flake update

Co-authored-by: Daniel Olsen <daniel.olsen99@gmail.com>

README.MD

@@ -26,10 +26,14 @@ Det er sikkert lurt å lage en PR først om du ikke er vandt til nix enda.
 Innen 24h skal alle systemene hente ned den nye konfigurasjonen og deploye den.
 
 Du kan tvinge en maskin til å oppdatere seg før dette ved å kjøre:
-`nixos-rebuild switch --update-input nixpkgs --update-input nixpkgs-unstable --no-write-lock-file --refresh --flake git+https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git --upgrade`
+`nixos-rebuild switch --update-input nixpkgs --update-input nixpkgs-unstable --no-write-lock-file --refresh --upgrade --flake git+https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git`
 
 som root på maskinen.
 
+Hvis du ikke har lyst til å oppdatere alle pakkene (og kanskje måtte vente en stund!) kan du kjøre
+
+`nixos-rebuild switch --override-input nixpkgs nixpkgs --override-input nixpkgs-unstable nixpkgs-unstable --flake git+https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git`
+
 ## Seksjonen for hemmeligheter
 
 For at hemmeligheter ikke skal deles med hele verden i git - eller å være world

base/default.nix

@@ -1,4 +1,4 @@
-{ pkgs, ... }:
+{ pkgs, lib, ... }:
 
 {
   imports = [
@@ -14,10 +14,13 @@
     ./services/logrotate.nix
     ./services/nginx.nix
     ./services/openssh.nix
+    ./services/postfix.nix
     ./services/smartd.nix
     ./services/thermald.nix
   ];
 
+  boot.tmp.cleanOnBoot = lib.mkDefault true;
+
   time.timeZone = "Europe/Oslo";
 
   i18n.defaultLocale = "en_US.UTF-8";
@@ -44,6 +47,11 @@
 
   programs.zsh.enable = true;
 
+  security.sudo.execWheelOnly = true;
+  security.sudo.extraConfig = ''
+    Defaults lecture = never
+  '';
+
   users.groups."drift".name = "drift";
 
   # Trusted users on the nix builder machines

base/networking.nix

@@ -1,16 +1,13 @@
 { lib, values, ... }:
 {
+  systemd.network.enable = true;
   networking.domain = "pvv.ntnu.no";
   networking.useDHCP = false;
-  # networking.search = [ "pvv.ntnu.no" "pvv.org" ];
-  # networking.nameservers = lib.mkDefault [ "129.241.0.200" "129.241.0.201" ];
-  # networking.tempAddresses = lib.mkDefault "disabled";
-  # networking.defaultGateway = values.hosts.gateway;
 
-  systemd.network.enable = true;
+  # The rest of the networking configuration is usually sourced from /values.nix
 
   services.resolved = {
     enable = lib.mkDefault true;
     dnssec = "false"; # Supposdly this keeps breaking and the default is to allow downgrades anyways...
   };
-}
+}

base/nix.nix

@@ -23,8 +23,12 @@
     */
     registry = {
       "nixpkgs".flake = inputs.nixpkgs;
+      "nixpkgs-unstable".flake = inputs.nixpkgs-unstable;
       "pvv-nix".flake = inputs.self;
     };
-    nixPath = [ "nixpkgs=${inputs.nixpkgs}" ];
+    nixPath = [
+      "nixpkgs=${inputs.nixpkgs}"
+      "unstable=${inputs.nixpkgs-unstable}"
+    ];
   };
-}
+}

base/services/auto-upgrade.nix

@@ -1,12 +1,26 @@
-{ ... }:
+{ inputs, pkgs, lib, ... }:
 {
   system.autoUpgrade = {
     enable = true;
     flake = "git+https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git";
     flags = [
-      "--update-input" "nixpkgs"
-      "--update-input" "nixpkgs-unstable"
+      # --update-input is deprecated since nix 2.22, and removed in lix 2.90
+      # https://git.lix.systems/lix-project/lix/issues/400
+      "--refresh"
+      "--override-input" "nixpkgs" "github:nixos/nixpkgs/nixos-24.05-small"
+      "--override-input" "nixpkgs-unstable" "github:nixos/nixpkgs/nixos-unstable-small"
       "--no-write-lock-file"
     ];
   };
-}
+
+  # workaround for https://github.com/NixOS/nix/issues/6895
+  # via https://git.lix.systems/lix-project/lix/issues/400
+  environment.etc."current-system-flake-inputs.json".source
+    = pkgs.writers.writeJSON "flake-inputs.json" (
+      lib.flip lib.mapAttrs inputs (name: input:
+        # inputs.*.sourceInfo sans outPath, since writeJSON will otherwise serialize sourceInfo like a derivation
+        lib.removeAttrs (input.sourceInfo or {}) [ "outPath" ]
+          // { store-path = input.outPath; } # comment this line if you don't want to retain a store reference to the flake inputs
+      )
+    );
+}

base/services/openssh.nix

@@ -2,6 +2,7 @@
 {
   services.openssh = {
     enable = true;
+    startWhenNeeded = true;
     extraConfig = ''
       PubkeyAcceptedAlgorithms=+ssh-rsa
       Match Group wheel
@@ -9,5 +10,12 @@
       Match All
     '';
     settings.PermitRootLogin = "yes";
+
   };
-}
+    users.users."root".openssh.authorizedKeys.keys = [
+      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCqVt4LCe0YIttr9swFxjkjn37ZDY9JxwVC+2gvfSINDJorOCtqPjDOTD2fTS1Gz08QCwpnLWq2kyvRchu6WgriAbSACpbZZBgxRaF/FVh3oiMVFGnNKGnv6/fdo/vZtu8mUVuqtmTrgLYpZdbR4oD3XiBlDKs7Cv5hPqt95lnP6MNFvE8mICCfd1PwhsABd2IQ5laz3u77/RXhNFJL0Kf2/+6gk9awcLuwHrPdvq7c3BxRHbc9UMRQENyjyQPa7aLe+uJBFLKP51I8VBuDpDacuibQx7nMt6N2UJ2KWI0JxRMHuJNq4S5jidR82aOw9gzGbTv30SKNLMqsZ0xj4LtdqCXDiZF6Lr09PsJYsvnBUFWa14HGcThKDtgwQwBryNViYmfv//0h9+RLZiU0ab+NEwSs7Zh5iAD+vhx64QqNX3tR7Le4SWXh8W0eShU9N78qYdSkiC3Ui7htxeqOocXM/P4AwbnHsLELIvkHdvgchCPvl8ygZa4WJTEWv16+ICskJcAKWGuqjvXAFuwjJJmPp9xLW9O0DFfQhMELiGamQR9wK07yYQVr34iah6qZO7cwhSKyEPFrVPIaNtfDhsjED639F7vmktf26SWNJHWfW0wOHILjI6TgqUvy0JDd8W8w0CHlAfz6Fs2l99NNgNF8dB3vBASbxS0hu/y0PVu/xQ== openstack-sleipner"
+
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICCbgJ0Uwh9VSVhfId7l9i5/jk4CvAK5rbkiab8R+moF root@sleipner"
+    ];
+}
+

base/services/postfix.nix

@@ -0,0 +1,23 @@
+{ config, pkgs, lib, ... }:
+let
+  cfg = config.services.postfix;
+in
+{
+  services.postfix = {
+    enable = true;
+
+    hostname = "${config.networking.hostName}.pvv.ntnu.no";
+    domain = "pvv.ntnu.no";
+
+    relayHost = "smtp.pvv.ntnu.no";
+    relayPort = 465;
+
+    config = {
+      smtp_tls_wrappermode = "yes";
+      smtp_tls_security_level = "encrypt";
+    };
+
+    # Nothing should be delivered to this machine
+    destination = [ ];
+  };
+}

flake.lock

@@ -7,11 +7,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1715445235,
-        "narHash": "sha256-SUu+oIWn+xqQIOlwfwNfS9Sek4i1HKsrLJchsDReXwA=",
+        "lastModified": 1728763831,
+        "narHash": "sha256-KOp33tls7jRAhcmu77aVxKpSMou8QgK0BC+Y3sYLuGo=",
         "owner": "nix-community",
         "repo": "disko",
-        "rev": "159d87ea5b95bbdea46f0288a33c5e1570272725",
+        "rev": "b6215392ec3bd05e9ebfbb2f7945c414096fce8f",
         "type": "github"
       },
       "original": {
@@ -29,11 +29,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1713887124,
-        "narHash": "sha256-hGTSm0p9xXUYDgsAAr/ORZICo6T6u33vLfX3tILikaQ=",
+        "lastModified": 1725463969,
+        "narHash": "sha256-d3c1TAlIN1PtK+oQP1wO6XbDfmR4SUp/C/4s7G46ARo=",
         "owner": "GuillaumeDesforges",
         "repo": "fix-python",
-        "rev": "f7f4b33e22414071fc1f9cbf68072c413c3a7fdf",
+        "rev": "2926402234c3f99aa8e4608c51d9ffa73ea403c0",
         "type": "github"
       },
       "original": {
@@ -63,21 +63,21 @@
       "inputs": {
         "fix-python": "fix-python",
         "nixpkgs": [
-          "nixpkgs-unstable"
+          "nixpkgs"
         ]
       },
       "locked": {
-        "lastModified": 1715364232,
-        "narHash": "sha256-ZJC3SkanEgbV7p+LFhP+85CviRWOXJNHzZwR/Stb7hE=",
-        "owner": "Programvareverkstedet",
-        "repo": "grzegorz",
-        "rev": "3841cda1cdcac470440b06838d56a2eb2256378c",
-        "type": "github"
+        "lastModified": 1726861911,
+        "narHash": "sha256-pXPmVp4AgszzJXlLjj8r9NxoDvxoV4USGaiMwqCyb4M=",
+        "ref": "refs/heads/master",
+        "rev": "d10db19d7df5c5c2cd2dcb878376d5d681f6c2f2",
+        "revCount": 94,
+        "type": "git",
+        "url": "https://git.pvv.ntnu.no/Projects/grzegorz.git"
       },
       "original": {
-        "owner": "Programvareverkstedet",
-        "repo": "grzegorz",
-        "type": "github"
+        "type": "git",
+        "url": "https://git.pvv.ntnu.no/Projects/grzegorz.git"
       }
     },
     "grzegorz-clients": {
@@ -87,17 +87,17 @@
         ]
       },
       "locked": {
-        "lastModified": 1715384651,
-        "narHash": "sha256-7RhckgUTjqeCjWkhiCc1iB+5CBx9fl80d/3O4Jh+5kM=",
-        "owner": "Programvareverkstedet",
-        "repo": "grzegorz-clients",
-        "rev": "738a4f3dd887f7c3612e4e772b83cbfa3cde5693",
-        "type": "github"
+        "lastModified": 1726861934,
+        "narHash": "sha256-lOzPDwktd+pwszUTbpUdQg6iCzInS11fHLfkjmnvJrM=",
+        "ref": "refs/heads/master",
+        "rev": "546d921ec46735dbf876e36f4af8df1064d09432",
+        "revCount": 78,
+        "type": "git",
+        "url": "https://git.pvv.ntnu.no/Projects/grzegorz-clients.git"
       },
       "original": {
-        "owner": "Programvareverkstedet",
-        "repo": "grzegorz-clients",
-        "type": "github"
+        "type": "git",
+        "url": "https://git.pvv.ntnu.no/Projects/grzegorz-clients.git"
       }
     },
     "matrix-next": {
@@ -107,20 +107,35 @@
         ]
       },
       "locked": {
-        "lastModified": 1717234745,
-        "narHash": "sha256-MFyKRdw4WQD6V3vRGbP6MYbtJhZp712zwzjW6YiOBYM=",
+        "lastModified": 1727410897,
+        "narHash": "sha256-tWsyxvf421ieWUJYgjV7m1eTdr2ZkO3vId7vmtvfFpQ=",
         "owner": "dali99",
         "repo": "nixos-matrix-modules",
-        "rev": "d7dc42c9bbb155c5e4aa2f0985d0df75ce978456",
+        "rev": "ff787d410cba17882cd7b6e2e22cc88d4064193c",
         "type": "github"
       },
       "original": {
         "owner": "dali99",
-        "ref": "v0.6.0",
+        "ref": "v0.6.1",
         "repo": "nixos-matrix-modules",
         "type": "github"
       }
     },
+    "minecraft-data": {
+      "locked": {
+        "lastModified": 1725277886,
+        "narHash": "sha256-Fw4VbbE3EfypQWSgPDFfvVH47BHeg3ptsO715NlUM8Q=",
+        "ref": "refs/heads/master",
+        "rev": "1b4087bd3322a2e2ba84271c8fcc013e6b641a58",
+        "revCount": 2,
+        "type": "git",
+        "url": "https://git.pvv.ntnu.no/Drift/minecraft-data.git"
+      },
+      "original": {
+        "type": "git",
+        "url": "https://git.pvv.ntnu.no/Drift/minecraft-data.git"
+      }
+    },
     "nix-gitea-themes": {
       "inputs": {
         "nixpkgs": [
@@ -143,48 +158,50 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1719520878,
-        "narHash": "sha256-5BXzNOl2RVHcfS/oxaZDKOi7gVuTyWPibQG0DHd5sSc=",
+        "lastModified": 1728843132,
+        "narHash": "sha256-VWIF1sMD6MJZyB+x5z0ZpirQdH8Cqb3avboq1VfSjRg=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "a44bedbb48c367f0476e6a3a27bf28f6330faf23",
+        "rev": "414e01b61f0015e49353a6104824b9385a430a5d",
         "type": "github"
       },
       "original": {
-        "id": "nixpkgs",
+        "owner": "NixOS",
         "ref": "nixos-24.05-small",
-        "type": "indirect"
+        "repo": "nixpkgs",
+        "type": "github"
       }
     },
     "nixpkgs-stable": {
       "locked": {
-        "lastModified": 1714858427,
-        "narHash": "sha256-tCxeDP4C1pWe2rYY3IIhdA40Ujz32Ufd4tcrHPSKx2M=",
+        "lastModified": 1728156290,
+        "narHash": "sha256-uogSvuAp+1BYtdu6UWuObjHqSbBohpyARXDWqgI12Ss=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "b980b91038fc4b09067ef97bbe5ad07eecca1e76",
+        "rev": "17ae88b569bb15590549ff478bab6494dde4a907",
         "type": "github"
       },
       "original": {
         "owner": "NixOS",
-        "ref": "release-23.11",
+        "ref": "release-24.05",
         "repo": "nixpkgs",
         "type": "github"
       }
     },
     "nixpkgs-unstable": {
       "locked": {
-        "lastModified": 1715435713,
-        "narHash": "sha256-lb2HqDQGfTdnCCpc1pgF6fkdgIOuBQ0nP8jjVSfLFqg=",
+        "lastModified": 1728805616,
+        "narHash": "sha256-CfPKX2yaHwTOpGqcul89N12zjRfZ8GOSxG24/Ao9BcQ=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "52b40f6c4be12742b1504ca2eb4527e597bf2526",
+        "rev": "73057677e8557925e999ac54196423fa34418c24",
         "type": "github"
       },
       "original": {
-        "id": "nixpkgs",
+        "owner": "NixOS",
         "ref": "nixos-unstable-small",
-        "type": "indirect"
+        "repo": "nixpkgs",
+        "type": "github"
       }
     },
     "pvv-calendar-bot": {
@@ -214,11 +231,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1722722932,
-        "narHash": "sha256-K81a2GQpY2kRX+C9ek9r91THlZB674CqRTSMMb5IO7E=",
+        "lastModified": 1725212759,
+        "narHash": "sha256-yZBsefIarFUEhFRj+rCGMp9Zvag3MCafqV/JfGVRVwc=",
         "ref": "refs/heads/master",
-        "rev": "6580cfe546c902cdf11e17b0b8aa30b3c412bb34",
-        "revCount": 465,
+        "rev": "e7b66b4bc6a89bab74bac45b87e9434f5165355f",
+        "revCount": 473,
         "type": "git",
         "url": "https://git.pvv.ntnu.no/Projects/nettsiden.git"
       },
@@ -233,6 +250,7 @@
         "grzegorz": "grzegorz",
         "grzegorz-clients": "grzegorz-clients",
         "matrix-next": "matrix-next",
+        "minecraft-data": "minecraft-data",
         "nix-gitea-themes": "nix-gitea-themes",
         "nixpkgs": "nixpkgs",
         "nixpkgs-unstable": "nixpkgs-unstable",
@@ -249,11 +267,11 @@
         "nixpkgs-stable": "nixpkgs-stable"
       },
       "locked": {
-        "lastModified": 1715244550,
-        "narHash": "sha256-ffOZL3eaZz5Y1nQ9muC36wBCWwS1hSRLhUzlA9hV2oI=",
+        "lastModified": 1728345710,
+        "narHash": "sha256-lpunY1+bf90ts+sA2/FgxVNIegPDKCpEoWwOPu4ITTQ=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "0dc50257c00ee3c65fef3a255f6564cfbfe6eb7f",
+        "rev": "06535d0e3d0201e6a8080dd32dbfde339b94f01b",
         "type": "github"
       },
       "original": {

flake.nix

@@ -2,8 +2,8 @@
   description = "PVV System flake";
 
   inputs = {
-    nixpkgs.url = "nixpkgs/nixos-24.05-small";
-    nixpkgs-unstable.url = "nixpkgs/nixos-unstable-small";
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05-small"; # remember to also update the url in base/services/auto-upgrade.nix
+    nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable-small";
 
     sops-nix.url = "github:Mic92/sops-nix";
     sops-nix.inputs.nixpkgs.follows = "nixpkgs";
@@ -17,16 +17,18 @@
     pvv-calendar-bot.url = "git+https://git.pvv.ntnu.no/Projects/calendar-bot.git";
     pvv-calendar-bot.inputs.nixpkgs.follows = "nixpkgs";
 
-    matrix-next.url = "github:dali99/nixos-matrix-modules/v0.6.0";
+    matrix-next.url = "github:dali99/nixos-matrix-modules/v0.6.1";
     matrix-next.inputs.nixpkgs.follows = "nixpkgs";
 
     nix-gitea-themes.url = "git+https://git.pvv.ntnu.no/oysteikt/nix-gitea-themes.git";
     nix-gitea-themes.inputs.nixpkgs.follows = "nixpkgs";
 
-    grzegorz.url = "github:Programvareverkstedet/grzegorz";
-    grzegorz.inputs.nixpkgs.follows = "nixpkgs-unstable";
-    grzegorz-clients.url = "github:Programvareverkstedet/grzegorz-clients";
+    grzegorz.url = "git+https://git.pvv.ntnu.no/Projects/grzegorz.git";
+    grzegorz.inputs.nixpkgs.follows = "nixpkgs";
+    grzegorz-clients.url = "git+https://git.pvv.ntnu.no/Projects/grzegorz-clients.git";
     grzegorz-clients.inputs.nixpkgs.follows = "nixpkgs";
+
+    minecraft-data.url = "git+https://git.pvv.ntnu.no/Drift/minecraft-data.git";
   };
 
   outputs = { self, nixpkgs, nixpkgs-unstable, sops-nix, disko, ... }@inputs:
@@ -55,7 +57,7 @@
         rec {
           system = "x86_64-linux";
           specialArgs = {
-            inherit nixpkgs-unstable inputs;
+            inherit unstablePkgs inputs;
             values = import ./values.nix;
           };
 
@@ -92,6 +94,7 @@
             heimdal = unstablePkgs.heimdal;
             mediawiki-extensions = final.callPackage ./packages/mediawiki-extensions { };
             simplesamlphp = final.callPackage ./packages/simplesamlphp { };
+            bluemap = final.callPackage ./packages/bluemap.nix { };
           })
           inputs.nix-gitea-themes.overlays.default
           inputs.pvv-nettsiden.overlays.default
@@ -123,7 +126,6 @@
           inputs.grzegorz-clients.nixosModules.grzegorz-webui
         ];
       };
-      buskerud = stableNixosConfig "buskerud" { };
     };
 
     nixosModules = {

hosts/bekkalokk/configuration.nix

@@ -6,6 +6,7 @@
     ../../base
     ../../misc/metrics-exporters.nix
 
+    ./services/bluemap/default.nix
     ./services/gitea/default.nix
     ./services/idp-simplesamlphp
     ./services/kerberos

hosts/bekkalokk/services/bluemap/default.nix

@@ -0,0 +1,83 @@
+{ config, lib, pkgs, inputs, ... }:
+let
+  vanillaSurvival = "/var/lib/bluemap/vanilla_survival_world";
+in {
+  imports = [
+    ./module.nix # From danio, pending upstreaming
+  ];
+
+  disabledModules = [ "services/web-servers/bluemap.nix" ];
+
+  sops.secrets."bluemap/ssh-key" = { };
+  sops.secrets."bluemap/ssh-known-hosts" = { };
+
+  services.bluemap = {
+    enable = true;
+    eula = true;
+    onCalendar = "*-*-* 05:45:00"; # a little over an hour after auto-upgrade
+
+    host = "minecraft.pvv.ntnu.no";
+
+    maps = {
+      "verden" = {
+        settings = {
+          world = vanillaSurvival;
+          sorting = 0;
+          ambient-light = 0.1;
+          cave-detection-ocean-floor = -5;
+          marker-sets = inputs.minecraft-data.map-markers.vanillaSurvival.verden;
+        };
+      };
+      "underverden" = {
+        settings = {
+          world = "${vanillaSurvival}/DIM-1";
+          sorting = 100;
+          sky-color = "#290000";
+          void-color = "#150000";
+          ambient-light = 0.6;
+          world-sky-light = 0;
+          remove-caves-below-y = -10000;
+          cave-detection-ocean-floor = -5;
+          cave-detection-uses-block-light = true;
+          max-y = 90;
+          marker-sets = inputs.minecraft-data.map-markers.vanillaSurvival.underverden;
+        };
+      };
+      "enden" = {
+        settings = {
+          world = "${vanillaSurvival}/DIM1";
+          sorting = 200;
+          sky-color = "#080010";
+          void-color = "#080010";
+          ambient-light = 0.6;
+          world-sky-light = 0;
+          remove-caves-below-y = -10000;
+          cave-detection-ocean-floor = -5;
+        };
+      };
+    };
+  };
+
+  services.nginx.virtualHosts."minecraft.pvv.ntnu.no" = {
+    enableACME = true;
+    forceSSL = true;
+  };
+
+  # TODO: render somewhere else lmao
+  systemd.services."render-bluemap-maps" = {
+    preStart = ''
+      mkdir -p /var/lib/bluemap/world
+      ${pkgs.rsync}/bin/rsync \
+        -e "${pkgs.openssh}/bin/ssh -o UserKnownHostsFile=$CREDENTIALS_DIRECTORY/ssh-known-hosts -i $CREDENTIALS_DIRECTORY/sshkey" \
+        -avz --no-owner --no-group \
+        root@innovation.pvv.ntnu.no:/ \
+        ${vanillaSurvival}
+    '';
+    serviceConfig = {
+      LoadCredential = [
+        "sshkey:${config.sops.secrets."bluemap/ssh-key".path}"
+        "ssh-known-hosts:${config.sops.secrets."bluemap/ssh-known-hosts".path}"
+      ];
+    };
+  };
+}

hosts/bekkalokk/services/bluemap/module.nix

@@ -0,0 +1,343 @@
+{ config, lib, pkgs, ... }:
+let
+  cfg = config.services.bluemap;
+  format = pkgs.formats.hocon { };
+
+  coreConfig = format.generate "core.conf" cfg.coreSettings;
+  webappConfig = format.generate "webapp.conf" cfg.webappSettings;
+  webserverConfig = format.generate "webserver.conf" cfg.webserverSettings;
+
+  storageFolder = pkgs.linkFarm "storage"
+    (lib.attrsets.mapAttrs' (name: value:
+      lib.nameValuePair "${name}.conf"
+        (format.generate "${name}.conf" value))
+      cfg.storage);
+
+  mapsFolder = pkgs.linkFarm "maps"
+    (lib.attrsets.mapAttrs' (name: value:
+      lib.nameValuePair "${name}.conf"
+        (format.generate "${name}.conf" value.settings))
+      cfg.maps);
+
+  webappConfigFolder = pkgs.linkFarm "bluemap-config" {
+    "maps" = mapsFolder;
+    "storages" = storageFolder;
+    "core.conf" = coreConfig;
+    "webapp.conf" = webappConfig;
+    "webserver.conf" = webserverConfig;
+    "packs" = cfg.resourcepacks;
+    "addons" = cfg.resourcepacks; # TODO
+  };
+
+  renderConfigFolder = name: value: pkgs.linkFarm "bluemap-${name}-config" {
+    "maps" = pkgs.linkFarm "maps" {
+      "${name}.conf" = (format.generate "${name}.conf" value.settings);
+    };
+    "storages" = storageFolder;
+    "core.conf" = coreConfig;
+    "webapp.conf" = format.generate "webapp.conf" (cfg.webappSettings // { "update-settings-file" = false; });
+    "webserver.conf" = webserverConfig;
+    "packs" = value.resourcepacks;
+    "addons" = cfg.resourcepacks; # TODO
+  };
+
+  inherit (lib) mkOption;
+in {
+  options.services.bluemap = {
+    enable = lib.mkEnableOption "bluemap";
+
+    eula = mkOption {
+      type = lib.types.bool;
+      description = ''
+        By changing this option to true you confirm that you own a copy of minecraft Java Edition,
+        and that you agree to minecrafts EULA.
+      '';
+      default = false;
+    };
+
+    defaultWorld = mkOption {
+      type = lib.types.path;
+      description = ''
+        The world used by the default map ruleset.
+        If you configure your own maps you do not need to set this.
+      '';
+      example = lib.literalExpression "\${config.services.minecraft.dataDir}/world";
+    };
+
+    enableRender = mkOption {
+      type = lib.types.bool;
+      description = "Enable rendering";
+      default = true;
+    };
+
+    webRoot = mkOption {
+      type = lib.types.path;
+      default = "/var/lib/bluemap/web";
+      description = "The directory for saving and serving the webapp and the maps";
+    };
+
+    enableNginx = mkOption {
+      type = lib.types.bool;
+      default = true;
+      description = "Enable configuring a virtualHost for serving the bluemap webapp";
+    };
+
+    host = mkOption {
+      type = lib.types.str;
+      default = "bluemap.${config.networking.domain}";
+      defaultText = lib.literalExpression "bluemap.\${config.networking.domain}";
+      description = "Domain to configure nginx for";
+    };
+
+    onCalendar = mkOption {
+      type = lib.types.str;
+      description = ''
+        How often to trigger rendering the map,
+        in the format of a systemd timer onCalendar configuration.
+        See {manpage}`systemd.timer(5)`.
+      '';
+      default = "*-*-* 03:10:00";
+    };
+
+    coreSettings = mkOption {
+      type = lib.types.submodule {
+        freeformType = format.type;
+        options = {
+          data = mkOption {
+            type = lib.types.path;
+            description = "Folder for where bluemap stores its data";
+            default = "/var/lib/bluemap";
+          };
+          metrics = lib.mkEnableOption "Sending usage metrics containing the version of bluemap in use";
+        };
+      };
+      description = "Settings for the core.conf file, [see upstream docs](https://github.com/BlueMap-Minecraft/BlueMap/blob/master/BlueMapCommon/src/main/resources/de/bluecolored/bluemap/config/core.conf).";
+    };
+
+    webappSettings = mkOption {
+      type = lib.types.submodule {
+        freeformType = format.type;
+      };
+      default = {
+        enabled = true;
+        webroot = cfg.webRoot;
+      };
+      defaultText = lib.literalExpression ''
+        {
+          enabled = true;
+          webroot = config.services.bluemap.webRoot;
+        }
+      '';
+      description = "Settings for the webapp.conf file, see [upstream docs](https://github.com/BlueMap-Minecraft/BlueMap/blob/master/BlueMapCommon/src/main/resources/de/bluecolored/bluemap/config/webapp.conf).";
+    };
+
+    webserverSettings = mkOption {
+      type = lib.types.submodule {
+        freeformType = format.type;
+        options = {
+          enabled = mkOption {
+            type = lib.types.bool;
+            description = ''
+              Enable bluemap's built-in webserver.
+              Disabled by default in nixos for use of nginx directly.
+            '';
+            default = false;
+          };
+        };
+      };
+      default = { };
+      description = ''
+        Settings for the webserver.conf file, usually not required.
+        [See upstream docs](https://github.com/BlueMap-Minecraft/BlueMap/blob/master/BlueMapCommon/src/main/resources/de/bluecolored/bluemap/config/webserver.conf).
+      '';
+    };
+
+    maps = mkOption {
+      type = lib.types.attrsOf (lib.types.submodule {
+        options = {
+          resourcepacks = mkOption {
+            type = lib.types.path;
+            default = cfg.resourcepacks;
+            defaultText = lib.literalExpression "config.services.bluemap.resourcepacks";
+            description = "A set of resourcepacks/mods to extract models from loaded in alphabetical order";
+          };
+          settings = mkOption {
+            type = (lib.types.submodule {
+              freeformType = format.type;
+              options = {
+                world = mkOption {
+                  type = lib.types.path;
+                  description = "Path to world folder containing the dimension to render";
+                };
+              };
+            });
+            description = ''
+              Settings for files in `maps/`.
+              See the default for an example with good options for the different world types.
+              For valid values [consult upstream docs](https://github.com/BlueMap-Minecraft/BlueMap/blob/master/BlueMapCommon/src/main/resources/de/bluecolored/bluemap/config/maps/map.conf).
+            '';
+          };
+        };
+      });
+      default = {
+        "overworld".settings = {
+          world = "${cfg.defaultWorld}";
+          ambient-light = 0.1;
+          cave-detection-ocean-floor = -5;
+        };
+
+        "nether".settings = {
+          world = "${cfg.defaultWorld}/DIM-1";
+          sorting = 100;
+          sky-color = "#290000";
+          void-color = "#150000";
+          ambient-light = 0.6;
+          world-sky-light = 0;
+          remove-caves-below-y = -10000;
+          cave-detection-ocean-floor = -5;
+          cave-detection-uses-block-light = true;
+          max-y = 90;
+        };
+
+        "end".settings = {
+          world = "${cfg.defaultWorld}/DIM1";
+          sorting = 200;
+          sky-color = "#080010";
+          void-color = "#080010";
+          ambient-light = 0.6;
+          world-sky-light = 0;
+          remove-caves-below-y = -10000;
+          cave-detection-ocean-floor = -5;
+        };
+      };
+      defaultText = lib.literalExpression ''
+        {
+          "overworld".settings = {
+            world = "''${cfg.defaultWorld}";
+            ambient-light = 0.1;
+            cave-detection-ocean-floor = -5;
+          };
+
+          "nether".settings = {
+            world = "''${cfg.defaultWorld}/DIM-1";
+            sorting = 100;
+            sky-color = "#290000";
+            void-color = "#150000";
+            ambient-light = 0.6;
+            world-sky-light = 0;
+            remove-caves-below-y = -10000;
+            cave-detection-ocean-floor = -5;
+            cave-detection-uses-block-light = true;
+            max-y = 90;
+          };
+
+          "end".settings = {
+            world = "''${cfg.defaultWorld}/DIM1";
+            sorting = 200;
+            sky-color = "#080010";
+            void-color = "#080010";
+            ambient-light = 0.6;
+            world-sky-light = 0;
+            remove-caves-below-y = -10000;
+            cave-detection-ocean-floor = -5;
+          };
+        };
+      '';
+      description = ''
+        map-specific configuration.
+        These correspond to views in the webapp and are usually
+        different dimension of a world or different render settings of the same dimension.
+        If you set anything in this option you must configure all dimensions yourself!
+      '';
+    };
+
+    storage = mkOption {
+      type = lib.types.attrsOf (lib.types.submodule {
+        freeformType = format.type;
+        options = {
+          storage-type = mkOption {
+            type = lib.types.enum [ "FILE" "SQL" ];
+            description = "Type of storage config";
+            default = "FILE";
+          };
+        };
+      });
+      description = ''
+        Where the rendered map will be stored.
+        Unless you are doing something advanced you should probably leave this alone and configure webRoot instead.
+        [See upstream docs](https://github.com/BlueMap-Minecraft/BlueMap/tree/master/BlueMapCommon/src/main/resources/de/bluecolored/bluemap/config/storages)
+      '';
+      default = {
+        "file" = {
+          root = "${cfg.webRoot}/maps";
+        };
+      };
+      defaultText = lib.literalExpression ''
+        {
+          "file" = {
+            root = "''${config.services.bluemap.webRoot}/maps";
+          };
+        }
+      '';
+    };
+
+    resourcepacks = mkOption {
+      type = lib.types.path;
+      default = pkgs.linkFarm "resourcepacks" { };
+      description = ''
+        A set of resourcepacks/mods to extract models from loaded in alphabetical order.
+        Can be overriden on a per-map basis with `services.bluemap.maps.<name>.resourcepacks`.
+      '';
+    };
+  };
+
+
+  config = lib.mkIf cfg.enable {
+    assertions =
+      [ { assertion = config.services.bluemap.eula;
+          message = ''
+            You have enabled bluemap but have not accepted minecraft's EULA.
+            You can achieve this through setting `services.bluemap.eula = true`
+          '';
+        }
+      ];
+
+    services.bluemap.coreSettings.accept-download = cfg.eula;
+
+    systemd.services."render-bluemap-maps" = lib.mkIf cfg.enableRender {
+      serviceConfig = {
+        Type = "oneshot";
+        Group = "nginx";
+        UMask = "026";
+      };
+      script = lib.strings.concatStringsSep "\n" ((lib.attrsets.mapAttrsToList
+        (name: value: "${lib.getExe pkgs.bluemap} -c ${renderConfigFolder name value} -r")
+        cfg.maps) ++ [ "${lib.getExe pkgs.bluemap} -c ${webappConfigFolder} -gs" ]);
+    };
+
+    systemd.timers."render-bluemap-maps" = lib.mkIf cfg.enableRender {
+      wantedBy = [ "timers.target" ];
+      timerConfig = {
+        OnCalendar = cfg.onCalendar;
+        Persistent = true;
+        Unit = "render-bluemap-maps.service";
+      };
+    };
+
+    services.nginx.virtualHosts = lib.mkIf cfg.enableNginx {
+      "${cfg.host}" = {
+        root = config.services.bluemap.webRoot;
+        locations = {
+          "~* ^/maps/[^/]*/tiles/".extraConfig = ''
+            error_page 404 = @empty;
+          '';
+          "@empty".return = "204";
+        };
+      };
+    };
+  };
+
+  meta = {
+    maintainers = with lib.maintainers; [ dandellion h7x4 ];
+  };
+}

hosts/bekkalokk/services/gitea/default.nix

@@ -55,6 +55,11 @@ in {
         USER = "gitea@pvv.ntnu.no";
         SUBJECT_PREFIX = "[pvv-git]";
       };
+      metrics = {
+        ENABLED = true;
+        ENABLED_ISSUE_BY_LABEL = true;
+        ENABLED_ISSUE_BY_REPOSITORY = true;
+      };
       indexer.REPO_INDEXER_ENABLED = true;
       service = {
         DISABLE_REGISTRATION = true;
@@ -99,6 +104,30 @@ in {
         ENABLE_FEDERATED_AVATAR = false;
       };
       actions.ENABLED = true;
+      ui = {
+        REACTIONS = lib.concatStringsSep "," [
+          "+1"
+          "-1"
+          "laugh"
+          "confused"
+          "heart"
+          "hooray"
+          "rocket"
+          "eyes"
+          "100"
+          "anger"
+          "astonished"
+          "no_good"
+          "ok_hand"
+          "pensive"
+          "pizza"
+          "point_up"
+          "sob"
+          "skull"
+          "upside_down_face"
+          "shrug"
+        ];
+      };
       "ui.meta".DESCRIPTION = "Bokstavelig talt programvareverkstedet";
     };
   };
@@ -109,11 +138,20 @@ in {
     forceSSL = true;
     enableACME = true;
     kTLS = true;
-    locations."/" = {
-      proxyPass = "http://unix:${cfg.settings.server.HTTP_ADDR}";
-      extraConfig = ''
-        client_max_body_size 512M;
-      '';
+    locations = {
+      "/" = {
+        proxyPass = "http://unix:${cfg.settings.server.HTTP_ADDR}";
+        extraConfig = ''
+          client_max_body_size 512M;
+        '';
+      };
+      "/metrics" = {
+        proxyPass = "http://unix:${cfg.settings.server.HTTP_ADDR}";
+        extraConfig = ''
+          allow ${values.hosts.ildkule.ipv4}/32;
+          deny all;
+        '';
+      };
     };
   };
 

hosts/bekkalokk/services/idp-simplesamlphp/default.nix

@@ -202,6 +202,12 @@ in
           rewrite ^/simplesaml/(.*)$ /$1 redirect;
           return 404;
         '';
+        "/robots.txt" = {
+          root = pkgs.writeTextDir "robots.txt" ''
+            User-agent: *
+            Disallow: /
+          '';
+        };
       };
     };
   };

hosts/bekkalokk/services/webmail/roundcube.nix

@@ -6,6 +6,11 @@ let
   domain = "webmail.pvv.ntnu.no";
 in
 {
+  sops.secrets."roundcube/postgres_password" = {
+    owner = "nginx";
+    group = "nginx";
+  };
+
   services.roundcube = {
     enable = true;
 
@@ -20,6 +25,11 @@ in
     maxAttachmentSize = 20;
     hostName = "roundcubeplaceholder.example.com";
 
+    database = {
+      host = "postgres.pvv.ntnu.no";
+      passwordFile = config.sops.secrets."roundcube/postgres_password".path;
+    };
+
     extraConfig = ''
       $config['enable_installer'] = false;
       $config['default_host'] = "ssl://imap.pvv.ntnu.no";

hosts/bicep/acmeCert.nix

@@ -1,24 +0,0 @@
-{ values, ... }:
-{
-  users.groups.acme.members = [ "nginx" ];
-
-  security.acme.certs."postgres.pvv.ntnu.no" = {
-    group = "acme";
-    extraDomainNames = [
-      # "postgres.pvv.org"
-      "bicep.pvv.ntnu.no"
-      # "bicep.pvv.org"
-      # values.hosts.bicep.ipv4
-      # values.hosts.bicep.ipv6
-    ];
-  };
-
-  services.nginx = {
-    enable = true;
-    virtualHosts."postgres.pvv.ntnu.no" = {
-      forceSSL = true;
-      enableACME = true;
-      # useACMEHost = "postgres.pvv.ntnu.no";
-    };
-  };
-}

hosts/bicep/configuration.nix

@@ -7,8 +7,6 @@
     ../../misc/metrics-exporters.nix
     ./services/nginx
 
-    ./acmeCert.nix
-
     ./services/mysql.nix
     ./services/postgres.nix
     ./services/mysql.nix
@@ -36,6 +34,9 @@
     anyInterface = true;
   };
 
+  # There are no smart devices
+  services.smartd.enable = false;
+
   # Do not change, even during upgrades.
   # See https://search.nixos.org/options?show=system.stateVersion
   system.stateVersion = "22.11";

hosts/bicep/services/matrix/coturn.nix

@@ -1,4 +1,4 @@
-{ config, lib, pkgs, secrets, ... }:
+{ config, lib, pkgs, secrets, values, ... }:
 
 {
   sops.secrets."matrix/synapse/turnconfig" = {
@@ -60,12 +60,14 @@
     pkey = "${config.security.acme.certs.${realm}.directory}/key.pem";
 
     use-auth-secret = true;
-    # World readable but I  dont think it's that bad
     static-auth-secret-file = config.sops.secrets."matrix/coturn/static-auth-secret".path;
 
     secure-stun = true;
 
-    listening-ips = [ "129.241.210.213" "2001:700:300:1900::213" ];
+    listening-ips = [
+      values.services.turn.ipv4
+      # values.services.turn.ipv6
+    ];
 
     tls-listening-port = 443;
     alt-tls-listening-port = 5349;

hosts/bicep/services/matrix/default.nix

@@ -10,6 +10,7 @@
     ./mjolnir.nix
 
     ./discord.nix
+    ./hookshot
   ];
 
 

hosts/bicep/services/matrix/hookshot/default.nix

@@ -0,0 +1,103 @@
+{ config, lib, unstablePkgs, inputs, ... }:
+
+let
+  cfg = config.services.matrix-hookshot;
+  webhookListenAddress = "127.0.0.1";
+  webhookListenPort = 8435;
+in
+{
+  imports = [
+    ./module.nix
+  ];
+
+  sops.secrets."matrix/registrations/matrix-hookshot" = {
+    sopsFile = ../../../../../secrets/bicep/matrix.yaml;
+    key = "registrations/matrix-hookshot";
+    owner = config.users.users.matrix-synapse.name;
+    group = config.users.groups.keys-matrix-registrations.name;
+  };
+
+  systemd.services.matrix-hookshot = {
+    serviceConfig.SupplementaryGroups = [ config.users.groups.keys-matrix-registrations.name ];
+  };
+
+  services.matrix-hookshot = {
+    enable = true;
+    package = unstablePkgs.matrix-hookshot;
+    registrationFile = config.sops.secrets."matrix/registrations/matrix-hookshot".path;
+    settings = {
+      bridge = {
+        bindAddress = "127.0.0.1";
+        domain = "pvv.ntnu.no";
+        url = "https://matrix.pvv.ntnu.no";
+        mediaUrl = "https://matrix.pvv.ntnu.no";
+        port = 9993;
+      };
+      listeners = [
+        {
+          bindAddress = webhookListenAddress;
+          port = webhookListenPort;
+          resources = [
+            "webhooks"
+            # "metrics"
+            # "provisioning"
+            "widgets"
+          ];
+        }
+      ];
+      generic = {
+        enabled = true;
+        outbound = true;
+        urlPrefix = "https://hookshot.pvv.ntnu.no/webhook/";
+        userIdPrefix = "_webhooks_";
+        allowJsTransformationFunctions = false;
+        waitForComplete = false;
+      };
+      feeds = {
+        enabled = true;
+        pollIntervalSeconds = 600;
+      };
+      
+      serviceBots = [
+        { localpart = "bot_feeds";
+          displayname = "Aya";
+          avatar = ./feeds.png;
+          prefix = "!aya";
+          service = "feeds";
+        }
+      ];
+
+      permissions = [
+        # Users of the PVV Server
+        { actor = "pvv.ntnu.no";
+          services = [ { service = "*"; level = "commands"; } ];
+        }
+        # Members of Medlem space (for people with their own hs)
+        { actor = "!pZOTJQinWyyTWaeOgK:pvv.ntnu.no";
+          services = [ { service = "*"; level = "commands"; } ];
+        }
+        # Members of Drift
+        { actor = "!eYgeufLrninXxQpYml:pvv.ntnu.no";
+          services = [ { service = "*"; level = "admin"; } ];
+        }
+        # Dan bootstrap
+        { actor = "@dandellion:dodsorf.as";
+          services = [ { service = "*"; level = "admin"; } ];
+        }
+      ];
+    };
+  };
+
+  services.matrix-hookshot.serviceDependencies = [ "matrix-synapse.target" "nginx.service" ];
+
+  services.matrix-synapse-next.settings = {
+    app_service_config_files = [ config.sops.secrets."matrix/registrations/matrix-hookshot".path ];
+  };
+
+  services.nginx.virtualHosts."hookshot.pvv.ntnu.no" = {
+    enableACME = true;
+    locations."/" = {
+      proxyPass = "http://${webhookListenAddress}:${toString webhookListenPort}";
+    };
+  };
+}

hosts/bicep/services/matrix/hookshot/module.nix

@@ -0,0 +1,127 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
+let
+  cfg = config.services.matrix-hookshot;
+  settingsFormat = pkgs.formats.yaml { };
+  configFile = settingsFormat.generate "matrix-hookshot-config.yml" cfg.settings;
+in
+{
+  options = {
+    services.matrix-hookshot = {
+      enable = lib.mkEnableOption "matrix-hookshot, a bridge between Matrix and project management services";
+
+      package = lib.mkPackageOption pkgs "matrix-hookshot" { };
+
+      registrationFile = lib.mkOption {
+        type = lib.types.path;
+        description = ''
+          Appservice registration file.
+          As it contains secret tokens, you may not want to add this to the publicly readable Nix store.
+        '';
+        example = lib.literalExpression ''
+          pkgs.writeText "matrix-hookshot-registration" \'\'
+            id: matrix-hookshot
+            as_token: aaaaaaaaaa
+            hs_token: aaaaaaaaaa
+            namespaces:
+              rooms: []
+              users:
+                - regex: "@_webhooks_.*:foobar"
+                  exclusive: true
+
+            sender_localpart: hookshot
+            url: "http://localhost:9993"
+            rate_limited: false
+            \'\'
+        '';
+      };
+
+      settings = lib.mkOption {
+        description = ''
+          {file}`config.yml` configuration as a Nix attribute set.
+
+          For details please see the [documentation](https://matrix-org.github.io/matrix-hookshot/latest/setup/sample-configuration.html).
+        '';
+        example = {
+          bridge = {
+            domain = "example.com";
+            url = "http://localhost:8008";
+            mediaUrl = "https://example.com";
+            port = 9993;
+            bindAddress = "127.0.0.1";
+          };
+          listeners = [
+            {
+              port = 9000;
+              bindAddress = "0.0.0.0";
+              resources = [ "webhooks" ];
+            }
+            {
+              port = 9001;
+              bindAddress = "localhost";
+              resources = [
+                "metrics"
+                "provisioning"
+              ];
+            }
+          ];
+        };
+        default = { };
+        type = lib.types.submodule {
+          freeformType = settingsFormat.type;
+          options = {
+            passFile = lib.mkOption {
+              type = lib.types.path;
+              default = "/var/lib/matrix-hookshot/passkey.pem";
+              description = ''
+                A passkey used to encrypt tokens stored inside the bridge.
+                File will be generated if not found.
+              '';
+            };
+          };
+        };
+      };
+
+      serviceDependencies = lib.mkOption {
+        type = with lib.types; listOf str;
+        default = lib.optional config.services.matrix-synapse.enable config.services.matrix-synapse.serviceUnit;
+        defaultText = lib.literalExpression ''
+          lib.optional config.services.matrix-synapse.enable config.services.matrix-synapse.serviceUnit
+        '';
+        description = ''
+          List of Systemd services to require and wait for when starting the application service,
+          such as the Matrix homeserver if it's running on the same host.
+        '';
+      };
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    systemd.services.matrix-hookshot = {
+      description = "a bridge between Matrix and multiple project management services";
+
+      wantedBy = [ "multi-user.target" ];
+      wants = [ "network-online.target" ] ++ cfg.serviceDependencies;
+      after = [ "network-online.target" ] ++ cfg.serviceDependencies;
+
+      preStart = ''
+        if [ ! -f '${cfg.settings.passFile}' ]; then
+          mkdir -p $(dirname '${cfg.settings.passFile}')
+          ${pkgs.openssl}/bin/openssl genpkey -out '${cfg.settings.passFile}' -outform PEM -algorithm RSA -pkeyopt rsa_keygen_bits:4096
+        fi
+      '';
+
+      serviceConfig = {
+        Type = "simple";
+        Restart = "always";
+        ExecStart = "${cfg.package}/bin/matrix-hookshot ${configFile} ${cfg.registrationFile}";
+      };
+    };
+  };
+
+  meta.maintainers = with lib.maintainers; [ flandweber ];
+}

hosts/bicep/services/matrix/synapse.nix

@@ -22,11 +22,6 @@ in {
     group = config.users.users.matrix-synapse.group;
   };
 
-  sops.secrets."matrix/sliding-sync/env" = {
-    sopsFile = ../../../../secrets/bicep/matrix.yaml;
-    key = "sliding-sync/env";
-  };
-
   services.matrix-synapse-next = {
     enable = true;
 
@@ -43,8 +38,6 @@ in {
     workers.eventPersisters = 2;
     workers.useUserDirectoryWorker = true;
 
-    enableSlidingSync = true;
-
     enableNginx = true;
 
     settings = {
@@ -137,9 +130,6 @@ in {
     };
   };
 
-  services.matrix-synapse.sliding-sync.environmentFile = config.sops.secrets."matrix/sliding-sync/env".path;
-
-
   services.redis.servers."".enable = true;
 
   services.nginx.virtualHosts."matrix.pvv.ntnu.no" = lib.mkMerge [
@@ -182,8 +172,6 @@ in {
         extraConfig = ''
           allow ${values.hosts.ildkule.ipv4};
           allow ${values.hosts.ildkule.ipv6};
-          allow ${values.hosts.ildkule.ipv4_global};
-          allow ${values.hosts.ildkule.ipv6_global};
           deny all;
         '';
       })
@@ -195,8 +183,6 @@ in {
       extraConfig = ''
         allow ${values.hosts.ildkule.ipv4};
         allow ${values.hosts.ildkule.ipv6};
-        allow ${values.hosts.ildkule.ipv4_global};
-        allow ${values.hosts.ildkule.ipv6_global};
         deny all;
       '';
     };

hosts/buskerud/configuration.nix

@@ -1,38 +0,0 @@
-{ config, pkgs, values, ... }:
-{
-  imports = [
-    ./hardware-configuration.nix
-    ../../base
-    ../../misc/metrics-exporters.nix
-
-    ./services/libvirt.nix
-  ];
-
-  # buskerud does not support efi?
-  # boot.loader.systemd-boot.enable = true;
-  # boot.loader.efi.canTouchEfiVariables = true;
-  boot.loader.grub.enable = true;
-  boot.loader.grub.device = "/dev/sdb";
-
-  networking.hostName = "buskerud";
-  networking.search = [ "pvv.ntnu.no" "pvv.org" ];
-  networking.nameservers = [ "129.241.0.200" "129.241.0.201" ];
-  networking.tempAddresses = "disabled";
-
-  systemd.network.networks."enp3s0f0" = values.defaultNetworkConfig // {
-    matchConfig.Name = "enp3s0f0";
-    address = with values.hosts.buskerud; [ (ipv4 + "/25") (ipv6 + "/64") ];
-  };
-
-  # List packages installed in system profile
-  environment.systemPackages = with pkgs; [
-  ];
-
-  # This value determines the NixOS release from which the default
-  # settings for stateful data, like file locations and database versions
-  # on your system were taken. It‘s perfectly fine and recommended to leave
-  # this value at the release version of the first install of this system.
-  # Before changing this value read the documentation for this option
-  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
-  system.stateVersion = "23.05"; # Did you read the comment?
-}

hosts/buskerud/hardware-configuration.nix

@@ -1,37 +0,0 @@
-# Do not modify this file!  It was generated by ‘nixos-generate-config’
-# and may be overwritten by future invocations.  Please make changes
-# to /etc/nixos/configuration.nix instead.
-{ config, lib, pkgs, modulesPath, ... }:
-
-{
-  imports =
-    [ (modulesPath + "/installer/scan/not-detected.nix")
-    ];
-
-  boot.initrd.availableKernelModules = [ "uhci_hcd" "ehci_pci" "ata_piix" "hpsa" "usb_storage" "usbhid" "sd_mod" "sr_mod" ];
-  boot.initrd.kernelModules = [ ];
-  boot.kernelModules = [ "kvm-intel" ];
-  boot.extraModulePackages = [ ];
-
-  fileSystems."/" =
-    { device = "/dev/disk/by-uuid/ed9654fe-575a-4fb3-b6ff-1b059479acff";
-      fsType = "ext4";
-    };
-
-  swapDevices = [ ];
-
-  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
-  # (the default) this is the recommended approach. When using systemd-networkd it's
-  # still possible to use this option, but it's recommended to use it in conjunction
-  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
-  networking.useDHCP = lib.mkDefault true;
-  # networking.interfaces.enp14s0f0.useDHCP = lib.mkDefault true;
-  # networking.interfaces.enp14s0f1.useDHCP = lib.mkDefault true;
-  # networking.interfaces.enp3s0f0.useDHCP = lib.mkDefault true;
-  # networking.interfaces.enp3s0f1.useDHCP = lib.mkDefault true;
-  # networking.interfaces.enp4s0f0.useDHCP = lib.mkDefault true;
-  # networking.interfaces.enp4s0f1.useDHCP = lib.mkDefault true;
-
-  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
-  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
-}

hosts/buskerud/services/libvirt.nix

@@ -1,10 +0,0 @@
-{ config, pkgs, lib, ... }:
-{
-  virtualisation.libvirtd.enable = true;
-  programs.dconf.enable = true;
-  boot.kernelModules = [ "kvm-intel" ];
-
-  # On a gui-enabled machine, connect with:
-  # $ virt-manager --connect "qemu+ssh://buskerud/system?socket=/var/run/libvirt/libvirt-sock"
-}
-

hosts/ildkule/configuration.nix

@@ -1,4 +1,4 @@
-{ config, pkgs, values, ... }:
+{ config, pkgs, lib, values, ... }:
 {
   imports = [
       # Include the results of the hardware scan.
@@ -19,33 +19,37 @@
   boot.tmp.cleanOnBoot = true;
   zramSwap.enable = true;
 
-  networking.hostName = "ildkule"; # Define your hostname.
+  # Openstack Neutron and systemd-networkd are not best friends, use something else:
+  systemd.network.enable = lib.mkForce false;
+  networking = let
+    hostConf = values.hosts.ildkule;
+  in {
+    hostName = "ildkule";
+    tempAddresses = "disabled";
+    useDHCP = lib.mkForce true;
 
-  # Main connection, using the global/floatig IP, for communications with the world
-  systemd.network.networks."30-ntnu-global" = values.openstackGlobalNetworkConfig // {
-    matchConfig.Name = "ens4";
+    search = values.defaultNetworkConfig.domains;
+    nameservers = values.defaultNetworkConfig.dns;
+    defaultGateway.address = hostConf.ipv4_internal_gw;
 
-    # Add the global addresses in addition to the local address learned from DHCP
-    addresses = [
-      { addressConfig.Address = "${values.hosts.ildkule.ipv4_global}/32"; }
-      { addressConfig.Address = "${values.hosts.ildkule.ipv6_global}/128"; }
-    ];
-  };
-
-  # Secondary connection only for use within the university network
-  systemd.network.networks."40-ntnu-internal" = values.openstackLocalNetworkConfig // {
-    matchConfig.Name = "ens3";
-    # Add the ntnu-internal addresses in addition to the local address learned from DHCP
-    addresses = [
-      { addressConfig.Address = "${values.hosts.ildkule.ipv4}/32"; }
-      { addressConfig.Address = "${values.hosts.ildkule.ipv6}/128"; }
-    ];
+    interfaces."ens4" = {
+      ipv4.addresses = [
+        { address = hostConf.ipv4;          prefixLength = 32; }
+        { address = hostConf.ipv4_internal; prefixLength = 24; }
+      ];
+      ipv6.addresses = [
+        { address = hostConf.ipv6;          prefixLength = 64; }
+      ];
+    };
   };
 
   # List packages installed in system profile
   environment.systemPackages = with pkgs; [
   ];
 
+  # No devices with SMART
+  services.smartd.enable = false;
+
   system.stateVersion = "23.11"; # Did you read the comment?
 
 }

hosts/ildkule/services/monitoring/grafana.nix

@@ -75,6 +75,12 @@ in {
           url = "https://grafana.com/api/dashboards/240/revisions/3/download";
           options.path = dashboards/go-processes.json;
         }
+        {
+          name = "Gitea Dashbaord";
+          type = "file";
+          url = "https://grafana.com/api/dashboards/17802/revisions/3/download";
+          options.path = dashboards/gitea-dashbaord.json;
+        }
       ];
 
     };

hosts/ildkule/services/monitoring/prometheus/default.nix

@@ -1,11 +1,11 @@
 { config, ... }: {
   imports = [
-    ./gogs.nix
+    ./gitea.nix
     ./matrix-synapse.nix
     # TODO: enable once https://github.com/NixOS/nixpkgs/pull/242365 gets merged
     # ./mysqld.nix
-    ./node.nix
     ./postgres.nix
+    ./machines.nix
   ];
 
   services.prometheus = {

hosts/ildkule/services/monitoring/prometheus/gitea.nix

@@ -0,0 +1,16 @@
+{ ... }:
+{
+  services.prometheus.scrapeConfigs = [{
+    job_name = "gitea";
+    scrape_interval = "60s";
+    scheme = "https";
+
+    static_configs = [
+      {
+        targets = [
+          "git.pvv.ntnu.no:443"
+        ];
+      }
+    ];
+  }];
+}

hosts/ildkule/services/monitoring/prometheus/gogs.nix

@@ -1,16 +0,0 @@
-{ config, ... }: let
-  cfg = config.services.prometheus;
-in {
-  services.prometheus.scrapeConfigs = [{
-    job_name = "git-gogs";
-    scheme = "https";
-    metrics_path = "/-/metrics";
-    static_configs = [
-      {
-        targets = [
-          "essendrop.pvv.ntnu.no:443"
-        ];
-      }
-    ];
-  }];
-}

hosts/ildkule/services/monitoring/prometheus/machines.nix

@@ -0,0 +1,54 @@
+{ config, ... }: let
+  cfg = config.services.prometheus;
+in {
+  services.prometheus.scrapeConfigs = [{
+    job_name = "base_info";
+    static_configs = [
+      { labels.hostname = "ildkule";
+        targets = [
+          "ildkule.pvv.ntnu.no:${toString cfg.exporters.node.port}"
+          "ildkule.pvv.ntnu.no:${toString cfg.exporters.systemd.port}"
+        ];
+      }
+      { labels.hostname = "bekkalokk";
+        targets = [
+          "bekkalokk.pvv.ntnu.no:9100"
+          "bekkalokk.pvv.ntnu.no:9101"
+        ];
+      }
+      { labels.hostname = "bicep";
+        targets = [
+          "bicep.pvv.ntnu.no:9100"
+          "bicep.pvv.ntnu.no:9101"
+        ];
+      }
+      { labels.hostname = "brzeczyszczykiewicz";
+        targets = [
+          "brzeczyszczykiewicz.pvv.ntnu.no:9100"
+          "brzeczyszczykiewicz.pvv.ntnu.no:9101"
+        ];
+      }
+      { labels.hostname = "georg";
+        targets = [
+          "georg.pvv.ntnu.no:9100"
+          "georg.pvv.ntnu.no:9101"
+        ];
+      }
+      { labels.hostname =  "hildring";
+        targets = [
+          "hildring.pvv.ntnu.no:9100"
+        ];
+      }
+      { labels.hostname =  "isvegg";
+        targets = [
+          "isvegg.pvv.ntnu.no:9100"
+        ];
+      }
+      { labels.hostname =  "microbel";
+        targets = [
+          "microbel.pvv.ntnu.no:9100"
+        ];
+      }
+    ];
+  }];
+}

hosts/ildkule/services/monitoring/prometheus/node.nix

@@ -1,22 +0,0 @@
-{ config, ... }: let
-  cfg = config.services.prometheus;
-in {
-  services.prometheus.scrapeConfigs = [{
-    job_name = "node";
-    static_configs = [
-      {
-        targets = [
-          "ildkule.pvv.ntnu.no:${toString cfg.exporters.node.port}"
-          "microbel.pvv.ntnu.no:9100"
-          "isvegg.pvv.ntnu.no:9100"
-          "knakelibrak.pvv.ntnu.no:9100"
-          "hildring.pvv.ntnu.no:9100"
-          "bicep.pvv.ntnu.no:9100"
-          "essendrop.pvv.ntnu.no:9100"
-          "andresbu.pvv.ntnu.no:9100"
-          "bekkalokk.pvv.ntnu.no:9100"
-        ];
-      }
-    ];
-  }];
-}

justfile

@@ -18,7 +18,7 @@ run-vm machine=`just _a_machine`:
   nix eval .#inputs --apply builtins.attrNames --json \
     | jq '.[]' -r \
     | gum choose --no-limit --height=15 \
-    | xargs nix flake update --commit-lock-file
+    | xargs -L 1 nix flake lock --update-input
 
 
 _a_machine:

misc/metrics-exporters.nix

@@ -14,13 +14,31 @@
       "::1"
       values.hosts.ildkule.ipv4
       values.hosts.ildkule.ipv6
-      values.hosts.ildkule.ipv4_global
-      values.hosts.ildkule.ipv6_global
     ];
   };
 
 
-  networking.firewall.allowedTCPPorts = [ 9100 ];
+  services.prometheus.exporters.systemd = {
+    enable = true;
+    port = 9101;
+    extraFlags = [
+      "--systemd.collector.enable-restart-count"
+      "--systemd.collector.enable-ip-accounting"
+    ];
+  };
+
+  systemd.services.prometheus-systemd-exporter.serviceConfig = {
+    IPAddressDeny = "any";
+    IPAddressAllow = [
+      "127.0.0.1"
+      "::1"
+      values.hosts.ildkule.ipv4
+      values.hosts.ildkule.ipv6
+    ];
+  };
+  
+
+  networking.firewall.allowedTCPPorts = [ 9100 9101 ];
 
   services.promtail = {
     enable = true;

packages/bluemap.nix

@@ -0,0 +1,30 @@
+{ lib, stdenvNoCC, fetchurl, makeWrapper, jre }:
+
+stdenvNoCC.mkDerivation rec {
+  pname = "bluemap";
+  version = "5.2";
+
+  src = fetchurl {
+    url = "https://github.com/BlueMap-Minecraft/BlueMap/releases/download/v${version}/BlueMap-${version}-cli.jar";
+    hash = "sha256-4vld+NBwzBxdwbMtsKuqvO6immkbh4HB//6wdjXaxoU=";
+  };
+
+  dontUnpack = true;
+
+  nativeBuildInputs = [ makeWrapper ];
+
+  installPhase = ''
+    runHook preInstall
+    makeWrapper ${jre}/bin/java $out/bin/bluemap --add-flags "-jar $src"
+    runHook postInstall
+  '';
+
+  meta = {
+    description = "3D minecraft map renderer";
+    homepage = "https://bluemap.bluecolored.de/";
+    sourceProvenance = with lib.sourceTypes; [ binaryBytecode ];
+    license = lib.licenses.mit;
+    maintainers = with lib.maintainers; [ dandellion ];
+    mainProgram = "bluemap";
+  };
+}

secrets/bekkalokk/bekkalokk.yaml

@@ -18,6 +18,8 @@ mediawiki:
         postgres_password: ENC[AES256_GCM,data:FzykBVtJbA+Bey1GE5VqnSuv2GeobH1j,iv:wayQH3+y0FYFkr3JjmulI53SADk0Ikur/2mUS5kFrTk=,tag:d+nQ/se2bDA5aaQfBicnPQ==,type:str]
         cookie_salt: ENC[AES256_GCM,data:BioRPAvL4F9ORBJDFdqHot81RhVpAOf32v1ah3pvOLq8E88bxGyKFQZxAwpIL3UkWQIsWMnEerm5MEMYL1C2OQ==,iv:yMVqiPTQ8hO1IVAax6PIkD0V9YTOEunwDTtnGcmy6Kc=,tag:Z4+bZF4olLlkx7YpXeQiUw==,type:str]
         admin_password: ENC[AES256_GCM,data:4eUXvcO7NLOWke9XShfKzj+x3FvqPONa,iv:3iZ+BTBTZ7yMJ0HT14cEMebKZattWUcYEevRsl/6WOk=,tag:CU0iDhPP2ndztdX5U5A4cw==,type:str]
+roundcube:
+    postgres_password: ENC[AES256_GCM,data:fGHmq6r/ZCeIseHL8/gmm5DfWQYorI3OJq1TW0EHvh7rHL62M4TE+Lrlrmq8AIlmGLSWtO8AQzOP3toxidL6xWX3pcwLxtTefa1gom2oQf6ZL4TbAZLidHksdiro6pWtpMOO66bb8O9eXvZmns4=,iv:Irnb2/bgx8WilDyRLleWfo6HHafZ+vlDEwxIcgm1f18=,tag:eTNBUELmLwO7DsQN9CLX7Q==,type:str]
 idp:
     cookie_salt: ENC[AES256_GCM,data:cyV6HDCPHKQIa8T1+rFBFh6EuHtG5B508lg6uFYENK7qVpYuiTUIokdVQhY8SRLs2mECx/ampgnUHxCRB/Cc/A==,iv:QRrRUhzRQrLkmg38rrYtCEfF8U4/7ZHZUDSEq++BlbI=,tag:fLqFSLd+CKqJvmCh1fx8vg==,type:str]
     admin_password: ENC[AES256_GCM,data:Vf33Oenk6x6BIij1uW8RQDjTPcKhUVYA,iv:RNeyCNpTAYdBPrZwE3Y6CCjoAML/3XUvjfJCrr06IEU=,tag:zVOrx1oXnEyr/VwFCFaCDQ==,type:str]
@@ -32,6 +34,9 @@ nettsiden:
         admin_password: ENC[AES256_GCM,data:SADr/zN3F0tW339kSK1nD9Pb38rw7hz8,iv:s5jgl1djXd5JKwx1WG/w2Q4STMMpjJP91qxOwAoNcL0=,tag:N8bKnO9N0ei06HDkSGt6XQ==,type:str]
 vaultwarden:
     environ: ENC[AES256_GCM,data:CST5I8x8qAkrTy/wbMLL6aFSPDPIU7aWsD1L1MnIATRmk7fcUhfTSFds7quJmIpb2znsIT/WxNI/V/7UW+9ZdPKI64hfPR8MtvrJcbOhU5Fe2IiytFymFbhcOgWAXjbGzs7knQmpfMxSl98sU71oLkRuFdkousdnh4VQFZhUCYM=,iv:Is6xQ7DGdcAQgrrXCS9NbJk67O2uR82rbKOXBTzZHWw=,tag:XVEjCEM5t8qJl6jL89zrkw==,type:str]
+bluemap:
+    ssh-key: ENC[AES256_GCM,data:nPwsT4RYbMbGp2MChLUh6NXW4ckYr7SQcd6Gy2G8CEU+ugew5pt4d6GOK1fyekspDtet3EkPL2F1AsoPFBB2Rv0boARMslAhBqwWSsbBJTXeTEgAABSMxTPJRBtfJucvv426nyIj3uApoknz6mDCQh1OI6mER0fis7MPaM1506HlDlnIT0FV9EairEsaAmbd0yddByGJSccKIza2vW0qWqrz83P+xrakEONxFz0fJlkO5PRXCcQJVBCqWQfnaHNrWeBWv0QA7vAHlT0yjqJCpDRxN2KYrPWsz7sUbB4UZOtykCRM5kKFq73GUaOKqVECJQhcJi6tERhpJELwjjS8MSqvBD90UTKTshGugfuygTaOyUx4wou3atxMR2Rah9+uZ6mBrLAOLX3JKiAtyhFewPMWjd/UhbMPuzNageVBNz2EMpa4POSVwz5MyViKNSgr9cPcNGqmrnjvr/W/lnj6Ec+W80RiXQlADSE4Q6diLLwB9nlHvKs8NTDgv6sUafcPHpJ2+N4Jkb96dE14bMffQ385SI4vLDcQ8xCQ,iv:WdJIHRzjlm8bEldolCx1Q7pZJvjxGkNZALSOy3IjizU=,tag:5ZAikiqttq/76+thG+4LMw==,type:str]
+    ssh-known-hosts: ENC[AES256_GCM,data:J6V+NJ9TvYUL2gmcqWWYt8X+n0M7i0RpDpBelWAbFMH64+e9ztHNnC491sm+RogDxqKk0kwQyX2Mz00iq3Gc3wDYyozGOdv3tBKrp7/LcfjUQ9T9hi0yTD3eNV0LAjlAWMTdlW65VGHqGst8ncKbUuVxbBASVlh3A321toZgD+xxUAtNz7qKFa6fDbOS0xLD1+CmTwVp+aPos//QIKzjuk1HqxfBNK82maKtD4JHPS+Y3be2wIEjGWq3H6JYN/RDojD88D/jzo9RwvEjpqLXoOVfy8uX/fbEsgkgfAmPiaG+ePCnchSExEe3a6Y0E+I6YIzvP+tGThJpu4HaT/yW2Rww/jvsxKrXSUhtBZI/SIX5ZAIFB3sFjJXQefJjfNpQTQWhbspLfdemafGaRiDnzVgKDhNL1HNMNsXKDfWa0SLs4//dqerom/QCCNsaqV+4HVzv5x44srChGERadQI/Wh4UG2R19xxbdyIsKPHzv7BhEKufJkjc5upBjWygQrGAkTRHugFpw2Tdkz9yUQSujMkaeRKhVkA+ZUAjwnY5TwqNZBj7U3K2JXoNVHAq194XmrA2dNghh0OmRrvKGwM3HKexX22SXT0bPlpdWRQpMbUgV+uHLMerlDpNMFTIueEBkaF/FWeSW2N5WUrUb1uJ91QcJ8JBgN1riuD1Oxv9RRPrY9VVNJMrYjpAAREN8i8brMTOCJ35s7jnqIei0dNmnNXOoQZPs9kUMeEtUc/Df1E8/aO2Y4yU9gHUuevXnAJWFAiu2IxssgPk6CcNxvapJEmlwkLK/JyuDsWwFxVOHfw5QIEsoDVWXt6eMhquqUgzJI1q7QrTWUQsBb5A5sQKYWQHempOaXuQn1bzA7mU3Gzsr8bNNc6tpy+6j3zTXYR067EX00yqPG+kqRn4QVIuhByxXP3cwXLUG9uD1lsqWrGzs6WCnHr7txhRBXf4WbBVmXModO3uf36cDYEwrUa6yBsARtSl8PJ0UadfY/xULcT5PFvu9+Hi2qj3vp4IU3JCJa9AvXB+11pbSdawprjuDhwQtPwkJ4CQyvZsom3/BOrmwYM5+EyMDIluEQ0z6eDE5buiIVbX6IvXnDCKbrnqVwavX2wqyiDduFLjRfWL/3U2O1yRim78smrDMJABJZvtW+a+GfmlnTd/gnFvS70Fmm/lgtY051ISL/iFx6toJRoBMMiI/Zvy13uQry+w/HbyFl42DIank8tf7kuN3E9M7ADGMubRJJ0AZOcQddrFnR4Gl2nU2+3RS5fLHaBf9QHK6W92/n//xmPkYqrkPacew4eBjUqM32jVGuBpDc964fK9kdtIdw8q5P1s/ph3I79Y24kGeuO1AVJuZvkaTv1Z7GgI9+K9TstKJ9XpRCidLpLSP+uHOWkqcNsQlt6ilTlfHj+MKoD85dKZ315QMmpiuYEvzCSP1aYTb9dpd61Su/IVuM3r2NuINNEZ166YlHQVsLNpDn8E5ahk3ZInOAg6/kaKTmjUI8KEvX4BR3PbbViAlJJb3suJ0oZBGPUlrW5uLRmADvf2mMDVO5zY7/m9DQwxjt4Miu0l8ZaUc0YJQ850lBKucQ==,iv:GI8w7h7xX8gMHuAoWUyrW+BQb85LNlASoYvGBPlCZaI=,tag:WnHNMevfFSMc0ikBZwWn/g==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -92,8 +97,8 @@ sops:
             UHpLRkdQTnhkeGlWVG9VS1hkWktyckEKAdwnA9URLYZ50lMtXrU9Q09d0L3Zfsyr
             4UsvjjdnFtsXwEZ9ZzOQrpiN0Oz24s3csw5KckDni6kslaloJZsLGg==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-08-26T19:38:58Z"
-    mac: ENC[AES256_GCM,data:3FyfZPmJ7znQEul+IwqN1ZaM53n6os3grquJwJ9vfyDSc2h8UZBhqYG+2uW9Znp9DSIjuhCUI8iqGKRJE0M/6IDICeXms/5+ynVFOS9bA2cdzPvWaj0FFAd2x3g4Vhs47+vRlsnIe/tMiKU3IOvzOfI6KAUHc9L2ySrzH7z2+fo=,iv:1iZSR9qOIEtf+fNbtWSwJBIUEQGKadfHSVOnkFzOwq8=,tag:Sk6JEU1B6Rd1GXLYC6rQtQ==,type:str]
+    lastmodified: "2024-10-12T21:56:27Z"
+    mac: ENC[AES256_GCM,data:bZ1BbVC6D+B6SFze2ReeCUcQamK/O14zH3YxCjWBwMC++w3niIiEx4Bq7Ulci5yuMld0luVsfUzHoqFN/+zvZbV2rGVk8lVRiTrpFoSZ78aUUgeHG9ROLXsR7T7rVhLWbl86y1G5LcKws7G55V0wAh6f58WjYYzwR8fnBmfW1Ko=,iv:7xtMdtXQB9uZirE/CkUSmeu0qnG++R7DUR7zn/Bo0lM=,tag:DH/BJPpAp//quDqKNXyHcg==,type:str]
     pgp:
         - created_at: "2024-08-04T00:03:28Z"
           enc: |-
@@ -116,4 +121,4 @@ sops:
             -----END PGP MESSAGE-----
           fp: F7D37890228A907440E1FD4846B9228E814A2AAC
     unencrypted_suffix: _unencrypted
-    version: 3.9.0
+    version: 3.9.1

secrets/bicep/matrix.yaml

@@ -2,14 +2,13 @@ synapse:
     turnconfig: ENC[AES256_GCM,data:mASRjYa4C9WRow4x0XYRrlCE5LMJUYaId+o62r1qhsyJPa2LzrI=,iv:5vYdubvMDjLS6soiWx2DzkEAATb9NFbSS/Jhuuz1yI8=,tag:wOW07CQMDbOiZNervee/pg==,type:str]
     user_registration: ENC[AES256_GCM,data:ZDZfEEvyw8pg0WzhrdC8747ed+ZR2ZA8/WypJd/iDkmIy2RmxOeI0sE=,iv:l61mOlvzpCql4fC/eubBSU6px21et2WcpxQ6rFl14iw=,tag:sVDEAa3xipKIi/6isCjWew==,type:str]
     signing_key: ENC[AES256_GCM,data:6UpfiRlX9pRM7zhdm7Mc8y8EItLzugWkHSgE0tGpEmudCTa1wc60oNbYfhKDWU81DT/U148pZOoX1A==,iv:UlqCPicPm5eNBz1xBMI3A3Rn4t/GtldNIDdMH5MMnLw=,tag:HHaw6iMjEAv5b9mjHSVpwA==,type:str]
-sliding-sync:
-    env: ENC[AES256_GCM,data:DsU1qKTy5sn06Y0S5kFUqZHML20n6HdHUdXsQRUw,iv:/TNTc+StAZbf6pBY9CeXdxkx8E+3bak/wOqHyBNMprU=,tag:er5u4FRlSmUZrOT/sj+RhQ==,type:str]
 coturn:
     static-auth-secret: ENC[AES256_GCM,data:y5cG/LyrorkDH+8YrgcV7DY=,iv:ca90q2J3+NOy51mUBy4TMKfYMgWL4hxWDdsKIuxRBgU=,tag:hpFCns1lpi07paHyGB7tGQ==,type:str]
 mjolnir:
     access_token: ENC[AES256_GCM,data:ERFqZjK7MRD0xWt91FNCIxP1YC6Qj54QgnckHlCTtcQVLWaM1h2h9lHS+K8=,iv:1d7vmFkXAPcsmumzlmOT31amdrKLWtL5sJiS8G9g+LE=,tag:2l0vWzJ6P12ofuBdf5CCWw==,type:str]
 registrations:
     mx-puppet-discord: ENC[AES256_GCM,data:FleyXxgOmc05nTP6M2DBJlacufN3p/05eZm4kB8+K4ci0k24o3zli988wlM/kyeZmxu4pgQlJ3lNLte4uip2hBXHWG5t5Ldzmr7bNCUD+r7nM+I1lfNkrDROPZ54bHysmn9O5CHpEa16rSo6RJgncIPqsLJxTwjC7qZlkOpzqvMhkq/MHCVOpvg0M/6AUR+AlSZoggujBMoXLznQNQapN13foEsbuo/QxjszM/ObGmhYMVyaS+TDBXzQLA8Yuj50Q/gZCIINWZ4G2qmgsGxxNR4I+usUQml/jxCtIXS4zn/ettXfL9G4Fdm2F9u1v11DehtTGa5xoxDq94M9rIxOqeJpvgEQEyyKAyFUIrlINfGl7tAj4Zu7+9Z8JTRAnppjM1q8iInwn/Z2L9KgB0YFi/Go1whgXly+TH6hpreo7m5klXV/ff/aV3ghOgFCGA8nBrZFqE8Uw268q9tV1s1dxCb6TbpGf19V5c9MD6BsCIVeoq+j9I/I8iZpzg2Reb4IlHhMDwbwsL2w2ks30wiZ9XO/CFrXDY4uBlI=,iv:3vvkGvldS8Raibg6tzlV8VY1O9NCLxSuNX/lwi1QgiA=,tag:D/noIsE3xlOiYM6Pk+cc8Q==,type:str]
+    matrix-hookshot: ENC[AES256_GCM,data:fBt9h6gRkEc7QLpeIJhOpizZwA9By89PjgEKNCOqrdnfbWfBk3ueol2W4DU1vcsjNpOpTsvwAm5KmoqhBIEpjGaycwtt9c399/dJGP6YQC3puk3c4Psz2C+SZJgk4erJ8GOeiUT7kjUkxAOgU+Hl+TteWSYylgd7PGVElJa0oXIbaxkpHZXuk42VlZl/bny4Fw3ckW19+2iuPbZtflmPrGNvGHuCSc6IwQC665/HmPJzENruLcqirICqgy7l9ZnkbrVqVabQTcLqa8GVM7zcpXzsoAMOuRdM3rvEPyaruPcBbemvlQnM1p/2NEnjDwbRKaZr1FtDpBnuEkQwHf1AQyOKZLJLEdqqDRiYrH27/Ps+voMQjZeB+IcPqbBBcdrF0DpFclWOKbNYWci2qW2Zpni242nJM4vVKQPfqi+UJSqhDjs1czDN2Z2stuyt+N1Nv3ykmfjSJz2/HeqYHTti6kkbxfcB2rDdwYWYNlrvTTsvzOewvhY8t0JImBHXiJtp2Zs/ej6p63cuto9RiU55JifJrQx8Fq0BEHeAzcmT39lHzXd/EQoCJqStz2/lnLMfzff5zlRkl4FgSaBoxoWs6DjLztysC/ibwcn92HI8pHRUc41jLslQLT//dV5QBOyW7F2JyCe/A4J5VEVphn3xLqLC/1xH0pwNaevWxR5hqPzm9XC9zn4UV3OMzVj76xDxywh3QaC3B7ZdHlOoyKNXeL5UDhmDjXbGyrxP1HdOAfITpafS9tbfCYROp31j0Q32PC5fUvEjbVYMq5do17/+MEfVdk4p695N3cqLnyoinh0u7KZZw7Im80mk0+zJrChy6D6dVAEZd/AQFgvcY2q3cbOWA/EuniCZrVFAp9u/mljPdeO3MZiJSc7MyElo2CD0YllZeE+KYoHQrIgWJZ6TiItVk3CyLGsYfqNDcJ+o6iicqAdsCiF9IeXO/BfscN2o5sbcvmAShdxCqCYYVtb3Fp6or7bIUf16fq1jkz4XkGwEj+VT9JTXjRbavx5O74VpnyIuTzI7oXYIU4ZUVI5Fkw==,iv:2ffGONfuT9GUVxEStQoZftYUFQc/HcnSLNpZG1t1oCM=,tag:idETgOr/XgfpueTt3gPLHQ==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -70,8 +69,8 @@ sops:
             WEh5NFN6SFF1TlltdWFWTGw4MHRHUkUKrKIvC87xjEmwxPQhH8dN+ZuaJTCgPY28
             pR62KxmoKFICLTHPpYP3euiAx5M9BWvgvCnA/US/5klpk8MtlreNFA==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-10-22T00:31:46Z"
-    mac: ENC[AES256_GCM,data:UpnaUfRxvdyzBy5x4EC3w5LQ1qWxILTQhpyVPd9whTzQMAivAHT0pVmP9aE4T9w3NcWTaghp+f70GmQXx/OCC6DsRCWtU9pFHRj12YUowM3yB5lVTOomOLZQ9m4gUXw5I2GZHWBJn8CyosDcBMlXz2tiR91v/8Ulh6sDSAO86U0=,iv:5GcgRvbpqDEslZruKHM/TcMaF52A5X7AK41DEbrsRIQ=,tag:ndDgCRyX1aDRnzEUNmpoMw==,type:str]
+    lastmodified: "2024-10-13T05:04:30Z"
+    mac: ENC[AES256_GCM,data:Qtw6ZPxUIp28fw1xFR72Utt+aZZXcXOOJO9lwCsZEsqMKPCtxwNw2NumB4aEBuv16dL14boy/FRtwq0mu/DyA6zgnOeeEzxlcxtFAkqK2A03ZMGEIGYTdB3sBDb2Rm7gnK7J9ypoxb0EP40x18lErk7Cn54B28DPlCkY/tj4B/0=,iv:MRXfroBOUCeWKknjDTfUNNHH91cCkf3vUFAAP+UIN7Y=,tag:awdtYAtmMP2Y72m8PlmgwA==,type:str]
     pgp:
         - created_at: "2024-08-04T00:03:46Z"
           enc: |-
@@ -94,4 +93,4 @@ sops:
             -----END PGP MESSAGE-----
           fp: F7D37890228A907440E1FD4846B9228E814A2AAC
     unencrypted_suffix: _unencrypted
-    version: 3.7.3
+    version: 3.8.1

users/danio.nix

@@ -3,7 +3,7 @@
 {
   users.users.danio = {
     isNormalUser = true;
-    extraGroups = [ "drift" "nix-builder-users" ];
+    extraGroups = [ "drift" "nix-builder-users" "wheel" ];
     shell = pkgs.zsh;
 
     openssh.authorizedKeys.keys = [

values.nix

@@ -25,16 +25,17 @@ in rec {
 
   hosts = {
     gateway = pvv-ipv4 129;
+    gateway6 = pvv-ipv6 1;
+
     bekkalokk = {
       ipv4 = pvv-ipv4 168;
       ipv6 = pvv-ipv6 168;
     };
     ildkule = {
-      ipv4 = "10.212.25.209";
-      ipv6 = "2001:700:300:6025:f816:3eff:feee:812d";
-
-      ipv4_global = "129.241.153.213";
-      ipv6_global = "2001:700:300:6026:f816:3eff:fe58:f1e8";
+      ipv4 = "129.241.153.213";
+      ipv4_internal = "192.168.12.209";
+      ipv4_internal_gw = "192.168.12.1";
+      ipv6 = "2001:700:300:6026:f816:3eff:fe58:f1e8";
     };
     bicep = {
       ipv4 = pvv-ipv4 209;
@@ -59,39 +60,14 @@ in rec {
       ipv4 = pvv-ipv4 204;
       ipv6 = pvv-ipv6 "1:4f"; # Wtf øystein og daniel why
     };
-    buskerud = {
-      ipv4 = pvv-ipv4 231;
-      ipv6 = pvv-ipv6 231;
-    };
   };
 
   defaultNetworkConfig = {
-    networkConfig.IPv6AcceptRA = "no";
-    gateway = [ hosts.gateway ];
-    dns = [ "129.241.0.200" "129.241.0.201" ];
+    dns = [ "129.241.0.200" "129.241.0.201" "2001:700:300:1900::200" "2001:700:300:1900::201" ];
     domains = [ "pvv.ntnu.no" "pvv.org" ];
+    gateway = [ hosts.gateway hosts.gateway6 ];
+
+    networkConfig.IPv6AcceptRA = "no";
     DHCP = "no";
   };
-
-  openstackGlobalNetworkConfig = {
-    networkConfig.IPv6AcceptRA = "yes";
-    dns = [ "129.241.0.200" "129.241.0.201" ];
-    domains = [ "pvv.ntnu.no" "pvv.org" ];
-    DHCP = "yes";
-  };
-
-  openstackLocalNetworkConfig = {
-    networkConfig.IPv6AcceptRA = "no";
-    dns = [ "129.241.0.200" "129.241.0.201" ];
-    domains = [ "pvv.ntnu.no" "pvv.org" ];
-    DHCP = "yes";
-
-    # Only use this network for link-local networking, not global/default routes
-    dhcpV4Config.UseRoutes = "no";
-    routes = [
-      { routeConfig = { Destination = "10.0.0.0/8"; Gateway = "_dhcp4"; }; }
-    ];
-
-    linkConfig.RequiredForOnline = "no";
-  };
 }