update README to reflect added host

Co-authored-by: System administrator <root@skrot.pvv.ntnu.no>
Reviewed-on: https://git.pvv.ntnu.no/Drift/pvv-nixos-config/pulls/124
Co-authored-by: Vegard Bieker Matthey <VegardMatthey@protonmail.com>
Co-committed-by: Vegard Bieker Matthey <VegardMatthey@protonmail.com>

.mailmap

@@ -23,3 +23,9 @@ Adrian Gunnar Lauterer <adriangl@pvv.ntnu.no> Adrian Gunnar Lauterer <adrian@lau
 
 Fredrik Robertsen <frero@pvv.ntnu.no> frero <frero@pvv.ntnu.no>
 Fredrik Robertsen <frero@pvv.ntnu.no> fredrikr79 <fredrikrobertsen7@gmail.com>
+Fredrik Robertsen <frero@pvv.ntnu.no> fredrik <fredrikr79@pm.me>
+
+Vegard Bieker Matthey <vegardbm@pvv.ntnu.no> Vegard Matthey <VegardMatthey@protonmail.com>
+Vegard Bieker Matthey <vegardbm@pvv.ntnu.no> Vegard Bieker Matthey <VegardMatthey@protonmail.com>
+
+Albert Bayazidi <albertba@pvv.ntnu.no> Albert <albert.bayazidi@gmail.com>

.sops.yaml

@@ -20,8 +20,9 @@ keys:
   - &host_lupine-3 age1j2u876z8hu87q5npfxzzpfgllyw8ypj66d7cgelmzmnrf3xud34qzkntp9
   - &host_lupine-4 age1t8zlawqkmhye737pn8yx0z3p9cl947d9ktv2cajdc6hnvn52d3fsc59s2k
   - &host_lupine-5 age199zkqq4jp4yc3d0hx2q0ksxdtp42xhmjsqwyngh8tswuck34ke3smrfyqu
-  - &host_skrott age1hlvwswsljxsvrtp4leuw8a8rf8l2q6y06xvxtafvzpq54xm9aegs0kqw2e
+  - &host_skrott age1lpkju2e053aaddpgsr4ef83epclf4c9tp4m98d35ft2fswr8p4tq2ua0mf
   - &host_ustetind age1hffjafs4slznksefmtqrlj7rdaqgzqncn4un938rhr053237ry8s3rs0v8
+  - &host_skrot age1hzkvnktkr8t5gvtq0ccw69e44z5z6wf00n3xhk3hj24emf07je5s6q2evr
 
 creation_rules:
   # Global secrets
@@ -144,5 +145,18 @@ creation_rules:
       - *user_pederbs_sopp
       - *user_pederbs_nord
       - *user_pederbs_bjarte
+      - *user_vegardbm
+      pgp:
+      - *user_oysteikt
+  - path_regex: secrets/skrot/[^/]+\.yaml$
+    key_groups:
+    - age:
+      - *host_skrot
+      - *user_danio
+      - *user_felixalb
+      - *user_pederbs_sopp
+      - *user_pederbs_nord
+      - *user_pederbs_bjarte
+      - *user_vegardbm
       pgp:
       - *user_oysteikt

README.md

@@ -43,7 +43,7 @@ revert the changes on the next nightly rebuild (tends to happen when everybody i
 | [kommode][kom]             | Virtual  | Gitea + Gitea pages                                       |
 | [lupine][lup]              | Physical | Gitea CI/CD runners                                       |
 |  shark                     | Virtual  | Test host for authentication, absolutely horrendous       |
-| [skrott][skr]              | Physical | Kiosk, snacks and soda                                    |
+| [skrot/skrott][skr]        | Physical | Kiosk, snacks and soda                                    |
 | [wenche][wen]              | Virtual  | Nix-builders, general purpose compute                     |
 
 ## Documentation

base/programs.nix

@@ -19,6 +19,9 @@
     # Check computer specs
     lshw
 
+    # Check who is keeping open files
+    lsof
+
     # Scan for open ports with netstat
     net-tools
 

base/services/acme.nix

@@ -2,7 +2,7 @@
 {
   security.acme = {
     acceptTerms = true;
-    defaults.email = "drift@pvv.ntnu.no";
+    defaults.email = "acme-drift@pvv.ntnu.no";
   };
 
   # Let's not spam LetsEncrypt in `nixos-rebuild build-vm` mode:

docs/secret-management.md

@@ -151,7 +151,7 @@ is up to date, you can do the following:
 
 ```console
 # Fetch gpg (unless you have it already)
-nix-shell -p gpg
+nix shell nixpkgs#gnupg
 
 # Import oysteikts key to the gpg keychain
 gpg --import ./keys/oysteikt.pub

flake.lock

@@ -7,11 +7,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1769400154,
+        "lastModified": 1770133120,
-        "narHash": "sha256-K0OeXzFCUZTkCBxUDr3U3ah0odS/urtNVG09WDl+HAA=",
+        "narHash": "sha256-RuAWONXb+U3omSsuIPCrPcgj0XYqv+2djG0cnPGEyKg=",
         "ref": "main",
-        "rev": "8e84669d9bf963d5e46bac37fe9b0aa8e8be2d01",
+        "rev": "3123b8b474319bc75ee780e0357dcdea69dc85e6",
-        "revCount": 230,
+        "revCount": 244,
         "type": "git",
         "url": "https://git.pvv.ntnu.no/Projects/dibbler.git"
       },
@@ -174,11 +174,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1768749374,
+        "lastModified": 1769500363,
-        "narHash": "sha256-dhXYLc64d7TKCnRPW4TlHGl6nLRNdabJB2DpJ8ffUw0=",
+        "narHash": "sha256-vFxmdsLBPdTy5j2bf54gbTQi1XnWbZDmeR/BBh8MFrw=",
         "ref": "main",
-        "rev": "040294f2e1df46e33d995add6944b25859654097",
+        "rev": "2618e434e40e109eaab6a0693313c7e0de7324a3",
-        "revCount": 37,
+        "revCount": 47,
         "type": "git",
         "url": "https://git.pvv.ntnu.no/Projects/minecraft-kartverket.git"
       },
@@ -195,11 +195,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1767906352,
+        "lastModified": 1770960722,
-        "narHash": "sha256-wYsH9MMAPFG3XTL+3DwI39XMG0F2fTmn/5lt265a3Es=",
+        "narHash": "sha256-IdhPsWFZUKSJh/nLjGLJvGM5d5Uta+k1FlVYPxTZi0E=",
         "ref": "main",
-        "rev": "d054c5d064b8ed6d53a0adb0cf6c0a72febe212e",
+        "rev": "c2e4aca7e1ba27cd09eeaeab47010d32a11841b2",
-        "revCount": 13,
+        "revCount": 15,
         "type": "git",
         "url": "https://git.pvv.ntnu.no/Drift/nix-gitea-themes.git"
       },
@@ -217,11 +217,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1768955766,
+        "lastModified": 1769018862,
-        "narHash": "sha256-V9ns1OII7sWSbIDwPkiqmJ3Xu/bHgQzj+asgH9cTpOo=",
+        "narHash": "sha256-x3eMpPQhZwEDunyaUos084Hx41XwYTi2uHY4Yc4YNlk=",
         "owner": "oddlama",
         "repo": "nix-topology",
-        "rev": "71f27de56a03f6d8a1a72cf4d0dfd780bcc075bc",
+        "rev": "a15cac71d3399a4c2d1a3482ae62040a3a0aa07f",
         "type": "github"
       },
       "original": {
@@ -233,11 +233,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1768877948,
+        "lastModified": 1769724120,
-        "narHash": "sha256-Bq9Hd6DWCBaZ2GkwvJCWGnpGOchaD6RWPSCFxmSmupw=",
+        "narHash": "sha256-oQBM04hQk1kotfv4qmIG1tHmuwODd1+hqRJE5TELeCE=",
-        "rev": "43b2e61c9d09cf6c1c9c192fe6da08accc9bfb1d",
+        "rev": "8ec59ed5093c2a742d7744e9ecf58f358aa4a87d",
         "type": "tarball",
-        "url": "https://releases.nixos.org/nixos/25.11-small/nixos-25.11.4368.43b2e61c9d09/nixexprs.tar.xz"
+        "url": "https://releases.nixos.org/nixos/25.11-small/nixos-25.11.4961.8ec59ed5093c/nixexprs.tar.xz"
       },
       "original": {
         "type": "tarball",
@@ -261,11 +261,11 @@
     },
     "nixpkgs-unstable": {
       "locked": {
-        "lastModified": 1768886240,
+        "lastModified": 1769813739,
-        "narHash": "sha256-HUAAI7AF+/Ov1u3Vvjs4DL91zTxMkWLC4xJgQ9QxOUQ=",
+        "narHash": "sha256-RmNWW1DQczvDwBHu11P0hGwJZxbngdoymVu7qkwq/2M=",
-        "rev": "80e4adbcf8992d3fd27ad4964fbb84907f9478b0",
+        "rev": "16a3cae5c2487b1afa240e5f2c1811f172419558",
         "type": "tarball",
-        "url": "https://releases.nixos.org/nixos/unstable-small/nixos-26.05pre930839.80e4adbcf899/nixexprs.tar.xz"
+        "url": "https://releases.nixos.org/nixos/unstable-small/nixos-26.05pre937548.16a3cae5c248/nixexprs.tar.xz"
       },
       "original": {
         "type": "tarball",
@@ -300,11 +300,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1768636400,
+        "lastModified": 1769009806,
-        "narHash": "sha256-AiSKT4/25LS1rUlPduBMogf4EbdMQYDY1rS7AvHFcxk=",
+        "narHash": "sha256-52xTtAOc9B+MBRMRZ8HI6ybNsRLMlHHLh+qwAbaJjRY=",
         "ref": "main",
-        "rev": "3a8f82b12a44e6c4ceacd6955a290a52d1ee2856",
+        "rev": "aa8adfc6a4d5b6222752e2d15d4a6d3b3b85252e",
-        "revCount": 573,
+        "revCount": 575,
         "type": "git",
         "url": "https://git.pvv.ntnu.no/Projects/nettsiden.git"
       },
@@ -364,11 +364,11 @@
         "rust-overlay": "rust-overlay_3"
       },
       "locked": {
-        "lastModified": 1768140181,
+        "lastModified": 1769834595,
-        "narHash": "sha256-HfZzup5/jlu8X5vMUglTovVTSwhHGHwwV1YOFIL/ksA=",
+        "narHash": "sha256-P1jrO7BxHyIKDuOXHuUb7bi4H2TuYnACW5eqf1gG47g=",
         "ref": "main",
-        "rev": "834463ed64773939798589ee6fd4adfe3a97dddd",
+        "rev": "def4eec2d59a69b4638b3f25d6d713b703b2fa56",
-        "revCount": 43,
+        "revCount": 49,
         "type": "git",
         "url": "https://git.pvv.ntnu.no/Projects/roowho2.git"
       },
@@ -428,11 +428,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1767322002,
+        "lastModified": 1769309768,
-        "narHash": "sha256-yHKXXw2OWfIFsyTjduB4EyFwR0SYYF0hK8xI9z4NIn0=",
+        "narHash": "sha256-AbOIlNO+JoqRJkK1VrnDXhxuX6CrdtIu2hSuy4pxi3g=",
         "owner": "oxalica",
         "repo": "rust-overlay",
-        "rev": "03c6e38661c02a27ca006a284813afdc461e9f7e",
+        "rev": "140c9dc582cb73ada2d63a2180524fcaa744fad5",
         "type": "github"
       },
       "original": {
@@ -448,11 +448,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1768863606,
+        "lastModified": 1769469829,
-        "narHash": "sha256-1IHAeS8WtBiEo5XiyJBHOXMzECD6aaIOJmpQKzRRl64=",
+        "narHash": "sha256-wFcr32ZqspCxk4+FvIxIL0AZktRs6DuF8oOsLt59YBU=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "c7067be8db2c09ab1884de67ef6c4f693973f4a2",
+        "rev": "c5eebd4eb2e3372fe12a8d70a248a6ee9dd02eff",
         "type": "github"
       },
       "original": {

flake.nix

@@ -129,6 +129,7 @@
           ] ++ (lib.optionals enableDefaults [
             sops-nix.nixosModules.sops
             inputs.roowho2.nixosModules.default
+            self.nixosModules.rsync-pull-targets
           ]) ++ modules;
         }
         (builtins.removeAttrs extraArgs [
@@ -146,7 +147,7 @@
     in {
       bakke = stableNixosConfig "bakke" {
         modules = [
-          disko.nixosModules.disko
+          inputs.disko.nixosModules.disko
         ];
       };
       bicep = stableNixosConfig "bicep" {
@@ -183,6 +184,13 @@
       };
       ildkule = stableNixosConfig "ildkule" { };
       #ildkule-unstable = unstableNixosConfig "ildkule" { };
+      skrot = stableNixosConfig "skrot" {
+        modules = [
+          inputs.disko.nixosModules.disko
+          inputs.dibbler.nixosModules.default
+        ];
+        overlays = [inputs.dibbler.overlays.default];
+      };
       shark = stableNixosConfig "shark" { };
       wenche = stableNixosConfig "wenche" { };
       temmie = stableNixosConfig "temmie" { };
@@ -194,6 +202,7 @@
         ];
         modules = [
           inputs.nix-gitea-themes.nixosModules.default
+          inputs.disko.nixosModules.disko
         ];
       };
 
@@ -270,15 +279,25 @@
 
     nixosModules = {
       bluemap = ./modules/bluemap.nix;
-      snakeoil-certs = ./modules/snakeoil-certs.nix;
-      snappymail = ./modules/snappymail.nix;
-      robots-txt = ./modules/robots-txt.nix;
       gickup = ./modules/gickup;
       matrix-ooye = ./modules/matrix-ooye.nix;
+      robots-txt = ./modules/robots-txt.nix;
+      rsync-pull-targets = ./modules/rsync-pull-targets.nix;
+      snakeoil-certs = ./modules/snakeoil-certs.nix;
+      snappymail = ./modules/snappymail.nix;
     };
 
     devShells = forAllSystems (system: {
-      default = nixpkgs-unstable.legacyPackages.${system}.callPackage ./shell.nix { };
+      default = let
+        pkgs = import nixpkgs-unstable {
+          inherit system;
+          overlays = [
+            (final: prev: {
+              inherit (inputs.disko.packages.${system}) disko;
+            })
+          ];
+        };
+      in pkgs.callPackage ./shell.nix { };
       cuda = let
         cuda-pkgs = import nixpkgs-unstable {
           inherit system;

hosts/bekkalokk/configuration.nix

@@ -28,5 +28,5 @@
 
   # Don't change (even during upgrades) unless you know what you are doing.
   # See https://search.nixos.org/options?show=system.stateVersion
-  system.stateVersion = "22.11";
+  system.stateVersion = "25.11";
 }

hosts/bekkalokk/services/mediawiki/default.nix

@@ -49,6 +49,23 @@ in {
     lib.listToAttrs
   ];
 
+  services.rsync-pull-targets = {
+    enable = true;
+    locations.${cfg.uploadsDir} = {
+      user = "root";
+      rrsyncArgs.ro = true;
+      authorizedKeysAttrs = [
+        "restrict"
+        "from=\"principal.pvv.ntnu.no,${values.hosts.principal.ipv6},${values.hosts.principal.ipv4}\""
+        "no-agent-forwarding"
+        "no-port-forwarding"
+        "no-pty"
+        "no-X11-forwarding"
+      ];
+      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICHFHa3Iq1oKPhbKCAIHgOoWOTkLmIc7yqxeTbut7ig/ mediawiki rsync backup";
+    };
+  };
+
   services.mediawiki = {
     enable = true;
     name = "Programvareverkstedet";
@@ -145,6 +162,24 @@ in {
       $wgDBserver = "${toString cfg.database.host}";
       $wgAllowCopyUploads = true;
 
+      # Files
+      $wgFileExtensions = [
+        'bmp',
+        'gif',
+        'jpeg',
+        'jpg',
+        'mp3',
+        'odg',
+        'odp',
+        'ods',
+        'odt',
+        'pdf',
+        'png',
+        'tiff',
+        'webm',
+        'webp',
+      ];
+
       # Misc program paths
       $wgFFmpegLocation = '${pkgs.ffmpeg}/bin/ffmpeg';
       $wgExiftool = '${pkgs.exiftool}/bin/exiftool';
@@ -240,6 +275,7 @@ in {
     serviceConfig = {
       BindReadOnlyPaths = [ "/run/credentials/mediawiki-init.service/secret-key:/var/lib/mediawiki/secret.key" ];
       LoadCredential = [ "secret-key:${config.sops.secrets."mediawiki/secret-key".path}" ];
+      UMask = lib.mkForce "0007";
     };
   };
 
@@ -248,6 +284,7 @@ in {
     serviceConfig = {
       BindReadOnlyPaths = [ "/run/credentials/phpfpm-mediawiki.service/secret-key:/var/lib/mediawiki/secret.key" ];
       LoadCredential = [ "secret-key:${config.sops.secrets."mediawiki/secret-key".path}" ];
+      UMask = lib.mkForce "0007";
     };
   };
 }

hosts/bekkalokk/services/vaultwarden.nix

@@ -1,4 +1,4 @@
-{ config, pkgs, lib, ... }:
+{ config, pkgs, lib, values, ... }:
 let
   cfg = config.services.vaultwarden;
   domain = "pw.pvv.ntnu.no";
@@ -99,4 +99,21 @@ in {
       ];
     };
   };
+
+  services.rsync-pull-targets = {
+    enable = true;
+    locations."/var/lib/vaultwarden" = {
+      user = "root";
+      rrsyncArgs.ro = true;
+      authorizedKeysAttrs = [
+        "restrict"
+        "from=\"principal.pvv.ntnu.no,${values.hosts.principal.ipv6},${values.hosts.principal.ipv4}\""
+        "no-agent-forwarding"
+        "no-port-forwarding"
+        "no-pty"
+        "no-X11-forwarding"
+      ];
+      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB2cDaW52gBtLVaNqoGijvN2ZAVkAWlII5AXUzT3Dswj vaultwarden rsync backup";
+    };
+  };
 }

hosts/bekkalokk/services/webmail/snappymail.nix

@@ -1,4 +1,4 @@
-{ config, lib, fp, pkgs, ... }:
+{ config, lib, fp, pkgs, values, ... }:
 let
   cfg = config.services.snappymail;
 in {
@@ -14,5 +14,21 @@ in {
     enableACME = true;
     kTLS = true;
   };
-}
 
+  services.rsync-pull-targets = {
+    enable = true;
+    locations.${cfg.dataDir} = {
+      user = "root";
+      rrsyncArgs.ro = true;
+      authorizedKeysAttrs = [
+        "restrict"
+        "from=\"principal.pvv.ntnu.no,${values.hosts.principal.ipv6},${values.hosts.principal.ipv4}\""
+        "no-agent-forwarding"
+        "no-port-forwarding"
+        "no-pty"
+        "no-X11-forwarding"
+      ];
+      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJENMnuNsHEeA91oX+cj7Qpex2defSXP/lxznxCAqV03 snappymail rsync backup";
+    };
+  };
+}

hosts/bekkalokk/services/website/fetch-gallery.nix

@@ -1,15 +1,30 @@
-{ pkgs, lib, config, ... }:
+{ pkgs, lib, config, values, ... }:
 let
   galleryDir = config.services.pvv-nettsiden.settings.GALLERY.DIR;
   transferDir = "${config.services.pvv-nettsiden.settings.GALLERY.DIR}-transfer";
 in {
   users.users.${config.services.pvv-nettsiden.user} = {
+    # NOTE: the user unfortunately needs a registered shell for rrsync to function...
+    #       is there anything we can do to remove this?
     useDefaultShell = true;
+  };
 
   # This is pushed from microbel:/var/www/www-gallery/build-gallery.sh
-    openssh.authorizedKeys.keys = [
+  services.rsync-pull-targets = {
-    ''command="${pkgs.rrsync}/bin/rrsync -wo ${transferDir}",restrict,no-agent-forwarding,no-port-forwarding,no-pty,no-X11-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIjHhC2dikhWs/gG+m7qP1eSohWzTehn4ToNzDSOImyR gallery-publish''
+    enable = true;
+    locations.${transferDir} = {
+      user = config.services.pvv-nettsiden.user;
+      rrsyncArgs.wo = true;
+      authorizedKeysAttrs = [
+        "restrict"
+        "from=\"microbel.pvv.ntnu.no,${values.hosts.microbel.ipv6},${values.hosts.microbel.ipv4}\""
+        "no-agent-forwarding"
+        "no-port-forwarding"
+        "no-pty"
+        "no-X11-forwarding"
       ];
+      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIjHhC2dikhWs/gG+m7qP1eSohWzTehn4ToNzDSOImyR gallery-publish";
+    };
   };
 
   systemd.paths.pvv-nettsiden-gallery-update = {

hosts/bekkalokk/services/well-known/root/security.txt

@@ -6,7 +6,11 @@ Contact: mailto:cert@pvv.ntnu.no
 Preferred-Languages: no, en
 
 Expires: 2032-12-31T23:59:59.000Z
-# This file was last updated 2024-09-14.
+# This file was last updated 2026-02-27.
 
 # You can find a wikipage for our security policies at:
 # https://wiki.pvv.ntnu.no/wiki/CERT
+
+# Please note that we are a student organization, and unfortunately we do not
+# have a bug bounty program or offer monetary compensation for disclosure of
+# security vulnerabilities.

hosts/bicep/configuration.nix

@@ -9,8 +9,8 @@
     ./services/calendar-bot.nix
     #./services/git-mirrors
     ./services/minecraft-heatmap.nix
-    ./services/mysql.nix
+    ./services/mysql
-    ./services/postgres.nix
+    ./services/postgresql
 
     ./services/matrix
   ];
@@ -30,5 +30,5 @@
 
   # Don't change (even during upgrades) unless you know what you are doing.
   # See https://search.nixos.org/options?show=system.stateVersion
-  system.stateVersion = "22.11";
+  system.stateVersion = "25.11";
 }

hosts/bicep/services/matrix/default.nix

@@ -1,8 +1,9 @@
 { config, ... }:
 {
   imports = [
-    ./synapse.nix
     ./synapse-admin.nix
+    ./synapse-auto-compressor.nix
+    ./synapse.nix
     ./element.nix
     ./coturn.nix
     ./livekit.nix

hosts/bicep/services/matrix/element.nix

@@ -37,6 +37,7 @@ in {
           # element call group calls
           feature_group_calls = true;
         };
+        default_country_code = "NO";
         default_theme = "dark";
         # Servers in this list should provide some sort of valuable scoping
         # matrix.org is not useful compared to matrixrooms.info,

hosts/bicep/services/matrix/hookshot/default.nix

@@ -14,6 +14,10 @@ in
     sopsFile = fp /secrets/bicep/matrix.yaml;
     key = "hookshot/hs_token";
   };
+  sops.secrets."matrix/hookshot/passkey" = {
+    sopsFile = fp /secrets/bicep/matrix.yaml;
+    key = "hookshot/passkey";
+  };
 
   sops.templates."hookshot-registration.yaml" = {
     owner = config.users.users.matrix-synapse.name;
@@ -44,9 +48,14 @@ in
   };
 
   systemd.services.matrix-hookshot = {
-    serviceConfig.SupplementaryGroups = [
+    serviceConfig = {
+      SupplementaryGroups = [
         config.users.groups.keys-matrix-registrations.name
       ];
+      LoadCredential = [
+        "passkey.pem:${config.sops.secrets."matrix/hookshot/passkey".path}"
+      ];
+    };
   };
 
   services.matrix-hookshot = {
@@ -54,6 +63,8 @@ in
     package = unstablePkgs.matrix-hookshot;
     registrationFile = config.sops.templates."hookshot-registration.yaml".path;
     settings = {
+      passFile = "/run/credentials/matrix-hookshot.service/passkey.pem";
+
       bridge = {
         bindAddress = "127.0.0.1";
         domain = "pvv.ntnu.no";
@@ -61,6 +72,7 @@ in
         mediaUrl = "https://matrix.pvv.ntnu.no";
         port = 9993;
       };
+
       listeners = [
         {
           bindAddress = webhookListenAddress;
@@ -73,6 +85,7 @@ in
           ];
         }
       ];
+
       generic = {
         enabled = true;
         outbound = true;

hosts/bicep/services/matrix/livekit.nix

@@ -43,7 +43,7 @@ in
     keyFile = config.sops.templates."matrix-livekit-keyfile".path;
   };
 
-  systemd.services.lk-jwt-service.environment.LIVEKIT_FULL_ACCESS_HOMESERVERS = lib.mkIf cfg.enable matrixDomain;
+  systemd.services.lk-jwt-service.environment.LIVEKIT_FULL_ACCESS_HOMESERVERS = lib.mkIf cfg.enable (builtins.concatStringsSep "," [ "pvv.ntnu.no" "dodsorf.as" ]);
 
   services.nginx.virtualHosts.${matrixDomain} = lib.mkIf cfg.enable {
     locations."^~ /livekit/jwt/" = {

hosts/bicep/services/matrix/out-of-your-element.nix

@@ -1,4 +1,4 @@
-{ config, pkgs, fp, ... }:
+{ config, pkgs, lib, values, fp, ... }:
 let
   cfg = config.services.matrix-ooye;
 in
@@ -28,6 +28,23 @@ in
     };
   };
 
+  services.rsync-pull-targets = lib.mkIf cfg.enable {
+    enable = true;
+    locations."/var/lib/private/matrix-ooye" = {
+      user = "root";
+      rrsyncArgs.ro = true;
+      authorizedKeysAttrs = [
+        "restrict"
+        "from=\"principal.pvv.ntnu.no,${values.hosts.principal.ipv6},${values.hosts.principal.ipv4}\""
+        "no-agent-forwarding"
+        "no-port-forwarding"
+        "no-pty"
+        "no-X11-forwarding"
+      ];
+      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE5koYfor5+kKB30Dugj3dAWvmj8h/akQQ2XYDvLobFL matrix_ooye rsync backup";
+    };
+  };
+
   services.matrix-ooye = {
     enable = true;
     homeserver = "https://matrix.pvv.ntnu.no";

hosts/bicep/services/matrix/synapse-auto-compressor.nix

@@ -0,0 +1,56 @@
+{ config, lib, utils, ... }:
+let
+  cfg = config.services.synapse-auto-compressor;
+in
+{
+  services.synapse-auto-compressor = {
+    # enable = true;
+    postgresUrl = "postgresql://matrix-synapse@/synapse?host=/run/postgresql";
+  };
+
+  # NOTE: nixpkgs has some broken asserts, vendored the entire unit
+  systemd.services.synapse-auto-compressor = {
+    description = "synapse-auto-compressor";
+    requires = [
+      "postgresql.target"
+    ];
+    inherit (cfg) startAt;
+    serviceConfig = {
+      Type = "oneshot";
+      DynamicUser = true;
+      User = "matrix-synapse";
+      PrivateTmp = true;
+      ExecStart = utils.escapeSystemdExecArgs [
+        "${cfg.package}/bin/synapse_auto_compressor"
+        "-p"
+        cfg.postgresUrl
+        "-c"
+        cfg.settings.chunk_size
+        "-n"
+        cfg.settings.chunks_to_compress
+        "-l"
+        (lib.concatStringsSep "," (map toString cfg.settings.levels))
+      ];
+      LockPersonality = true;
+      MemoryDenyWriteExecute = true;
+      NoNewPrivileges = true;
+      PrivateDevices = true;
+      PrivateMounts = true;
+      PrivateUsers = true;
+      RemoveIPC = true;
+      RestrictNamespaces = true;
+      RestrictRealtime = true;
+      RestrictSUIDSGID = true;
+      ProcSubset = "pid";
+      ProtectProc = "invisible";
+      ProtectSystem = "strict";
+      ProtectHome = true;
+      ProtectHostname = true;
+      ProtectClock = true;
+      ProtectKernelTunables = true;
+      ProtectKernelModules = true;
+      ProtectKernelLogs = true;
+      ProtectControlGroups = true;
+    };
+  };
+}

hosts/bicep/services/matrix/synapse.nix

@@ -27,6 +27,23 @@ in {
     '';
   };
 
+  services.rsync-pull-targets = {
+    enable = true;
+    locations.${cfg.settings.media_store_path} = {
+      user = "root";
+      rrsyncArgs.ro = true;
+      authorizedKeysAttrs = [
+        "restrict"
+        "from=\"principal.pvv.ntnu.no,${values.hosts.principal.ipv6},${values.hosts.principal.ipv4}\""
+        "no-agent-forwarding"
+        "no-port-forwarding"
+        "no-pty"
+        "no-X11-forwarding"
+      ];
+      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIASnjI9b3j4ZS3BL/D1ggHfws1BkE8iS0v0cGpEmbG+k matrix_media_store rsync backup";
+    };
+  };
+
   services.matrix-synapse-next = {
     enable = true;
 

hosts/bicep/services/minecraft-heatmap.nix

@@ -22,7 +22,7 @@ in
     };
   };
 
-  systemd.services.minecraft-heatmap-ingest-logs = {
+  systemd.services.minecraft-heatmap-ingest-logs = lib.mkIf cfg.enable {
     serviceConfig.LoadCredential = [
       "sshkey:${config.sops.secrets."minecraft-heatmap/ssh-key/private".path}"
     ];

hosts/bicep/services/mysql/backup.nix

@@ -0,0 +1,83 @@
+{ config, lib, pkgs, values, ... }:
+let
+  cfg = config.services.mysql;
+  backupDir = "/data/mysql-backups";
+in
+{
+  # services.mysqlBackup = lib.mkIf cfg.enable {
+  #   enable = true;
+  #   location = "/var/lib/mysql-backups";
+  # };
+
+  systemd.tmpfiles.settings."10-mysql-backups".${backupDir}.d = {
+	  user = "mysql";
+	  group = "mysql";
+	  mode = "700";
+	};
+
+  services.rsync-pull-targets = lib.mkIf cfg.enable {
+    enable = true;
+    locations.${backupDir} = {
+      user = "root";
+      rrsyncArgs.ro = true;
+      authorizedKeysAttrs = [
+        "restrict"
+        "from=\"principal.pvv.ntnu.no,${values.hosts.principal.ipv6},${values.hosts.principal.ipv4}\""
+        "no-agent-forwarding"
+        "no-port-forwarding"
+        "no-pty"
+        "no-X11-forwarding"
+      ];
+      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJgj55/7Cnj4cYMJ5sIkl+OwcGeBe039kXJTOf2wvo9j mysql rsync backup";
+    };
+  };
+
+  # NOTE: instead of having the upstream nixpkgs postgres backup unit trigger
+  #       another unit, it was easier to just make one ourselves.
+  systemd.services."backup-mysql" = lib.mkIf cfg.enable {
+    description = "Backup MySQL data";
+    requires = [ "mysql.service" ];
+
+    path = with pkgs; [
+      cfg.package
+      coreutils
+      zstd
+    ];
+
+    script = let
+      rotations = 2;
+    in ''
+      set -euo pipefail
+
+      OUT_FILE="$STATE_DIRECTORY/mysql-dump-$(date --iso-8601).sql.zst"
+
+      mysqldump --all-databases | zstd --compress -9 --rsyncable -o "$OUT_FILE"
+
+      # NOTE: this needs to be a hardlink for rrsync to allow sending it
+      rm "$STATE_DIRECTORY/mysql-dump-latest.sql.zst" ||:
+      ln -T "$OUT_FILE" "$STATE_DIRECTORY/mysql-dump-latest.sql.zst"
+
+      while [ "$(find "$STATE_DIRECTORY" -type f -printf '.' | wc -c)" -gt ${toString (rotations + 1)} ]; do
+        rm "$(find "$STATE_DIRECTORY" -type f -printf '%T+ %p\n' | sort | head -n 1 | cut -d' ' -f2)"
+      done
+    '';
+
+    serviceConfig = {
+      Type = "oneshot";
+      User = "mysql";
+      Group = "mysql";
+      UMask = "0077";
+
+      Nice = 19;
+      IOSchedulingClass = "best-effort";
+      IOSchedulingPriority = 7;
+
+      StateDirectory = [ "mysql-backups" ];
+      BindPaths = [ "${backupDir}:/var/lib/mysql-backups" ];
+
+      # TODO: hardening
+    };
+
+    startAt = "*-*-* 02:15:00";
+  };
+}

hosts/bicep/services/mysql/default.nix

@@ -1,5 +1,11 @@
-{ pkgs, lib, config, values, ... }:
+{ config, pkgs, lib, values, ... }:
+let
+  cfg = config.services.mysql;
+  dataDir = "/data/mysql";
+in
 {
+  imports = [ ./backup.nix ];
+
   sops.secrets."mysql/password" = {
     owner = "mysql";
     group = "mysql";
@@ -9,8 +15,7 @@
 
   services.mysql = {
     enable = true;
-    dataDir = "/data/mysql";
+    package = pkgs.mariadb_118;
-    package = pkgs.mariadb;
     settings = {
       mysqld = {
         # PVV allows a lot of connections at the same time
@@ -21,6 +26,9 @@
         # This was needed in order to be able to use all of the old users
         # during migration from knakelibrak to bicep in Sep. 2023
         secure_auth = 0;
+
+        slow-query-log = 1;
+        slow-query-log-file = "/var/log/mysql/mysql-slow.log";
       };
     };
 
@@ -36,14 +44,24 @@
     }];
   };
 
-  services.mysqlBackup = {
+  networking.firewall.allowedTCPPorts = lib.mkIf cfg.enable [ 3306 ];
-    enable = true;
+
-    location = "/var/lib/mysql/backups";
+  systemd.tmpfiles.settings."10-mysql".${dataDir}.d = lib.mkIf cfg.enable {
+    inherit (cfg) user group;
+    mode = "0700";
   };
 
-  networking.firewall.allowedTCPPorts = [ 3306 ];
+  systemd.services.mysql = lib.mkIf cfg.enable {
+    after = [
+      "systemd-tmpfiles-setup.service"
+      "systemd-tmpfiles-resetup.service"
+    ];
+
+    serviceConfig = {
+      BindPaths = [ "${dataDir}:${cfg.dataDir}" ];
+
+      LogsDirectory = "mysql";
 
-  systemd.services.mysql.serviceConfig = {
       IPAddressDeny = "any";
       IPAddressAllow = [
         values.ipv4-space
@@ -52,4 +70,5 @@
         values.hosts.ildkule.ipv6
       ];
     };
+  };
 }

hosts/bicep/services/postgresql/backup.nix

@@ -0,0 +1,84 @@
+{ config, lib, pkgs, values, ... }:
+let
+  cfg = config.services.postgresql;
+  backupDir = "/data/postgresql-backups";
+in
+{
+  # services.postgresqlBackup = lib.mkIf cfg.enable {
+  #   enable = true;
+  #   location = "/var/lib/postgresql-backups";
+  #   backupAll = true;
+  # };
+
+  systemd.tmpfiles.settings."10-postgresql-backups".${backupDir}.d = {
+	  user = "postgres";
+	  group = "postgres";
+	  mode = "700";
+	};
+
+  services.rsync-pull-targets = lib.mkIf cfg.enable {
+    enable = true;
+    locations.${backupDir} = {
+      user = "root";
+      rrsyncArgs.ro = true;
+      authorizedKeysAttrs = [
+        "restrict"
+        "from=\"principal.pvv.ntnu.no,${values.hosts.principal.ipv6},${values.hosts.principal.ipv4}\""
+        "no-agent-forwarding"
+        "no-port-forwarding"
+        "no-pty"
+        "no-X11-forwarding"
+      ];
+      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGvO7QX7QmwSiGLXEsaxPIOpAqnJP3M+qqQRe5dzf8gJ postgresql rsync backup";
+    };
+  };
+
+  # NOTE: instead of having the upstream nixpkgs postgres backup unit trigger
+  #       another unit, it was easier to just make one ourselves
+  systemd.services."backup-postgresql" = {
+    description = "Backup PostgreSQL data";
+    requires = [ "postgresql.service" ];
+
+    path = with pkgs; [
+      coreutils
+      zstd
+      cfg.package
+    ];
+
+    script = let
+      rotations = 2;
+    in ''
+      set -euo pipefail
+
+      OUT_FILE="$STATE_DIRECTORY/postgresql-dump-$(date --iso-8601).sql.zst"
+
+      pg_dumpall -U postgres | zstd --compress -9 --rsyncable -o "$OUT_FILE"
+
+      # NOTE: this needs to be a hardlink for rrsync to allow sending it
+      rm "$STATE_DIRECTORY/postgresql-dump-latest.sql.zst" ||:
+      ln -T "$OUT_FILE" "$STATE_DIRECTORY/postgresql-dump-latest.sql.zst"
+
+      while [ "$(find "$STATE_DIRECTORY" -type f -printf '.' | wc -c)" -gt ${toString (rotations + 1)} ]; do
+        rm "$(find "$STATE_DIRECTORY" -type f -printf '%T+ %p\n' | sort | head -n 1 | cut -d' ' -f2)"
+      done
+    '';
+
+    serviceConfig = {
+      Type = "oneshot";
+      User = "postgres";
+      Group = "postgres";
+      UMask = "0077";
+
+      Nice = 19;
+      IOSchedulingClass = "best-effort";
+      IOSchedulingPriority = 7;
+
+      StateDirectory = [ "postgresql-backups" ];
+      BindPaths = [ "${backupDir}:/var/lib/postgresql-backups" ];
+
+      # TODO: hardening
+    };
+
+    startAt = "*-*-* 01:15:00";
+  };
+}

hosts/bicep/services/postgresql/default.nix

@@ -1,8 +1,13 @@
-{ config, pkgs, values, ... }:
+{ config, lib, pkgs, values, ... }:
+let
+  cfg = config.services.postgresql;
+in
 {
+  imports = [ ./backup.nix ];
+
   services.postgresql = {
     enable = true;
-    package = pkgs.postgresql_15;
+    package = pkgs.postgresql_18;
     enableTCPIP = true;
 
     authentication = ''
@@ -74,13 +79,13 @@
     };
   };
 
-  systemd.tmpfiles.settings."10-postgresql"."/data/postgresql".d = {
+  systemd.tmpfiles.settings."10-postgresql"."/data/postgresql".d = lib.mkIf cfg.enable {
     user = config.systemd.services.postgresql.serviceConfig.User;
     group = config.systemd.services.postgresql.serviceConfig.Group;
     mode = "0700";
   };
 
-  systemd.services.postgresql-setup = {
+  systemd.services.postgresql-setup = lib.mkIf cfg.enable {
     after = [
       "systemd-tmpfiles-setup.service"
       "systemd-tmpfiles-resetup.service"
@@ -95,7 +100,7 @@
     };
   };
 
-  systemd.services.postgresql = {
+  systemd.services.postgresql = lib.mkIf cfg.enable {
     after = [
       "systemd-tmpfiles-setup.service"
       "systemd-tmpfiles-resetup.service"
@@ -110,18 +115,12 @@
     };
   };
 
-  environment.snakeoil-certs."/etc/certs/postgres" = {
+  environment.snakeoil-certs."/etc/certs/postgres" = lib.mkIf cfg.enable {
     owner = "postgres";
     group = "postgres";
     subject = "/C=NO/O=Programvareverkstedet/CN=postgres.pvv.ntnu.no/emailAddress=drift@pvv.ntnu.no";
   };
 
-  networking.firewall.allowedTCPPorts = [ 5432 ];
+  networking.firewall.allowedTCPPorts = lib.mkIf cfg.enable [ 5432 ];
-  networking.firewall.allowedUDPPorts = [ 5432 ];
+  networking.firewall.allowedUDPPorts = lib.mkIf cfg.enable [ 5432 ];
-
-  services.postgresqlBackup = {
-    enable = true;
-    location = "/var/lib/postgres/backups";
-    backupAll = true;
-  };
 }

hosts/brzeczyszczykiewicz/configuration.nix

@@ -17,5 +17,5 @@
 
   # Don't change (even during upgrades) unless you know what you are doing.
   # See https://search.nixos.org/options?show=system.stateVersion
-  system.stateVersion = "23.05";
+  system.stateVersion = "25.11";
 }

hosts/georg/configuration.nix

@@ -32,5 +32,5 @@
 
   # Don't change (even during upgrades) unless you know what you are doing.
   # See https://search.nixos.org/options?show=system.stateVersion
-  system.stateVersion = "23.05";
+  system.stateVersion = "25.11";
 }

hosts/gluttony/hardware-configuration.nix

@@ -31,7 +31,7 @@
   };
 
   fileSystems."/boot" = {
-    device = "/dev/disk/by-uuid/D00A-B488";
+    device = "/dev/disk/by-uuid/933A-3005";
     fsType = "vfat";
     options = [
       "fmask=0077"

hosts/ildkule/services/monitoring/dashboards/mysql.json

@@ -13,7 +13,7 @@
     ]
   },
   "description": "",
-  "editable": true,
+  "editable": false,
   "gnetId": 11323,
   "graphTooltip": 1,
   "id": 31,
@@ -1899,7 +1899,7 @@
       "dashes": false,
       "datasource": "$datasource",
       "decimals": 0,
-      "description": "***System Memory***: Total Memory for the system.\\\n***InnoDB Buffer Pool Data***: InnoDB maintains a storage area called the buffer pool for caching data and indexes in memory.\\\n***TokuDB Cache Size***: Similar in function to the InnoDB Buffer Pool,  TokuDB will allocate 50% of the installed RAM for its own cache.\\\n***Key Buffer Size***: Index blocks for MYISAM tables are buffered and are shared by all threads. key_buffer_size is the size of the buffer used for index blocks.\\\n***Adaptive Hash Index Size***: When InnoDB notices that some index values are being accessed very frequently, it builds a hash index for them in memory on top of B-Tree indexes.\\\n ***Query Cache Size***: The query cache stores the text of a SELECT statement together with the corresponding result that was sent to the client. The query cache has huge scalability problems in that only one thread can do an operation in the query cache at the same time.\\\n***InnoDB Dictionary Size***: The data dictionary is InnoDB 's internal catalog of tables. InnoDB stores the data dictionary on disk, and loads entries into memory while the server is running.\\\n***InnoDB Log Buffer Size***: The MySQL InnoDB log buffer allows transactions to run without having to write the log to disk before the transactions commit.",
+      "description": "***System Memory***: Total Memory for the system.\\\n***InnoDB Buffer Pool Data***: InnoDB maintains a storage area called the buffer pool for caching data and indexes in memory.\\\n***TokuDB Cache Size***: Similar in function to the InnoDB Buffer Pool,  TokuDB will allocate 50% of the installed RAM for its own cache.\\\n***Key Buffer Size***: Index blocks for MYISAM tables are buffered and are shared by all threads. key_buffer_size is the size of the buffer used for index blocks.\\\n***Adaptive Hash Index Size***: When InnoDB notices that some index values are being accessed very frequently, it builds a hash index for them in memory on top of B-Tree indexes.\\\n ***Query Cache Size***: The query cache stores the text of a SELECT statement together with the corresponding result that was sent to the client. The query cache has huge scalability problems in that only one thread can do an operation in the query cache at the same time.\\\n***InnoDB Dictionary Size***: The data dictionary is InnoDB ‘s internal catalog of tables. InnoDB stores the data dictionary on disk, and loads entries into memory while the server is running.\\\n***InnoDB Log Buffer Size***: The MySQL InnoDB log buffer allows transactions to run without having to write the log to disk before the transactions commit.",
       "editable": true,
       "error": false,
       "fieldConfig": {
@@ -3690,7 +3690,7 @@
         },
         "hide": 0,
         "includeAll": false,
-        "label": "Data Source",
+        "label": "Data source",
         "multi": false,
         "name": "datasource",
         "options": [],
@@ -3713,12 +3713,12 @@
         "definition": "label_values(mysql_up, job)",
         "hide": 0,
         "includeAll": true,
-        "label": "job",
+        "label": "Job",
         "multi": true,
         "name": "job",
         "options": [],
         "query": "label_values(mysql_up, job)",
-        "refresh": 1,
+        "refresh": 2,
         "regex": "",
         "skipUrlSync": false,
         "sort": 0,
@@ -3742,12 +3742,12 @@
         "definition": "label_values(mysql_up, instance)",
         "hide": 0,
         "includeAll": true,
-        "label": "instance",
+        "label": "Instance",
         "multi": true,
         "name": "instance",
         "options": [],
         "query": "label_values(mysql_up, instance)",
-        "refresh": 1,
+        "refresh": 2,
         "regex": "",
         "skipUrlSync": false,
         "sort": 0,

hosts/ildkule/services/monitoring/dashboards/postgres.json

@@ -328,7 +328,7 @@
         "rgba(50, 172, 45, 0.97)"
       ],
       "datasource": "${DS_PROMETHEUS}",
-      "format": "decbytes",
+      "format": "short",
       "gauge": {
         "maxValue": 100,
         "minValue": 0,
@@ -411,7 +411,7 @@
         "rgba(50, 172, 45, 0.97)"
       ],
       "datasource": "${DS_PROMETHEUS}",
-      "format": "decbytes",
+      "format": "short",
       "gauge": {
         "maxValue": 100,
         "minValue": 0,
@@ -1410,7 +1410,7 @@
       "tableColumn": "",
       "targets": [
         {
-          "expr": "pg_settings_seq_page_cost",
+          "expr": "pg_settings_seq_page_cost{instance=\"$instance\"}",
           "format": "time_series",
           "intervalFactor": 1,
           "refId": "A"
@@ -1872,7 +1872,7 @@
       },
       "yaxes": [
         {
-          "format": "bytes",
+          "format": "short",
           "label": null,
           "logBase": 1,
           "max": null,
@@ -1966,7 +1966,7 @@
       },
       "yaxes": [
         {
-          "format": "bytes",
+          "format": "short",
           "label": null,
           "logBase": 1,
           "max": null,
@@ -2060,7 +2060,7 @@
       },
       "yaxes": [
         {
-          "format": "bytes",
+          "format": "short",
           "label": null,
           "logBase": 1,
           "max": null,
@@ -2251,7 +2251,7 @@
       },
       "yaxes": [
         {
-          "format": "bytes",
+          "format": "short",
           "label": null,
           "logBase": 1,
           "max": null,
@@ -2439,7 +2439,7 @@
       },
       "yaxes": [
         {
-          "format": "bytes",
+          "format": "short",
           "label": null,
           "logBase": 1,
           "max": null,
@@ -2589,35 +2589,35 @@
       "steppedLine": false,
       "targets": [
         {
-          "expr": "irate(pg_stat_bgwriter_buffers_backend{instance=\"$instance\"}[5m])",
+          "expr": "irate(pg_stat_bgwriter_buffers_backend_total{instance=\"$instance\"}[5m])",
           "format": "time_series",
           "intervalFactor": 1,
           "legendFormat": "buffers_backend",
           "refId": "A"
         },
         {
-          "expr": "irate(pg_stat_bgwriter_buffers_alloc{instance=\"$instance\"}[5m])",
+          "expr": "irate(pg_stat_bgwriter_buffers_alloc_total{instance=\"$instance\"}[5m])",
           "format": "time_series",
           "intervalFactor": 1,
           "legendFormat": "buffers_alloc",
           "refId": "B"
         },
         {
-          "expr": "irate(pg_stat_bgwriter_buffers_backend_fsync{instance=\"$instance\"}[5m])",
+          "expr": "irate(pg_stat_bgwriter_buffers_backend_fsync_total{instance=\"$instance\"}[5m])",
           "format": "time_series",
           "intervalFactor": 1,
           "legendFormat": "backend_fsync",
           "refId": "C"
         },
         {
-          "expr": "irate(pg_stat_bgwriter_buffers_checkpoint{instance=\"$instance\"}[5m])",
+          "expr": "irate(pg_stat_bgwriter_buffers_checkpoint_total{instance=\"$instance\"}[5m])",
           "format": "time_series",
           "intervalFactor": 1,
           "legendFormat": "buffers_checkpoint",
           "refId": "D"
         },
         {
-          "expr": "irate(pg_stat_bgwriter_buffers_clean{instance=\"$instance\"}[5m])",
+          "expr": "irate(pg_stat_bgwriter_buffers_clean_total{instance=\"$instance\"}[5m])",
           "format": "time_series",
           "intervalFactor": 1,
           "legendFormat": "buffers_clean",
@@ -2886,14 +2886,14 @@
       "steppedLine": false,
       "targets": [
         {
-          "expr": "irate(pg_stat_bgwriter_checkpoint_write_time{instance=\"$instance\"}[5m])",
+          "expr": "irate(pg_stat_bgwriter_checkpoint_write_time_total{instance=\"$instance\"}[5m])",
           "format": "time_series",
           "intervalFactor": 1,
           "legendFormat": "write_time - Total amount of time that has been spent in the portion of checkpoint processing where files are written to disk.",
           "refId": "B"
         },
         {
-          "expr": "irate(pg_stat_bgwriter_checkpoint_sync_time{instance=\"$instance\"}[5m])",
+          "expr": "irate(pg_stat_bgwriter_checkpoint_sync_time_total{instance=\"$instance\"}[5m])",
           "format": "time_series",
           "intervalFactor": 1,
           "legendFormat": "sync_time - Total amount of time that has been spent in the portion of checkpoint processing where files are synchronized to disk.",

hosts/ildkule/services/monitoring/grafana.nix

@@ -47,13 +47,13 @@ in {
         {
           name = "Node Exporter Full";
           type = "file";
-          url = "https://grafana.com/api/dashboards/1860/revisions/29/download";
+          url = "https://grafana.com/api/dashboards/1860/revisions/42/download";
           options.path = dashboards/node-exporter-full.json;
         }
         {
           name = "Matrix Synapse";
           type = "file";
-          url = "https://raw.githubusercontent.com/matrix-org/synapse/develop/contrib/grafana/synapse.json";
+          url = "https://github.com/element-hq/synapse/raw/refs/heads/develop/contrib/grafana/synapse.json";
           options.path = dashboards/synapse.json;
         }
         {
@@ -65,15 +65,9 @@ in {
         {
           name = "Postgresql";
           type = "file";
-          url = "https://grafana.com/api/dashboards/9628/revisions/7/download";
+          url = "https://grafana.com/api/dashboards/9628/revisions/8/download";
           options.path = dashboards/postgres.json;
         }
-        {
-          name = "Go Processes (gogs)";
-          type = "file";
-          url = "https://grafana.com/api/dashboards/240/revisions/3/download";
-          options.path = dashboards/go-processes.json;
-        }
         {
           name = "Gitea Dashboard";
           type = "file";

hosts/kommode/configuration.nix

@@ -4,6 +4,7 @@
     # Include the results of the hardware scan.
     ./hardware-configuration.nix
     (fp /base)
+    ./disks.nix
 
     ./services/gitea
     ./services/nginx.nix

hosts/kommode/disks.nix

@@ -0,0 +1,80 @@
+{ lib, ... }:
+{
+  disko.devices = {
+    disk = {
+      sda = {
+        type = "disk";
+        device = "/dev/sda";
+        content = {
+          type = "gpt";
+          partitions = {
+            root = {
+              name = "root";
+              label = "root";
+              start = "1MiB";
+              end = "-5G";
+              content = {
+                type = "btrfs";
+                extraArgs = [ "-f" ]; # Override existing partition
+                # subvolumes = let
+                #   makeSnapshottable = subvolPath: mountOptions: let
+                #     name = lib.replaceString "/" "-" subvolPath;
+                #   in {
+                #     "@${name}/active" = {
+                #       mountpoint = subvolPath;
+                #       inherit mountOptions;
+                #     };
+                #     "@${name}/snapshots" = {
+                #       mountpoint = "${subvolPath}/.snapshots";
+                #       inherit mountOptions;
+                #     };
+                #   };
+                # in {
+                #   "@" = { };
+                #   "@/swap" = {
+                #     mountpoint = "/.swapvol";
+                #     swap.swapfile.size = "4G";
+                #   };
+                #   "@/root" = {
+                #     mountpoint = "/";
+                #     mountOptions = [ "compress=zstd" "noatime" ];
+                #   };
+                # }
+                # // (makeSnapshottable "/home" [ "compress=zstd" "noatime" ])
+                # // (makeSnapshottable "/nix" [ "compress=zstd" "noatime" ])
+                # // (makeSnapshottable "/var/lib" [ "compress=zstd" "noatime" ])
+                # // (makeSnapshottable "/var/log" [ "compress=zstd" "noatime" ])
+                # // (makeSnapshottable "/var/cache" [ "compress=zstd" "noatime" ]);
+
+                # swap.swapfile.size = "4G";
+                mountpoint = "/";
+              };
+            };
+
+            swap = {
+              name = "swap";
+              label = "swap";
+              start = "-5G";
+              end = "-1G";
+              content.type = "swap";
+            };
+
+            ESP = {
+              name = "ESP";
+              label = "ESP";
+              start = "-1G";
+              end = "100%";
+              type = "EF00";
+              content = {
+                type = "filesystem";
+                format = "vfat";
+                mountpoint = "/boot";
+                mountOptions = [ "umask=0077" ];
+              };
+            };
+          };
+        };
+      };
+    };
+  };
+}

hosts/kommode/hardware-configuration.nix

@@ -13,21 +13,6 @@
   boot.kernelModules = [ ];
   boot.extraModulePackages = [ ];
 
-  fileSystems."/" =
-    { device = "/dev/disk/by-uuid/d421538f-a260-44ae-8e03-47cac369dcc1";
-      fsType = "btrfs";
-    };
-
-  fileSystems."/boot" =
-    { device = "/dev/disk/by-uuid/86CD-4C23";
-      fsType = "vfat";
-      options = [ "fmask=0077" "dmask=0077" ];
-    };
-
-  swapDevices =
-    [ { device = "/dev/disk/by-uuid/4cfbb41e-801f-40dd-8c58-0a0c1a6025f6"; }
-    ];
-
   # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
   # (the default) this is the recommended approach. When using systemd-networkd it's
   # still possible to use this option, but it's recommended to use it in conjunction

hosts/kommode/services/gitea/customization/default.nix

@@ -10,6 +10,59 @@ in
     catppuccin = pkgs.gitea-theme-catppuccin;
   };
 
+  services.gitea.settings = {
+    ui = {
+      DEFAULT_THEME = "gitea-auto";
+      REACTIONS = lib.concatStringsSep "," [
+        "+1"
+        "-1"
+        "laugh"
+        "confused"
+        "heart"
+        "hooray"
+        "rocket"
+        "eyes"
+        "100"
+        "anger"
+        "astonished"
+        "no_good"
+        "ok_hand"
+        "pensive"
+        "pizza"
+        "point_up"
+        "sob"
+        "skull"
+        "upside_down_face"
+        "shrug"
+        "huh"
+        "bruh"
+        "okiedokie"
+        "grr"
+      ];
+
+      CUSTOM_EMOJIS = lib.concatStringsSep "," [
+        "bruh"
+        "grr"
+        "huh"
+        "ohyeah"
+      ];
+    };
+    "ui.meta" = {
+      AUTHOR = "Programvareverkstedet";
+      DESCRIPTION = "Bokstavelig talt programvareverkstedet";
+      KEYWORDS = lib.concatStringsSep "," [
+        "git"
+        "hackerspace"
+        "nix"
+        "open source"
+        "foss"
+        "organization"
+        "software"
+        "student"
+      ];
+    };
+  };
+
   systemd.services.gitea-customization = lib.mkIf cfg.enable {
     description = "Install extra customization in gitea's CUSTOM_DIR";
     wantedBy = [ "gitea.service" ];
@@ -57,6 +110,11 @@ in
       install -Dm444 ${extraLinksFooter} ${cfg.customDir}/templates/custom/extra_links_footer.tmpl
       install -Dm444 ${project-labels} ${cfg.customDir}/options/label/project-labels.yaml
 
+      install -Dm644 ${./emotes/bruh.png} ${cfg.customDir}/public/assets/img/emoji/bruh.png
+      install -Dm644 ${./emotes/huh.gif} ${cfg.customDir}/public/assets/img/emoji/huh.png
+      install -Dm644 ${./emotes/grr.png} ${cfg.customDir}/public/assets/img/emoji/grr.png
+      install -Dm644 ${./emotes/okiedokie.jpg} ${cfg.customDir}/public/assets/img/emoji/okiedokie.png
+
       "${lib.getExe pkgs.rsync}" -a "${customTemplates}/" ${cfg.customDir}/templates/
     '';
   };

hosts/kommode/services/gitea/default.nix

@@ -83,11 +83,24 @@ in {
         AUTO_WATCH_NEW_REPOS = false;
       };
       admin.DEFAULT_EMAIL_NOTIFICATIONS = "onmention";
-      session.COOKIE_SECURE = true;
       security = {
         SECRET_KEY = lib.mkForce "";
         SECRET_KEY_URI = "file:${config.sops.secrets."gitea/secret-key".path}";
       };
+      cache = {
+        ADAPTER = "redis";
+        HOST = "redis+socket://${config.services.redis.servers.gitea.unixSocket}?db=0";
+        ITEM_TTL = "72h";
+      };
+      session = {
+        COOKIE_SECURE = true;
+        PROVIDER = "redis";
+        PROVIDER_CONFIG = "redis+socket://${config.services.redis.servers.gitea.unixSocket}?db=1";
+      };
+      queue = {
+        TYPE = "redis";
+        CONN_STR = "redis+socket://${config.services.redis.servers.gitea.unixSocket}?db=2";
+      };
       database.LOG_SQL = false;
       repository = {
         PREFERRED_LICENSES = lib.concatStringsSep "," [
@@ -128,31 +141,6 @@ in {
         AVATAR_MAX_ORIGIN_SIZE = 1024 * 1024 * 2;
       };
       actions.ENABLED = true;
-      ui = {
-        REACTIONS = lib.concatStringsSep "," [
-          "+1"
-          "-1"
-          "laugh"
-          "confused"
-          "heart"
-          "hooray"
-          "rocket"
-          "eyes"
-          "100"
-          "anger"
-          "astonished"
-          "no_good"
-          "ok_hand"
-          "pensive"
-          "pizza"
-          "point_up"
-          "sob"
-          "skull"
-          "upside_down_face"
-          "shrug"
-        ];
-      };
-      "ui.meta".DESCRIPTION = "Bokstavelig talt programvareverkstedet";
     };
 
     dump = {
@@ -164,12 +152,26 @@ in {
 
   environment.systemPackages = [ cfg.package ];
 
-  systemd.services.gitea.serviceConfig.CPUSchedulingPolicy = "batch";
+  systemd.services.gitea = lib.mkIf cfg.enable {
+    wants = [ "redis-gitea.service" ];
+    after = [ "redis-gitea.service" ];
 
-  systemd.services.gitea.serviceConfig.CacheDirectory = "gitea/repo-archive";
+    serviceConfig = {
-  systemd.services.gitea.serviceConfig.BindPaths = [
+      CPUSchedulingPolicy = "batch";
+      CacheDirectory = "gitea/repo-archive";
+      BindPaths = [
         "%C/gitea/repo-archive:${cfg.stateDir}/data/repo-archive"
       ];
+    };
+  };
+
+  services.redis.servers.gitea = lib.mkIf cfg.enable {
+    enable = true;
+    user = config.services.gitea.user;
+    save = [ ];
+    openFirewall = false;
+    port = 5698;
+  };
 
   services.nginx.virtualHosts."${domain}" = {
     forceSSL = true;
@@ -195,6 +197,23 @@ in {
 
   networking.firewall.allowedTCPPorts = [ sshPort ];
 
+  services.rsync-pull-targets = {
+    enable = true;
+    locations.${cfg.dump.backupDir} = {
+      user = "root";
+      rrsyncArgs.ro = true;
+      authorizedKeysAttrs = [
+        "restrict"
+        "from=\"principal.pvv.ntnu.no,${values.hosts.principal.ipv6},${values.hosts.principal.ipv4}\""
+        "no-agent-forwarding"
+        "no-port-forwarding"
+        "no-pty"
+        "no-X11-forwarding"
+      ];
+      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGpMVrOppyqYaDiAhqmAuOaRsubFvcQGBGyz+NHB6+0o gitea rsync backup";
+    };
+  };
+
   systemd.services.gitea-dump = {
     serviceConfig.ExecStart = let
       args = lib.cli.toGNUCommandLineShell { } {

hosts/kommode/services/gitea/web-secret-provider/default.nix

@@ -28,7 +28,7 @@ in
   users.users."gitea-web" = {
     group = "gitea-web";
     isSystemUser = true;
-    shell = pkgs.bash;
+    useDefaultShell = true;
   };
 
   sops.secrets."gitea/web-secret-provider/token" = {

hosts/shark/configuration.nix

@@ -15,5 +15,5 @@
 
   # Don't change (even during upgrades) unless you know what you are doing.
   # See https://search.nixos.org/options?show=system.stateVersion
-  system.stateVersion = "23.05";
+  system.stateVersion = "25.11";
 }

hosts/skrot/configuration.nix

@@ -0,0 +1,63 @@
+{
+  fp,
+  lib,
+  config,
+  values,
+  ...
+}:
+
+{
+  imports = [
+    # Include the results of the hardware scan.
+    ./hardware-configuration.nix
+    ./disk-config.nix
+    (fp /base)
+  ];
+
+  boot.consoleLogLevel = 0;
+
+  sops.defaultSopsFile = fp /secrets/skrot/skrot.yaml;
+
+  systemd.network.networks."enp2s0" = values.defaultNetworkConfig // {
+    matchConfig.Name = "enp2s0";
+    address = with values.hosts.skrot; [
+      (ipv4 + "/25")
+      (ipv6 + "/64")
+    ];
+  };
+
+  sops.secrets = {
+    "dibbler/postgresql/password" = {
+      owner = "dibbler";
+      group = "dibbler";
+    };
+  };
+
+  services.dibbler = {
+    enable = true;
+    kioskMode = true;
+    limitScreenWidth = 80;
+    limitScreenHeight = 42;
+
+    settings = {
+      general.quit_allowed = false;
+      database = {
+        type = "postgresql";
+        postgresql = {
+          username = "pvv_vv";
+          dbname = "pvv_vv";
+          host = "postgres.pvv.ntnu.no";
+          password_file = config.sops.secrets."dibbler/postgresql/password".path;
+        };
+      };
+    };
+  };
+
+  systemd.services."serial-getty@ttyUSB0" = lib.mkIf (!config.virtualisation.isVmVariant) {
+    enable = true;
+    wantedBy = [ "getty.target" ]; # to start at boot
+    serviceConfig.Restart = "always"; # restart when session is closed
+  };
+
+  system.stateVersion = "25.11"; # Did you read the comment? Nah bro
+}

hosts/skrot/disk-config.nix

@@ -0,0 +1,41 @@
+{
+  disko.devices = {
+    disk = {
+      main = {
+        device = "/dev/sda";
+        type = "disk";
+        content = {
+          type = "gpt";
+          partitions = {
+            ESP = {
+              type = "EF00";
+              size = "1G";
+              content = {
+                type = "filesystem";
+                format = "vfat";
+                mountpoint = "/boot";
+                mountOptions = [ "umask=0077" ];
+              };
+            };
+            plainSwap = {
+              size = "8G";
+              content = {
+                type = "swap";
+                discardPolicy = "both";
+                resumeDevice = false;
+              };
+            };
+            root = {
+              size = "100%";
+              content = {
+                type = "filesystem";
+                format = "ext4";
+                mountpoint = "/";
+              };
+            };
+          };
+        };
+      };
+    };
+  };
+}

hosts/skrot/hardware-configuration.nix

@@ -0,0 +1,15 @@
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "sd_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-amd" ];
+  boot.extraModulePackages = [ ];
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}

hosts/skrott/configuration.nix

@@ -59,7 +59,7 @@
   # zramSwap.enable = true;
 
   networking = {
-    hostName = "skrot";
+    hostName = "skrott";
     defaultGateway = values.hosts.gateway;
     defaultGateway6 = values.hosts.gateway6;
     interfaces.eth0 = {
@@ -96,11 +96,11 @@
   };
 
   # https://github.com/NixOS/nixpkgs/issues/84105
-  boot.kernelParams = [
+  boot.kernelParams = lib.mkIf (!config.virtualisation.isVmVariant) [
     "console=ttyUSB0,9600"
     # "console=tty1" # Already part of the module
   ];
-  systemd.services."serial-getty@ttyUSB0" = {
+  systemd.services."serial-getty@ttyUSB0" = lib.mkIf (!config.virtualisation.isVmVariant) {
     enable = true;
     wantedBy = [ "getty.target" ]; # to start at boot
     serviceConfig.Restart = "always"; # restart when session is closed

hosts/temmie/services/nfs-mounts.nix

@@ -52,9 +52,6 @@ in
       # TODO: are there cgi scripts that modify stuff in peoples homedirs?
       # "ro"
       "rw"
-
-      # TODO: can we enable this and still run cgi stuff?
-      # "noexec"
     ];
   }) letters;
 }

hosts/temmie/services/userweb.nix

@@ -1,27 +1,342 @@
-{ ... }:
+{ config, lib, pkgs, ... }:
+let
+  cfg = config.services.httpd;
+
+  homeLetters = [ "a" "b" "c" "d" "h" "i" "j" "k" "l" "m" "z" ];
+
+  # https://nixos.org/manual/nixpkgs/stable/#ssec-php-user-guide-installing-with-extensions
+  phpEnv = pkgs.php.buildEnv {
+    extensions = { all, ... }: with all; [
+      imagick
+      opcache
+      protobuf
+    ];
+
+    extraConfig = ''
+      display_errors=0
+      post_max_size = 40M
+      upload_max_filesize = 40M
+    '';
+  };
+
+  perlEnv = pkgs.perl.withPackages (ps: with ps; [
+    pkgs.exiftool
+    pkgs.ikiwiki
+    pkgs.irssi
+    pkgs.nix.libs.nix-perl-bindings
+
+    AlgorithmDiff
+    AnyEvent
+    AnyEventI3
+    ArchiveZip
+    CGI
+    CPAN
+    CPANPLUS
+    DBDPg
+    DBDSQLite
+    DBI
+    EmailAddress
+    EmailSimple
+    Env
+    Git
+    HTMLMason
+    HTMLParser
+    HTMLTagset
+    HTTPDAV
+    HTTPDaemon
+    ImageMagick
+    JSON
+    LWP
+    MozillaCA
+    PathTiny
+    Switch
+    SysSyslog
+    TestPostgreSQL
+    TextPDF
+    TieFile
+    Tk
+    URI
+    XMLLibXML
+  ]);
+
+  # https://nixos.org/manual/nixpkgs/stable/#python.buildenv-function
+  pythonEnv = pkgs.python3.buildEnv.override {
+    extraLibs = with pkgs.python3Packages; [
+      legacy-cgi
+
+      matplotlib
+      requests
+    ];
+    ignoreCollisions = true;
+  };
+
+  # https://nixos.org/manual/nixpkgs/stable/#sec-building-environment
+  fhsEnv = pkgs.buildEnv {
+    name = "userweb-env";
+    paths = with pkgs; [
+      bash
+
+      perlEnv
+      pythonEnv
+
+      phpEnv
+    ]
+    ++ (with phpEnv.packages; [
+      # composer
+    ])
+    ++ [
+      acl
+      aspell
+      autoconf
+      autotrash
+      bazel
+      bintools
+      bison
+      bsd-finger
+      catdoc
+      ccache
+      clang
+      cmake
+      coreutils-full
+      curl
+      devcontainer
+      diffutils
+      emacs
+      # exiftags
+      exiftool
+      ffmpeg
+      file
+      findutils
+      gawk
+      gcc
+      glibc
+      gnugrep
+      gnumake
+      gnupg
+      gnuplot
+      gnused
+      gnutar
+      gzip
+      html-tidy
+      imagemagick
+      inetutils
+      iproute2
+      jhead
+      less
+      libgcc
+      lndir
+      mailutils
+      man # TODO: does this one want a mandb instance?
+      meson
+      more
+      mpc
+      mpi
+      mplayer
+      ninja
+      nix
+      openssh
+      openssl
+      patchelf
+      pkg-config
+      ppp
+      procmail
+      procps
+      qemu
+      rc
+      rhash
+      rsync
+      ruby # TODO: does this one want systemwide packages?
+      salt
+      sccache
+      sourceHighlight
+      spamassassin
+      strace
+      subversion
+      system-sendmail
+      systemdMinimal
+      texliveMedium
+      tmux
+      unzip
+      util-linux
+      valgrind
+      vim
+      wget
+      which
+      wine
+      xdg-utils
+      zip
+      zstd
+    ];
+
+    extraOutputsToInstall = [
+      "man"
+      "doc"
+    ];
+  };
+in
 {
   services.httpd = {
     enable = true;
+    adminAddr = "drift@pvv.ntnu.no";
 
-    # extraModules = [];
+    # TODO: consider upstreaming systemd support
+    # TODO: mod_log_journald in v2.5
+    package = pkgs.apacheHttpd.overrideAttrs (prev: {
+      nativeBuildInputs = prev.nativeBuildInputs ++ [ pkgs.pkg-config ];
+      buildInputs = prev.buildInputs ++ [ pkgs.systemdLibs ];
+      configureFlags = prev.configureFlags ++ [ "--enable-systemd" ];
+    });
+
+    enablePHP = true;
+    phpPackage = phpEnv;
+
+    enablePerl = true;
+
+    # TODO: mod_log_journald in v2.5
+    extraModules = [
+      "systemd"
+      "userdir"
+      # TODO: I think the compilation steps of pkgs.apacheHttpdPackages.mod_perl might have some
+      #       incorrect or restrictive assumptions upstream, either nixpkgs or source
+      # {
+      #   name = "perl";
+      #   path = let
+      #     mod_perl = pkgs.apacheHttpdPackages.mod_perl.override {
+      #       apacheHttpd = cfg.package.out;
+      #       perl = perlEnv;
+      #     };
+      #   in "${mod_perl}/modules/mod_perl.so";
+      # }
+    ];
+
+    extraConfig = ''
+      TraceEnable on
+      LogLevel warn rewrite:trace3
+      ScriptLog ${cfg.logDir}/cgi.log
+    '';
 
     # virtualHosts."userweb.pvv.ntnu.no" = {
     virtualHosts."temmie.pvv.ntnu.no" = {
-
       forceSSL = true;
       enableACME = true;
+
+      extraConfig = ''
+        UserDir ${lib.concatMapStringsSep " " (l: "/home/pvv/${l}/*/web-docs") homeLetters}
+        UserDir disabled root
+        AddHandler cgi-script .cgi
+        DirectoryIndex index.html index.html.var index.php index.php3 index.cgi index.phtml index.shtml meg.html
+
+        <Directory "/home/pvv/?/*/web-docs">
+          Options MultiViews Indexes SymLinksIfOwnerMatch ExecCGI IncludesNoExec
+          AllowOverride All
+          Require all granted
+        </Directory>
+      '';
     };
   };
 
+  networking.firewall.allowedTCPPorts = [
+    80
+    443
+  ];
+
+  # socket activation comes in v2.5
+  # systemd.sockets.httpd = {
+  #   wantedBy = [ "sockets.target" ];
+  #   description = "HTTPD socket";
+  #   listenStreams = [
+  #     "0.0.0.0:80"
+  #     "0.0.0.0:443"
+  #   ];
+  # };
+
   systemd.services.httpd = {
     after = [ "pvv-homedirs.target" ];
     requires = [ "pvv-homedirs.target" ];
 
+    environment = {
+      PATH = lib.mkForce "/usr/bin";
+    };
+
     serviceConfig = {
+      Type = lib.mkForce "notify";
+
+      ExecStart = lib.mkForce "${cfg.package}/bin/httpd -D FOREGROUND -f /etc/httpd/httpd.conf -k start";
+      ExecReload = lib.mkForce "${cfg.package}/bin/httpd -f /etc/httpd/httpd.conf -k graceful";
+      ExecStop = lib.mkForce "";
+      KillMode = "mixed";
+
+      ConfigurationDirectory = [ "httpd" ];
+      LogsDirectory = [ "httpd" ];
+      LogsDirectoryMode = "0700";
+
+      CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
+      LockPersonality = true;
+      PrivateDevices = true;
+      PrivateTmp = true;
+      # NOTE: this removes CAP_NET_BIND_SERVICE...
+      # PrivateUsers = true;
+      ProtectClock = true;
+      ProtectControlGroups = true;
       ProtectHome = "tmpfs";
-      BindPaths = let
+      ProtectKernelLogs = true;
-        letters = [ "a" "b" "c" "d"  "h" "i" "j" "k" "l" "m" "z" ];
+      ProtectKernelModules = true;
-      in map (l: "/run/pvv-home-mounts/${l}:/home/pvv/${l}") letters;
+      ProtectSystem = true;
+      RemoveIPC = true;
+      RestrictAddressFamilies = [
+        "AF_INET"
+        "AF_INET6"
+        "AF_UNIX"
+        "AF_NETLINK"
+      ];
+      RestrictNamespaces = true;
+      RestrictRealtime = true;
+      RestrictSUIDSGID = true;
+      SocketBindDeny = "any";
+      SocketBindAllow = [
+        "tcp:80"
+        "tcp:443"
+      ];
+      SystemCallArchitectures = "native";
+      SystemCallFilter = [
+         "@system-service"
+      ];
+      UMask = "0077";
+
+      RuntimeDirectory = [ "httpd/root-mnt" ];
+      RootDirectory = "/run/httpd/root-mnt";
+      MountAPIVFS = true;
+      BindReadOnlyPaths = [
+        builtins.storeDir
+        "/etc"
+        # NCSD socket
+        "/var/run"
+        "/var/lib/acme"
+
+        "${fhsEnv}/bin:/bin"
+        "${fhsEnv}/sbin:/sbin"
+        "${fhsEnv}/lib:/lib"
+        "${fhsEnv}/share:/share"
+      ] ++ (lib.mapCartesianProduct ({ parent, child }: "${fhsEnv}${child}:${parent}${child}") {
+        parent = [
+          "/local"
+          "/opt"
+          "/opt/local"
+          "/store"
+          "/store/gnu"
+          "/usr"
+          "/usr/local"
+        ];
+        child = [
+          "/bin"
+          "/sbin"
+          "/lib"
+          "/libexec"
+          "/include"
+          "/share"
+        ];
+      });
+      BindPaths = map (l: "/run/pvv-home-mounts/${l}:/home/pvv/${l}") homeLetters;
     };
   };
 

modules/rsync-pull-targets.nix

@@ -0,0 +1,146 @@
+{ config, lib, pkgs, ... }:
+let
+  cfg = config.services.rsync-pull-targets;
+in
+{
+  options.services.rsync-pull-targets = {
+    enable = lib.mkEnableOption "";
+
+    rrsyncPackage = lib.mkPackageOption pkgs "rrsync" { };
+
+    locations = lib.mkOption {
+      type = lib.types.attrsOf (lib.types.submodule ({ name, ... }@submoduleArgs: {
+        options = {
+          enable = lib.mkEnableOption "" // {
+            default = true;
+            example = false;
+          };
+
+          user = lib.mkOption {
+            type = lib.types.str;
+            description = "Which user to use as SSH login";
+            example = "root";
+          };
+
+          location = lib.mkOption {
+            type = lib.types.path;
+            default = name;
+            defaultText = lib.literalExpression "<name>";
+            example = "/path/to/rsyncable/item";
+          };
+
+          # TODO: handle autogeneration of keys
+          # autoGenerateSSHKeypair = lib.mkOption {
+          #   type = lib.types.bool;
+          #   default = config.publicKey == null;
+          #   defaultText = lib.literalExpression "config.services.rsync-pull-targets.<name>.publicKey != null";
+          #   example = true;
+          # };
+
+          publicKey = lib.mkOption {
+            type = lib.types.str;
+            # type = lib.types.nullOr lib.types.str;
+            # default = null;
+            example = "ssh-ed25519 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA comment";
+          };
+
+          rrsyncPackage = lib.mkPackageOption pkgs "rrsync" { } // {
+            default = cfg.rrsyncPackage;
+            defaultText = lib.literalExpression "config.services.rsync-pull-targets.rrsyncPackage";
+          };
+
+          enableRecommendedHardening = lib.mkEnableOption "a commonly used security profile for authorizedKeys attributes and rrsync args";
+
+          rrsyncArgs = {
+            ro = lib.mkEnableOption "" // {
+              description = "Allow only reading from the DIR. Implies -no-del and -no-lock.";
+            };
+            wo = lib.mkEnableOption "" // {
+              description = "Allow only writing to the DIR.";
+            };
+            munge = lib.mkEnableOption "" // {
+              description = "Enable rsync's --munge-links on the server side.";
+              # TODO: set a default?
+            };
+            no-del = lib.mkEnableOption "" // {
+              description = "Disable rsync's --delete* and --remove* options.";
+              default = submoduleArgs.config.enableRecommendedHardening;
+              defaultText = lib.literalExpression "config.services.rsync-pull-targets.<name>.enableRecommendedHardening";
+            };
+            no-lock = lib.mkEnableOption "" // {
+              description = "Avoid the single-run (per-user) lock check.";
+              default = submoduleArgs.config.enableRecommendedHardening;
+              defaultText = lib.literalExpression "config.services.rsync-pull-targets.<name>.enableRecommendedHardening";
+            };
+            no-overwrite = lib.mkEnableOption "" // {
+              description = "Prevent overwriting existing files by enforcing --ignore-existing";
+              default = submoduleArgs.config.enableRecommendedHardening;
+              defaultText = lib.literalExpression "config.services.rsync-pull-targets.<name>.enableRecommendedHardening";
+            };
+          };
+
+          authorizedKeysAttrs = lib.mkOption {
+            type = lib.types.listOf lib.types.str;
+            default = lib.optionals submoduleArgs.config.enableRecommendedHardening [
+              "restrict"
+              "no-agent-forwarding"
+              "no-port-forwarding"
+              "no-pty"
+              "no-X11-forwarding"
+            ];
+            defaultText = lib.literalExpression ''
+              lib.optionals config.services.rsync-pull-targets.<name>.enableRecommendedHardening [
+                "restrict"
+                "no-agent-forwarding"
+                "no-port-forwarding"
+                "no-pty"
+                "no-X11-forwarding"
+              ]
+            '';
+            example = [
+              "restrict"
+              "no-agent-forwarding"
+              "no-port-forwarding"
+              "no-pty"
+              "no-X11-forwarding"
+            ];
+          };
+        };
+      }));
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    # assertions = lib.pipe cfg.locations [
+    #   (lib.filterAttrs (_: value: value.enable))
+      # TODO: assert that there are no duplicate (user, publicKey) pairs.
+      #       if there are then ssh won't know which command to provide and might provide a random one, not sure.
+      # (lib.mapAttrsToList (_: { user, location, publicKey, ... }: {
+      #   assertion =
+      #   message = "";
+      # })
+    # ];
+
+    services.openssh.enable = true;
+    users.users = lib.pipe cfg.locations [
+      (lib.filterAttrs (_: value: value.enable))
+
+      lib.attrValues
+
+      # Index locations by SSH user
+      (lib.foldl (acc: location: acc // {
+        ${location.user} = (acc.${location.user} or [ ]) ++ [ location ];
+      }) { })
+
+      (lib.mapAttrs (_name: locations: {
+        openssh.authorizedKeys.keys = map ({ user, location, rrsyncPackage, rrsyncArgs, authorizedKeysAttrs, publicKey, ... }: let
+          rrsyncArgString = lib.cli.toCommandLineShellGNU {
+            isLong = _: false;
+          } rrsyncArgs;
+          # TODO: handle " in location
+        in "command=\"${lib.getExe rrsyncPackage} ${rrsyncArgString} ${location}\",${lib.concatStringsSep "," authorizedKeysAttrs} ${publicKey}"
+        ) locations;
+      }))
+    ];
+  };
+}

packages/mediawiki-extensions/default.nix

@@ -33,63 +33,63 @@ in
 lib.mergeAttrsList [
   (mw-ext {
     name = "CodeEditor";
-    commit = "6e5b06e8cf2d040c0abb53ac3735f9f3c96a7a4f";
+    commit = "83e1d0c13f34746f0d7049e38b00e9ab0a47c23f";
-    hash = "sha256-Jee+Ws9REUohywhbuemixXKaTRc54+cIlyUNDCyYcEM=";
+    hash = "sha256-qH9fSQZGA+z6tBSh1DaTKLcujqA6K/vQmZML9w5X8mU=";
   })
   (mw-ext {
     name = "CodeMirror";
-    commit = "da9c5d4f03e6425f6f2cf68b75d21311e0f7e77e";
+    commit = "af2b08b9ad2b89a64b2626cf80b026c5b45e9922";
-    hash = "sha256-aL+v9xeqKHGmQVUWVczh54BkReu+fP49PT1NP7eTC6k=";
+    hash = "sha256-CxXPwCKUlF9Tg4JhwLaKQyvt43owq75jCugVtb3VX+I=";
   })
   (mw-ext {
     name = "DeleteBatch";
-    commit = "122072bbfb4eab96ed8c1451a3e74b5557054c58";
+    commit = "3d6f2fd0e3efdae1087dd0cc8b1f96fe0edf734f";
-    hash = "sha256-L6AXoyFJEZoAQpLO6knJvYtQ6JJPMtaa+WhpnwbJeNU=";
+    hash = "sha256-iD9EjDIW7AGpZan74SIRcr54dV8W7xMKIDjatjdVkKs=";
   })
   (mw-ext {
     name = "PluggableAuth";
-    commit = "5caf605b9dfdd482cb439d1ba2000cba37f8b018";
+    commit = "85e96acd1ac0ebcdaa29c20eae721767a938f426";
-    hash = "sha256-TYJqR9ZvaWJ7i1t0XfgUS05qqqCgxAH8tRTklz/Bmlg=";
+    hash = "sha256-bMVhrg8FsfWhXF605Cj5TgI0A6Jy/MIQ5aaUcLQQ0Ss=";
   })
   (mw-ext {
     name = "Popups";
-    commit = "7ed940a09f83f869cbc0bc20f3ca92f85b534951";
+    commit = "410e2343c32a7b18dcdc2bbd995b0bfdf3bf5f37";
-    hash = "sha256-pcDPcu4kSvMHfSOuShrod694TKI9Oo3AEpMP9DXp9oY=";
+    hash = "sha256-u2AlR75x54rCpiK9Mz00D9odJCn8fmi6DRU4QKmKqSc=";
   })
   (mw-ext {
     name = "Scribunto";
-    commit = "e755852a8e28a030a21ded2d5dd7270eb933b683";
+    commit = "904f323f343dba5ff6a6cdd143c4a8ef5b7d2c55";
-    hash = "sha256-zyI5nSE+KuodJOWyV0CQM7G0GfkKEgfoF/czi2/qk98=";
+    hash = "sha256-ZOVYhjMMyWbqwZOBb39hMIRmzzCPEnz2y8Q2jgyeERw=";
   })
   (mw-ext {
     name = "SimpleSAMLphp";
     kebab-name = "simple-saml-php";
-    commit = "d41b4efd3cc44ca3f9f12e35385fc64337873c2a";
+    commit = "a2f77374713473d594e368de24539aebcc1a800a";
-    hash = "sha256-wfzXtsEEEjQlW5QE4Rf8pasAW/KSJsLkrez13baxeqA=";
+    hash = "sha256-5+t3VQFKcrIffDNPJ4RWBIWS6K1gTOcEleYWmM6xWms=";
   })
   (mw-ext {
     name = "TemplateData";
-    commit = "fd7cf4d95a70ef564130266f2a6b18f33a2a2ff9";
+    commit = "76a6a04bd13a606923847ba68750b5d98372cacd";
-    hash = "sha256-5OhDPFhIi55Eh5+ovMP1QTjNBb9Sm/3vyArNCApAgSw=";
+    hash = "sha256-X2+U5PMqzkSljw2ypIvJUSaPDaonTkQx89OgKzf5scw=";
   })
   (mw-ext {
     name = "TemplateStyles";
-    commit = "0f7b94a0b094edee1c2a9063a3c42a1bdc0282d9";
+    commit = "7de60a8da6576d7930f293d19ef83529abf52704";
-    hash = "sha256-R406FgNcIip9St1hurtZoPPykRQXBrkJRKA9hapG81I=";
+    hash = "sha256-iPmFDoO5V4964CVyd1mBSQcNlW34odbvpm2CfDBlPBU=";
   })
   (mw-ext {
     name = "UserMerge";
-    commit = "d1917817dd287e7d883e879459d2d2d7bc6966f2";
+    commit = "71eb53ff4289ac4efaa31685ab8b6483c165a584";
-    hash = "sha256-la3/AQ38DMsrZ2f24T/z3yKzIrbyi3w6FIB5YfxGK9U=";
+    hash = "sha256-OfKSEPgctfr659oh5jf99T0Rzqn+60JhNaZq+2gfubk=";
   })
   (mw-ext {
     name = "VisualEditor";
-    commit = "032364cfdff33818e6ae0dfa251fe3973b0ae4f3";
+    commit = "a6a63f53605c4d596c3df1dcc2583ffd3eb8d929";
-    hash = "sha256-AQDdq9r6rSo8h4u1ERonH14/1i1BgLGdzANEiQ065PU=";
+    hash = "sha256-4d8picO66uzKoxh1TdyvKLHebc6ZL7N2DdXLV2vgBL4=";
   })
   (mw-ext {
     name = "WikiEditor";
-    commit = "cb9f7e06a9c59b6d3b31c653e5886b7f53583d01";
+    commit = "0a5719bb95326123dd0fee1f88658358321ed7be";
-    hash = "sha256-UWi3Ac+LCOLliLkXnS8YL0rD/HguuPH5MseqOm0z7s4=";
+    hash = "sha256-eQMyjhdm1E6TkktIHad1NMeMo8QNoO8z4A05FYOMCwQ=";
   })
 ]

secrets/bicep/matrix.yaml

@@ -17,6 +17,7 @@ ooye:
 hookshot:
     as_token: ENC[AES256_GCM,data:L4vEw5r4RhcgritOeDTLHN5E/dM=,iv:pC8BLzxf6NaVAGsotoq6chOceBVdMLvrsQn1LGw9H9w=,tag:SI3CDFHAvgQZEvf/oms3EA==,type:str]
     hs_token: ENC[AES256_GCM,data:2ufSJfYzzAB5IO+edwKSra5d/+M=,iv:cmTycGzNL+IeRRKZGbkhTtiksYTtbxED0k0B5haFw7k=,tag:FmWe5sGi9rlapUeAE6lKvg==,type:str]
+    passkey: ENC[AES256_GCM,data:sR3ZdvNe+321WalGA57Nsb7eIRnOgAWX4P4aahynS5kD8nZ40axO3H29pciTn3rgBLsKPYAbJ24Ch40SL5emlz9UL1nH//khCEAXUXR5+RA83TvRrog1BdiCTX3wYY6SvM8BRwAEcWbAavfRHyNM0stSRjamdam70OvEEHlOUafs4lfQghYXVN+YV6bT+gan9eMRwhTsuWB/V01SAUot5pgFtprpvFs/l90E9sZFxxejlLniy/4nHjO9rcXAeCz/8cw5P56AqCzqyliYxKM3qbhwp+Pz/RVH+7PKQwABP80tw4HLvBz2nwYzPHJrSejIH/lxE1sJH8ttUQ8mHIFpv0GGB0oENyfYCekoSXWL+wuFEE+xjyak1KUDfohaJ9QMZa+A4jHiGoWHAwfU083uNFNdE1NxPpa55xQ/Q5fGE58qmZVbHUoL1EFOi0Nc15vp9kRojjQoEENvEQKwZHlauhm+940s6IwBE/bHk5WBjWM6BM/7Y8dj23uo1Vj0gy5IK0xYk62+IXNINPeDnS5sZJJweOKvS9JDYNw/9oC5ptmsqkGWryWm22Mwq9AIWm1Zt+0nIZRrOM+JHWJCtCqXhD5+UL1fl6wt7IgvOqgOtsFUM39n2hS4UWyVohToLy2u8VFKDIx1yb530y+Q2HfT6oKPYtcm5+b/dgDaqph1JSuqxWoiXMdx/DvGLhM6nIfPnAi5EImXDQIxkh4tJ6P+z+4vOPiX5fKflXk2eioVL77BQ4jXLunu4zBu/bOCePHigAD/+E9IgHnVSMxpTgDQ3w7WI7FCY9wjbXqbsL3QB1BOizIFNqHDcX2COeJV7X8Aia0HBpZgQpFX5XtMJAKnO2BR2EA94xSk9/rAPgZpJkZXTHl5MpPz9+WLv4uFy0daIJ/y7jkxLXK2UNw9VVfkq/I6cteQMwHPe0V9XZc1DIXOjJ23r9qNtx11Dx7Zumh3EQvp/8D/i0G6lhW1y3xP0Uu1iuxfnvhacBTwiRTSrKhT0HKlFG9cG2SaZH5D8zLyhrQhp8V5AdAdikmQUfDigDTzd45YpWRaNEGM1wcAI5cWBdPHY6Hv3NHQoX3yx6jm3Qo1QqIVlhqHqEeM6++H1Sfd3xg8zMSSGXlQT6EYE0+raOvKrmbnGCW3GnguHEjU1vCE/w7u8LCct7IBCSL7XQpLg39SmSx/MdL5OWXaUCxbVMM38q/4PXNzRVNaHRZFXm35+q1gZ/fx9a3vY/YS9+qEhcsvNQaNyuVcbigz9fqEWoAnFh2rCIMT3XMc+N0V0+TSIF4nU/Im82wu1+ujcrJ6OpGubcf208y8giwOgdKAARTKtybInUx31+JkzMw9A4q+CxRLHcrYYhIHz0MyhAVY3JKQp6DvoRwT58/MEENv6hSvsf0PhrgIkPTYeNeasJwFt8tKPmEkFYINhigC3XPmid+hMJfp/w8MnFLAIX9Cp+7adQPPW5RZqHuuf0rV+vdVqU3nFmnet8KZd3SrZiWAXcKViyHYAWb3c60TMO2C37goHkTMd6olZ09ZEfrTpdX+MEHswW65p4rJgNZIbVquD73DpZuE30HsrUBsPeWpQy2JGNUPq8tCvcREVgmnIt7yJn8sC8D+RwgXCXHf6qDMjANi7nvD6uWTik4P68e9lVztO4QudwdZdPieflfFADH4sFPhXwCpGOkR37RSrqe6t3CR3ZI0aXqHdZ1l1JcJv+5WEXmJZfNUOPBGpvatmc7ygJYDxuQoJ5FDFsyZffrAYOcEXC6gDaq6NTGgo4JZAYQsHg8JaFWQPEToagiSQhhErMeA5nTUvNjJ4/0HHIvsjsGabAv3GiT2lcVnowt8qwEyLnQStNiAxv0bURhW82BLCHq5cHx7mtUNqDQjrc48iQZiZd20orTq7PmxwWBa6T9EwuEOQiX69inIbSU7kGbRmVUS+RPKfFoCXXOSlBjzoLM448Ymbf0FsEgATb0I5sJ6R2k9mlh3WgRur/u8ODtXJO9TLjVvAm1WmHWXn8ZSvKRS+/VSGg3RzKGyVqh2gJmpDJmF4BwzqslhaCdvdkwBW+7oZN///1h41NX6Fo68l+P/Rl/ZFvCF2VD18E1EjmnOs8sxmMjsDct3HNd7xB1PJLKtNTCLEF0vLDOM5qGaWfBVZtwHiz7fhbPxeE4ND8ygHhUUVzDsC3uHeVHwBMghSY92wnNq6SJP5HMC5knoEFxGnr5te8GcMT6iD6KMKjzqPnp7raGSFo96d5qDiug8krD3vEpbE+3L0XRye5m+2N/wVL7u888JZ0Yj9uWZoAmg41G9y5NU1g8Sns9gY1jalZFaY1+S2nCAfgZRNzx0gLa4CY7SClib1+qDCKIVLJyCqlbKRkIbNXV/B+/L6MAUwTRn8NLhm1+U1QgqD3X+cTJoys/1laSEBXcupT0CrCkR2wguGh1tfkyZ0yLJcbyIfRHzmEooMHWgL5N+mNYCwxLyIfDmBSacZI7AUBfGD+RT24W0vl976zd/sBzIZtQGFPKDtb5bzNE5FNfSfser+afqBG+S+gr1GUn2ZQMGN2095uqnYiwCUtxmczGlOLixbQMnYPbxClB7i4NFvZj2GbnX+yRgv8OFWTnp0C1aPsQHgZzWKAe0cDaRJpAOTTbaGaSJiwIIu689xqYGKej3oQLaAHqlRyRhJngUOj4panxNb/ZFbP6lfUF0fehNJFJaR3WKSiRAjv6ommtSFDQ26TrhYE9d+yG1KApzkhlPTLNA4fVRQxfZi41hbfHDg4kwZMpc86BSCq85qnzW+nMJiWTLxTKYSzjpiWSnMzBvBYf0vntz5+ltwJwyVMX/TdAoYGyHOCINLSxhKoajORJ0g6zEyBRdG+kg0qZCFi894fR4eAz5/fvbrhOhhnCOaVCJlvLo2jXiizQlsqbvLr8bTbyMF5yJPEPV8H/B8uhzzjCIxvbbc3Ac3rPX47FBdEc5869c7JgL/2HD9GZzJXfRBzyhSTFMMh7J+K7LgEIGsItTsJM9wa4BC9ZicZRifuGxBKATOIVeTpJJHA80yhmL6lsazUrrAlyA93mR4CsuInmum6QMyjkmcXBnEtybSeuUjX7aFmzSz9Il7C9iR/4QRWyzgSIh7sbqEl/v4mQtJMlydbZdd0aT65AShTHUIkNZxOg/IuEW26v8pyZi5msfPBjwmknQkXPTf1fCcgVuY6OoQBPzYR1BFTjpY5lTfAMYH9sDW+xxRTFftsNNRzIctX0IEv5haWxLDhuN7eagltf2v3GubrbsYTeVwuCFJnabgzXan4vvpPVIPhrhE2k6G0FfDhIpQL9oweNBG2hefoXoOr+piHYcc1hJSHnSUp9qRxQxXzjvaFulfRO+2GoMAg6E6pz1Fz8e8mHRubREH6NOLvz070D0u1o7Tb6LE2cmw2XdRaVqO+Jo3u7pZUUVYllF31Uxb8ngHarWQ3dOBneZQHsW3AFpRofz9BcHII6dd4BhAM+sl7+cBEFuNn9nkDBR8PLx7O0G+b99qSAnOdvY6wWTwMbWC2JLcv6QTwqe/bAdEg3hNi2GOoqwvs0e6BO/7GS88egcwqZEe2Tpvtzb+NCia/A3oc/VNWTucmQcv9K10QaloZjHMXAMsDESr3LJ0enaoqc90bbHWEuoyRJoDDuW2NXHpCILLAxCUDZnArlE78J2B15Yc2sBkgHyYrILaZo1dBVR23R+QX4bZXt69EZC74IdcELt4qw4ANK+xKtSRJ5vnVml58/71IukUp5GOwEzImEC4YG5G7O7hpMWZmM48RvOuhmqk3LvCggjHPploLqw3PY46twgbKTBai4PbYZ2NaFAHkgc4jqoKSgzQD0jqUkNxFZNSXmvC6QGksns/GaI/qZJVSWAxr95P3oEyZrsfY+KFvhpGJWAa/TIyJslTsKjSv+VFg9jm93yT6P+Jfp1sR+tnyTgrDUF3SIi1/HbM4DlgbyHon25B+4fabgbGajl0Ua/zNyFmWcGN4yRQfXgK47vhQFyfAaOliIKbvsCEnfLniDhPg9FlnxBHSVPHNxeEufocboCUJzm0pU2r2iRRN6fKiiIZubjxeXDjRHTsJAffstPp6pSDxgtZzivquUkj1669QmZaHhV6VyAhGOz/A3VWWB0FGdToeuS5FciNyYVmfJ8moHP1skV/jR4Ke3R/gHato0Un0nUr39ftB81uVomTYlVYuXAUUfJnAU/i8PbdjWCXSlAIeqCUeEf9oLq4n/xtUvJGBzxPgRJPaWxnckS2umi+6CRCs9f1EzwORgOosnQDJxALsGV3Nl4dR1o8ygAHkiBiqKyaEk0ulVM6XrfGFcQMkRgK2PVIZHNCEY72jU42/LlzWumXH2uoivR0toT7kk919VJYa5+2ac=,iv:BqwTfYEtqtFazQGfhL6rxfIUrZ2cin+jy070FDaGIuc=,tag:MMUGNmH6m4aNR4U8KAac6w==,type:str]
 livekit:
     keyfile:
         #ENC[AES256_GCM,data:M+SfmEuhPL8sqxOl3uL8mE6Z6pC6naQNxFRskMPbVpLVWYM1Be+QOoLEiTMtWqH2PAf2NZXLcNY63Q99bYINz+BTt/ekllye,iv:DSZJxoZUlUZxPpzfpXyZ4ECeJjq6/WW8I2fvTXIjmfU=,tag:HwHhdQA8yuSKYxM5LcZV/w==,type:comment]
@@ -86,8 +87,8 @@ sops:
             Qnh1djQ0ZDFhRmxsU2g0eHJZeFlkcU0Kj5H/dHrOwSgiZIzpv3nOc7AWeNMofJg7
             OzSVdRry72qPqYU8YLWjAcoP3ddITZnWr53/yYBVmssW/KeyVyPy9A==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2026-01-21T02:03:24Z"
+    lastmodified: "2026-01-26T12:49:23Z"
-    mac: ENC[AES256_GCM,data:yVe+78V7zYgYveLFBghKdAeibg97DRafgsRRCZPYkWu8t2iadtD5UqRK0KS4Zcc55ojHJ11otgadaPHQyl8EIzt7Dwlm7ZOVEmmPAYdaweWfnPRdFhDAxcgj8Ejh03LAdLQK8WwlfTF/09Avub2ZUnN0aPwFCen/qD6dYmcGDNk=,iv:y4YE9AqlVVBBtRGoIdfIcNGE4chChBOR0Euy68xkQBA=,tag:/yopCpkvFaEzr2iXxLd3uw==,type:str]
+    mac: ENC[AES256_GCM,data:+rkFq7pYZrGTtLIjjwa5DQC6WFpeV3JS80w6xADcn+kNnjg94p70GVZ3zP6p+f4PZ/Rupjg1cmm3w0g/ranx+FEmmX43N+zSY97NYOC2oxOhlNDDyrnRDElaiCOq41Jd13FxnjX3Jg9gxkD3szGS9hG+gv3wSf9NabOhFFL79GQ=,iv:+9UDVsvfr581CSNdtLRTfrjQ7rsLgMLmyK4cof0NZUU=,tag:9/xq9ThqrDzg+Snh3vSkVw==,type:str]
     pgp:
         - created_at: "2026-01-16T06:34:46Z"
           enc: |-

secrets/skrot/skrot.yaml

@@ -0,0 +1,93 @@
+dibbler:
+    postgresql:
+        password: ENC[AES256_GCM,data:3X9A3jOpFVRuBg0gRiCEsZVKfLI=,iv:XC7LBNUhALk9IEhItV8fO5p/m7VKL0REBY1W2IZt7G4=,tag:l18R7EhbOlucZHFQiEvpHw==,type:str]
+sops:
+    age:
+        - recipient: age1hzkvnktkr8t5gvtq0ccw69e44z5z6wf00n3xhk3hj24emf07je5s6q2evr
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvTk5YU3Z2Yy9HS1R4ME5I
+            UU1PRWVncHJYcXY5RlFpOWVQUWZsdy93ZDFBCnlxWkpaL1g5WmNSckNYd202WE40
+            RkwwSEM1YUNNZmozejlrdW8yY1JiekkKLS0tIHVWY0JKZm9CNWhzVGl4cG82UXZs
+            ZnllQzJiK1ZkRmFndmtYdW9IclFWY1EK82f1iGt3nt8dJnEQlMujNqConf6Qq6GX
+            hqoqPoc2EM4kun28Bbpq4pAY7eEPRrWFqOkjYVvgIRoS88D7xT3LWg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1ug30gg4y7ftuya0wdv7q0vh4egn00wlv2th7mt7cgc2ze46wmvyq9lq6ge
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5WTJIOUcxRlBuNmRrNUZo
+            MXFxeVJBTEhDK00yTUw1U2dHckNFYWZKWkhNCnYxYmtrUEVvd1RaYUI5WTRTRW16
+            S2NhbDdpdDZhSkVWeUhjZDhKd3ZpTmcKLS0tIFovWm5lOXBzcnN3Zm5GQlBhNmlp
+            eTB4WldMNW9GNUwwaEUzRThsemxRVzQKGpa0J2PBzDRdHijm0e3nFAaxQCHUjz+L
+            KataXJEMCijJ6k+7vpb5QMxe2jB1J2PMxNGFp0bWAy2Al3p/Ez2Kww==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1mrnldl334l2nszuta6ywvewng0fswv2dz9l5g4qcwe3nj4yxf92qjskdx6
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZaW1ZSXhVeFVTQW9WYzVh
+            WkVUM2JkOU5VNU9oQXE2Y2pvcFlOWTdvbnpJClduS0RHL2xja291a2doQ0wzbzhQ
+            NmJOSGVvQUdxM3IvaS8zRW1VbVhvYmsKLS0tIHoyOUdvT0xXWXo3SWcyQ1lqTmJS
+            ZUdnS2RvOXI1dGNYQTl6ZHE1cUdMWHMK4ycAJQLyKCgJIzjQ02bPjz4Ct9eO6ivw
+            kfWhyMaoWwM9PhFcwSak0cLpX0C/IOzSzO78pf3WhG16pV7aXapdog==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1hmpdk4h69wxpwqk9tkud39f66hprhehxtzhgw97r6dvr7v0mx5jscsuhkn
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqaml0OVlhcUJSU1hSY3lP
+            bkM0cUV4Z2ZLeERHZ3BUNExuYS9KSU5CekQ4CmQ3SE1vdDBtdFJ6czZYR3U5Tk1X
+            SFJmTVlERjBzV0hFalFLMmVLQzNNdXMKLS0tIDdJLzZveFdnYTI0azk1UXJZLzZF
+            Sy9XbjhwOFR6SFpaNHZLd3ZxdmxOVUEKBBbGmdVVlKHxO+/iODznLP3+dJGppybW
+            +1k9uenVHzie+pDKcrQpSyX2WDnmgg7hUAUiXPuz1eEWmwbRJnU/5w==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1wrssr4z4g6vl3fd3qme5cewchmmhm0j2xe6wf2meu4r6ycn37anse98mfs
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXK01vOVV5YlhsZ2ljYS91
+            OUVEaEpTbXFKOHVNVDVoMTlrS05wRmsyM2dvCjZHOXlCUGowd0J4UlQzSzM5dWJ0
+            eU50SHdtZ2ZyUE1JVHdvODFxWDYvRWsKLS0tIDhlRVQ0Mm5Ua0J2aExqMzRyUGlP
+            RUR6Yi9SUDFCUkZmRk5hYTVFeGloZXcKY/XtaSoW8Pu2wS4oistLSc0T5JvMnt+w
+            s3yfe/zx9/1K6OtbeljF9FZVOB/dOamvk+Qlfl0T5qush7/WgGzErA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1zhxul786an743u0fascv4wtc5xduu7qfy803lfs539yzhgmlq5ds2lznt5
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOM0pFb2tRTURtWmp6elRN
+            M0xtajlzMTNPMnppcGhJMVlsNHdwWmNGbFVFCnlxM1JQTkR2elAvdytKUEJ3djBS
+            UnlhL0tLLzY3Z05RU3phNDZIOGtTMFEKLS0tIEpOZDUxU1JQVXJTbmVFQlVkOUcy
+            eWlyWGhaS1JCNitUSVVScFk2WGEvOG8K2rpYPGx5jhyyRK4UkeJR96wDFr4Frzsr
+            QWz7fYZRWKWf0H0qn+bm9IfVJiBAlS5i16D1FnipZVmdWefFaZSEPg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1sqs7urnzsdy64efmd0zukzv3gs5pnjksuxd7nqmdwdy5l0nqnunq6hyune
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJVFV0WVZrK0wzbnhkcmcz
+            c2lIdVlKcFpoYjZIWlNPN0M5N2g2WG9YdlRJCjg5YlNoSzQ5YW5yRUVSeTEzRThY
+            WklKQzlzRXdrUUlFNzF4M1BFZCtPT28KLS0tIDlUOTVIQVZJNFJwTnQxN0Z1ZlQx
+            MmxPMWNPYzJiOFRqY2VYczhvRm5IR3cKpUVV+zsMolsHI2YK9YqC6ecNT6QXv0TV
+            d1SpXRAexZBeWCCHBjSdvQBl8AT4EwrAIP2M2o++6i5DaGoGiEIWZQ==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2026-02-10T20:02:28Z"
+    mac: ENC[AES256_GCM,data:i8CjVxoD7zdkLNJlI9DCo/tDV5DUI7JdpozLtYZzI7Cu51GayaE2Y3Wg4de6P0L7C3FER04WfRe/h+G9PLZICX/CfSipQysyrEq3Pjt9IKsjytDhP9VYJ36QFGF0PuHUQAMSLts/tAoAvLue6MP+V82l5js9ghvyBrzyBGxoyJw=,iv:QFNxvCYxrSkwy7iT+2BEacNPftDXju1cibprVPDjic0=,tag:496E+oCy/VwTylyaWhQD+A==,type:str]
+    pgp:
+        - created_at: "2026-02-10T20:01:32Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA0av/duuklWYARAAnSjSeI8BybEl1PwNt3KTGcUjpCI+XZPWgNWuvjIymVBv
+            ZgNESNktJB4loNvd/+TIADE7TqGFQK9ev6IPRoDHHkSMdmJ9Bc/lu2HPO+rJa1yD
+            vLXbjf8vRa+GkBDV8DTrPPFvSrHY+jv9vQIzY3nQPKMlyV58E85N262q/2gJUfm9
+            cy/dYE2BUWMQC1DfiGbBRC4xGHhp94XccOMBkIpchP+BL90ZVpocnxeSrSjBsSLE
+            wuhMQPRQSI4PFm8ZYajf6tF001HDa5zaqF1lqkTxtxypDDUr8BVb9n/ObaD8omDI
+            QHQUiPmVgpDs7w2Ph5UgJxK1c+dOcG+mXsl1CHOLldA29sNzDBuh94PKfRl1B3cY
+            KPoPIqntdn59zzRDbuVJxWeJal7Ffynwsrx4h7w7muIR/FYeaFphsokE5Q6gqwTO
+            ZqWY2tuQ0CFRtMl7HB7ZVdSsKv6D5DlesXPXdrhQBKRrNylBpSBmcZH8KRAuHGNj
+            4GFZRN++GFuq54d7wB689kn+F7+pbNom7CDILXiCrz8+9DjFw0maDRoas8OaUyW6
+            kfyJe/YnK94EyCPitkJWYc9uvA2t9y25Rm9uUSvh7WnTFAEK9mJLOal4VgHbqCtg
+            zSGbdw79U4H0Umbi5eSCvEYNtv7eBzKaS/t6irfDRr1WajNhThcd1wmnvjZYxl3S
+            XgHOucYvQvxXjqG0B0Qbd12ucYthPO1+gozEzWxJx2wtiL3gClPYOaiteRlO/XQA
+            WTG6A36X3IxB6qW8lEx12geyjHxFYb82BjyrBnnlj+YcViIBpPQqd8Dz6sl4Rls=
+            =tCoI
+            -----END PGP MESSAGE-----
+          fp: F7D37890228A907440E1FD4846B9228E814A2AAC
+    unencrypted_suffix: _unencrypted
+    version: 3.11.0

secrets/skrott/skrott.yaml

@@ -3,81 +3,90 @@ dibbler:
         password: ENC[AES256_GCM,data:2n85TO709GJc7/qoYp2RXO8Ttfo=,iv:5ZCZPEQQXPGYfDd1qPhDwDfm1Gds1M8PEX9IiCsHcrw=,tag:PAseyFBAe56pLj5Uv8Jd7A==,type:str]
 sops:
     age:
-        - recipient: age1hlvwswsljxsvrtp4leuw8a8rf8l2q6y06xvxtafvzpq54xm9aegs0kqw2e
+        - recipient: age1lpkju2e053aaddpgsr4ef83epclf4c9tp4m98d35ft2fswr8p4tq2ua0mf
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4WllOQ1dRSUJ6a1pvNFg2
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNdjk1L1N4QU5SK3pjTit6
-            N0YrQVBtMFZKRml0dG5PUGVhcU9VUXVHc25nClNFSXowUVRRVVhNeHUrTVVZRGRC
+            V0hIZHhyOW9Rc2xWdE9yN0tmMG93V0IzZzA4Ck5OSUlRTE5mVGZtMTl3NDh1QzA2
-            YkpVYlcrZm1NTE1IT1pSTDdOZGNHYlEKLS0tIHlJbkNBb3o0TlJlbEtsQ2ZsYlJn
+            Uk9RVnRENmVnQUZuQUVSeGxBS0VaK2sKLS0tIHRHbUUzcmlQbW0weXU0eWJKVmVT
-            Wis3T2V5QVYvQi9laUdoaE1DbUZZZE0K/liRzp6TJeufyTzemv+zBTOwzkeJRID4
+            ZUxJKzV3UDVVSW11SHRrWGxOSmgrZk0KyWxjEmCvNhiZfgXfObQfQ5riscy0mLFn
-            ZviYwwODWopB9/rCd8sIQaNXvEtvuXNWwcV1/p8DsJ9NHwqtdYHpmw==
+            3pslIN7fbxgxnEVyAhl9FOUS65GrmWrrhvN0pkIpgMw1cqtCrZHxyw==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1ug30gg4y7ftuya0wdv7q0vh4egn00wlv2th7mt7cgc2ze46wmvyq9lq6ge
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByY0dTMWc2VEVRdTJyOXo4
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoVFh2WC9iVHpURDBzckdB
-            R3BYb1VETHI2RktGVnVJUzg4WUsxbTNsK2tVCjVqVml3d29lK21wUXFnRm5GNHdX
+            UjVGcHkyR3V6VHVMbXc4c21ob1lSMDRWeW44ClgzRXhLY2RYN2hleDNLWHoyeXVm
-            blV4NEFZU01ZS3Qwc2FSMlVDRlU0SEEKLS0tIExwWXFJZGRTaTBSbjZtdTBXSXNJ
+            T2xJMlNZMml2NGZDNmlQWGp6RXJRQ1EKLS0tIGNmK0lGdjRLM3l4S3JVazZ0MkFU
-            TUhJWkIrdGg5UDdDQkdnQk50YTQ0M0UKqoMwtPlOSIqMcLvII/EVuZGrNDeULJHK
+            SzZOMFNvcGZRcjJsU242cnZ4NU9OZmcKxlRdhZlXP4KQBHFLFt195H5R33hLuQ0O
-            l7xCzQM0n72E/zxPuO7koVXVcUNwn4kNQCRLOHLcuqx2ZRD8Oc+zNA==
+            bVHtQk00IZmMPq4R4aOc0WMkuJxcFaLi0YDQigcFtReSvWDhTHns7A==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1mrnldl334l2nszuta6ywvewng0fswv2dz9l5g4qcwe3nj4yxf92qjskdx6
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxNy8rcHpJclk1b0h2T0dw
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBua0cvc21qeFp4d1NZZ0Vw
-            U0pBYlJvQXlZTG1PeTRCV2hONEJlUWFqdUIwClJ4QnQyOGt4d1NEcVZYek9JUC9X
+            aWhldXVjUm1wSmJPdnpZV1JvTVowSWw4RVU0CngzUWkrcXA1TkpZN1M4QVBCS0pX
-            UW0wNjArK2YvZDRMMGpRU1N1dk9jSDQKLS0tIGJMbkZxLzZBVm4wNXVTNFpoRDNo
+            Z0w5aURoQU9Xck1RckNsRTlGeWk2N2cKLS0tIFlSdG05V2l6eStURDJVTXEzc0Zh
-            a3dwemI2Wlh2RE8zN0xsbmY5YnJUeTAKhkSpB4RgrfbDpK7IwLs1KGXCj8v0Rze3
+            U2tFemF1djFGeVFQYWg5NjFhdW13Vm8K/QztsuBUcmJNBta3R7uYHGzqKOCRus3s
-            YZh3BHW2WZLS7uQcIe/tnpIHwPrQnadKeYIw7xBmXu9dWyim9/5RyQ==
+            bFd2AOC0PNqvAe8e5q2XYf87MUt/U6AaFjroaDpoC3IUI2+qLJDXDA==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1hmpdk4h69wxpwqk9tkud39f66hprhehxtzhgw97r6dvr7v0mx5jscsuhkn
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxUnA5SXNucGN4bi9zeGlU
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkcUVib2tsd3lNS0VmOGNS
-            TzJPUGk5SWVONFVVYnNnejJBdFJmL3d1S0Y0Ci9SOVZmVUMzRWNicGN2dE5aRy80
+            WWR6NDE5RWw3bStqVjRtdWFSM1E2QUp2cEg0Cm0zdjE3eVpUS3M1L241akM3cyta
-            MFh3MUNTSE5EWEhQcUFsUENDdWlWYkkKLS0tIDYrb2RzVm9OTHlzKzBCdEtPYnF3
+            WGVFVGtQVnQ1d2U1QVRSYXE1YUYrTU0KLS0tIGRTK29EdzVka3hmaFIrSnVUQ1c5
-            L2VmNm5ITEUwUVJ3WXRmVGZnY0RSNE0KraXjJSZ9HKV8SO93khWVjBJcEYQLI0Rm
+            c0YxcWZIRHRxZEVjVk9MckJMVisyS28KGH6+9IXIBeXrrZ3AoL3zU1v6EA5TNwN5
-            lQuagfkZ5oaedsPGNqaXWo/cd3g2SZOfhmmRxY9R9gxmnjpP4L6gGg==
+            8DgPO9+yfVesZiEJ0MNhs6tXAA4ODInpU1CUdsjKWRA6/QXBbmEUQw==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1wrssr4z4g6vl3fd3qme5cewchmmhm0j2xe6wf2meu4r6ycn37anse98mfs
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKTlgxOGJwbDYrbXNDWmNY
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLS0RnMDNOZzBIZzF4VG1R
-            YzZGTTdlQXBFRUEySW1Rd0Z4bi90akZIOGpBCjdseUJIeGlJZVB1WDNFeU5LZDE0
+            T083bXFOdE1JSzl0SE1SUGlxdnFFQVluWVgwCnRLMThOSU45RTRFMVZybm9YV01n
-            cExQSFBPTWlUbVRjREdJaXROTjRwWTgKLS0tIENPM2VnZGtyaUowZmx5ZVdZVjRz
+            K1pCMThGUFhMMzZhUEszRlZlK2FoQXcKLS0tIHdJRGw4aEU5UkgrU3ZEZXl4bDhi
-            SW9kSTVBbDJUWHBzV0xBYTlReGloSkEKq6Q3HVKRnw2B0CUvgXlUkQUBgmCNLP80
+            dCtIVkdSWmg1dGNzNmhjZDBiWUJVWkEKSZySabmhM3HDXdduzFGAbOPR6m1CjwWb
-            fY5/ePAWZKt4P6TxzPNFH3aANWcnVC2/QxF2RgYfDXKKp1AVlAIlTA==
+            ttMA9hTvl+T/UqYjxSHj8hmsyTfDY7a4sfHaFcMBJMJrjuEllm/L9g==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1zhxul786an743u0fascv4wtc5xduu7qfy803lfs539yzhgmlq5ds2lznt5
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvS2gzN0ZyakcyVjlYRUZU
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEYmF6cm5xUHVKMWw3MHJD
-            OFNmUHhsTysxV0JIV1JlM3hLNW9KRm9oY0gwCkh3SWxUV3ZqRXluVVRyRC9OQzVa
+            cWsvZTNWUjRZNDQxbFdDWGh5dUpCc2lGTTNjCm1uV0FCVEgxOG5WbXJUdXlkYTZW
-            ODE0NnE2ZHdZc1Qrdkp0YWZFZ0xnMWMKLS0tIFFsNElqVlZ3Sm56b2ZNcEpQMXo4
+            KzFzaDNma3RJWEtlUmFHNGxNVUFKN28KLS0tIFFCSi82Q3EvV01UeHg4bG96K1Jm
-            RGJCWmpyd1g1NC9Ud3I3TWRBZ2llblEKVrHE0kPVjapor98D4Z1gCtQsuWS/iAuE
+            S2JrZlcwcGsrTzdFTDlHcktJd0hmUVUKt0W/8r+L1m25kHKbh5RcweKbl4JB5xqX
-            5cje1AZdpYVdHoRtzRxKwPekfm9xa/knzFckjjO0JizTQWTPYg0gsQ==
+            DYUhUW1Rh1EI63CgVzriz4HZjuNGiuqG9cFv72wIg9Hl2lBPpkC4LQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1sqs7urnzsdy64efmd0zukzv3gs5pnjksuxd7nqmdwdy5l0nqnunq6hyune
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQYUtHY1djWno1MG1zQTRB
+            ZHNjbitQbTUwVjFkZWtHU0gwUFFMTTIrQUVZCkUwd3UrbmpyMndXcVl6MEFsSktX
+            L1ZBM2ZPbGMycXd0MDRyWGI1SHh2NVkKLS0tIHFKcS82cUJYZ2V6dHJ6djJSajFy
+            RkIzYUI3dUZjenpxRnplOTZKZmhoS0kKDw9Zuf57k+MAINMReYcCN1DoTtFMgKGJ
+            CWwkNN59Ojgz757xS+2cmK6oxAkDRcN+KZc3sANdj0LY//rXq/UJgw==
             -----END AGE ENCRYPTED FILE-----
     lastmodified: "2026-01-25T14:03:57Z"
     mac: ENC[AES256_GCM,data:RBf3LjVNSclsPN7I4QPaDUjWbKlaccjk3rzsRNdRe3+OvJSd7MsS9RfpUFCqUtO7ZkkocXHmkHA8z8LNxs6vejT9czMsLLQD14qHZS6fFdTnToOx3Kt5UuviPO/2UryVI+6HWORkH1aqFJhzkSMop2TO5mzuOTfbCEBLYUUuS6s=,iv:NQs8O1hIbjzGBTZo+gCuisj3edraFGk/Y146HmfPmQY=,tag:4g9IXw2UFC5V9EIHuWJqdA==,type:str]
     pgp:
-        - created_at: "2026-01-26T04:52:39Z"
+        - created_at: "2026-02-07T21:15:24Z"
           enc: |-
             -----BEGIN PGP MESSAGE-----
 
-            hQIMA0av/duuklWYARAAtSg5bRhk7DN14CpdTtG9XPwQfZAP2EvCpFqXcU1LnIqi
+            hQIMA0av/duuklWYARAAsIJXQn91VrFoSuu0ppgC79T2juR6mA7H5Z2NSGypbild
-            odRqr1vzFlgXH/A/36C/c/JN7M0673PWivUidiMU38/WExgzxPTe/mpwoTHqRRgG
+            BsNPlWy+q8rpctGkria2Jm37Wz8Qu+sUNQ8Y2w6Z8Bv+M5tks62wc7qBjJkcZKmw
-            aSP5or2UjhwbN7M844JGbTMNAIUh9bVG2/Qm6cLFhv2HalAVhhnWsbIdJIjUmpjU
+            IjumrbsEmKQsZKS2YzGFcTjuwpBTGnACAMjUTz1rqnRcaq4U8Wqfi+mmf81yRSnR
-            cMjCfxO36uTVp1SajeJKd9x9n+AbWY84SzN/7HYrFcJQomOyb6FcioIwHcIe2YdN
+            F0emN015EmGCAUQYD6YRFMAw0PGbP3HiQrXQxdmv8zObbCg9d3+ZozurqFO2RmB4
-            GEdNkA13+hTNBR2ZYW3wrPxr39qK4R3mEJambwZLhQfRwUaqIB6PqvXICdqeLbRc
+            SeZIUEtxgVDuMsr87AmHgbCr8Ux9eZmHU0qv+ejgbnXE7/MaUbppa1gy3RdcwHqG
-            2OfzR5oN5HE3Z7QGwDDM8x8diegLYUyTyY3yhJ8PcCs44mXL2XN6XGefgNWuxxDd
+            DaETVa6YLUQqP9GOuTVy4gVr3AHtaGwMYRz30gjgQuoGUlQOG1U38PRtqe/94iHF
-            o8189NRNXD2xloiIcbBJQ6Mpix+qlEI4VRnaxiGI3huv/vpKqSxBZFCu4x4kxGwj
+            1lo14e31BSfHTnv66vupvWdfDXZme/1rOBJw0lM8Q+wHHJrr3mKmiLus85bJsMD7
-            OuaX3cPsvjzj0WEFsAvmrUB/Qdabfhhdm1TgY1PqoXfCudyLuDYqRg8sjIIUjmtA
+            M4Cn+5n3lE4kSrup8Y5fOsYSwq1WM9GYUfkVR+x2eHNmNdXLVHS0No6kA2TpKeqg
-            /EyXTO6Ah+vc/NP3mLcHeFAh91Lzvxvm6jEmpN7/jg9zbIzs0jNeVchFYxxVZuRn
+            zbTyL59i+VBPfANCPehVYxFv7JM9pTFYQXDzMEAJcFerWBmB70HUoYXPZxeDEpiC
-            J6ySrkQ5x4FC1DdJlxv36uOLdbsosgia8q3WHOfbt/Lyp/n1RuQX2Kjysi/C79ap
+            6seUT9lXM733QGbxwZLXRhXX4sDhJ7rMQJOvrxSvVDhiJx+Arqhz5srM8FlQHdjG
-            xYaozqRmuJIy4Ph4PbhA737PFS4GEyKsHfvskWeGvpGiu/XHP+R+AfE45Mac1O/S
+            kfC507phCarRqXoef55G4trYjrr3zf+sWHRnPuh1IdFch3U+2CMrBUZIRU+C1nXS
-            XgEgpNsTDb4GS70fjYBjaSyLcgCeAhqt4Mm4O3UTrYWLfziVLMI7vl9zTznGmY9n
+            XgHnubHvfLECTWfeEZUQvZaTtio1K3NSWqv/KBivBBRMfNI20A5erQXnocCYXB7o
-            fS70cnezoSWVj9Nfz+EmmsRWwAYRebzqLWaAtPmrrS5IbWZkLgpay7ga1y9cACo=
+            RYisThHMQomNI7bT8vbf5/N/xlqEra5par0SDX16jl4FuU6dgKRuQ3SrpzFjQTA=
-            =0Z+d
+            =ySHN
             -----END PGP MESSAGE-----
           fp: F7D37890228A907440E1FD4846B9228E814A2AAC
     unencrypted_suffix: _unencrypted

shell.nix

@@ -1,15 +1,16 @@
 { pkgs ? import <nixpkgs> {} }:
 pkgs.mkShellNoCC {
   packages = with pkgs; [
-    just
+    disko
-    jq
+    editorconfig-checker
+    gnupg
     gum
+    jq
+    just
+    openstackclient
     sops
     ssh-to-age
-    gnupg
     statix
-    openstackclient
-    editorconfig-checker
   ];
 
   env = {

topology/default.nix

@@ -228,7 +228,7 @@ in {
         (mkConnection "demiurgen" "eno1")
         (mkConnection "sanctuary" "ethernet_0")
         (mkConnection "torskas" "eth0")
-        (mkConnection "skrot" "eth0")
+        (mkConnection "skrott" "eth0")
         (mkConnection "homeassistant" "eth0")
         (mkConnection "orchid" "eth0")
         (mkConnection "principal" "em0")

values.nix

@@ -73,6 +73,10 @@ in rec {
       ipv4 = pvv-ipv4 179;
       ipv6 = pvv-ipv6 "1:2";
     };
+    principal = {
+      ipv4 = pvv-ipv4 233;
+      ipv6 = pvv-ipv6 "4:233";
+    };
     ustetind = {
       ipv4 = pvv-ipv4 234;
       ipv6 = pvv-ipv6 234;
@@ -81,13 +85,17 @@ in rec {
       ipv4 = pvv-ipv4 235;
       ipv6 = pvv-ipv6 235;
     };
+    skrot = {
+      ipv4 = pvv-ipv4 237;
+      ipv6 = pvv-ipv6 237;
+    };
     temmie = {
       ipv4 = pvv-ipv4 167;
       ipv6 = pvv-ipv6 167;
     };
     gluttony = {
       ipv4 = "129.241.100.118";
-      ipv4_internal = "192.168.20.11";
+      ipv4_internal = "192.168.20.77";
       ipv4_internal_gw = "192.168.20.1";
       ipv6 = "2001:700:305:aa07::3b3";
     };