Run shellcheck

base/networking.nix

@@ -3,10 +3,6 @@
   systemd.network.enable = true;
   networking.domain = "pvv.ntnu.no";
   networking.useDHCP = false;
-  # networking.search = [ "pvv.ntnu.no" "pvv.org" ];
-  # networking.nameservers = lib.mkDefault [ "129.241.0.200" "129.241.0.201" ];
-  # networking.tempAddresses = lib.mkDefault "disabled";
-  # networking.defaultGateway = values.hosts.gateway;
 
   # The rest of the networking configuration is usually sourced from /values.nix
 

base/services/acme.nix

@@ -2,7 +2,7 @@
 {
   security.acme = {
     acceptTerms = true;
-    defaults.email = "acme-drift@pvv.ntnu.no";
+    defaults.email = "drift@pvv.ntnu.no";
   };
 
   # Let's not spam LetsEncrypt in `nixos-rebuild build-vm` mode:

flake.lock

@@ -195,11 +195,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1770960722,
+        "lastModified": 1767906352,
-        "narHash": "sha256-IdhPsWFZUKSJh/nLjGLJvGM5d5Uta+k1FlVYPxTZi0E=",
+        "narHash": "sha256-wYsH9MMAPFG3XTL+3DwI39XMG0F2fTmn/5lt265a3Es=",
         "ref": "main",
-        "rev": "c2e4aca7e1ba27cd09eeaeab47010d32a11841b2",
+        "rev": "d054c5d064b8ed6d53a0adb0cf6c0a72febe212e",
-        "revCount": 15,
+        "revCount": 13,
         "type": "git",
         "url": "https://git.pvv.ntnu.no/Drift/nix-gitea-themes.git"
       },

flake.nix

@@ -205,8 +205,6 @@
         ];
       };
 
-      dagali = unstableNixosConfig "dagali" { };
-
       brzeczyszczykiewicz = stableNixosConfig "brzeczyszczykiewicz" {
         modules = [
           inputs.grzegorz-clients.nixosModules.grzegorz-webui

hosts/bekkalokk/services/website/fetch-gallery.nix

@@ -47,8 +47,8 @@ in {
       }}
 
       # Delete files and directories that exists in the gallery that don't exist in the tarball
-      filesToRemove=$(uniq -u <(sort <(find . -not -path "./.thumbnails*") <(tar -tf ${transferDir}/gallery.tar.gz | sed 's|/$||')))
+      filesToRemove=$(uniq -u <(sort <(find . -not -path "./.thumbnails*") <(tar -tf "${transferDir}/gallery.tar.gz" | sed 's|/$||')))
-      while IFS= read fname; do
+      while IFS= read -r fname; do
         rm -f "$fname" ||:
         rm -f ".thumbnails/$fname.png" ||:
       done <<< "$filesToRemove"
@@ -58,7 +58,7 @@ in {
       mkdir -p .thumbnails
       images=$(find . -type f -not -path "./.thumbnails*")
 
-      while IFS= read fname; do
+      while IFS= read -r fname; do
         # Skip this file if an up-to-date thumbnail already exists
         if [ -f ".thumbnails/$fname.png" ] && \
           [ "$(date -R -r "$fname")" == "$(date -R -r ".thumbnails/$fname.png")" ]
@@ -67,7 +67,7 @@ in {
         fi
 
         echo "Creating thumbnail for $fname"
-        mkdir -p $(dirname ".thumbnails/$fname")
+        mkdir -p "$(dirname ".thumbnails/$fname")"
         magick -define jpeg:size=200x200 "$fname" -thumbnail 300 -auto-orient ".thumbnails/$fname.png" ||:
         touch -m -d "$(date -R -r "$fname")" ".thumbnails/$fname.png"
       done <<< "$images"

hosts/bicep/services/matrix/livekit.nix

@@ -43,7 +43,7 @@ in
     keyFile = config.sops.templates."matrix-livekit-keyfile".path;
   };
 
-  systemd.services.lk-jwt-service.environment.LIVEKIT_FULL_ACCESS_HOMESERVERS = lib.mkIf cfg.enable (builtins.concatStringsSep "," [ "pvv.ntnu.no" "dodsorf.as" ]);
+  systemd.services.lk-jwt-service.environment.LIVEKIT_FULL_ACCESS_HOMESERVERS = lib.mkIf cfg.enable matrixDomain;
 
   services.nginx.virtualHosts.${matrixDomain} = lib.mkIf cfg.enable {
     locations."^~ /livekit/jwt/" = {

hosts/bicep/services/matrix/out-of-your-element.nix

@@ -1,4 +1,4 @@
-{ config, pkgs, lib, values, fp, ... }:
+{ config, pkgs, fp, ... }:
 let
   cfg = config.services.matrix-ooye;
 in
@@ -28,23 +28,6 @@ in
     };
   };
 
-  services.rsync-pull-targets = lib.mkIf cfg.enable {
-    enable = true;
-    locations."/var/lib/private/matrix-ooye" = {
-      user = "root";
-      rrsyncArgs.ro = true;
-      authorizedKeysAttrs = [
-        "restrict"
-        "from=\"principal.pvv.ntnu.no,${values.hosts.principal.ipv6},${values.hosts.principal.ipv4}\""
-        "no-agent-forwarding"
-        "no-port-forwarding"
-        "no-pty"
-        "no-X11-forwarding"
-      ];
-      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE5koYfor5+kKB30Dugj3dAWvmj8h/akQQ2XYDvLobFL matrix_ooye rsync backup";
-    };
-  };
-
   services.matrix-ooye = {
     enable = true;
     homeserver = "https://matrix.pvv.ntnu.no";

hosts/bicep/services/mysql/backup.nix

@@ -57,7 +57,7 @@ in
       rm "$STATE_DIRECTORY/mysql-dump-latest.sql.zst" ||:
       ln -T "$OUT_FILE" "$STATE_DIRECTORY/mysql-dump-latest.sql.zst"
 
-      while [ "$(find "$STATE_DIRECTORY" -type f -printf '.' | wc -c)" -gt ${toString (rotations + 1)} ]; do
+      while [ "$(find "$STATE_DIRECTORY" -type f -printf '.' | wc -c)" -gt "${toString (rotations + 1)}" ]; do
         rm "$(find "$STATE_DIRECTORY" -type f -printf '%T+ %p\n' | sort | head -n 1 | cut -d' ' -f2)"
       done
     '';

hosts/bicep/services/postgresql/backup.nix

@@ -58,7 +58,7 @@ in
       rm "$STATE_DIRECTORY/postgresql-dump-latest.sql.zst" ||:
       ln -T "$OUT_FILE" "$STATE_DIRECTORY/postgresql-dump-latest.sql.zst"
 
-      while [ "$(find "$STATE_DIRECTORY" -type f -printf '.' | wc -c)" -gt ${toString (rotations + 1)} ]; do
+      while [ "$(find "$STATE_DIRECTORY" -type f -printf '.' | wc -c)" -gt "${toString (rotations + 1)}" ]; do
         rm "$(find "$STATE_DIRECTORY" -type f -printf '%T+ %p\n' | sort | head -n 1 | cut -d' ' -f2)"
       done
     '';

hosts/dagali/TODO.md

@@ -1,78 +0,0 @@
-# Tracking document for new PVV kerberos auth stack
-
-![Bensinstasjon på heimdal](https://bydelsnytt.no/wp-content/uploads/2022/08/esso_heimdal003.jpg)
-
-<div align="center">
-  Bensinstasjon på heimdal
-</div>
-
-### TODO:
-
-- [ ] setup heimdal
-  - [x] ensure running with systemd
-  - [x] compile smbk5pwd (part of openldap)
-  - [ ] set `modify -a -disallow-all-tix,requires-pre-auth default` declaratively
-  - [ ] fully initialize PVV.NTNU.NO
-    - [x] `kadmin -l init PVV.NTNU.NO`
-    - [x] add oysteikt/admin@PVV.NTNU.NO principal
-    - [x] add oysteikt@PVV.NTNU.NO principal
-    - [x] add krbtgt/PVV.NTNU.NO@PVV.NTNU.NO principal?
-      - why is this needed, and where is it documented?
-      - `kadmin check` seems to work under sudo?
-      - (it is included by default, just included as error message
-         in a weird state)
-
-    - [x] Ensure client is working correctly
-      - [x] Ensure kinit works on darbu
-      - [x] Ensure kpasswd works on darbu
-      - [x] Ensure kadmin get <user> (and other restricted commands) works on darbu
-
-    - [ ] Ensure kdc is working correctly
-      - [x] Ensure kinit works on dagali
-      - [x] Ensure kpasswd works on dagali
-      - [ ] Ensure kadmin get <user> (and other restricte commands) works on dagali
-
-    - [x] Fix FQDN
-      - https://github.com/NixOS/nixpkgs/issues/94011
-      - https://github.com/NixOS/nixpkgs/issues/261269
-      - Possibly fixed by disabling systemd-resolved
-
-- [ ] setup cyrus sasl
-  - [x] ensure running with systemd 
-  - [x] verify GSSAPI support plugin is installed
-    - `nix-shell -p cyrus_sasl --command pluginviewer`
-  - [x] create "host/localhost@PVV.NTNU.NO" and export to keytab
-  - [x] verify cyrus sasl is able to talk to heimdal
-    - `sudo testsaslauthd -u oysteikt -p <password>`
-  - [ ] provide ldap principal to cyrus sasl through keytab
-
-- [ ] setup openldap
-  - [x] ensure running with systemd
-  - [ ] verify openldap is able to talk to cyrus sasl
-  - [ ] create user for oysteikt in openldap
-  - [ ] authenticate openldap login through sasl
-    - does this require creating an ldap user?
-
-- [ ] fix smbk5pwd integration
-  - [x] add smbk5pwd schemas to openldap
-  - [x] create openldap db for smbk5pwd with overlays
-  - [ ] test to ensure that user sync is working
-  - [ ] test as user source (replace passwd)
-  - [ ] test as PAM auth source
-  - [ ] test as auth source for 3rd party appliation
-
-- [ ] Set up ldap administration panel
-  - Doesn't seem like there are many good ones out there. Maybe phpLDAPAdmin?
-
-- [ ] Set up kerberos SRV DNS entry
-
-### Information and URLS
-
-- OpenLDAP SASL: https://www.openldap.org/doc/admin24/sasl.html
-- Use a keytab: https://kb.iu.edu/d/aumh
-- 2 ways for openldap to auth: https://security.stackexchange.com/questions/65093/how-to-test-ldap-that-authenticates-with-kerberos
-- Cyrus guide OpenLDAP + SASL + GSSAPI: https://www.cyrusimap.org/sasl/sasl/faqs/openldap-sasl-gssapi.html
-- Configuring GSSAPI and Cyrus SASL: https://web.mit.edu/darwin/src/modules/passwordserver_sasl/cyrus_sasl/doc/gssapi.html
-- PVV Kerberos docs: https://wiki.pvv.ntnu.no/wiki/Drift/Kerberos
-- OpenLDAP smbk5pwd source: https://git.openldap.org/nivanova/openldap/-/tree/master/contrib/slapd-modules/smbk5pwd
-- saslauthd(8): https://linux.die.net/man/8/saslauthd

hosts/dagali/configuration.nix

@@ -1,51 +0,0 @@
-
-{ config, pkgs, values, lib, ... }:
-{
-  imports = [
-    ./hardware-configuration.nix
-    ../../base.nix
-    ../../misc/metrics-exporters.nix
-
-    ./services/heimdal.nix
-    #./services/openldap.nix
-    ./services/cyrus-sasl.nix
-  ];
-
-  # buskerud does not support efi?
-  # boot.loader.systemd-boot.enable = true;
-  # boot.loader.efi.canTouchEfiVariables = true;
-  boot.loader.grub.enable = true;
-  boot.loader.grub.device = "/dev/sda";
-
-  # resolved messes up FQDN coming from nscd
-  services.resolved.enable = false;
-
-  networking.hostName = "dagali";
-  networking.domain = lib.mkForce "pvv.local";
-  networking.hosts = {
-    "129.241.210.185" = [ "dagali.pvv.local" ];
-  };
-  #networking.search = [ "pvv.ntnu.no" "pvv.org" ];
-  networking.nameservers = [ "129.241.0.200" "129.241.0.201" ];
-  networking.tempAddresses = "disabled";
-  networking.networkmanager.enable = true;
-
-  systemd.network.networks."ens18" = values.defaultNetworkConfig // {
-    matchConfig.Name = "ens18";
-    address = with values.hosts.dagali; [ (ipv4 + "/25") (ipv6 + "/64") ];
-  };
-
-  # List packages installed in system profile
-  environment.systemPackages = with pkgs; [
-    # TODO: consider adding to base.nix
-    nix-output-monitor
-  ];
-
-  # This value determines the NixOS release from which the default
-  # settings for stateful data, like file locations and database versions
-  # on your system were taken. It‘s perfectly fine and recommended to leave
-  # this value at the release version of the first install of this system.
-  # Before changing this value read the documentation for this option
-  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
-  system.stateVersion = "24.05"; # Did you read the comment?
-}

hosts/dagali/hardware-configuration.nix

@@ -1,33 +0,0 @@
-# Do not modify this file!  It was generated by ‘nixos-generate-config’
-# and may be overwritten by future invocations.  Please make changes
-# to /etc/nixos/configuration.nix instead.
-{ config, lib, pkgs, modulesPath, ... }:
-
-{
-  imports =
-    [ (modulesPath + "/profiles/qemu-guest.nix")
-    ];
-
-  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
-  boot.initrd.kernelModules = [ ];
-  boot.kernelModules = [ ];
-  boot.extraModulePackages = [ ];
-
-  fileSystems."/" =
-    { device = "/dev/disk/by-uuid/4de345e2-be41-4d10-9b90-823b2c77e9b3";
-      fsType = "ext4";
-    };
-
-  swapDevices =
-    [ { device = "/dev/disk/by-uuid/aa4b9a97-a7d8-4608-9f67-4ad084f1baf7"; }
-    ];
-
-  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
-  # (the default) this is the recommended approach. When using systemd-networkd it's
-  # still possible to use this option, but it's recommended to use it in conjunction
-  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
-  networking.useDHCP = lib.mkDefault true;
-  # networking.interfaces.ens18.useDHCP = lib.mkDefault true;
-
-  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
-}

hosts/dagali/services/cyrus-sasl.nix

@@ -1,21 +0,0 @@
-{ config, ... }:
-let
-  cfg = config.services.saslauthd;
-in
-{
-  # TODO: This is seemingly required for openldap to authenticate
-  #       against kerberos, but I have no idea how to configure it as
-  #       such. Does it need a keytab? There's a binary "testsaslauthd"
-  #       that follows with `pkgs.cyrus_sasl` that might be useful.
-  services.saslauthd = {
-    enable = true;
-    mechanism = "kerberos5";
-    config = ''
-      mech_list: gs2-krb5 gssapi
-      keytab: /etc/krb5.keytab
-    '';
-  };
-
-  # TODO: maybe the upstream module should consider doing this?
-  environment.systemPackages = [ cfg.package ];
-}

hosts/dagali/services/heimdal.nix

@@ -1,100 +0,0 @@
-{ config, pkgs, lib, ... }:
-let
-  realm = "PVV.LOCAL";
-  cfg = config.security.krb5;
-in
-{
-  security.krb5 = {
-    enable = true;
-
-    # NOTE: This is required in order to build smbk5pwd, because of some nested includes.
-    #       We should open an issue upstream (heimdal, not nixpkgs), but this patch
-    #       will do for now.
-    package = pkgs.heimdal.overrideAttrs (prev: {
-      postInstall = prev.postInstall + ''
-        cp include/heim_threads.h $dev/include
-      '';
-    });
-
-    settings = {
-      realms.${realm} = {
-        kdc = [ "dagali.${lib.toLower realm}" ];
-        admin_server = "dagali.${lib.toLower realm}";
-        kpasswd_server = "dagali.${lib.toLower realm}";
-        default_domain = lib.toLower realm;
-        primary_kdc = "dagali.${lib.toLower realm}";
-      };
-
-      kadmin.default_keys = lib.concatStringsSep " " [
-        "aes256-cts-hmac-sha1-96:pw-salt"
-        "aes128-cts-hmac-sha1-96:pw-salt"
-      ];
-
-      libdefaults.default_etypes = lib.concatStringsSep " " [
-        "aes256-cts-hmac-sha1-96"
-        "aes128-cts-hmac-sha1-96"
-      ];
-
-      libdefaults = {
-        default_realm = realm;
-        dns_lookup_kdc = false;
-        dns_lookup_realm = false;
-      };
-
-      domain_realm = {
-        "${lib.toLower realm}" = realm;
-        ".${lib.toLower realm}" = realm;
-      };
-
-      logging = {
-        # kdc = "CONSOLE";
-        kdc = "SYSLOG:DEBUG:AUTH";
-        admin_server = "SYSLOG:DEBUG:AUTH";
-        default = "SYSLOG:DEBUG:AUTH";
-      };
-    };
-  };
-
-  services.kerberos_server = {
-    enable = true;
-    settings = {
-      realms.${realm} = {
-        dbname = "/var/lib/heimdal/heimdal";
-        mkey = "/var/lib/heimdal/m-key";
-        acl = [
-          {
-            principal = "kadmin/admin";
-            access = "all";
-          }
-          {
-            principal = "felixalb/admin";
-            access = "all";
-          }
-          {
-            principal = "oysteikt/admin";
-            access = "all";
-          }
-        ];
-      };
-      # kadmin.default_keys = lib.concatStringsSep " " [
-      #   "aes256-cts-hmac-sha1-96:pw-salt"
-      #   "aes128-cts-hmac-sha1-96:pw-salt"
-      # ];
-
-      # libdefaults.default_etypes = lib.concatStringsSep " " [
-      #   "aes256-cts-hmac-sha1-96"
-      #   "aes128-cts-hmac-sha1-96"
-      # ];
-
-      # password_quality.min_length = 8;
-    };
-  };
-
-  networking.firewall.allowedTCPPorts = [ 88 464 749 ];
-  networking.firewall.allowedUDPPorts = [ 88 464 749 ];
-
-  networking.hosts = {
-    "127.0.0.2" = lib.mkForce [ ];
-    "::1" = lib.mkForce [ ];
-  };
-}

hosts/dagali/services/openldap.nix

@@ -1,121 +0,0 @@
-{ config, pkgs, lib, ... }:
-{
-  services.openldap = let
-    dn = "dc=pvv,dc=ntnu,dc=no";
-    cfg = config.services.openldap;
-
-    heimdal = config.security.krb5.package;
-  in {
-    enable = true;
-
-    # NOTE: this is a custom build of openldap with support for
-    #       perl and kerberos.
-    package = pkgs.openldap.overrideAttrs (prev: {
-      # https://github.com/openldap/openldap/blob/master/configure
-      configureFlags = prev.configureFlags ++ [
-        # Connect to slapd via UNIX socket
-        "--enable-local"
-        # Cyrus SASL
-        "--enable-spasswd"
-        # Reverse hostname lookups
-        "--enable-rlookups"
-        # perl
-        "--enable-perl"
-      ];
-
-      buildInputs = prev.buildInputs ++ [
-        pkgs.perl
-	# NOTE: do not upstream this, it might not work with
-	#       MIT in the same way
-        heimdal
-      ];
-
-      extraContribModules = prev.extraContribModules ++ [
-        # https://git.openldap.org/openldap/openldap/-/tree/master/contrib/slapd-modules
-        "smbk5pwd"
-      ];
-    });
-
-    settings = {
-      attrs = {
-        olcLogLevel = [ "stats" "config" "args" ];
-
-        # olcAuthzRegexp = ''
-        #   gidNumber=.*\\\+uidNumber=0,cn=peercred,cn=external,cn=auth
-        #         "uid=heimdal,${dn2}"
-        # '';
-
-        # olcSaslSecProps = "minssf=0";
-      };
-
-      children = {
-        "cn=schema".includes = let
-          # NOTE: needed for smbk5pwd.so module
-          schemaToLdif = name: path: pkgs.runCommandNoCC name {
-            buildInputs = with pkgs; [ schema2ldif ];
-          } ''
-            schema2ldif "${path}" > $out
-          '';
-
-          hdb-ldif = schemaToLdif "hdb.ldif" "${heimdal.src}/lib/hdb/hdb.schema";
-          samba-ldif = schemaToLdif "samba.ldif" "${heimdal.src}/tests/ldap/samba.schema";
-        in [
-           "${cfg.package}/etc/schema/core.ldif"
-           "${cfg.package}/etc/schema/cosine.ldif"
-           "${cfg.package}/etc/schema/nis.ldif"
-           "${cfg.package}/etc/schema/inetorgperson.ldif"
-           "${hdb-ldif}"
-           "${samba-ldif}"
-        ];
-
-        # NOTE: installation of smbk5pwd.so module
-        #       https://git.openldap.org/openldap/openldap/-/tree/master/contrib/slapd-modules/smbk5pwd
-        "cn=module{0}".attrs = {
-          objectClass = [ "olcModuleList" ];
-          olcModuleLoad = [ "${cfg.package}/lib/modules/smbk5pwd.so" ];
-        };
-
-        # NOTE: activation of smbk5pwd.so module for {1}mdb
-        "olcOverlay={0}smbk5pwd,olcDatabase={1}mdb".attrs = {
-          objectClass = [ "olcOverlayConfig" "olcSmbK5PwdConfig" ];
-          olcOverlay = "{0}smbk5pwd";
-          olcSmbK5PwdEnable = [ "krb5" "samba" ];
-          olcSmbK5PwdMustChange = toString (60 * 60 * 24 * 10000);
-        };
-
-        "olcDatabase={1}mdb".attrs = {
-          objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ];
-
-          olcDatabase = "{1}mdb";
-
-          olcSuffix = dn;
-
-          # TODO: PW is supposed to be a secret, but it's probably fine for testing
-          olcRootDN = "cn=users,${dn}";
-
-          # TODO: replace with proper secret
-          olcRootPW.path = pkgs.writeText "olcRootPW" "pass";
-
-          olcDbDirectory = "/var/lib/openldap/test-smbk5pwd-db";
-          olcDbIndex = "objectClass eq";
-
-          olcAccess = [
-            ''{0}to attrs=userPassword,shadowLastChange
-                by dn.exact=cn=users,${dn} write
-                by self write
-                by anonymous auth
-                by * none''
-
-            ''{1}to dn.base=""
-                by * read''
-
-            /* allow read on anything else */
-            # ''{2}to *
-            #     by cn=users,${dn} write by dn.exact=gidNumber=0+uidNumber=0+cn=peercred,cn=external write
-            #     by * read''
-          ];
-        };
-      };
-    };
-  };
-}

hosts/kommode/services/gitea/customization/default.nix

@@ -10,59 +10,6 @@ in
     catppuccin = pkgs.gitea-theme-catppuccin;
   };
 
-  services.gitea.settings = {
-    ui = {
-      DEFAULT_THEME = "gitea-auto";
-      REACTIONS = lib.concatStringsSep "," [
-        "+1"
-        "-1"
-        "laugh"
-        "confused"
-        "heart"
-        "hooray"
-        "rocket"
-        "eyes"
-        "100"
-        "anger"
-        "astonished"
-        "no_good"
-        "ok_hand"
-        "pensive"
-        "pizza"
-        "point_up"
-        "sob"
-        "skull"
-        "upside_down_face"
-        "shrug"
-        "huh"
-        "bruh"
-        "okiedokie"
-        "grr"
-      ];
-
-      CUSTOM_EMOJIS = lib.concatStringsSep "," [
-        "bruh"
-        "grr"
-        "huh"
-        "ohyeah"
-      ];
-    };
-    "ui.meta" = {
-      AUTHOR = "Programvareverkstedet";
-      DESCRIPTION = "Bokstavelig talt programvareverkstedet";
-      KEYWORDS = lib.concatStringsSep "," [
-        "git"
-        "hackerspace"
-        "nix"
-        "open source"
-        "foss"
-        "organization"
-        "software"
-        "student"
-      ];
-    };
-  };
-
   systemd.services.gitea-customization = lib.mkIf cfg.enable {
     description = "Install extra customization in gitea's CUSTOM_DIR";
     wantedBy = [ "gitea.service" ];
@@ -103,19 +50,14 @@ in
         sed -i -e 's/24/60/g' "$out/repo/icon.tmpl"
       '';
     in ''
-      install -Dm444 ${logo-svg} ${cfg.customDir}/public/assets/img/logo.svg
+      install -Dm444 ${logo-svg} "${cfg.customDir}/public/assets/img/logo.svg"
-      install -Dm444 ${logo-png} ${cfg.customDir}/public/assets/img/logo.png
+      install -Dm444 ${logo-png} "${cfg.customDir}/public/assets/img/logo.png"
-      install -Dm444 ${./loading.apng} ${cfg.customDir}/public/assets/img/loading.png
+      install -Dm444 ${./loading.apng} "${cfg.customDir}/public/assets/img/loading.png"
-      install -Dm444 ${extraLinks} ${cfg.customDir}/templates/custom/extra_links.tmpl
+      install -Dm444 ${extraLinks} "${cfg.customDir}/templates/custom/extra_links.tmpl"
-      install -Dm444 ${extraLinksFooter} ${cfg.customDir}/templates/custom/extra_links_footer.tmpl
+      install -Dm444 ${extraLinksFooter} "${cfg.customDir}/templates/custom/extra_links_footer.tmpl"
-      install -Dm444 ${project-labels} ${cfg.customDir}/options/label/project-labels.yaml
+      install -Dm444 ${project-labels} "${cfg.customDir}/options/label/project-labels.yaml"
 
-      install -Dm644 ${./emotes/bruh.png} ${cfg.customDir}/public/assets/img/emoji/bruh.png
+      "${lib.getExe pkgs.rsync}" -a "${customTemplates}/" "${cfg.customDir}/templates/"
-      install -Dm644 ${./emotes/huh.gif} ${cfg.customDir}/public/assets/img/emoji/huh.png
-      install -Dm644 ${./emotes/grr.png} ${cfg.customDir}/public/assets/img/emoji/grr.png
-      install -Dm644 ${./emotes/okiedokie.jpg} ${cfg.customDir}/public/assets/img/emoji/okiedokie.png
-
-      "${lib.getExe pkgs.rsync}" -a "${customTemplates}/" ${cfg.customDir}/templates/
     '';
   };
 }

hosts/kommode/services/gitea/default.nix

@@ -83,24 +83,11 @@ in {
         AUTO_WATCH_NEW_REPOS = false;
       };
       admin.DEFAULT_EMAIL_NOTIFICATIONS = "onmention";
+      session.COOKIE_SECURE = true;
       security = {
         SECRET_KEY = lib.mkForce "";
         SECRET_KEY_URI = "file:${config.sops.secrets."gitea/secret-key".path}";
       };
-      cache = {
-        ADAPTER = "redis";
-        HOST = "redis+socket://${config.services.redis.servers.gitea.unixSocket}?db=0";
-        ITEM_TTL = "72h";
-      };
-      session = {
-        COOKIE_SECURE = true;
-        PROVIDER = "redis";
-        PROVIDER_CONFIG = "redis+socket://${config.services.redis.servers.gitea.unixSocket}?db=1";
-      };
-      queue = {
-        TYPE = "redis";
-        CONN_STR = "redis+socket://${config.services.redis.servers.gitea.unixSocket}?db=2";
-      };
       database.LOG_SQL = false;
       repository = {
         PREFERRED_LICENSES = lib.concatStringsSep "," [
@@ -141,6 +128,31 @@ in {
         AVATAR_MAX_ORIGIN_SIZE = 1024 * 1024 * 2;
       };
       actions.ENABLED = true;
+      ui = {
+        REACTIONS = lib.concatStringsSep "," [
+          "+1"
+          "-1"
+          "laugh"
+          "confused"
+          "heart"
+          "hooray"
+          "rocket"
+          "eyes"
+          "100"
+          "anger"
+          "astonished"
+          "no_good"
+          "ok_hand"
+          "pensive"
+          "pizza"
+          "point_up"
+          "sob"
+          "skull"
+          "upside_down_face"
+          "shrug"
+        ];
+      };
+      "ui.meta".DESCRIPTION = "Bokstavelig talt programvareverkstedet";
     };
 
     dump = {
@@ -152,26 +164,12 @@ in {
 
   environment.systemPackages = [ cfg.package ];
 
-  systemd.services.gitea = lib.mkIf cfg.enable {
+  systemd.services.gitea.serviceConfig.CPUSchedulingPolicy = "batch";
-    wants = [ "redis-gitea.service" ];
-    after = [ "redis-gitea.service" ];
 
-    serviceConfig = {
+  systemd.services.gitea.serviceConfig.CacheDirectory = "gitea/repo-archive";
-      CPUSchedulingPolicy = "batch";
+  systemd.services.gitea.serviceConfig.BindPaths = [
-      CacheDirectory = "gitea/repo-archive";
-      BindPaths = [
     "%C/gitea/repo-archive:${cfg.stateDir}/data/repo-archive"
   ];
-    };
-  };
-
-  services.redis.servers.gitea = lib.mkIf cfg.enable {
-    enable = true;
-    user = config.services.gitea.user;
-    save = [ ];
-    openFirewall = false;
-    port = 5698;
-  };
 
   services.nginx.virtualHosts."${domain}" = {
     forceSSL = true;

modules/matrix-ooye.nix

@@ -81,7 +81,7 @@ in
 
         if [[ ! -f ''${REGISTRATION_FILE} ]]; then
           echo "No registration file found at '$REGISTRATION_FILE'"
-          cp --no-preserve=mode,ownership ${baseConfig} ''${REGISTRATION_FILE}
+          cp --no-preserve=mode,ownership "${baseConfig}" ''${REGISTRATION_FILE}
         fi
 
         echo "After if statement"
@@ -116,7 +116,7 @@ in
         fi
 
         shred -u ''${REGISTRATION_FILE}
-        cp --no-preserve=mode,ownership ${baseConfig} ''${REGISTRATION_FILE}
+        cp --no-preserve=mode,ownership "${baseConfig}" ''${REGISTRATION_FILE}
 
         ${lib.getExe pkgs.jq} '.as_token = "'$AS_TOKEN'" | .hs_token = "'$HS_TOKEN'" | .ooye.discord_token = "'$DISCORD_TOKEN'" | .ooye.discord_client_secret = "'$DISCORD_CLIENT_SECRET'"' ''${REGISTRATION_FILE} > ''${REGISTRATION_FILE}.tmp
 

modules/snakeoil-certs.nix

@@ -51,8 +51,8 @@ in
       script = let
         openssl = lib.getExe pkgs.openssl;
       in lib.concatMapStringsSep "\n" ({ name, value }: ''
-        mkdir -p $(dirname "${value.certificate}") $(dirname "${value.certificateKey}")
+        mkdir -p "$(dirname "${value.certificate}")" "$(dirname "${value.certificateKey}")"
-        if ! ${openssl} x509 -checkend 86400 -noout -in ${value.certificate}
+        if ! ${openssl} x509 -checkend 86400 -noout -in "${value.certificate}"
         then
           echo "Regenerating '${value.certificate}'"
           ${openssl} req \

values.nix

@@ -40,10 +40,6 @@ in rec {
       ipv4 = pvv-ipv4 168;
       ipv6 = pvv-ipv6 168;
     };
-    dagali = {
-      ipv4 = pvv-ipv4 185;
-      ipv6 = pvv-ipv6 185;
-    };
     ildkule = {
       ipv4 = "129.241.153.213";
       ipv4_internal = "192.168.12.209";