WIP: fix bluemap markers

flake.lock: bump
topology: extend some more
2025-12-31 12:48:23 +01:00 · 2025-12-30 16:39:22 +09:00 · 2025-12-30 16:39:12 +09:00 · 2025-12-30 14:23:09 +09:00 · 2025-12-30 13:09:59 +09:00 · 2025-12-30 13:00:52 +09:00
183 changed files with 9485 additions and 1741 deletions
--- a/.editorconfig
+++ b/.editorconfig
@@ -0,0 +1,10 @@
 root = true
 [*]
 end_of_line = lf
 insert_final_newline = true
 trim_trailing_whitespace = true
 [*.nix]
 indent_style = space
 indent_size = 2
--- a/.envrc
+++ b/.envrc
@@ -0,0 +1 @@
 use flake
--- a/.git-blame-ignore-revs
+++ b/.git-blame-ignore-revs
@@ -0,0 +1 @@
 e00008da1afe0d760badd34bbeddff36bb08c475
--- a/.gitea/workflows/build-topology-graph.yml
+++ b/.gitea/workflows/build-topology-graph.yml
@@ -0,0 +1,32 @@
 name: "Build topology graph"
 on:
  push:
    branches:
      - main
 jobs:
  evals:
    runs-on: debian-latest
    steps:
    - uses: actions/checkout@v6
    - name: Install sudo
      run: apt-get update && apt-get -y install sudo
    - uses: https://github.com/cachix/install-nix-action@v31
    - name: Configure Nix
      run: echo -e "show-trace = true\nmax-jobs = auto\ntrusted-users = root\nexperimental-features = nix-command flakes\nbuild-users-group =" > /etc/nix/nix.conf
    - name: Build topology graph
      run: nix build .#topology -L
    - name: Upload topology graph
      uses: https://git.pvv.ntnu.no/Projects/rsync-action@v2
      with:
        source: result/*.svg
        quote-source: false
        target: ${{ gitea.ref_name }}/topology_graph/
        username: gitea-web
        ssh-key: ${{ secrets.WEB_SYNC_SSH_KEY }}
        host: pages.pvv.ntnu.no
        known-hosts: "pages.pvv.ntnu.no ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH2QjfFB+city1SYqltkVqWACfo1j37k+oQQfj13mtgg"
--- a/.gitea/workflows/eval.yml
+++ b/.gitea/workflows/eval.yml
@@ -4,10 +4,10 @@ on:
  push:
 jobs:
  evals:
-    runs-on: ubuntu-latest
+    runs-on: debian-latest
    steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v6
    - run: apt-get update && apt-get -y install sudo
-    - uses: https://github.com/cachix/install-nix-action@v23
+    - uses: https://github.com/cachix/install-nix-action@v31
    - run: echo -e "show-trace = true\nmax-jobs = auto\ntrusted-users = root\nexperimental-features = nix-command flakes\nbuild-users-group =" > /etc/nix/nix.conf
    - run: nix flake check
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,4 @@
 result*
 /configuration.nix
 /.direnv/
 *.qcow2
--- a/.mailmap
+++ b/.mailmap
@@ -0,0 +1,25 @@
 Daniel Løvbrøtte Olsen <danio@pvv.ntnu.no> <daniel.olsen99@gmail.com>
 Daniel Løvbrøtte Olsen <danio@pvv.ntnu.no> Daniel <danio@pvv.ntnu.no>
 Daniel Løvbrøtte Olsen <danio@pvv.ntnu.no> Daniel Lovbrotte Olsen <danio@pvv.ntnu.no>
 Daniel Løvbrøtte Olsen <danio@pvv.ntnu.no> Daniel Olsen <danio@pvv.ntnu.no>
 Daniel Løvbrøtte Olsen <danio@pvv.ntnu.no> danio <danio@pvv.ntnu.no>
 Daniel Løvbrøtte Olsen <danio@pvv.ntnu.no> Daniel Olsen <danio@bicep.pvv.ntnu.no>
 Øystein Kristoffer Tveit <oysteikt@pvv.ntnu.no> h7x4 <h7x4@nani.wtf>
 Øystein Kristoffer Tveit <oysteikt@pvv.ntnu.no> Øystein Tveit <oysteikt@pvv.ntnu.no>
 Øystein Kristoffer Tveit <oysteikt@pvv.ntnu.no> oysteikt <oysteikt@pvv.ntnu.no>
 Øystein Kristoffer Tveit <oysteikt@pvv.ntnu.no> Øystein <oysteikt@pvv.org>
 Øystein Kristoffer Tveit <oysteikt@pvv.ntnu.no> Oystein Kristoffer Tveit <oysteikt@pvv.ntnu.no>
 Felix Albrigtsen <felixalb@pvv.ntnu.no> <felix@albrigtsen.it>
 Felix Albrigtsen <felixalb@pvv.ntnu.no> <felixalbrigtsen@gmail.com>
 Felix Albrigtsen <felixalb@pvv.ntnu.no> felixalb <felixalb@pvv.ntnu.no>
 Peder Bergebakken Sundt <pederbs@pvv.ntnu.no> <pbsds@hotmail.com>
 Adrian Gunnar Lauterer <adriangl@pvv.ntnu.no> Adrian G L <adrian@lauterer.it>
 Adrian Gunnar Lauterer <adriangl@pvv.ntnu.no> Adrian Gunnar Lauterer <adrian@lauterer.it>
 Fredrik Robertsen <frero@pvv.ntnu.no> frero <frero@pvv.ntnu.no>
 Fredrik Robertsen <frero@pvv.ntnu.no> fredrikr79 <fredrikrobertsen7@gmail.com>
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -1,26 +1,37 @@
 keys:
  # Users
-  - &user_danio age17tagmpwqjk3mdy45rfesrfey6h863x8wfq38wh33tkrlrywxducs0k6tpq
+  - &user_danio age1ug30gg4y7ftuya0wdv7q0vh4egn00wlv2th7mt7cgc2ze46wmvyq9lq6ge
  - &user_eirikwit age1ju7rd26llahz3g8tz7cy5ld52swj8gsmg0flrmrxngc0nj0avq3ssh0sn5
  - &user_felixalb age1mrnldl334l2nszuta6ywvewng0fswv2dz9l5g4qcwe3nj4yxf92qjskdx6
  - &user_oysteikt F7D37890228A907440E1FD4846B9228E814A2AAC
-  - &user_eirikwit age1ju7rd26llahz3g8tz7cy5ld52swj8gsmg0flrmrxngc0nj0avq3ssh0sn5
+  - &user_pederbs_bjarte age1zhxul786an743u0fascv4wtc5xduu7qfy803lfs539yzhgmlq5ds2lznt5
  - &user_pederbs_nord age1wrssr4z4g6vl3fd3qme5cewchmmhm0j2xe6wf2meu4r6ycn37anse98mfs
  - &user_pederbs_sopp age1hmpdk4h69wxpwqk9tkud39f66hprhehxtzhgw97r6dvr7v0mx5jscsuhkn
  # Hosts
-  - &host_jokum age1gp8ye4g2mmw3may5xg0zsy7mm04glfz3788mmdx9cvcsdxs9hg0s0cc9kt
+  - &host_bakke age1syted6kt48sumjjucggh6r3uca4x2ppp4mfungf3lamkt2le05csc99633
  - &host_ildkule age1x28hmzvuv6f2n66c0jtqcca3h9rput8d7j5uek6jcpx8n9egd52sqpejq0
  - &host_bekkalokk age12nj59tguy9wg882updc2vjdusx5srnxmjyfaqve4zx6jnnsaw3qsyjq6zd
-  - &host_bicep age1sl43gc9cw939z5tgha2lpwf0xxxgcnlw7w4xem4sqgmt2pt264vq0dmwx2
+  - &host_bicep age19nk55kcs7s0358jpkn75xnr57dfq6fq3p43nartvsprx0su22v7qcgcjdx
-  - &host_buskerud age1tmn5qahlyf0e579e4camckdyxrexjzffv54hdzdnrw7lzqs7kyqq0f2fr3
+  - &host_ildkule age1x28hmzvuv6f2n66c0jtqcca3h9rput8d7j5uek6jcpx8n9egd52sqpejq0
  - &host_kommode age1mt4d0hg5g76qp7j0884llemy0k2ymr5up8vfudz6vzvsflk5nptqqd32ly
  - &host_lupine-1 age1fkrypl6fu4ldsa7te4g3v4qsegnk7sd6qhkquuwzh04vguy96qus08902e
  - &host_lupine-2 age1mu0ej57n4s30ghealhyju3enls83qyjua69986la35t2yh0q2s0seruz5n
  - &host_lupine-3 age1j2u876z8hu87q5npfxzzpfgllyw8ypj66d7cgelmzmnrf3xud34qzkntp9
  - &host_lupine-4 age1t8zlawqkmhye737pn8yx0z3p9cl947d9ktv2cajdc6hnvn52d3fsc59s2k
  - &host_lupine-5 age199zkqq4jp4yc3d0hx2q0ksxdtp42xhmjsqwyngh8tswuck34ke3smrfyqu
  - &host_ustetind age1hffjafs4slznksefmtqrlj7rdaqgzqncn4un938rhr053237ry8s3rs0v8
 creation_rules:
  # Global secrets
  - path_regex: secrets/[^/]+\.yaml$
    key_groups:
    - age:
      - *host_jokum
      - *user_danio
      - *user_felixalb
      - *user_eirikwit
      - *user_pederbs_sopp
      - *user_pederbs_nord
      - *user_pederbs_bjarte
      pgp:
      - *user_oysteikt
@@ -32,15 +43,21 @@ creation_rules:
      - *host_bekkalokk
      - *user_danio
      - *user_felixalb
      - *user_pederbs_sopp
      - *user_pederbs_nord
      - *user_pederbs_bjarte
      pgp:
      - *user_oysteikt
-  - path_regex: secrets/jokum/[^/]+\.yaml$
+  - path_regex: secrets/kommode/[^/]+\.yaml$
    key_groups:
    - age:
-      - *host_jokum
+      - *host_kommode
      - *user_danio
      - *user_felixalb
      - *user_pederbs_sopp
      - *user_pederbs_nord
      - *user_pederbs_bjarte
      pgp:
      - *user_oysteikt
@@ -50,6 +67,9 @@ creation_rules:
      - *host_ildkule
      - *user_danio
      - *user_felixalb
      - *user_pederbs_sopp
      - *user_pederbs_nord
      - *user_pederbs_bjarte
      pgp:
      - *user_oysteikt
@@ -59,12 +79,48 @@ creation_rules:
      - *host_bicep
      - *user_danio
      - *user_felixalb
      - *user_pederbs_sopp
      - *user_pederbs_nord
      - *user_pederbs_bjarte
      pgp:
      - *user_oysteikt
-  - path_regex: secrets/buskerud/[^/]+\.yaml$
+  - path_regex: secrets/ustetind/[^/]+\.yaml$
    key_groups:
    - age:
-      - *host_buskerud
+      - *host_ustetind
      - *user_danio
-      - *user_eirikwit
+      - *user_felixalb
      - *user_pederbs_sopp
      - *user_pederbs_nord
      - *user_pederbs_bjarte
      pgp:
      - *user_oysteikt
  - path_regex: secrets/lupine/[^/]+\.yaml$
    key_groups:
    - age:
      - *host_lupine-1
      - *host_lupine-2
      - *host_lupine-3
      - *host_lupine-4
      - *host_lupine-5
      - *user_danio
      - *user_felixalb
      - *user_pederbs_sopp
      - *user_pederbs_nord
      - *user_pederbs_bjarte
      pgp:
      - *user_oysteikt
  - path_regex: secrets/bakke/[^/]+\.yaml$
    key_groups:
    - age:
      - *host_bakke
      - *user_danio
      - *user_felixalb
      - *user_pederbs_sopp
      - *user_pederbs_nord
      - *user_pederbs_bjarte
      pgp:
      - *user_oysteikt
--- a/README.MD
+++ b/README.MD
@@ -1,57 +0,0 @@
 # PVV NixOS configs
 ## Hvordan endre på ting
 Før du endrer på ting husk å ikke putte ting som skal være hemmelig uten å først lese seksjonen for hemmeligheter!
 Etter å ha klonet prosjektet ned og gjort endringer kan du evaluere configene med:
 `nix flake check --keep-going`
 før du bygger en maskin med:
 `nix build .#<maskinnavn>`
 hvis du vil være ekstra sikker på at alt bygger så kan du kjøre:
 `nix build .` for å bygge alle de viktige maskinene.
 NB: Dette kan ta opp til 30 minutter avhengig av hva som ligger i caches
 Husk å hvertfall stage nye filer om du har laget dem!
 Om alt bygger fint commit det og push til git repoet.
 Det er sikkert lurt å lage en PR først om du ikke er vandt til nix enda.
 Innen 24h skal alle systemene hente ned den nye konfigurasjonen og deploye den.
 Du kan tvinge en maskin til å oppdatere seg før dette ved å kjøre:
 `nixos-rebuild switch --update-input nixpkgs --update-input nixpkgs-unstable --no-write-lock-file --refresh --flake git+https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git --upgrade`
 som root på maskinen.
 ## Seksjonen for hemmeligheter
 For at hemmeligheter ikke skal deles med hele verden i git - eller å være world
 readable i nix-storen, bruker vi [sops-nix](https://github.com/Mic92/sops-nix)
 For å legge til secrets kan du kjøre f.eks. `sops secrets/jokum/jokum.yaml`
 Dette vil dekryptere filen og gi deg en text-editor du kan bruke for endre hemmelighetene.
 Et nix shell med dette verktøyet inkludert ligger i flaket og shell.nix og kan aktiveres med:
 `nix-shell` eller `nix develop`. Vi anbefaler det siste.
 I tilegg kan du sette opp [direnv](https://direnv.net/) slik at dette skjer automatisk
 for å få tilgang til å lese/skrive hemmeligheter må du spørre noen/noe som har tilgang til hemmelighetene
 om å legge til age eller pgp nøkkelen din i [`.sops.yaml`](https://git.pvv.ntnu.no/Drift/pvv-nixos-config/src/main/.sops.yaml)
 Denne kan du generere fra ssh-nøkkelene dine eller lage en egen nøkkel.
 ### Legge til flere keys
 Gjør det som gir mening i .sops.yml
 Etter det kjør `sops updatekeys secrets/host/file.yml`
 MERK at det ikke er `sops -r` som BARE roterer nøkklene for de som allerede er i secretfila
--- a/README.md
+++ b/README.md
@@ -0,0 +1,36 @@
 # PVV NixOS config
 This repository contains the NixOS configurations for Programvareverkstedet's server closet.
 In addition to machine configurations, it also contains a bunch of shared modules, packages, and
 more.
 ## Machines
 | Name                       | Type     | Description                                               |
 |----------------------------|----------|-----------------------------------------------------------|
 | [bekkalokk][bek]           | Physical | Our main web host, webmail, wiki, idp, minecraft map, ... |
 | [bicep][bic]               | Virtual  | Database host, matrix, git mirrors, ...                   |
 |  bikkje                    | Virtual  | Experimental login box                                    |
 | [brzeczyszczykiewicz][brz] | Physical | Shared music player                                       |
 | [georg][geo]               | Physical | Shared music player                                       |
 | [ildkule][ild]             | Virtual  | Logging and monitoring host, prometheus, grafana, ...     |
 | [kommode][kom]             | Virtual  | Gitea + Gitea pages                                       |
 | [lupine][lup]              | Physical | Gitea CI/CD runners                                       |
 |  shark                     | Virtual  | Test host for authentication, absolutely horrendous       |
 | [wenche][wen]              | Virtual  | Nix-builders, general purpose compute                     |
 ## Documentation
 - [Development - working on the PVV machines](./docs/development.md)
 - [Miscellaneous development notes](./docs/development-misc.md)
 - [User management](./docs/users.md)
 - [Secret management and `sops-nix`](./docs/secret-management.md)
 [bek]: https://wiki.pvv.ntnu.no/wiki/Maskiner/bekkalokk
 [bic]: https://wiki.pvv.ntnu.no/wiki/Maskiner/bicep
 [brz]: https://wiki.pvv.ntnu.no/wiki/Maskiner/brzęczyszczykiewicz
 [geo]: https://wiki.pvv.ntnu.no/wiki/Maskiner/georg
 [ild]: https://wiki.pvv.ntnu.no/wiki/Maskiner/ildkule
 [kom]: https://wiki.pvv.ntnu.no/wiki/Maskiner/kommode
 [lup]: https://wiki.pvv.ntnu.no/wiki/Maskiner/lupine
 [wen]: https://wiki.pvv.ntnu.no/wiki/Maskiner/wenche
--- a/base.nix
+++ b/base.nix
@@ -1,133 +0,0 @@
 { config, lib, pkgs, inputs, values, ... }:
 {
  imports = [
    ./users
    ./modules/snakeoil-certs.nix
  ];
  networking.domain = "pvv.ntnu.no";
  networking.useDHCP = false;
  # networking.search = [ "pvv.ntnu.no" "pvv.org" ];
  # networking.nameservers = lib.mkDefault [ "129.241.0.200" "129.241.0.201" ];
  # networking.tempAddresses = lib.mkDefault "disabled";
  # networking.defaultGateway = values.hosts.gateway;
  systemd.network.enable = true;
  services.resolved = {
    enable = lib.mkDefault true;
    dnssec = "false"; # Supposdly this keeps breaking and the default is to allow downgrades anyways...
  };
  time.timeZone = "Europe/Oslo";
  i18n.defaultLocale = "en_US.UTF-8";
  console = {
    font = "Lat2-Terminus16";
    keyMap = "no";
  };
  system.autoUpgrade = {
    enable = true;
    flake = "git+https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git";
    flags = [
      "--update-input" "nixpkgs"
      "--update-input" "nixpkgs-unstable"
      "--no-write-lock-file"
    ];
  };
  nix.gc.automatic = true;
  nix.gc.options = "--delete-older-than 2d";
  nix.settings.experimental-features = [ "nix-command" "flakes" ];
  /* This makes commandline tools like
  ** nix run nixpkgs#hello
  ** and nix-shell -p hello
  ** use the same channel the system
  ** was built with
  */
  nix.registry = {
    nixpkgs.flake = inputs.nixpkgs;
  };
  nix.nixPath = [ "nixpkgs=${inputs.nixpkgs}" ];
  environment.systemPackages = with pkgs; [
    file
    git
    gnupg
    htop
    nano
    ripgrep
    rsync
    screen
    tmux
    vim
    wget
    kitty.terminfo
  ];
  programs.zsh.enable = true;
  users.groups."drift".name = "drift";
  # Trusted users on the nix builder machines
  users.groups."nix-builder-users".name = "nix-builder-users";
  services.openssh = {
    enable = true;
    extraConfig = ''
      PubkeyAcceptedAlgorithms=+ssh-rsa
    '';
    settings.PermitRootLogin = "yes";
  };
  # nginx return 444 for all nonexistent virtualhosts
  systemd.services.nginx.after = [ "generate-snakeoil-certs.service" ];
  environment.snakeoil-certs = lib.mkIf config.services.nginx.enable {
    "/etc/certs/nginx" = {
      owner = "nginx";
      group = "nginx";
    };
  };
  services.nginx = {
    recommendedTlsSettings = true;
    recommendedProxySettings = true;
    recommendedOptimisation = true;
    recommendedGzipSettings = true;
    appendConfig = ''
      pcre_jit on;
      worker_processes auto;
      worker_rlimit_nofile 100000;
    '';
    eventsConfig = ''
      worker_connections 2048;
      use epoll;
      multi_accept on;
    '';
  };
  systemd.services.nginx.serviceConfig = lib.mkIf config.services.nginx.enable {
    LimitNOFILE = 65536;
  };
  services.nginx.virtualHosts."_" = lib.mkIf config.services.nginx.enable {
    sslCertificate = "/etc/certs/nginx.crt";
    sslCertificateKey = "/etc/certs/nginx.key";
    addSSL = true;
    extraConfig = "return 444;";
  };
  networking.firewall.allowedTCPPorts = lib.mkIf config.services.nginx.enable [ 80 443 ];
  security.acme = {
    acceptTerms = true;
    defaults.email = "drift@pvv.ntnu.no";
  };
 }
--- a/base/default.nix
+++ b/base/default.nix
@@ -0,0 +1,89 @@
 {
  pkgs,
  lib,
  fp,
  ...
 }:
 {
  imports = [
    (fp /users)
    (fp /modules/snakeoil-certs.nix)
    ./networking.nix
    ./nix.nix
    ./vm.nix
    ./flake-input-exporter.nix
    ./services/acme.nix
    ./services/uptimed.nix
    ./services/auto-upgrade.nix
    ./services/dbus.nix
    ./services/fwupd.nix
    ./services/irqbalance.nix
    ./services/logrotate.nix
    ./services/nginx.nix
    ./services/openssh.nix
    ./services/postfix.nix
    ./services/prometheus-node-exporter.nix
    ./services/prometheus-systemd-exporter.nix
    ./services/promtail.nix
    ./services/smartd.nix
    ./services/thermald.nix
    ./services/userborn.nix
    ./services/userdbd.nix
  ];
  boot.tmp.cleanOnBoot = lib.mkDefault true;
  boot.kernelPackages = lib.mkDefault pkgs.linuxPackages_latest;
  time.timeZone = "Europe/Oslo";
  i18n.defaultLocale = "en_US.UTF-8";
  console = {
    font = "Lat2-Terminus16";
    keyMap = "no";
  };
  environment.systemPackages = with pkgs; [
    file
    git
    gnupg
    htop
    nano
    ripgrep
    rsync
    screen
    tmux
    vim
    wget
    kitty.terminfo
  ];
  # .bash_profile already works, but lets also use .bashrc like literally every other distro
  # https://man.archlinux.org/man/core/bash/bash.1.en#INVOCATION
  # home-manager usually handles this for you: https://github.com/nix-community/home-manager/blob/22a36aa709de7dd42b562a433b9cefecf104a6ee/modules/programs/bash.nix#L203-L209
  # btw, programs.bash.shellInit just goes into environment.shellInit which in turn goes into /etc/profile, spooky shit
  programs.bash.shellInit = ''
    if [ -n "''${BASH_VERSION:-}" ]; then
      if [[ ! -f ~/.bash_profile && ! -f ~/.bash_login ]]; then
       [[ -f ~/.bashrc ]] && . ~/.bashrc
      fi
    fi
  '';
  programs.zsh.enable = true;
  # security.lockKernelModules = true;
  security.protectKernelImage = true;
  security.sudo.execWheelOnly = true;
  security.sudo.extraConfig = ''
    Defaults lecture = never
  '';
  users.groups."drift".name = "drift";
  # Trusted users on the nix builder machines
  users.groups."nix-builder-users".name = "nix-builder-users";
 }
--- a/base/flake-input-exporter.nix
+++ b/base/flake-input-exporter.nix
@@ -0,0 +1,55 @@
 {
  config,
  inputs,
  lib,
  pkgs,
  values,
  ...
 }:
 let
  data = lib.flip lib.mapAttrs inputs (
    name: input: {
      inherit (input)
        lastModified
        ;
    }
  );
  folder = pkgs.writeTextDir "share/flake-inputs" (
    lib.concatMapStringsSep "\n" (
      { name, value }: ''nixos_last_modified_input{flake="${name}"} ${toString value.lastModified}''
    ) (lib.attrsToList data)
  );
  port = 9102;
 in
 {
  services.nginx.virtualHosts."${config.networking.fqdn}-nixos-metrics" = {
    serverName = config.networking.fqdn;
    serverAliases = [
      "${config.networking.hostName}.pvv.org"
    ];
    locations."/metrics" = {
      root = "${folder}/share";
      tryFiles = "/flake-inputs =404";
      extraConfig = ''
        default_type text/plain;
      '';
    };
    listen = [
      {
        inherit port;
        addr = "0.0.0.0";
      }
    ];
    extraConfig = ''
      allow ${values.hosts.ildkule.ipv4}/32;
      allow ${values.hosts.ildkule.ipv6}/128;
      allow 127.0.0.1/32;
      allow ::1/128;
      allow ${values.ipv4-space};
      allow ${values.ipv6-space};
      deny all;
    '';
  };
  networking.firewall.allowedTCPPorts = [ port ];
 }
--- a/base/networking.nix
+++ b/base/networking.nix
@@ -0,0 +1,13 @@
 { lib, values, ... }:
 {
  systemd.network.enable = true;
  networking.domain = "pvv.ntnu.no";
  networking.useDHCP = false;
  # The rest of the networking configuration is usually sourced from /values.nix
  services.resolved = {
    enable = lib.mkDefault true;
    dnssec = "false"; # Supposdly this keeps breaking and the default is to allow downgrades anyways...
  };
 }
--- a/base/nix.nix
+++ b/base/nix.nix
@@ -0,0 +1,40 @@
 { lib, config, inputs, ... }:
 {
  nix = {
    gc = {
      automatic = true;
      options = "--delete-older-than 2d";
    };
    optimise.automatic = true;
    settings = {
      allow-dirty = true;
      auto-allocate-uids = true;
      builders-use-substitutes = true;
      experimental-features = [ "nix-command" "flakes" "auto-allocate-uids" ];
      log-lines = 50;
      use-xdg-base-directories = true;
    };
    /* This makes commandline tools like
    ** nix run nixpkgs#hello
    ** and nix-shell -p hello
    ** use the same channel the system
    ** was built with
    */
    registry = lib.mkMerge [
      {
        "nixpkgs".flake = inputs.nixpkgs;
        "nixpkgs-unstable".flake = inputs.nixpkgs-unstable;
      }
      # We avoid the reference to self in vmVariant to get a stable system .outPath for equivalence testing
      (lib.mkIf (!config.virtualisation.isVmVariant) {
        "pvv-nix".flake = inputs.self;
      })
    ];
    nixPath = [
      "nixpkgs=${inputs.nixpkgs}"
      "unstable=${inputs.nixpkgs-unstable}"
    ];
  };
 }
--- a/base/services/acme.nix
+++ b/base/services/acme.nix
@@ -0,0 +1,15 @@
 { ... }:
 {
  security.acme = {
    acceptTerms = true;
    defaults.email = "drift@pvv.ntnu.no";
  };
  # Let's not spam LetsEncrypt in `nixos-rebuild build-vm` mode:
  virtualisation.vmVariant = {
    security.acme.defaults.server = "https://127.0.0.1";
    security.acme.preliminarySelfsigned = true;
    users.users.root.initialPassword = "root";
  };
 }
--- a/base/services/auto-upgrade.nix
+++ b/base/services/auto-upgrade.nix
@@ -0,0 +1,39 @@
 { config, inputs, pkgs, lib, ... }:
 let
  inputUrls = lib.mapAttrs (input: value: value.url) (import "${inputs.self}/flake.nix").inputs;
 in
 {
  system.autoUpgrade = {
    enable = true;
    flake = "git+https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git";
    flags = [
      "--refresh"
      "--no-write-lock-file"
      # --update-input is deprecated since nix 2.22, and removed in lix 2.90
      # as such we instead use --override-input combined with --refresh
      # https://git.lix.systems/lix-project/lix/issues/400
    ] ++ (lib.pipe inputUrls [
      (lib.intersectAttrs {
        nixpkgs = { };
        nixpkgs-unstable = { };
      })
      (lib.mapAttrsToList (input: url: ["--override-input" input url]))
      lib.concatLists
    ]);
  };
  # workaround for https://github.com/NixOS/nix/issues/6895
  # via https://git.lix.systems/lix-project/lix/issues/400
  environment.etc = lib.mkIf (!config.virtualisation.isVmVariant) {
    "current-system-flake-inputs.json".source
      = pkgs.writers.writeJSON "flake-inputs.json" (
        lib.flip lib.mapAttrs inputs (name: input:
          # inputs.*.sourceInfo sans outPath, since writeJSON will otherwise serialize sourceInfo like a derivation
          lib.removeAttrs (input.sourceInfo or {}) [ "outPath" ]
            // { store-path = input.outPath; } # comment this line if you don't want to retain a store reference to the flake inputs
        )
      );
  };
 }
--- a/base/services/dbus.nix
+++ b/base/services/dbus.nix
@@ -0,0 +1,7 @@
 { ... }:
 {
  services.dbus = {
    enable = true;
    implementation = "broker";
  };
 }
--- a/base/services/fwupd.nix
+++ b/base/services/fwupd.nix
@@ -0,0 +1,4 @@
 { ... }:
 {
  services.fwupd.enable = true;
 }
--- a/base/services/irqbalance.nix
+++ b/base/services/irqbalance.nix
@@ -0,0 +1,4 @@
 { ... }:
 {
  services.irqbalance.enable = true;
 }
--- a/base/services/logrotate.nix
+++ b/base/services/logrotate.nix
@@ -0,0 +1,8 @@
 { ... }:
 {
  systemd.services.logrotate = {
    documentation = [ "man:logrotate(8)" "man:logrotate.conf(5)" ];
    unitConfig.RequiresMountsFor = "/var/log";
    serviceConfig.ReadWritePaths = [ "/var/log" ];
  };
 }
--- a/base/services/nginx.nix
+++ b/base/services/nginx.nix
@@ -0,0 +1,67 @@
 { config, lib, ... }:
 {
  # nginx return 444 for all nonexistent virtualhosts
  systemd.services.nginx.after = [ "generate-snakeoil-certs.service" ];
  environment.snakeoil-certs = lib.mkIf config.services.nginx.enable {
    "/etc/certs/nginx" = {
      owner = "nginx";
      group = "nginx";
    };
  };
  networking.firewall.allowedTCPPorts = lib.mkIf config.services.nginx.enable [ 80 443 ];
  services.nginx = {
    recommendedTlsSettings = true;
    recommendedProxySettings = true;
    recommendedOptimisation = true;
    recommendedGzipSettings = true;
    appendConfig = ''
      # pcre_jit on;
      worker_processes auto;
      worker_rlimit_nofile 100000;
    '';
    eventsConfig = ''
      worker_connections 2048;
      use epoll;
      # multi_accept on;
    '';
  };
  systemd.services.nginx.serviceConfig = lib.mkIf config.services.nginx.enable {
    LimitNOFILE = 65536;
    # We use jit my dudes
    MemoryDenyWriteExecute = lib.mkForce false;
    # What the fuck do we use that where the defaults are not enough???
    SystemCallFilter = lib.mkForce null;
  };
  services.nginx.virtualHosts."_" = lib.mkIf config.services.nginx.enable {
    listen = [
      {
        addr = "0.0.0.0";
        extraParameters = [
          "default_server"
          # Seemingly the default value of net.core.somaxconn
          "backlog=4096"
          "deferred"
        ];
      }
      {
        addr = "[::0]";
        extraParameters = [
          "default_server"
          "backlog=4096"
          "deferred"
        ];
      }
    ];
    sslCertificate = "/etc/certs/nginx.crt";
    sslCertificateKey = "/etc/certs/nginx.key";
    addSSL = true;
    extraConfig = "return 444;";
  };
 }
--- a/base/services/openssh.nix
+++ b/base/services/openssh.nix
@@ -0,0 +1,21 @@
 { ... }:
 {
  services.openssh = {
    enable = true;
    startWhenNeeded = true;
    extraConfig = ''
      PubkeyAcceptedAlgorithms=+ssh-rsa
      Match Group wheel
        PasswordAuthentication no
      Match All
    '';
    settings.PermitRootLogin = "yes";
  };
    users.users."root".openssh.authorizedKeys.keys = [
      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCqVt4LCe0YIttr9swFxjkjn37ZDY9JxwVC+2gvfSINDJorOCtqPjDOTD2fTS1Gz08QCwpnLWq2kyvRchu6WgriAbSACpbZZBgxRaF/FVh3oiMVFGnNKGnv6/fdo/vZtu8mUVuqtmTrgLYpZdbR4oD3XiBlDKs7Cv5hPqt95lnP6MNFvE8mICCfd1PwhsABd2IQ5laz3u77/RXhNFJL0Kf2/+6gk9awcLuwHrPdvq7c3BxRHbc9UMRQENyjyQPa7aLe+uJBFLKP51I8VBuDpDacuibQx7nMt6N2UJ2KWI0JxRMHuJNq4S5jidR82aOw9gzGbTv30SKNLMqsZ0xj4LtdqCXDiZF6Lr09PsJYsvnBUFWa14HGcThKDtgwQwBryNViYmfv//0h9+RLZiU0ab+NEwSs7Zh5iAD+vhx64QqNX3tR7Le4SWXh8W0eShU9N78qYdSkiC3Ui7htxeqOocXM/P4AwbnHsLELIvkHdvgchCPvl8ygZa4WJTEWv16+ICskJcAKWGuqjvXAFuwjJJmPp9xLW9O0DFfQhMELiGamQR9wK07yYQVr34iah6qZO7cwhSKyEPFrVPIaNtfDhsjED639F7vmktf26SWNJHWfW0wOHILjI6TgqUvy0JDd8W8w0CHlAfz6Fs2l99NNgNF8dB3vBASbxS0hu/y0PVu/xQ== openstack-sleipner"
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICCbgJ0Uwh9VSVhfId7l9i5/jk4CvAK5rbkiab8R+moF root@sleipner"
    ];
 }
--- a/base/services/postfix.nix
+++ b/base/services/postfix.nix
@@ -0,0 +1,22 @@
 { config, pkgs, lib, ... }:
 let
  cfg = config.services.postfix;
 in
 {
  services.postfix = {
    enable = true;
    settings.main = {
      myhostname = "${config.networking.hostName}.pvv.ntnu.no";
      mydomain = "pvv.ntnu.no";
      # Nothing should be delivered to this machine
      mydestination = [ ];
      relayhost = [ "smtp.pvv.ntnu.no:465" ];
      smtp_tls_wrappermode = "yes";
      smtp_tls_security_level = "encrypt";
    };
  };
 }
--- a/base/services/prometheus-node-exporter.nix
+++ b/base/services/prometheus-node-exporter.nix
@@ -0,0 +1,23 @@
 { config, lib, values, ... }:
 let
  cfg = config.services.prometheus.exporters.node;
 in
 {
  services.prometheus.exporters.node = {
    enable = lib.mkDefault true;
    port = 9100;
    enabledCollectors = [ "systemd" ];
  };
  systemd.services.prometheus-node-exporter.serviceConfig = lib.mkIf cfg.enable {
    IPAddressDeny = "any";
    IPAddressAllow = [
      "127.0.0.1"
      "::1"
      values.hosts.ildkule.ipv4
      values.hosts.ildkule.ipv6
    ];
  };
  networking.firewall.allowedTCPPorts = lib.mkIf cfg.enable [ cfg.port ];
 }
--- a/base/services/prometheus-systemd-exporter.nix
+++ b/base/services/prometheus-systemd-exporter.nix
@@ -0,0 +1,26 @@
 { config, lib, values, ... }:
 let
  cfg = config.services.prometheus.exporters.systemd;
 in
 {
  services.prometheus.exporters.systemd = {
    enable = lib.mkDefault true;
    port = 9101;
    extraFlags = [
      "--systemd.collector.enable-restart-count"
      "--systemd.collector.enable-ip-accounting"
    ];
  };
  systemd.services.prometheus-systemd-exporter.serviceConfig = {
    IPAddressDeny = "any";
    IPAddressAllow = [
      "127.0.0.1"
      "::1"
      values.hosts.ildkule.ipv4
      values.hosts.ildkule.ipv6
    ];
  };
  networking.firewall.allowedTCPPorts = lib.mkIf cfg.enable [ cfg.port ];
 }
--- a/base/services/promtail.nix
+++ b/base/services/promtail.nix
@@ -0,0 +1,38 @@
 { config, lib, values, ... }:
 let
  cfg = config.services.prometheus.exporters.node;
 in
 {
  services.promtail = {
    enable = lib.mkDefault true;
    configuration = {
      server = {
        http_listen_port = 28183;
        grpc_listen_port = 0;
      };
      clients = [{
        url = "http://ildkule.pvv.ntnu.no:3100/loki/api/v1/push";
      }];
      scrape_configs = [{
        job_name = "systemd-journal";
        journal = {
          max_age = "12h";
          labels = {
            job = "systemd-journal";
            host = config.networking.hostName;
          };
        };
        relabel_configs = [
          {
            source_labels = [ "__journal__systemd_unit" ];
            target_label = "unit";
          }
          {
            source_labels = [ "__journal_priority_keyword" ];
            target_label = "level";
          }
        ];
      }];
    };
  };
 }
--- a/base/services/smartd.nix
+++ b/base/services/smartd.nix
@@ -0,0 +1,20 @@
 { config, pkgs, lib, ... }:
 {
  services.smartd = {
    enable = lib.mkDefault true;
    notifications = {
      mail = {
        enable = true;
        sender = "root@pvv.ntnu.no";
        recipient = "root@pvv.ntnu.no";
      };
      wall.enable = false;
    };
  };
  environment.systemPackages = lib.optionals config.services.smartd.enable (with pkgs; [
    smartmontools
  ]);
  systemd.services.smartd.unitConfig.ConditionVirtualization = "no";
 }
--- a/base/services/thermald.nix
+++ b/base/services/thermald.nix
@@ -0,0 +1,8 @@
 { config, lib, ... }:
 {
  # Let's not thermal throttle
  services.thermald.enable = lib.mkIf (lib.all (x: x) [
      (config.nixpkgs.system == "x86_64-linux")
      (!config.boot.isContainer or false)
    ]) true;
 }
--- a/base/services/uptimed.nix
+++ b/base/services/uptimed.nix
@@ -0,0 +1,59 @@
 { config, pkgs, lib, ... }:
 let
  cfg = config.services.uptimed;
 in
 {
  options.services.uptimed.settings = lib.mkOption {
    description = "";
    default = { };
    type = lib.types.submodule {
      freeformType = with lib.types; attrsOf (either str (listOf str));
    };
  };
  config = {
    services.uptimed = {
      enable = true;
      settings = let
        stateDir = "/var/lib/uptimed";
      in {
        PIDFILE = "${stateDir}/pid";
        SENDMAIL = lib.mkDefault "${pkgs.system-sendmail}/bin/sendmail -t";
      };
    };
    systemd.services.uptimed = lib.mkIf (cfg.enable) {
      serviceConfig = let
        uptimed = pkgs.uptimed.overrideAttrs (prev: {
          postPatch = ''
             substituteInPlace Makefile.am \
               --replace-fail '$(sysconfdir)/uptimed.conf' '/var/lib/uptimed/uptimed.conf'
             substituteInPlace src/Makefile.am \
               --replace-fail '$(sysconfdir)/uptimed.conf' '/var/lib/uptimed/uptimed.conf'
          '';
        });
      in {
        Type = "notify";
        ExecStart = lib.mkForce "${uptimed}/sbin/uptimed -f";
        BindReadOnlyPaths = let
          configFile = lib.pipe cfg.settings [
            (lib.mapAttrsToList
              (k: v:
                if builtins.isList v
                  then lib.mapConcatStringsSep "\n" (v': "${k}=${v'}") v
                  else "${k}=${v}")
            )
            (lib.concatStringsSep "\n")
            (pkgs.writeText "uptimed.conf")
          ];
        in [
          "${configFile}:/var/lib/uptimed/uptimed.conf"
        ];
      };
    };
  };
 }
--- a/base/services/userborn.nix
+++ b/base/services/userborn.nix
@@ -0,0 +1,4 @@
 { ... }:
 {
  services.userborn.enable = true;
 }
--- a/base/services/userdbd.nix
+++ b/base/services/userdbd.nix
@@ -0,0 +1,4 @@
 { ... }:
 {
  services.userdbd.enable = true;
 }
--- a/base/vm.nix
+++ b/base/vm.nix
@@ -0,0 +1,15 @@
 { lib, ... }:
 # This enables
 #     lib.mkIf (!config.virtualisation.isVmVariant) { ... }
 {
  options.virtualisation.isVmVariant = lib.mkOption {
    description = "`true` if system is build with 'nixos-rebuild build-vm'";
    type = lib.types.bool;
    default = false;
  };
  config.virtualisation.vmVariant = {
    virtualisation.isVmVariant = true;
  };
 }
--- a/docs/development-misc.md
+++ b/docs/development-misc.md
@@ -0,0 +1,103 @@
 # Miscellaneous development notes
 This document contains a bunch of information that is not particularly specific to the pvv nixos config,
 but concerns technologies we use often or gotchas to be aware of when working with NixOS. A lot of the information
 here is already public information spread around the internet, but we've collected some of the items we use often
 here.
 ## The firewall
 `networking.firewall` is a NixOS module that configures `iptables` rules on the machine. It is enabled by default on
 all of our machines, and it can be easy to forget about it when setting up new services, especially when we are the
 ones creating the NixOS module.
 When setting up a new service that listens on a TCP or UDP port, make sure to add the appropriate ports to either
 `networking.firewall.allowedTCPPorts` or `networking.firewall.allowedUDPPorts`.
 You can list out the current firewall rules by running `sudo iptables -L -n -v` on the machine.
 ## Finding stuff
 Finding stuff, both underlying implementation and usage is absolutely crucial when working on nix.
 Oftentimes, the documentation will be outdated, lacking or just plain out wrong. These are some of
 the techniques we have found to be quite good when working with nix.
 ### [ripgrep](https://github.com/BurntSushi/ripgrep)
 ripgrep (or `rg` for short) is a tool that lets you recursively grep for regex patters in a directory.
 It is great for finding references to configuration, and where and how certain things are used. It is
 especially great when working with [nixpkgs](https://github.com/NixOS/nixpkgs), which is quite large.
 ### GitHub Search
 When trying to set up a new service or reconfigure something, it is very common that someone has done it
 before you, but it has never been documented anywhere. A lot of Nix code exists on GitHub, and you can
 easily query it by using the `lang:nix` filter in the search bar.
 For example: https://github.com/search?q=lang%3Anix+dibbler&type=code
 ## rsync
 `rsync` is a tool for synchronizing files between machines. It is very useful when transferring large
 amounts of data from a to b. We use it for multiple things, often when data is produced or stored on
 one machine, and we want to process or convert it on another. For example, we use it to transfer gitea
 artifacts, to transfer gallery pictures, to transfer minecraft world data for map rendering, and more.
 Along with `rsync`, we often use a lesser known tool called `rrsync`, which you can use inside an ssh
 configuration (`authorized_keys` file) to restrict what paths a user can access when connecting over ssh.
 This is useful both as a security measure, but also to avoid accidental overwrites of files outside the intended
 path. `rrsync` will use chroot to restrict what paths the user can access, as well as refuse to run arbitrary commands.
 ## `nix repl`
 `nix repl` is an interactive REPL for the Nix language. It is very useful for experimenting with Nix code,
 and testing out small snippets of code to make sure it behaves as expected. You can also use it to explore
 NixOS machine configurations, to interactively see that the configuration evaluates to what you expect.
 ```
 # While in the pvv-nixos-config directory
 nix repl .
 # Upon writing out the config path and clickin [Tab], you will get autocompletion suggestions:
 nix-repl> nixosConfigurations.bekkalokk.config.services.nginx.virtualHosts.
 nixosConfigurations.bekkalokk.config.services.nginx.virtualHosts._
 nixosConfigurations.bekkalokk.config.services.nginx.virtualHosts.bekkalokk.pvv.ntnu.no-nixos-metrics
 nixosConfigurations.bekkalokk.config.services.nginx.virtualHosts.idp.pvv.ntnu.no
 nixosConfigurations.bekkalokk.config.services.nginx.virtualHosts.minecraft.pvv.ntnu.no
 nixosConfigurations.bekkalokk.config.services.nginx.virtualHosts.pvv.ntnu.no
 nixosConfigurations.bekkalokk.config.services.nginx.virtualHosts.pvv.org
 nixosConfigurations.bekkalokk.config.services.nginx.virtualHosts.pw.pvv.ntnu.no
 nixosConfigurations.bekkalokk.config.services.nginx.virtualHosts.roundcubeplaceholder.example.com
 nixosConfigurations.bekkalokk.config.services.nginx.virtualHosts.snappymail.pvv.ntnu.no
 nixosConfigurations.bekkalokk.config.services.nginx.virtualHosts.webmail.pvv.ntnu.no
 nixosConfigurations.bekkalokk.config.services.nginx.virtualHosts.wiki.pvv.ntnu.no
 nixosConfigurations.bekkalokk.config.services.nginx.virtualHosts.www.pvv.ntnu.no
 nixosConfigurations.bekkalokk.config.services.nginx.virtualHosts.www.pvv.org
 ```
 ## `nix why-depends`
 If you ever wonder why a certain package is being used as a dependency of another package,
 or another machine, you can use `nix why-depends` to find the dependency path from one package to another.
 This is often useful after updating nixpkgs and finding an error saying that a certain package is insecure,
 broken or whatnot. You can do something like the following
 ```bash
 # Why does bekkalokk depend on openssl?
 nix why-depends .#nixosConfigurations.bekkalokk.config.system.build.toplevel .#nixosConfigurations.bekkalokk.pkgs.openssl
 # Why does bekkalokk's minecraft-server depend on zlib? (this is not real)
 nix why-depends .#nixosConfigurations.bekkalokk.pkgs.minecraft-server .#nixosConfigurations.bekkalokk.pkgs.zlib
 ```
 ## php-fpm
 php-fpm (FastCGI Process Manager) is a PHP implementation that is designed for speed and production use. We host a bunch
 of different PHP applications (including our own website), and so we use php-fpm quite a bit. php-fpm typically exposes a
 unix socket that nginx will connect to, and php-fpm will then render php upon web requests forwarded from nginx and return
 it.
 php-fpm has a tendency to be a bit hard to debug. It is not always very willing to spit out error messages and logs, and so
 it can be a bit hard to figure out what's up when something goes wrong. You should see some of the commented stuff laying around
 in the website code on bekkalokk for examples of how to configure php-fpm for better logging and error reporting.
--- a/docs/development.md
+++ b/docs/development.md
@@ -0,0 +1,190 @@
 # Development - working on the PVV machines
 This document outlines the process of editing our NixOS configurations, and testing and deploying said changes
 to the machines. Most of the information written here is specific to the PVV NixOS configuration, and the topics
 will not really cover the nix code itself in detail. You can find some more resources for that by either following
 the links from the *Upstream documentation* section below, or in [Miscellaneous development notes](./development-misc.md).
 ## Editing nix files
 > [!WARN]
 > Before editing any nix files, make sure to read [Secret management and `sops-nix`](./secret-management.md)!
 > We do not want to add any secrets in plaintext to the nix files, and certainly not commit and publish
 > them into the common public.
 The files are plaintext code, written in the [`Nix` language](https://nix.dev/manual/nix/stable/language/).
 Below is a list of important files and directories, and a description of what they contain.
 ### `flake.nix`
 The `flake.nix` file is a [nix flake](https://wiki.nixos.org/wiki/Flakes) and makes up the entrypoint of the
 entire configuration. It declares what inputs are used (similar to dependencies), as well as what outputs the
 flake exposes. In our case, the most important outputs are the `nixosConfigurations` (our machine configs), but
 we also expose custom modules, packages, devshells, and more. You can run `nix flake show` to get an overview of
 the outputs (however you will need to [enable the `nix-flakes` experimental option](https://wiki.nixos.org/wiki/Flakes#Setup)).
 You will find that a lot of the flake inputs are the different PVV projects that we develop, imported to be hosted
 on the NixOS machines. This makes it easy to deploy changes to these projects, as we can just update the flake input
 to point to a new commit or version, and then rebuild the machines.
 A NixOS configuration is usually made with the `nixpkgs.lib.nixosSystem` function, however we have a few custom wrapper
 functions named `nixosConfig` and `stableNixosConfig` that abstracts away some common configuration we want on all our machines.
 ### `values.nix`
 `values.nix` is a somewhat rare pattern in NixOS configurations around the internet. It contains a bunch of constant values
 that we use throughout the configuration, such as IP addresses, DNS names, paths and more. This not only makes it easier to
 change the values should we need to, but it also makes the configuration more readable. Instead of caring what exact IP any
 machine has, you can write `values.machines.name.ipv4` and abstract the details away.
 ### `base`
 The `base` directory contains a bunch of NixOS configuration that is common for all or most machines. Some of the config
 you will find here sets defaults for certain services without enabling them, so that when they are enabled in a machine config,
 we don't need to repeat the same defaults over again. Other parts actually enable certain services that we want on all machines,
 such as `openssh` or the auto upgrade timer.
 ### Vendoring `modules` and `packages`
 Sometimes, we either find that the packages or modules provided by `nixpkgs` is not sufficient for us,
 or that they are bugged in some way that can not be easily overrided. There are also cases where the
 modules or packages does not exist. In these cases, we tend to either copy and modify the modules and
 packages from nixpkgs, or create our own. These modules and packages end up in the top-level `modules`
 and `packages` directories. They are usually exposed in `flake.nix` as flake outputs `nixosModules.<name>`
 and `packages.<platform>.<name>`, and they are usually also added to the machines that need them in the flake.
 In order to override or add an extra package, the easiest way is to use an [`overlay`](https://wiki.nixos.org/wiki/Overlays).
 This makes it so that the package from `pkgs.<name>` now refers to the modified variant of the package.
 In order to add a module, you can just register it in the modules of the nixos machine.
 In order to override a module, you also have to use `disabledModules = [ "<path-relative-to-nixpkgs/modules>" ];`.
 Use `rg` to find examples of the latter.
 Do note that if you believe a new module to be of high enough quality, or the change you are making to be
 relevant for every nix user, you should strongly consider also creating a PR towards nixpkgs. However,
 getting changes made there has a bit higher threshold and takes more time than making changes in the PVV config,
 so feel free to make the changes here first. We can always remove the changes again once the upstreaming is finished.
 ### `users`, `secrets` and `keys`
 For `users`, see [User management](./users.md)
 For `secrets` and `keys`, see [Secret management and `sops-nix`](./secret-management.md)
 ### Collaboration
 We use our gitea to collaborate on changes to the nix configuration. Every PVV maintenance member should have
 access to the repository. The usual workflow is that we create a branch for the change we want to make, do a bunch
 of commits and changes, and then open a merge request for review (or just rebase on master if you know what you are doing).
 ### Upstream documentation
 Here are different sources of documentation and stuff that you might find useful while
 writing, editing and debugging nix code.
 - [nixpkgs repository](https://github.com/NixOS/nixpkgs)
 This is particularly useful to read the source code, as well as upstreaming pieces of code that we think
 everyone would want
 - [NixOS search](https://search.nixos.org/)
 This is useful for searching for both packages and NixOS options.
 - [nixpkgs documentation](https://nixos.org/manual/nixpkgs/stable/)
 - [NixOS documentation](https://nixos.org/manual/nixos/stable/)
 - [nix (the tool) documentation](https://nix.dev/manual/nix/stable/)
 All of the three above make up the official documentation with all technical
 details about the different pieces that makes up NixOS.
 - [The official NixOS wiki](https://wiki.nixos.org)
 User-contributed guides, tips and tricks, and whatever else.
 - [nix.dev](https://nix.dev)
 Additional stuff
 - [Noogle](https://noogle.dev)
 This is useful when looking for nix functions and packaging helpers.
 ## Testing and deploying changes
 After editing the nix files on a certain branch, you will want to test and deploy the changes to the machines.
 Unfortunately, we don't really have a good setup for testing for runtime correctness locally, but we can at least
 make sure that the code evaluates and builds correctly before deploying.
 To just check that the code evaluates without errors, you can run:
 ```bash
 nix flake check
 # Or if you want to keep getting all errors before it quits:
 nix flake check --keep-going
 ```
 > [!NOTE]
 > If you are making changes that involves creating new nix files, remember to `git add` those files before running
 > any nix commands. Nix refuses to acknowledge files that are not either commited or at least staged. It will spit
 > out an error message about not finding the file in question.
 ### Building machine configurations
 To build any specific machine configuration and look at the output, you can run:
 ```bash
 nix build .#nixosConfigurations.<machine-name>.config.system.build.toplevel
 # or just
 nix build .#<machine-name>
 ```
 This will create a symlink name `./result` to a directory containing the built NixOS system. It is oftentimes
 the case that config files for certain services only end up in the nix store without being put into `/etc`. If you wish
 to read those files, you can often find them by looking at the systemd unit files in `./result/etc/systemd/system/`.
 (if you are using vim, `gf` or go-to-file while the cursor is over a file path is a useful trick while doing this).
 If you have edited something that affects multiple machines, you can also build all important machines at once by running:
 ```bash
 nix build .#
 ```
 > [!NOTE]
 > Building all machines at once can take a long time, depending on what has changed and whether you have already
 > built some of the machines recently. Be prepared to wait for up to an hour to build all machines from scratch
 > if this is the first time.
 ### Deploying to machines
 > [!WARN]
 > Be careful to think about state when testing changes against the machines. Sometimes, a certain change
 > can lead to irreversible changes to the data stored on the machine. An example would be a set of database
 > migrations applied when testing a newer version of a service. Unless that service also comes with downwards
 > migrations, you can not go back to the previous version without losing data.
 To deploy the changes to a machine, you should first SSH into the machine, and clone the pvv-nixos-config
 repository unless you have already done so. After that, checkout the branch you want to deploy from, and rebuild:
 ```bash
 # Run this while in the pvv-nixos-config directory
 sudo nixos-rebuild switch --update-input nixpkgs --update-input nixpkgs-unstable --no-write-lock-file --refresh --flake .# --upgrade
 ```
 This will rebuild the NixOS system on the current branch and switch the system configuration to reflect the new changes.
 Note that unless you eventually merge the current changes into `main`, the machine will rebuild itself automatically and
 revert the changes on the next nightly rebuild (tends to happen when everybody is asleep).
 ### Forcefully reset to `main`
 If you ever want to reset a machine to the `main` branch, you can do so by running:
 ```bash
 nixos-rebuild switch --update-input nixpkgs --update-input nixpkgs-unstable --no-write-lock-file --refresh --upgrade --flake git+https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git
 ```
 This will ignore the current branch and just pull the latest `main` from the git repository directly from gitea.
 You can also use this command if there are updates on the `main` branch that you want to deploy to the machine without
 waiting for the nightly rebuild.
--- a/docs/secret-management.md
+++ b/docs/secret-management.md
@@ -0,0 +1,160 @@
 # Secret management and `sops-nix`
 Nix config is love, nix config is life, and publishing said config to the
 internet is not only a good deed and kinda cool, but also encourages properly
 secured configuration as opposed to [security through obscurity](https://en.wikipedia.org/wiki/Security_through_obscurity).
 That being said, there are some details of the config that we really shouldn't
 share with the general public. In particular, there are so-called *secrets*, that is
 API keys, passwords, tokens, cookie secrets, salts, peppers and jalapenos that we'd
 rather keep to ourselves. However, it is not entirely trivial to do so in the NixOS config.
 For one, we'd have to keep these secrets out of the public git repo somehow, and secondly
 everything that is configured via nix ends up as world readable files (i.e. any user on the
 system can read the file) in `/nix/store`.
 In order to solve this, we use a NixOS module called [`sops-nix`](https://github.com/Mic92/sops-nix)
 which uses a technology called [`sops`](https://github.com/getsops/sops) behind the scenes.
 The idea is simple: we encrypt these secrets with a bunch of different keys and store the
 encrypted files in the git repo. First of all, we encrypt the secrets a bunch of time with
 PVV maintenance member's keys, so that we can decrypt and edit the contents. Secondly, we
 encrypt the secrets with the [host keys]() of the NixOS machines, so that they can decrypt
 the secrets. The secrets will be decrypted and stored in a well-known location (usually `/run/secrets`)
 so that they do not end up in the nix store, and are not world readable.
 This way, we can both keep the secrets in the git repository and let multiple people edit them,
 but also ensure that they don't end up in the wrong hands.
 ## Adding a new machine
 In order to add a new machine to the nix-sops setup, you should do the following:
 ```console
 # Create host keys (if they don't already exist)
 ssh-keygen -A -b 4096
 # Derive an age-key from the public host key
 nix-shell -p ssh-to-age --run 'cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age'
 # Register the age key in .sops.yaml
 vim .sops.yaml
 ```
 The contents of `.sops.yaml` should look like this:
 ```yaml
 keys:
  # Users
  ...
  # Hosts
  ...
  - &host_<machine_name> <public_age_key>
 creation_rules:
  ...
  - path_regex: secrets/<machine_name>/[^/]+\.yaml$
    key_groups:
    - age:
      - *host_<machine_name>
      - ... user keys
    - pgp:
      - ... user keys
 ```
 > [!NOTE]
 > Take care that all the keys in the `age` and `pgp` sections are prefixed
 > with a `-`, or else sops might try to encrypt the secrets in a way where
 > you need both keys present to decrypt the content. Also, it tends to throw
 > interesting errors when it fails to do so.
 ```console
 # While cd-ed into the repository, run this to get a shell with the `sops` tool present
 nix-shell
 ```
 Now you should also be able to edit secrets for this machine by running:
 ```
 sops secrets/<machine_name>/<machine_name>.yaml
 ```
 ## Adding a user
 Adding a user is quite similar to adding a new machine.
 This guide assumes you have already set up SSH keys.
 ```
 # Derive an age-key from your key
 # (edit the path to the key if it is named something else)
 nix-shell -p ssh-to-age --run 'cat ~/.ssh/id_ed25519.pub | ssh-to-age'
 # Register the age key in .sops.yaml
 vim .sops.yaml
 ```
 The contents of `.sops.yaml` should look like this:
 ```yaml
 keys:
  # Users
  ...
  - &user_<user_name> <public_age_key>
  # Hosts
  ...
 creation_rules:
  ...
  # Do this for all the machines you are planning to edit
  # (or just do it for all machines)
  - path_regex: secrets/<machine_name>/[^/]+\.yaml$
    key_groups:
    - age:
      - *host_<machine_name>
      - ... user keys
      - *host_<user_name>
    - pgp:
      - ... user keys
 ```
 Now that sops is properly configured to recognize the key, you need someone
 who already has access to decrypt all the secrets and re-encrypt them with your
 key. At this point, you should probably [open a PR](https://docs.gitea.com/usage/issues-prs/pull-request)
 and ask someone in PVV maintenance if they can checkout the PR branch, run the following
 command and push the diff back into the PR (and maybe even ask them to merge if you're feeling
 particularly needy).
 ```console
 sops updatekeys secrets/*/*.yaml
 ```
 ## Updating keys
 > [!NOTE]
 > At some point, we found this flag called `sops -r` that seemed to be described to do what
 > `sops updatekeys` does, do not be fooled. This only rotates the "inner key" for those who
 > already have the secrets encrypted with their key.
 Updating keys is done with this command:
 ```console
 sops updatekeys secrets/*/*.yaml
 ```
 However, there is a small catch. [oysteikt](https://git.pvv.ntnu.no/oysteikt) has kinda been
 getting gray hairs lately, and refuses to use modern technology - he is still stuck using GPG.
 This means that to be able to re-encrypt the sops secrets, you will need to have a gpg keychain
 with his latest public key available. The key has an expiry date, so if he forgets to update it,
 you should send him and angry email and tag him a bunch of times in a gitea issue. If the key
 is up to date, you can do the following:
 ```console
 # Fetch gpg (unless you have it already)
 nix-shell -p gpg
 # Import oysteikts key to the gpg keychain
 gpg --import ./keys/oysteikt.pub
 ```
 Now you should be able to run the `sops updatekeys` command again.
--- a/docs/users.md
+++ b/docs/users.md
@@ -0,0 +1,50 @@
 # User management
 Due to some complications with how NixOS creates users compared to how we used to
 create users with the salt-based setup, the NixOS machine users are created and
 managed separately. We tend to create users on-demand, whenever someone in PVV
 maintenance want to work on the NixOS machines.
 ## Setting up a new user
 You can find the files for the existing users, and thereby examples of user files
 in the [`users`](../users) directory. When creating a new file here, you should name it
 `your-username.nix`, and add *at least* the following contents:
 ```nix
 { pkgs, ... }:
 {
  users.users."<username>" = {
    isNormalUser = true;
    extraGroups = [
      "wheel" # In case you wanna use sudo (you probably do)
      "nix-builder-users" # Arbitrary access to write to the nix store
    ];
    # Any packages you frequently use to manage servers go here.
    # Please don't pull gigantonormous packages here unless you
    # absolutely need them, and remember that any package can be
    # pulled via nix-shell if you only use it once in a blue moon.
    packages = with pkgs; [
      bottom
      eza
    ];
    # Not strictly needed, but we recommend adding your public SSH
    # key here. If it is not present, you will have to log into the
    # machine as 'root' before setting your password for every NixOS
    # machine you have not logged into yet.
    openssh.authorizedKeys.keys = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIjiQ0wg4lpC7YBMAAHoGmgwqHOBi+EUz5mmCymGlIyT my-key"
    ];
  };
 }
 ```
 The file will be picked up automatically, so creating the file and adding the
 contents should be enough to get you registered. You should
 [open a PR](https://docs.gitea.com/usage/issues-prs/pull-request) with the new
 code so the machines will be rebuilt with your user present.
 See also [Secret Management](./secret-management.md) for how to add your keys to the
 system that lets us add secrets (API keys, password, etc.) to the NixOS config.
--- a/flake.lock
+++ b/flake.lock
@@ -1,5 +1,26 @@
 {
  "nodes": {
    "devshell": {
      "inputs": {
        "nixpkgs": [
          "nix-topology",
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1728330715,
        "narHash": "sha256-xRJ2nPOXb//u1jaBnDP56M7v5ldavjbtR6lfGqSvcKg=",
        "owner": "numtide",
        "repo": "devshell",
        "rev": "dd6b80932022cea34a019e2bb32f6fa9e494dfef",
        "type": "github"
      },
      "original": {
        "owner": "numtide",
        "repo": "devshell",
        "type": "github"
      }
    },
    "disko": {
      "inputs": {
        "nixpkgs": [
@@ -7,38 +28,33 @@
        ]
      },
      "locked": {
-        "lastModified": 1716431128,
+        "lastModified": 1736864502,
-        "narHash": "sha256-t3T8HlX3udO6f4ilLcN+j5eC3m2gqsouzSGiriKK6vk=",
+        "narHash": "sha256-ItkIZyebGvNH2dK9jVGzJHGPtb6BSWLN8Gmef16NeY0=",
        "owner": "nix-community",
        "repo": "disko",
-        "rev": "7ffc4354dfeb37c8c725ae1465f04a9b45ec8606",
+        "rev": "0141aabed359f063de7413f80d906e1d98c0c123",
        "type": "github"
      },
      "original": {
        "owner": "nix-community",
        "ref": "v1.11.0",
        "repo": "disko",
        "type": "github"
      }
    },
-    "fix-python": {
+    "flake-compat": {
-      "inputs": {
+      "flake": false,
        "flake-utils": "flake-utils",
        "nixpkgs": [
          "grzegorz",
          "nixpkgs"
        ]
      },
      "locked": {
-        "lastModified": 1713887124,
+        "lastModified": 1696426674,
-        "narHash": "sha256-hGTSm0p9xXUYDgsAAr/ORZICo6T6u33vLfX3tILikaQ=",
+        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
-        "owner": "GuillaumeDesforges",
+        "owner": "edolstra",
-        "repo": "fix-python",
+        "repo": "flake-compat",
-        "rev": "f7f4b33e22414071fc1f9cbf68072c413c3a7fdf",
+        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
        "type": "github"
      },
      "original": {
-        "owner": "GuillaumeDesforges",
+        "owner": "edolstra",
-        "repo": "fix-python",
+        "repo": "flake-compat",
        "type": "github"
      }
    },
@@ -47,39 +63,84 @@
        "systems": "systems"
      },
      "locked": {
-        "lastModified": 1689068808,
+        "lastModified": 1726560853,
-        "narHash": "sha256-6ixXo3wt24N/melDWjq70UuHQLxGV8jZvooRanIHXw0=",
+        "narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=",
        "owner": "numtide",
        "repo": "flake-utils",
-        "rev": "919d646de7be200f3bf08cb76ae1f09402b6f9b4",
+        "rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a",
        "type": "github"
      },
      "original": {
-        "id": "flake-utils",
+        "owner": "numtide",
-        "type": "indirect"
+        "repo": "flake-utils",
        "type": "github"
      }
    },
-    "grzegorz": {
+    "gergle": {
      "inputs": {
        "fix-python": "fix-python",
        "nixpkgs": [
-          "nixpkgs-unstable"
+          "nixpkgs"
        ]
      },
      "locked": {
-        "lastModified": 1716065905,
+        "lastModified": 1764868579,
-        "narHash": "sha256-08uhxBzfakfhl/ooc+gMzDupWKYvTeyQZwuvB1SBS7A=",
+        "narHash": "sha256-rfTUOIc0wnC4+19gLVfPbHfXx/ilfuUix6bWY+yaM2U=",
-        "owner": "Programvareverkstedet",
+        "ref": "main",
-        "repo": "grzegorz",
+        "rev": "9c923d1d50daa6a3b28c3214ad2300bfaf6c8fcd",
-        "rev": "0481aef6553ae9aee86e4edb4ca0ed4f2eba2058",
+        "revCount": 22,
        "type": "git",
        "url": "https://git.pvv.ntnu.no/Grzegorz/gergle.git"
      },
      "original": {
        "ref": "main",
        "type": "git",
        "url": "https://git.pvv.ntnu.no/Grzegorz/gergle.git"
      }
    },
    "gitignore": {
      "inputs": {
        "nixpkgs": [
          "nix-topology",
          "pre-commit-hooks",
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1709087332,
        "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
        "owner": "hercules-ci",
        "repo": "gitignore.nix",
        "rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
        "type": "github"
      },
      "original": {
-        "owner": "Programvareverkstedet",
+        "owner": "hercules-ci",
-        "repo": "grzegorz",
+        "repo": "gitignore.nix",
        "type": "github"
      }
    },
    "greg-ng": {
      "inputs": {
        "nixpkgs": [
          "nixpkgs"
        ],
        "rust-overlay": "rust-overlay"
      },
      "locked": {
        "lastModified": 1765760377,
        "narHash": "sha256-2+lgzUjVas9hPSeWn52MwuX+iidMN4RkzkHo4vrGmR8=",
        "ref": "main",
        "rev": "f340dc5b9c9f3b75b7aca41f56f8869b9e28cf8c",
        "revCount": 58,
        "type": "git",
        "url": "https://git.pvv.ntnu.no/Grzegorz/greg-ng.git"
      },
      "original": {
        "ref": "main",
        "type": "git",
        "url": "https://git.pvv.ntnu.no/Grzegorz/greg-ng.git"
      }
    },
    "grzegorz-clients": {
      "inputs": {
        "nixpkgs": [
@@ -87,17 +148,18 @@
        ]
      },
      "locked": {
-        "lastModified": 1716115695,
+        "lastModified": 1764867811,
-        "narHash": "sha256-aI65l4x+U5v3i/nfn6N3eW5IZodmf4pyAByE7vTJh8I=",
+        "narHash": "sha256-UWHiwr8tIcGcVxMLvAdNxDbQ8QuHf3REHboyxvFkYEI=",
-        "owner": "Programvareverkstedet",
+        "ref": "master",
-        "repo": "grzegorz-clients",
+        "rev": "c9983e947efe047ea9d6f97157a1f90e49d0eab3",
-        "rev": "b9444658fbb39cd1bf1c61ee5a1d5f0641c49abe",
+        "revCount": 81,
-        "type": "github"
+        "type": "git",
        "url": "https://git.pvv.ntnu.no/Grzegorz/grzegorz-clients.git"
      },
      "original": {
-        "owner": "Programvareverkstedet",
+        "ref": "master",
-        "repo": "grzegorz-clients",
+        "type": "git",
-        "type": "github"
+        "url": "https://git.pvv.ntnu.no/Grzegorz/grzegorz-clients.git"
      }
    },
    "matrix-next": {
@@ -107,20 +169,63 @@
        ]
      },
      "locked": {
-        "lastModified": 1717234745,
+        "lastModified": 1764844095,
-        "narHash": "sha256-MFyKRdw4WQD6V3vRGbP6MYbtJhZp712zwzjW6YiOBYM=",
+        "narHash": "sha256-Drf1orxsmFDzO+UbPo85gHjXW7QzAM+6oTPvI7vOSik=",
        "owner": "dali99",
        "repo": "nixos-matrix-modules",
-        "rev": "d7dc42c9bbb155c5e4aa2f0985d0df75ce978456",
+        "rev": "25b9f31ef1dbc3987b4c716de716239f2b283701",
        "type": "github"
      },
      "original": {
        "owner": "dali99",
-        "ref": "v0.6.0",
+        "ref": "v0.8.0",
        "repo": "nixos-matrix-modules",
        "type": "github"
      }
    },
    "minecraft-heatmap": {
      "inputs": {
        "nixpkgs": [
          "nixpkgs"
        ],
        "rust-overlay": "rust-overlay_2"
      },
      "locked": {
        "lastModified": 1766407405,
        "narHash": "sha256-UEJ8F8/oG70biWRrGbL5/aB7OXzzvnYs+jxkR07UHvA=",
        "ref": "main",
        "rev": "e719840f72ca1b0cd169562a3a0de69899821de0",
        "revCount": 16,
        "type": "git",
        "url": "https://git.pvv.ntnu.no/Projects/minecraft-heatmap.git"
      },
      "original": {
        "ref": "main",
        "type": "git",
        "url": "https://git.pvv.ntnu.no/Projects/minecraft-heatmap.git"
      }
    },
    "minecraft-kartverket": {
      "inputs": {
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1765904683,
        "narHash": "sha256-uXM56y5n5GWpCiCNdKlTcCAy2IntgDB21c4gBDU30io=",
        "ref": "main",
        "rev": "6fae27b1659efb6774cf08a4e36ed29ab0e24105",
        "revCount": 26,
        "type": "git",
        "url": "https://git.pvv.ntnu.no/Projects/minecraft-kartverket.git"
      },
      "original": {
        "ref": "main",
        "type": "git",
        "url": "https://git.pvv.ntnu.no/Projects/minecraft-kartverket.git"
      }
    },
    "nix-gitea-themes": {
      "inputs": {
        "nixpkgs": [
@@ -128,63 +233,95 @@
        ]
      },
      "locked": {
-        "lastModified": 1714416973,
+        "lastModified": 1743881366,
-        "narHash": "sha256-aZUcvXjdETUC6wVQpWDVjLUzwpDAEca8yR0ITDeK39o=",
+        "narHash": "sha256-ScGA2IHPk9ugf9bqEZnp+YB/OJgrkZblnG/XLEKvJAo=",
-        "ref": "refs/heads/main",
+        "ref": "main",
-        "rev": "2b23c0ba8aae68d3cb6789f0f6e4891cef26cc6d",
+        "rev": "db2e4becf1b11e5dfd33de12a90a7d089fcf68ec",
-        "revCount": 6,
+        "revCount": 11,
        "type": "git",
-        "url": "https://git.pvv.ntnu.no/oysteikt/nix-gitea-themes.git"
+        "url": "https://git.pvv.ntnu.no/Drift/nix-gitea-themes.git"
      },
      "original": {
        "ref": "main",
        "type": "git",
-        "url": "https://git.pvv.ntnu.no/oysteikt/nix-gitea-themes.git"
+        "url": "https://git.pvv.ntnu.no/Drift/nix-gitea-themes.git"
      }
    },
    "nix-topology": {
      "inputs": {
        "devshell": "devshell",
        "flake-utils": "flake-utils",
        "nixpkgs": [
          "nixpkgs"
        ],
        "pre-commit-hooks": "pre-commit-hooks"
      },
      "locked": {
        "lastModified": 1765969653,
        "narHash": "sha256-qVpQxyvdByeDfb+d+jhbyNna2Ie+w85iHpt4Qu0rv/E=",
        "owner": "oddlama",
        "repo": "nix-topology",
        "rev": "0ed73e5a1b65eb8ed388d070ebe8dedb9182f466",
        "type": "github"
      },
      "original": {
        "owner": "oddlama",
        "ref": "main",
        "repo": "nix-topology",
        "type": "github"
      }
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1716586607,
+        "lastModified": 1767043167,
-        "narHash": "sha256-PzpeC/xi0+YTGJS5rdbcOqVgIryuWHkimMVXoCIidgA=",
+        "narHash": "sha256-wN04/SL+8tV0D2HBIgt9dpX/03U18xoJ+8PT+dcn30E=",
-        "owner": "NixOS",
+        "rev": "0b43a6ee07997a6e319e92dcbf276c2736506944",
-        "repo": "nixpkgs",
+        "type": "tarball",
-        "rev": "03309929e115bba1339308814f8b6e63f250fedf",
+        "url": "https://releases.nixos.org/nixos/25.11-small/nixos-25.11.2789.0b43a6ee0799/nixexprs.tar.xz"
        "type": "github"
      },
      "original": {
-        "id": "nixpkgs",
+        "type": "tarball",
-        "ref": "nixos-24.05-small",
+        "url": "https://nixos.org/channels/nixos-25.11-small/nixexprs.tar.xz"
        "type": "indirect"
      }
    },
    "nixpkgs-stable": {
      "locked": {
        "lastModified": 1716061101,
        "narHash": "sha256-H0eCta7ahEgloGIwE/ihkyGstOGu+kQwAiHvwVoXaA0=",
        "owner": "NixOS",
        "repo": "nixpkgs",
        "rev": "e7cc61784ddf51c81487637b3031a6dd2d6673a2",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
        "ref": "release-23.11",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "nixpkgs-unstable": {
      "locked": {
-        "lastModified": 1716660083,
+        "lastModified": 1767031366,
-        "narHash": "sha256-QO7cdjtDhx72KEw6m0NOtuE5FS4asaRExZ65uFR/q8g=",
+        "narHash": "sha256-SJz8tVEnXusU8OzN5ixAXQgzXv8fNIzp9ztzUyobh4s=",
-        "owner": "NixOS",
+        "rev": "d23fedd87fcd067b1d160323fae0d0e4f995527d",
-        "repo": "nixpkgs",
+        "type": "tarball",
-        "rev": "6de51d98ec2ae46730f11845e221aab9d2470a8a",
+        "url": "https://releases.nixos.org/nixos/unstable-small/nixos-26.05pre918279.d23fedd87fcd/nixexprs.tar.xz"
      },
      "original": {
        "type": "tarball",
        "url": "https://nixos.org/channels/nixos-unstable-small/nixexprs.tar.xz"
      }
    },
    "pre-commit-hooks": {
      "inputs": {
        "flake-compat": "flake-compat",
        "gitignore": "gitignore",
        "nixpkgs": [
          "nix-topology",
          "nixpkgs"
        ],
        "nixpkgs-stable": [
          "nix-topology",
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1730797577,
        "narHash": "sha256-SrID5yVpyUfknUTGWgYkTyvdr9J1LxUym4om3SVGPkg=",
        "owner": "cachix",
        "repo": "pre-commit-hooks.nix",
        "rev": "1864030ed24a2b8b4e4d386a5eeaf0c5369e50a9",
        "type": "github"
      },
      "original": {
-        "id": "nixpkgs",
+        "owner": "cachix",
-        "ref": "nixos-unstable-small",
+        "repo": "pre-commit-hooks.nix",
-        "type": "indirect"
+        "type": "github"
      }
    },
    "pvv-calendar-bot": {
@@ -194,15 +331,16 @@
        ]
      },
      "locked": {
-        "lastModified": 1693136143,
+        "lastModified": 1764869785,
-        "narHash": "sha256-amHprjftc3y/bg8yf4hITCLa+ez5HIi0yGfR7TU6UIc=",
+        "narHash": "sha256-FGTIpC7gB4lbeL0bfYzn1Ge0PaCpd7VqWBLhJBx0i4A=",
-        "ref": "refs/heads/main",
+        "ref": "main",
-        "rev": "a32894b305f042d561500f5799226afd1faf5abb",
+        "rev": "8ce7fb0b1918bdb3d1489a40d73895693955e8b2",
-        "revCount": 9,
+        "revCount": 23,
        "type": "git",
        "url": "https://git.pvv.ntnu.no/Projects/calendar-bot.git"
      },
      "original": {
        "ref": "main",
        "type": "git",
        "url": "https://git.pvv.ntnu.no/Projects/calendar-bot.git"
      }
@@ -214,15 +352,16 @@
        ]
      },
      "locked": {
-        "lastModified": 1716150352,
+        "lastModified": 1767080188,
-        "narHash": "sha256-c13lzYbLmbrcbEdPTYZYtlX2Qsz1W+2sLsIMGShPgwo=",
+        "narHash": "sha256-BmyPuWeSQ9XREyi0KSerWRfJndmyzHNJLysBJld/KwA=",
-        "ref": "refs/heads/master",
+        "ref": "main",
-        "rev": "2cab4df4b119e08a1f90ea1c944652cd78b4d478",
+        "rev": "08a216f4473e26aa2a5349e72633c0ab24e8ffbd",
-        "revCount": 459,
+        "revCount": 534,
        "type": "git",
        "url": "https://git.pvv.ntnu.no/Projects/nettsiden.git"
      },
      "original": {
        "ref": "main",
        "type": "git",
        "url": "https://git.pvv.ntnu.no/Projects/nettsiden.git"
      }
@@ -230,10 +369,14 @@
    "root": {
      "inputs": {
        "disko": "disko",
-        "grzegorz": "grzegorz",
+        "gergle": "gergle",
        "greg-ng": "greg-ng",
        "grzegorz-clients": "grzegorz-clients",
        "matrix-next": "matrix-next",
        "minecraft-heatmap": "minecraft-heatmap",
        "minecraft-kartverket": "minecraft-kartverket",
        "nix-gitea-themes": "nix-gitea-themes",
        "nix-topology": "nix-topology",
        "nixpkgs": "nixpkgs",
        "nixpkgs-unstable": "nixpkgs-unstable",
        "pvv-calendar-bot": "pvv-calendar-bot",
@@ -241,23 +384,65 @@
        "sops-nix": "sops-nix"
      }
    },
    "rust-overlay": {
      "inputs": {
        "nixpkgs": [
          "greg-ng",
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1765680428,
        "narHash": "sha256-fyPmRof9SZeI14ChPk5rVPOm7ISiiGkwGCunkhM+eUg=",
        "owner": "oxalica",
        "repo": "rust-overlay",
        "rev": "eb3898d8ef143d4bf0f7f2229105fc51c7731b2f",
        "type": "github"
      },
      "original": {
        "owner": "oxalica",
        "repo": "rust-overlay",
        "type": "github"
      }
    },
    "rust-overlay_2": {
      "inputs": {
        "nixpkgs": [
          "minecraft-heatmap",
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1766371695,
        "narHash": "sha256-W7CX9vy7H2Jj3E8NI4djHyF8iHSxKpb2c/7uNQ/vGFU=",
        "owner": "oxalica",
        "repo": "rust-overlay",
        "rev": "d81285ba8199b00dc31847258cae3c655b605e8c",
        "type": "github"
      },
      "original": {
        "owner": "oxalica",
        "repo": "rust-overlay",
        "type": "github"
      }
    },
    "sops-nix": {
      "inputs": {
        "nixpkgs": [
          "nixpkgs"
-        ],
+        ]
        "nixpkgs-stable": "nixpkgs-stable"
      },
      "locked": {
-        "lastModified": 1716400300,
+        "lastModified": 1766894905,
-        "narHash": "sha256-0lMkIk9h3AzOHs1dCL9RXvvN4PM8VBKb+cyGsqOKa4c=",
+        "narHash": "sha256-pn8AxxfajqyR/Dmr1wnZYdUXHgM3u6z9x0Z1Ijmz2UQ=",
        "owner": "Mic92",
        "repo": "sops-nix",
-        "rev": "b549832718b8946e875c016a4785d204fcfc2e53",
+        "rev": "61b39c7b657081c2adc91b75dd3ad8a91d6f07a7",
        "type": "github"
      },
      "original": {
        "owner": "Mic92",
        "ref": "master",
        "repo": "sops-nix",
        "type": "github"
      }
--- a/flake.nix
+++ b/flake.nix
@@ -2,43 +2,54 @@
  description = "PVV System flake";
  inputs = {
-    nixpkgs.url = "nixpkgs/nixos-24.05-small";
+    nixpkgs.url = "https://nixos.org/channels/nixos-25.11-small/nixexprs.tar.xz";
-    nixpkgs-unstable.url = "nixpkgs/nixos-unstable-small";
+    nixpkgs-unstable.url = "https://nixos.org/channels/nixos-unstable-small/nixexprs.tar.xz";
-    sops-nix.url = "github:Mic92/sops-nix";
+    sops-nix.url = "github:Mic92/sops-nix/master";
    sops-nix.inputs.nixpkgs.follows = "nixpkgs";
-    disko.url = "github:nix-community/disko";
+    disko.url = "github:nix-community/disko/v1.11.0";
    disko.inputs.nixpkgs.follows = "nixpkgs";
-    pvv-nettsiden.url = "git+https://git.pvv.ntnu.no/Projects/nettsiden.git";
+    nix-topology.url = "github:oddlama/nix-topology/main";
    nix-topology.inputs.nixpkgs.follows = "nixpkgs";
    pvv-nettsiden.url = "git+https://git.pvv.ntnu.no/Projects/nettsiden.git?ref=main";
    pvv-nettsiden.inputs.nixpkgs.follows = "nixpkgs";
-    pvv-calendar-bot.url = "git+https://git.pvv.ntnu.no/Projects/calendar-bot.git";
+    pvv-calendar-bot.url = "git+https://git.pvv.ntnu.no/Projects/calendar-bot.git?ref=main";
    pvv-calendar-bot.inputs.nixpkgs.follows = "nixpkgs";
-    matrix-next.url = "github:dali99/nixos-matrix-modules/v0.6.0";
+    matrix-next.url = "github:dali99/nixos-matrix-modules/v0.8.0";
    matrix-next.inputs.nixpkgs.follows = "nixpkgs";
-    nix-gitea-themes.url = "git+https://git.pvv.ntnu.no/oysteikt/nix-gitea-themes.git";
+    nix-gitea-themes.url = "git+https://git.pvv.ntnu.no/Drift/nix-gitea-themes.git?ref=main";
    nix-gitea-themes.inputs.nixpkgs.follows = "nixpkgs";
-    grzegorz.url = "github:Programvareverkstedet/grzegorz";
+    minecraft-heatmap.url = "git+https://git.pvv.ntnu.no/Projects/minecraft-heatmap.git?ref=main";
-    grzegorz.inputs.nixpkgs.follows = "nixpkgs-unstable";
+    minecraft-heatmap.inputs.nixpkgs.follows = "nixpkgs";
-    grzegorz-clients.url = "github:Programvareverkstedet/grzegorz-clients";
+
    greg-ng.url = "git+https://git.pvv.ntnu.no/Grzegorz/greg-ng.git?ref=main";
    greg-ng.inputs.nixpkgs.follows = "nixpkgs";
    gergle.url = "git+https://git.pvv.ntnu.no/Grzegorz/gergle.git?ref=main";
    gergle.inputs.nixpkgs.follows = "nixpkgs";
    grzegorz-clients.url = "git+https://git.pvv.ntnu.no/Grzegorz/grzegorz-clients.git?ref=master";
    grzegorz-clients.inputs.nixpkgs.follows = "nixpkgs";
    minecraft-kartverket.url = "git+https://git.pvv.ntnu.no/Projects/minecraft-kartverket.git?ref=main";
    minecraft-kartverket.inputs.nixpkgs.follows = "nixpkgs";
  };
-  outputs = { self, nixpkgs, nixpkgs-unstable, pvv-nettsiden, sops-nix, disko, ... }@inputs:
+  outputs = { self, nixpkgs, nixpkgs-unstable, sops-nix, disko, ... }@inputs:
  let
-    nixlib = nixpkgs.lib;
+    inherit (nixpkgs) lib;
    systems = [
      "x86_64-linux"
      "aarch64-linux"
      "aarch64-darwin"
    ];
-    forAllSystems = f: nixlib.genAttrs systems (system: f system);
+    forAllSystems = f: lib.genAttrs systems f;
-    allMachines = nixlib.mapAttrsToList (name: _: name) self.nixosConfigurations;
+    allMachines = builtins.attrNames self.nixosConfigurations;
    importantMachines = [
      "bekkalokk"
      "bicep"
@@ -47,41 +58,84 @@
      "ildkule"
    ];
  in {
    inputs = lib.mapAttrs (_: src: src.outPath) inputs;
    pkgs = forAllSystems (system:
      import nixpkgs {
        inherit system;
        config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg)
          [
            "nvidia-x11"
            "nvidia-settings"
          ];
      });
    nixosConfigurations = let
      unstablePkgs = nixpkgs-unstable.legacyPackages.x86_64-linux;
-      nixosConfig = nixpkgs: name: config: nixpkgs.lib.nixosSystem (nixpkgs.lib.recursiveUpdate
+
-        rec {
+      nixosConfig =
        nixpkgs:
        name:
        configurationPath:
        extraArgs:
        lib.nixosSystem (lib.recursiveUpdate
        (let
          system = "x86_64-linux";
        in {
          inherit system;
          specialArgs = {
-            inherit nixpkgs-unstable inputs;
+            inherit unstablePkgs inputs;
            values = import ./values.nix;
-          };
+            fp = path: ./${path};
          } // extraArgs.specialArgs or { };
          modules = [
-            ./hosts/${name}/configuration.nix
+            configurationPath
            sops-nix.nixosModules.sops
-          ] ++ config.modules or [];
+          ] ++ extraArgs.modules or [];
          pkgs = import nixpkgs {
            inherit system;
            config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg)
              [
                "nvidia-x11"
                "nvidia-settings"
              ];
            overlays = [
              # Global overlays go here
-            ] ++ config.overlays or [ ];
+            ] ++ extraArgs.overlays or [ ];
          };
-        }
+        })
-        (removeAttrs config [ "modules" "overlays" ])
+        (builtins.removeAttrs extraArgs [
          "modules"
          "overlays"
          "specialArgs"
        ])
      );
-      stableNixosConfig = nixosConfig nixpkgs;
+      stableNixosConfig = name: extraArgs:
-      unstableNixosConfig = nixosConfig nixpkgs-unstable;
+          nixosConfig nixpkgs name ./hosts/${name}/configuration.nix extraArgs;
    in {
      bakke = stableNixosConfig "bakke" {
        modules = [
          disko.nixosModules.disko
        ];
      };
      bicep = stableNixosConfig "bicep" {
        modules = [
          inputs.matrix-next.nixosModules.default
          inputs.pvv-calendar-bot.nixosModules.default
          inputs.minecraft-heatmap.nixosModules.default
          self.nixosModules.gickup
          self.nixosModules.matrix-ooye
        ];
        overlays = [
-          inputs.pvv-calendar-bot.overlays.x86_64-linux.default
+          inputs.pvv-calendar-bot.overlays.default
          inputs.minecraft-heatmap.overlays.default
          (final: prev: {
            inherit (self.packages.${prev.system}) out-of-your-element;
          })
        ];
      };
      bekkalokk = stableNixosConfig "bekkalokk" {
@@ -90,42 +144,88 @@
            heimdal = unstablePkgs.heimdal;
            mediawiki-extensions = final.callPackage ./packages/mediawiki-extensions { };
            simplesamlphp = final.callPackage ./packages/simplesamlphp { };
            bluemap = final.callPackage ./packages/bluemap.nix { };
          })
          inputs.nix-gitea-themes.overlays.default
          inputs.pvv-nettsiden.overlays.default
        ];
        modules = [
          inputs.nix-gitea-themes.nixosModules.default
          inputs.pvv-nettsiden.nixosModules.default
-        ];
+          self.nixosModules.bluemap
      };
      bob = stableNixosConfig "bob" {
        modules = [
          disko.nixosModules.disko
          { disko.devices.disk.disk1.device = "/dev/vda"; }
        ];
      };
      ildkule = stableNixosConfig "ildkule" { };
      #ildkule-unstable = unstableNixosConfig "ildkule" { };
      shark = stableNixosConfig "shark" { };
      wenche = stableNixosConfig "wenche" { };
      kommode = stableNixosConfig "kommode" {
        overlays = [
          inputs.nix-gitea-themes.overlays.default
        ];
        modules = [
          inputs.nix-gitea-themes.nixosModules.default
        ];
      };
      ustetind = stableNixosConfig "ustetind" {
        modules = [
         "${nixpkgs}/nixos/modules/virtualisation/lxc-container.nix"
        ];
      };
      brzeczyszczykiewicz = stableNixosConfig "brzeczyszczykiewicz" {
        modules = [
          inputs.grzegorz.nixosModules.grzegorz-kiosk
          inputs.grzegorz-clients.nixosModules.grzegorz-webui
          inputs.gergle.nixosModules.default
          inputs.greg-ng.nixosModules.default
        ];
        overlays = [
          inputs.greg-ng.overlays.default
          inputs.gergle.overlays.default
        ];
      };
      georg = stableNixosConfig "georg" {
        modules = [
          inputs.grzegorz.nixosModules.grzegorz-kiosk
          inputs.grzegorz-clients.nixosModules.grzegorz-webui
          inputs.gergle.nixosModules.default
          inputs.greg-ng.nixosModules.default
        ];
        overlays = [
          inputs.greg-ng.overlays.default
          inputs.gergle.overlays.default
        ];
      };
-      buskerud = stableNixosConfig "buskerud" { };
+    }
    //
    (let
      machineNames = map (i: "lupine-${toString i}") (lib.range 1 5);
      stableLupineNixosConfig = name: extraArgs:
          nixosConfig nixpkgs name ./hosts/lupine/configuration.nix extraArgs;
    in lib.genAttrs machineNames (name: stableLupineNixosConfig name {
      modules = [{ networking.hostName = name; }];
      specialArgs.lupineName = name;
    }));
    nixosModules = {
      bluemap = ./modules/bluemap.nix;
      snakeoil-certs = ./modules/snakeoil-certs.nix;
      snappymail = ./modules/snappymail.nix;
      robots-txt = ./modules/robots-txt.nix;
      gickup = ./modules/gickup;
      matrix-ooye = ./modules/matrix-ooye.nix;
    };
    devShells = forAllSystems (system: {
-      default = nixpkgs.legacyPackages.${system}.callPackage ./shell.nix { };
+      default = nixpkgs-unstable.legacyPackages.${system}.callPackage ./shell.nix { };
      cuda = let
        cuda-pkgs = import nixpkgs-unstable {
          inherit system;
          config = {
            allowUnfree = true;
            cudaSupport = true;
          };
        };
      in cuda-pkgs.callPackage ./shells/cuda.nix { };
    });
    packages = {
@@ -134,20 +234,63 @@
      in rec {
        default = important-machines;
        important-machines = pkgs.linkFarm "important-machines"
-          (nixlib.getAttrs importantMachines self.packages.x86_64-linux);
+          (lib.getAttrs importantMachines self.packages.x86_64-linux);
        all-machines = pkgs.linkFarm "all-machines"
-          (nixlib.getAttrs allMachines self.packages.x86_64-linux);
+          (lib.getAttrs allMachines self.packages.x86_64-linux);
        simplesamlphp = pkgs.callPackage ./packages/simplesamlphp { };
-      } //
+        bluemap = pkgs.callPackage ./packages/bluemap.nix { };
-      (nixlib.pipe null [
+
        out-of-your-element = pkgs.callPackage ./packages/out-of-your-element.nix { };
      }
      //
      # Mediawiki extensions
      (lib.pipe null [
        (_: pkgs.callPackage ./packages/mediawiki-extensions { })
-        (nixlib.flip builtins.removeAttrs ["override" "overrideDerivation"])
+        (lib.flip builtins.removeAttrs ["override" "overrideDerivation"])
-        (nixlib.mapAttrs' (name: nixlib.nameValuePair "mediawiki-${name}"))
+        (lib.mapAttrs' (name: lib.nameValuePair "mediawiki-${name}"))
      ])
-      // nixlib.genAttrs allMachines
+      //
-        (machine: self.nixosConfigurations.${machine}.config.system.build.toplevel);
+      # Machines
      lib.genAttrs allMachines
        (machine: self.nixosConfigurations.${machine}.config.system.build.toplevel)
      //
      # Nix-topology
      (let
        topology' = import inputs.nix-topology {
          pkgs = import nixpkgs {
            system = "x86_64-linux";
            overlays = [ inputs.nix-topology.overlays.default ];
          };
          specialArgs = {
            values = import ./values.nix;
          };
          modules = [
            ./topology
            {
              nixosConfigurations = lib.mapAttrs (_name: nixosCfg: nixosCfg.extendModules {
                modules = [
                  inputs.nix-topology.nixosModules.default
                  ./topology/service-extractors/greg-ng.nix
                ];
              }) self.nixosConfigurations;
            }
          ];
        };
      in {
        topology = topology'.config.output;
        topology-png = pkgs.runCommand "pvv-config-topology-png" {
          nativeBuildInputs = [ pkgs.writableTmpDirAsHomeHook ];
        } ''
          mkdir -p "$out"
          for file in '${topology'.config.output}'/*.svg; do
            ${lib.getExe pkgs.imagemagick} -density 300 -background none "$file" "$out"/"$(basename "''${file%.svg}.png")"
          done
        '';
      });
    };
  };
 }
--- a/hosts/bakke/configuration.nix
+++ b/hosts/bakke/configuration.nix
@@ -0,0 +1,25 @@
 { config, pkgs, values, ... }:
 {
  imports = [
      ./hardware-configuration.nix
      ../../base
      ./filesystems.nix
    ];
  sops.defaultSopsFile = ../../secrets/bakke/bakke.yaml;
  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
  sops.age.keyFile = "/var/lib/sops-nix/key.txt";
  sops.age.generateKey = true;
  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;
  networking.hostName = "bakke";
  networking.hostId = "99609ffc";
  systemd.network.networks."30-enp2s0" = values.defaultNetworkConfig // {
    matchConfig.Name = "enp2s0";
    address = with values.hosts.bakke; [ (ipv4 + "/25") (ipv6 + "/64") ];
  };
  system.stateVersion = "24.05";
 }
--- a/hosts/bakke/disks.nix
+++ b/hosts/bakke/disks.nix
@@ -0,0 +1,83 @@
 {
  # https://github.com/nix-community/disko/blob/master/example/boot-raid1.nix
  # Note: Disko was used to create the initial md raid, but is no longer in active use on this host.
  disko.devices = {
    disk = {
      one = {
        type = "disk";
        device = "/dev/disk/by-id/ata-WDC_WD40EFRX-68WT0N0_WD-WCC4E2EER6N6";
        content = {
          type = "gpt";
          partitions = {
            ESP = {
              size = "500M";
              type = "EF00";
              content = {
                type = "mdraid";
                name = "boot";
              };
            };
            mdadm = {
              size = "100%";
              content = {
                type = "mdraid";
                name = "raid1";
              };
            };
          };
        };
      };
      two = {
        type = "disk";
        device = "/dev/disk/by-id/ata-WDC_WD40EFRX-68WT0N0_WD-WCC4E7LPLU71";
        content = {
          type = "gpt";
          partitions = {
            ESP = {
              size = "500M";
              type = "EF00";
              content = {
                type = "mdraid";
                name = "boot";
              };
            };
            mdadm = {
              size = "100%";
              content = {
                type = "mdraid";
                name = "raid1";
              };
            };
          };
        };
      };
    };
    mdadm = {
      boot = {
        type = "mdadm";
        level = 1;
        metadata = "1.0";
        content = {
          type = "filesystem";
          format = "vfat";
          mountpoint = "/boot";
        };
      };
      raid1 = {
        type = "mdadm";
        level = 1;
        content = {
          type = "gpt";
          partitions.primary = {
            size = "100%";
            content = {
              type = "filesystem";
              format = "ext4";
              mountpoint = "/";
            };
          };
        };
      };
    };
  };
 }
--- a/hosts/bakke/filesystems.nix
+++ b/hosts/bakke/filesystems.nix
@@ -0,0 +1,26 @@
 { config, pkgs, lib, ... }:
 {
  # Boot drives:
  boot.swraid.enable = true;
  # ZFS Data pool:
  environment.systemPackages = with pkgs; [ zfs ];
  boot = {
    zfs = {
      extraPools = [ "tank" ];
      requestEncryptionCredentials = false;
    };
    supportedFilesystems = [ "zfs" ];
    kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
  };
  services.zfs.autoScrub = {
    enable = true;
    interval = "Wed *-*-8..14 00:00:00";
  };
  # NFS Exports:
  #TODO
  # NFS Import mounts:
  #TODO
 }
--- a/hosts/bakke/hardware-configuration.nix
+++ b/hosts/bakke/hardware-configuration.nix
@@ -0,0 +1,52 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 { config, lib, pkgs, modulesPath, ... }:
 {
  imports =
    [ (modulesPath + "/installer/scan/not-detected.nix")
    ];
  boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ "kvm-intel" ];
  boot.extraModulePackages = [ ];
  fileSystems."/" =
    { device = "/dev/disk/by-uuid/0f63c3d2-fc12-4ed5-a5a5-141bfd67a571";
      fsType = "btrfs";
      options = [ "subvol=root" ];
    };
  fileSystems."/home" =
    { device = "/dev/disk/by-uuid/0f63c3d2-fc12-4ed5-a5a5-141bfd67a571";
      fsType = "btrfs";
      options = [ "subvol=home" ];
    };
  fileSystems."/nix" =
    { device = "/dev/disk/by-uuid/0f63c3d2-fc12-4ed5-a5a5-141bfd67a571";
      fsType = "btrfs";
      options = [ "subvol=nix" "noatime" ];
    };
  fileSystems."/boot" =
    { device = "/dev/sdc2";
      fsType = "vfat";
      options = [ "fmask=0022" "dmask=0022" ];
    };
  swapDevices = [ ];
  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
  # (the default) this is the recommended approach. When using systemd-networkd it's
  # still possible to use this option, but it's recommended to use it in conjunction
  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
  networking.useDHCP = lib.mkDefault false;
  # networking.interfaces.eno1.useDHCP = lib.mkDefault true;
  # networking.interfaces.enp2s0.useDHCP = lib.mkDefault true;
  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 }
--- a/hosts/bekkalokk/configuration.nix
+++ b/hosts/bekkalokk/configuration.nix
@@ -1,21 +1,23 @@
-{ pkgs, values, ... }:
+{ fp, pkgs, values, ... }:
 {
  imports = [
    ./hardware-configuration.nix
-    ../../base.nix
+    (fp /base)
    ../../misc/metrics-exporters.nix
-    ./services/website
+    ./services/bluemap.nix
    ./services/nginx.nix
    ./services/gitea/default.nix
    ./services/kerberos
    ./services/webmail
    ./services/mediawiki
    ./services/idp-simplesamlphp
    ./services/kerberos.nix
    ./services/mediawiki
    ./services/nginx.nix
    ./services/phpfpm.nix
    ./services/vaultwarden.nix
    ./services/webmail
    ./services/website
    ./services/well-known
  ];
-  sops.defaultSopsFile = ../../secrets/bekkalokk/bekkalokk.yaml;
+  sops.defaultSopsFile = fp /secrets/bekkalokk/bekkalokk.yaml;
  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
  sops.age.keyFile = "/var/lib/sops-nix/key.txt";
  sops.age.generateKey = true;
@@ -30,6 +32,8 @@
    address = with values.hosts.bekkalokk; [ (ipv4 + "/25") (ipv6 + "/64") ];
  };
  services.btrfs.autoScrub.enable = true;
  # Do not change, even during upgrades.
  # See https://search.nixos.org/options?show=system.stateVersion
  system.stateVersion = "22.11";
--- a/hosts/bekkalokk/services/bluemap.nix
+++ b/hosts/bekkalokk/services/bluemap.nix
@@ -0,0 +1,131 @@
 { config, lib, pkgs, inputs, ... }:
 let
  vanillaSurvival = "/var/lib/bluemap/vanilla_survival_world";
  format = pkgs.formats.hocon { };
 in {
  # NOTE: our versino of the module gets added in flake.nix
  disabledModules = [ "services/web-apps/bluemap.nix" ];
  sops.secrets."bluemap/ssh-key" = { };
  sops.secrets."bluemap/ssh-known-hosts" = { };
  services.bluemap = {
    enable = true;
    eula = true;
    onCalendar = "*-*-* 05:45:00"; # a little over an hour after auto-upgrade
    host = "minecraft.pvv.ntnu.no";
    maps = let
      inherit (inputs.minecraft-kartverket.packages.${pkgs.stdenv.hostPlatform.system}) bluemap-export;
    in {
      "verden" = {
        settings = {
          world = vanillaSurvival;
          dimension = "minecraft:overworld";
          name = "Verden";
          sorting = 0;
          start-pos = {
            x = 0;
            z = 0;
          };
          ambient-light = 0.1;
          cave-detection-ocean-floor = -5;
          marker-sets = {
            _includes = [ (format.lib.mkInclude "${bluemap-export}/overworld.hocon") ];
          };
        };
      };
      "underverden" = {
        settings = {
          world = vanillaSurvival;
          dimension = "minecraft:the_nether";
          name = "Underverden";
          sorting = 100;
          start-pos = {
            x = 0;
            z = 0;
          };
          sky-color = "#290000";
          void-color = "#150000";
          sky-light = 1;
          ambient-light = 0.6;
          remove-caves-below-y = -10000;
          cave-detection-ocean-floor = -5;
          cave-detection-uses-block-light = true;
          render-mask = [{
            max-y = 90;
          }];
          marker-sets = {
            _includes = [ (format.lib.mkInclude {
              required = true;
              type = "file";
              value = "${bluemap-export}/nether.hocon";
            }) ];
          };
        };
      };
      "enden" = {
        settings = {
          world = vanillaSurvival;
          dimension = "minecraft:the_end";
          name = "Enden";
          sorting = 200;
          start-pos = {
            x = 0;
            z = 0;
          };
          sky-color = "#080010";
          void-color = "#080010";
          sky-light = 1;
          ambient-light = 0.6;
          remove-caves-below-y = -10000;
          cave-detection-ocean-floor = -5;
          marker-sets = {
            _includes = [ (format.lib.mkInclude "${bluemap-export}/the-end.hocon") ];
          };
        };
      };
    };
  };
  systemd.services."render-bluemap-maps" = {
    serviceConfig = {
      StateDirectory = [ "bluemap/world" ];
      ExecStartPre = let
        rsyncArgs = lib.cli.toCommandLineShellGNU { } {
          archive = true;
          compress = true;
          verbose = true;
          no-owner = true;
          no-group = true;
          rsh = "${pkgs.openssh}/bin/ssh -o UserKnownHostsFile=%d/ssh-known-hosts -i %d/sshkey";
        };
      in "${lib.getExe pkgs.rsync} ${rsyncArgs} root@innovation.pvv.ntnu.no:/ ${vanillaSurvival}";
      LoadCredential = [
        "sshkey:${config.sops.secrets."bluemap/ssh-key".path}"
        "ssh-known-hosts:${config.sops.secrets."bluemap/ssh-known-hosts".path}"
      ];
    };
  };
  services.nginx.virtualHosts."minecraft.pvv.ntnu.no" = {
    enableACME = true;
    forceSSL = true;
    kTLS = true;
    http3 = true;
    quic = true;
    http3_hq = true;
    extraConfig = ''
      # Enabling QUIC 0-RTT
      ssl_early_data on;
      quic_gso on;
      quic_retry on;
      add_header Alt-Svc 'h3=":$server_port"; ma=86400';
    '';
  };
  networking.firewall.allowedUDPPorts = [ 443 ];
 }
--- a/hosts/bekkalokk/services/gitea/default.nix
+++ b/hosts/bekkalokk/services/gitea/default.nix
@@ -1,107 +0,0 @@
 { config, values, pkgs, ... }:
 let
  cfg = config.services.gitea;
  domain = "git.pvv.ntnu.no";
  sshPort  = 2222;
 in {
  imports = [
    ./ci.nix
    ./import-users.nix
  ];
  sops.secrets = {
    "gitea/database" = {
      owner = "gitea";
      group = "gitea";
    };
    "gitea/email-password" = {
      owner = "gitea";
      group = "gitea";
    };
  };
  services.gitea = {
    enable = true;
    stateDir = "/data/gitea";
    appName = "PVV Git";
    database = {
      type = "postgres";
      host = "postgres.pvv.ntnu.no";
      port = config.services.postgresql.settings.port;
      passwordFile = config.sops.secrets."gitea/database".path;
      createDatabase = false;
    };
    mailerPasswordFile = config.sops.secrets."gitea/email-password".path;
    settings = {
      server = {
        DOMAIN   = domain;
        ROOT_URL = "https://${domain}/";
        PROTOCOL = "http+unix";
        SSH_PORT = sshPort;
        START_SSH_SERVER = true;
      };
      mailer = {
        ENABLED = true;
        FROM = "gitea@pvv.ntnu.no";
        PROTOCOL = "smtp";
        SMTP_ADDR = "smtp.pvv.ntnu.no";
        SMTP_PORT = 587;
        USER = "gitea@pvv.ntnu.no";
      };
      indexer.REPO_INDEXER_ENABLED = true;
      service.DISABLE_REGISTRATION = true;
      session.COOKIE_SECURE = true;
      database.LOG_SQL = false;
      picture = {
        DISABLE_GRAVATAR = true;
        ENABLE_FEDERATED_AVATAR = false;
      };
      actions.ENABLED = true;
      "ui.meta".DESCRIPTION = "Bokstavelig talt programvareverkstedet";
    };
  };
  environment.systemPackages = [ cfg.package ];
  services.nginx.virtualHosts."${domain}" = {
    forceSSL = true;
    enableACME = true;
    kTLS = true;
    locations."/" = {
      proxyPass = "http://unix:${cfg.settings.server.HTTP_ADDR}";
      extraConfig = ''
        client_max_body_size 512M;
      '';
    };
  };
  networking.firewall.allowedTCPPorts = [ sshPort ];
  # Extra customization
  services.gitea-themes.monokai = pkgs.gitea-theme-monokai;
  systemd.services.install-gitea-customization = {
    description = "Install extra customization in gitea's CUSTOM_DIR";
    wantedBy = [ "gitea.service" ];
    requiredBy = [ "gitea.service" ];
    serviceConfig =  {
      Type = "oneshot";
      User = cfg.user;
      Group = cfg.group;
    };
    script = let
      logo-svg = ../../../../assets/logo_blue_regular.svg;
      logo-png = ../../../../assets/logo_blue_regular.png;
    in ''
      install -Dm444 ${logo-svg} ${cfg.customDir}/public/img/logo.svg
      install -Dm444 ${logo-png} ${cfg.customDir}/public/img/logo.png
      install -Dm444 ${./loading.apng} ${cfg.customDir}/public/img/loading.png
    '';
  };
 }
--- a/hosts/bekkalokk/services/gitea/gitea-import-users.py
+++ b/hosts/bekkalokk/services/gitea/gitea-import-users.py
@@ -1,94 +0,0 @@
 import requests
 import secrets
 import os
 EMAIL_DOMAIN = os.getenv('EMAIL_DOMAIN')
 if EMAIL_DOMAIN is None:
    EMAIL_DOMAIN = 'pvv.ntnu.no'
 API_TOKEN = os.getenv('API_TOKEN')
 if API_TOKEN is None:
    raise Exception('API_TOKEN not set')
 GITEA_API_URL = os.getenv('GITEA_API_URL')
 if GITEA_API_URL is None:
    GITEA_API_URL = 'https://git.pvv.ntnu.no/api/v1'
 BANNED_SHELLS = [
    "/usr/bin/nologin",
    "/usr/sbin/nologin",
    "/sbin/nologin",
    "/bin/false",
    "/bin/msgsh",
 ]
 existing_users = {}
 # This function should only ever be called when adding users
 # from the passwd file
 def add_user(username, name):
    user = {
            "full_name": name,
            "username": username,
            "login_name": username,
            "source_id": 1,  # 1 = SMTP
    }
    if username not in existing_users:
        user["password"] = secrets.token_urlsafe(32)
        user["must_change_password"] = False
        user["visibility"] = "private"
        user["email"] = username + '@' + EMAIL_DOMAIN
        r = requests.post(GITEA_API_URL + '/admin/users', json=user,
                          headers={'Authorization': 'token ' + API_TOKEN})
        if r.status_code != 201:
            print('ERR: Failed to create user ' + username + ': ' + r.text)
            return
        print('Created user ' + username)
        existing_users[username] = user
    else:
        user["visibility"] = existing_users[username]["visibility"]
        r = requests.patch(GITEA_API_URL + f'/admin/users/{username}',
                           json=user,
                           headers={'Authorization': 'token ' + API_TOKEN})
        if r.status_code != 200:
            print('ERR: Failed to update user ' + username + ': ' + r.text)
            return
        print('Updated user ' + username)
 def main():
    # Fetch existing users
    r = requests.get(GITEA_API_URL + '/admin/users',
                     headers={'Authorization': 'token ' + API_TOKEN})
    if r.status_code != 200:
        raise Exception('Failed to get users: ' + r.text)
    for user in r.json():
        existing_users[user['login']] = user
    # Read the file, add each user
    with open("/tmp/passwd-import", 'r') as f:
        for line in f.readlines():
            uid = int(line.split(':')[2])
            if uid < 1000:
                continue
            shell = line.split(':')[-1]
            if shell in BANNED_SHELLS:
                continue
            username = line.split(':')[0]
            name = line.split(':')[4].split(',')[0]
            add_user(username, name)
 if __name__ == '__main__':
    main()
--- a/hosts/bekkalokk/services/idp-simplesamlphp/default.nix
+++ b/hosts/bekkalokk/services/idp-simplesamlphp/default.nix
@@ -84,16 +84,16 @@ let
        cp ${./config.php} "$out"
        substituteInPlace "$out" \
-          --replace '$SAML_COOKIE_SECURE' 'true' \
+          --replace-warn '$SAML_COOKIE_SECURE' 'true' \
-          --replace '$SAML_COOKIE_SALT' 'file_get_contents("${config.sops.secrets."idp/cookie_salt".path}")' \
+          --replace-warn '$SAML_COOKIE_SALT' 'file_get_contents("${config.sops.secrets."idp/cookie_salt".path}")' \
-          --replace '$SAML_ADMIN_NAME' '"Drift"' \
+          --replace-warn '$SAML_ADMIN_NAME' '"Drift"' \
-          --replace '$SAML_ADMIN_EMAIL' '"drift@pvv.ntnu.no"' \
+          --replace-warn '$SAML_ADMIN_EMAIL' '"drift@pvv.ntnu.no"' \
-          --replace '$SAML_ADMIN_PASSWORD' 'file_get_contents("${config.sops.secrets."idp/admin_password".path}")' \
+          --replace-warn '$SAML_ADMIN_PASSWORD' 'file_get_contents("${config.sops.secrets."idp/admin_password".path}")' \
-          --replace '$SAML_TRUSTED_DOMAINS' 'array( "idp.pvv.ntnu.no" )' \
+          --replace-warn '$SAML_TRUSTED_DOMAINS' 'array( "idp.pvv.ntnu.no" )' \
-          --replace '$SAML_DATABASE_DSN' '"pgsql:host=postgres.pvv.ntnu.no;port=5432;dbname=idp"' \
+          --replace-warn '$SAML_DATABASE_DSN' '"pgsql:host=postgres.pvv.ntnu.no;port=5432;dbname=idp"' \
-          --replace '$SAML_DATABASE_USERNAME' '"idp"' \
+          --replace-warn '$SAML_DATABASE_USERNAME' '"idp"' \
-          --replace '$SAML_DATABASE_PASSWORD' 'file_get_contents("${config.sops.secrets."idp/postgres_password".path}")' \
+          --replace-warn '$SAML_DATABASE_PASSWORD' 'file_get_contents("${config.sops.secrets."idp/postgres_password".path}")' \
-          --replace '$CACHE_DIRECTORY' '/var/cache/idp'
+          --replace-warn '$CACHE_DIRECTORY' '/var/cache/idp'
      '';
      "modules/authpwauth/src/Auth/Source/PwAuth.php" = ./authpwauth.php;
@@ -202,6 +202,12 @@ in
          rewrite ^/simplesaml/(.*)$ /$1 redirect;
          return 404;
        '';
        "/robots.txt" = {
          root = pkgs.writeTextDir "robots.txt" ''
            User-agent: *
            Disallow: /
          '';
        };
      };
    };
  };
--- a/hosts/bekkalokk/services/kerberos/default.nix
+++ b/hosts/bekkalokk/services/kerberos/default.nix
@@ -1,18 +1,5 @@
 { config, pkgs, lib, ... }:
 {
  #######################
  # TODO: remove these once nixos 24.05 gets released
  #######################
  # imports = [
  #   ./krb5.nix
  #   ./pam.nix
  # ];
  # disabledModules = [
  #   "config/krb5/default.nix"
  #   "security/pam.nix"
  # ];
  #######################
  security.krb5 = {
    enable = true;
    settings = {
--- a/hosts/bekkalokk/services/mediawiki/default.nix
+++ b/hosts/bekkalokk/services/mediawiki/default.nix
@@ -1,4 +1,4 @@
-{ pkgs, lib, config, values, pkgs-unstable, ... }: let
+{ pkgs, lib, fp, config, values, pkgs-unstable, ... }: let
  cfg = config.services.mediawiki;
  # "mediawiki"
@@ -17,16 +17,16 @@
        cp ${./simplesaml-config.php} "$out"
        substituteInPlace "$out" \
-          --replace '$SAML_COOKIE_SECURE' 'true' \
+          --replace-warn '$SAML_COOKIE_SECURE' 'true' \
-          --replace '$SAML_COOKIE_SALT' 'file_get_contents("${config.sops.secrets."mediawiki/simplesamlphp/cookie_salt".path}")' \
+          --replace-warn '$SAML_COOKIE_SALT' 'file_get_contents("${config.sops.secrets."mediawiki/simplesamlphp/cookie_salt".path}")' \
-          --replace '$SAML_ADMIN_NAME' '"Drift"' \
+          --replace-warn '$SAML_ADMIN_NAME' '"Drift"' \
-          --replace '$SAML_ADMIN_EMAIL' '"drift@pvv.ntnu.no"' \
+          --replace-warn '$SAML_ADMIN_EMAIL' '"drift@pvv.ntnu.no"' \
-          --replace '$SAML_ADMIN_PASSWORD' 'file_get_contents("${config.sops.secrets."mediawiki/simplesamlphp/admin_password".path}")' \
+          --replace-warn '$SAML_ADMIN_PASSWORD' 'file_get_contents("${config.sops.secrets."mediawiki/simplesamlphp/admin_password".path}")' \
-          --replace '$SAML_TRUSTED_DOMAINS' 'array( "wiki.pvv.ntnu.no" )' \
+          --replace-warn '$SAML_TRUSTED_DOMAINS' 'array( "wiki.pvv.ntnu.no" )' \
-          --replace '$SAML_DATABASE_DSN' '"pgsql:host=postgres.pvv.ntnu.no;port=5432;dbname=mediawiki_simplesamlphp"' \
+          --replace-warn '$SAML_DATABASE_DSN' '"pgsql:host=postgres.pvv.ntnu.no;port=5432;dbname=mediawiki_simplesamlphp"' \
-          --replace '$SAML_DATABASE_USERNAME' '"mediawiki_simplesamlphp"' \
+          --replace-warn '$SAML_DATABASE_USERNAME' '"mediawiki_simplesamlphp"' \
-          --replace '$SAML_DATABASE_PASSWORD' 'file_get_contents("${config.sops.secrets."mediawiki/simplesamlphp/postgres_password".path}")' \
+          --replace-warn '$SAML_DATABASE_PASSWORD' 'file_get_contents("${config.sops.secrets."mediawiki/simplesamlphp/postgres_password".path}")' \
-          --replace '$CACHE_DIRECTORY' '/var/cache/mediawiki/idp'
+          --replace-warn '$CACHE_DIRECTORY' '/var/cache/mediawiki/idp'
      '';
    };
  };
@@ -61,7 +61,6 @@ in {
      user = "mediawiki";
      passwordFile = config.sops.secrets."mediawiki/postgres_password".path;
      createLocally = false;
      # TODO: create a normal database and copy over old data when the service is production ready
      name = "mediawiki";
    };
@@ -86,7 +85,20 @@ in {
    };
    extensions = {
-      inherit (pkgs.mediawiki-extensions) DeleteBatch UserMerge PluggableAuth SimpleSAMLphp VisualEditor;
+      inherit (pkgs.mediawiki-extensions)
        CodeEditor
        CodeMirror
        DeleteBatch
        PluggableAuth
        Popups
        Scribunto
        SimpleSAMLphp
        TemplateData
        TemplateStyles
        UserMerge
        VisualEditor
        WikiEditor
        ;
    };
    extraConfig = ''
@@ -118,15 +130,35 @@ in {
      $wgVectorDefaultSidebarVisibleForAnonymousUser = true;
      $wgVectorResponsive = true;
      # Experimental dark mode support for Vector 2022
      $wgVectorNightMode['beta'] = true;
      $wgVectorNightMode['logged_out'] = true;
      $wgVectorNightMode['logged_in'] = true;
      $wgDefaultUserOptions['vector-theme'] = 'os';
      # Misc
      $wgEmergencyContact = "${cfg.passwordSender}";
      $wgShowIPinHeader = false;
      $wgUseTeX = false;
      $wgLocalInterwiki = $wgSitename;
      # Fix https://github.com/NixOS/nixpkgs/issues/183097
      $wgDBserver = "${toString cfg.database.host}";
      $wgAllowCopyUploads = true;
-      # SimpleSAML
+      # Misc program paths
      $wgFFmpegLocation = '${pkgs.ffmpeg}/bin/ffmpeg';
      $wgExiftool = '${pkgs.exiftool}/bin/exiftool';
      $wgExiv2Command = '${pkgs.exiv2}/bin/exiv2';
      # See https://gist.github.com/sergejmueller/088dce028b6dd120a16e
      $wgJpegTran = '${pkgs.mozjpeg}/bin/jpegtran';
      $wgGitBin = '${pkgs.git}/bin/git';
      # Debugging
      $wgShowExceptionDetails = false;
      $wgShowIPinHeader = false;
      # EXT:{SimpleSAML,PluggableAuth}
      $wgSimpleSAMLphp_InstallDir = "${simplesamlphp}/share/php/simplesamlphp/";
-      $wgPluggableAuth_Config['Log in using my SAML'] = [
+      $wgPluggableAuth_Config['Log in using SAML'] = [
        'plugin' => 'SimpleSAMLphp',
        'data' => [
          'authSourceId' => 'default-sp',
@@ -136,8 +168,12 @@ in {
        ]
      ];
-      # Fix https://github.com/NixOS/nixpkgs/issues/183097
+      # EXT:Scribunto
-      $wgDBserver = "${toString cfg.database.host}";
+      $wgScribuntoDefaultEngine = 'luastandalone';
      $wgScribuntoEngineConf['luastandalone']['luaPath'] = '${pkgs.lua}/bin';
      # EXT:WikiEditor
      $wgWikiEditorRealtimePreview = true;
    '';
  };
@@ -179,16 +215,16 @@ in {
        '';
      };
-      "= /PNG/PVV-logo.svg".alias = ../../../../assets/logo_blue_regular.svg;
+      "= /PNG/PVV-logo.svg".alias = fp /assets/logo_blue_regular.svg;
-      "= /PNG/PVV-logo.png".alias = ../../../../assets/logo_blue_regular.png;
+      "= /PNG/PVV-logo.png".alias = fp /assets/logo_blue_regular.png;
      "= /favicon.ico".alias = pkgs.runCommandLocal "mediawiki-favicon.ico" {
        buildInputs = with pkgs; [ imagemagick ];
      } ''
-        convert \
+        magick \
          ${fp /assets/logo_blue_regular.png} \
          -resize x64 \
          -gravity center \
          -crop 64x64+0+0 \
          ${../../../../assets/logo_blue_regular.png} \
          -flatten \
          -colors 256 \
          -background transparent \
--- a/hosts/bekkalokk/services/phpfpm.nix
+++ b/hosts/bekkalokk/services/phpfpm.nix
@@ -0,0 +1,51 @@
 { lib, ... }:
 let
  pools = map (pool: "phpfpm-${pool}") [
    "idp"
    "mediawiki"
    "pvv-nettsiden"
    "roundcube"
    "snappymail"
  ];
 in
 {
  # Source: https://www.pierreblazquez.com/2023/06/17/how-to-harden-apache-php-fpm-daemons-using-systemd/
  systemd.services = lib.genAttrs pools (_: {
    serviceConfig = let
      caps = [
        "CAP_NET_BIND_SERVICE"
        "CAP_SETGID"
        "CAP_SETUID"
        "CAP_CHOWN"
        "CAP_KILL"
        "CAP_IPC_LOCK"
        "CAP_DAC_OVERRIDE"
      ];
    in {
      AmbientCapabilities = caps;
      CapabilityBoundingSet = caps;
      DeviceAllow = [ "" ];
      LockPersonality = true;
      MemoryDenyWriteExecute = false;
      NoNewPrivileges = true;
      PrivateMounts = true;
      ProtectClock = true;
      ProtectControlGroups = true;
      ProtectHome = true;
      ProtectHostname = true;
      ProtectKernelLogs = true;
      ProtectKernelModules = true;
      ProtectKernelTunables = true;
      RemoveIPC = true;
      UMask = "0077";
      RestrictNamespaces = "~mnt";
      RestrictRealtime = true;
      RestrictSUIDSGID = true;
      SystemCallArchitectures = "native";
      KeyringMode = "private";
      SystemCallFilter = [
        "@system-service"
      ];
    };
  });
 }
--- a/hosts/bekkalokk/services/vaultwarden.nix
+++ b/hosts/bekkalokk/services/vaultwarden.nix
@@ -0,0 +1,102 @@
 { config, pkgs, lib, ... }:
 let
  cfg = config.services.vaultwarden;
  domain = "pw.pvv.ntnu.no";
  address = "127.0.1.2";
  port = 3011;
  wsPort = 3012;
 in {
  sops.secrets."vaultwarden/environ" = {
    owner = "vaultwarden";
    group = "vaultwarden";
  };
  services.vaultwarden = {
    enable = true;
    dbBackend = "postgresql";
    environmentFile = config.sops.secrets."vaultwarden/environ".path;
    config = {
      domain = "https://${domain}";
      rocketAddress = address;
      rocketPort = port;
      websocketEnabled = true;
      websocketAddress = address;
      websocketPort = wsPort;
      signupsAllowed = true;
      signupsVerify = true;
      signupsDomainsWhitelist = "pvv.ntnu.no";
      smtpFrom = "vaultwarden@pvv.ntnu.no";
      smtpFromName = "VaultWarden PVV";
      smtpHost = "smtp.pvv.ntnu.no";
      smtpUsername = "vaultwarden";
      smtpSecurity = "force_tls";
      smtpAuthMechanism = "Login";
      # Configured in environ:
      # databaseUrl = "postgresql://vaultwarden@/vaultwarden";
      # smtpPassword = hemli
    };
  };
  services.nginx.virtualHosts."${domain}" = {
    forceSSL = true;
    enableACME = true;
    kTLS = true;
    extraConfig = ''
      client_max_body_size 128M;
    '';
    locations."/" = {
      proxyPass = "http://${address}:${toString port}";
      proxyWebsockets = true;
    };
    locations."/notifications/hub" = {
      proxyPass = "http://${address}:${toString wsPort}";
      proxyWebsockets = true;
    };
    locations."/notifications/hub/negotiate" = {
      proxyPass = "http://${address}:${toString port}";
      proxyWebsockets = true;
    };
  };
  systemd.services.vaultwarden = lib.mkIf cfg.enable {
    serviceConfig = {
      AmbientCapabilities = [ "" ];
      CapabilityBoundingSet = [ "" ];
      DeviceAllow = [ "" ];
      LockPersonality = true;
      NoNewPrivileges = true;
      # MemoryDenyWriteExecute = true;
      PrivateMounts = true;
      PrivateUsers = true;
      ProcSubset = "pid";
      ProtectClock = true;
      ProtectControlGroups = true;
      ProtectHostname = true;
      ProtectKernelLogs = true;
      ProtectKernelModules = true;
      ProtectKernelTunables = true;
      RestrictAddressFamilies = [
        "AF_INET"
        "AF_INET6"
        "AF_UNIX"
      ];
      RemoveIPC = true;
      RestrictNamespaces = true;
      RestrictRealtime = true;
      RestrictSUIDSGID = true;
      SystemCallArchitectures = "native";
      SystemCallFilter = [
        "@system-service"
        "~@privileged"
      ];
    };
  };
 }
--- a/hosts/bekkalokk/services/webmail/roundcube.nix
+++ b/hosts/bekkalokk/services/webmail/roundcube.nix
@@ -6,6 +6,11 @@ let
  domain = "webmail.pvv.ntnu.no";
 in
 {
  sops.secrets."roundcube/postgres_password" = {
    owner = "nginx";
    group = "nginx";
  };
  services.roundcube = {
    enable = true;
@@ -16,10 +21,15 @@ in
      custom_from
    ]);
-    dicts = with pkgs.aspellDicts; [ en en-science en-computers nb nn fr de it ];
+    dicts = with pkgs.aspellDicts; [ en en-computers nb nn fr de it ];
    maxAttachmentSize = 20;
    hostName = "roundcubeplaceholder.example.com";
    database = {
      host = "postgres.pvv.ntnu.no";
      passwordFile = config.sops.secrets."roundcube/postgres_password".path;
    };
    extraConfig = ''
      $config['enable_installer'] = false;
      $config['default_host'] = "ssl://imap.pvv.ntnu.no";
--- a/hosts/bekkalokk/services/webmail/snappymail.nix
+++ b/hosts/bekkalokk/services/webmail/snappymail.nix
@@ -1,8 +1,8 @@
-{ config, lib, pkgs, ... }:
+{ config, lib, fp, pkgs, ... }:
 let
  cfg = config.services.snappymail;
 in {
-  imports = [ ../../../../modules/snappymail.nix ];
+  imports = [ (fp /modules/snappymail.nix) ];
  services.snappymail = {
    enable = true;
--- a/hosts/bekkalokk/services/website/default.nix
+++ b/hosts/bekkalokk/services/website/default.nix
@@ -18,11 +18,16 @@ in {
    restartUnits = [ "phpfpm-pvv-nettsiden.service" ];
  });
  security.acme.certs."www.pvv.ntnu.no" = {
    extraDomainNames = [
      "pvv.ntnu.no"
      "www.pvv.org"
      "pvv.org"
    ];
  };
  services.idp.sp-remote-metadata = [
    "https://www.pvv.ntnu.no/simplesaml/"
    "https://pvv.ntnu.no/simplesaml/"
    "https://www.pvv.org/simplesaml/" 
    "https://pvv.org/simplesaml/" 
  ];
  services.pvv-nettsiden = {
@@ -67,7 +72,9 @@ in {
        ADMIN_NAME = "PVV Drift";
        ADMIN_EMAIL = "drift@pvv.ntnu.no";
        ADMIN_PASSWORD = includeFromSops "simplesamlphp/admin_password";
-        TRUSTED_DOMAINS = [ cfg.domainName ];
+        TRUSTED_DOMAINS = [
          "www.pvv.ntnu.no"
        ];
      };
    };
  };
@@ -78,13 +85,28 @@ in {
    "catch_workers_output" = true;
  };
-  services.nginx.virtualHosts.${cfg.domainName} = {
+  services.nginx.virtualHosts."pvv.ntnu.no" = {
-    serverAliases = [
+    globalRedirect = cfg.domainName;
-      "pvv.ntnu.no"
+    redirectCode = 307;
-      "www.pvv.org"
+    forceSSL = true;
-      "pvv.org"
+    useACMEHost = "www.pvv.ntnu.no";
-    ];
+  };
  services.nginx.virtualHosts."www.pvv.org" = {
    globalRedirect = cfg.domainName;
    redirectCode = 307;
    forceSSL = true;
    useACMEHost = "www.pvv.ntnu.no";
  };
  services.nginx.virtualHosts."pvv.org" = {
    globalRedirect = cfg.domainName;
    redirectCode = 307;
    forceSSL = true;
    useACMEHost = "www.pvv.ntnu.no";
  };
  services.nginx.virtualHosts.${cfg.domainName} = {
    locations = {
      # Proxy home directories
      "^~ /~" = {
@@ -116,16 +138,6 @@ in {
      "/drift".return = "301 https://wiki.pvv.ntnu.no/wiki/Drift";
      "/diverse/abuse.php".return = "301 https://wiki.pvv.ntnu.no/wiki/CERT/Abuse";
      "/nerds/".return = "301 https://wiki.pvv.ntnu.no/wiki/Nerdepizza";
      # Proxy the matrix well-known files
      # Host has be set before proxy_pass
      # The header must be set so nginx on the other side routes it to the right place
      "^~ /.well-known/matrix/" = {
        extraConfig = ''
          proxy_set_header Host matrix.pvv.ntnu.no;
          proxy_pass https://matrix.pvv.ntnu.no/.well-known/matrix/;
        '';
      };
    };
  };
 }
--- a/hosts/bekkalokk/services/website/fetch-gallery.nix
+++ b/hosts/bekkalokk/services/website/fetch-gallery.nix
@@ -53,7 +53,7 @@ in {
        echo "Creating thumbnail for $fname"
        mkdir -p $(dirname ".thumbnails/$fname")
-        convert -define jpeg:size=200x200 "$fname" -thumbnail 300 -auto-orient ".thumbnails/$fname.png" ||:
+        magick -define jpeg:size=200x200 "$fname" -thumbnail 300 -auto-orient ".thumbnails/$fname.png" ||:
        touch -m -d "$(date -R -r "$fname")" ".thumbnails/$fname.png"
      done <<< "$images"
    '';
@@ -62,6 +62,33 @@ in {
      WorkingDirectory = galleryDir;
      User = config.services.pvv-nettsiden.user;
      Group = config.services.pvv-nettsiden.group;
      AmbientCapabilities = [ "" ];
      CapabilityBoundingSet = [ "" ];
      DeviceAllow = [ "" ];
      LockPersonality = true;
      MemoryDenyWriteExecute = true;
      NoNewPrivileges = true; # disable for third party rotate scripts
      PrivateDevices = true;
      PrivateNetwork = true; # disable for mail delivery
      PrivateTmp = true;
      ProtectClock = true;
      ProtectControlGroups = true;
      ProtectHome = true; # disable for userdir logs
      ProtectHostname = true;
      ProtectKernelLogs = true;
      ProtectKernelModules = true;
      ProtectKernelTunables = true;
      ProtectProc = "invisible";
      ProtectSystem = "full";
      RestrictNamespaces = true;
      RestrictRealtime = true;
      RestrictSUIDSGID = true; # disable for creating setgid directories
      SocketBindDeny = [ "any" ];
      SystemCallArchitectures = "native";
      SystemCallFilter = [
        "@system-service"
      ];
    };
  };
 }
--- a/hosts/bekkalokk/services/well-known/default.nix
+++ b/hosts/bekkalokk/services/well-known/default.nix
@@ -0,0 +1,18 @@
 { ... }:
 {
  services.nginx.virtualHosts."www.pvv.ntnu.no".locations = {
    "^~ /.well-known/" = {
      alias = (toString ./root) + "/";
    };
    # Proxy the matrix well-known files
    # Host has be set before proxy_pass
    # The header must be set so nginx on the other side routes it to the right place
    "^~ /.well-known/matrix/" = {
      extraConfig = ''
        proxy_set_header Host matrix.pvv.ntnu.no;
        proxy_pass https://matrix.pvv.ntnu.no/.well-known/matrix/;
      '';
    };
  };
 }
--- a/hosts/bekkalokk/services/well-known/root/autoconfig/mail/config-v1.1.xml
+++ b/hosts/bekkalokk/services/well-known/root/autoconfig/mail/config-v1.1.xml
@@ -0,0 +1,31 @@
 <?xml version="1.0"?>
 <clientConfig version="1.1">
  <emailProvider id="pvv.ntnu.no">
    <domain>pvv.ntnu.no</domain>
    <domain>pvv.org</domain>
    <displayName>Programvareverkstedet</displayName>
    <incomingServer type="imap">
      <hostname>imap.pvv.ntnu.no</hostname>
      <port>993</port>
      <socketType>SSL</socketType>
      <username>%EMAILLOCALPART%</username>
      <authentication>password-cleartext</authentication>
    </incomingServer>
    <outgoingServer type="smtp">
      <hostname>smtp.pvv.ntnu.no</hostname>
      <port>587</port>
      <socketType>STARTTLS</socketType>
      <username>%EMAILLOCALPART%</username>
      <authentication>password-cleartext</authentication>
      <useGlobalPreferredServer>true</useGlobalPreferredServer>
    </outgoingServer>
    <documentation url="https://www.pvv.ntnu.no/pvv/Drift/Mail/IMAP_POP3">
       <descr lang="en">Setup programvareverkstedet email user with IMAP or POP3</descr>
       <descr lang="nb">Sett opp programvareverkstedet email bruker med IMAP eller POP3</descr>
    </documentation>
  </emailProvider>
 </clientConfig>
--- a/hosts/bekkalokk/services/well-known/root/security.txt
+++ b/hosts/bekkalokk/services/well-known/root/security.txt
@@ -0,0 +1,12 @@
 Contact: mailto:drift@pvv.ntnu.no
 Contact: mailto:cert@pvv.ntnu.no
 # drift@pvv.ntnu.no is read by more people and have a quicker reaction time,
 # but cert@pvv.ntnu.no can be used for more severe issues.
 Preferred-Languages: no, en
 Expires: 2032-12-31T23:59:59.000Z
 # This file was last updated 2024-09-14.
 # You can find a wikipage for our security policies at:
 # https://wiki.pvv.ntnu.no/wiki/CERT
--- a/hosts/bicep/acmeCert.nix
+++ b/hosts/bicep/acmeCert.nix
@@ -1,24 +0,0 @@
 { values, ... }:
 {
  users.groups.acme.members = [ "nginx" ];
  security.acme.certs."postgres.pvv.ntnu.no" = {
    group = "acme";
    extraDomainNames = [
      # "postgres.pvv.org"
      "bicep.pvv.ntnu.no"
      # "bicep.pvv.org"
      # values.hosts.bicep.ipv4
      # values.hosts.bicep.ipv6
    ];
  };
  services.nginx = {
    enable = true;
    virtualHosts."postgres.pvv.ntnu.no" = {
      forceSSL = true;
      enableACME = true;
      # useACMEHost = "postgres.pvv.ntnu.no";
    };
  };
 }
--- a/hosts/bicep/configuration.nix
+++ b/hosts/bicep/configuration.nix
@@ -1,35 +1,34 @@
-{ pkgs, values, ... }:
+{ fp, pkgs, values, ... }:
 {
  imports = [
    ./hardware-configuration.nix
-    ../../base.nix
+    (fp /base)
    ../../misc/metrics-exporters.nix
    ./services/nginx
-    ./acmeCert.nix
+    ./services/calendar-bot.nix
-
+    #./services/git-mirrors
    ./services/minecraft-heatmap.nix
    ./services/mysql.nix
    ./services/postgres.nix
    ./services/mysql.nix
    # TODO: fix the calendar bot
    # ./services/calendar-bot.nix
    ./services/matrix
  ];
-  sops.defaultSopsFile = ../../secrets/bicep/bicep.yaml;
+  sops.defaultSopsFile = fp /secrets/bicep/bicep.yaml;
  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
  sops.age.keyFile = "/var/lib/sops-nix/key.txt";
  sops.age.generateKey = true;
-  boot.loader.grub.enable = true;
+  boot.loader.systemd-boot.enable = true;
-  boot.loader.grub.device = "/dev/disk/by-id/scsi-3600508b1001cb1a8751c137b30610682";
+  boot.loader.efi.canTouchEfiVariables = true;
  networking.hostName = "bicep";
-  systemd.network.networks."30-enp6s0f0" = values.defaultNetworkConfig // {
+  #systemd.network.networks."30-enp6s0f0" = values.defaultNetworkConfig // {
-    matchConfig.Name = "enp6s0f0";
+  systemd.network.networks."30-ens18" = values.defaultNetworkConfig // {
    #matchConfig.Name = "enp6s0f0";
    matchConfig.Name = "ens18";
    address = with values.hosts.bicep; [ (ipv4 + "/25") (ipv6 + "/64") ]
      ++ (with values.services.turn; [ (ipv4 + "/25") (ipv6 + "/64") ]);
  };
@@ -37,6 +36,16 @@
    anyInterface = true;
  };
  # There are no smart devices
  services.smartd.enable = false;
  # we are a vm now
  services.qemuGuest.enable = true;
  # Enable the OpenSSH daemon.
  services.openssh.enable = true;
  services.sshguard.enable = true;
  # Do not change, even during upgrades.
  # See https://search.nixos.org/options?show=system.stateVersion
  system.stateVersion = "22.11";
--- a/hosts/bicep/hardware-configuration.nix
+++ b/hosts/bicep/hardware-configuration.nix
@@ -5,22 +5,29 @@
 {
  imports =
-    [ (modulesPath + "/installer/scan/not-detected.nix")
+    [ (modulesPath + "/profiles/qemu-guest.nix")
    ];
-  boot.initrd.availableKernelModules = [ "uhci_hcd" "ehci_pci" "hpsa" "ohci_pci" "usbhid" "sd_mod" ];
+  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "ahci" "sd_mod" "sr_mod" ];
  boot.initrd.kernelModules = [ ];
-  boot.kernelModules = [ "kvm-intel" ];
+  boot.kernelModules = [ ];
  boot.extraModulePackages = [ ];
  fileSystems."/" =
-    { device = "/dev/disk/by-uuid/31a67903-dc00-448a-a24a-36e820318fe5";
+    { device = "/dev/disk/by-uuid/20e06202-7a09-47cc-8ef6-5e7afe19453a";
      fsType = "ext4";
    };
  # temp data disk, only 128gb not enough until we can add another disk to the system.
  fileSystems."/data" =
-    { device = "/dev/disk/by-uuid/79e93eed-ad95-45c9-b115-4ef92afcc8c0";
+    { device = "/dev/disk/by-uuid/c81af266-0781-4084-b8eb-c2587cbcf1ba";
-      fsType = "f2fs";
+      fsType = "ext4";
    };
  fileSystems."/boot" =
    { device = "/dev/disk/by-uuid/198B-E363";
      fsType = "vfat";
      options = [ "fmask=0022" "dmask=0022" ];
    };
  swapDevices = [ ];
@@ -30,11 +37,7 @@
  # still possible to use this option, but it's recommended to use it in conjunction
  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
  networking.useDHCP = lib.mkDefault true;
-  # networking.interfaces.enp6s0f0.useDHCP = lib.mkDefault true;
+  # networking.interfaces.ens18.useDHCP = lib.mkDefault true;
  # networking.interfaces.enp6s0f1.useDHCP = lib.mkDefault true;
  # networking.interfaces.enp6s0f2.useDHCP = lib.mkDefault true;
  # networking.interfaces.enp6s0f3.useDHCP = lib.mkDefault true;
  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 }
--- a/hosts/bicep/services/calendar-bot.nix
+++ b/hosts/bicep/services/calendar-bot.nix
@@ -1,13 +1,21 @@
-{ config, lib, pkgs, ... }:
+{ config, fp, lib, pkgs, ... }:
 let
  cfg = config.services.pvv-calendar-bot;
 in {
-  sops.secrets."calendar-bot/matrix_token" = {
+  sops.secrets = {
-    sopsFile = ../../../secrets/bicep/bicep.yaml;
+    "calendar-bot/matrix_token" = {
      sopsFile = fp /secrets/bicep/bicep.yaml;
      key = "calendar-bot/matrix_token";
      owner = cfg.user;
      group = cfg.group;
    };
    "calendar-bot/mysql_password" = {
      sopsFile = fp /secrets/bicep/bicep.yaml;
      key = "calendar-bot/mysql_password";
      owner = cfg.user;
      group = cfg.group;
    };
  };
  services.pvv-calendar-bot = {
    enable = true;
@@ -18,6 +26,11 @@ in {
        user = "@bot_calendar:pvv.ntnu.no";
        channel = "!gkNLUIhYVpEyLatcRz:pvv.ntnu.no";
      };
      database = {
        host = "mysql.pvv.ntnu.no";
        user = "calendar-bot";
        passwordFile = config.sops.secrets."calendar-bot/mysql_password".path;
      };
      secretsFile = config.sops.secrets."calendar-bot/matrix_token".path;
      onCalendar = "*-*-* 09:00:00";
    };
--- a/hosts/bicep/services/git-mirrors/default.nix
+++ b/hosts/bicep/services/git-mirrors/default.nix
@@ -0,0 +1,100 @@
 { config, pkgs, lib, fp, ... }:
 let
  cfg = config.services.gickup;
 in
 {
  sops.secrets."gickup/github-token" = {
    owner = "gickup";
  };
  services.gickup = {
    enable = true;
    dataDir = "/data/gickup";
    destinationSettings = {
      structured = true;
      zip = false;
      keep = 10;
      bare = true;
      lfs = false;
    };
    instances = let
      defaultGithubConfig = {
        settings.token_file = config.sops.secrets."gickup/github-token".path;
      };
      defaultGitlabConfig = {
        # settings.token_file = ...
      };
    in {
      "github:Git-Mediawiki/Git-Mediawiki" = defaultGithubConfig;
      "github:NixOS/nixpkgs" = defaultGithubConfig;
      "github:go-gitea/gitea" = defaultGithubConfig;
      "github:heimdal/heimdal" = defaultGithubConfig;
      "github:saltstack/salt" = defaultGithubConfig;
      "github:typst/typst" = defaultGithubConfig;
      "github:unmojang/FjordLauncher" = defaultGithubConfig;
      "github:unmojang/drasl" = defaultGithubConfig;
      "github:yushijinhun/authlib-injector" = defaultGithubConfig;
      "gitlab:mx-puppet/discord/better-discord.js" = defaultGitlabConfig;
      "gitlab:mx-puppet/discord/discord-markdown" = defaultGitlabConfig;
      "gitlab:mx-puppet/discord/matrix-discord-parser" = defaultGitlabConfig;
      "gitlab:mx-puppet/discord/mx-puppet-discord" = defaultGitlabConfig;
      "gitlab:mx-puppet/mx-puppet-bridge" = defaultGitlabConfig;
      "any:glibc" = {
        settings.url = "https://sourceware.org/git/glibc.git";
      };
      "any:out-of-your-element" = {
        settings.url = "https://gitdab.com/cadence/out-of-your-element.git";
      };
      "any:out-of-your-element-module" = {
        settings.url = "https://cgit.rory.gay/nix/OOYE-module.git";
      };
    };
  };
  services.cgit = let
    domain = "mirrors.pvv.ntnu.no";
  in {
    ${domain} = {
      enable = true;
      package = pkgs.callPackage (fp /packages/cgit.nix) { };
      group = "gickup";
      scanPath = "${cfg.dataDir}/linktree";
      settings = {
        enable-commit-graph = true;
        enable-follow-links = true;
        enable-http-clone = true;
        enable-remote-branches = true;
        clone-url = "https://${domain}/$CGIT_REPO_URL";
        remove-suffix = true;
        root-title = "PVVSPPP";
        root-desc = "PVV Speiler Praktisk og Prominent Programvare";
        snapshots = "all";
        logo = "/PVV-logo.png";
      };
    };
  };
  services.nginx.virtualHosts."mirrors.pvv.ntnu.no" = {
    forceSSL = true;
    enableACME = true;
    locations."= /PVV-logo.png".alias = let
      small-pvv-logo = pkgs.runCommandLocal "pvv-logo-96x96" {
        nativeBuildInputs = [ pkgs.imagemagick ];
      } ''
        magick '${fp /assets/logo_blue_regular.svg}' -resize 96x96 PNG:"$out"
      '';
    in toString small-pvv-logo;
  };
  systemd.services."fcgiwrap-cgit-mirrors.pvv.ntnu.no" = {
    serviceConfig.BindReadOnlyPaths = [ cfg.dataDir ];
  };
 }
--- a/hosts/bicep/services/matrix/coturn.nix
+++ b/hosts/bicep/services/matrix/coturn.nix
@@ -1,17 +1,19 @@
-{ config, lib, pkgs, secrets, ... }:
+{ config, lib, fp, pkgs, secrets, values, ... }:
 {
  sops.secrets."matrix/synapse/turnconfig" = {
-    sopsFile = ../../../../secrets/bicep/matrix.yaml;
+    sopsFile = fp /secrets/bicep/matrix.yaml;
    key = "synapse/turnconfig";
    owner = config.users.users.matrix-synapse.name;
    group = config.users.users.matrix-synapse.group;
    restartUnits = [ "coturn.service" ];
  };
  sops.secrets."matrix/coturn/static-auth-secret" = {
-    sopsFile = ../../../../secrets/bicep/matrix.yaml;
+    sopsFile = fp /secrets/bicep/matrix.yaml;
    key = "coturn/static-auth-secret";
    owner = config.users.users.turnserver.name;
    group = config.users.users.turnserver.group;
    restartUnits = [ "coturn.service" ];
  };
  services.matrix-synapse-next = {
@@ -42,12 +44,15 @@
  security.acme.certs.${config.services.coturn.realm} = {
    email = "drift@pvv.ntnu.no";
-    listenHTTP = "129.241.210.213:80";
+    listenHTTP = "${values.services.turn.ipv4}:80";
    reloadServices = [ "coturn.service" ];
  };
  users.users.turnserver.extraGroups = [ "acme" ];
  # It needs this to be allowed to access the files with the acme group
  systemd.services.coturn.serviceConfig.PrivateUsers = lib.mkForce false;
  systemd.services."acme-${config.services.coturn.realm}".serviceConfig = {
    AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
  };
@@ -60,12 +65,14 @@
    pkey = "${config.security.acme.certs.${realm}.directory}/key.pem";
    use-auth-secret = true;
    # World readable but I  dont think it's that bad
    static-auth-secret-file = config.sops.secrets."matrix/coturn/static-auth-secret".path;
    secure-stun = true;
-    listening-ips = [ "129.241.210.213" "2001:700:300:1900::213" ];
+    listening-ips = [
      values.services.turn.ipv4
      values.services.turn.ipv6
    ];
    tls-listening-port = 443;
    alt-tls-listening-port = 5349;
--- a/hosts/bicep/services/matrix/default.nix
+++ b/hosts/bicep/services/matrix/default.nix
@@ -9,7 +9,9 @@
    ./coturn.nix
    ./mjolnir.nix
-    ./discord.nix
+    # ./discord.nix
    ./out-of-your-element.nix
    ./hookshot
  ];
--- a/hosts/bicep/services/matrix/discord.nix
+++ b/hosts/bicep/services/matrix/discord.nix
@@ -1,4 +1,4 @@
-{ config, lib, ... }:
+{ config, lib, fp, ... }:
 let
  cfg = config.services.mx-puppet-discord;
@@ -6,19 +6,46 @@ in
 {
  users.groups.keys-matrix-registrations = { };
-  sops.secrets."matrix/registrations/mx-puppet-discord" = {
+  sops.secrets."matrix/discord/as_token" = {
-    sopsFile = ../../../../secrets/bicep/matrix.yaml;
+    sopsFile = fp /secrets/bicep/matrix.yaml;
-    key = "registrations/mx-puppet-discord";
+    key = "discord/as_token";
  };
  sops.secrets."matrix/discord/hs_token" = {
    sopsFile = fp /secrets/bicep/matrix.yaml;
    key = "discord/hs_token";
  };
  sops.templates."discord-registration.yaml" = {
    owner = config.users.users.matrix-synapse.name;
    group = config.users.groups.keys-matrix-registrations.name;
    content = ''
      as_token: "${config.sops.placeholder."matrix/discord/as_token"}"
      hs_token: "${config.sops.placeholder."matrix/discord/hs_token"}"
      id: discord-puppet
      namespaces:
        users:
          - exclusive: true
            regex: '@_discordpuppet_.*'
        rooms: []
        aliases:
          - exclusive: true
            regex: '#_discordpuppet_.*'
      protocols: []
      rate_limited: false
      sender_localpart: _discordpuppet_bot
      url: 'http://localhost:8434'
      de.sorunome.msc2409.push_ephemeral: true
    '';
  };
  systemd.services.mx-puppet-discord = {
-    serviceConfig.SupplementaryGroups = [ config.users.groups.keys-matrix-registrations.name ];
+    serviceConfig.SupplementaryGroups = [
      config.users.groups.keys-matrix-registrations.name
    ];
  };
-  services.mx-puppet-discord.enable = true;
+  services.mx-puppet-discord.enable = false;
  services.mx-puppet-discord.settings = {
    bridge = {
      bindAddress = "localhost";
@@ -29,11 +56,16 @@ in
    relay.whitelist = [ ".*" ];
    selfService.whitelist = [ "@danio:pvv\\.ntnu\\.no" "@dandellion:dodsorf\\.as" ];
  };
-  services.mx-puppet-discord.serviceDependencies = [ "matrix-synapse.target" "nginx.service" ];
+  services.mx-puppet-discord.serviceDependencies = [
    "matrix-synapse.target"
    "nginx.service"
  ];
  services.matrix-synapse-next.settings = {
-    app_service_config_files = [ config.sops.secrets."matrix/registrations/mx-puppet-discord".path ];
+    app_service_config_files = [
      config.sops.templates."discord-registration.yaml".path
    ];
    use_appservice_legacy_authorization = true;
  };
--- a/hosts/bicep/services/matrix/hookshot/default.nix
+++ b/hosts/bicep/services/matrix/hookshot/default.nix
@@ -0,0 +1,142 @@
 { config, lib, fp, unstablePkgs, inputs, ... }:
 let
  cfg = config.services.matrix-hookshot;
  webhookListenAddress = "127.0.0.1";
  webhookListenPort = 8435;
 in
 {
  sops.secrets."matrix/hookshot/as_token" = {
    sopsFile = fp /secrets/bicep/matrix.yaml;
    key = "hookshot/as_token";
  };
  sops.secrets."matrix/hookshot/hs_token" = {
    sopsFile = fp /secrets/bicep/matrix.yaml;
    key = "hookshot/hs_token";
  };
  sops.templates."hookshot-registration.yaml" = {
    owner = config.users.users.matrix-synapse.name;
    group = config.users.groups.keys-matrix-registrations.name;
    restartUnits = [ "matrix-hookshot.service" ];
    content = ''
      id: matrix-hookshot
      as_token: "${config.sops.placeholder."matrix/hookshot/as_token"}"
      hs_token: "${config.sops.placeholder."matrix/hookshot/hs_token"}"
      namespaces:
        rooms: []
        users:
          - regex: "@_webhooks_.*:pvv.ntnu.no"
            exclusive: true
          - regex: "@bot_feeds:pvv.ntnu.no"
            exclusive: true
        aliases: []
      sender_localpart: hookshot
      url: "http://${cfg.settings.bridge.bindAddress}:${toString cfg.settings.bridge.port}"
      rate_limited: false
      # If enabling encryption
      de.sorunome.msc2409.push_ephemeral: true
      push_ephemeral: true
      org.matrix.msc3202: true
    '';
  };
  systemd.services.matrix-hookshot = {
    serviceConfig.SupplementaryGroups = [
      config.users.groups.keys-matrix-registrations.name
    ];
  };
  services.matrix-hookshot = {
    enable = true;
    package = unstablePkgs.matrix-hookshot;
    registrationFile = config.sops.templates."hookshot-registration.yaml".path;
    settings = {
      bridge = {
        bindAddress = "127.0.0.1";
        domain = "pvv.ntnu.no";
        url = "https://matrix.pvv.ntnu.no";
        mediaUrl = "https://matrix.pvv.ntnu.no";
        port = 9993;
      };
      listeners = [
        {
          bindAddress = webhookListenAddress;
          port = webhookListenPort;
          resources = [
            "webhooks"
            # "metrics"
            # "provisioning"
            "widgets"
          ];
        }
      ];
      generic = {
        enabled = true;
        outbound = true;
        urlPrefix = "https://hookshot.pvv.ntnu.no/webhook/";
        userIdPrefix = "_webhooks_";
        allowJsTransformationFunctions = true;
        waitForComplete = false;
      };
      feeds = {
        enabled = true;
        pollIntervalSeconds = 600;
      };
      serviceBots = [
        { localpart = "bot_feeds";
          displayname = "Aya";
          avatar = ./feeds.png;
          prefix = "!aya";
          service = "feeds";
        }
      ];
      widgets = {
        roomSetupWidget.addOnInvite = false;
        publicUrl = "https://hookshot.pvv.ntnu.no/widgetapi/v1/static";
      };
      permissions = [
        # Users of the PVV Server
        { actor = "pvv.ntnu.no";
          services = [ { service = "*"; level = "commands"; } ];
        }
        # Members of Medlem space (for people with their own hs)
        { actor = "!pZOTJQinWyyTWaeOgK:pvv.ntnu.no";
          services = [ { service = "*"; level = "commands"; } ];
        }
        # Members of Drift
        { actor = "!eYgeufLrninXxQpYml:pvv.ntnu.no";
          services = [ { service = "*"; level = "admin"; } ];
        }
        # Dan bootstrap
        { actor = "@dandellion:dodsorf.as";
          services = [ { service = "*"; level = "admin"; } ];
        }
      ];
    };
  };
  services.matrix-hookshot.serviceDependencies = [
    "matrix-synapse.target"
    "nginx.service"
  ];
  services.matrix-synapse-next.settings = {
    app_service_config_files = [
      config.sops.templates."hookshot-registration.yaml".path
    ];
  };
  services.nginx.virtualHosts."hookshot.pvv.ntnu.no" = {
    enableACME = true;
    addSSL = true;
    locations."/" = {
      proxyPass = "http://${webhookListenAddress}:${toString webhookListenPort}";
    };
  };
 }
--- a/hosts/bicep/services/matrix/hookshot/feeds.png
+++ b/hosts/bicep/services/matrix/hookshot/feeds.png
--- a/hosts/bicep/services/matrix/mjolnir.nix
+++ b/hosts/bicep/services/matrix/mjolnir.nix
@@ -1,17 +1,18 @@
-{ config, lib, ... }:
+{ config, lib, fp, ... }:
 {
  sops.secrets."matrix/mjolnir/access_token" = {
-    sopsFile = ../../../../secrets/bicep/matrix.yaml;
+    sopsFile = fp /secrets/bicep/matrix.yaml;
    key = "mjolnir/access_token";
    owner = config.users.users.mjolnir.name;
    group = config.users.users.mjolnir.group;
    restartUnits = [ "mjolnir.service" ];
  };
  services.mjolnir = {
    enable = true;
    pantalaimon.enable = false;
-    homeserverUrl = http://127.0.0.1:8008;
+    homeserverUrl = "https://matrix.pvv.ntnu.no";
    accessTokenFile = config.sops.secrets."matrix/mjolnir/access_token".path;
    managementRoom = "!gsdeCoWjvYRBrzuiRq:pvv.ntnu.no";
    protectedRooms = map (a: "https://matrix.to/#/${a}") [
--- a/hosts/bicep/services/matrix/out-of-your-element.nix
+++ b/hosts/bicep/services/matrix/out-of-your-element.nix
@@ -0,0 +1,70 @@
 { config, pkgs, fp, ... }:
 let
  cfg = config.services.matrix-ooye;
 in
 {
  users.groups.keys-matrix-registrations = { };
  sops.secrets = {
    "matrix/ooye/as_token" = {
      sopsFile = fp /secrets/bicep/matrix.yaml;
      key = "ooye/as_token";
      restartUnits = [ "matrix-ooye.service" ];
    };
    "matrix/ooye/hs_token" = {
      sopsFile = fp /secrets/bicep/matrix.yaml;
      key = "ooye/hs_token";
      restartUnits = [ "matrix-ooye.service" ];
    };
    "matrix/ooye/discord_token" = {
      sopsFile = fp /secrets/bicep/matrix.yaml;
      key = "ooye/discord_token";
      restartUnits = [ "matrix-ooye.service" ];
    };
    "matrix/ooye/discord_client_secret" = {
      sopsFile = fp /secrets/bicep/matrix.yaml;
      key = "ooye/discord_client_secret";
      restartUnits = [ "matrix-ooye.service" ];
    };
  };
  services.matrix-ooye = {
    enable = true;
    homeserver = "https://matrix.pvv.ntnu.no";
    homeserverName = "pvv.ntnu.no";
    discordTokenPath = config.sops.secrets."matrix/ooye/discord_token".path;
    discordClientSecretPath = config.sops.secrets."matrix/ooye/discord_client_secret".path;
    bridgeOrigin = "https://ooye.pvv.ntnu.no";
    enableSynapseIntegration = false;
  };
  systemd.services."matrix-synapse" = {
    after = [
      "matrix-ooye-pre-start.service"
      "network-online.target"
    ];
    requires = [ "matrix-ooye-pre-start.service" ];
    serviceConfig = {
      LoadCredential = [
        "matrix-ooye-registration:/var/lib/matrix-ooye/registration.yaml"
      ];
      ExecStartPre = [
        "+${pkgs.coreutils}/bin/cp /run/credentials/matrix-synapse.service/matrix-ooye-registration ${config.services.matrix-synapse-next.dataDir}/ooye-registration.yaml"
        "+${pkgs.coreutils}/bin/chown matrix-synapse:keys-matrix-registrations ${config.services.matrix-synapse-next.dataDir}/ooye-registration.yaml"
      ];
    };
  };
  services.matrix-synapse-next.settings = {
    app_service_config_files = [
      "${config.services.matrix-synapse-next.dataDir}/ooye-registration.yaml"
    ];
  };
  services.nginx.virtualHosts."ooye.pvv.ntnu.no" = {
    forceSSL = true;
    enableACME = true;
    locations."/".proxyPass = "http://localhost:${cfg.socket}";
  };
 }
--- a/hosts/bicep/services/matrix/smtp-authenticator/default.nix
+++ b/hosts/bicep/services/matrix/smtp-authenticator/default.nix
@@ -1,4 +1,4 @@
-{ lib, buildPythonPackage, fetchFromGitHub }:
+{ lib, buildPythonPackage, fetchFromGitHub, setuptools }:
 buildPythonPackage rec {
  pname = "matrix-synapse-smtp-auth";
@@ -6,6 +6,9 @@ buildPythonPackage rec {
  src = ./.;
  pyproject = true;
  build-system = [ setuptools ];
  doCheck = false;
  meta = with lib; {
--- a/hosts/bicep/services/matrix/synapse.nix
+++ b/hosts/bicep/services/matrix/synapse.nix
@@ -1,4 +1,4 @@
-{ config, lib, pkgs, values, inputs, ... }:
+{ config, lib, fp, pkgs, values, inputs, ... }:
 let
  cfg = config.services.matrix-synapse-next;
@@ -10,23 +10,18 @@ let
 in {
  sops.secrets."matrix/synapse/signing_key" = {
    key = "synapse/signing_key";
-    sopsFile = ../../../../secrets/bicep/matrix.yaml;
+    sopsFile = fp /secrets/bicep/matrix.yaml;
    owner = config.users.users.matrix-synapse.name;
    group = config.users.users.matrix-synapse.group;
  };
  sops.secrets."matrix/synapse/user_registration" = {
-    sopsFile = ../../../../secrets/bicep/matrix.yaml;
+    sopsFile = fp /secrets/bicep/matrix.yaml;
    key = "synapse/signing_key";
    owner = config.users.users.matrix-synapse.name;
    group = config.users.users.matrix-synapse.group;
  };
  sops.secrets."matrix/sliding-sync/env" = {
    sopsFile = ../../../../secrets/bicep/matrix.yaml;
    key = "sliding-sync/env";
  };
  services.matrix-synapse-next = {
    enable = true;
@@ -43,8 +38,6 @@ in {
    workers.eventPersisters = 2;
    workers.useUserDirectoryWorker = true;
    enableSlidingSync = true;
    enableNginx = true;
    settings = {
@@ -131,22 +124,19 @@ in {
        "fec0::/10"
        # NTNU
-        "129.241.0.0/16"
+        values.ntnu.ipv4-space
-        "2001:700:300::/44"
+        values.ntnu.ipv6-space
      ];
    };
  };
  services.matrix-synapse.sliding-sync.environmentFile = config.sops.secrets."matrix/sliding-sync/env".path;
  services.redis.servers."".enable = true;
  services.nginx.virtualHosts."matrix.pvv.ntnu.no" = lib.mkMerge [
-  ({
+  {
    kTLS = true;
-  })
+  }
-  ({
+  {
    locations."/.well-known/matrix/server" = {
      return = ''
        200 '{"m.server": "matrix.pvv.ntnu.no:443"}'
@@ -156,35 +146,43 @@ in {
        add_header Access-Control-Allow-Origin *;
      '';
    };
-  })
+  }
-  ({
+  {
    locations."/_synapse/admin" = {
      proxyPass = "http://$synapse_backend";
      extraConfig = ''
        allow 127.0.0.1;
        allow ::1;
        allow ${values.hosts.bicep.ipv4};
        allow ${values.hosts.bicep.ipv6};
        deny all;
      '';
    };
  }
  {
    locations = let
      connectionInfo = w: matrix-lib.workerConnectionResource "metrics" w;
-      socketAddress = w: let c = connectionInfo w; in "${c.host}:${toString (c.port)}";
+      socketAddress = w: let c = connectionInfo w; in "${c.host}:${toString c.port}";
      metricsPath = w: "/metrics/${w.type}/${toString w.index}";
      proxyPath = w: "http://${socketAddress w}/_synapse/metrics";
    in lib.mapAttrs' (n: v: lib.nameValuePair
-      (metricsPath v) ({
+      (metricsPath v) {
        proxyPass = proxyPath v;
        extraConfig = ''
          allow ${values.hosts.ildkule.ipv4};
          allow ${values.hosts.ildkule.ipv6};
          allow ${values.hosts.ildkule.ipv4_global};
          allow ${values.hosts.ildkule.ipv6_global};
          deny all;
        '';
      }))
      cfg.workers.instances;
      })
-  ({
+      cfg.workers.instances;
  }
  {
    locations."/metrics/master/1" = {
      proxyPass = "http://127.0.0.1:9000/_synapse/metrics";
      extraConfig = ''
        allow ${values.hosts.ildkule.ipv4};
        allow ${values.hosts.ildkule.ipv6};
        allow ${values.hosts.ildkule.ipv4_global};
        allow ${values.hosts.ildkule.ipv6_global};
        deny all;
      '';
    };
@@ -202,5 +200,5 @@ in {
            labels = { };
          }]) + "/";
    };
-  })];
+  }];
 }
--- a/hosts/bicep/services/minecraft-heatmap.nix
+++ b/hosts/bicep/services/minecraft-heatmap.nix
@@ -0,0 +1,49 @@
 { config, lib, pkgs, ... }:
 let
  cfg = config.services.minecraft-heatmap;
 in
 {
  sops.secrets."minecraft-heatmap/ssh-key/private" = {
    mode = "600";
  };
  sops.secrets."minecraft-heatmap/postgres-passwd" = {
    mode = "600";
  };
  services.minecraft-heatmap = {
    enable = true;
    database = {
      host = "postgres.pvv.ntnu.no";
      port = 5432;
      name = "minecraft_heatmap";
      user = "minecraft_heatmap";
      passwordFile = config.sops.secrets."minecraft-heatmap/postgres-passwd".path;
    };
  };
  systemd.services.minecraft-heatmap-ingest-logs = {
    serviceConfig.LoadCredential = [
      "sshkey:${config.sops.secrets."minecraft-heatmap/ssh-key/private".path}"
    ];
    preStart = let
      knownHostsFile = pkgs.writeText "minecraft-heatmap-known-hosts" ''
        innovation.pvv.ntnu.no ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE9O/y5uqcLKCodg2Q+XfZPH/AoUIyBlDhigImU+4+Kn
        innovation.pvv.ntnu.no ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQClR9GvWeVPZHudlnFXhGHUX5sGX9nscsOsotnlQ4uVuGsgvRifsVsuDULlAFXwoV1tYp4vnyXlsVtMddpLI5ANOIDcZ4fgDxpfSQmtHKssNpDcfMhFJbfRVyacipjA4osxTxvLox/yjtVt+URjTHUA1MWzEwc26KfiOvWO5tCBTan7doN/4KOyT05GwBxwzUAwUmoGTacIITck2Y9qp4+xFYqehbXqPdBb15hFyd38OCQhtU1hWV2Yi18+hJ4nyjc/g5pr6mW09ULlFghe/BaTUXrTisYC6bMcJZsTDwsvld9581KPvoNZOTQhZPTEQCZZ1h54fe0ZHuveVB3TIHovZyjoUuaf4uiFOjJVaKRB+Ig+Il6r7tMUn9CyHtus/Nd86E0TFBzoKxM0OFu88oaUlDtZVrUJL5En1lGoimajebb1JPxllFN5hqIT+gVyMY6nRzkcfS7ieny/U4rzXY2rfz98selftgh3LsBywwADv65i+mPw1A/1QdND1R6fV4U=
        innovation.pvv.ntnu.no ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNjl3HfsDqmALWCL9uhz9k93RAD2565ndBqUh4N/rvI7MCwEJ6iRCdDev0YzB1Fpg24oriyYoxZRP24ifC2sQf8=
      '';
    in ''
      mkdir -p '${cfg.minecraftLogsDir}'
      "${lib.getExe pkgs.rsync}" \
      --archive \
      --verbose \
      --progress \
      --no-owner \
      --no-group \
      --rsh="${pkgs.openssh}/bin/ssh -o UserKnownHostsFile=\"${knownHostsFile}\" -i \"$CREDENTIALS_DIRECTORY\"/sshkey" \
      root@innovation.pvv.ntnu.no:/ \
      '${cfg.minecraftLogsDir}'/
    '';
  };
 }
--- a/hosts/bicep/services/mysql.nix
+++ b/hosts/bicep/services/mysql.nix
@@ -48,6 +48,8 @@
    IPAddressAllow = [
      values.ipv4-space
      values.ipv6-space
      values.hosts.ildkule.ipv4
      values.hosts.ildkule.ipv6
    ];
  };
 }
--- a/hosts/bicep/services/postgres.nix
+++ b/hosts/bicep/services/postgres.nix
@@ -1,18 +1,15 @@
-{ config, pkgs, ... }:
+{ config, pkgs, values, ... }:
 let
  sslCert = config.security.acme.certs."postgres.pvv.ntnu.no";
 in
 {
  services.postgresql = {
    enable = true;
    package = pkgs.postgresql_15;
    enableTCPIP = true;
    dataDir = "/data/postgresql";
    authentication = ''
-      host all all 129.241.210.128/25 md5
+      host all all ${values.ipv4-space} md5
-      host all all 2001:700:300:1900::/64 md5
+      host all all ${values.ipv6-space} md5
      host all all ${values.hosts.ildkule.ipv4}/32 md5
      host all all ${values.hosts.ildkule.ipv6}/32 md5
    '';
    # Hilsen https://pgconfigurator.cybertec-postgresql.com/
@@ -77,14 +74,47 @@ in
    };
  };
-  systemd.services.postgresql.serviceConfig = {
+  systemd.tmpfiles.settings."10-postgresql"."/data/postgresql".d = {
-    LoadCredential = [
+    user = config.systemd.services.postgresql.serviceConfig.User;
-      "cert:${sslCert.directory}/cert.pem"
+    group = config.systemd.services.postgresql.serviceConfig.Group;
-      "key:${sslCert.directory}/key.pem"
+    mode = "0700";
    ];
  };
-  users.groups.acme.members = [ "postgres" ];
+  systemd.services.postgresql-setup = {
    after = [
      "systemd-tmpfiles-setup.service"
      "systemd-tmpfiles-resetup.service"
    ];
    serviceConfig = {
      LoadCredential = [
        "cert:/etc/certs/postgres.crt"
        "key:/etc/certs/postgres.key"
      ];
      BindPaths = [ "/data/postgresql:/var/lib/postgresql" ];
    };
  };
  systemd.services.postgresql = {
    after = [
      "systemd-tmpfiles-setup.service"
      "systemd-tmpfiles-resetup.service"
    ];
    serviceConfig = {
      LoadCredential = [
        "cert:/etc/certs/postgres.crt"
        "key:/etc/certs/postgres.key"
      ];
      BindPaths = [ "/data/postgresql:/var/lib/postgresql" ];
    };
  };
  environment.snakeoil-certs."/etc/certs/postgres" = {
    owner = "postgres";
    group = "postgres";
    subject = "/C=NO/O=Programvareverkstedet/CN=postgres.pvv.ntnu.no/emailAddress=drift@pvv.ntnu.no";
  };
  networking.firewall.allowedTCPPorts = [ 5432 ];
  networking.firewall.allowedUDPPorts = [ 5432 ];
--- a/hosts/bob/configuration.nix
+++ b/hosts/bob/configuration.nix
@@ -1,46 +0,0 @@
 { config, pkgs, values, ... }:
 {
  imports = [
      # Include the results of the hardware scan.
      ./hardware-configuration.nix
      ../../base.nix
      ../../misc/metrics-exporters.nix
      ./disks.nix
      ../../misc/builder.nix
    ];
  sops.defaultSopsFile = ../../secrets/bob/bob.yaml;
  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
  sops.age.keyFile = "/var/lib/sops-nix/key.txt";
  sops.age.generateKey = true;
  boot.loader.grub = {
    enable = true;
    efiSupport = true;
    efiInstallAsRemovable = true;
  };
  networking.hostName = "bob"; # Define your hostname.
  systemd.network.networks."30-all" = values.defaultNetworkConfig // {
    matchConfig.Name = "en*";
    DHCP = "yes";
    gateway = [ ];
  };
  # List packages installed in system profile
  environment.systemPackages = with pkgs; [
  ];
  # List services that you want to enable:
  # This value determines the NixOS release from which the default
  # settings for stateful data, like file locations and database versions
  # on your system were taken. It‘s perfectly fine and recommended to leave
  # this value at the release version of the first install of this system.
  # Before changing this value read the documentation for this option
  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
  system.stateVersion = "23.05"; # Did you read the comment?
 }
--- a/hosts/bob/disks.nix
+++ b/hosts/bob/disks.nix
@@ -1,39 +0,0 @@
 # Example to create a bios compatible gpt partition
 { lib, ... }:
 {
  disko.devices = {
    disk.disk1 = {
      device = lib.mkDefault "/dev/sda";
      type = "disk";
      content = {
        type = "gpt";
        partitions = {
          boot = {
            name = "boot";
            size = "1M";
            type = "EF02";
          };
          esp = {
            name = "ESP";
            size = "500M";
            type = "EF00";
            content = {
              type = "filesystem";
              format = "vfat";
              mountpoint = "/boot";
            };
          };
          root = {
            name = "root";
            size = "100%";
            content = {
              type = "filesystem";
              format = "ext4";
              mountpoint = "/";
            };
          };
        };
      };
    };
  };
 }
--- a/hosts/brzeczyszczykiewicz/configuration.nix
+++ b/hosts/brzeczyszczykiewicz/configuration.nix
@@ -1,10 +1,9 @@
-{ config, pkgs, values, ... }:
+{ config, fp, pkgs, values, ... }:
 {
  imports = [
      # Include the results of the hardware scan.
      ./hardware-configuration.nix
-      ../../base.nix
+      (fp /base)
      ../../misc/metrics-exporters.nix
      ./services/grzegorz.nix
    ];
--- a/hosts/brzeczyszczykiewicz/services/grzegorz.nix
+++ b/hosts/brzeczyszczykiewicz/services/grzegorz.nix
@@ -1,6 +1,6 @@
-{ config, ... }:
+{ config, fp, ... }:
 {
-  imports = [ ../../../modules/grzegorz.nix ];
+  imports = [ (fp /modules/grzegorz.nix) ];
  services.nginx.virtualHosts."${config.networking.fqdn}" = {
    serverAliases = [
--- a/hosts/buskerud/configuration.nix
+++ b/hosts/buskerud/configuration.nix
@@ -1,42 +0,0 @@
 { config, pkgs, values, ... }:
 {
  imports = [
    ./hardware-configuration.nix
    ../../base.nix
    ../../misc/metrics-exporters.nix
  ];
  sops.defaultSopsFile = ../../secrets/buskerud/buskerud.yaml;
  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
  sops.age.keyFile = "/var/lib/sops-nix/key.txt";
  sops.age.generateKey = true;
  # buskerud does not support efi?
  # boot.loader.systemd-boot.enable = true;
  # boot.loader.efi.canTouchEfiVariables = true;
  boot.loader.grub.enable = true;
  boot.loader.grub.device = "/dev/sdb";
  networking.hostName = "buskerud";
  networking.search = [ "pvv.ntnu.no" "pvv.org" ];
  networking.nameservers = [ "129.241.0.200" "129.241.0.201" ];
  networking.tempAddresses = "disabled";
  systemd.network.networks."enp3s0f0" = values.defaultNetworkConfig // {
    matchConfig.Name = "enp3s0f0";
    address = with values.hosts.buskerud; [ (ipv4 + "/25") (ipv6 + "/64") ];
  };
  # List packages installed in system profile
  environment.systemPackages = with pkgs; [
  ];
  # This value determines the NixOS release from which the default
  # settings for stateful data, like file locations and database versions
  # on your system were taken. It‘s perfectly fine and recommended to leave
  # this value at the release version of the first install of this system.
  # Before changing this value read the documentation for this option
  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
  system.stateVersion = "23.05"; # Did you read the comment?
 }
--- a/hosts/buskerud/services/bluemap.nix
+++ b/hosts/buskerud/services/bluemap.nix
@@ -1,21 +0,0 @@
 {config, ...}:
 {
  sops.secrets."bluemap_ssh_key" = {
    owner = "root";
    mode = "0400";
  };
  services.bluemap = {
    enable = true;
    eula = true;
    defaultWorld = "/var/lib/bluemap/vanilla";
    host = "minecraft.pvv.ntnu.no";
  };
  systemd.services."render-bluemap-maps".preStart = ''
    rsync -e 'ssh -i ${config.sops.secrets."bluemap_ssh_key".path} -o "StrictHostKeyChecking accept-new"' \
      root@innovation.pvv.ntnu.no:/var/backups/minecraft/current/ \
      /var/lib/bluemap/vanilla"
    '';
 }
--- a/hosts/georg/configuration.nix
+++ b/hosts/georg/configuration.nix
@@ -1,12 +1,11 @@
-{ config, pkgs, values, ... }:
+{ config, fp, pkgs, values, ... }:
 {
  imports = [
      # Include the results of the hardware scan.
      ./hardware-configuration.nix
-      ../../base.nix
+      (fp /base)
      ../../misc/metrics-exporters.nix
-      ../../modules/grzegorz.nix
+      (fp /modules/grzegorz.nix)
    ];
  boot.loader.systemd-boot.enable = true;
@@ -25,6 +24,26 @@
  # List services that you want to enable:
  services.spotifyd = {
    enable = true;
    settings.global = {
      device_name = "georg";
      use_mpris = false;
      #dbus_type = "system";
      #zeroconf_port = 1234;
    };
  };
  networking.firewall.allowedTCPPorts = [
    # config.services.spotifyd.settings.zeroconf_port
    5353 # spotifyd is its own mDNS service wtf
  ];
  # This value determines the NixOS release from which the default
  # settings for stateful data, like file locations and database versions
  # on your system were taken. It‘s perfectly fine and recommended to leave
--- a/hosts/ildkule/configuration.nix
+++ b/hosts/ildkule/configuration.nix
@@ -1,16 +1,15 @@
-{ config, pkgs, values, ... }:
+{ config, fp, pkgs, lib, values, ... }:
 {
  imports = [
      # Include the results of the hardware scan.
      ./hardware-configuration.nix
-      ../../base.nix
+      (fp /base)
      ../../misc/metrics-exporters.nix
      ./services/monitoring
      ./services/nginx
    ];
-  sops.defaultSopsFile = ../../secrets/ildkule/ildkule.yaml;
+  sops.defaultSopsFile = fp /secrets/ildkule/ildkule.yaml;
  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
  sops.age.keyFile = "/var/lib/sops-nix/key.txt";
  sops.age.generateKey = true;
@@ -19,17 +18,37 @@
  boot.tmp.cleanOnBoot = true;
  zramSwap.enable = true;
-  networking.hostName = "ildkule"; # Define your hostname.
+  # Openstack Neutron and systemd-networkd are not best friends, use something else:
-  systemd.network.networks."30-all" = values.defaultNetworkConfig // {
+  systemd.network.enable = lib.mkForce false;
-    matchConfig.Name = "en*";
+  networking = let
-    DHCP = "yes";
+    hostConf = values.hosts.ildkule;
-    gateway = [ ];
+  in {
    hostName = "ildkule";
    tempAddresses = "disabled";
    useDHCP = lib.mkForce true;
    search = values.defaultNetworkConfig.domains;
    nameservers = values.defaultNetworkConfig.dns;
    defaultGateway.address = hostConf.ipv4_internal_gw;
    interfaces."ens4" = {
      ipv4.addresses = [
        { address = hostConf.ipv4;          prefixLength = 32; }
        { address = hostConf.ipv4_internal; prefixLength = 24; }
      ];
      ipv6.addresses = [
        { address = hostConf.ipv6;          prefixLength = 64; }
      ];
    };
  };
  # List packages installed in system profile
  environment.systemPackages = with pkgs; [
  ];
  # No devices with SMART
  services.smartd.enable = false;
  system.stateVersion = "23.11"; # Did you read the comment?
 }
--- a/hosts/ildkule/hardware-configuration.nix
+++ b/hosts/ildkule/hardware-configuration.nix
@@ -3,7 +3,14 @@
  imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi" ];
  boot.initrd.kernelModules = [ "nvme" ];
-  fileSystems."/" = { device = "/dev/vda1"; fsType = "ext4"; };
+  fileSystems."/" = {
    device = "/dev/disk/by-uuid/e35eb4ce-aac3-4f91-8383-6e7cd8bbf942";
    fsType = "ext4";
  };
  fileSystems."/data" = {
    device = "/dev/disk/by-uuid/0a4c1234-02d3-4b53-aeca-d95c4c8d534b";
    fsType = "ext4";
  };
  networking.useDHCP = lib.mkDefault true;
 }
--- a/hosts/ildkule/services/monitoring/dashboards/gitea-dashboard.json
+++ b/hosts/ildkule/services/monitoring/dashboards/gitea-dashboard.json
--- a/hosts/ildkule/services/monitoring/grafana.nix
+++ b/hosts/ildkule/services/monitoring/grafana.nix
@@ -34,13 +34,13 @@ in {
        {
          name = "Ildkule Prometheus";
          type = "prometheus";
-          url = ("http://${config.services.prometheus.listenAddress}:${toString config.services.prometheus.port}");
+          url = "http://${config.services.prometheus.listenAddress}:${toString config.services.prometheus.port}";
          isDefault = true;
        }
        {
          name = "Ildkule loki";
          type = "loki";
-          url = ("http://${config.services.loki.configuration.server.http_listen_address}:${toString config.services.loki.configuration.server.http_listen_port}");
+          url = "http://${config.services.loki.configuration.server.http_listen_address}:${toString config.services.loki.configuration.server.http_listen_port}";
        }
      ];
      dashboards.settings.providers = [
@@ -56,13 +56,12 @@ in {
          url = "https://raw.githubusercontent.com/matrix-org/synapse/develop/contrib/grafana/synapse.json";
          options.path = dashboards/synapse.json;
        }
-	# TODO: enable once https://github.com/NixOS/nixpkgs/pull/242365 gets merged
+        {
-	# {
+          name = "MySQL";
-	#   name = "MySQL";
+          type = "file";
-	#   type = "file";
+          url = "https://raw.githubusercontent.com/prometheus/mysqld_exporter/main/mysqld-mixin/dashboards/mysql-overview.json";
-	#   url = "https://raw.githubusercontent.com/prometheus/mysqld_exporter/main/mysqld-mixin/dashboards/mysql-overview.json";
+          options.path = dashboards/mysql.json;
-	#   options.path = dashboards/mysql.json;
+        }
 	# }
        {
          name = "Postgresql";
          type = "file";
@@ -75,6 +74,12 @@ in {
          url = "https://grafana.com/api/dashboards/240/revisions/3/download";
          options.path = dashboards/go-processes.json;
        }
        {
          name = "Gitea Dashboard";
          type = "file";
          url = "https://grafana.com/api/dashboards/17802/revisions/3/download";
          options.path = dashboards/gitea-dashboard.json;
        }
      ];
    };
--- a/hosts/ildkule/services/monitoring/loki.nix
+++ b/hosts/ildkule/services/monitoring/loki.nix
@@ -2,6 +2,7 @@
 let
  cfg = config.services.loki;
  stateDir = "/data/monitoring/loki";
 in {
  services.loki = {
    enable = true;
@@ -16,7 +17,7 @@ in {
      ingester = {
        wal = {
          enabled = true;
-          dir = "/var/lib/loki/wal";
+          dir = "${stateDir}/wal";
        };
        lifecycler = {
          address = "127.0.0.1";
@@ -48,33 +49,30 @@ in {
      storage_config = {
        boltdb_shipper = {
-          active_index_directory = "/var/lib/loki/boltdb-shipper-index";
+          active_index_directory = "${stateDir}/boltdb-shipper-index";
-          cache_location = "/var/lib/loki/boltdb-shipper-cache";
+          cache_location = "${stateDir}/boltdb-shipper-cache";
          # shared_store = "filesystem";
          cache_ttl = "24h";
        };
        filesystem = {
-          directory = "/var/lib/loki/chunks";
+          directory = "${stateDir}/chunks";
        };
      };
      limits_config = {
        allow_structured_metadata = false;
        # enforce_metric_name = false;
        reject_old_samples = true;
        reject_old_samples_max_age = "72h";
      };
      compactor = {
-        working_directory = "/var/lib/loki/compactor";
+        working_directory = "${stateDir}/compactor";
        # shared_store = "filesystem";
      };
      # ruler = {
      #   storage = {
      #     type = "local";
      #     local = {
-      #       directory = "/var/lib/loki/rules";
+      #       directory = "${stateDir}/rules";
      #     };
      #   };
      #   rule_path = "/etc/loki/rules";
--- a/hosts/ildkule/services/monitoring/prometheus/default.nix
+++ b/hosts/ildkule/services/monitoring/prometheus/default.nix
@@ -1,18 +1,26 @@
-{ config, ... }: {
+{ config, ... }: let
  stateDir = "/data/monitoring/prometheus";
 in {
  imports = [
-    ./gogs.nix
+    ./exim.nix
    ./gitea.nix
    ./machines.nix
    ./matrix-synapse.nix
-    # TODO: enable once https://github.com/NixOS/nixpkgs/pull/242365 gets merged
+    ./mysqld.nix
    # ./mysqld.nix
    ./node.nix
    ./postgres.nix
  ];
  services.prometheus = {
    enable = true;
    listenAddress = "127.0.0.1";
    port = 9001;
    ruleFiles = [ rules/synapse-v2.rules ];
  };
  fileSystems."/var/lib/prometheus2" = {
    device = stateDir;
    options = [ "bind" ];
  };
 }
--- a/hosts/ildkule/services/monitoring/prometheus/exim.nix
+++ b/hosts/ildkule/services/monitoring/prometheus/exim.nix
@@ -0,0 +1,14 @@
 { ... }:
 {
  services.prometheus = {
    scrapeConfigs = [
      {
        job_name = "exim";
        scrape_interval = "15s";
        static_configs = [{
          targets = [ "microbel.pvv.ntnu.no:9636" ];
        }];
      }
    ];
  };
 }
--- a/hosts/ildkule/services/monitoring/prometheus/gitea.nix
+++ b/hosts/ildkule/services/monitoring/prometheus/gitea.nix
@@ -0,0 +1,16 @@
 { ... }:
 {
  services.prometheus.scrapeConfigs = [{
    job_name = "gitea";
    scrape_interval = "60s";
    scheme = "https";
    static_configs = [
      {
        targets = [
          "git.pvv.ntnu.no:443"
        ];
      }
    ];
  }];
 }
--- a/hosts/ildkule/services/monitoring/prometheus/gogs.nix
+++ b/hosts/ildkule/services/monitoring/prometheus/gogs.nix
@@ -1,16 +0,0 @@
 { config, ... }: let
  cfg = config.services.prometheus;
 in {
  services.prometheus.scrapeConfigs = [{
    job_name = "git-gogs";
    scheme = "https";
    metrics_path = "/-/metrics";
    static_configs = [
      {
        targets = [
          "essendrop.pvv.ntnu.no:443"
        ];
      }
    ];
  }];
 }
--- a/hosts/ildkule/services/monitoring/prometheus/machines.nix
+++ b/hosts/ildkule/services/monitoring/prometheus/machines.nix
@@ -0,0 +1,37 @@
 { config, ... }: let
  cfg = config.services.prometheus;
  mkHostScrapeConfig = name: ports: {
    labels.hostname = name;
    targets = map (port: "${name}.pvv.ntnu.no:${toString port}") ports;
  };
  defaultNodeExporterPort = 9100;
  defaultSystemdExporterPort = 9101;
  defaultNixosExporterPort = 9102;
 in {
  services.prometheus.scrapeConfigs = [{
    job_name = "base_info";
    static_configs = [
      (mkHostScrapeConfig "ildkule" [ cfg.exporters.node.port cfg.exporters.systemd.port defaultNixosExporterPort ])
      (mkHostScrapeConfig "bekkalokk" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
      (mkHostScrapeConfig "bicep" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
      (mkHostScrapeConfig "brzeczyszczykiewicz" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
      (mkHostScrapeConfig "georg" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
      (mkHostScrapeConfig "kommode" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
      (mkHostScrapeConfig "ustetind" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
      (mkHostScrapeConfig "wenche" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
      (mkHostScrapeConfig "lupine-1" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
      # (mkHostScrapeConfig "lupine-2" [ defaultNodeExporterPort defaultSystemdExporterPort ])
      (mkHostScrapeConfig "lupine-3" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
      (mkHostScrapeConfig "lupine-4" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
      (mkHostScrapeConfig "lupine-5" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
      (mkHostScrapeConfig "hildring" [ defaultNodeExporterPort ])
      (mkHostScrapeConfig "isvegg" [ defaultNodeExporterPort ])
      (mkHostScrapeConfig "microbel" [ defaultNodeExporterPort ])
    ];
  }];
 }
--- a/hosts/ildkule/services/monitoring/prometheus/mysqld.nix
+++ b/hosts/ildkule/services/monitoring/prometheus/mysqld.nix
@@ -1,7 +1,22 @@
 { config, ... }: let
  cfg = config.services.prometheus;
 in {
-  sops.secrets."config/mysqld_exporter" = { };
+  sops = {
    secrets."config/mysqld_exporter_password" = { };
    templates."mysqld_exporter.conf" = {
      restartUnits = [ "prometheus-mysqld-exporter.service" ];
      content = let
        inherit (config.sops) placeholder;
      in ''
        [client]
        host = mysql.pvv.ntnu.no
        port = 3306
        user = prometheus_mysqld_exporter
        password = ${placeholder."config/mysqld_exporter_password"}
      '';
    };
  };
  services.prometheus = {
    scrapeConfigs = [{
@@ -19,7 +34,7 @@ in {
    exporters.mysqld = {
      enable = true;
-      configFilePath = config.sops.secrets."config/mysqld_exporter".path;
+      configFile = config.sops.templates."mysqld_exporter.conf".path;
    };
  };
 }
--- a/hosts/ildkule/services/monitoring/prometheus/node.nix
+++ b/hosts/ildkule/services/monitoring/prometheus/node.nix
@@ -1,22 +0,0 @@
 { config, ... }: let
  cfg = config.services.prometheus;
 in {
  services.prometheus.scrapeConfigs = [{
    job_name = "node";
    static_configs = [
      {
        targets = [
          "ildkule.pvv.ntnu.no:${toString cfg.exporters.node.port}"
          "microbel.pvv.ntnu.no:9100"
          "isvegg.pvv.ntnu.no:9100"
          "knakelibrak.pvv.ntnu.no:9100"
          "hildring.pvv.ntnu.no:9100"
          "bicep.pvv.ntnu.no:9100"
          "essendrop.pvv.ntnu.no:9100"
          "andresbu.pvv.ntnu.no:9100"
          "bekkalokk.pvv.ntnu.no:9100"
        ];
      }
    ];
  }];
 }
--- a/hosts/ildkule/services/monitoring/uptime-kuma.nix
+++ b/hosts/ildkule/services/monitoring/uptime-kuma.nix
@@ -2,6 +2,7 @@
 let
  cfg = config.services.uptime-kuma;
  domain = "status.pvv.ntnu.no";
  stateDir = "/data/monitoring/uptime-kuma";
 in {
  services.uptime-kuma = {
    enable = true;
@@ -17,4 +18,9 @@ in {
    kTLS = true;
    locations."/".proxyPass = "http://${cfg.settings.HOST}:${cfg.settings.PORT}";
  };
  fileSystems."/var/lib/uptime-kuma" = {
    device = stateDir;
    options = [ "bind" ];
  };
 }
--- a/hosts/kommode/configuration.nix
+++ b/hosts/kommode/configuration.nix
@@ -0,0 +1,32 @@
 { pkgs, values, fp, ... }:
 {
  imports = [
    # Include the results of the hardware scan.
    ./hardware-configuration.nix
    (fp /base)
    ./services/gitea
    ./services/nginx.nix
  ];
  sops.defaultSopsFile = fp /secrets/kommode/kommode.yaml;
  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
  sops.age.keyFile = "/var/lib/sops-nix/key.txt";
  sops.age.generateKey = true;
  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;
  networking.hostName = "kommode"; # Define your hostname.
  systemd.network.networks."30-ens18" = values.defaultNetworkConfig // {
    matchConfig.Name = "ens18";
    address = with values.hosts.kommode; [ (ipv4 + "/25") (ipv6 + "/64") ];
  };
  services.btrfs.autoScrub.enable = true;
  environment.systemPackages = with pkgs; [];
  system.stateVersion = "24.11";
 }
--- a/hosts/kommode/hardware-configuration.nix
+++ b/hosts/kommode/hardware-configuration.nix
@@ -8,17 +8,32 @@
    [ (modulesPath + "/profiles/qemu-guest.nix")
    ];
-  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_blk" ];
+  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ ];
  boot.extraModulePackages = [ ];
  fileSystems."/" =
    { device = "/dev/disk/by-uuid/d421538f-a260-44ae-8e03-47cac369dcc1";
      fsType = "btrfs";
    };
  fileSystems."/boot" =
    { device = "/dev/disk/by-uuid/86CD-4C23";
      fsType = "vfat";
      options = [ "fmask=0077" "dmask=0077" ];
    };
  swapDevices =
    [ { device = "/dev/disk/by-uuid/4cfbb41e-801f-40dd-8c58-0a0c1a6025f6"; }
    ];
  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
  # (the default) this is the recommended approach. When using systemd-networkd it's
  # still possible to use this option, but it's recommended to use it in conjunction
  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
  networking.useDHCP = lib.mkDefault true;
-  # networking.interfaces.ens3.useDHCP = lib.mkDefault true;
+  # networking.interfaces.ens18.useDHCP = lib.mkDefault true;
  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
 }
--- a/hosts/kommode/services/gitea/customization/default.nix
+++ b/hosts/kommode/services/gitea/customization/default.nix
@@ -0,0 +1,63 @@
 { config, pkgs, lib, fp, ... }:
 let
  cfg = config.services.gitea;
 in
 {
  services.gitea-themes = {
    monokai = pkgs.gitea-theme-monokai;
    earl-grey = pkgs.gitea-theme-earl-grey;
    pitch-black = pkgs.gitea-theme-pitch-black;
    catppuccin = pkgs.gitea-theme-catppuccin;
  };
  systemd.services.gitea-customization = lib.mkIf cfg.enable {
    description = "Install extra customization in gitea's CUSTOM_DIR";
    wantedBy = [ "gitea.service" ];
    requiredBy = [ "gitea.service" ];
    serviceConfig =  {
      Type = "oneshot";
      User = cfg.user;
      Group = cfg.group;
    };
    script = let
      logo-svg = fp /assets/logo_blue_regular.svg;
      logo-png = fp /assets/logo_blue_regular.png;
      extraLinks = pkgs.writeText "gitea-extra-links.tmpl" ''
        <a class="item" href="https://git.pvv.ntnu.no/Drift/-/projects/4">Tokyo Drift Issues</a>
      '';
      extraLinksFooter = pkgs.writeText "gitea-extra-links-footer.tmpl" ''
        <a class="item" href="https://www.pvv.ntnu.no/">PVV</a>
        <a class="item" href="https://wiki.pvv.ntnu.no/">Wiki</a>
        <a class="item" href="https://wiki.pvv.ntnu.no/wiki/Tjenester/Kodelager">PVV Gitea Howto</a>
      '';
      project-labels = (pkgs.formats.yaml { }).generate "gitea-project-labels.yaml" {
        labels = lib.importJSON ./labels/projects.json;
      };
      customTemplates = pkgs.runCommandLocal "gitea-templates" {
        nativeBuildInputs = with pkgs; [
          coreutils
          gnused
        ];
      } ''
        # Bigger icons
        install -Dm444 "${cfg.package.src}/templates/repo/icon.tmpl" "$out/repo/icon.tmpl"
        sed -i -e 's/24/60/g' "$out/repo/icon.tmpl"
      '';
    in ''
      install -Dm444 ${logo-svg} ${cfg.customDir}/public/assets/img/logo.svg
      install -Dm444 ${logo-png} ${cfg.customDir}/public/assets/img/logo.png
      install -Dm444 ${./loading.apng} ${cfg.customDir}/public/assets/img/loading.png
      install -Dm444 ${extraLinks} ${cfg.customDir}/templates/custom/extra_links.tmpl
      install -Dm444 ${extraLinksFooter} ${cfg.customDir}/templates/custom/extra_links_footer.tmpl
      install -Dm444 ${project-labels} ${cfg.customDir}/options/label/project-labels.yaml
      "${lib.getExe pkgs.rsync}" -a "${customTemplates}/" ${cfg.customDir}/templates/
    '';
  };
 }
--- a/hosts/kommode/services/gitea/customization/labels/projects.json
+++ b/hosts/kommode/services/gitea/customization/labels/projects.json
@@ -0,0 +1,116 @@
 [
  {
    "name": "art",
    "exclusive": false,
    "color": "#006b75",
    "description": "Requires some creativity"
  },
  {
    "name": "big",
    "exclusive": false,
    "color": "#754bc4",
    "description": "This is gonna take a while"
  },
  {
    "name": "blocked",
    "exclusive": false,
    "color": "#850021",
    "description": "This issue/PR depends on one or more other issues/PRs"
  },
  {
    "name": "bug",
    "exclusive": false,
    "color": "#f05048",
    "description": "Something brokey"
  },
  {
    "name": "ci-cd",
    "exclusive": false,
    "color": "#d1ff78",
    "description": "Continuous integrals and continuous derivation"
  },
  {
    "name": "crash report",
    "exclusive": false,
    "color": "#ed1111",
    "description": "Report an oopsie"
  },
  {
    "name": "disputed",
    "exclusive": false,
    "color": "#5319e7",
    "description": "Kranglefanter"
  },
  {
    "name": "documentation",
    "exclusive": false,
    "color": "#fbca04",
    "description": "Documentation changes required"
  },
  {
    "name": "duplicate",
    "exclusive": false,
    "color": "#cccccc",
    "description": "This issue or pull request already exists"
  },
  {
    "name": "feature request",
    "exclusive": false,
    "color": "#0052cc",
    "description": ""
  },
  {
    "name": "good first issue",
    "exclusive": false,
    "color": "#009800",
    "description": "Get your hands dirty with a new project here"
  },
  {
    "name": "me gusta",
    "exclusive": false,
    "color": "#30ff36",
    "description": "( ͡° ͜ʖ ͡°)"
  },
  {
    "name": "packaging",
    "exclusive": false,
    "color": "#bf642b",
    "description": ""
  },
  {
    "name": "question",
    "exclusive": false,
    "color": "#cc317c",
    "description": ""
  },
  {
    "name": "security",
    "exclusive": false,
    "color": "#ed1111",
    "description": "Skommel"
  },
  {
    "name": "techdebt spring cleaning",
    "exclusive": false,
    "color": "#8c6217",
    "description": "The code is smelly 👃"
  },
  {
    "name": "testing",
    "exclusive": false,
    "color": "#52b373",
    "description": "Poke it and see if it explodes"
  },
  {
    "name": "ui/ux",
    "exclusive": false,
    "color": "#f28852",
    "description": "User complaints about ergonomics and economics and whatever"
  },
  {
    "name": "wontfix",
    "exclusive": false,
    "color": "#ffffff",
    "description": "Nei, vil ikke"
  }
 ]
--- a/Show More
+++ b/Show More