fix daemon things for worblehat

This fixes issues with rebuilding georg and brzeczyszczykiewicz.

Reviewed-on: https://git.pvv.ntnu.no/Drift/pvv-nixos-config/pulls/128
Reviewed-by: Oystein Kristoffer Tveit <oysteikt@pvv.ntnu.no>
Co-authored-by: Vegard Bieker Matthey <VegardMatthey@protonmail.com>
Co-committed-by: Vegard Bieker Matthey <VegardMatthey@protonmail.com>

.sops.yaml

@@ -22,6 +22,7 @@ keys:
   - &host_lupine-5 age199zkqq4jp4yc3d0hx2q0ksxdtp42xhmjsqwyngh8tswuck34ke3smrfyqu
   - &host_skrott age1lpkju2e053aaddpgsr4ef83epclf4c9tp4m98d35ft2fswr8p4tq2ua0mf
   - &host_ustetind age1hffjafs4slznksefmtqrlj7rdaqgzqncn4un938rhr053237ry8s3rs0v8
+  - &host_skrot age1hzkvnktkr8t5gvtq0ccw69e44z5z6wf00n3xhk3hj24emf07je5s6q2evr
 
 creation_rules:
   # Global secrets
@@ -147,3 +148,15 @@ creation_rules:
       - *user_vegardbm
       pgp:
       - *user_oysteikt
+  - path_regex: secrets/skrot/[^/]+\.yaml$
+    key_groups:
+    - age:
+      - *host_skrot
+      - *user_danio
+      - *user_felixalb
+      - *user_pederbs_sopp
+      - *user_pederbs_nord
+      - *user_pederbs_bjarte
+      - *user_vegardbm
+      pgp:
+      - *user_oysteikt

README.md

@@ -43,7 +43,7 @@ revert the changes on the next nightly rebuild (tends to happen when everybody i
 | [kommode][kom]             | Virtual  | Gitea + Gitea pages                                       |
 | [lupine][lup]              | Physical | Gitea CI/CD runners                                       |
 |  shark                     | Virtual  | Test host for authentication, absolutely horrendous       |
-| [skrott][skr]              | Physical | Kiosk, snacks and soda                                    |
+| [skrot/skrott][skr]        | Physical | Kiosk, snacks and soda                                    |
 | [wenche][wen]              | Virtual  | Nix-builders, general purpose compute                     |
 
 ## Documentation

base/networking.nix

@@ -3,10 +3,6 @@
   systemd.network.enable = true;
   networking.domain = "pvv.ntnu.no";
   networking.useDHCP = false;
-  # networking.search = [ "pvv.ntnu.no" "pvv.org" ];
-  # networking.nameservers = lib.mkDefault [ "129.241.0.200" "129.241.0.201" ];
-  # networking.tempAddresses = lib.mkDefault "disabled";
-  # networking.defaultGateway = values.hosts.gateway;
 
   # The rest of the networking configuration is usually sourced from /values.nix
 

flake.lock

@@ -124,6 +124,27 @@
         "url": "https://git.pvv.ntnu.no/Grzegorz/grzegorz-clients.git"
       }
     },
+    "libdib": {
+      "inputs": {
+        "nixpkgs": [
+          "worblehat",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1769338528,
+        "narHash": "sha256-t18ZoSt9kaI1yde26ok5s7aFLkap1Q9+/2icVh2zuaE=",
+        "ref": "refs/heads/main",
+        "rev": "7218348163fd8d84df4a6f682c634793e67a3fed",
+        "revCount": 13,
+        "type": "git",
+        "url": "https://git.pvv.ntnu.no/Projects/libdib.git"
+      },
+      "original": {
+        "type": "git",
+        "url": "https://git.pvv.ntnu.no/Projects/libdib.git"
+      }
+    },
     "matrix-next": {
       "inputs": {
         "nixpkgs": [
@@ -353,7 +374,8 @@
         "pvv-nettsiden": "pvv-nettsiden",
         "qotd": "qotd",
         "roowho2": "roowho2",
-        "sops-nix": "sops-nix"
+        "sops-nix": "sops-nix",
+        "worblehat": "worblehat"
       }
     },
     "roowho2": {
@@ -461,6 +483,28 @@
         "repo": "sops-nix",
         "type": "github"
       }
+    },
+    "worblehat": {
+      "inputs": {
+        "libdib": "libdib",
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1770887951,
+        "narHash": "sha256-6LGqM9yhONtfCXHtPNn3S0GFsmB2dCchyozHDevwmiQ=",
+        "ref": "main",
+        "rev": "911063041f24d594a772a2a699d71d3d94953ce8",
+        "revCount": 101,
+        "type": "git",
+        "url": "https://git.pvv.ntnu.no/Projects/worblehat.git"
+      },
+      "original": {
+        "ref": "main",
+        "type": "git",
+        "url": "https://git.pvv.ntnu.no/Projects/worblehat.git"
+      }
     }
   },
   "root": "root",

flake.nix

@@ -23,6 +23,9 @@
     dibbler.url = "git+https://git.pvv.ntnu.no/Projects/dibbler.git?ref=main";
     dibbler.inputs.nixpkgs.follows = "nixpkgs";
 
+    worblehat.url = "git+https://git.pvv.ntnu.no/Projects/worblehat.git?ref=main";
+    worblehat.inputs.nixpkgs.follows = "nixpkgs";
+
     matrix-next.url = "github:dali99/nixos-matrix-modules/v0.8.0";
     matrix-next.inputs.nixpkgs.follows = "nixpkgs";
 
@@ -94,7 +97,6 @@
         }:
         let
           commonPkgsConfig = {
-            inherit localSystem crossSystem;
             config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg)
               [
                 "nvidia-x11"
@@ -104,8 +106,11 @@
               # Global overlays go here
               inputs.roowho2.overlays.default
             ]) ++ overlays;
-          };
+          } // (if localSystem != crossSystem then {
-
+            inherit localSystem crossSystem;
+          } else {
+            system = crossSystem;
+          });
           pkgs = import nixpkgs commonPkgsConfig;
           unstablePkgs = import nixpkgs-unstable commonPkgsConfig;
         in
@@ -184,6 +189,18 @@
       };
       ildkule = stableNixosConfig "ildkule" { };
       #ildkule-unstable = unstableNixosConfig "ildkule" { };
+      skrot = stableNixosConfig "skrot" {
+        modules = [
+          self.nixosModules.drumknotty
+          inputs.disko.nixosModules.disko
+          inputs.dibbler.nixosModules.default
+          inputs.worblehat.nixosModules.default
+        ];
+        overlays = [
+          inputs.dibbler.overlays.default
+          inputs.worblehat.overlays.default
+        ];
+      };
       shark = stableNixosConfig "shark" { };
       wenche = stableNixosConfig "wenche" { };
       temmie = stableNixosConfig "temmie" { };
@@ -205,8 +222,6 @@
         ];
       };
 
-      dagali = unstableNixosConfig "dagali" { };
-
       brzeczyszczykiewicz = stableNixosConfig "brzeczyszczykiewicz" {
         modules = [
           inputs.grzegorz-clients.nixosModules.grzegorz-webui
@@ -280,6 +295,7 @@
       rsync-pull-targets = ./modules/rsync-pull-targets.nix;
       snakeoil-certs = ./modules/snakeoil-certs.nix;
       snappymail = ./modules/snappymail.nix;
+      drumknotty = ./modules/drumknotty.nix;
     };
 
     devShells = forAllSystems (system: {

hosts/dagali/TODO.md

@@ -1,78 +0,0 @@
-# Tracking document for new PVV kerberos auth stack
-
-![Bensinstasjon på heimdal](https://bydelsnytt.no/wp-content/uploads/2022/08/esso_heimdal003.jpg)
-
-<div align="center">
-  Bensinstasjon på heimdal
-</div>
-
-### TODO:
-
-- [ ] setup heimdal
-  - [x] ensure running with systemd
-  - [x] compile smbk5pwd (part of openldap)
-  - [ ] set `modify -a -disallow-all-tix,requires-pre-auth default` declaratively
-  - [ ] fully initialize PVV.NTNU.NO
-    - [x] `kadmin -l init PVV.NTNU.NO`
-    - [x] add oysteikt/admin@PVV.NTNU.NO principal
-    - [x] add oysteikt@PVV.NTNU.NO principal
-    - [x] add krbtgt/PVV.NTNU.NO@PVV.NTNU.NO principal?
-      - why is this needed, and where is it documented?
-      - `kadmin check` seems to work under sudo?
-      - (it is included by default, just included as error message
-         in a weird state)
-
-    - [x] Ensure client is working correctly
-      - [x] Ensure kinit works on darbu
-      - [x] Ensure kpasswd works on darbu
-      - [x] Ensure kadmin get <user> (and other restricted commands) works on darbu
-
-    - [ ] Ensure kdc is working correctly
-      - [x] Ensure kinit works on dagali
-      - [x] Ensure kpasswd works on dagali
-      - [ ] Ensure kadmin get <user> (and other restricte commands) works on dagali
-
-    - [x] Fix FQDN
-      - https://github.com/NixOS/nixpkgs/issues/94011
-      - https://github.com/NixOS/nixpkgs/issues/261269
-      - Possibly fixed by disabling systemd-resolved
-
-- [ ] setup cyrus sasl
-  - [x] ensure running with systemd 
-  - [x] verify GSSAPI support plugin is installed
-    - `nix-shell -p cyrus_sasl --command pluginviewer`
-  - [x] create "host/localhost@PVV.NTNU.NO" and export to keytab
-  - [x] verify cyrus sasl is able to talk to heimdal
-    - `sudo testsaslauthd -u oysteikt -p <password>`
-  - [ ] provide ldap principal to cyrus sasl through keytab
-
-- [ ] setup openldap
-  - [x] ensure running with systemd
-  - [ ] verify openldap is able to talk to cyrus sasl
-  - [ ] create user for oysteikt in openldap
-  - [ ] authenticate openldap login through sasl
-    - does this require creating an ldap user?
-
-- [ ] fix smbk5pwd integration
-  - [x] add smbk5pwd schemas to openldap
-  - [x] create openldap db for smbk5pwd with overlays
-  - [ ] test to ensure that user sync is working
-  - [ ] test as user source (replace passwd)
-  - [ ] test as PAM auth source
-  - [ ] test as auth source for 3rd party appliation
-
-- [ ] Set up ldap administration panel
-  - Doesn't seem like there are many good ones out there. Maybe phpLDAPAdmin?
-
-- [ ] Set up kerberos SRV DNS entry
-
-### Information and URLS
-
-- OpenLDAP SASL: https://www.openldap.org/doc/admin24/sasl.html
-- Use a keytab: https://kb.iu.edu/d/aumh
-- 2 ways for openldap to auth: https://security.stackexchange.com/questions/65093/how-to-test-ldap-that-authenticates-with-kerberos
-- Cyrus guide OpenLDAP + SASL + GSSAPI: https://www.cyrusimap.org/sasl/sasl/faqs/openldap-sasl-gssapi.html
-- Configuring GSSAPI and Cyrus SASL: https://web.mit.edu/darwin/src/modules/passwordserver_sasl/cyrus_sasl/doc/gssapi.html
-- PVV Kerberos docs: https://wiki.pvv.ntnu.no/wiki/Drift/Kerberos
-- OpenLDAP smbk5pwd source: https://git.openldap.org/nivanova/openldap/-/tree/master/contrib/slapd-modules/smbk5pwd
-- saslauthd(8): https://linux.die.net/man/8/saslauthd

hosts/dagali/configuration.nix

@@ -1,51 +0,0 @@
-
-{ config, pkgs, values, lib, ... }:
-{
-  imports = [
-    ./hardware-configuration.nix
-    ../../base.nix
-    ../../misc/metrics-exporters.nix
-
-    ./services/heimdal.nix
-    #./services/openldap.nix
-    ./services/cyrus-sasl.nix
-  ];
-
-  # buskerud does not support efi?
-  # boot.loader.systemd-boot.enable = true;
-  # boot.loader.efi.canTouchEfiVariables = true;
-  boot.loader.grub.enable = true;
-  boot.loader.grub.device = "/dev/sda";
-
-  # resolved messes up FQDN coming from nscd
-  services.resolved.enable = false;
-
-  networking.hostName = "dagali";
-  networking.domain = lib.mkForce "pvv.local";
-  networking.hosts = {
-    "129.241.210.185" = [ "dagali.pvv.local" ];
-  };
-  #networking.search = [ "pvv.ntnu.no" "pvv.org" ];
-  networking.nameservers = [ "129.241.0.200" "129.241.0.201" ];
-  networking.tempAddresses = "disabled";
-  networking.networkmanager.enable = true;
-
-  systemd.network.networks."ens18" = values.defaultNetworkConfig // {
-    matchConfig.Name = "ens18";
-    address = with values.hosts.dagali; [ (ipv4 + "/25") (ipv6 + "/64") ];
-  };
-
-  # List packages installed in system profile
-  environment.systemPackages = with pkgs; [
-    # TODO: consider adding to base.nix
-    nix-output-monitor
-  ];
-
-  # This value determines the NixOS release from which the default
-  # settings for stateful data, like file locations and database versions
-  # on your system were taken. It‘s perfectly fine and recommended to leave
-  # this value at the release version of the first install of this system.
-  # Before changing this value read the documentation for this option
-  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
-  system.stateVersion = "24.05"; # Did you read the comment?
-}

hosts/dagali/hardware-configuration.nix

@@ -1,33 +0,0 @@
-# Do not modify this file!  It was generated by ‘nixos-generate-config’
-# and may be overwritten by future invocations.  Please make changes
-# to /etc/nixos/configuration.nix instead.
-{ config, lib, pkgs, modulesPath, ... }:
-
-{
-  imports =
-    [ (modulesPath + "/profiles/qemu-guest.nix")
-    ];
-
-  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
-  boot.initrd.kernelModules = [ ];
-  boot.kernelModules = [ ];
-  boot.extraModulePackages = [ ];
-
-  fileSystems."/" =
-    { device = "/dev/disk/by-uuid/4de345e2-be41-4d10-9b90-823b2c77e9b3";
-      fsType = "ext4";
-    };
-
-  swapDevices =
-    [ { device = "/dev/disk/by-uuid/aa4b9a97-a7d8-4608-9f67-4ad084f1baf7"; }
-    ];
-
-  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
-  # (the default) this is the recommended approach. When using systemd-networkd it's
-  # still possible to use this option, but it's recommended to use it in conjunction
-  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
-  networking.useDHCP = lib.mkDefault true;
-  # networking.interfaces.ens18.useDHCP = lib.mkDefault true;
-
-  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
-}

hosts/dagali/services/cyrus-sasl.nix

@@ -1,21 +0,0 @@
-{ config, ... }:
-let
-  cfg = config.services.saslauthd;
-in
-{
-  # TODO: This is seemingly required for openldap to authenticate
-  #       against kerberos, but I have no idea how to configure it as
-  #       such. Does it need a keytab? There's a binary "testsaslauthd"
-  #       that follows with `pkgs.cyrus_sasl` that might be useful.
-  services.saslauthd = {
-    enable = true;
-    mechanism = "kerberos5";
-    config = ''
-      mech_list: gs2-krb5 gssapi
-      keytab: /etc/krb5.keytab
-    '';
-  };
-
-  # TODO: maybe the upstream module should consider doing this?
-  environment.systemPackages = [ cfg.package ];
-}

hosts/dagali/services/heimdal.nix

@@ -1,100 +0,0 @@
-{ config, pkgs, lib, ... }:
-let
-  realm = "PVV.LOCAL";
-  cfg = config.security.krb5;
-in
-{
-  security.krb5 = {
-    enable = true;
-
-    # NOTE: This is required in order to build smbk5pwd, because of some nested includes.
-    #       We should open an issue upstream (heimdal, not nixpkgs), but this patch
-    #       will do for now.
-    package = pkgs.heimdal.overrideAttrs (prev: {
-      postInstall = prev.postInstall + ''
-        cp include/heim_threads.h $dev/include
-      '';
-    });
-
-    settings = {
-      realms.${realm} = {
-        kdc = [ "dagali.${lib.toLower realm}" ];
-        admin_server = "dagali.${lib.toLower realm}";
-        kpasswd_server = "dagali.${lib.toLower realm}";
-        default_domain = lib.toLower realm;
-        primary_kdc = "dagali.${lib.toLower realm}";
-      };
-
-      kadmin.default_keys = lib.concatStringsSep " " [
-        "aes256-cts-hmac-sha1-96:pw-salt"
-        "aes128-cts-hmac-sha1-96:pw-salt"
-      ];
-
-      libdefaults.default_etypes = lib.concatStringsSep " " [
-        "aes256-cts-hmac-sha1-96"
-        "aes128-cts-hmac-sha1-96"
-      ];
-
-      libdefaults = {
-        default_realm = realm;
-        dns_lookup_kdc = false;
-        dns_lookup_realm = false;
-      };
-
-      domain_realm = {
-        "${lib.toLower realm}" = realm;
-        ".${lib.toLower realm}" = realm;
-      };
-
-      logging = {
-        # kdc = "CONSOLE";
-        kdc = "SYSLOG:DEBUG:AUTH";
-        admin_server = "SYSLOG:DEBUG:AUTH";
-        default = "SYSLOG:DEBUG:AUTH";
-      };
-    };
-  };
-
-  services.kerberos_server = {
-    enable = true;
-    settings = {
-      realms.${realm} = {
-        dbname = "/var/lib/heimdal/heimdal";
-        mkey = "/var/lib/heimdal/m-key";
-        acl = [
-          {
-            principal = "kadmin/admin";
-            access = "all";
-          }
-          {
-            principal = "felixalb/admin";
-            access = "all";
-          }
-          {
-            principal = "oysteikt/admin";
-            access = "all";
-          }
-        ];
-      };
-      # kadmin.default_keys = lib.concatStringsSep " " [
-      #   "aes256-cts-hmac-sha1-96:pw-salt"
-      #   "aes128-cts-hmac-sha1-96:pw-salt"
-      # ];
-
-      # libdefaults.default_etypes = lib.concatStringsSep " " [
-      #   "aes256-cts-hmac-sha1-96"
-      #   "aes128-cts-hmac-sha1-96"
-      # ];
-
-      # password_quality.min_length = 8;
-    };
-  };
-
-  networking.firewall.allowedTCPPorts = [ 88 464 749 ];
-  networking.firewall.allowedUDPPorts = [ 88 464 749 ];
-
-  networking.hosts = {
-    "127.0.0.2" = lib.mkForce [ ];
-    "::1" = lib.mkForce [ ];
-  };
-}

hosts/dagali/services/openldap.nix

@@ -1,121 +0,0 @@
-{ config, pkgs, lib, ... }:
-{
-  services.openldap = let
-    dn = "dc=pvv,dc=ntnu,dc=no";
-    cfg = config.services.openldap;
-
-    heimdal = config.security.krb5.package;
-  in {
-    enable = true;
-
-    # NOTE: this is a custom build of openldap with support for
-    #       perl and kerberos.
-    package = pkgs.openldap.overrideAttrs (prev: {
-      # https://github.com/openldap/openldap/blob/master/configure
-      configureFlags = prev.configureFlags ++ [
-        # Connect to slapd via UNIX socket
-        "--enable-local"
-        # Cyrus SASL
-        "--enable-spasswd"
-        # Reverse hostname lookups
-        "--enable-rlookups"
-        # perl
-        "--enable-perl"
-      ];
-
-      buildInputs = prev.buildInputs ++ [
-        pkgs.perl
-	# NOTE: do not upstream this, it might not work with
-	#       MIT in the same way
-        heimdal
-      ];
-
-      extraContribModules = prev.extraContribModules ++ [
-        # https://git.openldap.org/openldap/openldap/-/tree/master/contrib/slapd-modules
-        "smbk5pwd"
-      ];
-    });
-
-    settings = {
-      attrs = {
-        olcLogLevel = [ "stats" "config" "args" ];
-
-        # olcAuthzRegexp = ''
-        #   gidNumber=.*\\\+uidNumber=0,cn=peercred,cn=external,cn=auth
-        #         "uid=heimdal,${dn2}"
-        # '';
-
-        # olcSaslSecProps = "minssf=0";
-      };
-
-      children = {
-        "cn=schema".includes = let
-          # NOTE: needed for smbk5pwd.so module
-          schemaToLdif = name: path: pkgs.runCommandNoCC name {
-            buildInputs = with pkgs; [ schema2ldif ];
-          } ''
-            schema2ldif "${path}" > $out
-          '';
-
-          hdb-ldif = schemaToLdif "hdb.ldif" "${heimdal.src}/lib/hdb/hdb.schema";
-          samba-ldif = schemaToLdif "samba.ldif" "${heimdal.src}/tests/ldap/samba.schema";
-        in [
-           "${cfg.package}/etc/schema/core.ldif"
-           "${cfg.package}/etc/schema/cosine.ldif"
-           "${cfg.package}/etc/schema/nis.ldif"
-           "${cfg.package}/etc/schema/inetorgperson.ldif"
-           "${hdb-ldif}"
-           "${samba-ldif}"
-        ];
-
-        # NOTE: installation of smbk5pwd.so module
-        #       https://git.openldap.org/openldap/openldap/-/tree/master/contrib/slapd-modules/smbk5pwd
-        "cn=module{0}".attrs = {
-          objectClass = [ "olcModuleList" ];
-          olcModuleLoad = [ "${cfg.package}/lib/modules/smbk5pwd.so" ];
-        };
-
-        # NOTE: activation of smbk5pwd.so module for {1}mdb
-        "olcOverlay={0}smbk5pwd,olcDatabase={1}mdb".attrs = {
-          objectClass = [ "olcOverlayConfig" "olcSmbK5PwdConfig" ];
-          olcOverlay = "{0}smbk5pwd";
-          olcSmbK5PwdEnable = [ "krb5" "samba" ];
-          olcSmbK5PwdMustChange = toString (60 * 60 * 24 * 10000);
-        };
-
-        "olcDatabase={1}mdb".attrs = {
-          objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ];
-
-          olcDatabase = "{1}mdb";
-
-          olcSuffix = dn;
-
-          # TODO: PW is supposed to be a secret, but it's probably fine for testing
-          olcRootDN = "cn=users,${dn}";
-
-          # TODO: replace with proper secret
-          olcRootPW.path = pkgs.writeText "olcRootPW" "pass";
-
-          olcDbDirectory = "/var/lib/openldap/test-smbk5pwd-db";
-          olcDbIndex = "objectClass eq";
-
-          olcAccess = [
-            ''{0}to attrs=userPassword,shadowLastChange
-                by dn.exact=cn=users,${dn} write
-                by self write
-                by anonymous auth
-                by * none''
-
-            ''{1}to dn.base=""
-                by * read''
-
-            /* allow read on anything else */
-            # ''{2}to *
-            #     by cn=users,${dn} write by dn.exact=gidNumber=0+uidNumber=0+cn=peercred,cn=external write
-            #     by * read''
-          ];
-        };
-      };
-    };
-  };
-}

hosts/skrot/configuration.nix

@@ -0,0 +1,79 @@
+{
+  fp,
+  lib,
+  config,
+  values,
+  ...
+}:
+
+{
+  imports = [
+    # Include the results of the hardware scan.
+    ./hardware-configuration.nix
+    ./disk-config.nix
+    (fp /base)
+  ];
+
+  boot.consoleLogLevel = 0;
+
+  sops.defaultSopsFile = fp /secrets/skrot/skrot.yaml;
+
+  systemd.network.networks."enp2s0" = values.defaultNetworkConfig // {
+    matchConfig.Name = "enp2s0";
+    address = with values.hosts.skrot; [
+      (ipv4 + "/25")
+      (ipv6 + "/64")
+    ];
+  };
+
+  sops.secrets = {
+    "dibbler/postgresql/password" = {
+      owner = "drumknotty";
+      group = "drumknotty";
+    };
+    "worblehat/postgresql/password" = {
+      owner = "drumknotty";
+      group = "drumknotty";
+    };
+  };
+
+  services.drumknotty = {
+    enable = true;
+    kioskMode = true;
+    limitScreenWidth = 80;
+    limitScreenHeight = 42;
+
+    dibblerSettings = {
+      general.quit_allowed = false;
+      database = {
+        type = "postgresql";
+        postgresql = {
+          username = "pvv_vv";
+          dbname = "pvv_vv";
+          host = "postgres.pvv.ntnu.no";
+          password_file = config.sops.secrets."dibbler/postgresql/password".path;
+        };
+      };
+    };
+    worblehatSettings = {
+      general.quit_allowed = false;
+      database = {
+        type = "postgresql";
+        postgresql = {
+          username = "pvv_vv";
+          dbname = "pvv_vv";
+          host = "postgres.pvv.ntnu.no";
+          password_file = config.sops.secrets."worblehat/postgresql/password".path;
+        };
+      };
+    };
+  };
+
+  systemd.services."serial-getty@ttyUSB0" = lib.mkIf (!config.virtualisation.isVmVariant) {
+    enable = true;
+    wantedBy = [ "getty.target" ]; # to start at boot
+    serviceConfig.Restart = "always"; # restart when session is closed
+  };
+
+  system.stateVersion = "25.11"; # Did you read the comment? Nah bro
+}

hosts/skrot/disk-config.nix

@@ -0,0 +1,41 @@
+{
+  disko.devices = {
+    disk = {
+      main = {
+        device = "/dev/sda";
+        type = "disk";
+        content = {
+          type = "gpt";
+          partitions = {
+            ESP = {
+              type = "EF00";
+              size = "1G";
+              content = {
+                type = "filesystem";
+                format = "vfat";
+                mountpoint = "/boot";
+                mountOptions = [ "umask=0077" ];
+              };
+            };
+            plainSwap = {
+              size = "8G";
+              content = {
+                type = "swap";
+                discardPolicy = "both";
+                resumeDevice = false;
+              };
+            };
+            root = {
+              size = "100%";
+              content = {
+                type = "filesystem";
+                format = "ext4";
+                mountpoint = "/";
+              };
+            };
+          };
+        };
+      };
+    };
+  };
+}

hosts/skrot/hardware-configuration.nix

@@ -0,0 +1,15 @@
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "sd_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-amd" ];
+  boot.extraModulePackages = [ ];
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}

hosts/skrott/configuration.nix

@@ -59,7 +59,7 @@
   # zramSwap.enable = true;
 
   networking = {
-    hostName = "skrot";
+    hostName = "skrott";
     defaultGateway = values.hosts.gateway;
     defaultGateway6 = values.hosts.gateway6;
     interfaces.eth0 = {

modules/drumknotty.nix

@@ -0,0 +1,317 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
+let
+  cfg = config.services.drumknotty;
+
+  format = pkgs.formats.toml { };
+in
+{
+  options.services.drumknotty = {
+    enable = lib.mkEnableOption "DrumknoTTY";
+
+    dibblerPackage = lib.mkPackageOption pkgs "dibbler" { };
+    worblehatPackage = lib.mkPackageOption pkgs "worblehat" { };
+    screenPackage = lib.mkPackageOption pkgs "screen" { };
+
+    screenSessionName = lib.mkOption {
+      type = lib.types.str;
+      default = "drumknotty";
+      example = "myscreensessionname";
+      description = ''
+        Sets the screen session name.
+      '';
+    };
+
+    createLocalDatabase = lib.mkEnableOption "" // {
+      description = ''
+        Whether to set up a local postgres database automatically.
+
+        ::: {.note}
+        You must set up postgres manually before enabling this option.
+        :::
+      '';
+    };
+
+    kioskMode = lib.mkEnableOption "" // {
+      description = ''
+        Whether to let dibbler take over the entire machine.
+
+        This will restrict the machine to a single TTY and make the program unquittable.
+        You can still get access to PTYs via SSH and similar, if enabled.
+      '';
+    };
+
+    limitScreenHeight = lib.mkOption {
+      type = with lib.types; nullOr ints.unsigned;
+      default = null;
+      example = 42;
+      description = ''
+        If set, limits the height of the screen dibbler uses to the given number of lines.
+      '';
+    };
+
+    limitScreenWidth = lib.mkOption {
+      type = with lib.types; nullOr ints.unsigned;
+      default = null;
+      example = 80;
+      description = ''
+        If set, limits the width of the screen dibbler uses to the given number of columns.
+      '';
+    };
+
+    dibblerSettings = lib.mkOption {
+      description = "Configuration for dibbler";
+      default = { };
+      type = lib.types.submodule {
+        freeformType = format.type;
+      };
+    };
+
+    worblehatSettings = lib.mkOption {
+      description = "Configuration for worblehat";
+      default = { };
+      type = lib.types.submodule {
+        freeformType = format.type;
+      };
+    };
+
+    deadline-daemon = {
+      enable = lib.mkEnableOption "" // {
+        description = ''
+          Whether to enable the worblehat deadline-daemon service,
+          which periodically checks for upcoming deadlines and notifies users.
+
+          Note that this service is independent of the main worblehat service,
+          and must be enabled separately.
+        '';
+      };
+
+      onCalendar = lib.mkOption {
+        type = lib.types.str;
+        description = ''
+          How often to trigger rendering the map,
+          in the format of a systemd timer onCalendar configuration.
+
+          See {manpage}`systemd.timer(5)`.
+        '';
+        default = "*-*-* 10:15:00";
+      };
+    };
+  };
+
+  config = lib.mkIf cfg.enable (
+    lib.mkMerge [
+      {
+        environment.systemPackages = [
+          cfg.dibblerPackage
+          cfg.worblehatPackage
+        ];
+
+        environment.etc."dibbler/dibbler.toml".source = format.generate "dibbler.toml" cfg.dibblerSettings;
+        environment.etc."worblehat/config.toml".source =
+          format.generate "worblehat-config.toml" cfg.worblehatSettings;
+
+        users = {
+          users.drumknotty = {
+            group = "drumknotty";
+            isNormalUser = true;
+          };
+          groups.drumknotty = { };
+        };
+
+        services.dibbler.settings.database = lib.mkIf cfg.createLocalDatabase {
+          type = "postgresql";
+          postgresql.host = "/run/postgresql";
+        };
+
+        services.postgresql = lib.mkIf cfg.createLocalDatabase {
+          ensureDatabases = [
+            "dibbler"
+            "worblehat"
+          ];
+          ensureUsers = [
+            {
+              name = "drumknotty";
+              ensureDBOwnership = true;
+              ensureClauses.login = true;
+            }
+          ];
+        };
+
+        systemd.services.dibbler-setup-database = lib.mkIf cfg.createLocalDatabase {
+          description = "Dibbler database setup";
+          wantedBy = [ "default.target" ];
+          after = [ "postgresql.service" ];
+          unitConfig = {
+            ConditionPathExists = "!/var/lib/dibbler/.db-setup-done";
+          };
+          serviceConfig = {
+            Type = "oneshot";
+            ExecStart = "${lib.getExe cfg.dibblerPackage} --config /etc/dibbler/dibbler.toml create-db";
+            ExecStartPost = "${lib.getExe' pkgs.coreutils "touch"} /var/lib/dibbler/.db-setup-done";
+            StateDirectory = "dibbler";
+
+            User = "drumknotty";
+            Group = "drumknotty";
+          };
+        };
+
+        systemd.services.worblehat-setup-database = lib.mkIf cfg.createLocalDatabase {
+          description = "Worblehat database setup";
+          wantedBy = [ "default.target" ];
+          after = [ "postgresql.service" ];
+          unitConfig = {
+            ConditionPathExists = "!/var/lib/worblehat/.db-setup-done";
+          };
+          serviceConfig = {
+            Type = "oneshot";
+            ExecStart = "${lib.getExe cfg.worblehatPackage} --config /etc/worblehat/config.toml create-db";
+            ExecStartPost = "${lib.getExe' pkgs.coreutils "touch"} /var/lib/worblehat/.db-setup-done";
+            StateDirectory = "worblehat";
+
+            User = "drumknotty";
+            Group = "drumknotty";
+          };
+        };
+
+      }
+      (lib.mkIf cfg.kioskMode {
+        boot.kernelParams = [
+          "console=tty1"
+        ];
+
+        users.users.drumknotty = {
+          extraGroups = [ "lp" ];
+          shell =
+            (pkgs.writeShellScriptBin "login-shell" "${lib.getExe' cfg.screenPackage "screen"} -x ${cfg.screenSessionName}")
+            // {
+              shellPath = "/bin/login-shell";
+            };
+        };
+
+        services.drumknotty.dibblerSettings.general = {
+          quit_allowed = false;
+          stop_allowed = false;
+        };
+
+        services.drumknotty.worblehatSettings.general = {
+          quit_allowed = false;
+          stop_allowed = false;
+        };
+
+        systemd.services.drumknotty-screen-session = {
+          description = "Drumknotty Screen Session";
+          wantedBy = [
+            "default.target"
+          ];
+          after =
+            if cfg.createLocalDatabase then
+              [
+                "postgresql.service"
+                "dibbler-setup-database.service"
+                "worblehat-setup-database.service"
+              ]
+            else
+              [
+                "network.target"
+              ];
+          serviceConfig =
+            let
+              dibblerArgs = lib.cli.toCommandLineShellGNU { } {
+                config = "/etc/dibbler/dibbler.toml";
+              };
+
+              worblehatArgs = lib.cli.toCommandLineShellGNU { } {
+                config = "/etc/worblehat/config.toml";
+              };
+
+            in
+            {
+              Type = "forking";
+              RemainAfterExit = false;
+              Restart = "always";
+              RestartSec = "5s";
+              SuccessExitStatus = 1;
+
+              User = "drumknotty";
+              Group = "drumknotty";
+
+              ExecStartPre = "-${lib.getExe' cfg.screenPackage "screen"} -X -S ${cfg.screenSessionName} kill";
+              ExecStart =
+                let
+                  screenArgs = lib.escapeShellArgs [
+                    # -dm creates the screen in detached mode without accessing it
+                    "-dm"
+
+                    # Session name
+                    "-S"
+                    "drumknotty"
+
+                    # Window name
+                    "-t"
+                    "dibbler"
+
+                    # Set optimal output mode instead of VT100 emulation
+                    "-O"
+
+                    # Enable login mode, updates utmp entries
+                    "-l"
+                  ];
+
+                in
+                "${lib.getExe' cfg.screenPackage "screen"} ${screenArgs} ${lib.getExe cfg.dibblerPackage} ${dibblerArgs} loop";
+              ExecStartPost = [
+                "${lib.getExe' cfg.screenPackage "screen"} -X -S ${cfg.screenSessionName} -t worblehat ${lib.getExe cfg.worblehatPackage} ${worblehatArgs} cli"
+              ]
+              ++ lib.optionals (cfg.limitScreenWidth != null) [
+                "${lib.getExe' cfg.screenPackage "screen"} -X -S ${cfg.screenSessionName} width ${toString cfg.limitScreenWidth}"
+              ]
+              ++ lib.optionals (cfg.limitScreenHeight != null) [
+                "${lib.getExe' cfg.screenPackage "screen"} -X -S ${cfg.screenSessionName} height ${toString cfg.limitScreenHeight}"
+              ];
+            };
+        };
+
+        services.getty.autologinUser = "drumknotty";
+      })
+      (lib.mkIf cfg.deadline-daemon.enable {
+        systemd.timers.worblehat-deadline-daemon = {
+          description = "Worblehat Deadline Daemon";
+          wantedBy = [ "timers.target" ];
+          timerConfig = {
+            OnCalendar = cfg.deadline-daemon.onCalendar;
+            Persistent = true;
+          };
+        };
+
+        systemd.services.worblehat-deadline-daemon = {
+          description = "Worblehat Deadline Daemon";
+          wantedBy = [ "multi-user.target" ];
+          after = [ "network.target" ];
+          serviceConfig = {
+            Type = "oneshot";
+            CPUSchedulingPolicy = "idle";
+            IOSchedulingClass = "idle";
+
+            ExecStart =
+              let
+                worblehatArgs = lib.cli.toCommandLineShellGNU { } {
+                  config = "/etc/worblehat/config.toml";
+                };
+              in
+              "${lib.getExe cfg.package} ${worblehatArgs} deadline-daemon";
+
+            User = "worblehat";
+            Group = "worblehat";
+          };
+        };
+      })
+
+    ]
+  );
+
+}

secrets/skrot/skrot.yaml

@@ -0,0 +1,96 @@
+dibbler:
+    postgresql:
+        password: ENC[AES256_GCM,data:3X9A3jOpFVRuBg0gRiCEsZVKfLI=,iv:XC7LBNUhALk9IEhItV8fO5p/m7VKL0REBY1W2IZt7G4=,tag:l18R7EhbOlucZHFQiEvpHw==,type:str]
+worblehat:
+    postgresql:
+        password: ENC[AES256_GCM,data:5xEiz+Op0dpxO/x75iEZs0VVqhbr+85BusXGt7xyQZk=,iv:MvnRPx+segcEzUzQsJXGXDaQlKpf5AN9pSfXP34Cz6k=,tag:AG8JUl3+8ZJz+gbLti78Vw==,type:str]
+sops:
+    age:
+        - recipient: age1hzkvnktkr8t5gvtq0ccw69e44z5z6wf00n3xhk3hj24emf07je5s6q2evr
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvTk5YU3Z2Yy9HS1R4ME5I
+            UU1PRWVncHJYcXY5RlFpOWVQUWZsdy93ZDFBCnlxWkpaL1g5WmNSckNYd202WE40
+            RkwwSEM1YUNNZmozejlrdW8yY1JiekkKLS0tIHVWY0JKZm9CNWhzVGl4cG82UXZs
+            ZnllQzJiK1ZkRmFndmtYdW9IclFWY1EK82f1iGt3nt8dJnEQlMujNqConf6Qq6GX
+            hqoqPoc2EM4kun28Bbpq4pAY7eEPRrWFqOkjYVvgIRoS88D7xT3LWg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1ug30gg4y7ftuya0wdv7q0vh4egn00wlv2th7mt7cgc2ze46wmvyq9lq6ge
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5WTJIOUcxRlBuNmRrNUZo
+            MXFxeVJBTEhDK00yTUw1U2dHckNFYWZKWkhNCnYxYmtrUEVvd1RaYUI5WTRTRW16
+            S2NhbDdpdDZhSkVWeUhjZDhKd3ZpTmcKLS0tIFovWm5lOXBzcnN3Zm5GQlBhNmlp
+            eTB4WldMNW9GNUwwaEUzRThsemxRVzQKGpa0J2PBzDRdHijm0e3nFAaxQCHUjz+L
+            KataXJEMCijJ6k+7vpb5QMxe2jB1J2PMxNGFp0bWAy2Al3p/Ez2Kww==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1mrnldl334l2nszuta6ywvewng0fswv2dz9l5g4qcwe3nj4yxf92qjskdx6
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZaW1ZSXhVeFVTQW9WYzVh
+            WkVUM2JkOU5VNU9oQXE2Y2pvcFlOWTdvbnpJClduS0RHL2xja291a2doQ0wzbzhQ
+            NmJOSGVvQUdxM3IvaS8zRW1VbVhvYmsKLS0tIHoyOUdvT0xXWXo3SWcyQ1lqTmJS
+            ZUdnS2RvOXI1dGNYQTl6ZHE1cUdMWHMK4ycAJQLyKCgJIzjQ02bPjz4Ct9eO6ivw
+            kfWhyMaoWwM9PhFcwSak0cLpX0C/IOzSzO78pf3WhG16pV7aXapdog==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1hmpdk4h69wxpwqk9tkud39f66hprhehxtzhgw97r6dvr7v0mx5jscsuhkn
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqaml0OVlhcUJSU1hSY3lP
+            bkM0cUV4Z2ZLeERHZ3BUNExuYS9KSU5CekQ4CmQ3SE1vdDBtdFJ6czZYR3U5Tk1X
+            SFJmTVlERjBzV0hFalFLMmVLQzNNdXMKLS0tIDdJLzZveFdnYTI0azk1UXJZLzZF
+            Sy9XbjhwOFR6SFpaNHZLd3ZxdmxOVUEKBBbGmdVVlKHxO+/iODznLP3+dJGppybW
+            +1k9uenVHzie+pDKcrQpSyX2WDnmgg7hUAUiXPuz1eEWmwbRJnU/5w==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1wrssr4z4g6vl3fd3qme5cewchmmhm0j2xe6wf2meu4r6ycn37anse98mfs
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXK01vOVV5YlhsZ2ljYS91
+            OUVEaEpTbXFKOHVNVDVoMTlrS05wRmsyM2dvCjZHOXlCUGowd0J4UlQzSzM5dWJ0
+            eU50SHdtZ2ZyUE1JVHdvODFxWDYvRWsKLS0tIDhlRVQ0Mm5Ua0J2aExqMzRyUGlP
+            RUR6Yi9SUDFCUkZmRk5hYTVFeGloZXcKY/XtaSoW8Pu2wS4oistLSc0T5JvMnt+w
+            s3yfe/zx9/1K6OtbeljF9FZVOB/dOamvk+Qlfl0T5qush7/WgGzErA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1zhxul786an743u0fascv4wtc5xduu7qfy803lfs539yzhgmlq5ds2lznt5
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOM0pFb2tRTURtWmp6elRN
+            M0xtajlzMTNPMnppcGhJMVlsNHdwWmNGbFVFCnlxM1JQTkR2elAvdytKUEJ3djBS
+            UnlhL0tLLzY3Z05RU3phNDZIOGtTMFEKLS0tIEpOZDUxU1JQVXJTbmVFQlVkOUcy
+            eWlyWGhaS1JCNitUSVVScFk2WGEvOG8K2rpYPGx5jhyyRK4UkeJR96wDFr4Frzsr
+            QWz7fYZRWKWf0H0qn+bm9IfVJiBAlS5i16D1FnipZVmdWefFaZSEPg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1sqs7urnzsdy64efmd0zukzv3gs5pnjksuxd7nqmdwdy5l0nqnunq6hyune
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJVFV0WVZrK0wzbnhkcmcz
+            c2lIdVlKcFpoYjZIWlNPN0M5N2g2WG9YdlRJCjg5YlNoSzQ5YW5yRUVSeTEzRThY
+            WklKQzlzRXdrUUlFNzF4M1BFZCtPT28KLS0tIDlUOTVIQVZJNFJwTnQxN0Z1ZlQx
+            MmxPMWNPYzJiOFRqY2VYczhvRm5IR3cKpUVV+zsMolsHI2YK9YqC6ecNT6QXv0TV
+            d1SpXRAexZBeWCCHBjSdvQBl8AT4EwrAIP2M2o++6i5DaGoGiEIWZQ==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2026-03-17T15:30:20Z"
+    mac: ENC[AES256_GCM,data:byJbaGBKiW8P6Z9EAaXFIAurNPZ1Yu3H4wISL3YESGPVy5GSbMlfSTLElw8BcQNgOuLq8+BVZcRZn+UaLx7vNKfmpbOmthmrMqilcW/vmgsQ5+of+r+O9bOqqXAmlBLvB82trkLUWsPfO4hHJBfjFweLZFqzszW3t/zeLMocM18=,iv:EqiPEg0xgRPsuJfjUKg/ba10m1rqopO4gtPwKABuNk4=,tag:5l4sJxsV69ha4hf+9iBmMw==,type:str]
+    pgp:
+        - created_at: "2026-02-10T20:01:32Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA0av/duuklWYARAAnSjSeI8BybEl1PwNt3KTGcUjpCI+XZPWgNWuvjIymVBv
+            ZgNESNktJB4loNvd/+TIADE7TqGFQK9ev6IPRoDHHkSMdmJ9Bc/lu2HPO+rJa1yD
+            vLXbjf8vRa+GkBDV8DTrPPFvSrHY+jv9vQIzY3nQPKMlyV58E85N262q/2gJUfm9
+            cy/dYE2BUWMQC1DfiGbBRC4xGHhp94XccOMBkIpchP+BL90ZVpocnxeSrSjBsSLE
+            wuhMQPRQSI4PFm8ZYajf6tF001HDa5zaqF1lqkTxtxypDDUr8BVb9n/ObaD8omDI
+            QHQUiPmVgpDs7w2Ph5UgJxK1c+dOcG+mXsl1CHOLldA29sNzDBuh94PKfRl1B3cY
+            KPoPIqntdn59zzRDbuVJxWeJal7Ffynwsrx4h7w7muIR/FYeaFphsokE5Q6gqwTO
+            ZqWY2tuQ0CFRtMl7HB7ZVdSsKv6D5DlesXPXdrhQBKRrNylBpSBmcZH8KRAuHGNj
+            4GFZRN++GFuq54d7wB689kn+F7+pbNom7CDILXiCrz8+9DjFw0maDRoas8OaUyW6
+            kfyJe/YnK94EyCPitkJWYc9uvA2t9y25Rm9uUSvh7WnTFAEK9mJLOal4VgHbqCtg
+            zSGbdw79U4H0Umbi5eSCvEYNtv7eBzKaS/t6irfDRr1WajNhThcd1wmnvjZYxl3S
+            XgHOucYvQvxXjqG0B0Qbd12ucYthPO1+gozEzWxJx2wtiL3gClPYOaiteRlO/XQA
+            WTG6A36X3IxB6qW8lEx12geyjHxFYb82BjyrBnnlj+YcViIBpPQqd8Dz6sl4Rls=
+            =tCoI
+            -----END PGP MESSAGE-----
+          fp: F7D37890228A907440E1FD4846B9228E814A2AAC
+    unencrypted_suffix: _unencrypted
+    version: 3.12.1

topology/default.nix

@@ -228,7 +228,7 @@ in {
         (mkConnection "demiurgen" "eno1")
         (mkConnection "sanctuary" "ethernet_0")
         (mkConnection "torskas" "eth0")
-        (mkConnection "skrot" "eth0")
+        (mkConnection "skrott" "eth0")
         (mkConnection "homeassistant" "eth0")
         (mkConnection "orchid" "eth0")
         (mkConnection "principal" "em0")

values.nix

@@ -40,10 +40,6 @@ in rec {
       ipv4 = pvv-ipv4 168;
       ipv6 = pvv-ipv6 168;
     };
-    dagali = {
-      ipv4 = pvv-ipv4 185;
-      ipv6 = pvv-ipv6 185;
-    };
     ildkule = {
       ipv4 = "129.241.153.213";
       ipv4_internal = "192.168.12.209";
@@ -89,6 +85,10 @@ in rec {
       ipv4 = pvv-ipv4 235;
       ipv6 = pvv-ipv6 235;
     };
+    skrot = {
+      ipv4 = pvv-ipv4 237;
+      ipv6 = pvv-ipv6 237;
+    };
     temmie = {
       ipv4 = pvv-ipv4 167;
       ipv6 = pvv-ipv6 167;