WIP

2026-06-16 09:39:14 +02:00 · 2026-05-25 12:31:29 +09:00
12 changed files with 151 additions and 416 deletions
@@ -3,10 +3,6 @@
  systemd.network.enable = true;
  networking.domain = "pvv.ntnu.no";
  networking.useDHCP = false;
  # networking.search = [ "pvv.ntnu.no" "pvv.org" ];
  # networking.nameservers = lib.mkDefault [ "129.241.0.200" "129.241.0.201" ];
  # networking.tempAddresses = lib.mkDefault "disabled";
  # networking.defaultGateway = values.hosts.gateway;
  # The rest of the networking configuration is usually sourced from /values.nix
@@ -212,7 +212,6 @@
          ];
          overlays = [inputs.dibbler.overlays.default];
        };
        dagali = stableNixosConfig "dagali" { };
        shark = stableNixosConfig "shark" {};
        wenche = stableNixosConfig "wenche" {};
        temmie = stableNixosConfig "temmie" {};
@@ -7,6 +7,7 @@
    ./services/nginx
    ./services/calendar-bot.nix
    ./services/garage.nix
    #./services/git-mirrors
    ./services/minecraft-heatmap.nix
    ./services/mysql
@@ -0,0 +1,143 @@
 { config, lib, pkgs, ... }:
 let
  cfg = config.services.garage;
 in
 {
  sops.secrets = lib.mkIf cfg.enable {
    "garage/rpc-secret" = {
      owner = "garage";
      group = "garage";
      restartUnits = [ "garage.service" ];
    };
    "garage/admin-token" = {
      owner = "garage";
      group = "garage";
      restartUnits = [ "garage.service" ];
    };
    "garage/metrics-token" = {
      owner = "garage";
      group = "garage";
      restartUnits = [ "garage.service" ];
    };
  };
  services.garage = {
    enable = true;
    package = pkgs.garage_2;
    settings = {
      data_dir = [
        {
          capacity = "50G";
          path = "/var/lib/garage/data";
        }
      ];
      metadata_dir = "/var/lib/garage/meta";
      db_engine = "lmdb";
      replication_factor = 1;
      rpc_bind_addr = "[::]:3901";
      rpc_secret_file = config.sops.secrets."garage/rpc-secret".path;
      s3_api = {
        s3_region = "eu-central";
        api_bind_addr = "[::]:3900";
        root_domain = ".garage.pvv.ntnu.no";
      };
      # s3_web = {
      #   bind_addr = "[::]:3902";
      #   root_domain = ".garage-web.pvv.ntnu.no";
      #   index = "index.html";
      # };
      admin = {
      #   api_bind_addr = "[::]:3903";
        admin_token_file = config.sops.secrets."garage/admin-token".path;
        metrics_token_file = config.sops.secrets."garage/metrics-token".path;
      };
    };
  };
  users = lib.mkIf cfg.enable {
    users.garage = {
      isSystemUser = true;
      group = "garage";
    };
    groups.garage = { };
  };
  systemd.tmpfiles.settings."10-garage" = lib.mkIf cfg.enable {
    "/data/garage/data".d = {
      user = "garage";
      group = "garage";
      mode = "0770";
    };
    "/data/garage/meta".d = {
      user = "garage";
      group = "garage";
      mode = "0770";
    };
  };
  systemd.services.garage = lib.mkIf cfg.enable {
    serviceConfig = {
      DynamicUser = false;
      User = "garage";
      Group = "garage";
      BindReadWritePaths = [
        "/data/garage/data:/var/lib/garage/data"
        "/data/garage/meta:/var/lib/garage/meta"
      ];
      LoadCredential = [
        "rpc_secret_path:${config.sops.secrets."garage/rpc-secret".path}"
        "admin_token_path:${config.sops.secrets."garage/admin-token".path}"
        "metrics_token_path:${config.sops.secrets."garage/metrics-token".path}"
      ];
      Environment = [
        "GARAGE_ALLOW_WORLD_READABLE_SECRETS=true"
        "GARAGE_RPC_SECRET_FILE=%d/rpc_secret_path"
        "GARAGE_ADMIN_TOKEN_FILE=%d/admin_token_path"
        "GARAGE_METRICS_TOKEN_FILE=%d/metrics_token_path"
      ];
    };
  };
  services.nginx = lib.mkIf cfg.enable {
    upstreams.s3_backend.servers = {
      "[::1]:3900" = { };
    };
    # upstreams.web_backend.servers = {
    #   "[::1]:3902" = { };
    # };
    virtualHosts."garage.pvv.ntnu.no" = {
      serverAliases = [ "*.garage.pvv.ntnu.no" ];
      enableACME = true;
      # useACMEHost = "garage.pvv.ntnu.no";
      forceSSL = true;
      locations."/" = {
        proxyPass = "http://s3_backend";
        extraConfig = ''
          client_max_body_size 64m;
          proxy_max_temp_file_size 0;
        '';
      };
    };
    # virtualHosts."garage-web.pvv.ntnu.no" = {
    #   serverAliases = [ "*.garage-web.pvv.ntnu.no" ];
    #   useACMEHost = "garage-web.pvv.ntnu.no";
    #   forceSSL = true;
    #   locations."/" = {
    #     proxyPass = "http://web_backend";
    #   };
    # };
  };
 }
@@ -1,78 +0,0 @@
 # Tracking document for new PVV kerberos auth stack
 ![Bensinstasjon på heimdal](https://bydelsnytt.no/wp-content/uploads/2022/08/esso_heimdal003.jpg)
 <div align="center">
  Bensinstasjon på heimdal
 </div>
 ### TODO:
 - [ ] setup heimdal
  - [x] ensure running with systemd
  - [x] compile smbk5pwd (part of openldap)
  - [ ] set `modify -a -disallow-all-tix,requires-pre-auth default` declaratively
  - [ ] fully initialize PVV.NTNU.NO
    - [x] `kadmin -l init PVV.NTNU.NO`
    - [x] add oysteikt/admin@PVV.NTNU.NO principal
    - [x] add oysteikt@PVV.NTNU.NO principal
    - [x] add krbtgt/PVV.NTNU.NO@PVV.NTNU.NO principal?
      - why is this needed, and where is it documented?
      - `kadmin check` seems to work under sudo?
      - (it is included by default, just included as error message
         in a weird state)
    - [x] Ensure client is working correctly
      - [x] Ensure kinit works on darbu
      - [x] Ensure kpasswd works on darbu
      - [x] Ensure kadmin get <user> (and other restricted commands) works on darbu
    - [ ] Ensure kdc is working correctly
      - [x] Ensure kinit works on dagali
      - [x] Ensure kpasswd works on dagali
      - [ ] Ensure kadmin get <user> (and other restricte commands) works on dagali
    - [x] Fix FQDN
      - https://github.com/NixOS/nixpkgs/issues/94011
      - https://github.com/NixOS/nixpkgs/issues/261269
      - Possibly fixed by disabling systemd-resolved
 - [ ] setup cyrus sasl
  - [x] ensure running with systemd 
  - [x] verify GSSAPI support plugin is installed
    - `nix-shell -p cyrus_sasl --command pluginviewer`
  - [x] create "host/localhost@PVV.NTNU.NO" and export to keytab
  - [x] verify cyrus sasl is able to talk to heimdal
    - `sudo testsaslauthd -u oysteikt -p <password>`
  - [ ] provide ldap principal to cyrus sasl through keytab
 - [ ] setup openldap
  - [x] ensure running with systemd
  - [ ] verify openldap is able to talk to cyrus sasl
  - [ ] create user for oysteikt in openldap
  - [ ] authenticate openldap login through sasl
    - does this require creating an ldap user?
 - [ ] fix smbk5pwd integration
  - [x] add smbk5pwd schemas to openldap
  - [x] create openldap db for smbk5pwd with overlays
  - [ ] test to ensure that user sync is working
  - [ ] test as user source (replace passwd)
  - [ ] test as PAM auth source
  - [ ] test as auth source for 3rd party appliation
 - [ ] Set up ldap administration panel
  - Doesn't seem like there are many good ones out there. Maybe phpLDAPAdmin?
 - [ ] Set up kerberos SRV DNS entry
 ### Information and URLS
 - OpenLDAP SASL: https://www.openldap.org/doc/admin24/sasl.html
 - Use a keytab: https://kb.iu.edu/d/aumh
 - 2 ways for openldap to auth: https://security.stackexchange.com/questions/65093/how-to-test-ldap-that-authenticates-with-kerberos
 - Cyrus guide OpenLDAP + SASL + GSSAPI: https://www.cyrusimap.org/sasl/sasl/faqs/openldap-sasl-gssapi.html
 - Configuring GSSAPI and Cyrus SASL: https://web.mit.edu/darwin/src/modules/passwordserver_sasl/cyrus_sasl/doc/gssapi.html
 - PVV Kerberos docs: https://wiki.pvv.ntnu.no/wiki/Drift/Kerberos
 - OpenLDAP smbk5pwd source: https://git.openldap.org/nivanova/openldap/-/tree/master/contrib/slapd-modules/smbk5pwd
 - saslauthd(8): https://linux.die.net/man/8/saslauthd
@@ -1,51 +0,0 @@
 { config, pkgs, values, lib, ... }:
 {
  imports = [
    ./hardware-configuration.nix
    ../../base.nix
    ../../misc/metrics-exporters.nix
    ./services/heimdal.nix
    #./services/openldap.nix
    ./services/cyrus-sasl.nix
  ];
  # buskerud does not support efi?
  # boot.loader.systemd-boot.enable = true;
  # boot.loader.efi.canTouchEfiVariables = true;
  boot.loader.grub.enable = true;
  boot.loader.grub.device = "/dev/sda";
  # resolved messes up FQDN coming from nscd
  services.resolved.enable = false;
  networking.hostName = "dagali";
  networking.domain = lib.mkForce "pvv.local";
  networking.hosts = {
    "129.241.210.185" = [ "dagali.pvv.local" ];
  };
  #networking.search = [ "pvv.ntnu.no" "pvv.org" ];
  networking.nameservers = [ "129.241.0.200" "129.241.0.201" ];
  networking.tempAddresses = "disabled";
  networking.networkmanager.enable = true;
  systemd.network.networks."ens18" = values.defaultNetworkConfig // {
    matchConfig.Name = "ens18";
    address = with values.hosts.dagali; [ (ipv4 + "/25") (ipv6 + "/64") ];
  };
  # List packages installed in system profile
  environment.systemPackages = with pkgs; [
    # TODO: consider adding to base.nix
    nix-output-monitor
  ];
  # This value determines the NixOS release from which the default
  # settings for stateful data, like file locations and database versions
  # on your system were taken. It‘s perfectly fine and recommended to leave
  # this value at the release version of the first install of this system.
  # Before changing this value read the documentation for this option
  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
  system.stateVersion = "24.05"; # Did you read the comment?
 }
@@ -1,33 +0,0 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 { config, lib, pkgs, modulesPath, ... }:
 {
  imports =
    [ (modulesPath + "/profiles/qemu-guest.nix")
    ];
  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ ];
  boot.extraModulePackages = [ ];
  fileSystems."/" =
    { device = "/dev/disk/by-uuid/4de345e2-be41-4d10-9b90-823b2c77e9b3";
      fsType = "ext4";
    };
  swapDevices =
    [ { device = "/dev/disk/by-uuid/aa4b9a97-a7d8-4608-9f67-4ad084f1baf7"; }
    ];
  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
  # (the default) this is the recommended approach. When using systemd-networkd it's
  # still possible to use this option, but it's recommended to use it in conjunction
  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
  networking.useDHCP = lib.mkDefault true;
  # networking.interfaces.ens18.useDHCP = lib.mkDefault true;
  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
 }
@@ -1,21 +0,0 @@
 { config, ... }:
 let
  cfg = config.services.saslauthd;
 in
 {
  # TODO: This is seemingly required for openldap to authenticate
  #       against kerberos, but I have no idea how to configure it as
  #       such. Does it need a keytab? There's a binary "testsaslauthd"
  #       that follows with `pkgs.cyrus_sasl` that might be useful.
  services.saslauthd = {
    enable = true;
    mechanism = "kerberos5";
    config = ''
      mech_list: gs2-krb5 gssapi
      keytab: /etc/krb5.keytab
    '';
  };
  # TODO: maybe the upstream module should consider doing this?
  environment.systemPackages = [ cfg.package ];
 }
@@ -1,100 +0,0 @@
 { config, pkgs, lib, ... }:
 let
  realm = "PVV.LOCAL";
  cfg = config.security.krb5;
 in
 {
  security.krb5 = {
    enable = true;
    # NOTE: This is required in order to build smbk5pwd, because of some nested includes.
    #       We should open an issue upstream (heimdal, not nixpkgs), but this patch
    #       will do for now.
    package = pkgs.heimdal.overrideAttrs (prev: {
      postInstall = prev.postInstall + ''
        cp include/heim_threads.h $dev/include
      '';
    });
    settings = {
      realms.${realm} = {
        kdc = [ "dagali.${lib.toLower realm}" ];
        admin_server = "dagali.${lib.toLower realm}";
        kpasswd_server = "dagali.${lib.toLower realm}";
        default_domain = lib.toLower realm;
        primary_kdc = "dagali.${lib.toLower realm}";
      };
      kadmin.default_keys = lib.concatStringsSep " " [
        "aes256-cts-hmac-sha1-96:pw-salt"
        "aes128-cts-hmac-sha1-96:pw-salt"
      ];
      libdefaults.default_etypes = lib.concatStringsSep " " [
        "aes256-cts-hmac-sha1-96"
        "aes128-cts-hmac-sha1-96"
      ];
      libdefaults = {
        default_realm = realm;
        dns_lookup_kdc = false;
        dns_lookup_realm = false;
      };
      domain_realm = {
        "${lib.toLower realm}" = realm;
        ".${lib.toLower realm}" = realm;
      };
      logging = {
        # kdc = "CONSOLE";
        kdc = "SYSLOG:DEBUG:AUTH";
        admin_server = "SYSLOG:DEBUG:AUTH";
        default = "SYSLOG:DEBUG:AUTH";
      };
    };
  };
  services.kerberos_server = {
    enable = true;
    settings = {
      realms.${realm} = {
        dbname = "/var/lib/heimdal/heimdal";
        mkey = "/var/lib/heimdal/m-key";
        acl = [
          {
            principal = "kadmin/admin";
            access = "all";
          }
          {
            principal = "felixalb/admin";
            access = "all";
          }
          {
            principal = "oysteikt/admin";
            access = "all";
          }
        ];
      };
      # kadmin.default_keys = lib.concatStringsSep " " [
      #   "aes256-cts-hmac-sha1-96:pw-salt"
      #   "aes128-cts-hmac-sha1-96:pw-salt"
      # ];
      # libdefaults.default_etypes = lib.concatStringsSep " " [
      #   "aes256-cts-hmac-sha1-96"
      #   "aes128-cts-hmac-sha1-96"
      # ];
      # password_quality.min_length = 8;
    };
  };
  networking.firewall.allowedTCPPorts = [ 88 464 749 ];
  networking.firewall.allowedUDPPorts = [ 88 464 749 ];
  networking.hosts = {
    "127.0.0.2" = lib.mkForce [ ];
    "::1" = lib.mkForce [ ];
  };
 }
@@ -1,121 +0,0 @@
 { config, pkgs, lib, ... }:
 {
  services.openldap = let
    dn = "dc=pvv,dc=ntnu,dc=no";
    cfg = config.services.openldap;
    heimdal = config.security.krb5.package;
  in {
    enable = true;
    # NOTE: this is a custom build of openldap with support for
    #       perl and kerberos.
    package = pkgs.openldap.overrideAttrs (prev: {
      # https://github.com/openldap/openldap/blob/master/configure
      configureFlags = prev.configureFlags ++ [
        # Connect to slapd via UNIX socket
        "--enable-local"
        # Cyrus SASL
        "--enable-spasswd"
        # Reverse hostname lookups
        "--enable-rlookups"
        # perl
        "--enable-perl"
      ];
      buildInputs = prev.buildInputs ++ [
        pkgs.perl
 	# NOTE: do not upstream this, it might not work with
 	#       MIT in the same way
        heimdal
      ];
      extraContribModules = prev.extraContribModules ++ [
        # https://git.openldap.org/openldap/openldap/-/tree/master/contrib/slapd-modules
        "smbk5pwd"
      ];
    });
    settings = {
      attrs = {
        olcLogLevel = [ "stats" "config" "args" ];
        # olcAuthzRegexp = ''
        #   gidNumber=.*\\\+uidNumber=0,cn=peercred,cn=external,cn=auth
        #         "uid=heimdal,${dn2}"
        # '';
        # olcSaslSecProps = "minssf=0";
      };
      children = {
        "cn=schema".includes = let
          # NOTE: needed for smbk5pwd.so module
          schemaToLdif = name: path: pkgs.runCommandNoCC name {
            buildInputs = with pkgs; [ schema2ldif ];
          } ''
            schema2ldif "${path}" > $out
          '';
          hdb-ldif = schemaToLdif "hdb.ldif" "${heimdal.src}/lib/hdb/hdb.schema";
          samba-ldif = schemaToLdif "samba.ldif" "${heimdal.src}/tests/ldap/samba.schema";
        in [
           "${cfg.package}/etc/schema/core.ldif"
           "${cfg.package}/etc/schema/cosine.ldif"
           "${cfg.package}/etc/schema/nis.ldif"
           "${cfg.package}/etc/schema/inetorgperson.ldif"
           "${hdb-ldif}"
           "${samba-ldif}"
        ];
        # NOTE: installation of smbk5pwd.so module
        #       https://git.openldap.org/openldap/openldap/-/tree/master/contrib/slapd-modules/smbk5pwd
        "cn=module{0}".attrs = {
          objectClass = [ "olcModuleList" ];
          olcModuleLoad = [ "${cfg.package}/lib/modules/smbk5pwd.so" ];
        };
        # NOTE: activation of smbk5pwd.so module for {1}mdb
        "olcOverlay={0}smbk5pwd,olcDatabase={1}mdb".attrs = {
          objectClass = [ "olcOverlayConfig" "olcSmbK5PwdConfig" ];
          olcOverlay = "{0}smbk5pwd";
          olcSmbK5PwdEnable = [ "krb5" "samba" ];
          olcSmbK5PwdMustChange = toString (60 * 60 * 24 * 10000);
        };
        "olcDatabase={1}mdb".attrs = {
          objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ];
          olcDatabase = "{1}mdb";
          olcSuffix = dn;
          # TODO: PW is supposed to be a secret, but it's probably fine for testing
          olcRootDN = "cn=users,${dn}";
          # TODO: replace with proper secret
          olcRootPW.path = pkgs.writeText "olcRootPW" "pass";
          olcDbDirectory = "/var/lib/openldap/test-smbk5pwd-db";
          olcDbIndex = "objectClass eq";
          olcAccess = [
            ''{0}to attrs=userPassword,shadowLastChange
                by dn.exact=cn=users,${dn} write
                by self write
                by anonymous auth
                by * none''
            ''{1}to dn.base=""
                by * read''
            /* allow read on anything else */
            # ''{2}to *
            #     by cn=users,${dn} write by dn.exact=gidNumber=0+uidNumber=0+cn=peercred,cn=external write
            #     by * read''
          ];
        };
      };
    };
  };
 }
@@ -10,6 +10,10 @@ minecraft-heatmap:
    ssh-key:
        private: ENC[AES256_GCM,data:h9OtD6hxrxyokFDe9bveAkMICrs3YrsAEqg0RVHV+xCkgkNAdoh85wb1QI8FJ0tga4Bfq8ZxZTdMnexQvbYWL8m/N/P6gWoPPJd7dwGuxaUZu5lqngVuHIhH0yWFWtPXjQ0Zyl5Q1aBKyjzJMvJc/H2iprgVH4YFs/fWf/KDEp17Plvvz0AoPGPrOZErDmne4MtLbW3pUm1r5ACo/41OyXYwjHk1Ywgsoz1CMxe/DrmkADnf7jSDWL6Q0mz8hIIYi8GbToJS4BIJ2plttraxV9sqpIPzS/1jMERNchItlkCppSYIy/eohVmskP8dAySm5Z7HNGGtzWSSGLxq15xKc7OVFYPMI+B35nPnp1LVOUWqBHAqVo7dwxc3VXOlVat7AMknUZnr67d4TIIl5BOdy/rvAxzXS/fDV0zntIs5o3phKStVvq07eZFaOVva45B7Pyyn0PdBhHBt2JcBtm+Xtg9i3xvZdwQgbeeJRhnYgDqK6BVhmtTuirwp1GOyslqaFCjg0MJj+W+d8R9gbbfyFR6YrZQAkcd/o/yZGg86z7Phe18=,iv:nt/+qPBwPZKQt43VJ9FbKjLYioFwCxD7VK9WNCJCmpQ=,tag:MuDfnTiro3VVJq9x5rkEQg==,type:str]
        public: ENC[AES256_GCM,data:+fiCO8VRSmV7tmyweYSpZJMOuMORLHkWetYbr20aTQ1vRYr927nYGes4E464t+Dv9OyJPCLmHBdgt7UvxJWuC3pZE8iStnBYnej3D4ebMzi2SMfOkJjGuQSplXtl8QeAYe1YvROmtQ==,iv:thgGQUyWdXfwUt1E/vudoNjl8JjnksFd1rb/asTry+g=,tag:t1iQPocvfI+JafuJycaLuw==,type:str]
 garage:
    rpc-secret: ENC[AES256_GCM,data:GzLWSrVcjCiZKNC78BCjf1CFDdUxU43w5cjUCxlV2zUv4RLJ9m4rJiw749du+JW/w7CvyVgBHSM7D4ixeunvJA==,iv:VwrmBtbNX0AumaBmMNYwMd+zMHfYwXzvMd5D2uQrIis=,tag:ShHXGuYx4lrg+ORf+JXISw==,type:str]
    admin-token: ENC[AES256_GCM,data:UFyn0s0t44oEDdV36kkeUyomvP0X+Sw4ed1g6n29Fh6PLYl53gvDnyg0OSI=,iv:w9IMARTfTcfvu/Qdh60JVH7S9W1GkV+/e3YL08WZKh8=,tag:kOx9BZ8OPBNRpvkLgmW3Zw==,type:str]
    metrics-token: ENC[AES256_GCM,data:/dCSR1OgpEsOsRRzCeiY6OSyGvl8feKovb/Kfqg6QCQ4tb8bAkkR8xLtTxQ=,iv:4wHwBgoiJFTZETtNs9t6dshgG3f84T7HHiEi86LkOmU=,tag:3usDN18uB2ZPo8fDJZEDag==,type:str]
 sops:
    age:
        - recipient: age19nk55kcs7s0358jpkn75xnr57dfq6fq3p43nartvsprx0su22v7qcgcjdx
@@ -75,8 +79,8 @@ sops:
            U3IrZTB3YUJiREZDQkgzUFMvb3VxU1kKJhYYVcCT8hNJkEK1nD3GBekVGDOI3Nin
            iBat3LwB4Ijzx1jA+jKJ1Ilf4MgdoL2ox6l/uWft27vvsRaQ501VvA==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-08-25T12:27:53Z"
+    lastmodified: "2026-04-29T12:18:46Z"
-    mac: ENC[AES256_GCM,data:GoJ2en7e+D4wjyPJqq7i1s8JPdgFO3wcxrtXOgSKTxi6HTibuIcP4KQcKrCMRAZmXOEL1vpnWFA2uk7S00Av7/QOnzP0Zrk3aPBM6lbB+p9XSabN0sOe1UpZDtAM3bzvS9JZzyztT5nHKvO/eV2rP71y/tYbsT6yvj7Y9zxpvKg=,iv:tQiCr7zpo7g5jZpt2VD9jtFKo32XUWs94Jay+T4XWys=,tag:npBqmlbUUfN+ztttajva3w==,type:str]
+    mac: ENC[AES256_GCM,data:blfYRh75xbA+jeGCCxuZADBVAa4Nih+b5hcXEp8mdzOBrbdOWfL4TfuyYB0Cj/rMDsklIprczmBJ/a/cSTdKSaak/LfAzy7swR6u5R5V3+xLP6CopOhO59RaXc2inoMPEc73XAmP33jynm/kSznRM1PGA+X9oaK6PrWcTgHiM7M=,iv:SwXRz/XpyOVOQzvRjViqK41NOdHXGdTshQ3a/Qi1350=,tag:v6p6QW6qnv1T14PBBB88NQ==,type:str]
    pgp:
        - created_at: "2026-01-16T06:34:45Z"
          enc: |-
@@ -99,4 +103,4 @@ sops:
            -----END PGP MESSAGE-----
          fp: F7D37890228A907440E1FD4846B9228E814A2AAC
    unencrypted_suffix: _unencrypted
-    version: 3.10.2
+    version: 3.12.2
@@ -36,10 +36,6 @@ in rec {
      ipv4 = pvv-ipv4 168;
      ipv6 = pvv-ipv6 168;
    };
    dagali = {
      ipv4 = pvv-ipv4 185;
      ipv6 = pvv-ipv6 185;
    };
    ildkule = {
      ipv4 = "129.241.100.145";
      ipv4_internal = "192.168.1.17";