sops: grr

Co-authored-by: Daniel Olsen <daniel.olsen99@gmail.com>

.sops.yaml

@@ -1,18 +1,19 @@
 keys:
   # Users
   - &user_danio age17tagmpwqjk3mdy45rfesrfey6h863x8wfq38wh33tkrlrywxducs0k6tpq
+  - &user_eirikwit age1ju7rd26llahz3g8tz7cy5ld52swj8gsmg0flrmrxngc0nj0avq3ssh0sn5
   - &user_felixalb age1mrnldl334l2nszuta6ywvewng0fswv2dz9l5g4qcwe3nj4yxf92qjskdx6
   - &user_oysteikt F7D37890228A907440E1FD4846B9228E814A2AAC
-  - &user_eirikwit age1ju7rd26llahz3g8tz7cy5ld52swj8gsmg0flrmrxngc0nj0avq3ssh0sn5
-  - &user_pederbs_sopp age1hmpdk4h69wxpwqk9tkud39f66hprhehxtzhgw97r6dvr7v0mx5jscsuhkn
-  - &user_pederbs_nord age1wrssr4z4g6vl3fd3qme5cewchmmhm0j2xe6wf2meu4r6ycn37anse98mfs
   - &user_pederbs_bjarte age1zhxul786an743u0fascv4wtc5xduu7qfy803lfs539yzhgmlq5ds2lznt5
+  - &user_pederbs_nord age1wrssr4z4g6vl3fd3qme5cewchmmhm0j2xe6wf2meu4r6ycn37anse98mfs
+  - &user_pederbs_sopp age1hmpdk4h69wxpwqk9tkud39f66hprhehxtzhgw97r6dvr7v0mx5jscsuhkn
 
   # Hosts
-  - &host_jokum age1gp8ye4g2mmw3may5xg0zsy7mm04glfz3788mmdx9cvcsdxs9hg0s0cc9kt
+  - &host_bakke age1syted6kt48sumjjucggh6r3uca4x2ppp4mfungf3lamkt2le05csc99633
-  - &host_ildkule age1x28hmzvuv6f2n66c0jtqcca3h9rput8d7j5uek6jcpx8n9egd52sqpejq0
   - &host_bekkalokk age12nj59tguy9wg882updc2vjdusx5srnxmjyfaqve4zx6jnnsaw3qsyjq6zd
   - &host_bicep age1sl43gc9cw939z5tgha2lpwf0xxxgcnlw7w4xem4sqgmt2pt264vq0dmwx2
+  - &host_ildkule age1x28hmzvuv6f2n66c0jtqcca3h9rput8d7j5uek6jcpx8n9egd52sqpejq0
+  - &host_jokum age1gp8ye4g2mmw3may5xg0zsy7mm04glfz3788mmdx9cvcsdxs9hg0s0cc9kt
 
 creation_rules:
   # Global secrets
@@ -78,3 +79,15 @@ creation_rules:
       - *user_pederbs_bjarte
       pgp:
       - *user_oysteikt
+
+  - path_regex: secrets/bakke/[^/]+\.yaml$
+    key_groups:
+    - age:
+      - *host_bakke
+      - *user_danio
+      - *user_felixalb
+      - *user_pederbs_sopp
+      - *user_pederbs_nord
+      - *user_pederbs_bjarte
+      pgp:
+      - *user_oysteikt

base/services/openssh.nix

@@ -11,11 +11,11 @@
     '';
     settings.PermitRootLogin = "yes";
 
+  };
     users.users."root".openssh.authorizedKeys.keys = [
       "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCqVt4LCe0YIttr9swFxjkjn37ZDY9JxwVC+2gvfSINDJorOCtqPjDOTD2fTS1Gz08QCwpnLWq2kyvRchu6WgriAbSACpbZZBgxRaF/FVh3oiMVFGnNKGnv6/fdo/vZtu8mUVuqtmTrgLYpZdbR4oD3XiBlDKs7Cv5hPqt95lnP6MNFvE8mICCfd1PwhsABd2IQ5laz3u77/RXhNFJL0Kf2/+6gk9awcLuwHrPdvq7c3BxRHbc9UMRQENyjyQPa7aLe+uJBFLKP51I8VBuDpDacuibQx7nMt6N2UJ2KWI0JxRMHuJNq4S5jidR82aOw9gzGbTv30SKNLMqsZ0xj4LtdqCXDiZF6Lr09PsJYsvnBUFWa14HGcThKDtgwQwBryNViYmfv//0h9+RLZiU0ab+NEwSs7Zh5iAD+vhx64QqNX3tR7Le4SWXh8W0eShU9N78qYdSkiC3Ui7htxeqOocXM/P4AwbnHsLELIvkHdvgchCPvl8ygZa4WJTEWv16+ICskJcAKWGuqjvXAFuwjJJmPp9xLW9O0DFfQhMELiGamQR9wK07yYQVr34iah6qZO7cwhSKyEPFrVPIaNtfDhsjED639F7vmktf26SWNJHWfW0wOHILjI6TgqUvy0JDd8W8w0CHlAfz6Fs2l99NNgNF8dB3vBASbxS0hu/y0PVu/xQ== openstack-sleipner"
 
       "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICCbgJ0Uwh9VSVhfId7l9i5/jk4CvAK5rbkiab8R+moF root@sleipner"
     ];
-  };
 }
 

flake.lock

@@ -7,11 +7,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1725242307,
+        "lastModified": 1728763831,
-        "narHash": "sha256-a2iTMBngegEZvaNAzzxq5Gc5Vp3UWoGUqWtK11Txbic=",
+        "narHash": "sha256-KOp33tls7jRAhcmu77aVxKpSMou8QgK0BC+Y3sYLuGo=",
         "owner": "nix-community",
         "repo": "disko",
-        "rev": "96073e6423623d4a8027e9739d2af86d6422ea7a",
+        "rev": "b6215392ec3bd05e9ebfbb2f7945c414096fce8f",
         "type": "github"
       },
       "original": {
@@ -158,11 +158,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1725198597,
+        "lastModified": 1728843132,
-        "narHash": "sha256-w3sjCEbnc242ByJ18uebzgjFZY3QU7dZhmLwPsJIZJs=",
+        "narHash": "sha256-VWIF1sMD6MJZyB+x5z0ZpirQdH8Cqb3avboq1VfSjRg=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "3524b030c839db4ea4ba16737789c6fb8a1769c6",
+        "rev": "414e01b61f0015e49353a6104824b9385a430a5d",
         "type": "github"
       },
       "original": {
@@ -174,11 +174,11 @@
     },
     "nixpkgs-stable": {
       "locked": {
-        "lastModified": 1721524707,
+        "lastModified": 1728156290,
-        "narHash": "sha256-5NctRsoE54N86nWd0psae70YSLfrOek3Kv1e8KoXe/0=",
+        "narHash": "sha256-uogSvuAp+1BYtdu6UWuObjHqSbBohpyARXDWqgI12Ss=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "556533a23879fc7e5f98dd2e0b31a6911a213171",
+        "rev": "17ae88b569bb15590549ff478bab6494dde4a907",
         "type": "github"
       },
       "original": {
@@ -190,11 +190,11 @@
     },
     "nixpkgs-unstable": {
       "locked": {
-        "lastModified": 1725183711,
+        "lastModified": 1728805616,
-        "narHash": "sha256-gkjg8FfjL92azt3gzZUm1+v+U4y+wbQE630uIf4Aybo=",
+        "narHash": "sha256-CfPKX2yaHwTOpGqcul89N12zjRfZ8GOSxG24/Ao9BcQ=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "a2c345850e5e1d96c62e7fa8ca6c9d77ebad1c37",
+        "rev": "73057677e8557925e999ac54196423fa34418c24",
         "type": "github"
       },
       "original": {
@@ -267,11 +267,11 @@
         "nixpkgs-stable": "nixpkgs-stable"
       },
       "locked": {
-        "lastModified": 1725201042,
+        "lastModified": 1728345710,
-        "narHash": "sha256-lj5pxOwidP0W//E7IvyhbhXrnEUW99I07+QpERnzTS4=",
+        "narHash": "sha256-lpunY1+bf90ts+sA2/FgxVNIegPDKCpEoWwOPu4ITTQ=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "5db5921e40ae382d6716dce591ea23b0a39d96f7",
+        "rev": "06535d0e3d0201e6a8080dd32dbfde339b94f01b",
         "type": "github"
       },
       "original": {

flake.nix

@@ -57,7 +57,7 @@
         rec {
           system = "x86_64-linux";
           specialArgs = {
-            inherit nixpkgs-unstable inputs;
+            inherit unstablePkgs inputs;
             values = import ./values.nix;
           };
 
@@ -79,6 +79,11 @@
       stableNixosConfig = nixosConfig nixpkgs;
       unstableNixosConfig = nixosConfig nixpkgs-unstable;
     in {
+      bakke = stableNixosConfig "bakke" {
+        modules = [
+          disko.nixosModules.disko
+        ];
+      };
       bicep = stableNixosConfig "bicep" {
         modules = [
           inputs.matrix-next.nixosModules.default

hosts/bakke/configuration.nix

@@ -0,0 +1,26 @@
+{ config, pkgs, values, ... }:
+{
+  imports = [
+      ./hardware-configuration.nix
+      ../../base
+      ../../misc/metrics-exporters.nix
+      ./filesystems.nix
+    ];
+
+  sops.defaultSopsFile = ../../secrets/bakke/bakke.yaml;
+  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+  sops.age.keyFile = "/var/lib/sops-nix/key.txt";
+  sops.age.generateKey = true;
+
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+
+  networking.hostName = "bakke";
+  networking.hostId = "99609ffc";
+  systemd.network.networks."30-enp2s0" = values.defaultNetworkConfig // {
+    matchConfig.Name = "enp2s0";
+    address = with values.hosts.bakke; [ (ipv4 + "/25") (ipv6 + "/64") ];
+  };
+
+  system.stateVersion = "24.05";
+}

hosts/bakke/disks.nix

@@ -0,0 +1,83 @@
+{
+  # https://github.com/nix-community/disko/blob/master/example/boot-raid1.nix
+  # Note: Disko was used to create the initial md raid, but is no longer in active use on this host.
+  disko.devices = {
+    disk = {
+      one = {
+        type = "disk";
+        device = "/dev/disk/by-id/ata-WDC_WD40EFRX-68WT0N0_WD-WCC4E2EER6N6";
+        content = {
+          type = "gpt";
+          partitions = {
+            ESP = {
+              size = "500M";
+              type = "EF00";
+              content = {
+                type = "mdraid";
+                name = "boot";
+              };
+            };
+            mdadm = {
+              size = "100%";
+              content = {
+                type = "mdraid";
+                name = "raid1";
+              };
+            };
+          };
+        };
+      };
+      two = {
+        type = "disk";
+        device = "/dev/disk/by-id/ata-WDC_WD40EFRX-68WT0N0_WD-WCC4E7LPLU71";
+        content = {
+          type = "gpt";
+          partitions = {
+            ESP = {
+              size = "500M";
+              type = "EF00";
+              content = {
+                type = "mdraid";
+                name = "boot";
+              };
+            };
+            mdadm = {
+              size = "100%";
+              content = {
+                type = "mdraid";
+                name = "raid1";
+              };
+            };
+          };
+        };
+      };
+    };
+    mdadm = {
+      boot = {
+        type = "mdadm";
+        level = 1;
+        metadata = "1.0";
+        content = {
+          type = "filesystem";
+          format = "vfat";
+          mountpoint = "/boot";
+        };
+      };
+      raid1 = {
+        type = "mdadm";
+        level = 1;
+        content = {
+          type = "gpt";
+          partitions.primary = {
+            size = "100%";
+            content = {
+              type = "filesystem";
+              format = "ext4";
+              mountpoint = "/";
+            };
+          };
+        };
+      };
+    };
+  };
+}

hosts/bakke/filesystems.nix

@@ -0,0 +1,26 @@
+{ config, pkgs, lib, ... }:
+{
+  # Boot drives:
+  boot.swraid.enable = true;
+
+  # ZFS Data pool:
+  environment.systemPackages = with pkgs; [ zfs ];
+  boot = {
+    zfs = {
+      extraPools = [ "tank" ];
+      requestEncryptionCredentials = false;
+    };
+    supportedFilesystems = [ "zfs" ];
+    kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
+  };
+  services.zfs.autoScrub = {
+    enable = true;
+    interval = "Wed *-*-8..14 00:00:00";
+  };
+
+  # NFS Exports:
+  #TODO
+
+  # NFS Import mounts:
+  #TODO
+}

hosts/bakke/hardware-configuration.nix

@@ -0,0 +1,33 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/873e1891-d9f8-470f-9c57-e1b4c8b7bf0e";
+      fsType = "ext4";
+    };
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-id/ata-WDC_WD40EFRX-68WT0N0_WD-WCC4E7LPLU71-part1";
+      fsType = "vfat";
+      options = [ "fmask=0022" "dmask=0022" ];
+    };
+
+  swapDevices = [ ];
+
+  networking.useDHCP = lib.mkDefault false;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}

hosts/bekkalokk/services/gitea/default.nix

@@ -104,6 +104,30 @@ in {
         ENABLE_FEDERATED_AVATAR = false;
       };
       actions.ENABLED = true;
+      ui = {
+        REACTIONS = lib.concatStringsSep "," [
+          "+1"
+          "-1"
+          "laugh"
+          "confused"
+          "heart"
+          "hooray"
+          "rocket"
+          "eyes"
+          "100"
+          "anger"
+          "astonished"
+          "no_good"
+          "ok_hand"
+          "pensive"
+          "pizza"
+          "point_up"
+          "sob"
+          "skull"
+          "upside_down_face"
+          "shrug"
+        ];
+      };
       "ui.meta".DESCRIPTION = "Bokstavelig talt programvareverkstedet";
     };
   };

hosts/bekkalokk/services/webmail/roundcube.nix

@@ -6,6 +6,11 @@ let
   domain = "webmail.pvv.ntnu.no";
 in
 {
+  sops.secrets."roundcube/postgres_password" = {
+    owner = "nginx";
+    group = "nginx";
+  };
+
   services.roundcube = {
     enable = true;
 
@@ -20,6 +25,11 @@ in
     maxAttachmentSize = 20;
     hostName = "roundcubeplaceholder.example.com";
 
+    database = {
+      host = "postgres.pvv.ntnu.no";
+      passwordFile = config.sops.secrets."roundcube/postgres_password".path;
+    };
+
     extraConfig = ''
       $config['enable_installer'] = false;
       $config['default_host'] = "ssl://imap.pvv.ntnu.no";

hosts/bicep/services/matrix/default.nix

@@ -10,6 +10,7 @@
     ./mjolnir.nix
 
     ./discord.nix
+    ./hookshot
   ];
 
 

hosts/bicep/services/matrix/discord.nix

@@ -6,15 +6,42 @@ in
 {
   users.groups.keys-matrix-registrations = { };
 
-  sops.secrets."matrix/registrations/mx-puppet-discord" = {
+  sops.secrets."matrix/discord/as_token" = {
     sopsFile = ../../../../secrets/bicep/matrix.yaml;
-    key = "registrations/mx-puppet-discord";
+    key = "discord/as_token";
+  };
+  sops.secrets."matrix/discord/hs_token" = {
+    sopsFile = ../../../../secrets/bicep/matrix.yaml;
+    key = "discord/hs_token";
+  };
+
+  sops.templates."discord-registration.yaml" = {
     owner = config.users.users.matrix-synapse.name;
     group = config.users.groups.keys-matrix-registrations.name;
+    content = ''
+      as_token: "${config.sops.placeholder."matrix/discord/as_token"}"
+      hs_token: "${config.sops.placeholder."matrix/discord/hs_token"}"
+      id: discord-puppet
+      namespaces:
+        users:
+          - exclusive: true
+            regex: '@_discordpuppet_.*'
+        rooms: []
+        aliases:
+          - exclusive: true
+            regex: '#_discordpuppet_.*'
+      protocols: []
+      rate_limited: false
+      sender_localpart: _discordpuppet_bot
+      url: 'http://localhost:8434'
+      de.sorunome.msc2409.push_ephemeral: true
+    '';
   };
 
   systemd.services.mx-puppet-discord = {
-    serviceConfig.SupplementaryGroups = [ config.users.groups.keys-matrix-registrations.name ];
+    serviceConfig.SupplementaryGroups = [
+      config.users.groups.keys-matrix-registrations.name
+    ];
   };
 
 
@@ -29,11 +56,16 @@ in
     relay.whitelist = [ ".*" ];
     selfService.whitelist = [ "@danio:pvv\\.ntnu\\.no" "@dandellion:dodsorf\\.as" ];
   };
-  services.mx-puppet-discord.serviceDependencies = [ "matrix-synapse.target" "nginx.service" ];
+  services.mx-puppet-discord.serviceDependencies = [
+    "matrix-synapse.target"
+    "nginx.service"
+  ];
 
 
   services.matrix-synapse-next.settings = {
-    app_service_config_files = [ config.sops.secrets."matrix/registrations/mx-puppet-discord".path ];
+    app_service_config_files = [
+      config.sops.templates."discord-registration.yaml".path
+    ];
     use_appservice_legacy_authorization = true;
   };
 

hosts/bicep/services/matrix/hookshot/default.nix

@@ -0,0 +1,139 @@
+{ config, lib, unstablePkgs, inputs, ... }:
+
+let
+  cfg = config.services.matrix-hookshot;
+  webhookListenAddress = "127.0.0.1";
+  webhookListenPort = 8435;
+in
+{
+  imports = [
+    ./module.nix
+  ];
+
+  sops.secrets."matrix/hookshot/as_token" = {
+    sopsFile = ../../../../../secrets/bicep/matrix.yaml;
+    key = "hookshot/as_token";
+  };
+  sops.secrets."matrix/hookshot/hs_token" = {
+    sopsFile = ../../../../../secrets/bicep/matrix.yaml;
+    key = "hookshot/hs_token";
+  };
+
+  sops.templates."hookshot-registration.yaml" = {
+    owner = config.users.users.matrix-synapse.name;
+    group = config.users.groups.keys-matrix-registrations.name;
+    content = ''
+      id: matrix-hookshot
+      as_token: "${config.sops.placeholder."matrix/hookshot/as_token"}"
+      hs_token: "${config.sops.placeholder."matrix/hookshot/hs_token"}"
+      namespaces:
+        rooms: []
+        users:
+          - regex: "@_webhooks_.*:pvv.ntnu.no"
+            exclusive: true
+          - regex: "@bot_feeds:pvv.ntnu.no"
+            exclusive: true
+        aliases: []
+
+      sender_localpart: hookshot
+      url: "http://${cfg.settings.bridge.bindAddress}:${toString cfg.settings.bridge.port}"
+      rate_limited: false
+
+      # If enabling encryption
+      de.sorunome.msc2409.push_ephemeral: true
+      push_ephemeral: true
+      org.matrix.msc3202: true
+    '';
+  };
+
+  systemd.services.matrix-hookshot = {
+    serviceConfig.SupplementaryGroups = [
+      config.users.groups.keys-matrix-registrations.name
+    ];
+  };
+
+  services.matrix-hookshot = {
+    enable = true;
+    package = unstablePkgs.matrix-hookshot;
+    registrationFile = config.sops.templates."hookshot-registration.yaml".path;
+    settings = {
+      bridge = {
+        bindAddress = "127.0.0.1";
+        domain = "pvv.ntnu.no";
+        url = "https://matrix.pvv.ntnu.no";
+        mediaUrl = "https://matrix.pvv.ntnu.no";
+        port = 9993;
+      };
+      listeners = [
+        {
+          bindAddress = webhookListenAddress;
+          port = webhookListenPort;
+          resources = [
+            "webhooks"
+            # "metrics"
+            # "provisioning"
+            "widgets"
+          ];
+        }
+      ];
+      generic = {
+        enabled = true;
+        outbound = true;
+        urlPrefix = "https://hookshot.pvv.ntnu.no/webhook/";
+        userIdPrefix = "_webhooks_";
+        allowJsTransformationFunctions = false;
+        waitForComplete = false;
+      };
+      feeds = {
+        enabled = true;
+        pollIntervalSeconds = 600;
+      };
+      
+      serviceBots = [
+        { localpart = "bot_feeds";
+          displayname = "Aya";
+          avatar = ./feeds.png;
+          prefix = "!aya";
+          service = "feeds";
+        }
+      ];
+
+      permissions = [
+        # Users of the PVV Server
+        { actor = "pvv.ntnu.no";
+          services = [ { service = "*"; level = "commands"; } ];
+        }
+        # Members of Medlem space (for people with their own hs)
+        { actor = "!pZOTJQinWyyTWaeOgK:pvv.ntnu.no";
+          services = [ { service = "*"; level = "commands"; } ];
+        }
+        # Members of Drift
+        { actor = "!eYgeufLrninXxQpYml:pvv.ntnu.no";
+          services = [ { service = "*"; level = "admin"; } ];
+        }
+        # Dan bootstrap
+        { actor = "@dandellion:dodsorf.as";
+          services = [ { service = "*"; level = "admin"; } ];
+        }
+      ];
+    };
+  };
+
+  services.matrix-hookshot.serviceDependencies = [
+    "matrix-synapse.target"
+    "nginx.service"
+  ];
+
+  services.matrix-synapse-next.settings = {
+    app_service_config_files = [
+      config.sops.templates."hookshot-registration.yaml".path
+    ];
+  };
+
+  services.nginx.virtualHosts."hookshot.pvv.ntnu.no" = {
+    enableACME = true;
+    locations."/" = {
+      proxyPass = "http://${webhookListenAddress}:${toString webhookListenPort}";
+    };
+  };
+}

hosts/bicep/services/matrix/hookshot/module.nix

@@ -0,0 +1,127 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
+let
+  cfg = config.services.matrix-hookshot;
+  settingsFormat = pkgs.formats.yaml { };
+  configFile = settingsFormat.generate "matrix-hookshot-config.yml" cfg.settings;
+in
+{
+  options = {
+    services.matrix-hookshot = {
+      enable = lib.mkEnableOption "matrix-hookshot, a bridge between Matrix and project management services";
+
+      package = lib.mkPackageOption pkgs "matrix-hookshot" { };
+
+      registrationFile = lib.mkOption {
+        type = lib.types.path;
+        description = ''
+          Appservice registration file.
+          As it contains secret tokens, you may not want to add this to the publicly readable Nix store.
+        '';
+        example = lib.literalExpression ''
+          pkgs.writeText "matrix-hookshot-registration" \'\'
+            id: matrix-hookshot
+            as_token: aaaaaaaaaa
+            hs_token: aaaaaaaaaa
+            namespaces:
+              rooms: []
+              users:
+                - regex: "@_webhooks_.*:foobar"
+                  exclusive: true
+
+            sender_localpart: hookshot
+            url: "http://localhost:9993"
+            rate_limited: false
+            \'\'
+        '';
+      };
+
+      settings = lib.mkOption {
+        description = ''
+          {file}`config.yml` configuration as a Nix attribute set.
+
+          For details please see the [documentation](https://matrix-org.github.io/matrix-hookshot/latest/setup/sample-configuration.html).
+        '';
+        example = {
+          bridge = {
+            domain = "example.com";
+            url = "http://localhost:8008";
+            mediaUrl = "https://example.com";
+            port = 9993;
+            bindAddress = "127.0.0.1";
+          };
+          listeners = [
+            {
+              port = 9000;
+              bindAddress = "0.0.0.0";
+              resources = [ "webhooks" ];
+            }
+            {
+              port = 9001;
+              bindAddress = "localhost";
+              resources = [
+                "metrics"
+                "provisioning"
+              ];
+            }
+          ];
+        };
+        default = { };
+        type = lib.types.submodule {
+          freeformType = settingsFormat.type;
+          options = {
+            passFile = lib.mkOption {
+              type = lib.types.path;
+              default = "/var/lib/matrix-hookshot/passkey.pem";
+              description = ''
+                A passkey used to encrypt tokens stored inside the bridge.
+                File will be generated if not found.
+              '';
+            };
+          };
+        };
+      };
+
+      serviceDependencies = lib.mkOption {
+        type = with lib.types; listOf str;
+        default = lib.optional config.services.matrix-synapse.enable config.services.matrix-synapse.serviceUnit;
+        defaultText = lib.literalExpression ''
+          lib.optional config.services.matrix-synapse.enable config.services.matrix-synapse.serviceUnit
+        '';
+        description = ''
+          List of Systemd services to require and wait for when starting the application service,
+          such as the Matrix homeserver if it's running on the same host.
+        '';
+      };
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    systemd.services.matrix-hookshot = {
+      description = "a bridge between Matrix and multiple project management services";
+
+      wantedBy = [ "multi-user.target" ];
+      wants = [ "network-online.target" ] ++ cfg.serviceDependencies;
+      after = [ "network-online.target" ] ++ cfg.serviceDependencies;
+
+      preStart = ''
+        if [ ! -f '${cfg.settings.passFile}' ]; then
+          mkdir -p $(dirname '${cfg.settings.passFile}')
+          ${pkgs.openssl}/bin/openssl genpkey -out '${cfg.settings.passFile}' -outform PEM -algorithm RSA -pkeyopt rsa_keygen_bits:4096
+        fi
+      '';
+
+      serviceConfig = {
+        Type = "simple";
+        Restart = "always";
+        ExecStart = "${cfg.package}/bin/matrix-hookshot ${configFile} ${cfg.registrationFile}";
+      };
+    };
+  };
+
+  meta.maintainers = with lib.maintainers; [ flandweber ];
+}

keys/oysteikt.pub

@@ -8,34 +8,47 @@ FgIDAQACHgECF4AACgkQRrkijoFKKqxIlQD9F0EedrFpHAVuaVas9ZWRZb4xv3zM
 N3g0IDxoN3g0QG5hbmkud3RmPoiTBBMWCgA7AhsBBQsJCAcDBRUKCQgLBRYCAwEA
 Ah4BAheAFiEE99N4kCKKkHRA4f1IRrkijoFKKqwFAmL7l8ACGQEACgkQRrkijoFK
 KqxI4wD9EIGpb3Gt5s5e8waH7XaLSlquOrW1RID3sSuzWI4DvikBAMncfBbtkpzH
-EYU2Ufm8VxzgJDnyeB+lcdeSJXWaIwYLtCZoN3g0IChhbHRlcm5hdGl2ZSkgPGg3
+EYU2Ufm8VxzgJDnyeB+lcdeSJXWaIwYLiJAEExYKADgWIQT303iQIoqQdEDh/UhG
-eDQuYWx0QG5hbmkud3RmPoiQBBMWCgA4FiEE99N4kCKKkHRA4f1IRrkijoFKKqwF
+uSKOgUoqrAUCYuaF5AIbAQULCQgHAwUVCgkICwUWAgMBAAIeAQIXgAAKCRBGuSKO
-AmL7j0oCGwEFCwkIBwMFFQoJCAsFFgIDAQACHgECF4AACgkQRrkijoFKKqytywD+
+gUoqrKWiAQC1yFpodz5PGsZbFgihEA0UQ5jcoXBojoAlVRgmkwm41gEA782rsvyl
-IdHIxbjRcDEJYOqFX1r4wrymTvnjz/kp0zUSrymwMUoBAP8huPK/YpujNF6/cwwB
+87ExoluDD3eV/Z5ILp7Ex6JeaE3JUix8Sgi0Jmg3eDQgKGFsdGVybmF0aXZlKSA8
-3A5WwpWjjV+F/uq2ejqFOocNuDMEYuaGRxYJKwYBBAHaRw8BAQdAsmc0GTQIszpk
+aDd4NC5hbHRAbmFuaS53dGY+iJAEExYKADgWIQT303iQIoqQdEDh/UhGuSKOgUoq
-jDYwgSt6zI81P2+k9WvBg6IEISnyuVWI9QQYFgoAJhYhBPfTeJAiipB0QOH9SEa5
+rAUCYvuPSgIbAQULCQgHAwUVCgkICwUWAgMBAAIeAQIXgAAKCRBGuSKOgUoqrK3L
-Io6BSiqsBQJi5oZHAhsCBQkDwmcAAIEJEEa5Io6BSiqsdiAEGRYKAB0WIQTzzahs
+AP4h0cjFuNFwMQlg6oVfWvjCvKZO+ePP+SnTNRKvKbAxSgEA/yG48r9im6M0Xr9z
-xVqfENegaYGfL32CUPNRRgUCYuaGRwAKCRCfL32CUPNRRhWYAQCzfkYeJt9t02jO
+DAHcDlbClaONX4X+6rZ6OoU6hw24MwRi5oZHFgkrBgEEAdpHDwEBB0CyZzQZNAiz
-c3SXwk1e1dGj9ydEXSprSr8/2PWu7gD+KD/FJWzPbnMhtudoGfCIzNFaazcz/QqT
+OmSMNjCBK3rMjzU/b6T1a8GDogQhKfK5VYj1BBgWCgAmFiEE99N4kCKKkHRA4f1I
-ZeBs6Q+AkQ7ueQD/ZqQMkaCrd8o2L02h89U6bFxy86nyTurGAUVx92F8jUwBAKa7
+RrkijoFKKqwFAmLmhkcCGwIFCQPCZwAAgQkQRrkijoFKKqx2IAQZFgoAHRYhBPPN
-Zp/0vR5bR4o57C7NTxB5kbmteF0AXS9R7sxSA/AEuQINBGLmhnoBEADa1yBK0NKx
+qGzFWp8Q16BpgZ8vfYJQ81FGBQJi5oZHAAoJEJ8vfYJQ81FGFZgBALN+Rh4m323T
-VIto3hSh21hooYpWcEXWqMPXHO34rcAhktVFOOHIl2bFGScQAZXtjAcqUmMyC+PM
+aM5zdJfCTV7V0aP3J0RdKmtKvz/Y9a7uAP4oP8UlbM9ucyG252gZ8IjM0VprNzP9
-s1DZoocFk+9PJt17hAa/s6CRrw8vK+1fVqhj0XOLtevGV9iC6IRvhPxzTsOaeOss
+CpNl4GzpD4CRDu55AP9mpAyRoKt3yjYvTaHz1TpsXHLzqfJO6sYBRXH3YXyNTAEA
-gMGIU8xDmMKT2nGHGNUkqOXGld63E3NKsK3lnl+BCdpJ0f3GEB7aSQ+pk6k1uzOD
+prtmn/S9HltHijnsLs1PEHmRua14XQBdL1HuzFID8ASI9QQYFgoAJgIbAhYhBPfT
-XX/mhAUJmL1MkVZ6jJA3vhsre0Kfa9p+C5mP4hLJ6jF+oESvA4HC+LuCSGm66gID
+eJAiipB0QOH9SEa5Io6BSiqsBQJmqp4CBQkFpUs7AIF2IAQZFgoAHRYhBPPNqGzF
-MC39jnLo6hwYEEjfPXD7CUAN4S2eISSFd+ZclN2vYcrKYgsCZS0hBFOgDhKKCHBu
+Wp8Q16BpgZ8vfYJQ81FGBQJi5oZHAAoJEJ8vfYJQ81FGFZgBALN+Rh4m323TaM5z
-MwP12AIM8y8L64/eOWFpR7s2StAPjjYbZeZECHLWZt1zGVvkS7Xp6lsAg6/T8Eys
+dJfCTV7V0aP3J0RdKmtKvz/Y9a7uAP4oP8UlbM9ucyG252gZ8IjM0VprNzP9CpNl
-KG7vTl2Qq9W0BmzNgk2ODTZkhv0gqqXppdr8eRiq+h0qMfJptG0GycOvqb9PoEO2
+4GzpD4CRDgkQRrkijoFKKqwYoQEAz0D3G/dD6DBYBf7p6pGYqXd2X0Dv8nmnalol
-dfNCjjII8VfaSGfSEYo8UwsqYTtfgdoNnFCXKd1r7QmvrdbNsFDRmkv+wWJoipwU
+Z6SxfUMA/jT/XjPh7c4Ui8nZO7XDzYWrbV/eZwGMd1zXq2mU42MLuQINBGLmhnoB
-aVquyb2KN652jSlpwMECW6fSEsT/5C3mJLgAmi6l6yosw6HdIY6jgpCGtxnHW2zR
+EADa1yBK0NKxVIto3hSh21hooYpWcEXWqMPXHO34rcAhktVFOOHIl2bFGScQAZXt
-eIS6ezZdtxYBCkEHK70yASyaIHrLLDknw+DuKvXAWOAecob8GNBHOjXZe3LzBt2r
+jAcqUmMyC+PMs1DZoocFk+9PJt17hAa/s6CRrw8vK+1fVqhj0XOLtevGV9iC6IRv
-VgOCRa+W7milNgjUCsz+R3rM8XfR+wNEGwARAQABiH4EGBYKACYWIQT303iQIoqQ
+hPxzTsOaeOssgMGIU8xDmMKT2nGHGNUkqOXGld63E3NKsK3lnl+BCdpJ0f3GEB7a
-dEDh/UhGuSKOgUoqrAUCYuaGegIbDAUJA8JnAAAKCRBGuSKOgUoqrDE0AQDBxRsm
+SQ+pk6k1uzODXX/mhAUJmL1MkVZ6jJA3vhsre0Kfa9p+C5mP4hLJ6jF+oESvA4HC
-W9L60mxGCp1CpNWBXD2T6D605PlNiNCcM+cOCgD/c2OitSSG50M0YRbyh1LPYL6Y
++LuCSGm66gIDMC39jnLo6hwYEEjfPXD7CUAN4S2eISSFd+ZclN2vYcrKYgsCZS0h
-QePL0dQkYsjm6XVmrAK4MwRi5obFFgkrBgEEAdpHDwEBB0BYP2r4I9LGW8ai+fLW
+BFOgDhKKCHBuMwP12AIM8y8L64/eOWFpR7s2StAPjjYbZeZECHLWZt1zGVvkS7Xp
-RKXGonni9TljqFVN5mV/yuxlPoh+BBgWCgAmFiEE99N4kCKKkHRA4f1IRrkijoFK
+6lsAg6/T8EysKG7vTl2Qq9W0BmzNgk2ODTZkhv0gqqXppdr8eRiq+h0qMfJptG0G
-KqwFAmLmhsUCGyAFCQPCZwAACgkQRrkijoFKKqzeYwD/emjtDBD0EiCnS2mvfopa
+ycOvqb9PoEO2dfNCjjII8VfaSGfSEYo8UwsqYTtfgdoNnFCXKd1r7QmvrdbNsFDR
-T6foJSfXbiCe83UdFNebTjQBANFqnkXPCYb9dFIyM/0N1JXH7yj81VuslSqPi4NR
+mkv+wWJoipwUaVquyb2KN652jSlpwMECW6fSEsT/5C3mJLgAmi6l6yosw6HdIY6j
-SNkE
+gpCGtxnHW2zReIS6ezZdtxYBCkEHK70yASyaIHrLLDknw+DuKvXAWOAecob8GNBH
-=oTMO
+OjXZe3LzBt2rVgOCRa+W7milNgjUCsz+R3rM8XfR+wNEGwARAQABiH4EGBYKACYW
+IQT303iQIoqQdEDh/UhGuSKOgUoqrAUCYuaGegIbDAUJA8JnAAAKCRBGuSKOgUoq
+rDE0AQDBxRsmW9L60mxGCp1CpNWBXD2T6D605PlNiNCcM+cOCgD/c2OitSSG50M0
+YRbyh1LPYL6YQePL0dQkYsjm6XVmrAKIfgQYFgoAJgIbDBYhBPfTeJAiipB0QOH9
+SEa5Io6BSiqsBQJmqp4FBQkFpUsIAAoJEEa5Io6BSiqsydsA/ihBulpSSLg4B9pJ
+sffqphMht7yT3Dnz57iexUEgj3jBAQDedI+gwpZlMjV6IdH/Epz244j82Ta04cqk
+SOz2Y63LBrgzBGLmhsUWCSsGAQQB2kcPAQEHQFg/avgj0sZbxqL58tZEpcaieeL1
+OWOoVU3mZX/K7GU+iH4EGBYKACYWIQT303iQIoqQdEDh/UhGuSKOgUoqrAUCYuaG
+xQIbIAUJA8JnAAAKCRBGuSKOgUoqrN5jAP96aO0MEPQSIKdLaa9+ilpPp+glJ9du
+IJ7zdR0U15tONAEA0WqeRc8Jhv10UjIz/Q3UlcfvKPzVW6yVKo+Lg1FI2QSIfgQY
+FgoAJgIbIBYhBPfTeJAiipB0QOH9SEa5Io6BSiqsBQJmqp4GBQkFpUq9AAoJEEa5
+Io6BSiqsjF0BAJn0EBEJfszskYiZzMshFHW5k0QUF+Ak3JNh2UG+M6FJAQCQVY/l
+DkrvOytuFnKbkDrCaTrtLh/JAmBXpSERIejmDw==
+=7cFp
 -----END PGP PUBLIC KEY BLOCK-----

secrets/bakke/bakke.yaml

@@ -0,0 +1,94 @@
+hello: ENC[AES256_GCM,data:+GWORSIf9TxmJLw1ytZwPbve2yz5H9ewVE5sOpQzkrRpct6Wes+vTE19Ij8W1g==,iv:C/WhXNBBM/bidC9xynZzk34nYXF3mUjAd4nPXpUlYHs=,tag:OJXSwuI8aNDnHFFTkwyGBQ==,type:str]
+example_key: ENC[AES256_GCM,data:ojSsrFYo5YD0YtiqcA==,iv:nvNtG6c0OqnQovzWQLMjcn9vbQ4PPYSv2B43Y8z0h5s=,tag:+h7YUNRA2MTvwGJq1VZW8g==,type:str]
+#ENC[AES256_GCM,data:6EvhlBtrl5wqyf6UAGwY8Q==,iv:fzLUjBzyuT17FcP8jlmLrsKW46pu6/lAvAVLHBxje6k=,tag:n+qR1NUqa91uFRIpALKlmw==,type:comment]
+example_array:
+    - ENC[AES256_GCM,data:A38KXABxJzMoKitKpHo=,iv:OlRap3R//9tvKdPLz7uP+lvBa/fD0W8xFzdxIKKFi4E=,tag:QKizPN1fYOv5zZlMVgTIOQ==,type:str]
+    - ENC[AES256_GCM,data:8X2iVkHQtQMReopWdgM=,iv:2Wq3QOadwd3G3ROXNe7JQD4AL/5H/WV19TBEbxijG/8=,tag:tikKT9Wvzm4Vz5aoy6w9WQ==,type:str]
+example_number: ENC[AES256_GCM,data:0K05hiSPh2Ok1A==,iv:IVRo61xkKugv4OiPm0vt9ODm5DC1DzJFdlgQJb1TfTg=,tag:o3xXygVEUD4jaGSJr0Nxtw==,type:float]
+example_booleans:
+    - ENC[AES256_GCM,data:zoykmQ==,iv:1JGy1Cg5GdAiod9qPSzW+wsG6rUgUJyYMEE4k576Tlk=,tag:RUCbytPpo78bqlAVEUsbLg==,type:bool]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1syted6kt48sumjjucggh6r3uca4x2ppp4mfungf3lamkt2le05csc99633
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlYmlqekUzY2NlQzAxQmZB
+            QllRaVVWSnpNNm4xWlpwNHdMOTJRS2hnS0FzClhkd1hHZk9NWWF3K25HWkxwbEUv
+            bXpmQjNTTERaRDlKODh2NEdIaytJYlUKLS0tIE5ZNGhrbUNONU1rY2dqR08rclRO
+            VHF2MXB2VGNhRzJ2czk5RGlLRm1QM0kKFQhRRrISgmU1neqwAewsS2AVog4Gg2QX
+            ukHvwzO8B6EHH83ppR9Z56aThSmyTSrU5TMwRiLRCWjKGpbL8Gap3Q==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age17tagmpwqjk3mdy45rfesrfey6h863x8wfq38wh33tkrlrywxducs0k6tpq
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSamUvT015TW9iQ3F5UHla
+            SWJ6cjQ0aEdmd0U0WUViL293MEtUazMrY1NVCmgvNXNhZzBSM1Y4b1JnbktQcm9Q
+            Rm9CaU9oZExyMFg5aVlQaHhZMkdhQUkKLS0tIDRiSHY2eFA5NmRtaTNYcnNiQ1Fx
+            RzhPY2l5UnREeFArWE5lS0p1TlBFdFkKoaV8MHuRCvPapWy/SDFjbtRSnzpU9qpL
+            uTfUHMYAkzTwftoQyKYRXY3Qizznn6O8e8SGgLUGPBk0HwrU9vq/8A==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1mrnldl334l2nszuta6ywvewng0fswv2dz9l5g4qcwe3nj4yxf92qjskdx6
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEaDVaaVAzSnMxSERHT1BM
+            TkthN0VQL3QzNGUranBxSE41ZW5ZeW5hL3cwCmR3SVk4bEtRdW53cURRbDh6SEZ3
+            OUx1ZDZtZmdSRjlKWWpSTi9ndnNsZTgKLS0tIDlja3h0N2dxUUZzMWVmZ1lTY0lO
+            VVBiSzAyamlTV3RXRTB4VDJubnRJbzAKZKALwMcN8rpCZdTPE17wNcqt81Lyh0lb
+            paU9GRRp5qBxMaNZaHGirhZWChf3ZjyA/assN4EWSNYe1yzNq9TCPg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1hmpdk4h69wxpwqk9tkud39f66hprhehxtzhgw97r6dvr7v0mx5jscsuhkn
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCdW0vOHpiUnYwNkRaTzdH
+            NVlKazBUWHlzazRKZlZKZVpXZ1BNdjUreVV3CnlIRXpCTUdwSUNkSXRFdVdnM0E1
+            blZYdnpDK3orcTdQNVk5U3JiMEVEaTgKLS0tIGR1V1d0dW1TSDROQ1pVY0ZvellP
+            WnNxOFlNTWpxV0J2VWk1WDE4UjViUHcKZcGxaNaoalFmc1h2AOf5MKS9O7Kid+Xx
+            WatBjO9oU+lVcy2HGJhuDYoEg6cQ0ER+HTnfZwJRzDwBB6DCyeH8IQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1wrssr4z4g6vl3fd3qme5cewchmmhm0j2xe6wf2meu4r6ycn37anse98mfs
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLbm0wMW92U0tMaGR3bzdJ
+            c3QrODN3eXIvb1V2TVZldExpNzZoWEc5UkdjCmtETGxvK0ZHbWVvL1MrdVJOL2V1
+            R3Y4SjhlT3lObGdWRVZQSHh6MUJFd0kKLS0tIDhnOFQ3dEsrVnJWU1lUQlFzd3l1
+            Ny9NbUd1L201cTdkYWQvbHJIRjVWa1UKcHICycS4yPtk0lXrDJmFpS66C7c+GIdS
+            XzghorP2JQxpb3uUcy2XwOHJZMWy0KbFKYjLsIH48oJqqQ9j43WS8w==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1zhxul786an743u0fascv4wtc5xduu7qfy803lfs539yzhgmlq5ds2lznt5
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0YmFheU4wSG9QZTNtRVRz
+            Z21zalZBcWNObEFabXgxOWdYY3F1MENlMlc4CmtWeFl0ZSt4bUo0R3dydEozK3V1
+            dnZlZmtjMk9rdFZlTzFqUXJUdFNZWVUKLS0tIGU2VTdNVCsvRitZMXVleUg0L3lC
+            dU5QblEyZzJBOWJOeGoxQ29OS29hczgKC03MEGwaYq7WKKhh7pq1QOQfjH+L5+8b
+            HXP90cOyvc+dnpV/D2lSns6iK92FYOYVQ+wMjCsoB7zMj24MjPc03w==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-03-15T21:42:17Z"
+    mac: ENC[AES256_GCM,data:2gH/ZaxSA6ShRu53dxj7V3jk7FsVdYS+PSHQyFT8qMvKM1hsQ/nWrKt00PUl9I7Gb4uomP9Ga3SyphYOXRBzKoV+x52oEWOJE3Q4iPrwdCkyHlxEezhTd/ZRQVatG6dvHpLuDNS9Dyph4f7Mw5USI+m4WeVdgCvHTydw+4KIfP4=,iv:yimfq96WVsagvKr8HTg1RdZBSrVGcCWPvv8XOXkOfcg=,tag:zHzdrE0PX5+AeD2lpqeJVQ==,type:str]
+    pgp:
+        - created_at: "2025-03-15T21:46:06Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA0av/duuklWYAQ//QdHVK0PzPDj4BhvVm/FCiRMdKGw7BFDR/+qhxhEULMnu
+            6YSBtO5HMNhIkLlb+3gs/iIJ9+RxQjcxl00sUoEKpucE03QdmRD5EhGoNk3lNKc+
+            A2xelfPFOtbJpzjLub6JwsyfAQMO3c+Wj4f3SKCWK/ad8MVr2xHEhCUfoG9g5w4O
+            KprijBL98/nCXnhhseXFQLvlSIeAUcGMSj+nyvIpBVDIOsYPmgYxZDTOajRFQhcT
+            ZfAA36ViPwEz9LKSMvZe1KYHJVwrUsSrCdTZWZtRUb2udiVXCh6bFNd/eTqdMKiz
+            OBWtnYjD/JNpCtQmy+Y6xsy16udvuPZigY7Rb7CGKOoM4F32QUb22yY5DBLZDq+e
+            XCq1cQCZ+CCqHa3+7dqvZcnbTDa1plCdoinRaZNLuT9cKoclIZjFNW7bBbPTnFhx
+            0e8Zs85CJgarEE8K4b+6unBRN1C+awjCCeSXrPCcz59+qIyY/DC5EsjjV/11VTC3
+            WlHrafbOF1umDZ+Vp2ihylQO+gedVKvQ4qPLkweXn0u1UqokoxcCh+FsdUiGeeDp
+            PsRAQukmo60IPfnwVlZqpMVmJJ5gXIUOEZF7BmTvvcRzZIHTtJZFcNjYHyl5+/Un
+            r6CWiJbExYJm6cLVr8ZBA7gCg6XiVmdRQ/edkVfMHBharH0H8PNxd8WCgkelmsPS
+            XgFfQwymmSTaZHewifFWYe75rDJ8TPLmmmR1JCkIK8lJy6vygQ4k+JL6rKekVW/P
+            SYLrwup1QwcZR78gxjr7lzZNbAKij331EoSsO2+O+MQcfJIeUP51G6+UgJkxRfo=
+            =DyBj
+            -----END PGP MESSAGE-----
+          fp: F7D37890228A907440E1FD4846B9228E814A2AAC
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1

secrets/bekkalokk/bekkalokk.yaml

@@ -18,6 +18,8 @@ mediawiki:
         postgres_password: ENC[AES256_GCM,data:FzykBVtJbA+Bey1GE5VqnSuv2GeobH1j,iv:wayQH3+y0FYFkr3JjmulI53SADk0Ikur/2mUS5kFrTk=,tag:d+nQ/se2bDA5aaQfBicnPQ==,type:str]
         cookie_salt: ENC[AES256_GCM,data:BioRPAvL4F9ORBJDFdqHot81RhVpAOf32v1ah3pvOLq8E88bxGyKFQZxAwpIL3UkWQIsWMnEerm5MEMYL1C2OQ==,iv:yMVqiPTQ8hO1IVAax6PIkD0V9YTOEunwDTtnGcmy6Kc=,tag:Z4+bZF4olLlkx7YpXeQiUw==,type:str]
         admin_password: ENC[AES256_GCM,data:4eUXvcO7NLOWke9XShfKzj+x3FvqPONa,iv:3iZ+BTBTZ7yMJ0HT14cEMebKZattWUcYEevRsl/6WOk=,tag:CU0iDhPP2ndztdX5U5A4cw==,type:str]
+roundcube:
+    postgres_password: ENC[AES256_GCM,data:fGHmq6r/ZCeIseHL8/gmm5DfWQYorI3OJq1TW0EHvh7rHL62M4TE+Lrlrmq8AIlmGLSWtO8AQzOP3toxidL6xWX3pcwLxtTefa1gom2oQf6ZL4TbAZLidHksdiro6pWtpMOO66bb8O9eXvZmns4=,iv:Irnb2/bgx8WilDyRLleWfo6HHafZ+vlDEwxIcgm1f18=,tag:eTNBUELmLwO7DsQN9CLX7Q==,type:str]
 idp:
     cookie_salt: ENC[AES256_GCM,data:cyV6HDCPHKQIa8T1+rFBFh6EuHtG5B508lg6uFYENK7qVpYuiTUIokdVQhY8SRLs2mECx/ampgnUHxCRB/Cc/A==,iv:QRrRUhzRQrLkmg38rrYtCEfF8U4/7ZHZUDSEq++BlbI=,tag:fLqFSLd+CKqJvmCh1fx8vg==,type:str]
     admin_password: ENC[AES256_GCM,data:Vf33Oenk6x6BIij1uW8RQDjTPcKhUVYA,iv:RNeyCNpTAYdBPrZwE3Y6CCjoAML/3XUvjfJCrr06IEU=,tag:zVOrx1oXnEyr/VwFCFaCDQ==,type:str]
@@ -95,8 +97,8 @@ sops:
             UHpLRkdQTnhkeGlWVG9VS1hkWktyckEKAdwnA9URLYZ50lMtXrU9Q09d0L3Zfsyr
             4UsvjjdnFtsXwEZ9ZzOQrpiN0Oz24s3csw5KckDni6kslaloJZsLGg==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-09-01T01:33:50Z"
+    lastmodified: "2024-10-12T21:56:27Z"
-    mac: ENC[AES256_GCM,data:PkcOD9hJWD5tILO9PuZkOgIoujt4q2qtHBB9KF8ikrNKo0yw24Jf1ceI5/+BHCxhdi8sF4qQM/zty61zqwNaBsvrsLUkdWDwUDsuJQa1KKZiCEZPqYBc+qGIQ5wNPsU2zJ0c8+wU8H0LtGqKOH9GmaQtTdm0Rt2IcexV823uTjQ=,iv:GYTI85OgqnN8iUc6OOXO7Sz2XIthWJtz8zwMuWutEYs=,tag:2rhfhjXXzZLzoVlkINo0ZQ==,type:str]
+    mac: ENC[AES256_GCM,data:bZ1BbVC6D+B6SFze2ReeCUcQamK/O14zH3YxCjWBwMC++w3niIiEx4Bq7Ulci5yuMld0luVsfUzHoqFN/+zvZbV2rGVk8lVRiTrpFoSZ78aUUgeHG9ROLXsR7T7rVhLWbl86y1G5LcKws7G55V0wAh6f58WjYYzwR8fnBmfW1Ko=,iv:7xtMdtXQB9uZirE/CkUSmeu0qnG++R7DUR7zn/Bo0lM=,tag:DH/BJPpAp//quDqKNXyHcg==,type:str]
     pgp:
         - created_at: "2024-08-04T00:03:28Z"
           enc: |-
@@ -119,4 +121,4 @@ sops:
             -----END PGP MESSAGE-----
           fp: F7D37890228A907440E1FD4846B9228E814A2AAC
     unencrypted_suffix: _unencrypted
-    version: 3.9.0
+    version: 3.9.1

secrets/bicep/matrix.yaml

@@ -6,8 +6,12 @@ coturn:
     static-auth-secret: ENC[AES256_GCM,data:y5cG/LyrorkDH+8YrgcV7DY=,iv:ca90q2J3+NOy51mUBy4TMKfYMgWL4hxWDdsKIuxRBgU=,tag:hpFCns1lpi07paHyGB7tGQ==,type:str]
 mjolnir:
     access_token: ENC[AES256_GCM,data:ERFqZjK7MRD0xWt91FNCIxP1YC6Qj54QgnckHlCTtcQVLWaM1h2h9lHS+K8=,iv:1d7vmFkXAPcsmumzlmOT31amdrKLWtL5sJiS8G9g+LE=,tag:2l0vWzJ6P12ofuBdf5CCWw==,type:str]
-registrations:
+discord:
-    mx-puppet-discord: ENC[AES256_GCM,data:FleyXxgOmc05nTP6M2DBJlacufN3p/05eZm4kB8+K4ci0k24o3zli988wlM/kyeZmxu4pgQlJ3lNLte4uip2hBXHWG5t5Ldzmr7bNCUD+r7nM+I1lfNkrDROPZ54bHysmn9O5CHpEa16rSo6RJgncIPqsLJxTwjC7qZlkOpzqvMhkq/MHCVOpvg0M/6AUR+AlSZoggujBMoXLznQNQapN13foEsbuo/QxjszM/ObGmhYMVyaS+TDBXzQLA8Yuj50Q/gZCIINWZ4G2qmgsGxxNR4I+usUQml/jxCtIXS4zn/ettXfL9G4Fdm2F9u1v11DehtTGa5xoxDq94M9rIxOqeJpvgEQEyyKAyFUIrlINfGl7tAj4Zu7+9Z8JTRAnppjM1q8iInwn/Z2L9KgB0YFi/Go1whgXly+TH6hpreo7m5klXV/ff/aV3ghOgFCGA8nBrZFqE8Uw268q9tV1s1dxCb6TbpGf19V5c9MD6BsCIVeoq+j9I/I8iZpzg2Reb4IlHhMDwbwsL2w2ks30wiZ9XO/CFrXDY4uBlI=,iv:3vvkGvldS8Raibg6tzlV8VY1O9NCLxSuNX/lwi1QgiA=,tag:D/noIsE3xlOiYM6Pk+cc8Q==,type:str]
+    as_token: ENC[AES256_GCM,data:cnPZjBbODZUA1p0kLNeWpKh1oGkDPxDw/g7163XnoRCIgpqk,iv:Uu4L36uDPMBgzdXE2Lt9U0qrBSl3Xuufh1313BD8B/U=,tag:nTm6s7IGd4vNzZ95mfxDpA==,type:str]
+    hs_token: ENC[AES256_GCM,data:UzcaNsJtJPKvFT4gQDNfat0nmyJzmQ6OcSI73pANibzOVrWl,iv:ujgRM2jb1rbeloPB4UPLBEvQ7uue4a+bHiqsZAHIqtk=,tag:uIfuaTWSTeVvpQx5o28HPA==,type:str]
+hookshot:
+    as_token: ENC[AES256_GCM,data:L4vEw5r4RhcgritOeDTLHN5E/dM=,iv:pC8BLzxf6NaVAGsotoq6chOceBVdMLvrsQn1LGw9H9w=,tag:SI3CDFHAvgQZEvf/oms3EA==,type:str]
+    hs_token: ENC[AES256_GCM,data:2ufSJfYzzAB5IO+edwKSra5d/+M=,iv:cmTycGzNL+IeRRKZGbkhTtiksYTtbxED0k0B5haFw7k=,tag:FmWe5sGi9rlapUeAE6lKvg==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -68,8 +72,8 @@ sops:
             WEh5NFN6SFF1TlltdWFWTGw4MHRHUkUKrKIvC87xjEmwxPQhH8dN+ZuaJTCgPY28
             pR62KxmoKFICLTHPpYP3euiAx5M9BWvgvCnA/US/5klpk8MtlreNFA==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-09-27T04:34:10Z"
+    lastmodified: "2024-10-13T23:30:01Z"
-    mac: ENC[AES256_GCM,data:FACb/Ow4s6dqjghAphCa1ZwIwX7+CRhIudQ9UlDtxB+4Bdpa/T0l73oaMa5lmmyCEyuVM3HXOFcm4I/urLtvaN+QQoqRYnUHKkdNYFhayGpeckZUNu7JWsFsQWk0kfKZEDqHIBoee7xBVzrVtRJeKVWv+JPlch4NVOakm3MitZA=,iv:rvve5MRDpDD/FblN8KaQ2PvxsYZSQPSw5oDfyko/Nvs=,tag:vuB0jYmO6AiNtZuSJ3ipBQ==,type:str]
+    mac: ENC[AES256_GCM,data:vdsAZmg7gPqzeucBhLhPemtRVkcxRecIdB6PXZ4paU+Uv5UorBKcTZ3jseN2cLi6ot3ycTIm+UI6uhlCy87vAJVynVJhuJS+ICFRS2+DfoVyuttLjZQGC2sr3+dEBHxIH7sZJSo9PIzbIWw3qHrpOPAZj0//1pFyp/k15k3vidM=,iv:jWtV+WAPt08lgdrVvtXOl35rDB4QflkZWuGBW1+ESyw=,tag:YxSHncZZOAW5uDxXtb/krw==,type:str]
     pgp:
         - created_at: "2024-08-04T00:03:46Z"
           enc: |-

values.nix

@@ -27,6 +27,10 @@ in rec {
     gateway = pvv-ipv4 129;
     gateway6 = pvv-ipv6 1;
 
+    bakke = {
+      ipv4 = pvv-ipv4 173;
+      ipv6 = pvv-ipv6 173;
+    };
     bekkalokk = {
       ipv4 = pvv-ipv4 168;
       ipv6 = pvv-ipv6 168;