DROP WHEN MERGED: taler modules from #332699

.sops.yaml

@@ -13,7 +13,6 @@ keys:
   - &host_ildkule age1x28hmzvuv6f2n66c0jtqcca3h9rput8d7j5uek6jcpx8n9egd52sqpejq0
   - &host_bekkalokk age12nj59tguy9wg882updc2vjdusx5srnxmjyfaqve4zx6jnnsaw3qsyjq6zd
   - &host_bicep age1sl43gc9cw939z5tgha2lpwf0xxxgcnlw7w4xem4sqgmt2pt264vq0dmwx2
-  - &host_ustetind age1hffjafs4slznksefmtqrlj7rdaqgzqncn4un938rhr053237ry8s3rs0v8
 
 creation_rules:
   # Global secrets
@@ -79,15 +78,3 @@ creation_rules:
       - *user_pederbs_bjarte
       pgp:
       - *user_oysteikt
-
-  - path_regex: secrets/ustetind/[^/]+\.yaml$
-    key_groups:
-    - age:
-      - *host_ustetind
-      - *user_danio
-      - *user_felixalb
-      - *user_pederbs_sopp
-      - *user_pederbs_nord
-      - *user_pederbs_bjarte
-      pgp:
-      - *user_oysteikt

base/default.nix

@@ -1,9 +1,9 @@
-{ pkgs, lib, fp, ... }:
+{ pkgs, lib, ... }:
 
 {
   imports = [
-    (fp /users)
-    (fp /modules/snakeoil-certs.nix)
+    ../users
+    ../modules/snakeoil-certs.nix
 
     ./networking.nix
     ./nix.nix

base/networking.nix

@@ -3,10 +3,6 @@
   systemd.network.enable = true;
   networking.domain = "pvv.ntnu.no";
   networking.useDHCP = false;
-  # networking.search = [ "pvv.ntnu.no" "pvv.org" ];
-  # networking.nameservers = lib.mkDefault [ "129.241.0.200" "129.241.0.201" ];
-  # networking.tempAddresses = lib.mkDefault "disabled";
-  # networking.defaultGateway = values.hosts.gateway;
 
   # The rest of the networking configuration is usually sourced from /values.nix
 

base/services/auto-upgrade.nix

@@ -2,12 +2,12 @@
 {
   system.autoUpgrade = {
     enable = true;
-    flake = "git+https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git";
+    flake = "git+https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git?ref=pvvvvv";
     flags = [
       # --update-input is deprecated since nix 2.22, and removed in lix 2.90
       # https://git.lix.systems/lix-project/lix/issues/400
       "--refresh"
-      "--override-input" "nixpkgs" "github:nixos/nixpkgs/nixos-24.11-small"
+      "--override-input" "nixpkgs" "github:nixos/nixpkgs/nixos-24.05-small"
       "--override-input" "nixpkgs-unstable" "github:nixos/nixpkgs/nixos-unstable-small"
       "--no-write-lock-file"
     ];

base/services/logrotate.nix

@@ -1,8 +1,42 @@
 { ... }:
 {
+  # source: https://github.com/logrotate/logrotate/blob/main/examples/logrotate.service
   systemd.services.logrotate = {
     documentation = [ "man:logrotate(8)" "man:logrotate.conf(5)" ];
     unitConfig.RequiresMountsFor = "/var/log";
-    serviceConfig.ReadWritePaths = [ "/var/log" ];
+    serviceConfig = {
+      Nice = 19;
+      IOSchedulingClass = "best-effort";
+      IOSchedulingPriority = 7;
+
+      ReadWritePaths = [ "/var/log" ];
+
+      AmbientCapabilities = [ "" ];
+      CapabilityBoundingSet = [ "" ];
+      DeviceAllow = [ "" ];
+      LockPersonality = true;
+      MemoryDenyWriteExecute = true;
+      NoNewPrivileges = true; # disable for third party rotate scripts
+      PrivateDevices = true;
+      PrivateNetwork = true; # disable for mail delivery
+      PrivateTmp = true;
+      ProtectClock = true;
+      ProtectControlGroups = true;
+      ProtectHome = true; # disable for userdir logs
+      ProtectHostname = true;
+      ProtectKernelLogs = true;
+      ProtectKernelModules = true;
+      ProtectKernelTunables = true;
+      ProtectProc = "invisible";
+      ProtectSystem = "full";
+      RestrictNamespaces = true;
+      RestrictRealtime = true;
+      RestrictSUIDSGID = true; # disable for creating setgid directories
+      SocketBindDeny = [ "any" ];
+      SystemCallArchitectures = "native";
+      SystemCallFilter = [
+        "@system-service"
+      ];
+    };
   };
-}
+}

base/services/nginx.nix

@@ -33,10 +33,6 @@
 
   systemd.services.nginx.serviceConfig = lib.mkIf config.services.nginx.enable {
     LimitNOFILE = 65536;
-    # We use jit my dudes
-    MemoryDenyWriteExecute = lib.mkForce false;
-    # What the fuck do we use that where the defaults are not enough???
-    SystemCallFilter = lib.mkForce null;
   };
 
   services.nginx.virtualHosts."_" = lib.mkIf config.services.nginx.enable {
@@ -45,4 +41,4 @@
     addSSL = true;
     extraConfig = "return 444;";
   };
-}
+}

base/services/smartd.nix

@@ -1,20 +1,8 @@
 { config, pkgs, lib, ... }:
 {
-  services.smartd = {
-    enable = lib.mkDefault true;
-    notifications = {
-      mail = {
-        enable = true;
-        sender = "root@pvv.ntnu.no";
-        recipient = "root@pvv.ntnu.no";
-      };
-      wall.enable = false;
-    };
-  };
+  services.smartd.enable = lib.mkDefault true;
 
   environment.systemPackages = lib.optionals config.services.smartd.enable (with pkgs; [
     smartmontools
   ]);
-
-  systemd.services.smartd.unitConfig.ConditionVirtualization = "no";
-}
+}

flake.lock

@@ -7,11 +7,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1740485968,
-        "narHash": "sha256-WK+PZHbfDjLyveXAxpnrfagiFgZWaTJglewBWniTn2Y=",
+        "lastModified": 1729281548,
+        "narHash": "sha256-MuojlSnwAJAwfhgmW8ZtZrwm2Sko4fqubCvReqbUzYw=",
         "owner": "nix-community",
         "repo": "disko",
-        "rev": "19c1140419c4f1cdf88ad4c1cfb6605597628940",
+        "rev": "a6a3179ddf396dfc28a078e2f169354d0c137125",
         "type": "github"
       },
       "original": {
@@ -20,26 +20,6 @@
         "type": "github"
       }
     },
-    "gergle": {
-      "inputs": {
-        "nixpkgs": [
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1736621371,
-        "narHash": "sha256-45UIQSQA7R5iU4YWvilo7mQbhY1Liql9bHBvYa3qRI0=",
-        "ref": "refs/heads/main",
-        "rev": "3729796c1213fe76e568ac28f1df8de4e596950b",
-        "revCount": 20,
-        "type": "git",
-        "url": "https://git.pvv.ntnu.no/Grzegorz/gergle.git"
-      },
-      "original": {
-        "type": "git",
-        "url": "https://git.pvv.ntnu.no/Grzegorz/gergle.git"
-      }
-    },
     "greg-ng": {
       "inputs": {
         "nixpkgs": [
@@ -48,17 +28,17 @@
         "rust-overlay": "rust-overlay"
       },
       "locked": {
-        "lastModified": 1736545379,
-        "narHash": "sha256-PeTTmGumdOX3rd6OKI7QMCrZovCDkrckZbcHr+znxWA=",
+        "lastModified": 1730249639,
+        "narHash": "sha256-G3URSlqCcb+GIvGyki+HHrDM5ZanX/dP9BtppD/SdfI=",
         "ref": "refs/heads/main",
-        "rev": "74f5316121776db2769385927ec0d0c2cc2b23e4",
-        "revCount": 42,
+        "rev": "80e0447bcb79adad4f459ada5610f3eae987b4e3",
+        "revCount": 34,
         "type": "git",
-        "url": "https://git.pvv.ntnu.no/Grzegorz/greg-ng.git"
+        "url": "https://git.pvv.ntnu.no/Projects/greg-ng.git"
       },
       "original": {
         "type": "git",
-        "url": "https://git.pvv.ntnu.no/Grzegorz/greg-ng.git"
+        "url": "https://git.pvv.ntnu.no/Projects/greg-ng.git"
       }
     },
     "grzegorz-clients": {
@@ -68,17 +48,17 @@
         ]
       },
       "locked": {
-        "lastModified": 1736178795,
-        "narHash": "sha256-mPdi8cgvIDYcgG3FRG7A4BOIMu2Jef96TPMnV00uXlM=",
+        "lastModified": 1726861934,
+        "narHash": "sha256-lOzPDwktd+pwszUTbpUdQg6iCzInS11fHLfkjmnvJrM=",
         "ref": "refs/heads/master",
-        "rev": "fde738910de1fd8293535a6382c2f0c2749dd7c1",
-        "revCount": 79,
+        "rev": "546d921ec46735dbf876e36f4af8df1064d09432",
+        "revCount": 78,
         "type": "git",
-        "url": "https://git.pvv.ntnu.no/Grzegorz/grzegorz-clients.git"
+        "url": "https://git.pvv.ntnu.no/Projects/grzegorz-clients.git"
       },
       "original": {
         "type": "git",
-        "url": "https://git.pvv.ntnu.no/Grzegorz/grzegorz-clients.git"
+        "url": "https://git.pvv.ntnu.no/Projects/grzegorz-clients.git"
       }
     },
     "matrix-next": {
@@ -124,11 +104,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1736531400,
-        "narHash": "sha256-+X/HVI1AwoPcud28wI35XRrc1kDgkYdDUGABJBAkxDI=",
+        "lastModified": 1714416973,
+        "narHash": "sha256-aZUcvXjdETUC6wVQpWDVjLUzwpDAEca8yR0ITDeK39o=",
         "ref": "refs/heads/main",
-        "rev": "e4dafd06b3d7e9e6e07617766e9c3743134571b7",
-        "revCount": 7,
+        "rev": "2b23c0ba8aae68d3cb6789f0f6e4891cef26cc6d",
+        "revCount": 6,
         "type": "git",
         "url": "https://git.pvv.ntnu.no/oysteikt/nix-gitea-themes.git"
       },
@@ -139,27 +119,43 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1740782485,
-        "narHash": "sha256-GkDJDqHYlPKZFdyxzZHtljxNRsosKB1GCrblqlvLFgo=",
+        "lastModified": 1729307008,
+        "narHash": "sha256-QUvb6epgKi9pCu9CttRQW4y5NqJ+snKr1FZpG/x3Wtc=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "dd5c2540983641bbaabdfc665931592d4c9989e8",
+        "rev": "a9b86fc2290b69375c5542b622088eb6eca2a7c3",
         "type": "github"
       },
       "original": {
         "owner": "NixOS",
-        "ref": "nixos-24.11-small",
+        "ref": "nixos-24.05-small",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs-stable": {
+      "locked": {
+        "lastModified": 1728156290,
+        "narHash": "sha256-uogSvuAp+1BYtdu6UWuObjHqSbBohpyARXDWqgI12Ss=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "17ae88b569bb15590549ff478bab6494dde4a907",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "release-24.05",
         "repo": "nixpkgs",
         "type": "github"
       }
     },
     "nixpkgs-unstable": {
       "locked": {
-        "lastModified": 1740848276,
-        "narHash": "sha256-bYeI3FEs824X+MJYksKboNlmglehzplqzn+XvcojWMc=",
+        "lastModified": 1729308112,
+        "narHash": "sha256-Ap+cPeiluam2KFZO+OWuFTl/IkIJfyGYGMgkT2pVCRY=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "e9b0ff70ddc61c42548501b0fafb86bb49cca858",
+        "rev": "61253596816c4cd65e2a0f474cbc0ac0c6e0f7cf",
         "type": "github"
       },
       "original": {
@@ -196,11 +192,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1737151758,
+        "lastModified": 1725212759,
         "narHash": "sha256-yZBsefIarFUEhFRj+rCGMp9Zvag3MCafqV/JfGVRVwc=",
         "ref": "refs/heads/master",
-        "rev": "a4ebe6ded0c8c124561a41cb329ff30891914b5e",
-        "revCount": 475,
+        "rev": "e7b66b4bc6a89bab74bac45b87e9434f5165355f",
+        "revCount": 473,
         "type": "git",
         "url": "https://git.pvv.ntnu.no/Projects/nettsiden.git"
       },
@@ -212,7 +208,6 @@
     "root": {
       "inputs": {
         "disko": "disko",
-        "gergle": "gergle",
         "greg-ng": "greg-ng",
         "grzegorz-clients": "grzegorz-clients",
         "matrix-next": "matrix-next",
@@ -250,14 +245,15 @@
       "inputs": {
         "nixpkgs": [
           "nixpkgs"
-        ]
+        ],
+        "nixpkgs-stable": "nixpkgs-stable"
       },
       "locked": {
-        "lastModified": 1739262228,
-        "narHash": "sha256-7JAGezJ0Dn5qIyA2+T4Dt/xQgAbhCglh6lzCekTVMeU=",
+        "lastModified": 1728345710,
+        "narHash": "sha256-lpunY1+bf90ts+sA2/FgxVNIegPDKCpEoWwOPu4ITTQ=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "07af005bb7d60c7f118d9d9f5530485da5d1e975",
+        "rev": "06535d0e3d0201e6a8080dd32dbfde339b94f01b",
         "type": "github"
       },
       "original": {

flake.nix

@@ -2,7 +2,7 @@
   description = "PVV System flake";
 
   inputs = {
-    nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.11-small"; # remember to also update the url in base/services/auto-upgrade.nix
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05-small"; # remember to also update the url in base/services/auto-upgrade.nix
     nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable-small";
 
     sops-nix.url = "github:Mic92/sops-nix";
@@ -23,11 +23,9 @@
     nix-gitea-themes.url = "git+https://git.pvv.ntnu.no/oysteikt/nix-gitea-themes.git";
     nix-gitea-themes.inputs.nixpkgs.follows = "nixpkgs";
 
-    greg-ng.url = "git+https://git.pvv.ntnu.no/Grzegorz/greg-ng.git";
+    greg-ng.url = "git+https://git.pvv.ntnu.no/Projects/greg-ng.git";
     greg-ng.inputs.nixpkgs.follows = "nixpkgs";
-    gergle.url = "git+https://git.pvv.ntnu.no/Grzegorz/gergle.git";
-    gergle.inputs.nixpkgs.follows = "nixpkgs";
-    grzegorz-clients.url = "git+https://git.pvv.ntnu.no/Grzegorz/grzegorz-clients.git";
+    grzegorz-clients.url = "git+https://git.pvv.ntnu.no/Projects/grzegorz-clients.git";
     grzegorz-clients.inputs.nixpkgs.follows = "nixpkgs";
 
     minecraft-data.url = "git+https://git.pvv.ntnu.no/Drift/minecraft-data.git";
@@ -35,13 +33,13 @@
 
   outputs = { self, nixpkgs, nixpkgs-unstable, sops-nix, disko, ... }@inputs:
   let
-    inherit (nixpkgs) lib;
+    nixlib = nixpkgs.lib;
     systems = [
       "x86_64-linux"
       "aarch64-linux"
       "aarch64-darwin"
     ];
-    forAllSystems = f: lib.genAttrs systems f;
+    forAllSystems = f: nixlib.genAttrs systems f;
     allMachines = builtins.attrNames self.nixosConfigurations;
     importantMachines = [
       "bekkalokk"
@@ -51,17 +49,16 @@
       "ildkule"
     ];
   in {
-    inputs = lib.mapAttrs (_: src: src.outPath) inputs;
+    inherit inputs;
 
     nixosConfigurations = let
       unstablePkgs = nixpkgs-unstable.legacyPackages.x86_64-linux;
-      nixosConfig = nixpkgs: name: config: lib.nixosSystem (lib.recursiveUpdate
+      nixosConfig = nixpkgs: name: config: nixpkgs.lib.nixosSystem (nixpkgs.lib.recursiveUpdate
         rec {
           system = "x86_64-linux";
           specialArgs = {
             inherit unstablePkgs inputs;
             values = import ./values.nix;
-            fp = path: ./${path};
           };
 
           modules = [
@@ -117,36 +114,30 @@
       #ildkule-unstable = unstableNixosConfig "ildkule" { };
       shark = stableNixosConfig "shark" { };
 
-      ustetind = stableNixosConfig "ustetind" {
-        modules = [
-         "${nixpkgs}/nixos/modules/virtualisation/lxc-container.nix"
-        ];
-      };
-
       brzeczyszczykiewicz = stableNixosConfig "brzeczyszczykiewicz" {
         modules = [
           inputs.grzegorz-clients.nixosModules.grzegorz-webui
-          inputs.gergle.nixosModules.default
           inputs.greg-ng.nixosModules.default
         ];
         overlays = [
           inputs.greg-ng.overlays.default
-          inputs.gergle.overlays.default
         ];
       };
       georg = stableNixosConfig "georg" {
         modules = [
           inputs.grzegorz-clients.nixosModules.grzegorz-webui
-          inputs.gergle.nixosModules.default
           inputs.greg-ng.nixosModules.default
         ];
         overlays = [
           inputs.greg-ng.overlays.default
-          inputs.gergle.overlays.default
         ];
       };
-
-      dagali = unstableNixosConfig "dagali" { };
+      kvernberg = stableNixosConfig "kvernberg" {
+        modules = [
+          disko.nixosModules.disko
+          { disko.devices.disk.disk1.device = "/dev/sda"; }
+        ];
+      };
     };
 
     nixosModules = {
@@ -164,19 +155,19 @@
       in rec {
         default = important-machines;
         important-machines = pkgs.linkFarm "important-machines"
-          (lib.getAttrs importantMachines self.packages.x86_64-linux);
+          (nixlib.getAttrs importantMachines self.packages.x86_64-linux);
         all-machines = pkgs.linkFarm "all-machines"
-          (lib.getAttrs allMachines self.packages.x86_64-linux);
+          (nixlib.getAttrs allMachines self.packages.x86_64-linux);
 
         simplesamlphp = pkgs.callPackage ./packages/simplesamlphp { };
 
       } //
-      (lib.pipe null [
+      (nixlib.pipe null [
         (_: pkgs.callPackage ./packages/mediawiki-extensions { })
-        (lib.flip builtins.removeAttrs ["override" "overrideDerivation"])
-        (lib.mapAttrs' (name: lib.nameValuePair "mediawiki-${name}"))
+        (nixlib.flip builtins.removeAttrs ["override" "overrideDerivation"])
+        (nixlib.mapAttrs' (name: nixlib.nameValuePair "mediawiki-${name}"))
       ])
-      // lib.genAttrs allMachines
+      // nixlib.genAttrs allMachines
         (machine: self.nixosConfigurations.${machine}.config.system.build.toplevel);
     };
   };

hosts/bekkalokk/configuration.nix

@@ -1,10 +1,10 @@
-{ fp, pkgs, values, ... }:
+{ pkgs, values, ... }:
 {
   imports = [
     ./hardware-configuration.nix
 
-    (fp /base)
-    (fp /misc/metrics-exporters.nix)
+    ../../base
+    ../../misc/metrics-exporters.nix
 
     ./services/bluemap/default.nix
     ./services/gitea/default.nix
@@ -19,7 +19,7 @@
     ./services/well-known
   ];
 
-  sops.defaultSopsFile = fp /secrets/bekkalokk/bekkalokk.yaml;
+  sops.defaultSopsFile = ../../secrets/bekkalokk/bekkalokk.yaml;
   sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
   sops.age.keyFile = "/var/lib/sops-nix/key.txt";
   sops.age.generateKey = true;

hosts/bekkalokk/services/bluemap/default.nix

@@ -6,15 +6,13 @@ in {
     ./module.nix # From danio, pending upstreaming
   ];
 
-  disabledModules = [ "services/web-apps/bluemap.nix" ];
+  disabledModules = [ "services/web-servers/bluemap.nix" ];
 
   sops.secrets."bluemap/ssh-key" = { };
   sops.secrets."bluemap/ssh-known-hosts" = { };
 
   services.bluemap = {
     enable = true;
-    package = pkgs.callPackage ./package.nix { };
-    
     eula = true;
     onCalendar = "*-*-* 05:45:00"; # a little over an hour after auto-upgrade
 

hosts/bekkalokk/services/bluemap/module.nix

@@ -26,6 +26,7 @@ let
     "webapp.conf" = webappConfig;
     "webserver.conf" = webserverConfig;
     "packs" = cfg.resourcepacks;
+    "addons" = cfg.resourcepacks; # TODO
   };
 
   renderConfigFolder = name: value: pkgs.linkFarm "bluemap-${name}-config" {
@@ -37,13 +38,13 @@ let
     "webapp.conf" = format.generate "webapp.conf" (cfg.webappSettings // { "update-settings-file" = false; });
     "webserver.conf" = webserverConfig;
     "packs" = value.resourcepacks;
+    "addons" = cfg.resourcepacks; # TODO
   };
 
   inherit (lib) mkOption;
 in {
   options.services.bluemap = {
     enable = lib.mkEnableOption "bluemap";
-    package = lib.mkPackageOption pkgs "bluemap" { };
 
     eula = mkOption {
       type = lib.types.bool;
@@ -158,7 +159,7 @@ in {
             type = lib.types.path;
             default = cfg.resourcepacks;
             defaultText = lib.literalExpression "config.services.bluemap.resourcepacks";
-            description = "A set of resourcepacks/mods/bluemap-addons to extract models from loaded in alphabetical order";
+            description = "A set of resourcepacks/mods to extract models from loaded in alphabetical order";
           };
           settings = mkOption {
             type = (lib.types.submodule {
@@ -309,18 +310,9 @@ in {
         Group = "nginx";
         UMask = "026";
       };
-      script = ''
-        # If web folder doesnt exist generate it
-        test -f "${cfg.webRoot}" || ${lib.getExe cfg.package} -c ${webappConfigFolder} -gs
-
-        # Render each minecraft map
-        ${lib.strings.concatStringsSep "\n" (lib.attrsets.mapAttrsToList
-          (name: value: "${lib.getExe cfg.package} -c ${renderConfigFolder name value} -r")
-          cfg.maps)}
-
-        # Generate updated webapp
-        ${lib.getExe cfg.package} -c ${webappConfigFolder} -gs
-      '';
+      script = lib.strings.concatStringsSep "\n" ((lib.attrsets.mapAttrsToList
+        (name: value: "${lib.getExe pkgs.bluemap} -c ${renderConfigFolder name value} -r")
+        cfg.maps) ++ [ "${lib.getExe pkgs.bluemap} -c ${webappConfigFolder} -gs" ]);
     };
 
     systemd.timers."render-bluemap-maps" = lib.mkIf cfg.enableRender {

hosts/bekkalokk/services/bluemap/package.nix

@@ -1,30 +0,0 @@
-{ lib, stdenvNoCC, fetchurl, makeWrapper, jre }:
-
-stdenvNoCC.mkDerivation rec {
-  pname = "bluemap";
-  version = "5.7";
-
-  src = fetchurl {
-    url = "https://github.com/BlueMap-Minecraft/BlueMap/releases/download/v${version}/BlueMap-${version}-cli.jar";
-    hash = "sha256-8udZYJgrr4bi2mjRYrASd8JwUoUVZW1tZpOLRgafAIw=";
-  };
-
-  dontUnpack = true;
-
-  nativeBuildInputs = [ makeWrapper ];
-
-  installPhase = ''
-    runHook preInstall
-    makeWrapper ${jre}/bin/java $out/bin/bluemap --add-flags "-jar $src"
-    runHook postInstall
-  '';
-
-  meta = {
-    description = "3D minecraft map renderer";
-    homepage = "https://bluemap.bluecolored.de/";
-    sourceProvenance = with lib.sourceTypes; [ binaryBytecode ];
-    license = lib.licenses.mit;
-    maintainers = with lib.maintainers; [ dandellion h7x4 ];
-    mainProgram = "bluemap";
-  };
-}

hosts/bekkalokk/services/gitea/ci.nix

@@ -15,8 +15,8 @@ let
         enable = true;
         name = "git-runner-${name}"; url = "https://git.pvv.ntnu.no";
         labels = [
-          "debian-latest:docker://node:current-bookworm"
-          "ubuntu-latest:docker://node:current-bookworm"
+          "debian-latest:docker://node:18-bullseye"
+          "ubuntu-latest:docker://node:18-bullseye"
         ];
         tokenFile = config.sops.secrets."gitea/runners/${name}".path;
       };
@@ -27,15 +27,5 @@ lib.mkMerge [
   (mkRunner "alpha")
   (mkRunner "beta")
   (mkRunner "epsilon")
-  {
-    virtualisation.podman = {
-      enable = true;
-      defaultNetwork.settings.dns_enabled = true;
-      autoPrune.enable = true;
-    };
-
-    networking.dhcpcd.IPv6rs = false;
-
-    networking.firewall.interfaces."podman+".allowedUDPPorts = [53 5353];
-  }
+  { virtualisation.podman.enable = true; }
 ]

hosts/bekkalokk/services/gitea/customization.nix

@@ -1,52 +0,0 @@
-{ config, pkgs, lib, fp, ... }:
-let
-  cfg = config.services.gitea;
-in
-{
-  services.gitea-themes.monokai = pkgs.gitea-theme-monokai;
-
-  systemd.services.gitea-customization = lib.mkIf cfg.enable {
-    description = "Install extra customization in gitea's CUSTOM_DIR";
-    wantedBy = [ "gitea.service" ];
-    requiredBy = [ "gitea.service" ];
-
-    serviceConfig =  {
-      Type = "oneshot";
-      User = cfg.user;
-      Group = cfg.group;
-    };
-
-    script = let
-      logo-svg = fp /assets/logo_blue_regular.svg;
-      logo-png = fp /assets/logo_blue_regular.png;
-      extraLinks = pkgs.writeText "gitea-extra-links.tmpl" ''
-        <a class="item" href="https://www.pvv.ntnu.no/">PVV</a>
-        <a class="item" href="https://wiki.pvv.ntnu.no/">Wiki</a>
-        <a class="item" href="https://git.pvv.ntnu.no/Drift/-/projects/4">Tokyo Drift Issues</a>
-      '';
-
-      project-labels = (pkgs.formats.yaml { }).generate "gitea-project-labels.yaml" {
-        labels = lib.importJSON ./labels/projects.json;
-      };
-
-      customTemplates = pkgs.runCommandLocal "gitea-templates" {
-        nativeBuildInputs = with pkgs; [
-          coreutils
-          gnused
-        ];
-      } ''
-        # Bigger icons
-        install -Dm444 "${cfg.package.src}/templates/repo/icon.tmpl" "$out/repo/icon.tmpl"
-        sed -i -e 's/24/48/g' "$out/repo/icon.tmpl"
-      '';
-    in ''
-      install -Dm444 ${logo-svg} ${cfg.customDir}/public/assets/img/logo.svg
-      install -Dm444 ${logo-png} ${cfg.customDir}/public/assets/img/logo.png
-      install -Dm444 ${./loading.apng} ${cfg.customDir}/public/assets/img/loading.png
-      install -Dm444 ${extraLinks} ${cfg.customDir}/templates/custom/extra_links.tmpl
-      install -Dm444 ${project-labels} ${cfg.customDir}/options/label/project-labels.yaml
-
-      "${lib.getExe pkgs.rsync}" -a "${customTemplates}/" ${cfg.customDir}/templates/
-    '';
-  };
-}

hosts/bekkalokk/services/gitea/default.nix

@@ -1,12 +1,11 @@
-{ config, values, lib, ... }:
+{ config, values, pkgs, lib, ... }:
 let
   cfg = config.services.gitea;
   domain = "git.pvv.ntnu.no";
   sshPort  = 2222;
 in {
   imports = [
-    ./customization.nix
-    ./gpg.nix
+    ./ci.nix
     ./import-users
     ./web-secret-provider
   ];
@@ -131,11 +130,6 @@ in {
       };
       "ui.meta".DESCRIPTION = "Bokstavelig talt programvareverkstedet";
     };
-
-    dump = {
-      enable = true;
-      type = "tar.gz";
-    };
   };
 
   environment.systemPackages = [ cfg.package ];
@@ -162,4 +156,35 @@ in {
   };
 
   networking.firewall.allowedTCPPorts = [ sshPort ];
+
+  # Extra customization
+
+  services.gitea-themes.monokai = pkgs.gitea-theme-monokai;
+
+  systemd.services.install-gitea-customization = {
+    description = "Install extra customization in gitea's CUSTOM_DIR";
+    wantedBy = [ "gitea.service" ];
+    requiredBy = [ "gitea.service" ];
+
+    serviceConfig =  {
+      Type = "oneshot";
+      User = cfg.user;
+      Group = cfg.group;
+    };
+
+    script = let
+      logo-svg = ../../../../assets/logo_blue_regular.svg;
+      logo-png = ../../../../assets/logo_blue_regular.png;
+      extraLinks = pkgs.writeText "gitea-extra-links.tmpl" ''
+        <a class="item" href="https://www.pvv.ntnu.no/">PVV</a>
+        <a class="item" href="https://wiki.pvv.ntnu.no/">Wiki</a>
+        <a class="item" href="https://git.pvv.ntnu.no/Drift/-/projects/4">Tokyo Drift Issues</a>
+      '';
+    in ''
+      install -Dm444 ${logo-svg} ${cfg.customDir}/public/assets/img/logo.svg
+      install -Dm444 ${logo-png} ${cfg.customDir}/public/assets/img/logo.png
+      install -Dm444 ${./loading.apng} ${cfg.customDir}/public/assets/img/loading.png
+      install -Dm444 ${extraLinks} ${cfg.customDir}/templates/custom/extra_links.tmpl
+    '';
+  };
 }

hosts/bekkalokk/services/gitea/gpg.nix

@@ -1,38 +0,0 @@
-{ config, pkgs, lib, ... }:
-let
-  cfg = config.services.gitea;
-  GNUPGHOME = "${config.users.users.gitea.home}/gnupg";
-in
-{
-  sops.secrets."gitea/gpg-signing-key" = {
-    owner = cfg.user;
-    inherit (cfg) group;
-  };
-
-  systemd.services.gitea.environment = { inherit GNUPGHOME; };
-
-  systemd.tmpfiles.settings."20-gitea-gnugpg".${GNUPGHOME}.d = {
-    inherit (cfg) user group;
-    mode = "700";
-  };
-
-  systemd.services.gitea-ensure-gnupg-homedir = {
-    description = "Import gpg key for gitea";
-    environment = { inherit GNUPGHOME; };
-    serviceConfig = {
-      Type = "oneshot";
-      User = cfg.user;
-      PrivateNetwork = true;
-    };
-    script = ''
-      ${lib.getExe pkgs.gnupg} --import ${config.sops.secrets."gitea/gpg-signing-key".path}
-    '';
-  };
-
-  services.gitea.settings."repository.signing" = {
-    SIGNING_KEY = "0549C43374D2253C";
-    SIGNING_NAME = "PVV Git";
-    SIGNING_EMAIL = "gitea@git.pvv.ntnu.no";
-    INITIAL_COMMIT = "always";
-  };
-}

hosts/bekkalokk/services/gitea/import-users/gitea-import-users.py

@@ -177,7 +177,6 @@ def ensure_gitea_user_is_part_of_team(
 # List of teams that all users should be part of by default
 COMMON_USER_TEAMS = [
     ("Projects", "Members"),
-    ("Grzegorz", "Members"),
     ("Kurs", "Members"),
 ]
 

hosts/bekkalokk/services/gitea/labels/projects.json

@@ -1,116 +0,0 @@
-[
-  {
-    "name": "art",
-    "exclusive": false,
-    "color": "#006b75",
-    "description": "Requires some creativity"
-  },
-  {
-    "name": "big",
-    "exclusive": false,
-    "color": "#754bc4",
-    "description": "This is gonna take a while"
-  },
-  {
-    "name": "blocked",
-    "exclusive": false,
-    "color": "#850021",
-    "description": "This issue/PR depends on one or more other issues/PRs"
-  },
-  {
-    "name": "bug",
-    "exclusive": false,
-    "color": "#f05048",
-    "description": "Something brokey"
-  },
-  {
-    "name": "ci-cd",
-    "exclusive": false,
-    "color": "#d1ff78",
-    "description": "Continuous integrals and continuous derivation"
-  },
-  {
-    "name": "crash report",
-    "exclusive": false,
-    "color": "#ed1111",
-    "description": "Report an oopsie"
-  },
-  {
-    "name": "disputed",
-    "exclusive": false,
-    "color": "#5319e7",
-    "description": "Kranglefanter"
-  },
-  {
-    "name": "documentation",
-    "exclusive": false,
-    "color": "#fbca04",
-    "description": "Documentation changes required"
-  },
-  {
-    "name": "duplicate",
-    "exclusive": false,
-    "color": "#cccccc",
-    "description": "This issue or pull request already exists"
-  },
-  {
-    "name": "feature request",
-    "exclusive": false,
-    "color": "#0052cc",
-    "description": ""
-  },
-  {
-    "name": "good first issue",
-    "exclusive": false,
-    "color": "#009800",
-    "description": "Get your hands dirty with a new project here"
-  },
-  {
-    "name": "me gusta",
-    "exclusive": false,
-    "color": "#30ff36",
-    "description": "( ͡° ͜ʖ ͡°)"
-  },
-  {
-    "name": "packaging",
-    "exclusive": false,
-    "color": "#bf642b",
-    "description": ""
-  },
-  {
-    "name": "question",
-    "exclusive": false,
-    "color": "#cc317c",
-    "description": ""
-  },
-  {
-    "name": "security",
-    "exclusive": false,
-    "color": "#ed1111",
-    "description": "Skommel"
-  },
-  {
-    "name": "techdebt spring cleaning",
-    "exclusive": false,
-    "color": "#8c6217",
-    "description": "The code is smelly 👃"
-  },
-  {
-    "name": "testing",
-    "exclusive": false,
-    "color": "#52b373",
-    "description": "Poke it and see if it explodes"
-  },
-  {
-    "name": "ui/ux",
-    "exclusive": false,
-    "color": "#f28852",
-    "description": "User complaints about ergonomics and economics and whatever"
-  },
-  {
-    "name": "wontfix",
-    "exclusive": false,
-    "color": "#ffffff",
-    "description": "Nei, vil ikke"
-  }
-]

hosts/bekkalokk/services/gitea/web-secret-provider/default.nix

@@ -3,7 +3,6 @@ let
   organizations = [
     "Drift"
     "Projects"
-    "Grzegorz"
     "Kurs"
   ];
 
@@ -28,7 +27,6 @@ in
   users.users."gitea-web" = {
     group = "gitea-web";
     isSystemUser = true;
-    shell = pkgs.bash;
   };
 
   sops.secrets."gitea/web-secret-provider/token" = {
@@ -60,7 +58,6 @@ in
           key-dir = "/var/lib/gitea-web/keys/%i";
           authorized-keys-path = "/var/lib/gitea-web/authorized_keys.d/%i";
           rrsync-script = pkgs.writeShellScript "rrsync-chown" ''
-            mkdir -p "$1"
             ${lib.getExe pkgs.rrsync} -wo "$1"
             ${pkgs.coreutils}/bin/chown -R gitea-web:gitea-web "$1"
           '';

hosts/bekkalokk/services/gitea/web-secret-provider/gitea-web-secret-provider.py

@@ -34,21 +34,7 @@ def get_org_repo_list(args: argparse.Namespace, token: str):
         f"{args.api_url}/orgs/{args.org}/repos",
         headers = { 'Authorization': 'token ' + token },
     )
-
-    results = [repo["name"] for repo in result.json()]
-    target = int(result.headers['X-Total-Count'])
-
-    i = 2
-    while len(results) < target:
-        result = requests.get(
-            f"{args.api_url}/orgs/{args.org}/repos",
-            params = { 'page': i },
-            headers = { 'Authorization': 'token ' + token },
-        )
-        results += [repo["name"] for repo in result.json()]
-        i += 1
-
-    return results
+    return [repo["name"] for repo in result.json()]
 
 
 def generate_ssh_key(args: argparse.Namespace, repository: str):

hosts/bekkalokk/services/mediawiki/default.nix

@@ -1,4 +1,4 @@
-{ pkgs, lib, fp, config, values, pkgs-unstable, ... }: let
+{ pkgs, lib, config, values, pkgs-unstable, ... }: let
   cfg = config.services.mediawiki;
 
   # "mediawiki"
@@ -210,8 +210,8 @@ in {
         '';
       };
 
-      "= /PNG/PVV-logo.svg".alias = fp /assets/logo_blue_regular.svg;
-      "= /PNG/PVV-logo.png".alias = fp /assets/logo_blue_regular.png;
+      "= /PNG/PVV-logo.svg".alias = ../../../../assets/logo_blue_regular.svg;
+      "= /PNG/PVV-logo.png".alias = ../../../../assets/logo_blue_regular.png;
       "= /favicon.ico".alias = pkgs.runCommandLocal "mediawiki-favicon.ico" {
         buildInputs = with pkgs; [ imagemagick ];
       } ''
@@ -219,7 +219,7 @@ in {
           -resize x64 \
           -gravity center \
           -crop 64x64+0+0 \
-          ${fp /assets/logo_blue_regular.png} \
+          ${../../../../assets/logo_blue_regular.png} \
           -flatten \
           -colors 256 \
           -background transparent \

hosts/bekkalokk/services/vaultwarden.nix

@@ -83,6 +83,7 @@ in {
       ProtectKernelLogs = true;
       ProtectKernelModules = true;
       ProtectKernelTunables = true;
+      ProtectProc = "invisible";
       RestrictAddressFamilies = [
         "AF_INET"
         "AF_INET6"
@@ -97,6 +98,7 @@ in {
         "@system-service"
         "~@privileged"
       ];
+      UMask = "0007";
     };
   };
 }

hosts/bekkalokk/services/webmail/roundcube.nix

@@ -21,7 +21,7 @@ in
       custom_from
     ]);
 
-    dicts = with pkgs.aspellDicts; [ en en-computers nb nn fr de it ];
+    dicts = with pkgs.aspellDicts; [ en en-science en-computers nb nn fr de it ];
     maxAttachmentSize = 20;
     hostName = "roundcubeplaceholder.example.com";
 

hosts/bekkalokk/services/webmail/snappymail.nix

@@ -1,8 +1,8 @@
-{ config, lib, fp, pkgs, ... }:
+{ config, lib, pkgs, ... }:
 let
   cfg = config.services.snappymail;
 in {
-  imports = [ (fp /modules/snappymail.nix) ];
+  imports = [ ../../../../modules/snappymail.nix ];
 
   services.snappymail = {
     enable = true;

hosts/bicep/configuration.nix

@@ -1,10 +1,10 @@
-{ fp, pkgs, values, ... }:
+{ pkgs, values, ... }:
 {
   imports = [
     ./hardware-configuration.nix
 
-    (fp /base)
-    (fp /misc/metrics-exporters.nix)
+    ../../base
+    ../../misc/metrics-exporters.nix
     ./services/nginx
 
     ./services/mysql.nix
@@ -15,7 +15,7 @@
     ./services/matrix
   ];
 
-  sops.defaultSopsFile = fp /secrets/bicep/bicep.yaml;
+  sops.defaultSopsFile = ../../secrets/bicep/bicep.yaml;
   sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
   sops.age.keyFile = "/var/lib/sops-nix/key.txt";
   sops.age.generateKey = true;

hosts/bicep/services/calendar-bot.nix

@@ -1,16 +1,16 @@
-{ config, fp, lib, pkgs, ... }:
+{ config, lib, pkgs, ... }:
 let
   cfg = config.services.pvv-calendar-bot;
 in {
   sops.secrets = {
     "calendar-bot/matrix_token" = {
-      sopsFile = fp /secrets/bicep/bicep.yaml;
+      sopsFile = ../../../secrets/bicep/bicep.yaml;
       key = "calendar-bot/matrix_token";
       owner = cfg.user;
       group = cfg.group;
     };
     "calendar-bot/mysql_password" = {
-      sopsFile = fp /secrets/bicep/bicep.yaml;
+      sopsFile = ../../../secrets/bicep/bicep.yaml;
       key = "calendar-bot/mysql_password";
       owner = cfg.user;
       group = cfg.group;

hosts/bicep/services/matrix/coturn.nix

@@ -1,14 +1,14 @@
-{ config, lib, fp, pkgs, secrets, values, ... }:
+{ config, lib, pkgs, secrets, values, ... }:
 
 {
   sops.secrets."matrix/synapse/turnconfig" = {
-    sopsFile = fp /secrets/bicep/matrix.yaml;
+    sopsFile = ../../../../secrets/bicep/matrix.yaml;
     key = "synapse/turnconfig";
     owner = config.users.users.matrix-synapse.name;
     group = config.users.users.matrix-synapse.group;
   };
   sops.secrets."matrix/coturn/static-auth-secret" = {
-    sopsFile = fp /secrets/bicep/matrix.yaml;
+    sopsFile = ../../../../secrets/bicep/matrix.yaml;
     key = "coturn/static-auth-secret";
     owner = config.users.users.turnserver.name;
     group = config.users.users.turnserver.group;
@@ -48,9 +48,6 @@
 
   users.users.turnserver.extraGroups = [ "acme" ];
 
-  # It needs this to be allowed to access the files with the acme group
-  systemd.services.coturn.serviceConfig.PrivateUsers = lib.mkForce false;
-
   systemd.services."acme-${config.services.coturn.realm}".serviceConfig = {
     AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
   };
@@ -69,7 +66,7 @@
 
     listening-ips = [
       values.services.turn.ipv4
-      values.services.turn.ipv6
+      # values.services.turn.ipv6
     ];
 
     tls-listening-port = 443;

hosts/bicep/services/matrix/discord.nix

@@ -1,4 +1,4 @@
-{ config, lib, fp, ... }:
+{ config, lib, ... }:
 
 let
   cfg = config.services.mx-puppet-discord;
@@ -7,11 +7,11 @@ in
   users.groups.keys-matrix-registrations = { };
 
   sops.secrets."matrix/discord/as_token" = {
-    sopsFile = fp /secrets/bicep/matrix.yaml;
+    sopsFile = ../../../../secrets/bicep/matrix.yaml;
     key = "discord/as_token";
   };
   sops.secrets."matrix/discord/hs_token" = {
-    sopsFile = fp /secrets/bicep/matrix.yaml;
+    sopsFile = ../../../../secrets/bicep/matrix.yaml;
     key = "discord/hs_token";
   };
 

hosts/bicep/services/matrix/hookshot/default.nix

@@ -1,4 +1,4 @@
-{ config, lib, fp, unstablePkgs, inputs, ... }:
+{ config, lib, unstablePkgs, inputs, ... }:
 
 let
   cfg = config.services.matrix-hookshot;
@@ -6,12 +6,16 @@ let
   webhookListenPort = 8435;
 in
 {
+  imports = [
+    ./module.nix
+  ];
+
   sops.secrets."matrix/hookshot/as_token" = {
-    sopsFile = fp /secrets/bicep/matrix.yaml;
+    sopsFile = ../../../../../secrets/bicep/matrix.yaml;
     key = "hookshot/as_token";
   };
   sops.secrets."matrix/hookshot/hs_token" = {
-    sopsFile = fp /secrets/bicep/matrix.yaml;
+    sopsFile = ../../../../../secrets/bicep/matrix.yaml;
     key = "hookshot/hs_token";
   };
 

hosts/bicep/services/matrix/hookshot/module.nix

@@ -0,0 +1,127 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
+let
+  cfg = config.services.matrix-hookshot;
+  settingsFormat = pkgs.formats.yaml { };
+  configFile = settingsFormat.generate "matrix-hookshot-config.yml" cfg.settings;
+in
+{
+  options = {
+    services.matrix-hookshot = {
+      enable = lib.mkEnableOption "matrix-hookshot, a bridge between Matrix and project management services";
+
+      package = lib.mkPackageOption pkgs "matrix-hookshot" { };
+
+      registrationFile = lib.mkOption {
+        type = lib.types.path;
+        description = ''
+          Appservice registration file.
+          As it contains secret tokens, you may not want to add this to the publicly readable Nix store.
+        '';
+        example = lib.literalExpression ''
+          pkgs.writeText "matrix-hookshot-registration" \'\'
+            id: matrix-hookshot
+            as_token: aaaaaaaaaa
+            hs_token: aaaaaaaaaa
+            namespaces:
+              rooms: []
+              users:
+                - regex: "@_webhooks_.*:foobar"
+                  exclusive: true
+
+            sender_localpart: hookshot
+            url: "http://localhost:9993"
+            rate_limited: false
+            \'\'
+        '';
+      };
+
+      settings = lib.mkOption {
+        description = ''
+          {file}`config.yml` configuration as a Nix attribute set.
+
+          For details please see the [documentation](https://matrix-org.github.io/matrix-hookshot/latest/setup/sample-configuration.html).
+        '';
+        example = {
+          bridge = {
+            domain = "example.com";
+            url = "http://localhost:8008";
+            mediaUrl = "https://example.com";
+            port = 9993;
+            bindAddress = "127.0.0.1";
+          };
+          listeners = [
+            {
+              port = 9000;
+              bindAddress = "0.0.0.0";
+              resources = [ "webhooks" ];
+            }
+            {
+              port = 9001;
+              bindAddress = "localhost";
+              resources = [
+                "metrics"
+                "provisioning"
+              ];
+            }
+          ];
+        };
+        default = { };
+        type = lib.types.submodule {
+          freeformType = settingsFormat.type;
+          options = {
+            passFile = lib.mkOption {
+              type = lib.types.path;
+              default = "/var/lib/matrix-hookshot/passkey.pem";
+              description = ''
+                A passkey used to encrypt tokens stored inside the bridge.
+                File will be generated if not found.
+              '';
+            };
+          };
+        };
+      };
+
+      serviceDependencies = lib.mkOption {
+        type = with lib.types; listOf str;
+        default = lib.optional config.services.matrix-synapse.enable config.services.matrix-synapse.serviceUnit;
+        defaultText = lib.literalExpression ''
+          lib.optional config.services.matrix-synapse.enable config.services.matrix-synapse.serviceUnit
+        '';
+        description = ''
+          List of Systemd services to require and wait for when starting the application service,
+          such as the Matrix homeserver if it's running on the same host.
+        '';
+      };
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    systemd.services.matrix-hookshot = {
+      description = "a bridge between Matrix and multiple project management services";
+
+      wantedBy = [ "multi-user.target" ];
+      wants = [ "network-online.target" ] ++ cfg.serviceDependencies;
+      after = [ "network-online.target" ] ++ cfg.serviceDependencies;
+
+      preStart = ''
+        if [ ! -f '${cfg.settings.passFile}' ]; then
+          mkdir -p $(dirname '${cfg.settings.passFile}')
+          ${pkgs.openssl}/bin/openssl genpkey -out '${cfg.settings.passFile}' -outform PEM -algorithm RSA -pkeyopt rsa_keygen_bits:4096
+        fi
+      '';
+
+      serviceConfig = {
+        Type = "simple";
+        Restart = "always";
+        ExecStart = "${cfg.package}/bin/matrix-hookshot ${configFile} ${cfg.registrationFile}";
+      };
+    };
+  };
+
+  meta.maintainers = with lib.maintainers; [ flandweber ];
+}

hosts/bicep/services/matrix/mjolnir.nix

@@ -1,8 +1,8 @@
-{ config, lib, fp, ... }:
+{ config, lib, ... }:
 
 {
   sops.secrets."matrix/mjolnir/access_token" = {
-    sopsFile = fp /secrets/bicep/matrix.yaml;
+    sopsFile = ../../../../secrets/bicep/matrix.yaml;
     key = "mjolnir/access_token";
     owner = config.users.users.mjolnir.name;
     group = config.users.users.mjolnir.group;

hosts/bicep/services/matrix/synapse.nix

@@ -1,4 +1,4 @@
-{ config, lib, fp, pkgs, values, inputs, ... }:
+{ config, lib, pkgs, values, inputs, ... }:
 
 let
   cfg = config.services.matrix-synapse-next;
@@ -10,13 +10,13 @@ let
 in {
   sops.secrets."matrix/synapse/signing_key" = {
     key = "synapse/signing_key";
-    sopsFile = fp /secrets/bicep/matrix.yaml;
+    sopsFile = ../../../../secrets/bicep/matrix.yaml;
     owner = config.users.users.matrix-synapse.name;
     group = config.users.users.matrix-synapse.group;
   };
 
   sops.secrets."matrix/synapse/user_registration" = {
-    sopsFile = fp /secrets/bicep/matrix.yaml;
+    sopsFile = ../../../../secrets/bicep/matrix.yaml;
     key = "synapse/signing_key";
     owner = config.users.users.matrix-synapse.name;
     group = config.users.users.matrix-synapse.group;

hosts/bob/configuration.nix

@@ -1,16 +1,16 @@
-{ config, fp, pkgs, values, ... }:
+{ config, pkgs, values, ... }:
 {
   imports = [
       # Include the results of the hardware scan.
       ./hardware-configuration.nix
-      (fp /base)
-      (fp /misc/metrics-exporters.nix)
+      ../../base
+      ../../misc/metrics-exporters.nix
       ./disks.nix
 
-      (fp /misc/builder.nix)
+      ../../misc/builder.nix
     ];
 
-  sops.defaultSopsFile = fp /secrets/bob/bob.yaml;
+  sops.defaultSopsFile = ../../secrets/bob/bob.yaml;
   sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
   sops.age.keyFile = "/var/lib/sops-nix/key.txt";
   sops.age.generateKey = true;

hosts/brzeczyszczykiewicz/configuration.nix

@@ -1,10 +1,10 @@
-{ config, fp, pkgs, values, ... }:
+{ config, pkgs, values, ... }:
 {
   imports = [
       # Include the results of the hardware scan.
       ./hardware-configuration.nix
-      (fp /base)
-      (fp /misc/metrics-exporters.nix)
+      ../../base
+      ../../misc/metrics-exporters.nix
 
       ./services/grzegorz.nix
     ];

hosts/brzeczyszczykiewicz/services/grzegorz.nix

@@ -1,6 +1,6 @@
-{ config, fp, ... }:
+{ config, ... }:
 {
-  imports = [ (fp /modules/grzegorz.nix) ];
+  imports = [ ../../../modules/grzegorz.nix ];
 
   services.nginx.virtualHosts."${config.networking.fqdn}" = {
     serverAliases = [

hosts/dagali/TODO.md

@@ -1,78 +0,0 @@
-# Tracking document for new PVV kerberos auth stack
-
-![Bensinstasjon på heimdal](https://bydelsnytt.no/wp-content/uploads/2022/08/esso_heimdal003.jpg)
-
-<div align="center">
-  Bensinstasjon på heimdal
-</div>
-
-### TODO:
-
-- [ ] setup heimdal
-  - [x] ensure running with systemd
-  - [x] compile smbk5pwd (part of openldap)
-  - [ ] set `modify -a -disallow-all-tix,requires-pre-auth default` declaratively
-  - [ ] fully initialize PVV.NTNU.NO
-    - [x] `kadmin -l init PVV.NTNU.NO`
-    - [x] add oysteikt/admin@PVV.NTNU.NO principal
-    - [x] add oysteikt@PVV.NTNU.NO principal
-    - [x] add krbtgt/PVV.NTNU.NO@PVV.NTNU.NO principal?
-      - why is this needed, and where is it documented?
-      - `kadmin check` seems to work under sudo?
-      - (it is included by default, just included as error message
-         in a weird state)
-
-    - [x] Ensure client is working correctly
-      - [x] Ensure kinit works on darbu
-      - [x] Ensure kpasswd works on darbu
-      - [x] Ensure kadmin get <user> (and other restricted commands) works on darbu
-
-    - [ ] Ensure kdc is working correctly
-      - [x] Ensure kinit works on dagali
-      - [x] Ensure kpasswd works on dagali
-      - [ ] Ensure kadmin get <user> (and other restricte commands) works on dagali
-
-    - [x] Fix FQDN
-      - https://github.com/NixOS/nixpkgs/issues/94011
-      - https://github.com/NixOS/nixpkgs/issues/261269
-      - Possibly fixed by disabling systemd-resolved
-
-- [ ] setup cyrus sasl
-  - [x] ensure running with systemd 
-  - [x] verify GSSAPI support plugin is installed
-    - `nix-shell -p cyrus_sasl --command pluginviewer`
-  - [x] create "host/localhost@PVV.NTNU.NO" and export to keytab
-  - [x] verify cyrus sasl is able to talk to heimdal
-    - `sudo testsaslauthd -u oysteikt -p <password>`
-  - [ ] provide ldap principal to cyrus sasl through keytab
-
-- [ ] setup openldap
-  - [x] ensure running with systemd
-  - [ ] verify openldap is able to talk to cyrus sasl
-  - [ ] create user for oysteikt in openldap
-  - [ ] authenticate openldap login through sasl
-    - does this require creating an ldap user?
-
-- [ ] fix smbk5pwd integration
-  - [x] add smbk5pwd schemas to openldap
-  - [x] create openldap db for smbk5pwd with overlays
-  - [ ] test to ensure that user sync is working
-  - [ ] test as user source (replace passwd)
-  - [ ] test as PAM auth source
-  - [ ] test as auth source for 3rd party appliation
-
-- [ ] Set up ldap administration panel
-  - Doesn't seem like there are many good ones out there. Maybe phpLDAPAdmin?
-
-- [ ] Set up kerberos SRV DNS entry
-
-### Information and URLS
-
-- OpenLDAP SASL: https://www.openldap.org/doc/admin24/sasl.html
-- Use a keytab: https://kb.iu.edu/d/aumh
-- 2 ways for openldap to auth: https://security.stackexchange.com/questions/65093/how-to-test-ldap-that-authenticates-with-kerberos
-- Cyrus guide OpenLDAP + SASL + GSSAPI: https://www.cyrusimap.org/sasl/sasl/faqs/openldap-sasl-gssapi.html
-- Configuring GSSAPI and Cyrus SASL: https://web.mit.edu/darwin/src/modules/passwordserver_sasl/cyrus_sasl/doc/gssapi.html
-- PVV Kerberos docs: https://wiki.pvv.ntnu.no/wiki/Drift/Kerberos
-- OpenLDAP smbk5pwd source: https://git.openldap.org/nivanova/openldap/-/tree/master/contrib/slapd-modules/smbk5pwd
-- saslauthd(8): https://linux.die.net/man/8/saslauthd

hosts/dagali/configuration.nix

@@ -1,51 +0,0 @@
-
-{ config, pkgs, values, lib, ... }:
-{
-  imports = [
-    ./hardware-configuration.nix
-    ../../base.nix
-    ../../misc/metrics-exporters.nix
-
-    ./services/heimdal.nix
-    #./services/openldap.nix
-    ./services/cyrus-sasl.nix
-  ];
-
-  # buskerud does not support efi?
-  # boot.loader.systemd-boot.enable = true;
-  # boot.loader.efi.canTouchEfiVariables = true;
-  boot.loader.grub.enable = true;
-  boot.loader.grub.device = "/dev/sda";
-
-  # resolved messes up FQDN coming from nscd
-  services.resolved.enable = false;
-
-  networking.hostName = "dagali";
-  networking.domain = lib.mkForce "pvv.local";
-  networking.hosts = {
-    "129.241.210.185" = [ "dagali.pvv.local" ];
-  };
-  #networking.search = [ "pvv.ntnu.no" "pvv.org" ];
-  networking.nameservers = [ "129.241.0.200" "129.241.0.201" ];
-  networking.tempAddresses = "disabled";
-  networking.networkmanager.enable = true;
-
-  systemd.network.networks."ens18" = values.defaultNetworkConfig // {
-    matchConfig.Name = "ens18";
-    address = with values.hosts.dagali; [ (ipv4 + "/25") (ipv6 + "/64") ];
-  };
-
-  # List packages installed in system profile
-  environment.systemPackages = with pkgs; [
-    # TODO: consider adding to base.nix
-    nix-output-monitor
-  ];
-
-  # This value determines the NixOS release from which the default
-  # settings for stateful data, like file locations and database versions
-  # on your system were taken. It‘s perfectly fine and recommended to leave
-  # this value at the release version of the first install of this system.
-  # Before changing this value read the documentation for this option
-  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
-  system.stateVersion = "24.05"; # Did you read the comment?
-}

hosts/dagali/services/cyrus-sasl.nix

@@ -1,21 +0,0 @@
-{ config, ... }:
-let
-  cfg = config.services.saslauthd;
-in
-{
-  # TODO: This is seemingly required for openldap to authenticate
-  #       against kerberos, but I have no idea how to configure it as
-  #       such. Does it need a keytab? There's a binary "testsaslauthd"
-  #       that follows with `pkgs.cyrus_sasl` that might be useful.
-  services.saslauthd = {
-    enable = true;
-    mechanism = "kerberos5";
-    config = ''
-      mech_list: gs2-krb5 gssapi
-      keytab: /etc/krb5.keytab
-    '';
-  };
-
-  # TODO: maybe the upstream module should consider doing this?
-  environment.systemPackages = [ cfg.package ];
-}

hosts/dagali/services/heimdal.nix

@@ -1,100 +0,0 @@
-{ config, pkgs, lib, ... }:
-let
-  realm = "PVV.LOCAL";
-  cfg = config.security.krb5;
-in
-{
-  security.krb5 = {
-    enable = true;
-
-    # NOTE: This is required in order to build smbk5pwd, because of some nested includes.
-    #       We should open an issue upstream (heimdal, not nixpkgs), but this patch
-    #       will do for now.
-    package = pkgs.heimdal.overrideAttrs (prev: {
-      postInstall = prev.postInstall + ''
-        cp include/heim_threads.h $dev/include
-      '';
-    });
-
-    settings = {
-      realms.${realm} = {
-        kdc = [ "dagali.${lib.toLower realm}" ];
-        admin_server = "dagali.${lib.toLower realm}";
-        kpasswd_server = "dagali.${lib.toLower realm}";
-        default_domain = lib.toLower realm;
-        primary_kdc = "dagali.${lib.toLower realm}";
-      };
-
-      kadmin.default_keys = lib.concatStringsSep " " [
-        "aes256-cts-hmac-sha1-96:pw-salt"
-        "aes128-cts-hmac-sha1-96:pw-salt"
-      ];
-
-      libdefaults.default_etypes = lib.concatStringsSep " " [
-        "aes256-cts-hmac-sha1-96"
-        "aes128-cts-hmac-sha1-96"
-      ];
-
-      libdefaults = {
-        default_realm = realm;
-        dns_lookup_kdc = false;
-        dns_lookup_realm = false;
-      };
-
-      domain_realm = {
-        "${lib.toLower realm}" = realm;
-        ".${lib.toLower realm}" = realm;
-      };
-
-      logging = {
-        # kdc = "CONSOLE";
-        kdc = "SYSLOG:DEBUG:AUTH";
-        admin_server = "SYSLOG:DEBUG:AUTH";
-        default = "SYSLOG:DEBUG:AUTH";
-      };
-    };
-  };
-
-  services.kerberos_server = {
-    enable = true;
-    settings = {
-      realms.${realm} = {
-        dbname = "/var/lib/heimdal/heimdal";
-        mkey = "/var/lib/heimdal/m-key";
-        acl = [
-          {
-            principal = "kadmin/admin";
-            access = "all";
-          }
-          {
-            principal = "felixalb/admin";
-            access = "all";
-          }
-          {
-            principal = "oysteikt/admin";
-            access = "all";
-          }
-        ];
-      };
-      # kadmin.default_keys = lib.concatStringsSep " " [
-      #   "aes256-cts-hmac-sha1-96:pw-salt"
-      #   "aes128-cts-hmac-sha1-96:pw-salt"
-      # ];
-
-      # libdefaults.default_etypes = lib.concatStringsSep " " [
-      #   "aes256-cts-hmac-sha1-96"
-      #   "aes128-cts-hmac-sha1-96"
-      # ];
-
-      # password_quality.min_length = 8;
-    };
-  };
-
-  networking.firewall.allowedTCPPorts = [ 88 464 749 ];
-  networking.firewall.allowedUDPPorts = [ 88 464 749 ];
-
-  networking.hosts = {
-    "127.0.0.2" = lib.mkForce [ ];
-    "::1" = lib.mkForce [ ];
-  };
-}

hosts/dagali/services/openldap.nix

@@ -1,121 +0,0 @@
-{ config, pkgs, lib, ... }:
-{
-  services.openldap = let
-    dn = "dc=pvv,dc=ntnu,dc=no";
-    cfg = config.services.openldap;
-
-    heimdal = config.security.krb5.package;
-  in {
-    enable = true;
-
-    # NOTE: this is a custom build of openldap with support for
-    #       perl and kerberos.
-    package = pkgs.openldap.overrideAttrs (prev: {
-      # https://github.com/openldap/openldap/blob/master/configure
-      configureFlags = prev.configureFlags ++ [
-        # Connect to slapd via UNIX socket
-        "--enable-local"
-        # Cyrus SASL
-        "--enable-spasswd"
-        # Reverse hostname lookups
-        "--enable-rlookups"
-        # perl
-        "--enable-perl"
-      ];
-
-      buildInputs = prev.buildInputs ++ [
-        pkgs.perl
-	# NOTE: do not upstream this, it might not work with
-	#       MIT in the same way
-        heimdal
-      ];
-
-      extraContribModules = prev.extraContribModules ++ [
-        # https://git.openldap.org/openldap/openldap/-/tree/master/contrib/slapd-modules
-        "smbk5pwd"
-      ];
-    });
-
-    settings = {
-      attrs = {
-        olcLogLevel = [ "stats" "config" "args" ];
-
-        # olcAuthzRegexp = ''
-        #   gidNumber=.*\\\+uidNumber=0,cn=peercred,cn=external,cn=auth
-        #         "uid=heimdal,${dn2}"
-        # '';
-
-        # olcSaslSecProps = "minssf=0";
-      };
-
-      children = {
-        "cn=schema".includes = let
-          # NOTE: needed for smbk5pwd.so module
-          schemaToLdif = name: path: pkgs.runCommandNoCC name {
-            buildInputs = with pkgs; [ schema2ldif ];
-          } ''
-            schema2ldif "${path}" > $out
-          '';
-
-          hdb-ldif = schemaToLdif "hdb.ldif" "${heimdal.src}/lib/hdb/hdb.schema";
-          samba-ldif = schemaToLdif "samba.ldif" "${heimdal.src}/tests/ldap/samba.schema";
-        in [
-           "${cfg.package}/etc/schema/core.ldif"
-           "${cfg.package}/etc/schema/cosine.ldif"
-           "${cfg.package}/etc/schema/nis.ldif"
-           "${cfg.package}/etc/schema/inetorgperson.ldif"
-           "${hdb-ldif}"
-           "${samba-ldif}"
-        ];
-
-        # NOTE: installation of smbk5pwd.so module
-        #       https://git.openldap.org/openldap/openldap/-/tree/master/contrib/slapd-modules/smbk5pwd
-        "cn=module{0}".attrs = {
-          objectClass = [ "olcModuleList" ];
-          olcModuleLoad = [ "${cfg.package}/lib/modules/smbk5pwd.so" ];
-        };
-
-        # NOTE: activation of smbk5pwd.so module for {1}mdb
-        "olcOverlay={0}smbk5pwd,olcDatabase={1}mdb".attrs = {
-          objectClass = [ "olcOverlayConfig" "olcSmbK5PwdConfig" ];
-          olcOverlay = "{0}smbk5pwd";
-          olcSmbK5PwdEnable = [ "krb5" "samba" ];
-          olcSmbK5PwdMustChange = toString (60 * 60 * 24 * 10000);
-        };
-
-        "olcDatabase={1}mdb".attrs = {
-          objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ];
-
-          olcDatabase = "{1}mdb";
-
-          olcSuffix = dn;
-
-          # TODO: PW is supposed to be a secret, but it's probably fine for testing
-          olcRootDN = "cn=users,${dn}";
-
-          # TODO: replace with proper secret
-          olcRootPW.path = pkgs.writeText "olcRootPW" "pass";
-
-          olcDbDirectory = "/var/lib/openldap/test-smbk5pwd-db";
-          olcDbIndex = "objectClass eq";
-
-          olcAccess = [
-            ''{0}to attrs=userPassword,shadowLastChange
-                by dn.exact=cn=users,${dn} write
-                by self write
-                by anonymous auth
-                by * none''
-
-            ''{1}to dn.base=""
-                by * read''
-
-            /* allow read on anything else */
-            # ''{2}to *
-            #     by cn=users,${dn} write by dn.exact=gidNumber=0+uidNumber=0+cn=peercred,cn=external write
-            #     by * read''
-          ];
-        };
-      };
-    };
-  };
-}

hosts/georg/configuration.nix

@@ -1,12 +1,12 @@
-{ config, fp, pkgs, values, ... }:
+{ config, pkgs, values, ... }:
 {
   imports = [
       # Include the results of the hardware scan.
       ./hardware-configuration.nix
-      (fp /base)
-      (fp /misc/metrics-exporters.nix)
+      ../../base
+      ../../misc/metrics-exporters.nix
 
-      (fp /modules/grzegorz.nix)
+      ../../modules/grzegorz.nix
     ];
 
   boot.loader.systemd-boot.enable = true;

hosts/ildkule/configuration.nix

@@ -1,16 +1,16 @@
-{ config, fp, pkgs, lib, values, ... }:
+{ config, pkgs, lib, values, ... }:
 {
   imports = [
       # Include the results of the hardware scan.
       ./hardware-configuration.nix
-      (fp /base)
-      (fp /misc/metrics-exporters.nix)
+      ../../base
+      ../../misc/metrics-exporters.nix
 
       ./services/monitoring
       ./services/nginx
     ];
 
-  sops.defaultSopsFile = fp /secrets/ildkule/ildkule.yaml;
+  sops.defaultSopsFile = ../../secrets/ildkule/ildkule.yaml;
   sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
   sops.age.keyFile = "/var/lib/sops-nix/key.txt";
   sops.age.generateKey = true;

hosts/kvernberg/configuration.nix

@@ -0,0 +1,43 @@
+{ config, pkgs, values, ... }:
+{
+  imports = [
+    # Include the results of the hardware scan.
+    ./hardware-configuration.nix
+    ../../base
+    ../../misc/metrics-exporters.nix
+
+    ./disks.nix
+  ];
+
+  sops.defaultSopsFile = ../../secrets/kvernberg/kvernberg.yaml;
+  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+  sops.age.keyFile = "/var/lib/sops-nix/key.txt";
+  sops.age.generateKey = true;
+
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+ 
+  networking.hostName = "kvernberg"; # Define your hostname.
+
+  systemd.network.networks."30-all" = values.defaultNetworkConfig // {
+    matchConfig.Name = "en*";
+    address = with values.hosts.kvernberg; [ (ipv4 + "/25") (ipv6 + "/64") ];
+  };
+
+  # List packages installed in system profile
+  environment.systemPackages = with pkgs; [
+    
+  ];
+
+  # No devices with SMART
+  services.smartd.enable = false;
+
+  # This value determines the NixOS release from which the default
+  # settings for stateful data, like file locations and database versions
+  # on your system were taken. It‘s perfectly fine and recommended to leave
+  # this value at the release version of the first install of this system.
+  # Before changing this value read the documentation for this option
+  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+  system.stateVersion = "24.05"; # Did you read the comment?
+
+}

hosts/kvernberg/disks.nix

@@ -0,0 +1,39 @@
+# Example to create a bios compatible gpt partition
+{ lib, ... }:
+{
+  disko.devices = {
+    disk.disk1 = {
+      device = lib.mkDefault "/dev/sda";
+      type = "disk";
+      content = {
+        type = "gpt";
+        partitions = {
+          boot = {
+            name = "boot";
+            size = "1M";
+            type = "EF02";
+          };
+          esp = {
+            name = "ESP";
+            size = "500M";
+            type = "EF00";
+            content = {
+              type = "filesystem";
+              format = "vfat";
+              mountpoint = "/boot";
+            };
+          };
+          root = {
+            name = "root";
+            size = "100%";
+            content = {
+              type = "filesystem";
+              format = "ext4";
+              mountpoint = "/";
+            };
+          };
+        };
+      };
+    };
+  };
+}

hosts/kvernberg/hardware-configuration.nix

@@ -13,14 +13,7 @@
   boot.kernelModules = [ ];
   boot.extraModulePackages = [ ];
 
-  fileSystems."/" =
-    { device = "/dev/disk/by-uuid/4de345e2-be41-4d10-9b90-823b2c77e9b3";
-      fsType = "ext4";
-    };
-
-  swapDevices =
-    [ { device = "/dev/disk/by-uuid/aa4b9a97-a7d8-4608-9f67-4ad084f1baf7"; }
-    ];
+  swapDevices = [ ];
 
   # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
   # (the default) this is the recommended approach. When using systemd-networkd it's

hosts/kvernberg/services/pvvvvvv/modules/libeufin/bank.nix

@@ -0,0 +1,93 @@
+{
+  lib,
+  config,
+  options,
+  ...
+}:
+{
+  imports = [ (import ./common.nix "bank") ];
+
+  options.services.libeufin.bank = {
+    initialAccounts = lib.mkOption {
+      type = lib.types.listOf lib.types.attrs;
+      description = ''
+        Accounts to enable before the bank service starts.
+
+        This is mainly needed for the nexus currency conversion
+        since the exchange's bank account is expected to be already
+        registered.
+
+        Don't forget to change the account passwords afterwards.
+      '';
+      default = [ ];
+    };
+
+    settings = lib.mkOption {
+      description = ''
+        Configuration options for the libeufin bank system config file.
+
+        For a list of all possible options, please see the man page [`libeufin-bank.conf(5)`](https://docs.taler.net/manpages/libeufin-bank.conf.5.html)
+      '';
+      type = lib.types.submodule {
+        inherit (options.services.libeufin.settings.type.nestedTypes) freeformType;
+        options = {
+          libeufin-bank = {
+            CURRENCY = lib.mkOption {
+              type = lib.types.str;
+              description = ''
+                The currency under which the libeufin-bank should operate.
+
+                This defaults to the GNU taler module's currency for convenience
+                but if you run libeufin-bank separately from taler, you must set
+                this yourself.
+              '';
+            };
+            PORT = lib.mkOption {
+              type = lib.types.port;
+              default = 8082;
+              description = ''
+                The port on which libeufin-bank should listen.
+              '';
+            };
+            SUGGESTED_WITHDRAWAL_EXCHANGE = lib.mkOption {
+              type = lib.types.str;
+              default = "https://exchange.demo.taler.net/";
+              description = ''
+                Exchange that is suggested to wallets when withdrawing.
+
+                Note that, in order for withdrawals to work, your libeufin-bank
+                must be able to communicate with and send money etc. to the bank
+                at which the exchange used for withdrawals has its bank account.
+
+                If you also have your own bank and taler exchange network, you
+                probably want to set one of your exchange's url here instead of
+                the demo exchange.
+
+                This setting must always be set in order for the Android app to
+                not crash during the withdrawal process but the exchange to be
+                used can always be changed in the app.
+              '';
+            };
+          };
+          libeufin-bankdb-postgres = {
+            CONFIG = lib.mkOption {
+              type = lib.types.str;
+              description = ''
+                The database connection string for the libeufin-bank database.
+              '';
+            };
+          };
+        };
+      };
+    };
+  };
+
+  config = {
+    services.libeufin.bank.settings.libeufin-bank.CURRENCY = lib.mkIf (
+      config.services.taler.enable && (config.services.taler.settings.taler ? CURRENCY)
+    ) config.services.taler.settings.taler.CURRENCY;
+
+    services.libeufin.bank.settings.libeufin-bankdb-postgres.CONFIG = lib.mkIf config.services.libeufin.bank.createLocalDatabase "postgresql:///libeufin-bank";
+  };
+}
+

hosts/kvernberg/services/pvvvvvv/modules/libeufin/common.nix

@@ -0,0 +1,156 @@
+# TODO: create a common module generator for Taler and Libeufin?
+libeufinComponent:
+{
+  lib,
+  pkgs,
+  config,
+  ...
+}:
+{
+  options.services.libeufin.${libeufinComponent} = {
+    enable = lib.mkEnableOption "libeufin core banking system and web interface";
+    package = lib.mkPackageOption pkgs "libeufin" { };
+    debug = lib.mkEnableOption "debug logging";
+    createLocalDatabase = lib.mkEnableOption "automatic creation of a local postgres database";
+    openFirewall = lib.mkOption {
+      type = lib.types.bool;
+      default = false;
+      description = "Whether to open ports in the firewall";
+    };
+  };
+
+  config =
+    let
+      cfgMain = config.services.libeufin;
+      cfg = cfgMain.${libeufinComponent};
+
+      serviceName = "libeufin-${libeufinComponent}";
+
+      isNexus = libeufinComponent == "nexus";
+
+      # get database name from config
+      # TODO: should this always be the same db? In which case, should this be an option directly under `services.libeufin`?
+      dbName =
+        lib.removePrefix "postgresql:///"
+          cfg.settings."libeufin-${libeufinComponent}db-postgres".CONFIG;
+
+      bankPort = cfg.settings."${if isNexus then "nexus-httpd" else "libeufin-bank"}".PORT;
+    in
+    lib.mkIf cfg.enable {
+      services.libeufin.settings = cfg.settings;
+
+      # TODO add system-libeufin.slice?
+      systemd.services = {
+        # Main service
+        "${serviceName}" = {
+          serviceConfig = {
+            DynamicUser = true;
+            ExecStart =
+              let
+                args = lib.cli.toGNUCommandLineShell { } {
+                  c = cfgMain.configFile;
+                  L = if cfg.debug then "debug" else null;
+                };
+              in
+              "${lib.getExe' cfg.package "libeufin-${libeufinComponent}"} serve ${args}";
+            Restart = "on-failure";
+            RestartSec = "10s";
+          };
+          requires = [ "libeufin-dbinit.service" ];
+          after = [ "libeufin-dbinit.service" ];
+          wantedBy = [ "multi-user.target" ];
+        };
+
+        # Database Initialisation
+        libeufin-dbinit =
+          let
+            dbScript = pkgs.writers.writeText "libeufin-db-permissions.sql" ''
+              GRANT SELECT,INSERT,UPDATE,DELETE ON ALL TABLES IN SCHEMA libeufin_bank TO "${serviceName}";
+              GRANT SELECT,INSERT,UPDATE,DELETE ON ALL TABLES IN SCHEMA libeufin_nexus TO "${serviceName}";
+              GRANT USAGE ON SCHEMA libeufin_bank TO "${serviceName}";
+              GRANT USAGE ON SCHEMA libeufin_nexus TO "${serviceName}";
+            '';
+
+            # Accounts to be created after the bank database initialization.
+            #
+            # For example, if the bank's currency conversion is enabled, it's
+            # required that the exchange account is registered before the
+            # service starts.
+            initialAccountRegistration = lib.concatMapStringsSep "\n" (
+              account:
+              let
+                args = lib.cli.toGNUCommandLineShell { } {
+                  c = cfgMain.configFile;
+                  inherit (account) username password name;
+                  payto_uri = "payto://x-taler-bank/bank:${toString bankPort}/${account.username}?receiver-name=${account.name}";
+                  exchange = lib.toLower account.username == "exchange";
+                };
+              in
+              "${lib.getExe' cfg.package "libeufin-bank"} create-account ${args}"
+            ) cfg.initialAccounts;
+
+            args = lib.cli.toGNUCommandLineShell { } {
+              c = cfgMain.configFile;
+              L = if cfg.debug then "debug" else null;
+            };
+          in
+          {
+            path = [ config.services.postgresql.package ];
+            serviceConfig = {
+              Type = "oneshot";
+              DynamicUser = true;
+              StateDirectory = "libeufin-dbinit";
+              StateDirectoryMode = "0750";
+              User = dbName;
+            };
+            script = lib.optionalString cfg.enable ''
+              ${lib.getExe' cfg.package "libeufin-${libeufinComponent}"} dbinit ${args}
+            '';
+            # Grant DB permissions after schemas have been created
+            postStart =
+              ''
+                psql -U "${dbName}" -f "${dbScript}"
+              ''
+              + lib.optionalString ((!isNexus) && (cfg.initialAccounts != [ ])) ''
+                # only register initial accounts once
+                if [ ! -e /var/lib/libeufin-dbinit/init ]; then
+                  ${initialAccountRegistration}
+                  touch /var/lib/libeufin-dbinit/init
+                  echo "Bank initialisation complete"
+                fi
+              '';
+            requires = lib.optionals cfg.createLocalDatabase [ "postgresql.service" ];
+            after = [ "network.target" ] ++ lib.optionals cfg.createLocalDatabase [ "postgresql.service" ];
+          };
+      };
+
+      networking.firewall = lib.mkIf cfg.openFirewall {
+        allowedTCPPorts = [
+          bankPort
+        ];
+      };
+
+      environment.systemPackages = [ cfg.package ];
+
+      services.postgresql = lib.mkIf cfg.createLocalDatabase {
+        enable = true;
+        ensureDatabases = [ dbName ];
+        ensureUsers = [
+          { name = serviceName; }
+          {
+            name = dbName;
+            ensureDBOwnership = true;
+          }
+        ];
+      };
+
+      assertions = [
+        {
+          assertion =
+            cfg.createLocalDatabase || (cfg.settings."libeufin-${libeufinComponent}db-postgres" ? CONFIG);
+          message = "Libeufin ${libeufinComponent} database is not configured.";
+        }
+      ];
+
+    };
+}

hosts/kvernberg/services/pvvvvvv/modules/libeufin/module.nix

@@ -0,0 +1,29 @@
+{
+  lib,
+  pkgs,
+  config,
+  ...
+}:
+
+let
+  cfg = config.services.libeufin;
+  settingsFormat = pkgs.formats.ini { };
+in
+
+{
+  options.services.libeufin = {
+    configFile = lib.mkOption {
+      internal = true;
+      default = settingsFormat.generate "generated-libeufin.conf" cfg.settings;
+    };
+    settings = lib.mkOption {
+      description = "Global configuration options for the libeufin bank system config file.";
+      type = lib.types.submodule { freeformType = settingsFormat.type; };
+      default = { };
+    };
+  };
+
+  config = lib.mkIf (cfg.bank.enable || cfg.nexus.enable) {
+    environment.etc."libeufin/libeufin.conf".source = cfg.configFile;
+  };
+}

hosts/kvernberg/services/pvvvvvv/modules/libeufin/nexus.nix

@@ -0,0 +1,127 @@
+{
+  lib,
+  config,
+  options,
+  ...
+}:
+{
+  imports = [ (import ./common.nix "nexus") ];
+
+  options.services.libeufin.nexus.settings = lib.mkOption {
+    description = ''
+      Configuration options for the libeufin nexus config file.
+      For a list of all possible options, please see the man page [`libeufin-nexus.conf(5)`](https://docs.taler.net/manpages/libeufin-nexus.conf.5.html)
+    '';
+    type = lib.types.submodule {
+      inherit (options.services.libeufin.settings.type.nestedTypes) freeformType;
+      options = {
+        nexus-ebics = {
+          # Mandatory configuration values
+          # https://docs.taler.net/libeufin/nexus-manual.html#setting-up-the-ebics-subscriber
+          # https://docs.taler.net/libeufin/setup-ebics-at-postfinance.html
+          CURRENCY = lib.mkOption {
+            description = "Name of the fiat currency.";
+            type = lib.types.nonEmptyStr;
+            example = "CHF";
+          };
+          HOST_BASE_URL = lib.mkOption {
+            description = "URL of the EBICS server.";
+            type = lib.types.nonEmptyStr;
+            example = "https://ebics.postfinance.ch/ebics/ebics.aspx";
+          };
+          BANK_DIALECT = lib.mkOption {
+            description = ''
+              Name of the following combination: EBICS version and ISO20022
+              recommendations that Nexus would honor in the communication with the
+              bank.
+              Currently only the "postfinance" or "gls" value is supported.
+            '';
+            type = lib.types.enum [
+              "postfinance"
+              "gls"
+            ];
+            example = "postfinance";
+          };
+          HOST_ID = lib.mkOption {
+            description = "Name of the EBICS host.";
+            type = lib.types.nonEmptyStr;
+            example = "PFEBICS";
+          };
+          USER_ID = lib.mkOption {
+            description = ''
+              User ID of the EBICS subscriber.
+              This value must be assigned by the bank after having activated a new EBICS subscriber.
+            '';
+            type = lib.types.nonEmptyStr;
+            example = "PFC00563";
+          };
+          PARTNER_ID = lib.mkOption {
+            description = ''
+              Partner ID of the EBICS subscriber.
+              This value must be assigned by the bank after having activated a new EBICS subscriber.
+            '';
+            type = lib.types.nonEmptyStr;
+            example = "PFC00563";
+          };
+          IBAN = lib.mkOption {
+            description = "IBAN of the bank account that is associated with the EBICS subscriber.";
+            type = lib.types.nonEmptyStr;
+            example = "CH7789144474425692816";
+          };
+          BIC = lib.mkOption {
+            description = "BIC of the bank account that is associated with the EBICS subscriber.";
+            type = lib.types.nonEmptyStr;
+            example = "POFICHBEXXX";
+          };
+          NAME = lib.mkOption {
+            description = "Legal entity that is associated with the EBICS subscriber.";
+            type = lib.types.nonEmptyStr;
+            example = "John Smith S.A.";
+          };
+          BANK_PUBLIC_KEYS_FILE = lib.mkOption {
+            type = lib.types.path;
+            default = "/var/lib/libeufin-nexus/bank-ebics-keys.json";
+            description = ''
+              Filesystem location where Nexus should store the bank public keys.
+            '';
+          };
+          CLIENT_PRIVATE_KEYS_FILE = lib.mkOption {
+            type = lib.types.path;
+            default = "/var/lib/libeufin-nexus/client-ebics-keys.json";
+            description = ''
+              Filesystem location where Nexus should store the subscriber private keys.
+            '';
+          };
+        };
+        nexus-httpd = {
+          PORT = lib.mkOption {
+            type = lib.types.port;
+            default = 8084;
+            description = ''
+              The port on which libeufin-bank should listen.
+            '';
+          };
+        };
+        libeufin-nexusdb-postgres = {
+          CONFIG = lib.mkOption {
+            type = lib.types.str;
+            description = ''
+              The database connection string for the libeufin-nexus database.
+            '';
+          };
+        };
+      };
+    };
+  };
+
+  config =
+    let
+      cfgMain = config.services.libeufin;
+      cfg = config.services.libeufin.nexus;
+    in
+    lib.mkIf cfg.enable {
+      services.libeufin.nexus.settings.libeufin-nexusdb-postgres.CONFIG = lib.mkIf (
+        cfgMain.bank.enable && cfgMain.bank.createLocalDatabase
+      ) "postgresql:///libeufin-bank";
+    };
+}

hosts/kvernberg/services/pvvvvvv/modules/module-list.nix

@@ -0,0 +1,10 @@
+{
+  imports = [
+    ./libeufin/bank.nix
+    ./libeufin/module.nix
+    ./libeufin/nexus.nix
+    ./taler/exchange.nix
+    ./taler/merchant.nix
+    ./taler/module.nix
+  ];
+}

hosts/kvernberg/services/pvvvvvv/modules/taler/common.nix

@@ -0,0 +1,117 @@
+# TODO: create a common module generator for Taler and Libeufin?
+{
+  talerComponent ? "",
+  servicesDB ? [ ],
+  servicesNoDB ? [ ],
+  ...
+}:
+{
+  lib,
+  pkgs,
+  config,
+  ...
+}:
+let
+  cfg = cfgTaler.${talerComponent};
+  cfgTaler = config.services.taler;
+  settingsFormat = pkgs.formats.ini { };
+
+  services = servicesDB ++ servicesNoDB;
+
+  dbName = "taler-${talerComponent}-httpd";
+  groupName = "taler-${talerComponent}-services";
+
+  inherit (cfgTaler) runtimeDir;
+in
+{
+  options = {
+    services.taler.${talerComponent} = {
+      enable = lib.mkEnableOption "the GNU Taler ${talerComponent}";
+      package = lib.mkPackageOption pkgs "taler-${talerComponent}" { };
+      # TODO: make option accept multiple debugging levels?
+      debug = lib.mkEnableOption "debug logging";
+      openFirewall = lib.mkOption {
+        type = lib.types.bool;
+        default = false;
+        description = "Whether to open ports in the firewall";
+      };
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    services.taler.enable = cfg.enable;
+
+    systemd.services = lib.mergeAttrsList [
+      # Main services
+      (lib.genAttrs (map (n: "taler-${talerComponent}-${n}") services) (name: {
+        serviceConfig = {
+          DynamicUser = true;
+          User = name;
+          Group = groupName;
+          ExecStart = toString [
+            (lib.getExe' cfg.package name)
+            "-c /etc/taler/taler.conf"
+            (lib.optionalString cfg.debug " -L debug")
+          ];
+          RuntimeDirectory = name;
+          StateDirectory = name;
+          CacheDirectory = name;
+          ReadWritePaths = [ runtimeDir ];
+          Restart = "always";
+          RestartSec = "10s";
+        };
+        requires = [ "taler-${talerComponent}-dbinit.service" ];
+        after = [ "taler-${talerComponent}-dbinit.service" ];
+        wantedBy = [ "multi-user.target" ]; # TODO slice?
+      }))
+      # Database Initialisation
+      {
+        "taler-${talerComponent}-dbinit" = {
+          path = [ config.services.postgresql.package ];
+          serviceConfig = {
+            Type = "oneshot";
+            DynamicUser = true;
+            User = dbName;
+            Restart = "on-failure";
+            RestartSec = "5s";
+          };
+          requires = [ "postgresql.service" ];
+          after = [ "postgresql.service" ];
+        };
+      }
+    ];
+
+    users.groups.${groupName} = { };
+    systemd.tmpfiles.settings = {
+      "10-taler-${talerComponent}" = {
+        "${runtimeDir}" = {
+          d = {
+            group = groupName;
+            user = "nobody";
+            mode = "070";
+          };
+        };
+      };
+    };
+
+    networking.firewall = lib.mkIf cfg.openFirewall {
+      allowedTCPPorts = [ cfg.settings."${talerComponent}".PORT ];
+    };
+
+    environment.systemPackages = [ cfg.package ];
+
+    services.taler.includes = [ "/etc/taler/conf.d/${talerComponent}.conf" ];
+    environment.etc."taler/conf.d/${talerComponent}.conf".source = settingsFormat.generate "generated-taler.conf" cfg.settings;
+
+    services.postgresql = {
+      enable = true;
+      ensureDatabases = [ dbName ];
+      ensureUsers = map (service: { name = "taler-${talerComponent}-${service}"; }) servicesDB ++ [
+        {
+          name = dbName;
+          ensureDBOwnership = true;
+        }
+      ];
+    };
+  };
+}

hosts/kvernberg/services/pvvvvvv/modules/taler/exchange.nix

@@ -0,0 +1,143 @@
+{
+  lib,
+  config,
+  options,
+  pkgs,
+  ...
+}:
+
+let
+  cfg = cfgTaler.exchange;
+  cfgTaler = config.services.taler;
+
+  talerComponent = "exchange";
+
+  # https://docs.taler.net/taler-exchange-manual.html#services-users-groups-and-file-system-hierarchy
+  servicesDB = [
+    "httpd"
+    "aggregator"
+    "closer"
+    "wirewatch"
+  ];
+
+  servicesNoDB = [
+    "secmod-cs"
+    "secmod-eddsa"
+    "secmod-rsa"
+  ];
+in
+
+{
+  imports = [
+    (import ./common.nix { inherit talerComponent servicesDB servicesNoDB; })
+  ];
+
+  options.services.taler.exchange = {
+    settings = lib.mkOption {
+      description = ''
+        Configuration options for the taler exchange config file.
+        For a list of all possible options, please see the man page [`taler.conf(5)`](https://docs.taler.net/manpages/taler.conf.5.html#exchange-options)
+      '';
+      type = lib.types.submodule {
+        inherit (options.services.taler.settings.type.nestedTypes) freeformType;
+        options = {
+          # TODO: do we want this to be a sub-attribute or only define the exchange set of options here
+          exchange = {
+            AML_THRESHOLD = lib.mkOption {
+              type = lib.types.str;
+              default = "${cfgTaler.settings.taler.CURRENCY}:1000000";
+              defaultText = "1000000 in {option}`CURRENCY`";
+              description = "Monthly transaction volume until an account is considered suspicious and flagged for AML review.";
+            };
+            DB = lib.mkOption {
+              type = lib.types.str;
+              internal = true;
+              default = "postgres";
+            };
+            MASTER_PUBLIC_KEY = lib.mkOption {
+              type = lib.types.str;
+              default = throw ''
+                You must provide `MASTER_PUBLIC_KEY` with the public part of your master key.
+                This will be used by the auditor service to get information about the exchange.
+                For more information, see https://docs.taler.net/taler-auditor-manual.html#initial-configuration
+                To generate this key, you must run `taler-exchange-offline setup`. It will print the public key.
+              '';
+              defaultText = "None, you must set this yourself.";
+              description = "Used by the exchange to verify information signed by the offline system.";
+            };
+            PORT = lib.mkOption {
+              type = lib.types.port;
+              default = 8081;
+              description = "Port on which the HTTP server listens.";
+            };
+          };
+          exchangedb-postgres = {
+            CONFIG = lib.mkOption {
+              type = lib.types.str;
+              internal = true;
+              default = "postgres:///taler-exchange-httpd";
+              description = "Database connection URI.";
+            };
+          };
+        };
+      };
+      default = { };
+    };
+    denominationConfig = lib.mkOption {
+      type = lib.types.lines;
+      defaultText = "None, you must set this yourself.";
+      example = ''
+        [COIN-KUDOS-n1-t1718140083]
+        VALUE = KUDOS:0.1
+        DURATION_WITHDRAW = 7 days
+        DURATION_SPEND = 2 years
+        DURATION_LEGAL = 6 years
+        FEE_WITHDRAW = KUDOS:0
+        FEE_DEPOSIT = KUDOS:0.1
+        FEE_REFRESH = KUDOS:0
+        FEE_REFUND = KUDOS:0
+        RSA_KEYSIZE = 2048
+        CIPHER = RSA
+      '';
+      description = ''
+        This option configures the cash denomination for the coins that the exchange offers.
+        For more information, consult the [upstream docs](https://docs.taler.net/taler-exchange-manual.html#coins-denomination-keys).
+        You can either write these manually or you can use the `taler-harness deployment gen-coin-config`
+        command to generate it.
+        Warning: Do not modify existing denominations after deployment.
+        Please see the upstream docs for how to safely do that.
+      '';
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    services.taler.includes = [
+      (pkgs.writers.writeText "exchange-denominations.conf" cfg.denominationConfig)
+    ];
+
+    systemd.services.taler-exchange-wirewatch = {
+      requires = [ "taler-exchange-httpd.service" ];
+      after = [ "taler-exchange-httpd.service" ];
+    };
+
+    # Taken from https://docs.taler.net/taler-exchange-manual.html#exchange-database-setup
+    # TODO: Why does aggregator need DELETE?
+    systemd.services."taler-${talerComponent}-dbinit".script =
+      let
+        deletePerm = name: lib.optionalString (name == "aggregator") ",DELETE";
+        dbScript = pkgs.writers.writeText "taler-exchange-db-permissions.sql" (
+          lib.pipe servicesDB [
+            (map (name: ''
+              GRANT SELECT,INSERT,UPDATE${deletePerm name} ON ALL TABLES IN SCHEMA exchange TO "taler-exchange-${name}";
+              GRANT USAGE ON SCHEMA exchange TO "taler-exchange-${name}";
+            ''))
+            lib.concatStrings
+          ]
+        );
+      in
+      ''
+        ${lib.getExe' cfg.package "taler-exchange-dbinit"}
+        psql -U taler-exchange-httpd -f ${dbScript}
+      '';
+  };
+}

hosts/kvernberg/services/pvvvvvv/modules/taler/merchant.nix

@@ -0,0 +1,108 @@
+{
+  lib,
+  config,
+  options,
+  pkgs,
+  ...
+}:
+let
+  cfg = cfgTaler.merchant;
+  cfgTaler = config.services.taler;
+
+  talerComponent = "merchant";
+
+  # https://docs.taler.net/taler-merchant-manual.html#launching-the-backend
+  servicesDB = [
+    "httpd"
+    "webhook"
+    "wirewatch"
+    "depositcheck"
+    "exchange"
+  ];
+in
+{
+  imports = [
+    (import ./common.nix { inherit talerComponent servicesDB; })
+  ];
+
+  options.services.taler.merchant = {
+    settings = lib.mkOption {
+      description = ''
+        Configuration options for the taler merchant config file.
+        For a list of all possible options, please see the man page [`taler.conf(5)`](https://docs.taler.net/manpages/taler.conf.5.html#merchant-options)
+      '';
+      type = lib.types.submodule {
+        inherit (options.services.taler.settings.type.nestedTypes) freeformType;
+        options = {
+          # TODO: do we want this to be a sub-attribute or only define the merchant set of options here
+          merchant = {
+            DB = lib.mkOption {
+              type = lib.types.str;
+              internal = true;
+              default = "postgres";
+              description = "Plugin to use for the database.";
+            };
+            PORT = lib.mkOption {
+              type = lib.types.port;
+              default = 8083;
+              description = "Port on which the HTTP server listens.";
+            };
+            SERVE = lib.mkOption {
+              type = lib.types.str;
+              default = "tcp";
+              description = ''
+                Whether the HTTP server should listen on a UNIX domain socket ("unix") or on a TCP socket ("tcp").
+              '';
+            };
+            LEGAL_PRESERVATION = lib.mkOption {
+              type = lib.types.str;
+              internal = true;
+              default = "10 years";
+              description = "How long to keep data in the database for tax audits after the transaction has completed.";
+            };
+          };
+          merchantdb-postgres = {
+            CONFIG = lib.mkOption {
+              type = lib.types.str;
+              internal = true;
+              default = "postgres:///taler-${talerComponent}-httpd";
+              description = "Database connection URI.";
+            };
+            SQL_DIR = lib.mkOption {
+              type = lib.types.str;
+              internal = true;
+              default = "${cfg.package}/share/taler/sql/merchant/";
+              description = "The location for the SQL files to setup the database tables.";
+            };
+          };
+        };
+      };
+      default = { };
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    systemd.services.taler-merchant-depositcheck = {
+      # taler-merchant-depositcheck needs its executable is in the PATH
+      # NOTE: couldn't use `lib.getExe` to only get that single executable
+      path = [ cfg.package ];
+    };
+
+    systemd.services."taler-${talerComponent}-dbinit".script =
+      let
+        # NOTE: not documented, but is necessary
+        dbScript = pkgs.writers.writeText "taler-merchant-db-permissions.sql" (
+          lib.concatStrings (
+            map (name: ''
+              GRANT SELECT,INSERT,UPDATE,DELETE ON ALL TABLES IN SCHEMA merchant TO "taler-merchant-${name}";
+              GRANT USAGE ON SCHEMA merchant TO "taler-merchant-${name}";
+            '') servicesDB
+          )
+        );
+      in
+      ''
+        ${lib.getExe' cfg.package "taler-merchant-dbinit"}
+        psql -U taler-${talerComponent}-httpd -f ${dbScript}
+      '';
+  };
+}

hosts/kvernberg/services/pvvvvvv/modules/taler/module.nix

@@ -0,0 +1,89 @@
+{
+  lib,
+  pkgs,
+  config,
+  ...
+}:
+
+let
+  cfg = config.services.taler;
+  settingsFormat = pkgs.formats.ini { };
+in
+
+{
+  # TODO turn this into a generic taler-like service thingy?
+  options.services.taler = {
+    enable = lib.mkEnableOption "the GNU Taler system" // lib.mkOption { internal = true; };
+    includes = lib.mkOption {
+      type = lib.types.listOf lib.types.path;
+      default = [ ];
+      description = ''
+        Files to include into the config file using Taler's `@inline@` directive.
+        This allows including arbitrary INI files, including imperatively managed ones.
+      '';
+    };
+    settings = lib.mkOption {
+      description = ''
+        Global configuration options for the taler config file.
+        For a list of all possible options, please see the man page [`taler.conf(5)`](https://docs.taler.net/manpages/taler.conf.5.html)
+      '';
+      type = lib.types.submodule {
+        freeformType = settingsFormat.type;
+        options = {
+          taler = {
+            CURRENCY = lib.mkOption {
+              type = lib.types.nonEmptyStr;
+              description = ''
+                The currency which taler services will operate with. This cannot be changed later.
+              '';
+            };
+            CURRENCY_ROUND_UNIT = lib.mkOption {
+              type = lib.types.str;
+              default = "${cfg.settings.taler.CURRENCY}:0.01";
+              defaultText = lib.literalExpression ''
+                "''${config.services.taler.settings.taler.CURRENCY}:0.01"
+              '';
+              description = ''
+                Smallest amount in this currency that can be transferred using the underlying RTGS.
+                You should probably not touch this.
+              '';
+            };
+          };
+        };
+      };
+      default = { };
+    };
+    runtimeDir = lib.mkOption {
+      type = lib.types.str;
+      default = "/run/taler-system-runtime/";
+      description = ''
+        Runtime directory shared between the taler services.
+        Crypto helpers put their sockets here for instance and the httpd
+        connects to them.
+      '';
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    services.taler.settings.PATHS = {
+      TALER_DATA_HOME = "\${STATE_DIRECTORY}/";
+      TALER_CACHE_HOME = "\${CACHE_DIRECTORY}/";
+      TALER_RUNTIME_DIR = cfg.runtimeDir;
+    };
+
+    environment.etc."taler/taler.conf".source =
+      let
+        includes = pkgs.writers.writeText "includes.conf" (
+          lib.concatStringsSep "\n" (map (include: "@inline@ ${include}") cfg.includes)
+        );
+        generatedConfig = settingsFormat.generate "generated-taler.conf" cfg.settings;
+      in
+      pkgs.runCommand "taler.conf" { } ''
+        cat ${includes} > $out
+        echo >> $out
+        echo >> $out
+        cat ${generatedConfig} >> $out
+      '';
+
+  };
+}

hosts/shark/configuration.nix

@@ -1,13 +1,13 @@
-{ config, fp, pkgs, values, ... }:
+{ config, pkgs, values, ... }:
 {
   imports = [
       # Include the results of the hardware scan.
       ./hardware-configuration.nix
-      (fp /base)
-      (fp /misc/metrics-exporters.nix)
+      ../../base
+      ../../misc/metrics-exporters.nix
     ];
 
-  sops.defaultSopsFile = fp /secrets/shark/shark.yaml;
+  sops.defaultSopsFile = ../../secrets/shark/shark.yaml;
   sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
   sops.age.keyFile = "/var/lib/sops-nix/key.txt";
   sops.age.generateKey = true;

hosts/ustetind/configuration.nix

@@ -1,44 +0,0 @@
-{ config, fp, pkgs, lib, values, ... }:
-
-{
-  imports = [
-    (fp /base)
-    (fp /misc/metrics-exporters.nix)
-
-    ./services/gitea-runners.nix
-  ];
-
-  sops.defaultSopsFile = fp /secrets/ustetind/ustetind.yaml;
-  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
-  sops.age.keyFile = "/var/lib/sops-nix/key.txt";
-  sops.age.generateKey = true;
-
-  networking.hostName = "ustetind";
-
-  networking.useHostResolvConf = lib.mkForce false;
-
-  systemd.network.networks = {
-    "30-lxc-eth" = values.defaultNetworkConfig // {
-      matchConfig = {
-        Type = "ether";
-        Kind = "veth";
-        Name = [
-          "eth*"
-        ];
-      };
-      address = with values.hosts.ustetind; [ (ipv4 + "/25") (ipv6 + "/64") ];
-    };
-    "40-podman-veth" = values.defaultNetworkConfig // {
-      matchConfig = {
-        Type = "ether";
-        Kind = "veth";
-        Name = [
-          "veth*"
-        ];
-      };
-      DHCP = "yes";
-    };
-  };
-
-  system.stateVersion = "24.11";
-}

modules/grzegorz.nix

@@ -2,8 +2,6 @@
 let
   grg = config.services.greg-ng;
   grgw = config.services.grzegorz-webui;
-
-  machine = config.networking.hostName;
 in {
   services.greg-ng = {
     enable = true;
@@ -18,77 +16,37 @@ in {
     listenAddr = "localhost";
     listenPort = 42069;
     listenWebsocketPort = 42042;
-    hostName = "${machine}-old.pvv.ntnu.no";
-    apiBase = "https://${machine}-backend.pvv.ntnu.no/api";
-  };
-
-  services.gergle = {
-    enable = true;
-    virtualHost = config.networking.fqdn;
+    hostName = "${config.networking.fqdn}";
+    apiBase = "http://${grg.settings.host}:${toString grg.settings.port}/api";
   };
 
   services.nginx.enable = true;
-  services.nginx.virtualHosts = {
-    ${config.networking.fqdn} = {
-      forceSSL = true;
-      enableACME = true;
-      kTLS = true;
-      serverAliases = [
-        "${machine}.pvv.org"
-      ];
-      extraConfig = ''
-        allow 129.241.210.128/25;
-        allow 2001:700:300:1900::/64;
-        deny all;
-      '';
+  services.nginx.virtualHosts."${config.networking.fqdn}" = {
+    forceSSL = true;
+    enableACME = true;
+    kTLS = true;
+    serverAliases = [
+      "${config.networking.hostName}.pvv.org"
+    ];
+    extraConfig = ''
+      allow 129.241.210.128/25;
+      allow 2001:700:300:1900::/64;
+      deny all;
+    '';
+
+    locations."/" = {
+      proxyPass = "http://${grgw.listenAddr}:${toString grgw.listenPort}";
     };
-
-    "${machine}-backend.pvv.ntnu.no" = {
-      forceSSL = true;
-      enableACME = true;
-      kTLS = true;
-      serverAliases = [
-        "${machine}-backend.pvv.org"
-      ];
-      extraConfig = ''
-        allow 129.241.210.128/25;
-        allow 2001:700:300:1900::/64;
-        deny all;
-      '';
-
-      locations."/" = {
-        proxyPass = "http://${grg.settings.host}:${toString grg.settings.port}";
-        proxyWebsockets = true;
-      };
+    # https://github.com/rawpython/remi/issues/216
+    locations."/websocket" = {
+      proxyPass = "http://${grgw.listenAddr}:${toString grgw.listenWebsocketPort}";
+      proxyWebsockets = true;
     };
-
-    "${machine}-old.pvv.ntnu.no" = {
-      forceSSL = true;
-      enableACME = true;
-      kTLS = true;
-      serverAliases = [
-        "${machine}-old.pvv.org"
-      ];
-      extraConfig = ''
-        allow 129.241.210.128/25;
-        allow 2001:700:300:1900::/64;
-        deny all;
-      '';
-
-      locations."/" = {
-        proxyPass = "http://${grgw.listenAddr}:${toString grgw.listenPort}";
-      };
-      # https://github.com/rawpython/remi/issues/216
-      locations."/websocket" = {
-        proxyPass = "http://${grgw.listenAddr}:${toString grgw.listenWebsocketPort}";
-        proxyWebsockets = true;
-      };
-      locations."/api" = {
-        proxyPass = "http://${grg.settings.host}:${toString grg.settings.port}";
-      };
-      locations."/docs" = {
-        proxyPass = "http://${grg.settings.host}:${toString grg.settings.port}";
-      };
+    locations."/api" = {
+      proxyPass = "http://${grg.settings.host}:${toString grg.settings.port}";
+    };
+    locations."/docs" = {
+      proxyPass = "http://${grg.settings.host}:${toString grg.settings.port}";
     };
   };
 }

packages/mediawiki-extensions/default.nix

@@ -12,7 +12,7 @@ let
     name
   , commit
   , hash
-  , tracking-branch ? "REL1_42"
+  , tracking-branch ? "REL1_41"
   , kebab-name ? kebab-case-name name
   , fetchgit ? pkgs.fetchgit
   }:
@@ -33,63 +33,63 @@ in
 lib.mergeAttrsList [
   (mw-ext {
     name = "CodeEditor";
-    commit = "9f69f2cf7616342d236726608a702d651b611938";
-    hash = "sha256-sRaYj34+7aghJUw18RoowzEiMx0aOANU1a7YT8jivBw=";
+    commit = "7d8447035e381d76387e38b92e4d1e2b8d373a01";
+    hash = "sha256-v2AlbP0vZma3qZyEAWGjZ/rLcvOpIMroyc1EixKjlAU=";
   })
   (mw-ext {
     name = "CodeMirror";
-    commit = "1a1048c770795789676adcf8a33c1b69f6f5d3ae";
-    hash = "sha256-Y5ePrtLNiko2uU/sesm8jdYmxZkYzQDHfkIG1Q0v47I=";
+    commit = "a7b4541089f9b88a0b722d9d790e4cf0f13aa328";
+    hash = "sha256-clyzN3v3+J4GjdyhrCsytBrH7VR1tq5yd0rB+32eWCg=";
   })
   (mw-ext {
     name = "DeleteBatch";
-    commit = "b76bb482e026453079104d00f9675b4ab851947e";
-    hash = "sha256-GebF9B3RVwpPw8CYKDDT6zHv/MrrzV6h2TEIvNlRmcw=";
+    commit = "cad869fbd95637902673f744581b29e0f3e3f61a";
+    hash = "sha256-M1ek1WdO1/uTjeYlrk3Tz+nlb/fFZH+O0Ok7b10iKak=";
   })
   (mw-ext {
     name = "PluggableAuth";
-    commit = "1da98f447fd8321316d4286d8106953a6665f1cc";
-    hash = "sha256-DKDVcAfWL90FmZbSsdx1J5PkGu47EsDQmjlCpcgLCn4=";
+    commit = "4111a57c34e25bde579cce5d14ea094021e450c8";
+    hash = "sha256-aPtN8A9gDxLlq2+EloRZBO0DfHtE0E5kbV/adk82jvM=";
   })
   (mw-ext {
     name = "Popups";
-    commit = "9b9e986316b9662b1b45ce307a58dd0320dd33cf";
-    hash = "sha256-rSOZHT3yFIxA3tPhIvztwMSmSef/XHKmNfQl1JtGrUA=";
+    commit = "f1bcadbd8b868f32ed189feff232c47966c2c49e";
+    hash = "sha256-PQAjq/X4ZYwnnZ6ADCp3uGWMIucJy0ZXxsTTbAyxlSE=";
   })
   (mw-ext {
     name = "Scribunto";
-    commit = "eb6a987e90db47b09b0454fd06cddb69fdde9c40";
-    hash = "sha256-Nr0ZLIrS5jnpiBgGnd90lzi6KshcsxeC+xGmNsB/g88=";
+    commit = "7b99c95f588b06635ee3c487080d6cb04617d4b5";
+    hash = "sha256-pviueRHQAsSlv4AtnUpo2Cjci7CbJ5aM75taEXY+WrI=";
   })
   (mw-ext {
     name = "SimpleSAMLphp";
     kebab-name = "simple-saml-php";
-    commit = "fd4d49cf48d16efdb91ae8128cdd507efe84d311";
-    hash = "sha256-Qdtroew2j3AsZYlhAAUKQXXS2kUzUeQFnuR6ZHdFhAQ=";
+    commit = "ecb47191fecd1e0dc4c9d8b90a9118e393d82c23";
+    hash = "sha256-gKu+O49XrAVt6hXdt36Ru7snjsKX6g2CYJ0kk/d+CI8=";
   })
   (mw-ext {
     name = "TemplateData";
-    commit = "836e3ca277301addd2578b2e746498ff6eb8e574";
-    hash = "sha256-UMcRLYxYn+AormwTYjKjjZZjA806goMY2TRQ4KoS5fY=";
+    commit = "1ec66ce80f8a4322138efa56864502d0ee069bad";
+    hash = "sha256-Lv3Lq9dYAtdgWcwelveTuOhkP38MTu0m5kmW8+ltRis=";
   })
   (mw-ext {
     name = "TemplateStyles";
-    commit = "06a2587689eba0a17945fd9bd4bb61674d3a7853";
-    hash = "sha256-C7j0jCkMeVZiLKpk+55X+lLnbG4aeH+hWIm3P5fF4fw=";
+    commit = "581180e898d6a942e2a65c8f13435a5d50fffa67";
+    hash = "sha256-zW8O0mzG4jYfQoKi2KzsP+8iwRCLnWgH7qfmDE2R+HU=";
   })
   (mw-ext {
     name = "UserMerge";
-    commit = "41759d0c61377074d159f7d84130a095822bc7a3";
-    hash = "sha256-pGjA7r30StRw4ff0QzzZYUhgD3dC3ZuiidoSEz8kA8Q=";
+    commit = "c17c919bdb9b67bb69f80df43e9ee9d33b1ecf1b";
+    hash = "sha256-+mkzTCo8RVlGoFyfCrSb5YMh4J6Pbi1PZLFu5ps8bWY=";
   })
   (mw-ext {
     name = "VisualEditor";
-    commit = "a128b11fe109aa882de5a40d2be0cdd0947ab11b";
-    hash = "sha256-bv1TkomouOxe+DKzthyLyppdEUFSXJ9uE0zsteVU+D4=";
+    commit = "90bb3d455892e25317029ffd4bda93159e8faac8";
+    hash = "sha256-SZAVELQUKZtwSM6NVlxvIHdFPodko8fhZ/uwB0LCFDA=";
   })
   (mw-ext {
     name = "WikiEditor";
-    commit = "21383e39a4c9169000acd03edfbbeec4451d7974";
-    hash = "sha256-aPVpE6e4qLLliN9U5TA36e8tFrIt7Fl8RT1cGPUWoNI=";
+    commit = "8dba5b13246d7ae09193f87e6273432b3264de5f";
+    hash = "sha256-vF9PBuM+VfOIs/a2X1JcPn6WH4GqP/vUJDFkfXzWyFU=";
   })
 ]

secrets/bekkalokk/bekkalokk.yaml

@@ -5,9 +5,12 @@ gitea:
     database: ENC[AES256_GCM,data:UlS33IdCEyeSvT6ngpmnkBWHuSEqsB//DT+3b7C+UwbD8UXWJlsLf1X8/w==,iv:mPRW5ldyZaHP+y/0vC2JGSLZmlkhgmkvXPk4LazkSDs=,tag:gGk6Z/nbPvzE1zG+tJC8Sw==,type:str]
     email-password: ENC[AES256_GCM,data:KRwC+aL1aPvJuXt91Oq1ttATMnFTnuUy,iv:ats8TygB/2pORkaTZzPOLufZ9UmvVAKoRcWNvYF1z6w=,tag:Do0fA+4cZ3+l7JJyu8hjBg==,type:str]
     passwd-ssh-key: ENC[AES256_GCM,data:L0lF0wvpayss1NU9m3A45cH0bCMQzODTFVrq6EPd1JHx54wIcoaRBYLmxXKXASzBlCg9zlwXMUIk3OQcS3kdzMKL0iqcSL2iicAcKjFIHyrWLqXgwV5pRSP/tRPcVw8KW8gz0bh33EgESs5ReddZ3VZ0Cy1s2YupMRQvBXr89k1+Hv70OWB6P06hvxhv/zKcMGI1N/dWLroMgrQuT9imw4+/Q1RqwzTYeEU+eUn24AM9GjcBg4qf3OI+6g0nXUat/upIYE28iF5J3lbUSmDSmirBLc8xgHLdOyyJPTObWYWYxlSL78T7IqiMm9lI3rtBlpJDDcn/YxZpVqN5bg2154GISNK+uR0TVSLdJ+drdGHIfIX3G78XSxf2L9rbJyRn8MQlgStfdBIQicLavQKVMrmj+XQfvEMez23WbPLjH4oViBQFI+GrOHOGy/f16cz8Sn4n+69OcsOeTxs3tKYdfq6r1XLYSJ/fe/zvxBpaZiyGXljsuyEdIyBL2A8D6uSXe3Nd3/DAdBtceFfIdN1olCdutixzVWgxaJnrel161z5A/4w=,iv:Uy46yY3jFYSvpxrgCHxRMUksnWfhf5DViLMvCXVMMl4=,tag:wFEJ5+icFrOKkc56gY0A5g==,type:str]
-    gpg-signing-key: ENC[AES256_GCM,data:y/g1rpsEgiGEJ9BGii6te166ABpg1jgsyYMT1Ji5njLbT8/juBBMc7BFEM5BcIxKpQGijymsB+Htl8CZAN4Bl3FHSRyrnXGuMCnveJfw1qTVjMa6soriHv7EdTDFPCp3TYMbs1OgY/bhGJIvp8e4hCVd4F3x8eAlFmiwHhkxr62qQNHjH7SRNIyUNibf/TTttOeEcercxOy7FeUE99D+CWG4pnJNEYyRHDdddalgpSJyZIJvPpXoKmeCDk3futnxiZ15Vr7bDS5u4dqnE+no7DKoZ5fvk38f/77JH3w/Qom7NCYSG6L+unJ3r3RKuuGMRDjdz09TPZ4APpmrlyOElfGMmm134g6mdhgXmwNCo65Z7VOd1OKFA/uyZm2b7XsT3tCgRalE8gBa0R3MBMi3JK+5KUdS6ZUvYXDt8D8C68ldM3K9E7lyeeHn775rV6L4JIXcj/NL1O23sXtjeVuUPQmsUesgYlllRaiTSTfY7K+yOIG3wqqCuCDSAeILQICkvod4iw4xdVMQzd8eQtbD6bCjOzHwvBcu+rOSN6ti+xOQ7bJ9+6xhCgJJsiADkp2q09cUu8mDbUh+YJxfu+oZhPomOJVDMSqfS4qNXcVM9mbak/L9KPR4b83GqTpmXHnDMlGe4BHGXrkIUKPsBQ5TmdckXbpRDBQFrnjVvFT+Gfx3xwHxWc9fbxcFID2wp69EzQrGC77bDPCFxBT5vAVwffGYUezPQEo25bKRpCWxTFTpiIQfACrwzZc/O9cmwDgrYN7bTZyrrp8cbyBtllZGYmXxLDkDOzIqzpLG3b0yJC2jSnw0f1DkU6M2mD/j9FRTVW1MVymyLPiZQ7T9QyZ3MekHEEY1QqmyiJMIOekSzC5+3Us6Nl32MeBrIry6NuV8ewIQF5bcZEHtSmZ0k/wBtK0fpFHUuc/vETFuRUiQw/InhN5W8iH78vFvflxBfg61Qp7PzEx0k0axwEc6VAKbEg/uFNL+fhUKKt7sYiEBmwg2Vsj3pyZgdmjPZEsOQ86+psaxv+2feH94wog47jDHFRrc4iRC5w7kZ6UJXHfZt9lkBbwl4qNwiOLlPnUUcR+CpTBpPoKD9ulidQGfcYY49+iE+PM5dAI2CtisKpLQiwmrvjOzB1a/rC9QnH679frgH5Ebb57WRL4uSAVNRdIvIGzAF5MNwQOu+cxKoiW6ZmuNJSb547XUB1UO,iv:aKzrgAV30sLfPEpgdQ26ZzdM3+gYtoSpZ9mNyqCqf/M=,tag:vjywN4qxh2zsCE3RPG6Yrw==,type:str]
     ssh-known-hosts: ENC[AES256_GCM,data:zlRLoelQeumMxGqPmgMTB69X1RVWXIs2jWwc67lk0wrdNOHUs5UzV5TUA1JnQ43RslBU92+js7DkyvE5enGzw7zZE5F1ZYdGv/eCgvkTMC9BoLfzHzP6OzayPLYEt3xJ5PRocN8JUAD55cuu4LgsuebuydHPi2oWOfpbSUBKSeCh6dvk5Pp1XRDprPS5SzGLW8Xjq98QlzmfGv50meI9CDJZVF9Wq/72gkyfgtb3YVdr,iv:AF06TBitHegfWk6w07CdkHklh4ripQCmA45vswDQgss=,tag:zKh7WVXMJN2o9ZIwIkby3Q==,type:str]
     import-user-env: ENC[AES256_GCM,data:wArFwTd0ZoB4VXHPpichfnmykxGxN8y2EQsMgOPHv7zsm6A+m2rG9BWDGskQPr5Ns9o=,iv:gPUzYFSNoALJb1N0dsbNlgHIb7+xG7E9ANpmVNZURQ0=,tag:JghfRy2OcDFWKS9zX1XJ9A==,type:str]
+    runners:
+        alpha: ENC[AES256_GCM,data:gARxCufePz+EMVwEwRsL2iZUfh9HUowWqtb7Juz3fImeeAdbt+k3DvL/Nwgegg==,iv:3fEaWd7v7uLGTy2J7EFQGfN0ztI0uCOJRz5Mw8V5UOU=,tag:Aa6LwWeW2hfDz1SqEhUJpA==,type:str]
+        beta: ENC[AES256_GCM,data:DVjS78IKWiWgf+PuijCZKx4ZaEJGhQr7vl+lc7QOg1JlA4p9Kux/tOD8+f2+jA==,iv:tk3Xk7lKWNdZ035+QVIhxXy2iJbHwunI4jRFM4It46E=,tag:9Mr6o//svYEyYhSvzkOXMg==,type:str]
+        epsilon: ENC[AES256_GCM,data:JMnZVBdiy+5oPyXgDpfYvy7qLzIEfHy09fQSBDpNG4zDXTil2pSKBKxk09h5xg==,iv:/8oXKJW6+sMBjDt51MqVAWjQPM5nk02Lv5QqbZsZ5ms=,tag:+Rx7ursfVWc0EcExCLgLhQ==,type:str]
 mediawiki:
     password: ENC[AES256_GCM,data:HsBuA1E7187roGnKuFPfPDYxA16GFjAUucgUtrdUFmcOzmTNiFH+NWY2ZQ==,iv:vDYUmmZftcrkDtJxNYKAJSx9j+AQcmQarC62QRHR4IM=,tag:3TKjNrGRivFWoK3djC748g==,type:str]
     postgres_password: ENC[AES256_GCM,data:XIOmrOVXWvMMcPJtmovhdyZvLlhmrsrwjuMMkdEY1NIXWjevj5XEkp6Cpw==,iv:KMPTRzu3H/ewfEhc/O0q3o230QNkABfPYF/D1SYL2R8=,tag:sFZiFPHWxwzD9HndPmH3pQ==,type:str]
@@ -94,8 +97,8 @@ sops:
             UHpLRkdQTnhkeGlWVG9VS1hkWktyckEKAdwnA9URLYZ50lMtXrU9Q09d0L3Zfsyr
             4UsvjjdnFtsXwEZ9ZzOQrpiN0Oz24s3csw5KckDni6kslaloJZsLGg==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-12-09T21:18:23Z"
-    mac: ENC[AES256_GCM,data:scdduZPcJZgeT9LarRgxVr/obYsGrJAbMoLGJPPPp19qxOJMTdvYfMz8bxPjCikB4MacEgVZmcnKIn5aCzHJAnCI/7F2wm1DDtW9ZI5qbhDJKSSld+m2leOSPfR8VY/0qj6UNgGnwkwx7dfcAlv8cP2Sp3o1M2oyQxeXPr5FWEg=,iv:JEAwkCewMp0ERmYU62kZkbl7+FET1ZeRr6xeEwt6ioM=,tag:jxvli935X3JyZYe7fFbnLg==,type:str]
+    lastmodified: "2024-10-12T21:56:27Z"
+    mac: ENC[AES256_GCM,data:bZ1BbVC6D+B6SFze2ReeCUcQamK/O14zH3YxCjWBwMC++w3niIiEx4Bq7Ulci5yuMld0luVsfUzHoqFN/+zvZbV2rGVk8lVRiTrpFoSZ78aUUgeHG9ROLXsR7T7rVhLWbl86y1G5LcKws7G55V0wAh6f58WjYYzwR8fnBmfW1Ko=,iv:7xtMdtXQB9uZirE/CkUSmeu0qnG++R7DUR7zn/Bo0lM=,tag:DH/BJPpAp//quDqKNXyHcg==,type:str]
     pgp:
         - created_at: "2024-08-04T00:03:28Z"
           enc: |-

secrets/ustetind/ustetind.yaml

@@ -1,90 +0,0 @@
-gitea:
-    runners:
-        alpha: ENC[AES256_GCM,data:Hnq2guka4oERPIFCv1/ggrLjaePA7907VHXMStDQ7ll3hntTioT76qGOUJgfIw==,iv:wDPYuuL6VAWJakrz6asVRrzwRxqw0JDRes13MgJIT6E=,tag:ogFUeUirHVkCLN63nctxOw==,type:str]
-        beta: ENC[AES256_GCM,data:HmdjBvW8eO5MkzXf7KEzSNQAptF/RKN8Bh03Ru7Ru/Ky+eJJtk91aqSSIjFa+Q==,iv:Hz9HE3U6CFfZFcPmYMd6wSzZkSvszt92L2gV+pUlMis=,tag:LG3NfsS7B1EdRFvnP3XESQ==,type:str]
-        epsilon: ENC[AES256_GCM,data:wfGxwWwDzb6AJaFnxe/93WNZGtuTpCkLci/Cc5MTCTKJz6XlNuy3m/1Xsnw0hA==,iv:I6Zl+4BBAUTXym2qUlFfdnoLTHShu+VyxPMjRlFzMis=,tag:jjTyZs1Nzqlhjd8rAldxDw==,type:str]
-sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
-    age:
-        - recipient: age1hffjafs4slznksefmtqrlj7rdaqgzqncn4un938rhr053237ry8s3rs0v8
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIYVl6ZnI5TkhxK0JKNnlL
-            WE5YZUZ2T1JEbCtvSVUxemZ1QUs4R2pjMWc0ClJ0cnU0c0d5bU5jWU1aVGd6WE45
-            Wm9OT0xPaTJ3Y2kxMU5RTHdRKy81b2sKLS0tIEx4SkFoV240VUJieWFlc3hRWU1Y
-            SWlwZnNOT3paRHRsTC9CQUp5SlBvTncKdcMI8pWtsfBpgeUagOmZUXIC6svkfmwE
-            QF3GpWZgeVvo8e2oT2kBjerCDlUlzd0jJ8aK+B56xifTm7ii3oCAIA==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age17tagmpwqjk3mdy45rfesrfey6h863x8wfq38wh33tkrlrywxducs0k6tpq
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3QVBaQWlSZk43dEtHVWF1
-            WmFBcmx3eFUvU2lrd0RCUGx3a2hDWHEzTUR3Cm9BclM3OU9SUnpySDZJZHRudmtO
-            Ulp5OEZvZmMyRGJvQXJnUDVLdVRJUVkKLS0tIHE3M3MycE9pU1huYUREN3luWEZV
-            WlNuN3BWeHhqL1dEOUJBSVNTaVJ3eTgKb5MRfeaay22PI9V5hni5mhnb0QF8PG8H
-            bKWbc2SwdMNolrxhUiiIhdppEtXGHqLyBel786tuOdtEwVcy+m/rtA==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1mrnldl334l2nszuta6ywvewng0fswv2dz9l5g4qcwe3nj4yxf92qjskdx6
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQaDB6enozMFpqcWxFdU93
-            MEg5RTRzZExzWGppenlBTlZZRlpqWDBPT0UwCnhOaXI5R3Jrd0hWY0xqc1VXaDJZ
-            TUxwSTZDcHd0bnZPR2N2d0JVTUJONnMKLS0tIENzOW9PM0tQSndVNmF1bTZ4anpw
-            b1RzL0NEOWg0dGZUa0Jpd3hiTlRGSm8KleRV5c/Xoe0B1VtnR3y0sgXpmhMS8pKl
-            TWaAQTRlM9X2Pk5M/J/bu369ncmw/kycJKjK6W1yluaGwBNuEP+K4Q==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1hmpdk4h69wxpwqk9tkud39f66hprhehxtzhgw97r6dvr7v0mx5jscsuhkn
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0N1JvRVE0Y0xOMERMVXdB
-            enZiNk1DZTJTUnluRVBIWm9WNmFPc21rU0FZCjBIeHErSHgveFFFdk9ybWwrRXZG
-            WGpVcHliUW9Qb3dLb2Q0aWlrZmpiVm8KLS0tIG0wcXJVK2dMeG9NUTFQSzVtY2RG
-            UE1FS3MvSXlxdEtJVWxJVDRFSkRmQkkK/2z7Lu6LVd6RLZAXKs+JsPc+1kcqFAET
-            0zlTTTU0goTBLuXZ7uxFVZtqc1Nmoarf5Ksm/zcZ2B80P5ox9CzcWQ==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1wrssr4z4g6vl3fd3qme5cewchmmhm0j2xe6wf2meu4r6ycn37anse98mfs
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4SFpKcVBTTlp3SXhVaGQy
-            QVVEV3h6dTZVcmx6aFc1eHF4UzJPbXQ2RnhvCkZiOEYydWhCYUtwcUdieGpBeTZh
-            Z3dYVno5bFNkOUszNHBJNTdQWS9jUTQKLS0tIEhPVEdLK0RaclVvdklFNUJCcHNi
-            OXVobVJCTjhQZ2RTQ21xK2dUY0h5RGcKcPBgD5FIWuyQBhmPt5aqrWgEG1tzhtr0
-            gVyLxgtMFGeeShjdpivgcWI/GZZlhWJilJOoZo7f6TknvCIIKsrUSA==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1zhxul786an743u0fascv4wtc5xduu7qfy803lfs539yzhgmlq5ds2lznt5
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYWlhiS1dxekZGZkRCQU9O
-            SktHRHRXL2VhNUJSRVhBeEM5UEZ1R0pFdXdrCnZQOUZaYitpSlJ0aXFpZXFrRFJj
-            MmZiLytvekZtVXYzamJDakc1RjdIREEKLS0tICtiOTZMRGZuWEdHTmZwRjZ2dUNT
-            aU4xWjVYYlNvSmYxajVGdzk5dTQ4WG8Klq12bSegsW29xp4qteuCB5Tzis6EhVCk
-            53jqtYe5UG9MjFVQYiSi2jJz5/dxfqSINMZ/Y/EB5LxbwgbFws8Yuw==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-12-12T12:20:19Z"
-    mac: ENC[AES256_GCM,data:D9/NAd/zrF6pHFdZjTUqI+u4WiwJqt0w5Y+SYCS1o/dAXJE/ajHzse/vCSGXZIjP0yqe+S/NyTvhf+stw2B4dk6Njtabjd+PhG0hR4L0X07FtFqzB3u5pLHCb0bH9QLG5zWcyMkwNiNTCvhRUZzbcqLEGqqJ7ZjZAEUfYSR+Jls=,iv:5xPfODPxtQjgbl8delUHsmhD0TI2gHjrxpHV+qiFE00=,tag:HHLo5G8jhy/sKB3R+sKmwQ==,type:str]
-    pgp:
-        - created_at: "2024-12-09T21:17:27Z"
-          enc: |-
-            -----BEGIN PGP MESSAGE-----
-
-            hQIMA0av/duuklWYARAAv2XS2jzoymOzpRHquUbYpUtbIeKXhPS8i9uk2zBvSKnr
-            b/jZCpvtkCcSz1UFm+HzSn/i1eNkj9ghObisifvqY6JbO0DIa1jFlx1TfE9pj8dE
-            rrNTsYfxNwdGOvklPBHm3vKY5qPiGlE71TaKkJcO79vE5jxwhUqzWI9SWAZY3cFw
-            IVJN44DT0I4ctTlwPM9eAYYodL8QP8OMXHJ/mjI4SPODRsvrOyy6rpip40Q+dU/N
-            DwRupzrRlxJ8BDSh/x6J/AryZSwkmChX9cYyGaDknJ3ONQ0XLhVUtLkAvPWtWeow
-            6NVHmUOJ39ockT1clhYy2P5rQTraZESuI7vaSS9zVIuScBnJwbSRZ5xgxSD6Fj+C
-            Y/JyogXa8FtyG6xeMgIwW7t/m/rbXL5OkP4w8D+CJs+4I55WXz054XOZ937EisVH
-            XAlNBIHixjQVckbb+sS7rEmegfoC+rvOXA0irpwXFiapAbMGUePCwQHdSBMP8orC
-            Tb3E8kqHATN40b8CpUBcPw6HCQKmbhe8o+R8NG6TZh6JH7kSztl2+SIIuMzhDflr
-            1AphY047Ku2RANaWfo+xyVZMWgAQcnoaUOeYaHJ9nZ7f2klJ3fnRtdXJn1gcO3i3
-            NZVRjjYHJgzCVCIZJa1b1TMGep84naF7NmRkNlS4wyv6MXGqSpHHZUGUBAQOCMPS
-            XAEqjZt8va0LKtsPsBOTGQDuzTar+2069fu6TjS07mJM2sTp/G8bGBnvjc0TIplZ
-            M5FOiCilI9yX7vQ0O3LUKJW5zELWnW2d+3okpGjgkr0BFERtM7BMCp6nxR6+
-            =rEY5
-            -----END PGP MESSAGE-----
-          fp: F7D37890228A907440E1FD4846B9228E814A2AAC
-    unencrypted_suffix: _unencrypted
-    version: 3.9.2

users/frero.nix

@@ -1,11 +0,0 @@
-{ pkgs, ... }:
-{
-  users.users.frero = {
-    isNormalUser = true;
-    extraGroups = [ "wheel" "drift" "nix-builder-users" ];
-    shell = pkgs.zsh;
-    openssh.authorizedKeys.keys = [
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII09JbtSUMurvmHpJ7TmUQctXpNVhjFYhoJ3+1ZITmMx"
-    ];
-  };
-}

values.nix

@@ -31,10 +31,6 @@ in rec {
       ipv4 = pvv-ipv4 168;
       ipv6 = pvv-ipv6 168;
     };
-    dagali = {
-      ipv4 = pvv-ipv4 185;
-      ipv6 = pvv-ipv6 185;
-    };
     ildkule = {
       ipv4 = "129.241.153.213";
       ipv4_internal = "192.168.12.209";
@@ -64,9 +60,9 @@ in rec {
       ipv4 = pvv-ipv4 204;
       ipv6 = pvv-ipv6 "1:4f"; # Wtf øystein og daniel why
     };
-    ustetind = {
-      ipv4 = pvv-ipv4 234;
-      ipv6 = pvv-ipv6 234;
+    kvernberg = {
+      ipv4 = pvv-ipv4 206;
+      ipv6 = pvv-ipv6 "1:206";
     };
   };