base/resolved: use RFC42 format

update keys

base/default.nix

@@ -23,6 +23,7 @@
     ./services/acme.nix
     ./services/auto-upgrade.nix
     ./services/dbus.nix
+    ./services/fluentbit.nix
     ./services/fwupd.nix
     ./services/irqbalance.nix
     ./services/journald-upload.nix
@@ -33,7 +34,6 @@
     ./services/postfix.nix
     ./services/prometheus-node-exporter.nix
     ./services/prometheus-systemd-exporter.nix
-    ./services/promtail.nix
     ./services/roowho2.nix
     ./services/smartd.nix
     ./services/thermald.nix
@@ -77,10 +77,10 @@
   '';
 
   # These are servers, sleep is for the weak
-  systemd.sleep.extraConfig = lib.mkDefault ''
+  systemd.sleep.settings.Sleep = {
-    AllowSuspend=no
+    AllowSuspend = lib.mkDefault false;
-    AllowHibernation=no
+    AllowHibernation = lib.mkDefault false;
-  '';
+  };
 
   # users.mutableUsers = lib.mkDefault false;
 

base/hardening.nix

@@ -7,7 +7,13 @@
     "ax25"
     "batman-adv"
     "can"
+    "dccp"
+    "ipx"
+    "llc"
+    "n-hdlc"
     "netrom"
+    "p8022"
+    "p8023"
     "psnap"
     "rds"
     "rose"
@@ -23,7 +29,6 @@
     "cramfs"
     "efs"
     "exofs"
-    "orangefs"
     "freevxfs"
     "gfs2"
     "hfs"
@@ -35,10 +40,12 @@
     "nilfs2"
     "ntfs"
     "omfs"
+    "orangefs"
     "qnx4"
     "qnx6"
     "sysv"
     "ubifs"
+    "udf"
     "ufs"
 
     # Legacy hardware

base/mitigations.nix

@@ -1,17 +1,24 @@
-{ ... }:
+{ pkgs, lib, ... }:
+let
+  modulesToBan = [
+    # copy.fail
+    "af_alg"
+    "algif_aead"
+    "algif_hash"
+    "algif_rng"
+    "algif_skcipher"
 
-{
+    # dirtyfrag / Fragnesia
-  boot.blacklistedKernelModules = [
+    "esp4"
-  "rxrpc" # dirtyfrag
+    "esp6"
-  "esp6" # dirtyfrag
+    "rxrpc"
-  "esp4" # dirtyfrag
+
+    # PinTheft
+    "rds"
   ];
-boot.extraModprobeConfig = ''
+in
-  # dirtyfrag
+{
-  install esp4 /bin/false
+  boot.blacklistedKernelModules = modulesToBan;
-  # dirtyfrag
+
-  install esp6 /bin/false
+  boot.extraModprobeConfig = lib.concatMapStringsSep "\n" (mod: "install ${mod} ${lib.getExe' pkgs.coreutils "false"}") modulesToBan;
-  # dirtyfrag
-  install rxrpc /bin/false
-'';
 }

base/networking.nix

@@ -8,6 +8,6 @@
 
   services.resolved = {
     enable = lib.mkDefault true;
-    dnssec = "false"; # Supposdly this keeps breaking and the default is to allow downgrades anyways...
+    settings.Resolve.DNSSEC = false; # Supposdly this keeps breaking and the default is to allow downgrades anyways...
   };
 }

base/services/fluentbit.nix

@@ -0,0 +1,135 @@
+{ config, lib, ... }:
+let
+  cfg = config.services.fluent-bit;
+in
+{
+  services.fluent-bit = {
+    enable = lib.mkDefault true;
+    settings = {
+      service = {
+        flush = 1;
+        log_level = "warn";
+
+        http_server = "on";
+        http_listen = "127.0.0.1";
+        http_port = 28183;
+
+        # filesystem-backed buffering so logs survives potential outages.
+        "storage.path" = "/var/lib/fluent-bit/storage";
+        "storage.sync" = "normal";
+        "storage.max_chunks_up" = 64;
+        "storage.backlog.mem_limit" = "16M";
+      };
+
+      pipeline = {
+        inputs = [{
+          name = "systemd";
+          tag = "journal.*";
+
+          db = "/var/lib/fluent-bit/journal.db";
+          read_from_tail = true;
+          strip_underscores = true;
+          lowercase = true;
+          max_entries = 1000;
+          "storage.type" = "filesystem";
+        }];
+
+        filters = [{
+          name = "modify";
+          match = "journal.*";
+          rename = [
+            "hostname host"
+            "priority level"
+            "systemd_unit unit"
+          ];
+        }] ++ (lib.mapAttrsToList (k: v: {
+          name = "modify";
+          match = "journal.*";
+          condition = "Key_value_equals level ${k}";
+          set = "level ${v}";
+        }) {
+          "7" = "debug";
+          "6" = "info";
+          "5" = "notice";
+          "4" = "warning";
+          "3" = "error";
+          "2" = "crit";
+          "1" = "alert";
+          "0" = "emergency";
+        });
+
+        outputs = [{
+          name = "loki";
+          match = "*";
+
+          host = "ildkule.pvv.ntnu.no";
+          port = 3100;
+          uri = "/loki/api/v1/push";
+          compress = "gzip";
+
+          labels = lib.concatStringsSep ", " [
+            "job=systemd-journal"
+          ];
+          label_keys = lib.concatMapStringsSep "," (k: "$" + k) [
+            "host"
+            "unit"
+            "level"
+          ];
+
+          # JSON is probably fine for now, then we just extract the keys we want with the grafana web ui
+          # line_format = "key_value";
+          # drop_single_key = true;
+
+          "storage.total_limit_size" = "256M";
+        }];
+      };
+    };
+  };
+
+  systemd.services.fluent-bit = lib.mkIf cfg.enable {
+    serviceConfig = {
+      StateDirectory = "fluent-bit";
+
+      # NOTE: This hardening might be way too strong for general purpose use, don't upstream this.
+      AmbientCapabilities = [ "" ];
+      CapabilityBoundingSet = [ "" ];
+      DeviceAllow = [ "" ];
+      LockPersonality = true;
+      # Lua JIT, maybe other things
+      MemoryDenyWriteExecute = false;
+      NoNewPrivileges = true;
+      PrivateDevices = true;
+      PrivateMounts = true;
+      PrivateTmp = true;
+      PrivateUsers = true;
+      ProtectClock = true;
+      ProtectControlGroups = true;
+      ProtectHome = true;
+      ProtectHostname = true;
+      ProtectKernelLogs = true;
+      ProtectKernelModules = true;
+      ProtectKernelTunables = true;
+      ProtectProc = "invisible";
+      ProtectSystem = "strict";
+      RestrictAddressFamilies = [
+        "AF_INET"
+        "AF_INET6"
+        "AF_UNIX"
+      ];
+      RestrictNamespaces = true;
+      RestrictRealtime = true;
+      RestrictSUIDSGID = true;
+      SystemCallArchitectures = "native";
+      SystemCallFilter = [
+        "@system-service"
+        "~@privileged"
+        "~@resources"
+      ];
+      UMask = "0077";
+
+      BindReadOnlyPaths = [
+        "/run/systemd/journal"
+      ];
+    };
+  };
+}

base/services/promtail.nix

@@ -1,38 +0,0 @@
-{ config, lib, values, ... }:
-let
-  cfg = config.services.prometheus.exporters.node;
-in
-{
-  services.promtail = {
-    enable = lib.mkDefault true;
-    configuration = {
-      server = {
-        http_listen_port = 28183;
-        grpc_listen_port = 0;
-      };
-      clients = [{
-        url = "http://ildkule.pvv.ntnu.no:3100/loki/api/v1/push";
-      }];
-      scrape_configs = [{
-        job_name = "systemd-journal";
-        journal = {
-          max_age = "12h";
-          labels = {
-            job = "systemd-journal";
-            host = config.networking.hostName;
-          };
-        };
-        relabel_configs = [
-          {
-            source_labels = [ "__journal__systemd_unit" ];
-            target_label = "unit";
-          }
-          {
-            source_labels = [ "__journal_priority_keyword" ];
-            target_label = "level";
-          }
-        ];
-      }];
-    };
-  };
-}

flake.nix

@@ -228,12 +228,6 @@
           ];
         };
 
-        ustetind = stableNixosConfig "ustetind" {
-          modules = [
-            "${nixpkgs}/nixos/modules/virtualisation/lxc-container.nix"
-          ];
-        };
-
         brzeczyszczykiewicz = stableNixosConfig "brzeczyszczykiewicz" {
           modules = [
             inputs.grzegorz-clients.nixosModules.grzegorz-webui

hosts/bicep/services/matrix/livekit.nix

@@ -64,4 +64,11 @@ in
       '';
     };
   };
+
+  networking.firewall.allowedUDPPortRanges = [
+    {
+      from = cfg.settings.rtc.port_range_start;
+      to = cfg.settings.rtc.port_range_end;
+    }
+  ];
 }

hosts/bicep/services/postgresql/cleanup-timers.nix

@@ -0,0 +1,37 @@
+{ config, lib, pkgs, ... }:
+let
+  cfg = config.services.postgresql;
+in
+{
+  config = lib.mkIf cfg.enable {
+    systemd.services = {
+      postgresql-repack = {
+        requires = [ "postgresql.service" ];
+        after = [ "postgresql.target" ];
+        description = "Repack all PostgreSQL databases";
+        startAt = "Mon 06:00:00";
+        serviceConfig = {
+          Type = "oneshot";
+          User = "postgres";
+          Group = "postgres";
+
+          ExecStart = "${lib.getExe cfg.package.pkgs.pg_repack} --host=/run/postgresql --no-kill-backend --wait-timeout=30 --all";
+        };
+      };
+
+      postgresql-vacuum-analyze = {
+        requires = [ "postgresql.service" ];
+        after = [ "postgresql.target" ];
+        description = "Vacuum and analyze all PostgreSQL databases";
+        startAt = "Tue 06:00:00";
+        serviceConfig = {
+          Type = "oneshot";
+          User = "postgres";
+          Group = "postgres";
+
+          ExecStart = "${lib.getExe' cfg.package "psql"} --port=${builtins.toString cfg.settings.port} -tAc 'VACUUM ANALYZE'";
+        };
+      };
+    };
+  };
+}

hosts/bicep/services/postgresql/default.nix

@@ -3,11 +3,15 @@ let
   cfg = config.services.postgresql;
 in
 {
-  imports = [ ./backup.nix ];
+  imports = [
+    ./backup.nix
+    ./cleanup-timers.nix
+  ];
 
   services.postgresql = {
     enable = true;
     package = pkgs.postgresql_18;
+    extensions = ps: with ps; [ pg_repack ];
     enableTCPIP = true;
 
     authentication = ''

hosts/ildkule/services/monitoring/prometheus/default.nix

@@ -21,6 +21,7 @@ in {
 
   fileSystems."/var/lib/prometheus2" = {
     device = stateDir;
+    fsType = "bind";
     options = [ "bind" ];
   };
 }

hosts/ildkule/services/monitoring/prometheus/machines.nix

@@ -27,7 +27,6 @@ in {
       (mkHostScrapeConfig "lupine-4" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
       (mkHostScrapeConfig "lupine-5" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
       (mkHostScrapeConfig "temmie" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
-      (mkHostScrapeConfig "ustetind" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
       (mkHostScrapeConfig "wenche" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
 
       (mkHostScrapeConfig "hildring" [ defaultNodeExporterPort ])

hosts/ildkule/services/monitoring/uptime-kuma.nix

@@ -21,6 +21,7 @@ in {
 
   fileSystems."/var/lib/uptime-kuma" = {
     device = stateDir;
+    fsType = "bind";
     options = [ "bind" ];
   };
 }

hosts/kommode/services/gitea/default.nix

@@ -226,7 +226,7 @@ in {
         # Logs are stored in the systemd journal
         skip-log = true;
       };
-    in lib.mkForce "${lib.getExe cfg.package} ${args}";
+    in lib.mkForce "${lib.getExe cfg.package} dump ${args}";
 
     # Only keep n backup files at a time
     postStop = let

hosts/ustetind/configuration.nix

@@ -1,40 +0,0 @@
-{ config, fp, pkgs, lib, values, ... }:
-
-{
-  imports = [
-    (fp /base)
-
-    ./services/gitea-runners.nix
-  ];
-
-  boot.loader.systemd-boot.enable = false;
-
-  networking.useHostResolvConf = lib.mkForce false;
-
-  systemd.network.networks = {
-    "30-lxc-eth" = values.defaultNetworkConfig // {
-      matchConfig = {
-        Type = "ether";
-        Kind = "veth";
-        Name = [
-          "eth*"
-        ];
-      };
-      address = with values.hosts.ustetind; [ (ipv4 + "/25") (ipv6 + "/64") ];
-    };
-    "40-podman-veth" = values.defaultNetworkConfig // {
-      matchConfig = {
-        Type = "ether";
-        Kind = "veth";
-        Name = [
-          "veth*"
-        ];
-      };
-      DHCP = "yes";
-    };
-  };
-
-  # Don't change (even during upgrades) unless you know what you are doing.
-  # See https://search.nixos.org/options?show=system.stateVersion
-  system.stateVersion = "24.11";
-}

hosts/ustetind/services/gitea-runners.nix

@@ -1,41 +0,0 @@
-{ config, lib, values, ... }:
-let
-  mkRunner = name: {
-    # This is unfortunately state, and has to be generated one at a time :(
-    # To do that, comment out all except one of the runners, fill in its token
-    # inside the sops file, rebuild the system, and only after this runner has
-    # successfully registered will gitea give you the next token.
-    # - oysteikt Sep 2023
-    sops.secrets."gitea/runners/${name}".restartUnits = [
-      "gitea-runner-${name}.service"
-    ];
-
-    services.gitea-actions-runner.instances = {
-      ${name} = {
-        enable = true;
-        name = "git-runner-${name}"; url = "https://git.pvv.ntnu.no";
-        labels = [
-          "debian-latest:docker://node:current-bookworm"
-          "ubuntu-latest:docker://node:current-bookworm"
-        ];
-        tokenFile = config.sops.secrets."gitea/runners/${name}".path;
-      };
-    };
-  };
-in
-lib.mkMerge [
-  (mkRunner "alpha")
-  (mkRunner "beta")
-  (mkRunner "epsilon")
-  {
-    virtualisation.podman = {
-      enable = true;
-      defaultNetwork.settings.dns_enabled = true;
-      autoPrune.enable = true;
-    };
-
-    networking.dhcpcd.IPv6rs = false;
-
-    networking.firewall.interfaces."podman+".allowedUDPPorts = [53 5353];
-  }
-]

packages/mediawiki-extensions/default.nix

@@ -12,7 +12,7 @@ let
     name
   , commit
   , hash
-  , tracking-branch ? "REL1_44"
+  , tracking-branch ? "REL1_45"
   , kebab-name ? kebab-case-name name
   , fetchgit ? pkgs.fetchgit
   }:
@@ -33,63 +33,63 @@ in
 lib.mergeAttrsList [
   (mw-ext {
     name = "CodeEditor";
-    commit = "2db9c9cef35d88a0696b926e8e4ea2d479d0d73a";
+    commit = "af7e82f24ba4b68393712fece6f1b5fa4bb049ec";
-    hash = "sha256-f0tWJl/4hml+RCp7OoIpQ4WSGKE3/z8DTYOAOHbLA9A=";
+    hash = "sha256-XT8E4O6MEZYHSs6Q+A/dfYaUvJ4kY13Kd/cq30dA5NA=";
   })
   (mw-ext {
     name = "CodeMirror";
-    commit = "b16e614c3c4ba68c346b8dd7393ab005ab127441";
+    commit = "f06dfd40a08562a841ddf11b4ae3444ef06c98c7";
-    hash = "sha256-J/TJPo5Oxgpy6UQINivLKl8jzJp4k/mKv6br3kcCSMQ=";
+    hash = "sha256-5zXkBjOwFdoQezkPRJ2AcBZLZEEpGG6FawO2K3KzllI=";
   })
   (mw-ext {
     name = "DeleteBatch";
-    commit = "1b947c0f80249cf052b58138f830b379edf080bc";
+    commit = "9bc75a753efefedfc88c598fb01f18a7e4b61f00";
-    hash = "sha256-629RCz+38m2pfyJe/CrYutRoDyN1HzD0KzDdC2wwqlI=";
+    hash = "sha256-1xA758fsvoioN9xuq0hRqZKtPXMQViVLtuRINDtowdk=";
   })
   (mw-ext {
     name = "PluggableAuth";
-    commit = "56893b8ee9ecd03eaee256e08c38bc82657ee0a1";
+    commit = "64133683b73d8eeea8069fe7ed9cb7237fd5c212";
-    hash = "sha256-gvoJey7YLMk+toutQTdWxpaedNDr59E+3xXWmXWCGl0=";
+    hash = "sha256-wqpfgVLenZp6XC510nrsrbvK1IMEPcWVYq5YuAOt5+c=";
   })
   (mw-ext {
     name = "Popups";
-    commit = "6732d8d195bd8312779d8514e92bad372ef63096";
+    commit = "f74a8639f57232898978d9f3792293eb2d370e40";
-    hash = "sha256-XZzhA9UjAOUMcoGYYwiqRg2uInZ927JOZ9/IrZtarJU=";
+    hash = "sha256-uunUtN3M/ksW/kcbeIzDVTdb1P/PHTeTwaTsvspMLko=";
   })
   (mw-ext {
     name = "Scribunto";
-    commit = "fc9658623bd37fad352e326ce81b2a08ef55f04d";
+    commit = "cbab0c740e03c8e6184fd647d95e24e0826d20cb";
-    hash = "sha256-P9WQk8O9qP+vXsBS9A5eXX+bRhnfqHetbkXwU3+c1Vk=";
+    hash = "sha256-vXS3+wrUBVtPsETa19pMvud9sALGt4Ao9mM5rQRbBQc=";
   })
   (mw-ext {
     name = "SimpleSAMLphp";
     kebab-name = "simple-saml-php";
-    commit = "4c615a9203860bb908f2476a5467573e3287d224";
+    commit = "fc5ad4501434fe85198f0b1f0087d798efa91f9f";
-    hash = "sha256-zNKvzInhdW3B101Hcghk/8m0Y+Qk/7XN7n0i/x/5hSE=";
+    hash = "sha256-se0krTglo1fShJXj38bPLhw65tZC5P54Ywt7oeZrLes=";
   })
   (mw-ext {
     name = "TemplateData";
-    commit = "6884b10e603dce82ee39632f839ee5ccd8a6fbe3";
+    commit = "d37b02f6ed194138ac7193a0782bbf6efb9164f8";
-    hash = "sha256-jcLe3r5fPIrQlp89N+PdIUSC7bkdd7pTmiYppSpdKVQ=";
+    hash = "sha256-NpzVBzX7qfXkIE+jh33ndooS9GE8ZF3/Jynm22in7IQ=";
   })
   (mw-ext {
     name = "TemplateStyles";
-    commit = "f0401a6b82528c8fd5a0375f1e55e72d1211f2ab";
+    commit = "f85614c26a0057a9f418342f89214a04c9de9988";
-    hash = "sha256-tEcCNBz/i9OaE3mNrqw0J2K336BAf6it30TLhQkbtKs=";
+    hash = "sha256-XZOtM3iadjE5vavsjkx7kfJNhLZlnnFt1CN+mv6XVHQ=";
   })
   (mw-ext {
     name = "UserMerge";
-    commit = "6c138ffc65991766fd58ff4739fcb7febf097146";
+    commit = "2f2432c909a36691ca0002daf6fb304d6c182beb";
-    hash = "sha256-366Nb0ilmXixWgk5NgCuoxj82Mf0iRu1bC/L/eofAxU=";
+    hash = "sha256-ZP8Tp6u+uJxx3I39YGMmkP0sTnjAQUSaxImAJaRv+Ek=";
   })
   (mw-ext {
     name = "VisualEditor";
-    commit = "9cfcca3195bf88225844f136da90ab7a1f6dd0b9";
+    commit = "1508d49d0dd71fdc1d18badd23671441b3bc327b";
-    hash = "sha256-jHw3RnUB3bQa1OvmzhEBqadZlFPWH62iGl5BLXi3nZ4=";
+    hash = "sha256-VNiCVNrCAImAr1tS9T28KPPzzNsKPz5ELFRIBtng+So=";
   })
   (mw-ext {
     name = "WikiEditor";
-    commit = "fe5329ba7a8c71ac8236cd0e940a64de2645b780";
+    commit = "aba5e7c6701877a6b43583709751658fec606d47";
-    hash = "sha256-no6kH7esqKiZv34btidzy2zLd75SBVb8EaYVhfRPQSI=";
+    hash = "sha256-XmbQy0NXuY3oVGkkgC233kkzfBfx32HDylloGYXU/Nc=";
   })
 ]

topology/default.nix

@@ -176,26 +176,6 @@ in {
     interfaces.ens18.network = "pvv";
   };
 
-  nodes.ustetind = {
-    guestType = "proxmox LXC";
-    parent = config.nodes.powerpuff-cluster.id;
-
-    # TODO: the interface name is likely wrong
-    # interfaceGroups = [ [ "eth0" ] ];
-    interfaces.eth0 = {
-      network = "pvv";
-      # mac = "";
-      addresses = [
-        "129.241.210.234"
-        "2001:700:300:1900::234"
-      ];
-      gateways = [
-        values.hosts.gateway
-        values.hosts.gateway6
-      ];
-    };
-  };
-
   ### PVV
 
   nodes.ntnu-veggen = mkRouter "NTNU-Veggen" {

values.nix

@@ -73,10 +73,6 @@ in rec {
       ipv4 = pvv-ipv4 233;
       ipv6 = pvv-ipv6 "4:233";
     };
-    ustetind = {
-      ipv4 = pvv-ipv4 234;
-      ipv6 = pvv-ipv6 234;
-    };
     skrot = {
       ipv4 = pvv-ipv4 237;
       ipv6 = pvv-ipv6 237;