feat: add error pages to nginx on bekkalokk

base/nixos-exporter: allow localhost to fetch
bicep/matrix/hookshot: enable widgets and js transformations
2026-01-12 10:28:25 +01:00 · 2025-10-25 22:13:02 +02:00 · 2025-10-13 06:41:28 +02:00 · 2025-10-13 06:02:33 +02:00 · 2025-10-13 05:42:06 +02:00 · 2025-10-12 16:42:42 +02:00
104 changed files with 3274 additions and 1191 deletions
--- a/.mailmap
+++ b/.mailmap
@@ -0,0 +1,25 @@
 Daniel Løvbrøtte Olsen <danio@pvv.ntnu.no> <daniel.olsen99@gmail.com>
 Daniel Løvbrøtte Olsen <danio@pvv.ntnu.no> Daniel <danio@pvv.ntnu.no>
 Daniel Løvbrøtte Olsen <danio@pvv.ntnu.no> Daniel Lovbrotte Olsen <danio@pvv.ntnu.no>
 Daniel Løvbrøtte Olsen <danio@pvv.ntnu.no> Daniel Olsen <danio@pvv.ntnu.no>
 Daniel Løvbrøtte Olsen <danio@pvv.ntnu.no> danio <danio@pvv.ntnu.no>
 Daniel Løvbrøtte Olsen <danio@pvv.ntnu.no> Daniel Olsen <danio@bicep.pvv.ntnu.no>
 Øystein Kristoffer Tveit <oysteikt@pvv.ntnu.no> h7x4 <h7x4@nani.wtf>
 Øystein Kristoffer Tveit <oysteikt@pvv.ntnu.no> Øystein Tveit <oysteikt@pvv.ntnu.no>
 Øystein Kristoffer Tveit <oysteikt@pvv.ntnu.no> oysteikt <oysteikt@pvv.ntnu.no>
 Øystein Kristoffer Tveit <oysteikt@pvv.ntnu.no> Øystein <oysteikt@pvv.org>
 Øystein Kristoffer Tveit <oysteikt@pvv.ntnu.no> Oystein Kristoffer Tveit <oysteikt@pvv.ntnu.no>
 Felix Albrigtsen <felixalb@pvv.ntnu.no> <felix@albrigtsen.it>
 Felix Albrigtsen <felixalb@pvv.ntnu.no> <felixalbrigtsen@gmail.com>
 Felix Albrigtsen <felixalb@pvv.ntnu.no> felixalb <felixalb@pvv.ntnu.no>
 Peder Bergebakken Sundt <pederbs@pvv.ntnu.no> <pbsds@hotmail.com>
 Adrian Gunnar Lauterer <adriangl@pvv.ntnu.no> Adrian G L <adrian@lauterer.it>
 Adrian Gunnar Lauterer <adriangl@pvv.ntnu.no> Adrian Gunnar Lauterer <adrian@lauterer.it>
 Fredrik Robertsen <frero@pvv.ntnu.no> frero <frero@pvv.ntnu.no>
 Fredrik Robertsen <frero@pvv.ntnu.no> fredrikr79 <fredrikrobertsen7@gmail.com>
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -13,7 +13,13 @@ keys:
  - &host_ildkule age1x28hmzvuv6f2n66c0jtqcca3h9rput8d7j5uek6jcpx8n9egd52sqpejq0
  - &host_bekkalokk age12nj59tguy9wg882updc2vjdusx5srnxmjyfaqve4zx6jnnsaw3qsyjq6zd
  - &host_bicep age1sl43gc9cw939z5tgha2lpwf0xxxgcnlw7w4xem4sqgmt2pt264vq0dmwx2
-  - &host_kvernberg age19rlntxt0m27waa0n288g9wgpksa6ndlzz8eneeqya7w3zd7may0sqzhcvz
+  - &host_ustetind age1hffjafs4slznksefmtqrlj7rdaqgzqncn4un938rhr053237ry8s3rs0v8
  - &host_kommode age1mt4d0hg5g76qp7j0884llemy0k2ymr5up8vfudz6vzvsflk5nptqqd32ly
  - &host_lupine-1 age1fkrypl6fu4ldsa7te4g3v4qsegnk7sd6qhkquuwzh04vguy96qus08902e
  - &host_lupine-2 age1mu0ej57n4s30ghealhyju3enls83qyjua69986la35t2yh0q2s0seruz5n
  - &host_lupine-3 age1j2u876z8hu87q5npfxzzpfgllyw8ypj66d7cgelmzmnrf3xud34qzkntp9
  - &host_lupine-4 age1t8zlawqkmhye737pn8yx0z3p9cl947d9ktv2cajdc6hnvn52d3fsc59s2k
  - &host_lupine-5 age199zkqq4jp4yc3d0hx2q0ksxdtp42xhmjsqwyngh8tswuck34ke3smrfyqu
 creation_rules:
  # Global secrets
@@ -44,6 +50,18 @@ creation_rules:
      pgp:
      - *user_oysteikt
  - path_regex: secrets/kommode/[^/]+\.yaml$
    key_groups:
    - age:
      - *host_kommode
      - *user_danio
      - *user_felixalb
      - *user_pederbs_sopp
      - *user_pederbs_nord
      - *user_pederbs_bjarte
      pgp:
      - *user_oysteikt
  - path_regex: secrets/jokum/[^/]+\.yaml$
    key_groups:
    - age:
@@ -79,9 +97,31 @@ creation_rules:
      - *user_pederbs_bjarte
      pgp:
      - *user_oysteikt
-  
+
-  - path_regex: secrets/kvernberg/[^/]+$
+  - path_regex: secrets/ustetind/[^/]+\.yaml$
    key_groups:
-      - age:
+    - age:
-          - *host_kvernberg
+      - *host_ustetind
-          - *user_danio
+      - *user_danio
      - *user_felixalb
      - *user_pederbs_sopp
      - *user_pederbs_nord
      - *user_pederbs_bjarte
      pgp:
      - *user_oysteikt
  - path_regex: secrets/lupine/[^/]+\.yaml$
    key_groups:
    - age:
      - *host_lupine-1
      - *host_lupine-2
      - *host_lupine-3
      - *host_lupine-4
      - *host_lupine-5
      - *user_danio
      - *user_felixalb
      - *user_pederbs_sopp
      - *user_pederbs_nord
      - *user_pederbs_bjarte
      pgp:
      - *user_oysteikt
--- a/base/default.nix
+++ b/base/default.nix
@@ -1,4 +1,9 @@
-{ pkgs, lib, fp, ... }:
+{
  pkgs,
  lib,
  fp,
  ...
 }:
 {
  imports = [
@@ -7,9 +12,14 @@
    ./networking.nix
    ./nix.nix
    ./vm.nix
    ./flake-input-exporter.nix
    ./services/acme.nix
    ./services/uptimed.nix
    ./services/auto-upgrade.nix
    ./services/dbus.nix
    ./services/fwupd.nix
    ./services/irqbalance.nix
    ./services/logrotate.nix
    ./services/nginx.nix
@@ -17,9 +27,12 @@
    ./services/postfix.nix
    ./services/smartd.nix
    ./services/thermald.nix
    ./services/userborn.nix
    ./services/userdbd.nix
  ];
  boot.tmp.cleanOnBoot = lib.mkDefault true;
  boot.kernelPackages = lib.mkDefault pkgs.linuxPackages_latest;
  time.timeZone = "Europe/Oslo";
@@ -45,8 +58,22 @@
    kitty.terminfo
  ];
  # .bash_profile already works, but lets also use .bashrc like literally every other distro
  # https://man.archlinux.org/man/core/bash/bash.1.en#INVOCATION
  # home-manager usually handles this for you: https://github.com/nix-community/home-manager/blob/22a36aa709de7dd42b562a433b9cefecf104a6ee/modules/programs/bash.nix#L203-L209
  # btw, programs.bash.shellInit just goes into environment.shellInit which in turn goes into /etc/profile, spooky shit
  programs.bash.shellInit = ''
    if [ -n "''${BASH_VERSION:-}" ]; then
      if [[ ! -f ~/.bash_profile && ! -f ~/.bash_login ]]; then
       [[ -f ~/.bashrc ]] && . ~/.bashrc
      fi
    fi
  '';
  programs.zsh.enable = true;
  # security.lockKernelModules = true;
  security.protectKernelImage = true;
  security.sudo.execWheelOnly = true;
  security.sudo.extraConfig = ''
    Defaults lecture = never
@@ -57,4 +84,3 @@
  # Trusted users on the nix builder machines
  users.groups."nix-builder-users".name = "nix-builder-users";
 }
--- a/base/flake-input-exporter.nix
+++ b/base/flake-input-exporter.nix
@@ -0,0 +1,55 @@
 {
  config,
  inputs,
  lib,
  pkgs,
  values,
  ...
 }:
 let
  data = lib.flip lib.mapAttrs inputs (
    name: input: {
      inherit (input)
        lastModified
        ;
    }
  );
  folder = pkgs.writeTextDir "share/flake-inputs" (
    lib.concatMapStringsSep "\n" (
      { name, value }: ''nixos_last_modified_input{flake="${name}"} ${toString value.lastModified}''
    ) (lib.attrsToList data)
  );
  port = 9102;
 in
 {
  services.nginx.virtualHosts."${config.networking.fqdn}-nixos-metrics" = {
    serverName = config.networking.fqdn;
    serverAliases = [
      "${config.networking.hostName}.pvv.org"
    ];
    locations."/metrics" = {
      root = "${folder}/share";
      tryFiles = "/flake-inputs =404";
      extraConfig = ''
        default_type text/plain;
      '';
    };
    listen = [
      {
        inherit port;
        addr = "0.0.0.0";
      }
    ];
    extraConfig = ''
      allow ${values.hosts.ildkule.ipv4}/32;
      allow ${values.hosts.ildkule.ipv6}/128;
      allow 127.0.0.1/32;
      allow ::1/128;
      allow 129.241.210.128/25;
      allow 2001:700:300:1900::/64;
      deny all;
    '';
  };
  networking.firewall.allowedTCPPorts = [ port ];
 }
--- a/base/nix.nix
+++ b/base/nix.nix
@@ -1,14 +1,14 @@
-{ inputs, ... }:
+{ lib, config, inputs, ... }:
 {
  nix = {
    gc = {
      automatic = true;
      options = "--delete-older-than 2d";
    };
    optimise.automatic = true;
    settings = {
      allow-dirty = true;
      auto-optimise-store = true;
      builders-use-substitutes = true;
      experimental-features = [ "nix-command" "flakes" ];
      log-lines = 50;
@@ -21,11 +21,16 @@
    ** use the same channel the system
    ** was built with
    */
-    registry = {
+    registry = lib.mkMerge [
-      "nixpkgs".flake = inputs.nixpkgs;
+      {
-      "nixpkgs-unstable".flake = inputs.nixpkgs-unstable;
+        "nixpkgs".flake = inputs.nixpkgs;
-      "pvv-nix".flake = inputs.self;
+        "nixpkgs-unstable".flake = inputs.nixpkgs-unstable;
-    };
+      }
      # We avoid the reference to self in vmVariant to get a stable system .outPath for equivalence testing
      (lib.mkIf (!config.virtualisation.isVmVariant) {
        "pvv-nix".flake = inputs.self;
      })
    ];
    nixPath = [
      "nixpkgs=${inputs.nixpkgs}"
      "unstable=${inputs.nixpkgs-unstable}"
--- a/base/services/auto-upgrade.nix
+++ b/base/services/auto-upgrade.nix
@@ -1,26 +1,39 @@
-{ inputs, pkgs, lib, ... }:
+{ config, inputs, pkgs, lib, ... }:
 let
  inputUrls = lib.mapAttrs (input: value: value.url) (import "${inputs.self}/flake.nix").inputs;
 in
 {
  system.autoUpgrade = {
    enable = true;
-    flake = "git+https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git?ref=pvvvvv";
+    flake = "git+https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git";
    flags = [
      # --update-input is deprecated since nix 2.22, and removed in lix 2.90
      # https://git.lix.systems/lix-project/lix/issues/400
      "--refresh"
      "--override-input" "nixpkgs" "github:NixOS/nixpkgs/refs/pull/332699/merge"
      "--override-input" "nixpkgs-unstable" "github:nixos/nixpkgs/nixos-unstable-small"
      "--no-write-lock-file"
-    ];
+      # --update-input is deprecated since nix 2.22, and removed in lix 2.90
      # as such we instead use --override-input combined with --refresh
      # https://git.lix.systems/lix-project/lix/issues/400
    ] ++ (lib.pipe inputUrls [
      (lib.intersectAttrs {
        nixpkgs = { };
        nixpkgs-unstable = { };
      })
      (lib.mapAttrsToList (input: url: ["--override-input" input url]))
      lib.concatLists
    ]);
  };
  # workaround for https://github.com/NixOS/nix/issues/6895
  # via https://git.lix.systems/lix-project/lix/issues/400
-  environment.etc."current-system-flake-inputs.json".source
+  environment.etc = lib.mkIf (!config.virtualisation.isVmVariant) {
-    = pkgs.writers.writeJSON "flake-inputs.json" (
+    "current-system-flake-inputs.json".source
-      lib.flip lib.mapAttrs inputs (name: input:
+      = pkgs.writers.writeJSON "flake-inputs.json" (
-        # inputs.*.sourceInfo sans outPath, since writeJSON will otherwise serialize sourceInfo like a derivation
+        lib.flip lib.mapAttrs inputs (name: input:
-        lib.removeAttrs (input.sourceInfo or {}) [ "outPath" ]
+          # inputs.*.sourceInfo sans outPath, since writeJSON will otherwise serialize sourceInfo like a derivation
-          // { store-path = input.outPath; } # comment this line if you don't want to retain a store reference to the flake inputs
+          lib.removeAttrs (input.sourceInfo or {}) [ "outPath" ]
-      )
+            // { store-path = input.outPath; } # comment this line if you don't want to retain a store reference to the flake inputs
-    );
+        )
      );
  };
 }
--- a/base/services/dbus.nix
+++ b/base/services/dbus.nix
@@ -0,0 +1,7 @@
 { ... }:
 {
  services.dbus = {
    enable = true;
    implementation = "broker";
  };
 }
--- a/base/services/fwupd.nix
+++ b/base/services/fwupd.nix
@@ -0,0 +1,4 @@
 { ... }:
 {
  services.fwupd.enable = true;
 }
--- a/base/services/logrotate.nix
+++ b/base/services/logrotate.nix
@@ -1,41 +1,8 @@
 { ... }:
 {
  # source: https://github.com/logrotate/logrotate/blob/main/examples/logrotate.service
  systemd.services.logrotate = {
    documentation = [ "man:logrotate(8)" "man:logrotate.conf(5)" ];
    unitConfig.RequiresMountsFor = "/var/log";
-    serviceConfig = {
+    serviceConfig.ReadWritePaths = [ "/var/log" ];
      Nice = 19;
      IOSchedulingClass = "best-effort";
      IOSchedulingPriority = 7;
      ReadWritePaths = [ "/var/log" ];
      AmbientCapabilities = [ "" ];
      CapabilityBoundingSet = [ "" ];
      DeviceAllow = [ "" ];
      LockPersonality = true;
      MemoryDenyWriteExecute = true;
      NoNewPrivileges = true; # disable for third party rotate scripts
      PrivateDevices = true;
      PrivateNetwork = true; # disable for mail delivery
      PrivateTmp = true;
      ProtectClock = true;
      ProtectControlGroups = true;
      ProtectHome = true; # disable for userdir logs
      ProtectHostname = true;
      ProtectKernelLogs = true;
      ProtectKernelModules = true;
      ProtectKernelTunables = true;
      ProtectProc = "invisible";
      ProtectSystem = "full";
      RestrictNamespaces = true;
      RestrictRealtime = true;
      SocketBindDeny = [ "any" ];
      SystemCallArchitectures = "native";
      SystemCallFilter = [
        "@system-service"
      ];
    };
  };
 }
--- a/base/services/nginx.nix
+++ b/base/services/nginx.nix
@@ -20,19 +20,23 @@
    recommendedGzipSettings = true;
    appendConfig = ''
-      pcre_jit on;
+      # pcre_jit on;
      worker_processes auto;
      worker_rlimit_nofile 100000;
    '';
    eventsConfig = ''
      worker_connections 2048;
      use epoll;
-      multi_accept on;
+      # multi_accept on;
    '';
  };
  systemd.services.nginx.serviceConfig = lib.mkIf config.services.nginx.enable {
    LimitNOFILE = 65536;
    # We use jit my dudes
    MemoryDenyWriteExecute = lib.mkForce false;
    # What the fuck do we use that where the defaults are not enough???
    SystemCallFilter = lib.mkForce null;
  };
  services.nginx.virtualHosts."_" = lib.mkIf config.services.nginx.enable {
@@ -41,4 +45,4 @@
    addSSL = true;
    extraConfig = "return 444;";
  };
-}
+}
--- a/base/services/smartd.nix
+++ b/base/services/smartd.nix
@@ -1,8 +1,20 @@
 { config, pkgs, lib, ... }:
 {
-  services.smartd.enable = lib.mkDefault true;
+  services.smartd = {
    enable = lib.mkDefault true;
    notifications = {
      mail = {
        enable = true;
        sender = "root@pvv.ntnu.no";
        recipient = "root@pvv.ntnu.no";
      };
      wall.enable = false;
    };
  };
  environment.systemPackages = lib.optionals config.services.smartd.enable (with pkgs; [
    smartmontools
  ]);
-}
+
  systemd.services.smartd.unitConfig.ConditionVirtualization = "no";
 }
--- a/base/services/uptimed.nix
+++ b/base/services/uptimed.nix
@@ -0,0 +1,59 @@
 { config, pkgs, lib, ... }:
 let
  cfg = config.services.uptimed;
 in
 {
  options.services.uptimed.settings = lib.mkOption {
    description = "";
    default = { };
    type = lib.types.submodule {
      freeformType = with lib.types; attrsOf (either str (listOf str));
    };
  };
  config = {
    services.uptimed = {
      enable = true;
      settings = let
        stateDir = "/var/lib/uptimed";
      in {
        PIDFILE = "${stateDir}/pid";
        SENDMAIL = lib.mkDefault "${pkgs.system-sendmail}/bin/sendmail -t";
      };
    };
    systemd.services.uptimed = lib.mkIf (cfg.enable) {
      serviceConfig = let
        uptimed = pkgs.uptimed.overrideAttrs (prev: {
          postPatch = ''
             substituteInPlace Makefile.am \
               --replace-fail '$(sysconfdir)/uptimed.conf' '/var/lib/uptimed/uptimed.conf'
             substituteInPlace src/Makefile.am \
               --replace-fail '$(sysconfdir)/uptimed.conf' '/var/lib/uptimed/uptimed.conf'
          '';
        });
      in {
        Type = "notify";
        ExecStart = lib.mkForce "${uptimed}/sbin/uptimed -f";
        BindReadOnlyPaths = let
          configFile = lib.pipe cfg.settings [
            (lib.mapAttrsToList
              (k: v:
                if builtins.isList v
                  then lib.mapConcatStringsSep "\n" (v': "${k}=${v'}") v
                  else "${k}=${v}")
            )
            (lib.concatStringsSep "\n")
            (pkgs.writeText "uptimed.conf")
          ];
        in [
          "${configFile}:/var/lib/uptimed/uptimed.conf"
        ];
      };
    };
  };
 }
--- a/base/services/userborn.nix
+++ b/base/services/userborn.nix
@@ -0,0 +1,4 @@
 { ... }:
 {
  services.userborn.enable = true;
 }
--- a/base/services/userdbd.nix
+++ b/base/services/userdbd.nix
@@ -0,0 +1,4 @@
 { ... }:
 {
  services.userdbd.enable = true;
 }
--- a/base/vm.nix
+++ b/base/vm.nix
@@ -0,0 +1,15 @@
 { lib, ... }:
 # This enables
 #     lib.mkIf (!config.virtualisation.isVmVariant) { ... }
 {
  options.virtualisation.isVmVariant = lib.mkOption {
    description = "`true` if system is build with 'nixos-rebuild build-vm'";
    type = lib.types.bool;
    default = false;
  };
  config.virtualisation.vmVariant = {
    virtualisation.isVmVariant = true;
  };
 }
--- a/flake.lock
+++ b/flake.lock
@@ -7,11 +7,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1731746438,
+        "lastModified": 1758287904,
-        "narHash": "sha256-f3SSp1axoOk0NAI7oFdRzbxG2XPBSIXC+/DaAXnvS1A=",
+        "narHash": "sha256-IGmaEf3Do8o5Cwp1kXBN1wQmZwQN3NLfq5t4nHtVtcU=",
        "owner": "nix-community",
        "repo": "disko",
-        "rev": "cb64993826fa7a477490be6ccb38ba1fa1e18fa8",
+        "rev": "67ff9807dd148e704baadbd4fd783b54282ca627",
        "type": "github"
      },
      "original": {
@@ -20,6 +20,26 @@
        "type": "github"
      }
    },
    "gergle": {
      "inputs": {
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1758384693,
        "narHash": "sha256-zakdGo9micgEXGiC5Uq0gE5GkHtX12qaRYLcstKPek4=",
        "ref": "refs/heads/main",
        "rev": "5f6a462d87cbe25834e8f31283f39fb46c9c3561",
        "revCount": 21,
        "type": "git",
        "url": "https://git.pvv.ntnu.no/Grzegorz/gergle.git"
      },
      "original": {
        "type": "git",
        "url": "https://git.pvv.ntnu.no/Grzegorz/gergle.git"
      }
    },
    "greg-ng": {
      "inputs": {
        "nixpkgs": [
@@ -28,17 +48,17 @@
        "rust-overlay": "rust-overlay"
      },
      "locked": {
-        "lastModified": 1730249639,
+        "lastModified": 1758919016,
-        "narHash": "sha256-G3URSlqCcb+GIvGyki+HHrDM5ZanX/dP9BtppD/SdfI=",
+        "narHash": "sha256-TSJMOWq9dO7P1iQB4httzWwAtpM1veacLcaS7FAyTpo=",
        "ref": "refs/heads/main",
-        "rev": "80e0447bcb79adad4f459ada5610f3eae987b4e3",
+        "rev": "c87263b784954d20485d108e70934c9316935d75",
-        "revCount": 34,
+        "revCount": 51,
        "type": "git",
-        "url": "https://git.pvv.ntnu.no/Projects/greg-ng.git"
+        "url": "https://git.pvv.ntnu.no/Grzegorz/greg-ng.git"
      },
      "original": {
        "type": "git",
-        "url": "https://git.pvv.ntnu.no/Projects/greg-ng.git"
+        "url": "https://git.pvv.ntnu.no/Grzegorz/greg-ng.git"
      }
    },
    "grzegorz-clients": {
@@ -48,17 +68,17 @@
        ]
      },
      "locked": {
-        "lastModified": 1726861934,
+        "lastModified": 1736178795,
-        "narHash": "sha256-lOzPDwktd+pwszUTbpUdQg6iCzInS11fHLfkjmnvJrM=",
+        "narHash": "sha256-mPdi8cgvIDYcgG3FRG7A4BOIMu2Jef96TPMnV00uXlM=",
        "ref": "refs/heads/master",
-        "rev": "546d921ec46735dbf876e36f4af8df1064d09432",
+        "rev": "fde738910de1fd8293535a6382c2f0c2749dd7c1",
-        "revCount": 78,
+        "revCount": 79,
        "type": "git",
-        "url": "https://git.pvv.ntnu.no/Projects/grzegorz-clients.git"
+        "url": "https://git.pvv.ntnu.no/Grzegorz/grzegorz-clients.git"
      },
      "original": {
        "type": "git",
-        "url": "https://git.pvv.ntnu.no/Projects/grzegorz-clients.git"
+        "url": "https://git.pvv.ntnu.no/Grzegorz/grzegorz-clients.git"
      }
    },
    "matrix-next": {
@@ -68,16 +88,16 @@
        ]
      },
      "locked": {
-        "lastModified": 1727410897,
+        "lastModified": 1753216555,
-        "narHash": "sha256-tWsyxvf421ieWUJYgjV7m1eTdr2ZkO3vId7vmtvfFpQ=",
+        "narHash": "sha256-qfgVfgXjVPV7vEER4PVFiGUOUW08GHH71CVXgYW8EVc=",
        "owner": "dali99",
        "repo": "nixos-matrix-modules",
-        "rev": "ff787d410cba17882cd7b6e2e22cc88d4064193c",
+        "rev": "099db715d1eba526a464f271b05cead5166fd9a9",
        "type": "github"
      },
      "original": {
        "owner": "dali99",
-        "ref": "v0.6.1",
+        "ref": "v0.7.1",
        "repo": "nixos-matrix-modules",
        "type": "github"
      }
@@ -90,11 +110,31 @@
        "rev": "1b4087bd3322a2e2ba84271c8fcc013e6b641a58",
        "revCount": 2,
        "type": "git",
-        "url": "https://git.pvv.ntnu.no/Drift/minecraft-data.git"
+        "url": "https://git.pvv.ntnu.no/Projects/minecraft-kartverket.git"
      },
      "original": {
        "type": "git",
-        "url": "https://git.pvv.ntnu.no/Drift/minecraft-data.git"
+        "url": "https://git.pvv.ntnu.no/Projects/minecraft-kartverket.git"
      }
    },
    "minecraft-heatmap": {
      "inputs": {
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1756124334,
        "narHash": "sha256-DXFmSpgI8FrqcdqY7wg5l/lpssWjslHq5ufvyp/5k4o=",
        "ref": "refs/heads/main",
        "rev": "83760b1ebcd9722ddf58a4117d29555da65538ad",
        "revCount": 13,
        "type": "git",
        "url": "https://git.pvv.ntnu.no/Projects/minecraft-heatmap.git"
      },
      "original": {
        "type": "git",
        "url": "https://git.pvv.ntnu.no/Projects/minecraft-heatmap.git"
      }
    },
    "nix-gitea-themes": {
@@ -104,65 +144,43 @@
        ]
      },
      "locked": {
-        "lastModified": 1714416973,
+        "lastModified": 1743881366,
-        "narHash": "sha256-aZUcvXjdETUC6wVQpWDVjLUzwpDAEca8yR0ITDeK39o=",
+        "narHash": "sha256-ScGA2IHPk9ugf9bqEZnp+YB/OJgrkZblnG/XLEKvJAo=",
        "ref": "refs/heads/main",
-        "rev": "2b23c0ba8aae68d3cb6789f0f6e4891cef26cc6d",
+        "rev": "db2e4becf1b11e5dfd33de12a90a7d089fcf68ec",
-        "revCount": 6,
+        "revCount": 11,
        "type": "git",
-        "url": "https://git.pvv.ntnu.no/oysteikt/nix-gitea-themes.git"
+        "url": "https://git.pvv.ntnu.no/Drift/nix-gitea-themes.git"
      },
      "original": {
        "type": "git",
-        "url": "https://git.pvv.ntnu.no/oysteikt/nix-gitea-themes.git"
+        "url": "https://git.pvv.ntnu.no/Drift/nix-gitea-themes.git"
      }
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1731779898,
+        "lastModified": 1760254360,
-        "narHash": "sha256-oxxCrYZM0WNRoaokDyVXcPIlTc8Z2yX4QjKbgXGI3IM=",
+        "narHash": "sha256-Npp92Joy2bRyickrrVP9+85z31aGS8kVNiLlKvd5pC4=",
-        "owner": "NixOS",
+        "rev": "bafe987a29b8bea2edbb3aba76b51464b3d222f0",
-        "repo": "nixpkgs",
+        "type": "tarball",
-        "rev": "9972661139e27eed0237df4dde34839e09028cd5",
+        "url": "https://releases.nixos.org/nixos/25.05-small/nixos-25.05.811161.bafe987a29b8/nixexprs.tar.xz"
        "type": "github"
      },
      "original": {
-        "owner": "NixOS",
+        "type": "tarball",
-        "ref": "refs/pull/332699/merge",
+        "url": "https://nixos.org/channels/nixos-25.05-small/nixexprs.tar.xz"
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "nixpkgs-stable": {
      "locked": {
        "lastModified": 1730602179,
        "narHash": "sha256-efgLzQAWSzJuCLiCaQUCDu4NudNlHdg2NzGLX5GYaEY=",
        "owner": "NixOS",
        "repo": "nixpkgs",
        "rev": "3c2f1c4ca372622cb2f9de8016c9a0b1cbd0f37c",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
        "ref": "release-24.05",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "nixpkgs-unstable": {
      "locked": {
-        "lastModified": 1731745710,
+        "lastModified": 1760252326,
-        "narHash": "sha256-SVeiClbgqL071JpAspOu0gCkPSAL51kSIRwo4C/pghA=",
+        "narHash": "sha256-5v32B25kSE++E+KtP4DO687r/AlWL9qOlOjtYyfcDSw=",
-        "owner": "NixOS",
+        "rev": "66e5020bfe0af40ffa127426f8405edbdadbb40b",
-        "repo": "nixpkgs",
+        "type": "tarball",
-        "rev": "dfaa4cb76c2d450d8f396bb6b9f43cede3ade129",
+        "url": "https://releases.nixos.org/nixos/unstable-small/nixos-25.11pre876242.66e5020bfe0a/nixexprs.tar.xz"
        "type": "github"
      },
      "original": {
-        "owner": "NixOS",
+        "type": "tarball",
-        "ref": "nixos-unstable-small",
+        "url": "https://nixos.org/channels/nixos-unstable-small/nixexprs.tar.xz"
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "pvv-calendar-bot": {
@@ -172,11 +190,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1723850344,
+        "lastModified": 1742225512,
-        "narHash": "sha256-aT37O9l9eclWEnqxASVNBL1dKwDHZUOqdbA4VO9DJvw=",
+        "narHash": "sha256-OB0ndlrGLE5wMUeYP4lmxly9JUEpPCeZRQyMzITKCB0=",
        "ref": "refs/heads/main",
-        "rev": "38b66677ab8c01aee10cd59e745af9ce3ea88092",
+        "rev": "c4a6a02c84d8227abf00305dc995d7242176e6f6",
-        "revCount": 19,
+        "revCount": 21,
        "type": "git",
        "url": "https://git.pvv.ntnu.no/Projects/calendar-bot.git"
      },
@@ -192,11 +210,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1725212759,
+        "lastModified": 1757332682,
-        "narHash": "sha256-yZBsefIarFUEhFRj+rCGMp9Zvag3MCafqV/JfGVRVwc=",
+        "narHash": "sha256-4p4aVQWs7jHu3xb6TJlGik20lqbUU/Fc0/EHpzoRlO0=",
-        "ref": "refs/heads/master",
+        "ref": "refs/heads/main",
-        "rev": "e7b66b4bc6a89bab74bac45b87e9434f5165355f",
+        "rev": "da1113341ad9881d8d333d1e29790317bd7701e7",
-        "revCount": 473,
+        "revCount": 518,
        "type": "git",
        "url": "https://git.pvv.ntnu.no/Projects/nettsiden.git"
      },
@@ -208,10 +226,12 @@
    "root": {
      "inputs": {
        "disko": "disko",
        "gergle": "gergle",
        "greg-ng": "greg-ng",
        "grzegorz-clients": "grzegorz-clients",
        "matrix-next": "matrix-next",
        "minecraft-data": "minecraft-data",
        "minecraft-heatmap": "minecraft-heatmap",
        "nix-gitea-themes": "nix-gitea-themes",
        "nixpkgs": "nixpkgs",
        "nixpkgs-unstable": "nixpkgs-unstable",
@@ -228,11 +248,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1729391507,
+        "lastModified": 1758335443,
-        "narHash": "sha256-as0I9xieJUHf7kiK2a9znDsVZQTFWhM1pLivII43Gi0=",
+        "narHash": "sha256-2jaGMj32IckpZgBjn7kG4zyJl66T+2A1Fn2ppkHh91o=",
        "owner": "oxalica",
        "repo": "rust-overlay",
-        "rev": "784981a9feeba406de38c1c9a3decf966d853cca",
+        "rev": "f1ccb14649cf87e48051a6ac3a571b4a57d84ff3",
        "type": "github"
      },
      "original": {
@@ -245,15 +265,14 @@
      "inputs": {
        "nixpkgs": [
          "nixpkgs"
-        ],
+        ]
        "nixpkgs-stable": "nixpkgs-stable"
      },
      "locked": {
-        "lastModified": 1731748189,
+        "lastModified": 1760240450,
-        "narHash": "sha256-Zd/Uukvpcu26M6YGhpbsgqm6LUSLz+Q8mDZ5LOEGdiE=",
+        "narHash": "sha256-sa9bS9jSyc4vH0jSWrUsPGdqtMvDwmkLg971ntWOo2U=",
        "owner": "Mic92",
        "repo": "sops-nix",
-        "rev": "d2bd7f433b28db6bc7ae03d5eca43564da0af054",
+        "rev": "41fd1f7570c89f645ee0ada0be4e2d3c4b169549",
        "type": "github"
      },
      "original": {
--- a/flake.nix
+++ b/flake.nix
@@ -2,8 +2,8 @@
  description = "PVV System flake";
  inputs = {
-    nixpkgs.url = "github:NixOS/nixpkgs/refs/pull/332699/merge"; # remember to also update the url in base/services/auto-upgrade.nix
+    nixpkgs.url = "https://nixos.org/channels/nixos-25.05-small/nixexprs.tar.xz";
-    nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable-small";
+    nixpkgs-unstable.url = "https://nixos.org/channels/nixos-unstable-small/nixexprs.tar.xz";
    sops-nix.url = "github:Mic92/sops-nix";
    sops-nix.inputs.nixpkgs.follows = "nixpkgs";
@@ -17,29 +17,34 @@
    pvv-calendar-bot.url = "git+https://git.pvv.ntnu.no/Projects/calendar-bot.git";
    pvv-calendar-bot.inputs.nixpkgs.follows = "nixpkgs";
-    matrix-next.url = "github:dali99/nixos-matrix-modules/v0.6.1";
+    matrix-next.url = "github:dali99/nixos-matrix-modules/v0.7.1";
    matrix-next.inputs.nixpkgs.follows = "nixpkgs";
-    nix-gitea-themes.url = "git+https://git.pvv.ntnu.no/oysteikt/nix-gitea-themes.git";
+    nix-gitea-themes.url = "git+https://git.pvv.ntnu.no/Drift/nix-gitea-themes.git";
    nix-gitea-themes.inputs.nixpkgs.follows = "nixpkgs";
-    greg-ng.url = "git+https://git.pvv.ntnu.no/Projects/greg-ng.git";
+    minecraft-heatmap.url = "git+https://git.pvv.ntnu.no/Projects/minecraft-heatmap.git";
    minecraft-heatmap.inputs.nixpkgs.follows = "nixpkgs";
    greg-ng.url = "git+https://git.pvv.ntnu.no/Grzegorz/greg-ng.git";
    greg-ng.inputs.nixpkgs.follows = "nixpkgs";
-    grzegorz-clients.url = "git+https://git.pvv.ntnu.no/Projects/grzegorz-clients.git";
+    gergle.url = "git+https://git.pvv.ntnu.no/Grzegorz/gergle.git";
    gergle.inputs.nixpkgs.follows = "nixpkgs";
    grzegorz-clients.url = "git+https://git.pvv.ntnu.no/Grzegorz/grzegorz-clients.git";
    grzegorz-clients.inputs.nixpkgs.follows = "nixpkgs";
-    minecraft-data.url = "git+https://git.pvv.ntnu.no/Drift/minecraft-data.git";
+    minecraft-data.url = "git+https://git.pvv.ntnu.no/Projects/minecraft-kartverket.git";
  };
  outputs = { self, nixpkgs, nixpkgs-unstable, sops-nix, disko, ... }@inputs:
  let
-    nixlib = nixpkgs.lib;
+    inherit (nixpkgs) lib;
    systems = [
      "x86_64-linux"
      "aarch64-linux"
      "aarch64-darwin"
    ];
-    forAllSystems = f: nixlib.genAttrs systems f;
+    forAllSystems = f: lib.genAttrs systems f;
    allMachines = builtins.attrNames self.nixosConfigurations;
    importantMachines = [
      "bekkalokk"
@@ -49,44 +54,69 @@
      "ildkule"
    ];
  in {
-    inherit inputs;
+    inputs = lib.mapAttrs (_: src: src.outPath) inputs;
    nixosConfigurations = let
      unstablePkgs = nixpkgs-unstable.legacyPackages.x86_64-linux;
-      nixosConfig = nixpkgs: name: config: nixpkgs.lib.nixosSystem (nixpkgs.lib.recursiveUpdate
+
-        rec {
+      nixosConfig =
        nixpkgs:
        name:
        configurationPath:
        extraArgs:
        lib.nixosSystem (lib.recursiveUpdate
        (let
          system = "x86_64-linux";
        in {
          inherit system;
          specialArgs = {
            inherit unstablePkgs inputs;
            values = import ./values.nix;
            fp = path: ./${path};
-          };
+          } // extraArgs.specialArgs or { };
          modules = [
-            ./hosts/${name}/configuration.nix
+            configurationPath
            sops-nix.nixosModules.sops
-          ] ++ config.modules or [];
+          ] ++ extraArgs.modules or [];
          pkgs = import nixpkgs {
            inherit system;
            extraArgs.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg)
              [
                "nvidia-x11"
                "nvidia-settings"
              ];
            overlays = [
              # Global overlays go here
-            ] ++ config.overlays or [ ];
+            ] ++ extraArgs.overlays or [ ];
          };
-        }
+        })
-        (removeAttrs config [ "modules" "overlays" ])
+        (builtins.removeAttrs extraArgs [
          "modules"
          "overlays"
          "specialArgs"
        ])
      );
-      stableNixosConfig = nixosConfig nixpkgs;
+      stableNixosConfig = name: extraArgs:
-      unstableNixosConfig = nixosConfig nixpkgs-unstable;
+          nixosConfig nixpkgs name ./hosts/${name}/configuration.nix extraArgs;
    in {
      bicep = stableNixosConfig "bicep" {
        modules = [
          inputs.matrix-next.nixosModules.default
          inputs.pvv-calendar-bot.nixosModules.default
          inputs.minecraft-heatmap.nixosModules.default
          self.nixosModules.gickup
          self.nixosModules.matrix-ooye
        ];
        overlays = [
          inputs.pvv-calendar-bot.overlays.x86_64-linux.default
          inputs.minecraft-heatmap.overlays.default
          (final: prev: {
            inherit (self.packages.${prev.system}) out-of-your-element;
          })
        ];
      };
      bekkalokk = stableNixosConfig "bekkalokk" {
@@ -97,57 +127,84 @@
            simplesamlphp = final.callPackage ./packages/simplesamlphp { };
            bluemap = final.callPackage ./packages/bluemap.nix { };
          })
          inputs.nix-gitea-themes.overlays.default
          inputs.pvv-nettsiden.overlays.default
        ];
        modules = [
          inputs.nix-gitea-themes.nixosModules.default
          inputs.pvv-nettsiden.nixosModules.default
        ];
      };
      bob = stableNixosConfig "bob" {
        modules = [
          disko.nixosModules.disko
          { disko.devices.disk.disk1.device = "/dev/vda"; }
        ];
      };
      ildkule = stableNixosConfig "ildkule" { };
      #ildkule-unstable = unstableNixosConfig "ildkule" { };
      shark = stableNixosConfig "shark" { };
      wenche = stableNixosConfig "wenche" { };
      kommode = stableNixosConfig "kommode" {
        overlays = [
          inputs.nix-gitea-themes.overlays.default
        ];
        modules = [
          inputs.nix-gitea-themes.nixosModules.default
        ];
      };
      ustetind = stableNixosConfig "ustetind" {
        modules = [
         "${nixpkgs}/nixos/modules/virtualisation/lxc-container.nix"
        ];
      };
      brzeczyszczykiewicz = stableNixosConfig "brzeczyszczykiewicz" {
        modules = [
          inputs.grzegorz-clients.nixosModules.grzegorz-webui
          inputs.gergle.nixosModules.default
          inputs.greg-ng.nixosModules.default
        ];
        overlays = [
          inputs.greg-ng.overlays.default
          inputs.gergle.overlays.default
        ];
      };
      georg = stableNixosConfig "georg" {
        modules = [
          inputs.grzegorz-clients.nixosModules.grzegorz-webui
          inputs.gergle.nixosModules.default
          inputs.greg-ng.nixosModules.default
        ];
        overlays = [
          inputs.greg-ng.overlays.default
          inputs.gergle.overlays.default
        ];
      };
-      kvernberg = stableNixosConfig "kvernberg" {
+    }
-        modules = [
+    //
-          disko.nixosModules.disko
+    (let
-          { disko.devices.disk.disk1.device = "/dev/sda"; }
+      machineNames = map (i: "lupine-${toString i}") (lib.range 1 5);
-        ];
+      stableLupineNixosConfig = name: extraArgs:
-      };
+          nixosConfig nixpkgs name ./hosts/lupine/configuration.nix extraArgs;
-    };
+    in lib.genAttrs machineNames (name: stableLupineNixosConfig name {
      modules = [{ networking.hostName = name; }];
      specialArgs.lupineName = name;
    }));
    nixosModules = {
      snakeoil-certs = ./modules/snakeoil-certs.nix;
      snappymail = ./modules/snappymail.nix;
      robots-txt = ./modules/robots-txt.nix;
      gickup = ./modules/gickup;
      matrix-ooye = ./modules/matrix-ooye.nix;
    };
    devShells = forAllSystems (system: {
-      default = nixpkgs.legacyPackages.${system}.callPackage ./shell.nix { };
+      default = nixpkgs-unstable.legacyPackages.${system}.callPackage ./shell.nix { };
      cuda = let
        cuda-pkgs = import nixpkgs-unstable {
          inherit system;
          config = {
            allowUnfree = true;
            cudaSupport = true;
          };
        };
      in cuda-pkgs.callPackage ./shells/cuda.nix { };
    });
    packages = {
@@ -156,19 +213,20 @@
      in rec {
        default = important-machines;
        important-machines = pkgs.linkFarm "important-machines"
-          (nixlib.getAttrs importantMachines self.packages.x86_64-linux);
+          (lib.getAttrs importantMachines self.packages.x86_64-linux);
        all-machines = pkgs.linkFarm "all-machines"
-          (nixlib.getAttrs allMachines self.packages.x86_64-linux);
+          (lib.getAttrs allMachines self.packages.x86_64-linux);
        simplesamlphp = pkgs.callPackage ./packages/simplesamlphp { };
        out-of-your-element = pkgs.callPackage ./packages/out-of-your-element.nix { };
      } //
-      (nixlib.pipe null [
+      (lib.pipe null [
        (_: pkgs.callPackage ./packages/mediawiki-extensions { })
-        (nixlib.flip builtins.removeAttrs ["override" "overrideDerivation"])
+        (lib.flip builtins.removeAttrs ["override" "overrideDerivation"])
-        (nixlib.mapAttrs' (name: nixlib.nameValuePair "mediawiki-${name}"))
+        (lib.mapAttrs' (name: lib.nameValuePair "mediawiki-${name}"))
      ])
-      // nixlib.genAttrs allMachines
+      // lib.genAttrs allMachines
        (machine: self.nixosConfigurations.${machine}.config.system.build.toplevel);
    };
  };
--- a/hosts/bekkalokk/configuration.nix
+++ b/hosts/bekkalokk/configuration.nix
@@ -7,7 +7,6 @@
    (fp /misc/metrics-exporters.nix)
    ./services/bluemap/default.nix
    ./services/gitea/default.nix
    ./services/idp-simplesamlphp
    ./services/kerberos
    ./services/mediawiki
--- a/hosts/bekkalokk/services/500.html
+++ b/hosts/bekkalokk/services/500.html
@@ -0,0 +1,99 @@
 <!DOCTYPE html>
 <html lang="no">
 <head>
  <meta charset="utf-8">
  <title>500 – Intern serverfeil | PVV</title>
  <meta name="viewport" content="width=device-width, initial-scale=1">
  <style>
    body {
      margin: 0;
      padding: 0;
      font-family: 'Open Sans', sans-serif;
      background-color: #002244;
      color: #f0f0f0;
      display: flex;
      align-items: center;
      justify-content: center;
      height: 100vh;
      text-align: center;
    }
    .box {
      max-width: 480px;
      padding: 2rem;
    }
    .logo {
      width: 30%;
      height: auto;
      margin: 0 auto 2rem;
    }
    h1 {
      margin: 0 0 1rem;
      font-size: 2.25rem;
      font-weight: 700;
    }
    p {
      margin: 0 0 1.25rem;
      font-size: 1.05rem;
      line-height: 1.4;
    }
    .error-code {
      margin: 1.5rem 0;
      opacity: 0.7;
    }
    .contact {
      margin-top: 1.75rem;
      font-size: 0.93rem;
      line-height: 1.4;
    }
    .contact a {
      color: #bcd025;
      text-decoration: none;
    }
    ul {
      padding: 0;
      list-style: none;
      margin: 0.5rem 0 0;
    }
    li {
      margin: 0.35rem 0;
    }
  </style>
 </head>
 <body>
  <div class="box">
    <div class="logo">
      <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 200 200">
        <path fill="#283681" d="M0 0h200v200H0z"/>
        <g fill="none" fill-opacity="0" stroke="#fff" stroke-width="1.1">
          <path d="M119.6 180H78.3"/>
          <path d="M179.3 55.8v124.3h-55"/>
          <path stroke-linecap="square" d="M124.6 180a2.5 2.5 0 0 0-2.5-2.5 2.5 2.5 0 0 0-2.6 2.6H78.6a2.5 2.5 0 0 0-2.5-2.6 2.5 2.5 0 0 0-2.6 2.6H19.2V19.9h160v30H175v6.2h4.3"/>
        </g>
        <circle cx="396.8" cy="400" r="320.3" fill="none" stroke="#fff" stroke-miterlimit="10" stroke-width="4.2" transform="scale(.25)"/>
        <g fill="none" fill-opacity="0" stroke="#fff" stroke-width="1.1">
          <path stroke-linejoin="bevel" d="M128.6 43.4h-86v113.3h113.2V53.8l-9.7-10.5h-6.8L137 45h-5.4"/>
          <path d="M131.6 83c0 1.9-1.3 3.4-3 3.4H57c-1.6 0-3-1.6-3-3.5v-36c0-1.9 1.4-3.4 3-3.4h71.7c1.7 0 3 1.5 3 3.4z"/>
          <path d="M131.7 83.4a3 3 0 0 1-3 3H74.2a3 3 0 0 1-3-3v-37a3 3 0 0 1 3-3h54.5a3 3 0 0 1 3 3zm12.8 70a3 3 0 0 1-3 3H56.9a3 3 0 0 1-3-3V95.3a3 3 0 0 1 3-3h84.6a3 3 0 0 1 3 3zM45 147.6h6.4v5.7H45zm101.9 0h6.4v5.7H147z"/>
          <path d="M108.4 48.4h16.2v34.4h-16.2z"/>
        </g>
        <path fill="#fff" stroke="#fff" stroke-miterlimit="10" stroke-width="4.2" d="M275 541.6c0 3.5 2.7 6.4 6.2 6.4 3.6 0 6.5-2.9 6.5-6.4v-31h30.8c10.5 0 19.2-8.7 19.2-19.2v-22.7c0-10.3-8.7-19-19.2-19H275zm12.7-43.8v-35.4h30.8c3.3 0 6.5 3 6.5 6.3v22.7c0 3.6-3 6.5-6.5 6.5zm78.3-19 25.3 65.2a6.4 6.4 0 0 0 12 0l25.4-65.3V456c0-3.4-2.9-6.3-6.4-6.3a6.3 6.3 0 0 0-6.3 6.3v20.3l-18.6 47.6-18.7-47.6V456c0-3.4-2.9-6.3-6.4-6.3a6.3 6.3 0 0 0-6.3 6.3zm91 0 25.4 65.2a6.4 6.4 0 0 0 12 0l25.4-65.3V456c0-3.4-2.9-6.3-6.4-6.3a6.3 6.3 0 0 0-6.3 6.3v20.3l-18.7 47.6-18.6-47.6V456c0-3.4-3-6.3-6.5-6.3a6.3 6.3 0 0 0-6.3 6.3z" transform="scale(.25)"/>
      </svg>
    </div>
    <h1>50X: Intern serverfeil</h1>
    <p>Beklager, noe gikk galt.</p>
    <p>Vennligst prøv igjen senere eller gå til forsiden.</p>
    <div class="error-code">Feilkode: 50X</div>
    <div class="contact">
      <p>Kontakt drift hvis problemet vedvarer:</p>
      <ul>
        <li><strong>Discord:</strong> <a href="https://discord.gg/pyDDFpbG2x" target="_blank">discord.gg/pyDDFpbG2x</a></li>
        <li><strong>Matrix:</strong> <a href="https://matrix.to/#/#pvv:pvv.ntnu.no" target="_blank">#pvv:pvv.ntnu.no</a></li>
        <li><strong>E‑post:</strong> <a href="mailto:drift@pvv.ntnu.no">drift@pvv.ntnu.no</a></li>
      </ul>
    </div>
  </div>
 </body>
 </html>
--- a/hosts/bekkalokk/services/bluemap/default.nix
+++ b/hosts/bekkalokk/services/bluemap/default.nix
@@ -6,13 +6,15 @@ in {
    ./module.nix # From danio, pending upstreaming
  ];
-  disabledModules = [ "services/web-servers/bluemap.nix" ];
+  disabledModules = [ "services/web-apps/bluemap.nix" ];
  sops.secrets."bluemap/ssh-key" = { };
  sops.secrets."bluemap/ssh-known-hosts" = { };
  services.bluemap = {
    enable = true;
    package = pkgs.callPackage ./package.nix { };
    eula = true;
    onCalendar = "*-*-* 05:45:00"; # a little over an hour after auto-upgrade
--- a/hosts/bekkalokk/services/bluemap/module.nix
+++ b/hosts/bekkalokk/services/bluemap/module.nix
@@ -26,7 +26,6 @@ let
    "webapp.conf" = webappConfig;
    "webserver.conf" = webserverConfig;
    "packs" = cfg.resourcepacks;
    "addons" = cfg.resourcepacks; # TODO
  };
  renderConfigFolder = name: value: pkgs.linkFarm "bluemap-${name}-config" {
@@ -38,13 +37,13 @@ let
    "webapp.conf" = format.generate "webapp.conf" (cfg.webappSettings // { "update-settings-file" = false; });
    "webserver.conf" = webserverConfig;
    "packs" = value.resourcepacks;
    "addons" = cfg.resourcepacks; # TODO
  };
  inherit (lib) mkOption;
 in {
  options.services.bluemap = {
    enable = lib.mkEnableOption "bluemap";
    package = lib.mkPackageOption pkgs "bluemap" { };
    eula = mkOption {
      type = lib.types.bool;
@@ -159,7 +158,7 @@ in {
            type = lib.types.path;
            default = cfg.resourcepacks;
            defaultText = lib.literalExpression "config.services.bluemap.resourcepacks";
-            description = "A set of resourcepacks/mods to extract models from loaded in alphabetical order";
+            description = "A set of resourcepacks/mods/bluemap-addons to extract models from loaded in alphabetical order";
          };
          settings = mkOption {
            type = (lib.types.submodule {
@@ -310,9 +309,18 @@ in {
        Group = "nginx";
        UMask = "026";
      };
-      script = lib.strings.concatStringsSep "\n" ((lib.attrsets.mapAttrsToList
+      script = ''
-        (name: value: "${lib.getExe pkgs.bluemap} -c ${renderConfigFolder name value} -r")
+        # If web folder doesnt exist generate it
-        cfg.maps) ++ [ "${lib.getExe pkgs.bluemap} -c ${webappConfigFolder} -gs" ]);
+        test -f "${cfg.webRoot}" || ${lib.getExe cfg.package} -c ${webappConfigFolder} -gs
        # Render each minecraft map
        ${lib.strings.concatStringsSep "\n" (lib.attrsets.mapAttrsToList
          (name: value: "${lib.getExe cfg.package} -c ${renderConfigFolder name value} -r")
          cfg.maps)}
        # Generate updated webapp
        ${lib.getExe cfg.package} -c ${webappConfigFolder} -gs
      '';
    };
    systemd.timers."render-bluemap-maps" = lib.mkIf cfg.enableRender {
--- a/hosts/bekkalokk/services/bluemap/package.nix
+++ b/hosts/bekkalokk/services/bluemap/package.nix
@@ -0,0 +1,30 @@
 { lib, stdenvNoCC, fetchurl, makeWrapper, jre }:
 stdenvNoCC.mkDerivation rec {
  pname = "bluemap";
  version = "5.7";
  src = fetchurl {
    url = "https://github.com/BlueMap-Minecraft/BlueMap/releases/download/v${version}/BlueMap-${version}-cli.jar";
    hash = "sha256-8udZYJgrr4bi2mjRYrASd8JwUoUVZW1tZpOLRgafAIw=";
  };
  dontUnpack = true;
  nativeBuildInputs = [ makeWrapper ];
  installPhase = ''
    runHook preInstall
    makeWrapper ${jre}/bin/java $out/bin/bluemap --add-flags "-jar $src"
    runHook postInstall
  '';
  meta = {
    description = "3D minecraft map renderer";
    homepage = "https://bluemap.bluecolored.de/";
    sourceProvenance = with lib.sourceTypes; [ binaryBytecode ];
    license = lib.licenses.mit;
    maintainers = with lib.maintainers; [ dandellion h7x4 ];
    mainProgram = "bluemap";
  };
 }
--- a/hosts/bekkalokk/services/mediawiki/default.nix
+++ b/hosts/bekkalokk/services/mediawiki/default.nix
@@ -61,7 +61,6 @@ in {
      user = "mediawiki";
      passwordFile = config.sops.secrets."mediawiki/postgres_password".path;
      createLocally = false;
      # TODO: create a normal database and copy over old data when the service is production ready
      name = "mediawiki";
    };
@@ -215,11 +214,11 @@ in {
      "= /favicon.ico".alias = pkgs.runCommandLocal "mediawiki-favicon.ico" {
        buildInputs = with pkgs; [ imagemagick ];
      } ''
-        convert \
+        magick \
          ${fp /assets/logo_blue_regular.png} \
          -resize x64 \
          -gravity center \
          -crop 64x64+0+0 \
          ${fp /assets/logo_blue_regular.png} \
          -flatten \
          -colors 256 \
          -background transparent \
--- a/hosts/bekkalokk/services/nginx.nix
+++ b/hosts/bekkalokk/services/nginx.nix
@@ -1,4 +1,10 @@
 { pkgs, config, ... }:
 {
-  services.nginx.enable = true;
+  services.nginx = {
    enable = true;
    appendHttpConfig = ''
      error_page 500 502 503 504 /500.html;
    '';
  };
  environment.etc."nginx/html/500.html".source = ./500.html;
 }
--- a/hosts/bekkalokk/services/vaultwarden.nix
+++ b/hosts/bekkalokk/services/vaultwarden.nix
@@ -83,7 +83,6 @@ in {
      ProtectKernelLogs = true;
      ProtectKernelModules = true;
      ProtectKernelTunables = true;
      ProtectProc = "invisible";
      RestrictAddressFamilies = [
        "AF_INET"
        "AF_INET6"
@@ -98,7 +97,6 @@ in {
        "@system-service"
        "~@privileged"
      ];
      UMask = "0007";
    };
  };
 }
--- a/hosts/bekkalokk/services/webmail/roundcube.nix
+++ b/hosts/bekkalokk/services/webmail/roundcube.nix
@@ -21,7 +21,7 @@ in
      custom_from
    ]);
-    dicts = with pkgs.aspellDicts; [ en en-science en-computers nb nn fr de it ];
+    dicts = with pkgs.aspellDicts; [ en en-computers nb nn fr de it ];
    maxAttachmentSize = 20;
    hostName = "roundcubeplaceholder.example.com";
--- a/hosts/bekkalokk/services/website/default.nix
+++ b/hosts/bekkalokk/services/website/default.nix
@@ -67,7 +67,12 @@ in {
        ADMIN_NAME = "PVV Drift";
        ADMIN_EMAIL = "drift@pvv.ntnu.no";
        ADMIN_PASSWORD = includeFromSops "simplesamlphp/admin_password";
-        TRUSTED_DOMAINS = [ cfg.domainName ];
+        TRUSTED_DOMAINS = [
          "www.pvv.ntnu.no"
          "pvv.ntnu.no"
          "www.pvv.org"
          "pvv.org"
        ];
      };
    };
  };
@@ -117,5 +122,17 @@ in {
      "/diverse/abuse.php".return = "301 https://wiki.pvv.ntnu.no/wiki/CERT/Abuse";
      "/nerds/".return = "301 https://wiki.pvv.ntnu.no/wiki/Nerdepizza";
    };
    extraConfig = ''
      error_page 500 502 503 504 /500.html;
    '';
    locations."/500.html" = {
      root = "/etc/static/nginx/html";
      extraConfig = ''
        internal;
      '';
    };
  };
 }
--- a/hosts/bekkalokk/services/website/fetch-gallery.nix
+++ b/hosts/bekkalokk/services/website/fetch-gallery.nix
@@ -53,7 +53,7 @@ in {
        echo "Creating thumbnail for $fname"
        mkdir -p $(dirname ".thumbnails/$fname")
-        convert -define jpeg:size=200x200 "$fname" -thumbnail 300 -auto-orient ".thumbnails/$fname.png" ||:
+        magick -define jpeg:size=200x200 "$fname" -thumbnail 300 -auto-orient ".thumbnails/$fname.png" ||:
        touch -m -d "$(date -R -r "$fname")" ".thumbnails/$fname.png"
      done <<< "$images"
    '';
--- a/hosts/bicep/configuration.nix
+++ b/hosts/bicep/configuration.nix
@@ -7,10 +7,11 @@
    (fp /misc/metrics-exporters.nix)
    ./services/nginx
    ./services/calendar-bot.nix
    ./services/git-mirrors
    ./services/minecraft-heatmap.nix
    ./services/mysql.nix
    ./services/postgres.nix
    ./services/mysql.nix
    ./services/calendar-bot.nix
    ./services/matrix
  ];
--- a/hosts/bicep/services/git-mirrors/default.nix
+++ b/hosts/bicep/services/git-mirrors/default.nix
@@ -0,0 +1,100 @@
 { config, pkgs, lib, fp, ... }:
 let
  cfg = config.services.gickup;
 in
 {
  sops.secrets."gickup/github-token" = {
    owner = "gickup";
  };
  services.gickup = {
    enable = true;
    dataDir = "/data/gickup";
    destinationSettings = {
      structured = true;
      zip = false;
      keep = 10;
      bare = true;
      lfs = false;
    };
    instances = let
      defaultGithubConfig = {
        settings.token_file = config.sops.secrets."gickup/github-token".path;
      };
      defaultGitlabConfig = {
        # settings.token_file = ...
      };
    in {
      "github:Git-Mediawiki/Git-Mediawiki" = defaultGithubConfig;
      "github:NixOS/nixpkgs" = defaultGithubConfig;
      "github:go-gitea/gitea" = defaultGithubConfig;
      "github:heimdal/heimdal" = defaultGithubConfig;
      "github:saltstack/salt" = defaultGithubConfig;
      "github:typst/typst" = defaultGithubConfig;
      "github:unmojang/FjordLauncher" = defaultGithubConfig;
      "github:unmojang/drasl" = defaultGithubConfig;
      "github:yushijinhun/authlib-injector" = defaultGithubConfig;
      "gitlab:mx-puppet/discord/better-discord.js" = defaultGitlabConfig;
      "gitlab:mx-puppet/discord/discord-markdown" = defaultGitlabConfig;
      "gitlab:mx-puppet/discord/matrix-discord-parser" = defaultGitlabConfig;
      "gitlab:mx-puppet/discord/mx-puppet-discord" = defaultGitlabConfig;
      "gitlab:mx-puppet/mx-puppet-bridge" = defaultGitlabConfig;
      "any:glibc" = {
        settings.url = "https://sourceware.org/git/glibc.git";
      };
      "any:out-of-your-element" = {
        settings.url = "https://gitdab.com/cadence/out-of-your-element.git";
      };
      "any:out-of-your-element-module" = {
        settings.url = "https://cgit.rory.gay/nix/OOYE-module.git";
      };
    };
  };
  services.cgit = let
    domain = "mirrors.pvv.ntnu.no";
  in {
    ${domain} = {
      enable = true;
      package = pkgs.callPackage (fp /packages/cgit.nix) { };
      group = "gickup";
      scanPath = "${cfg.dataDir}/linktree";
      settings = {
        enable-commit-graph = true;
        enable-follow-links = true;
        enable-http-clone = true;
        enable-remote-branches = true;
        clone-url = "https://${domain}/$CGIT_REPO_URL";
        remove-suffix = true;
        root-title = "PVVSPPP";
        root-desc = "PVV Speiler Praktisk og Prominent Programvare";
        snapshots = "all";
        logo = "/PVV-logo.png";
      };
    };
  };
  services.nginx.virtualHosts."mirrors.pvv.ntnu.no" = {
    forceSSL = true;
    enableACME = true;
    locations."= /PVV-logo.png".alias = let
      small-pvv-logo = pkgs.runCommandLocal "pvv-logo-96x96" {
        nativeBuildInputs = [ pkgs.imagemagick ];
      } ''
        magick '${fp /assets/logo_blue_regular.svg}' -resize 96x96 PNG:"$out"
      '';
    in toString small-pvv-logo;
  };
  systemd.services."fcgiwrap-cgit-mirrors.pvv.ntnu.no" = {
    serviceConfig.BindReadOnlyPaths = [ cfg.dataDir ];
  };
 }
--- a/hosts/bicep/services/matrix/coturn.nix
+++ b/hosts/bicep/services/matrix/coturn.nix
@@ -48,6 +48,9 @@
  users.users.turnserver.extraGroups = [ "acme" ];
  # It needs this to be allowed to access the files with the acme group
  systemd.services.coturn.serviceConfig.PrivateUsers = lib.mkForce false;
  systemd.services."acme-${config.services.coturn.realm}".serviceConfig = {
    AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
  };
@@ -66,7 +69,7 @@
    listening-ips = [
      values.services.turn.ipv4
-      # values.services.turn.ipv6
+      values.services.turn.ipv6
    ];
    tls-listening-port = 443;
--- a/hosts/bicep/services/matrix/default.nix
+++ b/hosts/bicep/services/matrix/default.nix
@@ -9,7 +9,8 @@
    ./coturn.nix
    ./mjolnir.nix
-    ./discord.nix
+    # ./discord.nix
    ./out-of-your-element.nix
    ./hookshot
  ];
--- a/hosts/bicep/services/matrix/discord.nix
+++ b/hosts/bicep/services/matrix/discord.nix
@@ -45,7 +45,7 @@ in
  };
-  services.mx-puppet-discord.enable = true;
+  services.mx-puppet-discord.enable = false;
  services.mx-puppet-discord.settings = {
    bridge = {
      bindAddress = "localhost";
--- a/hosts/bicep/services/matrix/hookshot/default.nix
+++ b/hosts/bicep/services/matrix/hookshot/default.nix
@@ -6,10 +6,6 @@ let
  webhookListenPort = 8435;
 in
 {
  imports = [
    ./module.nix
  ];
  sops.secrets."matrix/hookshot/as_token" = {
    sopsFile = fp /secrets/bicep/matrix.yaml;
    key = "hookshot/as_token";
@@ -81,14 +77,14 @@ in
        outbound = true;
        urlPrefix = "https://hookshot.pvv.ntnu.no/webhook/";
        userIdPrefix = "_webhooks_";
-        allowJsTransformationFunctions = false;
+        allowJsTransformationFunctions = true;
        waitForComplete = false;
      };
      feeds = {
        enabled = true;
        pollIntervalSeconds = 600;
      };
-      
+
      serviceBots = [
        { localpart = "bot_feeds";
          displayname = "Aya";
@@ -98,6 +94,11 @@ in
        }
      ];
      widgets = {
        roomSetupWidget.addOnInvite = false;
        publicUrl = "https://hookshot.pvv.ntnu.no/widgetapi/v1/static";
      };
      permissions = [
        # Users of the PVV Server
        { actor = "pvv.ntnu.no";
@@ -132,6 +133,7 @@ in
  services.nginx.virtualHosts."hookshot.pvv.ntnu.no" = {
    enableACME = true;
    addSSL = true;
    locations."/" = {
      proxyPass = "http://${webhookListenAddress}:${toString webhookListenPort}";
    };
--- a/hosts/bicep/services/matrix/hookshot/module.nix
+++ b/hosts/bicep/services/matrix/hookshot/module.nix
@@ -1,127 +0,0 @@
 {
  config,
  pkgs,
  lib,
  ...
 }:
 let
  cfg = config.services.matrix-hookshot;
  settingsFormat = pkgs.formats.yaml { };
  configFile = settingsFormat.generate "matrix-hookshot-config.yml" cfg.settings;
 in
 {
  options = {
    services.matrix-hookshot = {
      enable = lib.mkEnableOption "matrix-hookshot, a bridge between Matrix and project management services";
      package = lib.mkPackageOption pkgs "matrix-hookshot" { };
      registrationFile = lib.mkOption {
        type = lib.types.path;
        description = ''
          Appservice registration file.
          As it contains secret tokens, you may not want to add this to the publicly readable Nix store.
        '';
        example = lib.literalExpression ''
          pkgs.writeText "matrix-hookshot-registration" \'\'
            id: matrix-hookshot
            as_token: aaaaaaaaaa
            hs_token: aaaaaaaaaa
            namespaces:
              rooms: []
              users:
                - regex: "@_webhooks_.*:foobar"
                  exclusive: true
            sender_localpart: hookshot
            url: "http://localhost:9993"
            rate_limited: false
            \'\'
        '';
      };
      settings = lib.mkOption {
        description = ''
          {file}`config.yml` configuration as a Nix attribute set.
          For details please see the [documentation](https://matrix-org.github.io/matrix-hookshot/latest/setup/sample-configuration.html).
        '';
        example = {
          bridge = {
            domain = "example.com";
            url = "http://localhost:8008";
            mediaUrl = "https://example.com";
            port = 9993;
            bindAddress = "127.0.0.1";
          };
          listeners = [
            {
              port = 9000;
              bindAddress = "0.0.0.0";
              resources = [ "webhooks" ];
            }
            {
              port = 9001;
              bindAddress = "localhost";
              resources = [
                "metrics"
                "provisioning"
              ];
            }
          ];
        };
        default = { };
        type = lib.types.submodule {
          freeformType = settingsFormat.type;
          options = {
            passFile = lib.mkOption {
              type = lib.types.path;
              default = "/var/lib/matrix-hookshot/passkey.pem";
              description = ''
                A passkey used to encrypt tokens stored inside the bridge.
                File will be generated if not found.
              '';
            };
          };
        };
      };
      serviceDependencies = lib.mkOption {
        type = with lib.types; listOf str;
        default = lib.optional config.services.matrix-synapse.enable config.services.matrix-synapse.serviceUnit;
        defaultText = lib.literalExpression ''
          lib.optional config.services.matrix-synapse.enable config.services.matrix-synapse.serviceUnit
        '';
        description = ''
          List of Systemd services to require and wait for when starting the application service,
          such as the Matrix homeserver if it's running on the same host.
        '';
      };
    };
  };
  config = lib.mkIf cfg.enable {
    systemd.services.matrix-hookshot = {
      description = "a bridge between Matrix and multiple project management services";
      wantedBy = [ "multi-user.target" ];
      wants = [ "network-online.target" ] ++ cfg.serviceDependencies;
      after = [ "network-online.target" ] ++ cfg.serviceDependencies;
      preStart = ''
        if [ ! -f '${cfg.settings.passFile}' ]; then
          mkdir -p $(dirname '${cfg.settings.passFile}')
          ${pkgs.openssl}/bin/openssl genpkey -out '${cfg.settings.passFile}' -outform PEM -algorithm RSA -pkeyopt rsa_keygen_bits:4096
        fi
      '';
      serviceConfig = {
        Type = "simple";
        Restart = "always";
        ExecStart = "${cfg.package}/bin/matrix-hookshot ${configFile} ${cfg.registrationFile}";
      };
    };
  };
  meta.maintainers = with lib.maintainers; [ flandweber ];
 }
--- a/hosts/bicep/services/matrix/out-of-your-element.nix
+++ b/hosts/bicep/services/matrix/out-of-your-element.nix
@@ -0,0 +1,66 @@
 { config, pkgs, fp, ... }:
 let
  cfg = config.services.matrix-ooye;
 in
 {
  users.groups.keys-matrix-registrations = { };
  sops.secrets = {
    "matrix/ooye/as_token" = {
      sopsFile = fp /secrets/bicep/matrix.yaml;
      key = "ooye/as_token";
    };
    "matrix/ooye/hs_token" = {
      sopsFile = fp /secrets/bicep/matrix.yaml;
      key = "ooye/hs_token";
    };
    "matrix/ooye/discord_token" = {
      sopsFile = fp /secrets/bicep/matrix.yaml;
      key = "ooye/discord_token";
    };
    "matrix/ooye/discord_client_secret" = {
      sopsFile = fp /secrets/bicep/matrix.yaml;
      key = "ooye/discord_client_secret";
    };
  };
  services.matrix-ooye = {
    enable = true;
    homeserver = "https://matrix.pvv.ntnu.no";
    homeserverName = "pvv.ntnu.no";
    discordTokenPath = config.sops.secrets."matrix/ooye/discord_token".path;
    discordClientSecretPath = config.sops.secrets."matrix/ooye/discord_client_secret".path;
    bridgeOrigin = "https://ooye.pvv.ntnu.no";
    enableSynapseIntegration = false;
  };
  systemd.services."matrix-synapse" = {
    after = [
      "matrix-ooye-pre-start.service"
      "network-online.target"
    ];
    requires = [ "matrix-ooye-pre-start.service" ];
    serviceConfig = {
      LoadCredential = [
        "matrix-ooye-registration:/var/lib/matrix-ooye/registration.yaml"
      ];
      ExecStartPre = [
        "+${pkgs.coreutils}/bin/cp /run/credentials/matrix-synapse.service/matrix-ooye-registration ${config.services.matrix-synapse-next.dataDir}/ooye-registration.yaml"
        "+${pkgs.coreutils}/bin/chown matrix-synapse:keys-matrix-registrations ${config.services.matrix-synapse-next.dataDir}/ooye-registration.yaml"
      ];
    };
  };
  services.matrix-synapse-next.settings = {
    app_service_config_files = [
      "${config.services.matrix-synapse-next.dataDir}/ooye-registration.yaml"
    ];
  };
  services.nginx.virtualHosts."ooye.pvv.ntnu.no" = {
    forceSSL = true;
    enableACME = true;
    locations."/".proxyPass = "http://localhost:${cfg.socket}";
  };
 }
--- a/hosts/bicep/services/minecraft-heatmap.nix
+++ b/hosts/bicep/services/minecraft-heatmap.nix
@@ -0,0 +1,49 @@
 { config, lib, pkgs, ... }:
 let
  cfg = config.services.minecraft-heatmap;
 in
 {
  sops.secrets."minecraft-heatmap/ssh-key/private" = {
    mode = "600";
  };
  sops.secrets."minecraft-heatmap/postgres-passwd" = {
    mode = "600";
  };
  services.minecraft-heatmap = {
    enable = true;
    database = {
      host = "postgres.pvv.ntnu.no";
      port = 5432;
      name = "minecraft_heatmap";
      user = "minecraft_heatmap";
      passwordFile = config.sops.secrets."minecraft-heatmap/postgres-passwd".path;
    };
  };
  systemd.services.minecraft-heatmap-ingest-logs = {
    serviceConfig.LoadCredential = [
      "sshkey:${config.sops.secrets."minecraft-heatmap/ssh-key/private".path}"
    ];
    preStart = let
      knownHostsFile = pkgs.writeText "minecraft-heatmap-known-hosts" ''
        innovation.pvv.ntnu.no ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE9O/y5uqcLKCodg2Q+XfZPH/AoUIyBlDhigImU+4+Kn
        innovation.pvv.ntnu.no ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQClR9GvWeVPZHudlnFXhGHUX5sGX9nscsOsotnlQ4uVuGsgvRifsVsuDULlAFXwoV1tYp4vnyXlsVtMddpLI5ANOIDcZ4fgDxpfSQmtHKssNpDcfMhFJbfRVyacipjA4osxTxvLox/yjtVt+URjTHUA1MWzEwc26KfiOvWO5tCBTan7doN/4KOyT05GwBxwzUAwUmoGTacIITck2Y9qp4+xFYqehbXqPdBb15hFyd38OCQhtU1hWV2Yi18+hJ4nyjc/g5pr6mW09ULlFghe/BaTUXrTisYC6bMcJZsTDwsvld9581KPvoNZOTQhZPTEQCZZ1h54fe0ZHuveVB3TIHovZyjoUuaf4uiFOjJVaKRB+Ig+Il6r7tMUn9CyHtus/Nd86E0TFBzoKxM0OFu88oaUlDtZVrUJL5En1lGoimajebb1JPxllFN5hqIT+gVyMY6nRzkcfS7ieny/U4rzXY2rfz98selftgh3LsBywwADv65i+mPw1A/1QdND1R6fV4U=
        innovation.pvv.ntnu.no ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNjl3HfsDqmALWCL9uhz9k93RAD2565ndBqUh4N/rvI7MCwEJ6iRCdDev0YzB1Fpg24oriyYoxZRP24ifC2sQf8=
      '';
    in ''
      mkdir -p '${cfg.minecraftLogsDir}'
      "${lib.getExe pkgs.rsync}" \
      --archive \
      --verbose \
      --progress \
      --no-owner \
      --no-group \
      --rsh="${pkgs.openssh}/bin/ssh -o UserKnownHostsFile=\"${knownHostsFile}\" -i \"$CREDENTIALS_DIRECTORY\"/sshkey" \
      root@innovation.pvv.ntnu.no:/ \
      '${cfg.minecraftLogsDir}'/
    '';
  };
 }
--- a/hosts/bob/configuration.nix
+++ b/hosts/bob/configuration.nix
@@ -1,46 +0,0 @@
 { config, fp, pkgs, values, ... }:
 {
  imports = [
      # Include the results of the hardware scan.
      ./hardware-configuration.nix
      (fp /base)
      (fp /misc/metrics-exporters.nix)
      ./disks.nix
      (fp /misc/builder.nix)
    ];
  sops.defaultSopsFile = fp /secrets/bob/bob.yaml;
  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
  sops.age.keyFile = "/var/lib/sops-nix/key.txt";
  sops.age.generateKey = true;
  boot.loader.grub = {
    enable = true;
    efiSupport = true;
    efiInstallAsRemovable = true;
  };
  networking.hostName = "bob"; # Define your hostname.
  systemd.network.networks."30-all" = values.defaultNetworkConfig // {
    matchConfig.Name = "en*";
    DHCP = "yes";
    gateway = [ ];
  };
  # List packages installed in system profile
  environment.systemPackages = with pkgs; [
  ];
  # List services that you want to enable:
  # This value determines the NixOS release from which the default
  # settings for stateful data, like file locations and database versions
  # on your system were taken. It‘s perfectly fine and recommended to leave
  # this value at the release version of the first install of this system.
  # Before changing this value read the documentation for this option
  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
  system.stateVersion = "23.05"; # Did you read the comment?
 }
--- a/hosts/bob/disks.nix
+++ b/hosts/bob/disks.nix
@@ -1,39 +0,0 @@
 # Example to create a bios compatible gpt partition
 { lib, ... }:
 {
  disko.devices = {
    disk.disk1 = {
      device = lib.mkDefault "/dev/sda";
      type = "disk";
      content = {
        type = "gpt";
        partitions = {
          boot = {
            name = "boot";
            size = "1M";
            type = "EF02";
          };
          esp = {
            name = "ESP";
            size = "500M";
            type = "EF00";
            content = {
              type = "filesystem";
              format = "vfat";
              mountpoint = "/boot";
            };
          };
          root = {
            name = "root";
            size = "100%";
            content = {
              type = "filesystem";
              format = "ext4";
              mountpoint = "/";
            };
          };
        };
      };
    };
  };
 }
--- a/hosts/georg/configuration.nix
+++ b/hosts/georg/configuration.nix
@@ -25,6 +25,26 @@
  # List services that you want to enable:
  services.spotifyd = {
    enable = true;
    settings.global = {
      device_name = "georg";
      use_mpris = false;
      #dbus_type = "system";
      #zeroconf_port = 1234;
    };
  };
  networking.firewall.allowedTCPPorts = [
    # config.services.spotifyd.settings.zeroconf_port
    5353 # spotifyd is its own mDNS service wtf
  ];
  # This value determines the NixOS release from which the default
  # settings for stateful data, like file locations and database versions
  # on your system were taken. It‘s perfectly fine and recommended to leave
--- a/hosts/ildkule/services/monitoring/dashboards/gitea-dashboard.json
+++ b/hosts/ildkule/services/monitoring/dashboards/gitea-dashboard.json
@@ -1539,8 +1539,8 @@
    ]
  },
  "timezone": "browser",
-  "title": "Gitea Dashbaord",
+  "title": "Gitea Dashboard",
  "uid": "nNq1Iw5Gz",
  "version": 29,
  "weekStart": ""
-}
+}
--- a/hosts/ildkule/services/monitoring/grafana.nix
+++ b/hosts/ildkule/services/monitoring/grafana.nix
@@ -56,13 +56,12 @@ in {
          url = "https://raw.githubusercontent.com/matrix-org/synapse/develop/contrib/grafana/synapse.json";
          options.path = dashboards/synapse.json;
        }
-        # TODO: enable once https://github.com/NixOS/nixpkgs/pull/242365 gets merged
+        {
-        # {
+          name = "MySQL";
-        #   name = "MySQL";
+          type = "file";
-        #   type = "file";
+          url = "https://raw.githubusercontent.com/prometheus/mysqld_exporter/main/mysqld-mixin/dashboards/mysql-overview.json";
-        #   url = "https://raw.githubusercontent.com/prometheus/mysqld_exporter/main/mysqld-mixin/dashboards/mysql-overview.json";
+          options.path = dashboards/mysql.json;
-        #   options.path = dashboards/mysql.json;
+        }
        # }
        {
          name = "Postgresql";
          type = "file";
@@ -76,10 +75,10 @@ in {
          options.path = dashboards/go-processes.json;
        }
        {
-          name = "Gitea Dashbaord";
+          name = "Gitea Dashboard";
          type = "file";
          url = "https://grafana.com/api/dashboards/17802/revisions/3/download";
-          options.path = dashboards/gitea-dashbaord.json;
+          options.path = dashboards/gitea-dashboard.json;
        }
      ];
--- a/hosts/ildkule/services/monitoring/prometheus/default.nix
+++ b/hosts/ildkule/services/monitoring/prometheus/default.nix
@@ -2,12 +2,12 @@
  stateDir = "/data/monitoring/prometheus";
 in {
  imports = [
    ./exim.nix
    ./gitea.nix
    ./matrix-synapse.nix
    # TODO: enable once https://github.com/NixOS/nixpkgs/pull/242365 gets merged
    # ./mysqld.nix
    ./postgres.nix
    ./machines.nix
    ./matrix-synapse.nix
    ./mysqld.nix
    ./postgres.nix
  ];
  services.prometheus = {
--- a/hosts/ildkule/services/monitoring/prometheus/exim.nix
+++ b/hosts/ildkule/services/monitoring/prometheus/exim.nix
@@ -0,0 +1,14 @@
 { ... }:
 {
  services.prometheus = {
    scrapeConfigs = [
      {
        job_name = "exim";
        scrape_interval = "15s";
        static_configs = [{
          targets = [ "microbel.pvv.ntnu.no:9636" ];
        }];
      }
    ];
  };
 }
--- a/hosts/ildkule/services/monitoring/prometheus/machines.nix
+++ b/hosts/ildkule/services/monitoring/prometheus/machines.nix
@@ -1,54 +1,37 @@
 { config, ... }: let
  cfg = config.services.prometheus;
  mkHostScrapeConfig = name: ports: {
    labels.hostname = name;
    targets = map (port: "${name}.pvv.ntnu.no:${toString port}") ports;
  };
  defaultNodeExporterPort = 9100;
  defaultSystemdExporterPort = 9101;
  defaultNixosExporterPort = 9102;
 in {
  services.prometheus.scrapeConfigs = [{
    job_name = "base_info";
    static_configs = [
-      { labels.hostname = "ildkule";
+      (mkHostScrapeConfig "ildkule" [ cfg.exporters.node.port cfg.exporters.systemd.port defaultNixosExporterPort ])
-        targets = [
+
-          "ildkule.pvv.ntnu.no:${toString cfg.exporters.node.port}"
+      (mkHostScrapeConfig "bekkalokk" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
-          "ildkule.pvv.ntnu.no:${toString cfg.exporters.systemd.port}"
+      (mkHostScrapeConfig "bicep" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
-        ];
+      (mkHostScrapeConfig "brzeczyszczykiewicz" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
-      }
+      (mkHostScrapeConfig "georg" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
-      { labels.hostname = "bekkalokk";
+      (mkHostScrapeConfig "kommode" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
-        targets = [
+      (mkHostScrapeConfig "ustetind" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
-          "bekkalokk.pvv.ntnu.no:9100"
+      (mkHostScrapeConfig "wenche" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
-          "bekkalokk.pvv.ntnu.no:9101"
+
-        ];
+      (mkHostScrapeConfig "lupine-1" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
-      }
+      # (mkHostScrapeConfig "lupine-2" [ defaultNodeExporterPort defaultSystemdExporterPort ])
-      { labels.hostname = "bicep";
+      (mkHostScrapeConfig "lupine-3" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
-        targets = [
+      (mkHostScrapeConfig "lupine-4" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
-          "bicep.pvv.ntnu.no:9100"
+      (mkHostScrapeConfig "lupine-5" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
-          "bicep.pvv.ntnu.no:9101"
+
-        ];
+      (mkHostScrapeConfig "hildring" [ defaultNodeExporterPort ])
-      }
+      (mkHostScrapeConfig "isvegg" [ defaultNodeExporterPort ])
-      { labels.hostname = "brzeczyszczykiewicz";
+      (mkHostScrapeConfig "microbel" [ defaultNodeExporterPort ])
        targets = [
          "brzeczyszczykiewicz.pvv.ntnu.no:9100"
          "brzeczyszczykiewicz.pvv.ntnu.no:9101"
        ];
      }
      { labels.hostname = "georg";
        targets = [
          "georg.pvv.ntnu.no:9100"
          "georg.pvv.ntnu.no:9101"
        ];
      }
      { labels.hostname =  "hildring";
        targets = [
          "hildring.pvv.ntnu.no:9100"
        ];
      }
      { labels.hostname =  "isvegg";
        targets = [
          "isvegg.pvv.ntnu.no:9100"
        ];
      }
      { labels.hostname =  "microbel";
        targets = [
          "microbel.pvv.ntnu.no:9100"
        ];
      }
    ];
  }];
 }
--- a/hosts/ildkule/services/monitoring/prometheus/mysqld.nix
+++ b/hosts/ildkule/services/monitoring/prometheus/mysqld.nix
@@ -1,7 +1,22 @@
 { config, ... }: let
  cfg = config.services.prometheus;
 in {
-  sops.secrets."config/mysqld_exporter" = { };
+  sops = {
    secrets."config/mysqld_exporter_password" = { };
    templates."mysqld_exporter.conf" = {
      restartUnits = [ "prometheus-mysqld-exporter.service" ];
      content = let
        inherit (config.sops) placeholder;
      in ''
        [client]
        host = bicep.pvv.ntnu.no
        port = 3306
        user = prometheus_mysqld_exporter
        password = ${placeholder."config/mysqld_exporter_password"}
      '';
    };
  };
  services.prometheus = {
    scrapeConfigs = [{
@@ -19,7 +34,7 @@ in {
    exporters.mysqld = {
      enable = true;
-      configFilePath = config.sops.secrets."config/mysqld_exporter".path;
+      configFile = config.sops.templates."mysqld_exporter.conf".path;
    };
  };
 }
--- a/hosts/kommode/configuration.nix
+++ b/hosts/kommode/configuration.nix
@@ -0,0 +1,34 @@
 { pkgs, values, fp, ... }:
 {
  imports = [
    # Include the results of the hardware scan.
    ./hardware-configuration.nix
    (fp /base)
    (fp /misc/metrics-exporters.nix)
    ./services/gitea
    ./services/nginx.nix
  ];
  sops.defaultSopsFile = fp /secrets/kommode/kommode.yaml;
  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
  sops.age.keyFile = "/var/lib/sops-nix/key.txt";
  sops.age.generateKey = true;
  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;
  networking.hostName = "kommode"; # Define your hostname.
  systemd.network.networks."30-ens18" = values.defaultNetworkConfig // {
    matchConfig.Name = "ens18";
    address = with values.hosts.kommode; [ (ipv4 + "/25") (ipv6 + "/64") ];
  };
  services.btrfs.autoScrub.enable = true;
  environment.systemPackages = with pkgs; [];
  system.stateVersion = "24.11";
 }
--- a/hosts/kvernberg/hardware-configuration.nix
+++ b/hosts/kvernberg/hardware-configuration.nix
@@ -13,7 +13,20 @@
  boot.kernelModules = [ ];
  boot.extraModulePackages = [ ];
-  swapDevices = [ ];
+  fileSystems."/" =
    { device = "/dev/disk/by-uuid/d421538f-a260-44ae-8e03-47cac369dcc1";
      fsType = "btrfs";
    };
  fileSystems."/boot" =
    { device = "/dev/disk/by-uuid/86CD-4C23";
      fsType = "vfat";
      options = [ "fmask=0077" "dmask=0077" ];
    };
  swapDevices =
    [ { device = "/dev/disk/by-uuid/4cfbb41e-801f-40dd-8c58-0a0c1a6025f6"; }
    ];
  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
  # (the default) this is the recommended approach. When using systemd-networkd it's
--- a/hosts/kommode/services/gitea/customization/default.nix
+++ b/hosts/kommode/services/gitea/customization/default.nix
@@ -0,0 +1,57 @@
 { config, pkgs, lib, fp, ... }:
 let
  cfg = config.services.gitea;
 in
 {
  services.gitea-themes = {
    monokai = pkgs.gitea-theme-monokai;
    earl-grey = pkgs.gitea-theme-earl-grey;
    pitch-black = pkgs.gitea-theme-pitch-black;
    catppuccin = pkgs.gitea-theme-catppuccin;
  };
  systemd.services.gitea-customization = lib.mkIf cfg.enable {
    description = "Install extra customization in gitea's CUSTOM_DIR";
    wantedBy = [ "gitea.service" ];
    requiredBy = [ "gitea.service" ];
    serviceConfig =  {
      Type = "oneshot";
      User = cfg.user;
      Group = cfg.group;
    };
    script = let
      logo-svg = fp /assets/logo_blue_regular.svg;
      logo-png = fp /assets/logo_blue_regular.png;
      extraLinks = pkgs.writeText "gitea-extra-links.tmpl" ''
        <a class="item" href="https://www.pvv.ntnu.no/">PVV</a>
        <a class="item" href="https://wiki.pvv.ntnu.no/">Wiki</a>
        <a class="item" href="https://git.pvv.ntnu.no/Drift/-/projects/4">Tokyo Drift Issues</a>
      '';
      project-labels = (pkgs.formats.yaml { }).generate "gitea-project-labels.yaml" {
        labels = lib.importJSON ./labels/projects.json;
      };
      customTemplates = pkgs.runCommandLocal "gitea-templates" {
        nativeBuildInputs = with pkgs; [
          coreutils
          gnused
        ];
      } ''
        # Bigger icons
        install -Dm444 "${cfg.package.src}/templates/repo/icon.tmpl" "$out/repo/icon.tmpl"
        sed -i -e 's/24/48/g' "$out/repo/icon.tmpl"
      '';
    in ''
      install -Dm444 ${logo-svg} ${cfg.customDir}/public/assets/img/logo.svg
      install -Dm444 ${logo-png} ${cfg.customDir}/public/assets/img/logo.png
      install -Dm444 ${./loading.apng} ${cfg.customDir}/public/assets/img/loading.png
      install -Dm444 ${extraLinks} ${cfg.customDir}/templates/custom/extra_links.tmpl
      install -Dm444 ${project-labels} ${cfg.customDir}/options/label/project-labels.yaml
      "${lib.getExe pkgs.rsync}" -a "${customTemplates}/" ${cfg.customDir}/templates/
    '';
  };
 }
--- a/hosts/kommode/services/gitea/customization/labels/projects.json
+++ b/hosts/kommode/services/gitea/customization/labels/projects.json
@@ -0,0 +1,116 @@
 [
  {
    "name": "art",
    "exclusive": false,
    "color": "#006b75",
    "description": "Requires some creativity"
  },
  {
    "name": "big",
    "exclusive": false,
    "color": "#754bc4",
    "description": "This is gonna take a while"
  },
  {
    "name": "blocked",
    "exclusive": false,
    "color": "#850021",
    "description": "This issue/PR depends on one or more other issues/PRs"
  },
  {
    "name": "bug",
    "exclusive": false,
    "color": "#f05048",
    "description": "Something brokey"
  },
  {
    "name": "ci-cd",
    "exclusive": false,
    "color": "#d1ff78",
    "description": "Continuous integrals and continuous derivation"
  },
  {
    "name": "crash report",
    "exclusive": false,
    "color": "#ed1111",
    "description": "Report an oopsie"
  },
  {
    "name": "disputed",
    "exclusive": false,
    "color": "#5319e7",
    "description": "Kranglefanter"
  },
  {
    "name": "documentation",
    "exclusive": false,
    "color": "#fbca04",
    "description": "Documentation changes required"
  },
  {
    "name": "duplicate",
    "exclusive": false,
    "color": "#cccccc",
    "description": "This issue or pull request already exists"
  },
  {
    "name": "feature request",
    "exclusive": false,
    "color": "#0052cc",
    "description": ""
  },
  {
    "name": "good first issue",
    "exclusive": false,
    "color": "#009800",
    "description": "Get your hands dirty with a new project here"
  },
  {
    "name": "me gusta",
    "exclusive": false,
    "color": "#30ff36",
    "description": "( ͡° ͜ʖ ͡°)"
  },
  {
    "name": "packaging",
    "exclusive": false,
    "color": "#bf642b",
    "description": ""
  },
  {
    "name": "question",
    "exclusive": false,
    "color": "#cc317c",
    "description": ""
  },
  {
    "name": "security",
    "exclusive": false,
    "color": "#ed1111",
    "description": "Skommel"
  },
  {
    "name": "techdebt spring cleaning",
    "exclusive": false,
    "color": "#8c6217",
    "description": "The code is smelly 👃"
  },
  {
    "name": "testing",
    "exclusive": false,
    "color": "#52b373",
    "description": "Poke it and see if it explodes"
  },
  {
    "name": "ui/ux",
    "exclusive": false,
    "color": "#f28852",
    "description": "User complaints about ergonomics and economics and whatever"
  },
  {
    "name": "wontfix",
    "exclusive": false,
    "color": "#ffffff",
    "description": "Nei, vil ikke"
  }
 ]
--- a/hosts/kommode/services/gitea/customization/loading.apng
+++ b/hosts/kommode/services/gitea/customization/loading.apng
--- a/hosts/bekkalokk/services/gitea/default.nix
+++ b/hosts/bekkalokk/services/gitea/default.nix
@@ -1,30 +1,35 @@
-{ config, values, fp, pkgs, lib, ... }:
+{ config, values, lib, pkgs, unstablePkgs, ... }:
 let
  cfg = config.services.gitea;
  domain = "git.pvv.ntnu.no";
  sshPort  = 2222;
 in {
  imports = [
-    ./ci.nix
+    ./customization
    ./gpg.nix
    ./import-users
    ./web-secret-provider
  ];
-  sops.secrets = {
+  sops.secrets = let
-    "gitea/database" = {
+    defaultConfig = {
      owner = "gitea";
      group = "gitea";
    };
    "gitea/email-password" = {
      owner = "gitea";
      group = "gitea";
    };
  in {
    "gitea/database" = defaultConfig;
    "gitea/email-password" = defaultConfig;
    "gitea/lfs-jwt-secret" = defaultConfig;
    "gitea/oauth2-jwt-secret" = defaultConfig;
    "gitea/secret-key" = defaultConfig;
  };
  services.gitea = {
    enable = true;
    appName = "PVV Git";
    package = unstablePkgs.gitea;
    database = {
      type = "postgres";
      host = "postgres.pvv.ntnu.no";
@@ -42,9 +47,19 @@ in {
        ROOT_URL = "https://${domain}/";
        PROTOCOL = "http+unix";
        SSH_PORT = sshPort;
        LANDING_PAGE = "explore";
        START_SSH_SERVER = true;
        START_LFS_SERVER = true;
-        LANDING_PAGE = "explore";
+        LFS_JWT_SECRET = lib.mkForce "";
        LFS_JWT_SECRET_URI = "file:${config.sops.secrets."gitea/lfs-jwt-secret".path}";
      };
      oauth2 = {
        JWT_SECRET = lib.mkForce "";
        JWT_SECRET_URI = "file:${config.sops.secrets."gitea/oauth2-jwt-secret".path}";
      };
      "git.timeout" = {
        MIGRATE = 3600;
        MIRROR = 1800;
      };
      mailer = {
        ENABLED = true;
@@ -68,6 +83,10 @@ in {
      };
      admin.DEFAULT_EMAIL_NOTIFICATIONS = "onmention";
      session.COOKIE_SECURE = true;
      security = {
        SECRET_KEY = lib.mkForce "";
        SECRET_KEY_URI = "file:${config.sops.secrets."gitea/secret-key".path}";
      };
      database.LOG_SQL = false;
      repository = {
        PREFERRED_LICENSES = lib.concatStringsSep "," [
@@ -130,10 +149,27 @@ in {
      };
      "ui.meta".DESCRIPTION = "Bokstavelig talt programvareverkstedet";
    };
    dump = {
      enable = true;
      interval = "weekly";
      type = "tar.gz";
    };
  };
  environment.systemPackages = [ cfg.package ];
  systemd.services.gitea.serviceConfig.Type = lib.mkForce "notify";
  systemd.services.gitea.serviceConfig.WatchdogSec = "60";
  systemd.services.gitea.serviceConfig.CPUSchedulingPolicy = "batch";
  systemd.services.gitea.serviceConfig.CacheDirectory = "gitea/repo-archive";
  systemd.services.gitea.serviceConfig.BindPaths = [
    "%C/gitea/repo-archive:${cfg.stateDir}/data/repo-archive"
  ];
  services.nginx.virtualHosts."${domain}" = {
    forceSSL = true;
    enableACME = true;
@@ -149,6 +185,7 @@ in {
        proxyPass = "http://unix:${cfg.settings.server.HTTP_ADDR}";
        extraConfig = ''
          allow ${values.hosts.ildkule.ipv4}/32;
          allow ${values.hosts.ildkule.ipv6}/128;
          deny all;
        '';
      };
@@ -157,34 +194,30 @@ in {
  networking.firewall.allowedTCPPorts = [ sshPort ];
-  # Extra customization
+  systemd.services.gitea-dump = {
    serviceConfig.ExecStart = let
      args = lib.cli.toGNUCommandLineShell { } {
        type = cfg.dump.type;
-  services.gitea-themes.monokai = pkgs.gitea-theme-monokai;
+        # This should be declarative on nixos, no need to backup.
        skip-custom-dir = true;
-  systemd.services.install-gitea-customization = {
+        # This can be regenerated, no need to backup
-    description = "Install extra customization in gitea's CUSTOM_DIR";
+        skip-index = true;
    wantedBy = [ "gitea.service" ];
    requiredBy = [ "gitea.service" ];
-    serviceConfig =  {
+        # Logs are stored in the systemd journal
-      Type = "oneshot";
+        skip-log = true;
-      User = cfg.user;
+      };
-      Group = cfg.group;
+    in lib.mkForce "${lib.getExe cfg.package} ${args}";
    };
-    script = let
+    # Only keep n backup files at a time
-      logo-svg = fp /assets/logo_blue_regular.svg;
+    postStop = let
-      logo-png = fp /assets/logo_blue_regular.png;
+      cu = prog: "'${lib.getExe' pkgs.coreutils prog}'";
-      extraLinks = pkgs.writeText "gitea-extra-links.tmpl" ''
+      backupCount = 3;
        <a class="item" href="https://www.pvv.ntnu.no/">PVV</a>
        <a class="item" href="https://wiki.pvv.ntnu.no/">Wiki</a>
        <a class="item" href="https://git.pvv.ntnu.no/Drift/-/projects/4">Tokyo Drift Issues</a>
      '';
    in ''
-      install -Dm444 ${logo-svg} ${cfg.customDir}/public/assets/img/logo.svg
+      for file in $(${cu "ls"} -t1 '${cfg.dump.backupDir}' | ${cu "sort"} --reverse | ${cu "tail"} -n+${toString (backupCount + 1)}); do
-      install -Dm444 ${logo-png} ${cfg.customDir}/public/assets/img/logo.png
+        ${cu "rm"} "$file"
-      install -Dm444 ${./loading.apng} ${cfg.customDir}/public/assets/img/loading.png
+      done
-      install -Dm444 ${extraLinks} ${cfg.customDir}/templates/custom/extra_links.tmpl
+      '';
    '';
  };
 }
--- a/hosts/kommode/services/gitea/gpg.nix
+++ b/hosts/kommode/services/gitea/gpg.nix
@@ -0,0 +1,38 @@
 { config, pkgs, lib, ... }:
 let
  cfg = config.services.gitea;
  GNUPGHOME = "${config.users.users.gitea.home}/gnupg";
 in
 {
  sops.secrets."gitea/gpg-signing-key" = {
    owner = cfg.user;
    inherit (cfg) group;
  };
  systemd.services.gitea.environment = { inherit GNUPGHOME; };
  systemd.tmpfiles.settings."20-gitea-gnugpg".${GNUPGHOME}.d = {
    inherit (cfg) user group;
    mode = "700";
  };
  systemd.services.gitea-ensure-gnupg-homedir = {
    description = "Import gpg key for gitea";
    environment = { inherit GNUPGHOME; };
    serviceConfig = {
      Type = "oneshot";
      User = cfg.user;
      PrivateNetwork = true;
    };
    script = ''
      ${lib.getExe pkgs.gnupg} --import ${config.sops.secrets."gitea/gpg-signing-key".path}
    '';
  };
  services.gitea.settings."repository.signing" = {
    SIGNING_KEY = "0549C43374D2253C";
    SIGNING_NAME = "PVV Git";
    SIGNING_EMAIL = "gitea@git.pvv.ntnu.no";
    INITIAL_COMMIT = "always";
  };
 }
--- a/hosts/bekkalokk/services/gitea/import-users/default.nix
+++ b/hosts/bekkalokk/services/gitea/import-users/default.nix
@@ -11,7 +11,8 @@ in
  systemd.services.gitea-import-users = lib.mkIf cfg.enable {
    enable = true;
-    preStart=''${pkgs.rsync}/bin/rsync -e "${pkgs.openssh}/bin/ssh -o UserKnownHostsFile=$CREDENTIALS_DIRECTORY/ssh-known-hosts -i $CREDENTIALS_DIRECTORY/sshkey" -a pvv@smtp.pvv.ntnu.no:/etc/passwd /tmp/passwd-import'';
+    preStart=''${pkgs.rsync}/bin/rsync -e "${pkgs.openssh}/bin/ssh -o UserKnownHostsFile=$CREDENTIALS_DIRECTORY/ssh-known-hosts -i $CREDENTIALS_DIRECTORY/sshkey" -a pvv@smtp.pvv.ntnu.no:/etc/passwd /run/gitea-import-users/passwd'';
    environment.PASSWD_FILE_PATH = "/run/gitea-import-users/passwd";
    serviceConfig = {
      ExecStart = pkgs.writers.writePython3 "gitea-import-users" {
        flakeIgnore = [
@@ -25,6 +26,7 @@ in
      ];
      DynamicUser="yes";
      EnvironmentFile=config.sops.secrets."gitea/import-user-env".path;
      RuntimeDirectory = "gitea-import-users";
    };
  };
--- a/hosts/bekkalokk/services/gitea/import-users/gitea-import-users.py
+++ b/hosts/bekkalokk/services/gitea/import-users/gitea-import-users.py
@@ -17,6 +17,10 @@ GITEA_API_URL = os.getenv('GITEA_API_URL')
 if GITEA_API_URL is None:
    GITEA_API_URL = 'https://git.pvv.ntnu.no/api/v1'
 PASSWD_FILE_PATH = os.getenv('PASSWD_FILE_PATH')
 if PASSWD_FILE_PATH is None:
    PASSWD_FILE_PATH = '/tmp/passwd-import'
 def gitea_list_all_users() -> dict[str, dict[str, any]] | None:
    r = requests.get(
@@ -177,6 +181,7 @@ def ensure_gitea_user_is_part_of_team(
 # List of teams that all users should be part of by default
 COMMON_USER_TEAMS = [
    ("Projects", "Members"),
    ("Grzegorz", "Members"),
    ("Kurs", "Members"),
 ]
@@ -186,7 +191,8 @@ def main():
    if existing_users is None:
        exit(1)
-    for username, name in passwd_file_parser("/tmp/passwd-import"):
+    print(f"Reading passwd entries from {PASSWD_FILE_PATH}")
    for username, name in passwd_file_parser(PASSWD_FILE_PATH):
        print(f"Processing {username}")
        add_or_patch_gitea_user(username, name, existing_users)
        for org, team_name in COMMON_USER_TEAMS:
--- a/hosts/bekkalokk/services/gitea/web-secret-provider/default.nix
+++ b/hosts/bekkalokk/services/gitea/web-secret-provider/default.nix
@@ -3,6 +3,7 @@ let
  organizations = [
    "Drift"
    "Projects"
    "Grzegorz"
    "Kurs"
  ];
@@ -27,6 +28,7 @@ in
  users.users."gitea-web" = {
    group = "gitea-web";
    isSystemUser = true;
    shell = pkgs.bash;
  };
  sops.secrets."gitea/web-secret-provider/token" = {
@@ -58,6 +60,7 @@ in
          key-dir = "/var/lib/gitea-web/keys/%i";
          authorized-keys-path = "/var/lib/gitea-web/authorized_keys.d/%i";
          rrsync-script = pkgs.writeShellScript "rrsync-chown" ''
            mkdir -p "$1"
            ${lib.getExe pkgs.rrsync} -wo "$1"
            ${pkgs.coreutils}/bin/chown -R gitea-web:gitea-web "$1"
          '';
--- a/hosts/bekkalokk/services/gitea/web-secret-provider/gitea-web-secret-provider.py
+++ b/hosts/bekkalokk/services/gitea/web-secret-provider/gitea-web-secret-provider.py
@@ -34,7 +34,21 @@ def get_org_repo_list(args: argparse.Namespace, token: str):
        f"{args.api_url}/orgs/{args.org}/repos",
        headers = { 'Authorization': 'token ' + token },
    )
-    return [repo["name"] for repo in result.json()]
+
    results = [repo["name"] for repo in result.json()]
    target = int(result.headers['X-Total-Count'])
    i = 2
    while len(results) < target:
        result = requests.get(
            f"{args.api_url}/orgs/{args.org}/repos",
            params = { 'page': i },
            headers = { 'Authorization': 'token ' + token },
        )
        results += [repo["name"] for repo in result.json()]
        i += 1
    return results
 def generate_ssh_key(args: argparse.Namespace, repository: str):
--- a/hosts/kvernberg/services/nginx.nix
+++ b/hosts/kvernberg/services/nginx.nix
@@ -1,5 +1,4 @@
-{ config, lib, ... }:
+{ ... }:
 {
  services.nginx.enable = true;
 }
--- a/hosts/kvernberg/configuration.nix
+++ b/hosts/kvernberg/configuration.nix
@@ -1,45 +0,0 @@
 { config, fp, pkgs, values, ... }:
 {
  imports = [
    # Include the results of the hardware scan.
    ./hardware-configuration.nix
    (fp /base)
    (fp /misc/metrics-exporters.nix)
    ./disks.nix
    ./services/nginx.nix
    ./services/pvvvvvv
  ];
  sops.defaultSopsFile = fp /secrets/kvernberg/kvernberg.yaml;
  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
  sops.age.keyFile = "/var/lib/sops-nix/key.txt";
  sops.age.generateKey = true;
  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;
  networking.hostName = "kvernberg"; # Define your hostname.
  systemd.network.networks."30-all" = values.defaultNetworkConfig // {
    matchConfig.Name = "en*";
    address = with values.hosts.kvernberg; [ (ipv4 + "/25") (ipv6 + "/64") ];
  };
  # List packages installed in system profile
  environment.systemPackages = with pkgs; [
  ];
  # No devices with SMART
  services.smartd.enable = false;
  # This value determines the NixOS release from which the default
  # settings for stateful data, like file locations and database versions
  # on your system were taken. It‘s perfectly fine and recommended to leave
  # this value at the release version of the first install of this system.
  # Before changing this value read the documentation for this option
  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
  system.stateVersion = "24.05"; # Did you read the comment?
 }
--- a/hosts/kvernberg/disks.nix
+++ b/hosts/kvernberg/disks.nix
@@ -1,39 +0,0 @@
 # Example to create a bios compatible gpt partition
 { lib, ... }:
 {
  disko.devices = {
    disk.disk1 = {
      device = lib.mkDefault "/dev/sda";
      type = "disk";
      content = {
        type = "gpt";
        partitions = {
          boot = {
            name = "boot";
            size = "1M";
            type = "EF02";
          };
          esp = {
            name = "ESP";
            size = "500M";
            type = "EF00";
            content = {
              type = "filesystem";
              format = "vfat";
              mountpoint = "/boot";
            };
          };
          root = {
            name = "root";
            size = "100%";
            content = {
              type = "filesystem";
              format = "ext4";
              mountpoint = "/";
            };
          };
        };
      };
    };
  };
 }
--- a/hosts/kvernberg/services/pvvvvvv/bank.nix
+++ b/hosts/kvernberg/services/pvvvvvv/bank.nix
@@ -1,51 +0,0 @@
 { config, lib, pkgs, ... }:
 let
  cfg = config.services.libeufin.bank;
  tcfg = config.services.taler;
  inherit (tcfg.settings.taler) CURRENCY;
 in {
  services.libeufin.bank = {
    enable = true;
    debug = true;
    createLocalDatabase = true;
    initialAccounts = [
      { username = "exchange";
        password = "exchange";
        name = "Exchange";
      }
    ];
    settings = {
      libeufin-bank = {
        WIRE_TYPE = "x-taler-bank";
        X_TALER_BANK_PAYTO_HOSTNAME = "bank.kvernberg.pvv.ntnu.no";
        BASE_URL = "bank.kvernberg.pvv.ntnu.no/";
        ALLOW_REGISTRATION = "yes";
        REGISTRATION_BONUS_ENABLED = "yes";
        REGISTRATION_BONUS = "${CURRENCY}:500";
        DEFAULT_DEBT_LIMIT = "${CURRENCY}:0";
        ALLOW_CONVERSION = "no";
        ALLOW_EDIT_CASHOUT_PAYTO_URI = "yes";
        SUGGESTED_WITHDRAWAL_EXCHANGE = "https://exchange.kvernberg.pvv.ntnu.no/";
        inherit CURRENCY;
      };
    };
  };
  services.nginx.virtualHosts."bank.kvernberg.pvv.ntnu.no" = {
    enableACME = true;
    forceSSL = true;
    kTLS = true;
    locations."/" = {
      proxyPass = "http://127.0.0.1:8082";
      extraConfig = ''
         proxy_read_timeout 300s; 
      '';
    };
  };
 }
--- a/hosts/kvernberg/services/pvvvvvv/default.nix
+++ b/hosts/kvernberg/services/pvvvvvv/default.nix
@@ -1,13 +0,0 @@
 {
  imports = [
    ./exchange.nix
    ./bank.nix
  ];
  services.taler = {
    settings = {
      taler.CURRENCY = "SCHPENN";
      taler.CURRENCY_ROUND_UNIT = "${cfg.settings.taler.CURRENCY}:1";
    };
  };
 }
--- a/hosts/kvernberg/services/pvvvvvv/exchange.nix
+++ b/hosts/kvernberg/services/pvvvvvv/exchange.nix
@@ -1,187 +0,0 @@
 { config, lib, fp, pkgs, ... }:
 let
  cfg = config.services.taler;
  inherit (cfg.settings.taler) CURRENCY;
 in {
  sops.secrets.exchange-offline-master = {
    format = "binary";
    sopsFile = fp /secrets/kvernberg/exhange-offline-master.priv;
  };
  services.taler.exchange = {
    enable = true;
    debug = true;
    denominationConfig = ''
      ## Old denomination names cannot be used again
      # [COIN-${CURRENCY}-k1-1-0]
      ## NOK Denominations
      [coin-${CURRENCY}-nok-1-0]
      VALUE = ${CURRENCY}:1
      DURATION_WITHDRAW = 7 days
      DURATION_SPEND = 1 years
      DURATION_LEGAL = 3 years
      FEE_WITHDRAW = ${CURRENCY}:0
      FEE_DEPOSIT = ${CURRENCY}:0
      FEE_REFRESH = ${CURRENCY}:0
      FEE_REFUND = ${CURRENCY}:0
      RSA_KEYSIZE = 2048
      CIPHER = RSA
      [coin-${CURRENCY}-nok-5-0]
      VALUE = ${CURRENCY}:5
      DURATION_WITHDRAW = 7 days
      DURATION_SPEND = 1 years
      DURATION_LEGAL = 3 years
      FEE_WITHDRAW = ${CURRENCY}:0
      FEE_DEPOSIT = ${CURRENCY}:0
      FEE_REFRESH = ${CURRENCY}:0
      FEE_REFUND = ${CURRENCY}:0
      RSA_KEYSIZE = 2048
      CIPHER = RSA
      [coin-${CURRENCY}-nok-10-0]
      VALUE = ${CURRENCY}:10
      DURATION_WITHDRAW = 7 days
      DURATION_SPEND = 1 years
      DURATION_LEGAL = 3 years
      FEE_WITHDRAW = ${CURRENCY}:0
      FEE_DEPOSIT = ${CURRENCY}:0
      FEE_REFRESH = ${CURRENCY}:0
      FEE_REFUND = ${CURRENCY}:0
      RSA_KEYSIZE = 2048
      CIPHER = RSA
      [coin-${CURRENCY}-nok-20-0]
      VALUE = ${CURRENCY}:20
      DURATION_WITHDRAW = 7 days
      DURATION_SPEND = 1 years
      DURATION_LEGAL = 3 years
      FEE_WITHDRAW = ${CURRENCY}:0
      FEE_DEPOSIT = ${CURRENCY}:0
      FEE_REFRESH = ${CURRENCY}:0
      FEE_REFUND = ${CURRENCY}:0
      RSA_KEYSIZE = 2048
      CIPHER = RSA
      [coin-${CURRENCY}-nok-50-0]
      VALUE = ${CURRENCY}:50
      DURATION_WITHDRAW = 7 days
      DURATION_SPEND = 1 years
      DURATION_LEGAL = 3 years
      FEE_WITHDRAW = ${CURRENCY}:0
      FEE_DEPOSIT = ${CURRENCY}:0
      FEE_REFRESH = ${CURRENCY}:0
      FEE_REFUND = ${CURRENCY}:0
      RSA_KEYSIZE = 2048
      CIPHER = RSA
      [coin-${CURRENCY}-nok-100-0]
      VALUE = ${CURRENCY}:100
      DURATION_WITHDRAW = 7 days
      DURATION_SPEND = 1 years
      DURATION_LEGAL = 3 years
      FEE_WITHDRAW = ${CURRENCY}:0
      FEE_DEPOSIT = ${CURRENCY}:0
      FEE_REFRESH = ${CURRENCY}:0
      FEE_REFUND = ${CURRENCY}:0
      RSA_KEYSIZE = 2048
      CIPHER = RSA
      [coin-${CURRENCY}-nok-200-0]
      VALUE = ${CURRENCY}:200
      DURATION_WITHDRAW = 7 days
      DURATION_SPEND = 1 years
      DURATION_LEGAL = 3 years
      FEE_WITHDRAW = ${CURRENCY}:0
      FEE_DEPOSIT = ${CURRENCY}:0
      FEE_REFRESH = ${CURRENCY}:0
      FEE_REFUND = ${CURRENCY}:0
      RSA_KEYSIZE = 2048
      CIPHER = RSA
      [coin-${CURRENCY}-nok-500-0]
      VALUE = ${CURRENCY}:500
      DURATION_WITHDRAW = 7 days
      DURATION_SPEND = 1 years
      DURATION_LEGAL = 3 years
      FEE_WITHDRAW = ${CURRENCY}:0
      FEE_DEPOSIT = ${CURRENCY}:0
      FEE_REFRESH = ${CURRENCY}:0
      FEE_REFUND = ${CURRENCY}:0
      RSA_KEYSIZE = 2048
      CIPHER = RSA
      [coin-${CURRENCY}-nok-1000-0]
      VALUE = ${CURRENCY}:1000
      DURATION_WITHDRAW = 7 days
      DURATION_SPEND = 1 years
      DURATION_LEGAL = 3 years
      FEE_WITHDRAW = ${CURRENCY}:0
      FEE_DEPOSIT = ${CURRENCY}:0
      FEE_REFRESH = ${CURRENCY}:0
      FEE_REFUND = ${CURRENCY}:0
      RSA_KEYSIZE = 2048
      CIPHER = RSA
      ## PVV Special Prices
      # 2024 pizza egenandel
      [coin-${CURRENCY}-pvv-64-0]
      VALUE = ${CURRENCY}:64
      DURATION_WITHDRAW = 7 days
      DURATION_SPEND = 1 years
      DURATION_LEGAL = 3 years
      FEE_WITHDRAW = ${CURRENCY}:0
      FEE_DEPOSIT = ${CURRENCY}:0
      FEE_REFRESH = ${CURRENCY}:0
      FEE_REFUND = ${CURRENCY}:0
      RSA_KEYSIZE = 2048
      CIPHER = RSA
    '';
    settings = {
      exchange = {
        inherit (config.services.taler.settings.taler) CURRENCY CURRENCY_ROUND_UNIT; 
        MASTER_PUBLIC_KEY = "J331T37C8E58P9CVE686P1JFH11DWSRJ3RE4GVDTXKES9M24ERZG";
        BASE_URL = "https://exchange.kvernberg.pvv.ntnu.no/";
        TERMS_DIR = "${./terms}";
        TERMS_ETAG = "0";
        ENABLE_KYC = "NO";
      };
      exchange-offline = {
        MASTER_PRIV_FILE = config.sops.secrets.exchange-offline-master.path;
      };
      exchange-account-test = {
        PAYTO_URI = "payto://x-taler-bank/bank.kvernberg.pvv.ntnu.no/exchange?receiver-name=Exchange";
        ENABLE_DEBIT = "YES";
        ENABLE_CREDIT = "YES";
      };
      exchange-accountcredentials-test = {
        WIRE_GATEWAY_URL = "https://bank.kvernberg.pvv.ntnu.no/accounts/exchange/taler-wire-gateway/";
        WIRE_GATEWAY_AUTH_METHOD = "BASIC";
        USERNAME = "exchange";
        PASSWORD = "exchange";
      };
      "currency-${CURRENCY}" = {
        ENABLED = "YES";
        CODE = "SCHPENN";
        NAME = "SCHPENN";
        FRACTIONAL_NORMAL_DIGITS = 0;
        FRACTIONAL_INPUT_DIGITS = 0;
        FRACTIONAL_TRAILING_ZERO_DIGITS = 0;
        ALT_UNIT_NAMES = "{\"0\": \"S\"}";
      };
    };
  };
  services.nginx.virtualHosts."exchange.kvernberg.pvv.ntnu.no" = {
    enableACME = true;
    forceSSL = true;
    kTLS = true;
    locations."/" = {
      proxyPass = "http://127.0.0.1:8081";
      extraConfig = ''
        proxy_read_timeout 300s;
      '';
    };
  };
 }
--- a/hosts/kvernberg/services/pvvvvvv/terms/en/0.txt
+++ b/hosts/kvernberg/services/pvvvvvv/terms/en/0.txt
@@ -1,147 +0,0 @@
 Terms of Service
 ================
 Last update: 19.11.2024
 ----------------------
 Welcome! A subset of PVVers who cares about Dibbler (“we,” “our,” or “us”) provides a experimental payment service
 through our Internet presence (collectively the “Services”). Before using our
 Services, please read the Terms of Service (the “Terms” or the “Agreement”)
 carefully.
 Overview
 --------
 This section provides a brief summary of the highlights of this
 Agreement. Please note that when you accept this Agreement, you are accepting
 all of the terms and conditions and not just this section. We and possibly
 other third parties provide Internet services which interact with the Taler
 Wallet’s self-hosted personal payment application. When using the Taler Wallet
 to interact with our Services, you are agreeing to our Terms, so please read
 carefully.
 Research
 ----------
 This is research, any dibbler credits sent to the dibbler account could be lost at any time.
 We would make an effort to send the credits back to their canonical owners, but this may be difficult.
 We make no guarantees on the state of this. The dibbler economy is totally unsecured, and so are these services!
 Usage is wholly on your own risk.
 Highlights:
 -----------
 * You are responsible for keeping the data in your Taler Wallet at all times under your control. Any losses arising from you not being in control of your private information are your problem.
 * For our Services, we may charge transaction fees. The specific fee structure is provided based on the Taler protocol and should be shown to you when you withdraw electronic coins using a Taler Wallet. You agree and understand that the Taler protocol allows for the fee structure to change.
 * You agree to not intentionally overwhelm our systems with requests and follow responsible disclosure if you find security issues in our services.
 * We cannot be held accountable for our Services not being available due to circumstances beyond our control. If we modify or terminate our services, we will try to give you the opportunity to recover your funds. However, given the experimental state of the Services today, this may not be possible. You are strongly advised to limit your use of the Service to small-scale experiments expecting total loss of all funds.
 These terms outline approved uses of our Services. The Services and these
 Terms are still at an experimental stage. If you have any questions or
 comments related to this Agreement, please send us a message on IRC, or on our Matrix server.
 If you do not agree to this Agreement, you must not use our Services.
 How you accept this policy
 --------------------------
 By sending funds to us (to top-up your Taler Wallet), you acknowledge that you
 have read, understood, and agreed to these Terms. We reserve the right to
 change these Terms at any time. If you disagree with the change, we may in the
 future offer you with an easy option to recover your unspent funds. However,
 in the current experimental period you acknowledge that this feature is not
 yet available, resulting in your funds being lost unless you accept the new
 Terms. If you continue to use our Services other than to recover your unspent
 funds, your continued use of our Services following any such change will
 signify your acceptance to be bound by the then current Terms. Please check
 the effective date above to determine if there have been any changes since you
 have last reviewed these Terms.
 Services
 --------
 We will try to transfer funds that we hold in escrow for our users to any
 legal recipient to the best of our ability and within the limitations of the
 law and our implementation. However, the Services offered today are highly
 experimental and the set of recipients of funds is severely restricted. The
 Taler Wallet can be loaded by exchanging ordinary dibbler credit for electronic
 coins. We are providing this exchange service. Once your Taler Wallet is
 loaded with electronic coins they can be spent for purchases if the seller is
 accepting Taler as a means of payment. We are not guaranteeing that any seller
 is accepting Taler at all or a particular seller. The seller or recipient of
 deposits of electronic coins must specify the target account, as per the
 design of the Taler protocol. They are responsible for following the protocol
 and specifying the correct dibbler account, and are solely liable for any losses
 that may arise from specifying the wrong account. We will allow the government
 to link wire transfers to the underlying contract hash. It is the
 responsibility of recipients to preserve the full contracts and to pay
 whatever taxes and charges may be applicable. Technical issues may lead to
 situations where we are unable to make transfers at all or lead to incorrect
 transfers that cannot be reversed. We will only refuse to execute transfers if
 the transfers are prohibited by a competent legal authority and we are ordered
 to do so.
 When using our Services, you agree to not take any action that intentionally
 imposes an unreasonable load on our infrastructure. If you find security
 problems in our Services, you agree to first report them to
 security@taler-systems.com and grant us the right to publish your report. We
 warrant that we will ourselves publicly disclose any issues reported within 3
 months, and that we will not prosecute anyone reporting security issues if
 they did not exploit the issue beyond a proof-of-concept, and followed the
 above responsible disclosure practice.
 Fees
 ----
 You agree to pay the fees for exchanges and withdrawals completed via the
 Taler Wallet ("Fees") as defined by us, which we may change from time to
 time.
 Copyrights and trademarks
 -------------------------
 The Taler Wallet is released under the terms of the GNU General Public License
 (GNU GPL). You have the right to access, use, and share the Taler Wallet, in
 modified or unmodified form. However, the GPL is a strong copyleft license,
 which means that any derivative works must be distributed under the same
 license terms as the original software. If you have any questions, you should
 review the GNU GPL’s full terms and conditions on the GNU GPL Licenses page 
 (https://www.gnu.org/licenses/). “Taler” itself is a trademark
 of Taler Systems SA. You are welcome to use the name in relation to processing
 payments based on the Taler protocol, assuming your use is compatible with an
 official release from the GNU Project that is not older than two years.
 Discontinuance of services and Force majeure
 --------------------------------------------
 We may, in our sole discretion and without cost to you, with or without prior
 notice, and at any time, modify or discontinue, temporarily or permanently,
 any portion of our Services. We will use the Taler protocol’s provisions to
 notify Wallets if our Services are to be discontinued. It is your
 responsibility to ensure that the Taler Wallet is online at least once every
 three months to observe these notifications. We shall not be held responsible
 or liable for any loss of funds in the event that we discontinue or depreciate
 the Services and your Taler Wallet fails to transfer out the coins within a
 three months notification period.
 We shall not be held liable for any delays, failure in performance, or
 interruptions of service which result directly or indirectly from any cause or
 condition beyond our reasonable control, including but not limited to: any
 delay or failure due to any act of God, act of civil or military authorities,
 act of terrorism, civil disturbance, war, strike or other labor dispute, fire,
 interruption in telecommunications or Internet services or network provider
 services, failure of equipment and/or software, other catastrophe, or any
 other occurrence which is beyond our reasonable control and shall not affect
 the validity and enforceability of any remaining provisions.
 Questions or comments
 ---------------------
 We welcome comments, questions, concerns, or suggestions. Please send us a
 message via the usual communication channels at PVV
--- a/hosts/lupine/configuration.nix
+++ b/hosts/lupine/configuration.nix
@@ -0,0 +1,35 @@
 { fp, values, lupineName, ... }:
 {
  imports = [
    ./hardware-configuration/${lupineName}.nix
    (fp /base)
    (fp /misc/metrics-exporters.nix)
    ./services/gitea-runner.nix
  ];
  sops.defaultSopsFile = fp /secrets/lupine/lupine.yaml;
  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
  sops.age.keyFile = "/var/lib/sops-nix/key.txt";
  sops.age.generateKey = true;
  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;
  systemd.network.networks."30-enp0s31f6" = values.defaultNetworkConfig // {
    matchConfig.Name = "enp0s31f6";
    address = with values.hosts.${lupineName}; [ (ipv4 + "/25") (ipv6 + "/64") ];
    networkConfig.LLDP = false;
  };
  systemd.network.wait-online = {
    anyInterface = true;
  };
  # There are no smart devices
  services.smartd.enable = false;
  # Do not change, even during upgrades.
  # See https://search.nixos.org/options?show=system.stateVersion
  system.stateVersion = "25.05";
 }
--- a/hosts/lupine/hardware-configuration/lupine-1.nix
+++ b/hosts/lupine/hardware-configuration/lupine-1.nix
@@ -0,0 +1,40 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 { config, lib, pkgs, modulesPath, ... }:
 {
  imports =
    [ (modulesPath + "/installer/scan/not-detected.nix")
    ];
  boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "sd_mod" ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ "kvm-intel" ];
  boot.extraModulePackages = [ ];
  fileSystems."/" =
    { device = "/dev/disk/by-uuid/a949e2e8-d973-4925-83e4-bcd815e65af7";
      fsType = "ext4";
    };
  fileSystems."/boot" =
    { device = "/dev/disk/by-uuid/81D6-38D3";
      fsType = "vfat";
      options = [ "fmask=0077" "dmask=0077" ];
    };
  swapDevices =
    [ { device = "/dev/disk/by-uuid/82c2d7fa-7cd0-4398-8cf6-c892bc56264b"; }
    ];
  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
  # (the default) this is the recommended approach. When using systemd-networkd it's
  # still possible to use this option, but it's recommended to use it in conjunction
  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
  networking.useDHCP = lib.mkDefault true;
  # networking.interfaces.enp0s31f6.useDHCP = lib.mkDefault true;
  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 }
--- a/hosts/lupine/hardware-configuration/lupine-2.nix
+++ b/hosts/lupine/hardware-configuration/lupine-2.nix
@@ -0,0 +1,40 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 { config, lib, pkgs, modulesPath, ... }:
 {
  imports =
    [ (modulesPath + "/installer/scan/not-detected.nix")
    ];
  boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "sd_mod" ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ "kvm-intel" ];
  boot.extraModulePackages = [ ];
  fileSystems."/" =
    { device = "/dev/disk/by-uuid/aa81d439-800b-403d-ac10-9d2aac3619d0";
      fsType = "ext4";
    };
  fileSystems."/boot" =
    { device = "/dev/disk/by-uuid/4A34-6AE5";
      fsType = "vfat";
      options = [ "fmask=0077" "dmask=0077" ];
    };
  swapDevices =
    [ { device = "/dev/disk/by-uuid/efb7cd0c-c1ae-4a86-8bc2-8e7fd0066650"; }
    ];
  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
  # (the default) this is the recommended approach. When using systemd-networkd it's
  # still possible to use this option, but it's recommended to use it in conjunction
  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
  networking.useDHCP = lib.mkDefault true;
  # networking.interfaces.enp0s31f6.useDHCP = lib.mkDefault true;
  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 }
--- a/hosts/lupine/hardware-configuration/lupine-3.nix
+++ b/hosts/lupine/hardware-configuration/lupine-3.nix
@@ -0,0 +1,40 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 { config, lib, pkgs, modulesPath, ... }:
 {
  imports =
    [ (modulesPath + "/installer/scan/not-detected.nix")
    ];
  boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "sd_mod" ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ "kvm-intel" ];
  boot.extraModulePackages = [ ];
  fileSystems."/" =
    { device = "/dev/disk/by-uuid/39ba059b-3205-4701-a832-e72c0122cb88";
      fsType = "ext4";
    };
  fileSystems."/boot" =
    { device = "/dev/disk/by-uuid/63FA-297B";
      fsType = "vfat";
      options = [ "fmask=0077" "dmask=0077" ];
    };
  swapDevices =
    [ { device = "/dev/disk/by-uuid/9c72eb54-ea8c-4b09-808a-8be9b9a33869"; }
    ];
  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
  # (the default) this is the recommended approach. When using systemd-networkd it's
  # still possible to use this option, but it's recommended to use it in conjunction
  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
  networking.useDHCP = lib.mkDefault true;
  # networking.interfaces.enp0s31f6.useDHCP = lib.mkDefault true;
  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 }
--- a/hosts/lupine/hardware-configuration/lupine-4.nix
+++ b/hosts/lupine/hardware-configuration/lupine-4.nix
@@ -5,20 +5,30 @@
 {
  imports =
-    [ (modulesPath + "/profiles/qemu-guest.nix")
+    [ (modulesPath + "/installer/scan/not-detected.nix")
    ];
-  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_blk" ];
+  boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "sd_mod" ];
  boot.initrd.kernelModules = [ ];
-  boot.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" ];
  boot.extraModulePackages = [ ];
  fileSystems."/" =
    { device = "/dev/disk/by-uuid/c7bbb293-a0a3-4995-8892-0ec63e8c67dd";
      fsType = "ext4";
    };
  swapDevices =
    [ { device = "/dev/disk/by-uuid/a86ffda8-8ecb-42a1-bf9f-926072e90ca5"; }
    ];
  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
  # (the default) this is the recommended approach. When using systemd-networkd it's
  # still possible to use this option, but it's recommended to use it in conjunction
  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
  networking.useDHCP = lib.mkDefault true;
-  # networking.interfaces.ens3.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp0s31f6.useDHCP = lib.mkDefault true;
  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 }
--- a/hosts/lupine/hardware-configuration/lupine-5.nix
+++ b/hosts/lupine/hardware-configuration/lupine-5.nix
@@ -0,0 +1,40 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 { config, lib, pkgs, modulesPath, ... }:
 {
  imports =
    [ (modulesPath + "/installer/scan/not-detected.nix")
    ];
  boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "sd_mod" ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ "kvm-intel" ];
  boot.extraModulePackages = [ ];
  fileSystems."/" =
    { device = "/dev/disk/by-uuid/5f8418ad-8ec1-4f9e-939e-f3a4c36ef343";
      fsType = "ext4";
    };
  fileSystems."/boot" =
    { device = "/dev/disk/by-uuid/F372-37DF";
      fsType = "vfat";
      options = [ "fmask=0077" "dmask=0077" ];
    };
  swapDevices =
    [ { device = "/dev/disk/by-uuid/27bf292d-bbb3-48c4-a86e-456e0f1f648f"; }
    ];
  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
  # (the default) this is the recommended approach. When using systemd-networkd it's
  # still possible to use this option, but it's recommended to use it in conjunction
  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
  networking.useDHCP = lib.mkDefault true;
  # networking.interfaces.enp0s31f6.useDHCP = lib.mkDefault true;
  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 }
--- a/hosts/lupine/services/gitea-runner.nix
+++ b/hosts/lupine/services/gitea-runner.nix
@@ -0,0 +1,45 @@
 { config, lupineName, ... }:
 {
  # This is unfortunately state, and has to be generated one at a time :(
  # To do that, comment out all except one of the runners, fill in its token
  # inside the sops file, rebuild the system, and only after this runner has
  # successfully registered will gitea give you the next token.
  # - oysteikt Sep 2023
  sops = {
    secrets."gitea/runners/token" = {
      key = "gitea/runners/${lupineName}";
    };
    templates."gitea-runner-envfile" = {
      restartUnits = [
        "gitea-runner-${lupineName}.service"
      ];
      content = ''
        TOKEN="${config.sops.placeholder."gitea/runners/token"}"
      '';
    };
  };
  services.gitea-actions-runner.instances = {
    ${lupineName} = {
      enable = true;
      name = "git-runner-${lupineName}";
      url = "https://git.pvv.ntnu.no";
      labels = [
        "debian-latest:docker://node:current-bookworm"
        "ubuntu-latest:docker://node:current-bookworm"
      ];
      tokenFile = config.sops.templates."gitea-runner-envfile".path;
    };
  };
  virtualisation.podman = {
    enable = true;
    defaultNetwork.settings.dns_enabled = true;
    autoPrune.enable = true;
  };
  networking.dhcpcd.IPv6rs = false;
  networking.firewall.interfaces."podman+".allowedUDPPorts = [53 5353];
 }
--- a/hosts/ustetind/configuration.nix
+++ b/hosts/ustetind/configuration.nix
@@ -0,0 +1,44 @@
 { config, fp, pkgs, lib, values, ... }:
 {
  imports = [
    (fp /base)
    (fp /misc/metrics-exporters.nix)
    ./services/gitea-runners.nix
  ];
  sops.defaultSopsFile = fp /secrets/ustetind/ustetind.yaml;
  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
  sops.age.keyFile = "/var/lib/sops-nix/key.txt";
  sops.age.generateKey = true;
  networking.hostName = "ustetind";
  networking.useHostResolvConf = lib.mkForce false;
  systemd.network.networks = {
    "30-lxc-eth" = values.defaultNetworkConfig // {
      matchConfig = {
        Type = "ether";
        Kind = "veth";
        Name = [
          "eth*"
        ];
      };
      address = with values.hosts.ustetind; [ (ipv4 + "/25") (ipv6 + "/64") ];
    };
    "40-podman-veth" = values.defaultNetworkConfig // {
      matchConfig = {
        Type = "ether";
        Kind = "veth";
        Name = [
          "veth*"
        ];
      };
      DHCP = "yes";
    };
  };
  system.stateVersion = "24.11";
 }
--- a/hosts/ustetind/services/gitea-runners.nix
+++ b/hosts/ustetind/services/gitea-runners.nix
@@ -15,8 +15,8 @@ let
        enable = true;
        name = "git-runner-${name}"; url = "https://git.pvv.ntnu.no";
        labels = [
-          "debian-latest:docker://node:18-bullseye"
+          "debian-latest:docker://node:current-bookworm"
-          "ubuntu-latest:docker://node:18-bullseye"
+          "ubuntu-latest:docker://node:current-bookworm"
        ];
        tokenFile = config.sops.secrets."gitea/runners/${name}".path;
      };
@@ -27,5 +27,15 @@ lib.mkMerge [
  (mkRunner "alpha")
  (mkRunner "beta")
  (mkRunner "epsilon")
-  { virtualisation.podman.enable = true; }
+  {
    virtualisation.podman = {
      enable = true;
      defaultNetwork.settings.dns_enabled = true;
      autoPrune.enable = true;
    };
    networking.dhcpcd.IPv6rs = false;
    networking.firewall.interfaces."podman+".allowedUDPPorts = [53 5353];
  }
 ]
--- a/hosts/wenche/configuration.nix
+++ b/hosts/wenche/configuration.nix
@@ -0,0 +1,39 @@
 { config, fp, pkgs, values, lib, ... }:
 {
  imports = [
      # Include the results of the hardware scan.
      ./hardware-configuration.nix
      (fp /base)
      (fp /misc/metrics-exporters.nix)
      (fp /misc/builder.nix)
    ];
  sops.defaultSopsFile = fp /secrets/wenche/wenche.yaml;
  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
  sops.age.keyFile = "/var/lib/sops-nix/key.txt";
  sops.age.generateKey = true;
  boot.loader.grub.device = "/dev/sda";
  networking.hostName = "wenche"; # Define your hostname.
  systemd.network.networks."30-ens18" = values.defaultNetworkConfig // {
    matchConfig.Name = "ens18";
    address = with values.hosts.wenche; [ (ipv4 + "/25") (ipv6 + "/64") ];
  };
  hardware.graphics.enable = true;
  services.xserver.videoDrivers = [ "nvidia" ];
  hardware.nvidia = {
    modesetting.enable = true;
    open = false;
    package = config.boot.kernelPackages.nvidiaPackages.production;
  };
  # List packages installed in system profile
  environment.systemPackages = with pkgs; [
  ];
  system.stateVersion = "24.11"; # Did you read the comment?
 }
--- a/hosts/wenche/hardware-configuration.nix
+++ b/hosts/wenche/hardware-configuration.nix
@@ -0,0 +1,27 @@
 { config, lib, pkgs, modulesPath, ... }:
 {
  imports =
    [ (modulesPath + "/profiles/qemu-guest.nix")
    ];
  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ "nvidia"  ];
  boot.extraModulePackages = [ ];
  fileSystems."/" =
    { device = "/dev/disk/by-uuid/4e8ecdd2-d453-4fff-b952-f06da00f3b85";
      fsType = "ext4";
    };
  swapDevices = [ {
    device = "/var/lib/swapfile";
    size = 16*1024;
  } ];
  networking.useDHCP = lib.mkDefault false;
  # networking.interfaces.ens18.useDHCP = lib.mkDefault true;
  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
 }
--- a/57
+++ b/57
@@ -1,25 +1,56 @@
 set positional-arguments # makes variables accesible as $1 $2 $@
 export GUM_FILTER_HEIGHT := "15"
-nom := `if command -v nom >/dev/null; then echo nom; else echo nix; fi`
+nom := `if [[ -t 1 ]] && command -v nom >/dev/null; then echo nom; else echo nix; fi`
 nix_eval_opts := "--log-format raw --option warn-dirty false"
@_default:
  just "$(gum choose --ordered --header "Pick a recipie..." $(just --summary --unsorted))"
-check:
+check *_:
-  nix flake check --keep-going
+  nix flake check --keep-going "$@"
-build-machine machine=`just _a_machine`:
+build-machine machine=`just _a_machine` *_:
-  {{nom}} build .#nixosConfigurations.{{ machine }}.config.system.build.toplevel
+  {{nom}} build .#nixosConfigurations.{{ machine }}.config.system.build.toplevel "${@:2}"
-run-vm machine=`just _a_machine`:
+run-vm machine=`just _a_machine` *_:
-  nixos-rebuild build-vm --flake .#{{ machine }}
+  nixos-rebuild build-vm --flake .#{{ machine }} "${@:2}"
  QEMU_NET_OPTS="hostfwd=tcp::8080-:80,hostfwd=tcp::8081-:443,hostfwd=tcp::2222-:22" ./result/bin/run-*-vm
-@update-inputs:
+@update-inputs *_:
-  nix eval .#inputs --apply builtins.attrNames --json \
+  @git reset flake.lock
-    | jq '.[]' -r \
+  @git restore flake.lock
-    | gum choose --no-limit --height=15 \
+  nix eval {{nix_eval_opts}} --file flake.nix --apply 'x: builtins.attrNames x.inputs' --json \
-    | xargs -L 1 nix flake lock --update-input
+    | { printf "%s\n" --commit-lock-file; jq '.[]' -r | grep -vxF "self" ||:; } \
    | gum choose --no-limit --header "Choose extra arguments:" \
    | tee >(xargs -d'\n' echo + nix flake update "$@" >&2) \
    | xargs -d'\n' nix flake update "$@"
@repl $machine=`just _a_machine` *_:
  set -v; nixos-rebuild --flake .#"$machine" repl "${@:2}"
@eval $machine=`just _a_machine` $attrpath="system.build.toplevel.outPath" *_:
  set -v; nix eval {{nix_eval_opts}} ".#nixosConfigurations.\"$machine\".config.$attrpath" --show-trace "${@:3}"
@eval-vm $machine=`just _a_machine` $attrpath="system.build.toplevel.outPath" *_:
  just eval "$machine" "virtualisation.vmVariant.$attrpath" "${@:3}"
 # helpers
 [no-exit-message]
 _a_machine:
-  nix eval .#nixosConfigurations --apply builtins.attrNames --json | jq .[] -r | gum filter
+  #!/usr/bin/env -S sh -euo pipefail
  machines="$(
    nix eval {{nix_eval_opts}} .#nixosConfigurations --apply builtins.attrNames --json | jq .[] -r
  )"
  [ -n "$machines" ] || { echo >&2 "ERROR: no machines found"; false; }
  if [ -s .direnv/vars/last-machine.txt ]; then
    machines="$(
      grep <<<"$machines" -xF  "$(cat .direnv/vars/last-machine.txt)" ||:
      grep <<<"$machines" -xFv "$(cat .direnv/vars/last-machine.txt)" ||:
    )"
  fi
  choice="$(gum filter <<<"$machines")"
  mkdir -p .direnv/vars
  cat <<<"$choice" >.direnv/vars/last-machine.txt
  cat <<<"$choice"
--- a/keys/oysteikt.pub
+++ b/keys/oysteikt.pub
@@ -8,34 +8,58 @@ FgIDAQACHgECF4AACgkQRrkijoFKKqxIlQD9F0EedrFpHAVuaVas9ZWRZb4xv3zM
 N3g0IDxoN3g0QG5hbmkud3RmPoiTBBMWCgA7AhsBBQsJCAcDBRUKCQgLBRYCAwEA
 Ah4BAheAFiEE99N4kCKKkHRA4f1IRrkijoFKKqwFAmL7l8ACGQEACgkQRrkijoFK
 KqxI4wD9EIGpb3Gt5s5e8waH7XaLSlquOrW1RID3sSuzWI4DvikBAMncfBbtkpzH
-EYU2Ufm8VxzgJDnyeB+lcdeSJXWaIwYLtCZoN3g0IChhbHRlcm5hdGl2ZSkgPGg3
+EYU2Ufm8VxzgJDnyeB+lcdeSJXWaIwYLiJAEExYKADgWIQT303iQIoqQdEDh/UhG
-eDQuYWx0QG5hbmkud3RmPoiQBBMWCgA4FiEE99N4kCKKkHRA4f1IRrkijoFKKqwF
+uSKOgUoqrAUCYuaF5AIbAQULCQgHAwUVCgkICwUWAgMBAAIeAQIXgAAKCRBGuSKO
-AmL7j0oCGwEFCwkIBwMFFQoJCAsFFgIDAQACHgECF4AACgkQRrkijoFKKqytywD+
+gUoqrKWiAQC1yFpodz5PGsZbFgihEA0UQ5jcoXBojoAlVRgmkwm41gEA782rsvyl
-IdHIxbjRcDEJYOqFX1r4wrymTvnjz/kp0zUSrymwMUoBAP8huPK/YpujNF6/cwwB
+87ExoluDD3eV/Z5ILp7Ex6JeaE3JUix8Sgi0Jmg3eDQgKGFsdGVybmF0aXZlKSA8
-3A5WwpWjjV+F/uq2ejqFOocNuDMEYuaGRxYJKwYBBAHaRw8BAQdAsmc0GTQIszpk
+aDd4NC5hbHRAbmFuaS53dGY+iJAEExYKADgWIQT303iQIoqQdEDh/UhGuSKOgUoq
-jDYwgSt6zI81P2+k9WvBg6IEISnyuVWI9QQYFgoAJhYhBPfTeJAiipB0QOH9SEa5
+rAUCYvuPSgIbAQULCQgHAwUVCgkICwUWAgMBAAIeAQIXgAAKCRBGuSKOgUoqrK3L
-Io6BSiqsBQJi5oZHAhsCBQkDwmcAAIEJEEa5Io6BSiqsdiAEGRYKAB0WIQTzzahs
+AP4h0cjFuNFwMQlg6oVfWvjCvKZO+ePP+SnTNRKvKbAxSgEA/yG48r9im6M0Xr9z
-xVqfENegaYGfL32CUPNRRgUCYuaGRwAKCRCfL32CUPNRRhWYAQCzfkYeJt9t02jO
+DAHcDlbClaONX4X+6rZ6OoU6hw24MwRi5oZHFgkrBgEEAdpHDwEBB0CyZzQZNAiz
-c3SXwk1e1dGj9ydEXSprSr8/2PWu7gD+KD/FJWzPbnMhtudoGfCIzNFaazcz/QqT
+OmSMNjCBK3rMjzU/b6T1a8GDogQhKfK5VYj1BBgWCgAmFiEE99N4kCKKkHRA4f1I
-ZeBs6Q+AkQ7ueQD/ZqQMkaCrd8o2L02h89U6bFxy86nyTurGAUVx92F8jUwBAKa7
+RrkijoFKKqwFAmLmhkcCGwIFCQPCZwAAgQkQRrkijoFKKqx2IAQZFgoAHRYhBPPN
-Zp/0vR5bR4o57C7NTxB5kbmteF0AXS9R7sxSA/AEuQINBGLmhnoBEADa1yBK0NKx
+qGzFWp8Q16BpgZ8vfYJQ81FGBQJi5oZHAAoJEJ8vfYJQ81FGFZgBALN+Rh4m323T
-VIto3hSh21hooYpWcEXWqMPXHO34rcAhktVFOOHIl2bFGScQAZXtjAcqUmMyC+PM
+aM5zdJfCTV7V0aP3J0RdKmtKvz/Y9a7uAP4oP8UlbM9ucyG252gZ8IjM0VprNzP9
-s1DZoocFk+9PJt17hAa/s6CRrw8vK+1fVqhj0XOLtevGV9iC6IRvhPxzTsOaeOss
+CpNl4GzpD4CRDu55AP9mpAyRoKt3yjYvTaHz1TpsXHLzqfJO6sYBRXH3YXyNTAEA
-gMGIU8xDmMKT2nGHGNUkqOXGld63E3NKsK3lnl+BCdpJ0f3GEB7aSQ+pk6k1uzOD
+prtmn/S9HltHijnsLs1PEHmRua14XQBdL1HuzFID8ASI9QQYFgoAJgIbAhYhBPfT
-XX/mhAUJmL1MkVZ6jJA3vhsre0Kfa9p+C5mP4hLJ6jF+oESvA4HC+LuCSGm66gID
+eJAiipB0QOH9SEa5Io6BSiqsBQJmqp4CBQkFpUs7AIF2IAQZFgoAHRYhBPPNqGzF
-MC39jnLo6hwYEEjfPXD7CUAN4S2eISSFd+ZclN2vYcrKYgsCZS0hBFOgDhKKCHBu
+Wp8Q16BpgZ8vfYJQ81FGBQJi5oZHAAoJEJ8vfYJQ81FGFZgBALN+Rh4m323TaM5z
-MwP12AIM8y8L64/eOWFpR7s2StAPjjYbZeZECHLWZt1zGVvkS7Xp6lsAg6/T8Eys
+dJfCTV7V0aP3J0RdKmtKvz/Y9a7uAP4oP8UlbM9ucyG252gZ8IjM0VprNzP9CpNl
-KG7vTl2Qq9W0BmzNgk2ODTZkhv0gqqXppdr8eRiq+h0qMfJptG0GycOvqb9PoEO2
+4GzpD4CRDgkQRrkijoFKKqwYoQEAz0D3G/dD6DBYBf7p6pGYqXd2X0Dv8nmnalol
-dfNCjjII8VfaSGfSEYo8UwsqYTtfgdoNnFCXKd1r7QmvrdbNsFDRmkv+wWJoipwU
+Z6SxfUMA/jT/XjPh7c4Ui8nZO7XDzYWrbV/eZwGMd1zXq2mU42MLiPUEGBYKACYC
-aVquyb2KN652jSlpwMECW6fSEsT/5C3mJLgAmi6l6yosw6HdIY6jgpCGtxnHW2zR
+GwIWIQT303iQIoqQdEDh/UhGuSKOgUoqrAUCaI6lzgUJCWqGhwCBdiAEGRYKAB0W
-eIS6ezZdtxYBCkEHK70yASyaIHrLLDknw+DuKvXAWOAecob8GNBHOjXZe3LzBt2r
+IQTzzahsxVqfENegaYGfL32CUPNRRgUCYuaGRwAKCRCfL32CUPNRRhWYAQCzfkYe
-VgOCRa+W7milNgjUCsz+R3rM8XfR+wNEGwARAQABiH4EGBYKACYWIQT303iQIoqQ
+Jt9t02jOc3SXwk1e1dGj9ydEXSprSr8/2PWu7gD+KD/FJWzPbnMhtudoGfCIzNFa
-dEDh/UhGuSKOgUoqrAUCYuaGegIbDAUJA8JnAAAKCRBGuSKOgUoqrDE0AQDBxRsm
+azcz/QqTZeBs6Q+AkQ4JEEa5Io6BSiqsCG0BALDNFlploZWjQ0Xn3B9fd+1sTUmY
-W9L60mxGCp1CpNWBXD2T6D605PlNiNCcM+cOCgD/c2OitSSG50M0YRbyh1LPYL6Y
+e0s95lEY7XqVkF2AQCkKzMd2mHsymyVtY32bSsZ0iJxHTmxomS0uQ/TGIugB7kC
-QePL0dQkYsjm6XVmrAK4MwRi5obFFgkrBgEEAdpHDwEBB0BYP2r4I9LGW8ai+fLW
+DQRi5oZ6ARAA2tcgStDSsVSLaN4UodtYaKGKVnBF1qjD1xzt+K3AIZLVRTjhyJdm
-RKXGonni9TljqFVN5mV/yuxlPoh+BBgWCgAmFiEE99N4kCKKkHRA4f1IRrkijoFK
+xRknEAGV7YwHKlJjMgvjzLNQ2aKHBZPvTybde4QGv7Ogka8PLyvtX1aoY9Fzi7Xr
-KqwFAmLmhsUCGyAFCQPCZwAACgkQRrkijoFKKqzeYwD/emjtDBD0EiCnS2mvfopa
+xlfYguiEb4T8c07DmnjrLIDBiFPMQ5jCk9pxhxjVJKjlxpXetxNzSrCt5Z5fgQna
-T6foJSfXbiCe83UdFNebTjQBANFqnkXPCYb9dFIyM/0N1JXH7yj81VuslSqPi4NR
+SdH9xhAe2kkPqZOpNbszg11/5oQFCZi9TJFWeoyQN74bK3tCn2vafguZj+ISyeox
-SNkE
+fqBErwOBwvi7gkhpuuoCAzAt/Y5y6OocGBBI3z1w+wlADeEtniEkhXfmXJTdr2HK
-=oTMO
+ymILAmUtIQRToA4SighwbjMD9dgCDPMvC+uP3jlhaUe7NkrQD442G2XmRAhy1mbd
 cxlb5Eu16epbAIOv0/BMrChu705dkKvVtAZszYJNjg02ZIb9IKql6aXa/HkYqvod
 KjHyabRtBsnDr6m/T6BDtnXzQo4yCPFX2khn0hGKPFMLKmE7X4HaDZxQlynda+0J
 r63WzbBQ0ZpL/sFiaIqcFGlarsm9ijeudo0pacDBAlun0hLE/+Qt5iS4AJoupesq
 LMOh3SGOo4KQhrcZx1ts0XiEuns2XbcWAQpBByu9MgEsmiB6yyw5J8Pg7ir1wFjg
 HnKG/BjQRzo12Xty8wbdq1YDgkWvlu5opTYI1ArM/kd6zPF30fsDRBsAEQEAAYh+
 BBgWCgAmFiEE99N4kCKKkHRA4f1IRrkijoFKKqwFAmLmhnoCGwwFCQPCZwAACgkQ
 RrkijoFKKqwxNAEAwcUbJlvS+tJsRgqdQqTVgVw9k+g+tOT5TYjQnDPnDgoA/3Nj
 orUkhudDNGEW8odSz2C+mEHjy9HUJGLI5ul1ZqwCiH4EGBYKACYCGwwWIQT303iQ
 IoqQdEDh/UhGuSKOgUoqrAUCZqqeBQUJBaVLCAAKCRBGuSKOgUoqrMnbAP4oQbpa
 Uki4OAfaSbH36qYTIbe8k9w58+e4nsVBII94wQEA3nSPoMKWZTI1eiHR/xKc9uOI
 /Nk2tOHKpEjs9mOtywaIfgQYFgoAJgIbDBYhBPfTeJAiipB0QOH9SEa5Io6BSiqs
 BQJojqXOBQkJaoZUAAoJEEa5Io6BSiqsiXkBAJ0JTRmdQQpEK9KSh8V7FEkblIsm
 Ngko2cs+OhNSUgW9AQD0a7FHM3Dx32a7yD0zE3QwWi5VgeZZVIPyhItrOaANDbgz
 BGLmhsUWCSsGAQQB2kcPAQEHQFg/avgj0sZbxqL58tZEpcaieeL1OWOoVU3mZX/K
 7GU+iH4EGBYKACYWIQT303iQIoqQdEDh/UhGuSKOgUoqrAUCYuaGxQIbIAUJA8Jn
 AAAKCRBGuSKOgUoqrN5jAP96aO0MEPQSIKdLaa9+ilpPp+glJ9duIJ7zdR0U15tO
 NAEA0WqeRc8Jhv10UjIz/Q3UlcfvKPzVW6yVKo+Lg1FI2QSIfgQYFgoAJgIbIBYh
 BPfTeJAiipB0QOH9SEa5Io6BSiqsBQJmqp4GBQkFpUq9AAoJEEa5Io6BSiqsjF0B
 AJn0EBEJfszskYiZzMshFHW5k0QUF+Ak3JNh2UG+M6FJAQCQVY/lDkrvOytuFnKb
 kDrCaTrtLh/JAmBXpSERIejmD4h+BBgWCgAmAhsgFiEE99N4kCKKkHRA4f1IRrki
 joFKKqwFAmiOpc4FCQlqhgkACgkQRrkijoFKKqwSMAD/bbO/uwwdFEJVgcNRexZU
 6aoSxAGI1vjS92hSyfxZ9AABAK8KYO8sBGGCiVu+vWUpoUYmp3lfYTJHtf+36WMc
 D5MD
 =Gubf
 -----END PGP PUBLIC KEY BLOCK-----
--- a/misc/builder.nix
+++ b/misc/builder.nix
@@ -2,4 +2,10 @@
 {
  nix.settings.trusted-users = [ "@nix-builder-users" ];
  nix.daemonCPUSchedPolicy = "batch";
  boot.binfmt.emulatedSystems = [
    "aarch64-linux"
    "armv7l-linux"
  ];
 }
--- a/modules/gickup/default.nix
+++ b/modules/gickup/default.nix
@@ -0,0 +1,310 @@
 { config, pkgs, lib, utils, ... }:
 let
  cfg = config.services.gickup;
  format = pkgs.formats.yaml { };
 in
 {
  imports = [
    ./set-description.nix
    ./hardlink-files.nix
    ./import-from-toml.nix
    ./update-linktree.nix
  ];
  options.services.gickup = {
    enable = lib.mkEnableOption "gickup, a git repository mirroring service";
    package = lib.mkPackageOption pkgs "gickup" { };
    gitPackage = lib.mkPackageOption pkgs "git" { };
    gitLfsPackage = lib.mkPackageOption pkgs "git-lfs" { };
    dataDir = lib.mkOption {
      type = lib.types.path;
      description = "The directory to mirror repositories to.";
      default = "/var/lib/gickup";
      example = "/data/gickup";
    };
    destinationSettings = lib.mkOption {
      description = ''
        Settings for destination local, see gickup configuration file
        Note that `path` will be set automatically to `/var/lib/gickup`
      '';
      type = lib.types.submodule {
        freeformType = format.type;
      };
      default = { };
      example = {
        structured = true;
        zip = false;
        keep = 10;
        bare = true;
        lfs = true;
      };
    };
    instances = lib.mkOption {
      type = lib.types.attrsOf (lib.types.submodule (submoduleInputs@{ name, ... }: let
        submoduleName = name;
        nameParts = rec {
          repoType = builtins.head (lib.splitString ":" submoduleName);
          owner = if repoType == "any"
                  then null
                  else lib.pipe submoduleName [
                    (lib.removePrefix "${repoType}:")
                    (lib.splitString "/")
                    builtins.head
                  ];
          repo = if repoType == "any"
                 then null
                 else lib.pipe submoduleName [
                    (lib.removePrefix "${repoType}:")
                    (lib.splitString "/")
                    lib.last
                  ];
          slug = if repoType == "any"
                 then lib.toLower (builtins.replaceStrings [ ":" "/" ] [ "-" "-" ] submoduleName)
                 else "${lib.toLower repoType}-${lib.toLower owner}-${lib.toLower repo}";
        };
      in {
        options = {
          interval = lib.mkOption {
            type = lib.types.str;
            default = "daily";
            example = "weekly";
            description = ''
              Specification (in the format described by {manpage}`systemd.time(7)`) of the time
              interval at which to run the service.
            '';
          };
          type = lib.mkOption {
            type = lib.types.enum [
              "github"
              "gitlab"
              "gitea"
              "gogs"
              "bitbucket"
              "onedev"
              "sourcehut"
              "any"
            ];
            example = "github";
            default = nameParts.repoType;
            description = ''
              The type of the repository to mirror.
            '';
          };
          owner = lib.mkOption {
            type = with lib.types; nullOr str;
            example = "go-gitea";
            default = nameParts.owner;
            description = ''
              The owner of the repository to mirror (if applicable)
            '';
          };
          repo = lib.mkOption {
            type = with lib.types; nullOr str;
            example = "gitea";
            default = nameParts.repo;
            description = ''
              The name of the repository to mirror (if applicable)
            '';
          };
          slug = lib.mkOption {
            type = lib.types.str;
            default = nameParts.slug;
            example = "github-go-gitea-gitea";
            description = ''
              The slug of the repository to mirror.
            '';
          };
          description = lib.mkOption {
            type = with lib.types; nullOr str;
            example = "A project which does this and that";
            description = ''
              A description of the project. This isn't used directly by gickup for anything,
              but can be useful if gickup is used together with cgit or similar.
            '';
          };
          settings = lib.mkOption {
            description = "Instance specific settings, see gickup configuration file";
            type = lib.types.submodule {
              freeformType = format.type;
            };
            default = { };
            example = {
              username = "gickup";
              password = "hunter2";
              wiki = true;
              issues = true;
            };
          };
        };
      }));
    };
  };
  config = lib.mkIf cfg.enable {
    users.users.gickup = {
      isSystemUser = true;
      group = "gickup";
      home = "/var/lib/gickup";
    };
    users.groups.gickup = { };
    services.gickup.destinationSettings.path = "/var/lib/gickup/raw";
    systemd.tmpfiles.settings."10-gickup" = lib.mkIf (cfg.dataDir != "/var/lib/gickup") {
      ${cfg.dataDir}.d = {
        user = "gickup";
        group = "gickup";
        mode = "0755";
      };
    };
    systemd.slices."system-gickup" = {
      description = "Gickup git repository mirroring service";
      after = [ "network.target" ];
    };
    systemd.targets.gickup = {
      description = "Gickup git repository mirroring service";
      wants = map ({ slug, ... }: "gickup@${slug}.service") (lib.attrValues cfg.instances);
    };
    systemd.timers = {
      "gickup@" = {
        description = "Gickup git repository mirroring service for %i";
        timerConfig = {
          OnCalendar = "daily";
          RandomizedDelaySec = "1h";
          Persistent = true;
          AccuracySec = "1s";
        };
      };
    }
    //
    # Overrides for mirrors which are not "daily"
    (lib.pipe cfg.instances [
      builtins.attrValues
      (builtins.filter (instance: instance.interval != "daily"))
      (map ({ slug, interval, ... }: {
        name = "gickup@${slug}";
        value = {
          overrideStrategy = "asDropin";
          timerConfig.OnCalendar = interval;
        };
      }))
      builtins.listToAttrs
    ]);
    systemd.targets.timers.wants = map ({ slug, ... }: "gickup@${slug}.timer") (lib.attrValues cfg.instances);
    systemd.services = {
      "gickup@" = let
        configDir = lib.pipe cfg.instances [
          (lib.mapAttrsToList (name: instance: {
            name = "${instance.slug}.yml";
            path = format.generate "gickup-configuration-${name}.yml" {
              destination.local = [ cfg.destinationSettings ];
              source.${instance.type} = [
                (
                  (lib.optionalAttrs (instance.type != "any") {
                    user = instance.owner;
                    includeorgs = [ instance.owner ];
                    include = [ instance.repo ];
                  })
                  //
                  instance.settings
                )
              ];
            };
          }))
          (pkgs.linkFarm "gickup-configuration-files")
        ];
      in {
        description = "Gickup git repository mirroring service for %i";
        after = [ "network.target" ];
        path = [
          cfg.gitPackage
          cfg.gitLfsPackage
        ];
        restartIfChanged = false;
        serviceConfig = {
          Type = "oneshot";
          ExecStart = "'${pkgs.gickup}/bin/gickup' '${configDir}/%i.yml'";
          ExecStartPost = "";
          User = "gickup";
          Group = "gickup";
          BindPaths = lib.optionals (cfg.dataDir != "/var/lib/gickup") [
            "${cfg.dataDir}:/var/lib/gickup"
          ];
          Slice = "system-gickup.slice";
          SyslogIdentifier = "gickup-%i";
          StateDirectory = "gickup";
          # WorkingDirectory = "gickup";
          # RuntimeDirectory = "gickup";
          # RuntimeDirectoryMode = "0700";
          # https://discourse.nixos.org/t/how-to-prevent-custom-systemd-service-from-restarting-on-nixos-rebuild-switch/43431
          RemainAfterExit = true;
          # Hardening options
          AmbientCapabilities = [];
          LockPersonality = true;
          NoNewPrivileges = true;
          PrivateDevices = true;
          PrivateMounts = true;
          PrivateTmp = true;
          PrivateUsers = true;
          ProcSubset = "pid";
          ProtectClock = true;
          ProtectControlGroups = true;
          ProtectHome = true;
          ProtectHostname = true;
          ProtectKernelLogs = true;
          ProtectKernelModules = true;
          ProtectKernelTunables = true;
          # ProtectProc = "invisible";
          # ProtectSystem = "strict";
          RemoveIPC = true;
          RestrictAddressFamilies = [
            "AF_INET"
            "AF_INET6"
          ];
          RestrictNamespaces = true;
          RestrictRealtime = true;
          RestrictSUIDSGID = true;
          SystemCallArchitectures = "native";
          # SystemCallFilter = [
          #   "@system-service"
          #   "~@resources"
          #   "~@privileged"
          # ];
          UMask = "0002";
          CapabilityBoundingSet = [];
        };
      };
    };
  };
 }
--- a/modules/gickup/hardlink-files.nix
+++ b/modules/gickup/hardlink-files.nix
@@ -0,0 +1,42 @@
 { config, lib, pkgs, ... }:
 let
  cfg = config.services.gickup;
 in
 {
  config = lib.mkIf cfg.enable {
    # TODO: add a service that will look at the backed up files and hardlink
    #       the ones that have a matching hash together to save space. This can
    #       either run routinely (i.e. trigger by systemd-timer), or be activated
    #       whenever a gickup@<slug>.service finishes. The latter is probably better.
    # systemd.services."gickup-hardlink" = {
    #   serviceConfig = {
    #     Type = "oneshot";
    #     ExecStart = let
    #       script = pkgs.writeShellApplication {
    #         name = "gickup-hardlink-files.sh";
    #         runtimeInputs = [ pkgs.coreutils pkgs.jdupes ];
    #         text = ''
    #         '';
    #       };
    #     in lib.getExe script;
    #     User = "gickup";
    #     Group = "gickup";
    #     BindPaths = lib.optionals (cfg.dataDir != "/var/lib/gickup") [
    #       "${cfg.dataDir}:/var/lib/gickup"
    #     ];
    #     Slice = "system-gickup.slice";
    #     StateDirectory = "gickup";
    #     # Hardening options
    #     # TODO:
    #     PrivateNetwork = true;
    #   };
    # };
  };
 }
--- a/modules/gickup/import-from-toml.nix
+++ b/modules/gickup/import-from-toml.nix
@@ -0,0 +1,11 @@
 { config, lib, pkgs, ... }:
 let
  cfg = config.services.gickup;
 in
 {
  config = lib.mkIf cfg.enable {
    # TODO: import cfg.instances from a toml file to make it easier for non-nix users
    #       to add repositories to mirror
  };
 }
--- a/modules/gickup/set-description.nix
+++ b/modules/gickup/set-description.nix
@@ -0,0 +1,9 @@
 { config, lib, pkgs, ... }:
 let
  cfg = config.services.gickup;
 in
 {
  config = lib.mkIf cfg.enable {
    # TODO: create .git/description files for each repo where cfg.instances.<instance>.description is set
  };
 }
--- a/modules/gickup/update-linktree.nix
+++ b/modules/gickup/update-linktree.nix
@@ -0,0 +1,84 @@
 { config, lib, pkgs, ... }:
 let
  cfg = config.services.gickup;
 in
 {
  config = lib.mkIf cfg.enable {
    # TODO: run upon completion of cloning a repository
    systemd.timers."gickup-linktree" = {
      wantedBy = [ "timers.target" ];
      timerConfig = {
        OnCalendar = "daily";
        Persistent = true;
        Unit = "gickup-linktree.service";
      };
    };
    # TODO: update symlink for one repo at a time (e.g. gickup-linktree@<instance>.service)
    systemd.services."gickup-linktree" = {
      serviceConfig = {
        Type = "oneshot";
        ExecStart = let
          script = pkgs.writeShellApplication {
            name = "gickup-update-symlink-tree.sh";
            runtimeInputs = [
              pkgs.coreutils
              pkgs.findutils
            ];
            text = ''
              shopt -s nullglob
              for repository in ./*/*/*; do
                REPOSITORY_RELATIVE_DIRS=''${repository#"./"}
                echo "Checking $REPOSITORY_RELATIVE_DIRS"
                declare -a REVISIONS
                readarray -t REVISIONS < <(find "$repository" -mindepth 1 -maxdepth 1 -printf "%f\n" | sort --numeric-sort --reverse)
                if [[ "''${#REVISIONS[@]}" == 0 ]]; then
                  echo "Found no revisions for $repository, continuing"
                  continue
                fi
                LAST_REVISION="''${REVISIONS[0]}"
                SYMLINK_PATH="../linktree/''${REPOSITORY_RELATIVE_DIRS}"
                mkdir -p "$(dirname "$SYMLINK_PATH")"
                EXPECTED_SYMLINK_TARGET=$(realpath "''${repository}/''${LAST_REVISION}")
                EXISTING_SYMLINK_TARGET=$(realpath "$SYMLINK_PATH" || echo "<none>")
                if [[ "$EXISTING_SYMLINK_TARGET" != "$EXPECTED_SYMLINK_TARGET" ]]; then
                  echo "Updating symlink for $REPOSITORY_RELATIVE_DIRS"
                  rm "$SYMLINK_PATH" ||:
                  ln -rs "$EXPECTED_SYMLINK_TARGET" "$SYMLINK_PATH"
                else
                  echo "Symlink already up to date, continuing..."
                fi
                echo "---"
              done
            '';
          };
        in lib.getExe script;
        User = "gickup";
        Group = "gickup";
        BindPaths = lib.optionals (cfg.dataDir != "/var/lib/gickup") [
          "${cfg.dataDir}:/var/lib/gickup"
        ];
        Slice = "system-gickup.slice";
        StateDirectory = "gickup";
        WorkingDirectory = "/var/lib/gickup/raw";
        # Hardening options
        # TODO:
        PrivateNetwork = true;
      };
    };
  };
 }
--- a/modules/grzegorz.nix
+++ b/modules/grzegorz.nix
@@ -1,7 +1,9 @@
-{config, lib, pkgs, ...}:
+{ config, lib, pkgs, unstablePkgs, ... }:
 let
  grg = config.services.greg-ng;
  grgw = config.services.grzegorz-webui;
  machine = config.networking.hostName;
 in {
  services.greg-ng = {
    enable = true;
@@ -9,6 +11,13 @@ in {
    settings.port = 31337;
    enableSway = true;
    enablePipewire = true;
    mpvPackage = unstablePkgs.mpv;
  };
  systemd.user.services.restart-greg-ng = {
    script = "systemctl --user restart greg-ng.service";
    startAt = "*-*-* 06:30:00";
  };
  services.grzegorz-webui = {
@@ -16,37 +25,86 @@ in {
    listenAddr = "localhost";
    listenPort = 42069;
    listenWebsocketPort = 42042;
-    hostName = "${config.networking.fqdn}";
+    hostName = "${machine}-old.pvv.ntnu.no";
-    apiBase = "http://${grg.settings.host}:${toString grg.settings.port}/api";
+    apiBase = "https://${machine}-backend.pvv.ntnu.no/api";
  };
  services.gergle = {
    enable = true;
    virtualHost = config.networking.fqdn;
  };
  services.nginx.enable = true;
-  services.nginx.virtualHosts."${config.networking.fqdn}" = {
+  services.nginx.virtualHosts = {
-    forceSSL = true;
+    ${config.networking.fqdn} = {
-    enableACME = true;
+      forceSSL = true;
-    kTLS = true;
+      enableACME = true;
-    serverAliases = [
+      kTLS = true;
-      "${config.networking.hostName}.pvv.org"
+      serverAliases = [
-    ];
+        "${machine}.pvv.org"
-    extraConfig = ''
+      ];
-      allow 129.241.210.128/25;
+      extraConfig = ''
-      allow 2001:700:300:1900::/64;
+        allow 129.241.210.128/25;
-      deny all;
+        allow 2001:700:300:1900::/64;
-    '';
+        deny all;
      '';
-    locations."/" = {
+      locations."/docs" = {
-      proxyPass = "http://${grgw.listenAddr}:${toString grgw.listenPort}";
+        proxyPass = "http://${grg.settings.host}:${toString grg.settings.port}";
      };
      locations."/api" = {
        proxyPass = "http://${grg.settings.host}:${toString grg.settings.port}";
        proxyWebsockets = true;
      };
    };
-    # https://github.com/rawpython/remi/issues/216
+
-    locations."/websocket" = {
+    "${machine}-backend.pvv.ntnu.no" = {
-      proxyPass = "http://${grgw.listenAddr}:${toString grgw.listenWebsocketPort}";
+      forceSSL = true;
-      proxyWebsockets = true;
+      enableACME = true;
      kTLS = true;
      serverAliases = [
        "${machine}-backend.pvv.org"
      ];
      extraConfig = ''
        allow 129.241.210.128/25;
        allow 2001:700:300:1900::/64;
        deny all;
      '';
      locations."/" = {
        proxyPass = "http://${grg.settings.host}:${toString grg.settings.port}";
        proxyWebsockets = true;
      };
    };
-    locations."/api" = {
+
-      proxyPass = "http://${grg.settings.host}:${toString grg.settings.port}";
+    "${machine}-old.pvv.ntnu.no" = {
-    };
+      forceSSL = true;
-    locations."/docs" = {
+      enableACME = true;
-      proxyPass = "http://${grg.settings.host}:${toString grg.settings.port}";
+      kTLS = true;
      serverAliases = [
        "${machine}-old.pvv.org"
      ];
      extraConfig = ''
        allow 129.241.210.128/25;
        allow 2001:700:300:1900::/64;
        deny all;
      '';
      locations."/" = {
        proxyPass = "http://${grgw.listenAddr}:${toString grgw.listenPort}";
      };
      # https://github.com/rawpython/remi/issues/216
      locations."/websocket" = {
        proxyPass = "http://${grgw.listenAddr}:${toString grgw.listenWebsocketPort}";
        proxyWebsockets = true;
      };
      locations."/api" = {
        proxyPass = "http://${grg.settings.host}:${toString grg.settings.port}";
      };
      locations."/docs" = {
        proxyPass = "http://${grg.settings.host}:${toString grg.settings.port}";
      };
    };
  };
 }
--- a/modules/matrix-ooye.nix
+++ b/modules/matrix-ooye.nix
@@ -0,0 +1,211 @@
 # Original from: https://cgit.rory.gay/nix/OOYE-module.git/
 {
  config,
  lib,
  pkgs,
  ...
 }:
 let
  cfg = config.services.matrix-ooye;
  mkStringOption =
    name: default:
    lib.mkOption {
      type = lib.types.str;
      default = default;
    };
 in
 {
  options = {
    services.matrix-ooye = {
      enable = lib.mkEnableOption "Enable OOYE service";
      package = lib.mkOption {
        type = lib.types.package;
        default = pkgs.out-of-your-element;
      };
      appserviceId = mkStringOption "The ID of the appservice." "ooye";
      homeserver = mkStringOption "The homeserver to connect to." "http://localhost:8006";
      homeserverName = mkStringOption "The name of the homeserver to connect to." "localhost";
      namespace = mkStringOption "The prefix to use for the MXIDs/aliases of bridged users/rooms. Should end with a _!" "_ooye_";
      discordTokenPath = mkStringOption "The path to the discord token file." "/etc/ooye-discord-token";
      discordClientSecretPath = mkStringOption "The path to the discord token file." "/etc/ooye-discord-client-secret";
      socket = mkStringOption "The socket to listen on, can either be a port number or a unix socket path." "6693";
      bridgeOrigin = mkStringOption "The web frontend URL for the bridge, defaults to http://localhost:{socket}" "";
      enableSynapseIntegration = lib.mkEnableOption "Enable Synapse integration";
    };
  };
  config = lib.mkIf cfg.enable (
    let
      baseConfig = pkgs.writeText "matrix-ooye-config.json" (
        builtins.toJSON {
          id = cfg.appserviceId;
          namespaces = {
            users = [
              {
                exclusive = true;
                regex = "@${cfg.namespace}.*:${cfg.homeserverName}";
              }
            ];
            aliases = [
              {
                exclusive = true;
                regex = "#${cfg.namespace}.*:${cfg.homeserverName}";
              }
            ];
          };
          protocols = [ "discord" ];
          sender_localpart = "${cfg.namespace}bot";
          rate_limited = false;
          socket = cfg.socket; # Can either be a TCP port or a unix socket path
          url = if (lib.hasPrefix "/" cfg.socket) then "unix:${cfg.socket}" else "http://localhost:${cfg.socket}";
          ooye = {
            server_name = cfg.homeserverName;
            namespace_prefix = cfg.namespace;
            max_file_size = 5000000;
            content_length_workaround = false;
            include_user_id_in_mxid = true;
            server_origin = cfg.homeserver;
            bridge_origin = if (cfg.bridgeOrigin == "") then "http://localhost:${cfg.socket}" else cfg.bridgeOrigin;
          };
        }
      );
      script = pkgs.writeScript "matrix-ooye-pre-start.sh" ''
        #!${lib.getExe pkgs.bash}
        REGISTRATION_FILE=registration.yaml
        id
        echo "Before if statement"
        stat ''${REGISTRATION_FILE}
        if [[ ! -f ''${REGISTRATION_FILE} ]]; then
          echo "No registration file found at '$REGISTRATION_FILE'"
          cp --no-preserve=mode,ownership ${baseConfig} ''${REGISTRATION_FILE}
        fi
        echo "After if statement"
        stat ''${REGISTRATION_FILE}
        AS_TOKEN=$(${lib.getExe pkgs.jq} -r .as_token ''${REGISTRATION_FILE})
        HS_TOKEN=$(${lib.getExe pkgs.jq} -r .hs_token ''${REGISTRATION_FILE})
        DISCORD_TOKEN=$(cat /run/credentials/matrix-ooye-pre-start.service/discord_token)
        DISCORD_CLIENT_SECRET=$(cat /run/credentials/matrix-ooye-pre-start.service/discord_client_secret)
        # Check if we have all required tokens
        if [[ -z "$AS_TOKEN" || "$AS_TOKEN" == "null" ]]; then
          AS_TOKEN=$(${lib.getExe pkgs.openssl} rand -hex 64)
          echo "Generated new AS token: ''${AS_TOKEN}"
        fi
        if [[ -z "$HS_TOKEN" || "$HS_TOKEN" == "null" ]]; then
          HS_TOKEN=$(${lib.getExe pkgs.openssl} rand -hex 64)
          echo "Generated new HS token: ''${HS_TOKEN}"
        fi
        if [[ -z "$DISCORD_TOKEN" ]]; then
          echo "No Discord token found at '${cfg.discordTokenPath}'"
          echo "You can find this on the 'Bot' tab of your Discord application."
          exit 1
        fi
        if [[ -z "$DISCORD_CLIENT_SECRET" ]]; then
          echo "No Discord client secret found at '${cfg.discordTokenPath}'"
          echo "You can find this on the 'OAuth2' tab of your Discord application."
          exit 1
        fi
        shred -u ''${REGISTRATION_FILE}
        cp --no-preserve=mode,ownership ${baseConfig} ''${REGISTRATION_FILE}
        ${lib.getExe pkgs.jq} '.as_token = "'$AS_TOKEN'" | .hs_token = "'$HS_TOKEN'" | .ooye.discord_token = "'$DISCORD_TOKEN'" | .ooye.discord_client_secret = "'$DISCORD_CLIENT_SECRET'"' ''${REGISTRATION_FILE} > ''${REGISTRATION_FILE}.tmp
        shred -u ''${REGISTRATION_FILE}
        mv ''${REGISTRATION_FILE}.tmp ''${REGISTRATION_FILE}
      '';
    in
    {
      warnings =
        lib.optionals ((builtins.substring (lib.stringLength cfg.namespace - 1) 1 cfg.namespace) != "_") [
          "OOYE namespace does not end with an underscore! This is recommended to have better ID formatting. Provided: '${cfg.namespace}'"
        ]
        ++ lib.optionals ((builtins.substring 0 1 cfg.namespace) != "_") [
          "OOYE namespace does not start with an underscore! This is recommended to avoid conflicts with registered users. Provided: '${cfg.namespace}'"
        ];
      environment.systemPackages = [ cfg.package ];
      systemd.services."matrix-ooye-pre-start" = {
        enable = true;
        wantedBy = [ "multi-user.target" ];
        serviceConfig = {
          ExecStart = script;
          WorkingDirectory = "/var/lib/matrix-ooye";
          StateDirectory = "matrix-ooye";
          DynamicUser = true;
          RemainAfterExit = true;
          Type = "oneshot";
          LoadCredential = [
            "discord_token:${cfg.discordTokenPath}"
            "discord_client_secret:${cfg.discordClientSecretPath}"
          ];
        };
      };
      systemd.services."matrix-ooye" = {
        enable = true;
        description = "Out of Your Element - a Discord bridge for Matrix.";
        wants = [
          "network-online.target"
          "matrix-synapse.service"
          "conduit.service"
          "dendrite.service"
        ];
        after = [
          "matrix-ooye-pre-start.service"
          "network-online.target"
        ];
        requires = [ "matrix-ooye-pre-start.service" ];
        wantedBy = [ "multi-user.target" ];
        serviceConfig = {
          ExecStart = lib.getExe config.services.matrix-ooye.package;
          WorkingDirectory = "/var/lib/matrix-ooye";
          StateDirectory = "matrix-ooye";
          #ProtectSystem = "strict";
          #ProtectHome = true;
          #PrivateTmp = true;
          #NoNewPrivileges = true;
          #PrivateDevices = true;
          Restart = "on-failure";
          DynamicUser = true;
        };
      };
      systemd.services."matrix-synapse" = lib.mkIf cfg.enableSynapseIntegration {
        after = [
          "matrix-ooye-pre-start.service"
          "network-online.target"
        ];
        requires = [ "matrix-ooye-pre-start.service" ];
        serviceConfig = {
          LoadCredential = [
            "matrix-ooye-registration:/var/lib/matrix-ooye/registration.yaml"
          ];
          ExecStartPre = [
            "+${pkgs.coreutils}/bin/cp /run/credentials/matrix-synapse.service/matrix-ooye-registration ${config.services.matrix-synapse.dataDir}/ooye-registration.yaml"
            "+${pkgs.coreutils}/bin/chown matrix-synapse:matrix-synapse ${config.services.matrix-synapse.dataDir}/ooye-registration.yaml"
          ];
        };
      };
      services.matrix-synapse.settings.app_service_config_files = lib.mkIf cfg.enableSynapseIntegration [
        "${config.services.matrix-synapse.dataDir}/ooye-registration.yaml"
      ];
    }
  );
 }
--- a/modules/robots-txt.nix
+++ b/modules/robots-txt.nix
@@ -0,0 +1,116 @@
 { config, pkgs, lib, ... }:
 let
  cfg = config.environment.robots-txt;
  robots-txt-format = {
    type = let
      coercedStrToNonEmptyListOfStr = lib.types.coercedTo lib.types.str lib.singleton (lib.types.nonEmptyListOf lib.types.str);
    in lib.types.listOf (lib.types.submodule {
      freeformType = lib.types.attrsOf coercedStrToNonEmptyListOfStr;
      options = {
        pre_comment = lib.mkOption {
          description = "Comment to add before the rule";
          type = lib.types.lines;
          default = "";
        };
        post_comment = lib.mkOption {
          description = "Comment to add after the rule";
          type = lib.types.lines;
          default = "";
        };
      };
    });
    generate = name: value: let
      makeComment = comment: lib.pipe comment [
        (lib.splitString "\n")
        (lib.map (line: if line == "" then "#" else "# ${line}"))
        (lib.concatStringsSep "\n")
      ];
      ruleToString = rule: let
        user_agent = rule.User-agent or [];
        pre_comment = rule.pre_comment;
        post_comment = rule.post_comment;
        rest = builtins.removeAttrs rule [ "User-agent" "pre_comment" "post_comment" ];
      in lib.concatStringsSep "\n" (lib.filter (x: x != null) [
        (if (pre_comment != "") then makeComment pre_comment else null)
        (let
          user-agents = lib.concatMapStringsSep "\n" (value: "User-agent: ${value}") user_agent;
        in
          if user_agent == [] then null else user-agents
        )
        (lib.pipe rest [
          (lib.mapAttrsToList (ruleName: map (value: "${ruleName}: ${value}")))
          lib.concatLists
          (lib.concatStringsSep "\n")
        ])
        (if (post_comment != "") then makeComment post_comment else null)
      ]);
      content = lib.concatMapStringsSep "\n\n" ruleToString value;
    in pkgs.writeText name content;
  };
 in
 {
  options.environment.robots-txt = lib.mkOption {
    default = { };
    description = ''
      Different instances of robots.txt to use with web services.
    '';
    type = lib.types.attrsOf (lib.types.submodule ({ name, ... }: {
      options = {
        enable = lib.mkEnableOption "this instance of robots.txt" // {
          default = true;
        };
        path = lib.mkOption {
          description = "The resulting path of the dir containing the robots.txt file";
          type = lib.types.path;
          readOnly = true;
          default = "/etc/robots-txt/${name}";
        };
        rules = lib.mkOption {
          description = "Rules to include in robots.txt";
          default = [ ];
          example = [
            { User-agent = "Googlebot"; Disallow = "/no-googlebot"; }
            { User-agent = "Bingbot"; Disallow = [ "/no-bingbot" "/no-bingbot2" ]; }
          ];
          type = robots-txt-format.type;
        };
        virtualHost = lib.mkOption {
          description = "An nginx virtual host to add the robots.txt to";
          type = lib.types.nullOr lib.types.str;
          default = null;
        };
      };
    }));
  };
  config = {
    environment.etc = lib.mapAttrs' (name: value: {
      name = "robots-txt/${name}/robots.txt";
      value.source = robots-txt-format.generate name value.rules;
    }) cfg;
    services.nginx.virtualHosts = lib.pipe cfg [
      (lib.filterAttrs (_: value: value.virtualHost != null))
      (lib.mapAttrs' (name: value: {
        name = value.virtualHost;
        value = {
          locations = {
            "= /robots.txt" = {
              extraConfig = ''
                add_header Content-Type text/plain;
              '';
              root = cfg.${name}.path;
            };
          };
        };
      }))
    ];
  };
 }
--- a/packages/cgit.nix
+++ b/packages/cgit.nix
@@ -0,0 +1,21 @@
 { cgit, fetchurl, ... }:
 let
  pname = cgit.pname;
  commit = "09d24d7cd0b7e85633f2f43808b12871bb209d69";
 in
 cgit.overrideAttrs (_: {
  version = "1.2.3-unstable-2024.07.16";
  src = fetchurl {
    url = "https://git.zx2c4.com/cgit/snapshot/${pname}-${commit}.tar.xz";
    hash = "sha256-gfgjAXnWRqVCP+4cmYOVdB/3OFOLJl2WBOc3bFVDsjw=";
  };
  # cgit is tightly coupled with git and needs a git source tree to build.
  # IMPORTANT: Remember to check which git version cgit needs on every version
  # bump (look for "GIT_VER" in the top-level Makefile).
  gitSrc = fetchurl {
    url = "mirror://kernel/software/scm/git/git-2.46.0.tar.xz";
    hash = "sha256-fxI0YqKLfKPr4mB0hfcWhVTCsQ38FVx+xGMAZmrCf5U=";
  };
 })
--- a/packages/mediawiki-extensions/default.nix
+++ b/packages/mediawiki-extensions/default.nix
@@ -12,7 +12,7 @@ let
    name
  , commit
  , hash
-  , tracking-branch ? "REL1_41"
+  , tracking-branch ? "REL1_42"
  , kebab-name ? kebab-case-name name
  , fetchgit ? pkgs.fetchgit
  }:
@@ -33,63 +33,63 @@ in
 lib.mergeAttrsList [
  (mw-ext {
    name = "CodeEditor";
-    commit = "7d8447035e381d76387e38b92e4d1e2b8d373a01";
+    commit = "9f69f2cf7616342d236726608a702d651b611938";
-    hash = "sha256-v2AlbP0vZma3qZyEAWGjZ/rLcvOpIMroyc1EixKjlAU=";
+    hash = "sha256-sRaYj34+7aghJUw18RoowzEiMx0aOANU1a7YT8jivBw=";
  })
  (mw-ext {
    name = "CodeMirror";
-    commit = "a7b4541089f9b88a0b722d9d790e4cf0f13aa328";
+    commit = "1a1048c770795789676adcf8a33c1b69f6f5d3ae";
-    hash = "sha256-clyzN3v3+J4GjdyhrCsytBrH7VR1tq5yd0rB+32eWCg=";
+    hash = "sha256-Y5ePrtLNiko2uU/sesm8jdYmxZkYzQDHfkIG1Q0v47I=";
  })
  (mw-ext {
    name = "DeleteBatch";
-    commit = "cad869fbd95637902673f744581b29e0f3e3f61a";
+    commit = "b76bb482e026453079104d00f9675b4ab851947e";
-    hash = "sha256-M1ek1WdO1/uTjeYlrk3Tz+nlb/fFZH+O0Ok7b10iKak=";
+    hash = "sha256-GebF9B3RVwpPw8CYKDDT6zHv/MrrzV6h2TEIvNlRmcw=";
  })
  (mw-ext {
    name = "PluggableAuth";
-    commit = "4111a57c34e25bde579cce5d14ea094021e450c8";
+    commit = "1da98f447fd8321316d4286d8106953a6665f1cc";
-    hash = "sha256-aPtN8A9gDxLlq2+EloRZBO0DfHtE0E5kbV/adk82jvM=";
+    hash = "sha256-DKDVcAfWL90FmZbSsdx1J5PkGu47EsDQmjlCpcgLCn4=";
  })
  (mw-ext {
    name = "Popups";
-    commit = "f1bcadbd8b868f32ed189feff232c47966c2c49e";
+    commit = "9b9e986316b9662b1b45ce307a58dd0320dd33cf";
-    hash = "sha256-PQAjq/X4ZYwnnZ6ADCp3uGWMIucJy0ZXxsTTbAyxlSE=";
+    hash = "sha256-rSOZHT3yFIxA3tPhIvztwMSmSef/XHKmNfQl1JtGrUA=";
  })
  (mw-ext {
    name = "Scribunto";
-    commit = "7b99c95f588b06635ee3c487080d6cb04617d4b5";
+    commit = "eb6a987e90db47b09b0454fd06cddb69fdde9c40";
-    hash = "sha256-pviueRHQAsSlv4AtnUpo2Cjci7CbJ5aM75taEXY+WrI=";
+    hash = "sha256-Nr0ZLIrS5jnpiBgGnd90lzi6KshcsxeC+xGmNsB/g88=";
  })
  (mw-ext {
    name = "SimpleSAMLphp";
    kebab-name = "simple-saml-php";
-    commit = "ecb47191fecd1e0dc4c9d8b90a9118e393d82c23";
+    commit = "fd4d49cf48d16efdb91ae8128cdd507efe84d311";
-    hash = "sha256-gKu+O49XrAVt6hXdt36Ru7snjsKX6g2CYJ0kk/d+CI8=";
+    hash = "sha256-Qdtroew2j3AsZYlhAAUKQXXS2kUzUeQFnuR6ZHdFhAQ=";
  })
  (mw-ext {
    name = "TemplateData";
-    commit = "1ec66ce80f8a4322138efa56864502d0ee069bad";
+    commit = "836e3ca277301addd2578b2e746498ff6eb8e574";
-    hash = "sha256-Lv3Lq9dYAtdgWcwelveTuOhkP38MTu0m5kmW8+ltRis=";
+    hash = "sha256-UMcRLYxYn+AormwTYjKjjZZjA806goMY2TRQ4KoS5fY=";
  })
  (mw-ext {
    name = "TemplateStyles";
-    commit = "581180e898d6a942e2a65c8f13435a5d50fffa67";
+    commit = "06a2587689eba0a17945fd9bd4bb61674d3a7853";
-    hash = "sha256-zW8O0mzG4jYfQoKi2KzsP+8iwRCLnWgH7qfmDE2R+HU=";
+    hash = "sha256-C7j0jCkMeVZiLKpk+55X+lLnbG4aeH+hWIm3P5fF4fw=";
  })
  (mw-ext {
    name = "UserMerge";
-    commit = "c17c919bdb9b67bb69f80df43e9ee9d33b1ecf1b";
+    commit = "41759d0c61377074d159f7d84130a095822bc7a3";
-    hash = "sha256-+mkzTCo8RVlGoFyfCrSb5YMh4J6Pbi1PZLFu5ps8bWY=";
+    hash = "sha256-pGjA7r30StRw4ff0QzzZYUhgD3dC3ZuiidoSEz8kA8Q=";
  })
  (mw-ext {
    name = "VisualEditor";
-    commit = "90bb3d455892e25317029ffd4bda93159e8faac8";
+    commit = "a128b11fe109aa882de5a40d2be0cdd0947ab11b";
-    hash = "sha256-SZAVELQUKZtwSM6NVlxvIHdFPodko8fhZ/uwB0LCFDA=";
+    hash = "sha256-bv1TkomouOxe+DKzthyLyppdEUFSXJ9uE0zsteVU+D4=";
  })
  (mw-ext {
    name = "WikiEditor";
-    commit = "8dba5b13246d7ae09193f87e6273432b3264de5f";
+    commit = "21383e39a4c9169000acd03edfbbeec4451d7974";
-    hash = "sha256-vF9PBuM+VfOIs/a2X1JcPn6WH4GqP/vUJDFkfXzWyFU=";
+    hash = "sha256-aPVpE6e4qLLliN9U5TA36e8tFrIt7Fl8RT1cGPUWoNI=";
  })
 ]
--- a/packages/out-of-your-element.nix
+++ b/packages/out-of-your-element.nix
@@ -0,0 +1,42 @@
 {
  lib,
  fetchgit,
  makeWrapper,
  nodejs,
  buildNpmPackage,
 }:
 buildNpmPackage {
  pname = "delete-your-element";
  version = "3.1-unstable-2025-06-23";
  src = fetchgit {
    url = "https://git.pvv.ntnu.no/Drift/delete-your-element.git";
    rev = "67658bf68026918163a2e5c2a30007364c9b2d2d";
    sha256 = "sha256-jSQ588kwvAYCe6ogmO+jDB6Hi3ACJ/3+rC8M94OVMNw=";
  };
  npmDepsHash = "sha256-HNHEGez8X7CsoGYXqzB49o1pcCImfmGYIw9QKF2SbHo=";
  dontNpmBuild = true;
  nativeBuildInputs = [makeWrapper];
  installPhase = ''
    runHook preInstall
    mkdir -p $out/share
    cp -a . $out/share/ooye
    makeWrapper ${nodejs}/bin/node $out/bin/matrix-ooye --add-flags $out/share/ooye/start.js
    makeWrapper ${nodejs}/bin/node $out/bin/matrix-ooye-addbot --add-flags $out/share/ooye/addbot.js
    runHook postInstall
  '';
  meta = with lib; {
    description = "Matrix-Discord bridge with modern features.";
    homepage = "https://gitdab.com/cadence/out-of-your-element";
    longDescription = ''
      Modern Matrix-to-Discord appservice bridge, created by @cadence:cadence.moe.
    '';
    license = licenses.gpl3;
    # maintainers = with maintainers; [ RorySys ];
    mainProgram = "matrix-ooye";
  };
 }
--- a/secrets/bekkalokk/bekkalokk.yaml
+++ b/secrets/bekkalokk/bekkalokk.yaml
@@ -5,12 +5,9 @@ gitea:
    database: ENC[AES256_GCM,data:UlS33IdCEyeSvT6ngpmnkBWHuSEqsB//DT+3b7C+UwbD8UXWJlsLf1X8/w==,iv:mPRW5ldyZaHP+y/0vC2JGSLZmlkhgmkvXPk4LazkSDs=,tag:gGk6Z/nbPvzE1zG+tJC8Sw==,type:str]
    email-password: ENC[AES256_GCM,data:KRwC+aL1aPvJuXt91Oq1ttATMnFTnuUy,iv:ats8TygB/2pORkaTZzPOLufZ9UmvVAKoRcWNvYF1z6w=,tag:Do0fA+4cZ3+l7JJyu8hjBg==,type:str]
    passwd-ssh-key: ENC[AES256_GCM,data:L0lF0wvpayss1NU9m3A45cH0bCMQzODTFVrq6EPd1JHx54wIcoaRBYLmxXKXASzBlCg9zlwXMUIk3OQcS3kdzMKL0iqcSL2iicAcKjFIHyrWLqXgwV5pRSP/tRPcVw8KW8gz0bh33EgESs5ReddZ3VZ0Cy1s2YupMRQvBXr89k1+Hv70OWB6P06hvxhv/zKcMGI1N/dWLroMgrQuT9imw4+/Q1RqwzTYeEU+eUn24AM9GjcBg4qf3OI+6g0nXUat/upIYE28iF5J3lbUSmDSmirBLc8xgHLdOyyJPTObWYWYxlSL78T7IqiMm9lI3rtBlpJDDcn/YxZpVqN5bg2154GISNK+uR0TVSLdJ+drdGHIfIX3G78XSxf2L9rbJyRn8MQlgStfdBIQicLavQKVMrmj+XQfvEMez23WbPLjH4oViBQFI+GrOHOGy/f16cz8Sn4n+69OcsOeTxs3tKYdfq6r1XLYSJ/fe/zvxBpaZiyGXljsuyEdIyBL2A8D6uSXe3Nd3/DAdBtceFfIdN1olCdutixzVWgxaJnrel161z5A/4w=,iv:Uy46yY3jFYSvpxrgCHxRMUksnWfhf5DViLMvCXVMMl4=,tag:wFEJ5+icFrOKkc56gY0A5g==,type:str]
    gpg-signing-key: ENC[AES256_GCM,data:y/g1rpsEgiGEJ9BGii6te166ABpg1jgsyYMT1Ji5njLbT8/juBBMc7BFEM5BcIxKpQGijymsB+Htl8CZAN4Bl3FHSRyrnXGuMCnveJfw1qTVjMa6soriHv7EdTDFPCp3TYMbs1OgY/bhGJIvp8e4hCVd4F3x8eAlFmiwHhkxr62qQNHjH7SRNIyUNibf/TTttOeEcercxOy7FeUE99D+CWG4pnJNEYyRHDdddalgpSJyZIJvPpXoKmeCDk3futnxiZ15Vr7bDS5u4dqnE+no7DKoZ5fvk38f/77JH3w/Qom7NCYSG6L+unJ3r3RKuuGMRDjdz09TPZ4APpmrlyOElfGMmm134g6mdhgXmwNCo65Z7VOd1OKFA/uyZm2b7XsT3tCgRalE8gBa0R3MBMi3JK+5KUdS6ZUvYXDt8D8C68ldM3K9E7lyeeHn775rV6L4JIXcj/NL1O23sXtjeVuUPQmsUesgYlllRaiTSTfY7K+yOIG3wqqCuCDSAeILQICkvod4iw4xdVMQzd8eQtbD6bCjOzHwvBcu+rOSN6ti+xOQ7bJ9+6xhCgJJsiADkp2q09cUu8mDbUh+YJxfu+oZhPomOJVDMSqfS4qNXcVM9mbak/L9KPR4b83GqTpmXHnDMlGe4BHGXrkIUKPsBQ5TmdckXbpRDBQFrnjVvFT+Gfx3xwHxWc9fbxcFID2wp69EzQrGC77bDPCFxBT5vAVwffGYUezPQEo25bKRpCWxTFTpiIQfACrwzZc/O9cmwDgrYN7bTZyrrp8cbyBtllZGYmXxLDkDOzIqzpLG3b0yJC2jSnw0f1DkU6M2mD/j9FRTVW1MVymyLPiZQ7T9QyZ3MekHEEY1QqmyiJMIOekSzC5+3Us6Nl32MeBrIry6NuV8ewIQF5bcZEHtSmZ0k/wBtK0fpFHUuc/vETFuRUiQw/InhN5W8iH78vFvflxBfg61Qp7PzEx0k0axwEc6VAKbEg/uFNL+fhUKKt7sYiEBmwg2Vsj3pyZgdmjPZEsOQ86+psaxv+2feH94wog47jDHFRrc4iRC5w7kZ6UJXHfZt9lkBbwl4qNwiOLlPnUUcR+CpTBpPoKD9ulidQGfcYY49+iE+PM5dAI2CtisKpLQiwmrvjOzB1a/rC9QnH679frgH5Ebb57WRL4uSAVNRdIvIGzAF5MNwQOu+cxKoiW6ZmuNJSb547XUB1UO,iv:aKzrgAV30sLfPEpgdQ26ZzdM3+gYtoSpZ9mNyqCqf/M=,tag:vjywN4qxh2zsCE3RPG6Yrw==,type:str]
    ssh-known-hosts: ENC[AES256_GCM,data:zlRLoelQeumMxGqPmgMTB69X1RVWXIs2jWwc67lk0wrdNOHUs5UzV5TUA1JnQ43RslBU92+js7DkyvE5enGzw7zZE5F1ZYdGv/eCgvkTMC9BoLfzHzP6OzayPLYEt3xJ5PRocN8JUAD55cuu4LgsuebuydHPi2oWOfpbSUBKSeCh6dvk5Pp1XRDprPS5SzGLW8Xjq98QlzmfGv50meI9CDJZVF9Wq/72gkyfgtb3YVdr,iv:AF06TBitHegfWk6w07CdkHklh4ripQCmA45vswDQgss=,tag:zKh7WVXMJN2o9ZIwIkby3Q==,type:str]
    import-user-env: ENC[AES256_GCM,data:wArFwTd0ZoB4VXHPpichfnmykxGxN8y2EQsMgOPHv7zsm6A+m2rG9BWDGskQPr5Ns9o=,iv:gPUzYFSNoALJb1N0dsbNlgHIb7+xG7E9ANpmVNZURQ0=,tag:JghfRy2OcDFWKS9zX1XJ9A==,type:str]
    runners:
        alpha: ENC[AES256_GCM,data:gARxCufePz+EMVwEwRsL2iZUfh9HUowWqtb7Juz3fImeeAdbt+k3DvL/Nwgegg==,iv:3fEaWd7v7uLGTy2J7EFQGfN0ztI0uCOJRz5Mw8V5UOU=,tag:Aa6LwWeW2hfDz1SqEhUJpA==,type:str]
        beta: ENC[AES256_GCM,data:DVjS78IKWiWgf+PuijCZKx4ZaEJGhQr7vl+lc7QOg1JlA4p9Kux/tOD8+f2+jA==,iv:tk3Xk7lKWNdZ035+QVIhxXy2iJbHwunI4jRFM4It46E=,tag:9Mr6o//svYEyYhSvzkOXMg==,type:str]
        epsilon: ENC[AES256_GCM,data:JMnZVBdiy+5oPyXgDpfYvy7qLzIEfHy09fQSBDpNG4zDXTil2pSKBKxk09h5xg==,iv:/8oXKJW6+sMBjDt51MqVAWjQPM5nk02Lv5QqbZsZ5ms=,tag:+Rx7ursfVWc0EcExCLgLhQ==,type:str]
 mediawiki:
    password: ENC[AES256_GCM,data:HsBuA1E7187roGnKuFPfPDYxA16GFjAUucgUtrdUFmcOzmTNiFH+NWY2ZQ==,iv:vDYUmmZftcrkDtJxNYKAJSx9j+AQcmQarC62QRHR4IM=,tag:3TKjNrGRivFWoK3djC748g==,type:str]
    postgres_password: ENC[AES256_GCM,data:XIOmrOVXWvMMcPJtmovhdyZvLlhmrsrwjuMMkdEY1NIXWjevj5XEkp6Cpw==,iv:KMPTRzu3H/ewfEhc/O0q3o230QNkABfPYF/D1SYL2R8=,tag:sFZiFPHWxwzD9HndPmH3pQ==,type:str]
@@ -97,8 +94,8 @@ sops:
            UHpLRkdQTnhkeGlWVG9VS1hkWktyckEKAdwnA9URLYZ50lMtXrU9Q09d0L3Zfsyr
            4UsvjjdnFtsXwEZ9ZzOQrpiN0Oz24s3csw5KckDni6kslaloJZsLGg==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-10-12T21:56:27Z"
+    lastmodified: "2024-12-09T21:18:23Z"
-    mac: ENC[AES256_GCM,data:bZ1BbVC6D+B6SFze2ReeCUcQamK/O14zH3YxCjWBwMC++w3niIiEx4Bq7Ulci5yuMld0luVsfUzHoqFN/+zvZbV2rGVk8lVRiTrpFoSZ78aUUgeHG9ROLXsR7T7rVhLWbl86y1G5LcKws7G55V0wAh6f58WjYYzwR8fnBmfW1Ko=,iv:7xtMdtXQB9uZirE/CkUSmeu0qnG++R7DUR7zn/Bo0lM=,tag:DH/BJPpAp//quDqKNXyHcg==,type:str]
+    mac: ENC[AES256_GCM,data:scdduZPcJZgeT9LarRgxVr/obYsGrJAbMoLGJPPPp19qxOJMTdvYfMz8bxPjCikB4MacEgVZmcnKIn5aCzHJAnCI/7F2wm1DDtW9ZI5qbhDJKSSld+m2leOSPfR8VY/0qj6UNgGnwkwx7dfcAlv8cP2Sp3o1M2oyQxeXPr5FWEg=,iv:JEAwkCewMp0ERmYU62kZkbl7+FET1ZeRr6xeEwt6ioM=,tag:jxvli935X3JyZYe7fFbnLg==,type:str]
    pgp:
        - created_at: "2024-08-04T00:03:28Z"
          enc: |-
--- a/secrets/bicep/bicep.yaml
+++ b/secrets/bicep/bicep.yaml
@@ -3,11 +3,14 @@ calendar-bot:
    mysql_password: ENC[AES256_GCM,data:Gqag8yOgPH3ntoT5TmaqJWv1j+si2qIyz5Ryfw5E2A==,iv:kQDcxnPfwJQcFovI4f87UDt18F8ah3z5xeY86KmdCyY=,tag:A1sCSNXJziAmtUWohqwJgg==,type:str]
 mysql:
    password: ENC[AES256_GCM,data:KqEe0TVdeMIzPKsmFg9x0X9xWijnOk306ycyXTm2Tpqo/O0F,iv:Y+hlQ8n1ZIP9ncXBzd2kCSs/DWVTWhiEluFVwZFKRCA=,tag:xlaUk0Wftk62LpYE5pKNQw==,type:str]
 gickup:
    github-token: ENC[AES256_GCM,data:H/yBDLIvEXunmaUha3c2vUWKLRIbl9QrC0t13AQDRCTnrvhabeiUFLNxZ/F+4B6sZ2aPSgZoB69WwnHvh1wLdiFp1qLWKW/jQPvzZOxE4n+jXrnSOutUWktbPzVj,iv:KFW4jRru93JIl9doVFtcNkJDWp89NlzWjPDflHxcL/U=,tag:YtgyRxkoZO9MkuP3DJh7zA==,type:str]
 minecraft-heatmap:
    postgres-passwd: ENC[AES256_GCM,data:T8s9xct07AJ4/Z6MQjNrqZQq7FerHz8Op+ea8zO2MDLPWWgU7/hBfrr+T4sc1TgT3e5vtE0dVcqCSbZCZj+6zQ==,iv:prx6d8c92OvbL8IjBLAvi1Vqk69D6ZIkAp7E8CSljok=,tag:UA5YS4YwViYZJ2PWzIIM3g==,type:str]
    ssh-key:
        private: ENC[AES256_GCM,data:h9OtD6hxrxyokFDe9bveAkMICrs3YrsAEqg0RVHV+xCkgkNAdoh85wb1QI8FJ0tga4Bfq8ZxZTdMnexQvbYWL8m/N/P6gWoPPJd7dwGuxaUZu5lqngVuHIhH0yWFWtPXjQ0Zyl5Q1aBKyjzJMvJc/H2iprgVH4YFs/fWf/KDEp17Plvvz0AoPGPrOZErDmne4MtLbW3pUm1r5ACo/41OyXYwjHk1Ywgsoz1CMxe/DrmkADnf7jSDWL6Q0mz8hIIYi8GbToJS4BIJ2plttraxV9sqpIPzS/1jMERNchItlkCppSYIy/eohVmskP8dAySm5Z7HNGGtzWSSGLxq15xKc7OVFYPMI+B35nPnp1LVOUWqBHAqVo7dwxc3VXOlVat7AMknUZnr67d4TIIl5BOdy/rvAxzXS/fDV0zntIs5o3phKStVvq07eZFaOVva45B7Pyyn0PdBhHBt2JcBtm+Xtg9i3xvZdwQgbeeJRhnYgDqK6BVhmtTuirwp1GOyslqaFCjg0MJj+W+d8R9gbbfyFR6YrZQAkcd/o/yZGg86z7Phe18=,iv:nt/+qPBwPZKQt43VJ9FbKjLYioFwCxD7VK9WNCJCmpQ=,tag:MuDfnTiro3VVJq9x5rkEQg==,type:str]
        public: ENC[AES256_GCM,data:+fiCO8VRSmV7tmyweYSpZJMOuMORLHkWetYbr20aTQ1vRYr927nYGes4E464t+Dv9OyJPCLmHBdgt7UvxJWuC3pZE8iStnBYnej3D4ebMzi2SMfOkJjGuQSplXtl8QeAYe1YvROmtQ==,iv:thgGQUyWdXfwUt1E/vudoNjl8JjnksFd1rb/asTry+g=,tag:t1iQPocvfI+JafuJycaLuw==,type:str]
 sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age:
        - recipient: age1sl43gc9cw939z5tgha2lpwf0xxxgcnlw7w4xem4sqgmt2pt264vq0dmwx2
          enc: |
@@ -63,8 +66,8 @@ sops:
            cTh5bnJ3WW90aXRCSUp6NHFYeU1tZ0kK4afdtJwGNu6wLRI0fuu+mBVeqVeB0rgX
            0q5hwyzjiRnHnyjF38CmcGgydSfDRmF6P+WIMbCwXC6LwfRhAmBGPg==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-08-15T21:18:33Z"
+    lastmodified: "2025-08-25T12:27:53Z"
-    mac: ENC[AES256_GCM,data:uR5HgeDAYqoqB9kk1V6p0T30+v6WpQJi4+qIeCDRnoUPnQKUVR10hvBhICck+E+Uh8p+tGhM6Uf3YrAJAV0ZCUiNJjtwDJQQLUDT53vdOAXN4xADCQqNuhgVwVMaruoTheEiwOswRuhFeEwy0gBj3Ze2pu47lueHYclmEzumLeQ=,iv:t0UyXN2YaR2m7M/pV2wTLJG5wVfqTIUs7wSQMmyeTVw=,tag:O7dIffzrDAXz3kGx5uazhw==,type:str]
+    mac: ENC[AES256_GCM,data:GoJ2en7e+D4wjyPJqq7i1s8JPdgFO3wcxrtXOgSKTxi6HTibuIcP4KQcKrCMRAZmXOEL1vpnWFA2uk7S00Av7/QOnzP0Zrk3aPBM6lbB+p9XSabN0sOe1UpZDtAM3bzvS9JZzyztT5nHKvO/eV2rP71y/tYbsT6yvj7Y9zxpvKg=,iv:tQiCr7zpo7g5jZpt2VD9jtFKo32XUWs94Jay+T4XWys=,tag:npBqmlbUUfN+ztttajva3w==,type:str]
    pgp:
        - created_at: "2024-08-04T00:03:40Z"
          enc: |-
@@ -87,4 +90,4 @@ sops:
            -----END PGP MESSAGE-----
          fp: F7D37890228A907440E1FD4846B9228E814A2AAC
    unencrypted_suffix: _unencrypted
-    version: 3.9.0
+    version: 3.10.2
--- a/secrets/bicep/matrix.yaml
+++ b/secrets/bicep/matrix.yaml
@@ -9,14 +9,15 @@ mjolnir:
 discord:
    as_token: ENC[AES256_GCM,data:cnPZjBbODZUA1p0kLNeWpKh1oGkDPxDw/g7163XnoRCIgpqk,iv:Uu4L36uDPMBgzdXE2Lt9U0qrBSl3Xuufh1313BD8B/U=,tag:nTm6s7IGd4vNzZ95mfxDpA==,type:str]
    hs_token: ENC[AES256_GCM,data:UzcaNsJtJPKvFT4gQDNfat0nmyJzmQ6OcSI73pANibzOVrWl,iv:ujgRM2jb1rbeloPB4UPLBEvQ7uue4a+bHiqsZAHIqtk=,tag:uIfuaTWSTeVvpQx5o28HPA==,type:str]
 ooye:
    hs_token: ENC[AES256_GCM,data:QBrdRt4ozAh2XYJtssm82uHlk9aGO1Nr0fEZetmWfLvmw52FZEq8ijyKOgwS6uTcndMi4gGKkq9r4eapLwcMdQ==,iv:VHOAqxR1WGzZ9dmNx+FmjGAKRpUFjWOwyOVmgDswpE0=,tag:k5it/yx7pOfGbJXZUlV69Q==,type:str]
    as_token: ENC[AES256_GCM,data:RMkY0xVj14FwDbYaAysSmzB0IlJuk0ucicNhhTmVAEgiU05PxWG+qk3/elFcaFwaXRFgQQtVyGFZEcK5gpE9hA==,iv:8JgNrTe7GQqPMdUCxEaxJ9qV7Uec2fkYBmF9LmH4X3o=,tag:tRnFpRAZs9kO3u2SDMwNnA==,type:str]
    discord_token: ENC[AES256_GCM,data:6rzv3glW03jcYiJ7sAvDcvDmQHs9iVbV11tIFwgD3GuTkVn6mbAoQhjUaz3zpb/OeoGt+j/pCBRlZgk=,iv:JwkqLpeGYhgwLX7SACNh0AUO53XSx9IKgncI0+KkvyU=,tag:30C0X9nVSlEYPITVzuN0qA==,type:str]
    discord_client_secret: ENC[AES256_GCM,data:wbM7bPZCWa2+UNUqXi27fP0ppdinRkEC4N9KB68TJzg=,iv:Y2j+8oI+kI7DMrBfFU3G5HtFWguNxDpxbNvJkpK5lQs=,tag:GntocbTCybCVqZ2T3lNSIQ==,type:str]
 hookshot:
    as_token: ENC[AES256_GCM,data:L4vEw5r4RhcgritOeDTLHN5E/dM=,iv:pC8BLzxf6NaVAGsotoq6chOceBVdMLvrsQn1LGw9H9w=,tag:SI3CDFHAvgQZEvf/oms3EA==,type:str]
    hs_token: ENC[AES256_GCM,data:2ufSJfYzzAB5IO+edwKSra5d/+M=,iv:cmTycGzNL+IeRRKZGbkhTtiksYTtbxED0k0B5haFw7k=,tag:FmWe5sGi9rlapUeAE6lKvg==,type:str]
 sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age:
        - recipient: age1sl43gc9cw939z5tgha2lpwf0xxxgcnlw7w4xem4sqgmt2pt264vq0dmwx2
          enc: |
@@ -72,8 +73,8 @@ sops:
            WEh5NFN6SFF1TlltdWFWTGw4MHRHUkUKrKIvC87xjEmwxPQhH8dN+ZuaJTCgPY28
            pR62KxmoKFICLTHPpYP3euiAx5M9BWvgvCnA/US/5klpk8MtlreNFA==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-10-13T23:30:01Z"
+    lastmodified: "2025-06-21T21:23:24Z"
-    mac: ENC[AES256_GCM,data:vdsAZmg7gPqzeucBhLhPemtRVkcxRecIdB6PXZ4paU+Uv5UorBKcTZ3jseN2cLi6ot3ycTIm+UI6uhlCy87vAJVynVJhuJS+ICFRS2+DfoVyuttLjZQGC2sr3+dEBHxIH7sZJSo9PIzbIWw3qHrpOPAZj0//1pFyp/k15k3vidM=,iv:jWtV+WAPt08lgdrVvtXOl35rDB4QflkZWuGBW1+ESyw=,tag:YxSHncZZOAW5uDxXtb/krw==,type:str]
+    mac: ENC[AES256_GCM,data:bEJoCzxph/MOnTOJKdrRiQmbVWmAgsKy8vbD5YBeWagWUCJPDAZNDFLzEzmPvt0jDBol04JosrSIKZS1JzJIIm0zRkcOWSqERQCgjgtGdAYmfp0V6ddseDUVfKlZYJDkt6Bdkqg+9LzrP8dDVm2tMDXpo8vzs02o9dTYFm7imVQ=,iv:buP/297JMfvEm9+IdMWRGV7AgZwF0+G6Z2YIeYw/z1o=,tag:+zG612MJA4Ui8CZBgxM+AQ==,type:str]
    pgp:
        - created_at: "2024-08-04T00:03:46Z"
          enc: |-
@@ -96,4 +97,4 @@ sops:
            -----END PGP MESSAGE-----
          fp: F7D37890228A907440E1FD4846B9228E814A2AAC
    unencrypted_suffix: _unencrypted
-    version: 3.8.1
+    version: 3.10.2
--- a/secrets/ildkule/ildkule.yaml
+++ b/secrets/ildkule/ildkule.yaml
@@ -1,15 +1,5 @@
 #ENC[AES256_GCM,data:oyFG9fCzJH8yLB0QY78CVOcYO6Ttp/ARqtIcXwWGYOvL6nW+yLcakrdmVA96sR5toywb32aW,iv:7o3FI0cI6GHCwmQfLYh2iAVr8sELOMoxGSzE5qvuAaI=,tag:z9F1c4dOIiy2FtKpBwm5wg==,type:comment]
 #ENC[AES256_GCM,data:nhDznFCozGpXdYBfumLyhp7TnA7C/IqBCpHJ,iv:3AZN6iVBha8Qh5/X6Yn/5JWsGhDXlE/zdUh1CcO7fQc=,tag:59DaAyKTOmkKty4eyFWFqw==,type:comment]
 #ENC[AES256_GCM,data:vQu+AG19Vy94xxwj196G2uk9,iv:YJGBvoMgOngjn/TeuXeoU82daRvJDxvCQMYb3XCPlw0=,tag:fU6ZhhmAh0yh3/QuXbCNkQ==,type:comment]
 #ENC[AES256_GCM,data:S1UOENn/ewhw8Pb9CmKp,iv:jafOhkCoiTm5HXQ/S611L4VlQFa1Wqr5WIIRzLQm3i0=,tag:6CQ+Y9E/FxWN8K+D9J7+Fg==,type:comment]
 #ENC[AES256_GCM,data:lHHmoCHyP2Tc3waRGeMPEasQiv5+,iv:W6SSFpeWBfTBOEDo4P9hox39eoAiO40Ay4T3QeiI9Tw=,tag:9bLbcEZ9/B1QolDettwcfg==,type:comment]
 #ENC[AES256_GCM,data:DrF4XHSd8QAWn5h1xEGGpDKMQcLF,iv:nPCBbThQh/Aa+uccKJtmiCXSvoJKHxZMJ42yFkV+hi8=,tag:3l50mMn7cPoCnjPcHv1+Vg==,type:comment]
 #ENC[AES256_GCM,data:ADUhFzufaR2xXNOLgiXKu5Cd8Zx3waYeZiLF,iv:WMK2gJwplf6r/EdijrvrOBHgPL57W+UMIQ8dBPp/DBA=,tag:E/q/ccAd7UH3BV7nut6Slg==,type:comment]
 #ENC[AES256_GCM,data:IVFSM6VOWnR0YDRfecsDPlYr,iv:Jxe8pq3lxw5QUGKyspB8tWSquDSMo3mAJBAsQGKxSec=,tag:7bffwY98iTX4/De0coUIxA==,type:comment]
 #ENC[AES256_GCM,data:pHSDnojWTLYXIKk=,iv:ph2xCpxbP3OiWm+B/MDboykPa2gtCWpP0b3j96YCDh4=,tag:u5hmvxHaa/m8GaSeYvONmg==,type:comment]
 #ENC[AES256_GCM,data:Q0fCyyP0DJqUyJPo,iv:qwBE3c2VqF52Yq8POXhy2Qv2xJd82wL1aX4eVY6wL1w=,tag:IwmbD7XqIkemOTODBKpS0g==,type:comment]
 config:
-    mysqld_exporter: ENC[AES256_GCM,data:w4muNsWmsW1fPx9nqtDGPCZ9faO3W5Pagn/DfWrb5yf88GQOzOsN4z7TH3QeW0Xs6I5jDIktGmFml6RDxCjD8UX9eer1pvC7Kxyl2DQKLHwmsgx1DUFNTRUzE1Sgx8rZAJ8HM7DO7L/6aXS0ndY4J+huyhDDVd+cIetgiQ==,iv:Q4cZD9CKd/EDOm4bjAE2EOstwKpwexF2pxhMEF0/5/k=,tag:S0rOLJS+b9ualtxcHKdHlw==,type:str]
+    mysqld_exporter_password: ENC[AES256_GCM,data:I9K+QMqaN3FOOVKzeOR9Q6UERStXX0P8WEHyN1jzzbM=,iv:UxvIdlfAyJvNuxPkU4+guKPa0fiD0vVLzHOTYktcmso=,tag:ltnIqEwESYx9HBu8UN0ZLw==,type:str]
 keys:
    grafana:
        secret_key: ENC[AES256_GCM,data:+WoAJbDBEgKs0RoHT+7oEELAVQ+/2Xt+5RTMSXg23moCqVRx+Gzll9P5Drw=,iv:AkRn/Y20iEe5i1T+84wAgLCTFtAox2G3giyawAkltAw=,tag:BZbt5Wb5lYLIJBm/pfP4GQ==,type:str]
@@ -77,8 +67,8 @@ sops:
            WDRSdDZRa1lIbEVTdDlhU1dwUXUzQTgK5iE4Cf/zjsPYHKcqYA0rFqY0TNcCnzNU
            vTM+cEPaA+/FXTwLfPpaiSkg5Fq8k2XdeMQsjQnglTBSWCwAJin27g==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-04-20T23:41:59Z"
+    lastmodified: "2025-03-16T20:08:18Z"
-    mac: ENC[AES256_GCM,data:38Ask+adT2FshF8DYEfCWeVWt4KiaJsTXhF7Ib3xxdfQ6vAixM2OXTaK/qqUvN6gQok9TFF+HMJBJ+jezV00nVcKUYn04FaU2/D2zdam44eEEYEEovmfAZ6vbC+CiDv4d/DCc3hnYtDZCEgUTfP4gsZ9rLZFAOwaOFWRJxcDi6Y=,iv:BzuWdTjn6LhscNeouHjM7IYKxTahA8PzzlHSCYZ618s=,tag:BWtPbNwzdOJb788eOO5ZNA==,type:str]
+    mac: ENC[AES256_GCM,data:C2tpWppc13jKJq5d4nmAKQOaNWHm27TKwxAxm1fi2lejN1lqUaoz5bHfTBA7MfaWvuP5uZnfbtG32eeu48mnlWpo58XRUFFecAhb9JUpW9s5IR3/nbzLNkGU7H5C0oWPrxI4thd+bAVduIgBjjFyGj1pe6J9db3c0yUWRwNlwGU=,iv:YpoQ4psiFYOWLGipxv1QvRvr034XFsyn2Bhyy39HmOo=,tag:ByiCWygFC/VokVTbdLoLgg==,type:str]
    pgp:
        - created_at: "2024-08-04T00:03:54Z"
          enc: |-
@@ -101,4 +91,4 @@ sops:
            -----END PGP MESSAGE-----
          fp: F7D37890228A907440E1FD4846B9228E814A2AAC
    unencrypted_suffix: _unencrypted
-    version: 3.8.1
+    version: 3.9.4
--- a/secrets/kommode/kommode.yaml
+++ b/secrets/kommode/kommode.yaml
@@ -0,0 +1,94 @@
 gitea:
    web-secret-provider:
        token: ENC[AES256_GCM,data:7ljFuW0CApzvvGSpWa7fiITIXtejhZk5aed70NNup6AS2GpDOv1NMw==,iv:vi+0BM4QkpnMatlGU6rdEYnCgGUU3U8SuE3imbwKfdE=,tag:uTFaeS/56t/MfBwb1hpkvA==,type:str]
    password: ENC[AES256_GCM,data:1Hr2M95xT6J4SxnQLWe9ZQ7q4BIAACnpQXEGyCEm2OgRb/kqyv2s+gJAsw==,iv:95CbOJzeGl+jT8OsSSSx+DH8KYD1HtbXOyZhR60QwnU=,tag:dheIVvgqpiFrKvLLpFlPBg==,type:str]
    database: ENC[AES256_GCM,data:nDZqnSBKijyhslBjhSu9weqLVJzUiBD8Ltu/nmllicadraeISylyEk3pOA==,iv:XFzM1pGv98jehdgvlZN217LrsK8TcAMFK5eDrPi2bm0=,tag:+YpXqMmvMTrnt7cDK/Sa7A==,type:str]
    email-password: ENC[AES256_GCM,data:tasMZ2Zu449o/mH6uSSPM7cFOlBg4vC+,iv:lDNMvXh5P3HNy9pW6nBsSLCyij/3HiSRunVuLeKAmbI=,tag:ApqGWYE9MSE8m6iYLK6Yww==,type:str]
    passwd-ssh-key: ENC[AES256_GCM,data:VOp8vqVoX9IFJhzpKy0J+AzyX3TvxEIBvv3dXpD1f8szmUyPwd4gDOlaFpqTSDu8ebmK3m/D0FMTkfBkPVhUG6XTPo7YIV37gLhfsBF6CuwCMXxTQAd23nfpwJKcDIn3R5h8Mu4MMme2Ev/4PNDztktmIYv3KoEbPglzBMS4LrZqJsDilvIYKEIDUExhSAkESKQZiIzK1TdtWDQSUzvUZ3OsbxONZgaTw5e+xz3qk/q+IR5eRNp9fpeZQ8EkpC7aa/JDIwxzNIuMFi8W9PWh6ANmAOm6GK7JSKiHYQL8GofVifhUGUanAnjgDTYkIWpDiSsuHjfDPGupFCeONNd+Wd4NpJZsej3p9ldLOVxa01Le2tIVYY80jUWT0dpV9IJ5syp4gVaky5Vk6i2QhvjunDoEUnArSRGyMTxWfxAxZLvbLYMNAJDoWzy25vf3jteNB43lVHckEW1F8w/RtzoKzbjKYiANHg+eNLVq0HK67gX2twpblNN4OBt9d03ZbV2lZjTMXGzJXHGFT5ZPDwTkxcDooNvoRuCMe8t8dpuksHFaIp4=,iv:3sgiIgGD9pmCMLVRk0Q8+7GZajYIWsokDUx9JuNrO2c=,tag:WDXyNYtqjdAMePEsnA0hbw==,type:str]
    gpg-signing-key: ENC[AES256_GCM,data:AyafTF3H8p1qDk9xsNvT68BksoKGLwE2uE3hjz0TrT2XPxCRDOIlfAVYEPSu2Ih6l5a2uruEJhHPtU2fPCB2hln3Bv3gZfFGLb3GFWkSvdePIYFxG56uqGK5dE1KaMccc2cTi+raDImKqSTbp7Qpdo/c6C0WYVglYrD+2l8Y4QOiFuazyLY9zwcX0qG7pIjJ+akCUjfE4rJDAW6H/v+OqvHpcED3q4iXOYuw9sj/UeIgZfJ5Xc/uVrRmPewP4yALnA8o9gsaaLdjWRFIILe7VRwPr0YqwQ6XGgc+pEartkV8AzxjCq6DOtifOOzmu8EI1U1yoaOViYCAMbSHfP6SIKr7pJbrdU+YDBq9mvRx8KPXWUU2uNGrMObATEzlqMYAYA/HJeOdV4w3Axvq8RG2FLkJxJJniwNP5VZRF3bbbI3w+hprRP2yAwgeQw19KBU8yF8upKga/GdMNScpKJvRyVLjZtI0rsfvSC81lHawouuje6aPXT3dH1S5ROJBHMTeV0sP0vK6liBevz9RZpvNs6JVyNCgiRRtRSSYqsgwPJonDKuPeI/Zpgih7HboA8HqhIibqpO96h5/4yO69oJAbLUYV3zlKQcMDTaqadL4Ox5Z+8ygSAL3l1ufZIFGSj73SNHGQqQlIS/a3dAccRi5fPqv0gOmGFAAUJPKfeauFn3TclwojKzu5vwmQxZ5g50txEpTSTaYOy++qq6UZa/dXEyDC7fle75dXhqXyqMCf9kDwZZl5E9eBsabNdTF+auQCp82iLQivdBy7uJX2hkJFSg84fF9MLgH4mOcMQc2E/z961uNzEgoyvVhbDY6+SIJ+6SGmnardbFW7mYrj/QqnSUiMc4tHukAB4NGQYHgjOYRZMpHfVO/6dLbjmTOljnPsnfQUCepvb9rGim8NazvnARaVzezx4t3tfbNR8uLQudSeLZzn/Fu1mKSQvpP+IjdglmyAgp6QhB4OCDPbiaMRDUtOQIzlVILdz1/geUVzhZkJ4xzkm5klGukhtv+3TqjiTcEnoVJC+A1jRvxBQUfEE92GFuupJUfrw8bIDqsWQLkHPCNUMgdoKa/q2OkrWeQz2zm2yUqMAJn1/puoLHdSH5aCELUggx1gQZoc480pSBUvSCML+Qc4B4Cd6hX2PPp+/KQeKtfqHIsKz2I+DMT6KDirReX6WHxqk+s2DtLw7Wx/j65PWCIWLCz,iv:c9BDRxQImWTmwq11+T2CW0S00Dixd8d0od5xn5zZmY8=,tag:brnMedsdTwlkbaHaLa2w2g==,type:str]
    ssh-known-hosts: ENC[AES256_GCM,data:P6hKaCpcZdXIy4rE/1b1+66Md/3Kmviileb0OIT3Vz4IVsDLecBh3IiadHq66V4KocXC4LBUNFjcrxlVVGIonHJ3qd6VpQUwG0n83yhj6LD5hgxmZ5phAyR77Ri8BiH1lWUcg51L2k0U+WJFPP6JkumT9MEz1t1+JYr5Imij6GKRWRKFwTbU6QJwFH4tCA/iGw0ElrzIjSHiNiwIKfbm8yas9vlOhr4y7vCeV10hVyvV,iv:dZ8hQxhn7pokWbQG/8rQ2vFDpPYut7WCG3xy9g6kzNs=,tag:xMyPtJJoh8kjJcOT4t9aRA==,type:str]
    import-user-env: ENC[AES256_GCM,data:9SE2k3/IJqbdexj0QFSQBQ1+u1AduWNjt+0XIHryJlxIEdvv9a+6hP4EXPo+31GnaE4=,iv:qZlWOBV5owr3ESTyFaV/R8VwlGl04kaui80I2zYk4zY=,tag:PhjRfEC1xoHaYyl648yCVw==,type:str]
    secret-key: ENC[AES256_GCM,data:YqwSJazPqz1OOsUVIPKsGvIHbX7SyJqryan1KWSRGRJkt9yZlaiRtQG/mQugAM6IvLFD3pj+gPTcXyqenaAQKA==,iv:nyPnL7wuhpb0kl0tm1JhOHmF7KI9vVcTN1SRGTgD2o8=,tag:Rt/IPC/YtBcmTx5osGlbBg==,type:str]
    oauth2-jwt-secret: ENC[AES256_GCM,data:YUVbf0xgnzeNoahu57yzoib2XSB0rR2AAIkdlEe8eC9AFEdv4vE0S372jw==,iv:k1cEa/sWqJZ9b/NetVSR37BYy6UUOM4qAnbsfLEw+5Y=,tag:CrUh0xDWA77dAFp8FY0jPA==,type:str]
    lfs-jwt-secret: ENC[AES256_GCM,data:fAirrt7Ue1XpHYB12e8l+47x1dY/eIsDV61KrDA/sRSKvZherRNnahtLQw==,iv:S6+rQHf3TL/1tKcknX/jHJ7k79GCU1BRBZHhuqXSRME=,tag:WUjNaP8bb1HvZnAX3+vXoQ==,type:str]
 sops:
    age:
        - recipient: age1mt4d0hg5g76qp7j0884llemy0k2ymr5up8vfudz6vzvsflk5nptqqd32ly
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjWnlOa1NGME00dVhBQ3Z2
            UE1HZlc0Nldrb1VwZTk0Z2I2Nm5ZazV6WndFCnNoM2JaWFJnazJaWlltVW9uNGhm
            UmdPSWlsdllORFhyMzRhYXBKQjRqWmcKLS0tIC91RmRCNG91UW1xb1pETXczSDlM
            aStmM20xL0hHT3VnMWpTSEltZEpqT1kKj7Io72QSR/dgggQRBZ0gjs0Q7Y3GIP9K
            GPgvKGxEi8CcrUj5J9u7rDUed1/TowgWWs/ujt/8q2zfli7AjTpS1w==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age17tagmpwqjk3mdy45rfesrfey6h863x8wfq38wh33tkrlrywxducs0k6tpq
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByclROelpuQUFPQlFpREJr
            NjhlUDA0TGw4R2FKbmRwWEVCSldrem9neVI0CmU1Q29qUUNZbmZDSkx0UmZmNkVL
            dmNQMEJjRjJtcWFYNE1SamV5SUozZVUKLS0tIFBMdFB5TTV4dGRoeVNnYWV5dERY
            ejV3RTlSMjNlcGNreXM0YjhpUkVxUzQK2xB69WIRrMPNdZuJUzwuNM/a/Qzpyp7b
            nInPmTCCOhqc3eNFSc+od6y5urMeW+r2i2iNV4B2rIdJTdLl1434eg==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1mrnldl334l2nszuta6ywvewng0fswv2dz9l5g4qcwe3nj4yxf92qjskdx6
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuVFEyaWtlV0F1d0QvMGpU
            KzUxdGpXRUMzOWhSODJNYU1Id1Evbm1QelVzCmNZS3NSNWZlZDhPYUVCS3ZIUXRM
            aVdScUI5aFI0aXU1ZUx0VjBBQW1hRUUKLS0tIGtOcmFNTXIxdEV0RlI0akJpWEM0
            bk9lWDZkS3BrM0t6V2xEbVdtZlQ1aTgKv7bIQpdGIoXMxPZDmLzqunIEaqQ5M63r
            Qu1oFC+yZh2UlkjGxKE6HMlMGn0CnBcTa8XvBaEVMfchVR/2WVq8TQ==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1hmpdk4h69wxpwqk9tkud39f66hprhehxtzhgw97r6dvr7v0mx5jscsuhkn
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGQWM5dlFCbTIrSXlZYnBw
            VVQzK1ZiaXpQcTcwQzV5YVV3d1A2L012K1NBCmpXNnNnenNrNTZDUjdXdzNXd2R2
            T3FSc3BLdUUxWEs2OXlRNEdieXU1bEkKLS0tIFJkU0ZGcjd4bEUyOWFZeHVUMHow
            dVNTbk41S0VUNndQLzRoZ2ZpVTVqNU0Kp6okYalYtbI1CFuJq/881ZyOVpFoRq0j
            DvG2E2U+go6XftSaJ59DIUC6rzVBg1JKpJX3TS6SJhe+T+1paoxG/A==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1wrssr4z4g6vl3fd3qme5cewchmmhm0j2xe6wf2meu4r6ycn37anse98mfs
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArYVdXc2hrQ0JFQnF6NFpG
            UWVMVTN5U0JuQkRxU1ExdUlpWkV4RHlvYUNZCmIzOFI5QnVrMU84VTV6WmcxdjdZ
            aTZpOWZNdGNoSnJ2c0R2UzJ2cU1TRmMKLS0tIGFxTkxaYjUvaUxsRmhxRmpVeFFD
            aWt5dnlUYWxoUUlHTjRnWEVBU0NzODQKQ2v9oCbXhUhRnURyHWbAIJHGjgb/eVp1
            h9Tdld0TWTxxbyN8JkRa80B8JpUVwHgeqJmq2krnhDrYLN9zaugVMQ==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1zhxul786an743u0fascv4wtc5xduu7qfy803lfs539yzhgmlq5ds2lznt5
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4bFd5OGpvY0YxczdkVnVY
            ZXExNnY1UXBtb0d4MFNYR3JrMTN1SXhNOUhrCi9xVm1HZDhHZmpEdmdJNVBFcWhv
            UjI3VDNycEpKdTNnbVU1eVFUeUZuZTAKLS0tIE5GdEJ3Nk1oam9KYUVCMk9CVmpL
            OCtLcUZwL084TUp0QmpSQXNtSFhHYkUKwGvXXE9AWlrlDgRl2ECCmej7IMztO+fx
            852Vu610cI9FLv5oghlKM769+/A2QP82KwdxZ4MaRSDvJwXKBi16aw==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2025-08-03T01:35:52Z"
    mac: ENC[AES256_GCM,data:wQPIW9zRhB6IjK1OQy69Ln+dj6OMNLnNKIzFIhv/vbQ4GllMJ3N/gZjuzMJIumcVND+jEY/qiYnsCFSptStlDYtB3/zHWo1e6It2pM4igtoTP29uiQME0vPJSz0guakZlDMa20mOTN0vVZODEbeBiQNXWtnTbl93R2JVJlZrWcI=,iv:L9Dk5S+hbBO0LTM0irfLuqjLYHzVtY5Tq+Q7m65u6p8=,tag:0GT9IyPeGY5YM6PP/LNs/Q==,type:str]
    pgp:
        - created_at: "2025-03-16T13:02:45Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----
            hQIMA0av/duuklWYAQ/9Ey8zpaRU7DuvVaKTaybgkLCPTKNyq6mKXAusKqC0adMu
            9G4M8G18uEoo6/Oa1LpJsQneU05EFuStZPaCs9+zxe5ZU2YhcVcDGAHgCDFBbI27
            7kzUVxA/n5cK61CfIslNYdJolceJeLyH9HSrS3k3eI3V6zEQL9Yz05dDz7Nlma4q
            AKsnGtLY4og0j2k7HZcK39ikhJGkllZHhsM4RT8/UVeVZF9CxKzwQ2OKbHkhJZyn
            LGEpioYAKuIIWm/20y/DQwIYpAilltWkg+RWQUnYeAINAZKSzFNi9vd3N4n6e41t
            ikq8Ukpjbesy42w0ju9sbNWayga14OG5STg/qacrCDjp+wY55VJCcEEM/6kPj1rf
            e2dBR+eN8VMgcPOlexOf1pkrVhNqz9eDfEfaEtDbFDIgznt0pmLeeYcL3NBa5+Xf
            vpGXG3fmgoXvQYW05yY4efBRiex9f70lbhnnngeY9ZbmSpy3ZuzIKq8RgBxy1ve+
            4B6RYC2Ag8Tndj1xYfHcrqSNfmxq+xNieFV49PMGDO1hjJF++VASqPuRtX9lz3tZ
            Y7E7VPtTESaxEp9IuUgLYYnvSHh1SNIRl3OtcctL+bwbF2wNk5iBha+jC/aXNRU/
            PoRv1y+G+0R6aV3hLJjoC+Hrm2JX3FIksk64LRDM9mSI7Yl7MfEFrIzcH4HEzlTS
            XAHugaMjpRCntUxlaP2tq4jlrv+PQLh7+uBzzbhLBK6qSjybKiqHBKeluxfYVsDs
            rJJicnclRfI1eJPfZDlCr2iggd+2ABYG7uINQVrZYuw2dfb4IvvrqCQz/fBy
            =Qb5k
            -----END PGP MESSAGE-----
          fp: F7D37890228A907440E1FD4846B9228E814A2AAC
    unencrypted_suffix: _unencrypted
    version: 3.10.2
--- a/secrets/kvernberg/exhange-offline-master.priv
+++ b/secrets/kvernberg/exhange-offline-master.priv
@@ -1,24 +0,0 @@
 {
 	"data": "ENC[AES256_GCM,data:dhVo1B+ZG1B6s0bTLgph4ipPmi0mveaObbJAffDQbpY=,iv:P5plvu4DQYa99cQZQ6B/gEFcSffu3lTY3+Z80Cfoj94=,tag:4xcqCbn6fFSmCbYmmEgQEg==,type:str]",
 	"sops": {
 		"kms": null,
 		"gcp_kms": null,
 		"azure_kv": null,
 		"hc_vault": null,
 		"age": [
 			{
 				"recipient": "age19rlntxt0m27waa0n288g9wgpksa6ndlzz8eneeqya7w3zd7may0sqzhcvz",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5MzVHSE15Nk9MODQxc2g0\nbHlqNmFKclBYbUNKQTNUOGo0VThiaEZTVzJFCmU2YkYwMXlyeHM3ZzAxOWZpa3k4\nUUJLanVFbkNMa25RcGZmOTBsVmtzazQKLS0tIE1sTTBqT3VJMDFOYXl0T1JvcDRV\nRFpsZGNOZzFzMFc3YzcxeXdIK1d6QUUKzy0n7DJsOmrNvU03Tn6Zcj/l/kAylzzP\nhNnFLXfStdKl3A/qrzBPhTVbYD73yFkZuQ+bDr7/IMsHAmDsztuA9g==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age17tagmpwqjk3mdy45rfesrfey6h863x8wfq38wh33tkrlrywxducs0k6tpq",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnbEdBWjdEbmtNYWJHQnFj\nSU1yb0NYVG4xVlZkYTdUWUpDcGdmbFF6U1NrCjBlWFZkcC9FMVJLYUtDNlBTUWcw\nNHBwWFNESDBQQmJNb3NDN2tDekM4eUUKLS0tICtMVGc1L2JFQ1BqKzM3eWFPRmRQ\nWXlQUWpvdUdOUlZ1OFhtS0ErL0JKSlUKzxLKbsnXvEqnR2HVsTxNqmM7YPjWfCjG\nZ4Bf046NdseomkNuTvWuPzjzPTe4GvjudMYc4ODchkIMOo6hXyf5kw==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
 		"lastmodified": "2024-11-17T01:12:23Z",
 		"mac": "ENC[AES256_GCM,data:aXIM/pmgVmfNSa+PwpfK6Efh/kCWXUqZNcKLkyhRwl++vaIBQUIQgQjv09hWHOF77V3ZjRQjh2E1uNe2baBLEmrDT5Au+7VABW+j49KX/vKMd+1l4w47l3DukOVnoo50bsOQFtH+amSl2P2imxpO15sjVDu9/nUeu2qXrtbIUh8=,iv:BQVs3P9p86uzTH2BfuSOxycpE6di4ZIwSz7OTZdcQPg=,tag:mT4Ek8dDbVINGp4Odt62zw==,type:str]",
 		"pgp": null,
 		"unencrypted_suffix": "_unencrypted",
 		"version": "3.9.1"
 	}
 }
--- a/secrets/lupine/lupine.yaml
+++ b/secrets/lupine/lupine.yaml
@@ -0,0 +1,124 @@
 gitea:
    runners:
        lupine-1: ENC[AES256_GCM,data:UcZB2p/dInvcl0yNBEohzbmcVxg/QQPXlIsaVB3M3hyxFg1gtGfUGA==,iv:OigyPfPoRIjvyiId7hiiWdNrZqyZqI3OonvJC+zYEzI=,tag:SjBsvo/IJKhFQs+PiI596g==,type:str]
        lupine-2: null
        lupine-3: null
        lupine-4: null
        lupine-5: null
 sops:
    age:
        - recipient: age1fkrypl6fu4ldsa7te4g3v4qsegnk7sd6qhkquuwzh04vguy96qus08902e
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBncnd2NVdqdjU1WWx4YWJr
            RUVuSThBWWdyVnpFT0kzZjBrVjZiN1FiU0ZBCmNCbGVZK09YaFNGSUE2QWpidEFw
            aEZEVndkODRzYmNLWDRzSGMzOWZKajAKLS0tIE00b3NiclFrOEk3R1lkeWM0VHY3
            dUFQcG04bWNwYjRjTlNWV0pXNnlTN28KEc8nM7jzMuh2B6Q9vDS9apmVZDH9fAGi
            dyze2SHCvfbr6So6GtJnZQy5J7tPoHBd3zwjojYV11kR9Ci1GszrVw==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1mu0ej57n4s30ghealhyju3enls83qyjua69986la35t2yh0q2s0seruz5n
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuVzdFdXdETEN3bjdIY0hi
            TUV3YjFSUHBhNTIyUDd6MC93R2xRZmZGTkd3CkZuNWRZY25nY1FMZjV1QzJuUUZN
            d0hzMUplY0w4c0hVK0dCbHVzVURvUm8KLS0tIGt2UEozYTdzMDRGUlRYeWpLY0Q3
            bmFMZGRhWGZQZlpwMFZsV3VwdEljRUkKwS1gGaLCY/+wv2blCiDWHXOTl7eRVDPH
            NPk33fXDa0y4AxFmwJ9caHL+UHWhSCVvi6odl1F6OA4blNLHRZAyzQ==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1j2u876z8hu87q5npfxzzpfgllyw8ypj66d7cgelmzmnrf3xud34qzkntp9
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDdmZXREhrUk5kWHgyMzI0
            RnR0bVE1cm9GQkpwc0VWZ3ZmUjMxMzF2WVhFCkcrcEI4enlRN09wNzF4M0tTNXZi
            TWg1TTkwUlNYUU1ReUVSU1dTdFoxeWcKLS0tIGZaMmVmZ1kxbFVVMmsxTzczYU9j
            N3Y3Qm9SQ2Z0bWNhM043czdnWC9RR0kK61W5sqXybAbjTUR8D05dYMInLl683Rzj
            G+0MZEzvfYONGU1gduRB5quHAwZLG5b9N6zorRSFON1meni+v/Ciww==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1t8zlawqkmhye737pn8yx0z3p9cl947d9ktv2cajdc6hnvn52d3fsc59s2k
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBod1RDR1NLZlhQQWw4Nk8z
            TTZHZitTNjFxUHVIZWY3N2VDd3pXRGt4N0JFClNzQ2REbSt5T0FXaVBhS09zcS9y
            TW5PTW1mSzlyOHppSm1yMWp6by9ZUWMKLS0tIFVsYkJZbHE3K3B5TS95amJhbDYy
            dFV1REdKYmIweWw1MDJ4L3p0cW9nVWMKQndDoniGQOn01SnscX7u7y6l119Eb++q
            JoTZELALPIyGdI4pXd6zCfRyLFaqWd4CO0RFtl8FTcm75W+ETmqqlQ==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age199zkqq4jp4yc3d0hx2q0ksxdtp42xhmjsqwyngh8tswuck34ke3smrfyqu
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjdlhET094ZGJsZU9tZnhz
            d20wcnltVU1MS09Qb3lzV2RjNi9OZjhDdFRBCndRY3hwQ3VHQWF2MVRFUU1MQkhh
            bGRQdEVaSzF0YTgxTGdITGN2dDlYc1kKLS0tIEw1MmFkUHJaKzZGRU93T2VTTkxK
            VU0xV0gwQ1NnbVIrS3lHTnJ5bU9IcGMKDWSWfA7iBQ+8iclmXDVf5Qjv67D2WbJg
            ovrYcT1F5+qE4xkuUkzVaGn9vgT+/kkzFucBz0c0iD5KCoa52z5AlQ==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age17tagmpwqjk3mdy45rfesrfey6h863x8wfq38wh33tkrlrywxducs0k6tpq
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtV2R5VzdCbkFDTGRJUG81
            bUk3Y3F6NkJGYUk1VW1XQnFOSTlwMTduL0Y0CjJ4N1Q5MXZjQXhsTk5Hbk40U1pU
            aFNxeFIyaGJpd3dMZFpQL0R2M1dHbk0KLS0tIGpUVGMyRSt6aDZVOERRWnRSY1Ns
            dXptcUNmeGRHcEs3WStpL3BuZUtJbjAKhqJEec4vjSC18oRl1dTNkF2Ev4YtudE4
            Lp2vbcSHXwrZhqbFlQ8stCpUJvjCBEr2cT/shrG38aP0MzgeSmMacQ==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1mrnldl334l2nszuta6ywvewng0fswv2dz9l5g4qcwe3nj4yxf92qjskdx6
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBURXhRWEFHU2Rtd0pyZGUw
            b09VQ1JhYjhJYlpnY2FCZndEcU1Ed3k1K0UwCit1NVIyL2xuZlAzbEJwY3V0UTB3
            Unk1L3p6cHlVWjllMjcvcTdDcnlxcGcKLS0tIGdGa3MvTmJiSGF4YnBZbE1wdGEv
            eFArZE5MaXlvOE9XN1I4eEtNMEpzcU0KVNUfcUJM+IVY/+b8mQiHKvuFnsih+zHx
            ZdUD+FPjghqrzJB4MOl/PYAxJ4lga6gPbcRWD5UUDuyDGOUwRpOt7w==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1hmpdk4h69wxpwqk9tkud39f66hprhehxtzhgw97r6dvr7v0mx5jscsuhkn
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNUnhIOHVLUG1meWFlZ24w
            SVlFenR1aWZXK21HSXpHU1NSZ2llQ1EwSnpnCmJYRXR3b3IvclZvaGpGdEpOUk9D
            eDg2eFFJQ0M4TEJqZDVUQUZGa2h3V3cKLS0tIEhWTzhoMVg1UEM2M1k1TVZTUDlL
            RDE1RCtUV2dDR3haclBMZDFhYXcyV2sKjwEI2dY4rluumihyEggLYDDvZZAK4SZw
            FWkwIUpMCZzg2fCeDMnTSAWfAZbiDcPLoCieJ2bpGXPTzyasRlOakg==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1wrssr4z4g6vl3fd3qme5cewchmmhm0j2xe6wf2meu4r6ycn37anse98mfs
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxamdXMXJ4K3hMV2g1WmUy
            Ry80dG5wdWlLc1paY1VoSE8vWk1ra1g5cldFClN1eXlVUGVndnovQ3dxQTdzQjRV
            Wm9NNWg5VVR4NVNsRjM0VHFya1FQeWsKLS0tIG43bTdKVjNrQlBUWHJoNjIyOW85
            TGd1Tng1akExRDd0TFZmQ3JnS3FtK3cKn2t7/4yIDZT2oy8fyJibF62usPjhuBOb
            9qQjChRm5h5mNSWdAzyf48wID7czzJiZjqtfE4vjLYLsWKMzz9j3xg==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1zhxul786an743u0fascv4wtc5xduu7qfy803lfs539yzhgmlq5ds2lznt5
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKQm5UalBhV1NWa2ZQNzVQ
            OEZXODkrYXRGR2lRMzMwSk5KV01WK3pLZlZ3ClNwZTV6aGRvZlV2UXJaNm9IOVVR
            VFZscVZhVkFaMlk5a1ZCcWJReVN5YWcKLS0tIEhHMnRKdWJvTkREbFlWb25YRXg3
            YU5mMDlRckJCMDAzcHYyMWN1clRJRVEK77PiAQP+2+WblGYEgAf6bx6RTh0JHiSZ
            /jPIN/rbAKNv36wpZDbuLV8tcMuvhleNMRSSqbIloLSzww+Z5nOU4A==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2025-07-30T18:29:08Z"
    mac: ENC[AES256_GCM,data:47cki5ucPTVd4JuEyK0QkDCCEqj1pW6SA5I6ihC/MEja6TIuHTcEPFpje8+LvpGjpP9uobKX4g3UcyvkJ63j/k3hU0xPYQX3Z1ee00KIMKB0GHNjUR8ENtnwd3TU7kp5ohtXeCtcyzCjdFFuXp8AINGv3vpbU2MzauctUxn5B1Y=,iv:1mpk/f1QlRtHfA9dqyNLBrvfVPgtLnZ7ibj8qNrEGD8=,tag:drEK1+qeJy97rgeQJyqucA==,type:str]
    pgp:
        - created_at: "2025-07-30T18:27:50Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----
            hQIMA0av/duuklWYAQ/9HdDiIXAQjcAbokD7yliGC+p7j+RxD2FDh5aXtDIS14dM
            pF7wdTdY7PvcXoSCQ5ZC7bjIY86MDfD+BT63MwjOczIgBJJ9wrGDZ2o9DnzzYsI1
            XdUgQscjtbAycNlaczI6IXrYlWqjt6qpp/OADXdMXZo3W+pTR3aSdrj/FcMzJad1
            AMQt8raqrD5LxIj0yWEYvob5z7NA6slBvVJRszsbYgz3aJWqG2DhlUBph6j2Rgmq
            /W796+fywrunmY/dmzptT5Epp5gZ55BAqg09qHj/+crTxIt7SNpsfps2ki8JBVq0
            4ooaUktBBMnhsZBA8NIauesokZkLO0MvyvjMBPGR8jun2EXoNtFmWZqUqD1fb0B5
            xe0SVg8XIzS/AFnKVAWfj6h9lM4guLL/kxu3aPAJwOj+YtIAXx4vojs81Led8nlQ
            jXvfy7Y94EQhKTLWuK12QC+bw2vy4V9L98nyDKB3ZuN2l3A2CN1ZLXArk/oez56d
            5t/0C43qEPfzQH87kygGuuQmlZvQupnHN4iCvExmoiX362/3S9h1wS5QcKdC3Lk/
            f3yr0+r1uOYuoQuofwitLZaq66aCmqYUmXhLvGujPjg8YuNXQ5k1MlOilDqoZnxk
            0V8RQbTpvUcqRLgczofC0ovgE2W13khS2BGxG3ZPmAbUGiaIP9OkfebI7hJJE7LS
            XgE4cU06C5jj4wLkOj3y4nEKwaFrEGRO3YQa1kl5/sExOg0Jd7fehozVh8+opGOZ
            MhmVHghd/RYZzBi3NZL28xnAvsawE1m6h6WEGk6JaVEdJh9W009AQCtVyChs9Og=
            =4gbo
            -----END PGP MESSAGE-----
          fp: F7D37890228A907440E1FD4846B9228E814A2AAC
    unencrypted_suffix: _unencrypted
    version: 3.10.2
--- a/secrets/ustetind/ustetind.yaml
+++ b/secrets/ustetind/ustetind.yaml
@@ -0,0 +1,90 @@
 gitea:
    runners:
        alpha: ENC[AES256_GCM,data:Hnq2guka4oERPIFCv1/ggrLjaePA7907VHXMStDQ7ll3hntTioT76qGOUJgfIw==,iv:wDPYuuL6VAWJakrz6asVRrzwRxqw0JDRes13MgJIT6E=,tag:ogFUeUirHVkCLN63nctxOw==,type:str]
        beta: ENC[AES256_GCM,data:HmdjBvW8eO5MkzXf7KEzSNQAptF/RKN8Bh03Ru7Ru/Ky+eJJtk91aqSSIjFa+Q==,iv:Hz9HE3U6CFfZFcPmYMd6wSzZkSvszt92L2gV+pUlMis=,tag:LG3NfsS7B1EdRFvnP3XESQ==,type:str]
        epsilon: ENC[AES256_GCM,data:wfGxwWwDzb6AJaFnxe/93WNZGtuTpCkLci/Cc5MTCTKJz6XlNuy3m/1Xsnw0hA==,iv:I6Zl+4BBAUTXym2qUlFfdnoLTHShu+VyxPMjRlFzMis=,tag:jjTyZs1Nzqlhjd8rAldxDw==,type:str]
 sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age:
        - recipient: age1hffjafs4slznksefmtqrlj7rdaqgzqncn4un938rhr053237ry8s3rs0v8
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIYVl6ZnI5TkhxK0JKNnlL
            WE5YZUZ2T1JEbCtvSVUxemZ1QUs4R2pjMWc0ClJ0cnU0c0d5bU5jWU1aVGd6WE45
            Wm9OT0xPaTJ3Y2kxMU5RTHdRKy81b2sKLS0tIEx4SkFoV240VUJieWFlc3hRWU1Y
            SWlwZnNOT3paRHRsTC9CQUp5SlBvTncKdcMI8pWtsfBpgeUagOmZUXIC6svkfmwE
            QF3GpWZgeVvo8e2oT2kBjerCDlUlzd0jJ8aK+B56xifTm7ii3oCAIA==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age17tagmpwqjk3mdy45rfesrfey6h863x8wfq38wh33tkrlrywxducs0k6tpq
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3QVBaQWlSZk43dEtHVWF1
            WmFBcmx3eFUvU2lrd0RCUGx3a2hDWHEzTUR3Cm9BclM3OU9SUnpySDZJZHRudmtO
            Ulp5OEZvZmMyRGJvQXJnUDVLdVRJUVkKLS0tIHE3M3MycE9pU1huYUREN3luWEZV
            WlNuN3BWeHhqL1dEOUJBSVNTaVJ3eTgKb5MRfeaay22PI9V5hni5mhnb0QF8PG8H
            bKWbc2SwdMNolrxhUiiIhdppEtXGHqLyBel786tuOdtEwVcy+m/rtA==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1mrnldl334l2nszuta6ywvewng0fswv2dz9l5g4qcwe3nj4yxf92qjskdx6
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQaDB6enozMFpqcWxFdU93
            MEg5RTRzZExzWGppenlBTlZZRlpqWDBPT0UwCnhOaXI5R3Jrd0hWY0xqc1VXaDJZ
            TUxwSTZDcHd0bnZPR2N2d0JVTUJONnMKLS0tIENzOW9PM0tQSndVNmF1bTZ4anpw
            b1RzL0NEOWg0dGZUa0Jpd3hiTlRGSm8KleRV5c/Xoe0B1VtnR3y0sgXpmhMS8pKl
            TWaAQTRlM9X2Pk5M/J/bu369ncmw/kycJKjK6W1yluaGwBNuEP+K4Q==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1hmpdk4h69wxpwqk9tkud39f66hprhehxtzhgw97r6dvr7v0mx5jscsuhkn
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0N1JvRVE0Y0xOMERMVXdB
            enZiNk1DZTJTUnluRVBIWm9WNmFPc21rU0FZCjBIeHErSHgveFFFdk9ybWwrRXZG
            WGpVcHliUW9Qb3dLb2Q0aWlrZmpiVm8KLS0tIG0wcXJVK2dMeG9NUTFQSzVtY2RG
            UE1FS3MvSXlxdEtJVWxJVDRFSkRmQkkK/2z7Lu6LVd6RLZAXKs+JsPc+1kcqFAET
            0zlTTTU0goTBLuXZ7uxFVZtqc1Nmoarf5Ksm/zcZ2B80P5ox9CzcWQ==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1wrssr4z4g6vl3fd3qme5cewchmmhm0j2xe6wf2meu4r6ycn37anse98mfs
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4SFpKcVBTTlp3SXhVaGQy
            QVVEV3h6dTZVcmx6aFc1eHF4UzJPbXQ2RnhvCkZiOEYydWhCYUtwcUdieGpBeTZh
            Z3dYVno5bFNkOUszNHBJNTdQWS9jUTQKLS0tIEhPVEdLK0RaclVvdklFNUJCcHNi
            OXVobVJCTjhQZ2RTQ21xK2dUY0h5RGcKcPBgD5FIWuyQBhmPt5aqrWgEG1tzhtr0
            gVyLxgtMFGeeShjdpivgcWI/GZZlhWJilJOoZo7f6TknvCIIKsrUSA==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1zhxul786an743u0fascv4wtc5xduu7qfy803lfs539yzhgmlq5ds2lznt5
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYWlhiS1dxekZGZkRCQU9O
            SktHRHRXL2VhNUJSRVhBeEM5UEZ1R0pFdXdrCnZQOUZaYitpSlJ0aXFpZXFrRFJj
            MmZiLytvekZtVXYzamJDakc1RjdIREEKLS0tICtiOTZMRGZuWEdHTmZwRjZ2dUNT
            aU4xWjVYYlNvSmYxajVGdzk5dTQ4WG8Klq12bSegsW29xp4qteuCB5Tzis6EhVCk
            53jqtYe5UG9MjFVQYiSi2jJz5/dxfqSINMZ/Y/EB5LxbwgbFws8Yuw==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2024-12-12T12:20:19Z"
    mac: ENC[AES256_GCM,data:D9/NAd/zrF6pHFdZjTUqI+u4WiwJqt0w5Y+SYCS1o/dAXJE/ajHzse/vCSGXZIjP0yqe+S/NyTvhf+stw2B4dk6Njtabjd+PhG0hR4L0X07FtFqzB3u5pLHCb0bH9QLG5zWcyMkwNiNTCvhRUZzbcqLEGqqJ7ZjZAEUfYSR+Jls=,iv:5xPfODPxtQjgbl8delUHsmhD0TI2gHjrxpHV+qiFE00=,tag:HHLo5G8jhy/sKB3R+sKmwQ==,type:str]
    pgp:
        - created_at: "2024-12-09T21:17:27Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----
            hQIMA0av/duuklWYARAAv2XS2jzoymOzpRHquUbYpUtbIeKXhPS8i9uk2zBvSKnr
            b/jZCpvtkCcSz1UFm+HzSn/i1eNkj9ghObisifvqY6JbO0DIa1jFlx1TfE9pj8dE
            rrNTsYfxNwdGOvklPBHm3vKY5qPiGlE71TaKkJcO79vE5jxwhUqzWI9SWAZY3cFw
            IVJN44DT0I4ctTlwPM9eAYYodL8QP8OMXHJ/mjI4SPODRsvrOyy6rpip40Q+dU/N
            DwRupzrRlxJ8BDSh/x6J/AryZSwkmChX9cYyGaDknJ3ONQ0XLhVUtLkAvPWtWeow
            6NVHmUOJ39ockT1clhYy2P5rQTraZESuI7vaSS9zVIuScBnJwbSRZ5xgxSD6Fj+C
            Y/JyogXa8FtyG6xeMgIwW7t/m/rbXL5OkP4w8D+CJs+4I55WXz054XOZ937EisVH
            XAlNBIHixjQVckbb+sS7rEmegfoC+rvOXA0irpwXFiapAbMGUePCwQHdSBMP8orC
            Tb3E8kqHATN40b8CpUBcPw6HCQKmbhe8o+R8NG6TZh6JH7kSztl2+SIIuMzhDflr
            1AphY047Ku2RANaWfo+xyVZMWgAQcnoaUOeYaHJ9nZ7f2klJ3fnRtdXJn1gcO3i3
            NZVRjjYHJgzCVCIZJa1b1TMGep84naF7NmRkNlS4wyv6MXGqSpHHZUGUBAQOCMPS
            XAEqjZt8va0LKtsPsBOTGQDuzTar+2069fu6TjS07mJM2sTp/G8bGBnvjc0TIplZ
            M5FOiCilI9yX7vQ0O3LUKJW5zELWnW2d+3okpGjgkr0BFERtM7BMCp6nxR6+
            =rEY5
            -----END PGP MESSAGE-----
          fp: F7D37890228A907440E1FD4846B9228E814A2AAC
    unencrypted_suffix: _unencrypted
    version: 3.9.2
--- a/shell.nix
+++ b/shell.nix
@@ -11,14 +11,14 @@ pkgs.mkShellNoCC {
    editorconfig-checker
  ];
-  shellHook = ''
+  env = {
-    export OS_AUTH_URL=https://api.stack.it.ntnu.no:5000
+    OS_AUTH_URL = "https://api.stack.it.ntnu.no:5000";
-    export OS_PROJECT_ID=b78432a088954cdc850976db13cfd61c
+    OS_PROJECT_ID = "b78432a088954cdc850976db13cfd61c";
-    export OS_PROJECT_NAME="STUDORG_Programvareverkstedet"
+    OS_PROJECT_NAME = "STUDORG_Programvareverkstedet";
-    export OS_USER_DOMAIN_NAME="NTNU"
+    OS_USER_DOMAIN_NAME = "NTNU";
-    export OS_PROJECT_DOMAIN_ID="d3f99bcdaf974685ad0c74c2e5d259db"
+    OS_PROJECT_DOMAIN_ID = "d3f99bcdaf974685ad0c74c2e5d259db";
-    export OS_REGION_NAME="NTNU-IT"
+    OS_REGION_NAME = "NTNU-IT";
-    export OS_INTERFACE=public
+    OS_INTERFACE = "public";
-    export OS_IDENTITY_API_VERSION=3
+    OS_IDENTITY_API_VERSION = "3";
-  '';
+  };
 }
--- a/shells/cuda.nix
+++ b/shells/cuda.nix
@@ -0,0 +1,45 @@
 # nix develop .#cuda
 # Copied from https://nixos.wiki/wiki/CUDA
 { pkgs }:
 pkgs.mkShell {
  name = "cuda-env-shell";
  buildInputs = with pkgs; [
    autoconf
    binutils
    curl
    freeglut
    git
    gitRepo
    gnumake
    gnupg
    gperf
    libGL
    libGLU
    m4
    ncurses5
    procps
    stdenv.cc
    unzip
    util-linux
    xorg.libX11
    xorg.libXext
    xorg.libXi
    xorg.libXmu
    xorg.libXrandr
    xorg.libXv
    zlib
    cudatoolkit
    linuxPackages.nvidia_x11
    # Other applications, like
    hashcat
  ];
  env = {
    CUDA_PATH = pkgs.cudatoolkit;
    EXTRA_LDFLAGS = "-L/lib -L${pkgs.linuxPackages.nvidia_x11}/lib";
    EXTRA_CCFLAGS = "-I/usr/include";
  };
 }
--- a/users/albertba.nix
+++ b/users/albertba.nix
@@ -0,0 +1,23 @@
 { pkgs, ... }:
 {
  users.users.albertba = {
    isNormalUser = true;
    extraGroups = [ "wheel" "drift" "nix-builder-users" ];
    packages = with pkgs; [
      htop
      neovim
      ripgrep
      fd
      tmux
    ];
    shell = pkgs.zsh;
    openssh.authorizedKeys.keys = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICheSCAxsYc/6g8hq2lXXHoUWPjWvntzzTA7OhG8waMN albert@Arch"
    ];
  };
 }
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Adrian G L	914458d4b0	feat: add error pages to nginx on bekkalokk	2025-10-25 22:13:02 +02:00
Daniel Olsen	3faad36418	base/nixos-exporter: allow localhost to fetch	2025-10-13 06:41:28 +02:00
Daniel Olsen	0b74907f76	bicep/matrix/hookshot: enable widgets and js transformations	2025-10-13 06:02:33 +02:00
Daniel Olsen	bacfdeff23	bicep/matrix/hookshot: try fix up widgets and SSL	2025-10-13 05:42:06 +02:00
Daniel Olsen	9e51bdb373	base/nixos-exporter: listen on own server block	2025-10-12 16:42:42 +02:00
Daniel Olsen	df5557698f	ildkule: scrape the nixos-flake exporters	2025-10-12 06:09:15 +02:00
fredrikr79	c7930b793a	base: create flake input exporter	2025-10-12 05:23:54 +02:00
h7x4	dbe9dbe6f4	flake.lock: bump	2025-09-20 18:59:35 +02:00
h7x4	2e75f31d3e	kommode/gitea: skip some parts in the dumps	2025-09-10 11:27:44 +02:00
Vegard Matthey	1166161858	oppdatere nettsiden	2025-09-08 13:59:41 +02:00
Vegard Matthey	a0164a4038	oppdatere nettsiden	2025-09-08 12:20:09 +02:00
h7x4	470cc451e0	kommode/gitea: fix backup count	2025-09-04 00:02:58 +02:00
h7x4	a803de2b23	kommode/gitea: enable sd_notify, enable hardware watchdog	2025-09-03 23:48:22 +02:00
h7x4	1dc78b6101	kommode/gitea: bindmount repo-archives to `/var/cache/gitea`	2025-09-03 23:23:16 +02:00
h7x4	54434b7f93	kommode/gitea: only keep 3 backups	2025-09-03 22:46:13 +02:00
Felix Albrigtsen	736dc44008	flake: update input pvv-nettsiden (fadderuke -> normal events)	2025-09-01 20:16:50 +02:00
h7x4	9e68287f1b	bicep/minecraft-heatmap: change postgres password, add to sops	2025-08-25 14:38:25 +02:00
Øystein Tveit	b821d36f40	bicep/minecraft-heatmap: init	2025-08-25 14:26:37 +02:00
h7x4	0b7fbcac32	modules/grzegorz: use unstable mpv for greg-ng	2025-08-23 14:04:48 +02:00
Vegard Bieker Matthey	f3c60d0551	add vegardbm Reviewed-on: https://git.pvv.ntnu.no/Drift/pvv-nixos-config/pulls/114	2025-08-21 14:21:39 +02:00
Vegard Bieker Matthey	f0d2d989d1	Merge pull request 'remove duplicated button at /hendelser' (!113 ) from vegardbm/pvv-nixos-config:main into main Reviewed-on: https://git.pvv.ntnu.no/Drift/pvv-nixos-config/pulls/113	2025-08-18 02:08:05 +02:00
Vegard Matthey	57d0c6247b	remove duplicated button at /hendelser	2025-08-18 02:05:57 +02:00
Vegard Bieker Matthey	95840bfa3c	Merge pull request 'fix dead link at /tjenester' (!112 ) from vegardbm/pvv-nixos-config:main into main Reviewed-on: https://git.pvv.ntnu.no/Drift/pvv-nixos-config/pulls/112	2025-08-17 20:59:45 +02:00
Vegard Matthey	72da80f93f	fix dead link at /tjenester	2025-08-17 20:58:31 +02:00
Vegard Bieker Matthey	8ffc2acea7	Merge pull request 'fix dead links for VMs at /tjenester' (!111 ) from vegardbm/pvv-nixos-config:main into main Reviewed-on: https://git.pvv.ntnu.no/Drift/pvv-nixos-config/pulls/111	2025-08-17 20:48:40 +02:00
Vegard Matthey	0d1423ab22	fix dead links for VMs at /tjenester	2025-08-17 20:47:30 +02:00
Adrian Gunnar Lauterer	809fcefbcf	Merge pull request 'fix dead minecraft map link at /tjenester' (!110 ) from vegardbm/pvv-nixos-config:main into main Reviewed-on: https://git.pvv.ntnu.no/Drift/pvv-nixos-config/pulls/110	2025-08-17 19:52:37 +02:00
Vegard Matthey	203358a207	fix dead minecraft map link at /tjenester	2025-08-17 19:48:56 +02:00
Albert Bayazidi	d11b189f95	Merge pull request 'forgot to write my whole name LAMO' (!109 ) from new-user-part-two into main Reviewed-on: https://git.pvv.ntnu.no/Drift/pvv-nixos-config/pulls/109	2025-08-16 10:45:57 +02:00
Albert	b439ddd6f6	forgot to write my whole name LAMO	2025-08-15 19:57:23 +02:00
h7x4	a22747bb66	flake.lock: bump pvv-nettsiden	2025-08-14 22:49:05 +02:00
h7x4	efc79ee189	fix import-gitea-users script	2025-08-14 20:48:23 +02:00
Albert Bayazidi	8715fb220f	Merge pull request 'added user alb' (!108 ) from new_user into main Reviewed-on: https://git.pvv.ntnu.no/Drift/pvv-nixos-config/pulls/108 Reviewed-by: Oystein Kristoffer Tveit <oysteikt@pvv.ntnu.no>	2025-08-14 19:07:30 +02:00
Albert	649c21de01	added user alb	2025-08-14 18:08:43 +02:00
h7x4	2010556643	kommode/gitea: fix declarative secrets	2025-08-03 04:44:37 +02:00
h7x4	8dcd471a6f	base: don't lock kernel modules lmao	2025-08-03 04:36:10 +02:00
h7x4	234a7030f0	kommode/gitea: make secrets declarative	2025-08-03 03:39:18 +02:00
h7x4	0a7f559869	keys/oysteikt: update	2025-08-03 02:25:57 +02:00
h7x4	d482eb332d	flake.nix: bump nixos-matrix-modules: `0.7.0` -> `v0.7.1`	2025-08-03 02:21:05 +02:00
h7x4	0600fce2ca	ildkule/prometheus/exim: init	2025-08-03 02:21:04 +02:00
h7x4	f5fed06381	ildkule/prometheus/machines: add `lupine-{1,3,4,5}` + `wenche`	2025-08-03 02:21:02 +02:00
h7x4	579ed180a3	ildkule/prometheus: add utility function	2025-08-03 02:20:58 +02:00
Albert	043099eb37	hosts/lupine: init Co-authored-by: h7x4 <h7x4@nani.wtf>	2025-07-30 20:30:28 +02:00
Albert	59969b9ec8	Allow configuring configuration src path in `nixosConfig` Co-authored-by: h7x4 <h7x4@nani.wtf>	2025-07-20 03:54:00 +02:00
Felix Albrigtsen	febc0940f8	flake: update pvv-nettsiden	2025-07-18 21:06:17 +02:00
Daniel Olsen	76c251c277	kommode/gitea: use unstable package again	2025-07-14 07:51:49 +02:00
Daniel Olsen	1d48a63e3d	Merge branch '25.05'	2025-07-14 01:58:04 +02:00
h7x4	ddd405f534	nixpkgs 25.05 🎉	2025-07-11 18:43:21 +02:00
Daniel Olsen	a2dcd3019f	fix package grr	2025-06-24 08:06:36 +02:00
Daniel Olsen	410d4e44a8	bicep/matrix/ooye: use pvv fork for now	2025-06-22 19:29:15 +02:00
Daniel Olsen	195163fd7b	fix ooye somewhat	2025-06-22 19:00:50 +02:00
h7x4	4fa544b430	WIP: bicep/ooye: init	2025-06-22 00:59:23 +02:00
h7x4	7601734651	modules/ooye: init	2025-06-21 19:54:57 +02:00
h7x4	cafeef827f	packages/ooye: init	2025-06-21 19:52:37 +02:00
h7x4	9e00d143f8	grzegorz: add and shortcut on main domain	2025-06-07 18:43:21 +02:00
Peder Bergebakken Sundt	eceb2ce4c7	Merge pull request 'base: stabilize system.build.toplevel.outPath for vmVariant' (!105 ) from no-flake-in-vm into main Reviewed-on: https://git.pvv.ntnu.no/Drift/pvv-nixos-config/pulls/105 Reviewed-by: Oystein Kristoffer Tveit <oysteikt@pvv.ntnu.no>	2025-06-01 05:29:00 +02:00
Peder Bergebakken Sundt	518008527d	Merge pull request 'flake: evaluate devShells with nixpkgs-unstable' (!107 ) from shell-unstable into main Reviewed-on: https://git.pvv.ntnu.no/Drift/pvv-nixos-config/pulls/107 Reviewed-by: Oystein Kristoffer Tveit <oysteikt@pvv.ntnu.no> Reviewed-by: Daniel Lovbrotte Olsen <danio@pvv.ntnu.no>	2025-06-01 05:26:39 +02:00
Peder Bergebakken Sundt	9e82ca3d15	flake: evaluate devShells with nixpkgs-unstable	2025-06-01 00:37:52 +02:00
Peder Bergebakken Sundt	da7cb17f9e	base: stabilize system.build.toplevel.outPath for vmVariant This is done by not depending on the flake itself, allowing the bits of a dirty tree to not affect the hash. This enables equivalence testing with `just eval-vm bob` and checking if the system closure hash changes or not.	2025-05-31 19:13:33 +02:00
Peder Bergebakken Sundt	1caa0cc7be	Merge pull request 'base: add option config.virtualisation.vmVariant' (!101 ) from vm into main Reviewed-on: https://git.pvv.ntnu.no/Drift/pvv-nixos-config/pulls/101 Reviewed-by: Oystein Kristoffer Tveit <oysteikt@pvv.ntnu.no>	2025-05-31 19:01:47 +02:00
Peder Bergebakken Sundt	752141f97f	base: add option config.virtualisation.vmVariant	2025-05-31 18:53:04 +02:00
Peder Bergebakken Sundt	23c1c17607	Merge pull request 'justfile: add more swag' (!104 ) from justfile-swag into main Reviewed-on: https://git.pvv.ntnu.no/Drift/pvv-nixos-config/pulls/104 Reviewed-by: Oystein Kristoffer Tveit <oysteikt@pvv.ntnu.no>	2025-05-31 18:37:25 +02:00
Peder Bergebakken Sundt	9560eab82b	Merge pull request 'flake: switch to nixos.org nixpkgs tarballs' (!103 ) from switch-inputs into main Reviewed-on: https://git.pvv.ntnu.no/Drift/pvv-nixos-config/pulls/103 Reviewed-by: Oystein Kristoffer Tveit <oysteikt@pvv.ntnu.no>	2025-05-31 18:35:28 +02:00
h7x4	5e4ededab3	.mailmap: init	2025-05-31 14:25:33 +02:00
h7x4	7fb3e29d7b	base/uptimed: init	2025-05-31 14:05:43 +02:00
h7x4	9053dda57c	kommode/gitea: install the rest of the themes	2025-05-31 13:59:51 +02:00
Peder Bergebakken Sundt	4ab133e541	justfile: update 'update-inputs' to changed nix3 cli, make more robust to dirty tree	2025-05-30 19:17:59 +02:00
Peder Bergebakken Sundt	e5b38cd2c1	justfile: add repl, eval and eval-vm	2025-05-30 19:17:59 +02:00
Peder Bergebakken Sundt	3e156a8649	justfile: only use nom if stdout is a tty	2025-05-30 19:17:59 +02:00
Peder Bergebakken Sundt	b40cde891e	justfile: passthru extra args with 'set positional-arguments'	2025-05-30 19:17:59 +02:00
Peder Bergebakken Sundt	dca6862045	justfile: silence 'nix eval' spam	2025-05-30 19:17:59 +02:00
Peder Bergebakken Sundt	4e44da29b5	justfil: _a_machine: remember last choice	2025-05-30 19:17:51 +02:00
Peder Bergebakken Sundt	ca9ac0e0fc	flake.lock: Update Flake lock file updates: • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/9204750b34cae1a8347ab4b5588115edfeebc6d7' (2025-04-24) → 'https://releases.nixos.org/nixos/24.11-small/nixos-24.11.718472.97d3ce1ceb66/nixexprs.tar.xz?narHash=sha256-8sjG4sNIonQPK2olCGvq3/j1qtjwPaTOFU5nkz1gj2Q%3D&rev=97d3ce1ceb663a24184aac92b7e9e8f5452111c1' (2025-05-30) • Updated input 'nixpkgs-unstable': 'github:NixOS/nixpkgs/6a2957c7978b189202e03721aab901c0a9dc1e1a' (2025-04-26) → 'https://releases.nixos.org/nixos/unstable-small/nixos-25.11pre807945.b8af95f4cf51/nixexprs.tar.xz?narHash=sha256-YCnUqO9k39p0oMIBndxYTbu8m0fOA/KVcq3IekXPy9c%3D&rev=b8af95f4cf511c5f056b463c3a45d2b63c7cfb03' (2025-05-30)	2025-05-30 19:05:27 +02:00
Peder Bergebakken Sundt	c8d29c363f	flake: switch to nixos.org nixpkgs tarballs no rate limiting and supports ipv6	2025-05-30 19:05:27 +02:00
Peder Bergebakken Sundt	e387656be8	base/auto-upgrade: fetch input urls from flake	2025-05-30 19:05:24 +02:00
h7x4	48a5f4e79e	bicep/git-mirrors: move to mirrors.pvv.ntnu.no	2025-05-30 12:59:32 +02:00
h7x4	29c4029486	bicep/git-mirrors: disable lfs by default	2025-05-30 12:45:40 +02:00
Daniel Olsen	5d704840ce	brutally murder bob	2025-05-25 11:32:44 +02:00
Daniel Olsen	43d3ef1fed	georg: configure spotifyd to maybe not crash, might even be functional?	2025-05-25 10:32:40 +02:00
Daniel Olsen	e8df081894	kommode/gitea: use stable package again	2025-05-25 09:59:44 +02:00
Daniel Olsen	f40f2ae89d	update inputs to 25.05	2025-05-25 09:59:44 +02:00
h7x4	a3c3ceac49	users/oysteikt: remove diskonaut	2025-05-20 21:17:04 +02:00
h7x4	7f3d288a15	bekkalokk/mediawiki: fix favicon derivation	2025-05-20 21:16:45 +02:00
Adrian Gunnar Lauterer	f9f2304939	add spotifyd on georg Signed-off-by: Adrian Gunnar Lauterer <adriangl@pvv.ntnu.no>	2025-05-20 12:42:54 +02:00
larshalvorhansen	02c752e596	modules/grzegorz:Grzegorz wakes up every morning at 6:30!	2025-05-18 00:40:18 +02:00
larshalvorhansen	e44b2e8d0d	treewide: convert 2 instances of 'convert' into 'magick'	2025-05-17 22:47:09 +02:00
Daniel Olsen	13a270b8ed	disable nginx jit and multi_accept	2025-05-10 11:13:51 +02:00
h7x4	20ade0d619	bicep: add git-mirroring service	2025-05-08 23:41:43 +02:00
h7x4	20e3f89b79	flake.lock: update greg-ng	2025-05-06 22:34:09 +02:00
Daniel Olsen	f0e6521fbb	update flake.lock	2025-04-26 22:50:00 +02:00
h7x4	d59a3f6ec0	bicep: remove duplicate import of mysql service module	2025-03-30 17:43:15 +02:00
h7x4	b730bdc34d	flake.nix: fix nix-gitea-themes input url	2025-03-30 17:22:04 +02:00
Felix Albrigtsen	f1f4da9ff6	Merge pull request 'Init wenche' (!94 ) from init-wenche into main Reviewed-on: https://git.pvv.ntnu.no/Drift/pvv-nixos-config/pulls/94 Reviewed-by: Oystein Kristoffer Tveit <oysteikt@pvv.ntnu.no>	2025-03-29 22:15:02 +01:00
Felix Albrigtsen	cd40bd6178	Wenche: add swapfile	2025-03-29 22:08:44 +01:00
h7x4	41e7f09c8b	kommode/gitea: take a dump weekly	2025-03-23 17:08:58 +01:00
h7x4	30bedecd72	kommode/gitea: increase timeouts	2025-03-23 00:39:06 +01:00
h7x4	29ad65bfef	kommode/gitea: fix eval	2025-03-23 00:36:24 +01:00
h7x4	b5a95eac90	bekkalokk/website/sp: trust all domain variants	2025-03-19 01:49:12 +01:00
Oystein Kristoffer Tveit	b2adb38a8b	Merge pull request 'base: source ~/.bashrc' (!100 ) from bashrc into main Reviewed-on: https://git.pvv.ntnu.no/Drift/pvv-nixos-config/pulls/100 Reviewed-by: Oystein Kristoffer Tveit <oysteikt@pvv.ntnu.no>	2025-03-19 01:40:56 +01:00
Peder Bergebakken Sundt	3a707b00d3	base: source ~/.bashrc Now by default we source .bashrc and .profile unless the user has actually read the manual. Tested in vm	2025-03-18 22:57:18 +01:00
h7x4	decd69d9ae	kommode/gitea: move customization.nix to separate dir	2025-03-17 20:37:15 +01:00
h7x4	b7fca76ea5	ildkule/mysqld_exporter: use nix-sops template for config	2025-03-16 21:09:12 +01:00
h7x4	c6b7e7f555	bekkalokk/mediawiki: remove outdated TODO	2025-03-16 20:59:03 +01:00
h7x4	32a529e60f	ildkule/prometheus: reenable mysqld exporter	2025-03-16 20:57:26 +01:00
h7x4	493ab057f4	ildkule/grafana: fix gitea dashboard typo	2025-03-16 20:42:52 +01:00
h7x4	c683e2184a	kommode/gitea: allow ildkule's ipv6 address to read metrics	2025-03-16 20:40:07 +01:00
h7x4	5c32798dcf	ildkule/prometheus: add kommode and ustetind to machine list	2025-03-16 20:20:40 +01:00
Øystein Tveit	e5cbd66769	kommode/gitea: use batch scheduling	2025-03-16 19:56:27 +01:00
Øystein Tveit	8b34f31e3f	Move gitea from bekkalokk to kommode	2025-03-16 19:02:30 +01:00
h7x4	08b010cb93	kommode/sops: init	2025-03-16 14:04:09 +01:00
Øystein Tveit	a408ef6688	hosts/kommode: init	2025-03-16 13:19:29 +01:00
Felix Albrigtsen	c83005983e	shells/cuda: Reformat, replace shellhook with env attr	2025-03-15 23:37:53 +01:00
h7x4	30d31956c6	keys/oysteikt: update	2025-03-15 22:43:01 +01:00
h7x4	c8bf3b7c01	modules/robots-txt: init	2025-03-15 14:58:30 +01:00
h7x4	069da36895	shell.nix: replace shellHook with env	2025-03-15 03:09:26 +01:00
h7x4	83f83a91b7	flake.{nix,lock}: bump inputs	2025-03-15 02:23:16 +01:00
h7x4	6372a4111e	common/userdbd: init	2025-03-15 01:47:10 +01:00
h7x4	bdfb7384c2	common/userborn: init	2025-03-15 01:46:52 +01:00
h7x4	ace351c0a7	misc/builder: add binfmt systems	2025-03-15 01:23:15 +01:00
h7x4	cd5c2c0e01	misc/builder: set cpu sched policy batch	2025-03-15 01:21:57 +01:00
h7x4	2be9eb16fe	base/nix: defer store optimization	2025-03-15 01:20:34 +01:00
h7x4	64bd33a213	base: enable fwupd	2025-03-15 01:19:59 +01:00
h7x4	7b5e114944	base: use dbus-broker as dbus implementation	2025-03-15 01:19:33 +01:00
h7x4	ee8965e18c	base: use latest kernel by default	2025-03-15 01:18:28 +01:00
h7x4	7125fd2478	flake.lock: bump pvv-nettsiden	2025-03-12 02:39:46 +01:00
h7x4	0c1762619a	bekkalokk/gitea: use unstable package (1.23)	2025-03-12 02:13:13 +01:00
Øystein Tveit	84d1ae13c0	flake.lock: bump pvv-nettsiden	2025-03-12 00:51:10 +01:00
h7x4	a3c88b7869	bekkalokk/gitea: take a dump	2025-03-10 20:06:29 +01:00
h7x4	4aa994e7a3	bekkalokk/gitea: rename gitea customization service to have gitea prefix	2025-03-10 19:59:16 +01:00
h7x4	fc64139739	bekkalokk/gitea: bigger icons	2025-03-10 19:58:53 +01:00
h7x4	75b0c00212	bekkalokk/gitea: move customization to different file	2025-03-10 18:01:31 +01:00
Daniel Olsen	94d73b34ad	bluemap: generate web folder if it doesnt exist before rendering	2025-03-02 02:32:32 +01:00
Daniel Olsen	bf50d6478b	bluemap: 5.4 -> 5.7	2025-03-02 01:27:09 +01:00
h7x4	e9dc0d85a0	flake.lock: bump	2025-03-01 21:31:56 +01:00
Felix Albrigtsen	4f28815018	wenche: Fix nvidia driver. flake: add shells/cuda.	2025-02-22 19:45:26 +01:00
Felix Albrigtsen	bdaa765dbb	wenche: start adding NVIDIA support	2025-02-19 23:28:42 +01:00
Felix Albrigtsen	c0e551eb8b	wenche: init new host	2025-02-19 22:48:28 +01:00
Daniel Olsen	a009b05977	bicep/matrix/coturn: coturn is actually fixed	2025-02-16 02:01:29 +01:00
Øystein Tveit	8a8f5659fb	gergle: big if true	2025-01-25 19:59:43 +01:00
Felix Albrigtsen	13c921c47b	bekkalokk: Update nettsiden (re-enable events)	2025-01-17 23:11:19 +01:00
h7x4	819fcef4c2	flake.lock: bump greg-ng	2025-01-11 15:02:00 +01:00
h7x4	102a6f9011	flake.lock: bump nix-gitea-themes	2025-01-10 18:51:41 +01:00
h7x4	86e68f496e	bekkalokk/gitea: add declarative label set 'projects'	2025-01-10 18:51:40 +01:00
h7x4	394ff94033	flake.nix: move grz projects from `Projects` to `Grzegorz`	2025-01-06 16:34:22 +01:00
h7x4	6cb7f576a5	bekkalokk/gitea-scripts: add `Grzegorz` organization	2025-01-06 16:34:22 +01:00
Øystein Tveit	edb448f7a0	ustetind/gitea-runners: update docker image, update registration keys	2024-12-22 23:17:41 +01:00
h7x4	4507ffe2ab	base/auto-upgrade: switch ref back to main	2024-12-22 23:04:08 +01:00
Felix Albrigtsen	882a8f2e88	bekkalokk: Update nettsiden	2024-12-21 23:50:53 +01:00
Øystein Tveit	65da25da7e	packages/mediawiki-extensions: update all	2024-12-10 21:05:21 +01:00
h7x4	fd81d61a56	common/logrotate: remove custom hardening now that nixpkgs provides it	2024-12-10 21:05:21 +01:00
Daniel Olsen	2776273a27	flake update	2024-12-10 21:05:20 +01:00
Daniel Olsen	ebc5b269ef	24.11	2024-12-10 21:05:20 +01:00
h7x4	850d0b0ec5	bekkalokk/gitea-web: fix SSH access	2024-12-10 21:05:06 +01:00
h7x4	02792fc20e	bekkalokk/gitea: fix api pagination for web secret provider	2024-12-10 19:35:10 +01:00
Øystein Tveit	40dd069a52	ustetind/gitea-runners: fix podman dns	2024-12-09 23:25:54 +01:00
h7x4	04a838fc62	flake.nix: nixlib -> lib	2024-12-09 22:33:39 +01:00
Øystein Tveit	1f85208587	hosts/ustetind: set up gitea-runners	2024-12-09 22:24:54 +01:00
Øystein Tveit	c10c6d5a09	hosts/ustetind: init	2024-12-09 21:31:30 +01:00
h7x4	6301688c95	common/smartd: only run on non-virtualized hardware It's still part of the simulation tho	2024-12-09 21:03:50 +01:00
h7x4	0ed0a3a504	flake.nix: make `outputs.inputs` buildable	2024-12-08 00:29:59 +01:00
h7x4	5242d99260	bekkalokk/gitea: add gpg signing key	2024-11-24 03:23:54 +01:00
Fredrik Robertsen	c60597dc5a	Merge pull request 'Let smartd send mail notification' (!92 ) from add-mail-to-smartd into main Reviewed-on: https://git.pvv.ntnu.no/Drift/pvv-nixos-config/pulls/92 Reviewed-by: Oystein Kristoffer Tveit <oysteikt@pvv.ntnu.no> Closes #92	2024-11-24 01:09:58 +01:00
frero	69462bf486	let smartd send mail notification	2024-11-24 01:01:55 +01:00
Oystein Kristoffer Tveit	7d4ccf1972	Merge pull request 'Add user frero' (!91 ) from add-user-frero into main Reviewed-on: https://git.pvv.ntnu.no/Drift/pvv-nixos-config/pulls/91	2024-11-23 22:40:43 +01:00
frero	c87a81eeee	users: add `frero`	2024-11-23 22:39:53 +01:00