Update hosts/bekkalokk/services/idp-simplesamlphp/default.nix

.gitea/workflows/build-topology-graph.yml

@@ -7,13 +7,16 @@ jobs:
   evals:
     runs-on: debian-latest
     steps:
-    - name: Install sudo
-      run: apt-get install --update --assume-yes sudo
-
     - uses: actions/checkout@v6
 
+    - name: Install sudo
+      run: apt-get update && apt-get -y install sudo
+
     - uses: https://github.com/cachix/install-nix-action@v31
 
+    - name: Configure Nix
+      run: echo -e "show-trace = true\nmax-jobs = auto\ntrusted-users = root\nexperimental-features = nix-command flakes\nbuild-users-group =" > /etc/nix/nix.conf
+
     - name: Build topology graph
       run: nix build .#topology -L
 

.gitea/workflows/eval.yml

@@ -6,11 +6,8 @@ jobs:
   evals:
     runs-on: debian-latest
     steps:
-    - name: Install sudo
-      run: apt-get install --update --assume-yes sudo
-
     - uses: actions/checkout@v6
-
+    - run: apt-get update && apt-get -y install sudo
     - uses: https://github.com/cachix/install-nix-action@v31
-
+    - run: echo -e "show-trace = true\nmax-jobs = auto\ntrusted-users = root\nexperimental-features = nix-command flakes\nbuild-users-group =" > /etc/nix/nix.conf
     - run: nix flake check

.sops.yaml

@@ -10,15 +10,17 @@ keys:
   - &user_vegardbm age1sqs7urnzsdy64efmd0zukzv3gs5pnjksuxd7nqmdwdy5l0nqnunq6hyune
 
   # Hosts
+  - &host_bakke age1syted6kt48sumjjucggh6r3uca4x2ppp4mfungf3lamkt2le05csc99633
   - &host_bekkalokk age12nj59tguy9wg882updc2vjdusx5srnxmjyfaqve4zx6jnnsaw3qsyjq6zd
   - &host_bicep age19nk55kcs7s0358jpkn75xnr57dfq6fq3p43nartvsprx0su22v7qcgcjdx
-  - &host_ildkule age102e6y8gah0ntr6fxqnkpepc8ar29p6ls7ks9ka7v8w87q8scm9yqmc2u8d
+  - &host_ildkule age1x28hmzvuv6f2n66c0jtqcca3h9rput8d7j5uek6jcpx8n9egd52sqpejq0
   - &host_kommode age1mt4d0hg5g76qp7j0884llemy0k2ymr5up8vfudz6vzvsflk5nptqqd32ly
-  - &host_lupine-1 age18lta9d683yekz487xwtd99da236d8mgk4ftlmv2jffx858p9qf2s9j868l
+  - &host_lupine-1 age1fkrypl6fu4ldsa7te4g3v4qsegnk7sd6qhkquuwzh04vguy96qus08902e
-  - &host_lupine-2 age1e0a4ru707v637wzmuxqv0xywmlkhunzgyfy4mrkjc7a23qq8msgq7nqtvt
+  - &host_lupine-2 age1mu0ej57n4s30ghealhyju3enls83qyjua69986la35t2yh0q2s0seruz5n
-  - &host_lupine-3 age1wmrrhd5deatmgflkas636u3rzuk46u9knl02v4t39ncs37xqquhq9vwzye
+  - &host_lupine-3 age1j2u876z8hu87q5npfxzzpfgllyw8ypj66d7cgelmzmnrf3xud34qzkntp9
-  - &host_lupine-4 age1ml48zztcmnrdrhrdsjrlyxf09jtmjgz46u8td4zm59wn3fm4g57qs4wg0l
+  - &host_lupine-4 age1t8zlawqkmhye737pn8yx0z3p9cl947d9ktv2cajdc6hnvn52d3fsc59s2k
-  - &host_lupine-5 age12gws5nws69vxryd3kt7q0ayngch90efmhqcrfhnnsmj00lkgxd4qsdkvqn
+  - &host_lupine-5 age199zkqq4jp4yc3d0hx2q0ksxdtp42xhmjsqwyngh8tswuck34ke3smrfyqu
+  - &host_skrott age1lpkju2e053aaddpgsr4ef83epclf4c9tp4m98d35ft2fswr8p4tq2ua0mf
   - &host_ustetind age1hffjafs4slznksefmtqrlj7rdaqgzqncn4un938rhr053237ry8s3rs0v8
   - &host_skrot age1hzkvnktkr8t5gvtq0ccw69e44z5z6wf00n3xhk3hj24emf07je5s6q2evr
 
@@ -121,6 +123,31 @@ creation_rules:
       pgp:
       - *user_oysteikt
 
+  - path_regex: secrets/bakke/[^/]+\.yaml$
+    key_groups:
+    - age:
+      - *host_bakke
+      - *user_danio
+      - *user_felixalb
+      - *user_pederbs_sopp
+      - *user_pederbs_nord
+      - *user_pederbs_bjarte
+      - *user_vegardbm
+      pgp:
+      - *user_oysteikt
+
+  - path_regex: secrets/skrott/[^/]+\.yaml$
+    key_groups:
+    - age:
+      - *host_skrott
+      - *user_danio
+      - *user_felixalb
+      - *user_pederbs_sopp
+      - *user_pederbs_nord
+      - *user_pederbs_bjarte
+      - *user_vegardbm
+      pgp:
+      - *user_oysteikt
   - path_regex: secrets/skrot/[^/]+\.yaml$
     key_groups:
     - age:

README.md

@@ -39,12 +39,11 @@ revert the changes on the next nightly rebuild (tends to happen when everybody i
 |  bikkje                    | Virtual  | Experimental login box                                    |
 | [brzeczyszczykiewicz][brz] | Physical | Shared music player                                       |
 | [georg][geo]               | Physical | Shared music player                                       |
-| [gluttony][glu]            | Virtual  | General purpose compute                                   |
 | [ildkule][ild]             | Virtual  | Logging and monitoring host, prometheus, grafana, ...     |
 | [kommode][kom]             | Virtual  | Gitea + Gitea pages                                       |
 | [lupine][lup]              | Physical | Gitea CI/CD runners                                       |
 |  shark                     | Virtual  | Test host for authentication, absolutely horrendous       |
-| [skrot][skr]               | Physical | Kiosk, snacks and soda                                    |
+| [skrot/skrott][skr]        | Physical | Kiosk, snacks and soda                                    |
 | [wenche][wen]              | Virtual  | Nix-builders, general purpose compute                     |
 
 ## Documentation
@@ -58,9 +57,8 @@ revert the changes on the next nightly rebuild (tends to happen when everybody i
 [bic]: https://wiki.pvv.ntnu.no/wiki/Maskiner/bicep
 [brz]: https://wiki.pvv.ntnu.no/wiki/Maskiner/brzęczyszczykiewicz
 [geo]: https://wiki.pvv.ntnu.no/wiki/Maskiner/georg
-[glu]: https://wiki.pvv.ntnu.no/wiki/Maskiner/gluttony
 [ild]: https://wiki.pvv.ntnu.no/wiki/Maskiner/ildkule
 [kom]: https://wiki.pvv.ntnu.no/wiki/Maskiner/kommode
 [lup]: https://wiki.pvv.ntnu.no/wiki/Maskiner/lupine
-[skr]: https://wiki.pvv.ntnu.no/wiki/Maskiner/Skrot
+[skr]: https://wiki.pvv.ntnu.no/wiki/Maskiner/Skrott
 [wen]: https://wiki.pvv.ntnu.no/wiki/Maskiner/wenche

base/default.nix

@@ -10,10 +10,7 @@
     (fp /users)
     (fp /modules/snakeoil-certs.nix)
 
-    ./mitigations.nix
-
     ./flake-input-exporter.nix
-    ./hardening.nix
     ./networking.nix
     ./nix.nix
     ./programs.nix
@@ -71,6 +68,8 @@
     fi
   '';
 
+  # security.lockKernelModules = true;
+  security.protectKernelImage = true;
   security.sudo.execWheelOnly = true;
   security.sudo.extraConfig = ''
     Defaults lecture = never

base/hardening.nix

@@ -1,64 +0,0 @@
-{ ... }:
-{
-  boot.blacklistedKernelModules = [
-    # Obscure network protocols
-    "appletalk"
-    "atm"
-    "ax25"
-    "batman-adv"
-    "can"
-    "netrom"
-    "psnap"
-    "rds"
-    "rose"
-    "sctp"
-    "tipc"
-
-    # Filesystems we don't use
-    "adfs"
-    "affs"
-    "befs"
-    "bfs"
-    "cifs"
-    "cramfs"
-    "efs"
-    "exofs"
-    "orangefs"
-    "freevxfs"
-    "gfs2"
-    "hfs"
-    "hfsplus"
-    "hpfs"
-    "jffs2"
-    "jfs"
-    "minix"
-    "nilfs2"
-    "ntfs"
-    "omfs"
-    "qnx4"
-    "qnx6"
-    "sysv"
-    "ubifs"
-    "ufs"
-
-    # Legacy hardware
-    "pcspkr"
-    "floppy"
-    "parport"
-    "ppdev"
-
-    # Other stuff we don't use
-    "firewire-core"
-    "firewire-ohci"
-    "ksmbd"
-    "ib_core"
-    "l2tp_eth"
-    "l2tp_netlink"
-    "l2tp_ppp"
-    "nfc"
-    "soundwire"
-  ];
-
-  # security.lockKernelModules = true;
-  security.protectKernelImage = true;
-}

base/mitigations.nix

@@ -1,17 +0,0 @@
-{ ... }:
-
-{
-  boot.blacklistedKernelModules = [
-  "rxrpc" # dirtyfrag
-  "esp6" # dirtyfrag
-  "esp4" # dirtyfrag
-];
-boot.extraModprobeConfig = ''
-  # dirtyfrag
-  install esp4 /bin/false
-  # dirtyfrag
-  install esp6 /bin/false
-  # dirtyfrag
-  install rxrpc /bin/false
-'';
-}

base/services/acme.nix

@@ -2,7 +2,7 @@
 {
   security.acme = {
     acceptTerms = true;
-    defaults.email = "drift@pvv.ntnu.no";
+    defaults.email = "acme-drift@pvv.ntnu.no";
   };
 
   # Let's not spam LetsEncrypt in `nixos-rebuild build-vm` mode:

flake.lock

@@ -1,20 +1,5 @@
 {
   "nodes": {
-    "crane": {
-      "locked": {
-        "lastModified": 1776635034,
-        "narHash": "sha256-OEOJrT3ZfwbChzODfIH4GzlNTtOFuZFWPtW7jIeR8xU=",
-        "owner": "ipetkov",
-        "repo": "crane",
-        "rev": "dc7496d8ea6e526b1254b55d09b966e94673750f",
-        "type": "github"
-      },
-      "original": {
-        "owner": "ipetkov",
-        "repo": "crane",
-        "type": "github"
-      }
-    },
     "dibbler": {
       "inputs": {
         "nixpkgs": [
@@ -22,11 +7,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1771267058,
+        "lastModified": 1770133120,
-        "narHash": "sha256-EEL4SmD1b3BPJPsSJJ4wDTXWMumJqbR+BLzhJJG0skE=",
+        "narHash": "sha256-RuAWONXb+U3omSsuIPCrPcgj0XYqv+2djG0cnPGEyKg=",
         "ref": "main",
-        "rev": "e3962d02c78b9c7b4d18148d931a9a4bf22e7902",
+        "rev": "3123b8b474319bc75ee780e0357dcdea69dc85e6",
-        "revCount": 254,
+        "revCount": 244,
         "type": "git",
         "url": "https://git.pvv.ntnu.no/Projects/dibbler.git"
       },
@@ -62,11 +47,11 @@
         "nixpkgs-lib": "nixpkgs-lib"
       },
       "locked": {
-        "lastModified": 1772408722,
+        "lastModified": 1765835352,
-        "narHash": "sha256-rHuJtdcOjK7rAHpHphUb1iCvgkU3GpfvicLMwwnfMT0=",
+        "narHash": "sha256-XswHlK/Qtjasvhd1nOa1e8MgZ8GS//jBoTqWtrS1Giw=",
         "owner": "hercules-ci",
         "repo": "flake-parts",
-        "rev": "f20dc5d9b8027381c474144ecabc9034d6a839a3",
+        "rev": "a34fae9c08a15ad73f295041fec82323541400a9",
         "type": "github"
       },
       "original": {
@@ -78,15 +63,15 @@
     "gergle": {
       "inputs": {
         "nixpkgs": [
-          "nixpkgs-unstable"
+          "nixpkgs"
         ]
       },
       "locked": {
-        "lastModified": 1777067150,
+        "lastModified": 1767906545,
-        "narHash": "sha256-vqPz8jCS1zTQlvmgctUFpvnr6f9ISR5h7CPG/HgQvf0=",
+        "narHash": "sha256-LOf08pcjEQFLs3dLPuep5d1bAXWOFcdfxuk3YMb5KWw=",
         "ref": "main",
-        "rev": "b452a854fb78d6df9fe062b45e23a968657d115d",
+        "rev": "e55cbe0ce0b20fc5952ed491fa8a553c8afb1bdd",
-        "revCount": 35,
+        "revCount": 23,
         "type": "git",
         "url": "https://git.pvv.ntnu.no/Grzegorz/gergle.git"
       },
@@ -99,15 +84,15 @@
     "greg-ng": {
       "inputs": {
         "nixpkgs": [
-          "nixpkgs-unstable"
+          "nixpkgs"
         ],
         "rust-overlay": "rust-overlay"
       },
       "locked": {
-        "lastModified": 1777019032,
+        "lastModified": 1767906494,
-        "narHash": "sha256-29lw7THThWb5DW01rVRj1b816Apwz/P4m2wVWaSIadU=",
+        "narHash": "sha256-Dd6gtdZfRMAD6JhdX0GdJwIHVaBikePSpQXhIdwLlWI=",
         "ref": "main",
-        "rev": "55262afca46c96f75a834d4e00e30d5fb20affb6",
+        "rev": "7258822e2e90fea2ea00b13b5542f63699e33a9e",
         "revCount": 61,
         "type": "git",
         "url": "https://git.pvv.ntnu.no/Grzegorz/greg-ng.git"
@@ -232,11 +217,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1778407980,
+        "lastModified": 1769018862,
-        "narHash": "sha256-r980BhsReZQe6FkmyNZkwCZpvzARo5jZgTl8HxjAssY=",
+        "narHash": "sha256-x3eMpPQhZwEDunyaUos084Hx41XwYTi2uHY4Yc4YNlk=",
         "owner": "oddlama",
         "repo": "nix-topology",
-        "rev": "ca0a602f650306d00d6f3e3c76d0f4c48a5c5adc",
+        "rev": "a15cac71d3399a4c2d1a3482ae62040a3a0aa07f",
         "type": "github"
       },
       "original": {
@@ -248,11 +233,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1778544512,
+        "lastModified": 1769724120,
-        "narHash": "sha256-VIsPgfIpZ/01XUO6WN+o1NZbP5iKPKPHdHPWqfm4XIg=",
+        "narHash": "sha256-oQBM04hQk1kotfv4qmIG1tHmuwODd1+hqRJE5TELeCE=",
-        "rev": "c417517f9d525181ee5619c683419d308ee29fe8",
+        "rev": "8ec59ed5093c2a742d7744e9ecf58f358aa4a87d",
         "type": "tarball",
-        "url": "https://releases.nixos.org/nixos/25.11-small/nixos-25.11.10745.c417517f9d52/nixexprs.tar.xz"
+        "url": "https://releases.nixos.org/nixos/25.11-small/nixos-25.11.4961.8ec59ed5093c/nixexprs.tar.xz"
       },
       "original": {
         "type": "tarball",
@@ -261,11 +246,11 @@
     },
     "nixpkgs-lib": {
       "locked": {
-        "lastModified": 1772328832,
+        "lastModified": 1765674936,
-        "narHash": "sha256-e+/T/pmEkLP6BHhYjx6GmwP5ivonQQn0bJdH9YrRB+Q=",
+        "narHash": "sha256-k00uTP4JNfmejrCLJOwdObYC9jHRrr/5M/a/8L2EIdo=",
         "owner": "nix-community",
         "repo": "nixpkgs.lib",
-        "rev": "c185c7a5e5dd8f9add5b2f8ebeff00888b070742",
+        "rev": "2075416fcb47225d9b68ac469a5c4801a9c4dd85",
         "type": "github"
       },
       "original": {
@@ -276,11 +261,11 @@
     },
     "nixpkgs-unstable": {
       "locked": {
-        "lastModified": 1778586796,
+        "lastModified": 1769813739,
-        "narHash": "sha256-XmDljcG4x8slQDlsWOc77pCA1YVuYn8JGumkYlhfTxI=",
+        "narHash": "sha256-RmNWW1DQczvDwBHu11P0hGwJZxbngdoymVu7qkwq/2M=",
-        "rev": "b25e938b89759b5f9466fc53c4a970244f84dc39",
+        "rev": "16a3cae5c2487b1afa240e5f2c1811f172419558",
         "type": "tarball",
-        "url": "https://releases.nixos.org/nixos/unstable-small/nixos-26.05pre996582.b25e938b8975/nixexprs.tar.xz"
+        "url": "https://releases.nixos.org/nixos/unstable-small/nixos-26.05pre937548.16a3cae5c248/nixexprs.tar.xz"
       },
       "original": {
         "type": "tarball",
@@ -315,11 +300,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1778960428,
+        "lastModified": 1769009806,
-        "narHash": "sha256-YAs3LbFGlBLJW3xHeoQfTq2GBBXTvuSKl2WXDtloczU=",
+        "narHash": "sha256-52xTtAOc9B+MBRMRZ8HI6ybNsRLMlHHLh+qwAbaJjRY=",
         "ref": "main",
-        "rev": "927748790b1f7159adfe32a3ad9ec01d22e9c5a2",
+        "rev": "aa8adfc6a4d5b6222752e2d15d4a6d3b3b85252e",
-        "revCount": 583,
+        "revCount": 575,
         "type": "git",
         "url": "https://git.pvv.ntnu.no/Projects/nettsiden.git"
       },
@@ -373,24 +358,22 @@
     },
     "roowho2": {
       "inputs": {
-        "crane": "crane",
         "nixpkgs": [
           "nixpkgs"
         ],
         "rust-overlay": "rust-overlay_3"
       },
       "locked": {
-        "lastModified": 1778600367,
+        "lastModified": 1769834595,
-        "narHash": "sha256-YB0b2xUf4D8792D5Ay//7C3AjHyv+9yoy8K1mTe+wvE=",
+        "narHash": "sha256-P1jrO7BxHyIKDuOXHuUb7bi4H2TuYnACW5eqf1gG47g=",
         "ref": "main",
-        "rev": "8e5f2849ff7c9616100fe928261512a7ad647939",
+        "rev": "def4eec2d59a69b4638b3f25d6d713b703b2fa56",
-        "revCount": 91,
+        "revCount": 49,
         "type": "git",
         "url": "https://git.pvv.ntnu.no/Projects/roowho2.git"
       },
       "original": {
         "ref": "main",
-        "rev": "8e5f2849ff7c9616100fe928261512a7ad647939",
         "type": "git",
         "url": "https://git.pvv.ntnu.no/Projects/roowho2.git"
       }
@@ -403,11 +386,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1777000482,
+        "lastModified": 1767840362,
-        "narHash": "sha256-CZ5FKUSA8FCJf0h9GWdPJXoVVDL9H5yC74GkVc5ubIM=",
+        "narHash": "sha256-ZtsFqUhilubohNZ1TgpQIFsi4biZTwRH9rjZsDRDik8=",
         "owner": "oxalica",
         "repo": "rust-overlay",
-        "rev": "403c09094a877e6c4816462d00b1a56ff8198e06",
+        "rev": "d159ea1fc321c60f88a616ac28bab660092a227d",
         "type": "github"
       },
       "original": {
@@ -445,11 +428,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1776914043,
+        "lastModified": 1769309768,
-        "narHash": "sha256-qug5r56yW1qOsjSI99l3Jm15JNT9CvS2otkXNRNtrPI=",
+        "narHash": "sha256-AbOIlNO+JoqRJkK1VrnDXhxuX6CrdtIu2hSuy4pxi3g=",
         "owner": "oxalica",
         "repo": "rust-overlay",
-        "rev": "2d35c4358d7de3a0e606a6e8b27925d981c01cc3",
+        "rev": "140c9dc582cb73ada2d63a2180524fcaa744fad5",
         "type": "github"
       },
       "original": {
@@ -465,11 +448,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1777944972,
+        "lastModified": 1769469829,
-        "narHash": "sha256-VfGRo1qTBKOe3s2gOv8LSoA6Fk19PvBlwQ1ECN0Evn8=",
+        "narHash": "sha256-wFcr32ZqspCxk4+FvIxIL0AZktRs6DuF8oOsLt59YBU=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "c591bf665727040c6cc5cb409079acb22dcce33c",
+        "rev": "c5eebd4eb2e3372fe12a8d70a248a6ee9dd02eff",
         "type": "github"
       },
       "original": {

flake.nix

@@ -32,13 +32,13 @@
     minecraft-heatmap.url = "git+https://git.pvv.ntnu.no/Projects/minecraft-heatmap.git?ref=main";
     minecraft-heatmap.inputs.nixpkgs.follows = "nixpkgs";
 
-    roowho2.url = "git+https://git.pvv.ntnu.no/Projects/roowho2.git?ref=main&rev=8e5f2849ff7c9616100fe928261512a7ad647939";
+    roowho2.url = "git+https://git.pvv.ntnu.no/Projects/roowho2.git?ref=main";
     roowho2.inputs.nixpkgs.follows = "nixpkgs";
 
     greg-ng.url = "git+https://git.pvv.ntnu.no/Grzegorz/greg-ng.git?ref=main";
-    greg-ng.inputs.nixpkgs.follows = "nixpkgs-unstable";
+    greg-ng.inputs.nixpkgs.follows = "nixpkgs";
     gergle.url = "git+https://git.pvv.ntnu.no/Grzegorz/gergle.git?ref=main";
-    gergle.inputs.nixpkgs.follows = "nixpkgs-unstable";
+    gergle.inputs.nixpkgs.follows = "nixpkgs";
     grzegorz-clients.url = "git+https://git.pvv.ntnu.no/Grzegorz/grzegorz-clients.git?ref=master";
     grzegorz-clients.inputs.nixpkgs.follows = "nixpkgs";
 
@@ -49,14 +49,8 @@
     qotd.inputs.nixpkgs.follows = "nixpkgs";
   };
 
-  outputs = {
+  outputs = { self, nixpkgs, nixpkgs-unstable, sops-nix, disko, ... }@inputs:
-    self,
+  let
-    nixpkgs,
-    nixpkgs-unstable,
-    sops-nix,
-    disko,
-    ...
-  } @ inputs: let
     inherit (nixpkgs) lib;
     systems = [
       "x86_64-linux"
@@ -68,205 +62,221 @@
     importantMachines = [
       "bekkalokk"
       "bicep"
+      "brzeczyszczykiewicz"
       "georg"
       "ildkule"
-      "kommode"
-      "lupine-1"
-      "skrot"
     ];
   in {
     inputs = lib.mapAttrs (_: src: src.outPath) inputs;
 
-    pkgs = forAllSystems (system:
+    pkgs = forAllSystems (system: import nixpkgs {
-      import nixpkgs {
+      inherit system;
-        inherit system;
+      config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg)
-        config.allowUnfreePredicate = pkg:
+        [
-          builtins.elem (lib.getName pkg)
+          "nvidia-x11"
-          [
+          "nvidia-settings"
-            "nvidia-x11"
+        ];
-            "nvidia-settings"
+    });
-          ];
-      });
 
     nixosConfigurations = let
-      nixosConfig = nixpkgs: name: configurationPath: extraArgs @ {
+      nixosConfig =
-        localSystem ? "x86_64-linux", # buildPlatform
+        nixpkgs:
-        crossSystem ? "x86_64-linux", # hostPlatform
+        name:
-        specialArgs ? {},
+        configurationPath:
-        modules ? [],
+        extraArgs@{
-        overlays ? [],
+          localSystem ? "x86_64-linux", # buildPlatform
-        enableDefaults ? true,
+          crossSystem ? "x86_64-linux", # hostPlatform
-        ...
+          specialArgs ? { },
-      }: let
+          modules ? [ ],
-        commonPkgsConfig =
+          overlays ? [ ],
-          {
+          enableDefaults ? true,
-            config.allowUnfreePredicate = pkg:
+          ...
-              builtins.elem (lib.getName pkg)
+        }:
+        let
+          commonPkgsConfig = {
+            inherit localSystem crossSystem;
+            config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg)
               [
                 "nvidia-x11"
                 "nvidia-settings"
               ];
-            overlays =
+            overlays = (lib.optionals enableDefaults [
-              (lib.optionals enableDefaults [
+              # Global overlays go here
-                # Global overlays go here
+              inputs.roowho2.overlays.default
-                inputs.roowho2.overlays.default
+            ]) ++ overlays;
-              ])
+          };
-              ++ overlays;
+
-          }
+          pkgs = import nixpkgs commonPkgsConfig;
-          // (
+          unstablePkgs = import nixpkgs-unstable commonPkgsConfig;
-            if localSystem != crossSystem
+        in
-            then {
+        lib.nixosSystem (lib.recursiveUpdate
-              inherit localSystem crossSystem;
+        {
+          system = crossSystem;
+
+          inherit pkgs;
+
+          specialArgs = {
+            inherit inputs unstablePkgs;
+            values = import ./values.nix;
+            fp = path: ./${path};
+          } // specialArgs;
+
+          modules = [
+            {
+              networking.hostName = lib.mkDefault name;
             }
-            else {
+            configurationPath
-              system = crossSystem;
+          ] ++ (lib.optionals enableDefaults [
-            }
+            sops-nix.nixosModules.sops
-          );
+            inputs.roowho2.nixosModules.default
-        pkgs = import nixpkgs commonPkgsConfig;
+            self.nixosModules.rsync-pull-targets
-        unstablePkgs = import nixpkgs-unstable commonPkgsConfig;
+          ]) ++ modules;
-      in
+        }
-        lib.nixosSystem (
+        (builtins.removeAttrs extraArgs [
-          lib.recursiveUpdate
+          "localSystem"
-          {
+          "crossSystem"
-            system = crossSystem;
+          "modules"
-
+          "overlays"
-            inherit pkgs;
+          "specialArgs"
-
+          "enableDefaults"
-            specialArgs =
+        ])
-              {
+      );
-                inherit inputs unstablePkgs;
-                values = import ./values.nix;
-                fp = path: ./${path};
-              }
-              // specialArgs;
-
-            modules =
-              [
-                {
-                  networking.hostName = lib.mkDefault name;
-                }
-                configurationPath
-              ]
-              ++ (lib.optionals enableDefaults [
-                sops-nix.nixosModules.sops
-                inputs.roowho2.nixosModules.default
-                self.nixosModules.rsync-pull-targets
-              ])
-              ++ modules;
-          }
-          (builtins.removeAttrs extraArgs [
-            "localSystem"
-            "crossSystem"
-            "modules"
-            "overlays"
-            "specialArgs"
-            "enableDefaults"
-          ])
-        );
 
       stableNixosConfig = name: extraArgs:
-        nixosConfig nixpkgs name ./hosts/${name}/configuration.nix extraArgs;
+          nixosConfig nixpkgs name ./hosts/${name}/configuration.nix extraArgs;
-    in
+    in {
-      {
+      bakke = stableNixosConfig "bakke" {
-        bicep = stableNixosConfig "bicep" {
+        modules = [
-          modules = [
+          inputs.disko.nixosModules.disko
-            inputs.matrix-next.nixosModules.default
+        ];
-            inputs.pvv-calendar-bot.nixosModules.default
+      };
-            inputs.minecraft-heatmap.nixosModules.default
+      bicep = stableNixosConfig "bicep" {
-            self.nixosModules.gickup
+        modules = [
-            self.nixosModules.matrix-ooye
+          inputs.matrix-next.nixosModules.default
-          ];
+          inputs.pvv-calendar-bot.nixosModules.default
-          overlays = [
+          inputs.minecraft-heatmap.nixosModules.default
-            inputs.pvv-calendar-bot.overlays.default
+          self.nixosModules.gickup
-            inputs.minecraft-heatmap.overlays.default
+          self.nixosModules.matrix-ooye
-            (final: prev: {
+        ];
-              inherit (self.packages.${prev.stdenv.hostPlatform.system}) out-of-your-element;
+        overlays = [
-            })
+          inputs.pvv-calendar-bot.overlays.default
-          ];
+          inputs.minecraft-heatmap.overlays.default
-        };
+          (final: prev: {
-        bekkalokk = stableNixosConfig "bekkalokk" {
+            inherit (self.packages.${prev.stdenv.hostPlatform.system}) out-of-your-element;
-          overlays = [
+          })
-            (final: prev: {
+        ];
-              mediawiki-extensions = final.callPackage ./packages/mediawiki-extensions {};
+      };
-              simplesamlphp = final.callPackage ./packages/simplesamlphp {};
+      bekkalokk = stableNixosConfig "bekkalokk" {
-              bluemap = final.callPackage ./packages/bluemap.nix {};
+        overlays = [
-            })
+          (final: prev: {
-            inputs.pvv-nettsiden.overlays.default
+            mediawiki-extensions = final.callPackage ./packages/mediawiki-extensions { };
-            inputs.qotd.overlays.default
+            simplesamlphp = final.callPackage ./packages/simplesamlphp { };
-          ];
+            simplesamlphptheme = final.callPackage ./packages/simplesamlphptheme { };
-          modules = [
+            bluemap = final.callPackage ./packages/bluemap.nix { };
-            inputs.pvv-nettsiden.nixosModules.default
+          })
-            self.nixosModules.bluemap
+          inputs.pvv-nettsiden.overlays.default
-            inputs.qotd.nixosModules.default
+          inputs.qotd.overlays.default
-          ];
+        ];
-        };
+        modules = [
-        ildkule = stableNixosConfig "ildkule" {
+          inputs.pvv-nettsiden.nixosModules.default
-          modules = [
+          self.nixosModules.bluemap
-            inputs.disko.nixosModules.disko
+          inputs.qotd.nixosModules.default
-          ];
+        ];
-        };
+      };
-        #ildkule-unstable = unstableNixosConfig "ildkule" { };
+      ildkule = stableNixosConfig "ildkule" { };
-        skrot = stableNixosConfig "skrot" {
+      #ildkule-unstable = unstableNixosConfig "ildkule" { };
-          modules = [
+      skrot = stableNixosConfig "skrot" {
-            inputs.disko.nixosModules.disko
+        modules = [
-            inputs.dibbler.nixosModules.default
+          inputs.disko.nixosModules.disko
-          ];
+          inputs.dibbler.nixosModules.default
-          overlays = [inputs.dibbler.overlays.default];
+        ];
-        };
+        overlays = [inputs.dibbler.overlays.default];
-        shark = stableNixosConfig "shark" {};
+      };
-        wenche = stableNixosConfig "wenche" {};
+      shark = stableNixosConfig "shark" { };
-        temmie = stableNixosConfig "temmie" {};
+      wenche = stableNixosConfig "wenche" { };
-        gluttony = stableNixosConfig "gluttony" {};
+      temmie = stableNixosConfig "temmie" { };
+      gluttony = stableNixosConfig "gluttony" { };
 
-        kommode = stableNixosConfig "kommode" {
+      kommode = stableNixosConfig "kommode" {
-          overlays = [
+        overlays = [
-            inputs.nix-gitea-themes.overlays.default
+          inputs.nix-gitea-themes.overlays.default
-          ];
+        ];
-          modules = [
+        modules = [
-            inputs.nix-gitea-themes.nixosModules.default
+          inputs.nix-gitea-themes.nixosModules.default
-            inputs.disko.nixosModules.disko
+          inputs.disko.nixosModules.disko
-          ];
+        ];
-        };
+      };
 
-        ustetind = stableNixosConfig "ustetind" {
+      ustetind = stableNixosConfig "ustetind" {
-          modules = [
+        modules = [
-            "${nixpkgs}/nixos/modules/virtualisation/lxc-container.nix"
+         "${nixpkgs}/nixos/modules/virtualisation/lxc-container.nix"
-          ];
+        ];
-        };
+      };
 
-        brzeczyszczykiewicz = stableNixosConfig "brzeczyszczykiewicz" {
+      brzeczyszczykiewicz = stableNixosConfig "brzeczyszczykiewicz" {
-          modules = [
+        modules = [
-            inputs.grzegorz-clients.nixosModules.grzegorz-webui
+          inputs.grzegorz-clients.nixosModules.grzegorz-webui
-            inputs.gergle.nixosModules.default
+          inputs.gergle.nixosModules.default
-            inputs.greg-ng.nixosModules.default
+          inputs.greg-ng.nixosModules.default
-          ];
+        ];
-          overlays = [
+        overlays = [
-            inputs.greg-ng.overlays.default
+          inputs.greg-ng.overlays.default
-            inputs.gergle.overlays.default
+          inputs.gergle.overlays.default
-          ];
+        ];
-        };
+      };
-        georg = stableNixosConfig "georg" {
+      georg = stableNixosConfig "georg" {
-          modules = [
+        modules = [
-            inputs.grzegorz-clients.nixosModules.grzegorz-webui
+          inputs.grzegorz-clients.nixosModules.grzegorz-webui
-            inputs.gergle.nixosModules.default
+          inputs.gergle.nixosModules.default
-            inputs.greg-ng.nixosModules.default
+          inputs.greg-ng.nixosModules.default
-          ];
+        ];
-          overlays = [
+        overlays = [
-            inputs.greg-ng.overlays.default
+          inputs.greg-ng.overlays.default
-            inputs.gergle.overlays.default
+          inputs.gergle.overlays.default
-          ];
+        ];
-        };
+      };
-      }
+    }
-      // (let
+    //
-        machineNames = map (i: "lupine-${toString i}") (lib.range 1 5);
+    (let
-        stableLupineNixosConfig = name: extraArgs:
+      skrottConfig = {
+        modules = [
+          (nixpkgs + "/nixos/modules/installer/sd-card/sd-image-aarch64.nix")
+          inputs.dibbler.nixosModules.default
+        ];
+        overlays = [
+          inputs.dibbler.overlays.default
+          (final: prev: {
+            # NOTE: Yeetus (these break crosscompile ¯\_(ツ)_/¯)
+            atool = prev.emptyDirectory;
+            micro = prev.emptyDirectory;
+            ncdu = prev.emptyDirectory;
+          })
+        ];
+      };
+    in {
+      skrott = self.nixosConfigurations.skrott-native;
+      skrott-native = stableNixosConfig "skrott" (skrottConfig // {
+        localSystem = "aarch64-linux";
+        crossSystem = "aarch64-linux";
+      });
+      skrott-cross = stableNixosConfig "skrott" (skrottConfig // {
+        localSystem = "x86_64-linux";
+        crossSystem = "aarch64-linux";
+      });
+      skrott-x86_64 = stableNixosConfig "skrott" (skrottConfig // {
+        localSystem = "x86_64-linux";
+        crossSystem = "x86_64-linux";
+      });
+    })
+    //
+    (let
+      machineNames = map (i: "lupine-${toString i}") (lib.range 1 5);
+      stableLupineNixosConfig = name: extraArgs:
           nixosConfig nixpkgs name ./hosts/lupine/configuration.nix extraArgs;
-      in
+    in lib.genAttrs machineNames (name: stableLupineNixosConfig name {
-        lib.genAttrs machineNames (name:
+      modules = [{ networking.hostName = name; }];
-          stableLupineNixosConfig name {
+      specialArgs.lupineName = name;
-            modules = [{networking.hostName = name;}];
+    }));
-            specialArgs.lupineName = name;
-          }));
 
     nixosModules = {
       bluemap = ./modules/bluemap.nix;
@@ -288,8 +298,7 @@
             })
           ];
         };
-      in
+      in pkgs.callPackage ./shell.nix { };
-        pkgs.callPackage ./shell.nix {};
       cuda = let
         cuda-pkgs = import nixpkgs-unstable {
           inherit system;
@@ -298,88 +307,91 @@
             cudaSupport = true;
           };
         };
-      in
+      in cuda-pkgs.callPackage ./shells/cuda.nix { };
-        cuda-pkgs.callPackage ./shells/cuda.nix {};
     });
 
     packages = {
       "x86_64-linux" = let
         system = "x86_64-linux";
         pkgs = nixpkgs.legacyPackages.${system};
-      in
+      in rec {
-        rec {
+        default = important-machines;
-          default = important-machines;
+        important-machines = pkgs.linkFarm "important-machines"
-          important-machines =
+          (lib.getAttrs importantMachines self.packages.${system});
-            pkgs.linkFarm "important-machines"
+        all-machines = pkgs.linkFarm "all-machines"
-            (lib.getAttrs importantMachines self.packages.${system});
+          (lib.getAttrs allMachines self.packages.${system});
-          all-machines =
-            pkgs.linkFarm "all-machines"
-            (lib.getAttrs allMachines self.packages.${system});
 
-          simplesamlphp = pkgs.callPackage ./packages/simplesamlphp {};
+        simplesamlphp = pkgs.callPackage ./packages/simplesamlphp { };
 
-          bluemap = pkgs.callPackage ./packages/bluemap.nix {};
+        bluemap = pkgs.callPackage ./packages/bluemap.nix { };
 
-          out-of-your-element = pkgs.callPackage ./packages/ooye/package.nix {};
+        out-of-your-element = pkgs.callPackage ./packages/ooye/package.nix { };
-        }
+      }
-        //
+      //
-        # Mediawiki extensions
+      # Mediawiki extensions
-        (lib.pipe null [
+      (lib.pipe null [
-          (_: pkgs.callPackage ./packages/mediawiki-extensions {})
+        (_: pkgs.callPackage ./packages/mediawiki-extensions { })
-          (lib.flip builtins.removeAttrs ["override" "overrideDerivation"])
+        (lib.flip builtins.removeAttrs ["override" "overrideDerivation"])
-          (lib.mapAttrs' (name: lib.nameValuePair "mediawiki-${name}"))
+        (lib.mapAttrs' (name: lib.nameValuePair "mediawiki-${name}"))
-        ])
+      ])
-        //
+      //
-        # Machines
+      # Machines
-        lib.genAttrs allMachines
+      lib.genAttrs allMachines
         (machine: self.nixosConfigurations.${machine}.config.system.build.toplevel)
-        //
+      //
-        # Nix-topology
+      # Skrott is exception
-        (let
+      {
-          topology' = import inputs.nix-topology {
+        skrott = self.packages.${system}.skrott-native-sd;
-            pkgs = import nixpkgs {
+        skrott-native = self.nixosConfigurations.skrott-native.config.system.build.toplevel;
-              inherit system;
+        skrott-native-sd = self.nixosConfigurations.skrott-native.config.system.build.sdImage;
-              overlays = [
+        skrott-cross = self.nixosConfigurations.skrott-cross.config.system.build.toplevel;
-                inputs.nix-topology.overlays.default
+        skrott-cross-sd = self.nixosConfigurations.skrott-cross.config.system.build.sdImage;
-                (final: prev: {
+        skrott-x86_64 = self.nixosConfigurations.skrott-x86_64.config.system.build.toplevel;
-                  inherit (nixpkgs-unstable.legacyPackages.${system}) super-tiny-icons;
+      }
-                })
+      //
-              ];
+      # Nix-topology
-            };
+      (let
-
+        topology' = import inputs.nix-topology {
-            specialArgs = {
+          pkgs = import nixpkgs {
-              values = import ./values.nix;
+            inherit system;
-            };
+            overlays = [
-
+              inputs.nix-topology.overlays.default
-            modules = [
+              (final: prev: {
-              ./topology
+                inherit (nixpkgs-unstable.legacyPackages.${system}) super-tiny-icons;
-              {
+              })
-                nixosConfigurations = lib.mapAttrs (_name: nixosCfg:
-                  nixosCfg.extendModules {
-                    modules = [
-                      inputs.nix-topology.nixosModules.default
-                      ./topology/service-extractors/greg-ng.nix
-                      ./topology/service-extractors/postgresql.nix
-                      ./topology/service-extractors/mysql.nix
-                      ./topology/service-extractors/gitea-runners.nix
-                    ];
-                  })
-                self.nixosConfigurations;
-              }
             ];
           };
-        in {
+
-          topology = topology'.config.output;
+          specialArgs = {
-          topology-png =
+            values = import ./values.nix;
-            pkgs.runCommand "pvv-config-topology-png" {
+          };
-              nativeBuildInputs = [pkgs.writableTmpDirAsHomeHook];
+
-            } ''
+          modules = [
-              mkdir -p "$out"
+            ./topology
-              for file in '${topology'.config.output}'/*.svg; do
+            {
-                ${lib.getExe pkgs.imagemagick} -density 300 -background none "$file" "$out"/"$(basename "''${file%.svg}.png")"
+              nixosConfigurations = lib.mapAttrs (_name: nixosCfg: nixosCfg.extendModules {
-              done
+                modules = [
-            '';
+                  inputs.nix-topology.nixosModules.default
-        });
+                  ./topology/service-extractors/greg-ng.nix
+                  ./topology/service-extractors/postgresql.nix
+                  ./topology/service-extractors/mysql.nix
+                  ./topology/service-extractors/gitea-runners.nix
+                ];
+              }) self.nixosConfigurations;
+            }
+          ];
+        };
+      in {
+        topology = topology'.config.output;
+        topology-png = pkgs.runCommand "pvv-config-topology-png" {
+          nativeBuildInputs = [ pkgs.writableTmpDirAsHomeHook ];
+        } ''
+          mkdir -p "$out"
+          for file in '${topology'.config.output}'/*.svg; do
+            ${lib.getExe pkgs.imagemagick} -density 300 -background none "$file" "$out"/"$(basename "''${file%.svg}.png")"
+          done
+        '';
+      });
     };
   };
 }

hosts/bakke/configuration.nix

@@ -0,0 +1,18 @@
+{ config, pkgs, values, ... }:
+{
+  imports = [
+      ./hardware-configuration.nix
+      ../../base
+      ./filesystems.nix
+    ];
+
+  networking.hostId = "99609ffc";
+  systemd.network.networks."30-enp2s0" = values.defaultNetworkConfig // {
+    matchConfig.Name = "enp2s0";
+    address = with values.hosts.bakke; [ (ipv4 + "/25") (ipv6 + "/64") ];
+  };
+
+  # Don't change (even during upgrades) unless you know what you are doing.
+  # See https://search.nixos.org/options?show=system.stateVersion
+  system.stateVersion = "24.05";
+}

hosts/bakke/disks.nix

@@ -0,0 +1,83 @@
+{
+  # https://github.com/nix-community/disko/blob/master/example/boot-raid1.nix
+  # Note: Disko was used to create the initial md raid, but is no longer in active use on this host.
+  disko.devices = {
+    disk = {
+      one = {
+        type = "disk";
+        device = "/dev/disk/by-id/ata-WDC_WD40EFRX-68WT0N0_WD-WCC4E2EER6N6";
+        content = {
+          type = "gpt";
+          partitions = {
+            ESP = {
+              size = "500M";
+              type = "EF00";
+              content = {
+                type = "mdraid";
+                name = "boot";
+              };
+            };
+            mdadm = {
+              size = "100%";
+              content = {
+                type = "mdraid";
+                name = "raid1";
+              };
+            };
+          };
+        };
+      };
+      two = {
+        type = "disk";
+        device = "/dev/disk/by-id/ata-WDC_WD40EFRX-68WT0N0_WD-WCC4E7LPLU71";
+        content = {
+          type = "gpt";
+          partitions = {
+            ESP = {
+              size = "500M";
+              type = "EF00";
+              content = {
+                type = "mdraid";
+                name = "boot";
+              };
+            };
+            mdadm = {
+              size = "100%";
+              content = {
+                type = "mdraid";
+                name = "raid1";
+              };
+            };
+          };
+        };
+      };
+    };
+    mdadm = {
+      boot = {
+        type = "mdadm";
+        level = 1;
+        metadata = "1.0";
+        content = {
+          type = "filesystem";
+          format = "vfat";
+          mountpoint = "/boot";
+        };
+      };
+      raid1 = {
+        type = "mdadm";
+        level = 1;
+        content = {
+          type = "gpt";
+          partitions.primary = {
+            size = "100%";
+            content = {
+              type = "filesystem";
+              format = "ext4";
+              mountpoint = "/";
+            };
+          };
+        };
+      };
+    };
+  };
+}

hosts/bakke/filesystems.nix

@@ -0,0 +1,26 @@
+{ pkgs,... }:
+{
+  # Boot drives:
+  boot.swraid.enable = true;
+
+  # ZFS Data pool:
+  boot = {
+    zfs = {
+      extraPools = [ "tank" ];
+      requestEncryptionCredentials = false;
+    };
+    supportedFilesystems.zfs = true;
+    # Use stable linux packages, these work with zfs
+    kernelPackages = pkgs.linuxPackages;
+  };
+  services.zfs.autoScrub = {
+    enable = true;
+    interval = "Wed *-*-8..14 00:00:00";
+  };
+
+  # NFS Exports:
+  #TODO
+
+  # NFS Import mounts:
+  #TODO
+}

hosts/bakke/hardware-configuration.nix

@@ -0,0 +1,52 @@
+# Do not modify this file!  It was generated by 'nixos-generate-config'
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/0f63c3d2-fc12-4ed5-a5a5-141bfd67a571";
+      fsType = "btrfs";
+      options = [ "subvol=root" ];
+    };
+
+  fileSystems."/home" =
+    { device = "/dev/disk/by-uuid/0f63c3d2-fc12-4ed5-a5a5-141bfd67a571";
+      fsType = "btrfs";
+      options = [ "subvol=home" ];
+    };
+
+  fileSystems."/nix" =
+    { device = "/dev/disk/by-uuid/0f63c3d2-fc12-4ed5-a5a5-141bfd67a571";
+      fsType = "btrfs";
+      options = [ "subvol=nix" "noatime" ];
+    };
+
+  fileSystems."/boot" =
+    { device = "/dev/sdc2";
+      fsType = "vfat";
+      options = [ "fmask=0022" "dmask=0022" ];
+    };
+
+  swapDevices = [ ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault false;
+  # networking.interfaces.eno1.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp2s0.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}

hosts/bekkalokk/services/idp-simplesamlphp/config.php

@@ -858,7 +858,11 @@ $config = [
     /*
      * Which theme directory should be used?
      */
-    'theme.use' => 'default',
+    'module.enable' => [
+	    'pvv' => TRUE,
+    ],
+
+    'theme.use' => 'ssp-theme:pvv',
 
     /*
      * Set this option to the text you would like to appear at the header of each page. Set to false if you don't want

hosts/bekkalokk/services/idp-simplesamlphp/default.nix

@@ -97,6 +97,7 @@ let
       '';
 
       "modules/authpwauth/src/Auth/Source/PwAuth.php" = ./authpwauth.php;
+      #"modules/ssp-theme" = pkgs.simplesamlphptheme;
     };
   };
 in

hosts/bekkalokk/services/website/default.nix

@@ -80,40 +80,9 @@ in {
   };
 
   services.phpfpm.pools."pvv-nettsiden".settings = {
-    "php_admin_value[error_log]" = "syslog";
+    # "php_admin_value[error_log]" = "stderr";
     "php_admin_flag[log_errors]" = true;
     "catch_workers_output" = true;
-
-    "php_admin_value[max_execution_time]" = "30";
-    "request_terminate_timeout" = "60s";
-
-    "php_admin_value[sendmail_path]" = let
-      fakeSendmail = pkgs.writeShellApplication {
-        name = "fake-sendmail";
-        text = ''
-          TIMESTAMP="$(date +%Y-%m-%d-%H-%M-%S-%N)"
-          (
-            echo "SENDMAIL ARGS:"
-            echo "$@"
-            echo "SENDMAIL STDIN:"
-            cat -
-          ) > "/var/lib/pvv-nettsiden/emails/$TIMESTAMP.mail"
-        '';
-      };
-    in lib.getExe fakeSendmail;
-
-    "php_admin_value[disable_functions]" = lib.concatStringsSep "," [
-      "curl_exec"
-      "curl_multi_exec"
-      "exec"
-      "parse_ini_file"
-      "passthru"
-      "popen"
-      "proc_open"
-      "shell_exec"
-      "show_source"
-      "system"
-    ];
   };
 
   services.nginx.virtualHosts."pvv.ntnu.no" = {

hosts/bekkalokk/services/website/fetch-gallery.nix

@@ -40,15 +40,15 @@ in {
     path = with pkgs; [ imagemagick gnutar gzip ];
 
     script = ''
-      tar ${lib.cli.toCommandLineShellGNU { } {
+      tar ${lib.cli.toGNUCommandLineShell {} {
         extract = true;
         file = "${transferDir}/gallery.tar.gz";
         directory = ".";
       }}
 
       # Delete files and directories that exists in the gallery that don't exist in the tarball
-      filesToRemove=$(uniq -u <(sort <(find . -not -path './.thumbnails*') <(tar -tf '${transferDir}/gallery.tar.gz' | sed 's|/$||')))
+      filesToRemove=$(uniq -u <(sort <(find . -not -path "./.thumbnails*") <(tar -tf ${transferDir}/gallery.tar.gz | sed 's|/$||')))
-      while IFS= read -r fname; do
+      while IFS= read fname; do
         rm -f "$fname" ||:
         rm -f ".thumbnails/$fname.png" ||:
       done <<< "$filesToRemove"
@@ -56,9 +56,9 @@ in {
       find . -type d -empty -delete
 
       mkdir -p .thumbnails
-      images=$(find . -type f -not -path './.thumbnails*')
+      images=$(find . -type f -not -path "./.thumbnails*")
 
-      while IFS= read -r fname; do
+      while IFS= read fname; do
         # Skip this file if an up-to-date thumbnail already exists
         if [ -f ".thumbnails/$fname.png" ] && \
           [ "$(date -R -r "$fname")" == "$(date -R -r ".thumbnails/$fname.png")" ]
@@ -67,7 +67,7 @@ in {
         fi
 
         echo "Creating thumbnail for $fname"
-        mkdir -p "$(dirname ".thumbnails/$fname")"
+        mkdir -p $(dirname ".thumbnails/$fname")
         magick -define jpeg:size=200x200 "$fname" -thumbnail 300 -auto-orient ".thumbnails/$fname.png" ||:
         touch -m -d "$(date -R -r "$fname")" ".thumbnails/$fname.png"
       done <<< "$images"

hosts/bicep/services/mysql/backup.nix

@@ -57,7 +57,7 @@ in
       rm "$STATE_DIRECTORY/mysql-dump-latest.sql.zst" ||:
       ln -T "$OUT_FILE" "$STATE_DIRECTORY/mysql-dump-latest.sql.zst"
 
-      while [ "$(find "$STATE_DIRECTORY" -type f -printf '.' | wc -c)" -gt '${toString (rotations + 1)}' ]; do
+      while [ "$(find "$STATE_DIRECTORY" -type f -printf '.' | wc -c)" -gt ${toString (rotations + 1)} ]; do
         rm "$(find "$STATE_DIRECTORY" -type f -printf '%T+ %p\n' | sort | head -n 1 | cut -d' ' -f2)"
       done
     '';

hosts/bicep/services/postgresql/backup.nix

@@ -58,7 +58,7 @@ in
       rm "$STATE_DIRECTORY/postgresql-dump-latest.sql.zst" ||:
       ln -T "$OUT_FILE" "$STATE_DIRECTORY/postgresql-dump-latest.sql.zst"
 
-      while [ "$(find "$STATE_DIRECTORY" -type f -printf '.' | wc -c)" -gt '${toString (rotations + 1)}' ]; do
+      while [ "$(find "$STATE_DIRECTORY" -type f -printf '.' | wc -c)" -gt ${toString (rotations + 1)} ]; do
         rm "$(find "$STATE_DIRECTORY" -type f -printf '%T+ %p\n' | sort | head -n 1 | cut -d' ' -f2)"
       done
     '';

hosts/gluttony/hardware-configuration.nix

@@ -22,7 +22,7 @@
     "sd_mod"
   ];
   boot.initrd.kernelModules = [ "dm-snapshot" ];
-  boot.kernelModules = [ "kvm-intel" ];
+  boot.kernelModules = [ ];
   boot.extraModulePackages = [ ];
 
   fileSystems."/" = {
@@ -31,7 +31,7 @@
   };
 
   fileSystems."/boot" = {
-    device = "/dev/disk/by-uuid/BD97-FCA0";
+    device = "/dev/disk/by-uuid/933A-3005";
     fsType = "vfat";
     options = [
       "fmask=0077"

hosts/ildkule/configuration.nix

@@ -1,23 +1,17 @@
+{ config, fp, pkgs, lib, values, ... }:
 {
-  config,
-  fp,
-  pkgs,
-  lib,
-  values,
-  ...
-}: {
   imports = [
-    ./hardware-configuration.nix
+      # Include the results of the hardware scan.
-    ./disks.nix
+      ./hardware-configuration.nix
-    (fp /base)
+      (fp /base)
 
-    ./services/monitoring
+      ./services/monitoring
-    ./services/nginx
+      ./services/nginx
-    ./services/journald-remote.nix
+      ./services/journald-remote.nix
-  ];
+    ];
 
-  boot.loader.grub.enable = true;
+  boot.loader.systemd-boot.enable = false;
-  boot.loader.systemd-boot.enable = lib.mkForce false;
+  boot.loader.grub.device = "/dev/vda";
   boot.tmp.cleanOnBoot = true;
   zramSwap.enable = true;
 
@@ -33,22 +27,13 @@
     nameservers = values.defaultNetworkConfig.dns;
     defaultGateway.address = hostConf.ipv4_internal_gw;
 
-    interfaces."ens3" = {
+    interfaces."ens4" = {
       ipv4.addresses = [
-        {
+        { address = hostConf.ipv4;          prefixLength = 32; }
-          address = hostConf.ipv4;
+        { address = hostConf.ipv4_internal; prefixLength = 24; }
-          prefixLength = 32;
-        }
-        {
-          address = hostConf.ipv4_internal;
-          prefixLength = 24;
-        }
       ];
       ipv6.addresses = [
-        {
+        { address = hostConf.ipv6;          prefixLength = 64; }
-          address = hostConf.ipv6;
-          prefixLength = 64;
-        }
       ];
     };
   };

hosts/ildkule/disks.nix

@@ -1,27 +0,0 @@
-{
-  disko.devices = {
-    disk = {
-      sda = {
-        device = "/dev/sda";
-        type = "disk";
-        content = {
-          type = "gpt";
-          partitions = {
-            bios = {
-              size = "1M";
-              type = "EF02";
-            };
-            root = {
-              size = "100%";
-              content = {
-                type = "filesystem";
-                format = "ext4";
-                mountpoint = "/";
-              };
-            };
-          };
-        };
-      };
-    };
-  };
-}

hosts/ildkule/hardware-configuration.nix

@@ -1,24 +1,16 @@
-# Do not modify this file!  It was generated by 'nixos-generate-config'
+{ modulesPath, lib, ... }:
-# and may be overwritten by future invocations.  Please make changes
-# to /etc/nixos/configuration.nix instead.
-{ config, lib, pkgs, modulesPath, ... }:
-
 {
-  imports =
+  imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
-    [ (modulesPath + "/profiles/qemu-guest.nix")
+  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi" ];
-    ];
+  boot.initrd.kernelModules = [ "nvme" ];
+  fileSystems."/" = {
+    device = "/dev/disk/by-uuid/e35eb4ce-aac3-4f91-8383-6e7cd8bbf942";
+    fsType = "ext4";
+  };
+  fileSystems."/data" = {
+    device = "/dev/disk/by-uuid/0a4c1234-02d3-4b53-aeca-d95c4c8d534b";
+    fsType = "ext4";
+  };
 
-  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" ];
-  boot.initrd.kernelModules = [ ];
-  boot.kernelModules = [ "kvm-intel" ];
-  boot.extraModulePackages = [ ];
-
-  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
-  # (the default) this is the recommended approach. When using systemd-networkd it's
-  # still possible to use this option, but it's recommended to use it in conjunction
-  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
   networking.useDHCP = lib.mkDefault true;
-  # networking.interfaces.ens3.useDHCP = lib.mkDefault true;
-
-  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
 }

hosts/ildkule/services/monitoring/prometheus/machines.nix

@@ -30,6 +30,8 @@ in {
       (mkHostScrapeConfig "ustetind" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
       (mkHostScrapeConfig "wenche" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
 
+      (mkHostScrapeConfig "skrott" [ defaultNodeExporterPort defaultSystemdExporterPort ])
+
       (mkHostScrapeConfig "hildring" [ defaultNodeExporterPort ])
       (mkHostScrapeConfig "isvegg" [ defaultNodeExporterPort ])
       (mkHostScrapeConfig "microbel" [ defaultNodeExporterPort ])

hosts/kommode/services/gitea/customization/default.nix

@@ -99,23 +99,23 @@ in
         ];
       } ''
         # Bigger icons
-        install -Dm444 '${cfg.package.src}/templates/repo/icon.tmpl' "$out/repo/icon.tmpl"
+        install -Dm444 "${cfg.package.src}/templates/repo/icon.tmpl" "$out/repo/icon.tmpl"
         sed -i -e 's/24/60/g' "$out/repo/icon.tmpl"
       '';
     in ''
-      install -Dm444 '${logo-svg}' '${cfg.customDir}/public/assets/img/logo.svg'
+      install -Dm444 ${logo-svg} ${cfg.customDir}/public/assets/img/logo.svg
-      install -Dm444 '${logo-png}' '${cfg.customDir}/public/assets/img/logo.png'
+      install -Dm444 ${logo-png} ${cfg.customDir}/public/assets/img/logo.png
-      install -Dm444 '${./loading.apng}' '${cfg.customDir}/public/assets/img/loading.png'
+      install -Dm444 ${./loading.apng} ${cfg.customDir}/public/assets/img/loading.png
-      install -Dm444 '${extraLinks}' '${cfg.customDir}/templates/custom/extra_links.tmpl'
+      install -Dm444 ${extraLinks} ${cfg.customDir}/templates/custom/extra_links.tmpl
-      install -Dm444 '${extraLinksFooter}' '${cfg.customDir}/templates/custom/extra_links_footer.tmpl'
+      install -Dm444 ${extraLinksFooter} ${cfg.customDir}/templates/custom/extra_links_footer.tmpl
-      install -Dm444 '${project-labels}' '${cfg.customDir}/options/label/project-labels.yaml'
+      install -Dm444 ${project-labels} ${cfg.customDir}/options/label/project-labels.yaml
 
-      install -Dm644 '${./emotes/bruh.png}' '${cfg.customDir}/public/assets/img/emoji/bruh.png'
+      install -Dm644 ${./emotes/bruh.png} ${cfg.customDir}/public/assets/img/emoji/bruh.png
-      install -Dm644 '${./emotes/huh.gif}' '${cfg.customDir}/public/assets/img/emoji/huh.png'
+      install -Dm644 ${./emotes/huh.gif} ${cfg.customDir}/public/assets/img/emoji/huh.png
-      install -Dm644 '${./emotes/grr.png}' '${cfg.customDir}/public/assets/img/emoji/grr.png'
+      install -Dm644 ${./emotes/grr.png} ${cfg.customDir}/public/assets/img/emoji/grr.png
-      install -Dm644 '${./emotes/okiedokie.jpg}' '${cfg.customDir}/public/assets/img/emoji/okiedokie.png'
+      install -Dm644 ${./emotes/okiedokie.jpg} ${cfg.customDir}/public/assets/img/emoji/okiedokie.png
 
-      '${lib.getExe pkgs.rsync}' -a '${customTemplates}/' '${cfg.customDir}/templates/'
+      "${lib.getExe pkgs.rsync}" -a "${customTemplates}/" ${cfg.customDir}/templates/
     '';
   };
 }

hosts/kommode/services/gitea/default.nix

@@ -131,9 +131,11 @@ in {
           "repo.pulls"
           "repo.releases"
         ];
-        ALLOW_FORK_INTO_SAME_OWNER = true;
       };
       picture = {
+        DISABLE_GRAVATAR = true;
+        ENABLE_FEDERATED_AVATAR = false;
+
         AVATAR_MAX_FILE_SIZE = 1024 * 1024 * 5;
         # NOTE: go any bigger than this, and gitea will freeze your gif >:(
         AVATAR_MAX_ORIGIN_SIZE = 1024 * 1024 * 2;
@@ -214,7 +216,7 @@ in {
 
   systemd.services.gitea-dump = {
     serviceConfig.ExecStart = let
-      args = lib.cli.toCommandLineShellGNU { } {
+      args = lib.cli.toGNUCommandLineShell { } {
         type = cfg.dump.type;
 
         # This should be declarative on nixos, no need to backup.

hosts/kommode/services/gitea/web-secret-provider/default.nix

@@ -53,7 +53,7 @@ in
       Slice = "system-giteaweb.slice";
       Type = "oneshot";
       ExecStart = let
-        args = lib.cli.toCommandLineShellGNU { } {
+        args = lib.cli.toGNUCommandLineShell { } {
           org = "%i";
           token-path = "%d/token";
           api-url = "${giteaCfg.settings.server.ROOT_URL}api/v1";

hosts/lupine/configuration.nix

@@ -1,9 +1,10 @@
-{ fp, values, lib, lupineName, ... }:
+{ fp, values, lupineName, ... }:
 {
   imports = [
     ./hardware-configuration/${lupineName}.nix
 
     (fp /base)
+
     ./services/gitea-runner.nix
   ];
 

hosts/lupine/hardware-configuration/lupine-1.nix

@@ -14,28 +14,27 @@
   boot.extraModulePackages = [ ];
 
   fileSystems."/" =
-    { device = "/dev/disk/by-uuid/e88adbb7-de01-4f9b-b338-fffed743c259";
+    { device = "/dev/disk/by-uuid/a949e2e8-d973-4925-83e4-bcd815e65af7";
-      fsType = "btrfs";
+      fsType = "ext4";
-      options = [ "subvol=@root" "compress=zstd" ];
-    };
-
-  fileSystems."/nix" =
-    { device = "/dev/disk/by-uuid/e88adbb7-de01-4f9b-b338-fffed743c259";
-      fsType = "btrfs";
-      options = [ "subvol=@nix" "compress=zstd" "noatime" ];
     };
 
   fileSystems."/boot" =
     { device = "/dev/disk/by-uuid/81D6-38D3";
       fsType = "vfat";
-      options = [ "fmask=0022" "dmask=0022" ];
+      options = [ "fmask=0077" "dmask=0077" ];
     };
 
   swapDevices =
     [ { device = "/dev/disk/by-uuid/82c2d7fa-7cd0-4398-8cf6-c892bc56264b"; }
     ];
 
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp0s31f6.useDHCP = lib.mkDefault true;
+
   nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
   hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 }
-

hosts/lupine/hardware-configuration/lupine-2.nix

@@ -14,27 +14,27 @@
   boot.extraModulePackages = [ ];
 
   fileSystems."/" =
-    { device = "/dev/disk/by-uuid/ab2e1a13-8e95-48d8-970c-64fa2fab52d0";
+    { device = "/dev/disk/by-uuid/aa81d439-800b-403d-ac10-9d2aac3619d0";
-      fsType = "btrfs";
+      fsType = "ext4";
-      options = [ "subvol=@root" "compress=zstd" ];
-    };
-
-  fileSystems."/nix" =
-    { device = "/dev/disk/by-uuid/ab2e1a13-8e95-48d8-970c-64fa2fab52d0";
-      fsType = "btrfs";
-      options = [ "subvol=@nix" "noatime" "compress=zstd" ];
     };
 
   fileSystems."/boot" =
     { device = "/dev/disk/by-uuid/4A34-6AE5";
       fsType = "vfat";
-      options = [ "fmask=0022" "dmask=0022" ];
+      options = [ "fmask=0077" "dmask=0077" ];
     };
 
   swapDevices =
     [ { device = "/dev/disk/by-uuid/efb7cd0c-c1ae-4a86-8bc2-8e7fd0066650"; }
     ];
 
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp0s31f6.useDHCP = lib.mkDefault true;
+
   nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
   hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 }

hosts/lupine/hardware-configuration/lupine-3.nix

@@ -14,28 +14,27 @@
   boot.extraModulePackages = [ ];
 
   fileSystems."/" =
-    { device = "/dev/disk/by-uuid/0a5bda7c-af55-4d3d-9135-7f7cbb78004d";
+    { device = "/dev/disk/by-uuid/39ba059b-3205-4701-a832-e72c0122cb88";
-      fsType = "btrfs";
+      fsType = "ext4";
-      options = [ "subvol=@root" "compress=zstd" ];
-    };
-
-  fileSystems."/nix" =
-    { device = "/dev/disk/by-uuid/0a5bda7c-af55-4d3d-9135-7f7cbb78004d";
-      fsType = "btrfs";
-      options = [ "subvol=@nix" "noatime" "compress=zstd" ];
     };
 
   fileSystems."/boot" =
     { device = "/dev/disk/by-uuid/63FA-297B";
       fsType = "vfat";
-      options = [ "fmask=0022" "dmask=0022" ];
+      options = [ "fmask=0077" "dmask=0077" ];
     };
 
   swapDevices =
     [ { device = "/dev/disk/by-uuid/9c72eb54-ea8c-4b09-808a-8be9b9a33869"; }
     ];
 
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp0s31f6.useDHCP = lib.mkDefault true;
+
   nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
   hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 }
-

hosts/lupine/hardware-configuration/lupine-4.nix

@@ -14,27 +14,21 @@
   boot.extraModulePackages = [ ];
 
   fileSystems."/" =
-    { device = "/dev/disk/by-uuid/fcd51970-f040-4c45-94cf-2b372d4599a2";
+    { device = "/dev/disk/by-uuid/c7bbb293-a0a3-4995-8892-0ec63e8c67dd";
-      fsType = "btrfs";
+      fsType = "ext4";
-      options = [ "subvol=@root" "compress=zstd" ];
-    };
-
-  fileSystems."/nix" =
-    { device = "/dev/disk/by-uuid/fcd51970-f040-4c45-94cf-2b372d4599a2";
-      fsType = "btrfs";
-      options = [ "subvol=@nix" "noatime" "compress=zstd" ];
-    };
-
-  fileSystems."/boot" =
-    { device = "/dev/disk/by-uuid/A22E-E41A";
-      fsType = "vfat";
-      options = [ "fmask=0022" "dmask=0022" ];
     };
 
   swapDevices =
     [ { device = "/dev/disk/by-uuid/a86ffda8-8ecb-42a1-bf9f-926072e90ca5"; }
     ];
 
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp0s31f6.useDHCP = lib.mkDefault true;
+
   nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
   hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 }

hosts/lupine/hardware-configuration/lupine-5.nix

@@ -14,27 +14,27 @@
   boot.extraModulePackages = [ ];
 
   fileSystems."/" =
-    { device = "/dev/disk/by-uuid/85830e14-e2c8-4f04-95fa-d6ab22840bc7";
+    { device = "/dev/disk/by-uuid/5f8418ad-8ec1-4f9e-939e-f3a4c36ef343";
-      fsType = "btrfs";
+      fsType = "ext4";
-      options = [ "subvol=@root" "compress=zstd" ];
-    };
-
-  fileSystems."/nix" =
-    { device = "/dev/disk/by-uuid/85830e14-e2c8-4f04-95fa-d6ab22840bc7";
-      fsType = "btrfs";
-      options = [ "subvol=@nix" "noatime" "compress=zstd" ];
     };
 
   fileSystems."/boot" =
     { device = "/dev/disk/by-uuid/F372-37DF";
       fsType = "vfat";
-      options = [ "fmask=0022" "dmask=0022" ];
+      options = [ "fmask=0077" "dmask=0077" ];
     };
 
   swapDevices =
     [ { device = "/dev/disk/by-uuid/27bf292d-bbb3-48c4-a86e-456e0f1f648f"; }
     ];
 
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp0s31f6.useDHCP = lib.mkDefault true;
+
   nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
   hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 }

hosts/lupine/services/gitea-runner.nix

@@ -39,22 +39,17 @@
         "debian-bullseye-slim:docker://node:current-bullseye-slim"
 
         "alpine-latest:docker://node:current-alpine"
-        "alpine-3.23:docker://node:current-alpine3.23"
         "alpine-3.22:docker://node:current-alpine3.22"
         "alpine-3.21:docker://node:current-alpine3.21"
 
         # See https://gitea.com/gitea/runner-images
         "ubuntu-latest:docker://docker.gitea.com/runner-images:ubuntu-latest"
-        "ubuntu-26.04:docker://docker.gitea.com/runner-images:ubuntu-26.04"
-        "ubuntu-resolute:docker://docker.gitea.com/runner-images:ubuntu-26.04"
         "ubuntu-24.04:docker://docker.gitea.com/runner-images:ubuntu-24.04"
         "ubuntu-noble:docker://docker.gitea.com/runner-images:ubuntu-24.04"
         "ubuntu-22.04:docker://docker.gitea.com/runner-images:ubuntu-22.04"
         "ubuntu-jammy:docker://docker.gitea.com/runner-images:ubuntu-22.04"
 
         "ubuntu-latest-slim:docker://docker.gitea.com/runner-images:ubuntu-latest-slim"
-        "ubuntu-26.04-slim:docker://docker.gitea.com/runner-images:ubuntu-26.04-slim"
-        "ubuntu-resolute-slim:docker://docker.gitea.com/runner-images:ubuntu-26.04-slim"
         "ubuntu-24.04-slim:docker://docker.gitea.com/runner-images:ubuntu-24.04-slim"
         "ubuntu-noble-slim:docker://docker.gitea.com/runner-images:ubuntu-24.04-slim"
         "ubuntu-22.04-slim:docker://docker.gitea.com/runner-images:ubuntu-22.04-slim"

hosts/skrott/configuration.nix

@@ -0,0 +1,112 @@
+{ config, pkgs, lib, modulesPath, fp, values, ... }: {
+  imports = [
+    (modulesPath + "/profiles/perlless.nix")
+
+    (fp /base)
+  ];
+
+  # Disable import of a bunch of tools we don't need from nixpkgs.
+  disabledModules = [ "profiles/base.nix" ];
+
+  sops.defaultSopsFile = fp /secrets/skrott/skrott.yaml;
+
+  boot = {
+    consoleLogLevel = 0;
+    enableContainers = false;
+    loader.grub.enable = false;
+    loader.systemd-boot.enable = false;
+    kernelPackages = pkgs.linuxPackages;
+  };
+
+  hardware = {
+    enableAllHardware = lib.mkForce false;
+    firmware = [ pkgs.raspberrypiWirelessFirmware ];
+  };
+
+  # Now turn off a bunch of stuff lol
+  # TODO: can we reduce further?
+  # See also https://nixcademy.com/posts/minimizing-nixos-images/
+  system.autoUpgrade.enable = lib.mkForce false;
+  services.irqbalance.enable = lib.mkForce false;
+  services.logrotate.enable = lib.mkForce false;
+  services.nginx.enable = lib.mkForce false;
+  services.postfix.enable = lib.mkForce false;
+  services.smartd.enable = lib.mkForce false;
+  services.udisks2.enable = lib.mkForce false;
+  services.thermald.enable = lib.mkForce false;
+  services.promtail.enable = lib.mkForce false;
+  # There aren't really that many firmware updates for rbpi3 anyway
+  services.fwupd.enable = lib.mkForce false;
+
+  documentation.enable = lib.mkForce false;
+
+  environment.enableAllTerminfo = lib.mkForce false;
+
+  programs.neovim.enable = lib.mkForce false;
+  programs.zsh.enable = lib.mkForce false;
+  programs.git.package = pkgs.gitMinimal;
+
+  nix.registry = lib.mkForce { };
+  nix.nixPath = lib.mkForce [ ];
+
+  sops.secrets = {
+    "dibbler/postgresql/password" = {
+      owner = "dibbler";
+      group = "dibbler";
+    };
+  };
+
+  # zramSwap.enable = true;
+
+  networking = {
+    hostName = "skrott";
+    defaultGateway = values.hosts.gateway;
+    defaultGateway6 = values.hosts.gateway6;
+    interfaces.eth0 = {
+      useDHCP = false;
+      ipv4.addresses = [{
+        address = values.hosts.skrott.ipv4;
+        prefixLength = 25;
+      }];
+      ipv6.addresses = [{
+        address = values.hosts.skrott.ipv6;
+        prefixLength = 25;
+      }];
+    };
+  };
+
+  services.dibbler = {
+    enable = true;
+    kioskMode = true;
+    limitScreenWidth = 80;
+    limitScreenHeight = 42;
+
+    settings = {
+      general.quit_allowed = false;
+      database = {
+        type = "postgresql";
+        postgresql = {
+          username = "pvv_vv";
+          dbname = "pvv_vv";
+          host = "postgres.pvv.ntnu.no";
+          password_file = config.sops.secrets."dibbler/postgresql/password".path;
+        };
+      };
+    };
+  };
+
+  # https://github.com/NixOS/nixpkgs/issues/84105
+  boot.kernelParams = lib.mkIf (!config.virtualisation.isVmVariant) [
+    "console=ttyUSB0,9600"
+    # "console=tty1" # Already part of the module
+  ];
+  systemd.services."serial-getty@ttyUSB0" = lib.mkIf (!config.virtualisation.isVmVariant) {
+    enable = true;
+    wantedBy = [ "getty.target" ]; # to start at boot
+    serviceConfig.Restart = "always"; # restart when session is closed
+  };
+
+  # Don't change (even during upgrades) unless you know what you are doing.
+  # See https://search.nixos.org/options?show=system.stateVersion
+  system.stateVersion = "25.11";
+}

hosts/temmie/configuration.nix

@@ -6,7 +6,7 @@
     (fp /base)
 
     ./services/nfs-mounts.nix
-    ./services/userweb
+    ./services/userweb.nix
   ];
 
   systemd.network.networks."30-ens18" = values.defaultNetworkConfig // {

hosts/temmie/services/userweb.nix

@@ -4,39 +4,19 @@ let
 
   homeLetters = [ "a" "b" "c" "d" "h" "i" "j" "k" "l" "m" "z" ];
 
-  phpOptions = lib.concatStringsSep "\n" (lib.mapAttrsToList (k: v: "${k} = ${v}"){
-    display_errors = "Off";
-    display_startup_errors = "Off";
-    post_max_size = "40M";
-    upload_max_filesize = "40M";
-  });
-
   # https://nixos.org/manual/nixpkgs/stable/#ssec-php-user-guide-installing-with-extensions
   phpEnv = pkgs.php.buildEnv {
     extensions = { all, ... }: with all; [
-      bz2
-      curl
-      decimal
-      gd
       imagick
-      mysqli
+      opcache
-      mysqlnd
+      protobuf
-      pgsql
-      posix
-      protobuf sqlite3
-      uuid
-      xml
-      xsl
-      zlib
-      zstd
-
-      pdo
-      pdo_mysql
-      pdo_pgsql
-      pdo_sqlite
     ];
 
-    extraConfig = phpOptions;
+    extraConfig = ''
+      display_errors=0
+      post_max_size = 40M
+      upload_max_filesize = 40M
+    '';
   };
 
   perlEnv = pkgs.perl.withPackages (ps: with ps; [
@@ -45,15 +25,38 @@ let
     pkgs.irssi
     pkgs.nix.libs.nix-perl-bindings
 
+    AlgorithmDiff
+    AnyEvent
+    AnyEventI3
+    ArchiveZip
     CGI
+    CPAN
+    CPANPLUS
     DBDPg
     DBDSQLite
-    DBDmysql
     DBI
+    EmailAddress
+    EmailSimple
+    Env
     Git
+    HTMLMason
+    HTMLParser
+    HTMLTagset
+    HTTPDAV
+    HTTPDaemon
     ImageMagick
     JSON
-    TemplateToolkit
+    LWP
+    MozillaCA
+    PathTiny
+    Switch
+    SysSyslog
+    TestPostgreSQL
+    TextPDF
+    TieFile
+    Tk
+    URI
+    XMLLibXML
   ]);
 
   # https://nixos.org/manual/nixpkgs/stable/#python.buildenv-function
@@ -67,88 +70,102 @@ let
     ignoreCollisions = true;
   };
 
-  sendmailWrapper = pkgs.writeShellApplication {
-    name = "sendmail";
-    runtimeInputs = [ ];
-    text = ''
-      args=("$@")
-
-      if [[ -z "$USERDIR_USER" ]] && [[ "$USERDIR_USER" != "pvv" ]]; then
-          # Prepend -fusername to the argument list, so bounces go to the user
-          args=("-f$USERDIR_USER" "''${args[@]}")
-      fi
-
-      exec '${lib.getExe pkgs.system-sendmail}' "''${args[@]}"
-    '';
-  };
-
   # https://nixos.org/manual/nixpkgs/stable/#sec-building-environment
   fhsEnv = pkgs.buildEnv {
     name = "userweb-env";
-    ignoreCollisions = true;
     paths = with pkgs; [
       bash
 
-      sendmailWrapper
-
       perlEnv
       pythonEnv
+
       phpEnv
     ]
     ++ (with phpEnv.packages; [
       # composer
     ])
     ++ [
-      # Useful packages for homepages
-      exiftool
-      gnuplot
-      ikiwiki-full
-      imagemagick
-      jhead
-      ruby
-      sbcl
-      sourceHighlight
-
-      # Missing packages from tom
-      # blosxom
-      # pyblosxom
-      # mediawiki (TODO: do people host their own mediawikis in userweb?)
-      # nanoblogger
-
-      # Version control
-      cvs
-      rcs
-      git
-
-      # Compression/Archival
-      bzip2
-      gnutar
-      gzip
-      lz4
-      unzip
-      xz
-      zip
-      zstd
-
-      # Other tools you might expect to find on a normal system
       acl
+      aspell
+      autoconf
+      autotrash
+      bazel
+      bintools
+      bison
+      bsd-finger
+      catdoc
+      ccache
+      clang
+      cmake
       coreutils-full
       curl
+      devcontainer
       diffutils
+      emacs
+      # exiftags
+      exiftool
+      ffmpeg
       file
       findutils
       gawk
+      gcc
+      glibc
       gnugrep
       gnumake
       gnupg
+      gnuplot
       gnused
+      gnutar
+      gzip
+      html-tidy
+      imagemagick
+      inetutils
+      iproute2
+      jhead
       less
-      man
+      libgcc
+      lndir
+      mailutils
+      man # TODO: does this one want a mandb instance?
+      meson
+      more
+      mpc
+      mpi
+      mplayer
+      ninja
+      nix
+      openssh
+      openssl
+      patchelf
+      pkg-config
+      ppp
+      procmail
+      procps
+      qemu
+      rc
+      rhash
+      rsync
+      ruby # TODO: does this one want systemwide packages?
+      salt
+      sccache
+      sourceHighlight
+      spamassassin
+      strace
+      subversion
+      system-sendmail
+      systemdMinimal
+      texliveMedium
+      tmux
+      unzip
       util-linux
+      valgrind
       vim
       wget
       which
+      wine
       xdg-utils
+      zip
+      zstd
     ];
 
     extraOutputsToInstall = [
@@ -158,10 +175,6 @@ let
   };
 in
 {
-  imports = [
-    ./mail.nix
-  ];
-
   services.httpd = {
     enable = true;
     adminAddr = "drift@pvv.ntnu.no";
@@ -176,7 +189,6 @@ in
 
     enablePHP = true;
     phpPackage = phpEnv;
-    inherit phpOptions;
 
     enablePerl = true;
 
@@ -213,32 +225,12 @@ in
         UserDir disabled root
         AddHandler cgi-script .cgi
         DirectoryIndex index.html index.html.var index.php index.php3 index.cgi index.phtml index.shtml meg.html
-        SetEnvIf Request_URI "^/~([^/]+)" USERDIR_USER=$1
 
         <Directory "/home/pvv/?/*/web-docs">
           Options MultiViews Indexes SymLinksIfOwnerMatch ExecCGI IncludesNoExec
           AllowOverride All
           Require all granted
         </Directory>
-
-        <DirectoryMatch "^/home/pvv/.*/web-docs/(${lib.concatStringsSep "|" [
-          "\\.git"
-          "\\.hg"
-          "\\.svn"
-          "\\.ssh"
-          "\\.env"
-          "\\.envrc"
-          "\\.bzr"
-          "\\.venv"
-          "CVS"
-          "RCS"
-          ".*\\.swp"
-          ".*\\.bak"
-          ".*~"
-        ]})(/|$)">
-            AllowOverride All
-            Require all denied
-        </DirectoryMatch>
       '';
     };
   };

hosts/temmie/services/userweb/mail.nix

@@ -1,12 +0,0 @@
-{ config, lib, ... }:
-{
-  services.postfix.enable = lib.mkForce false;
-
-  services.nullmailer = {
-    enable = true;
-    config = {
-      me = config.networking.fqdn;
-      remotes = "mail.pvv.ntnu.no smtp --port=25";
-    };
-  };
-}

modules/matrix-ooye.nix

@@ -77,29 +77,29 @@ in
 
         id
         echo "Before if statement"
-        stat "''${REGISTRATION_FILE}"
+        stat ''${REGISTRATION_FILE}
 
-        if [[ ! -f "''${REGISTRATION_FILE}" ]]; then
+        if [[ ! -f ''${REGISTRATION_FILE} ]]; then
           echo "No registration file found at '$REGISTRATION_FILE'"
-          cp --no-preserve=mode,ownership "${baseConfig}" "''${REGISTRATION_FILE}"
+          cp --no-preserve=mode,ownership ${baseConfig} ''${REGISTRATION_FILE}
         fi
 
         echo "After if statement"
-        stat "''${REGISTRATION_FILE}"
+        stat ''${REGISTRATION_FILE}
 
-        AS_TOKEN="$('${lib.getExe pkgs.jq}' -r .as_token "''${REGISTRATION_FILE}")"
+        AS_TOKEN=$(${lib.getExe pkgs.jq} -r .as_token ''${REGISTRATION_FILE})
-        HS_TOKEN="$('${lib.getExe pkgs.jq}' -r .hs_token "''${REGISTRATION_FILE}")"
+        HS_TOKEN=$(${lib.getExe pkgs.jq} -r .hs_token ''${REGISTRATION_FILE})
-        DISCORD_TOKEN="$(cat /run/credentials/matrix-ooye-pre-start.service/discord_token)"
+        DISCORD_TOKEN=$(cat /run/credentials/matrix-ooye-pre-start.service/discord_token)
-        DISCORD_CLIENT_SECRET="$(cat /run/credentials/matrix-ooye-pre-start.service/discord_client_secret)"
+        DISCORD_CLIENT_SECRET=$(cat /run/credentials/matrix-ooye-pre-start.service/discord_client_secret)
 
         # Check if we have all required tokens
         if [[ -z "$AS_TOKEN" || "$AS_TOKEN" == "null" ]]; then
-          AS_TOKEN="$('${lib.getExe pkgs.openssl}' rand -hex 64)"
+          AS_TOKEN=$(${lib.getExe pkgs.openssl} rand -hex 64)
           echo "Generated new AS token: ''${AS_TOKEN}"
         fi
 
         if [[ -z "$HS_TOKEN" || "$HS_TOKEN" == "null" ]]; then
-          HS_TOKEN="$('${lib.getExe pkgs.openssl}' rand -hex 64)"
+          HS_TOKEN=$(${lib.getExe pkgs.openssl} rand -hex 64)
           echo "Generated new HS token: ''${HS_TOKEN}"
         fi
 
@@ -115,13 +115,13 @@ in
           exit 1
         fi
 
-        shred -u "''${REGISTRATION_FILE}"
+        shred -u ''${REGISTRATION_FILE}
-        cp --no-preserve=mode,ownership "${baseConfig}" "''${REGISTRATION_FILE}"
+        cp --no-preserve=mode,ownership ${baseConfig} ''${REGISTRATION_FILE}
 
-        '${lib.getExe pkgs.jq}' '.as_token = "'$AS_TOKEN'" | .hs_token = "'$HS_TOKEN'" | .ooye.discord_token = "'$DISCORD_TOKEN'" | .ooye.discord_client_secret = "'$DISCORD_CLIENT_SECRET'"' "''${REGISTRATION_FILE}" > "''${REGISTRATION_FILE}.tmp"
+        ${lib.getExe pkgs.jq} '.as_token = "'$AS_TOKEN'" | .hs_token = "'$HS_TOKEN'" | .ooye.discord_token = "'$DISCORD_TOKEN'" | .ooye.discord_client_secret = "'$DISCORD_CLIENT_SECRET'"' ''${REGISTRATION_FILE} > ''${REGISTRATION_FILE}.tmp
 
-        shred -u "''${REGISTRATION_FILE}"
+        shred -u ''${REGISTRATION_FILE}
-        mv "''${REGISTRATION_FILE}.tmp" "''${REGISTRATION_FILE}"
+        mv ''${REGISTRATION_FILE}.tmp ''${REGISTRATION_FILE}
       '';
 
     in

modules/snakeoil-certs.nix

@@ -51,24 +51,24 @@ in
       script = let
         openssl = lib.getExe pkgs.openssl;
       in lib.concatMapStringsSep "\n" ({ name, value }: ''
-        mkdir -p "$(dirname '${value.certificate}')" "$(dirname '${value.certificateKey}')"
+        mkdir -p $(dirname "${value.certificate}") $(dirname "${value.certificateKey}")
-        if ! ${openssl} x509 -checkend 86400 -noout -in '${value.certificate}'
+        if ! ${openssl} x509 -checkend 86400 -noout -in ${value.certificate}
         then
           echo "Regenerating '${value.certificate}'"
           ${openssl} req \
             -newkey rsa:4096 \
             -new -x509 \
-            -days '${toString value.daysValid}' \
+            -days "${toString value.daysValid}" \
             -nodes \
-            -subj '${value.subject}' \
+            -subj "${value.subject}" \
-            -out '${value.certificate}' \
+            -out "${value.certificate}" \
-            -keyout '${value.certificateKey}' \
+            -keyout "${value.certificateKey}" \
             ${lib.escapeShellArgs value.extraOpenSSLArgs}
         fi
-        chown '${value.owner}:${value.group}' '${value.certificate}'
+        chown "${value.owner}:${value.group}" "${value.certificate}"
-        chown '${value.owner}:${value.group}' '${value.certificateKey}'
+        chown "${value.owner}:${value.group}" "${value.certificateKey}"
-        chmod '${value.mode}' '${value.certificate}'
+        chmod "${value.mode}" "${value.certificate}"
-        chmod '${value.mode}' '${value.certificateKey}'
+        chmod "${value.mode}" "${value.certificateKey}"
 
         echo "\n-----------------\n"
       '') (lib.attrsToList cfg);

packages/bluemap.nix

@@ -1,14 +1,12 @@
-{ lib, stdenvNoCC, fetchurl, makeWrapper, javaPackages }:
+{ lib, stdenvNoCC, fetchurl, makeWrapper, jre }:
-let
+
-  jre = javaPackages.compiler.temurin-bin.jre-25;
-in
 stdenvNoCC.mkDerivation rec {
   pname = "bluemap";
-  version = "5.20";
+  version = "5.15";
 
   src = fetchurl {
     url = "https://github.com/BlueMap-Minecraft/BlueMap/releases/download/v${version}/BlueMap-${version}-cli.jar";
-    hash = "sha256-txDN/vG429BHT09TrSB8uQhmB8irrmvvOXX4OX3OSC0=";
+    hash = "sha256-g50V/4LtHaHNRMTt+PK/ZTf4Tber2D6ZHJvuAXQLaFI=";
   };
 
   dontUnpack = true;
@@ -17,10 +15,7 @@ stdenvNoCC.mkDerivation rec {
 
   installPhase = ''
     runHook preInstall
-
+    makeWrapper ${jre}/bin/java $out/bin/bluemap --add-flags "-jar $src"
-    makeWrapper ${jre}/bin/java $out/bin/bluemap \
-      --add-flags "-jar $src"
-
     runHook postInstall
   '';
 

packages/mediawiki-extensions/default.nix

@@ -33,63 +33,63 @@ in
 lib.mergeAttrsList [
   (mw-ext {
     name = "CodeEditor";
-    commit = "2db9c9cef35d88a0696b926e8e4ea2d479d0d73a";
+    commit = "83e1d0c13f34746f0d7049e38b00e9ab0a47c23f";
-    hash = "sha256-f0tWJl/4hml+RCp7OoIpQ4WSGKE3/z8DTYOAOHbLA9A=";
+    hash = "sha256-qH9fSQZGA+z6tBSh1DaTKLcujqA6K/vQmZML9w5X8mU=";
   })
   (mw-ext {
     name = "CodeMirror";
-    commit = "b16e614c3c4ba68c346b8dd7393ab005ab127441";
+    commit = "af2b08b9ad2b89a64b2626cf80b026c5b45e9922";
-    hash = "sha256-J/TJPo5Oxgpy6UQINivLKl8jzJp4k/mKv6br3kcCSMQ=";
+    hash = "sha256-CxXPwCKUlF9Tg4JhwLaKQyvt43owq75jCugVtb3VX+I=";
   })
   (mw-ext {
     name = "DeleteBatch";
-    commit = "1b947c0f80249cf052b58138f830b379edf080bc";
+    commit = "3d6f2fd0e3efdae1087dd0cc8b1f96fe0edf734f";
-    hash = "sha256-629RCz+38m2pfyJe/CrYutRoDyN1HzD0KzDdC2wwqlI=";
+    hash = "sha256-iD9EjDIW7AGpZan74SIRcr54dV8W7xMKIDjatjdVkKs=";
   })
   (mw-ext {
     name = "PluggableAuth";
-    commit = "56893b8ee9ecd03eaee256e08c38bc82657ee0a1";
+    commit = "85e96acd1ac0ebcdaa29c20eae721767a938f426";
-    hash = "sha256-gvoJey7YLMk+toutQTdWxpaedNDr59E+3xXWmXWCGl0=";
+    hash = "sha256-bMVhrg8FsfWhXF605Cj5TgI0A6Jy/MIQ5aaUcLQQ0Ss=";
   })
   (mw-ext {
     name = "Popups";
-    commit = "6732d8d195bd8312779d8514e92bad372ef63096";
+    commit = "410e2343c32a7b18dcdc2bbd995b0bfdf3bf5f37";
-    hash = "sha256-XZzhA9UjAOUMcoGYYwiqRg2uInZ927JOZ9/IrZtarJU=";
+    hash = "sha256-u2AlR75x54rCpiK9Mz00D9odJCn8fmi6DRU4QKmKqSc=";
   })
   (mw-ext {
     name = "Scribunto";
-    commit = "fc9658623bd37fad352e326ce81b2a08ef55f04d";
+    commit = "904f323f343dba5ff6a6cdd143c4a8ef5b7d2c55";
-    hash = "sha256-P9WQk8O9qP+vXsBS9A5eXX+bRhnfqHetbkXwU3+c1Vk=";
+    hash = "sha256-ZOVYhjMMyWbqwZOBb39hMIRmzzCPEnz2y8Q2jgyeERw=";
   })
   (mw-ext {
     name = "SimpleSAMLphp";
     kebab-name = "simple-saml-php";
-    commit = "4c615a9203860bb908f2476a5467573e3287d224";
+    commit = "a2f77374713473d594e368de24539aebcc1a800a";
-    hash = "sha256-zNKvzInhdW3B101Hcghk/8m0Y+Qk/7XN7n0i/x/5hSE=";
+    hash = "sha256-5+t3VQFKcrIffDNPJ4RWBIWS6K1gTOcEleYWmM6xWms=";
   })
   (mw-ext {
     name = "TemplateData";
-    commit = "6884b10e603dce82ee39632f839ee5ccd8a6fbe3";
+    commit = "76a6a04bd13a606923847ba68750b5d98372cacd";
-    hash = "sha256-jcLe3r5fPIrQlp89N+PdIUSC7bkdd7pTmiYppSpdKVQ=";
+    hash = "sha256-X2+U5PMqzkSljw2ypIvJUSaPDaonTkQx89OgKzf5scw=";
   })
   (mw-ext {
     name = "TemplateStyles";
-    commit = "f0401a6b82528c8fd5a0375f1e55e72d1211f2ab";
+    commit = "7de60a8da6576d7930f293d19ef83529abf52704";
-    hash = "sha256-tEcCNBz/i9OaE3mNrqw0J2K336BAf6it30TLhQkbtKs=";
+    hash = "sha256-iPmFDoO5V4964CVyd1mBSQcNlW34odbvpm2CfDBlPBU=";
   })
   (mw-ext {
     name = "UserMerge";
-    commit = "6c138ffc65991766fd58ff4739fcb7febf097146";
+    commit = "71eb53ff4289ac4efaa31685ab8b6483c165a584";
-    hash = "sha256-366Nb0ilmXixWgk5NgCuoxj82Mf0iRu1bC/L/eofAxU=";
+    hash = "sha256-OfKSEPgctfr659oh5jf99T0Rzqn+60JhNaZq+2gfubk=";
   })
   (mw-ext {
     name = "VisualEditor";
-    commit = "9cfcca3195bf88225844f136da90ab7a1f6dd0b9";
+    commit = "a6a63f53605c4d596c3df1dcc2583ffd3eb8d929";
-    hash = "sha256-jHw3RnUB3bQa1OvmzhEBqadZlFPWH62iGl5BLXi3nZ4=";
+    hash = "sha256-4d8picO66uzKoxh1TdyvKLHebc6ZL7N2DdXLV2vgBL4=";
   })
   (mw-ext {
     name = "WikiEditor";
-    commit = "fe5329ba7a8c71ac8236cd0e940a64de2645b780";
+    commit = "0a5719bb95326123dd0fee1f88658358321ed7be";
-    hash = "sha256-no6kH7esqKiZv34btidzy2zLd75SBVb8EaYVhfRPQSI=";
+    hash = "sha256-eQMyjhdm1E6TkktIHad1NMeMo8QNoO8z4A05FYOMCwQ=";
   })
 ]

packages/mediawiki-extensions/update-mediawiki-extensions.py

@@ -83,7 +83,7 @@ def get_newest_commit(project_name: str, tracking_branch: str) -> str:
     content = requests.get(f"{BASE_WEB_URL}/{project_name}/+log/refs/heads/{tracking_branch}/").text
     soup = bs4.BeautifulSoup(content, features="html.parser")
     try:
-        a = soup.find('li').find('a')
+        a = soup.find('li').findChild('a')
         commit_sha = a['href'].split('/')[-1]
     except AttributeError:
         print(f"ERROR: Could not parse page for {project_name}:")

packages/ooye/package.nix

@@ -10,19 +10,22 @@ let
 in
 buildNpmPackage {
   pname = "delete-your-element";
-  version = "3.5.1";
+  version = "3.3-unstable-2026-01-21";
   src = fetchFromGitea {
     domain = "git.pvv.ntnu.no";
     owner = "Drift";
     repo = "delete-your-element";
-    rev = "80ac1d9d79207b6327975a264fcd9747b99a2a5d";
+    rev = "04d7872acb933254c0a4703064b2e08de31cfeb4";
-    hash = "sha256-fcBpUZ+WEMUXyyo/uaArl4D1NJmK95isWqhFSt6HzUU=";
+    hash = "sha256-CkKt+8VYjIhNM76c3mTf7X6d4ob8tB2w8T6xYS7+LuY=";
   };
 
   inherit nodejs;
 
-  npmDepsHash = "sha256-EYxJi6ObJQOLyiJq4C3mV6I62ns9l64ZHcdoQxmN5Ao=";
+  patches = [ ./fix-lockfile.patch ];
+
+  npmDepsHash = "sha256-tiGXr86x9QNAwhZcxSOox6sP9allyz9QSH3XOZOb3z8=";
   dontNpmBuild = true;
+  makeCacheWritable = true;
 
   nativeBuildInputs = [ makeWrapper ];
 

packages/simplesamlphp/default.nix

@@ -8,18 +8,18 @@
 
 php.buildComposerProject rec {
   pname = "simplesamlphp";
-  version = "2.5.0";
+  version = "2.4.3";
 
   src = fetchFromGitHub {
     owner = "simplesamlphp";
     repo = "simplesamlphp";
     tag = "v${version}";
-    hash = "sha256-Md07vWhB/5MDUH+SPQEs8PYiUrkEgAyqQl+LO+ap0Sw=";
+    hash = "sha256-vv4gzcnPfMapd8gER2Vsng1SBloHKWrJJltnw2HUnX4=";
   };
 
   composerStrictValidation = false;
 
-  vendorHash = "sha256-GrEoGJXEyI1Ib+06GIuo5eRwxQ0UMKeX5RswShu2CHM=";
+  vendorHash = "sha256-vu3Iz6fRk3Gnh9Psn46jgRYKkmqGte+5xHBRmvdgKG4=";
 
   # TODO: metadata could be fetched automagically with these:
   #   - https://simplesamlphp.org/docs/contrib_modules/metarefresh/simplesamlphp-automated_metadata.html

packages/simplesamlphptheme/default.nix

@@ -0,0 +1,29 @@
+{ lib
+, php
+, stdenv
+, writeText
+, fetchFromGitea
+, extra_files ? { }
+
+}:
+
+
+stdenv.mkDerivation {
+  pname = "ssp-theme";
+  version = "v1.2026";
+  
+  src = fetchFromGitea {
+    owner = "drift";
+    repo = "ssp-theme";
+    rev = "master";
+    hash = "sha256-4d0TwJubfJrThctvE50HpPg0gqdJy595hewEcjfXlrs=";
+    domain = "git.pvv.ntnu.no";
+  };
+  
+   installPhase = ''
+    mkdir -p $out/bin
+    cp -r ./ $out/bin/
+    chmod -R +x $out/bin/
+  '';
+
+}

secrets/bakke/bakke.yaml

@@ -0,0 +1,99 @@
+hello: ENC[AES256_GCM,data:+GWORSIf9TxmJLw1ytZwPbve2yz5H9ewVE5sOpQzkrRpct6Wes+vTE19Ij8W1g==,iv:C/WhXNBBM/bidC9xynZzk34nYXF3mUjAd4nPXpUlYHs=,tag:OJXSwuI8aNDnHFFTkwyGBQ==,type:str]
+example_key: ENC[AES256_GCM,data:ojSsrFYo5YD0YtiqcA==,iv:nvNtG6c0OqnQovzWQLMjcn9vbQ4PPYSv2B43Y8z0h5s=,tag:+h7YUNRA2MTvwGJq1VZW8g==,type:str]
+#ENC[AES256_GCM,data:6EvhlBtrl5wqyf6UAGwY8Q==,iv:fzLUjBzyuT17FcP8jlmLrsKW46pu6/lAvAVLHBxje6k=,tag:n+qR1NUqa91uFRIpALKlmw==,type:comment]
+example_array:
+    - ENC[AES256_GCM,data:A38KXABxJzMoKitKpHo=,iv:OlRap3R//9tvKdPLz7uP+lvBa/fD0W8xFzdxIKKFi4E=,tag:QKizPN1fYOv5zZlMVgTIOQ==,type:str]
+    - ENC[AES256_GCM,data:8X2iVkHQtQMReopWdgM=,iv:2Wq3QOadwd3G3ROXNe7JQD4AL/5H/WV19TBEbxijG/8=,tag:tikKT9Wvzm4Vz5aoy6w9WQ==,type:str]
+example_number: ENC[AES256_GCM,data:0K05hiSPh2Ok1A==,iv:IVRo61xkKugv4OiPm0vt9ODm5DC1DzJFdlgQJb1TfTg=,tag:o3xXygVEUD4jaGSJr0Nxtw==,type:float]
+example_booleans:
+    - ENC[AES256_GCM,data:zoykmQ==,iv:1JGy1Cg5GdAiod9qPSzW+wsG6rUgUJyYMEE4k576Tlk=,tag:RUCbytPpo78bqlAVEUsbLg==,type:bool]
+sops:
+    age:
+        - recipient: age1syted6kt48sumjjucggh6r3uca4x2ppp4mfungf3lamkt2le05csc99633
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsOE50MkkxV1p0UlVUT0dE
+            WCtLMEk0ZSttY25UMjNHSHB1QzJ4N2l5WnpFCkNpdmlCY1VxWVo0ZStVclZ0amo4
+            dGhSRWY1SElRZXZzdWo5UDNjUHMzUjAKLS0tIDI3elNXSXJHQU5qb3hCSHYwWnoy
+            N3BhNmJQZjIrbWlVRytxZ3dFMjBtL1kKn7/DTPfJtdBomSplnBomYhsxJbX7kJQa
+            1Qsr+bmugWxHFIPhoDwPIBpChQkLvAo8exQpduos18FsXgvMmB0guQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1ug30gg4y7ftuya0wdv7q0vh4egn00wlv2th7mt7cgc2ze46wmvyq9lq6ge
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXdnNSSEJoaUQwdTNTMDY4
+            QUxuLzRIWVNkM25QNTZ5VTBwQlYvT2p3SURzCnJmd2g1YUY0cmdLL3FkQTQ4NURL
+            YncyY3VROTFUeDc5ZlB1aWdXVGNNdjgKLS0tIEtXeDdRLzl4RXhpS2o5ZUE4YkpI
+            RjBObVhlWncrRnVidEtGN2N0ZitzNlUK/ooEeWCY5nDgny43q45wvl/e6qq/X4B/
+            7Q/DPj13BcrWRgoCYeHlq6VlIerz5ERNgxyR/qKuVSGAVroSVY6spA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1mrnldl334l2nszuta6ywvewng0fswv2dz9l5g4qcwe3nj4yxf92qjskdx6
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoRy9CaHY1WEEzOXdUSjd2
+            aFlGU3NGcW5MeHg3U2d0UEk0SXJIcmg4RVFzCkpwODhBWld6T1VNS2haSkpxL0hn
+            b0VRWVNFcTE5c0t3VkFZQ1R1d2dnbmMKLS0tIDdNMHBrU0RRSmlBZUJobXQxZUt2
+            MzZSYlM5bjYzUlRYNXkzNzZlWmx3L0UKkH6WOXHFRRbCprSjxcONSVUN/9NEQvtS
+            Jg+dJSMviq6GvUfUNmNvPJHfyy+CYT6a2Zd+4NdYCetRLsRJPc6p3A==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1hmpdk4h69wxpwqk9tkud39f66hprhehxtzhgw97r6dvr7v0mx5jscsuhkn
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUckpiMzYrU1NnNFJ4MGps
+            OEt0c0o3Ty9QejhEM29wZFMrNTNyMHlHWlRBCnBHUUdvcmxoL0FqVEtBSHlma25P
+            c2tITUtZTGVzOGdidC84OUYvRlpxSjAKLS0tIFNMVmdiWmJNZUdLS1g3T3ZINUh6
+            Mjg5RHdKYnV3Z2V0L3E3ZlA2WDB0WlkKJr4Vg6rnKqGpL6N143QYfLqS4lQIED/J
+            SYQds8mCiyCNGvV6ON4k096jXcuMAZ1w+0bA16AHlTXnqgIgfaHpKA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1wrssr4z4g6vl3fd3qme5cewchmmhm0j2xe6wf2meu4r6ycn37anse98mfs
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHL1QvSUlWUTN4OTBKOURa
+            VkVVb29McWgxa3gwb2lkVTdSZmUrVVZpSERjCm9oTTFRckg3SUM1a0tJRVlaU3RL
+            dUtsU0FpY1JyNkx6K1U1MWcrSjNYbUUKLS0tICtvTjJVdG1PSXF4TVltZ204SnVu
+            VE9aT3l2dGgxMWNHUXQ0bDN2RjVOek0KwOa/vczHZa+SRr8j6KvkfZZ0kajxXOq0
+            5AoDz2Mtcs+qBctTuogdLCZoL2ZpRVV7v1dGI+Fm1cVLoutV19IvTQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1zhxul786an743u0fascv4wtc5xduu7qfy803lfs539yzhgmlq5ds2lznt5
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWVFp0ZlRhU29DNUhMSmRy
+            Y3VVV2pmajJmaU9qN0tHR1E3ekFMS3o0K2pRClIwek5GYzNNZEliK2ZTT1NVZklQ
+            YWpqY3poN0E1ZTVOTVRhL3FQSVZmZW8KLS0tIHpuWktoa1EwcXc1bEJJYk5VbEw3
+            blE2VXBuTDdlbHJTVjRzOWdyem1UWTQKg5uZRhcLpmiVcadqdJoscqsBD2u6UGx+
+            qT0IoSVOzsBlJw2t9rH1zR7WfRSlCXT1NYzu9aTWGqQaB8qvEtyk4g==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1sqs7urnzsdy64efmd0zukzv3gs5pnjksuxd7nqmdwdy5l0nqnunq6hyune
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFdjhMM1ZpM2xFVXlvOXZK
+            MlRZT2U5YzhMUVR1L0FqVVdiSTFTYUpyN25rCjB6ajMwTnNTaWk5d21vM0Zza243
+            dHhSOHM0c3cwS1c5dGxhbzBNVm9DeFEKLS0tIEpOY1lWVE04UkNYNDdCcUdnTUhI
+            NC9xOENWZUNyay9SeXRjSUdkMlE4UXcKiygSIWelRUZQPbiK2ASQya7poe1KCXmo
+            XIlgOaUe1+lvY8s2bjdud0+7QlPOKeyciCSFNNqIxzHMYSEKwNCbpg==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-03-15T21:42:17Z"
+    mac: ENC[AES256_GCM,data:2gH/ZaxSA6ShRu53dxj7V3jk7FsVdYS+PSHQyFT8qMvKM1hsQ/nWrKt00PUl9I7Gb4uomP9Ga3SyphYOXRBzKoV+x52oEWOJE3Q4iPrwdCkyHlxEezhTd/ZRQVatG6dvHpLuDNS9Dyph4f7Mw5USI+m4WeVdgCvHTydw+4KIfP4=,iv:yimfq96WVsagvKr8HTg1RdZBSrVGcCWPvv8XOXkOfcg=,tag:zHzdrE0PX5+AeD2lpqeJVQ==,type:str]
+    pgp:
+        - created_at: "2026-01-16T06:34:38Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA0av/duuklWYAQ/+O1tft/OfS52K8cmcQE7I7aFb85P2L+7u1TdmTjHwNFkC
+            3jhvzPkNDQDkMIc5EPZKX5WLUS8F1UaqCw4b8zZtqoTqKDpu0S92KL500iXwBxft
+            D3cRMFFb6GBoSlPJVBt6LMRJjGLWCkBihlYL1AknoVV7VERj8m1cvcstdp3qbEd7
+            c+X6t5B+7N0/QPdh2KyrHWXyCzFc/6emVjNGy2EoXRt7idFF2yTbafobCs/hZ8LZ
+            RJyhpGyR9QPtAwFP9Und62tCd4ZwG5FazZBLevRrmD7AOW1WnQhyYvxBvqQp/Oz+
+            lFmhcirLw5CaC1AbF2k3uNoAHXVWyexaQeu2gsNYXq+lpsdCWT8WtrAtNCyC2StI
+            PtdrdQ9oikJptmoWQ0zEBXKXdV8AhukLSX0wtis74KbmcS+2YyNKvQksGF2ZfHBh
+            U9ycfJr1kwm7TAg5Lg6XOmKrdOJkPoIcUCk2QW7MfS3nwwMLt3BjhhpRVUfeUmjB
+            Jjjs+jUXEusnmwmvGGgEU2pT944FLuFClSI8JTnIZ61YkjF7zAtrURvsNKlqu/UG
+            JLrWR+dnnh1YK0qQEcqt6giNSX2IWrw5SpJ8Jekt0TWfB1HDHybQUyFC/n/je/XK
+            0ouAeDL9oqh0eRU3ng4KKhOXNn+WO3/HrnG//KFwokc//BNNvP8qM0CTtPQbQ1HS
+            XgFjhTfzV0T4LyUryuict4rLVI+DDbzWGRp0umdobvQE1CGLhKCanrd2/Ng6fAny
+            9G09vYF5zK95uzqFBCTh1zFr6+rhfbMI501TwBu1KxOaJdYs3vzLiTGWoyI48JM=
+            =5fyo
+            -----END PGP MESSAGE-----
+          fp: F7D37890228A907440E1FD4846B9228E814A2AAC
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1

secrets/ildkule/ildkule.yaml

@@ -9,90 +9,90 @@ keys:
         postgres_exporter_knakelibrak_env: ENC[AES256_GCM,data:xjC7DGXrW2GIJq8XioIZb+jSe/Hzcz0tv9cUHmX/n1nhI+D64lYt+EKnq1+RX/vJzU4sTaKjveKBh88Qqnv6RQm+MZC//dIxcvnnAdl50qnHZyBCaFFEzSNI8I8vGyArMk8Ja72clBq3kMpUz/pLBP0qDrjblKDoWkU=,iv:ZW98hJy8A5t4Oxtu17R3tM7gou183VLbgBsHA8LFuJY=,tag:VMOvQz3X/XDylV1YFg2Jsg==,type:str]
 sops:
     age:
-        - recipient: age102e6y8gah0ntr6fxqnkpepc8ar29p6ls7ks9ka7v8w87q8scm9yqmc2u8d
+        - recipient: age1x28hmzvuv6f2n66c0jtqcca3h9rput8d7j5uek6jcpx8n9egd52sqpejq0
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyTWRSM3IwMmxtTmZVcCsw
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIRm5XY3kydDJSRUYrcmRk
-            OUhlakxHZzgrSEhEdUZFTXE1anNjQ2wvdkZFCnB6S1l3TXQ3ZGFYWmtYM1cwMFZT
+            K21WUEZSSEpYOHFrVkFyOVJYYnRUSU1aYkV3CkVEUllvUm0wZjlmOFU0VSt3OStL
-            V2UrTkk0Z1BVQ1U2N1hsaTc5NjFsVUEKLS0tIGZYV041M01DYndQWUNCVGxUVXZa
+            Tmdkc3JHRWplS3lnQWlkT3ROVkxkVUEKLS0tIFRJRkFEeE15Q3A1Z24wQzNlbUx1
-            YlltQ3FBU3RBYUx4TnNPRk1SUWNqZG8KAJjc09x553ncaWduGLsnIHdroaOmMasP
+            a2tmd21zSWUzbmw5NDdSRUVDcmVwbHcKn+DJ1PnlQApX8fwJoN9DtMqeKzoih6Hr
-            /fq0GzW6UNfmE2rQ6qrQti21B37/sN0WMLCSPLUPG45kBgx20GG4hQ==
+            sSh2z6rsTj1UmXocbBm1SduattqZFjvO5XGpp25mM9ZBlpcnVjB/hg==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1ug30gg4y7ftuya0wdv7q0vh4egn00wlv2th7mt7cgc2ze46wmvyq9lq6ge
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTOWFvcFFzc1lmNVdmV3lX
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVaEdlWnJCdHVpM0ZHTlJj
-            cVVLNHowcGdENzI5UUJLZTNSMHhjNlI2c0FnCmdwOS9oL1kwTnhwbXRodWxxWVE3
+            WmNrQnIxYmxmWlJ4Z29WKytHd1plUURPSDBFCnBHU1MyMS9FNnRCMmJ6Ymd4UWcr
-            TEtzVmMyN0lkdDBPNzhSR0J6SVhwM3MKLS0tIHhSOFA2TEdMdEd5TlpJb3h0N2xr
+            RGV6QmhrbDFObDM1MW1NdTdDU3ZIVU0KLS0tIEtBR01OOVdITExFcUN1dHEyaklD
-            eDVwd2dKMG9FRW1OY1pyUkhLeWw3b0EKtJpsQ/Ss39ZLiRNqUhn8sdB3hpQy7Syv
+            TVFnZXRva3FUZjcxYlRuQnpFTDhpZzQKxZM0ZB6dVwFr5QkT6YmEA+3RhhsX0pl4
-            ererqhMkqmDugGEHPk6KpZuj7DVSK1di7JgA2qZOUPzI7UpxjaC0Kg==
+            SolLZXFal1BluDERtZ2Clb5VzrcV3PUfFo8Yx6ncFjcisyFXUHVnYg==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1mrnldl334l2nszuta6ywvewng0fswv2dz9l5g4qcwe3nj4yxf92qjskdx6
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOQU1iVXRkQmo4b3F1Vngz
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvYmNZSTBrUzg5d3NPSHhM
-            S0pkNkVFR1FUb1djdmI0eHh3V3BBTDJTSTJZClA0S0Z0cTdFRmRaOEZQdHQzdGZ3
+            Z2s4KzlVZldKVitmL3RFNHFiQnJlcmlCS3k0CkZ4YlBvbW1DTzEzRTZMUVBOWDNT
-            SC9HRkF3eHQ3MHh6VUFiTW1MZmZoQ2sKLS0tIGlXcWtCczBuOXZBTE9IcVQ1aFJz
+            SHQwcTBQL0NQbXA3WHVZcFhjZW5ZeE0KLS0tIHU2TVErZ0I0dGRuTGIzZkVoeDJC
-            REdjRFZyY2pNdEd6cmgvQisyVDhLUEkKRItJ0CGbzlEB5RNAyem4feMVhTfcLef3
+            MHJkcXlGdFN2Y1p4Q08rT0phODlLOVEKhSEO8hUZ0d3SA1tFvXN2HuZR35SRzhUq
-            QIqltZ2l4LLexnkECi3FCJZHxrbUa+/RF6p1DsueUw7LLUnOcphB9A==
+            +J3eN/qUBu0LcuiBq+qbGYIAHggXy9ZSGCGfrNw35czzGpzfbK/fwQ==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1hmpdk4h69wxpwqk9tkud39f66hprhehxtzhgw97r6dvr7v0mx5jscsuhkn
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvZTBpaWM0c1hmODBaK0Iw
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhdDBxd3J5MWZ0R1IwVWRw
-            bmp1NzRacklXMHU0K2J2d0g5ajBiNlRNWGhRCm1DOWI0cm5BdTdlNmFzM2JVekNk
+            cklOOENFM2R4Q01JdFd2cDZCQ2pSTGNucmhrClgra0tCSGdqZExLbWNoaDZkSzJD
-            U0VnQmJKMU9ZczZBN0o3czAxOXc4TkkKLS0tIDA1aFRsS3VHdmFtUDY3S25qK01p
+            aDc3YXdOZi9jMDdwc1duTWdKbEdUVDgKLS0tIGxKbTYzRnAyRVlwbUxGS3JySFJS
-            U0ZCT2toZ1ZMZ3E0bXRhSTQvNGFWNVkKhxfQDIDe2LQW7OMBJv0J267AW1wI32df
+            VXNrSldhMDV4V2preEJ3ZDk5UlZ1YzgK8K2R4LETFFKpUZVdofJoE6eXw/tlz3+9
-            ZQxd657TEqzm7i19azrCS0jyRbfj2MYzEJAtTGiGZaNC9uKDFzBhKw==
+            k0iXQX6zMj1uSDmenjztU04FIfRxzIur5xifd8hCJnWmxlOCFDqLag==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1wrssr4z4g6vl3fd3qme5cewchmmhm0j2xe6wf2meu4r6ycn37anse98mfs
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmRlJROHRKb21YUnlicmc1
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPc2dCdGNSeWo4RkovV1Vn
-            MlptQllEcXFhajNKS1krMDdUMWk5QWo4eVJBCndGSlhXS1Vaa2RSTllIcmF1ZVpl
+            ckRYYW1xZldjVDRuSjM4elQyRVFROWduL1QwCmNSVzk3aG90MHNWZWlzVDg5RE55
-            V28wUGpPVE04Q3VPdzFYdlNpdXBPWHMKLS0tIGJLNStURVJ2NkZKNHVURXh3SjBL
+            L3JKODZlMDJudTZYNGVNQldaNEhPcjQKLS0tIE41dDYxWE84Wk9XbG9iMUhpMHBu
-            TE41aFdjU0h0ekQ2Zjg4Z3VQVjFWcnMK6zjSalqeYjyc4NH6nOeghlhYJydrz4pM
+            VlJZM1VMYkRkQXNlSVVoT3RYZXRaRU0KqqIjxe05oO67IUt/LMIYsUAaZw1qQFNv
-            N5ZcXjRbrIVFdhbYnvQGKvGKZm0kK6vjzBjdT7BM6ctr8cq/qrz1xQ==
+            mmVu5GvHdpSrp3PttxlZC7OiP84Jzj7zM/idj0wBIeVCWedWO59aKQ==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1zhxul786an743u0fascv4wtc5xduu7qfy803lfs539yzhgmlq5ds2lznt5
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIRXpBa2tYc2xEeldub0VK
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHL3RId3Q4SGJkYjM5STJu
-            bkFwOFdlUGRZM0FVT0tyUW1RWnl0TjRUTUh3CnZlMC92MU1hRW1yZU1NSUdoUEZh
+            ZU9BbkgxaXdva3g5ek1hZUF5YWcvZHI5c0VRClhLazhueTRLU2N0T2c2REllT0R1
-            YmhHN3pjd0lhOXk3KzFqRVhaU2IvWFUKLS0tIGxVRGNmZmd1QS9sc0NMVFZMNGVB
+            LzFrdDdiVVhLQ3BPdkwvVTg1RjdscG8KLS0tIHRYTmg4NFF2c2FpVHphUFdqWmhH
-            aXFQWlNVQ2laVm1ETStRemNZRXc3TUEKlPYSU3gp67dsPfbEJkru4ieMvspC7+pu
+            TFNhSDNUMEo0Z05mbmlwRUs5VHhUWHMKJUCyLDJx2voDttv4UrpFKYyNz+HhtyFj
-            rfp315HLyj1FGhrA8f2qOxE/PYI2rn0yKm80KffWBV7ylX/uonm4Fg==
+            X3OrNbmJQYuNpq4hzQs7jN5UD/4YCtFi9mb5pmFr8MTHLb6UsZN++A==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1sqs7urnzsdy64efmd0zukzv3gs5pnjksuxd7nqmdwdy5l0nqnunq6hyune
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsaTEzOFBEeG9LVThSVmQ5
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKNzZ4Y2U2NXpXWHA3Y3Zw
-            VXBoaFpueFRCbFJ1akE4RWc1aE1HUmVGcXdZCjFnbU0wd2drazNsTmNBMHNuOFhO
+            S1BKbTNXaGxRaE55QkZNSFV6b3VURFBXWlEwCmpJUjM3VVJRc0dwdjFLOGdQQTlz
-            b21MZmNPSVNDU2RycEtXTys1V3BVVVEKLS0tIG5oc0VoTXlzeVh3b2NjcFl6WE9U
+            a0hVUC9tSXNDQ3NyTnlnVlNNalFOZmcKLS0tIFNXYThsRHd2eUQyOGtVT1RLaTdR
-            dC9meDZlc3d3aUJEVjc4REF0Y1BLcGcK79LbJzc5KVgEgyJR11crGuX8YcVoJBbT
+            RmlST2JZS2gwbDBpZ2xMblpWNzB5ZWcKTkKF9aonrBMolxqcj9a5d9JLoCj229KU
-            Fin7Zoon06L7qx0Zw5u27wV7RKMnYT7hOMiWs6660ZTLcYJ5M1aEZQ==
+            It2KjhlzBcgcJUIiIPWMoV9VbEpKkTsCLkWxFSLle++ryOUYh3kgaA==
             -----END AGE ENCRYPTED FILE-----
     lastmodified: "2025-03-16T20:08:18Z"
     mac: ENC[AES256_GCM,data:C2tpWppc13jKJq5d4nmAKQOaNWHm27TKwxAxm1fi2lejN1lqUaoz5bHfTBA7MfaWvuP5uZnfbtG32eeu48mnlWpo58XRUFFecAhb9JUpW9s5IR3/nbzLNkGU7H5C0oWPrxI4thd+bAVduIgBjjFyGj1pe6J9db3c0yUWRwNlwGU=,iv:YpoQ4psiFYOWLGipxv1QvRvr034XFsyn2Bhyy39HmOo=,tag:ByiCWygFC/VokVTbdLoLgg==,type:str]
     pgp:
-        - created_at: "2026-05-20T17:35:58Z"
+        - created_at: "2026-01-16T06:34:50Z"
           enc: |-
             -----BEGIN PGP MESSAGE-----
 
-            hQIMA0av/duuklWYAQ/+ONarLX0spY0m0iLGEp4Qe9YcfKrf4G0QLbiYMW8Bko7M
+            hQIMA0av/duuklWYARAAgrn0irD12kqDfIEvpLpa0Ys/hMG9GwCMeU186iFfJ193
-            iV5PSn4MeDlu5vIkNy1vbYqN2kCQZJDNtirtVqggoq+h/lEvXlkgmkJXeMnnVugy
+            72UVEzx2GwIfSt0qQlpBFZtueL9Bb7ka81IrqhAepq8J5//WxEGvv6H9aIm8V7ov
-            xJZCG1SnGnx9BD/tWaFZp4IY9m8sQtEqcpQIvitQTCgovdWPb7NddlDaHbn4R95t
+            ZkS4eZpFksu0ZRFP5HWQvEQwRKj8WxYQY/TS/5QGNSPeHOZYnpQcBhAVLjn9Uj/O
-            SeTZxnxT2MCYiGHyESMrdy8JEFER81O4XIGuccBV4GyoDcEAxDD7PXf7Y5YlwUQk
+            6ojnIVoKxDdo235fuDQdiLwCpPXsKi2OQuSFOwq7Acg/fm1pvc76h9dqr5DqrspZ
-            /sQ3awgsy1WJF4YzQ4zCvK8dO4meiD6asEijQEXNTyrXrkkIX6pS14l9HLzg8HLT
+            c3stdbYwVOedgYjRrdSYpkplGSqNeVtYYJ3apdauMSRNaKmgMwbkxkzXO9YrWASa
-            ZLelRyCYeIGEPyEJtbBKxMEu28SAmCMESCdLImqz3RnT0Z6QV1Z+DqAPck3aij2v
+            beYilvhNgr0rnQB617IhgBZrgik9CvqrqGZqim0fWI+s4bcbgfvK8UORt4+QgJjO
-            VCeJZgK7tmjuusThzi0ymSb0tC14JS7eK/BNGIvVK/41TlzI0qBeA1yYf8Fdtsqt
+            FPqAtVE6sNGzElKQ6ZZPWZoXeK7vfIfxwxU+oLcijAnUmLy88zqIUjUZKzmyhDZa
-            7OGfCR7aUdBn7yweGuo9L9eHRFiJvoB9tNiPnw7rdr/SrptL0ovsML7m1nvg6mO1
+            YAAwxBL1nh+UzIbn4GGeVbYHLbKJ6XnznF7zfTWph6GbeFfdWuaSwxmnGjE6n1y2
-            os1JCL5E6u7d6cGbqaTmjwKLhvNuI1keJoVGtlOYt95tfEAwWeuG2ML6wJ6u6oJ4
+            ye3GQaW2aeq7RKoqyLJO3oIHyGHZXFe4pB4adz60uKNPJz47/gtA5OofNs0qbxqQ
-            WAw/g5Tqb4jeLpcgw8iclhK5JzAL9Uz3G95VXkS6CcTrOfQfvIJHxs5JtsxFC98l
+            Dp5fmrvZZtDa/TYIV9o1bSp7cYk49TGKHPbX7tLjEIIfRxd4y6rYgwNpPdukjZsk
-            xMgnMY4SNQ6sHAHZ+6Wku8X+lnZ0uKZkYlRqpH95/VTp+I6QpuqydIOeZ+ILn+jS
+            bbdxypWrJkMx+9xk84DGo3e+RY738JgLjc0ylDO+pIzThUruBOcDjUKeGNmVQYnS
-            XAHa6CahC07yA93g8kgTeMhI3ezqOQD0gYnY3QROX5kKVD/bNu3JwNTprO5b/kRK
+            XAGofG3JSI97wFdYOB+4yoYPqs5rovgPbkGGuT5SBIxH5zVv3X+SE4wCGu3CLFC4
-            2Ehg8D0wdaJ9OM+pShGyf6CK5wVBvSq2VQHKxjEIifi62RYtUvnf+sx/ob9h
+            A4cdwXmuERPxszVZW+V8CSGq9XnH/OzrpiWVhzqXCRH03F2BmnAx9Fp/zMTH
-            =9nB8
+            =DooK
             -----END PGP MESSAGE-----
           fp: F7D37890228A907440E1FD4846B9228E814A2AAC
     unencrypted_suffix: _unencrypted

secrets/lupine/lupine.yaml

@@ -7,126 +7,126 @@ gitea:
         lupine-5: ENC[AES256_GCM,data:+PYUtLBx9MdIebR0nWSNGKKCyKcGpI62BXj7AN1iV4wU4+2awrWZ2Q==,iv:PALEU/sYebhPTO4ZXEm2uV6z9hN678ZxqOSnaHVlyro=,tag:Enb08N6TYlOh+x70pcpJYA==,type:str]
 sops:
     age:
-        - recipient: age18lta9d683yekz487xwtd99da236d8mgk4ftlmv2jffx858p9qf2s9j868l
+        - recipient: age1fkrypl6fu4ldsa7te4g3v4qsegnk7sd6qhkquuwzh04vguy96qus08902e
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJRDdtTmdvRDRPaU53Mjd3
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXOTAzdEFVNmRWUFNzY211
-            S25SeU5rUnZibmh2Y01HZUVhZjVWUVBJVXlvCm1uaURNYURGRUhhc25vSmFodEJC
+            NUpoMnpoVmpCeFIzU3JacDIxcjNYUTBCZTFrCnpFMUtydndyUDY3emdVVEp4dUpy
-            RnRob3VLNHYycDlMRkwya3JJK092UlUKLS0tIFMwMExQZTVxVDAwYzRSaDhTRC80
+            ZWhTRGEvdG9pQ2JvQ3pGL2s0M3Z1WHcKLS0tIExjaWh3MHk5WEZVQS9lYnkyemxE
-            VU5jeTBFcGYvNE9tVUVuNmV5WjMycjgKF9GIvJTczigKH+dbTAOHK0S966/QE/7M
+            UjhRL0swUnBJNmNzaGtUMjE2WlZ2VDAKYV8T2iXVEr77e0vuV8e8xpbhStxUoM9l
-            HtgdJi9roiyDwI9k56r35/MP3eURffXBWTmc8WZRHTxnhzo1GBpg0A==
+            Jpn3XiYuoWHk/bmQyjQIQzjB4oqx4TqEnHccSmN3XtUIPGr296zwMg==
             -----END AGE ENCRYPTED FILE-----
-        - recipient: age1e0a4ru707v637wzmuxqv0xywmlkhunzgyfy4mrkjc7a23qq8msgq7nqtvt
+        - recipient: age1mu0ej57n4s30ghealhyju3enls83qyjua69986la35t2yh0q2s0seruz5n
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqMGtpL3JJaDN2Qm95b1cz
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuVVdmdEdZcTYxajVHQmtF
-            VEF2bHU3VjJLNUQya25lL01qYkFreFpTVGdBCkdHdnBUUjlXOU4yTkE5ZTF2OFll
+            L1pad0ZxVUdlWXVjNHl3eEIxZlNtdlY2WGlBCi9NUUVEakZLV044dldDSkZzaFhS
-            UXNQTWsrQ2FGV21kRkllY2E5S0NRS1kKLS0tIGY1aHkyVE5XbHpLbGVBUVFmNlVy
+            U3FJanBaL0JGV3AyS2daTFNrM0J1M1EKLS0tIGs5ZjRZcVREenN0L2RPaWp5c0s1
-            VDcvTUY5YVEvOWFQOG5ULzFlQU9IMTAKQ601N8YNayuYrkZqqsKqlsnHN4rSMzN1
+            U3AxOEpvdmozU3RRMGYzZGZOZGVhSWsKHEz+eL/fHgLUuixFIeA2dUAjZekzRIHy
-            sesAmJVuj7ZddGQlzIJC9cydXkssmY5oDIj92J7DXTzhFQlO0o9tfA==
+            NgYmzaWhY7IlPg4mZRIW7hW+ckfr9brdgOR3Gn5Fp3tPbAL9GO7bnQ==
             -----END AGE ENCRYPTED FILE-----
-        - recipient: age1wmrrhd5deatmgflkas636u3rzuk46u9knl02v4t39ncs37xqquhq9vwzye
+        - recipient: age1j2u876z8hu87q5npfxzzpfgllyw8ypj66d7cgelmzmnrf3xud34qzkntp9
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5ZFV6cWN3OEloVmIrWG9Z
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5THp4MkRiUGd0VDVERjU2
-            U0RxNVF0RlJ6UDNMK0psQjVKUkJiR0JUMWxBCll3NHpFempRcCtSYUQzWi9kclFP
+            bmR5OWlkTFFmQUM2QmRNWU5DSUI3eFV4djBVCnF3dTV1aGlMUTd2UWlyUWtXcnlG
-            Z3k5MXdCcTMxT21GL3E3Yk5md0o2cjAKLS0tIFZML05kSm1sVnIyRmpsSmdGbG8z
+            TFFRdUp4dnpXZ2FLSGZoRUsvRlR6ekUKLS0tIDVBMC9oUnBuQXpkcEZHSUd0NzNp
-            SllNcDVzSE4wTTB5NTNTYXJoemlIMUEKbJwinjEIjgwlShvUr+Jcfay0ha8Ndo6L
+            U2czY3YxRG10aW9hVGJsbkJwWTEwV0kKaNQRm6qmIIbztzrmw6nZSA131lxw7PA9
-            KM0QvKlcsx5Z6pqyYt6TvnlhyhcljN1IFfoUO5r3E9lYSyanv3HJRA==
+            MBPmPQmskIbGJ/bQCfZ7Sp/Pe51sL3moA8tWMqGZEVa+xuxa/KEKSQ==
             -----END AGE ENCRYPTED FILE-----
-        - recipient: age1ml48zztcmnrdrhrdsjrlyxf09jtmjgz46u8td4zm59wn3fm4g57qs4wg0l
+        - recipient: age1t8zlawqkmhye737pn8yx0z3p9cl947d9ktv2cajdc6hnvn52d3fsc59s2k
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3SG15dS9JNmRETjBZL001
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmYUJkQkhJbjU4a3ZNbzJM
-            VnNSN1o1ZENwdStLdnMxaGp2OVg4WFVUWmpvClJESk9KVi8rdkU5Q0ZHSnhOell2
+            NGFXS2ZDSjM0Nk9BVVVCNUx0Um9mbmVXT21BCmRjL0pNcUs1NWdxYkQyc25nMG53
-            K1UzMWpOMVUwUFc1STdVUjNsekt6L1UKLS0tIEIyTG9UMWs0UjZIZUpvMFA0ZWlZ
+            c1lkaHVyRnloRGZmWk82K3RZVzNnTjAKLS0tIERndWk2TFJWSFUraldwczFOVm13
-            THhnZWZNckdTOXNpSjVDUEFWQW8rOE0K5ts7BAbcZ7L3cId+jjbC8ZDOnCEAjFW7
+            NWRDWGdMNXFraE5ueTM0ZG9hMHpKTjgK4xTJKPcrk3EHwMoXlTHzqeDgx9ZJl962
-            lizGlAPolgH6uNpPczneeFBczfU8nnWOcJTpPXQDxXiWv7y0aemJRQ==
+            8lyQMOSeICyXLzRgKQWuXssDMuev0CZfvnXeWp8megmXuU5Eq1GW5A==
             -----END AGE ENCRYPTED FILE-----
-        - recipient: age12gws5nws69vxryd3kt7q0ayngch90efmhqcrfhnnsmj00lkgxd4qsdkvqn
+        - recipient: age199zkqq4jp4yc3d0hx2q0ksxdtp42xhmjsqwyngh8tswuck34ke3smrfyqu
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLQUEwa0cvcndUbnlpTlYr
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUY1p6QjViNmdHcjY2and5
-            ZUtEdlRKcmlrQU1USlZVeXNXejhBSUdLdGxNCmpzRHpoM1VNemo5angweW9QMGJ2
+            aEYvOXpxWEtqUnRTNEgxeE44NzZ3VW00OEZFCjJVN0Q4c0FJNEZEaDVXZlNkMTlr
-            ZGpqZHpWeUwzZWl2NWJnbTBGYlcxZ2MKLS0tIHZJT05EZmI2NGRsZ05sL0Y1VmY1
+            cGQ1WWhMY0JCTEVLUDNGMHZFZDAvOU0KLS0tIDE4ZklUMWtKL3JlbzlrUXdvekJt
-            Q1p0b2dJMXNhRFdYdHV3UFhUQzVmQVEK/3E/fDJcuwN8UJq05Dg0YLHhFRLjl4i7
+            cjhrRmQrQ3g0UG8wKzZHMllidmRaQ0EKVG9D8Fh7xMzNPXecdX6zTfank2/ZNnjl
-            98dDpycvPV8Py82q4pNpvI+goZ2T19QcxArSLNLQwd3TqIYvLHB+FA==
+            mwxCXnM2e5udtviQURJstLvlCElNtvdY5WdMkUoCXwHoMspPwGByFw==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1ug30gg4y7ftuya0wdv7q0vh4egn00wlv2th7mt7cgc2ze46wmvyq9lq6ge
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxOEhSZzhkZ25rL1dZVlRw
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3NGpoWUVmK2ttVno2cG44
-            R0JMaUR2VXQ5cnYvdjRwQjU5VWYwcGRYbUMwClVBYi9nOHZkejBxamxKeHJSZmFC
+            aGRVSStsc280cGFZL0xERUdrNjJVV01HemdBCmZBSEg0V3FHNVEzWDBId1RYck4w
-            NUFuQkVxS3VCMVZaMERYUG5Ba2FyTjQKLS0tIE5BTlN5MnYzTnlZbXpmNXBOL0NZ
+            dEd3WnVhUk0wdHRxOE9WUnpaUThLa2MKLS0tIHhWbXJmZ1Y4RWZ3Y1g3dTI0MzMw
-            TGpFN2xCTWcybnBBL0o2MVFoQzNRMkEKtprwI3p45huVaLJvqTNLU1k17uSObJaA
+            eGdwemRYSCtoM0FseXhLd0Fzc1dzUG8KdPDyA/XJSgjHFycEwSg7KWX4fMA30CDq
-            QEL/qzgLr//fSxiMQfJRtvqpcGuL/kTnmU56tJdLVCDAfFvW0OH9gQ==
+            GIWYDVDicgzbxjNKcQdGzFvL02B1igogHtuIJn1qE/bNrK6L9PQ3pA==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1mrnldl334l2nszuta6ywvewng0fswv2dz9l5g4qcwe3nj4yxf92qjskdx6
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZTWVYY3hPMi85QjhYQWlW
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxTG81cS96bWtOWHJTK0RC
-            R0s0bnVpNEFmalFBS3lISmtWanNPcEpPRlF3CjY2TnliWGJocWtkbjZZQUpPZ3dS
+            WlAzWWdiZkhncWRBVXZtVXdQeTR4WEl5MVJ3CkY5NEpnMmdpVnh1eXBCajhPT1Rr
-            TUlDS3JVb09CZ3pUNGZvQkVFMHIreW8KLS0tIE0wS1Q0THdocmw2RGZ1RWtvbjY1
+            ZWpkUm40WHpFcVdQcStWWVZWZU41VjgKLS0tIGRyUnBsb3FnRE9IL3RkTktjN3dO
-            a3hmLzNiY2ZQdk5TQzExOGJPeTd0U0kKVqulWO1BniSTpYHa7fYwG0oj+hq+clGq
+            ZEY3d0I3WVVhQUNPcmhKYW1sVlBGSmsKTsZwHdholYxIhOn49WTdb3pnjT8oTkH5
-            /XlvYUYNIApaAid3G9LrZNL7g3mhq1ANuDGMY7n0Z6/xhysTZwRzEQ==
+            mfayWji2cOBRRRB9X40OaVg8SCIhVAQNdvbn64XaJWqWbXFtXamgLw==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1hmpdk4h69wxpwqk9tkud39f66hprhehxtzhgw97r6dvr7v0mx5jscsuhkn
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsNkM5ZjRIK2FKL1B3S0tl
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhejJHU2N3cVF0TnNqZytD
-            ZUdzMC9ONStkYnZZRm1VQy9FMVJkNk9SY1IwCnJFTVRTL1FkRlAySmF1ZDdBVUxz
+            UERpTmNnT0FJMysvbVYvNGM5ejNVcE5wemhjCjhyYVpsaDJlNHI2aVg1eXZtV21a
-            M1lOdEhnRjI4blNhL1FYVEJubmQ5YVEKLS0tIEtLWktCQVp1eW10SnhkaUJDYnNv
+            eHVFL1ljWXRkYlFrTkgvWHhKS2NZOHcKLS0tIEVLRFhKR0tyeUJ3Z3ZoREY2c2VI
-            cDdvRVl6a3VhZXhwUkl6eHo0OGxxUDQK5/Z3OCFIb4HOBBxHj0B7a0AuPXgPbuh5
+            c29MWkcvUFlzU0VCTnFTV01rWkxDVGsKcyKsGo6Ep7f2dBwaUYoMsqSqQrn3Obzm
-            TPGvfJpa3Ow/eJSpEdXOm6chTrvPsgGHKYZS75SAgHMP8SHHIPuxuQ==
+            sDovKBx+Y7+Yn6fnxy3ISQ9FUjupMtKffiO2AAK7AAI3MFjDOUb9zg==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1wrssr4z4g6vl3fd3qme5cewchmmhm0j2xe6wf2meu4r6ycn37anse98mfs
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzVXhHTE83aDFvN3U3Tncz
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPVGVOcE9TdVFDYURFeEE5
-            TzlYSVB1NzdvQVY5bU1yZTRhU0V1bXgyZ21RCm1WekpqcHE3cG5sRkM4Z2k4UzFK
+            M0t1Zm95SUZpNzdFR0N3UVYwdG1yOWErUTNBCjB4WWtRdXNJV1FVd0xNODUzTDZD
-            TlZMOFFrb3BBZ0d3dDMzUzFueDJiZFUKLS0tIHkraEY4STNWbDZmQm4rUnFHWU5a
+            ZXRteEpwendneS95alVhckJyMXZucXMKLS0tIDZLNFdGUTNMTm5KUkF2TWxPNk1O
-            bHpyUUM4NlN3VDhVYVhFNVYyeElqVDQKm44tte4aQ5/0XVMd7IvnahRxdrSePHKn
+            V0FISGRYNmZ0N3dXc3RHdGNpQldOVE0Kkc7MRhVvpKlIVGKRvvPGyW/DzatxM7+Z
-            f6EUC0tBdSAifbe8JdCvTz2DDbUbXRxDxZCJ35ATyB0K1AEgcVEVvA==
+            VP4kAf0Vu6DyKZINDXH5XQh6qxeAccYXhv/QhxdSuCW4bjplMMBSnw==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1zhxul786an743u0fascv4wtc5xduu7qfy803lfs539yzhgmlq5ds2lznt5
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3VTZXR2hZT2FERFNhNXVs
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrVDZVbDBOR0d2VDJHY0Q5
-            MkREdWxxNWNvZy9jRkp0d2YwNm5IRDY3Zm44CjZ0SC9NWE40TmFtR2NSMUZtMmV2
+            VkdETUV2dFVWcUM0N3pwU0dlekJqYzZPZEhZCkZWd0dVS25jYm5Eb1hES3Z5SmFk
-            MXJ1SjI0V2lBWElXS1FHUTNRa3g5MVEKLS0tIGhnYW1yd3h5Zk1UYXpzZG1XeUdF
+            WnVEYmFtRURTa2FUYXhpQkNLUnhjbFUKLS0tIForS3RPcFkvenJNaW9wMFAyOEpP
-            Q2VuWG8yOE1ob1Ayd2Z6NllhNnMxK2MK1BzxHusN/Ad0+2ExwK/q8qyPObDL+112
+            c2g3UlRHc1ljVGZaWVRlTUVORzNoczQKFvxD6ty10YobBU2BuyVpDsqGI1nie4Oh
-            o5/LeOh2vA3KQOG7QmlfhOK8NEID2dcWXoK3Kg8H24rowZq+WQryqg==
+            eQbvBEqfTN3zR38ujT6/tLfyNrtj71oGzI9M+vUUGbrmob+/y2VABg==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1sqs7urnzsdy64efmd0zukzv3gs5pnjksuxd7nqmdwdy5l0nqnunq6hyune
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXblVrSXJjVUVtaWltVzQy
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOblRZRERwT1k0cUVkeXlF
-            OGFDR05TNTJEY2M3dUQ5bEtnaVF2dnd3VVdjCmFlL3MwVEFrYml5UE54U3Z5bUNU
+            bXZ6VnU1TmE2dFlaU1IwMXV0V09FZjR1bUFFCnFUa0hzeXhvTjlaSk9lZFZHT1d2
-            dVRiUmlZS1lEMms2YzNxRjQ2NzAxdW8KLS0tIFhKS2hZS1Y4a2E0SzY2dHFPTUk0
+            RU5NQXJBb1FISTVnSFJheEZLTFNWa28KLS0tIFEzUWFvOXE4WGRkWmxtd1hvUGZu
-            MTc3MVhaU0s5anZPdUg4RlFiZmU4MHcKepCAfP8iMOJ39LL4S8XA18pXAYZgcdLO
+            QlBkaCsxdlEyT1hhbVA0c3J4bkhHU0EKbdPpiKgu416P0Ciacs3wkH0OAeHKyzQE
-            xNV7kAcdXpywk/ffnWAukwI32LegGQ+efNtysCeESNKomSDtXKtm6Q==
+            ekyNhHHKT7IqJSvEl47PpTIsgk99SrLgImNKY8sDieOqDVuM0bhgTA==
             -----END AGE ENCRYPTED FILE-----
     lastmodified: "2025-12-04T05:53:51Z"
     mac: ENC[AES256_GCM,data:o55keAaJEXVOAGvoMp8FWvtlxMgfF/qR50FGnNM1whYz+5+naRJ1dAOW9NKYHWbtOa/ZXEMTkjoFrTJidAaIXza1Ot8llbTGYh56fsnu0FKZfVM+rvecRDhXKWxiAqyiLUvtUfA2fSg9LGveh2U+0dulcU25sb3Wf0RcFrtM3xI=,iv:3/UllekmGIaluv8y8I6Azd/52dJzk+C5ah6XLJj7Zik=,tag:T5ILXiC5hK++0jGOnHCMYA==,type:str]
     pgp:
-        - created_at: "2026-04-18T16:25:16Z"
+        - created_at: "2026-01-16T06:34:51Z"
           enc: |-
             -----BEGIN PGP MESSAGE-----
 
-            hQIMA0av/duuklWYAQ/+KtiEJNL7M4M8NH+UhisZPM5q7RecKdQde4yjJF5YrXey
+            hQIMA0av/duuklWYAQ//S5CPlAJka09zfxhQCKY9SnHOlkNL3mQxSN9EcxiKFgQD
-            SNcy98WJJrX4p5ZBccLxJ6IW6UNIxFz7JX227jQDCAbPvGBh0uCJTpSosChJHs7s
+            G2/qlFze7CiswTr608TXNQ/lPb+SJHgLrJvcBwISh0MCKKOZtyNjfSIIdR1A/JTE
-            GUt/7CHfyV2+Z0FJS6iN6AZrE6Kjkkc3Uyp/Wt1va56gQ8Xx9hZHhjjgXEiORYWZ
+            OaA/JCJ76j2W7YWYrL18dY57n7DOMmhf/BZj0hI4PtDqh+dB2vX/U2i3kWdODb/K
-            bU7DKvX5n5A7GNkrBTZ/+YKtRqT/m6ZPVWfVnY0rY9KhzfvmmyOpQrB7n/DcdUbf
+            fowmPrqustOLGAXOhuKegtQ8K5KLsP3NHjrp5TiOYmI7fDVkwvBnqXj52n94pw3n
-            +OhAP7p3UdEWquh9OJOiDRUqo7ykGCw/dYltmt2I9JcGiyKsLyyTTtFWgZSnUCsm
+            o+HpvmyWFSm7QExGsjbbMbtDEmJJ/u8arx+Tb+ELumrz7QgwXt9ZGoPpJnmz9SsC
-            DFCGXkFwPOsxE1WxRpl0mR7P77rMvHxJEukUNUW0DMPUjzaaHH8LINukgpOD0hpQ
+            4MoTF8Ul4HRwMoMyGEQAzb1J32THFKWSUtWaLjNDOW91l/eiLpY0Kk5f1BTVcD4W
-            yvfFjRKUG4Ygi4mSmETylll7pD9XBRfihTjJ5vh4VQH5PAHecWtIXgYSso12Zx6v
+            GsA63BsSqnIDB4Tisz4ZRhaRGY6sxyXHDSnHzVQmKrv3kwTJm8ODA18gu+HZ021h
-            nmvgZTmikSBImEqS/MOM5Zx+esmjlEsgKuXP9HmIwBwHExLGF7U93OGswF3vEW+X
+            ShG+m81PYrGkeqYwJHnEMfSo4XY4/lHdsZ0yldF8eSjZ2raPbsw+lmadot8mc1eE
-            GuMguPfwmW/w4fFX8t2Ln9uA/E06SlD7wG9sZji1NkwW/h0/3BEOdcg5MTyQQdNe
+            leiEJOP6+ZOs60dJ+dOwaeCb5CDjFaCrq6c0+6ESWpN354tN9L9DZGLlYIt2AlcM
-            mn5pyFKoH88Km2ktjVRq10ImUa2ZLyL/6RTHZ+BryXvRDtBW0zzbZhPHVvpCLKbZ
+            /N/5DO5F81jxlBbxI4IFwRvBDBwO81eQlVtjQB5V1+dbeIaZYS6GN72xHUSjICNJ
-            lkLSEwVhGFfWaRWfGsEx28MGMKicirZjw/RsRXq19alruLW3entRRRkFV71zeMXS
+            0Wv8iDwxKRjQI2uol7KmPN0Vr9siMIMAP4yCppnmdxF5VcGbLWNu9lZfxlj5o4fS
-            XgESJpGWxo709IBQvsooJ/2VRHnGZNkvJipWc9pPmRYQLrxP9jxX34jcmjkNYX08
+            XgHq8TJTMWKGF2Yq25/5rKmIb/8cCOU8XLNZ3xT4X2dErqV+nWtmXgmNySCphn+C
-            wcmJ+ioRqPV1qvYfxdnKTtth4g7ePZywDo6FUgiCwaEa8jhR8ISsDM2DCDAg/LA=
+            xK/cKHseztzXzffdqCrJCaeo2KmTou+gMyDEmJrVLhrcIMayptt9dc0dgJ12N3s=
-            =3HI1
+            =pLWS
             -----END PGP MESSAGE-----
           fp: F7D37890228A907440E1FD4846B9228E814A2AAC
     unencrypted_suffix: _unencrypted

secrets/skrott/skrott.yaml

@@ -0,0 +1,93 @@
+dibbler:
+    postgresql:
+        password: ENC[AES256_GCM,data:2n85TO709GJc7/qoYp2RXO8Ttfo=,iv:5ZCZPEQQXPGYfDd1qPhDwDfm1Gds1M8PEX9IiCsHcrw=,tag:PAseyFBAe56pLj5Uv8Jd7A==,type:str]
+sops:
+    age:
+        - recipient: age1lpkju2e053aaddpgsr4ef83epclf4c9tp4m98d35ft2fswr8p4tq2ua0mf
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNdjk1L1N4QU5SK3pjTit6
+            V0hIZHhyOW9Rc2xWdE9yN0tmMG93V0IzZzA4Ck5OSUlRTE5mVGZtMTl3NDh1QzA2
+            Uk9RVnRENmVnQUZuQUVSeGxBS0VaK2sKLS0tIHRHbUUzcmlQbW0weXU0eWJKVmVT
+            ZUxJKzV3UDVVSW11SHRrWGxOSmgrZk0KyWxjEmCvNhiZfgXfObQfQ5riscy0mLFn
+            3pslIN7fbxgxnEVyAhl9FOUS65GrmWrrhvN0pkIpgMw1cqtCrZHxyw==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1ug30gg4y7ftuya0wdv7q0vh4egn00wlv2th7mt7cgc2ze46wmvyq9lq6ge
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoVFh2WC9iVHpURDBzckdB
+            UjVGcHkyR3V6VHVMbXc4c21ob1lSMDRWeW44ClgzRXhLY2RYN2hleDNLWHoyeXVm
+            T2xJMlNZMml2NGZDNmlQWGp6RXJRQ1EKLS0tIGNmK0lGdjRLM3l4S3JVazZ0MkFU
+            SzZOMFNvcGZRcjJsU242cnZ4NU9OZmcKxlRdhZlXP4KQBHFLFt195H5R33hLuQ0O
+            bVHtQk00IZmMPq4R4aOc0WMkuJxcFaLi0YDQigcFtReSvWDhTHns7A==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1mrnldl334l2nszuta6ywvewng0fswv2dz9l5g4qcwe3nj4yxf92qjskdx6
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBua0cvc21qeFp4d1NZZ0Vw
+            aWhldXVjUm1wSmJPdnpZV1JvTVowSWw4RVU0CngzUWkrcXA1TkpZN1M4QVBCS0pX
+            Z0w5aURoQU9Xck1RckNsRTlGeWk2N2cKLS0tIFlSdG05V2l6eStURDJVTXEzc0Zh
+            U2tFemF1djFGeVFQYWg5NjFhdW13Vm8K/QztsuBUcmJNBta3R7uYHGzqKOCRus3s
+            bFd2AOC0PNqvAe8e5q2XYf87MUt/U6AaFjroaDpoC3IUI2+qLJDXDA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1hmpdk4h69wxpwqk9tkud39f66hprhehxtzhgw97r6dvr7v0mx5jscsuhkn
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkcUVib2tsd3lNS0VmOGNS
+            WWR6NDE5RWw3bStqVjRtdWFSM1E2QUp2cEg0Cm0zdjE3eVpUS3M1L241akM3cyta
+            WGVFVGtQVnQ1d2U1QVRSYXE1YUYrTU0KLS0tIGRTK29EdzVka3hmaFIrSnVUQ1c5
+            c0YxcWZIRHRxZEVjVk9MckJMVisyS28KGH6+9IXIBeXrrZ3AoL3zU1v6EA5TNwN5
+            8DgPO9+yfVesZiEJ0MNhs6tXAA4ODInpU1CUdsjKWRA6/QXBbmEUQw==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1wrssr4z4g6vl3fd3qme5cewchmmhm0j2xe6wf2meu4r6ycn37anse98mfs
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLS0RnMDNOZzBIZzF4VG1R
+            T083bXFOdE1JSzl0SE1SUGlxdnFFQVluWVgwCnRLMThOSU45RTRFMVZybm9YV01n
+            K1pCMThGUFhMMzZhUEszRlZlK2FoQXcKLS0tIHdJRGw4aEU5UkgrU3ZEZXl4bDhi
+            dCtIVkdSWmg1dGNzNmhjZDBiWUJVWkEKSZySabmhM3HDXdduzFGAbOPR6m1CjwWb
+            ttMA9hTvl+T/UqYjxSHj8hmsyTfDY7a4sfHaFcMBJMJrjuEllm/L9g==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1zhxul786an743u0fascv4wtc5xduu7qfy803lfs539yzhgmlq5ds2lznt5
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEYmF6cm5xUHVKMWw3MHJD
+            cWsvZTNWUjRZNDQxbFdDWGh5dUpCc2lGTTNjCm1uV0FCVEgxOG5WbXJUdXlkYTZW
+            KzFzaDNma3RJWEtlUmFHNGxNVUFKN28KLS0tIFFCSi82Q3EvV01UeHg4bG96K1Jm
+            S2JrZlcwcGsrTzdFTDlHcktJd0hmUVUKt0W/8r+L1m25kHKbh5RcweKbl4JB5xqX
+            DYUhUW1Rh1EI63CgVzriz4HZjuNGiuqG9cFv72wIg9Hl2lBPpkC4LQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1sqs7urnzsdy64efmd0zukzv3gs5pnjksuxd7nqmdwdy5l0nqnunq6hyune
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQYUtHY1djWno1MG1zQTRB
+            ZHNjbitQbTUwVjFkZWtHU0gwUFFMTTIrQUVZCkUwd3UrbmpyMndXcVl6MEFsSktX
+            L1ZBM2ZPbGMycXd0MDRyWGI1SHh2NVkKLS0tIHFKcS82cUJYZ2V6dHJ6djJSajFy
+            RkIzYUI3dUZjenpxRnplOTZKZmhoS0kKDw9Zuf57k+MAINMReYcCN1DoTtFMgKGJ
+            CWwkNN59Ojgz757xS+2cmK6oxAkDRcN+KZc3sANdj0LY//rXq/UJgw==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2026-01-25T14:03:57Z"
+    mac: ENC[AES256_GCM,data:RBf3LjVNSclsPN7I4QPaDUjWbKlaccjk3rzsRNdRe3+OvJSd7MsS9RfpUFCqUtO7ZkkocXHmkHA8z8LNxs6vejT9czMsLLQD14qHZS6fFdTnToOx3Kt5UuviPO/2UryVI+6HWORkH1aqFJhzkSMop2TO5mzuOTfbCEBLYUUuS6s=,iv:NQs8O1hIbjzGBTZo+gCuisj3edraFGk/Y146HmfPmQY=,tag:4g9IXw2UFC5V9EIHuWJqdA==,type:str]
+    pgp:
+        - created_at: "2026-02-07T21:15:24Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA0av/duuklWYARAAsIJXQn91VrFoSuu0ppgC79T2juR6mA7H5Z2NSGypbild
+            BsNPlWy+q8rpctGkria2Jm37Wz8Qu+sUNQ8Y2w6Z8Bv+M5tks62wc7qBjJkcZKmw
+            IjumrbsEmKQsZKS2YzGFcTjuwpBTGnACAMjUTz1rqnRcaq4U8Wqfi+mmf81yRSnR
+            F0emN015EmGCAUQYD6YRFMAw0PGbP3HiQrXQxdmv8zObbCg9d3+ZozurqFO2RmB4
+            SeZIUEtxgVDuMsr87AmHgbCr8Ux9eZmHU0qv+ejgbnXE7/MaUbppa1gy3RdcwHqG
+            DaETVa6YLUQqP9GOuTVy4gVr3AHtaGwMYRz30gjgQuoGUlQOG1U38PRtqe/94iHF
+            1lo14e31BSfHTnv66vupvWdfDXZme/1rOBJw0lM8Q+wHHJrr3mKmiLus85bJsMD7
+            M4Cn+5n3lE4kSrup8Y5fOsYSwq1WM9GYUfkVR+x2eHNmNdXLVHS0No6kA2TpKeqg
+            zbTyL59i+VBPfANCPehVYxFv7JM9pTFYQXDzMEAJcFerWBmB70HUoYXPZxeDEpiC
+            6seUT9lXM733QGbxwZLXRhXX4sDhJ7rMQJOvrxSvVDhiJx+Arqhz5srM8FlQHdjG
+            kfC507phCarRqXoef55G4trYjrr3zf+sWHRnPuh1IdFch3U+2CMrBUZIRU+C1nXS
+            XgHnubHvfLECTWfeEZUQvZaTtio1K3NSWqv/KBivBBRMfNI20A5erQXnocCYXB7o
+            RYisThHMQomNI7bT8vbf5/N/xlqEra5par0SDX16jl4FuU6dgKRuQ3SrpzFjQTA=
+            =ySHN
+            -----END PGP MESSAGE-----
+          fp: F7D37890228A907440E1FD4846B9228E814A2AAC
+    unencrypted_suffix: _unencrypted
+    version: 3.11.0

topology/default.nix

@@ -228,7 +228,7 @@ in {
         (mkConnection "demiurgen" "eno1")
         (mkConnection "sanctuary" "ethernet_0")
         (mkConnection "torskas" "eth0")
-        (mkConnection "skrot" "enp2s0")
+        (mkConnection "skrott" "eth0")
         (mkConnection "homeassistant" "eth0")
         (mkConnection "orchid" "eth0")
         (mkConnection "principal" "em0")
@@ -270,4 +270,10 @@ in {
 
     interfaces.ens18.network = "pvv";
   };
+  nodes.bakke = {
+    guestType = "openstack";
+    parent = config.nodes.stackit.id;
+
+    interfaces.enp2s0.network = "pvv";
+  };
 }

users/alfhj.nix

@@ -0,0 +1,12 @@
+{ config, pkgs, ... }:
+
+{
+  users.users.alfhj = {
+    isNormalUser = true;
+    extraGroups = [ "wheel" ];
+    shell = if config.programs.zsh.enable then pkgs.zsh else pkgs.bash;
+    openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMCAYE0U3sFizm/NSbKCs0jEhZ1mpAWPcijFevejiFL1 alfhj"
+    ];
+  };
+}

users/amalieem.nix

@@ -0,0 +1,12 @@
+{ config, pkgs, ... }:
+
+{
+  users.users.amalieem = {
+    isNormalUser = true;
+    extraGroups = [ "wheel" ];
+    shell = if config.programs.zsh.enable then pkgs.zsh else pkgs.bash;
+    openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPsMtFIj4Dem/onwMoWYbosOcU4y7A5nTjVwqWaU33E1 amalieem@matey-aug22"
+    ];
+  };
+}

values.nix

@@ -32,15 +32,19 @@ in rec {
     gateway = pvv-ipv4 129;
     gateway6 = pvv-ipv6 1;
 
+    bakke = {
+      ipv4 = pvv-ipv4 173;
+      ipv6 = pvv-ipv6 173;
+    };
     bekkalokk = {
       ipv4 = pvv-ipv4 168;
       ipv6 = pvv-ipv6 168;
     };
     ildkule = {
-      ipv4 = "129.241.100.145";
+      ipv4 = "129.241.153.213";
-      ipv4_internal = "192.168.1.17";
+      ipv4_internal = "192.168.12.209";
-      ipv4_internal_gw = "192.168.1.1";
+      ipv4_internal_gw = "192.168.12.1";
-      ipv6 = "2001:700:305:8a0f:f816:3eff:fef5:e400";
+      ipv6 = "2001:700:300:6026:f816:3eff:fe58:f1e8";
     };
     bicep = {
       ipv4 = pvv-ipv4 209;
@@ -77,6 +81,10 @@ in rec {
       ipv4 = pvv-ipv4 234;
       ipv6 = pvv-ipv6 234;
     };
+    skrott = {
+      ipv4 = pvv-ipv4 235;
+      ipv6 = pvv-ipv6 235;
+    };
     skrot = {
       ipv4 = pvv-ipv4 237;
       ipv6 = pvv-ipv6 237;
@@ -86,10 +94,10 @@ in rec {
       ipv6 = pvv-ipv6 167;
     };
     gluttony = {
-      ipv4 = "129.241.100.37";
+      ipv4 = "129.241.100.118";
-      ipv4_internal = "192.168.1.219";
+      ipv4_internal = "192.168.20.77";
-      ipv4_internal_gw = "192.168.1.1";
+      ipv4_internal_gw = "192.168.20.1";
-      ipv6 = "2001:700:305:8a0f:f816:3eff:fe9b:7a46";
+      ipv6 = "2001:700:305:aa07::3b3";
     };
     wenche = {
       ipv4 = pvv-ipv4 240;
@@ -118,9 +126,9 @@ in rec {
   };
 
   defaultNetworkConfig = {
-    dns = ["129.241.0.200" "129.241.0.201" "2001:700:300:1900::200" "2001:700:300:1900::201"];
+    dns = [ "129.241.0.200" "129.241.0.201" "2001:700:300:1900::200" "2001:700:300:1900::201" ];
-    domains = ["pvv.ntnu.no" "pvv.org"];
+    domains = [ "pvv.ntnu.no" "pvv.org" ];
-    gateway = [hosts.gateway hosts.gateway6];
+    gateway = [ hosts.gateway hosts.gateway6 ];
 
     networkConfig.IPv6AcceptRA = "no";
     DHCP = "no";