flake.lock: update pvv-nettsiden

Fix networking in Openstack.

This rewrites the systemd-networkd config, fixing both dhcp and manual address/route configurations.
Now, everything should behave predictably, routing NTNU-internal and NTNU-global addresses separately and properly across both ipv4 and ipv6.

Reviewed-on: https://git.pvv.ntnu.no/Drift/pvv-nixos-config/pulls/47

.sops.yaml

@@ -7,7 +7,7 @@ keys:
 
   # Hosts
   - &host_jokum age1gp8ye4g2mmw3may5xg0zsy7mm04glfz3788mmdx9cvcsdxs9hg0s0cc9kt
-  - &host_ildkule age1hn45n46ypyrvypv0mwfnpt9ddrlmw34dwlpf33n8v67jexr3lucq6ahc9x
+  - &host_ildkule age1x28hmzvuv6f2n66c0jtqcca3h9rput8d7j5uek6jcpx8n9egd52sqpejq0
   - &host_bekkalokk age12nj59tguy9wg882updc2vjdusx5srnxmjyfaqve4zx6jnnsaw3qsyjq6zd
   - &host_bicep age1sl43gc9cw939z5tgha2lpwf0xxxgcnlw7w4xem4sqgmt2pt264vq0dmwx2
 
@@ -17,10 +17,6 @@ creation_rules:
     key_groups:
     - age:
       - *host_jokum
-      - *host_ildkule
-      - *host_bekkalokk
-      - *host_bicep
-
       - *user_danio
       - *user_felixalb
       - *user_eirikwit

base.nix

@@ -4,7 +4,6 @@
   imports = [
     ./users
     ./modules/snakeoil-certs.nix
-    ./modules/debug-locations.nix
   ];
 
   networking.domain = "pvv.ntnu.no";
@@ -85,27 +84,50 @@
     settings.PermitRootLogin = "yes";
   };
 
-  sops.age = {
-    sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
-    keyFile = "/var/lib/sops-nix/key.txt";
-    generateKey = true;
-  };
-
   # nginx return 444 for all nonexistent virtualhosts
 
   systemd.services.nginx.after = [ "generate-snakeoil-certs.service" ];
 
-  environment.snakeoil-certs = lib.mkIf (config.services.nginx.enable) {
+  environment.snakeoil-certs = lib.mkIf config.services.nginx.enable {
     "/etc/certs/nginx" = {
       owner = "nginx";
       group = "nginx";
     };
   };
 
-  services.nginx.virtualHosts."_" = lib.mkIf (config.services.nginx.enable) {
+  services.nginx = {
+    recommendedTlsSettings = true;
+    recommendedProxySettings = true;
+    recommendedOptimisation = true;
+    recommendedGzipSettings = true;
+
+    appendConfig = ''
+      pcre_jit on;
+      worker_processes auto;
+      worker_rlimit_nofile 100000;
+    '';
+    eventsConfig = ''
+      worker_connections 2048;
+      use epoll;
+      multi_accept on;
+    '';
+  };
+
+  systemd.services.nginx.serviceConfig = lib.mkIf config.services.nginx.enable {
+    LimitNOFILE = 65536;
+  };
+
+  services.nginx.virtualHosts."_" = lib.mkIf config.services.nginx.enable {
     sslCertificate = "/etc/certs/nginx.crt";
     sslCertificateKey = "/etc/certs/nginx.key";
     addSSL = true;
     extraConfig = "return 444;";
   };
+
+  networking.firewall.allowedTCPPorts = lib.mkIf config.services.nginx.enable [ 80 443 ];
+
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = "drift@pvv.ntnu.no";
+  };
 }

flake.lock

@@ -7,11 +7,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1710169806,
+        "lastModified": 1715445235,
-        "narHash": "sha256-HeWFrRuHpnAiPmIr26OKl2g142HuGerwoO/XtW53pcI=",
+        "narHash": "sha256-SUu+oIWn+xqQIOlwfwNfS9Sek4i1HKsrLJchsDReXwA=",
         "owner": "nix-community",
         "repo": "disko",
-        "rev": "fe064a639319ed61cdf12b8f6eded9523abcc498",
+        "rev": "159d87ea5b95bbdea46f0288a33c5e1570272725",
         "type": "github"
       },
       "original": {
@@ -20,18 +20,58 @@
         "type": "github"
       }
     },
+    "fix-python": {
+      "inputs": {
+        "flake-utils": "flake-utils",
+        "nixpkgs": [
+          "grzegorz",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1713887124,
+        "narHash": "sha256-hGTSm0p9xXUYDgsAAr/ORZICo6T6u33vLfX3tILikaQ=",
+        "owner": "GuillaumeDesforges",
+        "repo": "fix-python",
+        "rev": "f7f4b33e22414071fc1f9cbf68072c413c3a7fdf",
+        "type": "github"
+      },
+      "original": {
+        "owner": "GuillaumeDesforges",
+        "repo": "fix-python",
+        "type": "github"
+      }
+    },
+    "flake-utils": {
+      "inputs": {
+        "systems": "systems"
+      },
+      "locked": {
+        "lastModified": 1689068808,
+        "narHash": "sha256-6ixXo3wt24N/melDWjq70UuHQLxGV8jZvooRanIHXw0=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "919d646de7be200f3bf08cb76ae1f09402b6f9b4",
+        "type": "github"
+      },
+      "original": {
+        "id": "flake-utils",
+        "type": "indirect"
+      }
+    },
     "grzegorz": {
       "inputs": {
+        "fix-python": "fix-python",
         "nixpkgs": [
           "nixpkgs-unstable"
         ]
       },
       "locked": {
-        "lastModified": 1696346665,
+        "lastModified": 1715364232,
-        "narHash": "sha256-J6Tf6a/zhFZ8SereluHLrvgPsIVm2CGHHA8wrbhZB3Y=",
+        "narHash": "sha256-ZJC3SkanEgbV7p+LFhP+85CviRWOXJNHzZwR/Stb7hE=",
         "owner": "Programvareverkstedet",
         "repo": "grzegorz",
-        "rev": "9b9c3ac7d408ac7c6d67544b201e6b169afacb03",
+        "rev": "3841cda1cdcac470440b06838d56a2eb2256378c",
         "type": "github"
       },
       "original": {
@@ -47,11 +87,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1693864994,
+        "lastModified": 1715384651,
-        "narHash": "sha256-oLDiWdCKDtEfeGzfAuDTq+n9VWp6JCo67PEESEZ3y8E=",
+        "narHash": "sha256-7RhckgUTjqeCjWkhiCc1iB+5CBx9fl80d/3O4Jh+5kM=",
         "owner": "Programvareverkstedet",
         "repo": "grzegorz-clients",
-        "rev": "a38a0b0fb31ad0ad78a91458cb2c7f77f686468f",
+        "rev": "738a4f3dd887f7c3612e4e772b83cbfa3cde5693",
         "type": "github"
       },
       "original": {
@@ -67,41 +107,62 @@
         ]
       },
       "locked": {
-        "lastModified": 1710311999,
+        "lastModified": 1717234745,
-        "narHash": "sha256-s0pT1NyrMgeolUojXXcnXQDymN7m80GTF7itCv0ZH20=",
+        "narHash": "sha256-MFyKRdw4WQD6V3vRGbP6MYbtJhZp712zwzjW6YiOBYM=",
         "owner": "dali99",
         "repo": "nixos-matrix-modules",
-        "rev": "6c9b67974b839740e2a738958512c7a704481157",
+        "rev": "d7dc42c9bbb155c5e4aa2f0985d0df75ce978456",
         "type": "github"
       },
       "original": {
         "owner": "dali99",
+        "ref": "v0.6.0",
         "repo": "nixos-matrix-modules",
         "type": "github"
       }
     },
+    "nix-gitea-themes": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1714416973,
+        "narHash": "sha256-aZUcvXjdETUC6wVQpWDVjLUzwpDAEca8yR0ITDeK39o=",
+        "ref": "refs/heads/main",
+        "rev": "2b23c0ba8aae68d3cb6789f0f6e4891cef26cc6d",
+        "revCount": 6,
+        "type": "git",
+        "url": "https://git.pvv.ntnu.no/oysteikt/nix-gitea-themes.git"
+      },
+      "original": {
+        "type": "git",
+        "url": "https://git.pvv.ntnu.no/oysteikt/nix-gitea-themes.git"
+      }
+    },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1710248792,
+        "lastModified": 1719520878,
-        "narHash": "sha256-yFyWw4na+nJgtXwhHs2SJSy5Lcw94/FcMbBOorlGdfI=",
+        "narHash": "sha256-5BXzNOl2RVHcfS/oxaZDKOi7gVuTyWPibQG0DHd5sSc=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "efbb274f364c918b9937574de879b5874b5833cc",
+        "rev": "a44bedbb48c367f0476e6a3a27bf28f6330faf23",
         "type": "github"
       },
       "original": {
         "id": "nixpkgs",
-        "ref": "nixos-23.11-small",
+        "ref": "nixos-24.05-small",
         "type": "indirect"
       }
     },
     "nixpkgs-stable": {
       "locked": {
-        "lastModified": 1710033658,
+        "lastModified": 1714858427,
-        "narHash": "sha256-yiZiVKP5Ya813iYLho2+CcFuuHpaqKc/CoxOlANKcqM=",
+        "narHash": "sha256-tCxeDP4C1pWe2rYY3IIhdA40Ujz32Ufd4tcrHPSKx2M=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "b17375d3bb7c79ffc52f3538028b2ec06eb79ef8",
+        "rev": "b980b91038fc4b09067ef97bbe5ad07eecca1e76",
         "type": "github"
       },
       "original": {
@@ -113,11 +174,11 @@
     },
     "nixpkgs-unstable": {
       "locked": {
-        "lastModified": 1710247538,
+        "lastModified": 1715435713,
-        "narHash": "sha256-Mm3aCwfAdYgG2zKf5SLRBktPH0swXN1yEetAMn05KAA=",
+        "narHash": "sha256-lb2HqDQGfTdnCCpc1pgF6fkdgIOuBQ0nP8jjVSfLFqg=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "21adc4f16a8ab151fec83b9d9368cd62d9de86bc",
+        "rev": "52b40f6c4be12742b1504ca2eb4527e597bf2526",
         "type": "github"
       },
       "original": {
@@ -146,15 +207,37 @@
         "url": "https://git.pvv.ntnu.no/Projects/calendar-bot.git"
       }
     },
+    "pvv-nettsiden": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1722722932,
+        "narHash": "sha256-K81a2GQpY2kRX+C9ek9r91THlZB674CqRTSMMb5IO7E=",
+        "ref": "refs/heads/master",
+        "rev": "6580cfe546c902cdf11e17b0b8aa30b3c412bb34",
+        "revCount": 465,
+        "type": "git",
+        "url": "https://git.pvv.ntnu.no/Projects/nettsiden.git"
+      },
+      "original": {
+        "type": "git",
+        "url": "https://git.pvv.ntnu.no/Projects/nettsiden.git"
+      }
+    },
     "root": {
       "inputs": {
         "disko": "disko",
         "grzegorz": "grzegorz",
         "grzegorz-clients": "grzegorz-clients",
         "matrix-next": "matrix-next",
+        "nix-gitea-themes": "nix-gitea-themes",
         "nixpkgs": "nixpkgs",
         "nixpkgs-unstable": "nixpkgs-unstable",
         "pvv-calendar-bot": "pvv-calendar-bot",
+        "pvv-nettsiden": "pvv-nettsiden",
         "sops-nix": "sops-nix"
       }
     },
@@ -166,11 +249,11 @@
         "nixpkgs-stable": "nixpkgs-stable"
       },
       "locked": {
-        "lastModified": 1710195194,
+        "lastModified": 1715244550,
-        "narHash": "sha256-KFxCJp0T6TJOz1IOKlpRdpsCr9xsvlVuWY/VCiAFnTE=",
+        "narHash": "sha256-ffOZL3eaZz5Y1nQ9muC36wBCWwS1hSRLhUzlA9hV2oI=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "e52d8117b330f690382f1d16d81ae43daeb4b880",
+        "rev": "0dc50257c00ee3c65fef3a255f6564cfbfe6eb7f",
         "type": "github"
       },
       "original": {
@@ -178,6 +261,21 @@
         "repo": "sops-nix",
         "type": "github"
       }
+    },
+    "systems": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
     }
   },
   "root": "root",

flake.nix

@@ -2,7 +2,7 @@
   description = "PVV System flake";
 
   inputs = {
-    nixpkgs.url = "nixpkgs/nixos-23.11-small";
+    nixpkgs.url = "nixpkgs/nixos-24.05-small";
     nixpkgs-unstable.url = "nixpkgs/nixos-unstable-small";
 
     sops-nix.url = "github:Mic92/sops-nix";
@@ -11,12 +11,18 @@
     disko.url = "github:nix-community/disko";
     disko.inputs.nixpkgs.follows = "nixpkgs";
 
+    pvv-nettsiden.url = "git+https://git.pvv.ntnu.no/Projects/nettsiden.git";
+    pvv-nettsiden.inputs.nixpkgs.follows = "nixpkgs";
+
     pvv-calendar-bot.url = "git+https://git.pvv.ntnu.no/Projects/calendar-bot.git";
     pvv-calendar-bot.inputs.nixpkgs.follows = "nixpkgs";
 
-    matrix-next.url = "github:dali99/nixos-matrix-modules";
+    matrix-next.url = "github:dali99/nixos-matrix-modules/v0.6.0";
     matrix-next.inputs.nixpkgs.follows = "nixpkgs";
 
+    nix-gitea-themes.url = "git+https://git.pvv.ntnu.no/oysteikt/nix-gitea-themes.git";
+    nix-gitea-themes.inputs.nixpkgs.follows = "nixpkgs";
+
     grzegorz.url = "github:Programvareverkstedet/grzegorz";
     grzegorz.inputs.nixpkgs.follows = "nixpkgs-unstable";
     grzegorz-clients.url = "github:Programvareverkstedet/grzegorz-clients";
@@ -58,7 +64,9 @@
 
           pkgs = import nixpkgs {
             inherit system;
-            overlays = [ ] ++ config.overlays or [ ];
+            overlays = [
+              # Global overlays go here
+            ] ++ config.overlays or [ ];
           };
         }
         (removeAttrs config [ "modules" "overlays" ])
@@ -83,6 +91,12 @@
             mediawiki-extensions = final.callPackage ./packages/mediawiki-extensions { };
             simplesamlphp = final.callPackage ./packages/simplesamlphp { };
           })
+          inputs.nix-gitea-themes.overlays.default
+          inputs.pvv-nettsiden.overlays.default
+        ];
+        modules = [
+          inputs.nix-gitea-themes.nixosModules.default
+          inputs.pvv-nettsiden.nixosModules.default
         ];
       };
       bob = stableNixosConfig "bob" {
@@ -126,8 +140,13 @@
 
         simplesamlphp = pkgs.callPackage ./packages/simplesamlphp { };
 
-        mediawiki-extensions = pkgs.callPackage ./packages/mediawiki-extensions { };
+      } //
-      } // nixlib.genAttrs allMachines
+      (nixlib.pipe null [
+        (_: pkgs.callPackage ./packages/mediawiki-extensions { })
+        (nixlib.flip builtins.removeAttrs ["override" "overrideDerivation"])
+        (nixlib.mapAttrs' (name: nixlib.nameValuePair "mediawiki-${name}"))
+      ])
+      // nixlib.genAttrs allMachines
         (machine: self.nixosConfigurations.${machine}.config.system.build.toplevel);
     };
   };

hosts/bekkalokk/configuration.nix

@@ -6,16 +6,14 @@
     ../../base.nix
     ../../misc/metrics-exporters.nix
 
-    #./services/keycloak.nix
-
-    # TODO: set up authentication for the following:
-    # ./services/website.nix
-    ./services/nginx
     ./services/gitea/default.nix
-    ./services/kerberos
-    ./services/webmail
-    ./services/mediawiki
     ./services/idp-simplesamlphp
+    ./services/kerberos
+    ./services/mediawiki
+    ./services/nginx.nix
+    ./services/vaultwarden.nix
+    ./services/webmail
+    ./services/website
   ];
 
   sops.defaultSopsFile = ../../secrets/bekkalokk/bekkalokk.yaml;
@@ -26,8 +24,6 @@
   boot.loader.systemd-boot.enable = true;
   boot.loader.efi.canTouchEfiVariables = true;
 
-  virtualisation.podman.enable = true;
-
   networking.hostName = "bekkalokk";
 
   systemd.network.networks."30-enp2s0" = values.defaultNetworkConfig // {

hosts/bekkalokk/services/gitea/ci.nix

@@ -27,4 +27,5 @@ lib.mkMerge [
   (mkRunner "alpha")
   (mkRunner "beta")
   (mkRunner "epsilon")
+  { virtualisation.podman.enable = true; }
 ]

hosts/bekkalokk/services/gitea/default.nix

@@ -1,4 +1,4 @@
-{ config, values, pkgs, ... }:
+{ config, values, pkgs, lib, ... }:
 let
   cfg = config.services.gitea;
   domain = "git.pvv.ntnu.no";
@@ -6,6 +6,7 @@ let
 in {
   imports = [
     ./ci.nix
+    ./import-users.nix
   ];
 
   sops.secrets = {
@@ -13,36 +14,84 @@ in {
       owner = "gitea";
       group = "gitea";
     };
-    "gitea/passwd-ssh-key" = { };
+    "gitea/email-password" = {
-    "gitea/ssh-known-hosts" = { };
+      owner = "gitea";
-    "gitea/import-user-env" = { };
+      group = "gitea";
+    };
   };
 
   services.gitea = {
     enable = true;
-    stateDir = "/data/gitea";
     appName = "PVV Git";
 
     database = {
       type = "postgres";
       host = "postgres.pvv.ntnu.no";
-      port = config.services.postgresql.port;
+      port = config.services.postgresql.settings.port;
       passwordFile = config.sops.secrets."gitea/database".path;
       createDatabase = false;
     };
 
+    mailerPasswordFile = config.sops.secrets."gitea/email-password".path;
+
+    # https://docs.gitea.com/administration/config-cheat-sheet
     settings = {
       server = {
         DOMAIN   = domain;
         ROOT_URL = "https://${domain}/";
         PROTOCOL = "http+unix";
         SSH_PORT = sshPort;
-	      START_SSH_SERVER = true;
+        START_SSH_SERVER = true;
+        START_LFS_SERVER = true;
+        LANDING_PAGE = "explore";
+      };
+      mailer = {
+        ENABLED = true;
+        FROM = "gitea@pvv.ntnu.no";
+        PROTOCOL = "smtp";
+        SMTP_ADDR = "smtp.pvv.ntnu.no";
+        SMTP_PORT = 587;
+        USER = "gitea@pvv.ntnu.no";
+        SUBJECT_PREFIX = "[pvv-git]";
       };
       indexer.REPO_INDEXER_ENABLED = true;
-      service.DISABLE_REGISTRATION = true;
+      service = {
+        DISABLE_REGISTRATION = true;
+        ENABLE_NOTIFY_MAIL = true;
+      };
+      admin.DEFAULT_EMAIL_NOTIFICATIONS = "onmention";
       session.COOKIE_SECURE = true;
       database.LOG_SQL = false;
+      repository = {
+        PREFERRED_LICENSES = lib.concatStringsSep "," [
+          "AGPL-3.0-only"
+          "AGPL-3.0-or-later"
+          "Apache-2.0"
+          "BSD-3-Clause"
+          "CC-BY-4.0"
+          "CC-BY-NC-4.0"
+          "CC-BY-NC-ND-4.0"
+          "CC-BY-NC-SA-4.0"
+          "CC-BY-ND-4.0"
+          "CC-BY-SA-4.0"
+          "CC0-1.0"
+          "GPL-2.0-only"
+          "GPL-3.0-only"
+          "GPL-3.0-or-later"
+          "LGPL-3.0-linking-exception"
+          "LGPL-3.0-only"
+          "LGPL-3.0-or-later"
+          "MIT"
+          "MPL-2.0"
+          "Unlicense"
+        ];
+        DEFAULT_REPO_UNITS = lib.concatStringsSep "," [
+          "repo.code"
+          "repo.issues"
+          "repo.pulls"
+          "repo.releases"
+        ];
+      };
       picture = {
         DISABLE_GRAVATAR = true;
         ENABLE_FEDERATED_AVATAR = false;
@@ -57,9 +106,9 @@ in {
   services.nginx.virtualHosts."${domain}" = {
     forceSSL = true;
     enableACME = true;
+    kTLS = true;
     locations."/" = {
       proxyPass = "http://unix:${cfg.settings.server.HTTP_ADDR}";
-      recommendedProxySettings = true;
       extraConfig = ''
         client_max_body_size 512M;
       '';
@@ -68,38 +117,28 @@ in {
 
   networking.firewall.allowedTCPPorts = [ sshPort ];
 
-  # Automatically import users
+  # Extra customization
-  systemd.services.gitea-import-users = {
-    enable = true;
-    preStart=''${pkgs.rsync}/bin/rsync -e "${pkgs.openssh}/bin/ssh -o UserKnownHostsFile=$CREDENTIALS_DIRECTORY/ssh-known-hosts -i $CREDENTIALS_DIRECTORY/sshkey" -a pvv@smtp.pvv.ntnu.no:/etc/passwd /tmp/passwd-import'';
-    serviceConfig = {
-      ExecStart = pkgs.writers.writePython3 "gitea-import-users" { libraries = [ pkgs.python3Packages.requests ]; } (builtins.readFile ./gitea-import-users.py);
-      LoadCredential=[
-        "sshkey:${config.sops.secrets."gitea/passwd-ssh-key".path}"
-        "ssh-known-hosts:${config.sops.secrets."gitea/ssh-known-hosts".path}"
-      ];
-      DynamicUser="yes";
-      EnvironmentFile=config.sops.secrets."gitea/import-user-env".path;
-    };
-  };
 
-  systemd.timers.gitea-import-users = {
+  services.gitea-themes.monokai = pkgs.gitea-theme-monokai;
-    requires = [ "gitea.service" ];
-    after = [ "gitea.service" ];
-    wantedBy = [ "timers.target" ];
-    timerConfig = {
-      OnCalendar = "*-*-* 02:00:00";
-      Persistent = true;
-      Unit = "gitea-import-users.service";
-    };
-  };
 
-  system.activationScripts.linkGiteaLogo.text = let
+  systemd.services.install-gitea-customization = {
-    logo-svg = ../../../../assets/logo_blue_regular.svg;
+    description = "Install extra customization in gitea's CUSTOM_DIR";
-    logo-png = ../../../../assets/logo_blue_regular.png;
+    wantedBy = [ "gitea.service" ];
-  in ''
+    requiredBy = [ "gitea.service" ];
-    install -Dm444 ${logo-svg} ${cfg.stateDir}/custom/public/img/logo.svg
+
-    install -Dm444 ${logo-png} ${cfg.stateDir}/custom/public/img/logo.png
+    serviceConfig =  {
-    install -Dm444 ${./loading.apng} ${cfg.stateDir}/custom/public/img/loading.png
+      Type = "oneshot";
-  '';
+      User = cfg.user;
+      Group = cfg.group;
+    };
+
+    script = let
+      logo-svg = ../../../../assets/logo_blue_regular.svg;
+      logo-png = ../../../../assets/logo_blue_regular.png;
+    in ''
+      install -Dm444 ${logo-svg} ${cfg.customDir}/public/assets/img/logo.svg
+      install -Dm444 ${logo-png} ${cfg.customDir}/public/assets/img/logo.png
+      install -Dm444 ${./loading.apng} ${cfg.customDir}/public/assets/img/loading.png
+    '';
+  };
 }

hosts/bekkalokk/services/gitea/import-users.nix

@@ -0,0 +1,38 @@
+{ config, pkgs, lib, ... }:
+let
+  cfg = config.services.gitea;
+in
+{
+  sops.secrets = {
+    "gitea/passwd-ssh-key" = { };
+    "gitea/ssh-known-hosts" = { };
+    "gitea/import-user-env" = { };
+  };
+
+  systemd.services.gitea-import-users = lib.mkIf cfg.enable {
+    enable = true;
+    preStart=''${pkgs.rsync}/bin/rsync -e "${pkgs.openssh}/bin/ssh -o UserKnownHostsFile=$CREDENTIALS_DIRECTORY/ssh-known-hosts -i $CREDENTIALS_DIRECTORY/sshkey" -a pvv@smtp.pvv.ntnu.no:/etc/passwd /tmp/passwd-import'';
+    serviceConfig = {
+      ExecStart = pkgs.writers.writePython3 "gitea-import-users" {
+        libraries = with pkgs.python3Packages; [ requests ];
+      } (builtins.readFile ./gitea-import-users.py);
+      LoadCredential=[
+        "sshkey:${config.sops.secrets."gitea/passwd-ssh-key".path}"
+        "ssh-known-hosts:${config.sops.secrets."gitea/ssh-known-hosts".path}"
+      ];
+      DynamicUser="yes";
+      EnvironmentFile=config.sops.secrets."gitea/import-user-env".path;
+    };
+  };
+
+  systemd.timers.gitea-import-users = lib.mkIf cfg.enable {
+    requires = [ "gitea.service" ];
+    after = [ "gitea.service" ];
+    wantedBy = [ "timers.target" ];
+    timerConfig = {
+      OnCalendar = "*-*-* 02:00:00";
+      Persistent = true;
+      Unit = "gitea-import-users.service";
+    };
+  };
+}

hosts/bekkalokk/services/idp-simplesamlphp/default.nix

@@ -22,7 +22,7 @@ let
       # openssl req -newkey rsa:4096 -new -x509 -days 365 -nodes -out idp.crt -keyout idp.pem
       "metadata/saml20-idp-hosted.php" = pkgs.writeText "saml20-idp-remote.php" ''
         <?php
-	  $metadata['https://idp2.pvv.ntnu.no/'] = array(
+	  $metadata['https://idp.pvv.ntnu.no/'] = array(
 	    'host' => '__DEFAULT__',
 	    'privatekey' => '${config.sops.secrets."idp/privatekey".path}',
 	    'certificate' => '${./idp.crt}',
@@ -84,16 +84,16 @@ let
         cp ${./config.php} "$out"
 
         substituteInPlace "$out" \
-          --replace '$SAML_COOKIE_SECURE' 'true' \
+          --replace-warn '$SAML_COOKIE_SECURE' 'true' \
-          --replace '$SAML_COOKIE_SALT' 'file_get_contents("${config.sops.secrets."idp/cookie_salt".path}")' \
+          --replace-warn '$SAML_COOKIE_SALT' 'file_get_contents("${config.sops.secrets."idp/cookie_salt".path}")' \
-          --replace '$SAML_ADMIN_NAME' '"Drift"' \
+          --replace-warn '$SAML_ADMIN_NAME' '"Drift"' \
-          --replace '$SAML_ADMIN_EMAIL' '"drift@pvv.ntnu.no"' \
+          --replace-warn '$SAML_ADMIN_EMAIL' '"drift@pvv.ntnu.no"' \
-          --replace '$SAML_ADMIN_PASSWORD' 'file_get_contents("${config.sops.secrets."idp/admin_password".path}")' \
+          --replace-warn '$SAML_ADMIN_PASSWORD' 'file_get_contents("${config.sops.secrets."idp/admin_password".path}")' \
-          --replace '$SAML_TRUSTED_DOMAINS' 'array( "idp2.pvv.ntnu.no" )' \
+          --replace-warn '$SAML_TRUSTED_DOMAINS' 'array( "idp.pvv.ntnu.no" )' \
-          --replace '$SAML_DATABASE_DSN' '"pgsql:host=postgres.pvv.ntnu.no;port=5432;dbname=idp"' \
+          --replace-warn '$SAML_DATABASE_DSN' '"pgsql:host=postgres.pvv.ntnu.no;port=5432;dbname=idp"' \
-          --replace '$SAML_DATABASE_USERNAME' '"idp"' \
+          --replace-warn '$SAML_DATABASE_USERNAME' '"idp"' \
-          --replace '$SAML_DATABASE_PASSWORD' 'file_get_contents("${config.sops.secrets."idp/postgres_password".path}")' \
+          --replace-warn '$SAML_DATABASE_PASSWORD' 'file_get_contents("${config.sops.secrets."idp/postgres_password".path}")' \
-          --replace '$CACHE_DIRECTORY' '/var/cache/idp'
+          --replace-warn '$CACHE_DIRECTORY' '/var/cache/idp'
       '';
 
       "modules/authpwauth/src/Auth/Source/PwAuth.php" = ./authpwauth.php;
@@ -177,9 +177,10 @@ in
       };
     };
 
-    services.nginx.virtualHosts."idp2.pvv.ntnu.no" = {
+    services.nginx.virtualHosts."idp.pvv.ntnu.no" = {
       forceSSL = true;
       enableACME = true;
+      kTLS = true;
       root = "${package}/share/php/simplesamlphp/public";
       locations =  {
         # based on https://simplesamlphp.org/docs/stable/simplesamlphp-install.html#configuring-nginx
@@ -197,6 +198,10 @@ in
             }
           '';
         };
+        "^~ /simplesaml/".extraConfig = ''
+	  rewrite ^/simplesaml/(.*)$ /$1 redirect;
+	  return 404;
+	'';
       };
     };
   };

hosts/bekkalokk/services/idp-simplesamlphp/metadata.php.nix

@@ -1,18 +1,18 @@
 ''
   <?php
-  $metadata['https://idp2.pvv.ntnu.no/'] = [
+  $metadata['https://idp.pvv.ntnu.no/'] = [
       'metadata-set' => 'saml20-idp-hosted',
-      'entityid' => 'https://idp2.pvv.ntnu.no/',
+      'entityid' => 'https://idp.pvv.ntnu.no/',
       'SingleSignOnService' => [
           [
               'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
-              'Location' => 'https://idp2.pvv.ntnu.no/module.php/saml/idp/singleSignOnService',
+              'Location' => 'https://idp.pvv.ntnu.no/module.php/saml/idp/singleSignOnService',
           ],
       ],
       'SingleLogoutService' => [
           [
               'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
-              'Location' => 'https://idp2.pvv.ntnu.no/module.php/saml/idp/singleLogout',
+              'Location' => 'https://idp.pvv.ntnu.no/module.php/saml/idp/singleLogout',
           ],
       ],
       'NameIDFormat' => [ 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient' ],

hosts/bekkalokk/services/kerberos/default.nix

@@ -1,18 +1,5 @@
 { config, pkgs, lib, ... }:
 {
-  #######################
-  # TODO: remove these once nixos 24.05 gets released
-  #######################
-  imports = [
-    ./krb5.nix
-    ./pam.nix
-  ];
-  disabledModules = [
-    "config/krb5/default.nix"
-    "security/pam.nix"
-  ];
-  #######################
-
   security.krb5 = {
     enable = true;
     settings = {

hosts/bekkalokk/services/keycloak.nix

@@ -1,24 +0,0 @@
-{ pkgs, config, values, ... }:
-{
-  sops.secrets."keys/postgres/keycloak" = {
-    owner = "keycloak";
-    group = "keycloak";
-    restartUnits = [ "keycloak.service" ];
-  };
-
-  services.keycloak = {
-    enable = true;
-
-    settings = {
-      hostname = "auth.pvv.ntnu.no";
-      # hostname-strict-backchannel = true;
-    };
-
-    database = {
-      host = values.hosts.bicep.ipv4;
-      createLocally = false;
-      passwordFile = config.sops.secrets."keys/postgres/keycloak".path;
-      caCert = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
-    };
-  };
-}

hosts/bekkalokk/services/mediawiki/default.nix

@@ -17,21 +17,21 @@
         cp ${./simplesaml-config.php} "$out"
 
         substituteInPlace "$out" \
-          --replace '$SAML_COOKIE_SECURE' 'true' \
+          --replace-warn '$SAML_COOKIE_SECURE' 'true' \
-          --replace '$SAML_COOKIE_SALT' 'file_get_contents("${config.sops.secrets."mediawiki/simplesamlphp/cookie_salt".path}")' \
+          --replace-warn '$SAML_COOKIE_SALT' 'file_get_contents("${config.sops.secrets."mediawiki/simplesamlphp/cookie_salt".path}")' \
-          --replace '$SAML_ADMIN_NAME' '"Drift"' \
+          --replace-warn '$SAML_ADMIN_NAME' '"Drift"' \
-          --replace '$SAML_ADMIN_EMAIL' '"drift@pvv.ntnu.no"' \
+          --replace-warn '$SAML_ADMIN_EMAIL' '"drift@pvv.ntnu.no"' \
-          --replace '$SAML_ADMIN_PASSWORD' 'file_get_contents("${config.sops.secrets."mediawiki/simplesamlphp/admin_password".path}")' \
+          --replace-warn '$SAML_ADMIN_PASSWORD' 'file_get_contents("${config.sops.secrets."mediawiki/simplesamlphp/admin_password".path}")' \
-          --replace '$SAML_TRUSTED_DOMAINS' 'array( "wiki2.pvv.ntnu.no" )' \
+          --replace-warn '$SAML_TRUSTED_DOMAINS' 'array( "wiki.pvv.ntnu.no" )' \
-          --replace '$SAML_DATABASE_DSN' '"pgsql:host=postgres.pvv.ntnu.no;port=5432;dbname=mediawiki_simplesamlphp"' \
+          --replace-warn '$SAML_DATABASE_DSN' '"pgsql:host=postgres.pvv.ntnu.no;port=5432;dbname=mediawiki_simplesamlphp"' \
-          --replace '$SAML_DATABASE_USERNAME' '"mediawiki_simplesamlphp"' \
+          --replace-warn '$SAML_DATABASE_USERNAME' '"mediawiki_simplesamlphp"' \
-          --replace '$SAML_DATABASE_PASSWORD' 'file_get_contents("${config.sops.secrets."mediawiki/simplesamlphp/postgres_password".path}")' \
+          --replace-warn '$SAML_DATABASE_PASSWORD' 'file_get_contents("${config.sops.secrets."mediawiki/simplesamlphp/postgres_password".path}")' \
-          --replace '$CACHE_DIRECTORY' '/var/cache/mediawiki/idp'
+          --replace-warn '$CACHE_DIRECTORY' '/var/cache/mediawiki/idp'
       '';
     };
   };
 in {
-  services.idp.sp-remote-metadata = [ "https://wiki2.pvv.ntnu.no/simplesaml/" ];
+  services.idp.sp-remote-metadata = [ "https://wiki.pvv.ntnu.no/simplesaml/" ];
 
   sops.secrets = lib.pipe [
     "mediawiki/password"
@@ -43,6 +43,7 @@ in {
     (map (key: lib.nameValuePair key {
       owner = user;
       group = group;
+      restartUnits = [ "phpfpm-mediawiki.service" ];
     }))
     lib.listToAttrs
   ];
@@ -64,12 +65,10 @@ in {
       name = "mediawiki";
     };
 
-    # Host through nginx
+    webserver = "nginx";
-    webserver = "none";
+    nginx.hostName = "wiki.pvv.ntnu.no";
-    poolConfig = let
+
-      listenUser = config.services.nginx.user;
+    poolConfig = {
-      listenGroup = config.services.nginx.group;
-    in {
       inherit user group;
       "pm" = "dynamic";
       "pm.max_children" = 32;
@@ -77,8 +76,6 @@ in {
       "pm.start_servers" = 2;
       "pm.min_spare_servers" = 2;
       "pm.max_spare_servers" = 4;
-      "listen.owner" = listenUser;
-      "listen.group" = listenGroup;
 
       "catch_workers_output" = true;
       "php_admin_flag[log_errors]" = true;
@@ -89,11 +86,24 @@ in {
     };
 
     extensions = {
-      inherit (pkgs.mediawiki-extensions) DeleteBatch UserMerge PluggableAuth SimpleSAMLphp;
+      inherit (pkgs.mediawiki-extensions)
+        CodeEditor
+        CodeMirror
+        DeleteBatch
+        PluggableAuth
+        Popups
+        Scribunto
+        SimpleSAMLphp
+        TemplateData
+        TemplateStyles
+        UserMerge
+        VisualEditor
+        WikiEditor
+        ;
     };
 
     extraConfig = ''
-      $wgServer = "https://wiki2.pvv.ntnu.no";
+      $wgServer = "https://wiki.pvv.ntnu.no";
       $wgLocaltimezone = "Europe/Oslo";
 
       # Only allow login through SSO
@@ -108,9 +118,7 @@ in {
       $wgGroupPermissions['*']['edit'] = false;
       $wgGroupPermissions['*']['read'] = true;
 
-      # Misc. URL rules
+      # Allow subdirectories in article URLs
-      $wgUsePathInfo = true;
-      $wgScriptExtension = ".php";
       $wgNamespacesWithSubpages[NS_MAIN] = true;
 
       # Styling
@@ -125,13 +133,27 @@ in {
 
       # Misc
       $wgEmergencyContact = "${cfg.passwordSender}";
-      $wgShowIPinHeader = false;
       $wgUseTeX = false;
       $wgLocalInterwiki = $wgSitename;
+      # Fix https://github.com/NixOS/nixpkgs/issues/183097
+      $wgDBserver = "${toString cfg.database.host}";
+      $wgAllowCopyUploads = true;
 
-      # SimpleSAML
+      # Misc program paths
+      $wgFFmpegLocation = '${pkgs.ffmpeg}/bin/ffmpeg';
+      $wgExiftool = '${pkgs.exiftool}/bin/exiftool';
+      $wgExiv2Command = '${pkgs.exiv2}/bin/exiv2';
+      # See https://gist.github.com/sergejmueller/088dce028b6dd120a16e
+      $wgJpegTran = '${pkgs.mozjpeg}/bin/jpegtran';
+      $wgGitBin = '${pkgs.git}/bin/git';
+
+      # Debugging
+      $wgShowExceptionDetails = false;
+      $wgShowIPinHeader = false;
+
+      # EXT:{SimpleSAML,PluggableAuth}
       $wgSimpleSAMLphp_InstallDir = "${simplesamlphp}/share/php/simplesamlphp/";
-      $wgPluggableAuth_Config['Log in using my SAML'] = [
+      $wgPluggableAuth_Config['Log in using SAML'] = [
         'plugin' => 'SimpleSAMLphp',
         'data' => [
           'authSourceId' => 'default-sp',
@@ -141,8 +163,12 @@ in {
         ]
       ];
 
-      # Fix https://github.com/NixOS/nixpkgs/issues/183097
+      # EXT:Scribunto
-      $wgDBserver = "${toString cfg.database.host}";
+      $wgScribuntoDefaultEngine = 'luastandalone';
+      $wgScribuntoEngineConf['luastandalone']['luaPath'] = '${pkgs.lua}/bin';
+
+      # EXT:WikiEditor
+      $wgWikiEditorRealtimePreview = true;
     '';
   };
 
@@ -156,23 +182,13 @@ in {
 
   users.groups.mediawiki.members = [ "nginx" ];
 
-  services.nginx.virtualHosts."wiki2.pvv.ntnu.no" = {
+  services.nginx.virtualHosts."wiki.pvv.ntnu.no" = {
+    kTLS = true;
     forceSSL = true;
     enableACME = true;
-    root = "${config.services.mediawiki.finalPackage}/share/mediawiki";
     locations =  {
-      "/" = {
+      "= /wiki/Main_Page" = lib.mkForce {
-	index = "index.php";
+        return = "301 /wiki/Programvareverkstedet";
-      };
-
-      "~ /(.+\\.php)" = {
-        extraConfig = ''
-          fastcgi_split_path_info ^(.+\.php)(/.+)$;
-          fastcgi_index index.php;
-          fastcgi_pass unix:${config.services.phpfpm.pools.mediawiki.socket};
-          include ${pkgs.nginx}/conf/fastcgi_params;
-          include ${pkgs.nginx}/conf/fastcgi.conf;
-        '';
       };
 
       # based on https://simplesamlphp.org/docs/stable/simplesamlphp-install.html#configuring-nginx
@@ -194,23 +210,22 @@ in {
         '';
       };
 
-      "/images/".alias = "${config.services.mediawiki.uploadsDir}/";
-
       "= /PNG/PVV-logo.svg".alias = ../../../../assets/logo_blue_regular.svg;
       "= /PNG/PVV-logo.png".alias = ../../../../assets/logo_blue_regular.png;
       "= /favicon.ico".alias = pkgs.runCommandLocal "mediawiki-favicon.ico" {
         buildInputs = with pkgs; [ imagemagick ];
       } ''
         convert \
-	  -resize x64 \
+          -resize x64 \
-	  -gravity center \
+          -gravity center \
-	  -crop 64x64+0+0 \
+          -crop 64x64+0+0 \
-	  ${../../../../assets/logo_blue_regular.png} \
+          ${../../../../assets/logo_blue_regular.png} \
-	  -flatten \
+          -flatten \
-	  -colors 256 \
+          -colors 256 \
-	  -background transparent \
+          -background transparent \
-	  $out
+          $out
       '';
     };
+
   };
 }

hosts/bekkalokk/services/mediawiki/simplesaml-authsources.php

@@ -5,7 +5,7 @@ $config = array(
     ),
     'default-sp' => array(
         'saml:SP',
-        'entityID' => 'https://wiki2.pvv.ntnu.no/simplesaml/',
+        'entityID' => 'https://wiki.pvv.ntnu.no/simplesaml/',
-        'idp' => 'https://idp2.pvv.ntnu.no/',
+        'idp' => 'https://idp.pvv.ntnu.no/',
     ),
 );

hosts/bekkalokk/services/nginx.nix

@@ -0,0 +1,4 @@
+{ pkgs, config, ... }:
+{
+  services.nginx.enable = true;
+}

hosts/bekkalokk/services/nginx/default.nix

@@ -1,22 +0,0 @@
-{ pkgs, config, ... }:
-{
-  imports = [
-    ./ingress.nix
-  ];
-
-  security.acme = {
-    acceptTerms = true;
-    defaults.email = "drift@pvv.ntnu.no";
-  };
-
-  services.nginx = {
-    enable = true;
-
-    recommendedTlsSettings = true;
-    recommendedProxySettings = true;
-    recommendedOptimisation = true;
-    recommendedGzipSettings = true;
-  };
-
-  networking.firewall.allowedTCPPorts = [ 80 443 ];
-}

hosts/bekkalokk/services/nginx/ingress.nix

@@ -1,55 +0,0 @@
-{ config, lib, ... }:
-{
-  services.nginx.virtualHosts = {
-    "www2.pvv.ntnu.no" = {
-      serverAliases = [ "www2.pvv.org" "pvv.ntnu.no" "pvv.org" ];
-      addSSL = true;
-      enableACME = true;
-
-      locations = {
-        # Proxy home directories
-        "/~" = {
-          extraConfig = ''
-            proxy_redirect off;
-            proxy_pass https://tom.pvv.ntnu.no;
-            proxy_set_header Host $host;
-            proxy_set_header X-Real-IP $remote_addr;
-            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-            proxy_set_header X-Forwarded-Proto $scheme;
-          '';
-        };
-
-        # Redirect old wiki entries
-        "/disk".return = "301 https://www.pvv.ntnu.no/pvv/Diskkjøp";
-        "/dok/boker.php".return = "301 https://www.pvv.ntnu.no/pvv/Bokhyllen";
-        "/styret/lover/".return = "301 https://www.pvv.ntnu.no/pvv/Lover";
-        "/styret/".return = "301 https://www.pvv.ntnu.no/pvv/Styret";
-        "/info/".return = "301 https://www.pvv.ntnu.no/pvv/";
-        "/info/maskinpark/".return = "301 https://www.pvv.ntnu.no/pvv/Maskiner";
-        "/medlemssider/meldinn.php".return = "301 https://www.pvv.ntnu.no/pvv/Medlemskontingent";
-        "/diverse/medlems-sider.php".return = "301 https://www.pvv.ntnu.no/pvv/Medlemssider";
-        "/cert/".return = "301 https://www.pvv.ntnu.no/pvv/CERT";
-        "/drift".return = "301 https://www.pvv.ntnu.no/pvv/Drift";
-        "/diverse/abuse.php".return = "301 https://www.pvv.ntnu.no/pvv/CERT/Abuse";
-        "/nerds/".return = "301 https://www.pvv.ntnu.no/pvv/Nerdepizza";
-
-        # TODO: Redirect webmail
-        "/webmail".return = "301 https://webmail.pvv.ntnu.no/squirrelmail";
-
-        # Redirect everything else to the main website
-        "/".return = "301 https://www.pvv.ntnu.no$request_uri";
-
-        # Proxy the matrix well-known files
-        # Host has be set before proxy_pass
-        # The header must be set so nginx on the other side routes it to the right place
-        "/.well-known/matrix/" = {
-          extraConfig = ''
-            proxy_set_header Host matrix.pvv.ntnu.no;
-            proxy_pass https://matrix.pvv.ntnu.no/.well-known/matrix/;
-          '';
-        };
-      };
-    };
-  };
-}
-

hosts/bekkalokk/services/vaultwarden.nix

@@ -0,0 +1,68 @@
+{ config, pkgs, lib, ... }:
+let
+  cfg = config.services.vaultwarden;
+  domain = "pw.pvv.ntnu.no";
+  address = "127.0.1.2";
+  port = 3011;
+  wsPort = 3012;
+in {
+  sops.secrets."vaultwarden/environ" = {
+    owner = "vaultwarden";
+    group = "vaultwarden";
+  };
+
+  services.vaultwarden = {
+    enable = true;
+    dbBackend = "postgresql";
+    environmentFile = config.sops.secrets."vaultwarden/environ".path;
+    config = {
+      domain = "https://${domain}";
+
+      rocketAddress = address;
+      rocketPort = port;
+
+      websocketEnabled = true;
+      websocketAddress = address;
+      websocketPort = wsPort;
+
+      signupsAllowed = true;
+      signupsVerify = true;
+      signupsDomainsWhitelist = "pvv.ntnu.no";
+
+      smtpFrom = "vaultwarden@pvv.ntnu.no";
+      smtpFromName = "VaultWarden PVV";
+
+      smtpHost = "smtp.pvv.ntnu.no";
+      smtpUsername = "vaultwarden";
+      smtpSecurity = "force_tls";
+      smtpAuthMechanism = "Login";
+
+      # Configured in environ:
+      # databaseUrl = "postgresql://vaultwarden@/vaultwarden";
+      # smtpPassword = hemli
+    };
+  };
+
+  services.nginx.virtualHosts."${domain}" = {
+    forceSSL = true;
+    enableACME = true;
+    kTLS = true;
+
+    extraConfig = ''
+      client_max_body_size 128M;
+    '';
+
+    locations."/" = {
+      proxyPass = "http://${address}:${toString port}";
+      proxyWebsockets = true;
+    };
+    locations."/notifications/hub" = {
+      proxyPass = "http://${address}:${toString wsPort}";
+      proxyWebsockets = true;
+    };
+    locations."/notifications/hub/negotiate" = {
+      proxyPass = "http://${address}:${toString port}";
+      proxyWebsockets = true;
+    };
+  };
+}

hosts/bekkalokk/services/webmail/default.nix

@@ -2,14 +2,20 @@
 {
   imports = [
     ./roundcube.nix
+    ./snappymail.nix
   ];
 
-  services.nginx.virtualHosts."webmail2.pvv.ntnu.no" = {
+  services.nginx.virtualHosts."webmail.pvv.ntnu.no" = {
     forceSSL = true;
     enableACME = true;
-    #locations."/" = lib.mkForce { };
+    kTLS = true;
-    locations."= /" = {
+    locations = {
-      return = "301 https://www.pvv.ntnu.no/mail/";
+      "= /".return = "302 https://webmail.pvv.ntnu.no/roundcube";
+
+      "/afterlogic_lite".return = "302 https://webmail.pvv.ntnu.no/roundcube";
+      "/squirrelmail".return = "302 https://webmail.pvv.ntnu.no/roundcube";
+      "/rainloop".return = "302 https://snappymail.pvv.ntnu.no/";
+      "/snappymail".return = "302 https://snappymail.pvv.ntnu.no/";
     };
   };
 }

hosts/bekkalokk/services/webmail/roundcube.nix

@@ -3,7 +3,7 @@
 with lib;
 let
   cfg = config.services.roundcube;
-  domain = "webmail2.pvv.ntnu.no";
+  domain = "webmail.pvv.ntnu.no";
 in 
 {
   services.roundcube = {
@@ -35,6 +35,7 @@ in
   services.nginx.virtualHosts."roundcubeplaceholder.example.com" = lib.mkForce { };
 
   services.nginx.virtualHosts.${domain} = {
+    kTLS = true;
     locations."/roundcube" = {
       tryFiles = "$uri $uri/ =404";
       index = "index.php";

hosts/bekkalokk/services/webmail/snappymail.nix

@@ -0,0 +1,18 @@
+{ config, lib, pkgs, ... }:
+let
+  cfg = config.services.snappymail;
+in {
+  imports = [ ../../../../modules/snappymail.nix ];
+
+  services.snappymail = {
+    enable = true;
+    hostname = "snappymail.pvv.ntnu.no";
+  };
+
+  services.nginx.virtualHosts.${cfg.hostname} = {
+    forceSSL = true;
+    enableACME = true;
+    kTLS = true;
+  };
+}
+

hosts/bekkalokk/services/website.nix

@@ -1,4 +0,0 @@
-{ ... }:
-{
-
-}

hosts/bekkalokk/services/website/default.nix

@@ -0,0 +1,131 @@
+{ pkgs, lib, config, ... }:
+let
+  format = pkgs.formats.php { };
+  cfg = config.services.pvv-nettsiden;
+in {
+  imports = [
+    ./fetch-gallery.nix
+  ];
+
+  sops.secrets = lib.genAttrs [
+    "nettsiden/door_secret"
+    "nettsiden/mysql_password"
+    "nettsiden/simplesamlphp/admin_password"
+    "nettsiden/simplesamlphp/cookie_salt"
+  ] (_: {
+    owner = config.services.phpfpm.pools.pvv-nettsiden.user;
+    group = config.services.phpfpm.pools.pvv-nettsiden.group;
+    restartUnits = [ "phpfpm-pvv-nettsiden.service" ];
+  });
+
+  services.idp.sp-remote-metadata = [
+    "https://www.pvv.ntnu.no/simplesaml/"
+    "https://pvv.ntnu.no/simplesaml/"
+    "https://www.pvv.org/simplesaml/" 
+    "https://pvv.org/simplesaml/" 
+  ];
+
+  services.pvv-nettsiden = {
+    enable = true;
+
+    package = pkgs.pvv-nettsiden.override {
+      extra_files = {
+        "${pkgs.pvv-nettsiden.passthru.simplesamlphpPath}/metadata/saml20-idp-remote.php" = pkgs.writeText "pvv-nettsiden-saml20-idp-remote.php" (import ../idp-simplesamlphp/metadata.php.nix);
+        "${pkgs.pvv-nettsiden.passthru.simplesamlphpPath}/config/authsources.php" = pkgs.writeText "pvv-nettsiden-authsources.php" ''
+          <?php
+          $config = array(
+              'admin' => array(
+                'core:AdminPassword'
+              ),
+              'default-sp' => array(
+                  'saml:SP',
+                  'entityID' => 'https://${cfg.domainName}/simplesaml/',
+                  'idp' => 'https://idp.pvv.ntnu.no/',
+              ),
+          );
+	'';
+      };
+    };
+
+    domainName = "www.pvv.ntnu.no";
+
+    settings = let
+      includeFromSops = path: format.lib.mkRaw "file_get_contents('${config.sops.secrets."nettsiden/${path}".path}')";
+    in {
+      DOOR_SECRET = includeFromSops "door_secret";
+
+      DB = {
+        DSN = "mysql:dbname=www-data_nettside;host=mysql.pvv.ntnu.no";
+        USER = "www-data_nettsi";
+        PASS = includeFromSops "mysql_password";
+      };
+
+      # TODO: set up postgres session for simplesamlphp
+      SAML = {
+        COOKIE_SALT = includeFromSops "simplesamlphp/cookie_salt";
+        COOKIE_SECURE = true;
+        ADMIN_NAME = "PVV Drift";
+        ADMIN_EMAIL = "drift@pvv.ntnu.no";
+        ADMIN_PASSWORD = includeFromSops "simplesamlphp/admin_password";
+        TRUSTED_DOMAINS = [ cfg.domainName ];
+      };
+    };
+  };
+
+  services.phpfpm.pools."pvv-nettsiden".settings = {
+    # "php_admin_value[error_log]" = "stderr";
+    "php_admin_flag[log_errors]" = true;
+    "catch_workers_output" = true;
+  };
+
+  services.nginx.virtualHosts.${cfg.domainName} = {
+    serverAliases = [
+      "pvv.ntnu.no"
+      "www.pvv.org"
+      "pvv.org"
+    ];
+
+    locations = {
+      # Proxy home directories
+      "^~ /~" = {
+        extraConfig = ''
+          proxy_redirect off;
+          proxy_pass https://tom.pvv.ntnu.no;
+          proxy_set_header Host $host;
+          proxy_set_header X-Real-IP $remote_addr;
+          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+          proxy_set_header X-Forwarded-Proto $scheme;
+        '';
+      };
+
+      # Redirect the old webmail/wiki paths from spikkjeposche
+      "^~ /webmail".return = "301 https://webmail.pvv.ntnu.no";
+      "~ /pvv/([^\\n\\r]*)".return = "301 https://wiki.pvv.ntnu.no/wiki/$1";
+      "= /pvv".return = "301 https://wiki.pvv.ntnu.no/";
+
+      # Redirect old wiki entries
+      "/disk".return = "301 https://wiki.pvv.ntnu.no/wiki/Diskkjøp";
+      "/dok/boker.php".return = "301 https://wiki.pvv.ntnu.no/wiki/Bokhyllen";
+      "/styret/lover/".return = "301 https://wiki.pvv.ntnu.no/wiki/Lover";
+      "/styret/".return = "301 https://wiki.pvv.ntnu.no/wiki/Styret";
+      "/info/".return = "301 https://wiki.pvv.ntnu.no/wiki/";
+      "/info/maskinpark/".return = "301 https://wiki.pvv.ntnu.no/wiki/Maskiner";
+      "/medlemssider/meldinn.php".return = "301 https://wiki.pvv.ntnu.no/wiki/Medlemskontingent";
+      "/diverse/medlems-sider.php".return = "301 https://wiki.pvv.ntnu.no/wiki/Medlemssider";
+      "/cert/".return = "301 https://wiki.pvv.ntnu.no/wiki/CERT";
+      "/drift".return = "301 https://wiki.pvv.ntnu.no/wiki/Drift";
+      "/diverse/abuse.php".return = "301 https://wiki.pvv.ntnu.no/wiki/CERT/Abuse";
+      "/nerds/".return = "301 https://wiki.pvv.ntnu.no/wiki/Nerdepizza";
+
+      # Proxy the matrix well-known files
+      # Host has be set before proxy_pass
+      # The header must be set so nginx on the other side routes it to the right place
+      "^~ /.well-known/matrix/" = {
+        extraConfig = ''
+          proxy_set_header Host matrix.pvv.ntnu.no;
+          proxy_pass https://matrix.pvv.ntnu.no/.well-known/matrix/;
+        '';
+      };
+    };
+  };
+}

hosts/bekkalokk/services/website/fetch-gallery.nix

@@ -0,0 +1,67 @@
+{ pkgs, lib, config, ... }:
+let
+  galleryDir = config.services.pvv-nettsiden.settings.GALLERY.DIR;
+  transferDir = "${config.services.pvv-nettsiden.settings.GALLERY.DIR}-transfer";
+in {
+  users.users.${config.services.pvv-nettsiden.user} = {
+    useDefaultShell = true;
+
+    # This is pushed from microbel:/var/www/www-gallery/build-gallery.sh
+    openssh.authorizedKeys.keys = [
+    ''command="${pkgs.rrsync}/bin/rrsync -wo ${transferDir}",restrict,no-agent-forwarding,no-port-forwarding,no-pty,no-X11-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIjHhC2dikhWs/gG+m7qP1eSohWzTehn4ToNzDSOImyR gallery-publish''
+    ];
+  };
+
+  systemd.paths.pvv-nettsiden-gallery-update = {
+    wantedBy = [ "multi-user.target" ];
+    pathConfig = {
+      PathChanged = "${transferDir}/gallery.tar.gz";
+      Unit = "pvv-nettsiden-gallery-update.service";
+      MakeDirectory = true;
+    };
+  };
+
+  systemd.services.pvv-nettsiden-gallery-update = {
+    path = with pkgs; [ imagemagick gnutar gzip ];
+
+    script = ''
+      tar ${lib.cli.toGNUCommandLineShell {} {
+        extract = true;
+        file = "${transferDir}/gallery.tar.gz";
+        directory = ".";
+      }}
+
+      # Delete files and directories that exists in the gallery that don't exist in the tarball
+      filesToRemove=$(uniq -u <(sort <(find . -not -path "./.thumbnails*") <(tar -tf ${transferDir}/gallery.tar.gz | sed 's|/$||')))
+      while IFS= read fname; do
+        rm -f "$fname" ||:
+        rm -f ".thumbnails/$fname.png" ||:
+      done <<< "$filesToRemove"
+
+      find . -type d -empty -delete
+
+      mkdir -p .thumbnails
+      images=$(find . -type f -not -path "./.thumbnails*")
+
+      while IFS= read fname; do
+        # Skip this file if an up-to-date thumbnail already exists
+        if [ -f ".thumbnails/$fname.png" ] && \
+           [ "$(date -R -r "$fname")" == "$(date -R -r ".thumbnails/$fname.png")" ]
+        then
+          continue
+        fi
+
+        echo "Creating thumbnail for $fname"
+        mkdir -p $(dirname ".thumbnails/$fname")
+        convert -define jpeg:size=200x200 "$fname" -thumbnail 300 -auto-orient ".thumbnails/$fname.png" ||:
+	touch -m -d "$(date -R -r "$fname")" ".thumbnails/$fname.png"
+      done <<< "$images"
+    '';
+
+    serviceConfig = {
+      WorkingDirectory = galleryDir;
+      User = config.services.pvv-nettsiden.user;
+      Group = config.services.pvv-nettsiden.group;
+    };
+  };
+}

hosts/bicep/services/matrix/element.nix

@@ -5,6 +5,7 @@ in {
   services.nginx.virtualHosts."chat.pvv.ntnu.no" = {
     enableACME = true;
     forceSSL = true;
+    kTLS = true;
 
     root = pkgs.element-web.override {
       conf = {

hosts/bicep/services/matrix/smtp-authenticator/smtp_auth_provider.py

@@ -7,6 +7,9 @@ from synapse import module_api
 
 import re
 
+import logging
+logger = logging.getLogger(__name__)
+
 class SMTPAuthProvider:
     def __init__(self, config: dict, api: module_api):
         self.api = api
@@ -43,8 +46,13 @@ class SMTPAuthProvider:
 
         if result == True:
             userid = self.api.get_qualified_user_id(username)
-            if not self.api.check_user_exists(userid):
+
-                self.api.register_user(username)
+            userid = await self.api.check_user_exists(userid)
+            if not userid:
+                logger.info(f"user did not exist, registering {username}")
+                userid = await self.api.register_user(username)
+                logger.info(f"registered userid: {userid}")
             return (userid, None)
         else:
+            logger.info("returning None")
             return None

hosts/bicep/services/matrix/synapse.nix

@@ -134,80 +134,6 @@ in {
         "129.241.0.0/16"
         "2001:700:300::/44"
       ];
-
-      saml2_config = {
-        sp_config.metadata.remote = [
-          { url = "https://idp.pvv.ntnu.no/simplesaml/saml2/idp/metadata.php"; }
-        ];
-
-        description = [ "Matrix Synapse SP" "en" ];
-        name = [ "Matrix Synapse SP" "en" ];
-
-        ui_info = {
-          display_name = [
-            {
-              lang = "en";
-              text = "PVV Matrix login";
-            }
-          ];
-          description = [
-            {
-              lang = "en";
-              text = "Matrix is a modern free and open federated chat protocol";
-            }
-          ];
-          #information_url = [
-          #  {
-          #    lang = "en";
-          #    text = "";
-          #  };
-          #];
-          #privacy_statement_url = [
-          #  {
-          #    lang = "en";
-          #    text = "";
-          #  };
-          #];
-          keywords = [
-            {
-              lang = "en";
-              text = [ "Matrix" "Element" ];
-            }
-          ];
-          #logo = [
-          #  {
-          #    lang = "en";
-          #    text = "";
-          #    width = "";
-          #    height = "";
-          #  }
-          #];
-        };
-
-        organization = {
-          name = "Programvareverkstedet";
-          display_name = [ "Programvareverkstedet" "en" ];
-          url = "https://www.pvv.ntnu.no";
-        };
-        contact_person = [
-          { given_name = "Drift";
-            sur_name = "King";
-            email_adress = [ "drift@pvv.ntnu.no" ];
-            contact_type = "technical";
-          }
-        ];
-
-        user_mapping_provider = {
-          config = {
-            mxid_source_attribute =  "uid"; # What is this supposed to be?
-            mxid_mapping = "hexencode";
-          };
-        };
-
-        #attribute_requirements = [
-        #  {attribute = "userGroup"; value = "medlem";} # Do we have this?
-        #];
-      };
     };
   };
 
@@ -217,6 +143,9 @@ in {
   services.redis.servers."".enable = true;
   
   services.nginx.virtualHosts."matrix.pvv.ntnu.no" = lib.mkMerge [
+  ({
+    kTLS = true;
+  })
   ({
     locations."/.well-known/matrix/server" = {
       return = ''
@@ -241,6 +170,8 @@ in {
         extraConfig = ''
           allow ${values.hosts.ildkule.ipv4};
           allow ${values.hosts.ildkule.ipv6};
+          allow ${values.hosts.ildkule.ipv4_global};
+          allow ${values.hosts.ildkule.ipv6_global};
           deny all;
         '';
       }))
@@ -252,6 +183,8 @@ in {
       extraConfig = ''
         allow ${values.hosts.ildkule.ipv4};
         allow ${values.hosts.ildkule.ipv6};
+        allow ${values.hosts.ildkule.ipv4_global};
+        allow ${values.hosts.ildkule.ipv6_global};
         deny all;
       '';
     };

hosts/bicep/services/nginx/default.nix

@@ -1,15 +1,8 @@
 { config, values, ... }:
 {
-  security.acme = {
-    acceptTerms = true;
-    defaults.email = "danio@pvv.ntnu.no";
-  };
-
   services.nginx = {
     enable = true;
-
     enableReload = true;
-
     defaultListenAddresses = [
       values.hosts.bicep.ipv4
       "[${values.hosts.bicep.ipv6}]"
@@ -18,28 +11,5 @@
       "127.0.0.2"
       "[::1]"
     ];
-
-    appendConfig = ''
-      pcre_jit on;
-      worker_processes 8;
-      worker_rlimit_nofile 8192;
-    '';
-
-    eventsConfig = ''
-      multi_accept on;
-      worker_connections 4096;
-    '';
-
-    recommendedProxySettings = true;
-    recommendedTlsSettings = true;
-    recommendedGzipSettings = true;
-    recommendedBrotliSettings = true;
-    recommendedOptimisation = true;
-  };
-
-  networking.firewall.allowedTCPPorts = [ 80 443 ];
-
-  systemd.services.nginx.serviceConfig = {
-    LimitNOFILE = 65536;
   };
 }

hosts/buskerud/configuration.nix

@@ -4,6 +4,8 @@
     ./hardware-configuration.nix
     ../../base.nix
     ../../misc/metrics-exporters.nix
+
+    ./services/libvirt.nix
   ];
 
   # buskerud does not support efi?

hosts/buskerud/services/libvirt.nix

@@ -0,0 +1,10 @@
+{ config, pkgs, lib, ... }:
+{
+  virtualisation.libvirtd.enable = true;
+  programs.dconf.enable = true;
+  boot.kernelModules = [ "kvm-intel" ];
+
+  # On a gui-enabled machine, connect with:
+  # $ virt-manager --connect "qemu+ssh://buskerud/system?socket=/var/run/libvirt/libvirt-sock"
+}
+

hosts/ildkule/configuration.nix

@@ -6,8 +6,8 @@
       ../../base.nix
       ../../misc/metrics-exporters.nix
 
+      ./services/monitoring
       ./services/nginx
-      ./services/metrics
     ];
 
   sops.defaultSopsFile = ../../secrets/ildkule/ildkule.yaml;
@@ -15,28 +15,37 @@
   sops.age.keyFile = "/var/lib/sops-nix/key.txt";
   sops.age.generateKey = true;
 
-  boot.loader.systemd-boot.enable = true;
+  boot.loader.grub.device = "/dev/vda";
-  boot.loader.efi.canTouchEfiVariables = true;
+  boot.tmp.cleanOnBoot = true;
+  zramSwap.enable = true;
 
   networking.hostName = "ildkule"; # Define your hostname.
 
-  systemd.network.networks."30-ens18" = values.defaultNetworkConfig // {
+  # Main connection, using the global/floatig IP, for communications with the world
-    matchConfig.Name = "ens18";
+  systemd.network.networks."30-ntnu-global" = values.openstackGlobalNetworkConfig // {
-    address = with values.hosts.ildkule; [ (ipv4 + "/25") (ipv6 + "/64") ];
+    matchConfig.Name = "ens4";
+
+    # Add the global addresses in addition to the local address learned from DHCP
+    addresses = [
+      { addressConfig.Address = "${values.hosts.ildkule.ipv4_global}/32"; }
+      { addressConfig.Address = "${values.hosts.ildkule.ipv6_global}/128"; }
+    ];
+  };
+
+  # Secondary connection only for use within the university network
+  systemd.network.networks."40-ntnu-internal" = values.openstackLocalNetworkConfig // {
+    matchConfig.Name = "ens3";
+    # Add the ntnu-internal addresses in addition to the local address learned from DHCP
+    addresses = [
+      { addressConfig.Address = "${values.hosts.ildkule.ipv4}/32"; }
+      { addressConfig.Address = "${values.hosts.ildkule.ipv6}/128"; }
+    ];
   };
 
   # List packages installed in system profile
   environment.systemPackages = with pkgs; [
   ];
 
-  # List services that you want to enable:
+  system.stateVersion = "23.11"; # Did you read the comment?
-
-  # This value determines the NixOS release from which the default
-  # settings for stateful data, like file locations and database versions
-  # on your system were taken. It‘s perfectly fine and recommended to leave
-  # this value at the release version of the first install of this system.
-  # Before changing this value read the documentation for this option
-  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
-  system.stateVersion = "21.11"; # Did you read the comment?
 
 }

hosts/ildkule/hardware-configuration.nix

@@ -1,37 +1,9 @@
-# Do not modify this file!  It was generated by ‘nixos-generate-config’
+{ modulesPath, lib, ... }:
-# and may be overwritten by future invocations.  Please make changes
-# to /etc/nixos/configuration.nix instead.
-{ config, lib, pkgs, modulesPath, ... }:
-
 {
-  imports =
+  imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
-    [ (modulesPath + "/profiles/qemu-guest.nix")
+  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi" ];
-    ];
+  boot.initrd.kernelModules = [ "nvme" ];
+  fileSystems."/" = { device = "/dev/vda1"; fsType = "ext4"; };
 
-  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "sr_mod" "virtio_blk" ];
-  boot.initrd.kernelModules = [ ];
-  boot.kernelModules = [ ];
-  boot.extraModulePackages = [ ];
-
-  fileSystems."/" =
-    { device = "/dev/disk/by-uuid/afe70fe4-681a-4675-8cbd-e5d08cdcf5b5";
-      fsType = "ext4";
-    };
-
-  fileSystems."/boot" =
-    { device = "/dev/disk/by-uuid/B71A-E5CD";
-      fsType = "vfat";
-    };
-
-  swapDevices = [ ];
-
-  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
-  # (the default) this is the recommended approach. When using systemd-networkd it's
-  # still possible to use this option, but it's recommended to use it in conjunction
-  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
   networking.useDHCP = lib.mkDefault true;
-  # networking.interfaces.ens18.useDHCP = lib.mkDefault true;
-
-  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
-  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 }

hosts/ildkule/services/monitoring/default.nix

@@ -2,8 +2,9 @@
 
 {
   imports = [
-    ./prometheus
     ./grafana.nix
     ./loki.nix
+    ./prometheus
+    ./uptime-kuma.nix
   ];
 }

hosts/ildkule/services/monitoring/grafana.nix

@@ -7,7 +7,6 @@ in {
   in {
     "keys/grafana/secret_key" = { inherit owner group; };
     "keys/grafana/admin_password" = { inherit owner group; };
-    "keys/postgres/grafana" = { inherit owner group; };
   };
 
   services.grafana = {
@@ -18,7 +17,7 @@ in {
       secretFile = path: "$__file{${path}}";
     in {
       server = {
-        domain = "ildkule.pvv.ntnu.no";
+        domain = "grafana.pvv.ntnu.no";
         http_port = 2342;
         http_addr = "127.0.0.1";
       };
@@ -27,13 +26,6 @@ in {
         secret_key = secretFile config.sops.secrets."keys/grafana/secret_key".path;
         admin_password = secretFile config.sops.secrets."keys/grafana/admin_password".path;
       };
-
-      database = {
-        type = "postgres";
-        user = "grafana";
-        host = "${values.hosts.bicep.ipv4}:5432";
-        password = secretFile config.sops.secrets."keys/postgres/grafana".path;
-      };
     };
 
     provision = {
@@ -91,6 +83,7 @@ in {
   services.nginx.virtualHosts.${cfg.settings.server.domain} = {
     enableACME = true;
     forceSSL = true;
+    kTLS = true;
     locations = {
       "/" = {
         proxyPass = "http://127.0.0.1:${toString cfg.settings.server.http_port}";

hosts/ildkule/services/monitoring/loki.nix

@@ -50,7 +50,6 @@ in {
         boltdb_shipper = {
           active_index_directory = "/var/lib/loki/boltdb-shipper-index";
           cache_location = "/var/lib/loki/boltdb-shipper-cache";
-          shared_store = "filesystem";
           cache_ttl = "24h";
         };
         filesystem = {
@@ -59,14 +58,13 @@ in {
       };
 
       limits_config = {
-        enforce_metric_name = false;
+	allow_structured_metadata = false;
         reject_old_samples = true;
         reject_old_samples_max_age = "72h";
       };
 
       compactor = {
         working_directory = "/var/lib/loki/compactor";
-        shared_store = "filesystem";
       };
 
       # ruler = {

hosts/ildkule/services/monitoring/uptime-kuma.nix

@@ -0,0 +1,20 @@
+{ config, pkgs, lib, ... }:
+let
+  cfg = config.services.uptime-kuma;
+  domain = "status.pvv.ntnu.no";
+in {
+  services.uptime-kuma = {
+    enable = true;
+    settings = {
+      PORT = "5059";
+      HOST = "127.0.1.2";
+    };
+  };
+
+  services.nginx.virtualHosts.${domain} = {
+    enableACME = true;
+    forceSSL = true;
+    kTLS = true;
+    locations."/".proxyPass = "http://${cfg.settings.HOST}:${cfg.settings.PORT}";
+  };
+}

hosts/ildkule/services/nginx/default.nix

@@ -1,29 +1,7 @@
 { config, values, ... }:
 {
-  security.acme = {
-    acceptTerms = true;
-    defaults.email = "drift@pvv.ntnu.no";
-  };
-
   services.nginx = {
     enable = true;
-
     enableReload = true;
-
-    defaultListenAddresses = [
-      values.hosts.ildkule.ipv4
-      "[${values.hosts.ildkule.ipv6}]"
-
-      "127.0.0.1"
-      "127.0.0.2"
-      "[::1]"
-    ];
-
-    recommendedProxySettings = true;
-    recommendedTlsSettings = true;
-    recommendedGzipSettings = true;
-    recommendedOptimisation = true;
   };
-
-  networking.firewall.allowedTCPPorts = [ 80 443 ];
 }

misc/metrics-exporters.nix

@@ -14,6 +14,8 @@
       "::1"
       values.hosts.ildkule.ipv4
       values.hosts.ildkule.ipv6
+      values.hosts.ildkule.ipv4_global
+      values.hosts.ildkule.ipv6_global
     ];
   };
 

modules/debug-locations.nix

@@ -1,13 +0,0 @@
-{ config, lib, ... }:
-let
-  cfg = config.environment.debug-locations;
-in
-{
-  options.environment.debug-locations = lib.mkOption {
-    description = "Paths and derivations to symlink in `/etc/debug`";
-    type = with lib.types; attrsOf path;
-    default = { };
-  };
-
-  config.environment.etc = lib.mapAttrs' (k: v: lib.nameValuePair "debug/${k}" { source = v; }) cfg;
-}

modules/grzegorz.nix

@@ -24,15 +24,12 @@ in {
   services.grzegorz-webui.hostName = "${config.networking.fqdn}";
   services.grzegorz-webui.apiBase = "http://${toString grg.listenAddr}:${toString grg.listenPort}/api";
 
-  security.acme.acceptTerms = true;
-  security.acme.defaults.email = "pederbs@pvv.ntnu.no";
-
   services.nginx.enable = true;
-  networking.firewall.allowedTCPPorts = [ 80 443 ];
 
   services.nginx.virtualHosts."${config.networking.fqdn}" = {
     forceSSL = true;
     enableACME = true;
+    kTLS = true;
     serverAliases = [
       "${config.networking.hostName}.pvv.org"
     ];

modules/snappymail.nix

@@ -0,0 +1,103 @@
+{ config, pkgs, lib, ... }:
+
+let
+  inherit (lib) mkDefault mkEnableOption mkForce mkIf mkOption mkPackageOption generators types;
+
+  cfg = config.services.snappymail;
+  maxUploadSize = "256M";
+in {
+  options.services.snappymail = {
+    enable = mkEnableOption "Snappymail";
+
+    package = mkPackageOption pkgs "snappymail" { };
+
+    dataDir = mkOption {
+      type = types.str;
+      default = "/var/lib/snappymail";
+      description = "State directory for snappymail";
+    };
+
+    hostname = mkOption {
+      type = types.nullOr types.str;
+      default = null;
+      example = "mail.example.com";
+      description = "Enable nginx with this hostname, null disables nginx";
+    };
+
+    user = mkOption {
+      type = types.str;
+      default = "snappymail";
+      description = "System user under which snappymail runs";
+    };
+
+    group = mkOption {
+      type = types.str;
+      default = "snappymail";
+      description = "System group under which snappymail runs";
+    };
+  };
+
+  config = mkIf cfg.enable {
+    users.users = mkIf (cfg.user == "snappymail") {
+      snappymail = {
+        description = "Snappymail service";
+        group = cfg.group;
+        home = cfg.dataDir;
+        isSystemUser = true;
+      };
+    };
+
+    users.groups = mkIf (cfg.group == "snappymail") {
+      snappymail = {};
+    };
+
+    services.phpfpm.pools.snappymail = {
+      user = cfg.user;
+      group = cfg.group;
+      phpOptions = generators.toKeyValue {} {
+        upload_max_filesize = maxUploadSize;
+        post_max_size = maxUploadSize;
+        memory_limit = maxUploadSize;
+      };
+
+      settings = {
+        "listen.owner" = config.services.nginx.user;
+        "listen.group" = config.services.nginx.group;
+        "pm" = "ondemand";
+        "pm.max_children" = 32;
+        "pm.process_idle_timeout" = "10s";
+        "pm.max_requests" = 500;
+      };
+    };
+
+    services.nginx = mkIf (cfg.hostname != null) {
+      virtualHosts."${cfg.hostname}" = {
+        locations."/".extraConfig = ''
+          index index.php;
+          autoindex on;
+          autoindex_exact_size off;
+          autoindex_localtime on;
+        '';
+        locations."^~ /data".extraConfig = ''
+          deny all;
+        '';
+        locations."~ \\.php$".extraConfig = ''
+          include ${config.services.nginx.package}/conf/fastcgi_params;
+
+          fastcgi_param   SCRIPT_FILENAME $document_root$fastcgi_script_name;
+          fastcgi_pass unix:${config.services.phpfpm.pools.snappymail.socket};
+        '';
+        extraConfig = ''
+          client_max_body_size ${maxUploadSize};
+        '';
+
+        root = if (cfg.package == pkgs.snappymail) then
+          pkgs.snappymail.override {
+            dataPath = cfg.dataDir;
+          }
+        else cfg.package;
+      };
+    };
+  };
+}
+

packages/mediawiki-extensions/default.nix

@@ -1,7 +1,95 @@
 { pkgs, lib }:
-lib.makeScope pkgs.newScope (self: {
+let
-  DeleteBatch = self.callPackage ./delete-batch { };
+  kebab-case-name = project-name: lib.pipe project-name [
-  PluggableAuth = self.callPackage ./pluggable-auth { };
+    (builtins.replaceStrings
-  SimpleSAMLphp = self.callPackage ./simple-saml-php { };
+      lib.upperChars
-  UserMerge = self.callPackage ./user-merge { };
+      (map (x: "-${x}") lib.lowerChars)
-})
+    )
+    (lib.removePrefix "-")
+  ];
+
+  mw-ext = {
+    name
+  , commit
+  , hash
+  , tracking-branch ? "REL1_41"
+  , kebab-name ? kebab-case-name name
+  , fetchgit ? pkgs.fetchgit
+  }:
+  {
+    ${name} = (fetchgit {
+      name = "mediawiki-${kebab-name}-source";
+      url = "https://gerrit.wikimedia.org/r/mediawiki/extensions/${name}";
+      rev = commit;
+      inherit hash;
+    }).overrideAttrs (_: {
+      passthru = { inherit name kebab-name tracking-branch; };
+    });
+  };
+in
+# NOTE: to add another extension, you can add an mw-ext expression
+#       with an empty (or even wrong) commit and empty hash, and
+#       run the update script
+lib.mergeAttrsList [
+  (mw-ext {
+    name = "CodeEditor";
+    commit = "7d8447035e381d76387e38b92e4d1e2b8d373a01";
+    hash = "sha256-v2AlbP0vZma3qZyEAWGjZ/rLcvOpIMroyc1EixKjlAU=";
+  })
+  (mw-ext {
+    name = "CodeMirror";
+    commit = "a7b4541089f9b88a0b722d9d790e4cf0f13aa328";
+    hash = "sha256-clyzN3v3+J4GjdyhrCsytBrH7VR1tq5yd0rB+32eWCg=";
+  })
+  (mw-ext {
+    name = "DeleteBatch";
+    commit = "cad869fbd95637902673f744581b29e0f3e3f61a";
+    hash = "sha256-M1ek1WdO1/uTjeYlrk3Tz+nlb/fFZH+O0Ok7b10iKak=";
+  })
+  (mw-ext {
+    name = "PluggableAuth";
+    commit = "4111a57c34e25bde579cce5d14ea094021e450c8";
+    hash = "sha256-aPtN8A9gDxLlq2+EloRZBO0DfHtE0E5kbV/adk82jvM=";
+  })
+  (mw-ext {
+    name = "Popups";
+    commit = "f1bcadbd8b868f32ed189feff232c47966c2c49e";
+    hash = "sha256-PQAjq/X4ZYwnnZ6ADCp3uGWMIucJy0ZXxsTTbAyxlSE=";
+  })
+  (mw-ext {
+    name = "Scribunto";
+    commit = "7b99c95f588b06635ee3c487080d6cb04617d4b5";
+    hash = "sha256-pviueRHQAsSlv4AtnUpo2Cjci7CbJ5aM75taEXY+WrI=";
+  })
+  (mw-ext {
+    name = "SimpleSAMLphp";
+    kebab-name = "simple-saml-php";
+    commit = "ecb47191fecd1e0dc4c9d8b90a9118e393d82c23";
+    hash = "sha256-gKu+O49XrAVt6hXdt36Ru7snjsKX6g2CYJ0kk/d+CI8=";
+  })
+  (mw-ext {
+    name = "TemplateData";
+    commit = "1ec66ce80f8a4322138efa56864502d0ee069bad";
+    hash = "sha256-Lv3Lq9dYAtdgWcwelveTuOhkP38MTu0m5kmW8+ltRis=";
+  })
+  (mw-ext {
+    name = "TemplateStyles";
+    commit = "581180e898d6a942e2a65c8f13435a5d50fffa67";
+    hash = "sha256-zW8O0mzG4jYfQoKi2KzsP+8iwRCLnWgH7qfmDE2R+HU=";
+  })
+  (mw-ext {
+    name = "UserMerge";
+    commit = "c17c919bdb9b67bb69f80df43e9ee9d33b1ecf1b";
+    hash = "sha256-+mkzTCo8RVlGoFyfCrSb5YMh4J6Pbi1PZLFu5ps8bWY=";
+  })
+  (mw-ext {
+    name = "VisualEditor";
+    commit = "90bb3d455892e25317029ffd4bda93159e8faac8";
+    hash = "sha256-SZAVELQUKZtwSM6NVlxvIHdFPodko8fhZ/uwB0LCFDA=";
+  })
+  (mw-ext {
+    name = "WikiEditor";
+    commit = "8dba5b13246d7ae09193f87e6273432b3264de5f";
+    hash = "sha256-vF9PBuM+VfOIs/a2X1JcPn6WH4GqP/vUJDFkfXzWyFU=";
+  })
+]

packages/mediawiki-extensions/delete-batch/default.nix

@@ -1,7 +0,0 @@
-{ fetchzip }:
-
-fetchzip {
-  name = "mediawiki-delete-batch";
-  url = "https://extdist.wmflabs.org/dist/extensions/DeleteBatch-REL1_41-5774fdd.tar.gz";
-  hash = "sha256-ROkn93lf0mNXBvij9X2pMhd8LXZ0azOz7ZRaqZvhh8k=";
-}

packages/mediawiki-extensions/pluggable-auth/default.nix

@@ -1,7 +0,0 @@
-{ fetchzip }:
-
-fetchzip {
-  name = "mediawiki-pluggable-auth-source";
-  url = "https://extdist.wmflabs.org/dist/extensions/PluggableAuth-REL1_41-d5b3ad8.tar.gz";
-  hash = "sha256-OLlkKeSlfNgWXWwDdINrYRZpYuSGRwzZHgU8EYW6rYU=";
-}

packages/mediawiki-extensions/simple-saml-php/default.nix

@@ -1,7 +0,0 @@
-{ fetchzip }:
-
-fetchzip {
-  name = "mediawiki-simple-saml-php-source";
-  url = "https://extdist.wmflabs.org/dist/extensions/SimpleSAMLphp-REL1_41-9ae0678.tar.gz";
-  hash = "sha256-AmCaG5QXMJvi3N6zFyWylwYDt8GvyIk/0GFpM1Y0vkY=";
-}

packages/mediawiki-extensions/update-mediawiki-extensions.py

@@ -1,5 +1,5 @@
 #!/usr/bin/env nix-shell
-#!nix-shell -i python3 -p "python3.withPackages(ps: with ps; [ beautifulsoup4 requests ])"
+#!nix-shell -i python3 -p "python3.withPackages(ps: with ps; [ beautifulsoup4 requests ])" nix-prefetch-git
 
 import os
 from pathlib import Path
@@ -7,60 +7,149 @@ import re
 import subprocess
 from collections import defaultdict
 from pprint import pprint
+from dataclasses import dataclass
+from functools import cache
+import json
 
 import bs4
 import requests
 
-BASE_URL = "https://extdist.wmflabs.org/dist/extensions"
 
-def fetch_plugin_list(skip_master=True) -> dict[str, list[str]]:
+BASE_WEB_URL = "https://gerrit.wikimedia.org/r/plugins/gitiles/mediawiki/extensions"
-    content = requests.get(BASE_URL).text
+BASE_GIT_URL = "https://gerrit.wikimedia.org/r/mediawiki/extensions/"
-    soup = bs4.BeautifulSoup(content, features="html.parser")
+
-    result = defaultdict(list)
+
-    for a in soup.find_all('a'):
+@dataclass
-        if skip_master and 'master' in a.text:
+class PluginMetadata:
-            continue
+    project_name: str
-        split = a.text.split('-')
+    tracking_branch: str | None
-        result[split[0]].append(a.text)
+    commit: str
+    hash_: str
+
+
+@cache
+def get_package_listing_path():
+    return Path(__file__).parent / "default.nix"
+
+
+@cache
+def get_global_tracking_branch() -> str:
+    with open(get_package_listing_path()) as file:
+        file_content = file.read()
+    return re.search(r'\btracking-branch\b \? "([^"]+?)"', file_content).group(1)
+
+
+def get_metadata(package_expression: str) -> PluginMetadata | None:
+    project_name_search = re.search(r'\bname\b = "([^"]+?)";', package_expression)
+    tracking_branch_search = re.search(r'\btracking-branch\b = "([^"]+?)";', package_expression)
+    commit_search = re.search(r'\bcommit\b = "([^"]*?)";', package_expression)
+    hash_search = re.search(r'\bhash\b = "([^"]*?)";', package_expression)
+
+    if project_name_search is None:
+        print("Could not find project name in package:")
+        print(package_expression)
+        return None
+
+    tracking_branch = None;
+    if tracking_branch_search is not None:
+        tracking_branch = tracking_branch_search.group(1)
+
+    if commit_search is None:
+        print("Could not find commit in package:")
+        print(package_expression)
+        return None
+
+    if hash_search is None:
+        print("Could not find hash in package:")
+        print(package_expression)
+        return None
+
+    return PluginMetadata(
+        commit = commit_search.group(1),
+        tracking_branch = tracking_branch,
+        project_name = project_name_search.group(1),
+        hash_ = hash_search.group(1),
+    )
+
+
+def update_metadata(package_expression: str, metadata: PluginMetadata) -> str:
+    result = package_expression
+    result = re.sub(r'\bcommit\b = "[^"]*";', f'commit = "{metadata.commit}";', result)
+    result = re.sub(r'\bhash\b = "[^"]*";', f'hash = "{metadata.hash_}";', result)
     return result
 
-def update(package_file: Path, plugin_list: dict[str, list[str]]) -> None:
-    assert package_file.is_file()
-    with open(package_file) as file:
-        content = file.read()
 
-    tarball = re.search(f'url = "{BASE_URL}/(.+\.tar\.gz)";', content).group(1)
+def get_newest_commit(project_name: str, tracking_branch: str) -> str:
-    split = tarball.split('-')
+    content = requests.get(f"{BASE_WEB_URL}/{project_name}/+log/refs/heads/{tracking_branch}/").text
-    updated_tarball = plugin_list[split[0]][-1]
+    soup = bs4.BeautifulSoup(content, features="html.parser")
+    try:
+        a = soup.find('li').findChild('a')
+        commit_sha = a['href'].split('/')[-1]
+    except AttributeError:
+        print(f"ERROR: Could not parse page for {project_name}:")
+        print(soup.prettify())
+        exit(1)
+    return commit_sha
 
-    _hash = re.search(f'hash = "(.+?)";', content).group(1)
 
+def get_nix_hash(url: str, commit: str) -> str:
     out, err = subprocess.Popen(
-        ["nix-prefetch-url", "--unpack", "--type", "sha256", f"{BASE_URL}/{updated_tarball}"],
+        ["nix-prefetch-git", "--url", url, "--rev", commit, "--fetch-submodules", "--quiet"],
-        stdout=subprocess.PIPE,
-        stderr=subprocess.PIPE
-    ).communicate()
-    out, err = subprocess.Popen(
-        ["nix", "hash", "to-sri", "--type", "sha256", out.decode().strip()],
         stdout=subprocess.PIPE,
         stderr=subprocess.PIPE
     ).communicate()
 
-    updated_hash = out.decode().strip()
+    return json.loads(out.decode().strip())['hash']
 
-    if tarball == updated_tarball and _hash == updated_hash:
+
+def update_expression(package_expression: str) -> str:
+    old_metadata = get_metadata(package_expression)
+    if old_metadata is None:
+        print("ERROR: could not find metadata for expression:")
+        print(package_expression)
         return
 
-    print(f"Updating: {tarball} ({_hash[7:14]}) -> {updated_tarball} ({updated_hash[7:14]})")
+    if old_metadata.commit == "":
+        old_metadata.commit = "<none>"
+    if old_metadata.hash_ == "":
+        old_metadata.hash_ = "<none>"
+
+    tracking_branch = old_metadata.tracking_branch
+    if tracking_branch is None:
+        tracking_branch = get_global_tracking_branch()
+
+    new_commit = get_newest_commit(old_metadata.project_name, tracking_branch)
+    new_hash = get_nix_hash(f"{BASE_GIT_URL}/{old_metadata.project_name}", new_commit)
+    if new_hash is None or new_hash == "":
+        print(f"ERROR: could not fetch hash for {old_metadata.project_name}")
+        exit(1)
+
+    print(f"Updating {old_metadata.project_name}[{tracking_branch}]: {old_metadata.commit} -> {new_commit}")
+
+    new_metadata = PluginMetadata(
+        project_name = old_metadata.project_name,
+        tracking_branch = old_metadata.tracking_branch,
+        commit = new_commit,
+        hash_ = new_hash,
+    )
+
+    return update_metadata(package_expression, new_metadata)
+
+
+def update_all_expressions_in_default_nix() -> None:
+    with open(get_package_listing_path()) as file:
+        file_content = file.read()
+
+    new_file_content = re.sub(
+        r"\(mw-ext\s*\{(?:.|\n)+?\}\)",
+        lambda m: update_expression(m.group(0)),
+        file_content,
+        flags = re.MULTILINE,
+    )
+
+    with open(get_package_listing_path(), 'w') as file:
+        file.write(new_file_content)
 
-    updated_text = re.sub(f'url = "{BASE_URL}/.+?\.tar\.gz";', f'url = "{BASE_URL}/{updated_tarball}";', content)
-    updated_text = re.sub('hash = ".+";', f'hash = "{updated_hash}";', updated_text)
-    with open(package_file, 'w') as file:
-        file.write(updated_text)
 
 if __name__ == "__main__":
-    plugin_list = fetch_plugin_list()
+    update_all_expressions_in_default_nix()
-
-    for direntry in os.scandir(Path(__file__).parent):
-        if direntry.is_dir():
-            update(Path(direntry) / "default.nix", plugin_list)

packages/mediawiki-extensions/user-merge/default.nix

@@ -1,7 +0,0 @@
-{ fetchzip }:
-
-fetchzip {
-  name = "mediawiki-user-merge-source";
-  url = "https://extdist.wmflabs.org/dist/extensions/UserMerge-REL1_41-a53af3b.tar.gz";
-  hash = "sha256-TxUkEqMW79thYl1la2r+w9laRnd3uSYYg1xDB+1he1g=";
-}

secrets/bekkalokk/bekkalokk.yaml

@@ -1,6 +1,7 @@
 gitea:
     password: ENC[AES256_GCM,data:hlNzdU1ope0t50/3aztyLeXjMHd2vFPpwURX+Iu8f49DOqgSnEMtV+KtLA==,iv:qljRnSnchL5cFmaUAfCH9GQYQxcy5cyWejgk1x6bFgI=,tag:tIhboFU5kZsj5oAQR3hLbw==,type:str]
     database: ENC[AES256_GCM,data:UlS33IdCEyeSvT6ngpmnkBWHuSEqsB//DT+3b7C+UwbD8UXWJlsLf1X8/w==,iv:mPRW5ldyZaHP+y/0vC2JGSLZmlkhgmkvXPk4LazkSDs=,tag:gGk6Z/nbPvzE1zG+tJC8Sw==,type:str]
+    email-password: ENC[AES256_GCM,data:KRwC+aL1aPvJuXt91Oq1ttATMnFTnuUy,iv:ats8TygB/2pORkaTZzPOLufZ9UmvVAKoRcWNvYF1z6w=,tag:Do0fA+4cZ3+l7JJyu8hjBg==,type:str]
     passwd-ssh-key: ENC[AES256_GCM,data:L0lF0wvpayss1NU9m3A45cH0bCMQzODTFVrq6EPd1JHx54wIcoaRBYLmxXKXASzBlCg9zlwXMUIk3OQcS3kdzMKL0iqcSL2iicAcKjFIHyrWLqXgwV5pRSP/tRPcVw8KW8gz0bh33EgESs5ReddZ3VZ0Cy1s2YupMRQvBXr89k1+Hv70OWB6P06hvxhv/zKcMGI1N/dWLroMgrQuT9imw4+/Q1RqwzTYeEU+eUn24AM9GjcBg4qf3OI+6g0nXUat/upIYE28iF5J3lbUSmDSmirBLc8xgHLdOyyJPTObWYWYxlSL78T7IqiMm9lI3rtBlpJDDcn/YxZpVqN5bg2154GISNK+uR0TVSLdJ+drdGHIfIX3G78XSxf2L9rbJyRn8MQlgStfdBIQicLavQKVMrmj+XQfvEMez23WbPLjH4oViBQFI+GrOHOGy/f16cz8Sn4n+69OcsOeTxs3tKYdfq6r1XLYSJ/fe/zvxBpaZiyGXljsuyEdIyBL2A8D6uSXe3Nd3/DAdBtceFfIdN1olCdutixzVWgxaJnrel161z5A/4w=,iv:Uy46yY3jFYSvpxrgCHxRMUksnWfhf5DViLMvCXVMMl4=,tag:wFEJ5+icFrOKkc56gY0A5g==,type:str]
     ssh-known-hosts: ENC[AES256_GCM,data:zlRLoelQeumMxGqPmgMTB69X1RVWXIs2jWwc67lk0wrdNOHUs5UzV5TUA1JnQ43RslBU92+js7DkyvE5enGzw7zZE5F1ZYdGv/eCgvkTMC9BoLfzHzP6OzayPLYEt3xJ5PRocN8JUAD55cuu4LgsuebuydHPi2oWOfpbSUBKSeCh6dvk5Pp1XRDprPS5SzGLW8Xjq98QlzmfGv50meI9CDJZVF9Wq/72gkyfgtb3YVdr,iv:AF06TBitHegfWk6w07CdkHklh4ripQCmA45vswDQgss=,tag:zKh7WVXMJN2o9ZIwIkby3Q==,type:str]
     import-user-env: ENC[AES256_GCM,data:vfaqjGEnUM9VtOPvBurz7nFwzGZt3L2EqijrQej4wiOcGCrRA4tN6kBV6NmhHqlFPsw=,iv:viPGkyOOacCWcgTu25da4qH7DC4wz2qdeC1W2WcMUdI=,tag:BllNqGQoaxqUo3lTz9LGnw==,type:str]
@@ -15,13 +16,20 @@ mediawiki:
         postgres_password: ENC[AES256_GCM,data:FzykBVtJbA+Bey1GE5VqnSuv2GeobH1j,iv:wayQH3+y0FYFkr3JjmulI53SADk0Ikur/2mUS5kFrTk=,tag:d+nQ/se2bDA5aaQfBicnPQ==,type:str]
         cookie_salt: ENC[AES256_GCM,data:BioRPAvL4F9ORBJDFdqHot81RhVpAOf32v1ah3pvOLq8E88bxGyKFQZxAwpIL3UkWQIsWMnEerm5MEMYL1C2OQ==,iv:yMVqiPTQ8hO1IVAax6PIkD0V9YTOEunwDTtnGcmy6Kc=,tag:Z4+bZF4olLlkx7YpXeQiUw==,type:str]
         admin_password: ENC[AES256_GCM,data:4eUXvcO7NLOWke9XShfKzj+x3FvqPONa,iv:3iZ+BTBTZ7yMJ0HT14cEMebKZattWUcYEevRsl/6WOk=,tag:CU0iDhPP2ndztdX5U5A4cw==,type:str]
-keycloak:
-    database: ENC[AES256_GCM,data:76+AZnNR5EiturTP7BdOCKE90bFFkfGlRtviSP5NHxPbb3RfFPJEMlwtzA==,iv:nS7VTossHdlrHjPeethhX+Ysp9ukrb5JD7kjG28OFpY=,tag:OMpiEv9nQA7v6lWJfNxEEw==,type:str]
 idp:
     cookie_salt: ENC[AES256_GCM,data:cyV6HDCPHKQIa8T1+rFBFh6EuHtG5B508lg6uFYENK7qVpYuiTUIokdVQhY8SRLs2mECx/ampgnUHxCRB/Cc/A==,iv:QRrRUhzRQrLkmg38rrYtCEfF8U4/7ZHZUDSEq++BlbI=,tag:fLqFSLd+CKqJvmCh1fx8vg==,type:str]
     admin_password: ENC[AES256_GCM,data:Vf33Oenk6x6BIij1uW8RQDjTPcKhUVYA,iv:RNeyCNpTAYdBPrZwE3Y6CCjoAML/3XUvjfJCrr06IEU=,tag:zVOrx1oXnEyr/VwFCFaCDQ==,type:str]
     postgres_password: ENC[AES256_GCM,data:HGwKLbn/umPLPgH+qpXtugvXzOcXdlhK,iv:ypTW0VLSape8K5aCYu3BdjG/oMmqvfDSLw9uGLthb0Q=,tag:qlDMGz59qzMwEwBYxsC0XQ==,type:str]
     privatekey: ENC[AES256_GCM,data:pK74wjuk9lt2PNJIzi6NpPBkxcSRsBZJl28BElUiri2zz17CY81x66CMlFsNjvzKB3JVX+b28FHFuSsEpd/mAPtmzZPR+CoWBHvU+OrSYYoufBxexRTtXzu0vx/KFL4X5tsb+GCgfm72CM+u9dElYHJzn3teBUmZc0pIoF29slTuwF+iZrbFwaieECxXMjHC9f+ivxWQsOvYFjhmAwgjBw/LsfURgLxZwcIRiiKsN41P2WtR9a/hjN53sJnihL9VZw/Xbbynm+bDmaAwhKUAZR28TU9Q1PTfNPEAOMoRgKF4MFuhQ5o0Cxq8RRz7fwCcCTV2sK4jgL7gKiy/gI/K41ybPQPon3NrDj3U2G1VhNgBfSNaTHgygiWI08HGWRHk83eJPHp3Ph8/A774g15SE10BXkL12n0kzodsZWYu3ybrhp167vL/ZW3xUnvFFlm4dTX/ndwS5rp1dIW0a5/0EDwMoGIJw94W5ph5sK9YoUTXwLdAJ9UWRZKQGk6iJstq2BMEBAN2BCSPHS2cflMjoVV4KKX1eq6s8/w6YFzCSQkt3+pGQ3DmiOaaqiv7sUfxyfMDzDcuTVETYRhsvr1ChfBFNn1yoH8BffeVTI2Ei3Edek1vXcg05mHxslhCmzQ4U4us0agtpm2Ar6ppvuedJHLWLFz8pgWSENeGdRcbz0CXiy7lIEYW4uQBru4MAjQ+ZQhz/F4L6At60Q4NelYMDxryQ8LxV0fA/ba2llwl8bDHDFDYkxu3/IaaWG8bp1i6gqvEao3/CRpPt/OAJGAHO3HViPm6xmWlWinUEatNlgCoDotkc56eZU/Af/P7R0QPQF0PpEIDHPcNjc/HcfheUXzJSzkD7wja8VB6rtqdRHFC793QsgdHJMJ+/bvJWZSQciSwaY3PBKLLuB6vrn7VD2NB4cE6beaGwneiAn83lAV+I4cJMDQFLkhWm8LIC7JIZKq/7eBfDEmajWEBL6wSbomBi/UGbA+FyvOokYYMemwVu1JGULcz9Lvn6pxkftQlN0gqE3MncrcZ/l59fepbka/z8oqH6i+3nKdaEh6D+WudD/0xiJSdXAVM6jGrxQtFc1R+OmGTTKJB4aLqgcM25YQ760wKavx5+B52pSki7XdYLmb6Xbnnv7AnyCNmGcpcj795P7qasE2sVokqq9a2PZD7VhP9TPHGtEO6QkkNV5gLxGsGvmshMM8KQgjK60HPQuSfHFVN/SlcOKvvH5ec8sBuYUt24xcDPewV9cXZwjcmwufFOVbC72FTEmU5qvmKobJTGjjbhWsHwpopESctmXuArIcVPsX5jSe3C9Y+9tjbkBGW6/+o8pTfodsjioXevVDXwjVBmGYk8xjZtF6/xfhpWvfunDXgEhnpT4i6ikoQiva8Mw8NvLe8U8Ivr6qCDE4ys4RTs56aw/CJHzydKjX96ZPzim52fAIJvEt1HvMvQx/O/q00h0WujYBcSBivYDtl7hC2fl6pBvM7fjipbeF04idkAKKXf4j6SGunx4hWq+eIA5tnlG8XVZZKIpdXKLgarvWs5pLlTSAK5ckF/yddcik7gAZc+pwo8kCAXIXPisX/yw9cZhI51PNTG1yxtPHAWKgULYLoWcnBCGTmPVXmj6IhpGuNuQ18TTpEtwnrMmcGq6aG/M2ZI+oq0q6suJUWwsCKUVM/TS6SKXEArzDtOMdXgyyDC/H3u+w3Bt/DwALLacq6lwoKBJZxQ6ewv3+ZkLcOkMRKu97hgV+rKmFqdPXqs+Skrf2MRl48sUCPIUXhD46ocFNpemcXcr73G7AxmmFLT6T4ZFm69K6eftUP6FsgUwbed+SaWTeptaG+wueL1NECoXafGlJAmXkjbBdWVgF2oMQFP3Kau135fiqmHpoWGzG5UhKxshTTtRIvbG/296NOkNZWBT/VzjwZti3IUka7HjC3leu28IlLsN0fsNPjQc2uIR3uVsR020g6et0m/Nys9gHDWXG/aCAYKhrgU8w37ZHBs383rkl4uUIYJH61SmTS4JP/wgh/+Q1aU8gXaZ8/Bc0BZUJdF3JR48fjkuMi2A8q5vkTQ1yFCvbBTtdg336v5tZc/xOW5/pt0W1Y7IgPFwHNh4iPAtKQZ3Qybh5PXs4N80YeYFWIjV6Ai0uY4yPdwYPfd1pRdpf3Ll+bhnbDPg0ye4f9lAhSR/cAZpft7BTd6W6jCv8QfWZcDmoBGZy68GZsYfCJ3QAo6szxzDtuyp7WMJRxioPt1EVA9q+8Rp7hHmZosoZOIUV+q3W5yZymL/PXZABiIc2OW9kryNlxQlBo79CSLGdXWeMq3dN1MSWoKJzxEseQqtSY5E1DYQosT1+3B8DXm77WSLMuB6OLjEz760y8jyIiLTGAVslcOb5XNfrQf5+l52nxCl/uSZo9FxiKg7ip0v3PZLuFSTSEaR2R2WeSuv/KoXi7WxFiG6VskpyL5jMhBwjepExFVosrOi4XugqR8vD3byTYUnmQvWJyyrI2LqQsYsa3o65SIO4g8SMKRsJJ8WWHpywLjF00HJSWiGRu8bQguvDTQd3UP6lgudzpubERXuUIBiMPqBKFJ1QTWA6N/t7dxR7NVaSexrGmY4ZSoIBKb9Jnge/+lkKrO9CgqDQpTAAvwwBZpFOV7EYLZNRpW+F8HaCNMeql7V/nFqdaaNdm9yLBhXbaeujalyiLtvBCghe330JVjbBTYWiRulJ2xnlX4GLzORBRIVHJYjxEKzCeVW7J2wAKkJ6gx5rlfDOd6r+Tf+1L8ZZoJEdBhIW7flslxo4amGRTI9QGJKVCIq/hrUGEgIAKsDsqTd21lVdhy+EDM+gumO7FbMcqVPRpwmQMFAZbJgH6TeS46tA4XQJGbwQhhBaqVb3jz7OJVOZ9C3/XfxPPpK4B2OyqINKNIRfyZ0fSmGlIT4LPf2IUEDCEKuPd3ClX51qNnVAPt/MbooF++Vp91KImdqCHwdiAygZTH9u91UN8S9IW8vo0XE4eAgdInjOM+IzUPhC+G8i6UNHbOpfQ7dntDc2nCv4nFKLjLZrgpm2kFrQ60/gDlbXBFF2eRcfYkSQSxVLWC4kWF1ce9YZf/j6erm6GnsQiyNoePe/Nb0v2f5DAR+9yoSJEOAi/AHacA9Dq5kfcoOYCrLkoc17SKQYmy/M9m5Mh3inI/O4wbUQrYDKHT0j77BJnkY11M6AiEF9YC0F4lCV4hIefQ3PnI4nmmo9b8rHnqvmrwUZrcOom6Zp+A7ydo4t0Bw1cDzEwJfpcb3JjpFi7F32/vHHLtGuPDvcJqkhw8VLuaAWAcEPJcIHJ+vAKCGWtDH7yQEOhFq4touwyPYDWBA5tqPY2xkFIAImFRhyLtTQupiNbZVR4G4dj24l8uQl2iz9aoDbJlNhoT+9YhwrKrYdM6hqnvpmiYqLIM+2kijZ8JmBS0BWNLCr+6rnbZbEB5e1ezokice8HQ1XcXbsegcI+eJ+gfDhYKw75VVyOd1Uy/pjLCCwQTywTIbf3iSuETvs3YjQrET1m7GJm3q8G4dx2M9c2B7R6B0ej06pkC4WwzFg3hEG6z2BaNrkopKkoE99bjoB2VHkgGTe+YM1Q3t+jA8IB7XNlnVH82AJ6eDMqgGSWBZiGxwx0KVUMg7cTi0iD6JNSYea0ykw+fh7Mj+8N0zhmzdUjdNBwZqxHVUbqIhUhk6meGRN5EASyt6qR329AqzbKaloS2VqjLjDkSEMhQfL4jHa8yPp8Cyj6EjgM2n5LnZs0u/43eh0h4ig3zQYMkwrHixI5hNQTBwSm3QnNpr3OnXAlypCPbCTiMC5sxHfrSTFkmjduT29aZ5qHQOc5zYG5bE2CmhWJdCOZm1s1mUT+Pxbxf4m/sh8w7TwnA+leD1rUvwYfyl5WI8f071vPcg62uTwScxr+TErvdzAkg9HElnsO6km0IncHIh79zexCR51CrtrZAVxc1gnnDtTLsaKmcEDkqIY4U2cUv+1CtPWz7IfKea9B56x+bFY32pwqYeXCHdDVfBGSMuM7mqZUBu+3jETSbglozYrukbgjftdWob3s/hR0WB0lH9uwkugfoGVonasPkmPvBhuvozkCLvP9aplqwUoL74D4JhHFLciPvV+Cmw5ag1WtErB89Oimm3tnOpynCJwZTQM+NVgBtKjom0qOnyn7l0vYIKQFJwV2k5w+RfrX5EOOjFfg9D2u+gHgmrqzaSl6kk2dHlQYmfeP+nJxiH7eGO5D3ooYHp7JKZBAaJHcAWWpgqVL/L8pjSJLCPRGBF/5DnfggwFdNprl3LqYnr4io+Wp4+Du74uvQHNpojrUQ4j7Qp330rSbCK9iX5v14zYr6RlqKe5CtTqHjPzuL8CxFUI1ImHgViNpff4=,iv:8cb1FcIm0oGkcrfLNqXamx4aDA3owBZoHur8+uFsdmA=,tag:oFPP/Yene6QrxFDKlmoVcA==,type:str]
+nettsiden:
+    mysql_password: ENC[AES256_GCM,data:Uv74HhWtYRbaFHcfh0Rk/Q==,iv:/lRTaMepwpJKZJWHnwb98Ywa1zP4e2EqYGmwI7BCl1I=,tag:ZnE0u2/65zdkONcoiBGSOQ==,type:str]
+    door_secret: ENC[AES256_GCM,data:t0jEN1WnyEi10KRSg4Dlcd7IuIMBiOU7riOdYSZjvZTQqPijRYIoMEQ6OemIkD1Yg67uISTxnjxP,iv:Ss02VGKRa4oZMubbi8IfQDAjh3h295+n07vOx/IZGBs=,tag:OvdxqIUdYi/cR7IjopSVQQ==,type:str]
+    simplesamlphp:
+        postgres_password: ENC[AES256_GCM,data:SvbrdHF4vQ94DgoEfy67QS5oziAsMT8H,iv:LOHBqMecA6mgV3NMfmfTh3zDGiDve+t3+uaO53dIxt4=,tag:9ffz84ozIqytNdGB1COMhA==,type:str]
+        cookie_salt: ENC[AES256_GCM,data:VmODSLOP1YDBrpHdk/49qx9BS+aveEYDQ1D24d4zCi06kZsCENCr+vdPAnTeM1pw98RTr3yZAEQTh4s90b6v8Q==,iv:vRClu6neyYPFdtD63kjnvK2iNOIHMbh+9qEGph7CI60=,tag:66fgppVxY0egs4+9XfDBPA==,type:str]
+        admin_password: ENC[AES256_GCM,data:SADr/zN3F0tW339kSK1nD9Pb38rw7hz8,iv:s5jgl1djXd5JKwx1WG/w2Q4STMMpjJP91qxOwAoNcL0=,tag:N8bKnO9N0ei06HDkSGt6XQ==,type:str]
+vaultwarden:
+    environ: ENC[AES256_GCM,data:CST5I8x8qAkrTy/wbMLL6aFSPDPIU7aWsD1L1MnIATRmk7fcUhfTSFds7quJmIpb2znsIT/WxNI/V/7UW+9ZdPKI64hfPR8MtvrJcbOhU5Fe2IiytFymFbhcOgWAXjbGzs7knQmpfMxSl98sU71oLkRuFdkousdnh4VQFZhUCYM=,iv:Is6xQ7DGdcAQgrrXCS9NbJk67O2uR82rbKOXBTzZHWw=,tag:XVEjCEM5t8qJl6jL89zrkw==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -55,8 +63,8 @@ sops:
             akVjeTNTeGorZjJQOVlMeCtPRUVYL3MK+VMvGxrbzGz4Q3sdaDDWjal+OiK+JYKX
             GHiMXVHQJZu/RrlxMjHKN6V3iaqxZpuvLAEJ2Lzy5EOHPtuiiRyeHQ==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-03-30T21:22:02Z"
+    lastmodified: "2024-05-26T02:07:41Z"
-    mac: ENC[AES256_GCM,data:o3buZqOYZXiNyJ7zDtaBDFwbtP5i0QNvHxVVxtVWdLdRASVmau/ZXdQ8MNsExe6gUF4dS6Sv7QYXRfUO7ccmUDP4zABlIOcxjwsRTs5lE45S6pVIB98OIAODHdyl6LVsgxEkhdPmSoYRjLIWO56KlKArxPQGiprCI7AIBe6DYik=,iv:sAEeBMuJ8JwI3STZuy4miZhXA9Lopbof+3aaprtWVJ4=,tag:LBIRH7KwZ0CuuXuioVL10Q==,type:str]
+    mac: ENC[AES256_GCM,data:CRaJefV1zcJc6eyzyjTLgd0+Wv46VT8o4iz2YAGU+c2b/Cr97Tj290LoEO6UXTI3uFwVfzii2yZ2l+4FK3nVVriD4Cx1O/9qWcnLa5gfK30U0zof6AsJx8qtGu1t6oiPlGUCF7sT0BW9Wp8cPumrY6cZp9QbhmIDV0o0aJNUNN4=,iv:8OSYV1eG6kYlJD4ovZZhcD1GaYnmy7vHPa/+7egM1nE=,tag:OPI13rpDh2l1ViFj8TBFWg==,type:str]
     pgp:
         - created_at: "2023-05-21T00:28:40Z"
           enc: |
@@ -80,3 +88,4 @@ sops:
           fp: F7D37890228A907440E1FD4846B9228E814A2AAC
     unencrypted_suffix: _unencrypted
     version: 3.8.1
+

secrets/ildkule/ildkule.yaml

@@ -15,7 +15,6 @@ keys:
         secret_key: ENC[AES256_GCM,data:+WoAJbDBEgKs0RoHT+7oEELAVQ+/2Xt+5RTMSXg23moCqVRx+Gzll9P5Drw=,iv:AkRn/Y20iEe5i1T+84wAgLCTFtAox2G3giyawAkltAw=,tag:BZbt5Wb5lYLIJBm/pfP4GQ==,type:str]
         admin_password: ENC[AES256_GCM,data:ttKwfC4WuXeL/6x4,iv:x1X+e3z08CR992GzC62YnFIN7SGrE81/nDNrgcgVzx0=,tag:YajUoy61kYbpeGeC7yNrXQ==,type:str]
     postgres:
-        grafana: ENC[AES256_GCM,data:D6qkg98WZYzKYegSNBb31v8o+KHisGmJ+ab5Ut7EMtsJz36kUup5RS4EbtM=,iv:rfE1uH1QycKMTpSq2p1ntQ2BIvptAh2J3l/QcQhiuLo=,tag:QxmGFcekjFRPf6orN86IxQ==,type:str]
         postgres_exporter_env: ENC[AES256_GCM,data:8MEoikoA6tFNm9qZbk0DFWANd7nRs5QSqrsGLoLKPIc1xykJaXTlyP5v8ywVGR8j7bfPs4p6QfpUIWK8CCnfQ1QhsFPXUMksl8p+K+xuMakYZr9OoWigGqvOHpFb9blfBN1FBdRrk38REXWAMUn74KSRI9v+0i5lpC4=,iv:anpjWVUadKfSAm9XbkeAKu+jAk+LxcpVYQ+gUe5szYw=,tag:4tzb/8B/e1uVoqTsQGlcKA==,type:str]
         postgres_exporter_knakelibrak_env: ENC[AES256_GCM,data:xjC7DGXrW2GIJq8XioIZb+jSe/Hzcz0tv9cUHmX/n1nhI+D64lYt+EKnq1+RX/vJzU4sTaKjveKBh88Qqnv6RQm+MZC//dIxcvnnAdl50qnHZyBCaFFEzSNI8I8vGyArMk8Ja72clBq3kMpUz/pLBP0qDrjblKDoWkU=,iv:ZW98hJy8A5t4Oxtu17R3tM7gou183VLbgBsHA8LFuJY=,tag:VMOvQz3X/XDylV1YFg2Jsg==,type:str]
 sops:
@@ -24,55 +23,55 @@ sops:
     azure_kv: []
     hc_vault: []
     age:
-        - recipient: age1mrnldl334l2nszuta6ywvewng0fswv2dz9l5g4qcwe3nj4yxf92qjskdx6
+        - recipient: age1x28hmzvuv6f2n66c0jtqcca3h9rput8d7j5uek6jcpx8n9egd52sqpejq0
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrN3lJM2xWTUZ3UkRBaENI
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBURkY4WTZhQzJoREpxV1Vr
-            VmJiWDlQbHd0VUNYdllPdURyQmUvL3lKMzJzCkZlRFVxbmNLOVNqUFg1akJQQlBP
+            aUExZ1dxNkIyMkJtUXpqOWtTT1J0MGpmMkY4ClR4Wm1FTmhKN2pIMENRdERrWVY2
-            VmdOMUdjZ1M4U2lLVEpGaGI5NjNTR2MKLS0tIDRlQUtucEZhZmRYbmpadVdKK01v
+            SUlHblpEc3VackMrbFpHUUJwM2ltZHcKLS0tIEovMEtiOWc1L2tzZDh3ekZKbStr
-            cWxCQlBRR1VaZTBDQnkzNGE0WGttWm8KK5s/coWNsdCP5lKQ8LMK7/3ku179+Lg1
+            NEFkcW03ZTRJODNxTlVuUnFlcFFUUncKEZzOeUtRsZiuugTLzG2xU4eJ3XtVuop7
-            4ujTVn4LhvXy6JvgGTWS/UbMmJjJebVxkulzf5St3YMMs2mcIYjOtA==
+            hhlDBL/YoFn/CO3HjqFdCVv33QoPu7KKMeV52pbVEnv93mvdEeFxVA==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age17tagmpwqjk3mdy45rfesrfey6h863x8wfq38wh33tkrlrywxducs0k6tpq
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSa25taGsxdlhrUS96cXBi
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSY3cxSGFvdDdWcFVLRTRy
-            cUo3WDVmdEhKN256THJhS2tHSitDRkVraDJNCmhGZzlFUDFkN0JKNkFWUlVLVzcz
+            Zng2VnhjZlFkc1RQN0NqUjJGeW02WlFaMlFZCjVZc2x2UXNXS1I2WDBxeHdjNUdr
-            MjFhcDdmcmpxdTA3V3JRREFNVmNUbEEKLS0tIFNSU2xNZzN2Y1ZzR2hFM0dOK0Zy
+            WnZGc0l5NlArekUwUGU3Qkdub25EVm8KLS0tIDB2bGo3ZURtZ0pSZjFzcGpOdW5D
-            Tmk4bXd0ZHhPemxDSDREb3IvSjFza1EKsjtC6J3kYGRe8oLAoUZmg1BUmpkMyC98
+            aTI3aTBUS0d1MzFmMTVMbUlFYTR4VlUKzOvNCAzan1GTXjoRxeySkUYIYtI4Mpvu
-            uYq+IQmfJt48R/MKDei00j1w3zIK5+E5GU4o8+jILzwfpzYUUZWwiA==
+            MC0Q8e350SyoOsrF7fUvw+Ru68fDMLW27H6Ly36xP7D3eo/h4eZVXw==
             -----END AGE ENCRYPTED FILE-----
-        - recipient: age1hn45n46ypyrvypv0mwfnpt9ddrlmw34dwlpf33n8v67jexr3lucq6ahc9x
+        - recipient: age1mrnldl334l2nszuta6ywvewng0fswv2dz9l5g4qcwe3nj4yxf92qjskdx6
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPb09qTTc4cjRMcjIzRmxu
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFbDBYMDNQcWkySC8vN05t
-            RzZWTDBNTGdvaEc2VFJPakYvakRMK1RnS1FnCktHRVkwZGlUUXl4UTBRcGxMQzdn
+            U3hLMjlYVUE3Zms3U2R4R0VnMUtFcmVQclZvClY4aWZEYWZPdkltMElkUWxQeUtP
-            QVBCYVdlWEw5NW9tNytJTGIzRlpwa0UKLS0tIGdDdUtFMUgyT0phMXBxZE41Y1h4
+            TEF0a0txbVQ4d3lrelp3cG9TbG5OSkEKLS0tIHR1V3JIVEwwUjM3RVdES2pQUmhP
-            a2hQVVprakt5NURpNXdQUjREczJKWTgKn60yrLqco9brlqigAolO8rEkww9z3y3u
+            T1MwME1tbGQ2NysrOEVNYVZRT1R0YmcKFpfe9GfH7s779CNQswRm/W7zwYO6wK11
-            KmefLVZCGfoko+fnKLVE9UKFS/tAowqgPS1qE76u1Mmkk6yqZoG9rg==
+            z6IGPxtBlUGdshYiHA1BEz7fMVg3ZolL2D98cTNMM24U89Gssiw9qw==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-07-08T12:46:19Z"
+    lastmodified: "2024-04-20T23:41:59Z"
-    mac: ENC[AES256_GCM,data:bQWG/GgSIv5LdhGTsyx3ENOAywtYVKjzK6nxOnUEZvD+RSi6jxj9Wze7qOhXvgjKWCz/cZj5oSuMQNRyoI8p8xJdxf0+UNdX8uPT05HiKuF7CBcXzprjKri/H6yFp87epOM9fMdn7ZUACn/iT1IZBo+5OuMtDnqVUm/GEmMcsog=,iv:ll/vEeiXsD3crbbxEFsJlxGbm9dZDUPC4GeO95RZZX4=,tag:TGCA721vK9EY3xlY6zIeIg==,type:str]
+    mac: ENC[AES256_GCM,data:38Ask+adT2FshF8DYEfCWeVWt4KiaJsTXhF7Ib3xxdfQ6vAixM2OXTaK/qqUvN6gQok9TFF+HMJBJ+jezV00nVcKUYn04FaU2/D2zdam44eEEYEEovmfAZ6vbC+CiDv4d/DCc3hnYtDZCEgUTfP4gsZ9rLZFAOwaOFWRJxcDi6Y=,iv:BzuWdTjn6LhscNeouHjM7IYKxTahA8PzzlHSCYZ618s=,tag:BWtPbNwzdOJb788eOO5ZNA==,type:str]
     pgp:
-        - created_at: "2023-01-21T19:52:08Z"
+        - created_at: "2024-04-20T23:15:17Z"
-          enc: |
+          enc: |-
             -----BEGIN PGP MESSAGE-----
 
-            hQIMA0av/duuklWYAQ//Sw5EHNbC9iPXcHSULYVmSMOQCAH7GSGvaaFvey/KffPD
+            hQIMA0av/duuklWYAQ/+LSTWjii2dblTAkuqHan3uuuRRpt1ppmHEgHYkQZD+RzE
-            5gbFr00vIi1JfjYXmYfn3KKpUfs/mMMo5NzYU2Ou5fWcPsqFLXOwubebuf61X6p7
+            g+ljNaM/BPqci7Kr1NHFDw+cU2MYm/40Tz63l1cvfE3NEoVefsmoA5voNI3G/bx/
-            7YfLYQMnjgBzkpb972AJl2tWUlcBcOz89tIw3oMi8R5vvXjRjEdDY8Yp+Z2Apj9V
+            LTAe2aacPwO/TNoLtrCgRkzNyKXluUkM9OoIvkvB5DEGjYbe82+gI5Zi+NbW9N/p
-            YJCoSIe6RLBlubMs4I6VIOaTaKIM1DWthg95dozlShXYsEgFTYaJ6FbN9RuZOZPa
+            5ilr9Cc1jvIivjZMGGPLRgkAc/twOOuyrZlsFd9kddAL9YFO7wpd/dko886y1jE5
-            KzFs2DXtbylXXJtiCArQCHnOgA1Jnp80VvMYLO1ldteQhqGdmnxnqwjETx/uqy4l
+            jz9n9F4SKYOcgLPqZuG1iZ8qaA2zGT2bP2caai/QJAmL90stQCiRWtQgB8KeWugm
-            QE31LcRf2JFKi0BBJdQfEqBGW9LD4Mjfwi6tWbHq4Mn29u8IT6z5HJIB99JRAV/9
+            nRFBm5BLamtoqjXXwzdtXGKbFAhvL5/h+kPxnJDjylfFVbgCpoWJ/fxdE5xxxZtq
-            RfBPzF7UVLq2baWxDwG/M6TvZlVJPdAyhJ5QqhkVdrWir7D1D108u+cgtJWw+vlS
+            zCcGCQQsaa85eWkBByhu7TdwyAW7bJCm8z6kfFPGqhNDkS8ifxnEWm6ulgYVokiL
-            cP3hT73LWCo2bXUrHXxFnrWdDQQSDpew/x2cTHUNvqdqLZgMJWdZgh+mXOQLjzHP
+            WVBvuQCd1s8KSExs6zNWGcGlqgvcbovHXyVlmLeqZfBA7i/vYqksZtBT47rG7nCS
-            xGkjt0ae5/CEnUIse/Qt3SyoKN3rGVKJgoQ4D0AeBFU5z7NEOx7Ebl9t6IgVnJIB
+            YGfHy69yVrMdj4KrLuMXNfjtS92hkQqWmCyl5X5zOSJXqEL2dorMzSZn89gK4nL4
-            sDJXg+7jJ8A0V1xGan6BP8dFi7m0aAJH0xi8RB9jC1ZRVNxUjFow3Szh0JQ7u2P5
+            V4zOKkKtsj2MqynYn/XAoUf3AfYs2wtRhJiU+r/q+rx9Hx31H8mnUuUerT58yQCY
-            4jZ3FT4tWzPzLQsgJUd/H41QyKSd3ke4VMf97mEKULJ7prtXdyxQfRDcE93UgVXS
+            mAkjIhTzvZcWIalQo7xnZhos4p1IYaA7MAuGC6HxuWVaOsyiFkRaKwB9svWyZ/DS
-            XAF0u7pIl+O2RlJtki+UvuwVDszPBRSmGmfiQa4vsYfXahO4fmBjhdl2hdLtz82F
+            XAFID3fQ1xfNyYsW8nvXQmvZubnhE+dAQPaiAFP9ujY4RVXWBFOrV6NAs7y/LID/
-            dh+dPu+RSD9OKwIhUwsDLtWWlI/4BvIB1yXbQxP2MyjZm3uVf1CtgUHyjWw8
+            89lpfWN87JWSJWUk6DCD3AQ+1GiBCFy7uswUJkG4zou1RQBSl7X88ziVDILU
-            =rri5
+            =tXkN
             -----END PGP MESSAGE-----
           fp: F7D37890228A907440E1FD4846B9228E814A2AAC
     unencrypted_suffix: _unencrypted
-    version: 3.7.3
+    version: 3.8.1

users/adriangl.nix

@@ -6,15 +6,21 @@
     extraGroups = [
       "wheel"
       "drift"
+      "nix-builder-users"
     ];
 
     packages = with pkgs; [
-      eza
       neovim
+      htop
+      ripgrep
+      vim
+      foot.terminfo
     ];
 
     openssh.authorizedKeys.keys = [
       "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFa5y7KyLn2tjxed1czMbyM5scnEpo9v/GfnhL/28ckM legolas"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICf7SlyHR6KgP7+IeFr/Iuiu2lL5vaSlzqPonaO8XU0J gunalx@aragon"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEj+Y0RUrSaF8gUW8m2BY6i8e7/0bUWhu8u8KW+AoHDh gunalx@nixos"
     ];
   };
 }

users/felixalb.nix

@@ -1,8 +1,12 @@
-{ pkgs, ... }:
+{ pkgs, lib, config, ... }:
 {
   users.users.felixalb = {
     isNormalUser = true;
-    extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
+    extraGroups = [
+      "wheel"
+    ] ++ lib.optionals ( config.users.groups ? "libvirtd" ) [
+      "libvirtd"
+    ];
     shell = pkgs.zsh;
     openssh.authorizedKeys.keys = [
       "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDKzPICGew7uN0cmvRmbwkwTCodTBUgEhkoftQnZuO4Q felixalbrigtsen@gmail.com"

values.nix

@@ -30,8 +30,11 @@ in rec {
       ipv6 = pvv-ipv6 168;
     };
     ildkule = {
-      ipv4 = pvv-ipv4 187;
+      ipv4 = "10.212.25.209";
-      ipv6 = pvv-ipv6 "1:187";
+      ipv6 = "2001:700:300:6025:f816:3eff:feee:812d";
+
+      ipv4_global = "129.241.153.213";
+      ipv6_global = "2001:700:300:6026:f816:3eff:fe58:f1e8";
     };
     bicep = {
       ipv4 = pvv-ipv4 209;
@@ -70,4 +73,25 @@ in rec {
     DHCP = "no";
   };
 
+  openstackGlobalNetworkConfig = {
+    networkConfig.IPv6AcceptRA = "yes";
+    dns = [ "129.241.0.200" "129.241.0.201" ];
+    domains = [ "pvv.ntnu.no" "pvv.org" ];
+    DHCP = "yes";
+  };
+
+  openstackLocalNetworkConfig = {
+    networkConfig.IPv6AcceptRA = "no";
+    dns = [ "129.241.0.200" "129.241.0.201" ];
+    domains = [ "pvv.ntnu.no" "pvv.org" ];
+    DHCP = "yes";
+
+    # Only use this network for link-local networking, not global/default routes
+    dhcpV4Config.UseRoutes = "no";
+    routes = [
+      { routeConfig = { Destination = "10.0.0.0/8"; Gateway = "_dhcp4"; }; }
+    ];
+
+    linkConfig.RequiredForOnline = "no";
+  };
 }