uptime-kuma: wants to use /var/lib/private for state

kommode/gitea/dump: only keep a single dump at a time
bekkalokk/roundcube: restart service on changed sops secrets
2026-05-24 23:31:12 +02:00 · 2026-05-22 17:58:00 +02:00 · 2026-05-22 18:27:57 +09:00 · 2026-05-22 18:10:44 +09:00 · 2026-05-22 18:10:40 +09:00 · 2026-05-22 18:02:13 +09:00
122 changed files with 11257 additions and 26817 deletions
--- a/.gitea/workflows/build-topology-graph.yml
+++ b/.gitea/workflows/build-topology-graph.yml
@@ -7,16 +7,13 @@ jobs:
  evals:
    runs-on: debian-latest
    steps:
    - name: Install sudo
      run: apt-get install --update --assume-yes sudo
    - uses: actions/checkout@v6
    - name: Install sudo
      run: apt-get update && apt-get -y install sudo
    - uses: https://github.com/cachix/install-nix-action@v31
    - name: Configure Nix
      run: echo -e "show-trace = true\nmax-jobs = auto\ntrusted-users = root\nexperimental-features = nix-command flakes\nbuild-users-group =" > /etc/nix/nix.conf
    - name: Build topology graph
      run: nix build .#topology -L
--- a/.gitea/workflows/eval.yml
+++ b/.gitea/workflows/eval.yml
@@ -6,8 +6,11 @@ jobs:
  evals:
    runs-on: debian-latest
    steps:
    - name: Install sudo
      run: apt-get install --update --assume-yes sudo
    - uses: actions/checkout@v6
-    - run: apt-get update && apt-get -y install sudo
+
    - uses: https://github.com/cachix/install-nix-action@v31
-    - run: echo -e "show-trace = true\nmax-jobs = auto\ntrusted-users = root\nexperimental-features = nix-command flakes\nbuild-users-group =" > /etc/nix/nix.conf
+
    - run: nix flake check
--- a/.mailmap
+++ b/.mailmap
@@ -23,3 +23,9 @@ Adrian Gunnar Lauterer <adriangl@pvv.ntnu.no> Adrian Gunnar Lauterer <adrian@lau
 Fredrik Robertsen <frero@pvv.ntnu.no> frero <frero@pvv.ntnu.no>
 Fredrik Robertsen <frero@pvv.ntnu.no> fredrikr79 <fredrikrobertsen7@gmail.com>
 Fredrik Robertsen <frero@pvv.ntnu.no> fredrik <fredrikr79@pm.me>
 Vegard Bieker Matthey <vegardbm@pvv.ntnu.no> Vegard Matthey <VegardMatthey@protonmail.com>
 Vegard Bieker Matthey <vegardbm@pvv.ntnu.no> Vegard Bieker Matthey <VegardMatthey@protonmail.com>
 Albert Bayazidi <albertba@pvv.ntnu.no> Albert <albert.bayazidi@gmail.com>
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -10,17 +10,16 @@ keys:
  - &user_vegardbm age1sqs7urnzsdy64efmd0zukzv3gs5pnjksuxd7nqmdwdy5l0nqnunq6hyune
  # Hosts
  - &host_bakke age1syted6kt48sumjjucggh6r3uca4x2ppp4mfungf3lamkt2le05csc99633
  - &host_bekkalokk age12nj59tguy9wg882updc2vjdusx5srnxmjyfaqve4zx6jnnsaw3qsyjq6zd
  - &host_bicep age19nk55kcs7s0358jpkn75xnr57dfq6fq3p43nartvsprx0su22v7qcgcjdx
-  - &host_ildkule age1x28hmzvuv6f2n66c0jtqcca3h9rput8d7j5uek6jcpx8n9egd52sqpejq0
+  - &host_ildkule age102e6y8gah0ntr6fxqnkpepc8ar29p6ls7ks9ka7v8w87q8scm9yqmc2u8d
  - &host_kommode age1mt4d0hg5g76qp7j0884llemy0k2ymr5up8vfudz6vzvsflk5nptqqd32ly
-  - &host_lupine-1 age1fkrypl6fu4ldsa7te4g3v4qsegnk7sd6qhkquuwzh04vguy96qus08902e
+  - &host_lupine-1 age18lta9d683yekz487xwtd99da236d8mgk4ftlmv2jffx858p9qf2s9j868l
-  - &host_lupine-2 age1mu0ej57n4s30ghealhyju3enls83qyjua69986la35t2yh0q2s0seruz5n
+  - &host_lupine-2 age1e0a4ru707v637wzmuxqv0xywmlkhunzgyfy4mrkjc7a23qq8msgq7nqtvt
-  - &host_lupine-3 age1j2u876z8hu87q5npfxzzpfgllyw8ypj66d7cgelmzmnrf3xud34qzkntp9
+  - &host_lupine-3 age1wmrrhd5deatmgflkas636u3rzuk46u9knl02v4t39ncs37xqquhq9vwzye
-  - &host_lupine-4 age1t8zlawqkmhye737pn8yx0z3p9cl947d9ktv2cajdc6hnvn52d3fsc59s2k
+  - &host_lupine-4 age1ml48zztcmnrdrhrdsjrlyxf09jtmjgz46u8td4zm59wn3fm4g57qs4wg0l
-  - &host_lupine-5 age199zkqq4jp4yc3d0hx2q0ksxdtp42xhmjsqwyngh8tswuck34ke3smrfyqu
+  - &host_lupine-5 age12gws5nws69vxryd3kt7q0ayngch90efmhqcrfhnnsmj00lkgxd4qsdkvqn
-  - &host_ustetind age1hffjafs4slznksefmtqrlj7rdaqgzqncn4un938rhr053237ry8s3rs0v8
+  - &host_skrot age1hzkvnktkr8t5gvtq0ccw69e44z5z6wf00n3xhk3hj24emf07je5s6q2evr
 creation_rules:
  # Global secrets
@@ -91,19 +90,6 @@ creation_rules:
      pgp:
      - *user_oysteikt
  - path_regex: secrets/ustetind/[^/]+\.yaml$
    key_groups:
    - age:
      - *host_ustetind
      - *user_danio
      - *user_felixalb
      - *user_pederbs_sopp
      - *user_pederbs_nord
      - *user_pederbs_bjarte
      - *user_vegardbm
      pgp:
      - *user_oysteikt
  - path_regex: secrets/lupine/[^/]+\.yaml$
    key_groups:
    - age:
@@ -121,10 +107,10 @@ creation_rules:
      pgp:
      - *user_oysteikt
-  - path_regex: secrets/bakke/[^/]+\.yaml$
+  - path_regex: secrets/skrot/[^/]+\.yaml$
    key_groups:
    - age:
-      - *host_bakke
+      - *host_skrot
      - *user_danio
      - *user_felixalb
      - *user_pederbs_sopp
@@ -133,14 +119,3 @@ creation_rules:
      - *user_vegardbm
      pgp:
      - *user_oysteikt
  - path_regex: secrets/skrott/[^/]+\.yaml$
    key_groups:
    - age:
      - *user_danio
      - *user_felixalb
      - *user_pederbs_sopp
      - *user_pederbs_nord
      - *user_pederbs_bjarte
      pgp:
      - *user_oysteikt
--- a/README.md
+++ b/README.md
@@ -39,10 +39,12 @@ revert the changes on the next nightly rebuild (tends to happen when everybody i
 |  bikkje                    | Virtual  | Experimental login box                                    |
 | [brzeczyszczykiewicz][brz] | Physical | Shared music player                                       |
 | [georg][geo]               | Physical | Shared music player                                       |
 | [gluttony][glu]            | Virtual  | General purpose compute                                   |
 | [ildkule][ild]             | Virtual  | Logging and monitoring host, prometheus, grafana, ...     |
 | [kommode][kom]             | Virtual  | Gitea + Gitea pages                                       |
 | [lupine][lup]              | Physical | Gitea CI/CD runners                                       |
 |  shark                     | Virtual  | Test host for authentication, absolutely horrendous       |
 | [skrot][skr]               | Physical | Kiosk, snacks and soda                                    |
 | [wenche][wen]              | Virtual  | Nix-builders, general purpose compute                     |
 ## Documentation
@@ -56,7 +58,9 @@ revert the changes on the next nightly rebuild (tends to happen when everybody i
 [bic]: https://wiki.pvv.ntnu.no/wiki/Maskiner/bicep
 [brz]: https://wiki.pvv.ntnu.no/wiki/Maskiner/brzęczyszczykiewicz
 [geo]: https://wiki.pvv.ntnu.no/wiki/Maskiner/georg
 [glu]: https://wiki.pvv.ntnu.no/wiki/Maskiner/gluttony
 [ild]: https://wiki.pvv.ntnu.no/wiki/Maskiner/ildkule
 [kom]: https://wiki.pvv.ntnu.no/wiki/Maskiner/kommode
 [lup]: https://wiki.pvv.ntnu.no/wiki/Maskiner/lupine
 [skr]: https://wiki.pvv.ntnu.no/wiki/Maskiner/Skrot
 [wen]: https://wiki.pvv.ntnu.no/wiki/Maskiner/wenche
--- a/base/default.nix
+++ b/base/default.nix
@@ -10,7 +10,10 @@
    (fp /users)
    (fp /modules/snakeoil-certs.nix)
    ./mitigations.nix
    ./flake-input-exporter.nix
    ./hardening.nix
    ./networking.nix
    ./nix.nix
    ./programs.nix
@@ -20,6 +23,7 @@
    ./services/acme.nix
    ./services/auto-upgrade.nix
    ./services/dbus.nix
    ./services/fluentbit.nix
    ./services/fwupd.nix
    ./services/irqbalance.nix
    ./services/journald-upload.nix
@@ -30,7 +34,6 @@
    ./services/postfix.nix
    ./services/prometheus-node-exporter.nix
    ./services/prometheus-systemd-exporter.nix
    ./services/promtail.nix
    ./services/roowho2.nix
    ./services/smartd.nix
    ./services/thermald.nix
@@ -68,8 +71,6 @@
    fi
  '';
  # security.lockKernelModules = true;
  security.protectKernelImage = true;
  security.sudo.execWheelOnly = true;
  security.sudo.extraConfig = ''
    Defaults lecture = never
@@ -81,7 +82,7 @@
    AllowHibernation=no
  '';
-  users.mutableUsers = lib.mkDefault false;
+  # users.mutableUsers = lib.mkDefault false;
  users.groups."drift".name = "drift";
--- a/base/hardening.nix
+++ b/base/hardening.nix
@@ -0,0 +1,71 @@
 { ... }:
 {
  boot.blacklistedKernelModules = [
    # Obscure network protocols
    "appletalk"
    "atm"
    "ax25"
    "batman-adv"
    "can"
    "dccp"
    "ipx"
    "llc"
    "n-hdlc"
    "netrom"
    "p8022"
    "p8023"
    "psnap"
    "rds"
    "rose"
    "sctp"
    "tipc"
    # Filesystems we don't use
    "adfs"
    "affs"
    "befs"
    "bfs"
    "cifs"
    "cramfs"
    "efs"
    "exofs"
    "freevxfs"
    "gfs2"
    "hfs"
    "hfsplus"
    "hpfs"
    "jffs2"
    "jfs"
    "minix"
    "nilfs2"
    "ntfs"
    "omfs"
    "orangefs"
    "qnx4"
    "qnx6"
    "sysv"
    "ubifs"
    "udf"
    "ufs"
    # Legacy hardware
    "pcspkr"
    "floppy"
    "parport"
    "ppdev"
    # Other stuff we don't use
    "firewire-core"
    "firewire-ohci"
    "ksmbd"
    "ib_core"
    "l2tp_eth"
    "l2tp_netlink"
    "l2tp_ppp"
    "nfc"
    "soundwire"
  ];
  # security.lockKernelModules = true;
  security.protectKernelImage = true;
 }
--- a/base/mitigations.nix
+++ b/base/mitigations.nix
@@ -0,0 +1,24 @@
 { pkgs, lib, ... }:
 let
  modulesToBan = [
    # copy.fail
    "af_alg"
    "algif_aead"
    "algif_hash"
    "algif_rng"
    "algif_skcipher"
    # dirtyfrag / Fragnesia
    "esp4"
    "esp6"
    "rxrpc"
    # PinTheft
    "rds"
  ];
 in
 {
  boot.blacklistedKernelModules = modulesToBan;
  boot.extraModprobeConfig = lib.concatMapStringsSep "\n" (mod: "install ${mod} ${lib.getExe' pkgs.coreutils "false"}") modulesToBan;
 }
--- a/base/programs.nix
+++ b/base/programs.nix
@@ -13,9 +13,15 @@
    # Debug and find files
    file
    # Process json data
    jq
    # Check computer specs
    lshw
    # Check who is keeping open files
    lsof
    # Scan for open ports with netstat
    net-tools
@@ -54,6 +60,8 @@
  programs.nano.enable = true;
  # Same reasoning as nano
  programs.vim.enable = true;
  # Same reasoning as vim
  programs.neovim.enable = true;
  # Some people like this shell for some reason
  programs.zsh.enable = true;
--- a/base/services/acme.nix
+++ b/base/services/acme.nix
@@ -8,8 +8,6 @@
  # Let's not spam LetsEncrypt in `nixos-rebuild build-vm` mode:
  virtualisation.vmVariant = {
    security.acme.defaults.server = "https://127.0.0.1";
    security.acme.preliminarySelfsigned = true;
    users.users.root.initialPassword = "root";
  };
 }
--- a/base/services/auto-upgrade.nix
+++ b/base/services/auto-upgrade.nix
@@ -28,7 +28,7 @@ in
  # workaround for https://github.com/NixOS/nix/issues/6895
  # via https://git.lix.systems/lix-project/lix/issues/400
-  environment.etc = lib.mkIf (!config.virtualisation.isVmVariant) {
+  environment.etc = lib.mkIf (!config.virtualisation.isVmVariant && config.system.autoUpgrade.enable) {
    "current-system-flake-inputs.json".source
      = pkgs.writers.writeJSON "flake-inputs.json" (
        lib.flip lib.mapAttrs inputs (name: input:
--- a/base/services/fluentbit.nix
+++ b/base/services/fluentbit.nix
@@ -0,0 +1,135 @@
 { config, lib, ... }:
 let
  cfg = config.services.fluent-bit;
 in
 {
  services.fluent-bit = {
    enable = lib.mkDefault true;
    settings = {
      service = {
        flush = 1;
        log_level = "warn";
        http_server = "on";
        http_listen = "127.0.0.1";
        http_port = 28183;
        # filesystem-backed buffering so logs survives potential outages.
        "storage.path" = "/var/lib/fluent-bit/storage";
        "storage.sync" = "normal";
        "storage.max_chunks_up" = 64;
        "storage.backlog.mem_limit" = "16M";
      };
      pipeline = {
        inputs = [{
          name = "systemd";
          tag = "journal.*";
          db = "/var/lib/fluent-bit/journal.db";
          read_from_tail = true;
          strip_underscores = true;
          lowercase = true;
          max_entries = 1000;
          "storage.type" = "filesystem";
        }];
        filters = [{
          name = "modify";
          match = "journal.*";
          rename = [
            "hostname host"
            "priority level"
            "systemd_unit unit"
          ];
        }] ++ (lib.mapAttrsToList (k: v: {
          name = "modify";
          match = "journal.*";
          condition = "Key_value_equals level ${k}";
          set = "level ${v}";
        }) {
          "7" = "debug";
          "6" = "info";
          "5" = "notice";
          "4" = "warning";
          "3" = "error";
          "2" = "crit";
          "1" = "alert";
          "0" = "emergency";
        });
        outputs = [{
          name = "loki";
          match = "*";
          host = "ildkule.pvv.ntnu.no";
          port = 3100;
          uri = "/loki/api/v1/push";
          compress = "gzip";
          labels = lib.concatStringsSep ", " [
            "job=systemd-journal"
          ];
          label_keys = lib.concatMapStringsSep "," (k: "$" + k) [
            "host"
            "unit"
            "level"
          ];
          # JSON is probably fine for now, then we just extract the keys we want with the grafana web ui
          # line_format = "key_value";
          # drop_single_key = true;
          "storage.total_limit_size" = "256M";
        }];
      };
    };
  };
  systemd.services.fluent-bit = lib.mkIf cfg.enable {
    serviceConfig = {
      StateDirectory = "fluent-bit";
      # NOTE: This hardening might be way too strong for general purpose use, don't upstream this.
      AmbientCapabilities = [ "" ];
      CapabilityBoundingSet = [ "" ];
      DeviceAllow = [ "" ];
      LockPersonality = true;
      # Lua JIT, maybe other things
      MemoryDenyWriteExecute = false;
      NoNewPrivileges = true;
      PrivateDevices = true;
      PrivateMounts = true;
      PrivateTmp = true;
      PrivateUsers = true;
      ProtectClock = true;
      ProtectControlGroups = true;
      ProtectHome = true;
      ProtectHostname = true;
      ProtectKernelLogs = true;
      ProtectKernelModules = true;
      ProtectKernelTunables = true;
      ProtectProc = "invisible";
      ProtectSystem = "strict";
      RestrictAddressFamilies = [
        "AF_INET"
        "AF_INET6"
        "AF_UNIX"
      ];
      RestrictNamespaces = true;
      RestrictRealtime = true;
      RestrictSUIDSGID = true;
      SystemCallArchitectures = "native";
      SystemCallFilter = [
        "@system-service"
        "~@privileged"
        "~@resources"
      ];
      UMask = "0077";
      BindReadOnlyPaths = [
        "/run/systemd/journal"
      ];
    };
  };
 }
--- a/base/services/promtail.nix
+++ b/base/services/promtail.nix
@@ -1,38 +0,0 @@
 { config, lib, values, ... }:
 let
  cfg = config.services.prometheus.exporters.node;
 in
 {
  services.promtail = {
    enable = lib.mkDefault true;
    configuration = {
      server = {
        http_listen_port = 28183;
        grpc_listen_port = 0;
      };
      clients = [{
        url = "http://ildkule.pvv.ntnu.no:3100/loki/api/v1/push";
      }];
      scrape_configs = [{
        job_name = "systemd-journal";
        journal = {
          max_age = "12h";
          labels = {
            job = "systemd-journal";
            host = config.networking.hostName;
          };
        };
        relabel_configs = [
          {
            source_labels = [ "__journal__systemd_unit" ];
            target_label = "unit";
          }
          {
            source_labels = [ "__journal_priority_keyword" ];
            target_label = "level";
          }
        ];
      }];
    };
  };
 }
--- a/base/vm.nix
+++ b/base/vm.nix
@@ -11,5 +11,6 @@
  };
  config.virtualisation.vmVariant = {
    virtualisation.isVmVariant = true;
    virtualisation.graphics = false;
  };
 }
--- a/docs/secret-management.md
+++ b/docs/secret-management.md
@@ -151,7 +151,7 @@ is up to date, you can do the following:
 ```console
 # Fetch gpg (unless you have it already)
-nix-shell -p gpg
+nix shell nixpkgs#gnupg
 # Import oysteikts key to the gpg keychain
 gpg --import ./keys/oysteikt.pub
--- a/flake.lock
+++ b/flake.lock
@@ -1,18 +1,32 @@
 {
  "nodes": {
    "crane": {
      "locked": {
        "lastModified": 1776635034,
        "narHash": "sha256-OEOJrT3ZfwbChzODfIH4GzlNTtOFuZFWPtW7jIeR8xU=",
        "owner": "ipetkov",
        "repo": "crane",
        "rev": "dc7496d8ea6e526b1254b55d09b966e94673750f",
        "type": "github"
      },
      "original": {
        "owner": "ipetkov",
        "repo": "crane",
        "type": "github"
      }
    },
    "dibbler": {
      "inputs": {
        "flake-utils": "flake-utils",
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
-        "lastModified": 1768138611,
+        "lastModified": 1771267058,
-        "narHash": "sha256-KfZX6wpuwE2IRKLjh0DrEviE4f6kqLJWwKIE5QJSqa4=",
+        "narHash": "sha256-EEL4SmD1b3BPJPsSJJ4wDTXWMumJqbR+BLzhJJG0skE=",
        "ref": "main",
-        "rev": "cb385097dcda5fb9772f903688d078b30a66ccd4",
+        "rev": "e3962d02c78b9c7b4d18148d931a9a4bf22e7902",
-        "revCount": 221,
+        "revCount": 254,
        "type": "git",
        "url": "https://git.pvv.ntnu.no/Projects/dibbler.git"
      },
@@ -48,11 +62,11 @@
        "nixpkgs-lib": "nixpkgs-lib"
      },
      "locked": {
-        "lastModified": 1765835352,
+        "lastModified": 1772408722,
-        "narHash": "sha256-XswHlK/Qtjasvhd1nOa1e8MgZ8GS//jBoTqWtrS1Giw=",
+        "narHash": "sha256-rHuJtdcOjK7rAHpHphUb1iCvgkU3GpfvicLMwwnfMT0=",
        "owner": "hercules-ci",
        "repo": "flake-parts",
-        "rev": "a34fae9c08a15ad73f295041fec82323541400a9",
+        "rev": "f20dc5d9b8027381c474144ecabc9034d6a839a3",
        "type": "github"
      },
      "original": {
@@ -61,35 +75,18 @@
        "type": "github"
      }
    },
    "flake-utils": {
      "inputs": {
        "systems": "systems"
      },
      "locked": {
        "lastModified": 1731533236,
        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
        "owner": "numtide",
        "repo": "flake-utils",
        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
        "type": "github"
      },
      "original": {
        "id": "flake-utils",
        "type": "indirect"
      }
    },
    "gergle": {
      "inputs": {
        "nixpkgs": [
-          "nixpkgs"
+          "nixpkgs-unstable"
        ]
      },
      "locked": {
-        "lastModified": 1767906545,
+        "lastModified": 1777067150,
-        "narHash": "sha256-LOf08pcjEQFLs3dLPuep5d1bAXWOFcdfxuk3YMb5KWw=",
+        "narHash": "sha256-vqPz8jCS1zTQlvmgctUFpvnr6f9ISR5h7CPG/HgQvf0=",
        "ref": "main",
-        "rev": "e55cbe0ce0b20fc5952ed491fa8a553c8afb1bdd",
+        "rev": "b452a854fb78d6df9fe062b45e23a968657d115d",
-        "revCount": 23,
+        "revCount": 35,
        "type": "git",
        "url": "https://git.pvv.ntnu.no/Grzegorz/gergle.git"
      },
@@ -102,15 +99,15 @@
    "greg-ng": {
      "inputs": {
        "nixpkgs": [
-          "nixpkgs"
+          "nixpkgs-unstable"
        ],
        "rust-overlay": "rust-overlay"
      },
      "locked": {
-        "lastModified": 1767906494,
+        "lastModified": 1777019032,
-        "narHash": "sha256-Dd6gtdZfRMAD6JhdX0GdJwIHVaBikePSpQXhIdwLlWI=",
+        "narHash": "sha256-29lw7THThWb5DW01rVRj1b816Apwz/P4m2wVWaSIadU=",
        "ref": "main",
-        "rev": "7258822e2e90fea2ea00b13b5542f63699e33a9e",
+        "rev": "55262afca46c96f75a834d4e00e30d5fb20affb6",
        "revCount": 61,
        "type": "git",
        "url": "https://git.pvv.ntnu.no/Grzegorz/greg-ng.git"
@@ -192,11 +189,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1768749374,
+        "lastModified": 1769500363,
-        "narHash": "sha256-dhXYLc64d7TKCnRPW4TlHGl6nLRNdabJB2DpJ8ffUw0=",
+        "narHash": "sha256-vFxmdsLBPdTy5j2bf54gbTQi1XnWbZDmeR/BBh8MFrw=",
        "ref": "main",
-        "rev": "040294f2e1df46e33d995add6944b25859654097",
+        "rev": "2618e434e40e109eaab6a0693313c7e0de7324a3",
-        "revCount": 37,
+        "revCount": 47,
        "type": "git",
        "url": "https://git.pvv.ntnu.no/Projects/minecraft-kartverket.git"
      },
@@ -213,11 +210,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1767906352,
+        "lastModified": 1770960722,
-        "narHash": "sha256-wYsH9MMAPFG3XTL+3DwI39XMG0F2fTmn/5lt265a3Es=",
+        "narHash": "sha256-IdhPsWFZUKSJh/nLjGLJvGM5d5Uta+k1FlVYPxTZi0E=",
        "ref": "main",
-        "rev": "d054c5d064b8ed6d53a0adb0cf6c0a72febe212e",
+        "rev": "c2e4aca7e1ba27cd09eeaeab47010d32a11841b2",
-        "revCount": 13,
+        "revCount": 15,
        "type": "git",
        "url": "https://git.pvv.ntnu.no/Drift/nix-gitea-themes.git"
      },
@@ -235,11 +232,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1768955766,
+        "lastModified": 1778407980,
-        "narHash": "sha256-V9ns1OII7sWSbIDwPkiqmJ3Xu/bHgQzj+asgH9cTpOo=",
+        "narHash": "sha256-r980BhsReZQe6FkmyNZkwCZpvzARo5jZgTl8HxjAssY=",
        "owner": "oddlama",
        "repo": "nix-topology",
-        "rev": "71f27de56a03f6d8a1a72cf4d0dfd780bcc075bc",
+        "rev": "ca0a602f650306d00d6f3e3c76d0f4c48a5c5adc",
        "type": "github"
      },
      "original": {
@@ -251,11 +248,11 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1768877948,
+        "lastModified": 1778544512,
-        "narHash": "sha256-Bq9Hd6DWCBaZ2GkwvJCWGnpGOchaD6RWPSCFxmSmupw=",
+        "narHash": "sha256-VIsPgfIpZ/01XUO6WN+o1NZbP5iKPKPHdHPWqfm4XIg=",
-        "rev": "43b2e61c9d09cf6c1c9c192fe6da08accc9bfb1d",
+        "rev": "c417517f9d525181ee5619c683419d308ee29fe8",
        "type": "tarball",
-        "url": "https://releases.nixos.org/nixos/25.11-small/nixos-25.11.4368.43b2e61c9d09/nixexprs.tar.xz"
+        "url": "https://releases.nixos.org/nixos/25.11-small/nixos-25.11.10745.c417517f9d52/nixexprs.tar.xz"
      },
      "original": {
        "type": "tarball",
@@ -264,11 +261,11 @@
    },
    "nixpkgs-lib": {
      "locked": {
-        "lastModified": 1765674936,
+        "lastModified": 1772328832,
-        "narHash": "sha256-k00uTP4JNfmejrCLJOwdObYC9jHRrr/5M/a/8L2EIdo=",
+        "narHash": "sha256-e+/T/pmEkLP6BHhYjx6GmwP5ivonQQn0bJdH9YrRB+Q=",
        "owner": "nix-community",
        "repo": "nixpkgs.lib",
-        "rev": "2075416fcb47225d9b68ac469a5c4801a9c4dd85",
+        "rev": "c185c7a5e5dd8f9add5b2f8ebeff00888b070742",
        "type": "github"
      },
      "original": {
@@ -279,11 +276,11 @@
    },
    "nixpkgs-unstable": {
      "locked": {
-        "lastModified": 1768886240,
+        "lastModified": 1778586796,
-        "narHash": "sha256-HUAAI7AF+/Ov1u3Vvjs4DL91zTxMkWLC4xJgQ9QxOUQ=",
+        "narHash": "sha256-XmDljcG4x8slQDlsWOc77pCA1YVuYn8JGumkYlhfTxI=",
-        "rev": "80e4adbcf8992d3fd27ad4964fbb84907f9478b0",
+        "rev": "b25e938b89759b5f9466fc53c4a970244f84dc39",
        "type": "tarball",
-        "url": "https://releases.nixos.org/nixos/unstable-small/nixos-26.05pre930839.80e4adbcf899/nixexprs.tar.xz"
+        "url": "https://releases.nixos.org/nixos/unstable-small/nixos-26.05pre996582.b25e938b8975/nixexprs.tar.xz"
      },
      "original": {
        "type": "tarball",
@@ -318,11 +315,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1768636400,
+        "lastModified": 1778960428,
-        "narHash": "sha256-AiSKT4/25LS1rUlPduBMogf4EbdMQYDY1rS7AvHFcxk=",
+        "narHash": "sha256-YAs3LbFGlBLJW3xHeoQfTq2GBBXTvuSKl2WXDtloczU=",
        "ref": "main",
-        "rev": "3a8f82b12a44e6c4ceacd6955a290a52d1ee2856",
+        "rev": "927748790b1f7159adfe32a3ad9ec01d22e9c5a2",
-        "revCount": 573,
+        "revCount": 583,
        "type": "git",
        "url": "https://git.pvv.ntnu.no/Projects/nettsiden.git"
      },
@@ -376,22 +373,24 @@
    },
    "roowho2": {
      "inputs": {
        "crane": "crane",
        "nixpkgs": [
          "nixpkgs"
        ],
        "rust-overlay": "rust-overlay_3"
      },
      "locked": {
-        "lastModified": 1768140181,
+        "lastModified": 1778600367,
-        "narHash": "sha256-HfZzup5/jlu8X5vMUglTovVTSwhHGHwwV1YOFIL/ksA=",
+        "narHash": "sha256-YB0b2xUf4D8792D5Ay//7C3AjHyv+9yoy8K1mTe+wvE=",
        "ref": "main",
-        "rev": "834463ed64773939798589ee6fd4adfe3a97dddd",
+        "rev": "8e5f2849ff7c9616100fe928261512a7ad647939",
-        "revCount": 43,
+        "revCount": 91,
        "type": "git",
        "url": "https://git.pvv.ntnu.no/Projects/roowho2.git"
      },
      "original": {
        "ref": "main",
        "rev": "8e5f2849ff7c9616100fe928261512a7ad647939",
        "type": "git",
        "url": "https://git.pvv.ntnu.no/Projects/roowho2.git"
      }
@@ -404,11 +403,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1767840362,
+        "lastModified": 1777000482,
-        "narHash": "sha256-ZtsFqUhilubohNZ1TgpQIFsi4biZTwRH9rjZsDRDik8=",
+        "narHash": "sha256-CZ5FKUSA8FCJf0h9GWdPJXoVVDL9H5yC74GkVc5ubIM=",
        "owner": "oxalica",
        "repo": "rust-overlay",
-        "rev": "d159ea1fc321c60f88a616ac28bab660092a227d",
+        "rev": "403c09094a877e6c4816462d00b1a56ff8198e06",
        "type": "github"
      },
      "original": {
@@ -446,11 +445,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1767322002,
+        "lastModified": 1776914043,
-        "narHash": "sha256-yHKXXw2OWfIFsyTjduB4EyFwR0SYYF0hK8xI9z4NIn0=",
+        "narHash": "sha256-qug5r56yW1qOsjSI99l3Jm15JNT9CvS2otkXNRNtrPI=",
        "owner": "oxalica",
        "repo": "rust-overlay",
-        "rev": "03c6e38661c02a27ca006a284813afdc461e9f7e",
+        "rev": "2d35c4358d7de3a0e606a6e8b27925d981c01cc3",
        "type": "github"
      },
      "original": {
@@ -466,11 +465,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1768863606,
+        "lastModified": 1777944972,
-        "narHash": "sha256-1IHAeS8WtBiEo5XiyJBHOXMzECD6aaIOJmpQKzRRl64=",
+        "narHash": "sha256-VfGRo1qTBKOe3s2gOv8LSoA6Fk19PvBlwQ1ECN0Evn8=",
        "owner": "Mic92",
        "repo": "sops-nix",
-        "rev": "c7067be8db2c09ab1884de67ef6c4f693973f4a2",
+        "rev": "c591bf665727040c6cc5cb409079acb22dcce33c",
        "type": "github"
      },
      "original": {
@@ -479,21 +478,6 @@
        "repo": "sops-nix",
        "type": "github"
      }
    },
    "systems": {
      "locked": {
        "lastModified": 1681028828,
        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
        "owner": "nix-systems",
        "repo": "default",
        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
        "type": "github"
      },
      "original": {
        "owner": "nix-systems",
        "repo": "default",
        "type": "github"
      }
    }
  },
  "root": "root",
--- a/flake.nix
+++ b/flake.nix
@@ -32,13 +32,13 @@
    minecraft-heatmap.url = "git+https://git.pvv.ntnu.no/Projects/minecraft-heatmap.git?ref=main";
    minecraft-heatmap.inputs.nixpkgs.follows = "nixpkgs";
-    roowho2.url = "git+https://git.pvv.ntnu.no/Projects/roowho2.git?ref=main";
+    roowho2.url = "git+https://git.pvv.ntnu.no/Projects/roowho2.git?ref=main&rev=8e5f2849ff7c9616100fe928261512a7ad647939";
    roowho2.inputs.nixpkgs.follows = "nixpkgs";
    greg-ng.url = "git+https://git.pvv.ntnu.no/Grzegorz/greg-ng.git?ref=main";
-    greg-ng.inputs.nixpkgs.follows = "nixpkgs";
+    greg-ng.inputs.nixpkgs.follows = "nixpkgs-unstable";
    gergle.url = "git+https://git.pvv.ntnu.no/Grzegorz/gergle.git?ref=main";
-    gergle.inputs.nixpkgs.follows = "nixpkgs";
+    gergle.inputs.nixpkgs.follows = "nixpkgs-unstable";
    grzegorz-clients.url = "git+https://git.pvv.ntnu.no/Grzegorz/grzegorz-clients.git?ref=master";
    grzegorz-clients.inputs.nixpkgs.follows = "nixpkgs";
@@ -49,8 +49,14 @@
    qotd.inputs.nixpkgs.follows = "nixpkgs";
  };
-  outputs = { self, nixpkgs, nixpkgs-unstable, sops-nix, disko, ... }@inputs:
+  outputs = {
-  let
+    self,
    nixpkgs,
    nixpkgs-unstable,
    sops-nix,
    disko,
    ...
  } @ inputs: let
    inherit (nixpkgs) lib;
    systems = [
      "x86_64-linux"
@@ -62,9 +68,11 @@
    importantMachines = [
      "bekkalokk"
      "bicep"
      "brzeczyszczykiewicz"
      "georg"
      "ildkule"
      "kommode"
      "lupine-1"
      "skrot"
    ];
  in {
    inputs = lib.mapAttrs (_: src: src.outPath) inputs;
@@ -72,7 +80,8 @@
    pkgs = forAllSystems (system:
      import nixpkgs {
        inherit system;
-        config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg)
+        config.allowUnfreePredicate = pkg:
          builtins.elem (lib.getName pkg)
          [
            "nvidia-x11"
            "nvidia-settings"
@@ -80,55 +89,74 @@
      });
    nixosConfigurations = let
-      unstablePkgs = nixpkgs-unstable.legacyPackages.x86_64-linux;
+      nixosConfig = nixpkgs: name: configurationPath: extraArgs @ {
-
+        localSystem ? "x86_64-linux", # buildPlatform
-      nixosConfig =
+        crossSystem ? "x86_64-linux", # hostPlatform
        nixpkgs:
        name:
        configurationPath:
        extraArgs@{
          system ? "x86_64-linux",
        specialArgs ? {},
        modules ? [],
        overlays ? [],
        enableDefaults ? true,
        ...
-        }:
+      }: let
-        lib.nixosSystem (lib.recursiveUpdate
+        commonPkgsConfig =
          {
-          inherit system;
+            config.allowUnfreePredicate = pkg:
-
+              builtins.elem (lib.getName pkg)
          specialArgs = {
            inherit unstablePkgs inputs;
            values = import ./values.nix;
            fp = path: ./${path};
          } // specialArgs;
          modules = [
            {
              networking.hostName = lib.mkDefault name;
            }
            configurationPath
          ] ++ (lib.optionals enableDefaults [
            sops-nix.nixosModules.sops
            inputs.roowho2.nixosModules.default
          ]) ++ modules;
          pkgs = import nixpkgs {
            inherit system;
            config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg)
              [
                "nvidia-x11"
                "nvidia-settings"
              ];
-            overlays = (lib.optionals enableDefaults [
+            overlays =
              (lib.optionals enableDefaults [
                # Global overlays go here
                inputs.roowho2.overlays.default
-            ]) ++ overlays;
+              ])
-          };
+              ++ overlays;
          }
          // (
            if localSystem != crossSystem
            then {
              inherit localSystem crossSystem;
            }
            else {
              system = crossSystem;
            }
          );
        pkgs = import nixpkgs commonPkgsConfig;
        unstablePkgs = import nixpkgs-unstable commonPkgsConfig;
      in
        lib.nixosSystem (
          lib.recursiveUpdate
          {
            system = crossSystem;
            inherit pkgs;
            specialArgs =
              {
                inherit inputs unstablePkgs;
                values = import ./values.nix;
                fp = path: ./${path};
              }
              // specialArgs;
            modules =
              [
                {
                  networking.hostName = lib.mkDefault name;
                }
                configurationPath
              ]
              ++ (lib.optionals enableDefaults [
                sops-nix.nixosModules.sops
                inputs.roowho2.nixosModules.default
                self.nixosModules.rsync-pull-targets
              ])
              ++ modules;
          }
          (builtins.removeAttrs extraArgs [
-          "system"
+            "localSystem"
            "crossSystem"
            "modules"
            "overlays"
            "specialArgs"
@@ -138,12 +166,8 @@
      stableNixosConfig = name: extraArgs:
        nixosConfig nixpkgs name ./hosts/${name}/configuration.nix extraArgs;
-    in {
+    in
-      bakke = stableNixosConfig "bakke" {
+      {
        modules = [
          disko.nixosModules.disko
        ];
      };
        bicep = stableNixosConfig "bicep" {
          modules = [
            inputs.matrix-next.nixosModules.default
@@ -163,7 +187,6 @@
        bekkalokk = stableNixosConfig "bekkalokk" {
          overlays = [
            (final: prev: {
            heimdal = unstablePkgs.heimdal;
              mediawiki-extensions = final.callPackage ./packages/mediawiki-extensions {};
              simplesamlphp = final.callPackage ./packages/simplesamlphp {};
              bluemap = final.callPackage ./packages/bluemap.nix {};
@@ -177,8 +200,19 @@
            inputs.qotd.nixosModules.default
          ];
        };
-      ildkule = stableNixosConfig "ildkule" { };
+        ildkule = stableNixosConfig "ildkule" {
          modules = [
            inputs.disko.nixosModules.disko
          ];
        };
        #ildkule-unstable = unstableNixosConfig "ildkule" { };
        skrot = stableNixosConfig "skrot" {
          modules = [
            inputs.disko.nixosModules.disko
            inputs.dibbler.nixosModules.default
          ];
          overlays = [inputs.dibbler.overlays.default];
        };
        shark = stableNixosConfig "shark" {};
        wenche = stableNixosConfig "wenche" {};
        temmie = stableNixosConfig "temmie" {};
@@ -190,12 +224,7 @@
          ];
          modules = [
            inputs.nix-gitea-themes.nixosModules.default
-        ];
+            inputs.disko.nixosModules.disko
      };
      ustetind = stableNixosConfig "ustetind" {
        modules = [
         "${nixpkgs}/nixos/modules/virtualisation/lxc-container.nix"
          ];
        };
@@ -221,38 +250,40 @@
            inputs.gergle.overlays.default
          ];
        };
      skrott = stableNixosConfig "skrott" {
        system = "aarch64-linux";
        modules = [
          (nixpkgs + "/nixos/modules/installer/sd-card/sd-image-aarch64.nix")
          inputs.dibbler.nixosModules.default
        ];
        overlays = [
          inputs.dibbler.overlays.default
        ];
      };
      }
-    //
+      // (let
    (let
        machineNames = map (i: "lupine-${toString i}") (lib.range 1 5);
        stableLupineNixosConfig = name: extraArgs:
          nixosConfig nixpkgs name ./hosts/lupine/configuration.nix extraArgs;
-    in lib.genAttrs machineNames (name: stableLupineNixosConfig name {
+      in
        lib.genAttrs machineNames (name:
          stableLupineNixosConfig name {
            modules = [{networking.hostName = name;}];
            specialArgs.lupineName = name;
          }));
    nixosModules = {
      bluemap = ./modules/bluemap.nix;
      snakeoil-certs = ./modules/snakeoil-certs.nix;
      snappymail = ./modules/snappymail.nix;
      robots-txt = ./modules/robots-txt.nix;
      gickup = ./modules/gickup;
      matrix-ooye = ./modules/matrix-ooye.nix;
      robots-txt = ./modules/robots-txt.nix;
      rsync-pull-targets = ./modules/rsync-pull-targets.nix;
      snakeoil-certs = ./modules/snakeoil-certs.nix;
      snappymail = ./modules/snappymail.nix;
    };
    devShells = forAllSystems (system: {
-      default = nixpkgs-unstable.legacyPackages.${system}.callPackage ./shell.nix { };
+      default = let
        pkgs = import nixpkgs-unstable {
          inherit system;
          overlays = [
            (final: prev: {
              inherit (inputs.disko.packages.${system}) disko;
            })
          ];
        };
      in
        pkgs.callPackage ./shell.nix {};
      cuda = let
        cuda-pkgs = import nixpkgs-unstable {
          inherit system;
@@ -261,18 +292,23 @@
            cudaSupport = true;
          };
        };
-      in cuda-pkgs.callPackage ./shells/cuda.nix { };
+      in
        cuda-pkgs.callPackage ./shells/cuda.nix {};
    });
    packages = {
      "x86_64-linux" = let
-        pkgs = nixpkgs.legacyPackages."x86_64-linux";
+        system = "x86_64-linux";
-      in rec {
+        pkgs = nixpkgs.legacyPackages.${system};
      in
        rec {
          default = important-machines;
-        important-machines = pkgs.linkFarm "important-machines"
+          important-machines =
-          (lib.getAttrs importantMachines self.packages.x86_64-linux);
+            pkgs.linkFarm "important-machines"
-        all-machines = pkgs.linkFarm "all-machines"
+            (lib.getAttrs importantMachines self.packages.${system});
-          (lib.getAttrs allMachines self.packages.x86_64-linux);
+          all-machines =
            pkgs.linkFarm "all-machines"
            (lib.getAttrs allMachines self.packages.${system});
          simplesamlphp = pkgs.callPackage ./packages/simplesamlphp {};
@@ -292,20 +328,15 @@
        lib.genAttrs allMachines
        (machine: self.nixosConfigurations.${machine}.config.system.build.toplevel)
        //
      # Skrott is exception
      {
        skrott = self.nixosConfigurations.skrott.config.system.build.sdImage;
      }
      //
        # Nix-topology
        (let
          topology' = import inputs.nix-topology {
            pkgs = import nixpkgs {
-            system = "x86_64-linux";
+              inherit system;
              overlays = [
                inputs.nix-topology.overlays.default
                (final: prev: {
-                inherit (nixpkgs-unstable.legacyPackages.x86_64-linux) super-tiny-icons;
+                  inherit (nixpkgs-unstable.legacyPackages.${system}) super-tiny-icons;
                })
              ];
            };
@@ -317,7 +348,8 @@
            modules = [
              ./topology
              {
-              nixosConfigurations = lib.mapAttrs (_name: nixosCfg: nixosCfg.extendModules {
+                nixosConfigurations = lib.mapAttrs (_name: nixosCfg:
                  nixosCfg.extendModules {
                    modules = [
                      inputs.nix-topology.nixosModules.default
                      ./topology/service-extractors/greg-ng.nix
@@ -325,13 +357,15 @@
                      ./topology/service-extractors/mysql.nix
                      ./topology/service-extractors/gitea-runners.nix
                    ];
-              }) self.nixosConfigurations;
+                  })
                self.nixosConfigurations;
              }
            ];
          };
        in {
          topology = topology'.config.output;
-        topology-png = pkgs.runCommand "pvv-config-topology-png" {
+          topology-png =
            pkgs.runCommand "pvv-config-topology-png" {
              nativeBuildInputs = [pkgs.writableTmpDirAsHomeHook];
            } ''
              mkdir -p "$out"
--- a/hosts/bakke/configuration.nix
+++ b/hosts/bakke/configuration.nix
@@ -1,18 +0,0 @@
 { config, pkgs, values, ... }:
 {
  imports = [
      ./hardware-configuration.nix
      ../../base
      ./filesystems.nix
    ];
  networking.hostId = "99609ffc";
  systemd.network.networks."30-enp2s0" = values.defaultNetworkConfig // {
    matchConfig.Name = "enp2s0";
    address = with values.hosts.bakke; [ (ipv4 + "/25") (ipv6 + "/64") ];
  };
  # Don't change (even during upgrades) unless you know what you are doing.
  # See https://search.nixos.org/options?show=system.stateVersion
  system.stateVersion = "24.05";
 }
--- a/hosts/bakke/disks.nix
+++ b/hosts/bakke/disks.nix
@@ -1,83 +0,0 @@
 {
  # https://github.com/nix-community/disko/blob/master/example/boot-raid1.nix
  # Note: Disko was used to create the initial md raid, but is no longer in active use on this host.
  disko.devices = {
    disk = {
      one = {
        type = "disk";
        device = "/dev/disk/by-id/ata-WDC_WD40EFRX-68WT0N0_WD-WCC4E2EER6N6";
        content = {
          type = "gpt";
          partitions = {
            ESP = {
              size = "500M";
              type = "EF00";
              content = {
                type = "mdraid";
                name = "boot";
              };
            };
            mdadm = {
              size = "100%";
              content = {
                type = "mdraid";
                name = "raid1";
              };
            };
          };
        };
      };
      two = {
        type = "disk";
        device = "/dev/disk/by-id/ata-WDC_WD40EFRX-68WT0N0_WD-WCC4E7LPLU71";
        content = {
          type = "gpt";
          partitions = {
            ESP = {
              size = "500M";
              type = "EF00";
              content = {
                type = "mdraid";
                name = "boot";
              };
            };
            mdadm = {
              size = "100%";
              content = {
                type = "mdraid";
                name = "raid1";
              };
            };
          };
        };
      };
    };
    mdadm = {
      boot = {
        type = "mdadm";
        level = 1;
        metadata = "1.0";
        content = {
          type = "filesystem";
          format = "vfat";
          mountpoint = "/boot";
        };
      };
      raid1 = {
        type = "mdadm";
        level = 1;
        content = {
          type = "gpt";
          partitions.primary = {
            size = "100%";
            content = {
              type = "filesystem";
              format = "ext4";
              mountpoint = "/";
            };
          };
        };
      };
    };
  };
 }
--- a/hosts/bakke/filesystems.nix
+++ b/hosts/bakke/filesystems.nix
@@ -1,26 +0,0 @@
 { config, pkgs, lib, ... }:
 {
  # Boot drives:
  boot.swraid.enable = true;
  # ZFS Data pool:
  environment.systemPackages = with pkgs; [ zfs ];
  boot = {
    zfs = {
      extraPools = [ "tank" ];
      requestEncryptionCredentials = false;
    };
    supportedFilesystems = [ "zfs" ];
    kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
  };
  services.zfs.autoScrub = {
    enable = true;
    interval = "Wed *-*-8..14 00:00:00";
  };
  # NFS Exports:
  #TODO
  # NFS Import mounts:
  #TODO
 }
--- a/hosts/bakke/hardware-configuration.nix
+++ b/hosts/bakke/hardware-configuration.nix
@@ -1,52 +0,0 @@
 # Do not modify this file!  It was generated by 'nixos-generate-config'
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 { config, lib, pkgs, modulesPath, ... }:
 {
  imports =
    [ (modulesPath + "/installer/scan/not-detected.nix")
    ];
  boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ "kvm-intel" ];
  boot.extraModulePackages = [ ];
  fileSystems."/" =
    { device = "/dev/disk/by-uuid/0f63c3d2-fc12-4ed5-a5a5-141bfd67a571";
      fsType = "btrfs";
      options = [ "subvol=root" ];
    };
  fileSystems."/home" =
    { device = "/dev/disk/by-uuid/0f63c3d2-fc12-4ed5-a5a5-141bfd67a571";
      fsType = "btrfs";
      options = [ "subvol=home" ];
    };
  fileSystems."/nix" =
    { device = "/dev/disk/by-uuid/0f63c3d2-fc12-4ed5-a5a5-141bfd67a571";
      fsType = "btrfs";
      options = [ "subvol=nix" "noatime" ];
    };
  fileSystems."/boot" =
    { device = "/dev/sdc2";
      fsType = "vfat";
      options = [ "fmask=0022" "dmask=0022" ];
    };
  swapDevices = [ ];
  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
  # (the default) this is the recommended approach. When using systemd-networkd it's
  # still possible to use this option, but it's recommended to use it in conjunction
  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
  networking.useDHCP = lib.mkDefault false;
  # networking.interfaces.eno1.useDHCP = lib.mkDefault true;
  # networking.interfaces.enp2s0.useDHCP = lib.mkDefault true;
  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 }
--- a/hosts/bekkalokk/configuration.nix
+++ b/hosts/bekkalokk/configuration.nix
@@ -28,5 +28,5 @@
  # Don't change (even during upgrades) unless you know what you are doing.
  # See https://search.nixos.org/options?show=system.stateVersion
-  system.stateVersion = "22.11";
+  system.stateVersion = "25.11";
 }
--- a/hosts/bekkalokk/services/idp-simplesamlphp/config.php
+++ b/hosts/bekkalokk/services/idp-simplesamlphp/config.php
@@ -556,7 +556,6 @@ $config = [
    'module.enable' => [
        'admin' => true,
 	'authpwauth' => true,
 	'themepvv' => true,
    ],
@@ -859,7 +858,7 @@ $config = [
    /*
     * Which theme directory should be used?
     */
-    'theme.use' => 'themepvv:pvv',
+    'theme.use' => 'default',
    /*
     * Set this option to the text you would like to appear at the header of each page. Set to false if you don't want
--- a/hosts/bekkalokk/services/idp-simplesamlphp/default.nix
+++ b/hosts/bekkalokk/services/idp-simplesamlphp/default.nix
@@ -1,24 +1,8 @@
-{
+{ config, pkgs, lib, ... }:
  config,
  pkgs,
  lib,
  ...
 }:
 let
  themePvv = pkgs.fetchFromGitea {
    domain = "git.pvv.ntnu.no";
    owner = "Drift";
    repo = "ssp-theme";
    rev = "bda4314030be5f81aeaf2fb1927aee582f1194d9";
    hash = "sha256-naNRyPL6PAsZKW2w1Vt9wrHT9inCL/yAFnvpy4glv+c=";
  };
  pwAuthScript = pkgs.writeShellApplication {
    name = "pwauth";
-    runtimeInputs = with pkgs; [
+    runtimeInputs = with pkgs; [ coreutils heimdal ];
      coreutils
      heimdal
    ];
    text = ''
      read -r user1
      user2="$(echo -n "$user1" | tr -c -d '0123456789abcdefghijklmnopqrstuvwxyz')"
@@ -101,27 +85,18 @@ let
        substituteInPlace "$out" \
          --replace-warn '$SAML_COOKIE_SECURE' 'true' \
-          --replace-warn '$SAML_COOKIE_SALT' 'file_get_contents("${
+          --replace-warn '$SAML_COOKIE_SALT' 'file_get_contents("${config.sops.secrets."idp/cookie_salt".path}")' \
            config.sops.secrets."idp/cookie_salt".path
          }")' \
          --replace-warn '$SAML_ADMIN_NAME' '"Drift"' \
          --replace-warn '$SAML_ADMIN_EMAIL' '"drift@pvv.ntnu.no"' \
-          --replace-warn '$SAML_ADMIN_PASSWORD' 'file_get_contents("${
+          --replace-warn '$SAML_ADMIN_PASSWORD' 'file_get_contents("${config.sops.secrets."idp/admin_password".path}")' \
            config.sops.secrets."idp/admin_password".path
          }")' \
          --replace-warn '$SAML_TRUSTED_DOMAINS' 'array( "idp.pvv.ntnu.no" )' \
          --replace-warn '$SAML_DATABASE_DSN' '"pgsql:host=postgres.pvv.ntnu.no;port=5432;dbname=idp"' \
          --replace-warn '$SAML_DATABASE_USERNAME' '"idp"' \
-          --replace-warn '$SAML_DATABASE_PASSWORD' 'file_get_contents("${
+          --replace-warn '$SAML_DATABASE_PASSWORD' 'file_get_contents("${config.sops.secrets."idp/postgres_password".path}")' \
            config.sops.secrets."idp/postgres_password".path
          }")' \
          --replace-warn '$CACHE_DIRECTORY' '/var/cache/idp'
      '';
      "modules/authpwauth/src/Auth/Source/PwAuth.php" = ./authpwauth.php;
      # PVV theme module (themepvv).
      "modules/themepvv" = themePvv;
    };
  };
 in
@@ -183,12 +158,10 @@ in
    services.phpfpm.pools.idp = {
      user = "idp";
      group = "idp";
-      settings =
+      settings = let
        let
        listenUser = config.services.nginx.user;
        listenGroup = config.services.nginx.group;
-        in
+      in {
        {
        "pm" = "dynamic";
        "pm.max_children" = 32;
        "pm.max_requests" = 500;
--- a/hosts/bekkalokk/services/mediawiki/default.nix
+++ b/hosts/bekkalokk/services/mediawiki/default.nix
@@ -1,4 +1,4 @@
-{ pkgs, lib, fp, config, values, pkgs-unstable, ... }: let
+{ pkgs, lib, fp, config, values, ... }: let
  cfg = config.services.mediawiki;
  # "mediawiki"
@@ -34,6 +34,7 @@ in {
  services.idp.sp-remote-metadata = [ "https://wiki.pvv.ntnu.no/simplesaml/" ];
  sops.secrets = lib.pipe [
    "mediawiki/secret-key"
    "mediawiki/password"
    "mediawiki/postgres_password"
    "mediawiki/simplesamlphp/postgres_password"
@@ -48,6 +49,23 @@ in {
    lib.listToAttrs
  ];
  services.rsync-pull-targets = {
    enable = true;
    locations.${cfg.uploadsDir} = {
      user = "root";
      rrsyncArgs.ro = true;
      authorizedKeysAttrs = [
        "restrict"
        "from=\"principal.pvv.ntnu.no,${values.hosts.principal.ipv6},${values.hosts.principal.ipv4}\""
        "no-agent-forwarding"
        "no-port-forwarding"
        "no-pty"
        "no-X11-forwarding"
      ];
      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICHFHa3Iq1oKPhbKCAIHgOoWOTkLmIc7yqxeTbut7ig/ mediawiki rsync backup";
    };
  };
  services.mediawiki = {
    enable = true;
    name = "Programvareverkstedet";
@@ -144,6 +162,24 @@ in {
      $wgDBserver = "${toString cfg.database.host}";
      $wgAllowCopyUploads = true;
      # Files
      $wgFileExtensions = [
        'bmp',
        'gif',
        'jpeg',
        'jpg',
        'mp3',
        'odg',
        'odp',
        'ods',
        'odt',
        'pdf',
        'png',
        'tiff',
        'webm',
        'webp',
      ];
      # Misc program paths
      $wgFFmpegLocation = '${pkgs.ffmpeg}/bin/ffmpeg';
      $wgExiftool = '${pkgs.exiftool}/bin/exiftool';
@@ -179,15 +215,15 @@ in {
  # Cache directory for simplesamlphp
  # systemd.services.phpfpm-mediawiki.serviceConfig.CacheDirectory = "mediawiki/simplesamlphp";
-  systemd.tmpfiles.settings."10-mediawiki"."/var/cache/mediawiki/simplesamlphp".d = {
+  systemd.tmpfiles.settings."10-mediawiki"."/var/cache/mediawiki/simplesamlphp".d = lib.mkIf cfg.enable {
    user = "mediawiki";
    group = "mediawiki";
    mode = "0770";
  };
-  users.groups.mediawiki.members = [ "nginx" ];
+  users.groups.mediawiki.members = lib.mkIf cfg.enable [ "nginx" ];
-  services.nginx.virtualHosts."wiki.pvv.ntnu.no" = {
+  services.nginx.virtualHosts."wiki.pvv.ntnu.no" = lib.mkIf cfg.enable {
    kTLS = true;
    forceSSL = true;
    enableACME = true;
@@ -233,4 +269,22 @@ in {
    };
  };
  systemd.services.mediawiki-init = lib.mkIf cfg.enable {
    after = [ "sops-install-secrets.service" ];
    serviceConfig = {
      BindReadOnlyPaths = [ "/run/credentials/mediawiki-init.service/secret-key:/var/lib/mediawiki/secret.key" ];
      LoadCredential = [ "secret-key:${config.sops.secrets."mediawiki/secret-key".path}" ];
      UMask = lib.mkForce "0007";
    };
  };
  systemd.services.phpfpm-mediawiki = lib.mkIf cfg.enable {
    after = [ "sops-install-secrets.service" ];
    serviceConfig = {
      BindReadOnlyPaths = [ "/run/credentials/phpfpm-mediawiki.service/secret-key:/var/lib/mediawiki/secret.key" ];
      LoadCredential = [ "secret-key:${config.sops.secrets."mediawiki/secret-key".path}" ];
      UMask = lib.mkForce "0007";
    };
  };
 }
--- a/hosts/bekkalokk/services/vaultwarden.nix
+++ b/hosts/bekkalokk/services/vaultwarden.nix
@@ -1,4 +1,4 @@
-{ config, pkgs, lib, ... }:
+{ config, pkgs, lib, values, ... }:
 let
  cfg = config.services.vaultwarden;
  domain = "pw.pvv.ntnu.no";
@@ -6,40 +6,58 @@ let
  port = 3011;
  wsPort = 3012;
 in {
-  sops.secrets."vaultwarden/environ" = {
+  sops.secrets."vaultwarden/rsa_key.pem" = {
    owner = "vaultwarden";
    group = "vaultwarden";
    mode = "440";
    restartUnits = [ "vaultwarden.service" ];
  };
  sops.secrets."vaultwarden/rsa_key.pub.pem" = {
    owner = "vaultwarden";
    group = "vaultwarden";
    mode = "440";
    restartUnits = [ "vaultwarden.service" ];
  };
  sops.secrets."vaultwarden/env/DATABASE_PASSWORD" = { };
  sops.secrets."vaultwarden/env/SMTP_PASSWORD" = { };
  sops.templates."vaultwarden/environment_file" = {
    owner = "vaultwarden";
    group = "vaultwarden";
    mode = "440";
    restartUnits = [ "vaultwarden.service" ];
    content = ''
        DATABASE_URL=postgresql://vaultwarden:${config.sops.placeholder."vaultwarden/env/DATABASE_PASSWORD"}@postgres.pvv.ntnu.no/vaultwarden
        SMTP_PASSWORD=${config.sops.placeholder."vaultwarden/env/SMTP_PASSWORD"}
    '';
  };
  services.vaultwarden = {
    enable = true;
    dbBackend = "postgresql";
-    environmentFile = config.sops.secrets."vaultwarden/environ".path;
+    environmentFile = config.sops.templates."vaultwarden/environment_file".path;
    config = {
-      domain = "https://${domain}";
+      DOMAIN = "https://${domain}";
-      rocketAddress = address;
+      ROCKET_ADDRESS = address;
-      rocketPort = port;
+      ROCKET_PORT = port;
-      websocketEnabled = true;
+      WEBSOCKET_ENABLED = true;
-      websocketAddress = address;
+      WEBSOCKET_ADDRESS = address;
-      websocketPort = wsPort;
+      WEBSOCKET_PORT = wsPort;
-      signupsAllowed = true;
+      SIGNUPS_ALLOWED = true;
-      signupsVerify = true;
+      SIGNUPS_VERIFY = true;
-      signupsDomainsWhitelist = "pvv.ntnu.no";
+      SIGNUPS_DOMAINS_WHITELIST = "pvv.ntnu.no";
-      smtpFrom = "vaultwarden@pvv.ntnu.no";
+      SMTP_FROM = "vaultwarden@pvv.ntnu.no";
-      smtpFromName = "VaultWarden PVV";
+      SMTP_FROM_NAME = "VaultWarden PVV";
-      smtpHost = "smtp.pvv.ntnu.no";
+      SMTP_HOST = "smtp.pvv.ntnu.no";
-      smtpUsername = "vaultwarden";
+      SMTP_USERNAME = "vaultwarden";
-      smtpSecurity = "force_tls";
+      SMTP_SECURITY = "force_tls";
-      smtpAuthMechanism = "Login";
+      SMTP_AUTH_MECHANISM = "Login";
-      # Configured in environ:
+      RSA_KEY_FILENAME = lib.removeSuffix ".pem" config.sops.secrets."vaultwarden/rsa_key.pem".path;
      # databaseUrl = "postgresql://vaultwarden@/vaultwarden";
      # smtpPassword = hemli
    };
  };
@@ -66,37 +84,20 @@ in {
    };
  };
-  systemd.services.vaultwarden = lib.mkIf cfg.enable {
+  services.rsync-pull-targets = {
-    serviceConfig = {
+    enable = true;
-      AmbientCapabilities = [ "" ];
+    locations."/var/lib/vaultwarden" = {
-      CapabilityBoundingSet = [ "" ];
+      user = "root";
-      DeviceAllow = [ "" ];
+      rrsyncArgs.ro = true;
-      LockPersonality = true;
+      authorizedKeysAttrs = [
-      NoNewPrivileges = true;
+        "restrict"
-      # MemoryDenyWriteExecute = true;
+        "from=\"principal.pvv.ntnu.no,${values.hosts.principal.ipv6},${values.hosts.principal.ipv4}\""
-      PrivateMounts = true;
+        "no-agent-forwarding"
-      PrivateUsers = true;
+        "no-port-forwarding"
-      ProcSubset = "pid";
+        "no-pty"
-      ProtectClock = true;
+        "no-X11-forwarding"
      ProtectControlGroups = true;
      ProtectHostname = true;
      ProtectKernelLogs = true;
      ProtectKernelModules = true;
      ProtectKernelTunables = true;
      RestrictAddressFamilies = [
        "AF_INET"
        "AF_INET6"
        "AF_UNIX"
      ];
      RemoveIPC = true;
      RestrictNamespaces = true;
      RestrictRealtime = true;
      RestrictSUIDSGID = true;
      SystemCallArchitectures = "native";
      SystemCallFilter = [
        "@system-service"
        "~@privileged"
      ];
      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB2cDaW52gBtLVaNqoGijvN2ZAVkAWlII5AXUzT3Dswj vaultwarden rsync backup";
    };
  };
 }
--- a/hosts/bekkalokk/services/webmail/roundcube.nix
+++ b/hosts/bekkalokk/services/webmail/roundcube.nix
@@ -9,6 +9,12 @@ in
  sops.secrets."roundcube/postgres_password" = {
    owner = "nginx";
    group = "nginx";
    restartUnits = [ "phpfpm-roundcube.service" ];
  };
  sops.secrets."roundcube/des_key" = {
    owner = "nginx";
    group = "nginx";
    restartUnits = [ "phpfpm-roundcube.service" ];
  };
  services.roundcube = {
@@ -39,6 +45,7 @@ in
      $config['mail_domain'] = "pvv.ntnu.no";
      $config['smtp_user'] = "%u";
      $config['support_url'] = "";
      $config['des_key'] = "${config.sops.secrets."roundcube/des_key".path}";
    '';
  };
--- a/hosts/bekkalokk/services/webmail/snappymail.nix
+++ b/hosts/bekkalokk/services/webmail/snappymail.nix
@@ -1,4 +1,4 @@
-{ config, lib, fp, pkgs, ... }:
+{ config, lib, fp, pkgs, values, ... }:
 let
  cfg = config.services.snappymail;
 in {
@@ -14,5 +14,21 @@ in {
    enableACME = true;
    kTLS = true;
  };
 }
  services.rsync-pull-targets = {
    enable = true;
    locations.${cfg.dataDir} = {
      user = "root";
      rrsyncArgs.ro = true;
      authorizedKeysAttrs = [
        "restrict"
        "from=\"principal.pvv.ntnu.no,${values.hosts.principal.ipv6},${values.hosts.principal.ipv4}\""
        "no-agent-forwarding"
        "no-port-forwarding"
        "no-pty"
        "no-X11-forwarding"
      ];
      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJENMnuNsHEeA91oX+cj7Qpex2defSXP/lxznxCAqV03 snappymail rsync backup";
    };
  };
 }
--- a/hosts/bekkalokk/services/website/default.nix
+++ b/hosts/bekkalokk/services/website/default.nix
@@ -80,9 +80,40 @@ in {
  };
  services.phpfpm.pools."pvv-nettsiden".settings = {
-    # "php_admin_value[error_log]" = "stderr";
+    "php_admin_value[error_log]" = "syslog";
    "php_admin_flag[log_errors]" = true;
    "catch_workers_output" = true;
    "php_admin_value[max_execution_time]" = "30";
    "request_terminate_timeout" = "60s";
    "php_admin_value[sendmail_path]" = let
      fakeSendmail = pkgs.writeShellApplication {
        name = "fake-sendmail";
        text = ''
          TIMESTAMP="$(date +%Y-%m-%d-%H-%M-%S-%N)"
          (
            echo "SENDMAIL ARGS:"
            echo "$@"
            echo "SENDMAIL STDIN:"
            cat -
          ) > "/var/lib/pvv-nettsiden/emails/$TIMESTAMP.mail"
        '';
      };
    in lib.getExe fakeSendmail;
    "php_admin_value[disable_functions]" = lib.concatStringsSep "," [
      "curl_exec"
      "curl_multi_exec"
      "exec"
      "parse_ini_file"
      "passthru"
      "popen"
      "proc_open"
      "shell_exec"
      "show_source"
      "system"
    ];
  };
  services.nginx.virtualHosts."pvv.ntnu.no" = {
--- a/hosts/bekkalokk/services/website/fetch-gallery.nix
+++ b/hosts/bekkalokk/services/website/fetch-gallery.nix
@@ -1,15 +1,30 @@
-{ pkgs, lib, config, ... }:
+{ pkgs, lib, config, values, ... }:
 let
  galleryDir = config.services.pvv-nettsiden.settings.GALLERY.DIR;
  transferDir = "${config.services.pvv-nettsiden.settings.GALLERY.DIR}-transfer";
 in {
  users.users.${config.services.pvv-nettsiden.user} = {
    # NOTE: the user unfortunately needs a registered shell for rrsync to function...
    #       is there anything we can do to remove this?
    useDefaultShell = true;
  };
  # This is pushed from microbel:/var/www/www-gallery/build-gallery.sh
-    openssh.authorizedKeys.keys = [
+  services.rsync-pull-targets = {
-    ''command="${pkgs.rrsync}/bin/rrsync -wo ${transferDir}",restrict,no-agent-forwarding,no-port-forwarding,no-pty,no-X11-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIjHhC2dikhWs/gG+m7qP1eSohWzTehn4ToNzDSOImyR gallery-publish''
+    enable = true;
    locations.${transferDir} = {
      user = config.services.pvv-nettsiden.user;
      rrsyncArgs.wo = true;
      authorizedKeysAttrs = [
        "restrict"
        "from=\"microbel.pvv.ntnu.no,${values.hosts.microbel.ipv6},${values.hosts.microbel.ipv4}\""
        "no-agent-forwarding"
        "no-port-forwarding"
        "no-pty"
        "no-X11-forwarding"
      ];
      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIjHhC2dikhWs/gG+m7qP1eSohWzTehn4ToNzDSOImyR gallery-publish";
    };
  };
  systemd.paths.pvv-nettsiden-gallery-update = {
@@ -25,15 +40,15 @@ in {
    path = with pkgs; [ imagemagick gnutar gzip ];
    script = ''
-      tar ${lib.cli.toGNUCommandLineShell {} {
+      tar ${lib.cli.toCommandLineShellGNU { } {
        extract = true;
        file = "${transferDir}/gallery.tar.gz";
        directory = ".";
      }}
      # Delete files and directories that exists in the gallery that don't exist in the tarball
-      filesToRemove=$(uniq -u <(sort <(find . -not -path "./.thumbnails*") <(tar -tf ${transferDir}/gallery.tar.gz | sed 's|/$||')))
+      filesToRemove=$(uniq -u <(sort <(find . -not -path './.thumbnails*') <(tar -tf '${transferDir}/gallery.tar.gz' | sed 's|/$||')))
-      while IFS= read fname; do
+      while IFS= read -r fname; do
        rm -f "$fname" ||:
        rm -f ".thumbnails/$fname.png" ||:
      done <<< "$filesToRemove"
@@ -41,9 +56,9 @@ in {
      find . -type d -empty -delete
      mkdir -p .thumbnails
-      images=$(find . -type f -not -path "./.thumbnails*")
+      images=$(find . -type f -not -path './.thumbnails*')
-      while IFS= read fname; do
+      while IFS= read -r fname; do
        # Skip this file if an up-to-date thumbnail already exists
        if [ -f ".thumbnails/$fname.png" ] && \
          [ "$(date -R -r "$fname")" == "$(date -R -r ".thumbnails/$fname.png")" ]
@@ -52,7 +67,7 @@ in {
        fi
        echo "Creating thumbnail for $fname"
-        mkdir -p $(dirname ".thumbnails/$fname")
+        mkdir -p "$(dirname ".thumbnails/$fname")"
        magick -define jpeg:size=200x200 "$fname" -thumbnail 300 -auto-orient ".thumbnails/$fname.png" ||:
        touch -m -d "$(date -R -r "$fname")" ".thumbnails/$fname.png"
      done <<< "$images"
--- a/hosts/bekkalokk/services/well-known/root/security.txt
+++ b/hosts/bekkalokk/services/well-known/root/security.txt
@@ -6,7 +6,11 @@ Contact: mailto:cert@pvv.ntnu.no
 Preferred-Languages: no, en
 Expires: 2032-12-31T23:59:59.000Z
-# This file was last updated 2024-09-14.
+# This file was last updated 2026-02-27.
 # You can find a wikipage for our security policies at:
 # https://wiki.pvv.ntnu.no/wiki/CERT
 # Please note that we are a student organization, and unfortunately we do not
 # have a bug bounty program or offer monetary compensation for disclosure of
 # security vulnerabilities.
--- a/hosts/bicep/configuration.nix
+++ b/hosts/bicep/configuration.nix
@@ -9,8 +9,8 @@
    ./services/calendar-bot.nix
    #./services/git-mirrors
    ./services/minecraft-heatmap.nix
-    ./services/mysql.nix
+    ./services/mysql
-    ./services/postgres.nix
+    ./services/postgresql
    ./services/matrix
  ];
@@ -30,5 +30,5 @@
  # Don't change (even during upgrades) unless you know what you are doing.
  # See https://search.nixos.org/options?show=system.stateVersion
-  system.stateVersion = "22.11";
+  system.stateVersion = "25.11";
 }
--- a/hosts/bicep/services/matrix/default.nix
+++ b/hosts/bicep/services/matrix/default.nix
@@ -1,8 +1,9 @@
 { config, ... }:
 {
  imports = [
    ./synapse.nix
    ./synapse-admin.nix
    ./synapse-auto-compressor.nix
    ./synapse.nix
    ./element.nix
    ./coturn.nix
    ./livekit.nix
--- a/hosts/bicep/services/matrix/element.nix
+++ b/hosts/bicep/services/matrix/element.nix
@@ -37,6 +37,7 @@ in {
          # element call group calls
          feature_group_calls = true;
        };
        default_country_code = "NO";
        default_theme = "dark";
        # Servers in this list should provide some sort of valuable scoping
        # matrix.org is not useful compared to matrixrooms.info,
--- a/hosts/bicep/services/matrix/hookshot/default.nix
+++ b/hosts/bicep/services/matrix/hookshot/default.nix
@@ -14,6 +14,10 @@ in
    sopsFile = fp /secrets/bicep/matrix.yaml;
    key = "hookshot/hs_token";
  };
  sops.secrets."matrix/hookshot/passkey" = {
    sopsFile = fp /secrets/bicep/matrix.yaml;
    key = "hookshot/passkey";
  };
  sops.templates."hookshot-registration.yaml" = {
    owner = config.users.users.matrix-synapse.name;
@@ -44,9 +48,14 @@ in
  };
  systemd.services.matrix-hookshot = {
-    serviceConfig.SupplementaryGroups = [
+    serviceConfig = {
      SupplementaryGroups = [
        config.users.groups.keys-matrix-registrations.name
      ];
      LoadCredential = [
        "passkey.pem:${config.sops.secrets."matrix/hookshot/passkey".path}"
      ];
    };
  };
  services.matrix-hookshot = {
@@ -54,6 +63,8 @@ in
    package = unstablePkgs.matrix-hookshot;
    registrationFile = config.sops.templates."hookshot-registration.yaml".path;
    settings = {
      passFile = "/run/credentials/matrix-hookshot.service/passkey.pem";
      bridge = {
        bindAddress = "127.0.0.1";
        domain = "pvv.ntnu.no";
@@ -61,6 +72,7 @@ in
        mediaUrl = "https://matrix.pvv.ntnu.no";
        port = 9993;
      };
      listeners = [
        {
          bindAddress = webhookListenAddress;
@@ -73,6 +85,7 @@ in
          ];
        }
      ];
      generic = {
        enabled = true;
        outbound = true;
--- a/hosts/bicep/services/matrix/livekit.nix
+++ b/hosts/bicep/services/matrix/livekit.nix
@@ -43,7 +43,7 @@ in
    keyFile = config.sops.templates."matrix-livekit-keyfile".path;
  };
-  systemd.services.lk-jwt-service.environment.LIVEKIT_FULL_ACCESS_HOMESERVERS = lib.mkIf cfg.enable matrixDomain;
+  systemd.services.lk-jwt-service.environment.LIVEKIT_FULL_ACCESS_HOMESERVERS = lib.mkIf cfg.enable (builtins.concatStringsSep "," [ "pvv.ntnu.no" "dodsorf.as" ]);
  services.nginx.virtualHosts.${matrixDomain} = lib.mkIf cfg.enable {
    locations."^~ /livekit/jwt/" = {
@@ -64,4 +64,11 @@ in
      '';
    };
  };
  networking.firewall.allowedUDPPortRanges = [
    {
      from = cfg.settings.rtc.port_range_start;
      to = cfg.settings.rtc.port_range_end;
    }
  ];
 }
--- a/hosts/bicep/services/matrix/out-of-your-element.nix
+++ b/hosts/bicep/services/matrix/out-of-your-element.nix
@@ -1,4 +1,4 @@
-{ config, pkgs, fp, ... }:
+{ config, pkgs, lib, values, fp, ... }:
 let
  cfg = config.services.matrix-ooye;
 in
@@ -28,6 +28,23 @@ in
    };
  };
  services.rsync-pull-targets = lib.mkIf cfg.enable {
    enable = true;
    locations."/var/lib/private/matrix-ooye" = {
      user = "root";
      rrsyncArgs.ro = true;
      authorizedKeysAttrs = [
        "restrict"
        "from=\"principal.pvv.ntnu.no,${values.hosts.principal.ipv6},${values.hosts.principal.ipv4}\""
        "no-agent-forwarding"
        "no-port-forwarding"
        "no-pty"
        "no-X11-forwarding"
      ];
      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE5koYfor5+kKB30Dugj3dAWvmj8h/akQQ2XYDvLobFL matrix_ooye rsync backup";
    };
  };
  services.matrix-ooye = {
    enable = true;
    homeserver = "https://matrix.pvv.ntnu.no";
--- a/hosts/bicep/services/matrix/synapse-auto-compressor.nix
+++ b/hosts/bicep/services/matrix/synapse-auto-compressor.nix
@@ -0,0 +1,56 @@
 { config, lib, utils, ... }:
 let
  cfg = config.services.synapse-auto-compressor;
 in
 {
  services.synapse-auto-compressor = {
    # enable = true;
    postgresUrl = "postgresql://matrix-synapse@/synapse?host=/run/postgresql";
  };
  # NOTE: nixpkgs has some broken asserts, vendored the entire unit
  systemd.services.synapse-auto-compressor = {
    description = "synapse-auto-compressor";
    requires = [
      "postgresql.target"
    ];
    inherit (cfg) startAt;
    serviceConfig = {
      Type = "oneshot";
      DynamicUser = true;
      User = "matrix-synapse";
      PrivateTmp = true;
      ExecStart = utils.escapeSystemdExecArgs [
        "${cfg.package}/bin/synapse_auto_compressor"
        "-p"
        cfg.postgresUrl
        "-c"
        cfg.settings.chunk_size
        "-n"
        cfg.settings.chunks_to_compress
        "-l"
        (lib.concatStringsSep "," (map toString cfg.settings.levels))
      ];
      LockPersonality = true;
      MemoryDenyWriteExecute = true;
      NoNewPrivileges = true;
      PrivateDevices = true;
      PrivateMounts = true;
      PrivateUsers = true;
      RemoveIPC = true;
      RestrictNamespaces = true;
      RestrictRealtime = true;
      RestrictSUIDSGID = true;
      ProcSubset = "pid";
      ProtectProc = "invisible";
      ProtectSystem = "strict";
      ProtectHome = true;
      ProtectHostname = true;
      ProtectClock = true;
      ProtectKernelTunables = true;
      ProtectKernelModules = true;
      ProtectKernelLogs = true;
      ProtectControlGroups = true;
    };
  };
 }
--- a/hosts/bicep/services/matrix/synapse.nix
+++ b/hosts/bicep/services/matrix/synapse.nix
@@ -27,6 +27,23 @@ in {
    '';
  };
  services.rsync-pull-targets = {
    enable = true;
    locations.${cfg.settings.media_store_path} = {
      user = "root";
      rrsyncArgs.ro = true;
      authorizedKeysAttrs = [
        "restrict"
        "from=\"principal.pvv.ntnu.no,${values.hosts.principal.ipv6},${values.hosts.principal.ipv4}\""
        "no-agent-forwarding"
        "no-port-forwarding"
        "no-pty"
        "no-X11-forwarding"
      ];
      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIASnjI9b3j4ZS3BL/D1ggHfws1BkE8iS0v0cGpEmbG+k matrix_media_store rsync backup";
    };
  };
  services.matrix-synapse-next = {
    enable = true;
--- a/hosts/bicep/services/minecraft-heatmap.nix
+++ b/hosts/bicep/services/minecraft-heatmap.nix
@@ -22,7 +22,7 @@ in
    };
  };
-  systemd.services.minecraft-heatmap-ingest-logs = {
+  systemd.services.minecraft-heatmap-ingest-logs = lib.mkIf cfg.enable {
    serviceConfig.LoadCredential = [
      "sshkey:${config.sops.secrets."minecraft-heatmap/ssh-key/private".path}"
    ];
--- a/hosts/bicep/services/mysql/backup.nix
+++ b/hosts/bicep/services/mysql/backup.nix
@@ -0,0 +1,83 @@
 { config, lib, pkgs, values, ... }:
 let
  cfg = config.services.mysql;
  backupDir = "/data/mysql-backups";
 in
 {
  # services.mysqlBackup = lib.mkIf cfg.enable {
  #   enable = true;
  #   location = "/var/lib/mysql-backups";
  # };
  systemd.tmpfiles.settings."10-mysql-backups".${backupDir}.d = {
 	  user = "mysql";
 	  group = "mysql";
 	  mode = "700";
 	};
  services.rsync-pull-targets = lib.mkIf cfg.enable {
    enable = true;
    locations.${backupDir} = {
      user = "root";
      rrsyncArgs.ro = true;
      authorizedKeysAttrs = [
        "restrict"
        "from=\"principal.pvv.ntnu.no,${values.hosts.principal.ipv6},${values.hosts.principal.ipv4}\""
        "no-agent-forwarding"
        "no-port-forwarding"
        "no-pty"
        "no-X11-forwarding"
      ];
      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJgj55/7Cnj4cYMJ5sIkl+OwcGeBe039kXJTOf2wvo9j mysql rsync backup";
    };
  };
  # NOTE: instead of having the upstream nixpkgs postgres backup unit trigger
  #       another unit, it was easier to just make one ourselves.
  systemd.services."backup-mysql" = lib.mkIf cfg.enable {
    description = "Backup MySQL data";
    requires = [ "mysql.service" ];
    path = with pkgs; [
      cfg.package
      coreutils
      zstd
    ];
    script = let
      rotations = 2;
    in ''
      set -euo pipefail
      OUT_FILE="$STATE_DIRECTORY/mysql-dump-$(date --iso-8601).sql.zst"
      mysqldump --all-databases | zstd --compress -9 --rsyncable -o "$OUT_FILE"
      # NOTE: this needs to be a hardlink for rrsync to allow sending it
      rm "$STATE_DIRECTORY/mysql-dump-latest.sql.zst" ||:
      ln -T "$OUT_FILE" "$STATE_DIRECTORY/mysql-dump-latest.sql.zst"
      while [ "$(find "$STATE_DIRECTORY" -type f -printf '.' | wc -c)" -gt '${toString (rotations + 1)}' ]; do
        rm "$(find "$STATE_DIRECTORY" -type f -printf '%T+ %p\n' | sort | head -n 1 | cut -d' ' -f2)"
      done
    '';
    serviceConfig = {
      Type = "oneshot";
      User = "mysql";
      Group = "mysql";
      UMask = "0077";
      Nice = 19;
      IOSchedulingClass = "best-effort";
      IOSchedulingPriority = 7;
      StateDirectory = [ "mysql-backups" ];
      BindPaths = [ "${backupDir}:/var/lib/mysql-backups" ];
      # TODO: hardening
    };
    startAt = "*-*-* 02:15:00";
  };
 }
--- a/hosts/bicep/services/mysql/default.nix
+++ b/hosts/bicep/services/mysql/default.nix
@@ -1,5 +1,11 @@
-{ pkgs, lib, config, values, ... }:
+{ config, pkgs, lib, values, ... }:
 let
  cfg = config.services.mysql;
  dataDir = "/data/mysql";
 in
 {
  imports = [ ./backup.nix ];
  sops.secrets."mysql/password" = {
    owner = "mysql";
    group = "mysql";
@@ -9,8 +15,7 @@
  services.mysql = {
    enable = true;
-    dataDir = "/data/mysql";
+    package = pkgs.mariadb_118;
    package = pkgs.mariadb;
    settings = {
      mysqld = {
        # PVV allows a lot of connections at the same time
@@ -21,6 +26,9 @@
        # This was needed in order to be able to use all of the old users
        # during migration from knakelibrak to bicep in Sep. 2023
        secure_auth = 0;
        slow-query-log = 1;
        slow-query-log-file = "/var/log/mysql/mysql-slow.log";
      };
    };
@@ -36,14 +44,24 @@
    }];
  };
-  services.mysqlBackup = {
+  networking.firewall.allowedTCPPorts = lib.mkIf cfg.enable [ 3306 ];
-    enable = true;
+
-    location = "/var/lib/mysql/backups";
+  systemd.tmpfiles.settings."10-mysql".${dataDir}.d = lib.mkIf cfg.enable {
    inherit (cfg) user group;
    mode = "0700";
  };
-  networking.firewall.allowedTCPPorts = [ 3306 ];
+  systemd.services.mysql = lib.mkIf cfg.enable {
    after = [
      "systemd-tmpfiles-setup.service"
      "systemd-tmpfiles-resetup.service"
    ];
    serviceConfig = {
      BindPaths = [ "${dataDir}:${cfg.dataDir}" ];
      LogsDirectory = "mysql";
  systemd.services.mysql.serviceConfig = {
      IPAddressDeny = "any";
      IPAddressAllow = [
        values.ipv4-space
@@ -52,4 +70,5 @@
        values.hosts.ildkule.ipv6
      ];
    };
  };
 }
--- a/hosts/bicep/services/postgresql/backup.nix
+++ b/hosts/bicep/services/postgresql/backup.nix
@@ -0,0 +1,84 @@
 { config, lib, pkgs, values, ... }:
 let
  cfg = config.services.postgresql;
  backupDir = "/data/postgresql-backups";
 in
 {
  # services.postgresqlBackup = lib.mkIf cfg.enable {
  #   enable = true;
  #   location = "/var/lib/postgresql-backups";
  #   backupAll = true;
  # };
  systemd.tmpfiles.settings."10-postgresql-backups".${backupDir}.d = {
 	  user = "postgres";
 	  group = "postgres";
 	  mode = "700";
 	};
  services.rsync-pull-targets = lib.mkIf cfg.enable {
    enable = true;
    locations.${backupDir} = {
      user = "root";
      rrsyncArgs.ro = true;
      authorizedKeysAttrs = [
        "restrict"
        "from=\"principal.pvv.ntnu.no,${values.hosts.principal.ipv6},${values.hosts.principal.ipv4}\""
        "no-agent-forwarding"
        "no-port-forwarding"
        "no-pty"
        "no-X11-forwarding"
      ];
      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGvO7QX7QmwSiGLXEsaxPIOpAqnJP3M+qqQRe5dzf8gJ postgresql rsync backup";
    };
  };
  # NOTE: instead of having the upstream nixpkgs postgres backup unit trigger
  #       another unit, it was easier to just make one ourselves
  systemd.services."backup-postgresql" = {
    description = "Backup PostgreSQL data";
    requires = [ "postgresql.service" ];
    path = with pkgs; [
      coreutils
      zstd
      cfg.package
    ];
    script = let
      rotations = 2;
    in ''
      set -euo pipefail
      OUT_FILE="$STATE_DIRECTORY/postgresql-dump-$(date --iso-8601).sql.zst"
      pg_dumpall -U postgres | zstd --compress -9 --rsyncable -o "$OUT_FILE"
      # NOTE: this needs to be a hardlink for rrsync to allow sending it
      rm "$STATE_DIRECTORY/postgresql-dump-latest.sql.zst" ||:
      ln -T "$OUT_FILE" "$STATE_DIRECTORY/postgresql-dump-latest.sql.zst"
      while [ "$(find "$STATE_DIRECTORY" -type f -printf '.' | wc -c)" -gt '${toString (rotations + 1)}' ]; do
        rm "$(find "$STATE_DIRECTORY" -type f -printf '%T+ %p\n' | sort | head -n 1 | cut -d' ' -f2)"
      done
    '';
    serviceConfig = {
      Type = "oneshot";
      User = "postgres";
      Group = "postgres";
      UMask = "0077";
      Nice = 19;
      IOSchedulingClass = "best-effort";
      IOSchedulingPriority = 7;
      StateDirectory = [ "postgresql-backups" ];
      BindPaths = [ "${backupDir}:/var/lib/postgresql-backups" ];
      # TODO: hardening
    };
    startAt = "*-*-* 01:15:00";
  };
 }
--- a/hosts/bicep/services/postgresql/cleanup-timers.nix
+++ b/hosts/bicep/services/postgresql/cleanup-timers.nix
@@ -0,0 +1,37 @@
 { config, lib, pkgs, ... }:
 let
  cfg = config.services.postgresql;
 in
 {
  config = lib.mkIf cfg.enable {
    systemd.services = {
      postgresql-repack = {
        requires = [ "postgresql.service" ];
        after = [ "postgresql.target" ];
        description = "Repack all PostgreSQL databases";
        startAt = "Mon 06:00:00";
        serviceConfig = {
          Type = "oneshot";
          User = "postgres";
          Group = "postgres";
          ExecStart = "${lib.getExe cfg.package.pkgs.pg_repack} --host=/run/postgresql --no-kill-backend --wait-timeout=30 --all";
        };
      };
      postgresql-vacuum-analyze = {
        requires = [ "postgresql.service" ];
        after = [ "postgresql.target" ];
        description = "Vacuum and analyze all PostgreSQL databases";
        startAt = "Tue 06:00:00";
        serviceConfig = {
          Type = "oneshot";
          User = "postgres";
          Group = "postgres";
          ExecStart = "${lib.getExe' cfg.package "psql"} --port=${builtins.toString cfg.settings.port} -tAc 'VACUUM ANALYZE'";
        };
      };
    };
  };
 }
--- a/hosts/bicep/services/postgresql/default.nix
+++ b/hosts/bicep/services/postgresql/default.nix
@@ -1,8 +1,17 @@
-{ config, pkgs, values, ... }:
+{ config, lib, pkgs, values, ... }:
 let
  cfg = config.services.postgresql;
 in
 {
  imports = [
    ./backup.nix
    ./cleanup-timers.nix
  ];
  services.postgresql = {
    enable = true;
-    package = pkgs.postgresql_15;
+    package = pkgs.postgresql_18;
    extensions = ps: with ps; [ pg_repack ];
    enableTCPIP = true;
    authentication = ''
@@ -74,13 +83,13 @@
    };
  };
-  systemd.tmpfiles.settings."10-postgresql"."/data/postgresql".d = {
+  systemd.tmpfiles.settings."10-postgresql"."/data/postgresql".d = lib.mkIf cfg.enable {
    user = config.systemd.services.postgresql.serviceConfig.User;
    group = config.systemd.services.postgresql.serviceConfig.Group;
    mode = "0700";
  };
-  systemd.services.postgresql-setup = {
+  systemd.services.postgresql-setup = lib.mkIf cfg.enable {
    after = [
      "systemd-tmpfiles-setup.service"
      "systemd-tmpfiles-resetup.service"
@@ -95,7 +104,7 @@
    };
  };
-  systemd.services.postgresql = {
+  systemd.services.postgresql = lib.mkIf cfg.enable {
    after = [
      "systemd-tmpfiles-setup.service"
      "systemd-tmpfiles-resetup.service"
@@ -110,18 +119,12 @@
    };
  };
-  environment.snakeoil-certs."/etc/certs/postgres" = {
+  environment.snakeoil-certs."/etc/certs/postgres" = lib.mkIf cfg.enable {
    owner = "postgres";
    group = "postgres";
    subject = "/C=NO/O=Programvareverkstedet/CN=postgres.pvv.ntnu.no/emailAddress=drift@pvv.ntnu.no";
  };
-  networking.firewall.allowedTCPPorts = [ 5432 ];
+  networking.firewall.allowedTCPPorts = lib.mkIf cfg.enable [ 5432 ];
-  networking.firewall.allowedUDPPorts = [ 5432 ];
+  networking.firewall.allowedUDPPorts = lib.mkIf cfg.enable [ 5432 ];
  services.postgresqlBackup = {
    enable = true;
    location = "/var/lib/postgres/backups";
    backupAll = true;
  };
 }
--- a/hosts/brzeczyszczykiewicz/configuration.nix
+++ b/hosts/brzeczyszczykiewicz/configuration.nix
@@ -17,5 +17,5 @@
  # Don't change (even during upgrades) unless you know what you are doing.
  # See https://search.nixos.org/options?show=system.stateVersion
-  system.stateVersion = "23.05";
+  system.stateVersion = "25.11";
 }
--- a/hosts/georg/configuration.nix
+++ b/hosts/georg/configuration.nix
@@ -32,5 +32,5 @@
  # Don't change (even during upgrades) unless you know what you are doing.
  # See https://search.nixos.org/options?show=system.stateVersion
-  system.stateVersion = "23.05";
+  system.stateVersion = "25.11";
 }
--- a/hosts/gluttony/configuration.nix
+++ b/hosts/gluttony/configuration.nix
@@ -11,6 +11,15 @@
  ];
  systemd.network.enable = lib.mkForce false;
  boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
  boot.loader = {
    systemd-boot.enable = false; # no uefi support on this device
    grub.device = "/dev/sda";
    grub.enable = true;
  };
  boot.tmp.cleanOnBoot = true;
  networking =
    let
      hostConf = values.hosts.gluttony;
--- a/hosts/gluttony/hardware-configuration.nix
+++ b/hosts/gluttony/hardware-configuration.nix
@@ -22,7 +22,7 @@
    "sd_mod"
  ];
  boot.initrd.kernelModules = [ "dm-snapshot" ];
-  boot.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" ];
  boot.extraModulePackages = [ ];
  fileSystems."/" = {
@@ -31,7 +31,7 @@
  };
  fileSystems."/boot" = {
-    device = "/dev/disk/by-uuid/D00A-B488";
+    device = "/dev/disk/by-uuid/BD97-FCA0";
    fsType = "vfat";
    options = [
      "fmask=0077"
--- a/hosts/ildkule/configuration.nix
+++ b/hosts/ildkule/configuration.nix
@@ -1,8 +1,14 @@
 { config, fp, pkgs, lib, values, ... }:
 {
  config,
  fp,
  pkgs,
  lib,
  values,
  ...
 }: {
  imports = [
      # Include the results of the hardware scan.
    ./hardware-configuration.nix
    ./disks.nix
    (fp /base)
    ./services/monitoring
@@ -10,8 +16,8 @@
    ./services/journald-remote.nix
  ];
-  boot.loader.systemd-boot.enable = false;
+  boot.loader.grub.enable = true;
-  boot.loader.grub.device = "/dev/vda";
+  boot.loader.systemd-boot.enable = lib.mkForce false;
  boot.tmp.cleanOnBoot = true;
  zramSwap.enable = true;
@@ -27,13 +33,22 @@
    nameservers = values.defaultNetworkConfig.dns;
    defaultGateway.address = hostConf.ipv4_internal_gw;
-    interfaces."ens4" = {
+    interfaces."ens3" = {
      ipv4.addresses = [
-        { address = hostConf.ipv4;          prefixLength = 32; }
+        {
-        { address = hostConf.ipv4_internal; prefixLength = 24; }
+          address = hostConf.ipv4;
          prefixLength = 32;
        }
        {
          address = hostConf.ipv4_internal;
          prefixLength = 24;
        }
      ];
      ipv6.addresses = [
-        { address = hostConf.ipv6;          prefixLength = 64; }
+        {
          address = hostConf.ipv6;
          prefixLength = 64;
        }
      ];
    };
  };
--- a/hosts/ildkule/disks.nix
+++ b/hosts/ildkule/disks.nix
@@ -0,0 +1,27 @@
 {
  disko.devices = {
    disk = {
      sda = {
        device = "/dev/sda";
        type = "disk";
        content = {
          type = "gpt";
          partitions = {
            bios = {
              size = "1M";
              type = "EF02";
            };
            root = {
              size = "100%";
              content = {
                type = "filesystem";
                format = "ext4";
                mountpoint = "/";
              };
            };
          };
        };
      };
    };
  };
 }
--- a/hosts/ildkule/hardware-configuration.nix
+++ b/hosts/ildkule/hardware-configuration.nix
@@ -1,16 +1,24 @@
-{ modulesPath, lib, ... }:
+# Do not modify this file!  It was generated by 'nixos-generate-config'
-{
+# and may be overwritten by future invocations.  Please make changes
-  imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
+# to /etc/nixos/configuration.nix instead.
-  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi" ];
+{ config, lib, pkgs, modulesPath, ... }:
  boot.initrd.kernelModules = [ "nvme" ];
  fileSystems."/" = {
    device = "/dev/disk/by-uuid/e35eb4ce-aac3-4f91-8383-6e7cd8bbf942";
    fsType = "ext4";
  };
  fileSystems."/data" = {
    device = "/dev/disk/by-uuid/0a4c1234-02d3-4b53-aeca-d95c4c8d534b";
    fsType = "ext4";
  };
 {
  imports =
    [ (modulesPath + "/profiles/qemu-guest.nix")
    ];
  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ "kvm-intel" ];
  boot.extraModulePackages = [ ];
  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
  # (the default) this is the recommended approach. When using systemd-networkd it's
  # still possible to use this option, but it's recommended to use it in conjunction
  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
  networking.useDHCP = lib.mkDefault true;
  # networking.interfaces.ens3.useDHCP = lib.mkDefault true;
  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
 }
--- a/hosts/ildkule/services/monitoring/dashboards/go-processes.json
+++ b/hosts/ildkule/services/monitoring/dashboards/go-processes.json
--- a/hosts/ildkule/services/monitoring/dashboards/mysql.json
+++ b/hosts/ildkule/services/monitoring/dashboards/mysql.json
@@ -13,7 +13,7 @@
    ]
  },
  "description": "",
-  "editable": true,
+  "editable": false,
  "gnetId": 11323,
  "graphTooltip": 1,
  "id": 31,
@@ -1899,7 +1899,7 @@
      "dashes": false,
      "datasource": "$datasource",
      "decimals": 0,
-      "description": "***System Memory***: Total Memory for the system.\\\n***InnoDB Buffer Pool Data***: InnoDB maintains a storage area called the buffer pool for caching data and indexes in memory.\\\n***TokuDB Cache Size***: Similar in function to the InnoDB Buffer Pool,  TokuDB will allocate 50% of the installed RAM for its own cache.\\\n***Key Buffer Size***: Index blocks for MYISAM tables are buffered and are shared by all threads. key_buffer_size is the size of the buffer used for index blocks.\\\n***Adaptive Hash Index Size***: When InnoDB notices that some index values are being accessed very frequently, it builds a hash index for them in memory on top of B-Tree indexes.\\\n ***Query Cache Size***: The query cache stores the text of a SELECT statement together with the corresponding result that was sent to the client. The query cache has huge scalability problems in that only one thread can do an operation in the query cache at the same time.\\\n***InnoDB Dictionary Size***: The data dictionary is InnoDB 's internal catalog of tables. InnoDB stores the data dictionary on disk, and loads entries into memory while the server is running.\\\n***InnoDB Log Buffer Size***: The MySQL InnoDB log buffer allows transactions to run without having to write the log to disk before the transactions commit.",
+      "description": "***System Memory***: Total Memory for the system.\\\n***InnoDB Buffer Pool Data***: InnoDB maintains a storage area called the buffer pool for caching data and indexes in memory.\\\n***TokuDB Cache Size***: Similar in function to the InnoDB Buffer Pool,  TokuDB will allocate 50% of the installed RAM for its own cache.\\\n***Key Buffer Size***: Index blocks for MYISAM tables are buffered and are shared by all threads. key_buffer_size is the size of the buffer used for index blocks.\\\n***Adaptive Hash Index Size***: When InnoDB notices that some index values are being accessed very frequently, it builds a hash index for them in memory on top of B-Tree indexes.\\\n ***Query Cache Size***: The query cache stores the text of a SELECT statement together with the corresponding result that was sent to the client. The query cache has huge scalability problems in that only one thread can do an operation in the query cache at the same time.\\\n***InnoDB Dictionary Size***: The data dictionary is InnoDB ‘s internal catalog of tables. InnoDB stores the data dictionary on disk, and loads entries into memory while the server is running.\\\n***InnoDB Log Buffer Size***: The MySQL InnoDB log buffer allows transactions to run without having to write the log to disk before the transactions commit.",
      "editable": true,
      "error": false,
      "fieldConfig": {
@@ -3690,7 +3690,7 @@
        },
        "hide": 0,
        "includeAll": false,
-        "label": "Data Source",
+        "label": "Data source",
        "multi": false,
        "name": "datasource",
        "options": [],
@@ -3713,12 +3713,12 @@
        "definition": "label_values(mysql_up, job)",
        "hide": 0,
        "includeAll": true,
-        "label": "job",
+        "label": "Job",
        "multi": true,
        "name": "job",
        "options": [],
        "query": "label_values(mysql_up, job)",
-        "refresh": 1,
+        "refresh": 2,
        "regex": "",
        "skipUrlSync": false,
        "sort": 0,
@@ -3742,12 +3742,12 @@
        "definition": "label_values(mysql_up, instance)",
        "hide": 0,
        "includeAll": true,
-        "label": "instance",
+        "label": "Instance",
        "multi": true,
        "name": "instance",
        "options": [],
        "query": "label_values(mysql_up, instance)",
-        "refresh": 1,
+        "refresh": 2,
        "regex": "",
        "skipUrlSync": false,
        "sort": 0,
--- a/hosts/ildkule/services/monitoring/dashboards/node-exporter-full.json
+++ b/hosts/ildkule/services/monitoring/dashboards/node-exporter-full.json
--- a/hosts/ildkule/services/monitoring/dashboards/postgres.json
+++ b/hosts/ildkule/services/monitoring/dashboards/postgres.json
@@ -328,7 +328,7 @@
        "rgba(50, 172, 45, 0.97)"
      ],
      "datasource": "${DS_PROMETHEUS}",
-      "format": "decbytes",
+      "format": "short",
      "gauge": {
        "maxValue": 100,
        "minValue": 0,
@@ -411,7 +411,7 @@
        "rgba(50, 172, 45, 0.97)"
      ],
      "datasource": "${DS_PROMETHEUS}",
-      "format": "decbytes",
+      "format": "short",
      "gauge": {
        "maxValue": 100,
        "minValue": 0,
@@ -1410,7 +1410,7 @@
      "tableColumn": "",
      "targets": [
        {
-          "expr": "pg_settings_seq_page_cost",
+          "expr": "pg_settings_seq_page_cost{instance=\"$instance\"}",
          "format": "time_series",
          "intervalFactor": 1,
          "refId": "A"
@@ -1872,7 +1872,7 @@
      },
      "yaxes": [
        {
-          "format": "bytes",
+          "format": "short",
          "label": null,
          "logBase": 1,
          "max": null,
@@ -1966,7 +1966,7 @@
      },
      "yaxes": [
        {
-          "format": "bytes",
+          "format": "short",
          "label": null,
          "logBase": 1,
          "max": null,
@@ -2060,7 +2060,7 @@
      },
      "yaxes": [
        {
-          "format": "bytes",
+          "format": "short",
          "label": null,
          "logBase": 1,
          "max": null,
@@ -2251,7 +2251,7 @@
      },
      "yaxes": [
        {
-          "format": "bytes",
+          "format": "short",
          "label": null,
          "logBase": 1,
          "max": null,
@@ -2439,7 +2439,7 @@
      },
      "yaxes": [
        {
-          "format": "bytes",
+          "format": "short",
          "label": null,
          "logBase": 1,
          "max": null,
@@ -2589,35 +2589,35 @@
      "steppedLine": false,
      "targets": [
        {
-          "expr": "irate(pg_stat_bgwriter_buffers_backend{instance=\"$instance\"}[5m])",
+          "expr": "irate(pg_stat_bgwriter_buffers_backend_total{instance=\"$instance\"}[5m])",
          "format": "time_series",
          "intervalFactor": 1,
          "legendFormat": "buffers_backend",
          "refId": "A"
        },
        {
-          "expr": "irate(pg_stat_bgwriter_buffers_alloc{instance=\"$instance\"}[5m])",
+          "expr": "irate(pg_stat_bgwriter_buffers_alloc_total{instance=\"$instance\"}[5m])",
          "format": "time_series",
          "intervalFactor": 1,
          "legendFormat": "buffers_alloc",
          "refId": "B"
        },
        {
-          "expr": "irate(pg_stat_bgwriter_buffers_backend_fsync{instance=\"$instance\"}[5m])",
+          "expr": "irate(pg_stat_bgwriter_buffers_backend_fsync_total{instance=\"$instance\"}[5m])",
          "format": "time_series",
          "intervalFactor": 1,
          "legendFormat": "backend_fsync",
          "refId": "C"
        },
        {
-          "expr": "irate(pg_stat_bgwriter_buffers_checkpoint{instance=\"$instance\"}[5m])",
+          "expr": "irate(pg_stat_bgwriter_buffers_checkpoint_total{instance=\"$instance\"}[5m])",
          "format": "time_series",
          "intervalFactor": 1,
          "legendFormat": "buffers_checkpoint",
          "refId": "D"
        },
        {
-          "expr": "irate(pg_stat_bgwriter_buffers_clean{instance=\"$instance\"}[5m])",
+          "expr": "irate(pg_stat_bgwriter_buffers_clean_total{instance=\"$instance\"}[5m])",
          "format": "time_series",
          "intervalFactor": 1,
          "legendFormat": "buffers_clean",
@@ -2886,14 +2886,14 @@
      "steppedLine": false,
      "targets": [
        {
-          "expr": "irate(pg_stat_bgwriter_checkpoint_write_time{instance=\"$instance\"}[5m])",
+          "expr": "irate(pg_stat_bgwriter_checkpoint_write_time_total{instance=\"$instance\"}[5m])",
          "format": "time_series",
          "intervalFactor": 1,
          "legendFormat": "write_time - Total amount of time that has been spent in the portion of checkpoint processing where files are written to disk.",
          "refId": "B"
        },
        {
-          "expr": "irate(pg_stat_bgwriter_checkpoint_sync_time{instance=\"$instance\"}[5m])",
+          "expr": "irate(pg_stat_bgwriter_checkpoint_sync_time_total{instance=\"$instance\"}[5m])",
          "format": "time_series",
          "intervalFactor": 1,
          "legendFormat": "sync_time - Total amount of time that has been spent in the portion of checkpoint processing where files are synchronized to disk.",
--- a/hosts/ildkule/services/monitoring/dashboards/synapse.json
+++ b/hosts/ildkule/services/monitoring/dashboards/synapse.json
--- a/hosts/ildkule/services/monitoring/grafana.nix
+++ b/hosts/ildkule/services/monitoring/grafana.nix
@@ -47,13 +47,13 @@ in {
        {
          name = "Node Exporter Full";
          type = "file";
-          url = "https://grafana.com/api/dashboards/1860/revisions/29/download";
+          url = "https://grafana.com/api/dashboards/1860/revisions/42/download";
          options.path = dashboards/node-exporter-full.json;
        }
        {
          name = "Matrix Synapse";
          type = "file";
-          url = "https://raw.githubusercontent.com/matrix-org/synapse/develop/contrib/grafana/synapse.json";
+          url = "https://github.com/element-hq/synapse/raw/refs/heads/develop/contrib/grafana/synapse.json";
          options.path = dashboards/synapse.json;
        }
        {
@@ -65,15 +65,9 @@ in {
        {
          name = "Postgresql";
          type = "file";
-          url = "https://grafana.com/api/dashboards/9628/revisions/7/download";
+          url = "https://grafana.com/api/dashboards/9628/revisions/8/download";
          options.path = dashboards/postgres.json;
        }
        {
          name = "Go Processes (gogs)";
          type = "file";
          url = "https://grafana.com/api/dashboards/240/revisions/3/download";
          options.path = dashboards/go-processes.json;
        }
        {
          name = "Gitea Dashboard";
          type = "file";
--- a/hosts/ildkule/services/monitoring/prometheus/default.nix
+++ b/hosts/ildkule/services/monitoring/prometheus/default.nix
@@ -21,6 +21,7 @@ in {
  fileSystems."/var/lib/prometheus2" = {
    device = stateDir;
    fsType = "bind";
    options = [ "bind" ];
  };
 }
--- a/hosts/ildkule/services/monitoring/prometheus/machines.nix
+++ b/hosts/ildkule/services/monitoring/prometheus/machines.nix
@@ -19,15 +19,15 @@ in {
      (mkHostScrapeConfig "bicep" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
      (mkHostScrapeConfig "brzeczyszczykiewicz" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
      (mkHostScrapeConfig "georg" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
      (mkHostScrapeConfig "gluttony" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
      (mkHostScrapeConfig "kommode" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
      (mkHostScrapeConfig "ustetind" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
      (mkHostScrapeConfig "wenche" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
      (mkHostScrapeConfig "lupine-1" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
-      # (mkHostScrapeConfig "lupine-2" [ defaultNodeExporterPort defaultSystemdExporterPort ])
+      (mkHostScrapeConfig "lupine-2" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
      (mkHostScrapeConfig "lupine-3" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
      (mkHostScrapeConfig "lupine-4" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
      (mkHostScrapeConfig "lupine-5" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
      (mkHostScrapeConfig "temmie" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
      (mkHostScrapeConfig "wenche" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
      (mkHostScrapeConfig "hildring" [ defaultNodeExporterPort ])
      (mkHostScrapeConfig "isvegg" [ defaultNodeExporterPort ])
--- a/hosts/ildkule/services/monitoring/uptime-kuma.nix
+++ b/hosts/ildkule/services/monitoring/uptime-kuma.nix
@@ -19,8 +19,9 @@ in {
    locations."/".proxyPass = "http://${cfg.settings.HOST}:${cfg.settings.PORT}";
  };
-  fileSystems."/var/lib/uptime-kuma" = {
+  fileSystems."/var/lib/private/uptime-kuma" = {
    device = stateDir;
    fsType = "bind";
    options = [ "bind" ];
  };
 }
--- a/hosts/kommode/configuration.nix
+++ b/hosts/kommode/configuration.nix
@@ -4,6 +4,7 @@
    # Include the results of the hardware scan.
    ./hardware-configuration.nix
    (fp /base)
    ./disks.nix
    ./services/gitea
    ./services/nginx.nix
--- a/hosts/kommode/disks.nix
+++ b/hosts/kommode/disks.nix
@@ -0,0 +1,80 @@
 { lib, ... }:
 {
  disko.devices = {
    disk = {
      sda = {
        type = "disk";
        device = "/dev/sda";
        content = {
          type = "gpt";
          partitions = {
            root = {
              name = "root";
              label = "root";
              start = "1MiB";
              end = "-5G";
              content = {
                type = "btrfs";
                extraArgs = [ "-f" ]; # Override existing partition
                # subvolumes = let
                #   makeSnapshottable = subvolPath: mountOptions: let
                #     name = lib.replaceString "/" "-" subvolPath;
                #   in {
                #     "@${name}/active" = {
                #       mountpoint = subvolPath;
                #       inherit mountOptions;
                #     };
                #     "@${name}/snapshots" = {
                #       mountpoint = "${subvolPath}/.snapshots";
                #       inherit mountOptions;
                #     };
                #   };
                # in {
                #   "@" = { };
                #   "@/swap" = {
                #     mountpoint = "/.swapvol";
                #     swap.swapfile.size = "4G";
                #   };
                #   "@/root" = {
                #     mountpoint = "/";
                #     mountOptions = [ "compress=zstd" "noatime" ];
                #   };
                # }
                # // (makeSnapshottable "/home" [ "compress=zstd" "noatime" ])
                # // (makeSnapshottable "/nix" [ "compress=zstd" "noatime" ])
                # // (makeSnapshottable "/var/lib" [ "compress=zstd" "noatime" ])
                # // (makeSnapshottable "/var/log" [ "compress=zstd" "noatime" ])
                # // (makeSnapshottable "/var/cache" [ "compress=zstd" "noatime" ]);
                # swap.swapfile.size = "4G";
                mountpoint = "/";
              };
            };
            swap = {
              name = "swap";
              label = "swap";
              start = "-5G";
              end = "-1G";
              content.type = "swap";
            };
            ESP = {
              name = "ESP";
              label = "ESP";
              start = "-1G";
              end = "100%";
              type = "EF00";
              content = {
                type = "filesystem";
                format = "vfat";
                mountpoint = "/boot";
                mountOptions = [ "umask=0077" ];
              };
            };
          };
        };
      };
    };
  };
 }
--- a/hosts/kommode/hardware-configuration.nix
+++ b/hosts/kommode/hardware-configuration.nix
@@ -13,21 +13,6 @@
  boot.kernelModules = [ ];
  boot.extraModulePackages = [ ];
  fileSystems."/" =
    { device = "/dev/disk/by-uuid/d421538f-a260-44ae-8e03-47cac369dcc1";
      fsType = "btrfs";
    };
  fileSystems."/boot" =
    { device = "/dev/disk/by-uuid/86CD-4C23";
      fsType = "vfat";
      options = [ "fmask=0077" "dmask=0077" ];
    };
  swapDevices =
    [ { device = "/dev/disk/by-uuid/4cfbb41e-801f-40dd-8c58-0a0c1a6025f6"; }
    ];
  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
  # (the default) this is the recommended approach. When using systemd-networkd it's
  # still possible to use this option, but it's recommended to use it in conjunction
--- a/hosts/kommode/services/gitea/customization/default.nix
+++ b/hosts/kommode/services/gitea/customization/default.nix
@@ -10,6 +10,59 @@ in
    catppuccin = pkgs.gitea-theme-catppuccin;
  };
  services.gitea.settings = {
    ui = {
      DEFAULT_THEME = "gitea-auto";
      REACTIONS = lib.concatStringsSep "," [
        "+1"
        "-1"
        "laugh"
        "confused"
        "heart"
        "hooray"
        "rocket"
        "eyes"
        "100"
        "anger"
        "astonished"
        "no_good"
        "ok_hand"
        "pensive"
        "pizza"
        "point_up"
        "sob"
        "skull"
        "upside_down_face"
        "shrug"
        "huh"
        "bruh"
        "okiedokie"
        "grr"
      ];
      CUSTOM_EMOJIS = lib.concatStringsSep "," [
        "bruh"
        "grr"
        "huh"
        "ohyeah"
      ];
    };
    "ui.meta" = {
      AUTHOR = "Programvareverkstedet";
      DESCRIPTION = "Bokstavelig talt programvareverkstedet";
      KEYWORDS = lib.concatStringsSep "," [
        "git"
        "hackerspace"
        "nix"
        "open source"
        "foss"
        "organization"
        "software"
        "student"
      ];
    };
  };
  systemd.services.gitea-customization = lib.mkIf cfg.enable {
    description = "Install extra customization in gitea's CUSTOM_DIR";
    wantedBy = [ "gitea.service" ];
@@ -46,18 +99,23 @@ in
        ];
      } ''
        # Bigger icons
-        install -Dm444 "${cfg.package.src}/templates/repo/icon.tmpl" "$out/repo/icon.tmpl"
+        install -Dm444 '${cfg.package.src}/templates/repo/icon.tmpl' "$out/repo/icon.tmpl"
        sed -i -e 's/24/60/g' "$out/repo/icon.tmpl"
      '';
    in ''
-      install -Dm444 ${logo-svg} ${cfg.customDir}/public/assets/img/logo.svg
+      install -Dm444 '${logo-svg}' '${cfg.customDir}/public/assets/img/logo.svg'
-      install -Dm444 ${logo-png} ${cfg.customDir}/public/assets/img/logo.png
+      install -Dm444 '${logo-png}' '${cfg.customDir}/public/assets/img/logo.png'
-      install -Dm444 ${./loading.apng} ${cfg.customDir}/public/assets/img/loading.png
+      install -Dm444 '${./loading.apng}' '${cfg.customDir}/public/assets/img/loading.png'
-      install -Dm444 ${extraLinks} ${cfg.customDir}/templates/custom/extra_links.tmpl
+      install -Dm444 '${extraLinks}' '${cfg.customDir}/templates/custom/extra_links.tmpl'
-      install -Dm444 ${extraLinksFooter} ${cfg.customDir}/templates/custom/extra_links_footer.tmpl
+      install -Dm444 '${extraLinksFooter}' '${cfg.customDir}/templates/custom/extra_links_footer.tmpl'
-      install -Dm444 ${project-labels} ${cfg.customDir}/options/label/project-labels.yaml
+      install -Dm444 '${project-labels}' '${cfg.customDir}/options/label/project-labels.yaml'
-      "${lib.getExe pkgs.rsync}" -a "${customTemplates}/" ${cfg.customDir}/templates/
+      install -Dm644 '${./emotes/bruh.png}' '${cfg.customDir}/public/assets/img/emoji/bruh.png'
      install -Dm644 '${./emotes/huh.gif}' '${cfg.customDir}/public/assets/img/emoji/huh.png'
      install -Dm644 '${./emotes/grr.png}' '${cfg.customDir}/public/assets/img/emoji/grr.png'
      install -Dm644 '${./emotes/okiedokie.jpg}' '${cfg.customDir}/public/assets/img/emoji/okiedokie.png'
      '${lib.getExe pkgs.rsync}' -a '${customTemplates}/' '${cfg.customDir}/templates/'
    '';
  };
 }
--- a/hosts/kommode/services/gitea/customization/emotes/bruh.png
+++ b/hosts/kommode/services/gitea/customization/emotes/bruh.png
--- a/hosts/kommode/services/gitea/customization/emotes/grr.png
+++ b/hosts/kommode/services/gitea/customization/emotes/grr.png
--- a/hosts/kommode/services/gitea/customization/emotes/huh.gif
+++ b/hosts/kommode/services/gitea/customization/emotes/huh.gif
--- a/hosts/kommode/services/gitea/customization/emotes/okiedokie.jpg
+++ b/hosts/kommode/services/gitea/customization/emotes/okiedokie.jpg
--- a/hosts/kommode/services/gitea/default.nix
+++ b/hosts/kommode/services/gitea/default.nix
@@ -83,11 +83,24 @@ in {
        AUTO_WATCH_NEW_REPOS = false;
      };
      admin.DEFAULT_EMAIL_NOTIFICATIONS = "onmention";
      session.COOKIE_SECURE = true;
      security = {
        SECRET_KEY = lib.mkForce "";
        SECRET_KEY_URI = "file:${config.sops.secrets."gitea/secret-key".path}";
      };
      cache = {
        ADAPTER = "redis";
        HOST = "redis+socket://${config.services.redis.servers.gitea.unixSocket}?db=0";
        ITEM_TTL = "72h";
      };
      session = {
        COOKIE_SECURE = true;
        PROVIDER = "redis";
        PROVIDER_CONFIG = "redis+socket://${config.services.redis.servers.gitea.unixSocket}?db=1";
      };
      queue = {
        TYPE = "redis";
        CONN_STR = "redis+socket://${config.services.redis.servers.gitea.unixSocket}?db=2";
      };
      database.LOG_SQL = false;
      repository = {
        PREFERRED_LICENSES = lib.concatStringsSep "," [
@@ -118,41 +131,14 @@ in {
          "repo.pulls"
          "repo.releases"
        ];
        ALLOW_FORK_INTO_SAME_OWNER = true;
      };
      picture = {
        DISABLE_GRAVATAR = true;
        ENABLE_FEDERATED_AVATAR = false;
        AVATAR_MAX_FILE_SIZE = 1024 * 1024 * 5;
        # NOTE: go any bigger than this, and gitea will freeze your gif >:(
        AVATAR_MAX_ORIGIN_SIZE = 1024 * 1024 * 2;
      };
      actions.ENABLED = true;
      ui = {
        REACTIONS = lib.concatStringsSep "," [
          "+1"
          "-1"
          "laugh"
          "confused"
          "heart"
          "hooray"
          "rocket"
          "eyes"
          "100"
          "anger"
          "astonished"
          "no_good"
          "ok_hand"
          "pensive"
          "pizza"
          "point_up"
          "sob"
          "skull"
          "upside_down_face"
          "shrug"
        ];
      };
      "ui.meta".DESCRIPTION = "Bokstavelig talt programvareverkstedet";
    };
    dump = {
@@ -164,12 +150,26 @@ in {
  environment.systemPackages = [ cfg.package ];
-  systemd.services.gitea.serviceConfig.CPUSchedulingPolicy = "batch";
+  systemd.services.gitea = lib.mkIf cfg.enable {
    wants = [ "redis-gitea.service" ];
    after = [ "redis-gitea.service" ];
-  systemd.services.gitea.serviceConfig.CacheDirectory = "gitea/repo-archive";
+    serviceConfig = {
-  systemd.services.gitea.serviceConfig.BindPaths = [
+      CPUSchedulingPolicy = "batch";
      CacheDirectory = "gitea/repo-archive";
      BindPaths = [
        "%C/gitea/repo-archive:${cfg.stateDir}/data/repo-archive"
      ];
    };
  };
  services.redis.servers.gitea = lib.mkIf cfg.enable {
    enable = true;
    user = config.services.gitea.user;
    save = [ ];
    openFirewall = false;
    port = 5698;
  };
  services.nginx.virtualHosts."${domain}" = {
    forceSSL = true;
@@ -195,9 +195,26 @@ in {
  networking.firewall.allowedTCPPorts = [ sshPort ];
  services.rsync-pull-targets = {
    enable = true;
    locations.${cfg.dump.backupDir} = {
      user = "root";
      rrsyncArgs.ro = true;
      authorizedKeysAttrs = [
        "restrict"
        "from=\"principal.pvv.ntnu.no,${values.hosts.principal.ipv6},${values.hosts.principal.ipv4}\""
        "no-agent-forwarding"
        "no-port-forwarding"
        "no-pty"
        "no-X11-forwarding"
      ];
      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGpMVrOppyqYaDiAhqmAuOaRsubFvcQGBGyz+NHB6+0o gitea rsync backup";
    };
  };
  systemd.services.gitea-dump = {
    serviceConfig.ExecStart = let
-      args = lib.cli.toGNUCommandLineShell { } {
+      args = lib.cli.toCommandLineShellGNU { } {
        type = cfg.dump.type;
        # This should be declarative on nixos, no need to backup.
@@ -209,16 +226,11 @@ in {
        # Logs are stored in the systemd journal
        skip-log = true;
      };
-    in lib.mkForce "${lib.getExe cfg.package} ${args}";
+    in lib.mkForce "${lib.getExe cfg.package} dump ${args}";
-    # Only keep n backup files at a time
+    # Only keep a single backup file at a time.
-    postStop = let
+    postStop = ''
-      cu = prog: "'${lib.getExe' pkgs.coreutils prog}'";
+      ${lib.getExe' pkgs.coreutils "mv"} '${cfg.dump.backupDir}'/gitea-dump-*.tar.gz gitea-dump.tar.gz
      backupCount = 3;
    in ''
      for file in $(${cu "ls"} -t1 '${cfg.dump.backupDir}' | ${cu "sort"} --reverse | ${cu "tail"} -n+${toString (backupCount + 1)}); do
        ${cu "rm"} "$file"
      done
    '';
  };
 }
--- a/hosts/kommode/services/gitea/web-secret-provider/default.nix
+++ b/hosts/kommode/services/gitea/web-secret-provider/default.nix
@@ -28,7 +28,7 @@ in
  users.users."gitea-web" = {
    group = "gitea-web";
    isSystemUser = true;
-    shell = pkgs.bash;
+    useDefaultShell = true;
  };
  sops.secrets."gitea/web-secret-provider/token" = {
@@ -53,7 +53,7 @@ in
      Slice = "system-giteaweb.slice";
      Type = "oneshot";
      ExecStart = let
-        args = lib.cli.toGNUCommandLineShell { } {
+        args = lib.cli.toCommandLineShellGNU { } {
          org = "%i";
          token-path = "%d/token";
          api-url = "${giteaCfg.settings.server.ROOT_URL}api/v1";
--- a/hosts/lupine/configuration.nix
+++ b/hosts/lupine/configuration.nix
@@ -1,10 +1,9 @@
-{ fp, values, lupineName, ... }:
+{ fp, values, lib, lupineName, ... }:
 {
  imports = [
    ./hardware-configuration/${lupineName}.nix
    (fp /base)
    ./services/gitea-runner.nix
  ];
--- a/hosts/lupine/hardware-configuration/lupine-1.nix
+++ b/hosts/lupine/hardware-configuration/lupine-1.nix
@@ -14,27 +14,28 @@
  boot.extraModulePackages = [ ];
  fileSystems."/" =
-    { device = "/dev/disk/by-uuid/a949e2e8-d973-4925-83e4-bcd815e65af7";
+    { device = "/dev/disk/by-uuid/e88adbb7-de01-4f9b-b338-fffed743c259";
-      fsType = "ext4";
+      fsType = "btrfs";
      options = [ "subvol=@root" "compress=zstd" ];
    };
  fileSystems."/nix" =
    { device = "/dev/disk/by-uuid/e88adbb7-de01-4f9b-b338-fffed743c259";
      fsType = "btrfs";
      options = [ "subvol=@nix" "compress=zstd" "noatime" ];
    };
  fileSystems."/boot" =
    { device = "/dev/disk/by-uuid/81D6-38D3";
      fsType = "vfat";
-      options = [ "fmask=0077" "dmask=0077" ];
+      options = [ "fmask=0022" "dmask=0022" ];
    };
  swapDevices =
    [ { device = "/dev/disk/by-uuid/82c2d7fa-7cd0-4398-8cf6-c892bc56264b"; }
    ];
  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
  # (the default) this is the recommended approach. When using systemd-networkd it's
  # still possible to use this option, but it's recommended to use it in conjunction
  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
  networking.useDHCP = lib.mkDefault true;
  # networking.interfaces.enp0s31f6.useDHCP = lib.mkDefault true;
  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 }
--- a/hosts/lupine/hardware-configuration/lupine-2.nix
+++ b/hosts/lupine/hardware-configuration/lupine-2.nix
@@ -14,27 +14,27 @@
  boot.extraModulePackages = [ ];
  fileSystems."/" =
-    { device = "/dev/disk/by-uuid/aa81d439-800b-403d-ac10-9d2aac3619d0";
+    { device = "/dev/disk/by-uuid/ab2e1a13-8e95-48d8-970c-64fa2fab52d0";
-      fsType = "ext4";
+      fsType = "btrfs";
      options = [ "subvol=@root" "compress=zstd" ];
    };
  fileSystems."/nix" =
    { device = "/dev/disk/by-uuid/ab2e1a13-8e95-48d8-970c-64fa2fab52d0";
      fsType = "btrfs";
      options = [ "subvol=@nix" "noatime" "compress=zstd" ];
    };
  fileSystems."/boot" =
    { device = "/dev/disk/by-uuid/4A34-6AE5";
      fsType = "vfat";
-      options = [ "fmask=0077" "dmask=0077" ];
+      options = [ "fmask=0022" "dmask=0022" ];
    };
  swapDevices =
    [ { device = "/dev/disk/by-uuid/efb7cd0c-c1ae-4a86-8bc2-8e7fd0066650"; }
    ];
  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
  # (the default) this is the recommended approach. When using systemd-networkd it's
  # still possible to use this option, but it's recommended to use it in conjunction
  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
  networking.useDHCP = lib.mkDefault true;
  # networking.interfaces.enp0s31f6.useDHCP = lib.mkDefault true;
  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 }
--- a/hosts/lupine/hardware-configuration/lupine-3.nix
+++ b/hosts/lupine/hardware-configuration/lupine-3.nix
@@ -14,27 +14,28 @@
  boot.extraModulePackages = [ ];
  fileSystems."/" =
-    { device = "/dev/disk/by-uuid/39ba059b-3205-4701-a832-e72c0122cb88";
+    { device = "/dev/disk/by-uuid/0a5bda7c-af55-4d3d-9135-7f7cbb78004d";
-      fsType = "ext4";
+      fsType = "btrfs";
      options = [ "subvol=@root" "compress=zstd" ];
    };
  fileSystems."/nix" =
    { device = "/dev/disk/by-uuid/0a5bda7c-af55-4d3d-9135-7f7cbb78004d";
      fsType = "btrfs";
      options = [ "subvol=@nix" "noatime" "compress=zstd" ];
    };
  fileSystems."/boot" =
    { device = "/dev/disk/by-uuid/63FA-297B";
      fsType = "vfat";
-      options = [ "fmask=0077" "dmask=0077" ];
+      options = [ "fmask=0022" "dmask=0022" ];
    };
  swapDevices =
    [ { device = "/dev/disk/by-uuid/9c72eb54-ea8c-4b09-808a-8be9b9a33869"; }
    ];
  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
  # (the default) this is the recommended approach. When using systemd-networkd it's
  # still possible to use this option, but it's recommended to use it in conjunction
  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
  networking.useDHCP = lib.mkDefault true;
  # networking.interfaces.enp0s31f6.useDHCP = lib.mkDefault true;
  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 }
--- a/hosts/lupine/hardware-configuration/lupine-4.nix
+++ b/hosts/lupine/hardware-configuration/lupine-4.nix
@@ -14,21 +14,27 @@
  boot.extraModulePackages = [ ];
  fileSystems."/" =
-    { device = "/dev/disk/by-uuid/c7bbb293-a0a3-4995-8892-0ec63e8c67dd";
+    { device = "/dev/disk/by-uuid/fcd51970-f040-4c45-94cf-2b372d4599a2";
-      fsType = "ext4";
+      fsType = "btrfs";
      options = [ "subvol=@root" "compress=zstd" ];
    };
  fileSystems."/nix" =
    { device = "/dev/disk/by-uuid/fcd51970-f040-4c45-94cf-2b372d4599a2";
      fsType = "btrfs";
      options = [ "subvol=@nix" "noatime" "compress=zstd" ];
    };
  fileSystems."/boot" =
    { device = "/dev/disk/by-uuid/A22E-E41A";
      fsType = "vfat";
      options = [ "fmask=0022" "dmask=0022" ];
    };
  swapDevices =
    [ { device = "/dev/disk/by-uuid/a86ffda8-8ecb-42a1-bf9f-926072e90ca5"; }
    ];
  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
  # (the default) this is the recommended approach. When using systemd-networkd it's
  # still possible to use this option, but it's recommended to use it in conjunction
  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
  networking.useDHCP = lib.mkDefault true;
  # networking.interfaces.enp0s31f6.useDHCP = lib.mkDefault true;
  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 }
--- a/hosts/lupine/hardware-configuration/lupine-5.nix
+++ b/hosts/lupine/hardware-configuration/lupine-5.nix
@@ -14,27 +14,27 @@
  boot.extraModulePackages = [ ];
  fileSystems."/" =
-    { device = "/dev/disk/by-uuid/5f8418ad-8ec1-4f9e-939e-f3a4c36ef343";
+    { device = "/dev/disk/by-uuid/85830e14-e2c8-4f04-95fa-d6ab22840bc7";
-      fsType = "ext4";
+      fsType = "btrfs";
      options = [ "subvol=@root" "compress=zstd" ];
    };
  fileSystems."/nix" =
    { device = "/dev/disk/by-uuid/85830e14-e2c8-4f04-95fa-d6ab22840bc7";
      fsType = "btrfs";
      options = [ "subvol=@nix" "noatime" "compress=zstd" ];
    };
  fileSystems."/boot" =
    { device = "/dev/disk/by-uuid/F372-37DF";
      fsType = "vfat";
-      options = [ "fmask=0077" "dmask=0077" ];
+      options = [ "fmask=0022" "dmask=0022" ];
    };
  swapDevices =
    [ { device = "/dev/disk/by-uuid/27bf292d-bbb3-48c4-a86e-456e0f1f648f"; }
    ];
  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
  # (the default) this is the recommended approach. When using systemd-networkd it's
  # still possible to use this option, but it's recommended to use it in conjunction
  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
  networking.useDHCP = lib.mkDefault true;
  # networking.interfaces.enp0s31f6.useDHCP = lib.mkDefault true;
  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 }
--- a/hosts/lupine/services/gitea-runner.nix
+++ b/hosts/lupine/services/gitea-runner.nix
@@ -39,17 +39,22 @@
        "debian-bullseye-slim:docker://node:current-bullseye-slim"
        "alpine-latest:docker://node:current-alpine"
        "alpine-3.23:docker://node:current-alpine3.23"
        "alpine-3.22:docker://node:current-alpine3.22"
        "alpine-3.21:docker://node:current-alpine3.21"
        # See https://gitea.com/gitea/runner-images
        "ubuntu-latest:docker://docker.gitea.com/runner-images:ubuntu-latest"
        "ubuntu-26.04:docker://docker.gitea.com/runner-images:ubuntu-26.04"
        "ubuntu-resolute:docker://docker.gitea.com/runner-images:ubuntu-26.04"
        "ubuntu-24.04:docker://docker.gitea.com/runner-images:ubuntu-24.04"
        "ubuntu-noble:docker://docker.gitea.com/runner-images:ubuntu-24.04"
        "ubuntu-22.04:docker://docker.gitea.com/runner-images:ubuntu-22.04"
        "ubuntu-jammy:docker://docker.gitea.com/runner-images:ubuntu-22.04"
        "ubuntu-latest-slim:docker://docker.gitea.com/runner-images:ubuntu-latest-slim"
        "ubuntu-26.04-slim:docker://docker.gitea.com/runner-images:ubuntu-26.04-slim"
        "ubuntu-resolute-slim:docker://docker.gitea.com/runner-images:ubuntu-26.04-slim"
        "ubuntu-24.04-slim:docker://docker.gitea.com/runner-images:ubuntu-24.04-slim"
        "ubuntu-noble-slim:docker://docker.gitea.com/runner-images:ubuntu-24.04-slim"
        "ubuntu-22.04-slim:docker://docker.gitea.com/runner-images:ubuntu-22.04-slim"
--- a/hosts/shark/configuration.nix
+++ b/hosts/shark/configuration.nix
@@ -15,5 +15,5 @@
  # Don't change (even during upgrades) unless you know what you are doing.
  # See https://search.nixos.org/options?show=system.stateVersion
-  system.stateVersion = "23.05";
+  system.stateVersion = "25.11";
 }
--- a/hosts/skrot/configuration.nix
+++ b/hosts/skrot/configuration.nix
@@ -0,0 +1,63 @@
 {
  fp,
  lib,
  config,
  values,
  ...
 }:
 {
  imports = [
    # Include the results of the hardware scan.
    ./hardware-configuration.nix
    ./disk-config.nix
    (fp /base)
  ];
  boot.consoleLogLevel = 0;
  sops.defaultSopsFile = fp /secrets/skrot/skrot.yaml;
  systemd.network.networks."enp2s0" = values.defaultNetworkConfig // {
    matchConfig.Name = "enp2s0";
    address = with values.hosts.skrot; [
      (ipv4 + "/25")
      (ipv6 + "/64")
    ];
  };
  sops.secrets = {
    "dibbler/postgresql/password" = {
      owner = "dibbler";
      group = "dibbler";
    };
  };
  services.dibbler = {
    enable = true;
    kioskMode = true;
    limitScreenWidth = 80;
    limitScreenHeight = 42;
    settings = {
      general.quit_allowed = false;
      database = {
        type = "postgresql";
        postgresql = {
          username = "pvv_vv";
          dbname = "pvv_vv";
          host = "postgres.pvv.ntnu.no";
          password_file = config.sops.secrets."dibbler/postgresql/password".path;
        };
      };
    };
  };
  systemd.services."serial-getty@ttyUSB0" = lib.mkIf (!config.virtualisation.isVmVariant) {
    enable = true;
    wantedBy = [ "getty.target" ]; # to start at boot
    serviceConfig.Restart = "always"; # restart when session is closed
  };
  system.stateVersion = "25.11"; # Did you read the comment? Nah bro
 }
--- a/hosts/skrot/disk-config.nix
+++ b/hosts/skrot/disk-config.nix
@@ -0,0 +1,41 @@
 {
  disko.devices = {
    disk = {
      main = {
        device = "/dev/sda";
        type = "disk";
        content = {
          type = "gpt";
          partitions = {
            ESP = {
              type = "EF00";
              size = "1G";
              content = {
                type = "filesystem";
                format = "vfat";
                mountpoint = "/boot";
                mountOptions = [ "umask=0077" ];
              };
            };
            plainSwap = {
              size = "8G";
              content = {
                type = "swap";
                discardPolicy = "both";
                resumeDevice = false;
              };
            };
            root = {
              size = "100%";
              content = {
                type = "filesystem";
                format = "ext4";
                mountpoint = "/";
              };
            };
          };
        };
      };
    };
  };
 }
--- a/hosts/skrot/hardware-configuration.nix
+++ b/hosts/skrot/hardware-configuration.nix
@@ -0,0 +1,15 @@
 { config, lib, pkgs, modulesPath, ... }:
 {
  imports =
    [ (modulesPath + "/installer/scan/not-detected.nix")
    ];
  boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "sd_mod" ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ "kvm-amd" ];
  boot.extraModulePackages = [ ];
  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 }
--- a/hosts/skrott/configuration.nix
+++ b/hosts/skrott/configuration.nix
@@ -1,77 +0,0 @@
 { config, pkgs, lib, fp, values, ... }: {
  imports = [
    # ./hardware-configuration.nix
    (fp /base)
  ];
  sops.defaultSopsFile = fp /secrets/skrott/skrott.yaml;
  boot = {
    consoleLogLevel = 0;
    enableContainers = false;
    loader.grub.enable = false;
    loader.systemd-boot.enable = false;
    kernelPackages = pkgs.linuxPackages;
  };
  # Now turn off a bunch of stuff lol
  system.autoUpgrade.enable = lib.mkForce false;
  services.irqbalance.enable = lib.mkForce false;
  services.logrotate.enable = lib.mkForce false;
  services.nginx.enable = lib.mkForce false;
  services.postfix.enable = lib.mkForce false;
  # TODO: can we reduce further?
  sops.secrets = {
    "dibbler/postgresql/url" = {
      owner = "dibbler";
      group = "dibbler";
    };
  };
  # zramSwap.enable = true;
  networking = {
    hostName = "skrot";
    interfaces.eth0 = {
      useDHCP = false;
      ipv4.addresses = [{
        address = values.hosts.skrott.ipv4;
        prefixLength = 25;
      }];
      ipv6.addresses = [{
        address = values.hosts.skrott.ipv6;
        prefixLength = 25;
      }];
    };
  };
  services.dibbler = {
    enable = true;
    kioskMode = true;
    limitScreenWidth = 80;
    limitScreenHeight = 42;
    settings = {
      general.quit_allowed = false;
      database.url = config.sops.secrets."dibbler/postgresql/url".path;
    };
  };
  # https://github.com/NixOS/nixpkgs/issues/84105
  boot.kernelParams = [
    "console=ttyUSB0,9600"
    # "console=tty1" # Already part of the module
  ];
  systemd.services."serial-getty@ttyUSB0" = {
    enable = true;
    wantedBy = [ "getty.target" ]; # to start at boot
    serviceConfig.Restart = "always"; # restart when session is closed
  };
  # Don't change (even during upgrades) unless you know what you are doing.
  # See https://search.nixos.org/options?show=system.stateVersion
  system.stateVersion = "25.05";
 }
--- a/hosts/temmie/configuration.nix
+++ b/hosts/temmie/configuration.nix
@@ -6,7 +6,7 @@
    (fp /base)
    ./services/nfs-mounts.nix
-    ./services/userweb.nix
+    ./services/userweb
  ];
  systemd.network.networks."30-ens18" = values.defaultNetworkConfig // {
--- a/hosts/temmie/services/nfs-mounts.nix
+++ b/hosts/temmie/services/nfs-mounts.nix
@@ -52,9 +52,6 @@ in
      # TODO: are there cgi scripts that modify stuff in peoples homedirs?
      # "ro"
      "rw"
      # TODO: can we enable this and still run cgi stuff?
      # "noexec"
    ];
  }) letters;
 }
--- a/hosts/temmie/services/userweb.nix
+++ b/hosts/temmie/services/userweb.nix
@@ -1,29 +0,0 @@
 { ... }:
 {
  services.httpd = {
    enable = true;
    # extraModules = [];
    # virtualHosts."userweb.pvv.ntnu.no" = {
    virtualHosts."temmie.pvv.ntnu.no" = {
      forceSSL = true;
      enableACME = true;
    };
  };
  systemd.services.httpd = {
    after = [ "pvv-homedirs.target" ];
    requires = [ "pvv-homedirs.target" ];
    serviceConfig = {
      ProtectHome = "tmpfs";
      BindPaths = let
        letters = [ "a" "b" "c" "d"  "h" "i" "j" "k" "l" "m" "z" ];
      in map (l: "/run/pvv-home-mounts/${l}:/home/pvv/${l}") letters;
    };
  };
  # TODO: create phpfpm pools with php environments that contain packages similar to those present on tom
 }
--- a/hosts/temmie/services/userweb/default.nix
+++ b/hosts/temmie/services/userweb/default.nix
@@ -0,0 +1,352 @@
 { config, lib, pkgs, ... }:
 let
  cfg = config.services.httpd;
  homeLetters = [ "a" "b" "c" "d" "h" "i" "j" "k" "l" "m" "z" ];
  phpOptions = lib.concatStringsSep "\n" (lib.mapAttrsToList (k: v: "${k} = ${v}"){
    display_errors = "Off";
    display_startup_errors = "Off";
    post_max_size = "40M";
    upload_max_filesize = "40M";
  });
  # https://nixos.org/manual/nixpkgs/stable/#ssec-php-user-guide-installing-with-extensions
  phpEnv = pkgs.php.buildEnv {
    extensions = { all, ... }: with all; [
      bz2
      curl
      decimal
      gd
      imagick
      mysqli
      mysqlnd
      pgsql
      posix
      protobuf sqlite3
      uuid
      xml
      xsl
      zlib
      zstd
      pdo
      pdo_mysql
      pdo_pgsql
      pdo_sqlite
    ];
    extraConfig = phpOptions;
  };
  perlEnv = pkgs.perl.withPackages (ps: with ps; [
    pkgs.exiftool
    pkgs.ikiwiki
    pkgs.irssi
    pkgs.nix.libs.nix-perl-bindings
    CGI
    DBDPg
    DBDSQLite
    DBDmysql
    DBI
    Git
    ImageMagick
    JSON
    TemplateToolkit
  ]);
  # https://nixos.org/manual/nixpkgs/stable/#python.buildenv-function
  pythonEnv = pkgs.python3.buildEnv.override {
    extraLibs = with pkgs.python3Packages; [
      legacy-cgi
      matplotlib
      requests
    ];
    ignoreCollisions = true;
  };
  sendmailWrapper = pkgs.writeShellApplication {
    name = "sendmail";
    runtimeInputs = [ ];
    text = ''
      args=("$@")
      if [[ -z "$USERDIR_USER" ]] && [[ "$USERDIR_USER" != "pvv" ]]; then
          # Prepend -fusername to the argument list, so bounces go to the user
          args=("-f$USERDIR_USER" "''${args[@]}")
      fi
      exec '${lib.getExe pkgs.system-sendmail}' "''${args[@]}"
    '';
  };
  # https://nixos.org/manual/nixpkgs/stable/#sec-building-environment
  fhsEnv = pkgs.buildEnv {
    name = "userweb-env";
    ignoreCollisions = true;
    paths = with pkgs; [
      bash
      sendmailWrapper
      perlEnv
      pythonEnv
      phpEnv
    ]
    ++ (with phpEnv.packages; [
      # composer
    ])
    ++ [
      # Useful packages for homepages
      exiftool
      gnuplot
      ikiwiki-full
      imagemagick
      jhead
      ruby
      sbcl
      sourceHighlight
      # Missing packages from tom
      # blosxom
      # pyblosxom
      # mediawiki (TODO: do people host their own mediawikis in userweb?)
      # nanoblogger
      # Version control
      cvs
      rcs
      git
      # Compression/Archival
      bzip2
      gnutar
      gzip
      lz4
      unzip
      xz
      zip
      zstd
      # Other tools you might expect to find on a normal system
      acl
      coreutils-full
      curl
      diffutils
      file
      findutils
      gawk
      gnugrep
      gnumake
      gnupg
      gnused
      less
      man
      util-linux
      vim
      wget
      which
      xdg-utils
    ];
    extraOutputsToInstall = [
      "man"
      "doc"
    ];
  };
 in
 {
  imports = [
    ./mail.nix
  ];
  services.httpd = {
    enable = true;
    adminAddr = "drift@pvv.ntnu.no";
    # TODO: consider upstreaming systemd support
    # TODO: mod_log_journald in v2.5
    package = pkgs.apacheHttpd.overrideAttrs (prev: {
      nativeBuildInputs = prev.nativeBuildInputs ++ [ pkgs.pkg-config ];
      buildInputs = prev.buildInputs ++ [ pkgs.systemdLibs ];
      configureFlags = prev.configureFlags ++ [ "--enable-systemd" ];
    });
    enablePHP = true;
    phpPackage = phpEnv;
    inherit phpOptions;
    enablePerl = true;
    # TODO: mod_log_journald in v2.5
    extraModules = [
      "systemd"
      "userdir"
      # TODO: I think the compilation steps of pkgs.apacheHttpdPackages.mod_perl might have some
      #       incorrect or restrictive assumptions upstream, either nixpkgs or source
      # {
      #   name = "perl";
      #   path = let
      #     mod_perl = pkgs.apacheHttpdPackages.mod_perl.override {
      #       apacheHttpd = cfg.package.out;
      #       perl = perlEnv;
      #     };
      #   in "${mod_perl}/modules/mod_perl.so";
      # }
    ];
    extraConfig = ''
      TraceEnable on
      LogLevel warn rewrite:trace3
      ScriptLog ${cfg.logDir}/cgi.log
    '';
    # virtualHosts."userweb.pvv.ntnu.no" = {
    virtualHosts."temmie.pvv.ntnu.no" = {
      forceSSL = true;
      enableACME = true;
      extraConfig = ''
        UserDir ${lib.concatMapStringsSep " " (l: "/home/pvv/${l}/*/web-docs") homeLetters}
        UserDir disabled root
        AddHandler cgi-script .cgi
        DirectoryIndex index.html index.html.var index.php index.php3 index.cgi index.phtml index.shtml meg.html
        SetEnvIf Request_URI "^/~([^/]+)" USERDIR_USER=$1
        <Directory "/home/pvv/?/*/web-docs">
          Options MultiViews Indexes SymLinksIfOwnerMatch ExecCGI IncludesNoExec
          AllowOverride All
          Require all granted
        </Directory>
        <DirectoryMatch "^/home/pvv/.*/web-docs/(${lib.concatStringsSep "|" [
          "\\.git"
          "\\.hg"
          "\\.svn"
          "\\.ssh"
          "\\.env"
          "\\.envrc"
          "\\.bzr"
          "\\.venv"
          "CVS"
          "RCS"
          ".*\\.swp"
          ".*\\.bak"
          ".*~"
        ]})(/|$)">
            AllowOverride All
            Require all denied
        </DirectoryMatch>
      '';
    };
  };
  networking.firewall.allowedTCPPorts = [
    80
    443
  ];
  # socket activation comes in v2.5
  # systemd.sockets.httpd = {
  #   wantedBy = [ "sockets.target" ];
  #   description = "HTTPD socket";
  #   listenStreams = [
  #     "0.0.0.0:80"
  #     "0.0.0.0:443"
  #   ];
  # };
  systemd.services.httpd = {
    after = [ "pvv-homedirs.target" ];
    requires = [ "pvv-homedirs.target" ];
    environment = {
      PATH = lib.mkForce "/usr/bin";
    };
    serviceConfig = {
      Type = lib.mkForce "notify";
      ExecStart = lib.mkForce "${cfg.package}/bin/httpd -D FOREGROUND -f /etc/httpd/httpd.conf -k start";
      ExecReload = lib.mkForce "${cfg.package}/bin/httpd -f /etc/httpd/httpd.conf -k graceful";
      ExecStop = lib.mkForce "";
      KillMode = "mixed";
      ConfigurationDirectory = [ "httpd" ];
      LogsDirectory = [ "httpd" ];
      LogsDirectoryMode = "0700";
      CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
      LockPersonality = true;
      PrivateDevices = true;
      PrivateTmp = true;
      # NOTE: this removes CAP_NET_BIND_SERVICE...
      # PrivateUsers = true;
      ProtectClock = true;
      ProtectControlGroups = true;
      ProtectHome = "tmpfs";
      ProtectKernelLogs = true;
      ProtectKernelModules = true;
      ProtectSystem = true;
      RemoveIPC = true;
      RestrictAddressFamilies = [
        "AF_INET"
        "AF_INET6"
        "AF_UNIX"
        "AF_NETLINK"
      ];
      RestrictNamespaces = true;
      RestrictRealtime = true;
      RestrictSUIDSGID = true;
      SocketBindDeny = "any";
      SocketBindAllow = [
        "tcp:80"
        "tcp:443"
      ];
      SystemCallArchitectures = "native";
      SystemCallFilter = [
         "@system-service"
      ];
      UMask = "0077";
      RuntimeDirectory = [ "httpd/root-mnt" ];
      RootDirectory = "/run/httpd/root-mnt";
      MountAPIVFS = true;
      BindReadOnlyPaths = [
        builtins.storeDir
        "/etc"
        # NCSD socket
        "/var/run"
        "/var/lib/acme"
        "${fhsEnv}/bin:/bin"
        "${fhsEnv}/sbin:/sbin"
        "${fhsEnv}/lib:/lib"
        "${fhsEnv}/share:/share"
      ] ++ (lib.mapCartesianProduct ({ parent, child }: "${fhsEnv}${child}:${parent}${child}") {
        parent = [
          "/local"
          "/opt"
          "/opt/local"
          "/store"
          "/store/gnu"
          "/usr"
          "/usr/local"
        ];
        child = [
          "/bin"
          "/sbin"
          "/lib"
          "/libexec"
          "/include"
          "/share"
        ];
      });
      BindPaths = map (l: "/run/pvv-home-mounts/${l}:/home/pvv/${l}") homeLetters;
    };
  };
  # TODO: create phpfpm pools with php environments that contain packages similar to those present on tom
 }
--- a/hosts/temmie/services/userweb/mail.nix
+++ b/hosts/temmie/services/userweb/mail.nix
@@ -0,0 +1,12 @@
 { config, lib, ... }:
 {
  services.postfix.enable = lib.mkForce false;
  services.nullmailer = {
    enable = true;
    config = {
      me = config.networking.fqdn;
      remotes = "mail.pvv.ntnu.no smtp --port=25";
    };
  };
 }
--- a/hosts/ustetind/configuration.nix
+++ b/hosts/ustetind/configuration.nix
@@ -1,40 +0,0 @@
 { config, fp, pkgs, lib, values, ... }:
 {
  imports = [
    (fp /base)
    ./services/gitea-runners.nix
  ];
  boot.loader.systemd-boot.enable = false;
  networking.useHostResolvConf = lib.mkForce false;
  systemd.network.networks = {
    "30-lxc-eth" = values.defaultNetworkConfig // {
      matchConfig = {
        Type = "ether";
        Kind = "veth";
        Name = [
          "eth*"
        ];
      };
      address = with values.hosts.ustetind; [ (ipv4 + "/25") (ipv6 + "/64") ];
    };
    "40-podman-veth" = values.defaultNetworkConfig // {
      matchConfig = {
        Type = "ether";
        Kind = "veth";
        Name = [
          "veth*"
        ];
      };
      DHCP = "yes";
    };
  };
  # Don't change (even during upgrades) unless you know what you are doing.
  # See https://search.nixos.org/options?show=system.stateVersion
  system.stateVersion = "24.11";
 }
--- a/hosts/ustetind/services/gitea-runners.nix
+++ b/hosts/ustetind/services/gitea-runners.nix
@@ -1,41 +0,0 @@
 { config, lib, values, ... }:
 let
  mkRunner = name: {
    # This is unfortunately state, and has to be generated one at a time :(
    # To do that, comment out all except one of the runners, fill in its token
    # inside the sops file, rebuild the system, and only after this runner has
    # successfully registered will gitea give you the next token.
    # - oysteikt Sep 2023
    sops.secrets."gitea/runners/${name}".restartUnits = [
      "gitea-runner-${name}.service"
    ];
    services.gitea-actions-runner.instances = {
      ${name} = {
        enable = true;
        name = "git-runner-${name}"; url = "https://git.pvv.ntnu.no";
        labels = [
          "debian-latest:docker://node:current-bookworm"
          "ubuntu-latest:docker://node:current-bookworm"
        ];
        tokenFile = config.sops.secrets."gitea/runners/${name}".path;
      };
    };
  };
 in
 lib.mkMerge [
  (mkRunner "alpha")
  (mkRunner "beta")
  (mkRunner "epsilon")
  {
    virtualisation.podman = {
      enable = true;
      defaultNetwork.settings.dns_enabled = true;
      autoPrune.enable = true;
    };
    networking.dhcpcd.IPv6rs = false;
    networking.firewall.interfaces."podman+".allowedUDPPorts = [53 5353];
  }
 ]
--- a/modules/matrix-ooye.nix
+++ b/modules/matrix-ooye.nix
@@ -77,29 +77,29 @@ in
        id
        echo "Before if statement"
-        stat ''${REGISTRATION_FILE}
+        stat "''${REGISTRATION_FILE}"
-        if [[ ! -f ''${REGISTRATION_FILE} ]]; then
+        if [[ ! -f "''${REGISTRATION_FILE}" ]]; then
          echo "No registration file found at '$REGISTRATION_FILE'"
-          cp --no-preserve=mode,ownership ${baseConfig} ''${REGISTRATION_FILE}
+          cp --no-preserve=mode,ownership "${baseConfig}" "''${REGISTRATION_FILE}"
        fi
        echo "After if statement"
-        stat ''${REGISTRATION_FILE}
+        stat "''${REGISTRATION_FILE}"
-        AS_TOKEN=$(${lib.getExe pkgs.jq} -r .as_token ''${REGISTRATION_FILE})
+        AS_TOKEN="$('${lib.getExe pkgs.jq}' -r .as_token "''${REGISTRATION_FILE}")"
-        HS_TOKEN=$(${lib.getExe pkgs.jq} -r .hs_token ''${REGISTRATION_FILE})
+        HS_TOKEN="$('${lib.getExe pkgs.jq}' -r .hs_token "''${REGISTRATION_FILE}")"
-        DISCORD_TOKEN=$(cat /run/credentials/matrix-ooye-pre-start.service/discord_token)
+        DISCORD_TOKEN="$(cat /run/credentials/matrix-ooye-pre-start.service/discord_token)"
-        DISCORD_CLIENT_SECRET=$(cat /run/credentials/matrix-ooye-pre-start.service/discord_client_secret)
+        DISCORD_CLIENT_SECRET="$(cat /run/credentials/matrix-ooye-pre-start.service/discord_client_secret)"
        # Check if we have all required tokens
        if [[ -z "$AS_TOKEN" || "$AS_TOKEN" == "null" ]]; then
-          AS_TOKEN=$(${lib.getExe pkgs.openssl} rand -hex 64)
+          AS_TOKEN="$('${lib.getExe pkgs.openssl}' rand -hex 64)"
          echo "Generated new AS token: ''${AS_TOKEN}"
        fi
        if [[ -z "$HS_TOKEN" || "$HS_TOKEN" == "null" ]]; then
-          HS_TOKEN=$(${lib.getExe pkgs.openssl} rand -hex 64)
+          HS_TOKEN="$('${lib.getExe pkgs.openssl}' rand -hex 64)"
          echo "Generated new HS token: ''${HS_TOKEN}"
        fi
@@ -115,13 +115,13 @@ in
          exit 1
        fi
-        shred -u ''${REGISTRATION_FILE}
+        shred -u "''${REGISTRATION_FILE}"
-        cp --no-preserve=mode,ownership ${baseConfig} ''${REGISTRATION_FILE}
+        cp --no-preserve=mode,ownership "${baseConfig}" "''${REGISTRATION_FILE}"
-        ${lib.getExe pkgs.jq} '.as_token = "'$AS_TOKEN'" | .hs_token = "'$HS_TOKEN'" | .ooye.discord_token = "'$DISCORD_TOKEN'" | .ooye.discord_client_secret = "'$DISCORD_CLIENT_SECRET'"' ''${REGISTRATION_FILE} > ''${REGISTRATION_FILE}.tmp
+        '${lib.getExe pkgs.jq}' '.as_token = "'$AS_TOKEN'" | .hs_token = "'$HS_TOKEN'" | .ooye.discord_token = "'$DISCORD_TOKEN'" | .ooye.discord_client_secret = "'$DISCORD_CLIENT_SECRET'"' "''${REGISTRATION_FILE}" > "''${REGISTRATION_FILE}.tmp"
-        shred -u ''${REGISTRATION_FILE}
+        shred -u "''${REGISTRATION_FILE}"
-        mv ''${REGISTRATION_FILE}.tmp ''${REGISTRATION_FILE}
+        mv "''${REGISTRATION_FILE}.tmp" "''${REGISTRATION_FILE}"
      '';
    in
--- a/modules/rsync-pull-targets.nix
+++ b/modules/rsync-pull-targets.nix
@@ -0,0 +1,146 @@
 { config, lib, pkgs, ... }:
 let
  cfg = config.services.rsync-pull-targets;
 in
 {
  options.services.rsync-pull-targets = {
    enable = lib.mkEnableOption "";
    rrsyncPackage = lib.mkPackageOption pkgs "rrsync" { };
    locations = lib.mkOption {
      type = lib.types.attrsOf (lib.types.submodule ({ name, ... }@submoduleArgs: {
        options = {
          enable = lib.mkEnableOption "" // {
            default = true;
            example = false;
          };
          user = lib.mkOption {
            type = lib.types.str;
            description = "Which user to use as SSH login";
            example = "root";
          };
          location = lib.mkOption {
            type = lib.types.path;
            default = name;
            defaultText = lib.literalExpression "<name>";
            example = "/path/to/rsyncable/item";
          };
          # TODO: handle autogeneration of keys
          # autoGenerateSSHKeypair = lib.mkOption {
          #   type = lib.types.bool;
          #   default = config.publicKey == null;
          #   defaultText = lib.literalExpression "config.services.rsync-pull-targets.<name>.publicKey != null";
          #   example = true;
          # };
          publicKey = lib.mkOption {
            type = lib.types.str;
            # type = lib.types.nullOr lib.types.str;
            # default = null;
            example = "ssh-ed25519 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA comment";
          };
          rrsyncPackage = lib.mkPackageOption pkgs "rrsync" { } // {
            default = cfg.rrsyncPackage;
            defaultText = lib.literalExpression "config.services.rsync-pull-targets.rrsyncPackage";
          };
          enableRecommendedHardening = lib.mkEnableOption "a commonly used security profile for authorizedKeys attributes and rrsync args";
          rrsyncArgs = {
            ro = lib.mkEnableOption "" // {
              description = "Allow only reading from the DIR. Implies -no-del and -no-lock.";
            };
            wo = lib.mkEnableOption "" // {
              description = "Allow only writing to the DIR.";
            };
            munge = lib.mkEnableOption "" // {
              description = "Enable rsync's --munge-links on the server side.";
              # TODO: set a default?
            };
            no-del = lib.mkEnableOption "" // {
              description = "Disable rsync's --delete* and --remove* options.";
              default = submoduleArgs.config.enableRecommendedHardening;
              defaultText = lib.literalExpression "config.services.rsync-pull-targets.<name>.enableRecommendedHardening";
            };
            no-lock = lib.mkEnableOption "" // {
              description = "Avoid the single-run (per-user) lock check.";
              default = submoduleArgs.config.enableRecommendedHardening;
              defaultText = lib.literalExpression "config.services.rsync-pull-targets.<name>.enableRecommendedHardening";
            };
            no-overwrite = lib.mkEnableOption "" // {
              description = "Prevent overwriting existing files by enforcing --ignore-existing";
              default = submoduleArgs.config.enableRecommendedHardening;
              defaultText = lib.literalExpression "config.services.rsync-pull-targets.<name>.enableRecommendedHardening";
            };
          };
          authorizedKeysAttrs = lib.mkOption {
            type = lib.types.listOf lib.types.str;
            default = lib.optionals submoduleArgs.config.enableRecommendedHardening [
              "restrict"
              "no-agent-forwarding"
              "no-port-forwarding"
              "no-pty"
              "no-X11-forwarding"
            ];
            defaultText = lib.literalExpression ''
              lib.optionals config.services.rsync-pull-targets.<name>.enableRecommendedHardening [
                "restrict"
                "no-agent-forwarding"
                "no-port-forwarding"
                "no-pty"
                "no-X11-forwarding"
              ]
            '';
            example = [
              "restrict"
              "no-agent-forwarding"
              "no-port-forwarding"
              "no-pty"
              "no-X11-forwarding"
            ];
          };
        };
      }));
    };
  };
  config = lib.mkIf cfg.enable {
    # assertions = lib.pipe cfg.locations [
    #   (lib.filterAttrs (_: value: value.enable))
      # TODO: assert that there are no duplicate (user, publicKey) pairs.
      #       if there are then ssh won't know which command to provide and might provide a random one, not sure.
      # (lib.mapAttrsToList (_: { user, location, publicKey, ... }: {
      #   assertion =
      #   message = "";
      # })
    # ];
    services.openssh.enable = true;
    users.users = lib.pipe cfg.locations [
      (lib.filterAttrs (_: value: value.enable))
      lib.attrValues
      # Index locations by SSH user
      (lib.foldl (acc: location: acc // {
        ${location.user} = (acc.${location.user} or [ ]) ++ [ location ];
      }) { })
      (lib.mapAttrs (_name: locations: {
        openssh.authorizedKeys.keys = map ({ user, location, rrsyncPackage, rrsyncArgs, authorizedKeysAttrs, publicKey, ... }: let
          rrsyncArgString = lib.cli.toCommandLineShellGNU {
            isLong = _: false;
          } rrsyncArgs;
          # TODO: handle " in location
        in "command=\"${lib.getExe rrsyncPackage} ${rrsyncArgString} ${location}\",${lib.concatStringsSep "," authorizedKeysAttrs} ${publicKey}"
        ) locations;
      }))
    ];
  };
 }
--- a/modules/snakeoil-certs.nix
+++ b/modules/snakeoil-certs.nix
@@ -51,24 +51,24 @@ in
      script = let
        openssl = lib.getExe pkgs.openssl;
      in lib.concatMapStringsSep "\n" ({ name, value }: ''
-        mkdir -p $(dirname "${value.certificate}") $(dirname "${value.certificateKey}")
+        mkdir -p "$(dirname '${value.certificate}')" "$(dirname '${value.certificateKey}')"
-        if ! ${openssl} x509 -checkend 86400 -noout -in ${value.certificate}
+        if ! ${openssl} x509 -checkend 86400 -noout -in '${value.certificate}'
        then
          echo "Regenerating '${value.certificate}'"
          ${openssl} req \
            -newkey rsa:4096 \
            -new -x509 \
-            -days "${toString value.daysValid}" \
+            -days '${toString value.daysValid}' \
            -nodes \
-            -subj "${value.subject}" \
+            -subj '${value.subject}' \
-            -out "${value.certificate}" \
+            -out '${value.certificate}' \
-            -keyout "${value.certificateKey}" \
+            -keyout '${value.certificateKey}' \
            ${lib.escapeShellArgs value.extraOpenSSLArgs}
        fi
-        chown "${value.owner}:${value.group}" "${value.certificate}"
+        chown '${value.owner}:${value.group}' '${value.certificate}'
-        chown "${value.owner}:${value.group}" "${value.certificateKey}"
+        chown '${value.owner}:${value.group}' '${value.certificateKey}'
-        chmod "${value.mode}" "${value.certificate}"
+        chmod '${value.mode}' '${value.certificate}'
-        chmod "${value.mode}" "${value.certificateKey}"
+        chmod '${value.mode}' '${value.certificateKey}'
        echo "\n-----------------\n"
      '') (lib.attrsToList cfg);
--- a/packages/bluemap.nix
+++ b/packages/bluemap.nix
@@ -1,12 +1,14 @@
-{ lib, stdenvNoCC, fetchurl, makeWrapper, jre }:
+{ lib, stdenvNoCC, fetchurl, makeWrapper, javaPackages }:
-
+let
  jre = javaPackages.compiler.temurin-bin.jre-25;
 in
 stdenvNoCC.mkDerivation rec {
  pname = "bluemap";
-  version = "5.15";
+  version = "5.20";
  src = fetchurl {
    url = "https://github.com/BlueMap-Minecraft/BlueMap/releases/download/v${version}/BlueMap-${version}-cli.jar";
-    hash = "sha256-g50V/4LtHaHNRMTt+PK/ZTf4Tber2D6ZHJvuAXQLaFI=";
+    hash = "sha256-txDN/vG429BHT09TrSB8uQhmB8irrmvvOXX4OX3OSC0=";
  };
  dontUnpack = true;
@@ -15,7 +17,10 @@ stdenvNoCC.mkDerivation rec {
  installPhase = ''
    runHook preInstall
-    makeWrapper ${jre}/bin/java $out/bin/bluemap --add-flags "-jar $src"
+
    makeWrapper ${jre}/bin/java $out/bin/bluemap \
      --add-flags "-jar $src"
    runHook postInstall
  '';
--- a/packages/mediawiki-extensions/default.nix
+++ b/packages/mediawiki-extensions/default.nix
@@ -33,63 +33,63 @@ in
 lib.mergeAttrsList [
  (mw-ext {
    name = "CodeEditor";
-    commit = "6e5b06e8cf2d040c0abb53ac3735f9f3c96a7a4f";
+    commit = "2db9c9cef35d88a0696b926e8e4ea2d479d0d73a";
-    hash = "sha256-Jee+Ws9REUohywhbuemixXKaTRc54+cIlyUNDCyYcEM=";
+    hash = "sha256-f0tWJl/4hml+RCp7OoIpQ4WSGKE3/z8DTYOAOHbLA9A=";
  })
  (mw-ext {
    name = "CodeMirror";
-    commit = "da9c5d4f03e6425f6f2cf68b75d21311e0f7e77e";
+    commit = "b16e614c3c4ba68c346b8dd7393ab005ab127441";
-    hash = "sha256-aL+v9xeqKHGmQVUWVczh54BkReu+fP49PT1NP7eTC6k=";
+    hash = "sha256-J/TJPo5Oxgpy6UQINivLKl8jzJp4k/mKv6br3kcCSMQ=";
  })
  (mw-ext {
    name = "DeleteBatch";
-    commit = "122072bbfb4eab96ed8c1451a3e74b5557054c58";
+    commit = "1b947c0f80249cf052b58138f830b379edf080bc";
-    hash = "sha256-L6AXoyFJEZoAQpLO6knJvYtQ6JJPMtaa+WhpnwbJeNU=";
+    hash = "sha256-629RCz+38m2pfyJe/CrYutRoDyN1HzD0KzDdC2wwqlI=";
  })
  (mw-ext {
    name = "PluggableAuth";
-    commit = "5caf605b9dfdd482cb439d1ba2000cba37f8b018";
+    commit = "56893b8ee9ecd03eaee256e08c38bc82657ee0a1";
-    hash = "sha256-TYJqR9ZvaWJ7i1t0XfgUS05qqqCgxAH8tRTklz/Bmlg=";
+    hash = "sha256-gvoJey7YLMk+toutQTdWxpaedNDr59E+3xXWmXWCGl0=";
  })
  (mw-ext {
    name = "Popups";
-    commit = "7ed940a09f83f869cbc0bc20f3ca92f85b534951";
+    commit = "6732d8d195bd8312779d8514e92bad372ef63096";
-    hash = "sha256-pcDPcu4kSvMHfSOuShrod694TKI9Oo3AEpMP9DXp9oY=";
+    hash = "sha256-XZzhA9UjAOUMcoGYYwiqRg2uInZ927JOZ9/IrZtarJU=";
  })
  (mw-ext {
    name = "Scribunto";
-    commit = "e755852a8e28a030a21ded2d5dd7270eb933b683";
+    commit = "fc9658623bd37fad352e326ce81b2a08ef55f04d";
-    hash = "sha256-zyI5nSE+KuodJOWyV0CQM7G0GfkKEgfoF/czi2/qk98=";
+    hash = "sha256-P9WQk8O9qP+vXsBS9A5eXX+bRhnfqHetbkXwU3+c1Vk=";
  })
  (mw-ext {
    name = "SimpleSAMLphp";
    kebab-name = "simple-saml-php";
-    commit = "d41b4efd3cc44ca3f9f12e35385fc64337873c2a";
+    commit = "4c615a9203860bb908f2476a5467573e3287d224";
-    hash = "sha256-wfzXtsEEEjQlW5QE4Rf8pasAW/KSJsLkrez13baxeqA=";
+    hash = "sha256-zNKvzInhdW3B101Hcghk/8m0Y+Qk/7XN7n0i/x/5hSE=";
  })
  (mw-ext {
    name = "TemplateData";
-    commit = "fd7cf4d95a70ef564130266f2a6b18f33a2a2ff9";
+    commit = "6884b10e603dce82ee39632f839ee5ccd8a6fbe3";
-    hash = "sha256-5OhDPFhIi55Eh5+ovMP1QTjNBb9Sm/3vyArNCApAgSw=";
+    hash = "sha256-jcLe3r5fPIrQlp89N+PdIUSC7bkdd7pTmiYppSpdKVQ=";
  })
  (mw-ext {
    name = "TemplateStyles";
-    commit = "0f7b94a0b094edee1c2a9063a3c42a1bdc0282d9";
+    commit = "f0401a6b82528c8fd5a0375f1e55e72d1211f2ab";
-    hash = "sha256-R406FgNcIip9St1hurtZoPPykRQXBrkJRKA9hapG81I=";
+    hash = "sha256-tEcCNBz/i9OaE3mNrqw0J2K336BAf6it30TLhQkbtKs=";
  })
  (mw-ext {
    name = "UserMerge";
-    commit = "d1917817dd287e7d883e879459d2d2d7bc6966f2";
+    commit = "6c138ffc65991766fd58ff4739fcb7febf097146";
-    hash = "sha256-la3/AQ38DMsrZ2f24T/z3yKzIrbyi3w6FIB5YfxGK9U=";
+    hash = "sha256-366Nb0ilmXixWgk5NgCuoxj82Mf0iRu1bC/L/eofAxU=";
  })
  (mw-ext {
    name = "VisualEditor";
-    commit = "032364cfdff33818e6ae0dfa251fe3973b0ae4f3";
+    commit = "9cfcca3195bf88225844f136da90ab7a1f6dd0b9";
-    hash = "sha256-AQDdq9r6rSo8h4u1ERonH14/1i1BgLGdzANEiQ065PU=";
+    hash = "sha256-jHw3RnUB3bQa1OvmzhEBqadZlFPWH62iGl5BLXi3nZ4=";
  })
  (mw-ext {
    name = "WikiEditor";
-    commit = "cb9f7e06a9c59b6d3b31c653e5886b7f53583d01";
+    commit = "fe5329ba7a8c71ac8236cd0e940a64de2645b780";
-    hash = "sha256-UWi3Ac+LCOLliLkXnS8YL0rD/HguuPH5MseqOm0z7s4=";
+    hash = "sha256-no6kH7esqKiZv34btidzy2zLd75SBVb8EaYVhfRPQSI=";
  })
 ]
--- a/packages/mediawiki-extensions/update-mediawiki-extensions.py
+++ b/packages/mediawiki-extensions/update-mediawiki-extensions.py
@@ -83,7 +83,7 @@ def get_newest_commit(project_name: str, tracking_branch: str) -> str:
    content = requests.get(f"{BASE_WEB_URL}/{project_name}/+log/refs/heads/{tracking_branch}/").text
    soup = bs4.BeautifulSoup(content, features="html.parser")
    try:
-        a = soup.find('li').findChild('a')
+        a = soup.find('li').find('a')
        commit_sha = a['href'].split('/')[-1]
    except AttributeError:
        print(f"ERROR: Could not parse page for {project_name}:")
--- a/packages/ooye/fix-lockfile.patch
+++ b/packages/ooye/fix-lockfile.patch
--- a/packages/ooye/package.nix
+++ b/packages/ooye/package.nix
@@ -10,22 +10,19 @@ let
 in
 buildNpmPackage {
  pname = "delete-your-element";
-  version = "3.3-unstable-2026-01-21";
+  version = "3.5.1";
  src = fetchFromGitea {
    domain = "git.pvv.ntnu.no";
    owner = "Drift";
    repo = "delete-your-element";
-    rev = "04d7872acb933254c0a4703064b2e08de31cfeb4";
+    rev = "80ac1d9d79207b6327975a264fcd9747b99a2a5d";
-    hash = "sha256-CkKt+8VYjIhNM76c3mTf7X6d4ob8tB2w8T6xYS7+LuY=";
+    hash = "sha256-fcBpUZ+WEMUXyyo/uaArl4D1NJmK95isWqhFSt6HzUU=";
  };
  inherit nodejs;
-  patches = [ ./fix-lockfile.patch ];
+  npmDepsHash = "sha256-EYxJi6ObJQOLyiJq4C3mV6I62ns9l64ZHcdoQxmN5Ao=";
  npmDepsHash = "sha256-tiGXr86x9QNAwhZcxSOox6sP9allyz9QSH3XOZOb3z8=";
  dontNpmBuild = true;
  makeCacheWritable = true;
  nativeBuildInputs = [ makeWrapper ];
--- a/packages/simplesamlphp/default.nix
+++ b/packages/simplesamlphp/default.nix
@@ -8,18 +8,18 @@
 php.buildComposerProject rec {
  pname = "simplesamlphp";
-  version = "2.4.3";
+  version = "2.5.0";
  src = fetchFromGitHub {
    owner = "simplesamlphp";
    repo = "simplesamlphp";
    tag = "v${version}";
-    hash = "sha256-vv4gzcnPfMapd8gER2Vsng1SBloHKWrJJltnw2HUnX4=";
+    hash = "sha256-Md07vWhB/5MDUH+SPQEs8PYiUrkEgAyqQl+LO+ap0Sw=";
  };
  composerStrictValidation = false;
-  vendorHash = "sha256-vu3Iz6fRk3Gnh9Psn46jgRYKkmqGte+5xHBRmvdgKG4=";
+  vendorHash = "sha256-GrEoGJXEyI1Ib+06GIuo5eRwxQ0UMKeX5RswShu2CHM=";
  # TODO: metadata could be fetched automagically with these:
  #   - https://simplesamlphp.org/docs/contrib_modules/metarefresh/simplesamlphp-automated_metadata.html
--- a/secrets/bakke/bakke.yaml
+++ b/secrets/bakke/bakke.yaml
@@ -1,99 +0,0 @@
 hello: ENC[AES256_GCM,data:+GWORSIf9TxmJLw1ytZwPbve2yz5H9ewVE5sOpQzkrRpct6Wes+vTE19Ij8W1g==,iv:C/WhXNBBM/bidC9xynZzk34nYXF3mUjAd4nPXpUlYHs=,tag:OJXSwuI8aNDnHFFTkwyGBQ==,type:str]
 example_key: ENC[AES256_GCM,data:ojSsrFYo5YD0YtiqcA==,iv:nvNtG6c0OqnQovzWQLMjcn9vbQ4PPYSv2B43Y8z0h5s=,tag:+h7YUNRA2MTvwGJq1VZW8g==,type:str]
 #ENC[AES256_GCM,data:6EvhlBtrl5wqyf6UAGwY8Q==,iv:fzLUjBzyuT17FcP8jlmLrsKW46pu6/lAvAVLHBxje6k=,tag:n+qR1NUqa91uFRIpALKlmw==,type:comment]
 example_array:
    - ENC[AES256_GCM,data:A38KXABxJzMoKitKpHo=,iv:OlRap3R//9tvKdPLz7uP+lvBa/fD0W8xFzdxIKKFi4E=,tag:QKizPN1fYOv5zZlMVgTIOQ==,type:str]
    - ENC[AES256_GCM,data:8X2iVkHQtQMReopWdgM=,iv:2Wq3QOadwd3G3ROXNe7JQD4AL/5H/WV19TBEbxijG/8=,tag:tikKT9Wvzm4Vz5aoy6w9WQ==,type:str]
 example_number: ENC[AES256_GCM,data:0K05hiSPh2Ok1A==,iv:IVRo61xkKugv4OiPm0vt9ODm5DC1DzJFdlgQJb1TfTg=,tag:o3xXygVEUD4jaGSJr0Nxtw==,type:float]
 example_booleans:
    - ENC[AES256_GCM,data:zoykmQ==,iv:1JGy1Cg5GdAiod9qPSzW+wsG6rUgUJyYMEE4k576Tlk=,tag:RUCbytPpo78bqlAVEUsbLg==,type:bool]
 sops:
    age:
        - recipient: age1syted6kt48sumjjucggh6r3uca4x2ppp4mfungf3lamkt2le05csc99633
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsOE50MkkxV1p0UlVUT0dE
            WCtLMEk0ZSttY25UMjNHSHB1QzJ4N2l5WnpFCkNpdmlCY1VxWVo0ZStVclZ0amo4
            dGhSRWY1SElRZXZzdWo5UDNjUHMzUjAKLS0tIDI3elNXSXJHQU5qb3hCSHYwWnoy
            N3BhNmJQZjIrbWlVRytxZ3dFMjBtL1kKn7/DTPfJtdBomSplnBomYhsxJbX7kJQa
            1Qsr+bmugWxHFIPhoDwPIBpChQkLvAo8exQpduos18FsXgvMmB0guQ==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1ug30gg4y7ftuya0wdv7q0vh4egn00wlv2th7mt7cgc2ze46wmvyq9lq6ge
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXdnNSSEJoaUQwdTNTMDY4
            QUxuLzRIWVNkM25QNTZ5VTBwQlYvT2p3SURzCnJmd2g1YUY0cmdLL3FkQTQ4NURL
            YncyY3VROTFUeDc5ZlB1aWdXVGNNdjgKLS0tIEtXeDdRLzl4RXhpS2o5ZUE4YkpI
            RjBObVhlWncrRnVidEtGN2N0ZitzNlUK/ooEeWCY5nDgny43q45wvl/e6qq/X4B/
            7Q/DPj13BcrWRgoCYeHlq6VlIerz5ERNgxyR/qKuVSGAVroSVY6spA==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1mrnldl334l2nszuta6ywvewng0fswv2dz9l5g4qcwe3nj4yxf92qjskdx6
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoRy9CaHY1WEEzOXdUSjd2
            aFlGU3NGcW5MeHg3U2d0UEk0SXJIcmg4RVFzCkpwODhBWld6T1VNS2haSkpxL0hn
            b0VRWVNFcTE5c0t3VkFZQ1R1d2dnbmMKLS0tIDdNMHBrU0RRSmlBZUJobXQxZUt2
            MzZSYlM5bjYzUlRYNXkzNzZlWmx3L0UKkH6WOXHFRRbCprSjxcONSVUN/9NEQvtS
            Jg+dJSMviq6GvUfUNmNvPJHfyy+CYT6a2Zd+4NdYCetRLsRJPc6p3A==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1hmpdk4h69wxpwqk9tkud39f66hprhehxtzhgw97r6dvr7v0mx5jscsuhkn
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUckpiMzYrU1NnNFJ4MGps
            OEt0c0o3Ty9QejhEM29wZFMrNTNyMHlHWlRBCnBHUUdvcmxoL0FqVEtBSHlma25P
            c2tITUtZTGVzOGdidC84OUYvRlpxSjAKLS0tIFNMVmdiWmJNZUdLS1g3T3ZINUh6
            Mjg5RHdKYnV3Z2V0L3E3ZlA2WDB0WlkKJr4Vg6rnKqGpL6N143QYfLqS4lQIED/J
            SYQds8mCiyCNGvV6ON4k096jXcuMAZ1w+0bA16AHlTXnqgIgfaHpKA==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1wrssr4z4g6vl3fd3qme5cewchmmhm0j2xe6wf2meu4r6ycn37anse98mfs
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHL1QvSUlWUTN4OTBKOURa
            VkVVb29McWgxa3gwb2lkVTdSZmUrVVZpSERjCm9oTTFRckg3SUM1a0tJRVlaU3RL
            dUtsU0FpY1JyNkx6K1U1MWcrSjNYbUUKLS0tICtvTjJVdG1PSXF4TVltZ204SnVu
            VE9aT3l2dGgxMWNHUXQ0bDN2RjVOek0KwOa/vczHZa+SRr8j6KvkfZZ0kajxXOq0
            5AoDz2Mtcs+qBctTuogdLCZoL2ZpRVV7v1dGI+Fm1cVLoutV19IvTQ==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1zhxul786an743u0fascv4wtc5xduu7qfy803lfs539yzhgmlq5ds2lznt5
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWVFp0ZlRhU29DNUhMSmRy
            Y3VVV2pmajJmaU9qN0tHR1E3ekFMS3o0K2pRClIwek5GYzNNZEliK2ZTT1NVZklQ
            YWpqY3poN0E1ZTVOTVRhL3FQSVZmZW8KLS0tIHpuWktoa1EwcXc1bEJJYk5VbEw3
            blE2VXBuTDdlbHJTVjRzOWdyem1UWTQKg5uZRhcLpmiVcadqdJoscqsBD2u6UGx+
            qT0IoSVOzsBlJw2t9rH1zR7WfRSlCXT1NYzu9aTWGqQaB8qvEtyk4g==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1sqs7urnzsdy64efmd0zukzv3gs5pnjksuxd7nqmdwdy5l0nqnunq6hyune
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFdjhMM1ZpM2xFVXlvOXZK
            MlRZT2U5YzhMUVR1L0FqVVdiSTFTYUpyN25rCjB6ajMwTnNTaWk5d21vM0Zza243
            dHhSOHM0c3cwS1c5dGxhbzBNVm9DeFEKLS0tIEpOY1lWVE04UkNYNDdCcUdnTUhI
            NC9xOENWZUNyay9SeXRjSUdkMlE4UXcKiygSIWelRUZQPbiK2ASQya7poe1KCXmo
            XIlgOaUe1+lvY8s2bjdud0+7QlPOKeyciCSFNNqIxzHMYSEKwNCbpg==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2025-03-15T21:42:17Z"
    mac: ENC[AES256_GCM,data:2gH/ZaxSA6ShRu53dxj7V3jk7FsVdYS+PSHQyFT8qMvKM1hsQ/nWrKt00PUl9I7Gb4uomP9Ga3SyphYOXRBzKoV+x52oEWOJE3Q4iPrwdCkyHlxEezhTd/ZRQVatG6dvHpLuDNS9Dyph4f7Mw5USI+m4WeVdgCvHTydw+4KIfP4=,iv:yimfq96WVsagvKr8HTg1RdZBSrVGcCWPvv8XOXkOfcg=,tag:zHzdrE0PX5+AeD2lpqeJVQ==,type:str]
    pgp:
        - created_at: "2026-01-16T06:34:38Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----
            hQIMA0av/duuklWYAQ/+O1tft/OfS52K8cmcQE7I7aFb85P2L+7u1TdmTjHwNFkC
            3jhvzPkNDQDkMIc5EPZKX5WLUS8F1UaqCw4b8zZtqoTqKDpu0S92KL500iXwBxft
            D3cRMFFb6GBoSlPJVBt6LMRJjGLWCkBihlYL1AknoVV7VERj8m1cvcstdp3qbEd7
            c+X6t5B+7N0/QPdh2KyrHWXyCzFc/6emVjNGy2EoXRt7idFF2yTbafobCs/hZ8LZ
            RJyhpGyR9QPtAwFP9Und62tCd4ZwG5FazZBLevRrmD7AOW1WnQhyYvxBvqQp/Oz+
            lFmhcirLw5CaC1AbF2k3uNoAHXVWyexaQeu2gsNYXq+lpsdCWT8WtrAtNCyC2StI
            PtdrdQ9oikJptmoWQ0zEBXKXdV8AhukLSX0wtis74KbmcS+2YyNKvQksGF2ZfHBh
            U9ycfJr1kwm7TAg5Lg6XOmKrdOJkPoIcUCk2QW7MfS3nwwMLt3BjhhpRVUfeUmjB
            Jjjs+jUXEusnmwmvGGgEU2pT944FLuFClSI8JTnIZ61YkjF7zAtrURvsNKlqu/UG
            JLrWR+dnnh1YK0qQEcqt6giNSX2IWrw5SpJ8Jekt0TWfB1HDHybQUyFC/n/je/XK
            0ouAeDL9oqh0eRU3ng4KKhOXNn+WO3/HrnG//KFwokc//BNNvP8qM0CTtPQbQ1HS
            XgFjhTfzV0T4LyUryuict4rLVI+DDbzWGRp0umdobvQE1CGLhKCanrd2/Ng6fAny
            9G09vYF5zK95uzqFBCTh1zFr6+rhfbMI501TwBu1KxOaJdYs3vzLiTGWoyI48JM=
            =5fyo
            -----END PGP MESSAGE-----
          fp: F7D37890228A907440E1FD4846B9228E814A2AAC
    unencrypted_suffix: _unencrypted
    version: 3.8.1
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Vegard Bieker Matthey	bfd83c4c64	uptime-kuma: wants to use /var/lib/private for state	2026-05-22 17:58:00 +02:00
h7x4	9a6fdecb03	kommode/gitea/dump: only keep a single dump at a time	2026-05-22 18:27:57 +09:00
h7x4	82ab97fb45	bekkalokk/roundcube: restart service on changed sops secrets	2026-05-22 18:10:44 +09:00
h7x4	543fd19f8d	bekkalokk/vaultwarden: restart service on changed sops secrets	2026-05-22 18:10:40 +09:00
h7x4	6f99fa575d	bekkalokk/vaultwarden: render environment_file as sops template	2026-05-22 18:02:13 +09:00
h7x4	3141b1f76b	bekkalokk/vaultwarden: remove redundant hardening This has already been upstreamed	2026-05-22 17:51:03 +09:00
h7x4	475f6a8c9b	bekkalokk/vaultwarden: add rsa key to sops	2026-05-22 17:49:31 +09:00
h7x4	9c1687f8f2	bekkalokk/vaultwarden: use envvar keys It seems like the nixpkgs module is compensating for previous config that might've ended up in a file, which are now being turned into screaming snake case environment variables. Let's just name them as they are supposed to be named instead of having the upstream module translate them.	2026-05-22 17:08:31 +09:00
h7x4	0f53bcd731	bekkalokk/roundcube: add des_key to sops	2026-05-22 17:08:31 +09:00
Felix Albrigtsen	f433ae1e15	ustetind: remove from sops rg -. to the rescue	2026-05-22 10:01:15 +02:00
h7x4	5745648f87	bicep/postgres/repack: use local unix socket	2026-05-22 15:59:59 +09:00
h7x4	2c34a93abf	bicep/postgres/repack: don't kill connections on timeout	2026-05-22 15:57:57 +09:00
h7x4	9ebc947eab	ustetind: bai bai 👋	2026-05-22 15:41:28 +09:00
h7x4	6fcc19f0a2	base/fluentbit: init	2026-05-22 15:32:13 +09:00
h7x4	9224f04bd1	base/promtail: remove	2026-05-22 15:32:13 +09:00
Vegard Bieker Matthey	9c93f15569	change agekey for ildkule and update keys update keys	2026-05-21 17:27:11 +02:00
h7x4	5d6c153007	kommode/gitea: fix dump command	2026-05-21 17:54:54 +09:00
h7x4	8b483a92f8	ildkule: set `fsType` for bindmounts	2026-05-21 17:52:47 +09:00
h7x4	0d7f05e56d	bicep/postgres: add cleanup timers	2026-05-21 04:14:34 +09:00
Daniel Olsen	4a67eddf52	bicep/matrix/livekit: open the rtc ports	2026-05-20 20:04:33 +02:00
h7x4	08a23bd380	base/hardening: ban a few more modules	2026-05-20 23:15:25 +09:00
h7x4	28b67c3578	base/mitigations: blacklist modules for copyfail and pintheft	2026-05-20 23:15:25 +09:00
Vegard Bieker Matthey	e5804c043a	README: add gluttony	2026-05-20 06:24:26 +02:00
Vegard Bieker Matthey	9c227f3022	update gluttony IPs and boot device	2026-05-20 06:07:41 +02:00
Felix Albrigtsen	69fdf709d7	grr: fix the heccin quotes	2026-05-19 16:38:34 +02:00
Adrian G L	30ec70fa5f	fix: ildkule grub duplicated devices, format nix files	2026-05-19 16:26:36 +02:00
Adrian G L	1024b428ac	feat: ildkule disco config	2026-05-19 12:16:39 +02:00
Adrian G L	1e6b692fbf	fix: updated ildkule config and ips to match trd1 new setup	2026-05-19 11:37:05 +02:00
Vegard Bieker Matthey	beac6e91dd	flake.lock: bump pvv-nettsiden	2026-05-17 16:58:04 +02:00
h7x4	0fd41c214a	flake.{nix,lock}: bump deps	2026-05-13 01:19:35 +09:00
h7x4	5c1ee958ea	flake.{nix,lock}: bump roowho2	2026-05-12 00:25:55 +09:00
h7x4	d8e97715c9	flake.lock: bump pvv-nettsiden	2026-05-12 00:24:56 +09:00
h7x4	33297b0436	treewide: `lib.cli.toGNUCommandLineShell` -> `lib.cli.toCommandLineShellGNU`	2026-05-11 23:09:50 +09:00
h7x4	be33c95c83	bekkalokk/website: more logging, specify timeouts, ban spooky funcs, fake sendmail	2026-05-11 21:14:08 +09:00
h7x4	2abf36a9af	packages/simplesamlphp: 2.4.3 -> 2.5.0	2026-05-11 16:12:15 +09:00
h7x4	a60be532ce	packages/mediawiki-extensions: bump all	2026-05-11 16:11:10 +09:00
h7x4	9c142fd56f	kommode/gitea: remove deprecated config options	2026-05-11 16:00:51 +09:00
Øystein Tveit	b98e8679e6	temmie/userweb: set same phpOptions for env and apache	2026-05-11 14:54:56 +09:00
h7x4	ea092ec0b3	temmie/userweb: pass userdir user to sendmail through custom envvar	2026-05-11 14:26:47 +09:00
h7x4	5e50b617fb	temmie/userweb: switch from postfix to nullmailer	2026-05-11 13:52:58 +09:00
h7x4	258c5a7b25	temmie/userweb: set up sendmail wrapper	2026-05-11 12:26:39 +09:00
h7x4	b9eda3dc56	temmie/userweb: reduce package list	2026-05-11 10:17:09 +09:00
Vegard Bieker Matthey	2fcaf5893f	fix deprecation warning for mediawiki update script	2026-05-09 20:40:14 +02:00
h7x4	b009da31af	temmie/userweb: deny a bunch of spooky directories by default It should still be possible for the user to re-enable these with `.htaccess`	2026-05-10 03:33:43 +09:00
h7x4	e9a267e2a3	temmie/userweb: ignore collisions in fhs env	2026-05-10 03:02:27 +09:00
h7x4	338c2f2531	temmie/userweb: adjust perl and php env This adds and removes a few packages to make the environments closer to how they are on tom	2026-05-10 03:02:26 +09:00
Felix Albrigtsen	8db3034baf	Run shellcheck	2026-05-08 09:31:35 +02:00
h7x4	f64f9c944e	topology: hook skrot up to the switch at the office	2026-05-08 16:27:01 +09:00
h7x4	baeb1e5e60	base/hardening: move hardening options from base/default	2026-05-08 16:23:17 +09:00
h7x4	86ca8dcdc3	base/hardening: ban a bunch more unimportant kernel modules	2026-05-08 16:23:17 +09:00
Daniel Olsen	11d1f8b442	bakke: the owls sick motorbike	2026-05-08 03:07:09 +02:00
Felix Albrigtsen	d8115c4031	bakke: add shading	2026-05-08 03:06:06 +02:00
Felix Albrigtsen	0d41326d9f	bakke: rest of the owl	2026-05-08 03:06:06 +02:00
Felix Albrigtsen	7baf3ffcb4	bakke: uninit	2026-05-08 03:06:06 +02:00
Daniel Olsen	45f10be9b4	secrets: delete skrott	2026-05-08 03:01:11 +02:00
Daniel Olsen	06cd860d2f	README: change skrot link to point to skrot, not skrott	2026-05-08 02:38:54 +02:00
Daniel Olsen	ebd8b871f4	skrott: yeetus deletus	2026-05-08 01:08:48 +02:00
Daniel Olsen	14994485c5	base: mitigate dirtyfrag	2026-05-08 01:03:45 +02:00
h7x4	f2752ee9a6	.gitea/workflows/*: remove redundant config All of the extra config is now being included by default with the github action	2026-05-06 23:34:22 +09:00
h7x4	bb20f32df8	.gitea/workflows: simplify some steps	2026-04-29 08:34:38 +09:00
h7x4	f83ae6de37	flake.lock: bump roowho2	2026-04-29 08:29:02 +09:00
h7x4	f490e64516	flake.nix: bump greg-ng and gergle Also follow unstable nixpkgs in order to use bleeding edge flutter	2026-04-25 07:09:41 +09:00
Vegard Bieker Matthey	61c6639d3a	remove inactive users	2026-04-23 14:18:52 +02:00
h7x4	eee7e9ad7b	lupine/gitea-runner: register docker images for alpine v3.23 and ubuntu 26.04	2026-04-23 21:05:23 +09:00
h7x4	3160d64167	packages/bluemap: 5.15 -> 5.20	2026-04-19 05:31:15 +09:00
h7x4	23355317d6	lupine-3: update hardware config	2026-04-19 01:26:25 +09:00
h7x4	683e4b2dbc	lupine-3: update sops key	2026-04-19 01:26:12 +09:00
h7x4	f52cf697cc	lupine-5: update hardware config	2026-04-19 00:38:32 +09:00
h7x4	8a9e92c706	lupine-5: update sops key	2026-04-19 00:38:24 +09:00
h7x4	6dce8bac0e	lupine-4: re-enable gitea runner	2026-04-19 00:22:30 +09:00
h7x4	e2abbf224b	lupine-{1,2,4}: update hardware config	2026-04-18 23:58:53 +09:00
h7x4	a399f23785	lupine-{1,2,4}: update sops keys	2026-04-18 23:58:43 +09:00
h7x4	69a22e2ba0	flake.lock: bump	2026-04-02 13:06:30 +09:00
h7x4	6be23feeca	packages/ooye: 3.3-unstable-2026-01-21 -> 3.5.1	2026-04-02 12:44:43 +09:00
Vegard Bieker Matthey	1bfd4fe595	avoid using lupine-4 for gitea actions	2026-03-26 06:05:41 +01:00
Felix Albrigtsen	2efe4a1d1e	Revert "base/acme: use different email alias for account" This reverts commit `0d40c7d7a7`.	2026-03-22 12:52:33 +01:00
h7x4	6ef02bd485	kommode/gitea: allow me to go fork myself	2026-03-10 14:50:56 +09:00
Vegard Bieker Matthey	6b1fb4c065	only cross-compile when necessary This fixes issues with rebuilding georg and brzeczyszczykiewicz. Reviewed-on: https://git.pvv.ntnu.no/Drift/pvv-nixos-config/pulls/128 Reviewed-by: Oystein Kristoffer Tveit <oysteikt@pvv.ntnu.no> Co-authored-by: Vegard Bieker Matthey <VegardMatthey@protonmail.com> Co-committed-by: Vegard Bieker Matthey <VegardMatthey@protonmail.com>	2026-02-21 21:14:04 +01:00
Vegard Bieker Matthey	18167dca0a	update README to reflect added host	2026-02-14 19:12:41 +01:00
Vegard Bieker Matthey	b5fecc94a7	hosts: add skrot Co-authored-by: System administrator <root@skrot.pvv.ntnu.no> Reviewed-on: https://git.pvv.ntnu.no/Drift/pvv-nixos-config/pulls/124 Co-authored-by: Vegard Bieker Matthey <VegardMatthey@protonmail.com> Co-committed-by: Vegard Bieker Matthey <VegardMatthey@protonmail.com>	2026-02-14 18:53:54 +01:00
h7x4	0d40c7d7a7	base/acme: use different email alias for account	2026-02-13 19:45:45 +09:00
h7x4	b327582236	kommode/gitea: use redis for sessions and queue	2026-02-13 18:55:42 +09:00
h7x4	7e39bf3ba2	bicep/matrix/ooye: add rsync pull target for principal backups	2026-02-13 18:26:55 +09:00
h7x4	5bb0cd0465	kommode/gitea: set default theme	2026-02-13 14:32:36 +09:00
h7x4	9efda802cb	kommode/gitea: move ui configuration to `customization`	2026-02-13 14:23:48 +09:00
h7x4	3c08be3d73	kommode/gitea: configure redis cache	2026-02-13 03:50:21 +09:00
Øystein Tveit	b1a2836b5d	kommode/gitea: custom emoji	2026-02-13 03:38:45 +09:00
h7x4	ba1f30f737	kommode/gitea: configure more meta fields	2026-02-13 03:13:49 +09:00
Daniel Olsen	c455c5a7e3	bicep/matrix/livekit: fix matrix domain in livekit, allow dan's server as well	2026-02-11 22:58:19 +01:00
Vegard Bieker Matthey	35907be4f2	update sops keys for skrott	2026-02-07 22:17:09 +01:00
h7x4	210f74dc59	secrets: sops updatekeys	2026-02-08 05:19:26 +09:00
Vegard Bieker Matthey	d35de940c1	update gpg install cmd for secrets	2026-02-07 21:12:03 +01:00
h7x4	daa4b9e271	bekkalokk/mediawiki: adjust umask	2026-02-07 01:46:55 +09:00
h7x4	12eb0b3f53	bekkalokk/mediawiki: allow uploading more filetypes	2026-02-07 00:56:38 +09:00
h7x4	02bdb8d45b	kommode/gitea/web: use default login shell	2026-02-05 13:25:06 +09:00
h7x4	a5143c0aaa	bekkalokk/nettsiden: fix gallery rsync target	2026-02-05 13:19:29 +09:00
Vegard Bieker Matthey	561404cd87	bump dibbler	2026-02-04 04:11:56 +01:00
System administrator	3338b4cd61	gluttony: fix ipv4 addr	2026-02-03 21:05:53 +01:00
Vegard Bieker Matthey	2354dcf578	gluttony: update disk id	2026-02-03 16:18:43 +01:00
h7x4	304304185c	base: add `lsof` to list of default installed packages	2026-02-02 23:59:35 +09:00
h7x4	b712f3cda3	temmie/userweb: add a few more packages	2026-01-31 21:53:12 +09:00
h7x4	cc272a724c	temmie/userweb: add directory index search path	2026-01-31 21:30:23 +09:00
h7x4	fcaa97884e	temmie/userweb: add a bunch more normal packages	2026-01-31 21:20:26 +09:00
h7x4	11f2cf504f	temmie/userweb: add a bunch more perl packages	2026-01-31 20:31:03 +09:00
h7x4	7ab16bc949	temmie/userweb: restrict log access	2026-01-31 19:08:02 +09:00
h7x4	c4d5cfde56	temmie/userweb: add `legacy-cgi` to the python package set	2026-01-31 18:53:44 +09:00
h7x4	100d09f6b7	temmie/userweb: get first iteration working	2026-01-31 18:41:17 +09:00
h7x4	3b0742bfac	temmie: combine homedirs in overlayfs	2026-01-31 18:41:17 +09:00
h7x4	3ba1ea2e4f	flake.lock: bump	2026-01-31 13:44:39 +09:00
h7x4	91de031896	treewide: limit rsync pull target access to principal	2026-01-31 11:14:18 +09:00
h7x4	c3ce6a40ea	ildkule/grafana: update a bunch of dashboards	2026-01-31 01:07:26 +09:00
h7x4	beee0ddc75	ildkule/grafana: remove dashboard for gogs	2026-01-31 00:58:34 +09:00
h7x4	359f599655	bekkalokk/snappymail: add rsync pull target for principal	2026-01-31 00:19:09 +09:00
h7x4	5b1c6f16d1	bekkalokk/vaultwarden: add rsync pull target for principal	2026-01-31 00:18:57 +09:00
h7x4	cec69d89a8	bicep/{postgres,mysql}: fix old backup deletion (again)	2026-01-30 13:26:10 +09:00
h7x4	af0bf7b254	bicep/{postgres,mysql}: fix old backup deletion	2026-01-29 14:57:46 +09:00
h7x4	bcf8b1607f	bicep/{postgres,mysql}: use hardlink for latest backup file	2026-01-29 14:53:07 +09:00
h7x4	1d46fd1ec6	bicep/{postgres,mysql}: keep multiple backups, point at latest with symlink	2026-01-29 14:16:34 +09:00
h7x4	bac53be707	bicep/{postgres,mysql}: use zstd for backup compression	2026-01-29 13:50:35 +09:00
h7x4	f08bd96b74	bicep/{postgres,mysql}: move backups to `/data`	2026-01-29 13:41:06 +09:00
h7x4	25f2a13391	packages/mediawiki-extensions: bump all	2026-01-29 13:34:42 +09:00
h7x4	8774c81d23	bicep/{postgres,mysql}: custom backup units	2026-01-29 13:32:28 +09:00
h7x4	d6eca5c4e3	bicep/{postgres,mysql}: split config into several files	2026-01-29 13:18:25 +09:00
h7x4	49d1122ee5	bicep/mysql: enable slow query logs	2026-01-28 14:55:52 +09:00
h7x4	31bbf4b25f	bicep/synapse: enable auto-compressor timer	2026-01-28 14:50:57 +09:00
h7x4	2f7e1439d0	bicep/mysql: pin version, upgrade from 11.4 -> 11.8	2026-01-28 14:01:14 +09:00
h7x4	fa31a84bd2	bicep/postgres: upgrade from 15 -> 18	2026-01-28 14:00:25 +09:00
h7x4	b77c8eb5c0	modules/rsync-pull-targets: fix multiple pull targets with same user	2026-01-27 21:10:17 +09:00
h7x4	949661113e	bicep/mysql: move backup dir	2026-01-27 20:47:40 +09:00
h7x4	f442c4d65f	bicep/minecraft-heatmap: gate remaining config behind `cfg.enable`	2026-01-27 20:44:20 +09:00
h7x4	690aee634b	bicep/postgres: gate remaining config behind `cfg.enable`	2026-01-27 20:44:20 +09:00
h7x4	2ed1c83858	bicep/{postgres,mysql}: add rsync pull targets for backups	2026-01-27 20:39:12 +09:00
h7x4	d43de08a3b	flake.lock: bump	2026-01-27 19:44:45 +09:00
h7x4	e8c7f177e8	kommode: use disko to configure disks	2026-01-27 19:00:12 +09:00
h7x4	fb59a242fb	kommode/gitea: add rsync pull target for gitea dump dir	2026-01-27 18:55:25 +09:00
h7x4	65d095feb1	bekkalokk/mediawiki, bicep/matrix/synapse: add keys for rsync targets	2026-01-27 18:55:03 +09:00
h7x4	8273d98788	flake.nix: add `disko` to default devshell	2026-01-27 18:35:18 +09:00
h7x4	8a84069dcf	bicep/mysql: use `BindPaths` to access `dataDir`	2026-01-27 17:23:38 +09:00
h7x4	cda84be5b0	bekkalokk/well-known: add note about bug bounty program to `security.txt`	2026-01-27 17:11:07 +09:00
h7x4	79a46ce3f6	bicep/element: set default country code	2026-01-27 04:11:40 +09:00
h7x4	19e45be83a	.mailmap: further dedup	2026-01-27 04:07:25 +09:00
h7x4	a8892e2fb2	hosts/various: bump `stateVersion`	2026-01-27 04:00:48 +09:00
h7x4	a149f97ac0	bicep: bump `stateVersion` from 22.11 -> 25.11	2026-01-27 03:59:40 +09:00
h7x4	e76c656378	bekkalokk: bump `stateVersion` from 22.11 -> 25.11	2026-01-27 03:52:34 +09:00
h7x4	5877ef60b1	modules/rsync-pull-targets: leave TODO about assertion	2026-01-27 00:27:00 +09:00
h7x4	73456de527	bekkalokk/mediawiki, bicep/matrix/synapse: leave principal rsync target stubs	2026-01-27 00:26:42 +09:00
h7x4	2f8e9ea190	modules/rsync-pull-targets: init, migrate bekkalokk/website/fetch-gallery	2026-01-26 23:57:20 +09:00
h7x4	c3c98392ad	bicep/hookshot: add passkey to sops	2026-01-26 21:52:58 +09:00
h7x4	e01fd902eb	bekkalokk/mediawiki: move `secret.key` to sops	2026-01-26 17:55:55 +09:00
h7x4	ce8d759f79	skrott: yeet 700MB worth of firmware, leave raspberry-specific firmware be	2026-01-26 17:09:18 +09:00
h7x4	ea6296f47a	base/vm: disable graphics for vms by default	2026-01-26 17:08:35 +09:00
h7x4	c28fc3f229	ildkule/prometheus: add temmie,gluttony, re-enable lupine-2	2026-01-26 17:04:55 +09:00
h7x4	c124183d95	ildkule/prometheus: scrape skrott	2026-01-26 17:04:52 +09:00
h7x4	d7bb316056	skrott: yeetus ncdu	2026-01-26 15:45:10 +09:00
h7x4	c78c29aaa6	skrott: don't pull in nixpkgs/nixpkgs-unstable source tarballs	2026-01-26 15:43:23 +09:00
h7x4	7d451f1db5	base/auto-upgrade: don't install `flake-inputs.json` when disabled	2026-01-26 15:42:56 +09:00
h7x4	1d57cec04d	base/acme: remove deprecated argument	2026-01-26 15:07:40 +09:00
h7x4	f50372fabd	.sops.yaml: remove yet more remains of jokum	2026-01-26 13:53:30 +09:00
h7x4	0f355046de	.sops.yaml: add skrott	2026-01-26 13:53:16 +09:00
h7x4	285f5b6a84	flake.nix: point `skrott-x86_64` at correct nixosConfiguration, add `-sd` variants	2026-01-26 13:46:15 +09:00
h7x4	20eec03cd4	bakke: fix eval warnings about kernel packages	2026-01-26 13:46:14 +09:00
h7x4	fffdf77d6f	skrott: disable more stuff	2026-01-26 13:46:13 +09:00
h7x4	42bbb1eca1	flake.nix: make native skrott default, misc cleaning	2026-01-26 13:28:42 +09:00
h7x4	34fdc9159c	bekkalokk/mediawiki: remove nonused module import	2026-01-26 13:19:48 +09:00
h7x4	1b6ff9876d	Remove global packages from users, skrott: remove neovim properly	2026-01-26 13:16:06 +09:00
h7x4	0206c159a2	skrott: cross compile and further minimize	2026-01-26 13:15:46 +09:00
h7x4	15004829a8	flake.lock: bump dibbler	2026-01-26 02:30:53 +09:00
h7x4	48ffb3cda1	skrott/dibbler: fix postgres url	2026-01-26 02:27:21 +09:00
h7x4	9bbc64afc8	skrott: disable promtail, documentation	2026-01-26 02:25:12 +09:00
h7x4	1cf956f37b	skrott: disable thermald	2026-01-26 02:04:03 +09:00
h7x4	38a1d38c7f	skrott: disable zfs, udisks2	2026-01-26 01:31:46 +09:00
h7x4	f1a6e47e67	skrott: disable smartd	2026-01-26 00:48:36 +09:00
h7x4	c061c5be0c	base: re-enable `mutableUsers` (absolute state)	2026-01-26 00:25:20 +09:00
h7x4	08e3e1a287	README: add skrott to machine overview	2026-01-25 23:30:41 +09:00
h7x4	034f6540d9	secrets/skrott: add database password	2026-01-25 23:30:41 +09:00
h7x4	695fe48ba8	skrott: set gateway	2026-01-25 23:30:41 +09:00
h7x4	b37551209a	flake.nix: bump dibbler	2026-01-25 22:54:52 +09:00
Felix Albrigtsen	19059b742e	users/felixalb: update SSH keys	2026-01-25 13:17:39 +01:00
h7x4	e336c119a5	skrott: bump `stateVersion`	2026-01-25 21:08:28 +09:00
h7x4	52ac4ca775	skrott: update dibbler + config	2026-01-25 20:56:33 +09:00
Vegard Bieker Matthey	6b352507a3	Merge pull request 'gluttony: use grub as bootloader because of no uefi support' (!121 ) from gluttony-boot into main Reviewed-on: https://git.pvv.ntnu.no/Drift/pvv-nixos-config/pulls/121	2026-01-24 22:25:28 +01:00
Vegard Bieker Matthey	604b528dd3	use grub as bootloader because of no uefi support	2026-01-24 22:04:54 +01:00