WIP: Move krb5 realm to pvv.local, make sane ldap structure

WIP: set up heimdal-openldap-sasl stack
hosts/dagali: init
2026-02-20 17:07:51 +01:00 · 2026-02-15 15:34:33 +09:00 · 2026-02-15 15:34:33 +09:00 · 2026-02-15 15:34:33 +09:00 · 2026-02-13 19:45:45 +09:00 · 2026-02-13 18:55:42 +09:00
129 changed files with 13982 additions and 24184 deletions
--- a/.mailmap
+++ b/.mailmap
@@ -23,3 +23,9 @@ Adrian Gunnar Lauterer <adriangl@pvv.ntnu.no> Adrian Gunnar Lauterer <adrian@lau
 Fredrik Robertsen <frero@pvv.ntnu.no> frero <frero@pvv.ntnu.no>
 Fredrik Robertsen <frero@pvv.ntnu.no> fredrikr79 <fredrikrobertsen7@gmail.com>
 Fredrik Robertsen <frero@pvv.ntnu.no> fredrik <fredrikr79@pm.me>
 Vegard Bieker Matthey <vegardbm@pvv.ntnu.no> Vegard Matthey <VegardMatthey@protonmail.com>
 Vegard Bieker Matthey <vegardbm@pvv.ntnu.no> Vegard Bieker Matthey <VegardMatthey@protonmail.com>
 Albert Bayazidi <albertba@pvv.ntnu.no> Albert <albert.bayazidi@gmail.com>
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -7,6 +7,7 @@ keys:
  - &user_pederbs_bjarte age1zhxul786an743u0fascv4wtc5xduu7qfy803lfs539yzhgmlq5ds2lznt5
  - &user_pederbs_nord age1wrssr4z4g6vl3fd3qme5cewchmmhm0j2xe6wf2meu4r6ycn37anse98mfs
  - &user_pederbs_sopp age1hmpdk4h69wxpwqk9tkud39f66hprhehxtzhgw97r6dvr7v0mx5jscsuhkn
  - &user_vegardbm age1sqs7urnzsdy64efmd0zukzv3gs5pnjksuxd7nqmdwdy5l0nqnunq6hyune
  # Hosts
  - &host_bakke age1syted6kt48sumjjucggh6r3uca4x2ppp4mfungf3lamkt2le05csc99633
@@ -19,6 +20,7 @@ keys:
  - &host_lupine-3 age1j2u876z8hu87q5npfxzzpfgllyw8ypj66d7cgelmzmnrf3xud34qzkntp9
  - &host_lupine-4 age1t8zlawqkmhye737pn8yx0z3p9cl947d9ktv2cajdc6hnvn52d3fsc59s2k
  - &host_lupine-5 age199zkqq4jp4yc3d0hx2q0ksxdtp42xhmjsqwyngh8tswuck34ke3smrfyqu
  - &host_skrott age1lpkju2e053aaddpgsr4ef83epclf4c9tp4m98d35ft2fswr8p4tq2ua0mf
  - &host_ustetind age1hffjafs4slznksefmtqrlj7rdaqgzqncn4un938rhr053237ry8s3rs0v8
 creation_rules:
@@ -32,6 +34,7 @@ creation_rules:
      - *user_pederbs_sopp
      - *user_pederbs_nord
      - *user_pederbs_bjarte
      - *user_vegardbm
      pgp:
      - *user_oysteikt
@@ -46,6 +49,7 @@ creation_rules:
      - *user_pederbs_sopp
      - *user_pederbs_nord
      - *user_pederbs_bjarte
      - *user_vegardbm
      pgp:
      - *user_oysteikt
@@ -58,6 +62,7 @@ creation_rules:
      - *user_pederbs_sopp
      - *user_pederbs_nord
      - *user_pederbs_bjarte
      - *user_vegardbm
      pgp:
      - *user_oysteikt
@@ -70,6 +75,7 @@ creation_rules:
      - *user_pederbs_sopp
      - *user_pederbs_nord
      - *user_pederbs_bjarte
      - *user_vegardbm
      pgp:
      - *user_oysteikt
@@ -82,6 +88,7 @@ creation_rules:
      - *user_pederbs_sopp
      - *user_pederbs_nord
      - *user_pederbs_bjarte
      - *user_vegardbm
      pgp:
      - *user_oysteikt
@@ -94,6 +101,7 @@ creation_rules:
      - *user_pederbs_sopp
      - *user_pederbs_nord
      - *user_pederbs_bjarte
      - *user_vegardbm
      pgp:
      - *user_oysteikt
@@ -110,6 +118,7 @@ creation_rules:
      - *user_pederbs_sopp
      - *user_pederbs_nord
      - *user_pederbs_bjarte
      - *user_vegardbm
      pgp:
      - *user_oysteikt
@@ -122,16 +131,19 @@ creation_rules:
      - *user_pederbs_sopp
      - *user_pederbs_nord
      - *user_pederbs_bjarte
      - *user_vegardbm
      pgp:
      - *user_oysteikt
  - path_regex: secrets/skrott/[^/]+\.yaml$
    key_groups:
    - age:
      - *host_skrott
      - *user_danio
      - *user_felixalb
      - *user_pederbs_sopp
      - *user_pederbs_nord
      - *user_pederbs_bjarte
      - *user_vegardbm
      pgp:
      - *user_oysteikt
--- a/README.md
+++ b/README.md
@@ -43,6 +43,7 @@ revert the changes on the next nightly rebuild (tends to happen when everybody i
 | [kommode][kom]             | Virtual  | Gitea + Gitea pages                                       |
 | [lupine][lup]              | Physical | Gitea CI/CD runners                                       |
 |  shark                     | Virtual  | Test host for authentication, absolutely horrendous       |
 | [skrott][skr]              | Physical | Kiosk, snacks and soda                                    |
 | [wenche][wen]              | Virtual  | Nix-builders, general purpose compute                     |
 ## Documentation
@@ -59,4 +60,5 @@ revert the changes on the next nightly rebuild (tends to happen when everybody i
 [ild]: https://wiki.pvv.ntnu.no/wiki/Maskiner/ildkule
 [kom]: https://wiki.pvv.ntnu.no/wiki/Maskiner/kommode
 [lup]: https://wiki.pvv.ntnu.no/wiki/Maskiner/lupine
 [skr]: https://wiki.pvv.ntnu.no/wiki/Maskiner/Skrott
 [wen]: https://wiki.pvv.ntnu.no/wiki/Maskiner/wenche
--- a/base/default.nix
+++ b/base/default.nix
@@ -10,10 +10,12 @@
    (fp /users)
    (fp /modules/snakeoil-certs.nix)
    ./flake-input-exporter.nix
    ./networking.nix
    ./nix.nix
    ./programs.nix
    ./sops.nix
    ./vm.nix
    ./flake-input-exporter.nix
    ./services/acme.nix
    ./services/auto-upgrade.nix
@@ -24,6 +26,7 @@
    ./services/logrotate.nix
    ./services/nginx.nix
    ./services/openssh.nix
    ./services/polkit.nix
    ./services/postfix.nix
    ./services/prometheus-node-exporter.nix
    ./services/prometheus-systemd-exporter.nix
@@ -39,6 +42,9 @@
  boot.tmp.cleanOnBoot = lib.mkDefault true;
  boot.kernelPackages = lib.mkDefault pkgs.linuxPackages_latest;
  boot.loader.systemd-boot.enable = lib.mkDefault true;
  boot.loader.efi.canTouchEfiVariables = lib.mkDefault true;
  time.timeZone = "Europe/Oslo";
  i18n.defaultLocale = "en_US.UTF-8";
@@ -47,22 +53,8 @@
    keyMap = "no";
  };
-  environment.systemPackages = with pkgs; [
+  # Don't install the /lib/ld-linux.so.2 stub
-    file
+  environment.ldso32 = null;
    git
    gnupg
    htop
    nano
    net-tools
    ripgrep
    rsync
    screen
    tmux
    vim
    wget
    kitty.terminfo
  ];
  # .bash_profile already works, but lets also use .bashrc like literally every other distro
  # https://man.archlinux.org/man/core/bash/bash.1.en#INVOCATION
@@ -76,8 +68,6 @@
    fi
  '';
  programs.zsh.enable = true;
  # security.lockKernelModules = true;
  security.protectKernelImage = true;
  security.sudo.execWheelOnly = true;
@@ -85,6 +75,14 @@
    Defaults lecture = never
  '';
  # These are servers, sleep is for the weak
  systemd.sleep.extraConfig = lib.mkDefault ''
    AllowSuspend=no
    AllowHibernation=no
  '';
  # users.mutableUsers = lib.mkDefault false;
  users.groups."drift".name = "drift";
  # Trusted users on the nix builder machines
--- a/base/networking.nix
+++ b/base/networking.nix
@@ -3,6 +3,10 @@
  systemd.network.enable = true;
  networking.domain = "pvv.ntnu.no";
  networking.useDHCP = false;
  # networking.search = [ "pvv.ntnu.no" "pvv.org" ];
  # networking.nameservers = lib.mkDefault [ "129.241.0.200" "129.241.0.201" ];
  # networking.tempAddresses = lib.mkDefault "disabled";
  # networking.defaultGateway = values.hosts.gateway;
  # The rest of the networking configuration is usually sourced from /values.nix
--- a/base/nix.nix
+++ b/base/nix.nix
@@ -37,4 +37,9 @@
      "unstable=${inputs.nixpkgs-unstable}"
    ];
  };
  # Make builds to be more likely killed than important services.
  # 100 is the default for user slices and 500 is systemd-coredumpd@
  # We rather want a build to be killed than our precious user sessions as builds can be easily restarted.
  systemd.services.nix-daemon.serviceConfig.OOMScoreAdjust = lib.mkDefault 250;
 }
--- a/base/programs.nix
+++ b/base/programs.nix
@@ -0,0 +1,68 @@
 { pkgs, lib, ... }:
 {
  # We don't need fonts on headless machines
  fonts.fontconfig.enable = lib.mkDefault false;
  # Extra packags for better terminal emulator compatibility in SSH sessions
  environment.enableAllTerminfo = true;
  environment.systemPackages = with pkgs; [
    # Debug dns outside resolvectl
    dig
    # Debug and find files
    file
    # Process json data
    jq
    # Check computer specs
    lshw
    # Check who is keeping open files
    lsof
    # Scan for open ports with netstat
    net-tools
    # Grep for files quickly
    ripgrep
    # Copy files over the network
    rsync
    # Access various state, often in /var/lib
    sqlite-interactive
    # Debug software which won't debug itself
    strace
    # Download files from the internet
    wget
  ];
  # Clone/push nix config and friends
  programs.git.enable = true;
  # Gitea gpg, oysteikt sops, etc.
  programs.gnupg.agent.enable = true;
  # Monitor the wellbeing of the machines
  programs.htop.enable = true;
  # Keep sessions running during work over SSH
  programs.tmux.enable = true;
  # Same reasoning as tmux
  programs.screen.enable = true;
  # Edit files on the system without resorting to joe(1)
  programs.nano.enable = true;
  # Same reasoning as nano
  programs.vim.enable = true;
  # Same reasoning as vim
  programs.neovim.enable = true;
  # Some people like this shell for some reason
  programs.zsh.enable = true;
 }
--- a/base/services/acme.nix
+++ b/base/services/acme.nix
@@ -2,14 +2,12 @@
 {
  security.acme = {
    acceptTerms = true;
-    defaults.email = "drift@pvv.ntnu.no";
+    defaults.email = "acme-drift@pvv.ntnu.no";
  };
  # Let's not spam LetsEncrypt in `nixos-rebuild build-vm` mode:
  virtualisation.vmVariant = {
    security.acme.defaults.server = "https://127.0.0.1";
    security.acme.preliminarySelfsigned = true;
    users.users.root.initialPassword = "root";
  };
 }
--- a/base/services/auto-upgrade.nix
+++ b/base/services/auto-upgrade.nix
@@ -28,7 +28,7 @@ in
  # workaround for https://github.com/NixOS/nix/issues/6895
  # via https://git.lix.systems/lix-project/lix/issues/400
-  environment.etc = lib.mkIf (!config.virtualisation.isVmVariant) {
+  environment.etc = lib.mkIf (!config.virtualisation.isVmVariant && config.system.autoUpgrade.enable) {
    "current-system-flake-inputs.json".source
      = pkgs.writers.writeJSON "flake-inputs.json" (
        lib.flip lib.mapAttrs inputs (name: input:
--- a/base/services/nginx.nix
+++ b/base/services/nginx.nix
@@ -39,29 +39,38 @@
    SystemCallFilter = lib.mkForce null;
  };
-  services.nginx.virtualHosts."_" = lib.mkIf config.services.nginx.enable {
+  services.nginx.virtualHosts = lib.mkIf config.services.nginx.enable {
-    listen = [
+    "_" = {
-      {
+      listen = [
-        addr = "0.0.0.0";
+        {
-        extraParameters = [
+          addr = "0.0.0.0";
-          "default_server"
+          extraParameters = [
-          # Seemingly the default value of net.core.somaxconn
+            "default_server"
-          "backlog=4096"
+            # Seemingly the default value of net.core.somaxconn
-          "deferred"
+            "backlog=4096"
-        ];
+            "deferred"
-      }
+          ];
-      {
+        }
-        addr = "[::0]";
+        {
-        extraParameters = [
+          addr = "[::0]";
-          "default_server"
+          extraParameters = [
-          "backlog=4096"
+            "default_server"
-          "deferred"
+            "backlog=4096"
-        ];
+            "deferred"
-      }
+          ];
-    ];
+        }
-    sslCertificate = "/etc/certs/nginx.crt";
+      ];
-    sslCertificateKey = "/etc/certs/nginx.key";
+      sslCertificate = "/etc/certs/nginx.crt";
-    addSSL = true;
+      sslCertificateKey = "/etc/certs/nginx.key";
-    extraConfig = "return 444;";
+      addSSL = true;
      extraConfig = "return 444;";
    };
    ${config.networking.fqdn} = {
      sslCertificate = lib.mkDefault "/etc/certs/nginx.crt";
      sslCertificateKey = lib.mkDefault "/etc/certs/nginx.key";
      addSSL = lib.mkDefault true;
      extraConfig = lib.mkDefault "return 444;";
    };
  };
 }
--- a/base/services/polkit.nix
+++ b/base/services/polkit.nix
@@ -0,0 +1,15 @@
 { config, lib, ... }:
 let
  cfg = config.security.polkit;
 in
 {
  security.polkit.enable = true;
  environment.etc."polkit-1/rules.d/9-nixos-overrides.rules".text = lib.mkIf cfg.enable ''
    polkit.addAdminRule(function(action, subject) {
        if(subject.isInGroup("wheel")) {
            return ["unix-user:"+subject.user];
        }
    });
  '';
 }
--- a/base/services/smartd.nix
+++ b/base/services/smartd.nix
@@ -1,7 +1,9 @@
 { config, pkgs, lib, ... }:
 {
  services.smartd = {
-    enable = lib.mkDefault true;
+    # NOTE: qemu guests tend not to have SMART-reporting disks. Please override for the
    #       hosts with disk passthrough.
    enable = lib.mkDefault (!config.services.qemuGuest.enable);
    notifications = {
      mail = {
        enable = true;
--- a/base/sops.nix
+++ b/base/sops.nix
@@ -0,0 +1,12 @@
 { config, fp, lib, ... }:
 {
  sops.defaultSopsFile = let
    secretsFilePath = fp /secrets/${config.networking.hostName}/${config.networking.hostName}.yaml;
  in lib.mkIf (builtins.pathExists secretsFilePath) secretsFilePath;
  sops.age = lib.mkIf (config.sops.defaultSopsFile != null) {
    sshKeyPaths = lib.mkDefault [ "/etc/ssh/ssh_host_ed25519_key" ];
    keyFile = "/var/lib/sops-nix/key.txt";
    generateKey = true;
  };
 }
--- a/base/vm.nix
+++ b/base/vm.nix
@@ -11,5 +11,6 @@
  };
  config.virtualisation.vmVariant = {
    virtualisation.isVmVariant = true;
    virtualisation.graphics = false;
  };
 }
--- a/docs/secret-management.md
+++ b/docs/secret-management.md
@@ -151,7 +151,7 @@ is up to date, you can do the following:
 ```console
 # Fetch gpg (unless you have it already)
-nix-shell -p gpg
+nix shell nixpkgs#gnupg
 # Import oysteikts key to the gpg keychain
 gpg --import ./keys/oysteikt.pub
--- a/flake.lock
+++ b/flake.lock
@@ -1,39 +1,17 @@
 {
  "nodes": {
    "devshell": {
      "inputs": {
        "nixpkgs": [
          "nix-topology",
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1764011051,
        "narHash": "sha256-M7SZyPZiqZUR/EiiBJnmyUbOi5oE/03tCeFrTiUZchI=",
        "owner": "numtide",
        "repo": "devshell",
        "rev": "17ed8d9744ebe70424659b0ef74ad6d41fc87071",
        "type": "github"
      },
      "original": {
        "owner": "numtide",
        "repo": "devshell",
        "type": "github"
      }
    },
    "dibbler": {
      "inputs": {
        "flake-utils": "flake-utils",
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
-        "lastModified": 1767906875,
+        "lastModified": 1770133120,
-        "narHash": "sha256-S88Qh7TJwuTkMQqAdXmF3JMkuV2e5GHTdom02QrtdIs=",
+        "narHash": "sha256-RuAWONXb+U3omSsuIPCrPcgj0XYqv+2djG0cnPGEyKg=",
        "ref": "main",
-        "rev": "b86962ef0e15d1a7de445172d4acea454b119a91",
+        "rev": "3123b8b474319bc75ee780e0357dcdea69dc85e6",
-        "revCount": 220,
+        "revCount": 244,
        "type": "git",
        "url": "https://git.pvv.ntnu.no/Projects/dibbler.git"
      },
@@ -64,54 +42,21 @@
        "type": "github"
      }
    },
-    "flake-compat": {
+    "flake-parts": {
      "flake": false,
      "locked": {
        "lastModified": 1761588595,
        "narHash": "sha256-XKUZz9zewJNUj46b4AJdiRZJAvSZ0Dqj2BNfXvFlJC4=",
        "owner": "edolstra",
        "repo": "flake-compat",
        "rev": "f387cd2afec9419c8ee37694406ca490c3f34ee5",
        "type": "github"
      },
      "original": {
        "owner": "edolstra",
        "repo": "flake-compat",
        "type": "github"
      }
    },
    "flake-utils": {
      "inputs": {
-        "systems": "systems"
+        "nixpkgs-lib": "nixpkgs-lib"
      },
      "locked": {
-        "lastModified": 1731533236,
+        "lastModified": 1765835352,
-        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
+        "narHash": "sha256-XswHlK/Qtjasvhd1nOa1e8MgZ8GS//jBoTqWtrS1Giw=",
-        "owner": "numtide",
+        "owner": "hercules-ci",
-        "repo": "flake-utils",
+        "repo": "flake-parts",
-        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
+        "rev": "a34fae9c08a15ad73f295041fec82323541400a9",
        "type": "github"
      },
      "original": {
-        "id": "flake-utils",
+        "owner": "hercules-ci",
-        "type": "indirect"
+        "repo": "flake-parts",
      }
    },
    "flake-utils_2": {
      "inputs": {
        "systems": "systems_2"
      },
      "locked": {
        "lastModified": 1731533236,
        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
        "owner": "numtide",
        "repo": "flake-utils",
        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
        "type": "github"
      },
      "original": {
        "owner": "numtide",
        "repo": "flake-utils",
        "type": "github"
      }
    },
@@ -136,28 +81,6 @@
        "url": "https://git.pvv.ntnu.no/Grzegorz/gergle.git"
      }
    },
    "gitignore": {
      "inputs": {
        "nixpkgs": [
          "nix-topology",
          "pre-commit-hooks",
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1709087332,
        "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
        "owner": "hercules-ci",
        "repo": "gitignore.nix",
        "rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
        "type": "github"
      },
      "original": {
        "owner": "hercules-ci",
        "repo": "gitignore.nix",
        "type": "github"
      }
    },
    "greg-ng": {
      "inputs": {
        "nixpkgs": [
@@ -251,11 +174,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1767906653,
+        "lastModified": 1769500363,
-        "narHash": "sha256-KMiVvnlkRpW4/MVloLURfjv3bvjcae0X9skext2jKVE=",
+        "narHash": "sha256-vFxmdsLBPdTy5j2bf54gbTQi1XnWbZDmeR/BBh8MFrw=",
        "ref": "main",
-        "rev": "584fd6379c905a6370484c5b5ba0623b4fcb778f",
+        "rev": "2618e434e40e109eaab6a0693313c7e0de7324a3",
-        "revCount": 27,
+        "revCount": 47,
        "type": "git",
        "url": "https://git.pvv.ntnu.no/Projects/minecraft-kartverket.git"
      },
@@ -272,11 +195,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1767906352,
+        "lastModified": 1770960722,
-        "narHash": "sha256-wYsH9MMAPFG3XTL+3DwI39XMG0F2fTmn/5lt265a3Es=",
+        "narHash": "sha256-IdhPsWFZUKSJh/nLjGLJvGM5d5Uta+k1FlVYPxTZi0E=",
        "ref": "main",
-        "rev": "d054c5d064b8ed6d53a0adb0cf6c0a72febe212e",
+        "rev": "c2e4aca7e1ba27cd09eeaeab47010d32a11841b2",
-        "revCount": 13,
+        "revCount": 15,
        "type": "git",
        "url": "https://git.pvv.ntnu.no/Drift/nix-gitea-themes.git"
      },
@@ -288,19 +211,17 @@
    },
    "nix-topology": {
      "inputs": {
-        "devshell": "devshell",
+        "flake-parts": "flake-parts",
        "flake-utils": "flake-utils_2",
        "nixpkgs": [
          "nixpkgs"
-        ],
+        ]
        "pre-commit-hooks": "pre-commit-hooks"
      },
      "locked": {
-        "lastModified": 1767888340,
+        "lastModified": 1769018862,
-        "narHash": "sha256-CccRg4d8TpOUGz2HefBZLNYtGrcAyCMa7GVJHcUd8W4=",
+        "narHash": "sha256-x3eMpPQhZwEDunyaUos084Hx41XwYTi2uHY4Yc4YNlk=",
        "owner": "oddlama",
        "repo": "nix-topology",
-        "rev": "416ff06f72e810c554761e3f5dbf33b4f331e73e",
+        "rev": "a15cac71d3399a4c2d1a3482ae62040a3a0aa07f",
        "type": "github"
      },
      "original": {
@@ -312,53 +233,45 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1767871818,
+        "lastModified": 1769724120,
-        "narHash": "sha256-SOIHRu1sk+dW5f5DNTN5xYoeuZCyGIlKqxZ8RRj4lCM=",
+        "narHash": "sha256-oQBM04hQk1kotfv4qmIG1tHmuwODd1+hqRJE5TELeCE=",
-        "rev": "6eb8dee465373971d4495d92e23c2f0979384f76",
+        "rev": "8ec59ed5093c2a742d7744e9ecf58f358aa4a87d",
        "type": "tarball",
-        "url": "https://releases.nixos.org/nixos/25.11-small/nixos-25.11.3412.6eb8dee46537/nixexprs.tar.xz"
+        "url": "https://releases.nixos.org/nixos/25.11-small/nixos-25.11.4961.8ec59ed5093c/nixexprs.tar.xz"
      },
      "original": {
        "type": "tarball",
        "url": "https://nixos.org/channels/nixos-25.11-small/nixexprs.tar.xz"
      }
    },
    "nixpkgs-lib": {
      "locked": {
        "lastModified": 1765674936,
        "narHash": "sha256-k00uTP4JNfmejrCLJOwdObYC9jHRrr/5M/a/8L2EIdo=",
        "owner": "nix-community",
        "repo": "nixpkgs.lib",
        "rev": "2075416fcb47225d9b68ac469a5c4801a9c4dd85",
        "type": "github"
      },
      "original": {
        "owner": "nix-community",
        "repo": "nixpkgs.lib",
        "type": "github"
      }
    },
    "nixpkgs-unstable": {
      "locked": {
-        "lastModified": 1767870855,
+        "lastModified": 1769813739,
-        "narHash": "sha256-SmrGFE9SdHFz60YbSCF7TtZ+GV8nIiYiI8fTEDyUouc=",
+        "narHash": "sha256-RmNWW1DQczvDwBHu11P0hGwJZxbngdoymVu7qkwq/2M=",
-        "rev": "719f19e8e447a52152aee8061c7a2951f9254f14",
+        "rev": "16a3cae5c2487b1afa240e5f2c1811f172419558",
        "type": "tarball",
-        "url": "https://releases.nixos.org/nixos/unstable-small/nixos-26.05pre924399.719f19e8e447/nixexprs.tar.xz"
+        "url": "https://releases.nixos.org/nixos/unstable-small/nixos-26.05pre937548.16a3cae5c248/nixexprs.tar.xz"
      },
      "original": {
        "type": "tarball",
        "url": "https://nixos.org/channels/nixos-unstable-small/nixexprs.tar.xz"
      }
    },
    "pre-commit-hooks": {
      "inputs": {
        "flake-compat": "flake-compat",
        "gitignore": "gitignore",
        "nixpkgs": [
          "nix-topology",
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1765911976,
        "narHash": "sha256-t3T/xm8zstHRLx+pIHxVpQTiySbKqcQbK+r+01XVKc0=",
        "owner": "cachix",
        "repo": "pre-commit-hooks.nix",
        "rev": "b68b780b69702a090c8bb1b973bab13756cc7a27",
        "type": "github"
      },
      "original": {
        "owner": "cachix",
        "repo": "pre-commit-hooks.nix",
        "type": "github"
      }
    },
    "pvv-calendar-bot": {
      "inputs": {
        "nixpkgs": [
@@ -387,11 +300,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1768301954,
+        "lastModified": 1769009806,
-        "narHash": "sha256-qRmrsx0k6Hc0BLM0I/f3YnTg19Sofjk2l1Kp/0Xfhc8=",
+        "narHash": "sha256-52xTtAOc9B+MBRMRZ8HI6ybNsRLMlHHLh+qwAbaJjRY=",
        "ref": "main",
-        "rev": "c997ad4b47993dfd2368c3bbd07a0f71d55e3f5a",
+        "rev": "aa8adfc6a4d5b6222752e2d15d4a6d3b3b85252e",
-        "revCount": 569,
+        "revCount": 575,
        "type": "git",
        "url": "https://git.pvv.ntnu.no/Projects/nettsiden.git"
      },
@@ -401,6 +314,27 @@
        "url": "https://git.pvv.ntnu.no/Projects/nettsiden.git"
      }
    },
    "qotd": {
      "inputs": {
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1768684204,
        "narHash": "sha256-TErBiXxTRPUtZ/Mw8a5p+KCeGCFXa0o8fzwGoo75//Y=",
        "ref": "main",
        "rev": "a86f361bb8cfac3845b96d49fcbb2faea669844f",
        "revCount": 11,
        "type": "git",
        "url": "https://git.pvv.ntnu.no/Projects/qotd.git"
      },
      "original": {
        "ref": "main",
        "type": "git",
        "url": "https://git.pvv.ntnu.no/Projects/qotd.git"
      }
    },
    "root": {
      "inputs": {
        "dibbler": "dibbler",
@@ -417,6 +351,7 @@
        "nixpkgs-unstable": "nixpkgs-unstable",
        "pvv-calendar-bot": "pvv-calendar-bot",
        "pvv-nettsiden": "pvv-nettsiden",
        "qotd": "qotd",
        "roowho2": "roowho2",
        "sops-nix": "sops-nix"
      }
@@ -429,11 +364,11 @@
        "rust-overlay": "rust-overlay_3"
      },
      "locked": {
-        "lastModified": 1767903580,
+        "lastModified": 1769834595,
-        "narHash": "sha256-UtulIUyFv6HcU5BUcQONtyG29XPTOBMsJ4N0nJGNOUk=",
+        "narHash": "sha256-P1jrO7BxHyIKDuOXHuUb7bi4H2TuYnACW5eqf1gG47g=",
        "ref": "main",
-        "rev": "dd23346bda46629788b08aba2e8af3b3f13335af",
+        "rev": "def4eec2d59a69b4638b3f25d6d713b703b2fa56",
-        "revCount": 38,
+        "revCount": 49,
        "type": "git",
        "url": "https://git.pvv.ntnu.no/Projects/roowho2.git"
      },
@@ -493,11 +428,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1767322002,
+        "lastModified": 1769309768,
-        "narHash": "sha256-yHKXXw2OWfIFsyTjduB4EyFwR0SYYF0hK8xI9z4NIn0=",
+        "narHash": "sha256-AbOIlNO+JoqRJkK1VrnDXhxuX6CrdtIu2hSuy4pxi3g=",
        "owner": "oxalica",
        "repo": "rust-overlay",
-        "rev": "03c6e38661c02a27ca006a284813afdc461e9f7e",
+        "rev": "140c9dc582cb73ada2d63a2180524fcaa744fad5",
        "type": "github"
      },
      "original": {
@@ -513,11 +448,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1767826491,
+        "lastModified": 1769469829,
-        "narHash": "sha256-WSBENPotD2MIhZwolL6GC9npqgaS5fkM7j07V2i/Ur8=",
+        "narHash": "sha256-wFcr32ZqspCxk4+FvIxIL0AZktRs6DuF8oOsLt59YBU=",
        "owner": "Mic92",
        "repo": "sops-nix",
-        "rev": "ea3adcb6d2a000d9a69d0e23cad1f2cacb3a9fbe",
+        "rev": "c5eebd4eb2e3372fe12a8d70a248a6ee9dd02eff",
        "type": "github"
      },
      "original": {
@@ -526,36 +461,6 @@
        "repo": "sops-nix",
        "type": "github"
      }
    },
    "systems": {
      "locked": {
        "lastModified": 1681028828,
        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
        "owner": "nix-systems",
        "repo": "default",
        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
        "type": "github"
      },
      "original": {
        "owner": "nix-systems",
        "repo": "default",
        "type": "github"
      }
    },
    "systems_2": {
      "locked": {
        "lastModified": 1681028828,
        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
        "owner": "nix-systems",
        "repo": "default",
        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
        "type": "github"
      },
      "original": {
        "owner": "nix-systems",
        "repo": "default",
        "type": "github"
      }
    }
  },
  "root": "root",
--- a/flake.nix
+++ b/flake.nix
@@ -44,6 +44,9 @@
    minecraft-kartverket.url = "git+https://git.pvv.ntnu.no/Projects/minecraft-kartverket.git?ref=main";
    minecraft-kartverket.inputs.nixpkgs.follows = "nixpkgs";
    qotd.url = "git+https://git.pvv.ntnu.no/Projects/qotd.git?ref=main";
    qotd.inputs.nixpkgs.follows = "nixpkgs";
  };
  outputs = { self, nixpkgs, nixpkgs-unstable, sops-nix, disko, ... }@inputs:
@@ -66,50 +69,32 @@
  in {
    inputs = lib.mapAttrs (_: src: src.outPath) inputs;
-    pkgs = forAllSystems (system:
+    pkgs = forAllSystems (system: import nixpkgs {
-      import nixpkgs {
+      inherit system;
-        inherit system;
+      config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg)
-        config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg)
+        [
-          [
+          "nvidia-x11"
-            "nvidia-x11"
+          "nvidia-settings"
-            "nvidia-settings"
+        ];
-          ];
+    });
      });
    nixosConfigurations = let
      unstablePkgs = nixpkgs-unstable.legacyPackages.x86_64-linux;
      nixosConfig =
        nixpkgs:
        name:
        configurationPath:
        extraArgs@{
-          system ? "x86_64-linux",
+          localSystem ? "x86_64-linux", # buildPlatform
          crossSystem ? "x86_64-linux", # hostPlatform
          specialArgs ? { },
          modules ? [ ],
          overlays ? [ ],
          enableDefaults ? true,
          ...
        }:
-        lib.nixosSystem (lib.recursiveUpdate
+        let
-        {
+          commonPkgsConfig = {
-          inherit system;
+            inherit localSystem crossSystem;
          specialArgs = {
            inherit unstablePkgs inputs;
            values = import ./values.nix;
            fp = path: ./${path};
          } // specialArgs;
          modules = [
            configurationPath
          ] ++ (lib.optionals enableDefaults [
            sops-nix.nixosModules.sops
            inputs.roowho2.nixosModules.default
          ]) ++ modules;
          pkgs = import nixpkgs {
            inherit system;
            config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg)
              [
                "nvidia-x11"
@@ -120,9 +105,36 @@
              inputs.roowho2.overlays.default
            ]) ++ overlays;
          };
          pkgs = import nixpkgs commonPkgsConfig;
          unstablePkgs = import nixpkgs-unstable commonPkgsConfig;
        in
        lib.nixosSystem (lib.recursiveUpdate
        {
          system = crossSystem;
          inherit pkgs;
          specialArgs = {
            inherit inputs unstablePkgs;
            values = import ./values.nix;
            fp = path: ./${path};
          } // specialArgs;
          modules = [
            {
              networking.hostName = lib.mkDefault name;
            }
            configurationPath
          ] ++ (lib.optionals enableDefaults [
            sops-nix.nixosModules.sops
            inputs.roowho2.nixosModules.default
            self.nixosModules.rsync-pull-targets
          ]) ++ modules;
        }
        (builtins.removeAttrs extraArgs [
-          "system"
+          "localSystem"
          "crossSystem"
          "modules"
          "overlays"
          "specialArgs"
@@ -135,7 +147,7 @@
    in {
      bakke = stableNixosConfig "bakke" {
        modules = [
-          disko.nixosModules.disko
+          inputs.disko.nixosModules.disko
        ];
      };
      bicep = stableNixosConfig "bicep" {
@@ -157,16 +169,17 @@
      bekkalokk = stableNixosConfig "bekkalokk" {
        overlays = [
          (final: prev: {
            heimdal = unstablePkgs.heimdal;
            mediawiki-extensions = final.callPackage ./packages/mediawiki-extensions { };
            simplesamlphp = final.callPackage ./packages/simplesamlphp { };
            bluemap = final.callPackage ./packages/bluemap.nix { };
          })
          inputs.pvv-nettsiden.overlays.default
          inputs.qotd.overlays.default
        ];
        modules = [
          inputs.pvv-nettsiden.nixosModules.default
          self.nixosModules.bluemap
          inputs.qotd.nixosModules.default
        ];
      };
      ildkule = stableNixosConfig "ildkule" { };
@@ -174,6 +187,7 @@
      shark = stableNixosConfig "shark" { };
      wenche = stableNixosConfig "wenche" { };
      temmie = stableNixosConfig "temmie" { };
      gluttony = stableNixosConfig "gluttony" { };
      kommode = stableNixosConfig "kommode" {
        overlays = [
@@ -181,6 +195,7 @@
        ];
        modules = [
          inputs.nix-gitea-themes.nixosModules.default
          inputs.disko.nixosModules.disko
        ];
      };
@@ -190,6 +205,8 @@
        ];
      };
      dagali = unstableNixosConfig "dagali" { };
      brzeczyszczykiewicz = stableNixosConfig "brzeczyszczykiewicz" {
        modules = [
          inputs.grzegorz-clients.nixosModules.grzegorz-webui
@@ -212,17 +229,39 @@
          inputs.gergle.overlays.default
        ];
      };
-      skrott = stableNixosConfig "skrott" {
+    }
-        system = "aarch64-linux";
+    //
    (let
      skrottConfig = {
        modules = [
          (nixpkgs + "/nixos/modules/installer/sd-card/sd-image-aarch64.nix")
          inputs.dibbler.nixosModules.default
        ];
        overlays = [
          inputs.dibbler.overlays.default
          (final: prev: {
            # NOTE: Yeetus (these break crosscompile ¯\_(ツ)_/¯)
            atool = prev.emptyDirectory;
            micro = prev.emptyDirectory;
            ncdu = prev.emptyDirectory;
          })
        ];
      };
-    }
+    in {
      skrott = self.nixosConfigurations.skrott-native;
      skrott-native = stableNixosConfig "skrott" (skrottConfig // {
        localSystem = "aarch64-linux";
        crossSystem = "aarch64-linux";
      });
      skrott-cross = stableNixosConfig "skrott" (skrottConfig // {
        localSystem = "x86_64-linux";
        crossSystem = "aarch64-linux";
      });
      skrott-x86_64 = stableNixosConfig "skrott" (skrottConfig // {
        localSystem = "x86_64-linux";
        crossSystem = "x86_64-linux";
      });
    })
    //
    (let
      machineNames = map (i: "lupine-${toString i}") (lib.range 1 5);
@@ -235,15 +274,25 @@
    nixosModules = {
      bluemap = ./modules/bluemap.nix;
      snakeoil-certs = ./modules/snakeoil-certs.nix;
      snappymail = ./modules/snappymail.nix;
      robots-txt = ./modules/robots-txt.nix;
      gickup = ./modules/gickup;
      matrix-ooye = ./modules/matrix-ooye.nix;
      robots-txt = ./modules/robots-txt.nix;
      rsync-pull-targets = ./modules/rsync-pull-targets.nix;
      snakeoil-certs = ./modules/snakeoil-certs.nix;
      snappymail = ./modules/snappymail.nix;
    };
    devShells = forAllSystems (system: {
-      default = nixpkgs-unstable.legacyPackages.${system}.callPackage ./shell.nix { };
+      default = let
        pkgs = import nixpkgs-unstable {
          inherit system;
          overlays = [
            (final: prev: {
              inherit (inputs.disko.packages.${system}) disko;
            })
          ];
        };
      in pkgs.callPackage ./shell.nix { };
      cuda = let
        cuda-pkgs = import nixpkgs-unstable {
          inherit system;
@@ -257,19 +306,20 @@
    packages = {
      "x86_64-linux" = let
-        pkgs = nixpkgs.legacyPackages."x86_64-linux";
+        system = "x86_64-linux";
        pkgs = nixpkgs.legacyPackages.${system};
      in rec {
        default = important-machines;
        important-machines = pkgs.linkFarm "important-machines"
-          (lib.getAttrs importantMachines self.packages.x86_64-linux);
+          (lib.getAttrs importantMachines self.packages.${system});
        all-machines = pkgs.linkFarm "all-machines"
-          (lib.getAttrs allMachines self.packages.x86_64-linux);
+          (lib.getAttrs allMachines self.packages.${system});
        simplesamlphp = pkgs.callPackage ./packages/simplesamlphp { };
        bluemap = pkgs.callPackage ./packages/bluemap.nix { };
-        out-of-your-element = pkgs.callPackage ./packages/out-of-your-element.nix { };
+        out-of-your-element = pkgs.callPackage ./packages/ooye/package.nix { };
      }
      //
      # Mediawiki extensions
@@ -285,18 +335,23 @@
      //
      # Skrott is exception
      {
-        skrott = self.nixosConfigurations.skrott.config.system.build.sdImage;
+        skrott = self.packages.${system}.skrott-native-sd;
        skrott-native = self.nixosConfigurations.skrott-native.config.system.build.toplevel;
        skrott-native-sd = self.nixosConfigurations.skrott-native.config.system.build.sdImage;
        skrott-cross = self.nixosConfigurations.skrott-cross.config.system.build.toplevel;
        skrott-cross-sd = self.nixosConfigurations.skrott-cross.config.system.build.sdImage;
        skrott-x86_64 = self.nixosConfigurations.skrott-x86_64.config.system.build.toplevel;
      }
      //
      # Nix-topology
      (let
        topology' = import inputs.nix-topology {
          pkgs = import nixpkgs {
-            system = "x86_64-linux";
+            inherit system;
            overlays = [
              inputs.nix-topology.overlays.default
              (final: prev: {
-                inherit (nixpkgs-unstable.legacyPackages.x86_64-linux) super-tiny-icons;
+                inherit (nixpkgs-unstable.legacyPackages.${system}) super-tiny-icons;
              })
            ];
          };
--- a/hosts/bakke/configuration.nix
+++ b/hosts/bakke/configuration.nix
@@ -6,20 +6,13 @@
      ./filesystems.nix
    ];
  sops.defaultSopsFile = ../../secrets/bakke/bakke.yaml;
  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
  sops.age.keyFile = "/var/lib/sops-nix/key.txt";
  sops.age.generateKey = true;
  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;
  networking.hostName = "bakke";
  networking.hostId = "99609ffc";
  systemd.network.networks."30-enp2s0" = values.defaultNetworkConfig // {
    matchConfig.Name = "enp2s0";
    address = with values.hosts.bakke; [ (ipv4 + "/25") (ipv6 + "/64") ];
  };
  # Don't change (even during upgrades) unless you know what you are doing.
  # See https://search.nixos.org/options?show=system.stateVersion
  system.stateVersion = "24.05";
 }
--- a/hosts/bakke/filesystems.nix
+++ b/hosts/bakke/filesystems.nix
@@ -1,17 +1,17 @@
-{ config, pkgs, lib, ... }:
+{ pkgs,... }:
 {
  # Boot drives:
  boot.swraid.enable = true;
  # ZFS Data pool:
  environment.systemPackages = with pkgs; [ zfs ];
  boot = {
    zfs = {
      extraPools = [ "tank" ];
      requestEncryptionCredentials = false;
    };
-    supportedFilesystems = [ "zfs" ];
+    supportedFilesystems.zfs = true;
-    kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
+    # Use stable linux packages, these work with zfs
    kernelPackages = pkgs.linuxPackages;
  };
  services.zfs.autoScrub = {
    enable = true;
--- a/hosts/bakke/hardware-configuration.nix
+++ b/hosts/bakke/hardware-configuration.nix
@@ -1,4 +1,4 @@
-# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# Do not modify this file!  It was generated by 'nixos-generate-config'
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 { config, lib, pkgs, modulesPath, ... }:
--- a/hosts/bekkalokk/configuration.nix
+++ b/hosts/bekkalokk/configuration.nix
@@ -16,18 +16,9 @@
    ./services/webmail
    ./services/website
    ./services/well-known
    ./services/qotd
  ];
  sops.defaultSopsFile = fp /secrets/bekkalokk/bekkalokk.yaml;
  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
  sops.age.keyFile = "/var/lib/sops-nix/key.txt";
  sops.age.generateKey = true;
  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;
  networking.hostName = "bekkalokk";
  systemd.network.networks."30-enp2s0" = values.defaultNetworkConfig // {
    matchConfig.Name = "enp2s0";
    address = with values.hosts.bekkalokk; [ (ipv4 + "/25") (ipv6 + "/64") ];
@@ -35,7 +26,7 @@
  services.btrfs.autoScrub.enable = true;
-  # Do not change, even during upgrades.
+  # Don't change (even during upgrades) unless you know what you are doing.
  # See https://search.nixos.org/options?show=system.stateVersion
-  system.stateVersion = "22.11";
+  system.stateVersion = "25.11";
 }
--- a/hosts/bekkalokk/hardware-configuration.nix
+++ b/hosts/bekkalokk/hardware-configuration.nix
@@ -1,4 +1,4 @@
-# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# Do not modify this file!  It was generated by 'nixos-generate-config'
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 { config, lib, pkgs, modulesPath, ... }:
--- a/hosts/bekkalokk/services/mediawiki/default.nix
+++ b/hosts/bekkalokk/services/mediawiki/default.nix
@@ -1,4 +1,4 @@
-{ pkgs, lib, fp, config, values, pkgs-unstable, ... }: let
+{ pkgs, lib, fp, config, values, ... }: let
  cfg = config.services.mediawiki;
  # "mediawiki"
@@ -34,6 +34,7 @@ in {
  services.idp.sp-remote-metadata = [ "https://wiki.pvv.ntnu.no/simplesaml/" ];
  sops.secrets = lib.pipe [
    "mediawiki/secret-key"
    "mediawiki/password"
    "mediawiki/postgres_password"
    "mediawiki/simplesamlphp/postgres_password"
@@ -48,6 +49,23 @@ in {
    lib.listToAttrs
  ];
  services.rsync-pull-targets = {
    enable = true;
    locations.${cfg.uploadsDir} = {
      user = "root";
      rrsyncArgs.ro = true;
      authorizedKeysAttrs = [
        "restrict"
        "from=\"principal.pvv.ntnu.no,${values.hosts.principal.ipv6},${values.hosts.principal.ipv4}\""
        "no-agent-forwarding"
        "no-port-forwarding"
        "no-pty"
        "no-X11-forwarding"
      ];
      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICHFHa3Iq1oKPhbKCAIHgOoWOTkLmIc7yqxeTbut7ig/ mediawiki rsync backup";
    };
  };
  services.mediawiki = {
    enable = true;
    name = "Programvareverkstedet";
@@ -144,6 +162,24 @@ in {
      $wgDBserver = "${toString cfg.database.host}";
      $wgAllowCopyUploads = true;
      # Files
      $wgFileExtensions = [
        'bmp',
        'gif',
        'jpeg',
        'jpg',
        'mp3',
        'odg',
        'odp',
        'ods',
        'odt',
        'pdf',
        'png',
        'tiff',
        'webm',
        'webp',
      ];
      # Misc program paths
      $wgFFmpegLocation = '${pkgs.ffmpeg}/bin/ffmpeg';
      $wgExiftool = '${pkgs.exiftool}/bin/exiftool';
@@ -179,15 +215,15 @@ in {
  # Cache directory for simplesamlphp
  # systemd.services.phpfpm-mediawiki.serviceConfig.CacheDirectory = "mediawiki/simplesamlphp";
-  systemd.tmpfiles.settings."10-mediawiki"."/var/cache/mediawiki/simplesamlphp".d = {
+  systemd.tmpfiles.settings."10-mediawiki"."/var/cache/mediawiki/simplesamlphp".d = lib.mkIf cfg.enable {
    user = "mediawiki";
    group = "mediawiki";
    mode = "0770";
  };
-  users.groups.mediawiki.members = [ "nginx" ];
+  users.groups.mediawiki.members = lib.mkIf cfg.enable [ "nginx" ];
-  services.nginx.virtualHosts."wiki.pvv.ntnu.no" = {
+  services.nginx.virtualHosts."wiki.pvv.ntnu.no" = lib.mkIf cfg.enable {
    kTLS = true;
    forceSSL = true;
    enableACME = true;
@@ -233,4 +269,22 @@ in {
    };
  };
  systemd.services.mediawiki-init = lib.mkIf cfg.enable {
    after = [ "sops-install-secrets.service" ];
    serviceConfig = {
      BindReadOnlyPaths = [ "/run/credentials/mediawiki-init.service/secret-key:/var/lib/mediawiki/secret.key" ];
      LoadCredential = [ "secret-key:${config.sops.secrets."mediawiki/secret-key".path}" ];
      UMask = lib.mkForce "0007";
    };
  };
  systemd.services.phpfpm-mediawiki = lib.mkIf cfg.enable {
    after = [ "sops-install-secrets.service" ];
    serviceConfig = {
      BindReadOnlyPaths = [ "/run/credentials/phpfpm-mediawiki.service/secret-key:/var/lib/mediawiki/secret.key" ];
      LoadCredential = [ "secret-key:${config.sops.secrets."mediawiki/secret-key".path}" ];
      UMask = lib.mkForce "0007";
    };
  };
 }
--- a/hosts/bekkalokk/services/qotd/default.nix
+++ b/hosts/bekkalokk/services/qotd/default.nix
@@ -0,0 +1,6 @@
 {
  services.qotd = {
    enable = true;
    quotes = builtins.fromJSON (builtins.readFile ./quotes.json);
  };
 }
--- a/hosts/bekkalokk/services/qotd/quotes.json
+++ b/hosts/bekkalokk/services/qotd/quotes.json
@@ -0,0 +1 @@
 ["quote 1", "quote 2"]
--- a/hosts/bekkalokk/services/vaultwarden.nix
+++ b/hosts/bekkalokk/services/vaultwarden.nix
@@ -1,4 +1,4 @@
-{ config, pkgs, lib, ... }:
+{ config, pkgs, lib, values, ... }:
 let
  cfg = config.services.vaultwarden;
  domain = "pw.pvv.ntnu.no";
@@ -99,4 +99,21 @@ in {
      ];
    };
  };
  services.rsync-pull-targets = {
    enable = true;
    locations."/var/lib/vaultwarden" = {
      user = "root";
      rrsyncArgs.ro = true;
      authorizedKeysAttrs = [
        "restrict"
        "from=\"principal.pvv.ntnu.no,${values.hosts.principal.ipv6},${values.hosts.principal.ipv4}\""
        "no-agent-forwarding"
        "no-port-forwarding"
        "no-pty"
        "no-X11-forwarding"
      ];
      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB2cDaW52gBtLVaNqoGijvN2ZAVkAWlII5AXUzT3Dswj vaultwarden rsync backup";
    };
  };
 }
--- a/hosts/bekkalokk/services/webmail/snappymail.nix
+++ b/hosts/bekkalokk/services/webmail/snappymail.nix
@@ -1,4 +1,4 @@
-{ config, lib, fp, pkgs, ... }:
+{ config, lib, fp, pkgs, values, ... }:
 let
  cfg = config.services.snappymail;
 in {
@@ -14,5 +14,21 @@ in {
    enableACME = true;
    kTLS = true;
  };
 }
  services.rsync-pull-targets = {
    enable = true;
    locations.${cfg.dataDir} = {
      user = "root";
      rrsyncArgs.ro = true;
      authorizedKeysAttrs = [
        "restrict"
        "from=\"principal.pvv.ntnu.no,${values.hosts.principal.ipv6},${values.hosts.principal.ipv4}\""
        "no-agent-forwarding"
        "no-port-forwarding"
        "no-pty"
        "no-X11-forwarding"
      ];
      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJENMnuNsHEeA91oX+cj7Qpex2defSXP/lxznxCAqV03 snappymail rsync backup";
    };
  };
 }
--- a/hosts/bekkalokk/services/website/fetch-gallery.nix
+++ b/hosts/bekkalokk/services/website/fetch-gallery.nix
@@ -1,15 +1,30 @@
-{ pkgs, lib, config, ... }:
+{ pkgs, lib, config, values, ... }:
 let
  galleryDir = config.services.pvv-nettsiden.settings.GALLERY.DIR;
  transferDir = "${config.services.pvv-nettsiden.settings.GALLERY.DIR}-transfer";
 in {
  users.users.${config.services.pvv-nettsiden.user} = {
    # NOTE: the user unfortunately needs a registered shell for rrsync to function...
    #       is there anything we can do to remove this?
    useDefaultShell = true;
  };
-    # This is pushed from microbel:/var/www/www-gallery/build-gallery.sh
+  # This is pushed from microbel:/var/www/www-gallery/build-gallery.sh
-    openssh.authorizedKeys.keys = [
+  services.rsync-pull-targets = {
-    ''command="${pkgs.rrsync}/bin/rrsync -wo ${transferDir}",restrict,no-agent-forwarding,no-port-forwarding,no-pty,no-X11-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIjHhC2dikhWs/gG+m7qP1eSohWzTehn4ToNzDSOImyR gallery-publish''
+    enable = true;
-    ];
+    locations.${transferDir} = {
      user = config.services.pvv-nettsiden.user;
      rrsyncArgs.wo = true;
      authorizedKeysAttrs = [
        "restrict"
        "from=\"microbel.pvv.ntnu.no,${values.hosts.microbel.ipv6},${values.hosts.microbel.ipv4}\""
        "no-agent-forwarding"
        "no-port-forwarding"
        "no-pty"
        "no-X11-forwarding"
      ];
      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIjHhC2dikhWs/gG+m7qP1eSohWzTehn4ToNzDSOImyR gallery-publish";
    };
  };
  systemd.paths.pvv-nettsiden-gallery-update = {
--- a/hosts/bekkalokk/services/well-known/default.nix
+++ b/hosts/bekkalokk/services/well-known/default.nix
@@ -1,18 +1,25 @@
-{ ... }:
+{ lib, ... }:
 {
-  services.nginx.virtualHosts."www.pvv.ntnu.no".locations = {
+  services.nginx.virtualHosts = lib.genAttrs [
-    "^~ /.well-known/" = {
+    "pvv.ntnu.no"
-      alias = (toString ./root) + "/";
+    "www.pvv.ntnu.no"
-    };
+    "pvv.org"
    "www.pvv.org"
  ] (_: {
    locations = {
      "^~ /.well-known/" = {
        alias = (toString ./root) + "/";
      };
-    # Proxy the matrix well-known files
+      # Proxy the matrix well-known files
-    # Host has be set before proxy_pass
+      # Host has be set before proxy_pass
-    # The header must be set so nginx on the other side routes it to the right place
+      # The header must be set so nginx on the other side routes it to the right place
-    "^~ /.well-known/matrix/" = {
+      "^~ /.well-known/matrix/" = {
-      extraConfig = ''
+        extraConfig = ''
-        proxy_set_header Host matrix.pvv.ntnu.no;
+          proxy_set_header Host matrix.pvv.ntnu.no;
-        proxy_pass https://matrix.pvv.ntnu.no/.well-known/matrix/;
+          proxy_pass https://matrix.pvv.ntnu.no/.well-known/matrix/;
-      '';
+        '';
      };
    };
-  };
+  });
 }
--- a/hosts/bekkalokk/services/well-known/root/security.txt
+++ b/hosts/bekkalokk/services/well-known/root/security.txt
@@ -6,7 +6,11 @@ Contact: mailto:cert@pvv.ntnu.no
 Preferred-Languages: no, en
 Expires: 2032-12-31T23:59:59.000Z
-# This file was last updated 2024-09-14.
+# This file was last updated 2026-02-27.
 # You can find a wikipage for our security policies at:
 # https://wiki.pvv.ntnu.no/wiki/CERT
 # Please note that we are a student organization, and unfortunately we do not
 # have a bug bounty program or offer monetary compensation for disclosure of
 # security vulnerabilities.
--- a/hosts/bicep/configuration.nix
+++ b/hosts/bicep/configuration.nix
@@ -9,22 +9,12 @@
    ./services/calendar-bot.nix
    #./services/git-mirrors
    ./services/minecraft-heatmap.nix
-    ./services/mysql.nix
+    ./services/mysql
-    ./services/postgres.nix
+    ./services/postgresql
    ./services/matrix
  ];
  sops.defaultSopsFile = fp /secrets/bicep/bicep.yaml;
  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
  sops.age.keyFile = "/var/lib/sops-nix/key.txt";
  sops.age.generateKey = true;
  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;
  networking.hostName = "bicep";
  #systemd.network.networks."30-enp6s0f0" = values.defaultNetworkConfig // {
  systemd.network.networks."30-ens18" = values.defaultNetworkConfig // {
    #matchConfig.Name = "enp6s0f0";
@@ -36,17 +26,9 @@
    anyInterface = true;
  };
  # There are no smart devices
  services.smartd.enable = false;
  # we are a vm now
  services.qemuGuest.enable = true;
-  # Enable the OpenSSH daemon.
+  # Don't change (even during upgrades) unless you know what you are doing.
  services.openssh.enable = true;
  services.sshguard.enable = true;
  # Do not change, even during upgrades.
  # See https://search.nixos.org/options?show=system.stateVersion
-  system.stateVersion = "22.11";
+  system.stateVersion = "25.11";
 }
--- a/hosts/bicep/hardware-configuration.nix
+++ b/hosts/bicep/hardware-configuration.nix
@@ -1,4 +1,4 @@
-# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# Do not modify this file!  It was generated by 'nixos-generate-config'
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 { config, lib, pkgs, modulesPath, ... }:
--- a/hosts/bicep/services/git-mirrors/default.nix
+++ b/hosts/bicep/services/git-mirrors/default.nix
@@ -66,6 +66,7 @@ in
      package = pkgs.callPackage (fp /packages/cgit.nix) { };
      group = "gickup";
      scanPath = "${cfg.dataDir}/linktree";
      gitHttpBackend.checkExportOkFiles = false;
      settings = {
        enable-commit-graph = true;
        enable-follow-links = true;
--- a/hosts/bicep/services/matrix/coturn.nix
+++ b/hosts/bicep/services/matrix/coturn.nix
@@ -1,13 +1,6 @@
 { config, lib, fp, pkgs, secrets, values, ... }:
 {
  sops.secrets."matrix/synapse/turnconfig" = {
    sopsFile = fp /secrets/bicep/matrix.yaml;
    key = "synapse/turnconfig";
    owner = config.users.users.matrix-synapse.name;
    group = config.users.users.matrix-synapse.group;
    restartUnits = [ "coturn.service" ];
  };
  sops.secrets."matrix/coturn/static-auth-secret" = {
    sopsFile = fp /secrets/bicep/matrix.yaml;
    key = "coturn/static-auth-secret";
@@ -16,9 +9,18 @@
    restartUnits = [ "coturn.service" ];
  };
  sops.templates."matrix-synapse-turnconfig" = {
    owner = config.users.users.matrix-synapse.name;
    group = config.users.users.matrix-synapse.group;
    content = ''
      turn_shared_secret: ${config.sops.placeholder."matrix/coturn/static-auth-secret"}
    '';
    restartUnits = [ "matrix-synapse.target" ];
  };
  services.matrix-synapse-next = {
    extraConfigFiles = [
-      config.sops.secrets."matrix/synapse/turnconfig".path
+      config.sops.templates."matrix-synapse-turnconfig".path
    ];
    settings = {
--- a/hosts/bicep/services/matrix/default.nix
+++ b/hosts/bicep/services/matrix/default.nix
@@ -1,19 +1,17 @@
 { config, ... }:
 {
  imports = [
    ./synapse.nix
    ./synapse-admin.nix
    ./synapse-auto-compressor.nix
    ./synapse.nix
    ./element.nix
    ./coturn.nix
    ./livekit.nix
    ./mjolnir.nix
    ./well-known.nix
    # ./discord.nix
    ./out-of-your-element.nix
    ./hookshot
  ];
 }
--- a/hosts/bicep/services/matrix/element.nix
+++ b/hosts/bicep/services/matrix/element.nix
@@ -2,6 +2,13 @@
 let
  synapse-cfg = config.services.matrix-synapse-next;
 in {
  services.pvv-matrix-well-known.client = {
    "m.homeserver" = {
      base_url = "https://matrix.pvv.ntnu.no";
      server_name = "pvv.ntnu.no";
    };
  };
  services.nginx.virtualHosts."chat.pvv.ntnu.no" = {
    enableACME = true;
    forceSSL = true;
@@ -9,10 +16,10 @@ in {
    root = pkgs.element-web.override {
      conf = {
-        default_server_config."m.homeserver" = {
+        # Tries to look up well-known first, else uses bundled config.
-          base_url = "https://matrix.pvv.ntnu.no";
+        default_server_name = "matrix.pvv.ntnu.no";
-          server_name = "pvv.ntnu.no";
+        default_server_config = config.services.pvv-matrix-well-known.client;
-        };
+
        disable_3pid_login = true;
 #        integrations_ui_url = "https://dimension.dodsorf.as/riot";
 #        integrations_rest_url = "https://dimension.dodsorf.as/api/v1/scalar";
@@ -30,6 +37,7 @@ in {
          # element call group calls
          feature_group_calls = true;
        };
        default_country_code = "NO";
        default_theme = "dark";
        # Servers in this list should provide some sort of valuable scoping
        # matrix.org is not useful compared to matrixrooms.info,
--- a/hosts/bicep/services/matrix/hookshot/default.nix
+++ b/hosts/bicep/services/matrix/hookshot/default.nix
@@ -14,6 +14,10 @@ in
    sopsFile = fp /secrets/bicep/matrix.yaml;
    key = "hookshot/hs_token";
  };
  sops.secrets."matrix/hookshot/passkey" = {
    sopsFile = fp /secrets/bicep/matrix.yaml;
    key = "hookshot/passkey";
  };
  sops.templates."hookshot-registration.yaml" = {
    owner = config.users.users.matrix-synapse.name;
@@ -44,9 +48,14 @@ in
  };
  systemd.services.matrix-hookshot = {
-    serviceConfig.SupplementaryGroups = [
+    serviceConfig = {
-      config.users.groups.keys-matrix-registrations.name
+      SupplementaryGroups = [
-    ];
+        config.users.groups.keys-matrix-registrations.name
      ];
      LoadCredential = [
        "passkey.pem:${config.sops.secrets."matrix/hookshot/passkey".path}"
      ];
    };
  };
  services.matrix-hookshot = {
@@ -54,6 +63,8 @@ in
    package = unstablePkgs.matrix-hookshot;
    registrationFile = config.sops.templates."hookshot-registration.yaml".path;
    settings = {
      passFile = "/run/credentials/matrix-hookshot.service/passkey.pem";
      bridge = {
        bindAddress = "127.0.0.1";
        domain = "pvv.ntnu.no";
@@ -61,6 +72,7 @@ in
        mediaUrl = "https://matrix.pvv.ntnu.no";
        port = 9993;
      };
      listeners = [
        {
          bindAddress = webhookListenAddress;
@@ -73,6 +85,7 @@ in
          ];
        }
      ];
      generic = {
        enabled = true;
        outbound = true;
--- a/hosts/bicep/services/matrix/livekit.nix
+++ b/hosts/bicep/services/matrix/livekit.nix
@@ -0,0 +1,67 @@
 { config, lib, fp, ... }:
 let
  synapseConfig = config.services.matrix-synapse-next;
  matrixDomain = "matrix.pvv.ntnu.no";
  cfg = config.services.livekit;
 in
 {
  sops.secrets."matrix/livekit/keyfile/lk-jwt-service" = {
    sopsFile = fp /secrets/bicep/matrix.yaml;
    key = "livekit/keyfile/lk-jwt-service";
  };
  sops.templates."matrix-livekit-keyfile" = {
    restartUnits = [
      "livekit.service"
      "lk-jwt-service.service"
    ];
    content = ''
      lk-jwt-service: ${config.sops.placeholder."matrix/livekit/keyfile/lk-jwt-service"}
    '';
  };
  services.pvv-matrix-well-known.client = lib.mkIf cfg.enable {
    "org.matrix.msc4143.rtc_foci" = [{
      type = "livekit";
      livekit_service_url = "https://${matrixDomain}/livekit/jwt";
    }];
  };
  services.livekit = {
    enable = true;
    openFirewall = true;
    keyFile = config.sops.templates."matrix-livekit-keyfile".path;
    # NOTE: needed for ingress/egress workers
    # redis.createLocally = true;
    # settings.room.auto_create = false;
  };
  services.lk-jwt-service = lib.mkIf cfg.enable {
    enable = true;
    livekitUrl = "wss://${matrixDomain}/livekit/sfu";
    keyFile = config.sops.templates."matrix-livekit-keyfile".path;
  };
  systemd.services.lk-jwt-service.environment.LIVEKIT_FULL_ACCESS_HOMESERVERS = lib.mkIf cfg.enable (builtins.concatStringsSep "," [ "pvv.ntnu.no" "dodsorf.as" ]);
  services.nginx.virtualHosts.${matrixDomain} = lib.mkIf cfg.enable {
    locations."^~ /livekit/jwt/" = {
      proxyPass = "http://localhost:${toString config.services.lk-jwt-service.port}/";
    };
    # TODO: load balance to multiple livekit ingress/egress workers
    locations."^~ /livekit/sfu/" = {
      proxyPass = "http://localhost:${toString config.services.livekit.settings.port}/";
      proxyWebsockets = true;
      extraConfig = ''
        proxy_send_timeout 120;
        proxy_read_timeout 120;
        proxy_buffering off;
        proxy_set_header Accept-Encoding gzip;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
      '';
    };
  };
 }
--- a/hosts/bicep/services/matrix/out-of-your-element.nix
+++ b/hosts/bicep/services/matrix/out-of-your-element.nix
@@ -1,4 +1,4 @@
-{ config, pkgs, fp, ... }:
+{ config, pkgs, lib, values, fp, ... }:
 let
  cfg = config.services.matrix-ooye;
 in
@@ -28,6 +28,23 @@ in
    };
  };
  services.rsync-pull-targets = lib.mkIf cfg.enable {
    enable = true;
    locations."/var/lib/private/matrix-ooye" = {
      user = "root";
      rrsyncArgs.ro = true;
      authorizedKeysAttrs = [
        "restrict"
        "from=\"principal.pvv.ntnu.no,${values.hosts.principal.ipv6},${values.hosts.principal.ipv4}\""
        "no-agent-forwarding"
        "no-port-forwarding"
        "no-pty"
        "no-X11-forwarding"
      ];
      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE5koYfor5+kKB30Dugj3dAWvmj8h/akQQ2XYDvLobFL matrix_ooye rsync backup";
    };
  };
  services.matrix-ooye = {
    enable = true;
    homeserver = "https://matrix.pvv.ntnu.no";
--- a/hosts/bicep/services/matrix/synapse-auto-compressor.nix
+++ b/hosts/bicep/services/matrix/synapse-auto-compressor.nix
@@ -0,0 +1,56 @@
 { config, lib, utils, ... }:
 let
  cfg = config.services.synapse-auto-compressor;
 in
 {
  services.synapse-auto-compressor = {
    # enable = true;
    postgresUrl = "postgresql://matrix-synapse@/synapse?host=/run/postgresql";
  };
  # NOTE: nixpkgs has some broken asserts, vendored the entire unit
  systemd.services.synapse-auto-compressor = {
    description = "synapse-auto-compressor";
    requires = [
      "postgresql.target"
    ];
    inherit (cfg) startAt;
    serviceConfig = {
      Type = "oneshot";
      DynamicUser = true;
      User = "matrix-synapse";
      PrivateTmp = true;
      ExecStart = utils.escapeSystemdExecArgs [
        "${cfg.package}/bin/synapse_auto_compressor"
        "-p"
        cfg.postgresUrl
        "-c"
        cfg.settings.chunk_size
        "-n"
        cfg.settings.chunks_to_compress
        "-l"
        (lib.concatStringsSep "," (map toString cfg.settings.levels))
      ];
      LockPersonality = true;
      MemoryDenyWriteExecute = true;
      NoNewPrivileges = true;
      PrivateDevices = true;
      PrivateMounts = true;
      PrivateUsers = true;
      RemoveIPC = true;
      RestrictNamespaces = true;
      RestrictRealtime = true;
      RestrictSUIDSGID = true;
      ProcSubset = "pid";
      ProtectProc = "invisible";
      ProtectSystem = "strict";
      ProtectHome = true;
      ProtectHostname = true;
      ProtectClock = true;
      ProtectKernelTunables = true;
      ProtectKernelModules = true;
      ProtectKernelLogs = true;
      ProtectControlGroups = true;
    };
  };
 }
--- a/hosts/bicep/services/matrix/synapse.nix
+++ b/hosts/bicep/services/matrix/synapse.nix
@@ -15,11 +15,33 @@ in {
    group = config.users.users.matrix-synapse.group;
  };
-  sops.secrets."matrix/synapse/user_registration" = {
+  sops.secrets."matrix/synapse/user_registration/registration_shared_secret" = {
    sopsFile = fp /secrets/bicep/matrix.yaml;
-    key = "synapse/signing_key";
+    key = "synapse/user_registration/registration_shared_secret";
  };
  sops.templates."matrix-synapse-user-registration" = {
    owner = config.users.users.matrix-synapse.name;
    group = config.users.users.matrix-synapse.group;
    content = ''
      registration_shared_secret: ${config.sops.placeholder."matrix/synapse/user_registration/registration_shared_secret"}
    '';
  };
  services.rsync-pull-targets = {
    enable = true;
    locations.${cfg.settings.media_store_path} = {
      user = "root";
      rrsyncArgs.ro = true;
      authorizedKeysAttrs = [
        "restrict"
        "from=\"principal.pvv.ntnu.no,${values.hosts.principal.ipv6},${values.hosts.principal.ipv4}\""
        "no-agent-forwarding"
        "no-port-forwarding"
        "no-pty"
        "no-X11-forwarding"
      ];
      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIASnjI9b3j4ZS3BL/D1ggHfws1BkE8iS0v0cGpEmbG+k matrix_media_store rsync backup";
    };
  };
  services.matrix-synapse-next = {
@@ -83,7 +105,7 @@ in {
      mau_stats_only = true;
      enable_registration = false;
-      registration_shared_secret_path = config.sops.secrets."matrix/synapse/user_registration".path;
+      registration_shared_secret_path = config.sops.templates."matrix-synapse-user-registration".path;
      password_config.enabled = true;
@@ -95,6 +117,32 @@ in {
        }
      ];
      experimental_features = {
        # MSC3266: Room summary API. Used for knocking over federation
        msc3266_enabled = true;
        # MSC4222 needed for syncv2 state_after. This allow clients to
        # correctly track the state of the room.
        msc4222_enabled = true;
      };
      # The maximum allowed duration by which sent events can be delayed, as
      # per MSC4140.
      max_event_delay_duration = "24h";
      rc_message = {
        # This needs to match at least e2ee key sharing frequency plus a bit of headroom
        # Note key sharing events are bursty
        per_second = 0.5;
        burst_count = 30;
      };
      rc_delayed_event_mgmt = {
        # This needs to match at least the heart-beat frequency plus a bit of headroom
        # Currently the heart-beat is every 5 seconds which translates into a rate of 0.2s
        per_second = 1;
        burst_count = 20;
      };
      trusted_key_servers = [
        { server_name = "matrix.org"; }
        { server_name = "dodsorf.as"; }
@@ -132,21 +180,12 @@ in {
  services.redis.servers."".enable = true;
  services.pvv-matrix-well-known.server."m.server" = "matrix.pvv.ntnu.no:443";
  services.nginx.virtualHosts."matrix.pvv.ntnu.no" = lib.mkMerge [
  {
    kTLS = true;
  }
  {
    locations."/.well-known/matrix/server" = {
      return = ''
        200 '{"m.server": "matrix.pvv.ntnu.no:443"}'
      '';
      extraConfig = ''
        default_type application/json;
        add_header Access-Control-Allow-Origin *;
      '';
    };
  }
  {
    locations."/_synapse/admin" = {
      proxyPass = "http://$synapse_backend";
--- a/hosts/bicep/services/matrix/well-known.nix
+++ b/hosts/bicep/services/matrix/well-known.nix
@@ -0,0 +1,44 @@
 { config, pkgs, lib, ... }:
 let
  cfg = config.services.pvv-matrix-well-known;
  format = pkgs.formats.json { };
  matrixDomain = "matrix.pvv.ntnu.no";
 in
 {
  options.services.pvv-matrix-well-known = {
    client = lib.mkOption {
      type = lib.types.submodule { freeformType = format.type; };
      default = { };
      example = {
        "m.homeserver".base_url = "https://${matrixDomain}/";
      };
    };
    server = lib.mkOption {
      type = lib.types.submodule { freeformType = format.type; };
      default = { };
      example = {
        "m.server" = "https://${matrixDomain}/";
      };
    };
  };
  config = {
    services.nginx.virtualHosts.${matrixDomain} = {
      locations."= /.well-known/matrix/client" = lib.mkIf (cfg.client != { }) {
        alias = format.generate "nginx-well-known-matrix-server.json" cfg.client;
        extraConfig = ''
          default_type application/json;
          add_header Access-Control-Allow-Origin *;
        '';
      };
      locations."= /.well-known/matrix/server" = lib.mkIf (cfg.server != { }) {
        alias = format.generate "nginx-well-known-matrix-server.json" cfg.server;
        extraConfig = ''
          default_type application/json;
          add_header Access-Control-Allow-Origin *;
        '';
      };
    };
  };
 }
--- a/hosts/bicep/services/minecraft-heatmap.nix
+++ b/hosts/bicep/services/minecraft-heatmap.nix
@@ -22,7 +22,7 @@ in
    };
  };
-  systemd.services.minecraft-heatmap-ingest-logs = {
+  systemd.services.minecraft-heatmap-ingest-logs = lib.mkIf cfg.enable {
    serviceConfig.LoadCredential = [
      "sshkey:${config.sops.secrets."minecraft-heatmap/ssh-key/private".path}"
    ];
--- a/hosts/bicep/services/mysql/backup.nix
+++ b/hosts/bicep/services/mysql/backup.nix
@@ -0,0 +1,83 @@
 { config, lib, pkgs, values, ... }:
 let
  cfg = config.services.mysql;
  backupDir = "/data/mysql-backups";
 in
 {
  # services.mysqlBackup = lib.mkIf cfg.enable {
  #   enable = true;
  #   location = "/var/lib/mysql-backups";
  # };
  systemd.tmpfiles.settings."10-mysql-backups".${backupDir}.d = {
 	  user = "mysql";
 	  group = "mysql";
 	  mode = "700";
 	};
  services.rsync-pull-targets = lib.mkIf cfg.enable {
    enable = true;
    locations.${backupDir} = {
      user = "root";
      rrsyncArgs.ro = true;
      authorizedKeysAttrs = [
        "restrict"
        "from=\"principal.pvv.ntnu.no,${values.hosts.principal.ipv6},${values.hosts.principal.ipv4}\""
        "no-agent-forwarding"
        "no-port-forwarding"
        "no-pty"
        "no-X11-forwarding"
      ];
      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJgj55/7Cnj4cYMJ5sIkl+OwcGeBe039kXJTOf2wvo9j mysql rsync backup";
    };
  };
  # NOTE: instead of having the upstream nixpkgs postgres backup unit trigger
  #       another unit, it was easier to just make one ourselves.
  systemd.services."backup-mysql" = lib.mkIf cfg.enable {
    description = "Backup MySQL data";
    requires = [ "mysql.service" ];
    path = with pkgs; [
      cfg.package
      coreutils
      zstd
    ];
    script = let
      rotations = 2;
    in ''
      set -euo pipefail
      OUT_FILE="$STATE_DIRECTORY/mysql-dump-$(date --iso-8601).sql.zst"
      mysqldump --all-databases | zstd --compress -9 --rsyncable -o "$OUT_FILE"
      # NOTE: this needs to be a hardlink for rrsync to allow sending it
      rm "$STATE_DIRECTORY/mysql-dump-latest.sql.zst" ||:
      ln -T "$OUT_FILE" "$STATE_DIRECTORY/mysql-dump-latest.sql.zst"
      while [ "$(find "$STATE_DIRECTORY" -type f -printf '.' | wc -c)" -gt ${toString (rotations + 1)} ]; do
        rm "$(find "$STATE_DIRECTORY" -type f -printf '%T+ %p\n' | sort | head -n 1 | cut -d' ' -f2)"
      done
    '';
    serviceConfig = {
      Type = "oneshot";
      User = "mysql";
      Group = "mysql";
      UMask = "0077";
      Nice = 19;
      IOSchedulingClass = "best-effort";
      IOSchedulingPriority = 7;
      StateDirectory = [ "mysql-backups" ];
      BindPaths = [ "${backupDir}:/var/lib/mysql-backups" ];
      # TODO: hardening
    };
    startAt = "*-*-* 02:15:00";
  };
 }
--- a/hosts/bicep/services/mysql/default.nix
+++ b/hosts/bicep/services/mysql/default.nix
@@ -1,5 +1,11 @@
-{ pkgs, lib, config, values, ... }:
+{ config, pkgs, lib, values, ... }:
 let
  cfg = config.services.mysql;
  dataDir = "/data/mysql";
 in
 {
  imports = [ ./backup.nix ];
  sops.secrets."mysql/password" = {
    owner = "mysql";
    group = "mysql";
@@ -9,8 +15,7 @@
  services.mysql = {
    enable = true;
-    dataDir = "/data/mysql";
+    package = pkgs.mariadb_118;
    package = pkgs.mariadb;
    settings = {
      mysqld = {
        # PVV allows a lot of connections at the same time
@@ -21,6 +26,9 @@
        # This was needed in order to be able to use all of the old users
        # during migration from knakelibrak to bicep in Sep. 2023
        secure_auth = 0;
        slow-query-log = 1;
        slow-query-log-file = "/var/log/mysql/mysql-slow.log";
      };
    };
@@ -36,20 +44,31 @@
    }];
  };
-  services.mysqlBackup = {
+  networking.firewall.allowedTCPPorts = lib.mkIf cfg.enable [ 3306 ];
-    enable = true;
+
-    location = "/var/lib/mysql/backups";
+  systemd.tmpfiles.settings."10-mysql".${dataDir}.d = lib.mkIf cfg.enable {
    inherit (cfg) user group;
    mode = "0700";
  };
-  networking.firewall.allowedTCPPorts = [ 3306 ];
+  systemd.services.mysql = lib.mkIf cfg.enable {
-
+    after = [
-  systemd.services.mysql.serviceConfig = {
+      "systemd-tmpfiles-setup.service"
-    IPAddressDeny = "any";
+      "systemd-tmpfiles-resetup.service"
    IPAddressAllow = [
      values.ipv4-space
      values.ipv6-space
      values.hosts.ildkule.ipv4
      values.hosts.ildkule.ipv6
    ];
    serviceConfig = {
      BindPaths = [ "${dataDir}:${cfg.dataDir}" ];
      LogsDirectory = "mysql";
      IPAddressDeny = "any";
      IPAddressAllow = [
        values.ipv4-space
        values.ipv6-space
        values.hosts.ildkule.ipv4
        values.hosts.ildkule.ipv6
      ];
    };
  };
 }
--- a/hosts/bicep/services/postgresql/backup.nix
+++ b/hosts/bicep/services/postgresql/backup.nix
@@ -0,0 +1,84 @@
 { config, lib, pkgs, values, ... }:
 let
  cfg = config.services.postgresql;
  backupDir = "/data/postgresql-backups";
 in
 {
  # services.postgresqlBackup = lib.mkIf cfg.enable {
  #   enable = true;
  #   location = "/var/lib/postgresql-backups";
  #   backupAll = true;
  # };
  systemd.tmpfiles.settings."10-postgresql-backups".${backupDir}.d = {
 	  user = "postgres";
 	  group = "postgres";
 	  mode = "700";
 	};
  services.rsync-pull-targets = lib.mkIf cfg.enable {
    enable = true;
    locations.${backupDir} = {
      user = "root";
      rrsyncArgs.ro = true;
      authorizedKeysAttrs = [
        "restrict"
        "from=\"principal.pvv.ntnu.no,${values.hosts.principal.ipv6},${values.hosts.principal.ipv4}\""
        "no-agent-forwarding"
        "no-port-forwarding"
        "no-pty"
        "no-X11-forwarding"
      ];
      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGvO7QX7QmwSiGLXEsaxPIOpAqnJP3M+qqQRe5dzf8gJ postgresql rsync backup";
    };
  };
  # NOTE: instead of having the upstream nixpkgs postgres backup unit trigger
  #       another unit, it was easier to just make one ourselves
  systemd.services."backup-postgresql" = {
    description = "Backup PostgreSQL data";
    requires = [ "postgresql.service" ];
    path = with pkgs; [
      coreutils
      zstd
      cfg.package
    ];
    script = let
      rotations = 2;
    in ''
      set -euo pipefail
      OUT_FILE="$STATE_DIRECTORY/postgresql-dump-$(date --iso-8601).sql.zst"
      pg_dumpall -U postgres | zstd --compress -9 --rsyncable -o "$OUT_FILE"
      # NOTE: this needs to be a hardlink for rrsync to allow sending it
      rm "$STATE_DIRECTORY/postgresql-dump-latest.sql.zst" ||:
      ln -T "$OUT_FILE" "$STATE_DIRECTORY/postgresql-dump-latest.sql.zst"
      while [ "$(find "$STATE_DIRECTORY" -type f -printf '.' | wc -c)" -gt ${toString (rotations + 1)} ]; do
        rm "$(find "$STATE_DIRECTORY" -type f -printf '%T+ %p\n' | sort | head -n 1 | cut -d' ' -f2)"
      done
    '';
    serviceConfig = {
      Type = "oneshot";
      User = "postgres";
      Group = "postgres";
      UMask = "0077";
      Nice = 19;
      IOSchedulingClass = "best-effort";
      IOSchedulingPriority = 7;
      StateDirectory = [ "postgresql-backups" ];
      BindPaths = [ "${backupDir}:/var/lib/postgresql-backups" ];
      # TODO: hardening
    };
    startAt = "*-*-* 01:15:00";
  };
 }
--- a/hosts/bicep/services/postgresql/default.nix
+++ b/hosts/bicep/services/postgresql/default.nix
@@ -1,8 +1,13 @@
-{ config, pkgs, values, ... }:
+{ config, lib, pkgs, values, ... }:
 let
  cfg = config.services.postgresql;
 in
 {
  imports = [ ./backup.nix ];
  services.postgresql = {
    enable = true;
-    package = pkgs.postgresql_15;
+    package = pkgs.postgresql_18;
    enableTCPIP = true;
    authentication = ''
@@ -74,13 +79,13 @@
    };
  };
-  systemd.tmpfiles.settings."10-postgresql"."/data/postgresql".d = {
+  systemd.tmpfiles.settings."10-postgresql"."/data/postgresql".d = lib.mkIf cfg.enable {
    user = config.systemd.services.postgresql.serviceConfig.User;
    group = config.systemd.services.postgresql.serviceConfig.Group;
    mode = "0700";
  };
-  systemd.services.postgresql-setup = {
+  systemd.services.postgresql-setup = lib.mkIf cfg.enable {
    after = [
      "systemd-tmpfiles-setup.service"
      "systemd-tmpfiles-resetup.service"
@@ -95,7 +100,7 @@
    };
  };
-  systemd.services.postgresql = {
+  systemd.services.postgresql = lib.mkIf cfg.enable {
    after = [
      "systemd-tmpfiles-setup.service"
      "systemd-tmpfiles-resetup.service"
@@ -110,18 +115,12 @@
    };
  };
-  environment.snakeoil-certs."/etc/certs/postgres" = {
+  environment.snakeoil-certs."/etc/certs/postgres" = lib.mkIf cfg.enable {
    owner = "postgres";
    group = "postgres";
    subject = "/C=NO/O=Programvareverkstedet/CN=postgres.pvv.ntnu.no/emailAddress=drift@pvv.ntnu.no";
  };
-  networking.firewall.allowedTCPPorts = [ 5432 ];
+  networking.firewall.allowedTCPPorts = lib.mkIf cfg.enable [ 5432 ];
-  networking.firewall.allowedUDPPorts = [ 5432 ];
+  networking.firewall.allowedUDPPorts = lib.mkIf cfg.enable [ 5432 ];
  services.postgresqlBackup = {
    enable = true;
    location = "/var/lib/postgres/backups";
    backupAll = true;
  };
 }
--- a/hosts/bikkje/configuration.nix
+++ b/hosts/bikkje/configuration.nix
@@ -1,6 +1,6 @@
 { config, pkgs, values, ... }:
 {
-    networking.nat = {
+  networking.nat = {
    enable = true;
    internalInterfaces = ["ve-+"];
    externalInterface = "ens3";
@@ -25,6 +25,7 @@
      ];
      networking = {
        hostName = "bikkje";
        firewall = {
          enable = true;
          # Allow SSH and HTTP and ports for email and irc
@@ -36,9 +37,11 @@
        useHostResolvConf = mkForce false;
      };
      system.stateVersion = "23.11";
      services.resolved.enable = true;
      # Don't change (even during upgrades) unless you know what you are doing.
      # See https://search.nixos.org/options?show=system.stateVersion
      system.stateVersion = "23.11";
    };
  };
 };
--- a/hosts/brzeczyszczykiewicz/configuration.nix
+++ b/hosts/brzeczyszczykiewicz/configuration.nix
@@ -8,28 +8,14 @@
      ./services/grzegorz.nix
    ];
  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;
  networking.hostName = "brzeczyszczykiewicz";
  systemd.network.networks."30-eno1" = values.defaultNetworkConfig // {
    matchConfig.Name = "eno1";
    address = with values.hosts.brzeczyszczykiewicz; [ (ipv4 + "/25") (ipv6 + "/64") ];
  };
-  # List packages installed in system profile
+  fonts.fontconfig.enable = true;
  environment.systemPackages = with pkgs; [
  ];
  # List services that you want to enable:
  # This value determines the NixOS release from which the default
  # settings for stateful data, like file locations and database versions
  # on your system were taken. It‘s perfectly fine and recommended to leave
  # this value at the release version of the first install of this system.
  # Before changing this value read the documentation for this option
  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
  system.stateVersion = "23.05"; # Did you read the comment?
  # Don't change (even during upgrades) unless you know what you are doing.
  # See https://search.nixos.org/options?show=system.stateVersion
  system.stateVersion = "25.11";
 }
--- a/hosts/brzeczyszczykiewicz/hardware-configuration.nix
+++ b/hosts/brzeczyszczykiewicz/hardware-configuration.nix
@@ -1,4 +1,4 @@
-# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# Do not modify this file!  It was generated by 'nixos-generate-config'
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 { config, lib, pkgs, modulesPath, ... }:
--- a/hosts/dagali/TODO.md
+++ b/hosts/dagali/TODO.md
@@ -0,0 +1,78 @@
 # Tracking document for new PVV kerberos auth stack
 ![Bensinstasjon på heimdal](https://bydelsnytt.no/wp-content/uploads/2022/08/esso_heimdal003.jpg)
 <div align="center">
  Bensinstasjon på heimdal
 </div>
 ### TODO:
 - [ ] setup heimdal
  - [x] ensure running with systemd
  - [x] compile smbk5pwd (part of openldap)
  - [ ] set `modify -a -disallow-all-tix,requires-pre-auth default` declaratively
  - [ ] fully initialize PVV.NTNU.NO
    - [x] `kadmin -l init PVV.NTNU.NO`
    - [x] add oysteikt/admin@PVV.NTNU.NO principal
    - [x] add oysteikt@PVV.NTNU.NO principal
    - [x] add krbtgt/PVV.NTNU.NO@PVV.NTNU.NO principal?
      - why is this needed, and where is it documented?
      - `kadmin check` seems to work under sudo?
      - (it is included by default, just included as error message
         in a weird state)
    - [x] Ensure client is working correctly
      - [x] Ensure kinit works on darbu
      - [x] Ensure kpasswd works on darbu
      - [x] Ensure kadmin get <user> (and other restricted commands) works on darbu
    - [ ] Ensure kdc is working correctly
      - [x] Ensure kinit works on dagali
      - [x] Ensure kpasswd works on dagali
      - [ ] Ensure kadmin get <user> (and other restricte commands) works on dagali
    - [x] Fix FQDN
      - https://github.com/NixOS/nixpkgs/issues/94011
      - https://github.com/NixOS/nixpkgs/issues/261269
      - Possibly fixed by disabling systemd-resolved
 - [ ] setup cyrus sasl
  - [x] ensure running with systemd 
  - [x] verify GSSAPI support plugin is installed
    - `nix-shell -p cyrus_sasl --command pluginviewer`
  - [x] create "host/localhost@PVV.NTNU.NO" and export to keytab
  - [x] verify cyrus sasl is able to talk to heimdal
    - `sudo testsaslauthd -u oysteikt -p <password>`
  - [ ] provide ldap principal to cyrus sasl through keytab
 - [ ] setup openldap
  - [x] ensure running with systemd
  - [ ] verify openldap is able to talk to cyrus sasl
  - [ ] create user for oysteikt in openldap
  - [ ] authenticate openldap login through sasl
    - does this require creating an ldap user?
 - [ ] fix smbk5pwd integration
  - [x] add smbk5pwd schemas to openldap
  - [x] create openldap db for smbk5pwd with overlays
  - [ ] test to ensure that user sync is working
  - [ ] test as user source (replace passwd)
  - [ ] test as PAM auth source
  - [ ] test as auth source for 3rd party appliation
 - [ ] Set up ldap administration panel
  - Doesn't seem like there are many good ones out there. Maybe phpLDAPAdmin?
 - [ ] Set up kerberos SRV DNS entry
 ### Information and URLS
 - OpenLDAP SASL: https://www.openldap.org/doc/admin24/sasl.html
 - Use a keytab: https://kb.iu.edu/d/aumh
 - 2 ways for openldap to auth: https://security.stackexchange.com/questions/65093/how-to-test-ldap-that-authenticates-with-kerberos
 - Cyrus guide OpenLDAP + SASL + GSSAPI: https://www.cyrusimap.org/sasl/sasl/faqs/openldap-sasl-gssapi.html
 - Configuring GSSAPI and Cyrus SASL: https://web.mit.edu/darwin/src/modules/passwordserver_sasl/cyrus_sasl/doc/gssapi.html
 - PVV Kerberos docs: https://wiki.pvv.ntnu.no/wiki/Drift/Kerberos
 - OpenLDAP smbk5pwd source: https://git.openldap.org/nivanova/openldap/-/tree/master/contrib/slapd-modules/smbk5pwd
 - saslauthd(8): https://linux.die.net/man/8/saslauthd
--- a/hosts/dagali/configuration.nix
+++ b/hosts/dagali/configuration.nix
@@ -0,0 +1,51 @@
 { config, pkgs, values, lib, ... }:
 {
  imports = [
    ./hardware-configuration.nix
    ../../base.nix
    ../../misc/metrics-exporters.nix
    ./services/heimdal.nix
    #./services/openldap.nix
    ./services/cyrus-sasl.nix
  ];
  # buskerud does not support efi?
  # boot.loader.systemd-boot.enable = true;
  # boot.loader.efi.canTouchEfiVariables = true;
  boot.loader.grub.enable = true;
  boot.loader.grub.device = "/dev/sda";
  # resolved messes up FQDN coming from nscd
  services.resolved.enable = false;
  networking.hostName = "dagali";
  networking.domain = lib.mkForce "pvv.local";
  networking.hosts = {
    "129.241.210.185" = [ "dagali.pvv.local" ];
  };
  #networking.search = [ "pvv.ntnu.no" "pvv.org" ];
  networking.nameservers = [ "129.241.0.200" "129.241.0.201" ];
  networking.tempAddresses = "disabled";
  networking.networkmanager.enable = true;
  systemd.network.networks."ens18" = values.defaultNetworkConfig // {
    matchConfig.Name = "ens18";
    address = with values.hosts.dagali; [ (ipv4 + "/25") (ipv6 + "/64") ];
  };
  # List packages installed in system profile
  environment.systemPackages = with pkgs; [
    # TODO: consider adding to base.nix
    nix-output-monitor
  ];
  # This value determines the NixOS release from which the default
  # settings for stateful data, like file locations and database versions
  # on your system were taken. It‘s perfectly fine and recommended to leave
  # this value at the release version of the first install of this system.
  # Before changing this value read the documentation for this option
  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
  system.stateVersion = "24.05"; # Did you read the comment?
 }
--- a/hosts/dagali/hardware-configuration.nix
+++ b/hosts/dagali/hardware-configuration.nix
@@ -0,0 +1,33 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 { config, lib, pkgs, modulesPath, ... }:
 {
  imports =
    [ (modulesPath + "/profiles/qemu-guest.nix")
    ];
  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ ];
  boot.extraModulePackages = [ ];
  fileSystems."/" =
    { device = "/dev/disk/by-uuid/4de345e2-be41-4d10-9b90-823b2c77e9b3";
      fsType = "ext4";
    };
  swapDevices =
    [ { device = "/dev/disk/by-uuid/aa4b9a97-a7d8-4608-9f67-4ad084f1baf7"; }
    ];
  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
  # (the default) this is the recommended approach. When using systemd-networkd it's
  # still possible to use this option, but it's recommended to use it in conjunction
  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
  networking.useDHCP = lib.mkDefault true;
  # networking.interfaces.ens18.useDHCP = lib.mkDefault true;
  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
 }
--- a/hosts/dagali/services/cyrus-sasl.nix
+++ b/hosts/dagali/services/cyrus-sasl.nix
@@ -0,0 +1,21 @@
 { config, ... }:
 let
  cfg = config.services.saslauthd;
 in
 {
  # TODO: This is seemingly required for openldap to authenticate
  #       against kerberos, but I have no idea how to configure it as
  #       such. Does it need a keytab? There's a binary "testsaslauthd"
  #       that follows with `pkgs.cyrus_sasl` that might be useful.
  services.saslauthd = {
    enable = true;
    mechanism = "kerberos5";
    config = ''
      mech_list: gs2-krb5 gssapi
      keytab: /etc/krb5.keytab
    '';
  };
  # TODO: maybe the upstream module should consider doing this?
  environment.systemPackages = [ cfg.package ];
 }
--- a/hosts/dagali/services/heimdal.nix
+++ b/hosts/dagali/services/heimdal.nix
@@ -0,0 +1,100 @@
 { config, pkgs, lib, ... }:
 let
  realm = "PVV.LOCAL";
  cfg = config.security.krb5;
 in
 {
  security.krb5 = {
    enable = true;
    # NOTE: This is required in order to build smbk5pwd, because of some nested includes.
    #       We should open an issue upstream (heimdal, not nixpkgs), but this patch
    #       will do for now.
    package = pkgs.heimdal.overrideAttrs (prev: {
      postInstall = prev.postInstall + ''
        cp include/heim_threads.h $dev/include
      '';
    });
    settings = {
      realms.${realm} = {
        kdc = [ "dagali.${lib.toLower realm}" ];
        admin_server = "dagali.${lib.toLower realm}";
        kpasswd_server = "dagali.${lib.toLower realm}";
        default_domain = lib.toLower realm;
        primary_kdc = "dagali.${lib.toLower realm}";
      };
      kadmin.default_keys = lib.concatStringsSep " " [
        "aes256-cts-hmac-sha1-96:pw-salt"
        "aes128-cts-hmac-sha1-96:pw-salt"
      ];
      libdefaults.default_etypes = lib.concatStringsSep " " [
        "aes256-cts-hmac-sha1-96"
        "aes128-cts-hmac-sha1-96"
      ];
      libdefaults = {
        default_realm = realm;
        dns_lookup_kdc = false;
        dns_lookup_realm = false;
      };
      domain_realm = {
        "${lib.toLower realm}" = realm;
        ".${lib.toLower realm}" = realm;
      };
      logging = {
        # kdc = "CONSOLE";
        kdc = "SYSLOG:DEBUG:AUTH";
        admin_server = "SYSLOG:DEBUG:AUTH";
        default = "SYSLOG:DEBUG:AUTH";
      };
    };
  };
  services.kerberos_server = {
    enable = true;
    settings = {
      realms.${realm} = {
        dbname = "/var/lib/heimdal/heimdal";
        mkey = "/var/lib/heimdal/m-key";
        acl = [
          {
            principal = "kadmin/admin";
            access = "all";
          }
          {
            principal = "felixalb/admin";
            access = "all";
          }
          {
            principal = "oysteikt/admin";
            access = "all";
          }
        ];
      };
      # kadmin.default_keys = lib.concatStringsSep " " [
      #   "aes256-cts-hmac-sha1-96:pw-salt"
      #   "aes128-cts-hmac-sha1-96:pw-salt"
      # ];
      # libdefaults.default_etypes = lib.concatStringsSep " " [
      #   "aes256-cts-hmac-sha1-96"
      #   "aes128-cts-hmac-sha1-96"
      # ];
      # password_quality.min_length = 8;
    };
  };
  networking.firewall.allowedTCPPorts = [ 88 464 749 ];
  networking.firewall.allowedUDPPorts = [ 88 464 749 ];
  networking.hosts = {
    "127.0.0.2" = lib.mkForce [ ];
    "::1" = lib.mkForce [ ];
  };
 }
--- a/hosts/dagali/services/openldap.nix
+++ b/hosts/dagali/services/openldap.nix
@@ -0,0 +1,121 @@
 { config, pkgs, lib, ... }:
 {
  services.openldap = let
    dn = "dc=pvv,dc=ntnu,dc=no";
    cfg = config.services.openldap;
    heimdal = config.security.krb5.package;
  in {
    enable = true;
    # NOTE: this is a custom build of openldap with support for
    #       perl and kerberos.
    package = pkgs.openldap.overrideAttrs (prev: {
      # https://github.com/openldap/openldap/blob/master/configure
      configureFlags = prev.configureFlags ++ [
        # Connect to slapd via UNIX socket
        "--enable-local"
        # Cyrus SASL
        "--enable-spasswd"
        # Reverse hostname lookups
        "--enable-rlookups"
        # perl
        "--enable-perl"
      ];
      buildInputs = prev.buildInputs ++ [
        pkgs.perl
 	# NOTE: do not upstream this, it might not work with
 	#       MIT in the same way
        heimdal
      ];
      extraContribModules = prev.extraContribModules ++ [
        # https://git.openldap.org/openldap/openldap/-/tree/master/contrib/slapd-modules
        "smbk5pwd"
      ];
    });
    settings = {
      attrs = {
        olcLogLevel = [ "stats" "config" "args" ];
        # olcAuthzRegexp = ''
        #   gidNumber=.*\\\+uidNumber=0,cn=peercred,cn=external,cn=auth
        #         "uid=heimdal,${dn2}"
        # '';
        # olcSaslSecProps = "minssf=0";
      };
      children = {
        "cn=schema".includes = let
          # NOTE: needed for smbk5pwd.so module
          schemaToLdif = name: path: pkgs.runCommandNoCC name {
            buildInputs = with pkgs; [ schema2ldif ];
          } ''
            schema2ldif "${path}" > $out
          '';
          hdb-ldif = schemaToLdif "hdb.ldif" "${heimdal.src}/lib/hdb/hdb.schema";
          samba-ldif = schemaToLdif "samba.ldif" "${heimdal.src}/tests/ldap/samba.schema";
        in [
           "${cfg.package}/etc/schema/core.ldif"
           "${cfg.package}/etc/schema/cosine.ldif"
           "${cfg.package}/etc/schema/nis.ldif"
           "${cfg.package}/etc/schema/inetorgperson.ldif"
           "${hdb-ldif}"
           "${samba-ldif}"
        ];
        # NOTE: installation of smbk5pwd.so module
        #       https://git.openldap.org/openldap/openldap/-/tree/master/contrib/slapd-modules/smbk5pwd
        "cn=module{0}".attrs = {
          objectClass = [ "olcModuleList" ];
          olcModuleLoad = [ "${cfg.package}/lib/modules/smbk5pwd.so" ];
        };
        # NOTE: activation of smbk5pwd.so module for {1}mdb
        "olcOverlay={0}smbk5pwd,olcDatabase={1}mdb".attrs = {
          objectClass = [ "olcOverlayConfig" "olcSmbK5PwdConfig" ];
          olcOverlay = "{0}smbk5pwd";
          olcSmbK5PwdEnable = [ "krb5" "samba" ];
          olcSmbK5PwdMustChange = toString (60 * 60 * 24 * 10000);
        };
        "olcDatabase={1}mdb".attrs = {
          objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ];
          olcDatabase = "{1}mdb";
          olcSuffix = dn;
          # TODO: PW is supposed to be a secret, but it's probably fine for testing
          olcRootDN = "cn=users,${dn}";
          # TODO: replace with proper secret
          olcRootPW.path = pkgs.writeText "olcRootPW" "pass";
          olcDbDirectory = "/var/lib/openldap/test-smbk5pwd-db";
          olcDbIndex = "objectClass eq";
          olcAccess = [
            ''{0}to attrs=userPassword,shadowLastChange
                by dn.exact=cn=users,${dn} write
                by self write
                by anonymous auth
                by * none''
            ''{1}to dn.base=""
                by * read''
            /* allow read on anything else */
            # ''{2}to *
            #     by cn=users,${dn} write by dn.exact=gidNumber=0+uidNumber=0+cn=peercred,cn=external write
            #     by * read''
          ];
        };
      };
    };
  };
 }
--- a/hosts/georg/configuration.nix
+++ b/hosts/georg/configuration.nix
@@ -8,24 +8,11 @@
      (fp /modules/grzegorz.nix)
    ];
  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;
  networking.hostName = "georg";
  systemd.network.networks."30-eno1" = values.defaultNetworkConfig // {
    matchConfig.Name = "eno1";
    address = with values.hosts.georg; [ (ipv4 + "/25") (ipv6 + "/64") ];
  };
  # List packages installed in system profile
  environment.systemPackages = with pkgs; [
  ];
  # List services that you want to enable:
  services.spotifyd = {
    enable = true;
    settings.global = {
@@ -41,15 +28,9 @@
    5353 # spotifyd is its own mDNS service wtf
  ];
  fonts.fontconfig.enable = true;
-
+  # Don't change (even during upgrades) unless you know what you are doing.
-
+  # See https://search.nixos.org/options?show=system.stateVersion
-  # This value determines the NixOS release from which the default
+  system.stateVersion = "25.11";
  # settings for stateful data, like file locations and database versions
  # on your system were taken. It‘s perfectly fine and recommended to leave
  # this value at the release version of the first install of this system.
  # Before changing this value read the documentation for this option
  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
  system.stateVersion = "23.05"; # Did you read the comment?
 }
--- a/hosts/georg/hardware-configuration.nix
+++ b/hosts/georg/hardware-configuration.nix
@@ -1,4 +1,4 @@
-# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# Do not modify this file!  It was generated by 'nixos-generate-config'
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 { config, lib, pkgs, modulesPath, ... }:
--- a/hosts/gluttony/configuration.nix
+++ b/hosts/gluttony/configuration.nix
@@ -0,0 +1,60 @@
 {
  fp,
  lib,
  values,
  ...
 }:
 {
  imports = [
    ./hardware-configuration.nix
    (fp /base)
  ];
  systemd.network.enable = lib.mkForce false;
  boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
  boot.loader = {
    systemd-boot.enable = false; # no uefi support on this device
    grub.device = "/dev/sda";
    grub.enable = true;
  };
  boot.tmp.cleanOnBoot = true;
  networking =
    let
      hostConf = values.hosts.gluttony;
    in
    {
      tempAddresses = "disabled";
      useDHCP = false;
      search = values.defaultNetworkConfig.domains;
      nameservers = values.defaultNetworkConfig.dns;
      defaultGateway.address = hostConf.ipv4_internal_gw;
      interfaces."ens3" = {
        ipv4.addresses = [
          {
            address = hostConf.ipv4;
            prefixLength = 32;
          }
          {
            address = hostConf.ipv4_internal;
            prefixLength = 24;
          }
        ];
        ipv6.addresses = [
          {
            address = hostConf.ipv6;
            prefixLength = 64;
          }
        ];
      };
    };
  services.qemuGuest.enable = true;
  # Don't change (even during upgrades) unless you know what you are doing.
  # See https://search.nixos.org/options?show=system.stateVersion
  system.stateVersion = "25.11";
 }
--- a/hosts/gluttony/hardware-configuration.nix
+++ b/hosts/gluttony/hardware-configuration.nix
@@ -0,0 +1,50 @@
 # Do not modify this file!  It was generated by 'nixos-generate-config'
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 {
  config,
  lib,
  pkgs,
  modulesPath,
  ...
 }:
 {
  imports = [
    (modulesPath + "/profiles/qemu-guest.nix")
  ];
  boot.initrd.availableKernelModules = [
    "ata_piix"
    "uhci_hcd"
    "virtio_pci"
    "virtio_scsi"
    "sd_mod"
  ];
  boot.initrd.kernelModules = [ "dm-snapshot" ];
  boot.kernelModules = [ ];
  boot.extraModulePackages = [ ];
  fileSystems."/" = {
    device = "/dev/mapper/pool-root";
    fsType = "ext4";
  };
  fileSystems."/boot" = {
    device = "/dev/disk/by-uuid/933A-3005";
    fsType = "vfat";
    options = [
      "fmask=0077"
      "dmask=0077"
    ];
  };
  swapDevices = [
    {
      device = "/var/lib/swapfile";
      size = 8 * 1024;
    }
  ];
  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
 }
--- a/hosts/ildkule/configuration.nix
+++ b/hosts/ildkule/configuration.nix
@@ -10,11 +10,7 @@
      ./services/journald-remote.nix
    ];
-  sops.defaultSopsFile = fp /secrets/ildkule/ildkule.yaml;
+  boot.loader.systemd-boot.enable = false;
  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
  sops.age.keyFile = "/var/lib/sops-nix/key.txt";
  sops.age.generateKey = true;
  boot.loader.grub.device = "/dev/vda";
  boot.tmp.cleanOnBoot = true;
  zramSwap.enable = true;
@@ -24,7 +20,6 @@
  networking = let
    hostConf = values.hosts.ildkule;
  in {
    hostName = "ildkule";
    tempAddresses = "disabled";
    useDHCP = lib.mkForce true;
@@ -43,13 +38,9 @@
    };
  };
-  # List packages installed in system profile
+  services.qemuGuest.enable = true;
  environment.systemPackages = with pkgs; [
  ];
  # No devices with SMART
  services.smartd.enable = false;
  system.stateVersion = "23.11"; # Did you read the comment?
  # Don't change (even during upgrades) unless you know what you are doing.
  # See https://search.nixos.org/options?show=system.stateVersion
  system.stateVersion = "23.11";
 }
--- a/hosts/ildkule/services/journald-remote.nix
+++ b/hosts/ildkule/services/journald-remote.nix
@@ -46,7 +46,7 @@ in
  networking.firewall.allowedTCPPorts = [ cfg.port ];
  systemd.services."systemd-journal-remote" = {
-    socketConfig = {
+    serviceConfig = {
      LoadCredential = let
        inherit (config.security.acme.certs.${domainName}) directory;
      in [
--- a/hosts/ildkule/services/monitoring/dashboards/go-processes.json
+++ b/hosts/ildkule/services/monitoring/dashboards/go-processes.json
--- a/hosts/ildkule/services/monitoring/dashboards/mysql.json
+++ b/hosts/ildkule/services/monitoring/dashboards/mysql.json
@@ -13,7 +13,7 @@
    ]
  },
  "description": "",
-  "editable": true,
+  "editable": false,
  "gnetId": 11323,
  "graphTooltip": 1,
  "id": 31,
@@ -3690,7 +3690,7 @@
        },
        "hide": 0,
        "includeAll": false,
-        "label": "Data Source",
+        "label": "Data source",
        "multi": false,
        "name": "datasource",
        "options": [],
@@ -3713,12 +3713,12 @@
        "definition": "label_values(mysql_up, job)",
        "hide": 0,
        "includeAll": true,
-        "label": "job",
+        "label": "Job",
        "multi": true,
        "name": "job",
        "options": [],
        "query": "label_values(mysql_up, job)",
-        "refresh": 1,
+        "refresh": 2,
        "regex": "",
        "skipUrlSync": false,
        "sort": 0,
@@ -3742,12 +3742,12 @@
        "definition": "label_values(mysql_up, instance)",
        "hide": 0,
        "includeAll": true,
-        "label": "instance",
+        "label": "Instance",
        "multi": true,
        "name": "instance",
        "options": [],
        "query": "label_values(mysql_up, instance)",
-        "refresh": 1,
+        "refresh": 2,
        "regex": "",
        "skipUrlSync": false,
        "sort": 0,
--- a/hosts/ildkule/services/monitoring/dashboards/node-exporter-full.json
+++ b/hosts/ildkule/services/monitoring/dashboards/node-exporter-full.json
--- a/hosts/ildkule/services/monitoring/dashboards/postgres.json
+++ b/hosts/ildkule/services/monitoring/dashboards/postgres.json
@@ -328,7 +328,7 @@
        "rgba(50, 172, 45, 0.97)"
      ],
      "datasource": "${DS_PROMETHEUS}",
-      "format": "decbytes",
+      "format": "short",
      "gauge": {
        "maxValue": 100,
        "minValue": 0,
@@ -411,7 +411,7 @@
        "rgba(50, 172, 45, 0.97)"
      ],
      "datasource": "${DS_PROMETHEUS}",
-      "format": "decbytes",
+      "format": "short",
      "gauge": {
        "maxValue": 100,
        "minValue": 0,
@@ -1410,7 +1410,7 @@
      "tableColumn": "",
      "targets": [
        {
-          "expr": "pg_settings_seq_page_cost",
+          "expr": "pg_settings_seq_page_cost{instance=\"$instance\"}",
          "format": "time_series",
          "intervalFactor": 1,
          "refId": "A"
@@ -1872,7 +1872,7 @@
      },
      "yaxes": [
        {
-          "format": "bytes",
+          "format": "short",
          "label": null,
          "logBase": 1,
          "max": null,
@@ -1966,7 +1966,7 @@
      },
      "yaxes": [
        {
-          "format": "bytes",
+          "format": "short",
          "label": null,
          "logBase": 1,
          "max": null,
@@ -2060,7 +2060,7 @@
      },
      "yaxes": [
        {
-          "format": "bytes",
+          "format": "short",
          "label": null,
          "logBase": 1,
          "max": null,
@@ -2251,7 +2251,7 @@
      },
      "yaxes": [
        {
-          "format": "bytes",
+          "format": "short",
          "label": null,
          "logBase": 1,
          "max": null,
@@ -2439,7 +2439,7 @@
      },
      "yaxes": [
        {
-          "format": "bytes",
+          "format": "short",
          "label": null,
          "logBase": 1,
          "max": null,
@@ -2589,35 +2589,35 @@
      "steppedLine": false,
      "targets": [
        {
-          "expr": "irate(pg_stat_bgwriter_buffers_backend{instance=\"$instance\"}[5m])",
+          "expr": "irate(pg_stat_bgwriter_buffers_backend_total{instance=\"$instance\"}[5m])",
          "format": "time_series",
          "intervalFactor": 1,
          "legendFormat": "buffers_backend",
          "refId": "A"
        },
        {
-          "expr": "irate(pg_stat_bgwriter_buffers_alloc{instance=\"$instance\"}[5m])",
+          "expr": "irate(pg_stat_bgwriter_buffers_alloc_total{instance=\"$instance\"}[5m])",
          "format": "time_series",
          "intervalFactor": 1,
          "legendFormat": "buffers_alloc",
          "refId": "B"
        },
        {
-          "expr": "irate(pg_stat_bgwriter_buffers_backend_fsync{instance=\"$instance\"}[5m])",
+          "expr": "irate(pg_stat_bgwriter_buffers_backend_fsync_total{instance=\"$instance\"}[5m])",
          "format": "time_series",
          "intervalFactor": 1,
          "legendFormat": "backend_fsync",
          "refId": "C"
        },
        {
-          "expr": "irate(pg_stat_bgwriter_buffers_checkpoint{instance=\"$instance\"}[5m])",
+          "expr": "irate(pg_stat_bgwriter_buffers_checkpoint_total{instance=\"$instance\"}[5m])",
          "format": "time_series",
          "intervalFactor": 1,
          "legendFormat": "buffers_checkpoint",
          "refId": "D"
        },
        {
-          "expr": "irate(pg_stat_bgwriter_buffers_clean{instance=\"$instance\"}[5m])",
+          "expr": "irate(pg_stat_bgwriter_buffers_clean_total{instance=\"$instance\"}[5m])",
          "format": "time_series",
          "intervalFactor": 1,
          "legendFormat": "buffers_clean",
@@ -2886,14 +2886,14 @@
      "steppedLine": false,
      "targets": [
        {
-          "expr": "irate(pg_stat_bgwriter_checkpoint_write_time{instance=\"$instance\"}[5m])",
+          "expr": "irate(pg_stat_bgwriter_checkpoint_write_time_total{instance=\"$instance\"}[5m])",
          "format": "time_series",
          "intervalFactor": 1,
          "legendFormat": "write_time - Total amount of time that has been spent in the portion of checkpoint processing where files are written to disk.",
          "refId": "B"
        },
        {
-          "expr": "irate(pg_stat_bgwriter_checkpoint_sync_time{instance=\"$instance\"}[5m])",
+          "expr": "irate(pg_stat_bgwriter_checkpoint_sync_time_total{instance=\"$instance\"}[5m])",
          "format": "time_series",
          "intervalFactor": 1,
          "legendFormat": "sync_time - Total amount of time that has been spent in the portion of checkpoint processing where files are synchronized to disk.",
--- a/hosts/ildkule/services/monitoring/dashboards/synapse.json
+++ b/hosts/ildkule/services/monitoring/dashboards/synapse.json
--- a/hosts/ildkule/services/monitoring/grafana.nix
+++ b/hosts/ildkule/services/monitoring/grafana.nix
@@ -47,13 +47,13 @@ in {
        {
          name = "Node Exporter Full";
          type = "file";
-          url = "https://grafana.com/api/dashboards/1860/revisions/29/download";
+          url = "https://grafana.com/api/dashboards/1860/revisions/42/download";
          options.path = dashboards/node-exporter-full.json;
        }
        {
          name = "Matrix Synapse";
          type = "file";
-          url = "https://raw.githubusercontent.com/matrix-org/synapse/develop/contrib/grafana/synapse.json";
+          url = "https://github.com/element-hq/synapse/raw/refs/heads/develop/contrib/grafana/synapse.json";
          options.path = dashboards/synapse.json;
        }
        {
@@ -65,15 +65,9 @@ in {
        {
          name = "Postgresql";
          type = "file";
-          url = "https://grafana.com/api/dashboards/9628/revisions/7/download";
+          url = "https://grafana.com/api/dashboards/9628/revisions/8/download";
          options.path = dashboards/postgres.json;
        }
        {
          name = "Go Processes (gogs)";
          type = "file";
          url = "https://grafana.com/api/dashboards/240/revisions/3/download";
          options.path = dashboards/go-processes.json;
        }
        {
          name = "Gitea Dashboard";
          type = "file";
--- a/hosts/ildkule/services/monitoring/prometheus/machines.nix
+++ b/hosts/ildkule/services/monitoring/prometheus/machines.nix
@@ -19,15 +19,18 @@ in {
      (mkHostScrapeConfig "bicep" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
      (mkHostScrapeConfig "brzeczyszczykiewicz" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
      (mkHostScrapeConfig "georg" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
      (mkHostScrapeConfig "gluttony" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
      (mkHostScrapeConfig "kommode" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
      (mkHostScrapeConfig "ustetind" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
      (mkHostScrapeConfig "wenche" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
      (mkHostScrapeConfig "lupine-1" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
-      # (mkHostScrapeConfig "lupine-2" [ defaultNodeExporterPort defaultSystemdExporterPort ])
+      (mkHostScrapeConfig "lupine-2" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
      (mkHostScrapeConfig "lupine-3" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
      (mkHostScrapeConfig "lupine-4" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
      (mkHostScrapeConfig "lupine-5" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
      (mkHostScrapeConfig "temmie" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
      (mkHostScrapeConfig "ustetind" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
      (mkHostScrapeConfig "wenche" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
      (mkHostScrapeConfig "skrott" [ defaultNodeExporterPort defaultSystemdExporterPort ])
      (mkHostScrapeConfig "hildring" [ defaultNodeExporterPort ])
      (mkHostScrapeConfig "isvegg" [ defaultNodeExporterPort ])
--- a/hosts/kommode/configuration.nix
+++ b/hosts/kommode/configuration.nix
@@ -4,21 +4,12 @@
    # Include the results of the hardware scan.
    ./hardware-configuration.nix
    (fp /base)
    ./disks.nix
    ./services/gitea
    ./services/nginx.nix
  ];
  sops.defaultSopsFile = fp /secrets/kommode/kommode.yaml;
  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
  sops.age.keyFile = "/var/lib/sops-nix/key.txt";
  sops.age.generateKey = true;
  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;
  networking.hostName = "kommode"; # Define your hostname.
  systemd.network.networks."30-ens18" = values.defaultNetworkConfig // {
    matchConfig.Name = "ens18";
    address = with values.hosts.kommode; [ (ipv4 + "/25") (ipv6 + "/64") ];
@@ -26,7 +17,9 @@
  services.btrfs.autoScrub.enable = true;
-  environment.systemPackages = with pkgs; [];
+  services.qemuGuest.enable = true;
  # Don't change (even during upgrades) unless you know what you are doing.
  # See https://search.nixos.org/options?show=system.stateVersion
  system.stateVersion = "24.11";
 }
--- a/hosts/kommode/disks.nix
+++ b/hosts/kommode/disks.nix
@@ -0,0 +1,80 @@
 { lib, ... }:
 {
  disko.devices = {
    disk = {
      sda = {
        type = "disk";
        device = "/dev/sda";
        content = {
          type = "gpt";
          partitions = {
            root = {
              name = "root";
              label = "root";
              start = "1MiB";
              end = "-5G";
              content = {
                type = "btrfs";
                extraArgs = [ "-f" ]; # Override existing partition
                # subvolumes = let
                #   makeSnapshottable = subvolPath: mountOptions: let
                #     name = lib.replaceString "/" "-" subvolPath;
                #   in {
                #     "@${name}/active" = {
                #       mountpoint = subvolPath;
                #       inherit mountOptions;
                #     };
                #     "@${name}/snapshots" = {
                #       mountpoint = "${subvolPath}/.snapshots";
                #       inherit mountOptions;
                #     };
                #   };
                # in {
                #   "@" = { };
                #   "@/swap" = {
                #     mountpoint = "/.swapvol";
                #     swap.swapfile.size = "4G";
                #   };
                #   "@/root" = {
                #     mountpoint = "/";
                #     mountOptions = [ "compress=zstd" "noatime" ];
                #   };
                # }
                # // (makeSnapshottable "/home" [ "compress=zstd" "noatime" ])
                # // (makeSnapshottable "/nix" [ "compress=zstd" "noatime" ])
                # // (makeSnapshottable "/var/lib" [ "compress=zstd" "noatime" ])
                # // (makeSnapshottable "/var/log" [ "compress=zstd" "noatime" ])
                # // (makeSnapshottable "/var/cache" [ "compress=zstd" "noatime" ]);
                # swap.swapfile.size = "4G";
                mountpoint = "/";
              };
            };
            swap = {
              name = "swap";
              label = "swap";
              start = "-5G";
              end = "-1G";
              content.type = "swap";
            };
            ESP = {
              name = "ESP";
              label = "ESP";
              start = "-1G";
              end = "100%";
              type = "EF00";
              content = {
                type = "filesystem";
                format = "vfat";
                mountpoint = "/boot";
                mountOptions = [ "umask=0077" ];
              };
            };
          };
        };
      };
    };
  };
 }
--- a/hosts/kommode/hardware-configuration.nix
+++ b/hosts/kommode/hardware-configuration.nix
@@ -1,4 +1,4 @@
-# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# Do not modify this file!  It was generated by 'nixos-generate-config'
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 { config, lib, pkgs, modulesPath, ... }:
@@ -13,21 +13,6 @@
  boot.kernelModules = [ ];
  boot.extraModulePackages = [ ];
  fileSystems."/" =
    { device = "/dev/disk/by-uuid/d421538f-a260-44ae-8e03-47cac369dcc1";
      fsType = "btrfs";
    };
  fileSystems."/boot" =
    { device = "/dev/disk/by-uuid/86CD-4C23";
      fsType = "vfat";
      options = [ "fmask=0077" "dmask=0077" ];
    };
  swapDevices =
    [ { device = "/dev/disk/by-uuid/4cfbb41e-801f-40dd-8c58-0a0c1a6025f6"; }
    ];
  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
  # (the default) this is the recommended approach. When using systemd-networkd it's
  # still possible to use this option, but it's recommended to use it in conjunction
--- a/hosts/kommode/services/gitea/customization/default.nix
+++ b/hosts/kommode/services/gitea/customization/default.nix
@@ -10,6 +10,59 @@ in
    catppuccin = pkgs.gitea-theme-catppuccin;
  };
  services.gitea.settings = {
    ui = {
      DEFAULT_THEME = "gitea-auto";
      REACTIONS = lib.concatStringsSep "," [
        "+1"
        "-1"
        "laugh"
        "confused"
        "heart"
        "hooray"
        "rocket"
        "eyes"
        "100"
        "anger"
        "astonished"
        "no_good"
        "ok_hand"
        "pensive"
        "pizza"
        "point_up"
        "sob"
        "skull"
        "upside_down_face"
        "shrug"
        "huh"
        "bruh"
        "okiedokie"
        "grr"
      ];
      CUSTOM_EMOJIS = lib.concatStringsSep "," [
        "bruh"
        "grr"
        "huh"
        "ohyeah"
      ];
    };
    "ui.meta" = {
      AUTHOR = "Programvareverkstedet";
      DESCRIPTION = "Bokstavelig talt programvareverkstedet";
      KEYWORDS = lib.concatStringsSep "," [
        "git"
        "hackerspace"
        "nix"
        "open source"
        "foss"
        "organization"
        "software"
        "student"
      ];
    };
  };
  systemd.services.gitea-customization = lib.mkIf cfg.enable {
    description = "Install extra customization in gitea's CUSTOM_DIR";
    wantedBy = [ "gitea.service" ];
@@ -57,6 +110,11 @@ in
      install -Dm444 ${extraLinksFooter} ${cfg.customDir}/templates/custom/extra_links_footer.tmpl
      install -Dm444 ${project-labels} ${cfg.customDir}/options/label/project-labels.yaml
      install -Dm644 ${./emotes/bruh.png} ${cfg.customDir}/public/assets/img/emoji/bruh.png
      install -Dm644 ${./emotes/huh.gif} ${cfg.customDir}/public/assets/img/emoji/huh.png
      install -Dm644 ${./emotes/grr.png} ${cfg.customDir}/public/assets/img/emoji/grr.png
      install -Dm644 ${./emotes/okiedokie.jpg} ${cfg.customDir}/public/assets/img/emoji/okiedokie.png
      "${lib.getExe pkgs.rsync}" -a "${customTemplates}/" ${cfg.customDir}/templates/
    '';
  };
--- a/hosts/kommode/services/gitea/customization/emotes/bruh.png
+++ b/hosts/kommode/services/gitea/customization/emotes/bruh.png
--- a/hosts/kommode/services/gitea/customization/emotes/grr.png
+++ b/hosts/kommode/services/gitea/customization/emotes/grr.png
--- a/hosts/kommode/services/gitea/customization/emotes/huh.gif
+++ b/hosts/kommode/services/gitea/customization/emotes/huh.gif
--- a/hosts/kommode/services/gitea/customization/emotes/okiedokie.jpg
+++ b/hosts/kommode/services/gitea/customization/emotes/okiedokie.jpg
--- a/hosts/kommode/services/gitea/default.nix
+++ b/hosts/kommode/services/gitea/default.nix
@@ -83,11 +83,24 @@ in {
        AUTO_WATCH_NEW_REPOS = false;
      };
      admin.DEFAULT_EMAIL_NOTIFICATIONS = "onmention";
      session.COOKIE_SECURE = true;
      security = {
        SECRET_KEY = lib.mkForce "";
        SECRET_KEY_URI = "file:${config.sops.secrets."gitea/secret-key".path}";
      };
      cache = {
        ADAPTER = "redis";
        HOST = "redis+socket://${config.services.redis.servers.gitea.unixSocket}?db=0";
        ITEM_TTL = "72h";
      };
      session = {
        COOKIE_SECURE = true;
        PROVIDER = "redis";
        PROVIDER_CONFIG = "redis+socket://${config.services.redis.servers.gitea.unixSocket}?db=1";
      };
      queue = {
        TYPE = "redis";
        CONN_STR = "redis+socket://${config.services.redis.servers.gitea.unixSocket}?db=2";
      };
      database.LOG_SQL = false;
      repository = {
        PREFERRED_LICENSES = lib.concatStringsSep "," [
@@ -128,31 +141,6 @@ in {
        AVATAR_MAX_ORIGIN_SIZE = 1024 * 1024 * 2;
      };
      actions.ENABLED = true;
      ui = {
        REACTIONS = lib.concatStringsSep "," [
          "+1"
          "-1"
          "laugh"
          "confused"
          "heart"
          "hooray"
          "rocket"
          "eyes"
          "100"
          "anger"
          "astonished"
          "no_good"
          "ok_hand"
          "pensive"
          "pizza"
          "point_up"
          "sob"
          "skull"
          "upside_down_face"
          "shrug"
        ];
      };
      "ui.meta".DESCRIPTION = "Bokstavelig talt programvareverkstedet";
    };
    dump = {
@@ -164,12 +152,26 @@ in {
  environment.systemPackages = [ cfg.package ];
-  systemd.services.gitea.serviceConfig.CPUSchedulingPolicy = "batch";
+  systemd.services.gitea = lib.mkIf cfg.enable {
    wants = [ "redis-gitea.service" ];
    after = [ "redis-gitea.service" ];
-  systemd.services.gitea.serviceConfig.CacheDirectory = "gitea/repo-archive";
+    serviceConfig = {
-  systemd.services.gitea.serviceConfig.BindPaths = [
+      CPUSchedulingPolicy = "batch";
-    "%C/gitea/repo-archive:${cfg.stateDir}/data/repo-archive"
+      CacheDirectory = "gitea/repo-archive";
-  ];
+      BindPaths = [
        "%C/gitea/repo-archive:${cfg.stateDir}/data/repo-archive"
      ];
    };
  };
  services.redis.servers.gitea = lib.mkIf cfg.enable {
    enable = true;
    user = config.services.gitea.user;
    save = [ ];
    openFirewall = false;
    port = 5698;
  };
  services.nginx.virtualHosts."${domain}" = {
    forceSSL = true;
@@ -195,6 +197,23 @@ in {
  networking.firewall.allowedTCPPorts = [ sshPort ];
  services.rsync-pull-targets = {
    enable = true;
    locations.${cfg.dump.backupDir} = {
      user = "root";
      rrsyncArgs.ro = true;
      authorizedKeysAttrs = [
        "restrict"
        "from=\"principal.pvv.ntnu.no,${values.hosts.principal.ipv6},${values.hosts.principal.ipv4}\""
        "no-agent-forwarding"
        "no-port-forwarding"
        "no-pty"
        "no-X11-forwarding"
      ];
      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGpMVrOppyqYaDiAhqmAuOaRsubFvcQGBGyz+NHB6+0o gitea rsync backup";
    };
  };
  systemd.services.gitea-dump = {
    serviceConfig.ExecStart = let
      args = lib.cli.toGNUCommandLineShell { } {
--- a/hosts/kommode/services/gitea/web-secret-provider/default.nix
+++ b/hosts/kommode/services/gitea/web-secret-provider/default.nix
@@ -28,7 +28,7 @@ in
  users.users."gitea-web" = {
    group = "gitea-web";
    isSystemUser = true;
-    shell = pkgs.bash;
+    useDefaultShell = true;
  };
  sops.secrets."gitea/web-secret-provider/token" = {
--- a/hosts/lupine/configuration.nix
+++ b/hosts/lupine/configuration.nix
@@ -9,12 +9,6 @@
  ];
  sops.defaultSopsFile = fp /secrets/lupine/lupine.yaml;
  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
  sops.age.keyFile = "/var/lib/sops-nix/key.txt";
  sops.age.generateKey = true;
  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;
  systemd.network.networks."30-enp0s31f6" = values.defaultNetworkConfig // {
    matchConfig.Name = "enp0s31f6";
@@ -28,7 +22,7 @@
  # There are no smart devices
  services.smartd.enable = false;
-  # Do not change, even during upgrades.
+  # Don't change (even during upgrades) unless you know what you are doing.
  # See https://search.nixos.org/options?show=system.stateVersion
  system.stateVersion = "25.05";
 }
--- a/hosts/lupine/hardware-configuration/lupine-1.nix
+++ b/hosts/lupine/hardware-configuration/lupine-1.nix
@@ -1,4 +1,4 @@
-# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# Do not modify this file!  It was generated by 'nixos-generate-config'
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 { config, lib, pkgs, modulesPath, ... }:
--- a/hosts/lupine/hardware-configuration/lupine-2.nix
+++ b/hosts/lupine/hardware-configuration/lupine-2.nix
@@ -1,4 +1,4 @@
-# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# Do not modify this file!  It was generated by 'nixos-generate-config'
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 { config, lib, pkgs, modulesPath, ... }:
--- a/hosts/lupine/hardware-configuration/lupine-3.nix
+++ b/hosts/lupine/hardware-configuration/lupine-3.nix
@@ -1,4 +1,4 @@
-# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# Do not modify this file!  It was generated by 'nixos-generate-config'
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 { config, lib, pkgs, modulesPath, ... }:
--- a/hosts/lupine/hardware-configuration/lupine-4.nix
+++ b/hosts/lupine/hardware-configuration/lupine-4.nix
@@ -1,4 +1,4 @@
-# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# Do not modify this file!  It was generated by 'nixos-generate-config'
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 { config, lib, pkgs, modulesPath, ... }:
--- a/hosts/lupine/hardware-configuration/lupine-5.nix
+++ b/hosts/lupine/hardware-configuration/lupine-5.nix
@@ -1,4 +1,4 @@
-# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# Do not modify this file!  It was generated by 'nixos-generate-config'
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 { config, lib, pkgs, modulesPath, ... }:
--- a/hosts/shark/configuration.nix
+++ b/hosts/shark/configuration.nix
@@ -6,33 +6,14 @@
      (fp /base)
    ];
  sops.defaultSopsFile = fp /secrets/shark/shark.yaml;
  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
  sops.age.keyFile = "/var/lib/sops-nix/key.txt";
  sops.age.generateKey = true;
  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;
  networking.hostName = "shark"; # Define your hostname.
  systemd.network.networks."30-ens18" = values.defaultNetworkConfig // {
    matchConfig.Name = "ens18";
    address = with values.hosts.shark; [ (ipv4 + "/25") (ipv6 + "/64") ];
  };
-  # List packages installed in system profile
+  services.qemuGuest.enable = true;
  environment.systemPackages = with pkgs; [
  ];
  # List services that you want to enable:
  # This value determines the NixOS release from which the default
  # settings for stateful data, like file locations and database versions
  # on your system were taken. It‘s perfectly fine and recommended to leave
  # this value at the release version of the first install of this system.
  # Before changing this value read the documentation for this option
  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
  system.stateVersion = "23.05"; # Did you read the comment?
  # Don't change (even during upgrades) unless you know what you are doing.
  # See https://search.nixos.org/options?show=system.stateVersion
  system.stateVersion = "25.11";
 }
--- a/hosts/shark/hardware-configuration.nix
+++ b/hosts/shark/hardware-configuration.nix
@@ -1,4 +1,4 @@
-# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# Do not modify this file!  It was generated by 'nixos-generate-config'
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 { config, lib, pkgs, modulesPath, ... }:
--- a/hosts/skrott/configuration.nix
+++ b/hosts/skrott/configuration.nix
@@ -1,35 +1,56 @@
-{ config, pkgs, lib, fp, ... }: {
+{ config, pkgs, lib, modulesPath, fp, values, ... }: {
  imports = [
-    # ./hardware-configuration.nix
+    (modulesPath + "/profiles/perlless.nix")
    (fp /base)
  ];
  # Disable import of a bunch of tools we don't need from nixpkgs.
  disabledModules = [ "profiles/base.nix" ];
  sops.defaultSopsFile = fp /secrets/skrott/skrott.yaml;
  boot = {
    consoleLogLevel = 0;
    enableContainers = false;
    loader.grub.enable = false;
    loader.systemd-boot.enable = false;
    kernelPackages = pkgs.linuxPackages;
  };
  hardware = {
    enableAllHardware = lib.mkForce false;
    firmware = [ pkgs.raspberrypiWirelessFirmware ];
  };
  # Now turn off a bunch of stuff lol
  # TODO: can we reduce further?
  # See also https://nixcademy.com/posts/minimizing-nixos-images/
  system.autoUpgrade.enable = lib.mkForce false;
  services.irqbalance.enable = lib.mkForce false;
  services.logrotate.enable = lib.mkForce false;
  services.nginx.enable = lib.mkForce false;
  services.postfix.enable = lib.mkForce false;
  services.smartd.enable = lib.mkForce false;
  services.udisks2.enable = lib.mkForce false;
  services.thermald.enable = lib.mkForce false;
  services.promtail.enable = lib.mkForce false;
  # There aren't really that many firmware updates for rbpi3 anyway
  services.fwupd.enable = lib.mkForce false;
-  # TODO: can we reduce further?
+  documentation.enable = lib.mkForce false;
-  system.stateVersion = "25.05";
+  environment.enableAllTerminfo = lib.mkForce false;
-  sops.defaultSopsFile = fp /secrets/skrott/skrott.yaml;
+  programs.neovim.enable = lib.mkForce false;
-  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+  programs.zsh.enable = lib.mkForce false;
-  sops.age.keyFile = "/var/lib/sops-nix/key.txt";
+  programs.git.package = pkgs.gitMinimal;
-  sops.age.generateKey = true;
+
  nix.registry = lib.mkForce { };
  nix.nixPath = lib.mkForce [ ];
  sops.secrets = {
-    "dibbler/postgresql/url" = {
+    "dibbler/postgresql/password" = {
      owner = "dibbler";
      group = "dibbler";
    };
@@ -39,10 +60,16 @@
  networking = {
    hostName = "skrot";
    defaultGateway = values.hosts.gateway;
    defaultGateway6 = values.hosts.gateway6;
    interfaces.eth0 = {
      useDHCP = false;
      ipv4.addresses = [{
-        address = "129.241.210.235";
+        address = values.hosts.skrott.ipv4;
        prefixLength = 25;
      }];
      ipv6.addresses = [{
        address = values.hosts.skrott.ipv6;
        prefixLength = 25;
      }];
    };
@@ -56,18 +83,30 @@
    settings = {
      general.quit_allowed = false;
-      database.url = config.sops.secrets."dibbler/postgresql/url".path;
+      database = {
        type = "postgresql";
        postgresql = {
          username = "pvv_vv";
          dbname = "pvv_vv";
          host = "postgres.pvv.ntnu.no";
          password_file = config.sops.secrets."dibbler/postgresql/password".path;
        };
      };
    };
  };
  # https://github.com/NixOS/nixpkgs/issues/84105
-  boot.kernelParams = [
+  boot.kernelParams = lib.mkIf (!config.virtualisation.isVmVariant) [
    "console=ttyUSB0,9600"
    # "console=tty1" # Already part of the module
  ];
-  systemd.services."serial-getty@ttyUSB0" = {
+  systemd.services."serial-getty@ttyUSB0" = lib.mkIf (!config.virtualisation.isVmVariant) {
    enable = true;
    wantedBy = [ "getty.target" ]; # to start at boot
    serviceConfig.Restart = "always"; # restart when session is closed
  };
  # Don't change (even during upgrades) unless you know what you are doing.
  # See https://search.nixos.org/options?show=system.stateVersion
  system.stateVersion = "25.11";
 }
--- a/hosts/temmie/configuration.nix
+++ b/hosts/temmie/configuration.nix
@@ -1,39 +1,24 @@
 { config, fp, pkgs, values, ... }:
 {
  imports = [
-      # Include the results of the hardware scan.
+    # Include the results of the hardware scan.
-      ./hardware-configuration.nix
+    ./hardware-configuration.nix
-      (fp /base)
+    (fp /base)
-      ./services/nfs-mounts.nix
+    ./services/nfs-mounts.nix
-    ];
+    ./services/userweb.nix
-
+  ];
  # sops.defaultSopsFile = fp /secrets/shark/shark.yaml;
  # sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
  # sops.age.keyFile = "/var/lib/sops-nix/key.txt";
  # sops.age.generateKey = true;
  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;
  networking.hostName = "temmie"; # Define your hostname.
  systemd.network.networks."30-ens18" = values.defaultNetworkConfig // {
    matchConfig.Name = "ens18";
    address = with values.hosts.temmie; [ (ipv4 + "/25") (ipv6 + "/64") ];
  };
-  # List packages installed in system profile
+  services.nginx.enable = false;
  environment.systemPackages = with pkgs; [
  ];
-  # List services that you want to enable:
+  services.qemuGuest.enable = true;
-  # This value determines the NixOS release from which the default
+  # Don't change (even during upgrades) unless you know what you are doing.
-  # settings for stateful data, like file locations and database versions
+  # See https://search.nixos.org/options?show=system.stateVersion
-  # on your system were taken. It‘s perfectly fine and recommended to leave
+  system.stateVersion = "25.11";
  # this value at the release version of the first install of this system.
  # Before changing this value read the documentation for this option
  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
  system.stateVersion = "25.11"; # Did you read the comment?
 }
--- a/hosts/temmie/hardware-configuration.nix
+++ b/hosts/temmie/hardware-configuration.nix
@@ -1,4 +1,4 @@
-# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# Do not modify this file!  It was generated by 'nixos-generate-config'
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 { config, lib, pkgs, modulesPath, ... }:
--- a/hosts/temmie/services/nfs-mounts.nix
+++ b/hosts/temmie/services/nfs-mounts.nix
@@ -1,21 +1,57 @@
-{ pkgs, lib, ... }:
+{ lib, values, ... }:
 let
  # See microbel:/etc/exports
  letters = [ "a" "b" "c" "d" "h" "i" "j" "k" "l" "m" "z" ];
 in
 {
-  fileSystems = let
+  systemd.targets."pvv-homedirs" = {
-    # See microbel:/etc/exports
+    description = "PVV Homedir Partitions";
-    shorthandAreas = lib.listToAttrs (map
+  };
-      (l: lib.nameValuePair "/run/pvv-home-mounts/${l}" "homepvv${l}.pvv.ntnu.no:/export/home/pvv/${l}")
+
-      [ "a" "b" "c" "d"  "h" "i" "j" "k" "l" "m" "z" ]);
+  systemd.mounts = map (l: {
-  in { }
+    description = "PVV Homedir Partition ${l}";
-  //
+
-  (lib.mapAttrs (_: device: {
+    before = [ "remote-fs.target" ];
-    inherit device;
+    wantedBy = [ "multi-user.target" ];
-    fsType = "nfs";
+    requiredBy = [ "pvv-homedirs.target" ];
-    options = [
+
    type = "nfs";
    what = "homepvv${l}.pvv.ntnu.no:/export/home/pvv/${l}";
    where = "/run/pvv-home-mounts/${l}";
    options = lib.concatStringsSep "," [
      "nfsvers=3"
-      "noauto"
+
      # NOTE: this is a bit unfortunate. The address above seems to resolve to IPv6 sometimes,
      #       and it doesn't seem possible to specify proto=tcp,tcp6, meaning we have to tell
      #       NFS which exact address to use here, despite it being specified in the `what` attr :\
      "proto=tcp"
-      "x-systemd.automount"
+      "addr=${values.hosts.microbel.ipv4}"
-      "x-systemd.idle-timeout=300"
+      "mountproto=tcp"
      "mounthost=${values.hosts.microbel.ipv4}"
      "port=2049"
      # NOTE: this is yet more unfortunate. When enabling locking, it will sometimes complain about connection failed.
      #       dmesg(1) reveals that it has something to do with registering the lockdv1 RPC service (errno: 111), not
      #       quite sure how to fix it. Living life on dangerous mode for now.
      "nolock"
      # Don't wait on every read/write
      "async"
      # Always keep mounted
      "noauto"
      # We don't want to update access time constantly
      "noatime"
      # No SUID/SGID, no special devices
      "nosuid"
      "nodev"
      # TODO: are there cgi scripts that modify stuff in peoples homedirs?
      # "ro"
      "rw"
    ];
-  }) shorthandAreas);
+  }) letters;
 }
--- a/hosts/temmie/services/userweb.nix
+++ b/hosts/temmie/services/userweb.nix
@@ -0,0 +1,344 @@
 { config, lib, pkgs, ... }:
 let
  cfg = config.services.httpd;
  homeLetters = [ "a" "b" "c" "d" "h" "i" "j" "k" "l" "m" "z" ];
  # https://nixos.org/manual/nixpkgs/stable/#ssec-php-user-guide-installing-with-extensions
  phpEnv = pkgs.php.buildEnv {
    extensions = { all, ... }: with all; [
      imagick
      opcache
      protobuf
    ];
    extraConfig = ''
      display_errors=0
      post_max_size = 40M
      upload_max_filesize = 40M
    '';
  };
  perlEnv = pkgs.perl.withPackages (ps: with ps; [
    pkgs.exiftool
    pkgs.ikiwiki
    pkgs.irssi
    pkgs.nix.libs.nix-perl-bindings
    AlgorithmDiff
    AnyEvent
    AnyEventI3
    ArchiveZip
    CGI
    CPAN
    CPANPLUS
    DBDPg
    DBDSQLite
    DBI
    EmailAddress
    EmailSimple
    Env
    Git
    HTMLMason
    HTMLParser
    HTMLTagset
    HTTPDAV
    HTTPDaemon
    ImageMagick
    JSON
    LWP
    MozillaCA
    PathTiny
    Switch
    SysSyslog
    TestPostgreSQL
    TextPDF
    TieFile
    Tk
    URI
    XMLLibXML
  ]);
  # https://nixos.org/manual/nixpkgs/stable/#python.buildenv-function
  pythonEnv = pkgs.python3.buildEnv.override {
    extraLibs = with pkgs.python3Packages; [
      legacy-cgi
      matplotlib
      requests
    ];
    ignoreCollisions = true;
  };
  # https://nixos.org/manual/nixpkgs/stable/#sec-building-environment
  fhsEnv = pkgs.buildEnv {
    name = "userweb-env";
    paths = with pkgs; [
      bash
      perlEnv
      pythonEnv
      phpEnv
    ]
    ++ (with phpEnv.packages; [
      # composer
    ])
    ++ [
      acl
      aspell
      autoconf
      autotrash
      bazel
      bintools
      bison
      bsd-finger
      catdoc
      ccache
      clang
      cmake
      coreutils-full
      curl
      devcontainer
      diffutils
      emacs
      # exiftags
      exiftool
      ffmpeg
      file
      findutils
      gawk
      gcc
      glibc
      gnugrep
      gnumake
      gnupg
      gnuplot
      gnused
      gnutar
      gzip
      html-tidy
      imagemagick
      inetutils
      iproute2
      jhead
      less
      libgcc
      lndir
      mailutils
      man # TODO: does this one want a mandb instance?
      meson
      more
      mpc
      mpi
      mplayer
      ninja
      nix
      openssh
      openssl
      patchelf
      pkg-config
      ppp
      procmail
      procps
      qemu
      rc
      rhash
      rsync
      ruby # TODO: does this one want systemwide packages?
      salt
      sccache
      sourceHighlight
      spamassassin
      strace
      subversion
      system-sendmail
      systemdMinimal
      texliveMedium
      tmux
      unzip
      util-linux
      valgrind
      vim
      wget
      which
      wine
      xdg-utils
      zip
      zstd
    ];
    extraOutputsToInstall = [
      "man"
      "doc"
    ];
  };
 in
 {
  services.httpd = {
    enable = true;
    adminAddr = "drift@pvv.ntnu.no";
    # TODO: consider upstreaming systemd support
    # TODO: mod_log_journald in v2.5
    package = pkgs.apacheHttpd.overrideAttrs (prev: {
      nativeBuildInputs = prev.nativeBuildInputs ++ [ pkgs.pkg-config ];
      buildInputs = prev.buildInputs ++ [ pkgs.systemdLibs ];
      configureFlags = prev.configureFlags ++ [ "--enable-systemd" ];
    });
    enablePHP = true;
    phpPackage = phpEnv;
    enablePerl = true;
    # TODO: mod_log_journald in v2.5
    extraModules = [
      "systemd"
      "userdir"
      # TODO: I think the compilation steps of pkgs.apacheHttpdPackages.mod_perl might have some
      #       incorrect or restrictive assumptions upstream, either nixpkgs or source
      # {
      #   name = "perl";
      #   path = let
      #     mod_perl = pkgs.apacheHttpdPackages.mod_perl.override {
      #       apacheHttpd = cfg.package.out;
      #       perl = perlEnv;
      #     };
      #   in "${mod_perl}/modules/mod_perl.so";
      # }
    ];
    extraConfig = ''
      TraceEnable on
      LogLevel warn rewrite:trace3
      ScriptLog ${cfg.logDir}/cgi.log
    '';
    # virtualHosts."userweb.pvv.ntnu.no" = {
    virtualHosts."temmie.pvv.ntnu.no" = {
      forceSSL = true;
      enableACME = true;
      extraConfig = ''
        UserDir ${lib.concatMapStringsSep " " (l: "/home/pvv/${l}/*/web-docs") homeLetters}
        UserDir disabled root
        AddHandler cgi-script .cgi
        DirectoryIndex index.html index.html.var index.php index.php3 index.cgi index.phtml index.shtml meg.html
        <Directory "/home/pvv/?/*/web-docs">
          Options MultiViews Indexes SymLinksIfOwnerMatch ExecCGI IncludesNoExec
          AllowOverride All
          Require all granted
        </Directory>
      '';
    };
  };
  networking.firewall.allowedTCPPorts = [
    80
    443
  ];
  # socket activation comes in v2.5
  # systemd.sockets.httpd = {
  #   wantedBy = [ "sockets.target" ];
  #   description = "HTTPD socket";
  #   listenStreams = [
  #     "0.0.0.0:80"
  #     "0.0.0.0:443"
  #   ];
  # };
  systemd.services.httpd = {
    after = [ "pvv-homedirs.target" ];
    requires = [ "pvv-homedirs.target" ];
    environment = {
      PATH = lib.mkForce "/usr/bin";
    };
    serviceConfig = {
      Type = lib.mkForce "notify";
      ExecStart = lib.mkForce "${cfg.package}/bin/httpd -D FOREGROUND -f /etc/httpd/httpd.conf -k start";
      ExecReload = lib.mkForce "${cfg.package}/bin/httpd -f /etc/httpd/httpd.conf -k graceful";
      ExecStop = lib.mkForce "";
      KillMode = "mixed";
      ConfigurationDirectory = [ "httpd" ];
      LogsDirectory = [ "httpd" ];
      LogsDirectoryMode = "0700";
      CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
      LockPersonality = true;
      PrivateDevices = true;
      PrivateTmp = true;
      # NOTE: this removes CAP_NET_BIND_SERVICE...
      # PrivateUsers = true;
      ProtectClock = true;
      ProtectControlGroups = true;
      ProtectHome = "tmpfs";
      ProtectKernelLogs = true;
      ProtectKernelModules = true;
      ProtectSystem = true;
      RemoveIPC = true;
      RestrictAddressFamilies = [
        "AF_INET"
        "AF_INET6"
        "AF_UNIX"
        "AF_NETLINK"
      ];
      RestrictNamespaces = true;
      RestrictRealtime = true;
      RestrictSUIDSGID = true;
      SocketBindDeny = "any";
      SocketBindAllow = [
        "tcp:80"
        "tcp:443"
      ];
      SystemCallArchitectures = "native";
      SystemCallFilter = [
         "@system-service"
      ];
      UMask = "0077";
      RuntimeDirectory = [ "httpd/root-mnt" ];
      RootDirectory = "/run/httpd/root-mnt";
      MountAPIVFS = true;
      BindReadOnlyPaths = [
        builtins.storeDir
        "/etc"
        # NCSD socket
        "/var/run"
        "/var/lib/acme"
        "${fhsEnv}/bin:/bin"
        "${fhsEnv}/sbin:/sbin"
        "${fhsEnv}/lib:/lib"
        "${fhsEnv}/share:/share"
      ] ++ (lib.mapCartesianProduct ({ parent, child }: "${fhsEnv}${child}:${parent}${child}") {
        parent = [
          "/local"
          "/opt"
          "/opt/local"
          "/store"
          "/store/gnu"
          "/usr"
          "/usr/local"
        ];
        child = [
          "/bin"
          "/sbin"
          "/lib"
          "/libexec"
          "/include"
          "/share"
        ];
      });
      BindPaths = map (l: "/run/pvv-home-mounts/${l}:/home/pvv/${l}") homeLetters;
    };
  };
  # TODO: create phpfpm pools with php environments that contain packages similar to those present on tom
 }
--- a/hosts/ustetind/configuration.nix
+++ b/hosts/ustetind/configuration.nix
@@ -7,12 +7,7 @@
    ./services/gitea-runners.nix
  ];
-  sops.defaultSopsFile = fp /secrets/ustetind/ustetind.yaml;
+  boot.loader.systemd-boot.enable = false;
  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
  sops.age.keyFile = "/var/lib/sops-nix/key.txt";
  sops.age.generateKey = true;
  networking.hostName = "ustetind";
  networking.useHostResolvConf = lib.mkForce false;
@@ -39,5 +34,7 @@
    };
  };
  # Don't change (even during upgrades) unless you know what you are doing.
  # See https://search.nixos.org/options?show=system.stateVersion
  system.stateVersion = "24.11";
 }
--- a/hosts/wenche/configuration.nix
+++ b/hosts/wenche/configuration.nix
@@ -14,15 +14,9 @@
    "armv7l-linux"
  ];
-  sops.defaultSopsFile = fp /secrets/wenche/wenche.yaml;
+  boot.loader.systemd-boot.enable = false;
  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
  sops.age.keyFile = "/var/lib/sops-nix/key.txt";
  sops.age.generateKey = true;
  boot.loader.grub.device = "/dev/sda";
  networking.hostName = "wenche"; # Define your hostname.
  systemd.network.networks."30-ens18" = values.defaultNetworkConfig // {
    matchConfig.Name = "ens18";
    address = with values.hosts.wenche; [ (ipv4 + "/25") (ipv6 + "/64") ];
@@ -36,9 +30,9 @@
    package = config.boot.kernelPackages.nvidiaPackages.production;
  };
-  # List packages installed in system profile
+  services.qemuGuest.enable = true;
  environment.systemPackages = with pkgs; [
  ];
-  system.stateVersion = "24.11"; # Did you read the comment?
+  # Don't change (even during upgrades) unless you know what you are doing.
  # See https://search.nixos.org/options?show=system.stateVersion
  system.stateVersion = "24.11";
 }
--- a/modules/gickup/update-linktree.nix
+++ b/modules/gickup/update-linktree.nix
@@ -16,6 +16,8 @@ in
    # TODO: update symlink for one repo at a time (e.g. gickup-linktree@<instance>.service)
    systemd.services."gickup-linktree" = {
      after = map ({ slug, ... }: "gickup@${slug}.service") (lib.attrValues cfg.instances);
      wantedBy = [ "gickup.target" ];
      serviceConfig = {
        Type = "oneshot";
        ExecStart = let
--- a/modules/grzegorz.nix
+++ b/modules/grzegorz.nix
@@ -37,9 +37,13 @@ in {
  services.nginx.enable = true;
  services.nginx.virtualHosts = {
    ${config.networking.fqdn} = {
      # NOTE: this overrides the default config in base/services/nginx.nix
      addSSL = false;
      forceSSL = true;
      enableACME = true;
      kTLS = true;
      serverAliases = [
        "${machine}.pvv.org"
      ];
--- a/modules/matrix-ooye.nix
+++ b/modules/matrix-ooye.nix
@@ -181,6 +181,9 @@ in
          #NoNewPrivileges = true;
          #PrivateDevices = true;
          Restart = "on-failure";
          RestartSec = "5s";
          StartLimitIntervalSec = "5s";
          StartLimitBurst = "5";
          DynamicUser = true;
        };
      };
--- a/modules/rsync-pull-targets.nix
+++ b/modules/rsync-pull-targets.nix
@@ -0,0 +1,146 @@
 { config, lib, pkgs, ... }:
 let
  cfg = config.services.rsync-pull-targets;
 in
 {
  options.services.rsync-pull-targets = {
    enable = lib.mkEnableOption "";
    rrsyncPackage = lib.mkPackageOption pkgs "rrsync" { };
    locations = lib.mkOption {
      type = lib.types.attrsOf (lib.types.submodule ({ name, ... }@submoduleArgs: {
        options = {
          enable = lib.mkEnableOption "" // {
            default = true;
            example = false;
          };
          user = lib.mkOption {
            type = lib.types.str;
            description = "Which user to use as SSH login";
            example = "root";
          };
          location = lib.mkOption {
            type = lib.types.path;
            default = name;
            defaultText = lib.literalExpression "<name>";
            example = "/path/to/rsyncable/item";
          };
          # TODO: handle autogeneration of keys
          # autoGenerateSSHKeypair = lib.mkOption {
          #   type = lib.types.bool;
          #   default = config.publicKey == null;
          #   defaultText = lib.literalExpression "config.services.rsync-pull-targets.<name>.publicKey != null";
          #   example = true;
          # };
          publicKey = lib.mkOption {
            type = lib.types.str;
            # type = lib.types.nullOr lib.types.str;
            # default = null;
            example = "ssh-ed25519 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA comment";
          };
          rrsyncPackage = lib.mkPackageOption pkgs "rrsync" { } // {
            default = cfg.rrsyncPackage;
            defaultText = lib.literalExpression "config.services.rsync-pull-targets.rrsyncPackage";
          };
          enableRecommendedHardening = lib.mkEnableOption "a commonly used security profile for authorizedKeys attributes and rrsync args";
          rrsyncArgs = {
            ro = lib.mkEnableOption "" // {
              description = "Allow only reading from the DIR. Implies -no-del and -no-lock.";
            };
            wo = lib.mkEnableOption "" // {
              description = "Allow only writing to the DIR.";
            };
            munge = lib.mkEnableOption "" // {
              description = "Enable rsync's --munge-links on the server side.";
              # TODO: set a default?
            };
            no-del = lib.mkEnableOption "" // {
              description = "Disable rsync's --delete* and --remove* options.";
              default = submoduleArgs.config.enableRecommendedHardening;
              defaultText = lib.literalExpression "config.services.rsync-pull-targets.<name>.enableRecommendedHardening";
            };
            no-lock = lib.mkEnableOption "" // {
              description = "Avoid the single-run (per-user) lock check.";
              default = submoduleArgs.config.enableRecommendedHardening;
              defaultText = lib.literalExpression "config.services.rsync-pull-targets.<name>.enableRecommendedHardening";
            };
            no-overwrite = lib.mkEnableOption "" // {
              description = "Prevent overwriting existing files by enforcing --ignore-existing";
              default = submoduleArgs.config.enableRecommendedHardening;
              defaultText = lib.literalExpression "config.services.rsync-pull-targets.<name>.enableRecommendedHardening";
            };
          };
          authorizedKeysAttrs = lib.mkOption {
            type = lib.types.listOf lib.types.str;
            default = lib.optionals submoduleArgs.config.enableRecommendedHardening [
              "restrict"
              "no-agent-forwarding"
              "no-port-forwarding"
              "no-pty"
              "no-X11-forwarding"
            ];
            defaultText = lib.literalExpression ''
              lib.optionals config.services.rsync-pull-targets.<name>.enableRecommendedHardening [
                "restrict"
                "no-agent-forwarding"
                "no-port-forwarding"
                "no-pty"
                "no-X11-forwarding"
              ]
            '';
            example = [
              "restrict"
              "no-agent-forwarding"
              "no-port-forwarding"
              "no-pty"
              "no-X11-forwarding"
            ];
          };
        };
      }));
    };
  };
  config = lib.mkIf cfg.enable {
    # assertions = lib.pipe cfg.locations [
    #   (lib.filterAttrs (_: value: value.enable))
      # TODO: assert that there are no duplicate (user, publicKey) pairs.
      #       if there are then ssh won't know which command to provide and might provide a random one, not sure.
      # (lib.mapAttrsToList (_: { user, location, publicKey, ... }: {
      #   assertion =
      #   message = "";
      # })
    # ];
    services.openssh.enable = true;
    users.users = lib.pipe cfg.locations [
      (lib.filterAttrs (_: value: value.enable))
      lib.attrValues
      # Index locations by SSH user
      (lib.foldl (acc: location: acc // {
        ${location.user} = (acc.${location.user} or [ ]) ++ [ location ];
      }) { })
      (lib.mapAttrs (_name: locations: {
        openssh.authorizedKeys.keys = map ({ user, location, rrsyncPackage, rrsyncArgs, authorizedKeysAttrs, publicKey, ... }: let
          rrsyncArgString = lib.cli.toCommandLineShellGNU {
            isLong = _: false;
          } rrsyncArgs;
          # TODO: handle " in location
        in "command=\"${lib.getExe rrsyncPackage} ${rrsyncArgString} ${location}\",${lib.concatStringsSep "," authorizedKeysAttrs} ${publicKey}"
        ) locations;
      }))
    ];
  };
 }
--- a/packages/mediawiki-extensions/default.nix
+++ b/packages/mediawiki-extensions/default.nix
@@ -33,63 +33,63 @@ in
 lib.mergeAttrsList [
  (mw-ext {
    name = "CodeEditor";
-    commit = "6e5b06e8cf2d040c0abb53ac3735f9f3c96a7a4f";
+    commit = "83e1d0c13f34746f0d7049e38b00e9ab0a47c23f";
-    hash = "sha256-Jee+Ws9REUohywhbuemixXKaTRc54+cIlyUNDCyYcEM=";
+    hash = "sha256-qH9fSQZGA+z6tBSh1DaTKLcujqA6K/vQmZML9w5X8mU=";
  })
  (mw-ext {
    name = "CodeMirror";
-    commit = "da9c5d4f03e6425f6f2cf68b75d21311e0f7e77e";
+    commit = "af2b08b9ad2b89a64b2626cf80b026c5b45e9922";
-    hash = "sha256-aL+v9xeqKHGmQVUWVczh54BkReu+fP49PT1NP7eTC6k=";
+    hash = "sha256-CxXPwCKUlF9Tg4JhwLaKQyvt43owq75jCugVtb3VX+I=";
  })
  (mw-ext {
    name = "DeleteBatch";
-    commit = "122072bbfb4eab96ed8c1451a3e74b5557054c58";
+    commit = "3d6f2fd0e3efdae1087dd0cc8b1f96fe0edf734f";
-    hash = "sha256-L6AXoyFJEZoAQpLO6knJvYtQ6JJPMtaa+WhpnwbJeNU=";
+    hash = "sha256-iD9EjDIW7AGpZan74SIRcr54dV8W7xMKIDjatjdVkKs=";
  })
  (mw-ext {
    name = "PluggableAuth";
-    commit = "5caf605b9dfdd482cb439d1ba2000cba37f8b018";
+    commit = "85e96acd1ac0ebcdaa29c20eae721767a938f426";
-    hash = "sha256-TYJqR9ZvaWJ7i1t0XfgUS05qqqCgxAH8tRTklz/Bmlg=";
+    hash = "sha256-bMVhrg8FsfWhXF605Cj5TgI0A6Jy/MIQ5aaUcLQQ0Ss=";
  })
  (mw-ext {
    name = "Popups";
-    commit = "7ed940a09f83f869cbc0bc20f3ca92f85b534951";
+    commit = "410e2343c32a7b18dcdc2bbd995b0bfdf3bf5f37";
-    hash = "sha256-pcDPcu4kSvMHfSOuShrod694TKI9Oo3AEpMP9DXp9oY=";
+    hash = "sha256-u2AlR75x54rCpiK9Mz00D9odJCn8fmi6DRU4QKmKqSc=";
  })
  (mw-ext {
    name = "Scribunto";
-    commit = "e755852a8e28a030a21ded2d5dd7270eb933b683";
+    commit = "904f323f343dba5ff6a6cdd143c4a8ef5b7d2c55";
-    hash = "sha256-zyI5nSE+KuodJOWyV0CQM7G0GfkKEgfoF/czi2/qk98=";
+    hash = "sha256-ZOVYhjMMyWbqwZOBb39hMIRmzzCPEnz2y8Q2jgyeERw=";
  })
  (mw-ext {
    name = "SimpleSAMLphp";
    kebab-name = "simple-saml-php";
-    commit = "d41b4efd3cc44ca3f9f12e35385fc64337873c2a";
+    commit = "a2f77374713473d594e368de24539aebcc1a800a";
-    hash = "sha256-wfzXtsEEEjQlW5QE4Rf8pasAW/KSJsLkrez13baxeqA=";
+    hash = "sha256-5+t3VQFKcrIffDNPJ4RWBIWS6K1gTOcEleYWmM6xWms=";
  })
  (mw-ext {
    name = "TemplateData";
-    commit = "fd7cf4d95a70ef564130266f2a6b18f33a2a2ff9";
+    commit = "76a6a04bd13a606923847ba68750b5d98372cacd";
-    hash = "sha256-5OhDPFhIi55Eh5+ovMP1QTjNBb9Sm/3vyArNCApAgSw=";
+    hash = "sha256-X2+U5PMqzkSljw2ypIvJUSaPDaonTkQx89OgKzf5scw=";
  })
  (mw-ext {
    name = "TemplateStyles";
-    commit = "0f7b94a0b094edee1c2a9063a3c42a1bdc0282d9";
+    commit = "7de60a8da6576d7930f293d19ef83529abf52704";
-    hash = "sha256-R406FgNcIip9St1hurtZoPPykRQXBrkJRKA9hapG81I=";
+    hash = "sha256-iPmFDoO5V4964CVyd1mBSQcNlW34odbvpm2CfDBlPBU=";
  })
  (mw-ext {
    name = "UserMerge";
-    commit = "d1917817dd287e7d883e879459d2d2d7bc6966f2";
+    commit = "71eb53ff4289ac4efaa31685ab8b6483c165a584";
-    hash = "sha256-la3/AQ38DMsrZ2f24T/z3yKzIrbyi3w6FIB5YfxGK9U=";
+    hash = "sha256-OfKSEPgctfr659oh5jf99T0Rzqn+60JhNaZq+2gfubk=";
  })
  (mw-ext {
    name = "VisualEditor";
-    commit = "032364cfdff33818e6ae0dfa251fe3973b0ae4f3";
+    commit = "a6a63f53605c4d596c3df1dcc2583ffd3eb8d929";
-    hash = "sha256-AQDdq9r6rSo8h4u1ERonH14/1i1BgLGdzANEiQ065PU=";
+    hash = "sha256-4d8picO66uzKoxh1TdyvKLHebc6ZL7N2DdXLV2vgBL4=";
  })
  (mw-ext {
    name = "WikiEditor";
-    commit = "cb9f7e06a9c59b6d3b31c653e5886b7f53583d01";
+    commit = "0a5719bb95326123dd0fee1f88658358321ed7be";
-    hash = "sha256-UWi3Ac+LCOLliLkXnS8YL0rD/HguuPH5MseqOm0z7s4=";
+    hash = "sha256-eQMyjhdm1E6TkktIHad1NMeMo8QNoO8z4A05FYOMCwQ=";
  })
 ]
--- a/packages/ooye/fix-lockfile.patch
+++ b/packages/ooye/fix-lockfile.patch
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Felix Albrigtsen	ee81a9ccdc	WIP: Move krb5 realm to pvv.local, make sane ldap structure	2026-02-15 15:34:33 +09:00
Øystein Tveit	fae6df12c8	WIP: set up heimdal-openldap-sasl stack	2026-02-15 15:34:33 +09:00
Øystein Tveit	4ba0433120	hosts/dagali: init	2026-02-15 15:34:33 +09:00
h7x4	0d40c7d7a7	base/acme: use different email alias for account	2026-02-13 19:45:45 +09:00
h7x4	b327582236	kommode/gitea: use redis for sessions and queue	2026-02-13 18:55:42 +09:00
h7x4	7e39bf3ba2	bicep/matrix/ooye: add rsync pull target for principal backups	2026-02-13 18:26:55 +09:00
h7x4	5bb0cd0465	kommode/gitea: set default theme	2026-02-13 14:32:36 +09:00
h7x4	9efda802cb	kommode/gitea: move ui configuration to `customization`	2026-02-13 14:23:48 +09:00
h7x4	3c08be3d73	kommode/gitea: configure redis cache	2026-02-13 03:50:21 +09:00
Øystein Tveit	b1a2836b5d	kommode/gitea: custom emoji	2026-02-13 03:38:45 +09:00
h7x4	ba1f30f737	kommode/gitea: configure more meta fields	2026-02-13 03:13:49 +09:00
Daniel Olsen	c455c5a7e3	bicep/matrix/livekit: fix matrix domain in livekit, allow dan's server as well	2026-02-11 22:58:19 +01:00
Vegard Bieker Matthey	35907be4f2	update sops keys for skrott	2026-02-07 22:17:09 +01:00
h7x4	210f74dc59	secrets: sops updatekeys	2026-02-08 05:19:26 +09:00
Vegard Bieker Matthey	d35de940c1	update gpg install cmd for secrets	2026-02-07 21:12:03 +01:00
h7x4	daa4b9e271	bekkalokk/mediawiki: adjust umask	2026-02-07 01:46:55 +09:00
h7x4	12eb0b3f53	bekkalokk/mediawiki: allow uploading more filetypes	2026-02-07 00:56:38 +09:00
h7x4	02bdb8d45b	kommode/gitea/web: use default login shell	2026-02-05 13:25:06 +09:00
h7x4	a5143c0aaa	bekkalokk/nettsiden: fix gallery rsync target	2026-02-05 13:19:29 +09:00
Vegard Bieker Matthey	561404cd87	bump dibbler	2026-02-04 04:11:56 +01:00
System administrator	3338b4cd61	gluttony: fix ipv4 addr	2026-02-03 21:05:53 +01:00
Vegard Bieker Matthey	2354dcf578	gluttony: update disk id	2026-02-03 16:18:43 +01:00
h7x4	304304185c	base: add `lsof` to list of default installed packages	2026-02-02 23:59:35 +09:00
h7x4	b712f3cda3	temmie/userweb: add a few more packages	2026-01-31 21:53:12 +09:00
h7x4	cc272a724c	temmie/userweb: add directory index search path	2026-01-31 21:30:23 +09:00
h7x4	fcaa97884e	temmie/userweb: add a bunch more normal packages	2026-01-31 21:20:26 +09:00
h7x4	11f2cf504f	temmie/userweb: add a bunch more perl packages	2026-01-31 20:31:03 +09:00
h7x4	7ab16bc949	temmie/userweb: restrict log access	2026-01-31 19:08:02 +09:00
h7x4	c4d5cfde56	temmie/userweb: add `legacy-cgi` to the python package set	2026-01-31 18:53:44 +09:00
h7x4	100d09f6b7	temmie/userweb: get first iteration working	2026-01-31 18:41:17 +09:00
h7x4	3b0742bfac	temmie: combine homedirs in overlayfs	2026-01-31 18:41:17 +09:00
h7x4	3ba1ea2e4f	flake.lock: bump	2026-01-31 13:44:39 +09:00
h7x4	91de031896	treewide: limit rsync pull target access to principal	2026-01-31 11:14:18 +09:00
h7x4	c3ce6a40ea	ildkule/grafana: update a bunch of dashboards	2026-01-31 01:07:26 +09:00
h7x4	beee0ddc75	ildkule/grafana: remove dashboard for gogs	2026-01-31 00:58:34 +09:00
h7x4	359f599655	bekkalokk/snappymail: add rsync pull target for principal	2026-01-31 00:19:09 +09:00
h7x4	5b1c6f16d1	bekkalokk/vaultwarden: add rsync pull target for principal	2026-01-31 00:18:57 +09:00
h7x4	cec69d89a8	bicep/{postgres,mysql}: fix old backup deletion (again)	2026-01-30 13:26:10 +09:00
h7x4	af0bf7b254	bicep/{postgres,mysql}: fix old backup deletion	2026-01-29 14:57:46 +09:00
h7x4	bcf8b1607f	bicep/{postgres,mysql}: use hardlink for latest backup file	2026-01-29 14:53:07 +09:00
h7x4	1d46fd1ec6	bicep/{postgres,mysql}: keep multiple backups, point at latest with symlink	2026-01-29 14:16:34 +09:00
h7x4	bac53be707	bicep/{postgres,mysql}: use zstd for backup compression	2026-01-29 13:50:35 +09:00
h7x4	f08bd96b74	bicep/{postgres,mysql}: move backups to `/data`	2026-01-29 13:41:06 +09:00
h7x4	25f2a13391	packages/mediawiki-extensions: bump all	2026-01-29 13:34:42 +09:00
h7x4	8774c81d23	bicep/{postgres,mysql}: custom backup units	2026-01-29 13:32:28 +09:00
h7x4	d6eca5c4e3	bicep/{postgres,mysql}: split config into several files	2026-01-29 13:18:25 +09:00
h7x4	49d1122ee5	bicep/mysql: enable slow query logs	2026-01-28 14:55:52 +09:00
h7x4	31bbf4b25f	bicep/synapse: enable auto-compressor timer	2026-01-28 14:50:57 +09:00
h7x4	2f7e1439d0	bicep/mysql: pin version, upgrade from 11.4 -> 11.8	2026-01-28 14:01:14 +09:00
h7x4	fa31a84bd2	bicep/postgres: upgrade from 15 -> 18	2026-01-28 14:00:25 +09:00
h7x4	b77c8eb5c0	modules/rsync-pull-targets: fix multiple pull targets with same user	2026-01-27 21:10:17 +09:00
h7x4	949661113e	bicep/mysql: move backup dir	2026-01-27 20:47:40 +09:00
h7x4	f442c4d65f	bicep/minecraft-heatmap: gate remaining config behind `cfg.enable`	2026-01-27 20:44:20 +09:00
h7x4	690aee634b	bicep/postgres: gate remaining config behind `cfg.enable`	2026-01-27 20:44:20 +09:00
h7x4	2ed1c83858	bicep/{postgres,mysql}: add rsync pull targets for backups	2026-01-27 20:39:12 +09:00
h7x4	d43de08a3b	flake.lock: bump	2026-01-27 19:44:45 +09:00
h7x4	e8c7f177e8	kommode: use disko to configure disks	2026-01-27 19:00:12 +09:00
h7x4	fb59a242fb	kommode/gitea: add rsync pull target for gitea dump dir	2026-01-27 18:55:25 +09:00
h7x4	65d095feb1	bekkalokk/mediawiki, bicep/matrix/synapse: add keys for rsync targets	2026-01-27 18:55:03 +09:00
h7x4	8273d98788	flake.nix: add `disko` to default devshell	2026-01-27 18:35:18 +09:00
h7x4	8a84069dcf	bicep/mysql: use `BindPaths` to access `dataDir`	2026-01-27 17:23:38 +09:00
h7x4	cda84be5b0	bekkalokk/well-known: add note about bug bounty program to `security.txt`	2026-01-27 17:11:07 +09:00
h7x4	79a46ce3f6	bicep/element: set default country code	2026-01-27 04:11:40 +09:00
h7x4	19e45be83a	.mailmap: further dedup	2026-01-27 04:07:25 +09:00
h7x4	a8892e2fb2	hosts/various: bump `stateVersion`	2026-01-27 04:00:48 +09:00
h7x4	a149f97ac0	bicep: bump `stateVersion` from 22.11 -> 25.11	2026-01-27 03:59:40 +09:00
h7x4	e76c656378	bekkalokk: bump `stateVersion` from 22.11 -> 25.11	2026-01-27 03:52:34 +09:00
h7x4	5877ef60b1	modules/rsync-pull-targets: leave TODO about assertion	2026-01-27 00:27:00 +09:00
h7x4	73456de527	bekkalokk/mediawiki, bicep/matrix/synapse: leave principal rsync target stubs	2026-01-27 00:26:42 +09:00
h7x4	2f8e9ea190	modules/rsync-pull-targets: init, migrate bekkalokk/website/fetch-gallery	2026-01-26 23:57:20 +09:00
h7x4	c3c98392ad	bicep/hookshot: add passkey to sops	2026-01-26 21:52:58 +09:00
h7x4	e01fd902eb	bekkalokk/mediawiki: move `secret.key` to sops	2026-01-26 17:55:55 +09:00
h7x4	ce8d759f79	skrott: yeet 700MB worth of firmware, leave raspberry-specific firmware be	2026-01-26 17:09:18 +09:00
h7x4	ea6296f47a	base/vm: disable graphics for vms by default	2026-01-26 17:08:35 +09:00
h7x4	c28fc3f229	ildkule/prometheus: add temmie,gluttony, re-enable lupine-2	2026-01-26 17:04:55 +09:00
h7x4	c124183d95	ildkule/prometheus: scrape skrott	2026-01-26 17:04:52 +09:00
h7x4	d7bb316056	skrott: yeetus ncdu	2026-01-26 15:45:10 +09:00
h7x4	c78c29aaa6	skrott: don't pull in nixpkgs/nixpkgs-unstable source tarballs	2026-01-26 15:43:23 +09:00
h7x4	7d451f1db5	base/auto-upgrade: don't install `flake-inputs.json` when disabled	2026-01-26 15:42:56 +09:00
h7x4	1d57cec04d	base/acme: remove deprecated argument	2026-01-26 15:07:40 +09:00
h7x4	f50372fabd	.sops.yaml: remove yet more remains of jokum	2026-01-26 13:53:30 +09:00
h7x4	0f355046de	.sops.yaml: add skrott	2026-01-26 13:53:16 +09:00
h7x4	285f5b6a84	flake.nix: point `skrott-x86_64` at correct nixosConfiguration, add `-sd` variants	2026-01-26 13:46:15 +09:00
h7x4	20eec03cd4	bakke: fix eval warnings about kernel packages	2026-01-26 13:46:14 +09:00
h7x4	fffdf77d6f	skrott: disable more stuff	2026-01-26 13:46:13 +09:00
h7x4	42bbb1eca1	flake.nix: make native skrott default, misc cleaning	2026-01-26 13:28:42 +09:00
h7x4	34fdc9159c	bekkalokk/mediawiki: remove nonused module import	2026-01-26 13:19:48 +09:00
h7x4	1b6ff9876d	Remove global packages from users, skrott: remove neovim properly	2026-01-26 13:16:06 +09:00
h7x4	0206c159a2	skrott: cross compile and further minimize	2026-01-26 13:15:46 +09:00
h7x4	15004829a8	flake.lock: bump dibbler	2026-01-26 02:30:53 +09:00
h7x4	48ffb3cda1	skrott/dibbler: fix postgres url	2026-01-26 02:27:21 +09:00
h7x4	9bbc64afc8	skrott: disable promtail, documentation	2026-01-26 02:25:12 +09:00
h7x4	1cf956f37b	skrott: disable thermald	2026-01-26 02:04:03 +09:00
h7x4	38a1d38c7f	skrott: disable zfs, udisks2	2026-01-26 01:31:46 +09:00
h7x4	f1a6e47e67	skrott: disable smartd	2026-01-26 00:48:36 +09:00
h7x4	c061c5be0c	base: re-enable `mutableUsers` (absolute state)	2026-01-26 00:25:20 +09:00
h7x4	08e3e1a287	README: add skrott to machine overview	2026-01-25 23:30:41 +09:00
h7x4	034f6540d9	secrets/skrott: add database password	2026-01-25 23:30:41 +09:00
h7x4	695fe48ba8	skrott: set gateway	2026-01-25 23:30:41 +09:00
h7x4	b37551209a	flake.nix: bump dibbler	2026-01-25 22:54:52 +09:00
Felix Albrigtsen	19059b742e	users/felixalb: update SSH keys	2026-01-25 13:17:39 +01:00
h7x4	e336c119a5	skrott: bump `stateVersion`	2026-01-25 21:08:28 +09:00
h7x4	52ac4ca775	skrott: update dibbler + config	2026-01-25 20:56:33 +09:00
Vegard Bieker Matthey	6b352507a3	Merge pull request 'gluttony: use grub as bootloader because of no uefi support' (!121 ) from gluttony-boot into main Reviewed-on: https://git.pvv.ntnu.no/Drift/pvv-nixos-config/pulls/121	2026-01-24 22:25:28 +01:00
Vegard Bieker Matthey	604b528dd3	use grub as bootloader because of no uefi support	2026-01-24 22:04:54 +01:00
h7x4	689d6582ae	topology: fix ntnu gateway <-> knutsen connection network	2026-01-23 00:56:32 +09:00
h7x4	ccdaeaf4a3	topology: fix gluttony network interface	2026-01-23 00:51:30 +09:00
h7x4	72fdca4998	topology: more connections to powerpuff cluster	2026-01-23 00:50:16 +09:00
h7x4	9ccdeb6ac9	topology: fix new machines	2026-01-23 00:43:20 +09:00
h7x4	8072121b3c	skrott: fix sops file location	2026-01-22 19:44:05 +09:00
h7x4	95f6463171	temmie: set up httpd	2026-01-22 19:41:52 +09:00
h7x4	39d3773a10	skrott: move networking config to values, add ipv6 address	2026-01-22 19:30:04 +09:00
h7x4	0e963f8cf0	gluttony: fix eval	2026-01-22 19:17:28 +09:00
h7x4	ba6c1c8205	temmie/nfs-mounts: generate systemd units ourselves	2026-01-22 19:10:30 +09:00
h7x4	1d47409d96	base: configure sops	2026-01-22 16:48:59 +09:00
h7x4	f7757d697d	base: don't install dynamic loader stub	2026-01-22 16:13:36 +09:00
h7x4	9f43ea887e	base: OOM early on nixos rebuilds	2026-01-22 16:13:20 +09:00
h7x4	5f94345a91	hosts/various: enable qemu guest agent, disable smartd for vms by default	2026-01-22 16:05:36 +09:00
h7x4	28baf322ce	hosts/various: formatting, add consistent warnings to `stateVersion`	2026-01-22 15:57:12 +09:00
h7x4	12477aeb34	flake.nix: set default hostname for most nixos hosts	2026-01-22 15:49:50 +09:00
h7x4	e2d553af19	bikkje: set `hostName`	2026-01-22 15:49:50 +09:00
h7x4	89ea5b321a	hosts/various: use systemd-boot as default bootloader	2026-01-22 15:49:50 +09:00
h7x4	3940f52760	hosts/various: remove empty `environment.systemPackages` lists	2026-01-22 15:45:43 +09:00
h7x4	e2f3c81ecd	base: move package list to separate file	2026-01-22 15:35:18 +09:00
h7x4	a4c3aaa402	base: provide reasoning for packages, add a few new ones	2026-01-22 15:31:48 +09:00
h7x4	5714efc668	modules/grzegorz: override base certificate config	2026-01-22 15:10:50 +09:00
h7x4	d5199779a6	base: disable fontconfig by default	2026-01-22 14:57:00 +09:00
h7x4	ae3c7019ef	base: disable hibernation and sleep	2026-01-22 14:54:35 +09:00
h7x4	73dc9306f1	base: no mutable users by default	2026-01-22 14:51:24 +09:00
h7x4	09d72305e2	base/nginx: return 444 on fqdn virtualHost by default	2026-01-21 23:17:47 +09:00
h7x4	2ace7b649f	nix-topology: remove postgresql icon override	2026-01-21 14:56:41 +09:00
h7x4	7703a94b19	flake.lock: bump	2026-01-21 14:49:00 +09:00
h7x4	ebd40fc2d7	bekkalokk/well-known: reply to well-known for all domains	2026-01-21 14:47:31 +09:00
h7x4	9eb5cd869a	bicep/element: fetch correct well-known file	2026-01-21 14:34:35 +09:00
h7x4	fa37f34028	packages/ooye: bump	2026-01-21 13:46:06 +09:00
h7x4	7111d00df8	modules/ooye: calm yo ass (set restart timer + counter)	2026-01-21 13:17:28 +09:00
h7x4	833a74a6fb	bicep/matrix: remove some whitespace lol	2026-01-21 13:14:41 +09:00
h7x4	d82cc2e605	update and fix `packages.out-of-your-element	2026-01-21 12:49:13 +09:00
h7x4	93cf6f4a63	bicep/sshguard: disable sshguard doesn't actually work as it currently stands, also the builtin PerSourcePenalty functionality in SSH is more aggressive than sshguard is able to catch anyway. It might've been reasonable if we were using it for anything other than SSH, but it doesn't seem like we are.	2026-01-21 11:13:27 +09:00
h7x4	0f11cca8ec	bicep/matrix: use sops templates to render structured files	2026-01-21 11:08:26 +09:00
h7x4	d892acb331	bicep/matrix: have element-web source well-known from config	2026-01-21 10:49:09 +09:00
h7x4	aa07687a94	bicep/matrix: add synapse config to help with livekit	2026-01-21 10:48:37 +09:00
h7x4	e5dd5b6325	bicep/matrix: attempt to set up livekit	2026-01-21 10:14:08 +09:00
h7x4	75c52f63cc	bicep/matrix: add module for adding stuff to well-known	2026-01-21 10:14:07 +09:00
Felix Albrigtsen	6b5c12a4b8	Merge pull request 'Fix the heccin quotes - mikrobel 2026' (!120 ) from fix-quotes into main Reviewed-on: https://git.pvv.ntnu.no/Drift/pvv-nixos-config/pulls/120 Reviewed-by: Oystein Kristoffer Tveit <oysteikt@pvv.ntnu.no>	2026-01-20 09:43:33 +01:00
h7x4	633efc1a7d	ildkule: unbreak eval	2026-01-20 17:12:25 +09:00
Felix Albrigtsen	14e2ed7e32	Fix the heccin quotes	2026-01-19 21:09:41 +01:00
Vegard Bieker Matthey	489551a8e2	hosts/gluttony: init (!119 ) Reviewed-on: https://git.pvv.ntnu.no/Drift/pvv-nixos-config/pulls/119 Reviewed-by: Felix Albrigtsen <felixalb@pvv.ntnu.no> Co-authored-by: Vegard Bieker Matthey <VegardMatthey@protonmail.com> Co-committed-by: Vegard Bieker Matthey <VegardMatthey@protonmail.com>	2026-01-19 17:39:01 +01:00
h7x4	5e5a7f1969	flake.lock: bump minecraft-kartverket	2026-01-19 00:18:06 +09:00
fredrik	b933d19f91	bekkalokk/qotd: init	2026-01-17 22:11:37 +01:00
h7x4	60b6cd137f	flake.lock: bump pvv-nettsiden	2026-01-17 16:55:20 +09:00
h7x4	3a0ea9c338	base/polkit: default to username if in group `wheel`	2026-01-17 03:59:55 +09:00
h7x4	d66aab1e61	flake.lock: bump minecraft-kartverket	2026-01-17 03:59:29 +09:00
h7x4	a9b1e11eea	flake.lock: bump	2026-01-16 23:25:15 +09:00
h7x4	1fc3eb24cf	flake.lock: bump minecraft-kartverket	2026-01-16 19:50:51 +09:00
h7x4	9984af36f4	modules/gickup: fix linktree config eval	2026-01-16 15:38:34 +09:00
h7x4	1080589aef	secrets//: update keys	2026-01-16 07:36:43 +01:00
Vegard Bieker Matthey	1a62eee464	add vegardbm to sops.yaml	2026-01-16 07:36:43 +01:00
h7x4	586a7c3ee5	flake.lock: bump	2026-01-16 11:51:31 +09:00
h7x4	8ff879d830	modules/gickup: run linktree after gickup fetches are done	2026-01-16 11:51:01 +09:00
h7x4	005d987ead	bicep/git-mirrors: fix cgit config	2026-01-16 11:50:31 +09:00