base/roowho2: init

2026-02-20 08:57:53 +01:00 · 2026-01-06 01:49:53 +09:00
135 changed files with 24141 additions and 14260 deletions
--- a/.mailmap
+++ b/.mailmap
@@ -23,9 +23,3 @@ Adrian Gunnar Lauterer <adriangl@pvv.ntnu.no> Adrian Gunnar Lauterer <adrian@lau
 Fredrik Robertsen <frero@pvv.ntnu.no> frero <frero@pvv.ntnu.no>
 Fredrik Robertsen <frero@pvv.ntnu.no> fredrikr79 <fredrikrobertsen7@gmail.com>
 Fredrik Robertsen <frero@pvv.ntnu.no> fredrik <fredrikr79@pm.me>
 Vegard Bieker Matthey <vegardbm@pvv.ntnu.no> Vegard Matthey <VegardMatthey@protonmail.com>
 Vegard Bieker Matthey <vegardbm@pvv.ntnu.no> Vegard Bieker Matthey <VegardMatthey@protonmail.com>
 Albert Bayazidi <albertba@pvv.ntnu.no> Albert <albert.bayazidi@gmail.com>
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -7,7 +7,6 @@ keys:
  - &user_pederbs_bjarte age1zhxul786an743u0fascv4wtc5xduu7qfy803lfs539yzhgmlq5ds2lznt5
  - &user_pederbs_nord age1wrssr4z4g6vl3fd3qme5cewchmmhm0j2xe6wf2meu4r6ycn37anse98mfs
  - &user_pederbs_sopp age1hmpdk4h69wxpwqk9tkud39f66hprhehxtzhgw97r6dvr7v0mx5jscsuhkn
  - &user_vegardbm age1sqs7urnzsdy64efmd0zukzv3gs5pnjksuxd7nqmdwdy5l0nqnunq6hyune
  # Hosts
  - &host_bakke age1syted6kt48sumjjucggh6r3uca4x2ppp4mfungf3lamkt2le05csc99633
@@ -20,9 +19,7 @@ keys:
  - &host_lupine-3 age1j2u876z8hu87q5npfxzzpfgllyw8ypj66d7cgelmzmnrf3xud34qzkntp9
  - &host_lupine-4 age1t8zlawqkmhye737pn8yx0z3p9cl947d9ktv2cajdc6hnvn52d3fsc59s2k
  - &host_lupine-5 age199zkqq4jp4yc3d0hx2q0ksxdtp42xhmjsqwyngh8tswuck34ke3smrfyqu
  - &host_skrott age1lpkju2e053aaddpgsr4ef83epclf4c9tp4m98d35ft2fswr8p4tq2ua0mf
  - &host_ustetind age1hffjafs4slznksefmtqrlj7rdaqgzqncn4un938rhr053237ry8s3rs0v8
  - &host_skrot age1hzkvnktkr8t5gvtq0ccw69e44z5z6wf00n3xhk3hj24emf07je5s6q2evr
 creation_rules:
  # Global secrets
@@ -35,7 +32,6 @@ creation_rules:
      - *user_pederbs_sopp
      - *user_pederbs_nord
      - *user_pederbs_bjarte
      - *user_vegardbm
      pgp:
      - *user_oysteikt
@@ -50,7 +46,6 @@ creation_rules:
      - *user_pederbs_sopp
      - *user_pederbs_nord
      - *user_pederbs_bjarte
      - *user_vegardbm
      pgp:
      - *user_oysteikt
@@ -63,7 +58,6 @@ creation_rules:
      - *user_pederbs_sopp
      - *user_pederbs_nord
      - *user_pederbs_bjarte
      - *user_vegardbm
      pgp:
      - *user_oysteikt
@@ -76,7 +70,6 @@ creation_rules:
      - *user_pederbs_sopp
      - *user_pederbs_nord
      - *user_pederbs_bjarte
      - *user_vegardbm
      pgp:
      - *user_oysteikt
@@ -89,7 +82,6 @@ creation_rules:
      - *user_pederbs_sopp
      - *user_pederbs_nord
      - *user_pederbs_bjarte
      - *user_vegardbm
      pgp:
      - *user_oysteikt
@@ -102,7 +94,6 @@ creation_rules:
      - *user_pederbs_sopp
      - *user_pederbs_nord
      - *user_pederbs_bjarte
      - *user_vegardbm
      pgp:
      - *user_oysteikt
@@ -119,7 +110,6 @@ creation_rules:
      - *user_pederbs_sopp
      - *user_pederbs_nord
      - *user_pederbs_bjarte
      - *user_vegardbm
      pgp:
      - *user_oysteikt
@@ -132,31 +122,5 @@ creation_rules:
      - *user_pederbs_sopp
      - *user_pederbs_nord
      - *user_pederbs_bjarte
      - *user_vegardbm
      pgp:
      - *user_oysteikt
  - path_regex: secrets/skrott/[^/]+\.yaml$
    key_groups:
    - age:
      - *host_skrott
      - *user_danio
      - *user_felixalb
      - *user_pederbs_sopp
      - *user_pederbs_nord
      - *user_pederbs_bjarte
      - *user_vegardbm
      pgp:
      - *user_oysteikt
  - path_regex: secrets/skrot/[^/]+\.yaml$
    key_groups:
    - age:
      - *host_skrot
      - *user_danio
      - *user_felixalb
      - *user_pederbs_sopp
      - *user_pederbs_nord
      - *user_pederbs_bjarte
      - *user_vegardbm
      pgp:
      - *user_oysteikt
--- a/README.md
+++ b/README.md
@@ -4,33 +4,7 @@ This repository contains the NixOS configurations for Programvareverkstedet's se
 In addition to machine configurations, it also contains a bunch of shared modules, packages, and
 more.
-> [!WARNING]
+## Machines
 > Please read [Development - working on the PVV machines](./docs/development.md) before making
 > any changes, and [Secret management and `sops-nix`](./docs/secret-management.md) before adding
 > any credentials such as passwords, API tokens, etc. to the configuration.
 ## Deploying to machines
 > [!WARNING]
 > Be careful to think about state when testing changes against the machines. Sometimes, a certain change
 > can lead to irreversible changes to the data stored on the machine. An example would be a set of database
 > migrations applied when testing a newer version of a service. Unless that service also comes with downwards
 > migrations, you can not go back to the previous version without losing data.
 To deploy the changes to a machine, you should first SSH into the machine, and clone the pvv-nixos-config
 repository unless you have already done so. After that, checkout the branch you want to deploy from, and rebuild:
 ```bash
 # Run this while in the pvv-nixos-config directory
 sudo nixos-rebuild switch --update-input nixpkgs --update-input nixpkgs-unstable --no-write-lock-file --refresh --flake .# --upgrade
 ```
 This will rebuild the NixOS system on the current branch and switch the system configuration to reflect the new changes.
 Note that unless you eventually merge the current changes into `main`, the machine will rebuild itself automatically and
 revert the changes on the next nightly rebuild (tends to happen when everybody is asleep).
 ## Machine overview
 | Name                       | Type     | Description                                               |
 |----------------------------|----------|-----------------------------------------------------------|
@@ -43,7 +17,6 @@ revert the changes on the next nightly rebuild (tends to happen when everybody i
 | [kommode][kom]             | Virtual  | Gitea + Gitea pages                                       |
 | [lupine][lup]              | Physical | Gitea CI/CD runners                                       |
 |  shark                     | Virtual  | Test host for authentication, absolutely horrendous       |
 | [skrot/skrott][skr]        | Physical | Kiosk, snacks and soda                                    |
 | [wenche][wen]              | Virtual  | Nix-builders, general purpose compute                     |
 ## Documentation
@@ -60,5 +33,4 @@ revert the changes on the next nightly rebuild (tends to happen when everybody i
 [ild]: https://wiki.pvv.ntnu.no/wiki/Maskiner/ildkule
 [kom]: https://wiki.pvv.ntnu.no/wiki/Maskiner/kommode
 [lup]: https://wiki.pvv.ntnu.no/wiki/Maskiner/lupine
 [skr]: https://wiki.pvv.ntnu.no/wiki/Maskiner/Skrott
 [wen]: https://wiki.pvv.ntnu.no/wiki/Maskiner/wenche
--- a/base/default.nix
+++ b/base/default.nix
@@ -10,23 +10,19 @@
    (fp /users)
    (fp /modules/snakeoil-certs.nix)
    ./flake-input-exporter.nix
    ./networking.nix
    ./nix.nix
    ./programs.nix
    ./sops.nix
    ./vm.nix
    ./flake-input-exporter.nix
    ./services/acme.nix
    ./services/auto-upgrade.nix
    ./services/dbus.nix
    ./services/fwupd.nix
    ./services/irqbalance.nix
    ./services/journald-upload.nix
    ./services/logrotate.nix
    ./services/nginx.nix
    ./services/openssh.nix
    ./services/polkit.nix
    ./services/postfix.nix
    ./services/prometheus-node-exporter.nix
    ./services/prometheus-systemd-exporter.nix
@@ -42,9 +38,6 @@
  boot.tmp.cleanOnBoot = lib.mkDefault true;
  boot.kernelPackages = lib.mkDefault pkgs.linuxPackages_latest;
  boot.loader.systemd-boot.enable = lib.mkDefault true;
  boot.loader.efi.canTouchEfiVariables = lib.mkDefault true;
  time.timeZone = "Europe/Oslo";
  i18n.defaultLocale = "en_US.UTF-8";
@@ -53,8 +46,21 @@
    keyMap = "no";
  };
-  # Don't install the /lib/ld-linux.so.2 stub
+  environment.systemPackages = with pkgs; [
-  environment.ldso32 = null;
+    file
    git
    gnupg
    htop
    nano
    ripgrep
    rsync
    screen
    tmux
    vim
    wget
    kitty.terminfo
  ];
  # .bash_profile already works, but lets also use .bashrc like literally every other distro
  # https://man.archlinux.org/man/core/bash/bash.1.en#INVOCATION
@@ -68,6 +74,8 @@
    fi
  '';
  programs.zsh.enable = true;
  # security.lockKernelModules = true;
  security.protectKernelImage = true;
  security.sudo.execWheelOnly = true;
@@ -75,14 +83,6 @@
    Defaults lecture = never
  '';
  # These are servers, sleep is for the weak
  systemd.sleep.extraConfig = lib.mkDefault ''
    AllowSuspend=no
    AllowHibernation=no
  '';
  # users.mutableUsers = lib.mkDefault false;
  users.groups."drift".name = "drift";
  # Trusted users on the nix builder machines
--- a/base/nix.nix
+++ b/base/nix.nix
@@ -37,9 +37,4 @@
      "unstable=${inputs.nixpkgs-unstable}"
    ];
  };
  # Make builds to be more likely killed than important services.
  # 100 is the default for user slices and 500 is systemd-coredumpd@
  # We rather want a build to be killed than our precious user sessions as builds can be easily restarted.
  systemd.services.nix-daemon.serviceConfig.OOMScoreAdjust = lib.mkDefault 250;
 }
--- a/base/programs.nix
+++ b/base/programs.nix
@@ -1,68 +0,0 @@
 { pkgs, lib, ... }:
 {
  # We don't need fonts on headless machines
  fonts.fontconfig.enable = lib.mkDefault false;
  # Extra packags for better terminal emulator compatibility in SSH sessions
  environment.enableAllTerminfo = true;
  environment.systemPackages = with pkgs; [
    # Debug dns outside resolvectl
    dig
    # Debug and find files
    file
    # Process json data
    jq
    # Check computer specs
    lshw
    # Check who is keeping open files
    lsof
    # Scan for open ports with netstat
    net-tools
    # Grep for files quickly
    ripgrep
    # Copy files over the network
    rsync
    # Access various state, often in /var/lib
    sqlite-interactive
    # Debug software which won't debug itself
    strace
    # Download files from the internet
    wget
  ];
  # Clone/push nix config and friends
  programs.git.enable = true;
  # Gitea gpg, oysteikt sops, etc.
  programs.gnupg.agent.enable = true;
  # Monitor the wellbeing of the machines
  programs.htop.enable = true;
  # Keep sessions running during work over SSH
  programs.tmux.enable = true;
  # Same reasoning as tmux
  programs.screen.enable = true;
  # Edit files on the system without resorting to joe(1)
  programs.nano.enable = true;
  # Same reasoning as nano
  programs.vim.enable = true;
  # Same reasoning as vim
  programs.neovim.enable = true;
  # Some people like this shell for some reason
  programs.zsh.enable = true;
 }
--- a/base/services/acme.nix
+++ b/base/services/acme.nix
@@ -2,12 +2,14 @@
 {
  security.acme = {
    acceptTerms = true;
-    defaults.email = "acme-drift@pvv.ntnu.no";
+    defaults.email = "drift@pvv.ntnu.no";
  };
  # Let's not spam LetsEncrypt in `nixos-rebuild build-vm` mode:
  virtualisation.vmVariant = {
    security.acme.defaults.server = "https://127.0.0.1";
    security.acme.preliminarySelfsigned = true;
    users.users.root.initialPassword = "root";
  };
-}
+}
--- a/base/services/auto-upgrade.nix
+++ b/base/services/auto-upgrade.nix
@@ -9,8 +9,6 @@ in
    enable = true;
    flake = "git+https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git";
    flags = [
      "-L"
      "--refresh"
      "--no-write-lock-file"
      # --update-input is deprecated since nix 2.22, and removed in lix 2.90
@@ -28,7 +26,7 @@ in
  # workaround for https://github.com/NixOS/nix/issues/6895
  # via https://git.lix.systems/lix-project/lix/issues/400
-  environment.etc = lib.mkIf (!config.virtualisation.isVmVariant && config.system.autoUpgrade.enable) {
+  environment.etc = lib.mkIf (!config.virtualisation.isVmVariant) {
    "current-system-flake-inputs.json".source
      = pkgs.writers.writeJSON "flake-inputs.json" (
        lib.flip lib.mapAttrs inputs (name: input:
--- a/base/services/journald-upload.nix
+++ b/base/services/journald-upload.nix
@@ -1,24 +0,0 @@
 { config, lib, values, ... }:
 let
  cfg = config.services.journald.upload;
 in
 {
  services.journald.upload = {
    enable = lib.mkDefault true;
    settings.Upload = {
      # URL = "https://journald.pvv.ntnu.no:${toString config.services.journald.remote.port}";
      URL = "https://${values.hosts.ildkule.ipv4}:${toString config.services.journald.remote.port}";
      ServerKeyFile = "-";
      ServerCertificateFile = "-";
      TrustedCertificateFile = "-";
    };
  };
  systemd.services."systemd-journal-upload".serviceConfig = lib.mkIf cfg.enable {
    IPAddressDeny = "any";
    IPAddressAllow = [
      values.hosts.ildkule.ipv4
      values.hosts.ildkule.ipv6
    ];
  };
 }
--- a/base/services/nginx.nix
+++ b/base/services/nginx.nix
@@ -39,38 +39,29 @@
    SystemCallFilter = lib.mkForce null;
  };
-  services.nginx.virtualHosts = lib.mkIf config.services.nginx.enable {
+  services.nginx.virtualHosts."_" = lib.mkIf config.services.nginx.enable {
-    "_" = {
+    listen = [
-      listen = [
+      {
-        {
+        addr = "0.0.0.0";
-          addr = "0.0.0.0";
+        extraParameters = [
-          extraParameters = [
+          "default_server"
-            "default_server"
+          # Seemingly the default value of net.core.somaxconn
-            # Seemingly the default value of net.core.somaxconn
+          "backlog=4096"
-            "backlog=4096"
+          "deferred"
-            "deferred"
+        ];
-          ];
+      }
-        }
+      {
-        {
+        addr = "[::0]";
-          addr = "[::0]";
+        extraParameters = [
-          extraParameters = [
+          "default_server"
-            "default_server"
+          "backlog=4096"
-            "backlog=4096"
+          "deferred"
-            "deferred"
+        ];
-          ];
+      }
-        }
+    ];
-      ];
+    sslCertificate = "/etc/certs/nginx.crt";
-      sslCertificate = "/etc/certs/nginx.crt";
+    sslCertificateKey = "/etc/certs/nginx.key";
-      sslCertificateKey = "/etc/certs/nginx.key";
+    addSSL = true;
-      addSSL = true;
+    extraConfig = "return 444;";
      extraConfig = "return 444;";
    };
    ${config.networking.fqdn} = {
      sslCertificate = lib.mkDefault "/etc/certs/nginx.crt";
      sslCertificateKey = lib.mkDefault "/etc/certs/nginx.key";
      addSSL = lib.mkDefault true;
      extraConfig = lib.mkDefault "return 444;";
    };
  };
 }
--- a/base/services/polkit.nix
+++ b/base/services/polkit.nix
@@ -1,15 +0,0 @@
 { config, lib, ... }:
 let
  cfg = config.security.polkit;
 in
 {
  security.polkit.enable = true;
  environment.etc."polkit-1/rules.d/9-nixos-overrides.rules".text = lib.mkIf cfg.enable ''
    polkit.addAdminRule(function(action, subject) {
        if(subject.isInGroup("wheel")) {
            return ["unix-user:"+subject.user];
        }
    });
  '';
 }
--- a/base/services/roowho2.nix
+++ b/base/services/roowho2.nix
@@ -1,12 +1,4 @@
-{ lib, values, ... }:
+{ ... }:
 {
-  services.roowho2.enable = lib.mkDefault true;
+  services.roowho2.enable = true;
  systemd.sockets.roowho2-rwhod.socketConfig = {
    IPAddressDeny = "any";
    IPAddressAllow = [
      "127.0.0.1"
      values.ipv4-space
    ];
  };
 }
--- a/base/services/smartd.nix
+++ b/base/services/smartd.nix
@@ -1,9 +1,7 @@
 { config, pkgs, lib, ... }:
 {
  services.smartd = {
-    # NOTE: qemu guests tend not to have SMART-reporting disks. Please override for the
+    enable = lib.mkDefault true;
    #       hosts with disk passthrough.
    enable = lib.mkDefault (!config.services.qemuGuest.enable);
    notifications = {
      mail = {
        enable = true;
--- a/base/sops.nix
+++ b/base/sops.nix
@@ -1,12 +0,0 @@
 { config, fp, lib, ... }:
 {
  sops.defaultSopsFile = let
    secretsFilePath = fp /secrets/${config.networking.hostName}/${config.networking.hostName}.yaml;
  in lib.mkIf (builtins.pathExists secretsFilePath) secretsFilePath;
  sops.age = lib.mkIf (config.sops.defaultSopsFile != null) {
    sshKeyPaths = lib.mkDefault [ "/etc/ssh/ssh_host_ed25519_key" ];
    keyFile = "/var/lib/sops-nix/key.txt";
    generateKey = true;
  };
 }
--- a/base/vm.nix
+++ b/base/vm.nix
@@ -11,6 +11,5 @@
  };
  config.virtualisation.vmVariant = {
    virtualisation.isVmVariant = true;
    virtualisation.graphics = false;
  };
 }
--- a/docs/development.md
+++ b/docs/development.md
@@ -7,7 +7,7 @@ the links from the *Upstream documentation* section below, or in [Miscellaneous
 ## Editing nix files
-> [!WARNING]
+> [!WARN]
 > Before editing any nix files, make sure to read [Secret management and `sops-nix`](./secret-management.md)!
 > We do not want to add any secrets in plaintext to the nix files, and certainly not commit and publish
 > them into the common public.
@@ -156,6 +156,27 @@ nix build .#
 > built some of the machines recently. Be prepared to wait for up to an hour to build all machines from scratch
 > if this is the first time.
 ### Deploying to machines
 > [!WARN]
 > Be careful to think about state when testing changes against the machines. Sometimes, a certain change
 > can lead to irreversible changes to the data stored on the machine. An example would be a set of database
 > migrations applied when testing a newer version of a service. Unless that service also comes with downwards
 > migrations, you can not go back to the previous version without losing data.
 To deploy the changes to a machine, you should first SSH into the machine, and clone the pvv-nixos-config
 repository unless you have already done so. After that, checkout the branch you want to deploy from, and rebuild:
 ```bash
 # Run this while in the pvv-nixos-config directory
 sudo nixos-rebuild switch --update-input nixpkgs --update-input nixpkgs-unstable --no-write-lock-file --refresh --flake .# --upgrade
 ```
 This will rebuild the NixOS system on the current branch and switch the system configuration to reflect the new changes.
 Note that unless you eventually merge the current changes into `main`, the machine will rebuild itself automatically and
 revert the changes on the next nightly rebuild (tends to happen when everybody is asleep).
 ### Forcefully reset to `main`
 If you ever want to reset a machine to the `main` branch, you can do so by running:
--- a/docs/secret-management.md
+++ b/docs/secret-management.md
@@ -151,7 +151,7 @@ is up to date, you can do the following:
 ```console
 # Fetch gpg (unless you have it already)
-nix shell nixpkgs#gnupg
+nix-shell -p gpg
 # Import oysteikts key to the gpg keychain
 gpg --import ./keys/oysteikt.pub
--- a/flake.lock
+++ b/flake.lock
@@ -1,24 +1,24 @@
 {
  "nodes": {
-    "dibbler": {
+    "devshell": {
      "inputs": {
        "nixpkgs": [
          "nix-topology",
          "nixpkgs"
        ]
      },
      "locked": {
-        "lastModified": 1770133120,
+        "lastModified": 1728330715,
-        "narHash": "sha256-RuAWONXb+U3omSsuIPCrPcgj0XYqv+2djG0cnPGEyKg=",
+        "narHash": "sha256-xRJ2nPOXb//u1jaBnDP56M7v5ldavjbtR6lfGqSvcKg=",
-        "ref": "main",
+        "owner": "numtide",
-        "rev": "3123b8b474319bc75ee780e0357dcdea69dc85e6",
+        "repo": "devshell",
-        "revCount": 244,
+        "rev": "dd6b80932022cea34a019e2bb32f6fa9e494dfef",
-        "type": "git",
+        "type": "github"
        "url": "https://git.pvv.ntnu.no/Projects/dibbler.git"
      },
      "original": {
-        "ref": "main",
+        "owner": "numtide",
-        "type": "git",
+        "repo": "devshell",
-        "url": "https://git.pvv.ntnu.no/Projects/dibbler.git"
+        "type": "github"
      }
    },
    "disko": {
@@ -42,21 +42,37 @@
        "type": "github"
      }
    },
-    "flake-parts": {
+    "flake-compat": {
-      "inputs": {
+      "flake": false,
        "nixpkgs-lib": "nixpkgs-lib"
      },
      "locked": {
-        "lastModified": 1765835352,
+        "lastModified": 1696426674,
-        "narHash": "sha256-XswHlK/Qtjasvhd1nOa1e8MgZ8GS//jBoTqWtrS1Giw=",
+        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
-        "owner": "hercules-ci",
+        "owner": "edolstra",
-        "repo": "flake-parts",
+        "repo": "flake-compat",
-        "rev": "a34fae9c08a15ad73f295041fec82323541400a9",
+        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
        "type": "github"
      },
      "original": {
-        "owner": "hercules-ci",
+        "owner": "edolstra",
-        "repo": "flake-parts",
+        "repo": "flake-compat",
        "type": "github"
      }
    },
    "flake-utils": {
      "inputs": {
        "systems": "systems"
      },
      "locked": {
        "lastModified": 1726560853,
        "narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=",
        "owner": "numtide",
        "repo": "flake-utils",
        "rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a",
        "type": "github"
      },
      "original": {
        "owner": "numtide",
        "repo": "flake-utils",
        "type": "github"
      }
    },
@@ -67,11 +83,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1767906545,
+        "lastModified": 1764868579,
-        "narHash": "sha256-LOf08pcjEQFLs3dLPuep5d1bAXWOFcdfxuk3YMb5KWw=",
+        "narHash": "sha256-rfTUOIc0wnC4+19gLVfPbHfXx/ilfuUix6bWY+yaM2U=",
        "ref": "main",
-        "rev": "e55cbe0ce0b20fc5952ed491fa8a553c8afb1bdd",
+        "rev": "9c923d1d50daa6a3b28c3214ad2300bfaf6c8fcd",
-        "revCount": 23,
+        "revCount": 22,
        "type": "git",
        "url": "https://git.pvv.ntnu.no/Grzegorz/gergle.git"
      },
@@ -81,6 +97,28 @@
        "url": "https://git.pvv.ntnu.no/Grzegorz/gergle.git"
      }
    },
    "gitignore": {
      "inputs": {
        "nixpkgs": [
          "nix-topology",
          "pre-commit-hooks",
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1709087332,
        "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
        "owner": "hercules-ci",
        "repo": "gitignore.nix",
        "rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
        "type": "github"
      },
      "original": {
        "owner": "hercules-ci",
        "repo": "gitignore.nix",
        "type": "github"
      }
    },
    "greg-ng": {
      "inputs": {
        "nixpkgs": [
@@ -89,11 +127,11 @@
        "rust-overlay": "rust-overlay"
      },
      "locked": {
-        "lastModified": 1767906494,
+        "lastModified": 1765760377,
-        "narHash": "sha256-Dd6gtdZfRMAD6JhdX0GdJwIHVaBikePSpQXhIdwLlWI=",
+        "narHash": "sha256-2+lgzUjVas9hPSeWn52MwuX+iidMN4RkzkHo4vrGmR8=",
        "ref": "main",
-        "rev": "7258822e2e90fea2ea00b13b5542f63699e33a9e",
+        "rev": "f340dc5b9c9f3b75b7aca41f56f8869b9e28cf8c",
-        "revCount": 61,
+        "revCount": 58,
        "type": "git",
        "url": "https://git.pvv.ntnu.no/Grzegorz/greg-ng.git"
      },
@@ -153,11 +191,11 @@
        "rust-overlay": "rust-overlay_2"
      },
      "locked": {
-        "lastModified": 1767906976,
+        "lastModified": 1766407405,
-        "narHash": "sha256-igCg8I83eO+noF00raXVJqDxzLS2SrZN8fK5bnvO+xI=",
+        "narHash": "sha256-UEJ8F8/oG70biWRrGbL5/aB7OXzzvnYs+jxkR07UHvA=",
        "ref": "main",
-        "rev": "626bc9b6bae6a997b347cdbe84080240884f2955",
+        "rev": "e719840f72ca1b0cd169562a3a0de69899821de0",
-        "revCount": 17,
+        "revCount": 16,
        "type": "git",
        "url": "https://git.pvv.ntnu.no/Projects/minecraft-heatmap.git"
      },
@@ -174,11 +212,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1769500363,
+        "lastModified": 1765904683,
-        "narHash": "sha256-vFxmdsLBPdTy5j2bf54gbTQi1XnWbZDmeR/BBh8MFrw=",
+        "narHash": "sha256-uXM56y5n5GWpCiCNdKlTcCAy2IntgDB21c4gBDU30io=",
        "ref": "main",
-        "rev": "2618e434e40e109eaab6a0693313c7e0de7324a3",
+        "rev": "6fae27b1659efb6774cf08a4e36ed29ab0e24105",
-        "revCount": 47,
+        "revCount": 26,
        "type": "git",
        "url": "https://git.pvv.ntnu.no/Projects/minecraft-kartverket.git"
      },
@@ -195,11 +233,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1770960722,
+        "lastModified": 1743881366,
-        "narHash": "sha256-IdhPsWFZUKSJh/nLjGLJvGM5d5Uta+k1FlVYPxTZi0E=",
+        "narHash": "sha256-ScGA2IHPk9ugf9bqEZnp+YB/OJgrkZblnG/XLEKvJAo=",
        "ref": "main",
-        "rev": "c2e4aca7e1ba27cd09eeaeab47010d32a11841b2",
+        "rev": "db2e4becf1b11e5dfd33de12a90a7d089fcf68ec",
-        "revCount": 15,
+        "revCount": 11,
        "type": "git",
        "url": "https://git.pvv.ntnu.no/Drift/nix-gitea-themes.git"
      },
@@ -211,17 +249,19 @@
    },
    "nix-topology": {
      "inputs": {
-        "flake-parts": "flake-parts",
+        "devshell": "devshell",
        "flake-utils": "flake-utils",
        "nixpkgs": [
          "nixpkgs"
-        ]
+        ],
        "pre-commit-hooks": "pre-commit-hooks"
      },
      "locked": {
-        "lastModified": 1769018862,
+        "lastModified": 1765969653,
-        "narHash": "sha256-x3eMpPQhZwEDunyaUos084Hx41XwYTi2uHY4Yc4YNlk=",
+        "narHash": "sha256-qVpQxyvdByeDfb+d+jhbyNna2Ie+w85iHpt4Qu0rv/E=",
        "owner": "oddlama",
        "repo": "nix-topology",
-        "rev": "a15cac71d3399a4c2d1a3482ae62040a3a0aa07f",
+        "rev": "0ed73e5a1b65eb8ed388d070ebe8dedb9182f466",
        "type": "github"
      },
      "original": {
@@ -233,45 +273,57 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1769724120,
+        "lastModified": 1767043167,
-        "narHash": "sha256-oQBM04hQk1kotfv4qmIG1tHmuwODd1+hqRJE5TELeCE=",
+        "narHash": "sha256-wN04/SL+8tV0D2HBIgt9dpX/03U18xoJ+8PT+dcn30E=",
-        "rev": "8ec59ed5093c2a742d7744e9ecf58f358aa4a87d",
+        "rev": "0b43a6ee07997a6e319e92dcbf276c2736506944",
        "type": "tarball",
-        "url": "https://releases.nixos.org/nixos/25.11-small/nixos-25.11.4961.8ec59ed5093c/nixexprs.tar.xz"
+        "url": "https://releases.nixos.org/nixos/25.11-small/nixos-25.11.2789.0b43a6ee0799/nixexprs.tar.xz"
      },
      "original": {
        "type": "tarball",
        "url": "https://nixos.org/channels/nixos-25.11-small/nixexprs.tar.xz"
      }
    },
    "nixpkgs-lib": {
      "locked": {
        "lastModified": 1765674936,
        "narHash": "sha256-k00uTP4JNfmejrCLJOwdObYC9jHRrr/5M/a/8L2EIdo=",
        "owner": "nix-community",
        "repo": "nixpkgs.lib",
        "rev": "2075416fcb47225d9b68ac469a5c4801a9c4dd85",
        "type": "github"
      },
      "original": {
        "owner": "nix-community",
        "repo": "nixpkgs.lib",
        "type": "github"
      }
    },
    "nixpkgs-unstable": {
      "locked": {
-        "lastModified": 1769813739,
+        "lastModified": 1767031366,
-        "narHash": "sha256-RmNWW1DQczvDwBHu11P0hGwJZxbngdoymVu7qkwq/2M=",
+        "narHash": "sha256-SJz8tVEnXusU8OzN5ixAXQgzXv8fNIzp9ztzUyobh4s=",
-        "rev": "16a3cae5c2487b1afa240e5f2c1811f172419558",
+        "rev": "d23fedd87fcd067b1d160323fae0d0e4f995527d",
        "type": "tarball",
-        "url": "https://releases.nixos.org/nixos/unstable-small/nixos-26.05pre937548.16a3cae5c248/nixexprs.tar.xz"
+        "url": "https://releases.nixos.org/nixos/unstable-small/nixos-26.05pre918279.d23fedd87fcd/nixexprs.tar.xz"
      },
      "original": {
        "type": "tarball",
        "url": "https://nixos.org/channels/nixos-unstable-small/nixexprs.tar.xz"
      }
    },
    "pre-commit-hooks": {
      "inputs": {
        "flake-compat": "flake-compat",
        "gitignore": "gitignore",
        "nixpkgs": [
          "nix-topology",
          "nixpkgs"
        ],
        "nixpkgs-stable": [
          "nix-topology",
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1730797577,
        "narHash": "sha256-SrID5yVpyUfknUTGWgYkTyvdr9J1LxUym4om3SVGPkg=",
        "owner": "cachix",
        "repo": "pre-commit-hooks.nix",
        "rev": "1864030ed24a2b8b4e4d386a5eeaf0c5369e50a9",
        "type": "github"
      },
      "original": {
        "owner": "cachix",
        "repo": "pre-commit-hooks.nix",
        "type": "github"
      }
    },
    "pvv-calendar-bot": {
      "inputs": {
        "nixpkgs": [
@@ -300,11 +352,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1769009806,
+        "lastModified": 1767080188,
-        "narHash": "sha256-52xTtAOc9B+MBRMRZ8HI6ybNsRLMlHHLh+qwAbaJjRY=",
+        "narHash": "sha256-BmyPuWeSQ9XREyi0KSerWRfJndmyzHNJLysBJld/KwA=",
        "ref": "main",
-        "rev": "aa8adfc6a4d5b6222752e2d15d4a6d3b3b85252e",
+        "rev": "08a216f4473e26aa2a5349e72633c0ab24e8ffbd",
-        "revCount": 575,
+        "revCount": 534,
        "type": "git",
        "url": "https://git.pvv.ntnu.no/Projects/nettsiden.git"
      },
@@ -314,30 +366,8 @@
        "url": "https://git.pvv.ntnu.no/Projects/nettsiden.git"
      }
    },
    "qotd": {
      "inputs": {
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1768684204,
        "narHash": "sha256-TErBiXxTRPUtZ/Mw8a5p+KCeGCFXa0o8fzwGoo75//Y=",
        "ref": "main",
        "rev": "a86f361bb8cfac3845b96d49fcbb2faea669844f",
        "revCount": 11,
        "type": "git",
        "url": "https://git.pvv.ntnu.no/Projects/qotd.git"
      },
      "original": {
        "ref": "main",
        "type": "git",
        "url": "https://git.pvv.ntnu.no/Projects/qotd.git"
      }
    },
    "root": {
      "inputs": {
        "dibbler": "dibbler",
        "disko": "disko",
        "gergle": "gergle",
        "greg-ng": "greg-ng",
@@ -351,7 +381,6 @@
        "nixpkgs-unstable": "nixpkgs-unstable",
        "pvv-calendar-bot": "pvv-calendar-bot",
        "pvv-nettsiden": "pvv-nettsiden",
        "qotd": "qotd",
        "roowho2": "roowho2",
        "sops-nix": "sops-nix"
      }
@@ -364,11 +393,11 @@
        "rust-overlay": "rust-overlay_3"
      },
      "locked": {
-        "lastModified": 1769834595,
+        "lastModified": 1767631532,
-        "narHash": "sha256-P1jrO7BxHyIKDuOXHuUb7bi4H2TuYnACW5eqf1gG47g=",
+        "narHash": "sha256-cDUHAGjfkH3G/lxXhfEzHOZrt8JDSGOGa2M25jJtrMg=",
        "ref": "main",
-        "rev": "def4eec2d59a69b4638b3f25d6d713b703b2fa56",
+        "rev": "fa789c43a667f50c14fa8238c51af5bcd7ab5aa7",
-        "revCount": 49,
+        "revCount": 26,
        "type": "git",
        "url": "https://git.pvv.ntnu.no/Projects/roowho2.git"
      },
@@ -386,11 +415,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1767840362,
+        "lastModified": 1765680428,
-        "narHash": "sha256-ZtsFqUhilubohNZ1TgpQIFsi4biZTwRH9rjZsDRDik8=",
+        "narHash": "sha256-fyPmRof9SZeI14ChPk5rVPOm7ISiiGkwGCunkhM+eUg=",
        "owner": "oxalica",
        "repo": "rust-overlay",
-        "rev": "d159ea1fc321c60f88a616ac28bab660092a227d",
+        "rev": "eb3898d8ef143d4bf0f7f2229105fc51c7731b2f",
        "type": "github"
      },
      "original": {
@@ -428,11 +457,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1769309768,
+        "lastModified": 1767322002,
-        "narHash": "sha256-AbOIlNO+JoqRJkK1VrnDXhxuX6CrdtIu2hSuy4pxi3g=",
+        "narHash": "sha256-yHKXXw2OWfIFsyTjduB4EyFwR0SYYF0hK8xI9z4NIn0=",
        "owner": "oxalica",
        "repo": "rust-overlay",
-        "rev": "140c9dc582cb73ada2d63a2180524fcaa744fad5",
+        "rev": "03c6e38661c02a27ca006a284813afdc461e9f7e",
        "type": "github"
      },
      "original": {
@@ -448,11 +477,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1769469829,
+        "lastModified": 1766894905,
-        "narHash": "sha256-wFcr32ZqspCxk4+FvIxIL0AZktRs6DuF8oOsLt59YBU=",
+        "narHash": "sha256-pn8AxxfajqyR/Dmr1wnZYdUXHgM3u6z9x0Z1Ijmz2UQ=",
        "owner": "Mic92",
        "repo": "sops-nix",
-        "rev": "c5eebd4eb2e3372fe12a8d70a248a6ee9dd02eff",
+        "rev": "61b39c7b657081c2adc91b75dd3ad8a91d6f07a7",
        "type": "github"
      },
      "original": {
@@ -461,6 +490,21 @@
        "repo": "sops-nix",
        "type": "github"
      }
    },
    "systems": {
      "locked": {
        "lastModified": 1681028828,
        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
        "owner": "nix-systems",
        "repo": "default",
        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
        "type": "github"
      },
      "original": {
        "owner": "nix-systems",
        "repo": "default",
        "type": "github"
      }
    }
  },
  "root": "root",
--- a/flake.nix
+++ b/flake.nix
@@ -20,9 +20,6 @@
    pvv-calendar-bot.url = "git+https://git.pvv.ntnu.no/Projects/calendar-bot.git?ref=main";
    pvv-calendar-bot.inputs.nixpkgs.follows = "nixpkgs";
    dibbler.url = "git+https://git.pvv.ntnu.no/Projects/dibbler.git?ref=main";
    dibbler.inputs.nixpkgs.follows = "nixpkgs";
    matrix-next.url = "github:dali99/nixos-matrix-modules/v0.8.0";
    matrix-next.inputs.nixpkgs.follows = "nixpkgs";
@@ -44,9 +41,6 @@
    minecraft-kartverket.url = "git+https://git.pvv.ntnu.no/Projects/minecraft-kartverket.git?ref=main";
    minecraft-kartverket.inputs.nixpkgs.follows = "nixpkgs";
    qotd.url = "git+https://git.pvv.ntnu.no/Projects/qotd.git?ref=main";
    qotd.inputs.nixpkgs.follows = "nixpkgs";
  };
  outputs = { self, nixpkgs, nixpkgs-unstable, sops-nix, disko, ... }@inputs:
@@ -69,76 +63,59 @@
  in {
    inputs = lib.mapAttrs (_: src: src.outPath) inputs;
-    pkgs = forAllSystems (system: import nixpkgs {
+    pkgs = forAllSystems (system:
-      inherit system;
+      import nixpkgs {
-      config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg)
+        inherit system;
-        [
+        config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg)
-          "nvidia-x11"
+          [
-          "nvidia-settings"
+            "nvidia-x11"
-        ];
+            "nvidia-settings"
-    });
+          ];
      });
    nixosConfigurations = let
      unstablePkgs = nixpkgs-unstable.legacyPackages.x86_64-linux;
      nixosConfig =
        nixpkgs:
        name:
        configurationPath:
-        extraArgs@{
+        extraArgs:
-          localSystem ? "x86_64-linux", # buildPlatform
+        lib.nixosSystem (lib.recursiveUpdate
-          crossSystem ? "x86_64-linux", # hostPlatform
+        (let
-          specialArgs ? { },
+          system = "x86_64-linux";
-          modules ? [ ],
+        in {
-          overlays ? [ ],
+          inherit system;
-          enableDefaults ? true,
+
-          ...
+          specialArgs = {
-        }:
+            inherit unstablePkgs inputs;
-        let
+            values = import ./values.nix;
-          commonPkgsConfig = {
+            fp = path: ./${path};
-            inherit localSystem crossSystem;
+          } // extraArgs.specialArgs or { };
          modules = [
            configurationPath
            sops-nix.nixosModules.sops
            inputs.roowho2.nixosModules.default
          ] ++ extraArgs.modules or [];
          pkgs = import nixpkgs {
            inherit system;
            config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg)
              [
                "nvidia-x11"
                "nvidia-settings"
              ];
-            overlays = (lib.optionals enableDefaults [
+            overlays = [
              # Global overlays go here
              inputs.roowho2.overlays.default
-            ]) ++ overlays;
+            ] ++ extraArgs.overlays or [ ];
          };
-
+        })
          pkgs = import nixpkgs commonPkgsConfig;
          unstablePkgs = import nixpkgs-unstable commonPkgsConfig;
        in
        lib.nixosSystem (lib.recursiveUpdate
        {
          system = crossSystem;
          inherit pkgs;
          specialArgs = {
            inherit inputs unstablePkgs;
            values = import ./values.nix;
            fp = path: ./${path};
          } // specialArgs;
          modules = [
            {
              networking.hostName = lib.mkDefault name;
            }
            configurationPath
          ] ++ (lib.optionals enableDefaults [
            sops-nix.nixosModules.sops
            inputs.roowho2.nixosModules.default
            self.nixosModules.rsync-pull-targets
          ]) ++ modules;
        }
        (builtins.removeAttrs extraArgs [
          "localSystem"
          "crossSystem"
          "modules"
          "overlays"
          "specialArgs"
          "enableDefaults"
        ])
      );
@@ -147,7 +124,7 @@
    in {
      bakke = stableNixosConfig "bakke" {
        modules = [
-          inputs.disko.nixosModules.disko
+          disko.nixosModules.disko
        ];
      };
      bicep = stableNixosConfig "bicep" {
@@ -162,40 +139,29 @@
          inputs.pvv-calendar-bot.overlays.default
          inputs.minecraft-heatmap.overlays.default
          (final: prev: {
-            inherit (self.packages.${prev.stdenv.hostPlatform.system}) out-of-your-element;
+            inherit (self.packages.${prev.system}) out-of-your-element;
          })
        ];
      };
      bekkalokk = stableNixosConfig "bekkalokk" {
        overlays = [
          (final: prev: {
            heimdal = unstablePkgs.heimdal;
            mediawiki-extensions = final.callPackage ./packages/mediawiki-extensions { };
            simplesamlphp = final.callPackage ./packages/simplesamlphp { };
            simplesamlphptheme = final.callPackage ./packages/simplesamlphptheme { };
            bluemap = final.callPackage ./packages/bluemap.nix { };
          })
          inputs.pvv-nettsiden.overlays.default
          inputs.qotd.overlays.default
        ];
        modules = [
          inputs.pvv-nettsiden.nixosModules.default
          self.nixosModules.bluemap
          inputs.qotd.nixosModules.default
        ];
      };
      ildkule = stableNixosConfig "ildkule" { };
      #ildkule-unstable = unstableNixosConfig "ildkule" { };
      skrot = stableNixosConfig "skrot" {
        modules = [
          inputs.disko.nixosModules.disko
          inputs.dibbler.nixosModules.default
        ];
        overlays = [inputs.dibbler.overlays.default];
      };
      shark = stableNixosConfig "shark" { };
      wenche = stableNixosConfig "wenche" { };
      temmie = stableNixosConfig "temmie" { };
      gluttony = stableNixosConfig "gluttony" { };
      kommode = stableNixosConfig "kommode" {
        overlays = [
@@ -203,7 +169,6 @@
        ];
        modules = [
          inputs.nix-gitea-themes.nixosModules.default
          inputs.disko.nixosModules.disko
        ];
      };
@@ -237,38 +202,6 @@
      };
    }
    //
    (let
      skrottConfig = {
        modules = [
          (nixpkgs + "/nixos/modules/installer/sd-card/sd-image-aarch64.nix")
          inputs.dibbler.nixosModules.default
        ];
        overlays = [
          inputs.dibbler.overlays.default
          (final: prev: {
            # NOTE: Yeetus (these break crosscompile ¯\_(ツ)_/¯)
            atool = prev.emptyDirectory;
            micro = prev.emptyDirectory;
            ncdu = prev.emptyDirectory;
          })
        ];
      };
    in {
      skrott = self.nixosConfigurations.skrott-native;
      skrott-native = stableNixosConfig "skrott" (skrottConfig // {
        localSystem = "aarch64-linux";
        crossSystem = "aarch64-linux";
      });
      skrott-cross = stableNixosConfig "skrott" (skrottConfig // {
        localSystem = "x86_64-linux";
        crossSystem = "aarch64-linux";
      });
      skrott-x86_64 = stableNixosConfig "skrott" (skrottConfig // {
        localSystem = "x86_64-linux";
        crossSystem = "x86_64-linux";
      });
    })
    //
    (let
      machineNames = map (i: "lupine-${toString i}") (lib.range 1 5);
      stableLupineNixosConfig = name: extraArgs:
@@ -280,25 +213,15 @@
    nixosModules = {
      bluemap = ./modules/bluemap.nix;
      gickup = ./modules/gickup;
      matrix-ooye = ./modules/matrix-ooye.nix;
      robots-txt = ./modules/robots-txt.nix;
      rsync-pull-targets = ./modules/rsync-pull-targets.nix;
      snakeoil-certs = ./modules/snakeoil-certs.nix;
      snappymail = ./modules/snappymail.nix;
      robots-txt = ./modules/robots-txt.nix;
      gickup = ./modules/gickup;
      matrix-ooye = ./modules/matrix-ooye.nix;
    };
    devShells = forAllSystems (system: {
-      default = let
+      default = nixpkgs-unstable.legacyPackages.${system}.callPackage ./shell.nix { };
        pkgs = import nixpkgs-unstable {
          inherit system;
          overlays = [
            (final: prev: {
              inherit (inputs.disko.packages.${system}) disko;
            })
          ];
        };
      in pkgs.callPackage ./shell.nix { };
      cuda = let
        cuda-pkgs = import nixpkgs-unstable {
          inherit system;
@@ -312,20 +235,19 @@
    packages = {
      "x86_64-linux" = let
-        system = "x86_64-linux";
+        pkgs = nixpkgs.legacyPackages."x86_64-linux";
        pkgs = nixpkgs.legacyPackages.${system};
      in rec {
        default = important-machines;
        important-machines = pkgs.linkFarm "important-machines"
-          (lib.getAttrs importantMachines self.packages.${system});
+          (lib.getAttrs importantMachines self.packages.x86_64-linux);
        all-machines = pkgs.linkFarm "all-machines"
-          (lib.getAttrs allMachines self.packages.${system});
+          (lib.getAttrs allMachines self.packages.x86_64-linux);
        simplesamlphp = pkgs.callPackage ./packages/simplesamlphp { };
        bluemap = pkgs.callPackage ./packages/bluemap.nix { };
-        out-of-your-element = pkgs.callPackage ./packages/ooye/package.nix { };
+        out-of-your-element = pkgs.callPackage ./packages/out-of-your-element.nix { };
      }
      //
      # Mediawiki extensions
@@ -339,25 +261,15 @@
      lib.genAttrs allMachines
        (machine: self.nixosConfigurations.${machine}.config.system.build.toplevel)
      //
      # Skrott is exception
      {
        skrott = self.packages.${system}.skrott-native-sd;
        skrott-native = self.nixosConfigurations.skrott-native.config.system.build.toplevel;
        skrott-native-sd = self.nixosConfigurations.skrott-native.config.system.build.sdImage;
        skrott-cross = self.nixosConfigurations.skrott-cross.config.system.build.toplevel;
        skrott-cross-sd = self.nixosConfigurations.skrott-cross.config.system.build.sdImage;
        skrott-x86_64 = self.nixosConfigurations.skrott-x86_64.config.system.build.toplevel;
      }
      //
      # Nix-topology
      (let
        topology' = import inputs.nix-topology {
          pkgs = import nixpkgs {
-            inherit system;
+            system = "x86_64-linux";
            overlays = [
              inputs.nix-topology.overlays.default
              (final: prev: {
-                inherit (nixpkgs-unstable.legacyPackages.${system}) super-tiny-icons;
+                inherit (nixpkgs-unstable.legacyPackages.x86_64-linux) super-tiny-icons;
              })
            ];
          };
--- a/hosts/bakke/configuration.nix
+++ b/hosts/bakke/configuration.nix
@@ -6,13 +6,20 @@
      ./filesystems.nix
    ];
  sops.defaultSopsFile = ../../secrets/bakke/bakke.yaml;
  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
  sops.age.keyFile = "/var/lib/sops-nix/key.txt";
  sops.age.generateKey = true;
  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;
  networking.hostName = "bakke";
  networking.hostId = "99609ffc";
  systemd.network.networks."30-enp2s0" = values.defaultNetworkConfig // {
    matchConfig.Name = "enp2s0";
    address = with values.hosts.bakke; [ (ipv4 + "/25") (ipv6 + "/64") ];
  };
  # Don't change (even during upgrades) unless you know what you are doing.
  # See https://search.nixos.org/options?show=system.stateVersion
  system.stateVersion = "24.05";
 }
--- a/hosts/bakke/filesystems.nix
+++ b/hosts/bakke/filesystems.nix
@@ -1,17 +1,17 @@
-{ pkgs,... }:
+{ config, pkgs, lib, ... }:
 {
  # Boot drives:
  boot.swraid.enable = true;
  # ZFS Data pool:
  environment.systemPackages = with pkgs; [ zfs ];
  boot = {
    zfs = {
      extraPools = [ "tank" ];
      requestEncryptionCredentials = false;
    };
-    supportedFilesystems.zfs = true;
+    supportedFilesystems = [ "zfs" ];
-    # Use stable linux packages, these work with zfs
+    kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
    kernelPackages = pkgs.linuxPackages;
  };
  services.zfs.autoScrub = {
    enable = true;
--- a/hosts/bakke/hardware-configuration.nix
+++ b/hosts/bakke/hardware-configuration.nix
@@ -1,4 +1,4 @@
-# Do not modify this file!  It was generated by 'nixos-generate-config'
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 { config, lib, pkgs, modulesPath, ... }:
--- a/hosts/bekkalokk/configuration.nix
+++ b/hosts/bekkalokk/configuration.nix
@@ -16,9 +16,18 @@
    ./services/webmail
    ./services/website
    ./services/well-known
    ./services/qotd
  ];
  sops.defaultSopsFile = fp /secrets/bekkalokk/bekkalokk.yaml;
  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
  sops.age.keyFile = "/var/lib/sops-nix/key.txt";
  sops.age.generateKey = true;
  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;
  networking.hostName = "bekkalokk";
  systemd.network.networks."30-enp2s0" = values.defaultNetworkConfig // {
    matchConfig.Name = "enp2s0";
    address = with values.hosts.bekkalokk; [ (ipv4 + "/25") (ipv6 + "/64") ];
@@ -26,7 +35,7 @@
  services.btrfs.autoScrub.enable = true;
-  # Don't change (even during upgrades) unless you know what you are doing.
+  # Do not change, even during upgrades.
  # See https://search.nixos.org/options?show=system.stateVersion
-  system.stateVersion = "25.11";
+  system.stateVersion = "22.11";
 }
--- a/hosts/bekkalokk/hardware-configuration.nix
+++ b/hosts/bekkalokk/hardware-configuration.nix
@@ -1,4 +1,4 @@
-# Do not modify this file!  It was generated by 'nixos-generate-config'
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 { config, lib, pkgs, modulesPath, ... }:
--- a/hosts/bekkalokk/services/bluemap.nix
+++ b/hosts/bekkalokk/services/bluemap.nix
@@ -21,7 +21,6 @@ in {
      inherit (inputs.minecraft-kartverket.packages.${pkgs.stdenv.hostPlatform.system}) bluemap-export;
    in {
      "verden" = {
        extraHoconMarkersFile = "${bluemap-export}/overworld.hocon";
        settings = {
          world = vanillaSurvival;
          dimension = "minecraft:overworld";
@@ -33,10 +32,12 @@ in {
          };
          ambient-light = 0.1;
          cave-detection-ocean-floor = -5;
          marker-sets = {
            _includes = [ (format.lib.mkInclude "${bluemap-export}/overworld.hocon") ];
          };
        };
      };
      "underverden" = {
        extraHoconMarkersFile = "${bluemap-export}/nether.hocon";
        settings = {
          world = vanillaSurvival;
          dimension = "minecraft:the_nether";
@@ -56,10 +57,12 @@ in {
          render-mask = [{
            max-y = 90;
          }];
          marker-sets = {
            _includes = [ (format.lib.mkInclude "${bluemap-export}/nether.hocon") ];
          };
        };
      };
      "enden" = {
        extraHoconMarkersFile = "${bluemap-export}/the-end.hocon";
        settings = {
          world = vanillaSurvival;
          dimension = "minecraft:the_end";
@@ -75,6 +78,9 @@ in {
          ambient-light = 0.6;
          remove-caves-below-y = -10000;
          cave-detection-ocean-floor = -5;
          marker-sets = {
            _includes = [ (format.lib.mkInclude "${bluemap-export}/the-end.hocon") ];
          };
        };
      };
    };
--- a/hosts/bekkalokk/services/idp-simplesamlphp/config.php
+++ b/hosts/bekkalokk/services/idp-simplesamlphp/config.php
@@ -858,11 +858,7 @@ $config = [
    /*
     * Which theme directory should be used?
     */
-    'module.enable' => [
+    'theme.use' => 'default',
 	    'pvv' => TRUE,
    ],
    'theme.use' => 'ssp-theme:pvv',
    /*
     * Set this option to the text you would like to appear at the header of each page. Set to false if you don't want
--- a/hosts/bekkalokk/services/idp-simplesamlphp/default.nix
+++ b/hosts/bekkalokk/services/idp-simplesamlphp/default.nix
@@ -97,7 +97,6 @@ let
      '';
      "modules/authpwauth/src/Auth/Source/PwAuth.php" = ./authpwauth.php;
      #"modules/ssp-theme" = pkgs.simplesamlphptheme;
    };
  };
 in
--- a/hosts/bekkalokk/services/mediawiki/default.nix
+++ b/hosts/bekkalokk/services/mediawiki/default.nix
@@ -1,4 +1,4 @@
-{ pkgs, lib, fp, config, values, ... }: let
+{ pkgs, lib, fp, config, values, pkgs-unstable, ... }: let
  cfg = config.services.mediawiki;
  # "mediawiki"
@@ -34,7 +34,6 @@ in {
  services.idp.sp-remote-metadata = [ "https://wiki.pvv.ntnu.no/simplesaml/" ];
  sops.secrets = lib.pipe [
    "mediawiki/secret-key"
    "mediawiki/password"
    "mediawiki/postgres_password"
    "mediawiki/simplesamlphp/postgres_password"
@@ -49,23 +48,6 @@ in {
    lib.listToAttrs
  ];
  services.rsync-pull-targets = {
    enable = true;
    locations.${cfg.uploadsDir} = {
      user = "root";
      rrsyncArgs.ro = true;
      authorizedKeysAttrs = [
        "restrict"
        "from=\"principal.pvv.ntnu.no,${values.hosts.principal.ipv6},${values.hosts.principal.ipv4}\""
        "no-agent-forwarding"
        "no-port-forwarding"
        "no-pty"
        "no-X11-forwarding"
      ];
      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICHFHa3Iq1oKPhbKCAIHgOoWOTkLmIc7yqxeTbut7ig/ mediawiki rsync backup";
    };
  };
  services.mediawiki = {
    enable = true;
    name = "Programvareverkstedet";
@@ -162,24 +144,6 @@ in {
      $wgDBserver = "${toString cfg.database.host}";
      $wgAllowCopyUploads = true;
      # Files
      $wgFileExtensions = [
        'bmp',
        'gif',
        'jpeg',
        'jpg',
        'mp3',
        'odg',
        'odp',
        'ods',
        'odt',
        'pdf',
        'png',
        'tiff',
        'webm',
        'webp',
      ];
      # Misc program paths
      $wgFFmpegLocation = '${pkgs.ffmpeg}/bin/ffmpeg';
      $wgExiftool = '${pkgs.exiftool}/bin/exiftool';
@@ -215,15 +179,15 @@ in {
  # Cache directory for simplesamlphp
  # systemd.services.phpfpm-mediawiki.serviceConfig.CacheDirectory = "mediawiki/simplesamlphp";
-  systemd.tmpfiles.settings."10-mediawiki"."/var/cache/mediawiki/simplesamlphp".d = lib.mkIf cfg.enable {
+  systemd.tmpfiles.settings."10-mediawiki"."/var/cache/mediawiki/simplesamlphp".d = {
    user = "mediawiki";
    group = "mediawiki";
    mode = "0770";
  };
-  users.groups.mediawiki.members = lib.mkIf cfg.enable [ "nginx" ];
+  users.groups.mediawiki.members = [ "nginx" ];
-  services.nginx.virtualHosts."wiki.pvv.ntnu.no" = lib.mkIf cfg.enable {
+  services.nginx.virtualHosts."wiki.pvv.ntnu.no" = {
    kTLS = true;
    forceSSL = true;
    enableACME = true;
@@ -269,22 +233,4 @@ in {
    };
  };
  systemd.services.mediawiki-init = lib.mkIf cfg.enable {
    after = [ "sops-install-secrets.service" ];
    serviceConfig = {
      BindReadOnlyPaths = [ "/run/credentials/mediawiki-init.service/secret-key:/var/lib/mediawiki/secret.key" ];
      LoadCredential = [ "secret-key:${config.sops.secrets."mediawiki/secret-key".path}" ];
      UMask = lib.mkForce "0007";
    };
  };
  systemd.services.phpfpm-mediawiki = lib.mkIf cfg.enable {
    after = [ "sops-install-secrets.service" ];
    serviceConfig = {
      BindReadOnlyPaths = [ "/run/credentials/phpfpm-mediawiki.service/secret-key:/var/lib/mediawiki/secret.key" ];
      LoadCredential = [ "secret-key:${config.sops.secrets."mediawiki/secret-key".path}" ];
      UMask = lib.mkForce "0007";
    };
  };
 }
--- a/hosts/bekkalokk/services/qotd/default.nix
+++ b/hosts/bekkalokk/services/qotd/default.nix
@@ -1,6 +0,0 @@
 {
  services.qotd = {
    enable = true;
    quotes = builtins.fromJSON (builtins.readFile ./quotes.json);
  };
 }
--- a/hosts/bekkalokk/services/qotd/quotes.json
+++ b/hosts/bekkalokk/services/qotd/quotes.json
@@ -1 +0,0 @@
 ["quote 1", "quote 2"]
--- a/hosts/bekkalokk/services/vaultwarden.nix
+++ b/hosts/bekkalokk/services/vaultwarden.nix
@@ -1,4 +1,4 @@
-{ config, pkgs, lib, values, ... }:
+{ config, pkgs, lib, ... }:
 let
  cfg = config.services.vaultwarden;
  domain = "pw.pvv.ntnu.no";
@@ -99,21 +99,4 @@ in {
      ];
    };
  };
  services.rsync-pull-targets = {
    enable = true;
    locations."/var/lib/vaultwarden" = {
      user = "root";
      rrsyncArgs.ro = true;
      authorizedKeysAttrs = [
        "restrict"
        "from=\"principal.pvv.ntnu.no,${values.hosts.principal.ipv6},${values.hosts.principal.ipv4}\""
        "no-agent-forwarding"
        "no-port-forwarding"
        "no-pty"
        "no-X11-forwarding"
      ];
      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB2cDaW52gBtLVaNqoGijvN2ZAVkAWlII5AXUzT3Dswj vaultwarden rsync backup";
    };
  };
 }
--- a/hosts/bekkalokk/services/webmail/snappymail.nix
+++ b/hosts/bekkalokk/services/webmail/snappymail.nix
@@ -1,4 +1,4 @@
-{ config, lib, fp, pkgs, values, ... }:
+{ config, lib, fp, pkgs, ... }:
 let
  cfg = config.services.snappymail;
 in {
@@ -14,21 +14,5 @@ in {
    enableACME = true;
    kTLS = true;
  };
  services.rsync-pull-targets = {
    enable = true;
    locations.${cfg.dataDir} = {
      user = "root";
      rrsyncArgs.ro = true;
      authorizedKeysAttrs = [
        "restrict"
        "from=\"principal.pvv.ntnu.no,${values.hosts.principal.ipv6},${values.hosts.principal.ipv4}\""
        "no-agent-forwarding"
        "no-port-forwarding"
        "no-pty"
        "no-X11-forwarding"
      ];
      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJENMnuNsHEeA91oX+cj7Qpex2defSXP/lxznxCAqV03 snappymail rsync backup";
    };
  };
 }
--- a/hosts/bekkalokk/services/website/fetch-gallery.nix
+++ b/hosts/bekkalokk/services/website/fetch-gallery.nix
@@ -1,30 +1,15 @@
-{ pkgs, lib, config, values, ... }:
+{ pkgs, lib, config, ... }:
 let
  galleryDir = config.services.pvv-nettsiden.settings.GALLERY.DIR;
  transferDir = "${config.services.pvv-nettsiden.settings.GALLERY.DIR}-transfer";
 in {
  users.users.${config.services.pvv-nettsiden.user} = {
    # NOTE: the user unfortunately needs a registered shell for rrsync to function...
    #       is there anything we can do to remove this?
    useDefaultShell = true;
  };
-  # This is pushed from microbel:/var/www/www-gallery/build-gallery.sh
+    # This is pushed from microbel:/var/www/www-gallery/build-gallery.sh
-  services.rsync-pull-targets = {
+    openssh.authorizedKeys.keys = [
-    enable = true;
+    ''command="${pkgs.rrsync}/bin/rrsync -wo ${transferDir}",restrict,no-agent-forwarding,no-port-forwarding,no-pty,no-X11-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIjHhC2dikhWs/gG+m7qP1eSohWzTehn4ToNzDSOImyR gallery-publish''
-    locations.${transferDir} = {
+    ];
      user = config.services.pvv-nettsiden.user;
      rrsyncArgs.wo = true;
      authorizedKeysAttrs = [
        "restrict"
        "from=\"microbel.pvv.ntnu.no,${values.hosts.microbel.ipv6},${values.hosts.microbel.ipv4}\""
        "no-agent-forwarding"
        "no-port-forwarding"
        "no-pty"
        "no-X11-forwarding"
      ];
      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIjHhC2dikhWs/gG+m7qP1eSohWzTehn4ToNzDSOImyR gallery-publish";
    };
  };
  systemd.paths.pvv-nettsiden-gallery-update = {
--- a/hosts/bekkalokk/services/well-known/default.nix
+++ b/hosts/bekkalokk/services/well-known/default.nix
@@ -1,25 +1,18 @@
-{ lib, ... }:
+{ ... }:
 {
-  services.nginx.virtualHosts = lib.genAttrs [
+  services.nginx.virtualHosts."www.pvv.ntnu.no".locations = {
-    "pvv.ntnu.no"
+    "^~ /.well-known/" = {
-    "www.pvv.ntnu.no"
+      alias = (toString ./root) + "/";
    "pvv.org"
    "www.pvv.org"
  ] (_: {
    locations = {
      "^~ /.well-known/" = {
        alias = (toString ./root) + "/";
      };
      # Proxy the matrix well-known files
      # Host has be set before proxy_pass
      # The header must be set so nginx on the other side routes it to the right place
      "^~ /.well-known/matrix/" = {
        extraConfig = ''
          proxy_set_header Host matrix.pvv.ntnu.no;
          proxy_pass https://matrix.pvv.ntnu.no/.well-known/matrix/;
        '';
      };
    };
-  });
+
    # Proxy the matrix well-known files
    # Host has be set before proxy_pass
    # The header must be set so nginx on the other side routes it to the right place
    "^~ /.well-known/matrix/" = {
      extraConfig = ''
        proxy_set_header Host matrix.pvv.ntnu.no;
        proxy_pass https://matrix.pvv.ntnu.no/.well-known/matrix/;
      '';
    };
  };
 }
--- a/hosts/bekkalokk/services/well-known/root/security.txt
+++ b/hosts/bekkalokk/services/well-known/root/security.txt
@@ -6,11 +6,7 @@ Contact: mailto:cert@pvv.ntnu.no
 Preferred-Languages: no, en
 Expires: 2032-12-31T23:59:59.000Z
-# This file was last updated 2026-02-27.
+# This file was last updated 2024-09-14.
 # You can find a wikipage for our security policies at:
 # https://wiki.pvv.ntnu.no/wiki/CERT
 # Please note that we are a student organization, and unfortunately we do not
 # have a bug bounty program or offer monetary compensation for disclosure of
 # security vulnerabilities.
--- a/hosts/bicep/configuration.nix
+++ b/hosts/bicep/configuration.nix
@@ -9,12 +9,22 @@
    ./services/calendar-bot.nix
    #./services/git-mirrors
    ./services/minecraft-heatmap.nix
-    ./services/mysql
+    ./services/mysql.nix
-    ./services/postgresql
+    ./services/postgres.nix
    ./services/matrix
  ];
  sops.defaultSopsFile = fp /secrets/bicep/bicep.yaml;
  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
  sops.age.keyFile = "/var/lib/sops-nix/key.txt";
  sops.age.generateKey = true;
  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;
  networking.hostName = "bicep";
  #systemd.network.networks."30-enp6s0f0" = values.defaultNetworkConfig // {
  systemd.network.networks."30-ens18" = values.defaultNetworkConfig // {
    #matchConfig.Name = "enp6s0f0";
@@ -26,9 +36,17 @@
    anyInterface = true;
  };
  # There are no smart devices
  services.smartd.enable = false;
  # we are a vm now
  services.qemuGuest.enable = true;
-  # Don't change (even during upgrades) unless you know what you are doing.
+  # Enable the OpenSSH daemon.
  services.openssh.enable = true;
  services.sshguard.enable = true;
  # Do not change, even during upgrades.
  # See https://search.nixos.org/options?show=system.stateVersion
-  system.stateVersion = "25.11";
+  system.stateVersion = "22.11";
 }
--- a/hosts/bicep/hardware-configuration.nix
+++ b/hosts/bicep/hardware-configuration.nix
@@ -1,4 +1,4 @@
-# Do not modify this file!  It was generated by 'nixos-generate-config'
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 { config, lib, pkgs, modulesPath, ... }:
--- a/hosts/bicep/services/git-mirrors/default.nix
+++ b/hosts/bicep/services/git-mirrors/default.nix
@@ -66,7 +66,6 @@ in
      package = pkgs.callPackage (fp /packages/cgit.nix) { };
      group = "gickup";
      scanPath = "${cfg.dataDir}/linktree";
      gitHttpBackend.checkExportOkFiles = false;
      settings = {
        enable-commit-graph = true;
        enable-follow-links = true;
--- a/hosts/bicep/services/matrix/coturn.nix
+++ b/hosts/bicep/services/matrix/coturn.nix
@@ -1,6 +1,13 @@
 { config, lib, fp, pkgs, secrets, values, ... }:
 {
  sops.secrets."matrix/synapse/turnconfig" = {
    sopsFile = fp /secrets/bicep/matrix.yaml;
    key = "synapse/turnconfig";
    owner = config.users.users.matrix-synapse.name;
    group = config.users.users.matrix-synapse.group;
    restartUnits = [ "coturn.service" ];
  };
  sops.secrets."matrix/coturn/static-auth-secret" = {
    sopsFile = fp /secrets/bicep/matrix.yaml;
    key = "coturn/static-auth-secret";
@@ -9,18 +16,9 @@
    restartUnits = [ "coturn.service" ];
  };
  sops.templates."matrix-synapse-turnconfig" = {
    owner = config.users.users.matrix-synapse.name;
    group = config.users.users.matrix-synapse.group;
    content = ''
      turn_shared_secret: ${config.sops.placeholder."matrix/coturn/static-auth-secret"}
    '';
    restartUnits = [ "matrix-synapse.target" ];
  };
  services.matrix-synapse-next = {
    extraConfigFiles = [
-      config.sops.templates."matrix-synapse-turnconfig".path
+      config.sops.secrets."matrix/synapse/turnconfig".path
    ];
    settings = {
--- a/hosts/bicep/services/matrix/default.nix
+++ b/hosts/bicep/services/matrix/default.nix
@@ -1,17 +1,19 @@
 { config, ... }:
 {
  imports = [
    ./synapse-admin.nix
    ./synapse-auto-compressor.nix
    ./synapse.nix
    ./synapse-admin.nix
    ./element.nix
    ./coturn.nix
    ./livekit.nix
    ./mjolnir.nix
    ./well-known.nix
    # ./discord.nix
    ./out-of-your-element.nix
    ./hookshot
  ];
 }
--- a/hosts/bicep/services/matrix/element.nix
+++ b/hosts/bicep/services/matrix/element.nix
@@ -2,13 +2,6 @@
 let
  synapse-cfg = config.services.matrix-synapse-next;
 in {
  services.pvv-matrix-well-known.client = {
    "m.homeserver" = {
      base_url = "https://matrix.pvv.ntnu.no";
      server_name = "pvv.ntnu.no";
    };
  };
  services.nginx.virtualHosts."chat.pvv.ntnu.no" = {
    enableACME = true;
    forceSSL = true;
@@ -16,10 +9,10 @@ in {
    root = pkgs.element-web.override {
      conf = {
-        # Tries to look up well-known first, else uses bundled config.
+        default_server_config."m.homeserver" = {
-        default_server_name = "matrix.pvv.ntnu.no";
+          base_url = "https://matrix.pvv.ntnu.no";
-        default_server_config = config.services.pvv-matrix-well-known.client;
+          server_name = "pvv.ntnu.no";
-
+        };
        disable_3pid_login = true;
 #        integrations_ui_url = "https://dimension.dodsorf.as/riot";
 #        integrations_rest_url = "https://dimension.dodsorf.as/api/v1/scalar";
@@ -37,7 +30,6 @@ in {
          # element call group calls
          feature_group_calls = true;
        };
        default_country_code = "NO";
        default_theme = "dark";
        # Servers in this list should provide some sort of valuable scoping
        # matrix.org is not useful compared to matrixrooms.info,
--- a/hosts/bicep/services/matrix/hookshot/default.nix
+++ b/hosts/bicep/services/matrix/hookshot/default.nix
@@ -14,10 +14,6 @@ in
    sopsFile = fp /secrets/bicep/matrix.yaml;
    key = "hookshot/hs_token";
  };
  sops.secrets."matrix/hookshot/passkey" = {
    sopsFile = fp /secrets/bicep/matrix.yaml;
    key = "hookshot/passkey";
  };
  sops.templates."hookshot-registration.yaml" = {
    owner = config.users.users.matrix-synapse.name;
@@ -48,14 +44,9 @@ in
  };
  systemd.services.matrix-hookshot = {
-    serviceConfig = {
+    serviceConfig.SupplementaryGroups = [
-      SupplementaryGroups = [
+      config.users.groups.keys-matrix-registrations.name
-        config.users.groups.keys-matrix-registrations.name
+    ];
      ];
      LoadCredential = [
        "passkey.pem:${config.sops.secrets."matrix/hookshot/passkey".path}"
      ];
    };
  };
  services.matrix-hookshot = {
@@ -63,8 +54,6 @@ in
    package = unstablePkgs.matrix-hookshot;
    registrationFile = config.sops.templates."hookshot-registration.yaml".path;
    settings = {
      passFile = "/run/credentials/matrix-hookshot.service/passkey.pem";
      bridge = {
        bindAddress = "127.0.0.1";
        domain = "pvv.ntnu.no";
@@ -72,7 +61,6 @@ in
        mediaUrl = "https://matrix.pvv.ntnu.no";
        port = 9993;
      };
      listeners = [
        {
          bindAddress = webhookListenAddress;
@@ -85,7 +73,6 @@ in
          ];
        }
      ];
      generic = {
        enabled = true;
        outbound = true;
--- a/hosts/bicep/services/matrix/livekit.nix
+++ b/hosts/bicep/services/matrix/livekit.nix
@@ -1,67 +0,0 @@
 { config, lib, fp, ... }:
 let
  synapseConfig = config.services.matrix-synapse-next;
  matrixDomain = "matrix.pvv.ntnu.no";
  cfg = config.services.livekit;
 in
 {
  sops.secrets."matrix/livekit/keyfile/lk-jwt-service" = {
    sopsFile = fp /secrets/bicep/matrix.yaml;
    key = "livekit/keyfile/lk-jwt-service";
  };
  sops.templates."matrix-livekit-keyfile" = {
    restartUnits = [
      "livekit.service"
      "lk-jwt-service.service"
    ];
    content = ''
      lk-jwt-service: ${config.sops.placeholder."matrix/livekit/keyfile/lk-jwt-service"}
    '';
  };
  services.pvv-matrix-well-known.client = lib.mkIf cfg.enable {
    "org.matrix.msc4143.rtc_foci" = [{
      type = "livekit";
      livekit_service_url = "https://${matrixDomain}/livekit/jwt";
    }];
  };
  services.livekit = {
    enable = true;
    openFirewall = true;
    keyFile = config.sops.templates."matrix-livekit-keyfile".path;
    # NOTE: needed for ingress/egress workers
    # redis.createLocally = true;
    # settings.room.auto_create = false;
  };
  services.lk-jwt-service = lib.mkIf cfg.enable {
    enable = true;
    livekitUrl = "wss://${matrixDomain}/livekit/sfu";
    keyFile = config.sops.templates."matrix-livekit-keyfile".path;
  };
  systemd.services.lk-jwt-service.environment.LIVEKIT_FULL_ACCESS_HOMESERVERS = lib.mkIf cfg.enable (builtins.concatStringsSep "," [ "pvv.ntnu.no" "dodsorf.as" ]);
  services.nginx.virtualHosts.${matrixDomain} = lib.mkIf cfg.enable {
    locations."^~ /livekit/jwt/" = {
      proxyPass = "http://localhost:${toString config.services.lk-jwt-service.port}/";
    };
    # TODO: load balance to multiple livekit ingress/egress workers
    locations."^~ /livekit/sfu/" = {
      proxyPass = "http://localhost:${toString config.services.livekit.settings.port}/";
      proxyWebsockets = true;
      extraConfig = ''
        proxy_send_timeout 120;
        proxy_read_timeout 120;
        proxy_buffering off;
        proxy_set_header Accept-Encoding gzip;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
      '';
    };
  };
 }
--- a/hosts/bicep/services/matrix/out-of-your-element.nix
+++ b/hosts/bicep/services/matrix/out-of-your-element.nix
@@ -1,4 +1,4 @@
-{ config, pkgs, lib, values, fp, ... }:
+{ config, pkgs, fp, ... }:
 let
  cfg = config.services.matrix-ooye;
 in
@@ -28,23 +28,6 @@ in
    };
  };
  services.rsync-pull-targets = lib.mkIf cfg.enable {
    enable = true;
    locations."/var/lib/private/matrix-ooye" = {
      user = "root";
      rrsyncArgs.ro = true;
      authorizedKeysAttrs = [
        "restrict"
        "from=\"principal.pvv.ntnu.no,${values.hosts.principal.ipv6},${values.hosts.principal.ipv4}\""
        "no-agent-forwarding"
        "no-port-forwarding"
        "no-pty"
        "no-X11-forwarding"
      ];
      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE5koYfor5+kKB30Dugj3dAWvmj8h/akQQ2XYDvLobFL matrix_ooye rsync backup";
    };
  };
  services.matrix-ooye = {
    enable = true;
    homeserver = "https://matrix.pvv.ntnu.no";
--- a/hosts/bicep/services/matrix/synapse-auto-compressor.nix
+++ b/hosts/bicep/services/matrix/synapse-auto-compressor.nix
@@ -1,56 +0,0 @@
 { config, lib, utils, ... }:
 let
  cfg = config.services.synapse-auto-compressor;
 in
 {
  services.synapse-auto-compressor = {
    # enable = true;
    postgresUrl = "postgresql://matrix-synapse@/synapse?host=/run/postgresql";
  };
  # NOTE: nixpkgs has some broken asserts, vendored the entire unit
  systemd.services.synapse-auto-compressor = {
    description = "synapse-auto-compressor";
    requires = [
      "postgresql.target"
    ];
    inherit (cfg) startAt;
    serviceConfig = {
      Type = "oneshot";
      DynamicUser = true;
      User = "matrix-synapse";
      PrivateTmp = true;
      ExecStart = utils.escapeSystemdExecArgs [
        "${cfg.package}/bin/synapse_auto_compressor"
        "-p"
        cfg.postgresUrl
        "-c"
        cfg.settings.chunk_size
        "-n"
        cfg.settings.chunks_to_compress
        "-l"
        (lib.concatStringsSep "," (map toString cfg.settings.levels))
      ];
      LockPersonality = true;
      MemoryDenyWriteExecute = true;
      NoNewPrivileges = true;
      PrivateDevices = true;
      PrivateMounts = true;
      PrivateUsers = true;
      RemoveIPC = true;
      RestrictNamespaces = true;
      RestrictRealtime = true;
      RestrictSUIDSGID = true;
      ProcSubset = "pid";
      ProtectProc = "invisible";
      ProtectSystem = "strict";
      ProtectHome = true;
      ProtectHostname = true;
      ProtectClock = true;
      ProtectKernelTunables = true;
      ProtectKernelModules = true;
      ProtectKernelLogs = true;
      ProtectControlGroups = true;
    };
  };
 }
--- a/hosts/bicep/services/matrix/synapse.nix
+++ b/hosts/bicep/services/matrix/synapse.nix
@@ -15,33 +15,11 @@ in {
    group = config.users.users.matrix-synapse.group;
  };
-  sops.secrets."matrix/synapse/user_registration/registration_shared_secret" = {
+  sops.secrets."matrix/synapse/user_registration" = {
    sopsFile = fp /secrets/bicep/matrix.yaml;
-    key = "synapse/user_registration/registration_shared_secret";
+    key = "synapse/signing_key";
  };
  sops.templates."matrix-synapse-user-registration" = {
    owner = config.users.users.matrix-synapse.name;
    group = config.users.users.matrix-synapse.group;
    content = ''
      registration_shared_secret: ${config.sops.placeholder."matrix/synapse/user_registration/registration_shared_secret"}
    '';
  };
  services.rsync-pull-targets = {
    enable = true;
    locations.${cfg.settings.media_store_path} = {
      user = "root";
      rrsyncArgs.ro = true;
      authorizedKeysAttrs = [
        "restrict"
        "from=\"principal.pvv.ntnu.no,${values.hosts.principal.ipv6},${values.hosts.principal.ipv4}\""
        "no-agent-forwarding"
        "no-port-forwarding"
        "no-pty"
        "no-X11-forwarding"
      ];
      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIASnjI9b3j4ZS3BL/D1ggHfws1BkE8iS0v0cGpEmbG+k matrix_media_store rsync backup";
    };
  };
  services.matrix-synapse-next = {
@@ -105,7 +83,7 @@ in {
      mau_stats_only = true;
      enable_registration = false;
-      registration_shared_secret_path = config.sops.templates."matrix-synapse-user-registration".path;
+      registration_shared_secret_path = config.sops.secrets."matrix/synapse/user_registration".path;
      password_config.enabled = true;
@@ -117,32 +95,6 @@ in {
        }
      ];
      experimental_features = {
        # MSC3266: Room summary API. Used for knocking over federation
        msc3266_enabled = true;
        # MSC4222 needed for syncv2 state_after. This allow clients to
        # correctly track the state of the room.
        msc4222_enabled = true;
      };
      # The maximum allowed duration by which sent events can be delayed, as
      # per MSC4140.
      max_event_delay_duration = "24h";
      rc_message = {
        # This needs to match at least e2ee key sharing frequency plus a bit of headroom
        # Note key sharing events are bursty
        per_second = 0.5;
        burst_count = 30;
      };
      rc_delayed_event_mgmt = {
        # This needs to match at least the heart-beat frequency plus a bit of headroom
        # Currently the heart-beat is every 5 seconds which translates into a rate of 0.2s
        per_second = 1;
        burst_count = 20;
      };
      trusted_key_servers = [
        { server_name = "matrix.org"; }
        { server_name = "dodsorf.as"; }
@@ -180,12 +132,21 @@ in {
  services.redis.servers."".enable = true;
  services.pvv-matrix-well-known.server."m.server" = "matrix.pvv.ntnu.no:443";
  services.nginx.virtualHosts."matrix.pvv.ntnu.no" = lib.mkMerge [
  {
    kTLS = true;
  }
  {
    locations."/.well-known/matrix/server" = {
      return = ''
        200 '{"m.server": "matrix.pvv.ntnu.no:443"}'
      '';
      extraConfig = ''
        default_type application/json;
        add_header Access-Control-Allow-Origin *;
      '';
    };
  }
  {
    locations."/_synapse/admin" = {
      proxyPass = "http://$synapse_backend";
--- a/hosts/bicep/services/matrix/well-known.nix
+++ b/hosts/bicep/services/matrix/well-known.nix
@@ -1,44 +0,0 @@
 { config, pkgs, lib, ... }:
 let
  cfg = config.services.pvv-matrix-well-known;
  format = pkgs.formats.json { };
  matrixDomain = "matrix.pvv.ntnu.no";
 in
 {
  options.services.pvv-matrix-well-known = {
    client = lib.mkOption {
      type = lib.types.submodule { freeformType = format.type; };
      default = { };
      example = {
        "m.homeserver".base_url = "https://${matrixDomain}/";
      };
    };
    server = lib.mkOption {
      type = lib.types.submodule { freeformType = format.type; };
      default = { };
      example = {
        "m.server" = "https://${matrixDomain}/";
      };
    };
  };
  config = {
    services.nginx.virtualHosts.${matrixDomain} = {
      locations."= /.well-known/matrix/client" = lib.mkIf (cfg.client != { }) {
        alias = format.generate "nginx-well-known-matrix-server.json" cfg.client;
        extraConfig = ''
          default_type application/json;
          add_header Access-Control-Allow-Origin *;
        '';
      };
      locations."= /.well-known/matrix/server" = lib.mkIf (cfg.server != { }) {
        alias = format.generate "nginx-well-known-matrix-server.json" cfg.server;
        extraConfig = ''
          default_type application/json;
          add_header Access-Control-Allow-Origin *;
        '';
      };
    };
  };
 }
--- a/hosts/bicep/services/minecraft-heatmap.nix
+++ b/hosts/bicep/services/minecraft-heatmap.nix
@@ -22,7 +22,7 @@ in
    };
  };
-  systemd.services.minecraft-heatmap-ingest-logs = lib.mkIf cfg.enable {
+  systemd.services.minecraft-heatmap-ingest-logs = {
    serviceConfig.LoadCredential = [
      "sshkey:${config.sops.secrets."minecraft-heatmap/ssh-key/private".path}"
    ];
--- a/hosts/bicep/services/mysql/default.nix
+++ b/hosts/bicep/services/mysql/default.nix
@@ -1,11 +1,5 @@
-{ config, pkgs, lib, values, ... }:
+{ pkgs, lib, config, values, ... }:
 let
  cfg = config.services.mysql;
  dataDir = "/data/mysql";
 in
 {
  imports = [ ./backup.nix ];
  sops.secrets."mysql/password" = {
    owner = "mysql";
    group = "mysql";
@@ -15,7 +9,8 @@ in
  services.mysql = {
    enable = true;
-    package = pkgs.mariadb_118;
+    dataDir = "/data/mysql";
    package = pkgs.mariadb;
    settings = {
      mysqld = {
        # PVV allows a lot of connections at the same time
@@ -26,9 +21,6 @@ in
        # This was needed in order to be able to use all of the old users
        # during migration from knakelibrak to bicep in Sep. 2023
        secure_auth = 0;
        slow-query-log = 1;
        slow-query-log-file = "/var/log/mysql/mysql-slow.log";
      };
    };
@@ -44,31 +36,20 @@ in
    }];
  };
-  networking.firewall.allowedTCPPorts = lib.mkIf cfg.enable [ 3306 ];
+  services.mysqlBackup = {
-
+    enable = true;
-  systemd.tmpfiles.settings."10-mysql".${dataDir}.d = lib.mkIf cfg.enable {
+    location = "/var/lib/mysql/backups";
    inherit (cfg) user group;
    mode = "0700";
  };
-  systemd.services.mysql = lib.mkIf cfg.enable {
+  networking.firewall.allowedTCPPorts = [ 3306 ];
-    after = [
+
-      "systemd-tmpfiles-setup.service"
+  systemd.services.mysql.serviceConfig = {
-      "systemd-tmpfiles-resetup.service"
+    IPAddressDeny = "any";
    IPAddressAllow = [
      values.ipv4-space
      values.ipv6-space
      values.hosts.ildkule.ipv4
      values.hosts.ildkule.ipv6
    ];
    serviceConfig = {
      BindPaths = [ "${dataDir}:${cfg.dataDir}" ];
      LogsDirectory = "mysql";
      IPAddressDeny = "any";
      IPAddressAllow = [
        values.ipv4-space
        values.ipv6-space
        values.hosts.ildkule.ipv4
        values.hosts.ildkule.ipv6
      ];
    };
  };
 }
--- a/hosts/bicep/services/mysql/backup.nix
+++ b/hosts/bicep/services/mysql/backup.nix
@@ -1,83 +0,0 @@
 { config, lib, pkgs, values, ... }:
 let
  cfg = config.services.mysql;
  backupDir = "/data/mysql-backups";
 in
 {
  # services.mysqlBackup = lib.mkIf cfg.enable {
  #   enable = true;
  #   location = "/var/lib/mysql-backups";
  # };
  systemd.tmpfiles.settings."10-mysql-backups".${backupDir}.d = {
 	  user = "mysql";
 	  group = "mysql";
 	  mode = "700";
 	};
  services.rsync-pull-targets = lib.mkIf cfg.enable {
    enable = true;
    locations.${backupDir} = {
      user = "root";
      rrsyncArgs.ro = true;
      authorizedKeysAttrs = [
        "restrict"
        "from=\"principal.pvv.ntnu.no,${values.hosts.principal.ipv6},${values.hosts.principal.ipv4}\""
        "no-agent-forwarding"
        "no-port-forwarding"
        "no-pty"
        "no-X11-forwarding"
      ];
      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJgj55/7Cnj4cYMJ5sIkl+OwcGeBe039kXJTOf2wvo9j mysql rsync backup";
    };
  };
  # NOTE: instead of having the upstream nixpkgs postgres backup unit trigger
  #       another unit, it was easier to just make one ourselves.
  systemd.services."backup-mysql" = lib.mkIf cfg.enable {
    description = "Backup MySQL data";
    requires = [ "mysql.service" ];
    path = with pkgs; [
      cfg.package
      coreutils
      zstd
    ];
    script = let
      rotations = 2;
    in ''
      set -euo pipefail
      OUT_FILE="$STATE_DIRECTORY/mysql-dump-$(date --iso-8601).sql.zst"
      mysqldump --all-databases | zstd --compress -9 --rsyncable -o "$OUT_FILE"
      # NOTE: this needs to be a hardlink for rrsync to allow sending it
      rm "$STATE_DIRECTORY/mysql-dump-latest.sql.zst" ||:
      ln -T "$OUT_FILE" "$STATE_DIRECTORY/mysql-dump-latest.sql.zst"
      while [ "$(find "$STATE_DIRECTORY" -type f -printf '.' | wc -c)" -gt ${toString (rotations + 1)} ]; do
        rm "$(find "$STATE_DIRECTORY" -type f -printf '%T+ %p\n' | sort | head -n 1 | cut -d' ' -f2)"
      done
    '';
    serviceConfig = {
      Type = "oneshot";
      User = "mysql";
      Group = "mysql";
      UMask = "0077";
      Nice = 19;
      IOSchedulingClass = "best-effort";
      IOSchedulingPriority = 7;
      StateDirectory = [ "mysql-backups" ];
      BindPaths = [ "${backupDir}:/var/lib/mysql-backups" ];
      # TODO: hardening
    };
    startAt = "*-*-* 02:15:00";
  };
 }
--- a/hosts/bicep/services/postgresql/default.nix
+++ b/hosts/bicep/services/postgresql/default.nix
@@ -1,13 +1,8 @@
-{ config, lib, pkgs, values, ... }:
+{ config, pkgs, values, ... }:
 let
  cfg = config.services.postgresql;
 in
 {
  imports = [ ./backup.nix ];
  services.postgresql = {
    enable = true;
-    package = pkgs.postgresql_18;
+    package = pkgs.postgresql_15;
    enableTCPIP = true;
    authentication = ''
@@ -79,13 +74,13 @@ in
    };
  };
-  systemd.tmpfiles.settings."10-postgresql"."/data/postgresql".d = lib.mkIf cfg.enable {
+  systemd.tmpfiles.settings."10-postgresql"."/data/postgresql".d = {
    user = config.systemd.services.postgresql.serviceConfig.User;
    group = config.systemd.services.postgresql.serviceConfig.Group;
    mode = "0700";
  };
-  systemd.services.postgresql-setup = lib.mkIf cfg.enable {
+  systemd.services.postgresql-setup = {
    after = [
      "systemd-tmpfiles-setup.service"
      "systemd-tmpfiles-resetup.service"
@@ -100,7 +95,7 @@ in
    };
  };
-  systemd.services.postgresql = lib.mkIf cfg.enable {
+  systemd.services.postgresql = {
    after = [
      "systemd-tmpfiles-setup.service"
      "systemd-tmpfiles-resetup.service"
@@ -115,12 +110,18 @@ in
    };
  };
-  environment.snakeoil-certs."/etc/certs/postgres" = lib.mkIf cfg.enable {
+  environment.snakeoil-certs."/etc/certs/postgres" = {
    owner = "postgres";
    group = "postgres";
    subject = "/C=NO/O=Programvareverkstedet/CN=postgres.pvv.ntnu.no/emailAddress=drift@pvv.ntnu.no";
  };
-  networking.firewall.allowedTCPPorts = lib.mkIf cfg.enable [ 5432 ];
+  networking.firewall.allowedTCPPorts = [ 5432 ];
-  networking.firewall.allowedUDPPorts = lib.mkIf cfg.enable [ 5432 ];
+  networking.firewall.allowedUDPPorts = [ 5432 ];
  services.postgresqlBackup = {
    enable = true;
    location = "/var/lib/postgres/backups";
    backupAll = true;
  };
 }
--- a/hosts/bicep/services/postgresql/backup.nix
+++ b/hosts/bicep/services/postgresql/backup.nix
@@ -1,84 +0,0 @@
 { config, lib, pkgs, values, ... }:
 let
  cfg = config.services.postgresql;
  backupDir = "/data/postgresql-backups";
 in
 {
  # services.postgresqlBackup = lib.mkIf cfg.enable {
  #   enable = true;
  #   location = "/var/lib/postgresql-backups";
  #   backupAll = true;
  # };
  systemd.tmpfiles.settings."10-postgresql-backups".${backupDir}.d = {
 	  user = "postgres";
 	  group = "postgres";
 	  mode = "700";
 	};
  services.rsync-pull-targets = lib.mkIf cfg.enable {
    enable = true;
    locations.${backupDir} = {
      user = "root";
      rrsyncArgs.ro = true;
      authorizedKeysAttrs = [
        "restrict"
        "from=\"principal.pvv.ntnu.no,${values.hosts.principal.ipv6},${values.hosts.principal.ipv4}\""
        "no-agent-forwarding"
        "no-port-forwarding"
        "no-pty"
        "no-X11-forwarding"
      ];
      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGvO7QX7QmwSiGLXEsaxPIOpAqnJP3M+qqQRe5dzf8gJ postgresql rsync backup";
    };
  };
  # NOTE: instead of having the upstream nixpkgs postgres backup unit trigger
  #       another unit, it was easier to just make one ourselves
  systemd.services."backup-postgresql" = {
    description = "Backup PostgreSQL data";
    requires = [ "postgresql.service" ];
    path = with pkgs; [
      coreutils
      zstd
      cfg.package
    ];
    script = let
      rotations = 2;
    in ''
      set -euo pipefail
      OUT_FILE="$STATE_DIRECTORY/postgresql-dump-$(date --iso-8601).sql.zst"
      pg_dumpall -U postgres | zstd --compress -9 --rsyncable -o "$OUT_FILE"
      # NOTE: this needs to be a hardlink for rrsync to allow sending it
      rm "$STATE_DIRECTORY/postgresql-dump-latest.sql.zst" ||:
      ln -T "$OUT_FILE" "$STATE_DIRECTORY/postgresql-dump-latest.sql.zst"
      while [ "$(find "$STATE_DIRECTORY" -type f -printf '.' | wc -c)" -gt ${toString (rotations + 1)} ]; do
        rm "$(find "$STATE_DIRECTORY" -type f -printf '%T+ %p\n' | sort | head -n 1 | cut -d' ' -f2)"
      done
    '';
    serviceConfig = {
      Type = "oneshot";
      User = "postgres";
      Group = "postgres";
      UMask = "0077";
      Nice = 19;
      IOSchedulingClass = "best-effort";
      IOSchedulingPriority = 7;
      StateDirectory = [ "postgresql-backups" ];
      BindPaths = [ "${backupDir}:/var/lib/postgresql-backups" ];
      # TODO: hardening
    };
    startAt = "*-*-* 01:15:00";
  };
 }
--- a/hosts/bikkje/configuration.nix
+++ b/hosts/bikkje/configuration.nix
@@ -1,6 +1,6 @@
 { config, pkgs, values, ... }:
 {
-  networking.nat = {
+    networking.nat = {
    enable = true;
    internalInterfaces = ["ve-+"];
    externalInterface = "ens3";
@@ -25,7 +25,6 @@
      ];
      networking = {
        hostName = "bikkje";
        firewall = {
          enable = true;
          # Allow SSH and HTTP and ports for email and irc
@@ -37,11 +36,9 @@
        useHostResolvConf = mkForce false;
      };
      services.resolved.enable = true;
      # Don't change (even during upgrades) unless you know what you are doing.
      # See https://search.nixos.org/options?show=system.stateVersion
      system.stateVersion = "23.11";
      services.resolved.enable = true;
    };
  };
 };
--- a/hosts/brzeczyszczykiewicz/configuration.nix
+++ b/hosts/brzeczyszczykiewicz/configuration.nix
@@ -8,14 +8,28 @@
      ./services/grzegorz.nix
    ];
  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;
  networking.hostName = "brzeczyszczykiewicz";
  systemd.network.networks."30-eno1" = values.defaultNetworkConfig // {
    matchConfig.Name = "eno1";
    address = with values.hosts.brzeczyszczykiewicz; [ (ipv4 + "/25") (ipv6 + "/64") ];
  };
-  fonts.fontconfig.enable = true;
+  # List packages installed in system profile
  environment.systemPackages = with pkgs; [
  ];
  # List services that you want to enable:
  # This value determines the NixOS release from which the default
  # settings for stateful data, like file locations and database versions
  # on your system were taken. It‘s perfectly fine and recommended to leave
  # this value at the release version of the first install of this system.
  # Before changing this value read the documentation for this option
  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
  system.stateVersion = "23.05"; # Did you read the comment?
  # Don't change (even during upgrades) unless you know what you are doing.
  # See https://search.nixos.org/options?show=system.stateVersion
  system.stateVersion = "25.11";
 }
--- a/hosts/brzeczyszczykiewicz/hardware-configuration.nix
+++ b/hosts/brzeczyszczykiewicz/hardware-configuration.nix
@@ -1,4 +1,4 @@
-# Do not modify this file!  It was generated by 'nixos-generate-config'
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 { config, lib, pkgs, modulesPath, ... }:
--- a/hosts/georg/configuration.nix
+++ b/hosts/georg/configuration.nix
@@ -8,11 +8,24 @@
      (fp /modules/grzegorz.nix)
    ];
  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;
  networking.hostName = "georg";
  systemd.network.networks."30-eno1" = values.defaultNetworkConfig // {
    matchConfig.Name = "eno1";
    address = with values.hosts.georg; [ (ipv4 + "/25") (ipv6 + "/64") ];
  };
  # List packages installed in system profile
  environment.systemPackages = with pkgs; [
  ];
  # List services that you want to enable:
  services.spotifyd = {
    enable = true;
    settings.global = {
@@ -28,9 +41,15 @@
    5353 # spotifyd is its own mDNS service wtf
  ];
  fonts.fontconfig.enable = true;
-  # Don't change (even during upgrades) unless you know what you are doing.
+
-  # See https://search.nixos.org/options?show=system.stateVersion
+
-  system.stateVersion = "25.11";
+  # This value determines the NixOS release from which the default
  # settings for stateful data, like file locations and database versions
  # on your system were taken. It‘s perfectly fine and recommended to leave
  # this value at the release version of the first install of this system.
  # Before changing this value read the documentation for this option
  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
  system.stateVersion = "23.05"; # Did you read the comment?
 }
--- a/hosts/georg/hardware-configuration.nix
+++ b/hosts/georg/hardware-configuration.nix
@@ -1,4 +1,4 @@
-# Do not modify this file!  It was generated by 'nixos-generate-config'
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 { config, lib, pkgs, modulesPath, ... }:
--- a/hosts/gluttony/configuration.nix
+++ b/hosts/gluttony/configuration.nix
@@ -1,60 +0,0 @@
 {
  fp,
  lib,
  values,
  ...
 }:
 {
  imports = [
    ./hardware-configuration.nix
    (fp /base)
  ];
  systemd.network.enable = lib.mkForce false;
  boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
  boot.loader = {
    systemd-boot.enable = false; # no uefi support on this device
    grub.device = "/dev/sda";
    grub.enable = true;
  };
  boot.tmp.cleanOnBoot = true;
  networking =
    let
      hostConf = values.hosts.gluttony;
    in
    {
      tempAddresses = "disabled";
      useDHCP = false;
      search = values.defaultNetworkConfig.domains;
      nameservers = values.defaultNetworkConfig.dns;
      defaultGateway.address = hostConf.ipv4_internal_gw;
      interfaces."ens3" = {
        ipv4.addresses = [
          {
            address = hostConf.ipv4;
            prefixLength = 32;
          }
          {
            address = hostConf.ipv4_internal;
            prefixLength = 24;
          }
        ];
        ipv6.addresses = [
          {
            address = hostConf.ipv6;
            prefixLength = 64;
          }
        ];
      };
    };
  services.qemuGuest.enable = true;
  # Don't change (even during upgrades) unless you know what you are doing.
  # See https://search.nixos.org/options?show=system.stateVersion
  system.stateVersion = "25.11";
 }
--- a/hosts/gluttony/hardware-configuration.nix
+++ b/hosts/gluttony/hardware-configuration.nix
@@ -1,50 +0,0 @@
 # Do not modify this file!  It was generated by 'nixos-generate-config'
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 {
  config,
  lib,
  pkgs,
  modulesPath,
  ...
 }:
 {
  imports = [
    (modulesPath + "/profiles/qemu-guest.nix")
  ];
  boot.initrd.availableKernelModules = [
    "ata_piix"
    "uhci_hcd"
    "virtio_pci"
    "virtio_scsi"
    "sd_mod"
  ];
  boot.initrd.kernelModules = [ "dm-snapshot" ];
  boot.kernelModules = [ ];
  boot.extraModulePackages = [ ];
  fileSystems."/" = {
    device = "/dev/mapper/pool-root";
    fsType = "ext4";
  };
  fileSystems."/boot" = {
    device = "/dev/disk/by-uuid/933A-3005";
    fsType = "vfat";
    options = [
      "fmask=0077"
      "dmask=0077"
    ];
  };
  swapDevices = [
    {
      device = "/var/lib/swapfile";
      size = 8 * 1024;
    }
  ];
  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
 }
--- a/hosts/ildkule/configuration.nix
+++ b/hosts/ildkule/configuration.nix
@@ -7,10 +7,13 @@
      ./services/monitoring
      ./services/nginx
      ./services/journald-remote.nix
    ];
-  boot.loader.systemd-boot.enable = false;
+  sops.defaultSopsFile = fp /secrets/ildkule/ildkule.yaml;
  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
  sops.age.keyFile = "/var/lib/sops-nix/key.txt";
  sops.age.generateKey = true;
  boot.loader.grub.device = "/dev/vda";
  boot.tmp.cleanOnBoot = true;
  zramSwap.enable = true;
@@ -20,6 +23,7 @@
  networking = let
    hostConf = values.hosts.ildkule;
  in {
    hostName = "ildkule";
    tempAddresses = "disabled";
    useDHCP = lib.mkForce true;
@@ -38,9 +42,13 @@
    };
  };
-  services.qemuGuest.enable = true;
+  # List packages installed in system profile
  environment.systemPackages = with pkgs; [
  ];
  # No devices with SMART
  services.smartd.enable = false;
  system.stateVersion = "23.11"; # Did you read the comment?
  # Don't change (even during upgrades) unless you know what you are doing.
  # See https://search.nixos.org/options?show=system.stateVersion
  system.stateVersion = "23.11";
 }
--- a/hosts/ildkule/services/journald-remote.nix
+++ b/hosts/ildkule/services/journald-remote.nix
@@ -1,58 +0,0 @@
 { config, lib, values, ... }:
 let
  cfg = config.services.journald.remote;
  domainName = "journald.pvv.ntnu.no";
 in
 {
  security.acme.certs.${domainName} = {
    webroot = "/var/lib/acme/acme-challenge/";
    group = config.services.nginx.group;
  };
  services.nginx = {
    enable = true;
    virtualHosts.${domainName} = {
      forceSSL = true;
      useACMEHost = "${domainName}";
      locations."/.well-known/".root = "/var/lib/acme/acme-challenge/";
    };
  };
  services.journald.upload.enable = lib.mkForce false;
  services.journald.remote = {
    enable = true;
    settings.Remote = let
      inherit (config.security.acme.certs.${domainName}) directory;
    in {
      ServerKeyFile = "/run/credentials/systemd-journal-remote.service/key.pem";
      ServerCertificateFile = "/run/credentials/systemd-journal-remote.service/cert.pem";
      TrustedCertificateFile = "-";
    };
  };
  systemd.sockets."systemd-journal-remote" = {
    socketConfig = {
      IPAddressDeny = "any";
      IPAddressAllow = [
        "127.0.0.1"
        "::1"
        values.ipv4-space
        values.ipv6-space
      ];
    };
  };
  networking.firewall.allowedTCPPorts = [ cfg.port ];
  systemd.services."systemd-journal-remote" = {
    serviceConfig = {
      LoadCredential = let
        inherit (config.security.acme.certs.${domainName}) directory;
      in [
        "key.pem:${directory}/key.pem"
        "cert.pem:${directory}/cert.pem"
      ];
    };
  };
 }
--- a/hosts/ildkule/services/monitoring/dashboards/go-processes.json
+++ b/hosts/ildkule/services/monitoring/dashboards/go-processes.json
--- a/hosts/ildkule/services/monitoring/dashboards/mysql.json
+++ b/hosts/ildkule/services/monitoring/dashboards/mysql.json
@@ -13,7 +13,7 @@
    ]
  },
  "description": "",
-  "editable": false,
+  "editable": true,
  "gnetId": 11323,
  "graphTooltip": 1,
  "id": 31,
@@ -3690,7 +3690,7 @@
        },
        "hide": 0,
        "includeAll": false,
-        "label": "Data source",
+        "label": "Data Source",
        "multi": false,
        "name": "datasource",
        "options": [],
@@ -3713,12 +3713,12 @@
        "definition": "label_values(mysql_up, job)",
        "hide": 0,
        "includeAll": true,
-        "label": "Job",
+        "label": "job",
        "multi": true,
        "name": "job",
        "options": [],
        "query": "label_values(mysql_up, job)",
-        "refresh": 2,
+        "refresh": 1,
        "regex": "",
        "skipUrlSync": false,
        "sort": 0,
@@ -3742,12 +3742,12 @@
        "definition": "label_values(mysql_up, instance)",
        "hide": 0,
        "includeAll": true,
-        "label": "Instance",
+        "label": "instance",
        "multi": true,
        "name": "instance",
        "options": [],
        "query": "label_values(mysql_up, instance)",
-        "refresh": 2,
+        "refresh": 1,
        "regex": "",
        "skipUrlSync": false,
        "sort": 0,
--- a/hosts/ildkule/services/monitoring/dashboards/node-exporter-full.json
+++ b/hosts/ildkule/services/monitoring/dashboards/node-exporter-full.json
--- a/hosts/ildkule/services/monitoring/dashboards/postgres.json
+++ b/hosts/ildkule/services/monitoring/dashboards/postgres.json
@@ -328,7 +328,7 @@
        "rgba(50, 172, 45, 0.97)"
      ],
      "datasource": "${DS_PROMETHEUS}",
-      "format": "short",
+      "format": "decbytes",
      "gauge": {
        "maxValue": 100,
        "minValue": 0,
@@ -411,7 +411,7 @@
        "rgba(50, 172, 45, 0.97)"
      ],
      "datasource": "${DS_PROMETHEUS}",
-      "format": "short",
+      "format": "decbytes",
      "gauge": {
        "maxValue": 100,
        "minValue": 0,
@@ -1410,7 +1410,7 @@
      "tableColumn": "",
      "targets": [
        {
-          "expr": "pg_settings_seq_page_cost{instance=\"$instance\"}",
+          "expr": "pg_settings_seq_page_cost",
          "format": "time_series",
          "intervalFactor": 1,
          "refId": "A"
@@ -1872,7 +1872,7 @@
      },
      "yaxes": [
        {
-          "format": "short",
+          "format": "bytes",
          "label": null,
          "logBase": 1,
          "max": null,
@@ -1966,7 +1966,7 @@
      },
      "yaxes": [
        {
-          "format": "short",
+          "format": "bytes",
          "label": null,
          "logBase": 1,
          "max": null,
@@ -2060,7 +2060,7 @@
      },
      "yaxes": [
        {
-          "format": "short",
+          "format": "bytes",
          "label": null,
          "logBase": 1,
          "max": null,
@@ -2251,7 +2251,7 @@
      },
      "yaxes": [
        {
-          "format": "short",
+          "format": "bytes",
          "label": null,
          "logBase": 1,
          "max": null,
@@ -2439,7 +2439,7 @@
      },
      "yaxes": [
        {
-          "format": "short",
+          "format": "bytes",
          "label": null,
          "logBase": 1,
          "max": null,
@@ -2589,35 +2589,35 @@
      "steppedLine": false,
      "targets": [
        {
-          "expr": "irate(pg_stat_bgwriter_buffers_backend_total{instance=\"$instance\"}[5m])",
+          "expr": "irate(pg_stat_bgwriter_buffers_backend{instance=\"$instance\"}[5m])",
          "format": "time_series",
          "intervalFactor": 1,
          "legendFormat": "buffers_backend",
          "refId": "A"
        },
        {
-          "expr": "irate(pg_stat_bgwriter_buffers_alloc_total{instance=\"$instance\"}[5m])",
+          "expr": "irate(pg_stat_bgwriter_buffers_alloc{instance=\"$instance\"}[5m])",
          "format": "time_series",
          "intervalFactor": 1,
          "legendFormat": "buffers_alloc",
          "refId": "B"
        },
        {
-          "expr": "irate(pg_stat_bgwriter_buffers_backend_fsync_total{instance=\"$instance\"}[5m])",
+          "expr": "irate(pg_stat_bgwriter_buffers_backend_fsync{instance=\"$instance\"}[5m])",
          "format": "time_series",
          "intervalFactor": 1,
          "legendFormat": "backend_fsync",
          "refId": "C"
        },
        {
-          "expr": "irate(pg_stat_bgwriter_buffers_checkpoint_total{instance=\"$instance\"}[5m])",
+          "expr": "irate(pg_stat_bgwriter_buffers_checkpoint{instance=\"$instance\"}[5m])",
          "format": "time_series",
          "intervalFactor": 1,
          "legendFormat": "buffers_checkpoint",
          "refId": "D"
        },
        {
-          "expr": "irate(pg_stat_bgwriter_buffers_clean_total{instance=\"$instance\"}[5m])",
+          "expr": "irate(pg_stat_bgwriter_buffers_clean{instance=\"$instance\"}[5m])",
          "format": "time_series",
          "intervalFactor": 1,
          "legendFormat": "buffers_clean",
@@ -2886,14 +2886,14 @@
      "steppedLine": false,
      "targets": [
        {
-          "expr": "irate(pg_stat_bgwriter_checkpoint_write_time_total{instance=\"$instance\"}[5m])",
+          "expr": "irate(pg_stat_bgwriter_checkpoint_write_time{instance=\"$instance\"}[5m])",
          "format": "time_series",
          "intervalFactor": 1,
          "legendFormat": "write_time - Total amount of time that has been spent in the portion of checkpoint processing where files are written to disk.",
          "refId": "B"
        },
        {
-          "expr": "irate(pg_stat_bgwriter_checkpoint_sync_time_total{instance=\"$instance\"}[5m])",
+          "expr": "irate(pg_stat_bgwriter_checkpoint_sync_time{instance=\"$instance\"}[5m])",
          "format": "time_series",
          "intervalFactor": 1,
          "legendFormat": "sync_time - Total amount of time that has been spent in the portion of checkpoint processing where files are synchronized to disk.",
@@ -3164,4 +3164,4 @@
  "title": "PostgreSQL Database",
  "uid": "000000039",
  "version": 1
-}
+}
--- a/hosts/ildkule/services/monitoring/dashboards/synapse.json
+++ b/hosts/ildkule/services/monitoring/dashboards/synapse.json
--- a/hosts/ildkule/services/monitoring/grafana.nix
+++ b/hosts/ildkule/services/monitoring/grafana.nix
@@ -47,13 +47,13 @@ in {
        {
          name = "Node Exporter Full";
          type = "file";
-          url = "https://grafana.com/api/dashboards/1860/revisions/42/download";
+          url = "https://grafana.com/api/dashboards/1860/revisions/29/download";
          options.path = dashboards/node-exporter-full.json;
        }
        {
          name = "Matrix Synapse";
          type = "file";
-          url = "https://github.com/element-hq/synapse/raw/refs/heads/develop/contrib/grafana/synapse.json";
+          url = "https://raw.githubusercontent.com/matrix-org/synapse/develop/contrib/grafana/synapse.json";
          options.path = dashboards/synapse.json;
        }
        {
@@ -65,9 +65,15 @@ in {
        {
          name = "Postgresql";
          type = "file";
-          url = "https://grafana.com/api/dashboards/9628/revisions/8/download";
+          url = "https://grafana.com/api/dashboards/9628/revisions/7/download";
          options.path = dashboards/postgres.json;
        }
        {
          name = "Go Processes (gogs)";
          type = "file";
          url = "https://grafana.com/api/dashboards/240/revisions/3/download";
          options.path = dashboards/go-processes.json;
        }
        {
          name = "Gitea Dashboard";
          type = "file";
--- a/hosts/ildkule/services/monitoring/prometheus/machines.nix
+++ b/hosts/ildkule/services/monitoring/prometheus/machines.nix
@@ -19,18 +19,15 @@ in {
      (mkHostScrapeConfig "bicep" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
      (mkHostScrapeConfig "brzeczyszczykiewicz" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
      (mkHostScrapeConfig "georg" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
      (mkHostScrapeConfig "gluttony" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
      (mkHostScrapeConfig "kommode" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
      (mkHostScrapeConfig "lupine-1" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
      (mkHostScrapeConfig "lupine-2" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
      (mkHostScrapeConfig "lupine-3" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
      (mkHostScrapeConfig "lupine-4" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
      (mkHostScrapeConfig "lupine-5" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
      (mkHostScrapeConfig "temmie" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
      (mkHostScrapeConfig "ustetind" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
      (mkHostScrapeConfig "wenche" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
-      (mkHostScrapeConfig "skrott" [ defaultNodeExporterPort defaultSystemdExporterPort ])
+      (mkHostScrapeConfig "lupine-1" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
      # (mkHostScrapeConfig "lupine-2" [ defaultNodeExporterPort defaultSystemdExporterPort ])
      (mkHostScrapeConfig "lupine-3" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
      (mkHostScrapeConfig "lupine-4" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
      (mkHostScrapeConfig "lupine-5" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
      (mkHostScrapeConfig "hildring" [ defaultNodeExporterPort ])
      (mkHostScrapeConfig "isvegg" [ defaultNodeExporterPort ])
--- a/hosts/kommode/configuration.nix
+++ b/hosts/kommode/configuration.nix
@@ -4,12 +4,21 @@
    # Include the results of the hardware scan.
    ./hardware-configuration.nix
    (fp /base)
    ./disks.nix
    ./services/gitea
    ./services/nginx.nix
  ];
  sops.defaultSopsFile = fp /secrets/kommode/kommode.yaml;
  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
  sops.age.keyFile = "/var/lib/sops-nix/key.txt";
  sops.age.generateKey = true;
  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;
  networking.hostName = "kommode"; # Define your hostname.
  systemd.network.networks."30-ens18" = values.defaultNetworkConfig // {
    matchConfig.Name = "ens18";
    address = with values.hosts.kommode; [ (ipv4 + "/25") (ipv6 + "/64") ];
@@ -17,9 +26,7 @@
  services.btrfs.autoScrub.enable = true;
-  services.qemuGuest.enable = true;
+  environment.systemPackages = with pkgs; [];
  # Don't change (even during upgrades) unless you know what you are doing.
  # See https://search.nixos.org/options?show=system.stateVersion
  system.stateVersion = "24.11";
 }
--- a/hosts/kommode/disks.nix
+++ b/hosts/kommode/disks.nix
@@ -1,80 +0,0 @@
 { lib, ... }:
 {
  disko.devices = {
    disk = {
      sda = {
        type = "disk";
        device = "/dev/sda";
        content = {
          type = "gpt";
          partitions = {
            root = {
              name = "root";
              label = "root";
              start = "1MiB";
              end = "-5G";
              content = {
                type = "btrfs";
                extraArgs = [ "-f" ]; # Override existing partition
                # subvolumes = let
                #   makeSnapshottable = subvolPath: mountOptions: let
                #     name = lib.replaceString "/" "-" subvolPath;
                #   in {
                #     "@${name}/active" = {
                #       mountpoint = subvolPath;
                #       inherit mountOptions;
                #     };
                #     "@${name}/snapshots" = {
                #       mountpoint = "${subvolPath}/.snapshots";
                #       inherit mountOptions;
                #     };
                #   };
                # in {
                #   "@" = { };
                #   "@/swap" = {
                #     mountpoint = "/.swapvol";
                #     swap.swapfile.size = "4G";
                #   };
                #   "@/root" = {
                #     mountpoint = "/";
                #     mountOptions = [ "compress=zstd" "noatime" ];
                #   };
                # }
                # // (makeSnapshottable "/home" [ "compress=zstd" "noatime" ])
                # // (makeSnapshottable "/nix" [ "compress=zstd" "noatime" ])
                # // (makeSnapshottable "/var/lib" [ "compress=zstd" "noatime" ])
                # // (makeSnapshottable "/var/log" [ "compress=zstd" "noatime" ])
                # // (makeSnapshottable "/var/cache" [ "compress=zstd" "noatime" ]);
                # swap.swapfile.size = "4G";
                mountpoint = "/";
              };
            };
            swap = {
              name = "swap";
              label = "swap";
              start = "-5G";
              end = "-1G";
              content.type = "swap";
            };
            ESP = {
              name = "ESP";
              label = "ESP";
              start = "-1G";
              end = "100%";
              type = "EF00";
              content = {
                type = "filesystem";
                format = "vfat";
                mountpoint = "/boot";
                mountOptions = [ "umask=0077" ];
              };
            };
          };
        };
      };
    };
  };
 }
--- a/hosts/kommode/hardware-configuration.nix
+++ b/hosts/kommode/hardware-configuration.nix
@@ -1,4 +1,4 @@
-# Do not modify this file!  It was generated by 'nixos-generate-config'
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 { config, lib, pkgs, modulesPath, ... }:
@@ -13,6 +13,21 @@
  boot.kernelModules = [ ];
  boot.extraModulePackages = [ ];
  fileSystems."/" =
    { device = "/dev/disk/by-uuid/d421538f-a260-44ae-8e03-47cac369dcc1";
      fsType = "btrfs";
    };
  fileSystems."/boot" =
    { device = "/dev/disk/by-uuid/86CD-4C23";
      fsType = "vfat";
      options = [ "fmask=0077" "dmask=0077" ];
    };
  swapDevices =
    [ { device = "/dev/disk/by-uuid/4cfbb41e-801f-40dd-8c58-0a0c1a6025f6"; }
    ];
  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
  # (the default) this is the recommended approach. When using systemd-networkd it's
  # still possible to use this option, but it's recommended to use it in conjunction
--- a/hosts/kommode/services/gitea/customization/default.nix
+++ b/hosts/kommode/services/gitea/customization/default.nix
@@ -10,59 +10,6 @@ in
    catppuccin = pkgs.gitea-theme-catppuccin;
  };
  services.gitea.settings = {
    ui = {
      DEFAULT_THEME = "gitea-auto";
      REACTIONS = lib.concatStringsSep "," [
        "+1"
        "-1"
        "laugh"
        "confused"
        "heart"
        "hooray"
        "rocket"
        "eyes"
        "100"
        "anger"
        "astonished"
        "no_good"
        "ok_hand"
        "pensive"
        "pizza"
        "point_up"
        "sob"
        "skull"
        "upside_down_face"
        "shrug"
        "huh"
        "bruh"
        "okiedokie"
        "grr"
      ];
      CUSTOM_EMOJIS = lib.concatStringsSep "," [
        "bruh"
        "grr"
        "huh"
        "ohyeah"
      ];
    };
    "ui.meta" = {
      AUTHOR = "Programvareverkstedet";
      DESCRIPTION = "Bokstavelig talt programvareverkstedet";
      KEYWORDS = lib.concatStringsSep "," [
        "git"
        "hackerspace"
        "nix"
        "open source"
        "foss"
        "organization"
        "software"
        "student"
      ];
    };
  };
  systemd.services.gitea-customization = lib.mkIf cfg.enable {
    description = "Install extra customization in gitea's CUSTOM_DIR";
    wantedBy = [ "gitea.service" ];
@@ -110,11 +57,6 @@ in
      install -Dm444 ${extraLinksFooter} ${cfg.customDir}/templates/custom/extra_links_footer.tmpl
      install -Dm444 ${project-labels} ${cfg.customDir}/options/label/project-labels.yaml
      install -Dm644 ${./emotes/bruh.png} ${cfg.customDir}/public/assets/img/emoji/bruh.png
      install -Dm644 ${./emotes/huh.gif} ${cfg.customDir}/public/assets/img/emoji/huh.png
      install -Dm644 ${./emotes/grr.png} ${cfg.customDir}/public/assets/img/emoji/grr.png
      install -Dm644 ${./emotes/okiedokie.jpg} ${cfg.customDir}/public/assets/img/emoji/okiedokie.png
      "${lib.getExe pkgs.rsync}" -a "${customTemplates}/" ${cfg.customDir}/templates/
    '';
  };
--- a/hosts/kommode/services/gitea/customization/emotes/bruh.png
+++ b/hosts/kommode/services/gitea/customization/emotes/bruh.png
--- a/hosts/kommode/services/gitea/customization/emotes/grr.png
+++ b/hosts/kommode/services/gitea/customization/emotes/grr.png
--- a/hosts/kommode/services/gitea/customization/emotes/huh.gif
+++ b/hosts/kommode/services/gitea/customization/emotes/huh.gif
--- a/hosts/kommode/services/gitea/customization/emotes/okiedokie.jpg
+++ b/hosts/kommode/services/gitea/customization/emotes/okiedokie.jpg
--- a/hosts/kommode/services/gitea/customization/labels/projects.json
+++ b/hosts/kommode/services/gitea/customization/labels/projects.json
@@ -35,12 +35,6 @@
    "color": "#ed1111",
    "description": "Report an oopsie"
  },
  {
    "name": "developer experience",
    "exclusive": false,
    "color": "#eb6420",
    "description": "Think about the developers"
  },
  {
    "name": "disputed",
    "exclusive": false,
--- a/hosts/kommode/services/gitea/default.nix
+++ b/hosts/kommode/services/gitea/default.nix
@@ -83,24 +83,11 @@ in {
        AUTO_WATCH_NEW_REPOS = false;
      };
      admin.DEFAULT_EMAIL_NOTIFICATIONS = "onmention";
      session.COOKIE_SECURE = true;
      security = {
        SECRET_KEY = lib.mkForce "";
        SECRET_KEY_URI = "file:${config.sops.secrets."gitea/secret-key".path}";
      };
      cache = {
        ADAPTER = "redis";
        HOST = "redis+socket://${config.services.redis.servers.gitea.unixSocket}?db=0";
        ITEM_TTL = "72h";
      };
      session = {
        COOKIE_SECURE = true;
        PROVIDER = "redis";
        PROVIDER_CONFIG = "redis+socket://${config.services.redis.servers.gitea.unixSocket}?db=1";
      };
      queue = {
        TYPE = "redis";
        CONN_STR = "redis+socket://${config.services.redis.servers.gitea.unixSocket}?db=2";
      };
      database.LOG_SQL = false;
      repository = {
        PREFERRED_LICENSES = lib.concatStringsSep "," [
@@ -141,6 +128,31 @@ in {
        AVATAR_MAX_ORIGIN_SIZE = 1024 * 1024 * 2;
      };
      actions.ENABLED = true;
      ui = {
        REACTIONS = lib.concatStringsSep "," [
          "+1"
          "-1"
          "laugh"
          "confused"
          "heart"
          "hooray"
          "rocket"
          "eyes"
          "100"
          "anger"
          "astonished"
          "no_good"
          "ok_hand"
          "pensive"
          "pizza"
          "point_up"
          "sob"
          "skull"
          "upside_down_face"
          "shrug"
        ];
      };
      "ui.meta".DESCRIPTION = "Bokstavelig talt programvareverkstedet";
    };
    dump = {
@@ -152,26 +164,12 @@ in {
  environment.systemPackages = [ cfg.package ];
-  systemd.services.gitea = lib.mkIf cfg.enable {
+  systemd.services.gitea.serviceConfig.CPUSchedulingPolicy = "batch";
    wants = [ "redis-gitea.service" ];
    after = [ "redis-gitea.service" ];
-    serviceConfig = {
+  systemd.services.gitea.serviceConfig.CacheDirectory = "gitea/repo-archive";
-      CPUSchedulingPolicy = "batch";
+  systemd.services.gitea.serviceConfig.BindPaths = [
-      CacheDirectory = "gitea/repo-archive";
+    "%C/gitea/repo-archive:${cfg.stateDir}/data/repo-archive"
-      BindPaths = [
+  ];
        "%C/gitea/repo-archive:${cfg.stateDir}/data/repo-archive"
      ];
    };
  };
  services.redis.servers.gitea = lib.mkIf cfg.enable {
    enable = true;
    user = config.services.gitea.user;
    save = [ ];
    openFirewall = false;
    port = 5698;
  };
  services.nginx.virtualHosts."${domain}" = {
    forceSSL = true;
@@ -197,23 +195,6 @@ in {
  networking.firewall.allowedTCPPorts = [ sshPort ];
  services.rsync-pull-targets = {
    enable = true;
    locations.${cfg.dump.backupDir} = {
      user = "root";
      rrsyncArgs.ro = true;
      authorizedKeysAttrs = [
        "restrict"
        "from=\"principal.pvv.ntnu.no,${values.hosts.principal.ipv6},${values.hosts.principal.ipv4}\""
        "no-agent-forwarding"
        "no-port-forwarding"
        "no-pty"
        "no-X11-forwarding"
      ];
      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGpMVrOppyqYaDiAhqmAuOaRsubFvcQGBGyz+NHB6+0o gitea rsync backup";
    };
  };
  systemd.services.gitea-dump = {
    serviceConfig.ExecStart = let
      args = lib.cli.toGNUCommandLineShell { } {
--- a/hosts/kommode/services/gitea/web-secret-provider/default.nix
+++ b/hosts/kommode/services/gitea/web-secret-provider/default.nix
@@ -28,7 +28,7 @@ in
  users.users."gitea-web" = {
    group = "gitea-web";
    isSystemUser = true;
-    useDefaultShell = true;
+    shell = pkgs.bash;
  };
  sops.secrets."gitea/web-secret-provider/token" = {
--- a/hosts/lupine/configuration.nix
+++ b/hosts/lupine/configuration.nix
@@ -9,6 +9,12 @@
  ];
  sops.defaultSopsFile = fp /secrets/lupine/lupine.yaml;
  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
  sops.age.keyFile = "/var/lib/sops-nix/key.txt";
  sops.age.generateKey = true;
  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;
  systemd.network.networks."30-enp0s31f6" = values.defaultNetworkConfig // {
    matchConfig.Name = "enp0s31f6";
@@ -22,7 +28,7 @@
  # There are no smart devices
  services.smartd.enable = false;
-  # Don't change (even during upgrades) unless you know what you are doing.
+  # Do not change, even during upgrades.
  # See https://search.nixos.org/options?show=system.stateVersion
  system.stateVersion = "25.05";
 }
--- a/hosts/lupine/hardware-configuration/lupine-1.nix
+++ b/hosts/lupine/hardware-configuration/lupine-1.nix
@@ -1,4 +1,4 @@
-# Do not modify this file!  It was generated by 'nixos-generate-config'
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 { config, lib, pkgs, modulesPath, ... }:
--- a/hosts/lupine/hardware-configuration/lupine-2.nix
+++ b/hosts/lupine/hardware-configuration/lupine-2.nix
@@ -1,4 +1,4 @@
-# Do not modify this file!  It was generated by 'nixos-generate-config'
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 { config, lib, pkgs, modulesPath, ... }:
--- a/hosts/lupine/hardware-configuration/lupine-3.nix
+++ b/hosts/lupine/hardware-configuration/lupine-3.nix
@@ -1,4 +1,4 @@
-# Do not modify this file!  It was generated by 'nixos-generate-config'
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 { config, lib, pkgs, modulesPath, ... }:
--- a/hosts/lupine/hardware-configuration/lupine-4.nix
+++ b/hosts/lupine/hardware-configuration/lupine-4.nix
@@ -1,4 +1,4 @@
-# Do not modify this file!  It was generated by 'nixos-generate-config'
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 { config, lib, pkgs, modulesPath, ... }:
--- a/hosts/lupine/hardware-configuration/lupine-5.nix
+++ b/hosts/lupine/hardware-configuration/lupine-5.nix
@@ -1,4 +1,4 @@
-# Do not modify this file!  It was generated by 'nixos-generate-config'
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 { config, lib, pkgs, modulesPath, ... }:
--- a/hosts/shark/configuration.nix
+++ b/hosts/shark/configuration.nix
@@ -6,14 +6,33 @@
      (fp /base)
    ];
  sops.defaultSopsFile = fp /secrets/shark/shark.yaml;
  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
  sops.age.keyFile = "/var/lib/sops-nix/key.txt";
  sops.age.generateKey = true;
  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;
  networking.hostName = "shark"; # Define your hostname.
  systemd.network.networks."30-ens18" = values.defaultNetworkConfig // {
    matchConfig.Name = "ens18";
    address = with values.hosts.shark; [ (ipv4 + "/25") (ipv6 + "/64") ];
  };
-  services.qemuGuest.enable = true;
+  # List packages installed in system profile
  environment.systemPackages = with pkgs; [
  ];
  # List services that you want to enable:
  # This value determines the NixOS release from which the default
  # settings for stateful data, like file locations and database versions
  # on your system were taken. It‘s perfectly fine and recommended to leave
  # this value at the release version of the first install of this system.
  # Before changing this value read the documentation for this option
  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
  system.stateVersion = "23.05"; # Did you read the comment?
  # Don't change (even during upgrades) unless you know what you are doing.
  # See https://search.nixos.org/options?show=system.stateVersion
  system.stateVersion = "25.11";
 }
--- a/hosts/shark/hardware-configuration.nix
+++ b/hosts/shark/hardware-configuration.nix
@@ -1,4 +1,4 @@
-# Do not modify this file!  It was generated by 'nixos-generate-config'
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 { config, lib, pkgs, modulesPath, ... }:
--- a/hosts/skrot/configuration.nix
+++ b/hosts/skrot/configuration.nix
@@ -1,63 +0,0 @@
 {
  fp,
  lib,
  config,
  values,
  ...
 }:
 {
  imports = [
    # Include the results of the hardware scan.
    ./hardware-configuration.nix
    ./disk-config.nix
    (fp /base)
  ];
  boot.consoleLogLevel = 0;
  sops.defaultSopsFile = fp /secrets/skrot/skrot.yaml;
  systemd.network.networks."enp2s0" = values.defaultNetworkConfig // {
    matchConfig.Name = "enp2s0";
    address = with values.hosts.skrot; [
      (ipv4 + "/25")
      (ipv6 + "/64")
    ];
  };
  sops.secrets = {
    "dibbler/postgresql/password" = {
      owner = "dibbler";
      group = "dibbler";
    };
  };
  services.dibbler = {
    enable = true;
    kioskMode = true;
    limitScreenWidth = 80;
    limitScreenHeight = 42;
    settings = {
      general.quit_allowed = false;
      database = {
        type = "postgresql";
        postgresql = {
          username = "pvv_vv";
          dbname = "pvv_vv";
          host = "postgres.pvv.ntnu.no";
          password_file = config.sops.secrets."dibbler/postgresql/password".path;
        };
      };
    };
  };
  systemd.services."serial-getty@ttyUSB0" = lib.mkIf (!config.virtualisation.isVmVariant) {
    enable = true;
    wantedBy = [ "getty.target" ]; # to start at boot
    serviceConfig.Restart = "always"; # restart when session is closed
  };
  system.stateVersion = "25.11"; # Did you read the comment? Nah bro
 }
--- a/hosts/skrot/disk-config.nix
+++ b/hosts/skrot/disk-config.nix
@@ -1,41 +0,0 @@
 {
  disko.devices = {
    disk = {
      main = {
        device = "/dev/sda";
        type = "disk";
        content = {
          type = "gpt";
          partitions = {
            ESP = {
              type = "EF00";
              size = "1G";
              content = {
                type = "filesystem";
                format = "vfat";
                mountpoint = "/boot";
                mountOptions = [ "umask=0077" ];
              };
            };
            plainSwap = {
              size = "8G";
              content = {
                type = "swap";
                discardPolicy = "both";
                resumeDevice = false;
              };
            };
            root = {
              size = "100%";
              content = {
                type = "filesystem";
                format = "ext4";
                mountpoint = "/";
              };
            };
          };
        };
      };
    };
  };
 }
--- a/hosts/skrot/hardware-configuration.nix
+++ b/hosts/skrot/hardware-configuration.nix
@@ -1,15 +0,0 @@
 { config, lib, pkgs, modulesPath, ... }:
 {
  imports =
    [ (modulesPath + "/installer/scan/not-detected.nix")
    ];
  boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "sd_mod" ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ "kvm-amd" ];
  boot.extraModulePackages = [ ];
  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 }
--- a/hosts/skrott/configuration.nix
+++ b/hosts/skrott/configuration.nix
@@ -1,112 +0,0 @@
 { config, pkgs, lib, modulesPath, fp, values, ... }: {
  imports = [
    (modulesPath + "/profiles/perlless.nix")
    (fp /base)
  ];
  # Disable import of a bunch of tools we don't need from nixpkgs.
  disabledModules = [ "profiles/base.nix" ];
  sops.defaultSopsFile = fp /secrets/skrott/skrott.yaml;
  boot = {
    consoleLogLevel = 0;
    enableContainers = false;
    loader.grub.enable = false;
    loader.systemd-boot.enable = false;
    kernelPackages = pkgs.linuxPackages;
  };
  hardware = {
    enableAllHardware = lib.mkForce false;
    firmware = [ pkgs.raspberrypiWirelessFirmware ];
  };
  # Now turn off a bunch of stuff lol
  # TODO: can we reduce further?
  # See also https://nixcademy.com/posts/minimizing-nixos-images/
  system.autoUpgrade.enable = lib.mkForce false;
  services.irqbalance.enable = lib.mkForce false;
  services.logrotate.enable = lib.mkForce false;
  services.nginx.enable = lib.mkForce false;
  services.postfix.enable = lib.mkForce false;
  services.smartd.enable = lib.mkForce false;
  services.udisks2.enable = lib.mkForce false;
  services.thermald.enable = lib.mkForce false;
  services.promtail.enable = lib.mkForce false;
  # There aren't really that many firmware updates for rbpi3 anyway
  services.fwupd.enable = lib.mkForce false;
  documentation.enable = lib.mkForce false;
  environment.enableAllTerminfo = lib.mkForce false;
  programs.neovim.enable = lib.mkForce false;
  programs.zsh.enable = lib.mkForce false;
  programs.git.package = pkgs.gitMinimal;
  nix.registry = lib.mkForce { };
  nix.nixPath = lib.mkForce [ ];
  sops.secrets = {
    "dibbler/postgresql/password" = {
      owner = "dibbler";
      group = "dibbler";
    };
  };
  # zramSwap.enable = true;
  networking = {
    hostName = "skrott";
    defaultGateway = values.hosts.gateway;
    defaultGateway6 = values.hosts.gateway6;
    interfaces.eth0 = {
      useDHCP = false;
      ipv4.addresses = [{
        address = values.hosts.skrott.ipv4;
        prefixLength = 25;
      }];
      ipv6.addresses = [{
        address = values.hosts.skrott.ipv6;
        prefixLength = 25;
      }];
    };
  };
  services.dibbler = {
    enable = true;
    kioskMode = true;
    limitScreenWidth = 80;
    limitScreenHeight = 42;
    settings = {
      general.quit_allowed = false;
      database = {
        type = "postgresql";
        postgresql = {
          username = "pvv_vv";
          dbname = "pvv_vv";
          host = "postgres.pvv.ntnu.no";
          password_file = config.sops.secrets."dibbler/postgresql/password".path;
        };
      };
    };
  };
  # https://github.com/NixOS/nixpkgs/issues/84105
  boot.kernelParams = lib.mkIf (!config.virtualisation.isVmVariant) [
    "console=ttyUSB0,9600"
    # "console=tty1" # Already part of the module
  ];
  systemd.services."serial-getty@ttyUSB0" = lib.mkIf (!config.virtualisation.isVmVariant) {
    enable = true;
    wantedBy = [ "getty.target" ]; # to start at boot
    serviceConfig.Restart = "always"; # restart when session is closed
  };
  # Don't change (even during upgrades) unless you know what you are doing.
  # See https://search.nixos.org/options?show=system.stateVersion
  system.stateVersion = "25.11";
 }
--- a/hosts/temmie/configuration.nix
+++ b/hosts/temmie/configuration.nix
@@ -1,24 +0,0 @@
 { config, fp, pkgs, values, ... }:
 {
  imports = [
    # Include the results of the hardware scan.
    ./hardware-configuration.nix
    (fp /base)
    ./services/nfs-mounts.nix
    ./services/userweb.nix
  ];
  systemd.network.networks."30-ens18" = values.defaultNetworkConfig // {
    matchConfig.Name = "ens18";
    address = with values.hosts.temmie; [ (ipv4 + "/25") (ipv6 + "/64") ];
  };
  services.nginx.enable = false;
  services.qemuGuest.enable = true;
  # Don't change (even during upgrades) unless you know what you are doing.
  # See https://search.nixos.org/options?show=system.stateVersion
  system.stateVersion = "25.11";
 }
--- a/hosts/temmie/hardware-configuration.nix
+++ b/hosts/temmie/hardware-configuration.nix
@@ -1,30 +0,0 @@
 # Do not modify this file!  It was generated by 'nixos-generate-config'
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 { config, lib, pkgs, modulesPath, ... }:
 {
  imports =
    [ (modulesPath + "/profiles/qemu-guest.nix")
    ];
  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ ];
  boot.extraModulePackages = [ ];
  fileSystems."/" =
    { device = "/dev/disk/by-uuid/c3aed415-0054-4ac5-8d29-75a99cc26451";
      fsType = "btrfs";
    };
  fileSystems."/boot" =
    { device = "/dev/disk/by-uuid/A367-83FD";
      fsType = "vfat";
      options = [ "fmask=0022" "dmask=0022" ];
    };
  swapDevices = [ ];
  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
 }
--- a/hosts/temmie/services/nfs-mounts.nix
+++ b/hosts/temmie/services/nfs-mounts.nix
@@ -1,57 +0,0 @@
 { lib, values, ... }:
 let
  # See microbel:/etc/exports
  letters = [ "a" "b" "c" "d" "h" "i" "j" "k" "l" "m" "z" ];
 in
 {
  systemd.targets."pvv-homedirs" = {
    description = "PVV Homedir Partitions";
  };
  systemd.mounts = map (l: {
    description = "PVV Homedir Partition ${l}";
    before = [ "remote-fs.target" ];
    wantedBy = [ "multi-user.target" ];
    requiredBy = [ "pvv-homedirs.target" ];
    type = "nfs";
    what = "homepvv${l}.pvv.ntnu.no:/export/home/pvv/${l}";
    where = "/run/pvv-home-mounts/${l}";
    options = lib.concatStringsSep "," [
      "nfsvers=3"
      # NOTE: this is a bit unfortunate. The address above seems to resolve to IPv6 sometimes,
      #       and it doesn't seem possible to specify proto=tcp,tcp6, meaning we have to tell
      #       NFS which exact address to use here, despite it being specified in the `what` attr :\
      "proto=tcp"
      "addr=${values.hosts.microbel.ipv4}"
      "mountproto=tcp"
      "mounthost=${values.hosts.microbel.ipv4}"
      "port=2049"
      # NOTE: this is yet more unfortunate. When enabling locking, it will sometimes complain about connection failed.
      #       dmesg(1) reveals that it has something to do with registering the lockdv1 RPC service (errno: 111), not
      #       quite sure how to fix it. Living life on dangerous mode for now.
      "nolock"
      # Don't wait on every read/write
      "async"
      # Always keep mounted
      "noauto"
      # We don't want to update access time constantly
      "noatime"
      # No SUID/SGID, no special devices
      "nosuid"
      "nodev"
      # TODO: are there cgi scripts that modify stuff in peoples homedirs?
      # "ro"
      "rw"
    ];
  }) letters;
 }
--- a/hosts/temmie/services/userweb.nix
+++ b/hosts/temmie/services/userweb.nix
@@ -1,344 +0,0 @@
 { config, lib, pkgs, ... }:
 let
  cfg = config.services.httpd;
  homeLetters = [ "a" "b" "c" "d" "h" "i" "j" "k" "l" "m" "z" ];
  # https://nixos.org/manual/nixpkgs/stable/#ssec-php-user-guide-installing-with-extensions
  phpEnv = pkgs.php.buildEnv {
    extensions = { all, ... }: with all; [
      imagick
      opcache
      protobuf
    ];
    extraConfig = ''
      display_errors=0
      post_max_size = 40M
      upload_max_filesize = 40M
    '';
  };
  perlEnv = pkgs.perl.withPackages (ps: with ps; [
    pkgs.exiftool
    pkgs.ikiwiki
    pkgs.irssi
    pkgs.nix.libs.nix-perl-bindings
    AlgorithmDiff
    AnyEvent
    AnyEventI3
    ArchiveZip
    CGI
    CPAN
    CPANPLUS
    DBDPg
    DBDSQLite
    DBI
    EmailAddress
    EmailSimple
    Env
    Git
    HTMLMason
    HTMLParser
    HTMLTagset
    HTTPDAV
    HTTPDaemon
    ImageMagick
    JSON
    LWP
    MozillaCA
    PathTiny
    Switch
    SysSyslog
    TestPostgreSQL
    TextPDF
    TieFile
    Tk
    URI
    XMLLibXML
  ]);
  # https://nixos.org/manual/nixpkgs/stable/#python.buildenv-function
  pythonEnv = pkgs.python3.buildEnv.override {
    extraLibs = with pkgs.python3Packages; [
      legacy-cgi
      matplotlib
      requests
    ];
    ignoreCollisions = true;
  };
  # https://nixos.org/manual/nixpkgs/stable/#sec-building-environment
  fhsEnv = pkgs.buildEnv {
    name = "userweb-env";
    paths = with pkgs; [
      bash
      perlEnv
      pythonEnv
      phpEnv
    ]
    ++ (with phpEnv.packages; [
      # composer
    ])
    ++ [
      acl
      aspell
      autoconf
      autotrash
      bazel
      bintools
      bison
      bsd-finger
      catdoc
      ccache
      clang
      cmake
      coreutils-full
      curl
      devcontainer
      diffutils
      emacs
      # exiftags
      exiftool
      ffmpeg
      file
      findutils
      gawk
      gcc
      glibc
      gnugrep
      gnumake
      gnupg
      gnuplot
      gnused
      gnutar
      gzip
      html-tidy
      imagemagick
      inetutils
      iproute2
      jhead
      less
      libgcc
      lndir
      mailutils
      man # TODO: does this one want a mandb instance?
      meson
      more
      mpc
      mpi
      mplayer
      ninja
      nix
      openssh
      openssl
      patchelf
      pkg-config
      ppp
      procmail
      procps
      qemu
      rc
      rhash
      rsync
      ruby # TODO: does this one want systemwide packages?
      salt
      sccache
      sourceHighlight
      spamassassin
      strace
      subversion
      system-sendmail
      systemdMinimal
      texliveMedium
      tmux
      unzip
      util-linux
      valgrind
      vim
      wget
      which
      wine
      xdg-utils
      zip
      zstd
    ];
    extraOutputsToInstall = [
      "man"
      "doc"
    ];
  };
 in
 {
  services.httpd = {
    enable = true;
    adminAddr = "drift@pvv.ntnu.no";
    # TODO: consider upstreaming systemd support
    # TODO: mod_log_journald in v2.5
    package = pkgs.apacheHttpd.overrideAttrs (prev: {
      nativeBuildInputs = prev.nativeBuildInputs ++ [ pkgs.pkg-config ];
      buildInputs = prev.buildInputs ++ [ pkgs.systemdLibs ];
      configureFlags = prev.configureFlags ++ [ "--enable-systemd" ];
    });
    enablePHP = true;
    phpPackage = phpEnv;
    enablePerl = true;
    # TODO: mod_log_journald in v2.5
    extraModules = [
      "systemd"
      "userdir"
      # TODO: I think the compilation steps of pkgs.apacheHttpdPackages.mod_perl might have some
      #       incorrect or restrictive assumptions upstream, either nixpkgs or source
      # {
      #   name = "perl";
      #   path = let
      #     mod_perl = pkgs.apacheHttpdPackages.mod_perl.override {
      #       apacheHttpd = cfg.package.out;
      #       perl = perlEnv;
      #     };
      #   in "${mod_perl}/modules/mod_perl.so";
      # }
    ];
    extraConfig = ''
      TraceEnable on
      LogLevel warn rewrite:trace3
      ScriptLog ${cfg.logDir}/cgi.log
    '';
    # virtualHosts."userweb.pvv.ntnu.no" = {
    virtualHosts."temmie.pvv.ntnu.no" = {
      forceSSL = true;
      enableACME = true;
      extraConfig = ''
        UserDir ${lib.concatMapStringsSep " " (l: "/home/pvv/${l}/*/web-docs") homeLetters}
        UserDir disabled root
        AddHandler cgi-script .cgi
        DirectoryIndex index.html index.html.var index.php index.php3 index.cgi index.phtml index.shtml meg.html
        <Directory "/home/pvv/?/*/web-docs">
          Options MultiViews Indexes SymLinksIfOwnerMatch ExecCGI IncludesNoExec
          AllowOverride All
          Require all granted
        </Directory>
      '';
    };
  };
  networking.firewall.allowedTCPPorts = [
    80
    443
  ];
  # socket activation comes in v2.5
  # systemd.sockets.httpd = {
  #   wantedBy = [ "sockets.target" ];
  #   description = "HTTPD socket";
  #   listenStreams = [
  #     "0.0.0.0:80"
  #     "0.0.0.0:443"
  #   ];
  # };
  systemd.services.httpd = {
    after = [ "pvv-homedirs.target" ];
    requires = [ "pvv-homedirs.target" ];
    environment = {
      PATH = lib.mkForce "/usr/bin";
    };
    serviceConfig = {
      Type = lib.mkForce "notify";
      ExecStart = lib.mkForce "${cfg.package}/bin/httpd -D FOREGROUND -f /etc/httpd/httpd.conf -k start";
      ExecReload = lib.mkForce "${cfg.package}/bin/httpd -f /etc/httpd/httpd.conf -k graceful";
      ExecStop = lib.mkForce "";
      KillMode = "mixed";
      ConfigurationDirectory = [ "httpd" ];
      LogsDirectory = [ "httpd" ];
      LogsDirectoryMode = "0700";
      CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
      LockPersonality = true;
      PrivateDevices = true;
      PrivateTmp = true;
      # NOTE: this removes CAP_NET_BIND_SERVICE...
      # PrivateUsers = true;
      ProtectClock = true;
      ProtectControlGroups = true;
      ProtectHome = "tmpfs";
      ProtectKernelLogs = true;
      ProtectKernelModules = true;
      ProtectSystem = true;
      RemoveIPC = true;
      RestrictAddressFamilies = [
        "AF_INET"
        "AF_INET6"
        "AF_UNIX"
        "AF_NETLINK"
      ];
      RestrictNamespaces = true;
      RestrictRealtime = true;
      RestrictSUIDSGID = true;
      SocketBindDeny = "any";
      SocketBindAllow = [
        "tcp:80"
        "tcp:443"
      ];
      SystemCallArchitectures = "native";
      SystemCallFilter = [
         "@system-service"
      ];
      UMask = "0077";
      RuntimeDirectory = [ "httpd/root-mnt" ];
      RootDirectory = "/run/httpd/root-mnt";
      MountAPIVFS = true;
      BindReadOnlyPaths = [
        builtins.storeDir
        "/etc"
        # NCSD socket
        "/var/run"
        "/var/lib/acme"
        "${fhsEnv}/bin:/bin"
        "${fhsEnv}/sbin:/sbin"
        "${fhsEnv}/lib:/lib"
        "${fhsEnv}/share:/share"
      ] ++ (lib.mapCartesianProduct ({ parent, child }: "${fhsEnv}${child}:${parent}${child}") {
        parent = [
          "/local"
          "/opt"
          "/opt/local"
          "/store"
          "/store/gnu"
          "/usr"
          "/usr/local"
        ];
        child = [
          "/bin"
          "/sbin"
          "/lib"
          "/libexec"
          "/include"
          "/share"
        ];
      });
      BindPaths = map (l: "/run/pvv-home-mounts/${l}:/home/pvv/${l}") homeLetters;
    };
  };
  # TODO: create phpfpm pools with php environments that contain packages similar to those present on tom
 }
--- a/hosts/ustetind/configuration.nix
+++ b/hosts/ustetind/configuration.nix
@@ -7,7 +7,12 @@
    ./services/gitea-runners.nix
  ];
-  boot.loader.systemd-boot.enable = false;
+  sops.defaultSopsFile = fp /secrets/ustetind/ustetind.yaml;
  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
  sops.age.keyFile = "/var/lib/sops-nix/key.txt";
  sops.age.generateKey = true;
  networking.hostName = "ustetind";
  networking.useHostResolvConf = lib.mkForce false;
@@ -34,7 +39,5 @@
    };
  };
  # Don't change (even during upgrades) unless you know what you are doing.
  # See https://search.nixos.org/options?show=system.stateVersion
  system.stateVersion = "24.11";
 }
--- a/hosts/wenche/configuration.nix
+++ b/hosts/wenche/configuration.nix
@@ -14,9 +14,15 @@
    "armv7l-linux"
  ];
-  boot.loader.systemd-boot.enable = false;
+  sops.defaultSopsFile = fp /secrets/wenche/wenche.yaml;
  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
  sops.age.keyFile = "/var/lib/sops-nix/key.txt";
  sops.age.generateKey = true;
  boot.loader.grub.device = "/dev/sda";
  networking.hostName = "wenche"; # Define your hostname.
  systemd.network.networks."30-ens18" = values.defaultNetworkConfig // {
    matchConfig.Name = "ens18";
    address = with values.hosts.wenche; [ (ipv4 + "/25") (ipv6 + "/64") ];
@@ -30,9 +36,9 @@
    package = config.boot.kernelPackages.nvidiaPackages.production;
  };
-  services.qemuGuest.enable = true;
+  # List packages installed in system profile
  environment.systemPackages = with pkgs; [
  ];
-  # Don't change (even during upgrades) unless you know what you are doing.
+  system.stateVersion = "24.11"; # Did you read the comment?
  # See https://search.nixos.org/options?show=system.stateVersion
  system.stateVersion = "24.11";
 }
--- a/modules/bluemap.nix
+++ b/modules/bluemap.nix
@@ -13,32 +13,11 @@ let
        (format.generate "${name}.conf" value))
      cfg.storage);
-  generateMapConfigWithMarkerData = name: { extraHoconMarkersFile, settings, ... }:
+  mapsFolder = pkgs.linkFarm "maps"
-    assert (extraHoconMarkersFile == null) != ((settings.marker-sets or { }) == { });
+    (lib.attrsets.mapAttrs' (name: value:
-    lib.pipe settings (
+      lib.nameValuePair "${name}.conf"
-      (lib.optionals (extraHoconMarkersFile != null) [
+        (format.generate "${name}.conf" value.settings))
-        (settings: lib.recursiveUpdate settings {
+      cfg.maps);
          marker-placeholder = "###ASDF###";
        })
      ]) ++ [
        (format.generate "${name}.conf")
      ] ++ (lib.optionals (extraHoconMarkersFile != null) [
        (hoconFile: pkgs.runCommand "${name}-patched.conf" { } ''
          mkdir -p "$(dirname "$out")"
          cp '${hoconFile}' "$out"
          substituteInPlace "$out" \
            --replace-fail '"marker-placeholder" = "###ASDF###"' "\"marker-sets\" = $(cat '${extraHoconMarkersFile}')"
        '')
      ])
    );
  mapsFolder = lib.pipe cfg.maps [
    (lib.attrsets.mapAttrs' (name: value: {
      name = "${name}.conf";
      value = generateMapConfigWithMarkerData name value;
    }))
    (pkgs.linkFarm "maps")
  ];
  webappConfigFolder = pkgs.linkFarm "bluemap-config" {
    "maps" = mapsFolder;
@@ -51,7 +30,7 @@ let
  renderConfigFolder = name: value: pkgs.linkFarm "bluemap-${name}-config" {
    "maps" = pkgs.linkFarm "maps" {
-      "${name}.conf" = generateMapConfigWithMarkerData name value;
+      "${name}.conf" = (format.generate "${name}.conf" value.settings);
    };
    "storages" = storageFolder;
    "core.conf" = coreConfig;
@@ -181,18 +160,6 @@ in {
            defaultText = lib.literalExpression "config.services.bluemap.packs";
            description = "A set of resourcepacks, datapacks, and mods to extract resources from, loaded in alphabetical order.";
          };
          extraHoconMarkersFile = mkOption {
            type = lib.types.nullOr lib.types.path;
            default = null;
            description = ''
              Path to a hocon file containing marker data.
              The content of this file will be injected into the map config file in a separate derivation.
              DO NOT SEND THIS TO NIXPKGS, IT'S AN UGLY HACK.
            '';
          };
          settings = mkOption {
            type = (lib.types.submodule {
              freeformType = format.type;
--- a/modules/gickup/update-linktree.nix
+++ b/modules/gickup/update-linktree.nix
@@ -16,8 +16,6 @@ in
    # TODO: update symlink for one repo at a time (e.g. gickup-linktree@<instance>.service)
    systemd.services."gickup-linktree" = {
      after = map ({ slug, ... }: "gickup@${slug}.service") (lib.attrValues cfg.instances);
      wantedBy = [ "gickup.target" ];
      serviceConfig = {
        Type = "oneshot";
        ExecStart = let
--- a/modules/grzegorz.nix
+++ b/modules/grzegorz.nix
@@ -37,23 +37,19 @@ in {
  services.nginx.enable = true;
  services.nginx.virtualHosts = {
    ${config.networking.fqdn} = {
      # NOTE: this overrides the default config in base/services/nginx.nix
      addSSL = false;
      forceSSL = true;
      enableACME = true;
      kTLS = true;
      serverAliases = [
        "${machine}.pvv.org"
      ];
      extraConfig = ''
        # pvv
-        allow ${values.ipv4-space};
+        allow ${values.ipv4-space}
-        allow ${values.ipv6-space};
+        allow ${values.ipv6-space}
        # ntnu
-        allow ${values.ntnu.ipv4-space};
+        allow ${values.ntnu.ipv4-space}
-        allow ${values.ntnu.ipv6-space};
+        allow ${values.ntnu.ipv6-space}
        deny all;
      '';
@@ -76,11 +72,11 @@ in {
      ];
      extraConfig = ''
        # pvv
-        allow ${values.ipv4-space};
+        allow ${values.ipv4-space}
-        allow ${values.ipv6-space};
+        allow ${values.ipv6-space}
        # ntnu
-        allow ${values.ntnu.ipv4-space};
+        allow ${values.ntnu.ipv4-space}
-        allow ${values.ntnu.ipv6-space};
+        allow ${values.ntnu.ipv6-space}
        deny all;
      '';
@@ -99,11 +95,11 @@ in {
      ];
      extraConfig = ''
        # pvv
-        allow ${values.ipv4-space};
+        allow ${values.ipv4-space}
-        allow ${values.ipv6-space};
+        allow ${values.ipv6-space}
        # ntnu
-        allow ${values.ntnu.ipv4-space};
+        allow ${values.ntnu.ipv4-space}
-        allow ${values.ntnu.ipv6-space};
+        allow ${values.ntnu.ipv6-space}
        deny all;
      '';
--- a/Show More
+++ b/Show More