From b5ec5fd763b70347fc698492f39c797b34a793b1 Mon Sep 17 00:00:00 2001
From: June <june@jsts.xyz>
Date: Tue, 16 Jan 2024 02:33:13 +0100
Subject: [PATCH 001/170] Update spaceapid

---
 config/hosts/public-web-static/spaceapid.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/config/hosts/public-web-static/spaceapid.nix b/config/hosts/public-web-static/spaceapid.nix
index f3aa25b..0a87c4f 100644
--- a/config/hosts/public-web-static/spaceapid.nix
+++ b/config/hosts/public-web-static/spaceapid.nix
@@ -4,7 +4,7 @@ let
   spaceapidSrc = builtins.fetchGit {
     url = "https://git.hamburg.ccc.de/CCCHH/spaceapid.git";
     ref = "main";
-    rev = "cf9678d7126e1951f9e4aabaa30d7350eb76973b";
+    rev = "bbeb0d0e2b4538faed275b9891fb55149bc3a2f8";
   };
   spaceapid = pkgs.buildGoModule {
     pname = "spaceapid";

From 7cef911b6159bff46fd4239240e17de5200aa645 Mon Sep 17 00:00:00 2001
From: Bennett Wetters <contact@bendo.org>
Date: Tue, 16 Jan 2024 02:46:09 +0100
Subject: [PATCH 002/170] Set -ldflags for spaceapid to set version string

Co-authored-by: June <june@jsts.xyz>
---
 config/hosts/public-web-static/spaceapid.nix | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/config/hosts/public-web-static/spaceapid.nix b/config/hosts/public-web-static/spaceapid.nix
index 0a87c4f..8c9cb87 100644
--- a/config/hosts/public-web-static/spaceapid.nix
+++ b/config/hosts/public-web-static/spaceapid.nix
@@ -6,11 +6,15 @@ let
     ref = "main";
     rev = "bbeb0d0e2b4538faed275b9891fb55149bc3a2f8";
   };
-  spaceapid = pkgs.buildGoModule {
+  spaceapid = pkgs.buildGoModule rec {
     pname = "spaceapid";
     version = "main";
 
     src = spaceapidSrc;
+    
+    ldflags = [
+      "-X main.version=${version}-${spaceapidSrc.rev}"
+    ];
 
     # Since spaceapid doesn't have any dependencies, we can set this to null and
     # use the nonexistend vendored dependencies.

From 8faf83158f9e5de20ac405ac2bb107264a6ebe89 Mon Sep 17 00:00:00 2001
From: June <june@jsts.xyz>
Date: Tue, 16 Jan 2024 20:35:56 +0100
Subject: [PATCH 003/170] Disable HTTP Basic authentication and set default
 repo units for Forgejo

---
 config/hosts/git/forgejo.nix | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/config/hosts/git/forgejo.nix b/config/hosts/git/forgejo.nix
index f907552..342a06a 100644
--- a/config/hosts/git/forgejo.nix
+++ b/config/hosts/git/forgejo.nix
@@ -43,6 +43,10 @@
         ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
         DEFAULT_USER_VISIBILITY = "limited";
         DEFAULT_KEEP_EMAIL_PRIVATE = true;
+        ENABLE_BASIC_AUTHENTICATION = false;
+      };
+      repo = {
+        DEFAULT_REPO_UNITS = "repo.code,repo.issues,repo.pulls";
       };
       mailer = {
         ENABLED = true;

From 4970f5905227bbc3c707378f20226302117d0c58 Mon Sep 17 00:00:00 2001
From: June <june@jsts.xyz>
Date: Thu, 18 Jan 2024 05:02:47 +0100
Subject: [PATCH 004/170] Enable Forgejo Actions for our Forgejo

---
 config/hosts/git/forgejo.nix | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/config/hosts/git/forgejo.nix b/config/hosts/git/forgejo.nix
index 342a06a..a6e6b81 100644
--- a/config/hosts/git/forgejo.nix
+++ b/config/hosts/git/forgejo.nix
@@ -48,6 +48,9 @@
       repo = {
         DEFAULT_REPO_UNITS = "repo.code,repo.issues,repo.pulls";
       };
+      actions = {
+        ENABLED = true;
+      };
       mailer = {
         ENABLED = true;
         FROM = "no-reply@git.hamburg.ccc.de";

From 85c059c75c6e4e2e96c591af4295a4c56b8db6bf Mon Sep 17 00:00:00 2001
From: June <june@jsts.xyz>
Date: Thu, 18 Jan 2024 05:03:21 +0100
Subject: [PATCH 005/170] Configure new forgejo-actions-runner host

Configure it to host a forgejo-actions-runner capable of handling CI
workloads running on Docker.
---
 .../forgejo-actions-runner/configuration.nix  |  7 +++++
 .../hosts/forgejo-actions-runner/default.nix  | 10 +++++++
 .../hosts/forgejo-actions-runner/docker.nix   | 13 ++++++++
 .../forgejo-actions-runner.nix                | 30 +++++++++++++++++++
 .../forgejo-actions-runner/networking.nix     | 20 +++++++++++++
 flake.nix                                     | 14 +++++++++
 6 files changed, 94 insertions(+)
 create mode 100644 config/hosts/forgejo-actions-runner/configuration.nix
 create mode 100644 config/hosts/forgejo-actions-runner/default.nix
 create mode 100644 config/hosts/forgejo-actions-runner/docker.nix
 create mode 100644 config/hosts/forgejo-actions-runner/forgejo-actions-runner.nix
 create mode 100644 config/hosts/forgejo-actions-runner/networking.nix

diff --git a/config/hosts/forgejo-actions-runner/configuration.nix b/config/hosts/forgejo-actions-runner/configuration.nix
new file mode 100644
index 0000000..d2a52da
--- /dev/null
+++ b/config/hosts/forgejo-actions-runner/configuration.nix
@@ -0,0 +1,7 @@
+{ config, pkgs, ... }:
+
+{
+  networking.hostName = "forgejo-actions-runner";
+
+  system.stateVersion = "23.11";
+}
diff --git a/config/hosts/forgejo-actions-runner/default.nix b/config/hosts/forgejo-actions-runner/default.nix
new file mode 100644
index 0000000..6a01b20
--- /dev/null
+++ b/config/hosts/forgejo-actions-runner/default.nix
@@ -0,0 +1,10 @@
+{ ... }:
+
+{
+  imports = [
+    ./configuration.nix
+    ./docker.nix
+    ./forgejo-actions-runner.nix
+    ./networking.nix
+  ];
+}
diff --git a/config/hosts/forgejo-actions-runner/docker.nix b/config/hosts/forgejo-actions-runner/docker.nix
new file mode 100644
index 0000000..b626e9f
--- /dev/null
+++ b/config/hosts/forgejo-actions-runner/docker.nix
@@ -0,0 +1,13 @@
+# Sources for this configuration:
+# - https://nixos.wiki/wiki/Docker
+{ config, pkgs, ... }:
+
+{
+  virtualisation.docker = {
+    enable = true;
+    autoPrune = {
+      enable = true;
+      dates = "weekly";
+    };
+  };
+}
diff --git a/config/hosts/forgejo-actions-runner/forgejo-actions-runner.nix b/config/hosts/forgejo-actions-runner/forgejo-actions-runner.nix
new file mode 100644
index 0000000..b2efcbe
--- /dev/null
+++ b/config/hosts/forgejo-actions-runner/forgejo-actions-runner.nix
@@ -0,0 +1,30 @@
+# Sources for this configuration:
+# - https://forgejo.org/docs/latest/admin/actions/
+# - https://forgejo.org/docs/latest/user/actions/
+# - https://docs.gitea.com/next/usage/actions/act-runner
+
+{ config, pkgs, ... }:
+
+{
+  services.gitea-actions-runner = {
+    package = pkgs.forgejo-actions-runner;
+    instances.ccchh-forgejo-global-docker = {
+      enable = true;
+      name = "Global Docker Forgejo Actions Runner";
+      url = "https://git.hamburg.ccc.de/";
+      tokenFile = "/secrets/registration-token.secret";
+      labels = [ "docker:docker://node:current-bookworm" ];
+    };
+  };
+
+  deployment.keys = {
+    "registration-token.secret" = {
+      keyCommand = [ "pass" "noc/services/forgejo-actions-runner/registration_token" ];
+      destDir = "/secrets";
+      user = "gitea-runner";
+      group = "gitea-runner";
+      permissions = "0640";
+      uploadAt = "pre-activation";
+    };
+  };
+}
diff --git a/config/hosts/forgejo-actions-runner/networking.nix b/config/hosts/forgejo-actions-runner/networking.nix
new file mode 100644
index 0000000..7c5e178
--- /dev/null
+++ b/config/hosts/forgejo-actions-runner/networking.nix
@@ -0,0 +1,20 @@
+{ config, pkgs, ... }:
+
+{
+  networking.interfaces.net0 = {
+    ipv4.addresses = [
+      {
+        address = "172.31.17.155";
+        prefixLength = 25;
+      }
+    ];
+  };
+  networking.defaultGateway = "172.31.17.129";
+  networking.nameservers = [ "212.12.50.158" "192.76.134.90" ];
+  networking.search = [ "hamburg.ccc.de" ];
+
+  systemd.network.links."10-net0" = {
+    matchConfig.MACAddress = "1E:E0:4E:D0:DA:BE";
+    linkConfig.Name = "net0";
+  };
+}
diff --git a/flake.nix b/flake.nix
index 086c076..6bc74ee 100644
--- a/flake.nix
+++ b/flake.nix
@@ -178,6 +178,20 @@
           ./config/hosts/git
         ];
       };
+
+      forgejo-actions-runner = {
+        deployment = {
+          targetHost = "forgejo-actions-runner-intern.hamburg.ccc.de";
+          targetPort = 22;
+          targetUser = "colmena-deploy";
+          tags = [ "chaosknoten" ];
+        };
+        imports = [
+          ./config/common
+          ./config/proxmox-vm
+          ./config/hosts/forgejo-actions-runner
+        ];
+      };
     };
 
     packages.x86_64-linux = {

From f6567bffb238f506d2dff1488ab3bef072af4642 Mon Sep 17 00:00:00 2001
From: June <june@jsts.xyz>
Date: Sat, 20 Jan 2024 21:34:09 +0100
Subject: [PATCH 006/170] Use Forgejo 1.21 from NixOS unstable to make Actions
 work properly

1.21 has scheduled Actions for example, which we need.
---
 config/hosts/git/forgejo.nix | 3 ++-
 flake.nix                    | 4 ++++
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/config/hosts/git/forgejo.nix b/config/hosts/git/forgejo.nix
index a6e6b81..22be46b 100644
--- a/config/hosts/git/forgejo.nix
+++ b/config/hosts/git/forgejo.nix
@@ -7,11 +7,12 @@
 # - https://codeberg.org/forgejo/forgejo/src/branch/forgejo/docs/content/administration/reverse-proxies.en-us.md
 # - https://forgejo.org/docs/latest/admin/email-setup/
 
-{ ... }:
+{ pkgs-unstable, ... }:
 
 {
   services.forgejo = {
     enable = true;
+    package = pkgs-unstable.forgejo;
     database.type = "postgres";
     mailerPasswordFile = "/secrets/forgejo-git-smtp-password.secret";
 
diff --git a/flake.nix b/flake.nix
index 6bc74ee..63ecb99 100644
--- a/flake.nix
+++ b/flake.nix
@@ -57,6 +57,7 @@
           '';
         });
       };
+      pkgs-unstable = nixpkgs-unstable.legacyPackages."x86_64-linux";
     in {
     colmena = {
       meta = {
@@ -65,6 +66,9 @@
           audio-hauptraum-kueche = nixpkgs-unstable.legacyPackages."x86_64-linux".extend shairportSync431ExtendedNixpkgsUnstableOverlay;
           audio-hauptraum-tafel = nixpkgs-unstable.legacyPackages."x86_64-linux".extend shairportSync431ExtendedNixpkgsUnstableOverlay;
         };
+        nodeSpecialArgs = {
+          git = { inherit pkgs-unstable; };
+        };
       };
 
       audio-hauptraum-kueche = {

From 598e11064150df05c8a8d7b7f60ba9ff3746dcbd Mon Sep 17 00:00:00 2001
From: June <june@jsts.xyz>
Date: Sat, 20 Jan 2024 21:39:22 +0100
Subject: [PATCH 007/170] Don't keep artifacts for so long

Keep them for 30 days instead of the default 90.
---
 config/hosts/git/forgejo.nix | 1 +
 1 file changed, 1 insertion(+)

diff --git a/config/hosts/git/forgejo.nix b/config/hosts/git/forgejo.nix
index 22be46b..cd8477a 100644
--- a/config/hosts/git/forgejo.nix
+++ b/config/hosts/git/forgejo.nix
@@ -51,6 +51,7 @@
       };
       actions = {
         ENABLED = true;
+        ARTIFACT_RETENTION_DAYS = 30;
       };
       mailer = {
         ENABLED = true;

From aa25b300e3c98fcd5703c5f24357805a46f1bfeb Mon Sep 17 00:00:00 2001
From: June <june@jsts.xyz>
Date: Sun, 21 Jan 2024 03:54:01 +0100
Subject: [PATCH 008/170] Fix temperature unit in spaceapid response

See:
https://github.com/SpaceApi/directory/pull/247#pullrequestreview-1825757336
https://git.hamburg.ccc.de/CCCHH/spaceapid/pulls/26
https://spaceapi.io/docs/#schema-key-sensors-temperature-unit
---
 .../public-web-static/spaceapid-config/ccchh-dynamic.json   | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/config/hosts/public-web-static/spaceapid-config/ccchh-dynamic.json b/config/hosts/public-web-static/spaceapid-config/ccchh-dynamic.json
index f7688ff..1872a53 100644
--- a/config/hosts/public-web-static/spaceapid-config/ccchh-dynamic.json
+++ b/config/hosts/public-web-static/spaceapid-config/ccchh-dynamic.json
@@ -4,7 +4,7 @@
       "temperature": [
         {
           "sensor_data": {
-            "unit": "C",
+            "unit": "°C",
             "location": "Hauptraum",
             "description": "Sensor im Hauptraum"
           },
@@ -14,7 +14,7 @@
         },
         {
           "sensor_data": {
-            "unit": "C",
+            "unit": "°C",
             "location": "Loetschlauch",
             "description": "Sensor im Lötschlauch (Teil der Werkstatt)"
           },
@@ -24,7 +24,7 @@
         },
         {
           "sensor_data": {
-            "unit": "C",
+            "unit": "°C",
             "location": "Innenhof",
             "description": "Sensor im Innenhof (erreichbar durch das Flurfenster)"
           },

From 7fd115ca2295966f9c9b31fbcf8bc4c33fa3a066 Mon Sep 17 00:00:00 2001
From: June <june@jsts.xyz>
Date: Sun, 21 Jan 2024 04:55:57 +0100
Subject: [PATCH 009/170] Use new infrastructure-authorized-keys url and latest
 commit

---
 config/common/users.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/config/common/users.nix b/config/common/users.nix
index 54970ec..06170bc 100644
--- a/config/common/users.nix
+++ b/config/common/users.nix
@@ -10,9 +10,9 @@
 
 let
   authorizedKeysRepo = builtins.fetchGit {
-    url = "ssh://git@gitlab.hamburg.ccc.de:4242/ccchh/infrastructure-authorized-keys.git";
+    url = "forgejo@git.hamburg.ccc.de:CCCHH/infrastructure-authorized-keys.git";
     ref = "trunk";
-    rev = "6dbf11113603a4f6c12f781c2dc7a8980e65a131";
+    rev = "0db6df46b68c07edbefe2a5f9ce4002fb6462980";
   };
   authorizedKeys = builtins.filter (item: item != "") (lib.strings.splitString "\n" (builtins.readFile "${authorizedKeysRepo}/authorized_keys"));
 in

From 12c38aac8bcf4607764012a5219b0302ee2da8ef Mon Sep 17 00:00:00 2001
From: June <june@jsts.xyz>
Date: Mon, 22 Jan 2024 02:05:48 +0100
Subject: [PATCH 010/170] Add CO2 sensors to spaceapid response

---
 .../spaceapid-config/ccchh-dynamic.json       | 22 +++++++++++++++++++
 1 file changed, 22 insertions(+)

diff --git a/config/hosts/public-web-static/spaceapid-config/ccchh-dynamic.json b/config/hosts/public-web-static/spaceapid-config/ccchh-dynamic.json
index 1872a53..b2f9f8e 100644
--- a/config/hosts/public-web-static/spaceapid-config/ccchh-dynamic.json
+++ b/config/hosts/public-web-static/spaceapid-config/ccchh-dynamic.json
@@ -64,6 +64,28 @@
             "club-assistant"
           ]
         }
+      ],
+      "CO2": [
+        {
+          "sensor_data": {
+            "unit": "ppm",
+            "location": "Hauptraum",
+            "description": "Sensor im Hauptraum (Typ: SCD41)"
+          },
+          "allowed_credentials": [
+            "club-assistant"
+          ]
+        },
+        {
+          "sensor_data": {
+            "unit": "ppm",
+            "location": "Loetschlauch",
+            "description": "Sensor im Lötschlauch (Teil der Werkstatt, Typ: SCD41)"
+          },
+          "allowed_credentials": [
+            "club-assistant"
+          ]
+        }
       ]
     },
     "state": {

From 485ed0fec2e892944845dd125a4cd3342f4ca8cc Mon Sep 17 00:00:00 2001
From: June <june@jsts.xyz>
Date: Mon, 22 Jan 2024 17:59:01 +0100
Subject: [PATCH 011/170] Use opensearch for code and issue search

---
 config/hosts/git/default.nix    |  1 +
 config/hosts/git/forgejo.nix    |  7 +++++++
 config/hosts/git/opensearch.nix | 12 ++++++++++++
 3 files changed, 20 insertions(+)
 create mode 100644 config/hosts/git/opensearch.nix

diff --git a/config/hosts/git/default.nix b/config/hosts/git/default.nix
index e2f517b..0f4664e 100644
--- a/config/hosts/git/default.nix
+++ b/config/hosts/git/default.nix
@@ -6,6 +6,7 @@
     ./forgejo.nix
     ./networking.nix
     ./nginx.nix
+    ./opensearch.nix
     ./redis.nix
   ];
 }
diff --git a/config/hosts/git/forgejo.nix b/config/hosts/git/forgejo.nix
index cd8477a..d571fb6 100644
--- a/config/hosts/git/forgejo.nix
+++ b/config/hosts/git/forgejo.nix
@@ -66,6 +66,13 @@
         ADAPTER = "redis";
         HOST = "redis+socket:///run/redis-forgejo/redis.sock";
       };
+      indexer = {
+        ISSUE_INDEXER_TYPE = "elasticsearch";
+        ISSUE_INDEXER_CONN_STR = "http://127.0.0.1:9200";
+        REPO_INDEXER_ENABLED = true;
+        REPO_INDEXER_TYPE = "elasticsearch";
+        REPO_INDEXER_CONN_STR = "http://127.0.0.1:9200";
+      };
     };
   };
 
diff --git a/config/hosts/git/opensearch.nix b/config/hosts/git/opensearch.nix
new file mode 100644
index 0000000..1dc4490
--- /dev/null
+++ b/config/hosts/git/opensearch.nix
@@ -0,0 +1,12 @@
+{ ... }:
+
+{
+  services.opensearch = {
+    enable = true;
+  };
+
+  systemd.services.forgejo = {
+    after = [ "opensearch.service" ];
+    requires = [ "opensearch.service" ];
+  };
+}

From 394f4fe562673be980c32371b8653a230262b8ea Mon Sep 17 00:00:00 2001
From: June <june@jsts.xyz>
Date: Mon, 22 Jan 2024 23:08:38 +0100
Subject: [PATCH 012/170] Deploy new website under hamburg.ccc.de

Make next.hamburg.ccc.de hamburg.ccc.de and add redirects to handle URLs
of the old website deployment properly.
Also redirect the old spaceapi endpoint to the new one.

Add staging.hamburg.ccc.de for hosting upcoming changes (PRs).
Also give it a robots.txt, since its contents don't need to show up in
search engines.

Add www.hamburg.ccc.de and let it redirect to hamburg.ccc.de.
---
 .../virtualHosts/default.nix                  |  4 +-
 .../virtualHosts/hamburg.ccc.de.nix           | 87 +++++++++++++++++++
 ....ccc.de.nix => staging.hamburg.ccc.de.nix} | 18 ++--
 .../virtualHosts/www.hamburg.ccc.de.nix       | 46 ++++++++++
 4 files changed, 148 insertions(+), 7 deletions(-)
 create mode 100644 config/hosts/public-web-static/virtualHosts/hamburg.ccc.de.nix
 rename config/hosts/public-web-static/virtualHosts/{next.hamburg.ccc.de.nix => staging.hamburg.ccc.de.nix} (69%)
 create mode 100644 config/hosts/public-web-static/virtualHosts/www.hamburg.ccc.de.nix

diff --git a/config/hosts/public-web-static/virtualHosts/default.nix b/config/hosts/public-web-static/virtualHosts/default.nix
index 5036faf..e22165f 100644
--- a/config/hosts/public-web-static/virtualHosts/default.nix
+++ b/config/hosts/public-web-static/virtualHosts/default.nix
@@ -5,7 +5,9 @@
     ./branding-resources.hamburg.ccc.de.nix
     ./c3cat.de.nix
     ./element.hamburg.ccc.de.nix
-    ./next.hamburg.ccc.de.nix
+    ./hamburg.ccc.de.nix
     ./spaceapi.hamburg.ccc.de.nix
+    ./staging.hamburg.ccc.de.nix
+    ./www.hamburg.ccc.de.nix
   ];
 }
diff --git a/config/hosts/public-web-static/virtualHosts/hamburg.ccc.de.nix b/config/hosts/public-web-static/virtualHosts/hamburg.ccc.de.nix
new file mode 100644
index 0000000..a318fec
--- /dev/null
+++ b/config/hosts/public-web-static/virtualHosts/hamburg.ccc.de.nix
@@ -0,0 +1,87 @@
+{ pkgs, ... }:
+
+{
+  services.nginx.virtualHosts = {
+    "acme-hamburg.ccc.de" = {
+      enableACME = true;
+      serverName = "hamburg.ccc.de";
+
+      listen = [
+        {
+          addr = "0.0.0.0";
+          port = 31820;
+        }
+      ];
+    };
+
+    "hamburg.ccc.de" = {
+      forceSSL = true;
+      useACMEHost = "hamburg.ccc.de";
+
+      listen = [
+        {
+          addr = "0.0.0.0";
+          port = 8443;
+          ssl = true;
+          proxyProtocol = true;
+        }
+      ];
+
+      root = "/var/www/hamburg.ccc.de/";
+
+      # Redirect the old spaceapi endpoint to the new one.
+      locations."/dooris/status.json" = {
+        return = "302 https://spaceapi.hamburg.ccc.de/";
+      };
+
+      # Redirect pages starting with 4 digits for redirecting the old blog
+      # article URLs.
+      # We want to redirect /yyyy/mm/dd/slug to /blog/yyyy/mm/dd/slug, but we
+      # just match the first 4 digits for simplicity.
+      locations."~ \"^/[\\d]{4}\"" = {
+        return = "302 https://$host/blog$request_uri";
+      };
+
+      # Redirect pages, which previously lived on the old website, to their
+      # successors in the wiki.
+      locations."/club/satzung" = {
+        return = "302 https://wiki.hamburg.ccc.de/verein:offizielles:satzung";
+      };
+      locations."/club/hausordnung" = {
+        return = "302 https://wiki.hamburg.ccc.de/verein:offizielles:hausordnung";
+      };
+      locations."/club/vertrauenspersonen" = {
+        return = "302 https://wiki.hamburg.ccc.de/verein:offizielles:vertrauenspersonen";
+      };
+      locations."/club/beitragsordnung" = {
+        return = "302 https://wiki.hamburg.ccc.de/verein:offizielles:beitragsordnung";
+      };
+      locations."/club/mitgliedschaft" = {
+        return = "302 https://wiki.hamburg.ccc.de/verein:offizielles:foemi-formular";
+      };
+      locations."/club/geschichte" = {
+        return = "302 https://wiki.hamburg.ccc.de/club:geschichte";
+      };
+
+      extraConfig = ''
+        # Make use of the ngx_http_realip_module to set the $remote_addr and
+        # $remote_port to the client address and client port, when using proxy
+        # protocol.
+        # First set our proxy protocol proxy as trusted.
+        set_real_ip_from 172.31.17.140;
+        # Then tell the realip_module to get the addreses from the proxy protocol
+        # header.
+        real_ip_header proxy_protocol;
+      '';
+    };
+  };
+
+  users.users.ccchh-website-deploy = {
+    isNormalUser = true;
+    group = "ccchh-website-deploy";
+    openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILX847OMjYC+he1nbV37rrdCQVGINFY43CwLjZDM9iyb ccchh website deployment key"
+    ];
+  };
+  users.groups.ccchh-website-deploy = { };
+}
diff --git a/config/hosts/public-web-static/virtualHosts/next.hamburg.ccc.de.nix b/config/hosts/public-web-static/virtualHosts/staging.hamburg.ccc.de.nix
similarity index 69%
rename from config/hosts/public-web-static/virtualHosts/next.hamburg.ccc.de.nix
rename to config/hosts/public-web-static/virtualHosts/staging.hamburg.ccc.de.nix
index a0dff81..a36a099 100644
--- a/config/hosts/public-web-static/virtualHosts/next.hamburg.ccc.de.nix
+++ b/config/hosts/public-web-static/virtualHosts/staging.hamburg.ccc.de.nix
@@ -2,9 +2,9 @@
 
 {
   services.nginx.virtualHosts = {
-    "acme-next.hamburg.ccc.de" = {
+    "acme-staging.hamburg.ccc.de" = {
       enableACME = true;
-      serverName = "next.hamburg.ccc.de";
+      serverName = "staging.hamburg.ccc.de";
 
       listen = [
         {
@@ -14,9 +14,9 @@
       ];
     };
 
-    "next.hamburg.ccc.de" = {
+    "staging.hamburg.ccc.de" = {
       forceSSL = true;
-      useACMEHost = "next.hamburg.ccc.de";
+      useACMEHost = "staging.hamburg.ccc.de";
 
       listen = [
         {
@@ -27,7 +27,13 @@
         }
       ];
 
-      root = "/var/www/next.hamburg.ccc.de/";
+      root = "/var/www/staging.hamburg.ccc.de/";
+
+      # Disallow *, since this is staging and doesn't need to be in any search
+      # results.
+      locations."/robots.txt" = {
+        return = "200 \"User-agent: *\\nDisallow: *\\n\"";
+      };
 
       extraConfig = ''
         # Make use of the ngx_http_realip_module to set the $remote_addr and
@@ -46,7 +52,7 @@
     isNormalUser = true;
     group = "ccchh-website-deploy";
     openssh.authorizedKeys.keys = [
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILX847OMjYC+he1nbV37rrdCQVGINFY43CwLjZDM9iyb next.hamburg.ccc.de deployment key"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILX847OMjYC+he1nbV37rrdCQVGINFY43CwLjZDM9iyb ccchh website deployment key"
     ];
   };
   users.groups.ccchh-website-deploy = { };
diff --git a/config/hosts/public-web-static/virtualHosts/www.hamburg.ccc.de.nix b/config/hosts/public-web-static/virtualHosts/www.hamburg.ccc.de.nix
new file mode 100644
index 0000000..a29fbd2
--- /dev/null
+++ b/config/hosts/public-web-static/virtualHosts/www.hamburg.ccc.de.nix
@@ -0,0 +1,46 @@
+{ pkgs, ... }:
+
+{
+  services.nginx.virtualHosts = {
+    "acme-www.hamburg.ccc.de" = {
+      enableACME = true;
+      serverName = "www.hamburg.ccc.de";
+
+      listen = [
+        {
+          addr = "0.0.0.0";
+          port = 31820;
+        }
+      ];
+    };
+
+    "www.hamburg.ccc.de" = {
+      forceSSL = true;
+      useACMEHost = "www.hamburg.ccc.de";
+
+      listen = [
+        {
+          addr = "0.0.0.0";
+          port = 8443;
+          ssl = true;
+          proxyProtocol = true;
+        }
+      ];
+
+      locations."/" = {
+        return = "302 https://hamburg.ccc.de$request_uri";
+      };
+
+      extraConfig = ''
+        # Make use of the ngx_http_realip_module to set the $remote_addr and
+        # $remote_port to the client address and client port, when using proxy
+        # protocol.
+        # First set our proxy protocol proxy as trusted.
+        set_real_ip_from 172.31.17.140;
+        # Then tell the realip_module to get the addreses from the proxy protocol
+        # header.
+        real_ip_header proxy_protocol;
+      '';
+    };
+  };
+}

From 1dd8651bda7ddde8d145143470b53900a7f5e947 Mon Sep 17 00:00:00 2001
From: June <june@jsts.xyz>
Date: Mon, 22 Jan 2024 23:15:03 +0100
Subject: [PATCH 013/170] Update wiki links to point to wiki.hamburg.ccc.de

---
 .../public-web-static/spaceapid-config/ccchh-response.json      | 2 +-
 config/hosts/public-web-static/virtualHosts/c3cat.de.nix        | 2 +-
 .../virtualHosts/element-web-config/config.json                 | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/config/hosts/public-web-static/spaceapid-config/ccchh-response.json b/config/hosts/public-web-static/spaceapid-config/ccchh-response.json
index 47d11aa..3127d20 100644
--- a/config/hosts/public-web-static/spaceapid-config/ccchh-response.json
+++ b/config/hosts/public-web-static/spaceapid-config/ccchh-response.json
@@ -33,7 +33,7 @@
     "links": [
       {
         "name": "Wiki",
-        "url": "https://wiki.ccchh.net"
+        "url": "https://wiki.hamburg.ccc.de"
       },
       {
         "name": "Git (Forgejo)",
diff --git a/config/hosts/public-web-static/virtualHosts/c3cat.de.nix b/config/hosts/public-web-static/virtualHosts/c3cat.de.nix
index 9533e93..f1ad527 100644
--- a/config/hosts/public-web-static/virtualHosts/c3cat.de.nix
+++ b/config/hosts/public-web-static/virtualHosts/c3cat.de.nix
@@ -28,7 +28,7 @@
       ];
 
       locations."/" = {
-        return = "302 https://wiki.ccchh.net/club:c3cat:start";
+        return = "302 https://wiki.hamburg.ccc.de/club:c3cat:start";
       };
 
       extraConfig = ''
diff --git a/config/hosts/public-web-static/virtualHosts/element-web-config/config.json b/config/hosts/public-web-static/virtualHosts/element-web-config/config.json
index 393c215..19cfdf0 100644
--- a/config/hosts/public-web-static/virtualHosts/element-web-config/config.json
+++ b/config/hosts/public-web-static/virtualHosts/element-web-config/config.json
@@ -49,7 +49,7 @@
         "auth_header_logo_url": "https://branding-resources.hamburg.ccc.de/logo/ccchh-logo-no-background.png",
         "auth_footer_links": [
             { "text": "Website", "url": "https://hamburg.ccc.de/" },
-            { "text": "Wiki", "url": "https://wiki.ccchh.net/" },
+            { "text": "Wiki", "url": "https://wiki.hamburg.ccc.de/" },
             { "text": "Status", "url": "https://status.ccchh.net/status/main" }
         ]
     }

From 6bb4577a33af2d4d1641ee57088932fb6640c680 Mon Sep 17 00:00:00 2001
From: June <june@jsts.xyz>
Date: Mon, 22 Jan 2024 23:15:57 +0100
Subject: [PATCH 014/170] flake.lock: Update
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Flake lock file updates:

• Updated input 'nixos-generators':
    'github:nix-community/nixos-generators/246219bc21b943c6f6812bb7744218ba0df08600' (2023-12-04)
  → 'github:nix-community/nixos-generators/ed8ab00e8d92076a7cac1b428881b4d5304bb771' (2024-01-22)
• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/76fc2dd7efd18cb4251db2f35ab6655ee746e961' (2024-01-12)
  → 'github:nixos/nixpkgs/a1aa4980b64eb5fbfa652da57ed4de92e92be630' (2024-01-21)
• Updated input 'nixpkgs-unstable':
    'github:nixos/nixpkgs/391d29cb04fe2ca9a4744c10d6b8a7783f6b0f6d' (2024-01-12)
  → 'github:nixos/nixpkgs/8cccce637e19577815de54c5ecc3132dff965aee' (2024-01-22)
---
 flake.lock | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/flake.lock b/flake.lock
index 51cd067..fdcf157 100644
--- a/flake.lock
+++ b/flake.lock
@@ -23,11 +23,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1701689616,
-        "narHash": "sha256-ewnfgvRy73HoP5KnYmy1Rcr4m4yShvsb6TCCaKoW8pc=",
+        "lastModified": 1705931262,
+        "narHash": "sha256-JU8Dn3FeLlpC2aCXDbVH+E9koZYw/r1LW+fofWq87mE=",
         "owner": "nix-community",
         "repo": "nixos-generators",
-        "rev": "246219bc21b943c6f6812bb7744218ba0df08600",
+        "rev": "ed8ab00e8d92076a7cac1b428881b4d5304bb771",
         "type": "github"
       },
       "original": {
@@ -38,11 +38,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1705044370,
-        "narHash": "sha256-QmzSiphBSOCvhzMNUzhtZT/HpK4VyXqWEYRRPNtIfMQ=",
+        "lastModified": 1705864497,
+        "narHash": "sha256-GVjAt3eHgSGp76Nx6/BXkl38w25FyLbS5Y3hn+BvLk0=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "76fc2dd7efd18cb4251db2f35ab6655ee746e961",
+        "rev": "a1aa4980b64eb5fbfa652da57ed4de92e92be630",
         "type": "github"
       },
       "original": {
@@ -54,11 +54,11 @@
     },
     "nixpkgs-unstable": {
       "locked": {
-        "lastModified": 1705069489,
-        "narHash": "sha256-kXk4DUZS5uEdowgcv5PWVJ1s37xZKPvhpD/CFNdWMbs=",
+        "lastModified": 1705891108,
+        "narHash": "sha256-PQ0Df5BzByg+0gPE1goa9WYVXSoEP6gtjblrbYC8WOI=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "391d29cb04fe2ca9a4744c10d6b8a7783f6b0f6d",
+        "rev": "8cccce637e19577815de54c5ecc3132dff965aee",
         "type": "github"
       },
       "original": {

From c83f1faaa7552f894774ce85a3887125141defb4 Mon Sep 17 00:00:00 2001
From: June <june@jsts.xyz>
Date: Mon, 22 Jan 2024 23:32:00 +0100
Subject: [PATCH 015/170] Use custom 404 page for hamburg.ccc.de

---
 config/hosts/public-web-static/virtualHosts/hamburg.ccc.de.nix | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/config/hosts/public-web-static/virtualHosts/hamburg.ccc.de.nix b/config/hosts/public-web-static/virtualHosts/hamburg.ccc.de.nix
index a318fec..0f43a9d 100644
--- a/config/hosts/public-web-static/virtualHosts/hamburg.ccc.de.nix
+++ b/config/hosts/public-web-static/virtualHosts/hamburg.ccc.de.nix
@@ -72,6 +72,8 @@
         # Then tell the realip_module to get the addreses from the proxy protocol
         # header.
         real_ip_header proxy_protocol;
+
+        error_page 404 /404.html;
       '';
     };
   };

From 7ce5c934df9dac3024735d1e4f55b3eec81b93d5 Mon Sep 17 00:00:00 2001
From: June <june@jsts.xyz>
Date: Tue, 23 Jan 2024 19:57:20 +0100
Subject: [PATCH 016/170] Redirect old feed location to new one for CCCHH
 website

---
 .../hosts/public-web-static/virtualHosts/hamburg.ccc.de.nix  | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/config/hosts/public-web-static/virtualHosts/hamburg.ccc.de.nix b/config/hosts/public-web-static/virtualHosts/hamburg.ccc.de.nix
index 0f43a9d..bb78b63 100644
--- a/config/hosts/public-web-static/virtualHosts/hamburg.ccc.de.nix
+++ b/config/hosts/public-web-static/virtualHosts/hamburg.ccc.de.nix
@@ -63,6 +63,11 @@
         return = "302 https://wiki.hamburg.ccc.de/club:geschichte";
       };
 
+      # Redirect old feed location.
+      locations."/feed.xml" = {
+        return = "302 https://$host/blog/index.xml";
+      };
+
       extraConfig = ''
         # Make use of the ngx_http_realip_module to set the $remote_addr and
         # $remote_port to the client address and client port, when using proxy

From a0e92ff92a3b73a6af9cf014239e7bbae6160120 Mon Sep 17 00:00:00 2001
From: June <june@jsts.xyz>
Date: Tue, 23 Jan 2024 23:24:20 +0100
Subject: [PATCH 017/170] Give Git an IPv6

---
 config/hosts/git/networking.nix | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/config/hosts/git/networking.nix b/config/hosts/git/networking.nix
index 088d7ea..b73b953 100644
--- a/config/hosts/git/networking.nix
+++ b/config/hosts/git/networking.nix
@@ -1,3 +1,6 @@
+# Sources for this configuration:
+# - https://nixos.wiki/wiki/Networking
+
 { ... }:
 
 {
@@ -13,6 +16,16 @@
   networking.nameservers = [ "212.12.50.158" "192.76.134.90" ];
   networking.search = [ "hamburg.ccc.de" ];
 
+  networking.interfaces.net0 = {
+    ipv6.addresses = [
+      {
+        address = "2a00:14b0:f000:23:51:136::1";
+        prefixLength = 64;
+      }
+    ];
+  };
+  networking.defaultGateway6 = "2a00:14b0:f000:23::1";
+
   systemd.network.links."10-net0" = {
     matchConfig.MACAddress = "92:7B:E6:12:A4:FA";
     linkConfig.Name = "net0";

From e18b840d20475e6b4224091c8939ef81703e0551 Mon Sep 17 00:00:00 2001
From: June <june@jsts.xyz>
Date: Wed, 24 Jan 2024 20:17:59 +0100
Subject: [PATCH 018/170] Enable offline mode for Forgejo to disable use of CDN
 and Gravatar

---
 config/hosts/git/forgejo.nix | 1 +
 1 file changed, 1 insertion(+)

diff --git a/config/hosts/git/forgejo.nix b/config/hosts/git/forgejo.nix
index d571fb6..103881c 100644
--- a/config/hosts/git/forgejo.nix
+++ b/config/hosts/git/forgejo.nix
@@ -28,6 +28,7 @@
         ROOT_URL = "https://git.hamburg.ccc.de/";
         # LOCAL_ROOT_URL is apparently what Forgejo uses to access itself.
         # Doesn't need to be set.
+        OFFLINE_MODE = true;
       };
       admin = {
         DISABLE_REGULAR_ORG_CREATION = false;

From 4c0decea4a89cadde8b7cd8258e5048a3ae99223 Mon Sep 17 00:00:00 2001
From: fi <fi@nekover.se>
Date: Sun, 28 Jan 2024 05:05:53 +0100
Subject: [PATCH 019/170] Update element-web to 1.11.55

---
 .../virtualHosts/element.hamburg.ccc.de.nix                  | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/config/hosts/public-web-static/virtualHosts/element.hamburg.ccc.de.nix b/config/hosts/public-web-static/virtualHosts/element.hamburg.ccc.de.nix
index a72703a..da11e0f 100644
--- a/config/hosts/public-web-static/virtualHosts/element.hamburg.ccc.de.nix
+++ b/config/hosts/public-web-static/virtualHosts/element.hamburg.ccc.de.nix
@@ -1,9 +1,10 @@
 { pkgs, ... }:
 
 let
+  elementWebVersion = "1.11.55";
   element-web = pkgs.fetchzip {
-    url = "https://github.com/vector-im/element-web/releases/download/v1.11.45/element-v1.11.45.tar.gz";
-    sha256 = "sha256-nwRsBIF9vcHZkyVsLA2sU2cmuzALEIIOcWQRGfd+5xs=";
+    url = "https://github.com/vector-im/element-web/releases/download/v${elementWebVersion}/element-v${elementWebVersion}.tar.gz";
+    sha256 = "sha256-lM1P23MTqAgrw3vjNSzDswmn0n8SRY6dBD0aELmoqsQ=";
   };
   elementSecurityHeaders = ''
     # Configuration best practices

From 2ae1ad36043f331a27b57c5a936cf0eb2ed7d14a Mon Sep 17 00:00:00 2001
From: fi <fi@nekover.se>
Date: Sun, 28 Jan 2024 21:59:08 +0100
Subject: [PATCH 020/170] Configure matrix server .well-known delegation

---
 .../virtualHosts/hamburg.ccc.de.nix                 | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/config/hosts/public-web-static/virtualHosts/hamburg.ccc.de.nix b/config/hosts/public-web-static/virtualHosts/hamburg.ccc.de.nix
index bb78b63..aac7fa2 100644
--- a/config/hosts/public-web-static/virtualHosts/hamburg.ccc.de.nix
+++ b/config/hosts/public-web-static/virtualHosts/hamburg.ccc.de.nix
@@ -34,6 +34,19 @@
         return = "302 https://spaceapi.hamburg.ccc.de/";
       };
 
+    locations."/.well-known/matrix/server" = {
+      return = "200 '{\"m.server\": \"matrix.hamburg.ccc.de:443\"}'";
+      extraConfig = ''
+        add_header Content-Type application/json;
+      '';
+    };
+    locations."/.well-known/matrix/client" = {
+      return = "200 '{\"m.homeserver\": {\"base_url\": \"https://matrix.hamburg.ccc.de\"}, \"m.identity_server\": {\"base_url\": \"https://vector.im\"}}'";
+      extraConfig = ''
+        default_type application/json;
+        add_header Access-Control-Allow-Origin *;
+      '';
+    };
       # Redirect pages starting with 4 digits for redirecting the old blog
       # article URLs.
       # We want to redirect /yyyy/mm/dd/slug to /blog/yyyy/mm/dd/slug, but we

From d8d02368700bb4b10502704f1bba02492839d8e2 Mon Sep 17 00:00:00 2001
From: fi <fi@nekover.se>
Date: Sun, 28 Jan 2024 22:03:15 +0100
Subject: [PATCH 021/170] Fix indentation

---
 .../virtualHosts/hamburg.ccc.de.nix           | 28 ++++++++++---------
 1 file changed, 15 insertions(+), 13 deletions(-)

diff --git a/config/hosts/public-web-static/virtualHosts/hamburg.ccc.de.nix b/config/hosts/public-web-static/virtualHosts/hamburg.ccc.de.nix
index aac7fa2..1d8eef1 100644
--- a/config/hosts/public-web-static/virtualHosts/hamburg.ccc.de.nix
+++ b/config/hosts/public-web-static/virtualHosts/hamburg.ccc.de.nix
@@ -34,19 +34,21 @@
         return = "302 https://spaceapi.hamburg.ccc.de/";
       };
 
-    locations."/.well-known/matrix/server" = {
-      return = "200 '{\"m.server\": \"matrix.hamburg.ccc.de:443\"}'";
-      extraConfig = ''
-        add_header Content-Type application/json;
-      '';
-    };
-    locations."/.well-known/matrix/client" = {
-      return = "200 '{\"m.homeserver\": {\"base_url\": \"https://matrix.hamburg.ccc.de\"}, \"m.identity_server\": {\"base_url\": \"https://vector.im\"}}'";
-      extraConfig = ''
-        default_type application/json;
-        add_header Access-Control-Allow-Origin *;
-      '';
-    };
+      # Add .well-known/matrix stuff for Matrix to work.
+      locations."/.well-known/matrix/server" = {
+        return = "200 '{\"m.server\": \"matrix.hamburg.ccc.de:443\"}'";
+        extraConfig = ''
+          add_header Content-Type application/json;
+        '';
+      };
+      locations."/.well-known/matrix/client" = {
+        return = "200 '{\"m.homeserver\": {\"base_url\": \"https://matrix.hamburg.ccc.de\"}, \"m.identity_server\": {\"base_url\": \"https://vector.im\"}}'";
+        extraConfig = ''
+          default_type application/json;
+          add_header Access-Control-Allow-Origin *;
+        '';
+      };
+
       # Redirect pages starting with 4 digits for redirecting the old blog
       # article URLs.
       # We want to redirect /yyyy/mm/dd/slug to /blog/yyyy/mm/dd/slug, but we

From 85951e2e59213f600bb07154f492cb976776a6d4 Mon Sep 17 00:00:00 2001
From: June <june@jsts.xyz>
Date: Sun, 4 Feb 2024 00:21:47 +0100
Subject: [PATCH 022/170] flake.lock: Update
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Flake lock file updates:

• Updated input 'nixos-generators':
    'github:nix-community/nixos-generators/ed8ab00e8d92076a7cac1b428881b4d5304bb771' (2024-01-22)
  → 'github:nix-community/nixos-generators/896f6589db5b25023b812bbb6c1f5d3a499b1132' (2024-01-24)
• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/a1aa4980b64eb5fbfa652da57ed4de92e92be630' (2024-01-21)
  → 'github:nixos/nixpkgs/ac0524b807cb04a3e792c0bcc9e853e9a1547aa1' (2024-02-02)
• Updated input 'nixpkgs-unstable':
    'github:nixos/nixpkgs/8cccce637e19577815de54c5ecc3132dff965aee' (2024-01-22)
  → 'github:nixos/nixpkgs/4f301350dacb4eb0a93578ef3b07c8a996c777e7' (2024-02-03)
---
 flake.lock | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/flake.lock b/flake.lock
index fdcf157..47917b6 100644
--- a/flake.lock
+++ b/flake.lock
@@ -23,11 +23,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1705931262,
-        "narHash": "sha256-JU8Dn3FeLlpC2aCXDbVH+E9koZYw/r1LW+fofWq87mE=",
+        "lastModified": 1706085261,
+        "narHash": "sha256-7PgpHRHyShINcqgevPP1fJ6N8kM5ZSOJnk3QZBrOCQ0=",
         "owner": "nix-community",
         "repo": "nixos-generators",
-        "rev": "ed8ab00e8d92076a7cac1b428881b4d5304bb771",
+        "rev": "896f6589db5b25023b812bbb6c1f5d3a499b1132",
         "type": "github"
       },
       "original": {
@@ -38,11 +38,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1705864497,
-        "narHash": "sha256-GVjAt3eHgSGp76Nx6/BXkl38w25FyLbS5Y3hn+BvLk0=",
+        "lastModified": 1706905405,
+        "narHash": "sha256-Jts2FPpB58OXRxIk6Lq1w3O2RelpmJ9fEkgTaVJT6nM=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "a1aa4980b64eb5fbfa652da57ed4de92e92be630",
+        "rev": "ac0524b807cb04a3e792c0bcc9e853e9a1547aa1",
         "type": "github"
       },
       "original": {
@@ -54,11 +54,11 @@
     },
     "nixpkgs-unstable": {
       "locked": {
-        "lastModified": 1705891108,
-        "narHash": "sha256-PQ0Df5BzByg+0gPE1goa9WYVXSoEP6gtjblrbYC8WOI=",
+        "lastModified": 1706941790,
+        "narHash": "sha256-V4apg6WJS6hc1VhHuUpaLt0r/ulu/hvFruP6NKdEdfo=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "8cccce637e19577815de54c5ecc3132dff965aee",
+        "rev": "4f301350dacb4eb0a93578ef3b07c8a996c777e7",
         "type": "github"
       },
       "original": {

From c0142ad1a59392090fc5c15ae7cf5c384843708a Mon Sep 17 00:00:00 2001
From: June <june@jsts.xyz>
Date: Sat, 24 Feb 2024 15:51:03 +0100
Subject: [PATCH 023/170] flake.lock: Update
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Flake lock file updates:

• Updated input 'nixos-generators':
    'github:nix-community/nixos-generators/896f6589db5b25023b812bbb6c1f5d3a499b1132' (2024-01-24)
  → 'github:nix-community/nixos-generators/f4631dee1a0fd56c0db89860e83e3588a28c7631' (2024-02-22)
• Updated input 'nixos-generators/nixlib':
    'github:nix-community/nixpkgs.lib/f5af57d3ef9947a70ac86e42695231ac1ad00c25' (2023-09-03)
  → 'github:nix-community/nixpkgs.lib/e623008d8a46517470e6365505f1a3ce171fa46a' (2024-02-18)
• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/ac0524b807cb04a3e792c0bcc9e853e9a1547aa1' (2024-02-02)
  → 'github:nixos/nixpkgs/79032939bc8d409bcc16121c4ad694ca862895e4' (2024-02-24)
• Updated input 'nixpkgs-unstable':
    'github:nixos/nixpkgs/4f301350dacb4eb0a93578ef3b07c8a996c777e7' (2024-02-03)
  → 'github:nixos/nixpkgs/5ab08ad057499977d489f1b378e79d166a684e6c' (2024-02-24)
---
 flake.lock | 24 ++++++++++++------------
 1 file changed, 12 insertions(+), 12 deletions(-)

diff --git a/flake.lock b/flake.lock
index 47917b6..da0b6f6 100644
--- a/flake.lock
+++ b/flake.lock
@@ -2,11 +2,11 @@
   "nodes": {
     "nixlib": {
       "locked": {
-        "lastModified": 1693701915,
-        "narHash": "sha256-waHPLdDYUOHSEtMKKabcKIMhlUOHPOOPQ9UyFeEoovs=",
+        "lastModified": 1708217146,
+        "narHash": "sha256-nGfEv7k78slqIR5E0zzWSx214d/4/ZPKDkObLJqVLVw=",
         "owner": "nix-community",
         "repo": "nixpkgs.lib",
-        "rev": "f5af57d3ef9947a70ac86e42695231ac1ad00c25",
+        "rev": "e623008d8a46517470e6365505f1a3ce171fa46a",
         "type": "github"
       },
       "original": {
@@ -23,11 +23,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1706085261,
-        "narHash": "sha256-7PgpHRHyShINcqgevPP1fJ6N8kM5ZSOJnk3QZBrOCQ0=",
+        "lastModified": 1708563055,
+        "narHash": "sha256-FaojUZNu+YPFi3eCI7mL4kxPKQ51DoySa7mqmllUOuc=",
         "owner": "nix-community",
         "repo": "nixos-generators",
-        "rev": "896f6589db5b25023b812bbb6c1f5d3a499b1132",
+        "rev": "f4631dee1a0fd56c0db89860e83e3588a28c7631",
         "type": "github"
       },
       "original": {
@@ -38,11 +38,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1706905405,
-        "narHash": "sha256-Jts2FPpB58OXRxIk6Lq1w3O2RelpmJ9fEkgTaVJT6nM=",
+        "lastModified": 1708760845,
+        "narHash": "sha256-xkSxjVuYLQGvteX4CCuC4c5daBwMKIDAvp0Mvvg2spE=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "ac0524b807cb04a3e792c0bcc9e853e9a1547aa1",
+        "rev": "79032939bc8d409bcc16121c4ad694ca862895e4",
         "type": "github"
       },
       "original": {
@@ -54,11 +54,11 @@
     },
     "nixpkgs-unstable": {
       "locked": {
-        "lastModified": 1706941790,
-        "narHash": "sha256-V4apg6WJS6hc1VhHuUpaLt0r/ulu/hvFruP6NKdEdfo=",
+        "lastModified": 1708765437,
+        "narHash": "sha256-pFAbQn7RR2lMRpyNhyAogUp7c4reB4uM4fnnbIvUw4k=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "4f301350dacb4eb0a93578ef3b07c8a996c777e7",
+        "rev": "5ab08ad057499977d489f1b378e79d166a684e6c",
         "type": "github"
       },
       "original": {

From 7ab1563c88d97acdf374fd6743d584ca1a7177d9 Mon Sep 17 00:00:00 2001
From: June <june@jsts.xyz>
Date: Sat, 2 Mar 2024 15:40:55 +0100
Subject: [PATCH 024/170] Add entry to public-reverse-proxy for acme challenge
 for light-werkstatt

---
 config/hosts/public-reverse-proxy/nginx.nix | 1 +
 1 file changed, 1 insertion(+)

diff --git a/config/hosts/public-reverse-proxy/nginx.nix b/config/hosts/public-reverse-proxy/nginx.nix
index f23e7a9..ff14adb 100644
--- a/config/hosts/public-reverse-proxy/nginx.nix
+++ b/config/hosts/public-reverse-proxy/nginx.nix
@@ -26,6 +26,7 @@
         club-assistant.ccchh.net 10.31.208.10;
         netbox.ccchh.net 10.31.208.29:31820;
         light.ccchh.net 10.31.208.23;
+        light-werkstatt.ccchh.net 10.31.208.23;
         thinkcccore0.ccchh.net 10.31.242.3;
         thinkcccore1.ccchh.net 10.31.242.4;
         thinkcccore2.ccchh.net 10.31.242.5;

From a5a994f87f26cd23d4e2a31695e08c8199205b2f Mon Sep 17 00:00:00 2001
From: fi <fi@nekover.se>
Date: Sat, 2 Mar 2024 17:22:15 +0100
Subject: [PATCH 025/170] Bump element-web to 1.11.59

---
 .../public-web-static/virtualHosts/element.hamburg.ccc.de.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/config/hosts/public-web-static/virtualHosts/element.hamburg.ccc.de.nix b/config/hosts/public-web-static/virtualHosts/element.hamburg.ccc.de.nix
index da11e0f..8a6c629 100644
--- a/config/hosts/public-web-static/virtualHosts/element.hamburg.ccc.de.nix
+++ b/config/hosts/public-web-static/virtualHosts/element.hamburg.ccc.de.nix
@@ -1,10 +1,10 @@
 { pkgs, ... }:
 
 let
-  elementWebVersion = "1.11.55";
+  elementWebVersion = "1.11.59";
   element-web = pkgs.fetchzip {
     url = "https://github.com/vector-im/element-web/releases/download/v${elementWebVersion}/element-v${elementWebVersion}.tar.gz";
-    sha256 = "sha256-lM1P23MTqAgrw3vjNSzDswmn0n8SRY6dBD0aELmoqsQ=";
+    sha256 = "sha256-iVTd5zWUJh9wkbKMh+5hq0ucQaLLY29w1xCLxDIdQ18=";
   };
   elementSecurityHeaders = ''
     # Configuration best practices

From 71e1684f762845c5efa69033bd0e28c2c39cacea Mon Sep 17 00:00:00 2001
From: Julian Schacher <julian@jsts.xyz>
Date: Wed, 6 Mar 2024 22:50:26 +0100
Subject: [PATCH 026/170] Add a formatter, which can be used by running "nix
 fmt"

Use nixpkgs-fmt because what it does closely aligns to this repos
already established conventions and it doesn't do weird stuff.

Also see:
https://nixos.org/manual/nix/stable/command-ref/new-cli/nix3-fmt.html
https://github.com/nix-community/nixpkgs-fmt
---
 flake.nix | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/flake.nix b/flake.nix
index 63ecb99..8768c79 100644
--- a/flake.nix
+++ b/flake.nix
@@ -220,5 +220,7 @@
         format = "proxmox";
       };
     };
+    
+    formatter.x86_64-linux = nixpkgs.legacyPackages.x86_64-linux.nixpkgs-fmt;
   };
 }

From 1ad6ac9dc0b711a1169a1bea56f86140c4362542 Mon Sep 17 00:00:00 2001
From: Julian Schacher <julian@jsts.xyz>
Date: Wed, 6 Mar 2024 22:50:32 +0100
Subject: [PATCH 027/170] Run "nix fmt" to format this entire flake

---
 config/common/nix.nix                        |   2 +-
 config/common/users.nix                      |  34 +-
 config/hosts/esphome/nginx.nix               |   2 +-
 config/hosts/matrix/matrix-synapse.nix       |   2 +-
 config/hosts/matrix/nginx.nix                |   2 +-
 config/hosts/matrix/postgresql.nix           |   2 +-
 config/hosts/public-web-static/spaceapid.nix |   2 +-
 flake.nix                                    | 315 ++++++++++---------
 8 files changed, 181 insertions(+), 180 deletions(-)

diff --git a/config/common/nix.nix b/config/common/nix.nix
index f19f681..1b253d6 100644
--- a/config/common/nix.nix
+++ b/config/common/nix.nix
@@ -1,4 +1,4 @@
-{ ... }: 
+{ ... }:
 
 {
   nix = {
diff --git a/config/common/users.nix b/config/common/users.nix
index 06170bc..c36e20a 100644
--- a/config/common/users.nix
+++ b/config/common/users.nix
@@ -16,24 +16,24 @@ let
   };
   authorizedKeys = builtins.filter (item: item != "") (lib.strings.splitString "\n" (builtins.readFile "${authorizedKeysRepo}/authorized_keys"));
 in
-  {
-    users.mutableUsers = false;
+{
+  users.mutableUsers = false;
 
-    users.users.chaos = {
-      isNormalUser = true;
-      description = "Chaos";
-      extraGroups = [ "wheel" ];
-      openssh.authorizedKeys.keys = authorizedKeys;
-    };
+  users.users.chaos = {
+    isNormalUser = true;
+    description = "Chaos";
+    extraGroups = [ "wheel" ];
+    openssh.authorizedKeys.keys = authorizedKeys;
+  };
 
-    users.users.colmena-deploy = {
-      isNormalUser = true;
-      extraGroups = [ "wheel" ];
-      openssh.authorizedKeys.keys = authorizedKeys;
-    };
+  users.users.colmena-deploy = {
+    isNormalUser = true;
+    extraGroups = [ "wheel" ];
+    openssh.authorizedKeys.keys = authorizedKeys;
+  };
 
-    nix.settings.trusted-users = [ "colmena-deploy" ];
+  nix.settings.trusted-users = [ "colmena-deploy" ];
 
-    # Since our user doesn't have a password, allow passwordless sudo for wheel.
-    security.sudo.wheelNeedsPassword = false;
-  }
+  # Since our user doesn't have a password, allow passwordless sudo for wheel.
+  security.sudo.wheelNeedsPassword = false;
+}
diff --git a/config/hosts/esphome/nginx.nix b/config/hosts/esphome/nginx.nix
index ed93972..3c5cfb9 100644
--- a/config/hosts/esphome/nginx.nix
+++ b/config/hosts/esphome/nginx.nix
@@ -40,6 +40,6 @@
 
     };
   };
-  
+
   networking.firewall.allowedTCPPorts = [ 80 443 31820 ];
 }
diff --git a/config/hosts/matrix/matrix-synapse.nix b/config/hosts/matrix/matrix-synapse.nix
index e574a59..bcc097d 100644
--- a/config/hosts/matrix/matrix-synapse.nix
+++ b/config/hosts/matrix/matrix-synapse.nix
@@ -39,7 +39,7 @@
 
       media_store_path = "/mnt/data/synapse_media_store";
       max_upload_size = "500M";
-      
+
       admin_contact = "mailto:yuri+ccchh@nekover.se";
     };
 
diff --git a/config/hosts/matrix/nginx.nix b/config/hosts/matrix/nginx.nix
index 03dba97..74d4291 100644
--- a/config/hosts/matrix/nginx.nix
+++ b/config/hosts/matrix/nginx.nix
@@ -60,6 +60,6 @@
       '';
     };
   };
-  
+
   networking.firewall.allowedTCPPorts = [ 8443 8448 31820 ];
 }
diff --git a/config/hosts/matrix/postgresql.nix b/config/hosts/matrix/postgresql.nix
index a241efd..62b600e 100644
--- a/config/hosts/matrix/postgresql.nix
+++ b/config/hosts/matrix/postgresql.nix
@@ -4,7 +4,7 @@
   services.postgresql = {
     enable = true;
     package = pkgs.postgresql_15;
-    
+
     initialScript = pkgs.writeText "synapse-init.sql" ''
       CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';
       CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
diff --git a/config/hosts/public-web-static/spaceapid.nix b/config/hosts/public-web-static/spaceapid.nix
index 8c9cb87..d2a25b6 100644
--- a/config/hosts/public-web-static/spaceapid.nix
+++ b/config/hosts/public-web-static/spaceapid.nix
@@ -11,7 +11,7 @@ let
     version = "main";
 
     src = spaceapidSrc;
-    
+
     ldflags = [
       "-X main.version=${version}-${spaceapidSrc.rev}"
     ];
diff --git a/flake.nix b/flake.nix
index 8768c79..f66397d 100644
--- a/flake.nix
+++ b/flake.nix
@@ -58,169 +58,170 @@
         });
       };
       pkgs-unstable = nixpkgs-unstable.legacyPackages."x86_64-linux";
-    in {
-    colmena = {
-      meta = {
-        nixpkgs = nixpkgs.legacyPackages."x86_64-linux";
-        nodeNixpkgs = {
-          audio-hauptraum-kueche = nixpkgs-unstable.legacyPackages."x86_64-linux".extend shairportSync431ExtendedNixpkgsUnstableOverlay;
-          audio-hauptraum-tafel = nixpkgs-unstable.legacyPackages."x86_64-linux".extend shairportSync431ExtendedNixpkgsUnstableOverlay;
+    in
+    {
+      colmena = {
+        meta = {
+          nixpkgs = nixpkgs.legacyPackages."x86_64-linux";
+          nodeNixpkgs = {
+            audio-hauptraum-kueche = nixpkgs-unstable.legacyPackages."x86_64-linux".extend shairportSync431ExtendedNixpkgsUnstableOverlay;
+            audio-hauptraum-tafel = nixpkgs-unstable.legacyPackages."x86_64-linux".extend shairportSync431ExtendedNixpkgsUnstableOverlay;
+          };
+          nodeSpecialArgs = {
+            git = { inherit pkgs-unstable; };
+          };
         };
-        nodeSpecialArgs = {
-          git = { inherit pkgs-unstable; };
+
+        audio-hauptraum-kueche = {
+          deployment = {
+            targetHost = "audio-hauptraum-kueche.z9.ccchh.net";
+            targetPort = 22;
+            targetUser = "colmena-deploy";
+            tags = [ "thinkcccluster" ];
+          };
+          imports = [
+            ./config/common
+            ./config/proxmox-vm
+            ./config/hosts/audio-hauptraum-kueche
+          ];
+        };
+
+        audio-hauptraum-tafel = {
+          deployment = {
+            targetHost = "audio-hauptraum-tafel.z9.ccchh.net";
+            targetPort = 22;
+            targetUser = "colmena-deploy";
+            tags = [ "thinkcccluster" ];
+          };
+          imports = [
+            ./config/common
+            ./config/proxmox-vm
+            ./config/hosts/audio-hauptraum-tafel
+          ];
+        };
+
+        esphome = {
+          deployment = {
+            targetHost = "esphome.z9.ccchh.net";
+            targetPort = 22;
+            targetUser = "colmena-deploy";
+            tags = [ "thinkcccluster" ];
+          };
+          imports = [
+            ./config/common
+            ./config/proxmox-vm
+            ./config/hosts/esphome
+          ];
+        };
+
+        public-reverse-proxy = {
+          deployment = {
+            targetHost = "public-reverse-proxy.z9.ccchh.net";
+            targetPort = 22;
+            targetUser = "colmena-deploy";
+            tags = [ "thinkcccluster" ];
+          };
+          imports = [
+            ./config/common
+            ./config/proxmox-vm
+            ./config/hosts/public-reverse-proxy
+          ];
+        };
+
+        netbox = {
+          deployment = {
+            targetHost = "netbox-intern.hamburg.ccc.de";
+            targetPort = 22;
+            targetUser = "colmena-deploy";
+            tags = [ "chaosknoten" ];
+          };
+          imports = [
+            ./config/common
+            ./config/proxmox-vm
+            ./config/hosts/netbox
+          ];
+        };
+
+        matrix = {
+          deployment = {
+            targetHost = "matrix-intern.hamburg.ccc.de";
+            targetPort = 22;
+            targetUser = "colmena-deploy";
+            tags = [ "chaosknoten" ];
+          };
+          imports = [
+            ./config/common
+            ./config/proxmox-vm
+            ./config/hosts/matrix
+          ];
+        };
+
+        public-web-static = {
+          deployment = {
+            targetHost = "public-web-static-intern.hamburg.ccc.de";
+            targetPort = 22;
+            targetUser = "colmena-deploy";
+            tags = [ "chaosknoten" ];
+          };
+          imports = [
+            ./config/common
+            ./config/proxmox-vm
+            ./config/hosts/public-web-static
+          ];
+        };
+
+        git = {
+          deployment = {
+            targetHost = "git.hamburg.ccc.de";
+            targetPort = 22;
+            targetUser = "colmena-deploy";
+            tags = [ "chaosknoten" ];
+          };
+          imports = [
+            ./config/common
+            ./config/proxmox-vm
+            ./config/hosts/git
+          ];
+        };
+
+        forgejo-actions-runner = {
+          deployment = {
+            targetHost = "forgejo-actions-runner-intern.hamburg.ccc.de";
+            targetPort = 22;
+            targetUser = "colmena-deploy";
+            tags = [ "chaosknoten" ];
+          };
+          imports = [
+            ./config/common
+            ./config/proxmox-vm
+            ./config/hosts/forgejo-actions-runner
+          ];
         };
       };
 
-      audio-hauptraum-kueche = {
-        deployment = {
-          targetHost = "audio-hauptraum-kueche.z9.ccchh.net";
-          targetPort = 22;
-          targetUser = "colmena-deploy";
-          tags = [ "thinkcccluster" ];
+      packages.x86_64-linux = {
+        proxmox-nixos-template = nixos-generators.nixosGenerate {
+          system = "x86_64-linux";
+          modules = [
+            ./config/nixos-generators/proxmox.nix
+            ./config/common
+            ./config/proxmox-vm
+          ];
+          format = "proxmox";
+        };
+
+        proxmox-chaosknoten-nixos-template = nixos-generators.nixosGenerate {
+          system = "x86_64-linux";
+          modules = [
+            ./config/nixos-generators/proxmox-chaosknoten.nix
+            ./config/proxmox-chaosknoten-additional-initial-config.nix
+            ./config/common
+            ./config/proxmox-vm
+          ];
+          format = "proxmox";
         };
-        imports = [ 
-          ./config/common
-          ./config/proxmox-vm
-          ./config/hosts/audio-hauptraum-kueche
-        ];
       };
 
-      audio-hauptraum-tafel = {
-        deployment = {
-          targetHost = "audio-hauptraum-tafel.z9.ccchh.net";
-          targetPort = 22;
-          targetUser = "colmena-deploy";
-          tags = [ "thinkcccluster" ];
-        };
-        imports = [ 
-          ./config/common
-          ./config/proxmox-vm
-          ./config/hosts/audio-hauptraum-tafel
-        ];
-      };
-
-      esphome = {
-        deployment = {
-          targetHost = "esphome.z9.ccchh.net";
-          targetPort = 22;
-          targetUser = "colmena-deploy";
-          tags = [ "thinkcccluster" ];
-        };
-        imports = [ 
-          ./config/common
-          ./config/proxmox-vm
-          ./config/hosts/esphome
-        ];
-      };
-
-      public-reverse-proxy = {
-        deployment = {
-          targetHost = "public-reverse-proxy.z9.ccchh.net";
-          targetPort = 22;
-          targetUser = "colmena-deploy";
-          tags = [ "thinkcccluster" ];
-        };
-        imports = [ 
-          ./config/common
-          ./config/proxmox-vm
-          ./config/hosts/public-reverse-proxy
-        ];
-      };
-
-      netbox = {
-        deployment = {
-          targetHost = "netbox-intern.hamburg.ccc.de";
-          targetPort = 22;
-          targetUser = "colmena-deploy";
-          tags = [ "chaosknoten" ];
-        };
-        imports = [ 
-          ./config/common
-          ./config/proxmox-vm
-          ./config/hosts/netbox
-        ];
-      };
-
-      matrix = {
-        deployment = {
-          targetHost = "matrix-intern.hamburg.ccc.de";
-          targetPort = 22;
-          targetUser = "colmena-deploy";
-          tags = [ "chaosknoten" ];
-        };
-        imports = [ 
-          ./config/common
-          ./config/proxmox-vm
-          ./config/hosts/matrix
-        ];
-      };
-
-      public-web-static = {
-        deployment = {
-          targetHost = "public-web-static-intern.hamburg.ccc.de";
-          targetPort = 22;
-          targetUser = "colmena-deploy";
-          tags = [ "chaosknoten" ];
-        };
-        imports = [
-          ./config/common
-          ./config/proxmox-vm
-          ./config/hosts/public-web-static
-        ];
-      };
-
-      git = {
-        deployment = {
-          targetHost = "git.hamburg.ccc.de";
-          targetPort = 22;
-          targetUser = "colmena-deploy";
-          tags = [ "chaosknoten" ];
-        };
-        imports = [
-          ./config/common
-          ./config/proxmox-vm
-          ./config/hosts/git
-        ];
-      };
-
-      forgejo-actions-runner = {
-        deployment = {
-          targetHost = "forgejo-actions-runner-intern.hamburg.ccc.de";
-          targetPort = 22;
-          targetUser = "colmena-deploy";
-          tags = [ "chaosknoten" ];
-        };
-        imports = [
-          ./config/common
-          ./config/proxmox-vm
-          ./config/hosts/forgejo-actions-runner
-        ];
-      };
+      formatter.x86_64-linux = nixpkgs.legacyPackages.x86_64-linux.nixpkgs-fmt;
     };
-
-    packages.x86_64-linux = {
-      proxmox-nixos-template = nixos-generators.nixosGenerate {
-        system = "x86_64-linux";
-        modules = [
-          ./config/nixos-generators/proxmox.nix
-          ./config/common
-          ./config/proxmox-vm
-        ];
-        format = "proxmox";
-      };
-
-      proxmox-chaosknoten-nixos-template = nixos-generators.nixosGenerate {
-        system = "x86_64-linux";
-        modules = [
-          ./config/nixos-generators/proxmox-chaosknoten.nix
-          ./config/proxmox-chaosknoten-additional-initial-config.nix
-          ./config/common
-          ./config/proxmox-vm
-        ];
-        format = "proxmox";
-      };
-    };
-    
-    formatter.x86_64-linux = nixpkgs.legacyPackages.x86_64-linux.nixpkgs-fmt;
-  };
 }

From fc5b5bb9b71bd67f6f063cf8ab8c3972f69d03ad Mon Sep 17 00:00:00 2001
From: Julian Schacher <julian@jsts.xyz>
Date: Sun, 10 Mar 2024 03:58:41 +0100
Subject: [PATCH 028/170] flake.lock: Update
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Flake lock file updates:

• Updated input 'nixos-generators':
    'github:nix-community/nixos-generators/f4631dee1a0fd56c0db89860e83e3588a28c7631' (2024-02-22)
  → 'github:nix-community/nixos-generators/bef32a05496d9480b02be586fa7827748b9e597b' (2024-03-08)
• Updated input 'nixos-generators/nixlib':
    'github:nix-community/nixpkgs.lib/e623008d8a46517470e6365505f1a3ce171fa46a' (2024-02-18)
  → 'github:nix-community/nixpkgs.lib/7873d84a89ae6e4841528ff7f5697ddcb5bdfe6c' (2024-03-03)
• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/79032939bc8d409bcc16121c4ad694ca862895e4' (2024-02-24)
  → 'github:nixos/nixpkgs/fcaa81ed3c273237217330cf342ef1873b77c80a' (2024-03-09)
• Updated input 'nixpkgs-unstable':
    'github:nixos/nixpkgs/5ab08ad057499977d489f1b378e79d166a684e6c' (2024-02-24)
  → 'github:nixos/nixpkgs/e389a1133d14925b942e0ad76ce75f32637db20d' (2024-03-09)
---
 flake.lock | 24 ++++++++++++------------
 1 file changed, 12 insertions(+), 12 deletions(-)

diff --git a/flake.lock b/flake.lock
index da0b6f6..50f72f6 100644
--- a/flake.lock
+++ b/flake.lock
@@ -2,11 +2,11 @@
   "nodes": {
     "nixlib": {
       "locked": {
-        "lastModified": 1708217146,
-        "narHash": "sha256-nGfEv7k78slqIR5E0zzWSx214d/4/ZPKDkObLJqVLVw=",
+        "lastModified": 1709426687,
+        "narHash": "sha256-jLBZmwXf0WYHzLkmEMq33bqhX55YtT5edvluFr0RcSA=",
         "owner": "nix-community",
         "repo": "nixpkgs.lib",
-        "rev": "e623008d8a46517470e6365505f1a3ce171fa46a",
+        "rev": "7873d84a89ae6e4841528ff7f5697ddcb5bdfe6c",
         "type": "github"
       },
       "original": {
@@ -23,11 +23,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1708563055,
-        "narHash": "sha256-FaojUZNu+YPFi3eCI7mL4kxPKQ51DoySa7mqmllUOuc=",
+        "lastModified": 1709887845,
+        "narHash": "sha256-803UIoB8+vGkm/VK/g55aBAAOf/ncTGvxXyjTF4ydm0=",
         "owner": "nix-community",
         "repo": "nixos-generators",
-        "rev": "f4631dee1a0fd56c0db89860e83e3588a28c7631",
+        "rev": "bef32a05496d9480b02be586fa7827748b9e597b",
         "type": "github"
       },
       "original": {
@@ -38,11 +38,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1708760845,
-        "narHash": "sha256-xkSxjVuYLQGvteX4CCuC4c5daBwMKIDAvp0Mvvg2spE=",
+        "lastModified": 1709953752,
+        "narHash": "sha256-LW84B4vM1cn7E6cDNQn2LndT9iJXI1dRE5fwbNFbQa8=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "79032939bc8d409bcc16121c4ad694ca862895e4",
+        "rev": "fcaa81ed3c273237217330cf342ef1873b77c80a",
         "type": "github"
       },
       "original": {
@@ -54,11 +54,11 @@
     },
     "nixpkgs-unstable": {
       "locked": {
-        "lastModified": 1708765437,
-        "narHash": "sha256-pFAbQn7RR2lMRpyNhyAogUp7c4reB4uM4fnnbIvUw4k=",
+        "lastModified": 1709987164,
+        "narHash": "sha256-W3KoCToX0gnwpZARkRteYd8Ns0Kie3C4u057YepUP5I=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "5ab08ad057499977d489f1b378e79d166a684e6c",
+        "rev": "e389a1133d14925b942e0ad76ce75f32637db20d",
         "type": "github"
       },
       "original": {

From 6a0218c132b0bb92c241461c647491655199e199 Mon Sep 17 00:00:00 2001
From: c6ristian <c6ristian@christian.moe>
Date: Mon, 19 Feb 2024 00:28:51 +0100
Subject: [PATCH 029/170] Serve old easterhegg pages from public-web-static.

The old easterhegg pages from 2003, 2005, 2007, 2009, 2011 are served on the
easterhegg.eu domain and all old subdomains under hamburg.ccc.de
redirect to the corresponding pages under easterhegg.eu
---
 .../virtualHosts/default.nix                  |   1 +
 .../historic-easterhegg/default.nix           |  11 ++
 .../virtualHosts/historic-easterhegg/eh03.nix | 101 +++++++++++++++++
 .../virtualHosts/historic-easterhegg/eh05.nix | 100 +++++++++++++++++
 .../virtualHosts/historic-easterhegg/eh07.nix | 106 ++++++++++++++++++
 .../virtualHosts/historic-easterhegg/eh09.nix | 105 +++++++++++++++++
 .../virtualHosts/historic-easterhegg/eh11.nix | 106 ++++++++++++++++++
 7 files changed, 530 insertions(+)
 create mode 100644 config/hosts/public-web-static/virtualHosts/historic-easterhegg/default.nix
 create mode 100644 config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh03.nix
 create mode 100644 config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh05.nix
 create mode 100644 config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh07.nix
 create mode 100644 config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh09.nix
 create mode 100644 config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh11.nix

diff --git a/config/hosts/public-web-static/virtualHosts/default.nix b/config/hosts/public-web-static/virtualHosts/default.nix
index e22165f..3678a96 100644
--- a/config/hosts/public-web-static/virtualHosts/default.nix
+++ b/config/hosts/public-web-static/virtualHosts/default.nix
@@ -9,5 +9,6 @@
     ./spaceapi.hamburg.ccc.de.nix
     ./staging.hamburg.ccc.de.nix
     ./www.hamburg.ccc.de.nix
+    ./historic-easterhegg
   ];
 }
diff --git a/config/hosts/public-web-static/virtualHosts/historic-easterhegg/default.nix b/config/hosts/public-web-static/virtualHosts/historic-easterhegg/default.nix
new file mode 100644
index 0000000..f9805cf
--- /dev/null
+++ b/config/hosts/public-web-static/virtualHosts/historic-easterhegg/default.nix
@@ -0,0 +1,11 @@
+{...}:
+
+{
+  imports = [
+    ./eh03.nix
+    ./eh05.nix
+    ./eh07.nix
+    ./eh09.nix
+    ./eh11.nix
+  ];
+}
\ No newline at end of file
diff --git a/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh03.nix b/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh03.nix
new file mode 100644
index 0000000..60d4f21
--- /dev/null
+++ b/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh03.nix
@@ -0,0 +1,101 @@
+{ pkgs, ... }:
+
+let
+  eh03 = pkgs.fetchgit {
+    url = "https://git.hamburg.ccc.de/CCCHH/easterhegg-2003-website.git";
+    rev = "74977c56486cd060566bf06678a936e801952f9e";
+    hash = "sha256-ded/NO+Jex2Sa4yWAIRpqANsv8i0vKmJSkM5r9KxaVk=";
+  };
+in 
+{
+  security.acme.certs."eh03.easterhegg.eu".extraDomainNames = [
+    "eh2003.hamburg.ccc.de"
+    "www.eh2003.hamburg.ccc.de"
+    "easterhegg2003.hamburg.ccc.de"
+    "www.easterhegg2003.hamburg.ccc.de"
+  ];
+
+  services.nginx.virtualHosts = {
+    "acme-eh03.easterhegg.eu" = {
+      enableACME = true;
+      serverName = "eh03.easterhegg.eu";
+      serverAliases = [
+        "eh2003.hamburg.ccc.de"
+        "www.eh2003.hamburg.ccc.de"
+        "easterhegg2003.hamburg.ccc.de"
+        "www.easterhegg2003.hamburg.ccc.de"
+      ];
+      listen = [{
+        addr = "0.0.0.0";
+        port = 31820;
+      }];
+    };
+
+    "easterhegg2003.hamburg.ccc.de" = {
+      forceSSL = true;
+      useACMEHost = "eh03.easterhegg.eu";
+      serverAliases = [
+        "eh2003.hamburg.ccc.de"
+        "www.eh2003.hamburg.ccc.de"
+        "www.easterhegg2003.hamburg.ccc.de"
+      ];
+
+      listen = [{
+        addr = "0.0.0.0";
+        port = 8443;
+        ssl = true;
+        proxyProtocol = true;
+      }];
+
+      locations."/".return = "302 https://eh03.easterhegg.eu";
+      
+      extraConfig = ''
+        # Make use of the ngx_http_realip_module to set the $remote_addr and
+        # $remote_port to the client address and client port, when using proxy
+        # protocol.
+        # First set our proxy protocol proxy as trusted.
+        set_real_ip_from 172.31.17.140;
+        # Then tell the realip_module to get the addreses from the proxy protocol
+        # header.
+        real_ip_header proxy_protocol;
+      '';
+    };
+
+    "eh03.easterhegg.eu" = {
+      forceSSL = true;
+      useACMEHost = "eh03.easterhegg.eu";
+
+      listen = [{
+        addr = "0.0.0.0";
+        port = 8443;
+        ssl = true;
+        proxyProtocol = true;
+      }];
+
+      locations."/" = {
+        index = "index.html";
+        root = eh03;
+        extraConfig = ''
+          # Set default_type to html 
+          default_type text/html;
+          # Enable SSI
+          ssi on;
+        '';
+      };
+
+      extraConfig = ''
+        set $chosen_lang "de";
+        # Make use of the ngx_http_realip_module to set the $remote_addr and
+        # $remote_port to the client address and client port, when using proxy
+        # protocol.
+        # First set our proxy protocol proxy as trusted.
+        set_real_ip_from 172.31.17.140;
+        # Then tell the realip_module to get the addreses from the proxy protocol
+        # header.
+        real_ip_header proxy_protocol;
+        # Enable SSI
+        ssi on;
+      '';
+    };
+  };
+}
diff --git a/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh05.nix b/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh05.nix
new file mode 100644
index 0000000..7651666
--- /dev/null
+++ b/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh05.nix
@@ -0,0 +1,100 @@
+{ pkgs, ... }:
+
+let
+  eh05 = pkgs.fetchgit {
+    url = "https://git.hamburg.ccc.de/CCCHH/easterhegg-2005-website.git";
+    rev = "f1455aee35b6462ab5c46f3d52c47e0b200c1315";
+    hash = "sha256-lA4fxO05K39nosSYNfKUtSCrK+dja1yWKILqRklSNy8=";
+  };
+in
+{
+  security.acme.certs."eh05.easterhegg.eu".extraDomainNames = [
+    "eh2005.hamburg.ccc.de"
+    "www.eh2005.hamburg.ccc.de"
+    "easterhegg2005.hamburg.ccc.de"
+    "www.easterhegg2005.hamburg.ccc.de"
+  ];
+
+  services.nginx.virtualHosts = {
+    "acme-eh05.easterhegg.eu" = {
+      enableACME = true;
+      serverName = "eh05.easterhegg.eu";
+      serverAliases = [
+        "eh2005.hamburg.ccc.de"
+        "www.eh2005.hamburg.ccc.de"
+        "easterhegg2005.hamburg.ccc.de"
+        "www.easterhegg2005.hamburg.ccc.de"
+      ];
+      listen = [{
+        addr = "0.0.0.0";
+        port = 31820;
+      }];
+    };
+
+    "easterhegg2005.hamburg.ccc.de" = {
+      forceSSL = true;
+      useACMEHost = "eh05.easterhegg.eu";
+      serverAliases = [
+        "eh2005.hamburg.ccc.de"
+        "www.eh2005.hamburg.ccc.de"
+        "www.easterhegg2005.hamburg.ccc.de"
+      ];
+
+      listen = [{
+        addr = "0.0.0.0";
+        port = 8443;
+        ssl = true;
+        proxyProtocol = true;
+      }];
+
+      locations."/".return = "302 https://eh05.easterhegg.eu";
+      
+      extraConfig = ''
+        # Make use of the ngx_http_realip_module to set the $remote_addr and
+        # $remote_port to the client address and client port, when using proxy
+        # protocol.
+        # First set our proxy protocol proxy as trusted.
+        set_real_ip_from 172.31.17.140;
+        # Then tell the realip_module to get the addreses from the proxy protocol
+        # header.
+        real_ip_header proxy_protocol;
+      '';
+    };
+    
+    "eh05.easterhegg.eu" = {
+      forceSSL = true;
+      useACMEHost = "eh05.easterhegg.eu";
+
+      listen = [{
+        addr = "0.0.0.0";
+        port = 8443;
+        ssl = true;
+        proxyProtocol = true;
+      }];
+      
+      locations."/" = {
+        index = "index.shtml";
+        root = eh05;
+        extraConfig = ''
+          # Set default_type to html 
+          default_type text/html;
+          # Enable SSI
+          ssi on;
+        ''; 
+      };
+
+      extraConfig = ''
+        # Make use of the ngx_http_realip_module to set the $remote_addr and
+        # $remote_port to the client address and client port, when using proxy
+        # protocol.
+        # First set our proxy protocol proxy as trusted.
+        set_real_ip_from 172.31.17.140;
+        # Then tell the realip_module to get the addreses from the proxy protocol
+        # header.
+        real_ip_header proxy_protocol;
+        # Enable SSI
+        ssi on;
+      '';
+    };
+  };
+}
diff --git a/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh07.nix b/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh07.nix
new file mode 100644
index 0000000..40fe480
--- /dev/null
+++ b/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh07.nix
@@ -0,0 +1,106 @@
+{ pkgs, ... }:
+
+let
+  eh07 = pkgs.fetchgit {
+    url = "https://git.hamburg.ccc.de/CCCHH/easterhegg-2007-website.git";
+    rev = "0bb06fd2654814ddda28469a1bf9e50a9814dd9a";
+    hash = "sha256-jMpDxgxbL3ipG3HLJo0ISTdWfYYrd2EfwpmoiWV0qCM=";
+  };
+in
+{
+  security.acme.certs."eh07.easterhegg.eu".extraDomainNames = [
+    "eh2007.hamburg.ccc.de"
+    "www.eh2007.hamburg.ccc.de"
+    "eh07.hamburg.ccc.de"
+    "www.eh07.hamburg.ccc.de"
+    "easterhegg2007.hamburg.ccc.de"
+    "www.easterhegg2007.hamburg.ccc.de"
+  ];
+
+  services.nginx.virtualHosts = {
+    "acme-eh07.easterhegg.eu" = {
+      enableACME = true;
+      serverName = "eh07.easterhegg.eu";
+      serverAliases = [
+        "eh2007.hamburg.ccc.de"
+        "www.eh2007.hamburg.ccc.de"
+        "eh07.hamburg.ccc.de"
+        "www.eh07.hamburg.ccc.de"
+        "easterhegg2007.hamburg.ccc.de"
+        "www.easterhegg2007.hamburg.ccc.de"
+      ];
+      listen = [{
+        addr = "0.0.0.0";
+        port = 31820;
+      }];
+    };
+
+    "easterhegg2007.hamburg.ccc.de" = {
+      forceSSL = true;
+      useACMEHost = "eh07.easterhegg.eu";
+      serverAliases = [
+        "eh2007.hamburg.ccc.de"
+        "www.eh2007.hamburg.ccc.de"
+        "eh07.hamburg.ccc.de"
+        "www.eh07.hamburg.ccc.de"
+        "www.easterhegg2007.hamburg.ccc.de"
+      ];
+
+      listen = [{
+        addr = "0.0.0.0";
+        port = 8443;
+        ssl = true;
+        proxyProtocol = true;
+      }];
+
+      locations."/".return = "302 https://eh07.easterhegg.eu";
+      
+      extraConfig = ''
+        # Make use of the ngx_http_realip_module to set the $remote_addr and
+        # $remote_port to the client address and client port, when using proxy
+        # protocol.
+        # First set our proxy protocol proxy as trusted.
+        set_real_ip_from 172.31.17.140;
+        # Then tell the realip_module to get the addreses from the proxy protocol
+        # header.
+        real_ip_header proxy_protocol;
+      '';
+    };
+
+    "eh07.easterhegg.eu" = {
+      forceSSL = true;
+      useACMEHost = "eh07.easterhegg.eu";
+
+      listen = [{
+        addr = "0.0.0.0";
+        port = 8443;
+        ssl = true;
+        proxyProtocol = true;
+      }];
+
+      locations."/" = {
+        index = "index.shtml";
+        root = eh07;
+        extraConfig = ''
+          # Set default_type to html 
+          default_type text/html;
+          # Enable SSI
+          ssi on;
+        ''; 
+      };
+
+      extraConfig = ''
+        # Make use of the ngx_http_realip_module to set the $remote_addr and
+        # $remote_port to the client address and client port, when using proxy
+        # protocol.
+        # First set our proxy protocol proxy as trusted.
+        set_real_ip_from 172.31.17.140;
+        # Then tell the realip_module to get the addreses from the proxy protocol
+        # header.
+        real_ip_header proxy_protocol;
+        # Enable SSI
+        ssi on;
+      '';
+    };
+  };
+}
diff --git a/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh09.nix b/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh09.nix
new file mode 100644
index 0000000..f7416ed
--- /dev/null
+++ b/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh09.nix
@@ -0,0 +1,105 @@
+{ pkgs, ... }:
+
+let
+  eh09 = pkgs.fetchgit {
+    url = "https://git.hamburg.ccc.de/CCCHH/easterhegg-2009-website.git";
+    rev = "6d4a50c5ab23870072f0b33dd0171b0c56d6cab5";
+    hash = "sha256-kPJOrKseJD/scRxhYFa249DT1cYmeCjnK50Bt0IJZK8=";
+  };
+in
+{
+  security.acme.certs."eh09.easterhegg.eu".extraDomainNames = [
+    "eh2009.hamburg.ccc.de"
+    "www.eh2009.hamburg.ccc.de"
+    "eh09.hamburg.ccc.de"
+    "www.eh09.hamburg.ccc.de"
+    "easterhegg2009.hamburg.ccc.de"
+    "www.easterhegg2009.hamburg.ccc.de"
+  ];
+
+  services.nginx.virtualHosts = {
+    "acme-eh09.easterhegg.eu" = {
+      enableACME = true;
+      serverName = "eh09.easterhegg.eu";
+      serverAliases = [
+        "eh2009.hamburg.ccc.de"
+        "www.eh2009.hamburg.ccc.de"
+        "eh09.hamburg.ccc.de"
+        "www.eh09.hamburg.ccc.de"
+        "easterhegg2009.hamburg.ccc.de"
+        "www.easterhegg2009.hamburg.ccc.de"
+      ];
+      listen = [{
+        addr = "0.0.0.0";
+        port = 31820;
+      }];
+    };
+
+    "easterhegg2009.hamburg.ccc.de" = {
+      forceSSL = true;
+      useACMEHost = "eh09.easterhegg.eu";
+      serverAliases = [
+        "eh2009.hamburg.ccc.de"
+        "www.eh2009.hamburg.ccc.de"
+        "eh09.hamburg.ccc.de"
+        "www.eh09.hamburg.ccc.de"
+        "www.easterhegg2009.hamburg.ccc.de"
+      ];
+
+      listen = [{
+        addr = "0.0.0.0";
+        port = 8443;
+        ssl = true;
+        proxyProtocol = true;
+      }];
+
+      locations."/".return = "302 https://eh09.easterhegg.eu";
+      
+      extraConfig = ''
+        # Make use of the ngx_http_realip_module to set the $remote_addr and
+        # $remote_port to the client address and client port, when using proxy
+        # protocol.
+        # First set our proxy protocol proxy as trusted.
+        set_real_ip_from 172.31.17.140;
+        # Then tell the realip_module to get the addreses from the proxy protocol
+        # header.
+        real_ip_header proxy_protocol;
+      '';
+    };
+
+    "eh09.easterhegg.eu" = {
+      forceSSL = true;
+      useACMEHost = "eh09.easterhegg.eu";
+
+      listen = [{
+        addr = "0.0.0.0";
+        port = 8443;
+        ssl = true;
+        proxyProtocol = true;
+      }];
+
+      locations."/" = {
+        index = "index.shtml";
+        root = eh09;
+        extraConfig = ''
+          # Set default_type to html 
+          default_type text/html;
+          # Enable SSI
+          ssi on;
+        ''; 
+      };
+      extraConfig = ''
+        # Make use of the ngx_http_realip_module to set the $remote_addr and
+        # $remote_port to the client address and client port, when using proxy
+        # protocol.
+        # First set our proxy protocol proxy as trusted.
+        set_real_ip_from 172.31.17.140;
+        # Then tell the realip_module to get the addreses from the proxy protocol
+        # header.
+        real_ip_header proxy_protocol;
+        # Enable SSI
+        ssi on;
+      '';
+    };
+  };
+}
diff --git a/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh11.nix b/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh11.nix
new file mode 100644
index 0000000..c409641
--- /dev/null
+++ b/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh11.nix
@@ -0,0 +1,106 @@
+{ pkgs, ... }:
+
+let
+  eh11 = pkgs.fetchgit {
+    url = "https://git.hamburg.ccc.de/CCCHH/easterhegg-2011-website.git";
+    rev = "c20540af71d4a0bd1fa12f49962b92d04293415b";
+    hash = "sha256-9hhtfU8fp2HOThcyQ4R7kuGQBjZktqMtiiYQhOas2QA=";
+  };
+in
+{
+  security.acme.certs."eh11.easterhegg.eu".extraDomainNames = [
+    "eh2011.hamburg.ccc.de"
+    "www.eh2011.hamburg.ccc.de"
+    "eh11.hamburg.ccc.de"
+    "www.eh11.hamburg.ccc.de"
+    "easterhegg2011.hamburg.ccc.de"
+    "www.easterhegg2011.hamburg.ccc.de"
+  ];
+
+  services.nginx.virtualHosts = {
+    "acme-eh11.easterhegg.eu" = {
+      enableACME = true;
+      serverName = "eh11.easterhegg.eu";
+      serverAliases = [
+        "eh2011.hamburg.ccc.de"
+        "www.eh2011.hamburg.ccc.de"
+        "eh11.hamburg.ccc.de"
+        "www.eh11.hamburg.ccc.de"
+        "easterhegg2011.hamburg.ccc.de"
+        "www.easterhegg2011.hamburg.ccc.de"
+      ];
+      listen = [{
+        addr = "0.0.0.0";
+        port = 31820;
+      }];
+    };
+
+    "easterhegg2011.hamburg.ccc.de" = {
+      forceSSL = true;
+      useACMEHost = "eh11.easterhegg.eu";
+      serverAliases = [
+        "eh2011.hamburg.ccc.de"
+        "www.eh2011.hamburg.ccc.de"
+        "eh11.hamburg.ccc.de"
+        "www.eh11.hamburg.ccc.de"
+        "www.easterhegg2011.hamburg.ccc.de"
+      ];
+
+      listen = [{
+        addr = "0.0.0.0";
+        port = 8443;
+        ssl = true;
+        proxyProtocol = true;
+      }];
+
+      locations."/".return = "302 https://eh11.easterhegg.eu";
+      
+      extraConfig = ''
+        # Make use of the ngx_http_realip_module to set the $remote_addr and
+        # $remote_port to the client address and client port, when using proxy
+        # protocol.
+        # First set our proxy protocol proxy as trusted.
+        set_real_ip_from 172.31.17.140;
+        # Then tell the realip_module to get the addreses from the proxy protocol
+        # header.
+        real_ip_header proxy_protocol;
+      '';
+    };
+
+    "eh11.easterhegg.eu" = {
+      forceSSL = true;
+      useACMEHost = "eh11.easterhegg.eu";
+
+      listen = [{
+        addr = "0.0.0.0";
+        port = 8443;
+        ssl = true;
+        proxyProtocol = true;
+      }];
+
+      locations."/" = {
+        index = "index.shtml";
+        root = eh11;
+        extraConfig = ''
+          # Set default_type to html 
+          default_type text/html;
+          # Enable SSI
+          ssi on;
+        ''; 
+      };
+
+      extraConfig = ''
+        # Make use of the ngx_http_realip_module to set the $remote_addr and
+        # $remote_port to the client address and client port, when using proxy
+        # protocol.
+        # First set our proxy protocol proxy as trusted.
+        set_real_ip_from 172.31.17.140;
+        # Then tell the realip_module to get the addreses from the proxy protocol
+        # header.
+        real_ip_header proxy_protocol;
+        # Enable SSI
+        ssi on;
+      '';
+    };
+  };
+}

From c97f169b776fefad29c5432cc3325e2259896ec0 Mon Sep 17 00:00:00 2001
From: June <june@jsts.xyz>
Date: Sun, 14 Apr 2024 18:46:51 +0200
Subject: [PATCH 030/170] Add print server for label printer to have it easily
 usable via SSH

Add and configure a print server for the Brother P-touch QL 500 label
printer, so that it can be easily used via SSH.

Do the following to make that work:
- Configure the print server host.
- Package printer-driver-ptouch to have a working driver for the label
  printer.
- Configure CUPS.
- Add a script "forcecommand-lpr-wrapper", which works together with the
  ForceCommand sshd_config option and wraps lpr to provide an easy
  interface to use the Brother QL 500 label printer via SSH.
- Add a print user and configure SSH to have the
  "forcecommand-lpr-wrapper" script accessible without a password using
  the print user via SSH.
---
 .../ptouch-print-server/configuration.nix     |   7 ++
 config/hosts/ptouch-print-server/default.nix  |   9 ++
 .../forcecommand-lpr-wrapper.py               |  84 ++++++++++++++
 .../forcecommand-lpr-wrapper/setup.py         |   7 ++
 .../hosts/ptouch-print-server/networking.nix  |  23 ++++
 config/hosts/ptouch-print-server/printing.nix | 104 ++++++++++++++++++
 flake.nix                                     |  14 +++
 7 files changed, 248 insertions(+)
 create mode 100644 config/hosts/ptouch-print-server/configuration.nix
 create mode 100644 config/hosts/ptouch-print-server/default.nix
 create mode 100644 config/hosts/ptouch-print-server/forcecommand-lpr-wrapper/forcecommand-lpr-wrapper.py
 create mode 100644 config/hosts/ptouch-print-server/forcecommand-lpr-wrapper/setup.py
 create mode 100644 config/hosts/ptouch-print-server/networking.nix
 create mode 100644 config/hosts/ptouch-print-server/printing.nix

diff --git a/config/hosts/ptouch-print-server/configuration.nix b/config/hosts/ptouch-print-server/configuration.nix
new file mode 100644
index 0000000..1bb1448
--- /dev/null
+++ b/config/hosts/ptouch-print-server/configuration.nix
@@ -0,0 +1,7 @@
+{ ... }:
+
+{
+  networking.hostName = "ptouch-print-server";
+
+  system.stateVersion = "23.11";
+}
diff --git a/config/hosts/ptouch-print-server/default.nix b/config/hosts/ptouch-print-server/default.nix
new file mode 100644
index 0000000..248bae6
--- /dev/null
+++ b/config/hosts/ptouch-print-server/default.nix
@@ -0,0 +1,9 @@
+{ ... }:
+
+{
+  imports = [
+    ./configuration.nix
+    ./networking.nix
+    ./printing.nix
+  ];
+}
diff --git a/config/hosts/ptouch-print-server/forcecommand-lpr-wrapper/forcecommand-lpr-wrapper.py b/config/hosts/ptouch-print-server/forcecommand-lpr-wrapper/forcecommand-lpr-wrapper.py
new file mode 100644
index 0000000..d42469c
--- /dev/null
+++ b/config/hosts/ptouch-print-server/forcecommand-lpr-wrapper/forcecommand-lpr-wrapper.py
@@ -0,0 +1,84 @@
+#!/usr/bin/env python3
+
+# A script for usage with the ForceCommand sshd_config option.
+# It calls lpr with some standard arguments, but also parses
+# SSH_ORIGINAL_COMMAND to potentially provide a different set of arguments to
+# lpr.
+#
+# This wrapper is written for interacting with the Brother QL 500 label printer.
+#
+# The following options can be provided as an SSH command and this script will
+# then pass them to the lpr call: <MediaType> <PageSize>
+# - MediaType can be one of:
+#   - Labels
+#   - Tape (this is the default)
+# - PageSize can be one of:
+#   - 12mm
+#   - 12mm-circular
+#   - 17x54mm
+#   - 17x87mm
+#   - 23x23mm
+#   - 24mm-circular
+#   - 29mm
+#   - 29x90mm
+#   - 38mm
+#   - 38x90mm
+#   - 50mm
+#   - 54mm
+#   - 58mm-circular
+#   - 62mm
+#   - 62x29mm
+#   - 62x100mm
+#   - Custom.WIDTHxHEIGHT (with WIDTH and HEIGHT needing to be either one to
+#     three digits)
+#   - label-wide (this being a convenience alias for Custom.62x35mm and it also
+#     being the default)
+#   - label-item (this being a convenience alias for 38x90mm)
+# 
+# So using these options in a complete setup would look like this for example:
+# cat label-item.pdf | ssh print@ptouch-print-server.z9.ccchh.net labels label-item
+# This being equivalent to:
+# cat label-item.pdf | ssh print@ptouch-print-server.z9.ccchh.net Labels 38x90mm
+#
+# The options are case-insensitive.
+#
+# The options are derived from: lpoptions -p Brother-QL-500 -l
+
+import os, re, subprocess
+
+mediaType = "Tape"
+pageSize = "Custom.62x35mm"
+
+def parseGivenOptions():
+    givenOptionsString = os.environ["SSH_ORIGINAL_COMMAND"]
+    givenOptionsIterator = iter(givenOptionsString.split(" "))
+
+    givenMediaType = next(givenOptionsIterator, "")
+    givenPageSize = next(givenOptionsIterator, "")
+
+    global mediaType
+    if givenMediaType.lower() == "labels":
+        mediaType = "Labels"
+    elif givenMediaType.lower() == "tape":
+        mediaType = "Tape"
+
+    global pageSize
+    pageSizeRegex = re.compile(r"^((12mm(-circular)?)|(24mm-circular)|(58mm-circular)|(((17x(54|87))|(23x23)|((29|38)(x90)?)|(62x(29|100))|50|54|62)mm))$", re.ASCII | re.IGNORECASE)
+    pageSizeMatch = pageSizeRegex.match(givenPageSize)
+    pageSizeCustomRegex = re.compile(r"^custom\.(\d{1,3})x(\d{1,3})$", re.ASCII | re.IGNORECASE)
+    pageSizeCustomMatch = pageSizeCustomRegex.match(givenPageSize)
+    if givenPageSize.lower() == "label-wide":
+        pageSize = "Custom.62x35mm"
+    elif givenPageSize.lower() == "label-item":
+        pageSize = "38x90mm"
+    elif pageSizeMatch:
+        pageSize = givenPageSize.lower()
+    elif pageSizeCustomMatch:
+        width = pageSizeCustomMatch.group(1)
+        height = pageSizeCustomMatch.group(2)
+        pageSize = "Custom.{}x{}".format(width, height)
+
+if "SSH_ORIGINAL_COMMAND" in os.environ:
+    parseGivenOptions()
+
+subprocess.run(["lpr", "-P", "Brother-QL-500", "-o", "MediaType={}".format(mediaType), "-o", "PageSize={}".format(pageSize)])
diff --git a/config/hosts/ptouch-print-server/forcecommand-lpr-wrapper/setup.py b/config/hosts/ptouch-print-server/forcecommand-lpr-wrapper/setup.py
new file mode 100644
index 0000000..ef2b170
--- /dev/null
+++ b/config/hosts/ptouch-print-server/forcecommand-lpr-wrapper/setup.py
@@ -0,0 +1,7 @@
+from distutils.core import setup
+
+setup(
+    name = "forcecommand-lpr-wrapper",
+    version = "0.0.1",
+    scripts = ["./forcecommand-lpr-wrapper.py"]
+)
diff --git a/config/hosts/ptouch-print-server/networking.nix b/config/hosts/ptouch-print-server/networking.nix
new file mode 100644
index 0000000..7c7cb62
--- /dev/null
+++ b/config/hosts/ptouch-print-server/networking.nix
@@ -0,0 +1,23 @@
+{ ... }:
+
+{
+  networking = {
+    interfaces.net0 = {
+      ipv4.addresses = [
+        {
+          address = "10.31.208.13";
+          prefixLength = 25;
+        }
+      ];
+    };
+    defaultGateway = "10.31.208.1";
+    nameservers = [
+      "10.31.208.1"
+    ];
+  };
+
+  systemd.network.links."10-net0" = {
+    matchConfig.MACAddress = "BC:24:11:F2:CF:8F";
+    linkConfig.Name = "net0";
+  };
+}
diff --git a/config/hosts/ptouch-print-server/printing.nix b/config/hosts/ptouch-print-server/printing.nix
new file mode 100644
index 0000000..5964f56
--- /dev/null
+++ b/config/hosts/ptouch-print-server/printing.nix
@@ -0,0 +1,104 @@
+# Sources for this configuration:
+# - https://nixos.wiki/wiki/Printing
+
+{ pkgs, lib, ... }:
+
+let
+  # https://github.com/philpem/printer-driver-ptouch
+  printer-driver-ptouch = pkgs.stdenv.mkDerivation rec {
+    pname = "printer-driver-ptouch";
+    version = "1.7";
+
+    src = pkgs.fetchgit {
+      url = "https://github.com/philpem/printer-driver-ptouch";
+      rev = "v${version}";
+      hash = "sha256-3ZotSHn7lERp53hAzx47Ct/k565rEoensCcltwX/Xls=";
+    };
+
+    nativeBuildInputs = [
+      pkgs.autoreconfHook
+      pkgs.perl
+    ];
+
+    buildInputs = [
+      pkgs.cups
+      pkgs.libpng
+      pkgs.perlPackages.XMLLibXML
+      pkgs.foomatic-db-engine
+    ];
+
+    patches = [
+      # Add this patch to have the package actually build sucessfully.
+      # https://github.com/philpem/printer-driver-ptouch/pull/35
+      (pkgs.fetchpatch {
+        name = "fix-brother-ql-600.xml.patch";
+        url = "https://patch-diff.githubusercontent.com/raw/philpem/printer-driver-ptouch/pull/35.patch";
+        hash = "sha256-y5bHKFeRXx8Wdl1++l4QNGgiY41LY5uzrRdOlaZyF9I=";
+      })
+    ];
+
+    # Used the following as a reference on how to generate the ppd files.
+    # https://salsa.debian.org/printing-team/ptouch-driver/-/blob/4ba5d2c490ea1230374aa4b0bf711bf77f1ab0c7/debian/rules#L34
+    postInstall = ''
+      mkdir -p $out/share/cups
+      FOOMATICDB=$out/share/foomatic ${pkgs.foomatic-db-engine}/bin/foomatic-compiledb -t ppd -d $out/share/cups/model
+      rm -r $out/share/foomatic
+    '';
+
+    postPatch = ''
+      patchShebangs --build foomaticalize
+    '';
+  };
+  forcecommand-lpr-wrapper = pkgs.python3Packages.buildPythonApplication {
+    name = "forcecommand-lpr-wrapper";
+    src = ./forcecommand-lpr-wrapper;
+
+    propagatedBuildInputs = [
+      pkgs.cups
+    ];
+  };
+in
+{
+  services.printing = {
+    enable = true;
+    drivers = [ printer-driver-ptouch ];
+    stateless = true;
+  };
+
+  hardware.printers = {
+    ensurePrinters = [
+      {
+        name = "Brother-QL-500";
+        location = "Z9";
+        deviceUri = "usb://Brother/QL-500?serial=J8Z249208";
+        model = "Brother-QL-500-ptouch-ql.ppd";
+        ppdOptions = {
+          PageSize = "Custom.62x35mm";
+        };
+      }
+    ];
+    ensureDefaultPrinter = "Brother-QL-500";
+  };
+
+  users.users.print = {
+    isNormalUser = true;
+    description = "User for printing via SSH.";
+    password = "";
+  };
+
+  # PasswordAuthentication being set to false just puts "auth required
+  # pam_deny.so # deny (order 12400)" for pam.d/sshd, so enable
+  # PasswordAuthentication to have it not do that.
+  services.openssh.settings.PasswordAuthentication = lib.mkForce true;
+  # The following doesn't need to be set in order for empty passwords to work
+  # apparently:
+  # security.pam.services.sshd.allowNullPassword = true;
+  services.openssh.extraConfig = ''
+    Match User print
+      PubkeyAuthentication no
+      AuthenticationMethods none
+      PermitEmptyPasswords yes
+      ForceCommand ${forcecommand-lpr-wrapper}/bin/forcecommand-lpr-wrapper.py 
+    Match User *
+  '';
+}
diff --git a/flake.nix b/flake.nix
index f66397d..5360d1f 100644
--- a/flake.nix
+++ b/flake.nix
@@ -197,6 +197,20 @@
             ./config/hosts/forgejo-actions-runner
           ];
         };
+
+        ptouch-print-server = {
+          deployment = {
+            targetHost = "ptouch-print-server.z9.ccchh.net";
+            targetPort = 22;
+            targetUser = "colmena-deploy";
+            tags = [ "thinkcccluster" ];
+          };
+          imports = [
+            ./config/common
+            ./config/proxmox-vm
+            ./config/hosts/ptouch-print-server
+          ];
+        };
       };
 
       packages.x86_64-linux = {

From b229494eac326c992ea01bac7277467e91831a72 Mon Sep 17 00:00:00 2001
From: June <june@jsts.xyz>
Date: Sun, 14 Apr 2024 18:50:13 +0200
Subject: [PATCH 031/170] flake.lock: Update
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Flake lock file updates:

• Updated input 'nixos-generators':
    'github:nix-community/nixos-generators/bef32a05496d9480b02be586fa7827748b9e597b?narHash=sha256-803UIoB8%2BvGkm/VK/g55aBAAOf/ncTGvxXyjTF4ydm0%3D' (2024-03-08)
  → 'github:nix-community/nixos-generators/d942db8df8ee860556a38754f15b8d03bf7e6933?narHash=sha256-yYlxv1sg/TNl6hghjAe0ct%2B/p5PwXiT1mpuaExjhR88%3D' (2024-04-08)
• Updated input 'nixos-generators/nixlib':
    'github:nix-community/nixpkgs.lib/7873d84a89ae6e4841528ff7f5697ddcb5bdfe6c?narHash=sha256-jLBZmwXf0WYHzLkmEMq33bqhX55YtT5edvluFr0RcSA%3D' (2024-03-03)
  → 'github:nix-community/nixpkgs.lib/3c62b6a12571c9a7f65ab037173ee153d539905f?narHash=sha256-K6IkdtMtq9xktmYPj0uaYc8NsIqHuaAoRBaMgu9Fvrw%3D' (2024-04-07)
• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/fcaa81ed3c273237217330cf342ef1873b77c80a?narHash=sha256-LW84B4vM1cn7E6cDNQn2LndT9iJXI1dRE5fwbNFbQa8%3D' (2024-03-09)
  → 'github:nixos/nixpkgs/6ec8515bc79f396159a67b2ed8012b2e988d9dc6?narHash=sha256-x4RVSeo0qq099PEdCOGHrJ/mpUKIhTCJDTy4hI1U%2BGs%3D' (2024-04-14)
• Updated input 'nixpkgs-unstable':
    'github:nixos/nixpkgs/e389a1133d14925b942e0ad76ce75f32637db20d?narHash=sha256-W3KoCToX0gnwpZARkRteYd8Ns0Kie3C4u057YepUP5I%3D' (2024-03-09)
  → 'github:nixos/nixpkgs/bc59f72803cf40fb50f05cb73068d85b5ce21297?narHash=sha256-goBKZ4CKodTfkKaEGhpYOz545gnXmLfmn8gjiq7PLpU%3D' (2024-04-14)
---
 flake.lock | 24 ++++++++++++------------
 1 file changed, 12 insertions(+), 12 deletions(-)

diff --git a/flake.lock b/flake.lock
index 50f72f6..733defa 100644
--- a/flake.lock
+++ b/flake.lock
@@ -2,11 +2,11 @@
   "nodes": {
     "nixlib": {
       "locked": {
-        "lastModified": 1709426687,
-        "narHash": "sha256-jLBZmwXf0WYHzLkmEMq33bqhX55YtT5edvluFr0RcSA=",
+        "lastModified": 1712450863,
+        "narHash": "sha256-K6IkdtMtq9xktmYPj0uaYc8NsIqHuaAoRBaMgu9Fvrw=",
         "owner": "nix-community",
         "repo": "nixpkgs.lib",
-        "rev": "7873d84a89ae6e4841528ff7f5697ddcb5bdfe6c",
+        "rev": "3c62b6a12571c9a7f65ab037173ee153d539905f",
         "type": "github"
       },
       "original": {
@@ -23,11 +23,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1709887845,
-        "narHash": "sha256-803UIoB8+vGkm/VK/g55aBAAOf/ncTGvxXyjTF4ydm0=",
+        "lastModified": 1712537332,
+        "narHash": "sha256-yYlxv1sg/TNl6hghjAe0ct+/p5PwXiT1mpuaExjhR88=",
         "owner": "nix-community",
         "repo": "nixos-generators",
-        "rev": "bef32a05496d9480b02be586fa7827748b9e597b",
+        "rev": "d942db8df8ee860556a38754f15b8d03bf7e6933",
         "type": "github"
       },
       "original": {
@@ -38,11 +38,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1709953752,
-        "narHash": "sha256-LW84B4vM1cn7E6cDNQn2LndT9iJXI1dRE5fwbNFbQa8=",
+        "lastModified": 1713088269,
+        "narHash": "sha256-x4RVSeo0qq099PEdCOGHrJ/mpUKIhTCJDTy4hI1U+Gs=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "fcaa81ed3c273237217330cf342ef1873b77c80a",
+        "rev": "6ec8515bc79f396159a67b2ed8012b2e988d9dc6",
         "type": "github"
       },
       "original": {
@@ -54,11 +54,11 @@
     },
     "nixpkgs-unstable": {
       "locked": {
-        "lastModified": 1709987164,
-        "narHash": "sha256-W3KoCToX0gnwpZARkRteYd8Ns0Kie3C4u057YepUP5I=",
+        "lastModified": 1713064665,
+        "narHash": "sha256-goBKZ4CKodTfkKaEGhpYOz545gnXmLfmn8gjiq7PLpU=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "e389a1133d14925b942e0ad76ce75f32637db20d",
+        "rev": "bc59f72803cf40fb50f05cb73068d85b5ce21297",
         "type": "github"
       },
       "original": {

From bc6af32a36cbc0d176c39533f5f9117608461505 Mon Sep 17 00:00:00 2001
From: June <june@jsts.xyz>
Date: Mon, 15 Apr 2024 17:07:50 +0200
Subject: [PATCH 032/170] Update spaceapid to latest commit and use correct
 logo URL

---
 .../public-web-static/spaceapid-config/ccchh-response.json      | 2 +-
 config/hosts/public-web-static/spaceapid.nix                    | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/config/hosts/public-web-static/spaceapid-config/ccchh-response.json b/config/hosts/public-web-static/spaceapid-config/ccchh-response.json
index 3127d20..9a5793e 100644
--- a/config/hosts/public-web-static/spaceapid-config/ccchh-response.json
+++ b/config/hosts/public-web-static/spaceapid-config/ccchh-response.json
@@ -4,7 +4,7 @@
       "14"
     ],
     "space": "CCCHH",
-    "logo": "https://next.hamburg.ccc.de/images/logo.svg",
+    "logo": "https://hamburg.ccc.de/images/logo.svg",
     "ext_ccc": "erfa",
     "url": "https://hamburg.ccc.de/",
     "location": {
diff --git a/config/hosts/public-web-static/spaceapid.nix b/config/hosts/public-web-static/spaceapid.nix
index d2a25b6..86d40bb 100644
--- a/config/hosts/public-web-static/spaceapid.nix
+++ b/config/hosts/public-web-static/spaceapid.nix
@@ -4,7 +4,7 @@ let
   spaceapidSrc = builtins.fetchGit {
     url = "https://git.hamburg.ccc.de/CCCHH/spaceapid.git";
     ref = "main";
-    rev = "bbeb0d0e2b4538faed275b9891fb55149bc3a2f8";
+    rev = "17753f535c68157e80f30f50deb488133cc98258";
   };
   spaceapid = pkgs.buildGoModule rec {
     pname = "spaceapid";

From 856c4ac696a305dc11eac5d65a4011ebcc4440a7 Mon Sep 17 00:00:00 2001
From: June <june@jsts.xyz>
Date: Mon, 22 Apr 2024 21:13:11 +0200
Subject: [PATCH 033/170] flake.lock: Update
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Flake lock file updates:

• Updated input 'nixos-generators':
    'github:nix-community/nixos-generators/d942db8df8ee860556a38754f15b8d03bf7e6933?narHash=sha256-yYlxv1sg/TNl6hghjAe0ct%2B/p5PwXiT1mpuaExjhR88%3D' (2024-04-08)
  → 'github:nix-community/nixos-generators/722b512eb7e6915882f39fff0e4c9dd44f42b77e?narHash=sha256-3yh0nqI1avYUmmtqqTW3EVfwaLE%2B9ytRWxsA5aWtmyI%3D' (2024-04-22)
• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/6ec8515bc79f396159a67b2ed8012b2e988d9dc6?narHash=sha256-x4RVSeo0qq099PEdCOGHrJ/mpUKIhTCJDTy4hI1U%2BGs%3D' (2024-04-14)
  → 'github:nixos/nixpkgs/d4df7c26d03e94dbdabbd350cb89c9565cae07bb?narHash=sha256-TFRzgAjRgwXpDucaPZfVz9mRyH2wGM6oYABe1q/20iI%3D' (2024-04-22)
• Updated input 'nixpkgs-unstable':
    'github:nixos/nixpkgs/bc59f72803cf40fb50f05cb73068d85b5ce21297?narHash=sha256-goBKZ4CKodTfkKaEGhpYOz545gnXmLfmn8gjiq7PLpU%3D' (2024-04-14)
  → 'github:nixos/nixpkgs/de52a47e961d45f6a8c7f9f086c60ff89ecdddaf?narHash=sha256-HLpr4EgxIRB1UJCpupvF%2BAi8pFa93BJh8anPJ68FwOI%3D' (2024-04-22)
---
 flake.lock | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/flake.lock b/flake.lock
index 733defa..02b9836 100644
--- a/flake.lock
+++ b/flake.lock
@@ -23,11 +23,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1712537332,
-        "narHash": "sha256-yYlxv1sg/TNl6hghjAe0ct+/p5PwXiT1mpuaExjhR88=",
+        "lastModified": 1713783234,
+        "narHash": "sha256-3yh0nqI1avYUmmtqqTW3EVfwaLE+9ytRWxsA5aWtmyI=",
         "owner": "nix-community",
         "repo": "nixos-generators",
-        "rev": "d942db8df8ee860556a38754f15b8d03bf7e6933",
+        "rev": "722b512eb7e6915882f39fff0e4c9dd44f42b77e",
         "type": "github"
       },
       "original": {
@@ -38,11 +38,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1713088269,
-        "narHash": "sha256-x4RVSeo0qq099PEdCOGHrJ/mpUKIhTCJDTy4hI1U+Gs=",
+        "lastModified": 1713787398,
+        "narHash": "sha256-TFRzgAjRgwXpDucaPZfVz9mRyH2wGM6oYABe1q/20iI=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "6ec8515bc79f396159a67b2ed8012b2e988d9dc6",
+        "rev": "d4df7c26d03e94dbdabbd350cb89c9565cae07bb",
         "type": "github"
       },
       "original": {
@@ -54,11 +54,11 @@
     },
     "nixpkgs-unstable": {
       "locked": {
-        "lastModified": 1713064665,
-        "narHash": "sha256-goBKZ4CKodTfkKaEGhpYOz545gnXmLfmn8gjiq7PLpU=",
+        "lastModified": 1713761662,
+        "narHash": "sha256-HLpr4EgxIRB1UJCpupvF+Ai8pFa93BJh8anPJ68FwOI=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "bc59f72803cf40fb50f05cb73068d85b5ce21297",
+        "rev": "de52a47e961d45f6a8c7f9f086c60ff89ecdddaf",
         "type": "github"
       },
       "original": {

From 14bbdea9dcb6b708c9dbe0b8d81a62d5814a4d9f Mon Sep 17 00:00:00 2001
From: June <june@jsts.xyz>
Date: Tue, 23 Apr 2024 19:12:16 +0200
Subject: [PATCH 034/170] Add MPD to audio service module

---
 config/hosts/audio-hauptraum-kueche/audio.nix |  1 +
 config/hosts/audio-hauptraum-tafel/audio.nix  |  1 +
 modules/services/audio/default.nix            |  1 +
 modules/services/audio/mpd.nix                | 33 +++++++++++++++++++
 4 files changed, 36 insertions(+)
 create mode 100644 modules/services/audio/mpd.nix

diff --git a/config/hosts/audio-hauptraum-kueche/audio.nix b/config/hosts/audio-hauptraum-kueche/audio.nix
index aa49f2f..2a75d8a 100644
--- a/config/hosts/audio-hauptraum-kueche/audio.nix
+++ b/config/hosts/audio-hauptraum-kueche/audio.nix
@@ -8,6 +8,7 @@
     enable = true;
     name = "Audio Hauptraum Küche";
   };
+  services.mpd.musicDirectory = "smb://beamer:beamer@beamer.z9.ccchh.net/music";
 
   users.users.chaos.extraGroups = [ "pipewire" ];
 }
diff --git a/config/hosts/audio-hauptraum-tafel/audio.nix b/config/hosts/audio-hauptraum-tafel/audio.nix
index 3389720..f090fd9 100644
--- a/config/hosts/audio-hauptraum-tafel/audio.nix
+++ b/config/hosts/audio-hauptraum-tafel/audio.nix
@@ -8,6 +8,7 @@
     enable = true;
     name = "Audio Hauptraum Tafel";
   };
+  services.mpd.musicDirectory = "smb://beamer:beamer@beamer.z9.ccchh.net/music";
 
   users.users.chaos.extraGroups = [ "pipewire" ];
 }
diff --git a/modules/services/audio/default.nix b/modules/services/audio/default.nix
index 6e8a43b..ccd7527 100644
--- a/modules/services/audio/default.nix
+++ b/modules/services/audio/default.nix
@@ -11,6 +11,7 @@ in
 {
   imports = [
     ./librespot.nix
+    ./mpd.nix
     ./networking.nix
     ./pipewire.nix
     ./shairport-sync.nix
diff --git a/modules/services/audio/mpd.nix b/modules/services/audio/mpd.nix
new file mode 100644
index 0000000..30ce12e
--- /dev/null
+++ b/modules/services/audio/mpd.nix
@@ -0,0 +1,33 @@
+# Links & Resources:
+# - https://mpd.readthedocs.io/en/stable/user.html
+
+{ config, pkgs, lib, ... }:
+
+with lib;
+
+let
+
+  cfg = config.ccchh.services.audio;
+
+in
+
+{
+  config = mkIf cfg.enable {
+    services.mpd = {
+      enable = true;
+      network.listenAddress = "any";
+      extraConfig = ''
+        audio_output {
+          type "pipewire"
+          name "Pipewire"
+        }
+      '';
+    };
+
+    users.users.mpd.extraGroups = [ "pipewire" ];
+
+    networking.firewall = {
+      allowedTCPPorts = [ 6600 ];
+    };
+  };
+}

From c96486aa9107a74de3487a4a3fd20e95574665b4 Mon Sep 17 00:00:00 2001
From: June <june@jsts.xyz>
Date: Sat, 27 Apr 2024 23:28:31 +0200
Subject: [PATCH 035/170] Let MPD mix the audio itself to work around PW/WP
 restore bug

jtbx discovered that MPD is using the Pipewire stream volume for volume
control, but that when Pipewire/Wireplumber restores the stream volumes
on restart, it wrongly assigns the MPD stream volume to the Shaireport
Sync stream as well.
Work around that bug by making MPD mix itself and not through
Pipewire/Wireplumber.
---
 modules/services/audio/mpd.nix | 1 +
 1 file changed, 1 insertion(+)

diff --git a/modules/services/audio/mpd.nix b/modules/services/audio/mpd.nix
index 30ce12e..4c149af 100644
--- a/modules/services/audio/mpd.nix
+++ b/modules/services/audio/mpd.nix
@@ -20,6 +20,7 @@ in
         audio_output {
           type "pipewire"
           name "Pipewire"
+          mixer_type "software"
         }
       '';
     };

From c378fc64c6c122819ba385eb7357b1dc28b512f6 Mon Sep 17 00:00:00 2001
From: June <june@jsts.xyz>
Date: Sun, 28 Apr 2024 19:51:45 +0200
Subject: [PATCH 036/170] Deploy shairport-sync with more verbosity for easier
 debugging

---
 modules/services/audio/shairport-sync.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/services/audio/shairport-sync.nix b/modules/services/audio/shairport-sync.nix
index adf5911..1f04862 100644
--- a/modules/services/audio/shairport-sync.nix
+++ b/modules/services/audio/shairport-sync.nix
@@ -17,7 +17,7 @@ in
   config = mkIf cfg.enable {
     services.shairport-sync = {
       enable = true;
-      arguments = "-o pw";
+      arguments = "-o pw -v";
     };
 
     users.users.shairport.extraGroups = [ "pipewire" ];

From 320f4afb4a748074581d480f81f9e8751bb41f61 Mon Sep 17 00:00:00 2001
From: June <june@jsts.xyz>
Date: Tue, 14 May 2024 03:46:01 +0200
Subject: [PATCH 037/170] flake.lock: Update
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Flake lock file updates:

• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/d4df7c26d03e94dbdabbd350cb89c9565cae07bb?narHash=sha256-TFRzgAjRgwXpDucaPZfVz9mRyH2wGM6oYABe1q/20iI%3D' (2024-04-22)
  → 'github:nixos/nixpkgs/8a4282c38b6cbea9f0989c0eafc6ce1837a26442?narHash=sha256-t1t39%2B9F0NSrUQQsvrQ0Ym/BfnOtjgXnJVn8daI3968%3D' (2024-05-13)
• Updated input 'nixpkgs-unstable':
    'github:nixos/nixpkgs/de52a47e961d45f6a8c7f9f086c60ff89ecdddaf?narHash=sha256-HLpr4EgxIRB1UJCpupvF%2BAi8pFa93BJh8anPJ68FwOI%3D' (2024-04-22)
  → 'github:nixos/nixpkgs/7ed944be63682d0c5bc37e66f3c997390d0bbd8e?narHash=sha256-ncgLV/zSzXGx8XXEM8QlovDftzzcV11MnLeRUL63Szw%3D' (2024-05-13)
---
 flake.lock | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/flake.lock b/flake.lock
index 02b9836..77cd85b 100644
--- a/flake.lock
+++ b/flake.lock
@@ -38,11 +38,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1713787398,
-        "narHash": "sha256-TFRzgAjRgwXpDucaPZfVz9mRyH2wGM6oYABe1q/20iI=",
+        "lastModified": 1715615524,
+        "narHash": "sha256-t1t39+9F0NSrUQQsvrQ0Ym/BfnOtjgXnJVn8daI3968=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "d4df7c26d03e94dbdabbd350cb89c9565cae07bb",
+        "rev": "8a4282c38b6cbea9f0989c0eafc6ce1837a26442",
         "type": "github"
       },
       "original": {
@@ -54,11 +54,11 @@
     },
     "nixpkgs-unstable": {
       "locked": {
-        "lastModified": 1713761662,
-        "narHash": "sha256-HLpr4EgxIRB1UJCpupvF+Ai8pFa93BJh8anPJ68FwOI=",
+        "lastModified": 1715616897,
+        "narHash": "sha256-ncgLV/zSzXGx8XXEM8QlovDftzzcV11MnLeRUL63Szw=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "de52a47e961d45f6a8c7f9f086c60ff89ecdddaf",
+        "rev": "7ed944be63682d0c5bc37e66f3c997390d0bbd8e",
         "type": "github"
       },
       "original": {

From 475ab8cc6687a0e8c5e67671295eb2d9e48f5cd7 Mon Sep 17 00:00:00 2001
From: June <june@jsts.xyz>
Date: Fri, 17 May 2024 20:42:48 +0200
Subject: [PATCH 038/170] Configure EH22 Wiki

---
 config/hosts/eh22-wiki/configuration.nix |   7 +
 config/hosts/eh22-wiki/default.nix       |   9 ++
 config/hosts/eh22-wiki/dokuwiki.nix      | 165 +++++++++++++++++++++++
 config/hosts/eh22-wiki/networking.nix    |  23 ++++
 flake.nix                                |  14 ++
 5 files changed, 218 insertions(+)
 create mode 100644 config/hosts/eh22-wiki/configuration.nix
 create mode 100644 config/hosts/eh22-wiki/default.nix
 create mode 100644 config/hosts/eh22-wiki/dokuwiki.nix
 create mode 100644 config/hosts/eh22-wiki/networking.nix

diff --git a/config/hosts/eh22-wiki/configuration.nix b/config/hosts/eh22-wiki/configuration.nix
new file mode 100644
index 0000000..ff45e49
--- /dev/null
+++ b/config/hosts/eh22-wiki/configuration.nix
@@ -0,0 +1,7 @@
+{ ... }:
+
+{
+  networking.hostName = "eh22-wiki";
+
+  system.stateVersion = "23.11";
+}
diff --git a/config/hosts/eh22-wiki/default.nix b/config/hosts/eh22-wiki/default.nix
new file mode 100644
index 0000000..2d90c6b
--- /dev/null
+++ b/config/hosts/eh22-wiki/default.nix
@@ -0,0 +1,9 @@
+{ config, pkgs, ... }:
+
+{
+  imports = [
+    ./configuration.nix
+    ./dokuwiki.nix
+    ./networking.nix
+  ];
+}
diff --git a/config/hosts/eh22-wiki/dokuwiki.nix b/config/hosts/eh22-wiki/dokuwiki.nix
new file mode 100644
index 0000000..133e39a
--- /dev/null
+++ b/config/hosts/eh22-wiki/dokuwiki.nix
@@ -0,0 +1,165 @@
+# Sources for this configuration:
+# - https://www.dokuwiki.org/dokuwiki
+# - https://www.dokuwiki.org/install
+# - https://www.dokuwiki.org/requirements
+# - https://www.dokuwiki.org/install:php
+# - https://www.dokuwiki.org/security
+# - https://www.dokuwiki.org/config:xsendfile
+# - https://www.dokuwiki.org/install:nginx
+# - https://www.dokuwiki.org/faq:uploadsize
+# - https://nixos.wiki/wiki/Phpfpm
+# - https://wiki.archlinux.org/title/Nginx#FastCGI
+# - https://github.com/NixOS/nixpkgs/blob/84c0cb1471eee15e77ed97e7ae1e8cdae8835c61/nixos/modules/services/web-apps/dokuwiki.nix
+# - https://git.hamburg.ccc.de/CCCHH/ansible-infra/src/commit/81c8bfe16b311d5bf4635947fa02dfb65aea7f91/playbooks/files/chaosknoten/configs/wiki/nginx/wiki.hamburg.ccc.de.conf
+# - https://www.php.net/manual/en/install.fpm.php
+# - https://www.php.net/manual/en/install.fpm.configuration.php
+
+{ config, pkgs, ... }:
+
+let
+  # This is also used for user and group names.
+  app = "dokuwiki";
+  domain = "eh22.easterhegg.eu";
+  dataDir = "/srv/www/${domain}";
+in {
+  systemd.tmpfiles.rules = [
+    "d ${dataDir} 0755 ${app} ${app}"
+  ];
+
+  services.phpfpm.pools."${app}" = {
+    user = "${app}";
+    group = "${app}";
+    phpOptions = ''
+      short_open_tag = Off
+      open_basedir =
+      output_buffering = Off
+      output_handler =
+      zlib.output_compression = Off
+      implicit_flush = Off
+      allow_call_time_pass_reference = Off
+      max_execution_time = 30
+      max_input_time = 60
+      max_input_vars = 10000
+      memory_limit = 128M
+      error_reporting = E_ALL & ~E_NOTICE
+      display_errors = Off
+      display_startup_errors = Off
+      log_errors = On
+      ; error_log should be handled by NixOS.
+      variables_order = "EGPCS"
+      register_argc_argv = Off
+      file_uploads = On
+      upload_max_filesize = 20M
+      post_max_size = 20M
+      session.use_cookies = 1
+      ; Checked the default NixOS PHP extensions and the only one missing from
+      ; DokuWikis list of PHP extensions was bz2, so add that.
+      ; Checked with NixOS 23.11 on 2024-05-02.
+      extension = ${pkgs.phpExtensions.bz2}/lib/php/extensions/bz2.so
+    '';
+    extraConfig = ''
+      listen.owner = ${config.services.nginx.user};
+      listen.group = ${config.services.nginx.group};
+      pm = dynamic
+      pm.max_children = 32
+      pm.start_servers = 2
+      pm.min_spare_servers = 2
+      pm.max_spare_servers = 4
+      pm.max_requests = 500
+    '';
+  };
+
+  services.nginx = {
+    enable = true;
+
+    virtualHosts."acme-${domain}" = {
+      default = true;
+      enableACME = true;
+      serverName = "${domain}";
+      
+      listen = [
+        {
+          addr = "0.0.0.0";
+          port = 31820;
+        }
+      ];
+    };
+
+    virtualHosts."${domain}" = {
+      default = true;
+      forceSSL = true;
+      useACMEHost = "${domain}";
+
+      listen = [
+        {
+          addr = "0.0.0.0";
+          port = 8443;
+          ssl = true;
+          proxyProtocol = true;
+        }
+      ];
+
+      root = "${dataDir}";
+
+      locations = {
+        "~ /(conf|bin|inc|vendor)/" = {
+          extraConfig = "deny all;";
+        };
+
+        "~ /install.php" = {
+          extraConfig = "deny all;";
+        };
+
+        "~ ^/data/" = {
+          extraConfig = "internal;";
+        };
+
+        "~ ^/lib.*\.(js|css|gif|png|ico|jpg|jpeg)$" = {
+          extraConfig = "expires 31d;";
+        };
+
+        "/" = {
+          index = "doku.php";
+          extraConfig = "try_files $uri $uri/ @dokuwiki;";
+        };
+
+        "@dokuwiki" = {
+          extraConfig = ''
+            # Rewrites "doku.php/" out of the URLs if the userwrite setting is
+            # set to .htaccess in the DokuWiki config page.
+            rewrite ^/_media/(.*) /lib/exe/fetch.php?media=$1 last;
+            rewrite ^/_detail/(.*) /lib/exe/detail.php?media=$1 last;
+            rewrite ^/_export/([^/]+)/(.*) /doku.php?do=export_$1&id=$2 last;
+            rewrite ^/(.*) /doku.php?id=$1&$args last;
+          '';
+        };
+
+        "~ \\.php$" = {
+          extraConfig = ''
+            try_files $uri $uri/ /doku.php;
+            include ${config.services.nginx.package}/conf/fastcgi_params;
+            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+            fastcgi_param REDIRECT_STATUS 200;
+            fastcgi_pass unix:${config.services.phpfpm.pools."${app}".socket};
+          '';
+        };
+      };
+
+      extraConfig = ''
+        # Set maximum file upload size to 20MB (same as upload_max_filesize and
+        # post_max_size in the phpOptions).
+        client_max_body_size 20M;
+        client_body_buffer_size 128k;
+      '';
+    };
+  };
+
+  networking.firewall.allowedTCPPorts = [ 8443 31820 ];
+  networking.firewall.allowedUDPPorts = [ 8443 ];
+
+  users.users."${app}" = {
+    isSystemUser = true;
+    group = "${app}";
+  };
+  users.groups."${app}" = { };
+}
diff --git a/config/hosts/eh22-wiki/networking.nix b/config/hosts/eh22-wiki/networking.nix
new file mode 100644
index 0000000..44d478a
--- /dev/null
+++ b/config/hosts/eh22-wiki/networking.nix
@@ -0,0 +1,23 @@
+# Sources for this configuration:
+# - https://nixos.wiki/wiki/Networking
+
+{ ... }:
+
+{
+  networking.interfaces.net0 = {
+    ipv4.addresses = [
+      {
+        address = "172.31.17.156";
+        prefixLength = 25;
+      }
+    ];
+  };
+  networking.defaultGateway = "172.31.17.129";
+  networking.nameservers = [ "212.12.50.158" "192.76.134.90" ];
+  networking.search = [ "hamburg.ccc.de" ];
+
+  systemd.network.links."10-net0" = {
+    matchConfig.MACAddress = "BC:24:11:37:F0:AB";
+    linkConfig.Name = "net0";
+  };
+}
diff --git a/flake.nix b/flake.nix
index 5360d1f..d7d7fc9 100644
--- a/flake.nix
+++ b/flake.nix
@@ -211,6 +211,20 @@
             ./config/hosts/ptouch-print-server
           ];
         };
+
+        eh22-wiki = {
+          deployment = {
+            targetHost = "eh22-wiki-intern.hamburg.ccc.de";
+            targetPort = 22;
+            targetUser = "colmena-deploy";
+            tags = [ "chaosknoten" ];
+          };
+          imports = [
+            ./config/common
+            ./config/proxmox-vm
+            ./config/hosts/eh22-wiki
+          ];
+        };
       };
 
       packages.x86_64-linux = {

From ca816ba50bec6d701c81355e5e958d086bfa51ef Mon Sep 17 00:00:00 2001
From: June <june@jsts.xyz>
Date: Thu, 23 May 2024 21:25:22 +0200
Subject: [PATCH 039/170] flake.lock: Update
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Flake lock file updates:

• Updated input 'nixos-generators':
    'github:nix-community/nixos-generators/722b512eb7e6915882f39fff0e4c9dd44f42b77e?narHash=sha256-3yh0nqI1avYUmmtqqTW3EVfwaLE%2B9ytRWxsA5aWtmyI%3D' (2024-04-22)
  → 'github:nix-community/nixos-generators/d14b286322c7f4f897ca4b1726ce38cb68596c94?narHash=sha256-iqQa3omRcHGpWb1ds75jS9ruA5R39FTmAkeR3J%2Bve1w%3D' (2024-05-20)
• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/8a4282c38b6cbea9f0989c0eafc6ce1837a26442?narHash=sha256-t1t39%2B9F0NSrUQQsvrQ0Ym/BfnOtjgXnJVn8daI3968%3D' (2024-05-13)
  → 'github:nixos/nixpkgs/dff68ababdd2c2616d03f26546ba632f5f09d3c6?narHash=sha256-e4pjcLqe1Dexz7enk/%2Bui0aVdcoSiWnrTGjk7KLtAPw%3D' (2024-05-22)
• Updated input 'nixpkgs-unstable':
    'github:nixos/nixpkgs/7ed944be63682d0c5bc37e66f3c997390d0bbd8e?narHash=sha256-ncgLV/zSzXGx8XXEM8QlovDftzzcV11MnLeRUL63Szw%3D' (2024-05-13)
  → 'github:nixos/nixpkgs/2ee89d5a0167a8aa0f2a5615d2b8aefb1f299cd4?narHash=sha256-2eh7rYxQOntkUjFXtlPH7lBuUDd4isu/YHRjNJW7u1Q%3D' (2024-05-23)
---
 flake.lock | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/flake.lock b/flake.lock
index 77cd85b..be7c1a6 100644
--- a/flake.lock
+++ b/flake.lock
@@ -23,11 +23,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1713783234,
-        "narHash": "sha256-3yh0nqI1avYUmmtqqTW3EVfwaLE+9ytRWxsA5aWtmyI=",
+        "lastModified": 1716210724,
+        "narHash": "sha256-iqQa3omRcHGpWb1ds75jS9ruA5R39FTmAkeR3J+ve1w=",
         "owner": "nix-community",
         "repo": "nixos-generators",
-        "rev": "722b512eb7e6915882f39fff0e4c9dd44f42b77e",
+        "rev": "d14b286322c7f4f897ca4b1726ce38cb68596c94",
         "type": "github"
       },
       "original": {
@@ -38,11 +38,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1715615524,
-        "narHash": "sha256-t1t39+9F0NSrUQQsvrQ0Ym/BfnOtjgXnJVn8daI3968=",
+        "lastModified": 1716408408,
+        "narHash": "sha256-e4pjcLqe1Dexz7enk/+ui0aVdcoSiWnrTGjk7KLtAPw=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "8a4282c38b6cbea9f0989c0eafc6ce1837a26442",
+        "rev": "dff68ababdd2c2616d03f26546ba632f5f09d3c6",
         "type": "github"
       },
       "original": {
@@ -54,11 +54,11 @@
     },
     "nixpkgs-unstable": {
       "locked": {
-        "lastModified": 1715616897,
-        "narHash": "sha256-ncgLV/zSzXGx8XXEM8QlovDftzzcV11MnLeRUL63Szw=",
+        "lastModified": 1716479278,
+        "narHash": "sha256-2eh7rYxQOntkUjFXtlPH7lBuUDd4isu/YHRjNJW7u1Q=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "7ed944be63682d0c5bc37e66f3c997390d0bbd8e",
+        "rev": "2ee89d5a0167a8aa0f2a5615d2b8aefb1f299cd4",
         "type": "github"
       },
       "original": {

From eab352303329fbe56e84763679f1f9e45cbe28c0 Mon Sep 17 00:00:00 2001
From: June <june@jsts.xyz>
Date: Thu, 23 May 2024 22:25:32 +0200
Subject: [PATCH 040/170] Make MPD be put into pause mode instead of start.
 playback after startup

---
 modules/services/audio/mpd.nix | 1 +
 1 file changed, 1 insertion(+)

diff --git a/modules/services/audio/mpd.nix b/modules/services/audio/mpd.nix
index 4c149af..048e979 100644
--- a/modules/services/audio/mpd.nix
+++ b/modules/services/audio/mpd.nix
@@ -22,6 +22,7 @@ in
           name "Pipewire"
           mixer_type "software"
         }
+        restore_paused "yes"
       '';
     };
 

From 88e3da11a6d344567002accbdb99ce57c7e8fdc9 Mon Sep 17 00:00:00 2001
From: June <june@jsts.xyz>
Date: Sat, 25 May 2024 16:47:34 +0200
Subject: [PATCH 041/170] Introduce sops and sops-nix for secret management

Use the GPG keys used for the password-store noc directory for the admin
keys.
Switch the git hosts secret management from colmena to sops-nix.

https://github.com/getsops/sops
https://github.com/Mic92/sops-nix
---
 .sops.yaml                    |  46 +++++++
 config/hosts/git/default.nix  |   1 +
 config/hosts/git/forgejo.nix  |  16 +--
 config/hosts/git/secrets.yaml | 233 ++++++++++++++++++++++++++++++++++
 config/hosts/git/sops.nix     |   7 +
 flake.lock                    |  40 +++++-
 flake.nix                     |  10 +-
 7 files changed, 341 insertions(+), 12 deletions(-)
 create mode 100644 .sops.yaml
 create mode 100644 config/hosts/git/secrets.yaml
 create mode 100644 config/hosts/git/sops.nix

diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 0000000..26086a9
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,46 @@
+keys:
+  - &admin_gpg_djerun EF643F59E008414882232C78FFA8331EEB7D6B70
+  - &admin_gpg_stb F155144FC925A1BEA1F8A2C59A2A4CD59BFDC5EC
+  - &admin_gpg_jtbx 18DFCE01456DAB52EA38A6584EDC64F35FA1D6A5
+  - &admin_gpg_yuri 87AB00D45D37C9E9167B5A5A333448678B60E505
+  - &admin_gpg_june 91213ABAA73B0B73D3C02B5B4E5F372D17BBE67C
+  - &admin_gpg_haegar F38C9D4228FC6F674E322D9C3326D914EB9B8F55
+  - &admin_gpg_dario 5DA93D5C9D7320E1BD3522C79C78172B3551C9FD
+  - &admin_gpg_echtnurich 8996B62CBD159DCADD3B6DC08BB33A8ABCF7BC4A
+  - &admin_gpg_max 9DFA033E3DAEBAD7FDD71B056C7AAA54BE05F7BA
+  - &admin_gpg_c6ristian B71138A6A8964A3C3B8899857B4F70C356765BAB
+  - &admin_gpg_dante 3D70F61E07F64EC4E4EF417BEFCD9D20F58784EF
+  - &host_age_git age18zaq9xg9nhqyl8g7mvrqhsx4qstay5l9cekq2g80vx4920pswdfqpeafd7
+creation_rules:
+  - path_regex: config/hosts/git/.*
+    key_groups:
+      - pgp:
+          - *admin_gpg_djerun
+          - *admin_gpg_stb
+          - *admin_gpg_jtbx
+          - *admin_gpg_yuri
+          - *admin_gpg_june
+          - *admin_gpg_haegar
+          - *admin_gpg_dario
+          - *admin_gpg_echtnurich
+          - *admin_gpg_max
+          - *admin_gpg_c6ristian
+          - *admin_gpg_dante
+        age:
+          - *host_age_git
+  - key_groups:
+      - pgp:
+          - *admin_gpg_djerun
+          - *admin_gpg_stb
+          - *admin_gpg_jtbx
+          - *admin_gpg_yuri
+          - *admin_gpg_june
+          - *admin_gpg_haegar
+          - *admin_gpg_dario
+          - *admin_gpg_echtnurich
+          - *admin_gpg_max
+          - *admin_gpg_c6ristian
+          - *admin_gpg_dante
+stores:
+  yaml:
+    indent: 2
diff --git a/config/hosts/git/default.nix b/config/hosts/git/default.nix
index 0f4664e..d3494e6 100644
--- a/config/hosts/git/default.nix
+++ b/config/hosts/git/default.nix
@@ -8,5 +8,6 @@
     ./nginx.nix
     ./opensearch.nix
     ./redis.nix
+    ./sops.nix
   ];
 }
diff --git a/config/hosts/git/forgejo.nix b/config/hosts/git/forgejo.nix
index 103881c..ced70db 100644
--- a/config/hosts/git/forgejo.nix
+++ b/config/hosts/git/forgejo.nix
@@ -14,7 +14,7 @@
     enable = true;
     package = pkgs-unstable.forgejo;
     database.type = "postgres";
-    mailerPasswordFile = "/secrets/forgejo-git-smtp-password.secret";
+    mailerPasswordFile = "/run/secrets/forgejo_git_smtp_password";
 
     settings = {
       DEFAULT = {
@@ -77,14 +77,10 @@
     };
   };
 
-  deployment.keys = {
-    "forgejo-git-smtp-password.secret" = {
-      keyCommand = [ "pass" "noc/vm-secrets/chaosknoten/git/smtp_password" ];
-      destDir = "/secrets";
-      user = "forgejo";
-      group = "forgejo";
-      permissions = "0640";
-      uploadAt = "pre-activation";
-    };
+  sops.secrets."forgejo_git_smtp_password" = {
+    mode = "0440";
+    owner = "forgejo";
+    group = "forgejo";
+    restartUnits = [ "forgejo.service" ];
   };
 }
diff --git a/config/hosts/git/secrets.yaml b/config/hosts/git/secrets.yaml
new file mode 100644
index 0000000..85e2ccd
--- /dev/null
+++ b/config/hosts/git/secrets.yaml
@@ -0,0 +1,233 @@
+forgejo_git_smtp_password: ENC[AES256_GCM,data:ZRj5GpQKRlTxdu5CfbJirRGAKPCLAIG1F0V5USz5m5D49V3lu5uLomxHapmEwb0yYoE7e7ZLYK4VQUoQgpUnSw==,iv:K7+9E2gi8cdYu0lX/HgWitLxnxARywIwh5glEL0uOsM=,tag:s9UC8e+E5E3vM6cTKW7Vqw==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age18zaq9xg9nhqyl8g7mvrqhsx4qstay5l9cekq2g80vx4920pswdfqpeafd7
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2ZFhrMlF1YnV6bHlJZFp1
+            SExjNXk0aTE3U2pBd0lHODlkZW9La1M2cHhjCjd1VTdKWkE2ZWxoMWFjREsvLzdS
+            K3lSSkRMZ3lLZ0tSaDZMRkt4MXBMeXcKLS0tIDFlVjNXcktpbHdJc2hraGNrNGJh
+            UHlJWFN4NW1tNWFCU2EyNjkveXZML3cKrKk1w3IBAgdmicuFyGOaU26fwpULAcy9
+            eZPlcbRPUPHoRhy9GhNTAcXXDQzimKL39XZGAd0U29Kt9AvWAf8Qpg==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-05-25T14:17:29Z"
+    mac: ENC[AES256_GCM,data:JeqYsVtogbB4oMWNEpLsF6zxsgUoAt7UzRUL2JzxDUtXDUndW/AxJxVxQaipYvblA3q2MzRyQN+j9khavlL02DR/ANtZFLQmH3OREV7M9eHmeeCa4Lm5D7gFYmqWkULJ7yEJsKz5AaiJTWlWgCcBITB901H3Z12dsz2a1+4WrUc=,iv:5Xm5Rjw8PS7hkTcRD1kj5XS5uiOgsPwXYeaMqUReB7E=,tag:2Y5R1/Why1TQd+ZYTF0qDA==,type:str]
+    pgp:
+        - created_at: "2024-05-25T14:42:41Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMAxK/JaB2/SdtAQ/+Pw0v8i3ZGw4QNjAu9NX6ZJ5hvBHJgtcOWch3ZHlIAuxs
+            rNoPYhuKaYZL6QJcPTjP8AHVkFIEp+mVbXnsS3PCNUxPnwBS3DfAk+b9OmIJ5U8i
+            H0VYv4FpdAblyq59GPYx5cBaKUxAagATqlYmMh8b530DYBGcoAHPtzhCaZj+aJI9
+            ybakmmNfSqtdhJoWwRaRekqhbZ++wmS7axeefawuicXpdlNxhypEMKBUpGA847cH
+            lI4hw1/+KvyN/BT1q66vQanYpM8NNFLyyamT6HeBxQ1lP6gfb/T0a805qnaCXaZY
+            z2Ui6XJL/lbUWzG/0xnSJIFiQc7hIqMGIz+EHyYep5NBu/hiIUK1RpIFL4ClEOh3
+            kfVlWC16ys3fGHlFOTTBc3yJPGtyPjd5lGGfFmawwnegPH2wdNIt5tjrA7+vwKRE
+            f+RFNzvfc11o8rhGnbGd4ZGNgexuhxVaRGDSNqO0aixprSurcOa21Z1U76tvnJGq
+            IoeFtZf5KutqqLIyLoK0JM0YkSb92S/BHkIKpUO9fsKLRdQdnvm++8NRLJ/jXLVz
+            lZZnLxMC7QvKMyxE7J8GKye7nQa6S6CkEcqUsgXSMaxB3GMe9MiGWS9nqh16tHDX
+            p9YR9FVj8BUKWsTbIPKkomIaoxhRJvW6cakVcM7RG0rySVjGxrc2oAvYgjpVmmDU
+            aAEJAhAxPM/qlV+JghqnmnjP9Kn6KTIvGV2NGvX5YbY4k/NgL/sZ7VLsGZldemiu
+            1ogKtLzjRnvtruPhXBXPv3Ivw+a4ie7YBPsyyyh4RFfnZq7abAwBVDZDVXPA2GUS
+            9JOUdkYe2Q1T
+            =1km6
+            -----END PGP MESSAGE-----
+          fp: EF643F59E008414882232C78FFA8331EEB7D6B70
+        - created_at: "2024-05-25T14:42:41Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA6EyPtWBEI+2ARAAiyKB1LVhFUxkC/bKs7TmtXGbA+2xWwrtt9gUACD+GNlT
+            P0jQJ4N7x0xpvgo+ELNx4Owq4EXFYH8bI27zUxW9FmJu672uFVIpud4nZX+2AfFs
+            +Iy7VBp95kfS77Mc9VClJTJEaLMZOvciqlY58p1FB6C4pNwOuEhMvZ7athLVLlEz
+            hOrKkJAAtnjWXOFLBkq7BKCBVsxSLOUXMBgmK1Fr4dTJPifiXIIbO2BdNXanzMpv
+            8ANtENZ4JpqBHDW/DGoACkAh/hqu8p4B4TBC3L7szvFktsxy93w3i59CDXUroKXO
+            cG//41R5OH/EguctfO84qUWCe+eqA2D2ZuWIqSD6Aa4izQE+aTl+WDx/oxKuQcJB
+            UgKiLm/HXI7w1Zp7v2oRUt4BFr2EXHicsEkV+ztCGDMMPw0zBA3EE4fMFDmM9BXh
+            Y6bOT1cV/TQ1IgWvH6gMe4qdJscqYEfNMJNl6kZzylUSLBxK0YAfqxSnvV6lZ2D7
+            82KLl0TRZOiCWO0EMcRuN2L8AasrO4PaBGI/kbU2dCr8q4ku3qTjW7b77d6pVW29
+            Gh2eV+goXcdnk9tJt4hPcmz3vYIFJL8Pbmy5mSO0BetFdFVFnIhBuQzrXwe+Iq7z
+            nQ2L1eeDT0WI4PMEIz+YM0QVCMM52d0fK+JeiVz8H/bO7NcPCYTylcK68BA6QaLS
+            XgEP7Vp6aB2qQPbLYI1CfNrjiHLyCHXBJwyWGR3sSFB6LmvHsfx3tsHWdKxyrz3E
+            9AM9WvP+taIpK0F7OjDBcadaMo3Bzl74WVEtznaEmu9Vex7HxNXIMXXBHMj5RAU=
+            =CbYz
+            -----END PGP MESSAGE-----
+          fp: F155144FC925A1BEA1F8A2C59A2A4CD59BFDC5EC
+        - created_at: "2024-05-25T14:42:41Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMAz5uSgHG2iMJAQ//RSjkwW/PxItmHjB0luZ8pP6sMP5iTrgvwie04F3y1gu6
+            mIdAvh8QgCn/5Q/IqKZo7zdUzTQhyuq03DNUzuKyB/Sel6klohnW0QXes8Jt3vUe
+            W9bFFmIaFTk4mDc/tD5Vleph0ruNMXHlQRO4ia5wcYpVw0LtT3pKM5XApNl/9UKT
+            UFZ9/Fvad2a/p277Ai/N5dPUwM535s8H3Kkz473BvoS4Az7cjVnyxKHhguNQH9pw
+            n6hgXEjvyzDrzWvJwrX1T84KvCsPh0idAA9W5YfMU/4loL4RJUqvjkUvn2ErsPrl
+            gNoPTRY+BiivW2HV2uWRkiOyKTwVLdgs/oawZX7LB4aIaI9b5y8rcmHV4fKP8OEh
+            3q7LB5HU1peGmd6agwu1/ejbIc3+4WytVfoqHDI7MJ7jPE3iyfAxaZm1x5PFbVhA
+            7zmYs6tXs891l3ZJps84I/S1uSHjxJbMuGh954RHMmPHCrnLosS8yeNLEO2AHpQi
+            m2FFxbXCRFx7Xd8SvW2lAaKfeU+x36yUYCf7APaQeb59QLTnustIle6i4XQl070m
+            7GK/Hj2uanq6TEhAKWJlyVAucw4gruCfrjC7extPyY4pC4yXVUpM0jqJO37yCw+F
+            k64syU8yhR6whTmOPA/c2JsYoGKbV22NYRj6WIK9cIyiL34ellZVO9Ccsz6QGgHS
+            XgHve1EpLmsR1h1OKCKyUJNnNjvOnehZwyjCFwqT/DrIS1NUgoOaFr7As50YMfhU
+            ymMhQyDGYjjMHdmGoqmgPMOrJf/MJIECdzx/K/0e+eKM1RsC5XpwZnwKme+cVJc=
+            =5GW+
+            -----END PGP MESSAGE-----
+          fp: 18DFCE01456DAB52EA38A6584EDC64F35FA1D6A5
+        - created_at: "2024-05-25T14:42:41Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMAw5vwmoEJHQ1AQ//djObFBa/PnDRF/Q9ngtQy6VmuyUfErLqj9x1OOojB0g6
+            yMCvqH9zrN4JT82rb2xqvjbqEtZGq/35B2GccMXBifJy5JQj3SHOyTEPuoVr+yVK
+            4fzZ9k6vEUYl7FicEZABud8uasfoIGC/jn7EpYgP4v49RtXsESF0aTCnrcwqg03E
+            /cVJW4ovtIQM6UiE/BQPIdbUNPgVrwbDSxilNQrShvJvu3jVfCkdXuyOqlhF/lnH
+            weR/P1dNRhtNzZKLFYHNJRiJA3RuS+h2BFxG1pKhBfMfI/s46g74GkP/R+SEX3o1
+            l83P18t0br2pqqEE/qGHeLQ8PvEsTVHzxAzX8Qgx6qJQQfCDm2jDb6FlsxX6HT0y
+            TC3leI5q0u1A7Oj6nEl7p70/NjW2+W+cXWw4hmwMMnV0xNXsOBBDqk3sA9rJ8Mwx
+            oO6CuLqsWMsO0jGWptLebIzGnwMvaSWMGTMRgweW4gKNzcmiOXUrv5OT4ImJxgwt
+            7rFFPGcrVWUzBdGtTquLryAN1Gf1Co59ndG2SS0LKxVnY1sYspwd1FINpJA6x+99
+            kX4zJlK5qA8wcqkgj5WhTTXIQGLKD+R58pGjizEJzDt4aMB536uZa86ntP4bd1/5
+            Q4zjzwF0aIMWX9FdaCilFMjWjT+iMOl6m2dI3EBcUuTzqL8JTKbBxQ9z+Hc+yELS
+            XgHe79QN5IUbyoH/Fi7jNA7XEUwI6WIrhZ8TWF4nS3HgZkVfsZ/oK1DFBdVcZ5Zd
+            /rJaKqgeQLCxoRFroI1vZYsBRKInRs+7yziK8YtbFhmX0azW5G0NiUtsYXBOguU=
+            =YSsr
+            -----END PGP MESSAGE-----
+          fp: 87AB00D45D37C9E9167B5A5A333448678B60E505
+        - created_at: "2024-05-25T14:42:41Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA4HMJd/cQYrVAQ//byQSYLjXciKE2ryqYXiz3/OgDd0pIVr9HZLlxwUFJFMR
+            DLuxWPK+SxUj6F81mi4A9xq9CmTa3jMEVkGgblvjGoWjtEKKgJrdllMCvo5Q/Gcu
+            CLbMPXGfs/eDEjqEbX1rAdzR31TcFl9FI6bGUIXxGE21DeLIDCgInl5gNzVL+Ser
+            M5OAxpQCqe23wUMPya16XTzpaxug+mertfyOxC3XUk2A23y/8gey0pjAnaDTPIhD
+            q35ni2gA1eigiitJv2IWxIfbZ7rFuwmb9qi+vpBeqMTNLBBbhKgbSg4PUl6usFeC
+            65uRvNJOeMeXfwpPgMlphtz7pABg4ihW7tusVe//Utrph7QJs8bsiokXA/RYtTQO
+            uMK8oYdre9c4FboINGL4hznzUi02ZRiMh2Hf+V4cf4VK+YoBKsRYfO79lHytFHPF
+            6XCv9hh6qLuzTCHlUrAfOYbXbduS5mMLcfX6OYay4lYTEpx3dKBZz34wtg3TtMpP
+            eDuafUXNOfpx/E+4ZtB5X8Y99ax+3resPv9IQMTNOHQJ/vPa4JT8Avkrv/q4wIsJ
+            yMOixzR2bIPjetZbY4ykOwJxL2b0F/Bm5yu0rVHQp9+lYqrypjAzt5vhbdAMkDZD
+            CPxhEU/Kq7DC4fSE6ysTGEBBW+s4i7lwqvfds6RqHbQXL/0jginU4zSxZuZ26xvS
+            XgFinTWqnia1WkhfAZsH+UobDK92lKDiQRtM/xhWkNCB/WZQB4Q4EpJJeXIidTse
+            xQpG0tREIIuS75dJ6nD+Kh2CkOnalSVVvb3VVN8Ft9PEPLf76mE+x9Zk4Mu0vOc=
+            =BDOC
+            -----END PGP MESSAGE-----
+          fp: 91213ABAA73B0B73D3C02B5B4E5F372D17BBE67C
+        - created_at: "2024-05-25T14:42:41Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMAxjNhCKPP69fAQ/+P1WAWxpVnCVQpoHmEFNnK8x1ZeDN9IyYvFFpFRbRJ4f5
+            naL0ROxP/E19LGtD/bGbdBfVU4nNXdiXbGYtAlvAybAky9/8a8AJ97n2KVULR3xX
+            JnsXIjavi57MB3ty+Nop4Fgmv4p4AAsPOzDQtc07Uj5xzxrK9ARtv7w7UyJooOiG
+            Sp692SFChyskAjTVHWU9WKomqsqZY7XvbHJPQT6Y+wUbAjx9iAhpv0CEJcxX/irF
+            D3SkUD1tCJ0NHlzCZ0ORLdhDos+FNCASbhYZiCyUJn1mBfW6PcHmNevzaqSQQaoM
+            hd3vOxx5MFO81K3GtE/r1RA0waY/7knBHk0cBuscBOLhs6MC6i6mMfY711WoiOTj
+            Y9xCjAIYdOeK22fceg0Wk/FMtivFbgddpk+jOrAR6Wh6n2qJZDJFdxFpcaSF2fHj
+            dBZuJ/q5vRedjdLYFnL2uTejAKkQLthqL3F4m2Fzyr5wk80eGRYqQHDtSlwagVLD
+            ZoTLCtGp8qnSLF6Z+nnS9lmsf+X0286wAmRtxHsrTTGm2CDhBmvQjNeq086Bdhp4
+            z6S3WlgX5oMbTS3hD0BIr4euKIUT3CZcbyXzicuS4iwYOq1iaQEMGvXJ2TKkaOsI
+            9W2CPSySkIzp/z5Cpet4Z2JFBcO4QwgCvScm3yK53ZXkRoSwkUWBiWUO8GihgWzS
+            XgEGOQGCaBNxYr/B1ePYUTxZG7gz3qe3QzzrYebHUmYlEFcC1BkyD0CfWZy59oM6
+            mHL30p7LuuoQbO0VocvsnxR8ObQhXsncc+EyZx03zyeDSIbOFqs1sSQ/w+K1708=
+            =dnme
+            -----END PGP MESSAGE-----
+          fp: F38C9D4228FC6F674E322D9C3326D914EB9B8F55
+        - created_at: "2024-05-25T14:42:41Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA1Hthzn+T1OoAQ/+IDsMHXF8Xpm7Mz8EuZ6OjINDfe1aVJqkq6dislIuniSn
+            z62K3gIlYKVCkPC4uQ5KAQBC6mCv/IYmy82OFmexeaHO1uYhLiM5z+5efxkbChK6
+            jxKYudsVe0l0vd7JpJVCO+GSw/jelALUhwtrr/A5URNQ+fQZrTAd5SE9bFEFf0P7
+            exTBlw6Cus5671R+s7G7OGbKgx47Kf4CDzMizYruRBvjwDPkKOAPAGnoNApjl598
+            m2uR4PmlqUJ0z/aFcBtcs1au05vGmVvckSMz8BiqpGsmlbZEVIQRiXqsZ5A7X88B
+            D6Nx0nb0t4WM1EV1UUbSLPFwwcVkOSHHfs8SGk3gaStCNWunkrPGQStUFBmU1TpL
+            2exHEKopll2gQ+XKfvE+mPF0cqd8dq2SfZpLZgp80pKieuHXN/DJhEHoBSELixDe
+            zRXB5/s6Gr2Hlgd3lfp910UndiycP5ROJZbEwJ6O0x8QRxeIqbpk4eXiIK/4lxiK
+            ENepdeFSk8/DS/yEMc4M1kWxxm0rkQO/dxn3SvYV49eNFvkRMWkWimMrSbaIUKNM
+            k8KSLYr6JuoKP0v3NZHGcBZUGd8KuDi8R0A9KZtqz0pHyRIh/Ox+to+Gmlw7EP0r
+            ARPQOBQBUjcxqW6BRJ31onE24AxZN0b3pAAPMt7Z7KXmveHGGqolU1peZfeATKrS
+            XgHJDBQkCm1SOX89yw0O0DVZ43z0b9UqyP157R4JgdyEleNsMbPl+KDPCPx6vAnm
+            iGrsjpWeKMwA3s2biSYUb8T00KD48vH1nidc+XEjfQ/fBDJIsR8Ku7YMZtzKmNY=
+            =xEYv
+            -----END PGP MESSAGE-----
+          fp: 5DA93D5C9D7320E1BD3522C79C78172B3551C9FD
+        - created_at: "2024-05-25T14:42:41Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA46L6MuPqfJqARAAkAuIMiq8rw37IFlLlVv1tzQbGMmWjNhQndBAlwA/dAaf
+            zk8dNuKA8wlmAFv6uwbmfOzvdiwunoYq8cgIRdaP7ieNPRppHIm+pbojWKOvXoZZ
+            6b2+ILacE6JBHpk5o+KbrILrnn1ciyfhGq6CX9gCi9+vvQkZk3+WexgaHEOfFL6x
+            zCp5jVEIbVeDMZIxVbDDVHMiXBy2qmpYrSDMnky05/szu9BBJodcsqZFAqgumVf2
+            kBFFvnzdhJgKWBfJ2H2CfVOWx3CUhLXidqJyFgzs338aGhSNO4jGKvOn1Yx/PLlg
+            LSRphptnmzM83BS4ev9/ejvYiWbxorKSBTPZBqehpKFtPdNNUqbWMpq/lmAn3yLu
+            S+yAVAklCHSDtKEdS9YHAFqycgxvj1VNxLx1DI2mNPyUBoOgzfdD1NiUDQp2s3j4
+            EX8EsH1+b1eKk93751yLKMaSfLjU6lnd2d/h++WIt5tDx71XvIJ91yV3NJVr2wIo
+            MVIUJFh16+zQOWvc6rKCQh8U5cu3AVcB8EfoRrn5fCNh6tu7Aw/fHxz/l/U0vzId
+            cWFZCYFrg4i3T5w3U+ZV5kgoMQaRDh6T8yVXZQTzKSi5qAQW/qeGn6h2zHWARznC
+            J3IJ6M9pX6zibz1ao9oc0ePhU3Vy2vNFdFcpGgLe3gl10BM7GbU7rrmAlHFgG4nS
+            XgHhWFZtUAcYwEuhuOVDfmN4J/QNWlzl20RML92pf0UNCx1VHrStAbA64MqyvE4V
+            Dgallu5Dr+u5SHLgAaNj9HfgAGuDLPCXGrCoYK8KLUR8fIYwkuO13FN2A0YnHOY=
+            =IKCU
+            -----END PGP MESSAGE-----
+          fp: 8996B62CBD159DCADD3B6DC08BB33A8ABCF7BC4A
+        - created_at: "2024-05-25T14:42:41Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA4EEKdYEzV0pARAAomxJSaPmNrFFIiqfWzwdemWBUK4oujqRSvfRmnK3fg7s
+            p+Q/eV8/jYqxPk1q/P9thQSu9gq3OXLkgT2TlMwcsFBG1+xnksu3Xcqr47ON7N9H
+            J5K6a0KPX07O9fuP6VZtn4cDatLq6ag7RYLp2D7v68eRMi1Kyc3W3mZyz2AlbrUO
+            7T/tOqQzD1Zb/vwIy0Vfn8w2KMCPBi3TxlfSdohPsZWehrIAAKZHDRp2931iKPXQ
+            0gDwjTd0sEdXwi+sfXxq00988R4uXIjJhBd+ZFOxIHg9yEcXSW02eUauVwETuLzv
+            2ohAB/LOKQx59mVyE9gFxtMM7oo3vb5zWcnX9pHG+N0UE/RU2C+aR8a3KCOtysk9
+            cHwBLT6Iv3zijeJCeKG7IvSgsp/WW71rqDZCMphs5cFZdzEola+lRXNPIpz6YJ/t
+            qyTFbu4BG76LZyRRTg+i35NhS/GiQCUMyZoUxW0mLgjDsbYS55FQdFP3xaH5BaPg
+            81UrfF3hV1Vrwe6DHbSEYe3qutk3p4NMruHvIIJJLwimIe3i6+MP3/N+ACLV1wBl
+            caNH/e7H4KStDwuNFb3BjXEXHBLPgnnbdkTSTHZFtmEA0o2avrM/EzVDvvVxTCT2
+            e9pbfNCAoXCNo6nstaWRPKjwP8u5HN7RCxjufpZnySt0H/5Ux4qy2v/01i7OARrS
+            XgE58F0/szyLPmsigEpWhFPIunfIF6esq+4u9OVyqBicYFZHfUddyqTLl64swDHk
+            r7vxwxH/A8QMGj2GSmQez25MDU/NBTBTotEzRSyxvqZFTxn7IOxKDblSYPhEfCY=
+            =Tf91
+            -----END PGP MESSAGE-----
+          fp: 9DFA033E3DAEBAD7FDD71B056C7AAA54BE05F7BA
+        - created_at: "2024-05-25T14:42:41Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hF4DQrf1tCqiJxoSAQdAhuqKLIrt0ortv8L+5ex4c8h3ZbiIDTLSGhML7jbMAUww
+            ntvI7quM3pEBFfdBT4BuPCrgka9gA9KRKGRwxYX3uSe5jPtgnH8GI1+gImeyWIu5
+            0l4BEMzlg3LOwADrDONa9xStlwAIlxgH53bqmCVQ2t6zHkxAcSGeHLn2y+aCh6wI
+            9oicvnC69DuQLkMwBFMEMUNiQwwGH8EMfQRacoFAEtH5YqiwBT1qxsnOC8ALfZ+9
+            =1uoR
+            -----END PGP MESSAGE-----
+          fp: B71138A6A8964A3C3B8899857B4F70C356765BAB
+        - created_at: "2024-05-25T14:42:41Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMAzdAjw8ldn6CAQ/7BfqXXAGvvQVGeGJDi3+XhvZ0wKQvfS4UmjP7FFa4gm26
+            4W1eS5hM007yxpjOH7NAsVbWpej8jYA6dDfeuo7P34owws61F7LQLa0X61mC1qOZ
+            IXx4n4kdYSV/CyqJa8HrDe56B0dpou01vjbVZ383Pbf8+VzxaKeJ2X2y3ioRijZJ
+            +T+rCkDHx4neOrrUkutOTJhiezQaeOnFWPEAbNRVfdLAM9jFuuG0uKtnd7hkXf0W
+            8sv7z1xEYN8VF3bE70IGuyZtiTeXwhbTD0gq5kze8LldMLwBIxsrTd/xrH/Oc5Od
+            nY8vvdiLMlAwBrI4z+JI12Hi+b1nglldk3Hu34KaV7jG8DjgBGBy8yolqvKo0cT/
+            9T4aAe9eLANvyHpYfA1CkcFW4CHWOBRS79rC2HcHM1tQ8+coq+jxrzlYEBRwQcpE
+            2jBcP7mnIGPm1csIhB6u/UUKVMqlnZ57MdKHwwXja1vzxfnRNBqFdzq5uZEyU+OQ
+            dDJmURqxK4zCdhk+De7Nm/wR8J7xtIJLUszu2lDJ6SWQEsut2cNUVUvmd5XV1BWV
+            kZaIFKADZI9qcbivci6fpCEH1/qoU5jIZJ+zvOEOZLsIJXBw1M1/fgfSZ8Aosl2t
+            RpikITTF0S1HL2QLbWoogdgBp6X+6xjpoWIhHVi5lqm5CX8HTRwqrJL+hPi0GW3S
+            XgGQv0OqaxGfD6lwyVjokWvCSEoEfK0e7se+ZyJifwAlarGaLvG0PU/iW5cVUolV
+            QT3TwrxD94ZB412nL2+4/QPCT/ZtOXcO+9dhLiSLneHrNrSReByIAOE1s1ZU8MM=
+            =XvKN
+            -----END PGP MESSAGE-----
+          fp: 3D70F61E07F64EC4E4EF417BEFCD9D20F58784EF
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1
diff --git a/config/hosts/git/sops.nix b/config/hosts/git/sops.nix
new file mode 100644
index 0000000..b4548ed
--- /dev/null
+++ b/config/hosts/git/sops.nix
@@ -0,0 +1,7 @@
+{ ... }:
+
+{
+  sops = {
+    defaultSopsFile = ./secrets.yaml;
+  };
+}
diff --git a/flake.lock b/flake.lock
index be7c1a6..9d52703 100644
--- a/flake.lock
+++ b/flake.lock
@@ -52,6 +52,22 @@
         "type": "github"
       }
     },
+    "nixpkgs-stable": {
+      "locked": {
+        "lastModified": 1716061101,
+        "narHash": "sha256-H0eCta7ahEgloGIwE/ihkyGstOGu+kQwAiHvwVoXaA0=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "e7cc61784ddf51c81487637b3031a6dd2d6673a2",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "release-23.11",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
     "nixpkgs-unstable": {
       "locked": {
         "lastModified": 1716479278,
@@ -72,7 +88,29 @@
       "inputs": {
         "nixos-generators": "nixos-generators",
         "nixpkgs": "nixpkgs",
-        "nixpkgs-unstable": "nixpkgs-unstable"
+        "nixpkgs-unstable": "nixpkgs-unstable",
+        "sops-nix": "sops-nix"
+      }
+    },
+    "sops-nix": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "nixpkgs-stable": "nixpkgs-stable"
+      },
+      "locked": {
+        "lastModified": 1716400300,
+        "narHash": "sha256-0lMkIk9h3AzOHs1dCL9RXvvN4PM8VBKb+cyGsqOKa4c=",
+        "owner": "Mic92",
+        "repo": "sops-nix",
+        "rev": "b549832718b8946e875c016a4785d204fcfc2e53",
+        "type": "github"
+      },
+      "original": {
+        "owner": "Mic92",
+        "repo": "sops-nix",
+        "type": "github"
       }
     }
   },
diff --git a/flake.nix b/flake.nix
index d7d7fc9..b2887bf 100644
--- a/flake.nix
+++ b/flake.nix
@@ -14,9 +14,16 @@
       url = "github:nix-community/nixos-generators";
       inputs.nixpkgs.follows = "nixpkgs";
     };
+
+    # Add sops-nix as an input for secret management.
+    # See here: https://github.com/Mic92/sops-nix?tab=readme-ov-file#flakes-current-recommendation
+    sops-nix = {
+      url = "github:Mic92/sops-nix";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
   };
 
-  outputs = { nixpkgs, nixpkgs-unstable, nixos-generators, ... }:
+  outputs = { nixpkgs, nixpkgs-unstable, nixos-generators, sops-nix, ... }:
     let
       # Shairport Sync 4.3.1 (with nqptp 1.2.4) with metadata, MQTT and AirPlay 2 support.
       shairportSync431ExtendedNixpkgsUnstableOverlay = final: prev: {
@@ -180,6 +187,7 @@
           imports = [
             ./config/common
             ./config/proxmox-vm
+            sops-nix.nixosModules.sops
             ./config/hosts/git
           ];
         };

From 361ccac69f10aca35029f504a0a05e48e1fa4e8e Mon Sep 17 00:00:00 2001
From: June <june@jsts.xyz>
Date: Sun, 26 May 2024 02:50:08 +0200
Subject: [PATCH 042/170] Switch the forgejo-actions-runners secret mngmt from
 colmena to sops-nix

---
 .sops.yaml                                    |  17 ++
 .../hosts/forgejo-actions-runner/default.nix  |   1 +
 .../forgejo-actions-runner.nix                |  16 +-
 .../hosts/forgejo-actions-runner/secrets.yaml | 233 ++++++++++++++++++
 config/hosts/forgejo-actions-runner/sops.nix  |   7 +
 flake.nix                                     |   1 +
 6 files changed, 265 insertions(+), 10 deletions(-)
 create mode 100644 config/hosts/forgejo-actions-runner/secrets.yaml
 create mode 100644 config/hosts/forgejo-actions-runner/sops.nix

diff --git a/.sops.yaml b/.sops.yaml
index 26086a9..47f0075 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -11,6 +11,7 @@ keys:
   - &admin_gpg_c6ristian B71138A6A8964A3C3B8899857B4F70C356765BAB
   - &admin_gpg_dante 3D70F61E07F64EC4E4EF417BEFCD9D20F58784EF
   - &host_age_git age18zaq9xg9nhqyl8g7mvrqhsx4qstay5l9cekq2g80vx4920pswdfqpeafd7
+  - &host_age_forgejo_actions_runner age10xz2l7ghul7023awcydf4q3wurmszy2tafnadlarj0tvm7kl033sjw5f8t
 creation_rules:
   - path_regex: config/hosts/git/.*
     key_groups:
@@ -28,6 +29,22 @@ creation_rules:
           - *admin_gpg_dante
         age:
           - *host_age_git
+  - path_regex: config/hosts/forgejo-actions-runner/.*
+    key_groups:
+      - pgp:
+          - *admin_gpg_djerun
+          - *admin_gpg_stb
+          - *admin_gpg_jtbx
+          - *admin_gpg_yuri
+          - *admin_gpg_june
+          - *admin_gpg_haegar
+          - *admin_gpg_dario
+          - *admin_gpg_echtnurich
+          - *admin_gpg_max
+          - *admin_gpg_c6ristian
+          - *admin_gpg_dante
+        age:
+          - *host_age_forgejo_actions_runner
   - key_groups:
       - pgp:
           - *admin_gpg_djerun
diff --git a/config/hosts/forgejo-actions-runner/default.nix b/config/hosts/forgejo-actions-runner/default.nix
index 6a01b20..f5a8ddd 100644
--- a/config/hosts/forgejo-actions-runner/default.nix
+++ b/config/hosts/forgejo-actions-runner/default.nix
@@ -6,5 +6,6 @@
     ./docker.nix
     ./forgejo-actions-runner.nix
     ./networking.nix
+    ./sops.nix
   ];
 }
diff --git a/config/hosts/forgejo-actions-runner/forgejo-actions-runner.nix b/config/hosts/forgejo-actions-runner/forgejo-actions-runner.nix
index b2efcbe..4b4d4dc 100644
--- a/config/hosts/forgejo-actions-runner/forgejo-actions-runner.nix
+++ b/config/hosts/forgejo-actions-runner/forgejo-actions-runner.nix
@@ -12,19 +12,15 @@
       enable = true;
       name = "Global Docker Forgejo Actions Runner";
       url = "https://git.hamburg.ccc.de/";
-      tokenFile = "/secrets/registration-token.secret";
+      tokenFile = "/run/secrets/forgejo_actions_runner_registration_token";
       labels = [ "docker:docker://node:current-bookworm" ];
     };
   };
 
-  deployment.keys = {
-    "registration-token.secret" = {
-      keyCommand = [ "pass" "noc/services/forgejo-actions-runner/registration_token" ];
-      destDir = "/secrets";
-      user = "gitea-runner";
-      group = "gitea-runner";
-      permissions = "0640";
-      uploadAt = "pre-activation";
-    };
+  sops.secrets."forgejo_actions_runner_registration_token" = {
+    mode = "0440";
+    owner = "root";
+    group = "root";
+    restartUnits = [ "gitea-runner-ccchh\\x2dforgejo\\x2dglobal\\x2ddocker.service" ];
   };
 }
diff --git a/config/hosts/forgejo-actions-runner/secrets.yaml b/config/hosts/forgejo-actions-runner/secrets.yaml
new file mode 100644
index 0000000..456230a
--- /dev/null
+++ b/config/hosts/forgejo-actions-runner/secrets.yaml
@@ -0,0 +1,233 @@
+forgejo_actions_runner_registration_token: ENC[AES256_GCM,data:gAR2ffrffeuuaOwO6mWcif2e6csKIVoLqrux19iBlrTkFHgo/IlHVL0eSUGqnw==,iv:i12yx/quwT9kj6fPECszo/iG9cVhKX+7dAA6/N09URc=,tag:eO+mWhumgvWzQxYqiRUXbA==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age10xz2l7ghul7023awcydf4q3wurmszy2tafnadlarj0tvm7kl033sjw5f8t
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKZEFkeThaUkhoVlVXV1V0
+            eXBja2hueWJzZm5RNVdaNTdKNGp6OC9mVmt3Cit6S2tBQjNGb0N0RkdDdWtpR1Vv
+            REd5WjJrTnJYR0lGRkFGU2RXTjZkdncKLS0tIHJoV3I0YTNkcHdZQWZySVNyVm4y
+            TGR6Sm9uZ0ZQeEFNK1lJRE82eUluclUKL4mGDJkQ3mQu+7Xc2KflVqLUjbr/5a16
+            VlYUplTqUCYXtkzq/3RKZV/pM4RVYBDHvuSzVr4hXBSxW5j93dhezA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-05-26T00:29:52Z"
+    mac: ENC[AES256_GCM,data:c0261ungapxYViyviTpNsSJZs6OMQ8fyHNqBpvTBp9jEEbbvJBSbqJtwJvVDg8Kv3xrZjC0jZSQOWkvYJlb2PFuW2/GXy5YpLCo7k3ZhXhUbotsDFPe30bvfVxZWhMpaS2rEXlxCqHeVmqoslL34jpLuFx04FmoBh91yjDMoiTw=,iv:njo4Bu4FzAbU6t7CSbqw7hcJ960oqsIKuV/qUGF8c1I=,tag:dzFxW8vyZsDFkd/ARkt5jw==,type:str]
+    pgp:
+        - created_at: "2024-05-26T00:28:49Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMAxK/JaB2/SdtARAAoDySYGJ2Xf27El8y/UTYOUaM51stw95ZfnU7JtKfPNyM
+            Ct+xymnyxAwR2OJ7oDluxwEItdPufp/Mr96zkw+TfrqI5lowTiH4YGtDsbioiScN
+            qxiZgHN4qVZcRHwzgmLcDa6GSIg6rEcDcBygakprmoI4Qeqp3Bioii0/OMuLeleN
+            igauRUzroFLIlS0QCgI5PaUSIPtSMxgKiEc5yM91EBh6w93RaoQmG0k9TWpfLmgo
+            ZVB164SYCCW45vts6T7WQ8cE7Pxkkti+rrOrjaDfB4ape1u4gS6xKc4dFJ+nWcE8
+            5l6MXoDLRd69VWRN6P+G5YGQzB5QRicNnuwk6H2q7CwIqZyi7ZqaCIZfcpvuUzCJ
+            OGJQInCFFVSdLj/3WFyXk+wemmZPna5xFxFb6WVwfSU1ikM/umrZ5yBly+mvDGzs
+            l+8YGcsZ9D//qjVIsWbiRwhGgeA3eU6f7SwdZdX/zOFy8bP85xwDcbwdOSkhifAA
+            l3Ud3rswmAnzSYAw5wK9tcSxS+G4JeCPU1iKABifugLohgME09Z31ljvyqWPBRe/
+            Rct5zvcQV2yjMbToudXafvRUb9nU+uJuWUEUe8xFSrAC1ijA3mBYfIrGNvD2eVCY
+            MTYK1ugKA9X7Sgls3vQ0A7fLHeR6C3+zhl7SzGHUZC3bh5+oXTq6cuXD8DjCwV/U
+            ZgEJAhAkZc7MICSMkACItUHxyyEMbBYNpIJ6P7GQA6ErhLcV1VpKWo6abJVVES36
+            j97RpaD1tL3OyGPfiivMkk650MkPrgpMKR0hasl770B8jkjVPyDV9mSn+sc7N+tK
+            D7IbDW18mA==
+            =EhAw
+            -----END PGP MESSAGE-----
+          fp: EF643F59E008414882232C78FFA8331EEB7D6B70
+        - created_at: "2024-05-26T00:28:49Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA6EyPtWBEI+2ARAArCPbAnHJrNpP4B755wKuDEzwVMsqCR+gumSX/XcuQJMI
+            O3/34FJOI+++S/+z94y4O+A7XPsG4xr+UpDIGdGFAsOQBrbxyqD7c0BIToJgq6iG
+            22j7y6N6OZFo0g8hGkUVSMeAZXCkg/t70e2POeHeEwnlsNX3cRuFWC54KxfVwr4w
+            UjlQmjV26+r1uZd3DKj/+eMi5E63XTsgUhAlJqixpHt3PEKZ5UNtnCAbYXqF2FOF
+            qqNyB5X1M2ncee+RGzLqnXaQTSEdKmlEwteVlXWtsqBs4gICOz+6ehfA+gk6r+si
+            Hv5dW5W7OjHsZfRfLxaF05vBUqQ+M5FdYl0hBFZzco3zuNQ+c9om+c/3Fd+B0tZC
+            0pUs4JiNa/chjuSCiJ0ZJE8kh7xCmmjIrFqsvWi4ZiTk2GWPEeuPq91TC/azfQea
+            ZV/Ozh09wAMGnGYUY0OqH7BIGsV6mEFKy/oEpwvoPuI1sNLiMig3ZAMHcIdqYzta
+            S16/JVmVirTnOTCL7p0CZLtiQuQH158gn9F2T7WCfX/XA8ifVSAyjWnYL3+rJUr1
+            zuhndbJTXD+5K9RKVM+FXC+G5VRzmWKNN9riijtLFhPKuOqDwPDst81XGsO23gGn
+            QIFGGEfQ8vuC9lmF8jDPHZfgUWy3kMVaLW+ti7y5IWhWEJASYVXF2JknKeOw2zjS
+            XAE4hG6ck97ZiT9V5bKC/fk/Ep/GWPnQTMdISinbak9hZigPPQ3KCyf4WZoJ1+sE
+            r+rk9v7NO1N5rnVQokL+kO/sBCV/t9XrHuFDx16cZrSHpHubQUi9daxc6EQ1
+            =7d/s
+            -----END PGP MESSAGE-----
+          fp: F155144FC925A1BEA1F8A2C59A2A4CD59BFDC5EC
+        - created_at: "2024-05-26T00:28:49Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMAz5uSgHG2iMJAQ//QF80EGvpode+J0kDjrrFKdSXREPhfCtFU+EpmE+f+aGO
+            mMPZ0SEuBX4g+5K8u0IdeWR2weqYqY0O9Ar2m18YlpniSWFBZqzmW+/yk7vmDzqr
+            l9pV/SdRomGrKyXk9JehkLm5vwUrj/xlPAU0DQEKIPLZ/MMRh7bIfL5Fdujc9cLD
+            nybCqSXccYy59SDqVku5Q6A9FTTzLL8uFf5D3mthp/FgWpxIEQIau8G16PZm0aSJ
+            cBu2eZ3XDjmgIQLG+TMrW77lp/2AhFe23RtK4y5aZjzGhzO+Ax3Cn7pZI9zTGW6X
+            iF/ePoR+AQeXMWfwIujGR5Zy4NvdNKSfniFrjgXpsWSMjCp8pKTOlhkknL3gE+HU
+            etQDmPPCYvaVUwITpmrEAswTNPw0xekXGUe1HgETfhWAGw8zAEYRlOqw3Jt9mMX2
+            QczfXc2sA5Z4TcylESIUcpTAFQVMVMB9bZM762tZu3bM9qg6qybNVJBk9UPpi0RW
+            ZFbXA6lkOnJLG5/m/Ie4UDoxXxtOOqkFzjV57GEBy/HtYuC15LeyOuAgDp0Ta57L
+            0f/ufET/T3z5qBE8GN2zSTO7gGnFAEQ+028ZB0vGVR9C0JdCwVBMlGglC6NiaKqP
+            xPDLPdBqrCczUQyIJ4f7JJaFCfndLszuchb7IzCy95I7nMmATREpP06uRbnuRU3S
+            XAHno1TtKtfy/+T536cmGhke9gNLZXBjSg+W9ndHPo7r115Ytap5nlQqhM84qOyE
+            bhKZlipM9hkhfeT/6X2NzYL48/hsxJ7nh2sbmJQ0d/2DtmXT2gRGkbYq/f9+
+            =tuO+
+            -----END PGP MESSAGE-----
+          fp: 18DFCE01456DAB52EA38A6584EDC64F35FA1D6A5
+        - created_at: "2024-05-26T00:28:49Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMAw5vwmoEJHQ1AQ/+IK+UPsLOltPFjdvN21ICHY4De1c6qqMrrDAskqeDWZet
+            9eoal403d0fY6E03o1Acq3XlTzR4srWLp9qo+soAhruZ3+W5M/6zBaq/f2XF4fu2
+            U+bjVplM5U/pHTtGb05nHJ+UN7dgq2OJkURAe7aLSwLLScxTH9cggHAo6wpsaUTQ
+            Uujbo508P5/Vt0efbnyNbk54M/UMH0s93YmWSuxu4XvyUPaVFcjXkh61Tfc8vY+v
+            l5P1qDEjQrRjSE11/xzqAmZ5x58cMK1Q9yB+cy5Lw6K+rFT+5r1jdJem5NBsIRFP
+            eJjmTj/rzehujAciA1EOCF16ZsVIG6HFb3SLcNoRRL3DDgQIHgjHT38qbKrobjGr
+            Ww2Trekg17t2C48+qa/fGZO8dSz+/97gfAMMA2DdWHPlZxVCraucZMG0p9CkNxcO
+            kEtpD5hYJE456MqJQJoF2x2m+/SylJntfeKstKDhD5MZevTkNhD3MRE/8XPW/abE
+            byO8hxz7g76l2OKSjJdOUkYTDsjr23qKAuYq3/tENOMC+Z0eTKjQbzyLdSitQkM4
+            eOxRMm1qJZM7Y27kYLZcLadkewuBgmXqpDePcH6lHuLZp6S9o9LmrzvAsG79RjGs
+            wWiITzj4oG7ROT1Np9h9iCrfKiQ3fM/5/4zJvFvGm62DaeqNSwVT9NSLodrpj/XS
+            XAF3ozQWD5ib0d/yUKcwZZcbbJyn7HyaCn/95zxOMu+C4K0qhJLZeMyOYQOj2pfb
+            T7EnwyXB5vdL3JJlhVmnFCTMFv/RjhNOJX4qbDnV1sqTj5fFMgcbA067BLEQ
+            =TU7Q
+            -----END PGP MESSAGE-----
+          fp: 87AB00D45D37C9E9167B5A5A333448678B60E505
+        - created_at: "2024-05-26T00:28:49Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA4HMJd/cQYrVAQ/8C0go1iw89B1ibjbrJTxnmYD6iep01wAwZjHNm9/cC3BV
+            yFRj/D7d84gO2YX2hZxnjlnFQYRsNez7HpsjZvUmp6FN9LpJNDp2NvukebtS5v86
+            hrcqODTdHNa+/ffHIhUoXVSjw5kwpQNT0JI6PR3EyV7kjCGkFAFMzHbaNRbdup5O
+            vC5cD6Ty+aihB/E0st7/KUw2PH7bMiJ+lAlx53Z4v7xZYSxS0vFXRDAJRYd6Bt2t
+            LvHO68aRMF7czDB0JoV8BOSohSvv+ZXBqe2zCZwl8kUZoW3n9eym8iF7yZ+itT2M
+            OdLTOg6SIhhtxcm7qFRHsOsBMjmT+MuzQVNGKDQ6Gga6NiiboyuURso64L7F0SbA
+            3MnHeYoTm39hUs50xqWXdFfi8G3d/SfYcxYghJJx+SwlTd1ZhdSDxQ1uJtUi7ccK
+            8pHwIVCdkOF1hvko3w0/B9kHmnlWKBUF1wN8QHTmlViCOo4vIpepowzN4fLlpTug
+            VtyW08lbdMWqq17OcTUK3O7Z6hDDUaIKV8vGvjxrJ7wJp3kok5cI7jXOYEPjxfSr
+            ZjJpcdrAuJTZjSIsFFopGXFbUkI8bqRpo75lDuK2fA6x38WQqedwNo6YTXvtMn0V
+            bhYLeEt5VeRSohGWNsdGvpjB6BtPhKoD6hK+aQAeOhhxyuF2cH4o0/lFZSkDo0/S
+            XAFiYzGNuu1nJulLjaAGGeoiom42N+MEmQvlIfG7AR/XgMSXs5d0JH/COJkL3V6W
+            zyhAGxTzEmDYmddbhelxXn38obOnsAJU92GXwLg+PXT7ZkFHrCfg9jEvgwmT
+            =98Lv
+            -----END PGP MESSAGE-----
+          fp: 91213ABAA73B0B73D3C02B5B4E5F372D17BBE67C
+        - created_at: "2024-05-26T00:28:49Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMAxjNhCKPP69fAQ/+M0Y24jgYhl4VEAT8ymoiCiNIsqGuk4yIXO6LrTIsNGlc
+            6YwkJu9Gj52AH8XKdvLuBGtWstjVoVrBOFyTtS2vzW01Eh+sFKfm3tF8CywjSMZ+
+            Xg/v+rtbj7s0EZ2JeE0DOk2X1zg26HsNd4X0HkIqTAm89gNVSTMWGGhDbTBSxtFx
+            ain5e14rUMM5qeIZg4IEMlY0mEbpGC7AqV1LKclN8pp2e0/6AS4fxamoMtPOhwld
+            /feF4/9AwZ04HIwF0ucbrDDkoZrW7YaYZPapxBTCMU0alkX4c+WTBMKTWICC1DkZ
+            lVF1zmLm2rhxebM0AaIw+eT2MymaecTcVrEHdhbtCGbfIL0sram2Qw0ZfeYDxIas
+            5W2z0a+qSQtlaCZfq/kc3UBQpRgv0Vrc0CBoZJhFmhfsH0F7uPE5rThqeT1w6TMd
+            bc6Y09Yorfyio+ZhbB8BJ5fzlolEo8opSZLm1K3YAik5Tw7toIvZqeXZoS6DfZhk
+            o7K/uUJTDKHuscxRLAfFKqBoZOBuf7d+ski5arMcjMqOYvmGKCn2pzs0TuO0ZaDG
+            gKbvSz2a6KyUSU822W0l2HSfM36HxxH7bDdJ12iqbBtWPcob+KcKrLowpbzzHpMT
+            o23ct/g5qpKpEvH+AkXQ9nOO9VKXx7voQyFM0gS0LXZGJcXeeeVbttcD28Td7WvS
+            XAFWumenh3Yc2VUSF4PUICL4g7o/4sLPjHhctlNHQ4+iaF6beZljWD/lwFkKxbqt
+            oHFjNx+ajtTxQpzpBQgqO6twKwLjND4lQ1yRlXp3mGm3U0BI7QUCRp+D+RcK
+            =N//k
+            -----END PGP MESSAGE-----
+          fp: F38C9D4228FC6F674E322D9C3326D914EB9B8F55
+        - created_at: "2024-05-26T00:28:49Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA1Hthzn+T1OoARAAtsPz8vCvZ84eAoI3bZwP69V1coDW0SgSVqAi0XDfsRbo
+            LJIU//nkp4pKjUMoBgc++TdLa94/mqeFVhXozAW2T7nFhYOOK2HoVl+JqvgvTGVy
+            ZhGEWTud++inzjSAKAEll6x89dYE07DLtbLNaLs8w3X/cSDF9fZekmTvyaks9AwQ
+            oI+RXPK1ao3Nvgw0pkvRzFze7HJansA25+Ojcr3wnhP3qtKqfHjbXRs5Qu46fB3b
+            mz3SPNcN/JihodKBhZ0suCk+HZx69EXbBV8i9EDBOX+2Azxn3aCGh0jlDAyCMMNp
+            CWiDuYduzYFV0mF5vAGQC8ifrQZDOjvJR1qqJ2115c2bB9cP0asTS7ZoJEEqfkz1
+            mGLHsOhhuP/DkHhX2B61nDl0LQ+eoc1ZdZEcDV0hrKptiFlxmPySlOXD1LpOU+uk
+            JFBot/Sc9GEZzaInyNSmSvd2Y6SiNOl9t7QAwIPwmGYGY3iNDPD6RRl/CQb7raLG
+            rfNH04BYltboG7HQeEqiEEijn7xctTSNp1O3EKrcdEpg/sAlQzarCOmEUvLXWeBj
+            YhPRH6Z3+PMyn7m2Jb8VFO3hAX4zfb7eJcXhsKHBhfYIXViyuuzJNBoXYnorqSRK
+            n5OobCGQAhxeLHOrG2J059HbfUgGtfD/4MJNiGxuCGmXJc5oSJVRhy3d11ttGIzS
+            XAGuD/Vw5GUqWVZKNp/k2Kfuxauqu6jDPI534dLf35qaROkvbWz2bbfwPx4hxtkE
+            dZCVWILFq/BbXXiCVEMeJf6FrXcB2rJETBgknQWtxRP18Q7Rb4a2jybv5TDk
+            =ATJq
+            -----END PGP MESSAGE-----
+          fp: 5DA93D5C9D7320E1BD3522C79C78172B3551C9FD
+        - created_at: "2024-05-26T00:28:49Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA46L6MuPqfJqAQ//WVgNIjTv+F0kaoyM5stNqV7lDHPNF3jKVLOZBV1d8wbL
+            NhHnNRiadls8SwazCHgds/ahoaUTv+4IF9hvmyLvksN6iEN5/YnyHa1nFDBC8kow
+            pzA97WD6/bo5SjCk5oqLHjbR7ApKAYHOnI/XDum3QyWUV3KzO5wQQBAVki736l6q
+            ccUVeYLgjcnlTSlz42TcNnPw5DbudAizU4DRu4KyqQX1hBJEYA9lLDvFxvjrSidb
+            TzGWzyY0ERkrgrW73K9il9xqGsnyDZLvHPZ3f+nwEuNjM+ITxliZrsfxmqbWZ29f
+            sid5Z8Z9lZ88jIC2VR4+XW1q3LAe4WPhp3MjvhELfKLUWTRp3zRN6kabxuBtJcuC
+            0s212dm2ctKbkTaDbn7Q0NyJ2CLX+5IMjWs/i1NoLAyjre6hFmie2Ldx0RGwxrJp
+            wCA7EiZ02UJcLQw4QT3o/2Pxg8Spi+eGmqxSmMV/PDJ1gSdUv85gPobdDcotky6n
+            ng3I3G1o2XRUKnfDwv//4mFbDHXsCPXs7fMLwsSYZi5Cp49NhfbCbQHeusCdchLY
+            dA0Eik9ckUDH6ihyEN8DyVcZyspxoIFONFqly21rNECcKy1i2HxTsq5SbkZmmUS5
+            XiNQTGoLsx0CKI78oAXNfgY3wdpi02Xykkctjga4U2L/u8Wg7dVRgUFmq64rJfDS
+            XAGHB1X4194RVvPcpYP6tScEDnmQCs55wsiEuWPUyvclwb/aO8y5K1o6Uz5IW7/o
+            8lfAj6gHs775Z5xZE3FD8O1NkXVOyLmzkH2bJbkZAQ+JVfQS2UKshMtnQgz7
+            =dG/+
+            -----END PGP MESSAGE-----
+          fp: 8996B62CBD159DCADD3B6DC08BB33A8ABCF7BC4A
+        - created_at: "2024-05-26T00:28:49Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA4EEKdYEzV0pAQ/9He59UueuO4GXg4uBxLASQiaGKS/F1pPfTU9W4E1f+C4k
+            Dw8hwiLIZWRDsj0huYd+klyg2VJnjmPf0tB8qj5nrHo0bTKH0oJpiDpX8Bi/8j7d
+            WBNyS8LmUrSub3TdM3Ob1muUt/nHvgGQmWKt3dH+Jkc/um0B/+Og3Yka/JcKRF0Q
+            IAYkzVFlPdh95IhPEJ0Lo7zyN1FU0UwlyMasjB8Xae7VoyDhtgwur60gTktNIuyU
+            tAvLPKSSyu//Uz9olGW8RKw5//5A/EYNlP8WrVV0crDNBGegTlX68EsZlZQp1uXc
+            GK0ZB0OtphMUJiF9dUXNfzbGz02l3voLs5DUIpE+EAyEDu7hZEDgU8e9oTJRv05f
+            TumOjDlgSrhALyewO1ig92fU407JxxwW9aNl8gFv2Ph9lEbSaQWpo/VAHA178x/p
+            j5caXUUh5qUFGYhtOoHB9KtxL9X+F7Z5FjHmHxFQBtLrxP/olmQ/5jjbiz5sgf8A
+            iW7bRu2tBmiT5TrMcDxFSf3d+v5o0kOngwPl+8e9NC681uXuddI9g4s76f7KrpuE
+            bb483XW0CZUdpt8eFXAvk6CJ97gi9H9iZBrqhMKjGnWbE6e0683PE8WNTwCafoYz
+            mCelVHHjX1Qsk8Zg/vI0EBEHkeigCiev9O85dUVbCxHVniBkvIF4ZNo9n7NRnAbS
+            XAHQ23ARYRtF676DYWSH50sHJ5v98BTKn+Ca1QWMRCb2kyqUSfn+XzgyP9Sv2nqx
+            dT8DO2oTOraOaFS2+j9N3wRjbocVRuTV2EPwdgPVPg9IakNaO3qBUwEnNM+b
+            =EzwG
+            -----END PGP MESSAGE-----
+          fp: 9DFA033E3DAEBAD7FDD71B056C7AAA54BE05F7BA
+        - created_at: "2024-05-26T00:28:49Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hF4DQrf1tCqiJxoSAQdAy+TLSybMtug+TfJVBd4WJP4q5V6Qf0yPtgj4YUF4YCsw
+            rUctAxIueheQq5uqoPm3bTeLUYeticEVf090hr0613uh+l5DZcD/vqoHUK5dx7Zs
+            0lwBTi6sRElMIJiXplIvCMyYAOne/QZG3WaLx+LqqaNlNKPz8OVPhbokC++VNpwz
+            l5GE8Cv1ZoEDxbjLWurS772NiIumo+lAnjQMAxhHo4lVPXTxZZCqx3/98agyKQ==
+            =oiZp
+            -----END PGP MESSAGE-----
+          fp: B71138A6A8964A3C3B8899857B4F70C356765BAB
+        - created_at: "2024-05-26T00:28:49Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMAzdAjw8ldn6CARAAvnyyMeBLfWLFU6dBK2lNAzJy/gHb674YQbCe4W/w9Cjl
+            2pbiw1Hhpe0P7d7MGy2mB3Hi7cLygklFZADkHnrOoRIaJ8KqJELsNSHjapIE4+jW
+            8NWIcRSyZzOQFeKGFPNCJgyYd68clNmiLNlIAI/Xuxf4xSb3BLkBDRx1cIoug5gZ
+            pn7RrWYDPgrUyn9YfAJDr5OJsBcJD70sdi1TmCK6X6UCGZpNUI22yqS40LX6aCvj
+            WzZ6gd+nyjLlHXBBSG8R2lywPdoEVo4Y0pWvd5oK85Xl80gtlXSpFBfEg+EWbLCa
+            EkiAXthSAWwgBfjV0UCM+Qd5aiwNb8Q9j90AqPhIAawnsGWRrSL40finvJOdf4lW
+            f8R8Xk38RovBlHii1u0iw9O3Efur0UJ+aEntIEjaoND6K+32oJI56CWev0ARgR9N
+            ECROL+57Z1121S4QfDGp3LuClgAJDPB/LTL9ly39jOVaPZ7Ym+8qe45C0nkO3SDI
+            nyIkv+GA/gz9EuClfShc4N3T+XPjSe+wz7gt9hACpSai+Muea+2ruUpa9Kn8hasi
+            1zq7qR+3+ueJc5+8P6xIyCKxBTneBM2VNlh2e0GZlCxqCrx5Vt0spr4fijM/JvEo
+            +/2oIRv75NtF9zAwk7foSbyw8WQCReW61hLr9rVnYMoCkhYhlEIEGBZiq/94SHzS
+            XAEUZMZIyLdgzXVIoP8GVEqCErVYT5qCpo8Ett/v8efm27ucV797SrRibqiFEwIo
+            SsEKMoULNyHXQfnuKviNnuG1ril/azjsAtiucJvTdol7pY2nRWeYXIVecX0G
+            =Dlro
+            -----END PGP MESSAGE-----
+          fp: 3D70F61E07F64EC4E4EF417BEFCD9D20F58784EF
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1
diff --git a/config/hosts/forgejo-actions-runner/sops.nix b/config/hosts/forgejo-actions-runner/sops.nix
new file mode 100644
index 0000000..b4548ed
--- /dev/null
+++ b/config/hosts/forgejo-actions-runner/sops.nix
@@ -0,0 +1,7 @@
+{ ... }:
+
+{
+  sops = {
+    defaultSopsFile = ./secrets.yaml;
+  };
+}
diff --git a/flake.nix b/flake.nix
index b2887bf..fc4fe7d 100644
--- a/flake.nix
+++ b/flake.nix
@@ -202,6 +202,7 @@
           imports = [
             ./config/common
             ./config/proxmox-vm
+            sops-nix.nixosModules.sops
             ./config/hosts/forgejo-actions-runner
           ];
         };

From 154edc19727ad1a02625da219214d03c78928c4f Mon Sep 17 00:00:00 2001
From: June <june@jsts.xyz>
Date: Sun, 26 May 2024 02:58:15 +0200
Subject: [PATCH 043/170] Switch the matrix hosts secret management from
 colmena to sops-nix

---
 .sops.yaml                             |  17 ++
 config/hosts/matrix/default.nix        |   1 +
 config/hosts/matrix/matrix-synapse.nix |  16 +-
 config/hosts/matrix/secrets.yaml       | 233 +++++++++++++++++++++++++
 config/hosts/matrix/sops.nix           |   7 +
 flake.nix                              |   1 +
 6 files changed, 265 insertions(+), 10 deletions(-)
 create mode 100644 config/hosts/matrix/secrets.yaml
 create mode 100644 config/hosts/matrix/sops.nix

diff --git a/.sops.yaml b/.sops.yaml
index 47f0075..47c6197 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -12,6 +12,7 @@ keys:
   - &admin_gpg_dante 3D70F61E07F64EC4E4EF417BEFCD9D20F58784EF
   - &host_age_git age18zaq9xg9nhqyl8g7mvrqhsx4qstay5l9cekq2g80vx4920pswdfqpeafd7
   - &host_age_forgejo_actions_runner age10xz2l7ghul7023awcydf4q3wurmszy2tafnadlarj0tvm7kl033sjw5f8t
+  - &host_age_matrix age1f7ams0n2zy994pzt0u30h8tex6xdcernj59t4d70z4kjsyzrr3wsy87xzk
 creation_rules:
   - path_regex: config/hosts/git/.*
     key_groups:
@@ -45,6 +46,22 @@ creation_rules:
           - *admin_gpg_dante
         age:
           - *host_age_forgejo_actions_runner
+  - path_regex: config/hosts/matrix/.*
+    key_groups:
+      - pgp:
+          - *admin_gpg_djerun
+          - *admin_gpg_stb
+          - *admin_gpg_jtbx
+          - *admin_gpg_yuri
+          - *admin_gpg_june
+          - *admin_gpg_haegar
+          - *admin_gpg_dario
+          - *admin_gpg_echtnurich
+          - *admin_gpg_max
+          - *admin_gpg_c6ristian
+          - *admin_gpg_dante
+        age:
+          - *host_age_matrix
   - key_groups:
       - pgp:
           - *admin_gpg_djerun
diff --git a/config/hosts/matrix/default.nix b/config/hosts/matrix/default.nix
index c0a7703..1c1f783 100644
--- a/config/hosts/matrix/default.nix
+++ b/config/hosts/matrix/default.nix
@@ -7,5 +7,6 @@
     ./postgresql.nix
     ./matrix-synapse.nix
     ./nginx.nix
+    ./sops.nix
   ];
 }
diff --git a/config/hosts/matrix/matrix-synapse.nix b/config/hosts/matrix/matrix-synapse.nix
index bcc097d..dd92a5c 100644
--- a/config/hosts/matrix/matrix-synapse.nix
+++ b/config/hosts/matrix/matrix-synapse.nix
@@ -44,20 +44,16 @@
     };
 
     extraConfigFiles = [
-      "/secrets/matrix-registration-shared-secret.secret"
+      "/run/secrets/matrix_registration_shared_secret"
     ];
   };
 
   systemd.services.matrix-synapse.serviceConfig.ReadWritePaths = [ config.services.matrix-synapse.settings.media_store_path ];
 
-  deployment.keys = {
-    "matrix-registration-shared-secret.secret" = {
-      keyCommand = [ "pass" "noc/vm-secrets/chaosknoten/matrix/registration-shared-secret" ];
-      destDir = "/secrets";
-      user = "matrix-synapse";
-      group = "matrix-synapse";
-      permissions = "0640";
-      uploadAt = "pre-activation";
-    };
+  sops.secrets."matrix_registration_shared_secret" = {
+    mode = "0440";
+    owner = "matrix-synapse";
+    group = "matrix-synapse";
+    restartUnits = [ "matrix-synapse.service" ];
   };
 }
diff --git a/config/hosts/matrix/secrets.yaml b/config/hosts/matrix/secrets.yaml
new file mode 100644
index 0000000..26253ce
--- /dev/null
+++ b/config/hosts/matrix/secrets.yaml
@@ -0,0 +1,233 @@
+matrix_registration_shared_secret: ENC[AES256_GCM,data:5fKfTqwoUreSIPbua5t1lYZFRnQQjNzFvrIBVIBfKWu20kH4BhlDboL/zYnhWLELq/KykX/EUvijoZxxTnUiN7T8H3L6fKOCQKacZkIwKfg/JjqLVnXIaY0JOwg=,iv:Cazhdo7YR0zSgiyQoHLsk2e4dWGSoSfEtOuMA1LEJcg=,tag:KsbnGvEyRbzbIXuAayQk5A==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1f7ams0n2zy994pzt0u30h8tex6xdcernj59t4d70z4kjsyzrr3wsy87xzk
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvZzNVUm1keldaNExycVNM
+            OEV5SUZQNC9uSW8zMVNZOHQrMUQrNm01Tmg0ClF4Wm9uSzRTL055ZnlHUlplUHFO
+            QmhXQU5yMFJDMytyMjFiaWFXa1RuR3cKLS0tIDM2d014TTRySXVtOEJieVRxdlVp
+            NG95TjFjUjZFMXh2STIyakxqbUJnRlUKQ64ahDiNJ4nPUQ5pLH4Jb5yidNrK11dT
+            YSg9QNr++FTdYaQ/TXmYTg0d4kF3yb/xyG1vZMcpZP6+omwN73DSfg==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-05-26T00:55:05Z"
+    mac: ENC[AES256_GCM,data:ix01bcc6i1dTxoYkXbnEbLgMC1bcplI/hZhyO1mFzPAyjfn8h2d4AHUS9CG8UnIDYGky8Wx3BqrC6MmWMtt829m8bS6t83JTPxOEm1pFEa41sUkW9NYuNPL4LQ8X2BzwteQaI8nfscIuwOZ0nK5CmArZneuUookQEszAGX2R0Mw=,iv:mZlEG2pPfKLgZ+6k9iN+NexRzlibYi1HzqBzbrVFj3w=,tag:PIXA+vyOSaZdU0CaI+03/A==,type:str]
+    pgp:
+        - created_at: "2024-05-26T00:53:53Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMAxK/JaB2/SdtAQ//Zi8QfQ8Ahr8WyEeaJIvXBRGUzmyg84aboRweI9D/MeJ2
+            CnVm91xr74HylD6sAXbGcTnwTtWChrrgSJ7vGBj5t2UOuW9zpKFl/pgs7o4jzwoc
+            C2Kmgug7S/chaQJsfKTkAs0t/MTHO+DZru+O/pT90zgdQEig/19i1smnrseBuAiU
+            zow7lc9mwBTIEsTlkYoIr1+Ihoiizv/q9oeMvfaZr8hKV4wYTp1Cx9xCgXxVcv+X
+            SpzIqqTT/lm87znJcSWCQY9fTRrhAQu4RdhXzEIxTODljmFhQcx/Nug82EAc1Xjh
+            B7qMIsblbabJyrBUk5BypvDHJiso8qLd/6/i/rRztzK1q3vtT37XPKk8KIJz84cy
+            ZDqAGDWj8jWDctwac0xTAFKVr/5oF4TGIf1Ydwv7+GMOeXvn2ZInmiMGUKxdGhwW
+            vg2azqqatmRQxI+kHUHz+FBiQSTgKIkVplg8daCIhQVK4r4CkOU5dPvDjw7FLahV
+            LN7XVNVCZw7p9yACd5KkjWX2E7bfpHr/EADOr5epc/EZwOmblFmGPzFPNR/IfF+E
+            QJrw2bTDuMGZRzvn+6CozZOnOFpSrYtzbUHTvdt+iskHS1jD237NOvPe4j2Od401
+            c2LjekRPo9BpkrufIlDQrgjflH6RGHOLdgqPE9j2zIOfmKjdIYiQlIIjNlh/xeDU
+            aAEJAhCoQ0WS+mj/YL0Y7lu2/GEf5FxjkOwa0o6SOd7iR17zrTwRkBdSfsSUAiu1
+            pw4vkDFzgvwR+80vYfZcnYyCGOQKMYcn0PLtmnQfy/LUUGW+B1/kxqSHZDDhCuWr
+            o287s9GBxBoQ
+            =BImL
+            -----END PGP MESSAGE-----
+          fp: EF643F59E008414882232C78FFA8331EEB7D6B70
+        - created_at: "2024-05-26T00:53:53Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA6EyPtWBEI+2AQ//VYKib9HvGAxzknrRfI15qFSHdvRxWDiR0M8Jo7JWTOCJ
+            e0BGytT/dkYAKXeZvLX4W/65jQ4GhBMi20NSnyfqsWt/ENoLc3v9mXX3JleBRceX
+            8Gyz7tlqjg+pVW7lUtotz4vM6TeKBJUT6tHm5K0OiQBeAtjitphIkmakw4wrS0+Y
+            +3Y7dOpktefQDSWVDPtbDOImcMFS6EYn5JCPG9xOhsX7XoK7/wCmZuSF3p/q6/CV
+            3NgTK0W2L68CiUye+ajrtn4545f3jnQXiu+JkZGcHdKsHaexW6dzpTsSgsSc1S+t
+            NlhEty6Q7kXXylG3OAtoEhsA3PP2Av2o0oaIpn1Syd5czHvmV7M+QT1M9HU6U96l
+            Nwio5cSX7faMrlGfaBNY681kVtOiOSFDMvDes8oPEqrqKEDkIiIQwMnh68iCTXzX
+            jRj+dpCLLfrHdo1+oB1JI151eB3ofUPbvTSdz/pASJ9gkFJBgGCl89atxZ7BDNQZ
+            oCbk0NxorDG4RBA2mliITnctqAe8ZcpBrOJoGO8oJ6u4fH2SNNuoc5A+7tMEHCqb
+            2E06TYmUASROR87g0yZdtffK6+ZlLZzzNI4riTUGaGUu3wXDh1ZbXB1CwF5LJ67d
+            4P3gJApHJ+ZDrJGnWr/4Tx0NlvPJgJ9bKNT6F45ZZcQzq6bt+RUh6RC1Axvdns7S
+            XgE7EN6IttIGME/AAeNdGh6O/1XnE2CEiqwqTePb9kgwIufoJWLarnz19qcbnMp6
+            mfHNrJlF5FSVuipVtgCYgfWDos7ft1qDqvgRSD1awmdFIk/2ct3wjXKxyB52Vxg=
+            =5zOY
+            -----END PGP MESSAGE-----
+          fp: F155144FC925A1BEA1F8A2C59A2A4CD59BFDC5EC
+        - created_at: "2024-05-26T00:53:53Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMAz5uSgHG2iMJAQ//cBAsMfpoC02vbVtRPf02VS4NIVu2lM1JdB/IcPo0BHSF
+            PHNaVh3bl2a3cqbfMvNG9nquFVpDgtAXcSaIvozlsWgMuBIukfYKgeoFNh4fhyy1
+            Wgcl26wZj15Tpu4rYHK27CmXBHVusQUyTZVx2CUZwoSdtI2zveWqs7+Qvfhdjb6r
+            Yt1bDr+Zkrd+AxUuU5Njlp2eGOcuxINGLln2lh8jrdSytOzKll+G/nI8yBdk1Vql
+            P7iTQ4hHlCzs6HBsgeA7mpkJMP/h0Ts18DQ9sOYCi1SB8JR1eOqZWUu/1nSAk/hV
+            ntHk3+FnOta4wx7VqYNjRi2JROpvi935JBu0UqwGkVVMdqQNB33/qnJdzcdcfoa1
+            3o5UtsQNuFZW/SgJ3uiPYshIZZGujH3j05aKZV2yULyBRfP7j4KrIq+3dQLlW4J6
+            TihPL1Y3aqVvlU0rGOjjKeBL/nTEbEQtbkyCcIrW6WjdWvUYtTeIGnBJt+ExkyH2
+            cmuoch5XjiwMrXDnIFzOqeKbLsIZIAatFOzP0jsy66w2VAeNY9AyXCJI4cTqE6py
+            RVc1QK6+ynhrQ/zJ5XKJD4ATequVJidshC8ci900KBW/1R3XLm7zGQtw3gj5QQ6M
+            lMfA3bPS3H/DzFHq9NWbQ7Lfkm8N5W8ZSQwBKum9o1uWJC/79lFkyfgf4JqDjDzS
+            XgFfOjk/KKVSrS7P/3V6YHfQscFuq+Tiepr3LCNt8o+0IbNJbsr1Zg+sutuMFhrq
+            2lblr+MKkvUpYBhUYYen/PULpr8c6QZYiVX14xJQqFzYk4U/4WoFZm/8dXuAQ8s=
+            =z9Gs
+            -----END PGP MESSAGE-----
+          fp: 18DFCE01456DAB52EA38A6584EDC64F35FA1D6A5
+        - created_at: "2024-05-26T00:53:53Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMAw5vwmoEJHQ1AQ/+JcEj7POTdpKoqBO0W8sxpvNafGlxWBmGF9nVMKsCe6r0
+            +z2iyj0TF2ffRe822djXoG0Kod4Gf1Ihg+u/EKGgoL41CRt3DhszervSesm/pHJU
+            9+IMJYj7Wz64GekkIVkYgcLkJr7AeIYM47W9kr5XGWCI4ogQLHJEVgrwFMWVsynV
+            meIBjn8ntS1aI9xZQC0EePlBekD6zvwQHOyEkar1MD4NaMqLKf+9x7IAErY0msXz
+            czBfBVZY74q0Aq27YqfUcl2QkksxfLsti3WrB4Nb2YIqzGJ6bED9TsqRhy9CQRBf
+            TSN+jh9Snit8NgLMAD2eyBgGUcQbwvyW2OHEYWpDXqsMbGmXQ21wygBAN0vfSCyx
+            v9m2+DSJ0jG9icBj31JqZcztI5fRsaForxIRmuT6EwGHc0YfuJwk8LWW1YOTRhYq
+            KbOMzGZnB1aNI9i7jVYHgraU1vB6u6R3hU2hOJq0zzqP7w/XuSitzb4+EzwuFkw8
+            zVRNJ406ZYJvMhZp8NQ878WkJRqsV3C++LevnLkHLNfMOfDcD+nltmctVXf99Fc6
+            ebc7FQj6jOsUlbNQMxnqOZ/6fV9WesjPgCsUMJFxC7/5/5th8CU5VJHYOwwMUEMS
+            +zbwM41MxUeknII7dc22MHUXxMocVkhlmGPYNc+jRv85nuDwbYqMa9Ht4JychK7S
+            XgEZyWSvHupNW3XMwspeyYZMS3pSDO+2YExopgpP6c9Uq1TgvkHo2L66SXj/E4EA
+            RaUR/bY7EoEdNTrqWlHpuLyRihgqHLHzlRsdJZYBinaIfwmKzvINRiQbGjqhKLs=
+            =mbJg
+            -----END PGP MESSAGE-----
+          fp: 87AB00D45D37C9E9167B5A5A333448678B60E505
+        - created_at: "2024-05-26T00:53:53Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA4HMJd/cQYrVAQ//Vo1ZEeqpfN2gJUEKHZs6L3dXmRSd5RedwTxivQSDUZaw
+            CS5CQgBHd6H8ly5Phc2+QrXSjn6sJubDPaCAVmWKOf4WTMOATgdbp7eNEKlX06iT
+            igr5UuptY04tM6AauuXNLatD9F/2p545VkLUYVNQriVMgXjrSd2MWo7/J3P7G7lA
+            xupGHMQ/L3gwU2A50sJUtAc1/SW6h9RMNwHjx6FVRvQtdWUdAoRYCT+r2fICKs1m
+            MKYOUzOA4CW3uURM2NZEFrVdmES0izv0vNAQqx0lVxAL/qhqwsGqTAZkXryef39J
+            WkIpqwQWWutvwmpVu07yBllfWU5XzoxaH+ye64p7+3SyrRwdrZc7IVW8NM9NSAru
+            +2lio54b/dp1Sh7GGV2Y3hNMmGuPOym/PEOLVG99mkfZaPDG+Ui6enV1Ol+dFRaJ
+            9VqSa1zIo5N1QdW4iy/Rke7oMlTINcJDCA/KgYeLXK5IRz/iv6q1QyzhR+dNH/pu
+            JzxDSru/ZSTP+oMXZ1AgGf9UDUy258A7oDRt/ECN2c3oggj+Oh/HfnPXfD+9Mlzq
+            c/FGIRDQE7lLQoHqBaEgp9pejepAAocCci3UMgAO3ZTgIlXwJyE7fWZKrbATIqEX
+            GYr/tLNIyb1df4Cg2Pp+kS0i5+KnPqcbPkN+IhJq1BA3qG0rzFJiQtIR5Yn7BxXS
+            XgEVc+mwjUlUnQuVxFzfyZSlVh8tipwLZck6aG3IrLn/9WSHMY22GDOprsy3bMta
+            OOy9KLyPgZIdPr1v4BmX77x+2Z5EeijAEswFgfPvSPEuWKSiqkXvaVDy9w+U8kM=
+            =0phM
+            -----END PGP MESSAGE-----
+          fp: 91213ABAA73B0B73D3C02B5B4E5F372D17BBE67C
+        - created_at: "2024-05-26T00:53:53Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMAxjNhCKPP69fARAAleXLoRXh1RP5u4Hk4zsVpSbbhKKW8dypXDBVMa4trCi/
+            Xq5Z7XM/Nip1iBCUHoLRaJdi2MlM2aDfVFo+PEx4JagpjxFjzqW21WUa5vqct9Fy
+            UVgdsssSVq8hNrMvlxDJwYVYfyQIOUqKyzDMbXOGh6AaOHaZsNsWtOBDJRqHMSXy
+            ULXMH9xxHmheDDV/ZnlOl4fOBJT+qC/F02Yo92Q7rMHWMcNs5NITGN3DDYrQqs6i
+            uHopbwuTpRMggnHldaMM2l2n4eCBiKxxz0dGit7FlpFL0kgsZROGBkQUyAZdkkwQ
+            LKnaqgodCv9t/6VZNATp8+iJP7ji5IvXeW6WQOztb8+h8JV3j8pHdadNzgXxH4av
+            LVnqAABQMhay9jEGlPzgQFT7zDbaAiUd3bSLz1i02Dyi/FYCIylHFEmBErr5RBsn
+            lqbG/vAxJPKOkiDL31nkjugd09UeFYNp2WqO1DpeoYQoMltFD26TvUnbOAQo+v/y
+            xxl7hhCTzbd6kF1VxSCNtv0LhDdirq0+eiFN89E+5ijLjhmpg23S2E90etuRgjuF
+            b050aoEJyXosRqgXVl0qkOEnXgQDbAXrEobbbRixrIQRHmNN1NjRCudzJjxs+p39
+            tucfUPZJO5np8ITgE7XCt82IYxW7b3HO2kejJAluIfUxOkdBgORKuc79vEaP+rrS
+            XgGAqi7CdzN/lfoLononCBOhce9XgdgpbpQRohO+jLp+abqmbnEzI1ZnzxpWXo8Z
+            taWKvUIySWbN8bWhmiIky9TyUXEfRVKe9I0MUC3Q94NAnlnj+dNXXr3mS/AxNcQ=
+            =ZYXj
+            -----END PGP MESSAGE-----
+          fp: F38C9D4228FC6F674E322D9C3326D914EB9B8F55
+        - created_at: "2024-05-26T00:53:53Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA1Hthzn+T1OoARAAsBC/uAbTVpBWv3dmzvVglih0Zlnumbz6wcDbeDTVP3r+
+            XiUyiDFE/Hdnm5J0be2jSj7s5RIXj8Gb5BkXPoytAkGF6NMtHjZJLmeo7NciQ6Bo
+            wDf5IXCmv/PbyuydqkHJEztsSMWoCQbGQo+dMeWoAY+WKt+dQGyGmoB8BbeUjuH+
+            lgKlUk3W1INTV74Qz6avuEQpwc+6hvb1w3Vb5kdzgRjplLUB4w45wP+79HE8Ub3V
+            7PhhEQMza/CIyYqHEGQ8fKzd+tuX/naYXnbfTCu64eyKCz2fQZOMdqKNA49aMWGC
+            vo8K38Nd8haQ+tcJvT9Vuis3n5X0Qdzpk/8u+M2XM4UQLHSaKSQRnJLpslumLJGK
+            fI2ErQJoD/TR+vvwrKXmCOEeiFjs0GC8zQEVP6Qa1JE7Fr8iKIEtYYXmGK0Q5Sku
+            5eUkrzJC9Lh4rBvGXLX1PZefBVxnnlBMNk0Cae7vGnKKKuARE4aYgRkIhzIp0GuG
+            pdwSir1iTVMKtfrkpJ7BqPANKxApbLzYHBi9rFWJboA7HAXe/E73HD4Ov0tIs1La
+            9rwRiJ0LYUixsngf6YvtGuj0ZiuTe0t+VhYzg9sYOcBWW8z/AAuZ3FQoBWLdOFPA
+            GBVI2KV+vr5h4dy7+yCqPxpqhkKe5ObCdwksBrl9tiaPVoQuN6Zv63kLlCtkP7jS
+            XgFYwBL4tKcCPfG+9J61T3LqItNLmzrT56LMN6LIz3pvRtASRbSRRnqKuuPgAL9g
+            IeFHe8lblLErRwKz+iNre6wwQCEfwbVf5NPF+rLh3nfEIZzCf/CF3qrxBpdYzwQ=
+            =P+bx
+            -----END PGP MESSAGE-----
+          fp: 5DA93D5C9D7320E1BD3522C79C78172B3551C9FD
+        - created_at: "2024-05-26T00:53:53Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA46L6MuPqfJqARAAtl2tC6rlB5O8+4t+b7ZEo4GU578OHN06nJKxxFQHG5zn
+            mkcANcm5gVDSRAOecM2FyZe4ns18rH4OCvp+uegEQyMVN/XNUEj4/+bGzgXX0NZf
+            AazE5s2+0i2NETv9bhPjJB0RR+U47PEgx9vKf4EnvL9MAfWyPbGwzR6HdXXDEE/I
+            c3GNaIOY7YWBgXEuX5LnZbON5hQhbFADY/BRhP1S0d7Wzff6sYgtJhbtaTQFSX2p
+            j2+pTA3D+tI2h9VvKnZw3n1t8Jc9apP81KNFCURpNpdR8Jh8KQ0aSEcYWTusjah9
+            QOX8RmsnFnvWKTN+gU6tffcSbu/r76gmXyUCF47mWvn89ETVA8azp/66zfLTTTvO
+            CmFVx8+2X1TK04SIKa+MQcpAuS5cTHH6bw7N8u1YfX6O8mbHX/ZH7NJi/Bhxmube
+            Cau4DtdZ8mX4yz0EjUF62skJoaYYUl3UBrkGXl5A4NXK75ZHlBHT9Cn4YQYIPP1b
+            5MAnTsy6UtsGVBZPf6O/kvkA2gAQNjtOjQ2nB1FF6fjqEFFopzmLnAgGvW7lWkeo
+            lTbrylmv6SrrvX/0wN5Dsayni2iRb7pisEAFs7JAythm463PDrzaRmLoPBNBmJz9
+            l88QlYWDQaet4QbJ1AnEaOu5K03coEy6CTzJYqgkTWdLuFC4tUyKsD3P/1EANonS
+            XgG1y8ifC6F27sgwQribg28RPRvwoiRSGszAXCAeIwo834NQLIvswid5C4VCvPje
+            XG4X8m9pipP+BoXF8UuX7naRFnIGfXBOVH9N+1+SoTeZtXRX4GIWUGcRtk4nrJQ=
+            =FQZ1
+            -----END PGP MESSAGE-----
+          fp: 8996B62CBD159DCADD3B6DC08BB33A8ABCF7BC4A
+        - created_at: "2024-05-26T00:53:53Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA4EEKdYEzV0pAQ/+MLPIERHeZTiyNPEUc6YnWYcfW3Zgnsnc7EzfFn7NJla7
+            HpD82Y14w1gpQrUiPu7wdjzh7xeOQ3fnk2819g4wEXU32M5rCUay9XUWqWFnzpMZ
+            /Gy0tdwE9TgwrSQ6GDNd6JO93hLNByq1QqhsIkKEL640Wv6doLVfQW07O59hDrPd
+            AQ3UxWnohbNbD333yXa3kjfYcNugjtERM2wZ6qqZoXp58SG2RE0A2wMV77H0jOQj
+            Rx0arENCNBS5XZlIJW6v+I1Ak1wYnW5vAlVRMcUXo8vJNu93WaZ906EnmVCQ0cYn
+            LeNVH2ajcuOud/uiVntwdYKMr85rMBl9eOlsPP3dHqbhsrXn/+Oqagh7YUwEvJ8g
+            LK1krKc4Jlj9a5J6dPl0lCsEAv6vGaVCICJkNnd0JikTViu7DhajImfGrSLrA6y+
+            81hx/TTKqisAL1xBwOOu+LbwlhFZrkrTQaKnueswKzwrS3utxSX7OIepui7Ib7JK
+            h5R5VDq1bTCbRvo/rRpCaOt1KI6g4ZX+o5TI/60TUcGvzLRRAv7jZZ05PKhcfRuJ
+            4ZrKoRu2qKVxA6+kcOfy4Gi5MgkI4Keue4tgJsYJ+LCP8tV7+Jntxf4XXVMLoFCH
+            jQDe3vIHOxNKqlPUEnLlVmv+g3K9Y7N5uBLuk3xkVYrxWRhBmY6e0WtTVEF/lWjS
+            XgFWqfLHx/JAJgIU2tiO9oLkJWcdHuXAHNYDvTKP+a8WLcJDZdS8X1feqOpWYbaH
+            zVbYkg4MGJqO7K9f3jlCtyszh3Kpu5CFbfXA0MZ3M2eRoJTv91iWViIWY7UP3VI=
+            =vsm4
+            -----END PGP MESSAGE-----
+          fp: 9DFA033E3DAEBAD7FDD71B056C7AAA54BE05F7BA
+        - created_at: "2024-05-26T00:53:53Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hF4DQrf1tCqiJxoSAQdANu3CeUuv/SDkBQG+aROPeiWBauWaQBDUm6UdXAhEBXUw
+            Tuj49QiBBCQ440R3SBkHOzOOUUTMPkWo/wESnJm+EPla800tb9B8rOvUj7PnkbiY
+            0l4Boe0q5XPHSysz9eIQ7zRwSKoClgd+zi/GOtcsvxkLWlISoBzAVOVEvk55OeKb
+            7J70fuIMl5rZPPFBzbF9gjnCHxAtfSyze5774nPfFI/zoQo3WaDfL/9viRhP7Eqb
+            =i8o+
+            -----END PGP MESSAGE-----
+          fp: B71138A6A8964A3C3B8899857B4F70C356765BAB
+        - created_at: "2024-05-26T00:53:53Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMAzdAjw8ldn6CAQ/+N5yVnEm3ejyw10aDPkLjJoUIoxZl0Nof6pGZxdWYgiF5
+            VrEsLv9vYQD8Wp7/nXuI2HW7OoA+vTG9KBZt2Tw9R0iPIMXpEf0fewPSBZ2n10lk
+            KJPvkMP4w2OV1AfGT+PrRPLaX8/2E4p6dE8BPviWEh9HptYKodhs9lRlcq2C3Kjh
+            sE88eJOSA+fQpASVZLNHKYn1UrXXENRTHE4tw3+OIpE2KSxHvIv7sI8LuXZb8Jxy
+            OpmUP+v9fmhsPJYIlP7SAvITMgZdMHceH7SDgOZn0kVU0inr7MJ+FCcNQkQOl7aP
+            jMp2B7qSXOdC2NHUmdYvzeUx6B8O9Bn19VM5LGte9n1RBnknw6TQfQO+fkQTjUyl
+            3FhVqQAxrutOBjud5xn7H0Grj+7oqRI51LLUjLQdOzpEi4hul9Of3FfGnKxjOxUf
+            yVBHqZzFco5rcN2fzMgWytjuSED0AE8UPS/tcd01oXXEsTj4YBSKWox0gZuyn9B1
+            mspU7vr9I39igceGVE6LJQ4EBnpR8xC7v5CDFpEbCr1qt4VlaH4nUgfN2tEGtOGW
+            2mmrX2nGC1r1VRm0K+ACRW4htDsOsBzSxQttVJ/5IWkP5fqegcwIajjo18VXz8IH
+            BtZdJKzXuhQLG0B+sXndOAgACWkVQw4F2hD5CYRpiFtungAqUbtSDbeb43x7ICjS
+            XgFrmwLxkGfZYKOPehbp8L9glbHpfHYE4CopRHPtUkhLTNWTqzEyE7YQYYVu9Cui
+            E9Q3v2/+2swn6nKOQtB1Adu8ItCqu8Om+d3IJQvKVS24k4+fKPWa7/ccmkXz7OU=
+            =w7hs
+            -----END PGP MESSAGE-----
+          fp: 3D70F61E07F64EC4E4EF417BEFCD9D20F58784EF
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1
diff --git a/config/hosts/matrix/sops.nix b/config/hosts/matrix/sops.nix
new file mode 100644
index 0000000..b4548ed
--- /dev/null
+++ b/config/hosts/matrix/sops.nix
@@ -0,0 +1,7 @@
+{ ... }:
+
+{
+  sops = {
+    defaultSopsFile = ./secrets.yaml;
+  };
+}
diff --git a/flake.nix b/flake.nix
index fc4fe7d..7bb4e77 100644
--- a/flake.nix
+++ b/flake.nix
@@ -159,6 +159,7 @@
           imports = [
             ./config/common
             ./config/proxmox-vm
+            sops-nix.nixosModules.sops
             ./config/hosts/matrix
           ];
         };

From dc439abefefa1f14d581d6aa6a65422ce224fab8 Mon Sep 17 00:00:00 2001
From: June <june@jsts.xyz>
Date: Sun, 26 May 2024 03:14:31 +0200
Subject: [PATCH 044/170] Switch the netbox hosts secret management from
 colmena to sops-nix

---
 .sops.yaml                       |  17 +++
 config/hosts/netbox/default.nix  |   1 +
 config/hosts/netbox/netbox.nix   |  14 +-
 config/hosts/netbox/secrets.yaml | 233 +++++++++++++++++++++++++++++++
 config/hosts/netbox/sops.nix     |   7 +
 flake.nix                        |   1 +
 6 files changed, 264 insertions(+), 9 deletions(-)
 create mode 100644 config/hosts/netbox/secrets.yaml
 create mode 100644 config/hosts/netbox/sops.nix

diff --git a/.sops.yaml b/.sops.yaml
index 47c6197..2e7e376 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -13,6 +13,7 @@ keys:
   - &host_age_git age18zaq9xg9nhqyl8g7mvrqhsx4qstay5l9cekq2g80vx4920pswdfqpeafd7
   - &host_age_forgejo_actions_runner age10xz2l7ghul7023awcydf4q3wurmszy2tafnadlarj0tvm7kl033sjw5f8t
   - &host_age_matrix age1f7ams0n2zy994pzt0u30h8tex6xdcernj59t4d70z4kjsyzrr3wsy87xzk
+  - &host_age_netbox age13fqs76z2vl5l84dvmmlqjj5xkfsfe85xls8uueul7re9j3ksjs0sw2xc9e
 creation_rules:
   - path_regex: config/hosts/git/.*
     key_groups:
@@ -62,6 +63,22 @@ creation_rules:
           - *admin_gpg_dante
         age:
           - *host_age_matrix
+  - path_regex: config/hosts/netbox/.*
+    key_groups:
+      - pgp:
+          - *admin_gpg_djerun
+          - *admin_gpg_stb
+          - *admin_gpg_jtbx
+          - *admin_gpg_yuri
+          - *admin_gpg_june
+          - *admin_gpg_haegar
+          - *admin_gpg_dario
+          - *admin_gpg_echtnurich
+          - *admin_gpg_max
+          - *admin_gpg_c6ristian
+          - *admin_gpg_dante
+        age:
+          - *host_age_netbox
   - key_groups:
       - pgp:
           - *admin_gpg_djerun
diff --git a/config/hosts/netbox/default.nix b/config/hosts/netbox/default.nix
index d4a02cf..6ef3469 100644
--- a/config/hosts/netbox/default.nix
+++ b/config/hosts/netbox/default.nix
@@ -7,5 +7,6 @@
     ./networking.nix
     ./nginx.nix
     ./postgresql.nix
+    ./sops.nix
   ];
 }
diff --git a/config/hosts/netbox/netbox.nix b/config/hosts/netbox/netbox.nix
index 9c07233..ff32349 100644
--- a/config/hosts/netbox/netbox.nix
+++ b/config/hosts/netbox/netbox.nix
@@ -10,21 +10,17 @@
   services.netbox = {
     enable = true;
     package = pkgs.netbox;
-    secretKeyFile = "/secrets/netbox-secret-key.secret";
+    secretKeyFile = "/run/secrets/netbox_secret_key";
     settings = {
       ALLOWED_HOSTS = [ "netbox.hamburg.ccc.de" ];
       SESSION_COOKIE_SECURE = true;
     };
   };
 
-  deployment.keys."netbox-secret-key.secret" = {
-    keyCommand = [ "env" "pass" "noc/vm-secrets/z9/netbox/netbox_secret_key" ];
-
-    destDir = "/secrets";
-    user = "netbox";
+  sops.secrets."netbox_secret_key" = {
+    mode = "0440";
+    owner = "netbox";
     group = "netbox";
-    permissions = "0440";
-
-    uploadAt = "pre-activation";
+    restartUnits = [ "netbox.service" ];
   };
 }
diff --git a/config/hosts/netbox/secrets.yaml b/config/hosts/netbox/secrets.yaml
new file mode 100644
index 0000000..6f9e3e5
--- /dev/null
+++ b/config/hosts/netbox/secrets.yaml
@@ -0,0 +1,233 @@
+netbox_secret_key: ENC[AES256_GCM,data:7cVGSlrCo3MEjeLjfeZrL0VZi3+yZqsC3qI+rx+xadic78H0egWCCNaYEHIgtilgFjw=,iv:gnearzPduWcrVLU/FuzS05eNPZ5srX0hqZyElq+19ek=,tag:9MKgFb4eVYE6a5ncx9sgpw==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age13fqs76z2vl5l84dvmmlqjj5xkfsfe85xls8uueul7re9j3ksjs0sw2xc9e
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKaTJ5OEJPeGVPTHp5V2tX
+            c0xYcWtKNG00d3lCQ1JZRERkUFZsaXpyMERJClQwdDFnTVdCRjB0S3hEYkVmclE5
+            dGRUQThYSWhpK2dCQWxSVjhuNEY4TUEKLS0tIC9RS3hSdFZCbTd4eFNNSTgyaXdU
+            V1lQK3YzTWI5ZGdyeGtFQ0E3QXQ3YnMK8sBStC8xBKwpeWkF/HrryWi0hZA69nuw
+            a73HiZuED8KEp5OPME3yC6Ode71uEEaE/av2zp7WUYbCqVpWnwcjSg==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-05-26T01:07:35Z"
+    mac: ENC[AES256_GCM,data:0zWNPrUqpuC/qXOaTE8ayrTbnZdg9VA2NqxSNnV0bogqxVkg8zhbx8OKYfNQ0DswjxKNEnKsqjp62gA678VfRfGHJU5ZoHfAC7kBbrkDy+pMzS6LRwT+7n0C1AbaaG7hienGJQsx2gUUYqu7OSQuS722lXAw65deFvZGtL6lt8E=,iv:mOLkzF5pJFazmH9XX94Hjd04FcgSh0hY4juEO3vKNBc=,tag:lSk0lnVONQCmuO0KmxlL0Q==,type:str]
+    pgp:
+        - created_at: "2024-05-26T01:07:22Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMAxK/JaB2/SdtARAAgiNMTfquNZeRDR0p1DQbGPVx/tCxKng4aQ+6A8x7H3Ul
+            UFSjn+85rFBqTRswDnFM4gSfokBHLW1Ltztqw4aKuYoNLs0vUGJWrkf5dHsJv2Mb
+            YJaHm1iqSwIrgmyI1PWvrZ+cUjgUWBriJOTNlYi2iHWBWqDSQ7O7TUqpeCxiHAp9
+            e6UydzIxsLjl+7gaDW2M/FRJNVKxtq8UBEdg33xLi/eE6O5/fNyo8qBjUUWnG4xb
+            fiuKWgn83n7vsVsmvNJPlsOUrrZoYJAOSm5nymkXlAEQv1LPrSXXYHz8WoOTPDs8
+            29YAX8gvIwK+lc7xFFZAsjQ8JzqcVMyFHsT9N8zWSdaOyGcFcsDwBEICOvVSabb9
+            g3yrI8PKoEkQigeLnzKrkLZX+1vqVkSO7MBWn5xAMMhTTZvH0+MknlYO0pU3ziME
+            Yp6EbvU4OeRbcB6gMt21KQDhiEkPNdwcyxoOtFIWw8tCK57Leyyyb1YU2W7T96M4
+            2fcoAzr5x3xapdvOEgUr7OFzTrc2DRrpx7FKoJFBIy4HEvtJKJvKxcq4aUqznSPG
+            ILpbnH3CEQuWmcGu5fTZ3ggQZW7bM523cz+cwOJjUokhW49D+h7wZjffUuSK1AWS
+            7FwncFVVkNcLAs77p1DFn4A3mUjdh3jl+VAXudgQfOGtLeLDY4+qlMMQSGPoj4fU
+            aAEJAhB0l1X5jqjGE7o/PRwgoaeFl/zwiX8n0k26++hPw2+Vt/b3sT3Ce0zNr30p
+            Yc7h4H8UoN9j6zD96R9MAATHikz7a5EprAshqzV6uy7VNI6bcKVKilLoxVa47Y1p
+            6PA24RxtGxVm
+            =ES/O
+            -----END PGP MESSAGE-----
+          fp: EF643F59E008414882232C78FFA8331EEB7D6B70
+        - created_at: "2024-05-26T01:07:22Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA6EyPtWBEI+2AQ/+OBSrAP5xkjanku4jcpbYrYDMTWRxVfEgNesvuTyQsxVr
+            kKK9THm7MUHbVBkx1xirvpv6XLcLtCwdMnYlBkSCVaztGmb1aowmCn5tWZiVDyE+
+            UPCF0bTXmxjLM+Cav8aweylfD3vAQsPvFLS3XvCBHKWqZ7dNkro+5VTxKmQ+XiZ6
+            t67M5DtltUm8IWOE2DScAgGiBQlCSY23O/zy4U5Sj3Ii+eRHxC1B7NB0Crj01pi7
+            2v6J7yNZnw4vfH3UiRO5Vg9q0QLPp3XR6Xb1J/TJJS6vCUarSbL1/oBjujHkF4hK
+            MEZ+Q3qGnv+dGOzUch4xkEkuWyfIcMTY6JOa3TpkhfkbQwXsph/sD/SaHpRD70Ra
+            PX0vBzSdbtEMea8/pVTOxfFEjPGQIFI1+pdNmCfzhWNbrH6EqjrSOyZXSr6+U3dI
+            Xhpyv2wKuNho0c9jWYqPzY4vhSGRjc9416nfV/o7Ebv659ypBKHtMDcL5kebkCB4
+            W0OwscSRPUXUz2S9XfSa3J80Aakv5S5xvlXo6R/8TDaMWJtZP2vtF4y0elNGOfZM
+            Vn/zlv1htaezQDNznJK+E8bHEF3p92hiuSjO8yMZByIFrAV1AyqY4kiMmW68scA6
+            NBOlxah9xCV7XnD8B1ZCR9FruuYYj9cpwES0lLvISBXJvh1viyHN8Js0uApePInS
+            XgGzDhaZWWyt5TK+Uv2fu8wh6hbX8hmzT9vBLfPz0Gx6Z78RnwflsTqF8svtjSuB
+            zv4z9d/zrysfHY93Gd8kdKkG955f1THz9dELEpYLIwyLoTx1vHlymVP87TuPqxc=
+            =zG3F
+            -----END PGP MESSAGE-----
+          fp: F155144FC925A1BEA1F8A2C59A2A4CD59BFDC5EC
+        - created_at: "2024-05-26T01:07:22Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMAz5uSgHG2iMJARAAjT7YVbq2/QthKii2fmj1EZgsDm7ZkcAKJ7Bo0jm7Vgxm
+            wGeBULB0bBoYEiFFO7Kc420Yk6IK+uUG8S8X3bJHUbMzvY/K/kG0eVpXwDJwJPf8
+            o46blkjpmhIiTvvQ4K74AJgsT9W0yXRrPxGz5HIuOG8P8CAqOabZ79ORfd3KFebJ
+            yOvBSyor//XoMB60a7uqQoaWw/+UwRKpz2yncLafD23nyuS5uXsoHNuySHLsI4va
+            y6Nhp4LdpYjjx/DIuzrl/3SCeLgisHL5u5kJ1QaGsfd2z7Tjxk+GoVgs/Wb51uHs
+            vPk0diKrv/kouW7rN20a2ywQETenik7/z2JcEFyZiOPH9KhHk3QGoXdlVVqESz5O
+            OMV5d/ijFW92Z7yuis1jSewGKDDp1FqyR3gIMONl2vK7Pzl1A8v8yQBbY5/fObuM
+            xTs/qwwoqYimokqM3WrjjKgx8oFFstWWzKBT24aCQTajA8vl83v1jfjR7EjBrrAu
+            +J+wBFNpnJiXgECPmJgOtQB+4IA023X1cdgDm2GlR+sPKKSBP+AySMOOp4zMoS4J
+            9xd30ltQp1ncNvU7KaTV0VXRaGb7CEJnlhiN2naYcpcsX+G8bfcrCuZwxtBFiZvY
+            9Ey47LLHP5SPPOWxhnsrPOYidNJd056+uyvnnbUYArjb6s5JUh6KQgjELKCEOIXS
+            XgEUryr5jMrBHLQi7wYHEqWkouH8cFsPAu5O/KOIYvZVIoOzB3DDPtJ4CknNfAMa
+            CTvlOJHJSuweQ4Mq0c+247aWu12V9ZMcTQT4e3g5DYq5TWm58Uidbd/g3FDwLgg=
+            =PqbF
+            -----END PGP MESSAGE-----
+          fp: 18DFCE01456DAB52EA38A6584EDC64F35FA1D6A5
+        - created_at: "2024-05-26T01:07:22Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMAw5vwmoEJHQ1AQ//baYynNo2MfmuqEKles0xnZpfPemIyQUnPmRKEtZUl6T6
+            eweGXKF3Ms32ErPhZaT8RNYAk2XX+RRlpJvTcMvLv/rxVTf2QcCAz6vxukmh5una
+            5CJe1H1tcDmXrQ7zkGffktkGcT90/OpRbhMJtp7MKcEzfpdgcw5yCeDpYCRn2r9E
+            /0Eaf72R60ecnr6CaOSIdbpy1QiDMydgmg/QCONBT97RQMJaGN+qAuPz1Fpb/Z+N
+            E/bmtqS39ADYZoB36sy+LCzp+oMLI0DpCHz2ngfFnKbeYeNU9gMXCAda9/ZyMbaI
+            aFjvwlTBsvAklWN36pvG/YxoO1XkN/Mj1N1QBvxP2LYg28X7uBnVUZAyvvQPL6xN
+            U110qThvDvLxgHC1DAfoMygKCDig2oSg3njf8LS1y5XkTag/B1JJT3NcgFI+MMvT
+            5NMaw6HRAgOwWcJ1pJokFZ6zIpLlIbToutJu/Ep4tisyg/G3ybbthqaywg5jkbCT
+            vbhzXpsbqkE+jyx2dWziBbQR9lOoTycRwIs6um+pKuPF7TzfD1GRyqTwtU9TN58D
+            Yl1GN3oz8ZFeGkdy1dXBxMP4EXR1BTdLk14vFGFPbjQ0bAAohOgTSgtGm+iZ73Q/
+            PFNf/3gGt8/Gk0cMl20PFzk3FMyUDOLFl5dOre0THGQelpVbN7fvZuaXOSZjuYXS
+            XgHGFmChf+zsmbKnT0tQfzGtFQb0cHHvkenxC5MCCCPibxwVeHEwcJTtPvvF1QqF
+            9kR3XEpuVFMNFrxsQd/31c5RUTC+sr7W+PRIVgIhdU6RtikIMsmekrunnPeB99U=
+            =o7cj
+            -----END PGP MESSAGE-----
+          fp: 87AB00D45D37C9E9167B5A5A333448678B60E505
+        - created_at: "2024-05-26T01:07:22Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA4HMJd/cQYrVAQ/6A6ealIO6x8Xq3xzjIvZt1R4TvbnF+LmKpW2iG1nO3aVY
+            QOEGUCVdEveWbQBOexKXl1TgfhxIOrPVixJ2KgIZnNxobhgABfF/H/EqXsxUI6n6
+            2mZt8r0ibknzoPn7MmC7ceJt0t8UVFgPlPuT7zb5T2nDrm61WD50tbubJTYTuWmY
+            NE5qhd051/Ohqf1RGB7MEfesDNj0S+J3E0TAjOsAcFoAUwSohUtxONcCSwjiygqM
+            vCC9Z51tMe6pC9n/2MNgb47xd5eqFs9rzfKXxPlnhhRmS1jOmE5fVfmOg9KOkGCu
+            PskiO+hgyQK3q2a+/e/MGuKv3ChCrTloTUBarQW5oRoQnWdoiZh7rVwyNVasGfHW
+            FLEhZuBlyV8w9JqOQTiOx3FN8IhVL2lJIa72Ng+O+AMYuvuSCxv5r+1D88IUlF9B
+            n01qAMC7fUfOpkUPM0yXQ9GTIWt02Mp/7z15t49Uk3izYCGluxVNhLNFxvAZOZh8
+            nfT2Hpf5mkJHMvUD9F9rWFVWPyCD0ORN8k770ziOVEYMadSJ7/HpCHxg5m+TqNnM
+            TNQXID/f7AyoO10zcS8TD0IgDLEjTaPMTPZ1EZ0MvgLQ7MgzPdjdvXOGc0g8L6oa
+            ac9a/NDWeZGDNfj5T88pZStoLJKnTvuuwxk0haabClxCAOysifxINqJ7U6AfkpnS
+            XgHR1vDF871X9kwm/c2zrbJca2sH5pNU/HiLf3IMRTAnmIewYxQAvn3JH+0jUUKH
+            fEt+fZuW9dgfvDzaw4C3FbGxFViRXXFrjqSDGN9JT6VprCmX3Or0RdIjHwdvvhY=
+            =4agQ
+            -----END PGP MESSAGE-----
+          fp: 91213ABAA73B0B73D3C02B5B4E5F372D17BBE67C
+        - created_at: "2024-05-26T01:07:22Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMAxjNhCKPP69fAQ//R+9lFm16WjGtRkq3zcPbva2SpijBjVBfuL2veFyeDq5G
+            H09EL0+A9IJ5rPI4Y6HJ2LhnqUWg7NRHbmM48bHla5NDtCNB+YsU1rNc4oGIf/TJ
+            JRob3u660+BxRiEO/Agc925BeQS7xoPSIQTTkzMKEGih2aUj3Im0JHBd6p3UWnsn
+            ZTUy4rkZHhUot1vHSOh1RTRDQHdDMTFpzPA66nH2y9tyz79jhqEFUCZIVIB5dGWv
+            blFqZgoVf9Piw/7ic9FHuNRy/5tia7SGN6xIu3OlR3TU+z7fvjUAHG9Afm0FINfm
+            fS7SRg+y/6wUWVGL8NSQWQLdnMnUt7E2DSu5IY6S6ToZTDxpNM9Waw89GQbUe+Jg
+            APzUtmXt2VNZ7faIE+tE0LJs2x5OGNxALKgj+K9ZFl6oIL8E7PB4ncxDlTsCRiz/
+            H15LzKYMWcYAntMVuVbyyzKUh/3KdZWfs31PV+JIQuazVUQgO9R3myn1Y9SnvZdQ
+            dIwvfYBOmwhC6oCkJB3Pj4yOoE6gtacZBeeUZwScDxH6h+D3MFrF/1bgiKZs26m+
+            VfuTS2vxUAln9werKIGAbQWZmtCOkRdyVIJyeo31zO3hy/xdfzlZdBijcOqZDeho
+            FP+WDUAySkSahqV1pr+jIMsaejRglJo/GfCGPdtBYAuB872VpdiQ8g3i0CW7eSfS
+            XgH5YBfA4EgJSxRdCpBO25i0SyxlNK2WJ9INQbu4xyfBfsZYyhKo1RbmD+60t/xw
+            Lxeg8plFAuBPvQCRCGvda1y9uw66Hmxt0QKtScd3MXwOk2Q2u04cIPDZ/KAtC4g=
+            =x1QX
+            -----END PGP MESSAGE-----
+          fp: F38C9D4228FC6F674E322D9C3326D914EB9B8F55
+        - created_at: "2024-05-26T01:07:22Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA1Hthzn+T1OoAQ/6AgZkGRrZDbtTDEkksKQ84CsGyRBMioOrYfHDSyRb7URZ
+            RDVLfqr25Iz48kYR1n2nMo+O7QyayjTwaEAwFLFSTIpRKN6/9fT2ZVJxUfgLUWhH
+            I1OYMmRr9f/30OUMw8uTlCMqznkdoSjBmm0CX2Mu3YyRDUokzZa+ixRHX9TRBrKz
+            GSfJvHm77HTamvJLZcHnrVi9YH0KL7cQ8ileNHbUbCqmG+rrhiwz+gRp9aJ7pbnw
+            Qp7TaafrQKFh0Zsbmwuzcv030TJvuZboWpMIuGoeOWqv6tzSFhUV8eUu6UnM/2fg
+            arflryayYFRDUkysHONGoHviygefHr3+dIkneVO7tJ4ePYnFYhLvUsps4KASoHMF
+            dHMOwaPQDnBYo/ADiar1fgagYD/1Yns2SpsA1eqWwTE+hp+jwQi0mzYMLM3xl9YA
+            cMuqIOnXvpnuXYIRmooFtf/JkoJkYDV+8gbowZU52FJbB15QsPUgN47aixkWzJxj
+            6iV34LoF783DGQTnoMzgV9bDXa3RE1UgxjdFV6TNsPQvmWQJe+NNhqdkhH3MwLTG
+            jMGAwUNsPnmvCg4xPZlZMiuGhi3vxC4Fj6MWUw8uJbxCv83FPYwmpHCGVNwpDhFC
+            rRLk9vo1Dsm0oMHHLDxS9gTlg7FCrEyXinHBEq/11wigACM217oyg28nWxd6iA/S
+            XgHgxWlTQiYOWBRdJuJrPwXpNIHlsNDuE5YantoGFx6ykGT5H42HFlll7xGq6xVq
+            pssSfJK++lqWpvX076vh9tfwa40N2neO/vQ+8jBXr3dP6Vj/FUA8IUDVjc9xxAc=
+            =FXTF
+            -----END PGP MESSAGE-----
+          fp: 5DA93D5C9D7320E1BD3522C79C78172B3551C9FD
+        - created_at: "2024-05-26T01:07:22Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA46L6MuPqfJqARAAlG+nZhDVZX/+nHA+dPdw2RSGeXrIaxe0gjkGShZOVhmq
+            /iOfY7IgRzfp03BCJxRZwTYZu9hcg25jmW1havkmv5NPMDrmhgg9nX1AgyJaOgTo
+            FCPlXAvBSyWPGv+xgi63ttakHhobOympBj4hSzXdLg3RhkZ7KHci4Qz7XVfOpJ+j
+            wl/HKkNmkLiPiA7kYk8SOwJMFO89dMphHQBc81cZAptwfz9snTP7v6iBVvQDvF8h
+            3y5QPpfKEJZy0+GlqbMvRASHNx+w2GXIk6F/ldMt9rq9IJvR0od0p15aXCcO6TzC
+            Yzo7lIyyxqp9NQyN0S/DwzH0Uqj2CFMYdoKeFTNXG4a9fkVorj8+4rmJPewDxc4a
+            6Pc1hrQc6qoN+7o0Fj4xYkSO615gmVwZprWLQqgdkSMSPklecMX1d7WmkmIHNBk8
+            wkFUT0yBoedBiOTIHXRXhnQ8/4fkbRw7HYA3R4CqT7njtvqC0VWfwLISubuQ38tf
+            wbGKg5Bzzt+T176VoOfjau4aDoy3S1aGQcVKD19egj4l/eO+SvHl3UVZNUipkB3C
+            7MUqORS2kOh+IIqdSjYKvn7+MuAM5UP5GdzIoHaPPSCTUPdUjOLFPb+bjonTReQM
+            N4slvyssD3pgy9cwNofVtsmgVrc4Cv9mTo6rygeAq7wWxkl5hvVcmkhRN6zXD4TS
+            XgHV1a+C7ZWICtKI1u19NVYkjDkRrbQx96UdAkKquofpaQjxxXsz4SDi94BB2dCS
+            z+S2ZjOtweynhey1QPOLLmNUvZLE+SGsKmwkrMCBdtSyTbRXHSqPHt0Lc77tUhE=
+            =7WGw
+            -----END PGP MESSAGE-----
+          fp: 8996B62CBD159DCADD3B6DC08BB33A8ABCF7BC4A
+        - created_at: "2024-05-26T01:07:22Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA4EEKdYEzV0pAQ/9Ek8xSUknHMyj7pFgR6oME3Q/az5CykwxpkKFZgafhxWQ
+            nA2Ge4y3Px+rSoPPPtxtb32lw4PcWV+P1Y4EdtpinsuW9xlSWJvE8Yp6C0BBFceu
+            3k3O2sPHlF0yeJgjS+rhpqPppRn5nlvmD+E9ZiJGQNOEUxmrdgoNLonazlLqcgjO
+            07CQdgHp9AuBthhlEU+UgdVdfHMV83KhhyOIf+mhEUU4cQWL3X/J2Sm6jtAowA92
+            fiAA7U8UXEt4lFEXle6Xj/1LtBI5zI8YHrE3xX6kN0Byf+ydtAM1eqjGb0dL7u6W
+            24CavCODfgWepuK97Jo++umTfN8wkLlfpbaNro2EpAdD5Q9CeGSzXk1PjFmsZgAb
+            QVOxo8kiTULEgMTI55pqg4GT4pglbofsQRMuk2IZPj1a9ScJjOxZIm0VUXG9AAZi
+            BogAuiObch3orMm2KGeSX1s6HyHrvQjuXDNPHoC2yFJ2oBu1QIHy/hAFLnOcNW/U
+            3JfhWHLpMHQgu9lFzkTlobg+4Lg1MHlXtSApwdmMIcrAJcm/l/7+x1J/TVVRQAdP
+            zyzWLA9AGjRv0Vud6lhCnL2FjsUVUWA+S8G+OYqxpkp70Ku1a5z3e7P8CoAtzDoe
+            RZLRwjawjgfyKpEvbN+s2UvWqtgvRPqiudG4cAZs5GecLxO8ItahyklRZ47G8JnS
+            XgEdyiiO06vx5LMszt/tFXtoIKlaWnbB0oLyIwm8un55VnJija5OVrFfdQYhp4fQ
+            yvRQ9uAM32WVjQ+gKVVQ3pAHgF2Lu67E7HtZtdmdLkWafybEWUsqGZyDzDvchZs=
+            =pFkW
+            -----END PGP MESSAGE-----
+          fp: 9DFA033E3DAEBAD7FDD71B056C7AAA54BE05F7BA
+        - created_at: "2024-05-26T01:07:22Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hF4DQrf1tCqiJxoSAQdAeCb2j6cmTulJV2huSow62xTILgzf8/OOo5lED9+T5VQw
+            kBqubSVgy3jiW7lfjAK8U5Wh0ITb+6AR9kDLRE0WCxNbrOaeGado1VEalTw00Q58
+            0l4B+PeAZBg82rPUegAvU7UnnUIC3nGVzN4CEdPRpPcrG99V6VvXOks+s4DLky16
+            5FOihlYbf5nCD7OFbc3yys3MbUVuHda8x8H0BkuxDR81Wf4Q+HXCg8OUhncB57zN
+            =Lvnj
+            -----END PGP MESSAGE-----
+          fp: B71138A6A8964A3C3B8899857B4F70C356765BAB
+        - created_at: "2024-05-26T01:07:22Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMAzdAjw8ldn6CAQ//UFokgDfUkScPVlJ+YnFw+W8eLk6y2YVI+nTCCZO9fhPB
+            77aDFY+yJG/BfEzjZNwQbISBjt+OuxVSSam52B+4FQkolr3KRhkfkuS16Fe9PwOg
+            XLMRoDba416ZtwAKz9HznFnPAzyPOwAn8yuF9RMp0KFP3ko+NSRAvOgja+jjPOl7
+            4BNkH6w5SAoE8u5jyQKIV9OB4W8RCVX30bYo2XzxjOcK1L+9EygoR+1CVOkbx8p/
+            T2i3mBdy3EtQ+86nSMPjGrSqURaUaKbCN/ygrSMhN/Pl/FvLiEEHamj2dVXPdHRV
+            k4bR51ZjO+U056PAB2Z5yK1Mpp0d0xpi5+QdOdi3eEqnGCXFq4Xz7NHUrmdy8Zug
+            QPnlMqibC3Wqdee4uhPbCHe0veF/VLaNAlyGkBHw7q66Ln2MY8coKPoiR8K4CD8o
+            9dtsV/qDvdFhziqsWCBjTwtFct2x/qEcRnzm1kvpyKwe2zV15lHA9WLafZVQ8eNk
+            U8yxBDETa8Bwd9voJ9NqYTcnyQLRJ3sZcvfkWQ7D5NOvmdHD5vF+gm5zJzR4EGN2
+            kSiqwZvztVuQCm6EOe0pJqp774KZXWW9eHc6CaNwkT5cmWjWu1wdHYhRk32HdhxX
+            1FQF3MxxACwDg9kj/s7gpWLlsofN4NM/QtHoGRh1wDQJGm8IZyH2qxpsgcXX9YHS
+            XgGX4oCWpHLRyRuHPb0xvjAdVX20WQKLzAtXvJkRMUd+Xt348nkZ4ZCqqfQ4eKPU
+            02FoWeCVqWTUyoaaHC87HFXUNJ4Gc+9AsWlbB9yA8nAm1z4wWHHFqZS2duu28ow=
+            =WqHP
+            -----END PGP MESSAGE-----
+          fp: 3D70F61E07F64EC4E4EF417BEFCD9D20F58784EF
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1
diff --git a/config/hosts/netbox/sops.nix b/config/hosts/netbox/sops.nix
new file mode 100644
index 0000000..b4548ed
--- /dev/null
+++ b/config/hosts/netbox/sops.nix
@@ -0,0 +1,7 @@
+{ ... }:
+
+{
+  sops = {
+    defaultSopsFile = ./secrets.yaml;
+  };
+}
diff --git a/flake.nix b/flake.nix
index 7bb4e77..72b89c0 100644
--- a/flake.nix
+++ b/flake.nix
@@ -145,6 +145,7 @@
           imports = [
             ./config/common
             ./config/proxmox-vm
+            sops-nix.nixosModules.sops
             ./config/hosts/netbox
           ];
         };

From 3aae597752440e2b8971da507cc6932759c624fd Mon Sep 17 00:00:00 2001
From: June <june@jsts.xyz>
Date: Sun, 26 May 2024 03:49:43 +0200
Subject: [PATCH 045/170] Switch the public-web-static hosts secret mngmt from
 colmena to sops-nix

---
 .sops.yaml                                   |  17 ++
 config/hosts/public-web-static/default.nix   |   1 +
 config/hosts/public-web-static/secrets.yaml  | 233 +++++++++++++++++++
 config/hosts/public-web-static/sops.nix      |   7 +
 config/hosts/public-web-static/spaceapid.nix |  16 +-
 flake.nix                                    |   1 +
 6 files changed, 265 insertions(+), 10 deletions(-)
 create mode 100644 config/hosts/public-web-static/secrets.yaml
 create mode 100644 config/hosts/public-web-static/sops.nix

diff --git a/.sops.yaml b/.sops.yaml
index 2e7e376..c42474e 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -14,6 +14,7 @@ keys:
   - &host_age_forgejo_actions_runner age10xz2l7ghul7023awcydf4q3wurmszy2tafnadlarj0tvm7kl033sjw5f8t
   - &host_age_matrix age1f7ams0n2zy994pzt0u30h8tex6xdcernj59t4d70z4kjsyzrr3wsy87xzk
   - &host_age_netbox age13fqs76z2vl5l84dvmmlqjj5xkfsfe85xls8uueul7re9j3ksjs0sw2xc9e
+  - &host_age_public_web_static age19s7r8sf7j6zk24x9vumawgxpd2q8epyv7p9qsjntw7v9s3v045mqhmsfp0
 creation_rules:
   - path_regex: config/hosts/git/.*
     key_groups:
@@ -79,6 +80,22 @@ creation_rules:
           - *admin_gpg_dante
         age:
           - *host_age_netbox
+  - path_regex: config/hosts/public-web-static/.*
+    key_groups:
+      - pgp:
+          - *admin_gpg_djerun
+          - *admin_gpg_stb
+          - *admin_gpg_jtbx
+          - *admin_gpg_yuri
+          - *admin_gpg_june
+          - *admin_gpg_haegar
+          - *admin_gpg_dario
+          - *admin_gpg_echtnurich
+          - *admin_gpg_max
+          - *admin_gpg_c6ristian
+          - *admin_gpg_dante
+        age:
+          - *host_age_public_web_static
   - key_groups:
       - pgp:
           - *admin_gpg_djerun
diff --git a/config/hosts/public-web-static/default.nix b/config/hosts/public-web-static/default.nix
index 60487fe..9ef00e4 100644
--- a/config/hosts/public-web-static/default.nix
+++ b/config/hosts/public-web-static/default.nix
@@ -6,6 +6,7 @@
     ./networking.nix
     ./nginx.nix
     ./virtualHosts
+    ./sops.nix
     ./spaceapid.nix
   ];
 }
diff --git a/config/hosts/public-web-static/secrets.yaml b/config/hosts/public-web-static/secrets.yaml
new file mode 100644
index 0000000..5802514
--- /dev/null
+++ b/config/hosts/public-web-static/secrets.yaml
@@ -0,0 +1,233 @@
+spaceapid_config_ccchh_credentials: ENC[AES256_GCM,data:5IClrKKMO/AztQuGabrnoRFItYNeEmVWGeafomVO94pL1RKzL1sCxBxnmzvJFPb/8Y+6FXMh+Mim4DP8B2RaJMLpmqCv+76N/5+527SZ6gn9i2Klg6q0kD9RzJv40qHq/NYLCa24tpcZDt7eB0EOgqLsKUmtX2LrQjjnN3NzjAevJGKQ5ypnb7xygjft2KrpvlR1hMnZ0XpSLDTNR1AmImxE24JtDaJKzwXbptr2IZvm1UFkNslxdqHPjN+N8+MSSLhqHy/FdcY2ADvsTX1jtjnjkb+9E30QOeCiFPKSmWtSGiQ9sPcQna1yr717Vk0EiNSAWDQ2fMZyJUgBXG6w3wiZbxfJmxvshLPs5KguF9NHER+Seps1QiE0p16c0IS/0Y24UYrK2GyUIcSReGufjxUFGTJHFSsNANac34H/RTs7BkoZ,iv:8WzTRaXVeH5GKmigMVTLVBnhy6nXZnTZHLAYHcqDs2s=,tag:jTdgz0gmruMWWDBQ3h70vw==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age19s7r8sf7j6zk24x9vumawgxpd2q8epyv7p9qsjntw7v9s3v045mqhmsfp0
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByclhsVmM1TTVCY1ljcmxz
+            TkNMQnhUMGsvWlQyTkZtQ1RDTjhoYVBhOWlFCk9ERUdvaTNBQ1QwamtleTJPbUo4
+            dkpYYjVSR1J0UkJML3RtUlRXNEsvTFUKLS0tIHNTdEFGL01vYStRaVVmWFZySWZM
+            MzEvb2IvZUZwSTgrL282VU9WUVpGNEUKFg1INcr/YbkmV6/F/4hWbTXj3PCscAMY
+            dlr4Pii9Tbhn39yOXyzt3DF+XivkdMsG7fQTHSYdvzMAnvEJ1CLOtA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-05-26T01:21:16Z"
+    mac: ENC[AES256_GCM,data:ENLJIlcUXLEt+vXp/F2YATUZrc9ZjaE4AWwvG280etdsufEw/vGAWBhG2KT+CkcZLaJ4ctVvNlJEqU/pRzae+m/43SV3GNAG+jjT2VmNm0NyNYN27bpsj4tq11D27LPn7CkfBUB0gnmGJXVKalxhFkHBf+eq3ted8dPIv9YNRt8=,iv:Yfz7scjN3qDY9lV1SYOqrejiEwf4dVSPJhiFRJyFPio=,tag:SOw4Nhx6wwYIisRJl0SSRA==,type:str]
+    pgp:
+        - created_at: "2024-05-26T01:20:22Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMAxK/JaB2/SdtARAAkz8cMmtau9sLQQFafUnjIkuq8UWKn9TFcAfjAWDjnLTx
+            WAP4RQE56FXzVCo3DXWvucOjOlVNR9Y86x99eXaMLgYLtJfOTZOCbn2nSIDxQI1S
+            XNHAPEXEH/UXEoQ2lffIjR+VfSOpJlwD6acfVEu13NZMvxlO9/51EOvAAo+qKa0L
+            EwMczgDh8QsYohBV13UIxC3Et1Hsj0Guawrx4M6pzL4OvXGUKkpDfw4NCx9to0XK
+            3L4k+DHur3KhpZJg4QhrM1O1XJeb8RdlkCBMCrcteXkzKMQotVeee6Avr7kfti9s
+            R0hYuVswmiRJP+dxkQx1n84nnFkakY85LOxXIv7Mo3CT5xV/n/teUgZhyU+97aK0
+            Soq68sBMBqo8v3Izrfi1wp5iF7nnjbkMBzkDVFsRkA7bqYlEpTqZenzTzdEhm/Kt
+            e+A1mY+hcWI5Gr3kkz8+LGOXgBHHjXjVslK5+KmOxzcpm77IBIQCXaTViUwTJPbW
+            kmrDT9MSiS+bpTHS6NPLgRz21FltbCL4d0QD7bCiMnLjdeYwfRzT+if/yR6YIGMb
+            1I2odrB2Qf42CXHZooB/fV5OO5ziUXBpos3HZLxIvCUjOHyCYnoL1s4M3A6Zjf3v
+            0rZvSOy0UNwYwSbxRe5G9Z2xfFddFCTE5dp0cPV2RUEVMVlNU/kgpsMtxCFwIN/U
+            ZgEJAhDOqBVfz4bsqSMs4t2I4Vys7oeOfYJveNT88qc/PNPqjXgEoWSWp2DZdSvV
+            dNHaoVQHHRyZbRxfIwe0q+xoNjv6H5NafDIMnRk0gWl0gCSJQpCIQ9j1IQrXUoPq
+            cArG8aqHSA==
+            =rUJB
+            -----END PGP MESSAGE-----
+          fp: EF643F59E008414882232C78FFA8331EEB7D6B70
+        - created_at: "2024-05-26T01:20:22Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA6EyPtWBEI+2AQ/+PCUJ7JMkGZ37gSURfBI/fM9Ow1oRp1MH8mHiflICRsio
+            RJhrcuThlqWHYYSFE1OlQhha8Uu+s6oaps153LKS7ZH1dzomqr5H8LfuKsaO6GDg
+            QyuiSGGAfudtyQ5ILN1CHjO8ifh/4469J7P/SyKkQ2AhZGQePbGkrR4kqGhj5axn
+            fY3Ar8HreWssm30k797x6zSs0z3BDS5vUd8JZjpt2E1nmbVTX5dLcDud06UwE3ae
+            B6lC+T/lxwp4LptskgsaBiikPTYspPAL8M1yG5XxKvvQlU8a9Lta7jOoXWnJ0kYE
+            mLoSRFBxsQsrpir4msR3oEXS7H30gkCT5j8bLdON+vbbK3d6nE5v3SXkOZhJKm8P
+            Zhk70lkj1HWe1uh5XRRAjn5YDelnipuml6dQMUJdxw8YrUmnVXjL+AGT0p0gcf3S
+            kMU6FZfELOmdR1zqCt1HicVQDmQJA2wct2+2hXRRQ91M/FAxCILOA/mqq6jZNrw1
+            uz1Sa43IlI5lz/ts9bIhR8rZj/Iuq18tRgmKdLhxtuJyZKcN1v1CDiIgNOvlc67x
+            ydVbVHygWVs95WZyya/PjF1+K5Tuq+VkfHMIJz3cW5xDy4PwYS8GsTqG6r8gEYbx
+            Qn2NC3h2gtrJ76/Qo8xs+8KCbQAUgST/uSJRK8peyhvqJXSrbhFBvq7ewvJbroHS
+            XAHl1yNdyWNwC9t2G9twEd9c2FjLuyXGhrincAcQ0gdH1jhKHY7/LoBiVIRMBJDe
+            kDD+RjcCB9jXRGln/l4teKs5TeCKzpaJiONEcecl2tSqjSaOzNE8rJh0kihH
+            =Edso
+            -----END PGP MESSAGE-----
+          fp: F155144FC925A1BEA1F8A2C59A2A4CD59BFDC5EC
+        - created_at: "2024-05-26T01:20:22Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMAz5uSgHG2iMJARAAzGzj3TJVDsnArDe7GziE2avL5WHkHFUJNoQcEBqNhfTU
+            PNu8RKSpKelWeOFEFzgr3Q1imapoR1+UXzTC1dP0QL+6sEWiqImxrbHygpm9tPSp
+            HvLMIvAvS0zPjX9q7HFgsw2fm489To0tuEK0oTFcayatAAijpWBl63KyslFbk5f+
+            tHSnaYTeRZq9QkRZlNGI3uJgMXyrHnmoyUUIb5wdKKQ2tpt1nR5okh307kU6fwqb
+            vT5ylRSTEZ0eWDyQbb0hThJkQS2j8QnsBN/xabDN8QGTFORrPDDobW3iro22SKJv
+            iVyh1yAm7QiA9yTdqcB8J1QuYvnP4RzSoCSNCAK0gZ+DklPUGC9DIEK4VTdmUaWs
+            cJM/dZw861D8Jnavf2RToEa4binehYHvi/+TNv7vBE+2xe9cp2Y3UZq891gHKbmr
+            OdlaIUv5yvU6dJfV/aib33PoGxcim1jGmRnDDu+aYv215WqoUxfNniib/HcNFb9M
+            JT70R4Ixo6Hnp9DyvSh+wGKPGg2WRuwrspbAjFucwMdBuY4a3XoBE4QE8QhFjLWc
+            2JTegdfx4yKovY9raJ1U5LxYWkErpfdvPgYOpn2xIvhHBy9Y9F8RgnI5CIyQ2haO
+            KL82cNunEeljvluG+vH5bhbWNOjWKcRXfy474+KOBGSu8UJsZJr3s8n6RSAjmN7S
+            XAE8nvvN86y/RxvwxG0qUX3tEjVZwvipqrzxeAcY2lEX1zFpW8HyHzqWlnpN2LlG
+            pfqdqn6A6wocTpuaKhCWNc34Ws4uJ+XJd59nrNP6j/4Wl6SenxcJef7bgqru
+            =X/V9
+            -----END PGP MESSAGE-----
+          fp: 18DFCE01456DAB52EA38A6584EDC64F35FA1D6A5
+        - created_at: "2024-05-26T01:20:22Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMAw5vwmoEJHQ1ARAApyVhDae44C6aOlE8j+oAmoPWBiTc0j6VGAwo7y6OzRVx
+            p6W/l/ALDRd2eVfttzTtS/J3EZ85gQEt1RTOVTR/vTTL1j+XzNF6adPuC2+uJBAb
+            FFhiReuD9YGyT7aW84qmfI797kKFfdkjIUiUr62iGr+kJ/urC9JK2mNSnhKJVTct
+            lP0HA0vrUlEHzU1LACUWw2FylyOpO+248Nxx+SXgP8ol3kQk0hAGtEq3+p7ViQdl
+            K9fYMM5bxlNGmMav6WVaR8ipyjf7Q6jrwOrtNymVlxKoWfzuQy8o0ACsn2PADeG9
+            QZsKAmbp33S1hVYdTeXajTlPwtHhNewkxIQdahP2Ni1netzV6I8kp3HHoGO1XN0i
+            TtHlqZnd9/aJb5Uvuqsz4Ei+nHL0WGS7UJYKphWfw58MaYGkJ9xwEZVxoEWY9+ZQ
+            prQrXbIwbt6XJnuDnlgO/XZQs76/h/SAK9JQoXV13mC00SwcNqB9iav7S9+d5U3H
+            QOerfUDzEOjE9AehSmeruaNIdqr/V54dY9eQFGQ5hrM30JTycWdhxl0TZkAYsT+d
+            qd79FKXceBSodL00kg4OUS1pGwI7w6pe7RsQZ0hl9O8X8JXsRebe8Ardyh5oGe+W
+            yiKKGj0xi63MdzVm8r6FH4HoWPnmfTq5gcI8urUB/157aU8jlJen3TM4i4bwydzS
+            XAEldvNa4/1McnNpPAWGDNPGObSg71kAIR/opGGkS8atywKgkNSCUJ6wAJhyksqd
+            FVdrCl5Mt3GSgk5uVWeYfDuuIxM/aZ8WMjxjtxQMyOnkXQYmQD+D6dgkqiTb
+            =q5Tx
+            -----END PGP MESSAGE-----
+          fp: 87AB00D45D37C9E9167B5A5A333448678B60E505
+        - created_at: "2024-05-26T01:20:22Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA4HMJd/cQYrVAQ/8Dc0JtpbZLDLway7kk2YWhLvjTmBRzIZCAaa9WSEuDVWg
+            u1koIDIaeAi1Y7xNUbDeEACMo1gT23mRG7Dy6QSqi+6DUY4f4v7/UCwqyJdwAb0V
+            ig6ENedYzYoCKZ3t/kqeeZmKnQehj2hzmIci1avzQjUmsI+u1YGJOZGDCPK9W1CA
+            nkZ69BlsI7ZWwkaO7J9KKd8wLp1/XVcSnRjYxvowOHmUyDd1Mlm/I+umcqWZU9De
+            hXc9/4cPkUk+h5c4M9XeFFqxorOozMK0dyEBjFw7Dd7BMyPfyh5OnxPazp/aqgz3
+            T6SxedaTv0kH8U8dNkPkGc5NYv+D8gfZb7kLdzDglGvcHwL3HTwq7JUCFVvzCD9y
+            PN5XvFYIzwd1cxAbozhzX54almMFgvd8d1v+03ioEjxOJbAqMXRTgd8C5xUbFvH8
+            SJ8v4YsN5XksT6AME3MyZAZgWgbDqdQDAtUvP2cWlBFFJz4+43+71sec4AK9bqph
+            mG/aTXDHAQ+JjLUGH+hul87F+mIa5WspbSYJ0hky1Sz7JBr1153X1xutFMiIqafL
+            GwfUzkDqIY2AKZPocqyRthLUkSaf2axLdWMi3VfErzD8fu9XhpM7xY/sI1S7sCBs
+            HGfjBTF2zTvyNo4cS5SPW1QXGrGoAy6cpxJDkuOQMq/YvW2kIeO4Wv+as3TUtLzS
+            XAFxzoYXYbes+SGlxaRYY62CONNdFpvF66q8IgDN1/QNC0j8g0gE0bNc14KOamxr
+            Qg43kRmxOVlB+zbpY5lYI4YL7XbFusFGM9dKJVg9g390nRgDnD4yBZXfqkq/
+            =rthq
+            -----END PGP MESSAGE-----
+          fp: 91213ABAA73B0B73D3C02B5B4E5F372D17BBE67C
+        - created_at: "2024-05-26T01:20:22Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMAxjNhCKPP69fAQ/5AXvpR4o2fsfev/U/qdJ5Zz8jKwGpZ+xAhEEL8E64+f/P
+            Y542Oqig04emeGgvZat+jnc3ihKa+Z6k1ysSd4cod/yDUAy4NVtYzTsTziDekmaF
+            A1nEkbZoBrwXHQVGnO0PtFttqa0JEr5LcFlYgF8NIQRTQSQQgKp8p3llUFZYx+Pb
+            vuhOtWbZMFtl+yq0p03nDP3mrj32nPyyLIngvj82jMRQmw0em+Zw1JAwIIg3svWq
+            bp6F9a++PP2Pboc/piEGT3BIq/41gjKoIwz9m+p0NoSIcDRgmIIxflS9vzG/APC9
+            E4lVM/U/px0OmLcrmlBTjQ7HwHhVEVEYjZiByeHCm5UjSYWF6yHcmyLp9etD3GsR
+            pPwFsmc2PWFiEWrM0aV+3EPGkSV1Kwkvd7v34sRqAsGkb8HO5KxtfIQMccMqwMRG
+            kwBUgLcVuft9H6k2N+MHY6yidr4LLopGfd2FZ8BkQGNy9kIVNdZw9v+6R5HkVpoD
+            cY0NpzwvX21M9CPuMoXzjwXLnoKHHt9sWoxL7L0XIjyTkvKmETFqvKIY7cPFU837
+            4uxnsPhVESL3UfXrIk3maCgIZfFFL60eglVHdSLUy9XvAIXkLrLzqZLTW0LVYsuY
+            ZAlqUkkqZ4jjrF9OlmHsjgn5znOiMlW35bcKppC+MonrNXCJHjCdGmpj1v0cc4nS
+            XAE0EBSF6XDG2rxXETyWzKJurkfveD1njjcRwYeBiBRZEXKKqWuICLIgR5h/WBQI
+            KPv2k2RhxjH6Zk6FWgc6EWhIWUM/6+zN24m5VnAgMg+DRp8d1mO6t4ZaS+WU
+            =p4B8
+            -----END PGP MESSAGE-----
+          fp: F38C9D4228FC6F674E322D9C3326D914EB9B8F55
+        - created_at: "2024-05-26T01:20:22Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA1Hthzn+T1OoAQ//Z0+gyWwynvznK8WbrU9aP583JpI53BilDDl+dJ34P28f
+            Kd2wr/l/Aw6QZ43kp0JGA3ZMB9SbWKy56L6MXPcDXHM42ojRCN1Z3am6NZEx4M+K
+            cstyV9qHZp/bUQjlUna3eZBlehHgRM0tRCKn/83Gi08nNK15wRlfZR5tg0aNbdXT
+            4ymxyUfA3+n8k4K/rZlBxJ59UESUcuUJCb/oPiUCrS7lXJwA8f85F5/M9t7D1xwO
+            2AfkoYl5b2NU48JrICY7SQp+xYg0jwEB2nAC/Gpmk9FGxCMIeFIT4MfpGmMah0t6
+            +2qDWQFQ86TEoAHVTqcW77Qmw7WLjNm8oLh0FWYb8VxaRo2B2jnbTtC0cosLWyl2
+            TrOwSYfzOOclQQchbmoK1JQb5+dUV+qUN4BO4MuI0mSXk85QFys3CY9a9X2pRXSh
+            SW7uMCj3SQ784uoYDBNprIYv4qsfzTEgCxrG9Ev/h35JyuNUr/oKGVsVfsLETJC/
+            Leepo2FjQIzr9qe52AVcUe9JH++jrPOgUM6JQEHHz+jp+N9arsuTGakxu/5saNjT
+            +E7WtWdBM5mtr82DDoTKsKLEUJKsMKFpQovFjvz5tgCAsoMhFP5oem2gbfOVi2+A
+            uQjQH+xJow4OMjb58Qx7fILcky6XYDTNWn9hlf2zrXmtEnhkSwf6U/Gyo71qCtDS
+            XAHIEr8bpFS9ndb1tchTO8mcDANnKLWttuqs/UdN/W0nl895hIP7C6esi7vLF1gM
+            OfYLVy+X8FyS5hpjd9rcEd5jj7XBMJ4kHaW7QLMGWHYS2zLjGOhYHS4rt7nk
+            =hag6
+            -----END PGP MESSAGE-----
+          fp: 5DA93D5C9D7320E1BD3522C79C78172B3551C9FD
+        - created_at: "2024-05-26T01:20:22Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA46L6MuPqfJqARAAi01+TuUHgBT2UH75pacaptBmEYedNUkzqhUn98AA1yr5
+            PtYV1NGNP/rq7LDXP367yXhCslrwr+1BO7qnfAsEsEFr6InAyhOyZmAs18u5ilwc
+            RxW5EXrANm8SQLODBPH3/gxltpW7vzfayxdTOTNyCUH0x22eKfYknawOfpaMevAm
+            95nhILE05Unqd4FSoQId+Zw6djuMdSdQ6iAANKmvRpgs1Y8RNb9P/JG1TmbVvqQm
+            dbx5hfoLuNnLR4q0r64tGej0iVeBljSjUDrxusjMkhwgiinFTTz8oNoLoOuPjPMm
+            MymkjV1m6HzdwB9JMU7kMcHDEsqhXiKcxZ5mPDQJIXSG7TTuIZndRsln2ske9ibm
+            uZusIC7y1868R409UWhjGXjxsoFzqOKpOCo8tFoZSdE250E6o7U8PKOgSUxRAQlb
+            va7LUhP10ODZof5jM9xUDorrcamT1kbnmz4SlYDIOSliR0ofsmX0ObyxZmL3CZhN
+            /iC5BVv9D14U7iU0PsKZl0XUOP+urJwSZSCid0zq8rjUXdqy0YH81eBG9Y360ZHB
+            AlfhfeaYindnJYkPpZe1XWyI0yaKOjrKgdz8/vuDTZWyNseKAcofA7cgjUHtIUvu
+            uMPhFk+RHd0xZnk3yrlTnEOht8MiAZxVFPk3NK/P7W3D3r0li5D5f7+2ph8RsI/S
+            XAFXDSRXTIDsHCWPjvTAftTKbS8dq4A28yFHJg8+Ber+RxBbOWH7NpBIgmO2SNAJ
+            9CkU9neCROJuNBY9h0Xl4Yp7g6XNOeFeWdgxqJgZWhoKYSR0W8ILzQD45PXj
+            =ALYc
+            -----END PGP MESSAGE-----
+          fp: 8996B62CBD159DCADD3B6DC08BB33A8ABCF7BC4A
+        - created_at: "2024-05-26T01:20:22Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA4EEKdYEzV0pAQ/+L9uVnDe2jK1unhCFjKv0YhHobPNSQAhXaYoIiw2qTJ/q
+            ntduHgPFvLjQdeGT6EsfS+vxGcsLtS2FlG8woiLzX0iyc9sB0AmcwwKdG2FwyemY
+            +ZPE8BfjVKrGq0oiYASIceYxTfdp1kNX2aTIpuBzm36ccHQb/RSzUhEeZjyN4xtO
+            c6j8HJ6TANoh4eBG+X4LDVGFQPMToozqw/2hX5HPn+EDqP6Egprf/6hAetX4VcCk
+            csbP2AB2wl75U8Q8xSmlNUj/CTz4wpOpNj5tjsADP/ZlkH6EUcGIPk3+BC6ovy54
+            zoydEnTi6uy+gMAZDLP2bRdSgjW887TIh3qPsZiyG0SEygC3B+Fb1EY/NIL7Yh5R
+            mJDdMbrAb9rBSXYS1ptLvq2QSjbyIpVK2n+PLtycySsaktsAEopotlwxlbf/QSBv
+            FCRgws0djwZ4+qtXJ/D1pMNSHD4sdRxGANPdqNJem7S4fHmegtlVWNphDP8V2bUa
+            krGYBc0pn/cTusEJgkccp898ghJQ7bjKxD41qtIkfceB8FnaKgdxBrNfIrucaMjb
+            xv0NLk5NLTCbv/ES5R6Pb4MDKEBpInUp6gygcbaDybyn5lu/jT+6pYFp8Sq0F81B
+            +Vk7+iz9MsV8Yz9dHJnqIiypZREF1KRPWpenNAK9XGdy5SxezfBS7Zz1VShYgoPS
+            XAGKmeK4A1VarYym4wSb/AXhT6HXLBM6VWB6OFvz3sXR02sAUI7GXuZOjY2raezt
+            Usn+dhqFnRUHgUqgtLYGXlgyXiSjUTGQnh4c18n/mkbApUKcTdX2VigoivLo
+            =Xjqf
+            -----END PGP MESSAGE-----
+          fp: 9DFA033E3DAEBAD7FDD71B056C7AAA54BE05F7BA
+        - created_at: "2024-05-26T01:20:22Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hF4DQrf1tCqiJxoSAQdAEZMgepQuERqKK4S8uiXmIYIRdeN5swy6S4hmzdL3yj8w
+            E45ScSNMVsvKD3pQq8EqxTFPb5pQ+2LfpP8gbbhYoDomGDm4tcbr8pyH3AXXoFwl
+            0lwBFFDJa1GSmHSgnJqrIaqmOZJgBE5t3IEIiDQksVjV7KTwPMwoU+wx42AAU/dS
+            hjxQwPAfpwO9mH6FN4JC8OTVSU1VfWLCO4e8HroG44c2gOxFfnflaMjaXuIsDA==
+            =kkiD
+            -----END PGP MESSAGE-----
+          fp: B71138A6A8964A3C3B8899857B4F70C356765BAB
+        - created_at: "2024-05-26T01:20:22Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMAzdAjw8ldn6CAQ//Z5yRTQUt73bYUIrnaBPwQCLB4lmlutSICdQvdlQFcqDZ
+            Tw0kBNBS+4dEhxlYuEmCJgM6H+2KEH+6/M5IdFErlTz8Ly0R73adlSMu0R+os/6i
+            clLQQAwWIyFVuRaaNxSDdJ06sl4+hZyGZlbpo9kYBjslTUpJC4urvc+6xlRnlIuf
+            gae9+Zmh1K9+BpUH5svExyTERwWQI1HzvcqSc+tsEYugNvJitBHTyfpFN8xjtbns
+            h1aDXgKo4riFHzlZHftWfaLdot8++0jgluc7fCNXfnNVYf+nREIP49A/bkDFH4Re
+            Lwhq1iQte48KE0JKiaXDsAwLSanNYOfEZo5LSAFYAaEGJ6gUwnyoRgH+2T9FiWoJ
+            Z3myWbrm0SUr8Za2k1AA1FGz8tmGppxGZp3llyqaY/hbP84myfnfpvis6IUAzyfl
+            xMZOGs0Q3VlOJRAYXOWS64oM6cvCg9rJiOsPMr75P+9nWhz+Ur/X8hPTPr4ku/D1
+            ewUhDd406/a7aAGe7m6RyRnVCK2mybuKKYt3BGu0usYvKcPIMUYq+g2zqt6/fQ5r
+            gS2c+uuvMqM6o9dxkRxZWt99o8E29cGH51yl9IdrXsr7F/EyymjBENQxbDApp9mG
+            DHokBg9QdRvwRyyC2YBttgob8QrkZTI4xE7oRFaq9wuZqhjv6VGZXO0jauIRYV7S
+            XAFidvRJ2EMZlPeVpDkosbXLsux2q4v0ECXy1ciRRYJn50vLN8Fqk2fKg4aKkqeV
+            riCQgu8aliCMtTRTa+/NQoTpXbqD9XaPz8hf9betygs+6y3zVyBn7k7WQqmj
+            =yfan
+            -----END PGP MESSAGE-----
+          fp: 3D70F61E07F64EC4E4EF417BEFCD9D20F58784EF
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1
diff --git a/config/hosts/public-web-static/sops.nix b/config/hosts/public-web-static/sops.nix
new file mode 100644
index 0000000..b4548ed
--- /dev/null
+++ b/config/hosts/public-web-static/sops.nix
@@ -0,0 +1,7 @@
+{ ... }:
+
+{
+  sops = {
+    defaultSopsFile = ./secrets.yaml;
+  };
+}
diff --git a/config/hosts/public-web-static/spaceapid.nix b/config/hosts/public-web-static/spaceapid.nix
index 86d40bb..13de76b 100644
--- a/config/hosts/public-web-static/spaceapid.nix
+++ b/config/hosts/public-web-static/spaceapid.nix
@@ -38,7 +38,7 @@ in
       After = [ "network.target" "network-online.target" ];
     };
     serviceConfig = {
-      ExecStart = "${spaceapid}/bin/spaceapid -c ${spaceapidConfigResponse},${spaceapidConfigDynamic},/secrets/spaceapid-config-ccchh-credentials.secret";
+      ExecStart = "${spaceapid}/bin/spaceapid -c ${spaceapidConfigResponse},${spaceapidConfigDynamic},/run/secrets/spaceapid_config_ccchh_credentials";
       User = "spaceapi";
       Group = "spaceapi";
       Restart = "on-failure";
@@ -47,14 +47,10 @@ in
     wantedBy = [ "multi-user.target" ];
   };
 
-  deployment.keys = {
-    "spaceapid-config-ccchh-credentials.secret" = {
-      keyCommand = [ "pass" "noc/vm-secrets/chaosknoten/public-web-static/spaceapid-config-ccchh-credentials" ];
-      destDir = "/secrets";
-      user = "spaceapi";
-      group = "spaceapi";
-      permissions = "0640";
-      uploadAt = "pre-activation";
-    };
+  sops.secrets."spaceapid_config_ccchh_credentials" = {
+    mode = "0440";
+    owner = "spaceapi";
+    group = "spaceapi";
+    restartUnits = [ "spaceapid.service" ];
   };
 }
diff --git a/flake.nix b/flake.nix
index 72b89c0..ec4d55f 100644
--- a/flake.nix
+++ b/flake.nix
@@ -175,6 +175,7 @@
           imports = [
             ./config/common
             ./config/proxmox-vm
+            sops-nix.nixosModules.sops
             ./config/hosts/public-web-static
           ];
         };

From 7c7da0db052ca7638ce5f7ff926d2250699fd703 Mon Sep 17 00:00:00 2001
From: June <june@jsts.xyz>
Date: Sun, 26 May 2024 14:39:28 +0200
Subject: [PATCH 046/170] Add a nix box managed by June

Every admin can login as its own user with the keys listed here:
https://git.hamburg.ccc.de/CCCHH/infrastructure-authorized-keys/src/branch/trunk/authorized_keys
---
 config/hosts/nix-box-june/configuration.nix |  7 +++
 config/hosts/nix-box-june/default.nix       |  9 ++++
 config/hosts/nix-box-june/networking.nix    | 22 ++++++++
 config/hosts/nix-box-june/users.nix         | 59 +++++++++++++++++++++
 flake.nix                                   | 13 +++++
 5 files changed, 110 insertions(+)
 create mode 100644 config/hosts/nix-box-june/configuration.nix
 create mode 100644 config/hosts/nix-box-june/default.nix
 create mode 100644 config/hosts/nix-box-june/networking.nix
 create mode 100644 config/hosts/nix-box-june/users.nix

diff --git a/config/hosts/nix-box-june/configuration.nix b/config/hosts/nix-box-june/configuration.nix
new file mode 100644
index 0000000..7dddcc1
--- /dev/null
+++ b/config/hosts/nix-box-june/configuration.nix
@@ -0,0 +1,7 @@
+{ config, pkgs, ... }:
+
+{
+  networking.hostName = "nix-box-june";
+
+  system.stateVersion = "23.11";
+}
diff --git a/config/hosts/nix-box-june/default.nix b/config/hosts/nix-box-june/default.nix
new file mode 100644
index 0000000..cb94765
--- /dev/null
+++ b/config/hosts/nix-box-june/default.nix
@@ -0,0 +1,9 @@
+{ config, pkgs, ... }:
+
+{
+  imports = [
+    ./configuration.nix
+    ./networking.nix
+    ./users.nix
+  ];
+}
diff --git a/config/hosts/nix-box-june/networking.nix b/config/hosts/nix-box-june/networking.nix
new file mode 100644
index 0000000..073250b
--- /dev/null
+++ b/config/hosts/nix-box-june/networking.nix
@@ -0,0 +1,22 @@
+# Networking configuration for the host.
+
+{ config, pkgs, ... }:
+
+{
+  networking.interfaces.net0 = {
+    ipv4.addresses = [
+      {
+        address = "172.31.17.158";
+        prefixLength = 25;
+      }
+    ];
+  };
+  networking.defaultGateway = "172.31.17.129";
+  networking.nameservers = [ "212.12.50.158" "192.76.134.90" ];
+  networking.search = [ "hamburg.ccc.de" ];
+
+  systemd.network.links."10-net0" = {
+    matchConfig.MACAddress = "BC:24:11:6A:33:5F";
+    linkConfig.Name = "net0";
+  };
+}
diff --git a/config/hosts/nix-box-june/users.nix b/config/hosts/nix-box-june/users.nix
new file mode 100644
index 0000000..9f1b217
--- /dev/null
+++ b/config/hosts/nix-box-june/users.nix
@@ -0,0 +1,59 @@
+{ lib, ... }:
+
+{
+  users.users = {
+    chaos.openssh.authorizedKeys.keys = lib.mkForce [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOqCxniUEAZAYqL5zbisFfYcQx+7iDRrMo4Pz4uWXq5b julian@01_id_ed25519" ];
+    colmena-deploy.openssh.authorizedKeys.keys = lib.mkForce [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOqCxniUEAZAYqL5zbisFfYcQx+7iDRrMo4Pz4uWXq5b julian@01_id_ed25519" ];
+
+    djerun = {
+      isNormalUser = true;
+      openssh.authorizedKeys.keys = [
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGWXk9N9GoDyvaB0mnX448IvzKKsMv0eFZKvjqmsJ3In djerun@chaos.ferrum.local"
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINQsu6WSAXsF45wGmw2spQUWopsgioUuFI8hKLBW/WVk djerun@chaos-noc.ferrum.local"
+      ];
+    };
+    june = {
+      isNormalUser = true;
+      openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOqCxniUEAZAYqL5zbisFfYcQx+7iDRrMo4Pz4uWXq5b julian@01_id_ed25519" ];
+    };
+    jtbx = {
+      isNormalUser = true;
+      openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIBQgnQAq6FUSDK8bxtYPjx3oRCAKG+xy9J3Gas2ztJk jannik@Magrathea.local" ];
+    };
+    dario = {
+      isNormalUser = true;
+      openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPZtJwNPEIfNsAxBfWgxAeoKX1ajORPvs6L5S+qipJ7J dario@ccchh" ];
+    };
+    yuri = {
+      isNormalUser = true;
+      openssh.authorizedKeys.keys = [ 
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDdk3FLQRoCWxdOxg4kHcPqAu3QQOs/rY9na2Al2ilGl yuri@violet"
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJEvM35w+UaSpDTuaG5pGPgfHcfwscr+wSZN9Z5Jle82 yuri@kiara"
+      ];
+    };
+    max = {
+      isNormalUser = true;
+      openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINHNGDzZqmiFUH75oq1npZTyxV0B7eSJES/29UJxTXBc max@iridium" ];
+    };
+    haegar = {
+      isNormalUser = true;
+      openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMhWTkvLI/rp6eyTemuFZRbt2xxRtal7fu668nnb/ekU haegar@aurora" ];
+    };
+    stb = {
+      isNormalUser = true;
+      openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEgVuX9phyXImxqvof+49UXhiSQ+VGizeU4LrPcZY1Hy stb@lassitu.de 20230418" ];
+    };
+    hansenerd = {
+      isNormalUser = true;
+      openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBxujzHK49IBtYKPgnTCDQEiIxgzzlQ846tmU+6TcMIi hansenerd" ];
+    };
+    echtnurich = {
+      isNormalUser = true;
+      openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOWWxkGFje1CJbZTB2Kv8hxZpvRR8qyw2IarRIHnQj3+ echtnurich" ];
+    };
+    c6ristian = {
+      isNormalUser = true;
+      openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOgfWcCrsVSXvYEssbfMOy2DnfkGSx+ZRnPLtjVNSxbf c6ristian" ];
+    };
+  };
+}
diff --git a/flake.nix b/flake.nix
index ec4d55f..8f76279 100644
--- a/flake.nix
+++ b/flake.nix
@@ -237,6 +237,19 @@
             ./config/hosts/eh22-wiki
           ];
         };
+
+        nix-box-june = {
+          deployment = {
+            targetHost = "nix-box-june-intern.hamburg.ccc.de";
+            targetPort = 22;
+            targetUser = "colmena-deploy";
+          };
+          imports = [
+            ./config/common
+            ./config/proxmox-vm
+            ./config/hosts/nix-box-june
+          ];
+        };
       };
 
       packages.x86_64-linux = {

From 58ec317b0295cc68fb78de2b6cfd2d736d64edc4 Mon Sep 17 00:00:00 2001
From: June <june@jsts.xyz>
Date: Sun, 26 May 2024 18:00:20 +0200
Subject: [PATCH 047/170] Use IP address for eh22-wiki, which isn't already in
 use

---
 config/hosts/eh22-wiki/networking.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/config/hosts/eh22-wiki/networking.nix b/config/hosts/eh22-wiki/networking.nix
index 44d478a..bddeabf 100644
--- a/config/hosts/eh22-wiki/networking.nix
+++ b/config/hosts/eh22-wiki/networking.nix
@@ -7,7 +7,7 @@
   networking.interfaces.net0 = {
     ipv4.addresses = [
       {
-        address = "172.31.17.156";
+        address = "172.31.17.159";
         prefixLength = 25;
       }
     ];

From a7541eefa8fc17ccd72bccd84a0831fea8d18bef Mon Sep 17 00:00:00 2001
From: June <june@jsts.xyz>
Date: Sun, 26 May 2024 18:32:55 +0200
Subject: [PATCH 048/170] Add tools and other stuff for a more comf. admin
 enviorn. on the hosts

---
 config/common/admin-environment.nix | 21 +++++++++++++++++++++
 config/common/default.nix           |  1 +
 2 files changed, 22 insertions(+)
 create mode 100644 config/common/admin-environment.nix

diff --git a/config/common/admin-environment.nix b/config/common/admin-environment.nix
new file mode 100644
index 0000000..80fc2bf
--- /dev/null
+++ b/config/common/admin-environment.nix
@@ -0,0 +1,21 @@
+{ config, pkgs, ... }:
+
+{
+  environment.systemPackages = with pkgs; [
+    vim
+    joe
+    nano
+    htop
+    btop
+    ripgrep
+    fd
+    tmux
+    git
+    curl
+    rsync
+    usbutils
+    nix-tree
+    # For kitty terminfo.
+    kitty
+  ];
+}
diff --git a/config/common/default.nix b/config/common/default.nix
index 76bece1..5457e4e 100644
--- a/config/common/default.nix
+++ b/config/common/default.nix
@@ -3,6 +3,7 @@
 {
   imports = [
     ./acme.nix
+    ./admin-environment.nix
     ./default-host-platform.nix
     ./default-state-version.nix
     ./localization.nix

From 41f04732c2f9bbb6b30f8564a0dabb2d1e2565c1 Mon Sep 17 00:00:00 2001
From: June <june@jsts.xyz>
Date: Mon, 27 May 2024 01:43:53 +0200
Subject: [PATCH 049/170] Switch from colmena to standard nixosConfigurations

Those can then be deployed using for example nixos-rebuild or bij.
Also ensure all hosts have an fqdn, where possible, in order for bij to
be able to work with them more easily. Tho not really, since for actual
deployment one still needs to set the target manually to set usage of
the colmena-deploy user.

https://git.clerie.de/clerie/bij
---
 .../audio-hauptraum-kueche/configuration.nix  |   1 +
 .../audio-hauptraum-tafel/configuration.nix   |   1 +
 config/hosts/esphome/configuration.nix        |   1 +
 .../ptouch-print-server/configuration.nix     |   5 +-
 .../public-reverse-proxy/configuration.nix    |   5 +-
 flake.nix                                     | 150 +++++-------------
 6 files changed, 54 insertions(+), 109 deletions(-)

diff --git a/config/hosts/audio-hauptraum-kueche/configuration.nix b/config/hosts/audio-hauptraum-kueche/configuration.nix
index afab440..93a6b53 100644
--- a/config/hosts/audio-hauptraum-kueche/configuration.nix
+++ b/config/hosts/audio-hauptraum-kueche/configuration.nix
@@ -2,6 +2,7 @@
 {
   networking = {
     hostName = "audio-hauptraum-kueche";
+    domain = "z9.ccchh.net";
   };
 
   system.stateVersion = "23.05";
diff --git a/config/hosts/audio-hauptraum-tafel/configuration.nix b/config/hosts/audio-hauptraum-tafel/configuration.nix
index d7b128c..2f14d0c 100644
--- a/config/hosts/audio-hauptraum-tafel/configuration.nix
+++ b/config/hosts/audio-hauptraum-tafel/configuration.nix
@@ -2,6 +2,7 @@
 {
   networking = {
     hostName = "audio-hauptraum-tafel";
+    domain = "z9.ccchh.net";
   };
 
   system.stateVersion = "23.05";
diff --git a/config/hosts/esphome/configuration.nix b/config/hosts/esphome/configuration.nix
index fc13d89..0ef1dce 100644
--- a/config/hosts/esphome/configuration.nix
+++ b/config/hosts/esphome/configuration.nix
@@ -2,6 +2,7 @@
 {
   networking = {
     hostName = "esphome";
+    domain = "z9.ccchh.net";
   };
 
   system.stateVersion = "23.05";
diff --git a/config/hosts/ptouch-print-server/configuration.nix b/config/hosts/ptouch-print-server/configuration.nix
index 1bb1448..33f9681 100644
--- a/config/hosts/ptouch-print-server/configuration.nix
+++ b/config/hosts/ptouch-print-server/configuration.nix
@@ -1,7 +1,10 @@
 { ... }:
 
 {
-  networking.hostName = "ptouch-print-server";
+  networking = {
+    hostName = "ptouch-print-server";
+    domain = "z9.ccchh.net";
+  };
 
   system.stateVersion = "23.11";
 }
diff --git a/config/hosts/public-reverse-proxy/configuration.nix b/config/hosts/public-reverse-proxy/configuration.nix
index 31aa8e8..a80f516 100644
--- a/config/hosts/public-reverse-proxy/configuration.nix
+++ b/config/hosts/public-reverse-proxy/configuration.nix
@@ -1,7 +1,10 @@
 { config, pkgs, ... }:
 
 {
-  networking.hostName = "public-reverse-proxy";
+  networking = {
+    hostName = "public-reverse-proxy";
+    domain = "z9.ccchh.net";
+  };
 
   system.stateVersion = "23.05";
 }
diff --git a/flake.nix b/flake.nix
index 8f76279..dd47820 100644
--- a/flake.nix
+++ b/flake.nix
@@ -25,6 +25,7 @@
 
   outputs = { nixpkgs, nixpkgs-unstable, nixos-generators, sops-nix, ... }:
     let
+      system = "x86_64-linux";
       # Shairport Sync 4.3.1 (with nqptp 1.2.4) with metadata, MQTT and AirPlay 2 support.
       shairportSync431ExtendedNixpkgsUnstableOverlay = final: prev: {
         shairport-sync = (prev.shairport-sync.override { enableMetadata = true; enableAirplay2 = true; }).overrideAttrs (finalAttr: previousAttr: {
@@ -67,82 +68,48 @@
       pkgs-unstable = nixpkgs-unstable.legacyPackages."x86_64-linux";
     in
     {
-      colmena = {
-        meta = {
-          nixpkgs = nixpkgs.legacyPackages."x86_64-linux";
-          nodeNixpkgs = {
-            audio-hauptraum-kueche = nixpkgs-unstable.legacyPackages."x86_64-linux".extend shairportSync431ExtendedNixpkgsUnstableOverlay;
-            audio-hauptraum-tafel = nixpkgs-unstable.legacyPackages."x86_64-linux".extend shairportSync431ExtendedNixpkgsUnstableOverlay;
-          };
-          nodeSpecialArgs = {
-            git = { inherit pkgs-unstable; };
-          };
-        };
-
-        audio-hauptraum-kueche = {
-          deployment = {
-            targetHost = "audio-hauptraum-kueche.z9.ccchh.net";
-            targetPort = 22;
-            targetUser = "colmena-deploy";
-            tags = [ "thinkcccluster" ];
-          };
-          imports = [
+      nixosConfigurations = {
+        audio-hauptraum-kueche = nixpkgs-unstable.lib.nixosSystem {
+          inherit system;
+          modules = [
             ./config/common
             ./config/proxmox-vm
+            { nixpkgs.overlays = [ shairportSync431ExtendedNixpkgsUnstableOverlay ]; }
             ./config/hosts/audio-hauptraum-kueche
           ];
         };
 
-        audio-hauptraum-tafel = {
-          deployment = {
-            targetHost = "audio-hauptraum-tafel.z9.ccchh.net";
-            targetPort = 22;
-            targetUser = "colmena-deploy";
-            tags = [ "thinkcccluster" ];
-          };
-          imports = [
+        audio-hauptraum-tafel = nixpkgs-unstable.lib.nixosSystem {
+          inherit system;
+          modules = [
             ./config/common
             ./config/proxmox-vm
+            { nixpkgs.overlays = [ shairportSync431ExtendedNixpkgsUnstableOverlay ]; }
             ./config/hosts/audio-hauptraum-tafel
           ];
         };
 
-        esphome = {
-          deployment = {
-            targetHost = "esphome.z9.ccchh.net";
-            targetPort = 22;
-            targetUser = "colmena-deploy";
-            tags = [ "thinkcccluster" ];
-          };
-          imports = [
+        esphome = nixpkgs.lib.nixosSystem {
+          inherit system;
+          modules = [
             ./config/common
             ./config/proxmox-vm
             ./config/hosts/esphome
           ];
         };
 
-        public-reverse-proxy = {
-          deployment = {
-            targetHost = "public-reverse-proxy.z9.ccchh.net";
-            targetPort = 22;
-            targetUser = "colmena-deploy";
-            tags = [ "thinkcccluster" ];
-          };
-          imports = [
+        public-reverse-proxy = nixpkgs.lib.nixosSystem {
+          inherit system;
+          modules = [
             ./config/common
             ./config/proxmox-vm
             ./config/hosts/public-reverse-proxy
           ];
         };
 
-        netbox = {
-          deployment = {
-            targetHost = "netbox-intern.hamburg.ccc.de";
-            targetPort = 22;
-            targetUser = "colmena-deploy";
-            tags = [ "chaosknoten" ];
-          };
-          imports = [
+        netbox = nixpkgs.lib.nixosSystem {
+          inherit system;
+          modules = [
             ./config/common
             ./config/proxmox-vm
             sops-nix.nixosModules.sops
@@ -150,14 +117,9 @@
           ];
         };
 
-        matrix = {
-          deployment = {
-            targetHost = "matrix-intern.hamburg.ccc.de";
-            targetPort = 22;
-            targetUser = "colmena-deploy";
-            tags = [ "chaosknoten" ];
-          };
-          imports = [
+        matrix = nixpkgs.lib.nixosSystem {
+          inherit system;
+          modules = [
             ./config/common
             ./config/proxmox-vm
             sops-nix.nixosModules.sops
@@ -165,14 +127,9 @@
           ];
         };
 
-        public-web-static = {
-          deployment = {
-            targetHost = "public-web-static-intern.hamburg.ccc.de";
-            targetPort = 22;
-            targetUser = "colmena-deploy";
-            tags = [ "chaosknoten" ];
-          };
-          imports = [
+        public-web-static = nixpkgs.lib.nixosSystem {
+          inherit system;
+          modules = [
             ./config/common
             ./config/proxmox-vm
             sops-nix.nixosModules.sops
@@ -180,29 +137,22 @@
           ];
         };
 
-        git = {
-          deployment = {
-            targetHost = "git.hamburg.ccc.de";
-            targetPort = 22;
-            targetUser = "colmena-deploy";
-            tags = [ "chaosknoten" ];
-          };
-          imports = [
+        git = nixpkgs.lib.nixosSystem {
+          inherit system;
+          modules = [
             ./config/common
             ./config/proxmox-vm
             sops-nix.nixosModules.sops
             ./config/hosts/git
           ];
+          specialArgs = {
+            inherit pkgs-unstable;
+          };
         };
 
-        forgejo-actions-runner = {
-          deployment = {
-            targetHost = "forgejo-actions-runner-intern.hamburg.ccc.de";
-            targetPort = 22;
-            targetUser = "colmena-deploy";
-            tags = [ "chaosknoten" ];
-          };
-          imports = [
+        forgejo-actions-runner = nixpkgs.lib.nixosSystem {
+          inherit system;
+          modules = [
             ./config/common
             ./config/proxmox-vm
             sops-nix.nixosModules.sops
@@ -210,41 +160,27 @@
           ];
         };
 
-        ptouch-print-server = {
-          deployment = {
-            targetHost = "ptouch-print-server.z9.ccchh.net";
-            targetPort = 22;
-            targetUser = "colmena-deploy";
-            tags = [ "thinkcccluster" ];
-          };
-          imports = [
+        ptouch-print-server = nixpkgs.lib.nixosSystem {
+          inherit system;
+          modules = [
             ./config/common
             ./config/proxmox-vm
             ./config/hosts/ptouch-print-server
           ];
         };
 
-        eh22-wiki = {
-          deployment = {
-            targetHost = "eh22-wiki-intern.hamburg.ccc.de";
-            targetPort = 22;
-            targetUser = "colmena-deploy";
-            tags = [ "chaosknoten" ];
-          };
-          imports = [
+        eh22-wiki = nixpkgs.lib.nixosSystem {
+          inherit system;
+          modules = [
             ./config/common
             ./config/proxmox-vm
             ./config/hosts/eh22-wiki
           ];
         };
 
-        nix-box-june = {
-          deployment = {
-            targetHost = "nix-box-june-intern.hamburg.ccc.de";
-            targetPort = 22;
-            targetUser = "colmena-deploy";
-          };
-          imports = [
+        nix-box-june = nixpkgs.lib.nixosSystem {
+          inherit system;
+          modules = [
             ./config/common
             ./config/proxmox-vm
             ./config/hosts/nix-box-june

From 9d7f9d0ec82445b47d44ef46d9bee5fde6cb6b25 Mon Sep 17 00:00:00 2001
From: June <june@jsts.xyz>
Date: Thu, 6 Jun 2024 20:17:00 +0200
Subject: [PATCH 050/170] Emulate aarch64-linux on nix-box-june to be able to
 build aarch64 pkgs

---
 config/hosts/nix-box-june/default.nix          | 1 +
 config/hosts/nix-box-june/emulated-systems.nix | 5 +++++
 2 files changed, 6 insertions(+)
 create mode 100644 config/hosts/nix-box-june/emulated-systems.nix

diff --git a/config/hosts/nix-box-june/default.nix b/config/hosts/nix-box-june/default.nix
index cb94765..489fd67 100644
--- a/config/hosts/nix-box-june/default.nix
+++ b/config/hosts/nix-box-june/default.nix
@@ -3,6 +3,7 @@
 {
   imports = [
     ./configuration.nix
+    ./emulated-systems.nix
     ./networking.nix
     ./users.nix
   ];
diff --git a/config/hosts/nix-box-june/emulated-systems.nix b/config/hosts/nix-box-june/emulated-systems.nix
new file mode 100644
index 0000000..b6065dd
--- /dev/null
+++ b/config/hosts/nix-box-june/emulated-systems.nix
@@ -0,0 +1,5 @@
+{ config, pkgs, ... }:
+
+{
+  boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
+}

From 46e43e51aaca3865ed1eaaff86b3307d00b645cb Mon Sep 17 00:00:00 2001
From: June <june@jsts.xyz>
Date: Sat, 8 Jun 2024 19:57:40 +0200
Subject: [PATCH 051/170] Add deployment_configuration to make deployment using
 infra-rebuild work

Also document usage of infra-rebuild and its configuration file.
---
 README.md                     | 20 ++++++++++++++++++++
 deployment_configuration.json | 28 ++++++++++++++++++++++++++++
 2 files changed, 48 insertions(+)
 create mode 100644 README.md
 create mode 100644 deployment_configuration.json

diff --git a/README.md b/README.md
new file mode 100644
index 0000000..fff8bbf
--- /dev/null
+++ b/README.md
@@ -0,0 +1,20 @@
+# nix-infra
+
+nix infrastructure configuration for CCCHH.
+
+For deployment we're using [infra-rebuild](https://git.hamburg.ccc.de/CCCHH/infra-rebuild). \
+To easily get a shell with `infra-rebuild` going, use the following command:
+
+```
+nix shell git+https://git.hamburg.ccc.de/CCCHH/infra-rebuild#infra-rebuild
+```
+
+After that you can simply run the following to deploy e.g. the git and matrix hosts:
+
+```
+infra-rebuild switch git matrix
+```
+
+By default infra-rebuild tries to use the FQDN from the nixosConfiguration of the host for deployment.
+However to override individual parts of the deployment target, a [`deployment_configuration.json`](./deployment_configuration.json) can be used.
+This is exactly what we're doing to set the default deployment user to `colmena-deploy` and have custom target hostnames for Chaosknoten hosts, since they don't have an FQDN defined in their nixosConfiguration.
diff --git a/deployment_configuration.json b/deployment_configuration.json
new file mode 100644
index 0000000..2cc3215
--- /dev/null
+++ b/deployment_configuration.json
@@ -0,0 +1,28 @@
+{
+  "default": {
+    "targetUser": "colmena-deploy"
+  },
+  "hosts": {
+    "netbox": {
+      "targetHostname": "netbox-intern.hamburg.ccc.de"
+    },
+    "matrix": {
+      "targetHostname": "matrix-intern.hamburg.ccc.de"
+    },
+    "public-web-static": {
+      "targetHostname": "public-web-static-intern.hamburg.ccc.de"
+    },
+    "git": {
+      "targetHostname": "git.hamburg.ccc.de"
+    },
+    "forgejo-actions-runner": {
+      "targetHostname": "forgejo-actions-runner-intern.hamburg.ccc.de"
+    },
+    "eh22-wiki": {
+      "targetHostname": "eh22-wiki-intern.hamburg.ccc.de"
+    },
+    "nix-box-june": {
+      "targetHostname": "nix-box-june-intern.hamburg.ccc.de"
+    }
+  }
+}

From ef1710b09fdf739fc240e020ad9d295099a24206 Mon Sep 17 00:00:00 2001
From: June <june@jsts.xyz>
Date: Sat, 8 Jun 2024 20:18:59 +0200
Subject: [PATCH 052/170] Configure basic yate host

---
 config/hosts/yate/configuration.nix | 10 ++++++++++
 config/hosts/yate/default.nix       |  9 +++++++++
 config/hosts/yate/networking.nix    | 23 +++++++++++++++++++++++
 config/hosts/yate/yate.nix          | 10 ++++++++++
 flake.nix                           |  9 +++++++++
 5 files changed, 61 insertions(+)
 create mode 100644 config/hosts/yate/configuration.nix
 create mode 100644 config/hosts/yate/default.nix
 create mode 100644 config/hosts/yate/networking.nix
 create mode 100644 config/hosts/yate/yate.nix

diff --git a/config/hosts/yate/configuration.nix b/config/hosts/yate/configuration.nix
new file mode 100644
index 0000000..6b4bb71
--- /dev/null
+++ b/config/hosts/yate/configuration.nix
@@ -0,0 +1,10 @@
+{ config, pkgs, ... }:
+
+{
+  networking = {
+    hostName = "yate";
+    domain = "z9.ccchh.net";
+  };
+
+  system.stateVersion = "23.11";
+}
diff --git a/config/hosts/yate/default.nix b/config/hosts/yate/default.nix
new file mode 100644
index 0000000..62851d8
--- /dev/null
+++ b/config/hosts/yate/default.nix
@@ -0,0 +1,9 @@
+{ config, pkgs, ... }:
+
+{
+  imports = [
+    ./configuration.nix
+    ./networking.nix
+    ./yate.nix
+  ];
+}
diff --git a/config/hosts/yate/networking.nix b/config/hosts/yate/networking.nix
new file mode 100644
index 0000000..225edd2
--- /dev/null
+++ b/config/hosts/yate/networking.nix
@@ -0,0 +1,23 @@
+{ config, pkgs, ... }:
+
+{
+  networking = {
+    interfaces.net0 = {
+      ipv4.addresses = [
+        {
+          address = "10.31.208.12";
+          prefixLength = 23;
+        }
+      ];
+    };
+    defaultGateway = "10.31.208.1";
+    nameservers = [
+      "10.31.210.1"
+    ];
+  };
+
+  systemd.network.links."10-net0" = {
+    matchConfig.MACAddress = "BC:24:11:73:3E:F7";
+    linkConfig.Name = "net0";
+  };
+}
diff --git a/config/hosts/yate/yate.nix b/config/hosts/yate/yate.nix
new file mode 100644
index 0000000..7d4f8be
--- /dev/null
+++ b/config/hosts/yate/yate.nix
@@ -0,0 +1,10 @@
+{ config, pkgs, ... }:
+
+{
+  environment.systemPackages = [
+    pkgs.yate
+  ];
+
+  # Just disable it for now.
+  networking.firewall.enable = false;
+}
diff --git a/flake.nix b/flake.nix
index dd47820..8a8ebf7 100644
--- a/flake.nix
+++ b/flake.nix
@@ -186,6 +186,15 @@
             ./config/hosts/nix-box-june
           ];
         };
+
+        yate = nixpkgs.lib.nixosSystem {
+          inherit system;
+          modules = [
+            ./config/common
+            ./config/proxmox-vm
+            ./config/hosts/yate
+          ];
+        };
       };
 
       packages.x86_64-linux = {

From 579b63fe8999418852a6d87b5e7926fe3c187903 Mon Sep 17 00:00:00 2001
From: c6ristian <c6ristian@christian.moe>
Date: Sat, 8 Jun 2024 21:39:24 +0200
Subject: [PATCH 053/170] Update authorizedKeysRepo rev in common/users.nix

to add echtnurich secondary device key
---
 config/common/users.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/config/common/users.nix b/config/common/users.nix
index c36e20a..ab29904 100644
--- a/config/common/users.nix
+++ b/config/common/users.nix
@@ -12,7 +12,7 @@ let
   authorizedKeysRepo = builtins.fetchGit {
     url = "forgejo@git.hamburg.ccc.de:CCCHH/infrastructure-authorized-keys.git";
     ref = "trunk";
-    rev = "0db6df46b68c07edbefe2a5f9ce4002fb6462980";
+    rev = "da9d3ead9d97ce0fef7538638326264957e2f1b4";
   };
   authorizedKeys = builtins.filter (item: item != "") (lib.strings.splitString "\n" (builtins.readFile "${authorizedKeysRepo}/authorized_keys"));
 in

From 06e52eed74eff22659c8b972e0d4bbc4b9eeb9de Mon Sep 17 00:00:00 2001
From: June <june@jsts.xyz>
Date: Sun, 9 Jun 2024 21:08:52 +0200
Subject: [PATCH 054/170] Document how to use sops and sops-nix

---
 README.md | 43 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 43 insertions(+)

diff --git a/README.md b/README.md
index fff8bbf..c89b549 100644
--- a/README.md
+++ b/README.md
@@ -18,3 +18,46 @@ infra-rebuild switch git matrix
 By default infra-rebuild tries to use the FQDN from the nixosConfiguration of the host for deployment.
 However to override individual parts of the deployment target, a [`deployment_configuration.json`](./deployment_configuration.json) can be used.
 This is exactly what we're doing to set the default deployment user to `colmena-deploy` and have custom target hostnames for Chaosknoten hosts, since they don't have an FQDN defined in their nixosConfiguration.
+
+## Setting up secrets with sops-nix for a host
+
+1. Convert the hosts SSH host public key to an age public key.
+   This can be done by connecting to the host and running:
+   ```
+   cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age
+   ``` 
+2. Add the resulting age public key to the `.sops.yaml` as a YAML anchor in keys.
+   It should be named something like: `host_age_hostname`
+3. Add a new creation rule for the hosts config directory.
+   It should probably have all admin keys and the hosts age key. \
+   You can use existing creation rules as a reference.
+4. Create a file containing the relevant secrets in the hosts config directory.
+   This can be accomplished with a command similar to this:
+   ```
+   sops config/hosts/hostname/secrets.yaml
+   ```
+   Note: Nested keys don't seem to be compatible with sops-nix.
+5. Add the following entry to the modules of the hosts `nixosConfiguration`:
+   ```
+   sops-nix.nixosModules.sops
+   ```
+6. Create a `sops.nix` in the hosts config directory containing the following content to include the `secrets.yaml`:
+   ```
+   { ... }:
+
+   {
+     sops = {
+       defaultSopsFile = ./secrets.yaml;
+     };
+   }
+   ```
+7. Make sure the `sops.nix` gets imported. For example in the `default.nix`.
+8. To use a secret stored under e.g. `forgejo_git_smtp_password`, you can then do something like the following:
+   ```
+   sops.secrets."forgejo_git_smtp_password" = {
+     mode = "0440";
+     owner = "forgejo";
+     group = "forgejo";
+     restartUnits = [ "forgejo.service" ];
+   };
+   ```

From bc98327cda900346961236b050243abe7c39af33 Mon Sep 17 00:00:00 2001
From: June <june@jsts.xyz>
Date: Sun, 9 Jun 2024 21:09:37 +0200
Subject: [PATCH 055/170] Add ssh-to-age to the admin tooling

---
 config/common/admin-environment.nix | 1 +
 1 file changed, 1 insertion(+)

diff --git a/config/common/admin-environment.nix b/config/common/admin-environment.nix
index 80fc2bf..5af7454 100644
--- a/config/common/admin-environment.nix
+++ b/config/common/admin-environment.nix
@@ -13,6 +13,7 @@
     git
     curl
     rsync
+    ssh-to-age
     usbutils
     nix-tree
     # For kitty terminfo.

From 22eff9248873b91bcffdd5a0732a8f607ce1be90 Mon Sep 17 00:00:00 2001
From: echtnurich <ich@echtnurich.de>
Date: Sat, 8 Jun 2024 22:18:23 +0200
Subject: [PATCH 056/170] add yate service for autostart

---
 config/hosts/yate/default.nix |  1 +
 config/hosts/yate/service.nix | 21 +++++++++++++++++++++
 config/hosts/yate/yate.nix    |  3 +++
 3 files changed, 25 insertions(+)
 create mode 100644 config/hosts/yate/service.nix

diff --git a/config/hosts/yate/default.nix b/config/hosts/yate/default.nix
index 62851d8..5304abd 100644
--- a/config/hosts/yate/default.nix
+++ b/config/hosts/yate/default.nix
@@ -5,5 +5,6 @@
     ./configuration.nix
     ./networking.nix
     ./yate.nix
+    ./service.nix
   ];
 }
diff --git a/config/hosts/yate/service.nix b/config/hosts/yate/service.nix
new file mode 100644
index 0000000..e426a31
--- /dev/null
+++ b/config/hosts/yate/service.nix
@@ -0,0 +1,21 @@
+{ config, pkgs, ... }:
+
+{
+  systemd.services.yate = {
+    enable = true;
+    description = "Yate telehony engine";
+    unitConfig = {
+      Type = "simple";
+      After="network.target";
+    };
+    serviceConfig = {
+      ExecStart = "${pkgs.yate}/bin/yate -c /yate -e /yate/share -Do";
+      Type="simple";
+      Restart="always";
+      # ...
+    };
+    wantedBy = [ "default.target" ];
+    requiredBy = [ "network.target" ]; 
+    # ...
+  };
+}
diff --git a/config/hosts/yate/yate.nix b/config/hosts/yate/yate.nix
index 7d4f8be..c4834bb 100644
--- a/config/hosts/yate/yate.nix
+++ b/config/hosts/yate/yate.nix
@@ -3,6 +3,9 @@
 {
   environment.systemPackages = [
     pkgs.yate
+    pkgs.git
+    pkgs.tcpdump
+    pkgs.tmux
   ];
 
   # Just disable it for now.

From d08007fd1cef3c13dd6e692d939d3be4fc7e2e27 Mon Sep 17 00:00:00 2001
From: June <june@jsts.xyz>
Date: Sun, 9 Jun 2024 21:15:14 +0200
Subject: [PATCH 057/170] Document where a secret is then actually available on
 the host

---
 README.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/README.md b/README.md
index c89b549..52a25e6 100644
--- a/README.md
+++ b/README.md
@@ -61,3 +61,4 @@ This is exactly what we're doing to set the default deployment user to `colmena-
      restartUnits = [ "forgejo.service" ];
    };
    ```
+   This secret would then be available under `/run/secrets/forgejo_git_smtp_password` on the host.

From bb2f1e12526d0de0e1bf93a9a2e5d7896d49d070 Mon Sep 17 00:00:00 2001
From: June <june@jsts.xyz>
Date: Sun, 9 Jun 2024 21:24:42 +0200
Subject: [PATCH 058/170] Mark nix code blocks as containing nix code for
 syntax highlighting

---
 README.md | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/README.md b/README.md
index 52a25e6..b55e1f2 100644
--- a/README.md
+++ b/README.md
@@ -38,11 +38,11 @@ This is exactly what we're doing to set the default deployment user to `colmena-
    ```
    Note: Nested keys don't seem to be compatible with sops-nix.
 5. Add the following entry to the modules of the hosts `nixosConfiguration`:
-   ```
+   ```nix
    sops-nix.nixosModules.sops
    ```
 6. Create a `sops.nix` in the hosts config directory containing the following content to include the `secrets.yaml`:
-   ```
+   ```nix
    { ... }:
 
    {
@@ -53,7 +53,7 @@ This is exactly what we're doing to set the default deployment user to `colmena-
    ```
 7. Make sure the `sops.nix` gets imported. For example in the `default.nix`.
 8. To use a secret stored under e.g. `forgejo_git_smtp_password`, you can then do something like the following:
-   ```
+   ```nix
    sops.secrets."forgejo_git_smtp_password" = {
      mode = "0440";
      owner = "forgejo";

From 8a2d406d4e2f2ffe14ff8756fbf5d63c3e145933 Mon Sep 17 00:00:00 2001
From: fi <fi@nekover.se>
Date: Sun, 9 Jun 2024 22:51:42 +0200
Subject: [PATCH 059/170] Bump element-web to 1.11.68

---
 .../public-web-static/virtualHosts/element.hamburg.ccc.de.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/config/hosts/public-web-static/virtualHosts/element.hamburg.ccc.de.nix b/config/hosts/public-web-static/virtualHosts/element.hamburg.ccc.de.nix
index 8a6c629..0d7792b 100644
--- a/config/hosts/public-web-static/virtualHosts/element.hamburg.ccc.de.nix
+++ b/config/hosts/public-web-static/virtualHosts/element.hamburg.ccc.de.nix
@@ -1,10 +1,10 @@
 { pkgs, ... }:
 
 let
-  elementWebVersion = "1.11.59";
+  elementWebVersion = "1.11.68";
   element-web = pkgs.fetchzip {
     url = "https://github.com/vector-im/element-web/releases/download/v${elementWebVersion}/element-v${elementWebVersion}.tar.gz";
-    sha256 = "sha256-iVTd5zWUJh9wkbKMh+5hq0ucQaLLY29w1xCLxDIdQ18=";
+    sha256 = "sha256-SsEvc+TWyJG6YPBcyQm9mqQVUegqIcspxSGuL3TzVeY=";
   };
   elementSecurityHeaders = ''
     # Configuration best practices

From b30952a049f9b809cfc764260bbf00d87806afa1 Mon Sep 17 00:00:00 2001
From: c6ristian <c6ristian@christian.moe>
Date: Mon, 10 Jun 2024 15:38:48 +0200
Subject: [PATCH 060/170] Add mqtt server (mosquitto)

The config was based on the exsisting mosquitto setup.
---
 config/hosts/mqtt/configuration.nix | 10 +++++++++
 config/hosts/mqtt/default.nix       |  9 ++++++++
 config/hosts/mqtt/mosquitto.nix     | 33 +++++++++++++++++++++++++++++
 config/hosts/mqtt/networking.nix    | 20 +++++++++++++++++
 flake.nix                           |  9 ++++++++
 5 files changed, 81 insertions(+)
 create mode 100644 config/hosts/mqtt/configuration.nix
 create mode 100644 config/hosts/mqtt/default.nix
 create mode 100644 config/hosts/mqtt/mosquitto.nix
 create mode 100644 config/hosts/mqtt/networking.nix

diff --git a/config/hosts/mqtt/configuration.nix b/config/hosts/mqtt/configuration.nix
new file mode 100644
index 0000000..18d0184
--- /dev/null
+++ b/config/hosts/mqtt/configuration.nix
@@ -0,0 +1,10 @@
+{ ... }:
+
+{
+	networking = {
+        hostName = "mqtt";
+        domain = "z9.ccchh.net";
+	};
+
+	system.stateVersion = "23.11";
+}
\ No newline at end of file
diff --git a/config/hosts/mqtt/default.nix b/config/hosts/mqtt/default.nix
new file mode 100644
index 0000000..bb61c12
--- /dev/null
+++ b/config/hosts/mqtt/default.nix
@@ -0,0 +1,9 @@
+{ pkgs, ... }:
+
+{
+	imports = [
+		./configuration.nix
+		./networking.nix
+		./mosquitto.nix
+	];
+}
\ No newline at end of file
diff --git a/config/hosts/mqtt/mosquitto.nix b/config/hosts/mqtt/mosquitto.nix
new file mode 100644
index 0000000..672c05d
--- /dev/null
+++ b/config/hosts/mqtt/mosquitto.nix
@@ -0,0 +1,33 @@
+# Sources for this configuration:
+# - https://search.nixos.org/options?sort=relevance&type=packages&query=services.mosquitto
+# - https://mosquitto.org/man/mosquitto-conf-5.html
+# - https://winkekatze24.de
+{ ... }:
+
+{
+    services.mosquitto = {
+        enable = true;
+        persistence = true;
+
+        # set config for all listeners
+        listeners = [ {
+            settings.allow_anonymous = true;
+            omitPasswordAuth = true;
+            acl = ["topic readwrite #"];
+        } ];
+
+        bridges.winkekatz = {
+            addresses = [
+                { address = "mqtt.winkekatze24.de"; }
+            ];
+            topics = [
+                "winkekatze/allcats/eye/set in 2"
+                "winkekatze/allcats in 2"
+                "+/status out 2 winkekatze/ \"\""
+                "+/connected out 2 winkekatze/ \"\""
+            ];
+        };
+    };
+
+    networking.firewall.allowedTCPPorts = [ 1883 ];
+}
\ No newline at end of file
diff --git a/config/hosts/mqtt/networking.nix b/config/hosts/mqtt/networking.nix
new file mode 100644
index 0000000..5bd6616
--- /dev/null
+++ b/config/hosts/mqtt/networking.nix
@@ -0,0 +1,20 @@
+{ ... }:
+
+{
+    networking = {
+        interfaces.net0 = {
+            ipv4.addresses = [ {
+                address = "10.31.208.14";
+                prefixLength = 23;
+            } ];
+        };
+        defaultGateway = "10.31.208.1";
+        nameservers = [
+            "10.31.210.1"
+        ];
+    };
+    systemd.network.links."10-net0" = {
+        matchConfig.MACAddress = "BC:24:11:48:85:73";
+        linkConfig.Name = "net0";
+    };
+}
\ No newline at end of file
diff --git a/flake.nix b/flake.nix
index 8a8ebf7..22bcdd7 100644
--- a/flake.nix
+++ b/flake.nix
@@ -195,6 +195,15 @@
             ./config/hosts/yate
           ];
         };
+
+        mqtt = nixpkgs.lib.nixosSystem {
+          inherit system;
+          modules = [
+            ./config/common
+            ./config/proxmox-vm
+            ./config/hosts/mqtt
+          ];
+        };
       };
 
       packages.x86_64-linux = {

From 6411ae8b80bfd2d1d0aa59082c75ef61648451c3 Mon Sep 17 00:00:00 2001
From: June <june@jsts.xyz>
Date: Thu, 13 Jun 2024 22:53:06 +0200
Subject: [PATCH 061/170] Add hacker.tours and a staging env. similar to the
 CCCHH website one

---
 .../virtualHosts/default.nix                  |  2 +
 .../virtualHosts/hacker.tours.nix             | 63 +++++++++++++++++++
 .../virtualHosts/staging.hacker.tours.nix     | 60 ++++++++++++++++++
 3 files changed, 125 insertions(+)
 create mode 100644 config/hosts/public-web-static/virtualHosts/hacker.tours.nix
 create mode 100644 config/hosts/public-web-static/virtualHosts/staging.hacker.tours.nix

diff --git a/config/hosts/public-web-static/virtualHosts/default.nix b/config/hosts/public-web-static/virtualHosts/default.nix
index 3678a96..c78cf8b 100644
--- a/config/hosts/public-web-static/virtualHosts/default.nix
+++ b/config/hosts/public-web-static/virtualHosts/default.nix
@@ -5,8 +5,10 @@
     ./branding-resources.hamburg.ccc.de.nix
     ./c3cat.de.nix
     ./element.hamburg.ccc.de.nix
+    ./hacker.tours.nix
     ./hamburg.ccc.de.nix
     ./spaceapi.hamburg.ccc.de.nix
+    ./staging.hacker.tours.nix
     ./staging.hamburg.ccc.de.nix
     ./www.hamburg.ccc.de.nix
     ./historic-easterhegg
diff --git a/config/hosts/public-web-static/virtualHosts/hacker.tours.nix b/config/hosts/public-web-static/virtualHosts/hacker.tours.nix
new file mode 100644
index 0000000..7eaa086
--- /dev/null
+++ b/config/hosts/public-web-static/virtualHosts/hacker.tours.nix
@@ -0,0 +1,63 @@
+{ pkgs, ... }:
+
+let
+  domain = "hacker.tours";
+  dataDir = "/var/www/${domain}";
+  deployUser = "hackertours-website-deploy";
+in {
+  services.nginx.virtualHosts = {
+    "acme-${domain}" = {
+      enableACME = true;
+      serverName = "${domain}";
+
+      listen = [
+        {
+          addr = "0.0.0.0";
+          port = 31820;
+        }
+      ];
+    };
+
+    "${domain}" = {
+      forceSSL = true;
+      useACMEHost = "${domain}";
+
+      listen = [
+        {
+          addr = "0.0.0.0";
+          port = 8443;
+          ssl = true;
+          proxyProtocol = true;
+        }
+      ];
+
+      root = "${dataDir}";
+
+      extraConfig = ''
+        # Make use of the ngx_http_realip_module to set the $remote_addr and
+        # $remote_port to the client address and client port, when using proxy
+        # protocol.
+        # First set our proxy protocol proxy as trusted.
+        set_real_ip_from 172.31.17.140;
+        # Then tell the realip_module to get the addreses from the proxy protocol
+        # header.
+        real_ip_header proxy_protocol;
+
+        error_page 404 /404.html;
+      '';
+    };
+  };
+
+  systemd.tmpfiles.rules = [
+    "d ${dataDir} 0755 ${deployUser} ${deployUser}"
+  ];
+
+  users.users."${deployUser}" = {
+    isNormalUser = true;
+    group = "${deployUser}";
+    openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOrDTANfPMkcf+V7zkypzaeX2fxkfStPHmZKqC29xyqy deploy key for hacker.tours"
+    ];
+  };
+  users.groups."${deployUser}" = { };
+}
diff --git a/config/hosts/public-web-static/virtualHosts/staging.hacker.tours.nix b/config/hosts/public-web-static/virtualHosts/staging.hacker.tours.nix
new file mode 100644
index 0000000..382f1b6
--- /dev/null
+++ b/config/hosts/public-web-static/virtualHosts/staging.hacker.tours.nix
@@ -0,0 +1,60 @@
+{ pkgs, ... }:
+
+let
+  domain = "staging.hacker.tours";
+  dataDir = "/var/www/${domain}";
+  deployUser = "hackertours-website-deploy";
+in {
+  services.nginx.virtualHosts = {
+    "acme-${domain}" = {
+      enableACME = true;
+      serverName = "${domain}";
+
+      listen = [
+        {
+          addr = "0.0.0.0";
+          port = 31820;
+        }
+      ];
+    };
+
+    "${domain}" = {
+      forceSSL = true;
+      useACMEHost = "${domain}";
+
+      listen = [
+        {
+          addr = "0.0.0.0";
+          port = 8443;
+          ssl = true;
+          proxyProtocol = true;
+        }
+      ];
+
+      root = "${dataDir}";
+
+      # Disallow *, since this is staging and doesn't need to be in any search
+      # results.
+      locations."/robots.txt" = {
+        return = "200 \"User-agent: *\\nDisallow: *\\n\"";
+      };
+
+      extraConfig = ''
+        # Make use of the ngx_http_realip_module to set the $remote_addr and
+        # $remote_port to the client address and client port, when using proxy
+        # protocol.
+        # First set our proxy protocol proxy as trusted.
+        set_real_ip_from 172.31.17.140;
+        # Then tell the realip_module to get the addreses from the proxy protocol
+        # header.
+        real_ip_header proxy_protocol;
+      '';
+    };
+  };
+
+  systemd.tmpfiles.rules = [
+    "d ${dataDir} 0755 ${deployUser} ${deployUser}"
+  ];
+
+  # Hackertours deploy user already defined in hacker.tours.nix.
+}

From 33599951ef0cb9f16eafe011318c5db75c6818bc Mon Sep 17 00:00:00 2001
From: June <june@jsts.xyz>
Date: Mon, 17 Jun 2024 20:59:03 +0200
Subject: [PATCH 062/170] Upgrade to NixOS 24.05

Also bump the default state version to 24.05.

See the release notes of the 24.05 release for more information:
https://nixos.org/manual/nixos/stable/release-notes#sec-release-24.05
---
 config/common/default-state-version.nix | 2 +-
 flake.lock                              | 8 ++++----
 flake.nix                               | 2 +-
 3 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/config/common/default-state-version.nix b/config/common/default-state-version.nix
index 090e729..a3343c7 100644
--- a/config/common/default-state-version.nix
+++ b/config/common/default-state-version.nix
@@ -13,5 +13,5 @@
   # this value at the release version of the first install of this system.
   # Before changing this value read the documentation for this option
   # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
-  system.stateVersion = lib.mkDefault "23.05";
+  system.stateVersion = lib.mkDefault "24.05";
 }
diff --git a/flake.lock b/flake.lock
index 9d52703..4e5ec23 100644
--- a/flake.lock
+++ b/flake.lock
@@ -38,16 +38,16 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1716408408,
-        "narHash": "sha256-e4pjcLqe1Dexz7enk/+ui0aVdcoSiWnrTGjk7KLtAPw=",
+        "lastModified": 1718543618,
+        "narHash": "sha256-/VAxV/4lvtOtq4Zxq0MrqTGj7g8aSR/eJQDXB37ozvs=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "dff68ababdd2c2616d03f26546ba632f5f09d3c6",
+        "rev": "de0ae76b011bf0000d58ab71821199ce310128b2",
         "type": "github"
       },
       "original": {
         "owner": "nixos",
-        "ref": "nixos-23.11-small",
+        "ref": "nixos-24.05-small",
         "repo": "nixpkgs",
         "type": "github"
       }
diff --git a/flake.nix b/flake.nix
index 22bcdd7..26bd521 100644
--- a/flake.nix
+++ b/flake.nix
@@ -5,7 +5,7 @@
     # Use the NixOS small channels for nixpkgs.
     # https://nixos.org/manual/nixos/stable/#sec-upgrading
     # https://github.com/NixOS/nixpkgs
-    nixpkgs.url = "github:nixos/nixpkgs/nixos-23.11-small";
+    nixpkgs.url = "github:nixos/nixpkgs/nixos-24.05-small";
     nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable-small";
 
     # Add nixos-generators as an input.

From f3f5d5a6116fda1e69182a2ed3a342b06dc328fc Mon Sep 17 00:00:00 2001
From: June <june@jsts.xyz>
Date: Thu, 20 Jun 2024 04:12:42 +0200
Subject: [PATCH 063/170] Use forgejo package from stable (24.05) instead of
 from unstable

---
 config/hosts/git/forgejo.nix | 1 -
 flake.nix                    | 3 ---
 2 files changed, 4 deletions(-)

diff --git a/config/hosts/git/forgejo.nix b/config/hosts/git/forgejo.nix
index ced70db..bb7099f 100644
--- a/config/hosts/git/forgejo.nix
+++ b/config/hosts/git/forgejo.nix
@@ -12,7 +12,6 @@
 {
   services.forgejo = {
     enable = true;
-    package = pkgs-unstable.forgejo;
     database.type = "postgres";
     mailerPasswordFile = "/run/secrets/forgejo_git_smtp_password";
 
diff --git a/flake.nix b/flake.nix
index 26bd521..eb9d236 100644
--- a/flake.nix
+++ b/flake.nix
@@ -145,9 +145,6 @@
             sops-nix.nixosModules.sops
             ./config/hosts/git
           ];
-          specialArgs = {
-            inherit pkgs-unstable;
-          };
         };
 
         forgejo-actions-runner = nixpkgs.lib.nixosSystem {

From 3059843e1ab07ede862dd630c1e0e3badf41b281 Mon Sep 17 00:00:00 2001
From: June <june@jsts.xyz>
Date: Thu, 20 Jun 2024 23:45:44 +0200
Subject: [PATCH 064/170] Add mjolnir host running mjolnir for Matrix
 moderation

Also see:
https://wiki.hamburg.ccc.de/infrastructure:services:mjolnir
---
 .sops.yaml                             |  17 ++
 config/hosts/mjolnir/configuration.nix |   9 +
 config/hosts/mjolnir/default.nix       |  10 ++
 config/hosts/mjolnir/mjolnir.nix       |  28 +++
 config/hosts/mjolnir/networking.nix    |  20 +++
 config/hosts/mjolnir/secrets.yaml      | 233 +++++++++++++++++++++++++
 config/hosts/mjolnir/sops.nix          |   7 +
 deployment_configuration.json          |   3 +
 flake.nix                              |  10 ++
 9 files changed, 337 insertions(+)
 create mode 100644 config/hosts/mjolnir/configuration.nix
 create mode 100644 config/hosts/mjolnir/default.nix
 create mode 100644 config/hosts/mjolnir/mjolnir.nix
 create mode 100644 config/hosts/mjolnir/networking.nix
 create mode 100644 config/hosts/mjolnir/secrets.yaml
 create mode 100644 config/hosts/mjolnir/sops.nix

diff --git a/.sops.yaml b/.sops.yaml
index c42474e..1705da9 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -15,6 +15,7 @@ keys:
   - &host_age_matrix age1f7ams0n2zy994pzt0u30h8tex6xdcernj59t4d70z4kjsyzrr3wsy87xzk
   - &host_age_netbox age13fqs76z2vl5l84dvmmlqjj5xkfsfe85xls8uueul7re9j3ksjs0sw2xc9e
   - &host_age_public_web_static age19s7r8sf7j6zk24x9vumawgxpd2q8epyv7p9qsjntw7v9s3v045mqhmsfp0
+  - &host_age_mjolnir age1ej52kwuj8xraxdq685eejj4dmxpfmpgt4d8jka98rtpal6xcueqq9a6wae
 creation_rules:
   - path_regex: config/hosts/git/.*
     key_groups:
@@ -96,6 +97,22 @@ creation_rules:
           - *admin_gpg_dante
         age:
           - *host_age_public_web_static
+  - path_regex: config/hosts/mjolnir/.*
+    key_groups:
+      - pgp:
+          - *admin_gpg_djerun
+          - *admin_gpg_stb
+          - *admin_gpg_jtbx
+          - *admin_gpg_yuri
+          - *admin_gpg_june
+          - *admin_gpg_haegar
+          - *admin_gpg_dario
+          - *admin_gpg_echtnurich
+          - *admin_gpg_max
+          - *admin_gpg_c6ristian
+          - *admin_gpg_dante
+        age:
+          - *host_age_mjolnir
   - key_groups:
       - pgp:
           - *admin_gpg_djerun
diff --git a/config/hosts/mjolnir/configuration.nix b/config/hosts/mjolnir/configuration.nix
new file mode 100644
index 0000000..869c3de
--- /dev/null
+++ b/config/hosts/mjolnir/configuration.nix
@@ -0,0 +1,9 @@
+{ ... }:
+
+{
+  networking = {
+    hostName = "mjolnir";
+  };
+
+  system.stateVersion = "24.05";
+}
diff --git a/config/hosts/mjolnir/default.nix b/config/hosts/mjolnir/default.nix
new file mode 100644
index 0000000..7dca51b
--- /dev/null
+++ b/config/hosts/mjolnir/default.nix
@@ -0,0 +1,10 @@
+{ ... }:
+
+{
+  imports = [
+    ./configuration.nix
+    ./mjolnir.nix
+    ./networking.nix
+    ./sops.nix
+  ];
+}
diff --git a/config/hosts/mjolnir/mjolnir.nix b/config/hosts/mjolnir/mjolnir.nix
new file mode 100644
index 0000000..49b196d
--- /dev/null
+++ b/config/hosts/mjolnir/mjolnir.nix
@@ -0,0 +1,28 @@
+# Sources for this configuration:
+# - https://github.com/matrix-org/mjolnir/blob/main/docs/setup.md
+# - https://github.com/matrix-org/mjolnir/blob/main/config/default.yaml
+
+{ ... }:
+
+{
+  services.mjolnir = {
+    enable = true;
+    homeserverUrl = "https://matrix.hamburg.ccc.de";
+    managementRoom = "#moderation-management:hamburg.ccc.de";
+    pantalaimon = {
+      enable = true;
+      username = "moderation";
+      passwordFile = "/run/secrets/matrix_moderation_user_password";
+      options = {
+        ssl = true;
+      };
+    };
+  };
+
+  sops.secrets."matrix_moderation_user_password" = {
+    mode = "0440";
+    owner = "mjolnir";
+    group = "mjolnir";
+    restartUnits = [ "mjolnir.service" ];
+  };
+}
diff --git a/config/hosts/mjolnir/networking.nix b/config/hosts/mjolnir/networking.nix
new file mode 100644
index 0000000..04559f7
--- /dev/null
+++ b/config/hosts/mjolnir/networking.nix
@@ -0,0 +1,20 @@
+{ ... }:
+
+{
+  networking.interfaces.net0 = {
+    ipv4.addresses = [
+      {
+        address = "172.31.17.161";
+        prefixLength = 25;
+      }
+    ];
+  };
+  networking.defaultGateway = "172.31.17.129";
+  networking.nameservers = [ "212.12.50.158" "192.76.134.90" ];
+  networking.search = [ "hamburg.ccc.de" ];
+
+  systemd.network.links."10-net0" = {
+    matchConfig.MACAddress = "BC:24:11:C9:F8:C5";
+    linkConfig.Name = "net0";
+  };
+}
diff --git a/config/hosts/mjolnir/secrets.yaml b/config/hosts/mjolnir/secrets.yaml
new file mode 100644
index 0000000..0aaa2f7
--- /dev/null
+++ b/config/hosts/mjolnir/secrets.yaml
@@ -0,0 +1,233 @@
+matrix_moderation_user_password: ENC[AES256_GCM,data:NXJrbRh0A+NQh6Jy9iVAfYhsGR1BSOSuk1LjmArSiVF6jnuJAP9f750cRP7bu7Ai8xgxTlhjAtv9ck6SqlJ6Vw==,iv:IN/siIPCFKE+Nfl/aogYRYAHVgEGhMtTbmEZKZWQYgM=,tag:xxlnl5GU+uusSeh1OvoU1g==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1ej52kwuj8xraxdq685eejj4dmxpfmpgt4d8jka98rtpal6xcueqq9a6wae
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZTEhUMThoY3Nuc253NnBX
+            ZkplNmRzOGZFNWlQNDVpL08yRk5VTHZDUkZNCnIxMUJoUHJBYlJpbUViMW9GUmhR
+            V1F6SWh2NjRGWk9RWjMycGZYZXFZbkkKLS0tIE5MNk0xekwxY0NYYm9mc1ZGZFlH
+            NDN2dUpuQWFFMTZQRzFIS0ZieTRzQm8KUDRpPJwcWwePKMp6KQMnQLhqqyvuhgQh
+            rXpKW5fjxyT0Sh2u3FM2ET/9U0TUfpBVYBJojAJBFs1ntI8kFmqSYg==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-06-20T20:02:16Z"
+    mac: ENC[AES256_GCM,data:5BhSo3YpF3QNqgGnx6YnymaEQB6pchMhokaJqk4rHg22xhbUAzOhWg4BQepT7vrCQlfOZIq4o//dGO+NQxqliiyyywrSYm3CBWD4xfZ9cdfinHC7Pc9lj6Dd4uPNxRjgTRNFuMyC+ATIABI2mHKpg+T2bxSalroIlvNr4vXWZo4=,iv:yPHJZ5PvI5zJlQIMRdbJ6eKGe1xN+teKF5GluD2pyK8=,tag:s4hO9RCdkHDsQ1W+KfXq7A==,type:str]
+    pgp:
+        - created_at: "2024-06-20T20:01:32Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMAxK/JaB2/SdtAQ//Y/GVthqtuK7bY8Ne5CNfn/CD1RUTdX1+KwX1zy3YsgUC
+            CGxhoFFy1UoXR3QB4Hxnk8R/vaFVHezCWKWY45MAuPtwM1VGwjVsuknrJnSs8k7/
+            jrzVO9xXgTd26H6DLmPVfH1hKB0/lh84hwVgF5rlPS/P7l92LL0hDIIwZz3dB0kU
+            d6jLa1Fajqd4MSdLWbZRBPcioC5v1Ip/SXYAJp7IGLDgXm5MN+MnAdybAFsl1K5p
+            dCUmGqK5IjyPVP564TqL0ZEIXMxSSwex47in3cTYPaOO0L8P3kbKDNWxZQLaqZkn
+            4RZC4/aBqlfD2STxMez/ksi6kCcPuC7UPRzuq4oH3kOcJHxwIN8Df+DZYA4PJKsl
+            T9QDL1EylHBhsPIZCoxpmnGl3j+hVmONj2V1awlCaOagbgDlClEUEMyw7QCVVbtK
+            CW4DOgVnnTxcUaLHep8BgHxKkYjIDIbDMmg315h2ekT86gGgZavL8IiFTWSLzSrK
+            XChIjUdjpKZhanmSWpj4w8ZpdGOOjernL2EBWtSC23AibBZmQe9OB/QzMpLTdCvV
+            9t9mMoSayP61oJylBtOKhDnEW0Xib0U7tqzwpaow2V+CU2dr27qie1jh5GqMaoJR
+            qpu1KT3Z9eqpF3Dl8aI3dEovbmvDMVXErU3pmFu2zRJtm6TOXp4NNOYWCetUfxPU
+            aAEJAhCFerTI/ow/LWkCQ78cCMFjgKrYabA3lHu11Mr/PiHirwJ/vCmsUMiOhdRw
+            49lsyqJlO3IA79yW4exG5tYXvPgeJMTdz36fseUEKsewfrPEqMUa2T4onet2+GN6
+            GALPdepytjg+
+            =v+qv
+            -----END PGP MESSAGE-----
+          fp: EF643F59E008414882232C78FFA8331EEB7D6B70
+        - created_at: "2024-06-20T20:01:32Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQILA6EyPtWBEI+2AQ/2L7fbbhBH3BfgD7IbgtVn+nEhNJw5tWR2+0z1k72TIr9j
+            rPAvV6NQY8oVV2+uNLa4fMl+ueqYTFd3/E4IsRXkmexjx+vos27LjDNSu6w0OPJU
+            BSq5TFqZWYIPiWaivQz4+rt+vbxvpv4Lh3FAXlV9YubprJ4GRrlwyheve/l3F0BN
+            3vCDLsfXijZjxaptb9nf7WiT9vvWrY0sD4g71ARZdWi7Lb+TgCxzbQMue+4VC0Zu
+            y/AWIymVo13BD+apoYltVYYvkn7yz3REzsx3NN4bkJyoCAevr6UeO2fGvlT7b7eG
+            F7CN/TusFlOqWV9M0VbiOGLfL7Q9tGAG3xDAyFh+yMQNadp0M3m9UiYUlHps5DRT
+            CVsIPnPUr3V/oycRm3s+UeVyBg3rpdzWyNtETOjNY/AqVmRQ0toqZOm//ZOg609U
+            6+EX1Oc/GosfNoHWJuFmfKJRhPpy2gXZX2rQuLWaVJUXzzKM5sbLnycCV03S24PU
+            Fi7Z5lIu334QTLG8PV6agO5UprZb946qPmW+b/QnUol23XXcgh1GIgMV+lEK8+83
+            UPT0aUkdtOTaKbWUg5xokx+0Ni9syJ4Nl7naQq57qOGiecMnBbeE3TYxaNOcjTBh
+            CY0/hdcrZYH6VPeDye4yghSDF9WCaNUvzZNePGzdqKK3F9O/NmBSiYd/cToyDdJe
+            AZMZCKxSw0/HyBqTRd3wC/VhC9uO2I4HWE3LuqBPUXYFWc4W1buJs+P8pFjqT5rZ
+            puHPH8IxIeIiVNO5SFhdL8ecSu/nawakvih65aMGSa102e6B2HfP6tD4SmarmA==
+            =tr5G
+            -----END PGP MESSAGE-----
+          fp: F155144FC925A1BEA1F8A2C59A2A4CD59BFDC5EC
+        - created_at: "2024-06-20T20:01:32Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMAz5uSgHG2iMJARAA02rGmKxyQkvxoXM1i2dLOiH6Gw/pUcdDxYSwKfdkNU3X
+            zc0He4FNG8CAURVq5jARD066VecamkBmlr+rwFJlaeqDPEiITfkz7DEGO8pPxKG0
+            GBnFVA9r/+OU351yLjHYB+72jvw1ey0PPHvKg6/sKjovssYvQLipUcktH33kPqVQ
+            yJzuQWFMWA7Jn/wTa/TP/53o0e//Kw9df69J3BSmnw9F6rKHGsIXLBmyR9HpQsLR
+            KAuClMzjPqHszCICND7vUDEzUvCcOVyizZAcRzWfDi/llwKGUanvEGUVXvyDXw/E
+            Q/FyR+VJXCzRlhsFTTuavjy6nhDsRf/N8N0Vsd9euDXOPQ4wuPAgpvdi58CPBmzP
+            8jU3xpFSXStYBIMt5u7t+UJT4IwdbjnClyIrSuyaV/7N5UQdYTv0fBy1mRrYLBAj
+            VhlRDa1y79n22Kg8mvDqJ16rC3VypkkQ6DaPvyDwlrG8iRLG/xi3Zz8HHnXxAGAm
+            SzliIolwEDHJZHI9ZE3YzpFJkB6UyOpXS1zMsDycupFvQ4jd2fQ0C7w5OaJHCkeQ
+            3zTKgtufjJGo7R2Nf0bTWTfi85GU3jpMsOHCEcChgBVXcO32ZZ/zzmqtXa/u3m5v
+            sjUstyBXEmG9eyIaiEtRAMAblwRsJPMszLaCUuBpzQw+mm9uTCsIaf5Xdud7GFzS
+            XgH+whlmbv/UeUC7bo65uxrG8SgTVAaPZpcQ2dP3rXYs45zYmYGKJaZuW+Hrl+nZ
+            pd6zT6rb6R8TMmXkNA1TjhvZ/A+ONlza1fH0dmsh7U9oqINXNFJU7Qm2r7imFvg=
+            =ZIDr
+            -----END PGP MESSAGE-----
+          fp: 18DFCE01456DAB52EA38A6584EDC64F35FA1D6A5
+        - created_at: "2024-06-20T20:01:32Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMAw5vwmoEJHQ1AQ//f51KkC9oViW/0EA0TLdWgXa76ZXMeu4b3UhWaQvYDT9+
+            8wuWE+slGEWsRnFZ+pgWZoV3HIv2p+xisX2lmBvepOufaRh6cyNpQaZNl0kFtpBo
+            ShQ66SmkorunYyM+OIh3ceI4PC7ca4KsRKB8nWkA935NWssFN9zMlkVW6GjqzTft
+            2JVJFL8GRlhIRMhJwSzp8zZ3XiYD0sB/2y+ffCMAOSCnDVcDjANyiSds6MPxfPy0
+            /kaNTXuUI7H50tHQP6vzJ3q1mRpAhUTIxubnmBTdvAQz/kaD0qPt55z+Q0xSXsLa
+            yfb+Zd2g/2o+IFiCrwqcki5yX49Ol89l69JRyIWe1T2VtqBSUVIiiYreX5OnmWPQ
+            OjJ1mAn9tpIlVSHzlaONtmJEmAJ+n55rP0itBMs1CrIBiQleLaCbSWqp6q3RfaJr
+            gpXnfHQpsU7cKEDQeyvxmH8qgrSR9AVh/knyGOJy8LnJQ93aQpr3xr/2MiFPYiKz
+            dcSrxHesrfx2Zl7bNB5OZ7VZTWFSunZQUnOn3F3+7yaaT9ePsvWsyTKBOSGUiA7s
+            VMxT5+P8QM6UOC8KxJj/q1eAVrWvN7vYbCA25+SzbdTtr1RweOVHzNgqZH5/Q2ZY
+            fguwHlCGg5Q7UKYKBk4QJFg6oClDgzBYCFL76K4aymtR7rxKl4sJxWoug84oP6DS
+            XgEZvNS3xsY8Pxm0bAmor93Q08Mii1svnNZ74Eqmbo9GxBjHReIGKDDZ08SaPhbc
+            NJxAP2C2sRUda2R4GvsNYmXHzGYfFTrfe+AXqEV42ZSD9vHDJMCiX9JrY/r4uSM=
+            =+F4l
+            -----END PGP MESSAGE-----
+          fp: 87AB00D45D37C9E9167B5A5A333448678B60E505
+        - created_at: "2024-06-20T20:01:32Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA4HMJd/cQYrVARAAq/cP9y/7kxSXDFOD/xhI/3RjGzIN5dyHlfrmEQWJ8J7z
+            ov0VfBCJp6gFht37dGWuLtWi1qqWRgN+9hiBnkj2zONoph0SRGP9uNfadBSzYSD4
+            wvlOFrWeM9cswnk4i0q8Go+qdCC6U0g1szjirdifF7I9KdqKpOFwXzjnzsPTF42o
+            9oFCP32esOYv++DfTBgrSv8/STublJYABcs+lzjvURqBsFvdz7PBphH66++yxt7v
+            bTTmu8O9WHC8/5QTfUzOBAfgyu4CwF3YLRZd81ERtzO/udNYgGO3bifofCfpv+nY
+            MMyCbGxoiAfBWcAHhka+8nMnBj0as+ln220O99N6zH1rTmqqDxRQkEiYek1MqEU1
+            f319u3KqB6STWmZvjlwQ5AhwSLCLT2VpIJX4CpMClWlLb3E2rpZ+B1uBRMQQ3fMe
+            jSynatL2vXn3rKWzxIEIxA/BkVKQ8zXgOT9JyqyCZdHTvjEmWuQitILi7wKWJb7/
+            qhTGEBoQbjIKP2Bpso286RKhS3erE0wqLeXXFb7e6bkEEHXa/jVHCZk8/qDcAAIB
+            3eIb5SNnLxQwo07JlWdDPzCvqeC4fx5AWxXmHsKWI+91PA0jdNjcEPt2sxwAEQYq
+            LWBW6BL22Hqo/VOBXhM1T5mFKomqySLSrxTYeWXtJLZwh0aHbm6RyGGMjHpCiU3S
+            XgE8EQeKefLHoTixb1Rl/amIvtOUUcTtdqlyat9hhIdMl/7ZMesmNuD1ZsEzdCJd
+            20/DgHzFE7WvZKrjt73GDETUjwLHZSl5fydQMgcNFgzU2mdV6nYNhF18gE/af74=
+            =UA8K
+            -----END PGP MESSAGE-----
+          fp: 91213ABAA73B0B73D3C02B5B4E5F372D17BBE67C
+        - created_at: "2024-06-20T20:01:32Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMAxjNhCKPP69fAQ//RVzQX4Ua5XZHTIe7ffYiqMxy/KoJdbCxpgjbdD0sx2ou
+            zCB13t13UkLjLo5GkTE7kRGtyKOdhQ/7NUA7tOZ+rwWOq3NehOTLfU0wMkgT7tOh
+            byWwNHrY9VHz3ndFnya5nNcnrqILA1rEn32PnioNyWcU6832jyUWvtRqwF+JRrKr
+            yRJMvz4T8vmLwrxqarB1uqU0OVHXy8bq8d9/pVrAmk6+C/H5FINFlApD0dKYftd2
+            phoTSA5WG8j1e0v5p4+r9cRHlYXFMinMMkpzD/JMyNB1WVZ9aGQxU7WiuYzuv1bh
+            PKN/LEgfh3ypI8W960NHv/OMRjVs/VxA+G3ml3Lw6acRnaLr++MhF2G7ZBTx8rgi
+            fjyF6m4XtacwIKYZ7SNt9eQewGI8VU30o8np33qb9KeOt7v8PrMH1G3X+bTLnJGw
+            VjxjvaBaePmPplYYS7xaPuUnzFNabDXTE8XCQpdJMy26ef77gaWr6TQwXbRlZXrx
+            S60EecMLwUj+daR0PkVBkCDxXkW8+0uPkt6EEn5rmPdMXoh4DUw+4A14t7yyUU50
+            j3M9tv6DuYs/KhgZYfLe+6hVD7fY4lAs5Ge6QGLA/TljAatE3zpSZQK+b7C4HKJS
+            3eRpcAt6CJFhXaCBwl4+gigrg3voX1ykh62oqY/4ecKbAiiVXLIrcflv9kx2Ht7S
+            XgEDhoIRIvXoOUy6j/qjp/OFxwu5y6MpBX4vHxlpL36daL2yShMkCYyY3ajea4eX
+            9k7B9fpRu3sjbDTNr1heffI+5n/HKc8j9a52hzu5eF0e+v+vKY32uk1jlUhZdj4=
+            =R/pX
+            -----END PGP MESSAGE-----
+          fp: F38C9D4228FC6F674E322D9C3326D914EB9B8F55
+        - created_at: "2024-06-20T20:01:32Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA1Hthzn+T1OoAQ/+OHZshi2zBfbVQ91WKLqei7bT4CZGiPxQsl7aogv8JkyL
+            D8p+VgIReMvq4F5QFaIsA8yqMSnjxfIi5bFd9SKjuhOKvuQjyh1rSsFb0t8ESuYi
+            fHBnVw4tDNfTEGQa9YhNJPTq60TwR4P2xYFEgc//AQqfs9XH0cTbvkFS9dkug092
+            u4yJfB2aZEJa0Eh0AenUYzP13bFH0sJwL1hQop1v9gF44JeKHpRNd0Yixlp0Yucs
+            Ccww+WaNFVQ4+zvyW7MnI8/D27/SQGRXXqQE6sOQlsg5SUzF2vIpYbIeuu1NR5WK
+            v1ZB0DlWVuOshIB7M9WUCZcAS5cMAWKc1vvZ/K0l+6tNskZvGE4p/lv1bmZ5zfc3
+            gT/2L6ENuoKW7RoF071SsG9Xn7VJync+iNTtg0m7Je7HRAZAGGc8vfIkrTXAmoIE
+            QkGuog0R+EZxq9L1WMbppV/bnbBxiutFxwWOGTxzsn+DksVrVLvyI/EbHJvcEwzN
+            hISPFmAiCEKzGAGfaO24F5Xcs+U6AgumS5V5kwY6zA/kZpJEdQm38rcC12ZpXR9C
+            oHGs9ACtgf+g8H3/Ks5DL48FTbYuZADamVA5+pV97B7xCS8TxYChuFNPLwU2s52G
+            liiZV9NevlFlbsXFZS/EWgR8b0aH9Nhjl5TAPOajBOu0Nm/83XEP9nbbbjJjGRHS
+            XgHop/OMkJRuZZ35JQjUS6dIBzSivqplpr51wHbyilxbvOHdvuu6w9kqGY9VhuVt
+            nCszg+IQ0SM8YFuu1M5UPO4txYQTHx8zO5SD/d8kh5HEu9fmTNyJXblRcyAzYZc=
+            =TxDz
+            -----END PGP MESSAGE-----
+          fp: 5DA93D5C9D7320E1BD3522C79C78172B3551C9FD
+        - created_at: "2024-06-20T20:01:32Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA46L6MuPqfJqAQ//co7jg6v5QUB7eHXJPMLxsgtbC/VYp7C7QqXQda5qhohW
+            t0F9lysBybhIGoYuvfZGzNMYqqkVpFxzlOO2vFlcYFsQhjCpJrHBWYT4XOmIBR64
+            6Az/iKqNLS+cG+rFIIuc8BqRk3r4lrM32dCqz0a+3qRkdmbff4yKuzg8FTPlv1RI
+            O9SzRqfptcKDXItnQF+8CAziqcGyy4jL2wnl1Q2I2Pksr+Zw1eZVbFfHmCpG7A5C
+            TVihozz51jeXlggDp9/NPJOQDsmV+KdpvNx2Eqj6PQ6aGWtyYv5YZG3X/eRKW90+
+            qUOJxwpW5KGcROnuvQt1AggcXquOTLHFyJ85M8tpJcl+JYVZsIeNDo+LO8sbrCTA
+            cjp/YSLOms+GullbGAwrJh4TYtwJE9sEKr9OAFUvd+AxVFWj08BqMe1eN5YBbwwB
+            vNurVdvjE8jaTCmZgPPOIP5KXSrsG8bA02YlZ4MnzodYidIhTudJ8VB4NYCtNgOL
+            G/x7h/KA5KYgDWEtr21z2oy0QkGijtrcNa02GpslirjufZ6TPGCbJjAeEsPbYBm7
+            mDXm5+PzZpb1pbcSVNlVG5Ry73JrZxBpYCPGnxLs5yAmWOlNa/xcgDHBU+iXyVg0
+            Wm8pHRAVNfbvL7NB8yeaxSDoTSE7/BsisL6tUHoV+bdlpVsTF26bQZBc/zhxiZrS
+            XgGJ8ChRZbpi2qUzP4nA2jPkYtQ4cquA+ftDx4i+ZqVNtAhVSnTiBZoYu/21+BUB
+            oxDa5m2vD0s0t0fGfmmIvpLZKZIF7NcwnCdNVQve/D3qNNa4T3YnXb8JTGH0PYc=
+            =mu1s
+            -----END PGP MESSAGE-----
+          fp: 8996B62CBD159DCADD3B6DC08BB33A8ABCF7BC4A
+        - created_at: "2024-06-20T20:01:32Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA4EEKdYEzV0pAQ/8D4mAcC6vsHLkSryz1yIYoBqqtJnG62pITFEbafhVLR6V
+            nWAw/zP9DqNj15MsrM67xaQxlMVgkVM7QTchgp0CjXsyZ/gWPgDl0NaC92Uj93Ov
+            Gi2OpkfHQFaAW6JsAFl5NrF0ZBw/flx8X0l2klIxBV+ztpkLADEtXWsoGsmz5L4m
+            n41icEp9+nb9nwy7p+Je0s4jZCBB0sVlbkX9i4IpMOgEhA0HcWemc940VJp3UyRg
+            LkOs5C0J4Y4qjS12248y16gV/IhNaJ4PCPgVwSj1Xzz6VXauQosmWhnUbnqJbi3F
+            KWEV0IJJO+dlj5VShzFDnkN2bM1GeyQx1S+FkNp+Mmm6JNrUK+CZL8fUYka06O0V
+            DD/sg1Pyq8VawNG5RxwAWA5F1F1SIrJzF0T4HyIN1UFRCjWC466sdrBTQLtx472k
+            NdBCvabHS/bx5miPKF5iglJYzz4biUdevc3EU7q4hwgMYM2oep3m2EsaTbKWzjnY
+            PLB4d0bCsRlya0YfHaFX5f3xSNb/FzBcUlTHzX2asyB2DolMug1VqS3jCEkWGbk/
+            vfNfR5yRuwkwNlJRqHbGIfH7fYEgwSTW+VW2iUdY7Dra7xjgTzqZgLi5W8QwKJqq
+            1V5H4KlRQNYwloVJzQZCwoPcY+tBfTZ4LsDKtjyJzFY9vdTGGGqb9lAG7YBUdubS
+            XgE72UuZvbPQZuI7uVKMEORGVssQjwZFhs4InR/Ixe03a7hb8fdRHfu/ueS/3KQx
+            mRXVino/iVQ6M936mtibfeH9TpBpjqH8sBKNHv2hgnoap9QpkrVn1yWqrOcpht8=
+            =+sXL
+            -----END PGP MESSAGE-----
+          fp: 9DFA033E3DAEBAD7FDD71B056C7AAA54BE05F7BA
+        - created_at: "2024-06-20T20:01:32Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hF4DQrf1tCqiJxoSAQdA/tIZCvQv0E4dHN5jBHsAGclKEeLFhyf4lIQx+xa+uwQw
+            /VGCdNT8U13EawRC66KLXRrRgsNPpwUg15wAoTzQ8gW/tLpgvL5nsEYPfaowYwBD
+            0l4BmNV4o4J+NHF7Tk1af2kx0pp6kF9eJynn6irr336tGzY004lZfZlqwgeOk+qN
+            93XcSfdAOlIktfex1q1oTPrSpGIv32zsLPoRNVa50dO+IKu1tmYAxi9N9sQgbWa4
+            =rnF9
+            -----END PGP MESSAGE-----
+          fp: B71138A6A8964A3C3B8899857B4F70C356765BAB
+        - created_at: "2024-06-20T20:01:32Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMAzdAjw8ldn6CAQ/9HNG41mTgq8VavF9DBX7+upnsmoDtwblck18l3rurJ1mo
+            k2ki7tWwIxRyLLHtsUxJ9S55cmXuhhPJK8Kzc32SnY5irDkqK/4JZnDvofg+z68B
+            8pQOunN1BQp50k8vd4Mha43re8s24iqrM+fj59uHM2YYsQYt9TCR/NvUopOdi6l2
+            8OnKI2KdRvYhtzzCY3wmQKhG7p0hc8y8pP/0DmPW5IGQ6OP4zO+Qnc4EbVnA9Uhr
+            tZ4sTNn0o80kfvILKANkAm81v86KdSRXdd3+1IpH1c7rTqm9o+DEm8nKnwWOF63O
+            P0klsYLlfqiZyQ0AyS67RHPTw/y57mAyWVFbABDLtXQQHWcIkADMLKTJLpnhKkRn
+            Cp94EXBBBwViAUBUzzskE4lgKXncl1h5ogLum8btU+cLky0qa8Hzie5QqszlErf8
+            fci0AEHV8u+Kf5EARf1FiY6K2aVnFOJchdeL98qllwRu6f8zz7+bfLq1UXcGBlQS
+            JnbAlXiL4vEBxQyW5awYYzpaMUTW1ejjujZUitdaUeIQJdv/IJvHe9y6/F0uukdt
+            AMrDI7E+JKa6hLPe4g6H1hUzh6GcaHuNU9z2NSDfzxcOHkqALsCDLVDxsjPhahCc
+            UZkSn8ebyqv7/jpTgWnsls0Fx8XqvKKJNoqXfK81oIvWlJsEwqSaBczkq9HQbO7S
+            XgH2N8XPOJWmqDc+xS26eERNJ8ZlhYaODWwatgqt2si6EdBpVRZL4PXsOrOlI8Xi
+            Uaag1/Uljqbk5mN18+CtSfSt0ded79d44B9zAbc70hgvkRrpcotDBnO8YQ9MxB0=
+            =O0Sg
+            -----END PGP MESSAGE-----
+          fp: 3D70F61E07F64EC4E4EF417BEFCD9D20F58784EF
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1
diff --git a/config/hosts/mjolnir/sops.nix b/config/hosts/mjolnir/sops.nix
new file mode 100644
index 0000000..b4548ed
--- /dev/null
+++ b/config/hosts/mjolnir/sops.nix
@@ -0,0 +1,7 @@
+{ ... }:
+
+{
+  sops = {
+    defaultSopsFile = ./secrets.yaml;
+  };
+}
diff --git a/deployment_configuration.json b/deployment_configuration.json
index 2cc3215..94ff2f0 100644
--- a/deployment_configuration.json
+++ b/deployment_configuration.json
@@ -23,6 +23,9 @@
     },
     "nix-box-june": {
       "targetHostname": "nix-box-june-intern.hamburg.ccc.de"
+    },
+    "mjolnir": {
+      "targetHostname": "mjolnir-intern.hamburg.ccc.de"
     }
   }
 }
diff --git a/flake.nix b/flake.nix
index eb9d236..9ee17cf 100644
--- a/flake.nix
+++ b/flake.nix
@@ -201,6 +201,16 @@
             ./config/hosts/mqtt
           ];
         };
+
+        mjolnir = nixpkgs.lib.nixosSystem {
+          inherit system;
+          modules = [
+            ./config/common
+            ./config/proxmox-vm
+            sops-nix.nixosModules.sops
+            ./config/hosts/mjolnir
+          ];
+        };
       };
 
       packages.x86_64-linux = {

From dfcb961fd3ce6a84abd7176bb5b4c4fe3fde5ef3 Mon Sep 17 00:00:00 2001
From: June <june@jsts.xyz>
Date: Sat, 22 Jun 2024 02:55:54 +0200
Subject: [PATCH 065/170] flake.lock: Update
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Flake lock file updates:

• Updated input 'nixos-generators':
    'github:nix-community/nixos-generators/d14b286322c7f4f897ca4b1726ce38cb68596c94?narHash=sha256-iqQa3omRcHGpWb1ds75jS9ruA5R39FTmAkeR3J%2Bve1w%3D' (2024-05-20)
  → 'github:nix-community/nixos-generators/35c20ba421dfa5059e20e0ef2343c875372bdcf3?narHash=sha256-WZ1gdKq/9u1Ns/oXuNsDm%2BW0salonVA0VY1amw8urJ4%3D' (2024-06-10)
• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/de0ae76b011bf0000d58ab71821199ce310128b2?narHash=sha256-/VAxV/4lvtOtq4Zxq0MrqTGj7g8aSR/eJQDXB37ozvs%3D' (2024-06-16)
  → 'github:nixos/nixpkgs/201ed88e66f7f34d5c74e46d2e4399cc4bea1501?narHash=sha256-3vNXv4zrblZFobrxz1P3RwLpHl6X3/GzfArdTxq0%2BnI%3D' (2024-06-21)
• Updated input 'nixpkgs-unstable':
    'github:nixos/nixpkgs/2ee89d5a0167a8aa0f2a5615d2b8aefb1f299cd4?narHash=sha256-2eh7rYxQOntkUjFXtlPH7lBuUDd4isu/YHRjNJW7u1Q%3D' (2024-05-23)
  → 'github:nixos/nixpkgs/1c0bec249943cd3e03f876554b8af7d1e32a09e1?narHash=sha256-uIZlOpCIi/GZ3xrkA87CAHqbTvsTbVQV1JjnP33slxs%3D' (2024-06-21)
• Updated input 'sops-nix':
    'github:Mic92/sops-nix/b549832718b8946e875c016a4785d204fcfc2e53?narHash=sha256-0lMkIk9h3AzOHs1dCL9RXvvN4PM8VBKb%2BcyGsqOKa4c%3D' (2024-05-22)
  → 'github:Mic92/sops-nix/797ce4c1f45a85df6dd3d9abdc53f2691bea9251?narHash=sha256-Pm9I/BMQHbsucdWf6y9G3xBZh3TMlThGo4KBbeoeczg%3D' (2024-06-16)
• Updated input 'sops-nix/nixpkgs-stable':
    'github:NixOS/nixpkgs/e7cc61784ddf51c81487637b3031a6dd2d6673a2?narHash=sha256-H0eCta7ahEgloGIwE/ihkyGstOGu%2BkQwAiHvwVoXaA0%3D' (2024-05-18)
  → 'github:NixOS/nixpkgs/c884223af91820615a6146af1ae1fea25c107005?narHash=sha256-v43N1gZLcGkhg3PdcrKUNIZ1L0FBzB2JqhIYEyKAHEs%3D' (2024-06-15)
---
 flake.lock | 30 +++++++++++++++---------------
 1 file changed, 15 insertions(+), 15 deletions(-)

diff --git a/flake.lock b/flake.lock
index 4e5ec23..a0b58e2 100644
--- a/flake.lock
+++ b/flake.lock
@@ -23,11 +23,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1716210724,
-        "narHash": "sha256-iqQa3omRcHGpWb1ds75jS9ruA5R39FTmAkeR3J+ve1w=",
+        "lastModified": 1718025593,
+        "narHash": "sha256-WZ1gdKq/9u1Ns/oXuNsDm+W0salonVA0VY1amw8urJ4=",
         "owner": "nix-community",
         "repo": "nixos-generators",
-        "rev": "d14b286322c7f4f897ca4b1726ce38cb68596c94",
+        "rev": "35c20ba421dfa5059e20e0ef2343c875372bdcf3",
         "type": "github"
       },
       "original": {
@@ -38,11 +38,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1718543618,
-        "narHash": "sha256-/VAxV/4lvtOtq4Zxq0MrqTGj7g8aSR/eJQDXB37ozvs=",
+        "lastModified": 1718955215,
+        "narHash": "sha256-3vNXv4zrblZFobrxz1P3RwLpHl6X3/GzfArdTxq0+nI=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "de0ae76b011bf0000d58ab71821199ce310128b2",
+        "rev": "201ed88e66f7f34d5c74e46d2e4399cc4bea1501",
         "type": "github"
       },
       "original": {
@@ -54,11 +54,11 @@
     },
     "nixpkgs-stable": {
       "locked": {
-        "lastModified": 1716061101,
-        "narHash": "sha256-H0eCta7ahEgloGIwE/ihkyGstOGu+kQwAiHvwVoXaA0=",
+        "lastModified": 1718478900,
+        "narHash": "sha256-v43N1gZLcGkhg3PdcrKUNIZ1L0FBzB2JqhIYEyKAHEs=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "e7cc61784ddf51c81487637b3031a6dd2d6673a2",
+        "rev": "c884223af91820615a6146af1ae1fea25c107005",
         "type": "github"
       },
       "original": {
@@ -70,11 +70,11 @@
     },
     "nixpkgs-unstable": {
       "locked": {
-        "lastModified": 1716479278,
-        "narHash": "sha256-2eh7rYxQOntkUjFXtlPH7lBuUDd4isu/YHRjNJW7u1Q=",
+        "lastModified": 1718954653,
+        "narHash": "sha256-uIZlOpCIi/GZ3xrkA87CAHqbTvsTbVQV1JjnP33slxs=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "2ee89d5a0167a8aa0f2a5615d2b8aefb1f299cd4",
+        "rev": "1c0bec249943cd3e03f876554b8af7d1e32a09e1",
         "type": "github"
       },
       "original": {
@@ -100,11 +100,11 @@
         "nixpkgs-stable": "nixpkgs-stable"
       },
       "locked": {
-        "lastModified": 1716400300,
-        "narHash": "sha256-0lMkIk9h3AzOHs1dCL9RXvvN4PM8VBKb+cyGsqOKa4c=",
+        "lastModified": 1718506969,
+        "narHash": "sha256-Pm9I/BMQHbsucdWf6y9G3xBZh3TMlThGo4KBbeoeczg=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "b549832718b8946e875c016a4785d204fcfc2e53",
+        "rev": "797ce4c1f45a85df6dd3d9abdc53f2691bea9251",
         "type": "github"
       },
       "original": {

From df17b25009018aed5d337dd61b284f9b5f7c0c96 Mon Sep 17 00:00:00 2001
From: June <june@jsts.xyz>
Date: Sat, 22 Jun 2024 04:20:38 +0200
Subject: [PATCH 066/170] Add woodpecker host running a woodpecker-server and
 -agent for CI

---
 .sops.yaml                                    |  17 ++
 config/hosts/woodpecker/configuration.nix     |   7 +
 config/hosts/woodpecker/default.nix           |  11 +
 config/hosts/woodpecker/networking.nix        |  23 ++
 config/hosts/woodpecker/secrets.yaml          | 234 ++++++++++++++++++
 config/hosts/woodpecker/sops.nix              |   7 +
 .../woodpecker/woodpecker-agent/default.nix   |   8 +
 .../woodpecker/woodpecker-agent/podman.nix    |  13 +
 .../woodpecker-agent/woodpecker-agent.nix     |  27 ++
 .../woodpecker/woodpecker-server/default.nix  |   9 +
 .../woodpecker/woodpecker-server/nginx.nix    |  57 +++++
 .../woodpecker-server/postgresql.nix          |  18 ++
 .../woodpecker-server/woodpecker-server.nix   |  56 +++++
 deployment_configuration.json                 |   3 +
 flake.nix                                     |  13 +
 15 files changed, 503 insertions(+)
 create mode 100644 config/hosts/woodpecker/configuration.nix
 create mode 100644 config/hosts/woodpecker/default.nix
 create mode 100644 config/hosts/woodpecker/networking.nix
 create mode 100644 config/hosts/woodpecker/secrets.yaml
 create mode 100644 config/hosts/woodpecker/sops.nix
 create mode 100644 config/hosts/woodpecker/woodpecker-agent/default.nix
 create mode 100644 config/hosts/woodpecker/woodpecker-agent/podman.nix
 create mode 100644 config/hosts/woodpecker/woodpecker-agent/woodpecker-agent.nix
 create mode 100644 config/hosts/woodpecker/woodpecker-server/default.nix
 create mode 100644 config/hosts/woodpecker/woodpecker-server/nginx.nix
 create mode 100644 config/hosts/woodpecker/woodpecker-server/postgresql.nix
 create mode 100644 config/hosts/woodpecker/woodpecker-server/woodpecker-server.nix

diff --git a/.sops.yaml b/.sops.yaml
index 1705da9..52a8aa7 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -16,6 +16,7 @@ keys:
   - &host_age_netbox age13fqs76z2vl5l84dvmmlqjj5xkfsfe85xls8uueul7re9j3ksjs0sw2xc9e
   - &host_age_public_web_static age19s7r8sf7j6zk24x9vumawgxpd2q8epyv7p9qsjntw7v9s3v045mqhmsfp0
   - &host_age_mjolnir age1ej52kwuj8xraxdq685eejj4dmxpfmpgt4d8jka98rtpal6xcueqq9a6wae
+  - &host_age_woodpecker age1klxtcr23hers0lh4f5zdd53tyrtg0jud35rhydstyjq9fjymf9hsn2a8ch
 creation_rules:
   - path_regex: config/hosts/git/.*
     key_groups:
@@ -113,6 +114,22 @@ creation_rules:
           - *admin_gpg_dante
         age:
           - *host_age_mjolnir
+  - path_regex: config/hosts/woodpecker/.*
+    key_groups:
+      - pgp:
+          - *admin_gpg_djerun
+          - *admin_gpg_stb
+          - *admin_gpg_jtbx
+          - *admin_gpg_yuri
+          - *admin_gpg_june
+          - *admin_gpg_haegar
+          - *admin_gpg_dario
+          - *admin_gpg_echtnurich
+          - *admin_gpg_max
+          - *admin_gpg_c6ristian
+          - *admin_gpg_dante
+        age:
+          - *host_age_woodpecker
   - key_groups:
       - pgp:
           - *admin_gpg_djerun
diff --git a/config/hosts/woodpecker/configuration.nix b/config/hosts/woodpecker/configuration.nix
new file mode 100644
index 0000000..45e228e
--- /dev/null
+++ b/config/hosts/woodpecker/configuration.nix
@@ -0,0 +1,7 @@
+{ config, pkgs, ... }:
+
+{
+  networking.hostName = "woodpecker";
+
+  system.stateVersion = "24.05";
+}
diff --git a/config/hosts/woodpecker/default.nix b/config/hosts/woodpecker/default.nix
new file mode 100644
index 0000000..1db0c8c
--- /dev/null
+++ b/config/hosts/woodpecker/default.nix
@@ -0,0 +1,11 @@
+{ config, pkgs, ... }:
+
+{
+  imports = [
+    ./woodpecker-agent
+    ./woodpecker-server
+    ./configuration.nix
+    ./networking.nix
+    ./sops.nix
+  ];
+}
diff --git a/config/hosts/woodpecker/networking.nix b/config/hosts/woodpecker/networking.nix
new file mode 100644
index 0000000..17fa56c
--- /dev/null
+++ b/config/hosts/woodpecker/networking.nix
@@ -0,0 +1,23 @@
+# Sources for this configuration:
+# - https://nixos.wiki/wiki/Networking
+
+{ ... }:
+
+{
+  networking.interfaces.net0 = {
+    ipv4.addresses = [
+      {
+        address = "172.31.17.160";
+        prefixLength = 25;
+      }
+    ];
+  };
+  networking.defaultGateway = "172.31.17.129";
+  networking.nameservers = [ "212.12.50.158" "192.76.134.90" ];
+  networking.search = [ "hamburg.ccc.de" ];
+
+  systemd.network.links."10-net0" = {
+    matchConfig.MACAddress = "BC:24:11:5F:A9:B7";
+    linkConfig.Name = "net0";
+  };
+}
diff --git a/config/hosts/woodpecker/secrets.yaml b/config/hosts/woodpecker/secrets.yaml
new file mode 100644
index 0000000..f7b11ce
--- /dev/null
+++ b/config/hosts/woodpecker/secrets.yaml
@@ -0,0 +1,234 @@
+woodpecker_server_environment_file: ENC[AES256_GCM,data:68Wu0UOHBAGZHSJ0x4wbeDLm626jpumv9w6A65FNKsmzYp6P4/c4g1MF1agQd7l9nKMTRrgyJyfoEZYFQRX6lYSmcsQLfn++uh1JpFoClT5p/5hBkiDq4owUFU+NGUiyl6yjYlEiaxLwC4ZdyISHeEYpbrvGyIXLsFgdrQ0rVX3cCRwIMxFcyCG6d3MZVoqAw1A=,iv:y/+X02aRPBOoR57P9s7y/SijvXVLuiBBfFYqeJLvQEU=,tag:DNwK+M6s3moglkMkrWccyA==,type:str]
+woodpecker_agent_secret_environment_file: ENC[AES256_GCM,data:iXsElY7/XhHYC3OAHZOY2TUzcL6dyjLkmuVgRUP1W/ZpTYsBuVbPZFX5WGGX1Pw33sPo1SAp6a8k+qqh0HeqyTxnjj/7T/HOE2DbdHoqF3EK/ryhtQVNNm4=,iv:6rrWRFxoZuXstWrKKo4siHqktcuZqrdjM4DwiFdDfJA=,tag:YvyIYFd/N1Z6tpO2O0ewrQ==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1klxtcr23hers0lh4f5zdd53tyrtg0jud35rhydstyjq9fjymf9hsn2a8ch
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRQlN5NmlaUjR5dGJ3Y3BP
+            bW4rWm1KaVFsbytwZDQ1QjV1d1VEOEZlSTJ3Cmgxc1BmMnBmWjRyNmNDWmpWcnJt
+            Q3lBZUFOY3FtREFUYmhJNCtKcTUxY0kKLS0tIHhKbVVBYjN4WHRzdERNbkRQeHlS
+            UExiNFNCdkQ4YTNMdEdoWTdxOFZOZVEKZZbNpbyH31z5tyXeINqoNyqy8zvS3mp0
+            YFq6P8kO8CaqUG7KH6yWV0Vq4DryQ9vMcQBnboZOfPf9pZUvhacE/Q==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-06-22T00:01:07Z"
+    mac: ENC[AES256_GCM,data:3WLe5X+wMVRth2jnu3xVe209mk+HzFcwkj45N9L0UOgoc5zdBShvdEXcevX98HTldC4kU0IEZZowLHbiDxlIozu2lrkU+0avxzM8jWWcyqMJCLTcBoOHaqKX9EfQ9OvHh2HMz8hJ/AFD/LTDzpTYXpHqSnagt1SRGjUKGZuF3K0=,iv:CPpfAP+bInTtHPRBeVih9s2/YoBJKpwuDq5VUIOkoLs=,tag:0Exia5cJctV6f+mYVgDM/A==,type:str]
+    pgp:
+        - created_at: "2024-06-21T22:42:59Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMAxK/JaB2/SdtAQ//QR84p3zGjW2CtPcPxlmdYui5nx8FV3MHog4R24s4RKNK
+            y4n9993z8m3y2at4yIWDi4LBKrhm/6mSLBHfoxnuiptoaSXSWXfaXebXkYiinkyP
+            GMvwegN6KkRZh4stJMD7W0g7w/trkNEAvPDoInqCnvT4NomrKIV+ZrZuCBLd1tXn
+            JRd2tsH8yYzoZr/PJBBDTZtke/nbosb6drjgG6ow/eHyF++HxKNTWfjCiWn4AWSb
+            c/E1VWsigYdBs8XSTbBkfSLr/b5FcXYb8tyy4gpGe9zOrxc7cW5diK5+x4bM8FHz
+            85ShPA5S3PXXEnuifuk/ZK8+CEYWUS3MXUhuEFUo7F3Pt/Eb+5CtfTX6kvMe1xe9
+            iqFAsRce/qm9Evns4ygZ4+LoI2ro2HFwgQ2fu1gi7PyZsDyW5eRL5P+vfxPUOxYY
+            z9cXXo+U1NEzWMDEBWt4mgoW9URye6O3k+WLQmYbQIhDkftUYmvRrPYQvP282m4k
+            NMucRIRUMkx7rpRQQP8yU6AlgZ1LsOmruV4XJYVxsTpSZq7YgTQP4kd3wMgBhwOV
+            j3hGc9gI9Sq06SdyU0C8PuUHt+mZGkVnYIOTw6BXHgY1tK8X5XnWK4NJXL9bR0pY
+            kfzDWLjD0hiiM3QYqieTbnDUiVTDGyf7Cop+EifYvy7um+CPjlYLLkDkEsWcy/HU
+            aAEJAhDEzP5eiU1e01GSNbWL49ghD7DqZiYdo0F/BGMk6jQloM1HUDnkhgBhVSZo
+            TjNPV3UFBxeRnT5DvouD6uJ8SDs42ARdb4F80vJVHknt0yBvGWfCQsXqKwuRDd1j
+            zkj4zG7btJRv
+            =sgSP
+            -----END PGP MESSAGE-----
+          fp: EF643F59E008414882232C78FFA8331EEB7D6B70
+        - created_at: "2024-06-21T22:42:59Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA6EyPtWBEI+2AQ//V6IIW3Hr3xuQWOWitDGn1bo+x95jePPpXNayKGJuaSMf
+            00gaOyMpqP5hRd3lEQRyqHgPtmszlGrxq2y77CxnnZMbE6n+axwQQLoMzROBGyGF
+            iqe6hNbNFZPjWv5BTAl3iOHWrw3x/TpgcNmSBDfctU+CZlMWzCMuXJw1bK57wQd4
+            B6xcoBxidK55Ubc7GQ8mlAEuZ89fYorTRBfv2rBgUh8ZAAsUmn1jEz7HsQMMd2a8
+            5V4TzicdzXO2cZ+0DqU8Xqt5U9C0IjGgZRPzDYkh7slkbyYomAIfCq+zN5ieecz9
+            Mp8vvuMYfT66P+heNRZ7w/sgmGlarcmNKlOcXlakVYm5qVddPMx6M5Ovl4O5sABz
+            V4O4NRehYx0XFbjzXr59LCzpusS9xQoh49288dLTFudOInHUYq6ss0TbGfFJMDYU
+            mjHokzdG3ds8C9/lMR82X9rbyZDchUytHUwX4eGxUDMmhydFpgJko0bbozPbE2ll
+            NTlWegCc1yrkSGn6U9EYKtibitJnIMdas5HapcErMH2vYILsJOl9ifG1GIsuWe1+
+            ipPyZy7jqP7p18WCcDnUhgaGdQ67UjSLqX2zz0SZDcfI46SUeyeSelFVpTlmKriS
+            4bW6hC1FSe+bLkPZ0y5aRLgL5ipK6jdlZepAj/DNXdKAtchLHcddF3rKdBdzsxrS
+            XgFvvZPgj1JleYr+q/+ju4k1d4cE0HnQZIBnkAfKXZHwSPCw1d9vbeLipuRTJrEH
+            2CpOjtiXl3S2ZcCS1ama9lgAqPBOOoH7jgHvoCzqfkBsi3/QlIpQs+C8ro4hXE8=
+            =KZWk
+            -----END PGP MESSAGE-----
+          fp: F155144FC925A1BEA1F8A2C59A2A4CD59BFDC5EC
+        - created_at: "2024-06-21T22:42:59Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMAz5uSgHG2iMJARAA5+vcORn/YX2bHcAno9KCUGTzeiCP/DOoSePMdsCAmABj
+            P8XoYJOyZoZgW3qgvtKZ4pLGB26FuJXC2y6Z3yyQ4Xj2PeBj1og9xM8p7GnF6T6n
+            7wqALwJOamyer3A+OXx2Gc8kZ0ObqgBbbn5QTPnHzsRljC3Irgk+ZZE8ZRshoPmu
+            6TEuMW0NT5INmijtPAxer/eaAor3KKxMTf+sqqr/VGNopAyFUCGZynlnjcei6X+T
+            tVKh6zqr/eaTlnhoP2kr4u+wKcHvLV8an8sfsyIGL90O11LNcX8Sf4EyPDYSXOe7
+            AXTFcvfw9+ALu3cbTVPN0aI2e8fCir2S00F8x28Ffc2xDSrXjWEDCXLuRNVXz5KA
+            Mjq4afyQN6mtVZ6ZmtvaLQoG8D2f2sGzvrsBjaXwxPLHKPpUFZVBiiP0C08yokUR
+            7FrYaOjnvQVALLxGJMAhMf02g2dYDFxMw18cY2a+bLrYUVd9EMbuFwCJNzmU0of7
+            EpSvXrA0wTKddk+vL3JoJgIrOxz2IQbaC24NiCUzbyakhT+qDX/oXXILxL2x0GfR
+            RaTL1inkTQO//ooAjlPeMA3OIDQo5CdoV4VlvSUgagYfDvMfDCAO04Xxvezh1uvz
+            //4Jz13+LFoUgbtVUYiT4oqWyfTKOV0D8ILYWKZJtjJt4TeYpEfbQFEzIYyF3OHS
+            XgE7aGyB0ArPBovSr55eQGmW+FaeG1VtH7TRLU367FyQmGep5O2SUxQXqFFiWyDy
+            bseIYdRqNsmlgdXBnADdkVCFJtF4C/VA2DOk+wOO8XtQoMQ8zrIl+0Viq1s66OY=
+            =xc00
+            -----END PGP MESSAGE-----
+          fp: 18DFCE01456DAB52EA38A6584EDC64F35FA1D6A5
+        - created_at: "2024-06-21T22:42:59Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMAw5vwmoEJHQ1AQ//abtgoFEWd+zbeSbiwey8nCNQUSklHV9kbLuBK8+ipX/Q
+            qjweWnnPVN6ODhgfXm93k1tSqeJjYqjqfxVsAEUiXC61UhvS6JBZuVUt4nRUWHk2
+            cdu3eKlBx7Nhm6th1gZ+Wf7PcryT5fmJQP5a8VEM/nUuRjnAmG7RuSiWbNzBbTDx
+            4jh4GTvlFkupxZvLsXYf2T+7qn0eHymdQI8+5WSHQH6kApBvINYoq1m55it5ilEp
+            M0tYNFMzi10OjKVbNRQXuKhROzzYGtW8qWGtc33WBB5rvkRVelSDmleTbRywWjE0
+            rNo7vj97SbmGdCHydzcEwPIBOd11ZgFWpamX/36ALeKCxgHgc3HsnjIkDsEffpoN
+            SFHAhyYqXTDRqq5/HuBQBDBJLVVcIbqlJo3us47gI3rhojjSayzTBd5TnGOZt5N0
+            rFOqoZ1i3vf3C5sjKivTzCJ/P3yFgD271hQjv49jSqXgSF8ZIvzaDr0xLiy+XnZ+
+            EsUyqxZBKWy246BtyZ4qBvRjVKbezpxQFh6MzxccY+toUaG2v2I5muvFJRHe7qEA
+            fT6XDl7W6aQ/RBL/Ij9OWYvCMWS27mzkLQi0uBH5gyA1t6Bg9O6+CjGpK6Mmd8fx
+            1Q2Ml5ClzLnEq94FX3f2hpqLdSlwREPoBYULeJNr+WhayDvfRjuh5+MvN+wjbs/S
+            XgGYwgGCrFmzXN1mWElNGc3+3sMEpiuvJp6Z1nRfr17YvIPUrtCU7zVHWR1lWFKU
+            gjJacBX/Qw9Kly+5jADM0UorWkZxaby+q+j8rN43nPatjDlDRI+BrNta0l0ulOA=
+            =2cbn
+            -----END PGP MESSAGE-----
+          fp: 87AB00D45D37C9E9167B5A5A333448678B60E505
+        - created_at: "2024-06-21T22:42:59Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA4HMJd/cQYrVARAAu8l79uJlVLz++foLhk83zrPSZsX+1TQduJl06Kx2VrJ+
+            dZX/0okzpHmHeZGhGH+e1Gv7MpyM4UxAGwE03NIk32p43LF/biad0zc4TB8yr9r6
+            N3Sr/ZbaB0oYC/K4r1Sj8W1XWmuYZB8lc1dyfwhf96KIXGutvG22O5XI0pOA9yHL
+            x4AWt8OHYsaWCt941M6pbFtBsJEl/TaKgYF7YNITvsfj/oG7cPESKLOkcJdmhN1r
+            ADpJRcs6rVvMLWxUBjZICqZvDlwnXK5gCu30MmLs/oQbFmHjBRB01Ird+Mb5e6l4
+            vrYC+zO3RG3dZ+VXJD0rBn+56nDMtiKISJCy4I4Vz/ekwx94cIci+BlD9/3YYix7
+            HVgR6flBgInZEvaBxyj2e0G5i2gKvYTfea5+6bwPpszLUaYba/YLQQ2mSXcwWPsV
+            ipuNSjJ8swK2OpOFTfzs7Ua1OZChCOhhduxiKCwASYrbncfexObsQfeobj3wrwXH
+            N4M+h5ghm+y7UFKDW+gfN79WGfltWiMdy9vZNwwEYF0NE8jkwPfIt2dLvyU73MFU
+            NivYWp6kUj+gbLkb3gLClAi4CyYqNQyBjbKEbt+470UIMZ44WWMEJy7bMwAVzLBk
+            VxBHphqSuP04pgb5a+PHPApCZC6KEntnW1zX+DKrCn3/+NhoD6COhCvetWxq4f7S
+            XgFop4XZPWYJb6ypqkFLbkHIg7tCbr/xae4HABncVj0BaS1Z7TBdMiGi8SQvHti5
+            70rNGZIpQe/59DmBrLT06VdQRY5rt20bDoN+DaUrE2tc0k5h+uwI71TG4//Db2A=
+            =m4ec
+            -----END PGP MESSAGE-----
+          fp: 91213ABAA73B0B73D3C02B5B4E5F372D17BBE67C
+        - created_at: "2024-06-21T22:42:59Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMAxjNhCKPP69fAQ//Tz2g90bOkkY942MaLO5/k8MFMf4QEDMZAiw9tVZ39Rqf
+            udMTcGyOX6zLzr+xxNX3gwn8X+bl0yw4Tg/FiyOzl9RjMZDxvzUaj1gYZI9kKPne
+            aEmAYcP2mv+ITUDnApZonDZE5hUnLGAyfEZMU6ExF9XkU94dXFdU4nd+gF5XHzou
+            STiNryBYaxWP1WMkW4SlZqdJiCfrkI0Z7iTF86QtXN5S8qLSIyjP3hIv5QxJg5Xo
+            NwK5IXQhV/0ZHp1Wl8Xys2iUw3iuwPga7sBrMHdJ0PHVBg3Wg/bG7YtrfEAfUbcr
+            UHt9rNGFZluuqNctvcvkSUjv5DISCgl8lSSbzC8DK/vT9o0DQYWvySNpVwXO3tqs
+            9aCxKc8trCXrd9qePnO259Ni0ALRjyh/GHZipzhZo/mgyUWc5nAdTLM49MsmAKHc
+            PnBBSntXnVHfFoFvgyBAmyISVuH/L5j8mezQ/37AevcTfuWemjDRGWIiIJZ73CyF
+            tG6ida5En9QouMO18gKBBzfR/2s6tt60bEp4bE3j2rRgEhwblBfl1NtGSw2WGVVZ
+            bU8KormLDT8aurMIp/Rd1pzAxDpEhDa13TV1IfRECOQvY35aBC59upt+XLwJ83ch
+            Zgi5cRGtSoj1G9OziQGCtJjGqkZoFy7Htou6AyFUEln+2Px0EKGJC3yCUcOF0orS
+            XgEtK2wEJNnJ84LctjrRM4ZSeb/8nycfWiR9riJi1lq6J+WSeiGME3cvhgObDTtG
+            EwuAjG6vhwUdr3aovsENQhvHnQWID844CeBtB9jMHbFJy41vbt0rC0JJG/6RoRg=
+            =5Ijl
+            -----END PGP MESSAGE-----
+          fp: F38C9D4228FC6F674E322D9C3326D914EB9B8F55
+        - created_at: "2024-06-21T22:42:59Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA1Hthzn+T1OoAQ//dwisvTFgYUCFICbaNZ+8jttF4lTQ2fjdP6UHb0evav84
+            PUYpqUfmMF1BUvxDx0rwzzP1OaSKuesxAG46i1Nha1Tq/LOURtzZtXPW4+xSHWge
+            ifbcbGTBkACviKkRuVUqaQBAbzDnFIHtcQy7nbILmzM0aRwm1IC1WzKpPRBgzAy0
+            o/UE4geZjPuNqkix4mcLz8sXvKMz11FE3QpZ44JqiRhmAITTDVo2ymhbvA6R2C1w
+            AL0tjJwKRb0qfoBegyPbuUW399l3CCtEE7voW8AxZ3Y6EGO8DQ1i/MkR81zymFep
+            PUDVYDmhqmh38Z79v5iKqnruzS+rOaitzMRqsUfOJfa4UoFkjO6tYdi5cOY8T4cD
+            w0rgCpvWriaGKGHDuRIdu031GFyf26+SvOWEbiOhMv+h18Hj5P7uT+Is+VuEhHEo
+            i7EYTqzsRwyIfybNkb0mBVluvXb4CpZRdRq5AzC49qu4IezvKoAT99KG1yf7XJvI
+            Ijc/ZITFqCBxE7REA4JBDuivPHfML4CgxG+5PiBJ3JDdaP+xRuoVQQv5E55Y4YwF
+            NM+NTNcvsTv2vKXJ8mmWLBn9xMxN32gmDyy7jW0elW46AQidIL6C+W2Zhxn6GNvc
+            2faDhNQ3yV0A9mIsgQjdWeQemqhsiVU6Sg4Mmattm/b6plGCM1DIcJgMV2RRAobS
+            XgGt7zD15Ju4S+fQqL7MVGGD3y5v0C5eLx78MScygpNQKS0vfTfTE2+wRCzCjZAG
+            /6HU85E6ru1VeXc0TwQBrpX3Wi2ga/momalsCGoh3oHBd+jRqzwpRxojKLy65qU=
+            =g4RA
+            -----END PGP MESSAGE-----
+          fp: 5DA93D5C9D7320E1BD3522C79C78172B3551C9FD
+        - created_at: "2024-06-21T22:42:59Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA46L6MuPqfJqARAAmTOXbn+qa0wgjSvK3juGqVemxKvaD2zFG57ivYdC1Jdn
+            PIVi5aBCvZ8KY/0W9k83LVcGUY1f8eRkCU8ohJU+rmRbiTvT0qo1hfLzxrqaNbke
+            gN+YsYW8bgXioF6nHVWI158GvqNfmvRl4WyJzBQ41cAyMpdGXiIzUoCba3Y6f+1N
+            muljMhgvEtWUddf4zheZX89xV+aLa9Mga6aQbwRcL451UcKxmE2nk4+00rMn7R7R
+            vmsC677/RrKkI7RxubzCVFFlzaH+ZZ1Ott6ozKUWs2vCcB6vTzwwvmrJwmr760lC
+            pozfNp/+WzLZOkA3rO2qAvIUc1DxYA6CgukrAAObCbvmcgMeLtVR29wwWs01qxI+
+            cTxmH+btbiM0PL8+/sW2KlC19hfMmeryiJXxbUN30a3fMDJz1wVor54DsaqG9kIJ
+            zIxGsQ6t8fzfaVfeQwoxODnTWqUClWCY4is251O4Gxw3C0oPWZvzoPvxljaPrYYY
+            SE3dcktWmGoOxLj56lLfceKq0qAtYmJD4Q5k2GDYYU+8dwp95UTf0lbRwauMBROT
+            OMe4r/emH4Z1LiG2/HLoM4QuV5VVQGSAqoE3c42YjjS9uh/aOtmeNNLehwS93F5E
+            J/bXNY6VnHcALRGMZF60g5OxM3QUioNkGqcCWGjSaRPcKhwaXvvIaTCdz8apnBHS
+            XgHeuszpU9/O1nCsNPF2vQUjcNxz+KsL39RwHCVJBVJskxd4HcJQUM7uArV1Fjbk
+            fl4nQuueBrZ4tXzimRK2QOjgy8F2n/Kxpjlr4rXn+Pi9jyhx0Jq4Blu3wrR4LAg=
+            =4Xvm
+            -----END PGP MESSAGE-----
+          fp: 8996B62CBD159DCADD3B6DC08BB33A8ABCF7BC4A
+        - created_at: "2024-06-21T22:42:59Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA4EEKdYEzV0pAQ//fo1yfBspyD2O84d8UCHWoUJTNYql2p26H/vC2BsVzAmL
+            6nylQACeslISLlXbrW+ILPOFZ5x21THOFcJdvCGAQAkY+jC7Ry3D2gwsZi/RLFpP
+            wbEgbzk9hcimmvuHW/NJtrqvXiTJy7GH7el5Zwqe6rtUkTW5IUtaOmZjn2fQBVoq
+            9mMT86vOYlqgIISG1o5x4pciRd+fb3JPiPeJiLcyUBEXYqg2THlyYwwp2paFomYf
+            a6Ls/pVT9ICSblFlnfILOexDpqhxcPH+V2nwlbSlOETq3ACcVIgufIRndTkGhDzi
+            HS3GlD5nIb/ep12Gj+qOgKZBsbUdNIAVojNY2qlK2yQJpE5B1aDjmkAZUkk/LqF3
+            76ZRBDzigU0jfYKh2iGDY3F8cWDsRqjqcTjVB9KF32+1SeUAO4NqDnDpMZgBh2i5
+            rvDOJCJfTgo7DfPqWPyeFM58sow9EEglygASA/XTaDV+CmLzRlqxwlJwpbRrz3OV
+            Mp1gewfGASLPS4xh6gtROac9DAuokmN5VgNg2g+emN8lUNJ/7V7u30TvCEfGP0j0
+            1Sd6RrNn/ZDMJtOoE8gDua6njbOi9Zk/RN4Y4NKWcmiNZxz/Xi/8XU7F0yk0yEL1
+            DUxYsCEHImib+lAESQ0fF4VMXx3DSXq2/Yt5z782ZvgNrGoGw3B9qVA5FyG5Bt3S
+            XgGgfz/6fGZ0DEtTv3B8Rhqbm6TvwPFgIg+3WuQRXxf3rjjoX1AN0jcuz8OIIfGk
+            o1GuRG0/sYg7P32ysgQMvS1F+rX2PR/myHsz4YMM10soG7OduHgXmiJ0eUq8EtM=
+            =WLCQ
+            -----END PGP MESSAGE-----
+          fp: 9DFA033E3DAEBAD7FDD71B056C7AAA54BE05F7BA
+        - created_at: "2024-06-21T22:42:59Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hF4DQrf1tCqiJxoSAQdAUMjy8rV2Zy5nmeMOBsANIUVyhAvVBUF1yunc+EgVeVQw
+            yd4hPHMnQSkasXmcMDS0y2gwixgTOeQbG5PaOr0FA7eGEItLlqwSxz3+GnuD/gEw
+            0l4BFrUbimEX+/tfI8aymapMVYXFXWe4dUZw9foKN5HqkpPKhusozd9bqPPNKggZ
+            09tvIJViKP/QufK0WyLYZGWrG+leogDX39GBtAU1SOllFqtq2G0X1qH+s88GVpaO
+            =hxWV
+            -----END PGP MESSAGE-----
+          fp: B71138A6A8964A3C3B8899857B4F70C356765BAB
+        - created_at: "2024-06-21T22:42:59Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMAzdAjw8ldn6CAQ//SK6MVXhRsRxYV8jL9HrVTovc84kNFr24nbHHi5z6fuCA
+            6ZjPr5Btx5Xxi716mEmdDBUSGfeJOOSt6hw4fCqj5ehnCeMLr9GvmJdZx9s2n88m
+            h4Fzd1XF67NMbSAYMPrXpk5dlxBNsgmsAWTaEet9gqGWWYsrZHWPvae7z+GaJJzz
+            h3dix5oVV3tM2OVP9hFhRtu9tv9a0sj5Eu6mz8UsDFwEPynlSDPKUQA0jFTXJnYo
+            yT8UTPSZAUlwnU88JPIhHKCmU8nqUIgDURVNgK4BsuoKSAZ27ueSHr/4IzBiavVD
+            6V1b1Ttt8usKFp21OCqfNuoiIeEipUdLMFSTjSXqOp38QTaqoDaCsAPc6j3HCvlV
+            vMm1lbSKK+Llpk9WOmqvHQriL50lQGYpa2X/jS8FtlotKFm0uGJoJXZ5Ujc4Wmy9
+            J79/cXLULGFCxdPsoxmd8wJFqz0eiVPHIBFB2Y8Tan+Mg44WeBuY8sAWGzYPp+kB
+            sEOIQ5I9N1Gt+58i1hDTRlqO4I8ihusqKeRemJa954rlzz8YTmZL+JAD5gsMtzuH
+            gMjnfBnNJKw3UmnHMMQm348CRB6SuF6rmjc7Xk1qsnie87HtYbM3dJYh7ixddr/a
+            kTHy66zDX4j3e/y2JdEPQw8/WhhdGnyj6eDioQLNFfvApI7doi5C+XDCR08YxJnS
+            XgG0kP/bfDBkwzzHkr3khuvdtmUEmsxGbR/3abyjLfvM+g3HM6Eqq0uDwuGgYinR
+            DYfWUZTas5uWrgxAWYbBCbhPcevu7CsyJFsBtG4ExTXPSsP2c79+LwtmJjbLQqo=
+            =9C2P
+            -----END PGP MESSAGE-----
+          fp: 3D70F61E07F64EC4E4EF417BEFCD9D20F58784EF
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1
diff --git a/config/hosts/woodpecker/sops.nix b/config/hosts/woodpecker/sops.nix
new file mode 100644
index 0000000..b4548ed
--- /dev/null
+++ b/config/hosts/woodpecker/sops.nix
@@ -0,0 +1,7 @@
+{ ... }:
+
+{
+  sops = {
+    defaultSopsFile = ./secrets.yaml;
+  };
+}
diff --git a/config/hosts/woodpecker/woodpecker-agent/default.nix b/config/hosts/woodpecker/woodpecker-agent/default.nix
new file mode 100644
index 0000000..1b51267
--- /dev/null
+++ b/config/hosts/woodpecker/woodpecker-agent/default.nix
@@ -0,0 +1,8 @@
+{ config, pkgs, ... }:
+
+{
+  imports = [
+    ./podman.nix
+    ./woodpecker-agent.nix
+  ];
+}
diff --git a/config/hosts/woodpecker/woodpecker-agent/podman.nix b/config/hosts/woodpecker/woodpecker-agent/podman.nix
new file mode 100644
index 0000000..08b0312
--- /dev/null
+++ b/config/hosts/woodpecker/woodpecker-agent/podman.nix
@@ -0,0 +1,13 @@
+# Sources for this configuration:
+# - https://woodpecker-ci.org/docs/administration/deployment/nixos
+# - https://woodpecker-ci.org/docs/administration/backends/docker
+# - https://nixos.wiki/wiki/Podman
+
+{ config, pkgs, ... }:
+
+{
+  virtualisation.podman = {
+    enable = true;
+    defaultNetwork.settings.dns_enabled = true;
+  };
+}
diff --git a/config/hosts/woodpecker/woodpecker-agent/woodpecker-agent.nix b/config/hosts/woodpecker/woodpecker-agent/woodpecker-agent.nix
new file mode 100644
index 0000000..6ad5cbf
--- /dev/null
+++ b/config/hosts/woodpecker/woodpecker-agent/woodpecker-agent.nix
@@ -0,0 +1,27 @@
+# Sources for this configuration:
+# - https://woodpecker-ci.org/docs/administration/deployment/nixos
+# - https://woodpecker-ci.org/docs/administration/agent-config
+# - https://woodpecker-ci.org/docs/administration/backends/docker
+
+{ config, pkgs, pkgs-unstable, ... }:
+
+{
+  services.woodpecker-agents.agents."podman" = {
+    enable = true;
+    # Since we use woodpecker-server from unstable, use the agent from unstable as well.
+    package = pkgs-unstable.woodpecker-agent;
+    extraGroups = [ "podman" ];
+    environment = {
+      WOODPECKER_SERVER = "localhost${config.services.woodpecker-server.environment.WOODPECKER_GRPC_ADDR}";
+      WOODPECKER_MAX_WORKFLOWS = "4";
+      WOODPECKER_BACKEND = "docker";
+      DOCKER_HOST = "unix:///run/podman/podman.sock";
+      # Set via enviornmentFile:
+      # WOODPECKER_AGENT_SECRET
+    };
+    environmentFile = [ "/run/secrets/woodpecker_agent_secret_environment_file" ];
+  };
+
+  # Remainder defined in ../woodpecker-server/woodpecker-server.nix
+  sops.secrets."woodpecker_agent_secret_environment_file".restartUnits = [ "woodpecker-agent-podman.service" ];
+}
diff --git a/config/hosts/woodpecker/woodpecker-server/default.nix b/config/hosts/woodpecker/woodpecker-server/default.nix
new file mode 100644
index 0000000..a713746
--- /dev/null
+++ b/config/hosts/woodpecker/woodpecker-server/default.nix
@@ -0,0 +1,9 @@
+{ config, pkgs, ... }:
+
+{
+  imports = [
+    ./nginx.nix
+    ./postgresql.nix
+    ./woodpecker-server.nix
+  ];
+}
diff --git a/config/hosts/woodpecker/woodpecker-server/nginx.nix b/config/hosts/woodpecker/woodpecker-server/nginx.nix
new file mode 100644
index 0000000..962183c
--- /dev/null
+++ b/config/hosts/woodpecker/woodpecker-server/nginx.nix
@@ -0,0 +1,57 @@
+# Sources for this configuration:
+# - https://woodpecker-ci.org/docs/administration/deployment/nixos
+# - https://woodpecker-ci.org/docs/administration/proxy
+
+{ config, pkgs, ... }:
+
+{
+  services.nginx = {
+    enable = true;
+
+    virtualHosts."acme-woodpecker.hamburg.ccc.de" = {
+      default = true;
+      enableACME = true;
+      serverName = "woodpecker.hamburg.ccc.de";
+
+      listen = [
+        {
+          addr = "0.0.0.0";
+          port = 31820;
+        }
+      ];
+    };
+
+    virtualHosts."woodpecker.hamburg.ccc.de" = {
+      default = true;
+      forceSSL = true;
+      useACMEHost = "woodpecker.hamburg.ccc.de";
+
+      listen = [
+        {
+          addr = "0.0.0.0";
+          port = 8443;
+          ssl = true;
+          proxyProtocol = true;
+        }
+      ];
+
+      locations."/" = {
+        proxyPass = "http://localhost${config.services.woodpecker-server.environment.WOODPECKER_SERVER_ADDR}";
+      };
+
+      extraConfig = ''
+        # Make use of the ngx_http_realip_module to set the $remote_addr and
+        # $remote_port to the client address and client port, when using proxy
+        # protocol.
+        # First set our proxy protocol proxy as trusted.
+        set_real_ip_from 172.31.17.140;
+        # Then tell the realip_module to get the addreses from the proxy protocol
+        # header.
+        real_ip_header proxy_protocol;
+      '';
+    };
+  };
+
+  networking.firewall.allowedTCPPorts = [ 8443 31820 ];
+  networking.firewall.allowedUDPPorts = [ 8443 ];
+}
diff --git a/config/hosts/woodpecker/woodpecker-server/postgresql.nix b/config/hosts/woodpecker/woodpecker-server/postgresql.nix
new file mode 100644
index 0000000..e715650
--- /dev/null
+++ b/config/hosts/woodpecker/woodpecker-server/postgresql.nix
@@ -0,0 +1,18 @@
+# Sources for this configuration:
+# - https://github.com/NixOS/nixpkgs/blob/dce84c46d780b20c064d5dfb10d0686e0584a198/nixos/modules/services/web-apps/nextcloud.nix#L1069
+
+{ config, pkgs, ... }:
+
+{
+  services.postgresql = {
+    enable = true;
+    package = pkgs.postgresql_15;
+    ensureDatabases = [ "woodpecker-server" ];
+    ensureUsers = [
+      {
+        name = "woodpecker-server";
+        ensureDBOwnership = true;
+      }
+    ];
+  };
+}
diff --git a/config/hosts/woodpecker/woodpecker-server/woodpecker-server.nix b/config/hosts/woodpecker/woodpecker-server/woodpecker-server.nix
new file mode 100644
index 0000000..baff752
--- /dev/null
+++ b/config/hosts/woodpecker/woodpecker-server/woodpecker-server.nix
@@ -0,0 +1,56 @@
+# Sources for this configuration:
+# - https://woodpecker-ci.org/docs/administration/deployment/nixos
+# - https://woodpecker-ci.org/docs/administration/server-config
+# - https://woodpecker-ci.org/docs/administration/database
+# - https://woodpecker-ci.org/docs/administration/forges/forgejo
+# - https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-CONNSTRING
+
+{ config, pkgs, pkgs-unstable, ... }:
+
+{
+  services.woodpecker-server = {
+    enable = true;
+    # Use package from unstable to get at least version 2.6.0 for native Forgejo support.
+    # https://github.com/woodpecker-ci/woodpecker/releases/tag/v2.6.0
+    package = pkgs-unstable.woodpecker-server;
+    environment = {
+      WOODPECKER_HOST = "https://woodpecker.hamburg.ccc.de";
+      WOODPECKER_SERVER_ADDR = ":8001";
+      WOODPECKER_GRPC_ADDR = ":9000";
+      WOODPECKER_ADMIN = "june";
+      WOODPECKER_OPEN = "true";
+      WOODPECKER_ORGS = "CCCHH";
+      WOODPECKER_DATABASE_DRIVER = "postgres";
+      WOODPECKER_DATABASE_DATASOURCE = "postgresql://woodpecker-server@/woodpecker-server?host=/run/postgresql";
+      WOODPECKER_FORGEJO = "true";
+      WOODPECKER_FORGEJO_URL = "https://git.hamburg.ccc.de";
+      # Set via enviornmentFile:
+      # WOODPECKER_FORGEJO_CLIENT
+      # WOODPECKER_FORGEJO_SECRET
+      # WOODPECKER_AGENT_SECRET
+    };
+    environmentFile = [
+      "/run/secrets/woodpecker_server_environment_file"
+      "/run/secrets/woodpecker_agent_secret_environment_file"
+    ];
+  };
+
+  systemd.services.woodpecker-server.serviceConfig = {
+    User = "woodpecker-server";
+    Group = "woodpecker-server";
+  };
+
+  sops.secrets."woodpecker_server_environment_file" = {
+    mode = "0440";
+    owner = "root";
+    group = "root";
+    restartUnits = [ "woodpecker-server.service" ];
+  };
+
+  sops.secrets."woodpecker_agent_secret_environment_file" = {
+    mode = "0440";
+    owner = "root";
+    group = "root";
+    restartUnits = [ "woodpecker-server.service" ];
+  };
+}
diff --git a/deployment_configuration.json b/deployment_configuration.json
index 94ff2f0..eb59412 100644
--- a/deployment_configuration.json
+++ b/deployment_configuration.json
@@ -26,6 +26,9 @@
     },
     "mjolnir": {
       "targetHostname": "mjolnir-intern.hamburg.ccc.de"
+    },
+    "woodpecker": {
+      "targetHostname": "woodpecker-intern.hamburg.ccc.de"
     }
   }
 }
diff --git a/flake.nix b/flake.nix
index 9ee17cf..f508b35 100644
--- a/flake.nix
+++ b/flake.nix
@@ -211,6 +211,19 @@
             ./config/hosts/mjolnir
           ];
         };
+
+        woodpecker = nixpkgs.lib.nixosSystem {
+          inherit system;
+          modules = [
+            ./config/common
+            ./config/proxmox-vm
+            sops-nix.nixosModules.sops
+            ./config/hosts/woodpecker
+          ];
+          specialArgs = {
+            inherit pkgs-unstable;
+          };
+        };
       };
 
       packages.x86_64-linux = {

From 1aff46745a7a89b53bd52732e8f8eab7cbf33d0c Mon Sep 17 00:00:00 2001
From: June <june@jsts.xyz>
Date: Sat, 22 Jun 2024 16:07:01 +0200
Subject: [PATCH 067/170] Disable mjolnirs verbose logging to have it not spam
 the management room

---
 config/hosts/mjolnir/mjolnir.nix | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/config/hosts/mjolnir/mjolnir.nix b/config/hosts/mjolnir/mjolnir.nix
index 49b196d..c9534f6 100644
--- a/config/hosts/mjolnir/mjolnir.nix
+++ b/config/hosts/mjolnir/mjolnir.nix
@@ -9,6 +9,9 @@
     enable = true;
     homeserverUrl = "https://matrix.hamburg.ccc.de";
     managementRoom = "#moderation-management:hamburg.ccc.de";
+    settings = {
+      verboseLogging = false;
+    };
     pantalaimon = {
       enable = true;
       username = "moderation";

From f5432bd682ba022bceb004402103669e75b203b3 Mon Sep 17 00:00:00 2001
From: June <june@jsts.xyz>
Date: Sat, 22 Jun 2024 16:26:58 +0200
Subject: [PATCH 068/170] Use an agent token for Woodpecker agent to stop it
 from re-registering

With the shared system token, every time the Woodpecker host would
restart, a new Woodpecker agent registration would be created, because
the agent receives a unique ID on first connection using the system
token, which it couldn't store however, because it doesn't have a
writable config file in NixOS.
Use an agent token now, which doesn't require the agent to store a
unique ID in a wrtiable config, therefore not making it re-register.

Also see:
https://woodpecker-ci.org/docs/administration/agent-config#agent-registration
---
 config/hosts/woodpecker/secrets.yaml                |  6 +++---
 .../woodpecker-agent/woodpecker-agent.nix           | 10 +++++++---
 .../woodpecker-server/woodpecker-server.nix         | 13 +------------
 3 files changed, 11 insertions(+), 18 deletions(-)

diff --git a/config/hosts/woodpecker/secrets.yaml b/config/hosts/woodpecker/secrets.yaml
index f7b11ce..6b960a7 100644
--- a/config/hosts/woodpecker/secrets.yaml
+++ b/config/hosts/woodpecker/secrets.yaml
@@ -1,5 +1,5 @@
 woodpecker_server_environment_file: ENC[AES256_GCM,data:68Wu0UOHBAGZHSJ0x4wbeDLm626jpumv9w6A65FNKsmzYp6P4/c4g1MF1agQd7l9nKMTRrgyJyfoEZYFQRX6lYSmcsQLfn++uh1JpFoClT5p/5hBkiDq4owUFU+NGUiyl6yjYlEiaxLwC4ZdyISHeEYpbrvGyIXLsFgdrQ0rVX3cCRwIMxFcyCG6d3MZVoqAw1A=,iv:y/+X02aRPBOoR57P9s7y/SijvXVLuiBBfFYqeJLvQEU=,tag:DNwK+M6s3moglkMkrWccyA==,type:str]
-woodpecker_agent_secret_environment_file: ENC[AES256_GCM,data:iXsElY7/XhHYC3OAHZOY2TUzcL6dyjLkmuVgRUP1W/ZpTYsBuVbPZFX5WGGX1Pw33sPo1SAp6a8k+qqh0HeqyTxnjj/7T/HOE2DbdHoqF3EK/ryhtQVNNm4=,iv:6rrWRFxoZuXstWrKKo4siHqktcuZqrdjM4DwiFdDfJA=,tag:YvyIYFd/N1Z6tpO2O0ewrQ==,type:str]
+woodpecker_agent_environment_file: ENC[AES256_GCM,data:7K+Q59QM9ZIr/SE8VQ9jmshjVSeXGzk+h2T9oIDJASZrYppTFx2N68wsKyFm/Y1GDLY3QEELGXOCa7nSZcdMJTOJ9jj5u7HMw3e0CQGxMUGP,iv:vyDQO7uMxyHpK/cb739sktuAq3zv2MZ9xexAZHD0Of4=,tag:WzNn4iWGlO63aLeStsCdRA==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -15,8 +15,8 @@ sops:
             UExiNFNCdkQ4YTNMdEdoWTdxOFZOZVEKZZbNpbyH31z5tyXeINqoNyqy8zvS3mp0
             YFq6P8kO8CaqUG7KH6yWV0Vq4DryQ9vMcQBnboZOfPf9pZUvhacE/Q==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-06-22T00:01:07Z"
-    mac: ENC[AES256_GCM,data:3WLe5X+wMVRth2jnu3xVe209mk+HzFcwkj45N9L0UOgoc5zdBShvdEXcevX98HTldC4kU0IEZZowLHbiDxlIozu2lrkU+0avxzM8jWWcyqMJCLTcBoOHaqKX9EfQ9OvHh2HMz8hJ/AFD/LTDzpTYXpHqSnagt1SRGjUKGZuF3K0=,iv:CPpfAP+bInTtHPRBeVih9s2/YoBJKpwuDq5VUIOkoLs=,tag:0Exia5cJctV6f+mYVgDM/A==,type:str]
+    lastmodified: "2024-06-22T14:24:28Z"
+    mac: ENC[AES256_GCM,data:1MCBR0fU1wMwmTqLKi6ybFD5YX/yYFMO1JLUpB+ZB+PYH+lvYUwo7x52BNxDDETq+VtU13CJLIM0LleOWl0h0xP9vbMC/YMn+ffeWVBYC8mjqaKXYVyAW8ksXn+vDQ+ZP/RWGOJdaKIPLgIJiVF5hfkSo6smfH378cH72f5cmU4=,iv:BgKHSsElxULJ2EA+8/5w4J/hNLH2S+jNNRTXAl/96V4=,tag:z1HeWXA6Ryo0SacG9HARhw==,type:str]
     pgp:
         - created_at: "2024-06-21T22:42:59Z"
           enc: |-
diff --git a/config/hosts/woodpecker/woodpecker-agent/woodpecker-agent.nix b/config/hosts/woodpecker/woodpecker-agent/woodpecker-agent.nix
index 6ad5cbf..7eac510 100644
--- a/config/hosts/woodpecker/woodpecker-agent/woodpecker-agent.nix
+++ b/config/hosts/woodpecker/woodpecker-agent/woodpecker-agent.nix
@@ -19,9 +19,13 @@
       # Set via enviornmentFile:
       # WOODPECKER_AGENT_SECRET
     };
-    environmentFile = [ "/run/secrets/woodpecker_agent_secret_environment_file" ];
+    environmentFile = [ "/run/secrets/woodpecker_agent_environment_file" ];
   };
 
-  # Remainder defined in ../woodpecker-server/woodpecker-server.nix
-  sops.secrets."woodpecker_agent_secret_environment_file".restartUnits = [ "woodpecker-agent-podman.service" ];
+  sops.secrets."woodpecker_agent_environment_file" = {
+    mode = "0440";
+    owner = "root";
+    group = "root";
+    restartUnits = [ "woodpecker-agent-podman.service" ];
+  };
 }
diff --git a/config/hosts/woodpecker/woodpecker-server/woodpecker-server.nix b/config/hosts/woodpecker/woodpecker-server/woodpecker-server.nix
index baff752..464af13 100644
--- a/config/hosts/woodpecker/woodpecker-server/woodpecker-server.nix
+++ b/config/hosts/woodpecker/woodpecker-server/woodpecker-server.nix
@@ -27,12 +27,8 @@
       # Set via enviornmentFile:
       # WOODPECKER_FORGEJO_CLIENT
       # WOODPECKER_FORGEJO_SECRET
-      # WOODPECKER_AGENT_SECRET
     };
-    environmentFile = [
-      "/run/secrets/woodpecker_server_environment_file"
-      "/run/secrets/woodpecker_agent_secret_environment_file"
-    ];
+    environmentFile = [ "/run/secrets/woodpecker_server_environment_file" ];
   };
 
   systemd.services.woodpecker-server.serviceConfig = {
@@ -46,11 +42,4 @@
     group = "root";
     restartUnits = [ "woodpecker-server.service" ];
   };
-
-  sops.secrets."woodpecker_agent_secret_environment_file" = {
-    mode = "0440";
-    owner = "root";
-    group = "root";
-    restartUnits = [ "woodpecker-server.service" ];
-  };
 }

From be7f6e49170287aec581a9948442ad86bba38e92 Mon Sep 17 00:00:00 2001
From: June <june@jsts.xyz>
Date: Sat, 22 Jun 2024 17:11:11 +0200
Subject: [PATCH 069/170] Fix clone step failing, because git.hamburg.ccc.de
 could not be resolved

---
 config/hosts/woodpecker/woodpecker-agent/podman.nix | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/config/hosts/woodpecker/woodpecker-agent/podman.nix b/config/hosts/woodpecker/woodpecker-agent/podman.nix
index 08b0312..c76740b 100644
--- a/config/hosts/woodpecker/woodpecker-agent/podman.nix
+++ b/config/hosts/woodpecker/woodpecker-agent/podman.nix
@@ -10,4 +10,11 @@
     enable = true;
     defaultNetwork.settings.dns_enabled = true;
   };
+
+  networking.firewall.interfaces."podman0" = {
+    # allowedUDPPorts = [ 53 ] gets already set by virtualisation.podman.defaultNetwork.settings.dns_enabled, but set it here explicitly anyway.
+    allowedUDPPorts = [ 53 ];
+    # For git.hamburg.ccc.de to resolve in the clone step for example, allowedTCPPorts also needs to be set to allow DNS.
+    allowedTCPPorts = [ 53 ];
+  };
 }

From 026e47d05560655ec0aaad9c660461dad757e9ab Mon Sep 17 00:00:00 2001
From: June <june@jsts.xyz>
Date: Sat, 22 Jun 2024 18:06:39 +0200
Subject: [PATCH 070/170] Last commit didn't do, switching to Docker instead of
 podman does

---
 config/hosts/woodpecker/secrets.yaml          |  6 +++---
 .../woodpecker/woodpecker-agent/default.nix   |  2 +-
 .../woodpecker/woodpecker-agent/docker.nix    | 12 +++++++++++
 .../woodpecker/woodpecker-agent/podman.nix    | 20 -------------------
 .../woodpecker-agent/woodpecker-agent.nix     |  7 +++----
 5 files changed, 19 insertions(+), 28 deletions(-)
 create mode 100644 config/hosts/woodpecker/woodpecker-agent/docker.nix
 delete mode 100644 config/hosts/woodpecker/woodpecker-agent/podman.nix

diff --git a/config/hosts/woodpecker/secrets.yaml b/config/hosts/woodpecker/secrets.yaml
index 6b960a7..091ca2e 100644
--- a/config/hosts/woodpecker/secrets.yaml
+++ b/config/hosts/woodpecker/secrets.yaml
@@ -1,5 +1,5 @@
 woodpecker_server_environment_file: ENC[AES256_GCM,data:68Wu0UOHBAGZHSJ0x4wbeDLm626jpumv9w6A65FNKsmzYp6P4/c4g1MF1agQd7l9nKMTRrgyJyfoEZYFQRX6lYSmcsQLfn++uh1JpFoClT5p/5hBkiDq4owUFU+NGUiyl6yjYlEiaxLwC4ZdyISHeEYpbrvGyIXLsFgdrQ0rVX3cCRwIMxFcyCG6d3MZVoqAw1A=,iv:y/+X02aRPBOoR57P9s7y/SijvXVLuiBBfFYqeJLvQEU=,tag:DNwK+M6s3moglkMkrWccyA==,type:str]
-woodpecker_agent_environment_file: ENC[AES256_GCM,data:7K+Q59QM9ZIr/SE8VQ9jmshjVSeXGzk+h2T9oIDJASZrYppTFx2N68wsKyFm/Y1GDLY3QEELGXOCa7nSZcdMJTOJ9jj5u7HMw3e0CQGxMUGP,iv:vyDQO7uMxyHpK/cb739sktuAq3zv2MZ9xexAZHD0Of4=,tag:WzNn4iWGlO63aLeStsCdRA==,type:str]
+woodpecker_agent_environment_file: ENC[AES256_GCM,data:rwp6TYYFJ/IZH+3pGhPxjdZMLoyPMr/W1RXm4IkUGn+SmIjHZcdFZ8nEhvOfnkfrXNPc2MR+X6NXUmVOcBjSCbcBjh9sC653UpKimt9I3/Ec,iv:X9JH7dmTayw8BaEsXYil3PrykCdd+/ANGHVfEyRvc7A=,tag:/ErkX1WnruanNgTTBUT6LA==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -15,8 +15,8 @@ sops:
             UExiNFNCdkQ4YTNMdEdoWTdxOFZOZVEKZZbNpbyH31z5tyXeINqoNyqy8zvS3mp0
             YFq6P8kO8CaqUG7KH6yWV0Vq4DryQ9vMcQBnboZOfPf9pZUvhacE/Q==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-06-22T14:24:28Z"
-    mac: ENC[AES256_GCM,data:1MCBR0fU1wMwmTqLKi6ybFD5YX/yYFMO1JLUpB+ZB+PYH+lvYUwo7x52BNxDDETq+VtU13CJLIM0LleOWl0h0xP9vbMC/YMn+ffeWVBYC8mjqaKXYVyAW8ksXn+vDQ+ZP/RWGOJdaKIPLgIJiVF5hfkSo6smfH378cH72f5cmU4=,iv:BgKHSsElxULJ2EA+8/5w4J/hNLH2S+jNNRTXAl/96V4=,tag:z1HeWXA6Ryo0SacG9HARhw==,type:str]
+    lastmodified: "2024-06-22T15:55:25Z"
+    mac: ENC[AES256_GCM,data:UmDbmxSRj8YfCkKEelQNMJ8mzbu5aQdB9yOr9JfUh5TB9r5Z5ttZ1wgJDJqHNtsII3JGXUvbgHbsmbPikkrj4Ege1rrgr4UttN1rtgeaAKlZIlqb9pOnV4//GJL8jbxCgFp2h2O80G05nAXG54DaY//4Y5hfTyPzgyDlGQ6jlhg=,iv:5e8lpFfGAJh8lTFcY4MlZG7PgnzM0UycsU0tB2KN+zQ=,tag:4xUEHg04wjDbhc9MOItzuQ==,type:str]
     pgp:
         - created_at: "2024-06-21T22:42:59Z"
           enc: |-
diff --git a/config/hosts/woodpecker/woodpecker-agent/default.nix b/config/hosts/woodpecker/woodpecker-agent/default.nix
index 1b51267..279d2bb 100644
--- a/config/hosts/woodpecker/woodpecker-agent/default.nix
+++ b/config/hosts/woodpecker/woodpecker-agent/default.nix
@@ -2,7 +2,7 @@
 
 {
   imports = [
-    ./podman.nix
+    ./docker.nix
     ./woodpecker-agent.nix
   ];
 }
diff --git a/config/hosts/woodpecker/woodpecker-agent/docker.nix b/config/hosts/woodpecker/woodpecker-agent/docker.nix
new file mode 100644
index 0000000..af13f4c
--- /dev/null
+++ b/config/hosts/woodpecker/woodpecker-agent/docker.nix
@@ -0,0 +1,12 @@
+# Sources for this configuration:
+# - https://woodpecker-ci.org/docs/administration/deployment/nixos
+# - https://woodpecker-ci.org/docs/administration/backends/docker
+# - https://nixos.wiki/wiki/Docker
+
+{ config, pkgs, ... }:
+
+{
+  virtualisation.docker = {
+    enable = true;
+  };
+}
diff --git a/config/hosts/woodpecker/woodpecker-agent/podman.nix b/config/hosts/woodpecker/woodpecker-agent/podman.nix
deleted file mode 100644
index c76740b..0000000
--- a/config/hosts/woodpecker/woodpecker-agent/podman.nix
+++ /dev/null
@@ -1,20 +0,0 @@
-# Sources for this configuration:
-# - https://woodpecker-ci.org/docs/administration/deployment/nixos
-# - https://woodpecker-ci.org/docs/administration/backends/docker
-# - https://nixos.wiki/wiki/Podman
-
-{ config, pkgs, ... }:
-
-{
-  virtualisation.podman = {
-    enable = true;
-    defaultNetwork.settings.dns_enabled = true;
-  };
-
-  networking.firewall.interfaces."podman0" = {
-    # allowedUDPPorts = [ 53 ] gets already set by virtualisation.podman.defaultNetwork.settings.dns_enabled, but set it here explicitly anyway.
-    allowedUDPPorts = [ 53 ];
-    # For git.hamburg.ccc.de to resolve in the clone step for example, allowedTCPPorts also needs to be set to allow DNS.
-    allowedTCPPorts = [ 53 ];
-  };
-}
diff --git a/config/hosts/woodpecker/woodpecker-agent/woodpecker-agent.nix b/config/hosts/woodpecker/woodpecker-agent/woodpecker-agent.nix
index 7eac510..dc89021 100644
--- a/config/hosts/woodpecker/woodpecker-agent/woodpecker-agent.nix
+++ b/config/hosts/woodpecker/woodpecker-agent/woodpecker-agent.nix
@@ -6,16 +6,15 @@
 { config, pkgs, pkgs-unstable, ... }:
 
 {
-  services.woodpecker-agents.agents."podman" = {
+  services.woodpecker-agents.agents."docker" = {
     enable = true;
     # Since we use woodpecker-server from unstable, use the agent from unstable as well.
     package = pkgs-unstable.woodpecker-agent;
-    extraGroups = [ "podman" ];
+    extraGroups = [ "docker" ];
     environment = {
       WOODPECKER_SERVER = "localhost${config.services.woodpecker-server.environment.WOODPECKER_GRPC_ADDR}";
       WOODPECKER_MAX_WORKFLOWS = "4";
       WOODPECKER_BACKEND = "docker";
-      DOCKER_HOST = "unix:///run/podman/podman.sock";
       # Set via enviornmentFile:
       # WOODPECKER_AGENT_SECRET
     };
@@ -26,6 +25,6 @@
     mode = "0440";
     owner = "root";
     group = "root";
-    restartUnits = [ "woodpecker-agent-podman.service" ];
+    restartUnits = [ "woodpecker-agent-docker.service" ];
   };
 }

From 7058ec3582ddf80e97e98c281ba688c705e5ccf9 Mon Sep 17 00:00:00 2001
From: June <june@jsts.xyz>
Date: Sun, 30 Jun 2024 21:12:28 +0200
Subject: [PATCH 071/170] Make passwordless ssh for ptouch-print-server work
 again

Now (with NixOS 24.05) pam.services.sshd.allowNullPassword needs to be
set to true for passwordless ssh to work apparently.
---
 config/hosts/ptouch-print-server/printing.nix | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/config/hosts/ptouch-print-server/printing.nix b/config/hosts/ptouch-print-server/printing.nix
index 5964f56..23cacca 100644
--- a/config/hosts/ptouch-print-server/printing.nix
+++ b/config/hosts/ptouch-print-server/printing.nix
@@ -90,9 +90,7 @@ in
   # pam_deny.so # deny (order 12400)" for pam.d/sshd, so enable
   # PasswordAuthentication to have it not do that.
   services.openssh.settings.PasswordAuthentication = lib.mkForce true;
-  # The following doesn't need to be set in order for empty passwords to work
-  # apparently:
-  # security.pam.services.sshd.allowNullPassword = true;
+  security.pam.services.sshd.allowNullPassword = true;
   services.openssh.extraConfig = ''
     Match User print
       PubkeyAuthentication no

From 9f5669222230b67a150a6ad0144641a653239d03 Mon Sep 17 00:00:00 2001
From: June <june@jsts.xyz>
Date: Mon, 1 Jul 2024 15:31:10 +0200
Subject: [PATCH 072/170] flake.lock: Update
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Flake lock file updates:

• Updated input 'nixos-generators':
    'github:nix-community/nixos-generators/35c20ba421dfa5059e20e0ef2343c875372bdcf3?narHash=sha256-WZ1gdKq/9u1Ns/oXuNsDm%2BW0salonVA0VY1amw8urJ4%3D' (2024-06-10)
  → 'github:nix-community/nixos-generators/f7a029d41e49ff0747888105e1ed4314dca8436f?narHash=sha256-8lsuMR3rnX4yUPPjz04opgb30Z47sCgZu4TIszWBW9A%3D' (2024-07-01)
• Updated input 'nixos-generators/nixlib':
    'github:nix-community/nixpkgs.lib/3c62b6a12571c9a7f65ab037173ee153d539905f?narHash=sha256-K6IkdtMtq9xktmYPj0uaYc8NsIqHuaAoRBaMgu9Fvrw%3D' (2024-04-07)
  → 'github:nix-community/nixpkgs.lib/1bba8a624b3b9d4f68db94fb63aaeb46039ce9e6?narHash=sha256-XFNKtyirrGNdehpg7lMNm1skEcBApjqGhaHc/OI95HY%3D' (2024-06-30)
• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/201ed88e66f7f34d5c74e46d2e4399cc4bea1501?narHash=sha256-3vNXv4zrblZFobrxz1P3RwLpHl6X3/GzfArdTxq0%2BnI%3D' (2024-06-21)
  → 'github:nixos/nixpkgs/10c832d0548e9e3a6df7eb51e68c2783212a303e?narHash=sha256-2ASBatUTQWNIiTeBZRuxROu27MyOavVnzeCv7h40QNw%3D' (2024-07-01)
• Updated input 'nixpkgs-unstable':
    'github:nixos/nixpkgs/1c0bec249943cd3e03f876554b8af7d1e32a09e1?narHash=sha256-uIZlOpCIi/GZ3xrkA87CAHqbTvsTbVQV1JjnP33slxs%3D' (2024-06-21)
  → 'github:nixos/nixpkgs/7f993cdf26ccef564eabf31fdb40d140821e12bc?narHash=sha256-pY0wosAgcr9W4vmGML0T3BVhQiGuKoozCbs2t%2BJe1zc%3D' (2024-07-01)
• Updated input 'sops-nix':
    'github:Mic92/sops-nix/797ce4c1f45a85df6dd3d9abdc53f2691bea9251?narHash=sha256-Pm9I/BMQHbsucdWf6y9G3xBZh3TMlThGo4KBbeoeczg%3D' (2024-06-16)
  → 'github:Mic92/sops-nix/b5974d4331fb6c893e808977a2e1a6d34b3162d6?narHash=sha256-KA9gy2Wkv76s4A8eLnOcdKVTygewbw3xsB8%2BawNMyqs%3D' (2024-06-30)
• Updated input 'sops-nix/nixpkgs-stable':
    'github:NixOS/nixpkgs/c884223af91820615a6146af1ae1fea25c107005?narHash=sha256-v43N1gZLcGkhg3PdcrKUNIZ1L0FBzB2JqhIYEyKAHEs%3D' (2024-06-15)
  → 'github:NixOS/nixpkgs/4a1e673523344f6ccc84b37f4413ad74ea19a119?narHash=sha256-tXlrgAQygNIy49LDVFuPXlWD2zTQV9/F8pfoqwwPJyo%3D' (2024-06-29)
---
 flake.lock | 36 ++++++++++++++++++------------------
 1 file changed, 18 insertions(+), 18 deletions(-)

diff --git a/flake.lock b/flake.lock
index a0b58e2..338fbe6 100644
--- a/flake.lock
+++ b/flake.lock
@@ -2,11 +2,11 @@
   "nodes": {
     "nixlib": {
       "locked": {
-        "lastModified": 1712450863,
-        "narHash": "sha256-K6IkdtMtq9xktmYPj0uaYc8NsIqHuaAoRBaMgu9Fvrw=",
+        "lastModified": 1719708727,
+        "narHash": "sha256-XFNKtyirrGNdehpg7lMNm1skEcBApjqGhaHc/OI95HY=",
         "owner": "nix-community",
         "repo": "nixpkgs.lib",
-        "rev": "3c62b6a12571c9a7f65ab037173ee153d539905f",
+        "rev": "1bba8a624b3b9d4f68db94fb63aaeb46039ce9e6",
         "type": "github"
       },
       "original": {
@@ -23,11 +23,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1718025593,
-        "narHash": "sha256-WZ1gdKq/9u1Ns/oXuNsDm+W0salonVA0VY1amw8urJ4=",
+        "lastModified": 1719796208,
+        "narHash": "sha256-8lsuMR3rnX4yUPPjz04opgb30Z47sCgZu4TIszWBW9A=",
         "owner": "nix-community",
         "repo": "nixos-generators",
-        "rev": "35c20ba421dfa5059e20e0ef2343c875372bdcf3",
+        "rev": "f7a029d41e49ff0747888105e1ed4314dca8436f",
         "type": "github"
       },
       "original": {
@@ -38,11 +38,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1718955215,
-        "narHash": "sha256-3vNXv4zrblZFobrxz1P3RwLpHl6X3/GzfArdTxq0+nI=",
+        "lastModified": 1719825363,
+        "narHash": "sha256-2ASBatUTQWNIiTeBZRuxROu27MyOavVnzeCv7h40QNw=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "201ed88e66f7f34d5c74e46d2e4399cc4bea1501",
+        "rev": "10c832d0548e9e3a6df7eb51e68c2783212a303e",
         "type": "github"
       },
       "original": {
@@ -54,11 +54,11 @@
     },
     "nixpkgs-stable": {
       "locked": {
-        "lastModified": 1718478900,
-        "narHash": "sha256-v43N1gZLcGkhg3PdcrKUNIZ1L0FBzB2JqhIYEyKAHEs=",
+        "lastModified": 1719663039,
+        "narHash": "sha256-tXlrgAQygNIy49LDVFuPXlWD2zTQV9/F8pfoqwwPJyo=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "c884223af91820615a6146af1ae1fea25c107005",
+        "rev": "4a1e673523344f6ccc84b37f4413ad74ea19a119",
         "type": "github"
       },
       "original": {
@@ -70,11 +70,11 @@
     },
     "nixpkgs-unstable": {
       "locked": {
-        "lastModified": 1718954653,
-        "narHash": "sha256-uIZlOpCIi/GZ3xrkA87CAHqbTvsTbVQV1JjnP33slxs=",
+        "lastModified": 1719824438,
+        "narHash": "sha256-pY0wosAgcr9W4vmGML0T3BVhQiGuKoozCbs2t+Je1zc=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "1c0bec249943cd3e03f876554b8af7d1e32a09e1",
+        "rev": "7f993cdf26ccef564eabf31fdb40d140821e12bc",
         "type": "github"
       },
       "original": {
@@ -100,11 +100,11 @@
         "nixpkgs-stable": "nixpkgs-stable"
       },
       "locked": {
-        "lastModified": 1718506969,
-        "narHash": "sha256-Pm9I/BMQHbsucdWf6y9G3xBZh3TMlThGo4KBbeoeczg=",
+        "lastModified": 1719716556,
+        "narHash": "sha256-KA9gy2Wkv76s4A8eLnOcdKVTygewbw3xsB8+awNMyqs=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "797ce4c1f45a85df6dd3d9abdc53f2691bea9251",
+        "rev": "b5974d4331fb6c893e808977a2e1a6d34b3162d6",
         "type": "github"
       },
       "original": {

From 1185f9bb41a7acc77f7a71b1ef8f5e7209a45b73 Mon Sep 17 00:00:00 2001
From: June <june@jsts.xyz>
Date: Mon, 15 Jul 2024 02:15:32 +0200
Subject: [PATCH 073/170] flake.lock: Update
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Flake lock file updates:

• Updated input 'nixos-generators':
    'github:nix-community/nixos-generators/f7a029d41e49ff0747888105e1ed4314dca8436f?narHash=sha256-8lsuMR3rnX4yUPPjz04opgb30Z47sCgZu4TIszWBW9A%3D' (2024-07-01)
  → 'github:nix-community/nixos-generators/076ea5b672bb1ea535ee84cfdabd0c2f0b7f20c7?narHash=sha256-i8BiZj5faQS6gsupE0S9xtiyZmWinGpVLwxXWV342aQ%3D' (2024-07-13)
• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/10c832d0548e9e3a6df7eb51e68c2783212a303e?narHash=sha256-2ASBatUTQWNIiTeBZRuxROu27MyOavVnzeCv7h40QNw%3D' (2024-07-01)
  → 'github:nixos/nixpkgs/74348da2f3a312ee25cea09b98cdba4cb9fa5d5d?narHash=sha256-6vuViC56%2BKSr%2B945bCV8akHK%2B7J5k6n/epYg/W3I5eQ%3D' (2024-07-14)
• Updated input 'nixpkgs-unstable':
    'github:nixos/nixpkgs/7f993cdf26ccef564eabf31fdb40d140821e12bc?narHash=sha256-pY0wosAgcr9W4vmGML0T3BVhQiGuKoozCbs2t%2BJe1zc%3D' (2024-07-01)
  → 'github:nixos/nixpkgs/0af9d835c27984b3265145f8e3cbc6c153479196?narHash=sha256-if0qaFmAe8X01NsVRK5e9Asg9mEWVkHrA9WuqM5jB70%3D' (2024-07-14)
• Updated input 'sops-nix':
    'github:Mic92/sops-nix/b5974d4331fb6c893e808977a2e1a6d34b3162d6?narHash=sha256-KA9gy2Wkv76s4A8eLnOcdKVTygewbw3xsB8%2BawNMyqs%3D' (2024-06-30)
  → 'github:Mic92/sops-nix/0703ba03fd9c1665f8ab68cc3487302475164617?narHash=sha256-eTpnrT6yu1vp8C0B5fxHXhgKxHoYMoYTEikQx///jxY%3D' (2024-07-14)
• Updated input 'sops-nix/nixpkgs-stable':
    'github:NixOS/nixpkgs/4a1e673523344f6ccc84b37f4413ad74ea19a119?narHash=sha256-tXlrgAQygNIy49LDVFuPXlWD2zTQV9/F8pfoqwwPJyo%3D' (2024-06-29)
  → 'github:NixOS/nixpkgs/74348da2f3a312ee25cea09b98cdba4cb9fa5d5d?narHash=sha256-6vuViC56%2BKSr%2B945bCV8akHK%2B7J5k6n/epYg/W3I5eQ%3D' (2024-07-14)
---
 flake.lock | 32 ++++++++++++++++----------------
 1 file changed, 16 insertions(+), 16 deletions(-)

diff --git a/flake.lock b/flake.lock
index 338fbe6..f34afb0 100644
--- a/flake.lock
+++ b/flake.lock
@@ -23,11 +23,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1719796208,
-        "narHash": "sha256-8lsuMR3rnX4yUPPjz04opgb30Z47sCgZu4TIszWBW9A=",
+        "lastModified": 1720859326,
+        "narHash": "sha256-i8BiZj5faQS6gsupE0S9xtiyZmWinGpVLwxXWV342aQ=",
         "owner": "nix-community",
         "repo": "nixos-generators",
-        "rev": "f7a029d41e49ff0747888105e1ed4314dca8436f",
+        "rev": "076ea5b672bb1ea535ee84cfdabd0c2f0b7f20c7",
         "type": "github"
       },
       "original": {
@@ -38,11 +38,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1719825363,
-        "narHash": "sha256-2ASBatUTQWNIiTeBZRuxROu27MyOavVnzeCv7h40QNw=",
+        "lastModified": 1720915306,
+        "narHash": "sha256-6vuViC56+KSr+945bCV8akHK+7J5k6n/epYg/W3I5eQ=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "10c832d0548e9e3a6df7eb51e68c2783212a303e",
+        "rev": "74348da2f3a312ee25cea09b98cdba4cb9fa5d5d",
         "type": "github"
       },
       "original": {
@@ -54,27 +54,27 @@
     },
     "nixpkgs-stable": {
       "locked": {
-        "lastModified": 1719663039,
-        "narHash": "sha256-tXlrgAQygNIy49LDVFuPXlWD2zTQV9/F8pfoqwwPJyo=",
+        "lastModified": 1720915306,
+        "narHash": "sha256-6vuViC56+KSr+945bCV8akHK+7J5k6n/epYg/W3I5eQ=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "4a1e673523344f6ccc84b37f4413ad74ea19a119",
+        "rev": "74348da2f3a312ee25cea09b98cdba4cb9fa5d5d",
         "type": "github"
       },
       "original": {
         "owner": "NixOS",
-        "ref": "release-23.11",
+        "ref": "release-24.05",
         "repo": "nixpkgs",
         "type": "github"
       }
     },
     "nixpkgs-unstable": {
       "locked": {
-        "lastModified": 1719824438,
-        "narHash": "sha256-pY0wosAgcr9W4vmGML0T3BVhQiGuKoozCbs2t+Je1zc=",
+        "lastModified": 1720977633,
+        "narHash": "sha256-if0qaFmAe8X01NsVRK5e9Asg9mEWVkHrA9WuqM5jB70=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "7f993cdf26ccef564eabf31fdb40d140821e12bc",
+        "rev": "0af9d835c27984b3265145f8e3cbc6c153479196",
         "type": "github"
       },
       "original": {
@@ -100,11 +100,11 @@
         "nixpkgs-stable": "nixpkgs-stable"
       },
       "locked": {
-        "lastModified": 1719716556,
-        "narHash": "sha256-KA9gy2Wkv76s4A8eLnOcdKVTygewbw3xsB8+awNMyqs=",
+        "lastModified": 1720926522,
+        "narHash": "sha256-eTpnrT6yu1vp8C0B5fxHXhgKxHoYMoYTEikQx///jxY=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "b5974d4331fb6c893e808977a2e1a6d34b3162d6",
+        "rev": "0703ba03fd9c1665f8ab68cc3487302475164617",
         "type": "github"
       },
       "original": {

From a271fddff8826d06663b7c94d218e73ca64379ce Mon Sep 17 00:00:00 2001
From: June <june@jsts.xyz>
Date: Mon, 15 Jul 2024 02:44:37 +0200
Subject: [PATCH 074/170] Switch from deprecated extraConfig to settings for
 phpfpm.pools.dokuwiki

---
 config/hosts/eh22-wiki/dokuwiki.nix | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/config/hosts/eh22-wiki/dokuwiki.nix b/config/hosts/eh22-wiki/dokuwiki.nix
index 133e39a..c0eafaa 100644
--- a/config/hosts/eh22-wiki/dokuwiki.nix
+++ b/config/hosts/eh22-wiki/dokuwiki.nix
@@ -57,16 +57,16 @@ in {
       ; Checked with NixOS 23.11 on 2024-05-02.
       extension = ${pkgs.phpExtensions.bz2}/lib/php/extensions/bz2.so
     '';
-    extraConfig = ''
-      listen.owner = ${config.services.nginx.user};
-      listen.group = ${config.services.nginx.group};
-      pm = dynamic
-      pm.max_children = 32
-      pm.start_servers = 2
-      pm.min_spare_servers = 2
-      pm.max_spare_servers = 4
-      pm.max_requests = 500
-    '';
+    settings = {
+      "listen.owner" = "${config.services.nginx.user}";
+      "listen.group" = "${config.services.nginx.group}";
+      "pm" = "dynamic";
+      "pm.max_children" = 32;
+      "pm.start_servers" = 2;
+      "pm.min_spare_servers" = 2;
+      "pm.max_spare_servers" = 4;
+      "pm.max_requests" = 500;
+    };
   };
 
   services.nginx = {

From 59b540c9e314720115986b7fdc2fe6c2298e5fee Mon Sep 17 00:00:00 2001
From: c6ristian <c6ristian@christian.moe>
Date: Sun, 21 Jul 2024 23:03:44 +0200
Subject: [PATCH 075/170] flake.lock: Update
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Flake lock file updates:

• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/74348da2f3a312ee25cea09b98cdba4cb9fa5d5d?narHash=sha256-6vuViC56%2BKSr%2B945bCV8akHK%2B7J5k6n/epYg/W3I5eQ%3D' (2024-07-14)
  → 'github:nixos/nixpkgs/556533a23879fc7e5f98dd2e0b31a6911a213171?narHash=sha256-5NctRsoE54N86nWd0psae70YSLfrOek3Kv1e8KoXe/0%3D' (2024-07-21)
• Updated input 'nixpkgs-unstable':
    'github:nixos/nixpkgs/0af9d835c27984b3265145f8e3cbc6c153479196?narHash=sha256-if0qaFmAe8X01NsVRK5e9Asg9mEWVkHrA9WuqM5jB70%3D' (2024-07-14)
  → 'github:nixos/nixpkgs/4cc8b29327bed3d52b40041f810f49734298af46?narHash=sha256-jfF4gpRUpTBY2OxDB0FRySsgNGOiuDckEtu7YDQom3Y%3D' (2024-07-21)
• Updated input 'sops-nix':
    'github:Mic92/sops-nix/0703ba03fd9c1665f8ab68cc3487302475164617?narHash=sha256-eTpnrT6yu1vp8C0B5fxHXhgKxHoYMoYTEikQx///jxY%3D' (2024-07-14)
  → 'github:Mic92/sops-nix/909e8cfb60d83321d85c8d17209d733658a21c95?narHash=sha256-AsvPw7T0tBLb53xZGcUC3YPqlIpdxoSx56u8vPCr6gU%3D' (2024-07-21)
• Updated input 'sops-nix/nixpkgs-stable':
    'github:NixOS/nixpkgs/74348da2f3a312ee25cea09b98cdba4cb9fa5d5d?narHash=sha256-6vuViC56%2BKSr%2B945bCV8akHK%2B7J5k6n/epYg/W3I5eQ%3D' (2024-07-14)
  → 'github:NixOS/nixpkgs/556533a23879fc7e5f98dd2e0b31a6911a213171?narHash=sha256-5NctRsoE54N86nWd0psae70YSLfrOek3Kv1e8KoXe/0%3D' (2024-07-21)
---
 flake.lock | 24 ++++++++++++------------
 1 file changed, 12 insertions(+), 12 deletions(-)

diff --git a/flake.lock b/flake.lock
index f34afb0..8c5f72b 100644
--- a/flake.lock
+++ b/flake.lock
@@ -38,11 +38,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1720915306,
-        "narHash": "sha256-6vuViC56+KSr+945bCV8akHK+7J5k6n/epYg/W3I5eQ=",
+        "lastModified": 1721524707,
+        "narHash": "sha256-5NctRsoE54N86nWd0psae70YSLfrOek3Kv1e8KoXe/0=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "74348da2f3a312ee25cea09b98cdba4cb9fa5d5d",
+        "rev": "556533a23879fc7e5f98dd2e0b31a6911a213171",
         "type": "github"
       },
       "original": {
@@ -54,11 +54,11 @@
     },
     "nixpkgs-stable": {
       "locked": {
-        "lastModified": 1720915306,
-        "narHash": "sha256-6vuViC56+KSr+945bCV8akHK+7J5k6n/epYg/W3I5eQ=",
+        "lastModified": 1721524707,
+        "narHash": "sha256-5NctRsoE54N86nWd0psae70YSLfrOek3Kv1e8KoXe/0=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "74348da2f3a312ee25cea09b98cdba4cb9fa5d5d",
+        "rev": "556533a23879fc7e5f98dd2e0b31a6911a213171",
         "type": "github"
       },
       "original": {
@@ -70,11 +70,11 @@
     },
     "nixpkgs-unstable": {
       "locked": {
-        "lastModified": 1720977633,
-        "narHash": "sha256-if0qaFmAe8X01NsVRK5e9Asg9mEWVkHrA9WuqM5jB70=",
+        "lastModified": 1721571961,
+        "narHash": "sha256-jfF4gpRUpTBY2OxDB0FRySsgNGOiuDckEtu7YDQom3Y=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "0af9d835c27984b3265145f8e3cbc6c153479196",
+        "rev": "4cc8b29327bed3d52b40041f810f49734298af46",
         "type": "github"
       },
       "original": {
@@ -100,11 +100,11 @@
         "nixpkgs-stable": "nixpkgs-stable"
       },
       "locked": {
-        "lastModified": 1720926522,
-        "narHash": "sha256-eTpnrT6yu1vp8C0B5fxHXhgKxHoYMoYTEikQx///jxY=",
+        "lastModified": 1721531171,
+        "narHash": "sha256-AsvPw7T0tBLb53xZGcUC3YPqlIpdxoSx56u8vPCr6gU=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "0703ba03fd9c1665f8ab68cc3487302475164617",
+        "rev": "909e8cfb60d83321d85c8d17209d733658a21c95",
         "type": "github"
       },
       "original": {

From a2102b064f508d8ac57a52030c8b51f8605e3619 Mon Sep 17 00:00:00 2001
From: June <june@jsts.xyz>
Date: Sat, 27 Jul 2024 21:05:58 +0200
Subject: [PATCH 076/170] Fix container registry image uploads for git server

Do this by disabling checking of client request body size.
---
 config/hosts/git/nginx.nix | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/config/hosts/git/nginx.nix b/config/hosts/git/nginx.nix
index 1dd0aad..ea1a2ac 100644
--- a/config/hosts/git/nginx.nix
+++ b/config/hosts/git/nginx.nix
@@ -34,6 +34,10 @@
         return = "200 \"User-agent: *\\nDisallow: /*/*/archive/\\n\"";
       };
     };
+
+    # Disable checking of client request body size to make container registry
+    # image uploads work.
+    clientMaxBodySize = "0";
   };
 
   networking.firewall.allowedTCPPorts = [ 80 443 ];

From e88982d7c7e8769573192adacd6174a0be575c33 Mon Sep 17 00:00:00 2001
From: June <june@jsts.xyz>
Date: Sat, 27 Jul 2024 22:24:54 +0200
Subject: [PATCH 077/170] Give esphome a static v6 and get cert directly via
 chal. served over v6

Give the host a static v4 as well.
Also let the nginx redirect from the hosts FQDN to the service domain.
---
 config/hosts/esphome/default.nix    |  1 +
 config/hosts/esphome/networking.nix | 30 ++++++++++++++++
 config/hosts/esphome/nginx.nix      | 56 +++++++++++++++++++++--------
 3 files changed, 73 insertions(+), 14 deletions(-)
 create mode 100644 config/hosts/esphome/networking.nix

diff --git a/config/hosts/esphome/default.nix b/config/hosts/esphome/default.nix
index cfe47bc..8d5150d 100644
--- a/config/hosts/esphome/default.nix
+++ b/config/hosts/esphome/default.nix
@@ -3,6 +3,7 @@
   imports = [
     ./configuration.nix
     ./esphome.nix
+    ./networking.nix
     ./nginx.nix
   ];
 }
diff --git a/config/hosts/esphome/networking.nix b/config/hosts/esphome/networking.nix
new file mode 100644
index 0000000..6f65f93
--- /dev/null
+++ b/config/hosts/esphome/networking.nix
@@ -0,0 +1,30 @@
+{ ... }:
+
+{
+  networking.interfaces.net0 = {
+    ipv4.addresses = [
+      {
+        address = "10.31.208.24";
+        prefixLength = 23;
+      }
+    ];
+  };
+  networking.defaultGateway = "10.31.208.1";
+  networking.nameservers = [ "10.31.208.1" ];
+  networking.search = [ "z9.ccchh.net" ];
+
+  networking.interfaces.net0 = {
+    ipv6.addresses = [
+      {
+        address = "2a07:c480:0:1d0::66";
+        prefixLength = 64;
+      }
+    ];
+  };
+  networking.defaultGateway6 = "2a07:c480:0:1d0::1";
+
+  systemd.network.links."10-net0" = {
+    matchConfig.MACAddress = "7E:3C:F0:77:8A:F4";
+    linkConfig.Name = "net0";
+  };
+}
diff --git a/config/hosts/esphome/nginx.nix b/config/hosts/esphome/nginx.nix
index 3c5cfb9..2b154f0 100644
--- a/config/hosts/esphome/nginx.nix
+++ b/config/hosts/esphome/nginx.nix
@@ -1,35 +1,34 @@
 { config, ... }:
+
 {
   services.nginx = {
     enable = true;
 
     virtualHosts = {
-      "acme-esphome.ccchh.net" = {
-        enableACME = true;
-        serverName = "esphome.ccchh.net";
-
-        listen = [
-          {
-            addr = "0.0.0.0";
-            port = 31820;
-          }
-        ];
-      };
-
       "esphome.ccchh.net" = {
         forceSSL = true;
-        useACMEHost = "esphome.ccchh.net";
+        enableACME = true;
+        serverName = "esphome.ccchh.net";
 
         listen = [
           {
             addr = "0.0.0.0";
             port = 80;
           }
+          {
+            addr = "[::]";
+            port = 80;
+          }
           {
             addr = "0.0.0.0";
             port = 443;
             ssl = true;
           }
+          {
+            addr = "[::]";
+            port = 443;
+            ssl = true;
+          }
         ];
 
         locations."/" = {
@@ -37,9 +36,38 @@
           proxyWebsockets = true;
         };
       };
+      "esphome.z9.ccchh.net" = {
+        forceSSL = true;
+        useACMEHost = "esphome.ccchh.net";
+        serverName = "esphome.z9.ccchh.net";
 
+        listen = [
+          {
+            addr = "0.0.0.0";
+            port = 80;
+          }
+          {
+            addr = "[::]";
+            port = 80;
+          }
+          {
+            addr = "0.0.0.0";
+            port = 443;
+            ssl = true;
+          }
+          {
+            addr = "[::]";
+            port = 443;
+            ssl = true;
+          }
+        ];
+
+        globalRedirect = "esphome.ccchh.net";
+        redirectCode = 307;
+      };
     };
   };
+  security.acme.certs."esphome.ccchh.net".extraDomainNames = [ "esphome.z9.ccchh.net" ];
 
-  networking.firewall.allowedTCPPorts = [ 80 443 31820 ];
+  networking.firewall.allowedTCPPorts = [ 80 443 ];
 }

From b30015fee1bd29a158fa777d13f21d4ac03d8de0 Mon Sep 17 00:00:00 2001
From: June <june@jsts.xyz>
Date: Tue, 30 Jul 2024 01:17:05 +0200
Subject: [PATCH 078/170] Clean up networking configs by making them all use
 the same layout

Also use the v6 gateway as a nameserver as well for the esphome host.
---
 .../audio-hauptraum-kueche/networking.nix     |  7 ++--
 .../audio-hauptraum-tafel/networking.nix      |  7 ++--
 config/hosts/eh22-wiki/networking.nix         | 25 ++++++------
 config/hosts/esphome/networking.nix           | 39 +++++++++----------
 .../forgejo-actions-runner/networking.nix     | 24 ++++++------
 config/hosts/git/networking.nix               | 39 +++++++++----------
 config/hosts/matrix/networking.nix            | 22 ++++++-----
 config/hosts/mjolnir/networking.nix           | 22 ++++++-----
 config/hosts/mqtt/networking.nix              | 33 ++++++++--------
 config/hosts/netbox/networking.nix            | 30 +++++++-------
 config/hosts/nix-box-june/networking.nix      | 26 ++++++-------
 .../hosts/ptouch-print-server/networking.nix  |  4 +-
 config/hosts/public-web-static/networking.nix | 22 ++++++-----
 config/hosts/woodpecker/networking.nix        | 25 ++++++------
 config/hosts/yate/networking.nix              |  2 +-
 15 files changed, 162 insertions(+), 165 deletions(-)

diff --git a/config/hosts/audio-hauptraum-kueche/networking.nix b/config/hosts/audio-hauptraum-kueche/networking.nix
index ee01d0b..0118db4 100644
--- a/config/hosts/audio-hauptraum-kueche/networking.nix
+++ b/config/hosts/audio-hauptraum-kueche/networking.nix
@@ -1,4 +1,4 @@
-{ config, pkgs, ... }:
+{ ... }:
 
 {
   networking = {
@@ -11,10 +11,9 @@
       ];
     };
     defaultGateway = "10.31.210.1";
-    nameservers = [
-      "10.31.210.1"
-    ];
+    nameservers = [ "10.31.210.1" ];
   };
+
   systemd.network.links."10-net0" = {
     matchConfig.MACAddress = "1E:EF:2D:92:81:DA";
     linkConfig.Name = "net0";
diff --git a/config/hosts/audio-hauptraum-tafel/networking.nix b/config/hosts/audio-hauptraum-tafel/networking.nix
index 6052909..37185b7 100644
--- a/config/hosts/audio-hauptraum-tafel/networking.nix
+++ b/config/hosts/audio-hauptraum-tafel/networking.nix
@@ -1,4 +1,4 @@
-{ config, pkgs, ... }:
+{ ... }:
 
 {
   networking = {
@@ -11,10 +11,9 @@
       ];
     };
     defaultGateway = "10.31.210.1";
-    nameservers = [
-      "10.31.210.1"
-    ];
+    nameservers = [ "10.31.210.1" ];
   };
+
   systemd.network.links."10-net0" = {
     matchConfig.MACAddress = "D2:10:33:B1:72:C3";
     linkConfig.Name = "net0";
diff --git a/config/hosts/eh22-wiki/networking.nix b/config/hosts/eh22-wiki/networking.nix
index bddeabf..fba2da9 100644
--- a/config/hosts/eh22-wiki/networking.nix
+++ b/config/hosts/eh22-wiki/networking.nix
@@ -1,20 +1,19 @@
-# Sources for this configuration:
-# - https://nixos.wiki/wiki/Networking
-
 { ... }:
 
 {
-  networking.interfaces.net0 = {
-    ipv4.addresses = [
-      {
-        address = "172.31.17.159";
-        prefixLength = 25;
-      }
-    ];
+  networking = {
+    interfaces.net0 = {
+      ipv4.addresses = [
+        {
+          address = "172.31.17.159";
+          prefixLength = 25;
+        }
+      ];
+    };
+    defaultGateway = "172.31.17.129";
+    nameservers = [ "212.12.50.158" "192.76.134.90" ];
+    search = [ "hamburg.ccc.de" ];
   };
-  networking.defaultGateway = "172.31.17.129";
-  networking.nameservers = [ "212.12.50.158" "192.76.134.90" ];
-  networking.search = [ "hamburg.ccc.de" ];
 
   systemd.network.links."10-net0" = {
     matchConfig.MACAddress = "BC:24:11:37:F0:AB";
diff --git a/config/hosts/esphome/networking.nix b/config/hosts/esphome/networking.nix
index 6f65f93..a2c64d3 100644
--- a/config/hosts/esphome/networking.nix
+++ b/config/hosts/esphome/networking.nix
@@ -1,27 +1,26 @@
 { ... }:
 
 {
-  networking.interfaces.net0 = {
-    ipv4.addresses = [
-      {
-        address = "10.31.208.24";
-        prefixLength = 23;
-      }
-    ];
+  networking = {
+    interfaces.net0 = {
+      ipv4.addresses = [
+        {
+          address = "10.31.208.24";
+          prefixLength = 23;
+        }
+      ];
+      ipv6.addresses = [
+        {
+          address = "2a07:c480:0:1d0::66";
+          prefixLength = 64;
+        }
+      ];
+    };
+    defaultGateway = "10.31.208.1";
+    defaultGateway6 = "2a07:c480:0:1d0::1";
+    nameservers = [ "10.31.208.1" "2a07:c480:0:1d0::1" ];
+    search = [ "z9.ccchh.net" ];
   };
-  networking.defaultGateway = "10.31.208.1";
-  networking.nameservers = [ "10.31.208.1" ];
-  networking.search = [ "z9.ccchh.net" ];
-
-  networking.interfaces.net0 = {
-    ipv6.addresses = [
-      {
-        address = "2a07:c480:0:1d0::66";
-        prefixLength = 64;
-      }
-    ];
-  };
-  networking.defaultGateway6 = "2a07:c480:0:1d0::1";
 
   systemd.network.links."10-net0" = {
     matchConfig.MACAddress = "7E:3C:F0:77:8A:F4";
diff --git a/config/hosts/forgejo-actions-runner/networking.nix b/config/hosts/forgejo-actions-runner/networking.nix
index 7c5e178..8990224 100644
--- a/config/hosts/forgejo-actions-runner/networking.nix
+++ b/config/hosts/forgejo-actions-runner/networking.nix
@@ -1,17 +1,19 @@
-{ config, pkgs, ... }:
+{ ... }:
 
 {
-  networking.interfaces.net0 = {
-    ipv4.addresses = [
-      {
-        address = "172.31.17.155";
-        prefixLength = 25;
-      }
-    ];
+  networking = {
+    interfaces.net0 = {
+      ipv4.addresses = [
+        {
+          address = "172.31.17.155";
+          prefixLength = 25;
+        }
+      ];
+    };
+    defaultGateway = "172.31.17.129";
+    nameservers = [ "212.12.50.158" "192.76.134.90" ];
+    search = [ "hamburg.ccc.de" ];
   };
-  networking.defaultGateway = "172.31.17.129";
-  networking.nameservers = [ "212.12.50.158" "192.76.134.90" ];
-  networking.search = [ "hamburg.ccc.de" ];
 
   systemd.network.links."10-net0" = {
     matchConfig.MACAddress = "1E:E0:4E:D0:DA:BE";
diff --git a/config/hosts/git/networking.nix b/config/hosts/git/networking.nix
index b73b953..688fff3 100644
--- a/config/hosts/git/networking.nix
+++ b/config/hosts/git/networking.nix
@@ -4,27 +4,26 @@
 { ... }:
 
 {
-  networking.interfaces.net0 = {
-    ipv4.addresses = [
-      {
-        address = "212.12.51.136";
-        prefixLength = 28;
-      }
-    ];
+  networking = {
+    interfaces.net0 = {
+      ipv4.addresses = [
+        {
+          address = "212.12.51.136";
+          prefixLength = 28;
+        }
+      ];
+      ipv6.addresses = [
+        {
+          address = "2a00:14b0:f000:23:51:136::1";
+          prefixLength = 64;
+        }
+      ];
+    };
+    defaultGateway = "212.12.51.129";
+    defaultGateway6 = "2a00:14b0:f000:23::1";
+    nameservers = [ "212.12.50.158" "192.76.134.90" ];
+    search = [ "hamburg.ccc.de" ];
   };
-  networking.defaultGateway = "212.12.51.129";
-  networking.nameservers = [ "212.12.50.158" "192.76.134.90" ];
-  networking.search = [ "hamburg.ccc.de" ];
-
-  networking.interfaces.net0 = {
-    ipv6.addresses = [
-      {
-        address = "2a00:14b0:f000:23:51:136::1";
-        prefixLength = 64;
-      }
-    ];
-  };
-  networking.defaultGateway6 = "2a00:14b0:f000:23::1";
 
   systemd.network.links."10-net0" = {
     matchConfig.MACAddress = "92:7B:E6:12:A4:FA";
diff --git a/config/hosts/matrix/networking.nix b/config/hosts/matrix/networking.nix
index 370bbbd..5fa1aa1 100644
--- a/config/hosts/matrix/networking.nix
+++ b/config/hosts/matrix/networking.nix
@@ -1,17 +1,19 @@
 { ... }:
 
 {
-  networking.interfaces.net0 = {
-    ipv4.addresses = [
-      {
-        address = "172.31.17.150";
-        prefixLength = 25;
-      }
-    ];
+  networking = {
+    interfaces.net0 = {
+      ipv4.addresses = [
+        {
+          address = "172.31.17.150";
+          prefixLength = 25;
+        }
+      ];
+    };
+    defaultGateway = "172.31.17.129";
+    nameservers = [ "212.12.50.158" "192.76.134.90" ];
+    search = [ "hamburg.ccc.de" ];
   };
-  networking.defaultGateway = "172.31.17.129";
-  networking.nameservers = [ "212.12.50.158" "192.76.134.90" ];
-  networking.search = [ "hamburg.ccc.de" ];
 
   systemd.network.links."10-net0" = {
     matchConfig.MACAddress = "2A:A5:80:C3:8E:32";
diff --git a/config/hosts/mjolnir/networking.nix b/config/hosts/mjolnir/networking.nix
index 04559f7..a441814 100644
--- a/config/hosts/mjolnir/networking.nix
+++ b/config/hosts/mjolnir/networking.nix
@@ -1,17 +1,19 @@
 { ... }:
 
 {
-  networking.interfaces.net0 = {
-    ipv4.addresses = [
-      {
-        address = "172.31.17.161";
-        prefixLength = 25;
-      }
-    ];
+  networking = {
+    interfaces.net0 = {
+      ipv4.addresses = [
+        {
+          address = "172.31.17.161";
+          prefixLength = 25;
+        }
+      ];
+    };
+    defaultGateway = "172.31.17.129";
+    nameservers = [ "212.12.50.158" "192.76.134.90" ];
+    search = [ "hamburg.ccc.de" ];
   };
-  networking.defaultGateway = "172.31.17.129";
-  networking.nameservers = [ "212.12.50.158" "192.76.134.90" ];
-  networking.search = [ "hamburg.ccc.de" ];
 
   systemd.network.links."10-net0" = {
     matchConfig.MACAddress = "BC:24:11:C9:F8:C5";
diff --git a/config/hosts/mqtt/networking.nix b/config/hosts/mqtt/networking.nix
index 5bd6616..7a34cbb 100644
--- a/config/hosts/mqtt/networking.nix
+++ b/config/hosts/mqtt/networking.nix
@@ -1,20 +1,21 @@
 { ... }:
 
 {
-    networking = {
-        interfaces.net0 = {
-            ipv4.addresses = [ {
-                address = "10.31.208.14";
-                prefixLength = 23;
-            } ];
-        };
-        defaultGateway = "10.31.208.1";
-        nameservers = [
-            "10.31.210.1"
-        ];
+  networking = {
+    interfaces.net0 = {
+      ipv4.addresses = [
+        {
+          address = "10.31.208.14";
+          prefixLength = 23;
+        }
+      ];
     };
-    systemd.network.links."10-net0" = {
-        matchConfig.MACAddress = "BC:24:11:48:85:73";
-        linkConfig.Name = "net0";
-    };
-}
\ No newline at end of file
+    defaultGateway = "10.31.208.1";
+    nameservers = [ "10.31.210.1" ];
+  };
+
+  systemd.network.links."10-net0" = {
+    matchConfig.MACAddress = "BC:24:11:48:85:73";
+    linkConfig.Name = "net0";
+  };
+}
diff --git a/config/hosts/netbox/networking.nix b/config/hosts/netbox/networking.nix
index dbfe9a6..a0abcfe 100644
--- a/config/hosts/netbox/networking.nix
+++ b/config/hosts/netbox/networking.nix
@@ -1,23 +1,19 @@
-# Networking configuration for the host.
-# Sources for this configuration:
-# - https://nixos.org/manual/nixos/stable/#sec-networking
-# - https://nixos.wiki/wiki/Systemd-networkd
-# - https://wiki.archlinux.org/title/Systemd-networkd
-
-{ config, pkgs, ... }:
+{ ... }:
 
 {
-  networking.interfaces.net0 = {
-    ipv4.addresses = [
-      {
-        address = "172.31.17.149";
-        prefixLength = 25;
-      }
-    ];
+  networking = {
+    interfaces.net0 = {
+      ipv4.addresses = [
+        {
+          address = "172.31.17.149";
+          prefixLength = 25;
+        }
+      ];
+    };
+    defaultGateway = "172.31.17.129";
+    nameservers = [ "212.12.50.158" "192.76.134.90" ];
+    search = [ "hamburg.ccc.de" ];
   };
-  networking.defaultGateway = "172.31.17.129";
-  networking.nameservers = [ "212.12.50.158" "192.76.134.90" ];
-  networking.search = [ "hamburg.ccc.de" ];
 
   systemd.network.links."10-net0" = {
     matchConfig.MACAddress = "62:ED:44:20:7C:C1";
diff --git a/config/hosts/nix-box-june/networking.nix b/config/hosts/nix-box-june/networking.nix
index 073250b..2c1faee 100644
--- a/config/hosts/nix-box-june/networking.nix
+++ b/config/hosts/nix-box-june/networking.nix
@@ -1,19 +1,19 @@
-# Networking configuration for the host.
-
-{ config, pkgs, ... }:
+{ ... }:
 
 {
-  networking.interfaces.net0 = {
-    ipv4.addresses = [
-      {
-        address = "172.31.17.158";
-        prefixLength = 25;
-      }
-    ];
+  networking = {
+    interfaces.net0 = {
+      ipv4.addresses = [
+        {
+          address = "172.31.17.158";
+          prefixLength = 25;
+        }
+      ];
+    };
+    defaultGateway = "172.31.17.129";
+    nameservers = [ "212.12.50.158" "192.76.134.90" ];
+    search = [ "hamburg.ccc.de" ];
   };
-  networking.defaultGateway = "172.31.17.129";
-  networking.nameservers = [ "212.12.50.158" "192.76.134.90" ];
-  networking.search = [ "hamburg.ccc.de" ];
 
   systemd.network.links."10-net0" = {
     matchConfig.MACAddress = "BC:24:11:6A:33:5F";
diff --git a/config/hosts/ptouch-print-server/networking.nix b/config/hosts/ptouch-print-server/networking.nix
index 7c7cb62..83031a1 100644
--- a/config/hosts/ptouch-print-server/networking.nix
+++ b/config/hosts/ptouch-print-server/networking.nix
@@ -11,9 +11,7 @@
       ];
     };
     defaultGateway = "10.31.208.1";
-    nameservers = [
-      "10.31.208.1"
-    ];
+    nameservers = [ "10.31.208.1" ];
   };
 
   systemd.network.links."10-net0" = {
diff --git a/config/hosts/public-web-static/networking.nix b/config/hosts/public-web-static/networking.nix
index 34b36f3..cb22d40 100644
--- a/config/hosts/public-web-static/networking.nix
+++ b/config/hosts/public-web-static/networking.nix
@@ -1,17 +1,19 @@
 { ... }:
 
 {
-  networking.interfaces.net0 = {
-    ipv4.addresses = [
-      {
-        address = "172.31.17.151";
-        prefixLength = 25;
-      }
-    ];
+  networking = {
+    interfaces.net0 = {
+      ipv4.addresses = [
+        {
+          address = "172.31.17.151";
+          prefixLength = 25;
+        }
+      ];
+    };
+    defaultGateway = "172.31.17.129";
+    nameservers = [ "212.12.50.158" "192.76.134.90" ];
+    search = [ "hamburg.ccc.de" ];
   };
-  networking.defaultGateway = "172.31.17.129";
-  networking.nameservers = [ "212.12.50.158" "192.76.134.90" ];
-  networking.search = [ "hamburg.ccc.de" ];
 
   systemd.network.links."10-net0" = {
     matchConfig.MACAddress = "86:72:08:F6:C0:D6";
diff --git a/config/hosts/woodpecker/networking.nix b/config/hosts/woodpecker/networking.nix
index 17fa56c..3301812 100644
--- a/config/hosts/woodpecker/networking.nix
+++ b/config/hosts/woodpecker/networking.nix
@@ -1,20 +1,19 @@
-# Sources for this configuration:
-# - https://nixos.wiki/wiki/Networking
-
 { ... }:
 
 {
-  networking.interfaces.net0 = {
-    ipv4.addresses = [
-      {
-        address = "172.31.17.160";
-        prefixLength = 25;
-      }
-    ];
+  networking = {
+    interfaces.net0 = {
+      ipv4.addresses = [
+        {
+          address = "172.31.17.160";
+          prefixLength = 25;
+        }
+      ];
+    };
+    defaultGateway = "172.31.17.129";
+    nameservers = [ "212.12.50.158" "192.76.134.90" ];
+    search = [ "hamburg.ccc.de" ];
   };
-  networking.defaultGateway = "172.31.17.129";
-  networking.nameservers = [ "212.12.50.158" "192.76.134.90" ];
-  networking.search = [ "hamburg.ccc.de" ];
 
   systemd.network.links."10-net0" = {
     matchConfig.MACAddress = "BC:24:11:5F:A9:B7";
diff --git a/config/hosts/yate/networking.nix b/config/hosts/yate/networking.nix
index 225edd2..a06a019 100644
--- a/config/hosts/yate/networking.nix
+++ b/config/hosts/yate/networking.nix
@@ -1,4 +1,4 @@
-{ config, pkgs, ... }:
+{ ... }:
 
 {
   networking = {

From 35e5fbc8a2349afecea9db8d8950a5c16097f41b Mon Sep 17 00:00:00 2001
From: June <june@jsts.xyz>
Date: Tue, 30 Jul 2024 01:35:13 +0200
Subject: [PATCH 079/170] Add .editorconfig for ensuring some consistency

---
 .editorconfig | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)
 create mode 100644 .editorconfig

diff --git a/.editorconfig b/.editorconfig
new file mode 100644
index 0000000..890d970
--- /dev/null
+++ b/.editorconfig
@@ -0,0 +1,23 @@
+root = true
+
+[*]
+end_of_line = lf
+insert_final_newline = true
+indent_style = space
+charset = utf-8
+
+[*.nix]
+indent_size = 2
+trim_trailing_whitespace = true
+
+[*.md]
+indent_size = 2
+trim_trailing_whitespace = false
+
+[*.json]
+indent_size = 2
+trim_trailing_whitespace = true
+
+[*.yaml]
+indent_size = 2
+trim_trailing_whitespace = true

From 028b5dc9e829a989a24a22109f17ee06137931d3 Mon Sep 17 00:00:00 2001
From: June <june@jsts.xyz>
Date: Sun, 4 Aug 2024 02:19:26 +0200
Subject: [PATCH 080/170] Configure Uptime-Kuma host

---
 config/hosts/public-reverse-proxy/nginx.nix |   1 +
 config/hosts/status/configuration.nix       |  10 ++
 config/hosts/status/default.nix             |  10 ++
 config/hosts/status/networking.nix          |  29 ++++
 config/hosts/status/nginx.nix               | 149 ++++++++++++++++++++
 config/hosts/status/uptime-kuma.nix         |   7 +
 flake.nix                                   |  10 ++
 7 files changed, 216 insertions(+)
 create mode 100644 config/hosts/status/configuration.nix
 create mode 100644 config/hosts/status/default.nix
 create mode 100644 config/hosts/status/networking.nix
 create mode 100644 config/hosts/status/nginx.nix
 create mode 100644 config/hosts/status/uptime-kuma.nix

diff --git a/config/hosts/public-reverse-proxy/nginx.nix b/config/hosts/public-reverse-proxy/nginx.nix
index ff14adb..507b71a 100644
--- a/config/hosts/public-reverse-proxy/nginx.nix
+++ b/config/hosts/public-reverse-proxy/nginx.nix
@@ -9,6 +9,7 @@
   services.nginx.streamConfig = ''
     map $ssl_preread_server_name $address {
         status.ccchh.net 10.31.206.15:8443;
+        status.hamburg.ccc.de 10.31.206.15:8443;
     }
 
     # Listen on port 443 as a reverse proxy and use PROXY Protocol for the
diff --git a/config/hosts/status/configuration.nix b/config/hosts/status/configuration.nix
new file mode 100644
index 0000000..c36dc63
--- /dev/null
+++ b/config/hosts/status/configuration.nix
@@ -0,0 +1,10 @@
+{ ... }:
+
+{
+  networking = {
+    hostName = "status";
+    domain = "z9.ccchh.net";
+  };
+
+  system.stateVersion = "24.05";
+}
diff --git a/config/hosts/status/default.nix b/config/hosts/status/default.nix
new file mode 100644
index 0000000..d8644c5
--- /dev/null
+++ b/config/hosts/status/default.nix
@@ -0,0 +1,10 @@
+{ ... }:
+
+{
+  imports = [
+    ./configuration.nix
+    ./networking.nix
+    ./nginx.nix
+    ./uptime-kuma.nix
+  ];
+}
diff --git a/config/hosts/status/networking.nix b/config/hosts/status/networking.nix
new file mode 100644
index 0000000..e7f1932
--- /dev/null
+++ b/config/hosts/status/networking.nix
@@ -0,0 +1,29 @@
+{ ... }:
+
+{
+  networking = {
+    interfaces.net0 = {
+      ipv4.addresses = [
+        {
+          address = "10.31.206.15";
+          prefixLength = 23;
+        }
+      ];
+      ipv6.addresses = [
+        {
+          address = "2a07:c480:0:1ce::f";
+          prefixLength = 64;
+        }
+      ];
+    };
+    defaultGateway = "10.31.206.1";
+    defaultGateway6 = "2a07:c480:0:1ce::1";
+    nameservers = [ "10.31.206.1" "2a07:c480:0:1ce::1" ];
+    search = [ "z9.ccchh.net" ];
+  };
+
+  systemd.network.links."10-net0" = {
+    matchConfig.MACAddress = "BC:24:11:79:D3:E1";
+    linkConfig.Name = "net0";
+  };
+}
diff --git a/config/hosts/status/nginx.nix b/config/hosts/status/nginx.nix
new file mode 100644
index 0000000..8eff61c
--- /dev/null
+++ b/config/hosts/status/nginx.nix
@@ -0,0 +1,149 @@
+# Sources for this configuration:
+# - https://github.com/louislam/uptime-kuma/wiki/Reverse-Proxy
+
+{ config, ... }:
+
+{
+  services.nginx = {
+    enable = true;
+
+    virtualHosts = {
+      "status.hamburg.ccc.de" = {
+        forceSSL = true;
+        enableACME = true;
+        serverName = "status.hamburg.ccc.de";
+
+        listen = [
+          {
+            addr = "[::]";
+            port = 80;
+          }
+          {
+            addr = "[::]";
+            port = 443;
+            ssl = true;
+          }
+        ];
+
+        locations."/" = {
+          proxyPass = "http://localhost:3001";
+          proxyWebsockets = true;
+        };
+      };
+      "status-proxyprotocol.hamburg.ccc.de" = {
+        forceSSL = true;
+        useACMEHost = "status.hamburg.ccc.de";
+        serverName = "status.hamburg.ccc.de";
+
+        listen = [
+          {
+            addr = "0.0.0.0";
+            port = 8443;
+            ssl = true;
+            proxyProtocol = true;
+          }
+        ];
+
+        locations."/" = {
+          proxyPass = "http://localhost:3001";
+          proxyWebsockets = true;
+        };
+
+        extraConfig = ''
+          # Make use of the ngx_http_realip_module to set the $remote_addr and
+          # $remote_port to the client address and client port, when using proxy
+          # protocol.
+          # First set our proxy protocol proxy as trusted.
+          set_real_ip_from 10.31.206.11;
+          # Then tell the realip_module to get the addreses from the proxy protocol
+          # header.
+          real_ip_header proxy_protocol;
+        '';
+      };
+      "status.ccchh.net" = {
+        forceSSL = true;
+        useACMEHost = "status.hamburg.ccc.de";
+        serverName = "status.ccchh.net";
+
+        listen = [
+          {
+            addr = "[::]";
+            port = 80;
+          }
+          {
+            addr = "[::]";
+            port = 443;
+            ssl = true;
+          }
+        ];
+
+        globalRedirect = "status.hamburg.ccc.de";
+        redirectCode = 307;
+      };
+      "status-proxyprotocol.ccchh.net" = {
+        forceSSL = true;
+        useACMEHost = "status.hamburg.ccc.de";
+        serverName = "status.ccchh.net";
+
+        listen = [
+          {
+            addr = "0.0.0.0";
+            port = 8443;
+            ssl = true;
+            proxyProtocol = true;
+          }
+        ];
+
+        globalRedirect = "status.hamburg.ccc.de";
+        redirectCode = 307;
+
+        extraConfig = ''
+          # Make use of the ngx_http_realip_module to set the $remote_addr and
+          # $remote_port to the client address and client port, when using proxy
+          # protocol.
+          # First set our proxy protocol proxy as trusted.
+          set_real_ip_from 10.31.206.11;
+          # Then tell the realip_module to get the addreses from the proxy protocol
+          # header.
+          real_ip_header proxy_protocol;
+        '';
+      };
+      "status.z9.ccchh.net" = {
+        forceSSL = true;
+        useACMEHost = "status.hamburg.ccc.de";
+        serverName = "status.z9.ccchh.net";
+
+        listen = [
+          {
+            addr = "0.0.0.0";
+            port = 80;
+          }
+          {
+            addr = "[::]";
+            port = 80;
+          }
+          {
+            addr = "0.0.0.0";
+            port = 443;
+            ssl = true;
+          }
+          {
+            addr = "[::]";
+            port = 443;
+            ssl = true;
+          }
+        ];
+
+        globalRedirect = "status.hamburg.ccc.de";
+        redirectCode = 307;
+      };
+    };
+  };
+
+  security.acme.certs."status.hamburg.ccc.de".extraDomainNames = [
+    "status.ccchh.net"
+    "status.z9.ccchh.net"
+  ];
+
+  networking.firewall.allowedTCPPorts = [ 80 443 8443 ];
+}
diff --git a/config/hosts/status/uptime-kuma.nix b/config/hosts/status/uptime-kuma.nix
new file mode 100644
index 0000000..02411f2
--- /dev/null
+++ b/config/hosts/status/uptime-kuma.nix
@@ -0,0 +1,7 @@
+{ ... }:
+
+{
+  services.uptime-kuma = {
+    enable = true;
+  };
+}
diff --git a/flake.nix b/flake.nix
index f508b35..0eef08a 100644
--- a/flake.nix
+++ b/flake.nix
@@ -224,6 +224,16 @@
             inherit pkgs-unstable;
           };
         };
+
+        status = nixpkgs.lib.nixosSystem {
+          inherit system;
+          modules = [
+            ./config/common
+            ./config/proxmox-vm
+            sops-nix.nixosModules.sops
+            ./config/hosts/status
+          ];
+        };
       };
 
       packages.x86_64-linux = {

From 1ffc959ce30b53b6b9558cf7ad14d1a654ad9aea Mon Sep 17 00:00:00 2001
From: June <june@jsts.xyz>
Date: Sun, 4 Aug 2024 21:03:29 +0200
Subject: [PATCH 081/170] Update spaceapid to v0.1.0

---
 config/hosts/public-web-static/spaceapid.nix | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/config/hosts/public-web-static/spaceapid.nix b/config/hosts/public-web-static/spaceapid.nix
index 13de76b..3f1f8fe 100644
--- a/config/hosts/public-web-static/spaceapid.nix
+++ b/config/hosts/public-web-static/spaceapid.nix
@@ -1,19 +1,20 @@
 { pkgs, ... }:
 
 let
-  spaceapidSrc = builtins.fetchGit {
+  version = "v0.1.0";
+  spaceapidSrc = pkgs.fetchgit {
     url = "https://git.hamburg.ccc.de/CCCHH/spaceapid.git";
-    ref = "main";
-    rev = "17753f535c68157e80f30f50deb488133cc98258";
+    rev = version;
+    hash = "sha256-2SDhliltzyydPPZdNn/htDydiK/SHQcYyG/dQ0EyFrY=";
   };
   spaceapid = pkgs.buildGoModule rec {
     pname = "spaceapid";
-    version = "main";
+    inherit version;
 
     src = spaceapidSrc;
 
     ldflags = [
-      "-X main.version=${version}-${spaceapidSrc.rev}"
+      "-X main.version=${version}"
     ];
 
     # Since spaceapid doesn't have any dependencies, we can set this to null and

From faffcb7d5482f3d1079cd40cc76cfcdc5196b60b Mon Sep 17 00:00:00 2001
From: June <june@jsts.xyz>
Date: Sun, 4 Aug 2024 21:05:43 +0200
Subject: [PATCH 082/170] spaceapi: remove inside sensors for privacy reasons

---
 .../spaceapid-config/ccchh-dynamic.json       | 62 -------------------
 1 file changed, 62 deletions(-)

diff --git a/config/hosts/public-web-static/spaceapid-config/ccchh-dynamic.json b/config/hosts/public-web-static/spaceapid-config/ccchh-dynamic.json
index b2f9f8e..885d339 100644
--- a/config/hosts/public-web-static/spaceapid-config/ccchh-dynamic.json
+++ b/config/hosts/public-web-static/spaceapid-config/ccchh-dynamic.json
@@ -2,26 +2,6 @@
   "dynamic": {
     "sensors": {
       "temperature": [
-        {
-          "sensor_data": {
-            "unit": "°C",
-            "location": "Hauptraum",
-            "description": "Sensor im Hauptraum"
-          },
-          "allowed_credentials": [
-            "club-assistant"
-          ]
-        },
-        {
-          "sensor_data": {
-            "unit": "°C",
-            "location": "Loetschlauch",
-            "description": "Sensor im Lötschlauch (Teil der Werkstatt)"
-          },
-          "allowed_credentials": [
-            "club-assistant"
-          ]
-        },
         {
           "sensor_data": {
             "unit": "°C",
@@ -34,26 +14,6 @@
         }
       ],
       "humidity": [
-        {
-          "sensor_data": {
-            "unit": "%",
-            "location": "Hauptraum",
-            "description": "Sensor im Hauptraum"
-          },
-          "allowed_credentials": [
-            "club-assistant"
-          ]
-        },
-        {
-          "sensor_data": {
-            "unit": "%",
-            "location": "Loetschlauch",
-            "description": "Sensor im Lötschlauch (Teil der Werkstatt)"
-          },
-          "allowed_credentials": [
-            "club-assistant"
-          ]
-        },
         {
           "sensor_data": {
             "unit": "%",
@@ -64,28 +24,6 @@
             "club-assistant"
           ]
         }
-      ],
-      "CO2": [
-        {
-          "sensor_data": {
-            "unit": "ppm",
-            "location": "Hauptraum",
-            "description": "Sensor im Hauptraum (Typ: SCD41)"
-          },
-          "allowed_credentials": [
-            "club-assistant"
-          ]
-        },
-        {
-          "sensor_data": {
-            "unit": "ppm",
-            "location": "Loetschlauch",
-            "description": "Sensor im Lötschlauch (Teil der Werkstatt, Typ: SCD41)"
-          },
-          "allowed_credentials": [
-            "club-assistant"
-          ]
-        }
       ]
     },
     "state": {

From 178777007f70b791e8d466a58f20a83e8eb85bab Mon Sep 17 00:00:00 2001
From: June <june@jsts.xyz>
Date: Sat, 10 Aug 2024 22:38:05 +0200
Subject: [PATCH 083/170] penpot: configure penpot host using oci-containers

---
 .sops.yaml                            |  17 ++
 config/hosts/penpot/configuration.nix |   7 +
 config/hosts/penpot/default.nix       |  11 ++
 config/hosts/penpot/networking.nix    |  20 +++
 config/hosts/penpot/nginx.nix         |  63 +++++++
 config/hosts/penpot/penpot.nix        | 198 ++++++++++++++++++++++
 config/hosts/penpot/secrets.yaml      | 234 ++++++++++++++++++++++++++
 config/hosts/penpot/sops.nix          |   7 +
 deployment_configuration.json         |   3 +
 flake.nix                             |  10 ++
 10 files changed, 570 insertions(+)
 create mode 100644 config/hosts/penpot/configuration.nix
 create mode 100644 config/hosts/penpot/default.nix
 create mode 100644 config/hosts/penpot/networking.nix
 create mode 100644 config/hosts/penpot/nginx.nix
 create mode 100644 config/hosts/penpot/penpot.nix
 create mode 100644 config/hosts/penpot/secrets.yaml
 create mode 100644 config/hosts/penpot/sops.nix

diff --git a/.sops.yaml b/.sops.yaml
index 52a8aa7..ec660ec 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -17,6 +17,7 @@ keys:
   - &host_age_public_web_static age19s7r8sf7j6zk24x9vumawgxpd2q8epyv7p9qsjntw7v9s3v045mqhmsfp0
   - &host_age_mjolnir age1ej52kwuj8xraxdq685eejj4dmxpfmpgt4d8jka98rtpal6xcueqq9a6wae
   - &host_age_woodpecker age1klxtcr23hers0lh4f5zdd53tyrtg0jud35rhydstyjq9fjymf9hsn2a8ch
+  - &host_age_penpot age10ku5rphtsf2lcxg78za7f2dad5cx5x9urgkce0d7tyqwq2enva9sqf7g8r
 creation_rules:
   - path_regex: config/hosts/git/.*
     key_groups:
@@ -130,6 +131,22 @@ creation_rules:
           - *admin_gpg_dante
         age:
           - *host_age_woodpecker
+  - path_regex: config/hosts/penpot/.*
+    key_groups:
+      - pgp:
+          - *admin_gpg_djerun
+          - *admin_gpg_stb
+          - *admin_gpg_jtbx
+          - *admin_gpg_yuri
+          - *admin_gpg_june
+          - *admin_gpg_haegar
+          - *admin_gpg_dario
+          - *admin_gpg_echtnurich
+          - *admin_gpg_max
+          - *admin_gpg_c6ristian
+          - *admin_gpg_dante
+        age:
+          - *host_age_penpot
   - key_groups:
       - pgp:
           - *admin_gpg_djerun
diff --git a/config/hosts/penpot/configuration.nix b/config/hosts/penpot/configuration.nix
new file mode 100644
index 0000000..4608e1c
--- /dev/null
+++ b/config/hosts/penpot/configuration.nix
@@ -0,0 +1,7 @@
+{ config, pkgs, ... }:
+
+{
+  networking.hostName = "penpot";
+
+  system.stateVersion = "24.05";
+}
diff --git a/config/hosts/penpot/default.nix b/config/hosts/penpot/default.nix
new file mode 100644
index 0000000..b6c8d81
--- /dev/null
+++ b/config/hosts/penpot/default.nix
@@ -0,0 +1,11 @@
+{ config, pkgs, ... }:
+
+{
+  imports = [
+    ./configuration.nix
+    ./networking.nix
+    ./nginx.nix
+    ./penpot.nix
+    ./sops.nix
+  ];
+}
diff --git a/config/hosts/penpot/networking.nix b/config/hosts/penpot/networking.nix
new file mode 100644
index 0000000..a96f70b
--- /dev/null
+++ b/config/hosts/penpot/networking.nix
@@ -0,0 +1,20 @@
+{ ... }:
+
+{
+  networking.interfaces.net0 = {
+    ipv4.addresses = [
+      {
+        address = "172.31.17.162";
+        prefixLength = 25;
+      }
+    ];
+  };
+  networking.defaultGateway = "172.31.17.129";
+  networking.nameservers = [ "212.12.50.158" "192.76.134.90" ];
+  networking.search = [ "hamburg.ccc.de" ];
+
+  systemd.network.links."10-net0" = {
+    matchConfig.MACAddress = "BC:24:11:26:1C:8A";
+    linkConfig.Name = "net0";
+  };
+}
diff --git a/config/hosts/penpot/nginx.nix b/config/hosts/penpot/nginx.nix
new file mode 100644
index 0000000..dc446f3
--- /dev/null
+++ b/config/hosts/penpot/nginx.nix
@@ -0,0 +1,63 @@
+{ config, pkgs, ... }:
+
+let
+  domain = "design.hamburg.ccc.de";
+in
+{
+  services.nginx = {
+    enable = true;
+
+    virtualHosts = {
+      "acme-${domain}" = {
+        default = true;
+        enableACME = true;
+        serverName = "${domain}";
+
+        listen = [
+          {
+            addr = "0.0.0.0";
+            port = 31820;
+          }
+        ];
+      };
+
+      "${domain}" = {
+        default = true;
+        forceSSL = true;
+        useACMEHost = "${domain}";
+
+        listen = [
+          {
+            addr = "0.0.0.0";
+            port = 8443;
+            ssl = true;
+            proxyProtocol = true;
+          }
+        ];
+
+        locations."/" = {
+          proxyPass = "http://127.0.0.1:9001";
+        };
+
+        locations."/ws/notifications" = {
+          proxyPass = "http://127.0.0.1:9001";
+          proxyWebsockets = true;
+        };
+
+        extraConfig = ''
+          # Make use of the ngx_http_realip_module to set the $remote_addr and
+          # $remote_port to the client address and client port, when using proxy
+          # protocol.
+          # First set our proxy protocol proxy as trusted.
+          set_real_ip_from 172.31.17.140;
+          # Then tell the realip_module to get the addreses from the proxy protocol
+          # header.
+          real_ip_header proxy_protocol;
+        '';
+      };
+    };
+  };
+
+  networking.firewall.allowedTCPPorts = [ 8443 31820 ];
+  networking.firewall.allowedUDPPorts = [ 8443 ];
+}
diff --git a/config/hosts/penpot/penpot.nix b/config/hosts/penpot/penpot.nix
new file mode 100644
index 0000000..5567308
--- /dev/null
+++ b/config/hosts/penpot/penpot.nix
@@ -0,0 +1,198 @@
+# Sources used for this configuration:
+# - https://github.com/penpot/penpot/blob/2.1.0/docker/images/docker-compose.yaml
+# - https://raw.githubusercontent.com/penpot/penpot/2.1.0/docker/images/docker-compose.yaml
+# - https://help.penpot.app/technical-guide/configuration/
+# - https://medium.com/@social.iodols/managing-docker-containers-in-nixos-fbda0f666dd1
+# - https://madison-technologies.com/take-your-nixos-container-config-and-shove-it/
+
+{ config, pkgs, ... }:
+
+let
+  # Flags for both frontend and backend.
+  # https://help.penpot.app/technical-guide/configuration/#common
+  # https://github.com/penpot/penpot/commit/ea7ad2aaa096f8d190d740f693f22f3ed1f05088
+  commonPenpotFlags = "disable-registration enable-oidc-registration disable-login-with-password enable-login-with-oidc";
+  penpotVersion = "2.1.2";
+in
+{
+  virtualisation.docker.enable = true;
+  virtualisation.oci-containers = {
+    backend = "docker";
+    containers = {
+      "penpot-frontend" = {
+        autoStart = true;
+        image = "git.hamburg.ccc.de/ccchh/oci-images/penpot/frontend:${penpotVersion}";
+        extraOptions = [ "--network=penpot" ];
+        ports = [ "9001:80" ];
+        volumes = [ "penpot_assets:/opt/data/assets" ];
+        dependsOn = [
+          "penpot-backend"
+          "penpot-exporter"
+        ];
+        environment = {
+          # https://help.penpot.app/technical-guide/configuration/#frontend
+          # https://github.com/penpot/penpot/blob/develop/docker/images/docker-compose.yaml#L78
+
+          PENPOT_FLAGS = "${commonPenpotFlags} disable-onboarding";
+        };
+      };
+
+      "penpot-backend" = {
+        autoStart = true;
+        image = "git.hamburg.ccc.de/ccchh/oci-images/penpot/backend:${penpotVersion}";
+        extraOptions = [ "--network=penpot" ];
+        volumes = [ "penpot_assets:/opt/data/assets" ];
+        dependsOn = [
+          "penpot-postgres"
+          "penpot-redis"
+        ];
+        environment = {
+          # https://help.penpot.app/technical-guide/configuration/#backend
+          # https://github.com/penpot/penpot/blob/develop/docker/images/docker-compose.yaml#L112
+
+          PENPOT_FLAGS = "${commonPenpotFlags} enable-smtp";
+
+          # PENPOT_SECRET_KEY st via environmentFile.
+          PENPOT_TELEMETRY_ENABLED = "false";
+
+          # OpenID Connect configuration.
+          # https://help.penpot.app/technical-guide/configuration/#openid-connect
+          PENPOT_OIDC_CLIENT_ID = "penpot";
+          PENPOT_OIDC_BASE_URI = "https://id.hamburg.ccc.de/realms/ccchh/";
+          # PENPOT_OIDC_CLIENT_SECRET set via environmentFile.
+          PENPOT_OIDC_ROLES = "user";
+          PENPOT_OIDC_ROLES_ATTR = "roles";
+
+          # Database configuration.
+          # https://help.penpot.app/technical-guide/configuration/#database
+          PENPOT_DATABASE_USERNAME = "penpot";
+          # PENPOT_DATABASE_PASSWORD set via environmentFile.
+          PENPOT_DATABASE_URI = "postgresql://penpot-postgres/penpot";
+
+          # Email configuration.
+          # https://help.penpot.app/technical-guide/configuration/#email-(smtp)
+          PENPOT_SMTP_HOST = "cow.hamburg.ccc.de";
+          PENPOT_SMTP_PORT = "465";
+          PENPOT_SMTP_USERNAME = "no-reply@design.hamburg.ccc.de";
+          # PENPOT_SMTP_PASSWORD set via environmentFile.
+          PENPOT_SMTP_SSL = "true";
+          PENPOT_SMTP_DEFAULT_REPLY_TO = "Penpot <no-reply@design.hamburg.ccc.de>";
+          PENPOT_SMTP_DEFAULT_FROM = "Penpot <no-reply@design.hamburg.ccc.de>";
+
+          # Storage
+          # https://help.penpot.app/technical-guide/configuration/#storage
+          PENPOT_ASSETS_STORAGE_BACKEND = "assets-fs";
+          PENPOT_STORAGE_ASSETS_FS_DIRECTORY = "/opt/data/assets";
+
+          # Redis
+          # https://help.penpot.app/technical-guide/configuration/#redis
+          PENPOT_REDIS_URI = "redis://penpot-redis/0";
+
+          PENPOT_PUBLIC_URI = "https://design.hamburg.ccc.de";
+        };
+        environmentFiles = [ "/run/secrets/penpot_backend_environment_file" ];
+      };
+
+      "penpot-exporter" = {
+        autoStart = true;
+        image = "git.hamburg.ccc.de/ccchh/oci-images/penpot/exporter:${penpotVersion}";
+        extraOptions = [ "--network=penpot" ];
+        environment = {
+          # https://help.penpot.app/technical-guide/configuration/#exporter
+          # https://github.com/penpot/penpot/blob/develop/docker/images/docker-compose.yaml#L221
+          PENPOT_PUBLIC_URI = "http://penpot-frontend";
+          PENPOT_REDIS_URI = "redis://penpot-redis/0";
+        };
+      };
+
+      "penpot-postgres" = {
+        autoStart = true;
+        image = "docker.io/library/postgres:15";
+        extraOptions = [ "--stop-signal=SIGINT" "--network=penpot" ];
+        volumes = [ "penpot_postgres_v15:/var/lib/postgresql/data" ];
+        environment = {
+          # https://github.com/penpot/penpot/blob/develop/docker/images/docker-compose.yaml#L240
+
+          POSTGRES_INITDB_ARGS = "--data-checksums";
+          POSTGRES_DB = "penpot";
+          POSTGRES_USER = "penpot";
+          # POSTGRES_PASSWORD set via environmentFile.
+        };
+        environmentFiles = [ "/run/secrets/penpot_postgres_environment_file" ];
+      };
+
+      "penpot-redis" = {
+        autoStart = true;
+        image = "docker.io/library/redis:7";
+        extraOptions = [ "--network=penpot" ];
+      };
+    };
+  };
+
+  # Docker networks.
+  systemd.services."docker-network-penpot" = {
+    serviceConfig = {
+      Type = "oneshot";
+      RemainAfterExit = true;
+      ExecStop = "${pkgs.docker}/bin/docker network rm -f penpot";
+    };
+    script = "${pkgs.docker}/bin/docker network inspect penpot || ${pkgs.docker}/bin/docker network create penpot";
+    requiredBy = [
+      "docker-penpot-frontend.service"
+      "docker-penpot-backend.service"
+      "docker-penpot-exporter.service"
+      "docker-penpot-postgres.service"
+      "docker-penpot-redis.service"
+    ];
+    before = [
+      "docker-penpot-frontend.service"
+      "docker-penpot-backend.service"
+      "docker-penpot-exporter.service"
+      "docker-penpot-postgres.service"
+      "docker-penpot-redis.service"
+    ];
+  };
+
+  # Pull docker images prior to starting container services, so that a container
+  # service isn't considered up, if it actually is still just pulling the
+  # relevant image.
+  systemd.services."docker-images-penpot" = {
+    serviceConfig = {
+      Type = "oneshot";
+      RemainAfterExit = true;
+    };
+    script = ''
+      ${pkgs.docker}/bin/docker pull ${config.virtualisation.oci-containers.containers."penpot-frontend".image}
+      ${pkgs.docker}/bin/docker pull ${config.virtualisation.oci-containers.containers."penpot-backend".image}
+      ${pkgs.docker}/bin/docker pull ${config.virtualisation.oci-containers.containers."penpot-exporter".image}
+      ${pkgs.docker}/bin/docker pull ${config.virtualisation.oci-containers.containers."penpot-postgres".image}
+      ${pkgs.docker}/bin/docker pull ${config.virtualisation.oci-containers.containers."penpot-redis".image}
+    '';
+    requiredBy = [
+      "docker-penpot-frontend.service"
+      "docker-penpot-backend.service"
+      "docker-penpot-exporter.service"
+      "docker-penpot-postgres.service"
+      "docker-penpot-redis.service"
+    ];
+    before = [
+      "docker-penpot-frontend.service"
+      "docker-penpot-backend.service"
+      "docker-penpot-exporter.service"
+      "docker-penpot-postgres.service"
+      "docker-penpot-redis.service"
+    ];
+  };
+
+  sops.secrets."penpot_backend_environment_file" = {
+    mode = "0440";
+    owner = "root";
+    group = "root";
+  };
+
+  sops.secrets."penpot_postgres_environment_file" = {
+    mode = "0440";
+    owner = "root";
+    group = "root";
+  };
+}
diff --git a/config/hosts/penpot/secrets.yaml b/config/hosts/penpot/secrets.yaml
new file mode 100644
index 0000000..855590c
--- /dev/null
+++ b/config/hosts/penpot/secrets.yaml
@@ -0,0 +1,234 @@
+penpot_backend_environment_file: ENC[AES256_GCM,data:+MJbbAjzslBIYlQ9xe0VzM8ON2U5dktJGGHmoUu0HW0mvU4pRYrQXlWdW85RXAyYU9yOiL6TNAHOWUQyqOdo23whuer2jL/Qe17DEhapE4b9W9JqBX7H0VZZKHS70AgGZdWmbj/bWAROg/qGPVKjZLhgKxoVTVbvAIJEXUDAbGfvHlY3BP67yUTXvbmtd/Rdhn6i1HafY7YHFNAW8SkikglW6wR5igEZMFAefMOMgq7aYmNXOr1bImjCPEko0DvumJZM4YMjmb3Wc97wL7OMP9G/V0k9fRclhOj9+lNpeeCKL+VL3Bgo8vqgrB+WIi4a0EwerT8srx351txrU+ITxoHciRQtOpeXVHWL1snW9o7xCoOcil0NS93D9GhW+Hd75Is/xHN08UHmahF1r71nbDK4CmSiUzZzFLl1oWkSTU/31zBUnllHOt5nDMKT42xiniAJcQ==,iv:vtIlNGIh9+e9W+OebTac+UUQp9glBIolC6KQwQMzDn4=,tag:kBBTu7LVp+3xJ/MstLyomw==,type:str]
+penpot_postgres_environment_file: ENC[AES256_GCM,data:VT36kHkRH8ghnU1oyPpAQZW2LR8GNmG1cQXVjU4f+rGy9hViTivd7qxzMusisy7IcWfVaQuXFvUCT+pCMD/fhSAQZOY/1Rs8LBXJtsuPButOG9Q=,iv:pUjAkvvHjsnzn0xRRmdZXatOgLm9dx8Ggt7lEfiQllQ=,tag:FZRqlcxQWu/FgnJfoukIcA==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age10ku5rphtsf2lcxg78za7f2dad5cx5x9urgkce0d7tyqwq2enva9sqf7g8r
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiZVA5WE9JcDBOQVdPbGkz
+            SnNkWEJvaUtGaWVOajd6SzJ6aGNxSXZQaVhnCmgwT01kNFRZa09Gd1o2ZURyZUJQ
+            N0dwK21vUmk1N1duOVNtV2wrVmlyNDQKLS0tIEJtUENHdXhGcXhRRjM5VkhpdEVG
+            Z3UzOGFFUDhwUndoQWtCdHlMenZETW8KI0FjoFG4E1fhOxYiCIxY2BnLOmGcpoyK
+            EbDdNFQEMngwppEm9r1KzG/1cGMoIij2qpmK4Jz1Hzgk/6dZwvGxzw==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-08-10T15:40:27Z"
+    mac: ENC[AES256_GCM,data:hxVxH/BBwYcvbtOH4aOUnI9NnbCfAGnnwE3VQBJBJliOWo9WHm/hx4Eol4vaS+AA2t6AUU7UmzjofX2wSTbqQliDCFCSgbpMofDXP7tmlat+M9Du91fQmfOibzCd84tkqS+TRTFCFX83LmQ7/Bb2mHl77uGVAFYyHX9+IPPEUMw=,iv:w2Rdl2+o7bZRQsOogU6U5DK1UuHn+bL4Ouh3XbByYHA=,tag:6sqJal6+kzk0stP6vK6oOw==,type:str]
+    pgp:
+        - created_at: "2024-08-09T01:28:41Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMAxK/JaB2/SdtAQ/+JKe4fsuAKMJr6kuDt5vjv+hrXamWEwRLBfYPHHZHEUeK
+            AQBs9fG9Ni7Qpelv8RIbxWyophgt2TCEqP2d+7EcGTgDZkdLxx5s2LJuCh+tEZwT
+            bm0sPt+8eYY077MxA1ZtlBgkslMugvdnJaDckGc8xRPldUa7gRp0j3yaLULRxjA6
+            T0nyALAqAaDa2uHgB7mTB3pXJYk4GxZpYbVc+wxAWXEDRLR/bpT18ywAcA6iSerd
+            KGDzWKjgOr1TTJqUxsguqDjnVp1c+xRPirC9uENGqW8mxI7h1+4B//dJvuXV/cYh
+            LKi0aDUTnma78mo2v9faUSJl23LkIehWZwbVG/+Mpkk3yxscLV124Vbwj56IFCzI
+            AiJ7m2QVxY5eXoVLodw6Po2S62gkwg7H5Aw3J4pppNuIAIr/8mJBpJoBy6poTsG3
+            QhbQdEdsF5ikoLu/OV/H7mp86zJt42Q+74xGjKYx/qvLq6SDmDA03kqk9N71URyu
+            FRTEDysEkeAzreFFkxn3Q+K/cXvtv/2Knte1lmDTfpmhg4cFwsLPLPH37A2veaxJ
+            JTyWDLHgrJ8NFgii3gLrwj+XLOZOwmCY0puJKtdAnPaaQiLfyqYfeLVlt7Se4MMJ
+            8XaFWcaQHBxL9nRZnx7WkE9LfHIG0e+414hT0F/aER+8iKboIbt6rdEHpEMGDWnU
+            aAEJAhD/TpW7E+yYjFVi/xSQ3kCAruHcm6x4BDTE7by0VeTLiRFW+culxiInOYiD
+            kdp+dATm5f7IrQp/qemL02/Me5yqURZlZrDHra7AiCI+MVBJiCRIY/x6xZSew7PX
+            HC+p9sB+PBFL
+            =1qbt
+            -----END PGP MESSAGE-----
+          fp: EF643F59E008414882232C78FFA8331EEB7D6B70
+        - created_at: "2024-08-09T01:28:41Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA6EyPtWBEI+2AQ/+Ijn18W+K2je/hpolpY6HmQMTTRpQJZ8YtJ5G35o5WoVP
+            hH+znQMrBBAtnTWeFBeIuIzk4CHjPS0yfnsE4/rP7/lSa177A2xaeiCb74F6k/Es
+            MtDE/TApSlNdPFruN5nkd2I8jAWh1k37nS+/NUhszReR39NNmgA+aCSc2OK04aAz
+            dpPXmaJ+d3zMr7eFoL2NyhNI3A/ZdVP3UmZCp12juckDRl8oeei4PBlw2T6ODJP4
+            tY08I9EyK/5K4auhYJyvayl1RWwRuShFV732ZjztkawLw152W0Rrg75Qoukhs9mr
+            TdyF0zcnVxAcOV4e5wRe13dDV6Ue7zeWFc9bb577thGzUm2Oue0u+oisty16qt9K
+            0vw0tVSDtT/suodG8HpvSwGQ+/xcV7w8XCH8Yx28N9iO49VZCB1ZYXQBxTHVDl2b
+            J/8AivaK4OOFvPWNr4u6oLaO9nz1aaX6Qsap5zn0Qa2Ls2SSBwWk2Fp/f1dq3KOy
+            /jGR89ocuEuImVacr2G6zxPnbukfa4S8q/FUUDbswQUqmWMcDDq3dOQ1fFPRd7vy
+            5a9u3P8LFW+ZPPHop3kgozgZ9pBGDOlw3nkjGjFl39lE33E+049gLE6I6+1+umG0
+            EWkNI9y8X+HmHMthVuYapq23Ix09H6Wa452hZmEUxNgp33M8Zx+l3s6D7o7jfrjS
+            XgElPJuUWyGKPoUY9mFaINyVqjOJGEtEOYRP7jvCpFWDq/xQ8jbJvvv7qBy8+i0b
+            cpqRrMJrvMB2PSLeD6cNWymrNhKilLLFOcG9yaIEudDhiuv3L4/ub08QMroDmo8=
+            =80AM
+            -----END PGP MESSAGE-----
+          fp: F155144FC925A1BEA1F8A2C59A2A4CD59BFDC5EC
+        - created_at: "2024-08-09T01:28:41Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMAz5uSgHG2iMJAQ//Vv7IVqc9ReeFgo8RWbYpl1W5atAHerZuUh0oYc4otGpb
+            UseJ2JInyykcUeQWlOGvTK+eauBVNET0E/6jylCoWb8lzffhSMJ4FFpvpsoYjPG9
+            Q8s3r8soOCYB0xscfhinZwJg5to+I2MSd8mppWIp4UCQhxv7MqQpbqEzNTfVP7YO
+            QEUZ/lesVovLvxMzKc2YVWyZFSW2G6HK3LTaJIg8gy5ym/crlUB+awd2ZDePGk6F
+            Y7DcKwL1EpCL+hoPWGF9PclYKrOBIZVznYQuwHAqG+Bxr9Ln/NmS/OoCrJDMN6gG
+            2YMZ3Q7GQ82zZESxYA7g+ef9/lGCm7DIkt80or72x7eS6/OP7c1bjGFgKLQNyHFU
+            Th6cOy/TzK8Sq2g1mWB2zyV3xk6mb9C0ETAFD5vvPGVC3Sb4549Y+epe1T3ZLFTA
+            t09nUIpTC05PEdGsWs5Z5MDp8ZCsPZpipbVrWENesNOfaFYG+p7aM0LjgTqZcadD
+            B/Foejayc3XYI0T/NoP43mAZ2nEOw2Bz9lBpwz0PeTfzyrhz9XlJ7Dw462XTFA3i
+            voTHA5+DzGNPf6zC1fH9GcESmpC2nqXit8ZV+Y7Zb9/cAsx3E05S8ayxdBZUrOtJ
+            JSWGOAfPuzGXgL6Ht3iKcmCxQ/pSi1aH0h+bYqlrxTvP9IMyNCrxmP6+YsXCv8XS
+            XgE0NjzRMClq4/HhQ5X0ANGHWxbZJLAbm8yfgK5rnnmvi53RNJhRUHDnNca93brF
+            n27gnVLKM+2FdwRjwNIznkbZV/iNM6zIfRWwmJs9gHRuX/J/XWzD1KjDsn2rmiQ=
+            =bAYZ
+            -----END PGP MESSAGE-----
+          fp: 18DFCE01456DAB52EA38A6584EDC64F35FA1D6A5
+        - created_at: "2024-08-09T01:28:41Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMAw5vwmoEJHQ1ARAAkdXjf9h4iyYtKPwR9V8hgIfpt3s3zMduuJN3u76ZHdfE
+            87t5K8eL2yIVN2DeOqtXRG28Broy3LLwMlLOJhxVxS5LAOEjT4ScZyb9H7MLnDsp
+            boW210SLkeQ5vTW9hgjAU9V6wbemxoiNPYTcBUsuirI8a+jpnALLY0jeOILBEmHQ
+            c+wbeo+VnlTQkTKCFI7TwlG1JnRnv3DMATVkOjC2PXmXPNkhr04Ivvf0+yBELY/1
+            hLirTfk/W6vFodPaoaRaeWjGJOo+FbqKLxr2xYzVu6SkF+i4CvDPb1x0t/laTpPA
+            qC6KJ1wyVwG4k7ZBLgRcf5Scn1zgGFzZexUAhdIYp0tKPycphUQxEMOI8/OeBP1V
+            68gBcilvv42zs+ed2RUK4j1e9YklxazZgaUhPfdrBrw/HiDJ8ILaq6LQQZSNrxZx
+            koAV/qw8ylU7vkciyA8bGLOiWc/Ub9vkRSuEi5TMOhmT7bVZ+W/26bWgDcAMmCpa
+            13H1uLXLuHnfDavdesh+RAxRgEavPTMz+HFbqhvkv8sy0RPCodyJv69J7dsS7a2C
+            71Ub7jyZIQyRtTGGZH5EjMQVStBMccE2KrJRzZCKbCmQDofKb4M67caaHBnVrs7D
+            vyx8V7JQGkNOWIgWFb23dtCtRiMzFaRk31mihFmFF2tSgg6XMqNmTp0pc3zQBarS
+            XgFZKRlYE7H1tMUCDwyKB7G3r1jsxBlUSbH1J6XjUBWKkTD4iMHI/4YStvghLjm2
+            0qqgKH/Njd9xBXc3x4Ut7kh8tFMMa07xF7/V0Pgwq+7J7EgckEfKHKA5vcQt17Q=
+            =23io
+            -----END PGP MESSAGE-----
+          fp: 87AB00D45D37C9E9167B5A5A333448678B60E505
+        - created_at: "2024-08-09T01:28:41Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA4HMJd/cQYrVAQ//RH/jOrYE9MD9IjkUfsQZ79rjEwDdtmsXs+gS/XUr0MpI
+            f/aDyw/vfvD7ZgY86yqp68x0OQLIyRIx9O05FNB3giVN4YFvZpFblLotpMzCFa2d
+            5xKLIQ1oviDSnE0kKpNM+QKITKjCxyke7MgW/laXvF0zMaVdPj0qo3Zn07MUKULs
+            btxZgPhzwWLjveZGn+72QiBGTF0ce49TWoh6y/l7PDsXhojau2KP556hI3rp/nC0
+            PunbLVRntpz+bOoyOk+xvKen+8b/Vwp+GYA2NBDbZSEY9H3YF5ugZBR/jUc8da7D
+            9EBA35udmQVKtD2XZrIyfhETC1eqLXORo0JKld5oC03JPkqvV+QpMF+8JBjXe1Cy
+            qI4pBmdhTJYFoJHpvMH7eC4CWgZZRMD5mB2nk1hYd9oIiYUPABfdeGxKiFnC8zHH
+            cEY3jgGzetZTxnpk2mxZvFMMwFqyOJA2PnwMTv3IraARkFrLxGzUIG4uOjo+l2fp
+            igOKsw9p46RR1gkuKF4u3yB3/1RloDyqGCU1/n4BCWy5/UkjSQpWKShZt3qMd2G2
+            A6si2zgSHIQ+ubR7MPB3Q3U/Rnw7pSbTbdDc73pZ2SPZfUuJplPSDUvXICGlj8cO
+            jO8s926qp4X9C4mi5um6EX5nLG+pfuKowIBdB2HWmxu2idwyrmNdlIgAcWcteazS
+            XgF9W6THXau4lEmrBqWEiC0K/9NA0cDJqRdvj6wqZ/OIAo86q3yRlm8yY8U7D00j
+            wNS8WSHq+EX0K9LpwQiHAJoxNXABEx/DbRqVeuLn2FaCocZigbvu3k/pePuOsK0=
+            =ZLl2
+            -----END PGP MESSAGE-----
+          fp: 91213ABAA73B0B73D3C02B5B4E5F372D17BBE67C
+        - created_at: "2024-08-09T01:28:41Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMAxjNhCKPP69fAQ//dCKpiens8kqp+I9HtwP2CQOVMLLAle1VYB7pJ5pfcyzI
+            /3tAmwcxBmg+jhkFiqheBQYV2yNmBMHc5ulx+MxSDKd9mzCTavlGlE+intPjON8k
+            sis68RnU5OFsnGVXSmJji1vN37cCY4jHkf2vYzz6HJ6FLPrda/W3ZfXI+ZnOCao5
+            wGYrqPcYUj+7gnN1S42HM492oqeCNLcENDvegf8AxtBEgfp7UQ0V3ZC0wZEYhz0V
+            p9bdivFoEZ3Zo0sJTWKj3Df3IA5T6c4dbSPj8r7IZ5iNDguKAjvegXujco7pow51
+            fNNJB02hnYHLMRAbeRqaWyJ7qUQSWbQEgb8NuonspnXnajKc/OddgoTN91gTRgMb
+            op2T3HOFv3lKZPA/xIeDZpIm6GqOW6eJLjqiLP39VGvvNRYg+zxhNg/ZBVkFuSAf
+            U5uDPUyIAr10zdm7NqJKL8wKRbQzBg5OYovrXqSl96+KNenJqbMNv1N7kfSF6FuF
+            x8joEDXIaBSwINE4oXD5SN7Z5L2SuuMJ2nvuXFmmXKerRlrBiGsBzUVMt1bGqKEU
+            KoAAwbInZ9SprSxqJ1EkSVXpNGnFFNlbBB1j2u9BoGygOkVM4ZxIS19DBDLG0Tls
+            Fq6GI5d3axcf7t024UmwcU9yaP1BzrV0bDvDg3X+Azuo5JqpT3pSUvqv+Sy1C3nS
+            XgHK1C7XTOfcvmcxJ1f++xELwRkgNo1OqSG3cIZ8i1tKZFKTyYCiNHa/ajSr+wER
+            4phM7Tdr6ubjLkqvDkMeXvtiGyUoAvbtLC0wqSaE8sEZ28eFGEAaECV/uOW81X0=
+            =0jv9
+            -----END PGP MESSAGE-----
+          fp: F38C9D4228FC6F674E322D9C3326D914EB9B8F55
+        - created_at: "2024-08-09T01:28:41Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA1Hthzn+T1OoAQ/9GTEI65w8icqppqTuvQD50vaR+lCY1NjWT0HekgvNuCLV
+            4gL1cYv7tJ5UU6jOnREoScamWnUTYf/sLINIfa+FgvH+apswQeQCFrdCb8/61/Xc
+            3hsJ8gwmguP1zJabKFI6/Yo3vPPa+kpj0Am6M7dUUxEKw4Lqy6Hc32O6ULNJOvdo
+            56oqr6KoemrpU0TzqkKTpgAZaQjFfVzPWfC8moUL1pvxrHm7rqDPiYcl7fZP3JFD
+            gQMZokH205u1elxiFxuQGtW8jbeBqCZUm1UorEgD2EJYEPfyphIaHaQnCpW8zXkI
+            gt9QT3cqJpGJAobCPbh6vKPtbGPEqZOzOaCMFl07pkOSGPAVGMVfV+FdsfszPYY6
+            Rqsk7zlCFv/iNFWKpkdfI66JLvhmgNwXRv+rkYzH3QrQikjLmAeTzyL69SPujgDK
+            qXBRZiAPwEDScr2Qcum36jDVrT3jRfC1opzwpRxM2ompJ0F6caBPNVjY10BScl7Y
+            RWVmkFrPL9MdEelFLscG17K+y5S/50sLcU+sGbMkmPsmizA0boK5XBXJz3cTadYy
+            Asr2b4aWTqBS5iW1vbWIGJVrUUk3U1S4fFaSvsL3I6O0E+sOB3eEEpQZqpF9Genr
+            hCE8GVE5yQWb3YYK0ZA7j4u+dwA+QfRIuQuMWFoRKp8oqEitjjix3je2R3u8/ILS
+            XgFcAp8Jh+VbnQg/pq92u3dX6afGv6nENpMVPn73yob+sfE5xUFEfEzE1E1WCWdR
+            HiLZVOgpVOYmo2s8/UW60hLNBULpqyf6ZTQsr7IqaGw4g+Ew116cwDawywRSJMg=
+            =T0nI
+            -----END PGP MESSAGE-----
+          fp: 5DA93D5C9D7320E1BD3522C79C78172B3551C9FD
+        - created_at: "2024-08-09T01:28:41Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA46L6MuPqfJqARAApsnPRzTCIkbKT6jaVHixgP6wyCjfVmvgb0NnMrN2Ygup
+            pafb6GNWoFq9WdiSqwFIJPZlZxJFiIgSxplDI63Wj1MgfvQBEnKUQvnvR+UtnB22
+            bGr9mIrq/wKgslhPLFB0qT81RK/GqJKvRNpI3trGmB1pBnDdb5jiFeDHStv41XrP
+            hezAvmDGBKlM74fehu0pKOanIspyvFAjs31NULSHGJGzBxyM6OGcg/XLt9ea6bI5
+            jHwu3+M/7nixjtaIdCtEFPv/Mdimq9p64+c6AvbEVikUH/omRebRFIRrJCotYENT
+            ak6/2F+Fze2cof6pJPaq1KTF7LQHi1ZaQ/N+YNDsMJIYYuX3lVg/ClEjeo5k1HJ4
+            Jc+ul2KF/dAh8UsJPIdhJDlxIPdnof7xBLax1xmOQTHpqsfhZe5BP/0KMeeXzG6s
+            TlozMaCY0ok4JiQmiJcs+TjHX+uiiih6Wi756v7qwpCk5u3/BM+veHB/slD5Xezn
+            KmuHzwcbaP1n5JlOtv1PLAPfqX9EDsAVr2xhYTBISZiIKXyfagUWzPNX6toYtBfV
+            cQ/m9nfc5/STna7XGucnKkYFG5U2a+olIqCcbbNkN4NcW5ly0M5g1VW3oh02NO8r
+            A/4aU8ECj+79XXx0XCuVojnkGdTT3SQex7bkV2stBpuc5xfESbuOMWXgK0qZrYrS
+            XgEfX0ySVVrCxhtJgsQvZl0zrOwIttomV6hlQgo+n23HNPwjEf4nf1p2sje0uPvb
+            bPC7u5y1eDdy5E0XyWkAg4hxPLg7yOj7ET84Bg9S3NE8cE0nM50qL0N6aCAb4II=
+            =Is94
+            -----END PGP MESSAGE-----
+          fp: 8996B62CBD159DCADD3B6DC08BB33A8ABCF7BC4A
+        - created_at: "2024-08-09T01:28:41Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA4EEKdYEzV0pAQ/7Bx/s7WlB9TE30vyqVWw6H4DoZS8s03Z21tDAtrUEK+k5
+            QtMPvAIE0SG4lXersM3L6VMmhvPQlwZf+zSzBnO0J5vacvMG8dch4/ZH7YTM0VX6
+            T0Ix9ScamEI8J5Fr1LAeBoqtTa8n1/3N2ILBVPRTTX5Wu4lSUw/voeePXAYxSSMv
+            9vzrxJNcRgzbd/8Fbo3i2vzn4GvrP1JzsprLrUMVFaek5khD0hRDJMM0IhBWFRRh
+            L241zX/IBZDQVz0x1QVUBFmkoUjyNn94CTezTmGvqCXfkLRmcKzTZXd0dhORBPFa
+            LygVSLdor0v5ru70rMds6YN5WvqbmG7KUY8M3gcVXutvID58vw6ZE83T8ZAYj9S5
+            r9hXegeb2e03tCvSrHmQFf37+298/E8/kBrBQgoevnHmm3p0yN3ZbrWLIRhbx2iF
+            NzL5s17PnGzmuSigoZERsN2Flx2fzUbtwVDP3AyLVpQ7NoqTZkJTcGQuvkYawnEa
+            3RxUQySR+a7bED38wJ6zEpVg10ye7c8mVkzQnda1Qp3lnPZxz+1qg1n25I9hjNO6
+            X1E8gtXx2EcwaoWcPO0W/sNBwE09SCM68KWSykwOLvZb5tq/HnhrwSisps5sAg9V
+            Z1c0OCwgJvYoTY46rqk7scN9YkE16LDCtAzgppZerli179E/f/7O3d59CA1mCEXS
+            XgHbdM2nxaBPCPgXXNRVq13R8JXiOokuxUZofwl6FaG8A6yc9z5F4Ygr/KKDeT0i
+            YMBezxQtQ5uKY0jIx5g2r6aSdly3QPNKiFS/rxDCrmtaBqw+OvhvLrnCn6IaRVY=
+            =XAoN
+            -----END PGP MESSAGE-----
+          fp: 9DFA033E3DAEBAD7FDD71B056C7AAA54BE05F7BA
+        - created_at: "2024-08-09T01:28:41Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hF4DQrf1tCqiJxoSAQdAFvRDMKG3Vjs98kRqcs4ep+bYoUcBHbMA7WgzI7CcaGQw
+            FjdmSwvWaHJZQGEbGk4uDHKPHqXRD3HnD9d75Azu2HXnCA29aU2c0zn0PziIi7Aa
+            0l4BbcavPKNBkZpJNgW0uII7xMYJWJ/9vStTxXG/WzNia6nk/Cv7PMJW7EwIeUga
+            +PWB4yGfPXgqJGnJj0H1EdCVPrM/+f19GcFxNKKzkGaKTyVTW9NxntlsFl1vbmRx
+            =YRc6
+            -----END PGP MESSAGE-----
+          fp: B71138A6A8964A3C3B8899857B4F70C356765BAB
+        - created_at: "2024-08-09T01:28:41Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMAzdAjw8ldn6CAQ/5ARLA8sAZHMwNhHJycVof+ZergR58hXCBjbIy5zgyAwYU
+            IJ5OwhTpWqniZjt0b9pvlzU4JO1k73B1WrF7mAYEOKET32GPVatrQ64yInQbORSZ
+            zNQgX3aQ8tEtyBsKAWqwqRjOaP6Plee6G0RCksJBAkjIZik0diTOBwi+ZhgYSRLE
+            G1NAETqMKkLleYQbUWCFNveJOd/7pfhE4xhAEaSxL3dgXNPV2TOngvjCqMXvz0K2
+            hEz6OYC8idpmAJv+S+HOaZbKV+giCopsPyFnbeu8jf1UpbsBRbHPnLOO6lLby2gf
+            2P9MhwSeMjjCZFX/ys8vHQ2jUwXK8jfW3xfVie4hVJgh6vO+uHcomjnk2b+34SRk
+            7ttoozLbMFxwrcP9trV0TgT2uzjFCe4fHccpY1VLTCX/O0eYtlhDhur0Wojp1z9v
+            h5mcqySEtJfHXJbTXkgMA2+QSyUaTTfvZ6oJqX3yAoq5eIzC0CcF+IMa6NS1XkY0
+            TNd3FEhwe7TvKGCy/3bJx6jMUnhT71r6KW/w7RVIHgdp1hfUS9JBhxVB+agQVyRv
+            +HBmvWHqUdwnFzotGRzLU1g6soWa+fRVQQ80qAi1U8e+u9IX3EG0KoIXLjpkvXxK
+            y520NcOdN4wR0xILPP/+47QDN+kM6lunm/EMgrff4YDE8J83qMhH2IP5s/tV023S
+            XgH1hiB0U4SYt0Rp6OGDV+CjBCFaCkPPlync/SVuXddfLC1owGlY9L3jwu7j2PR7
+            jy2jPPTWrOvT0wZKEh4k501LRb0n6LGqW6gDTgOnZKNg2iQ6jybv2HeyyExYllg=
+            =1o5H
+            -----END PGP MESSAGE-----
+          fp: 3D70F61E07F64EC4E4EF417BEFCD9D20F58784EF
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1
diff --git a/config/hosts/penpot/sops.nix b/config/hosts/penpot/sops.nix
new file mode 100644
index 0000000..b4548ed
--- /dev/null
+++ b/config/hosts/penpot/sops.nix
@@ -0,0 +1,7 @@
+{ ... }:
+
+{
+  sops = {
+    defaultSopsFile = ./secrets.yaml;
+  };
+}
diff --git a/deployment_configuration.json b/deployment_configuration.json
index eb59412..dd0f43d 100644
--- a/deployment_configuration.json
+++ b/deployment_configuration.json
@@ -29,6 +29,9 @@
     },
     "woodpecker": {
       "targetHostname": "woodpecker-intern.hamburg.ccc.de"
+    },
+    "penpot": {
+      "targetHostname": "penpot-intern.hamburg.ccc.de"
     }
   }
 }
diff --git a/flake.nix b/flake.nix
index 0eef08a..4e33852 100644
--- a/flake.nix
+++ b/flake.nix
@@ -234,6 +234,16 @@
             ./config/hosts/status
           ];
         };
+
+        penpot = nixpkgs.lib.nixosSystem {
+          inherit system;
+          modules = [
+            ./config/common
+            ./config/proxmox-vm
+            sops-nix.nixosModules.sops
+            ./config/hosts/penpot
+          ];
+        };
       };
 
       packages.x86_64-linux = {

From 5bbc8aa03e028023ce1992885e492504c92609ca Mon Sep 17 00:00:00 2001
From: djerun <djerun@hamburg.ccc.de>
Date: Sun, 11 Aug 2024 19:46:53 +0200
Subject: [PATCH 084/170] flake.lock: Update
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Flake lock file updates:

• Updated input 'nixos-generators':
    'github:nix-community/nixos-generators/076ea5b672bb1ea535ee84cfdabd0c2f0b7f20c7?narHash=sha256-i8BiZj5faQS6gsupE0S9xtiyZmWinGpVLwxXWV342aQ%3D' (2024-07-13)
  → 'github:nix-community/nixos-generators/d6c5d29f58acc10ea82afff1de2b28f038f572bd?narHash=sha256-HSxOQEKNZXiJe9aWnckTTCThOhcRCabwHa32IduDKLk%3D' (2024-08-08)
• Updated input 'nixos-generators/nixlib':
    'github:nix-community/nixpkgs.lib/1bba8a624b3b9d4f68db94fb63aaeb46039ce9e6?narHash=sha256-XFNKtyirrGNdehpg7lMNm1skEcBApjqGhaHc/OI95HY%3D' (2024-06-30)
  → 'github:nix-community/nixpkgs.lib/8bebd4c74f368aacb047f0141db09ec6b339733c?narHash=sha256-do2Mfm3T6SR7a5A804RhjQ%2BJTsF5hk4JTPGjCTRM/m8%3D' (2024-08-04)
• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/556533a23879fc7e5f98dd2e0b31a6911a213171?narHash=sha256-5NctRsoE54N86nWd0psae70YSLfrOek3Kv1e8KoXe/0%3D' (2024-07-21)
  → 'github:nixos/nixpkgs/c306d09c1dc6492442ae4af0d1ba575869c41fc3?narHash=sha256-aA1JNhFh97BHPTXoJvcvgG4VSyjx0U1wT2EivxMp77o%3D' (2024-08-10)
• Updated input 'nixpkgs-unstable':
    'github:nixos/nixpkgs/4cc8b29327bed3d52b40041f810f49734298af46?narHash=sha256-jfF4gpRUpTBY2OxDB0FRySsgNGOiuDckEtu7YDQom3Y%3D' (2024-07-21)
  → 'github:nixos/nixpkgs/bef98989a27429e1cb9e3d9c25701ba2da742af2?narHash=sha256-2B9qh8QBvw3kV/8cHc7ZJcrbVsRwP8wKjkwPXTSz76Y%3D' (2024-08-10)
• Updated input 'sops-nix':
    'github:Mic92/sops-nix/909e8cfb60d83321d85c8d17209d733658a21c95?narHash=sha256-AsvPw7T0tBLb53xZGcUC3YPqlIpdxoSx56u8vPCr6gU%3D' (2024-07-21)
  → 'github:Mic92/sops-nix/8ae477955dfd9cbf5fa4eb82a8db8ddbb94e79d9?narHash=sha256-3m/iyyjCdRBF8xyehf59QlckIcmShyTesymSb%2BN4Ap4%3D' (2024-08-05)
---
 flake.lock | 30 +++++++++++++++---------------
 1 file changed, 15 insertions(+), 15 deletions(-)

diff --git a/flake.lock b/flake.lock
index 8c5f72b..59d9cc4 100644
--- a/flake.lock
+++ b/flake.lock
@@ -2,11 +2,11 @@
   "nodes": {
     "nixlib": {
       "locked": {
-        "lastModified": 1719708727,
-        "narHash": "sha256-XFNKtyirrGNdehpg7lMNm1skEcBApjqGhaHc/OI95HY=",
+        "lastModified": 1722732880,
+        "narHash": "sha256-do2Mfm3T6SR7a5A804RhjQ+JTsF5hk4JTPGjCTRM/m8=",
         "owner": "nix-community",
         "repo": "nixpkgs.lib",
-        "rev": "1bba8a624b3b9d4f68db94fb63aaeb46039ce9e6",
+        "rev": "8bebd4c74f368aacb047f0141db09ec6b339733c",
         "type": "github"
       },
       "original": {
@@ -23,11 +23,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1720859326,
-        "narHash": "sha256-i8BiZj5faQS6gsupE0S9xtiyZmWinGpVLwxXWV342aQ=",
+        "lastModified": 1723078345,
+        "narHash": "sha256-HSxOQEKNZXiJe9aWnckTTCThOhcRCabwHa32IduDKLk=",
         "owner": "nix-community",
         "repo": "nixos-generators",
-        "rev": "076ea5b672bb1ea535ee84cfdabd0c2f0b7f20c7",
+        "rev": "d6c5d29f58acc10ea82afff1de2b28f038f572bd",
         "type": "github"
       },
       "original": {
@@ -38,11 +38,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1721524707,
-        "narHash": "sha256-5NctRsoE54N86nWd0psae70YSLfrOek3Kv1e8KoXe/0=",
+        "lastModified": 1723311493,
+        "narHash": "sha256-aA1JNhFh97BHPTXoJvcvgG4VSyjx0U1wT2EivxMp77o=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "556533a23879fc7e5f98dd2e0b31a6911a213171",
+        "rev": "c306d09c1dc6492442ae4af0d1ba575869c41fc3",
         "type": "github"
       },
       "original": {
@@ -70,11 +70,11 @@
     },
     "nixpkgs-unstable": {
       "locked": {
-        "lastModified": 1721571961,
-        "narHash": "sha256-jfF4gpRUpTBY2OxDB0FRySsgNGOiuDckEtu7YDQom3Y=",
+        "lastModified": 1723316219,
+        "narHash": "sha256-2B9qh8QBvw3kV/8cHc7ZJcrbVsRwP8wKjkwPXTSz76Y=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "4cc8b29327bed3d52b40041f810f49734298af46",
+        "rev": "bef98989a27429e1cb9e3d9c25701ba2da742af2",
         "type": "github"
       },
       "original": {
@@ -100,11 +100,11 @@
         "nixpkgs-stable": "nixpkgs-stable"
       },
       "locked": {
-        "lastModified": 1721531171,
-        "narHash": "sha256-AsvPw7T0tBLb53xZGcUC3YPqlIpdxoSx56u8vPCr6gU=",
+        "lastModified": 1722897572,
+        "narHash": "sha256-3m/iyyjCdRBF8xyehf59QlckIcmShyTesymSb+N4Ap4=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "909e8cfb60d83321d85c8d17209d733658a21c95",
+        "rev": "8ae477955dfd9cbf5fa4eb82a8db8ddbb94e79d9",
         "type": "github"
       },
       "original": {

From 9b751fa1edca02b5b8afaf8d2f2a0b0ce1ff7e17 Mon Sep 17 00:00:00 2001
From: dequis <dequis@dequis.org>
Date: Sat, 17 Aug 2024 00:15:27 +0200
Subject: [PATCH 085/170] spaceapid: add 3d printer state sensors (bool)

The schema only allows numeric values so I'm leaving the time to finish
field out of this for now.
---
 .../spaceapid-config/ccchh-dynamic.json       | 24 +++++++++++++++++++
 1 file changed, 24 insertions(+)

diff --git a/config/hosts/public-web-static/spaceapid-config/ccchh-dynamic.json b/config/hosts/public-web-static/spaceapid-config/ccchh-dynamic.json
index 885d339..6f951f9 100644
--- a/config/hosts/public-web-static/spaceapid-config/ccchh-dynamic.json
+++ b/config/hosts/public-web-static/spaceapid-config/ccchh-dynamic.json
@@ -24,6 +24,30 @@
             "club-assistant"
           ]
         }
+      ],
+      "3d_printer_state": [
+        {
+          "sensor_data": {
+            "unit": "bool",
+            "location": "Loetschlauch",
+            "name": "mk4",
+            "description": "Prusa mk4 state"
+          },
+          "allowed_credentials": [
+            "club-assistant"
+          ]
+        },
+        {
+          "sensor_data": {
+            "unit": "bool",
+            "location": "Loetschlauch",
+            "name": "mk3.5",
+            "description": "Prusa mk3.5 state"
+          },
+          "allowed_credentials": [
+            "club-assistant"
+          ]
+        }
       ]
     },
     "state": {

From 0395484ea910c39e85bd6f9065c3f6998769d5fc Mon Sep 17 00:00:00 2001
From: June <june@jsts.xyz>
Date: Mon, 19 Aug 2024 19:17:40 +0200
Subject: [PATCH 086/170] flake.lock: Update
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Flake lock file updates:

• Updated input 'nixos-generators':
    'github:nix-community/nixos-generators/d6c5d29f58acc10ea82afff1de2b28f038f572bd?narHash=sha256-HSxOQEKNZXiJe9aWnckTTCThOhcRCabwHa32IduDKLk%3D' (2024-08-08)
  → 'github:nix-community/nixos-generators/5fd22603892e4ec5ac6085058ed658243143aacd?narHash=sha256-U11ZiQPrpIBdv7oS23bNdX9GCxe/hPf/ARr64P2Wj1Y%3D' (2024-08-19)
• Updated input 'nixos-generators/nixlib':
    'github:nix-community/nixpkgs.lib/8bebd4c74f368aacb047f0141db09ec6b339733c?narHash=sha256-do2Mfm3T6SR7a5A804RhjQ%2BJTsF5hk4JTPGjCTRM/m8%3D' (2024-08-04)
  → 'github:nix-community/nixpkgs.lib/531a2e8416a6d8200a53eddfbdb8f2c8dc4a1251?narHash=sha256-QdSArN0xKESEOTcv%2B3kE6yu4B4WX9lupZ4%2BHtx3RXGg%3D' (2024-08-18)
• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/c306d09c1dc6492442ae4af0d1ba575869c41fc3?narHash=sha256-aA1JNhFh97BHPTXoJvcvgG4VSyjx0U1wT2EivxMp77o%3D' (2024-08-10)
  → 'github:nixos/nixpkgs/3f38e71a8e23a27569acbbfee0e83b76c86fa569?narHash=sha256-vAq%2BI0IWsIDq5RUc01t25iL46LLxdsmlTJ96A30bMEY%3D' (2024-08-18)
• Updated input 'nixpkgs-unstable':
    'github:nixos/nixpkgs/bef98989a27429e1cb9e3d9c25701ba2da742af2?narHash=sha256-2B9qh8QBvw3kV/8cHc7ZJcrbVsRwP8wKjkwPXTSz76Y%3D' (2024-08-10)
  → 'github:nixos/nixpkgs/ed434d7889eddb68002d81bc25212f26ff8f2862?narHash=sha256-tGRPGJKwczrM7793zaR74KnuYLMHArJvYXmGu8Wo9oI%3D' (2024-08-19)
• Updated input 'sops-nix':
    'github:Mic92/sops-nix/8ae477955dfd9cbf5fa4eb82a8db8ddbb94e79d9?narHash=sha256-3m/iyyjCdRBF8xyehf59QlckIcmShyTesymSb%2BN4Ap4%3D' (2024-08-05)
  → 'github:Mic92/sops-nix/be0eec2d27563590194a9206f551a6f73d52fa34?narHash=sha256-N9IcHgj/p1%2B2Pvk8P4Zc1bfrMwld5PcosVA0nL6IGdE%3D' (2024-08-12)
---
 flake.lock | 30 +++++++++++++++---------------
 1 file changed, 15 insertions(+), 15 deletions(-)

diff --git a/flake.lock b/flake.lock
index 59d9cc4..f9efcee 100644
--- a/flake.lock
+++ b/flake.lock
@@ -2,11 +2,11 @@
   "nodes": {
     "nixlib": {
       "locked": {
-        "lastModified": 1722732880,
-        "narHash": "sha256-do2Mfm3T6SR7a5A804RhjQ+JTsF5hk4JTPGjCTRM/m8=",
+        "lastModified": 1723942470,
+        "narHash": "sha256-QdSArN0xKESEOTcv+3kE6yu4B4WX9lupZ4+Htx3RXGg=",
         "owner": "nix-community",
         "repo": "nixpkgs.lib",
-        "rev": "8bebd4c74f368aacb047f0141db09ec6b339733c",
+        "rev": "531a2e8416a6d8200a53eddfbdb8f2c8dc4a1251",
         "type": "github"
       },
       "original": {
@@ -23,11 +23,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1723078345,
-        "narHash": "sha256-HSxOQEKNZXiJe9aWnckTTCThOhcRCabwHa32IduDKLk=",
+        "lastModified": 1724028932,
+        "narHash": "sha256-U11ZiQPrpIBdv7oS23bNdX9GCxe/hPf/ARr64P2Wj1Y=",
         "owner": "nix-community",
         "repo": "nixos-generators",
-        "rev": "d6c5d29f58acc10ea82afff1de2b28f038f572bd",
+        "rev": "5fd22603892e4ec5ac6085058ed658243143aacd",
         "type": "github"
       },
       "original": {
@@ -38,11 +38,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1723311493,
-        "narHash": "sha256-aA1JNhFh97BHPTXoJvcvgG4VSyjx0U1wT2EivxMp77o=",
+        "lastModified": 1724013388,
+        "narHash": "sha256-vAq+I0IWsIDq5RUc01t25iL46LLxdsmlTJ96A30bMEY=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "c306d09c1dc6492442ae4af0d1ba575869c41fc3",
+        "rev": "3f38e71a8e23a27569acbbfee0e83b76c86fa569",
         "type": "github"
       },
       "original": {
@@ -70,11 +70,11 @@
     },
     "nixpkgs-unstable": {
       "locked": {
-        "lastModified": 1723316219,
-        "narHash": "sha256-2B9qh8QBvw3kV/8cHc7ZJcrbVsRwP8wKjkwPXTSz76Y=",
+        "lastModified": 1724050343,
+        "narHash": "sha256-tGRPGJKwczrM7793zaR74KnuYLMHArJvYXmGu8Wo9oI=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "bef98989a27429e1cb9e3d9c25701ba2da742af2",
+        "rev": "ed434d7889eddb68002d81bc25212f26ff8f2862",
         "type": "github"
       },
       "original": {
@@ -100,11 +100,11 @@
         "nixpkgs-stable": "nixpkgs-stable"
       },
       "locked": {
-        "lastModified": 1722897572,
-        "narHash": "sha256-3m/iyyjCdRBF8xyehf59QlckIcmShyTesymSb+N4Ap4=",
+        "lastModified": 1723501126,
+        "narHash": "sha256-N9IcHgj/p1+2Pvk8P4Zc1bfrMwld5PcosVA0nL6IGdE=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "8ae477955dfd9cbf5fa4eb82a8db8ddbb94e79d9",
+        "rev": "be0eec2d27563590194a9206f551a6f73d52fa34",
         "type": "github"
       },
       "original": {

From b26320f99945212d730c70ab1fbb5ed8ca506a68 Mon Sep 17 00:00:00 2001
From: June <june@jsts.xyz>
Date: Tue, 27 Aug 2024 00:00:55 +0200
Subject: [PATCH 087/170] penpot: switch to stock penpot image and version
 2.1.3

Do that since it now has all the fixes applied we need.
---
 config/hosts/penpot/penpot.nix | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/config/hosts/penpot/penpot.nix b/config/hosts/penpot/penpot.nix
index 5567308..0629d1f 100644
--- a/config/hosts/penpot/penpot.nix
+++ b/config/hosts/penpot/penpot.nix
@@ -12,7 +12,7 @@ let
   # https://help.penpot.app/technical-guide/configuration/#common
   # https://github.com/penpot/penpot/commit/ea7ad2aaa096f8d190d740f693f22f3ed1f05088
   commonPenpotFlags = "disable-registration enable-oidc-registration disable-login-with-password enable-login-with-oidc";
-  penpotVersion = "2.1.2";
+  penpotVersion = "2.1.3";
 in
 {
   virtualisation.docker.enable = true;
@@ -21,7 +21,7 @@ in
     containers = {
       "penpot-frontend" = {
         autoStart = true;
-        image = "git.hamburg.ccc.de/ccchh/oci-images/penpot/frontend:${penpotVersion}";
+        image = "docker.io/penpotapp/frontend:${penpotVersion}";
         extraOptions = [ "--network=penpot" ];
         ports = [ "9001:80" ];
         volumes = [ "penpot_assets:/opt/data/assets" ];
@@ -39,7 +39,7 @@ in
 
       "penpot-backend" = {
         autoStart = true;
-        image = "git.hamburg.ccc.de/ccchh/oci-images/penpot/backend:${penpotVersion}";
+        image = "docker.io/penpotapp/backend:${penpotVersion}";
         extraOptions = [ "--network=penpot" ];
         volumes = [ "penpot_assets:/opt/data/assets" ];
         dependsOn = [
@@ -95,7 +95,7 @@ in
 
       "penpot-exporter" = {
         autoStart = true;
-        image = "git.hamburg.ccc.de/ccchh/oci-images/penpot/exporter:${penpotVersion}";
+        image = "docker.io/penpotapp/exporter:${penpotVersion}";
         extraOptions = [ "--network=penpot" ];
         environment = {
           # https://help.penpot.app/technical-guide/configuration/#exporter

From 1b755b4eab420532bfeafd62eae6506179d0ddfc Mon Sep 17 00:00:00 2001
From: June <june@jsts.xyz>
Date: Tue, 3 Sep 2024 15:38:18 +0200
Subject: [PATCH 088/170] flake.lock: Update
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Flake lock file updates:

• Updated input 'nixos-generators':
    'github:nix-community/nixos-generators/5fd22603892e4ec5ac6085058ed658243143aacd?narHash=sha256-U11ZiQPrpIBdv7oS23bNdX9GCxe/hPf/ARr64P2Wj1Y%3D' (2024-08-19)
  → 'github:nix-community/nixos-generators/8e337ce40421c4f33e7535aeb988d8e30fe067eb?narHash=sha256-LI%2BgI4qeVTQaS0vW6tn49RG%2Bf8cH1KBALaligCeHLog%3D' (2024-09-02)
• Updated input 'nixos-generators/nixlib':
    'github:nix-community/nixpkgs.lib/531a2e8416a6d8200a53eddfbdb8f2c8dc4a1251?narHash=sha256-QdSArN0xKESEOTcv%2B3kE6yu4B4WX9lupZ4%2BHtx3RXGg%3D' (2024-08-18)
  → 'github:nix-community/nixpkgs.lib/7f0b9e4fbd91826cb9ce6babbc11c87903191051?narHash=sha256-Tm344cnFM9f2YZsgWtJduvhIrvLr3Bi8J4Xc%2BUZDKYE%3D' (2024-09-01)
• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/3f38e71a8e23a27569acbbfee0e83b76c86fa569?narHash=sha256-vAq%2BI0IWsIDq5RUc01t25iL46LLxdsmlTJ96A30bMEY%3D' (2024-08-18)
  → 'github:nixos/nixpkgs/3524b030c839db4ea4ba16737789c6fb8a1769c6?narHash=sha256-w3sjCEbnc242ByJ18uebzgjFZY3QU7dZhmLwPsJIZJs%3D' (2024-09-01)
• Updated input 'nixpkgs-unstable':
    'github:nixos/nixpkgs/ed434d7889eddb68002d81bc25212f26ff8f2862?narHash=sha256-tGRPGJKwczrM7793zaR74KnuYLMHArJvYXmGu8Wo9oI%3D' (2024-08-19)
  → 'github:nixos/nixpkgs/2830c7c930311397d94c0b86a359c865c081c875?narHash=sha256-/HTUg%2BkMaqBPGrcQBYboAMsQHIWIkuKRDldss/035Hc%3D' (2024-09-03)
• Updated input 'sops-nix':
    'github:Mic92/sops-nix/be0eec2d27563590194a9206f551a6f73d52fa34?narHash=sha256-N9IcHgj/p1%2B2Pvk8P4Zc1bfrMwld5PcosVA0nL6IGdE%3D' (2024-08-12)
  → 'github:Mic92/sops-nix/5db5921e40ae382d6716dce591ea23b0a39d96f7?narHash=sha256-lj5pxOwidP0W//E7IvyhbhXrnEUW99I07%2BQpERnzTS4%3D' (2024-09-01)
---
 flake.lock | 30 +++++++++++++++---------------
 1 file changed, 15 insertions(+), 15 deletions(-)

diff --git a/flake.lock b/flake.lock
index f9efcee..c032a3f 100644
--- a/flake.lock
+++ b/flake.lock
@@ -2,11 +2,11 @@
   "nodes": {
     "nixlib": {
       "locked": {
-        "lastModified": 1723942470,
-        "narHash": "sha256-QdSArN0xKESEOTcv+3kE6yu4B4WX9lupZ4+Htx3RXGg=",
+        "lastModified": 1725152544,
+        "narHash": "sha256-Tm344cnFM9f2YZsgWtJduvhIrvLr3Bi8J4Xc+UZDKYE=",
         "owner": "nix-community",
         "repo": "nixpkgs.lib",
-        "rev": "531a2e8416a6d8200a53eddfbdb8f2c8dc4a1251",
+        "rev": "7f0b9e4fbd91826cb9ce6babbc11c87903191051",
         "type": "github"
       },
       "original": {
@@ -23,11 +23,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1724028932,
-        "narHash": "sha256-U11ZiQPrpIBdv7oS23bNdX9GCxe/hPf/ARr64P2Wj1Y=",
+        "lastModified": 1725298144,
+        "narHash": "sha256-LI+gI4qeVTQaS0vW6tn49RG+f8cH1KBALaligCeHLog=",
         "owner": "nix-community",
         "repo": "nixos-generators",
-        "rev": "5fd22603892e4ec5ac6085058ed658243143aacd",
+        "rev": "8e337ce40421c4f33e7535aeb988d8e30fe067eb",
         "type": "github"
       },
       "original": {
@@ -38,11 +38,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1724013388,
-        "narHash": "sha256-vAq+I0IWsIDq5RUc01t25iL46LLxdsmlTJ96A30bMEY=",
+        "lastModified": 1725198597,
+        "narHash": "sha256-w3sjCEbnc242ByJ18uebzgjFZY3QU7dZhmLwPsJIZJs=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "3f38e71a8e23a27569acbbfee0e83b76c86fa569",
+        "rev": "3524b030c839db4ea4ba16737789c6fb8a1769c6",
         "type": "github"
       },
       "original": {
@@ -70,11 +70,11 @@
     },
     "nixpkgs-unstable": {
       "locked": {
-        "lastModified": 1724050343,
-        "narHash": "sha256-tGRPGJKwczrM7793zaR74KnuYLMHArJvYXmGu8Wo9oI=",
+        "lastModified": 1725361206,
+        "narHash": "sha256-/HTUg+kMaqBPGrcQBYboAMsQHIWIkuKRDldss/035Hc=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "ed434d7889eddb68002d81bc25212f26ff8f2862",
+        "rev": "2830c7c930311397d94c0b86a359c865c081c875",
         "type": "github"
       },
       "original": {
@@ -100,11 +100,11 @@
         "nixpkgs-stable": "nixpkgs-stable"
       },
       "locked": {
-        "lastModified": 1723501126,
-        "narHash": "sha256-N9IcHgj/p1+2Pvk8P4Zc1bfrMwld5PcosVA0nL6IGdE=",
+        "lastModified": 1725201042,
+        "narHash": "sha256-lj5pxOwidP0W//E7IvyhbhXrnEUW99I07+QpERnzTS4=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "be0eec2d27563590194a9206f551a6f73d52fa34",
+        "rev": "5db5921e40ae382d6716dce591ea23b0a39d96f7",
         "type": "github"
       },
       "original": {

From cd8108fc9bc094acdd58bd5a05562c4bafd4a8cf Mon Sep 17 00:00:00 2001
From: djerun <djerun@hamburg.ccc.de>
Date: Mon, 23 Sep 2024 22:09:01 +0200
Subject: [PATCH 089/170] flake.lock: Update
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Flake lock file updates:

• Updated input 'nixos-generators':
    'github:nix-community/nixos-generators/8e337ce40421c4f33e7535aeb988d8e30fe067eb?narHash=sha256-LI%2BgI4qeVTQaS0vW6tn49RG%2Bf8cH1KBALaligCeHLog%3D' (2024-09-02)
  → 'github:nix-community/nixos-generators/e8c1cd886cc17e31e424f915efd32e84d8af0ce9?narHash=sha256-t/%2Bz1Tf7hSaStU1pBYkY7i0/GkG%2BYIPSmfeRrK8eYUw%3D' (2024-09-23)
• Updated input 'nixos-generators/nixlib':
    'github:nix-community/nixpkgs.lib/7f0b9e4fbd91826cb9ce6babbc11c87903191051?narHash=sha256-Tm344cnFM9f2YZsgWtJduvhIrvLr3Bi8J4Xc%2BUZDKYE%3D' (2024-09-01)
  → 'github:nix-community/nixpkgs.lib/575704ff85d3a41dc5bfef7b55380cbc7b87f3c2?narHash=sha256-25ByioeOBFcnitO5lM/Mufnv/u7YtHEHEM8QFuiS40k%3D' (2024-09-22)
• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/3524b030c839db4ea4ba16737789c6fb8a1769c6?narHash=sha256-w3sjCEbnc242ByJ18uebzgjFZY3QU7dZhmLwPsJIZJs%3D' (2024-09-01)
  → 'github:nixos/nixpkgs/7ca0f93c530406c1610defff0b9bf643333cf992?narHash=sha256-gXIWudYhY/4LjQPvrGn9lN4fbHjw/mf1mb9KKJK//4I%3D' (2024-09-23)
• Updated input 'nixpkgs-unstable':
    'github:nixos/nixpkgs/2830c7c930311397d94c0b86a359c865c081c875?narHash=sha256-/HTUg%2BkMaqBPGrcQBYboAMsQHIWIkuKRDldss/035Hc%3D' (2024-09-03)
  → 'github:nixos/nixpkgs/d266adc5a77ec8c10ed941c7251b2673004dbd62?narHash=sha256-m6kgjR4zAwyMe1Pn4RGXLCzArtoBp1qzhb2AUlPeVh4%3D' (2024-09-23)
• Updated input 'sops-nix':
    'github:Mic92/sops-nix/5db5921e40ae382d6716dce591ea23b0a39d96f7?narHash=sha256-lj5pxOwidP0W//E7IvyhbhXrnEUW99I07%2BQpERnzTS4%3D' (2024-09-01)
  → 'github:Mic92/sops-nix/e2d404a7ea599a013189aa42947f66cede0645c8?narHash=sha256-qis6BtOOBBEAfUl7FMHqqTwRLB61OL5OFzIsOmRz2J4%3D' (2024-09-16)
• Updated input 'sops-nix/nixpkgs-stable':
    'github:NixOS/nixpkgs/556533a23879fc7e5f98dd2e0b31a6911a213171?narHash=sha256-5NctRsoE54N86nWd0psae70YSLfrOek3Kv1e8KoXe/0%3D' (2024-07-21)
  → 'github:NixOS/nixpkgs/dc454045f5b5d814e5862a6d057e7bb5c29edc05?narHash=sha256-vNv%2BaJUW5/YurRy1ocfvs4q/48yVESwlC/yHzjkZSP8%3D' (2024-09-08)
---
 flake.lock | 36 ++++++++++++++++++------------------
 1 file changed, 18 insertions(+), 18 deletions(-)

diff --git a/flake.lock b/flake.lock
index c032a3f..5caae01 100644
--- a/flake.lock
+++ b/flake.lock
@@ -2,11 +2,11 @@
   "nodes": {
     "nixlib": {
       "locked": {
-        "lastModified": 1725152544,
-        "narHash": "sha256-Tm344cnFM9f2YZsgWtJduvhIrvLr3Bi8J4Xc+UZDKYE=",
+        "lastModified": 1726966855,
+        "narHash": "sha256-25ByioeOBFcnitO5lM/Mufnv/u7YtHEHEM8QFuiS40k=",
         "owner": "nix-community",
         "repo": "nixpkgs.lib",
-        "rev": "7f0b9e4fbd91826cb9ce6babbc11c87903191051",
+        "rev": "575704ff85d3a41dc5bfef7b55380cbc7b87f3c2",
         "type": "github"
       },
       "original": {
@@ -23,11 +23,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1725298144,
-        "narHash": "sha256-LI+gI4qeVTQaS0vW6tn49RG+f8cH1KBALaligCeHLog=",
+        "lastModified": 1727053438,
+        "narHash": "sha256-t/+z1Tf7hSaStU1pBYkY7i0/GkG+YIPSmfeRrK8eYUw=",
         "owner": "nix-community",
         "repo": "nixos-generators",
-        "rev": "8e337ce40421c4f33e7535aeb988d8e30fe067eb",
+        "rev": "e8c1cd886cc17e31e424f915efd32e84d8af0ce9",
         "type": "github"
       },
       "original": {
@@ -38,11 +38,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1725198597,
-        "narHash": "sha256-w3sjCEbnc242ByJ18uebzgjFZY3QU7dZhmLwPsJIZJs=",
+        "lastModified": 1727076372,
+        "narHash": "sha256-gXIWudYhY/4LjQPvrGn9lN4fbHjw/mf1mb9KKJK//4I=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "3524b030c839db4ea4ba16737789c6fb8a1769c6",
+        "rev": "7ca0f93c530406c1610defff0b9bf643333cf992",
         "type": "github"
       },
       "original": {
@@ -54,11 +54,11 @@
     },
     "nixpkgs-stable": {
       "locked": {
-        "lastModified": 1721524707,
-        "narHash": "sha256-5NctRsoE54N86nWd0psae70YSLfrOek3Kv1e8KoXe/0=",
+        "lastModified": 1725762081,
+        "narHash": "sha256-vNv+aJUW5/YurRy1ocfvs4q/48yVESwlC/yHzjkZSP8=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "556533a23879fc7e5f98dd2e0b31a6911a213171",
+        "rev": "dc454045f5b5d814e5862a6d057e7bb5c29edc05",
         "type": "github"
       },
       "original": {
@@ -70,11 +70,11 @@
     },
     "nixpkgs-unstable": {
       "locked": {
-        "lastModified": 1725361206,
-        "narHash": "sha256-/HTUg+kMaqBPGrcQBYboAMsQHIWIkuKRDldss/035Hc=",
+        "lastModified": 1727104955,
+        "narHash": "sha256-m6kgjR4zAwyMe1Pn4RGXLCzArtoBp1qzhb2AUlPeVh4=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "2830c7c930311397d94c0b86a359c865c081c875",
+        "rev": "d266adc5a77ec8c10ed941c7251b2673004dbd62",
         "type": "github"
       },
       "original": {
@@ -100,11 +100,11 @@
         "nixpkgs-stable": "nixpkgs-stable"
       },
       "locked": {
-        "lastModified": 1725201042,
-        "narHash": "sha256-lj5pxOwidP0W//E7IvyhbhXrnEUW99I07+QpERnzTS4=",
+        "lastModified": 1726524647,
+        "narHash": "sha256-qis6BtOOBBEAfUl7FMHqqTwRLB61OL5OFzIsOmRz2J4=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "5db5921e40ae382d6716dce591ea23b0a39d96f7",
+        "rev": "e2d404a7ea599a013189aa42947f66cede0645c8",
         "type": "github"
       },
       "original": {

From 445bf05842a7ee3f36361eb7907c715d90bc4799 Mon Sep 17 00:00:00 2001
From: June <june@jsts.xyz>
Date: Sat, 28 Sep 2024 05:00:31 +0200
Subject: [PATCH 090/170] public-web-static: host Easterhegg 20 website static
 export

---
 .../historic-easterhegg/default.nix           |  1 +
 .../virtualHosts/historic-easterhegg/eh20.nix | 86 +++++++++++++++++++
 2 files changed, 87 insertions(+)
 create mode 100644 config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh20.nix

diff --git a/config/hosts/public-web-static/virtualHosts/historic-easterhegg/default.nix b/config/hosts/public-web-static/virtualHosts/historic-easterhegg/default.nix
index f9805cf..fe53d04 100644
--- a/config/hosts/public-web-static/virtualHosts/historic-easterhegg/default.nix
+++ b/config/hosts/public-web-static/virtualHosts/historic-easterhegg/default.nix
@@ -7,5 +7,6 @@
     ./eh07.nix
     ./eh09.nix
     ./eh11.nix
+    ./eh20.nix
   ];
 }
\ No newline at end of file
diff --git a/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh20.nix b/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh20.nix
new file mode 100644
index 0000000..947791d
--- /dev/null
+++ b/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh20.nix
@@ -0,0 +1,86 @@
+{ pkgs, ... }:
+
+let
+  eh20 = pkgs.fetchgit {
+    url = "https://git.hamburg.ccc.de/CCCHH/easterhegg-eh20-website.git";
+    rev = "026932ef2f1fb85c99269e0fb547589a25d3687c";
+    hash = "sha256-YYxHhPYIioJgyHXNieoX6ibasHcNw/AFk+qCNSOxke4=";
+  };
+in
+{
+  security.acme.certs."eh20.easterhegg.eu".extraDomainNames = [
+    "www.eh20.easterhegg.eu"
+    "eh20.hamburg.ccc.de"
+  ];
+
+  services.nginx.virtualHosts = {
+    "acme-eh20.easterhegg.eu" = {
+      enableACME = true;
+      serverName = "eh20.easterhegg.eu";
+      serverAliases = [
+        "www.eh20.easterhegg.eu"
+        "eh20.hamburg.ccc.de"
+      ];
+      listen = [{
+        addr = "0.0.0.0";
+        port = 31820;
+      }];
+    };
+
+    "www.eh20.easterhegg.eu" = {
+      forceSSL = true;
+      useACMEHost = "eh20.easterhegg.eu";
+      serverAliases = [
+        "eh20.hamburg.ccc.de"
+      ];
+
+      listen = [{
+        addr = "0.0.0.0";
+        port = 8443;
+        ssl = true;
+        proxyProtocol = true;
+      }];
+
+      locations."/".return = "302 https://eh20.easterhegg.eu";
+
+      extraConfig = ''
+        # Make use of the ngx_http_realip_module to set the $remote_addr and
+        # $remote_port to the client address and client port, when using proxy
+        # protocol.
+        # First set our proxy protocol proxy as trusted.
+        set_real_ip_from 172.31.17.140;
+        # Then tell the realip_module to get the addreses from the proxy protocol
+        # header.
+        real_ip_header proxy_protocol;
+      '';
+    };
+
+    "eh20.easterhegg.eu" = {
+      forceSSL = true;
+      useACMEHost = "eh20.easterhegg.eu";
+
+      listen = [{
+        addr = "0.0.0.0";
+        port = 8443;
+        ssl = true;
+        proxyProtocol = true;
+      }];
+
+      locations."/" = {
+        index = "start.html";
+        root = "${eh20}/wiki_siteexport";
+      };
+
+      extraConfig = ''
+        # Make use of the ngx_http_realip_module to set the $remote_addr and
+        # $remote_port to the client address and client port, when using proxy
+        # protocol.
+        # First set our proxy protocol proxy as trusted.
+        set_real_ip_from 172.31.17.140;
+        # Then tell the realip_module to get the addreses from the proxy protocol
+        # header.
+        real_ip_header proxy_protocol;
+      '';
+    };
+  };
+}

From 68f11ad9550bd13b6a05cb3a88fbf57ad231271a Mon Sep 17 00:00:00 2001
From: June <june@jsts.xyz>
Date: Mon, 30 Sep 2024 23:20:06 +0200
Subject: [PATCH 091/170] mjolnir: allow use of deprecated, somewhat insecure
 libolm

Do this to be able to update the moderation bot and because the security
issues apparently aren't real world exploitable:
https://matrix.org/blog/2024/08/libolm-deprecation/
---
 config/hosts/mjolnir/mjolnir.nix | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/config/hosts/mjolnir/mjolnir.nix b/config/hosts/mjolnir/mjolnir.nix
index c9534f6..91b184f 100644
--- a/config/hosts/mjolnir/mjolnir.nix
+++ b/config/hosts/mjolnir/mjolnir.nix
@@ -5,6 +5,11 @@
 { ... }:
 
 {
+  # Allow deprecated, apparently somewhat insecure libolm to be able to update
+  # the moderation bot.
+  # The security issues aren't real world exploitable apparently:
+  # https://matrix.org/blog/2024/08/libolm-deprecation/
+  nixpkgs.config.permittedInsecurePackages = [ "olm-3.2.16" ];
   services.mjolnir = {
     enable = true;
     homeserverUrl = "https://matrix.hamburg.ccc.de";

From c54b655b0e3edfc88dfaf290fc7ee0b7c593dc18 Mon Sep 17 00:00:00 2001
From: June <june@jsts.xyz>
Date: Thu, 3 Oct 2024 16:09:42 +0200
Subject: [PATCH 092/170] all: setup prometheus node exporter for all hosts on
 Chaosknoten

Do that so we can have monitoring for them via prometheus, alertmanager
and grafana.
Also add a local ip for the git host for PVE firewalling.
---
 config/extra/prometheus-exporter.nix |  8 ++++++++
 config/hosts/git/networking.nix      |  4 ++++
 flake.nix                            | 10 ++++++++++
 3 files changed, 22 insertions(+)
 create mode 100644 config/extra/prometheus-exporter.nix

diff --git a/config/extra/prometheus-exporter.nix b/config/extra/prometheus-exporter.nix
new file mode 100644
index 0000000..46477ed
--- /dev/null
+++ b/config/extra/prometheus-exporter.nix
@@ -0,0 +1,8 @@
+{ ... }:
+
+{
+  services.prometheus.exporters.node = {
+    enable = true;
+    openFirewall = true;
+  };
+}
diff --git a/config/hosts/git/networking.nix b/config/hosts/git/networking.nix
index 688fff3..34159f9 100644
--- a/config/hosts/git/networking.nix
+++ b/config/hosts/git/networking.nix
@@ -11,6 +11,10 @@
           address = "212.12.51.136";
           prefixLength = 28;
         }
+        {
+          address = "172.31.17.154";
+          prefixLength = 25;
+        }
       ];
       ipv6.addresses = [
         {
diff --git a/flake.nix b/flake.nix
index 4e33852..106daa5 100644
--- a/flake.nix
+++ b/flake.nix
@@ -113,6 +113,7 @@
             ./config/common
             ./config/proxmox-vm
             sops-nix.nixosModules.sops
+            ./config/extra/prometheus-exporter.nix
             ./config/hosts/netbox
           ];
         };
@@ -123,6 +124,7 @@
             ./config/common
             ./config/proxmox-vm
             sops-nix.nixosModules.sops
+            ./config/extra/prometheus-exporter.nix
             ./config/hosts/matrix
           ];
         };
@@ -133,6 +135,7 @@
             ./config/common
             ./config/proxmox-vm
             sops-nix.nixosModules.sops
+            ./config/extra/prometheus-exporter.nix
             ./config/hosts/public-web-static
           ];
         };
@@ -143,6 +146,7 @@
             ./config/common
             ./config/proxmox-vm
             sops-nix.nixosModules.sops
+            ./config/extra/prometheus-exporter.nix
             ./config/hosts/git
           ];
         };
@@ -153,6 +157,7 @@
             ./config/common
             ./config/proxmox-vm
             sops-nix.nixosModules.sops
+            ./config/extra/prometheus-exporter.nix
             ./config/hosts/forgejo-actions-runner
           ];
         };
@@ -171,6 +176,7 @@
           modules = [
             ./config/common
             ./config/proxmox-vm
+            ./config/extra/prometheus-exporter.nix
             ./config/hosts/eh22-wiki
           ];
         };
@@ -180,6 +186,7 @@
           modules = [
             ./config/common
             ./config/proxmox-vm
+            ./config/extra/prometheus-exporter.nix
             ./config/hosts/nix-box-june
           ];
         };
@@ -208,6 +215,7 @@
             ./config/common
             ./config/proxmox-vm
             sops-nix.nixosModules.sops
+            ./config/extra/prometheus-exporter.nix
             ./config/hosts/mjolnir
           ];
         };
@@ -218,6 +226,7 @@
             ./config/common
             ./config/proxmox-vm
             sops-nix.nixosModules.sops
+            ./config/extra/prometheus-exporter.nix
             ./config/hosts/woodpecker
           ];
           specialArgs = {
@@ -241,6 +250,7 @@
             ./config/common
             ./config/proxmox-vm
             sops-nix.nixosModules.sops
+            ./config/extra/prometheus-exporter.nix
             ./config/hosts/penpot
           ];
         };

From 05b96b8fae4c2b8fab3194e9f1d49636a8570656 Mon Sep 17 00:00:00 2001
From: June <june@jsts.xyz>
Date: Wed, 9 Oct 2024 02:18:46 +0200
Subject: [PATCH 093/170] netbox: integrate with CCCHH ID (Keycloak)

---
 config/hosts/netbox/netbox.nix   | 18 +++++++++++++++++-
 config/hosts/netbox/secrets.yaml |  5 +++--
 2 files changed, 20 insertions(+), 3 deletions(-)

diff --git a/config/hosts/netbox/netbox.nix b/config/hosts/netbox/netbox.nix
index ff32349..e0f2df9 100644
--- a/config/hosts/netbox/netbox.nix
+++ b/config/hosts/netbox/netbox.nix
@@ -11,9 +11,19 @@
     enable = true;
     package = pkgs.netbox;
     secretKeyFile = "/run/secrets/netbox_secret_key";
+    keycloakClientSecret = "/run/secrets/netbox_keycloak_secret";
     settings = {
       ALLOWED_HOSTS = [ "netbox.hamburg.ccc.de" ];
       SESSION_COOKIE_SECURE = true;
+      # CCCHH ID (Keycloak) integration.
+      # https://github.com/python-social-auth/social-core/blob/0925304a9e437f8b729862687d3a808c7fb88a95/social_core/backends/keycloak.py#L7
+      # https://python-social-auth.readthedocs.io/en/latest/backends/keycloak.html
+      REMOTE_AUTH_BACKEND = "social_core.backends.keycloak.KeycloakOAuth2";
+      SOCIAL_AUTH_KEYCLOAK_KEY = "netbox";
+      # SOCIAL_AUTH_KEYCLOAK_SECRET set via keycloakClientSecret option.
+      SOCIAL_AUTH_KEYCLOAK_PUBLIC_KEY = "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAi/Shi+b2OyYNGVFPsa6qf9SesEpRl5U5rpwgmt8H7NawMvwpPUYVW9o46QW0ulYcDmysT3BzpP3tagO/SFNoOjZdYe0D9nJ7vEp8KHbzR09KCfkyQIi0wLssKnDotVHL5JeUY+iKk+gjiwF9FSFSHPBqsST7hXVAut9LkOvs2aDod9AzbTH/uYbt4wfUm5l/1Ii8D+K7YcsFGUIqxv4XS/ylKqObqN4M2dac69iIwapoh6reaBQEm66vrOzJ+3yi4DZuPrkShJqi2hddtoyZihyCkF+eJJKEI5LrBf1KZB3Ec2YUrqk93ZGUGs/XY6R87QSfR3hJ82B1wnF+c2pw+QIDAQAB";
+      SOCIAL_AUTH_KEYCLOAK_AUTHORIZATION_URL = "https://id.hamburg.ccc.de/realms/ccchh/protocol/openid-connect/auth";
+      SOCIAL_AUTH_KEYCLOAK_ACCESS_TOKEN_URL = "https://id.hamburg.ccc.de/realms/ccchh/protocol/openid-connect/token";
     };
   };
 
@@ -21,6 +31,12 @@
     mode = "0440";
     owner = "netbox";
     group = "netbox";
-    restartUnits = [ "netbox.service" ];
+    restartUnits = [ "netbox.service" "netbox-rq.service" ];
+  };
+  sops.secrets."netbox_keycloak_secret" = {
+    mode = "0440";
+    owner = "netbox";
+    group = "netbox";
+    restartUnits = [ "netbox.service" "netbox-rq.service" ];
   };
 }
diff --git a/config/hosts/netbox/secrets.yaml b/config/hosts/netbox/secrets.yaml
index 6f9e3e5..831a7a1 100644
--- a/config/hosts/netbox/secrets.yaml
+++ b/config/hosts/netbox/secrets.yaml
@@ -1,4 +1,5 @@
 netbox_secret_key: ENC[AES256_GCM,data:7cVGSlrCo3MEjeLjfeZrL0VZi3+yZqsC3qI+rx+xadic78H0egWCCNaYEHIgtilgFjw=,iv:gnearzPduWcrVLU/FuzS05eNPZ5srX0hqZyElq+19ek=,tag:9MKgFb4eVYE6a5ncx9sgpw==,type:str]
+netbox_keycloak_secret: ENC[AES256_GCM,data:WLPCwl6KmHhyGwpqchZUmTr0XwA1T9asAEXNOSQMfGU=,iv:fsO+Ho18Uz6+y2iohbve1bUKhCR/c2zNrbODR2Jrh3Q=,tag:MWeh7GhdyUJnSzrndA3l3Q==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -14,8 +15,8 @@ sops:
             V1lQK3YzTWI5ZGdyeGtFQ0E3QXQ3YnMK8sBStC8xBKwpeWkF/HrryWi0hZA69nuw
             a73HiZuED8KEp5OPME3yC6Ode71uEEaE/av2zp7WUYbCqVpWnwcjSg==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-05-26T01:07:35Z"
-    mac: ENC[AES256_GCM,data:0zWNPrUqpuC/qXOaTE8ayrTbnZdg9VA2NqxSNnV0bogqxVkg8zhbx8OKYfNQ0DswjxKNEnKsqjp62gA678VfRfGHJU5ZoHfAC7kBbrkDy+pMzS6LRwT+7n0C1AbaaG7hienGJQsx2gUUYqu7OSQuS722lXAw65deFvZGtL6lt8E=,iv:mOLkzF5pJFazmH9XX94Hjd04FcgSh0hY4juEO3vKNBc=,tag:lSk0lnVONQCmuO0KmxlL0Q==,type:str]
+    lastmodified: "2024-10-08T23:54:23Z"
+    mac: ENC[AES256_GCM,data:6KwBwJ1uTuOaCTcBs9sgvX+E/bV37ylJmDqYupa3545ba5Y3VMuF2Hx72zzRYPmh5/DmwzDxc/f7TZUheO5jwwwMGGNCYuX2c+nkzLgtovT/yCXTo8vPHNf03fQRHlOq28ztQIG8Ug1s/t4XkA+iuqPdbvyNKLbsJfJBqg4SF44=,iv:SUXPFtW3/pSTBnjAh77G6pJTucHy4VEhUVkELiMJ4JU=,tag:SfLCwPpJuvL7RrIRmN5PGg==,type:str]
     pgp:
         - created_at: "2024-05-26T01:07:22Z"
           enc: |-

From da8e2bbbf44ee77f34c9a239bb157b4650b08c7e Mon Sep 17 00:00:00 2001
From: c6ristian <c6ristian@christian.moe>
Date: Thu, 10 Oct 2024 20:50:20 +0200
Subject: [PATCH 094/170] Update element to 1.11.80

---
 .../public-web-static/virtualHosts/element.hamburg.ccc.de.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/config/hosts/public-web-static/virtualHosts/element.hamburg.ccc.de.nix b/config/hosts/public-web-static/virtualHosts/element.hamburg.ccc.de.nix
index 0d7792b..5f0792f 100644
--- a/config/hosts/public-web-static/virtualHosts/element.hamburg.ccc.de.nix
+++ b/config/hosts/public-web-static/virtualHosts/element.hamburg.ccc.de.nix
@@ -1,10 +1,10 @@
 { pkgs, ... }:
 
 let
-  elementWebVersion = "1.11.68";
+  elementWebVersion = "1.11.80";
   element-web = pkgs.fetchzip {
     url = "https://github.com/vector-im/element-web/releases/download/v${elementWebVersion}/element-v${elementWebVersion}.tar.gz";
-    sha256 = "sha256-SsEvc+TWyJG6YPBcyQm9mqQVUegqIcspxSGuL3TzVeY=";
+    sha256 = "sha256-sudWmNehxGsbZTNirTkoWQ/Bln1DC1CI30wocw9VoH8=";
   };
   elementSecurityHeaders = ''
     # Configuration best practices

From 804094aaeb676552379cb4b823ed76b21add63b7 Mon Sep 17 00:00:00 2001
From: June <june@jsts.xyz>
Date: Sat, 12 Oct 2024 20:03:04 +0200
Subject: [PATCH 095/170] public-web-static: add hackertours.hamburg.ccc.de
 static web host

It can be deployed using a corresponding deploy key in the same manner
hacker.tours and hamburg.ccc.de can be deployed.
---
 .../virtualHosts/default.nix                  |  1 +
 .../hackertours.hamburg.ccc.de.nix            | 63 +++++++++++++++++++
 2 files changed, 64 insertions(+)
 create mode 100644 config/hosts/public-web-static/virtualHosts/hackertours.hamburg.ccc.de.nix

diff --git a/config/hosts/public-web-static/virtualHosts/default.nix b/config/hosts/public-web-static/virtualHosts/default.nix
index c78cf8b..814c29c 100644
--- a/config/hosts/public-web-static/virtualHosts/default.nix
+++ b/config/hosts/public-web-static/virtualHosts/default.nix
@@ -6,6 +6,7 @@
     ./c3cat.de.nix
     ./element.hamburg.ccc.de.nix
     ./hacker.tours.nix
+    ./hackertours.hamburg.ccc.de.nix
     ./hamburg.ccc.de.nix
     ./spaceapi.hamburg.ccc.de.nix
     ./staging.hacker.tours.nix
diff --git a/config/hosts/public-web-static/virtualHosts/hackertours.hamburg.ccc.de.nix b/config/hosts/public-web-static/virtualHosts/hackertours.hamburg.ccc.de.nix
new file mode 100644
index 0000000..14aed40
--- /dev/null
+++ b/config/hosts/public-web-static/virtualHosts/hackertours.hamburg.ccc.de.nix
@@ -0,0 +1,63 @@
+{ pkgs, ... }:
+
+let
+  domain = "hackertours.hamburg.ccc.de";
+  dataDir = "/var/www/${domain}";
+  deployUser = "ht-ccchh-website-deploy";
+in {
+  services.nginx.virtualHosts = {
+    "acme-${domain}" = {
+      enableACME = true;
+      serverName = "${domain}";
+
+      listen = [
+        {
+          addr = "0.0.0.0";
+          port = 31820;
+        }
+      ];
+    };
+
+    "${domain}" = {
+      forceSSL = true;
+      useACMEHost = "${domain}";
+
+      listen = [
+        {
+          addr = "0.0.0.0";
+          port = 8443;
+          ssl = true;
+          proxyProtocol = true;
+        }
+      ];
+
+      root = "${dataDir}";
+
+      extraConfig = ''
+        # Make use of the ngx_http_realip_module to set the $remote_addr and
+        # $remote_port to the client address and client port, when using proxy
+        # protocol.
+        # First set our proxy protocol proxy as trusted.
+        set_real_ip_from 172.31.17.140;
+        # Then tell the realip_module to get the addreses from the proxy protocol
+        # header.
+        real_ip_header proxy_protocol;
+
+        error_page 404 /404.html;
+      '';
+    };
+  };
+
+  systemd.tmpfiles.rules = [
+    "d ${dataDir} 0755 ${deployUser} ${deployUser}"
+  ];
+
+  users.users."${deployUser}" = {
+    isNormalUser = true;
+    group = "${deployUser}";
+    openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILxMnllgRD6W85IQ0WrVJSwr7dKM8PLNK4pmGaJRu0OR deploy key for hackertours.hamburg.ccc.de"
+    ];
+  };
+  users.groups."${deployUser}" = { };
+}

From 2fe65b0513f7105eb4cdf3bcd7ddd0b80275ad3d Mon Sep 17 00:00:00 2001
From: June <june@jsts.xyz>
Date: Sat, 12 Oct 2024 22:14:42 +0200
Subject: [PATCH 096/170] public-web-static: add staging for
 hackertours.hamburg.ccc.de

---
 .../virtualHosts/default.nix                  |  1 +
 .../staging.hackertours.hamburg.ccc.de.nix    | 56 +++++++++++++++++++
 2 files changed, 57 insertions(+)
 create mode 100644 config/hosts/public-web-static/virtualHosts/staging.hackertours.hamburg.ccc.de.nix

diff --git a/config/hosts/public-web-static/virtualHosts/default.nix b/config/hosts/public-web-static/virtualHosts/default.nix
index 814c29c..dac4fa4 100644
--- a/config/hosts/public-web-static/virtualHosts/default.nix
+++ b/config/hosts/public-web-static/virtualHosts/default.nix
@@ -10,6 +10,7 @@
     ./hamburg.ccc.de.nix
     ./spaceapi.hamburg.ccc.de.nix
     ./staging.hacker.tours.nix
+    ./staging.hackertours.hamburg.ccc.de.nix
     ./staging.hamburg.ccc.de.nix
     ./www.hamburg.ccc.de.nix
     ./historic-easterhegg
diff --git a/config/hosts/public-web-static/virtualHosts/staging.hackertours.hamburg.ccc.de.nix b/config/hosts/public-web-static/virtualHosts/staging.hackertours.hamburg.ccc.de.nix
new file mode 100644
index 0000000..11b9e9b
--- /dev/null
+++ b/config/hosts/public-web-static/virtualHosts/staging.hackertours.hamburg.ccc.de.nix
@@ -0,0 +1,56 @@
+{ pkgs, ... }:
+
+let
+  domain = "staging.hackertours.hamburg.ccc.de";
+  dataDir = "/var/www/${domain}";
+  deployUser = "ht-ccchh-website-deploy";
+in {
+  services.nginx.virtualHosts = {
+    "acme-${domain}" = {
+      enableACME = true;
+      serverName = "${domain}";
+
+      listen = [
+        {
+          addr = "0.0.0.0";
+          port = 31820;
+        }
+      ];
+    };
+
+    "${domain}" = {
+      forceSSL = true;
+      useACMEHost = "${domain}";
+
+      listen = [
+        {
+          addr = "0.0.0.0";
+          port = 8443;
+          ssl = true;
+          proxyProtocol = true;
+        }
+      ];
+
+      root = "${dataDir}";
+
+      extraConfig = ''
+        # Make use of the ngx_http_realip_module to set the $remote_addr and
+        # $remote_port to the client address and client port, when using proxy
+        # protocol.
+        # First set our proxy protocol proxy as trusted.
+        set_real_ip_from 172.31.17.140;
+        # Then tell the realip_module to get the addreses from the proxy protocol
+        # header.
+        real_ip_header proxy_protocol;
+
+        error_page 404 /404.html;
+      '';
+    };
+  };
+
+  systemd.tmpfiles.rules = [
+    "d ${dataDir} 0755 ${deployUser} ${deployUser}"
+  ];
+
+  # Hackertours CCCHH deploy user already defined in hackertours.hamburg.ccc.de.nix.
+}

From de2390c78d3b3b52729a8d1dc8c7367c45c3a009 Mon Sep 17 00:00:00 2001
From: Stefan Bethke <stb@lassitu.de>
Date: Sun, 13 Oct 2024 17:21:57 +0200
Subject: [PATCH 097/170] public-web-static: redirect old hackertours 37C3 urls
 to proper url

---
 .../virtualHosts/hackertours.hamburg.ccc.de.nix              | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/config/hosts/public-web-static/virtualHosts/hackertours.hamburg.ccc.de.nix b/config/hosts/public-web-static/virtualHosts/hackertours.hamburg.ccc.de.nix
index 14aed40..2077ca7 100644
--- a/config/hosts/public-web-static/virtualHosts/hackertours.hamburg.ccc.de.nix
+++ b/config/hosts/public-web-static/virtualHosts/hackertours.hamburg.ccc.de.nix
@@ -44,6 +44,11 @@ in {
         real_ip_header proxy_protocol;
 
         error_page 404 /404.html;
+
+        port_in_redirect off;
+
+        rewrite ^/(de|en)/tours$ /$1/37c3 redirect;
+        rewrite ^/(de|en)/tours/(.*)$ /$1/37c3/$2 redirect;
       '';
     };
   };

From ecdaa2d5f6ac726b26996f3f37b9818f7951b748 Mon Sep 17 00:00:00 2001
From: June <june@jsts.xyz>
Date: Sun, 13 Oct 2024 22:09:20 +0200
Subject: [PATCH 098/170] public-web-static: redirect EH20
 doku.php?id=$pagename to new format

See:
https://git.hamburg.ccc.de/CCCHH/easterhegg-eh20-website/issues/2#issuecomment-952
---
 .../virtualHosts/historic-easterhegg/eh20.nix                | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh20.nix b/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh20.nix
index 947791d..afc93c1 100644
--- a/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh20.nix
+++ b/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh20.nix
@@ -71,6 +71,11 @@ in
         root = "${eh20}/wiki_siteexport";
       };
 
+      # redirect doku.php?id=$pagename to /$pagename.html
+      locations."/doku.php" = {
+        return = "301 $scheme://$host/$arg_id.html";
+      };
+
       extraConfig = ''
         # Make use of the ngx_http_realip_module to set the $remote_addr and
         # $remote_port to the client address and client port, when using proxy

From 8165d2215973565f6e5aa13771b8aeaebb68053c Mon Sep 17 00:00:00 2001
From: June <june@jsts.xyz>
Date: Mon, 21 Oct 2024 21:30:36 +0200
Subject: [PATCH 099/170] public-web-static: prevent staging ht ccchh from
 search machine indexing

---
 .../virtualHosts/staging.hackertours.hamburg.ccc.de.nix     | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/config/hosts/public-web-static/virtualHosts/staging.hackertours.hamburg.ccc.de.nix b/config/hosts/public-web-static/virtualHosts/staging.hackertours.hamburg.ccc.de.nix
index 11b9e9b..4b71d53 100644
--- a/config/hosts/public-web-static/virtualHosts/staging.hackertours.hamburg.ccc.de.nix
+++ b/config/hosts/public-web-static/virtualHosts/staging.hackertours.hamburg.ccc.de.nix
@@ -33,6 +33,12 @@ in {
 
       root = "${dataDir}";
 
+      # Disallow *, since this is staging and doesn't need to be in any search
+      # results.
+      locations."/robots.txt" = {
+        return = "200 \"User-agent: *\\nDisallow: *\\n\"";
+      };
+
       extraConfig = ''
         # Make use of the ngx_http_realip_module to set the $remote_addr and
         # $remote_port to the client address and client port, when using proxy

From accd31173bc6eda4e4430e45b3f1e2aa37581ad0 Mon Sep 17 00:00:00 2001
From: June <june@jsts.xyz>
Date: Mon, 21 Oct 2024 21:35:10 +0200
Subject: [PATCH 100/170] public-web-static: turn off ports to prevent broken
 redirects to 8443

---
 config/hosts/public-web-static/virtualHosts/hamburg.ccc.de.nix  | 2 ++
 .../public-web-static/virtualHosts/staging.hamburg.ccc.de.nix   | 2 ++
 2 files changed, 4 insertions(+)

diff --git a/config/hosts/public-web-static/virtualHosts/hamburg.ccc.de.nix b/config/hosts/public-web-static/virtualHosts/hamburg.ccc.de.nix
index 1d8eef1..b70f74a 100644
--- a/config/hosts/public-web-static/virtualHosts/hamburg.ccc.de.nix
+++ b/config/hosts/public-web-static/virtualHosts/hamburg.ccc.de.nix
@@ -94,6 +94,8 @@
         real_ip_header proxy_protocol;
 
         error_page 404 /404.html;
+
+        port_in_redirect off;
       '';
     };
   };
diff --git a/config/hosts/public-web-static/virtualHosts/staging.hamburg.ccc.de.nix b/config/hosts/public-web-static/virtualHosts/staging.hamburg.ccc.de.nix
index a36a099..f7e0752 100644
--- a/config/hosts/public-web-static/virtualHosts/staging.hamburg.ccc.de.nix
+++ b/config/hosts/public-web-static/virtualHosts/staging.hamburg.ccc.de.nix
@@ -44,6 +44,8 @@
         # Then tell the realip_module to get the addreses from the proxy protocol
         # header.
         real_ip_header proxy_protocol;
+
+        port_in_redirect off;
       '';
     };
   };

From 9d1521c485e786dd87aea0d4e703fe97813acc65 Mon Sep 17 00:00:00 2001
From: dequis <dequis@dequis.org>
Date: Sat, 17 Aug 2024 23:09:19 +0200
Subject: [PATCH 101/170] spaceapid: adjustments to 3d printer state sensors

- Prefix sensor names with ext_ as the spec says we should use that for
  extensions (this also improves attribute access for tools that don't
  like fields starting with a number)
- Rename printer state to printer busy state, to make it clearer.
- Add ext_3d_printer_minutes_remaining sensors
---
 .../spaceapid-config/ccchh-dynamic.json       | 30 +++++++++++++++++--
 1 file changed, 27 insertions(+), 3 deletions(-)

diff --git a/config/hosts/public-web-static/spaceapid-config/ccchh-dynamic.json b/config/hosts/public-web-static/spaceapid-config/ccchh-dynamic.json
index 6f951f9..2b1309f 100644
--- a/config/hosts/public-web-static/spaceapid-config/ccchh-dynamic.json
+++ b/config/hosts/public-web-static/spaceapid-config/ccchh-dynamic.json
@@ -25,13 +25,13 @@
           ]
         }
       ],
-      "3d_printer_state": [
+      "ext_3d_printer_busy_state": [
         {
           "sensor_data": {
             "unit": "bool",
             "location": "Loetschlauch",
             "name": "mk4",
-            "description": "Prusa mk4 state"
+            "description": "Prusa mk4 busy state"
           },
           "allowed_credentials": [
             "club-assistant"
@@ -42,7 +42,31 @@
             "unit": "bool",
             "location": "Loetschlauch",
             "name": "mk3.5",
-            "description": "Prusa mk3.5 state"
+            "description": "Prusa mk3.5 busy state"
+          },
+          "allowed_credentials": [
+            "club-assistant"
+          ]
+        }
+      ],
+      "ext_3d_printer_minutes_remaining": [
+        {
+          "sensor_data": {
+            "unit": "minutes_remaining",
+            "location": "Loetschlauch",
+            "name": "mk4",
+            "description": "Prusa mk4 minutes remaining"
+          },
+          "allowed_credentials": [
+            "club-assistant"
+          ]
+        },
+        {
+          "sensor_data": {
+            "unit": "minutes_remaining",
+            "location": "Loetschlauch",
+            "name": "mk3.5",
+            "description": "Prusa mk3.5 minutes remaining"
           },
           "allowed_credentials": [
             "club-assistant"

From fefff391b7e9d60aafc37682dbc723567d3eec4a Mon Sep 17 00:00:00 2001
From: June <june@jsts.xyz>
Date: Tue, 29 Oct 2024 21:30:16 +0100
Subject: [PATCH 102/170] add hydraJobs for packages and nixosConfigurations

---
 flake.nix | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/flake.nix b/flake.nix
index 106daa5..0b43bda 100644
--- a/flake.nix
+++ b/flake.nix
@@ -23,7 +23,7 @@
     };
   };
 
-  outputs = { nixpkgs, nixpkgs-unstable, nixos-generators, sops-nix, ... }:
+  outputs = { self, nixpkgs, nixpkgs-unstable, nixos-generators, sops-nix, ... }:
     let
       system = "x86_64-linux";
       # Shairport Sync 4.3.1 (with nqptp 1.2.4) with metadata, MQTT and AirPlay 2 support.
@@ -280,5 +280,10 @@
       };
 
       formatter.x86_64-linux = nixpkgs.legacyPackages.x86_64-linux.nixpkgs-fmt;
+
+      hydraJobs = {
+        inherit (self) packages;
+        nixosConfigurations = builtins.mapAttrs (name: value: value.config.system.build.toplevel) self.nixosConfigurations;
+      };
     };
 }

From ec64eebfd6c3b006b7ff5d5c3bda750cf04a5662 Mon Sep 17 00:00:00 2001
From: June <june@jsts.xyz>
Date: Tue, 29 Oct 2024 23:17:31 +0100
Subject: [PATCH 103/170] common: use pkgs.fetchgit and git commit hash for
 authorized keys repo

Do this to be in line with other places, where resources get fetched
using git and to hopefully avoid errors such as:
Cannot find Git revision 'da9d3ead9d97ce0fef7538638326264957e2f1b4' in ref 'trunk' of repository 'ssh://forgejo@git.hamburg.ccc.de/CCCHH/infrastructure-authorized-keys.git'! Please make sure that the rev exists on the ref you've specified or add allRefs = true; to fetchGit.
This issue was discovered while trying to make the new hydra work.
---
 config/common/users.nix | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/config/common/users.nix b/config/common/users.nix
index ab29904..59682c4 100644
--- a/config/common/users.nix
+++ b/config/common/users.nix
@@ -9,10 +9,10 @@
 { config, pkgs, lib, ... }:
 
 let
-  authorizedKeysRepo = builtins.fetchGit {
-    url = "forgejo@git.hamburg.ccc.de:CCCHH/infrastructure-authorized-keys.git";
-    ref = "trunk";
-    rev = "da9d3ead9d97ce0fef7538638326264957e2f1b4";
+  authorizedKeysRepo = pkgs.fetchgit {
+    url = "https://git.hamburg.ccc.de/CCCHH/infrastructure-authorized-keys";
+    rev = "b6a29dc7af0a45a8c0b4904290c7cb0c5bc51413";
+    hash = "sha256-c0aH0wQeJtfXJG5wAbS6aO8yILLI1NNkFAHAeOm8RXA=";
   };
   authorizedKeys = builtins.filter (item: item != "") (lib.strings.splitString "\n" (builtins.readFile "${authorizedKeysRepo}/authorized_keys"));
 in

From 4f789adb21480b6dd1103c1f3e7cb3015c775b64 Mon Sep 17 00:00:00 2001
From: June <june@jsts.xyz>
Date: Wed, 30 Oct 2024 01:44:12 +0100
Subject: [PATCH 104/170] hydra: configure hydra host

---
 config/hosts/hydra/configuration.nix |  9 +++++
 config/hosts/hydra/default.nix       | 11 ++++++
 config/hosts/hydra/hydra.nix         | 15 +++++++
 config/hosts/hydra/networking.nix    | 22 +++++++++++
 config/hosts/hydra/nginx.nix         | 58 ++++++++++++++++++++++++++++
 config/hosts/hydra/nix.nix           | 10 +++++
 deployment_configuration.json        |  3 ++
 flake.nix                            | 10 +++++
 8 files changed, 138 insertions(+)
 create mode 100644 config/hosts/hydra/configuration.nix
 create mode 100644 config/hosts/hydra/default.nix
 create mode 100644 config/hosts/hydra/hydra.nix
 create mode 100644 config/hosts/hydra/networking.nix
 create mode 100644 config/hosts/hydra/nginx.nix
 create mode 100644 config/hosts/hydra/nix.nix

diff --git a/config/hosts/hydra/configuration.nix b/config/hosts/hydra/configuration.nix
new file mode 100644
index 0000000..a4c612e
--- /dev/null
+++ b/config/hosts/hydra/configuration.nix
@@ -0,0 +1,9 @@
+{ ... }:
+
+{
+  networking = {
+    hostName = "hydra";
+  };
+
+  system.stateVersion = "24.05";
+}
diff --git a/config/hosts/hydra/default.nix b/config/hosts/hydra/default.nix
new file mode 100644
index 0000000..f621711
--- /dev/null
+++ b/config/hosts/hydra/default.nix
@@ -0,0 +1,11 @@
+{ ... }:
+
+{
+  imports = [
+    ./configuration.nix
+    ./hydra.nix
+    ./networking.nix
+    ./nginx.nix
+    ./nix.nix
+  ];
+}
diff --git a/config/hosts/hydra/hydra.nix b/config/hosts/hydra/hydra.nix
new file mode 100644
index 0000000..f315710
--- /dev/null
+++ b/config/hosts/hydra/hydra.nix
@@ -0,0 +1,15 @@
+{ ... }:
+
+{
+  services.hydra = {
+    enable = true;
+    listenHost = "localhost";
+    port = 3000;
+    hydraURL = "https://hydra.hamburg.ccc.de/";
+    # E-Mail configuration requires some work/investigation still.
+    notificationSender = "no-reply@hydra.hamburg.ccc.de";
+    useSubstitutes = true;
+    minimumDiskFree = 8;
+    minimumDiskFreeEvaluator = 2;
+  };
+}
diff --git a/config/hosts/hydra/networking.nix b/config/hosts/hydra/networking.nix
new file mode 100644
index 0000000..82cec55
--- /dev/null
+++ b/config/hosts/hydra/networking.nix
@@ -0,0 +1,22 @@
+{ ... }:
+
+{
+  networking = {
+    interfaces.net0 = {
+      ipv4.addresses = [
+        {
+          address = "172.31.17.163";
+          prefixLength = 25;
+        }
+      ];
+    };
+    defaultGateway = "172.31.17.129";
+    nameservers = [ "212.12.50.158" "192.76.134.90" ];
+    search = [ "hamburg.ccc.de" ];
+  };
+
+  systemd.network.links."10-net0" = {
+    matchConfig.MACAddress = "BC:24:11:45:7C:D6";
+    linkConfig.Name = "net0";
+  };
+}
diff --git a/config/hosts/hydra/nginx.nix b/config/hosts/hydra/nginx.nix
new file mode 100644
index 0000000..49ca2e1
--- /dev/null
+++ b/config/hosts/hydra/nginx.nix
@@ -0,0 +1,58 @@
+{ config, pkgs, ... }:
+
+let
+  domain = "hydra.hamburg.ccc.de";
+in
+{
+  services.nginx = {
+    enable = true;
+
+    virtualHosts = {
+      "acme-${domain}" = {
+        default = true;
+        enableACME = true;
+        serverName = "${domain}";
+
+        listen = [
+          {
+            addr = "0.0.0.0";
+            port = 31820;
+          }
+        ];
+      };
+
+      "${domain}" = {
+        default = true;
+        forceSSL = true;
+        useACMEHost = "${domain}";
+
+        listen = [
+          {
+            addr = "0.0.0.0";
+            port = 8443;
+            ssl = true;
+            proxyProtocol = true;
+          }
+        ];
+
+        locations."/" = {
+          proxyPass = "http://${config.services.hydra.listenHost}:${builtins.toString config.services.hydra.port}";
+        };
+
+        extraConfig = ''
+          # Make use of the ngx_http_realip_module to set the $remote_addr and
+          # $remote_port to the client address and client port, when using proxy
+          # protocol.
+          # First set our proxy protocol proxy as trusted.
+          set_real_ip_from 172.31.17.140;
+          # Then tell the realip_module to get the addreses from the proxy protocol
+          # header.
+          real_ip_header proxy_protocol;
+        '';
+      };
+    };
+  };
+
+  networking.firewall.allowedTCPPorts = [ 8443 31820 ];
+  networking.firewall.allowedUDPPorts = [ 8443 ];
+}
diff --git a/config/hosts/hydra/nix.nix b/config/hosts/hydra/nix.nix
new file mode 100644
index 0000000..b95e469
--- /dev/null
+++ b/config/hosts/hydra/nix.nix
@@ -0,0 +1,10 @@
+{ ... }:
+
+{
+  # Allow Hydra to fetch flake inputs.
+  nix.settings.allowed-uris = [
+    "github:"
+    "https://github.com/"
+    "https://git.hamburg.ccc.de/"
+  ];
+}
diff --git a/deployment_configuration.json b/deployment_configuration.json
index dd0f43d..20b9f00 100644
--- a/deployment_configuration.json
+++ b/deployment_configuration.json
@@ -32,6 +32,9 @@
     },
     "penpot": {
       "targetHostname": "penpot-intern.hamburg.ccc.de"
+    },
+    "hydra": {
+      "targetHostname": "hydra-intern.hamburg.ccc.de"
     }
   }
 }
diff --git a/flake.nix b/flake.nix
index 0b43bda..a6d9a0a 100644
--- a/flake.nix
+++ b/flake.nix
@@ -254,6 +254,16 @@
             ./config/hosts/penpot
           ];
         };
+
+        hydra = nixpkgs.lib.nixosSystem {
+          inherit system;
+          modules = [
+            ./config/common
+            ./config/proxmox-vm
+            ./config/extra/prometheus-exporter.nix
+            ./config/hosts/hydra
+          ];
+        };
       };
 
       packages.x86_64-linux = {

From 9d9b8ede025afc838ee6122a728e6b83e5f8e140 Mon Sep 17 00:00:00 2001
From: djerun <djerun@hamburg.ccc.de>
Date: Sat, 2 Nov 2024 00:12:24 +0100
Subject: [PATCH 105/170] flake.lock: Update
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Flake lock file updates:

• Updated input 'nixos-generators':
    'github:nix-community/nixos-generators/e8c1cd886cc17e31e424f915efd32e84d8af0ce9?narHash=sha256-t/%2Bz1Tf7hSaStU1pBYkY7i0/GkG%2BYIPSmfeRrK8eYUw%3D' (2024-09-23)
  → 'github:nix-community/nixos-generators/7c60ba4bc8d6aa2ba3e5b0f6ceb9fc07bc261565?narHash=sha256-s93LPHi5BN7I2xSGNAFWiYb8WRsPvT1LE9ZjZBrpFlg%3D' (2024-10-21)
• Updated input 'nixos-generators/nixlib':
    'github:nix-community/nixpkgs.lib/575704ff85d3a41dc5bfef7b55380cbc7b87f3c2?narHash=sha256-25ByioeOBFcnitO5lM/Mufnv/u7YtHEHEM8QFuiS40k%3D' (2024-09-22)
  → 'github:nix-community/nixpkgs.lib/cce4521b6df014e79a7b7afc58c703ed683c916e?narHash=sha256-hUP9oxmnOmNnKcDOf5Y55HQ%2BNnoT0%2BbLWHLQWLLw9Ks%3D' (2024-10-20)
• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/7ca0f93c530406c1610defff0b9bf643333cf992?narHash=sha256-gXIWudYhY/4LjQPvrGn9lN4fbHjw/mf1mb9KKJK//4I%3D' (2024-09-23)
  → 'github:nixos/nixpkgs/38edd08881ce4dc24056eec173b43587a93c990f?narHash=sha256-fLLUd2dO/Vnf96UDr8YPzerYi%2Bn99l3S5yIUDnmcPBE%3D' (2024-11-01)
• Updated input 'nixpkgs-unstable':
    'github:nixos/nixpkgs/d266adc5a77ec8c10ed941c7251b2673004dbd62?narHash=sha256-m6kgjR4zAwyMe1Pn4RGXLCzArtoBp1qzhb2AUlPeVh4%3D' (2024-09-23)
  → 'github:nixos/nixpkgs/ab464abbeb3a2833288c6e907488c49c2e599f88?narHash=sha256-Hlv3rTPxnO%2BDpKRXw9yjzERLdk05h7%2BfEbZxWM2taCw%3D' (2024-11-01)
• Updated input 'sops-nix':
    'github:Mic92/sops-nix/e2d404a7ea599a013189aa42947f66cede0645c8?narHash=sha256-qis6BtOOBBEAfUl7FMHqqTwRLB61OL5OFzIsOmRz2J4%3D' (2024-09-16)
  → 'github:Mic92/sops-nix/1666d16426abe79af5c47b7c0efa82fd31bf4c56?narHash=sha256-qm0uCtM9bg97LeJTKQ8dqV/FvqRN%2BompyW4GIJruLuw%3D' (2024-10-27)
• Updated input 'sops-nix/nixpkgs-stable':
    'github:NixOS/nixpkgs/dc454045f5b5d814e5862a6d057e7bb5c29edc05?narHash=sha256-vNv%2BaJUW5/YurRy1ocfvs4q/48yVESwlC/yHzjkZSP8%3D' (2024-09-08)
  → 'github:NixOS/nixpkgs/cd3e8833d70618c4eea8df06f95b364b016d4950?narHash=sha256-knnVBGfTCZlQgxY1SgH0vn2OyehH9ykfF8geZgS95bk%3D' (2024-10-26)
---
 flake.lock | 36 ++++++++++++++++++------------------
 1 file changed, 18 insertions(+), 18 deletions(-)

diff --git a/flake.lock b/flake.lock
index 5caae01..24f50dd 100644
--- a/flake.lock
+++ b/flake.lock
@@ -2,11 +2,11 @@
   "nodes": {
     "nixlib": {
       "locked": {
-        "lastModified": 1726966855,
-        "narHash": "sha256-25ByioeOBFcnitO5lM/Mufnv/u7YtHEHEM8QFuiS40k=",
+        "lastModified": 1729386149,
+        "narHash": "sha256-hUP9oxmnOmNnKcDOf5Y55HQ+NnoT0+bLWHLQWLLw9Ks=",
         "owner": "nix-community",
         "repo": "nixpkgs.lib",
-        "rev": "575704ff85d3a41dc5bfef7b55380cbc7b87f3c2",
+        "rev": "cce4521b6df014e79a7b7afc58c703ed683c916e",
         "type": "github"
       },
       "original": {
@@ -23,11 +23,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1727053438,
-        "narHash": "sha256-t/+z1Tf7hSaStU1pBYkY7i0/GkG+YIPSmfeRrK8eYUw=",
+        "lastModified": 1729472750,
+        "narHash": "sha256-s93LPHi5BN7I2xSGNAFWiYb8WRsPvT1LE9ZjZBrpFlg=",
         "owner": "nix-community",
         "repo": "nixos-generators",
-        "rev": "e8c1cd886cc17e31e424f915efd32e84d8af0ce9",
+        "rev": "7c60ba4bc8d6aa2ba3e5b0f6ceb9fc07bc261565",
         "type": "github"
       },
       "original": {
@@ -38,11 +38,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1727076372,
-        "narHash": "sha256-gXIWudYhY/4LjQPvrGn9lN4fbHjw/mf1mb9KKJK//4I=",
+        "lastModified": 1730428893,
+        "narHash": "sha256-fLLUd2dO/Vnf96UDr8YPzerYi+n99l3S5yIUDnmcPBE=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "7ca0f93c530406c1610defff0b9bf643333cf992",
+        "rev": "38edd08881ce4dc24056eec173b43587a93c990f",
         "type": "github"
       },
       "original": {
@@ -54,11 +54,11 @@
     },
     "nixpkgs-stable": {
       "locked": {
-        "lastModified": 1725762081,
-        "narHash": "sha256-vNv+aJUW5/YurRy1ocfvs4q/48yVESwlC/yHzjkZSP8=",
+        "lastModified": 1729973466,
+        "narHash": "sha256-knnVBGfTCZlQgxY1SgH0vn2OyehH9ykfF8geZgS95bk=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "dc454045f5b5d814e5862a6d057e7bb5c29edc05",
+        "rev": "cd3e8833d70618c4eea8df06f95b364b016d4950",
         "type": "github"
       },
       "original": {
@@ -70,11 +70,11 @@
     },
     "nixpkgs-unstable": {
       "locked": {
-        "lastModified": 1727104955,
-        "narHash": "sha256-m6kgjR4zAwyMe1Pn4RGXLCzArtoBp1qzhb2AUlPeVh4=",
+        "lastModified": 1730449684,
+        "narHash": "sha256-Hlv3rTPxnO+DpKRXw9yjzERLdk05h7+fEbZxWM2taCw=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "d266adc5a77ec8c10ed941c7251b2673004dbd62",
+        "rev": "ab464abbeb3a2833288c6e907488c49c2e599f88",
         "type": "github"
       },
       "original": {
@@ -100,11 +100,11 @@
         "nixpkgs-stable": "nixpkgs-stable"
       },
       "locked": {
-        "lastModified": 1726524647,
-        "narHash": "sha256-qis6BtOOBBEAfUl7FMHqqTwRLB61OL5OFzIsOmRz2J4=",
+        "lastModified": 1729999681,
+        "narHash": "sha256-qm0uCtM9bg97LeJTKQ8dqV/FvqRN+ompyW4GIJruLuw=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "e2d404a7ea599a013189aa42947f66cede0645c8",
+        "rev": "1666d16426abe79af5c47b7c0efa82fd31bf4c56",
         "type": "github"
       },
       "original": {

From 4fc8e31df086b34f5de37d41b5aa8396cf682207 Mon Sep 17 00:00:00 2001
From: jopejoe1 <johannes@joens.email>
Date: Sat, 2 Nov 2024 22:39:24 +0100
Subject: [PATCH 106/170] Remove version lock for shairport-sync

The current version in nixpkgs is newer than the one we are currently locking, the nqptp fix was also already in nixpkgs.

Co-authored-by: c6ristian <c6ristian@christian.moe>
---
 flake.nix                                 | 36 ++---------------------
 modules/services/audio/default.nix        |  1 -
 modules/services/audio/librespot.nix      |  4 +--
 modules/services/audio/networking.nix     | 16 ----------
 modules/services/audio/shairport-sync.nix |  2 +-
 5 files changed, 5 insertions(+), 54 deletions(-)
 delete mode 100644 modules/services/audio/networking.nix

diff --git a/flake.nix b/flake.nix
index a6d9a0a..b787f78 100644
--- a/flake.nix
+++ b/flake.nix
@@ -26,50 +26,18 @@
   outputs = { self, nixpkgs, nixpkgs-unstable, nixos-generators, sops-nix, ... }:
     let
       system = "x86_64-linux";
-      # Shairport Sync 4.3.1 (with nqptp 1.2.4) with metadata, MQTT and AirPlay 2 support.
       shairportSync431ExtendedNixpkgsUnstableOverlay = final: prev: {
         shairport-sync = (prev.shairport-sync.override { enableMetadata = true; enableAirplay2 = true; }).overrideAttrs (finalAttr: previousAttr: {
           # See: https://github.com/mikebrady/shairport-sync/blob/e78a88b64adfe7b5f88fd6faedf55c57445bb240/CONFIGURATION%20FLAGS.md
           configureFlags = previousAttr.configureFlags ++ [ "--with-mqtt-client" ];
           buildInputs = previousAttr.buildInputs ++ [ final.mosquitto ];
-          # Use specific Shairport Sync and nqptp versions, since with those the
-          # following error doesn't happen:
-          # fatal error: The nqptp service on this system, which is required for
-          # Shairport Sync to operate, does not seem to be initialised.
-          #
-          # Also use a more recent dev version to fix Pipewire stuttering issue.
-          # See:
-          # https://github.com/mikebrady/shairport-sync/issues/1736
-          # https://github.com/mikebrady/shairport-sync/blob/a65ec2d7f1f380bbae196d7f8f1cd6a88ef5777b/RELEASENOTES-DEVELOPMENT.md#version-432-dev-51-g98679bbb
-          src = final.fetchFromGitHub {
-            owner = "mikebrady";
-            repo = finalAttr.pname;
-            rev = "98679bbb54f5aaeda859e34aa28425647b8d179e";
-            hash = "sha256-k0kcgtWk2xlG34lP0ryEaqdskYMNM68YnIRLwFR3jaY=";
-          };
-        });
-        nqptp = prev.nqptp.overrideAttrs (finalAttr: previousAttr: {
-          # See Shairport Sync version note.
-          src = final.fetchFromGitHub {
-            owner = "mikebrady";
-            repo = finalAttr.pname;
-            rev = "1.2.4";
-            hash = "sha256-roTNcr3v2kzE6vQ5plAVtlw1+2yJplltOYsGGibtoZo=";
-          };
-          # Custom install phase to avoid setcap.
-          # See:
-          # https://github.com/mikebrady/nqptp/blob/1.2.4/Makefile.am#L23
-          installPhase = ''
-            mkdir -p $out/bin
-            cp nqptp $out/bin/
-          '';
         });
       };
       pkgs-unstable = nixpkgs-unstable.legacyPackages."x86_64-linux";
     in
     {
       nixosConfigurations = {
-        audio-hauptraum-kueche = nixpkgs-unstable.lib.nixosSystem {
+        audio-hauptraum-kueche = nixpkgs.lib.nixosSystem {
           inherit system;
           modules = [
             ./config/common
@@ -79,7 +47,7 @@
           ];
         };
 
-        audio-hauptraum-tafel = nixpkgs-unstable.lib.nixosSystem {
+        audio-hauptraum-tafel = nixpkgs.lib.nixosSystem {
           inherit system;
           modules = [
             ./config/common
diff --git a/modules/services/audio/default.nix b/modules/services/audio/default.nix
index ccd7527..f9aa6b3 100644
--- a/modules/services/audio/default.nix
+++ b/modules/services/audio/default.nix
@@ -12,7 +12,6 @@ in
   imports = [
     ./librespot.nix
     ./mpd.nix
-    ./networking.nix
     ./pipewire.nix
     ./shairport-sync.nix
   ];
diff --git a/modules/services/audio/librespot.nix b/modules/services/audio/librespot.nix
index fa4e9ed..4c0fadb 100644
--- a/modules/services/audio/librespot.nix
+++ b/modules/services/audio/librespot.nix
@@ -23,7 +23,7 @@ in
         After = [ "network-online.target" "pipewire.service" ];
       };
       serviceConfig = {
-        ExecStart = "${pkgs.librespot}/bin/librespot --name '${config.ccchh.services.audio.name}' --device-type speaker --bitrate 320 --enable-volume-normalisation --disable-audio-cache --disable-credential-cache --quiet";
+        ExecStart = "${pkgs.librespot}/bin/librespot --name '${config.ccchh.services.audio.name}' --device-type speaker --bitrate 320 --enable-volume-normalisation --disable-audio-cache --disable-credential-cache";
         User = "librespot";
         Group = "librespot";
       };
@@ -34,7 +34,7 @@ in
       users.librespot = {
         isSystemUser = true;
         group = "librespot";
-        extraGroups = [ "pipewire" ];
+        extraGroups = [ "pipewire" "audio" ];
       };
       groups.librespot = { };
     };
diff --git a/modules/services/audio/networking.nix b/modules/services/audio/networking.nix
deleted file mode 100644
index b0fbf22..0000000
--- a/modules/services/audio/networking.nix
+++ /dev/null
@@ -1,16 +0,0 @@
-{ config, pkgs, lib, ... }:
-
-with lib;
-
-let
-
-  cfg = config.ccchh.services.audio;
-
-in
-
-{
-  config = mkIf cfg.enable {
-    # Disable IPv6, since Shairport-Sync doesn't work with IPv6. Unclear why.
-    networking.enableIPv6 = false;
-  };
-}
diff --git a/modules/services/audio/shairport-sync.nix b/modules/services/audio/shairport-sync.nix
index 1f04862..cbc58e7 100644
--- a/modules/services/audio/shairport-sync.nix
+++ b/modules/services/audio/shairport-sync.nix
@@ -20,7 +20,7 @@ in
       arguments = "-o pw -v";
     };
 
-    users.users.shairport.extraGroups = [ "pipewire" ];
+    users.users.shairport.extraGroups = [ "pipewire" "audio" ];
 
     environment.etc.shairport-sync-config = {
       enable = true;

From c8e7bd1ccfd1b23f8dce95b36a0ec7cab471cfc2 Mon Sep 17 00:00:00 2001
From: June <june@jsts.xyz>
Date: Sun, 10 Nov 2024 19:26:26 +0100
Subject: [PATCH 107/170] git: enable sending of e-mails to watchers of
 repositories

---
 config/hosts/git/forgejo.nix | 1 +
 1 file changed, 1 insertion(+)

diff --git a/config/hosts/git/forgejo.nix b/config/hosts/git/forgejo.nix
index bb7099f..d7e7c1b 100644
--- a/config/hosts/git/forgejo.nix
+++ b/config/hosts/git/forgejo.nix
@@ -45,6 +45,7 @@
         DEFAULT_USER_VISIBILITY = "limited";
         DEFAULT_KEEP_EMAIL_PRIVATE = true;
         ENABLE_BASIC_AUTHENTICATION = false;
+        ENABLE_NOTIFY_MAIL = true;
       };
       repo = {
         DEFAULT_REPO_UNITS = "repo.code,repo.issues,repo.pulls";

From 2ba371f8cd0a97e5f95765cc0b09dfe113638e0f Mon Sep 17 00:00:00 2001
From: June <june@jsts.xyz>
Date: Sun, 10 Nov 2024 19:38:05 +0100
Subject: [PATCH 108/170] git: disable making org users auto watch new repos on
 creation

Also explicitly disable making users auto watch repos after their first
commit to it.
---
 config/hosts/git/forgejo.nix | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/config/hosts/git/forgejo.nix b/config/hosts/git/forgejo.nix
index d7e7c1b..a57a37f 100644
--- a/config/hosts/git/forgejo.nix
+++ b/config/hosts/git/forgejo.nix
@@ -46,6 +46,8 @@
         DEFAULT_KEEP_EMAIL_PRIVATE = true;
         ENABLE_BASIC_AUTHENTICATION = false;
         ENABLE_NOTIFY_MAIL = true;
+        AUTO_WATCH_NEW_REPOS = false;
+        AUTO_WATCH_ON_CHANGES = false;
       };
       repo = {
         DEFAULT_REPO_UNITS = "repo.code,repo.issues,repo.pulls";

From ff1a12846afa1fc25cd9a98f3e31eceb954b2b09 Mon Sep 17 00:00:00 2001
From: c6ristian <c6ristian@christian.moe>
Date: Tue, 11 Jun 2024 23:19:13 +0200
Subject: [PATCH 109/170] Add how to generate the NixOS Proxmox VE templates

---
 README.md | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/README.md b/README.md
index b55e1f2..f7ae196 100644
--- a/README.md
+++ b/README.md
@@ -62,3 +62,14 @@ This is exactly what we're doing to set the default deployment user to `colmena-
    };
    ```
    This secret would then be available under `/run/secrets/forgejo_git_smtp_password` on the host.
+
+## Build NixOS Proxmox VE Template
+
+Build a now NixOS Proxmox VE Template for the thinkcccore's
+```shell
+nix build .#proxmox-nixos-template
+```
+Build a now NixOS Proxmox VE Template for the chaosknoten
+```shell
+nix build .#proxmox-chaosknoten-nixos-template
+```
\ No newline at end of file

From 1fcd8c64215c2f59617e17d21e806ae15fcf823c Mon Sep 17 00:00:00 2001
From: c6ristian <c6ristian@christian.moe>
Date: Sat, 22 Jun 2024 15:56:13 +0200
Subject: [PATCH 110/170] fix typo and writing improvement

---
 README.md | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/README.md b/README.md
index f7ae196..bd3a29a 100644
--- a/README.md
+++ b/README.md
@@ -65,11 +65,11 @@ This is exactly what we're doing to set the default deployment user to `colmena-
 
 ## Build NixOS Proxmox VE Template
 
-Build a now NixOS Proxmox VE Template for the thinkcccore's
+Build a new NixOS Proxmox VE Template for the thinkcccore's:
 ```shell
 nix build .#proxmox-nixos-template
 ```
-Build a now NixOS Proxmox VE Template for the chaosknoten
+Build a new NixOS Proxmox VE Template for the chaosknoten:
 ```shell
 nix build .#proxmox-chaosknoten-nixos-template
-```
\ No newline at end of file
+```

From afb4fc71cef9691a56fc1afc8eb80dbd289faf91 Mon Sep 17 00:00:00 2001
From: c6ristian <c6ristian@christian.moe>
Date: Sun, 10 Nov 2024 23:10:50 +0100
Subject: [PATCH 111/170] Update infrastructure-authorized-keys rev

---
 config/common/users.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/config/common/users.nix b/config/common/users.nix
index 59682c4..026929b 100644
--- a/config/common/users.nix
+++ b/config/common/users.nix
@@ -11,8 +11,8 @@
 let
   authorizedKeysRepo = pkgs.fetchgit {
     url = "https://git.hamburg.ccc.de/CCCHH/infrastructure-authorized-keys";
-    rev = "b6a29dc7af0a45a8c0b4904290c7cb0c5bc51413";
-    hash = "sha256-c0aH0wQeJtfXJG5wAbS6aO8yILLI1NNkFAHAeOm8RXA=";
+    rev = "686a6af22f6696f0c0595c56f463c078550049fc";
+    hash = "sha256-plTYjM6zPzoBE/dp6EUrk9mCqmab278p8FqBCTX8Grc=";
   };
   authorizedKeys = builtins.filter (item: item != "") (lib.strings.splitString "\n" (builtins.readFile "${authorizedKeysRepo}/authorized_keys"));
 in

From 33b2cbf5d098c87db3904740ad27c803055547ec Mon Sep 17 00:00:00 2001
From: c6ristian <c6ristian@christian.moe>
Date: Sun, 10 Nov 2024 23:14:58 +0100
Subject: [PATCH 112/170] flake.lock: Update
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Flake lock file updates:

• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/38edd08881ce4dc24056eec173b43587a93c990f' (2024-11-01)
  → 'github:nixos/nixpkgs/11f65b4b0405cff5b54c813626bddcf5435d7ad2' (2024-11-09)
• Updated input 'nixpkgs-unstable':
    'github:nixos/nixpkgs/ab464abbeb3a2833288c6e907488c49c2e599f88' (2024-11-01)
  → 'github:nixos/nixpkgs/8aed22ecd71e5b67e5299efae8b9dc580dec711c' (2024-11-10)
• Updated input 'sops-nix':
    'github:Mic92/sops-nix/1666d16426abe79af5c47b7c0efa82fd31bf4c56' (2024-10-27)
  → 'github:Mic92/sops-nix/f1675e3b0e1e663a4af49be67ecbc9e749f85eb7' (2024-11-10)
• Updated input 'sops-nix/nixpkgs-stable':
    'github:NixOS/nixpkgs/cd3e8833d70618c4eea8df06f95b364b016d4950' (2024-10-26)
  → 'github:NixOS/nixpkgs/3c2f1c4ca372622cb2f9de8016c9a0b1cbd0f37c' (2024-11-03)
---
 flake.lock | 24 ++++++++++++------------
 1 file changed, 12 insertions(+), 12 deletions(-)

diff --git a/flake.lock b/flake.lock
index 24f50dd..58d521b 100644
--- a/flake.lock
+++ b/flake.lock
@@ -38,11 +38,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1730428893,
-        "narHash": "sha256-fLLUd2dO/Vnf96UDr8YPzerYi+n99l3S5yIUDnmcPBE=",
+        "lastModified": 1731133565,
+        "narHash": "sha256-tCErjTdCUWK06LzkcvwUM+3pyrrmdf8e0VDBBTgqznE=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "38edd08881ce4dc24056eec173b43587a93c990f",
+        "rev": "11f65b4b0405cff5b54c813626bddcf5435d7ad2",
         "type": "github"
       },
       "original": {
@@ -54,11 +54,11 @@
     },
     "nixpkgs-stable": {
       "locked": {
-        "lastModified": 1729973466,
-        "narHash": "sha256-knnVBGfTCZlQgxY1SgH0vn2OyehH9ykfF8geZgS95bk=",
+        "lastModified": 1730602179,
+        "narHash": "sha256-efgLzQAWSzJuCLiCaQUCDu4NudNlHdg2NzGLX5GYaEY=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "cd3e8833d70618c4eea8df06f95b364b016d4950",
+        "rev": "3c2f1c4ca372622cb2f9de8016c9a0b1cbd0f37c",
         "type": "github"
       },
       "original": {
@@ -70,11 +70,11 @@
     },
     "nixpkgs-unstable": {
       "locked": {
-        "lastModified": 1730449684,
-        "narHash": "sha256-Hlv3rTPxnO+DpKRXw9yjzERLdk05h7+fEbZxWM2taCw=",
+        "lastModified": 1731265036,
+        "narHash": "sha256-e5I+glVZwQvLT6WIeMFi0Mk+N/jkYauZ31ir2NRZcf8=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "ab464abbeb3a2833288c6e907488c49c2e599f88",
+        "rev": "8aed22ecd71e5b67e5299efae8b9dc580dec711c",
         "type": "github"
       },
       "original": {
@@ -100,11 +100,11 @@
         "nixpkgs-stable": "nixpkgs-stable"
       },
       "locked": {
-        "lastModified": 1729999681,
-        "narHash": "sha256-qm0uCtM9bg97LeJTKQ8dqV/FvqRN+ompyW4GIJruLuw=",
+        "lastModified": 1731213149,
+        "narHash": "sha256-jR8i6nFLmSmm0cIoeRQ8Q4EBARa3oGaAtEER/OMMxus=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "1666d16426abe79af5c47b7c0efa82fd31bf4c56",
+        "rev": "f1675e3b0e1e663a4af49be67ecbc9e749f85eb7",
         "type": "github"
       },
       "original": {

From c84d9e7d0af00a8ca8adcf59616473bee14efc89 Mon Sep 17 00:00:00 2001
From: fi <fiona@grzb.de>
Date: Mon, 11 Nov 2024 02:43:08 +0100
Subject: [PATCH 113/170] Update element to 1.11.84

---
 .../public-web-static/virtualHosts/element.hamburg.ccc.de.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/config/hosts/public-web-static/virtualHosts/element.hamburg.ccc.de.nix b/config/hosts/public-web-static/virtualHosts/element.hamburg.ccc.de.nix
index 5f0792f..1836f25 100644
--- a/config/hosts/public-web-static/virtualHosts/element.hamburg.ccc.de.nix
+++ b/config/hosts/public-web-static/virtualHosts/element.hamburg.ccc.de.nix
@@ -1,10 +1,10 @@
 { pkgs, ... }:
 
 let
-  elementWebVersion = "1.11.80";
+  elementWebVersion = "1.11.84";
   element-web = pkgs.fetchzip {
     url = "https://github.com/vector-im/element-web/releases/download/v${elementWebVersion}/element-v${elementWebVersion}.tar.gz";
-    sha256 = "sha256-sudWmNehxGsbZTNirTkoWQ/Bln1DC1CI30wocw9VoH8=";
+    sha256 = "sha256-z2qaKKyUq2S/r3xUUU3ym0FgFbiQr6bcltuKvUMPbH4=";
   };
   elementSecurityHeaders = ''
     # Configuration best practices

From cf46da9df7a9036a8c600701042fe390c5c842d8 Mon Sep 17 00:00:00 2001
From: June <june@jsts.xyz>
Date: Tue, 12 Nov 2024 23:06:01 +0100
Subject: [PATCH 114/170] public-web-static: make c3cat.de and www work as well
 as staging

---
 .../virtualHosts/c3cat.de.nix                 | 61 +++++++++++++++++--
 .../virtualHosts/default.nix                  |  1 +
 .../virtualHosts/staging.c3cat.de.nix         | 60 ++++++++++++++++++
 3 files changed, 116 insertions(+), 6 deletions(-)
 create mode 100644 config/hosts/public-web-static/virtualHosts/staging.c3cat.de.nix

diff --git a/config/hosts/public-web-static/virtualHosts/c3cat.de.nix b/config/hosts/public-web-static/virtualHosts/c3cat.de.nix
index f1ad527..91d3a40 100644
--- a/config/hosts/public-web-static/virtualHosts/c3cat.de.nix
+++ b/config/hosts/public-web-static/virtualHosts/c3cat.de.nix
@@ -1,10 +1,19 @@
 { pkgs, ... }:
 
-{
+let
+  domain = "c3cat.de";
+  dataDir = "/var/www/${domain}";
+  deployUser = "c3cat-website-deploy";
+in {
+  security.acme.certs."${domain}".extraDomainNames = [ "www.${domain}" ];
+
   services.nginx.virtualHosts = {
-    "acme-c3cat.de" = {
+    "acme-${domain}" = {
       enableACME = true;
-      serverName = "c3cat.de";
+      serverName = "${domain}";
+      serverAliases = [
+        "www.${domain}"
+      ];
 
       listen = [
         {
@@ -14,9 +23,9 @@
       ];
     };
 
-    "c3cat.de" = {
+    "$www.${domain}" = {
       forceSSL = true;
-      useACMEHost = "c3cat.de";
+      useACMEHost = "${domain}";
 
       listen = [
         {
@@ -28,7 +37,7 @@
       ];
 
       locations."/" = {
-        return = "302 https://wiki.hamburg.ccc.de/club:c3cat:start";
+        return = "302 https://c3cat.de$request_uri";
       };
 
       extraConfig = ''
@@ -42,5 +51,45 @@
         real_ip_header proxy_protocol;
       '';
     };
+
+    "${domain}" = {
+      forceSSL = true;
+      useACMEHost = "${domain}";
+
+      listen = [
+        {
+          addr = "0.0.0.0";
+          port = 8443;
+          ssl = true;
+          proxyProtocol = true;
+        }
+      ];
+
+      root = "${dataDir}";
+
+      extraConfig = ''
+        # Make use of the ngx_http_realip_module to set the $remote_addr and
+        # $remote_port to the client address and client port, when using proxy
+        # protocol.
+        # First set our proxy protocol proxy as trusted.
+        set_real_ip_from 172.31.17.140;
+        # Then tell the realip_module to get the addreses from the proxy protocol
+        # header.
+        real_ip_header proxy_protocol;
+      '';
+    };
   };
+
+  systemd.tmpfiles.rules = [
+    "d ${dataDir} 0755 ${deployUser} ${deployUser}"
+  ];
+
+  users.users."${deployUser}" = {
+    isNormalUser = true;
+    group = "${deployUser}";
+    openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIcZJzQO4RYinJm6YDUgCELe8OJA/DYOss+8xp7TtxM0 deploy key for c3cat.de"
+    ];
+  };
+  users.groups."${deployUser}" = { };
 }
diff --git a/config/hosts/public-web-static/virtualHosts/default.nix b/config/hosts/public-web-static/virtualHosts/default.nix
index dac4fa4..c9d77ef 100644
--- a/config/hosts/public-web-static/virtualHosts/default.nix
+++ b/config/hosts/public-web-static/virtualHosts/default.nix
@@ -9,6 +9,7 @@
     ./hackertours.hamburg.ccc.de.nix
     ./hamburg.ccc.de.nix
     ./spaceapi.hamburg.ccc.de.nix
+    ./staging.c3cat.de.nix
     ./staging.hacker.tours.nix
     ./staging.hackertours.hamburg.ccc.de.nix
     ./staging.hamburg.ccc.de.nix
diff --git a/config/hosts/public-web-static/virtualHosts/staging.c3cat.de.nix b/config/hosts/public-web-static/virtualHosts/staging.c3cat.de.nix
new file mode 100644
index 0000000..c91d283
--- /dev/null
+++ b/config/hosts/public-web-static/virtualHosts/staging.c3cat.de.nix
@@ -0,0 +1,60 @@
+{ pkgs, ... }:
+
+let
+  domain = "staging.c3cat.de";
+  dataDir = "/var/www/${domain}";
+  deployUser = "c3cat-website-deploy";
+in {
+  services.nginx.virtualHosts = {
+    "acme-${domain}" = {
+      enableACME = true;
+      serverName = "${domain}";
+
+      listen = [
+        {
+          addr = "0.0.0.0";
+          port = 31820;
+        }
+      ];
+    };
+
+    "${domain}" = {
+      forceSSL = true;
+      useACMEHost = "${domain}";
+
+      listen = [
+        {
+          addr = "0.0.0.0";
+          port = 8443;
+          ssl = true;
+          proxyProtocol = true;
+        }
+      ];
+
+      root = "${dataDir}";
+
+      # Disallow *, since this is staging and doesn't need to be in any search
+      # results.
+      locations."/robots.txt" = {
+        return = "200 \"User-agent: *\\nDisallow: *\\n\"";
+      };
+
+      extraConfig = ''
+        # Make use of the ngx_http_realip_module to set the $remote_addr and
+        # $remote_port to the client address and client port, when using proxy
+        # protocol.
+        # First set our proxy protocol proxy as trusted.
+        set_real_ip_from 172.31.17.140;
+        # Then tell the realip_module to get the addreses from the proxy protocol
+        # header.
+        real_ip_header proxy_protocol;
+      '';
+    };
+  };
+
+  systemd.tmpfiles.rules = [
+    "d ${dataDir} 0755 ${deployUser} ${deployUser}"
+  ];
+
+  # c3cat deploy user already defined in c3cat.de.nix.
+}

From d98aa099e1d42f5e3705b860463ddea95058fd55 Mon Sep 17 00:00:00 2001
From: June <june@jsts.xyz>
Date: Sun, 10 Nov 2024 18:14:42 +0100
Subject: [PATCH 115/170] license this repo under the MIT license

All previous contributors are asked to sign off on licensing this repo
under the MIT license in PR 12
(https://git.hamburg.ccc.de/CCCHH/nix-infra/pulls/12). Once all
contributors signed-off, this commit will be merged into the main
branch and this repo will be licensed under the MIT license.

Don't track copyright years in the license, as that is cumbersome and
also not done in other projects anymore:
https://daniel.haxx.se/blog/2023/01/08/copyright-without-years/
https://github.com/rails/rails/pull/47467

MIT License:
https://opensource.org/license/MIT
https://choosealicense.com/licenses/mit/
---
 LICENSE   | 21 +++++++++++++++++++++
 README.md |  4 ++++
 2 files changed, 25 insertions(+)
 create mode 100644 LICENSE

diff --git a/LICENSE b/LICENSE
new file mode 100644
index 0000000..37eee6c
--- /dev/null
+++ b/LICENSE
@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) CCCHH
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
diff --git a/README.md b/README.md
index bd3a29a..186f14a 100644
--- a/README.md
+++ b/README.md
@@ -73,3 +73,7 @@ Build a new NixOS Proxmox VE Template for the chaosknoten:
 ```shell
 nix build .#proxmox-chaosknoten-nixos-template
 ```
+
+## License
+
+This CCCHH nix-infra repository is licensed under the [MIT License](./LICENSE).

From c25d6c6326fec50b815ff6ab46dc185a12180d5f Mon Sep 17 00:00:00 2001
From: c6ristian <c6ristian@christian.moe>
Date: Sun, 17 Nov 2024 03:02:17 +0100
Subject: [PATCH 116/170] revert: useing pkgs.fetchGit for authorized keys

reverts the changes from ec64eebfd6c3b006b7ff5d5c3bda750cf04a5662
it brakes some of the flake process we use,
setting 'allow-import-from-derivation' doesn't seem like a good fix to me and doesn't work in all cases.
I couldn't find any other solution to fix it for now,
so we will revert it for now, until we have a better solution.
---
 config/common/users.nix | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/config/common/users.nix b/config/common/users.nix
index 026929b..400a106 100644
--- a/config/common/users.nix
+++ b/config/common/users.nix
@@ -9,10 +9,10 @@
 { config, pkgs, lib, ... }:
 
 let
-  authorizedKeysRepo = pkgs.fetchgit {
-    url = "https://git.hamburg.ccc.de/CCCHH/infrastructure-authorized-keys";
+  authorizedKeysRepo = builtins.fetchGit {
+    url = "forgejo@git.hamburg.ccc.de:CCCHH/infrastructure-authorized-keys.git"; 
+    ref = "trunk";
     rev = "686a6af22f6696f0c0595c56f463c078550049fc";
-    hash = "sha256-plTYjM6zPzoBE/dp6EUrk9mCqmab278p8FqBCTX8Grc=";
   };
   authorizedKeys = builtins.filter (item: item != "") (lib.strings.splitString "\n" (builtins.readFile "${authorizedKeysRepo}/authorized_keys"));
 in

From 7d58a3db4a4ac864aab7717ea87b0db8c3ac5adc Mon Sep 17 00:00:00 2001
From: jopejoe1 <johannes@joens.email>
Date: Tue, 5 Nov 2024 00:02:41 +0100
Subject: [PATCH 117/170] move overlay to overlays output

---
 flake.nix | 20 +++++++++++---------
 1 file changed, 11 insertions(+), 9 deletions(-)

diff --git a/flake.nix b/flake.nix
index b787f78..7fd9b80 100644
--- a/flake.nix
+++ b/flake.nix
@@ -26,23 +26,25 @@
   outputs = { self, nixpkgs, nixpkgs-unstable, nixos-generators, sops-nix, ... }:
     let
       system = "x86_64-linux";
-      shairportSync431ExtendedNixpkgsUnstableOverlay = final: prev: {
-        shairport-sync = (prev.shairport-sync.override { enableMetadata = true; enableAirplay2 = true; }).overrideAttrs (finalAttr: previousAttr: {
-          # See: https://github.com/mikebrady/shairport-sync/blob/e78a88b64adfe7b5f88fd6faedf55c57445bb240/CONFIGURATION%20FLAGS.md
-          configureFlags = previousAttr.configureFlags ++ [ "--with-mqtt-client" ];
-          buildInputs = previousAttr.buildInputs ++ [ final.mosquitto ];
-        });
-      };
       pkgs-unstable = nixpkgs-unstable.legacyPackages."x86_64-linux";
     in
     {
+      overlays = {
+        shairportSyncAirplay2 = final: prev: {
+          shairport-sync = (prev.shairport-sync.override { enableMetadata = true; enableAirplay2 = true; }).overrideAttrs (finalAttr: previousAttr: {
+            # See: https://github.com/mikebrady/shairport-sync/blob/e78a88b64adfe7b5f88fd6faedf55c57445bb240/CONFIGURATION%20FLAGS.md
+            configureFlags = previousAttr.configureFlags ++ [ "--with-mqtt-client" ];
+            buildInputs = previousAttr.buildInputs ++ [ final.mosquitto ];
+          });
+        };
+      };
       nixosConfigurations = {
         audio-hauptraum-kueche = nixpkgs.lib.nixosSystem {
           inherit system;
           modules = [
             ./config/common
             ./config/proxmox-vm
-            { nixpkgs.overlays = [ shairportSync431ExtendedNixpkgsUnstableOverlay ]; }
+            { nixpkgs.overlays = [ self.overlays.shairportSyncAirplay2 ]; }
             ./config/hosts/audio-hauptraum-kueche
           ];
         };
@@ -52,7 +54,7 @@
           modules = [
             ./config/common
             ./config/proxmox-vm
-            { nixpkgs.overlays = [ shairportSync431ExtendedNixpkgsUnstableOverlay ]; }
+            { nixpkgs.overlays = [ self.overlays.shairportSyncAirplay2 ]; }
             ./config/hosts/audio-hauptraum-tafel
           ];
         };

From 6c85b91efbfc0a5e46f06b8308575507c9bba20d Mon Sep 17 00:00:00 2001
From: jopejoe1 <johannes@joens.email>
Date: Tue, 5 Nov 2024 22:43:53 +0100
Subject: [PATCH 118/170] make use of nixosModules output

---
 flake.nix | 111 ++++++++++++++++++++++++++++--------------------------
 1 file changed, 58 insertions(+), 53 deletions(-)

diff --git a/flake.nix b/flake.nix
index 7fd9b80..da7b32e 100644
--- a/flake.nix
+++ b/flake.nix
@@ -38,12 +38,17 @@
           });
         };
       };
+      nixosModules = {
+        common = ./config/common;
+        proxmox-vm = ./config/proxmox-vm;
+        prometheus-exporter = ./config/extra/prometheus-exporter.nix;
+      };
       nixosConfigurations = {
         audio-hauptraum-kueche = nixpkgs.lib.nixosSystem {
           inherit system;
           modules = [
-            ./config/common
-            ./config/proxmox-vm
+            self.nixosModules.common
+            self.nixosModules.proxmox-vm
             { nixpkgs.overlays = [ self.overlays.shairportSyncAirplay2 ]; }
             ./config/hosts/audio-hauptraum-kueche
           ];
@@ -52,8 +57,8 @@
         audio-hauptraum-tafel = nixpkgs.lib.nixosSystem {
           inherit system;
           modules = [
-            ./config/common
-            ./config/proxmox-vm
+            self.nixosModules.common
+            self.nixosModules.proxmox-vm
             { nixpkgs.overlays = [ self.overlays.shairportSyncAirplay2 ]; }
             ./config/hosts/audio-hauptraum-tafel
           ];
@@ -62,8 +67,8 @@
         esphome = nixpkgs.lib.nixosSystem {
           inherit system;
           modules = [
-            ./config/common
-            ./config/proxmox-vm
+            self.nixosModules.common
+            self.nixosModules.proxmox-vm
             ./config/hosts/esphome
           ];
         };
@@ -71,8 +76,8 @@
         public-reverse-proxy = nixpkgs.lib.nixosSystem {
           inherit system;
           modules = [
-            ./config/common
-            ./config/proxmox-vm
+            self.nixosModules.common
+            self.nixosModules.proxmox-vm
             ./config/hosts/public-reverse-proxy
           ];
         };
@@ -80,10 +85,10 @@
         netbox = nixpkgs.lib.nixosSystem {
           inherit system;
           modules = [
-            ./config/common
-            ./config/proxmox-vm
+            self.nixosModules.common
+            self.nixosModules.proxmox-vm
             sops-nix.nixosModules.sops
-            ./config/extra/prometheus-exporter.nix
+            self.nixosModules.prometheus-exporter
             ./config/hosts/netbox
           ];
         };
@@ -91,10 +96,10 @@
         matrix = nixpkgs.lib.nixosSystem {
           inherit system;
           modules = [
-            ./config/common
-            ./config/proxmox-vm
+            self.nixosModules.common
+            self.nixosModules.proxmox-vm
             sops-nix.nixosModules.sops
-            ./config/extra/prometheus-exporter.nix
+            self.nixosModules.prometheus-exporter
             ./config/hosts/matrix
           ];
         };
@@ -102,10 +107,10 @@
         public-web-static = nixpkgs.lib.nixosSystem {
           inherit system;
           modules = [
-            ./config/common
-            ./config/proxmox-vm
+            self.nixosModules.common
+            self.nixosModules.proxmox-vm
             sops-nix.nixosModules.sops
-            ./config/extra/prometheus-exporter.nix
+            self.nixosModules.prometheus-exporter
             ./config/hosts/public-web-static
           ];
         };
@@ -113,10 +118,10 @@
         git = nixpkgs.lib.nixosSystem {
           inherit system;
           modules = [
-            ./config/common
-            ./config/proxmox-vm
+            self.nixosModules.common
+            self.nixosModules.proxmox-vm
             sops-nix.nixosModules.sops
-            ./config/extra/prometheus-exporter.nix
+            self.nixosModules.prometheus-exporter
             ./config/hosts/git
           ];
         };
@@ -124,10 +129,10 @@
         forgejo-actions-runner = nixpkgs.lib.nixosSystem {
           inherit system;
           modules = [
-            ./config/common
-            ./config/proxmox-vm
+            self.nixosModules.common
+            self.nixosModules.proxmox-vm
             sops-nix.nixosModules.sops
-            ./config/extra/prometheus-exporter.nix
+            self.nixosModules.prometheus-exporter
             ./config/hosts/forgejo-actions-runner
           ];
         };
@@ -135,8 +140,8 @@
         ptouch-print-server = nixpkgs.lib.nixosSystem {
           inherit system;
           modules = [
-            ./config/common
-            ./config/proxmox-vm
+            self.nixosModules.common
+            self.nixosModules.proxmox-vm
             ./config/hosts/ptouch-print-server
           ];
         };
@@ -144,9 +149,9 @@
         eh22-wiki = nixpkgs.lib.nixosSystem {
           inherit system;
           modules = [
-            ./config/common
-            ./config/proxmox-vm
-            ./config/extra/prometheus-exporter.nix
+            self.nixosModules.common
+            self.nixosModules.proxmox-vm
+            self.nixosModules.prometheus-exporter
             ./config/hosts/eh22-wiki
           ];
         };
@@ -154,9 +159,9 @@
         nix-box-june = nixpkgs.lib.nixosSystem {
           inherit system;
           modules = [
-            ./config/common
-            ./config/proxmox-vm
-            ./config/extra/prometheus-exporter.nix
+            self.nixosModules.common
+            self.nixosModules.proxmox-vm
+            self.nixosModules.prometheus-exporter
             ./config/hosts/nix-box-june
           ];
         };
@@ -164,8 +169,8 @@
         yate = nixpkgs.lib.nixosSystem {
           inherit system;
           modules = [
-            ./config/common
-            ./config/proxmox-vm
+            self.nixosModules.common
+            self.nixosModules.proxmox-vm
             ./config/hosts/yate
           ];
         };
@@ -173,8 +178,8 @@
         mqtt = nixpkgs.lib.nixosSystem {
           inherit system;
           modules = [
-            ./config/common
-            ./config/proxmox-vm
+            self.nixosModules.common
+            self.nixosModules.proxmox-vm
             ./config/hosts/mqtt
           ];
         };
@@ -182,10 +187,10 @@
         mjolnir = nixpkgs.lib.nixosSystem {
           inherit system;
           modules = [
-            ./config/common
-            ./config/proxmox-vm
+            self.nixosModules.common
+            self.nixosModules.proxmox-vm
             sops-nix.nixosModules.sops
-            ./config/extra/prometheus-exporter.nix
+            self.nixosModules.prometheus-exporter
             ./config/hosts/mjolnir
           ];
         };
@@ -193,10 +198,10 @@
         woodpecker = nixpkgs.lib.nixosSystem {
           inherit system;
           modules = [
-            ./config/common
-            ./config/proxmox-vm
+            self.nixosModules.common
+            self.nixosModules.proxmox-vm
             sops-nix.nixosModules.sops
-            ./config/extra/prometheus-exporter.nix
+            self.nixosModules.prometheus-exporter
             ./config/hosts/woodpecker
           ];
           specialArgs = {
@@ -207,8 +212,8 @@
         status = nixpkgs.lib.nixosSystem {
           inherit system;
           modules = [
-            ./config/common
-            ./config/proxmox-vm
+            self.nixosModules.common
+            self.nixosModules.proxmox-vm
             sops-nix.nixosModules.sops
             ./config/hosts/status
           ];
@@ -217,10 +222,10 @@
         penpot = nixpkgs.lib.nixosSystem {
           inherit system;
           modules = [
-            ./config/common
-            ./config/proxmox-vm
+            self.nixosModules.common
+            self.nixosModules.proxmox-vm
             sops-nix.nixosModules.sops
-            ./config/extra/prometheus-exporter.nix
+            self.nixosModules.prometheus-exporter
             ./config/hosts/penpot
           ];
         };
@@ -228,9 +233,9 @@
         hydra = nixpkgs.lib.nixosSystem {
           inherit system;
           modules = [
-            ./config/common
-            ./config/proxmox-vm
-            ./config/extra/prometheus-exporter.nix
+            self.nixosModules.common
+            self.nixosModules.proxmox-vm
+            self.nixosModules.prometheus-exporter
             ./config/hosts/hydra
           ];
         };
@@ -241,8 +246,8 @@
           system = "x86_64-linux";
           modules = [
             ./config/nixos-generators/proxmox.nix
-            ./config/common
-            ./config/proxmox-vm
+            self.nixosModules.common
+            self.nixosModules.proxmox-vm
           ];
           format = "proxmox";
         };
@@ -252,8 +257,8 @@
           modules = [
             ./config/nixos-generators/proxmox-chaosknoten.nix
             ./config/proxmox-chaosknoten-additional-initial-config.nix
-            ./config/common
-            ./config/proxmox-vm
+            self.nixosModules.common
+            self.nixosModules.proxmox-vm
           ];
           format = "proxmox";
         };

From f7ebe660fe961a4ee7944aca10cf4ca3c50cd407 Mon Sep 17 00:00:00 2001
From: jopejoe1 <johannes@joens.email>
Date: Tue, 5 Nov 2024 22:52:02 +0100
Subject: [PATCH 119/170] format files with `nix fmt`

---
 config/hosts/eh22-wiki/dokuwiki.nix           |  5 ++-
 config/hosts/mqtt/configuration.nix           | 12 ++---
 config/hosts/mqtt/default.nix                 | 12 ++---
 config/hosts/mqtt/mosquitto.nix               | 44 +++++++++----------
 config/hosts/nix-box-june/users.nix           |  2 +-
 .../virtualHosts/hacker.tours.nix             |  3 +-
 .../hackertours.hamburg.ccc.de.nix            |  3 +-
 .../historic-easterhegg/default.nix           |  4 +-
 .../virtualHosts/historic-easterhegg/eh03.nix |  4 +-
 .../virtualHosts/historic-easterhegg/eh05.nix |  8 ++--
 .../virtualHosts/historic-easterhegg/eh07.nix |  4 +-
 .../virtualHosts/historic-easterhegg/eh09.nix |  4 +-
 .../virtualHosts/historic-easterhegg/eh11.nix |  4 +-
 .../virtualHosts/staging.hacker.tours.nix     |  3 +-
 .../staging.hackertours.hamburg.ccc.de.nix    |  3 +-
 config/hosts/yate/service.nix                 |  8 ++--
 16 files changed, 64 insertions(+), 59 deletions(-)

diff --git a/config/hosts/eh22-wiki/dokuwiki.nix b/config/hosts/eh22-wiki/dokuwiki.nix
index c0eafaa..f9a7cbd 100644
--- a/config/hosts/eh22-wiki/dokuwiki.nix
+++ b/config/hosts/eh22-wiki/dokuwiki.nix
@@ -21,7 +21,8 @@ let
   app = "dokuwiki";
   domain = "eh22.easterhegg.eu";
   dataDir = "/srv/www/${domain}";
-in {
+in
+{
   systemd.tmpfiles.rules = [
     "d ${dataDir} 0755 ${app} ${app}"
   ];
@@ -76,7 +77,7 @@ in {
       default = true;
       enableACME = true;
       serverName = "${domain}";
-      
+
       listen = [
         {
           addr = "0.0.0.0";
diff --git a/config/hosts/mqtt/configuration.nix b/config/hosts/mqtt/configuration.nix
index 18d0184..793807d 100644
--- a/config/hosts/mqtt/configuration.nix
+++ b/config/hosts/mqtt/configuration.nix
@@ -1,10 +1,10 @@
 { ... }:
 
 {
-	networking = {
-        hostName = "mqtt";
-        domain = "z9.ccchh.net";
-	};
+  networking = {
+    hostName = "mqtt";
+    domain = "z9.ccchh.net";
+  };
 
-	system.stateVersion = "23.11";
-}
\ No newline at end of file
+  system.stateVersion = "23.11";
+}
diff --git a/config/hosts/mqtt/default.nix b/config/hosts/mqtt/default.nix
index bb61c12..bc91d9f 100644
--- a/config/hosts/mqtt/default.nix
+++ b/config/hosts/mqtt/default.nix
@@ -1,9 +1,9 @@
 { pkgs, ... }:
 
 {
-	imports = [
-		./configuration.nix
-		./networking.nix
-		./mosquitto.nix
-	];
-}
\ No newline at end of file
+  imports = [
+    ./configuration.nix
+    ./networking.nix
+    ./mosquitto.nix
+  ];
+}
diff --git a/config/hosts/mqtt/mosquitto.nix b/config/hosts/mqtt/mosquitto.nix
index 672c05d..d093bd8 100644
--- a/config/hosts/mqtt/mosquitto.nix
+++ b/config/hosts/mqtt/mosquitto.nix
@@ -5,29 +5,29 @@
 { ... }:
 
 {
-    services.mosquitto = {
-        enable = true;
-        persistence = true;
+  services.mosquitto = {
+    enable = true;
+    persistence = true;
 
-        # set config for all listeners
-        listeners = [ {
-            settings.allow_anonymous = true;
-            omitPasswordAuth = true;
-            acl = ["topic readwrite #"];
-        } ];
+    # set config for all listeners
+    listeners = [{
+      settings.allow_anonymous = true;
+      omitPasswordAuth = true;
+      acl = [ "topic readwrite #" ];
+    }];
 
-        bridges.winkekatz = {
-            addresses = [
-                { address = "mqtt.winkekatze24.de"; }
-            ];
-            topics = [
-                "winkekatze/allcats/eye/set in 2"
-                "winkekatze/allcats in 2"
-                "+/status out 2 winkekatze/ \"\""
-                "+/connected out 2 winkekatze/ \"\""
-            ];
-        };
+    bridges.winkekatz = {
+      addresses = [
+        { address = "mqtt.winkekatze24.de"; }
+      ];
+      topics = [
+        "winkekatze/allcats/eye/set in 2"
+        "winkekatze/allcats in 2"
+        "+/status out 2 winkekatze/ \"\""
+        "+/connected out 2 winkekatze/ \"\""
+      ];
     };
+  };
 
-    networking.firewall.allowedTCPPorts = [ 1883 ];
-}
\ No newline at end of file
+  networking.firewall.allowedTCPPorts = [ 1883 ];
+}
diff --git a/config/hosts/nix-box-june/users.nix b/config/hosts/nix-box-june/users.nix
index 9f1b217..dfb333e 100644
--- a/config/hosts/nix-box-june/users.nix
+++ b/config/hosts/nix-box-june/users.nix
@@ -26,7 +26,7 @@
     };
     yuri = {
       isNormalUser = true;
-      openssh.authorizedKeys.keys = [ 
+      openssh.authorizedKeys.keys = [
         "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDdk3FLQRoCWxdOxg4kHcPqAu3QQOs/rY9na2Al2ilGl yuri@violet"
         "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJEvM35w+UaSpDTuaG5pGPgfHcfwscr+wSZN9Z5Jle82 yuri@kiara"
       ];
diff --git a/config/hosts/public-web-static/virtualHosts/hacker.tours.nix b/config/hosts/public-web-static/virtualHosts/hacker.tours.nix
index 7eaa086..1ee6180 100644
--- a/config/hosts/public-web-static/virtualHosts/hacker.tours.nix
+++ b/config/hosts/public-web-static/virtualHosts/hacker.tours.nix
@@ -4,7 +4,8 @@ let
   domain = "hacker.tours";
   dataDir = "/var/www/${domain}";
   deployUser = "hackertours-website-deploy";
-in {
+in
+{
   services.nginx.virtualHosts = {
     "acme-${domain}" = {
       enableACME = true;
diff --git a/config/hosts/public-web-static/virtualHosts/hackertours.hamburg.ccc.de.nix b/config/hosts/public-web-static/virtualHosts/hackertours.hamburg.ccc.de.nix
index 2077ca7..b0104b6 100644
--- a/config/hosts/public-web-static/virtualHosts/hackertours.hamburg.ccc.de.nix
+++ b/config/hosts/public-web-static/virtualHosts/hackertours.hamburg.ccc.de.nix
@@ -4,7 +4,8 @@ let
   domain = "hackertours.hamburg.ccc.de";
   dataDir = "/var/www/${domain}";
   deployUser = "ht-ccchh-website-deploy";
-in {
+in
+{
   services.nginx.virtualHosts = {
     "acme-${domain}" = {
       enableACME = true;
diff --git a/config/hosts/public-web-static/virtualHosts/historic-easterhegg/default.nix b/config/hosts/public-web-static/virtualHosts/historic-easterhegg/default.nix
index fe53d04..69d8855 100644
--- a/config/hosts/public-web-static/virtualHosts/historic-easterhegg/default.nix
+++ b/config/hosts/public-web-static/virtualHosts/historic-easterhegg/default.nix
@@ -1,4 +1,4 @@
-{...}:
+{ ... }:
 
 {
   imports = [
@@ -9,4 +9,4 @@
     ./eh11.nix
     ./eh20.nix
   ];
-}
\ No newline at end of file
+}
diff --git a/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh03.nix b/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh03.nix
index 60d4f21..2c5dd86 100644
--- a/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh03.nix
+++ b/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh03.nix
@@ -6,7 +6,7 @@ let
     rev = "74977c56486cd060566bf06678a936e801952f9e";
     hash = "sha256-ded/NO+Jex2Sa4yWAIRpqANsv8i0vKmJSkM5r9KxaVk=";
   };
-in 
+in
 {
   security.acme.certs."eh03.easterhegg.eu".extraDomainNames = [
     "eh2003.hamburg.ccc.de"
@@ -48,7 +48,7 @@ in
       }];
 
       locations."/".return = "302 https://eh03.easterhegg.eu";
-      
+
       extraConfig = ''
         # Make use of the ngx_http_realip_module to set the $remote_addr and
         # $remote_port to the client address and client port, when using proxy
diff --git a/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh05.nix b/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh05.nix
index 7651666..37cb893 100644
--- a/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh05.nix
+++ b/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh05.nix
@@ -48,7 +48,7 @@ in
       }];
 
       locations."/".return = "302 https://eh05.easterhegg.eu";
-      
+
       extraConfig = ''
         # Make use of the ngx_http_realip_module to set the $remote_addr and
         # $remote_port to the client address and client port, when using proxy
@@ -60,7 +60,7 @@ in
         real_ip_header proxy_protocol;
       '';
     };
-    
+
     "eh05.easterhegg.eu" = {
       forceSSL = true;
       useACMEHost = "eh05.easterhegg.eu";
@@ -71,7 +71,7 @@ in
         ssl = true;
         proxyProtocol = true;
       }];
-      
+
       locations."/" = {
         index = "index.shtml";
         root = eh05;
@@ -80,7 +80,7 @@ in
           default_type text/html;
           # Enable SSI
           ssi on;
-        ''; 
+        '';
       };
 
       extraConfig = ''
diff --git a/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh07.nix b/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh07.nix
index 40fe480..ebfa712 100644
--- a/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh07.nix
+++ b/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh07.nix
@@ -54,7 +54,7 @@ in
       }];
 
       locations."/".return = "302 https://eh07.easterhegg.eu";
-      
+
       extraConfig = ''
         # Make use of the ngx_http_realip_module to set the $remote_addr and
         # $remote_port to the client address and client port, when using proxy
@@ -86,7 +86,7 @@ in
           default_type text/html;
           # Enable SSI
           ssi on;
-        ''; 
+        '';
       };
 
       extraConfig = ''
diff --git a/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh09.nix b/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh09.nix
index f7416ed..ea274af 100644
--- a/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh09.nix
+++ b/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh09.nix
@@ -54,7 +54,7 @@ in
       }];
 
       locations."/".return = "302 https://eh09.easterhegg.eu";
-      
+
       extraConfig = ''
         # Make use of the ngx_http_realip_module to set the $remote_addr and
         # $remote_port to the client address and client port, when using proxy
@@ -86,7 +86,7 @@ in
           default_type text/html;
           # Enable SSI
           ssi on;
-        ''; 
+        '';
       };
       extraConfig = ''
         # Make use of the ngx_http_realip_module to set the $remote_addr and
diff --git a/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh11.nix b/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh11.nix
index c409641..39d7fad 100644
--- a/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh11.nix
+++ b/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh11.nix
@@ -54,7 +54,7 @@ in
       }];
 
       locations."/".return = "302 https://eh11.easterhegg.eu";
-      
+
       extraConfig = ''
         # Make use of the ngx_http_realip_module to set the $remote_addr and
         # $remote_port to the client address and client port, when using proxy
@@ -86,7 +86,7 @@ in
           default_type text/html;
           # Enable SSI
           ssi on;
-        ''; 
+        '';
       };
 
       extraConfig = ''
diff --git a/config/hosts/public-web-static/virtualHosts/staging.hacker.tours.nix b/config/hosts/public-web-static/virtualHosts/staging.hacker.tours.nix
index 382f1b6..14ede9b 100644
--- a/config/hosts/public-web-static/virtualHosts/staging.hacker.tours.nix
+++ b/config/hosts/public-web-static/virtualHosts/staging.hacker.tours.nix
@@ -4,7 +4,8 @@ let
   domain = "staging.hacker.tours";
   dataDir = "/var/www/${domain}";
   deployUser = "hackertours-website-deploy";
-in {
+in
+{
   services.nginx.virtualHosts = {
     "acme-${domain}" = {
       enableACME = true;
diff --git a/config/hosts/public-web-static/virtualHosts/staging.hackertours.hamburg.ccc.de.nix b/config/hosts/public-web-static/virtualHosts/staging.hackertours.hamburg.ccc.de.nix
index 4b71d53..79ca38c 100644
--- a/config/hosts/public-web-static/virtualHosts/staging.hackertours.hamburg.ccc.de.nix
+++ b/config/hosts/public-web-static/virtualHosts/staging.hackertours.hamburg.ccc.de.nix
@@ -4,7 +4,8 @@ let
   domain = "staging.hackertours.hamburg.ccc.de";
   dataDir = "/var/www/${domain}";
   deployUser = "ht-ccchh-website-deploy";
-in {
+in
+{
   services.nginx.virtualHosts = {
     "acme-${domain}" = {
       enableACME = true;
diff --git a/config/hosts/yate/service.nix b/config/hosts/yate/service.nix
index e426a31..e031d4d 100644
--- a/config/hosts/yate/service.nix
+++ b/config/hosts/yate/service.nix
@@ -6,16 +6,16 @@
     description = "Yate telehony engine";
     unitConfig = {
       Type = "simple";
-      After="network.target";
+      After = "network.target";
     };
     serviceConfig = {
       ExecStart = "${pkgs.yate}/bin/yate -c /yate -e /yate/share -Do";
-      Type="simple";
-      Restart="always";
+      Type = "simple";
+      Restart = "always";
       # ...
     };
     wantedBy = [ "default.target" ];
-    requiredBy = [ "network.target" ]; 
+    requiredBy = [ "network.target" ];
     # ...
   };
 }

From e404d4740f4e2c365db07d754e34cc5c8dfd61f0 Mon Sep 17 00:00:00 2001
From: jopejoe1 <johannes@joens.email>
Date: Tue, 5 Nov 2024 22:56:55 +0100
Subject: [PATCH 120/170] remove nixpkgs-unstable

the current version of woodpecker-server in stable now has the features this was original used for, not other usages of unstable are in tree left so removing it.
---
 .../woodpecker-agent/woodpecker-agent.nix       |  5 ++---
 .../woodpecker-server/woodpecker-server.nix     |  6 ++----
 flake.lock                                      | 17 -----------------
 flake.nix                                       |  7 +------
 4 files changed, 5 insertions(+), 30 deletions(-)

diff --git a/config/hosts/woodpecker/woodpecker-agent/woodpecker-agent.nix b/config/hosts/woodpecker/woodpecker-agent/woodpecker-agent.nix
index dc89021..8c6847b 100644
--- a/config/hosts/woodpecker/woodpecker-agent/woodpecker-agent.nix
+++ b/config/hosts/woodpecker/woodpecker-agent/woodpecker-agent.nix
@@ -3,13 +3,12 @@
 # - https://woodpecker-ci.org/docs/administration/agent-config
 # - https://woodpecker-ci.org/docs/administration/backends/docker
 
-{ config, pkgs, pkgs-unstable, ... }:
+{ config, pkgs, ... }:
 
 {
   services.woodpecker-agents.agents."docker" = {
     enable = true;
-    # Since we use woodpecker-server from unstable, use the agent from unstable as well.
-    package = pkgs-unstable.woodpecker-agent;
+    package = pkgs.woodpecker-agent;
     extraGroups = [ "docker" ];
     environment = {
       WOODPECKER_SERVER = "localhost${config.services.woodpecker-server.environment.WOODPECKER_GRPC_ADDR}";
diff --git a/config/hosts/woodpecker/woodpecker-server/woodpecker-server.nix b/config/hosts/woodpecker/woodpecker-server/woodpecker-server.nix
index 464af13..2baafc5 100644
--- a/config/hosts/woodpecker/woodpecker-server/woodpecker-server.nix
+++ b/config/hosts/woodpecker/woodpecker-server/woodpecker-server.nix
@@ -5,14 +5,12 @@
 # - https://woodpecker-ci.org/docs/administration/forges/forgejo
 # - https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-CONNSTRING
 
-{ config, pkgs, pkgs-unstable, ... }:
+{ config, pkgs, ... }:
 
 {
   services.woodpecker-server = {
     enable = true;
-    # Use package from unstable to get at least version 2.6.0 for native Forgejo support.
-    # https://github.com/woodpecker-ci/woodpecker/releases/tag/v2.6.0
-    package = pkgs-unstable.woodpecker-server;
+    package = pkgs.woodpecker-server;
     environment = {
       WOODPECKER_HOST = "https://woodpecker.hamburg.ccc.de";
       WOODPECKER_SERVER_ADDR = ":8001";
diff --git a/flake.lock b/flake.lock
index 58d521b..74a5396 100644
--- a/flake.lock
+++ b/flake.lock
@@ -68,27 +68,10 @@
         "type": "github"
       }
     },
-    "nixpkgs-unstable": {
-      "locked": {
-        "lastModified": 1731265036,
-        "narHash": "sha256-e5I+glVZwQvLT6WIeMFi0Mk+N/jkYauZ31ir2NRZcf8=",
-        "owner": "nixos",
-        "repo": "nixpkgs",
-        "rev": "8aed22ecd71e5b67e5299efae8b9dc580dec711c",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nixos",
-        "ref": "nixos-unstable-small",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
-    },
     "root": {
       "inputs": {
         "nixos-generators": "nixos-generators",
         "nixpkgs": "nixpkgs",
-        "nixpkgs-unstable": "nixpkgs-unstable",
         "sops-nix": "sops-nix"
       }
     },
diff --git a/flake.nix b/flake.nix
index da7b32e..f575ac6 100644
--- a/flake.nix
+++ b/flake.nix
@@ -6,7 +6,6 @@
     # https://nixos.org/manual/nixos/stable/#sec-upgrading
     # https://github.com/NixOS/nixpkgs
     nixpkgs.url = "github:nixos/nixpkgs/nixos-24.05-small";
-    nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable-small";
 
     # Add nixos-generators as an input.
     # See here: https://github.com/nix-community/nixos-generators#using-in-a-flake
@@ -23,10 +22,9 @@
     };
   };
 
-  outputs = { self, nixpkgs, nixpkgs-unstable, nixos-generators, sops-nix, ... }:
+  outputs = { self, nixpkgs, nixos-generators, sops-nix, ... }:
     let
       system = "x86_64-linux";
-      pkgs-unstable = nixpkgs-unstable.legacyPackages."x86_64-linux";
     in
     {
       overlays = {
@@ -204,9 +202,6 @@
             self.nixosModules.prometheus-exporter
             ./config/hosts/woodpecker
           ];
-          specialArgs = {
-            inherit pkgs-unstable;
-          };
         };
 
         status = nixpkgs.lib.nixosSystem {

From 53e33a6641791d61d58c9bd007d4ea05d96e82a6 Mon Sep 17 00:00:00 2001
From: c6ristian <c6ristian@christian.moe>
Date: Sun, 17 Nov 2024 20:24:35 +0100
Subject: [PATCH 121/170] flake.lock: Update
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Flake lock file updates:

• Updated input 'nixos-generators':
    'github:nix-community/nixos-generators/7c60ba4bc8d6aa2ba3e5b0f6ceb9fc07bc261565' (2024-10-21)
  → 'github:nix-community/nixos-generators/06ffce1a8d95e95c06a4bcfa117dd960b14a7101' (2024-11-14)
• Updated input 'nixos-generators/nixlib':
    'github:nix-community/nixpkgs.lib/cce4521b6df014e79a7b7afc58c703ed683c916e' (2024-10-20)
  → 'github:nix-community/nixpkgs.lib/e04234d263750db01c78a412690363dc2226e68a' (2024-11-10)
• Updated input 'nixos-generators/nixpkgs':
    follows 'nixpkgs'
  → 'github:NixOS/nixpkgs/aebe249544837ce42588aa4b2e7972222ba12e8f' (2024-11-10)
• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/11f65b4b0405cff5b54c813626bddcf5435d7ad2' (2024-11-09)
  → 'github:nixos/nixpkgs/bf6132dc791dbdff8b6894c3a85eb27ad8255682' (2024-11-17)
• Updated input 'sops-nix':
    'github:Mic92/sops-nix/f1675e3b0e1e663a4af49be67ecbc9e749f85eb7' (2024-11-10)
  → 'github:Mic92/sops-nix/472741cf3fee089241ac9ea705bb2b9e0bfa2978' (2024-11-17)
• Removed input 'sops-nix/nixpkgs-stable'
---
 flake.lock | 65 ++++++++++++++++++++++++++----------------------------
 flake.nix  |  2 +-
 2 files changed, 32 insertions(+), 35 deletions(-)

diff --git a/flake.lock b/flake.lock
index 74a5396..a41bdb5 100644
--- a/flake.lock
+++ b/flake.lock
@@ -2,11 +2,11 @@
   "nodes": {
     "nixlib": {
       "locked": {
-        "lastModified": 1729386149,
-        "narHash": "sha256-hUP9oxmnOmNnKcDOf5Y55HQ+NnoT0+bLWHLQWLLw9Ks=",
+        "lastModified": 1731200463,
+        "narHash": "sha256-qDaAweJjdFbVExqs8aG27urUgcgKufkIngHW3Rzustg=",
         "owner": "nix-community",
         "repo": "nixpkgs.lib",
-        "rev": "cce4521b6df014e79a7b7afc58c703ed683c916e",
+        "rev": "e04234d263750db01c78a412690363dc2226e68a",
         "type": "github"
       },
       "original": {
@@ -18,16 +18,14 @@
     "nixos-generators": {
       "inputs": {
         "nixlib": "nixlib",
-        "nixpkgs": [
-          "nixpkgs"
-        ]
+        "nixpkgs": "nixpkgs"
       },
       "locked": {
-        "lastModified": 1729472750,
-        "narHash": "sha256-s93LPHi5BN7I2xSGNAFWiYb8WRsPvT1LE9ZjZBrpFlg=",
+        "lastModified": 1731546190,
+        "narHash": "sha256-kJix8nLyFIJ3EC7VtoXK/85C4ZN2dC5oWoS8+ErehqI=",
         "owner": "nix-community",
         "repo": "nixos-generators",
-        "rev": "7c60ba4bc8d6aa2ba3e5b0f6ceb9fc07bc261565",
+        "rev": "06ffce1a8d95e95c06a4bcfa117dd960b14a7101",
         "type": "github"
       },
       "original": {
@@ -38,11 +36,27 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1731133565,
-        "narHash": "sha256-tCErjTdCUWK06LzkcvwUM+3pyrrmdf8e0VDBBTgqznE=",
+        "lastModified": 1731245184,
+        "narHash": "sha256-vmLS8+x+gHRv1yzj3n+GTAEObwmhxmkkukB2DwtJRdU=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "aebe249544837ce42588aa4b2e7972222ba12e8f",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixpkgs-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs_2": {
+      "locked": {
+        "lastModified": 1731842749,
+        "narHash": "sha256-aNc8irVBH7sM5cGDvqdOueg8S+fGakf0rEMRGfGwWZw=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "11f65b4b0405cff5b54c813626bddcf5435d7ad2",
+        "rev": "bf6132dc791dbdff8b6894c3a85eb27ad8255682",
         "type": "github"
       },
       "original": {
@@ -52,26 +66,10 @@
         "type": "github"
       }
     },
-    "nixpkgs-stable": {
-      "locked": {
-        "lastModified": 1730602179,
-        "narHash": "sha256-efgLzQAWSzJuCLiCaQUCDu4NudNlHdg2NzGLX5GYaEY=",
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "3c2f1c4ca372622cb2f9de8016c9a0b1cbd0f37c",
-        "type": "github"
-      },
-      "original": {
-        "owner": "NixOS",
-        "ref": "release-24.05",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
-    },
     "root": {
       "inputs": {
         "nixos-generators": "nixos-generators",
-        "nixpkgs": "nixpkgs",
+        "nixpkgs": "nixpkgs_2",
         "sops-nix": "sops-nix"
       }
     },
@@ -79,15 +77,14 @@
       "inputs": {
         "nixpkgs": [
           "nixpkgs"
-        ],
-        "nixpkgs-stable": "nixpkgs-stable"
+        ]
       },
       "locked": {
-        "lastModified": 1731213149,
-        "narHash": "sha256-jR8i6nFLmSmm0cIoeRQ8Q4EBARa3oGaAtEER/OMMxus=",
+        "lastModified": 1731862312,
+        "narHash": "sha256-NVUTFxKrJp/hjehlF1IvkPnlRYg/O9HFVutbxOM8zNM=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "f1675e3b0e1e663a4af49be67ecbc9e749f85eb7",
+        "rev": "472741cf3fee089241ac9ea705bb2b9e0bfa2978",
         "type": "github"
       },
       "original": {
diff --git a/flake.nix b/flake.nix
index f575ac6..5d1d5e3 100644
--- a/flake.nix
+++ b/flake.nix
@@ -11,7 +11,7 @@
     # See here: https://github.com/nix-community/nixos-generators#using-in-a-flake
     nixos-generators = {
       url = "github:nix-community/nixos-generators";
-      inputs.nixpkgs.follows = "nixpkgs";
+      #inputs.nixpkgs.follows = "nixpkgs";
     };
 
     # Add sops-nix as an input for secret management.

From 20033671089a3bc90e2cb4259b212c24a893de14 Mon Sep 17 00:00:00 2001
From: jopejoe1 <johannes@joens.email>
Date: Sun, 17 Nov 2024 20:29:04 +0100
Subject: [PATCH 122/170] move authorized keys to flake input

---
 config/common/users.nix |  7 +-----
 flake.lock              | 19 ++++++++++++++++
 flake.nix               | 50 ++++++++++++++++++++++++-----------------
 3 files changed, 50 insertions(+), 26 deletions(-)

diff --git a/config/common/users.nix b/config/common/users.nix
index 400a106..4ddef2a 100644
--- a/config/common/users.nix
+++ b/config/common/users.nix
@@ -6,14 +6,9 @@
 # - https://git.grzb.de/yuri/nix-infra/-/blob/342a2f732da042d04e579d98e9f834418b7ebf25/users/colmena-deploy/default.nix
 # - https://nixos.org/manual/nix/stable/command-ref/conf-file.html?highlight=nix.conf#available-settings
 
-{ config, pkgs, lib, ... }:
+{ config, pkgs, lib, authorizedKeysRepo, ... }:
 
 let
-  authorizedKeysRepo = builtins.fetchGit {
-    url = "forgejo@git.hamburg.ccc.de:CCCHH/infrastructure-authorized-keys.git"; 
-    ref = "trunk";
-    rev = "686a6af22f6696f0c0595c56f463c078550049fc";
-  };
   authorizedKeys = builtins.filter (item: item != "") (lib.strings.splitString "\n" (builtins.readFile "${authorizedKeysRepo}/authorized_keys"));
 in
 {
diff --git a/flake.lock b/flake.lock
index a41bdb5..bd78ff8 100644
--- a/flake.lock
+++ b/flake.lock
@@ -1,5 +1,23 @@
 {
   "nodes": {
+    "authorizedKeysRepo": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1731276342,
+        "narHash": "sha256-plTYjM6zPzoBE/dp6EUrk9mCqmab278p8FqBCTX8Grc=",
+        "ref": "trunk",
+        "rev": "686a6af22f6696f0c0595c56f463c078550049fc",
+        "revCount": 17,
+        "type": "git",
+        "url": "https://git.hamburg.ccc.de:CCCHH/infrastructure-authorized-keys.git"
+      },
+      "original": {
+        "ref": "trunk",
+        "rev": "686a6af22f6696f0c0595c56f463c078550049fc",
+        "type": "git",
+        "url": "https://git.hamburg.ccc.de:CCCHH/infrastructure-authorized-keys.git"
+      }
+    },
     "nixlib": {
       "locked": {
         "lastModified": 1731200463,
@@ -68,6 +86,7 @@
     },
     "root": {
       "inputs": {
+        "authorizedKeysRepo": "authorizedKeysRepo",
         "nixos-generators": "nixos-generators",
         "nixpkgs": "nixpkgs_2",
         "sops-nix": "sops-nix"
diff --git a/flake.nix b/flake.nix
index 5d1d5e3..b7424db 100644
--- a/flake.nix
+++ b/flake.nix
@@ -20,10 +20,18 @@
       url = "github:Mic92/sops-nix";
       inputs.nixpkgs.follows = "nixpkgs";
     };
+
+    authorizedKeysRepo = {
+      url = "git+https://git.hamburg.ccc.de:CCCHH/infrastructure-authorized-keys.git?ref=trunk&rev=686a6af22f6696f0c0595c56f463c078550049fc";
+      flake = false;
+    };
   };
 
-  outputs = { self, nixpkgs, nixos-generators, sops-nix, ... }:
+  outputs = { self, nixpkgs, nixos-generators, sops-nix, authorizedKeysRepo, ... }:
     let
+      specialArgs = {
+        inherit authorizedKeysRepo;
+      };
       system = "x86_64-linux";
     in
     {
@@ -43,7 +51,7 @@
       };
       nixosConfigurations = {
         audio-hauptraum-kueche = nixpkgs.lib.nixosSystem {
-          inherit system;
+          inherit system specialArgs;
           modules = [
             self.nixosModules.common
             self.nixosModules.proxmox-vm
@@ -53,7 +61,7 @@
         };
 
         audio-hauptraum-tafel = nixpkgs.lib.nixosSystem {
-          inherit system;
+          inherit system specialArgs;
           modules = [
             self.nixosModules.common
             self.nixosModules.proxmox-vm
@@ -63,7 +71,7 @@
         };
 
         esphome = nixpkgs.lib.nixosSystem {
-          inherit system;
+          inherit system specialArgs;
           modules = [
             self.nixosModules.common
             self.nixosModules.proxmox-vm
@@ -72,7 +80,7 @@
         };
 
         public-reverse-proxy = nixpkgs.lib.nixosSystem {
-          inherit system;
+          inherit system specialArgs;
           modules = [
             self.nixosModules.common
             self.nixosModules.proxmox-vm
@@ -81,7 +89,7 @@
         };
 
         netbox = nixpkgs.lib.nixosSystem {
-          inherit system;
+          inherit system specialArgs;
           modules = [
             self.nixosModules.common
             self.nixosModules.proxmox-vm
@@ -92,7 +100,7 @@
         };
 
         matrix = nixpkgs.lib.nixosSystem {
-          inherit system;
+          inherit system specialArgs;
           modules = [
             self.nixosModules.common
             self.nixosModules.proxmox-vm
@@ -103,7 +111,7 @@
         };
 
         public-web-static = nixpkgs.lib.nixosSystem {
-          inherit system;
+          inherit system specialArgs;
           modules = [
             self.nixosModules.common
             self.nixosModules.proxmox-vm
@@ -114,7 +122,7 @@
         };
 
         git = nixpkgs.lib.nixosSystem {
-          inherit system;
+          inherit system specialArgs;
           modules = [
             self.nixosModules.common
             self.nixosModules.proxmox-vm
@@ -125,7 +133,7 @@
         };
 
         forgejo-actions-runner = nixpkgs.lib.nixosSystem {
-          inherit system;
+          inherit system specialArgs;
           modules = [
             self.nixosModules.common
             self.nixosModules.proxmox-vm
@@ -136,7 +144,7 @@
         };
 
         ptouch-print-server = nixpkgs.lib.nixosSystem {
-          inherit system;
+          inherit system specialArgs;
           modules = [
             self.nixosModules.common
             self.nixosModules.proxmox-vm
@@ -145,7 +153,7 @@
         };
 
         eh22-wiki = nixpkgs.lib.nixosSystem {
-          inherit system;
+          inherit system specialArgs;
           modules = [
             self.nixosModules.common
             self.nixosModules.proxmox-vm
@@ -155,7 +163,7 @@
         };
 
         nix-box-june = nixpkgs.lib.nixosSystem {
-          inherit system;
+          inherit system specialArgs;
           modules = [
             self.nixosModules.common
             self.nixosModules.proxmox-vm
@@ -165,7 +173,7 @@
         };
 
         yate = nixpkgs.lib.nixosSystem {
-          inherit system;
+          inherit system specialArgs;
           modules = [
             self.nixosModules.common
             self.nixosModules.proxmox-vm
@@ -174,7 +182,7 @@
         };
 
         mqtt = nixpkgs.lib.nixosSystem {
-          inherit system;
+          inherit system specialArgs;
           modules = [
             self.nixosModules.common
             self.nixosModules.proxmox-vm
@@ -183,7 +191,7 @@
         };
 
         mjolnir = nixpkgs.lib.nixosSystem {
-          inherit system;
+          inherit system specialArgs;
           modules = [
             self.nixosModules.common
             self.nixosModules.proxmox-vm
@@ -194,7 +202,7 @@
         };
 
         woodpecker = nixpkgs.lib.nixosSystem {
-          inherit system;
+          inherit system specialArgs;
           modules = [
             self.nixosModules.common
             self.nixosModules.proxmox-vm
@@ -205,7 +213,7 @@
         };
 
         status = nixpkgs.lib.nixosSystem {
-          inherit system;
+          inherit system specialArgs;
           modules = [
             self.nixosModules.common
             self.nixosModules.proxmox-vm
@@ -215,7 +223,7 @@
         };
 
         penpot = nixpkgs.lib.nixosSystem {
-          inherit system;
+          inherit system specialArgs;
           modules = [
             self.nixosModules.common
             self.nixosModules.proxmox-vm
@@ -226,7 +234,7 @@
         };
 
         hydra = nixpkgs.lib.nixosSystem {
-          inherit system;
+          inherit system specialArgs;
           modules = [
             self.nixosModules.common
             self.nixosModules.proxmox-vm
@@ -238,6 +246,7 @@
 
       packages.x86_64-linux = {
         proxmox-nixos-template = nixos-generators.nixosGenerate {
+          inherit specialArgs;
           system = "x86_64-linux";
           modules = [
             ./config/nixos-generators/proxmox.nix
@@ -248,6 +257,7 @@
         };
 
         proxmox-chaosknoten-nixos-template = nixos-generators.nixosGenerate {
+          inherit specialArgs;
           system = "x86_64-linux";
           modules = [
             ./config/nixos-generators/proxmox-chaosknoten.nix

From ecd9fe4adf1c148dab447b3ad175754274687155 Mon Sep 17 00:00:00 2001
From: c6ristian <c6ristian@christian.moe>
Date: Sun, 17 Nov 2024 21:04:47 +0100
Subject: [PATCH 123/170] fix: use http clone url from forgejo

---
 flake.lock | 4 ++--
 flake.nix  | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/flake.lock b/flake.lock
index bd78ff8..2d7ddf8 100644
--- a/flake.lock
+++ b/flake.lock
@@ -9,13 +9,13 @@
         "rev": "686a6af22f6696f0c0595c56f463c078550049fc",
         "revCount": 17,
         "type": "git",
-        "url": "https://git.hamburg.ccc.de:CCCHH/infrastructure-authorized-keys.git"
+        "url": "https://git.hamburg.ccc.de/CCCHH/infrastructure-authorized-keys.git"
       },
       "original": {
         "ref": "trunk",
         "rev": "686a6af22f6696f0c0595c56f463c078550049fc",
         "type": "git",
-        "url": "https://git.hamburg.ccc.de:CCCHH/infrastructure-authorized-keys.git"
+        "url": "https://git.hamburg.ccc.de/CCCHH/infrastructure-authorized-keys.git"
       }
     },
     "nixlib": {
diff --git a/flake.nix b/flake.nix
index b7424db..273a82c 100644
--- a/flake.nix
+++ b/flake.nix
@@ -22,7 +22,7 @@
     };
 
     authorizedKeysRepo = {
-      url = "git+https://git.hamburg.ccc.de:CCCHH/infrastructure-authorized-keys.git?ref=trunk&rev=686a6af22f6696f0c0595c56f463c078550049fc";
+      url = "git+https://git.hamburg.ccc.de/CCCHH/infrastructure-authorized-keys.git?ref=trunk&rev=686a6af22f6696f0c0595c56f463c078550049fc";
       flake = false;
     };
   };

From e3c677ea9bcecf541e8e90b9bd27c27ef363c65d Mon Sep 17 00:00:00 2001
From: jopejoe1 <johannes@joens.email>
Date: Sun, 17 Nov 2024 21:14:46 +0100
Subject: [PATCH 124/170] fix: use tar file

---
 flake.lock | 12 ++++--------
 flake.nix  |  2 +-
 2 files changed, 5 insertions(+), 9 deletions(-)

diff --git a/flake.lock b/flake.lock
index 2d7ddf8..be287b5 100644
--- a/flake.lock
+++ b/flake.lock
@@ -5,17 +5,13 @@
       "locked": {
         "lastModified": 1731276342,
         "narHash": "sha256-plTYjM6zPzoBE/dp6EUrk9mCqmab278p8FqBCTX8Grc=",
-        "ref": "trunk",
         "rev": "686a6af22f6696f0c0595c56f463c078550049fc",
-        "revCount": 17,
-        "type": "git",
-        "url": "https://git.hamburg.ccc.de/CCCHH/infrastructure-authorized-keys.git"
+        "type": "tarball",
+        "url": "https://git.hamburg.ccc.de/api/v1/repos/CCCHH/infrastructure-authorized-keys/archive/686a6af22f6696f0c0595c56f463c078550049fc.tar.gz?rev=686a6af22f6696f0c0595c56f463c078550049fc"
       },
       "original": {
-        "ref": "trunk",
-        "rev": "686a6af22f6696f0c0595c56f463c078550049fc",
-        "type": "git",
-        "url": "https://git.hamburg.ccc.de/CCCHH/infrastructure-authorized-keys.git"
+        "type": "tarball",
+        "url": "https://git.hamburg.ccc.de/CCCHH/infrastructure-authorized-keys/archive/686a6af22f6696f0c0595c56f463c078550049fc.tar.gz"
       }
     },
     "nixlib": {
diff --git a/flake.nix b/flake.nix
index 273a82c..b7b74a4 100644
--- a/flake.nix
+++ b/flake.nix
@@ -22,7 +22,7 @@
     };
 
     authorizedKeysRepo = {
-      url = "git+https://git.hamburg.ccc.de/CCCHH/infrastructure-authorized-keys.git?ref=trunk&rev=686a6af22f6696f0c0595c56f463c078550049fc";
+      url = "https://git.hamburg.ccc.de/CCCHH/infrastructure-authorized-keys/archive/686a6af22f6696f0c0595c56f463c078550049fc.tar.gz";
       flake = false;
     };
   };

From c78c27862749e1ff3fe3b288330b4ab395c7be50 Mon Sep 17 00:00:00 2001
From: c6ristian <c6ristian@christian.moe>
Date: Sun, 17 Nov 2024 22:43:51 +0100
Subject: [PATCH 125/170] Set WOODPECKER_LIMIT_MEM to 6 GB for woodpecker

so pipelines don't get killed by OOM.
---
 config/hosts/woodpecker/woodpecker-server/woodpecker-server.nix | 1 +
 1 file changed, 1 insertion(+)

diff --git a/config/hosts/woodpecker/woodpecker-server/woodpecker-server.nix b/config/hosts/woodpecker/woodpecker-server/woodpecker-server.nix
index 2baafc5..1836b73 100644
--- a/config/hosts/woodpecker/woodpecker-server/woodpecker-server.nix
+++ b/config/hosts/woodpecker/woodpecker-server/woodpecker-server.nix
@@ -22,6 +22,7 @@
       WOODPECKER_DATABASE_DATASOURCE = "postgresql://woodpecker-server@/woodpecker-server?host=/run/postgresql";
       WOODPECKER_FORGEJO = "true";
       WOODPECKER_FORGEJO_URL = "https://git.hamburg.ccc.de";
+      WOODPECKER_LIMIT_MEM = "6442450944"; # 6GB
       # Set via enviornmentFile:
       # WOODPECKER_FORGEJO_CLIENT
       # WOODPECKER_FORGEJO_SECRET

From 67ab856b82f90ad45a62018ad8af1482f4162ce3 Mon Sep 17 00:00:00 2001
From: June <june@jsts.xyz>
Date: Sun, 8 Dec 2024 18:57:36 +0100
Subject: [PATCH 126/170] flake.lock: Update
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Flake lock file updates:

• Updated input 'authorizedKeysRepo':
    'https://git.hamburg.ccc.de/api/v1/repos/CCCHH/infrastructure-authorized-keys/archive/686a6af22f6696f0c0595c56f463c078550049fc.tar.gz?narHash=sha256-plTYjM6zPzoBE/dp6EUrk9mCqmab278p8FqBCTX8Grc%3D&rev=686a6af22f6696f0c0595c56f463c078550049fc' (2024-11-10)
  → 'https://git.hamburg.ccc.de/api/v1/repos/CCCHH/infrastructure-authorized-keys/archive/686a6af22f6696f0c0595c56f463c078550049fc.tar.gz?narHash=sha256-plTYjM6zPzoBE/dp6EUrk9mCqmab278p8FqBCTX8Grc%3D' (2024-11-10)
• Updated input 'nixos-generators':
    'github:nix-community/nixos-generators/06ffce1a8d95e95c06a4bcfa117dd960b14a7101?narHash=sha256-kJix8nLyFIJ3EC7VtoXK/85C4ZN2dC5oWoS8%2BErehqI%3D' (2024-11-14)
  → 'github:nix-community/nixos-generators/8cdaf8885c9c85d9d27b594dbe882406aadfe00e?narHash=sha256-bNXO%2BOGxrOjAxv/Lnyj84tNDicJ/FdLyLJHzOKSzYU8%3D' (2024-12-05)
• Updated input 'nixos-generators/nixlib':
    'github:nix-community/nixpkgs.lib/e04234d263750db01c78a412690363dc2226e68a?narHash=sha256-qDaAweJjdFbVExqs8aG27urUgcgKufkIngHW3Rzustg%3D' (2024-11-10)
  → 'github:nix-community/nixpkgs.lib/0e4fdd4a0ab733276b6d2274ff84ae353f17129e?narHash=sha256-qiyO0GrTvbp869U4VGX5GhAZ00fSiPXszvosY1AgKQ8%3D' (2024-12-01)
• Updated input 'nixos-generators/nixpkgs':
    'github:NixOS/nixpkgs/aebe249544837ce42588aa4b2e7972222ba12e8f?narHash=sha256-vmLS8%2Bx%2BgHRv1yzj3n%2BGTAEObwmhxmkkukB2DwtJRdU%3D' (2024-11-10)
  → 'github:NixOS/nixpkgs/2c15aa59df0017ca140d9ba302412298ab4bf22a?narHash=sha256-9hbb1rqGelllb4kVUCZ307G2k3/UhmA8PPGBoyuWaSw%3D' (2024-12-02)
• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/bf6132dc791dbdff8b6894c3a85eb27ad8255682?narHash=sha256-aNc8irVBH7sM5cGDvqdOueg8S%2BfGakf0rEMRGfGwWZw%3D' (2024-11-17)
  → 'github:nixos/nixpkgs/65d98ad2a50103eee5f72335bf69b7bae9d92612?narHash=sha256-t9/YFvqti1dE/tqeTunf8LGgjlwS6iSE8xl5KV/zcII%3D' (2024-12-08)
• Updated input 'sops-nix':
    'github:Mic92/sops-nix/472741cf3fee089241ac9ea705bb2b9e0bfa2978?narHash=sha256-NVUTFxKrJp/hjehlF1IvkPnlRYg/O9HFVutbxOM8zNM%3D' (2024-11-17)
  → 'github:Mic92/sops-nix/c6134b6fff6bda95a1ac872a2a9d5f32e3c37856?narHash=sha256-m6/qwJAJYcidGMEdLqjKzRIjapK4nUfMq7rDCTmZajc%3D' (2024-12-02)
---
 flake.lock | 32 ++++++++++++++++----------------
 1 file changed, 16 insertions(+), 16 deletions(-)

diff --git a/flake.lock b/flake.lock
index be287b5..9037a60 100644
--- a/flake.lock
+++ b/flake.lock
@@ -7,7 +7,7 @@
         "narHash": "sha256-plTYjM6zPzoBE/dp6EUrk9mCqmab278p8FqBCTX8Grc=",
         "rev": "686a6af22f6696f0c0595c56f463c078550049fc",
         "type": "tarball",
-        "url": "https://git.hamburg.ccc.de/api/v1/repos/CCCHH/infrastructure-authorized-keys/archive/686a6af22f6696f0c0595c56f463c078550049fc.tar.gz?rev=686a6af22f6696f0c0595c56f463c078550049fc"
+        "url": "https://git.hamburg.ccc.de/api/v1/repos/CCCHH/infrastructure-authorized-keys/archive/686a6af22f6696f0c0595c56f463c078550049fc.tar.gz"
       },
       "original": {
         "type": "tarball",
@@ -16,11 +16,11 @@
     },
     "nixlib": {
       "locked": {
-        "lastModified": 1731200463,
-        "narHash": "sha256-qDaAweJjdFbVExqs8aG27urUgcgKufkIngHW3Rzustg=",
+        "lastModified": 1733015484,
+        "narHash": "sha256-qiyO0GrTvbp869U4VGX5GhAZ00fSiPXszvosY1AgKQ8=",
         "owner": "nix-community",
         "repo": "nixpkgs.lib",
-        "rev": "e04234d263750db01c78a412690363dc2226e68a",
+        "rev": "0e4fdd4a0ab733276b6d2274ff84ae353f17129e",
         "type": "github"
       },
       "original": {
@@ -35,11 +35,11 @@
         "nixpkgs": "nixpkgs"
       },
       "locked": {
-        "lastModified": 1731546190,
-        "narHash": "sha256-kJix8nLyFIJ3EC7VtoXK/85C4ZN2dC5oWoS8+ErehqI=",
+        "lastModified": 1733360821,
+        "narHash": "sha256-bNXO+OGxrOjAxv/Lnyj84tNDicJ/FdLyLJHzOKSzYU8=",
         "owner": "nix-community",
         "repo": "nixos-generators",
-        "rev": "06ffce1a8d95e95c06a4bcfa117dd960b14a7101",
+        "rev": "8cdaf8885c9c85d9d27b594dbe882406aadfe00e",
         "type": "github"
       },
       "original": {
@@ -50,11 +50,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1731245184,
-        "narHash": "sha256-vmLS8+x+gHRv1yzj3n+GTAEObwmhxmkkukB2DwtJRdU=",
+        "lastModified": 1733097829,
+        "narHash": "sha256-9hbb1rqGelllb4kVUCZ307G2k3/UhmA8PPGBoyuWaSw=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "aebe249544837ce42588aa4b2e7972222ba12e8f",
+        "rev": "2c15aa59df0017ca140d9ba302412298ab4bf22a",
         "type": "github"
       },
       "original": {
@@ -66,11 +66,11 @@
     },
     "nixpkgs_2": {
       "locked": {
-        "lastModified": 1731842749,
-        "narHash": "sha256-aNc8irVBH7sM5cGDvqdOueg8S+fGakf0rEMRGfGwWZw=",
+        "lastModified": 1733647408,
+        "narHash": "sha256-t9/YFvqti1dE/tqeTunf8LGgjlwS6iSE8xl5KV/zcII=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "bf6132dc791dbdff8b6894c3a85eb27ad8255682",
+        "rev": "65d98ad2a50103eee5f72335bf69b7bae9d92612",
         "type": "github"
       },
       "original": {
@@ -95,11 +95,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1731862312,
-        "narHash": "sha256-NVUTFxKrJp/hjehlF1IvkPnlRYg/O9HFVutbxOM8zNM=",
+        "lastModified": 1733128155,
+        "narHash": "sha256-m6/qwJAJYcidGMEdLqjKzRIjapK4nUfMq7rDCTmZajc=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "472741cf3fee089241ac9ea705bb2b9e0bfa2978",
+        "rev": "c6134b6fff6bda95a1ac872a2a9d5f32e3c37856",
         "type": "github"
       },
       "original": {

From a039b3febf08f37f26fa590e8e0ada1c33e26850 Mon Sep 17 00:00:00 2001
From: June <june@jsts.xyz>
Date: Sun, 8 Dec 2024 22:21:15 +0100
Subject: [PATCH 127/170] update nixpkgs to 24.11 (small)

Also use non-lts forgejo and adjust config for 24.11.
---
 config/hosts/git/forgejo.nix | 10 ++++++++--
 flake.lock                   |  8 ++++----
 flake.nix                    |  2 +-
 3 files changed, 13 insertions(+), 7 deletions(-)

diff --git a/config/hosts/git/forgejo.nix b/config/hosts/git/forgejo.nix
index a57a37f..665815d 100644
--- a/config/hosts/git/forgejo.nix
+++ b/config/hosts/git/forgejo.nix
@@ -7,13 +7,19 @@
 # - https://codeberg.org/forgejo/forgejo/src/branch/forgejo/docs/content/administration/reverse-proxies.en-us.md
 # - https://forgejo.org/docs/latest/admin/email-setup/
 
-{ pkgs-unstable, ... }:
+{ pkgs, ... }:
 
 {
   services.forgejo = {
     enable = true;
+    package = pkgs.forgejo;
     database.type = "postgres";
-    mailerPasswordFile = "/run/secrets/forgejo_git_smtp_password";
+
+    secrets = {
+      mailer = {
+        PASSWD = "/run/secrets/forgejo_git_smtp_password";
+      };
+    };
 
     settings = {
       DEFAULT = {
diff --git a/flake.lock b/flake.lock
index 9037a60..f6666c8 100644
--- a/flake.lock
+++ b/flake.lock
@@ -66,16 +66,16 @@
     },
     "nixpkgs_2": {
       "locked": {
-        "lastModified": 1733647408,
-        "narHash": "sha256-t9/YFvqti1dE/tqeTunf8LGgjlwS6iSE8xl5KV/zcII=",
+        "lastModified": 1733642008,
+        "narHash": "sha256-ijS1XixgnF1UW1wnsO5J7rw5li0n6SZCBQWCYSfJwXw=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "65d98ad2a50103eee5f72335bf69b7bae9d92612",
+        "rev": "5e7591e5e8c8cddc1e9c7cad01033e6c2d560cd0",
         "type": "github"
       },
       "original": {
         "owner": "nixos",
-        "ref": "nixos-24.05-small",
+        "ref": "nixos-24.11-small",
         "repo": "nixpkgs",
         "type": "github"
       }
diff --git a/flake.nix b/flake.nix
index b7b74a4..9e66803 100644
--- a/flake.nix
+++ b/flake.nix
@@ -5,7 +5,7 @@
     # Use the NixOS small channels for nixpkgs.
     # https://nixos.org/manual/nixos/stable/#sec-upgrading
     # https://github.com/NixOS/nixpkgs
-    nixpkgs.url = "github:nixos/nixpkgs/nixos-24.05-small";
+    nixpkgs.url = "github:nixos/nixpkgs/nixos-24.11-small";
 
     # Add nixos-generators as an input.
     # See here: https://github.com/nix-community/nixos-generators#using-in-a-flake

From 8764841759382651691620c7c4ba607e02036b98 Mon Sep 17 00:00:00 2001
From: jopejoe1 <johannes@joens.email>
Date: Mon, 9 Dec 2024 21:21:17 +0100
Subject: [PATCH 128/170] shairport-sync: use airplay2 variant instead of
 custome overlay

---
 flake.nix                                 | 11 -----------
 modules/services/audio/shairport-sync.nix |  1 +
 2 files changed, 1 insertion(+), 11 deletions(-)

diff --git a/flake.nix b/flake.nix
index 9e66803..dd85023 100644
--- a/flake.nix
+++ b/flake.nix
@@ -35,15 +35,6 @@
       system = "x86_64-linux";
     in
     {
-      overlays = {
-        shairportSyncAirplay2 = final: prev: {
-          shairport-sync = (prev.shairport-sync.override { enableMetadata = true; enableAirplay2 = true; }).overrideAttrs (finalAttr: previousAttr: {
-            # See: https://github.com/mikebrady/shairport-sync/blob/e78a88b64adfe7b5f88fd6faedf55c57445bb240/CONFIGURATION%20FLAGS.md
-            configureFlags = previousAttr.configureFlags ++ [ "--with-mqtt-client" ];
-            buildInputs = previousAttr.buildInputs ++ [ final.mosquitto ];
-          });
-        };
-      };
       nixosModules = {
         common = ./config/common;
         proxmox-vm = ./config/proxmox-vm;
@@ -55,7 +46,6 @@
           modules = [
             self.nixosModules.common
             self.nixosModules.proxmox-vm
-            { nixpkgs.overlays = [ self.overlays.shairportSyncAirplay2 ]; }
             ./config/hosts/audio-hauptraum-kueche
           ];
         };
@@ -65,7 +55,6 @@
           modules = [
             self.nixosModules.common
             self.nixosModules.proxmox-vm
-            { nixpkgs.overlays = [ self.overlays.shairportSyncAirplay2 ]; }
             ./config/hosts/audio-hauptraum-tafel
           ];
         };
diff --git a/modules/services/audio/shairport-sync.nix b/modules/services/audio/shairport-sync.nix
index cbc58e7..43d1285 100644
--- a/modules/services/audio/shairport-sync.nix
+++ b/modules/services/audio/shairport-sync.nix
@@ -17,6 +17,7 @@ in
   config = mkIf cfg.enable {
     services.shairport-sync = {
       enable = true;
+      package = pkgs.shairport-sync-airplay2;
       arguments = "-o pw -v";
     };
 

From fa9c8e7ac1edfb47979cc7722c95ebf8243ff1d1 Mon Sep 17 00:00:00 2001
From: c6ristian <c6ristian@christian.moe>
Date: Mon, 16 Dec 2024 22:50:00 +0100
Subject: [PATCH 129/170] flake.lock: Update
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Flake lock file updates:

• Updated input 'authorizedKeysRepo':
    'https://git.hamburg.ccc.de/api/v1/repos/CCCHH/infrastructure-authorized-keys/archive/686a6af22f6696f0c0595c56f463c078550049fc.tar.gz?narHash=sha256-plTYjM6zPzoBE/dp6EUrk9mCqmab278p8FqBCTX8Grc%3D' (2024-11-10)
  → 'https://git.hamburg.ccc.de/api/v1/repos/CCCHH/infrastructure-authorized-keys/archive/686a6af22f6696f0c0595c56f463c078550049fc.tar.gz?narHash=sha256-plTYjM6zPzoBE/dp6EUrk9mCqmab278p8FqBCTX8Grc%3D&rev=686a6af22f6696f0c0595c56f463c078550049fc' (2024-11-10)
• Updated input 'nixos-generators':
    'github:nix-community/nixos-generators/8cdaf8885c9c85d9d27b594dbe882406aadfe00e' (2024-12-05)
  → 'github:nix-community/nixos-generators/a5278f7c326205681f1f42a90fa46a75a13627eb' (2024-12-16)
• Updated input 'nixos-generators/nixlib':
    'github:nix-community/nixpkgs.lib/0e4fdd4a0ab733276b6d2274ff84ae353f17129e' (2024-12-01)
  → 'github:nix-community/nixpkgs.lib/538697b664a64fade8ce628d01f35d1f1fd82d77' (2024-12-15)
• Updated input 'nixos-generators/nixpkgs':
    'github:NixOS/nixpkgs/2c15aa59df0017ca140d9ba302412298ab4bf22a' (2024-12-02)
  → 'github:NixOS/nixpkgs/71a6392e367b08525ee710a93af2e80083b5b3e2' (2024-12-13)
• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/5e7591e5e8c8cddc1e9c7cad01033e6c2d560cd0' (2024-12-08)
  → 'github:nixos/nixpkgs/eb919d9300b6a18f8583f58aef16db458fbd7bec' (2024-12-15)
• Updated input 'sops-nix':
    'github:Mic92/sops-nix/c6134b6fff6bda95a1ac872a2a9d5f32e3c37856' (2024-12-02)
  → 'github:Mic92/sops-nix/2d73fc6ac4eba4b9a83d3cb8275096fbb7ab4004' (2024-12-12)
---
 flake.lock | 32 ++++++++++++++++----------------
 1 file changed, 16 insertions(+), 16 deletions(-)

diff --git a/flake.lock b/flake.lock
index f6666c8..18512ce 100644
--- a/flake.lock
+++ b/flake.lock
@@ -7,7 +7,7 @@
         "narHash": "sha256-plTYjM6zPzoBE/dp6EUrk9mCqmab278p8FqBCTX8Grc=",
         "rev": "686a6af22f6696f0c0595c56f463c078550049fc",
         "type": "tarball",
-        "url": "https://git.hamburg.ccc.de/api/v1/repos/CCCHH/infrastructure-authorized-keys/archive/686a6af22f6696f0c0595c56f463c078550049fc.tar.gz"
+        "url": "https://git.hamburg.ccc.de/api/v1/repos/CCCHH/infrastructure-authorized-keys/archive/686a6af22f6696f0c0595c56f463c078550049fc.tar.gz?rev=686a6af22f6696f0c0595c56f463c078550049fc"
       },
       "original": {
         "type": "tarball",
@@ -16,11 +16,11 @@
     },
     "nixlib": {
       "locked": {
-        "lastModified": 1733015484,
-        "narHash": "sha256-qiyO0GrTvbp869U4VGX5GhAZ00fSiPXszvosY1AgKQ8=",
+        "lastModified": 1734224914,
+        "narHash": "sha256-hKWALzQ/RxxXdKWsLKXULru6XTag9Cc5exgVyS4a/AE=",
         "owner": "nix-community",
         "repo": "nixpkgs.lib",
-        "rev": "0e4fdd4a0ab733276b6d2274ff84ae353f17129e",
+        "rev": "538697b664a64fade8ce628d01f35d1f1fd82d77",
         "type": "github"
       },
       "original": {
@@ -35,11 +35,11 @@
         "nixpkgs": "nixpkgs"
       },
       "locked": {
-        "lastModified": 1733360821,
-        "narHash": "sha256-bNXO+OGxrOjAxv/Lnyj84tNDicJ/FdLyLJHzOKSzYU8=",
+        "lastModified": 1734311693,
+        "narHash": "sha256-ODRrnbaUsOe3e4kp+uHl+iJxey5zE3kqiBqJWQxrlnY=",
         "owner": "nix-community",
         "repo": "nixos-generators",
-        "rev": "8cdaf8885c9c85d9d27b594dbe882406aadfe00e",
+        "rev": "a5278f7c326205681f1f42a90fa46a75a13627eb",
         "type": "github"
       },
       "original": {
@@ -50,11 +50,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1733097829,
-        "narHash": "sha256-9hbb1rqGelllb4kVUCZ307G2k3/UhmA8PPGBoyuWaSw=",
+        "lastModified": 1734126203,
+        "narHash": "sha256-0XovF7BYP50rTD2v4r55tR5MuBLet7q4xIz6Rgh3BBU=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "2c15aa59df0017ca140d9ba302412298ab4bf22a",
+        "rev": "71a6392e367b08525ee710a93af2e80083b5b3e2",
         "type": "github"
       },
       "original": {
@@ -66,11 +66,11 @@
     },
     "nixpkgs_2": {
       "locked": {
-        "lastModified": 1733642008,
-        "narHash": "sha256-ijS1XixgnF1UW1wnsO5J7rw5li0n6SZCBQWCYSfJwXw=",
+        "lastModified": 1734298236,
+        "narHash": "sha256-aWhhqY44xBjMoO9r5fyPp5u8tqUNWRZ/m/P+abMSs5c=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "5e7591e5e8c8cddc1e9c7cad01033e6c2d560cd0",
+        "rev": "eb919d9300b6a18f8583f58aef16db458fbd7bec",
         "type": "github"
       },
       "original": {
@@ -95,11 +95,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1733128155,
-        "narHash": "sha256-m6/qwJAJYcidGMEdLqjKzRIjapK4nUfMq7rDCTmZajc=",
+        "lastModified": 1733965552,
+        "narHash": "sha256-GZ4YtqkfyTjJFVCub5yAFWsHknG1nS/zfk7MuHht4Fs=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "c6134b6fff6bda95a1ac872a2a9d5f32e3c37856",
+        "rev": "2d73fc6ac4eba4b9a83d3cb8275096fbb7ab4004",
         "type": "github"
       },
       "original": {

From d36ff73123b6cad8b07e5fc83cf619f1c57a7316 Mon Sep 17 00:00:00 2001
From: c6ristian <c6ristian@christian.moe>
Date: Thu, 9 Jan 2025 21:44:31 +0100
Subject: [PATCH 130/170] flake.lock: Update
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Flake lock file updates:

• Updated input 'nixos-generators':
    'github:nix-community/nixos-generators/a5278f7c326205681f1f42a90fa46a75a13627eb' (2024-12-16)
  → 'github:nix-community/nixos-generators/051d1b2dda3b2e81b38d82e2b691e5c2f4d335f4' (2024-12-23)
• Updated input 'nixos-generators/nixlib':
    'github:nix-community/nixpkgs.lib/538697b664a64fade8ce628d01f35d1f1fd82d77' (2024-12-15)
  → 'github:nix-community/nixpkgs.lib/0a31e8d833173ae63e43fd9dbff1ccf09c4f778c' (2024-12-22)
• Updated input 'nixos-generators/nixpkgs':
    'github:NixOS/nixpkgs/71a6392e367b08525ee710a93af2e80083b5b3e2' (2024-12-13)
  → 'github:NixOS/nixpkgs/4989a246d7a390a859852baddb1013f825435cee' (2024-12-17)
• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/eb919d9300b6a18f8583f58aef16db458fbd7bec' (2024-12-15)
  → 'github:nixos/nixpkgs/530de2c83360057c1650fb8a37ef48cb9ad8f6a6' (2025-01-09)
• Updated input 'sops-nix':
    'github:Mic92/sops-nix/2d73fc6ac4eba4b9a83d3cb8275096fbb7ab4004' (2024-12-12)
  → 'github:Mic92/sops-nix/c9c88f08e3ee495e888b8d7c8624a0b2519cb773' (2025-01-06)
---
 flake.lock | 30 +++++++++++++++---------------
 1 file changed, 15 insertions(+), 15 deletions(-)

diff --git a/flake.lock b/flake.lock
index 18512ce..4625fa3 100644
--- a/flake.lock
+++ b/flake.lock
@@ -16,11 +16,11 @@
     },
     "nixlib": {
       "locked": {
-        "lastModified": 1734224914,
-        "narHash": "sha256-hKWALzQ/RxxXdKWsLKXULru6XTag9Cc5exgVyS4a/AE=",
+        "lastModified": 1734829460,
+        "narHash": "sha256-dPhc+f2wkmhMqMIfq+hColJdysgVxKP9ilZ5bR0NRZI=",
         "owner": "nix-community",
         "repo": "nixpkgs.lib",
-        "rev": "538697b664a64fade8ce628d01f35d1f1fd82d77",
+        "rev": "0a31e8d833173ae63e43fd9dbff1ccf09c4f778c",
         "type": "github"
       },
       "original": {
@@ -35,11 +35,11 @@
         "nixpkgs": "nixpkgs"
       },
       "locked": {
-        "lastModified": 1734311693,
-        "narHash": "sha256-ODRrnbaUsOe3e4kp+uHl+iJxey5zE3kqiBqJWQxrlnY=",
+        "lastModified": 1734915500,
+        "narHash": "sha256-A7CTIQ8SW0hfbhKlwK+vSsu4pD+Oaelw3v6goX6go+U=",
         "owner": "nix-community",
         "repo": "nixos-generators",
-        "rev": "a5278f7c326205681f1f42a90fa46a75a13627eb",
+        "rev": "051d1b2dda3b2e81b38d82e2b691e5c2f4d335f4",
         "type": "github"
       },
       "original": {
@@ -50,11 +50,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1734126203,
-        "narHash": "sha256-0XovF7BYP50rTD2v4r55tR5MuBLet7q4xIz6Rgh3BBU=",
+        "lastModified": 1734435836,
+        "narHash": "sha256-kMBQ5PRiFLagltK0sH+08aiNt3zGERC2297iB6vrvlU=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "71a6392e367b08525ee710a93af2e80083b5b3e2",
+        "rev": "4989a246d7a390a859852baddb1013f825435cee",
         "type": "github"
       },
       "original": {
@@ -66,11 +66,11 @@
     },
     "nixpkgs_2": {
       "locked": {
-        "lastModified": 1734298236,
-        "narHash": "sha256-aWhhqY44xBjMoO9r5fyPp5u8tqUNWRZ/m/P+abMSs5c=",
+        "lastModified": 1736408508,
+        "narHash": "sha256-WIGZ3DPw5H+SPszUXVacK+KTh3sJZShP1vGtDwhquNM=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "eb919d9300b6a18f8583f58aef16db458fbd7bec",
+        "rev": "530de2c83360057c1650fb8a37ef48cb9ad8f6a6",
         "type": "github"
       },
       "original": {
@@ -95,11 +95,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1733965552,
-        "narHash": "sha256-GZ4YtqkfyTjJFVCub5yAFWsHknG1nS/zfk7MuHht4Fs=",
+        "lastModified": 1736203741,
+        "narHash": "sha256-eSjkBwBdQk+TZWFlLbclF2rAh4JxbGg8az4w/Lfe7f4=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "2d73fc6ac4eba4b9a83d3cb8275096fbb7ab4004",
+        "rev": "c9c88f08e3ee495e888b8d7c8624a0b2519cb773",
         "type": "github"
       },
       "original": {

From 5676b1a4680dbe706686f38902f5607ec33330ff Mon Sep 17 00:00:00 2001
From: June <june@jsts.xyz>
Date: Tue, 14 Jan 2025 20:49:14 +0100
Subject: [PATCH 131/170] netbox: configure and patch NetBox for OIDC group and
 role mapping

The custom pipeline code is licensed under the Creative Commons: CC
BY-SA 4.0 license.

See:
https://github.com/goauthentik/authentik/blob/main/LICENSE
https://github.com/goauthentik/authentik/blob/main/website/integrations/services/netbox/index.md
https://docs.goauthentik.io/integrations/services/netbox/
---
 README.md                                     |  3 +-
 config/hosts/netbox/netbox.nix                | 21 ++++++-
 flake.nix                                     |  8 +++
 ...oup_and_role_mapping_custom_pipeline.patch | 61 +++++++++++++++++++
 4 files changed, 91 insertions(+), 2 deletions(-)
 create mode 100644 patches/0001_oidc_group_and_role_mapping_custom_pipeline.patch

diff --git a/README.md b/README.md
index 186f14a..def4e60 100644
--- a/README.md
+++ b/README.md
@@ -76,4 +76,5 @@ nix build .#proxmox-chaosknoten-nixos-template
 
 ## License
 
-This CCCHH nix-infra repository is licensed under the [MIT License](./LICENSE).
+This CCCHH nix-infra repository is licensed under the [MIT License](./LICENSE).  
+[`0001_oidc_group_and_role_mapping_custom_pipeline.patch`](patches/0001_oidc_group_and_role_mapping_custom_pipeline.patch) is licensed under the Creative Commons: CC BY-SA 4.0 license.
diff --git a/config/hosts/netbox/netbox.nix b/config/hosts/netbox/netbox.nix
index e0f2df9..f816016 100644
--- a/config/hosts/netbox/netbox.nix
+++ b/config/hosts/netbox/netbox.nix
@@ -9,7 +9,8 @@
 {
   services.netbox = {
     enable = true;
-    package = pkgs.netbox;
+    # Explicitly use the patched NetBox package.
+    package = pkgs.netbox_4_1;
     secretKeyFile = "/run/secrets/netbox_secret_key";
     keycloakClientSecret = "/run/secrets/netbox_keycloak_secret";
     settings = {
@@ -24,6 +25,24 @@
       SOCIAL_AUTH_KEYCLOAK_PUBLIC_KEY = "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAi/Shi+b2OyYNGVFPsa6qf9SesEpRl5U5rpwgmt8H7NawMvwpPUYVW9o46QW0ulYcDmysT3BzpP3tagO/SFNoOjZdYe0D9nJ7vEp8KHbzR09KCfkyQIi0wLssKnDotVHL5JeUY+iKk+gjiwF9FSFSHPBqsST7hXVAut9LkOvs2aDod9AzbTH/uYbt4wfUm5l/1Ii8D+K7YcsFGUIqxv4XS/ylKqObqN4M2dac69iIwapoh6reaBQEm66vrOzJ+3yi4DZuPrkShJqi2hddtoyZihyCkF+eJJKEI5LrBf1KZB3Ec2YUrqk93ZGUGs/XY6R87QSfR3hJ82B1wnF+c2pw+QIDAQAB";
       SOCIAL_AUTH_KEYCLOAK_AUTHORIZATION_URL = "https://id.hamburg.ccc.de/realms/ccchh/protocol/openid-connect/auth";
       SOCIAL_AUTH_KEYCLOAK_ACCESS_TOKEN_URL = "https://id.hamburg.ccc.de/realms/ccchh/protocol/openid-connect/token";
+      SOCIAL_AUTH_PIPELINE = [
+        # The default pipeline as can be found in:
+        # /nix/store/q2jsn56bgkj0nkz0j4w48x3klyn2x4gp-netbox-4.1.7/opt/netbox/netbox/netbox/settings.py
+        "social_core.pipeline.social_auth.social_details"
+        "social_core.pipeline.social_auth.social_uid"
+        "social_core.pipeline.social_auth.social_user"
+        "social_core.pipeline.user.get_username"
+        "social_core.pipeline.user.create_user"
+        "social_core.pipeline.social_auth.associate_user"
+        "netbox.authentication.user_default_groups_handler"
+        "social_core.pipeline.social_auth.load_extra_data"
+        "social_core.pipeline.user.user_details"
+        # Use custom pipeline functions patched in via netbox41OIDCMappingOverlay.
+        # See: https://docs.goauthentik.io/integrations/services/netbox/
+        "netbox.custom_pipeline.add_groups"
+        "netbox.custom_pipeline.remove_groups"
+        "netbox.custom_pipeline.set_roles"
+      ];
     };
   };
 
diff --git a/flake.nix b/flake.nix
index dd85023..fb4ed26 100644
--- a/flake.nix
+++ b/flake.nix
@@ -40,6 +40,13 @@
         proxmox-vm = ./config/proxmox-vm;
         prometheus-exporter = ./config/extra/prometheus-exporter.nix;
       };
+      overlays = {
+        netbox41OIDCMappingOverlay = final: prev: {
+          netbox_4_1 = prev.netbox_4_1.overrideAttrs (finalAttr: previousAttr: {
+            patches = previousAttr.patches ++ [ ./patches/0001_oidc_group_and_role_mapping_custom_pipeline.patch ];
+          });
+        };
+      };
       nixosConfigurations = {
         audio-hauptraum-kueche = nixpkgs.lib.nixosSystem {
           inherit system specialArgs;
@@ -85,6 +92,7 @@
             sops-nix.nixosModules.sops
             self.nixosModules.prometheus-exporter
             ./config/hosts/netbox
+            { nixpkgs.overlays = [ self.overlays.netbox41OIDCMappingOverlay ]; }
           ];
         };
 
diff --git a/patches/0001_oidc_group_and_role_mapping_custom_pipeline.patch b/patches/0001_oidc_group_and_role_mapping_custom_pipeline.patch
new file mode 100644
index 0000000..89f805a
--- /dev/null
+++ b/patches/0001_oidc_group_and_role_mapping_custom_pipeline.patch
@@ -0,0 +1,61 @@
+diff --git a/netbox/netbox/custom_pipeline.py b/netbox/netbox/custom_pipeline.py
+new file mode 100644
+index 000000000..470f388dc
+--- /dev/null
++++ b/netbox/netbox/custom_pipeline.py
+@@ -0,0 +1,55 @@
++# Licensed under Creative Commons: CC BY-SA 4.0 license.
++# https://github.com/goauthentik/authentik/blob/main/LICENSE
++# https://github.com/goauthentik/authentik/blob/main/website/integrations/services/netbox/index.md
++# https://docs.goauthentik.io/integrations/services/netbox/
++from netbox.authentication import Group
++
++class AuthFailed(Exception):
++    pass
++
++def add_groups(response, user, backend, *args, **kwargs):
++    try:
++        groups = response['groups']
++    except KeyError:
++        pass
++
++    # Add all groups from oAuth token
++    for group in groups:
++        group, created = Group.objects.get_or_create(name=group)
++        user.groups.add(group)
++
++def remove_groups(response, user, backend, *args, **kwargs):
++    try:
++        groups = response['groups']
++    except KeyError:
++        # Remove all groups if no groups in oAuth token
++        user.groups.clear()
++        pass
++
++    # Get all groups of user
++    user_groups = [item.name for item in user.groups.all()]
++    # Get groups of user which are not part of oAuth token
++    delete_groups = list(set(user_groups) - set(groups))
++
++    # Delete non oAuth token groups
++    for delete_group in delete_groups:
++        group = Group.objects.get(name=delete_group)
++        user.groups.remove(group)
++
++
++def set_roles(response, user, backend, *args, **kwargs):
++    # Remove Roles temporary
++    user.is_superuser = False
++    user.is_staff = False
++    try:
++        groups = response['groups']
++    except KeyError:
++        # When no groups are set
++        # save the user without Roles
++        user.save()
++        pass
++
++    # Set roles is role (superuser or staff) is in groups
++    user.is_superuser = True if 'superusers' in groups else False
++    user.is_staff = True if 'staff' in groups else False
++    user.save()

From f5bc9024b1036fd3591e759f4bd8ee4d62e27572 Mon Sep 17 00:00:00 2001
From: June <june@jsts.xyz>
Date: Tue, 14 Jan 2025 21:06:26 +0100
Subject: [PATCH 132/170] audio-hauptraum-*: move audio VMs to client network

Do this per request to hopefully improve mDNS discovery.
---
 config/hosts/audio-hauptraum-kueche/networking.nix | 6 +++---
 config/hosts/audio-hauptraum-tafel/networking.nix  | 6 +++---
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/config/hosts/audio-hauptraum-kueche/networking.nix b/config/hosts/audio-hauptraum-kueche/networking.nix
index 0118db4..6e1e7d8 100644
--- a/config/hosts/audio-hauptraum-kueche/networking.nix
+++ b/config/hosts/audio-hauptraum-kueche/networking.nix
@@ -5,13 +5,13 @@
     interfaces.net0 = {
       ipv4.addresses = [
         {
-          address = "10.31.210.10";
+          address = "172.31.200.14";
           prefixLength = 23;
         }
       ];
     };
-    defaultGateway = "10.31.210.1";
-    nameservers = [ "10.31.210.1" ];
+    defaultGateway = "172.31.200.1";
+    nameservers = [ "172.31.200.1" ];
   };
 
   systemd.network.links."10-net0" = {
diff --git a/config/hosts/audio-hauptraum-tafel/networking.nix b/config/hosts/audio-hauptraum-tafel/networking.nix
index 37185b7..e357d38 100644
--- a/config/hosts/audio-hauptraum-tafel/networking.nix
+++ b/config/hosts/audio-hauptraum-tafel/networking.nix
@@ -5,13 +5,13 @@
     interfaces.net0 = {
       ipv4.addresses = [
         {
-          address = "10.31.210.13";
+          address = "172.31.200.15";
           prefixLength = 23;
         }
       ];
     };
-    defaultGateway = "10.31.210.1";
-    nameservers = [ "10.31.210.1" ];
+    defaultGateway = "172.31.200.1";
+    nameservers = [ "172.31.200.1" ];
   };
 
   systemd.network.links."10-net0" = {

From d55438f104683955be6f81e9a521a32347c48b5a Mon Sep 17 00:00:00 2001
From: June <june@jsts.xyz>
Date: Sun, 19 Jan 2025 20:28:05 +0100
Subject: [PATCH 133/170] public-web-static: remove irc from spaceapi response
 as it's deprecated

---
 .../hosts/public-web-static/spaceapid-config/ccchh-response.json | 1 -
 1 file changed, 1 deletion(-)

diff --git a/config/hosts/public-web-static/spaceapid-config/ccchh-response.json b/config/hosts/public-web-static/spaceapid-config/ccchh-response.json
index 9a5793e..b49b2da 100644
--- a/config/hosts/public-web-static/spaceapid-config/ccchh-response.json
+++ b/config/hosts/public-web-static/spaceapid-config/ccchh-response.json
@@ -14,7 +14,6 @@
     },
     "contact": {
       "phone": "+49 40 23830150",
-      "irc": "ircs://irc.hackint.org:6697/#ccchh",
       "mastodon": "@ccchh@chaos.social",
       "email": "mail@hamburg.ccc.de",
       "ml": "talk@hamburg.ccc.de",

From 2904ebee158b1c3f447dea79417f2635dbd5a4e5 Mon Sep 17 00:00:00 2001
From: echtnurich <ich@echtnurich.de>
Date: Sat, 8 Jun 2024 22:18:23 +0200
Subject: [PATCH 134/170] add yate service for autostart

introduce /etc/yate, clone/reset on service start

Fix config via git

make yate systemd service

create yate service user

recreate the full config everytime

decolour the log because of blob data

make sure source is available before deleting config

change yate-config repo

fix yate deploy key

fix yate-config not pulling
---
 .sops.yaml                          |  17 ++
 config/hosts/yate/configuration.nix |   2 +
 config/hosts/yate/default.nix       |   1 +
 config/hosts/yate/secrets.yaml      | 233 ++++++++++++++++++++++++++++
 config/hosts/yate/service.nix       |  39 ++++-
 config/hosts/yate/sops.nix          |   7 +
 config/hosts/yate/yate.nix          |  15 ++
 flake.nix                           |   1 +
 8 files changed, 309 insertions(+), 6 deletions(-)
 create mode 100644 config/hosts/yate/secrets.yaml
 create mode 100644 config/hosts/yate/sops.nix

diff --git a/.sops.yaml b/.sops.yaml
index ec660ec..dedf3c1 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -15,6 +15,7 @@ keys:
   - &host_age_matrix age1f7ams0n2zy994pzt0u30h8tex6xdcernj59t4d70z4kjsyzrr3wsy87xzk
   - &host_age_netbox age13fqs76z2vl5l84dvmmlqjj5xkfsfe85xls8uueul7re9j3ksjs0sw2xc9e
   - &host_age_public_web_static age19s7r8sf7j6zk24x9vumawgxpd2q8epyv7p9qsjntw7v9s3v045mqhmsfp0
+  - &host_age_yate age1kxzl00cfa5v926cvtcp0l3fncwh6fgmk8jvpf4swkl4vh3hv9e5qyqsrnt
   - &host_age_mjolnir age1ej52kwuj8xraxdq685eejj4dmxpfmpgt4d8jka98rtpal6xcueqq9a6wae
   - &host_age_woodpecker age1klxtcr23hers0lh4f5zdd53tyrtg0jud35rhydstyjq9fjymf9hsn2a8ch
   - &host_age_penpot age10ku5rphtsf2lcxg78za7f2dad5cx5x9urgkce0d7tyqwq2enva9sqf7g8r
@@ -147,6 +148,22 @@ creation_rules:
           - *admin_gpg_dante
         age:
           - *host_age_penpot
+  - path_regex: config/hosts/yate/.*
+    key_groups:
+      - pgp:
+          - *admin_gpg_djerun
+          - *admin_gpg_stb
+          - *admin_gpg_jtbx
+          - *admin_gpg_yuri
+          - *admin_gpg_june
+          - *admin_gpg_haegar
+          - *admin_gpg_dario
+          - *admin_gpg_echtnurich
+          - *admin_gpg_max
+          - *admin_gpg_c6ristian
+          - *admin_gpg_dante
+        age:
+          - *host_age_yate
   - key_groups:
       - pgp:
           - *admin_gpg_djerun
diff --git a/config/hosts/yate/configuration.nix b/config/hosts/yate/configuration.nix
index 6b4bb71..f350966 100644
--- a/config/hosts/yate/configuration.nix
+++ b/config/hosts/yate/configuration.nix
@@ -6,5 +6,7 @@
     domain = "z9.ccchh.net";
   };
 
+#  users.users.chaos.password = "yes";
+
   system.stateVersion = "23.11";
 }
diff --git a/config/hosts/yate/default.nix b/config/hosts/yate/default.nix
index 5304abd..009e1a1 100644
--- a/config/hosts/yate/default.nix
+++ b/config/hosts/yate/default.nix
@@ -6,5 +6,6 @@
     ./networking.nix
     ./yate.nix
     ./service.nix
+    ./sops.nix
   ];
 }
diff --git a/config/hosts/yate/secrets.yaml b/config/hosts/yate/secrets.yaml
new file mode 100644
index 0000000..6235c17
--- /dev/null
+++ b/config/hosts/yate/secrets.yaml
@@ -0,0 +1,233 @@
+git_clone_key: ENC[AES256_GCM,data:Wss8NtyYXOmQ8fYbqKfbGQ+5l+ifNznis9OJ4p2HRPsExOFvgHH60t+D/gsOPTiwL0fEQKQn008Zo7VpIEhKIQM0fW3cd3ED3Tk8QX4hDRxyLl/lql5MlhTm4UMY58rNMBXgA88oR1lozgAa39KMH0MRUoSzrhvecwnAHO+RjZGXBN5zYIorqBVEk5h+1wUGSlV1TroZX9u0cWt11eH59AgKY/oP5mOrgA++E623Oc/DnTxlLbR//lFHW1JPiBSUFMP1ck6fg4PwnADYITgr1B1zdJz1J6jNC+n6S9bKDPnH5bvqmpvJIRmimxR4/R182RkIC+TBhD850cD1y9KSZa0Lh3DZ3LPrqGtZ6MHvpCgY/wPiTUANv6CJPcOAoskaaW57EiFl0ev3Jc3A+XFM6yqQOmmvNXx0hYz6ltlvtsltOcmz5TWooijwTaPS5UEwltYalrT9RNmC/ODkBRkSvuLEBWYwnu8aeo2f/+IxciG0PldDJED2ud6HSkDEXHcPCwodScpnk032Jrc+0qtI,iv:tCo4f5u/y/ZrAfT1N+eUNLy5pKAg/U0xa3cNQmzUgFs=,tag:03HK65hWjYnVzz+7C+HmsA==,type:str]
+sops:
+  kms: []
+  gcp_kms: []
+  azure_kv: []
+  hc_vault: []
+  age:
+    - recipient: age1kxzl00cfa5v926cvtcp0l3fncwh6fgmk8jvpf4swkl4vh3hv9e5qyqsrnt
+      enc: |
+        -----BEGIN AGE ENCRYPTED FILE-----
+        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4Rmg0UXBXcWcyRTV6ZGlP
+        TDY1RFBVaTlVQnJVV3NnU1ZTeEJzb2xsZXdJCnVFSGF0UjQ1OUpxcVNVb2F4K3Uw
+        KzZRYWtTaTJFd29zcmJENTRLMmZsUVkKLS0tIEdGaHRaOWFyeTMzSit4WFh1UGVS
+        bkRxanFoekdaQzZnSkFjNmhwNE1EdkUK5scD+5qe0QJvsgPHTrGQ4KrQLC8EHex1
+        xpImRJ0Y0R3e6p/WLwYbF236Ju2Z4f2Zg2Zw9/ErdM1McBJ8ll6yrw==
+        -----END AGE ENCRYPTED FILE-----
+  lastmodified: "2024-09-08T18:35:07Z"
+  mac: ENC[AES256_GCM,data:tyrfhBaTKnp1lqSPfkErk1UFoI7v/1az+zl9g3XoZ5Apo3CRixdLUldM9sYXqQT5WNrgO2NyZHqvyQOnFZiJuNhlYFSQbgwFFm3gz45BV8Do7QAhAG7+Q6q/Gz9VAqePQJlmzbfeL5iqJC2jhrcGIutO2cI22QULLkBzVVDg1/w=,iv:ayLonGC1F3vp6bh4pcAps6BvMzrG/yT2rPGAcUQ1Geg=,tag:1fIaRIFrzDTSP+oIUHABgQ==,type:str]
+  pgp:
+    - created_at: "2024-08-05T20:33:02Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hQIMAxK/JaB2/SdtAQ/8Dx0hTc0zZkd9+RXuKOXU8ZkKF54lcxfDTMH0rD2bKPhg
+        do/+I4VOSJxfyTvzFNjVXywSCEsws2+RyS73jF4048o4DrNQNG4P70GqXAqjDbQL
+        r+WCKT0if85JYPo/ho8nSRumo44BlbN2+Ftc5Z90UshW63VPU4Xm1Woqm8TOvs/0
+        cyhsigShwJGymnIEY4PwdT6fd/gkVVaoC9nCrkkSbaQZa1rXHud8+jLK+4TXebKl
+        Qk2G2cVivWBioT4wGjhZvQ6lLK4mlaqxiZF3aRYcUs1Hwgq1ZolbgiGPWG4xisFa
+        JgsqYRnmGnTM/33l57Cy8CpVHfprrapUXh2X2Ly/pBRQn+ns2zk1wkpTUHbwmyQi
+        ETLvw68PXbayoDNunMqZl2RWPjPnotNVeG5i2s+pwaEoDKAWcud2NPUWFb+gyftk
+        YNxMdp1CpXXOHpU4Ty+HHXAU/uLVVzLT91RLJAn+Y6rRyevg4UBSB/Y+lc5IMTfa
+        QPPLRPV6/P4LIWDlOdg/S3Q7ZwryNAogU/Hyuuz2xyS8LK7S7M0+BgVBrOkowazy
+        aGemt/BmQkyPQDpJTPxtdzsK1vvplol7uJnNou1h0krrgHlAzb++3i8+V4Z18dBg
+        GSeWIdSm+OD1HPDyD1054wEUAgPfRh0TZma+vDirH4RDH0tMubRGOLl17nV+/v7U
+        ZgEJAhCYgHEjsPDIpUoHopF1vkhxmhv6YqILLzDftbbmDQUqncs/mgnFCJPNnKVJ
+        ldwNj2kuAd2L5VRI0E9k0ZVzg/Aqb8B2wSTiJmQGWI3b0tNfGuC65fe7p8ceJ5vZ
+        et8Y1DEjVg==
+        =u7aP
+        -----END PGP MESSAGE-----
+      fp: EF643F59E008414882232C78FFA8331EEB7D6B70
+    - created_at: "2024-08-05T20:33:02Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hQIMA6EyPtWBEI+2ARAAsrHbA58mnccH/oWDgoEqwJx+ZkeSWo6Arc0nMhU/Qh+9
+        Nl/pKdKm3LsIwkKTRVGDxI4vFRo42LFZE47nyfa70G7GiM1uJnEOx6vLTN0HpL6S
+        YQi8Dbb/+WA7QnGDfaEiozGQzsPMAgSVAE3A0rlcLBqQwiGsfhHr1RwEggfXqMG4
+        twxWIbKI/8T088b1IFs7fOKxzEB6na7+HoNaG22jlvRY0irMfgti8xeflWmZIKf2
+        uY6gM2rCOtCSi8vZEhJiXb5SG1NbyMmVHsz0ZXHwwGsiDACFqISqfR921B0Cuftx
+        Nj2pIwKbGyOOsFjlbC3ZGUMplLzYpRMx8LetLMrksWSpzypWdeI166gjF4MncUlQ
+        gl5hM7gL/+6k86yxIqTeexVoU24NRcsYCnQKZAK5T2fxQxX0BXppWxju6Jq1erRU
+        JZsggrbxELMJfcyrDC1cH/zgAM1kqOi32ZaGiO3U1WA5fxhJPUy5kxoQXSISL7Ng
+        mrnnMKIWK7eClQb47a/lYWEIqw1UjJhCPmKVHlcSmiH8FATfr5KjHeFlK8Zou5Ji
+        yMbVS7s2P9MeEzdnNC8PSFwjM9K7qXuWJYvDQtUracfxgO3X0r7Z+5g62WmLVDcp
+        E26DzDyTrU6Vf6WANOg/V7C7paOasnpcaU62/C65BBtGH23mgEfkJSkBYJWCea7S
+        XAHLeksa73OaeO28kTspM4G/Nlh65lr2p92gmcpbqkARvw8dIOUrAqPMRjJHabZq
+        vLbFx/uqXDPfALVXNWKGZp3vObGPLImQ1EfjVCYzOlkXXnfVdE+ih9+HIYhX
+        =advR
+        -----END PGP MESSAGE-----
+      fp: F155144FC925A1BEA1F8A2C59A2A4CD59BFDC5EC
+    - created_at: "2024-08-05T20:33:02Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hQIMAz5uSgHG2iMJAQ//c9NMv/m/qGaJR+2jeu5VAbPwqIfBbrAEiV2s6TlzJRLz
+        7yEo9l/wh2WV+1Ew9dM5Pe8cgezjNaXgCeV8EEMu6dzOb1N++3TQJ7ET10DaOVec
+        ofEwDUYj8UHmV0VmhOPWLpceAod5wk4Xm4rlJTFjQ6TKN8U0dBoGS1cxHWwWw8oa
+        RebdNmpfSgkj0ohbeD9owxQ7JhqGlOPo1JCz7YI6c6bwQ1wuOC/XqnJt4F5ny8ty
+        y/qj1m9KrL5nRRc06qxNtmYODMuS+OeScfcI4grX7wMTUrqaFkCVHcboi5ZD6DzE
+        L49PT51/KK/lOlgKjSDfGgRRj9a9UO+7IXnMG0/5kDzRRBJDBzZH/5rujP8ffz+8
+        glxGBiBhsLroHbwn3a4BlDHpnuqCKa/7CmSyfGCNPp0TuMPvCVWf6muXA86wo5fQ
+        B/qKjvJV15qWJXdKDYyWJAg2B78/dROYbX142R9wPitP8zyj8b3jrzIcoIViAvkl
+        L3ZnnhqZxzkKcfc2rBsdadBEquz9+oGj6rKARyhFkT92in6zZO19fBZqTH5y/QYl
+        o0bDAbdQKJf36Eqh8G102z2x/Keo7gK/PWwwOi5YrFlgDVk4oBqAHWRgBiEvjSaO
+        Z7Ork1eeBUuZLAofzMoNNDaZS0KBfEgE3gczGpcRjjIwTDSIXM8NVtz7aXwZjUTS
+        XAG89qkxjGjlnJcRrE6izhiNbepWaOYYWb57VB5jL0TciQJHR7nbOGQh0T+tNKcb
+        fKyxZOL8IdGpoqxsRCuaPE5cEwc17XKuu53CfZo9t6hjh8SwRKWGnk7dkYhy
+        =vqhH
+        -----END PGP MESSAGE-----
+      fp: 18DFCE01456DAB52EA38A6584EDC64F35FA1D6A5
+    - created_at: "2024-08-05T20:33:02Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hQIMAw5vwmoEJHQ1ARAArape3cqNbLeWh0YdcG9fBcuzyrTGntyD6ccl9Wwc4aTd
+        +uNMhCl7758tETPPK4qneAYNSnbnFQcgKj0ATkVMhMuT58g15GMEyXvhUsIukpQ7
+        Ca5t+aVh1fmb1pvcWPd4MUUQzt8KKN99+0KfyWzvdsb2jUBKICG3TQvTWXT93+g4
+        LjG6TCW+wv06nTquaCEaR4IdEPJRfZEspUXDhi2Wr/AjXIlvfN/yhs2AyTjde5un
+        kha2iy85o2NikCYoIaqFvFaEDOGjdcT4g/jaErxXn8sSxOQo9aV/r5Ksm/mXyEI2
+        cSrbMfBXwrlrHNZ5VCbYZLbNjIbwFdBV04buZldDT4GYmBW/PG71NeKDrXrgnTOn
+        3fBkXmhFb3gLppMv2v2TY96lGk3Obbfnry1lsgLLW+SvustNe1en3mXSVciCbuEh
+        7bsb4AkJyJXSUFh8jQ1LWxcE9jsI6eIj9eb/tw0QmC0y8Q2fqOV927B8d7Pl2dyU
+        K0aryOwn+80ce7sBd/9JRL6SOHB2nK8BpmRO2blAmhrGEjX8kif9hFrXHLU2+7sb
+        QC0ccFjoleqhTgsnOXCHwfm0ggejvZhS3GLjABgXBp2LVVYuWZXVhCQuRLsUV2v3
+        Wf4fPWaGWw8tTTaW198H0NWfd/FSogzWQcsgknVWM9YS/zzqcQNYsSObwh2q2V/S
+        XAFWrPxSexFSi0XiXK7ahhnp7OTIMtw9dy3e0HQ/7F8guhvhwoTcK6bLY2967wyj
+        IPh1r+J6g090fN2QXm0oHTSJbhl+fy4bOkXVt/ATyPh6b0yRaxMgSGXWeh3C
+        =hGXq
+        -----END PGP MESSAGE-----
+      fp: 87AB00D45D37C9E9167B5A5A333448678B60E505
+    - created_at: "2024-08-05T20:33:02Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hQIMA4HMJd/cQYrVARAAwAzM+dgsD/WBFbCFIXhDdsLmmWZMeVLD1AlLTmu/GfGg
+        YvHhW4giEaqEzUsQOuxmyND7eQd3fBKf1GcwFLXE9xrR6YD5yh7s898mnCpBi2Xi
+        LBPMz7nN/j7mfetPklsTazbbaoSB9hVx8AK7jzS7zvzgEGIm8Yeilx/v8OqbT1xQ
+        +07soWjVvqM526a24KSdRBTgvXPJvqIPt0IEZzFWtAppectcRBiZJHX4huU5wOuG
+        SEk0vgwCwrt3cades+dbh59cSqUc65qGhDti0tnygnSKgepOkQsFOqoZ/WvgE+io
+        5fNEI4g2/D+gmSelCCcQE0MFe+Uzc1FpsWwZiHnbGfnA55GO0dvoOUAsJQtwCLSq
+        1Lw8bpywgfIfU4QMYmZAaYsHDly4VTwluFe1WnExzf/nMxRQQmqIlg2pTmNZ6tJ1
+        1A9Rc6mg83//2fNWRw+JBtOJUCePw5nyJ0jTOQZd7Dl0ZzwlsgH8g/Y/Flg1kFll
+        CXGcJ1TMjTjzD4+Fl3UE+BqpzBjwQodzHqX3LEJ9uJ2guw0zbWzuMs10aTEoW/1U
+        pVGexkrcaduykd5TQmMO8yG6rW2KEKJlh68lxZslUAiG0ASTuSpY5A8leS5OZZgF
+        EQjs903r1epwJgBwnQGhijpTrmqiThvdE0BJ9r1jmxUy75KzWh/SZDmpCwDfsELS
+        XAEceOrsLsaYRqisM5D1zvNneEoGKv3GoS4cs4iuqHPyy2ZueHWK24HmAmrghRQ7
+        uLCmS0SmU5CY5gmVRkrKhY/0wtKWqJ10cK17Z/dQtRz6g3qmFM4JBfMy4BL9
+        =vZLC
+        -----END PGP MESSAGE-----
+      fp: 91213ABAA73B0B73D3C02B5B4E5F372D17BBE67C
+    - created_at: "2024-08-05T20:33:02Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hQIMAxjNhCKPP69fARAApzEcBIVknhmysQc02ufbjFzKweB4jsCvGoPXSooMzs4x
+        p4keH/xaVXF1/nn+bzMHJt1/LV1/5LlyHtQNcZ30hUrziOy4LCnyfNgb5WP3VMP3
+        XW6ZcBiEIcUHZ1Ikl/cUNCpKazVRD6o6oKmFCwXKgE9a/l5XX/j3vizQ22vwfgfa
+        oziQPhMadfne8hXAJIB7fOn45ZLFNgLqYWW4Jh4L1DJflziNR8kx3NQJLWDmSqqB
+        SpuFBkm7DaLCkj/TpvAQs5xSI69kLlDfcaEPI4noAdhJh+jwGVLNmKyekKsYfrDS
+        5cQUVD3Hmn4WnpR2jLJAlwcFaEZt0muiLIxZmAxfSzJhld8G4GOcoAllfG9ze+QG
+        oJ3G6jWtJeoCZR5zbdk+lNcQ+iHD6bzrkN+54menxu2XGHkFKQ1es/g+cU0AI3yZ
+        XXgnlwNtC75TzZHwSA0kjmqcgr5XVcoLOr5XJWasQOyIXpjcHbfonnMV4NE5A/Jo
+        IEMLUdjLBWmjW1xeWo1CJ8hELbpfNaQf8YBzEuo5Yqvs7s0fKl8ea18jwtwYP9qc
+        2CbD+7GpxuK/06gMTt7LExcqt39PVGmeFAtZHNtNBMnZ6Ek5cbWqhjPOCy2MFVaa
+        XTH3UxD1YISZC+NZtSYLDWrTwzY3EYCttAxHzg1iFC8STaM/OR6beD0OPcPj+QLS
+        XAH6NdHQcUSsFJ0KR4dfOrOnuLDzX2xLsgXJvDhRVbpYwSdeG40j5oGiNpam+z8/
+        fDboI4SNzB7Mb4j196kSHWK90sKFsxGkoDGZM/QZh4QA2v0yke1sqkUwkK4I
+        =SLD4
+        -----END PGP MESSAGE-----
+      fp: F38C9D4228FC6F674E322D9C3326D914EB9B8F55
+    - created_at: "2024-08-05T20:33:02Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hQIMA1Hthzn+T1OoAQ/+LSHRuYFtIKdxABivqoxvbirPS9Vyo+lYNXMRt9eK5oYp
+        8ei+fyJgsyxXIIlsW2Dg/ZrM8O4aTxkuX1Eg0BhvuWWGBx71S7IGYX+6eSqrZWb+
+        0zLSwKHmk3avGae/IkpKyEdFnGpHKhnILfpKEXVRWHQo5hjxFzUwzNr5N+wJcq19
+        sVuCsu4WSt75Ab5bTjl/AYrfYegkK5zXo2I+njIcSYqleQ6vlQ10LUiPg8QhPXqB
+        NvC8DVglMHN+dFDrnn5huTsd23nIJn6HRbLkqgPCezT8JUgjvEsO0tOdnM8jwRnI
+        K79HH53p3fbxSut+/P+u1X0gMTOT7KeLfY8URho5HQnnmymXbRxuWoQea9/Z3qIX
+        4tfYkcMQA3+rxXANgsfT1yHEs8NjomUxi0SmSCeqtH333iMJJwEwWgLiIKFAA6t9
+        SffF9liWeG88VEeAF5dM+7uQ7XrTsAlcdHdNoQCpprx3Hx331rFt1DOj3Md2moF0
+        TUqdNsZ7wCA9zlVPwtjkILMGEdz8ZN62an0R/h2ZM9Y/wuZcl1M6wWI9eyjx2Qva
+        7/Xk6LMklmNICifOZZ5Tmw1xSyxOIW8VNp7IiKXZBAjb8NiUveNUos0gjMxNQ3PR
+        oWv8LY3vfYiKE7AJhzrEim1PX36OcRYpB+0BAou//9PGI59tHp/Fupi2lWx7Qv3S
+        XAEJRUzfnCPB56PdLkNFbJAj2v11zD8zBIZqpuGh/f3fE7V0klGy/Dx9yHyAhw0t
+        LeXMrYUYO3zjLc4yh7qdrGPBdWUQg8BzWwIJERdHS90zQwmcTkkaX5en3GII
+        =MQ9C
+        -----END PGP MESSAGE-----
+      fp: 5DA93D5C9D7320E1BD3522C79C78172B3551C9FD
+    - created_at: "2024-08-05T20:33:02Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hQIMA46L6MuPqfJqARAApQx98KdexUMI0KY65hv0IRvBRFouPwpTsd4VpzTsbkYF
+        XDBhxWVXkI9iLS8O6siQygVDDMfIDs5SadVoOicWyOpHR5sjOaW9qHA4w399w8Fe
+        5XoPyfUuQvVywfHMhQiznHNPj5+SgcehwUL1i1+qD3h8RZxbgGkvYKinlkkbxzh/
+        Tk4lYjcoNvb/10XRWDEy5KxMB2qc2BFEWZk6DrXe9ZUd0IzYh+tA07rUZVu8TRAc
+        abx6/0lvgIK45frzYJb17yL/9mCbAUVzSlR/+5LZ+qm73Ax4nsGcGA8nfDVGw/di
+        +BbbpBHdCs7/1XEHfrKzuUXOAd0V1HjeQSS6zzcwsfFLMevYMyTLmiTwo6SEoWSk
+        nN599ZqPutG94MVtvaKqDY47ABSOr0BZIUn4jdus34GTgDjX3TVTx8KPzemIbUv7
+        BQcd654NKQN0poyZegrksnJVfs6OeSULLylufj6vyFNlKbjNR+D1sHhiyKcmyrQf
+        T0jDnPgZIzeVbNSdrDywrme+CykRSoFs60GgGYt6p/Omuh7Vp6we05jzY8lUJL76
+        VsGqqyCn3JLZb6iWFe+P7JT1VXsl8xsrmn5BKoSMeXqaXctYKuJ2E20gc90a8UXm
+        jhnHYeG2QHW1LBgv1yeqCpUIfHxNRr+gJ3cHQLNUuchC3vubf3sBXhHzYXyzyXrS
+        XAFwRah/o35ETWbRhFsw+SzJGTgsyUqKAtWGmfTRPsbVvbam63IEsbTSLOdMahmY
+        6uSgIbsZTobna90eVPFM8w3JIx7+Mq0YtdaLgRqpHJtPC7oVgN+RnKbgEEqQ
+        =uyf4
+        -----END PGP MESSAGE-----
+      fp: 8996B62CBD159DCADD3B6DC08BB33A8ABCF7BC4A
+    - created_at: "2024-08-05T20:33:02Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hQIMA4EEKdYEzV0pAQ//QZwerhHFVjR/LahlgmnO/HyiR+wbvNzHEya/rVwuu+st
+        V8hNgBFp9N1Y9uh/GFIzZd5ETz7yq0FawRptlt5k0CqVYfsDBIB3ewxukJeyjdj2
+        8E84l9SSdmV5uqWK+MV+uY57C8BBcgWtUpjOTNrGkAqtEd5YrSZwcgtKGVLI2Dd/
+        i2I1RYdYP/VTusBtpqPk+IrpJf8jEYcEhl+S0wnG+kh/rhyCCrtda49SgRbuJE2d
+        V9JJlASkC6H6DRn6dVcO2BUZss3ZQB+OF9vfo7tnnuU8Mw1C2JWPy9oPiNat5UGE
+        zVJZf//m0xBfQVFWFDs95lvqzsBcAAg02tTsclPTtgz9buW5Pph3/OUiq4o/ZWOz
+        TMSXGD+Fi/mbP7jJZndtiadMtfOQC1dGC86A5H01aQliWruIMb0Wp55+Zr2Rw39p
+        FlhFSfCzyQHgA+uMa45XFaHCaS9pllWoT3QO3csP5ZyeUM8pLvnxwnLB2BTgg+yF
+        aV3BP0nzbHAUuaDeb/WtRINKRcKHCqrPPAEvb6X0OU51NvzmaWJphpdrvi3/4sEO
+        5+zDlqSZetaBa9WB1iCeD/u8wNNunCXageLxBucesv1uH5PvF51A/aJvXf1jRCym
+        NjSUQw2aSX35nWc9MIcUnO5mB8H4N5BF2FBx8Nq2XnrVgVPqqe1Sc2Ph4tE54QzS
+        XAG1bzAX3lHh77xsUuy/Nk3VE3kzJhaxpyz0rPIn6NQ9lVcy4hiyecKL3Jk3Ffcn
+        kxeKnjym5E4e3f8cMxWQlc+xtwga5QAD2dU2X9fPj6UxGEbh+gDqLv8wtzMr
+        =7R+0
+        -----END PGP MESSAGE-----
+      fp: 9DFA033E3DAEBAD7FDD71B056C7AAA54BE05F7BA
+    - created_at: "2024-08-05T20:33:02Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hF4DQrf1tCqiJxoSAQdA4XhPBK5WnPVo84ZrCUe92HZSEKtH88GLktniZCmAczcw
+        cO5WYiy9D4z/aieGuMTBGg5xRk7eAMZVTbMDV+KXKLVlDwoxKybKSbT+fvhNGJ13
+        0lwBd0RFKYGq4YO+/nUxHZo3hG6qmv3/K06fta/D4p/C5wYefNZVcAj5VqatP3Zi
+        I/ktqdDszkc98/bf4fHoQmSxP25Wp65jJBEYeMZgX75M/wguGeIBfEgZB5bgww==
+        =0G+m
+        -----END PGP MESSAGE-----
+      fp: B71138A6A8964A3C3B8899857B4F70C356765BAB
+    - created_at: "2024-08-05T20:33:02Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hQIMAzdAjw8ldn6CAQ//Vu9YJvMsevJAd4RJwJ5HMdB3xy3dbDG98qZb8Zoj0+qX
+        KT/VsR9YoOLeszmzI6BtB2PQhLeavMR2/SFJTGunxaSCvHcd/q7dnC+WAmUVun8l
+        MVRkIRh1I+tX1KQBqFt1IzsUm5kwJD4iThn4OWyDlS3WCDFlOLUC1iZVtdqxptzy
+        p4mzM4NmR/Z8r8aA+dYdTlzDHyUhVnvYCDaRTIyr2qzd6kUHmo9PMRvqUNQkNA3k
+        YOwLt8VR0nZIAx7YOGwSp4E32tk09o7Z+dUIYqXO71c5TxXsOoeEbVn7gj+7KQVs
+        yDNMF7he54zjModPJkSa4MjwTC2NKzLClux0aE9dW5Zv2eSiTEIlaAwhJjH0wt8O
+        oMJ5A8Y39GmNoAkadQ5NLP6WwTaUFYLacT56/AdAvsodQf7zlF399wXZlQufAgLv
+        3WAvL+LQKpg8TwH74pJe4te4BjnqWvYx+jkRYbRxSXD2iwqrWXk57XysizgjAAre
+        FJe42BeL2uyP/cMTcNFcd+W2DztUkNR54FHSYY8mqev81BYX92ExsfEugsBzUaDF
+        3QBnZIZZInCQKnXIIaj5+rV8XXbMKnyTNBQCxfUk92OOrUhikvYhwfPev2ejUzQm
+        k8RgIG9ZBWDENGX9ojmTH+ec2gWmLvKGyhrKjWvNMzzblHfuxjdSizoQ1FflYEPS
+        XAE9Cu/L0lwQEU8vRRPPF9kRHLoJygxdOYoD4+SggCkPJxtyiCTNWJeOBwbSnGyh
+        B8GnNJwNn7H8vh40se/uo2311O8NcuvdLLiBw9DxCTCcPHqS4e5hF98oiSnI
+        =ZgbM
+        -----END PGP MESSAGE-----
+      fp: 3D70F61E07F64EC4E4EF417BEFCD9D20F58784EF
+  unencrypted_suffix: _unencrypted
+  version: 3.9.0
diff --git a/config/hosts/yate/service.nix b/config/hosts/yate/service.nix
index e031d4d..9013060 100644
--- a/config/hosts/yate/service.nix
+++ b/config/hosts/yate/service.nix
@@ -1,21 +1,48 @@
 { config, pkgs, ... }:
 
 {
+#  systemd.managerEnvironment = {
+#    SYSTEMD_LOG_LEVEL = "debug";
+#  };
+
+  
+
+  sops.secrets."git_clone_key" = {
+    mode = "0600";
+    owner = "yate";
+    group = "yate-config";
+    restartUnits = [ "yate.service" ];
+};
+
   systemd.services.yate = {
     enable = true;
     description = "Yate telehony engine";
     unitConfig = {
-      Type = "simple";
-      After = "network.target";
+      After= "network-online.target";
     };
     serviceConfig = {
-      ExecStart = "${pkgs.yate}/bin/yate -c /yate -e /yate/share -Do";
-      Type = "simple";
-      Restart = "always";
+      ExecStart = "${pkgs.yate}/bin/yate -c /etc/yate -e /etc/yate/share";
+      Type="simple";
+      Restart="always";
+      User="yate";
+      Group="yate-config";
+      StateDirectory = "yate";
+      StateDirectoryMode = "0775";
       # ...
     };
     wantedBy = [ "default.target" ];
-    requiredBy = [ "network.target" ];
+    requires = [ "network-online.target" ]; 
+    preStart = "echo \"\n\" >> /run/secrets/git_clone_key
+                sleep 5
+                SSH_SUCCESS=1
+                ${pkgs.openssh}/bin/ssh -q -i /run/secrets/git_clone_key forgejo@git.hamburg.ccc.de 2> /var/lib/yate/SSH_CHECK_LOG  || SSH_SUCCESS=0
+                if [ $SSH_SUCCESS = 1 ]; then
+                rm -rf /var/lib/yate/*
+                rm -rf /var/lib/yate/.*
+                env GIT_SSH_COMMAND=\"${pkgs.openssh}/bin/ssh -i /run/secrets/git_clone_key\" ${pkgs.git}/bin/git clone forgejo@git.hamburg.ccc.de:CCCHH/yate-config.git /var/lib/yate
+                ${pkgs.git}/bin/git -C /var/lib/yate config --add safe.directory \"/var/lib/yate\"
+                fi";
+
     # ...
   };
 }
diff --git a/config/hosts/yate/sops.nix b/config/hosts/yate/sops.nix
new file mode 100644
index 0000000..38b06f9
--- /dev/null
+++ b/config/hosts/yate/sops.nix
@@ -0,0 +1,7 @@
+{ ... }:
+
+{
+  sops = {
+    defaultSopsFile = ./secrets.yaml;
+  };
+}
\ No newline at end of file
diff --git a/config/hosts/yate/yate.nix b/config/hosts/yate/yate.nix
index c4834bb..3f9b054 100644
--- a/config/hosts/yate/yate.nix
+++ b/config/hosts/yate/yate.nix
@@ -10,4 +10,19 @@
 
   # Just disable it for now.
   networking.firewall.enable = false;
+
+  users.users.yate = {
+    description = "yate service user";
+    group = "yate-config";
+    isNormalUser = true;
+  };
+
+
+  users.groups.yate-config = {};
+  users.groups.yate-config.members = [ "colmema-deploy" "chaos" "root" "yate"];
+
+  environment.etc.yate.user = "yate";
+  environment.etc.yate.group = "yate-config";
+  environment.etc.yate.mode = "symlink";
+  environment.etc.yate.source = "/var/lib/yate";
 }
diff --git a/flake.nix b/flake.nix
index fb4ed26..5ecee98 100644
--- a/flake.nix
+++ b/flake.nix
@@ -174,6 +174,7 @@
           modules = [
             self.nixosModules.common
             self.nixosModules.proxmox-vm
+            sops-nix.nixosModules.sops
             ./config/hosts/yate
           ];
         };

From 8045681bb5ab6896cf6fb30a30c47b507c29e589 Mon Sep 17 00:00:00 2001
From: June <june@jsts.xyz>
Date: Sun, 19 Jan 2025 19:05:15 +0100
Subject: [PATCH 135/170] yate: clean up and nicely format nix configuration

---
 config/hosts/yate/configuration.nix |  4 +-
 config/hosts/yate/default.nix       |  3 +-
 config/hosts/yate/service.nix       | 48 ----------------------
 config/hosts/yate/yate.nix          | 64 ++++++++++++++++++++++++-----
 4 files changed, 55 insertions(+), 64 deletions(-)
 delete mode 100644 config/hosts/yate/service.nix

diff --git a/config/hosts/yate/configuration.nix b/config/hosts/yate/configuration.nix
index f350966..6b1fa99 100644
--- a/config/hosts/yate/configuration.nix
+++ b/config/hosts/yate/configuration.nix
@@ -1,4 +1,4 @@
-{ config, pkgs, ... }:
+{ ... }:
 
 {
   networking = {
@@ -6,7 +6,5 @@
     domain = "z9.ccchh.net";
   };
 
-#  users.users.chaos.password = "yes";
-
   system.stateVersion = "23.11";
 }
diff --git a/config/hosts/yate/default.nix b/config/hosts/yate/default.nix
index 009e1a1..66738e8 100644
--- a/config/hosts/yate/default.nix
+++ b/config/hosts/yate/default.nix
@@ -1,11 +1,10 @@
-{ config, pkgs, ... }:
+{ ... }:
 
 {
   imports = [
     ./configuration.nix
     ./networking.nix
     ./yate.nix
-    ./service.nix
     ./sops.nix
   ];
 }
diff --git a/config/hosts/yate/service.nix b/config/hosts/yate/service.nix
deleted file mode 100644
index 9013060..0000000
--- a/config/hosts/yate/service.nix
+++ /dev/null
@@ -1,48 +0,0 @@
-{ config, pkgs, ... }:
-
-{
-#  systemd.managerEnvironment = {
-#    SYSTEMD_LOG_LEVEL = "debug";
-#  };
-
-  
-
-  sops.secrets."git_clone_key" = {
-    mode = "0600";
-    owner = "yate";
-    group = "yate-config";
-    restartUnits = [ "yate.service" ];
-};
-
-  systemd.services.yate = {
-    enable = true;
-    description = "Yate telehony engine";
-    unitConfig = {
-      After= "network-online.target";
-    };
-    serviceConfig = {
-      ExecStart = "${pkgs.yate}/bin/yate -c /etc/yate -e /etc/yate/share";
-      Type="simple";
-      Restart="always";
-      User="yate";
-      Group="yate-config";
-      StateDirectory = "yate";
-      StateDirectoryMode = "0775";
-      # ...
-    };
-    wantedBy = [ "default.target" ];
-    requires = [ "network-online.target" ]; 
-    preStart = "echo \"\n\" >> /run/secrets/git_clone_key
-                sleep 5
-                SSH_SUCCESS=1
-                ${pkgs.openssh}/bin/ssh -q -i /run/secrets/git_clone_key forgejo@git.hamburg.ccc.de 2> /var/lib/yate/SSH_CHECK_LOG  || SSH_SUCCESS=0
-                if [ $SSH_SUCCESS = 1 ]; then
-                rm -rf /var/lib/yate/*
-                rm -rf /var/lib/yate/.*
-                env GIT_SSH_COMMAND=\"${pkgs.openssh}/bin/ssh -i /run/secrets/git_clone_key\" ${pkgs.git}/bin/git clone forgejo@git.hamburg.ccc.de:CCCHH/yate-config.git /var/lib/yate
-                ${pkgs.git}/bin/git -C /var/lib/yate config --add safe.directory \"/var/lib/yate\"
-                fi";
-
-    # ...
-  };
-}
diff --git a/config/hosts/yate/yate.nix b/config/hosts/yate/yate.nix
index 3f9b054..d3ed2f9 100644
--- a/config/hosts/yate/yate.nix
+++ b/config/hosts/yate/yate.nix
@@ -1,4 +1,4 @@
-{ config, pkgs, ... }:
+{ pkgs, ... }:
 
 {
   environment.systemPackages = [
@@ -11,18 +11,60 @@
   # Just disable it for now.
   networking.firewall.enable = false;
 
-  users.users.yate = {
-    description = "yate service user";
-    group = "yate-config";
-    isNormalUser = true;
+  users = {
+    users.yate = {
+      description = "yate service user";
+      group = "yate-config";
+      isNormalUser = true;
+    };
+
+    groups.yate-config = {
+      members = [ "colmema-deploy" "chaos" "root" "yate"];
+    };
   };
 
+  environment.etc.yate = {
+    user = "yate";
+    group = "yate-config";
+    mode = "symlink";
+    source = "/var/lib/yate";
+  };
 
-  users.groups.yate-config = {};
-  users.groups.yate-config.members = [ "colmema-deploy" "chaos" "root" "yate"];
+  sops.secrets."git_clone_key" = {
+    mode = "0600";
+    owner = "yate";
+    group = "yate-config";
+    restartUnits = [ "yate.service" ];
+  };
 
-  environment.etc.yate.user = "yate";
-  environment.etc.yate.group = "yate-config";
-  environment.etc.yate.mode = "symlink";
-  environment.etc.yate.source = "/var/lib/yate";
+  systemd.services.yate = {
+    enable = true;
+    description = "Yate telehony engine";
+    unitConfig = {
+      After= "network-online.target";
+    };
+    serviceConfig = {
+      ExecStart = "${pkgs.yate}/bin/yate -c /etc/yate -e /etc/yate/share";
+      Type="simple";
+      Restart="always";
+      User="yate";
+      Group="yate-config";
+      StateDirectory = "yate";
+      StateDirectoryMode = "0775";
+    };
+    wantedBy = [ "default.target" ];
+    requires = [ "network-online.target" ];
+    preStart = ''
+      echo \"\n\" >> /run/secrets/git_clone_key
+      sleep 5
+      SSH_SUCCESS=1
+      ${pkgs.openssh}/bin/ssh -q -i /run/secrets/git_clone_key forgejo@git.hamburg.ccc.de 2> /var/lib/yate/SSH_CHECK_LOG  || SSH_SUCCESS=0
+      if [ $SSH_SUCCESS = 1 ]; then
+        rm -rf /var/lib/yate/*
+        rm -rf /var/lib/yate/.*
+        env GIT_SSH_COMMAND=\"${pkgs.openssh}/bin/ssh -i /run/secrets/git_clone_key\" ${pkgs.git}/bin/git clone forgejo@git.hamburg.ccc.de:CCCHH/yate-config.git /var/lib/yate
+        ${pkgs.git}/bin/git -C /var/lib/yate config --add safe.directory \"/var/lib/yate\"
+      fi
+    '';
+  };
 }

From d57c47437ff20dcb3c0008ab666b927de1181121 Mon Sep 17 00:00:00 2001
From: echtnurich <ich@echtnurich.de>
Date: Thu, 23 Jan 2025 20:15:37 +0100
Subject: [PATCH 136/170] Add reload script for refreshing config during
 runtime

---
 config/hosts/yate/yate.nix | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/config/hosts/yate/yate.nix b/config/hosts/yate/yate.nix
index d3ed2f9..d5e64f1 100644
--- a/config/hosts/yate/yate.nix
+++ b/config/hosts/yate/yate.nix
@@ -45,6 +45,11 @@
     };
     serviceConfig = {
       ExecStart = "${pkgs.yate}/bin/yate -c /etc/yate -e /etc/yate/share";
+      ExecReload= ''
+	${pkgs.git}/bin/git config --global --add safe.directory /var/lib/yate
+	/usr/bin/env GIT_SSH_COMMAND=\\"${pkgs.openssh}/bin/ssh -i /run/secrets/git_clone_key\\" ${pkgs.git}/bin/git -C /var/lib/yate fetch --all
+	/usr/bin/env GIT_SSH_COMMAND=\\"${pkgs.openssh}/bin/ssh -i /run/secrets/git_clone_key\\" ${pkgs.git}/bin/git -C /var/lib/yate reset --hard origin/main
+      '';
       Type="simple";
       Restart="always";
       User="yate";

From 73fa9d1e067e626fec76eb713342644f72647c65 Mon Sep 17 00:00:00 2001
From: June <june@jsts.xyz>
Date: Fri, 24 Jan 2025 11:44:29 +0100
Subject: [PATCH 137/170] git: enable Git LFS

---
 config/hosts/git/forgejo.nix | 1 +
 1 file changed, 1 insertion(+)

diff --git a/config/hosts/git/forgejo.nix b/config/hosts/git/forgejo.nix
index 665815d..85b13e6 100644
--- a/config/hosts/git/forgejo.nix
+++ b/config/hosts/git/forgejo.nix
@@ -14,6 +14,7 @@
     enable = true;
     package = pkgs.forgejo;
     database.type = "postgres";
+    lfs.enable = true;
 
     secrets = {
       mailer = {

From 4530608c9900901ece7f0c2448e4035369c8f15b Mon Sep 17 00:00:00 2001
From: June <june@jsts.xyz>
Date: Fri, 24 Jan 2025 11:45:32 +0100
Subject: [PATCH 138/170] flake.lock: Update
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Flake lock file updates:

• Updated input 'authorizedKeysRepo':
    'https://git.hamburg.ccc.de/api/v1/repos/CCCHH/infrastructure-authorized-keys/archive/686a6af22f6696f0c0595c56f463c078550049fc.tar.gz?narHash=sha256-plTYjM6zPzoBE/dp6EUrk9mCqmab278p8FqBCTX8Grc%3D&rev=686a6af22f6696f0c0595c56f463c078550049fc' (2024-11-10)
  → 'https://git.hamburg.ccc.de/api/v1/repos/CCCHH/infrastructure-authorized-keys/archive/686a6af22f6696f0c0595c56f463c078550049fc.tar.gz?narHash=sha256-plTYjM6zPzoBE/dp6EUrk9mCqmab278p8FqBCTX8Grc%3D' (2024-11-10)
• Updated input 'nixos-generators':
    'github:nix-community/nixos-generators/051d1b2dda3b2e81b38d82e2b691e5c2f4d335f4?narHash=sha256-A7CTIQ8SW0hfbhKlwK%2BvSsu4pD%2BOaelw3v6goX6go%2BU%3D' (2024-12-23)
  → 'github:nix-community/nixos-generators/d002ce9b6e7eb467cd1c6bb9aef9c35d191b5453?narHash=sha256-3Pe0yKlCc7EOeq1X/aJVDH0CtNL%2BtIBm49vpepwL1MQ%3D' (2025-01-16)
• Updated input 'nixos-generators/nixlib':
    'github:nix-community/nixpkgs.lib/0a31e8d833173ae63e43fd9dbff1ccf09c4f778c?narHash=sha256-dPhc%2Bf2wkmhMqMIfq%2BhColJdysgVxKP9ilZ5bR0NRZI%3D' (2024-12-22)
  → 'github:nix-community/nixpkgs.lib/1418bc28a52126761c02dd3d89b2d8ca0f521181?narHash=sha256-tmpqTSWVRJVhpvfSN9KXBvKEXplrwKnSZNAoNPf/S/s%3D' (2025-01-12)
• Updated input 'nixos-generators/nixpkgs':
    'github:NixOS/nixpkgs/4989a246d7a390a859852baddb1013f825435cee?narHash=sha256-kMBQ5PRiFLagltK0sH%2B08aiNt3zGERC2297iB6vrvlU%3D' (2024-12-17)
  → 'github:NixOS/nixpkgs/2f9e2f85cb14a46410a1399aa9ea7ecf433e422e?narHash=sha256-FWlPMUzp0lkQBdhKlPqtQdqmp%2B/C%2B1MBiEytaYfrCTY%3D' (2025-01-12)
• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/530de2c83360057c1650fb8a37ef48cb9ad8f6a6?narHash=sha256-WIGZ3DPw5H%2BSPszUXVacK%2BKTh3sJZShP1vGtDwhquNM%3D' (2025-01-09)
  → 'github:nixos/nixpkgs/c87f6eefb71ddde46ecc7fb128dd3f86e48ae69c?narHash=sha256-fY95Rp63NFzOwRFO6%2BRGi/UTyxgqmFmKtQ/DWg%2B6vsQ%3D' (2025-01-23)
• Updated input 'sops-nix':
    'github:Mic92/sops-nix/c9c88f08e3ee495e888b8d7c8624a0b2519cb773?narHash=sha256-eSjkBwBdQk%2BTZWFlLbclF2rAh4JxbGg8az4w/Lfe7f4%3D' (2025-01-06)
  → 'github:Mic92/sops-nix/015d461c16678fc02a2f405eb453abb509d4e1d4?narHash=sha256-j9IdflJwRtqo9WpM0OfAZml47eBblUHGNQTe62OUqTw%3D' (2025-01-20)
---
 flake.lock | 32 ++++++++++++++++----------------
 1 file changed, 16 insertions(+), 16 deletions(-)

diff --git a/flake.lock b/flake.lock
index 4625fa3..259f97a 100644
--- a/flake.lock
+++ b/flake.lock
@@ -7,7 +7,7 @@
         "narHash": "sha256-plTYjM6zPzoBE/dp6EUrk9mCqmab278p8FqBCTX8Grc=",
         "rev": "686a6af22f6696f0c0595c56f463c078550049fc",
         "type": "tarball",
-        "url": "https://git.hamburg.ccc.de/api/v1/repos/CCCHH/infrastructure-authorized-keys/archive/686a6af22f6696f0c0595c56f463c078550049fc.tar.gz?rev=686a6af22f6696f0c0595c56f463c078550049fc"
+        "url": "https://git.hamburg.ccc.de/api/v1/repos/CCCHH/infrastructure-authorized-keys/archive/686a6af22f6696f0c0595c56f463c078550049fc.tar.gz"
       },
       "original": {
         "type": "tarball",
@@ -16,11 +16,11 @@
     },
     "nixlib": {
       "locked": {
-        "lastModified": 1734829460,
-        "narHash": "sha256-dPhc+f2wkmhMqMIfq+hColJdysgVxKP9ilZ5bR0NRZI=",
+        "lastModified": 1736643958,
+        "narHash": "sha256-tmpqTSWVRJVhpvfSN9KXBvKEXplrwKnSZNAoNPf/S/s=",
         "owner": "nix-community",
         "repo": "nixpkgs.lib",
-        "rev": "0a31e8d833173ae63e43fd9dbff1ccf09c4f778c",
+        "rev": "1418bc28a52126761c02dd3d89b2d8ca0f521181",
         "type": "github"
       },
       "original": {
@@ -35,11 +35,11 @@
         "nixpkgs": "nixpkgs"
       },
       "locked": {
-        "lastModified": 1734915500,
-        "narHash": "sha256-A7CTIQ8SW0hfbhKlwK+vSsu4pD+Oaelw3v6goX6go+U=",
+        "lastModified": 1737057290,
+        "narHash": "sha256-3Pe0yKlCc7EOeq1X/aJVDH0CtNL+tIBm49vpepwL1MQ=",
         "owner": "nix-community",
         "repo": "nixos-generators",
-        "rev": "051d1b2dda3b2e81b38d82e2b691e5c2f4d335f4",
+        "rev": "d002ce9b6e7eb467cd1c6bb9aef9c35d191b5453",
         "type": "github"
       },
       "original": {
@@ -50,11 +50,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1734435836,
-        "narHash": "sha256-kMBQ5PRiFLagltK0sH+08aiNt3zGERC2297iB6vrvlU=",
+        "lastModified": 1736657626,
+        "narHash": "sha256-FWlPMUzp0lkQBdhKlPqtQdqmp+/C+1MBiEytaYfrCTY=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "4989a246d7a390a859852baddb1013f825435cee",
+        "rev": "2f9e2f85cb14a46410a1399aa9ea7ecf433e422e",
         "type": "github"
       },
       "original": {
@@ -66,11 +66,11 @@
     },
     "nixpkgs_2": {
       "locked": {
-        "lastModified": 1736408508,
-        "narHash": "sha256-WIGZ3DPw5H+SPszUXVacK+KTh3sJZShP1vGtDwhquNM=",
+        "lastModified": 1737665804,
+        "narHash": "sha256-fY95Rp63NFzOwRFO6+RGi/UTyxgqmFmKtQ/DWg+6vsQ=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "530de2c83360057c1650fb8a37ef48cb9ad8f6a6",
+        "rev": "c87f6eefb71ddde46ecc7fb128dd3f86e48ae69c",
         "type": "github"
       },
       "original": {
@@ -95,11 +95,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1736203741,
-        "narHash": "sha256-eSjkBwBdQk+TZWFlLbclF2rAh4JxbGg8az4w/Lfe7f4=",
+        "lastModified": 1737411508,
+        "narHash": "sha256-j9IdflJwRtqo9WpM0OfAZml47eBblUHGNQTe62OUqTw=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "c9c88f08e3ee495e888b8d7c8624a0b2519cb773",
+        "rev": "015d461c16678fc02a2f405eb453abb509d4e1d4",
         "type": "github"
       },
       "original": {

From bb0af02e5c28952c9c9d937861007955ac25e490 Mon Sep 17 00:00:00 2001
From: echtnurich <ich@echtnurich.de>
Date: Fri, 24 Jan 2025 18:00:26 +0100
Subject: [PATCH 139/170] use nix option for ExecReload

---
 config/hosts/yate/yate.nix | 16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)

diff --git a/config/hosts/yate/yate.nix b/config/hosts/yate/yate.nix
index d5e64f1..89f225e 100644
--- a/config/hosts/yate/yate.nix
+++ b/config/hosts/yate/yate.nix
@@ -45,11 +45,6 @@
     };
     serviceConfig = {
       ExecStart = "${pkgs.yate}/bin/yate -c /etc/yate -e /etc/yate/share";
-      ExecReload= ''
-	${pkgs.git}/bin/git config --global --add safe.directory /var/lib/yate
-	/usr/bin/env GIT_SSH_COMMAND=\\"${pkgs.openssh}/bin/ssh -i /run/secrets/git_clone_key\\" ${pkgs.git}/bin/git -C /var/lib/yate fetch --all
-	/usr/bin/env GIT_SSH_COMMAND=\\"${pkgs.openssh}/bin/ssh -i /run/secrets/git_clone_key\\" ${pkgs.git}/bin/git -C /var/lib/yate reset --hard origin/main
-      '';
       Type="simple";
       Restart="always";
       User="yate";
@@ -61,15 +56,22 @@
     requires = [ "network-online.target" ];
     preStart = ''
       echo \"\n\" >> /run/secrets/git_clone_key
+      id
       sleep 5
       SSH_SUCCESS=1
       ${pkgs.openssh}/bin/ssh -q -i /run/secrets/git_clone_key forgejo@git.hamburg.ccc.de 2> /var/lib/yate/SSH_CHECK_LOG  || SSH_SUCCESS=0
       if [ $SSH_SUCCESS = 1 ]; then
         rm -rf /var/lib/yate/*
         rm -rf /var/lib/yate/.*
-        env GIT_SSH_COMMAND=\"${pkgs.openssh}/bin/ssh -i /run/secrets/git_clone_key\" ${pkgs.git}/bin/git clone forgejo@git.hamburg.ccc.de:CCCHH/yate-config.git /var/lib/yate
-        ${pkgs.git}/bin/git -C /var/lib/yate config --add safe.directory \"/var/lib/yate\"
+        env GIT_SSH_COMMAND="${pkgs.openssh}/bin/ssh -i /run/secrets/git_clone_key" ${pkgs.git}/bin/git clone forgejo@git.hamburg.ccc.de:CCCHH/yate-config.git /var/lib/yate
+        ${pkgs.git}/bin/git -C /var/lib/yate config --add safe.directory "/var/lib/yate"
       fi
     '';
+    reload= ''
+      id
+      ${pkgs.git}/bin/git config --global --add safe.directory /var/lib/yate
+      /usr/bin/env GIT_SSH_COMMAND="${pkgs.openssh}/bin/ssh -i /run/secrets/git_clone_key" ${pkgs.git}/bin/git -C /var/lib/yate fetch --all
+      /usr/bin/env GIT_SSH_COMMAND="${pkgs.openssh}/bin/ssh -i /run/secrets/git_clone_key" ${pkgs.git}/bin/git -C /var/lib/yate reset --hard origin/master
+    '';
   };
 }

From 5cf9cffa77b4e1e1179305b9ad7eca6d40cce177 Mon Sep 17 00:00:00 2001
From: echtnurich <ich@echtnurich.de>
Date: Fri, 24 Jan 2025 19:54:31 +0100
Subject: [PATCH 140/170] add more checks before config reinit

---
 config/hosts/yate/yate.nix | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/config/hosts/yate/yate.nix b/config/hosts/yate/yate.nix
index 89f225e..236e1f0 100644
--- a/config/hosts/yate/yate.nix
+++ b/config/hosts/yate/yate.nix
@@ -55,12 +55,13 @@
     wantedBy = [ "default.target" ];
     requires = [ "network-online.target" ];
     preStart = ''
-      echo \"\n\" >> /run/secrets/git_clone_key
-      id
+      echo "\n" >> /run/secrets/git_clone_key
       sleep 5
+      id
+      echo "$(stat -c '%U' /var/lib/yate/.git) owns /var/lib/yate/.git"
       SSH_SUCCESS=1
       ${pkgs.openssh}/bin/ssh -q -i /run/secrets/git_clone_key forgejo@git.hamburg.ccc.de 2> /var/lib/yate/SSH_CHECK_LOG  || SSH_SUCCESS=0
-      if [ $SSH_SUCCESS = 1 ]; then
+      if [[ $SSH_SUCCESS = 1 && $(stat -c '%U' /var/lib/yate/.git) == *yate* ]]; then
         rm -rf /var/lib/yate/*
         rm -rf /var/lib/yate/.*
         env GIT_SSH_COMMAND="${pkgs.openssh}/bin/ssh -i /run/secrets/git_clone_key" ${pkgs.git}/bin/git clone forgejo@git.hamburg.ccc.de:CCCHH/yate-config.git /var/lib/yate

From 934f29a84a32d8770faf6a657ee7519960cd0ed7 Mon Sep 17 00:00:00 2001
From: c6ristian <c6ristian@christian.moe>
Date: Tue, 4 Feb 2025 21:31:09 +0100
Subject: [PATCH 141/170] flake.lock: Update
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Flake lock file updates:

• Updated input 'authorizedKeysRepo':
    'https://git.hamburg.ccc.de/api/v1/repos/CCCHH/infrastructure-authorized-keys/archive/686a6af22f6696f0c0595c56f463c078550049fc.tar.gz?narHash=sha256-plTYjM6zPzoBE/dp6EUrk9mCqmab278p8FqBCTX8Grc%3D' (2024-11-10)
  → 'https://git.hamburg.ccc.de/api/v1/repos/CCCHH/infrastructure-authorized-keys/archive/686a6af22f6696f0c0595c56f463c078550049fc.tar.gz?narHash=sha256-plTYjM6zPzoBE/dp6EUrk9mCqmab278p8FqBCTX8Grc%3D&rev=686a6af22f6696f0c0595c56f463c078550049fc' (2024-11-10)
• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/c87f6eefb71ddde46ecc7fb128dd3f86e48ae69c' (2025-01-23)
  → 'github:nixos/nixpkgs/11e2214d91f0d06ea8575087e3cd8e246c550bd8' (2025-02-04)
• Updated input 'sops-nix':
    'github:Mic92/sops-nix/015d461c16678fc02a2f405eb453abb509d4e1d4' (2025-01-20)
  → 'github:Mic92/sops-nix/4c1251904d8a08c86ac6bc0d72cc09975e89aef7' (2025-01-31)
---
 flake.lock | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/flake.lock b/flake.lock
index 259f97a..7f1207b 100644
--- a/flake.lock
+++ b/flake.lock
@@ -7,7 +7,7 @@
         "narHash": "sha256-plTYjM6zPzoBE/dp6EUrk9mCqmab278p8FqBCTX8Grc=",
         "rev": "686a6af22f6696f0c0595c56f463c078550049fc",
         "type": "tarball",
-        "url": "https://git.hamburg.ccc.de/api/v1/repos/CCCHH/infrastructure-authorized-keys/archive/686a6af22f6696f0c0595c56f463c078550049fc.tar.gz"
+        "url": "https://git.hamburg.ccc.de/api/v1/repos/CCCHH/infrastructure-authorized-keys/archive/686a6af22f6696f0c0595c56f463c078550049fc.tar.gz?rev=686a6af22f6696f0c0595c56f463c078550049fc"
       },
       "original": {
         "type": "tarball",
@@ -66,11 +66,11 @@
     },
     "nixpkgs_2": {
       "locked": {
-        "lastModified": 1737665804,
-        "narHash": "sha256-fY95Rp63NFzOwRFO6+RGi/UTyxgqmFmKtQ/DWg+6vsQ=",
+        "lastModified": 1738663689,
+        "narHash": "sha256-L9CwNfoGcvAUpPu6DSkhpdT4tczeWREJWj7ah0Q/qTE=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "c87f6eefb71ddde46ecc7fb128dd3f86e48ae69c",
+        "rev": "11e2214d91f0d06ea8575087e3cd8e246c550bd8",
         "type": "github"
       },
       "original": {
@@ -95,11 +95,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1737411508,
-        "narHash": "sha256-j9IdflJwRtqo9WpM0OfAZml47eBblUHGNQTe62OUqTw=",
+        "lastModified": 1738291974,
+        "narHash": "sha256-wkwYJc8cKmmQWUloyS9KwttBnja2ONRuJQDEsmef320=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "015d461c16678fc02a2f405eb453abb509d4e1d4",
+        "rev": "4c1251904d8a08c86ac6bc0d72cc09975e89aef7",
         "type": "github"
       },
       "original": {

From a665aa15f4001151eb7590c83c877bf30be55b7b Mon Sep 17 00:00:00 2001
From: June <june@jsts.xyz>
Date: Mon, 10 Feb 2025 23:43:05 +0100
Subject: [PATCH 142/170] eh22-wiki: remove because of migration to
 ansible-infra

---
 config/hosts/eh22-wiki/configuration.nix |   7 -
 config/hosts/eh22-wiki/default.nix       |   9 --
 config/hosts/eh22-wiki/dokuwiki.nix      | 166 -----------------------
 config/hosts/eh22-wiki/networking.nix    |  22 ---
 flake.nix                                |  10 --
 5 files changed, 214 deletions(-)
 delete mode 100644 config/hosts/eh22-wiki/configuration.nix
 delete mode 100644 config/hosts/eh22-wiki/default.nix
 delete mode 100644 config/hosts/eh22-wiki/dokuwiki.nix
 delete mode 100644 config/hosts/eh22-wiki/networking.nix

diff --git a/config/hosts/eh22-wiki/configuration.nix b/config/hosts/eh22-wiki/configuration.nix
deleted file mode 100644
index ff45e49..0000000
--- a/config/hosts/eh22-wiki/configuration.nix
+++ /dev/null
@@ -1,7 +0,0 @@
-{ ... }:
-
-{
-  networking.hostName = "eh22-wiki";
-
-  system.stateVersion = "23.11";
-}
diff --git a/config/hosts/eh22-wiki/default.nix b/config/hosts/eh22-wiki/default.nix
deleted file mode 100644
index 2d90c6b..0000000
--- a/config/hosts/eh22-wiki/default.nix
+++ /dev/null
@@ -1,9 +0,0 @@
-{ config, pkgs, ... }:
-
-{
-  imports = [
-    ./configuration.nix
-    ./dokuwiki.nix
-    ./networking.nix
-  ];
-}
diff --git a/config/hosts/eh22-wiki/dokuwiki.nix b/config/hosts/eh22-wiki/dokuwiki.nix
deleted file mode 100644
index f9a7cbd..0000000
--- a/config/hosts/eh22-wiki/dokuwiki.nix
+++ /dev/null
@@ -1,166 +0,0 @@
-# Sources for this configuration:
-# - https://www.dokuwiki.org/dokuwiki
-# - https://www.dokuwiki.org/install
-# - https://www.dokuwiki.org/requirements
-# - https://www.dokuwiki.org/install:php
-# - https://www.dokuwiki.org/security
-# - https://www.dokuwiki.org/config:xsendfile
-# - https://www.dokuwiki.org/install:nginx
-# - https://www.dokuwiki.org/faq:uploadsize
-# - https://nixos.wiki/wiki/Phpfpm
-# - https://wiki.archlinux.org/title/Nginx#FastCGI
-# - https://github.com/NixOS/nixpkgs/blob/84c0cb1471eee15e77ed97e7ae1e8cdae8835c61/nixos/modules/services/web-apps/dokuwiki.nix
-# - https://git.hamburg.ccc.de/CCCHH/ansible-infra/src/commit/81c8bfe16b311d5bf4635947fa02dfb65aea7f91/playbooks/files/chaosknoten/configs/wiki/nginx/wiki.hamburg.ccc.de.conf
-# - https://www.php.net/manual/en/install.fpm.php
-# - https://www.php.net/manual/en/install.fpm.configuration.php
-
-{ config, pkgs, ... }:
-
-let
-  # This is also used for user and group names.
-  app = "dokuwiki";
-  domain = "eh22.easterhegg.eu";
-  dataDir = "/srv/www/${domain}";
-in
-{
-  systemd.tmpfiles.rules = [
-    "d ${dataDir} 0755 ${app} ${app}"
-  ];
-
-  services.phpfpm.pools."${app}" = {
-    user = "${app}";
-    group = "${app}";
-    phpOptions = ''
-      short_open_tag = Off
-      open_basedir =
-      output_buffering = Off
-      output_handler =
-      zlib.output_compression = Off
-      implicit_flush = Off
-      allow_call_time_pass_reference = Off
-      max_execution_time = 30
-      max_input_time = 60
-      max_input_vars = 10000
-      memory_limit = 128M
-      error_reporting = E_ALL & ~E_NOTICE
-      display_errors = Off
-      display_startup_errors = Off
-      log_errors = On
-      ; error_log should be handled by NixOS.
-      variables_order = "EGPCS"
-      register_argc_argv = Off
-      file_uploads = On
-      upload_max_filesize = 20M
-      post_max_size = 20M
-      session.use_cookies = 1
-      ; Checked the default NixOS PHP extensions and the only one missing from
-      ; DokuWikis list of PHP extensions was bz2, so add that.
-      ; Checked with NixOS 23.11 on 2024-05-02.
-      extension = ${pkgs.phpExtensions.bz2}/lib/php/extensions/bz2.so
-    '';
-    settings = {
-      "listen.owner" = "${config.services.nginx.user}";
-      "listen.group" = "${config.services.nginx.group}";
-      "pm" = "dynamic";
-      "pm.max_children" = 32;
-      "pm.start_servers" = 2;
-      "pm.min_spare_servers" = 2;
-      "pm.max_spare_servers" = 4;
-      "pm.max_requests" = 500;
-    };
-  };
-
-  services.nginx = {
-    enable = true;
-
-    virtualHosts."acme-${domain}" = {
-      default = true;
-      enableACME = true;
-      serverName = "${domain}";
-
-      listen = [
-        {
-          addr = "0.0.0.0";
-          port = 31820;
-        }
-      ];
-    };
-
-    virtualHosts."${domain}" = {
-      default = true;
-      forceSSL = true;
-      useACMEHost = "${domain}";
-
-      listen = [
-        {
-          addr = "0.0.0.0";
-          port = 8443;
-          ssl = true;
-          proxyProtocol = true;
-        }
-      ];
-
-      root = "${dataDir}";
-
-      locations = {
-        "~ /(conf|bin|inc|vendor)/" = {
-          extraConfig = "deny all;";
-        };
-
-        "~ /install.php" = {
-          extraConfig = "deny all;";
-        };
-
-        "~ ^/data/" = {
-          extraConfig = "internal;";
-        };
-
-        "~ ^/lib.*\.(js|css|gif|png|ico|jpg|jpeg)$" = {
-          extraConfig = "expires 31d;";
-        };
-
-        "/" = {
-          index = "doku.php";
-          extraConfig = "try_files $uri $uri/ @dokuwiki;";
-        };
-
-        "@dokuwiki" = {
-          extraConfig = ''
-            # Rewrites "doku.php/" out of the URLs if the userwrite setting is
-            # set to .htaccess in the DokuWiki config page.
-            rewrite ^/_media/(.*) /lib/exe/fetch.php?media=$1 last;
-            rewrite ^/_detail/(.*) /lib/exe/detail.php?media=$1 last;
-            rewrite ^/_export/([^/]+)/(.*) /doku.php?do=export_$1&id=$2 last;
-            rewrite ^/(.*) /doku.php?id=$1&$args last;
-          '';
-        };
-
-        "~ \\.php$" = {
-          extraConfig = ''
-            try_files $uri $uri/ /doku.php;
-            include ${config.services.nginx.package}/conf/fastcgi_params;
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            fastcgi_param REDIRECT_STATUS 200;
-            fastcgi_pass unix:${config.services.phpfpm.pools."${app}".socket};
-          '';
-        };
-      };
-
-      extraConfig = ''
-        # Set maximum file upload size to 20MB (same as upload_max_filesize and
-        # post_max_size in the phpOptions).
-        client_max_body_size 20M;
-        client_body_buffer_size 128k;
-      '';
-    };
-  };
-
-  networking.firewall.allowedTCPPorts = [ 8443 31820 ];
-  networking.firewall.allowedUDPPorts = [ 8443 ];
-
-  users.users."${app}" = {
-    isSystemUser = true;
-    group = "${app}";
-  };
-  users.groups."${app}" = { };
-}
diff --git a/config/hosts/eh22-wiki/networking.nix b/config/hosts/eh22-wiki/networking.nix
deleted file mode 100644
index fba2da9..0000000
--- a/config/hosts/eh22-wiki/networking.nix
+++ /dev/null
@@ -1,22 +0,0 @@
-{ ... }:
-
-{
-  networking = {
-    interfaces.net0 = {
-      ipv4.addresses = [
-        {
-          address = "172.31.17.159";
-          prefixLength = 25;
-        }
-      ];
-    };
-    defaultGateway = "172.31.17.129";
-    nameservers = [ "212.12.50.158" "192.76.134.90" ];
-    search = [ "hamburg.ccc.de" ];
-  };
-
-  systemd.network.links."10-net0" = {
-    matchConfig.MACAddress = "BC:24:11:37:F0:AB";
-    linkConfig.Name = "net0";
-  };
-}
diff --git a/flake.nix b/flake.nix
index 5ecee98..347294b 100644
--- a/flake.nix
+++ b/flake.nix
@@ -149,16 +149,6 @@
           ];
         };
 
-        eh22-wiki = nixpkgs.lib.nixosSystem {
-          inherit system specialArgs;
-          modules = [
-            self.nixosModules.common
-            self.nixosModules.proxmox-vm
-            self.nixosModules.prometheus-exporter
-            ./config/hosts/eh22-wiki
-          ];
-        };
-
         nix-box-june = nixpkgs.lib.nixosSystem {
           inherit system specialArgs;
           modules = [

From fe5e6cebdc0f0df330b0541c1756cdfc859f1bec Mon Sep 17 00:00:00 2001
From: June <june@jsts.xyz>
Date: Tue, 18 Feb 2025 00:02:31 +0100
Subject: [PATCH 143/170] netbox: remove because of migration to ansible-infra

---
 .sops.yaml                                    |  17 --
 config/hosts/netbox/configuration.nix         |   7 -
 config/hosts/netbox/default.nix               |  12 -
 config/hosts/netbox/netbox.nix                |  61 -----
 config/hosts/netbox/networking.nix            |  22 --
 config/hosts/netbox/nginx.nix                 |  67 -----
 config/hosts/netbox/postgresql.nix            |   7 -
 config/hosts/netbox/secrets.yaml              | 234 ------------------
 config/hosts/netbox/sops.nix                  |   7 -
 deployment_configuration.json                 |   3 -
 flake.nix                                     |  19 --
 ...oup_and_role_mapping_custom_pipeline.patch |  61 -----
 12 files changed, 517 deletions(-)
 delete mode 100644 config/hosts/netbox/configuration.nix
 delete mode 100644 config/hosts/netbox/default.nix
 delete mode 100644 config/hosts/netbox/netbox.nix
 delete mode 100644 config/hosts/netbox/networking.nix
 delete mode 100644 config/hosts/netbox/nginx.nix
 delete mode 100644 config/hosts/netbox/postgresql.nix
 delete mode 100644 config/hosts/netbox/secrets.yaml
 delete mode 100644 config/hosts/netbox/sops.nix
 delete mode 100644 patches/0001_oidc_group_and_role_mapping_custom_pipeline.patch

diff --git a/.sops.yaml b/.sops.yaml
index dedf3c1..9a6ae2d 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -13,7 +13,6 @@ keys:
   - &host_age_git age18zaq9xg9nhqyl8g7mvrqhsx4qstay5l9cekq2g80vx4920pswdfqpeafd7
   - &host_age_forgejo_actions_runner age10xz2l7ghul7023awcydf4q3wurmszy2tafnadlarj0tvm7kl033sjw5f8t
   - &host_age_matrix age1f7ams0n2zy994pzt0u30h8tex6xdcernj59t4d70z4kjsyzrr3wsy87xzk
-  - &host_age_netbox age13fqs76z2vl5l84dvmmlqjj5xkfsfe85xls8uueul7re9j3ksjs0sw2xc9e
   - &host_age_public_web_static age19s7r8sf7j6zk24x9vumawgxpd2q8epyv7p9qsjntw7v9s3v045mqhmsfp0
   - &host_age_yate age1kxzl00cfa5v926cvtcp0l3fncwh6fgmk8jvpf4swkl4vh3hv9e5qyqsrnt
   - &host_age_mjolnir age1ej52kwuj8xraxdq685eejj4dmxpfmpgt4d8jka98rtpal6xcueqq9a6wae
@@ -68,22 +67,6 @@ creation_rules:
           - *admin_gpg_dante
         age:
           - *host_age_matrix
-  - path_regex: config/hosts/netbox/.*
-    key_groups:
-      - pgp:
-          - *admin_gpg_djerun
-          - *admin_gpg_stb
-          - *admin_gpg_jtbx
-          - *admin_gpg_yuri
-          - *admin_gpg_june
-          - *admin_gpg_haegar
-          - *admin_gpg_dario
-          - *admin_gpg_echtnurich
-          - *admin_gpg_max
-          - *admin_gpg_c6ristian
-          - *admin_gpg_dante
-        age:
-          - *host_age_netbox
   - path_regex: config/hosts/public-web-static/.*
     key_groups:
       - pgp:
diff --git a/config/hosts/netbox/configuration.nix b/config/hosts/netbox/configuration.nix
deleted file mode 100644
index 50a584e..0000000
--- a/config/hosts/netbox/configuration.nix
+++ /dev/null
@@ -1,7 +0,0 @@
-{ config, pkgs, ... }:
-
-{
-  networking.hostName = "netbox";
-
-  system.stateVersion = "23.05";
-}
diff --git a/config/hosts/netbox/default.nix b/config/hosts/netbox/default.nix
deleted file mode 100644
index 6ef3469..0000000
--- a/config/hosts/netbox/default.nix
+++ /dev/null
@@ -1,12 +0,0 @@
-{ config, pkgs, ... }:
-
-{
-  imports = [
-    ./configuration.nix
-    ./netbox.nix
-    ./networking.nix
-    ./nginx.nix
-    ./postgresql.nix
-    ./sops.nix
-  ];
-}
diff --git a/config/hosts/netbox/netbox.nix b/config/hosts/netbox/netbox.nix
deleted file mode 100644
index f816016..0000000
--- a/config/hosts/netbox/netbox.nix
+++ /dev/null
@@ -1,61 +0,0 @@
-# Sources for this configuration:
-# - https://docs.netbox.dev/en/stable/configuration/
-# - https://colmena.cli.rs/unstable/features/keys.html
-# - https://colmena.cli.rs/unstable/reference/deployment.html
-# - https://git.grzb.de/yuri/nix-infra/-/blob/33f2d9e324c2e3a8b1b41c20bce239001bcce9fc/hosts/netbox/secrets.nix
-
-{ config, pkgs, ... }:
-
-{
-  services.netbox = {
-    enable = true;
-    # Explicitly use the patched NetBox package.
-    package = pkgs.netbox_4_1;
-    secretKeyFile = "/run/secrets/netbox_secret_key";
-    keycloakClientSecret = "/run/secrets/netbox_keycloak_secret";
-    settings = {
-      ALLOWED_HOSTS = [ "netbox.hamburg.ccc.de" ];
-      SESSION_COOKIE_SECURE = true;
-      # CCCHH ID (Keycloak) integration.
-      # https://github.com/python-social-auth/social-core/blob/0925304a9e437f8b729862687d3a808c7fb88a95/social_core/backends/keycloak.py#L7
-      # https://python-social-auth.readthedocs.io/en/latest/backends/keycloak.html
-      REMOTE_AUTH_BACKEND = "social_core.backends.keycloak.KeycloakOAuth2";
-      SOCIAL_AUTH_KEYCLOAK_KEY = "netbox";
-      # SOCIAL_AUTH_KEYCLOAK_SECRET set via keycloakClientSecret option.
-      SOCIAL_AUTH_KEYCLOAK_PUBLIC_KEY = "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAi/Shi+b2OyYNGVFPsa6qf9SesEpRl5U5rpwgmt8H7NawMvwpPUYVW9o46QW0ulYcDmysT3BzpP3tagO/SFNoOjZdYe0D9nJ7vEp8KHbzR09KCfkyQIi0wLssKnDotVHL5JeUY+iKk+gjiwF9FSFSHPBqsST7hXVAut9LkOvs2aDod9AzbTH/uYbt4wfUm5l/1Ii8D+K7YcsFGUIqxv4XS/ylKqObqN4M2dac69iIwapoh6reaBQEm66vrOzJ+3yi4DZuPrkShJqi2hddtoyZihyCkF+eJJKEI5LrBf1KZB3Ec2YUrqk93ZGUGs/XY6R87QSfR3hJ82B1wnF+c2pw+QIDAQAB";
-      SOCIAL_AUTH_KEYCLOAK_AUTHORIZATION_URL = "https://id.hamburg.ccc.de/realms/ccchh/protocol/openid-connect/auth";
-      SOCIAL_AUTH_KEYCLOAK_ACCESS_TOKEN_URL = "https://id.hamburg.ccc.de/realms/ccchh/protocol/openid-connect/token";
-      SOCIAL_AUTH_PIPELINE = [
-        # The default pipeline as can be found in:
-        # /nix/store/q2jsn56bgkj0nkz0j4w48x3klyn2x4gp-netbox-4.1.7/opt/netbox/netbox/netbox/settings.py
-        "social_core.pipeline.social_auth.social_details"
-        "social_core.pipeline.social_auth.social_uid"
-        "social_core.pipeline.social_auth.social_user"
-        "social_core.pipeline.user.get_username"
-        "social_core.pipeline.user.create_user"
-        "social_core.pipeline.social_auth.associate_user"
-        "netbox.authentication.user_default_groups_handler"
-        "social_core.pipeline.social_auth.load_extra_data"
-        "social_core.pipeline.user.user_details"
-        # Use custom pipeline functions patched in via netbox41OIDCMappingOverlay.
-        # See: https://docs.goauthentik.io/integrations/services/netbox/
-        "netbox.custom_pipeline.add_groups"
-        "netbox.custom_pipeline.remove_groups"
-        "netbox.custom_pipeline.set_roles"
-      ];
-    };
-  };
-
-  sops.secrets."netbox_secret_key" = {
-    mode = "0440";
-    owner = "netbox";
-    group = "netbox";
-    restartUnits = [ "netbox.service" "netbox-rq.service" ];
-  };
-  sops.secrets."netbox_keycloak_secret" = {
-    mode = "0440";
-    owner = "netbox";
-    group = "netbox";
-    restartUnits = [ "netbox.service" "netbox-rq.service" ];
-  };
-}
diff --git a/config/hosts/netbox/networking.nix b/config/hosts/netbox/networking.nix
deleted file mode 100644
index a0abcfe..0000000
--- a/config/hosts/netbox/networking.nix
+++ /dev/null
@@ -1,22 +0,0 @@
-{ ... }:
-
-{
-  networking = {
-    interfaces.net0 = {
-      ipv4.addresses = [
-        {
-          address = "172.31.17.149";
-          prefixLength = 25;
-        }
-      ];
-    };
-    defaultGateway = "172.31.17.129";
-    nameservers = [ "212.12.50.158" "192.76.134.90" ];
-    search = [ "hamburg.ccc.de" ];
-  };
-
-  systemd.network.links."10-net0" = {
-    matchConfig.MACAddress = "62:ED:44:20:7C:C1";
-    linkConfig.Name = "net0";
-  };
-}
diff --git a/config/hosts/netbox/nginx.nix b/config/hosts/netbox/nginx.nix
deleted file mode 100644
index 2673cdc..0000000
--- a/config/hosts/netbox/nginx.nix
+++ /dev/null
@@ -1,67 +0,0 @@
-# Sources for this configuration:
-# - https://nixos.org/manual/nixos/stable/#module-security-acme
-# - https://git.grzb.de/yuri/nix-infra/-/blob/33f2d9e324c2e3a8b1b41c20bce239001bcce9fc/hosts/netbox/nginx.nix
-# - https://docs.netbox.dev/en/stable/installation/5-http-server/
-# - https://github.com/netbox-community/netbox/blob/v3.5.9/contrib/nginx.conf
-
-{ config, pkgs, ... }:
-
-{
-  services.nginx = {
-    enable = true;
-    # So nginx can access the Netbox static files.
-    user = "netbox";
-
-    virtualHosts."acme-netbox.hamburg.ccc.de" = {
-      default = true;
-      enableACME = true;
-      serverName = "netbox.hamburg.ccc.de";
-
-      listen = [
-        {
-          addr = "0.0.0.0";
-          port = 31820;
-        }
-      ];
-    };
-
-    virtualHosts."netbox.hamburg.ccc.de" = {
-      default = true;
-      forceSSL = true;
-      useACMEHost = "netbox.hamburg.ccc.de";
-
-      listen = [
-        {
-          addr = "0.0.0.0";
-          port = 8443;
-          ssl = true;
-          proxyProtocol = true;
-        }
-      ];
-
-      locations."/static/" = {
-        alias = "${config.services.netbox.dataDir}/static/";
-      };
-
-      locations."/" = {
-        proxyPass = "http://${config.services.netbox.listenAddress}:${builtins.toString config.services.netbox.port}";
-      };
-
-      extraConfig = ''
-        # Make use of the ngx_http_realip_module to set the $remote_addr and
-        # $remote_port to the client address and client port, when using proxy
-        # protocol.
-        # First set our proxy protocol proxy as trusted.
-        set_real_ip_from 172.31.17.140;
-        # Then tell the realip_module to get the addreses from the proxy protocol
-        # header.
-        real_ip_header proxy_protocol;
-
-        client_max_body_size 25m;
-      '';
-    };
-  };
-
-  networking.firewall.allowedTCPPorts = [ 8443 31820 ];
-  networking.firewall.allowedUDPPorts = [ 8443 ];
-}
diff --git a/config/hosts/netbox/postgresql.nix b/config/hosts/netbox/postgresql.nix
deleted file mode 100644
index 5f49f30..0000000
--- a/config/hosts/netbox/postgresql.nix
+++ /dev/null
@@ -1,7 +0,0 @@
-{ pkgs, config, ... }:
-
-{
-  services.postgresql = {
-    package = pkgs.postgresql_15;
-  };
-}
diff --git a/config/hosts/netbox/secrets.yaml b/config/hosts/netbox/secrets.yaml
deleted file mode 100644
index 831a7a1..0000000
--- a/config/hosts/netbox/secrets.yaml
+++ /dev/null
@@ -1,234 +0,0 @@
-netbox_secret_key: ENC[AES256_GCM,data:7cVGSlrCo3MEjeLjfeZrL0VZi3+yZqsC3qI+rx+xadic78H0egWCCNaYEHIgtilgFjw=,iv:gnearzPduWcrVLU/FuzS05eNPZ5srX0hqZyElq+19ek=,tag:9MKgFb4eVYE6a5ncx9sgpw==,type:str]
-netbox_keycloak_secret: ENC[AES256_GCM,data:WLPCwl6KmHhyGwpqchZUmTr0XwA1T9asAEXNOSQMfGU=,iv:fsO+Ho18Uz6+y2iohbve1bUKhCR/c2zNrbODR2Jrh3Q=,tag:MWeh7GhdyUJnSzrndA3l3Q==,type:str]
-sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
-    age:
-        - recipient: age13fqs76z2vl5l84dvmmlqjj5xkfsfe85xls8uueul7re9j3ksjs0sw2xc9e
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKaTJ5OEJPeGVPTHp5V2tX
-            c0xYcWtKNG00d3lCQ1JZRERkUFZsaXpyMERJClQwdDFnTVdCRjB0S3hEYkVmclE5
-            dGRUQThYSWhpK2dCQWxSVjhuNEY4TUEKLS0tIC9RS3hSdFZCbTd4eFNNSTgyaXdU
-            V1lQK3YzTWI5ZGdyeGtFQ0E3QXQ3YnMK8sBStC8xBKwpeWkF/HrryWi0hZA69nuw
-            a73HiZuED8KEp5OPME3yC6Ode71uEEaE/av2zp7WUYbCqVpWnwcjSg==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-10-08T23:54:23Z"
-    mac: ENC[AES256_GCM,data:6KwBwJ1uTuOaCTcBs9sgvX+E/bV37ylJmDqYupa3545ba5Y3VMuF2Hx72zzRYPmh5/DmwzDxc/f7TZUheO5jwwwMGGNCYuX2c+nkzLgtovT/yCXTo8vPHNf03fQRHlOq28ztQIG8Ug1s/t4XkA+iuqPdbvyNKLbsJfJBqg4SF44=,iv:SUXPFtW3/pSTBnjAh77G6pJTucHy4VEhUVkELiMJ4JU=,tag:SfLCwPpJuvL7RrIRmN5PGg==,type:str]
-    pgp:
-        - created_at: "2024-05-26T01:07:22Z"
-          enc: |-
-            -----BEGIN PGP MESSAGE-----
-
-            hQIMAxK/JaB2/SdtARAAgiNMTfquNZeRDR0p1DQbGPVx/tCxKng4aQ+6A8x7H3Ul
-            UFSjn+85rFBqTRswDnFM4gSfokBHLW1Ltztqw4aKuYoNLs0vUGJWrkf5dHsJv2Mb
-            YJaHm1iqSwIrgmyI1PWvrZ+cUjgUWBriJOTNlYi2iHWBWqDSQ7O7TUqpeCxiHAp9
-            e6UydzIxsLjl+7gaDW2M/FRJNVKxtq8UBEdg33xLi/eE6O5/fNyo8qBjUUWnG4xb
-            fiuKWgn83n7vsVsmvNJPlsOUrrZoYJAOSm5nymkXlAEQv1LPrSXXYHz8WoOTPDs8
-            29YAX8gvIwK+lc7xFFZAsjQ8JzqcVMyFHsT9N8zWSdaOyGcFcsDwBEICOvVSabb9
-            g3yrI8PKoEkQigeLnzKrkLZX+1vqVkSO7MBWn5xAMMhTTZvH0+MknlYO0pU3ziME
-            Yp6EbvU4OeRbcB6gMt21KQDhiEkPNdwcyxoOtFIWw8tCK57Leyyyb1YU2W7T96M4
-            2fcoAzr5x3xapdvOEgUr7OFzTrc2DRrpx7FKoJFBIy4HEvtJKJvKxcq4aUqznSPG
-            ILpbnH3CEQuWmcGu5fTZ3ggQZW7bM523cz+cwOJjUokhW49D+h7wZjffUuSK1AWS
-            7FwncFVVkNcLAs77p1DFn4A3mUjdh3jl+VAXudgQfOGtLeLDY4+qlMMQSGPoj4fU
-            aAEJAhB0l1X5jqjGE7o/PRwgoaeFl/zwiX8n0k26++hPw2+Vt/b3sT3Ce0zNr30p
-            Yc7h4H8UoN9j6zD96R9MAATHikz7a5EprAshqzV6uy7VNI6bcKVKilLoxVa47Y1p
-            6PA24RxtGxVm
-            =ES/O
-            -----END PGP MESSAGE-----
-          fp: EF643F59E008414882232C78FFA8331EEB7D6B70
-        - created_at: "2024-05-26T01:07:22Z"
-          enc: |-
-            -----BEGIN PGP MESSAGE-----
-
-            hQIMA6EyPtWBEI+2AQ/+OBSrAP5xkjanku4jcpbYrYDMTWRxVfEgNesvuTyQsxVr
-            kKK9THm7MUHbVBkx1xirvpv6XLcLtCwdMnYlBkSCVaztGmb1aowmCn5tWZiVDyE+
-            UPCF0bTXmxjLM+Cav8aweylfD3vAQsPvFLS3XvCBHKWqZ7dNkro+5VTxKmQ+XiZ6
-            t67M5DtltUm8IWOE2DScAgGiBQlCSY23O/zy4U5Sj3Ii+eRHxC1B7NB0Crj01pi7
-            2v6J7yNZnw4vfH3UiRO5Vg9q0QLPp3XR6Xb1J/TJJS6vCUarSbL1/oBjujHkF4hK
-            MEZ+Q3qGnv+dGOzUch4xkEkuWyfIcMTY6JOa3TpkhfkbQwXsph/sD/SaHpRD70Ra
-            PX0vBzSdbtEMea8/pVTOxfFEjPGQIFI1+pdNmCfzhWNbrH6EqjrSOyZXSr6+U3dI
-            Xhpyv2wKuNho0c9jWYqPzY4vhSGRjc9416nfV/o7Ebv659ypBKHtMDcL5kebkCB4
-            W0OwscSRPUXUz2S9XfSa3J80Aakv5S5xvlXo6R/8TDaMWJtZP2vtF4y0elNGOfZM
-            Vn/zlv1htaezQDNznJK+E8bHEF3p92hiuSjO8yMZByIFrAV1AyqY4kiMmW68scA6
-            NBOlxah9xCV7XnD8B1ZCR9FruuYYj9cpwES0lLvISBXJvh1viyHN8Js0uApePInS
-            XgGzDhaZWWyt5TK+Uv2fu8wh6hbX8hmzT9vBLfPz0Gx6Z78RnwflsTqF8svtjSuB
-            zv4z9d/zrysfHY93Gd8kdKkG955f1THz9dELEpYLIwyLoTx1vHlymVP87TuPqxc=
-            =zG3F
-            -----END PGP MESSAGE-----
-          fp: F155144FC925A1BEA1F8A2C59A2A4CD59BFDC5EC
-        - created_at: "2024-05-26T01:07:22Z"
-          enc: |-
-            -----BEGIN PGP MESSAGE-----
-
-            hQIMAz5uSgHG2iMJARAAjT7YVbq2/QthKii2fmj1EZgsDm7ZkcAKJ7Bo0jm7Vgxm
-            wGeBULB0bBoYEiFFO7Kc420Yk6IK+uUG8S8X3bJHUbMzvY/K/kG0eVpXwDJwJPf8
-            o46blkjpmhIiTvvQ4K74AJgsT9W0yXRrPxGz5HIuOG8P8CAqOabZ79ORfd3KFebJ
-            yOvBSyor//XoMB60a7uqQoaWw/+UwRKpz2yncLafD23nyuS5uXsoHNuySHLsI4va
-            y6Nhp4LdpYjjx/DIuzrl/3SCeLgisHL5u5kJ1QaGsfd2z7Tjxk+GoVgs/Wb51uHs
-            vPk0diKrv/kouW7rN20a2ywQETenik7/z2JcEFyZiOPH9KhHk3QGoXdlVVqESz5O
-            OMV5d/ijFW92Z7yuis1jSewGKDDp1FqyR3gIMONl2vK7Pzl1A8v8yQBbY5/fObuM
-            xTs/qwwoqYimokqM3WrjjKgx8oFFstWWzKBT24aCQTajA8vl83v1jfjR7EjBrrAu
-            +J+wBFNpnJiXgECPmJgOtQB+4IA023X1cdgDm2GlR+sPKKSBP+AySMOOp4zMoS4J
-            9xd30ltQp1ncNvU7KaTV0VXRaGb7CEJnlhiN2naYcpcsX+G8bfcrCuZwxtBFiZvY
-            9Ey47LLHP5SPPOWxhnsrPOYidNJd056+uyvnnbUYArjb6s5JUh6KQgjELKCEOIXS
-            XgEUryr5jMrBHLQi7wYHEqWkouH8cFsPAu5O/KOIYvZVIoOzB3DDPtJ4CknNfAMa
-            CTvlOJHJSuweQ4Mq0c+247aWu12V9ZMcTQT4e3g5DYq5TWm58Uidbd/g3FDwLgg=
-            =PqbF
-            -----END PGP MESSAGE-----
-          fp: 18DFCE01456DAB52EA38A6584EDC64F35FA1D6A5
-        - created_at: "2024-05-26T01:07:22Z"
-          enc: |-
-            -----BEGIN PGP MESSAGE-----
-
-            hQIMAw5vwmoEJHQ1AQ//baYynNo2MfmuqEKles0xnZpfPemIyQUnPmRKEtZUl6T6
-            eweGXKF3Ms32ErPhZaT8RNYAk2XX+RRlpJvTcMvLv/rxVTf2QcCAz6vxukmh5una
-            5CJe1H1tcDmXrQ7zkGffktkGcT90/OpRbhMJtp7MKcEzfpdgcw5yCeDpYCRn2r9E
-            /0Eaf72R60ecnr6CaOSIdbpy1QiDMydgmg/QCONBT97RQMJaGN+qAuPz1Fpb/Z+N
-            E/bmtqS39ADYZoB36sy+LCzp+oMLI0DpCHz2ngfFnKbeYeNU9gMXCAda9/ZyMbaI
-            aFjvwlTBsvAklWN36pvG/YxoO1XkN/Mj1N1QBvxP2LYg28X7uBnVUZAyvvQPL6xN
-            U110qThvDvLxgHC1DAfoMygKCDig2oSg3njf8LS1y5XkTag/B1JJT3NcgFI+MMvT
-            5NMaw6HRAgOwWcJ1pJokFZ6zIpLlIbToutJu/Ep4tisyg/G3ybbthqaywg5jkbCT
-            vbhzXpsbqkE+jyx2dWziBbQR9lOoTycRwIs6um+pKuPF7TzfD1GRyqTwtU9TN58D
-            Yl1GN3oz8ZFeGkdy1dXBxMP4EXR1BTdLk14vFGFPbjQ0bAAohOgTSgtGm+iZ73Q/
-            PFNf/3gGt8/Gk0cMl20PFzk3FMyUDOLFl5dOre0THGQelpVbN7fvZuaXOSZjuYXS
-            XgHGFmChf+zsmbKnT0tQfzGtFQb0cHHvkenxC5MCCCPibxwVeHEwcJTtPvvF1QqF
-            9kR3XEpuVFMNFrxsQd/31c5RUTC+sr7W+PRIVgIhdU6RtikIMsmekrunnPeB99U=
-            =o7cj
-            -----END PGP MESSAGE-----
-          fp: 87AB00D45D37C9E9167B5A5A333448678B60E505
-        - created_at: "2024-05-26T01:07:22Z"
-          enc: |-
-            -----BEGIN PGP MESSAGE-----
-
-            hQIMA4HMJd/cQYrVAQ/6A6ealIO6x8Xq3xzjIvZt1R4TvbnF+LmKpW2iG1nO3aVY
-            QOEGUCVdEveWbQBOexKXl1TgfhxIOrPVixJ2KgIZnNxobhgABfF/H/EqXsxUI6n6
-            2mZt8r0ibknzoPn7MmC7ceJt0t8UVFgPlPuT7zb5T2nDrm61WD50tbubJTYTuWmY
-            NE5qhd051/Ohqf1RGB7MEfesDNj0S+J3E0TAjOsAcFoAUwSohUtxONcCSwjiygqM
-            vCC9Z51tMe6pC9n/2MNgb47xd5eqFs9rzfKXxPlnhhRmS1jOmE5fVfmOg9KOkGCu
-            PskiO+hgyQK3q2a+/e/MGuKv3ChCrTloTUBarQW5oRoQnWdoiZh7rVwyNVasGfHW
-            FLEhZuBlyV8w9JqOQTiOx3FN8IhVL2lJIa72Ng+O+AMYuvuSCxv5r+1D88IUlF9B
-            n01qAMC7fUfOpkUPM0yXQ9GTIWt02Mp/7z15t49Uk3izYCGluxVNhLNFxvAZOZh8
-            nfT2Hpf5mkJHMvUD9F9rWFVWPyCD0ORN8k770ziOVEYMadSJ7/HpCHxg5m+TqNnM
-            TNQXID/f7AyoO10zcS8TD0IgDLEjTaPMTPZ1EZ0MvgLQ7MgzPdjdvXOGc0g8L6oa
-            ac9a/NDWeZGDNfj5T88pZStoLJKnTvuuwxk0haabClxCAOysifxINqJ7U6AfkpnS
-            XgHR1vDF871X9kwm/c2zrbJca2sH5pNU/HiLf3IMRTAnmIewYxQAvn3JH+0jUUKH
-            fEt+fZuW9dgfvDzaw4C3FbGxFViRXXFrjqSDGN9JT6VprCmX3Or0RdIjHwdvvhY=
-            =4agQ
-            -----END PGP MESSAGE-----
-          fp: 91213ABAA73B0B73D3C02B5B4E5F372D17BBE67C
-        - created_at: "2024-05-26T01:07:22Z"
-          enc: |-
-            -----BEGIN PGP MESSAGE-----
-
-            hQIMAxjNhCKPP69fAQ//R+9lFm16WjGtRkq3zcPbva2SpijBjVBfuL2veFyeDq5G
-            H09EL0+A9IJ5rPI4Y6HJ2LhnqUWg7NRHbmM48bHla5NDtCNB+YsU1rNc4oGIf/TJ
-            JRob3u660+BxRiEO/Agc925BeQS7xoPSIQTTkzMKEGih2aUj3Im0JHBd6p3UWnsn
-            ZTUy4rkZHhUot1vHSOh1RTRDQHdDMTFpzPA66nH2y9tyz79jhqEFUCZIVIB5dGWv
-            blFqZgoVf9Piw/7ic9FHuNRy/5tia7SGN6xIu3OlR3TU+z7fvjUAHG9Afm0FINfm
-            fS7SRg+y/6wUWVGL8NSQWQLdnMnUt7E2DSu5IY6S6ToZTDxpNM9Waw89GQbUe+Jg
-            APzUtmXt2VNZ7faIE+tE0LJs2x5OGNxALKgj+K9ZFl6oIL8E7PB4ncxDlTsCRiz/
-            H15LzKYMWcYAntMVuVbyyzKUh/3KdZWfs31PV+JIQuazVUQgO9R3myn1Y9SnvZdQ
-            dIwvfYBOmwhC6oCkJB3Pj4yOoE6gtacZBeeUZwScDxH6h+D3MFrF/1bgiKZs26m+
-            VfuTS2vxUAln9werKIGAbQWZmtCOkRdyVIJyeo31zO3hy/xdfzlZdBijcOqZDeho
-            FP+WDUAySkSahqV1pr+jIMsaejRglJo/GfCGPdtBYAuB872VpdiQ8g3i0CW7eSfS
-            XgH5YBfA4EgJSxRdCpBO25i0SyxlNK2WJ9INQbu4xyfBfsZYyhKo1RbmD+60t/xw
-            Lxeg8plFAuBPvQCRCGvda1y9uw66Hmxt0QKtScd3MXwOk2Q2u04cIPDZ/KAtC4g=
-            =x1QX
-            -----END PGP MESSAGE-----
-          fp: F38C9D4228FC6F674E322D9C3326D914EB9B8F55
-        - created_at: "2024-05-26T01:07:22Z"
-          enc: |-
-            -----BEGIN PGP MESSAGE-----
-
-            hQIMA1Hthzn+T1OoAQ/6AgZkGRrZDbtTDEkksKQ84CsGyRBMioOrYfHDSyRb7URZ
-            RDVLfqr25Iz48kYR1n2nMo+O7QyayjTwaEAwFLFSTIpRKN6/9fT2ZVJxUfgLUWhH
-            I1OYMmRr9f/30OUMw8uTlCMqznkdoSjBmm0CX2Mu3YyRDUokzZa+ixRHX9TRBrKz
-            GSfJvHm77HTamvJLZcHnrVi9YH0KL7cQ8ileNHbUbCqmG+rrhiwz+gRp9aJ7pbnw
-            Qp7TaafrQKFh0Zsbmwuzcv030TJvuZboWpMIuGoeOWqv6tzSFhUV8eUu6UnM/2fg
-            arflryayYFRDUkysHONGoHviygefHr3+dIkneVO7tJ4ePYnFYhLvUsps4KASoHMF
-            dHMOwaPQDnBYo/ADiar1fgagYD/1Yns2SpsA1eqWwTE+hp+jwQi0mzYMLM3xl9YA
-            cMuqIOnXvpnuXYIRmooFtf/JkoJkYDV+8gbowZU52FJbB15QsPUgN47aixkWzJxj
-            6iV34LoF783DGQTnoMzgV9bDXa3RE1UgxjdFV6TNsPQvmWQJe+NNhqdkhH3MwLTG
-            jMGAwUNsPnmvCg4xPZlZMiuGhi3vxC4Fj6MWUw8uJbxCv83FPYwmpHCGVNwpDhFC
-            rRLk9vo1Dsm0oMHHLDxS9gTlg7FCrEyXinHBEq/11wigACM217oyg28nWxd6iA/S
-            XgHgxWlTQiYOWBRdJuJrPwXpNIHlsNDuE5YantoGFx6ykGT5H42HFlll7xGq6xVq
-            pssSfJK++lqWpvX076vh9tfwa40N2neO/vQ+8jBXr3dP6Vj/FUA8IUDVjc9xxAc=
-            =FXTF
-            -----END PGP MESSAGE-----
-          fp: 5DA93D5C9D7320E1BD3522C79C78172B3551C9FD
-        - created_at: "2024-05-26T01:07:22Z"
-          enc: |-
-            -----BEGIN PGP MESSAGE-----
-
-            hQIMA46L6MuPqfJqARAAlG+nZhDVZX/+nHA+dPdw2RSGeXrIaxe0gjkGShZOVhmq
-            /iOfY7IgRzfp03BCJxRZwTYZu9hcg25jmW1havkmv5NPMDrmhgg9nX1AgyJaOgTo
-            FCPlXAvBSyWPGv+xgi63ttakHhobOympBj4hSzXdLg3RhkZ7KHci4Qz7XVfOpJ+j
-            wl/HKkNmkLiPiA7kYk8SOwJMFO89dMphHQBc81cZAptwfz9snTP7v6iBVvQDvF8h
-            3y5QPpfKEJZy0+GlqbMvRASHNx+w2GXIk6F/ldMt9rq9IJvR0od0p15aXCcO6TzC
-            Yzo7lIyyxqp9NQyN0S/DwzH0Uqj2CFMYdoKeFTNXG4a9fkVorj8+4rmJPewDxc4a
-            6Pc1hrQc6qoN+7o0Fj4xYkSO615gmVwZprWLQqgdkSMSPklecMX1d7WmkmIHNBk8
-            wkFUT0yBoedBiOTIHXRXhnQ8/4fkbRw7HYA3R4CqT7njtvqC0VWfwLISubuQ38tf
-            wbGKg5Bzzt+T176VoOfjau4aDoy3S1aGQcVKD19egj4l/eO+SvHl3UVZNUipkB3C
-            7MUqORS2kOh+IIqdSjYKvn7+MuAM5UP5GdzIoHaPPSCTUPdUjOLFPb+bjonTReQM
-            N4slvyssD3pgy9cwNofVtsmgVrc4Cv9mTo6rygeAq7wWxkl5hvVcmkhRN6zXD4TS
-            XgHV1a+C7ZWICtKI1u19NVYkjDkRrbQx96UdAkKquofpaQjxxXsz4SDi94BB2dCS
-            z+S2ZjOtweynhey1QPOLLmNUvZLE+SGsKmwkrMCBdtSyTbRXHSqPHt0Lc77tUhE=
-            =7WGw
-            -----END PGP MESSAGE-----
-          fp: 8996B62CBD159DCADD3B6DC08BB33A8ABCF7BC4A
-        - created_at: "2024-05-26T01:07:22Z"
-          enc: |-
-            -----BEGIN PGP MESSAGE-----
-
-            hQIMA4EEKdYEzV0pAQ/9Ek8xSUknHMyj7pFgR6oME3Q/az5CykwxpkKFZgafhxWQ
-            nA2Ge4y3Px+rSoPPPtxtb32lw4PcWV+P1Y4EdtpinsuW9xlSWJvE8Yp6C0BBFceu
-            3k3O2sPHlF0yeJgjS+rhpqPppRn5nlvmD+E9ZiJGQNOEUxmrdgoNLonazlLqcgjO
-            07CQdgHp9AuBthhlEU+UgdVdfHMV83KhhyOIf+mhEUU4cQWL3X/J2Sm6jtAowA92
-            fiAA7U8UXEt4lFEXle6Xj/1LtBI5zI8YHrE3xX6kN0Byf+ydtAM1eqjGb0dL7u6W
-            24CavCODfgWepuK97Jo++umTfN8wkLlfpbaNro2EpAdD5Q9CeGSzXk1PjFmsZgAb
-            QVOxo8kiTULEgMTI55pqg4GT4pglbofsQRMuk2IZPj1a9ScJjOxZIm0VUXG9AAZi
-            BogAuiObch3orMm2KGeSX1s6HyHrvQjuXDNPHoC2yFJ2oBu1QIHy/hAFLnOcNW/U
-            3JfhWHLpMHQgu9lFzkTlobg+4Lg1MHlXtSApwdmMIcrAJcm/l/7+x1J/TVVRQAdP
-            zyzWLA9AGjRv0Vud6lhCnL2FjsUVUWA+S8G+OYqxpkp70Ku1a5z3e7P8CoAtzDoe
-            RZLRwjawjgfyKpEvbN+s2UvWqtgvRPqiudG4cAZs5GecLxO8ItahyklRZ47G8JnS
-            XgEdyiiO06vx5LMszt/tFXtoIKlaWnbB0oLyIwm8un55VnJija5OVrFfdQYhp4fQ
-            yvRQ9uAM32WVjQ+gKVVQ3pAHgF2Lu67E7HtZtdmdLkWafybEWUsqGZyDzDvchZs=
-            =pFkW
-            -----END PGP MESSAGE-----
-          fp: 9DFA033E3DAEBAD7FDD71B056C7AAA54BE05F7BA
-        - created_at: "2024-05-26T01:07:22Z"
-          enc: |-
-            -----BEGIN PGP MESSAGE-----
-
-            hF4DQrf1tCqiJxoSAQdAeCb2j6cmTulJV2huSow62xTILgzf8/OOo5lED9+T5VQw
-            kBqubSVgy3jiW7lfjAK8U5Wh0ITb+6AR9kDLRE0WCxNbrOaeGado1VEalTw00Q58
-            0l4B+PeAZBg82rPUegAvU7UnnUIC3nGVzN4CEdPRpPcrG99V6VvXOks+s4DLky16
-            5FOihlYbf5nCD7OFbc3yys3MbUVuHda8x8H0BkuxDR81Wf4Q+HXCg8OUhncB57zN
-            =Lvnj
-            -----END PGP MESSAGE-----
-          fp: B71138A6A8964A3C3B8899857B4F70C356765BAB
-        - created_at: "2024-05-26T01:07:22Z"
-          enc: |-
-            -----BEGIN PGP MESSAGE-----
-
-            hQIMAzdAjw8ldn6CAQ//UFokgDfUkScPVlJ+YnFw+W8eLk6y2YVI+nTCCZO9fhPB
-            77aDFY+yJG/BfEzjZNwQbISBjt+OuxVSSam52B+4FQkolr3KRhkfkuS16Fe9PwOg
-            XLMRoDba416ZtwAKz9HznFnPAzyPOwAn8yuF9RMp0KFP3ko+NSRAvOgja+jjPOl7
-            4BNkH6w5SAoE8u5jyQKIV9OB4W8RCVX30bYo2XzxjOcK1L+9EygoR+1CVOkbx8p/
-            T2i3mBdy3EtQ+86nSMPjGrSqURaUaKbCN/ygrSMhN/Pl/FvLiEEHamj2dVXPdHRV
-            k4bR51ZjO+U056PAB2Z5yK1Mpp0d0xpi5+QdOdi3eEqnGCXFq4Xz7NHUrmdy8Zug
-            QPnlMqibC3Wqdee4uhPbCHe0veF/VLaNAlyGkBHw7q66Ln2MY8coKPoiR8K4CD8o
-            9dtsV/qDvdFhziqsWCBjTwtFct2x/qEcRnzm1kvpyKwe2zV15lHA9WLafZVQ8eNk
-            U8yxBDETa8Bwd9voJ9NqYTcnyQLRJ3sZcvfkWQ7D5NOvmdHD5vF+gm5zJzR4EGN2
-            kSiqwZvztVuQCm6EOe0pJqp774KZXWW9eHc6CaNwkT5cmWjWu1wdHYhRk32HdhxX
-            1FQF3MxxACwDg9kj/s7gpWLlsofN4NM/QtHoGRh1wDQJGm8IZyH2qxpsgcXX9YHS
-            XgGX4oCWpHLRyRuHPb0xvjAdVX20WQKLzAtXvJkRMUd+Xt348nkZ4ZCqqfQ4eKPU
-            02FoWeCVqWTUyoaaHC87HFXUNJ4Gc+9AsWlbB9yA8nAm1z4wWHHFqZS2duu28ow=
-            =WqHP
-            -----END PGP MESSAGE-----
-          fp: 3D70F61E07F64EC4E4EF417BEFCD9D20F58784EF
-    unencrypted_suffix: _unencrypted
-    version: 3.8.1
diff --git a/config/hosts/netbox/sops.nix b/config/hosts/netbox/sops.nix
deleted file mode 100644
index b4548ed..0000000
--- a/config/hosts/netbox/sops.nix
+++ /dev/null
@@ -1,7 +0,0 @@
-{ ... }:
-
-{
-  sops = {
-    defaultSopsFile = ./secrets.yaml;
-  };
-}
diff --git a/deployment_configuration.json b/deployment_configuration.json
index 20b9f00..6ac5254 100644
--- a/deployment_configuration.json
+++ b/deployment_configuration.json
@@ -3,9 +3,6 @@
     "targetUser": "colmena-deploy"
   },
   "hosts": {
-    "netbox": {
-      "targetHostname": "netbox-intern.hamburg.ccc.de"
-    },
     "matrix": {
       "targetHostname": "matrix-intern.hamburg.ccc.de"
     },
diff --git a/flake.nix b/flake.nix
index 347294b..7c7cfe0 100644
--- a/flake.nix
+++ b/flake.nix
@@ -40,13 +40,6 @@
         proxmox-vm = ./config/proxmox-vm;
         prometheus-exporter = ./config/extra/prometheus-exporter.nix;
       };
-      overlays = {
-        netbox41OIDCMappingOverlay = final: prev: {
-          netbox_4_1 = prev.netbox_4_1.overrideAttrs (finalAttr: previousAttr: {
-            patches = previousAttr.patches ++ [ ./patches/0001_oidc_group_and_role_mapping_custom_pipeline.patch ];
-          });
-        };
-      };
       nixosConfigurations = {
         audio-hauptraum-kueche = nixpkgs.lib.nixosSystem {
           inherit system specialArgs;
@@ -84,18 +77,6 @@
           ];
         };
 
-        netbox = nixpkgs.lib.nixosSystem {
-          inherit system specialArgs;
-          modules = [
-            self.nixosModules.common
-            self.nixosModules.proxmox-vm
-            sops-nix.nixosModules.sops
-            self.nixosModules.prometheus-exporter
-            ./config/hosts/netbox
-            { nixpkgs.overlays = [ self.overlays.netbox41OIDCMappingOverlay ]; }
-          ];
-        };
-
         matrix = nixpkgs.lib.nixosSystem {
           inherit system specialArgs;
           modules = [
diff --git a/patches/0001_oidc_group_and_role_mapping_custom_pipeline.patch b/patches/0001_oidc_group_and_role_mapping_custom_pipeline.patch
deleted file mode 100644
index 89f805a..0000000
--- a/patches/0001_oidc_group_and_role_mapping_custom_pipeline.patch
+++ /dev/null
@@ -1,61 +0,0 @@
-diff --git a/netbox/netbox/custom_pipeline.py b/netbox/netbox/custom_pipeline.py
-new file mode 100644
-index 000000000..470f388dc
---- /dev/null
-+++ b/netbox/netbox/custom_pipeline.py
-@@ -0,0 +1,55 @@
-+# Licensed under Creative Commons: CC BY-SA 4.0 license.
-+# https://github.com/goauthentik/authentik/blob/main/LICENSE
-+# https://github.com/goauthentik/authentik/blob/main/website/integrations/services/netbox/index.md
-+# https://docs.goauthentik.io/integrations/services/netbox/
-+from netbox.authentication import Group
-+
-+class AuthFailed(Exception):
-+    pass
-+
-+def add_groups(response, user, backend, *args, **kwargs):
-+    try:
-+        groups = response['groups']
-+    except KeyError:
-+        pass
-+
-+    # Add all groups from oAuth token
-+    for group in groups:
-+        group, created = Group.objects.get_or_create(name=group)
-+        user.groups.add(group)
-+
-+def remove_groups(response, user, backend, *args, **kwargs):
-+    try:
-+        groups = response['groups']
-+    except KeyError:
-+        # Remove all groups if no groups in oAuth token
-+        user.groups.clear()
-+        pass
-+
-+    # Get all groups of user
-+    user_groups = [item.name for item in user.groups.all()]
-+    # Get groups of user which are not part of oAuth token
-+    delete_groups = list(set(user_groups) - set(groups))
-+
-+    # Delete non oAuth token groups
-+    for delete_group in delete_groups:
-+        group = Group.objects.get(name=delete_group)
-+        user.groups.remove(group)
-+
-+
-+def set_roles(response, user, backend, *args, **kwargs):
-+    # Remove Roles temporary
-+    user.is_superuser = False
-+    user.is_staff = False
-+    try:
-+        groups = response['groups']
-+    except KeyError:
-+        # When no groups are set
-+        # save the user without Roles
-+        user.save()
-+        pass
-+
-+    # Set roles is role (superuser or staff) is in groups
-+    user.is_superuser = True if 'superusers' in groups else False
-+    user.is_staff = True if 'staff' in groups else False
-+    user.save()

From 02328a8ba8d00b5e97b192475fe99c3a85f22c5c Mon Sep 17 00:00:00 2001
From: June <june@jsts.xyz>
Date: Tue, 18 Feb 2025 00:03:14 +0100
Subject: [PATCH 144/170] eh22-wiki: remove leftover deployment configuration

---
 deployment_configuration.json | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/deployment_configuration.json b/deployment_configuration.json
index 6ac5254..cc2fb6d 100644
--- a/deployment_configuration.json
+++ b/deployment_configuration.json
@@ -15,9 +15,6 @@
     "forgejo-actions-runner": {
       "targetHostname": "forgejo-actions-runner-intern.hamburg.ccc.de"
     },
-    "eh22-wiki": {
-      "targetHostname": "eh22-wiki-intern.hamburg.ccc.de"
-    },
     "nix-box-june": {
       "targetHostname": "nix-box-june-intern.hamburg.ccc.de"
     },

From fd2414ec91a2acc7823158976499004ce744547e Mon Sep 17 00:00:00 2001
From: June <june@jsts.xyz>
Date: Tue, 18 Feb 2025 00:04:58 +0100
Subject: [PATCH 145/170] nix-box-june: remove nix-box-june as its being
 decommissioned

nix-infra is built back in general, so remove nix-box-june as well.
---
 config/hosts/nix-box-june/configuration.nix   |  7 ---
 config/hosts/nix-box-june/default.nix         | 10 ----
 .../hosts/nix-box-june/emulated-systems.nix   |  5 --
 config/hosts/nix-box-june/networking.nix      | 22 -------
 config/hosts/nix-box-june/users.nix           | 59 -------------------
 deployment_configuration.json                 |  3 -
 flake.nix                                     | 10 ----
 7 files changed, 116 deletions(-)
 delete mode 100644 config/hosts/nix-box-june/configuration.nix
 delete mode 100644 config/hosts/nix-box-june/default.nix
 delete mode 100644 config/hosts/nix-box-june/emulated-systems.nix
 delete mode 100644 config/hosts/nix-box-june/networking.nix
 delete mode 100644 config/hosts/nix-box-june/users.nix

diff --git a/config/hosts/nix-box-june/configuration.nix b/config/hosts/nix-box-june/configuration.nix
deleted file mode 100644
index 7dddcc1..0000000
--- a/config/hosts/nix-box-june/configuration.nix
+++ /dev/null
@@ -1,7 +0,0 @@
-{ config, pkgs, ... }:
-
-{
-  networking.hostName = "nix-box-june";
-
-  system.stateVersion = "23.11";
-}
diff --git a/config/hosts/nix-box-june/default.nix b/config/hosts/nix-box-june/default.nix
deleted file mode 100644
index 489fd67..0000000
--- a/config/hosts/nix-box-june/default.nix
+++ /dev/null
@@ -1,10 +0,0 @@
-{ config, pkgs, ... }:
-
-{
-  imports = [
-    ./configuration.nix
-    ./emulated-systems.nix
-    ./networking.nix
-    ./users.nix
-  ];
-}
diff --git a/config/hosts/nix-box-june/emulated-systems.nix b/config/hosts/nix-box-june/emulated-systems.nix
deleted file mode 100644
index b6065dd..0000000
--- a/config/hosts/nix-box-june/emulated-systems.nix
+++ /dev/null
@@ -1,5 +0,0 @@
-{ config, pkgs, ... }:
-
-{
-  boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
-}
diff --git a/config/hosts/nix-box-june/networking.nix b/config/hosts/nix-box-june/networking.nix
deleted file mode 100644
index 2c1faee..0000000
--- a/config/hosts/nix-box-june/networking.nix
+++ /dev/null
@@ -1,22 +0,0 @@
-{ ... }:
-
-{
-  networking = {
-    interfaces.net0 = {
-      ipv4.addresses = [
-        {
-          address = "172.31.17.158";
-          prefixLength = 25;
-        }
-      ];
-    };
-    defaultGateway = "172.31.17.129";
-    nameservers = [ "212.12.50.158" "192.76.134.90" ];
-    search = [ "hamburg.ccc.de" ];
-  };
-
-  systemd.network.links."10-net0" = {
-    matchConfig.MACAddress = "BC:24:11:6A:33:5F";
-    linkConfig.Name = "net0";
-  };
-}
diff --git a/config/hosts/nix-box-june/users.nix b/config/hosts/nix-box-june/users.nix
deleted file mode 100644
index dfb333e..0000000
--- a/config/hosts/nix-box-june/users.nix
+++ /dev/null
@@ -1,59 +0,0 @@
-{ lib, ... }:
-
-{
-  users.users = {
-    chaos.openssh.authorizedKeys.keys = lib.mkForce [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOqCxniUEAZAYqL5zbisFfYcQx+7iDRrMo4Pz4uWXq5b julian@01_id_ed25519" ];
-    colmena-deploy.openssh.authorizedKeys.keys = lib.mkForce [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOqCxniUEAZAYqL5zbisFfYcQx+7iDRrMo4Pz4uWXq5b julian@01_id_ed25519" ];
-
-    djerun = {
-      isNormalUser = true;
-      openssh.authorizedKeys.keys = [
-        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGWXk9N9GoDyvaB0mnX448IvzKKsMv0eFZKvjqmsJ3In djerun@chaos.ferrum.local"
-        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINQsu6WSAXsF45wGmw2spQUWopsgioUuFI8hKLBW/WVk djerun@chaos-noc.ferrum.local"
-      ];
-    };
-    june = {
-      isNormalUser = true;
-      openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOqCxniUEAZAYqL5zbisFfYcQx+7iDRrMo4Pz4uWXq5b julian@01_id_ed25519" ];
-    };
-    jtbx = {
-      isNormalUser = true;
-      openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIBQgnQAq6FUSDK8bxtYPjx3oRCAKG+xy9J3Gas2ztJk jannik@Magrathea.local" ];
-    };
-    dario = {
-      isNormalUser = true;
-      openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPZtJwNPEIfNsAxBfWgxAeoKX1ajORPvs6L5S+qipJ7J dario@ccchh" ];
-    };
-    yuri = {
-      isNormalUser = true;
-      openssh.authorizedKeys.keys = [
-        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDdk3FLQRoCWxdOxg4kHcPqAu3QQOs/rY9na2Al2ilGl yuri@violet"
-        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJEvM35w+UaSpDTuaG5pGPgfHcfwscr+wSZN9Z5Jle82 yuri@kiara"
-      ];
-    };
-    max = {
-      isNormalUser = true;
-      openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINHNGDzZqmiFUH75oq1npZTyxV0B7eSJES/29UJxTXBc max@iridium" ];
-    };
-    haegar = {
-      isNormalUser = true;
-      openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMhWTkvLI/rp6eyTemuFZRbt2xxRtal7fu668nnb/ekU haegar@aurora" ];
-    };
-    stb = {
-      isNormalUser = true;
-      openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEgVuX9phyXImxqvof+49UXhiSQ+VGizeU4LrPcZY1Hy stb@lassitu.de 20230418" ];
-    };
-    hansenerd = {
-      isNormalUser = true;
-      openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBxujzHK49IBtYKPgnTCDQEiIxgzzlQ846tmU+6TcMIi hansenerd" ];
-    };
-    echtnurich = {
-      isNormalUser = true;
-      openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOWWxkGFje1CJbZTB2Kv8hxZpvRR8qyw2IarRIHnQj3+ echtnurich" ];
-    };
-    c6ristian = {
-      isNormalUser = true;
-      openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOgfWcCrsVSXvYEssbfMOy2DnfkGSx+ZRnPLtjVNSxbf c6ristian" ];
-    };
-  };
-}
diff --git a/deployment_configuration.json b/deployment_configuration.json
index cc2fb6d..9c2f99a 100644
--- a/deployment_configuration.json
+++ b/deployment_configuration.json
@@ -15,9 +15,6 @@
     "forgejo-actions-runner": {
       "targetHostname": "forgejo-actions-runner-intern.hamburg.ccc.de"
     },
-    "nix-box-june": {
-      "targetHostname": "nix-box-june-intern.hamburg.ccc.de"
-    },
     "mjolnir": {
       "targetHostname": "mjolnir-intern.hamburg.ccc.de"
     },
diff --git a/flake.nix b/flake.nix
index 7c7cfe0..d7bda34 100644
--- a/flake.nix
+++ b/flake.nix
@@ -130,16 +130,6 @@
           ];
         };
 
-        nix-box-june = nixpkgs.lib.nixosSystem {
-          inherit system specialArgs;
-          modules = [
-            self.nixosModules.common
-            self.nixosModules.proxmox-vm
-            self.nixosModules.prometheus-exporter
-            ./config/hosts/nix-box-june
-          ];
-        };
-
         yate = nixpkgs.lib.nixosSystem {
           inherit system specialArgs;
           modules = [

From dabaf18dc32ccc3322c0e836543f81857caa0a44 Mon Sep 17 00:00:00 2001
From: June <june@jsts.xyz>
Date: Tue, 18 Feb 2025 02:52:22 +0100
Subject: [PATCH 146/170] flake.lock: Update
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Flake lock file updates:

• Updated input 'authorizedKeysRepo':
    'https://git.hamburg.ccc.de/api/v1/repos/CCCHH/infrastructure-authorized-keys/archive/686a6af22f6696f0c0595c56f463c078550049fc.tar.gz?narHash=sha256-plTYjM6zPzoBE/dp6EUrk9mCqmab278p8FqBCTX8Grc%3D&rev=686a6af22f6696f0c0595c56f463c078550049fc' (2024-11-10)
  → 'https://git.hamburg.ccc.de/api/v1/repos/CCCHH/infrastructure-authorized-keys/archive/686a6af22f6696f0c0595c56f463c078550049fc.tar.gz?narHash=sha256-plTYjM6zPzoBE/dp6EUrk9mCqmab278p8FqBCTX8Grc%3D' (2024-11-10)
• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/11e2214d91f0d06ea8575087e3cd8e246c550bd8?narHash=sha256-L9CwNfoGcvAUpPu6DSkhpdT4tczeWREJWj7ah0Q/qTE%3D' (2025-02-04)
  → 'github:nixos/nixpkgs/c618e28f70257593de75a7044438efc1c1fc0791?narHash=sha256-uq6A2L7o1/tR6VfmYhZWoVAwb3gTy7j4Jx30MIrH0rE%3D' (2025-02-17)
• Updated input 'sops-nix':
    'github:Mic92/sops-nix/4c1251904d8a08c86ac6bc0d72cc09975e89aef7?narHash=sha256-wkwYJc8cKmmQWUloyS9KwttBnja2ONRuJQDEsmef320%3D' (2025-01-31)
  → 'github:Mic92/sops-nix/07af005bb7d60c7f118d9d9f5530485da5d1e975?narHash=sha256-7JAGezJ0Dn5qIyA2%2BT4Dt/xQgAbhCglh6lzCekTVMeU%3D' (2025-02-11)
---
 flake.lock | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/flake.lock b/flake.lock
index 7f1207b..d6bc2dc 100644
--- a/flake.lock
+++ b/flake.lock
@@ -7,7 +7,7 @@
         "narHash": "sha256-plTYjM6zPzoBE/dp6EUrk9mCqmab278p8FqBCTX8Grc=",
         "rev": "686a6af22f6696f0c0595c56f463c078550049fc",
         "type": "tarball",
-        "url": "https://git.hamburg.ccc.de/api/v1/repos/CCCHH/infrastructure-authorized-keys/archive/686a6af22f6696f0c0595c56f463c078550049fc.tar.gz?rev=686a6af22f6696f0c0595c56f463c078550049fc"
+        "url": "https://git.hamburg.ccc.de/api/v1/repos/CCCHH/infrastructure-authorized-keys/archive/686a6af22f6696f0c0595c56f463c078550049fc.tar.gz"
       },
       "original": {
         "type": "tarball",
@@ -66,11 +66,11 @@
     },
     "nixpkgs_2": {
       "locked": {
-        "lastModified": 1738663689,
-        "narHash": "sha256-L9CwNfoGcvAUpPu6DSkhpdT4tczeWREJWj7ah0Q/qTE=",
+        "lastModified": 1739758141,
+        "narHash": "sha256-uq6A2L7o1/tR6VfmYhZWoVAwb3gTy7j4Jx30MIrH0rE=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "11e2214d91f0d06ea8575087e3cd8e246c550bd8",
+        "rev": "c618e28f70257593de75a7044438efc1c1fc0791",
         "type": "github"
       },
       "original": {
@@ -95,11 +95,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1738291974,
-        "narHash": "sha256-wkwYJc8cKmmQWUloyS9KwttBnja2ONRuJQDEsmef320=",
+        "lastModified": 1739262228,
+        "narHash": "sha256-7JAGezJ0Dn5qIyA2+T4Dt/xQgAbhCglh6lzCekTVMeU=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "4c1251904d8a08c86ac6bc0d72cc09975e89aef7",
+        "rev": "07af005bb7d60c7f118d9d9f5530485da5d1e975",
         "type": "github"
       },
       "original": {

From 7c13dd1e35618b860a122c078462d03df005ec6a Mon Sep 17 00:00:00 2001
From: June <june@jsts.xyz>
Date: Wed, 19 Feb 2025 21:56:23 +0100
Subject: [PATCH 147/170] git: disable internal login, to force login via SSO

---
 config/hosts/git/forgejo.nix | 1 +
 1 file changed, 1 insertion(+)

diff --git a/config/hosts/git/forgejo.nix b/config/hosts/git/forgejo.nix
index 85b13e6..89f83c9 100644
--- a/config/hosts/git/forgejo.nix
+++ b/config/hosts/git/forgejo.nix
@@ -49,6 +49,7 @@
       };
       service = {
         ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
+        ENABLE_INTERNAL_SIGNIN = false;
         DEFAULT_USER_VISIBILITY = "limited";
         DEFAULT_KEEP_EMAIL_PRIVATE = true;
         ENABLE_BASIC_AUTHENTICATION = false;

From 535cc518dada1e5c7a3b2ac0aa73d595db0b0ccd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Matthias=20K=C3=BChlke?= <mad@unserver.de>
Date: Fri, 28 Feb 2025 23:25:59 +0100
Subject: [PATCH 148/170] MQTT: Make cats accessible from winkekatze24.de

---
 config/hosts/mqtt/mosquitto.nix | 1 +
 1 file changed, 1 insertion(+)

diff --git a/config/hosts/mqtt/mosquitto.nix b/config/hosts/mqtt/mosquitto.nix
index d093bd8..9bc02b0 100644
--- a/config/hosts/mqtt/mosquitto.nix
+++ b/config/hosts/mqtt/mosquitto.nix
@@ -23,6 +23,7 @@
       topics = [
         "winkekatze/allcats/eye/set in 2"
         "winkekatze/allcats in 2"
+        "+/command in 2 winkekatze/ \"\""
         "+/status out 2 winkekatze/ \"\""
         "+/connected out 2 winkekatze/ \"\""
       ];

From 3fc170389d73312e1ff5477e237a64646d6b2182 Mon Sep 17 00:00:00 2001
From: c6ristian <c6ristian@christian.moe>
Date: Sun, 2 Mar 2025 22:00:19 +0100
Subject: [PATCH 149/170] Update to new IPv6 prefix

---
 config/hosts/esphome/networking.nix | 6 +++---
 config/hosts/status/networking.nix  | 6 +++---
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/config/hosts/esphome/networking.nix b/config/hosts/esphome/networking.nix
index a2c64d3..32c38f2 100644
--- a/config/hosts/esphome/networking.nix
+++ b/config/hosts/esphome/networking.nix
@@ -11,14 +11,14 @@
       ];
       ipv6.addresses = [
         {
-          address = "2a07:c480:0:1d0::66";
+          address = "2a07:c481:1:2::66";
           prefixLength = 64;
         }
       ];
     };
     defaultGateway = "10.31.208.1";
-    defaultGateway6 = "2a07:c480:0:1d0::1";
-    nameservers = [ "10.31.208.1" "2a07:c480:0:1d0::1" ];
+    defaultGateway6 = "2a07:c481:1:2::66";
+    nameservers = [ "10.31.208.1" "2a07:c481:1:2::66" ];
     search = [ "z9.ccchh.net" ];
   };
 
diff --git a/config/hosts/status/networking.nix b/config/hosts/status/networking.nix
index e7f1932..0a16795 100644
--- a/config/hosts/status/networking.nix
+++ b/config/hosts/status/networking.nix
@@ -11,14 +11,14 @@
       ];
       ipv6.addresses = [
         {
-          address = "2a07:c480:0:1ce::f";
+          address = "2a07:c481:1:1::a";
           prefixLength = 64;
         }
       ];
     };
     defaultGateway = "10.31.206.1";
-    defaultGateway6 = "2a07:c480:0:1ce::1";
-    nameservers = [ "10.31.206.1" "2a07:c480:0:1ce::1" ];
+    defaultGateway6 = "2a07:c481:1:1::1";
+    nameservers = [ "10.31.206.1" "2a07:c481:1:1::1" ];
     search = [ "z9.ccchh.net" ];
   };
 

From be351c6ded795a0ea819d80d548fdab1005e62ce Mon Sep 17 00:00:00 2001
From: c6ristian <c6ristian@christian.moe>
Date: Fri, 14 Mar 2025 20:25:19 +0100
Subject: [PATCH 150/170] flake.lock: Update
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Flake lock file updates:

• Updated input 'authorizedKeysRepo':
    'https://git.hamburg.ccc.de/api/v1/repos/CCCHH/infrastructure-authorized-keys/archive/686a6af22f6696f0c0595c56f463c078550049fc.tar.gz?narHash=sha256-plTYjM6zPzoBE/dp6EUrk9mCqmab278p8FqBCTX8Grc%3D' (2024-11-10)
  → 'https://git.hamburg.ccc.de/api/v1/repos/CCCHH/infrastructure-authorized-keys/archive/686a6af22f6696f0c0595c56f463c078550049fc.tar.gz?narHash=sha256-plTYjM6zPzoBE/dp6EUrk9mCqmab278p8FqBCTX8Grc%3D&rev=686a6af22f6696f0c0595c56f463c078550049fc' (2024-11-10)
• Updated input 'nixos-generators':
    'github:nix-community/nixos-generators/d002ce9b6e7eb467cd1c6bb9aef9c35d191b5453' (2025-01-16)
  → 'github:nix-community/nixos-generators/507911df8c35939050ae324caccc7cf4ffb76565' (2025-03-02)
• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/c618e28f70257593de75a7044438efc1c1fc0791' (2025-02-17)
  → 'github:nixos/nixpkgs/68612419aa6c9fd5b178b81e6fabbdf46d300ea4' (2025-03-14)
• Updated input 'sops-nix':
    'github:Mic92/sops-nix/07af005bb7d60c7f118d9d9f5530485da5d1e975' (2025-02-11)
  → 'github:Mic92/sops-nix/d016ce0365b87d848a57c12ffcfdc71da7a2b55f' (2025-03-13)
---
 flake.lock | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/flake.lock b/flake.lock
index d6bc2dc..ef7bc8d 100644
--- a/flake.lock
+++ b/flake.lock
@@ -7,7 +7,7 @@
         "narHash": "sha256-plTYjM6zPzoBE/dp6EUrk9mCqmab278p8FqBCTX8Grc=",
         "rev": "686a6af22f6696f0c0595c56f463c078550049fc",
         "type": "tarball",
-        "url": "https://git.hamburg.ccc.de/api/v1/repos/CCCHH/infrastructure-authorized-keys/archive/686a6af22f6696f0c0595c56f463c078550049fc.tar.gz"
+        "url": "https://git.hamburg.ccc.de/api/v1/repos/CCCHH/infrastructure-authorized-keys/archive/686a6af22f6696f0c0595c56f463c078550049fc.tar.gz?rev=686a6af22f6696f0c0595c56f463c078550049fc"
       },
       "original": {
         "type": "tarball",
@@ -35,11 +35,11 @@
         "nixpkgs": "nixpkgs"
       },
       "locked": {
-        "lastModified": 1737057290,
-        "narHash": "sha256-3Pe0yKlCc7EOeq1X/aJVDH0CtNL+tIBm49vpepwL1MQ=",
+        "lastModified": 1740947705,
+        "narHash": "sha256-Co2kAD2SZalOm+5zoxmzEVZNvZ17TyafuFsD46BwSdY=",
         "owner": "nix-community",
         "repo": "nixos-generators",
-        "rev": "d002ce9b6e7eb467cd1c6bb9aef9c35d191b5453",
+        "rev": "507911df8c35939050ae324caccc7cf4ffb76565",
         "type": "github"
       },
       "original": {
@@ -66,11 +66,11 @@
     },
     "nixpkgs_2": {
       "locked": {
-        "lastModified": 1739758141,
-        "narHash": "sha256-uq6A2L7o1/tR6VfmYhZWoVAwb3gTy7j4Jx30MIrH0rE=",
+        "lastModified": 1741969460,
+        "narHash": "sha256-SCNxTTBfMJV7XuTcLUfdAd6cgCGsazzi+DoPrceQrZ0=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "c618e28f70257593de75a7044438efc1c1fc0791",
+        "rev": "68612419aa6c9fd5b178b81e6fabbdf46d300ea4",
         "type": "github"
       },
       "original": {
@@ -95,11 +95,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1739262228,
-        "narHash": "sha256-7JAGezJ0Dn5qIyA2+T4Dt/xQgAbhCglh6lzCekTVMeU=",
+        "lastModified": 1741861888,
+        "narHash": "sha256-ynOgXAyToeE1UdLNfrUn/hL7MN0OpIS2BtNdLjpjPf0=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "07af005bb7d60c7f118d9d9f5530485da5d1e975",
+        "rev": "d016ce0365b87d848a57c12ffcfdc71da7a2b55f",
         "type": "github"
       },
       "original": {

From 15f69c20a4514c3f4249613cd4ab0c819a6d7819 Mon Sep 17 00:00:00 2001
From: c6ristian <c6ristian@christian.moe>
Date: Fri, 14 Mar 2025 20:33:29 +0100
Subject: [PATCH 151/170] bump element version

---
 .../virtualHosts/element.hamburg.ccc.de.nix                 | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/config/hosts/public-web-static/virtualHosts/element.hamburg.ccc.de.nix b/config/hosts/public-web-static/virtualHosts/element.hamburg.ccc.de.nix
index 1836f25..3c85954 100644
--- a/config/hosts/public-web-static/virtualHosts/element.hamburg.ccc.de.nix
+++ b/config/hosts/public-web-static/virtualHosts/element.hamburg.ccc.de.nix
@@ -1,10 +1,10 @@
 { pkgs, ... }:
 
 let
-  elementWebVersion = "1.11.84";
+  elementWebVersion = "1.11.95";
   element-web = pkgs.fetchzip {
-    url = "https://github.com/vector-im/element-web/releases/download/v${elementWebVersion}/element-v${elementWebVersion}.tar.gz";
-    sha256 = "sha256-z2qaKKyUq2S/r3xUUU3ym0FgFbiQr6bcltuKvUMPbH4=";
+    url = "https://github.com/element-hq/element-web/releases/download/v${elementWebVersion}/element-v${elementWebVersion}.tar.gz";
+    sha256 = "sha256-Bs1oYfJ5xXNpQJL92U0/3s979DKfdSZsBo5febp4QGc=";
   };
   elementSecurityHeaders = ''
     # Configuration best practices

From 341d839265a7d26cb90ce61a8354831d23a6de4e Mon Sep 17 00:00:00 2001
From: c6ristian <c6ristian@christian.moe>
Date: Mon, 14 Apr 2025 20:47:51 +0200
Subject: [PATCH 152/170] flake.lock: Update
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Flake lock file updates:

• Updated input 'nixos-generators':
    'github:nix-community/nixos-generators/507911df8c35939050ae324caccc7cf4ffb76565' (2025-03-02)
  → 'github:nix-community/nixos-generators/42ee229088490e3777ed7d1162cb9e9d8c3dbb11' (2025-03-21)
• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/68612419aa6c9fd5b178b81e6fabbdf46d300ea4' (2025-03-14)
  → 'github:nixos/nixpkgs/260f6989b03d130d64d521445892dd47f8ea545a' (2025-04-13)
• Updated input 'sops-nix':
    'github:Mic92/sops-nix/d016ce0365b87d848a57c12ffcfdc71da7a2b55f' (2025-03-13)
  → 'github:Mic92/sops-nix/7e147a1ae90f0d4a374938cdc3df3cdaecb9d388' (2025-04-13)
---
 flake.lock | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/flake.lock b/flake.lock
index ef7bc8d..214f589 100644
--- a/flake.lock
+++ b/flake.lock
@@ -35,11 +35,11 @@
         "nixpkgs": "nixpkgs"
       },
       "locked": {
-        "lastModified": 1740947705,
-        "narHash": "sha256-Co2kAD2SZalOm+5zoxmzEVZNvZ17TyafuFsD46BwSdY=",
+        "lastModified": 1742568034,
+        "narHash": "sha256-QaMEhcnscfF2MqB7flZr+sLJMMYZPnvqO4NYf9B4G38=",
         "owner": "nix-community",
         "repo": "nixos-generators",
-        "rev": "507911df8c35939050ae324caccc7cf4ffb76565",
+        "rev": "42ee229088490e3777ed7d1162cb9e9d8c3dbb11",
         "type": "github"
       },
       "original": {
@@ -66,11 +66,11 @@
     },
     "nixpkgs_2": {
       "locked": {
-        "lastModified": 1741969460,
-        "narHash": "sha256-SCNxTTBfMJV7XuTcLUfdAd6cgCGsazzi+DoPrceQrZ0=",
+        "lastModified": 1744568866,
+        "narHash": "sha256-9I7fRg0vp1oGagbkUszgP6zPjG18qY1HQtdvkJwp5Jo=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "68612419aa6c9fd5b178b81e6fabbdf46d300ea4",
+        "rev": "260f6989b03d130d64d521445892dd47f8ea545a",
         "type": "github"
       },
       "original": {
@@ -95,11 +95,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1741861888,
-        "narHash": "sha256-ynOgXAyToeE1UdLNfrUn/hL7MN0OpIS2BtNdLjpjPf0=",
+        "lastModified": 1744518500,
+        "narHash": "sha256-lv52pnfiRGp5+xkZEgWr56DWiRgkMFXpiGba3eJ3krE=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "d016ce0365b87d848a57c12ffcfdc71da7a2b55f",
+        "rev": "7e147a1ae90f0d4a374938cdc3df3cdaecb9d388",
         "type": "github"
       },
       "original": {

From e61fbec5efd76e393f5b06c24c3ab1bfadf33759 Mon Sep 17 00:00:00 2001
From: c6ristian <c6ristian@christian.moe>
Date: Mon, 14 Apr 2025 21:28:59 +0200
Subject: [PATCH 153/170] flake.lock: Update
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Flake lock file updates:

• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/260f6989b03d130d64d521445892dd47f8ea545a' (2025-04-13)
  → 'github:nixos/nixpkgs/26d499fc9f1d567283d5d56fcf367edd815dba1d' (2025-04-12)
---
 flake.lock | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/flake.lock b/flake.lock
index 214f589..3e957bb 100644
--- a/flake.lock
+++ b/flake.lock
@@ -66,16 +66,16 @@
     },
     "nixpkgs_2": {
       "locked": {
-        "lastModified": 1744568866,
-        "narHash": "sha256-9I7fRg0vp1oGagbkUszgP6zPjG18qY1HQtdvkJwp5Jo=",
+        "lastModified": 1744440957,
+        "narHash": "sha256-FHlSkNqFmPxPJvy+6fNLaNeWnF1lZSgqVCl/eWaJRc4=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "260f6989b03d130d64d521445892dd47f8ea545a",
+        "rev": "26d499fc9f1d567283d5d56fcf367edd815dba1d",
         "type": "github"
       },
       "original": {
         "owner": "nixos",
-        "ref": "nixos-24.11-small",
+        "ref": "nixos-24.11",
         "repo": "nixpkgs",
         "type": "github"
       }

From aee3f4b385a7e955268e9585f95b0e750ee00c88 Mon Sep 17 00:00:00 2001
From: c6ristian <c6ristian@christian.moe>
Date: Sat, 19 Apr 2025 15:01:59 +0200
Subject: [PATCH 154/170] c3cat fix

---
 config/hosts/public-web-static/virtualHosts/c3cat.de.nix | 8 ++++++++
 flake.lock                                               | 6 +++---
 flake.nix                                                | 2 +-
 3 files changed, 12 insertions(+), 4 deletions(-)

diff --git a/config/hosts/public-web-static/virtualHosts/c3cat.de.nix b/config/hosts/public-web-static/virtualHosts/c3cat.de.nix
index 91d3a40..ff59fab 100644
--- a/config/hosts/public-web-static/virtualHosts/c3cat.de.nix
+++ b/config/hosts/public-web-static/virtualHosts/c3cat.de.nix
@@ -40,6 +40,10 @@ in {
         return = "302 https://c3cat.de$request_uri";
       };
 
+      locations."/manuals/eh22-rgb-ears" = {
+        return = "307 https://www.c3cat.de/rgb-ears.html";
+      };
+
       extraConfig = ''
         # Make use of the ngx_http_realip_module to set the $remote_addr and
         # $remote_port to the client address and client port, when using proxy
@@ -67,6 +71,10 @@ in {
 
       root = "${dataDir}";
 
+      locations."/manuals/eh22-rgb-ears" = {
+        return = "307 https://c3cat.de/rgb-ears.html";
+      };
+
       extraConfig = ''
         # Make use of the ngx_http_realip_module to set the $remote_addr and
         # $remote_port to the client address and client port, when using proxy
diff --git a/flake.lock b/flake.lock
index 3e957bb..00e5e12 100644
--- a/flake.lock
+++ b/flake.lock
@@ -95,11 +95,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1744518500,
-        "narHash": "sha256-lv52pnfiRGp5+xkZEgWr56DWiRgkMFXpiGba3eJ3krE=",
+        "lastModified": 1744669848,
+        "narHash": "sha256-pXyanHLUzLNd3MX9vsWG+6Z2hTU8niyphWstYEP3/GU=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "7e147a1ae90f0d4a374938cdc3df3cdaecb9d388",
+        "rev": "61154300d945f0b147b30d24ddcafa159148026a",
         "type": "github"
       },
       "original": {
diff --git a/flake.nix b/flake.nix
index d7bda34..2c34373 100644
--- a/flake.nix
+++ b/flake.nix
@@ -5,7 +5,7 @@
     # Use the NixOS small channels for nixpkgs.
     # https://nixos.org/manual/nixos/stable/#sec-upgrading
     # https://github.com/NixOS/nixpkgs
-    nixpkgs.url = "github:nixos/nixpkgs/nixos-24.11-small";
+    nixpkgs.url = "github:nixos/nixpkgs/nixos-24.11";
 
     # Add nixos-generators as an input.
     # See here: https://github.com/nix-community/nixos-generators#using-in-a-flake

From 2c3b7854891e6e940c7eacfc83e5a759aa368af3 Mon Sep 17 00:00:00 2001
From: June <june@jsts.xyz>
Date: Wed, 23 Apr 2025 19:04:21 +0200
Subject: [PATCH 155/170] flake.lock: Update
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Flake lock file updates:

• Updated input 'authorizedKeysRepo':
    'https://git.hamburg.ccc.de/api/v1/repos/CCCHH/infrastructure-authorized-keys/archive/686a6af22f6696f0c0595c56f463c078550049fc.tar.gz?narHash=sha256-plTYjM6zPzoBE/dp6EUrk9mCqmab278p8FqBCTX8Grc%3D&rev=686a6af22f6696f0c0595c56f463c078550049fc' (2024-11-10)
  → 'https://git.hamburg.ccc.de/api/v1/repos/CCCHH/infrastructure-authorized-keys/archive/686a6af22f6696f0c0595c56f463c078550049fc.tar.gz?narHash=sha256-plTYjM6zPzoBE/dp6EUrk9mCqmab278p8FqBCTX8Grc%3D' (2024-11-10)
• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/26d499fc9f1d567283d5d56fcf367edd815dba1d?narHash=sha256-FHlSkNqFmPxPJvy%2B6fNLaNeWnF1lZSgqVCl/eWaJRc4%3D' (2025-04-12)
  → 'github:nixos/nixpkgs/9684b53175fc6c09581e94cc85f05ab77464c7e3?narHash=sha256-AQ7M9wTa/Pa/kK5pcGTgX/DGqMHyzsyINfN7ktsI7Fo%3D' (2025-04-21)
• Updated input 'sops-nix':
    'github:Mic92/sops-nix/61154300d945f0b147b30d24ddcafa159148026a?narHash=sha256-pXyanHLUzLNd3MX9vsWG%2B6Z2hTU8niyphWstYEP3/GU%3D' (2025-04-14)
  → 'github:Mic92/sops-nix/5e3e92b16d6fdf9923425a8d4df7496b2434f39c?narHash=sha256-ePyTpKEJTgX0gvgNQWd7tQYQ3glIkbqcW778RpHlqgA%3D' (2025-04-22)
---
 flake.lock | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/flake.lock b/flake.lock
index 00e5e12..7591512 100644
--- a/flake.lock
+++ b/flake.lock
@@ -7,7 +7,7 @@
         "narHash": "sha256-plTYjM6zPzoBE/dp6EUrk9mCqmab278p8FqBCTX8Grc=",
         "rev": "686a6af22f6696f0c0595c56f463c078550049fc",
         "type": "tarball",
-        "url": "https://git.hamburg.ccc.de/api/v1/repos/CCCHH/infrastructure-authorized-keys/archive/686a6af22f6696f0c0595c56f463c078550049fc.tar.gz?rev=686a6af22f6696f0c0595c56f463c078550049fc"
+        "url": "https://git.hamburg.ccc.de/api/v1/repos/CCCHH/infrastructure-authorized-keys/archive/686a6af22f6696f0c0595c56f463c078550049fc.tar.gz"
       },
       "original": {
         "type": "tarball",
@@ -66,11 +66,11 @@
     },
     "nixpkgs_2": {
       "locked": {
-        "lastModified": 1744440957,
-        "narHash": "sha256-FHlSkNqFmPxPJvy+6fNLaNeWnF1lZSgqVCl/eWaJRc4=",
+        "lastModified": 1745279238,
+        "narHash": "sha256-AQ7M9wTa/Pa/kK5pcGTgX/DGqMHyzsyINfN7ktsI7Fo=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "26d499fc9f1d567283d5d56fcf367edd815dba1d",
+        "rev": "9684b53175fc6c09581e94cc85f05ab77464c7e3",
         "type": "github"
       },
       "original": {
@@ -95,11 +95,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1744669848,
-        "narHash": "sha256-pXyanHLUzLNd3MX9vsWG+6Z2hTU8niyphWstYEP3/GU=",
+        "lastModified": 1745310711,
+        "narHash": "sha256-ePyTpKEJTgX0gvgNQWd7tQYQ3glIkbqcW778RpHlqgA=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "61154300d945f0b147b30d24ddcafa159148026a",
+        "rev": "5e3e92b16d6fdf9923425a8d4df7496b2434f39c",
         "type": "github"
       },
       "original": {

From 2395748e7a0ab46910c98d62e8297ad51bc628e9 Mon Sep 17 00:00:00 2001
From: June <june@jsts.xyz>
Date: Mon, 28 Apr 2025 20:50:42 +0200
Subject: [PATCH 156/170] esphome: set new v6 address

---
 config/hosts/esphome/networking.nix | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/config/hosts/esphome/networking.nix b/config/hosts/esphome/networking.nix
index 32c38f2..8a84112 100644
--- a/config/hosts/esphome/networking.nix
+++ b/config/hosts/esphome/networking.nix
@@ -11,14 +11,14 @@
       ];
       ipv6.addresses = [
         {
-          address = "2a07:c481:1:2::66";
+          address = "2a07:c481:1:d0::66";
           prefixLength = 64;
         }
       ];
     };
     defaultGateway = "10.31.208.1";
-    defaultGateway6 = "2a07:c481:1:2::66";
-    nameservers = [ "10.31.208.1" "2a07:c481:1:2::66" ];
+    defaultGateway6 = "2a07:c481:1:d0::1";
+    nameservers = [ "10.31.208.1" "2a07:c481:1:d0::1" ];
     search = [ "z9.ccchh.net" ];
   };
 

From f2a174750777b40dc55803f0f06853b1472ab1ff Mon Sep 17 00:00:00 2001
From: June <june@jsts.xyz>
Date: Mon, 28 Apr 2025 21:46:00 +0200
Subject: [PATCH 157/170] status: set new v6 address

---
 config/hosts/status/networking.nix | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/config/hosts/status/networking.nix b/config/hosts/status/networking.nix
index 0a16795..0bff4b5 100644
--- a/config/hosts/status/networking.nix
+++ b/config/hosts/status/networking.nix
@@ -11,14 +11,14 @@
       ];
       ipv6.addresses = [
         {
-          address = "2a07:c481:1:1::a";
+          address = "2a07:c481:1:ce::a";
           prefixLength = 64;
         }
       ];
     };
     defaultGateway = "10.31.206.1";
-    defaultGateway6 = "2a07:c481:1:1::1";
-    nameservers = [ "10.31.206.1" "2a07:c481:1:1::1" ];
+    defaultGateway6 = "2a07:c481:1:ce::1";
+    nameservers = [ "10.31.206.1" "2a07:c481:1:ce::1" ];
     search = [ "z9.ccchh.net" ];
   };
 

From 3803d6038e7d044a4ea50d72772e188e9f374318 Mon Sep 17 00:00:00 2001
From: c6ristian <c6ristian@christian.moe>
Date: Tue, 20 May 2025 19:39:46 +0200
Subject: [PATCH 158/170] flake.lock: Update
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Flake lock file updates:

• Updated input 'authorizedKeysRepo':
    'https://git.hamburg.ccc.de/api/v1/repos/CCCHH/infrastructure-authorized-keys/archive/686a6af22f6696f0c0595c56f463c078550049fc.tar.gz?narHash=sha256-plTYjM6zPzoBE/dp6EUrk9mCqmab278p8FqBCTX8Grc%3D' (2024-11-10)
  → 'https://git.hamburg.ccc.de/api/v1/repos/CCCHH/infrastructure-authorized-keys/archive/fc95460e9e6ae759b2b08c93b10a8e010e9e14e6.tar.gz?narHash=sha256-GMU6gfG1%2B3OjTuoiIYQg9yefzrz%2BRVVesqXa8jmOuCE%3D&rev=fc95460e9e6ae759b2b08c93b10a8e010e9e14e6' (2025-04-28)
• Updated input 'nixos-generators':
    'github:nix-community/nixos-generators/42ee229088490e3777ed7d1162cb9e9d8c3dbb11' (2025-03-21)
  → 'github:nix-community/nixos-generators/ee07ba0d36c38e9915c55d2ac5a8fb0f05f2afcc' (2025-05-19)
• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/9684b53175fc6c09581e94cc85f05ab77464c7e3' (2025-04-21)
  → 'github:nixos/nixpkgs/9b5ac7ad45298d58640540d0323ca217f32a6762' (2025-05-17)
• Updated input 'sops-nix':
    'github:Mic92/sops-nix/5e3e92b16d6fdf9923425a8d4df7496b2434f39c' (2025-04-22)
  → 'github:Mic92/sops-nix/8d215e1c981be3aa37e47aeabd4e61bb069548fd' (2025-05-18)
---
 flake.lock | 28 ++++++++++++++--------------
 flake.nix  |  2 +-
 2 files changed, 15 insertions(+), 15 deletions(-)

diff --git a/flake.lock b/flake.lock
index 7591512..57a29de 100644
--- a/flake.lock
+++ b/flake.lock
@@ -3,15 +3,15 @@
     "authorizedKeysRepo": {
       "flake": false,
       "locked": {
-        "lastModified": 1731276342,
-        "narHash": "sha256-plTYjM6zPzoBE/dp6EUrk9mCqmab278p8FqBCTX8Grc=",
-        "rev": "686a6af22f6696f0c0595c56f463c078550049fc",
+        "lastModified": 1745870473,
+        "narHash": "sha256-GMU6gfG1+3OjTuoiIYQg9yefzrz+RVVesqXa8jmOuCE=",
+        "rev": "fc95460e9e6ae759b2b08c93b10a8e010e9e14e6",
         "type": "tarball",
-        "url": "https://git.hamburg.ccc.de/api/v1/repos/CCCHH/infrastructure-authorized-keys/archive/686a6af22f6696f0c0595c56f463c078550049fc.tar.gz"
+        "url": "https://git.hamburg.ccc.de/api/v1/repos/CCCHH/infrastructure-authorized-keys/archive/fc95460e9e6ae759b2b08c93b10a8e010e9e14e6.tar.gz?rev=fc95460e9e6ae759b2b08c93b10a8e010e9e14e6"
       },
       "original": {
         "type": "tarball",
-        "url": "https://git.hamburg.ccc.de/CCCHH/infrastructure-authorized-keys/archive/686a6af22f6696f0c0595c56f463c078550049fc.tar.gz"
+        "url": "https://git.hamburg.ccc.de/CCCHH/infrastructure-authorized-keys/archive/fc95460e9e6ae759b2b08c93b10a8e010e9e14e6.tar.gz"
       }
     },
     "nixlib": {
@@ -35,11 +35,11 @@
         "nixpkgs": "nixpkgs"
       },
       "locked": {
-        "lastModified": 1742568034,
-        "narHash": "sha256-QaMEhcnscfF2MqB7flZr+sLJMMYZPnvqO4NYf9B4G38=",
+        "lastModified": 1747663185,
+        "narHash": "sha256-Obh50J+O9jhUM/FgXtI3he/QRNiV9+J53+l+RlKSaAk=",
         "owner": "nix-community",
         "repo": "nixos-generators",
-        "rev": "42ee229088490e3777ed7d1162cb9e9d8c3dbb11",
+        "rev": "ee07ba0d36c38e9915c55d2ac5a8fb0f05f2afcc",
         "type": "github"
       },
       "original": {
@@ -66,11 +66,11 @@
     },
     "nixpkgs_2": {
       "locked": {
-        "lastModified": 1745279238,
-        "narHash": "sha256-AQ7M9wTa/Pa/kK5pcGTgX/DGqMHyzsyINfN7ktsI7Fo=",
+        "lastModified": 1747485343,
+        "narHash": "sha256-YbsZyuRE1tobO9sv0PUwg81QryYo3L1F3R3rF9bcG38=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "9684b53175fc6c09581e94cc85f05ab77464c7e3",
+        "rev": "9b5ac7ad45298d58640540d0323ca217f32a6762",
         "type": "github"
       },
       "original": {
@@ -95,11 +95,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1745310711,
-        "narHash": "sha256-ePyTpKEJTgX0gvgNQWd7tQYQ3glIkbqcW778RpHlqgA=",
+        "lastModified": 1747603214,
+        "narHash": "sha256-lAblXm0VwifYCJ/ILPXJwlz0qNY07DDYdLD+9H+Wc8o=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "5e3e92b16d6fdf9923425a8d4df7496b2434f39c",
+        "rev": "8d215e1c981be3aa37e47aeabd4e61bb069548fd",
         "type": "github"
       },
       "original": {
diff --git a/flake.nix b/flake.nix
index 2c34373..a95ee8e 100644
--- a/flake.nix
+++ b/flake.nix
@@ -22,7 +22,7 @@
     };
 
     authorizedKeysRepo = {
-      url = "https://git.hamburg.ccc.de/CCCHH/infrastructure-authorized-keys/archive/686a6af22f6696f0c0595c56f463c078550049fc.tar.gz";
+      url = "https://git.hamburg.ccc.de/CCCHH/infrastructure-authorized-keys/archive/fc95460e9e6ae759b2b08c93b10a8e010e9e14e6.tar.gz";
       flake = false;
     };
   };

From bb9653657e59fb664d3f6f0807f8227f353843c7 Mon Sep 17 00:00:00 2001
From: c6ristian <c6ristian@christian.moe>
Date: Mon, 2 Jun 2025 19:43:15 +0200
Subject: [PATCH 159/170] flake.lock: Update
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Flake lock file updates:

• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/9b5ac7ad45298d58640540d0323ca217f32a6762' (2025-05-17)
  → 'github:nixos/nixpkgs/78add7b7abb61689e34fc23070a8f55e1d26185b' (2025-05-28)
• Added input 'nixpkgs-25-05':
    'github:nixos/nixpkgs/a59eb7800787c926045d51b70982ae285faa2346' (2025-05-31)
---
 flake.lock | 25 +++++++++++++++++++++----
 1 file changed, 21 insertions(+), 4 deletions(-)

diff --git a/flake.lock b/flake.lock
index 57a29de..c3f607b 100644
--- a/flake.lock
+++ b/flake.lock
@@ -64,13 +64,29 @@
         "type": "github"
       }
     },
-    "nixpkgs_2": {
+    "nixpkgs-25-05": {
       "locked": {
-        "lastModified": 1747485343,
-        "narHash": "sha256-YbsZyuRE1tobO9sv0PUwg81QryYo3L1F3R3rF9bcG38=",
+        "lastModified": 1748708770,
+        "narHash": "sha256-q8jG2HJWgooWa9H0iatZqBPF3bp0504e05MevFmnFLY=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "9b5ac7ad45298d58640540d0323ca217f32a6762",
+        "rev": "a59eb7800787c926045d51b70982ae285faa2346",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nixos",
+        "ref": "nixos-25.05",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs_2": {
+      "locked": {
+        "lastModified": 1748421225,
+        "narHash": "sha256-XXILOc80tvlvEQgYpYFnze8MkQQmp3eQxFbTzb3m/R0=",
+        "owner": "nixos",
+        "repo": "nixpkgs",
+        "rev": "78add7b7abb61689e34fc23070a8f55e1d26185b",
         "type": "github"
       },
       "original": {
@@ -85,6 +101,7 @@
         "authorizedKeysRepo": "authorizedKeysRepo",
         "nixos-generators": "nixos-generators",
         "nixpkgs": "nixpkgs_2",
+        "nixpkgs-25-05": "nixpkgs-25-05",
         "sops-nix": "sops-nix"
       }
     },

From 8440b4e1ea3b8a1f6b2292e74c410ca1c5411bba Mon Sep 17 00:00:00 2001
From: c6ristian <c6ristian@christian.moe>
Date: Mon, 2 Jun 2025 19:45:08 +0200
Subject: [PATCH 160/170] woodpecker nixos25.05

---
 flake.nix | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/flake.nix b/flake.nix
index a95ee8e..728fb5e 100644
--- a/flake.nix
+++ b/flake.nix
@@ -7,6 +7,8 @@
     # https://github.com/NixOS/nixpkgs
     nixpkgs.url = "github:nixos/nixpkgs/nixos-24.11";
 
+    nixpkgs-25-05.url = "github:nixos/nixpkgs/nixos-25.05";
+
     # Add nixos-generators as an input.
     # See here: https://github.com/nix-community/nixos-generators#using-in-a-flake
     nixos-generators = {
@@ -27,7 +29,7 @@
     };
   };
 
-  outputs = { self, nixpkgs, nixos-generators, sops-nix, authorizedKeysRepo, ... }:
+  outputs = { self, nixpkgs, nixpkgs-25-05, nixos-generators, sops-nix, authorizedKeysRepo, ... }:
     let
       specialArgs = {
         inherit authorizedKeysRepo;
@@ -160,7 +162,7 @@
           ];
         };
 
-        woodpecker = nixpkgs.lib.nixosSystem {
+        woodpecker = nixpkgs-25-05.lib.nixosSystem {
           inherit system specialArgs;
           modules = [
             self.nixosModules.common

From 2fda28ca5dce464d806019b7bb6e1fb238668a7c Mon Sep 17 00:00:00 2001
From: June <june@jsts.xyz>
Date: Sat, 14 Jun 2025 17:32:27 +0200
Subject: [PATCH 161/170] Upgrade to NixOS 25.05

---
 flake.lock | 25 ++++---------------------
 flake.nix  |  8 +++-----
 2 files changed, 7 insertions(+), 26 deletions(-)

diff --git a/flake.lock b/flake.lock
index c3f607b..d8bfc27 100644
--- a/flake.lock
+++ b/flake.lock
@@ -64,13 +64,13 @@
         "type": "github"
       }
     },
-    "nixpkgs-25-05": {
+    "nixpkgs_2": {
       "locked": {
-        "lastModified": 1748708770,
-        "narHash": "sha256-q8jG2HJWgooWa9H0iatZqBPF3bp0504e05MevFmnFLY=",
+        "lastModified": 1749727998,
+        "narHash": "sha256-mHv/yeUbmL91/TvV95p+mBVahm9mdQMJoqaTVTALaFw=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "a59eb7800787c926045d51b70982ae285faa2346",
+        "rev": "fd487183437963a59ba763c0cc4f27e3447dd6dd",
         "type": "github"
       },
       "original": {
@@ -80,28 +80,11 @@
         "type": "github"
       }
     },
-    "nixpkgs_2": {
-      "locked": {
-        "lastModified": 1748421225,
-        "narHash": "sha256-XXILOc80tvlvEQgYpYFnze8MkQQmp3eQxFbTzb3m/R0=",
-        "owner": "nixos",
-        "repo": "nixpkgs",
-        "rev": "78add7b7abb61689e34fc23070a8f55e1d26185b",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nixos",
-        "ref": "nixos-24.11",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
-    },
     "root": {
       "inputs": {
         "authorizedKeysRepo": "authorizedKeysRepo",
         "nixos-generators": "nixos-generators",
         "nixpkgs": "nixpkgs_2",
-        "nixpkgs-25-05": "nixpkgs-25-05",
         "sops-nix": "sops-nix"
       }
     },
diff --git a/flake.nix b/flake.nix
index 728fb5e..53bf4ca 100644
--- a/flake.nix
+++ b/flake.nix
@@ -5,9 +5,7 @@
     # Use the NixOS small channels for nixpkgs.
     # https://nixos.org/manual/nixos/stable/#sec-upgrading
     # https://github.com/NixOS/nixpkgs
-    nixpkgs.url = "github:nixos/nixpkgs/nixos-24.11";
-
-    nixpkgs-25-05.url = "github:nixos/nixpkgs/nixos-25.05";
+    nixpkgs.url = "github:nixos/nixpkgs/nixos-25.05";
 
     # Add nixos-generators as an input.
     # See here: https://github.com/nix-community/nixos-generators#using-in-a-flake
@@ -29,7 +27,7 @@
     };
   };
 
-  outputs = { self, nixpkgs, nixpkgs-25-05, nixos-generators, sops-nix, authorizedKeysRepo, ... }:
+  outputs = { self, nixpkgs, nixos-generators, sops-nix, authorizedKeysRepo, ... }:
     let
       specialArgs = {
         inherit authorizedKeysRepo;
@@ -162,7 +160,7 @@
           ];
         };
 
-        woodpecker = nixpkgs-25-05.lib.nixosSystem {
+        woodpecker = nixpkgs.lib.nixosSystem {
           inherit system specialArgs;
           modules = [
             self.nixosModules.common

From 7d7e45750f419098ce5673454d8bea09a8130f0c Mon Sep 17 00:00:00 2001
From: c6ristian <c6ristian@christian.moe>
Date: Tue, 24 Jun 2025 22:36:36 +0200
Subject: [PATCH 162/170] flake.lock: Update
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Flake lock file updates:

• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/fd487183437963a59ba763c0cc4f27e3447dd6dd' (2025-06-12)
  → 'github:nixos/nixpkgs/c7ab75210cb8cb16ddd8f290755d9558edde7ee1' (2025-06-22)
• Updated input 'sops-nix':
    'github:Mic92/sops-nix/8d215e1c981be3aa37e47aeabd4e61bb069548fd' (2025-05-18)
  → 'github:Mic92/sops-nix/77c423a03b9b2b79709ea2cb63336312e78b72e2' (2025-06-17)
---
 flake.lock | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/flake.lock b/flake.lock
index d8bfc27..d14aa58 100644
--- a/flake.lock
+++ b/flake.lock
@@ -66,11 +66,11 @@
     },
     "nixpkgs_2": {
       "locked": {
-        "lastModified": 1749727998,
-        "narHash": "sha256-mHv/yeUbmL91/TvV95p+mBVahm9mdQMJoqaTVTALaFw=",
+        "lastModified": 1750622754,
+        "narHash": "sha256-kMhs+YzV4vPGfuTpD3mwzibWUE6jotw5Al2wczI0Pv8=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "fd487183437963a59ba763c0cc4f27e3447dd6dd",
+        "rev": "c7ab75210cb8cb16ddd8f290755d9558edde7ee1",
         "type": "github"
       },
       "original": {
@@ -95,11 +95,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1747603214,
-        "narHash": "sha256-lAblXm0VwifYCJ/ILPXJwlz0qNY07DDYdLD+9H+Wc8o=",
+        "lastModified": 1750119275,
+        "narHash": "sha256-Rr7Pooz9zQbhdVxux16h7URa6mA80Pb/G07T4lHvh0M=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "8d215e1c981be3aa37e47aeabd4e61bb069548fd",
+        "rev": "77c423a03b9b2b79709ea2cb63336312e78b72e2",
         "type": "github"
       },
       "original": {

From f541a5dd6aaabffc94f22bce00f532ea339f985c Mon Sep 17 00:00:00 2001
From: c6ristian <c6ristian@christian.moe>
Date: Fri, 18 Jul 2025 21:33:30 +0200
Subject: [PATCH 163/170] flake.lock: Update
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Flake lock file updates:

• Updated input 'nixos-generators':
    'github:nix-community/nixos-generators/ee07ba0d36c38e9915c55d2ac5a8fb0f05f2afcc' (2025-05-19)
  → 'github:nix-community/nixos-generators/032decf9db65efed428afd2fa39d80f7089085eb' (2025-07-07)
• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/c7ab75210cb8cb16ddd8f290755d9558edde7ee1' (2025-06-22)
  → 'github:nixos/nixpkgs/32a4e87942101f1c9f9865e04dc3ddb175f5f32e' (2025-07-15)
• Updated input 'sops-nix':
    'github:Mic92/sops-nix/77c423a03b9b2b79709ea2cb63336312e78b72e2' (2025-06-17)
  → 'github:Mic92/sops-nix/2c8def626f54708a9c38a5861866660395bb3461' (2025-07-15)
---
 flake.lock | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/flake.lock b/flake.lock
index d14aa58..2ab41bb 100644
--- a/flake.lock
+++ b/flake.lock
@@ -35,11 +35,11 @@
         "nixpkgs": "nixpkgs"
       },
       "locked": {
-        "lastModified": 1747663185,
-        "narHash": "sha256-Obh50J+O9jhUM/FgXtI3he/QRNiV9+J53+l+RlKSaAk=",
+        "lastModified": 1751903740,
+        "narHash": "sha256-PeSkNMvkpEvts+9DjFiop1iT2JuBpyknmBUs0Un0a4I=",
         "owner": "nix-community",
         "repo": "nixos-generators",
-        "rev": "ee07ba0d36c38e9915c55d2ac5a8fb0f05f2afcc",
+        "rev": "032decf9db65efed428afd2fa39d80f7089085eb",
         "type": "github"
       },
       "original": {
@@ -66,11 +66,11 @@
     },
     "nixpkgs_2": {
       "locked": {
-        "lastModified": 1750622754,
-        "narHash": "sha256-kMhs+YzV4vPGfuTpD3mwzibWUE6jotw5Al2wczI0Pv8=",
+        "lastModified": 1752620740,
+        "narHash": "sha256-f3pO+9lg66mV7IMmmIqG4PL3223TYMlnlw+pnpelbss=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "c7ab75210cb8cb16ddd8f290755d9558edde7ee1",
+        "rev": "32a4e87942101f1c9f9865e04dc3ddb175f5f32e",
         "type": "github"
       },
       "original": {
@@ -95,11 +95,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1750119275,
-        "narHash": "sha256-Rr7Pooz9zQbhdVxux16h7URa6mA80Pb/G07T4lHvh0M=",
+        "lastModified": 1752544651,
+        "narHash": "sha256-GllP7cmQu7zLZTs9z0J2gIL42IZHa9CBEXwBY9szT0U=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "77c423a03b9b2b79709ea2cb63336312e78b72e2",
+        "rev": "2c8def626f54708a9c38a5861866660395bb3461",
         "type": "github"
       },
       "original": {

From 0383e604a42d9f03a4270c84e6da4b7ad5689aaa Mon Sep 17 00:00:00 2001
From: c6ristian <c6ristian@christian.moe>
Date: Sat, 19 Jul 2025 20:59:07 +0200
Subject: [PATCH 164/170] element update

---
 .../public-web-static/virtualHosts/element.hamburg.ccc.de.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/config/hosts/public-web-static/virtualHosts/element.hamburg.ccc.de.nix b/config/hosts/public-web-static/virtualHosts/element.hamburg.ccc.de.nix
index 3c85954..d0da920 100644
--- a/config/hosts/public-web-static/virtualHosts/element.hamburg.ccc.de.nix
+++ b/config/hosts/public-web-static/virtualHosts/element.hamburg.ccc.de.nix
@@ -1,10 +1,10 @@
 { pkgs, ... }:
 
 let
-  elementWebVersion = "1.11.95";
+  elementWebVersion = "1.11.106";
   element-web = pkgs.fetchzip {
     url = "https://github.com/element-hq/element-web/releases/download/v${elementWebVersion}/element-v${elementWebVersion}.tar.gz";
-    sha256 = "sha256-Bs1oYfJ5xXNpQJL92U0/3s979DKfdSZsBo5febp4QGc=";
+    sha256 = "sha256-5E6za7G7Olia5VzOnBjYMeGJ2Xifqx+vDmCFgNLaRZo=";
   };
   elementSecurityHeaders = ''
     # Configuration best practices

From a0d0d24d91dfad6c33f286f43785778a801c1a1c Mon Sep 17 00:00:00 2001
From: c6ristian <c6ristian@christian.moe>
Date: Sun, 20 Jul 2025 20:35:02 +0200
Subject: [PATCH 165/170] sops updatekeys junes new key

---
 .sops.yaml | 11 +----------
 1 file changed, 1 insertion(+), 10 deletions(-)

diff --git a/.sops.yaml b/.sops.yaml
index 9a6ae2d..cc9178f 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -3,7 +3,7 @@ keys:
   - &admin_gpg_stb F155144FC925A1BEA1F8A2C59A2A4CD59BFDC5EC
   - &admin_gpg_jtbx 18DFCE01456DAB52EA38A6584EDC64F35FA1D6A5
   - &admin_gpg_yuri 87AB00D45D37C9E9167B5A5A333448678B60E505
-  - &admin_gpg_june 91213ABAA73B0B73D3C02B5B4E5F372D17BBE67C
+  - &admin_gpg_june 057870A2C72CD82566A3EC983695F4FCBCAE4912
   - &admin_gpg_haegar F38C9D4228FC6F674E322D9C3326D914EB9B8F55
   - &admin_gpg_dario 5DA93D5C9D7320E1BD3522C79C78172B3551C9FD
   - &admin_gpg_echtnurich 8996B62CBD159DCADD3B6DC08BB33A8ABCF7BC4A
@@ -32,7 +32,6 @@ creation_rules:
           - *admin_gpg_echtnurich
           - *admin_gpg_max
           - *admin_gpg_c6ristian
-          - *admin_gpg_dante
         age:
           - *host_age_git
   - path_regex: config/hosts/forgejo-actions-runner/.*
@@ -48,7 +47,6 @@ creation_rules:
           - *admin_gpg_echtnurich
           - *admin_gpg_max
           - *admin_gpg_c6ristian
-          - *admin_gpg_dante
         age:
           - *host_age_forgejo_actions_runner
   - path_regex: config/hosts/matrix/.*
@@ -64,7 +62,6 @@ creation_rules:
           - *admin_gpg_echtnurich
           - *admin_gpg_max
           - *admin_gpg_c6ristian
-          - *admin_gpg_dante
         age:
           - *host_age_matrix
   - path_regex: config/hosts/public-web-static/.*
@@ -80,7 +77,6 @@ creation_rules:
           - *admin_gpg_echtnurich
           - *admin_gpg_max
           - *admin_gpg_c6ristian
-          - *admin_gpg_dante
         age:
           - *host_age_public_web_static
   - path_regex: config/hosts/mjolnir/.*
@@ -96,7 +92,6 @@ creation_rules:
           - *admin_gpg_echtnurich
           - *admin_gpg_max
           - *admin_gpg_c6ristian
-          - *admin_gpg_dante
         age:
           - *host_age_mjolnir
   - path_regex: config/hosts/woodpecker/.*
@@ -112,7 +107,6 @@ creation_rules:
           - *admin_gpg_echtnurich
           - *admin_gpg_max
           - *admin_gpg_c6ristian
-          - *admin_gpg_dante
         age:
           - *host_age_woodpecker
   - path_regex: config/hosts/penpot/.*
@@ -128,7 +122,6 @@ creation_rules:
           - *admin_gpg_echtnurich
           - *admin_gpg_max
           - *admin_gpg_c6ristian
-          - *admin_gpg_dante
         age:
           - *host_age_penpot
   - path_regex: config/hosts/yate/.*
@@ -144,7 +137,6 @@ creation_rules:
           - *admin_gpg_echtnurich
           - *admin_gpg_max
           - *admin_gpg_c6ristian
-          - *admin_gpg_dante
         age:
           - *host_age_yate
   - key_groups:
@@ -159,7 +151,6 @@ creation_rules:
           - *admin_gpg_echtnurich
           - *admin_gpg_max
           - *admin_gpg_c6ristian
-          - *admin_gpg_dante
 stores:
   yaml:
     indent: 2

From 44c1b795979ae71710a2c202cb97af2f4720df5b Mon Sep 17 00:00:00 2001
From: June <june@jsts.xyz>
Date: Wed, 23 Jul 2025 20:53:55 +0200
Subject: [PATCH 166/170] Add cryptoparty-hamburg.de static web host and a
 staging environment

Also redirect cryptoparty.hamburg.ccc.de there.
---
 .../virtualHosts/cryptoparty-hamburg.de.nix   | 97 +++++++++++++++++++
 .../virtualHosts/default.nix                  |  2 +
 .../staging.cryptoparty-hamburg.de.nix        | 94 ++++++++++++++++++
 3 files changed, 193 insertions(+)
 create mode 100644 config/hosts/public-web-static/virtualHosts/cryptoparty-hamburg.de.nix
 create mode 100644 config/hosts/public-web-static/virtualHosts/staging.cryptoparty-hamburg.de.nix

diff --git a/config/hosts/public-web-static/virtualHosts/cryptoparty-hamburg.de.nix b/config/hosts/public-web-static/virtualHosts/cryptoparty-hamburg.de.nix
new file mode 100644
index 0000000..37d95b9
--- /dev/null
+++ b/config/hosts/public-web-static/virtualHosts/cryptoparty-hamburg.de.nix
@@ -0,0 +1,97 @@
+{ ... }:
+
+let
+  domain = "cryptoparty-hamburg.de";
+  dataDir = "/var/www/${domain}";
+  deployUser = "cryptoparty-website-deploy";
+in
+{
+  security.acme.certs."${domain}".extraDomainNames = [
+    "cryptoparty.hamburg.ccc.de"
+  ];
+
+  services.nginx.virtualHosts = {
+    "acme-${domain}" = {
+      enableACME = true;
+      serverName = "${domain}";
+
+      listen = [
+        {
+          addr = "0.0.0.0";
+          port = 31820;
+        }
+      ];
+    };
+
+    "cryptoparty.hamburg.ccc.de" = {
+      forceSSL = true;
+      useACMEHost = "${domain}";
+
+      listen = [
+        {
+          addr = "0.0.0.0";
+          port = 8443;
+          ssl = true;
+          proxyProtocol = true;
+        }
+      ];
+
+      locations."/".return = "302 https://${domain}$request_uri";
+
+      extraConfig = ''
+        # Make use of the ngx_http_realip_module to set the $remote_addr and
+        # $remote_port to the client address and client port, when using proxy
+        # protocol.
+        # First set our proxy protocol proxy as trusted.
+        set_real_ip_from 172.31.17.140;
+        # Then tell the realip_module to get the addreses from the proxy protocol
+        # header.
+        real_ip_header proxy_protocol;
+      '';
+    };
+
+    "${domain}" = {
+      forceSSL = true;
+      useACMEHost = "${domain}";
+
+      listen = [
+        {
+          addr = "0.0.0.0";
+          port = 8443;
+          ssl = true;
+          proxyProtocol = true;
+        }
+      ];
+
+      root = "${dataDir}";
+
+      extraConfig = ''
+        # Make use of the ngx_http_realip_module to set the $remote_addr and
+        # $remote_port to the client address and client port, when using proxy
+        # protocol.
+        # First set our proxy protocol proxy as trusted.
+        set_real_ip_from 172.31.17.140;
+        # Then tell the realip_module to get the addreses from the proxy protocol
+        # header.
+        real_ip_header proxy_protocol;
+
+        error_page 404 /404.html;
+
+        port_in_redirect off;
+      '';
+    };
+  };
+
+  systemd.tmpfiles.rules = [
+    "d ${dataDir} 0755 ${deployUser} ${deployUser}"
+  ];
+
+  users.users."${deployUser}" = {
+    isNormalUser = true;
+    group = "${deployUser}";
+    openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICz+Lxi9scblM/SKJq4nl64UwvVn8SuF2xmzOuyQrzR+ deploy key for cryptoparty-hamburg.de"
+    ];
+  };
+  users.groups."${deployUser}" = { };
+}
diff --git a/config/hosts/public-web-static/virtualHosts/default.nix b/config/hosts/public-web-static/virtualHosts/default.nix
index c9d77ef..59e69e6 100644
--- a/config/hosts/public-web-static/virtualHosts/default.nix
+++ b/config/hosts/public-web-static/virtualHosts/default.nix
@@ -4,12 +4,14 @@
   imports = [
     ./branding-resources.hamburg.ccc.de.nix
     ./c3cat.de.nix
+    ./cryptoparty-hamburg.de.nix
     ./element.hamburg.ccc.de.nix
     ./hacker.tours.nix
     ./hackertours.hamburg.ccc.de.nix
     ./hamburg.ccc.de.nix
     ./spaceapi.hamburg.ccc.de.nix
     ./staging.c3cat.de.nix
+    ./staging.cryptoparty-hamburg.de.nix
     ./staging.hacker.tours.nix
     ./staging.hackertours.hamburg.ccc.de.nix
     ./staging.hamburg.ccc.de.nix
diff --git a/config/hosts/public-web-static/virtualHosts/staging.cryptoparty-hamburg.de.nix b/config/hosts/public-web-static/virtualHosts/staging.cryptoparty-hamburg.de.nix
new file mode 100644
index 0000000..6733dad
--- /dev/null
+++ b/config/hosts/public-web-static/virtualHosts/staging.cryptoparty-hamburg.de.nix
@@ -0,0 +1,94 @@
+{ ... }:
+
+let
+  domain = "staging.cryptoparty-hamburg.de";
+  dataDir = "/var/www/${domain}";
+  deployUser = "cryptoparty-website-deploy";
+in
+{
+  security.acme.certs."${domain}".extraDomainNames = [
+    "staging.cryptoparty.hamburg.ccc.de"
+  ];
+
+  services.nginx.virtualHosts = {
+    "acme-${domain}" = {
+      enableACME = true;
+      serverName = "${domain}";
+
+      listen = [
+        {
+          addr = "0.0.0.0";
+          port = 31820;
+        }
+      ];
+    };
+
+    "staging.cryptoparty.hamburg.ccc.de" = {
+      forceSSL = true;
+      useACMEHost = "${domain}";
+
+      listen = [
+        {
+          addr = "0.0.0.0";
+          port = 8443;
+          ssl = true;
+          proxyProtocol = true;
+        }
+      ];
+
+      locations."/".return = "302 https://${domain}$request_uri";
+
+      extraConfig = ''
+        # Make use of the ngx_http_realip_module to set the $remote_addr and
+        # $remote_port to the client address and client port, when using proxy
+        # protocol.
+        # First set our proxy protocol proxy as trusted.
+        set_real_ip_from 172.31.17.140;
+        # Then tell the realip_module to get the addreses from the proxy protocol
+        # header.
+        real_ip_header proxy_protocol;
+      '';
+    };
+
+    "${domain}" = {
+      forceSSL = true;
+      useACMEHost = "${domain}";
+
+      listen = [
+        {
+          addr = "0.0.0.0";
+          port = 8443;
+          ssl = true;
+          proxyProtocol = true;
+        }
+      ];
+
+      root = "${dataDir}";
+
+      # Disallow *, since this is staging and doesn't need to be in any search
+      # results.
+      locations."/robots.txt" = {
+        return = "200 \"User-agent: *\\nDisallow: *\\n\"";
+      };
+
+      extraConfig = ''
+        # Make use of the ngx_http_realip_module to set the $remote_addr and
+        # $remote_port to the client address and client port, when using proxy
+        # protocol.
+        # First set our proxy protocol proxy as trusted.
+        set_real_ip_from 172.31.17.140;
+        # Then tell the realip_module to get the addreses from the proxy protocol
+        # header.
+        real_ip_header proxy_protocol;
+
+        port_in_redirect off;
+      '';
+    };
+  };
+
+  systemd.tmpfiles.rules = [
+    "d ${dataDir} 0755 ${deployUser} ${deployUser}"
+  ];
+
+  # Cryptoparty website deploy user already defined in cryptoparty-hamburg.de.nix.
+}

From 071eb88afa67740f792a6e7fb7612509ef596acb Mon Sep 17 00:00:00 2001
From: June <june@jsts.xyz>
Date: Thu, 24 Jul 2025 02:15:19 +0200
Subject: [PATCH 167/170] flake.lock: Update
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Flake lock file updates:

• Updated input 'authorizedKeysRepo':
    'https://git.hamburg.ccc.de/api/v1/repos/CCCHH/infrastructure-authorized-keys/archive/fc95460e9e6ae759b2b08c93b10a8e010e9e14e6.tar.gz?narHash=sha256-GMU6gfG1%2B3OjTuoiIYQg9yefzrz%2BRVVesqXa8jmOuCE%3D&rev=fc95460e9e6ae759b2b08c93b10a8e010e9e14e6' (2025-04-28)
  → 'https://git.hamburg.ccc.de/api/v1/repos/CCCHH/infrastructure-authorized-keys/archive/fc95460e9e6ae759b2b08c93b10a8e010e9e14e6.tar.gz?narHash=sha256-GMU6gfG1%2B3OjTuoiIYQg9yefzrz%2BRVVesqXa8jmOuCE%3D' (2025-04-28)
• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/32a4e87942101f1c9f9865e04dc3ddb175f5f32e?narHash=sha256-f3pO%2B9lg66mV7IMmmIqG4PL3223TYMlnlw%2Bpnpelbss%3D' (2025-07-15)
  → 'github:nixos/nixpkgs/92c2e04a475523e723c67ef872d8037379073681?narHash=sha256-yLuz5cz5Z%2Bsn8DRAfNkrd2Z1cV6DaYO9JMrEz4KZo/c%3D' (2025-07-21)
---
 flake.lock | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/flake.lock b/flake.lock
index 2ab41bb..559f116 100644
--- a/flake.lock
+++ b/flake.lock
@@ -7,7 +7,7 @@
         "narHash": "sha256-GMU6gfG1+3OjTuoiIYQg9yefzrz+RVVesqXa8jmOuCE=",
         "rev": "fc95460e9e6ae759b2b08c93b10a8e010e9e14e6",
         "type": "tarball",
-        "url": "https://git.hamburg.ccc.de/api/v1/repos/CCCHH/infrastructure-authorized-keys/archive/fc95460e9e6ae759b2b08c93b10a8e010e9e14e6.tar.gz?rev=fc95460e9e6ae759b2b08c93b10a8e010e9e14e6"
+        "url": "https://git.hamburg.ccc.de/api/v1/repos/CCCHH/infrastructure-authorized-keys/archive/fc95460e9e6ae759b2b08c93b10a8e010e9e14e6.tar.gz"
       },
       "original": {
         "type": "tarball",
@@ -66,11 +66,11 @@
     },
     "nixpkgs_2": {
       "locked": {
-        "lastModified": 1752620740,
-        "narHash": "sha256-f3pO+9lg66mV7IMmmIqG4PL3223TYMlnlw+pnpelbss=",
+        "lastModified": 1753115646,
+        "narHash": "sha256-yLuz5cz5Z+sn8DRAfNkrd2Z1cV6DaYO9JMrEz4KZo/c=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "32a4e87942101f1c9f9865e04dc3ddb175f5f32e",
+        "rev": "92c2e04a475523e723c67ef872d8037379073681",
         "type": "github"
       },
       "original": {

From df365e67f98be2882280e79aff4834e6158e1ab8 Mon Sep 17 00:00:00 2001
From: June <june@jsts.xyz>
Date: Mon, 11 Aug 2025 04:18:41 +0200
Subject: [PATCH 168/170] audio: fix librespot playback and use avahi for mDNS

Fix librespot playback by building the dev branch and applying the
changes from librespot PR 1528
(https://github.com/librespot-org/librespot/pull/1528) fixing librespot
issue 1527 (https://github.com/librespot-org/librespot/issues/1527).

Also make librespot use Avahi, since shairport-sync already uses that.
---
 README.md                                     |   2 +-
 flake.nix                                     |  24 ++
 modules/services/audio/librespot.nix          |   6 +-
 .../librespot_PR1528_conflicts_resolved.patch | 223 ++++++++++++++++++
 4 files changed, 251 insertions(+), 4 deletions(-)
 create mode 100644 patches/librespot_PR1528_conflicts_resolved.patch

diff --git a/README.md b/README.md
index def4e60..34690bd 100644
--- a/README.md
+++ b/README.md
@@ -77,4 +77,4 @@ nix build .#proxmox-chaosknoten-nixos-template
 ## License
 
 This CCCHH nix-infra repository is licensed under the [MIT License](./LICENSE).  
-[`0001_oidc_group_and_role_mapping_custom_pipeline.patch`](patches/0001_oidc_group_and_role_mapping_custom_pipeline.patch) is licensed under the Creative Commons: CC BY-SA 4.0 license.
+[`librespot_PR1528_conflicts_resolved.patch`](patches/librespot_PR1528_conflicts_resolved.patch) is a modified version of [librespot PR 1528](https://github.com/librespot-org/librespot/pull/1528) and is licensed under the [MIT license](https://github.com/librespot-org/librespot/blob/dev/LICENSE).
diff --git a/flake.nix b/flake.nix
index 53bf4ca..39183bf 100644
--- a/flake.nix
+++ b/flake.nix
@@ -40,6 +40,29 @@
         proxmox-vm = ./config/proxmox-vm;
         prometheus-exporter = ./config/extra/prometheus-exporter.nix;
       };
+      overlays = {
+        librespotFixOverlay = final: prev: {
+          librespot = (prev.librespot.override { withAvahi = true; }).overrideAttrs (finalAttrs: prevAttr: rec {
+            # Build dev branch.
+            name = "${prevAttr.pname}-${version}";
+            version = "dev";
+            src = prev.fetchFromGitHub {
+              owner = "librespot-org";
+              repo = "librespot";
+              rev = "dev";
+              sha256 = "sha256-s9JpIbqXiVXMlhEuIuKio+rD1rM3kc7bAT0+8+5s35w=";
+            };
+            cargoDeps = final.rustPlatform.fetchCargoVendor {
+              inherit src;
+              hash = "sha256-Lujz2revTAok9B0hzdl8NVQ5XMRY9ACJzoQHIkIgKMg=";
+            };
+            # Fix librespot failing with "Unable to load audio item: Error { kind: Unavailable, error: StatusCode(500) }".
+            patches = (prevAttr.patches or []) ++ [
+              ./patches/librespot_PR1528_conflicts_resolved.patch
+            ];
+          });
+        };
+      };
       nixosConfigurations = {
         audio-hauptraum-kueche = nixpkgs.lib.nixosSystem {
           inherit system specialArgs;
@@ -56,6 +79,7 @@
             self.nixosModules.common
             self.nixosModules.proxmox-vm
             ./config/hosts/audio-hauptraum-tafel
+            { nixpkgs.overlays = [ self.overlays.librespotFixOverlay ]; }
           ];
         };
 
diff --git a/modules/services/audio/librespot.nix b/modules/services/audio/librespot.nix
index 4c0fadb..3be5c86 100644
--- a/modules/services/audio/librespot.nix
+++ b/modules/services/audio/librespot.nix
@@ -19,11 +19,11 @@ in
       enable = true;
       description = "Spotify Connect Receiver Using librespot";
       unitConfig = {
-        Requires = [ "network-online.target" "pipewire.service" ];
-        After = [ "network-online.target" "pipewire.service" ];
+        Requires = [ "network-online.target" "pipewire.service" "avahi-daemon.service" ];
+        After = [ "network-online.target" "pipewire.service" "avahi-daemon.service" ];
       };
       serviceConfig = {
-        ExecStart = "${pkgs.librespot}/bin/librespot --name '${config.ccchh.services.audio.name}' --device-type speaker --bitrate 320 --enable-volume-normalisation --disable-audio-cache --disable-credential-cache";
+        ExecStart = "${pkgs.librespot}/bin/librespot --name '${config.ccchh.services.audio.name}' --device-type speaker --bitrate 320 --enable-volume-normalisation --disable-audio-cache --disable-credential-cache --zeroconf-backend avahi";
         User = "librespot";
         Group = "librespot";
       };
diff --git a/patches/librespot_PR1528_conflicts_resolved.patch b/patches/librespot_PR1528_conflicts_resolved.patch
new file mode 100644
index 0000000..f97a38a
--- /dev/null
+++ b/patches/librespot_PR1528_conflicts_resolved.patch
@@ -0,0 +1,223 @@
+From c4c968e594edcfce231682db5563f7186da7c6f0 Mon Sep 17 00:00:00 2001
+From: Timon de Groot <tdegroot96@gmail.com>
+Date: Thu, 7 Aug 2025 12:22:56 +0200
+Subject: [PATCH 1/5] spclient: Specify base url for metadata requests
+
+This fixes #1527
+---
+ core/src/spclient.rs | 15 +++++++++++++--
+ 1 file changed, 13 insertions(+), 2 deletions(-)
+
+diff --git a/core/src/spclient.rs b/core/src/spclient.rs
+index 87a6098..56c4287 100644
+--- a/core/src/spclient.rs
++++ b/core/src/spclient.rs
+@@ -55,6 +55,7 @@ const CONNECTION_ID: HeaderName = HeaderName::from_static("x-spotify-connection-
+ const NO_METRICS_AND_SALT: RequestOptions = RequestOptions {
+     metrics: false,
+     salt: false,
++    base_url: None,
+ };
+ 
+ #[derive(Debug, Error)]
+@@ -86,6 +87,7 @@ impl Default for RequestStrategy {
+ pub struct RequestOptions {
+     metrics: bool,
+     salt: bool,
++    base_url: Option<String>,
+ }
+ 
+ impl Default for RequestOptions {
+@@ -93,6 +95,7 @@ impl Default for RequestOptions {
+         Self {
+             metrics: true,
+             salt: true,
++            base_url: None,
+         }
+     }
+ }
+@@ -449,7 +452,10 @@ impl SpClient {
+ 
+             // Reconnection logic: retrieve the endpoint every iteration, so we can try
+             // another access point when we are experiencing network issues (see below).
+-            let mut url = self.base_url().await?;
++            let mut url = match &options.base_url {
++                Some(base_url) => base_url.clone(),
++                None => self.base_url().await?,
++            };
+             url.push_str(endpoint);
+ 
+             // Add metrics. There is also an optional `partner` key with a value like
+@@ -566,7 +572,12 @@ impl SpClient {
+ 
+     pub async fn get_metadata(&self, scope: &str, id: &SpotifyId) -> SpClientResult {
+         let endpoint = format!("/metadata/4/{}/{}", scope, id.to_base16()?);
+-        self.request(&Method::GET, &endpoint, None, None).await
++        let options = RequestOptions {
++            base_url: Some(String::from("https://spclient.wg.spotify.com")),
++            ..Default::default()
++        };
++        self.request_with_options(&Method::GET, &endpoint, None, None, &options)
++            .await
+     }
+ 
+     pub async fn get_track_metadata(&self, track_id: &SpotifyId) -> SpClientResult {
+-- 
+2.49.0
+
+
+From 2b72f3fbdf6519321feeaaecc1ea6e1bb042074e Mon Sep 17 00:00:00 2001
+From: Timon de Groot <tdegroot96@gmail.com>
+Date: Thu, 7 Aug 2025 13:51:55 +0200
+Subject: [PATCH 2/5] spclient: Change RequestOptions to &str
+
+This will allocate less strings and makes it possible to have const
+request option values.
+
+Also document why the metadata base url workaround is needed.
+---
+ core/src/spclient.rs | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/core/src/spclient.rs b/core/src/spclient.rs
+index 56c4287..11bcef4 100644
+--- a/core/src/spclient.rs
++++ b/core/src/spclient.rs
+@@ -87,7 +87,7 @@ impl Default for RequestStrategy {
+ pub struct RequestOptions {
+     metrics: bool,
+     salt: bool,
+-    base_url: Option<String>,
++    base_url: Option<&'static str>,
+ }
+ 
+ impl Default for RequestOptions {
+@@ -453,7 +453,7 @@ impl SpClient {
+             // Reconnection logic: retrieve the endpoint every iteration, so we can try
+             // another access point when we are experiencing network issues (see below).
+             let mut url = match &options.base_url {
+-                Some(base_url) => base_url.clone(),
++                Some(base_url) => base_url.to_owned().to_string(),
+                 None => self.base_url().await?,
+             };
+             url.push_str(endpoint);
+@@ -572,8 +572,11 @@ impl SpClient {
+ 
+     pub async fn get_metadata(&self, scope: &str, id: &SpotifyId) -> SpClientResult {
+         let endpoint = format!("/metadata/4/{}/{}", scope, id.to_base16()?);
++        // For unknown reasons, metadata requests must now be sent through spclient.wg.spotify.com.
++        // Otherwise, the API will respond with 500 Internal Server Error responses.
++        // Context: https://github.com/librespot-org/librespot/issues/1527
+         let options = RequestOptions {
+-            base_url: Some(String::from("https://spclient.wg.spotify.com")),
++            base_url: Some("https://spclient.wg.spotify.com"),
+             ..Default::default()
+         };
+         self.request_with_options(&Method::GET, &endpoint, None, None, &options)
+-- 
+2.49.0
+
+
+From 73ed5c50849bb660834cd0d7aaa7110c01397055 Mon Sep 17 00:00:00 2001
+From: Timon de Groot <tdegroot96@gmail.com>
+Date: Sat, 9 Aug 2025 09:28:51 +0200
+Subject: [PATCH 3/5] spclient: Make const request options for get_metadata
+
+---
+ core/src/spclient.rs | 20 ++++++++++++++------
+ 1 file changed, 14 insertions(+), 6 deletions(-)
+
+diff --git a/core/src/spclient.rs b/core/src/spclient.rs
+index 11bcef4..cbcf092 100644
+--- a/core/src/spclient.rs
++++ b/core/src/spclient.rs
+@@ -58,6 +58,12 @@ const NO_METRICS_AND_SALT: RequestOptions = RequestOptions {
+     base_url: None,
+ };
+ 
++const SPCLIENT_FALLBACK_ENDPOINT: RequestOptions = RequestOptions {
++    metrics: true,
++    salt: true,
++    base_url: Some("https://spclient.wg.spotify.com"),
++};
++
+ #[derive(Debug, Error)]
+ pub enum SpClientError {
+     #[error("missing attribute {0}")]
+@@ -575,12 +581,14 @@ impl SpClient {
+         // For unknown reasons, metadata requests must now be sent through spclient.wg.spotify.com.
+         // Otherwise, the API will respond with 500 Internal Server Error responses.
+         // Context: https://github.com/librespot-org/librespot/issues/1527
+-        let options = RequestOptions {
+-            base_url: Some("https://spclient.wg.spotify.com"),
+-            ..Default::default()
+-        };
+-        self.request_with_options(&Method::GET, &endpoint, None, None, &options)
+-            .await
++        self.request_with_options(
++            &Method::GET,
++            &endpoint,
++            None,
++            None,
++            &SPCLIENT_FALLBACK_ENDPOINT,
++        )
++        .await
+     }
+ 
+     pub async fn get_track_metadata(&self, track_id: &SpotifyId) -> SpClientResult {
+-- 
+2.49.0
+
+
+From 6adca21fdf64bd8026a2d6df04c42dd2b1239358 Mon Sep 17 00:00:00 2001
+From: Timon de Groot <tdegroot96@gmail.com>
+Date: Sat, 9 Aug 2025 09:40:20 +0200
+Subject: [PATCH 4/5] spclient: Simplify base url init
+
+---
+ core/src/spclient.rs | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/core/src/spclient.rs b/core/src/spclient.rs
+index cbcf092..272975d 100644
+--- a/core/src/spclient.rs
++++ b/core/src/spclient.rs
+@@ -458,8 +458,8 @@ impl SpClient {
+ 
+             // Reconnection logic: retrieve the endpoint every iteration, so we can try
+             // another access point when we are experiencing network issues (see below).
+-            let mut url = match &options.base_url {
+-                Some(base_url) => base_url.to_owned().to_string(),
++            let mut url = match options.base_url {
++                Some(base_url) => base_url.to_string(),
+                 None => self.base_url().await?,
+             };
+             url.push_str(endpoint);
+-- 
+2.49.0
+
+
+From 0b5b1eb6c73a9291057b3856939f416113fdd8bb Mon Sep 17 00:00:00 2001
+From: Timon de Groot <tdegroot96@gmail.com>
+Date: Sat, 9 Aug 2025 10:14:02 +0200
+Subject: [PATCH 5/5] Update CHANGELOG.md
+
+---
+ CHANGELOG.md | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/CHANGELOG.md b/CHANGELOG.md
+index 560de2b..b62e9f8 100644
+--- a/CHANGELOG.md
++++ b/CHANGELOG.md
+@@ -51,6 +51,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
+ - [connect] Correctly apply playing/paused state when transferring playback
+ - [player] Saturate invalid seek positions to track duration
+ - [audio] Fall back to other URLs in case of a failure when downloading from CDN
++- [core] Metadata requests failing with 500 Internal Server Error
+ 
+ ### Deprecated
+ 
+-- 
+2.49.0
+

From c7ae6a7ee30ea3a67acc1f253eb737a306fb5daa Mon Sep 17 00:00:00 2001
From: June <june@jsts.xyz>
Date: Mon, 11 Aug 2025 20:09:05 +0200
Subject: [PATCH 169/170] bump element web to 1.11.109

---
 .../public-web-static/virtualHosts/element.hamburg.ccc.de.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/config/hosts/public-web-static/virtualHosts/element.hamburg.ccc.de.nix b/config/hosts/public-web-static/virtualHosts/element.hamburg.ccc.de.nix
index d0da920..9e919e2 100644
--- a/config/hosts/public-web-static/virtualHosts/element.hamburg.ccc.de.nix
+++ b/config/hosts/public-web-static/virtualHosts/element.hamburg.ccc.de.nix
@@ -1,10 +1,10 @@
 { pkgs, ... }:
 
 let
-  elementWebVersion = "1.11.106";
+  elementWebVersion = "1.11.109";
   element-web = pkgs.fetchzip {
     url = "https://github.com/element-hq/element-web/releases/download/v${elementWebVersion}/element-v${elementWebVersion}.tar.gz";
-    sha256 = "sha256-5E6za7G7Olia5VzOnBjYMeGJ2Xifqx+vDmCFgNLaRZo=";
+    sha256 = "sha256-eKPClYJxUhCJznI1+dv9w2h0CoSKgZsBZCsuM3KH5ag=";
   };
   elementSecurityHeaders = ''
     # Configuration best practices

From 0c0457793ff759c5b6f376dcbc074a5072d1a561 Mon Sep 17 00:00:00 2001
From: June <june@jsts.xyz>
Date: Tue, 12 Aug 2025 01:11:31 +0200
Subject: [PATCH 170/170] bump Matrix Synapse to version 1.135.2

---
 flake.nix | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/flake.nix b/flake.nix
index 39183bf..e8a53a9 100644
--- a/flake.nix
+++ b/flake.nix
@@ -41,6 +41,22 @@
         prometheus-exporter = ./config/extra/prometheus-exporter.nix;
       };
       overlays = {
+        matrixSynapseFix = final: prev: {
+          matrix-synapse-unwrapped = prev.matrix-synapse-unwrapped.overrideAttrs (finalAttrs: prevAttrs: rec {
+            version = "1.135.2";
+            src = prev.fetchFromGitHub {
+              owner = "element-hq";
+              repo = "synapse";
+              rev = "v${version}";
+              hash = "sha256-4HAA9Xq4C3DHxz0BgqBitfM4wZwPSEu+IO/OPfHzLVw=";
+            };
+            cargoDeps = final.rustPlatform.fetchCargoVendor {
+              inherit src;
+              hash = "sha256-4J92s6cSgsEIYQpbU6OOLI/USIJX2Gc7UdEHgWQgmXc=";
+            };
+            patches = [];
+          });
+        };
         librespotFixOverlay = final: prev: {
           librespot = (prev.librespot.override { withAvahi = true; }).overrideAttrs (finalAttrs: prevAttr: rec {
             # Build dev branch.
@@ -109,6 +125,7 @@
             sops-nix.nixosModules.sops
             self.nixosModules.prometheus-exporter
             ./config/hosts/matrix
+            { nixpkgs.overlays = [ self.overlays.matrixSynapseFix ]; }
           ];
         };