fixup! WIP: enable gickup on bicep

.sops.yaml

@@ -104,9 +104,3 @@ creation_rules:
       - *user_pederbs_bjarte
       pgp:
       - *user_oysteikt
-
-  - path_regex: secrets/skrott/[^/]+\.yaml$
-    key_groups:
-    - age:
-      - *user_danio
-      - *user_eirikwit

base/services/nginx.nix

@@ -20,14 +20,14 @@
     recommendedGzipSettings = true;
 
     appendConfig = ''
-      # pcre_jit on;
+      pcre_jit on;
       worker_processes auto;
       worker_rlimit_nofile 100000;
     '';
     eventsConfig = ''
       worker_connections 2048;
       use epoll;
-      # multi_accept on;
+      multi_accept on;
     '';
   };
 

flake.lock

@@ -1,26 +1,5 @@
 {
   "nodes": {
-    "dibbler": {
-      "inputs": {
-        "flake-utils": "flake-utils",
-        "nixpkgs": [
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1747505135,
-        "narHash": "sha256-kfDCvIbNKePKpJCXST2V1bwWHtsgFOL/E7DvQbBygsQ=",
-        "ref": "refs/heads/main",
-        "rev": "0844843e595be617f683fbc245c944edd2bc6aa8",
-        "revCount": 209,
-        "type": "git",
-        "url": "https://git.pvv.ntnu.no/Projects/dibbler.git"
-      },
-      "original": {
-        "type": "git",
-        "url": "https://git.pvv.ntnu.no/Projects/dibbler.git"
-      }
-    },
     "disko": {
       "inputs": {
         "nixpkgs": [
@@ -41,23 +20,6 @@
         "type": "github"
       }
     },
-    "flake-utils": {
-      "inputs": {
-        "systems": "systems"
-      },
-      "locked": {
-        "lastModified": 1731533236,
-        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
-        "type": "github"
-      },
-      "original": {
-        "id": "flake-utils",
-        "type": "indirect"
-      }
-    },
     "gergle": {
       "inputs": {
         "nixpkgs": [
@@ -249,7 +211,6 @@
     },
     "root": {
       "inputs": {
-        "dibbler": "dibbler",
         "disko": "disko",
         "gergle": "gergle",
         "greg-ng": "greg-ng",
@@ -304,21 +265,6 @@
         "repo": "sops-nix",
         "type": "github"
       }
-    },
-    "systems": {
-      "locked": {
-        "lastModified": 1681028828,
-        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
-        "owner": "nix-systems",
-        "repo": "default",
-        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-systems",
-        "repo": "default",
-        "type": "github"
-      }
     }
   },
   "root": "root",

flake.nix

@@ -31,9 +31,6 @@
     grzegorz-clients.inputs.nixpkgs.follows = "nixpkgs";
 
     minecraft-data.url = "git+https://git.pvv.ntnu.no/Projects/minecraft-kartverket.git";
-
-    dibbler.url = "git+https://git.pvv.ntnu.no/Projects/dibbler.git";
-    dibbler.inputs.nixpkgs.follows = "nixpkgs";
   };
 
   outputs = { self, nixpkgs, nixpkgs-unstable, sops-nix, disko, ... }@inputs:
@@ -162,20 +159,13 @@
           inputs.gergle.overlays.default
         ];
       };
-      skrott = stableNixosConfig "skrott" {
-        modules = [
-          ./hosts/skrott/configuration.nix
-          inputs.dibbler.nixosModules.default
-          sops-nix.nixosModules.sops
-        ];
-      };
     };
 
     nixosModules = {
       snakeoil-certs = ./modules/snakeoil-certs.nix;
       snappymail = ./modules/snappymail.nix;
       robots-txt = ./modules/robots-txt.nix;
-      gickup = ./modules/gickup;
+      gickup = ./modules/gickup.nix;
     };
 
     devShells = forAllSystems (system: {

hosts/bicep/services/git-mirrors/default.nix

@@ -1,7 +1,4 @@
-{ config, pkgs, lib, fp, ... }:
+{ config, ... }:
-let
-  cfg = config.services.gickup;
-in
 {
   sops.secrets."gickup/github-token" = {
     owner = "gickup";
@@ -10,8 +7,6 @@ in
   services.gickup = {
     enable = true;
 
-    dataDir = "/data/gickup";
-
     destinationSettings = {
       structured = true;
       zip = false;
@@ -22,79 +17,51 @@ in
 
     instances = let
       defaultGithubConfig = {
-        settings.token_file = config.sops.secrets."gickup/github-token".path;
+        settings.token_file = sops.secrets."gickup/github-token".path;
       };
       defaultGitlabConfig = {
         # settings.token_file = ...
       };
     in {
-      "github:Git-Mediawiki/Git-Mediawiki" = defaultGithubConfig;
-      "github:NixOS/nixpkgs" = defaultGithubConfig;
       "github:go-gitea/gitea" = defaultGithubConfig;
-      "github:heimdal/heimdal" = defaultGithubConfig;
-      "github:saltstack/salt" = defaultGithubConfig;
-      "github:typst/typst" = defaultGithubConfig;
       "github:unmojang/FjordLauncher" = defaultGithubConfig;
       "github:unmojang/drasl" = defaultGithubConfig;
+      "github:NixOS/nixpkgs" = defaultGithubConfig;
+      "github:saltstack/salt" = defaultGithubConfig;
+      "github:heimdal/heimdal" = defaultGithubConfig;
       "github:yushijinhun/authlib-injector" = defaultGithubConfig;
+      "github:Git-Mediawiki/Git-Mediawiki" = defaultGithubConfig;
 
-      "gitlab:mx-puppet/discord/better-discord.js" = defaultGitlabConfig;
+      # "gitlab:mx-puppet/discord/better-discord.js" = defaultGitlabConfig;
-      "gitlab:mx-puppet/discord/discord-markdown" = defaultGitlabConfig;
+      # "gitlab:mx-puppet/discord/matrix-discord-parser" = defaultGitlabConfig;
-      "gitlab:mx-puppet/discord/matrix-discord-parser" = defaultGitlabConfig;
+      # "gitlab:mx-puppet/discord/discord-markdown" = defaultGitlabConfig;
-      "gitlab:mx-puppet/discord/mx-puppet-discord" = defaultGitlabConfig;
+      # "gitlab:mx-puppet/discord/mx-puppet-discord" = defaultGitlabConfig;
-      "gitlab:mx-puppet/mx-puppet-bridge" = defaultGitlabConfig;
+      # "gitlab:mx-puppet/mx-puppet-bridge" = defaultGitlabConfig;
 
       "any:glibc" = {
         settings.url = "https://sourceware.org/git/glibc.git";
       };
-
-      "any:out-of-your-element" = {
-        settings.url = "https://gitdab.com/cadence/out-of-your-element.git";
-      };
-
-      "any:out-of-your-element-module" = {
-        settings.url = "https://cgit.rory.gay/nix/OOYE-module.git";
-      };
     };
   };
 
-  services.cgit = let
+  # services.cgit = let
-    domain = "bicep.pvv.ntnu.no";
+  #   domain = "mirrors.pvv.ntnu.no";
-  in {
+  # in {
-    ${domain} = {
+  #   ${domain} = {
-      enable = true;
+  #     enable = true;
-      package = pkgs.callPackage (fp /packages/cgit.nix) { };
+  #     group = "gickup";
-      group = "gickup";
+  #     scanPath = "/var/lib/gickup";
-      scanPath = "${cfg.dataDir}/linktree";
+  #     settings = {
-      settings = {
+  #       enable-commit-graph = true;
-        enable-commit-graph = true;
+  #       enable-follow-links = true;
-        enable-follow-links = true;
+  #       enable-http-clone = true;
-        enable-http-clone = true;
+  #       enable-remote-branches = true;
-        enable-remote-branches = true;
+  #       clone-url = "https://${domain}/$CGIT_REPO_URL";
-        clone-url = "https://${domain}/$CGIT_REPO_URL";
+  #       remove-suffix = true;
-        remove-suffix = true;
+  #       root-title = "https://${domain}";
-        root-title = "PVVSPPP";
+  #       root-desc = "PVV's repository mirroring service";
-        root-desc = "PVV Speiler Praktisk og Prominent Programvare";
+  #       snapshots = "all";
-        snapshots = "all";
+  #     };
-        logo = "/PVV-logo.png";
+  #   };
-      };
+  # };
-    };
-  };
-
-  services.nginx.virtualHosts."bicep.pvv.ntnu.no" = {
-    forceSSL = true;
-    enableACME = true;
-
-    locations."= /PVV-logo.png".alias = let
-      small-pvv-logo = pkgs.runCommandLocal "pvv-logo-96x96" {
-        nativeBuildInputs = [ pkgs.imagemagick ];
-      } ''
-        magick '${fp /assets/logo_blue_regular.svg}' -resize 96x96 PNG:"$out"
-      '';
-    in toString small-pvv-logo;
-  };
-
-  systemd.services."fcgiwrap-cgit-bicep.pvv.ntnu.no" = {
-    serviceConfig.BindReadOnlyPaths = [ cfg.dataDir ];
-  };
 }

hosts/skrott/configuration.nix

@@ -1,27 +0,0 @@
-{ fp, config, pkgs, values, ... }:
-{
-  imports = [
-    # Include the results of the hardware scan.
-    ./hardware-configuration.nix
-    (fp /base)
-    (fp /misc/metrics-exporters.nix)
-    # ./services/dibbler.nix
-  ];
-  
-  sops.defaultSopsFile = ../../secrets/skrott/skrott.yaml;
-  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
-  sops.age.keyFile = "/var/lib/sops-nix/key.txt";
-  sops.age.generateKey = true;
-
-  boot.loader.systemd-boot.enable = true;
-  boot.loader.efi.canTouchEfiVariables = true;
-
-  networking.hostName = "skrott";
-
-  systemd.network.networks."30-yolo" = values.defaultNetworkConfig // {
-    matchConfig.Name = "*";
-    address = with values.hosts.skrott; [ (ipv4 + "/25") (ipv6 + "/64") ];
-  };
-
-  system.stateVersion = "24.11";
-}

hosts/skrott/hardware-configuration.nix

@@ -1,40 +0,0 @@
-# Do not modify this file!  It was generated by ‘nixos-generate-config’
-# and may be overwritten by future invocations.  Please make changes
-# to /etc/nixos/configuration.nix instead.
-{ config, lib, pkgs, modulesPath, ... }:
-
-{
-  imports =
-    [ (modulesPath + "/installer/scan/not-detected.nix")
-    ];
-
-  boot.initrd.availableKernelModules = [ "uhci_hcd" "ehci_pci" "hpsa" "ohci_pci" "usbhid" "sd_mod" ];
-  boot.initrd.kernelModules = [ ];
-  boot.kernelModules = [ "kvm-intel" ];
-  boot.extraModulePackages = [ ];
-
-  fileSystems."/" =
-    { device = "/dev/disk/by-uuid/31a67903-dc00-448a-a24a-36e820318fe5";
-      fsType = "ext4";
-    };
-
-  fileSystems."/data" =
-    { device = "/dev/disk/by-uuid/79e93eed-ad95-45c9-b115-4ef92afcc8c0";
-      fsType = "f2fs";
-    };
-
-  swapDevices = [ ];
-
-  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
-  # (the default) this is the recommended approach. When using systemd-networkd it's
-  # still possible to use this option, but it's recommended to use it in conjunction
-  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
-  networking.useDHCP = lib.mkDefault true;
-  # networking.interfaces.enp6s0f0.useDHCP = lib.mkDefault true;
-  # networking.interfaces.enp6s0f1.useDHCP = lib.mkDefault true;
-  # networking.interfaces.enp6s0f2.useDHCP = lib.mkDefault true;
-  # networking.interfaces.enp6s0f3.useDHCP = lib.mkDefault true;
-
-  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
-  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
-}

hosts/skrott/services/dibbler.nix

@@ -1,28 +0,0 @@
-{ config, inputs, ... }:
-{
-  sops.secrets = {
-    "dibbler/config" = {
-      owner = "dibbler";
-      group = "dibbler";
-    };
-  };
-
-  services.dibbler = {
-    enable = true;
-    package = inputs.dibbler.packages.dibbler;
-    settings = {
-      quit_allowed = false;
-      stop_allowed = false;
-      show_tracebacks = true;
-      input_encoding = "utf8";
-
-      low_credit_warning_limit = -100;
-      user_recent_transaction_limit = 20;
-
-      # See https://pypi.org/project/brother_ql/ for label types
-      # Set rotate to False for endless labels
-      label_type = "62";
-      label_rotate = false;
-    };
-  };
-}

modules/gickup.nix

@@ -4,13 +4,6 @@ let
   format = pkgs.formats.yaml { };
 in
 {
-  imports = [
-    ./set-description.nix
-    ./hardlink-files.nix
-    ./import-from-toml.nix
-    ./update-linktree.nix
-  ];
-
   options.services.gickup = {
     enable = lib.mkEnableOption "gickup, a git repository mirroring service";
 
@@ -18,13 +11,6 @@ in
     gitPackage = lib.mkPackageOption pkgs "git" { };
     gitLfsPackage = lib.mkPackageOption pkgs "git-lfs" { };
 
-    dataDir = lib.mkOption {
-      type = lib.types.path;
-      description = "The directory to mirror repositories to.";
-      default = "/var/lib/gickup";
-      example = "/data/gickup";
-    };
-
     destinationSettings = lib.mkOption {
       description = ''
         Settings for destination local, see gickup configuration file
@@ -57,6 +43,7 @@ in
                     (lib.removePrefix "${repoType}:")
                     (lib.splitString "/")
                     builtins.head
+                    lib.toLower
                   ];
 
           repo = if repoType == "any"
@@ -65,11 +52,12 @@ in
                     (lib.removePrefix "${repoType}:")
                     (lib.splitString "/")
                     lib.last
+                    lib.toLower
                   ];
 
           slug = if repoType == "any"
-                 then lib.toLower (builtins.replaceStrings [ ":" "/" ] [ "-" "-" ] submoduleName)
+                 then builtins.replaceStrings [ ":" "/" ] [ "-" "-" ] submoduleName
-                 else "${lib.toLower repoType}-${lib.toLower owner}-${lib.toLower repo}";
+                 else "${repoType}-${owner}-${repo}";
         };
       in {
         options = {
@@ -128,15 +116,6 @@ in
             '';
           };
 
-          description = lib.mkOption {
-            type = with lib.types; nullOr str;
-            example = "A project which does this and that";
-            description = ''
-              A description of the project. This isn't used directly by gickup for anything,
-              but can be useful if gickup is used together with cgit or similar.
-            '';
-          };
-
           settings = lib.mkOption {
             description = "Instance specific settings, see gickup configuration file";
             type = lib.types.submodule {
@@ -156,23 +135,7 @@ in
   };
 
   config = lib.mkIf cfg.enable {
-    users.users.gickup = {
+    services.gickup.destinationSettings.path = "/var/lib/gickup";
-      isSystemUser = true;
-      group = "gickup";
-      home = "/var/lib/gickup";
-    };
-
-    users.groups.gickup = { };
-
-    services.gickup.destinationSettings.path = "/var/lib/gickup/raw";
-
-    systemd.tmpfiles.settings."10-gickup" = lib.mkIf (cfg.dataDir != "/var/lib/gickup") {
-      ${cfg.dataDir}.d = {
-        user = "gickup";
-        group = "gickup";
-        mode = "0755";
-      };
-    };
 
     systemd.slices."system-gickup" = {
       description = "Gickup git repository mirroring service";
@@ -213,8 +176,7 @@ in
 
     systemd.targets.timers.wants = map ({ slug, ... }: "gickup@${slug}.timer") (lib.attrValues cfg.instances);
 
-    systemd.services = {
+    systemd.services."gickup@" = let
-      "gickup@" = let
       configDir = lib.pipe cfg.instances [
         (lib.mapAttrsToList (name: instance: {
           name = "${instance.slug}.yml";
@@ -244,31 +206,19 @@ in
         cfg.gitLfsPackage
       ];
 
-        restartIfChanged = false;
-
       serviceConfig = {
-          Type = "oneshot";
+        Slice = "system-gickup.slice";
-          ExecStart = "'${pkgs.gickup}/bin/gickup' '${configDir}/%i.yml'";
+        ExecStart = "'${pkgs.gickup}/bin/gickup' '${configDir}/%i.yml' --debug";
-          ExecStartPost = "";
 
         User = "gickup";
         Group = "gickup";
 
-          BindPaths = lib.optionals (cfg.dataDir != "/var/lib/gickup") [
-            "${cfg.dataDir}:/var/lib/gickup"
-          ];
-
-          Slice = "system-gickup.slice";
-
         SyslogIdentifier = "gickup-%i";
         StateDirectory = "gickup";
         # WorkingDirectory = "gickup";
         # RuntimeDirectory = "gickup";
         # RuntimeDirectoryMode = "0700";
 
-          # https://discourse.nixos.org/t/how-to-prevent-custom-systemd-service-from-restarting-on-nixos-rebuild-switch/43431
-          RemainAfterExit = true;
-
         # Hardening options
         AmbientCapabilities = [];
         LockPersonality = true;
@@ -305,6 +255,13 @@ in
         CapabilityBoundingSet = [];
       };
     };
+
+    users.users.gickup = {
+      isSystemUser = true;
+      group = "gickup";
+      home = "/var/lib/gickup";
     };
+
+    users.groups.gickup = { };
   };
 }

modules/gickup/hardlink-files.nix

@@ -1,42 +0,0 @@
-{ config, lib, pkgs, ... }:
-let
-  cfg = config.services.gickup;
-in
-{
-  config = lib.mkIf cfg.enable {
-    # TODO: add a service that will look at the backed up files and hardlink
-    #       the ones that have a matching hash together to save space. This can
-    #       either run routinely (i.e. trigger by systemd-timer), or be activated
-    #       whenever a gickup@<slug>.service finishes. The latter is probably better.
-
-    # systemd.services."gickup-hardlink" = {
-    #   serviceConfig = {
-    #     Type = "oneshot";
-    #     ExecStart = let
-    #       script = pkgs.writeShellApplication {
-    #         name = "gickup-hardlink-files.sh";
-    #         runtimeInputs = [ pkgs.coreutils pkgs.jdupes ];
-    #         text = ''
-
-    #         '';
-    #       };
-    #     in lib.getExe script;
-
-    #     User = "gickup";
-    #     Group = "gickup";
-
-    #     BindPaths = lib.optionals (cfg.dataDir != "/var/lib/gickup") [
-    #       "${cfg.dataDir}:/var/lib/gickup"
-    #     ];
-
-    #     Slice = "system-gickup.slice";
-
-    #     StateDirectory = "gickup";
-
-    #     # Hardening options
-    #     # TODO:
-    #     PrivateNetwork = true;
-    #   };
-    # };
-  };
-}

modules/gickup/import-from-toml.nix

@@ -1,11 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-let
-  cfg = config.services.gickup;
-in
-{
-  config = lib.mkIf cfg.enable {
-    # TODO: import cfg.instances from a toml file to make it easier for non-nix users
-    #       to add repositories to mirror
-  };
-}

modules/gickup/set-description.nix

@@ -1,9 +0,0 @@
-{ config, lib, pkgs, ... }:
-let
-  cfg = config.services.gickup;
-in
-{
-  config = lib.mkIf cfg.enable {
-    # TODO: create .git/description files for each repo where cfg.instances.<instance>.description is set
-  };
-}

modules/gickup/update-linktree.nix

@@ -1,84 +0,0 @@
-{ config, lib, pkgs, ... }:
-let
-  cfg = config.services.gickup;
-in
-{
-  config = lib.mkIf cfg.enable {
-    # TODO: run upon completion of cloning a repository
-    systemd.timers."gickup-linktree" = {
-      wantedBy = [ "timers.target" ];
-      timerConfig = {
-        OnCalendar = "daily";
-        Persistent = true;
-        Unit = "gickup-linktree.service";
-      };
-    };
-
-    # TODO: update symlink for one repo at a time (e.g. gickup-linktree@<instance>.service)
-    systemd.services."gickup-linktree" = {
-      serviceConfig = {
-        Type = "oneshot";
-        ExecStart = let
-          script = pkgs.writeShellApplication {
-            name = "gickup-update-symlink-tree.sh";
-            runtimeInputs = [
-              pkgs.coreutils
-              pkgs.findutils
-            ];
-            text = ''
-              shopt -s nullglob
-
-              for repository in ./*/*/*; do
-                REPOSITORY_RELATIVE_DIRS=''${repository#"./"}
-
-                echo "Checking $REPOSITORY_RELATIVE_DIRS"
-
-                declare -a REVISIONS
-                readarray -t REVISIONS < <(find "$repository" -mindepth 1 -maxdepth 1 -printf "%f\n" | sort --numeric-sort --reverse)
-
-                if [[ "''${#REVISIONS[@]}" == 0 ]]; then
-                  echo "Found no revisions for $repository, continuing"
-                  continue
-                fi
-
-                LAST_REVISION="''${REVISIONS[0]}"
-                SYMLINK_PATH="../linktree/''${REPOSITORY_RELATIVE_DIRS}"
-
-                mkdir -p "$(dirname "$SYMLINK_PATH")"
-
-                EXPECTED_SYMLINK_TARGET=$(realpath "''${repository}/''${LAST_REVISION}")
-                EXISTING_SYMLINK_TARGET=$(realpath "$SYMLINK_PATH" || echo "<none>")
-
-                if [[ "$EXISTING_SYMLINK_TARGET" != "$EXPECTED_SYMLINK_TARGET" ]]; then
-                  echo "Updating symlink for $REPOSITORY_RELATIVE_DIRS"
-                  rm "$SYMLINK_PATH" ||:
-                  ln -rs "$EXPECTED_SYMLINK_TARGET" "$SYMLINK_PATH"
-                else
-                  echo "Symlink already up to date, continuing..."
-                fi
-
-                echo "---"
-              done
-            '';
-          };
-        in lib.getExe script;
-
-        User = "gickup";
-        Group = "gickup";
-
-        BindPaths = lib.optionals (cfg.dataDir != "/var/lib/gickup") [
-          "${cfg.dataDir}:/var/lib/gickup"
-        ];
-
-        Slice = "system-gickup.slice";
-
-        StateDirectory = "gickup";
-        WorkingDirectory = "/var/lib/gickup/raw";
-
-        # Hardening options
-        # TODO:
-        PrivateNetwork = true;
-      };
-    };
-  };
-}

packages/cgit.nix

@@ -1,21 +0,0 @@
-{ cgit, fetchurl, ... }:
-let
-  pname = cgit.pname;
-  commit = "09d24d7cd0b7e85633f2f43808b12871bb209d69";
-in
-cgit.overrideAttrs (_: {
-  version = "1.2.3-unstable-2024.07.16";
-
-  src = fetchurl {
-    url = "https://git.zx2c4.com/cgit/snapshot/${pname}-${commit}.tar.xz";
-    hash = "sha256-gfgjAXnWRqVCP+4cmYOVdB/3OFOLJl2WBOc3bFVDsjw=";
-  };
-
-  # cgit is tightly coupled with git and needs a git source tree to build.
-  # IMPORTANT: Remember to check which git version cgit needs on every version
-  # bump (look for "GIT_VER" in the top-level Makefile).
-  gitSrc = fetchurl {
-    url = "mirror://kernel/software/scm/git/git-2.46.0.tar.xz";
-    hash = "sha256-fxI0YqKLfKPr4mB0hfcWhVTCsQ38FVx+xGMAZmrCf5U=";
-  };
-})

secrets/bicep/bicep.yaml

@@ -4,7 +4,7 @@ calendar-bot:
 mysql:
     password: ENC[AES256_GCM,data:KqEe0TVdeMIzPKsmFg9x0X9xWijnOk306ycyXTm2Tpqo/O0F,iv:Y+hlQ8n1ZIP9ncXBzd2kCSs/DWVTWhiEluFVwZFKRCA=,tag:xlaUk0Wftk62LpYE5pKNQw==,type:str]
 gickup:
-    github-token: ENC[AES256_GCM,data:H/yBDLIvEXunmaUha3c2vUWKLRIbl9QrC0t13AQDRCTnrvhabeiUFLNxZ/F+4B6sZ2aPSgZoB69WwnHvh1wLdiFp1qLWKW/jQPvzZOxE4n+jXrnSOutUWktbPzVj,iv:KFW4jRru93JIl9doVFtcNkJDWp89NlzWjPDflHxcL/U=,tag:YtgyRxkoZO9MkuP3DJh7zA==,type:str]
+    github-token: ENC[AES256_GCM,data:ICv6BP/kCrpx6qPCfdEeLK2NP/3iGmmv8hkHhHdwD1qyQb5g4NYBkm+OyRM4F75WUpg3j80x7I4k1vuSeVLzOldyIQ4uK00NQ58D8Ej/Wfm0ojMQM9g4Sr+6wyor,iv:TovZIU4Cs8nriYHXlCgnj3HV6c9F4A08xFOqrM3ls14=,tag:WwgM7z0ErREUvkafFK3AeQ==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -65,8 +65,8 @@ sops:
             cTh5bnJ3WW90aXRCSUp6NHFYeU1tZ0kK4afdtJwGNu6wLRI0fuu+mBVeqVeB0rgX
             0q5hwyzjiRnHnyjF38CmcGgydSfDRmF6P+WIMbCwXC6LwfRhAmBGPg==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-05-07T21:34:48Z"
+    lastmodified: "2025-05-07T20:27:27Z"
-    mac: ENC[AES256_GCM,data:n6GHD+nQmZL17WvUZiMCBLRHbtpoKU6U8o/Oraj0VSRi/pQ74QWGVEcIX87kFjBvR2C+UPd3KwXzjQHhjUfHpz9EjIGi6tXLTTo8K3ptd2wCL8MW418TVO4KV+BFmHGT4kwlbdoqaJ2SA7HcfXNaC68e/2CTXhtkLpIwGXtYWJA=,iv:iC5QX/JMwno4mBljPdorNmcQSD2wy/wOYvGrUoC2yzg=,tag:GuFNQ6+d6o9DYC6Do/IEqQ==,type:str]
+    mac: ENC[AES256_GCM,data:8K+epmSfXj8kne76KieVETzcinH/csyGRKIclGq0woKlSW/U6F8vhaRMQzw3Jvp/aCYYj0N5evmNsVwufgUmvBFovZ/aJ9wZXHRBrwBm9cqLxpb/inA5uB9adOQYXC6JF3RjqA/eKmXMLIuRck9WL65vB5XPny8iOZcgHJ/415w=,iv:21hG0/Ypy4EFWu4VjIgodQa7hFHyFuPSSSJtlIuLqJ8=,tag:I1d+p1V/ByJN+0pY76kOeQ==,type:str]
     pgp:
         - created_at: "2024-08-04T00:03:40Z"
           enc: |-

secrets/skrott/skrott.yaml

@@ -1,41 +0,0 @@
-hello: ENC[AES256_GCM,data:KRtCZhcS+LMV5oUivFDBjQo7m9XkaGbHKOW6N/SFRiyZA3eXSkVeltttUHhCrw==,iv:AXlyyW5gQvXu//jV/BVb79ASbKsfu5FFNnRmXNBbfg0=,tag:UVLWNgxtSFh4txCDWl5bPg==,type:str]
-example_key: ENC[AES256_GCM,data:7SpSse4uVUzCwCzbdQ==,iv:zUh9qk/T7LNOXMqToQozn2KeHu9HJtAKarU+Xb5xwi0=,tag:AyO1cflpYraiABPApfjL8A==,type:str]
-#ENC[AES256_GCM,data:NnvbBdwOv5xiqArBdyypGg==,iv:iFCVF8EL8xrKNaDcPOcWp65EoilnG0mN/ph/ZaafLS0=,tag:7pQcs8grVPZbbjr/tze4LQ==,type:comment]
-example_array:
-    - ENC[AES256_GCM,data:fd3mltqGVj7bXHEMmcY=,iv:wzTLHEgQ7bDfUlu01qtaU6fe8L1ZTqmDEBJYf1jttxc=,tag:53XJn1OdJBTEC2BvoSIG1A==,type:str]
-    - ENC[AES256_GCM,data:jZffrJgY0C0YuGIwxxk=,iv:PH+x0/4vm40w+YuCO3JlOqw5bdfaBT29m0YjKMRCFXg=,tag:rWSocVW9kimF5Dcs8lBuLQ==,type:str]
-example_number: ENC[AES256_GCM,data:lWYwd7RXk//H/w==,iv:lD62NqHV/o2QJft48l+0MSeoiGRQ1WFKDoD0sXUevqI=,tag:Ov8j/DqbFww27tDJhmaufA==,type:float]
-example_booleans:
-    - ENC[AES256_GCM,data:QEIQzw==,iv:sGfKE8VMl1uElsfG0Cip647jv/i1+eGE0UxgOM3i4uA=,tag:eWKw678aymRGa1fk8d7RSA==,type:bool]
-    - ENC[AES256_GCM,data:9czVwLg=,iv:OEKALhwOl0OcEJe+k9bhxxdZ/bNd/Xfcvrd40fwAwF8=,tag:CWBuPlcO9WgrSUb0BgfL9g==,type:bool]
-dibbler:
-    config: ENC[AES256_GCM,data:SVTe6MOansry+FKwdu3mDZna4vmu+UMwySfKrfImnGozLz2FYHLW+RvjWaRpa7aGInPfE/icYbSxbHrFIPcIGGlJHTKUlCqQ6km/qYh3UxggKGH1JeUEIgkyvgBXvofym8b5CzyfRXpm35fs+1Io7MWTpeDhmNVk1hVoIU/qR6o6NhOCeH00Gy3cqxCGqi4loJYa51BMNczcUMynwP/9lB2OOb7ogl2TbKXZOK2jwSDCTLJ8FrKcCtUcUnGqUp9VwgktxNrRtFwGohW2gAg2Oq2OR+00dpT2VS+gUtHabrcwft7ioZBmb7rrI4KxpJwG96CYqX90iQiltkwA57BqVByvaYhga4nwdVT48e76MIgBYcQX1WDolL8eEU5QPvhnbmU2mVjdD9SmapoHwBm2qM7LqmsMjqnH8ZHMdtETs6kzt227/QZdh7fc7kaIK1x3Lpxpl3whUMc+mrM8D9xFSjuyxSiF0h7tBH6H,iv:oGd6Dnw655bpwXjqW4niU5dN0RfUDY39hFfiiIc9vhQ=,tag:4CL6iqCiALp/k03Ju6OI/Q==,type:str]
-sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
-    age:
-        - recipient: age17tagmpwqjk3mdy45rfesrfey6h863x8wfq38wh33tkrlrywxducs0k6tpq
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpUlh2azlDTm9PRjJXQ2hO
-            MDlVbTdEN1RIVHkrbjIyY3pVVVlXY3M4eFNjCmJvZUNobVJHdnBhWjFHVVhmVVdX
-            aFloQVRyUXZsQ2g0bENQald6T2F3cEUKLS0tIGRuQjBXb2lzQnJQdDk0SzYwNUsx
-            SnhWdGZaTTVXbm4waW42ZUE0aWFtdDQKFLiRLCBHLAn43q7EPdc/mmQImltIsA5T
-            5ejVVvsva2wznc/pYvAeLb40yAwtszsNwH02SJ19WDz5wEARaQ8+8w==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1ju7rd26llahz3g8tz7cy5ld52swj8gsmg0flrmrxngc0nj0avq3ssh0sn5
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwd2w1YUtHaFZoNEFxMjF4
-            d1V2OFF4ZjFwNnpBWi9Cc3d1SHdqeVh4RDBzCmNLU3VWeVl4Z0ZPOUUvRjlsYzFZ
-            bjEwRlAweVcvME9nZTY1cmM4VHpXWVUKLS0tIHZJRjIveGoyQm02R0xaT2FEclFv
-            ZjhLdUhWdHp2N2krbkxqcHRoZVB6WkEK7uRAXYfI9LMfBXbHwitEVIyhGe6adIFz
-            9at0KEwLXePpR6bO9PM+T4am9V46Ygdq5iS8bSmX03832sK69pF9CA==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-03-16T22:32:52Z"
-    mac: ENC[AES256_GCM,data:A1kg0QtZN3gMnBz1uqllPK4WI4U/CE8yJh8rHJ9CQ9V2kJQA6Kk7XrESVMsBpIazI6GuN1s33v4hNpeXhns5DMSdpWgQdyz8OM4Kj2nGz5h/JxCYwKT0e3R5qy48e0dcM906SG08DVQCCsiBnXAFWymM9Hs2+dPAAWlCNiR0gME=,iv:SookZTJGT7F5vZU6uDr9gO1A6XuDmL1UXlyphYS2dsI=,tag:8S77OX8aJcCn3efY25k4Dw==,type:str]
-    pgp: []
-    unencrypted_suffix: _unencrypted
-    version: 3.8.1

values.nix

@@ -72,10 +72,6 @@ in rec {
       ipv4 = pvv-ipv4 240;
       ipv6 = pvv-ipv6 240;
     };
-    skrott = {
-      ipv4 = pvv-ipv4 235;
-      ipv6 = pvv-ipv6 235;
-    };
   };
 
   defaultNetworkConfig = {