add openwebui to bekkalokk services

This is not directly added to the configuration yet, just a start on the service config.
2026-01-09 08:58:24 +01:00 · 2024-12-14 21:30:12 +01:00
109 changed files with 2718 additions and 3914 deletions
--- a/.gitea/workflows/eval.yml
+++ b/.gitea/workflows/eval.yml
@@ -4,10 +4,10 @@ on:
  push:
 jobs:
  evals:
-    runs-on: debian-latest
+    runs-on: ubuntu-latest
    steps:
-    - uses: actions/checkout@v6
+    - uses: actions/checkout@v3
    - run: apt-get update && apt-get -y install sudo
-    - uses: https://github.com/cachix/install-nix-action@v31
+    - uses: https://github.com/cachix/install-nix-action@v23
    - run: echo -e "show-trace = true\nmax-jobs = auto\ntrusted-users = root\nexperimental-features = nix-command flakes\nbuild-users-group =" > /etc/nix/nix.conf
    - run: nix flake check
--- a/.mailmap
+++ b/.mailmap
@@ -1,25 +0,0 @@
 Daniel Løvbrøtte Olsen <danio@pvv.ntnu.no> <daniel.olsen99@gmail.com>
 Daniel Løvbrøtte Olsen <danio@pvv.ntnu.no> Daniel <danio@pvv.ntnu.no>
 Daniel Løvbrøtte Olsen <danio@pvv.ntnu.no> Daniel Lovbrotte Olsen <danio@pvv.ntnu.no>
 Daniel Løvbrøtte Olsen <danio@pvv.ntnu.no> Daniel Olsen <danio@pvv.ntnu.no>
 Daniel Løvbrøtte Olsen <danio@pvv.ntnu.no> danio <danio@pvv.ntnu.no>
 Daniel Løvbrøtte Olsen <danio@pvv.ntnu.no> Daniel Olsen <danio@bicep.pvv.ntnu.no>
 Øystein Kristoffer Tveit <oysteikt@pvv.ntnu.no> h7x4 <h7x4@nani.wtf>
 Øystein Kristoffer Tveit <oysteikt@pvv.ntnu.no> Øystein Tveit <oysteikt@pvv.ntnu.no>
 Øystein Kristoffer Tveit <oysteikt@pvv.ntnu.no> oysteikt <oysteikt@pvv.ntnu.no>
 Øystein Kristoffer Tveit <oysteikt@pvv.ntnu.no> Øystein <oysteikt@pvv.org>
 Øystein Kristoffer Tveit <oysteikt@pvv.ntnu.no> Oystein Kristoffer Tveit <oysteikt@pvv.ntnu.no>
 Felix Albrigtsen <felixalb@pvv.ntnu.no> <felix@albrigtsen.it>
 Felix Albrigtsen <felixalb@pvv.ntnu.no> <felixalbrigtsen@gmail.com>
 Felix Albrigtsen <felixalb@pvv.ntnu.no> felixalb <felixalb@pvv.ntnu.no>
 Peder Bergebakken Sundt <pederbs@pvv.ntnu.no> <pbsds@hotmail.com>
 Adrian Gunnar Lauterer <adriangl@pvv.ntnu.no> Adrian G L <adrian@lauterer.it>
 Adrian Gunnar Lauterer <adriangl@pvv.ntnu.no> Adrian Gunnar Lauterer <adrian@lauterer.it>
 Fredrik Robertsen <frero@pvv.ntnu.no> frero <frero@pvv.ntnu.no>
 Fredrik Robertsen <frero@pvv.ntnu.no> fredrikr79 <fredrikrobertsen7@gmail.com>
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -1,24 +1,18 @@
 keys:
  # Users
-  - &user_danio age1ug30gg4y7ftuya0wdv7q0vh4egn00wlv2th7mt7cgc2ze46wmvyq9lq6ge
+  - &user_danio age17tagmpwqjk3mdy45rfesrfey6h863x8wfq38wh33tkrlrywxducs0k6tpq
  - &user_eirikwit age1ju7rd26llahz3g8tz7cy5ld52swj8gsmg0flrmrxngc0nj0avq3ssh0sn5
  - &user_felixalb age1mrnldl334l2nszuta6ywvewng0fswv2dz9l5g4qcwe3nj4yxf92qjskdx6
  - &user_oysteikt F7D37890228A907440E1FD4846B9228E814A2AAC
-  - &user_pederbs_bjarte age1zhxul786an743u0fascv4wtc5xduu7qfy803lfs539yzhgmlq5ds2lznt5
+  - &user_eirikwit age1ju7rd26llahz3g8tz7cy5ld52swj8gsmg0flrmrxngc0nj0avq3ssh0sn5
  - &user_pederbs_nord age1wrssr4z4g6vl3fd3qme5cewchmmhm0j2xe6wf2meu4r6ycn37anse98mfs
  - &user_pederbs_sopp age1hmpdk4h69wxpwqk9tkud39f66hprhehxtzhgw97r6dvr7v0mx5jscsuhkn
  - &user_pederbs_nord age1wrssr4z4g6vl3fd3qme5cewchmmhm0j2xe6wf2meu4r6ycn37anse98mfs
  - &user_pederbs_bjarte age1zhxul786an743u0fascv4wtc5xduu7qfy803lfs539yzhgmlq5ds2lznt5
  # Hosts
-  - &host_bakke age1syted6kt48sumjjucggh6r3uca4x2ppp4mfungf3lamkt2le05csc99633
+  - &host_jokum age1gp8ye4g2mmw3may5xg0zsy7mm04glfz3788mmdx9cvcsdxs9hg0s0cc9kt
  - &host_bekkalokk age12nj59tguy9wg882updc2vjdusx5srnxmjyfaqve4zx6jnnsaw3qsyjq6zd
  - &host_bicep age19nk55kcs7s0358jpkn75xnr57dfq6fq3p43nartvsprx0su22v7qcgcjdx
  - &host_ildkule age1x28hmzvuv6f2n66c0jtqcca3h9rput8d7j5uek6jcpx8n9egd52sqpejq0
-  - &host_kommode age1mt4d0hg5g76qp7j0884llemy0k2ymr5up8vfudz6vzvsflk5nptqqd32ly
+  - &host_bekkalokk age12nj59tguy9wg882updc2vjdusx5srnxmjyfaqve4zx6jnnsaw3qsyjq6zd
-  - &host_lupine-1 age1fkrypl6fu4ldsa7te4g3v4qsegnk7sd6qhkquuwzh04vguy96qus08902e
+  - &host_bicep age1sl43gc9cw939z5tgha2lpwf0xxxgcnlw7w4xem4sqgmt2pt264vq0dmwx2
  - &host_lupine-2 age1mu0ej57n4s30ghealhyju3enls83qyjua69986la35t2yh0q2s0seruz5n
  - &host_lupine-3 age1j2u876z8hu87q5npfxzzpfgllyw8ypj66d7cgelmzmnrf3xud34qzkntp9
  - &host_lupine-4 age1t8zlawqkmhye737pn8yx0z3p9cl947d9ktv2cajdc6hnvn52d3fsc59s2k
  - &host_lupine-5 age199zkqq4jp4yc3d0hx2q0ksxdtp42xhmjsqwyngh8tswuck34ke3smrfyqu
  - &host_ustetind age1hffjafs4slznksefmtqrlj7rdaqgzqncn4un938rhr053237ry8s3rs0v8
 creation_rules:
@@ -26,6 +20,7 @@ creation_rules:
  - path_regex: secrets/[^/]+\.yaml$
    key_groups:
    - age:
      - *host_jokum
      - *user_danio
      - *user_felixalb
      - *user_eirikwit
@@ -49,10 +44,10 @@ creation_rules:
      pgp:
      - *user_oysteikt
-  - path_regex: secrets/kommode/[^/]+\.yaml$
+  - path_regex: secrets/jokum/[^/]+\.yaml$
    key_groups:
    - age:
-      - *host_kommode
+      - *host_jokum
      - *user_danio
      - *user_felixalb
      - *user_pederbs_sopp
@@ -96,31 +91,3 @@ creation_rules:
      - *user_pederbs_bjarte
      pgp:
      - *user_oysteikt
  - path_regex: secrets/lupine/[^/]+\.yaml$
    key_groups:
    - age:
      - *host_lupine-1
      - *host_lupine-2
      - *host_lupine-3
      - *host_lupine-4
      - *host_lupine-5
      - *user_danio
      - *user_felixalb
      - *user_pederbs_sopp
      - *user_pederbs_nord
      - *user_pederbs_bjarte
      pgp:
      - *user_oysteikt
  - path_regex: secrets/bakke/[^/]+\.yaml$
    key_groups:
    - age:
      - *host_bakke
      - *user_danio
      - *user_felixalb
      - *user_pederbs_sopp
      - *user_pederbs_nord
      - *user_pederbs_bjarte
      pgp:
      - *user_oysteikt
--- a/base/default.nix
+++ b/base/default.nix
@@ -1,9 +1,4 @@
-{
+{ pkgs, lib, fp, ... }:
  pkgs,
  lib,
  fp,
  ...
 }:
 {
  imports = [
@@ -12,14 +7,9 @@
    ./networking.nix
    ./nix.nix
    ./vm.nix
    ./flake-input-exporter.nix
    ./services/acme.nix
    ./services/uptimed.nix
    ./services/auto-upgrade.nix
    ./services/dbus.nix
    ./services/fwupd.nix
    ./services/irqbalance.nix
    ./services/logrotate.nix
    ./services/nginx.nix
@@ -27,12 +17,9 @@
    ./services/postfix.nix
    ./services/smartd.nix
    ./services/thermald.nix
    ./services/userborn.nix
    ./services/userdbd.nix
  ];
  boot.tmp.cleanOnBoot = lib.mkDefault true;
  boot.kernelPackages = lib.mkDefault pkgs.linuxPackages_latest;
  time.timeZone = "Europe/Oslo";
@@ -58,22 +45,8 @@
    kitty.terminfo
  ];
  # .bash_profile already works, but lets also use .bashrc like literally every other distro
  # https://man.archlinux.org/man/core/bash/bash.1.en#INVOCATION
  # home-manager usually handles this for you: https://github.com/nix-community/home-manager/blob/22a36aa709de7dd42b562a433b9cefecf104a6ee/modules/programs/bash.nix#L203-L209
  # btw, programs.bash.shellInit just goes into environment.shellInit which in turn goes into /etc/profile, spooky shit
  programs.bash.shellInit = ''
    if [ -n "''${BASH_VERSION:-}" ]; then
      if [[ ! -f ~/.bash_profile && ! -f ~/.bash_login ]]; then
       [[ -f ~/.bashrc ]] && . ~/.bashrc
      fi
    fi
  '';
  programs.zsh.enable = true;
  # security.lockKernelModules = true;
  security.protectKernelImage = true;
  security.sudo.execWheelOnly = true;
  security.sudo.extraConfig = ''
    Defaults lecture = never
@@ -84,3 +57,4 @@
  # Trusted users on the nix builder machines
  users.groups."nix-builder-users".name = "nix-builder-users";
 }
--- a/base/flake-input-exporter.nix
+++ b/base/flake-input-exporter.nix
@@ -1,55 +0,0 @@
 {
  config,
  inputs,
  lib,
  pkgs,
  values,
  ...
 }:
 let
  data = lib.flip lib.mapAttrs inputs (
    name: input: {
      inherit (input)
        lastModified
        ;
    }
  );
  folder = pkgs.writeTextDir "share/flake-inputs" (
    lib.concatMapStringsSep "\n" (
      { name, value }: ''nixos_last_modified_input{flake="${name}"} ${toString value.lastModified}''
    ) (lib.attrsToList data)
  );
  port = 9102;
 in
 {
  services.nginx.virtualHosts."${config.networking.fqdn}-nixos-metrics" = {
    serverName = config.networking.fqdn;
    serverAliases = [
      "${config.networking.hostName}.pvv.org"
    ];
    locations."/metrics" = {
      root = "${folder}/share";
      tryFiles = "/flake-inputs =404";
      extraConfig = ''
        default_type text/plain;
      '';
    };
    listen = [
      {
        inherit port;
        addr = "0.0.0.0";
      }
    ];
    extraConfig = ''
      allow ${values.hosts.ildkule.ipv4}/32;
      allow ${values.hosts.ildkule.ipv6}/128;
      allow 127.0.0.1/32;
      allow ::1/128;
      allow ${values.ipv4-space};
      allow ${values.ipv6-space};
      deny all;
    '';
  };
  networking.firewall.allowedTCPPorts = [ port ];
 }
--- a/base/nix.nix
+++ b/base/nix.nix
@@ -1,17 +1,16 @@
-{ lib, config, inputs, ... }:
+{ inputs, ... }:
 {
  nix = {
    gc = {
      automatic = true;
      options = "--delete-older-than 2d";
    };
    optimise.automatic = true;
    settings = {
      allow-dirty = true;
-      auto-allocate-uids = true;
+      auto-optimise-store = true;
      builders-use-substitutes = true;
-      experimental-features = [ "nix-command" "flakes" "auto-allocate-uids" ];
+      experimental-features = [ "nix-command" "flakes" ];
      log-lines = 50;
      use-xdg-base-directories = true;
    };
@@ -22,16 +21,11 @@
    ** use the same channel the system
    ** was built with
    */
-    registry = lib.mkMerge [
+    registry = {
-      {
+      "nixpkgs".flake = inputs.nixpkgs;
-        "nixpkgs".flake = inputs.nixpkgs;
+      "nixpkgs-unstable".flake = inputs.nixpkgs-unstable;
-        "nixpkgs-unstable".flake = inputs.nixpkgs-unstable;
+      "pvv-nix".flake = inputs.self;
-      }
+    };
      # We avoid the reference to self in vmVariant to get a stable system .outPath for equivalence testing
      (lib.mkIf (!config.virtualisation.isVmVariant) {
        "pvv-nix".flake = inputs.self;
      })
    ];
    nixPath = [
      "nixpkgs=${inputs.nixpkgs}"
      "unstable=${inputs.nixpkgs-unstable}"
--- a/base/services/auto-upgrade.nix
+++ b/base/services/auto-upgrade.nix
@@ -1,39 +1,26 @@
-{ config, inputs, pkgs, lib, ... }:
+{ inputs, pkgs, lib, ... }:
 let
  inputUrls = lib.mapAttrs (input: value: value.url) (import "${inputs.self}/flake.nix").inputs;
 in
 {
  system.autoUpgrade = {
    enable = true;
-    flake = "git+https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git";
+    flake = "git+https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git?ref=24.11";
    flags = [
      "--refresh"
      "--no-write-lock-file"
      # --update-input is deprecated since nix 2.22, and removed in lix 2.90
      # as such we instead use --override-input combined with --refresh
      # https://git.lix.systems/lix-project/lix/issues/400
-    ] ++ (lib.pipe inputUrls [
+      "--refresh"
-      (lib.intersectAttrs {
+      "--override-input" "nixpkgs" "github:nixos/nixpkgs/nixos-24.11-small"
-        nixpkgs = { };
+      "--override-input" "nixpkgs-unstable" "github:nixos/nixpkgs/nixos-unstable-small"
-        nixpkgs-unstable = { };
+      "--no-write-lock-file"
-      })
+    ];
      (lib.mapAttrsToList (input: url: ["--override-input" input url]))
      lib.concatLists
    ]);
  };
  # workaround for https://github.com/NixOS/nix/issues/6895
  # via https://git.lix.systems/lix-project/lix/issues/400
-  environment.etc = lib.mkIf (!config.virtualisation.isVmVariant) {
+  environment.etc."current-system-flake-inputs.json".source
-    "current-system-flake-inputs.json".source
+    = pkgs.writers.writeJSON "flake-inputs.json" (
-      = pkgs.writers.writeJSON "flake-inputs.json" (
+      lib.flip lib.mapAttrs inputs (name: input:
-        lib.flip lib.mapAttrs inputs (name: input:
+        # inputs.*.sourceInfo sans outPath, since writeJSON will otherwise serialize sourceInfo like a derivation
-          # inputs.*.sourceInfo sans outPath, since writeJSON will otherwise serialize sourceInfo like a derivation
+        lib.removeAttrs (input.sourceInfo or {}) [ "outPath" ]
-          lib.removeAttrs (input.sourceInfo or {}) [ "outPath" ]
+          // { store-path = input.outPath; } # comment this line if you don't want to retain a store reference to the flake inputs
-            // { store-path = input.outPath; } # comment this line if you don't want to retain a store reference to the flake inputs
+      )
-        )
+    );
      );
  };
 }
--- a/base/services/dbus.nix
+++ b/base/services/dbus.nix
@@ -1,7 +0,0 @@
 { ... }:
 {
  services.dbus = {
    enable = true;
    implementation = "broker";
  };
 }
--- a/base/services/fwupd.nix
+++ b/base/services/fwupd.nix
@@ -1,4 +0,0 @@
 { ... }:
 {
  services.fwupd.enable = true;
 }
--- a/base/services/nginx.nix
+++ b/base/services/nginx.nix
@@ -20,14 +20,14 @@
    recommendedGzipSettings = true;
    appendConfig = ''
-      # pcre_jit on;
+      pcre_jit on;
      worker_processes auto;
      worker_rlimit_nofile 100000;
    '';
    eventsConfig = ''
      worker_connections 2048;
      use epoll;
-      # multi_accept on;
+      multi_accept on;
    '';
  };
@@ -40,25 +40,6 @@
  };
  services.nginx.virtualHosts."_" = lib.mkIf config.services.nginx.enable {
    listen = [
      {
        addr = "0.0.0.0";
        extraParameters = [
          "default_server"
          # Seemingly the default value of net.core.somaxconn
          "backlog=4096"
          "deferred"
        ];
      }
      {
        addr = "[::0]";
        extraParameters = [
          "default_server"
          "backlog=4096"
          "deferred"
        ];
      }
    ];
    sslCertificate = "/etc/certs/nginx.crt";
    sslCertificateKey = "/etc/certs/nginx.key";
    addSSL = true;
--- a/base/services/postfix.nix
+++ b/base/services/postfix.nix
@@ -6,17 +6,18 @@ in
  services.postfix = {
    enable = true;
-    settings.main = {
+    hostname = "${config.networking.hostName}.pvv.ntnu.no";
-      myhostname = "${config.networking.hostName}.pvv.ntnu.no";
+    domain = "pvv.ntnu.no";
      mydomain = "pvv.ntnu.no";
-      # Nothing should be delivered to this machine
+    relayHost = "smtp.pvv.ntnu.no";
-      mydestination = [ ];
+    relayPort = 465;
      relayhost = [ "smtp.pvv.ntnu.no:465" ];
    config = {
      smtp_tls_wrappermode = "yes";
      smtp_tls_security_level = "encrypt";
    };
    # Nothing should be delivered to this machine
    destination = [ ];
  };
-}
+}
--- a/base/services/uptimed.nix
+++ b/base/services/uptimed.nix
@@ -1,59 +0,0 @@
 { config, pkgs, lib, ... }:
 let
  cfg = config.services.uptimed;
 in
 {
  options.services.uptimed.settings = lib.mkOption {
    description = "";
    default = { };
    type = lib.types.submodule {
      freeformType = with lib.types; attrsOf (either str (listOf str));
    };
  };
  config = {
    services.uptimed = {
      enable = true;
      settings = let
        stateDir = "/var/lib/uptimed";
      in {
        PIDFILE = "${stateDir}/pid";
        SENDMAIL = lib.mkDefault "${pkgs.system-sendmail}/bin/sendmail -t";
      };
    };
    systemd.services.uptimed = lib.mkIf (cfg.enable) {
      serviceConfig = let
        uptimed = pkgs.uptimed.overrideAttrs (prev: {
          postPatch = ''
             substituteInPlace Makefile.am \
               --replace-fail '$(sysconfdir)/uptimed.conf' '/var/lib/uptimed/uptimed.conf'
             substituteInPlace src/Makefile.am \
               --replace-fail '$(sysconfdir)/uptimed.conf' '/var/lib/uptimed/uptimed.conf'
          '';
        });
      in {
        Type = "notify";
        ExecStart = lib.mkForce "${uptimed}/sbin/uptimed -f";
        BindReadOnlyPaths = let
          configFile = lib.pipe cfg.settings [
            (lib.mapAttrsToList
              (k: v:
                if builtins.isList v
                  then lib.mapConcatStringsSep "\n" (v': "${k}=${v'}") v
                  else "${k}=${v}")
            )
            (lib.concatStringsSep "\n")
            (pkgs.writeText "uptimed.conf")
          ];
        in [
          "${configFile}:/var/lib/uptimed/uptimed.conf"
        ];
      };
    };
  };
 }
--- a/base/services/userborn.nix
+++ b/base/services/userborn.nix
@@ -1,4 +0,0 @@
 { ... }:
 {
  services.userborn.enable = true;
 }
--- a/base/services/userdbd.nix
+++ b/base/services/userdbd.nix
@@ -1,4 +0,0 @@
 { ... }:
 {
  services.userdbd.enable = true;
 }
--- a/base/vm.nix
+++ b/base/vm.nix
@@ -1,15 +0,0 @@
 { lib, ... }:
 # This enables
 #     lib.mkIf (!config.virtualisation.isVmVariant) { ... }
 {
  options.virtualisation.isVmVariant = lib.mkOption {
    description = "`true` if system is build with 'nixos-rebuild build-vm'";
    type = lib.types.bool;
    default = false;
  };
  config.virtualisation.vmVariant = {
    virtualisation.isVmVariant = true;
  };
 }
--- a/flake.lock
+++ b/flake.lock
@@ -7,11 +7,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1764627417,
+        "lastModified": 1733168902,
-        "narHash": "sha256-D6xc3Rl8Ab6wucJWdvjNsGYGSxNjQHzRc2EZ6eeQ6l4=",
+        "narHash": "sha256-8dupm9GfK+BowGdQd7EHK5V61nneLfr9xR6sc5vtDi0=",
        "owner": "nix-community",
        "repo": "disko",
-        "rev": "5a88a6eceb8fd732b983e72b732f6f4b8269bef3",
+        "rev": "785c1e02c7e465375df971949b8dcbde9ec362e5",
        "type": "github"
      },
      "original": {
@@ -20,26 +20,6 @@
        "type": "github"
      }
    },
    "gergle": {
      "inputs": {
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1764868579,
        "narHash": "sha256-rfTUOIc0wnC4+19gLVfPbHfXx/ilfuUix6bWY+yaM2U=",
        "ref": "refs/heads/main",
        "rev": "9c923d1d50daa6a3b28c3214ad2300bfaf6c8fcd",
        "revCount": 22,
        "type": "git",
        "url": "https://git.pvv.ntnu.no/Grzegorz/gergle.git"
      },
      "original": {
        "type": "git",
        "url": "https://git.pvv.ntnu.no/Grzegorz/gergle.git"
      }
    },
    "greg-ng": {
      "inputs": {
        "nixpkgs": [
@@ -48,17 +28,17 @@
        "rust-overlay": "rust-overlay"
      },
      "locked": {
-        "lastModified": 1764868843,
+        "lastModified": 1730249639,
-        "narHash": "sha256-ZXYLXKO+VjAJr2f5zz+7SuKFICfI2eZnmTgS/626YE0=",
+        "narHash": "sha256-G3URSlqCcb+GIvGyki+HHrDM5ZanX/dP9BtppD/SdfI=",
        "ref": "refs/heads/main",
-        "rev": "c095533c50e80dd18ac48046f1479cf4d83c631c",
+        "rev": "80e0447bcb79adad4f459ada5610f3eae987b4e3",
-        "revCount": 52,
+        "revCount": 34,
        "type": "git",
-        "url": "https://git.pvv.ntnu.no/Grzegorz/greg-ng.git"
+        "url": "https://git.pvv.ntnu.no/Projects/greg-ng.git"
      },
      "original": {
        "type": "git",
-        "url": "https://git.pvv.ntnu.no/Grzegorz/greg-ng.git"
+        "url": "https://git.pvv.ntnu.no/Projects/greg-ng.git"
      }
    },
    "grzegorz-clients": {
@@ -68,17 +48,17 @@
        ]
      },
      "locked": {
-        "lastModified": 1764867811,
+        "lastModified": 1726861934,
-        "narHash": "sha256-UWHiwr8tIcGcVxMLvAdNxDbQ8QuHf3REHboyxvFkYEI=",
+        "narHash": "sha256-lOzPDwktd+pwszUTbpUdQg6iCzInS11fHLfkjmnvJrM=",
        "ref": "refs/heads/master",
-        "rev": "c9983e947efe047ea9d6f97157a1f90e49d0eab3",
+        "rev": "546d921ec46735dbf876e36f4af8df1064d09432",
-        "revCount": 81,
+        "revCount": 78,
        "type": "git",
-        "url": "https://git.pvv.ntnu.no/Grzegorz/grzegorz-clients.git"
+        "url": "https://git.pvv.ntnu.no/Projects/grzegorz-clients.git"
      },
      "original": {
        "type": "git",
-        "url": "https://git.pvv.ntnu.no/Grzegorz/grzegorz-clients.git"
+        "url": "https://git.pvv.ntnu.no/Projects/grzegorz-clients.git"
      }
    },
    "matrix-next": {
@@ -88,58 +68,33 @@
        ]
      },
      "locked": {
-        "lastModified": 1764844095,
+        "lastModified": 1727410897,
-        "narHash": "sha256-Drf1orxsmFDzO+UbPo85gHjXW7QzAM+6oTPvI7vOSik=",
+        "narHash": "sha256-tWsyxvf421ieWUJYgjV7m1eTdr2ZkO3vId7vmtvfFpQ=",
        "owner": "dali99",
        "repo": "nixos-matrix-modules",
-        "rev": "25b9f31ef1dbc3987b4c716de716239f2b283701",
+        "rev": "ff787d410cba17882cd7b6e2e22cc88d4064193c",
        "type": "github"
      },
      "original": {
        "owner": "dali99",
-        "ref": "v0.8.0",
+        "ref": "v0.6.1",
        "repo": "nixos-matrix-modules",
        "type": "github"
      }
    },
-    "minecraft-heatmap": {
+    "minecraft-data": {
      "inputs": {
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
-        "lastModified": 1756124334,
+        "lastModified": 1725277886,
-        "narHash": "sha256-DXFmSpgI8FrqcdqY7wg5l/lpssWjslHq5ufvyp/5k4o=",
+        "narHash": "sha256-Fw4VbbE3EfypQWSgPDFfvVH47BHeg3ptsO715NlUM8Q=",
-        "ref": "refs/heads/main",
+        "ref": "refs/heads/master",
-        "rev": "83760b1ebcd9722ddf58a4117d29555da65538ad",
+        "rev": "1b4087bd3322a2e2ba84271c8fcc013e6b641a58",
-        "revCount": 13,
+        "revCount": 2,
        "type": "git",
-        "url": "https://git.pvv.ntnu.no/Projects/minecraft-heatmap.git"
+        "url": "https://git.pvv.ntnu.no/Drift/minecraft-data.git"
      },
      "original": {
        "type": "git",
-        "url": "https://git.pvv.ntnu.no/Projects/minecraft-heatmap.git"
+        "url": "https://git.pvv.ntnu.no/Drift/minecraft-data.git"
      }
    },
    "minecraft-kartverket": {
      "inputs": {
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1765903589,
        "narHash": "sha256-JRLmckeM4G2hkH2V3VdfjHrrsWgJ8j7rZDYYjHTkRqA=",
        "ref": "refs/heads/main",
        "rev": "7c86d342e68506fcd83cb74af3336f99ff522a0a",
        "revCount": 24,
        "type": "git",
        "url": "https://git.pvv.ntnu.no/Projects/minecraft-kartverket.git"
      },
      "original": {
        "type": "git",
        "url": "https://git.pvv.ntnu.no/Projects/minecraft-kartverket.git"
      }
    },
    "nix-gitea-themes": {
@@ -149,43 +104,49 @@
        ]
      },
      "locked": {
-        "lastModified": 1743881366,
+        "lastModified": 1714416973,
-        "narHash": "sha256-ScGA2IHPk9ugf9bqEZnp+YB/OJgrkZblnG/XLEKvJAo=",
+        "narHash": "sha256-aZUcvXjdETUC6wVQpWDVjLUzwpDAEca8yR0ITDeK39o=",
        "ref": "refs/heads/main",
-        "rev": "db2e4becf1b11e5dfd33de12a90a7d089fcf68ec",
+        "rev": "2b23c0ba8aae68d3cb6789f0f6e4891cef26cc6d",
-        "revCount": 11,
+        "revCount": 6,
        "type": "git",
-        "url": "https://git.pvv.ntnu.no/Drift/nix-gitea-themes.git"
+        "url": "https://git.pvv.ntnu.no/oysteikt/nix-gitea-themes.git"
      },
      "original": {
        "type": "git",
-        "url": "https://git.pvv.ntnu.no/Drift/nix-gitea-themes.git"
+        "url": "https://git.pvv.ntnu.no/oysteikt/nix-gitea-themes.git"
      }
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1764806471,
+        "lastModified": 1733466147,
-        "narHash": "sha256-Qk0SArnS83KqyS9wNt1YoTkkYKDraNrjRWKUtB9DKoM=",
+        "narHash": "sha256-1QAch5UZXGDc8Kh3PvdIKfVNeebjZFWiIKn8lAr1ZBM=",
-        "rev": "6707b1809330d0f912f5813963bb29f6f194ee81",
+        "owner": "NixOS",
-        "type": "tarball",
+        "repo": "nixpkgs",
-        "url": "https://releases.nixos.org/nixos/25.11-small/nixos-25.11.896.6707b1809330/nixexprs.tar.xz"
+        "rev": "66dddf2c2aae34272f117ea95a06efe376edbe27",
        "type": "github"
      },
      "original": {
-        "type": "tarball",
+        "owner": "NixOS",
-        "url": "https://nixos.org/channels/nixos-25.11-small/nixexprs.tar.xz"
+        "ref": "nixos-24.11-small",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "nixpkgs-unstable": {
      "locked": {
-        "lastModified": 1764854611,
+        "lastModified": 1733603762,
-        "narHash": "sha256-MVzFp4ZKwdh6U1wy4fJe/GY3Hb4cvvyJbAZOhaeBQoo=",
+        "narHash": "sha256-E+cuaL8s1oHCumWD/Zkw0gkLOOQcz848pVyLfvqWDVw=",
-        "rev": "3a4b875aef660bbd148e86b92cffea2a360c3275",
+        "owner": "NixOS",
-        "type": "tarball",
+        "repo": "nixpkgs",
-        "url": "https://releases.nixos.org/nixos/unstable-small/nixos-26.05pre906534.3a4b875aef66/nixexprs.tar.xz"
+        "rev": "b1dd465e8139748a8e26037fdd4c5ffe79457cbd",
        "type": "github"
      },
      "original": {
-        "type": "tarball",
+        "owner": "NixOS",
-        "url": "https://nixos.org/channels/nixos-unstable-small/nixexprs.tar.xz"
+        "ref": "nixos-unstable-small",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "pvv-calendar-bot": {
@@ -195,11 +156,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1764869785,
+        "lastModified": 1723850344,
-        "narHash": "sha256-FGTIpC7gB4lbeL0bfYzn1Ge0PaCpd7VqWBLhJBx0i4A=",
+        "narHash": "sha256-aT37O9l9eclWEnqxASVNBL1dKwDHZUOqdbA4VO9DJvw=",
        "ref": "refs/heads/main",
-        "rev": "8ce7fb0b1918bdb3d1489a40d73895693955e8b2",
+        "rev": "38b66677ab8c01aee10cd59e745af9ce3ea88092",
-        "revCount": 23,
+        "revCount": 19,
        "type": "git",
        "url": "https://git.pvv.ntnu.no/Projects/calendar-bot.git"
      },
@@ -215,11 +176,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1757332682,
+        "lastModified": 1725212759,
-        "narHash": "sha256-4p4aVQWs7jHu3xb6TJlGik20lqbUU/Fc0/EHpzoRlO0=",
+        "narHash": "sha256-yZBsefIarFUEhFRj+rCGMp9Zvag3MCafqV/JfGVRVwc=",
-        "ref": "refs/heads/main",
+        "ref": "refs/heads/master",
-        "rev": "da1113341ad9881d8d333d1e29790317bd7701e7",
+        "rev": "e7b66b4bc6a89bab74bac45b87e9434f5165355f",
-        "revCount": 518,
+        "revCount": 473,
        "type": "git",
        "url": "https://git.pvv.ntnu.no/Projects/nettsiden.git"
      },
@@ -231,12 +192,10 @@
    "root": {
      "inputs": {
        "disko": "disko",
        "gergle": "gergle",
        "greg-ng": "greg-ng",
        "grzegorz-clients": "grzegorz-clients",
        "matrix-next": "matrix-next",
-        "minecraft-heatmap": "minecraft-heatmap",
+        "minecraft-data": "minecraft-data",
        "minecraft-kartverket": "minecraft-kartverket",
        "nix-gitea-themes": "nix-gitea-themes",
        "nixpkgs": "nixpkgs",
        "nixpkgs-unstable": "nixpkgs-unstable",
@@ -253,11 +212,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1764816035,
+        "lastModified": 1729391507,
-        "narHash": "sha256-F0IQSmSj4t2ThkbWZooAhkCTO+YpZSd2Pqiv2uoYEHo=",
+        "narHash": "sha256-as0I9xieJUHf7kiK2a9znDsVZQTFWhM1pLivII43Gi0=",
        "owner": "oxalica",
        "repo": "rust-overlay",
-        "rev": "74d9abb7c5c030469f90d97a67d127cc5d76c238",
+        "rev": "784981a9feeba406de38c1c9a3decf966d853cca",
        "type": "github"
      },
      "original": {
@@ -273,11 +232,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1764483358,
+        "lastModified": 1733128155,
-        "narHash": "sha256-EyyvCzXoHrbL467YSsQBTWWg4sR96MH1sPpKoSOelB4=",
+        "narHash": "sha256-m6/qwJAJYcidGMEdLqjKzRIjapK4nUfMq7rDCTmZajc=",
        "owner": "Mic92",
        "repo": "sops-nix",
-        "rev": "5aca6ff67264321d47856a2ed183729271107c9c",
+        "rev": "c6134b6fff6bda95a1ac872a2a9d5f32e3c37856",
        "type": "github"
      },
      "original": {
--- a/flake.nix
+++ b/flake.nix
@@ -2,8 +2,8 @@
  description = "PVV System flake";
  inputs = {
-    nixpkgs.url = "https://nixos.org/channels/nixos-25.11-small/nixexprs.tar.xz";
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.11-small"; # remember to also update the url in base/services/auto-upgrade.nix
-    nixpkgs-unstable.url = "https://nixos.org/channels/nixos-unstable-small/nixexprs.tar.xz";
+    nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable-small";
    sops-nix.url = "github:Mic92/sops-nix";
    sops-nix.inputs.nixpkgs.follows = "nixpkgs";
@@ -17,24 +17,18 @@
    pvv-calendar-bot.url = "git+https://git.pvv.ntnu.no/Projects/calendar-bot.git";
    pvv-calendar-bot.inputs.nixpkgs.follows = "nixpkgs";
-    matrix-next.url = "github:dali99/nixos-matrix-modules/v0.8.0";
+    matrix-next.url = "github:dali99/nixos-matrix-modules/v0.6.1";
    matrix-next.inputs.nixpkgs.follows = "nixpkgs";
-    nix-gitea-themes.url = "git+https://git.pvv.ntnu.no/Drift/nix-gitea-themes.git";
+    nix-gitea-themes.url = "git+https://git.pvv.ntnu.no/oysteikt/nix-gitea-themes.git";
    nix-gitea-themes.inputs.nixpkgs.follows = "nixpkgs";
-    minecraft-heatmap.url = "git+https://git.pvv.ntnu.no/Projects/minecraft-heatmap.git";
+    greg-ng.url = "git+https://git.pvv.ntnu.no/Projects/greg-ng.git";
    minecraft-heatmap.inputs.nixpkgs.follows = "nixpkgs";
    greg-ng.url = "git+https://git.pvv.ntnu.no/Grzegorz/greg-ng.git";
    greg-ng.inputs.nixpkgs.follows = "nixpkgs";
-    gergle.url = "git+https://git.pvv.ntnu.no/Grzegorz/gergle.git";
+    grzegorz-clients.url = "git+https://git.pvv.ntnu.no/Projects/grzegorz-clients.git";
    gergle.inputs.nixpkgs.follows = "nixpkgs";
    grzegorz-clients.url = "git+https://git.pvv.ntnu.no/Grzegorz/grzegorz-clients.git";
    grzegorz-clients.inputs.nixpkgs.follows = "nixpkgs";
-    minecraft-kartverket.url = "git+https://git.pvv.ntnu.no/Projects/minecraft-kartverket.git";
+    minecraft-data.url = "git+https://git.pvv.ntnu.no/Drift/minecraft-data.git";
    minecraft-kartverket.inputs.nixpkgs.follows = "nixpkgs";
  };
  outputs = { self, nixpkgs, nixpkgs-unstable, sops-nix, disko, ... }@inputs:
@@ -59,70 +53,40 @@
    nixosConfigurations = let
      unstablePkgs = nixpkgs-unstable.legacyPackages.x86_64-linux;
-
+      nixosConfig = nixpkgs: name: config: lib.nixosSystem (lib.recursiveUpdate
-      nixosConfig =
+        rec {
        nixpkgs:
        name:
        configurationPath:
        extraArgs:
        lib.nixosSystem (lib.recursiveUpdate
        (let
          system = "x86_64-linux";
        in {
          inherit system;
          specialArgs = {
            inherit unstablePkgs inputs;
            values = import ./values.nix;
            fp = path: ./${path};
-          } // extraArgs.specialArgs or { };
+          };
          modules = [
-            configurationPath
+            ./hosts/${name}/configuration.nix
            sops-nix.nixosModules.sops
-          ] ++ extraArgs.modules or [];
+          ] ++ config.modules or [];
          pkgs = import nixpkgs {
            inherit system;
            config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg)
              [
                "nvidia-x11"
                "nvidia-settings"
              ];
            overlays = [
              # Global overlays go here
-            ] ++ extraArgs.overlays or [ ];
+            ] ++ config.overlays or [ ];
          };
-        })
+        }
-        (builtins.removeAttrs extraArgs [
+        (removeAttrs config [ "modules" "overlays" ])
          "modules"
          "overlays"
          "specialArgs"
        ])
      );
-      stableNixosConfig = name: extraArgs:
+      stableNixosConfig = nixosConfig nixpkgs;
-          nixosConfig nixpkgs name ./hosts/${name}/configuration.nix extraArgs;
+      unstableNixosConfig = nixosConfig nixpkgs-unstable;
    in {
      bakke = stableNixosConfig "bakke" {
        modules = [
          disko.nixosModules.disko
        ];
      };
      bicep = stableNixosConfig "bicep" {
        modules = [
          inputs.matrix-next.nixosModules.default
          inputs.pvv-calendar-bot.nixosModules.default
          inputs.minecraft-heatmap.nixosModules.default
          self.nixosModules.gickup
          self.nixosModules.matrix-ooye
        ];
        overlays = [
-          inputs.pvv-calendar-bot.overlays.default
+          inputs.pvv-calendar-bot.overlays.x86_64-linux.default
          inputs.minecraft-heatmap.overlays.default
          (final: prev: {
            inherit (self.packages.${prev.system}) out-of-your-element;
          })
        ];
      };
      bekkalokk = stableNixosConfig "bekkalokk" {
@@ -133,26 +97,23 @@
            simplesamlphp = final.callPackage ./packages/simplesamlphp { };
            bluemap = final.callPackage ./packages/bluemap.nix { };
          })
          inputs.nix-gitea-themes.overlays.default
          inputs.pvv-nettsiden.overlays.default
        ];
        modules = [
          inputs.nix-gitea-themes.nixosModules.default
          inputs.pvv-nettsiden.nixosModules.default
-          self.nixosModules.bluemap
+        ];
      };
      bob = stableNixosConfig "bob" {
        modules = [
          disko.nixosModules.disko
          { disko.devices.disk.disk1.device = "/dev/vda"; }
        ];
      };
      ildkule = stableNixosConfig "ildkule" { };
      #ildkule-unstable = unstableNixosConfig "ildkule" { };
      shark = stableNixosConfig "shark" { };
      wenche = stableNixosConfig "wenche" { };
      kommode = stableNixosConfig "kommode" {
        overlays = [
          inputs.nix-gitea-themes.overlays.default
        ];
        modules = [
          inputs.nix-gitea-themes.nixosModules.default
        ];
      };
      ustetind = stableNixosConfig "ustetind" {
        modules = [
@@ -163,56 +124,30 @@
      brzeczyszczykiewicz = stableNixosConfig "brzeczyszczykiewicz" {
        modules = [
          inputs.grzegorz-clients.nixosModules.grzegorz-webui
          inputs.gergle.nixosModules.default
          inputs.greg-ng.nixosModules.default
        ];
        overlays = [
          inputs.greg-ng.overlays.default
          inputs.gergle.overlays.default
        ];
      };
      georg = stableNixosConfig "georg" {
        modules = [
          inputs.grzegorz-clients.nixosModules.grzegorz-webui
          inputs.gergle.nixosModules.default
          inputs.greg-ng.nixosModules.default
        ];
        overlays = [
          inputs.greg-ng.overlays.default
          inputs.gergle.overlays.default
        ];
      };
-    }
+    };
    //
    (let
      machineNames = map (i: "lupine-${toString i}") (lib.range 1 5);
      stableLupineNixosConfig = name: extraArgs:
          nixosConfig nixpkgs name ./hosts/lupine/configuration.nix extraArgs;
    in lib.genAttrs machineNames (name: stableLupineNixosConfig name {
      modules = [{ networking.hostName = name; }];
      specialArgs.lupineName = name;
    }));
    nixosModules = {
      bluemap = ./modules/bluemap.nix;
      snakeoil-certs = ./modules/snakeoil-certs.nix;
      snappymail = ./modules/snappymail.nix;
      robots-txt = ./modules/robots-txt.nix;
      gickup = ./modules/gickup;
      matrix-ooye = ./modules/matrix-ooye.nix;
    };
    devShells = forAllSystems (system: {
-      default = nixpkgs-unstable.legacyPackages.${system}.callPackage ./shell.nix { };
+      default = nixpkgs.legacyPackages.${system}.callPackage ./shell.nix { };
      cuda = let
        cuda-pkgs = import nixpkgs-unstable {
          inherit system;
          config = {
            allowUnfree = true;
            cudaSupport = true;
          };
        };
      in cuda-pkgs.callPackage ./shells/cuda.nix { };
    });
    packages = {
@@ -227,9 +162,6 @@
        simplesamlphp = pkgs.callPackage ./packages/simplesamlphp { };
        bluemap = pkgs.callPackage ./packages/bluemap.nix { };
        out-of-your-element = pkgs.callPackage ./packages/out-of-your-element.nix { };
      } //
      (lib.pipe null [
        (_: pkgs.callPackage ./packages/mediawiki-extensions { })
--- a/hosts/bakke/configuration.nix
+++ b/hosts/bakke/configuration.nix
@@ -1,26 +0,0 @@
 { config, pkgs, values, ... }:
 {
  imports = [
      ./hardware-configuration.nix
      ../../base
      ../../misc/metrics-exporters.nix
      ./filesystems.nix
    ];
  sops.defaultSopsFile = ../../secrets/bakke/bakke.yaml;
  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
  sops.age.keyFile = "/var/lib/sops-nix/key.txt";
  sops.age.generateKey = true;
  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;
  networking.hostName = "bakke";
  networking.hostId = "99609ffc";
  systemd.network.networks."30-enp2s0" = values.defaultNetworkConfig // {
    matchConfig.Name = "enp2s0";
    address = with values.hosts.bakke; [ (ipv4 + "/25") (ipv6 + "/64") ];
  };
  system.stateVersion = "24.05";
 }
--- a/hosts/bakke/disks.nix
+++ b/hosts/bakke/disks.nix
@@ -1,83 +0,0 @@
 {
  # https://github.com/nix-community/disko/blob/master/example/boot-raid1.nix
  # Note: Disko was used to create the initial md raid, but is no longer in active use on this host.
  disko.devices = {
    disk = {
      one = {
        type = "disk";
        device = "/dev/disk/by-id/ata-WDC_WD40EFRX-68WT0N0_WD-WCC4E2EER6N6";
        content = {
          type = "gpt";
          partitions = {
            ESP = {
              size = "500M";
              type = "EF00";
              content = {
                type = "mdraid";
                name = "boot";
              };
            };
            mdadm = {
              size = "100%";
              content = {
                type = "mdraid";
                name = "raid1";
              };
            };
          };
        };
      };
      two = {
        type = "disk";
        device = "/dev/disk/by-id/ata-WDC_WD40EFRX-68WT0N0_WD-WCC4E7LPLU71";
        content = {
          type = "gpt";
          partitions = {
            ESP = {
              size = "500M";
              type = "EF00";
              content = {
                type = "mdraid";
                name = "boot";
              };
            };
            mdadm = {
              size = "100%";
              content = {
                type = "mdraid";
                name = "raid1";
              };
            };
          };
        };
      };
    };
    mdadm = {
      boot = {
        type = "mdadm";
        level = 1;
        metadata = "1.0";
        content = {
          type = "filesystem";
          format = "vfat";
          mountpoint = "/boot";
        };
      };
      raid1 = {
        type = "mdadm";
        level = 1;
        content = {
          type = "gpt";
          partitions.primary = {
            size = "100%";
            content = {
              type = "filesystem";
              format = "ext4";
              mountpoint = "/";
            };
          };
        };
      };
    };
  };
 }
--- a/hosts/bakke/filesystems.nix
+++ b/hosts/bakke/filesystems.nix
@@ -1,26 +0,0 @@
 { config, pkgs, lib, ... }:
 {
  # Boot drives:
  boot.swraid.enable = true;
  # ZFS Data pool:
  environment.systemPackages = with pkgs; [ zfs ];
  boot = {
    zfs = {
      extraPools = [ "tank" ];
      requestEncryptionCredentials = false;
    };
    supportedFilesystems = [ "zfs" ];
    kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
  };
  services.zfs.autoScrub = {
    enable = true;
    interval = "Wed *-*-8..14 00:00:00";
  };
  # NFS Exports:
  #TODO
  # NFS Import mounts:
  #TODO
 }
--- a/hosts/bakke/hardware-configuration.nix
+++ b/hosts/bakke/hardware-configuration.nix
@@ -1,52 +0,0 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 { config, lib, pkgs, modulesPath, ... }:
 {
  imports =
    [ (modulesPath + "/installer/scan/not-detected.nix")
    ];
  boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ "kvm-intel" ];
  boot.extraModulePackages = [ ];
  fileSystems."/" =
    { device = "/dev/disk/by-uuid/0f63c3d2-fc12-4ed5-a5a5-141bfd67a571";
      fsType = "btrfs";
      options = [ "subvol=root" ];
    };
  fileSystems."/home" =
    { device = "/dev/disk/by-uuid/0f63c3d2-fc12-4ed5-a5a5-141bfd67a571";
      fsType = "btrfs";
      options = [ "subvol=home" ];
    };
  fileSystems."/nix" =
    { device = "/dev/disk/by-uuid/0f63c3d2-fc12-4ed5-a5a5-141bfd67a571";
      fsType = "btrfs";
      options = [ "subvol=nix" "noatime" ];
    };
  fileSystems."/boot" =
    { device = "/dev/sdc2";
      fsType = "vfat";
      options = [ "fmask=0022" "dmask=0022" ];
    };
  swapDevices = [ ];
  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
  # (the default) this is the recommended approach. When using systemd-networkd it's
  # still possible to use this option, but it's recommended to use it in conjunction
  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
  networking.useDHCP = lib.mkDefault false;
  # networking.interfaces.eno1.useDHCP = lib.mkDefault true;
  # networking.interfaces.enp2s0.useDHCP = lib.mkDefault true;
  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 }
--- a/hosts/bekkalokk/configuration.nix
+++ b/hosts/bekkalokk/configuration.nix
@@ -6,9 +6,10 @@
    (fp /base)
    (fp /misc/metrics-exporters.nix)
-    ./services/bluemap.nix
+    ./services/bluemap/default.nix
    ./services/gitea/default.nix
    ./services/idp-simplesamlphp
-    ./services/kerberos.nix
+    ./services/kerberos
    ./services/mediawiki
    ./services/nginx.nix
    ./services/phpfpm.nix
--- a/hosts/bekkalokk/services/bluemap.nix
+++ b/hosts/bekkalokk/services/bluemap.nix
@@ -1,127 +0,0 @@
 { config, lib, pkgs, inputs, ... }:
 let
  vanillaSurvival = "/var/lib/bluemap/vanilla_survival_world";
  format = pkgs.formats.hocon { };
 in {
  # NOTE: our versino of the module gets added in flake.nix
  disabledModules = [ "services/web-apps/bluemap.nix" ];
  sops.secrets."bluemap/ssh-key" = { };
  sops.secrets."bluemap/ssh-known-hosts" = { };
  services.bluemap = {
    enable = true;
    eula = true;
    onCalendar = "*-*-* 05:45:00"; # a little over an hour after auto-upgrade
    host = "minecraft.pvv.ntnu.no";
    maps = let
      inherit (inputs.minecraft-kartverket.packages.${pkgs.stdenv.hostPlatform.system}) bluemap-export;
    in {
      "verden" = {
        settings = {
          world = vanillaSurvival;
          dimension = "minecraft:overworld";
          name = "Verden";
          sorting = 0;
          start-pos = {
            x = 0;
            z = 0;
          };
          ambient-light = 0.1;
          cave-detection-ocean-floor = -5;
          marker-sets = {
            _includes = [ (format.lib.mkInclude "${bluemap-export}/overworld.hocon") ];
          };
        };
      };
      "underverden" = {
        settings = {
          world = vanillaSurvival;
          dimension = "minecraft:the_nether";
          name = "Underverden";
          sorting = 100;
          start-pos = {
            x = 0;
            z = 0;
          };
          sky-color = "#290000";
          void-color = "#150000";
          sky-light = 1;
          ambient-light = 0.6;
          remove-caves-below-y = -10000;
          cave-detection-ocean-floor = -5;
          cave-detection-uses-block-light = true;
          render-mask = [{
            max-y = 90;
          }];
          marker-sets = {
            _includes = [ (format.lib.mkInclude "${bluemap-export}/nether.hocon") ];
          };
        };
      };
      "enden" = {
        settings = {
          world = vanillaSurvival;
          dimension = "minecraft:the_end";
          name = "Enden";
          sorting = 200;
          start-pos = {
            x = 0;
            z = 0;
          };
          sky-color = "#080010";
          void-color = "#080010";
          sky-light = 1;
          ambient-light = 0.6;
          remove-caves-below-y = -10000;
          cave-detection-ocean-floor = -5;
          marker-sets = {
            _includes = [ (format.lib.mkInclude "${bluemap-export}/the-end.hocon") ];
          };
        };
      };
    };
  };
  systemd.services."render-bluemap-maps" = {
    serviceConfig = {
      StateDirectory = [ "bluemap/world" ];
      ExecStartPre = let
        rsyncArgs = lib.cli.toCommandLineShellGNU { } {
          archive = true;
          compress = true;
          verbose = true;
          no-owner = true;
          no-group = true;
          rsh = "${pkgs.openssh}/bin/ssh -o UserKnownHostsFile=%d/ssh-known-hosts -i %d/sshkey";
        };
      in "${lib.getExe pkgs.rsync} ${rsyncArgs} root@innovation.pvv.ntnu.no:/ ${vanillaSurvival}";
      LoadCredential = [
        "sshkey:${config.sops.secrets."bluemap/ssh-key".path}"
        "ssh-known-hosts:${config.sops.secrets."bluemap/ssh-known-hosts".path}"
      ];
    };
  };
  services.nginx.virtualHosts."minecraft.pvv.ntnu.no" = {
    enableACME = true;
    forceSSL = true;
    kTLS = true;
    http3 = true;
    quic = true;
    http3_hq = true;
    extraConfig = ''
      # Enabling QUIC 0-RTT
      ssl_early_data on;
      quic_gso on;
      quic_retry on;
      add_header Alt-Svc 'h3=":$server_port"; ma=86400';
    '';
  };
  networking.firewall.allowedUDPPorts = [ 443 ];
 }
--- a/hosts/bekkalokk/services/bluemap/default.nix
+++ b/hosts/bekkalokk/services/bluemap/default.nix
@@ -0,0 +1,83 @@
 { config, lib, pkgs, inputs, ... }:
 let
  vanillaSurvival = "/var/lib/bluemap/vanilla_survival_world";
 in {
  imports = [
    ./module.nix # From danio, pending upstreaming
  ];
  disabledModules = [ "services/web-apps/bluemap.nix" ];
  sops.secrets."bluemap/ssh-key" = { };
  sops.secrets."bluemap/ssh-known-hosts" = { };
  services.bluemap = {
    enable = true;
    eula = true;
    onCalendar = "*-*-* 05:45:00"; # a little over an hour after auto-upgrade
    host = "minecraft.pvv.ntnu.no";
    maps = {
      "verden" = {
        settings = {
          world = vanillaSurvival;
          sorting = 0;
          ambient-light = 0.1;
          cave-detection-ocean-floor = -5;
          marker-sets = inputs.minecraft-data.map-markers.vanillaSurvival.verden;
        };
      };
      "underverden" = {
        settings = {
          world = "${vanillaSurvival}/DIM-1";
          sorting = 100;
          sky-color = "#290000";
          void-color = "#150000";
          ambient-light = 0.6;
          world-sky-light = 0;
          remove-caves-below-y = -10000;
          cave-detection-ocean-floor = -5;
          cave-detection-uses-block-light = true;
          max-y = 90;
          marker-sets = inputs.minecraft-data.map-markers.vanillaSurvival.underverden;
        };
      };
      "enden" = {
        settings = {
          world = "${vanillaSurvival}/DIM1";
          sorting = 200;
          sky-color = "#080010";
          void-color = "#080010";
          ambient-light = 0.6;
          world-sky-light = 0;
          remove-caves-below-y = -10000;
          cave-detection-ocean-floor = -5;
        };
      };
    };
  };
  services.nginx.virtualHosts."minecraft.pvv.ntnu.no" = {
    enableACME = true;
    forceSSL = true;
  };
  # TODO: render somewhere else lmao
  systemd.services."render-bluemap-maps" = {
    preStart = ''
      mkdir -p /var/lib/bluemap/world
      ${pkgs.rsync}/bin/rsync \
        -e "${pkgs.openssh}/bin/ssh -o UserKnownHostsFile=$CREDENTIALS_DIRECTORY/ssh-known-hosts -i $CREDENTIALS_DIRECTORY/sshkey" \
        -avz --no-owner --no-group \
        root@innovation.pvv.ntnu.no:/ \
        ${vanillaSurvival}
    '';
    serviceConfig = {
      LoadCredential = [
        "sshkey:${config.sops.secrets."bluemap/ssh-key".path}"
        "ssh-known-hosts:${config.sops.secrets."bluemap/ssh-known-hosts".path}"
      ];
    };
  };
 }
--- a/hosts/bekkalokk/services/bluemap/module.nix
+++ b/hosts/bekkalokk/services/bluemap/module.nix
@@ -25,7 +25,8 @@ let
    "core.conf" = coreConfig;
    "webapp.conf" = webappConfig;
    "webserver.conf" = webserverConfig;
-    "packs" = cfg.packs;
+    "packs" = cfg.resourcepacks;
    "addons" = cfg.resourcepacks; # TODO
  };
  renderConfigFolder = name: value: pkgs.linkFarm "bluemap-${name}-config" {
@@ -36,14 +37,14 @@ let
    "core.conf" = coreConfig;
    "webapp.conf" = format.generate "webapp.conf" (cfg.webappSettings // { "update-settings-file" = false; });
    "webserver.conf" = webserverConfig;
-    "packs" = value.packs;
+    "packs" = value.resourcepacks;
    "addons" = cfg.resourcepacks; # TODO
  };
  inherit (lib) mkOption;
 in {
  options.services.bluemap = {
    enable = lib.mkEnableOption "bluemap";
    package = lib.mkPackageOption pkgs "bluemap" { };
    eula = mkOption {
      type = lib.types.bool;
@@ -110,7 +111,7 @@ in {
          metrics = lib.mkEnableOption "Sending usage metrics containing the version of bluemap in use";
        };
      };
-      description = "Settings for the core.conf file, [see upstream docs](https://github.com/BlueMap-Minecraft/BlueMap/blob/master/common/src/main/resources/de/bluecolored/bluemap/config/core.conf).";
+      description = "Settings for the core.conf file, [see upstream docs](https://github.com/BlueMap-Minecraft/BlueMap/blob/master/BlueMapCommon/src/main/resources/de/bluecolored/bluemap/config/core.conf).";
    };
    webappSettings = mkOption {
@@ -127,7 +128,7 @@ in {
          webroot = config.services.bluemap.webRoot;
        }
      '';
-      description = "Settings for the webapp.conf file, see [upstream docs](https://github.com/BlueMap-Minecraft/BlueMap/blob/master/common/src/main/resources/de/bluecolored/bluemap/config/webapp.conf).";
+      description = "Settings for the webapp.conf file, see [upstream docs](https://github.com/BlueMap-Minecraft/BlueMap/blob/master/BlueMapCommon/src/main/resources/de/bluecolored/bluemap/config/webapp.conf).";
    };
    webserverSettings = mkOption {
@@ -147,18 +148,18 @@ in {
      default = { };
      description = ''
        Settings for the webserver.conf file, usually not required.
-        [See upstream docs](https://github.com/BlueMap-Minecraft/BlueMap/blob/master/common/src/main/resources/de/bluecolored/bluemap/config/webserver.conf).
+        [See upstream docs](https://github.com/BlueMap-Minecraft/BlueMap/blob/master/BlueMapCommon/src/main/resources/de/bluecolored/bluemap/config/webserver.conf).
      '';
    };
    maps = mkOption {
-      type = lib.types.attrsOf (lib.types.submodule ({ name, ... }: {
+      type = lib.types.attrsOf (lib.types.submodule {
        options = {
-          packs = mkOption {
+          resourcepacks = mkOption {
            type = lib.types.path;
-            default = cfg.packs;
+            default = cfg.resourcepacks;
-            defaultText = lib.literalExpression "config.services.bluemap.packs";
+            defaultText = lib.literalExpression "config.services.bluemap.resourcepacks";
-            description = "A set of resourcepacks, datapacks, and mods to extract resources from, loaded in alphabetical order.";
+            description = "A set of resourcepacks/mods to extract models from loaded in alphabetical order";
          };
          settings = mkOption {
            type = (lib.types.submodule {
@@ -168,74 +169,43 @@ in {
                  type = lib.types.path;
                  description = "Path to world folder containing the dimension to render";
                };
                name = mkOption {
                  type = lib.types.str;
                  description = "The display name of this map (how this map will be named on the webapp)";
                  default = name;
                  defaultText = lib.literalExpression "<name>";
                };
                render-mask = mkOption {
                  type = with lib.types; listOf (attrsOf format.type);
                  description = "Limits for the map render";
                  default = [ ];
                  example = [
                    {
                      min-x = -4000;
                      max-x = 4000;
                      min-z = -4000;
                      max-z = 4000;
                      min-y = 50;
                      max-y = 100;
                    }
                    {
                      subtract = true;
                      min-y = 90;
                      max-y = 127;
                    }
                  ];
                };
              };
            });
            description = ''
              Settings for files in `maps/`.
              See the default for an example with good options for the different world types.
-              For valid values [consult upstream docs](https://github.com/BlueMap-Minecraft/BlueMap/blob/master/common/src/main/resources/de/bluecolored/bluemap/config/maps/map.conf).
+              For valid values [consult upstream docs](https://github.com/BlueMap-Minecraft/BlueMap/blob/master/BlueMapCommon/src/main/resources/de/bluecolored/bluemap/config/maps/map.conf).
            '';
          };
        };
-      }));
+      });
      default = {
        "overworld".settings = {
-          world = cfg.defaultWorld;
+          world = "${cfg.defaultWorld}";
          dimension = "minecraft:overworld";
          name = "Overworld";
          ambient-light = 0.1;
          cave-detection-ocean-floor = -5;
        };
        "nether".settings = {
-          world = cfg.defaultWorld;
+          world = "${cfg.defaultWorld}/DIM-1";
          dimension = "minecraft:the_nether";
          name = "Nether";
          sorting = 100;
          sky-color = "#290000";
          void-color = "#150000";
          sky-light = 1;
          ambient-light = 0.6;
          world-sky-light = 0;
          remove-caves-below-y = -10000;
          cave-detection-ocean-floor = -5;
          cave-detection-uses-block-light = true;
          max-y = 90;
        };
        "end".settings = {
-          world = cfg.defaultWorld;
+          world = "${cfg.defaultWorld}/DIM1";
          dimension = "minecraft:the_end";
          name = "The End";
          sorting = 200;
          sky-color = "#080010";
          void-color = "#080010";
          sky-light = 1;
          ambient-light = 0.6;
          world-sky-light = 0;
          remove-caves-below-y = -10000;
          cave-detection-ocean-floor = -5;
        };
@@ -243,36 +213,31 @@ in {
      defaultText = lib.literalExpression ''
        {
          "overworld".settings = {
-            world = cfg.defaultWorld;
+            world = "''${cfg.defaultWorld}";
            name = "Overworld";
            dimension = "minecraft:overworld";
            ambient-light = 0.1;
            cave-detection-ocean-floor = -5;
          };
          "nether".settings = {
-            world = cfg.defaultWorld;
+            world = "''${cfg.defaultWorld}/DIM-1";
            dimension = "minecraft:the_nether";
            name = "Nether";
            sorting = 100;
            sky-color = "#290000";
            void-color = "#150000";
            sky-light = 1;
            ambient-light = 0.6;
            world-sky-light = 0;
            remove-caves-below-y = -10000;
            cave-detection-ocean-floor = -5;
            cave-detection-uses-block-light = true;
            max-y = 90;
          };
          "end".settings = {
-            world = cfg.defaultWorld;
+            world = "''${cfg.defaultWorld}/DIM1";
            name = "The End";
            dimension = "minecraft:the_end";
            sorting = 200;
            sky-color = "#080010";
            void-color = "#080010";
            sky-light = 1;
            ambient-light = 0.6;
            world-sky-light = 0;
            remove-caves-below-y = -10000;
            cave-detection-ocean-floor = -5;
          };
@@ -300,7 +265,7 @@ in {
      description = ''
        Where the rendered map will be stored.
        Unless you are doing something advanced you should probably leave this alone and configure webRoot instead.
-        [See upstream docs](https://github.com/BlueMap-Minecraft/BlueMap/tree/master/common/src/main/resources/de/bluecolored/bluemap/config/storages)
+        [See upstream docs](https://github.com/BlueMap-Minecraft/BlueMap/tree/master/BlueMapCommon/src/main/resources/de/bluecolored/bluemap/config/storages)
      '';
      default = {
        "file" = {
@@ -316,12 +281,12 @@ in {
      '';
    };
-    packs = mkOption {
+    resourcepacks = mkOption {
      type = lib.types.path;
-      default = pkgs.linkFarm "packs" { };
+      default = pkgs.linkFarm "resourcepacks" { };
      description = ''
-        A set of resourcepacks, datapacks, and mods to extract resources from, loaded in alphabetical order.
+        A set of resourcepacks/mods to extract models from loaded in alphabetical order.
-        Can be overriden on a per-map basis with `services.bluemap.maps.<name>.packs`.
+        Can be overriden on a per-map basis with `services.bluemap.maps.<name>.resourcepacks`.
      '';
    };
  };
@@ -342,23 +307,12 @@ in {
    systemd.services."render-bluemap-maps" = lib.mkIf cfg.enableRender {
      serviceConfig = {
        Type = "oneshot";
        CPUSchedulingPolicy = "batch";
        Group = "nginx";
        UMask = "026";
        ExecStart = [
          # If web folder doesnt exist generate it
          ''|test -f "${cfg.webRoot}" || ${lib.getExe cfg.package} -c ${webappConfigFolder} -gs''
        ]
        ++
          # Render each minecraft map
          lib.attrsets.mapAttrsToList
            (name: value: "${lib.getExe cfg.package} -c ${renderConfigFolder name value} -r")
            cfg.maps
        ++ [
          # Generate updated webapp
          "${lib.getExe cfg.package} -c ${webappConfigFolder} -gs"
        ];
      };
      script = lib.strings.concatStringsSep "\n" ((lib.attrsets.mapAttrsToList
        (name: value: "${lib.getExe pkgs.bluemap} -c ${renderConfigFolder name value} -r")
        cfg.maps) ++ [ "${lib.getExe pkgs.bluemap} -c ${webappConfigFolder} -gs" ]);
    };
    systemd.timers."render-bluemap-maps" = lib.mkIf cfg.enableRender {
--- a/hosts/bekkalokk/services/gitea/default.nix
+++ b/hosts/bekkalokk/services/gitea/default.nix
@@ -1,36 +1,30 @@
-{ config, values, lib, pkgs, unstablePkgs, ... }:
+{ config, values, fp, pkgs, lib, ... }:
 let
  cfg = config.services.gitea;
  domain = "git.pvv.ntnu.no";
  sshPort  = 2222;
 in {
  imports = [
    ./customization
    ./gpg.nix
    ./import-users
    ./web-secret-provider
  ];
-  sops.secrets = let
+  sops.secrets = {
-    defaultConfig = {
+    "gitea/database" = {
      owner = "gitea";
      group = "gitea";
    };
    "gitea/email-password" = {
      owner = "gitea";
      group = "gitea";
      restartUnits = [ "gitea.service" ];
    };
  in {
    "gitea/database" = defaultConfig;
    "gitea/email-password" = defaultConfig;
    "gitea/lfs-jwt-secret" = defaultConfig;
    "gitea/oauth2-jwt-secret" = defaultConfig;
    "gitea/secret-key" = defaultConfig;
  };
  services.gitea = {
    enable = true;
    appName = "PVV Git";
    package = unstablePkgs.gitea;
    database = {
      type = "postgres";
      host = "postgres.pvv.ntnu.no";
@@ -48,19 +42,9 @@ in {
        ROOT_URL = "https://${domain}/";
        PROTOCOL = "http+unix";
        SSH_PORT = sshPort;
        LANDING_PAGE = "explore";
        START_SSH_SERVER = true;
        START_LFS_SERVER = true;
-        LFS_JWT_SECRET = lib.mkForce "";
+        LANDING_PAGE = "explore";
        LFS_JWT_SECRET_URI = "file:${config.sops.secrets."gitea/lfs-jwt-secret".path}";
      };
      oauth2 = {
        JWT_SECRET = lib.mkForce "";
        JWT_SECRET_URI = "file:${config.sops.secrets."gitea/oauth2-jwt-secret".path}";
      };
      "git.timeout" = {
        MIGRATE = 3600;
        MIRROR = 1800;
      };
      mailer = {
        ENABLED = true;
@@ -84,10 +68,6 @@ in {
      };
      admin.DEFAULT_EMAIL_NOTIFICATIONS = "onmention";
      session.COOKIE_SECURE = true;
      security = {
        SECRET_KEY = lib.mkForce "";
        SECRET_KEY_URI = "file:${config.sops.secrets."gitea/secret-key".path}";
      };
      database.LOG_SQL = false;
      repository = {
        PREFERRED_LICENSES = lib.concatStringsSep "," [
@@ -122,10 +102,6 @@ in {
      picture = {
        DISABLE_GRAVATAR = true;
        ENABLE_FEDERATED_AVATAR = false;
        AVATAR_MAX_FILE_SIZE = 1024 * 1024 * 5;
        # NOTE: go any bigger than this, and gitea will freeze your gif >:(
        AVATAR_MAX_ORIGIN_SIZE = 1024 * 1024 * 2;
      };
      actions.ENABLED = true;
      ui = {
@@ -154,23 +130,10 @@ in {
      };
      "ui.meta".DESCRIPTION = "Bokstavelig talt programvareverkstedet";
    };
    dump = {
      enable = true;
      interval = "weekly";
      type = "tar.gz";
    };
  };
  environment.systemPackages = [ cfg.package ];
  systemd.services.gitea.serviceConfig.CPUSchedulingPolicy = "batch";
  systemd.services.gitea.serviceConfig.CacheDirectory = "gitea/repo-archive";
  systemd.services.gitea.serviceConfig.BindPaths = [
    "%C/gitea/repo-archive:${cfg.stateDir}/data/repo-archive"
  ];
  services.nginx.virtualHosts."${domain}" = {
    forceSSL = true;
    enableACME = true;
@@ -186,7 +149,6 @@ in {
        proxyPass = "http://unix:${cfg.settings.server.HTTP_ADDR}";
        extraConfig = ''
          allow ${values.hosts.ildkule.ipv4}/32;
          allow ${values.hosts.ildkule.ipv6}/128;
          deny all;
        '';
      };
@@ -195,30 +157,34 @@ in {
  networking.firewall.allowedTCPPorts = [ sshPort ];
-  systemd.services.gitea-dump = {
+  # Extra customization
    serviceConfig.ExecStart = let
      args = lib.cli.toGNUCommandLineShell { } {
        type = cfg.dump.type;
-        # This should be declarative on nixos, no need to backup.
+  services.gitea-themes.monokai = pkgs.gitea-theme-monokai;
        skip-custom-dir = true;
-        # This can be regenerated, no need to backup
+  systemd.services.install-gitea-customization = {
-        skip-index = true;
+    description = "Install extra customization in gitea's CUSTOM_DIR";
    wantedBy = [ "gitea.service" ];
    requiredBy = [ "gitea.service" ];
-        # Logs are stored in the systemd journal
+    serviceConfig =  {
-        skip-log = true;
+      Type = "oneshot";
-      };
+      User = cfg.user;
-    in lib.mkForce "${lib.getExe cfg.package} ${args}";
+      Group = cfg.group;
    };
-    # Only keep n backup files at a time
+    script = let
-    postStop = let
+      logo-svg = fp /assets/logo_blue_regular.svg;
-      cu = prog: "'${lib.getExe' pkgs.coreutils prog}'";
+      logo-png = fp /assets/logo_blue_regular.png;
-      backupCount = 3;
+      extraLinks = pkgs.writeText "gitea-extra-links.tmpl" ''
-    in ''
+        <a class="item" href="https://www.pvv.ntnu.no/">PVV</a>
-      for file in $(${cu "ls"} -t1 '${cfg.dump.backupDir}' | ${cu "sort"} --reverse | ${cu "tail"} -n+${toString (backupCount + 1)}); do
+        <a class="item" href="https://wiki.pvv.ntnu.no/">Wiki</a>
-        ${cu "rm"} "$file"
+        <a class="item" href="https://git.pvv.ntnu.no/Drift/-/projects/4">Tokyo Drift Issues</a>
      done
      '';
    in ''
      install -Dm444 ${logo-svg} ${cfg.customDir}/public/assets/img/logo.svg
      install -Dm444 ${logo-png} ${cfg.customDir}/public/assets/img/logo.png
      install -Dm444 ${./loading.apng} ${cfg.customDir}/public/assets/img/loading.png
      install -Dm444 ${extraLinks} ${cfg.customDir}/templates/custom/extra_links.tmpl
    '';
  };
 }
--- a/hosts/bekkalokk/services/gitea/gpg.nix
+++ b/hosts/bekkalokk/services/gitea/gpg.nix
@@ -4,23 +4,9 @@ let
  GNUPGHOME = "${config.users.users.gitea.home}/gnupg";
 in
 {
-  sops.secrets = {
+  sops.secrets."gitea/gpg-signing-key" = {
-    "gitea/gpg-signing-key-public" = {
+    owner = cfg.user;
-      owner = cfg.user;
+    inherit (cfg) group;
      inherit (cfg) group;
      restartUnits = [
        "gitea.service"
        "gitea-ensure-gnupg-homedir.service"
      ];
    };
    "gitea/gpg-signing-key-private" = {
      owner = cfg.user;
      inherit (cfg) group;
      restartUnits = [
        "gitea.service"
        "gitea-ensure-gnupg-homedir.service"
      ];
    };
  };
  systemd.services.gitea.environment = { inherit GNUPGHOME; };
@@ -32,7 +18,6 @@ in
  systemd.services.gitea-ensure-gnupg-homedir = {
    description = "Import gpg key for gitea";
    before = [ "gitea.service" ];
    environment = { inherit GNUPGHOME; };
    serviceConfig = {
      Type = "oneshot";
@@ -40,8 +25,7 @@ in
      PrivateNetwork = true;
    };
    script = ''
-      ${lib.getExe pkgs.gnupg} --import ${config.sops.secrets."gitea/gpg-signing-key-public".path}
+      ${lib.getExe pkgs.gnupg} --import ${config.sops.secrets."gitea/gpg-signing-key".path}
      ${lib.getExe pkgs.gnupg} --import ${config.sops.secrets."gitea/gpg-signing-key-private".path}
    '';
  };
@@ -50,6 +34,5 @@ in
    SIGNING_NAME = "PVV Git";
    SIGNING_EMAIL = "gitea@git.pvv.ntnu.no";
    INITIAL_COMMIT = "always";
    WIKI = "always";
  };
 }
--- a/hosts/bekkalokk/services/gitea/import-users/default.nix
+++ b/hosts/bekkalokk/services/gitea/import-users/default.nix
@@ -11,8 +11,7 @@ in
  systemd.services.gitea-import-users = lib.mkIf cfg.enable {
    enable = true;
-    preStart=''${pkgs.rsync}/bin/rsync -e "${pkgs.openssh}/bin/ssh -o UserKnownHostsFile=$CREDENTIALS_DIRECTORY/ssh-known-hosts -i $CREDENTIALS_DIRECTORY/sshkey" -a pvv@smtp.pvv.ntnu.no:/etc/passwd /run/gitea-import-users/passwd'';
+    preStart=''${pkgs.rsync}/bin/rsync -e "${pkgs.openssh}/bin/ssh -o UserKnownHostsFile=$CREDENTIALS_DIRECTORY/ssh-known-hosts -i $CREDENTIALS_DIRECTORY/sshkey" -a pvv@smtp.pvv.ntnu.no:/etc/passwd /tmp/passwd-import'';
    environment.PASSWD_FILE_PATH = "/run/gitea-import-users/passwd";
    serviceConfig = {
      ExecStart = pkgs.writers.writePython3 "gitea-import-users" {
        flakeIgnore = [
@@ -26,7 +25,6 @@ in
      ];
      DynamicUser="yes";
      EnvironmentFile=config.sops.secrets."gitea/import-user-env".path;
      RuntimeDirectory = "gitea-import-users";
    };
  };
--- a/hosts/bekkalokk/services/gitea/import-users/gitea-import-users.py
+++ b/hosts/bekkalokk/services/gitea/import-users/gitea-import-users.py
@@ -17,10 +17,6 @@ GITEA_API_URL = os.getenv('GITEA_API_URL')
 if GITEA_API_URL is None:
    GITEA_API_URL = 'https://git.pvv.ntnu.no/api/v1'
 PASSWD_FILE_PATH = os.getenv('PASSWD_FILE_PATH')
 if PASSWD_FILE_PATH is None:
    PASSWD_FILE_PATH = '/tmp/passwd-import'
 def gitea_list_all_users() -> dict[str, dict[str, any]] | None:
    r = requests.get(
@@ -181,7 +177,6 @@ def ensure_gitea_user_is_part_of_team(
 # List of teams that all users should be part of by default
 COMMON_USER_TEAMS = [
    ("Projects", "Members"),
    ("Grzegorz", "Members"),
    ("Kurs", "Members"),
 ]
@@ -191,8 +186,7 @@ def main():
    if existing_users is None:
        exit(1)
-    print(f"Reading passwd entries from {PASSWD_FILE_PATH}")
+    for username, name in passwd_file_parser("/tmp/passwd-import"):
    for username, name in passwd_file_parser(PASSWD_FILE_PATH):
        print(f"Processing {username}")
        add_or_patch_gitea_user(username, name, existing_users)
        for org, team_name in COMMON_USER_TEAMS:
--- a/hosts/kommode/services/gitea/customization/loading.apng
+++ b/hosts/kommode/services/gitea/customization/loading.apng
--- a/hosts/bekkalokk/services/gitea/web-secret-provider/default.nix
+++ b/hosts/bekkalokk/services/gitea/web-secret-provider/default.nix
@@ -3,7 +3,6 @@ let
  organizations = [
    "Drift"
    "Projects"
    "Grzegorz"
    "Kurs"
  ];
--- a/hosts/bekkalokk/services/gitea/web-secret-provider/gitea-web-secret-provider.py
+++ b/hosts/bekkalokk/services/gitea/web-secret-provider/gitea-web-secret-provider.py
--- a/hosts/bekkalokk/services/kerberos/default.nix
+++ b/hosts/bekkalokk/services/kerberos/default.nix
--- a/hosts/bekkalokk/services/kerberos/krb5-conf-format.nix
+++ b/hosts/bekkalokk/services/kerberos/krb5-conf-format.nix
@@ -0,0 +1,88 @@
 { pkgs, lib, ... }:
 # Based on
 # - https://web.mit.edu/kerberos/krb5-1.12/doc/admin/conf_files/krb5_conf.html
 # - https://manpages.debian.org/unstable/heimdal-docs/krb5.conf.5heimdal.en.html
 let
  inherit (lib) boolToString concatMapStringsSep concatStringsSep filter
    isAttrs isBool isList mapAttrsToList mdDoc mkOption singleton splitString;
  inherit (lib.types) attrsOf bool coercedTo either int listOf oneOf path
    str submodule;
 in
 { }: {
  type = let
    section = attrsOf relation;
    relation = either (attrsOf value) value;
    value = either (listOf atom) atom;
    atom = oneOf [int str bool];
  in submodule {
    freeformType = attrsOf section;
    options = {
      include = mkOption {
        default = [ ];
        description = mdDoc ''
          Files to include in the Kerberos configuration.
        '';
        type = coercedTo path singleton (listOf path);
      };
      includedir = mkOption {
        default = [ ];
        description = mdDoc ''
          Directories containing files to include in the Kerberos configuration.
        '';
        type = coercedTo path singleton (listOf path);
      };
      module = mkOption {
        default = [ ];
        description = mdDoc ''
          Modules to obtain Kerberos configuration from.
        '';
        type = coercedTo path singleton (listOf path);
      };
    };
  };
  generate = let
    indent = str: concatMapStringsSep "\n" (line: "  " + line) (splitString "\n" str);
    formatToplevel = args @ {
      include ? [ ],
      includedir ? [ ],
      module ? [ ],
      ...
    }: let
      sections = removeAttrs args [ "include" "includedir" "module" ];
    in concatStringsSep "\n" (filter (x: x != "") [
      (concatStringsSep "\n" (mapAttrsToList formatSection sections))
      (concatMapStringsSep "\n" (m: "module ${m}") module)
      (concatMapStringsSep "\n" (i: "include ${i}") include)
      (concatMapStringsSep "\n" (i: "includedir ${i}") includedir)
    ]);
    formatSection = name: section: ''
      [${name}]
      ${indent (concatStringsSep "\n" (mapAttrsToList formatRelation section))}
    '';
    formatRelation = name: relation:
      if isAttrs relation
      then ''
        ${name} = {
        ${indent (concatStringsSep "\n" (mapAttrsToList formatValue relation))}
        }''
      else formatValue name relation;
    formatValue = name: value:
      if isList value
      then concatMapStringsSep "\n" (formatAtom name) value
      else formatAtom name value;
    formatAtom = name: atom: let
      v = if isBool atom then boolToString atom else toString atom;
    in "${name} = ${v}";
  in
    name: value: pkgs.writeText name ''
      ${formatToplevel value}
    '';
 }
--- a/hosts/bekkalokk/services/kerberos/krb5.nix
+++ b/hosts/bekkalokk/services/kerberos/krb5.nix
@@ -0,0 +1,90 @@
 { config, lib, pkgs, ... }:
 let
  inherit (lib) mdDoc mkIf mkOption mkPackageOption mkRemovedOptionModule;
  inherit (lib.types) bool;
  mkRemovedOptionModule' = name: reason: mkRemovedOptionModule ["krb5" name] reason;
  mkRemovedOptionModuleCfg = name: mkRemovedOptionModule' name ''
    The option `krb5.${name}' has been removed. Use
    `security.krb5.settings.${name}' for structured configuration.
  '';
  cfg = config.security.krb5;
  format = import ./krb5-conf-format.nix { inherit pkgs lib; } { };
 in {
  imports = [
    (mkRemovedOptionModuleCfg "libdefaults")
    (mkRemovedOptionModuleCfg "realms")
    (mkRemovedOptionModuleCfg "domain_realm")
    (mkRemovedOptionModuleCfg "capaths")
    (mkRemovedOptionModuleCfg "appdefaults")
    (mkRemovedOptionModuleCfg "plugins")
    (mkRemovedOptionModuleCfg "config")
    (mkRemovedOptionModuleCfg "extraConfig")
    (mkRemovedOptionModule' "kerberos" ''
      The option `krb5.kerberos' has been moved to `security.krb5.package'.
    '')
  ];
  options = {
    security.krb5 = {
      enable = mkOption {
        default = false;
        description = mdDoc "Enable and configure Kerberos utilities";
        type = bool;
      };
      package = mkPackageOption pkgs "krb5" {
        example = "heimdal";
      };
      settings = mkOption {
        default = { };
        type = format.type;
        description = mdDoc ''
          Structured contents of the {file}`krb5.conf` file. See
          {manpage}`krb5.conf(5)` for details about configuration.
        '';
        example = {
          include = [ "/run/secrets/secret-krb5.conf" ];
          includedir = [ "/run/secrets/secret-krb5.conf.d" ];
          libdefaults = {
            default_realm = "ATHENA.MIT.EDU";
          };
          realms = {
            "ATHENA.MIT.EDU" = {
              admin_server = "athena.mit.edu";
              kdc = [
                "athena01.mit.edu"
                "athena02.mit.edu"
              ];
            };
          };
          domain_realm = {
            "mit.edu" = "ATHENA.MIT.EDU";
          };
          logging = {
            kdc = "SYSLOG:NOTICE";
            admin_server = "SYSLOG:NOTICE";
            default = "SYSLOG:NOTICE";
          };
        };
      };
    };
  };
  config = mkIf cfg.enable {
    environment = {
      systemPackages = [ cfg.package ];
      etc."krb5.conf".source = format.generate "krb5.conf" cfg.settings;
    };
  };
  meta.maintainers = builtins.attrValues {
    inherit (lib.maintainers) dblsaiko h7x4;
  };
 }
--- a/hosts/bekkalokk/services/kerberos/pam.nix
+++ b/hosts/bekkalokk/services/kerberos/pam.nix
--- a/hosts/bekkalokk/services/mediawiki/default.nix
+++ b/hosts/bekkalokk/services/mediawiki/default.nix
@@ -61,6 +61,7 @@ in {
      user = "mediawiki";
      passwordFile = config.sops.secrets."mediawiki/postgres_password".path;
      createLocally = false;
      # TODO: create a normal database and copy over old data when the service is production ready
      name = "mediawiki";
    };
@@ -130,12 +131,6 @@ in {
      $wgVectorDefaultSidebarVisibleForAnonymousUser = true;
      $wgVectorResponsive = true;
      # Experimental dark mode support for Vector 2022
      $wgVectorNightMode['beta'] = true;
      $wgVectorNightMode['logged_out'] = true;
      $wgVectorNightMode['logged_in'] = true;
      $wgDefaultUserOptions['vector-theme'] = 'os';
      # Misc
      $wgEmergencyContact = "${cfg.passwordSender}";
      $wgUseTeX = false;
@@ -220,11 +215,11 @@ in {
      "= /favicon.ico".alias = pkgs.runCommandLocal "mediawiki-favicon.ico" {
        buildInputs = with pkgs; [ imagemagick ];
      } ''
-        magick \
+        convert \
          ${fp /assets/logo_blue_regular.png} \
          -resize x64 \
          -gravity center \
          -crop 64x64+0+0 \
          ${fp /assets/logo_blue_regular.png} \
          -flatten \
          -colors 256 \
          -background transparent \
--- a/hosts/bekkalokk/services/open-webui.nix
+++ b/hosts/bekkalokk/services/open-webui.nix
@@ -0,0 +1,49 @@
 { config, pkgs, lib, ... }:
 let
  cfg = config.services.open-webui;
  domain = "gpt.pvv.ntnu.no";
  address = "127.0.1.11";
  port = 11111;
 in
 {
  services.open-webui = {
    enable = true;
    package = pkgs.unstable.open-webui;
    port = port;
    host = "${address}";
    openFirewall = true;
 	environment = {
  		ANONYMIZED_TELEMETRY = "False";
  		DO_NOT_TRACK = "True";
  		SCARF_NO_ANALYTICS = "True";
 		OLLAMA_API_BASE_URL = "http://127.0.0.1:11434";
 		ENABLE_SIGNUP = "False";
 		ENABLE_OAUTH_SIGNUP = "True";
 		#ENABLE_LOGIN_FORM = "False"; #for forcing oauth only - less confusion but needed for local admin account i think
 		DEFAULT_USER_ROLE = "user";
 		ENABLE_ADMIN_EXPORT = "False";
 		ENABLE_ADMIN_CHAT_ACCESS = "False";
 		ENABLE_COMMUNITY_SHARING = "False";
 		WEBUI_URL = "${domain}";
 	};
  };
  services.nginx.virtualHosts."${domain}" = {
    forceSSL = true;
    enableACME = true;
    kTLS = true;
    locations."/" = {
      proxyPass = "http://${address}:${toString port}";
      proxyWebsockets = true;
    };
  };
 }
--- a/hosts/bekkalokk/services/website/default.nix
+++ b/hosts/bekkalokk/services/website/default.nix
@@ -18,16 +18,11 @@ in {
    restartUnits = [ "phpfpm-pvv-nettsiden.service" ];
  });
  security.acme.certs."www.pvv.ntnu.no" = {
    extraDomainNames = [
      "pvv.ntnu.no"
      "www.pvv.org"
      "pvv.org"
    ];
  };
  services.idp.sp-remote-metadata = [
    "https://www.pvv.ntnu.no/simplesaml/"
    "https://pvv.ntnu.no/simplesaml/"
    "https://www.pvv.org/simplesaml/"
    "https://pvv.org/simplesaml/"
  ];
  services.pvv-nettsiden = {
@@ -72,9 +67,7 @@ in {
        ADMIN_NAME = "PVV Drift";
        ADMIN_EMAIL = "drift@pvv.ntnu.no";
        ADMIN_PASSWORD = includeFromSops "simplesamlphp/admin_password";
-        TRUSTED_DOMAINS = [
+        TRUSTED_DOMAINS = [ cfg.domainName ];
          "www.pvv.ntnu.no"
        ];
      };
    };
  };
@@ -85,28 +78,13 @@ in {
    "catch_workers_output" = true;
  };
  services.nginx.virtualHosts."pvv.ntnu.no" = {
    globalRedirect = cfg.domainName;
    redirectCode = 307;
    forceSSL = true;
    useACMEHost = "www.pvv.ntnu.no";
  };
  services.nginx.virtualHosts."www.pvv.org" = {
    globalRedirect = cfg.domainName;
    redirectCode = 307;
    forceSSL = true;
    useACMEHost = "www.pvv.ntnu.no";
  };
  services.nginx.virtualHosts."pvv.org" = {
    globalRedirect = cfg.domainName;
    redirectCode = 307;
    forceSSL = true;
    useACMEHost = "www.pvv.ntnu.no";
  };
  services.nginx.virtualHosts.${cfg.domainName} = {
    serverAliases = [
      "pvv.ntnu.no"
      "www.pvv.org"
      "pvv.org"
    ];
    locations = {
      # Proxy home directories
      "^~ /~" = {
--- a/hosts/bekkalokk/services/website/fetch-gallery.nix
+++ b/hosts/bekkalokk/services/website/fetch-gallery.nix
@@ -53,7 +53,7 @@ in {
        echo "Creating thumbnail for $fname"
        mkdir -p $(dirname ".thumbnails/$fname")
-        magick -define jpeg:size=200x200 "$fname" -thumbnail 300 -auto-orient ".thumbnails/$fname.png" ||:
+        convert -define jpeg:size=200x200 "$fname" -thumbnail 300 -auto-orient ".thumbnails/$fname.png" ||:
        touch -m -d "$(date -R -r "$fname")" ".thumbnails/$fname.png"
      done <<< "$images"
    '';
--- a/hosts/bicep/configuration.nix
+++ b/hosts/bicep/configuration.nix
@@ -7,11 +7,10 @@
    (fp /misc/metrics-exporters.nix)
    ./services/nginx
    ./services/calendar-bot.nix
    #./services/git-mirrors
    ./services/minecraft-heatmap.nix
    ./services/mysql.nix
    ./services/postgres.nix
    ./services/mysql.nix
    ./services/calendar-bot.nix
    ./services/matrix
  ];
@@ -21,15 +20,13 @@
  sops.age.keyFile = "/var/lib/sops-nix/key.txt";
  sops.age.generateKey = true;
-  boot.loader.systemd-boot.enable = true;
+  boot.loader.grub.enable = true;
-  boot.loader.efi.canTouchEfiVariables = true;
+  boot.loader.grub.device = "/dev/disk/by-id/scsi-3600508b1001cb1a8751c137b30610682";
  networking.hostName = "bicep";
-  #systemd.network.networks."30-enp6s0f0" = values.defaultNetworkConfig // {
+  systemd.network.networks."30-enp6s0f0" = values.defaultNetworkConfig // {
-  systemd.network.networks."30-ens18" = values.defaultNetworkConfig // {
+    matchConfig.Name = "enp6s0f0";
    #matchConfig.Name = "enp6s0f0";
    matchConfig.Name = "ens18";
    address = with values.hosts.bicep; [ (ipv4 + "/25") (ipv6 + "/64") ]
      ++ (with values.services.turn; [ (ipv4 + "/25") (ipv6 + "/64") ]);
  };
@@ -40,13 +37,6 @@
  # There are no smart devices
  services.smartd.enable = false;
  # we are a vm now
  services.qemuGuest.enable = true;
  # Enable the OpenSSH daemon.
  services.openssh.enable = true;
  services.sshguard.enable = true;
  # Do not change, even during upgrades.
  # See https://search.nixos.org/options?show=system.stateVersion
  system.stateVersion = "22.11";
--- a/hosts/bicep/hardware-configuration.nix
+++ b/hosts/bicep/hardware-configuration.nix
@@ -5,29 +5,22 @@
 {
  imports =
-    [ (modulesPath + "/profiles/qemu-guest.nix")
+    [ (modulesPath + "/installer/scan/not-detected.nix")
    ];
-  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "ahci" "sd_mod" "sr_mod" ];
+  boot.initrd.availableKernelModules = [ "uhci_hcd" "ehci_pci" "hpsa" "ohci_pci" "usbhid" "sd_mod" ];
  boot.initrd.kernelModules = [ ];
-  boot.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" ];
  boot.extraModulePackages = [ ];
  fileSystems."/" =
-    { device = "/dev/disk/by-uuid/20e06202-7a09-47cc-8ef6-5e7afe19453a";
+    { device = "/dev/disk/by-uuid/31a67903-dc00-448a-a24a-36e820318fe5";
      fsType = "ext4";
    };
  # temp data disk, only 128gb not enough until we can add another disk to the system.
  fileSystems."/data" =
-    { device = "/dev/disk/by-uuid/c81af266-0781-4084-b8eb-c2587cbcf1ba";
+    { device = "/dev/disk/by-uuid/79e93eed-ad95-45c9-b115-4ef92afcc8c0";
-      fsType = "ext4";
+      fsType = "f2fs";
    };
  fileSystems."/boot" =
    { device = "/dev/disk/by-uuid/198B-E363";
      fsType = "vfat";
      options = [ "fmask=0022" "dmask=0022" ];
    };
  swapDevices = [ ];
@@ -37,7 +30,11 @@
  # still possible to use this option, but it's recommended to use it in conjunction
  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
  networking.useDHCP = lib.mkDefault true;
-  # networking.interfaces.ens18.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp6s0f0.useDHCP = lib.mkDefault true;
  # networking.interfaces.enp6s0f1.useDHCP = lib.mkDefault true;
  # networking.interfaces.enp6s0f2.useDHCP = lib.mkDefault true;
  # networking.interfaces.enp6s0f3.useDHCP = lib.mkDefault true;
  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 }
--- a/hosts/bicep/services/git-mirrors/default.nix
+++ b/hosts/bicep/services/git-mirrors/default.nix
@@ -1,100 +0,0 @@
 { config, pkgs, lib, fp, ... }:
 let
  cfg = config.services.gickup;
 in
 {
  sops.secrets."gickup/github-token" = {
    owner = "gickup";
  };
  services.gickup = {
    enable = true;
    dataDir = "/data/gickup";
    destinationSettings = {
      structured = true;
      zip = false;
      keep = 10;
      bare = true;
      lfs = false;
    };
    instances = let
      defaultGithubConfig = {
        settings.token_file = config.sops.secrets."gickup/github-token".path;
      };
      defaultGitlabConfig = {
        # settings.token_file = ...
      };
    in {
      "github:Git-Mediawiki/Git-Mediawiki" = defaultGithubConfig;
      "github:NixOS/nixpkgs" = defaultGithubConfig;
      "github:go-gitea/gitea" = defaultGithubConfig;
      "github:heimdal/heimdal" = defaultGithubConfig;
      "github:saltstack/salt" = defaultGithubConfig;
      "github:typst/typst" = defaultGithubConfig;
      "github:unmojang/FjordLauncher" = defaultGithubConfig;
      "github:unmojang/drasl" = defaultGithubConfig;
      "github:yushijinhun/authlib-injector" = defaultGithubConfig;
      "gitlab:mx-puppet/discord/better-discord.js" = defaultGitlabConfig;
      "gitlab:mx-puppet/discord/discord-markdown" = defaultGitlabConfig;
      "gitlab:mx-puppet/discord/matrix-discord-parser" = defaultGitlabConfig;
      "gitlab:mx-puppet/discord/mx-puppet-discord" = defaultGitlabConfig;
      "gitlab:mx-puppet/mx-puppet-bridge" = defaultGitlabConfig;
      "any:glibc" = {
        settings.url = "https://sourceware.org/git/glibc.git";
      };
      "any:out-of-your-element" = {
        settings.url = "https://gitdab.com/cadence/out-of-your-element.git";
      };
      "any:out-of-your-element-module" = {
        settings.url = "https://cgit.rory.gay/nix/OOYE-module.git";
      };
    };
  };
  services.cgit = let
    domain = "mirrors.pvv.ntnu.no";
  in {
    ${domain} = {
      enable = true;
      package = pkgs.callPackage (fp /packages/cgit.nix) { };
      group = "gickup";
      scanPath = "${cfg.dataDir}/linktree";
      settings = {
        enable-commit-graph = true;
        enable-follow-links = true;
        enable-http-clone = true;
        enable-remote-branches = true;
        clone-url = "https://${domain}/$CGIT_REPO_URL";
        remove-suffix = true;
        root-title = "PVVSPPP";
        root-desc = "PVV Speiler Praktisk og Prominent Programvare";
        snapshots = "all";
        logo = "/PVV-logo.png";
      };
    };
  };
  services.nginx.virtualHosts."mirrors.pvv.ntnu.no" = {
    forceSSL = true;
    enableACME = true;
    locations."= /PVV-logo.png".alias = let
      small-pvv-logo = pkgs.runCommandLocal "pvv-logo-96x96" {
        nativeBuildInputs = [ pkgs.imagemagick ];
      } ''
        magick '${fp /assets/logo_blue_regular.svg}' -resize 96x96 PNG:"$out"
      '';
    in toString small-pvv-logo;
  };
  systemd.services."fcgiwrap-cgit-mirrors.pvv.ntnu.no" = {
    serviceConfig.BindReadOnlyPaths = [ cfg.dataDir ];
  };
 }
--- a/hosts/bicep/services/matrix/coturn.nix
+++ b/hosts/bicep/services/matrix/coturn.nix
@@ -6,14 +6,12 @@
    key = "synapse/turnconfig";
    owner = config.users.users.matrix-synapse.name;
    group = config.users.users.matrix-synapse.group;
    restartUnits = [ "coturn.service" ];
  };
  sops.secrets."matrix/coturn/static-auth-secret" = {
    sopsFile = fp /secrets/bicep/matrix.yaml;
    key = "coturn/static-auth-secret";
    owner = config.users.users.turnserver.name;
    group = config.users.users.turnserver.group;
    restartUnits = [ "coturn.service" ];
  };
  services.matrix-synapse-next = {
@@ -44,15 +42,12 @@
  security.acme.certs.${config.services.coturn.realm} = {
    email = "drift@pvv.ntnu.no";
-    listenHTTP = "${values.services.turn.ipv4}:80";
+    listenHTTP = "129.241.210.213:80";
    reloadServices = [ "coturn.service" ];
  };
  users.users.turnserver.extraGroups = [ "acme" ];
  # It needs this to be allowed to access the files with the acme group
  systemd.services.coturn.serviceConfig.PrivateUsers = lib.mkForce false;
  systemd.services."acme-${config.services.coturn.realm}".serviceConfig = {
    AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
  };
@@ -71,7 +66,7 @@
    listening-ips = [
      values.services.turn.ipv4
-      values.services.turn.ipv6
+      # values.services.turn.ipv6
    ];
    tls-listening-port = 443;
--- a/hosts/bicep/services/matrix/default.nix
+++ b/hosts/bicep/services/matrix/default.nix
@@ -9,8 +9,7 @@
    ./coturn.nix
    ./mjolnir.nix
-    # ./discord.nix
+    ./discord.nix
    ./out-of-your-element.nix
    ./hookshot
  ];
--- a/hosts/bicep/services/matrix/discord.nix
+++ b/hosts/bicep/services/matrix/discord.nix
@@ -45,7 +45,7 @@ in
  };
-  services.mx-puppet-discord.enable = false;
+  services.mx-puppet-discord.enable = true;
  services.mx-puppet-discord.settings = {
    bridge = {
      bindAddress = "localhost";
--- a/hosts/bicep/services/matrix/hookshot/default.nix
+++ b/hosts/bicep/services/matrix/hookshot/default.nix
@@ -18,7 +18,6 @@ in
  sops.templates."hookshot-registration.yaml" = {
    owner = config.users.users.matrix-synapse.name;
    group = config.users.groups.keys-matrix-registrations.name;
    restartUnits = [ "matrix-hookshot.service" ];
    content = ''
      id: matrix-hookshot
      as_token: "${config.sops.placeholder."matrix/hookshot/as_token"}"
@@ -78,14 +77,14 @@ in
        outbound = true;
        urlPrefix = "https://hookshot.pvv.ntnu.no/webhook/";
        userIdPrefix = "_webhooks_";
-        allowJsTransformationFunctions = true;
+        allowJsTransformationFunctions = false;
        waitForComplete = false;
      };
      feeds = {
        enabled = true;
        pollIntervalSeconds = 600;
      };
-
+      
      serviceBots = [
        { localpart = "bot_feeds";
          displayname = "Aya";
@@ -95,11 +94,6 @@ in
        }
      ];
      widgets = {
        roomSetupWidget.addOnInvite = false;
        publicUrl = "https://hookshot.pvv.ntnu.no/widgetapi/v1/static";
      };
      permissions = [
        # Users of the PVV Server
        { actor = "pvv.ntnu.no";
@@ -134,7 +128,6 @@ in
  services.nginx.virtualHosts."hookshot.pvv.ntnu.no" = {
    enableACME = true;
    addSSL = true;
    locations."/" = {
      proxyPass = "http://${webhookListenAddress}:${toString webhookListenPort}";
    };
--- a/hosts/bicep/services/matrix/mjolnir.nix
+++ b/hosts/bicep/services/matrix/mjolnir.nix
@@ -6,7 +6,6 @@
    key = "mjolnir/access_token";
    owner = config.users.users.mjolnir.name;
    group = config.users.users.mjolnir.group;
    restartUnits = [ "mjolnir.service" ];
  };
  services.mjolnir = {
--- a/hosts/bicep/services/matrix/out-of-your-element.nix
+++ b/hosts/bicep/services/matrix/out-of-your-element.nix
@@ -1,70 +0,0 @@
 { config, pkgs, fp, ... }:
 let
  cfg = config.services.matrix-ooye;
 in
 {
  users.groups.keys-matrix-registrations = { };
  sops.secrets = {
    "matrix/ooye/as_token" = {
      sopsFile = fp /secrets/bicep/matrix.yaml;
      key = "ooye/as_token";
      restartUnits = [ "matrix-ooye.service" ];
    };
    "matrix/ooye/hs_token" = {
      sopsFile = fp /secrets/bicep/matrix.yaml;
      key = "ooye/hs_token";
      restartUnits = [ "matrix-ooye.service" ];
    };
    "matrix/ooye/discord_token" = {
      sopsFile = fp /secrets/bicep/matrix.yaml;
      key = "ooye/discord_token";
      restartUnits = [ "matrix-ooye.service" ];
    };
    "matrix/ooye/discord_client_secret" = {
      sopsFile = fp /secrets/bicep/matrix.yaml;
      key = "ooye/discord_client_secret";
      restartUnits = [ "matrix-ooye.service" ];
    };
  };
  services.matrix-ooye = {
    enable = true;
    homeserver = "https://matrix.pvv.ntnu.no";
    homeserverName = "pvv.ntnu.no";
    discordTokenPath = config.sops.secrets."matrix/ooye/discord_token".path;
    discordClientSecretPath = config.sops.secrets."matrix/ooye/discord_client_secret".path;
    bridgeOrigin = "https://ooye.pvv.ntnu.no";
    enableSynapseIntegration = false;
  };
  systemd.services."matrix-synapse" = {
    after = [
      "matrix-ooye-pre-start.service"
      "network-online.target"
    ];
    requires = [ "matrix-ooye-pre-start.service" ];
    serviceConfig = {
      LoadCredential = [
        "matrix-ooye-registration:/var/lib/matrix-ooye/registration.yaml"
      ];
      ExecStartPre = [
        "+${pkgs.coreutils}/bin/cp /run/credentials/matrix-synapse.service/matrix-ooye-registration ${config.services.matrix-synapse-next.dataDir}/ooye-registration.yaml"
        "+${pkgs.coreutils}/bin/chown matrix-synapse:keys-matrix-registrations ${config.services.matrix-synapse-next.dataDir}/ooye-registration.yaml"
      ];
    };
  };
  services.matrix-synapse-next.settings = {
    app_service_config_files = [
      "${config.services.matrix-synapse-next.dataDir}/ooye-registration.yaml"
    ];
  };
  services.nginx.virtualHosts."ooye.pvv.ntnu.no" = {
    forceSSL = true;
    enableACME = true;
    locations."/".proxyPass = "http://localhost:${cfg.socket}";
  };
 }
--- a/hosts/bicep/services/matrix/smtp-authenticator/default.nix
+++ b/hosts/bicep/services/matrix/smtp-authenticator/default.nix
@@ -1,4 +1,4 @@
-{ lib, buildPythonPackage, fetchFromGitHub, setuptools }:
+{ lib, buildPythonPackage, fetchFromGitHub }:
 buildPythonPackage rec {
  pname = "matrix-synapse-smtp-auth";
@@ -6,9 +6,6 @@ buildPythonPackage rec {
  src = ./.;
  pyproject = true;
  build-system = [ setuptools ];
  doCheck = false;
  meta = with lib; {
--- a/hosts/bicep/services/matrix/synapse.nix
+++ b/hosts/bicep/services/matrix/synapse.nix
@@ -124,8 +124,8 @@ in {
        "fec0::/10"
        # NTNU
-        values.ntnu.ipv4-space
+        "129.241.0.0/16"
-        values.ntnu.ipv6-space
+        "2001:700:300::/44"
      ];
    };
  };
--- a/hosts/bicep/services/minecraft-heatmap.nix
+++ b/hosts/bicep/services/minecraft-heatmap.nix
@@ -1,49 +0,0 @@
 { config, lib, pkgs, ... }:
 let
  cfg = config.services.minecraft-heatmap;
 in
 {
  sops.secrets."minecraft-heatmap/ssh-key/private" = {
    mode = "600";
  };
  sops.secrets."minecraft-heatmap/postgres-passwd" = {
    mode = "600";
  };
  services.minecraft-heatmap = {
    enable = true;
    database = {
      host = "postgres.pvv.ntnu.no";
      port = 5432;
      name = "minecraft_heatmap";
      user = "minecraft_heatmap";
      passwordFile = config.sops.secrets."minecraft-heatmap/postgres-passwd".path;
    };
  };
  systemd.services.minecraft-heatmap-ingest-logs = {
    serviceConfig.LoadCredential = [
      "sshkey:${config.sops.secrets."minecraft-heatmap/ssh-key/private".path}"
    ];
    preStart = let
      knownHostsFile = pkgs.writeText "minecraft-heatmap-known-hosts" ''
        innovation.pvv.ntnu.no ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE9O/y5uqcLKCodg2Q+XfZPH/AoUIyBlDhigImU+4+Kn
        innovation.pvv.ntnu.no ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQClR9GvWeVPZHudlnFXhGHUX5sGX9nscsOsotnlQ4uVuGsgvRifsVsuDULlAFXwoV1tYp4vnyXlsVtMddpLI5ANOIDcZ4fgDxpfSQmtHKssNpDcfMhFJbfRVyacipjA4osxTxvLox/yjtVt+URjTHUA1MWzEwc26KfiOvWO5tCBTan7doN/4KOyT05GwBxwzUAwUmoGTacIITck2Y9qp4+xFYqehbXqPdBb15hFyd38OCQhtU1hWV2Yi18+hJ4nyjc/g5pr6mW09ULlFghe/BaTUXrTisYC6bMcJZsTDwsvld9581KPvoNZOTQhZPTEQCZZ1h54fe0ZHuveVB3TIHovZyjoUuaf4uiFOjJVaKRB+Ig+Il6r7tMUn9CyHtus/Nd86E0TFBzoKxM0OFu88oaUlDtZVrUJL5En1lGoimajebb1JPxllFN5hqIT+gVyMY6nRzkcfS7ieny/U4rzXY2rfz98selftgh3LsBywwADv65i+mPw1A/1QdND1R6fV4U=
        innovation.pvv.ntnu.no ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNjl3HfsDqmALWCL9uhz9k93RAD2565ndBqUh4N/rvI7MCwEJ6iRCdDev0YzB1Fpg24oriyYoxZRP24ifC2sQf8=
      '';
    in ''
      mkdir -p '${cfg.minecraftLogsDir}'
      "${lib.getExe pkgs.rsync}" \
      --archive \
      --verbose \
      --progress \
      --no-owner \
      --no-group \
      --rsh="${pkgs.openssh}/bin/ssh -o UserKnownHostsFile=\"${knownHostsFile}\" -i \"$CREDENTIALS_DIRECTORY\"/sshkey" \
      root@innovation.pvv.ntnu.no:/ \
      '${cfg.minecraftLogsDir}'/
    '';
  };
 }
--- a/hosts/bicep/services/mysql.nix
+++ b/hosts/bicep/services/mysql.nix
@@ -48,8 +48,6 @@
    IPAddressAllow = [
      values.ipv4-space
      values.ipv6-space
      values.hosts.ildkule.ipv4
      values.hosts.ildkule.ipv6
    ];
  };
 }
--- a/hosts/bicep/services/postgres.nix
+++ b/hosts/bicep/services/postgres.nix
@@ -1,15 +1,15 @@
-{ config, pkgs, values, ... }:
+{ config, pkgs, ... }:
 {
  services.postgresql = {
    enable = true;
    package = pkgs.postgresql_15;
    enableTCPIP = true;
    dataDir = "/data/postgresql";
    authentication = ''
-      host all all ${values.ipv4-space} md5
+      host all all 129.241.210.128/25 md5
-      host all all ${values.ipv6-space} md5
+      host all all 2001:700:300:1900::/64 md5
      host all all ${values.hosts.ildkule.ipv4}/32 md5
      host all all ${values.hosts.ildkule.ipv6}/32 md5
    '';
    # Hilsen https://pgconfigurator.cybertec-postgresql.com/
@@ -74,40 +74,11 @@
    };
  };
-  systemd.tmpfiles.settings."10-postgresql"."/data/postgresql".d = {
+  systemd.services.postgresql.serviceConfig = {
-    user = config.systemd.services.postgresql.serviceConfig.User;
+    LoadCredential = [
-    group = config.systemd.services.postgresql.serviceConfig.Group;
+      "cert:/etc/certs/postgres.crt"
-    mode = "0700";
+      "key:/etc/certs/postgres.key"
  };
  systemd.services.postgresql-setup = {
    after = [
      "systemd-tmpfiles-setup.service"
      "systemd-tmpfiles-resetup.service"
    ];
    serviceConfig = {
      LoadCredential = [
        "cert:/etc/certs/postgres.crt"
        "key:/etc/certs/postgres.key"
      ];
      BindPaths = [ "/data/postgresql:/var/lib/postgresql" ];
    };
  };
  systemd.services.postgresql = {
    after = [
      "systemd-tmpfiles-setup.service"
      "systemd-tmpfiles-resetup.service"
    ];
    serviceConfig = {
      LoadCredential = [
        "cert:/etc/certs/postgres.crt"
        "key:/etc/certs/postgres.key"
      ];
      BindPaths = [ "/data/postgresql:/var/lib/postgresql" ];
    };
  };
  environment.snakeoil-certs."/etc/certs/postgres" = {
--- a/hosts/bob/configuration.nix
+++ b/hosts/bob/configuration.nix
@@ -0,0 +1,46 @@
 { config, fp, pkgs, values, ... }:
 {
  imports = [
      # Include the results of the hardware scan.
      ./hardware-configuration.nix
      (fp /base)
      (fp /misc/metrics-exporters.nix)
      ./disks.nix
      (fp /misc/builder.nix)
    ];
  sops.defaultSopsFile = fp /secrets/bob/bob.yaml;
  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
  sops.age.keyFile = "/var/lib/sops-nix/key.txt";
  sops.age.generateKey = true;
  boot.loader.grub = {
    enable = true;
    efiSupport = true;
    efiInstallAsRemovable = true;
  };
  networking.hostName = "bob"; # Define your hostname.
  systemd.network.networks."30-all" = values.defaultNetworkConfig // {
    matchConfig.Name = "en*";
    DHCP = "yes";
    gateway = [ ];
  };
  # List packages installed in system profile
  environment.systemPackages = with pkgs; [
  ];
  # List services that you want to enable:
  # This value determines the NixOS release from which the default
  # settings for stateful data, like file locations and database versions
  # on your system were taken. It‘s perfectly fine and recommended to leave
  # this value at the release version of the first install of this system.
  # Before changing this value read the documentation for this option
  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
  system.stateVersion = "23.05"; # Did you read the comment?
 }
--- a/hosts/bob/disks.nix
+++ b/hosts/bob/disks.nix
@@ -0,0 +1,39 @@
 # Example to create a bios compatible gpt partition
 { lib, ... }:
 {
  disko.devices = {
    disk.disk1 = {
      device = lib.mkDefault "/dev/sda";
      type = "disk";
      content = {
        type = "gpt";
        partitions = {
          boot = {
            name = "boot";
            size = "1M";
            type = "EF02";
          };
          esp = {
            name = "ESP";
            size = "500M";
            type = "EF00";
            content = {
              type = "filesystem";
              format = "vfat";
              mountpoint = "/boot";
            };
          };
          root = {
            name = "root";
            size = "100%";
            content = {
              type = "filesystem";
              format = "ext4";
              mountpoint = "/";
            };
          };
        };
      };
    };
  };
 }
--- a/hosts/kommode/hardware-configuration.nix
+++ b/hosts/kommode/hardware-configuration.nix
@@ -8,32 +8,17 @@
    [ (modulesPath + "/profiles/qemu-guest.nix")
    ];
-  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
+  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_blk" ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ ];
  boot.extraModulePackages = [ ];
  fileSystems."/" =
    { device = "/dev/disk/by-uuid/d421538f-a260-44ae-8e03-47cac369dcc1";
      fsType = "btrfs";
    };
  fileSystems."/boot" =
    { device = "/dev/disk/by-uuid/86CD-4C23";
      fsType = "vfat";
      options = [ "fmask=0077" "dmask=0077" ];
    };
  swapDevices =
    [ { device = "/dev/disk/by-uuid/4cfbb41e-801f-40dd-8c58-0a0c1a6025f6"; }
    ];
  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
  # (the default) this is the recommended approach. When using systemd-networkd it's
  # still possible to use this option, but it's recommended to use it in conjunction
  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
  networking.useDHCP = lib.mkDefault true;
-  # networking.interfaces.ens18.useDHCP = lib.mkDefault true;
+  # networking.interfaces.ens3.useDHCP = lib.mkDefault true;
  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
 }
--- a/hosts/georg/configuration.nix
+++ b/hosts/georg/configuration.nix
@@ -25,26 +25,6 @@
  # List services that you want to enable:
  services.spotifyd = {
    enable = true;
    settings.global = {
      device_name = "georg";
      use_mpris = false;
      #dbus_type = "system";
      #zeroconf_port = 1234;
    };
  };
  networking.firewall.allowedTCPPorts = [
    # config.services.spotifyd.settings.zeroconf_port
    5353 # spotifyd is its own mDNS service wtf
  ];
  # This value determines the NixOS release from which the default
  # settings for stateful data, like file locations and database versions
  # on your system were taken. It‘s perfectly fine and recommended to leave
--- a/hosts/ildkule/services/monitoring/dashboards/gitea-dashbaord.json
+++ b/hosts/ildkule/services/monitoring/dashboards/gitea-dashbaord.json
@@ -1539,8 +1539,8 @@
    ]
  },
  "timezone": "browser",
-  "title": "Gitea Dashboard",
+  "title": "Gitea Dashbaord",
  "uid": "nNq1Iw5Gz",
  "version": 29,
  "weekStart": ""
-}
+}
--- a/hosts/ildkule/services/monitoring/grafana.nix
+++ b/hosts/ildkule/services/monitoring/grafana.nix
@@ -56,12 +56,13 @@ in {
          url = "https://raw.githubusercontent.com/matrix-org/synapse/develop/contrib/grafana/synapse.json";
          options.path = dashboards/synapse.json;
        }
-        {
+        # TODO: enable once https://github.com/NixOS/nixpkgs/pull/242365 gets merged
-          name = "MySQL";
+        # {
-          type = "file";
+        #   name = "MySQL";
-          url = "https://raw.githubusercontent.com/prometheus/mysqld_exporter/main/mysqld-mixin/dashboards/mysql-overview.json";
+        #   type = "file";
-          options.path = dashboards/mysql.json;
+        #   url = "https://raw.githubusercontent.com/prometheus/mysqld_exporter/main/mysqld-mixin/dashboards/mysql-overview.json";
-        }
+        #   options.path = dashboards/mysql.json;
        # }
        {
          name = "Postgresql";
          type = "file";
@@ -75,10 +76,10 @@ in {
          options.path = dashboards/go-processes.json;
        }
        {
-          name = "Gitea Dashboard";
+          name = "Gitea Dashbaord";
          type = "file";
          url = "https://grafana.com/api/dashboards/17802/revisions/3/download";
-          options.path = dashboards/gitea-dashboard.json;
+          options.path = dashboards/gitea-dashbaord.json;
        }
      ];
--- a/hosts/ildkule/services/monitoring/prometheus/default.nix
+++ b/hosts/ildkule/services/monitoring/prometheus/default.nix
@@ -2,12 +2,12 @@
  stateDir = "/data/monitoring/prometheus";
 in {
  imports = [
    ./exim.nix
    ./gitea.nix
    ./machines.nix
    ./matrix-synapse.nix
-    ./mysqld.nix
+    # TODO: enable once https://github.com/NixOS/nixpkgs/pull/242365 gets merged
    # ./mysqld.nix
    ./postgres.nix
    ./machines.nix
  ];
  services.prometheus = {
--- a/hosts/ildkule/services/monitoring/prometheus/exim.nix
+++ b/hosts/ildkule/services/monitoring/prometheus/exim.nix
@@ -1,14 +0,0 @@
 { ... }:
 {
  services.prometheus = {
    scrapeConfigs = [
      {
        job_name = "exim";
        scrape_interval = "15s";
        static_configs = [{
          targets = [ "microbel.pvv.ntnu.no:9636" ];
        }];
      }
    ];
  };
 }
--- a/hosts/ildkule/services/monitoring/prometheus/machines.nix
+++ b/hosts/ildkule/services/monitoring/prometheus/machines.nix
@@ -1,37 +1,54 @@
 { config, ... }: let
  cfg = config.services.prometheus;
  mkHostScrapeConfig = name: ports: {
    labels.hostname = name;
    targets = map (port: "${name}.pvv.ntnu.no:${toString port}") ports;
  };
  defaultNodeExporterPort = 9100;
  defaultSystemdExporterPort = 9101;
  defaultNixosExporterPort = 9102;
 in {
  services.prometheus.scrapeConfigs = [{
    job_name = "base_info";
    static_configs = [
-      (mkHostScrapeConfig "ildkule" [ cfg.exporters.node.port cfg.exporters.systemd.port defaultNixosExporterPort ])
+      { labels.hostname = "ildkule";
-
+        targets = [
-      (mkHostScrapeConfig "bekkalokk" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
+          "ildkule.pvv.ntnu.no:${toString cfg.exporters.node.port}"
-      (mkHostScrapeConfig "bicep" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
+          "ildkule.pvv.ntnu.no:${toString cfg.exporters.systemd.port}"
-      (mkHostScrapeConfig "brzeczyszczykiewicz" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
+        ];
-      (mkHostScrapeConfig "georg" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
+      }
-      (mkHostScrapeConfig "kommode" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
+      { labels.hostname = "bekkalokk";
-      (mkHostScrapeConfig "ustetind" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
+        targets = [
-      (mkHostScrapeConfig "wenche" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
+          "bekkalokk.pvv.ntnu.no:9100"
-
+          "bekkalokk.pvv.ntnu.no:9101"
-      (mkHostScrapeConfig "lupine-1" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
+        ];
-      # (mkHostScrapeConfig "lupine-2" [ defaultNodeExporterPort defaultSystemdExporterPort ])
+      }
-      (mkHostScrapeConfig "lupine-3" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
+      { labels.hostname = "bicep";
-      (mkHostScrapeConfig "lupine-4" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
+        targets = [
-      (mkHostScrapeConfig "lupine-5" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
+          "bicep.pvv.ntnu.no:9100"
-
+          "bicep.pvv.ntnu.no:9101"
-      (mkHostScrapeConfig "hildring" [ defaultNodeExporterPort ])
+        ];
-      (mkHostScrapeConfig "isvegg" [ defaultNodeExporterPort ])
+      }
-      (mkHostScrapeConfig "microbel" [ defaultNodeExporterPort ])
+      { labels.hostname = "brzeczyszczykiewicz";
        targets = [
          "brzeczyszczykiewicz.pvv.ntnu.no:9100"
          "brzeczyszczykiewicz.pvv.ntnu.no:9101"
        ];
      }
      { labels.hostname = "georg";
        targets = [
          "georg.pvv.ntnu.no:9100"
          "georg.pvv.ntnu.no:9101"
        ];
      }
      { labels.hostname =  "hildring";
        targets = [
          "hildring.pvv.ntnu.no:9100"
        ];
      }
      { labels.hostname =  "isvegg";
        targets = [
          "isvegg.pvv.ntnu.no:9100"
        ];
      }
      { labels.hostname =  "microbel";
        targets = [
          "microbel.pvv.ntnu.no:9100"
        ];
      }
    ];
  }];
 }
--- a/hosts/ildkule/services/monitoring/prometheus/mysqld.nix
+++ b/hosts/ildkule/services/monitoring/prometheus/mysqld.nix
@@ -1,22 +1,7 @@
 { config, ... }: let
  cfg = config.services.prometheus;
 in {
-  sops = {
+  sops.secrets."config/mysqld_exporter" = { };
    secrets."config/mysqld_exporter_password" = { };
    templates."mysqld_exporter.conf" = {
      restartUnits = [ "prometheus-mysqld-exporter.service" ];
      content = let
        inherit (config.sops) placeholder;
      in ''
        [client]
        host = mysql.pvv.ntnu.no
        port = 3306
        user = prometheus_mysqld_exporter
        password = ${placeholder."config/mysqld_exporter_password"}
      '';
    };
  };
  services.prometheus = {
    scrapeConfigs = [{
@@ -34,7 +19,7 @@ in {
    exporters.mysqld = {
      enable = true;
-      configFile = config.sops.templates."mysqld_exporter.conf".path;
+      configFilePath = config.sops.secrets."config/mysqld_exporter".path;
    };
  };
 }
--- a/hosts/kommode/configuration.nix
+++ b/hosts/kommode/configuration.nix
@@ -1,34 +0,0 @@
 { pkgs, values, fp, ... }:
 {
  imports = [
    # Include the results of the hardware scan.
    ./hardware-configuration.nix
    (fp /base)
    (fp /misc/metrics-exporters.nix)
    ./services/gitea
    ./services/nginx.nix
  ];
  sops.defaultSopsFile = fp /secrets/kommode/kommode.yaml;
  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
  sops.age.keyFile = "/var/lib/sops-nix/key.txt";
  sops.age.generateKey = true;
  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;
  networking.hostName = "kommode"; # Define your hostname.
  systemd.network.networks."30-ens18" = values.defaultNetworkConfig // {
    matchConfig.Name = "ens18";
    address = with values.hosts.kommode; [ (ipv4 + "/25") (ipv6 + "/64") ];
  };
  services.btrfs.autoScrub.enable = true;
  environment.systemPackages = with pkgs; [];
  system.stateVersion = "24.11";
 }
--- a/hosts/kommode/services/gitea/customization/default.nix
+++ b/hosts/kommode/services/gitea/customization/default.nix
@@ -1,63 +0,0 @@
 { config, pkgs, lib, fp, ... }:
 let
  cfg = config.services.gitea;
 in
 {
  services.gitea-themes = {
    monokai = pkgs.gitea-theme-monokai;
    earl-grey = pkgs.gitea-theme-earl-grey;
    pitch-black = pkgs.gitea-theme-pitch-black;
    catppuccin = pkgs.gitea-theme-catppuccin;
  };
  systemd.services.gitea-customization = lib.mkIf cfg.enable {
    description = "Install extra customization in gitea's CUSTOM_DIR";
    wantedBy = [ "gitea.service" ];
    requiredBy = [ "gitea.service" ];
    serviceConfig =  {
      Type = "oneshot";
      User = cfg.user;
      Group = cfg.group;
    };
    script = let
      logo-svg = fp /assets/logo_blue_regular.svg;
      logo-png = fp /assets/logo_blue_regular.png;
      extraLinks = pkgs.writeText "gitea-extra-links.tmpl" ''
        <a class="item" href="https://git.pvv.ntnu.no/Drift/-/projects/4">Tokyo Drift Issues</a>
      '';
      extraLinksFooter = pkgs.writeText "gitea-extra-links-footer.tmpl" ''
        <a class="item" href="https://www.pvv.ntnu.no/">PVV</a>
        <a class="item" href="https://wiki.pvv.ntnu.no/">Wiki</a>
        <a class="item" href="https://wiki.pvv.ntnu.no/wiki/Tjenester/Kodelager">PVV Gitea Howto</a>
      '';
      project-labels = (pkgs.formats.yaml { }).generate "gitea-project-labels.yaml" {
        labels = lib.importJSON ./labels/projects.json;
      };
      customTemplates = pkgs.runCommandLocal "gitea-templates" {
        nativeBuildInputs = with pkgs; [
          coreutils
          gnused
        ];
      } ''
        # Bigger icons
        install -Dm444 "${cfg.package.src}/templates/repo/icon.tmpl" "$out/repo/icon.tmpl"
        sed -i -e 's/24/60/g' "$out/repo/icon.tmpl"
      '';
    in ''
      install -Dm444 ${logo-svg} ${cfg.customDir}/public/assets/img/logo.svg
      install -Dm444 ${logo-png} ${cfg.customDir}/public/assets/img/logo.png
      install -Dm444 ${./loading.apng} ${cfg.customDir}/public/assets/img/loading.png
      install -Dm444 ${extraLinks} ${cfg.customDir}/templates/custom/extra_links.tmpl
      install -Dm444 ${extraLinksFooter} ${cfg.customDir}/templates/custom/extra_links_footer.tmpl
      install -Dm444 ${project-labels} ${cfg.customDir}/options/label/project-labels.yaml
      "${lib.getExe pkgs.rsync}" -a "${customTemplates}/" ${cfg.customDir}/templates/
    '';
  };
 }
--- a/hosts/kommode/services/gitea/customization/labels/projects.json
+++ b/hosts/kommode/services/gitea/customization/labels/projects.json
@@ -1,116 +0,0 @@
 [
  {
    "name": "art",
    "exclusive": false,
    "color": "#006b75",
    "description": "Requires some creativity"
  },
  {
    "name": "big",
    "exclusive": false,
    "color": "#754bc4",
    "description": "This is gonna take a while"
  },
  {
    "name": "blocked",
    "exclusive": false,
    "color": "#850021",
    "description": "This issue/PR depends on one or more other issues/PRs"
  },
  {
    "name": "bug",
    "exclusive": false,
    "color": "#f05048",
    "description": "Something brokey"
  },
  {
    "name": "ci-cd",
    "exclusive": false,
    "color": "#d1ff78",
    "description": "Continuous integrals and continuous derivation"
  },
  {
    "name": "crash report",
    "exclusive": false,
    "color": "#ed1111",
    "description": "Report an oopsie"
  },
  {
    "name": "disputed",
    "exclusive": false,
    "color": "#5319e7",
    "description": "Kranglefanter"
  },
  {
    "name": "documentation",
    "exclusive": false,
    "color": "#fbca04",
    "description": "Documentation changes required"
  },
  {
    "name": "duplicate",
    "exclusive": false,
    "color": "#cccccc",
    "description": "This issue or pull request already exists"
  },
  {
    "name": "feature request",
    "exclusive": false,
    "color": "#0052cc",
    "description": ""
  },
  {
    "name": "good first issue",
    "exclusive": false,
    "color": "#009800",
    "description": "Get your hands dirty with a new project here"
  },
  {
    "name": "me gusta",
    "exclusive": false,
    "color": "#30ff36",
    "description": "( ͡° ͜ʖ ͡°)"
  },
  {
    "name": "packaging",
    "exclusive": false,
    "color": "#bf642b",
    "description": ""
  },
  {
    "name": "question",
    "exclusive": false,
    "color": "#cc317c",
    "description": ""
  },
  {
    "name": "security",
    "exclusive": false,
    "color": "#ed1111",
    "description": "Skommel"
  },
  {
    "name": "techdebt spring cleaning",
    "exclusive": false,
    "color": "#8c6217",
    "description": "The code is smelly 👃"
  },
  {
    "name": "testing",
    "exclusive": false,
    "color": "#52b373",
    "description": "Poke it and see if it explodes"
  },
  {
    "name": "ui/ux",
    "exclusive": false,
    "color": "#f28852",
    "description": "User complaints about ergonomics and economics and whatever"
  },
  {
    "name": "wontfix",
    "exclusive": false,
    "color": "#ffffff",
    "description": "Nei, vil ikke"
  }
 ]
--- a/hosts/kommode/services/nginx.nix
+++ b/hosts/kommode/services/nginx.nix
@@ -1,4 +0,0 @@
 { ... }:
 {
  services.nginx.enable = true;
 }
--- a/hosts/lupine/configuration.nix
+++ b/hosts/lupine/configuration.nix
@@ -1,35 +0,0 @@
 { fp, values, lupineName, ... }:
 {
  imports = [
    ./hardware-configuration/${lupineName}.nix
    (fp /base)
    (fp /misc/metrics-exporters.nix)
    ./services/gitea-runner.nix
  ];
  sops.defaultSopsFile = fp /secrets/lupine/lupine.yaml;
  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
  sops.age.keyFile = "/var/lib/sops-nix/key.txt";
  sops.age.generateKey = true;
  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;
  systemd.network.networks."30-enp0s31f6" = values.defaultNetworkConfig // {
    matchConfig.Name = "enp0s31f6";
    address = with values.hosts.${lupineName}; [ (ipv4 + "/25") (ipv6 + "/64") ];
    networkConfig.LLDP = false;
  };
  systemd.network.wait-online = {
    anyInterface = true;
  };
  # There are no smart devices
  services.smartd.enable = false;
  # Do not change, even during upgrades.
  # See https://search.nixos.org/options?show=system.stateVersion
  system.stateVersion = "25.05";
 }
--- a/hosts/lupine/hardware-configuration/lupine-1.nix
+++ b/hosts/lupine/hardware-configuration/lupine-1.nix
@@ -1,40 +0,0 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 { config, lib, pkgs, modulesPath, ... }:
 {
  imports =
    [ (modulesPath + "/installer/scan/not-detected.nix")
    ];
  boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "sd_mod" ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ "kvm-intel" ];
  boot.extraModulePackages = [ ];
  fileSystems."/" =
    { device = "/dev/disk/by-uuid/a949e2e8-d973-4925-83e4-bcd815e65af7";
      fsType = "ext4";
    };
  fileSystems."/boot" =
    { device = "/dev/disk/by-uuid/81D6-38D3";
      fsType = "vfat";
      options = [ "fmask=0077" "dmask=0077" ];
    };
  swapDevices =
    [ { device = "/dev/disk/by-uuid/82c2d7fa-7cd0-4398-8cf6-c892bc56264b"; }
    ];
  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
  # (the default) this is the recommended approach. When using systemd-networkd it's
  # still possible to use this option, but it's recommended to use it in conjunction
  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
  networking.useDHCP = lib.mkDefault true;
  # networking.interfaces.enp0s31f6.useDHCP = lib.mkDefault true;
  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 }
--- a/hosts/lupine/hardware-configuration/lupine-2.nix
+++ b/hosts/lupine/hardware-configuration/lupine-2.nix
@@ -1,40 +0,0 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 { config, lib, pkgs, modulesPath, ... }:
 {
  imports =
    [ (modulesPath + "/installer/scan/not-detected.nix")
    ];
  boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "sd_mod" ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ "kvm-intel" ];
  boot.extraModulePackages = [ ];
  fileSystems."/" =
    { device = "/dev/disk/by-uuid/aa81d439-800b-403d-ac10-9d2aac3619d0";
      fsType = "ext4";
    };
  fileSystems."/boot" =
    { device = "/dev/disk/by-uuid/4A34-6AE5";
      fsType = "vfat";
      options = [ "fmask=0077" "dmask=0077" ];
    };
  swapDevices =
    [ { device = "/dev/disk/by-uuid/efb7cd0c-c1ae-4a86-8bc2-8e7fd0066650"; }
    ];
  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
  # (the default) this is the recommended approach. When using systemd-networkd it's
  # still possible to use this option, but it's recommended to use it in conjunction
  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
  networking.useDHCP = lib.mkDefault true;
  # networking.interfaces.enp0s31f6.useDHCP = lib.mkDefault true;
  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 }
--- a/hosts/lupine/hardware-configuration/lupine-3.nix
+++ b/hosts/lupine/hardware-configuration/lupine-3.nix
@@ -1,40 +0,0 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 { config, lib, pkgs, modulesPath, ... }:
 {
  imports =
    [ (modulesPath + "/installer/scan/not-detected.nix")
    ];
  boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "sd_mod" ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ "kvm-intel" ];
  boot.extraModulePackages = [ ];
  fileSystems."/" =
    { device = "/dev/disk/by-uuid/39ba059b-3205-4701-a832-e72c0122cb88";
      fsType = "ext4";
    };
  fileSystems."/boot" =
    { device = "/dev/disk/by-uuid/63FA-297B";
      fsType = "vfat";
      options = [ "fmask=0077" "dmask=0077" ];
    };
  swapDevices =
    [ { device = "/dev/disk/by-uuid/9c72eb54-ea8c-4b09-808a-8be9b9a33869"; }
    ];
  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
  # (the default) this is the recommended approach. When using systemd-networkd it's
  # still possible to use this option, but it's recommended to use it in conjunction
  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
  networking.useDHCP = lib.mkDefault true;
  # networking.interfaces.enp0s31f6.useDHCP = lib.mkDefault true;
  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 }
--- a/hosts/lupine/hardware-configuration/lupine-4.nix
+++ b/hosts/lupine/hardware-configuration/lupine-4.nix
@@ -1,34 +0,0 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 { config, lib, pkgs, modulesPath, ... }:
 {
  imports =
    [ (modulesPath + "/installer/scan/not-detected.nix")
    ];
  boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "sd_mod" ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ "kvm-intel" ];
  boot.extraModulePackages = [ ];
  fileSystems."/" =
    { device = "/dev/disk/by-uuid/c7bbb293-a0a3-4995-8892-0ec63e8c67dd";
      fsType = "ext4";
    };
  swapDevices =
    [ { device = "/dev/disk/by-uuid/a86ffda8-8ecb-42a1-bf9f-926072e90ca5"; }
    ];
  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
  # (the default) this is the recommended approach. When using systemd-networkd it's
  # still possible to use this option, but it's recommended to use it in conjunction
  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
  networking.useDHCP = lib.mkDefault true;
  # networking.interfaces.enp0s31f6.useDHCP = lib.mkDefault true;
  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 }
--- a/hosts/lupine/hardware-configuration/lupine-5.nix
+++ b/hosts/lupine/hardware-configuration/lupine-5.nix
@@ -1,40 +0,0 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 { config, lib, pkgs, modulesPath, ... }:
 {
  imports =
    [ (modulesPath + "/installer/scan/not-detected.nix")
    ];
  boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "sd_mod" ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ "kvm-intel" ];
  boot.extraModulePackages = [ ];
  fileSystems."/" =
    { device = "/dev/disk/by-uuid/5f8418ad-8ec1-4f9e-939e-f3a4c36ef343";
      fsType = "ext4";
    };
  fileSystems."/boot" =
    { device = "/dev/disk/by-uuid/F372-37DF";
      fsType = "vfat";
      options = [ "fmask=0077" "dmask=0077" ];
    };
  swapDevices =
    [ { device = "/dev/disk/by-uuid/27bf292d-bbb3-48c4-a86e-456e0f1f648f"; }
    ];
  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
  # (the default) this is the recommended approach. When using systemd-networkd it's
  # still possible to use this option, but it's recommended to use it in conjunction
  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
  networking.useDHCP = lib.mkDefault true;
  # networking.interfaces.enp0s31f6.useDHCP = lib.mkDefault true;
  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 }
--- a/hosts/lupine/services/gitea-runner.nix
+++ b/hosts/lupine/services/gitea-runner.nix
@@ -1,71 +0,0 @@
 { config, lupineName, ... }:
 {
  # This is unfortunately state, and has to be generated one at a time :(
  # To do that, comment out all except one of the runners, fill in its token
  # inside the sops file, rebuild the system, and only after this runner has
  # successfully registered will gitea give you the next token.
  # - oysteikt Sep 2023
  sops = {
    secrets."gitea/runners/token" = {
      key = "gitea/runners/${lupineName}";
    };
    templates."gitea-runner-envfile" = {
      restartUnits = [
        "gitea-runner-${lupineName}.service"
      ];
      content = ''
        TOKEN="${config.sops.placeholder."gitea/runners/token"}"
      '';
    };
  };
  services.gitea-actions-runner.instances = {
    ${lupineName} = {
      enable = true;
      name = "git-runner-${lupineName}";
      url = "https://git.pvv.ntnu.no";
      # NOTE: gitea actions runners need node inside their docker images,
      #       so we are a bit limited here.
      labels = [
        "debian-latest:docker://node:current-trixie"
        "debian-trixie:docker://node:current-trixie"
        "debian-bookworm:docker://node:current-bookworm"
        "debian-bullseye:docker://node:current-bullseye"
        "debian-latest-slim:docker://node:current-trixie-slim"
        "debian-trixie-slim:docker://node:current-trixie-slim"
        "debian-bookworm-slim:docker://node:current-bookworm-slim"
        "debian-bullseye-slim:docker://node:current-bullseye-slim"
        "alpine-latest:docker://node:current-alpine"
        "alpine-3.22:docker://node:current-alpine3.22"
        "alpine-3.21:docker://node:current-alpine3.21"
        # See https://gitea.com/gitea/runner-images
        "ubuntu-latest:docker://docker.gitea.com/runner-images:ubuntu-latest"
        "ubuntu-24.04:docker://docker.gitea.com/runner-images:ubuntu-24.04"
        "ubuntu-noble:docker://docker.gitea.com/runner-images:ubuntu-24.04"
        "ubuntu-22.04:docker://docker.gitea.com/runner-images:ubuntu-22.04"
        "ubuntu-jammy:docker://docker.gitea.com/runner-images:ubuntu-22.04"
        "ubuntu-latest-slim:docker://docker.gitea.com/runner-images:ubuntu-latest-slim"
        "ubuntu-24.04-slim:docker://docker.gitea.com/runner-images:ubuntu-24.04-slim"
        "ubuntu-noble-slim:docker://docker.gitea.com/runner-images:ubuntu-24.04-slim"
        "ubuntu-22.04-slim:docker://docker.gitea.com/runner-images:ubuntu-22.04-slim"
        "ubuntu-jammy-slim:docker://docker.gitea.com/runner-images:ubuntu-22.04-slim"
      ];
      tokenFile = config.sops.templates."gitea-runner-envfile".path;
    };
  };
  virtualisation.podman = {
    enable = true;
    defaultNetwork.settings.dns_enabled = true;
    autoPrune.enable = true;
  };
  networking.dhcpcd.IPv6rs = false;
  networking.firewall.interfaces."podman+".allowedUDPPorts = [53 5353];
 }
--- a/hosts/ustetind/services/gitea-runners.nix
+++ b/hosts/ustetind/services/gitea-runners.nix
@@ -15,8 +15,8 @@ let
        enable = true;
        name = "git-runner-${name}"; url = "https://git.pvv.ntnu.no";
        labels = [
-          "debian-latest:docker://node:current-bookworm"
+          "debian-latest:docker://node:18-bullseye"
-          "ubuntu-latest:docker://node:current-bookworm"
+          "ubuntu-latest:docker://node:18-bullseye"
        ];
        tokenFile = config.sops.secrets."gitea/runners/${name}".path;
      };
--- a/hosts/wenche/configuration.nix
+++ b/hosts/wenche/configuration.nix
@@ -1,39 +0,0 @@
 { config, fp, pkgs, values, lib, ... }:
 {
  imports = [
      # Include the results of the hardware scan.
      ./hardware-configuration.nix
      (fp /base)
      (fp /misc/metrics-exporters.nix)
      (fp /misc/builder.nix)
    ];
  sops.defaultSopsFile = fp /secrets/wenche/wenche.yaml;
  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
  sops.age.keyFile = "/var/lib/sops-nix/key.txt";
  sops.age.generateKey = true;
  boot.loader.grub.device = "/dev/sda";
  networking.hostName = "wenche"; # Define your hostname.
  systemd.network.networks."30-ens18" = values.defaultNetworkConfig // {
    matchConfig.Name = "ens18";
    address = with values.hosts.wenche; [ (ipv4 + "/25") (ipv6 + "/64") ];
  };
  hardware.graphics.enable = true;
  services.xserver.videoDrivers = [ "nvidia" ];
  hardware.nvidia = {
    modesetting.enable = true;
    open = false;
    package = config.boot.kernelPackages.nvidiaPackages.production;
  };
  # List packages installed in system profile
  environment.systemPackages = with pkgs; [
  ];
  system.stateVersion = "24.11"; # Did you read the comment?
 }
--- a/hosts/wenche/hardware-configuration.nix
+++ b/hosts/wenche/hardware-configuration.nix
@@ -1,27 +0,0 @@
 { config, lib, pkgs, modulesPath, ... }:
 {
  imports =
    [ (modulesPath + "/profiles/qemu-guest.nix")
    ];
  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ "nvidia"  ];
  boot.extraModulePackages = [ ];
  fileSystems."/" =
    { device = "/dev/disk/by-uuid/4e8ecdd2-d453-4fff-b952-f06da00f3b85";
      fsType = "ext4";
    };
  swapDevices = [ {
    device = "/var/lib/swapfile";
    size = 16*1024;
  } ];
  networking.useDHCP = lib.mkDefault false;
  # networking.interfaces.ens18.useDHCP = lib.mkDefault true;
  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
 }
--- a/57
+++ b/57
@@ -1,56 +1,25 @@
 set positional-arguments # makes variables accesible as $1 $2 $@
 export GUM_FILTER_HEIGHT := "15"
-nom := `if [[ -t 1 ]] && command -v nom >/dev/null; then echo nom; else echo nix; fi`
+nom := `if command -v nom >/dev/null; then echo nom; else echo nix; fi`
 nix_eval_opts := "--log-format raw --option warn-dirty false"
@_default:
  just "$(gum choose --ordered --header "Pick a recipie..." $(just --summary --unsorted))"
-check *_:
+check:
-  nix flake check --keep-going "$@"
+  nix flake check --keep-going
-build-machine machine=`just _a_machine` *_:
+build-machine machine=`just _a_machine`:
-  {{nom}} build .#nixosConfigurations.{{ machine }}.config.system.build.toplevel "${@:2}"
+  {{nom}} build .#nixosConfigurations.{{ machine }}.config.system.build.toplevel
-run-vm machine=`just _a_machine` *_:
+run-vm machine=`just _a_machine`:
-  nixos-rebuild build-vm --flake .#{{ machine }} "${@:2}"
+  nixos-rebuild build-vm --flake .#{{ machine }}
  QEMU_NET_OPTS="hostfwd=tcp::8080-:80,hostfwd=tcp::8081-:443,hostfwd=tcp::2222-:22" ./result/bin/run-*-vm
-@update-inputs *_:
+@update-inputs:
-  @git reset flake.lock
+  nix eval .#inputs --apply builtins.attrNames --json \
-  @git restore flake.lock
+    | jq '.[]' -r \
-  nix eval {{nix_eval_opts}} --file flake.nix --apply 'x: builtins.attrNames x.inputs' --json \
+    | gum choose --no-limit --height=15 \
-    | { printf "%s\n" --commit-lock-file; jq '.[]' -r | grep -vxF "self" ||:; } \
+    | xargs -L 1 nix flake lock --update-input
    | gum choose --no-limit --header "Choose extra arguments:" \
    | tee >(xargs -d'\n' echo + nix flake update "$@" >&2) \
    | xargs -d'\n' nix flake update "$@"
@repl $machine=`just _a_machine` *_:
  set -v; nixos-rebuild --flake .#"$machine" repl "${@:2}"
@eval $machine=`just _a_machine` $attrpath="system.build.toplevel.outPath" *_:
  set -v; nix eval {{nix_eval_opts}} ".#nixosConfigurations.\"$machine\".config.$attrpath" --show-trace "${@:3}"
@eval-vm $machine=`just _a_machine` $attrpath="system.build.toplevel.outPath" *_:
  just eval "$machine" "virtualisation.vmVariant.$attrpath" "${@:3}"
 # helpers
 [no-exit-message]
 _a_machine:
-  #!/usr/bin/env -S sh -euo pipefail
+  nix eval .#nixosConfigurations --apply builtins.attrNames --json | jq .[] -r | gum filter
  machines="$(
    nix eval {{nix_eval_opts}} .#nixosConfigurations --apply builtins.attrNames --json | jq .[] -r
  )"
  [ -n "$machines" ] || { echo >&2 "ERROR: no machines found"; false; }
  if [ -s .direnv/vars/last-machine.txt ]; then
    machines="$(
      grep <<<"$machines" -xF  "$(cat .direnv/vars/last-machine.txt)" ||:
      grep <<<"$machines" -xFv "$(cat .direnv/vars/last-machine.txt)" ||:
    )"
  fi
  choice="$(gum filter <<<"$machines")"
  mkdir -p .direnv/vars
  cat <<<"$choice" >.direnv/vars/last-machine.txt
  cat <<<"$choice"
--- a/keys/oysteikt.pub
+++ b/keys/oysteikt.pub
@@ -8,58 +8,34 @@ FgIDAQACHgECF4AACgkQRrkijoFKKqxIlQD9F0EedrFpHAVuaVas9ZWRZb4xv3zM
 N3g0IDxoN3g0QG5hbmkud3RmPoiTBBMWCgA7AhsBBQsJCAcDBRUKCQgLBRYCAwEA
 Ah4BAheAFiEE99N4kCKKkHRA4f1IRrkijoFKKqwFAmL7l8ACGQEACgkQRrkijoFK
 KqxI4wD9EIGpb3Gt5s5e8waH7XaLSlquOrW1RID3sSuzWI4DvikBAMncfBbtkpzH
-EYU2Ufm8VxzgJDnyeB+lcdeSJXWaIwYLiJAEExYKADgWIQT303iQIoqQdEDh/UhG
+EYU2Ufm8VxzgJDnyeB+lcdeSJXWaIwYLtCZoN3g0IChhbHRlcm5hdGl2ZSkgPGg3
-uSKOgUoqrAUCYuaF5AIbAQULCQgHAwUVCgkICwUWAgMBAAIeAQIXgAAKCRBGuSKO
+eDQuYWx0QG5hbmkud3RmPoiQBBMWCgA4FiEE99N4kCKKkHRA4f1IRrkijoFKKqwF
-gUoqrKWiAQC1yFpodz5PGsZbFgihEA0UQ5jcoXBojoAlVRgmkwm41gEA782rsvyl
+AmL7j0oCGwEFCwkIBwMFFQoJCAsFFgIDAQACHgECF4AACgkQRrkijoFKKqytywD+
-87ExoluDD3eV/Z5ILp7Ex6JeaE3JUix8Sgi0Jmg3eDQgKGFsdGVybmF0aXZlKSA8
+IdHIxbjRcDEJYOqFX1r4wrymTvnjz/kp0zUSrymwMUoBAP8huPK/YpujNF6/cwwB
-aDd4NC5hbHRAbmFuaS53dGY+iJAEExYKADgWIQT303iQIoqQdEDh/UhGuSKOgUoq
+3A5WwpWjjV+F/uq2ejqFOocNuDMEYuaGRxYJKwYBBAHaRw8BAQdAsmc0GTQIszpk
-rAUCYvuPSgIbAQULCQgHAwUVCgkICwUWAgMBAAIeAQIXgAAKCRBGuSKOgUoqrK3L
+jDYwgSt6zI81P2+k9WvBg6IEISnyuVWI9QQYFgoAJhYhBPfTeJAiipB0QOH9SEa5
-AP4h0cjFuNFwMQlg6oVfWvjCvKZO+ePP+SnTNRKvKbAxSgEA/yG48r9im6M0Xr9z
+Io6BSiqsBQJi5oZHAhsCBQkDwmcAAIEJEEa5Io6BSiqsdiAEGRYKAB0WIQTzzahs
-DAHcDlbClaONX4X+6rZ6OoU6hw24MwRi5oZHFgkrBgEEAdpHDwEBB0CyZzQZNAiz
+xVqfENegaYGfL32CUPNRRgUCYuaGRwAKCRCfL32CUPNRRhWYAQCzfkYeJt9t02jO
-OmSMNjCBK3rMjzU/b6T1a8GDogQhKfK5VYj1BBgWCgAmFiEE99N4kCKKkHRA4f1I
+c3SXwk1e1dGj9ydEXSprSr8/2PWu7gD+KD/FJWzPbnMhtudoGfCIzNFaazcz/QqT
-RrkijoFKKqwFAmLmhkcCGwIFCQPCZwAAgQkQRrkijoFKKqx2IAQZFgoAHRYhBPPN
+ZeBs6Q+AkQ7ueQD/ZqQMkaCrd8o2L02h89U6bFxy86nyTurGAUVx92F8jUwBAKa7
-qGzFWp8Q16BpgZ8vfYJQ81FGBQJi5oZHAAoJEJ8vfYJQ81FGFZgBALN+Rh4m323T
+Zp/0vR5bR4o57C7NTxB5kbmteF0AXS9R7sxSA/AEuQINBGLmhnoBEADa1yBK0NKx
-aM5zdJfCTV7V0aP3J0RdKmtKvz/Y9a7uAP4oP8UlbM9ucyG252gZ8IjM0VprNzP9
+VIto3hSh21hooYpWcEXWqMPXHO34rcAhktVFOOHIl2bFGScQAZXtjAcqUmMyC+PM
-CpNl4GzpD4CRDu55AP9mpAyRoKt3yjYvTaHz1TpsXHLzqfJO6sYBRXH3YXyNTAEA
+s1DZoocFk+9PJt17hAa/s6CRrw8vK+1fVqhj0XOLtevGV9iC6IRvhPxzTsOaeOss
-prtmn/S9HltHijnsLs1PEHmRua14XQBdL1HuzFID8ASI9QQYFgoAJgIbAhYhBPfT
+gMGIU8xDmMKT2nGHGNUkqOXGld63E3NKsK3lnl+BCdpJ0f3GEB7aSQ+pk6k1uzOD
-eJAiipB0QOH9SEa5Io6BSiqsBQJmqp4CBQkFpUs7AIF2IAQZFgoAHRYhBPPNqGzF
+XX/mhAUJmL1MkVZ6jJA3vhsre0Kfa9p+C5mP4hLJ6jF+oESvA4HC+LuCSGm66gID
-Wp8Q16BpgZ8vfYJQ81FGBQJi5oZHAAoJEJ8vfYJQ81FGFZgBALN+Rh4m323TaM5z
+MC39jnLo6hwYEEjfPXD7CUAN4S2eISSFd+ZclN2vYcrKYgsCZS0hBFOgDhKKCHBu
-dJfCTV7V0aP3J0RdKmtKvz/Y9a7uAP4oP8UlbM9ucyG252gZ8IjM0VprNzP9CpNl
+MwP12AIM8y8L64/eOWFpR7s2StAPjjYbZeZECHLWZt1zGVvkS7Xp6lsAg6/T8Eys
-4GzpD4CRDgkQRrkijoFKKqwYoQEAz0D3G/dD6DBYBf7p6pGYqXd2X0Dv8nmnalol
+KG7vTl2Qq9W0BmzNgk2ODTZkhv0gqqXppdr8eRiq+h0qMfJptG0GycOvqb9PoEO2
-Z6SxfUMA/jT/XjPh7c4Ui8nZO7XDzYWrbV/eZwGMd1zXq2mU42MLiPUEGBYKACYC
+dfNCjjII8VfaSGfSEYo8UwsqYTtfgdoNnFCXKd1r7QmvrdbNsFDRmkv+wWJoipwU
-GwIWIQT303iQIoqQdEDh/UhGuSKOgUoqrAUCaI6lzgUJCWqGhwCBdiAEGRYKAB0W
+aVquyb2KN652jSlpwMECW6fSEsT/5C3mJLgAmi6l6yosw6HdIY6jgpCGtxnHW2zR
-IQTzzahsxVqfENegaYGfL32CUPNRRgUCYuaGRwAKCRCfL32CUPNRRhWYAQCzfkYe
+eIS6ezZdtxYBCkEHK70yASyaIHrLLDknw+DuKvXAWOAecob8GNBHOjXZe3LzBt2r
-Jt9t02jOc3SXwk1e1dGj9ydEXSprSr8/2PWu7gD+KD/FJWzPbnMhtudoGfCIzNFa
+VgOCRa+W7milNgjUCsz+R3rM8XfR+wNEGwARAQABiH4EGBYKACYWIQT303iQIoqQ
-azcz/QqTZeBs6Q+AkQ4JEEa5Io6BSiqsCG0BALDNFlploZWjQ0Xn3B9fd+1sTUmY
+dEDh/UhGuSKOgUoqrAUCYuaGegIbDAUJA8JnAAAKCRBGuSKOgUoqrDE0AQDBxRsm
-+e0s95lEY7XqVkF2AQCkKzMd2mHsymyVtY32bSsZ0iJxHTmxomS0uQ/TGIugB7kC
+W9L60mxGCp1CpNWBXD2T6D605PlNiNCcM+cOCgD/c2OitSSG50M0YRbyh1LPYL6Y
-DQRi5oZ6ARAA2tcgStDSsVSLaN4UodtYaKGKVnBF1qjD1xzt+K3AIZLVRTjhyJdm
+QePL0dQkYsjm6XVmrAK4MwRi5obFFgkrBgEEAdpHDwEBB0BYP2r4I9LGW8ai+fLW
-xRknEAGV7YwHKlJjMgvjzLNQ2aKHBZPvTybde4QGv7Ogka8PLyvtX1aoY9Fzi7Xr
+RKXGonni9TljqFVN5mV/yuxlPoh+BBgWCgAmFiEE99N4kCKKkHRA4f1IRrkijoFK
-xlfYguiEb4T8c07DmnjrLIDBiFPMQ5jCk9pxhxjVJKjlxpXetxNzSrCt5Z5fgQna
+KqwFAmLmhsUCGyAFCQPCZwAACgkQRrkijoFKKqzeYwD/emjtDBD0EiCnS2mvfopa
-SdH9xhAe2kkPqZOpNbszg11/5oQFCZi9TJFWeoyQN74bK3tCn2vafguZj+ISyeox
+T6foJSfXbiCe83UdFNebTjQBANFqnkXPCYb9dFIyM/0N1JXH7yj81VuslSqPi4NR
-fqBErwOBwvi7gkhpuuoCAzAt/Y5y6OocGBBI3z1w+wlADeEtniEkhXfmXJTdr2HK
+SNkE
-ymILAmUtIQRToA4SighwbjMD9dgCDPMvC+uP3jlhaUe7NkrQD442G2XmRAhy1mbd
+=oTMO
 cxlb5Eu16epbAIOv0/BMrChu705dkKvVtAZszYJNjg02ZIb9IKql6aXa/HkYqvod
 KjHyabRtBsnDr6m/T6BDtnXzQo4yCPFX2khn0hGKPFMLKmE7X4HaDZxQlynda+0J
 r63WzbBQ0ZpL/sFiaIqcFGlarsm9ijeudo0pacDBAlun0hLE/+Qt5iS4AJoupesq
 LMOh3SGOo4KQhrcZx1ts0XiEuns2XbcWAQpBByu9MgEsmiB6yyw5J8Pg7ir1wFjg
 HnKG/BjQRzo12Xty8wbdq1YDgkWvlu5opTYI1ArM/kd6zPF30fsDRBsAEQEAAYh+
 BBgWCgAmFiEE99N4kCKKkHRA4f1IRrkijoFKKqwFAmLmhnoCGwwFCQPCZwAACgkQ
 RrkijoFKKqwxNAEAwcUbJlvS+tJsRgqdQqTVgVw9k+g+tOT5TYjQnDPnDgoA/3Nj
 orUkhudDNGEW8odSz2C+mEHjy9HUJGLI5ul1ZqwCiH4EGBYKACYCGwwWIQT303iQ
 IoqQdEDh/UhGuSKOgUoqrAUCZqqeBQUJBaVLCAAKCRBGuSKOgUoqrMnbAP4oQbpa
 Uki4OAfaSbH36qYTIbe8k9w58+e4nsVBII94wQEA3nSPoMKWZTI1eiHR/xKc9uOI
 /Nk2tOHKpEjs9mOtywaIfgQYFgoAJgIbDBYhBPfTeJAiipB0QOH9SEa5Io6BSiqs
 BQJojqXOBQkJaoZUAAoJEEa5Io6BSiqsiXkBAJ0JTRmdQQpEK9KSh8V7FEkblIsm
 Ngko2cs+OhNSUgW9AQD0a7FHM3Dx32a7yD0zE3QwWi5VgeZZVIPyhItrOaANDbgz
 BGLmhsUWCSsGAQQB2kcPAQEHQFg/avgj0sZbxqL58tZEpcaieeL1OWOoVU3mZX/K
 7GU+iH4EGBYKACYWIQT303iQIoqQdEDh/UhGuSKOgUoqrAUCYuaGxQIbIAUJA8Jn
 AAAKCRBGuSKOgUoqrN5jAP96aO0MEPQSIKdLaa9+ilpPp+glJ9duIJ7zdR0U15tO
 NAEA0WqeRc8Jhv10UjIz/Q3UlcfvKPzVW6yVKo+Lg1FI2QSIfgQYFgoAJgIbIBYh
 BPfTeJAiipB0QOH9SEa5Io6BSiqsBQJmqp4GBQkFpUq9AAoJEEa5Io6BSiqsjF0B
 AJn0EBEJfszskYiZzMshFHW5k0QUF+Ak3JNh2UG+M6FJAQCQVY/lDkrvOytuFnKb
 kDrCaTrtLh/JAmBXpSERIejmD4h+BBgWCgAmAhsgFiEE99N4kCKKkHRA4f1IRrki
 joFKKqwFAmiOpc4FCQlqhgkACgkQRrkijoFKKqwSMAD/bbO/uwwdFEJVgcNRexZU
 6aoSxAGI1vjS92hSyfxZ9AABAK8KYO8sBGGCiVu+vWUpoUYmp3lfYTJHtf+36WMc
 D5MD
 =Gubf
 -----END PGP PUBLIC KEY BLOCK-----
--- a/misc/builder.nix
+++ b/misc/builder.nix
@@ -2,10 +2,4 @@
 {
  nix.settings.trusted-users = [ "@nix-builder-users" ];
  nix.daemonCPUSchedPolicy = "batch";
  boot.binfmt.emulatedSystems = [
    "aarch64-linux"
    "armv7l-linux"
  ];
 }
--- a/modules/gickup/default.nix
+++ b/modules/gickup/default.nix
@@ -1,310 +0,0 @@
 { config, pkgs, lib, utils, ... }:
 let
  cfg = config.services.gickup;
  format = pkgs.formats.yaml { };
 in
 {
  imports = [
    ./set-description.nix
    ./hardlink-files.nix
    ./import-from-toml.nix
    ./update-linktree.nix
  ];
  options.services.gickup = {
    enable = lib.mkEnableOption "gickup, a git repository mirroring service";
    package = lib.mkPackageOption pkgs "gickup" { };
    gitPackage = lib.mkPackageOption pkgs "git" { };
    gitLfsPackage = lib.mkPackageOption pkgs "git-lfs" { };
    dataDir = lib.mkOption {
      type = lib.types.path;
      description = "The directory to mirror repositories to.";
      default = "/var/lib/gickup";
      example = "/data/gickup";
    };
    destinationSettings = lib.mkOption {
      description = ''
        Settings for destination local, see gickup configuration file
        Note that `path` will be set automatically to `/var/lib/gickup`
      '';
      type = lib.types.submodule {
        freeformType = format.type;
      };
      default = { };
      example = {
        structured = true;
        zip = false;
        keep = 10;
        bare = true;
        lfs = true;
      };
    };
    instances = lib.mkOption {
      type = lib.types.attrsOf (lib.types.submodule (submoduleInputs@{ name, ... }: let
        submoduleName = name;
        nameParts = rec {
          repoType = builtins.head (lib.splitString ":" submoduleName);
          owner = if repoType == "any"
                  then null
                  else lib.pipe submoduleName [
                    (lib.removePrefix "${repoType}:")
                    (lib.splitString "/")
                    builtins.head
                  ];
          repo = if repoType == "any"
                 then null
                 else lib.pipe submoduleName [
                    (lib.removePrefix "${repoType}:")
                    (lib.splitString "/")
                    lib.last
                  ];
          slug = if repoType == "any"
                 then lib.toLower (builtins.replaceStrings [ ":" "/" ] [ "-" "-" ] submoduleName)
                 else "${lib.toLower repoType}-${lib.toLower owner}-${lib.toLower repo}";
        };
      in {
        options = {
          interval = lib.mkOption {
            type = lib.types.str;
            default = "daily";
            example = "weekly";
            description = ''
              Specification (in the format described by {manpage}`systemd.time(7)`) of the time
              interval at which to run the service.
            '';
          };
          type = lib.mkOption {
            type = lib.types.enum [
              "github"
              "gitlab"
              "gitea"
              "gogs"
              "bitbucket"
              "onedev"
              "sourcehut"
              "any"
            ];
            example = "github";
            default = nameParts.repoType;
            description = ''
              The type of the repository to mirror.
            '';
          };
          owner = lib.mkOption {
            type = with lib.types; nullOr str;
            example = "go-gitea";
            default = nameParts.owner;
            description = ''
              The owner of the repository to mirror (if applicable)
            '';
          };
          repo = lib.mkOption {
            type = with lib.types; nullOr str;
            example = "gitea";
            default = nameParts.repo;
            description = ''
              The name of the repository to mirror (if applicable)
            '';
          };
          slug = lib.mkOption {
            type = lib.types.str;
            default = nameParts.slug;
            example = "github-go-gitea-gitea";
            description = ''
              The slug of the repository to mirror.
            '';
          };
          description = lib.mkOption {
            type = with lib.types; nullOr str;
            example = "A project which does this and that";
            description = ''
              A description of the project. This isn't used directly by gickup for anything,
              but can be useful if gickup is used together with cgit or similar.
            '';
          };
          settings = lib.mkOption {
            description = "Instance specific settings, see gickup configuration file";
            type = lib.types.submodule {
              freeformType = format.type;
            };
            default = { };
            example = {
              username = "gickup";
              password = "hunter2";
              wiki = true;
              issues = true;
            };
          };
        };
      }));
    };
  };
  config = lib.mkIf cfg.enable {
    users.users.gickup = {
      isSystemUser = true;
      group = "gickup";
      home = "/var/lib/gickup";
    };
    users.groups.gickup = { };
    services.gickup.destinationSettings.path = "/var/lib/gickup/raw";
    systemd.tmpfiles.settings."10-gickup" = lib.mkIf (cfg.dataDir != "/var/lib/gickup") {
      ${cfg.dataDir}.d = {
        user = "gickup";
        group = "gickup";
        mode = "0755";
      };
    };
    systemd.slices."system-gickup" = {
      description = "Gickup git repository mirroring service";
      after = [ "network.target" ];
    };
    systemd.targets.gickup = {
      description = "Gickup git repository mirroring service";
      wants = map ({ slug, ... }: "gickup@${slug}.service") (lib.attrValues cfg.instances);
    };
    systemd.timers = {
      "gickup@" = {
        description = "Gickup git repository mirroring service for %i";
        timerConfig = {
          OnCalendar = "daily";
          RandomizedDelaySec = "1h";
          Persistent = true;
          AccuracySec = "1s";
        };
      };
    }
    //
    # Overrides for mirrors which are not "daily"
    (lib.pipe cfg.instances [
      builtins.attrValues
      (builtins.filter (instance: instance.interval != "daily"))
      (map ({ slug, interval, ... }: {
        name = "gickup@${slug}";
        value = {
          overrideStrategy = "asDropin";
          timerConfig.OnCalendar = interval;
        };
      }))
      builtins.listToAttrs
    ]);
    systemd.targets.timers.wants = map ({ slug, ... }: "gickup@${slug}.timer") (lib.attrValues cfg.instances);
    systemd.services = {
      "gickup@" = let
        configDir = lib.pipe cfg.instances [
          (lib.mapAttrsToList (name: instance: {
            name = "${instance.slug}.yml";
            path = format.generate "gickup-configuration-${name}.yml" {
              destination.local = [ cfg.destinationSettings ];
              source.${instance.type} = [
                (
                  (lib.optionalAttrs (instance.type != "any") {
                    user = instance.owner;
                    includeorgs = [ instance.owner ];
                    include = [ instance.repo ];
                  })
                  //
                  instance.settings
                )
              ];
            };
          }))
          (pkgs.linkFarm "gickup-configuration-files")
        ];
      in {
        description = "Gickup git repository mirroring service for %i";
        after = [ "network.target" ];
        path = [
          cfg.gitPackage
          cfg.gitLfsPackage
        ];
        restartIfChanged = false;
        serviceConfig = {
          Type = "oneshot";
          ExecStart = "'${pkgs.gickup}/bin/gickup' '${configDir}/%i.yml'";
          ExecStartPost = "";
          User = "gickup";
          Group = "gickup";
          BindPaths = lib.optionals (cfg.dataDir != "/var/lib/gickup") [
            "${cfg.dataDir}:/var/lib/gickup"
          ];
          Slice = "system-gickup.slice";
          SyslogIdentifier = "gickup-%i";
          StateDirectory = "gickup";
          # WorkingDirectory = "gickup";
          # RuntimeDirectory = "gickup";
          # RuntimeDirectoryMode = "0700";
          # https://discourse.nixos.org/t/how-to-prevent-custom-systemd-service-from-restarting-on-nixos-rebuild-switch/43431
          RemainAfterExit = true;
          # Hardening options
          AmbientCapabilities = [];
          LockPersonality = true;
          NoNewPrivileges = true;
          PrivateDevices = true;
          PrivateMounts = true;
          PrivateTmp = true;
          PrivateUsers = true;
          ProcSubset = "pid";
          ProtectClock = true;
          ProtectControlGroups = true;
          ProtectHome = true;
          ProtectHostname = true;
          ProtectKernelLogs = true;
          ProtectKernelModules = true;
          ProtectKernelTunables = true;
          # ProtectProc = "invisible";
          # ProtectSystem = "strict";
          RemoveIPC = true;
          RestrictAddressFamilies = [
            "AF_INET"
            "AF_INET6"
          ];
          RestrictNamespaces = true;
          RestrictRealtime = true;
          RestrictSUIDSGID = true;
          SystemCallArchitectures = "native";
          # SystemCallFilter = [
          #   "@system-service"
          #   "~@resources"
          #   "~@privileged"
          # ];
          UMask = "0002";
          CapabilityBoundingSet = [];
        };
      };
    };
  };
 }
--- a/modules/gickup/hardlink-files.nix
+++ b/modules/gickup/hardlink-files.nix
@@ -1,42 +0,0 @@
 { config, lib, pkgs, ... }:
 let
  cfg = config.services.gickup;
 in
 {
  config = lib.mkIf cfg.enable {
    # TODO: add a service that will look at the backed up files and hardlink
    #       the ones that have a matching hash together to save space. This can
    #       either run routinely (i.e. trigger by systemd-timer), or be activated
    #       whenever a gickup@<slug>.service finishes. The latter is probably better.
    # systemd.services."gickup-hardlink" = {
    #   serviceConfig = {
    #     Type = "oneshot";
    #     ExecStart = let
    #       script = pkgs.writeShellApplication {
    #         name = "gickup-hardlink-files.sh";
    #         runtimeInputs = [ pkgs.coreutils pkgs.jdupes ];
    #         text = ''
    #         '';
    #       };
    #     in lib.getExe script;
    #     User = "gickup";
    #     Group = "gickup";
    #     BindPaths = lib.optionals (cfg.dataDir != "/var/lib/gickup") [
    #       "${cfg.dataDir}:/var/lib/gickup"
    #     ];
    #     Slice = "system-gickup.slice";
    #     StateDirectory = "gickup";
    #     # Hardening options
    #     # TODO:
    #     PrivateNetwork = true;
    #   };
    # };
  };
 }
--- a/modules/gickup/import-from-toml.nix
+++ b/modules/gickup/import-from-toml.nix
@@ -1,11 +0,0 @@
 { config, lib, pkgs, ... }:
 let
  cfg = config.services.gickup;
 in
 {
  config = lib.mkIf cfg.enable {
    # TODO: import cfg.instances from a toml file to make it easier for non-nix users
    #       to add repositories to mirror
  };
 }
--- a/modules/gickup/set-description.nix
+++ b/modules/gickup/set-description.nix
@@ -1,9 +0,0 @@
 { config, lib, pkgs, ... }:
 let
  cfg = config.services.gickup;
 in
 {
  config = lib.mkIf cfg.enable {
    # TODO: create .git/description files for each repo where cfg.instances.<instance>.description is set
  };
 }
--- a/modules/gickup/update-linktree.nix
+++ b/modules/gickup/update-linktree.nix
@@ -1,84 +0,0 @@
 { config, lib, pkgs, ... }:
 let
  cfg = config.services.gickup;
 in
 {
  config = lib.mkIf cfg.enable {
    # TODO: run upon completion of cloning a repository
    systemd.timers."gickup-linktree" = {
      wantedBy = [ "timers.target" ];
      timerConfig = {
        OnCalendar = "daily";
        Persistent = true;
        Unit = "gickup-linktree.service";
      };
    };
    # TODO: update symlink for one repo at a time (e.g. gickup-linktree@<instance>.service)
    systemd.services."gickup-linktree" = {
      serviceConfig = {
        Type = "oneshot";
        ExecStart = let
          script = pkgs.writeShellApplication {
            name = "gickup-update-symlink-tree.sh";
            runtimeInputs = [
              pkgs.coreutils
              pkgs.findutils
            ];
            text = ''
              shopt -s nullglob
              for repository in ./*/*/*; do
                REPOSITORY_RELATIVE_DIRS=''${repository#"./"}
                echo "Checking $REPOSITORY_RELATIVE_DIRS"
                declare -a REVISIONS
                readarray -t REVISIONS < <(find "$repository" -mindepth 1 -maxdepth 1 -printf "%f\n" | sort --numeric-sort --reverse)
                if [[ "''${#REVISIONS[@]}" == 0 ]]; then
                  echo "Found no revisions for $repository, continuing"
                  continue
                fi
                LAST_REVISION="''${REVISIONS[0]}"
                SYMLINK_PATH="../linktree/''${REPOSITORY_RELATIVE_DIRS}"
                mkdir -p "$(dirname "$SYMLINK_PATH")"
                EXPECTED_SYMLINK_TARGET=$(realpath "''${repository}/''${LAST_REVISION}")
                EXISTING_SYMLINK_TARGET=$(realpath "$SYMLINK_PATH" || echo "<none>")
                if [[ "$EXISTING_SYMLINK_TARGET" != "$EXPECTED_SYMLINK_TARGET" ]]; then
                  echo "Updating symlink for $REPOSITORY_RELATIVE_DIRS"
                  rm "$SYMLINK_PATH" ||:
                  ln -rs "$EXPECTED_SYMLINK_TARGET" "$SYMLINK_PATH"
                else
                  echo "Symlink already up to date, continuing..."
                fi
                echo "---"
              done
            '';
          };
        in lib.getExe script;
        User = "gickup";
        Group = "gickup";
        BindPaths = lib.optionals (cfg.dataDir != "/var/lib/gickup") [
          "${cfg.dataDir}:/var/lib/gickup"
        ];
        Slice = "system-gickup.slice";
        StateDirectory = "gickup";
        WorkingDirectory = "/var/lib/gickup/raw";
        # Hardening options
        # TODO:
        PrivateNetwork = true;
      };
    };
  };
 }
--- a/modules/grzegorz.nix
+++ b/modules/grzegorz.nix
@@ -1,9 +1,7 @@
-{config, lib, pkgs, unstablePkgs, values, ...}:
+{config, lib, pkgs, ...}:
 let
  grg = config.services.greg-ng;
  grgw = config.services.grzegorz-webui;
  machine = config.networking.hostName;
 in {
  services.greg-ng = {
    enable = true;
@@ -11,13 +9,6 @@ in {
    settings.port = 31337;
    enableSway = true;
    enablePipewire = true;
    mpvPackage = unstablePkgs.mpv;
  };
  systemd.user.services.restart-greg-ng = {
    script = "systemctl --user restart greg-ng.service";
    startAt = "*-*-* 06:30:00";
  };
  services.grzegorz-webui = {
@@ -25,98 +16,37 @@ in {
    listenAddr = "localhost";
    listenPort = 42069;
    listenWebsocketPort = 42042;
-    hostName = "${machine}-old.pvv.ntnu.no";
+    hostName = "${config.networking.fqdn}";
-    apiBase = "https://${machine}-backend.pvv.ntnu.no/api";
+    apiBase = "http://${grg.settings.host}:${toString grg.settings.port}/api";
  };
  services.gergle = {
    enable = true;
    virtualHost = config.networking.fqdn;
  };
  services.nginx.enable = true;
-  services.nginx.virtualHosts = {
+  services.nginx.virtualHosts."${config.networking.fqdn}" = {
-    ${config.networking.fqdn} = {
+    forceSSL = true;
-      forceSSL = true;
+    enableACME = true;
-      enableACME = true;
+    kTLS = true;
-      kTLS = true;
+    serverAliases = [
-      serverAliases = [
+      "${config.networking.hostName}.pvv.org"
-        "${machine}.pvv.org"
+    ];
-      ];
+    extraConfig = ''
-      extraConfig = ''
+      allow 129.241.210.128/25;
-        # pvv
+      allow 2001:700:300:1900::/64;
-        allow ${values.ipv4-space}
+      deny all;
-        allow ${values.ipv6-space}
+    '';
        # ntnu
        allow ${values.ntnu.ipv4-space}
        allow ${values.ntnu.ipv6-space}
        deny all;
      '';
-      locations."/docs" = {
+    locations."/" = {
-        proxyPass = "http://${grg.settings.host}:${toString grg.settings.port}";
+      proxyPass = "http://${grgw.listenAddr}:${toString grgw.listenPort}";
      };
      locations."/api" = {
        proxyPass = "http://${grg.settings.host}:${toString grg.settings.port}";
        proxyWebsockets = true;
      };
    };
-
+    # https://github.com/rawpython/remi/issues/216
-    "${machine}-backend.pvv.ntnu.no" = {
+    locations."/websocket" = {
-      forceSSL = true;
+      proxyPass = "http://${grgw.listenAddr}:${toString grgw.listenWebsocketPort}";
-      enableACME = true;
+      proxyWebsockets = true;
      kTLS = true;
      serverAliases = [
        "${machine}-backend.pvv.org"
      ];
      extraConfig = ''
        # pvv
        allow ${values.ipv4-space}
        allow ${values.ipv6-space}
        # ntnu
        allow ${values.ntnu.ipv4-space}
        allow ${values.ntnu.ipv6-space}
        deny all;
      '';
      locations."/" = {
        proxyPass = "http://${grg.settings.host}:${toString grg.settings.port}";
        proxyWebsockets = true;
      };
    };
-
+    locations."/api" = {
-    "${machine}-old.pvv.ntnu.no" = {
+      proxyPass = "http://${grg.settings.host}:${toString grg.settings.port}";
-      forceSSL = true;
+    };
-      enableACME = true;
+    locations."/docs" = {
-      kTLS = true;
+      proxyPass = "http://${grg.settings.host}:${toString grg.settings.port}";
      serverAliases = [
        "${machine}-old.pvv.org"
      ];
      extraConfig = ''
        # pvv
        allow ${values.ipv4-space}
        allow ${values.ipv6-space}
        # ntnu
        allow ${values.ntnu.ipv4-space}
        allow ${values.ntnu.ipv6-space}
        deny all;
      '';
      locations."/" = {
        proxyPass = "http://${grgw.listenAddr}:${toString grgw.listenPort}";
      };
      # https://github.com/rawpython/remi/issues/216
      locations."/websocket" = {
        proxyPass = "http://${grgw.listenAddr}:${toString grgw.listenWebsocketPort}";
        proxyWebsockets = true;
      };
      locations."/api" = {
        proxyPass = "http://${grg.settings.host}:${toString grg.settings.port}";
      };
      locations."/docs" = {
        proxyPass = "http://${grg.settings.host}:${toString grg.settings.port}";
      };
    };
  };
 }
--- a/modules/matrix-ooye.nix
+++ b/modules/matrix-ooye.nix
@@ -1,211 +0,0 @@
 # Original from: https://cgit.rory.gay/nix/OOYE-module.git/
 {
  config,
  lib,
  pkgs,
  ...
 }:
 let
  cfg = config.services.matrix-ooye;
  mkStringOption =
    name: default:
    lib.mkOption {
      type = lib.types.str;
      default = default;
    };
 in
 {
  options = {
    services.matrix-ooye = {
      enable = lib.mkEnableOption "Enable OOYE service";
      package = lib.mkOption {
        type = lib.types.package;
        default = pkgs.out-of-your-element;
      };
      appserviceId = mkStringOption "The ID of the appservice." "ooye";
      homeserver = mkStringOption "The homeserver to connect to." "http://localhost:8006";
      homeserverName = mkStringOption "The name of the homeserver to connect to." "localhost";
      namespace = mkStringOption "The prefix to use for the MXIDs/aliases of bridged users/rooms. Should end with a _!" "_ooye_";
      discordTokenPath = mkStringOption "The path to the discord token file." "/etc/ooye-discord-token";
      discordClientSecretPath = mkStringOption "The path to the discord token file." "/etc/ooye-discord-client-secret";
      socket = mkStringOption "The socket to listen on, can either be a port number or a unix socket path." "6693";
      bridgeOrigin = mkStringOption "The web frontend URL for the bridge, defaults to http://localhost:{socket}" "";
      enableSynapseIntegration = lib.mkEnableOption "Enable Synapse integration";
    };
  };
  config = lib.mkIf cfg.enable (
    let
      baseConfig = pkgs.writeText "matrix-ooye-config.json" (
        builtins.toJSON {
          id = cfg.appserviceId;
          namespaces = {
            users = [
              {
                exclusive = true;
                regex = "@${cfg.namespace}.*:${cfg.homeserverName}";
              }
            ];
            aliases = [
              {
                exclusive = true;
                regex = "#${cfg.namespace}.*:${cfg.homeserverName}";
              }
            ];
          };
          protocols = [ "discord" ];
          sender_localpart = "${cfg.namespace}bot";
          rate_limited = false;
          socket = cfg.socket; # Can either be a TCP port or a unix socket path
          url = if (lib.hasPrefix "/" cfg.socket) then "unix:${cfg.socket}" else "http://localhost:${cfg.socket}";
          ooye = {
            server_name = cfg.homeserverName;
            namespace_prefix = cfg.namespace;
            max_file_size = 5000000;
            content_length_workaround = false;
            include_user_id_in_mxid = true;
            server_origin = cfg.homeserver;
            bridge_origin = if (cfg.bridgeOrigin == "") then "http://localhost:${cfg.socket}" else cfg.bridgeOrigin;
          };
        }
      );
      script = pkgs.writeScript "matrix-ooye-pre-start.sh" ''
        #!${lib.getExe pkgs.bash}
        REGISTRATION_FILE=registration.yaml
        id
        echo "Before if statement"
        stat ''${REGISTRATION_FILE}
        if [[ ! -f ''${REGISTRATION_FILE} ]]; then
          echo "No registration file found at '$REGISTRATION_FILE'"
          cp --no-preserve=mode,ownership ${baseConfig} ''${REGISTRATION_FILE}
        fi
        echo "After if statement"
        stat ''${REGISTRATION_FILE}
        AS_TOKEN=$(${lib.getExe pkgs.jq} -r .as_token ''${REGISTRATION_FILE})
        HS_TOKEN=$(${lib.getExe pkgs.jq} -r .hs_token ''${REGISTRATION_FILE})
        DISCORD_TOKEN=$(cat /run/credentials/matrix-ooye-pre-start.service/discord_token)
        DISCORD_CLIENT_SECRET=$(cat /run/credentials/matrix-ooye-pre-start.service/discord_client_secret)
        # Check if we have all required tokens
        if [[ -z "$AS_TOKEN" || "$AS_TOKEN" == "null" ]]; then
          AS_TOKEN=$(${lib.getExe pkgs.openssl} rand -hex 64)
          echo "Generated new AS token: ''${AS_TOKEN}"
        fi
        if [[ -z "$HS_TOKEN" || "$HS_TOKEN" == "null" ]]; then
          HS_TOKEN=$(${lib.getExe pkgs.openssl} rand -hex 64)
          echo "Generated new HS token: ''${HS_TOKEN}"
        fi
        if [[ -z "$DISCORD_TOKEN" ]]; then
          echo "No Discord token found at '${cfg.discordTokenPath}'"
          echo "You can find this on the 'Bot' tab of your Discord application."
          exit 1
        fi
        if [[ -z "$DISCORD_CLIENT_SECRET" ]]; then
          echo "No Discord client secret found at '${cfg.discordTokenPath}'"
          echo "You can find this on the 'OAuth2' tab of your Discord application."
          exit 1
        fi
        shred -u ''${REGISTRATION_FILE}
        cp --no-preserve=mode,ownership ${baseConfig} ''${REGISTRATION_FILE}
        ${lib.getExe pkgs.jq} '.as_token = "'$AS_TOKEN'" | .hs_token = "'$HS_TOKEN'" | .ooye.discord_token = "'$DISCORD_TOKEN'" | .ooye.discord_client_secret = "'$DISCORD_CLIENT_SECRET'"' ''${REGISTRATION_FILE} > ''${REGISTRATION_FILE}.tmp
        shred -u ''${REGISTRATION_FILE}
        mv ''${REGISTRATION_FILE}.tmp ''${REGISTRATION_FILE}
      '';
    in
    {
      warnings =
        lib.optionals ((builtins.substring (lib.stringLength cfg.namespace - 1) 1 cfg.namespace) != "_") [
          "OOYE namespace does not end with an underscore! This is recommended to have better ID formatting. Provided: '${cfg.namespace}'"
        ]
        ++ lib.optionals ((builtins.substring 0 1 cfg.namespace) != "_") [
          "OOYE namespace does not start with an underscore! This is recommended to avoid conflicts with registered users. Provided: '${cfg.namespace}'"
        ];
      environment.systemPackages = [ cfg.package ];
      systemd.services."matrix-ooye-pre-start" = {
        enable = true;
        wantedBy = [ "multi-user.target" ];
        serviceConfig = {
          ExecStart = script;
          WorkingDirectory = "/var/lib/matrix-ooye";
          StateDirectory = "matrix-ooye";
          DynamicUser = true;
          RemainAfterExit = true;
          Type = "oneshot";
          LoadCredential = [
            "discord_token:${cfg.discordTokenPath}"
            "discord_client_secret:${cfg.discordClientSecretPath}"
          ];
        };
      };
      systemd.services."matrix-ooye" = {
        enable = true;
        description = "Out of Your Element - a Discord bridge for Matrix.";
        wants = [
          "network-online.target"
          "matrix-synapse.service"
          "conduit.service"
          "dendrite.service"
        ];
        after = [
          "matrix-ooye-pre-start.service"
          "network-online.target"
        ];
        requires = [ "matrix-ooye-pre-start.service" ];
        wantedBy = [ "multi-user.target" ];
        serviceConfig = {
          ExecStart = lib.getExe config.services.matrix-ooye.package;
          WorkingDirectory = "/var/lib/matrix-ooye";
          StateDirectory = "matrix-ooye";
          #ProtectSystem = "strict";
          #ProtectHome = true;
          #PrivateTmp = true;
          #NoNewPrivileges = true;
          #PrivateDevices = true;
          Restart = "on-failure";
          DynamicUser = true;
        };
      };
      systemd.services."matrix-synapse" = lib.mkIf cfg.enableSynapseIntegration {
        after = [
          "matrix-ooye-pre-start.service"
          "network-online.target"
        ];
        requires = [ "matrix-ooye-pre-start.service" ];
        serviceConfig = {
          LoadCredential = [
            "matrix-ooye-registration:/var/lib/matrix-ooye/registration.yaml"
          ];
          ExecStartPre = [
            "+${pkgs.coreutils}/bin/cp /run/credentials/matrix-synapse.service/matrix-ooye-registration ${config.services.matrix-synapse.dataDir}/ooye-registration.yaml"
            "+${pkgs.coreutils}/bin/chown matrix-synapse:matrix-synapse ${config.services.matrix-synapse.dataDir}/ooye-registration.yaml"
          ];
        };
      };
      services.matrix-synapse.settings.app_service_config_files = lib.mkIf cfg.enableSynapseIntegration [
        "${config.services.matrix-synapse.dataDir}/ooye-registration.yaml"
      ];
    }
  );
 }
--- a/modules/robots-txt.nix
+++ b/modules/robots-txt.nix
@@ -1,116 +0,0 @@
 { config, pkgs, lib, ... }:
 let
  cfg = config.environment.robots-txt;
  robots-txt-format = {
    type = let
      coercedStrToNonEmptyListOfStr = lib.types.coercedTo lib.types.str lib.singleton (lib.types.nonEmptyListOf lib.types.str);
    in lib.types.listOf (lib.types.submodule {
      freeformType = lib.types.attrsOf coercedStrToNonEmptyListOfStr;
      options = {
        pre_comment = lib.mkOption {
          description = "Comment to add before the rule";
          type = lib.types.lines;
          default = "";
        };
        post_comment = lib.mkOption {
          description = "Comment to add after the rule";
          type = lib.types.lines;
          default = "";
        };
      };
    });
    generate = name: value: let
      makeComment = comment: lib.pipe comment [
        (lib.splitString "\n")
        (lib.map (line: if line == "" then "#" else "# ${line}"))
        (lib.concatStringsSep "\n")
      ];
      ruleToString = rule: let
        user_agent = rule.User-agent or [];
        pre_comment = rule.pre_comment;
        post_comment = rule.post_comment;
        rest = builtins.removeAttrs rule [ "User-agent" "pre_comment" "post_comment" ];
      in lib.concatStringsSep "\n" (lib.filter (x: x != null) [
        (if (pre_comment != "") then makeComment pre_comment else null)
        (let
          user-agents = lib.concatMapStringsSep "\n" (value: "User-agent: ${value}") user_agent;
        in
          if user_agent == [] then null else user-agents
        )
        (lib.pipe rest [
          (lib.mapAttrsToList (ruleName: map (value: "${ruleName}: ${value}")))
          lib.concatLists
          (lib.concatStringsSep "\n")
        ])
        (if (post_comment != "") then makeComment post_comment else null)
      ]);
      content = lib.concatMapStringsSep "\n\n" ruleToString value;
    in pkgs.writeText name content;
  };
 in
 {
  options.environment.robots-txt = lib.mkOption {
    default = { };
    description = ''
      Different instances of robots.txt to use with web services.
    '';
    type = lib.types.attrsOf (lib.types.submodule ({ name, ... }: {
      options = {
        enable = lib.mkEnableOption "this instance of robots.txt" // {
          default = true;
        };
        path = lib.mkOption {
          description = "The resulting path of the dir containing the robots.txt file";
          type = lib.types.path;
          readOnly = true;
          default = "/etc/robots-txt/${name}";
        };
        rules = lib.mkOption {
          description = "Rules to include in robots.txt";
          default = [ ];
          example = [
            { User-agent = "Googlebot"; Disallow = "/no-googlebot"; }
            { User-agent = "Bingbot"; Disallow = [ "/no-bingbot" "/no-bingbot2" ]; }
          ];
          type = robots-txt-format.type;
        };
        virtualHost = lib.mkOption {
          description = "An nginx virtual host to add the robots.txt to";
          type = lib.types.nullOr lib.types.str;
          default = null;
        };
      };
    }));
  };
  config = {
    environment.etc = lib.mapAttrs' (name: value: {
      name = "robots-txt/${name}/robots.txt";
      value.source = robots-txt-format.generate name value.rules;
    }) cfg;
    services.nginx.virtualHosts = lib.pipe cfg [
      (lib.filterAttrs (_: value: value.virtualHost != null))
      (lib.mapAttrs' (name: value: {
        name = value.virtualHost;
        value = {
          locations = {
            "= /robots.txt" = {
              extraConfig = ''
                add_header Content-Type text/plain;
              '';
              root = cfg.${name}.path;
            };
          };
        };
      }))
    ];
  };
 }
--- a/packages/bluemap.nix
+++ b/packages/bluemap.nix
@@ -2,11 +2,11 @@
 stdenvNoCC.mkDerivation rec {
  pname = "bluemap";
-  version = "5.15";
+  version = "5.2";
  src = fetchurl {
    url = "https://github.com/BlueMap-Minecraft/BlueMap/releases/download/v${version}/BlueMap-${version}-cli.jar";
-    hash = "sha256-g50V/4LtHaHNRMTt+PK/ZTf4Tber2D6ZHJvuAXQLaFI=";
+    hash = "sha256-4vld+NBwzBxdwbMtsKuqvO6immkbh4HB//6wdjXaxoU=";
  };
  dontUnpack = true;
--- a/packages/cgit.nix
+++ b/packages/cgit.nix
@@ -1,21 +0,0 @@
 { cgit, fetchurl, ... }:
 let
  pname = cgit.pname;
  commit = "09d24d7cd0b7e85633f2f43808b12871bb209d69";
 in
 cgit.overrideAttrs (_: {
  version = "1.2.3-unstable-2024.07.16";
  src = fetchurl {
    url = "https://git.zx2c4.com/cgit/snapshot/${pname}-${commit}.tar.xz";
    hash = "sha256-gfgjAXnWRqVCP+4cmYOVdB/3OFOLJl2WBOc3bFVDsjw=";
  };
  # cgit is tightly coupled with git and needs a git source tree to build.
  # IMPORTANT: Remember to check which git version cgit needs on every version
  # bump (look for "GIT_VER" in the top-level Makefile).
  gitSrc = fetchurl {
    url = "mirror://kernel/software/scm/git/git-2.46.0.tar.xz";
    hash = "sha256-fxI0YqKLfKPr4mB0hfcWhVTCsQ38FVx+xGMAZmrCf5U=";
  };
 })
--- a/packages/mediawiki-extensions/default.nix
+++ b/packages/mediawiki-extensions/default.nix
@@ -12,7 +12,7 @@ let
    name
  , commit
  , hash
-  , tracking-branch ? "REL1_44"
+  , tracking-branch ? "REL1_42"
  , kebab-name ? kebab-case-name name
  , fetchgit ? pkgs.fetchgit
  }:
@@ -33,63 +33,63 @@ in
 lib.mergeAttrsList [
  (mw-ext {
    name = "CodeEditor";
-    commit = "6e5b06e8cf2d040c0abb53ac3735f9f3c96a7a4f";
+    commit = "9f69f2cf7616342d236726608a702d651b611938";
-    hash = "sha256-Jee+Ws9REUohywhbuemixXKaTRc54+cIlyUNDCyYcEM=";
+    hash = "sha256-sRaYj34+7aghJUw18RoowzEiMx0aOANU1a7YT8jivBw=";
  })
  (mw-ext {
    name = "CodeMirror";
-    commit = "da9c5d4f03e6425f6f2cf68b75d21311e0f7e77e";
+    commit = "1a1048c770795789676adcf8a33c1b69f6f5d3ae";
-    hash = "sha256-aL+v9xeqKHGmQVUWVczh54BkReu+fP49PT1NP7eTC6k=";
+    hash = "sha256-Y5ePrtLNiko2uU/sesm8jdYmxZkYzQDHfkIG1Q0v47I=";
  })
  (mw-ext {
    name = "DeleteBatch";
-    commit = "122072bbfb4eab96ed8c1451a3e74b5557054c58";
+    commit = "b76bb482e026453079104d00f9675b4ab851947e";
-    hash = "sha256-L6AXoyFJEZoAQpLO6knJvYtQ6JJPMtaa+WhpnwbJeNU=";
+    hash = "sha256-GebF9B3RVwpPw8CYKDDT6zHv/MrrzV6h2TEIvNlRmcw=";
  })
  (mw-ext {
    name = "PluggableAuth";
-    commit = "5caf605b9dfdd482cb439d1ba2000cba37f8b018";
+    commit = "1da98f447fd8321316d4286d8106953a6665f1cc";
-    hash = "sha256-TYJqR9ZvaWJ7i1t0XfgUS05qqqCgxAH8tRTklz/Bmlg=";
+    hash = "sha256-DKDVcAfWL90FmZbSsdx1J5PkGu47EsDQmjlCpcgLCn4=";
  })
  (mw-ext {
    name = "Popups";
-    commit = "7ed940a09f83f869cbc0bc20f3ca92f85b534951";
+    commit = "9b9e986316b9662b1b45ce307a58dd0320dd33cf";
-    hash = "sha256-pcDPcu4kSvMHfSOuShrod694TKI9Oo3AEpMP9DXp9oY=";
+    hash = "sha256-rSOZHT3yFIxA3tPhIvztwMSmSef/XHKmNfQl1JtGrUA=";
  })
  (mw-ext {
    name = "Scribunto";
-    commit = "e755852a8e28a030a21ded2d5dd7270eb933b683";
+    commit = "eb6a987e90db47b09b0454fd06cddb69fdde9c40";
-    hash = "sha256-zyI5nSE+KuodJOWyV0CQM7G0GfkKEgfoF/czi2/qk98=";
+    hash = "sha256-Nr0ZLIrS5jnpiBgGnd90lzi6KshcsxeC+xGmNsB/g88=";
  })
  (mw-ext {
    name = "SimpleSAMLphp";
    kebab-name = "simple-saml-php";
-    commit = "d41b4efd3cc44ca3f9f12e35385fc64337873c2a";
+    commit = "fd4d49cf48d16efdb91ae8128cdd507efe84d311";
-    hash = "sha256-wfzXtsEEEjQlW5QE4Rf8pasAW/KSJsLkrez13baxeqA=";
+    hash = "sha256-Qdtroew2j3AsZYlhAAUKQXXS2kUzUeQFnuR6ZHdFhAQ=";
  })
  (mw-ext {
    name = "TemplateData";
-    commit = "fd7cf4d95a70ef564130266f2a6b18f33a2a2ff9";
+    commit = "836e3ca277301addd2578b2e746498ff6eb8e574";
-    hash = "sha256-5OhDPFhIi55Eh5+ovMP1QTjNBb9Sm/3vyArNCApAgSw=";
+    hash = "sha256-UMcRLYxYn+AormwTYjKjjZZjA806goMY2TRQ4KoS5fY=";
  })
  (mw-ext {
    name = "TemplateStyles";
-    commit = "0f7b94a0b094edee1c2a9063a3c42a1bdc0282d9";
+    commit = "06a2587689eba0a17945fd9bd4bb61674d3a7853";
-    hash = "sha256-R406FgNcIip9St1hurtZoPPykRQXBrkJRKA9hapG81I=";
+    hash = "sha256-C7j0jCkMeVZiLKpk+55X+lLnbG4aeH+hWIm3P5fF4fw=";
  })
  (mw-ext {
    name = "UserMerge";
-    commit = "d1917817dd287e7d883e879459d2d2d7bc6966f2";
+    commit = "41759d0c61377074d159f7d84130a095822bc7a3";
-    hash = "sha256-la3/AQ38DMsrZ2f24T/z3yKzIrbyi3w6FIB5YfxGK9U=";
+    hash = "sha256-pGjA7r30StRw4ff0QzzZYUhgD3dC3ZuiidoSEz8kA8Q=";
  })
  (mw-ext {
    name = "VisualEditor";
-    commit = "032364cfdff33818e6ae0dfa251fe3973b0ae4f3";
+    commit = "a128b11fe109aa882de5a40d2be0cdd0947ab11b";
-    hash = "sha256-AQDdq9r6rSo8h4u1ERonH14/1i1BgLGdzANEiQ065PU=";
+    hash = "sha256-bv1TkomouOxe+DKzthyLyppdEUFSXJ9uE0zsteVU+D4=";
  })
  (mw-ext {
    name = "WikiEditor";
-    commit = "cb9f7e06a9c59b6d3b31c653e5886b7f53583d01";
+    commit = "21383e39a4c9169000acd03edfbbeec4451d7974";
-    hash = "sha256-UWi3Ac+LCOLliLkXnS8YL0rD/HguuPH5MseqOm0z7s4=";
+    hash = "sha256-aPVpE6e4qLLliN9U5TA36e8tFrIt7Fl8RT1cGPUWoNI=";
  })
 ]
--- a/packages/out-of-your-element.nix
+++ b/packages/out-of-your-element.nix
@@ -1,56 +0,0 @@
 {
  lib,
  fetchFromGitea,
  makeWrapper,
  nodejs,
  buildNpmPackage,
  fetchpatch,
 }:
 buildNpmPackage {
  pname = "delete-your-element";
  version = "3.3-unstable-2025-12-09";
  src = fetchFromGitea {
    domain = "git.pvv.ntnu.no";
    owner = "Drift";
    repo = "delete-your-element";
    rev = "1c0c545a024ef7215a1a3483c10acce853f79765";
    hash = "sha256-ow/PdlHfU7PCwsjJUEzoETzONs1KoKTRMRQ9ADN0tGk=";
  };
  patches = [
    (fetchpatch {
      name = "ooye-fix-package-lock-0001.patch";
      url = "https://cgit.rory.gay/nix/OOYE-module.git/plain/pl.patch?h=ee126389d997ba14be3fe3ef360ba37b3617a9b2";
      hash = "sha256-dP6WEHb0KksDraYML+jcR5DftH9BiXvwevUg38ALOrc=";
    })
  ];
  npmDepsHash = "sha256-OXOyO6LxK/WYYVysSxkol0ilMUZB+osLYUE5DpJlbps=";
  # npmDepsHash = "sha256-Y+vgp7+7pIDm64AYSs8ltoAiON0EPpJInbmgn3/LkVA=";
  dontNpmBuild = true;
  makeCacheWritable = true;
  nativeBuildInputs = [ makeWrapper ];
  installPhase = ''
    runHook preInstall
    mkdir -p $out/share
    cp -a . $out/share/ooye
    makeWrapper ${nodejs}/bin/node $out/bin/matrix-ooye --add-flags $out/share/ooye/start.js
    makeWrapper ${nodejs}/bin/node $out/bin/matrix-ooye-addbot --add-flags $out/share/ooye/addbot.js
    runHook postInstall
  '';
  meta = with lib; {
    description = "Matrix-Discord bridge with modern features.";
    homepage = "https://gitdab.com/cadence/out-of-your-element";
    longDescription = ''
      Modern Matrix-to-Discord appservice bridge, created by @cadence:cadence.moe.
    '';
    license = licenses.gpl3;
    # maintainers = with maintainers; [ RorySys ];
    mainProgram = "matrix-ooye";
  };
 }
--- a/packages/simplesamlphp/default.nix
+++ b/packages/simplesamlphp/default.nix
@@ -8,18 +8,18 @@
 php.buildComposerProject rec {
  pname = "simplesamlphp";
-  version = "2.4.3";
+  version = "2.2.1";
  src = fetchFromGitHub {
    owner = "simplesamlphp";
    repo = "simplesamlphp";
-    tag = "v${version}";
+    rev = "v${version}";
-    hash = "sha256-vv4gzcnPfMapd8gER2Vsng1SBloHKWrJJltnw2HUnX4=";
+    hash = "sha256-jo7xma60M4VZgeDgyFumvJp1Sm+RP4XaugDkttQVB+k=";
  };
  composerStrictValidation = false;
-  vendorHash = "sha256-vu3Iz6fRk3Gnh9Psn46jgRYKkmqGte+5xHBRmvdgKG4=";
+  vendorHash = "sha256-n6lJ/Fb6xI124PkKJMbJBDiuISlukWQcHl043uHoBb4=";
  # TODO: metadata could be fetched automagically with these:
  #   - https://simplesamlphp.org/docs/contrib_modules/metarefresh/simplesamlphp-automated_metadata.html
--- a/secrets/bakke/bakke.yaml
+++ b/secrets/bakke/bakke.yaml
@@ -1,90 +0,0 @@
 hello: ENC[AES256_GCM,data:+GWORSIf9TxmJLw1ytZwPbve2yz5H9ewVE5sOpQzkrRpct6Wes+vTE19Ij8W1g==,iv:C/WhXNBBM/bidC9xynZzk34nYXF3mUjAd4nPXpUlYHs=,tag:OJXSwuI8aNDnHFFTkwyGBQ==,type:str]
 example_key: ENC[AES256_GCM,data:ojSsrFYo5YD0YtiqcA==,iv:nvNtG6c0OqnQovzWQLMjcn9vbQ4PPYSv2B43Y8z0h5s=,tag:+h7YUNRA2MTvwGJq1VZW8g==,type:str]
 #ENC[AES256_GCM,data:6EvhlBtrl5wqyf6UAGwY8Q==,iv:fzLUjBzyuT17FcP8jlmLrsKW46pu6/lAvAVLHBxje6k=,tag:n+qR1NUqa91uFRIpALKlmw==,type:comment]
 example_array:
    - ENC[AES256_GCM,data:A38KXABxJzMoKitKpHo=,iv:OlRap3R//9tvKdPLz7uP+lvBa/fD0W8xFzdxIKKFi4E=,tag:QKizPN1fYOv5zZlMVgTIOQ==,type:str]
    - ENC[AES256_GCM,data:8X2iVkHQtQMReopWdgM=,iv:2Wq3QOadwd3G3ROXNe7JQD4AL/5H/WV19TBEbxijG/8=,tag:tikKT9Wvzm4Vz5aoy6w9WQ==,type:str]
 example_number: ENC[AES256_GCM,data:0K05hiSPh2Ok1A==,iv:IVRo61xkKugv4OiPm0vt9ODm5DC1DzJFdlgQJb1TfTg=,tag:o3xXygVEUD4jaGSJr0Nxtw==,type:float]
 example_booleans:
    - ENC[AES256_GCM,data:zoykmQ==,iv:1JGy1Cg5GdAiod9qPSzW+wsG6rUgUJyYMEE4k576Tlk=,tag:RUCbytPpo78bqlAVEUsbLg==,type:bool]
 sops:
    age:
        - recipient: age1syted6kt48sumjjucggh6r3uca4x2ppp4mfungf3lamkt2le05csc99633
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOM0NNRFlYaDVtY2taK2xZ
            R1pJKzhzOFJJbVI1ZEtQZTJJd1JiejdwaHpJCjlyZVZLZUpVeG1HNHo1UTlaa1gz
            Q2JOTmpibndlcERXaWw3Ujd3OGo2aU0KLS0tIEhKcjFKYm82VFdHWTkvcFBDam5H
            bzhGbFF6ZmRPTXpzMWgzWGJJbGlkUTAKtNREtgj4kXKDymmbBt2YVFUqrAaGY72z
            8fUEIz/2/kPeb4QBpYt4HQabXDLCZXZ0Q5qhHRFOSER8o+TrkJDEow==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1ug30gg4y7ftuya0wdv7q0vh4egn00wlv2th7mt7cgc2ze46wmvyq9lq6ge
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSbEJRNjVJSE5qSk1VcVR6
            VTh6ZU93Q2dGclhZWXA4YTh5WXZ4MWFMRzNRCkJ6Z1F6a20za3ZxLzRsZGg2aHpn
            Nll0NW9XRndIOFpzMVgwK3RxWm1BUkEKLS0tIGF0MUYwblY4a3haelJYRkNyd3lS
            S0ZuSUVXWGVXbnJocm1LRjZRSGVrMFkKQcwZk7mlF96kPdvZyLNR2i5CnU/qR7/i
            u897JxtxmXuuNDKPA80pFxfwkOwzcUVrYiwOlAbMENwJWH1SwFO3Cg==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1mrnldl334l2nszuta6ywvewng0fswv2dz9l5g4qcwe3nj4yxf92qjskdx6
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWa2c5d0RvR21jQ21ZRVBL
            dkR2RDhMMmJKTXk4UnFTbEZCbE5vV2cwRTNnCkFFT05kYUhXREtzSGkyY1VYQ2ZE
            bU0xZnlUN0draW5DZXRqQlloVi9NaFkKLS0tIDdHb05weWlzcDN4bFdzYnpUVjVV
            ZkVXK01odnZJeGhoaFFLbEVSMFJsMHcK/mgeA6aMlr7T35rHL3GriYHu2DQE45sI
            8RdxdErESmpx0bneFbmsBgXOYu+iT64zatPEGVSu1taW/nMa8Ucpzw==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1hmpdk4h69wxpwqk9tkud39f66hprhehxtzhgw97r6dvr7v0mx5jscsuhkn
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxbm4wL1pHeVVRYzJrb0RZ
            VHA5ZGRTUHkxbk9qenpNRGE4bjQ0SzN6UVFvCkRHQ0VDaUhRRDI3Yy90UXZCdTlo
            dnBHSmU5WlBlczlBbDBZRHFvLzFBWVkKLS0tIFVNVG5qRDZlcWZ4R00zc0N5bkli
            d0Z4TEJzdEFuV3NnTndFZlpPMTNYSHMK1d1Use9/w4ClrCfShBymIxHZppCXmhmQ
            vIW5vI4Ui0jSX9Rwhd17CLT66mQYBbaHTGB9fiGNQpFRc/ztaFbbnw==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1wrssr4z4g6vl3fd3qme5cewchmmhm0j2xe6wf2meu4r6ycn37anse98mfs
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrNmF2ZTFreDdzdVZHRWt4
            VW1TNXFWRW13T3VBN04wMi95VkRCeHJIalVNClRLZGFDY2ZIREkweXp5dU9yYVRD
            T1N5QVh0eWczd3VIWEthbTZRVXM0L00KLS0tIFlWeDZmQzYrQXdoZ3dycS9udEFW
            TGg0bGwxQjQ1UkR5OC9FajI1RHprUXMK8NRbkEjLEW6pANEkB0QyBcgMin/Aaf5A
            dkFYo01G3XM7AmlnnM9UCc56Gc/ZfcsVaUhMAZoEvEvuU0++ufCIZg==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1zhxul786an743u0fascv4wtc5xduu7qfy803lfs539yzhgmlq5ds2lznt5
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYNE04cmdoYnc4cGhmMmlW
            aU1MNXpacVp2eGV1dU1GUUNyd3dFRDI0and3CllsSG9qR1IwaG1iU2FpWEduanhx
            WVE2SWZBblp5RWd3Mi8rc2s3M2F6cXcKLS0tIFBnaCtIelBPdEtqRUIrTnY3VytC
            K3dUNVgrYlVnRjRKVVRDQmxsUC9tOG8KFE/pU3tSnyohg58FTWWc2j1Yk0+QHRyH
            VakZTPA8l2j7X01KOwEDaZBZrzFd8059GBUMRnylcVOCg5a5VjXpEg==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2025-03-15T21:42:17Z"
    mac: ENC[AES256_GCM,data:2gH/ZaxSA6ShRu53dxj7V3jk7FsVdYS+PSHQyFT8qMvKM1hsQ/nWrKt00PUl9I7Gb4uomP9Ga3SyphYOXRBzKoV+x52oEWOJE3Q4iPrwdCkyHlxEezhTd/ZRQVatG6dvHpLuDNS9Dyph4f7Mw5USI+m4WeVdgCvHTydw+4KIfP4=,iv:yimfq96WVsagvKr8HTg1RdZBSrVGcCWPvv8XOXkOfcg=,tag:zHzdrE0PX5+AeD2lpqeJVQ==,type:str]
    pgp:
        - created_at: "2025-12-22T06:10:02Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----
            hQIMA0av/duuklWYAQ/+Jcq2EiWutguXVgFJsG0eU9CmM/ZrSfN7Of6MeGh53vw5
            F125rivlWf56nEjAnW0u0Ai1MRUUvL6cSqnIxH0y0NcgllkUVrMDJPtsp4/1pFG3
            pMhQuaoun7mmHbMwFD/WIGk3NeQA2WRm8vCa2yHuOHKG5rISZDgY/5WdkLGK9Vll
            A3eBaz2r+jQwZNHMTu9Sgmuya7EAGCb/7oSTyE+ZyG9zDwyvbKcuS+xMx/Sqx5a+
            a1a38fJCdwTHNGR293kMhVK75z0aOvGp4t92bulAe0Tp0Efc43TNGYIGjOQT7r3J
            k4YQ0OcR+fezp8GSLxoewWBpCMFaRliSnLh7XJwd2jTURbzlpQFFKNXW4pLxrAIr
            ZJXZ6Hloz91MRoQ8HLCs7WqhLptXGnqXsJPCwdBJEeVzutyt3cZIzq11bNgf9sNv
            Ydj86FmGTMFK5d9kNYAqxwnfcVIc3/AdbyKNoky1Muu0z5XvUdgUcYu5RK9yL3DA
            dUJVI5uam+ONUatFeTbS2Vz7KEbwh1H3gfQUQTrE6FOSrh8bk0lp1aG1geL69ram
            XXh/uHkvzTgbq+oiyiqbodurrEQHcdhrYJwvPELLQwtIq+0iVu7xNIFz+LNuAMqK
            d1lualLK7xHNqCOhihY1nKR3PjDrE4tUKjtwu1lp2Ae+VEXg1FgrqdkquxlE+0XS
            XgG0jfeGqwQKM1qGkaj9UX/xXe8Io5KhOAqRhnkauU9nZ4Uaj5X1rFpbLAOT2/FZ
            rHjT46gUUh1hK2TEnL14yJ8ttIntlcXh6lJ6zbkIL7G+56GlqhPmr8M6N67VEq8=
            =8M3y
            -----END PGP MESSAGE-----
          fp: F7D37890228A907440E1FD4846B9228E814A2AAC
    unencrypted_suffix: _unencrypted
    version: 3.8.1
--- a/secrets/bekkalokk/bekkalokk.yaml
+++ b/secrets/bekkalokk/bekkalokk.yaml
@@ -35,82 +35,86 @@ bluemap:
    ssh-key: ENC[AES256_GCM,data:nPwsT4RYbMbGp2MChLUh6NXW4ckYr7SQcd6Gy2G8CEU+ugew5pt4d6GOK1fyekspDtet3EkPL2F1AsoPFBB2Rv0boARMslAhBqwWSsbBJTXeTEgAABSMxTPJRBtfJucvv426nyIj3uApoknz6mDCQh1OI6mER0fis7MPaM1506HlDlnIT0FV9EairEsaAmbd0yddByGJSccKIza2vW0qWqrz83P+xrakEONxFz0fJlkO5PRXCcQJVBCqWQfnaHNrWeBWv0QA7vAHlT0yjqJCpDRxN2KYrPWsz7sUbB4UZOtykCRM5kKFq73GUaOKqVECJQhcJi6tERhpJELwjjS8MSqvBD90UTKTshGugfuygTaOyUx4wou3atxMR2Rah9+uZ6mBrLAOLX3JKiAtyhFewPMWjd/UhbMPuzNageVBNz2EMpa4POSVwz5MyViKNSgr9cPcNGqmrnjvr/W/lnj6Ec+W80RiXQlADSE4Q6diLLwB9nlHvKs8NTDgv6sUafcPHpJ2+N4Jkb96dE14bMffQ385SI4vLDcQ8xCQ,iv:WdJIHRzjlm8bEldolCx1Q7pZJvjxGkNZALSOy3IjizU=,tag:5ZAikiqttq/76+thG+4LMw==,type:str]
    ssh-known-hosts: ENC[AES256_GCM,data:J6V+NJ9TvYUL2gmcqWWYt8X+n0M7i0RpDpBelWAbFMH64+e9ztHNnC491sm+RogDxqKk0kwQyX2Mz00iq3Gc3wDYyozGOdv3tBKrp7/LcfjUQ9T9hi0yTD3eNV0LAjlAWMTdlW65VGHqGst8ncKbUuVxbBASVlh3A321toZgD+xxUAtNz7qKFa6fDbOS0xLD1+CmTwVp+aPos//QIKzjuk1HqxfBNK82maKtD4JHPS+Y3be2wIEjGWq3H6JYN/RDojD88D/jzo9RwvEjpqLXoOVfy8uX/fbEsgkgfAmPiaG+ePCnchSExEe3a6Y0E+I6YIzvP+tGThJpu4HaT/yW2Rww/jvsxKrXSUhtBZI/SIX5ZAIFB3sFjJXQefJjfNpQTQWhbspLfdemafGaRiDnzVgKDhNL1HNMNsXKDfWa0SLs4//dqerom/QCCNsaqV+4HVzv5x44srChGERadQI/Wh4UG2R19xxbdyIsKPHzv7BhEKufJkjc5upBjWygQrGAkTRHugFpw2Tdkz9yUQSujMkaeRKhVkA+ZUAjwnY5TwqNZBj7U3K2JXoNVHAq194XmrA2dNghh0OmRrvKGwM3HKexX22SXT0bPlpdWRQpMbUgV+uHLMerlDpNMFTIueEBkaF/FWeSW2N5WUrUb1uJ91QcJ8JBgN1riuD1Oxv9RRPrY9VVNJMrYjpAAREN8i8brMTOCJ35s7jnqIei0dNmnNXOoQZPs9kUMeEtUc/Df1E8/aO2Y4yU9gHUuevXnAJWFAiu2IxssgPk6CcNxvapJEmlwkLK/JyuDsWwFxVOHfw5QIEsoDVWXt6eMhquqUgzJI1q7QrTWUQsBb5A5sQKYWQHempOaXuQn1bzA7mU3Gzsr8bNNc6tpy+6j3zTXYR067EX00yqPG+kqRn4QVIuhByxXP3cwXLUG9uD1lsqWrGzs6WCnHr7txhRBXf4WbBVmXModO3uf36cDYEwrUa6yBsARtSl8PJ0UadfY/xULcT5PFvu9+Hi2qj3vp4IU3JCJa9AvXB+11pbSdawprjuDhwQtPwkJ4CQyvZsom3/BOrmwYM5+EyMDIluEQ0z6eDE5buiIVbX6IvXnDCKbrnqVwavX2wqyiDduFLjRfWL/3U2O1yRim78smrDMJABJZvtW+a+GfmlnTd/gnFvS70Fmm/lgtY051ISL/iFx6toJRoBMMiI/Zvy13uQry+w/HbyFl42DIank8tf7kuN3E9M7ADGMubRJJ0AZOcQddrFnR4Gl2nU2+3RS5fLHaBf9QHK6W92/n//xmPkYqrkPacew4eBjUqM32jVGuBpDc964fK9kdtIdw8q5P1s/ph3I79Y24kGeuO1AVJuZvkaTv1Z7GgI9+K9TstKJ9XpRCidLpLSP+uHOWkqcNsQlt6ilTlfHj+MKoD85dKZ315QMmpiuYEvzCSP1aYTb9dpd61Su/IVuM3r2NuINNEZ166YlHQVsLNpDn8E5ahk3ZInOAg6/kaKTmjUI8KEvX4BR3PbbViAlJJb3suJ0oZBGPUlrW5uLRmADvf2mMDVO5zY7/m9DQwxjt4Miu0l8ZaUc0YJQ850lBKucQ==,iv:GI8w7h7xX8gMHuAoWUyrW+BQb85LNlASoYvGBPlCZaI=,tag:WnHNMevfFSMc0ikBZwWn/g==,type:str]
 sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age:
        - recipient: age12nj59tguy9wg882updc2vjdusx5srnxmjyfaqve4zx6jnnsaw3qsyjq6zd
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvQjZvVEplU2pMQmgrQXE2
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNbjFxWk5lY0kxaStxcnVh
-            Qy9FY1NRZEhpSTVCdy9rVEFHekM4NHJEVlRvCkNnVUlCQzdGenlKOW56ZGY4bzJm
+            SnlYamw5WXBRTkU0ZGFEWnZvME1nZk94TlIwCmlhVGFtckJpN1RZdXRBYkxDbnVS
-            K1c1N25ZbDFNMDY0YzlGMTlMN2htSEEKLS0tIEYvWEVoMUVtVDRkeEt5eWFZckJs
+            UmZtWENzZWNYRmptY2kwem42ek1LbXcKLS0tIElsRXBmNHNmdjdqTmFLL2ltMnFC
-            aFRsYmhNMkQwdFlDa1ROWXdhWGFKUUEKqixofKZBMXpV8q801HtVoHzZWJhsifSB
+            VG11M3ZpeUJPUGlEQmExOEdSZFJERE0KSIo1pzx8AcoJWEzNzEDoV3eM7194IHxL
-            DLPHbOAWpXjKygNJ1ogi66FWBFfRL0KGffQEuaIozTA1r1NafSCLKA==
+            4pCSSztKDCF+XdJZLh5sgudaYLJGtX5n7q1hbuL0wOmotM9bN2YLog==
            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1ug30gg4y7ftuya0wdv7q0vh4egn00wlv2th7mt7cgc2ze46wmvyq9lq6ge
+        - recipient: age17tagmpwqjk3mdy45rfesrfey6h863x8wfq38wh33tkrlrywxducs0k6tpq
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1YmhFNHNuaXlFZXMxNmtR
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBybXRjNEM3ZDYwa21LdWpE
-            S3ZIM25xVnYxNE5kL0RJR0lpNWo1c2ZTczFRCkRKakRNek8xdVcxcFN5Wkc1VDJ5
+            dDg1MUxaeHlJSHRhWk40TndYbHZLWHVsVWk4CkxkRVJ4c1lhaXZodGxhNGhkUy9q
-            QjJuQjcwZ25RVkpoMXFpQXltU21MOTQKLS0tIFVrNVJ1alAwM1RtTy9zUUIzMkpi
+            M0I1SHdjeXVXL1E4OXgxS2x0cU9ESFkKLS0tIFpNMjNKLzNDWWtvTkhHRDFSTklH
-            bnFVWG5xWW1hSDZob0NzZVZNOHdqRTAKci5uPZI7K/ljVRZ1j2qQFABpf+Anuj2a
+            T1k1cXp4NXVvVGdkYXp0VVNJejVJRkkK6K31gqRRvo0mbJy6aCTKotVmrfqZoARG
-            yqz92A7DbMUSUqmUNCHWg2vKmMwuRL3CXLPzZoXgIN07dpYQlk6qgg==
+            w6wKe1TJLWJv8RAD3GQrub9MJwQhUG38Jtj1WrXgNMlF24zFPlZDEQ==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1mrnldl334l2nszuta6ywvewng0fswv2dz9l5g4qcwe3nj4yxf92qjskdx6
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUZExMODZvbUo5VWt4UWs4
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2azhwMEJRZ3JQRnhDNlFR
-            ZXRXWkdDczQxcGRJbUFyU3V5bDllampVWTF3CndVSzZESmlwUFcxMjZKODhPY1pz
+            a283MitGTTdaMTZURmFYam85TU43RkdXYTI0CnQxWnRUZ2F6MHd1TWlHMDZ4b1p0
-            WHo5aC9JOUg0VndhdGIxeU1PU2t2QWMKLS0tIExQelVMSWUrMkUrY3htMVIxTHFo
+            WStOVndGTUpmdncvd1k0WlV3c0xKYmMKLS0tIFpSb1hKbHJyM1dCOVBMa1Jabndp
-            blNkNG02ZTFHR1ZjL1dBbjlDNXk5VmMK+EbzW0Rdq5cxIm8EnQ2P87BTxfMKywyM
+            NWlGSFhQUngvWG5BQ1lyOFAxanlGdlEKt09a9bMErR3wqbutxhDRfSWp40mmfShJ
-            Q3LGAw4RDR/Gstj9hzpTPnNjb4D5tMcQmeQlAvBriZPFXCrmq5WCXA==
+            KAAO2TEMKkEGFvaxYu+G9rbR37h/ZttikJMvIVlfRzmVADlFwO7eHw==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1hmpdk4h69wxpwqk9tkud39f66hprhehxtzhgw97r6dvr7v0mx5jscsuhkn
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrSGFIdjJwTkpRdzdIQ2Iz
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtYVJLMTZma08xZVo3cEZs
-            WW1jamZFY1JrTTBZRjM5enZmNkNEMTRaQ24wCjdJY2l4OVJyU2pVR3dQZFg0cHRl
+            Ym1FTU9ZdmxlcUxselltWDRwdUhUdU1udnpjCmh4TlJEK09UdlNFLzN0YnN3WGtt
-            dU1xS0gwbWM0MktPL2d6dG1wN1ZsWEkKLS0tIHJscElDRVFrakJCZmtMbk0xaVp4
+            aGpzd25Vckc1TmVCamQ0ekk2QWpraUEKLS0tIG9CNzBOM1g2aTRlQmt3WWVrTlNB
-            MDBoekhiMWZaeU9IWkcybFNWczVtUUUK4BOBttXkGhmUYTjR68ZvaT0BpbIw67rr
+            ZWsrZy9HSWt4OUdMb3ZZQmNjNGZNZjQKMhvkRnis8P2iV3hoigiN2IXeIFvFuYRK
-            Ls5XV6Azkid7GAttNayqb/OjshUco1xIbAyGRz77b5uzMzM1cM6+dA==
+            FeMG/cNOtAUsOgHMs4xDPqpLrhpay7IEvwQukBxscd/88I8/ZdGeHQ==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1wrssr4z4g6vl3fd3qme5cewchmmhm0j2xe6wf2meu4r6ycn37anse98mfs
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNSmVyNkNiWkxob05lakJI
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtazZ2RUo3ZjdKeStLWW0r
-            N1dWVWl4bnd0cWV0bzlzQTdhMTZ6aWZJMFU4CkYwc29NTW5PODVVTU5DNFdCV0RO
+            bm1NVWJRbjZpZTVRcEFWTnJwYkp2YUN3OTM4CnhRa2RpOS83MW9zaWlUV1M4b21t
-            RTJHaDVmbWZ1WFdSRVE4Tk9SbHhsdUkKLS0tIFhiN3M1aGJtY2ZqTkIwYjB6S095
+            OG5Ub3VkK1dSMkVzN2VtT0JrWkFSTkEKLS0tIGMvOFU2U243RnpUTThRRWthaHpZ
-            WkpCQWlab2s5anVIa2Vlak1vNzI5U0kKRhPzmr9IW0fVDRKzfR1du7KgevNUchxJ
+            SjBhZjJpNGlUclF3bXRKOXk0KzlHdzQKp/asp39bRfNXyetc3ySVpnzfO6it9D/e
-            GDz5B/EekvwZwhcAGvkE6uwHIAIMaau49S9iwqK4NjIcBIGagoqiDQ==
+            XWyhq0yKRFAC8yMYeAuA4kIcNM4DGRc0PnwA/ce3IgHsV1ZNdvdWfg==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1zhxul786an743u0fascv4wtc5xduu7qfy803lfs539yzhgmlq5ds2lznt5
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpSXJKL3RzUEMzZXN5Qmsw
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnT3lTUEFaN3pOMGhsQ1Ra
-            aFRrMXE2b2dNU05NeWNuaEZOdkcyMWpvUlM0ClVkMVJoS3Y5SnJxQ3RtaUtncDcw
+            SVZ6cE90a1BteXgzaldsN3ZTSGZpZXlyWHdvClhJM2ZDRHR0VzVSQXd0b1drK3hG
-            cWRKYjdFbEJ3aWE1ei9wYnpVRGhBd00KLS0tIFFycFgyWGVvMFc3azN3T2Z4aHln
+            aW8zUWlHcVFkTFpJYXpxWlAwVHV0ckUKLS0tIGVmR0g2Vk56dlZCU01Dd3NzUFZU
-            UzR0dUp5MHFWdDFya0hlRXM4M1d5YVUKhaXAFsId/SGv5wmKvjTLSAAlDNuSH80H
+            UHpLRkdQTnhkeGlWVG9VS1hkWktyckEKAdwnA9URLYZ50lMtXrU9Q09d0L3Zfsyr
-            SahjRm7nj5Z6ZHJfBZu9cGoZ5ZdvPsr1DtLgErSndnOnh7TWA8SgGQ==
+            4UsvjjdnFtsXwEZ9ZzOQrpiN0Oz24s3csw5KckDni6kslaloJZsLGg==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2024-12-09T21:18:23Z"
    mac: ENC[AES256_GCM,data:scdduZPcJZgeT9LarRgxVr/obYsGrJAbMoLGJPPPp19qxOJMTdvYfMz8bxPjCikB4MacEgVZmcnKIn5aCzHJAnCI/7F2wm1DDtW9ZI5qbhDJKSSld+m2leOSPfR8VY/0qj6UNgGnwkwx7dfcAlv8cP2Sp3o1M2oyQxeXPr5FWEg=,iv:JEAwkCewMp0ERmYU62kZkbl7+FET1ZeRr6xeEwt6ioM=,tag:jxvli935X3JyZYe7fFbnLg==,type:str]
    pgp:
-        - created_at: "2025-12-01T10:58:17Z"
+        - created_at: "2024-08-04T00:03:28Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----
-            hQIMA0av/duuklWYAQ/+IxSo/UF0bv0ktR4aYDhZF/7y8Xv56jaZbW+bI8os57SY
+            hQIMA0av/duuklWYAQ/7BlyYej03uyhLheXS406h3Ew7v7D+rHHvHjiw3FCJxHoC
-            mk7MbCqMmujf31gDlWwvytn3sEBTs69tre2rJH0JhDnfxrfL4uHJqD2Idtfhejgv
+            1revUrMa/M6iTNQteaBvBcYVR4+SpUpRyN/6BSzEQBrNhUBR+70VWL2yzeeb6Bw7
-            6ezh37/aFy0GgkUKUMpVG3sksZjQrKrSvJiHgfIAaiEiNU6grc6EDLPqDrgO0s1V
+            GBtuyS7O3DEd0froE3aFETR0NfQ1FfcndOBd3SDKOsCgL5nfJSyOPQtr1OMLKzoW
-            RBUiv2VMyg6a2MBf6TSrdoHw/HtK/PvOgrQ/C3q3jjUzVLUnScIsewwTq0zdmVf6
+            +CARt457xEx0KY7IIpN6e57IT7bVjJx5UuDcN0ZncUyuGUAKHdn0nAHzWqiSZV9w
-            WPG5/sTjKoIYRdjrEZOIZglU61Q2/d0GTGkI7nkr5xl+iJicRO8O4cYmZ2NivMLt
+            bIftLJ936zvBOhhl3DkzvALnI9+//KPSMM3o/1ti07FoAx8cK2w83VA5Ia9qeNkB
-            pjsYGQ+Kyuxzmgqjh2aRv5uu7p4g1fYIBZdcqmm14Jc/IznNUAdfpgoRGUxEbnGW
+            wfVuE6f5a2KP/KrfnVCfvweMh/MIEUGb14XEaniyYwvlW5vwF9YgPH6HGc0c+lH6
-            R6C2eTzvhZGFj0+jssLwcWtGxa2xxPAHL8TbAvroffzx7W9IdyWkmOEaMuyHFAWT
+            UWy8+Iw7kXkUEJuhtNWyBPJeVKheSBieoWUBZZAK4uWUpChJxfc5M3+P3mgzTIP+
-            FpsdlSkYmQs1H5YCdRnapFkNbaIPsQy/c4dQhzYakrheMdpXo6efSPmk9RdjKZrd
+            7P04xdtS0GwrNwMBiQFqc56hoYDAwMYbn9lFzM3LLq+h8Ztg2G4X9LXjD956TP5C
-            HvJaepwJA7Uf9+eY+LgPVTKY4ObJziJEEIM8QwmBW4h7ZujbntUHXhL1dt2Bc8nZ
+            bPV7BFcjTSaAt1TDJcDJRxfrtx6Mo/DLknpGTMRM0UfQ/22uMz2GAH38L0C7lD9B
-            5foSRmLA0lsd59QSPA3lg30TpJARC8aq4dlYsTFqQgHVTHA2W1m5gYvIgNKlhR/F
+            RrKlpDuMKzj/LUihO33Ry9J0IpZ3XF6oaSl/+P+uO9QYNxA/zkuxuSWfqoysldyN
-            NGNaAWW0+3V6NeQF5UVp/ug4RbJK+qbrQw/+jeyRaPj3TWaFobOfs+Ad5zcL5QfS
+            bSo1dHGapY/+PVMjM0E/2Dkk9T2IbQUlkVxPrlvuUd3YfrJ7bCva2GDjLvXSp7LS
-            XgG1ix1Re4pnbeGbTE0QsFQ/Ir0mwPGuNzr1CFuVQWvPUYqA4iv8nlxIj2E43gcL
+            XgGgLgrj54YoOn4uUFsxzDIS7yVps3fCkByVtc1Lc3C8uPPF1B+jOX7O87kZOHag
-            4ihGEE6dKrrwLJuALNq4p7mqnCMJ7/kjLNTRUSmWY8fHaVmX/QL0uGZwYH1Y5P4=
+            XvT2ze2ITfdxPzoyZO1nWVIGO8rAtQ/vK/Iv2/hHtc4gfzL+gy7GeUWGHkvZ1Kk=
-            =2j4b
+            =wDmH
            -----END PGP MESSAGE-----
          fp: F7D37890228A907440E1FD4846B9228E814A2AAC
    unencrypted_suffix: _unencrypted
--- a/secrets/bicep/bicep.yaml
+++ b/secrets/bicep/bicep.yaml
@@ -3,91 +3,88 @@ calendar-bot:
    mysql_password: ENC[AES256_GCM,data:Gqag8yOgPH3ntoT5TmaqJWv1j+si2qIyz5Ryfw5E2A==,iv:kQDcxnPfwJQcFovI4f87UDt18F8ah3z5xeY86KmdCyY=,tag:A1sCSNXJziAmtUWohqwJgg==,type:str]
 mysql:
    password: ENC[AES256_GCM,data:KqEe0TVdeMIzPKsmFg9x0X9xWijnOk306ycyXTm2Tpqo/O0F,iv:Y+hlQ8n1ZIP9ncXBzd2kCSs/DWVTWhiEluFVwZFKRCA=,tag:xlaUk0Wftk62LpYE5pKNQw==,type:str]
 gickup:
    github-token: ENC[AES256_GCM,data:H/yBDLIvEXunmaUha3c2vUWKLRIbl9QrC0t13AQDRCTnrvhabeiUFLNxZ/F+4B6sZ2aPSgZoB69WwnHvh1wLdiFp1qLWKW/jQPvzZOxE4n+jXrnSOutUWktbPzVj,iv:KFW4jRru93JIl9doVFtcNkJDWp89NlzWjPDflHxcL/U=,tag:YtgyRxkoZO9MkuP3DJh7zA==,type:str]
 minecraft-heatmap:
    postgres-passwd: ENC[AES256_GCM,data:T8s9xct07AJ4/Z6MQjNrqZQq7FerHz8Op+ea8zO2MDLPWWgU7/hBfrr+T4sc1TgT3e5vtE0dVcqCSbZCZj+6zQ==,iv:prx6d8c92OvbL8IjBLAvi1Vqk69D6ZIkAp7E8CSljok=,tag:UA5YS4YwViYZJ2PWzIIM3g==,type:str]
    ssh-key:
        private: ENC[AES256_GCM,data:h9OtD6hxrxyokFDe9bveAkMICrs3YrsAEqg0RVHV+xCkgkNAdoh85wb1QI8FJ0tga4Bfq8ZxZTdMnexQvbYWL8m/N/P6gWoPPJd7dwGuxaUZu5lqngVuHIhH0yWFWtPXjQ0Zyl5Q1aBKyjzJMvJc/H2iprgVH4YFs/fWf/KDEp17Plvvz0AoPGPrOZErDmne4MtLbW3pUm1r5ACo/41OyXYwjHk1Ywgsoz1CMxe/DrmkADnf7jSDWL6Q0mz8hIIYi8GbToJS4BIJ2plttraxV9sqpIPzS/1jMERNchItlkCppSYIy/eohVmskP8dAySm5Z7HNGGtzWSSGLxq15xKc7OVFYPMI+B35nPnp1LVOUWqBHAqVo7dwxc3VXOlVat7AMknUZnr67d4TIIl5BOdy/rvAxzXS/fDV0zntIs5o3phKStVvq07eZFaOVva45B7Pyyn0PdBhHBt2JcBtm+Xtg9i3xvZdwQgbeeJRhnYgDqK6BVhmtTuirwp1GOyslqaFCjg0MJj+W+d8R9gbbfyFR6YrZQAkcd/o/yZGg86z7Phe18=,iv:nt/+qPBwPZKQt43VJ9FbKjLYioFwCxD7VK9WNCJCmpQ=,tag:MuDfnTiro3VVJq9x5rkEQg==,type:str]
        public: ENC[AES256_GCM,data:+fiCO8VRSmV7tmyweYSpZJMOuMORLHkWetYbr20aTQ1vRYr927nYGes4E464t+Dv9OyJPCLmHBdgt7UvxJWuC3pZE8iStnBYnej3D4ebMzi2SMfOkJjGuQSplXtl8QeAYe1YvROmtQ==,iv:thgGQUyWdXfwUt1E/vudoNjl8JjnksFd1rb/asTry+g=,tag:t1iQPocvfI+JafuJycaLuw==,type:str]
 sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age:
-        - recipient: age19nk55kcs7s0358jpkn75xnr57dfq6fq3p43nartvsprx0su22v7qcgcjdx
+        - recipient: age1sl43gc9cw939z5tgha2lpwf0xxxgcnlw7w4xem4sqgmt2pt264vq0dmwx2
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSWXVrN3MwSkh4RUJHcmRu
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiOVc1eXg1bU9BZmc0cXhM
-            V0YrMkhIVGZtLzFsbEZ4dmNSV1FmT1Y2M3prCnhWOSs5VElEOUhuQU1xa2FmRlIw
+            L0dpbVBvQTNzcnFWcktSaW5rQXhnZks4dlhRCmVla3kzWDlJN2V0dDFYWkxJUUVo
-            YXQvZFpGYXh1eTMwVkZEempxdHA5eGsKLS0tIHlGQXlHc1ZJaWlPNitrSlQ3R25h
+            RTlqNWM4c0lmbkc3cUM0dTgyWGpSNWcKLS0tIEx4SkxDdTFGUi9OQ0NRVGxXeSs4
-            a28xWWRwbTlaZjIrbUpxUDJzMnp1alkK3awAxPMvmrh42Pwhv4mBUvWH5ev+OK+i
+            b3Zaa3p1MnU1UTk1T3hmejVkM2RDLzAKmk63I60GEenLt0l4FHmz9mBAumw105Qs
-            nKWXHOMyYPudYg062Ex7iAHS5WTw71bsMkUEwmU0Mt5XbopkXCyyZA==
+            mDbQBfAj1m1FTE6tl38J8wVyFI8LT550bqYdymvnT2mnEIAIP/04ag==
            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1ug30gg4y7ftuya0wdv7q0vh4egn00wlv2th7mt7cgc2ze46wmvyq9lq6ge
+        - recipient: age17tagmpwqjk3mdy45rfesrfey6h863x8wfq38wh33tkrlrywxducs0k6tpq
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZZ3k1VjN4SlVPcHhkNXpw
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5dmJpdUxVcllPYXpxRlN6
-            MTFncDF6cDdKVmVSQUdDQUQwNW5scjZ6TUdFCnY0UkJjdE5DaUFNZm00VEVmZG92
+            ZnYyc25sbjdWNUNEQnE3UU5Ea0JPK3o0Ukc0CnFIOU0rOU5lV0tGb2NuNnQzejhw
-            U0VINHJqbDd4RGFnOWdxaVhoMjRYN0EKLS0tICtESEFUbHBDamFJelphbTlMNmNQ
+            cTBkOFJHTXJIMFhzZ0tpODJ6N1pJRTgKLS0tIEhPVlBMcjdHNVRKWDhkTXFTOFFu
-            amJIdU5iaWNLQ28wYXJxZ0ptVUxRQVEKZtVEIcBrGHpmg/wGCzDshYZ83pJUf5CY
+            NUREdmFNR2NkY0Uzcm9tbmhteHFtSTgKSUTGoNb2/0rljN7oojVk1fMAulK669ud
-            I4hmsoPRnq7Zh45eCuE7j+RNhGiQWGi8q/+sUnSJQMGjzIHf0QfVkA==
+            fpacGQFBJzJOusx29YC01W6mn8TW8Cdw6mKmS3QEsYYx7S4HpX0v1g==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1mrnldl334l2nszuta6ywvewng0fswv2dz9l5g4qcwe3nj4yxf92qjskdx6
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0TXZuS2pvOTd0RmdtU1ZE
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRUmNyQWU2Ym5NMjJnUUpu
-            MmIzUUxFV2NKcXJtempJdVpUQVZwWVBlZm5ZCkJZeVZiUjNPdW1XZlJ0YWxDa092
+            Vi9yeWhFM0NDTGZtRThXQWMxYVI2aEUrNUVvCklxTldQRnp4dTVXMjRXWU5DNWhz
-            aGs5R3VUYkdBbVQ0V2dzcGV5alZxQ00KLS0tIHJqdGExb05DVFhka3duRTY1dFhz
+            dzllOXp1RVRaMDFNWExuK01maFk0blEKLS0tIC9hUENybThmWlBab3IwSTQxSHBj
-            MGFxVlJDcEZjc0Jxc3loV1ZjNkl0TjQKu+gUS5uyfWBNn67WFt1NwjzkwYWG4r04
+            Q0IyL20vdlRBNWZyNXc3MGVtcUNza1UKLDq74TMy5hXhimnDA06/Ku5RJQcDvkjn
-            hFh9hxB8efiMxYiDp2fc9EKvn1FlTBQJE1KWyiD88twzhKDKaDqQJg==
+            QKSGCxZ6FJ/io22qNiw0vDRzTfW1Dz+9/Yog3Pi870IcAljkdmoxEA==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1hmpdk4h69wxpwqk9tkud39f66hprhehxtzhgw97r6dvr7v0mx5jscsuhkn
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArQTF3bXhXa1AxazZqZWZv
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOTUpYam1KQ2laek42V1NE
-            dWFpWGwyUDZkZnczc2NpbnBWeTJGQUVBSFFzCkwyRFVVa0l3dS9GaGN3Mm5TY3dh
+            eUY2TlY2Q0JNTHR6QUEvZEhhem5ZKzhPQ0JFClZldDE3dDVIeTQrOVpJNGI5dDlR
-            Z0VkRU1uZGVscnlLNXArZVMyVFhxTWMKLS0tIHV2ZExtVnFONTlQRVNMTFRzQnFu
+            YStuTlRDcXdiWE9LdThaUERnbEpkU28KLS0tIDNidFQ3ZTdINXpTZGljZmh3Q1ky
-            ZmtGTVJqKzlGWDBaUWs1Qk1PSnc2WE0KrIJy3b1TdI7ur02ZzOfWJGWl6WuSUFV4
+            Ynk3aUtFOFdGV1NHb2d4YXJXb0xNYU0K07jwIfF+US++qz9rKn0TgR/vZam12vvr
-            h9Bb3uSpVZLWb0MRKTK5RIeedQZ0NuVOqAP3hCglzzNkZ10/r7ly2Q==
+            lq5s694hHkSRmAP5uJ4lNQKUkacH9qlBXB+aU+D98vKRDGYIkKhlQg==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1wrssr4z4g6vl3fd3qme5cewchmmhm0j2xe6wf2meu4r6ycn37anse98mfs
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5L0hVVnE0bVp4d3MwQXo3
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjaURPbENOQ2l2N2lsd2l4
-            bnl5aWMxajZRNHFHQzhXVDZtK2k3TjJGRlFZCnRORzNTVEJOeTZ6OGZFNDNlQzZG
+            aUdQNlUyWjNFM2JhcXF1Z1NJZ0lzZWFjYmhNCnF0VmZzd0hJSjJvekpzN3hoYnlq
-            MmFHRFpQMW0vSVl1c29yTFoySFEyNEkKLS0tIHVPUlhIdHlxWHV3a1Nra0lEN21Z
+            UDg0VHVlMUFTc2xNdGtLb2VXVzBySHMKLS0tIHdVWjlnTmdxSGpMR09zOFpVYmZF
-            cWxLUTBIeEZ0Sy9Ta2Jsajh5eVd4bTQKvmpiIPGbgPjqssx4sc/bqaCLeGIPcRfF
+            M3ljcDgyUHB3Zm00bUxWeHRvK3o1bE0KGWWaSuPmvzA4PqBg3y+XOpnVCkv34eV3
-            BVWm8tEpDmpjvFPgRKhgIKFAQZXumd/9ykWAJE02OWeOOD/LjfSSMA==
+            ZEnPJood5bkBlVqfiBbwJaF98rCH1f5WI6S0NA/5ol5kckDpfwpePg==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1zhxul786an743u0fascv4wtc5xduu7qfy803lfs539yzhgmlq5ds2lznt5
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUczg1MEI0VFhFNUxYcCtj
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMczFnbUlONTI0M083bzNB
-            UXZZaUhPNEZ3cDkvc2lZMm9ZYnZGTit4U3lnCmR0cC94dDVQcjJYWTh0Zkhkclps
+            RVdYQ3ZIT2dwbVJVS3pjZjc4d1htMVQxZGtZCjlPejdVNFVrV0t2MjJ5NEZuYklt
-            WkVrZmdCSE0wdzYwNXMra0hLYWEzU1UKLS0tIHY5MG1LZkFpeisxeDNXQkFrdm9J
+            U0ZiUWgzdytMSHd1N3FPdmNmb3B3UkEKLS0tIGtPdmhpT0NQSGpPWWVublF6dVZt
-            dndlQmsyTFBOQlIrcnJlOVdWS214aTAK4RSsxV89Ccb5K8JP20J+R621LWdtuQJ6
+            cTh5bnJ3WW90aXRCSUp6NHFYeU1tZ0kK4afdtJwGNu6wLRI0fuu+mBVeqVeB0rgX
-            vwWhWkbtBU1Ck3NeEa4UanRqFJxl0bkpdFzHWoQnCm9TmzRf+Oikfw==
+            0q5hwyzjiRnHnyjF38CmcGgydSfDRmF6P+WIMbCwXC6LwfRhAmBGPg==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-08-25T12:27:53Z"
+    lastmodified: "2024-08-15T21:18:33Z"
-    mac: ENC[AES256_GCM,data:GoJ2en7e+D4wjyPJqq7i1s8JPdgFO3wcxrtXOgSKTxi6HTibuIcP4KQcKrCMRAZmXOEL1vpnWFA2uk7S00Av7/QOnzP0Zrk3aPBM6lbB+p9XSabN0sOe1UpZDtAM3bzvS9JZzyztT5nHKvO/eV2rP71y/tYbsT6yvj7Y9zxpvKg=,iv:tQiCr7zpo7g5jZpt2VD9jtFKo32XUWs94Jay+T4XWys=,tag:npBqmlbUUfN+ztttajva3w==,type:str]
+    mac: ENC[AES256_GCM,data:uR5HgeDAYqoqB9kk1V6p0T30+v6WpQJi4+qIeCDRnoUPnQKUVR10hvBhICck+E+Uh8p+tGhM6Uf3YrAJAV0ZCUiNJjtwDJQQLUDT53vdOAXN4xADCQqNuhgVwVMaruoTheEiwOswRuhFeEwy0gBj3Ze2pu47lueHYclmEzumLeQ=,iv:t0UyXN2YaR2m7M/pV2wTLJG5wVfqTIUs7wSQMmyeTVw=,tag:O7dIffzrDAXz3kGx5uazhw==,type:str]
    pgp:
-        - created_at: "2025-12-02T00:51:13Z"
+        - created_at: "2024-08-04T00:03:40Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----
-            hQIMA0av/duuklWYAQ//eMoBqyI6G8T7c+LwLWl0KxVl4bPv8B1w6l2h+DbwYbki
+            hQIMA0av/duuklWYAQ//XP1HnmkjG/wdSC2lQm2XJkB5hMU+eJxglsPVaQpqTODr
-            s/u0EToWGFKNTcoio1Xwwhb8pVnUprLONKe1LHgDSsWhvZXBaq3OHxWJuGQ+T0lS
+            dtVslBr/4nvCLypWhwYCG4jSz9YHU1sI9kDOsuo7PtwCrhfefeOL6CO+O40ECFMR
-            1nEOZt1aRp9ff4RA4BLS2LIB5+2lkVvQ2jWhgzzrEgC4FXI+d5XMhgXtPlO8Dgv7
+            CEMmPLrTXg3LV3TzulchXY6x72LRzJ/aJ1Ra/6sGmffL7JHJ7vHz+U63oXyYivdX
-            Dwp+zTkYyCRny3FzL/AhHCYkqxHuuH19u4j9taN5VidKp9a1EKvjYZW4+xPM0gek
+            9zsxP+iGRpQBK6wcA+Wg30rFV1ENE77H5Wh3PGRRXBSVE1fF6I3USgOxlQvGGnK8
-            9AR89EIzVeLGMSVUFToAfmZ2jFOfMj42pmbQg29Dr3iUVvOZ1sP+w6Jt/1j4FoNe
+            cobLecH6V2TwSAptVcGk1gEmn6RUZdxATBnt0vE/Wr/zxZLuoRJgxmiwXuL5+kYW
-            iylriaZtSMLb6kjqN6xf0TnA6exa7hHuAlK3WbPv6JAYrGxs7+l9lGLJkgdXqkzt
+            QjCvCgAAEyFJtDRycwPPpDtTCBECPV97Ryev0Z8PdrYHfjNcgNVgDwNH9L3TuIEY
-            oxyJTilv1+YJuXy4O2oW6hV8yymOfAKGHt/dkEnPX6UtddH+RDCo+HdWmXWy1Feo
+            QL/f/+9PgNuUjf/7nktn1c5eAvmMyKJCiy9yKYZ1H9ynwN5Bxf+KJflVtTWbdJJo
-            skEfvwsbzKPCHInPGbo9Yq5NIgJgaisJlHVf5XHxuVVWdEgmpPZ1XxRvmk5B/9lu
+            ITXP2RyU2ttM2WjAM87E0HJD3XZ9x9I8Se/f5eQbg2Om7E2HXYr/v2uWf2ByRn5y
-            gvr+kG4nN2ZxjBC8sZmHQrvuF93x3mXmHIyu/W2LV5era7Q7tUjaikBMba3a3Rpo
+            PV232/rR/whf/vpiwChDsBT97ZfZJibU8Xot7WMkQhgjCJaYH0wzYcrnvg3EIAo6
-            OQw0auB1OBSmZOFWMa4ppWU3H5V1hOBoD6tygpJvRvuKxJIVGMg1XWBuLJuAhLF8
+            MBN1ufKNAp8BoXrM2P4yu+UOjrN8O+54Sxg7CSwg/a/ldDdjUnsGfbf3vzY1EJcY
-            Sdz9AtHR7zeHtNG+4/da/5iYFLi8e0j0H16TlKlW+BuN9kXfmuw1UC1cl+gRLPrS
+            2lhLZ8sOQyl+Ppe095pcTLvcYp2FOihf6d3i7GGG6Q9Uh2Ljs7EB02GDKP1XozjS
-            XAEXT6KxURapNNTZTbM66rJNdP60J4u8LhvBD4RLQNGXYQe8Q6RrOdrVRCYO1cjx
+            XgEsx/GScE/PE15VKlOHhrrF7OJj8P+uvlriVqk/MSWUVO2+X1yS09gXFtazLZBo
-            71Sydx+N+XLbNHfgi1AnaVXmWmZ5PRsAxt4xXPWZb0lV8heh8T1FBKeQM35p
+            yqK2yWAOsjFnrMv4A8YHM7COkKvJ9BGdefsoGQu1O838/T7R9+e1OK9iDhfbcMM=
-            =Ur6q
+            =vMG8
            -----END PGP MESSAGE-----
          fp: F7D37890228A907440E1FD4846B9228E814A2AAC
    unencrypted_suffix: _unencrypted
-    version: 3.10.2
+    version: 3.9.0
--- a/secrets/bicep/matrix.yaml
+++ b/secrets/bicep/matrix.yaml
@@ -9,92 +9,91 @@ mjolnir:
 discord:
    as_token: ENC[AES256_GCM,data:cnPZjBbODZUA1p0kLNeWpKh1oGkDPxDw/g7163XnoRCIgpqk,iv:Uu4L36uDPMBgzdXE2Lt9U0qrBSl3Xuufh1313BD8B/U=,tag:nTm6s7IGd4vNzZ95mfxDpA==,type:str]
    hs_token: ENC[AES256_GCM,data:UzcaNsJtJPKvFT4gQDNfat0nmyJzmQ6OcSI73pANibzOVrWl,iv:ujgRM2jb1rbeloPB4UPLBEvQ7uue4a+bHiqsZAHIqtk=,tag:uIfuaTWSTeVvpQx5o28HPA==,type:str]
 ooye:
    hs_token: ENC[AES256_GCM,data:QBrdRt4ozAh2XYJtssm82uHlk9aGO1Nr0fEZetmWfLvmw52FZEq8ijyKOgwS6uTcndMi4gGKkq9r4eapLwcMdQ==,iv:VHOAqxR1WGzZ9dmNx+FmjGAKRpUFjWOwyOVmgDswpE0=,tag:k5it/yx7pOfGbJXZUlV69Q==,type:str]
    as_token: ENC[AES256_GCM,data:RMkY0xVj14FwDbYaAysSmzB0IlJuk0ucicNhhTmVAEgiU05PxWG+qk3/elFcaFwaXRFgQQtVyGFZEcK5gpE9hA==,iv:8JgNrTe7GQqPMdUCxEaxJ9qV7Uec2fkYBmF9LmH4X3o=,tag:tRnFpRAZs9kO3u2SDMwNnA==,type:str]
    discord_token: ENC[AES256_GCM,data:6rzv3glW03jcYiJ7sAvDcvDmQHs9iVbV11tIFwgD3GuTkVn6mbAoQhjUaz3zpb/OeoGt+j/pCBRlZgk=,iv:JwkqLpeGYhgwLX7SACNh0AUO53XSx9IKgncI0+KkvyU=,tag:30C0X9nVSlEYPITVzuN0qA==,type:str]
    discord_client_secret: ENC[AES256_GCM,data:wbM7bPZCWa2+UNUqXi27fP0ppdinRkEC4N9KB68TJzg=,iv:Y2j+8oI+kI7DMrBfFU3G5HtFWguNxDpxbNvJkpK5lQs=,tag:GntocbTCybCVqZ2T3lNSIQ==,type:str]
 hookshot:
    as_token: ENC[AES256_GCM,data:L4vEw5r4RhcgritOeDTLHN5E/dM=,iv:pC8BLzxf6NaVAGsotoq6chOceBVdMLvrsQn1LGw9H9w=,tag:SI3CDFHAvgQZEvf/oms3EA==,type:str]
    hs_token: ENC[AES256_GCM,data:2ufSJfYzzAB5IO+edwKSra5d/+M=,iv:cmTycGzNL+IeRRKZGbkhTtiksYTtbxED0k0B5haFw7k=,tag:FmWe5sGi9rlapUeAE6lKvg==,type:str]
 sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age:
-        - recipient: age19nk55kcs7s0358jpkn75xnr57dfq6fq3p43nartvsprx0su22v7qcgcjdx
+        - recipient: age1sl43gc9cw939z5tgha2lpwf0xxxgcnlw7w4xem4sqgmt2pt264vq0dmwx2
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPL2Z6RVEyWnBPSXZXZFNn
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJcndkMFhyZzdCK0JDN2FZ
-            dTlKd2xPREVLVjIrcnB4MTRHNU9LQklodGo4CjNuZmwrV2hCSlBXbWMzQk56WStE
+            ME4rTWo5dm9yVGFSQS92M0FpaW5WMGpzRm13CnZ3OEluNWNnMHJWaTBuZXc1dk9X
-            MW9uVk1ZOWtZb0dFQjZFS1VUZ2ZOd2cKLS0tIFkvU0s4L0h4TS9zemVLc1JyTVhB
+            VXRDOHlXUmloYUVYT2pzT2llYU8rK2sKLS0tIENJVUgxUzFxTFg0S1BScm5tNU5x
-            WEU3d1ZsMVdyYXNFNVpyallMSk1QaG8KYtDGiTY2Cf5YmmAKgr2s0FNeZDRpUCUD
+            M09CZ0Y3NTQzUVY2ZXA3cG9pYUx1SG8KkZXHZmB5yBh/zoMBMdMwlHyjIQE31EK7
-            vJEm+1XFJI4fkOytpOZt0ZywTDZZd6JkXD1V713Kvr+sDCvuT6HW2A==
+            cwAfWYVLjk0CDM1JScTCy7RoQpbqNsMWFyUpu1p+1N0FE8IgefOU6w==
            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1ug30gg4y7ftuya0wdv7q0vh4egn00wlv2th7mt7cgc2ze46wmvyq9lq6ge
+        - recipient: age17tagmpwqjk3mdy45rfesrfey6h863x8wfq38wh33tkrlrywxducs0k6tpq
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoeTFLdGNER2lRZWlWT3RS
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTekd4bHhLeVh3RkNsRjBu
-            RXQ5UmMyNm4wRklwRTUyK2RsVlRxMUU3RGdJCmtLa0VTNmFoSWRsc3Nhc0ZhQklJ
+            V2h0azluRmJzalZGdy9MR2RENkY2WkpyakN3CkdFWHB3cUhQYkZlU2Q3d1ZtcUlr
-            MVV6M3pvQzdtVTR5Lyt4VmpjMkFhcGcKLS0tIDZzcnpDclZLM21MYjFlbkRKUi9P
+            UTBzUU1lVFZZaHUrUENiWlFCYXErT3cKLS0tIEZUcVNRN1QwdnNPYnI0ejRyNDBJ
-            L1NFL3RQSlh5c0hjVXJ4RWZObUExaWsKyU9dDDimP60N7aF8wda4g+Uqw1Hcx13R
+            QXJzMmFkdDh3SHJCSjlCQmVSKy9McU0Ki8UxAzALy7EPr6Nve8UGLmOCqstCcOfP
-            9kuemMqS1cj9HPRuEhCOINAHIqtnYGmHaow6UlEc/nuKrsV6Ibbvmw==
+            OkTpjXFcTBJ9wMj1ZXCoH3KYqvJSu0gvB97phnkN9X8aXkf2DsOCfQ==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1mrnldl334l2nszuta6ywvewng0fswv2dz9l5g4qcwe3nj4yxf92qjskdx6
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpdFphcGt3V2I1UGdVcFJW
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwT05zbjVqY0NNQ2ozdEhx
-            RUt2cXNIaUlJbjE3bVRLcFlRalhZODM4ajNrCjdjSC92a0cweG0yWFVBR3BBOUsz
+            MWFlMWpvMUorR2RnY1Nva3h3VHRjZTJiQlFjCjNtUzZxRlRlZkxGNncyQVExSVN4
-            OVloN1craG1PdGVnTFdXSllOVkpRb2sKLS0tIDI0UE1QMFpwUG9Xemp2TjJRWTRS
+            UTJINkxHZU13aXpOdDhRNW56M3RXMUUKLS0tIHBqWHNIZ0dYTWNaclVDVk5sS3I5
-            UUFYczFnSExjZEJkQzhYc0M3ZFJOOVEKxqyXt/2CmKiuIBKdA24atjD8Ns84mV3C
+            YlFkckxlcjROank3eXdtdWhMY2N2Sm8Khqzk4NUSeaPBYkMbHBhBkagFBQs7Z9MX
-            6i2H1P7+XCDTjT+MyaRV7TlOyGPv/AqcXnAgKxk0CNX5O3qoAXmjqg==
+            HYLiY5pOdCkOteDSOGlqSdiKI7yVNsETjDXeXybLHk/RNaJbhvhqwg==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1hmpdk4h69wxpwqk9tkud39f66hprhehxtzhgw97r6dvr7v0mx5jscsuhkn
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXVTVyMy9mOGtnK01hRG02
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQNUU3aE84RnpaR1pET1l1
-            TG56MSt6Mzk5Qm9jNE1uTVQ4bUh6M1ZJS3hJCkxlZ004TXJwZUxIYTQrRy9KaGdQ
+            b2dDYjZmSVd3N05iMTloKzVTc3phOVVGYlRrCkpGMUZhL0Ywd1dEZm5TYStCNjlX
-            U0VHdHptVmIzazBMMmVjMmt1WXhlOFUKLS0tIGJpNHZxbEhFWENhdDNBS3JZbVBO
+            ZUJnWU8yZ0htbHowMzNBekNRSDBjWVkKLS0tIDlXczh1VDNsdDYzTDMvK1U3TWxQ
-            WFdFdjNPNXRRdUFBZERjRVhLbWhYa1kKDULOz7tab3nP/o3W+2lYQVZy+5R1r5dg
+            V2tXdk9BUG50c2ZCMVRoY0hxeFlkYkkK+XdRap/LtxzZ3q4ulPRb3LQyeeuO0mu8
-            V82DVkqygJwhjMD+UHV9KnkHSnaSfwQxF1pVKq1ZZN1l+mgNcISbjA==
+            So+7G2acSDhcNqZtW4jsu/NzSNqcv1bwd4XcKe7xqVDVYRpN8LBb2Q==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1wrssr4z4g6vl3fd3qme5cewchmmhm0j2xe6wf2meu4r6ycn37anse98mfs
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjaFl6VUtDN0JFeDB5ODUx
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhMW8wMi9rdStMSkx5dlpL
-            Q3dEeUFlWWtCV3p3TWUyWHFMc0pTamo2Q1RNCllyR211ZmdTaTdRNzBDVXhqc2xi
+            V250UlpET1k0NmZzaFpYRG15OG9NWVBKMGtnClFxeERxc1kvS1QxNTc0WFFQTDU4
-            Rk1Tc2thTGZLNW1hejJzdUpOOTBDUDAKLS0tIEFhb3BPQTcrMXhlenZpeExCNHNH
+            UmNGaTluelF4NElXUWhHQ3ZnN2FYa1EKLS0tIEJHT1FZZEFwc3lxYWJFc083ZG92
-            OU9sN3hoTHIxWXUxRGFQekJDaVB2S1UK20kKBwClp4zSlgMShCC5l9EmhbTZ4jwT
+            TllFaWFqOXZhVldlcVJwQ09TSGRFMzQK+smZIE1hYx8urWrAqqAb9zId6ZblQesr
-            m82tXz1tCuYqJeyklyHW5vol4jE5To2AL3im7WyepD9C5pgA1xNiZA==
+            pc7lDe5AAumIh8t8tzFwl72XtSMrStDqaneibbRjr0N39L0xN/nhTw==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1zhxul786an743u0fascv4wtc5xduu7qfy803lfs539yzhgmlq5ds2lznt5
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRQjFGZVdKTGRXdHBtMjY4
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnZ2gvZXFXNmdod1IxWm1o
-            Yi83alRTNnpZTnl1c1R2ajJYRXYrRnZUYUY0CkE5THJVSXYwT0lHTGZvMGFCcnY2
+            djN2Sm1iVkpHYTJ4LzdLWVI3dGJIZTdQK0VrCjJqVnA5NFlXVGFFUDhXdE9GZmRJ
-            YTJhS3ZyY1ZqNTZmL0ZnZHRUNmhmWmcKLS0tIC9nc0xIMmIzSGl3aG9kaEM1Kzlo
+            K3ZNTnVDZ2w2NjZEemRNUnVoaXJhN28KLS0tIFVxa0NBNlVVNlBDZ1pxSWRZNFY5
-            aENqOUhnSjZpNi93SDBaRy96MWhjblUKqvy6v1CdL1pqOt3N1gEPCT01ypwd/SG5
+            WEh5NFN6SFF1TlltdWFWTGw4MHRHUkUKrKIvC87xjEmwxPQhH8dN+ZuaJTCgPY28
-            dVaVKV2nEWoAS0/+mho0KmdHQNJi1Qejhk5RSkoaZRd/jSC8sR8hdA==
+            pR62KxmoKFICLTHPpYP3euiAx5M9BWvgvCnA/US/5klpk8MtlreNFA==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-06-21T21:23:24Z"
+    lastmodified: "2024-10-13T23:30:01Z"
-    mac: ENC[AES256_GCM,data:bEJoCzxph/MOnTOJKdrRiQmbVWmAgsKy8vbD5YBeWagWUCJPDAZNDFLzEzmPvt0jDBol04JosrSIKZS1JzJIIm0zRkcOWSqERQCgjgtGdAYmfp0V6ddseDUVfKlZYJDkt6Bdkqg+9LzrP8dDVm2tMDXpo8vzs02o9dTYFm7imVQ=,iv:buP/297JMfvEm9+IdMWRGV7AgZwF0+G6Z2YIeYw/z1o=,tag:+zG612MJA4Ui8CZBgxM+AQ==,type:str]
+    mac: ENC[AES256_GCM,data:vdsAZmg7gPqzeucBhLhPemtRVkcxRecIdB6PXZ4paU+Uv5UorBKcTZ3jseN2cLi6ot3ycTIm+UI6uhlCy87vAJVynVJhuJS+ICFRS2+DfoVyuttLjZQGC2sr3+dEBHxIH7sZJSo9PIzbIWw3qHrpOPAZj0//1pFyp/k15k3vidM=,iv:jWtV+WAPt08lgdrVvtXOl35rDB4QflkZWuGBW1+ESyw=,tag:YxSHncZZOAW5uDxXtb/krw==,type:str]
    pgp:
-        - created_at: "2025-12-02T00:51:22Z"
+        - created_at: "2024-08-04T00:03:46Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----
-            hQIMA0av/duuklWYAQ//ScZ/w12TKrcPdjlPMgE25vVMG3oH5ozWfVdnzSpDJF/O
+            hQIMA0av/duuklWYAQ//TtjTsxf5xHnu4g5Y22qvyMud17MN4j4hCoLXjRSbzG8K
-            ELT0FRqoDOQfW+XCi6os3ovWQUqDSxuflLdLUkWJFC801LV9gn63loCZlwvMga5C
+            /E+0Gs08P3QqV6DddmLvxeAcnLBTAdE4XCMFsRX9eK0BLqPe++yoamOpoPe896zm
-            TWcw1ZwGw+El4I8GklzHc5t+vcWvfICjBj9c0s6b+NlmPhRDt9k9cCtvX2QTHbTm
+            BW2BXn/oemGdOFVOf43LRuMEYn32pjg4RNzR4bn3om2TY3S0nr7GP5J9B1QrSPfH
-            9tO9371o3CuEwzPCBou1WvAvhQHH61j6KmWo+gfaGv2MjF+spB2CDhKGlQZAfaPy
+            AFdR78MwX7PrOkkh4jSLPftjAI8jUtvS/TzX8AXnzy1A8xSkWxww00GMvTvSSAwZ
-            Q5SspigrBwv6JhqqqrBMT364OI/mNUfm+y8yX+EdQ/4ZIDmA9JCLmDmA1GMaXBqS
+            wxU6fePkLwuxVwZVqI5pdsjAscwy7FE7NWDgE9GMIxxwAJRRwJcsJ+eVM6ykWMyq
-            XjANHb0rGStNuQKhluUmqYEguzicDWpHDaoFXiJ4C3x9NF2u56cb8IauJ5rBqdC1
+            Xqo24kWkAqgs7vbxU55gOqPVHN50M22fQ4+RYaLnLyj6BO+0WegW1OmK88q0flaA
-            xyeCc1Ja8dUIHQkTwEvIOXfyxtDrVT2B8gM1AYHHTxNjRgJTXIVBUo826ccN4Uyb
+            QADZHLGrsuiVgc4KxHskwQou1RuHZnPUSqn+Nhnsp8rtAfboHS28v7ekRNTmhTWG
-            GdprWu7Dy0RjC8v2IyVvQiDGzekE4l5ddSgz1N9HIAfbo+j/6vCMTycdsp2FRJ9O
+            qPVPlOlVnY0AemohDjBnk3o4rCxJhviL9KTjmAtIGTK03Fqzk2v23H3+LRo/rocm
-            1CHzgcQfBRnIgOkgSfxh+b7eKKkL11x4SbT36f9zWL+wSSCtO6p66BxK5kJgQO0X
+            gQCXzN6Igdwn7n9x8wXmuO6iL9Jftu4MoaQ0W55hZiBfh8pG76TGdNhycZr2T40w
-            ACWE1gqKdJJlgw3QcBZwCxFT/cIGjfqRE9Rwyi26NvHyd4EnH/BU6xcKtZ3cZkIl
+            MBnRX3ydwH2T+y2pGM9tJY+nlgGsyTiOw01SN7/mio3YdCSvChXTkV3PaX28u+CJ
-            D599+UTygoyWz7l2s6h0O2t5KFNP0DarcRHlv6BPJ4KuNwq0+nGa1E54kDHeqfzS
+            5TaYLM2IP8W5DJU3r3dV3I3JYED1O5Arq7Xrv5Z4qr8vwamnCN6SZGe2qCqxTOrS
-            XgEg7wqYz9QXtiHHofPEgVOo2MD6FTYNTBQ3Fj91CW65ME0hBfzsliqoLq9B2mvZ
+            XgEHGwiK1pFQIBxkI0gFmGX0ckd1NYUfsUCyYrFkcAsicWetBhdlgMjLc86bVHwQ
-            3t7SL3uR1vngmtFaXxCyERcsAnAQz1ClSK9Ee5vzAWLazC58xvctwam1eXKkuew=
+            7p4iGLGsr7GZEArBnP0J5Ee+Hr9MCiW/OCLY4M4jlTsyimlsdgDgyr+RqoOnvig=
-            =G9kW
+            =SRZU
            -----END PGP MESSAGE-----
          fp: F7D37890228A907440E1FD4846B9228E814A2AAC
    unencrypted_suffix: _unencrypted
-    version: 3.10.2
+    version: 3.8.1
--- a/secrets/ildkule/ildkule.yaml
+++ b/secrets/ildkule/ildkule.yaml
@@ -1,5 +1,15 @@
 #ENC[AES256_GCM,data:oyFG9fCzJH8yLB0QY78CVOcYO6Ttp/ARqtIcXwWGYOvL6nW+yLcakrdmVA96sR5toywb32aW,iv:7o3FI0cI6GHCwmQfLYh2iAVr8sELOMoxGSzE5qvuAaI=,tag:z9F1c4dOIiy2FtKpBwm5wg==,type:comment]
 #ENC[AES256_GCM,data:nhDznFCozGpXdYBfumLyhp7TnA7C/IqBCpHJ,iv:3AZN6iVBha8Qh5/X6Yn/5JWsGhDXlE/zdUh1CcO7fQc=,tag:59DaAyKTOmkKty4eyFWFqw==,type:comment]
 #ENC[AES256_GCM,data:vQu+AG19Vy94xxwj196G2uk9,iv:YJGBvoMgOngjn/TeuXeoU82daRvJDxvCQMYb3XCPlw0=,tag:fU6ZhhmAh0yh3/QuXbCNkQ==,type:comment]
 #ENC[AES256_GCM,data:S1UOENn/ewhw8Pb9CmKp,iv:jafOhkCoiTm5HXQ/S611L4VlQFa1Wqr5WIIRzLQm3i0=,tag:6CQ+Y9E/FxWN8K+D9J7+Fg==,type:comment]
 #ENC[AES256_GCM,data:lHHmoCHyP2Tc3waRGeMPEasQiv5+,iv:W6SSFpeWBfTBOEDo4P9hox39eoAiO40Ay4T3QeiI9Tw=,tag:9bLbcEZ9/B1QolDettwcfg==,type:comment]
 #ENC[AES256_GCM,data:DrF4XHSd8QAWn5h1xEGGpDKMQcLF,iv:nPCBbThQh/Aa+uccKJtmiCXSvoJKHxZMJ42yFkV+hi8=,tag:3l50mMn7cPoCnjPcHv1+Vg==,type:comment]
 #ENC[AES256_GCM,data:ADUhFzufaR2xXNOLgiXKu5Cd8Zx3waYeZiLF,iv:WMK2gJwplf6r/EdijrvrOBHgPL57W+UMIQ8dBPp/DBA=,tag:E/q/ccAd7UH3BV7nut6Slg==,type:comment]
 #ENC[AES256_GCM,data:IVFSM6VOWnR0YDRfecsDPlYr,iv:Jxe8pq3lxw5QUGKyspB8tWSquDSMo3mAJBAsQGKxSec=,tag:7bffwY98iTX4/De0coUIxA==,type:comment]
 #ENC[AES256_GCM,data:pHSDnojWTLYXIKk=,iv:ph2xCpxbP3OiWm+B/MDboykPa2gtCWpP0b3j96YCDh4=,tag:u5hmvxHaa/m8GaSeYvONmg==,type:comment]
 #ENC[AES256_GCM,data:Q0fCyyP0DJqUyJPo,iv:qwBE3c2VqF52Yq8POXhy2Qv2xJd82wL1aX4eVY6wL1w=,tag:IwmbD7XqIkemOTODBKpS0g==,type:comment]
 config:
-    mysqld_exporter_password: ENC[AES256_GCM,data:I9K+QMqaN3FOOVKzeOR9Q6UERStXX0P8WEHyN1jzzbM=,iv:UxvIdlfAyJvNuxPkU4+guKPa0fiD0vVLzHOTYktcmso=,tag:ltnIqEwESYx9HBu8UN0ZLw==,type:str]
+    mysqld_exporter: ENC[AES256_GCM,data:w4muNsWmsW1fPx9nqtDGPCZ9faO3W5Pagn/DfWrb5yf88GQOzOsN4z7TH3QeW0Xs6I5jDIktGmFml6RDxCjD8UX9eer1pvC7Kxyl2DQKLHwmsgx1DUFNTRUzE1Sgx8rZAJ8HM7DO7L/6aXS0ndY4J+huyhDDVd+cIetgiQ==,iv:Q4cZD9CKd/EDOm4bjAE2EOstwKpwexF2pxhMEF0/5/k=,tag:S0rOLJS+b9ualtxcHKdHlw==,type:str]
 keys:
    grafana:
        secret_key: ENC[AES256_GCM,data:+WoAJbDBEgKs0RoHT+7oEELAVQ+/2Xt+5RTMSXg23moCqVRx+Gzll9P5Drw=,iv:AkRn/Y20iEe5i1T+84wAgLCTFtAox2G3giyawAkltAw=,tag:BZbt5Wb5lYLIJBm/pfP4GQ==,type:str]
@@ -8,83 +18,87 @@ keys:
        postgres_exporter_env: ENC[AES256_GCM,data:8MEoikoA6tFNm9qZbk0DFWANd7nRs5QSqrsGLoLKPIc1xykJaXTlyP5v8ywVGR8j7bfPs4p6QfpUIWK8CCnfQ1QhsFPXUMksl8p+K+xuMakYZr9OoWigGqvOHpFb9blfBN1FBdRrk38REXWAMUn74KSRI9v+0i5lpC4=,iv:anpjWVUadKfSAm9XbkeAKu+jAk+LxcpVYQ+gUe5szYw=,tag:4tzb/8B/e1uVoqTsQGlcKA==,type:str]
        postgres_exporter_knakelibrak_env: ENC[AES256_GCM,data:xjC7DGXrW2GIJq8XioIZb+jSe/Hzcz0tv9cUHmX/n1nhI+D64lYt+EKnq1+RX/vJzU4sTaKjveKBh88Qqnv6RQm+MZC//dIxcvnnAdl50qnHZyBCaFFEzSNI8I8vGyArMk8Ja72clBq3kMpUz/pLBP0qDrjblKDoWkU=,iv:ZW98hJy8A5t4Oxtu17R3tM7gou183VLbgBsHA8LFuJY=,tag:VMOvQz3X/XDylV1YFg2Jsg==,type:str]
 sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age:
        - recipient: age1x28hmzvuv6f2n66c0jtqcca3h9rput8d7j5uek6jcpx8n9egd52sqpejq0
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTVFo0QzdTbnE3QUN3NGwz
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNbW1FZmt2ZDRZcWs4SEkr
-            VlYwYkVMd1ZWMlVZcm10cGtDVTdFZGxBdGd3ClArQWRxZ0V5RWY1dXF5MUorTS9P
+            R3ZDaUgyVlVvRHNNRTZCS2pxQThsT0NmYkFJCkk1Y1NpT1RSTFp1MWJ4aVNrelVx
-            RjhMaXFKaThud3ROcTYrTmt1aUZkSjgKLS0tIGZZczNJVFMrNlBRKzN0dE9rZUsv
+            blYvS0l3ZHczaVcvZDE3U0k4ejVtZmsKLS0tIC84WEE0WERiTCtKNTN0NmZUbDhV
-            bkx4ZVg4OXFUWUhPcTRmRERSQmZDUlUK4jdVIeagp0RJ0511jqT8GL9Y2gezzWD6
+            c1QwV1l5b1ZQNitFRnFhQmIzSWNZd2MKokg6XMIFfjxB6sO8EBjBc7E7Ur3zBw1o
-            hIYAXFePO/CkN/RA7DF0Y72fawmRWdPjipaFOMMZcKn7FClsZzqVtw==
+            akXuA4I1Xw2H1W8B6HkVSDp4BpBEe8xi0z8TUmzkA9/IBoypG5EJKA==
            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1ug30gg4y7ftuya0wdv7q0vh4egn00wlv2th7mt7cgc2ze46wmvyq9lq6ge
+        - recipient: age17tagmpwqjk3mdy45rfesrfey6h863x8wfq38wh33tkrlrywxducs0k6tpq
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWcnBRdEJodU8wbGZlV01t
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrQzVtTFRFTnNNQTFXL2dF
-            VDBPOXRJY2NtK1l0UTZhSHFDQk1JWHVtcWlBCnBEeWRkZnUvbnZMV0hNbjkrNkZD
+            UC84d1o5Z0p2by80QW9Sck8zVHJvMjdjd25nCitBRWtzVVdTUU85RzFpN1FmOVQ1
-            MjFwaUFyVjlkN3o4SHMxMlFpcnpEZlEKLS0tIFFxN0doOExOak5kUFhyZWVtWWRk
+            SlNESXBKc1BUdTRaWk5nSENvUXdraWMKLS0tIDlkUFZRVUV2Qi9iSUpFRmN1Tm5S
-            QlEyZUlveXVvZ2d3M1dqSkVlV0s2djgK4QAE3eKNYKN12CBteu897jQ8+4sbxBAM
+            dW9lTkxsNXBBN0wwZ0NFbThRdzlvOU0KbLzteBt0VTr825sfKLNs3i3FT0/dgn2z
-            wC/mzVvdlf2WXIF6m+R1ugDyQdWZeWZiGcZMX+BwwqE7Qu2egUdxqg==
+            kOpJQf7KZKEVBkInUOkPmobtw6oM9vfWha035tTJPYjWy+Lp939tBw==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1mrnldl334l2nszuta6ywvewng0fswv2dz9l5g4qcwe3nj4yxf92qjskdx6
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4ZHNYRldRR3N2eVR0TFhO
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCR25sQzNkMHhETzY5cXRm
-            bi83WnNRT2lRUUVUSDhhQXg5U2RmQTN6RW0wCkswRlgycCs2RWxVQUVTcWcreTVp
+            Y3QzYXZOemFTTmN3aTVpODlQclB1Y0JRNlRRCi9wQWVGUVFYd3ppMUVMdUVQNnBC
-            R1JScWViT1FXUGhVYW1KNTZ6eFdaeEEKLS0tIFpyeCtmRDZtOWY0OEZRZk4vVUhh
+            bVVRVHlsTWIzMitqNlQxN2NKcWl3a28KLS0tIEJrNk44TEN0ZzJ5L0JaKzFZaE9M
-            VnlnZFFDOHNKejBQNEUvUG5xTkphOW8KXskAnKTfKQmQOhgcmGsIA3XXfWfubBeA
+            MmxPN3RUT0hDRW9MSm92LzZJY1lCZlUKM+r/35me5K74KkidKLUTZxqMqR++izHK
-            QQQ3YSlLKPd9czV13SpSo9IDr/jWCUHF5SblpOD4t/ZFZR4ajV/VQQ==
+            69gXZEHY+ZSvJ+9IBzcIxcFdSFyVUAN7wobBWZGDxmGJRClS/8jcHw==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1hmpdk4h69wxpwqk9tkud39f66hprhehxtzhgw97r6dvr7v0mx5jscsuhkn
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEQTdHaXRLTFROWVE3dVR5
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXbzZHMHVqVkVrTVdiUmli
-            YlV4VGNsd0hCNjc1U3ZOZFVHRVB1cFF3QXdnCkExQTlqalJXVkp1Umt4SDZJME5q
+            OVhhVTZhbVRVU3VKd1Jxa0Y5dlFReXQ0QmlZCkVtVEhCcVlHamozeDYrQlVvRjlZ
-            R2tmbmNaKzRISkRQN2MrQXY3OGdINU0KLS0tIEtjcDI5WlVPQmFVU1NzNWxZSHQw
+            YUNXM3FML2ZLOW5PZ0tpZjlPc2lpdlkKLS0tIHVXZHoyRmlscSt2TlpLb2lDd3Bt
-            dE9kZW9OK3FPRHc3YUVobjlwZVpUNDgKeIL32Sbecv/d0FFX+FKYxQqyyiipZbW4
+            bmJJS3JPWlVMd0FRaExUZEZMdXk5N0kKY6qYVva2aOkvo1huKH50gkT1iQAUhZCB
-            GxOVsjUaZsifGsCdT9V2xNlXsuYmoc98azFqRHq9W1VbXP+sUuk9mg==
+            ieUD1aQumHe1OYVeEWJCf2nYgApwq1tPjea5nqc4VzOogTbLVcKMFA==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1wrssr4z4g6vl3fd3qme5cewchmmhm0j2xe6wf2meu4r6ycn37anse98mfs
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1Q3lUUS9wMGI5V1NiOWZZ
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrNWc0RVNQRzJkRTBKS2xD
-            dXppS0ZsL0VXODdsZTlnZW9OS1VjWGticHlzClZPNFBmWjA1dXFvMXlPekZoOEpr
+            R3ArQ2lkc3F3QXN3bldZbkJMaFhoaDI4Mm1RClhuSmdRbWxlM1lxOURRWWVocC9X
-            NHJtSEIxNU1nb1VDcFdqd3BCWVFEYkUKLS0tIEEwczZSSS80U1MyaW5yTnFZWDFO
+            dWFSOG5yN2x3Vm9CZ0pSN1BLTWk1ZmsKLS0tIHRpRmJmL3FmaTFpL0czV0tIOWhX
-            eVRpUDB1VjZkZTNVSFRRSFlqVUpBVUkK6X6Y0du2C6eslGR9O7r5Wg0P6GO/KBP7
+            NHZLaEx3dEozc21MR3ROWHRBQzR3T00KQQiQ4SxpyMTDZyGY7TZrdQEioZAB+BQ/
-            HQibU10/HhLOjdzj0LKQldHWDnDUzisUHQH2srRSzCg+RQ/FL+BmUg==
+            u24WgbBdSP6VDvqmq2gG8BqZ3Aog2/7SQ0CVzrsimAoXi7YCWCTetA==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1zhxul786an743u0fascv4wtc5xduu7qfy803lfs539yzhgmlq5ds2lznt5
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwUFZ1N01mQzZUOGdQemhM
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVcERwTTJmdlgvZjhWeTBP
-            VUYvSW53U3VpSnZIN2pHMlBlVzN2UFBiSzJZCkFUeGd2QTRud0tSWHZSSXVNT2dp
+            eGJ0aG5RQ0xrRVBSMldEMEFpUHo0TnM1aFNzCkhReEZ2dWVGelNadjdITCthcTZn
-            Z2UrTFFZeTV0dTNUSW0wbkFHV2tqZ1EKLS0tIHJJWGZYeEdSS2hSemtnMmh2c0xt
+            RzlQZmh0MzF5RmZGRW5UVXhYL3RHRFkKLS0tIEtrV1ZjQkovZFlmcDM2OUNYaHZx
-            MkZJS1JJUGZBSkU2bWRONHVNK1ZjNTQKbwBOAnmCTTlILx4MVZjt4qg4yIENrrgv
+            WDRSdDZRa1lIbEVTdDlhU1dwUXUzQTgK5iE4Cf/zjsPYHKcqYA0rFqY0TNcCnzNU
-            x3IogdZAHt5TNBM6TzFT7eEpvmS1WWMveeetT9jFb/rlTVroturzqQ==
+            vTM+cEPaA+/FXTwLfPpaiSkg5Fq8k2XdeMQsjQnglTBSWCwAJin27g==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-03-16T20:08:18Z"
+    lastmodified: "2024-04-20T23:41:59Z"
-    mac: ENC[AES256_GCM,data:C2tpWppc13jKJq5d4nmAKQOaNWHm27TKwxAxm1fi2lejN1lqUaoz5bHfTBA7MfaWvuP5uZnfbtG32eeu48mnlWpo58XRUFFecAhb9JUpW9s5IR3/nbzLNkGU7H5C0oWPrxI4thd+bAVduIgBjjFyGj1pe6J9db3c0yUWRwNlwGU=,iv:YpoQ4psiFYOWLGipxv1QvRvr034XFsyn2Bhyy39HmOo=,tag:ByiCWygFC/VokVTbdLoLgg==,type:str]
+    mac: ENC[AES256_GCM,data:38Ask+adT2FshF8DYEfCWeVWt4KiaJsTXhF7Ib3xxdfQ6vAixM2OXTaK/qqUvN6gQok9TFF+HMJBJ+jezV00nVcKUYn04FaU2/D2zdam44eEEYEEovmfAZ6vbC+CiDv4d/DCc3hnYtDZCEgUTfP4gsZ9rLZFAOwaOFWRJxcDi6Y=,iv:BzuWdTjn6LhscNeouHjM7IYKxTahA8PzzlHSCYZ618s=,tag:BWtPbNwzdOJb788eOO5ZNA==,type:str]
    pgp:
-        - created_at: "2025-12-01T10:58:21Z"
+        - created_at: "2024-08-04T00:03:54Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----
-            hQIMA0av/duuklWYAQ//fm0H3oXbEcd0f5QwmAggrRzyy49KMXXpZVFm3xa9K2AX
+            hQIMA0av/duuklWYARAAs0o2EHlphoU4JcO5fhmplhmHQp7GXjaUc5zakGACrl0w
-            W9+GJb9YDiCQ2shiKYas1QNcwxF8EQKWqDGGP5vHpUNb3el89sfE54qnz+MGcAiS
+            0NVVLXf3hlb3saPgbRkf+ugVXd5dRDYfa3vbIDKpQwHVLSNVrVb7M8eIc0RXM41q
-            eVqggFbtHlDFG6iYt4Rgng4CmVnPv+CKdFuRs0WWO4ouNbG8NKIuqXuDrGw7yxBE
+            MqpueXLo6YfxbgOvsfNlgCvDFgMoBMVv/rWz0QGTj8VCvD5AkxiLQJxZ8TnlKn0w
-            i4AvIynHHkrQ8Bu4KAgjhZOCTAd53TH6EFPa4qy1x9fe8Ki1QTJsBcNk4KXIT5ws
+            NF6yQ7LCGgKVU8YHpKYjPmmDU/VegRYVe6wz4ackk0MZ5ITSFXF4qOG93Uj2SZfe
-            LUzbcCFths5JzpEdCLEViaFP7joSSlXBKQ7AtAXdznmmrX5JhoiBIEHusYY7Hjoe
+            ocpPYZ9BrOnxzCYd9ZS1yUmMRLRC61l66oG1hGrBTN7fcmHZaycCdcvABWOB/fxJ
-            urzppufh38LF6KFCRAl7EltJPlenA6NhMlTg4jEEi2v6IjqcEGrj9kyAgBnS3uz8
+            940zMb5NYK6whToCWY++m3I6123k+/vLJe+3NoFc/wYdvpnxVqLZqijxYPZZkbRN
-            MtFovJ2IzENgsIWZxUxr9vbQQY5PYy9ZcJpEPBRVRDfP+tlNs+kA58AD5ZqLkZwM
+            gCtRE67AFWny0VQ2k1CGzBGbRAxM2EtIfDlbNgMUNBNuGST4tgxApp5QEa1yecHC
-            NOZmQZyjRP0L+8HfCiWRBt3dSJGabO4jNIBydKU40/2bTOIY8MnnYR9pss3qIRzf
+            mr3jDhR8UuFdIrq2sTz/uMUptTrsB3oaZmfuZ47pCVHtDNc2ri4U1gsI6oI03utO
-            TpePQd7PoGwcU446FV3py3yKecBUMEfb8uA0TYfp+7WMbJqetuQ+fGxCCNDDJKar
+            u/q6nMHiJlf8HUwI59GemBaHTiMgzKl0REAoV3SpdfjWSDZiro42au6E20M1dgup
-            gMSEhFhduTSvQQPGjZemI89qZhO/0HCxyMMYpIPNYwiohqIGXFfFzCjz+CCt9xOj
+            rQG8Gz33QnIHg5ezEHcTSeHk3SgMTbAqQy7/aD3pqI6wEgXqU2neDFZEkNu4FnzD
-            5eTg+MSV6R8njgbiOpYyrNJE1K9LpKtCZop6QWNtSusaoKOT1jCVQLhvFSNfOeTS
+            ofnm1oAGnbOIH2+SFtd33hDe/2nuFBo3CYEyz/fezhbMwCwoA4Iwd7FBQW4ideXS
-            XAFdZOYFB/qtaxBF5Uu++jz2MkFZKbSkD+1niVgmusJV/dGwNUU+pvX6Ua1tH3mi
+            XAGU2gt1hdPfgMQ55GeRI01C2dqiLQOpvTHy2uBl9ekPtSw2Ws27hVhdHvU7B5ZG
-            WAN4e6EtqtlL2BTIOAv6xPqMFYe7wQw5fdky8J8diGbBd1v77YXpibZoNWfd
+            Jr388jC5d5dKGNv1I8nVNlfmPvb4hwGazrHdCYiQdwrpggajFtWD/LIgUcW2
-            =Z56A
+            =aK5J
            -----END PGP MESSAGE-----
          fp: F7D37890228A907440E1FD4846B9228E814A2AAC
    unencrypted_suffix: _unencrypted
-    version: 3.9.4
+    version: 3.8.1
--- a/secrets/jokum/jokum.yaml
+++ b/secrets/jokum/jokum.yaml
@@ -11,82 +11,86 @@ matrix:
    registrations:
        mx-puppet-discord: ENC[AES256_GCM,data:nvWSaZ4we8BD50Op/bZMrlMXGBwzvG3IXGPGJe2paCZ10tTm9v4+aYGYhILNhcQM095AD9KdEJ44TAyPxZ/c5iYLqb/LJzEpa5X2jKoiF6r7PjNFGevKQs7fzJk4Y9MxHwZ2KJT+uHjtXF8erJvFDs3S3WgmuAQW1U9b5fYQNc4ZF0tY+BsWU2ehqMejpx7w93TkcIiZY7Uoj4kPMEp8aI6v/7VPIjM9g7b+R5KGZ1/yIpiNCzZuT+x2mxCtqGfbOynWON8PaCIojp7sbLaRWhX2bd4GG2wP3T5MsgwjJzQSfyXjK1Dyxzr8fVmh0R2mJoZHTYNQLLwYncLwqXQEHr6tXNWPTwxPslW+BdLsp/8//m0F04vUf4Z0dbf22NSaPkH9GdRLB3zXh07VxqG+B7OvAjDULHUmA5uwgtZq9h0G73TWDJ8U75eAxrTdsgQgmIsyhpLljFW2QSnOPL/93ieovh5qRgXjgyqrljDOkB+fhC0gdQalPeBM8l5zPI8aaJsVp/l15rx4nUIrFka0g+v+SRhAIPtQAKA=,iv:3gzyGz7T9PK/J92X46YXYT98bpTnx1uPiiwXuls/kOA=,tag:Vm+zNmA53HIb2dP8FIgP6Q==,type:str]
 sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age:
        - recipient: age1gp8ye4g2mmw3may5xg0zsy7mm04glfz3788mmdx9cvcsdxs9hg0s0cc9kt
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvKzl4b1VWTHQ2bGI4bXJl
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmLzAzMzNCdGxSMVdiNUVK
-            SFNhY2xVNm9XdG56akFWZkR5NHliUnpFaTFJCkhRY2hONTVvRkZaN0JrM0lkZUVu
+            SFlJeTEyRW5SenQrMnFGZEJ5TGJxNDIvSmhzCkdBUnYvNDVxZ1ZNSkYxanZQY3Iw
-            N3kxWVBWOUV2WHJMZ3Jsd24rOS9hc2cKLS0tIHFDWXBMcmppeHJBb3RLZ08rdVlE
+            akhuK01haFVRTUlKcjloVU9QVmhldGMKLS0tIDZmMjk1WlNNYUFXN2pWQ0oxRjRv
-            R00zS0R1Q29QYUlTamI3MkhNNWpaZ2cKMTZ8G2ZVNsAKgZj8B857eH4yfw/fvwtJ
+            bzFmcnJUaUJmU2pCZTRnRTZZZHVkQnMKrKLbYFE2+0rj5BUchhYtWghzbRJTFDaY
-            YmDTcA0w+uXI+qTtSLs/UPQ54KcW7zNvMUUSoyKrYSDul0SFUDk+Vw==
+            +RQpJC+5gSinmUuP3nMGR2bv+gL9v/EOJKeVrC7/sZM9mQeXI36CUg==
            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1ug30gg4y7ftuya0wdv7q0vh4egn00wlv2th7mt7cgc2ze46wmvyq9lq6ge
+        - recipient: age17tagmpwqjk3mdy45rfesrfey6h863x8wfq38wh33tkrlrywxducs0k6tpq
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3U1hmbE0rWVYvenhwQUpQ
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtU0xjY0NEelJvaFJEdjl0
-            NFlKcFZtMWVWNGU3cVkvcVY1Mklyb0x6cHg0CkhGTHZPZEFCSnV1aFB0eG1ZOHNU
+            YVVDYXFxbFg4d241ZjdRRjZVM1lJd0R3NldJCjJQRW9EOGMrcHRUNlRhNEJ3cWhS
-            UGJLY3BxOHF6V3NuWGZJUWkzcEVUc2cKLS0tIHhVY2xjaXZCdXR3VU92UUE4eWFF
+            UWlycHYvaXA4TkxEVjZ1QThQUTlrcjAKLS0tIHNXWk1mQWJFcmU1Qmp4a3YrRngy
-            RHNtb1RlUmdpd0RibFlES0FDRjg3RFUKFBfH7eVw3j9wFWYjK3nwd5BuW9V4R29U
+            LzZ3bU1nd0FLa0hNR25CY0hzNS9GZjQKRoRMDXESUtwRGDat2gJ9Fjqy/m6FThzk
-            sD/5X7wLRmfo0zCNkf50RnN3oxiP5Sj8zprQnaZMX95EGZXgqeWuWQ==
+            k6byBSt605skrUd2YQZ+JF9cUs6p9y9Fm6t+HfK/kHQ7jchiS3ZLmQ==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1mrnldl334l2nszuta6ywvewng0fswv2dz9l5g4qcwe3nj4yxf92qjskdx6
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXMGc0a2FyTU9MaThIUDlz
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuSjFQb0I4eHlhL0NMN1ZF
-            VWJTOC9ZUktuejl6WFRtdlV5VEFIakZHeENvCkpFRDF4RDRQMnpjZTNCdkE1cWlO
+            WldhZ2ZiTTZDMXM3aXgxeHUyZm43dmVVNlFvCnQzd0VYdVd1azB4dlJkdDd3bE0r
-            VExPNXdxcGk5RTVEUE5KcHY1U1M5VTAKLS0tIEIramZ4R2sycnFnS3AvMWZ2Q1RK
+            VHlwMFZzaUhkVzhhanl4cWxGWUlDWFEKLS0tIFdWck9qVVRoTWZsK2RNYzF2WEhN
-            dGhDZnVraGlQQkFzdHBRUjEyWEJFMlkK0M3q1NqZdaC9E1hSUOwdTOUWdyvW1xPb
+            eFpOY1UzWHpYb3p4eDNRU1VSdnJyZ0UKrF9vihQPmmv4nrDf+tPAssfZLNJbdK1L
-            E/9SHuRZ+YTzXiECIEx/4ZiQEEcCWOS/wLTQjYpzoozBrmrjGaKC3Q==
+            N4IlFTUPchiPW1ss22bjtiooekHAuP4ygePYLKlKEi3w1SsKa9REGg==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1hmpdk4h69wxpwqk9tkud39f66hprhehxtzhgw97r6dvr7v0mx5jscsuhkn
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJTXJkckNBWERIWUNXMERK
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEZEhYTVRBWVJkYndjOEZq
-            UzRnL2FJaUlLTmxvYTBQTXlvSTRvbmhmajFJCnNCZjdxUXpVNDlwY1JDaDNCbWlH
+            WlF1UCtJN3Uwb0FNdHJITTdiTXZVRWQyUFh3CkJOOHRHSHhXdW5uTEhVeTFHWWNi
-            ZWJFR1o2YkxLMlVNWStoYnFYL2pNcmsKLS0tIEEzM1ZIN3dBb2paeWcxa0hJSDN2
+            QTd1cW5YTkFJZTRaN2RaMnRKQi93T1UKLS0tIEwzSnVleWduTkRhMnduNVFEMjFL
-            a01lK3hSa3prWERxQ1Z6Q3A5OW42NnMKxfCqjDityZvhOoH1DG0JJuEvowlzFBVv
+            NmVHOFd6eVhXdTQ3RE1adkhUaHB3TVEKPFmS1njkM6FPToIKML396vfM3T39co/v
-            WOofbRQ7HdB17OyZh3u5Kbd37D65bbse4HVUaL3NDbdfpUxsbZIUAg==
+            mvyOUCq921mTIzlPfVpfpXd9pmiyMKi/spDS4xZ2nFLyHMhXMKW20A==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1wrssr4z4g6vl3fd3qme5cewchmmhm0j2xe6wf2meu4r6ycn37anse98mfs
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkcExDUDNndXRLY2J5NnpD
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXbDVRaU9pTkROV0VoNm5p
-            YTFnWndXYWZvRG1EdGZZekZXYUtBOXFVOVVvCmJJOEc2MVhqSDJPRTBVRU0xcElK
+            VUhsenhxR1cyTFZVeDJZd1gvVUx6TXdQY3hzCnBwUDZmaE5FdFdVODZFN0lxbTdB
-            SzJYS092eXc2WWExVFFheUZnLzlHb3cKLS0tIHJPRUt0RnlzWGozM1NtTlNzbzVK
+            dXRBVHpUak00RnZBRUpGeFRuajhZK2cKLS0tIGRaODBlM1FnRU5iV0RrWDlEMHUr
-            WUtwa3NvWDlsYmwyalYyL2FoNVBhaDgKiRmCO8OOU94uxnzUmGwnUjipDBVeF88x
+            U3AybkRZV2EzVjE1QktEcjdwNG00dXcKnWaJwHyA4Q5RFgOWg3wbPwL4E8Mgijph
-            hF92Hj7+9yBaEi4O1Je0b3ShjHfEsg690ajQKkzojGDX/awkdlcF1Q==
+            wCuujSzIUMGBqIBzr6ADbQ38lnUSKjGz8EQyrIa4/vILXzuJ/44SbQ==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1zhxul786an743u0fascv4wtc5xduu7qfy803lfs539yzhgmlq5ds2lznt5
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyc1NLMmZzRUt5TWpyaXhH
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyQ3RYV2tYVy9ubFQ2cTg3
-            c01CYTJsQUdBWmZ5eEVRWXduL2ZLQ1crTHgwCndRYzQ1ZU9ybmxlRlZtUVFnL21m
+            L0xqNlcycHZiU2hlRGxmd05EZldMa0xMWENzCkhHdmR0dVRYMjZkdit0Mjc4dy9X
-            eDhYZy82RFJqb1Y4Q1pZMTRRRHpQa2sKLS0tIEk0enhSL0Jjcld0QXNCbjNKNjJm
+            ZEtLY3hrbUZjaXpCdHBhVm9wZkJ0WlUKLS0tIHdsNHhNSEZVSHRuWE9tOXdoY3ZK
-            c241QUEvbE9iL2RPTFJCQ1dvVW9kVkEK3N7ojkIdpcN/ui1xw7IEzBKduk9aDKrt
+            Ti9TOVhUWVdsVmw2U2ZvazVKajJSRTAKnAxtMLh5U4xL3UsLehdo2JMBRcX9Vy+X
-            KajZLOkcaJWsYZISxP8kmN3CGOBlOx77MxC/rV1yM+/Su0S0TxIC1A==
+            oWlgVviORYtHaaU7Y9MFTmhV3OS+He38wX0l4NZOI0d8mZ/6uJ1JMA==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2023-02-13T00:12:03Z"
    mac: ENC[AES256_GCM,data:FolV94dIwYSL5r1ZHTPdmqMKVTAhrnePG+5M4S1H/wBYbED3sr6oPPmmxwiwm5E4K0YR1+ou4yR/vGTV3lfRdxIGWhfAT0WW8WGTZVIlcJCEk5H7Rels6rkma12BCjZ1zOGjZZCcFTm+4NI2KNv+zTc29zry4539jkkxk+8Skog=,iv:KBxSFVaFI3S5J9xG2Lc7FINUI8TRKxPtrbP3f2wXkHo=,tag:TWAtix03ZnB71+O7cF8b4A==,type:str]
    pgp:
-        - created_at: "2025-12-01T10:58:23Z"
+        - created_at: "2024-08-04T00:04:00Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----
-            hQIMA0av/duuklWYAQ//R733yCFFSYFZX2bORvyI/xgHjzxNxWPkVZagrWDvjthK
+            hQIMA0av/duuklWYAQ//QIfxaAOVl0QStvZe6irI0GHS8+7EExn88dP1QdMnVijv
-            zJH6EiHZrivSRx6cXQIQ4SoR0LWHNidmIj188l8oB/Dh7jj42zd93+U99EeUhVNs
+            W/IiVffs/Bb0t0hcNFY3SaU4ea+zOT5bdMOlQGA383hTYvwXXdI+uSFmn3hrysZS
-            qPN9C88/e/tEWs05HTSm4oUQpoSeDVBeZEd+du+eP+DJWypSi63fh5sqjPrPHXdq
+            eY7394Z9c8jubEDXfJOHTt0mbpfzOglZjiCcQYnZlhkgOzilDXMCjVsjVvuAN0bz
-            apayt9XGSGBIhWsACb9d56VqCb1eNF/SOcOTLPHWvA074TxmvcbWH5CfiqQLcYGd
+            MFN/DjC50fIdlaeWe7h7NgK3Mu9j39tUrgDCGn2YlCycxcpPz8+83Ge8bOnyskZs
-            r600nWol5qhmCqgiLFueUiYDikKVHi+MitatCM15yrnMi0ZLp3B32n3zPjbTUpAh
+            P/04wfkOGSrwb1ingxHjZP9lR2NABdqOqSBzC+x7EQs6xNAmC4XayeTnASBDYp8B
-            0NHtXHhH4ihBqWxnVSTqAqWiqM+oMORhzVatq0PjUq20XayELsY8yn7YvtJMZLjD
+            +H/3Hiv1nWtS//PQr/5+KHR1/iLaSNI2fUAUFimIwEQTU1vpMaV2tVmJtpmSQRAg
-            CstNQc6NqYxwjLpsuqZQHse5MnAgXapp5ogKLpjxRX9ZKWo5QD1VDB4wELG16sdv
+            MpwljVoCSWvhmU4oZU8ObTjcMy58YfWHIOcIN2HHgWBVdITve3sca6J1VHs0rWFm
-            h/ZvS7nh0mMWRRyXAe5OL8vTJIeiQBday5aVgqk58OrdhzVtqp3isIKRb5W92W4z
+            4tqPElsfa59WPy3HKLGg8pPahoBlj4X1PGJVHxXBMJsPnbX0gg6V7ajQaVdOsJAF
-            53Cw23prLhZnVssMLQiKUVFTIu2f1d907Kj+sH5AUybkbt93T7m/NCaEpDyxPPur
+            LMgAel7eNq0KBzk/rrVRoV5ii2lipUtKmb+FKTXKvSnwgqhVNkRppsl9BqgeXvTR
-            QDOT1KFFVTQIBHLyqg8pASJyJMiuSuQ3cbFkTDWrOWpKEDfpxo9Vy64dEKNCeWMb
+            P7AsKnNgQBydz9vDTkDOuspyTluDmhXkwNQyhjH0enPAyeQWN2qs/A8qgmfdTXff
-            XhVHWMIJXmLXalPePDaCEYCkR8usWZpQsRei2DHaRbXt1dcOjWuLOZeHNizy7CbS
+            TzvlfOEy/6r4zl7V+L+qcw0pYrzi5K2CtemN8TlGhRvAYgiURY/78kD6EGrjMLLS
-            XAGkGgNySuI5IFbVBfKG0OaYXu6PM4Kbh8XBnxxREaSH+EiEe11ig6CImV2pbcbU
+            XAHBQn0q8dYgKf2uA0JcfNehgpI5fr3gZxQFKhnuXkXRa5h9hMn1mzdhtO4VyN1e
-            pfHSdTioB03UnQvgVSP2M2DgMr3dkJnqXKrzRO80kVBd9uwR4I/1TUzsk0K+
+            d8eL57iFeApC9SAmAGMOz0DBbskD470qnYObUliViWQpcj2VR6W4BwZG28QX
-            =4Nje
+            =iviy
            -----END PGP MESSAGE-----
          fp: F7D37890228A907440E1FD4846B9228E814A2AAC
    unencrypted_suffix: _unencrypted
--- a/Show More
+++ b/Show More