = {
-    disk.disk1 = {
-      device = lib.mkDefault "/dev/sda";
-      type = "disk";
-      content = {
-        type = "gpt";
-        partitions = {
-          boot = {
-            name = "boot";
-            size = "1M";
-            type = "EF02";
-          };
-          esp = {
-            name = "ESP";
-            size = "500M";
-            type = "EF00";
-            content = {
-              type = "filesystem";
-              format = "vfat";
-              mountpoint = "/boot";
-            };
-          };
-          root = {
-            name = "root";
-            size = "100%";
-            content = {
-              type = "filesystem";
-              format = "ext4";
-              mountpoint = "/";
-            };
-          };
-        };
-      };
-    };
-  };
-}

hosts/georg/configuration.nix

@@ -25,6 +25,26 @@
 
   # List services that you want to enable:
 
+
+
+  services.spotifyd = {
+    enable = true;
+    settings.global = {
+      device_name = "georg";
+      use_mpris = false;
+      #dbus_type = "system";
+      #zeroconf_port = 1234;
+    };
+  };
+
+  networking.firewall.allowedTCPPorts = [
+    # config.services.spotifyd.settings.zeroconf_port
+    5353 # spotifyd is its own mDNS service wtf
+  ];
+
+
+
+
   # This value determines the NixOS release from which the default
   # settings for stateful data, like file locations and database versions
   # on your system were taken. It‘s perfectly fine and recommended to leave

hosts/ildkule/services/monitoring/dashboards/gitea-dashboard.json

@@ -1539,8 +1539,8 @@
     ]
   },
   "timezone": "browser",
-  "title": "Gitea Dashbaord",
+  "title": "Gitea Dashboard",
   "uid": "nNq1Iw5Gz",
   "version": 29,
   "weekStart": ""
-}
+}

hosts/ildkule/services/monitoring/grafana.nix

@@ -56,13 +56,12 @@ in {
           url = "https://raw.githubusercontent.com/matrix-org/synapse/develop/contrib/grafana/synapse.json";
           options.path = dashboards/synapse.json;
         }
-        # TODO: enable once https://github.com/NixOS/nixpkgs/pull/242365 gets merged
-        # {
-        #   name = "MySQL";
-        #   type = "file";
-        #   url = "https://raw.githubusercontent.com/prometheus/mysqld_exporter/main/mysqld-mixin/dashboards/mysql-overview.json";
-        #   options.path = dashboards/mysql.json;
-        # }
+        {
+          name = "MySQL";
+          type = "file";
+          url = "https://raw.githubusercontent.com/prometheus/mysqld_exporter/main/mysqld-mixin/dashboards/mysql-overview.json";
+          options.path = dashboards/mysql.json;
+        }
         {
           name = "Postgresql";
           type = "file";
@@ -76,10 +75,10 @@ in {
           options.path = dashboards/go-processes.json;
         }
         {
-          name = "Gitea Dashbaord";
+          name = "Gitea Dashboard";
           type = "file";
           url = "https://grafana.com/api/dashboards/17802/revisions/3/download";
-          options.path = dashboards/gitea-dashbaord.json;
+          options.path = dashboards/gitea-dashboard.json;
         }
       ];
 

hosts/ildkule/services/monitoring/prometheus/default.nix

@@ -2,12 +2,12 @@
   stateDir = "/data/monitoring/prometheus";
 in {
   imports = [
+    ./exim.nix
     ./gitea.nix
-    ./matrix-synapse.nix
-    # TODO: enable once https://github.com/NixOS/nixpkgs/pull/242365 gets merged
-    # ./mysqld.nix
-    ./postgres.nix
     ./machines.nix
+    ./matrix-synapse.nix
+    ./mysqld.nix
+    ./postgres.nix
   ];
 
   services.prometheus = {

hosts/ildkule/services/monitoring/prometheus/exim.nix

@@ -0,0 +1,14 @@
+{ ... }:
+{
+  services.prometheus = {
+    scrapeConfigs = [
+      {
+        job_name = "exim";
+        scrape_interval = "15s";
+        static_configs = [{
+          targets = [ "microbel.pvv.ntnu.no:9636" ];
+        }];
+      }
+    ];
+  };
+}

hosts/ildkule/services/monitoring/prometheus/machines.nix

@@ -1,54 +1,37 @@
 { config, ... }: let
   cfg = config.services.prometheus;
+
+  mkHostScrapeConfig = name: ports: {
+    labels.hostname = name;
+    targets = map (port: "${name}.pvv.ntnu.no:${toString port}") ports;
+  };
+
+  defaultNodeExporterPort = 9100;
+  defaultSystemdExporterPort = 9101;
+  defaultNixosExporterPort = 9102;
 in {
   services.prometheus.scrapeConfigs = [{
     job_name = "base_info";
     static_configs = [
-      { labels.hostname = "ildkule";
-        targets = [
-          "ildkule.pvv.ntnu.no:${toString cfg.exporters.node.port}"
-          "ildkule.pvv.ntnu.no:${toString cfg.exporters.systemd.port}"
-        ];
-      }
-      { labels.hostname = "bekkalokk";
-        targets = [
-          "bekkalokk.pvv.ntnu.no:9100"
-          "bekkalokk.pvv.ntnu.no:9101"
-        ];
-      }
-      { labels.hostname = "bicep";
-        targets = [
-          "bicep.pvv.ntnu.no:9100"
-          "bicep.pvv.ntnu.no:9101"
-        ];
-      }
-      { labels.hostname = "brzeczyszczykiewicz";
-        targets = [
-          "brzeczyszczykiewicz.pvv.ntnu.no:9100"
-          "brzeczyszczykiewicz.pvv.ntnu.no:9101"
-        ];
-      }
-      { labels.hostname = "georg";
-        targets = [
-          "georg.pvv.ntnu.no:9100"
-          "georg.pvv.ntnu.no:9101"
-        ];
-      }
-      { labels.hostname =  "hildring";
-        targets = [
-          "hildring.pvv.ntnu.no:9100"
-        ];
-      }
-      { labels.hostname =  "isvegg";
-        targets = [
-          "isvegg.pvv.ntnu.no:9100"
-        ];
-      }
-      { labels.hostname =  "microbel";
-        targets = [
-          "microbel.pvv.ntnu.no:9100"
-        ];
-      }
+      (mkHostScrapeConfig "ildkule" [ cfg.exporters.node.port cfg.exporters.systemd.port defaultNixosExporterPort ])
+
+      (mkHostScrapeConfig "bekkalokk" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
+      (mkHostScrapeConfig "bicep" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
+      (mkHostScrapeConfig "brzeczyszczykiewicz" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
+      (mkHostScrapeConfig "georg" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
+      (mkHostScrapeConfig "kommode" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
+      (mkHostScrapeConfig "ustetind" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
+      (mkHostScrapeConfig "wenche" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
+
+      (mkHostScrapeConfig "lupine-1" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
+      # (mkHostScrapeConfig "lupine-2" [ defaultNodeExporterPort defaultSystemdExporterPort ])
+      (mkHostScrapeConfig "lupine-3" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
+      (mkHostScrapeConfig "lupine-4" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
+      (mkHostScrapeConfig "lupine-5" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
+
+      (mkHostScrapeConfig "hildring" [ defaultNodeExporterPort ])
+      (mkHostScrapeConfig "isvegg" [ defaultNodeExporterPort ])
+      (mkHostScrapeConfig "microbel" [ defaultNodeExporterPort ])
     ];
   }];
 }

hosts/ildkule/services/monitoring/prometheus/mysqld.nix

@@ -1,7 +1,22 @@
 { config, ... }: let
   cfg = config.services.prometheus;
 in {
-  sops.secrets."config/mysqld_exporter" = { };
+  sops = {
+    secrets."config/mysqld_exporter_password" = { };
+
+    templates."mysqld_exporter.conf" = {
+      restartUnits = [ "prometheus-mysqld-exporter.service" ];
+      content = let
+        inherit (config.sops) placeholder;
+      in ''
+        [client]
+        host = mysql.pvv.ntnu.no
+        port = 3306
+        user = prometheus_mysqld_exporter
+        password = ${placeholder."config/mysqld_exporter_password"}
+      '';
+    };
+  };
 
   services.prometheus = {
     scrapeConfigs = [{
@@ -19,7 +34,7 @@ in {
 
     exporters.mysqld = {
       enable = true;
-      configFilePath = config.sops.secrets."config/mysqld_exporter".path;
+      configFile = config.sops.templates."mysqld_exporter.conf".path;
     };
   };
 }

hosts/kommode/configuration.nix

@@ -0,0 +1,34 @@
+{ pkgs, values, fp, ... }:
+{
+  imports = [
+    # Include the results of the hardware scan.
+    ./hardware-configuration.nix
+    (fp /base)
+    (fp /misc/metrics-exporters.nix)
+
+    ./services/gitea
+    ./services/nginx.nix
+  ];
+
+  sops.defaultSopsFile = fp /secrets/kommode/kommode.yaml;
+  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+  sops.age.keyFile = "/var/lib/sops-nix/key.txt";
+  sops.age.generateKey = true;
+
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+
+  networking.hostName = "kommode"; # Define your hostname.
+
+  systemd.network.networks."30-ens18" = values.defaultNetworkConfig // {
+    matchConfig.Name = "ens18";
+    address = with values.hosts.kommode; [ (ipv4 + "/25") (ipv6 + "/64") ];
+  };
+
+  services.btrfs.autoScrub.enable = true;
+
+  environment.systemPackages = with pkgs; [];
+
+  system.stateVersion = "24.11";
+}
+

hosts/kommode/hardware-configuration.nix

@@ -13,7 +13,20 @@
   boot.kernelModules = [ ];
   boot.extraModulePackages = [ ];
 
-  swapDevices = [ ];
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/d421538f-a260-44ae-8e03-47cac369dcc1";
+      fsType = "btrfs";
+    };
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/86CD-4C23";
+      fsType = "vfat";
+      options = [ "fmask=0077" "dmask=0077" ];
+    };
+
+  swapDevices =
+    [ { device = "/dev/disk/by-uuid/4cfbb41e-801f-40dd-8c58-0a0c1a6025f6"; }
+    ];
 
   # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
   # (the default) this is the recommended approach. When using systemd-networkd it's

hosts/kommode/services/gitea/customization/default.nix

@@ -0,0 +1,63 @@
+{ config, pkgs, lib, fp, ... }:
+let
+  cfg = config.services.gitea;
+in
+{
+  services.gitea-themes = {
+    monokai = pkgs.gitea-theme-monokai;
+    earl-grey = pkgs.gitea-theme-earl-grey;
+    pitch-black = pkgs.gitea-theme-pitch-black;
+    catppuccin = pkgs.gitea-theme-catppuccin;
+  };
+
+  systemd.services.gitea-customization = lib.mkIf cfg.enable {
+    description = "Install extra customization in gitea's CUSTOM_DIR";
+    wantedBy = [ "gitea.service" ];
+    requiredBy = [ "gitea.service" ];
+
+    serviceConfig =  {
+      Type = "oneshot";
+      User = cfg.user;
+      Group = cfg.group;
+    };
+
+    script = let
+      logo-svg = fp /assets/logo_blue_regular.svg;
+      logo-png = fp /assets/logo_blue_regular.png;
+
+      extraLinks = pkgs.writeText "gitea-extra-links.tmpl" ''
+        <a class="item" href="https://git.pvv.ntnu.no/Drift/-/projects/4">Tokyo Drift Issues</a>
+      '';
+
+      extraLinksFooter = pkgs.writeText "gitea-extra-links-footer.tmpl" ''
+        <a class="item" href="https://www.pvv.ntnu.no/">PVV</a>
+        <a class="item" href="https://wiki.pvv.ntnu.no/">Wiki</a>
+        <a class="item" href="https://wiki.pvv.ntnu.no/wiki/Tjenester/Kodelager">PVV Gitea Howto</a>
+      '';
+
+      project-labels = (pkgs.formats.yaml { }).generate "gitea-project-labels.yaml" {
+        labels = lib.importJSON ./labels/projects.json;
+      };
+
+      customTemplates = pkgs.runCommandLocal "gitea-templates" {
+        nativeBuildInputs = with pkgs; [
+          coreutils
+          gnused
+        ];
+      } ''
+        # Bigger icons
+        install -Dm444 "${cfg.package.src}/templates/repo/icon.tmpl" "$out/repo/icon.tmpl"
+        sed -i -e 's/24/60/g' "$out/repo/icon.tmpl"
+      '';
+    in ''
+      install -Dm444 ${logo-svg} ${cfg.customDir}/public/assets/img/logo.svg
+      install -Dm444 ${logo-png} ${cfg.customDir}/public/assets/img/logo.png
+      install -Dm444 ${./loading.apng} ${cfg.customDir}/public/assets/img/loading.png
+      install -Dm444 ${extraLinks} ${cfg.customDir}/templates/custom/extra_links.tmpl
+      install -Dm444 ${extraLinksFooter} ${cfg.customDir}/templates/custom/extra_links_footer.tmpl
+      install -Dm444 ${project-labels} ${cfg.customDir}/options/label/project-labels.yaml
+
+      "${lib.getExe pkgs.rsync}" -a "${customTemplates}/" ${cfg.customDir}/templates/
+    '';
+  };
+}

hosts/kommode/services/gitea/customization/labels/projects.json

@@ -0,0 +1,116 @@
+[
+  {
+    "name": "art",
+    "exclusive": false,
+    "color": "#006b75",
+    "description": "Requires some creativity"
+  },
+  {
+    "name": "big",
+    "exclusive": false,
+    "color": "#754bc4",
+    "description": "This is gonna take a while"
+  },
+  {
+    "name": "blocked",
+    "exclusive": false,
+    "color": "#850021",
+    "description": "This issue/PR depends on one or more other issues/PRs"
+  },
+  {
+    "name": "bug",
+    "exclusive": false,
+    "color": "#f05048",
+    "description": "Something brokey"
+  },
+  {
+    "name": "ci-cd",
+    "exclusive": false,
+    "color": "#d1ff78",
+    "description": "Continuous integrals and continuous derivation"
+  },
+  {
+    "name": "crash report",
+    "exclusive": false,
+    "color": "#ed1111",
+    "description": "Report an oopsie"
+  },
+  {
+    "name": "disputed",
+    "exclusive": false,
+    "color": "#5319e7",
+    "description": "Kranglefanter"
+  },
+  {
+    "name": "documentation",
+    "exclusive": false,
+    "color": "#fbca04",
+    "description": "Documentation changes required"
+  },
+  {
+    "name": "duplicate",
+    "exclusive": false,
+    "color": "#cccccc",
+    "description": "This issue or pull request already exists"
+  },
+  {
+    "name": "feature request",
+    "exclusive": false,
+    "color": "#0052cc",
+    "description": ""
+  },
+  {
+    "name": "good first issue",
+    "exclusive": false,
+    "color": "#009800",
+    "description": "Get your hands dirty with a new project here"
+  },
+  {
+    "name": "me gusta",
+    "exclusive": false,
+    "color": "#30ff36",
+    "description": "( ͡° ͜ʖ ͡°)"
+  },
+  {
+    "name": "packaging",
+    "exclusive": false,
+    "color": "#bf642b",
+    "description": ""
+  },
+  {
+    "name": "question",
+    "exclusive": false,
+    "color": "#cc317c",
+    "description": ""
+  },
+  {
+    "name": "security",
+    "exclusive": false,
+    "color": "#ed1111",
+    "description": "Skommel"
+  },
+  {
+    "name": "techdebt spring cleaning",
+    "exclusive": false,
+    "color": "#8c6217",
+    "description": "The code is smelly 👃"
+  },
+  {
+    "name": "testing",
+    "exclusive": false,
+    "color": "#52b373",
+    "description": "Poke it and see if it explodes"
+  },
+  {
+    "name": "ui/ux",
+    "exclusive": false,
+    "color": "#f28852",
+    "description": "User complaints about ergonomics and economics and whatever"
+  },
+  {
+    "name": "wontfix",
+    "exclusive": false,
+    "color": "#ffffff",
+    "description": "Nei, vil ikke"
+  }
+]

hosts/kommode/services/gitea/default.nix

@@ -1,30 +1,35 @@
-{ config, values, fp, pkgs, lib, ... }:
+{ config, values, lib, pkgs, unstablePkgs, ... }:
 let
   cfg = config.services.gitea;
   domain = "git.pvv.ntnu.no";
   sshPort  = 2222;
 in {
   imports = [
-    ./ci.nix
+    ./customization
+    ./gpg.nix
     ./import-users
     ./web-secret-provider
   ];
 
-  sops.secrets = {
-    "gitea/database" = {
-      owner = "gitea";
-      group = "gitea";
-    };
-    "gitea/email-password" = {
+  sops.secrets = let
+    defaultConfig = {
       owner = "gitea";
       group = "gitea";
     };
+  in {
+    "gitea/database" = defaultConfig;
+    "gitea/email-password" = defaultConfig;
+    "gitea/lfs-jwt-secret" = defaultConfig;
+    "gitea/oauth2-jwt-secret" = defaultConfig;
+    "gitea/secret-key" = defaultConfig;
   };
 
   services.gitea = {
     enable = true;
     appName = "PVV Git";
 
+    package = unstablePkgs.gitea;
+
     database = {
       type = "postgres";
       host = "postgres.pvv.ntnu.no";
@@ -42,9 +47,19 @@ in {
         ROOT_URL = "https://${domain}/";
         PROTOCOL = "http+unix";
         SSH_PORT = sshPort;
+        LANDING_PAGE = "explore";
         START_SSH_SERVER = true;
         START_LFS_SERVER = true;
-        LANDING_PAGE = "explore";
+        LFS_JWT_SECRET = lib.mkForce "";
+        LFS_JWT_SECRET_URI = "file:${config.sops.secrets."gitea/lfs-jwt-secret".path}";
+      };
+      oauth2 = {
+        JWT_SECRET = lib.mkForce "";
+        JWT_SECRET_URI = "file:${config.sops.secrets."gitea/oauth2-jwt-secret".path}";
+      };
+      "git.timeout" = {
+        MIGRATE = 3600;
+        MIRROR = 1800;
       };
       mailer = {
         ENABLED = true;
@@ -68,6 +83,10 @@ in {
       };
       admin.DEFAULT_EMAIL_NOTIFICATIONS = "onmention";
       session.COOKIE_SECURE = true;
+      security = {
+        SECRET_KEY = lib.mkForce "";
+        SECRET_KEY_URI = "file:${config.sops.secrets."gitea/secret-key".path}";
+      };
       database.LOG_SQL = false;
       repository = {
         PREFERRED_LICENSES = lib.concatStringsSep "," [
@@ -102,6 +121,10 @@ in {
       picture = {
         DISABLE_GRAVATAR = true;
         ENABLE_FEDERATED_AVATAR = false;
+
+        AVATAR_MAX_FILE_SIZE = 1024 * 1024 * 5;
+        # NOTE: go any bigger than this, and gitea will freeze your gif >:(
+        AVATAR_MAX_ORIGIN_SIZE = 1024 * 1024 * 2;
       };
       actions.ENABLED = true;
       ui = {
@@ -130,10 +153,23 @@ in {
       };
       "ui.meta".DESCRIPTION = "Bokstavelig talt programvareverkstedet";
     };
+
+    dump = {
+      enable = true;
+      interval = "weekly";
+      type = "tar.gz";
+    };
   };
 
   environment.systemPackages = [ cfg.package ];
 
+  systemd.services.gitea.serviceConfig.CPUSchedulingPolicy = "batch";
+
+  systemd.services.gitea.serviceConfig.CacheDirectory = "gitea/repo-archive";
+  systemd.services.gitea.serviceConfig.BindPaths = [
+    "%C/gitea/repo-archive:${cfg.stateDir}/data/repo-archive"
+  ];
+
   services.nginx.virtualHosts."${domain}" = {
     forceSSL = true;
     enableACME = true;
@@ -149,6 +185,7 @@ in {
         proxyPass = "http://unix:${cfg.settings.server.HTTP_ADDR}";
         extraConfig = ''
           allow ${values.hosts.ildkule.ipv4}/32;
+          allow ${values.hosts.ildkule.ipv6}/128;
           deny all;
         '';
       };
@@ -157,34 +194,30 @@ in {
 
   networking.firewall.allowedTCPPorts = [ sshPort ];
 
-  # Extra customization
+  systemd.services.gitea-dump = {
+    serviceConfig.ExecStart = let
+      args = lib.cli.toGNUCommandLineShell { } {
+        type = cfg.dump.type;
 
-  services.gitea-themes.monokai = pkgs.gitea-theme-monokai;
+        # This should be declarative on nixos, no need to backup.
+        skip-custom-dir = true;
 
-  systemd.services.install-gitea-customization = {
-    description = "Install extra customization in gitea's CUSTOM_DIR";
-    wantedBy = [ "gitea.service" ];
-    requiredBy = [ "gitea.service" ];
+        # This can be regenerated, no need to backup
+        skip-index = true;
 
-    serviceConfig =  {
-      Type = "oneshot";
-      User = cfg.user;
-      Group = cfg.group;
-    };
+        # Logs are stored in the systemd journal
+        skip-log = true;
+      };
+    in lib.mkForce "${lib.getExe cfg.package} ${args}";
 
-    script = let
-      logo-svg = fp /assets/logo_blue_regular.svg;
-      logo-png = fp /assets/logo_blue_regular.png;
-      extraLinks = pkgs.writeText "gitea-extra-links.tmpl" ''
-        <a class="item" href="https://www.pvv.ntnu.no/">PVV</a>
-        <a class="item" href="https://wiki.pvv.ntnu.no/">Wiki</a>
-        <a class="item" href="https://git.pvv.ntnu.no/Drift/-/projects/4">Tokyo Drift Issues</a>
-      '';
+    # Only keep n backup files at a time
+    postStop = let
+      cu = prog: "'${lib.getExe' pkgs.coreutils prog}'";
+      backupCount = 3;
     in ''
-      install -Dm444 ${logo-svg} ${cfg.customDir}/public/assets/img/logo.svg
-      install -Dm444 ${logo-png} ${cfg.customDir}/public/assets/img/logo.png
-      install -Dm444 ${./loading.apng} ${cfg.customDir}/public/assets/img/loading.png
-      install -Dm444 ${extraLinks} ${cfg.customDir}/templates/custom/extra_links.tmpl
-    '';
+      for file in $(${cu "ls"} -t1 '${cfg.dump.backupDir}' | ${cu "sort"} --reverse | ${cu "tail"} -n+${toString (backupCount + 1)}); do
+        ${cu "rm"} "$file"
+      done
+      '';
   };
 }

hosts/kommode/services/gitea/gpg.nix

@@ -0,0 +1,38 @@
+{ config, pkgs, lib, ... }:
+let
+  cfg = config.services.gitea;
+  GNUPGHOME = "${config.users.users.gitea.home}/gnupg";
+in
+{
+  sops.secrets."gitea/gpg-signing-key" = {
+    owner = cfg.user;
+    inherit (cfg) group;
+  };
+
+  systemd.services.gitea.environment = { inherit GNUPGHOME; };
+
+  systemd.tmpfiles.settings."20-gitea-gnugpg".${GNUPGHOME}.d = {
+    inherit (cfg) user group;
+    mode = "700";
+  };
+
+  systemd.services.gitea-ensure-gnupg-homedir = {
+    description = "Import gpg key for gitea";
+    environment = { inherit GNUPGHOME; };
+    serviceConfig = {
+      Type = "oneshot";
+      User = cfg.user;
+      PrivateNetwork = true;
+    };
+    script = ''
+      ${lib.getExe pkgs.gnupg} --import ${config.sops.secrets."gitea/gpg-signing-key".path}
+    '';
+  };
+
+  services.gitea.settings."repository.signing" = {
+    SIGNING_KEY = "0549C43374D2253C";
+    SIGNING_NAME = "PVV Git";
+    SIGNING_EMAIL = "gitea@git.pvv.ntnu.no";
+    INITIAL_COMMIT = "always";
+  };
+}

hosts/kommode/services/gitea/import-users/default.nix

@@ -11,7 +11,8 @@ in
 
   systemd.services.gitea-import-users = lib.mkIf cfg.enable {
     enable = true;
-    preStart=''${pkgs.rsync}/bin/rsync -e "${pkgs.openssh}/bin/ssh -o UserKnownHostsFile=$CREDENTIALS_DIRECTORY/ssh-known-hosts -i $CREDENTIALS_DIRECTORY/sshkey" -a pvv@smtp.pvv.ntnu.no:/etc/passwd /tmp/passwd-import'';
+    preStart=''${pkgs.rsync}/bin/rsync -e "${pkgs.openssh}/bin/ssh -o UserKnownHostsFile=$CREDENTIALS_DIRECTORY/ssh-known-hosts -i $CREDENTIALS_DIRECTORY/sshkey" -a pvv@smtp.pvv.ntnu.no:/etc/passwd /run/gitea-import-users/passwd'';
+    environment.PASSWD_FILE_PATH = "/run/gitea-import-users/passwd";
     serviceConfig = {
       ExecStart = pkgs.writers.writePython3 "gitea-import-users" {
         flakeIgnore = [
@@ -25,6 +26,7 @@ in
       ];
       DynamicUser="yes";
       EnvironmentFile=config.sops.secrets."gitea/import-user-env".path;
+      RuntimeDirectory = "gitea-import-users";
     };
   };
 

hosts/kommode/services/gitea/import-users/gitea-import-users.py

@@ -17,6 +17,10 @@ GITEA_API_URL = os.getenv('GITEA_API_URL')
 if GITEA_API_URL is None:
     GITEA_API_URL = 'https://git.pvv.ntnu.no/api/v1'
 
+PASSWD_FILE_PATH = os.getenv('PASSWD_FILE_PATH')
+if PASSWD_FILE_PATH is None:
+    PASSWD_FILE_PATH = '/tmp/passwd-import'
+
 
 def gitea_list_all_users() -> dict[str, dict[str, any]] | None:
     r = requests.get(
@@ -177,6 +181,7 @@ def ensure_gitea_user_is_part_of_team(
 # List of teams that all users should be part of by default
 COMMON_USER_TEAMS = [
     ("Projects", "Members"),
+    ("Grzegorz", "Members"),
     ("Kurs", "Members"),
 ]
 
@@ -186,7 +191,8 @@ def main():
     if existing_users is None:
         exit(1)
 
-    for username, name in passwd_file_parser("/tmp/passwd-import"):
+    print(f"Reading passwd entries from {PASSWD_FILE_PATH}")
+    for username, name in passwd_file_parser(PASSWD_FILE_PATH):
         print(f"Processing {username}")
         add_or_patch_gitea_user(username, name, existing_users)
         for org, team_name in COMMON_USER_TEAMS:

hosts/kommode/services/gitea/web-secret-provider/default.nix

@@ -3,6 +3,7 @@ let
   organizations = [
     "Drift"
     "Projects"
+    "Grzegorz"
     "Kurs"
   ];
 
@@ -27,6 +28,7 @@ in
   users.users."gitea-web" = {
     group = "gitea-web";
     isSystemUser = true;
+    shell = pkgs.bash;
   };
 
   sops.secrets."gitea/web-secret-provider/token" = {
@@ -58,6 +60,7 @@ in
           key-dir = "/var/lib/gitea-web/keys/%i";
           authorized-keys-path = "/var/lib/gitea-web/authorized_keys.d/%i";
           rrsync-script = pkgs.writeShellScript "rrsync-chown" ''
+            mkdir -p "$1"
             ${lib.getExe pkgs.rrsync} -wo "$1"
             ${pkgs.coreutils}/bin/chown -R gitea-web:gitea-web "$1"
           '';

hosts/kommode/services/gitea/web-secret-provider/gitea-web-secret-provider.py

@@ -34,7 +34,21 @@ def get_org_repo_list(args: argparse.Namespace, token: str):
         f"{args.api_url}/orgs/{args.org}/repos",
         headers = { 'Authorization': 'token ' + token },
     )
-    return [repo["name"] for repo in result.json()]
+
+    results = [repo["name"] for repo in result.json()]
+    target = int(result.headers['X-Total-Count'])
+
+    i = 2
+    while len(results) < target:
+        result = requests.get(
+            f"{args.api_url}/orgs/{args.org}/repos",
+            params = { 'page': i },
+            headers = { 'Authorization': 'token ' + token },
+        )
+        results += [repo["name"] for repo in result.json()]
+        i += 1
+
+    return results
 
 
 def generate_ssh_key(args: argparse.Namespace, repository: str):

hosts/kommode/services/nginx.nix

@@ -1,5 +1,4 @@
-{ config, lib, ... }:
-
+{ ... }:
 {
   services.nginx.enable = true;
 }

hosts/kvernberg/configuration.nix

@@ -1,45 +0,0 @@
-{ config, fp, pkgs, values, ... }:
-{
-  imports = [
-    # Include the results of the hardware scan.
-    ./hardware-configuration.nix
-    (fp /base)
-    (fp /misc/metrics-exporters.nix)
-    ./disks.nix
-
-    ./services/nginx.nix
-    ./services/pvvvvvv
-  ];
-
-  sops.defaultSopsFile = fp /secrets/kvernberg/kvernberg.yaml;
-  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
-  sops.age.keyFile = "/var/lib/sops-nix/key.txt";
-  sops.age.generateKey = true;
-
-  boot.loader.systemd-boot.enable = true;
-  boot.loader.efi.canTouchEfiVariables = true;
- 
-  networking.hostName = "kvernberg"; # Define your hostname.
-
-  systemd.network.networks."30-all" = values.defaultNetworkConfig // {
-    matchConfig.Name = "en*";
-    address = with values.hosts.kvernberg; [ (ipv4 + "/25") (ipv6 + "/64") ];
-  };
-
-  # List packages installed in system profile
-  environment.systemPackages = with pkgs; [
-    
-  ];
-
-  # No devices with SMART
-  services.smartd.enable = false;
-
-  # This value determines the NixOS release from which the default
-  # settings for stateful data, like file locations and database versions
-  # on your system were taken. It‘s perfectly fine and recommended to leave
-  # this value at the release version of the first install of this system.
-  # Before changing this value read the documentation for this option
-  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
-  system.stateVersion = "24.05"; # Did you read the comment?
-
-}

hosts/kvernberg/disks.nix

@@ -1,39 +0,0 @@
-# Example to create a bios compatible gpt partition
-{ lib, ... }:
-{
-  disko.devices = {
-    disk.disk1 = {
-      device = lib.mkDefault "/dev/sda";
-      type = "disk";
-      content = {
-        type = "gpt";
-        partitions = {
-          boot = {
-            name = "boot";
-            size = "1M";
-            type = "EF02";
-          };
-          esp = {
-            name = "ESP";
-            size = "500M";
-            type = "EF00";
-            content = {
-              type = "filesystem";
-              format = "vfat";
-              mountpoint = "/boot";
-            };
-          };
-          root = {
-            name = "root";
-            size = "100%";
-            content = {
-              type = "filesystem";
-              format = "ext4";
-              mountpoint = "/";
-            };
-          };
-        };
-      };
-    };
-  };
-}

hosts/kvernberg/services/pvvvvvv/bank.nix

@@ -1,51 +0,0 @@
-{ config, lib, pkgs, ... }:
-let
-  cfg = config.services.libeufin.bank;
-  tcfg = config.services.taler;
-  inherit (tcfg.settings.taler) CURRENCY;
-in {
-  services.libeufin.bank = {
-    enable = true;
-    debug = true;
-    createLocalDatabase = true;
-    initialAccounts = [
-      { username = "exchange";
-        password = "exchange";
-        name = "Exchange";
-      }
-    ];
-    settings = {
-      libeufin-bank = {
-        WIRE_TYPE = "x-taler-bank";
-        X_TALER_BANK_PAYTO_HOSTNAME = "bank.kvernberg.pvv.ntnu.no";
-        BASE_URL = "bank.kvernberg.pvv.ntnu.no/";
-
-        ALLOW_REGISTRATION = "yes";
-
-        REGISTRATION_BONUS_ENABLED = "yes";
-        REGISTRATION_BONUS = "${CURRENCY}:500";
-
-        DEFAULT_DEBT_LIMIT = "${CURRENCY}:0";
-
-        ALLOW_CONVERSION = "no";
-        ALLOW_EDIT_CASHOUT_PAYTO_URI = "yes";
-
-        SUGGESTED_WITHDRAWAL_EXCHANGE = "https://exchange.kvernberg.pvv.ntnu.no/";
-
-        inherit CURRENCY;
-      };
-    };
-  };
-
-  services.nginx.virtualHosts."bank.kvernberg.pvv.ntnu.no" = {
-    enableACME = true;
-    forceSSL = true;
-    kTLS = true;
-    locations."/" = {
-      proxyPass = "http://127.0.0.1:8082";
-      extraConfig = ''
-         proxy_read_timeout 300s; 
-      '';
-    };
-  };
-}

hosts/kvernberg/services/pvvvvvv/default.nix

@@ -1,13 +0,0 @@
-{
-  imports = [
-    ./exchange.nix
-    ./bank.nix
-  ];
-
-  services.taler = {
-    settings = {
-      taler.CURRENCY = "SCHPENN";
-      taler.CURRENCY_ROUND_UNIT = "${cfg.settings.taler.CURRENCY}:1";
-    };
-  };
-}

hosts/kvernberg/services/pvvvvvv/exchange.nix

@@ -1,187 +0,0 @@
-{ config, lib, fp, pkgs, ... }:
-let
-  cfg = config.services.taler;
-  inherit (cfg.settings.taler) CURRENCY;
-in {
-  sops.secrets.exchange-offline-master = {
-    format = "binary";
-    sopsFile = fp /secrets/kvernberg/exhange-offline-master.priv;
-  };
-
-  services.taler.exchange = {
-    enable = true;
-    debug = true;
-    denominationConfig = ''
-      ## Old denomination names cannot be used again
-      # [COIN-${CURRENCY}-k1-1-0]
-
-      ## NOK Denominations
-      [coin-${CURRENCY}-nok-1-0]
-      VALUE = ${CURRENCY}:1
-      DURATION_WITHDRAW = 7 days
-      DURATION_SPEND = 1 years
-      DURATION_LEGAL = 3 years
-      FEE_WITHDRAW = ${CURRENCY}:0
-      FEE_DEPOSIT = ${CURRENCY}:0
-      FEE_REFRESH = ${CURRENCY}:0
-      FEE_REFUND = ${CURRENCY}:0
-      RSA_KEYSIZE = 2048
-      CIPHER = RSA
-      
-      [coin-${CURRENCY}-nok-5-0]
-      VALUE = ${CURRENCY}:5
-      DURATION_WITHDRAW = 7 days
-      DURATION_SPEND = 1 years
-      DURATION_LEGAL = 3 years
-      FEE_WITHDRAW = ${CURRENCY}:0
-      FEE_DEPOSIT = ${CURRENCY}:0
-      FEE_REFRESH = ${CURRENCY}:0
-      FEE_REFUND = ${CURRENCY}:0
-      RSA_KEYSIZE = 2048
-      CIPHER = RSA
-
-      [coin-${CURRENCY}-nok-10-0]
-      VALUE = ${CURRENCY}:10
-      DURATION_WITHDRAW = 7 days
-      DURATION_SPEND = 1 years
-      DURATION_LEGAL = 3 years
-      FEE_WITHDRAW = ${CURRENCY}:0
-      FEE_DEPOSIT = ${CURRENCY}:0
-      FEE_REFRESH = ${CURRENCY}:0
-      FEE_REFUND = ${CURRENCY}:0
-      RSA_KEYSIZE = 2048
-      CIPHER = RSA
-      
-      [coin-${CURRENCY}-nok-20-0]
-      VALUE = ${CURRENCY}:20
-      DURATION_WITHDRAW = 7 days
-      DURATION_SPEND = 1 years
-      DURATION_LEGAL = 3 years
-      FEE_WITHDRAW = ${CURRENCY}:0
-      FEE_DEPOSIT = ${CURRENCY}:0
-      FEE_REFRESH = ${CURRENCY}:0
-      FEE_REFUND = ${CURRENCY}:0
-      RSA_KEYSIZE = 2048
-      CIPHER = RSA
-      
-      [coin-${CURRENCY}-nok-50-0]
-      VALUE = ${CURRENCY}:50
-      DURATION_WITHDRAW = 7 days
-      DURATION_SPEND = 1 years
-      DURATION_LEGAL = 3 years
-      FEE_WITHDRAW = ${CURRENCY}:0
-      FEE_DEPOSIT = ${CURRENCY}:0
-      FEE_REFRESH = ${CURRENCY}:0
-      FEE_REFUND = ${CURRENCY}:0
-      RSA_KEYSIZE = 2048
-      CIPHER = RSA
-      
-      [coin-${CURRENCY}-nok-100-0]
-      VALUE = ${CURRENCY}:100
-      DURATION_WITHDRAW = 7 days
-      DURATION_SPEND = 1 years
-      DURATION_LEGAL = 3 years
-      FEE_WITHDRAW = ${CURRENCY}:0
-      FEE_DEPOSIT = ${CURRENCY}:0
-      FEE_REFRESH = ${CURRENCY}:0
-      FEE_REFUND = ${CURRENCY}:0
-      RSA_KEYSIZE = 2048
-      CIPHER = RSA
-      
-      [coin-${CURRENCY}-nok-200-0]
-      VALUE = ${CURRENCY}:200
-      DURATION_WITHDRAW = 7 days
-      DURATION_SPEND = 1 years
-      DURATION_LEGAL = 3 years
-      FEE_WITHDRAW = ${CURRENCY}:0
-      FEE_DEPOSIT = ${CURRENCY}:0
-      FEE_REFRESH = ${CURRENCY}:0
-      FEE_REFUND = ${CURRENCY}:0
-      RSA_KEYSIZE = 2048
-      CIPHER = RSA
-      
-      [coin-${CURRENCY}-nok-500-0]
-      VALUE = ${CURRENCY}:500
-      DURATION_WITHDRAW = 7 days
-      DURATION_SPEND = 1 years
-      DURATION_LEGAL = 3 years
-      FEE_WITHDRAW = ${CURRENCY}:0
-      FEE_DEPOSIT = ${CURRENCY}:0
-      FEE_REFRESH = ${CURRENCY}:0
-      FEE_REFUND = ${CURRENCY}:0
-      RSA_KEYSIZE = 2048
-      CIPHER = RSA
-      
-      [coin-${CURRENCY}-nok-1000-0]
-      VALUE = ${CURRENCY}:1000
-      DURATION_WITHDRAW = 7 days
-      DURATION_SPEND = 1 years
-      DURATION_LEGAL = 3 years
-      FEE_WITHDRAW = ${CURRENCY}:0
-      FEE_DEPOSIT = ${CURRENCY}:0
-      FEE_REFRESH = ${CURRENCY}:0
-      FEE_REFUND = ${CURRENCY}:0
-      RSA_KEYSIZE = 2048
-      CIPHER = RSA
-
-      ## PVV Special Prices
-      # 2024 pizza egenandel
-      [coin-${CURRENCY}-pvv-64-0]
-      VALUE = ${CURRENCY}:64
-      DURATION_WITHDRAW = 7 days
-      DURATION_SPEND = 1 years
-      DURATION_LEGAL = 3 years
-      FEE_WITHDRAW = ${CURRENCY}:0
-      FEE_DEPOSIT = ${CURRENCY}:0
-      FEE_REFRESH = ${CURRENCY}:0
-      FEE_REFUND = ${CURRENCY}:0
-      RSA_KEYSIZE = 2048
-      CIPHER = RSA
-    '';
-    settings = {
-      exchange = {
-        inherit (config.services.taler.settings.taler) CURRENCY CURRENCY_ROUND_UNIT; 
-        MASTER_PUBLIC_KEY = "J331T37C8E58P9CVE686P1JFH11DWSRJ3RE4GVDTXKES9M24ERZG";
-        BASE_URL = "https://exchange.kvernberg.pvv.ntnu.no/";
-        TERMS_DIR = "${./terms}";
-        TERMS_ETAG = "0";
-        ENABLE_KYC = "NO";
-      };
-      exchange-offline = {
-        MASTER_PRIV_FILE = config.sops.secrets.exchange-offline-master.path;
-      };
-      exchange-account-test = {
-        PAYTO_URI = "payto://x-taler-bank/bank.kvernberg.pvv.ntnu.no/exchange?receiver-name=Exchange";
-        ENABLE_DEBIT = "YES";
-        ENABLE_CREDIT = "YES";
-      };
-      exchange-accountcredentials-test = {
-        WIRE_GATEWAY_URL = "https://bank.kvernberg.pvv.ntnu.no/accounts/exchange/taler-wire-gateway/";
-        WIRE_GATEWAY_AUTH_METHOD = "BASIC";
-        USERNAME = "exchange";
-        PASSWORD = "exchange";
-      };
-      "currency-${CURRENCY}" = {
-        ENABLED = "YES";
-        CODE = "SCHPENN";
-        NAME = "SCHPENN";
-        FRACTIONAL_NORMAL_DIGITS = 0;
-        FRACTIONAL_INPUT_DIGITS = 0;
-        FRACTIONAL_TRAILING_ZERO_DIGITS = 0;
-        ALT_UNIT_NAMES = "{\"0\": \"S\"}";
-      };
-    };
-  };
-
-  services.nginx.virtualHosts."exchange.kvernberg.pvv.ntnu.no" = {
-    enableACME = true;
-    forceSSL = true;
-    kTLS = true;
-    locations."/" = {
-      proxyPass = "http://127.0.0.1:8081";
-      extraConfig = ''
-        proxy_read_timeout 300s;
-      '';
-    };
-  };
-}

hosts/kvernberg/services/pvvvvvv/terms/en/0.txt

@@ -1,147 +0,0 @@
-Terms of Service
-================
-
-Last update: 19.11.2024
-----------------------
-
-Welcome! A subset of PVVers who cares about Dibbler (“we,” “our,” or “us”) provides a experimental payment service
-through our Internet presence (collectively the “Services”). Before using our
-Services, please read the Terms of Service (the “Terms” or the “Agreement”)
-carefully.
-
-Overview
---------
-
-This section provides a brief summary of the highlights of this
-Agreement. Please note that when you accept this Agreement, you are accepting
-all of the terms and conditions and not just this section. We and possibly
-other third parties provide Internet services which interact with the Taler
-Wallet’s self-hosted personal payment application. When using the Taler Wallet
-to interact with our Services, you are agreeing to our Terms, so please read
-carefully.
-
-Research
-----------
-
-This is research, any dibbler credits sent to the dibbler account could be lost at any time.
-We would make an effort to send the credits back to their canonical owners, but this may be difficult.
-We make no guarantees on the state of this. The dibbler economy is totally unsecured, and so are these services!
-Usage is wholly on your own risk.
-
-Highlights:
------------
-
-* You are responsible for keeping the data in your Taler Wallet at all times under your control. Any losses arising from you not being in control of your private information are your problem.
-
-* For our Services, we may charge transaction fees. The specific fee structure is provided based on the Taler protocol and should be shown to you when you withdraw electronic coins using a Taler Wallet. You agree and understand that the Taler protocol allows for the fee structure to change.
-
-* You agree to not intentionally overwhelm our systems with requests and follow responsible disclosure if you find security issues in our services.
-
-* We cannot be held accountable for our Services not being available due to circumstances beyond our control. If we modify or terminate our services, we will try to give you the opportunity to recover your funds. However, given the experimental state of the Services today, this may not be possible. You are strongly advised to limit your use of the Service to small-scale experiments expecting total loss of all funds.
-
-These terms outline approved uses of our Services. The Services and these
-Terms are still at an experimental stage. If you have any questions or
-comments related to this Agreement, please send us a message on IRC, or on our Matrix server.
-If you do not agree to this Agreement, you must not use our Services.
-
-How you accept this policy
---------------------------
-
-By sending funds to us (to top-up your Taler Wallet), you acknowledge that you
-have read, understood, and agreed to these Terms. We reserve the right to
-change these Terms at any time. If you disagree with the change, we may in the
-future offer you with an easy option to recover your unspent funds. However,
-in the current experimental period you acknowledge that this feature is not
-yet available, resulting in your funds being lost unless you accept the new
-Terms. If you continue to use our Services other than to recover your unspent
-funds, your continued use of our Services following any such change will
-signify your acceptance to be bound by the then current Terms. Please check
-the effective date above to determine if there have been any changes since you
-have last reviewed these Terms.
-
-Services
---------
-
-We will try to transfer funds that we hold in escrow for our users to any
-legal recipient to the best of our ability and within the limitations of the
-law and our implementation. However, the Services offered today are highly
-experimental and the set of recipients of funds is severely restricted. The
-Taler Wallet can be loaded by exchanging ordinary dibbler credit for electronic
-coins. We are providing this exchange service. Once your Taler Wallet is
-loaded with electronic coins they can be spent for purchases if the seller is
-accepting Taler as a means of payment. We are not guaranteeing that any seller
-is accepting Taler at all or a particular seller. The seller or recipient of
-deposits of electronic coins must specify the target account, as per the
-design of the Taler protocol. They are responsible for following the protocol
-and specifying the correct dibbler account, and are solely liable for any losses
-that may arise from specifying the wrong account. We will allow the government
-to link wire transfers to the underlying contract hash. It is the
-responsibility of recipients to preserve the full contracts and to pay
-whatever taxes and charges may be applicable. Technical issues may lead to
-situations where we are unable to make transfers at all or lead to incorrect
-transfers that cannot be reversed. We will only refuse to execute transfers if
-the transfers are prohibited by a competent legal authority and we are ordered
-to do so.
-
-When using our Services, you agree to not take any action that intentionally
-imposes an unreasonable load on our infrastructure. If you find security
-problems in our Services, you agree to first report them to
-security@taler-systems.com and grant us the right to publish your report. We
-warrant that we will ourselves publicly disclose any issues reported within 3
-months, and that we will not prosecute anyone reporting security issues if
-they did not exploit the issue beyond a proof-of-concept, and followed the
-above responsible disclosure practice.
-
-Fees
-----
-
-You agree to pay the fees for exchanges and withdrawals completed via the
-Taler Wallet ("Fees") as defined by us, which we may change from time to
-time.
-
-
-Copyrights and trademarks
--------------------------
-
-The Taler Wallet is released under the terms of the GNU General Public License
-(GNU GPL). You have the right to access, use, and share the Taler Wallet, in
-modified or unmodified form. However, the GPL is a strong copyleft license,
-which means that any derivative works must be distributed under the same
-license terms as the original software. If you have any questions, you should
-review the GNU GPL’s full terms and conditions on the GNU GPL Licenses page 
-(https://www.gnu.org/licenses/). “Taler” itself is a trademark
-of Taler Systems SA. You are welcome to use the name in relation to processing
-payments based on the Taler protocol, assuming your use is compatible with an
-official release from the GNU Project that is not older than two years.
-
-
-
-Discontinuance of services and Force majeure
---------------------------------------------
-
-We may, in our sole discretion and without cost to you, with or without prior
-notice, and at any time, modify or discontinue, temporarily or permanently,
-any portion of our Services. We will use the Taler protocol’s provisions to
-notify Wallets if our Services are to be discontinued. It is your
-responsibility to ensure that the Taler Wallet is online at least once every
-three months to observe these notifications. We shall not be held responsible
-or liable for any loss of funds in the event that we discontinue or depreciate
-the Services and your Taler Wallet fails to transfer out the coins within a
-three months notification period.
-
-We shall not be held liable for any delays, failure in performance, or
-interruptions of service which result directly or indirectly from any cause or
-condition beyond our reasonable control, including but not limited to: any
-delay or failure due to any act of God, act of civil or military authorities,
-act of terrorism, civil disturbance, war, strike or other labor dispute, fire,
-interruption in telecommunications or Internet services or network provider
-services, failure of equipment and/or software, other catastrophe, or any
-other occurrence which is beyond our reasonable control and shall not affect
-the validity and enforceability of any remaining provisions.
-
-
-Questions or comments
----------------------
-
-We welcome comments, questions, concerns, or suggestions. Please send us a
-message via the usual communication channels at PVV

hosts/lupine/configuration.nix

@@ -0,0 +1,35 @@
+{ fp, values, lupineName, ... }:
+{
+  imports = [
+    ./hardware-configuration/${lupineName}.nix
+
+    (fp /base)
+    (fp /misc/metrics-exporters.nix)
+
+    ./services/gitea-runner.nix
+  ];
+
+  sops.defaultSopsFile = fp /secrets/lupine/lupine.yaml;
+  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+  sops.age.keyFile = "/var/lib/sops-nix/key.txt";
+  sops.age.generateKey = true;
+
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+
+  systemd.network.networks."30-enp0s31f6" = values.defaultNetworkConfig // {
+    matchConfig.Name = "enp0s31f6";
+    address = with values.hosts.${lupineName}; [ (ipv4 + "/25") (ipv6 + "/64") ];
+    networkConfig.LLDP = false;
+  };
+  systemd.network.wait-online = {
+    anyInterface = true;
+  };
+
+  # There are no smart devices
+  services.smartd.enable = false;
+
+  # Do not change, even during upgrades.
+  # See https://search.nixos.org/options?show=system.stateVersion
+  system.stateVersion = "25.05";
+}

hosts/lupine/hardware-configuration/lupine-1.nix

@@ -0,0 +1,40 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "sd_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/a949e2e8-d973-4925-83e4-bcd815e65af7";
+      fsType = "ext4";
+    };
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/81D6-38D3";
+      fsType = "vfat";
+      options = [ "fmask=0077" "dmask=0077" ];
+    };
+
+  swapDevices =
+    [ { device = "/dev/disk/by-uuid/82c2d7fa-7cd0-4398-8cf6-c892bc56264b"; }
+    ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp0s31f6.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}

hosts/lupine/hardware-configuration/lupine-2.nix

@@ -0,0 +1,40 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "sd_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/aa81d439-800b-403d-ac10-9d2aac3619d0";
+      fsType = "ext4";
+    };
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/4A34-6AE5";
+      fsType = "vfat";
+      options = [ "fmask=0077" "dmask=0077" ];
+    };
+
+  swapDevices =
+    [ { device = "/dev/disk/by-uuid/efb7cd0c-c1ae-4a86-8bc2-8e7fd0066650"; }
+    ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp0s31f6.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}

hosts/lupine/hardware-configuration/lupine-3.nix

@@ -0,0 +1,40 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "sd_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/39ba059b-3205-4701-a832-e72c0122cb88";
+      fsType = "ext4";
+    };
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/63FA-297B";
+      fsType = "vfat";
+      options = [ "fmask=0077" "dmask=0077" ];
+    };
+
+  swapDevices =
+    [ { device = "/dev/disk/by-uuid/9c72eb54-ea8c-4b09-808a-8be9b9a33869"; }
+    ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp0s31f6.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}

hosts/lupine/hardware-configuration/lupine-4.nix

@@ -5,20 +5,30 @@
 
 {
   imports =
-    [ (modulesPath + "/profiles/qemu-guest.nix")
+    [ (modulesPath + "/installer/scan/not-detected.nix")
     ];
 
-  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_blk" ];
+  boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "sd_mod" ];
   boot.initrd.kernelModules = [ ];
-  boot.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" ];
   boot.extraModulePackages = [ ];
 
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/c7bbb293-a0a3-4995-8892-0ec63e8c67dd";
+      fsType = "ext4";
+    };
+
+  swapDevices =
+    [ { device = "/dev/disk/by-uuid/a86ffda8-8ecb-42a1-bf9f-926072e90ca5"; }
+    ];
+
   # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
   # (the default) this is the recommended approach. When using systemd-networkd it's
   # still possible to use this option, but it's recommended to use it in conjunction
   # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
   networking.useDHCP = lib.mkDefault true;
-  # networking.interfaces.ens3.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp0s31f6.useDHCP = lib.mkDefault true;
 
   nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 }

hosts/lupine/hardware-configuration/lupine-5.nix

@@ -0,0 +1,40 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "sd_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/5f8418ad-8ec1-4f9e-939e-f3a4c36ef343";
+      fsType = "ext4";
+    };
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/F372-37DF";
+      fsType = "vfat";
+      options = [ "fmask=0077" "dmask=0077" ];
+    };
+
+  swapDevices =
+    [ { device = "/dev/disk/by-uuid/27bf292d-bbb3-48c4-a86e-456e0f1f648f"; }
+    ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp0s31f6.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}

hosts/lupine/services/gitea-runner.nix

@@ -0,0 +1,71 @@
+{ config, lupineName, ... }:
+{
+  # This is unfortunately state, and has to be generated one at a time :(
+  # To do that, comment out all except one of the runners, fill in its token
+  # inside the sops file, rebuild the system, and only after this runner has
+  # successfully registered will gitea give you the next token.
+  # - oysteikt Sep 2023
+  sops = {
+    secrets."gitea/runners/token" = {
+      key = "gitea/runners/${lupineName}";
+    };
+
+    templates."gitea-runner-envfile" = {
+      restartUnits = [
+        "gitea-runner-${lupineName}.service"
+      ];
+      content = ''
+        TOKEN="${config.sops.placeholder."gitea/runners/token"}"
+      '';
+    };
+  };
+
+  services.gitea-actions-runner.instances = {
+    ${lupineName} = {
+      enable = true;
+      name = "git-runner-${lupineName}";
+      url = "https://git.pvv.ntnu.no";
+      # NOTE: gitea actions runners need node inside their docker images,
+      #       so we are a bit limited here.
+      labels = [
+        "debian-latest:docker://node:current-trixie"
+        "debian-trixie:docker://node:current-trixie"
+        "debian-bookworm:docker://node:current-bookworm"
+        "debian-bullseye:docker://node:current-bullseye"
+
+        "debian-latest-slim:docker://node:current-trixie-slim"
+        "debian-trixie-slim:docker://node:current-trixie-slim"
+        "debian-bookworm-slim:docker://node:current-bookworm-slim"
+        "debian-bullseye-slim:docker://node:current-bullseye-slim"
+
+        "alpine-latest:docker://node:current-alpine"
+        "alpine-3.22:docker://node:current-alpine3.22"
+        "alpine-3.21:docker://node:current-alpine3.21"
+
+        # See https://gitea.com/gitea/runner-images
+        "ubuntu-latest:docker://docker.gitea.com/runner-images:ubuntu-latest"
+        "ubuntu-24.04:docker://docker.gitea.com/runner-images:ubuntu-24.04"
+        "ubuntu-noble:docker://docker.gitea.com/runner-images:ubuntu-24.04"
+        "ubuntu-22.04:docker://docker.gitea.com/runner-images:ubuntu-22.04"
+        "ubuntu-jammy:docker://docker.gitea.com/runner-images:ubuntu-22.04"
+
+        "ubuntu-latest-slim:docker://docker.gitea.com/runner-images:ubuntu-latest-slim"
+        "ubuntu-24.04-slim:docker://docker.gitea.com/runner-images:ubuntu-24.04-slim"
+        "ubuntu-noble-slim:docker://docker.gitea.com/runner-images:ubuntu-24.04-slim"
+        "ubuntu-22.04-slim:docker://docker.gitea.com/runner-images:ubuntu-22.04-slim"
+        "ubuntu-jammy-slim:docker://docker.gitea.com/runner-images:ubuntu-22.04-slim"
+      ];
+      tokenFile = config.sops.templates."gitea-runner-envfile".path;
+    };
+  };
+
+  virtualisation.podman = {
+    enable = true;
+    defaultNetwork.settings.dns_enabled = true;
+    autoPrune.enable = true;
+  };
+
+  networking.dhcpcd.IPv6rs = false;
+
+  networking.firewall.interfaces."podman+".allowedUDPPorts = [53 5353];
+}

hosts/ustetind/configuration.nix

@@ -0,0 +1,44 @@
+{ config, fp, pkgs, lib, values, ... }:
+
+{
+  imports = [
+    (fp /base)
+    (fp /misc/metrics-exporters.nix)
+
+    ./services/gitea-runners.nix
+  ];
+
+  sops.defaultSopsFile = fp /secrets/ustetind/ustetind.yaml;
+  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+  sops.age.keyFile = "/var/lib/sops-nix/key.txt";
+  sops.age.generateKey = true;
+
+  networking.hostName = "ustetind";
+
+  networking.useHostResolvConf = lib.mkForce false;
+
+  systemd.network.networks = {
+    "30-lxc-eth" = values.defaultNetworkConfig // {
+      matchConfig = {
+        Type = "ether";
+        Kind = "veth";
+        Name = [
+          "eth*"
+        ];
+      };
+      address = with values.hosts.ustetind; [ (ipv4 + "/25") (ipv6 + "/64") ];
+    };
+    "40-podman-veth" = values.defaultNetworkConfig // {
+      matchConfig = {
+        Type = "ether";
+        Kind = "veth";
+        Name = [
+          "veth*"
+        ];
+      };
+      DHCP = "yes";
+    };
+  };
+
+  system.stateVersion = "24.11";
+}

hosts/ustetind/services/gitea-runners.nix

@@ -15,8 +15,8 @@ let
         enable = true;
         name = "git-runner-${name}"; url = "https://git.pvv.ntnu.no";
         labels = [
-          "debian-latest:docker://node:18-bullseye"
-          "ubuntu-latest:docker://node:18-bullseye"
+          "debian-latest:docker://node:current-bookworm"
+          "ubuntu-latest:docker://node:current-bookworm"
         ];
         tokenFile = config.sops.secrets."gitea/runners/${name}".path;
       };
@@ -27,5 +27,15 @@ lib.mkMerge [
   (mkRunner "alpha")
   (mkRunner "beta")
   (mkRunner "epsilon")
-  { virtualisation.podman.enable = true; }
+  {
+    virtualisation.podman = {
+      enable = true;
+      defaultNetwork.settings.dns_enabled = true;
+      autoPrune.enable = true;
+    };
+
+    networking.dhcpcd.IPv6rs = false;
+
+    networking.firewall.interfaces."podman+".allowedUDPPorts = [53 5353];
+  }
 ]

hosts/wenche/configuration.nix

@@ -0,0 +1,39 @@
+{ config, fp, pkgs, values, lib, ... }:
+{
+  imports = [
+      # Include the results of the hardware scan.
+      ./hardware-configuration.nix
+      (fp /base)
+      (fp /misc/metrics-exporters.nix)
+
+      (fp /misc/builder.nix)
+    ];
+
+  sops.defaultSopsFile = fp /secrets/wenche/wenche.yaml;
+  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+  sops.age.keyFile = "/var/lib/sops-nix/key.txt";
+  sops.age.generateKey = true;
+
+  boot.loader.grub.device = "/dev/sda";
+
+  networking.hostName = "wenche"; # Define your hostname.
+
+  systemd.network.networks."30-ens18" = values.defaultNetworkConfig // {
+    matchConfig.Name = "ens18";
+    address = with values.hosts.wenche; [ (ipv4 + "/25") (ipv6 + "/64") ];
+  };
+
+  hardware.graphics.enable = true;
+  services.xserver.videoDrivers = [ "nvidia" ];
+  hardware.nvidia = {
+    modesetting.enable = true;
+    open = false;
+    package = config.boot.kernelPackages.nvidiaPackages.production;
+  };
+
+  # List packages installed in system profile
+  environment.systemPackages = with pkgs; [
+  ];
+
+  system.stateVersion = "24.11"; # Did you read the comment?
+}

hosts/wenche/hardware-configuration.nix

@@ -0,0 +1,27 @@
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/profiles/qemu-guest.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "nvidia"  ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/4e8ecdd2-d453-4fff-b952-f06da00f3b85";
+      fsType = "ext4";
+    };
+
+  swapDevices = [ {
+    device = "/var/lib/swapfile";
+    size = 16*1024;
+  } ];
+
+  networking.useDHCP = lib.mkDefault false;
+  # networking.interfaces.ens18.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}

justfile

@@ -1,25 +1,56 @@
+set positional-arguments # makes variables accesible as $1 $2 $@
 export GUM_FILTER_HEIGHT := "15"
-nom := `if command -v nom >/dev/null; then echo nom; else echo nix; fi`
+nom := `if [[ -t 1 ]] && command -v nom >/dev/null; then echo nom; else echo nix; fi`
+nix_eval_opts := "--log-format raw --option warn-dirty false"
 
 @_default:
   just "$(gum choose --ordered --header "Pick a recipie..." $(just --summary --unsorted))"
 
-check:
-  nix flake check --keep-going
+check *_:
+  nix flake check --keep-going "$@"
 
-build-machine machine=`just _a_machine`:
-  {{nom}} build .#nixosConfigurations.{{ machine }}.config.system.build.toplevel
+build-machine machine=`just _a_machine` *_:
+  {{nom}} build .#nixosConfigurations.{{ machine }}.config.system.build.toplevel "${@:2}"
 
-run-vm machine=`just _a_machine`:
-  nixos-rebuild build-vm --flake .#{{ machine }}
+run-vm machine=`just _a_machine` *_:
+  nixos-rebuild build-vm --flake .#{{ machine }} "${@:2}"
   QEMU_NET_OPTS="hostfwd=tcp::8080-:80,hostfwd=tcp::8081-:443,hostfwd=tcp::2222-:22" ./result/bin/run-*-vm
 
-@update-inputs:
-  nix eval .#inputs --apply builtins.attrNames --json \
-    | jq '.[]' -r \
-    | gum choose --no-limit --height=15 \
-    | xargs -L 1 nix flake lock --update-input
+@update-inputs *_:
+  @git reset flake.lock
+  @git restore flake.lock
+  nix eval {{nix_eval_opts}} --file flake.nix --apply 'x: builtins.attrNames x.inputs' --json \
+    | { printf "%s\n" --commit-lock-file; jq '.[]' -r | grep -vxF "self" ||:; } \
+    | gum choose --no-limit --header "Choose extra arguments:" \
+    | tee >(xargs -d'\n' echo + nix flake update "$@" >&2) \
+    | xargs -d'\n' nix flake update "$@"
+
+@repl $machine=`just _a_machine` *_:
+  set -v; nixos-rebuild --flake .#"$machine" repl "${@:2}"
+
+@eval $machine=`just _a_machine` $attrpath="system.build.toplevel.outPath" *_:
+  set -v; nix eval {{nix_eval_opts}} ".#nixosConfigurations.\"$machine\".config.$attrpath" --show-trace "${@:3}"
+
+@eval-vm $machine=`just _a_machine` $attrpath="system.build.toplevel.outPath" *_:
+  just eval "$machine" "virtualisation.vmVariant.$attrpath" "${@:3}"
 
 
+# helpers
+
+[no-exit-message]
 _a_machine:
-  nix eval .#nixosConfigurations --apply builtins.attrNames --json | jq .[] -r | gum filter
+  #!/usr/bin/env -S sh -euo pipefail
+  machines="$(
+    nix eval {{nix_eval_opts}} .#nixosConfigurations --apply builtins.attrNames --json | jq .[] -r
+  )"
+  [ -n "$machines" ] || { echo >&2 "ERROR: no machines found"; false; }
+  if [ -s .direnv/vars/last-machine.txt ]; then
+    machines="$(
+      grep <<<"$machines" -xF  "$(cat .direnv/vars/last-machine.txt)" ||:
+      grep <<<"$machines" -xFv "$(cat .direnv/vars/last-machine.txt)" ||:
+    )"
+  fi
+  choice="$(gum filter <<<"$machines")"
+  mkdir -p .direnv/vars
+  cat <<<"$choice" >.direnv/vars/last-machine.txt
+  cat <<<"$choice"

keys/oysteikt.pub

@@ -8,34 +8,58 @@ FgIDAQACHgECF4AACgkQRrkijoFKKqxIlQD9F0EedrFpHAVuaVas9ZWRZb4xv3zM
 N3g0IDxoN3g0QG5hbmkud3RmPoiTBBMWCgA7AhsBBQsJCAcDBRUKCQgLBRYCAwEA
 Ah4BAheAFiEE99N4kCKKkHRA4f1IRrkijoFKKqwFAmL7l8ACGQEACgkQRrkijoFK
 KqxI4wD9EIGpb3Gt5s5e8waH7XaLSlquOrW1RID3sSuzWI4DvikBAMncfBbtkpzH
-EYU2Ufm8VxzgJDnyeB+lcdeSJXWaIwYLtCZoN3g0IChhbHRlcm5hdGl2ZSkgPGg3
-eDQuYWx0QG5hbmkud3RmPoiQBBMWCgA4FiEE99N4kCKKkHRA4f1IRrkijoFKKqwF
-AmL7j0oCGwEFCwkIBwMFFQoJCAsFFgIDAQACHgECF4AACgkQRrkijoFKKqytywD+
-IdHIxbjRcDEJYOqFX1r4wrymTvnjz/kp0zUSrymwMUoBAP8huPK/YpujNF6/cwwB
-3A5WwpWjjV+F/uq2ejqFOocNuDMEYuaGRxYJKwYBBAHaRw8BAQdAsmc0GTQIszpk
-jDYwgSt6zI81P2+k9WvBg6IEISnyuVWI9QQYFgoAJhYhBPfTeJAiipB0QOH9SEa5
-Io6BSiqsBQJi5oZHAhsCBQkDwmcAAIEJEEa5Io6BSiqsdiAEGRYKAB0WIQTzzahs
-xVqfENegaYGfL32CUPNRRgUCYuaGRwAKCRCfL32CUPNRRhWYAQCzfkYeJt9t02jO
-c3SXwk1e1dGj9ydEXSprSr8/2PWu7gD+KD/FJWzPbnMhtudoGfCIzNFaazcz/QqT
-ZeBs6Q+AkQ7ueQD/ZqQMkaCrd8o2L02h89U6bFxy86nyTurGAUVx92F8jUwBAKa7
-Zp/0vR5bR4o57C7NTxB5kbmteF0AXS9R7sxSA/AEuQINBGLmhnoBEADa1yBK0NKx
-VIto3hSh21hooYpWcEXWqMPXHO34rcAhktVFOOHIl2bFGScQAZXtjAcqUmMyC+PM
-s1DZoocFk+9PJt17hAa/s6CRrw8vK+1fVqhj0XOLtevGV9iC6IRvhPxzTsOaeOss
-gMGIU8xDmMKT2nGHGNUkqOXGld63E3NKsK3lnl+BCdpJ0f3GEB7aSQ+pk6k1uzOD
-XX/mhAUJmL1MkVZ6jJA3vhsre0Kfa9p+C5mP4hLJ6jF+oESvA4HC+LuCSGm66gID
-MC39jnLo6hwYEEjfPXD7CUAN4S2eISSFd+ZclN2vYcrKYgsCZS0hBFOgDhKKCHBu
-MwP12AIM8y8L64/eOWFpR7s2StAPjjYbZeZECHLWZt1zGVvkS7Xp6lsAg6/T8Eys
-KG7vTl2Qq9W0BmzNgk2ODTZkhv0gqqXppdr8eRiq+h0qMfJptG0GycOvqb9PoEO2
-dfNCjjII8VfaSGfSEYo8UwsqYTtfgdoNnFCXKd1r7QmvrdbNsFDRmkv+wWJoipwU
-aVquyb2KN652jSlpwMECW6fSEsT/5C3mJLgAmi6l6yosw6HdIY6jgpCGtxnHW2zR
-eIS6ezZdtxYBCkEHK70yASyaIHrLLDknw+DuKvXAWOAecob8GNBHOjXZe3LzBt2r
-VgOCRa+W7milNgjUCsz+R3rM8XfR+wNEGwARAQABiH4EGBYKACYWIQT303iQIoqQ
-dEDh/UhGuSKOgUoqrAUCYuaGegIbDAUJA8JnAAAKCRBGuSKOgUoqrDE0AQDBxRsm
-W9L60mxGCp1CpNWBXD2T6D605PlNiNCcM+cOCgD/c2OitSSG50M0YRbyh1LPYL6Y
-QePL0dQkYsjm6XVmrAK4MwRi5obFFgkrBgEEAdpHDwEBB0BYP2r4I9LGW8ai+fLW
-RKXGonni9TljqFVN5mV/yuxlPoh+BBgWCgAmFiEE99N4kCKKkHRA4f1IRrkijoFK
-KqwFAmLmhsUCGyAFCQPCZwAACgkQRrkijoFKKqzeYwD/emjtDBD0EiCnS2mvfopa
-T6foJSfXbiCe83UdFNebTjQBANFqnkXPCYb9dFIyM/0N1JXH7yj81VuslSqPi4NR
-SNkE
-=oTMO
+EYU2Ufm8VxzgJDnyeB+lcdeSJXWaIwYLiJAEExYKADgWIQT303iQIoqQdEDh/UhG
+uSKOgUoqrAUCYuaF5AIbAQULCQgHAwUVCgkICwUWAgMBAAIeAQIXgAAKCRBGuSKO
+gUoqrKWiAQC1yFpodz5PGsZbFgihEA0UQ5jcoXBojoAlVRgmkwm41gEA782rsvyl
+87ExoluDD3eV/Z5ILp7Ex6JeaE3JUix8Sgi0Jmg3eDQgKGFsdGVybmF0aXZlKSA8
+aDd4NC5hbHRAbmFuaS53dGY+iJAEExYKADgWIQT303iQIoqQdEDh/UhGuSKOgUoq
+rAUCYvuPSgIbAQULCQgHAwUVCgkICwUWAgMBAAIeAQIXgAAKCRBGuSKOgUoqrK3L
+AP4h0cjFuNFwMQlg6oVfWvjCvKZO+ePP+SnTNRKvKbAxSgEA/yG48r9im6M0Xr9z
+DAHcDlbClaONX4X+6rZ6OoU6hw24MwRi5oZHFgkrBgEEAdpHDwEBB0CyZzQZNAiz
+OmSMNjCBK3rMjzU/b6T1a8GDogQhKfK5VYj1BBgWCgAmFiEE99N4kCKKkHRA4f1I
+RrkijoFKKqwFAmLmhkcCGwIFCQPCZwAAgQkQRrkijoFKKqx2IAQZFgoAHRYhBPPN
+qGzFWp8Q16BpgZ8vfYJQ81FGBQJi5oZHAAoJEJ8vfYJQ81FGFZgBALN+Rh4m323T
+aM5zdJfCTV7V0aP3J0RdKmtKvz/Y9a7uAP4oP8UlbM9ucyG252gZ8IjM0VprNzP9
+CpNl4GzpD4CRDu55AP9mpAyRoKt3yjYvTaHz1TpsXHLzqfJO6sYBRXH3YXyNTAEA
+prtmn/S9HltHijnsLs1PEHmRua14XQBdL1HuzFID8ASI9QQYFgoAJgIbAhYhBPfT
+eJAiipB0QOH9SEa5Io6BSiqsBQJmqp4CBQkFpUs7AIF2IAQZFgoAHRYhBPPNqGzF
+Wp8Q16BpgZ8vfYJQ81FGBQJi5oZHAAoJEJ8vfYJQ81FGFZgBALN+Rh4m323TaM5z
+dJfCTV7V0aP3J0RdKmtKvz/Y9a7uAP4oP8UlbM9ucyG252gZ8IjM0VprNzP9CpNl
+4GzpD4CRDgkQRrkijoFKKqwYoQEAz0D3G/dD6DBYBf7p6pGYqXd2X0Dv8nmnalol
+Z6SxfUMA/jT/XjPh7c4Ui8nZO7XDzYWrbV/eZwGMd1zXq2mU42MLiPUEGBYKACYC
+GwIWIQT303iQIoqQdEDh/UhGuSKOgUoqrAUCaI6lzgUJCWqGhwCBdiAEGRYKAB0W
+IQTzzahsxVqfENegaYGfL32CUPNRRgUCYuaGRwAKCRCfL32CUPNRRhWYAQCzfkYe
+Jt9t02jOc3SXwk1e1dGj9ydEXSprSr8/2PWu7gD+KD/FJWzPbnMhtudoGfCIzNFa
+azcz/QqTZeBs6Q+AkQ4JEEa5Io6BSiqsCG0BALDNFlploZWjQ0Xn3B9fd+1sTUmY
++e0s95lEY7XqVkF2AQCkKzMd2mHsymyVtY32bSsZ0iJxHTmxomS0uQ/TGIugB7kC
+DQRi5oZ6ARAA2tcgStDSsVSLaN4UodtYaKGKVnBF1qjD1xzt+K3AIZLVRTjhyJdm
+xRknEAGV7YwHKlJjMgvjzLNQ2aKHBZPvTybde4QGv7Ogka8PLyvtX1aoY9Fzi7Xr
+xlfYguiEb4T8c07DmnjrLIDBiFPMQ5jCk9pxhxjVJKjlxpXetxNzSrCt5Z5fgQna
+SdH9xhAe2kkPqZOpNbszg11/5oQFCZi9TJFWeoyQN74bK3tCn2vafguZj+ISyeox
+fqBErwOBwvi7gkhpuuoCAzAt/Y5y6OocGBBI3z1w+wlADeEtniEkhXfmXJTdr2HK
+ymILAmUtIQRToA4SighwbjMD9dgCDPMvC+uP3jlhaUe7NkrQD442G2XmRAhy1mbd
+cxlb5Eu16epbAIOv0/BMrChu705dkKvVtAZszYJNjg02ZIb9IKql6aXa/HkYqvod
+KjHyabRtBsnDr6m/T6BDtnXzQo4yCPFX2khn0hGKPFMLKmE7X4HaDZxQlynda+0J
+r63WzbBQ0ZpL/sFiaIqcFGlarsm9ijeudo0pacDBAlun0hLE/+Qt5iS4AJoupesq
+LMOh3SGOo4KQhrcZx1ts0XiEuns2XbcWAQpBByu9MgEsmiB6yyw5J8Pg7ir1wFjg
+HnKG/BjQRzo12Xty8wbdq1YDgkWvlu5opTYI1ArM/kd6zPF30fsDRBsAEQEAAYh+
+BBgWCgAmFiEE99N4kCKKkHRA4f1IRrkijoFKKqwFAmLmhnoCGwwFCQPCZwAACgkQ
+RrkijoFKKqwxNAEAwcUbJlvS+tJsRgqdQqTVgVw9k+g+tOT5TYjQnDPnDgoA/3Nj
+orUkhudDNGEW8odSz2C+mEHjy9HUJGLI5ul1ZqwCiH4EGBYKACYCGwwWIQT303iQ
+IoqQdEDh/UhGuSKOgUoqrAUCZqqeBQUJBaVLCAAKCRBGuSKOgUoqrMnbAP4oQbpa
+Uki4OAfaSbH36qYTIbe8k9w58+e4nsVBII94wQEA3nSPoMKWZTI1eiHR/xKc9uOI
+/Nk2tOHKpEjs9mOtywaIfgQYFgoAJgIbDBYhBPfTeJAiipB0QOH9SEa5Io6BSiqs
+BQJojqXOBQkJaoZUAAoJEEa5Io6BSiqsiXkBAJ0JTRmdQQpEK9KSh8V7FEkblIsm
+Ngko2cs+OhNSUgW9AQD0a7FHM3Dx32a7yD0zE3QwWi5VgeZZVIPyhItrOaANDbgz
+BGLmhsUWCSsGAQQB2kcPAQEHQFg/avgj0sZbxqL58tZEpcaieeL1OWOoVU3mZX/K
+7GU+iH4EGBYKACYWIQT303iQIoqQdEDh/UhGuSKOgUoqrAUCYuaGxQIbIAUJA8Jn
+AAAKCRBGuSKOgUoqrN5jAP96aO0MEPQSIKdLaa9+ilpPp+glJ9duIJ7zdR0U15tO
+NAEA0WqeRc8Jhv10UjIz/Q3UlcfvKPzVW6yVKo+Lg1FI2QSIfgQYFgoAJgIbIBYh
+BPfTeJAiipB0QOH9SEa5Io6BSiqsBQJmqp4GBQkFpUq9AAoJEEa5Io6BSiqsjF0B
+AJn0EBEJfszskYiZzMshFHW5k0QUF+Ak3JNh2UG+M6FJAQCQVY/lDkrvOytuFnKb
+kDrCaTrtLh/JAmBXpSERIejmD4h+BBgWCgAmAhsgFiEE99N4kCKKkHRA4f1IRrki
+joFKKqwFAmiOpc4FCQlqhgkACgkQRrkijoFKKqwSMAD/bbO/uwwdFEJVgcNRexZU
+6aoSxAGI1vjS92hSyfxZ9AABAK8KYO8sBGGCiVu+vWUpoUYmp3lfYTJHtf+36WMc
+D5MD
+=Gubf
 -----END PGP PUBLIC KEY BLOCK-----

misc/builder.nix

@@ -2,4 +2,10 @@
 
 {
   nix.settings.trusted-users = [ "@nix-builder-users" ];
+  nix.daemonCPUSchedPolicy = "batch";
+
+  boot.binfmt.emulatedSystems = [
+    "aarch64-linux"
+    "armv7l-linux"
+  ];
 }

modules/gickup/default.nix

@@ -0,0 +1,310 @@
+{ config, pkgs, lib, utils, ... }:
+let
+  cfg = config.services.gickup;
+  format = pkgs.formats.yaml { };
+in
+{
+  imports = [
+    ./set-description.nix
+    ./hardlink-files.nix
+    ./import-from-toml.nix
+    ./update-linktree.nix
+  ];
+
+  options.services.gickup = {
+    enable = lib.mkEnableOption "gickup, a git repository mirroring service";
+
+    package = lib.mkPackageOption pkgs "gickup" { };
+    gitPackage = lib.mkPackageOption pkgs "git" { };
+    gitLfsPackage = lib.mkPackageOption pkgs "git-lfs" { };
+
+    dataDir = lib.mkOption {
+      type = lib.types.path;
+      description = "The directory to mirror repositories to.";
+      default = "/var/lib/gickup";
+      example = "/data/gickup";
+    };
+
+    destinationSettings = lib.mkOption {
+      description = ''
+        Settings for destination local, see gickup configuration file
+
+        Note that `path` will be set automatically to `/var/lib/gickup`
+      '';
+      type = lib.types.submodule {
+        freeformType = format.type;
+      };
+      default = { };
+      example = {
+        structured = true;
+        zip = false;
+        keep = 10;
+        bare = true;
+        lfs = true;
+      };
+    };
+
+    instances = lib.mkOption {
+      type = lib.types.attrsOf (lib.types.submodule (submoduleInputs@{ name, ... }: let
+        submoduleName = name;
+
+        nameParts = rec {
+          repoType = builtins.head (lib.splitString ":" submoduleName);
+
+          owner = if repoType == "any"
+                  then null
+                  else lib.pipe submoduleName [
+                    (lib.removePrefix "${repoType}:")
+                    (lib.splitString "/")
+                    builtins.head
+                  ];
+
+          repo = if repoType == "any"
+                 then null
+                 else lib.pipe submoduleName [
+                    (lib.removePrefix "${repoType}:")
+                    (lib.splitString "/")
+                    lib.last
+                  ];
+
+          slug = if repoType == "any"
+                 then lib.toLower (builtins.replaceStrings [ ":" "/" ] [ "-" "-" ] submoduleName)
+                 else "${lib.toLower repoType}-${lib.toLower owner}-${lib.toLower repo}";
+        };
+      in {
+        options = {
+          interval = lib.mkOption {
+            type = lib.types.str;
+            default = "daily";
+            example = "weekly";
+            description = ''
+              Specification (in the format described by {manpage}`systemd.time(7)`) of the time
+              interval at which to run the service.
+            '';
+          };
+
+          type = lib.mkOption {
+            type = lib.types.enum [
+              "github"
+              "gitlab"
+              "gitea"
+              "gogs"
+              "bitbucket"
+              "onedev"
+              "sourcehut"
+              "any"
+            ];
+            example = "github";
+            default = nameParts.repoType;
+            description = ''
+              The type of the repository to mirror.
+            '';
+          };
+
+          owner = lib.mkOption {
+            type = with lib.types; nullOr str;
+            example = "go-gitea";
+            default = nameParts.owner;
+            description = ''
+              The owner of the repository to mirror (if applicable)
+            '';
+          };
+
+          repo = lib.mkOption {
+            type = with lib.types; nullOr str;
+            example = "gitea";
+            default = nameParts.repo;
+            description = ''
+              The name of the repository to mirror (if applicable)
+            '';
+          };
+
+          slug = lib.mkOption {
+            type = lib.types.str;
+            default = nameParts.slug;
+            example = "github-go-gitea-gitea";
+            description = ''
+              The slug of the repository to mirror.
+            '';
+          };
+
+          description = lib.mkOption {
+            type = with lib.types; nullOr str;
+            example = "A project which does this and that";
+            description = ''
+              A description of the project. This isn't used directly by gickup for anything,
+              but can be useful if gickup is used together with cgit or similar.
+            '';
+          };
+
+          settings = lib.mkOption {
+            description = "Instance specific settings, see gickup configuration file";
+            type = lib.types.submodule {
+              freeformType = format.type;
+            };
+            default = { };
+            example = {
+              username = "gickup";
+              password = "hunter2";
+              wiki = true;
+              issues = true;
+            };
+          };
+        };
+      }));
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    users.users.gickup = {
+      isSystemUser = true;
+      group = "gickup";
+      home = "/var/lib/gickup";
+    };
+
+    users.groups.gickup = { };
+
+    services.gickup.destinationSettings.path = "/var/lib/gickup/raw";
+
+    systemd.tmpfiles.settings."10-gickup" = lib.mkIf (cfg.dataDir != "/var/lib/gickup") {
+      ${cfg.dataDir}.d = {
+        user = "gickup";
+        group = "gickup";
+        mode = "0755";
+      };
+    };
+
+    systemd.slices."system-gickup" = {
+      description = "Gickup git repository mirroring service";
+      after = [ "network.target" ];
+    };
+
+    systemd.targets.gickup = {
+      description = "Gickup git repository mirroring service";
+      wants = map ({ slug, ... }: "gickup@${slug}.service") (lib.attrValues cfg.instances);
+    };
+
+    systemd.timers = {
+      "gickup@" = {
+        description = "Gickup git repository mirroring service for %i";
+
+        timerConfig = {
+          OnCalendar = "daily";
+          RandomizedDelaySec = "1h";
+          Persistent = true;
+          AccuracySec = "1s";
+        };
+      };
+    }
+    //
+    # Overrides for mirrors which are not "daily"
+    (lib.pipe cfg.instances [
+      builtins.attrValues
+      (builtins.filter (instance: instance.interval != "daily"))
+      (map ({ slug, interval, ... }: {
+        name = "gickup@${slug}";
+        value = {
+          overrideStrategy = "asDropin";
+          timerConfig.OnCalendar = interval;
+        };
+      }))
+      builtins.listToAttrs
+    ]);
+
+    systemd.targets.timers.wants = map ({ slug, ... }: "gickup@${slug}.timer") (lib.attrValues cfg.instances);
+
+    systemd.services = {
+      "gickup@" = let
+        configDir = lib.pipe cfg.instances [
+          (lib.mapAttrsToList (name: instance: {
+            name = "${instance.slug}.yml";
+            path = format.generate "gickup-configuration-${name}.yml" {
+              destination.local = [ cfg.destinationSettings ];
+              source.${instance.type} = [
+                (
+                  (lib.optionalAttrs (instance.type != "any") {
+                    user = instance.owner;
+                    includeorgs = [ instance.owner ];
+                    include = [ instance.repo ];
+                  })
+                  //
+                  instance.settings
+                )
+              ];
+            };
+          }))
+          (pkgs.linkFarm "gickup-configuration-files")
+        ];
+      in {
+        description = "Gickup git repository mirroring service for %i";
+        after = [ "network.target" ];
+
+        path = [
+          cfg.gitPackage
+          cfg.gitLfsPackage
+        ];
+
+        restartIfChanged = false;
+
+        serviceConfig = {
+          Type = "oneshot";
+          ExecStart = "'${pkgs.gickup}/bin/gickup' '${configDir}/%i.yml'";
+          ExecStartPost = "";
+
+          User = "gickup";
+          Group = "gickup";
+
+          BindPaths = lib.optionals (cfg.dataDir != "/var/lib/gickup") [
+            "${cfg.dataDir}:/var/lib/gickup"
+          ];
+
+          Slice = "system-gickup.slice";
+
+          SyslogIdentifier = "gickup-%i";
+          StateDirectory = "gickup";
+          # WorkingDirectory = "gickup";
+          # RuntimeDirectory = "gickup";
+          # RuntimeDirectoryMode = "0700";
+
+          # https://discourse.nixos.org/t/how-to-prevent-custom-systemd-service-from-restarting-on-nixos-rebuild-switch/43431
+          RemainAfterExit = true;
+
+          # Hardening options
+          AmbientCapabilities = [];
+          LockPersonality = true;
+          NoNewPrivileges = true;
+          PrivateDevices = true;
+          PrivateMounts = true;
+          PrivateTmp = true;
+          PrivateUsers = true;
+          ProcSubset = "pid";
+          ProtectClock = true;
+          ProtectControlGroups = true;
+          ProtectHome = true;
+          ProtectHostname = true;
+          ProtectKernelLogs = true;
+          ProtectKernelModules = true;
+          ProtectKernelTunables = true;
+          # ProtectProc = "invisible";
+          # ProtectSystem = "strict";
+          RemoveIPC = true;
+          RestrictAddressFamilies = [
+            "AF_INET"
+            "AF_INET6"
+          ];
+          RestrictNamespaces = true;
+          RestrictRealtime = true;
+          RestrictSUIDSGID = true;
+          SystemCallArchitectures = "native";
+          # SystemCallFilter = [
+          #   "@system-service"
+          #   "~@resources"
+          #   "~@privileged"
+          # ];
+          UMask = "0002";
+          CapabilityBoundingSet = [];
+        };
+      };
+    };
+  };
+}

modules/gickup/hardlink-files.nix

@@ -0,0 +1,42 @@
+{ config, lib, pkgs, ... }:
+let
+  cfg = config.services.gickup;
+in
+{
+  config = lib.mkIf cfg.enable {
+    # TODO: add a service that will look at the backed up files and hardlink
+    #       the ones that have a matching hash together to save space. This can
+    #       either run routinely (i.e. trigger by systemd-timer), or be activated
+    #       whenever a gickup@<slug>.service finishes. The latter is probably better.
+
+    # systemd.services."gickup-hardlink" = {
+    #   serviceConfig = {
+    #     Type = "oneshot";
+    #     ExecStart = let
+    #       script = pkgs.writeShellApplication {
+    #         name = "gickup-hardlink-files.sh";
+    #         runtimeInputs = [ pkgs.coreutils pkgs.jdupes ];
+    #         text = ''
+
+    #         '';
+    #       };
+    #     in lib.getExe script;
+
+    #     User = "gickup";
+    #     Group = "gickup";
+
+    #     BindPaths = lib.optionals (cfg.dataDir != "/var/lib/gickup") [
+    #       "${cfg.dataDir}:/var/lib/gickup"
+    #     ];
+
+    #     Slice = "system-gickup.slice";
+
+    #     StateDirectory = "gickup";
+
+    #     # Hardening options
+    #     # TODO:
+    #     PrivateNetwork = true;
+    #   };
+    # };
+  };
+}

modules/gickup/import-from-toml.nix

@@ -0,0 +1,11 @@
+{ config, lib, pkgs, ... }:
+
+let
+  cfg = config.services.gickup;
+in
+{
+  config = lib.mkIf cfg.enable {
+    # TODO: import cfg.instances from a toml file to make it easier for non-nix users
+    #       to add repositories to mirror
+  };
+}

modules/gickup/set-description.nix

@@ -0,0 +1,9 @@
+{ config, lib, pkgs, ... }:
+let
+  cfg = config.services.gickup;
+in
+{
+  config = lib.mkIf cfg.enable {
+    # TODO: create .git/description files for each repo where cfg.instances.<instance>.description is set
+  };
+}

modules/gickup/update-linktree.nix

@@ -0,0 +1,84 @@
+{ config, lib, pkgs, ... }:
+let
+  cfg = config.services.gickup;
+in
+{
+  config = lib.mkIf cfg.enable {
+    # TODO: run upon completion of cloning a repository
+    systemd.timers."gickup-linktree" = {
+      wantedBy = [ "timers.target" ];
+      timerConfig = {
+        OnCalendar = "daily";
+        Persistent = true;
+        Unit = "gickup-linktree.service";
+      };
+    };
+
+    # TODO: update symlink for one repo at a time (e.g. gickup-linktree@<instance>.service)
+    systemd.services."gickup-linktree" = {
+      serviceConfig = {
+        Type = "oneshot";
+        ExecStart = let
+          script = pkgs.writeShellApplication {
+            name = "gickup-update-symlink-tree.sh";
+            runtimeInputs = [
+              pkgs.coreutils
+              pkgs.findutils
+            ];
+            text = ''
+              shopt -s nullglob
+
+              for repository in ./*/*/*; do
+                REPOSITORY_RELATIVE_DIRS=''${repository#"./"}
+
+                echo "Checking $REPOSITORY_RELATIVE_DIRS"
+
+                declare -a REVISIONS
+                readarray -t REVISIONS < <(find "$repository" -mindepth 1 -maxdepth 1 -printf "%f\n" | sort --numeric-sort --reverse)
+
+                if [[ "''${#REVISIONS[@]}" == 0 ]]; then
+                  echo "Found no revisions for $repository, continuing"
+                  continue
+                fi
+
+                LAST_REVISION="''${REVISIONS[0]}"
+                SYMLINK_PATH="../linktree/''${REPOSITORY_RELATIVE_DIRS}"
+
+                mkdir -p "$(dirname "$SYMLINK_PATH")"
+
+                EXPECTED_SYMLINK_TARGET=$(realpath "''${repository}/''${LAST_REVISION}")
+                EXISTING_SYMLINK_TARGET=$(realpath "$SYMLINK_PATH" || echo "<none>")
+
+                if [[ "$EXISTING_SYMLINK_TARGET" != "$EXPECTED_SYMLINK_TARGET" ]]; then
+                  echo "Updating symlink for $REPOSITORY_RELATIVE_DIRS"
+                  rm "$SYMLINK_PATH" ||:
+                  ln -rs "$EXPECTED_SYMLINK_TARGET" "$SYMLINK_PATH"
+                else
+                  echo "Symlink already up to date, continuing..."
+                fi
+
+                echo "---"
+              done
+            '';
+          };
+        in lib.getExe script;
+
+        User = "gickup";
+        Group = "gickup";
+
+        BindPaths = lib.optionals (cfg.dataDir != "/var/lib/gickup") [
+          "${cfg.dataDir}:/var/lib/gickup"
+        ];
+
+        Slice = "system-gickup.slice";
+
+        StateDirectory = "gickup";
+        WorkingDirectory = "/var/lib/gickup/raw";
+
+        # Hardening options
+        # TODO:
+        PrivateNetwork = true;
+      };
+    };
+  };
+}

modules/grzegorz.nix

@@ -1,7 +1,9 @@
-{config, lib, pkgs, ...}:
+{config, lib, pkgs, unstablePkgs, values, ...}:
 let
   grg = config.services.greg-ng;
   grgw = config.services.grzegorz-webui;
+
+  machine = config.networking.hostName;
 in {
   services.greg-ng = {
     enable = true;
@@ -9,6 +11,13 @@ in {
     settings.port = 31337;
     enableSway = true;
     enablePipewire = true;
+
+    mpvPackage = unstablePkgs.mpv;
+  };
+
+  systemd.user.services.restart-greg-ng = {
+    script = "systemctl --user restart greg-ng.service";
+    startAt = "*-*-* 06:30:00";
   };
 
   services.grzegorz-webui = {
@@ -16,37 +25,98 @@ in {
     listenAddr = "localhost";
     listenPort = 42069;
     listenWebsocketPort = 42042;
-    hostName = "${config.networking.fqdn}";
-    apiBase = "http://${grg.settings.host}:${toString grg.settings.port}/api";
+    hostName = "${machine}-old.pvv.ntnu.no";
+    apiBase = "https://${machine}-backend.pvv.ntnu.no/api";
+  };
+
+  services.gergle = {
+    enable = true;
+    virtualHost = config.networking.fqdn;
   };
 
   services.nginx.enable = true;
-  services.nginx.virtualHosts."${config.networking.fqdn}" = {
-    forceSSL = true;
-    enableACME = true;
-    kTLS = true;
-    serverAliases = [
-      "${config.networking.hostName}.pvv.org"
-    ];
-    extraConfig = ''
-      allow 129.241.210.128/25;
-      allow 2001:700:300:1900::/64;
-      deny all;
-    '';
+  services.nginx.virtualHosts = {
+    ${config.networking.fqdn} = {
+      forceSSL = true;
+      enableACME = true;
+      kTLS = true;
+      serverAliases = [
+        "${machine}.pvv.org"
+      ];
+      extraConfig = ''
+        # pvv
+        allow ${values.ipv4-space}
+        allow ${values.ipv6-space}
+        # ntnu
+        allow ${values.ntnu.ipv4-space}
+        allow ${values.ntnu.ipv6-space}
+        deny all;
+      '';
 
-    locations."/" = {
-      proxyPass = "http://${grgw.listenAddr}:${toString grgw.listenPort}";
+      locations."/docs" = {
+        proxyPass = "http://${grg.settings.host}:${toString grg.settings.port}";
+      };
+
+      locations."/api" = {
+        proxyPass = "http://${grg.settings.host}:${toString grg.settings.port}";
+        proxyWebsockets = true;
+      };
     };
-    # https://github.com/rawpython/remi/issues/216
-    locations."/websocket" = {
-      proxyPass = "http://${grgw.listenAddr}:${toString grgw.listenWebsocketPort}";
-      proxyWebsockets = true;
+
+    "${machine}-backend.pvv.ntnu.no" = {
+      forceSSL = true;
+      enableACME = true;
+      kTLS = true;
+      serverAliases = [
+        "${machine}-backend.pvv.org"
+      ];
+      extraConfig = ''
+        # pvv
+        allow ${values.ipv4-space}
+        allow ${values.ipv6-space}
+        # ntnu
+        allow ${values.ntnu.ipv4-space}
+        allow ${values.ntnu.ipv6-space}
+        deny all;
+      '';
+
+      locations."/" = {
+        proxyPass = "http://${grg.settings.host}:${toString grg.settings.port}";
+        proxyWebsockets = true;
+      };
     };
-    locations."/api" = {
-      proxyPass = "http://${grg.settings.host}:${toString grg.settings.port}";
-    };
-    locations."/docs" = {
-      proxyPass = "http://${grg.settings.host}:${toString grg.settings.port}";
+
+    "${machine}-old.pvv.ntnu.no" = {
+      forceSSL = true;
+      enableACME = true;
+      kTLS = true;
+      serverAliases = [
+        "${machine}-old.pvv.org"
+      ];
+      extraConfig = ''
+        # pvv
+        allow ${values.ipv4-space}
+        allow ${values.ipv6-space}
+        # ntnu
+        allow ${values.ntnu.ipv4-space}
+        allow ${values.ntnu.ipv6-space}
+        deny all;
+      '';
+
+      locations."/" = {
+        proxyPass = "http://${grgw.listenAddr}:${toString grgw.listenPort}";
+      };
+      # https://github.com/rawpython/remi/issues/216
+      locations."/websocket" = {
+        proxyPass = "http://${grgw.listenAddr}:${toString grgw.listenWebsocketPort}";
+        proxyWebsockets = true;
+      };
+      locations."/api" = {
+        proxyPass = "http://${grg.settings.host}:${toString grg.settings.port}";
+      };
+      locations."/docs" = {
+        proxyPass = "http://${grg.settings.host}:${toString grg.settings.port}";
+      };
     };
   };
 }

modules/matrix-ooye.nix

@@ -0,0 +1,211 @@
+# Original from: https://cgit.rory.gay/nix/OOYE-module.git/
+
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+let
+  cfg = config.services.matrix-ooye;
+  mkStringOption =
+    name: default:
+    lib.mkOption {
+      type = lib.types.str;
+      default = default;
+    };
+in
+{
+  options = {
+    services.matrix-ooye = {
+      enable = lib.mkEnableOption "Enable OOYE service";
+      package = lib.mkOption {
+        type = lib.types.package;
+        default = pkgs.out-of-your-element;
+      };
+      appserviceId = mkStringOption "The ID of the appservice." "ooye";
+      homeserver = mkStringOption "The homeserver to connect to." "http://localhost:8006";
+      homeserverName = mkStringOption "The name of the homeserver to connect to." "localhost";
+      namespace = mkStringOption "The prefix to use for the MXIDs/aliases of bridged users/rooms. Should end with a _!" "_ooye_";
+      discordTokenPath = mkStringOption "The path to the discord token file." "/etc/ooye-discord-token";
+      discordClientSecretPath = mkStringOption "The path to the discord token file." "/etc/ooye-discord-client-secret";
+      socket = mkStringOption "The socket to listen on, can either be a port number or a unix socket path." "6693";
+      bridgeOrigin = mkStringOption "The web frontend URL for the bridge, defaults to http://localhost:{socket}" "";
+
+      enableSynapseIntegration = lib.mkEnableOption "Enable Synapse integration";
+    };
+  };
+  config = lib.mkIf cfg.enable (
+    let
+      baseConfig = pkgs.writeText "matrix-ooye-config.json" (
+        builtins.toJSON {
+          id = cfg.appserviceId;
+          namespaces = {
+            users = [
+              {
+                exclusive = true;
+                regex = "@${cfg.namespace}.*:${cfg.homeserverName}";
+              }
+            ];
+            aliases = [
+              {
+                exclusive = true;
+                regex = "#${cfg.namespace}.*:${cfg.homeserverName}";
+              }
+            ];
+          };
+          protocols = [ "discord" ];
+          sender_localpart = "${cfg.namespace}bot";
+          rate_limited = false;
+          socket = cfg.socket; # Can either be a TCP port or a unix socket path
+          url = if (lib.hasPrefix "/" cfg.socket) then "unix:${cfg.socket}" else "http://localhost:${cfg.socket}";
+          ooye = {
+            server_name = cfg.homeserverName;
+            namespace_prefix = cfg.namespace;
+            max_file_size = 5000000;
+            content_length_workaround = false;
+            include_user_id_in_mxid = true;
+            server_origin = cfg.homeserver;
+            bridge_origin = if (cfg.bridgeOrigin == "") then "http://localhost:${cfg.socket}" else cfg.bridgeOrigin;
+          };
+        }
+      );
+
+      script = pkgs.writeScript "matrix-ooye-pre-start.sh" ''
+        #!${lib.getExe pkgs.bash}
+        REGISTRATION_FILE=registration.yaml
+
+        id
+        echo "Before if statement"
+        stat ''${REGISTRATION_FILE}
+
+        if [[ ! -f ''${REGISTRATION_FILE} ]]; then
+          echo "No registration file found at '$REGISTRATION_FILE'"
+          cp --no-preserve=mode,ownership ${baseConfig} ''${REGISTRATION_FILE}
+        fi
+
+        echo "After if statement"
+        stat ''${REGISTRATION_FILE}
+
+        AS_TOKEN=$(${lib.getExe pkgs.jq} -r .as_token ''${REGISTRATION_FILE})
+        HS_TOKEN=$(${lib.getExe pkgs.jq} -r .hs_token ''${REGISTRATION_FILE})
+        DISCORD_TOKEN=$(cat /run/credentials/matrix-ooye-pre-start.service/discord_token)
+        DISCORD_CLIENT_SECRET=$(cat /run/credentials/matrix-ooye-pre-start.service/discord_client_secret)
+
+        # Check if we have all required tokens
+        if [[ -z "$AS_TOKEN" || "$AS_TOKEN" == "null" ]]; then
+          AS_TOKEN=$(${lib.getExe pkgs.openssl} rand -hex 64)
+          echo "Generated new AS token: ''${AS_TOKEN}"
+        fi
+
+        if [[ -z "$HS_TOKEN" || "$HS_TOKEN" == "null" ]]; then
+          HS_TOKEN=$(${lib.getExe pkgs.openssl} rand -hex 64)
+          echo "Generated new HS token: ''${HS_TOKEN}"
+        fi
+
+        if [[ -z "$DISCORD_TOKEN" ]]; then
+          echo "No Discord token found at '${cfg.discordTokenPath}'"
+          echo "You can find this on the 'Bot' tab of your Discord application."
+          exit 1
+        fi
+
+        if [[ -z "$DISCORD_CLIENT_SECRET" ]]; then
+          echo "No Discord client secret found at '${cfg.discordTokenPath}'"
+          echo "You can find this on the 'OAuth2' tab of your Discord application."
+          exit 1
+        fi
+
+        shred -u ''${REGISTRATION_FILE}
+        cp --no-preserve=mode,ownership ${baseConfig} ''${REGISTRATION_FILE}
+
+        ${lib.getExe pkgs.jq} '.as_token = "'$AS_TOKEN'" | .hs_token = "'$HS_TOKEN'" | .ooye.discord_token = "'$DISCORD_TOKEN'" | .ooye.discord_client_secret = "'$DISCORD_CLIENT_SECRET'"' ''${REGISTRATION_FILE} > ''${REGISTRATION_FILE}.tmp
+
+        shred -u ''${REGISTRATION_FILE}
+        mv ''${REGISTRATION_FILE}.tmp ''${REGISTRATION_FILE}
+      '';
+
+    in
+    {
+      warnings =
+        lib.optionals ((builtins.substring (lib.stringLength cfg.namespace - 1) 1 cfg.namespace) != "_") [
+          "OOYE namespace does not end with an underscore! This is recommended to have better ID formatting. Provided: '${cfg.namespace}'"
+        ]
+        ++ lib.optionals ((builtins.substring 0 1 cfg.namespace) != "_") [
+          "OOYE namespace does not start with an underscore! This is recommended to avoid conflicts with registered users. Provided: '${cfg.namespace}'"
+        ];
+
+      environment.systemPackages = [ cfg.package ];
+
+      systemd.services."matrix-ooye-pre-start" = {
+        enable = true;
+        wantedBy = [ "multi-user.target" ];
+        serviceConfig = {
+          ExecStart = script;
+          WorkingDirectory = "/var/lib/matrix-ooye";
+          StateDirectory = "matrix-ooye";
+          DynamicUser = true;
+          RemainAfterExit = true;
+          Type = "oneshot";
+
+          LoadCredential = [
+            "discord_token:${cfg.discordTokenPath}"
+            "discord_client_secret:${cfg.discordClientSecretPath}"
+          ];
+        };
+      };
+
+      systemd.services."matrix-ooye" = {
+        enable = true;
+        description = "Out of Your Element - a Discord bridge for Matrix.";
+
+        wants = [
+          "network-online.target"
+          "matrix-synapse.service"
+          "conduit.service"
+          "dendrite.service"
+        ];
+        after = [
+          "matrix-ooye-pre-start.service"
+          "network-online.target"
+        ];
+        requires = [ "matrix-ooye-pre-start.service" ];
+        wantedBy = [ "multi-user.target" ];
+
+        serviceConfig = {
+          ExecStart = lib.getExe config.services.matrix-ooye.package;
+          WorkingDirectory = "/var/lib/matrix-ooye";
+          StateDirectory = "matrix-ooye";
+          #ProtectSystem = "strict";
+          #ProtectHome = true;
+          #PrivateTmp = true;
+          #NoNewPrivileges = true;
+          #PrivateDevices = true;
+          Restart = "on-failure";
+          DynamicUser = true;
+        };
+      };
+
+      systemd.services."matrix-synapse" = lib.mkIf cfg.enableSynapseIntegration {
+
+        after = [
+          "matrix-ooye-pre-start.service"
+          "network-online.target"
+        ];
+        requires = [ "matrix-ooye-pre-start.service" ];
+        serviceConfig = {
+          LoadCredential = [
+            "matrix-ooye-registration:/var/lib/matrix-ooye/registration.yaml"
+          ];
+          ExecStartPre = [
+            "+${pkgs.coreutils}/bin/cp /run/credentials/matrix-synapse.service/matrix-ooye-registration ${config.services.matrix-synapse.dataDir}/ooye-registration.yaml"
+            "+${pkgs.coreutils}/bin/chown matrix-synapse:matrix-synapse ${config.services.matrix-synapse.dataDir}/ooye-registration.yaml"
+          ];
+        };
+      };
+
+      services.matrix-synapse.settings.app_service_config_files = lib.mkIf cfg.enableSynapseIntegration [
+        "${config.services.matrix-synapse.dataDir}/ooye-registration.yaml"
+      ];
+    }
+  );
+}

modules/robots-txt.nix

@@ -0,0 +1,116 @@
+{ config, pkgs, lib, ... }:
+let
+  cfg = config.environment.robots-txt;
+
+  robots-txt-format = {
+    type = let
+      coercedStrToNonEmptyListOfStr = lib.types.coercedTo lib.types.str lib.singleton (lib.types.nonEmptyListOf lib.types.str);
+    in lib.types.listOf (lib.types.submodule {
+      freeformType = lib.types.attrsOf coercedStrToNonEmptyListOfStr;
+      options = {
+        pre_comment = lib.mkOption {
+          description = "Comment to add before the rule";
+          type = lib.types.lines;
+          default = "";
+        };
+        post_comment = lib.mkOption {
+          description = "Comment to add after the rule";
+          type = lib.types.lines;
+          default = "";
+        };
+      };
+    });
+
+    generate = name: value: let
+      makeComment = comment: lib.pipe comment [
+        (lib.splitString "\n")
+        (lib.map (line: if line == "" then "#" else "# ${line}"))
+        (lib.concatStringsSep "\n")
+      ];
+
+      ruleToString = rule: let
+        user_agent = rule.User-agent or [];
+        pre_comment = rule.pre_comment;
+        post_comment = rule.post_comment;
+        rest = builtins.removeAttrs rule [ "User-agent" "pre_comment" "post_comment" ];
+      in lib.concatStringsSep "\n" (lib.filter (x: x != null) [
+        (if (pre_comment != "") then makeComment pre_comment else null)
+        (let
+          user-agents = lib.concatMapStringsSep "\n" (value: "User-agent: ${value}") user_agent;
+        in
+          if user_agent == [] then null else user-agents
+        )
+        (lib.pipe rest [
+          (lib.mapAttrsToList (ruleName: map (value: "${ruleName}: ${value}")))
+          lib.concatLists
+          (lib.concatStringsSep "\n")
+        ])
+        (if (post_comment != "") then makeComment post_comment else null)
+      ]);
+
+      content = lib.concatMapStringsSep "\n\n" ruleToString value;
+    in pkgs.writeText name content;
+  };
+in
+{
+  options.environment.robots-txt = lib.mkOption {
+    default = { };
+    description = ''
+      Different instances of robots.txt to use with web services.
+    '';
+    type = lib.types.attrsOf (lib.types.submodule ({ name, ... }: {
+      options = {
+        enable = lib.mkEnableOption "this instance of robots.txt" // {
+          default = true;
+        };
+
+        path = lib.mkOption {
+          description = "The resulting path of the dir containing the robots.txt file";
+          type = lib.types.path;
+          readOnly = true;
+          default = "/etc/robots-txt/${name}";
+        };
+
+        rules = lib.mkOption {
+          description = "Rules to include in robots.txt";
+          default = [ ];
+          example = [
+            { User-agent = "Googlebot"; Disallow = "/no-googlebot"; }
+            { User-agent = "Bingbot"; Disallow = [ "/no-bingbot" "/no-bingbot2" ]; }
+          ];
+          type = robots-txt-format.type;
+        };
+
+        virtualHost = lib.mkOption {
+          description = "An nginx virtual host to add the robots.txt to";
+          type = lib.types.nullOr lib.types.str;
+          default = null;
+        };
+      };
+    }));
+  };
+
+  config = {
+    environment.etc = lib.mapAttrs' (name: value: {
+      name = "robots-txt/${name}/robots.txt";
+      value.source = robots-txt-format.generate name value.rules;
+    }) cfg;
+
+    services.nginx.virtualHosts = lib.pipe cfg [
+      (lib.filterAttrs (_: value: value.virtualHost != null))
+      (lib.mapAttrs' (name: value: {
+        name = value.virtualHost;
+        value = {
+          locations = {
+            "= /robots.txt" = {
+              extraConfig = ''
+                add_header Content-Type text/plain;
+              '';
+              root = cfg.${name}.path;
+            };
+          };
+        };
+      }))
+    ];
+  };
+}

packages/cgit.nix

@@ -0,0 +1,21 @@
+{ cgit, fetchurl, ... }:
+let
+  pname = cgit.pname;
+  commit = "09d24d7cd0b7e85633f2f43808b12871bb209d69";
+in
+cgit.overrideAttrs (_: {
+  version = "1.2.3-unstable-2024.07.16";
+
+  src = fetchurl {
+    url = "https://git.zx2c4.com/cgit/snapshot/${pname}-${commit}.tar.xz";
+    hash = "sha256-gfgjAXnWRqVCP+4cmYOVdB/3OFOLJl2WBOc3bFVDsjw=";
+  };
+
+  # cgit is tightly coupled with git and needs a git source tree to build.
+  # IMPORTANT: Remember to check which git version cgit needs on every version
+  # bump (look for "GIT_VER" in the top-level Makefile).
+  gitSrc = fetchurl {
+    url = "mirror://kernel/software/scm/git/git-2.46.0.tar.xz";
+    hash = "sha256-fxI0YqKLfKPr4mB0hfcWhVTCsQ38FVx+xGMAZmrCf5U=";
+  };
+})