bicep/element: set default country code

.mailmap: further dedup
hosts/various: bump stateVersion
2026-02-20 08:57:53 +01:00 · 2026-01-27 04:11:40 +09:00 · 2026-01-27 04:07:25 +09:00 · 2026-01-27 04:00:48 +09:00 · 2026-01-27 03:59:40 +09:00 · 2026-01-27 03:52:34 +09:00
15 changed files with 229 additions and 22 deletions
--- a/.mailmap
+++ b/.mailmap
@@ -23,3 +23,9 @@ Adrian Gunnar Lauterer <adriangl@pvv.ntnu.no> Adrian Gunnar Lauterer <adrian@lau

 Fredrik Robertsen <frero@pvv.ntnu.no> frero <frero@pvv.ntnu.no>
 Fredrik Robertsen <frero@pvv.ntnu.no> fredrikr79 <fredrikrobertsen7@gmail.com>
+Fredrik Robertsen <frero@pvv.ntnu.no> fredrik <fredrikr79@pm.me>
+
+Vegard Bieker Matthey <vegardbm@pvv.ntnu.no> Vegard Matthey <VegardMatthey@protonmail.com>
+Vegard Bieker Matthey <vegardbm@pvv.ntnu.no> Vegard Bieker Matthey <VegardMatthey@protonmail.com>
+
+Albert Bayazidi <albertba@pvv.ntnu.no> Albert <albert.bayazidi@gmail.com>
--- a/flake.nix
+++ b/flake.nix
@@ -129,6 +129,7 @@
          ] ++ (lib.optionals enableDefaults [
            sops-nix.nixosModules.sops
            inputs.roowho2.nixosModules.default
+            self.nixosModules.rsync-pull-targets
          ]) ++ modules;
        }
        (builtins.removeAttrs extraArgs [
@@ -270,11 +271,12 @@

    nixosModules = {
      bluemap = ./modules/bluemap.nix;
-      snakeoil-certs = ./modules/snakeoil-certs.nix;
-      snappymail = ./modules/snappymail.nix;
-      robots-txt = ./modules/robots-txt.nix;
      gickup = ./modules/gickup;
      matrix-ooye = ./modules/matrix-ooye.nix;
+      robots-txt = ./modules/robots-txt.nix;
+      rsync-pull-targets = ./modules/rsync-pull-targets.nix;
+      snakeoil-certs = ./modules/snakeoil-certs.nix;
+      snappymail = ./modules/snappymail.nix;
    };

    devShells = forAllSystems (system: {
--- a/hosts/bekkalokk/configuration.nix
+++ b/hosts/bekkalokk/configuration.nix
@@ -28,5 +28,5 @@

  # Don't change (even during upgrades) unless you know what you are doing.
  # See https://search.nixos.org/options?show=system.stateVersion
-  system.stateVersion = "22.11";
+  system.stateVersion = "25.11";
 }
--- a/hosts/bekkalokk/services/mediawiki/default.nix
+++ b/hosts/bekkalokk/services/mediawiki/default.nix
@@ -49,6 +49,24 @@ in {
    lib.listToAttrs
  ];

+  services.rsync-pull-targets = {
+    enable = true;
+    locations.${cfg.uploadsDir} = {
+      user = config.services.root;
+      rrsyncArgs.ro = true;
+      authorizedKeysAttrs = [
+        "restrict"
+        "no-agent-forwarding"
+        "no-port-forwarding"
+        "no-pty"
+        "no-X11-forwarding"
+      ];
+      # TODO: create new key on principal
+      enable = false;
+      publicKey = "";
+    };
+  };
+
  services.mediawiki = {
    enable = true;
    name = "Programvareverkstedet";
--- a/hosts/bekkalokk/services/website/fetch-gallery.nix
+++ b/hosts/bekkalokk/services/website/fetch-gallery.nix
@@ -3,13 +3,21 @@ let
  galleryDir = config.services.pvv-nettsiden.settings.GALLERY.DIR;
  transferDir = "${config.services.pvv-nettsiden.settings.GALLERY.DIR}-transfer";
 in {
-  users.users.${config.services.pvv-nettsiden.user} = {
-    useDefaultShell = true;
-
  # This is pushed from microbel:/var/www/www-gallery/build-gallery.sh
-    openssh.authorizedKeys.keys = [
-    ''command="${pkgs.rrsync}/bin/rrsync -wo ${transferDir}",restrict,no-agent-forwarding,no-port-forwarding,no-pty,no-X11-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIjHhC2dikhWs/gG+m7qP1eSohWzTehn4ToNzDSOImyR gallery-publish''
+  services.rsync-pull-targets = {
+    enable = true;
+    locations.${transferDir} = {
+      user = config.services.pvv-nettsiden.user;
+      rrsyncArgs.wo = true;
+      authorizedKeysAttrs = [
+        "restrict"
+        "no-agent-forwarding"
+        "no-port-forwarding"
+        "no-pty"
+        "no-X11-forwarding"
      ];
+      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIjHhC2dikhWs/gG+m7qP1eSohWzTehn4ToNzDSOImyR gallery-publish";
+    };
  };

  systemd.paths.pvv-nettsiden-gallery-update = {
--- a/hosts/bicep/configuration.nix
+++ b/hosts/bicep/configuration.nix
@@ -30,5 +30,5 @@

  # Don't change (even during upgrades) unless you know what you are doing.
  # See https://search.nixos.org/options?show=system.stateVersion
-  system.stateVersion = "22.11";
+  system.stateVersion = "25.11";
 }
--- a/hosts/bicep/services/matrix/element.nix
+++ b/hosts/bicep/services/matrix/element.nix
@@ -37,6 +37,7 @@ in {
          # element call group calls
          feature_group_calls = true;
        };
+        default_country_code = "NO";
        default_theme = "dark";
        # Servers in this list should provide some sort of valuable scoping
        # matrix.org is not useful compared to matrixrooms.info,
--- a/hosts/bicep/services/matrix/hookshot/default.nix
+++ b/hosts/bicep/services/matrix/hookshot/default.nix
@@ -14,6 +14,10 @@ in
    sopsFile = fp /secrets/bicep/matrix.yaml;
    key = "hookshot/hs_token";
  };
+  sops.secrets."matrix/hookshot/passkey" = {
+    sopsFile = fp /secrets/bicep/matrix.yaml;
+    key = "hookshot/passkey";
+  };

  sops.templates."hookshot-registration.yaml" = {
    owner = config.users.users.matrix-synapse.name;
@@ -44,9 +48,14 @@ in
  };

  systemd.services.matrix-hookshot = {
-    serviceConfig.SupplementaryGroups = [
+    serviceConfig = {
+      SupplementaryGroups = [
        config.users.groups.keys-matrix-registrations.name
      ];
+      LoadCredential = [
+        "passkey.pem:${config.sops.secrets."matrix/hookshot/passkey".path}"
+      ];
+    };
  };

  services.matrix-hookshot = {
@@ -54,6 +63,8 @@ in
    package = unstablePkgs.matrix-hookshot;
    registrationFile = config.sops.templates."hookshot-registration.yaml".path;
    settings = {
+      passFile = "/run/credentials/matrix-hookshot.service/passkey.pem";
+
      bridge = {
        bindAddress = "127.0.0.1";
        domain = "pvv.ntnu.no";
@@ -61,6 +72,7 @@ in
        mediaUrl = "https://matrix.pvv.ntnu.no";
        port = 9993;
      };
+
      listeners = [
        {
          bindAddress = webhookListenAddress;
@@ -73,6 +85,7 @@ in
          ];
        }
      ];
+
      generic = {
        enabled = true;
        outbound = true;
--- a/hosts/bicep/services/matrix/synapse.nix
+++ b/hosts/bicep/services/matrix/synapse.nix
@@ -27,6 +27,24 @@ in {
    '';
  };

+  services.rsync-pull-targets = {
+    enable = true;
+    locations.${cfg.settings.media_store_path} = {
+      user = config.services.root;
+      rrsyncArgs.ro = true;
+      authorizedKeysAttrs = [
+        "restrict"
+        "no-agent-forwarding"
+        "no-port-forwarding"
+        "no-pty"
+        "no-X11-forwarding"
+      ];
+      # TODO: create new key on principal
+      enable = false;
+      publicKey = "";
+    };
+  };
+
  services.matrix-synapse-next = {
    enable = true;

--- a/hosts/brzeczyszczykiewicz/configuration.nix
+++ b/hosts/brzeczyszczykiewicz/configuration.nix
@@ -17,5 +17,5 @@

  # Don't change (even during upgrades) unless you know what you are doing.
  # See https://search.nixos.org/options?show=system.stateVersion
-  system.stateVersion = "23.05";
+  system.stateVersion = "25.11";
 }
--- a/hosts/georg/configuration.nix
+++ b/hosts/georg/configuration.nix
@@ -32,5 +32,5 @@

  # Don't change (even during upgrades) unless you know what you are doing.
  # See https://search.nixos.org/options?show=system.stateVersion
-  system.stateVersion = "23.05";
+  system.stateVersion = "25.11";
 }
--- a/hosts/shark/configuration.nix
+++ b/hosts/shark/configuration.nix
@@ -15,5 +15,5 @@

  # Don't change (even during upgrades) unless you know what you are doing.
  # See https://search.nixos.org/options?show=system.stateVersion
-  system.stateVersion = "23.05";
+  system.stateVersion = "25.11";
 }
--- a/hosts/skrott/configuration.nix
+++ b/hosts/skrott/configuration.nix
@@ -96,11 +96,11 @@
  };

  # https://github.com/NixOS/nixpkgs/issues/84105
-  boot.kernelParams = [
+  boot.kernelParams = lib.mkIf (!config.virtualisation.isVmVariant) [
    "console=ttyUSB0,9600"
    # "console=tty1" # Already part of the module
  ];
-  systemd.services."serial-getty@ttyUSB0" = {
+  systemd.services."serial-getty@ttyUSB0" = lib.mkIf (!config.virtualisation.isVmVariant) {
    enable = true;
    wantedBy = [ "getty.target" ]; # to start at boot
    serviceConfig.Restart = "always"; # restart when session is closed
--- a/modules/rsync-pull-targets.nix
+++ b/modules/rsync-pull-targets.nix
@@ -0,0 +1,140 @@
+{ config, lib, pkgs, ... }:
+let
+  cfg = config.services.rsync-pull-targets;
+in
+{
+  options.services.rsync-pull-targets = {
+    enable = lib.mkEnableOption "";
+
+    rrsyncPackage = lib.mkPackageOption pkgs "rrsync" { };
+
+    locations = lib.mkOption {
+      type = lib.types.attrsOf (lib.types.submodule ({ name, ... }@submoduleArgs: {
+        options = {
+          enable = lib.mkEnableOption "" // {
+            default = true;
+            example = false;
+          };
+
+          user = lib.mkOption {
+            type = lib.types.str;
+            description = "Which user to use as SSH login";
+            example = "root";
+          };
+
+          location = lib.mkOption {
+            type = lib.types.path;
+            default = name;
+            defaultText = lib.literalExpression "<name>";
+            example = "/path/to/rsyncable/item";
+          };
+
+          # TODO: handle autogeneration of keys
+          # autoGenerateSSHKeypair = lib.mkOption {
+          #   type = lib.types.bool;
+          #   default = config.publicKey == null;
+          #   defaultText = lib.literalExpression "config.services.rsync-pull-targets.<name>.publicKey != null";
+          #   example = true;
+          # };
+
+          publicKey = lib.mkOption {
+            type = lib.types.str;
+            # type = lib.types.nullOr lib.types.str;
+            # default = null;
+            example = "ssh-ed25519 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA comment";
+          };
+
+          rrsyncPackage = lib.mkPackageOption pkgs "rrsync" { } // {
+            default = cfg.rrsyncPackage;
+            defaultText = lib.literalExpression "config.services.rsync-pull-targets.rrsyncPackage";
+          };
+
+          enableRecommendedHardening = lib.mkEnableOption "a commonly used security profile for authorizedKeys attributes and rrsync args";
+
+          rrsyncArgs = {
+            ro = lib.mkEnableOption "" // {
+              description = "Allow only reading from the DIR. Implies -no-del and -no-lock.";
+            };
+            wo = lib.mkEnableOption "" // {
+              description = "Allow only writing to the DIR.";
+            };
+            munge = lib.mkEnableOption "" // {
+              description = "Enable rsync's --munge-links on the server side.";
+              # TODO: set a default?
+            };
+            no-del = lib.mkEnableOption "" // {
+              description = "Disable rsync's --delete* and --remove* options.";
+              default = submoduleArgs.config.enableRecommendedHardening;
+              defaultText = lib.literalExpression "config.services.rsync-pull-targets.<name>.enableRecommendedHardening";
+            };
+            no-lock = lib.mkEnableOption "" // {
+              description = "Avoid the single-run (per-user) lock check.";
+              default = submoduleArgs.config.enableRecommendedHardening;
+              defaultText = lib.literalExpression "config.services.rsync-pull-targets.<name>.enableRecommendedHardening";
+            };
+            no-overwrite = lib.mkEnableOption "" // {
+              description = "Prevent overwriting existing files by enforcing --ignore-existing";
+              default = submoduleArgs.config.enableRecommendedHardening;
+              defaultText = lib.literalExpression "config.services.rsync-pull-targets.<name>.enableRecommendedHardening";
+            };
+          };
+
+          authorizedKeysAttrs = lib.mkOption {
+            type = lib.types.listOf lib.types.str;
+            default = lib.optionals submoduleArgs.config.enableRecommendedHardening [
+              "restrict"
+              "no-agent-forwarding"
+              "no-port-forwarding"
+              "no-pty"
+              "no-X11-forwarding"
+            ];
+            defaultText = lib.literalExpression ''
+              lib.optionals config.services.rsync-pull-targets.<name>.enableRecommendedHardening [
+                "restrict"
+                "no-agent-forwarding"
+                "no-port-forwarding"
+                "no-pty"
+                "no-X11-forwarding"
+              ]
+            '';
+            example = [
+              "restrict"
+              "no-agent-forwarding"
+              "no-port-forwarding"
+              "no-pty"
+              "no-X11-forwarding"
+            ];
+          };
+        };
+      }));
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    # assertions = lib.pipe cfg.locations [
+    #   (lib.filterAttrs (_: value: value.enable))
+      # TODO: assert that there are no duplicate (user, publicKey) pairs.
+      #       if there are then ssh won't know which command to provide and might provide a random one, not sure.
+      # (lib.mapAttrsToList (_: { user, location, publicKey, ... }: {
+      #   assertion =
+      #   message = "";
+      # })
+    # ];
+
+    services.openssh.enable = true;
+    users.users = lib.pipe cfg.locations [
+      (lib.filterAttrs (_: value: value.enable))
+      (lib.mapAttrs' (_: { user, location, rrsyncPackage, rrsyncArgs, authorizedKeysAttrs, publicKey, ... }: let
+        rrsyncArgString = lib.cli.toCommandLineShellGNU {
+          isLong = _: false;
+        } rrsyncArgs;
+        # TODO: handle " in location
+      in {
+        name = user;
+        value.openssh.authorizedKeys.keys = [
+          "command=\"${lib.getExe rrsyncPackage} ${rrsyncArgString} ${location}\",${lib.concatStringsSep "," authorizedKeysAttrs} ${publicKey}"
+        ];
+      }))
+    ];
+  };
+}
--- a/secrets/bicep/matrix.yaml
+++ b/secrets/bicep/matrix.yaml
@@ -17,6 +17,7 @@ ooye:
 hookshot:
    as_token: ENC[AES256_GCM,data:L4vEw5r4RhcgritOeDTLHN5E/dM=,iv:pC8BLzxf6NaVAGsotoq6chOceBVdMLvrsQn1LGw9H9w=,tag:SI3CDFHAvgQZEvf/oms3EA==,type:str]
    hs_token: ENC[AES256_GCM,data:2ufSJfYzzAB5IO+edwKSra5d/+M=,iv:cmTycGzNL+IeRRKZGbkhTtiksYTtbxED0k0B5haFw7k=,tag:FmWe5sGi9rlapUeAE6lKvg==,type:str]
+    passkey: ENC[AES256_GCM,data:sR3ZdvNe+321WalGA57Nsb7eIRnOgAWX4P4aahynS5kD8nZ40axO3H29pciTn3rgBLsKPYAbJ24Ch40SL5emlz9UL1nH//khCEAXUXR5+RA83TvRrog1BdiCTX3wYY6SvM8BRwAEcWbAavfRHyNM0stSRjamdam70OvEEHlOUafs4lfQghYXVN+YV6bT+gan9eMRwhTsuWB/V01SAUot5pgFtprpvFs/l90E9sZFxxejlLniy/4nHjO9rcXAeCz/8cw5P56AqCzqyliYxKM3qbhwp+Pz/RVH+7PKQwABP80tw4HLvBz2nwYzPHJrSejIH/lxE1sJH8ttUQ8mHIFpv0GGB0oENyfYCekoSXWL+wuFEE+xjyak1KUDfohaJ9QMZa+A4jHiGoWHAwfU083uNFNdE1NxPpa55xQ/Q5fGE58qmZVbHUoL1EFOi0Nc15vp9kRojjQoEENvEQKwZHlauhm+940s6IwBE/bHk5WBjWM6BM/7Y8dj23uo1Vj0gy5IK0xYk62+IXNINPeDnS5sZJJweOKvS9JDYNw/9oC5ptmsqkGWryWm22Mwq9AIWm1Zt+0nIZRrOM+JHWJCtCqXhD5+UL1fl6wt7IgvOqgOtsFUM39n2hS4UWyVohToLy2u8VFKDIx1yb530y+Q2HfT6oKPYtcm5+b/dgDaqph1JSuqxWoiXMdx/DvGLhM6nIfPnAi5EImXDQIxkh4tJ6P+z+4vOPiX5fKflXk2eioVL77BQ4jXLunu4zBu/bOCePHigAD/+E9IgHnVSMxpTgDQ3w7WI7FCY9wjbXqbsL3QB1BOizIFNqHDcX2COeJV7X8Aia0HBpZgQpFX5XtMJAKnO2BR2EA94xSk9/rAPgZpJkZXTHl5MpPz9+WLv4uFy0daIJ/y7jkxLXK2UNw9VVfkq/I6cteQMwHPe0V9XZc1DIXOjJ23r9qNtx11Dx7Zumh3EQvp/8D/i0G6lhW1y3xP0Uu1iuxfnvhacBTwiRTSrKhT0HKlFG9cG2SaZH5D8zLyhrQhp8V5AdAdikmQUfDigDTzd45YpWRaNEGM1wcAI5cWBdPHY6Hv3NHQoX3yx6jm3Qo1QqIVlhqHqEeM6++H1Sfd3xg8zMSSGXlQT6EYE0+raOvKrmbnGCW3GnguHEjU1vCE/w7u8LCct7IBCSL7XQpLg39SmSx/MdL5OWXaUCxbVMM38q/4PXNzRVNaHRZFXm35+q1gZ/fx9a3vY/YS9+qEhcsvNQaNyuVcbigz9fqEWoAnFh2rCIMT3XMc+N0V0+TSIF4nU/Im82wu1+ujcrJ6OpGubcf208y8giwOgdKAARTKtybInUx31+JkzMw9A4q+CxRLHcrYYhIHz0MyhAVY3JKQp6DvoRwT58/MEENv6hSvsf0PhrgIkPTYeNeasJwFt8tKPmEkFYINhigC3XPmid+hMJfp/w8MnFLAIX9Cp+7adQPPW5RZqHuuf0rV+vdVqU3nFmnet8KZd3SrZiWAXcKViyHYAWb3c60TMO2C37goHkTMd6olZ09ZEfrTpdX+MEHswW65p4rJgNZIbVquD73DpZuE30HsrUBsPeWpQy2JGNUPq8tCvcREVgmnIt7yJn8sC8D+RwgXCXHf6qDMjANi7nvD6uWTik4P68e9lVztO4QudwdZdPieflfFADH4sFPhXwCpGOkR37RSrqe6t3CR3ZI0aXqHdZ1l1JcJv+5WEXmJZfNUOPBGpvatmc7ygJYDxuQoJ5FDFsyZffrAYOcEXC6gDaq6NTGgo4JZAYQsHg8JaFWQPEToagiSQhhErMeA5nTUvNjJ4/0HHIvsjsGabAv3GiT2lcVnowt8qwEyLnQStNiAxv0bURhW82BLCHq5cHx7mtUNqDQjrc48iQZiZd20orTq7PmxwWBa6T9EwuEOQiX69inIbSU7kGbRmVUS+RPKfFoCXXOSlBjzoLM448Ymbf0FsEgATb0I5sJ6R2k9mlh3WgRur/u8ODtXJO9TLjVvAm1WmHWXn8ZSvKRS+/VSGg3RzKGyVqh2gJmpDJmF4BwzqslhaCdvdkwBW+7oZN///1h41NX6Fo68l+P/Rl/ZFvCF2VD18E1EjmnOs8sxmMjsDct3HNd7xB1PJLKtNTCLEF0vLDOM5qGaWfBVZtwHiz7fhbPxeE4ND8ygHhUUVzDsC3uHeVHwBMghSY92wnNq6SJP5HMC5knoEFxGnr5te8GcMT6iD6KMKjzqPnp7raGSFo96d5qDiug8krD3vEpbE+3L0XRye5m+2N/wVL7u888JZ0Yj9uWZoAmg41G9y5NU1g8Sns9gY1jalZFaY1+S2nCAfgZRNzx0gLa4CY7SClib1+qDCKIVLJyCqlbKRkIbNXV/B+/L6MAUwTRn8NLhm1+U1QgqD3X+cTJoys/1laSEBXcupT0CrCkR2wguGh1tfkyZ0yLJcbyIfRHzmEooMHWgL5N+mNYCwxLyIfDmBSacZI7AUBfGD+RT24W0vl976zd/sBzIZtQGFPKDtb5bzNE5FNfSfser+afqBG+S+gr1GUn2ZQMGN2095uqnYiwCUtxmczGlOLixbQMnYPbxClB7i4NFvZj2GbnX+yRgv8OFWTnp0C1aPsQHgZzWKAe0cDaRJpAOTTbaGaSJiwIIu689xqYGKej3oQLaAHqlRyRhJngUOj4panxNb/ZFbP6lfUF0fehNJFJaR3WKSiRAjv6ommtSFDQ26TrhYE9d+yG1KApzkhlPTLNA4fVRQxfZi41hbfHDg4kwZMpc86BSCq85qnzW+nMJiWTLxTKYSzjpiWSnMzBvBYf0vntz5+ltwJwyVMX/TdAoYGyHOCINLSxhKoajORJ0g6zEyBRdG+kg0qZCFi894fR4eAz5/fvbrhOhhnCOaVCJlvLo2jXiizQlsqbvLr8bTbyMF5yJPEPV8H/B8uhzzjCIxvbbc3Ac3rPX47FBdEc5869c7JgL/2HD9GZzJXfRBzyhSTFMMh7J+K7LgEIGsItTsJM9wa4BC9ZicZRifuGxBKATOIVeTpJJHA80yhmL6lsazUrrAlyA93mR4CsuInmum6QMyjkmcXBnEtybSeuUjX7aFmzSz9Il7C9iR/4QRWyzgSIh7sbqEl/v4mQtJMlydbZdd0aT65AShTHUIkNZxOg/IuEW26v8pyZi5msfPBjwmknQkXPTf1fCcgVuY6OoQBPzYR1BFTjpY5lTfAMYH9sDW+xxRTFftsNNRzIctX0IEv5haWxLDhuN7eagltf2v3GubrbsYTeVwuCFJnabgzXan4vvpPVIPhrhE2k6G0FfDhIpQL9oweNBG2hefoXoOr+piHYcc1hJSHnSUp9qRxQxXzjvaFulfRO+2GoMAg6E6pz1Fz8e8mHRubREH6NOLvz070D0u1o7Tb6LE2cmw2XdRaVqO+Jo3u7pZUUVYllF31Uxb8ngHarWQ3dOBneZQHsW3AFpRofz9BcHII6dd4BhAM+sl7+cBEFuNn9nkDBR8PLx7O0G+b99qSAnOdvY6wWTwMbWC2JLcv6QTwqe/bAdEg3hNi2GOoqwvs0e6BO/7GS88egcwqZEe2Tpvtzb+NCia/A3oc/VNWTucmQcv9K10QaloZjHMXAMsDESr3LJ0enaoqc90bbHWEuoyRJoDDuW2NXHpCILLAxCUDZnArlE78J2B15Yc2sBkgHyYrILaZo1dBVR23R+QX4bZXt69EZC74IdcELt4qw4ANK+xKtSRJ5vnVml58/71IukUp5GOwEzImEC4YG5G7O7hpMWZmM48RvOuhmqk3LvCggjHPploLqw3PY46twgbKTBai4PbYZ2NaFAHkgc4jqoKSgzQD0jqUkNxFZNSXmvC6QGksns/GaI/qZJVSWAxr95P3oEyZrsfY+KFvhpGJWAa/TIyJslTsKjSv+VFg9jm93yT6P+Jfp1sR+tnyTgrDUF3SIi1/HbM4DlgbyHon25B+4fabgbGajl0Ua/zNyFmWcGN4yRQfXgK47vhQFyfAaOliIKbvsCEnfLniDhPg9FlnxBHSVPHNxeEufocboCUJzm0pU2r2iRRN6fKiiIZubjxeXDjRHTsJAffstPp6pSDxgtZzivquUkj1669QmZaHhV6VyAhGOz/A3VWWB0FGdToeuS5FciNyYVmfJ8moHP1skV/jR4Ke3R/gHato0Un0nUr39ftB81uVomTYlVYuXAUUfJnAU/i8PbdjWCXSlAIeqCUeEf9oLq4n/xtUvJGBzxPgRJPaWxnckS2umi+6CRCs9f1EzwORgOosnQDJxALsGV3Nl4dR1o8ygAHkiBiqKyaEk0ulVM6XrfGFcQMkRgK2PVIZHNCEY72jU42/LlzWumXH2uoivR0toT7kk919VJYa5+2ac=,iv:BqwTfYEtqtFazQGfhL6rxfIUrZ2cin+jy070FDaGIuc=,tag:MMUGNmH6m4aNR4U8KAac6w==,type:str]
 livekit:
    keyfile:
        #ENC[AES256_GCM,data:M+SfmEuhPL8sqxOl3uL8mE6Z6pC6naQNxFRskMPbVpLVWYM1Be+QOoLEiTMtWqH2PAf2NZXLcNY63Q99bYINz+BTt/ekllye,iv:DSZJxoZUlUZxPpzfpXyZ4ECeJjq6/WW8I2fvTXIjmfU=,tag:HwHhdQA8yuSKYxM5LcZV/w==,type:comment]
@@ -86,8 +87,8 @@ sops:
            Qnh1djQ0ZDFhRmxsU2g0eHJZeFlkcU0Kj5H/dHrOwSgiZIzpv3nOc7AWeNMofJg7
            OzSVdRry72qPqYU8YLWjAcoP3ddITZnWr53/yYBVmssW/KeyVyPy9A==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2026-01-21T02:03:24Z"
-    mac: ENC[AES256_GCM,data:yVe+78V7zYgYveLFBghKdAeibg97DRafgsRRCZPYkWu8t2iadtD5UqRK0KS4Zcc55ojHJ11otgadaPHQyl8EIzt7Dwlm7ZOVEmmPAYdaweWfnPRdFhDAxcgj8Ejh03LAdLQK8WwlfTF/09Avub2ZUnN0aPwFCen/qD6dYmcGDNk=,iv:y4YE9AqlVVBBtRGoIdfIcNGE4chChBOR0Euy68xkQBA=,tag:/yopCpkvFaEzr2iXxLd3uw==,type:str]
+    lastmodified: "2026-01-26T12:49:23Z"
+    mac: ENC[AES256_GCM,data:+rkFq7pYZrGTtLIjjwa5DQC6WFpeV3JS80w6xADcn+kNnjg94p70GVZ3zP6p+f4PZ/Rupjg1cmm3w0g/ranx+FEmmX43N+zSY97NYOC2oxOhlNDDyrnRDElaiCOq41Jd13FxnjX3Jg9gxkD3szGS9hG+gv3wSf9NabOhFFL79GQ=,iv:+9UDVsvfr581CSNdtLRTfrjQ7rsLgMLmyK4cof0NZUU=,tag:9/xq9ThqrDzg+Snh3vSkVw==,type:str]
    pgp:
        - created_at: "2026-01-16T06:34:46Z"
          enc: |-
Author	SHA1	Message	Date
h7x4	79a46ce3f6	bicep/element: set default country code	2026-01-27 04:11:40 +09:00
h7x4	19e45be83a	.mailmap: further dedup	2026-01-27 04:07:25 +09:00
h7x4	a8892e2fb2	hosts/various: bump `stateVersion`	2026-01-27 04:00:48 +09:00
h7x4	a149f97ac0	bicep: bump `stateVersion` from 22.11 -> 25.11	2026-01-27 03:59:40 +09:00
h7x4	e76c656378	bekkalokk: bump `stateVersion` from 22.11 -> 25.11	2026-01-27 03:52:34 +09:00
h7x4	5877ef60b1	modules/rsync-pull-targets: leave TODO about assertion	2026-01-27 00:27:00 +09:00
h7x4	73456de527	bekkalokk/mediawiki, bicep/matrix/synapse: leave principal rsync target stubs	2026-01-27 00:26:42 +09:00
h7x4	2f8e9ea190	modules/rsync-pull-targets: init, migrate bekkalokk/website/fetch-gallery	2026-01-26 23:57:20 +09:00
h7x4	c3c98392ad	bicep/hookshot: add passkey to sops	2026-01-26 21:52:58 +09:00