gluttony: set nginx group for serving bluemap files

gluttony: bluemap don't create a new directory
bekkalokk: add back config added through bluemap module
2026-05-24 23:31:12 +02:00 · 2026-05-24 10:03:53 +02:00 · 2026-05-24 09:51:34 +02:00 · 2026-05-24 09:21:17 +02:00 · 2026-05-24 09:04:17 +02:00 · 2026-05-24 09:01:43 +02:00
27 changed files with 533 additions and 358 deletions
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -19,8 +19,8 @@ keys:
  - &host_lupine-3 age1wmrrhd5deatmgflkas636u3rzuk46u9knl02v4t39ncs37xqquhq9vwzye
  - &host_lupine-4 age1ml48zztcmnrdrhrdsjrlyxf09jtmjgz46u8td4zm59wn3fm4g57qs4wg0l
  - &host_lupine-5 age12gws5nws69vxryd3kt7q0ayngch90efmhqcrfhnnsmj00lkgxd4qsdkvqn
-  - &host_ustetind age1hffjafs4slznksefmtqrlj7rdaqgzqncn4un938rhr053237ry8s3rs0v8
  - &host_skrot age1hzkvnktkr8t5gvtq0ccw69e44z5z6wf00n3xhk3hj24emf07je5s6q2evr
+  - &host_gluttony age12czfkvuw9pjk5qny5c6m2hjhd634cj9r4dsa3ss5zkux5h4vvc7s7k4urq

 creation_rules:
  # Global secrets
@@ -91,19 +91,6 @@ creation_rules:
      pgp:
      - *user_oysteikt

-  - path_regex: secrets/ustetind/[^/]+\.yaml$
-    key_groups:
-    - age:
-      - *host_ustetind
-      - *user_danio
-      - *user_felixalb
-      - *user_pederbs_sopp
-      - *user_pederbs_nord
-      - *user_pederbs_bjarte
-      - *user_vegardbm
-      pgp:
-      - *user_oysteikt
-
  - path_regex: secrets/lupine/[^/]+\.yaml$
    key_groups:
    - age:
@@ -133,3 +120,16 @@ creation_rules:
      - *user_vegardbm
      pgp:
      - *user_oysteikt
+
+  - path_regex: secrets/gluttony/[^/]+\.yaml$
+    key_groups:
+    - age:
+      - *host_gluttony
+      - *user_danio
+      - *user_felixalb
+      - *user_pederbs_sopp
+      - *user_pederbs_nord
+      - *user_pederbs_bjarte
+      - *user_vegardbm
+      pgp:
+      - *user_oysteikt
--- a/base/default.nix
+++ b/base/default.nix
@@ -23,6 +23,7 @@
    ./services/acme.nix
    ./services/auto-upgrade.nix
    ./services/dbus.nix
+    ./services/fluentbit.nix
    ./services/fwupd.nix
    ./services/irqbalance.nix
    ./services/journald-upload.nix
@@ -33,7 +34,6 @@
    ./services/postfix.nix
    ./services/prometheus-node-exporter.nix
    ./services/prometheus-systemd-exporter.nix
-    ./services/promtail.nix
    ./services/roowho2.nix
    ./services/smartd.nix
    ./services/thermald.nix
--- a/base/hardening.nix
+++ b/base/hardening.nix
@@ -7,7 +7,13 @@
    "ax25"
    "batman-adv"
    "can"
+    "dccp"
+    "ipx"
+    "llc"
+    "n-hdlc"
    "netrom"
+    "p8022"
+    "p8023"
    "psnap"
    "rds"
    "rose"
@@ -23,7 +29,6 @@
    "cramfs"
    "efs"
    "exofs"
-    "orangefs"
    "freevxfs"
    "gfs2"
    "hfs"
@@ -35,10 +40,12 @@
    "nilfs2"
    "ntfs"
    "omfs"
+    "orangefs"
    "qnx4"
    "qnx6"
    "sysv"
    "ubifs"
+    "udf"
    "ufs"

    # Legacy hardware
--- a/base/mitigations.nix
+++ b/base/mitigations.nix
@@ -1,17 +1,24 @@
-{ ... }:
+{ pkgs, lib, ... }:
+let
+  modulesToBan = [
+    # copy.fail
+    "af_alg"
+    "algif_aead"
+    "algif_hash"
+    "algif_rng"
+    "algif_skcipher"

+    # dirtyfrag / Fragnesia
+    "esp4"
+    "esp6"
+    "rxrpc"
+
+    # PinTheft
+    "rds"
+  ];
+in
 {
-  boot.blacklistedKernelModules = [
-  "rxrpc" # dirtyfrag
-  "esp6" # dirtyfrag
-  "esp4" # dirtyfrag
-];
-boot.extraModprobeConfig = ''
-  # dirtyfrag
-  install esp4 /bin/false
-  # dirtyfrag
-  install esp6 /bin/false
-  # dirtyfrag
-  install rxrpc /bin/false
-'';
+  boot.blacklistedKernelModules = modulesToBan;
+
+  boot.extraModprobeConfig = lib.concatMapStringsSep "\n" (mod: "install ${mod} ${lib.getExe' pkgs.coreutils "false"}") modulesToBan;
 }
--- a/base/services/fluentbit.nix
+++ b/base/services/fluentbit.nix
@@ -0,0 +1,135 @@
+{ config, lib, ... }:
+let
+  cfg = config.services.fluent-bit;
+in
+{
+  services.fluent-bit = {
+    enable = lib.mkDefault true;
+    settings = {
+      service = {
+        flush = 1;
+        log_level = "warn";
+
+        http_server = "on";
+        http_listen = "127.0.0.1";
+        http_port = 28183;
+
+        # filesystem-backed buffering so logs survives potential outages.
+        "storage.path" = "/var/lib/fluent-bit/storage";
+        "storage.sync" = "normal";
+        "storage.max_chunks_up" = 64;
+        "storage.backlog.mem_limit" = "16M";
+      };
+
+      pipeline = {
+        inputs = [{
+          name = "systemd";
+          tag = "journal.*";
+
+          db = "/var/lib/fluent-bit/journal.db";
+          read_from_tail = true;
+          strip_underscores = true;
+          lowercase = true;
+          max_entries = 1000;
+          "storage.type" = "filesystem";
+        }];
+
+        filters = [{
+          name = "modify";
+          match = "journal.*";
+          rename = [
+            "hostname host"
+            "priority level"
+            "systemd_unit unit"
+          ];
+        }] ++ (lib.mapAttrsToList (k: v: {
+          name = "modify";
+          match = "journal.*";
+          condition = "Key_value_equals level ${k}";
+          set = "level ${v}";
+        }) {
+          "7" = "debug";
+          "6" = "info";
+          "5" = "notice";
+          "4" = "warning";
+          "3" = "error";
+          "2" = "crit";
+          "1" = "alert";
+          "0" = "emergency";
+        });
+
+        outputs = [{
+          name = "loki";
+          match = "*";
+
+          host = "ildkule.pvv.ntnu.no";
+          port = 3100;
+          uri = "/loki/api/v1/push";
+          compress = "gzip";
+
+          labels = lib.concatStringsSep ", " [
+            "job=systemd-journal"
+          ];
+          label_keys = lib.concatMapStringsSep "," (k: "$" + k) [
+            "host"
+            "unit"
+            "level"
+          ];
+
+          # JSON is probably fine for now, then we just extract the keys we want with the grafana web ui
+          # line_format = "key_value";
+          # drop_single_key = true;
+
+          "storage.total_limit_size" = "256M";
+        }];
+      };
+    };
+  };
+
+  systemd.services.fluent-bit = lib.mkIf cfg.enable {
+    serviceConfig = {
+      StateDirectory = "fluent-bit";
+
+      # NOTE: This hardening might be way too strong for general purpose use, don't upstream this.
+      AmbientCapabilities = [ "" ];
+      CapabilityBoundingSet = [ "" ];
+      DeviceAllow = [ "" ];
+      LockPersonality = true;
+      # Lua JIT, maybe other things
+      MemoryDenyWriteExecute = false;
+      NoNewPrivileges = true;
+      PrivateDevices = true;
+      PrivateMounts = true;
+      PrivateTmp = true;
+      PrivateUsers = true;
+      ProtectClock = true;
+      ProtectControlGroups = true;
+      ProtectHome = true;
+      ProtectHostname = true;
+      ProtectKernelLogs = true;
+      ProtectKernelModules = true;
+      ProtectKernelTunables = true;
+      ProtectProc = "invisible";
+      ProtectSystem = "strict";
+      RestrictAddressFamilies = [
+        "AF_INET"
+        "AF_INET6"
+        "AF_UNIX"
+      ];
+      RestrictNamespaces = true;
+      RestrictRealtime = true;
+      RestrictSUIDSGID = true;
+      SystemCallArchitectures = "native";
+      SystemCallFilter = [
+        "@system-service"
+        "~@privileged"
+        "~@resources"
+      ];
+      UMask = "0077";
+
+      BindReadOnlyPaths = [
+        "/run/systemd/journal"
+      ];
+    };
+  };
+}
--- a/base/services/promtail.nix
+++ b/base/services/promtail.nix
@@ -1,38 +0,0 @@
-{ config, lib, values, ... }:
-let
-  cfg = config.services.prometheus.exporters.node;
-in
-{
-  services.promtail = {
-    enable = lib.mkDefault true;
-    configuration = {
-      server = {
-        http_listen_port = 28183;
-        grpc_listen_port = 0;
-      };
-      clients = [{
-        url = "http://ildkule.pvv.ntnu.no:3100/loki/api/v1/push";
-      }];
-      scrape_configs = [{
-        job_name = "systemd-journal";
-        journal = {
-          max_age = "12h";
-          labels = {
-            job = "systemd-journal";
-            host = config.networking.hostName;
-          };
-        };
-        relabel_configs = [
-          {
-            source_labels = [ "__journal__systemd_unit" ];
-            target_label = "unit";
-          }
-          {
-            source_labels = [ "__journal_priority_keyword" ];
-            target_label = "level";
-          }
-        ];
-      }];
-    };
-  };
-}
--- a/flake.nix
+++ b/flake.nix
@@ -205,7 +205,6 @@
            inputs.disko.nixosModules.disko
          ];
        };
-        #ildkule-unstable = unstableNixosConfig "ildkule" { };
        skrot = stableNixosConfig "skrot" {
          modules = [
            inputs.disko.nixosModules.disko
@@ -216,7 +215,12 @@
        shark = stableNixosConfig "shark" {};
        wenche = stableNixosConfig "wenche" {};
        temmie = stableNixosConfig "temmie" {};
-        gluttony = stableNixosConfig "gluttony" {};
+        gluttony = stableNixosConfig "gluttony" {
+          overlays = [
+            (final: prev: { bluemap = final.callPackage ./packages/bluemap.nix {}; })
+          ];
+          modules = [ self.nixosModules.bluemap ];
+        };

        kommode = stableNixosConfig "kommode" {
          overlays = [
@@ -228,12 +232,6 @@
          ];
        };

-        ustetind = stableNixosConfig "ustetind" {
-          modules = [
-            "${nixpkgs}/nixos/modules/virtualisation/lxc-container.nix"
-          ];
-        };
-
        brzeczyszczykiewicz = stableNixosConfig "brzeczyszczykiewicz" {
          modules = [
            inputs.grzegorz-clients.nixosModules.grzegorz-webui
--- a/hosts/bekkalokk/services/bluemap.nix
+++ b/hosts/bekkalokk/services/bluemap.nix
@@ -1,105 +1,10 @@
-{ config, lib, pkgs, inputs, ... }:
+{ values, ... }:
 let
-  vanillaSurvival = "/var/lib/bluemap/vanilla_survival_world";
-  format = pkgs.formats.hocon { };
+  webExport = "/var/lib/bluemap/web";
 in {
-  # NOTE: our versino of the module gets added in flake.nix
+  # NOTE: our version of the module gets added in flake.nix
  disabledModules = [ "services/web-apps/bluemap.nix" ];

-  sops.secrets."bluemap/ssh-key" = { };
-  sops.secrets."bluemap/ssh-known-hosts" = { };
-
-  services.bluemap = {
-    enable = true;
-
-    eula = true;
-    onCalendar = "*-*-* 05:45:00"; # a little over an hour after auto-upgrade
-
-    host = "minecraft.pvv.ntnu.no";
-
-    maps = let
-      inherit (inputs.minecraft-kartverket.packages.${pkgs.stdenv.hostPlatform.system}) bluemap-export;
-    in {
-      "verden" = {
-        extraHoconMarkersFile = "${bluemap-export}/overworld.hocon";
-        settings = {
-          world = vanillaSurvival;
-          dimension = "minecraft:overworld";
-          name = "Verden";
-          sorting = 0;
-          start-pos = {
-            x = 0;
-            z = 0;
-          };
-          ambient-light = 0.1;
-          cave-detection-ocean-floor = -5;
-        };
-      };
-      "underverden" = {
-        extraHoconMarkersFile = "${bluemap-export}/nether.hocon";
-        settings = {
-          world = vanillaSurvival;
-          dimension = "minecraft:the_nether";
-          name = "Underverden";
-          sorting = 100;
-          start-pos = {
-            x = 0;
-            z = 0;
-          };
-          sky-color = "#290000";
-          void-color = "#150000";
-          sky-light = 1;
-          ambient-light = 0.6;
-          remove-caves-below-y = -10000;
-          cave-detection-ocean-floor = -5;
-          cave-detection-uses-block-light = true;
-          render-mask = [{
-            max-y = 90;
-          }];
-        };
-      };
-      "enden" = {
-        extraHoconMarkersFile = "${bluemap-export}/the-end.hocon";
-        settings = {
-          world = vanillaSurvival;
-          dimension = "minecraft:the_end";
-          name = "Enden";
-          sorting = 200;
-          start-pos = {
-            x = 0;
-            z = 0;
-          };
-          sky-color = "#080010";
-          void-color = "#080010";
-          sky-light = 1;
-          ambient-light = 0.6;
-          remove-caves-below-y = -10000;
-          cave-detection-ocean-floor = -5;
-        };
-      };
-    };
-  };
-
-  systemd.services."render-bluemap-maps" = {
-    serviceConfig = {
-      StateDirectory = [ "bluemap/world" ];
-      ExecStartPre = let
-        rsyncArgs = lib.cli.toCommandLineShellGNU { } {
-          archive = true;
-          compress = true;
-          verbose = true;
-          no-owner = true;
-          no-group = true;
-          rsh = "${pkgs.openssh}/bin/ssh -o UserKnownHostsFile=%d/ssh-known-hosts -i %d/sshkey";
-        };
-      in "${lib.getExe pkgs.rsync} ${rsyncArgs} root@innovation.pvv.ntnu.no:/ ${vanillaSurvival}";
-      LoadCredential = [
-        "sshkey:${config.sops.secrets."bluemap/ssh-key".path}"
-        "ssh-known-hosts:${config.sops.secrets."bluemap/ssh-known-hosts".path}"
-      ];
-    };
-  };
-
  services.nginx.virtualHosts."minecraft.pvv.ntnu.no" = {
    enableACME = true;
    forceSSL = true;
@@ -115,6 +20,30 @@ in {
      quic_retry on;
      add_header Alt-Svc 'h3=":$server_port"; ma=86400';
    '';
+    root = webExport;
+    locations = {
+      "~* ^/maps/[^/]*/tiles/".extraConfig = ''
+        error_page 404 = @empty;
+      '';
+      "@empty".return = "204";
+    };
+  };
+
+  services.rsync-pull-targets = {
+    enable = true;
+    locations.${webExport} = {
+      user = "root";
+      rrsyncArgs.wo = true;
+      authorizedKeysAttrs = [
+        "restrict"
+        "from=\"gluttony.pvv.ntnu.no,${values.hosts.gluttony.ipv6},${values.hosts.gluttony.ipv4}\""
+        "no-agent-forwarding"
+        "no-port-forwarding"
+        "no-pty"
+        "no-X11-forwarding"
+      ];
+      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH5jrqMovXlWaFWZAV/aKyQReHvUQp5kb+7Ja4gnevSr root@gluttony bluemap";
+    };
  };

  networking.firewall.allowedUDPPorts = [ 443 ];
--- a/hosts/bekkalokk/services/mediawiki/default.nix
+++ b/hosts/bekkalokk/services/mediawiki/default.nix
@@ -210,6 +210,8 @@ in {

      # EXT:WikiEditor
      $wgWikiEditorRealtimePreview = true;
+
+      $wgSecretKey = file_get_contents("${config.sops.secrets."mediawiki/secret-key".path}");
    '';
  };

@@ -273,8 +275,6 @@ in {
  systemd.services.mediawiki-init = lib.mkIf cfg.enable {
    after = [ "sops-install-secrets.service" ];
    serviceConfig = {
-      BindReadOnlyPaths = [ "/run/credentials/mediawiki-init.service/secret-key:/var/lib/mediawiki/secret.key" ];
-      LoadCredential = [ "secret-key:${config.sops.secrets."mediawiki/secret-key".path}" ];
      UMask = lib.mkForce "0007";
    };
  };
@@ -282,8 +282,6 @@ in {
  systemd.services.phpfpm-mediawiki = lib.mkIf cfg.enable {
    after = [ "sops-install-secrets.service" ];
    serviceConfig = {
-      BindReadOnlyPaths = [ "/run/credentials/phpfpm-mediawiki.service/secret-key:/var/lib/mediawiki/secret.key" ];
-      LoadCredential = [ "secret-key:${config.sops.secrets."mediawiki/secret-key".path}" ];
      UMask = lib.mkForce "0007";
    };
  };
--- a/hosts/bekkalokk/services/vaultwarden.nix
+++ b/hosts/bekkalokk/services/vaultwarden.nix
@@ -6,40 +6,58 @@ let
  port = 3011;
  wsPort = 3012;
 in {
-  sops.secrets."vaultwarden/environ" = {
+  sops.secrets."vaultwarden/rsa_key.pem" = {
    owner = "vaultwarden";
    group = "vaultwarden";
+    mode = "440";
+    restartUnits = [ "vaultwarden.service" ];
+  };
+  sops.secrets."vaultwarden/rsa_key.pub.pem" = {
+    owner = "vaultwarden";
+    group = "vaultwarden";
+    mode = "440";
+    restartUnits = [ "vaultwarden.service" ];
+  };
+  sops.secrets."vaultwarden/env/DATABASE_PASSWORD" = { };
+  sops.secrets."vaultwarden/env/SMTP_PASSWORD" = { };
+  sops.templates."vaultwarden/environment_file" = {
+    owner = "vaultwarden";
+    group = "vaultwarden";
+    mode = "440";
+    restartUnits = [ "vaultwarden.service" ];
+    content = ''
+        DATABASE_URL=postgresql://vaultwarden:${config.sops.placeholder."vaultwarden/env/DATABASE_PASSWORD"}@postgres.pvv.ntnu.no/vaultwarden
+        SMTP_PASSWORD=${config.sops.placeholder."vaultwarden/env/SMTP_PASSWORD"}
+    '';
  };

  services.vaultwarden = {
    enable = true;
    dbBackend = "postgresql";
-    environmentFile = config.sops.secrets."vaultwarden/environ".path;
+    environmentFile = config.sops.templates."vaultwarden/environment_file".path;
    config = {
-      domain = "https://${domain}";
+      DOMAIN = "https://${domain}";

-      rocketAddress = address;
-      rocketPort = port;
+      ROCKET_ADDRESS = address;
+      ROCKET_PORT = port;

-      websocketEnabled = true;
-      websocketAddress = address;
-      websocketPort = wsPort;
+      WEBSOCKET_ENABLED = true;
+      WEBSOCKET_ADDRESS = address;
+      WEBSOCKET_PORT = wsPort;

-      signupsAllowed = true;
-      signupsVerify = true;
-      signupsDomainsWhitelist = "pvv.ntnu.no";
+      SIGNUPS_ALLOWED = true;
+      SIGNUPS_VERIFY = true;
+      SIGNUPS_DOMAINS_WHITELIST = "pvv.ntnu.no";

-      smtpFrom = "vaultwarden@pvv.ntnu.no";
-      smtpFromName = "VaultWarden PVV";
+      SMTP_FROM = "vaultwarden@pvv.ntnu.no";
+      SMTP_FROM_NAME = "VaultWarden PVV";

-      smtpHost = "smtp.pvv.ntnu.no";
-      smtpUsername = "vaultwarden";
-      smtpSecurity = "force_tls";
-      smtpAuthMechanism = "Login";
+      SMTP_HOST = "smtp.pvv.ntnu.no";
+      SMTP_USERNAME = "vaultwarden";
+      SMTP_SECURITY = "force_tls";
+      SMTP_AUTH_MECHANISM = "Login";

-      # Configured in environ:
-      # databaseUrl = "postgresql://vaultwarden@/vaultwarden";
-      # smtpPassword = hemli
+      RSA_KEY_FILENAME = lib.removeSuffix ".pem" config.sops.secrets."vaultwarden/rsa_key.pem".path;
    };
  };

@@ -66,40 +84,6 @@ in {
    };
  };

-  systemd.services.vaultwarden = lib.mkIf cfg.enable {
-    serviceConfig = {
-      AmbientCapabilities = [ "" ];
-      CapabilityBoundingSet = [ "" ];
-      DeviceAllow = [ "" ];
-      LockPersonality = true;
-      NoNewPrivileges = true;
-      # MemoryDenyWriteExecute = true;
-      PrivateMounts = true;
-      PrivateUsers = true;
-      ProcSubset = "pid";
-      ProtectClock = true;
-      ProtectControlGroups = true;
-      ProtectHostname = true;
-      ProtectKernelLogs = true;
-      ProtectKernelModules = true;
-      ProtectKernelTunables = true;
-      RestrictAddressFamilies = [
-        "AF_INET"
-        "AF_INET6"
-        "AF_UNIX"
-      ];
-      RemoveIPC = true;
-      RestrictNamespaces = true;
-      RestrictRealtime = true;
-      RestrictSUIDSGID = true;
-      SystemCallArchitectures = "native";
-      SystemCallFilter = [
-        "@system-service"
-        "~@privileged"
-      ];
-    };
-  };
-
  services.rsync-pull-targets = {
    enable = true;
    locations."/var/lib/vaultwarden" = {
--- a/hosts/bekkalokk/services/webmail/roundcube.nix
+++ b/hosts/bekkalokk/services/webmail/roundcube.nix
@@ -9,6 +9,12 @@ in
  sops.secrets."roundcube/postgres_password" = {
    owner = "nginx";
    group = "nginx";
+    restartUnits = [ "phpfpm-roundcube.service" ];
+  };
+  sops.secrets."roundcube/des_key" = {
+    owner = "nginx";
+    group = "nginx";
+    restartUnits = [ "phpfpm-roundcube.service" ];
  };

  services.roundcube = {
@@ -39,6 +45,7 @@ in
      $config['mail_domain'] = "pvv.ntnu.no";
      $config['smtp_user'] = "%u";
      $config['support_url'] = "";
+      $config['des_key'] = "${config.sops.secrets."roundcube/des_key".path}";
    '';
  };

--- a/hosts/bicep/services/matrix/livekit.nix
+++ b/hosts/bicep/services/matrix/livekit.nix
@@ -64,4 +64,11 @@ in
      '';
    };
  };
+
+  networking.firewall.allowedUDPPortRanges = [
+    {
+      from = cfg.settings.rtc.port_range_start;
+      to = cfg.settings.rtc.port_range_end;
+    }
+  ];
 }
--- a/hosts/bicep/services/postgresql/cleanup-timers.nix
+++ b/hosts/bicep/services/postgresql/cleanup-timers.nix
@@ -0,0 +1,37 @@
+{ config, lib, pkgs, ... }:
+let
+  cfg = config.services.postgresql;
+in
+{
+  config = lib.mkIf cfg.enable {
+    systemd.services = {
+      postgresql-repack = {
+        requires = [ "postgresql.service" ];
+        after = [ "postgresql.target" ];
+        description = "Repack all PostgreSQL databases";
+        startAt = "Mon 06:00:00";
+        serviceConfig = {
+          Type = "oneshot";
+          User = "postgres";
+          Group = "postgres";
+
+          ExecStart = "${lib.getExe cfg.package.pkgs.pg_repack} --host=/run/postgresql --no-kill-backend --wait-timeout=30 --all";
+        };
+      };
+
+      postgresql-vacuum-analyze = {
+        requires = [ "postgresql.service" ];
+        after = [ "postgresql.target" ];
+        description = "Vacuum and analyze all PostgreSQL databases";
+        startAt = "Tue 06:00:00";
+        serviceConfig = {
+          Type = "oneshot";
+          User = "postgres";
+          Group = "postgres";
+
+          ExecStart = "${lib.getExe' cfg.package "psql"} --port=${builtins.toString cfg.settings.port} -tAc 'VACUUM ANALYZE'";
+        };
+      };
+    };
+  };
+}
--- a/hosts/bicep/services/postgresql/default.nix
+++ b/hosts/bicep/services/postgresql/default.nix
@@ -3,11 +3,15 @@ let
  cfg = config.services.postgresql;
 in
 {
-  imports = [ ./backup.nix ];
+  imports = [
+    ./backup.nix
+    ./cleanup-timers.nix
+  ];

  services.postgresql = {
    enable = true;
    package = pkgs.postgresql_18;
+    extensions = ps: with ps; [ pg_repack ];
    enableTCPIP = true;

    authentication = ''
--- a/hosts/gluttony/configuration.nix
+++ b/hosts/gluttony/configuration.nix
@@ -7,6 +7,7 @@
 {
  imports = [
    ./hardware-configuration.nix
+    ./services/bluemap.nix
    (fp /base)
  ];

--- a/hosts/gluttony/services/bluemap.nix
+++ b/hosts/gluttony/services/bluemap.nix
@@ -0,0 +1,113 @@
+{ config, lib, pkgs, inputs, ... }:
+let
+  vanillaSurvival = "/var/lib/bluemap/vanilla_survival_world";
+in {
+  # NOTE: our version of the module gets added in flake.nix
+  disabledModules = [ "services/web-apps/bluemap.nix" ];
+
+  sops.secrets."bluemap/ssh-key" = { };
+  sops.secrets."bluemap/ssh-known-hosts" = { };
+
+  services.bluemap = {
+    enable = true;
+
+    eula = true;
+    onCalendar = "*-*-* 05:45:00"; # a little over an hour after auto-upgrade
+
+    enableNginx = false;
+
+    host = "minecraft.pvv.ntnu.no";
+
+    maps = let
+      inherit (inputs.minecraft-kartverket.packages.${pkgs.stdenv.hostPlatform.system}) bluemap-export;
+    in {
+      "verden" = {
+        extraHoconMarkersFile = "${bluemap-export}/overworld.hocon";
+        settings = {
+          world = vanillaSurvival;
+          dimension = "minecraft:overworld";
+          name = "Verden";
+          sorting = 0;
+          start-pos = {
+            x = 0;
+            z = 0;
+          };
+          ambient-light = 0.1;
+          cave-detection-ocean-floor = -5;
+        };
+      };
+      "underverden" = {
+        extraHoconMarkersFile = "${bluemap-export}/nether.hocon";
+        settings = {
+          world = vanillaSurvival;
+          dimension = "minecraft:the_nether";
+          name = "Underverden";
+          sorting = 100;
+          start-pos = {
+            x = 0;
+            z = 0;
+          };
+          sky-color = "#290000";
+          void-color = "#150000";
+          sky-light = 1;
+          ambient-light = 0.6;
+          remove-caves-below-y = -10000;
+          cave-detection-ocean-floor = -5;
+          cave-detection-uses-block-light = true;
+          render-mask = [{
+            max-y = 90;
+          }];
+        };
+      };
+      "enden" = {
+        extraHoconMarkersFile = "${bluemap-export}/the-end.hocon";
+        settings = {
+          world = vanillaSurvival;
+          dimension = "minecraft:the_end";
+          name = "Enden";
+          sorting = 200;
+          start-pos = {
+            x = 0;
+            z = 0;
+          };
+          sky-color = "#080010";
+          void-color = "#080010";
+          sky-light = 1;
+          ambient-light = 0.6;
+          remove-caves-below-y = -10000;
+          cave-detection-ocean-floor = -5;
+        };
+      };
+    };
+  };
+
+  systemd.services."render-bluemap-maps" = {
+    serviceConfig = {
+      StateDirectory = [ "bluemap/world" ];
+      ExecStartPre = let
+        rsyncArgs = lib.cli.toCommandLineShellGNU { } {
+          archive = true;
+          compress = true;
+          verbose = true;
+          no-owner = true;
+          no-group = true;
+          rsh = "${pkgs.openssh}/bin/ssh -o UserKnownHostsFile=%d/ssh-known-hosts -i %d/sshkey";
+        };
+      in "${lib.getExe pkgs.rsync} ${rsyncArgs} root@innovation.pvv.ntnu.no:/ ${vanillaSurvival}";
+      ExecStartPost = let
+        rsyncArgs = lib.cli.toCommandLineShellGNU { } {
+          archive = true;
+          compress = true;
+          verbose = true;
+          no-owner = true;
+          no-group = true;
+          rsh = "${pkgs.openssh}/bin/ssh -o UserKnownHostsFile=%d/ssh-known-hosts -i %d/sshkey";
+        };
+      in "${lib.getExe pkgs.rsync} ${rsyncArgs} --groupmap=root:nginx ${config.services.bluemap.webRoot}/ root@bekkalokk.pvv.ntnu.no:/";
+      LoadCredential = [
+        "sshkey:${config.sops.secrets."bluemap/ssh-key".path}"
+        "ssh-known-hosts:${config.sops.secrets."bluemap/ssh-known-hosts".path}"
+      ];
+    };
+  };
+}
--- a/hosts/ildkule/services/monitoring/prometheus/default.nix
+++ b/hosts/ildkule/services/monitoring/prometheus/default.nix
@@ -21,6 +21,7 @@ in {

  fileSystems."/var/lib/prometheus2" = {
    device = stateDir;
+    fsType = "bind";
    options = [ "bind" ];
  };
 }
--- a/hosts/ildkule/services/monitoring/prometheus/machines.nix
+++ b/hosts/ildkule/services/monitoring/prometheus/machines.nix
@@ -27,7 +27,6 @@ in {
      (mkHostScrapeConfig "lupine-4" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
      (mkHostScrapeConfig "lupine-5" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
      (mkHostScrapeConfig "temmie" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
-      (mkHostScrapeConfig "ustetind" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
      (mkHostScrapeConfig "wenche" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])

      (mkHostScrapeConfig "hildring" [ defaultNodeExporterPort ])
--- a/hosts/ildkule/services/monitoring/uptime-kuma.nix
+++ b/hosts/ildkule/services/monitoring/uptime-kuma.nix
@@ -19,8 +19,9 @@ in {
    locations."/".proxyPass = "http://${cfg.settings.HOST}:${cfg.settings.PORT}";
  };

-  fileSystems."/var/lib/uptime-kuma" = {
+  fileSystems."/var/lib/private/uptime-kuma" = {
    device = stateDir;
+    fsType = "bind";
    options = [ "bind" ];
  };
 }
--- a/hosts/kommode/services/gitea/default.nix
+++ b/hosts/kommode/services/gitea/default.nix
@@ -226,16 +226,11 @@ in {
        # Logs are stored in the systemd journal
        skip-log = true;
      };
-    in lib.mkForce "${lib.getExe cfg.package} ${args}";
+    in lib.mkForce "${lib.getExe cfg.package} dump ${args}";

-    # Only keep n backup files at a time
-    postStop = let
-      cu = prog: "'${lib.getExe' pkgs.coreutils prog}'";
-      backupCount = 3;
-    in ''
-      for file in $(${cu "ls"} -t1 '${cfg.dump.backupDir}' | ${cu "sort"} --reverse | ${cu "tail"} -n+${toString (backupCount + 1)}); do
-        ${cu "rm"} "$file"
-      done
-      '';
+    # Only keep a single backup file at a time.
+    postStop = ''
+      ${lib.getExe' pkgs.coreutils "mv"} '${cfg.dump.backupDir}'/gitea-dump-*.tar.gz gitea-dump.tar.gz
+    '';
  };
 }
--- a/hosts/ustetind/configuration.nix
+++ b/hosts/ustetind/configuration.nix
@@ -1,40 +0,0 @@
-{ config, fp, pkgs, lib, values, ... }:
-
-{
-  imports = [
-    (fp /base)
-
-    ./services/gitea-runners.nix
-  ];
-
-  boot.loader.systemd-boot.enable = false;
-
-  networking.useHostResolvConf = lib.mkForce false;
-
-  systemd.network.networks = {
-    "30-lxc-eth" = values.defaultNetworkConfig // {
-      matchConfig = {
-        Type = "ether";
-        Kind = "veth";
-        Name = [
-          "eth*"
-        ];
-      };
-      address = with values.hosts.ustetind; [ (ipv4 + "/25") (ipv6 + "/64") ];
-    };
-    "40-podman-veth" = values.defaultNetworkConfig // {
-      matchConfig = {
-        Type = "ether";
-        Kind = "veth";
-        Name = [
-          "veth*"
-        ];
-      };
-      DHCP = "yes";
-    };
-  };
-
-  # Don't change (even during upgrades) unless you know what you are doing.
-  # See https://search.nixos.org/options?show=system.stateVersion
-  system.stateVersion = "24.11";
-}
--- a/hosts/ustetind/services/gitea-runners.nix
+++ b/hosts/ustetind/services/gitea-runners.nix
@@ -1,41 +0,0 @@
-{ config, lib, values, ... }:
-let
-  mkRunner = name: {
-    # This is unfortunately state, and has to be generated one at a time :(
-    # To do that, comment out all except one of the runners, fill in its token
-    # inside the sops file, rebuild the system, and only after this runner has
-    # successfully registered will gitea give you the next token.
-    # - oysteikt Sep 2023
-    sops.secrets."gitea/runners/${name}".restartUnits = [
-      "gitea-runner-${name}.service"
-    ];
-
-    services.gitea-actions-runner.instances = {
-      ${name} = {
-        enable = true;
-        name = "git-runner-${name}"; url = "https://git.pvv.ntnu.no";
-        labels = [
-          "debian-latest:docker://node:current-bookworm"
-          "ubuntu-latest:docker://node:current-bookworm"
-        ];
-        tokenFile = config.sops.secrets."gitea/runners/${name}".path;
-      };
-    };
-  };
-in
-lib.mkMerge [
-  (mkRunner "alpha")
-  (mkRunner "beta")
-  (mkRunner "epsilon")
-  {
-    virtualisation.podman = {
-      enable = true;
-      defaultNetwork.settings.dns_enabled = true;
-      autoPrune.enable = true;
-    };
-
-    networking.dhcpcd.IPv6rs = false;
-
-    networking.firewall.interfaces."podman+".allowedUDPPorts = [53 5353];
-  }
-]
--- a/modules/bluemap.nix
+++ b/modules/bluemap.nix
@@ -376,7 +376,7 @@ in {
      serviceConfig = {
        Type = "oneshot";
        CPUSchedulingPolicy = "batch";
-        Group = "nginx";
+        Group = lib.mkIf cfg.enableNginx "nginx";
        UMask = "026";
        ExecStart = [
          # If web folder doesnt exist generate it
--- a/secrets/bekkalokk/bekkalokk.yaml
+++ b/secrets/bekkalokk/bekkalokk.yaml
@@ -18,6 +18,7 @@ mediawiki:
        admin_password: ENC[AES256_GCM,data:4eUXvcO7NLOWke9XShfKzj+x3FvqPONa,iv:3iZ+BTBTZ7yMJ0HT14cEMebKZattWUcYEevRsl/6WOk=,tag:CU0iDhPP2ndztdX5U5A4cw==,type:str]
 roundcube:
    postgres_password: ENC[AES256_GCM,data:fGHmq6r/ZCeIseHL8/gmm5DfWQYorI3OJq1TW0EHvh7rHL62M4TE+Lrlrmq8AIlmGLSWtO8AQzOP3toxidL6xWX3pcwLxtTefa1gom2oQf6ZL4TbAZLidHksdiro6pWtpMOO66bb8O9eXvZmns4=,iv:Irnb2/bgx8WilDyRLleWfo6HHafZ+vlDEwxIcgm1f18=,tag:eTNBUELmLwO7DsQN9CLX7Q==,type:str]
+    des_key: ENC[AES256_GCM,data:U5AHdFgDtidjN7XqPSJkT/anS/q29/9p,iv:okLPMdnNW3dawiqirLA6VmnhXsbPyP4QnqbRo0wfd58=,tag:ZVmCzJK9uhw6CvxK1On1Sg==,type:str]
 idp:
    cookie_salt: ENC[AES256_GCM,data:cyV6HDCPHKQIa8T1+rFBFh6EuHtG5B508lg6uFYENK7qVpYuiTUIokdVQhY8SRLs2mECx/ampgnUHxCRB/Cc/A==,iv:QRrRUhzRQrLkmg38rrYtCEfF8U4/7ZHZUDSEq++BlbI=,tag:fLqFSLd+CKqJvmCh1fx8vg==,type:str]
    admin_password: ENC[AES256_GCM,data:Vf33Oenk6x6BIij1uW8RQDjTPcKhUVYA,iv:RNeyCNpTAYdBPrZwE3Y6CCjoAML/3XUvjfJCrr06IEU=,tag:zVOrx1oXnEyr/VwFCFaCDQ==,type:str]
@@ -31,10 +32,11 @@ nettsiden:
        cookie_salt: ENC[AES256_GCM,data:VmODSLOP1YDBrpHdk/49qx9BS+aveEYDQ1D24d4zCi06kZsCENCr+vdPAnTeM1pw98RTr3yZAEQTh4s90b6v8Q==,iv:vRClu6neyYPFdtD63kjnvK2iNOIHMbh+9qEGph7CI60=,tag:66fgppVxY0egs4+9XfDBPA==,type:str]
        admin_password: ENC[AES256_GCM,data:SADr/zN3F0tW339kSK1nD9Pb38rw7hz8,iv:s5jgl1djXd5JKwx1WG/w2Q4STMMpjJP91qxOwAoNcL0=,tag:N8bKnO9N0ei06HDkSGt6XQ==,type:str]
 vaultwarden:
-    environ: ENC[AES256_GCM,data:CST5I8x8qAkrTy/wbMLL6aFSPDPIU7aWsD1L1MnIATRmk7fcUhfTSFds7quJmIpb2znsIT/WxNI/V/7UW+9ZdPKI64hfPR8MtvrJcbOhU5Fe2IiytFymFbhcOgWAXjbGzs7knQmpfMxSl98sU71oLkRuFdkousdnh4VQFZhUCYM=,iv:Is6xQ7DGdcAQgrrXCS9NbJk67O2uR82rbKOXBTzZHWw=,tag:XVEjCEM5t8qJl6jL89zrkw==,type:str]
-bluemap:
-    ssh-key: ENC[AES256_GCM,data:nPwsT4RYbMbGp2MChLUh6NXW4ckYr7SQcd6Gy2G8CEU+ugew5pt4d6GOK1fyekspDtet3EkPL2F1AsoPFBB2Rv0boARMslAhBqwWSsbBJTXeTEgAABSMxTPJRBtfJucvv426nyIj3uApoknz6mDCQh1OI6mER0fis7MPaM1506HlDlnIT0FV9EairEsaAmbd0yddByGJSccKIza2vW0qWqrz83P+xrakEONxFz0fJlkO5PRXCcQJVBCqWQfnaHNrWeBWv0QA7vAHlT0yjqJCpDRxN2KYrPWsz7sUbB4UZOtykCRM5kKFq73GUaOKqVECJQhcJi6tERhpJELwjjS8MSqvBD90UTKTshGugfuygTaOyUx4wou3atxMR2Rah9+uZ6mBrLAOLX3JKiAtyhFewPMWjd/UhbMPuzNageVBNz2EMpa4POSVwz5MyViKNSgr9cPcNGqmrnjvr/W/lnj6Ec+W80RiXQlADSE4Q6diLLwB9nlHvKs8NTDgv6sUafcPHpJ2+N4Jkb96dE14bMffQ385SI4vLDcQ8xCQ,iv:WdJIHRzjlm8bEldolCx1Q7pZJvjxGkNZALSOy3IjizU=,tag:5ZAikiqttq/76+thG+4LMw==,type:str]
-    ssh-known-hosts: ENC[AES256_GCM,data:J6V+NJ9TvYUL2gmcqWWYt8X+n0M7i0RpDpBelWAbFMH64+e9ztHNnC491sm+RogDxqKk0kwQyX2Mz00iq3Gc3wDYyozGOdv3tBKrp7/LcfjUQ9T9hi0yTD3eNV0LAjlAWMTdlW65VGHqGst8ncKbUuVxbBASVlh3A321toZgD+xxUAtNz7qKFa6fDbOS0xLD1+CmTwVp+aPos//QIKzjuk1HqxfBNK82maKtD4JHPS+Y3be2wIEjGWq3H6JYN/RDojD88D/jzo9RwvEjpqLXoOVfy8uX/fbEsgkgfAmPiaG+ePCnchSExEe3a6Y0E+I6YIzvP+tGThJpu4HaT/yW2Rww/jvsxKrXSUhtBZI/SIX5ZAIFB3sFjJXQefJjfNpQTQWhbspLfdemafGaRiDnzVgKDhNL1HNMNsXKDfWa0SLs4//dqerom/QCCNsaqV+4HVzv5x44srChGERadQI/Wh4UG2R19xxbdyIsKPHzv7BhEKufJkjc5upBjWygQrGAkTRHugFpw2Tdkz9yUQSujMkaeRKhVkA+ZUAjwnY5TwqNZBj7U3K2JXoNVHAq194XmrA2dNghh0OmRrvKGwM3HKexX22SXT0bPlpdWRQpMbUgV+uHLMerlDpNMFTIueEBkaF/FWeSW2N5WUrUb1uJ91QcJ8JBgN1riuD1Oxv9RRPrY9VVNJMrYjpAAREN8i8brMTOCJ35s7jnqIei0dNmnNXOoQZPs9kUMeEtUc/Df1E8/aO2Y4yU9gHUuevXnAJWFAiu2IxssgPk6CcNxvapJEmlwkLK/JyuDsWwFxVOHfw5QIEsoDVWXt6eMhquqUgzJI1q7QrTWUQsBb5A5sQKYWQHempOaXuQn1bzA7mU3Gzsr8bNNc6tpy+6j3zTXYR067EX00yqPG+kqRn4QVIuhByxXP3cwXLUG9uD1lsqWrGzs6WCnHr7txhRBXf4WbBVmXModO3uf36cDYEwrUa6yBsARtSl8PJ0UadfY/xULcT5PFvu9+Hi2qj3vp4IU3JCJa9AvXB+11pbSdawprjuDhwQtPwkJ4CQyvZsom3/BOrmwYM5+EyMDIluEQ0z6eDE5buiIVbX6IvXnDCKbrnqVwavX2wqyiDduFLjRfWL/3U2O1yRim78smrDMJABJZvtW+a+GfmlnTd/gnFvS70Fmm/lgtY051ISL/iFx6toJRoBMMiI/Zvy13uQry+w/HbyFl42DIank8tf7kuN3E9M7ADGMubRJJ0AZOcQddrFnR4Gl2nU2+3RS5fLHaBf9QHK6W92/n//xmPkYqrkPacew4eBjUqM32jVGuBpDc964fK9kdtIdw8q5P1s/ph3I79Y24kGeuO1AVJuZvkaTv1Z7GgI9+K9TstKJ9XpRCidLpLSP+uHOWkqcNsQlt6ilTlfHj+MKoD85dKZ315QMmpiuYEvzCSP1aYTb9dpd61Su/IVuM3r2NuINNEZ166YlHQVsLNpDn8E5ahk3ZInOAg6/kaKTmjUI8KEvX4BR3PbbViAlJJb3suJ0oZBGPUlrW5uLRmADvf2mMDVO5zY7/m9DQwxjt4Miu0l8ZaUc0YJQ850lBKucQ==,iv:GI8w7h7xX8gMHuAoWUyrW+BQb85LNlASoYvGBPlCZaI=,tag:WnHNMevfFSMc0ikBZwWn/g==,type:str]
+    env:
+        DATABASE_PASSWORD: ENC[AES256_GCM,data:uSaQuyx4yn1QfUABWpEjf8x97Imh6A==,iv:pukLl3k8X+ITRZ4bZfOPjsWKCHjVCo8Zd6qEHRERAYc=,tag:4y03dQbEhS+mTXUhzt54bA==,type:str]
+        SMTP_PASSWORD: ENC[AES256_GCM,data:Nr+4wZSvq6KjfzB169v4ojvWHa25Aw==,iv:HM4VYLUCI0HaBT8cDzusYA+49LpuJeg7v/Pz4nfulmM=,tag:T4TkDt+NdWnqbCDaRUERJw==,type:str]
+    rsa_key.pem: ENC[AES256_GCM,data:bYZzFj2ImB0jfiIP9N9V+nk1ROjql4PEuDcJIhVV96BeE++Kq+DGORrnfCyJaubNlqT7+nlMGN/D6bfzwKWivuXDd7T5s6wXplk480anOrFU4cJ9NYXHJjoT8Cn+jKSb7JEWO42cVwraB+qGWFZevOrRtdBM328ffOH4IDqVYgIonnM+pHe7oGglg2Xc97x3GQ46ODWKFZsAqU3ZZv+4SGJXJJorPv+cOIoVvXpqec7TuD2MnfdXvLQEl6o/zsGuV/yQkbJus/BqKUUR+RZ9i/0xuzCd/hJS9yFbHHBj82fDh6+D4TG+1PM+dVRSolkkxhcBvvBJtUPqRewTe5cNO9wZP1ocf9GNmXMbvopaNdAxh6uPJNH1Z6aZ+kLShF5ddE4FuKSvucEPgUdscZw01LeJIehZ7uzHCC99jmojU8rlsWFPvJqUfp0xAZDFDJgCIGt6AbKwBCCeFGuvqYT6w5GQ8uT8OQVBmRxUCZuplcDTUMsBXDxa/Q/5Q/O2zIev7jw7Rm0cJ23ovllu40VvLD+Xu/uQVYzivOOHkvUhQkjVkfbk073ZjrhlIMO3BOuA7PDKUsMBz3UVndtrYU+OOtCI0CoCVVP/K/CamNBGGHdvBoQ13bVn04OgdgJYgz04gP6MqFkr8AWoPFHVZe8+Z/tlW5DtV6SRoUfGFlnROWhiBVZpNuUj/ef1gUY1OoFuqY4GRc3nkC/Fwxi81+lSbAQ2ZdtqroJxquoVJhoUWuSonNDBtOYU0yczvF70R84AFzWKh1eJ7hr2iwcMJPSkhTzTm7LTrr0mQqU8qMxUz4pa0yxOZW0UkC2koz6jKdYlwXHMjjyiUZqfc2y9DrRF6Sa/NUPTrzIvikYk9yr3thnh4VtcsYdqvwlsnkbM/HtGvcmmtZjT4npLyD5t/7tUOs453Ntoo1BOto7+X+0IrFs9yHheBOqfj8dA1M2am0cjrS9LyaSnqBREgBFWVJdpSB0aDdh0M8vmpCBcdrzGPLCUXhNWihiZFEVh1ZrwzXWndRtqmhFLFfXmnEAhtEQL6l/GuA5WEYPHIThq+33BDhXAUB5oBcQQSI8TGPWw0IkOci8Q+SlUd81h2JtAmek/L+1kGZwmyolg1iA9c0LVxapM9cpSNVnmON/O2q3tFisQS82/ysKnNggeyD/ByY0dGMUZILAeONBqm41UcVGoAP5N5KE6Cb7FlppBRitn4QejVvLExPtK8NwQl503Yjq+yBTjSjhuZbB2mQaFgJeKhXrm34I3ZMKKm58j+NAGVJTi7RPzSfTW3kvPvtfm8GvM+vuOOxvNzdid8jR241pQl35d6hOYS3wvbkDVmkvbcjTJBPslvq6pGmAVPyHLHshgyTvvTweX1yodoV+4Z3dtrBb9wZKADT6VfTmEo4RXNjIoZFQrTJTdBeVQbgxejySKHAy2G0/8ZipvToj7zRULSOHh6yS4no8b7U7ZY9tEdxs8uxhDob0nkGy7VQUGG8YNXuwGsjLjVsTiawXiWnqdxeFLuTkKEvtMEEmDUfIRErY2juZbra4AKKWdjegc4ayW1ZyUq5i12eRdnpNbdXBQBtBjagvo3A29bse1TMV3Hww+B7oZ0wsHFD72byD159DdEqnLYlxzRjXns3E2qX8f5xvIUFkBIFNDqkKVaq9wqCrmS0vpbHvuiEJDwyr+nu32nWYT9M+RO41Ri/W63juukd/wf75QKVNNjV5WVrJaN2lgr1+3ux0LE5qs01nZZKqv0jzk4P2SnrPJLMq9NbEgXgKjmwqABnQm8KkeHpPQ8ns4JAY7L5pV6faf1rKWQnE71t9qpKSNMlOgtcv2Jd+5HZuUYbYw5SdDYmwsd+OT0cVu0jURz22k/OmT9GY09SnYpvgHrXLNjvEtY0Tr2vpX1SL5qTx6MWDs/nr47+t/DUEMC/JmUrIOE3OSZXpS9AO4BsBmTV0DF5SlvYBDnHAqkHuJbzRdQ1FjGg/wZLFDmIUy3F7m7bGB+5NX+1ZO1BmG2f0ICpHiR1SGnaK81mY3gmfUD8al7gmmKmAltfvw2kP+Z+Hv2d+XGqVk2csRlfq9e5wu0jFKgcGIs4NuA71V0oKfwL7a3gN0Drd270frH1lYzET0NRSQkqw4oeTt0y4my5TvYGmLEHE05IORdrmHUkHefUtomTEB6YQYY+wLyxVBo6z6MFLN7eCe1HtxjUBp8LFxTT+2l7IusDgIs+6I05Krrrz5GHgNHdMBhw==,iv:CtmysYvEFew/839Gj+vZEDoqu6TvrZ9bUIg9GwejIX0=,tag:CnTEOKLYDsVGRVrQDwfFKQ==,type:str]
+    rsa_key.pub.pem: ENC[AES256_GCM,data:B/2SQrEQ4zRie6A89jneHl5tXfHraYzVEBshY+IrRoufI9YpQw16VjGgrNVCpaG5+PSsCNjz8lXM33oQwg7HU1IWHmvrZdEgkguYv722Ngdb4D8IKHL1nsL9/gkVQFFFvty9ru3LDTfrFKF3cLX+6eIQMFk5W+qLuVO5Pbxh3LKWmN7zG8XHa/b+tvMQclHrtY2iomIThyxKi8w03uE1Fs6V80hyuMA/3TdIz9nUwl5WpiGxaelwaJyts2b5KoBzJ0zZbdR4IHCTYYqBkdjo8929M/gfPS6ZqZS2FPDReoWiujJSAyyoC9xZxglUk/g7vU/8CVwcrtVzn5DEbUot/om98p/1Hq/1Hk4zli49Ysy8nbPhlshZeH5RNSQIDkY6wT7TYD5m3QXjXV+siH7ClKAfri2zp4S4k9uEXvL27NTPqvoXKIUpSEl1b0A/ApQt761PODEMtEXx2PmlRKhg9T9cvLRNYbJavg3FMNivZ+2oQNZXeJZWUEjtqsEoPBAbEHklMtKJiQiThtIPHL3eEdTAhOVhjxBGYU2Kase2hU7g2YvgC3+8u48OarXZbZYgcJkoCHrm+hocYm5DZJ64rxURZQ==,iv:6x0vx8tiGOsQxHsp+qO+nvdUmqNKWINdFO1wXOnORVo=,tag:zuPNh7IfEG/c4lsFVNRYog==,type:str]
 sops:
    age:
        - recipient: age12nj59tguy9wg882updc2vjdusx5srnxmjyfaqve4zx6jnnsaw3qsyjq6zd
@@ -100,8 +102,8 @@ sops:
            SU5zanlva1p2QjVndVJwUnlkdkFuTDAKbQRrSfG9MGsGvF2ywoGhDSuriDsbQ+k2
            29mxere0efSSGGq8y9YrPC8UX5hZRfqg/dfbL+PFc4NHfbxB/oSzQw==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2026-01-26T08:40:13Z"
-    mac: ENC[AES256_GCM,data:ppgpARft/YDKP24QF4bLYVhxN4nRrCsf4wBug3UD4MXgQwdFyWPAHn086uONeMbVOvH8IdwlaNBc8h36I7M66cqwK1VsRc/vf9Ud2VnD/WkWijMSrJ80frIvuvREp7aMNlYbD20bjrp4sYohjcJ8KPqyPUFPj71dA+9LZvXJthQ=,iv:lr3R14lRx7RzclknKbOa/bHa6axGbMPqj1FRTjx34xE=,tag:pBHzSArxYs4bqq355T4yog==,type:str]
+    lastmodified: "2026-05-24T07:03:34Z"
+    mac: ENC[AES256_GCM,data:J9RFBasxTwjIMIV5ou7eEytKY4YBCmGq7DEw/thDIxd5nfPmM/T8OIyFYE9130OsMJu5LabmskaypxTQ2d7sW5ovqMfs3BVCI8FNjUiCmWfmwnFZ29hlDWMD3BYShgOVxI6XTlPiY/2AakQ4T5OwvQfO0sqIGReP+zhT1FIzZFk=,iv:J6v6qhRYFKq76OctU4zOCFqiaYcHbclQcfWMlj6Tig0=,tag:TYc0JcXheOlAidBZC3D6Sg==,type:str]
    pgp:
        - created_at: "2026-01-16T06:34:44Z"
          enc: |-
@@ -124,4 +126,4 @@ sops:
            -----END PGP MESSAGE-----
          fp: F7D37890228A907440E1FD4846B9228E814A2AAC
    unencrypted_suffix: _unencrypted
-    version: 3.11.0
+    version: 3.13.0
--- a/secrets/gluttony/gluttony.yaml
+++ b/secrets/gluttony/gluttony.yaml
@@ -0,0 +1,93 @@
+bluemap:
+    ssh-key: ENC[AES256_GCM,data:UzXcgraLe6A+BjVx6Zzj4aX2M5J3mt5Rpc8iuNOYwWGz+SCzrfLNcCKGXtp5MkAu/CbxovptxqKYLb42fdjFT1TjOV4TipxUYN0e+PtKV16jfY4INJ+rqUykYXEcMTQc9Bwaor5yKxRV8+/V+T1qo9uHpr54n9o0mnU1cMZ/2yVBouSWIBuHXNxeG5STqe+0sqtFurMREUelLEHqMLIq4TtO3obf8l6vWQSUOvHBGINKjByIu38WtJ3eLKrZp+BQ6/t5vSgMUNlugrh8JQvgIyQanNCZbfT3/Q2oK4RsRJ6lLe6Z3wxsIQCvsYqgoX1/9xSZXt9JIuzJo+QP+bBEgk7JgKyW/UBdJlZnoPuRJc16fDbuJjZsWmSMNQ7wtbqNXY4gnwp9eoCUGaK6OScKBg9IzOj1tevlzg1jEcjU0em515m8mIySRWyBWlYyp4PLyyiBLgnwlCQDFHoNqL6hl3ZUO/zXxr55EFFtwsZtYMf5GttlUvaVPoxUXKOVMb33Y4CCmt1YpXzIY1NPaVQomIF8oritefL6PDm5,iv:y54tfAJqR9Qrv015wPl76jqRvfJfor+5BdsKMkYBMXY=,tag:QWNW2GsJDXl4Af64kPo42w==,type:str]
+    ssh-known-hosts: ENC[AES256_GCM,data:0RhRWtrj3U8ZJk40MvFwvUnbRzdAbVB7Z0DUsXJME7Hw4Gbg+CYX3JOQLwD3DZMMEKXcjyP6tkJdR9U1R2BwDs1GVUFgmIuNNE/Qz/5HTCIKHWmE3ZwMMKJhqBrEecr2wWABHMZbLscLoimvjX8CIKxxbsBFIFlsucG9PuIRMGXHE9VRhJxR/wMFVn7a6Ez0iLt8j4G8ebQQi1JJjyCvEjLCkoDvJ7XH3MoZ3PsMR2RCOvNzVACAsDE9GLIat/10/e26xTZ/C1HAC9OUDcQUSQIp6cWxcD4E3w6n02Zhl6att3sJm3eboJMp+0GfsqhC8AlUpvc/VXTeZIvmrKTN29mPv+KAcjgnHroicznVdv9rnNP5Rp0I/3fXBD9yZSedZtucNpX8O6CvYX8NOdItJMz/ya4TFuXaTrFOfuqhL5UvJ/JleU3DdELr+QStgtIUpUvIrTn/XrakSrDRprtje9d8+kFVRYM3V4nCLwWkP26xabiBeRLRrnpuiBj8e2j7g55AaDivBdYo24h57oxglgy0WrJt08+MKRPlek5QQl/E2dBCYcyh7pGaarKVYVvi4yjMlA0wvX4GPgAZkm345lWHS/pXKyGsrlRRUi9Pcghw2uO9zw2iaKecphK/Sps/zsShOQyaPd7TM8qfeUHRGPMxxbMo+N5Zxdy4X7c5z5UdgYJWrc0TZS3im9KHL4iOGQw38LisSD2hWjrzEjfQk4ijShJEDxM20TCkVsCJeIm4xlj3cODMX0c2T+PeFrqKqTlp44w4EFes/QNhsCofP4FVhxXT25mWK2pygtzspPfYb/Z9pqbFFtDC7/WZJ4sZXThkG1yMvf9SJCDWWWt/TDp5I6U7Z0525nBAyRxtvXa8T7PjS9dhBBh7nFIa8ZofRgZ2Ci0TAAuC2fD8uOvRoQTmvVr6In/6EpBpHZG9CCKvMRu3BPBOPqPEywop3fgRglRaJhnvpJ4eOQQNNQ3pgSX5hmxUQoSMM/IkOuwp6VaxyTlji0JJFUdiHIe83u17ZZ2BxYMmdqO7lRRCnEARgro6bKOnhoscbvPzcy8486DUYwwptdjUO6HVzLknFSCLd0318Tpm7fXdlrdK846mkZZ1INZ7aIB1oSnDR/0BS31oXRijJFQ/E0j8/5Cmoxqj0TP+JkLpkOnYPUXN07+HKB9Zx75StXeorGUQFuu++OZcYfyjTrparMVJDJaMEgtQ52L1dlqmdhEhS3TNMzxYmd4pQQt89Woe+mck3t2nFDj6pqC++wDJov0xhdnf+DMW/7LFT/mVdgy3/Ni6Z2/8SZd8Qh3CVdaMh8Tv/vF28uAd9ptGiE2KT2Zbu89n9wzyihrBf3DwK9mj+5DLPkCVbV048C/3SOcwuDzSrFuYZvikfhxT86bmHeHbNDi50Y3WmNoEPUuIyrDjKdUr/xp9V/i32X/OMr2IzLSeX23/pTKjLnGHnvje2MYTi+aIWJZxfFYH2Kkn5RqOt8pNZLT5c69zswsz9wRkyVbQwgwqk7VIsxiB64M44Nq2XoRwUtb3jHfGqsiS8tQmWYOUI5DM5erisqd0EKeOSUgzXEi6XmdpikSdSHiiVl1OqR3LE7/k9l4as8x3zwP9JT1Elv0Rf96fnW87s6UPrK0XU3OQiQjm+Csga5ZvHXXtQk2d+JVJ5G0bqNiQ2Oc5Exqjs6xgE4ES2bIZy/6mHd+bd0MoryOx4cs6F6tXiGw3wPgmjy20saCadICzdG2kHXu9tFK3oJCq5bgJH9XEbxvgptVlOU4MFjbaAnHs8ARo+oHHmvIFkQz2JBnhM3uwKGTraX1oHa+J1yW7Fv6wzKXKP/UDZhMaGtdu9egTpZANOzHay/l1ggdtIW6rVyUjHgUIMxpLV9qswldb1Yos+bhNofULrqV+p7CpJu/UKtP7i5luTiH2AOTiqBVxPvH79OSaG9IWLrF+6K/zxSlpCGG77LmxwTWRcMW/h0HVOYnZCvYs8QB0wnK5lriO3RSj5BHWibQLmMndOKx3+hk8RatbIIwAyGm9fGGdDX2Cuij+Ys6rQtHeEgEdnWgY9OF59TDPg8TbeCD1DjNnXpveGapDmNVlQoXkRteHmGpmI3sxmGB9hFplNJuQFJffxdoGXN9+DDqscqYwnxpre8JtGvC8AK2k5dnooOCLEUafr+XdTQa1s3I7p3v6FKI+8QcpyARIrQPLNAzO43ftRjtQf8GTeV7mjLfZiI6malOnZWTgHNhiOtbQuWN/JGfVw9KxndwkkXgt0mYjKD4heOZ4NWNMfkmWxNSp3Gr3X9tCvXgIrJKXqURDAd+y7ad0buZyuPpSiX5EbgznFGTctmTzZ/mPBwk2gQTcaLiz4RxJsmfrgA3xRv91jHWgeRbuk6eeBW9C9AlUC52b9LuUOR8EUGdo2sh0K5As9rUnqxZ0nNYc6Fg5zJW+xJ9GkcVUdBvUCOikOnMvJYmGxMtQ8VlqRcUukdGhPwLnDBjDIzOBMQlwaEYPpHNqIz4S9S4kr92VhXe0KOh9TF3HDODURt/VSdoit+FTWSHdAINjfkE0nlqfpE7fpFJbR309gnLKF8Pt/hTgweApiv3UAC4Be98Vkazs/aiuOOyML8fZykjiJboIcRqwznkoYp1AXeufyQBTn3fqRh+xU89HVyQtqyXxofaJXj2OqK6tOzbcu1JvgNGN9xK/L386SjWzLrhpmKo9fkV+JXSUBY99CClTSueLZ2H2pBOOsYfX+lwAJ491avUDVvwnWMcFL3uNNOozMAqSvz/0lCbtduhk2mSxwFYIplTgpXCKxrg=,iv:8Jcg3GQCTzOfVc47rlD9QXcsC+3Jxjsmyi6YDjQisNQ=,tag:KjZmgsi6HlVp6BiwI9BuKA==,type:str]
+sops:
+    age:
+        - recipient: age12czfkvuw9pjk5qny5c6m2hjhd634cj9r4dsa3ss5zkux5h4vvc7s7k4urq
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPeHFDb2xERDdQa3FDT1Ni
+            OFBBb1MzUXNqMktTVUlDWHhRWithYkN3OEcwCkd3OWlaSks4bnFhRzJud3AwZ1Bo
+            c0xNYXdDVzVxRjZna3FaMEJuR3hMbVUKLS0tIGNoZGpKUFBldDBDaGF5bG1SS3R2
+            VzBDc296WmFkdHcvVWVILzNFUzJKY2cKIHUNTXL28jYIgo7tMsR64gpydX6bg+1f
+            PntcQBsVXmjW/XOWg0XTa23BRkuL9a8wkWPKV+EvVaRAHLA+NdrCzw==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1ug30gg4y7ftuya0wdv7q0vh4egn00wlv2th7mt7cgc2ze46wmvyq9lq6ge
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMNXJnNGxEaUtvazVyWVBn
+            NkZLbk0zYytTcmFVek5hWElPUUZ2NDc5S0J3Cll6NkRZbHBkREVtYmxSQjRiTG1w
+            THJRYXE2VzhhTUtqZUQ1Q2k5d1V0c00KLS0tIEpjb3gybTVSMlpnT0pHK3U5bkFP
+            aW9YZVZpbXE1Ty9tZjZWRTJXcDN1UTAK7NC7zqWWfsjwsg4RC6+pHgIRSr2NYdJU
+            JnSODgTDeRWNWTnlOsGLVBB4G4cs3sr+G1TTU6ECNeScVHjm5LEXpA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1mrnldl334l2nszuta6ywvewng0fswv2dz9l5g4qcwe3nj4yxf92qjskdx6
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhamk3VWVheTZOUXVwUnU3
+            YnAzSzF0UDFNVTJycHJTdk1zNmtkWWVHeVJBCnZTQ0xEM1hSQ3dTcHhQYmt1UDdr
+            TWEzeE5SZ1FUVlhsd0N0NUdzNXB1V1kKLS0tIFlzRE4wNUdYN3kremxNUHlMRzVx
+            WWRKRGZza0hlU3JXQkdwY2psQkdqbGsK7XHA7aO7AN+fK65phQ2Wjuoz0/CylAKb
+            aEo6e2DDlEKoHyel6VtncYU7IytU8vx4f2KdBQuDIsypQqOCyjpcYg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1hmpdk4h69wxpwqk9tkud39f66hprhehxtzhgw97r6dvr7v0mx5jscsuhkn
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQcXhaNVJrUnlSVTQvVE9T
+            RnpDa2JBZFQwVG5oaVpUWG9ZeGM0UkNZakF3CmhsK3ByK1JaamV2cWgweTZUVjNk
+            QWdtREtiVnd4TllycDQybWxSb05IaFEKLS0tIDJXZzNKZzZJL3M4bTNiV1lHQ2lq
+            MW9uSUo2dzR4VzhmK09yU2Y3Vkl6T0UKz9PygM7wNx+SDO4ea4RKwENSpnzGC8jP
+            5N7p/MQZQjclpNyIUO3OKQECMQD8jPqN+OlBmctQqDR4vTSq4HmCvw==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1wrssr4z4g6vl3fd3qme5cewchmmhm0j2xe6wf2meu4r6ycn37anse98mfs
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjRVVucnNNVEk1TkRvb1V0
+            ZjlCMjcyVHdVVzRwVUxmQnFSSThZblcxc1JFCnVPS1NKRGxERzNPUmpOOUZWd0pa
+            bFJGZVVObzhNdEx5ZWFlWkdaOUZrS3cKLS0tIGdqV2FaNVNJM2Z0TUV3VklodDM3
+            SDQ5d2p4SnB4REdTbWRRZjYxVURqNkUK3wcPruP459YHsffOw8vWHNlOleUA0Iv5
+            /370YCc4uA3wp8YyLvotGsjn65IWlaZ1R9wUEiQTNa3wvChBYmtLVg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1zhxul786an743u0fascv4wtc5xduu7qfy803lfs539yzhgmlq5ds2lznt5
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYTW04bUZrMFMxVTdkbDNk
+            Z2dWTTgrUERRT243NkZtTmY1ZkFjQ0w5bVJBCnh6cmM0Z2hwcVRyL3R0YXdSbzRa
+            cFc5MmowbVhTMTZTZzFsK3ZpNXdxN1EKLS0tIERxYzN4S0dsYi9mU1UvVzRNZGZw
+            TXlrR3FKWlJLQ0NpWDdQVEo0aHFNZWsK1lUGm0uye00S07JYBPGvIZtdNFuknZv3
+            bViaCBUH8GKV7w+sWtnBoQlaD1F8rpoVd+l4SIW0pouEYdze4u/v9Q==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1sqs7urnzsdy64efmd0zukzv3gs5pnjksuxd7nqmdwdy5l0nqnunq6hyune
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0RVFKdjNDMURPVHY0eFc1
+            c0JUbk93RlppNjg5ZTlIMEdmRWI5Q3prWlh3CjdTNXk0YUtFeWtuNkkxVGpndVBu
+            WTIrdFh0QThQWkJTc1llSWN0OUtzWVEKLS0tIHF1NytpSUtnQ2xoSUlMR3NIdytV
+            WWE5WUVPVXVwMW9QY0F4RUo4K1JJSzgKu8KUfNcYkVPTIIy+AsqmbNsRwhe2OVH+
+            iTBo4DixGc4XFsflBYxTmu212DE8/Mr2spqZpa4brfbblF4JAmak6A==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2026-05-24T04:34:10Z"
+    mac: ENC[AES256_GCM,data:FUX4TsCKt41KnV1Cgo2E6ucL558fVgH0pEEoITM/5g3Pj4cMKPHIalzqt3U12pBbxzNpuQm+HIwcwx8jktsmWnb9KaSxNLSfnhf7RlyxVOS+S17yTV6O89/lyTqub9Z2tybLeEeGSTbghPrCEgNb4d2NswPYXW/rZawpvgQlc84=,iv:I+NJ0t3n9x3gA/3s0PgRMX4AI/3X8M89UqN+QKAxfoM=,tag:6X+LT5FyfL7xZUSUiz3lpw==,type:str]
+    pgp:
+        - created_at: "2026-05-23T17:17:16Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA0av/duuklWYAQ/+ISNrWiNzl986g1c2S8x65xCWuJ8ntbb9k0nm56/Ve1TI
+            5bkkovKFUFCBUrcVEoRPA+uVDdnd/KWkwF6BX3me8jkhe9ogXNvNJh7FVWiPa70U
+            nxt0wL2TGDdj0RD2gneqTEsN3GtuwNw3gUcdRBg03vG9rmmNa3eWvVmwk/XNZ7J+
+            7LEyG21tLicB5ZPBYiGLznsQPbGvLg+FguCRngvjmz0IgvpNkNpylmlkkc6pmHka
+            T5UAekNgBY0H6H22T1xmD5O4/ZVsmyETHc+6TJn4jIS2fENVtfApbwJuF5B+x+Xf
+            fNIx8soxYOBLjN9CdPXWw+/nAuCQVnsOYxUVcHBoNvQ3KDm8c6R4Yv8B+gndpvUN
+            eRo3XQTGNCX2mvEdRHDlvJjMHgmP3a8qBsFVdKnS/7138HKO4dyIX8Ca+9gWvEmz
+            UGdTXtYjRl8Wxp+8mePAsR6OaDGLqRfyIveCsSAJiwsQDaVqnVElXUZBp93QySxq
+            RPY8yNrVayiw3lPLe2Q0iHJLfpUEqvIGz0WjfqCkfhMXb93lrjTywsvMRf6ocZOY
+            Xb4paiRlKsJo9a6ZvyH+vuIXv75SUVtdzWs7P998TGo/C8+0Tf/dVgvGB/UfnB0p
+            JkGndpicaJ98Xb+vTrE+/MNpMD0hBzWIbsKs6c50Hfml7Xjb8ngewuKAqXpvdE/S
+            XAEl1l+gnC44ekV0CBWbyWXcsBHopt4plVC1VIH4CgsnHz5xPxTfrrJCTWAvTDpI
+            arHX/6qD+QOMXpT4/W37WxIyTEICBUEGtn6gMbb1xU96WJ3zqp7EYjxO/IOU
+            =Mkw8
+            -----END PGP MESSAGE-----
+          fp: F7D37890228A907440E1FD4846B9228E814A2AAC
+    unencrypted_suffix: _unencrypted
+    version: 3.12.2
--- a/topology/default.nix
+++ b/topology/default.nix
@@ -176,26 +176,6 @@ in {
    interfaces.ens18.network = "pvv";
  };

-  nodes.ustetind = {
-    guestType = "proxmox LXC";
-    parent = config.nodes.powerpuff-cluster.id;
-
-    # TODO: the interface name is likely wrong
-    # interfaceGroups = [ [ "eth0" ] ];
-    interfaces.eth0 = {
-      network = "pvv";
-      # mac = "";
-      addresses = [
-        "129.241.210.234"
-        "2001:700:300:1900::234"
-      ];
-      gateways = [
-        values.hosts.gateway
-        values.hosts.gateway6
-      ];
-    };
-  };
-
  ### PVV

  nodes.ntnu-veggen = mkRouter "NTNU-Veggen" {
--- a/values.nix
+++ b/values.nix
@@ -73,10 +73,6 @@ in rec {
      ipv4 = pvv-ipv4 233;
      ipv6 = pvv-ipv6 "4:233";
    };
-    ustetind = {
-      ipv4 = pvv-ipv4 234;
-      ipv6 = pvv-ipv6 234;
-    };
    skrot = {
      ipv4 = pvv-ipv4 237;
      ipv6 = pvv-ipv6 237;
Author	SHA1	Message	Date
Vegard Bieker Matthey	273110b304	gluttony: set nginx group for serving bluemap files	2026-05-24 10:03:53 +02:00
Vegard Bieker Matthey	32a14e262f	gluttony: bluemap don't create a new directory	2026-05-24 09:51:34 +02:00
Vegard Bieker Matthey	d66fef033d	bekkalokk: add back config added through bluemap module	2026-05-24 09:21:17 +02:00
Vegard Bieker Matthey	4d7fdcc059	bekkalokk: remove bluemap secrets	2026-05-24 09:04:17 +02:00
Vegard Bieker Matthey	52e1d693cc	bekkalokk: remove bluemap rendering	2026-05-24 09:01:43 +02:00
Vegard Bieker Matthey	df54bcd853	remove unused variable	2026-05-24 09:01:43 +02:00
Vegard Bieker Matthey	b8ec6308bd	gluttony: use webRoot variable	2026-05-24 09:01:33 +02:00
Vegard Bieker Matthey	c67e381065	gluttony: bluemap fix path	2026-05-24 08:37:31 +02:00
Vegard Bieker Matthey	6bf2ede728	gluttony: add private key and set public key for bekkalokk	2026-05-24 08:37:31 +02:00
Vegard Bieker Matthey	7c4439dbc0	bekkalokk: pull rendered map from gluttony	2026-05-24 08:37:31 +02:00
Vegard Bieker Matthey	cbb587f79c	gluttony: bluemap export to bekkern	2026-05-24 08:37:31 +02:00
Vegard Bieker Matthey	33b7a420e3	add bekkalokk to known_hosts	2026-05-24 08:37:31 +02:00
Vegard Bieker Matthey	e08e61d6a1	bluemap: set group to nginx only if nginx is enabled	2026-05-24 08:37:31 +02:00
Vegard Bieker Matthey	eeab3b8fa6	gluttony: setup bluemap	2026-05-24 08:37:25 +02:00
Vegard Bieker Matthey	6cca1db3b3	bekkalokk: fix permissions for mediawiki secrets	2026-05-22 20:21:24 +02:00
Vegard Bieker Matthey	bfd83c4c64	uptime-kuma: wants to use /var/lib/private for state	2026-05-22 17:58:00 +02:00
h7x4	9a6fdecb03	kommode/gitea/dump: only keep a single dump at a time	2026-05-22 18:27:57 +09:00
h7x4	82ab97fb45	bekkalokk/roundcube: restart service on changed sops secrets	2026-05-22 18:10:44 +09:00
h7x4	543fd19f8d	bekkalokk/vaultwarden: restart service on changed sops secrets	2026-05-22 18:10:40 +09:00
h7x4	6f99fa575d	bekkalokk/vaultwarden: render environment_file as sops template	2026-05-22 18:02:13 +09:00
h7x4	3141b1f76b	bekkalokk/vaultwarden: remove redundant hardening This has already been upstreamed	2026-05-22 17:51:03 +09:00
h7x4	475f6a8c9b	bekkalokk/vaultwarden: add rsa key to sops	2026-05-22 17:49:31 +09:00
h7x4	9c1687f8f2	bekkalokk/vaultwarden: use envvar keys It seems like the nixpkgs module is compensating for previous config that might've ended up in a file, which are now being turned into screaming snake case environment variables. Let's just name them as they are supposed to be named instead of having the upstream module translate them.	2026-05-22 17:08:31 +09:00
h7x4	0f53bcd731	bekkalokk/roundcube: add des_key to sops	2026-05-22 17:08:31 +09:00
Felix Albrigtsen	f433ae1e15	ustetind: remove from sops rg -. to the rescue	2026-05-22 10:01:15 +02:00
h7x4	5745648f87	bicep/postgres/repack: use local unix socket	2026-05-22 15:59:59 +09:00
h7x4	2c34a93abf	bicep/postgres/repack: don't kill connections on timeout	2026-05-22 15:57:57 +09:00
h7x4	9ebc947eab	ustetind: bai bai 👋	2026-05-22 15:41:28 +09:00
h7x4	6fcc19f0a2	base/fluentbit: init	2026-05-22 15:32:13 +09:00
h7x4	9224f04bd1	base/promtail: remove	2026-05-22 15:32:13 +09:00
Vegard Bieker Matthey	9c93f15569	change agekey for ildkule and update keys update keys	2026-05-21 17:27:11 +02:00
h7x4	5d6c153007	kommode/gitea: fix dump command	2026-05-21 17:54:54 +09:00
h7x4	8b483a92f8	ildkule: set `fsType` for bindmounts	2026-05-21 17:52:47 +09:00
h7x4	0d7f05e56d	bicep/postgres: add cleanup timers	2026-05-21 04:14:34 +09:00
Daniel Olsen	4a67eddf52	bicep/matrix/livekit: open the rtc ports	2026-05-20 20:04:33 +02:00
h7x4	08a23bd380	base/hardening: ban a few more modules	2026-05-20 23:15:25 +09:00
h7x4	28b67c3578	base/mitigations: blacklist modules for copyfail and pintheft	2026-05-20 23:15:25 +09:00