kvernberg/taler: various fixes

.sops.yaml

@@ -13,7 +13,7 @@ keys:
   - &host_ildkule age1x28hmzvuv6f2n66c0jtqcca3h9rput8d7j5uek6jcpx8n9egd52sqpejq0
   - &host_bekkalokk age12nj59tguy9wg882updc2vjdusx5srnxmjyfaqve4zx6jnnsaw3qsyjq6zd
   - &host_bicep age1sl43gc9cw939z5tgha2lpwf0xxxgcnlw7w4xem4sqgmt2pt264vq0dmwx2
-  - &host_ustetind age1hffjafs4slznksefmtqrlj7rdaqgzqncn4un938rhr053237ry8s3rs0v8
+  - &host_kvernberg age19rlntxt0m27waa0n288g9wgpksa6ndlzz8eneeqya7w3zd7may0sqzhcvz
 
 creation_rules:
   # Global secrets
@@ -79,15 +79,9 @@ creation_rules:
       - *user_pederbs_bjarte
       pgp:
       - *user_oysteikt
-
-  - path_regex: secrets/ustetind/[^/]+\.yaml$
+  
+  - path_regex: secrets/kvernberg/[^/]+$
     key_groups:
-    - age:
-      - *host_ustetind
-      - *user_danio
-      - *user_felixalb
-      - *user_pederbs_sopp
-      - *user_pederbs_nord
-      - *user_pederbs_bjarte
-      pgp:
-      - *user_oysteikt
+      - age:
+          - *host_kvernberg
+          - *user_danio

base/services/auto-upgrade.nix

@@ -2,12 +2,12 @@
 {
   system.autoUpgrade = {
     enable = true;
-    flake = "git+https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git";
+    flake = "git+https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git?ref=pvvvvv";
     flags = [
       # --update-input is deprecated since nix 2.22, and removed in lix 2.90
       # https://git.lix.systems/lix-project/lix/issues/400
       "--refresh"
-      "--override-input" "nixpkgs" "github:nixos/nixpkgs/nixos-24.05-small"
+      "--override-input" "nixpkgs" "github:NixOS/nixpkgs/refs/pull/332699/merge"
       "--override-input" "nixpkgs-unstable" "github:nixos/nixpkgs/nixos-unstable-small"
       "--no-write-lock-file"
     ];

base/services/logrotate.nix

@@ -31,7 +31,6 @@
       ProtectSystem = "full";
       RestrictNamespaces = true;
       RestrictRealtime = true;
-      RestrictSUIDSGID = true; # disable for creating setgid directories
       SocketBindDeny = [ "any" ];
       SystemCallArchitectures = "native";
       SystemCallFilter = [
@@ -39,4 +38,4 @@
       ];
     };
   };
-}
+}

base/services/smartd.nix

@@ -1,20 +1,8 @@
 { config, pkgs, lib, ... }:
 {
-  services.smartd = {
-    enable = lib.mkDefault true;
-    notifications = {
-      mail = {
-        enable = true;
-        sender = "root@pvv.ntnu.no";
-        recipient = "root@pvv.ntnu.no";
-      };
-      wall.enable = false;
-    };
-  };
+  services.smartd.enable = lib.mkDefault true;
 
   environment.systemPackages = lib.optionals config.services.smartd.enable (with pkgs; [
     smartmontools
   ]);
-
-  systemd.services.smartd.unitConfig.ConditionVirtualization = "no";
-}
+}

flake.lock

@@ -119,16 +119,16 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1731663789,
-        "narHash": "sha256-x07g4NcqGP6mQn6AISXJaks9sQYDjZmTMBlKIvajvyc=",
+        "lastModified": 1731779898,
+        "narHash": "sha256-oxxCrYZM0WNRoaokDyVXcPIlTc8Z2yX4QjKbgXGI3IM=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "035d434d48f4375ac5d3a620954cf5fda7dd7c36",
+        "rev": "9972661139e27eed0237df4dde34839e09028cd5",
         "type": "github"
       },
       "original": {
         "owner": "NixOS",
-        "ref": "nixos-24.05-small",
+        "ref": "refs/pull/332699/merge",
         "repo": "nixpkgs",
         "type": "github"
       }

flake.nix

@@ -2,7 +2,7 @@
   description = "PVV System flake";
 
   inputs = {
-    nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05-small"; # remember to also update the url in base/services/auto-upgrade.nix
+    nixpkgs.url = "github:NixOS/nixpkgs/refs/pull/332699/merge"; # remember to also update the url in base/services/auto-upgrade.nix
     nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable-small";
 
     sops-nix.url = "github:Mic92/sops-nix";
@@ -33,13 +33,13 @@
 
   outputs = { self, nixpkgs, nixpkgs-unstable, sops-nix, disko, ... }@inputs:
   let
-    inherit (nixpkgs) lib;
+    nixlib = nixpkgs.lib;
     systems = [
       "x86_64-linux"
       "aarch64-linux"
       "aarch64-darwin"
     ];
-    forAllSystems = f: lib.genAttrs systems f;
+    forAllSystems = f: nixlib.genAttrs systems f;
     allMachines = builtins.attrNames self.nixosConfigurations;
     importantMachines = [
       "bekkalokk"
@@ -49,11 +49,11 @@
       "ildkule"
     ];
   in {
-    inputs = lib.mapAttrs (_: src: src.outPath) inputs;
+    inherit inputs;
 
     nixosConfigurations = let
       unstablePkgs = nixpkgs-unstable.legacyPackages.x86_64-linux;
-      nixosConfig = nixpkgs: name: config: lib.nixosSystem (lib.recursiveUpdate
+      nixosConfig = nixpkgs: name: config: nixpkgs.lib.nixosSystem (nixpkgs.lib.recursiveUpdate
         rec {
           system = "x86_64-linux";
           specialArgs = {
@@ -115,12 +115,6 @@
       #ildkule-unstable = unstableNixosConfig "ildkule" { };
       shark = stableNixosConfig "shark" { };
 
-      ustetind = stableNixosConfig "ustetind" {
-        modules = [
-         "${nixpkgs}/nixos/modules/virtualisation/lxc-container.nix"
-        ];
-      };
-
       brzeczyszczykiewicz = stableNixosConfig "brzeczyszczykiewicz" {
         modules = [
           inputs.grzegorz-clients.nixosModules.grzegorz-webui
@@ -139,18 +133,10 @@
           inputs.greg-ng.overlays.default
         ];
       };
-
-      grevling = stableNixosConfig "grevling" {
+      kvernberg = stableNixosConfig "kvernberg" {
         modules = [
-          ./hosts/grevling/configuration.nix
-          sops-nix.nixosModules.sops
-        ];
-      };
-
-      tuba = stableNixosConfig "grevling" {
-        modules = [
-          ./hosts/tuba/configuration.nix
-          sops-nix.nixosModules.sops
+          disko.nixosModules.disko
+          { disko.devices.disk.disk1.device = "/dev/sda"; }
         ];
       };
     };
@@ -170,19 +156,19 @@
       in rec {
         default = important-machines;
         important-machines = pkgs.linkFarm "important-machines"
-          (lib.getAttrs importantMachines self.packages.x86_64-linux);
+          (nixlib.getAttrs importantMachines self.packages.x86_64-linux);
         all-machines = pkgs.linkFarm "all-machines"
-          (lib.getAttrs allMachines self.packages.x86_64-linux);
+          (nixlib.getAttrs allMachines self.packages.x86_64-linux);
 
         simplesamlphp = pkgs.callPackage ./packages/simplesamlphp { };
 
       } //
-      (lib.pipe null [
+      (nixlib.pipe null [
         (_: pkgs.callPackage ./packages/mediawiki-extensions { })
-        (lib.flip builtins.removeAttrs ["override" "overrideDerivation"])
-        (lib.mapAttrs' (name: lib.nameValuePair "mediawiki-${name}"))
+        (nixlib.flip builtins.removeAttrs ["override" "overrideDerivation"])
+        (nixlib.mapAttrs' (name: nixlib.nameValuePair "mediawiki-${name}"))
       ])
-      // lib.genAttrs allMachines
+      // nixlib.genAttrs allMachines
         (machine: self.nixosConfigurations.${machine}.config.system.build.toplevel);
     };
   };

hosts/bekkalokk/services/gitea/ci.nix

@@ -27,15 +27,5 @@ lib.mkMerge [
   (mkRunner "alpha")
   (mkRunner "beta")
   (mkRunner "epsilon")
-  {
-    virtualisation.podman = {
-      enable = true;
-      defaultNetwork.settings.dns_enabled = true;
-      autoPrune.enable = true;
-    };
-
-    networking.dhcpcd.IPv6rs = false;
-
-    networking.firewall.interfaces."podman+".allowedUDPPorts = [53 5353];
-  }
+  { virtualisation.podman.enable = true; }
 ]

hosts/bekkalokk/services/gitea/default.nix

@@ -5,7 +5,7 @@ let
   sshPort  = 2222;
 in {
   imports = [
-    ./gpg.nix
+    ./ci.nix
     ./import-users
     ./web-secret-provider
   ];

hosts/bekkalokk/services/gitea/gpg.nix

@@ -1,38 +0,0 @@
-{ config, pkgs, lib, ... }:
-let
-  cfg = config.services.gitea;
-  GNUPGHOME = "${config.users.users.gitea.home}/gnupg";
-in
-{
-  sops.secrets."gitea/gpg-signing-key" = {
-    owner = cfg.user;
-    inherit (cfg) group;
-  };
-
-  systemd.services.gitea.environment = { inherit GNUPGHOME; };
-
-  systemd.tmpfiles.settings."20-gitea-gnugpg".${GNUPGHOME}.d = {
-    inherit (cfg) user group;
-    mode = "700";
-  };
-
-  systemd.services.gitea-ensure-gnupg-homedir = {
-    description = "Import gpg key for gitea";
-    environment = { inherit GNUPGHOME; };
-    serviceConfig = {
-      Type = "oneshot";
-      User = cfg.user;
-      PrivateNetwork = true;
-    };
-    script = ''
-      ${lib.getExe pkgs.gnupg} --import ${config.sops.secrets."gitea/gpg-signing-key".path}
-    '';
-  };
-
-  services.gitea.settings."repository.signing" = {
-    SIGNING_KEY = "0549C43374D2253C";
-    SIGNING_NAME = "PVV Git";
-    SIGNING_EMAIL = "gitea@git.pvv.ntnu.no";
-    INITIAL_COMMIT = "always";
-  };
-}

hosts/grevling/configuration.nix

@@ -1,36 +0,0 @@
-{ config, pkgs, values, ... }:
-{
-  imports = [
-      # Include the results of the hardware scan.
-      ./hardware-configuration.nix
-      ../../base.nix
-      ../../misc/metrics-exporters.nix
-
-      ./services/openvpn
-    ];
-
-  boot.loader.systemd-boot.enable = true;
-  boot.loader.efi.canTouchEfiVariables = true;
-
-  networking.hostName = "grevling";
-
-  # systemd.network.networks."30-eno1" = values.defaultNetworkConfig // {
-  #   matchConfig.Name = "eno1";
-  #   address = with values.hosts.georg; [ (ipv4 + "/25") (ipv6 + "/64") ];
-  # };
-
-  # List packages installed in system profile
-  environment.systemPackages = with pkgs; [
-  ];
-
-  # List services that you want to enable:
-
-  # This value determines the NixOS release from which the default
-  # settings for stateful data, like file locations and database versions
-  # on your system were taken. It‘s perfectly fine and recommended to leave
-  # this value at the release version of the first install of this system.
-  # Before changing this value read the documentation for this option
-  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
-  system.stateVersion = "23.05"; # Did you read the comment?
-
-}

hosts/grevling/hardware-configuration.nix

@@ -1,40 +0,0 @@
-# Do not modify this file!  It was generated by ‘nixos-generate-config’
-# and may be overwritten by future invocations.  Please make changes
-# to /etc/nixos/configuration.nix instead.
-{ config, lib, pkgs, modulesPath, ... }:
-
-{
-  imports =
-    [ (modulesPath + "/installer/scan/not-detected.nix")
-    ];
-
-  boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usb_storage" "usbhid" "sd_mod" ];
-  boot.initrd.kernelModules = [ ];
-  boot.kernelModules = [ "kvm-intel" ];
-  boot.extraModulePackages = [ ];
-
-  fileSystems."/" =
-    { device = "/dev/disk/by-uuid/33825f0d-5a63-40fc-83db-bfa1ebb72ba0";
-      fsType = "ext4";
-    };
-
-  fileSystems."/boot" =
-    { device = "/dev/disk/by-uuid/145E-7362";
-      fsType = "vfat";
-    };
-
-  swapDevices =
-    [ { device = "/dev/disk/by-uuid/7ed27e21-3247-44cd-8bcc-5d4a2efebf57"; }
-    ];
-
-  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
-  # (the default) this is the recommended approach. When using systemd-networkd it's
-  # still possible to use this option, but it's recommended to use it in conjunction
-  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
-  networking.useDHCP = lib.mkDefault true;
-  # networking.interfaces.eno1.useDHCP = lib.mkDefault true;
-  # networking.interfaces.enp2s2.useDHCP = lib.mkDefault true;
-
-  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
-  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
-}

hosts/grevling/services/openvpn/default.nix

@@ -1,77 +0,0 @@
-{ pkgs, lib, values, ... }:
-{
-  services.openvpn.servers."ov-tunnel" = {
-    config = let
-      conf = {
-        # TODO: use aliases
-        local = "129.241.210.191";
-        port = 1194;
-        proto = "udp";
-        dev = "tap";
-
-        # TODO: set up
-        ca = "";
-        cert = "";
-        key = "";
-        dh = "";
-
-        # Maintain a record of client <-> virtual IP address
-        # associations in this file.  If OpenVPN goes down or
-        # is restarted, reconnecting clients can be assigned
-        # the same virtual IP address from the pool that was
-        # previously assigned.
-        ifconfig-pool-persist = ./ipp.txt;
-
-        server-bridge = builtins.concatStringsSep " " [
-          "129.241.210.129"
-          "255.255.255.128"
-          "129.241.210.253"
-          "129.241.210.254"
-        ];
-
-        keepalive = "10 120";
-        cipher = "none";
-
-        user = "nobody";
-        group = "nobody";
-
-        status = "/var/log/openvpn-status.log";
-
-        client-config-dir = pkgs.writeTextDir "tuba" ''
-          # Sett IP-adr. for tap0 til tubas PVV-adr.
-          ifconfig-push ${values.services.tuba-tap} 255.255.255.128
-          # Hvordan skal man faa dette til aa funke, tro?
-          #ifconfig-ipv6-push 2001:700:300:1900::xxx/64
-          
-          # La tuba bruke std. PVV-gateway til all trafikk (unntatt
-          # VPN-tunnellen).
-          push "redirect-gateway"
-        '';
-
-        persist-key = true;
-        persist-tun = true;
-
-        verb = 5;
-
-        explicit-exit-notify = 1;
-      };
-    in lib.pipe conf [
-      (lib.filterAttrs (_: value: !(builtins.isNull value || value == false)))
-      (builtins.mapAttrs (_: value:
-        if builtins.isList value then builtins.concatStringsSep " " (map toString value)
-        else if value == true then value
-        else if builtins.any (f: f value) [
-          builtins.isString
-          builtins.isInt
-          builtins.isFloat
-          lib.isPath
-          lib.isDerivation
-        ] then toString value
-        else throw "Unknown value in grevling openvpn config, deading now\n${value}"
-      ))
-      (lib.mapAttrsToList (name: value: if value == true then name else "${name} ${value}"))
-      (builtins.concatStringsSep "\n")
-      (x: x + "\n\n")
-    ];
-  };
-}

hosts/kvernberg/configuration.nix

@@ -0,0 +1,45 @@
+{ config, fp, pkgs, values, ... }:
+{
+  imports = [
+    # Include the results of the hardware scan.
+    ./hardware-configuration.nix
+    (fp /base)
+    (fp /misc/metrics-exporters.nix)
+    ./disks.nix
+
+    ./services/nginx.nix
+    ./services/pvvvvvv
+  ];
+
+  sops.defaultSopsFile = fp /secrets/kvernberg/kvernberg.yaml;
+  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+  sops.age.keyFile = "/var/lib/sops-nix/key.txt";
+  sops.age.generateKey = true;
+
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+ 
+  networking.hostName = "kvernberg"; # Define your hostname.
+
+  systemd.network.networks."30-all" = values.defaultNetworkConfig // {
+    matchConfig.Name = "en*";
+    address = with values.hosts.kvernberg; [ (ipv4 + "/25") (ipv6 + "/64") ];
+  };
+
+  # List packages installed in system profile
+  environment.systemPackages = with pkgs; [
+    
+  ];
+
+  # No devices with SMART
+  services.smartd.enable = false;
+
+  # This value determines the NixOS release from which the default
+  # settings for stateful data, like file locations and database versions
+  # on your system were taken. It‘s perfectly fine and recommended to leave
+  # this value at the release version of the first install of this system.
+  # Before changing this value read the documentation for this option
+  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+  system.stateVersion = "24.05"; # Did you read the comment?
+
+}

hosts/kvernberg/disks.nix

@@ -0,0 +1,39 @@
+# Example to create a bios compatible gpt partition
+{ lib, ... }:
+{
+  disko.devices = {
+    disk.disk1 = {
+      device = lib.mkDefault "/dev/sda";
+      type = "disk";
+      content = {
+        type = "gpt";
+        partitions = {
+          boot = {
+            name = "boot";
+            size = "1M";
+            type = "EF02";
+          };
+          esp = {
+            name = "ESP";
+            size = "500M";
+            type = "EF00";
+            content = {
+              type = "filesystem";
+              format = "vfat";
+              mountpoint = "/boot";
+            };
+          };
+          root = {
+            name = "root";
+            size = "100%";
+            content = {
+              type = "filesystem";
+              format = "ext4";
+              mountpoint = "/";
+            };
+          };
+        };
+      };
+    };
+  };
+}

hosts/kvernberg/hardware-configuration.nix

@@ -5,36 +5,22 @@
 
 {
   imports =
-    [ (modulesPath + "/installer/scan/not-detected.nix")
+    [ (modulesPath + "/profiles/qemu-guest.nix")
     ];
 
-  boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usb_storage" "usbhid" "sd_mod" ];
+  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
   boot.initrd.kernelModules = [ ];
-  boot.kernelModules = [ "kvm-intel" ];
+  boot.kernelModules = [ ];
   boot.extraModulePackages = [ ];
 
-  fileSystems."/" =
-    { device = "/dev/disk/by-uuid/33825f0d-5a63-40fc-83db-bfa1ebb72ba0";
-      fsType = "ext4";
-    };
-
-  fileSystems."/boot" =
-    { device = "/dev/disk/by-uuid/145E-7362";
-      fsType = "vfat";
-    };
-
-  swapDevices =
-    [ { device = "/dev/disk/by-uuid/7ed27e21-3247-44cd-8bcc-5d4a2efebf57"; }
-    ];
+  swapDevices = [ ];
 
   # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
   # (the default) this is the recommended approach. When using systemd-networkd it's
   # still possible to use this option, but it's recommended to use it in conjunction
   # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
   networking.useDHCP = lib.mkDefault true;
-  # networking.interfaces.eno1.useDHCP = lib.mkDefault true;
-  # networking.interfaces.enp2s2.useDHCP = lib.mkDefault true;
+  # networking.interfaces.ens18.useDHCP = lib.mkDefault true;
 
   nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
-  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 }

hosts/kvernberg/services/nginx.nix

@@ -0,0 +1,5 @@
+{ config, lib, ... }:
+
+{
+  services.nginx.enable = true;
+}

hosts/kvernberg/services/pvvvvvv/bank.nix

@@ -0,0 +1,51 @@
+{ config, lib, pkgs, ... }:
+let
+  cfg = config.services.libeufin.bank;
+  tcfg = config.services.taler;
+  inherit (tcfg.settings.taler) CURRENCY;
+in {
+  services.libeufin.bank = {
+    enable = true;
+    debug = true;
+    createLocalDatabase = true;
+    initialAccounts = [
+      { username = "exchange";
+        password = "exchange";
+        name = "Exchange";
+      }
+    ];
+    settings = {
+      libeufin-bank = {
+        WIRE_TYPE = "x-taler-bank";
+        X_TALER_BANK_PAYTO_HOSTNAME = "bank.kvernberg.pvv.ntnu.no";
+        BASE_URL = "bank.kvernberg.pvv.ntnu.no/";
+
+        ALLOW_REGISTRATION = "yes";
+
+        REGISTRATION_BONUS_ENABLED = "yes";
+        REGISTRATION_BONUS = "${CURRENCY}:500";
+
+        DEFAULT_DEBT_LIMIT = "${CURRENCY}:0";
+
+        ALLOW_CONVERSION = "no";
+        ALLOW_EDIT_CASHOUT_PAYTO_URI = "yes";
+
+        SUGGESTED_WITHDRAWAL_EXCHANGE = "https://exchange.kvernberg.pvv.ntnu.no/";
+
+        inherit CURRENCY;
+      };
+    };
+  };
+
+  services.nginx.virtualHosts."bank.kvernberg.pvv.ntnu.no" = {
+    enableACME = true;
+    forceSSL = true;
+    kTLS = true;
+    locations."/" = {
+      proxyPass = "http://127.0.0.1:8082";
+      extraConfig = ''
+         proxy_read_timeout 300s; 
+      '';
+    };
+  };
+}

hosts/kvernberg/services/pvvvvvv/default.nix

@@ -0,0 +1,13 @@
+{
+  imports = [
+    ./exchange.nix
+    ./bank.nix
+  ];
+
+  services.taler = {
+    settings = {
+      taler.CURRENCY = "SCHPENN";
+      taler.CURRENCY_ROUND_UNIT = "${cfg.settings.taler.CURRENCY}:1";
+    };
+  };
+}

hosts/kvernberg/services/pvvvvvv/exchange.nix

@@ -0,0 +1,187 @@
+{ config, lib, fp, pkgs, ... }:
+let
+  cfg = config.services.taler;
+  inherit (cfg.settings.taler) CURRENCY;
+in {
+  sops.secrets.exchange-offline-master = {
+    format = "binary";
+    sopsFile = fp /secrets/kvernberg/exhange-offline-master.priv;
+  };
+
+  services.taler.exchange = {
+    enable = true;
+    debug = true;
+    denominationConfig = ''
+      ## Old denomination names cannot be used again
+      # [COIN-${CURRENCY}-k1-1-0]
+
+      ## NOK Denominations
+      [coin-${CURRENCY}-nok-1-0]
+      VALUE = ${CURRENCY}:1
+      DURATION_WITHDRAW = 7 days
+      DURATION_SPEND = 1 years
+      DURATION_LEGAL = 3 years
+      FEE_WITHDRAW = ${CURRENCY}:0
+      FEE_DEPOSIT = ${CURRENCY}:0
+      FEE_REFRESH = ${CURRENCY}:0
+      FEE_REFUND = ${CURRENCY}:0
+      RSA_KEYSIZE = 2048
+      CIPHER = RSA
+      
+      [coin-${CURRENCY}-nok-5-0]
+      VALUE = ${CURRENCY}:5
+      DURATION_WITHDRAW = 7 days
+      DURATION_SPEND = 1 years
+      DURATION_LEGAL = 3 years
+      FEE_WITHDRAW = ${CURRENCY}:0
+      FEE_DEPOSIT = ${CURRENCY}:0
+      FEE_REFRESH = ${CURRENCY}:0
+      FEE_REFUND = ${CURRENCY}:0
+      RSA_KEYSIZE = 2048
+      CIPHER = RSA
+
+      [coin-${CURRENCY}-nok-10-0]
+      VALUE = ${CURRENCY}:10
+      DURATION_WITHDRAW = 7 days
+      DURATION_SPEND = 1 years
+      DURATION_LEGAL = 3 years
+      FEE_WITHDRAW = ${CURRENCY}:0
+      FEE_DEPOSIT = ${CURRENCY}:0
+      FEE_REFRESH = ${CURRENCY}:0
+      FEE_REFUND = ${CURRENCY}:0
+      RSA_KEYSIZE = 2048
+      CIPHER = RSA
+      
+      [coin-${CURRENCY}-nok-20-0]
+      VALUE = ${CURRENCY}:20
+      DURATION_WITHDRAW = 7 days
+      DURATION_SPEND = 1 years
+      DURATION_LEGAL = 3 years
+      FEE_WITHDRAW = ${CURRENCY}:0
+      FEE_DEPOSIT = ${CURRENCY}:0
+      FEE_REFRESH = ${CURRENCY}:0
+      FEE_REFUND = ${CURRENCY}:0
+      RSA_KEYSIZE = 2048
+      CIPHER = RSA
+      
+      [coin-${CURRENCY}-nok-50-0]
+      VALUE = ${CURRENCY}:50
+      DURATION_WITHDRAW = 7 days
+      DURATION_SPEND = 1 years
+      DURATION_LEGAL = 3 years
+      FEE_WITHDRAW = ${CURRENCY}:0
+      FEE_DEPOSIT = ${CURRENCY}:0
+      FEE_REFRESH = ${CURRENCY}:0
+      FEE_REFUND = ${CURRENCY}:0
+      RSA_KEYSIZE = 2048
+      CIPHER = RSA
+      
+      [coin-${CURRENCY}-nok-100-0]
+      VALUE = ${CURRENCY}:100
+      DURATION_WITHDRAW = 7 days
+      DURATION_SPEND = 1 years
+      DURATION_LEGAL = 3 years
+      FEE_WITHDRAW = ${CURRENCY}:0
+      FEE_DEPOSIT = ${CURRENCY}:0
+      FEE_REFRESH = ${CURRENCY}:0
+      FEE_REFUND = ${CURRENCY}:0
+      RSA_KEYSIZE = 2048
+      CIPHER = RSA
+      
+      [coin-${CURRENCY}-nok-200-0]
+      VALUE = ${CURRENCY}:200
+      DURATION_WITHDRAW = 7 days
+      DURATION_SPEND = 1 years
+      DURATION_LEGAL = 3 years
+      FEE_WITHDRAW = ${CURRENCY}:0
+      FEE_DEPOSIT = ${CURRENCY}:0
+      FEE_REFRESH = ${CURRENCY}:0
+      FEE_REFUND = ${CURRENCY}:0
+      RSA_KEYSIZE = 2048
+      CIPHER = RSA
+      
+      [coin-${CURRENCY}-nok-500-0]
+      VALUE = ${CURRENCY}:500
+      DURATION_WITHDRAW = 7 days
+      DURATION_SPEND = 1 years
+      DURATION_LEGAL = 3 years
+      FEE_WITHDRAW = ${CURRENCY}:0
+      FEE_DEPOSIT = ${CURRENCY}:0
+      FEE_REFRESH = ${CURRENCY}:0
+      FEE_REFUND = ${CURRENCY}:0
+      RSA_KEYSIZE = 2048
+      CIPHER = RSA
+      
+      [coin-${CURRENCY}-nok-1000-0]
+      VALUE = ${CURRENCY}:1000
+      DURATION_WITHDRAW = 7 days
+      DURATION_SPEND = 1 years
+      DURATION_LEGAL = 3 years
+      FEE_WITHDRAW = ${CURRENCY}:0
+      FEE_DEPOSIT = ${CURRENCY}:0
+      FEE_REFRESH = ${CURRENCY}:0
+      FEE_REFUND = ${CURRENCY}:0
+      RSA_KEYSIZE = 2048
+      CIPHER = RSA
+
+      ## PVV Special Prices
+      # 2024 pizza egenandel
+      [coin-${CURRENCY}-pvv-64-0]
+      VALUE = ${CURRENCY}:64
+      DURATION_WITHDRAW = 7 days
+      DURATION_SPEND = 1 years
+      DURATION_LEGAL = 3 years
+      FEE_WITHDRAW = ${CURRENCY}:0
+      FEE_DEPOSIT = ${CURRENCY}:0
+      FEE_REFRESH = ${CURRENCY}:0
+      FEE_REFUND = ${CURRENCY}:0
+      RSA_KEYSIZE = 2048
+      CIPHER = RSA
+    '';
+    settings = {
+      exchange = {
+        inherit (config.services.taler.settings.taler) CURRENCY CURRENCY_ROUND_UNIT; 
+        MASTER_PUBLIC_KEY = "J331T37C8E58P9CVE686P1JFH11DWSRJ3RE4GVDTXKES9M24ERZG";
+        BASE_URL = "https://exchange.kvernberg.pvv.ntnu.no/";
+        TERMS_DIR = "${./terms}";
+        TERMS_ETAG = "0";
+        ENABLE_KYC = "NO";
+      };
+      exchange-offline = {
+        MASTER_PRIV_FILE = config.sops.secrets.exchange-offline-master.path;
+      };
+      exchange-account-test = {
+        PAYTO_URI = "payto://x-taler-bank/bank.kvernberg.pvv.ntnu.no/exchange?receiver-name=Exchange";
+        ENABLE_DEBIT = "YES";
+        ENABLE_CREDIT = "YES";
+      };
+      exchange-accountcredentials-test = {
+        WIRE_GATEWAY_URL = "https://bank.kvernberg.pvv.ntnu.no/accounts/exchange/taler-wire-gateway/";
+        WIRE_GATEWAY_AUTH_METHOD = "BASIC";
+        USERNAME = "exchange";
+        PASSWORD = "exchange";
+      };
+      "currency-${CURRENCY}" = {
+        ENABLED = "YES";
+        CODE = "SCHPENN";
+        NAME = "SCHPENN";
+        FRACTIONAL_NORMAL_DIGITS = 0;
+        FRACTIONAL_INPUT_DIGITS = 0;
+        FRACTIONAL_TRAILING_ZERO_DIGITS = 0;
+        ALT_UNIT_NAMES = "{\"0\": \"S\"}";
+      };
+    };
+  };
+
+  services.nginx.virtualHosts."exchange.kvernberg.pvv.ntnu.no" = {
+    enableACME = true;
+    forceSSL = true;
+    kTLS = true;
+    locations."/" = {
+      proxyPass = "http://127.0.0.1:8081";
+      extraConfig = ''
+        proxy_read_timeout 300s;
+      '';
+    };
+  };
+}

hosts/kvernberg/services/pvvvvvv/terms/en/0.txt

@@ -0,0 +1,147 @@
+Terms of Service
+================
+
+Last update: 19.11.2024
+----------------------
+
+Welcome! A subset of PVVers who cares about Dibbler (“we,” “our,” or “us”) provides a experimental payment service
+through our Internet presence (collectively the “Services”). Before using our
+Services, please read the Terms of Service (the “Terms” or the “Agreement”)
+carefully.
+
+Overview
+--------
+
+This section provides a brief summary of the highlights of this
+Agreement. Please note that when you accept this Agreement, you are accepting
+all of the terms and conditions and not just this section. We and possibly
+other third parties provide Internet services which interact with the Taler
+Wallet’s self-hosted personal payment application. When using the Taler Wallet
+to interact with our Services, you are agreeing to our Terms, so please read
+carefully.
+
+Research
+----------
+
+This is research, any dibbler credits sent to the dibbler account could be lost at any time.
+We would make an effort to send the credits back to their canonical owners, but this may be difficult.
+We make no guarantees on the state of this. The dibbler economy is totally unsecured, and so are these services!
+Usage is wholly on your own risk.
+
+Highlights:
+-----------
+
+* You are responsible for keeping the data in your Taler Wallet at all times under your control. Any losses arising from you not being in control of your private information are your problem.
+
+* For our Services, we may charge transaction fees. The specific fee structure is provided based on the Taler protocol and should be shown to you when you withdraw electronic coins using a Taler Wallet. You agree and understand that the Taler protocol allows for the fee structure to change.
+
+* You agree to not intentionally overwhelm our systems with requests and follow responsible disclosure if you find security issues in our services.
+
+* We cannot be held accountable for our Services not being available due to circumstances beyond our control. If we modify or terminate our services, we will try to give you the opportunity to recover your funds. However, given the experimental state of the Services today, this may not be possible. You are strongly advised to limit your use of the Service to small-scale experiments expecting total loss of all funds.
+
+These terms outline approved uses of our Services. The Services and these
+Terms are still at an experimental stage. If you have any questions or
+comments related to this Agreement, please send us a message on IRC, or on our Matrix server.
+If you do not agree to this Agreement, you must not use our Services.
+
+How you accept this policy
+--------------------------
+
+By sending funds to us (to top-up your Taler Wallet), you acknowledge that you
+have read, understood, and agreed to these Terms. We reserve the right to
+change these Terms at any time. If you disagree with the change, we may in the
+future offer you with an easy option to recover your unspent funds. However,
+in the current experimental period you acknowledge that this feature is not
+yet available, resulting in your funds being lost unless you accept the new
+Terms. If you continue to use our Services other than to recover your unspent
+funds, your continued use of our Services following any such change will
+signify your acceptance to be bound by the then current Terms. Please check
+the effective date above to determine if there have been any changes since you
+have last reviewed these Terms.
+
+Services
+--------
+
+We will try to transfer funds that we hold in escrow for our users to any
+legal recipient to the best of our ability and within the limitations of the
+law and our implementation. However, the Services offered today are highly
+experimental and the set of recipients of funds is severely restricted. The
+Taler Wallet can be loaded by exchanging ordinary dibbler credit for electronic
+coins. We are providing this exchange service. Once your Taler Wallet is
+loaded with electronic coins they can be spent for purchases if the seller is
+accepting Taler as a means of payment. We are not guaranteeing that any seller
+is accepting Taler at all or a particular seller. The seller or recipient of
+deposits of electronic coins must specify the target account, as per the
+design of the Taler protocol. They are responsible for following the protocol
+and specifying the correct dibbler account, and are solely liable for any losses
+that may arise from specifying the wrong account. We will allow the government
+to link wire transfers to the underlying contract hash. It is the
+responsibility of recipients to preserve the full contracts and to pay
+whatever taxes and charges may be applicable. Technical issues may lead to
+situations where we are unable to make transfers at all or lead to incorrect
+transfers that cannot be reversed. We will only refuse to execute transfers if
+the transfers are prohibited by a competent legal authority and we are ordered
+to do so.
+
+When using our Services, you agree to not take any action that intentionally
+imposes an unreasonable load on our infrastructure. If you find security
+problems in our Services, you agree to first report them to
+security@taler-systems.com and grant us the right to publish your report. We
+warrant that we will ourselves publicly disclose any issues reported within 3
+months, and that we will not prosecute anyone reporting security issues if
+they did not exploit the issue beyond a proof-of-concept, and followed the
+above responsible disclosure practice.
+
+Fees
+----
+
+You agree to pay the fees for exchanges and withdrawals completed via the
+Taler Wallet ("Fees") as defined by us, which we may change from time to
+time.
+
+
+Copyrights and trademarks
+-------------------------
+
+The Taler Wallet is released under the terms of the GNU General Public License
+(GNU GPL). You have the right to access, use, and share the Taler Wallet, in
+modified or unmodified form. However, the GPL is a strong copyleft license,
+which means that any derivative works must be distributed under the same
+license terms as the original software. If you have any questions, you should
+review the GNU GPL’s full terms and conditions on the GNU GPL Licenses page 
+(https://www.gnu.org/licenses/). “Taler” itself is a trademark
+of Taler Systems SA. You are welcome to use the name in relation to processing
+payments based on the Taler protocol, assuming your use is compatible with an
+official release from the GNU Project that is not older than two years.
+
+
+
+Discontinuance of services and Force majeure
+--------------------------------------------
+
+We may, in our sole discretion and without cost to you, with or without prior
+notice, and at any time, modify or discontinue, temporarily or permanently,
+any portion of our Services. We will use the Taler protocol’s provisions to
+notify Wallets if our Services are to be discontinued. It is your
+responsibility to ensure that the Taler Wallet is online at least once every
+three months to observe these notifications. We shall not be held responsible
+or liable for any loss of funds in the event that we discontinue or depreciate
+the Services and your Taler Wallet fails to transfer out the coins within a
+three months notification period.
+
+We shall not be held liable for any delays, failure in performance, or
+interruptions of service which result directly or indirectly from any cause or
+condition beyond our reasonable control, including but not limited to: any
+delay or failure due to any act of God, act of civil or military authorities,
+act of terrorism, civil disturbance, war, strike or other labor dispute, fire,
+interruption in telecommunications or Internet services or network provider
+services, failure of equipment and/or software, other catastrophe, or any
+other occurrence which is beyond our reasonable control and shall not affect
+the validity and enforceability of any remaining provisions.
+
+
+Questions or comments
+---------------------
+
+We welcome comments, questions, concerns, or suggestions. Please send us a
+message via the usual communication channels at PVV

hosts/tuba/configuration.nix

@@ -1,36 +0,0 @@
-{ config, pkgs, values, ... }:
-{
-  imports = [
-      # Include the results of the hardware scan.
-      ./hardware-configuration.nix
-      ../../base.nix
-      ../../misc/metrics-exporters.nix
-
-      ./services/openvpn
-    ];
-
-  boot.loader.systemd-boot.enable = true;
-  boot.loader.efi.canTouchEfiVariables = true;
-
-  networking.hostName = "tuba";
-
-  # systemd.network.networks."30-eno1" = values.defaultNetworkConfig // {
-  #   matchConfig.Name = "eno1";
-  #   address = with values.hosts.georg; [ (ipv4 + "/25") (ipv6 + "/64") ];
-  # };
-
-  # List packages installed in system profile
-  environment.systemPackages = with pkgs; [
-  ];
-
-  # List services that you want to enable:
-
-  # This value determines the NixOS release from which the default
-  # settings for stateful data, like file locations and database versions
-  # on your system were taken. It‘s perfectly fine and recommended to leave
-  # this value at the release version of the first install of this system.
-  # Before changing this value read the documentation for this option
-  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
-  system.stateVersion = "23.05"; # Did you read the comment?
-
-}

hosts/tuba/services/openvpn/default.nix

@@ -1,54 +0,0 @@
-{ lib, values, ... }:
-{
-  services.openvpn.servers."ov-tunnel" = {
-    config = let
-      conf = {
-        # TODO: use aliases
-        client = true;
-        dev = "tap";
-        proto = "udp";
-        remote = "129.241.210.191 1194";
-
-        resolv-retry = "infinite";
-        nobind = true;
-
-        # # TODO: set up
-        ca = "";
-        cert = "";
-        key = "";
-        remote-cert-tls = "server";
-        cipher = "none";
-
-        user = "nobody";
-        group = "nobody";
-
-        status = "/var/log/openvpn-status.log";
-
-        persist-key = true;
-        persist-tun = true;
-
-        verb = 5;
-
-        # script-security = 2;
-        # up = "systemctl restart rwhod";
-      };
-    in lib.pipe conf [
-      (lib.filterAttrs (_: value: !(builtins.isNull value || value == false)))
-      (builtins.mapAttrs (_: value:
-        if builtins.isList value then builtins.concatStringsSep " " (map toString value)
-        else if value == true then value
-        else if builtins.any (f: f value) [
-          builtins.isString
-          builtins.isInt
-          builtins.isFloat
-          lib.isPath
-          lib.isDerivation
-        ] then toString value
-        else throw "Unknown value in tuba openvpn config, deading now\n${value}"
-      ))
-      (lib.mapAttrsToList (name: value: if value == true then name else "${name} ${value}"))
-      (builtins.concatStringsSep "\n")
-      (x: x + "\n\n")
-    ];
-  };
-}

hosts/ustetind/configuration.nix

@@ -1,44 +0,0 @@
-{ config, fp, pkgs, lib, values, ... }:
-
-{
-  imports = [
-    (fp /base)
-    (fp /misc/metrics-exporters.nix)
-
-    ./services/gitea-runners.nix
-  ];
-
-  sops.defaultSopsFile = fp /secrets/ustetind/ustetind.yaml;
-  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
-  sops.age.keyFile = "/var/lib/sops-nix/key.txt";
-  sops.age.generateKey = true;
-
-  networking.hostName = "ustetind";
-
-  networking.useHostResolvConf = lib.mkForce false;
-
-  systemd.network.networks = {
-    "30-lxc-eth" = values.defaultNetworkConfig // {
-      matchConfig = {
-        Type = "ether";
-        Kind = "veth";
-        Name = [
-          "eth*"
-        ];
-      };
-      address = with values.hosts.ustetind; [ (ipv4 + "/25") (ipv6 + "/64") ];
-    };
-    "40-podman-veth" = values.defaultNetworkConfig // {
-      matchConfig = {
-        Type = "ether";
-        Kind = "veth";
-        Name = [
-          "veth*"
-        ];
-      };
-      DHCP = "yes";
-    };
-  };
-
-  system.stateVersion = "24.11";
-}

secrets/bekkalokk/bekkalokk.yaml

@@ -5,9 +5,12 @@ gitea:
     database: ENC[AES256_GCM,data:UlS33IdCEyeSvT6ngpmnkBWHuSEqsB//DT+3b7C+UwbD8UXWJlsLf1X8/w==,iv:mPRW5ldyZaHP+y/0vC2JGSLZmlkhgmkvXPk4LazkSDs=,tag:gGk6Z/nbPvzE1zG+tJC8Sw==,type:str]
     email-password: ENC[AES256_GCM,data:KRwC+aL1aPvJuXt91Oq1ttATMnFTnuUy,iv:ats8TygB/2pORkaTZzPOLufZ9UmvVAKoRcWNvYF1z6w=,tag:Do0fA+4cZ3+l7JJyu8hjBg==,type:str]
     passwd-ssh-key: ENC[AES256_GCM,data:L0lF0wvpayss1NU9m3A45cH0bCMQzODTFVrq6EPd1JHx54wIcoaRBYLmxXKXASzBlCg9zlwXMUIk3OQcS3kdzMKL0iqcSL2iicAcKjFIHyrWLqXgwV5pRSP/tRPcVw8KW8gz0bh33EgESs5ReddZ3VZ0Cy1s2YupMRQvBXr89k1+Hv70OWB6P06hvxhv/zKcMGI1N/dWLroMgrQuT9imw4+/Q1RqwzTYeEU+eUn24AM9GjcBg4qf3OI+6g0nXUat/upIYE28iF5J3lbUSmDSmirBLc8xgHLdOyyJPTObWYWYxlSL78T7IqiMm9lI3rtBlpJDDcn/YxZpVqN5bg2154GISNK+uR0TVSLdJ+drdGHIfIX3G78XSxf2L9rbJyRn8MQlgStfdBIQicLavQKVMrmj+XQfvEMez23WbPLjH4oViBQFI+GrOHOGy/f16cz8Sn4n+69OcsOeTxs3tKYdfq6r1XLYSJ/fe/zvxBpaZiyGXljsuyEdIyBL2A8D6uSXe3Nd3/DAdBtceFfIdN1olCdutixzVWgxaJnrel161z5A/4w=,iv:Uy46yY3jFYSvpxrgCHxRMUksnWfhf5DViLMvCXVMMl4=,tag:wFEJ5+icFrOKkc56gY0A5g==,type:str]
-    gpg-signing-key: ENC[AES256_GCM,data:y/g1rpsEgiGEJ9BGii6te166ABpg1jgsyYMT1Ji5njLbT8/juBBMc7BFEM5BcIxKpQGijymsB+Htl8CZAN4Bl3FHSRyrnXGuMCnveJfw1qTVjMa6soriHv7EdTDFPCp3TYMbs1OgY/bhGJIvp8e4hCVd4F3x8eAlFmiwHhkxr62qQNHjH7SRNIyUNibf/TTttOeEcercxOy7FeUE99D+CWG4pnJNEYyRHDdddalgpSJyZIJvPpXoKmeCDk3futnxiZ15Vr7bDS5u4dqnE+no7DKoZ5fvk38f/77JH3w/Qom7NCYSG6L+unJ3r3RKuuGMRDjdz09TPZ4APpmrlyOElfGMmm134g6mdhgXmwNCo65Z7VOd1OKFA/uyZm2b7XsT3tCgRalE8gBa0R3MBMi3JK+5KUdS6ZUvYXDt8D8C68ldM3K9E7lyeeHn775rV6L4JIXcj/NL1O23sXtjeVuUPQmsUesgYlllRaiTSTfY7K+yOIG3wqqCuCDSAeILQICkvod4iw4xdVMQzd8eQtbD6bCjOzHwvBcu+rOSN6ti+xOQ7bJ9+6xhCgJJsiADkp2q09cUu8mDbUh+YJxfu+oZhPomOJVDMSqfS4qNXcVM9mbak/L9KPR4b83GqTpmXHnDMlGe4BHGXrkIUKPsBQ5TmdckXbpRDBQFrnjVvFT+Gfx3xwHxWc9fbxcFID2wp69EzQrGC77bDPCFxBT5vAVwffGYUezPQEo25bKRpCWxTFTpiIQfACrwzZc/O9cmwDgrYN7bTZyrrp8cbyBtllZGYmXxLDkDOzIqzpLG3b0yJC2jSnw0f1DkU6M2mD/j9FRTVW1MVymyLPiZQ7T9QyZ3MekHEEY1QqmyiJMIOekSzC5+3Us6Nl32MeBrIry6NuV8ewIQF5bcZEHtSmZ0k/wBtK0fpFHUuc/vETFuRUiQw/InhN5W8iH78vFvflxBfg61Qp7PzEx0k0axwEc6VAKbEg/uFNL+fhUKKt7sYiEBmwg2Vsj3pyZgdmjPZEsOQ86+psaxv+2feH94wog47jDHFRrc4iRC5w7kZ6UJXHfZt9lkBbwl4qNwiOLlPnUUcR+CpTBpPoKD9ulidQGfcYY49+iE+PM5dAI2CtisKpLQiwmrvjOzB1a/rC9QnH679frgH5Ebb57WRL4uSAVNRdIvIGzAF5MNwQOu+cxKoiW6ZmuNJSb547XUB1UO,iv:aKzrgAV30sLfPEpgdQ26ZzdM3+gYtoSpZ9mNyqCqf/M=,tag:vjywN4qxh2zsCE3RPG6Yrw==,type:str]
     ssh-known-hosts: ENC[AES256_GCM,data:zlRLoelQeumMxGqPmgMTB69X1RVWXIs2jWwc67lk0wrdNOHUs5UzV5TUA1JnQ43RslBU92+js7DkyvE5enGzw7zZE5F1ZYdGv/eCgvkTMC9BoLfzHzP6OzayPLYEt3xJ5PRocN8JUAD55cuu4LgsuebuydHPi2oWOfpbSUBKSeCh6dvk5Pp1XRDprPS5SzGLW8Xjq98QlzmfGv50meI9CDJZVF9Wq/72gkyfgtb3YVdr,iv:AF06TBitHegfWk6w07CdkHklh4ripQCmA45vswDQgss=,tag:zKh7WVXMJN2o9ZIwIkby3Q==,type:str]
     import-user-env: ENC[AES256_GCM,data:wArFwTd0ZoB4VXHPpichfnmykxGxN8y2EQsMgOPHv7zsm6A+m2rG9BWDGskQPr5Ns9o=,iv:gPUzYFSNoALJb1N0dsbNlgHIb7+xG7E9ANpmVNZURQ0=,tag:JghfRy2OcDFWKS9zX1XJ9A==,type:str]
+    runners:
+        alpha: ENC[AES256_GCM,data:gARxCufePz+EMVwEwRsL2iZUfh9HUowWqtb7Juz3fImeeAdbt+k3DvL/Nwgegg==,iv:3fEaWd7v7uLGTy2J7EFQGfN0ztI0uCOJRz5Mw8V5UOU=,tag:Aa6LwWeW2hfDz1SqEhUJpA==,type:str]
+        beta: ENC[AES256_GCM,data:DVjS78IKWiWgf+PuijCZKx4ZaEJGhQr7vl+lc7QOg1JlA4p9Kux/tOD8+f2+jA==,iv:tk3Xk7lKWNdZ035+QVIhxXy2iJbHwunI4jRFM4It46E=,tag:9Mr6o//svYEyYhSvzkOXMg==,type:str]
+        epsilon: ENC[AES256_GCM,data:JMnZVBdiy+5oPyXgDpfYvy7qLzIEfHy09fQSBDpNG4zDXTil2pSKBKxk09h5xg==,iv:/8oXKJW6+sMBjDt51MqVAWjQPM5nk02Lv5QqbZsZ5ms=,tag:+Rx7ursfVWc0EcExCLgLhQ==,type:str]
 mediawiki:
     password: ENC[AES256_GCM,data:HsBuA1E7187roGnKuFPfPDYxA16GFjAUucgUtrdUFmcOzmTNiFH+NWY2ZQ==,iv:vDYUmmZftcrkDtJxNYKAJSx9j+AQcmQarC62QRHR4IM=,tag:3TKjNrGRivFWoK3djC748g==,type:str]
     postgres_password: ENC[AES256_GCM,data:XIOmrOVXWvMMcPJtmovhdyZvLlhmrsrwjuMMkdEY1NIXWjevj5XEkp6Cpw==,iv:KMPTRzu3H/ewfEhc/O0q3o230QNkABfPYF/D1SYL2R8=,tag:sFZiFPHWxwzD9HndPmH3pQ==,type:str]
@@ -94,8 +97,8 @@ sops:
             UHpLRkdQTnhkeGlWVG9VS1hkWktyckEKAdwnA9URLYZ50lMtXrU9Q09d0L3Zfsyr
             4UsvjjdnFtsXwEZ9ZzOQrpiN0Oz24s3csw5KckDni6kslaloJZsLGg==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-12-09T21:18:23Z"
-    mac: ENC[AES256_GCM,data:scdduZPcJZgeT9LarRgxVr/obYsGrJAbMoLGJPPPp19qxOJMTdvYfMz8bxPjCikB4MacEgVZmcnKIn5aCzHJAnCI/7F2wm1DDtW9ZI5qbhDJKSSld+m2leOSPfR8VY/0qj6UNgGnwkwx7dfcAlv8cP2Sp3o1M2oyQxeXPr5FWEg=,iv:JEAwkCewMp0ERmYU62kZkbl7+FET1ZeRr6xeEwt6ioM=,tag:jxvli935X3JyZYe7fFbnLg==,type:str]
+    lastmodified: "2024-10-12T21:56:27Z"
+    mac: ENC[AES256_GCM,data:bZ1BbVC6D+B6SFze2ReeCUcQamK/O14zH3YxCjWBwMC++w3niIiEx4Bq7Ulci5yuMld0luVsfUzHoqFN/+zvZbV2rGVk8lVRiTrpFoSZ78aUUgeHG9ROLXsR7T7rVhLWbl86y1G5LcKws7G55V0wAh6f58WjYYzwR8fnBmfW1Ko=,iv:7xtMdtXQB9uZirE/CkUSmeu0qnG++R7DUR7zn/Bo0lM=,tag:DH/BJPpAp//quDqKNXyHcg==,type:str]
     pgp:
         - created_at: "2024-08-04T00:03:28Z"
           enc: |-

secrets/kvernberg/exhange-offline-master.priv

@@ -0,0 +1,24 @@
+{
+	"data": "ENC[AES256_GCM,data:dhVo1B+ZG1B6s0bTLgph4ipPmi0mveaObbJAffDQbpY=,iv:P5plvu4DQYa99cQZQ6B/gEFcSffu3lTY3+Z80Cfoj94=,tag:4xcqCbn6fFSmCbYmmEgQEg==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": [
+			{
+				"recipient": "age19rlntxt0m27waa0n288g9wgpksa6ndlzz8eneeqya7w3zd7may0sqzhcvz",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5MzVHSE15Nk9MODQxc2g0\nbHlqNmFKclBYbUNKQTNUOGo0VThiaEZTVzJFCmU2YkYwMXlyeHM3ZzAxOWZpa3k4\nUUJLanVFbkNMa25RcGZmOTBsVmtzazQKLS0tIE1sTTBqT3VJMDFOYXl0T1JvcDRV\nRFpsZGNOZzFzMFc3YzcxeXdIK1d6QUUKzy0n7DJsOmrNvU03Tn6Zcj/l/kAylzzP\nhNnFLXfStdKl3A/qrzBPhTVbYD73yFkZuQ+bDr7/IMsHAmDsztuA9g==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age17tagmpwqjk3mdy45rfesrfey6h863x8wfq38wh33tkrlrywxducs0k6tpq",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnbEdBWjdEbmtNYWJHQnFj\nSU1yb0NYVG4xVlZkYTdUWUpDcGdmbFF6U1NrCjBlWFZkcC9FMVJLYUtDNlBTUWcw\nNHBwWFNESDBQQmJNb3NDN2tDekM4eUUKLS0tICtMVGc1L2JFQ1BqKzM3eWFPRmRQ\nWXlQUWpvdUdOUlZ1OFhtS0ErL0JKSlUKzxLKbsnXvEqnR2HVsTxNqmM7YPjWfCjG\nZ4Bf046NdseomkNuTvWuPzjzPTe4GvjudMYc4ODchkIMOo6hXyf5kw==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2024-11-17T01:12:23Z",
+		"mac": "ENC[AES256_GCM,data:aXIM/pmgVmfNSa+PwpfK6Efh/kCWXUqZNcKLkyhRwl++vaIBQUIQgQjv09hWHOF77V3ZjRQjh2E1uNe2baBLEmrDT5Au+7VABW+j49KX/vKMd+1l4w47l3DukOVnoo50bsOQFtH+amSl2P2imxpO15sjVDu9/nUeu2qXrtbIUh8=,iv:BQVs3P9p86uzTH2BfuSOxycpE6di4ZIwSz7OTZdcQPg=,tag:mT4Ek8dDbVINGp4Odt62zw==,type:str]",
+		"pgp": null,
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.9.1"
+	}
+}

secrets/ustetind/ustetind.yaml

@@ -1,90 +0,0 @@
-gitea:
-    runners:
-        alpha: ENC[AES256_GCM,data:aAFv+/ygC7oxGT3qnoEf+AZL3Nk1yOq3HupL9l0j8P913GefPKqlBt/mbuRVug==,iv:usXElENwbOHxUdoqHScK7PjeZavXUwoxpQWEMjxU2u4=,tag:E8OzZ9pmxIru7Glgh7v0lg==,type:str]
-        beta: ENC[AES256_GCM,data:riRSBDzX9DAxKl2UCds1ANddl3ij+byAgigOafJ5RjWl8cNVlowK21klBiKTxw==,iv:clijEUKX9o52p5A94eEW0f8qGGhFpy/LFe+uQG/iQLg=,tag:PchXbsZMnW//O7brEAEeWw==,type:str]
-        epsilon: ENC[AES256_GCM,data:lUt8uaqh9eC1IdIUfiw3dzxcDErSWaiT9lzg4ONf/QZeXj7Do7Es0GXBFd41Hw==,iv:hPm5Lez5ISHIlw1+i4z/oBsh4H5ZXPVYnXXSGq1eal0=,tag:/KcmPw30622tN9ruMUwfUw==,type:str]
-sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
-    age:
-        - recipient: age1hffjafs4slznksefmtqrlj7rdaqgzqncn4un938rhr053237ry8s3rs0v8
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIYVl6ZnI5TkhxK0JKNnlL
-            WE5YZUZ2T1JEbCtvSVUxemZ1QUs4R2pjMWc0ClJ0cnU0c0d5bU5jWU1aVGd6WE45
-            Wm9OT0xPaTJ3Y2kxMU5RTHdRKy81b2sKLS0tIEx4SkFoV240VUJieWFlc3hRWU1Y
-            SWlwZnNOT3paRHRsTC9CQUp5SlBvTncKdcMI8pWtsfBpgeUagOmZUXIC6svkfmwE
-            QF3GpWZgeVvo8e2oT2kBjerCDlUlzd0jJ8aK+B56xifTm7ii3oCAIA==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age17tagmpwqjk3mdy45rfesrfey6h863x8wfq38wh33tkrlrywxducs0k6tpq
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3QVBaQWlSZk43dEtHVWF1
-            WmFBcmx3eFUvU2lrd0RCUGx3a2hDWHEzTUR3Cm9BclM3OU9SUnpySDZJZHRudmtO
-            Ulp5OEZvZmMyRGJvQXJnUDVLdVRJUVkKLS0tIHE3M3MycE9pU1huYUREN3luWEZV
-            WlNuN3BWeHhqL1dEOUJBSVNTaVJ3eTgKb5MRfeaay22PI9V5hni5mhnb0QF8PG8H
-            bKWbc2SwdMNolrxhUiiIhdppEtXGHqLyBel786tuOdtEwVcy+m/rtA==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1mrnldl334l2nszuta6ywvewng0fswv2dz9l5g4qcwe3nj4yxf92qjskdx6
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQaDB6enozMFpqcWxFdU93
-            MEg5RTRzZExzWGppenlBTlZZRlpqWDBPT0UwCnhOaXI5R3Jrd0hWY0xqc1VXaDJZ
-            TUxwSTZDcHd0bnZPR2N2d0JVTUJONnMKLS0tIENzOW9PM0tQSndVNmF1bTZ4anpw
-            b1RzL0NEOWg0dGZUa0Jpd3hiTlRGSm8KleRV5c/Xoe0B1VtnR3y0sgXpmhMS8pKl
-            TWaAQTRlM9X2Pk5M/J/bu369ncmw/kycJKjK6W1yluaGwBNuEP+K4Q==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1hmpdk4h69wxpwqk9tkud39f66hprhehxtzhgw97r6dvr7v0mx5jscsuhkn
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0N1JvRVE0Y0xOMERMVXdB
-            enZiNk1DZTJTUnluRVBIWm9WNmFPc21rU0FZCjBIeHErSHgveFFFdk9ybWwrRXZG
-            WGpVcHliUW9Qb3dLb2Q0aWlrZmpiVm8KLS0tIG0wcXJVK2dMeG9NUTFQSzVtY2RG
-            UE1FS3MvSXlxdEtJVWxJVDRFSkRmQkkK/2z7Lu6LVd6RLZAXKs+JsPc+1kcqFAET
-            0zlTTTU0goTBLuXZ7uxFVZtqc1Nmoarf5Ksm/zcZ2B80P5ox9CzcWQ==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1wrssr4z4g6vl3fd3qme5cewchmmhm0j2xe6wf2meu4r6ycn37anse98mfs
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4SFpKcVBTTlp3SXhVaGQy
-            QVVEV3h6dTZVcmx6aFc1eHF4UzJPbXQ2RnhvCkZiOEYydWhCYUtwcUdieGpBeTZh
-            Z3dYVno5bFNkOUszNHBJNTdQWS9jUTQKLS0tIEhPVEdLK0RaclVvdklFNUJCcHNi
-            OXVobVJCTjhQZ2RTQ21xK2dUY0h5RGcKcPBgD5FIWuyQBhmPt5aqrWgEG1tzhtr0
-            gVyLxgtMFGeeShjdpivgcWI/GZZlhWJilJOoZo7f6TknvCIIKsrUSA==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1zhxul786an743u0fascv4wtc5xduu7qfy803lfs539yzhgmlq5ds2lznt5
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYWlhiS1dxekZGZkRCQU9O
-            SktHRHRXL2VhNUJSRVhBeEM5UEZ1R0pFdXdrCnZQOUZaYitpSlJ0aXFpZXFrRFJj
-            MmZiLytvekZtVXYzamJDakc1RjdIREEKLS0tICtiOTZMRGZuWEdHTmZwRjZ2dUNT
-            aU4xWjVYYlNvSmYxajVGdzk5dTQ4WG8Klq12bSegsW29xp4qteuCB5Tzis6EhVCk
-            53jqtYe5UG9MjFVQYiSi2jJz5/dxfqSINMZ/Y/EB5LxbwgbFws8Yuw==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-12-09T21:17:40Z"
-    mac: ENC[AES256_GCM,data:HensJbPU1Kx9aQNUhdtFkX/6qdxj7yby6GeSruOT+HYEtoq0py/zvMtdCqmfjc4AOptYlXdgK7w30P976dG1esjlYwF07qtVvAbUqvExkksuV4zp81VKHMXUOAyiQK79kLe3rx6cvEdUDbOjZOsxN02eRrcanN+7rJS6f7vNN88=,iv:PlePCik6JcOtVBQhhOj9khhp2LwwfXBwAGpzu4ywhTA=,tag:Clz+xX1Cffs8Zpv2LdsGVA==,type:str]
-    pgp:
-        - created_at: "2024-12-09T21:17:27Z"
-          enc: |-
-            -----BEGIN PGP MESSAGE-----
-
-            hQIMA0av/duuklWYARAAv2XS2jzoymOzpRHquUbYpUtbIeKXhPS8i9uk2zBvSKnr
-            b/jZCpvtkCcSz1UFm+HzSn/i1eNkj9ghObisifvqY6JbO0DIa1jFlx1TfE9pj8dE
-            rrNTsYfxNwdGOvklPBHm3vKY5qPiGlE71TaKkJcO79vE5jxwhUqzWI9SWAZY3cFw
-            IVJN44DT0I4ctTlwPM9eAYYodL8QP8OMXHJ/mjI4SPODRsvrOyy6rpip40Q+dU/N
-            DwRupzrRlxJ8BDSh/x6J/AryZSwkmChX9cYyGaDknJ3ONQ0XLhVUtLkAvPWtWeow
-            6NVHmUOJ39ockT1clhYy2P5rQTraZESuI7vaSS9zVIuScBnJwbSRZ5xgxSD6Fj+C
-            Y/JyogXa8FtyG6xeMgIwW7t/m/rbXL5OkP4w8D+CJs+4I55WXz054XOZ937EisVH
-            XAlNBIHixjQVckbb+sS7rEmegfoC+rvOXA0irpwXFiapAbMGUePCwQHdSBMP8orC
-            Tb3E8kqHATN40b8CpUBcPw6HCQKmbhe8o+R8NG6TZh6JH7kSztl2+SIIuMzhDflr
-            1AphY047Ku2RANaWfo+xyVZMWgAQcnoaUOeYaHJ9nZ7f2klJ3fnRtdXJn1gcO3i3
-            NZVRjjYHJgzCVCIZJa1b1TMGep84naF7NmRkNlS4wyv6MXGqSpHHZUGUBAQOCMPS
-            XAEqjZt8va0LKtsPsBOTGQDuzTar+2069fu6TjS07mJM2sTp/G8bGBnvjc0TIplZ
-            M5FOiCilI9yX7vQ0O3LUKJW5zELWnW2d+3okpGjgkr0BFERtM7BMCp6nxR6+
-            =rEY5
-            -----END PGP MESSAGE-----
-          fp: F7D37890228A907440E1FD4846B9228E814A2AAC
-    unencrypted_suffix: _unencrypted
-    version: 3.8.1

users/frero.nix

@@ -1,11 +0,0 @@
-{ pkgs, ... }:
-{
-  users.users.frero = {
-    isNormalUser = true;
-    extraGroups = [ "wheel" "drift" "nix-builder-users" ];
-    shell = pkgs.zsh;
-    openssh.authorizedKeys.keys = [
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII09JbtSUMurvmHpJ7TmUQctXpNVhjFYhoJ3+1ZITmMx"
-    ];
-  };
-}

values.nix

@@ -21,12 +21,6 @@ in rec {
       ipv4 = pvv-ipv4 213;
       ipv6 = pvv-ipv6 213;
     };
-    grevling-tap = {
-      ipv4 = pvv-ipv4 251;
-    };
-    tuba-tap = {
-      ipv4 = pvv-ipv4 252;
-    };
   };
 
   hosts = {
@@ -66,17 +60,9 @@ in rec {
       ipv4 = pvv-ipv4 204;
       ipv6 = pvv-ipv6 "1:4f"; # Wtf øystein og daniel why
     };
-    ustetind = {
-      ipv4 = pvv-ipv4 234;
-      ipv6 = pvv-ipv6 234;
-    };
-    grevling = {
-      ipv4 = pvv-ipv4 198;
-      ipv6 = pvv-ipv6 198;
-    };
-    tuba = {
-      ipv4 = pvv-ipv4 199;
-      ipv6 = pvv-ipv6 199;
+    kvernberg = {
+      ipv4 = pvv-ipv4 206;
+      ipv6 = pvv-ipv6 "1:206";
     };
   };