add yate service for autostart

introduce /etc/yate, clone/reset on service start Fix config via git make yate systemd service create yate service user recreate the full config everytime decolour the log because of blob data make sure source is available before deleting config change yate-config repo fix yate deploy key fix yate-config not pulling
2024-11-17 21:41:16 +01:00
96 changed files with 377 additions and 2831 deletions
--- a/.editorconfig
+++ b/.editorconfig
@ -1,23 +0,0 @@
 root = true
 [*]
 end_of_line = lf
 insert_final_newline = true
 indent_style = space
 charset = utf-8
 [*.nix]
 indent_size = 2
 trim_trailing_whitespace = true
 [*.md]
 indent_size = 2
 trim_trailing_whitespace = false
 [*.json]
 indent_size = 2
 trim_trailing_whitespace = true
 [*.yaml]
 indent_size = 2
 trim_trailing_whitespace = true
--- a/.sops.yaml
+++ b/.sops.yaml
@ -16,9 +16,6 @@ keys:
  - &host_age_netbox age13fqs76z2vl5l84dvmmlqjj5xkfsfe85xls8uueul7re9j3ksjs0sw2xc9e
  - &host_age_public_web_static age19s7r8sf7j6zk24x9vumawgxpd2q8epyv7p9qsjntw7v9s3v045mqhmsfp0
  - &host_age_yate age1kxzl00cfa5v926cvtcp0l3fncwh6fgmk8jvpf4swkl4vh3hv9e5qyqsrnt
  - &host_age_mjolnir age1ej52kwuj8xraxdq685eejj4dmxpfmpgt4d8jka98rtpal6xcueqq9a6wae
  - &host_age_woodpecker age1klxtcr23hers0lh4f5zdd53tyrtg0jud35rhydstyjq9fjymf9hsn2a8ch
  - &host_age_penpot age10ku5rphtsf2lcxg78za7f2dad5cx5x9urgkce0d7tyqwq2enva9sqf7g8r
 creation_rules:
  - path_regex: config/hosts/git/.*
    key_groups:
@ -100,54 +97,6 @@ creation_rules:
          - *admin_gpg_dante
        age:
          - *host_age_public_web_static
  - path_regex: config/hosts/mjolnir/.*
    key_groups:
      - pgp:
          - *admin_gpg_djerun
          - *admin_gpg_stb
          - *admin_gpg_jtbx
          - *admin_gpg_yuri
          - *admin_gpg_june
          - *admin_gpg_haegar
          - *admin_gpg_dario
          - *admin_gpg_echtnurich
          - *admin_gpg_max
          - *admin_gpg_c6ristian
          - *admin_gpg_dante
        age:
          - *host_age_mjolnir
  - path_regex: config/hosts/woodpecker/.*
    key_groups:
      - pgp:
          - *admin_gpg_djerun
          - *admin_gpg_stb
          - *admin_gpg_jtbx
          - *admin_gpg_yuri
          - *admin_gpg_june
          - *admin_gpg_haegar
          - *admin_gpg_dario
          - *admin_gpg_echtnurich
          - *admin_gpg_max
          - *admin_gpg_c6ristian
          - *admin_gpg_dante
        age:
          - *host_age_woodpecker
  - path_regex: config/hosts/penpot/.*
    key_groups:
      - pgp:
          - *admin_gpg_djerun
          - *admin_gpg_stb
          - *admin_gpg_jtbx
          - *admin_gpg_yuri
          - *admin_gpg_june
          - *admin_gpg_haegar
          - *admin_gpg_dario
          - *admin_gpg_echtnurich
          - *admin_gpg_max
          - *admin_gpg_c6ristian
          - *admin_gpg_dante
        age:
          - *host_age_penpot
  - path_regex: config/hosts/yate/.*
    key_groups:
      - pgp:
--- a/21
+++ b/21
@ -1,21 +0,0 @@
 MIT License
 Copyright (c) CCCHH
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal
 in the Software without restriction, including without limitation the rights
 to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 copies of the Software, and to permit persons to whom the Software is
 furnished to do so, subject to the following conditions:
 The above copyright notice and this permission notice shall be included in all
 copies or substantial portions of the Software.
 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
 IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
 AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
 SOFTWARE.
--- a/README.md
+++ b/README.md
@ -18,62 +18,3 @@ infra-rebuild switch git matrix
 By default infra-rebuild tries to use the FQDN from the nixosConfiguration of the host for deployment.
 However to override individual parts of the deployment target, a [`deployment_configuration.json`](./deployment_configuration.json) can be used.
 This is exactly what we're doing to set the default deployment user to `colmena-deploy` and have custom target hostnames for Chaosknoten hosts, since they don't have an FQDN defined in their nixosConfiguration.
 ## Setting up secrets with sops-nix for a host
 1. Convert the hosts SSH host public key to an age public key.
   This can be done by connecting to the host and running:
   ```
   cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age
   ``` 
 2. Add the resulting age public key to the `.sops.yaml` as a YAML anchor in keys.
   It should be named something like: `host_age_hostname`
 3. Add a new creation rule for the hosts config directory.
   It should probably have all admin keys and the hosts age key. \
   You can use existing creation rules as a reference.
 4. Create a file containing the relevant secrets in the hosts config directory.
   This can be accomplished with a command similar to this:
   ```
   sops config/hosts/hostname/secrets.yaml
   ```
   Note: Nested keys don't seem to be compatible with sops-nix.
 5. Add the following entry to the modules of the hosts `nixosConfiguration`:
   ```nix
   sops-nix.nixosModules.sops
   ```
 6. Create a `sops.nix` in the hosts config directory containing the following content to include the `secrets.yaml`:
   ```nix
   { ... }:
   {
     sops = {
       defaultSopsFile = ./secrets.yaml;
     };
   }
   ```
 7. Make sure the `sops.nix` gets imported. For example in the `default.nix`.
 8. To use a secret stored under e.g. `forgejo_git_smtp_password`, you can then do something like the following:
   ```nix
   sops.secrets."forgejo_git_smtp_password" = {
     mode = "0440";
     owner = "forgejo";
     group = "forgejo";
     restartUnits = [ "forgejo.service" ];
   };
   ```
   This secret would then be available under `/run/secrets/forgejo_git_smtp_password` on the host.
 ## Build NixOS Proxmox VE Template
 Build a new NixOS Proxmox VE Template for the thinkcccore's:
 ```shell
 nix build .#proxmox-nixos-template
 ```
 Build a new NixOS Proxmox VE Template for the chaosknoten:
 ```shell
 nix build .#proxmox-chaosknoten-nixos-template
 ```
 ## License
 This CCCHH nix-infra repository is licensed under the [MIT License](./LICENSE).
--- a/config/common/admin-environment.nix
+++ b/config/common/admin-environment.nix
@ -13,7 +13,6 @@
    git
    curl
    rsync
    ssh-to-age
    usbutils
    nix-tree
    # For kitty terminfo.
--- a/config/common/default-state-version.nix
+++ b/config/common/default-state-version.nix
@ -13,5 +13,5 @@
  # this value at the release version of the first install of this system.
  # Before changing this value read the documentation for this option
  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
-  system.stateVersion = lib.mkDefault "24.05";
+  system.stateVersion = lib.mkDefault "23.05";
 }
--- a/config/common/users.nix
+++ b/config/common/users.nix
@ -6,9 +6,14 @@
 # - https://git.grzb.de/yuri/nix-infra/-/blob/342a2f732da042d04e579d98e9f834418b7ebf25/users/colmena-deploy/default.nix
 # - https://nixos.org/manual/nix/stable/command-ref/conf-file.html?highlight=nix.conf#available-settings
-{ config, pkgs, lib, authorizedKeysRepo, ... }:
+{ config, pkgs, lib, ... }:
 let
  authorizedKeysRepo = builtins.fetchGit {
    url = "forgejo@git.hamburg.ccc.de:CCCHH/infrastructure-authorized-keys.git";
    ref = "trunk";
    rev = "da9d3ead9d97ce0fef7538638326264957e2f1b4";
  };
  authorizedKeys = builtins.filter (item: item != "") (lib.strings.splitString "\n" (builtins.readFile "${authorizedKeysRepo}/authorized_keys"));
 in
 {
--- a/config/extra/prometheus-exporter.nix
+++ b/config/extra/prometheus-exporter.nix
@ -1,8 +0,0 @@
 { ... }:
 {
  services.prometheus.exporters.node = {
    enable = true;
    openFirewall = true;
  };
 }
--- a/config/hosts/audio-hauptraum-kueche/networking.nix
+++ b/config/hosts/audio-hauptraum-kueche/networking.nix
@ -1,4 +1,4 @@
-{ ... }:
+{ config, pkgs, ... }:
 {
  networking = {
@ -11,9 +11,10 @@
      ];
    };
    defaultGateway = "10.31.210.1";
-    nameservers = [ "10.31.210.1" ];
+    nameservers = [
      "10.31.210.1"
    ];
  };
  systemd.network.links."10-net0" = {
    matchConfig.MACAddress = "1E:EF:2D:92:81:DA";
    linkConfig.Name = "net0";
--- a/config/hosts/audio-hauptraum-tafel/networking.nix
+++ b/config/hosts/audio-hauptraum-tafel/networking.nix
@ -1,4 +1,4 @@
-{ ... }:
+{ config, pkgs, ... }:
 {
  networking = {
@ -11,9 +11,10 @@
      ];
    };
    defaultGateway = "10.31.210.1";
-    nameservers = [ "10.31.210.1" ];
+    nameservers = [
      "10.31.210.1"
    ];
  };
  systemd.network.links."10-net0" = {
    matchConfig.MACAddress = "D2:10:33:B1:72:C3";
    linkConfig.Name = "net0";
--- a/config/hosts/eh22-wiki/dokuwiki.nix
+++ b/config/hosts/eh22-wiki/dokuwiki.nix
@ -21,8 +21,7 @@ let
  app = "dokuwiki";
  domain = "eh22.easterhegg.eu";
  dataDir = "/srv/www/${domain}";
-in
+in {
 {
  systemd.tmpfiles.rules = [
    "d ${dataDir} 0755 ${app} ${app}"
  ];
@ -58,16 +57,16 @@ in
      ; Checked with NixOS 23.11 on 2024-05-02.
      extension = ${pkgs.phpExtensions.bz2}/lib/php/extensions/bz2.so
    '';
-    settings = {
+    extraConfig = ''
-      "listen.owner" = "${config.services.nginx.user}";
+      listen.owner = ${config.services.nginx.user};
-      "listen.group" = "${config.services.nginx.group}";
+      listen.group = ${config.services.nginx.group};
-      "pm" = "dynamic";
+      pm = dynamic
-      "pm.max_children" = 32;
+      pm.max_children = 32
-      "pm.start_servers" = 2;
+      pm.start_servers = 2
-      "pm.min_spare_servers" = 2;
+      pm.min_spare_servers = 2
-      "pm.max_spare_servers" = 4;
+      pm.max_spare_servers = 4
-      "pm.max_requests" = 500;
+      pm.max_requests = 500
-    };
+    '';
  };
  services.nginx = {
--- a/config/hosts/eh22-wiki/networking.nix
+++ b/config/hosts/eh22-wiki/networking.nix
@ -1,8 +1,10 @@
 # Sources for this configuration:
 # - https://nixos.wiki/wiki/Networking
 { ... }:
 {
-  networking = {
+  networking.interfaces.net0 = {
    interfaces.net0 = {
    ipv4.addresses = [
      {
        address = "172.31.17.159";
@ -10,10 +12,9 @@
      }
    ];
  };
-    defaultGateway = "172.31.17.129";
+  networking.defaultGateway = "172.31.17.129";
-    nameservers = [ "212.12.50.158" "192.76.134.90" ];
+  networking.nameservers = [ "212.12.50.158" "192.76.134.90" ];
-    search = [ "hamburg.ccc.de" ];
+  networking.search = [ "hamburg.ccc.de" ];
  };
  systemd.network.links."10-net0" = {
    matchConfig.MACAddress = "BC:24:11:37:F0:AB";
--- a/config/hosts/esphome/default.nix
+++ b/config/hosts/esphome/default.nix
@ -3,7 +3,6 @@
  imports = [
    ./configuration.nix
    ./esphome.nix
    ./networking.nix
    ./nginx.nix
  ];
 }
--- a/config/hosts/esphome/networking.nix
+++ b/config/hosts/esphome/networking.nix
@ -1,29 +0,0 @@
 { ... }:
 {
  networking = {
    interfaces.net0 = {
      ipv4.addresses = [
        {
          address = "10.31.208.24";
          prefixLength = 23;
        }
      ];
      ipv6.addresses = [
        {
          address = "2a07:c480:0:1d0::66";
          prefixLength = 64;
        }
      ];
    };
    defaultGateway = "10.31.208.1";
    defaultGateway6 = "2a07:c480:0:1d0::1";
    nameservers = [ "10.31.208.1" "2a07:c480:0:1d0::1" ];
    search = [ "z9.ccchh.net" ];
  };
  systemd.network.links."10-net0" = {
    matchConfig.MACAddress = "7E:3C:F0:77:8A:F4";
    linkConfig.Name = "net0";
  };
 }
--- a/config/hosts/esphome/nginx.nix
+++ b/config/hosts/esphome/nginx.nix
@ -1,34 +1,35 @@
 { config, ... }:
 {
  services.nginx = {
    enable = true;
    virtualHosts = {
-      "esphome.ccchh.net" = {
+      "acme-esphome.ccchh.net" = {
        forceSSL = true;
        enableACME = true;
        serverName = "esphome.ccchh.net";
        listen = [
          {
            addr = "0.0.0.0";
            port = 31820;
          }
        ];
      };
      "esphome.ccchh.net" = {
        forceSSL = true;
        useACMEHost = "esphome.ccchh.net";
        listen = [
          {
            addr = "0.0.0.0";
            port = 80;
          }
          {
            addr = "[::]";
            port = 80;
          }
          {
            addr = "0.0.0.0";
            port = 443;
            ssl = true;
          }
          {
            addr = "[::]";
            port = 443;
            ssl = true;
          }
        ];
        locations."/" = {
@ -36,38 +37,9 @@
          proxyWebsockets = true;
        };
      };
      "esphome.z9.ccchh.net" = {
        forceSSL = true;
        useACMEHost = "esphome.ccchh.net";
        serverName = "esphome.z9.ccchh.net";
        listen = [
          {
            addr = "0.0.0.0";
            port = 80;
          }
          {
            addr = "[::]";
            port = 80;
          }
          {
            addr = "0.0.0.0";
            port = 443;
            ssl = true;
          }
          {
            addr = "[::]";
            port = 443;
            ssl = true;
          }
        ];
        globalRedirect = "esphome.ccchh.net";
        redirectCode = 307;
    };
  };
  };
  security.acme.certs."esphome.ccchh.net".extraDomainNames = [ "esphome.z9.ccchh.net" ];
-  networking.firewall.allowedTCPPorts = [ 80 443 ];
+  networking.firewall.allowedTCPPorts = [ 80 443 31820 ];
 }
--- a/config/hosts/forgejo-actions-runner/networking.nix
+++ b/config/hosts/forgejo-actions-runner/networking.nix
@ -1,8 +1,7 @@
-{ ... }:
+{ config, pkgs, ... }:
 {
-  networking = {
+  networking.interfaces.net0 = {
    interfaces.net0 = {
    ipv4.addresses = [
      {
        address = "172.31.17.155";
@ -10,10 +9,9 @@
      }
    ];
  };
-    defaultGateway = "172.31.17.129";
+  networking.defaultGateway = "172.31.17.129";
-    nameservers = [ "212.12.50.158" "192.76.134.90" ];
+  networking.nameservers = [ "212.12.50.158" "192.76.134.90" ];
-    search = [ "hamburg.ccc.de" ];
+  networking.search = [ "hamburg.ccc.de" ];
  };
  systemd.network.links."10-net0" = {
    matchConfig.MACAddress = "1E:E0:4E:D0:DA:BE";
--- a/config/hosts/git/forgejo.nix
+++ b/config/hosts/git/forgejo.nix
@ -12,6 +12,7 @@
 {
  services.forgejo = {
    enable = true;
    package = pkgs-unstable.forgejo;
    database.type = "postgres";
    mailerPasswordFile = "/run/secrets/forgejo_git_smtp_password";
@ -45,9 +46,6 @@
        DEFAULT_USER_VISIBILITY = "limited";
        DEFAULT_KEEP_EMAIL_PRIVATE = true;
        ENABLE_BASIC_AUTHENTICATION = false;
        ENABLE_NOTIFY_MAIL = true;
        AUTO_WATCH_NEW_REPOS = false;
        AUTO_WATCH_ON_CHANGES = false;
      };
      repo = {
        DEFAULT_REPO_UNITS = "repo.code,repo.issues,repo.pulls";
--- a/config/hosts/git/networking.nix
+++ b/config/hosts/git/networking.nix
@ -4,18 +4,19 @@
 { ... }:
 {
-  networking = {
+  networking.interfaces.net0 = {
    interfaces.net0 = {
    ipv4.addresses = [
      {
        address = "212.12.51.136";
        prefixLength = 28;
      }
        {
          address = "172.31.17.154";
          prefixLength = 25;
        }
    ];
  };
  networking.defaultGateway = "212.12.51.129";
  networking.nameservers = [ "212.12.50.158" "192.76.134.90" ];
  networking.search = [ "hamburg.ccc.de" ];
  networking.interfaces.net0 = {
    ipv6.addresses = [
      {
        address = "2a00:14b0:f000:23:51:136::1";
@ -23,11 +24,7 @@
      }
    ];
  };
-    defaultGateway = "212.12.51.129";
+  networking.defaultGateway6 = "2a00:14b0:f000:23::1";
    defaultGateway6 = "2a00:14b0:f000:23::1";
    nameservers = [ "212.12.50.158" "192.76.134.90" ];
    search = [ "hamburg.ccc.de" ];
  };
  systemd.network.links."10-net0" = {
    matchConfig.MACAddress = "92:7B:E6:12:A4:FA";
--- a/config/hosts/git/nginx.nix
+++ b/config/hosts/git/nginx.nix
@ -34,10 +34,6 @@
        return = "200 \"User-agent: *\\nDisallow: /*/*/archive/\\n\"";
      };
    };
    # Disable checking of client request body size to make container registry
    # image uploads work.
    clientMaxBodySize = "0";
  };
  networking.firewall.allowedTCPPorts = [ 80 443 ];
--- a/config/hosts/hydra/configuration.nix
+++ b/config/hosts/hydra/configuration.nix
@ -1,9 +0,0 @@
 { ... }:
 {
  networking = {
    hostName = "hydra";
  };
  system.stateVersion = "24.05";
 }
--- a/config/hosts/hydra/default.nix
+++ b/config/hosts/hydra/default.nix
@ -1,11 +0,0 @@
 { ... }:
 {
  imports = [
    ./configuration.nix
    ./hydra.nix
    ./networking.nix
    ./nginx.nix
    ./nix.nix
  ];
 }
--- a/config/hosts/hydra/hydra.nix
+++ b/config/hosts/hydra/hydra.nix
@ -1,15 +0,0 @@
 { ... }:
 {
  services.hydra = {
    enable = true;
    listenHost = "localhost";
    port = 3000;
    hydraURL = "https://hydra.hamburg.ccc.de/";
    # E-Mail configuration requires some work/investigation still.
    notificationSender = "no-reply@hydra.hamburg.ccc.de";
    useSubstitutes = true;
    minimumDiskFree = 8;
    minimumDiskFreeEvaluator = 2;
  };
 }
--- a/config/hosts/hydra/networking.nix
+++ b/config/hosts/hydra/networking.nix
@ -1,22 +0,0 @@
 { ... }:
 {
  networking = {
    interfaces.net0 = {
      ipv4.addresses = [
        {
          address = "172.31.17.163";
          prefixLength = 25;
        }
      ];
    };
    defaultGateway = "172.31.17.129";
    nameservers = [ "212.12.50.158" "192.76.134.90" ];
    search = [ "hamburg.ccc.de" ];
  };
  systemd.network.links."10-net0" = {
    matchConfig.MACAddress = "BC:24:11:45:7C:D6";
    linkConfig.Name = "net0";
  };
 }
--- a/config/hosts/hydra/nginx.nix
+++ b/config/hosts/hydra/nginx.nix
@ -1,58 +0,0 @@
 { config, pkgs, ... }:
 let
  domain = "hydra.hamburg.ccc.de";
 in
 {
  services.nginx = {
    enable = true;
    virtualHosts = {
      "acme-${domain}" = {
        default = true;
        enableACME = true;
        serverName = "${domain}";
        listen = [
          {
            addr = "0.0.0.0";
            port = 31820;
          }
        ];
      };
      "${domain}" = {
        default = true;
        forceSSL = true;
        useACMEHost = "${domain}";
        listen = [
          {
            addr = "0.0.0.0";
            port = 8443;
            ssl = true;
            proxyProtocol = true;
          }
        ];
        locations."/" = {
          proxyPass = "http://${config.services.hydra.listenHost}:${builtins.toString config.services.hydra.port}";
        };
        extraConfig = ''
          # Make use of the ngx_http_realip_module to set the $remote_addr and
          # $remote_port to the client address and client port, when using proxy
          # protocol.
          # First set our proxy protocol proxy as trusted.
          set_real_ip_from 172.31.17.140;
          # Then tell the realip_module to get the addreses from the proxy protocol
          # header.
          real_ip_header proxy_protocol;
        '';
      };
    };
  };
  networking.firewall.allowedTCPPorts = [ 8443 31820 ];
  networking.firewall.allowedUDPPorts = [ 8443 ];
 }
--- a/config/hosts/hydra/nix.nix
+++ b/config/hosts/hydra/nix.nix
@ -1,10 +0,0 @@
 { ... }:
 {
  # Allow Hydra to fetch flake inputs.
  nix.settings.allowed-uris = [
    "github:"
    "https://github.com/"
    "https://git.hamburg.ccc.de/"
  ];
 }
--- a/config/hosts/matrix/networking.nix
+++ b/config/hosts/matrix/networking.nix
@ -1,8 +1,7 @@
 { ... }:
 {
-  networking = {
+  networking.interfaces.net0 = {
    interfaces.net0 = {
    ipv4.addresses = [
      {
        address = "172.31.17.150";
@ -10,10 +9,9 @@
      }
    ];
  };
-    defaultGateway = "172.31.17.129";
+  networking.defaultGateway = "172.31.17.129";
-    nameservers = [ "212.12.50.158" "192.76.134.90" ];
+  networking.nameservers = [ "212.12.50.158" "192.76.134.90" ];
-    search = [ "hamburg.ccc.de" ];
+  networking.search = [ "hamburg.ccc.de" ];
  };
  systemd.network.links."10-net0" = {
    matchConfig.MACAddress = "2A:A5:80:C3:8E:32";
--- a/config/hosts/mjolnir/configuration.nix
+++ b/config/hosts/mjolnir/configuration.nix
@ -1,9 +0,0 @@
 { ... }:
 {
  networking = {
    hostName = "mjolnir";
  };
  system.stateVersion = "24.05";
 }
--- a/config/hosts/mjolnir/default.nix
+++ b/config/hosts/mjolnir/default.nix
@ -1,10 +0,0 @@
 { ... }:
 {
  imports = [
    ./configuration.nix
    ./mjolnir.nix
    ./networking.nix
    ./sops.nix
  ];
 }
--- a/config/hosts/mjolnir/mjolnir.nix
+++ b/config/hosts/mjolnir/mjolnir.nix
@ -1,36 +0,0 @@
 # Sources for this configuration:
 # - https://github.com/matrix-org/mjolnir/blob/main/docs/setup.md
 # - https://github.com/matrix-org/mjolnir/blob/main/config/default.yaml
 { ... }:
 {
  # Allow deprecated, apparently somewhat insecure libolm to be able to update
  # the moderation bot.
  # The security issues aren't real world exploitable apparently:
  # https://matrix.org/blog/2024/08/libolm-deprecation/
  nixpkgs.config.permittedInsecurePackages = [ "olm-3.2.16" ];
  services.mjolnir = {
    enable = true;
    homeserverUrl = "https://matrix.hamburg.ccc.de";
    managementRoom = "#moderation-management:hamburg.ccc.de";
    settings = {
      verboseLogging = false;
    };
    pantalaimon = {
      enable = true;
      username = "moderation";
      passwordFile = "/run/secrets/matrix_moderation_user_password";
      options = {
        ssl = true;
      };
    };
  };
  sops.secrets."matrix_moderation_user_password" = {
    mode = "0440";
    owner = "mjolnir";
    group = "mjolnir";
    restartUnits = [ "mjolnir.service" ];
  };
 }
--- a/config/hosts/mjolnir/networking.nix
+++ b/config/hosts/mjolnir/networking.nix
@ -1,22 +0,0 @@
 { ... }:
 {
  networking = {
    interfaces.net0 = {
      ipv4.addresses = [
        {
          address = "172.31.17.161";
          prefixLength = 25;
        }
      ];
    };
    defaultGateway = "172.31.17.129";
    nameservers = [ "212.12.50.158" "192.76.134.90" ];
    search = [ "hamburg.ccc.de" ];
  };
  systemd.network.links."10-net0" = {
    matchConfig.MACAddress = "BC:24:11:C9:F8:C5";
    linkConfig.Name = "net0";
  };
 }
--- a/config/hosts/mjolnir/secrets.yaml
+++ b/config/hosts/mjolnir/secrets.yaml
@ -1,233 +0,0 @@
 matrix_moderation_user_password: ENC[AES256_GCM,data:NXJrbRh0A+NQh6Jy9iVAfYhsGR1BSOSuk1LjmArSiVF6jnuJAP9f750cRP7bu7Ai8xgxTlhjAtv9ck6SqlJ6Vw==,iv:IN/siIPCFKE+Nfl/aogYRYAHVgEGhMtTbmEZKZWQYgM=,tag:xxlnl5GU+uusSeh1OvoU1g==,type:str]
 sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age:
        - recipient: age1ej52kwuj8xraxdq685eejj4dmxpfmpgt4d8jka98rtpal6xcueqq9a6wae
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZTEhUMThoY3Nuc253NnBX
            ZkplNmRzOGZFNWlQNDVpL08yRk5VTHZDUkZNCnIxMUJoUHJBYlJpbUViMW9GUmhR
            V1F6SWh2NjRGWk9RWjMycGZYZXFZbkkKLS0tIE5MNk0xekwxY0NYYm9mc1ZGZFlH
            NDN2dUpuQWFFMTZQRzFIS0ZieTRzQm8KUDRpPJwcWwePKMp6KQMnQLhqqyvuhgQh
            rXpKW5fjxyT0Sh2u3FM2ET/9U0TUfpBVYBJojAJBFs1ntI8kFmqSYg==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2024-06-20T20:02:16Z"
    mac: ENC[AES256_GCM,data:5BhSo3YpF3QNqgGnx6YnymaEQB6pchMhokaJqk4rHg22xhbUAzOhWg4BQepT7vrCQlfOZIq4o//dGO+NQxqliiyyywrSYm3CBWD4xfZ9cdfinHC7Pc9lj6Dd4uPNxRjgTRNFuMyC+ATIABI2mHKpg+T2bxSalroIlvNr4vXWZo4=,iv:yPHJZ5PvI5zJlQIMRdbJ6eKGe1xN+teKF5GluD2pyK8=,tag:s4hO9RCdkHDsQ1W+KfXq7A==,type:str]
    pgp:
        - created_at: "2024-06-20T20:01:32Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----
            hQIMAxK/JaB2/SdtAQ//Y/GVthqtuK7bY8Ne5CNfn/CD1RUTdX1+KwX1zy3YsgUC
            CGxhoFFy1UoXR3QB4Hxnk8R/vaFVHezCWKWY45MAuPtwM1VGwjVsuknrJnSs8k7/
            jrzVO9xXgTd26H6DLmPVfH1hKB0/lh84hwVgF5rlPS/P7l92LL0hDIIwZz3dB0kU
            d6jLa1Fajqd4MSdLWbZRBPcioC5v1Ip/SXYAJp7IGLDgXm5MN+MnAdybAFsl1K5p
            dCUmGqK5IjyPVP564TqL0ZEIXMxSSwex47in3cTYPaOO0L8P3kbKDNWxZQLaqZkn
            4RZC4/aBqlfD2STxMez/ksi6kCcPuC7UPRzuq4oH3kOcJHxwIN8Df+DZYA4PJKsl
            T9QDL1EylHBhsPIZCoxpmnGl3j+hVmONj2V1awlCaOagbgDlClEUEMyw7QCVVbtK
            CW4DOgVnnTxcUaLHep8BgHxKkYjIDIbDMmg315h2ekT86gGgZavL8IiFTWSLzSrK
            XChIjUdjpKZhanmSWpj4w8ZpdGOOjernL2EBWtSC23AibBZmQe9OB/QzMpLTdCvV
            9t9mMoSayP61oJylBtOKhDnEW0Xib0U7tqzwpaow2V+CU2dr27qie1jh5GqMaoJR
            qpu1KT3Z9eqpF3Dl8aI3dEovbmvDMVXErU3pmFu2zRJtm6TOXp4NNOYWCetUfxPU
            aAEJAhCFerTI/ow/LWkCQ78cCMFjgKrYabA3lHu11Mr/PiHirwJ/vCmsUMiOhdRw
            49lsyqJlO3IA79yW4exG5tYXvPgeJMTdz36fseUEKsewfrPEqMUa2T4onet2+GN6
            GALPdepytjg+
            =v+qv
            -----END PGP MESSAGE-----
          fp: EF643F59E008414882232C78FFA8331EEB7D6B70
        - created_at: "2024-06-20T20:01:32Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----
            hQILA6EyPtWBEI+2AQ/2L7fbbhBH3BfgD7IbgtVn+nEhNJw5tWR2+0z1k72TIr9j
            rPAvV6NQY8oVV2+uNLa4fMl+ueqYTFd3/E4IsRXkmexjx+vos27LjDNSu6w0OPJU
            BSq5TFqZWYIPiWaivQz4+rt+vbxvpv4Lh3FAXlV9YubprJ4GRrlwyheve/l3F0BN
            3vCDLsfXijZjxaptb9nf7WiT9vvWrY0sD4g71ARZdWi7Lb+TgCxzbQMue+4VC0Zu
            y/AWIymVo13BD+apoYltVYYvkn7yz3REzsx3NN4bkJyoCAevr6UeO2fGvlT7b7eG
            F7CN/TusFlOqWV9M0VbiOGLfL7Q9tGAG3xDAyFh+yMQNadp0M3m9UiYUlHps5DRT
            CVsIPnPUr3V/oycRm3s+UeVyBg3rpdzWyNtETOjNY/AqVmRQ0toqZOm//ZOg609U
            6+EX1Oc/GosfNoHWJuFmfKJRhPpy2gXZX2rQuLWaVJUXzzKM5sbLnycCV03S24PU
            Fi7Z5lIu334QTLG8PV6agO5UprZb946qPmW+b/QnUol23XXcgh1GIgMV+lEK8+83
            UPT0aUkdtOTaKbWUg5xokx+0Ni9syJ4Nl7naQq57qOGiecMnBbeE3TYxaNOcjTBh
            CY0/hdcrZYH6VPeDye4yghSDF9WCaNUvzZNePGzdqKK3F9O/NmBSiYd/cToyDdJe
            AZMZCKxSw0/HyBqTRd3wC/VhC9uO2I4HWE3LuqBPUXYFWc4W1buJs+P8pFjqT5rZ
            puHPH8IxIeIiVNO5SFhdL8ecSu/nawakvih65aMGSa102e6B2HfP6tD4SmarmA==
            =tr5G
            -----END PGP MESSAGE-----
          fp: F155144FC925A1BEA1F8A2C59A2A4CD59BFDC5EC
        - created_at: "2024-06-20T20:01:32Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----
            hQIMAz5uSgHG2iMJARAA02rGmKxyQkvxoXM1i2dLOiH6Gw/pUcdDxYSwKfdkNU3X
            zc0He4FNG8CAURVq5jARD066VecamkBmlr+rwFJlaeqDPEiITfkz7DEGO8pPxKG0
            GBnFVA9r/+OU351yLjHYB+72jvw1ey0PPHvKg6/sKjovssYvQLipUcktH33kPqVQ
            yJzuQWFMWA7Jn/wTa/TP/53o0e//Kw9df69J3BSmnw9F6rKHGsIXLBmyR9HpQsLR
            KAuClMzjPqHszCICND7vUDEzUvCcOVyizZAcRzWfDi/llwKGUanvEGUVXvyDXw/E
            Q/FyR+VJXCzRlhsFTTuavjy6nhDsRf/N8N0Vsd9euDXOPQ4wuPAgpvdi58CPBmzP
            8jU3xpFSXStYBIMt5u7t+UJT4IwdbjnClyIrSuyaV/7N5UQdYTv0fBy1mRrYLBAj
            VhlRDa1y79n22Kg8mvDqJ16rC3VypkkQ6DaPvyDwlrG8iRLG/xi3Zz8HHnXxAGAm
            SzliIolwEDHJZHI9ZE3YzpFJkB6UyOpXS1zMsDycupFvQ4jd2fQ0C7w5OaJHCkeQ
            3zTKgtufjJGo7R2Nf0bTWTfi85GU3jpMsOHCEcChgBVXcO32ZZ/zzmqtXa/u3m5v
            sjUstyBXEmG9eyIaiEtRAMAblwRsJPMszLaCUuBpzQw+mm9uTCsIaf5Xdud7GFzS
            XgH+whlmbv/UeUC7bo65uxrG8SgTVAaPZpcQ2dP3rXYs45zYmYGKJaZuW+Hrl+nZ
            pd6zT6rb6R8TMmXkNA1TjhvZ/A+ONlza1fH0dmsh7U9oqINXNFJU7Qm2r7imFvg=
            =ZIDr
            -----END PGP MESSAGE-----
          fp: 18DFCE01456DAB52EA38A6584EDC64F35FA1D6A5
        - created_at: "2024-06-20T20:01:32Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----
            hQIMAw5vwmoEJHQ1AQ//f51KkC9oViW/0EA0TLdWgXa76ZXMeu4b3UhWaQvYDT9+
            8wuWE+slGEWsRnFZ+pgWZoV3HIv2p+xisX2lmBvepOufaRh6cyNpQaZNl0kFtpBo
            ShQ66SmkorunYyM+OIh3ceI4PC7ca4KsRKB8nWkA935NWssFN9zMlkVW6GjqzTft
            2JVJFL8GRlhIRMhJwSzp8zZ3XiYD0sB/2y+ffCMAOSCnDVcDjANyiSds6MPxfPy0
            /kaNTXuUI7H50tHQP6vzJ3q1mRpAhUTIxubnmBTdvAQz/kaD0qPt55z+Q0xSXsLa
            yfb+Zd2g/2o+IFiCrwqcki5yX49Ol89l69JRyIWe1T2VtqBSUVIiiYreX5OnmWPQ
            OjJ1mAn9tpIlVSHzlaONtmJEmAJ+n55rP0itBMs1CrIBiQleLaCbSWqp6q3RfaJr
            gpXnfHQpsU7cKEDQeyvxmH8qgrSR9AVh/knyGOJy8LnJQ93aQpr3xr/2MiFPYiKz
            dcSrxHesrfx2Zl7bNB5OZ7VZTWFSunZQUnOn3F3+7yaaT9ePsvWsyTKBOSGUiA7s
            VMxT5+P8QM6UOC8KxJj/q1eAVrWvN7vYbCA25+SzbdTtr1RweOVHzNgqZH5/Q2ZY
            fguwHlCGg5Q7UKYKBk4QJFg6oClDgzBYCFL76K4aymtR7rxKl4sJxWoug84oP6DS
            XgEZvNS3xsY8Pxm0bAmor93Q08Mii1svnNZ74Eqmbo9GxBjHReIGKDDZ08SaPhbc
            NJxAP2C2sRUda2R4GvsNYmXHzGYfFTrfe+AXqEV42ZSD9vHDJMCiX9JrY/r4uSM=
            =+F4l
            -----END PGP MESSAGE-----
          fp: 87AB00D45D37C9E9167B5A5A333448678B60E505
        - created_at: "2024-06-20T20:01:32Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----
            hQIMA4HMJd/cQYrVARAAq/cP9y/7kxSXDFOD/xhI/3RjGzIN5dyHlfrmEQWJ8J7z
            ov0VfBCJp6gFht37dGWuLtWi1qqWRgN+9hiBnkj2zONoph0SRGP9uNfadBSzYSD4
            wvlOFrWeM9cswnk4i0q8Go+qdCC6U0g1szjirdifF7I9KdqKpOFwXzjnzsPTF42o
            9oFCP32esOYv++DfTBgrSv8/STublJYABcs+lzjvURqBsFvdz7PBphH66++yxt7v
            bTTmu8O9WHC8/5QTfUzOBAfgyu4CwF3YLRZd81ERtzO/udNYgGO3bifofCfpv+nY
            MMyCbGxoiAfBWcAHhka+8nMnBj0as+ln220O99N6zH1rTmqqDxRQkEiYek1MqEU1
            f319u3KqB6STWmZvjlwQ5AhwSLCLT2VpIJX4CpMClWlLb3E2rpZ+B1uBRMQQ3fMe
            jSynatL2vXn3rKWzxIEIxA/BkVKQ8zXgOT9JyqyCZdHTvjEmWuQitILi7wKWJb7/
            qhTGEBoQbjIKP2Bpso286RKhS3erE0wqLeXXFb7e6bkEEHXa/jVHCZk8/qDcAAIB
            3eIb5SNnLxQwo07JlWdDPzCvqeC4fx5AWxXmHsKWI+91PA0jdNjcEPt2sxwAEQYq
            LWBW6BL22Hqo/VOBXhM1T5mFKomqySLSrxTYeWXtJLZwh0aHbm6RyGGMjHpCiU3S
            XgE8EQeKefLHoTixb1Rl/amIvtOUUcTtdqlyat9hhIdMl/7ZMesmNuD1ZsEzdCJd
            20/DgHzFE7WvZKrjt73GDETUjwLHZSl5fydQMgcNFgzU2mdV6nYNhF18gE/af74=
            =UA8K
            -----END PGP MESSAGE-----
          fp: 91213ABAA73B0B73D3C02B5B4E5F372D17BBE67C
        - created_at: "2024-06-20T20:01:32Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----
            hQIMAxjNhCKPP69fAQ//RVzQX4Ua5XZHTIe7ffYiqMxy/KoJdbCxpgjbdD0sx2ou
            zCB13t13UkLjLo5GkTE7kRGtyKOdhQ/7NUA7tOZ+rwWOq3NehOTLfU0wMkgT7tOh
            byWwNHrY9VHz3ndFnya5nNcnrqILA1rEn32PnioNyWcU6832jyUWvtRqwF+JRrKr
            yRJMvz4T8vmLwrxqarB1uqU0OVHXy8bq8d9/pVrAmk6+C/H5FINFlApD0dKYftd2
            phoTSA5WG8j1e0v5p4+r9cRHlYXFMinMMkpzD/JMyNB1WVZ9aGQxU7WiuYzuv1bh
            PKN/LEgfh3ypI8W960NHv/OMRjVs/VxA+G3ml3Lw6acRnaLr++MhF2G7ZBTx8rgi
            fjyF6m4XtacwIKYZ7SNt9eQewGI8VU30o8np33qb9KeOt7v8PrMH1G3X+bTLnJGw
            VjxjvaBaePmPplYYS7xaPuUnzFNabDXTE8XCQpdJMy26ef77gaWr6TQwXbRlZXrx
            S60EecMLwUj+daR0PkVBkCDxXkW8+0uPkt6EEn5rmPdMXoh4DUw+4A14t7yyUU50
            j3M9tv6DuYs/KhgZYfLe+6hVD7fY4lAs5Ge6QGLA/TljAatE3zpSZQK+b7C4HKJS
            3eRpcAt6CJFhXaCBwl4+gigrg3voX1ykh62oqY/4ecKbAiiVXLIrcflv9kx2Ht7S
            XgEDhoIRIvXoOUy6j/qjp/OFxwu5y6MpBX4vHxlpL36daL2yShMkCYyY3ajea4eX
            9k7B9fpRu3sjbDTNr1heffI+5n/HKc8j9a52hzu5eF0e+v+vKY32uk1jlUhZdj4=
            =R/pX
            -----END PGP MESSAGE-----
          fp: F38C9D4228FC6F674E322D9C3326D914EB9B8F55
        - created_at: "2024-06-20T20:01:32Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----
            hQIMA1Hthzn+T1OoAQ/+OHZshi2zBfbVQ91WKLqei7bT4CZGiPxQsl7aogv8JkyL
            D8p+VgIReMvq4F5QFaIsA8yqMSnjxfIi5bFd9SKjuhOKvuQjyh1rSsFb0t8ESuYi
            fHBnVw4tDNfTEGQa9YhNJPTq60TwR4P2xYFEgc//AQqfs9XH0cTbvkFS9dkug092
            u4yJfB2aZEJa0Eh0AenUYzP13bFH0sJwL1hQop1v9gF44JeKHpRNd0Yixlp0Yucs
            Ccww+WaNFVQ4+zvyW7MnI8/D27/SQGRXXqQE6sOQlsg5SUzF2vIpYbIeuu1NR5WK
            v1ZB0DlWVuOshIB7M9WUCZcAS5cMAWKc1vvZ/K0l+6tNskZvGE4p/lv1bmZ5zfc3
            gT/2L6ENuoKW7RoF071SsG9Xn7VJync+iNTtg0m7Je7HRAZAGGc8vfIkrTXAmoIE
            QkGuog0R+EZxq9L1WMbppV/bnbBxiutFxwWOGTxzsn+DksVrVLvyI/EbHJvcEwzN
            hISPFmAiCEKzGAGfaO24F5Xcs+U6AgumS5V5kwY6zA/kZpJEdQm38rcC12ZpXR9C
            oHGs9ACtgf+g8H3/Ks5DL48FTbYuZADamVA5+pV97B7xCS8TxYChuFNPLwU2s52G
            liiZV9NevlFlbsXFZS/EWgR8b0aH9Nhjl5TAPOajBOu0Nm/83XEP9nbbbjJjGRHS
            XgHop/OMkJRuZZ35JQjUS6dIBzSivqplpr51wHbyilxbvOHdvuu6w9kqGY9VhuVt
            nCszg+IQ0SM8YFuu1M5UPO4txYQTHx8zO5SD/d8kh5HEu9fmTNyJXblRcyAzYZc=
            =TxDz
            -----END PGP MESSAGE-----
          fp: 5DA93D5C9D7320E1BD3522C79C78172B3551C9FD
        - created_at: "2024-06-20T20:01:32Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----
            hQIMA46L6MuPqfJqAQ//co7jg6v5QUB7eHXJPMLxsgtbC/VYp7C7QqXQda5qhohW
            t0F9lysBybhIGoYuvfZGzNMYqqkVpFxzlOO2vFlcYFsQhjCpJrHBWYT4XOmIBR64
            6Az/iKqNLS+cG+rFIIuc8BqRk3r4lrM32dCqz0a+3qRkdmbff4yKuzg8FTPlv1RI
            O9SzRqfptcKDXItnQF+8CAziqcGyy4jL2wnl1Q2I2Pksr+Zw1eZVbFfHmCpG7A5C
            TVihozz51jeXlggDp9/NPJOQDsmV+KdpvNx2Eqj6PQ6aGWtyYv5YZG3X/eRKW90+
            qUOJxwpW5KGcROnuvQt1AggcXquOTLHFyJ85M8tpJcl+JYVZsIeNDo+LO8sbrCTA
            cjp/YSLOms+GullbGAwrJh4TYtwJE9sEKr9OAFUvd+AxVFWj08BqMe1eN5YBbwwB
            vNurVdvjE8jaTCmZgPPOIP5KXSrsG8bA02YlZ4MnzodYidIhTudJ8VB4NYCtNgOL
            G/x7h/KA5KYgDWEtr21z2oy0QkGijtrcNa02GpslirjufZ6TPGCbJjAeEsPbYBm7
            mDXm5+PzZpb1pbcSVNlVG5Ry73JrZxBpYCPGnxLs5yAmWOlNa/xcgDHBU+iXyVg0
            Wm8pHRAVNfbvL7NB8yeaxSDoTSE7/BsisL6tUHoV+bdlpVsTF26bQZBc/zhxiZrS
            XgGJ8ChRZbpi2qUzP4nA2jPkYtQ4cquA+ftDx4i+ZqVNtAhVSnTiBZoYu/21+BUB
            oxDa5m2vD0s0t0fGfmmIvpLZKZIF7NcwnCdNVQve/D3qNNa4T3YnXb8JTGH0PYc=
            =mu1s
            -----END PGP MESSAGE-----
          fp: 8996B62CBD159DCADD3B6DC08BB33A8ABCF7BC4A
        - created_at: "2024-06-20T20:01:32Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----
            hQIMA4EEKdYEzV0pAQ/8D4mAcC6vsHLkSryz1yIYoBqqtJnG62pITFEbafhVLR6V
            nWAw/zP9DqNj15MsrM67xaQxlMVgkVM7QTchgp0CjXsyZ/gWPgDl0NaC92Uj93Ov
            Gi2OpkfHQFaAW6JsAFl5NrF0ZBw/flx8X0l2klIxBV+ztpkLADEtXWsoGsmz5L4m
            n41icEp9+nb9nwy7p+Je0s4jZCBB0sVlbkX9i4IpMOgEhA0HcWemc940VJp3UyRg
            LkOs5C0J4Y4qjS12248y16gV/IhNaJ4PCPgVwSj1Xzz6VXauQosmWhnUbnqJbi3F
            KWEV0IJJO+dlj5VShzFDnkN2bM1GeyQx1S+FkNp+Mmm6JNrUK+CZL8fUYka06O0V
            DD/sg1Pyq8VawNG5RxwAWA5F1F1SIrJzF0T4HyIN1UFRCjWC466sdrBTQLtx472k
            NdBCvabHS/bx5miPKF5iglJYzz4biUdevc3EU7q4hwgMYM2oep3m2EsaTbKWzjnY
            PLB4d0bCsRlya0YfHaFX5f3xSNb/FzBcUlTHzX2asyB2DolMug1VqS3jCEkWGbk/
            vfNfR5yRuwkwNlJRqHbGIfH7fYEgwSTW+VW2iUdY7Dra7xjgTzqZgLi5W8QwKJqq
            1V5H4KlRQNYwloVJzQZCwoPcY+tBfTZ4LsDKtjyJzFY9vdTGGGqb9lAG7YBUdubS
            XgE72UuZvbPQZuI7uVKMEORGVssQjwZFhs4InR/Ixe03a7hb8fdRHfu/ueS/3KQx
            mRXVino/iVQ6M936mtibfeH9TpBpjqH8sBKNHv2hgnoap9QpkrVn1yWqrOcpht8=
            =+sXL
            -----END PGP MESSAGE-----
          fp: 9DFA033E3DAEBAD7FDD71B056C7AAA54BE05F7BA
        - created_at: "2024-06-20T20:01:32Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----
            hF4DQrf1tCqiJxoSAQdA/tIZCvQv0E4dHN5jBHsAGclKEeLFhyf4lIQx+xa+uwQw
            /VGCdNT8U13EawRC66KLXRrRgsNPpwUg15wAoTzQ8gW/tLpgvL5nsEYPfaowYwBD
            0l4BmNV4o4J+NHF7Tk1af2kx0pp6kF9eJynn6irr336tGzY004lZfZlqwgeOk+qN
            93XcSfdAOlIktfex1q1oTPrSpGIv32zsLPoRNVa50dO+IKu1tmYAxi9N9sQgbWa4
            =rnF9
            -----END PGP MESSAGE-----
          fp: B71138A6A8964A3C3B8899857B4F70C356765BAB
        - created_at: "2024-06-20T20:01:32Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----
            hQIMAzdAjw8ldn6CAQ/9HNG41mTgq8VavF9DBX7+upnsmoDtwblck18l3rurJ1mo
            k2ki7tWwIxRyLLHtsUxJ9S55cmXuhhPJK8Kzc32SnY5irDkqK/4JZnDvofg+z68B
            8pQOunN1BQp50k8vd4Mha43re8s24iqrM+fj59uHM2YYsQYt9TCR/NvUopOdi6l2
            8OnKI2KdRvYhtzzCY3wmQKhG7p0hc8y8pP/0DmPW5IGQ6OP4zO+Qnc4EbVnA9Uhr
            tZ4sTNn0o80kfvILKANkAm81v86KdSRXdd3+1IpH1c7rTqm9o+DEm8nKnwWOF63O
            P0klsYLlfqiZyQ0AyS67RHPTw/y57mAyWVFbABDLtXQQHWcIkADMLKTJLpnhKkRn
            Cp94EXBBBwViAUBUzzskE4lgKXncl1h5ogLum8btU+cLky0qa8Hzie5QqszlErf8
            fci0AEHV8u+Kf5EARf1FiY6K2aVnFOJchdeL98qllwRu6f8zz7+bfLq1UXcGBlQS
            JnbAlXiL4vEBxQyW5awYYzpaMUTW1ejjujZUitdaUeIQJdv/IJvHe9y6/F0uukdt
            AMrDI7E+JKa6hLPe4g6H1hUzh6GcaHuNU9z2NSDfzxcOHkqALsCDLVDxsjPhahCc
            UZkSn8ebyqv7/jpTgWnsls0Fx8XqvKKJNoqXfK81oIvWlJsEwqSaBczkq9HQbO7S
            XgH2N8XPOJWmqDc+xS26eERNJ8ZlhYaODWwatgqt2si6EdBpVRZL4PXsOrOlI8Xi
            Uaag1/Uljqbk5mN18+CtSfSt0ded79d44B9zAbc70hgvkRrpcotDBnO8YQ9MxB0=
            =O0Sg
            -----END PGP MESSAGE-----
          fp: 3D70F61E07F64EC4E4EF417BEFCD9D20F58784EF
    unencrypted_suffix: _unencrypted
    version: 3.8.1
--- a/config/hosts/mjolnir/sops.nix
+++ b/config/hosts/mjolnir/sops.nix
@ -1,7 +0,0 @@
 { ... }:
 {
  sops = {
    defaultSopsFile = ./secrets.yaml;
  };
 }
--- a/config/hosts/mqtt/configuration.nix
+++ b/config/hosts/mqtt/configuration.nix
@ -1,10 +0,0 @@
 { ... }:
 {
  networking = {
    hostName = "mqtt";
    domain = "z9.ccchh.net";
  };
  system.stateVersion = "23.11";
 }
--- a/config/hosts/mqtt/default.nix
+++ b/config/hosts/mqtt/default.nix
@ -1,9 +0,0 @@
 { pkgs, ... }:
 {
  imports = [
    ./configuration.nix
    ./networking.nix
    ./mosquitto.nix
  ];
 }
--- a/config/hosts/mqtt/mosquitto.nix
+++ b/config/hosts/mqtt/mosquitto.nix
@ -1,33 +0,0 @@
 # Sources for this configuration:
 # - https://search.nixos.org/options?sort=relevance&type=packages&query=services.mosquitto
 # - https://mosquitto.org/man/mosquitto-conf-5.html
 # - https://winkekatze24.de
 { ... }:
 {
  services.mosquitto = {
    enable = true;
    persistence = true;
    # set config for all listeners
    listeners = [{
      settings.allow_anonymous = true;
      omitPasswordAuth = true;
      acl = [ "topic readwrite #" ];
    }];
    bridges.winkekatz = {
      addresses = [
        { address = "mqtt.winkekatze24.de"; }
      ];
      topics = [
        "winkekatze/allcats/eye/set in 2"
        "winkekatze/allcats in 2"
        "+/status out 2 winkekatze/ \"\""
        "+/connected out 2 winkekatze/ \"\""
      ];
    };
  };
  networking.firewall.allowedTCPPorts = [ 1883 ];
 }
--- a/config/hosts/mqtt/networking.nix
+++ b/config/hosts/mqtt/networking.nix
@ -1,21 +0,0 @@
 { ... }:
 {
  networking = {
    interfaces.net0 = {
      ipv4.addresses = [
        {
          address = "10.31.208.14";
          prefixLength = 23;
        }
      ];
    };
    defaultGateway = "10.31.208.1";
    nameservers = [ "10.31.210.1" ];
  };
  systemd.network.links."10-net0" = {
    matchConfig.MACAddress = "BC:24:11:48:85:73";
    linkConfig.Name = "net0";
  };
 }
--- a/config/hosts/netbox/netbox.nix
+++ b/config/hosts/netbox/netbox.nix
@ -11,19 +11,9 @@
    enable = true;
    package = pkgs.netbox;
    secretKeyFile = "/run/secrets/netbox_secret_key";
    keycloakClientSecret = "/run/secrets/netbox_keycloak_secret";
    settings = {
      ALLOWED_HOSTS = [ "netbox.hamburg.ccc.de" ];
      SESSION_COOKIE_SECURE = true;
      # CCCHH ID (Keycloak) integration.
      # https://github.com/python-social-auth/social-core/blob/0925304a9e437f8b729862687d3a808c7fb88a95/social_core/backends/keycloak.py#L7
      # https://python-social-auth.readthedocs.io/en/latest/backends/keycloak.html
      REMOTE_AUTH_BACKEND = "social_core.backends.keycloak.KeycloakOAuth2";
      SOCIAL_AUTH_KEYCLOAK_KEY = "netbox";
      # SOCIAL_AUTH_KEYCLOAK_SECRET set via keycloakClientSecret option.
      SOCIAL_AUTH_KEYCLOAK_PUBLIC_KEY = "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAi/Shi+b2OyYNGVFPsa6qf9SesEpRl5U5rpwgmt8H7NawMvwpPUYVW9o46QW0ulYcDmysT3BzpP3tagO/SFNoOjZdYe0D9nJ7vEp8KHbzR09KCfkyQIi0wLssKnDotVHL5JeUY+iKk+gjiwF9FSFSHPBqsST7hXVAut9LkOvs2aDod9AzbTH/uYbt4wfUm5l/1Ii8D+K7YcsFGUIqxv4XS/ylKqObqN4M2dac69iIwapoh6reaBQEm66vrOzJ+3yi4DZuPrkShJqi2hddtoyZihyCkF+eJJKEI5LrBf1KZB3Ec2YUrqk93ZGUGs/XY6R87QSfR3hJ82B1wnF+c2pw+QIDAQAB";
      SOCIAL_AUTH_KEYCLOAK_AUTHORIZATION_URL = "https://id.hamburg.ccc.de/realms/ccchh/protocol/openid-connect/auth";
      SOCIAL_AUTH_KEYCLOAK_ACCESS_TOKEN_URL = "https://id.hamburg.ccc.de/realms/ccchh/protocol/openid-connect/token";
    };
  };
@ -31,12 +21,6 @@
    mode = "0440";
    owner = "netbox";
    group = "netbox";
-    restartUnits = [ "netbox.service" "netbox-rq.service" ];
+    restartUnits = [ "netbox.service" ];
  };
  sops.secrets."netbox_keycloak_secret" = {
    mode = "0440";
    owner = "netbox";
    group = "netbox";
    restartUnits = [ "netbox.service" "netbox-rq.service" ];
  };
 }
--- a/config/hosts/netbox/networking.nix
+++ b/config/hosts/netbox/networking.nix
@ -1,8 +1,13 @@
-{ ... }:
+# Networking configuration for the host.
 # Sources for this configuration:
 # - https://nixos.org/manual/nixos/stable/#sec-networking
 # - https://nixos.wiki/wiki/Systemd-networkd
 # - https://wiki.archlinux.org/title/Systemd-networkd
 { config, pkgs, ... }:
 {
-  networking = {
+  networking.interfaces.net0 = {
    interfaces.net0 = {
    ipv4.addresses = [
      {
        address = "172.31.17.149";
@ -10,10 +15,9 @@
      }
    ];
  };
-    defaultGateway = "172.31.17.129";
+  networking.defaultGateway = "172.31.17.129";
-    nameservers = [ "212.12.50.158" "192.76.134.90" ];
+  networking.nameservers = [ "212.12.50.158" "192.76.134.90" ];
-    search = [ "hamburg.ccc.de" ];
+  networking.search = [ "hamburg.ccc.de" ];
  };
  systemd.network.links."10-net0" = {
    matchConfig.MACAddress = "62:ED:44:20:7C:C1";
--- a/config/hosts/netbox/secrets.yaml
+++ b/config/hosts/netbox/secrets.yaml
@ -1,5 +1,4 @@
 netbox_secret_key: ENC[AES256_GCM,data:7cVGSlrCo3MEjeLjfeZrL0VZi3+yZqsC3qI+rx+xadic78H0egWCCNaYEHIgtilgFjw=,iv:gnearzPduWcrVLU/FuzS05eNPZ5srX0hqZyElq+19ek=,tag:9MKgFb4eVYE6a5ncx9sgpw==,type:str]
 netbox_keycloak_secret: ENC[AES256_GCM,data:WLPCwl6KmHhyGwpqchZUmTr0XwA1T9asAEXNOSQMfGU=,iv:fsO+Ho18Uz6+y2iohbve1bUKhCR/c2zNrbODR2Jrh3Q=,tag:MWeh7GhdyUJnSzrndA3l3Q==,type:str]
 sops:
    kms: []
    gcp_kms: []
@ -15,8 +14,8 @@ sops:
            V1lQK3YzTWI5ZGdyeGtFQ0E3QXQ3YnMK8sBStC8xBKwpeWkF/HrryWi0hZA69nuw
            a73HiZuED8KEp5OPME3yC6Ode71uEEaE/av2zp7WUYbCqVpWnwcjSg==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-10-08T23:54:23Z"
+    lastmodified: "2024-05-26T01:07:35Z"
-    mac: ENC[AES256_GCM,data:6KwBwJ1uTuOaCTcBs9sgvX+E/bV37ylJmDqYupa3545ba5Y3VMuF2Hx72zzRYPmh5/DmwzDxc/f7TZUheO5jwwwMGGNCYuX2c+nkzLgtovT/yCXTo8vPHNf03fQRHlOq28ztQIG8Ug1s/t4XkA+iuqPdbvyNKLbsJfJBqg4SF44=,iv:SUXPFtW3/pSTBnjAh77G6pJTucHy4VEhUVkELiMJ4JU=,tag:SfLCwPpJuvL7RrIRmN5PGg==,type:str]
+    mac: ENC[AES256_GCM,data:0zWNPrUqpuC/qXOaTE8ayrTbnZdg9VA2NqxSNnV0bogqxVkg8zhbx8OKYfNQ0DswjxKNEnKsqjp62gA678VfRfGHJU5ZoHfAC7kBbrkDy+pMzS6LRwT+7n0C1AbaaG7hienGJQsx2gUUYqu7OSQuS722lXAw65deFvZGtL6lt8E=,iv:mOLkzF5pJFazmH9XX94Hjd04FcgSh0hY4juEO3vKNBc=,tag:lSk0lnVONQCmuO0KmxlL0Q==,type:str]
    pgp:
        - created_at: "2024-05-26T01:07:22Z"
          enc: |-
--- a/config/hosts/nix-box-june/networking.nix
+++ b/config/hosts/nix-box-june/networking.nix
@ -1,8 +1,9 @@
-{ ... }:
+# Networking configuration for the host.
 { config, pkgs, ... }:
 {
-  networking = {
+  networking.interfaces.net0 = {
    interfaces.net0 = {
    ipv4.addresses = [
      {
        address = "172.31.17.158";
@ -10,10 +11,9 @@
      }
    ];
  };
-    defaultGateway = "172.31.17.129";
+  networking.defaultGateway = "172.31.17.129";
-    nameservers = [ "212.12.50.158" "192.76.134.90" ];
+  networking.nameservers = [ "212.12.50.158" "192.76.134.90" ];
-    search = [ "hamburg.ccc.de" ];
+  networking.search = [ "hamburg.ccc.de" ];
  };
  systemd.network.links."10-net0" = {
    matchConfig.MACAddress = "BC:24:11:6A:33:5F";
--- a/config/hosts/penpot/configuration.nix
+++ b/config/hosts/penpot/configuration.nix
@ -1,7 +0,0 @@
 { config, pkgs, ... }:
 {
  networking.hostName = "penpot";
  system.stateVersion = "24.05";
 }
--- a/config/hosts/penpot/default.nix
+++ b/config/hosts/penpot/default.nix
@ -1,11 +0,0 @@
 { config, pkgs, ... }:
 {
  imports = [
    ./configuration.nix
    ./networking.nix
    ./nginx.nix
    ./penpot.nix
    ./sops.nix
  ];
 }
--- a/config/hosts/penpot/networking.nix
+++ b/config/hosts/penpot/networking.nix
@ -1,20 +0,0 @@
 { ... }:
 {
  networking.interfaces.net0 = {
    ipv4.addresses = [
      {
        address = "172.31.17.162";
        prefixLength = 25;
      }
    ];
  };
  networking.defaultGateway = "172.31.17.129";
  networking.nameservers = [ "212.12.50.158" "192.76.134.90" ];
  networking.search = [ "hamburg.ccc.de" ];
  systemd.network.links."10-net0" = {
    matchConfig.MACAddress = "BC:24:11:26:1C:8A";
    linkConfig.Name = "net0";
  };
 }
--- a/config/hosts/penpot/nginx.nix
+++ b/config/hosts/penpot/nginx.nix
@ -1,63 +0,0 @@
 { config, pkgs, ... }:
 let
  domain = "design.hamburg.ccc.de";
 in
 {
  services.nginx = {
    enable = true;
    virtualHosts = {
      "acme-${domain}" = {
        default = true;
        enableACME = true;
        serverName = "${domain}";
        listen = [
          {
            addr = "0.0.0.0";
            port = 31820;
          }
        ];
      };
      "${domain}" = {
        default = true;
        forceSSL = true;
        useACMEHost = "${domain}";
        listen = [
          {
            addr = "0.0.0.0";
            port = 8443;
            ssl = true;
            proxyProtocol = true;
          }
        ];
        locations."/" = {
          proxyPass = "http://127.0.0.1:9001";
        };
        locations."/ws/notifications" = {
          proxyPass = "http://127.0.0.1:9001";
          proxyWebsockets = true;
        };
        extraConfig = ''
          # Make use of the ngx_http_realip_module to set the $remote_addr and
          # $remote_port to the client address and client port, when using proxy
          # protocol.
          # First set our proxy protocol proxy as trusted.
          set_real_ip_from 172.31.17.140;
          # Then tell the realip_module to get the addreses from the proxy protocol
          # header.
          real_ip_header proxy_protocol;
        '';
      };
    };
  };
  networking.firewall.allowedTCPPorts = [ 8443 31820 ];
  networking.firewall.allowedUDPPorts = [ 8443 ];
 }
--- a/config/hosts/penpot/penpot.nix
+++ b/config/hosts/penpot/penpot.nix
@ -1,198 +0,0 @@
 # Sources used for this configuration:
 # - https://github.com/penpot/penpot/blob/2.1.0/docker/images/docker-compose.yaml
 # - https://raw.githubusercontent.com/penpot/penpot/2.1.0/docker/images/docker-compose.yaml
 # - https://help.penpot.app/technical-guide/configuration/
 # - https://medium.com/@social.iodols/managing-docker-containers-in-nixos-fbda0f666dd1
 # - https://madison-technologies.com/take-your-nixos-container-config-and-shove-it/
 { config, pkgs, ... }:
 let
  # Flags for both frontend and backend.
  # https://help.penpot.app/technical-guide/configuration/#common
  # https://github.com/penpot/penpot/commit/ea7ad2aaa096f8d190d740f693f22f3ed1f05088
  commonPenpotFlags = "disable-registration enable-oidc-registration disable-login-with-password enable-login-with-oidc";
  penpotVersion = "2.1.3";
 in
 {
  virtualisation.docker.enable = true;
  virtualisation.oci-containers = {
    backend = "docker";
    containers = {
      "penpot-frontend" = {
        autoStart = true;
        image = "docker.io/penpotapp/frontend:${penpotVersion}";
        extraOptions = [ "--network=penpot" ];
        ports = [ "9001:80" ];
        volumes = [ "penpot_assets:/opt/data/assets" ];
        dependsOn = [
          "penpot-backend"
          "penpot-exporter"
        ];
        environment = {
          # https://help.penpot.app/technical-guide/configuration/#frontend
          # https://github.com/penpot/penpot/blob/develop/docker/images/docker-compose.yaml#L78
          PENPOT_FLAGS = "${commonPenpotFlags} disable-onboarding";
        };
      };
      "penpot-backend" = {
        autoStart = true;
        image = "docker.io/penpotapp/backend:${penpotVersion}";
        extraOptions = [ "--network=penpot" ];
        volumes = [ "penpot_assets:/opt/data/assets" ];
        dependsOn = [
          "penpot-postgres"
          "penpot-redis"
        ];
        environment = {
          # https://help.penpot.app/technical-guide/configuration/#backend
          # https://github.com/penpot/penpot/blob/develop/docker/images/docker-compose.yaml#L112
          PENPOT_FLAGS = "${commonPenpotFlags} enable-smtp";
          # PENPOT_SECRET_KEY st via environmentFile.
          PENPOT_TELEMETRY_ENABLED = "false";
          # OpenID Connect configuration.
          # https://help.penpot.app/technical-guide/configuration/#openid-connect
          PENPOT_OIDC_CLIENT_ID = "penpot";
          PENPOT_OIDC_BASE_URI = "https://id.hamburg.ccc.de/realms/ccchh/";
          # PENPOT_OIDC_CLIENT_SECRET set via environmentFile.
          PENPOT_OIDC_ROLES = "user";
          PENPOT_OIDC_ROLES_ATTR = "roles";
          # Database configuration.
          # https://help.penpot.app/technical-guide/configuration/#database
          PENPOT_DATABASE_USERNAME = "penpot";
          # PENPOT_DATABASE_PASSWORD set via environmentFile.
          PENPOT_DATABASE_URI = "postgresql://penpot-postgres/penpot";
          # Email configuration.
          # https://help.penpot.app/technical-guide/configuration/#email-(smtp)
          PENPOT_SMTP_HOST = "cow.hamburg.ccc.de";
          PENPOT_SMTP_PORT = "465";
          PENPOT_SMTP_USERNAME = "no-reply@design.hamburg.ccc.de";
          # PENPOT_SMTP_PASSWORD set via environmentFile.
          PENPOT_SMTP_SSL = "true";
          PENPOT_SMTP_DEFAULT_REPLY_TO = "Penpot <no-reply@design.hamburg.ccc.de>";
          PENPOT_SMTP_DEFAULT_FROM = "Penpot <no-reply@design.hamburg.ccc.de>";
          # Storage
          # https://help.penpot.app/technical-guide/configuration/#storage
          PENPOT_ASSETS_STORAGE_BACKEND = "assets-fs";
          PENPOT_STORAGE_ASSETS_FS_DIRECTORY = "/opt/data/assets";
          # Redis
          # https://help.penpot.app/technical-guide/configuration/#redis
          PENPOT_REDIS_URI = "redis://penpot-redis/0";
          PENPOT_PUBLIC_URI = "https://design.hamburg.ccc.de";
        };
        environmentFiles = [ "/run/secrets/penpot_backend_environment_file" ];
      };
      "penpot-exporter" = {
        autoStart = true;
        image = "docker.io/penpotapp/exporter:${penpotVersion}";
        extraOptions = [ "--network=penpot" ];
        environment = {
          # https://help.penpot.app/technical-guide/configuration/#exporter
          # https://github.com/penpot/penpot/blob/develop/docker/images/docker-compose.yaml#L221
          PENPOT_PUBLIC_URI = "http://penpot-frontend";
          PENPOT_REDIS_URI = "redis://penpot-redis/0";
        };
      };
      "penpot-postgres" = {
        autoStart = true;
        image = "docker.io/library/postgres:15";
        extraOptions = [ "--stop-signal=SIGINT" "--network=penpot" ];
        volumes = [ "penpot_postgres_v15:/var/lib/postgresql/data" ];
        environment = {
          # https://github.com/penpot/penpot/blob/develop/docker/images/docker-compose.yaml#L240
          POSTGRES_INITDB_ARGS = "--data-checksums";
          POSTGRES_DB = "penpot";
          POSTGRES_USER = "penpot";
          # POSTGRES_PASSWORD set via environmentFile.
        };
        environmentFiles = [ "/run/secrets/penpot_postgres_environment_file" ];
      };
      "penpot-redis" = {
        autoStart = true;
        image = "docker.io/library/redis:7";
        extraOptions = [ "--network=penpot" ];
      };
    };
  };
  # Docker networks.
  systemd.services."docker-network-penpot" = {
    serviceConfig = {
      Type = "oneshot";
      RemainAfterExit = true;
      ExecStop = "${pkgs.docker}/bin/docker network rm -f penpot";
    };
    script = "${pkgs.docker}/bin/docker network inspect penpot || ${pkgs.docker}/bin/docker network create penpot";
    requiredBy = [
      "docker-penpot-frontend.service"
      "docker-penpot-backend.service"
      "docker-penpot-exporter.service"
      "docker-penpot-postgres.service"
      "docker-penpot-redis.service"
    ];
    before = [
      "docker-penpot-frontend.service"
      "docker-penpot-backend.service"
      "docker-penpot-exporter.service"
      "docker-penpot-postgres.service"
      "docker-penpot-redis.service"
    ];
  };
  # Pull docker images prior to starting container services, so that a container
  # service isn't considered up, if it actually is still just pulling the
  # relevant image.
  systemd.services."docker-images-penpot" = {
    serviceConfig = {
      Type = "oneshot";
      RemainAfterExit = true;
    };
    script = ''
      ${pkgs.docker}/bin/docker pull ${config.virtualisation.oci-containers.containers."penpot-frontend".image}
      ${pkgs.docker}/bin/docker pull ${config.virtualisation.oci-containers.containers."penpot-backend".image}
      ${pkgs.docker}/bin/docker pull ${config.virtualisation.oci-containers.containers."penpot-exporter".image}
      ${pkgs.docker}/bin/docker pull ${config.virtualisation.oci-containers.containers."penpot-postgres".image}
      ${pkgs.docker}/bin/docker pull ${config.virtualisation.oci-containers.containers."penpot-redis".image}
    '';
    requiredBy = [
      "docker-penpot-frontend.service"
      "docker-penpot-backend.service"
      "docker-penpot-exporter.service"
      "docker-penpot-postgres.service"
      "docker-penpot-redis.service"
    ];
    before = [
      "docker-penpot-frontend.service"
      "docker-penpot-backend.service"
      "docker-penpot-exporter.service"
      "docker-penpot-postgres.service"
      "docker-penpot-redis.service"
    ];
  };
  sops.secrets."penpot_backend_environment_file" = {
    mode = "0440";
    owner = "root";
    group = "root";
  };
  sops.secrets."penpot_postgres_environment_file" = {
    mode = "0440";
    owner = "root";
    group = "root";
  };
 }
--- a/config/hosts/penpot/secrets.yaml
+++ b/config/hosts/penpot/secrets.yaml
@ -1,234 +0,0 @@
 penpot_backend_environment_file: ENC[AES256_GCM,data:+MJbbAjzslBIYlQ9xe0VzM8ON2U5dktJGGHmoUu0HW0mvU4pRYrQXlWdW85RXAyYU9yOiL6TNAHOWUQyqOdo23whuer2jL/Qe17DEhapE4b9W9JqBX7H0VZZKHS70AgGZdWmbj/bWAROg/qGPVKjZLhgKxoVTVbvAIJEXUDAbGfvHlY3BP67yUTXvbmtd/Rdhn6i1HafY7YHFNAW8SkikglW6wR5igEZMFAefMOMgq7aYmNXOr1bImjCPEko0DvumJZM4YMjmb3Wc97wL7OMP9G/V0k9fRclhOj9+lNpeeCKL+VL3Bgo8vqgrB+WIi4a0EwerT8srx351txrU+ITxoHciRQtOpeXVHWL1snW9o7xCoOcil0NS93D9GhW+Hd75Is/xHN08UHmahF1r71nbDK4CmSiUzZzFLl1oWkSTU/31zBUnllHOt5nDMKT42xiniAJcQ==,iv:vtIlNGIh9+e9W+OebTac+UUQp9glBIolC6KQwQMzDn4=,tag:kBBTu7LVp+3xJ/MstLyomw==,type:str]
 penpot_postgres_environment_file: ENC[AES256_GCM,data:VT36kHkRH8ghnU1oyPpAQZW2LR8GNmG1cQXVjU4f+rGy9hViTivd7qxzMusisy7IcWfVaQuXFvUCT+pCMD/fhSAQZOY/1Rs8LBXJtsuPButOG9Q=,iv:pUjAkvvHjsnzn0xRRmdZXatOgLm9dx8Ggt7lEfiQllQ=,tag:FZRqlcxQWu/FgnJfoukIcA==,type:str]
 sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age:
        - recipient: age10ku5rphtsf2lcxg78za7f2dad5cx5x9urgkce0d7tyqwq2enva9sqf7g8r
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiZVA5WE9JcDBOQVdPbGkz
            SnNkWEJvaUtGaWVOajd6SzJ6aGNxSXZQaVhnCmgwT01kNFRZa09Gd1o2ZURyZUJQ
            N0dwK21vUmk1N1duOVNtV2wrVmlyNDQKLS0tIEJtUENHdXhGcXhRRjM5VkhpdEVG
            Z3UzOGFFUDhwUndoQWtCdHlMenZETW8KI0FjoFG4E1fhOxYiCIxY2BnLOmGcpoyK
            EbDdNFQEMngwppEm9r1KzG/1cGMoIij2qpmK4Jz1Hzgk/6dZwvGxzw==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2024-08-10T15:40:27Z"
    mac: ENC[AES256_GCM,data:hxVxH/BBwYcvbtOH4aOUnI9NnbCfAGnnwE3VQBJBJliOWo9WHm/hx4Eol4vaS+AA2t6AUU7UmzjofX2wSTbqQliDCFCSgbpMofDXP7tmlat+M9Du91fQmfOibzCd84tkqS+TRTFCFX83LmQ7/Bb2mHl77uGVAFYyHX9+IPPEUMw=,iv:w2Rdl2+o7bZRQsOogU6U5DK1UuHn+bL4Ouh3XbByYHA=,tag:6sqJal6+kzk0stP6vK6oOw==,type:str]
    pgp:
        - created_at: "2024-08-09T01:28:41Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----
            hQIMAxK/JaB2/SdtAQ/+JKe4fsuAKMJr6kuDt5vjv+hrXamWEwRLBfYPHHZHEUeK
            AQBs9fG9Ni7Qpelv8RIbxWyophgt2TCEqP2d+7EcGTgDZkdLxx5s2LJuCh+tEZwT
            bm0sPt+8eYY077MxA1ZtlBgkslMugvdnJaDckGc8xRPldUa7gRp0j3yaLULRxjA6
            T0nyALAqAaDa2uHgB7mTB3pXJYk4GxZpYbVc+wxAWXEDRLR/bpT18ywAcA6iSerd
            KGDzWKjgOr1TTJqUxsguqDjnVp1c+xRPirC9uENGqW8mxI7h1+4B//dJvuXV/cYh
            LKi0aDUTnma78mo2v9faUSJl23LkIehWZwbVG/+Mpkk3yxscLV124Vbwj56IFCzI
            AiJ7m2QVxY5eXoVLodw6Po2S62gkwg7H5Aw3J4pppNuIAIr/8mJBpJoBy6poTsG3
            QhbQdEdsF5ikoLu/OV/H7mp86zJt42Q+74xGjKYx/qvLq6SDmDA03kqk9N71URyu
            FRTEDysEkeAzreFFkxn3Q+K/cXvtv/2Knte1lmDTfpmhg4cFwsLPLPH37A2veaxJ
            JTyWDLHgrJ8NFgii3gLrwj+XLOZOwmCY0puJKtdAnPaaQiLfyqYfeLVlt7Se4MMJ
            8XaFWcaQHBxL9nRZnx7WkE9LfHIG0e+414hT0F/aER+8iKboIbt6rdEHpEMGDWnU
            aAEJAhD/TpW7E+yYjFVi/xSQ3kCAruHcm6x4BDTE7by0VeTLiRFW+culxiInOYiD
            kdp+dATm5f7IrQp/qemL02/Me5yqURZlZrDHra7AiCI+MVBJiCRIY/x6xZSew7PX
            HC+p9sB+PBFL
            =1qbt
            -----END PGP MESSAGE-----
          fp: EF643F59E008414882232C78FFA8331EEB7D6B70
        - created_at: "2024-08-09T01:28:41Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----
            hQIMA6EyPtWBEI+2AQ/+Ijn18W+K2je/hpolpY6HmQMTTRpQJZ8YtJ5G35o5WoVP
            hH+znQMrBBAtnTWeFBeIuIzk4CHjPS0yfnsE4/rP7/lSa177A2xaeiCb74F6k/Es
            MtDE/TApSlNdPFruN5nkd2I8jAWh1k37nS+/NUhszReR39NNmgA+aCSc2OK04aAz
            dpPXmaJ+d3zMr7eFoL2NyhNI3A/ZdVP3UmZCp12juckDRl8oeei4PBlw2T6ODJP4
            tY08I9EyK/5K4auhYJyvayl1RWwRuShFV732ZjztkawLw152W0Rrg75Qoukhs9mr
            TdyF0zcnVxAcOV4e5wRe13dDV6Ue7zeWFc9bb577thGzUm2Oue0u+oisty16qt9K
            0vw0tVSDtT/suodG8HpvSwGQ+/xcV7w8XCH8Yx28N9iO49VZCB1ZYXQBxTHVDl2b
            J/8AivaK4OOFvPWNr4u6oLaO9nz1aaX6Qsap5zn0Qa2Ls2SSBwWk2Fp/f1dq3KOy
            /jGR89ocuEuImVacr2G6zxPnbukfa4S8q/FUUDbswQUqmWMcDDq3dOQ1fFPRd7vy
            5a9u3P8LFW+ZPPHop3kgozgZ9pBGDOlw3nkjGjFl39lE33E+049gLE6I6+1+umG0
            EWkNI9y8X+HmHMthVuYapq23Ix09H6Wa452hZmEUxNgp33M8Zx+l3s6D7o7jfrjS
            XgElPJuUWyGKPoUY9mFaINyVqjOJGEtEOYRP7jvCpFWDq/xQ8jbJvvv7qBy8+i0b
            cpqRrMJrvMB2PSLeD6cNWymrNhKilLLFOcG9yaIEudDhiuv3L4/ub08QMroDmo8=
            =80AM
            -----END PGP MESSAGE-----
          fp: F155144FC925A1BEA1F8A2C59A2A4CD59BFDC5EC
        - created_at: "2024-08-09T01:28:41Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----
            hQIMAz5uSgHG2iMJAQ//Vv7IVqc9ReeFgo8RWbYpl1W5atAHerZuUh0oYc4otGpb
            UseJ2JInyykcUeQWlOGvTK+eauBVNET0E/6jylCoWb8lzffhSMJ4FFpvpsoYjPG9
            Q8s3r8soOCYB0xscfhinZwJg5to+I2MSd8mppWIp4UCQhxv7MqQpbqEzNTfVP7YO
            QEUZ/lesVovLvxMzKc2YVWyZFSW2G6HK3LTaJIg8gy5ym/crlUB+awd2ZDePGk6F
            Y7DcKwL1EpCL+hoPWGF9PclYKrOBIZVznYQuwHAqG+Bxr9Ln/NmS/OoCrJDMN6gG
            2YMZ3Q7GQ82zZESxYA7g+ef9/lGCm7DIkt80or72x7eS6/OP7c1bjGFgKLQNyHFU
            Th6cOy/TzK8Sq2g1mWB2zyV3xk6mb9C0ETAFD5vvPGVC3Sb4549Y+epe1T3ZLFTA
            t09nUIpTC05PEdGsWs5Z5MDp8ZCsPZpipbVrWENesNOfaFYG+p7aM0LjgTqZcadD
            B/Foejayc3XYI0T/NoP43mAZ2nEOw2Bz9lBpwz0PeTfzyrhz9XlJ7Dw462XTFA3i
            voTHA5+DzGNPf6zC1fH9GcESmpC2nqXit8ZV+Y7Zb9/cAsx3E05S8ayxdBZUrOtJ
            JSWGOAfPuzGXgL6Ht3iKcmCxQ/pSi1aH0h+bYqlrxTvP9IMyNCrxmP6+YsXCv8XS
            XgE0NjzRMClq4/HhQ5X0ANGHWxbZJLAbm8yfgK5rnnmvi53RNJhRUHDnNca93brF
            n27gnVLKM+2FdwRjwNIznkbZV/iNM6zIfRWwmJs9gHRuX/J/XWzD1KjDsn2rmiQ=
            =bAYZ
            -----END PGP MESSAGE-----
          fp: 18DFCE01456DAB52EA38A6584EDC64F35FA1D6A5
        - created_at: "2024-08-09T01:28:41Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----
            hQIMAw5vwmoEJHQ1ARAAkdXjf9h4iyYtKPwR9V8hgIfpt3s3zMduuJN3u76ZHdfE
            87t5K8eL2yIVN2DeOqtXRG28Broy3LLwMlLOJhxVxS5LAOEjT4ScZyb9H7MLnDsp
            boW210SLkeQ5vTW9hgjAU9V6wbemxoiNPYTcBUsuirI8a+jpnALLY0jeOILBEmHQ
            c+wbeo+VnlTQkTKCFI7TwlG1JnRnv3DMATVkOjC2PXmXPNkhr04Ivvf0+yBELY/1
            hLirTfk/W6vFodPaoaRaeWjGJOo+FbqKLxr2xYzVu6SkF+i4CvDPb1x0t/laTpPA
            qC6KJ1wyVwG4k7ZBLgRcf5Scn1zgGFzZexUAhdIYp0tKPycphUQxEMOI8/OeBP1V
            68gBcilvv42zs+ed2RUK4j1e9YklxazZgaUhPfdrBrw/HiDJ8ILaq6LQQZSNrxZx
            koAV/qw8ylU7vkciyA8bGLOiWc/Ub9vkRSuEi5TMOhmT7bVZ+W/26bWgDcAMmCpa
            13H1uLXLuHnfDavdesh+RAxRgEavPTMz+HFbqhvkv8sy0RPCodyJv69J7dsS7a2C
            71Ub7jyZIQyRtTGGZH5EjMQVStBMccE2KrJRzZCKbCmQDofKb4M67caaHBnVrs7D
            vyx8V7JQGkNOWIgWFb23dtCtRiMzFaRk31mihFmFF2tSgg6XMqNmTp0pc3zQBarS
            XgFZKRlYE7H1tMUCDwyKB7G3r1jsxBlUSbH1J6XjUBWKkTD4iMHI/4YStvghLjm2
            0qqgKH/Njd9xBXc3x4Ut7kh8tFMMa07xF7/V0Pgwq+7J7EgckEfKHKA5vcQt17Q=
            =23io
            -----END PGP MESSAGE-----
          fp: 87AB00D45D37C9E9167B5A5A333448678B60E505
        - created_at: "2024-08-09T01:28:41Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----
            hQIMA4HMJd/cQYrVAQ//RH/jOrYE9MD9IjkUfsQZ79rjEwDdtmsXs+gS/XUr0MpI
            f/aDyw/vfvD7ZgY86yqp68x0OQLIyRIx9O05FNB3giVN4YFvZpFblLotpMzCFa2d
            5xKLIQ1oviDSnE0kKpNM+QKITKjCxyke7MgW/laXvF0zMaVdPj0qo3Zn07MUKULs
            btxZgPhzwWLjveZGn+72QiBGTF0ce49TWoh6y/l7PDsXhojau2KP556hI3rp/nC0
            PunbLVRntpz+bOoyOk+xvKen+8b/Vwp+GYA2NBDbZSEY9H3YF5ugZBR/jUc8da7D
            9EBA35udmQVKtD2XZrIyfhETC1eqLXORo0JKld5oC03JPkqvV+QpMF+8JBjXe1Cy
            qI4pBmdhTJYFoJHpvMH7eC4CWgZZRMD5mB2nk1hYd9oIiYUPABfdeGxKiFnC8zHH
            cEY3jgGzetZTxnpk2mxZvFMMwFqyOJA2PnwMTv3IraARkFrLxGzUIG4uOjo+l2fp
            igOKsw9p46RR1gkuKF4u3yB3/1RloDyqGCU1/n4BCWy5/UkjSQpWKShZt3qMd2G2
            A6si2zgSHIQ+ubR7MPB3Q3U/Rnw7pSbTbdDc73pZ2SPZfUuJplPSDUvXICGlj8cO
            jO8s926qp4X9C4mi5um6EX5nLG+pfuKowIBdB2HWmxu2idwyrmNdlIgAcWcteazS
            XgF9W6THXau4lEmrBqWEiC0K/9NA0cDJqRdvj6wqZ/OIAo86q3yRlm8yY8U7D00j
            wNS8WSHq+EX0K9LpwQiHAJoxNXABEx/DbRqVeuLn2FaCocZigbvu3k/pePuOsK0=
            =ZLl2
            -----END PGP MESSAGE-----
          fp: 91213ABAA73B0B73D3C02B5B4E5F372D17BBE67C
        - created_at: "2024-08-09T01:28:41Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----
            hQIMAxjNhCKPP69fAQ//dCKpiens8kqp+I9HtwP2CQOVMLLAle1VYB7pJ5pfcyzI
            /3tAmwcxBmg+jhkFiqheBQYV2yNmBMHc5ulx+MxSDKd9mzCTavlGlE+intPjON8k
            sis68RnU5OFsnGVXSmJji1vN37cCY4jHkf2vYzz6HJ6FLPrda/W3ZfXI+ZnOCao5
            wGYrqPcYUj+7gnN1S42HM492oqeCNLcENDvegf8AxtBEgfp7UQ0V3ZC0wZEYhz0V
            p9bdivFoEZ3Zo0sJTWKj3Df3IA5T6c4dbSPj8r7IZ5iNDguKAjvegXujco7pow51
            fNNJB02hnYHLMRAbeRqaWyJ7qUQSWbQEgb8NuonspnXnajKc/OddgoTN91gTRgMb
            op2T3HOFv3lKZPA/xIeDZpIm6GqOW6eJLjqiLP39VGvvNRYg+zxhNg/ZBVkFuSAf
            U5uDPUyIAr10zdm7NqJKL8wKRbQzBg5OYovrXqSl96+KNenJqbMNv1N7kfSF6FuF
            x8joEDXIaBSwINE4oXD5SN7Z5L2SuuMJ2nvuXFmmXKerRlrBiGsBzUVMt1bGqKEU
            KoAAwbInZ9SprSxqJ1EkSVXpNGnFFNlbBB1j2u9BoGygOkVM4ZxIS19DBDLG0Tls
            Fq6GI5d3axcf7t024UmwcU9yaP1BzrV0bDvDg3X+Azuo5JqpT3pSUvqv+Sy1C3nS
            XgHK1C7XTOfcvmcxJ1f++xELwRkgNo1OqSG3cIZ8i1tKZFKTyYCiNHa/ajSr+wER
            4phM7Tdr6ubjLkqvDkMeXvtiGyUoAvbtLC0wqSaE8sEZ28eFGEAaECV/uOW81X0=
            =0jv9
            -----END PGP MESSAGE-----
          fp: F38C9D4228FC6F674E322D9C3326D914EB9B8F55
        - created_at: "2024-08-09T01:28:41Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----
            hQIMA1Hthzn+T1OoAQ/9GTEI65w8icqppqTuvQD50vaR+lCY1NjWT0HekgvNuCLV
            4gL1cYv7tJ5UU6jOnREoScamWnUTYf/sLINIfa+FgvH+apswQeQCFrdCb8/61/Xc
            3hsJ8gwmguP1zJabKFI6/Yo3vPPa+kpj0Am6M7dUUxEKw4Lqy6Hc32O6ULNJOvdo
            56oqr6KoemrpU0TzqkKTpgAZaQjFfVzPWfC8moUL1pvxrHm7rqDPiYcl7fZP3JFD
            gQMZokH205u1elxiFxuQGtW8jbeBqCZUm1UorEgD2EJYEPfyphIaHaQnCpW8zXkI
            gt9QT3cqJpGJAobCPbh6vKPtbGPEqZOzOaCMFl07pkOSGPAVGMVfV+FdsfszPYY6
            Rqsk7zlCFv/iNFWKpkdfI66JLvhmgNwXRv+rkYzH3QrQikjLmAeTzyL69SPujgDK
            qXBRZiAPwEDScr2Qcum36jDVrT3jRfC1opzwpRxM2ompJ0F6caBPNVjY10BScl7Y
            RWVmkFrPL9MdEelFLscG17K+y5S/50sLcU+sGbMkmPsmizA0boK5XBXJz3cTadYy
            Asr2b4aWTqBS5iW1vbWIGJVrUUk3U1S4fFaSvsL3I6O0E+sOB3eEEpQZqpF9Genr
            hCE8GVE5yQWb3YYK0ZA7j4u+dwA+QfRIuQuMWFoRKp8oqEitjjix3je2R3u8/ILS
            XgFcAp8Jh+VbnQg/pq92u3dX6afGv6nENpMVPn73yob+sfE5xUFEfEzE1E1WCWdR
            HiLZVOgpVOYmo2s8/UW60hLNBULpqyf6ZTQsr7IqaGw4g+Ew116cwDawywRSJMg=
            =T0nI
            -----END PGP MESSAGE-----
          fp: 5DA93D5C9D7320E1BD3522C79C78172B3551C9FD
        - created_at: "2024-08-09T01:28:41Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----
            hQIMA46L6MuPqfJqARAApsnPRzTCIkbKT6jaVHixgP6wyCjfVmvgb0NnMrN2Ygup
            pafb6GNWoFq9WdiSqwFIJPZlZxJFiIgSxplDI63Wj1MgfvQBEnKUQvnvR+UtnB22
            bGr9mIrq/wKgslhPLFB0qT81RK/GqJKvRNpI3trGmB1pBnDdb5jiFeDHStv41XrP
            hezAvmDGBKlM74fehu0pKOanIspyvFAjs31NULSHGJGzBxyM6OGcg/XLt9ea6bI5
            jHwu3+M/7nixjtaIdCtEFPv/Mdimq9p64+c6AvbEVikUH/omRebRFIRrJCotYENT
            ak6/2F+Fze2cof6pJPaq1KTF7LQHi1ZaQ/N+YNDsMJIYYuX3lVg/ClEjeo5k1HJ4
            Jc+ul2KF/dAh8UsJPIdhJDlxIPdnof7xBLax1xmOQTHpqsfhZe5BP/0KMeeXzG6s
            TlozMaCY0ok4JiQmiJcs+TjHX+uiiih6Wi756v7qwpCk5u3/BM+veHB/slD5Xezn
            KmuHzwcbaP1n5JlOtv1PLAPfqX9EDsAVr2xhYTBISZiIKXyfagUWzPNX6toYtBfV
            cQ/m9nfc5/STna7XGucnKkYFG5U2a+olIqCcbbNkN4NcW5ly0M5g1VW3oh02NO8r
            A/4aU8ECj+79XXx0XCuVojnkGdTT3SQex7bkV2stBpuc5xfESbuOMWXgK0qZrYrS
            XgEfX0ySVVrCxhtJgsQvZl0zrOwIttomV6hlQgo+n23HNPwjEf4nf1p2sje0uPvb
            bPC7u5y1eDdy5E0XyWkAg4hxPLg7yOj7ET84Bg9S3NE8cE0nM50qL0N6aCAb4II=
            =Is94
            -----END PGP MESSAGE-----
          fp: 8996B62CBD159DCADD3B6DC08BB33A8ABCF7BC4A
        - created_at: "2024-08-09T01:28:41Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----
            hQIMA4EEKdYEzV0pAQ/7Bx/s7WlB9TE30vyqVWw6H4DoZS8s03Z21tDAtrUEK+k5
            QtMPvAIE0SG4lXersM3L6VMmhvPQlwZf+zSzBnO0J5vacvMG8dch4/ZH7YTM0VX6
            T0Ix9ScamEI8J5Fr1LAeBoqtTa8n1/3N2ILBVPRTTX5Wu4lSUw/voeePXAYxSSMv
            9vzrxJNcRgzbd/8Fbo3i2vzn4GvrP1JzsprLrUMVFaek5khD0hRDJMM0IhBWFRRh
            L241zX/IBZDQVz0x1QVUBFmkoUjyNn94CTezTmGvqCXfkLRmcKzTZXd0dhORBPFa
            LygVSLdor0v5ru70rMds6YN5WvqbmG7KUY8M3gcVXutvID58vw6ZE83T8ZAYj9S5
            r9hXegeb2e03tCvSrHmQFf37+298/E8/kBrBQgoevnHmm3p0yN3ZbrWLIRhbx2iF
            NzL5s17PnGzmuSigoZERsN2Flx2fzUbtwVDP3AyLVpQ7NoqTZkJTcGQuvkYawnEa
            3RxUQySR+a7bED38wJ6zEpVg10ye7c8mVkzQnda1Qp3lnPZxz+1qg1n25I9hjNO6
            X1E8gtXx2EcwaoWcPO0W/sNBwE09SCM68KWSykwOLvZb5tq/HnhrwSisps5sAg9V
            Z1c0OCwgJvYoTY46rqk7scN9YkE16LDCtAzgppZerli179E/f/7O3d59CA1mCEXS
            XgHbdM2nxaBPCPgXXNRVq13R8JXiOokuxUZofwl6FaG8A6yc9z5F4Ygr/KKDeT0i
            YMBezxQtQ5uKY0jIx5g2r6aSdly3QPNKiFS/rxDCrmtaBqw+OvhvLrnCn6IaRVY=
            =XAoN
            -----END PGP MESSAGE-----
          fp: 9DFA033E3DAEBAD7FDD71B056C7AAA54BE05F7BA
        - created_at: "2024-08-09T01:28:41Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----
            hF4DQrf1tCqiJxoSAQdAFvRDMKG3Vjs98kRqcs4ep+bYoUcBHbMA7WgzI7CcaGQw
            FjdmSwvWaHJZQGEbGk4uDHKPHqXRD3HnD9d75Azu2HXnCA29aU2c0zn0PziIi7Aa
            0l4BbcavPKNBkZpJNgW0uII7xMYJWJ/9vStTxXG/WzNia6nk/Cv7PMJW7EwIeUga
            +PWB4yGfPXgqJGnJj0H1EdCVPrM/+f19GcFxNKKzkGaKTyVTW9NxntlsFl1vbmRx
            =YRc6
            -----END PGP MESSAGE-----
          fp: B71138A6A8964A3C3B8899857B4F70C356765BAB
        - created_at: "2024-08-09T01:28:41Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----
            hQIMAzdAjw8ldn6CAQ/5ARLA8sAZHMwNhHJycVof+ZergR58hXCBjbIy5zgyAwYU
            IJ5OwhTpWqniZjt0b9pvlzU4JO1k73B1WrF7mAYEOKET32GPVatrQ64yInQbORSZ
            zNQgX3aQ8tEtyBsKAWqwqRjOaP6Plee6G0RCksJBAkjIZik0diTOBwi+ZhgYSRLE
            G1NAETqMKkLleYQbUWCFNveJOd/7pfhE4xhAEaSxL3dgXNPV2TOngvjCqMXvz0K2
            hEz6OYC8idpmAJv+S+HOaZbKV+giCopsPyFnbeu8jf1UpbsBRbHPnLOO6lLby2gf
            2P9MhwSeMjjCZFX/ys8vHQ2jUwXK8jfW3xfVie4hVJgh6vO+uHcomjnk2b+34SRk
            7ttoozLbMFxwrcP9trV0TgT2uzjFCe4fHccpY1VLTCX/O0eYtlhDhur0Wojp1z9v
            h5mcqySEtJfHXJbTXkgMA2+QSyUaTTfvZ6oJqX3yAoq5eIzC0CcF+IMa6NS1XkY0
            TNd3FEhwe7TvKGCy/3bJx6jMUnhT71r6KW/w7RVIHgdp1hfUS9JBhxVB+agQVyRv
            +HBmvWHqUdwnFzotGRzLU1g6soWa+fRVQQ80qAi1U8e+u9IX3EG0KoIXLjpkvXxK
            y520NcOdN4wR0xILPP/+47QDN+kM6lunm/EMgrff4YDE8J83qMhH2IP5s/tV023S
            XgH1hiB0U4SYt0Rp6OGDV+CjBCFaCkPPlync/SVuXddfLC1owGlY9L3jwu7j2PR7
            jy2jPPTWrOvT0wZKEh4k501LRb0n6LGqW6gDTgOnZKNg2iQ6jybv2HeyyExYllg=
            =1o5H
            -----END PGP MESSAGE-----
          fp: 3D70F61E07F64EC4E4EF417BEFCD9D20F58784EF
    unencrypted_suffix: _unencrypted
    version: 3.8.1
--- a/config/hosts/penpot/sops.nix
+++ b/config/hosts/penpot/sops.nix
@ -1,7 +0,0 @@
 { ... }:
 {
  sops = {
    defaultSopsFile = ./secrets.yaml;
  };
 }
--- a/config/hosts/ptouch-print-server/networking.nix
+++ b/config/hosts/ptouch-print-server/networking.nix
@ -11,7 +11,9 @@
      ];
    };
    defaultGateway = "10.31.208.1";
-    nameservers = [ "10.31.208.1" ];
+    nameservers = [
      "10.31.208.1"
    ];
  };
  systemd.network.links."10-net0" = {
--- a/config/hosts/ptouch-print-server/printing.nix
+++ b/config/hosts/ptouch-print-server/printing.nix
@ -90,7 +90,9 @@ in
  # pam_deny.so # deny (order 12400)" for pam.d/sshd, so enable
  # PasswordAuthentication to have it not do that.
  services.openssh.settings.PasswordAuthentication = lib.mkForce true;
-  security.pam.services.sshd.allowNullPassword = true;
+  # The following doesn't need to be set in order for empty passwords to work
  # apparently:
  # security.pam.services.sshd.allowNullPassword = true;
  services.openssh.extraConfig = ''
    Match User print
      PubkeyAuthentication no
--- a/config/hosts/public-reverse-proxy/nginx.nix
+++ b/config/hosts/public-reverse-proxy/nginx.nix
@ -9,7 +9,6 @@
  services.nginx.streamConfig = ''
    map $ssl_preread_server_name $address {
        status.ccchh.net 10.31.206.15:8443;
        status.hamburg.ccc.de 10.31.206.15:8443;
    }
    # Listen on port 443 as a reverse proxy and use PROXY Protocol for the
--- a/config/hosts/public-web-static/networking.nix
+++ b/config/hosts/public-web-static/networking.nix
@ -1,8 +1,7 @@
 { ... }:
 {
-  networking = {
+  networking.interfaces.net0 = {
    interfaces.net0 = {
    ipv4.addresses = [
      {
        address = "172.31.17.151";
@ -10,10 +9,9 @@
      }
    ];
  };
-    defaultGateway = "172.31.17.129";
+  networking.defaultGateway = "172.31.17.129";
-    nameservers = [ "212.12.50.158" "192.76.134.90" ];
+  networking.nameservers = [ "212.12.50.158" "192.76.134.90" ];
-    search = [ "hamburg.ccc.de" ];
+  networking.search = [ "hamburg.ccc.de" ];
  };
  systemd.network.links."10-net0" = {
    matchConfig.MACAddress = "86:72:08:F6:C0:D6";
--- a/config/hosts/public-web-static/spaceapid-config/ccchh-dynamic.json
+++ b/config/hosts/public-web-static/spaceapid-config/ccchh-dynamic.json
@ -2,6 +2,26 @@
  "dynamic": {
    "sensors": {
      "temperature": [
        {
          "sensor_data": {
            "unit": "°C",
            "location": "Hauptraum",
            "description": "Sensor im Hauptraum"
          },
          "allowed_credentials": [
            "club-assistant"
          ]
        },
        {
          "sensor_data": {
            "unit": "°C",
            "location": "Loetschlauch",
            "description": "Sensor im Lötschlauch (Teil der Werkstatt)"
          },
          "allowed_credentials": [
            "club-assistant"
          ]
        },
        {
          "sensor_data": {
            "unit": "°C",
@ -14,6 +34,26 @@
        }
      ],
      "humidity": [
        {
          "sensor_data": {
            "unit": "%",
            "location": "Hauptraum",
            "description": "Sensor im Hauptraum"
          },
          "allowed_credentials": [
            "club-assistant"
          ]
        },
        {
          "sensor_data": {
            "unit": "%",
            "location": "Loetschlauch",
            "description": "Sensor im Lötschlauch (Teil der Werkstatt)"
          },
          "allowed_credentials": [
            "club-assistant"
          ]
        },
        {
          "sensor_data": {
            "unit": "%",
@ -25,13 +65,12 @@
          ]
        }
      ],
-      "ext_3d_printer_busy_state": [
+      "CO2": [
        {
          "sensor_data": {
-            "unit": "bool",
+            "unit": "ppm",
-            "location": "Loetschlauch",
+            "location": "Hauptraum",
-            "name": "mk4",
+            "description": "Sensor im Hauptraum (Typ: SCD41)"
            "description": "Prusa mk4 busy state"
          },
          "allowed_credentials": [
            "club-assistant"
@ -39,34 +78,9 @@
        },
        {
          "sensor_data": {
-            "unit": "bool",
+            "unit": "ppm",
            "location": "Loetschlauch",
-            "name": "mk3.5",
+            "description": "Sensor im Lötschlauch (Teil der Werkstatt, Typ: SCD41)"
            "description": "Prusa mk3.5 busy state"
          },
          "allowed_credentials": [
            "club-assistant"
          ]
        }
      ],
      "ext_3d_printer_minutes_remaining": [
        {
          "sensor_data": {
            "unit": "minutes_remaining",
            "location": "Loetschlauch",
            "name": "mk4",
            "description": "Prusa mk4 minutes remaining"
          },
          "allowed_credentials": [
            "club-assistant"
          ]
        },
        {
          "sensor_data": {
            "unit": "minutes_remaining",
            "location": "Loetschlauch",
            "name": "mk3.5",
            "description": "Prusa mk3.5 minutes remaining"
          },
          "allowed_credentials": [
            "club-assistant"
--- a/config/hosts/public-web-static/spaceapid.nix
+++ b/config/hosts/public-web-static/spaceapid.nix
@ -1,20 +1,19 @@
 { pkgs, ... }:
 let
-  version = "v0.1.0";
+  spaceapidSrc = builtins.fetchGit {
  spaceapidSrc = pkgs.fetchgit {
    url = "https://git.hamburg.ccc.de/CCCHH/spaceapid.git";
-    rev = version;
+    ref = "main";
-    hash = "sha256-2SDhliltzyydPPZdNn/htDydiK/SHQcYyG/dQ0EyFrY=";
+    rev = "17753f535c68157e80f30f50deb488133cc98258";
  };
  spaceapid = pkgs.buildGoModule rec {
    pname = "spaceapid";
-    inherit version;
+    version = "main";
    src = spaceapidSrc;
    ldflags = [
-      "-X main.version=${version}"
+      "-X main.version=${version}-${spaceapidSrc.rev}"
    ];
    # Since spaceapid doesn't have any dependencies, we can set this to null and
--- a/config/hosts/public-web-static/virtualHosts/c3cat.de.nix
+++ b/config/hosts/public-web-static/virtualHosts/c3cat.de.nix
@ -1,19 +1,10 @@
 { pkgs, ... }:
-let
+{
  domain = "c3cat.de";
  dataDir = "/var/www/${domain}";
  deployUser = "c3cat-website-deploy";
 in {
  security.acme.certs."${domain}".extraDomainNames = [ "www.${domain}" ];
  services.nginx.virtualHosts = {
-    "acme-${domain}" = {
+    "acme-c3cat.de" = {
      enableACME = true;
-      serverName = "${domain}";
+      serverName = "c3cat.de";
      serverAliases = [
        "www.${domain}"
      ];
      listen = [
        {
@ -23,9 +14,9 @@ in {
      ];
    };
-    "$www.${domain}" = {
+    "c3cat.de" = {
      forceSSL = true;
-      useACMEHost = "${domain}";
+      useACMEHost = "c3cat.de";
      listen = [
        {
@ -37,7 +28,7 @@ in {
      ];
      locations."/" = {
-        return = "302 https://c3cat.de$request_uri";
+        return = "302 https://wiki.hamburg.ccc.de/club:c3cat:start";
      };
      extraConfig = ''
@ -51,45 +42,5 @@ in {
        real_ip_header proxy_protocol;
      '';
    };
-
+  };
    "${domain}" = {
      forceSSL = true;
      useACMEHost = "${domain}";
      listen = [
        {
          addr = "0.0.0.0";
          port = 8443;
          ssl = true;
          proxyProtocol = true;
        }
      ];
      root = "${dataDir}";
      extraConfig = ''
        # Make use of the ngx_http_realip_module to set the $remote_addr and
        # $remote_port to the client address and client port, when using proxy
        # protocol.
        # First set our proxy protocol proxy as trusted.
        set_real_ip_from 172.31.17.140;
        # Then tell the realip_module to get the addreses from the proxy protocol
        # header.
        real_ip_header proxy_protocol;
      '';
    };
  };
  systemd.tmpfiles.rules = [
    "d ${dataDir} 0755 ${deployUser} ${deployUser}"
  ];
  users.users."${deployUser}" = {
    isNormalUser = true;
    group = "${deployUser}";
    openssh.authorizedKeys.keys = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIcZJzQO4RYinJm6YDUgCELe8OJA/DYOss+8xp7TtxM0 deploy key for c3cat.de"
    ];
  };
  users.groups."${deployUser}" = { };
 }
--- a/config/hosts/public-web-static/virtualHosts/default.nix
+++ b/config/hosts/public-web-static/virtualHosts/default.nix
@ -5,13 +5,8 @@
    ./branding-resources.hamburg.ccc.de.nix
    ./c3cat.de.nix
    ./element.hamburg.ccc.de.nix
    ./hacker.tours.nix
    ./hackertours.hamburg.ccc.de.nix
    ./hamburg.ccc.de.nix
    ./spaceapi.hamburg.ccc.de.nix
    ./staging.c3cat.de.nix
    ./staging.hacker.tours.nix
    ./staging.hackertours.hamburg.ccc.de.nix
    ./staging.hamburg.ccc.de.nix
    ./www.hamburg.ccc.de.nix
    ./historic-easterhegg
--- a/config/hosts/public-web-static/virtualHosts/element.hamburg.ccc.de.nix
+++ b/config/hosts/public-web-static/virtualHosts/element.hamburg.ccc.de.nix
@ -1,10 +1,10 @@
 { pkgs, ... }:
 let
-  elementWebVersion = "1.11.84";
+  elementWebVersion = "1.11.59";
  element-web = pkgs.fetchzip {
    url = "https://github.com/vector-im/element-web/releases/download/v${elementWebVersion}/element-v${elementWebVersion}.tar.gz";
-    sha256 = "sha256-z2qaKKyUq2S/r3xUUU3ym0FgFbiQr6bcltuKvUMPbH4=";
+    sha256 = "sha256-iVTd5zWUJh9wkbKMh+5hq0ucQaLLY29w1xCLxDIdQ18=";
  };
  elementSecurityHeaders = ''
    # Configuration best practices
--- a/config/hosts/public-web-static/virtualHosts/hacker.tours.nix
+++ b/config/hosts/public-web-static/virtualHosts/hacker.tours.nix
@ -1,64 +0,0 @@
 { pkgs, ... }:
 let
  domain = "hacker.tours";
  dataDir = "/var/www/${domain}";
  deployUser = "hackertours-website-deploy";
 in
 {
  services.nginx.virtualHosts = {
    "acme-${domain}" = {
      enableACME = true;
      serverName = "${domain}";
      listen = [
        {
          addr = "0.0.0.0";
          port = 31820;
        }
      ];
    };
    "${domain}" = {
      forceSSL = true;
      useACMEHost = "${domain}";
      listen = [
        {
          addr = "0.0.0.0";
          port = 8443;
          ssl = true;
          proxyProtocol = true;
        }
      ];
      root = "${dataDir}";
      extraConfig = ''
        # Make use of the ngx_http_realip_module to set the $remote_addr and
        # $remote_port to the client address and client port, when using proxy
        # protocol.
        # First set our proxy protocol proxy as trusted.
        set_real_ip_from 172.31.17.140;
        # Then tell the realip_module to get the addreses from the proxy protocol
        # header.
        real_ip_header proxy_protocol;
        error_page 404 /404.html;
      '';
    };
  };
  systemd.tmpfiles.rules = [
    "d ${dataDir} 0755 ${deployUser} ${deployUser}"
  ];
  users.users."${deployUser}" = {
    isNormalUser = true;
    group = "${deployUser}";
    openssh.authorizedKeys.keys = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOrDTANfPMkcf+V7zkypzaeX2fxkfStPHmZKqC29xyqy deploy key for hacker.tours"
    ];
  };
  users.groups."${deployUser}" = { };
 }
--- a/config/hosts/public-web-static/virtualHosts/hackertours.hamburg.ccc.de.nix
+++ b/config/hosts/public-web-static/virtualHosts/hackertours.hamburg.ccc.de.nix
@ -1,69 +0,0 @@
 { pkgs, ... }:
 let
  domain = "hackertours.hamburg.ccc.de";
  dataDir = "/var/www/${domain}";
  deployUser = "ht-ccchh-website-deploy";
 in
 {
  services.nginx.virtualHosts = {
    "acme-${domain}" = {
      enableACME = true;
      serverName = "${domain}";
      listen = [
        {
          addr = "0.0.0.0";
          port = 31820;
        }
      ];
    };
    "${domain}" = {
      forceSSL = true;
      useACMEHost = "${domain}";
      listen = [
        {
          addr = "0.0.0.0";
          port = 8443;
          ssl = true;
          proxyProtocol = true;
        }
      ];
      root = "${dataDir}";
      extraConfig = ''
        # Make use of the ngx_http_realip_module to set the $remote_addr and
        # $remote_port to the client address and client port, when using proxy
        # protocol.
        # First set our proxy protocol proxy as trusted.
        set_real_ip_from 172.31.17.140;
        # Then tell the realip_module to get the addreses from the proxy protocol
        # header.
        real_ip_header proxy_protocol;
        error_page 404 /404.html;
        port_in_redirect off;
        rewrite ^/(de|en)/tours$ /$1/37c3 redirect;
        rewrite ^/(de|en)/tours/(.*)$ /$1/37c3/$2 redirect;
      '';
    };
  };
  systemd.tmpfiles.rules = [
    "d ${dataDir} 0755 ${deployUser} ${deployUser}"
  ];
  users.users."${deployUser}" = {
    isNormalUser = true;
    group = "${deployUser}";
    openssh.authorizedKeys.keys = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILxMnllgRD6W85IQ0WrVJSwr7dKM8PLNK4pmGaJRu0OR deploy key for hackertours.hamburg.ccc.de"
    ];
  };
  users.groups."${deployUser}" = { };
 }
--- a/config/hosts/public-web-static/virtualHosts/hamburg.ccc.de.nix
+++ b/config/hosts/public-web-static/virtualHosts/hamburg.ccc.de.nix
@ -94,8 +94,6 @@
        real_ip_header proxy_protocol;
        error_page 404 /404.html;
        port_in_redirect off;
      '';
    };
  };
--- a/config/hosts/public-web-static/virtualHosts/historic-easterhegg/default.nix
+++ b/config/hosts/public-web-static/virtualHosts/historic-easterhegg/default.nix
@ -7,6 +7,5 @@
    ./eh07.nix
    ./eh09.nix
    ./eh11.nix
    ./eh20.nix
  ];
 }
--- a/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh20.nix
+++ b/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh20.nix
@ -1,91 +0,0 @@
 { pkgs, ... }:
 let
  eh20 = pkgs.fetchgit {
    url = "https://git.hamburg.ccc.de/CCCHH/easterhegg-eh20-website.git";
    rev = "026932ef2f1fb85c99269e0fb547589a25d3687c";
    hash = "sha256-YYxHhPYIioJgyHXNieoX6ibasHcNw/AFk+qCNSOxke4=";
  };
 in
 {
  security.acme.certs."eh20.easterhegg.eu".extraDomainNames = [
    "www.eh20.easterhegg.eu"
    "eh20.hamburg.ccc.de"
  ];
  services.nginx.virtualHosts = {
    "acme-eh20.easterhegg.eu" = {
      enableACME = true;
      serverName = "eh20.easterhegg.eu";
      serverAliases = [
        "www.eh20.easterhegg.eu"
        "eh20.hamburg.ccc.de"
      ];
      listen = [{
        addr = "0.0.0.0";
        port = 31820;
      }];
    };
    "www.eh20.easterhegg.eu" = {
      forceSSL = true;
      useACMEHost = "eh20.easterhegg.eu";
      serverAliases = [
        "eh20.hamburg.ccc.de"
      ];
      listen = [{
        addr = "0.0.0.0";
        port = 8443;
        ssl = true;
        proxyProtocol = true;
      }];
      locations."/".return = "302 https://eh20.easterhegg.eu";
      extraConfig = ''
        # Make use of the ngx_http_realip_module to set the $remote_addr and
        # $remote_port to the client address and client port, when using proxy
        # protocol.
        # First set our proxy protocol proxy as trusted.
        set_real_ip_from 172.31.17.140;
        # Then tell the realip_module to get the addreses from the proxy protocol
        # header.
        real_ip_header proxy_protocol;
      '';
    };
    "eh20.easterhegg.eu" = {
      forceSSL = true;
      useACMEHost = "eh20.easterhegg.eu";
      listen = [{
        addr = "0.0.0.0";
        port = 8443;
        ssl = true;
        proxyProtocol = true;
      }];
      locations."/" = {
        index = "start.html";
        root = "${eh20}/wiki_siteexport";
      };
      # redirect doku.php?id=$pagename to /$pagename.html
      locations."/doku.php" = {
        return = "301 $scheme://$host/$arg_id.html";
      };
      extraConfig = ''
        # Make use of the ngx_http_realip_module to set the $remote_addr and
        # $remote_port to the client address and client port, when using proxy
        # protocol.
        # First set our proxy protocol proxy as trusted.
        set_real_ip_from 172.31.17.140;
        # Then tell the realip_module to get the addreses from the proxy protocol
        # header.
        real_ip_header proxy_protocol;
      '';
    };
  };
 }
--- a/config/hosts/public-web-static/virtualHosts/staging.c3cat.de.nix
+++ b/config/hosts/public-web-static/virtualHosts/staging.c3cat.de.nix
@ -1,60 +0,0 @@
 { pkgs, ... }:
 let
  domain = "staging.c3cat.de";
  dataDir = "/var/www/${domain}";
  deployUser = "c3cat-website-deploy";
 in {
  services.nginx.virtualHosts = {
    "acme-${domain}" = {
      enableACME = true;
      serverName = "${domain}";
      listen = [
        {
          addr = "0.0.0.0";
          port = 31820;
        }
      ];
    };
    "${domain}" = {
      forceSSL = true;
      useACMEHost = "${domain}";
      listen = [
        {
          addr = "0.0.0.0";
          port = 8443;
          ssl = true;
          proxyProtocol = true;
        }
      ];
      root = "${dataDir}";
      # Disallow *, since this is staging and doesn't need to be in any search
      # results.
      locations."/robots.txt" = {
        return = "200 \"User-agent: *\\nDisallow: *\\n\"";
      };
      extraConfig = ''
        # Make use of the ngx_http_realip_module to set the $remote_addr and
        # $remote_port to the client address and client port, when using proxy
        # protocol.
        # First set our proxy protocol proxy as trusted.
        set_real_ip_from 172.31.17.140;
        # Then tell the realip_module to get the addreses from the proxy protocol
        # header.
        real_ip_header proxy_protocol;
      '';
    };
  };
  systemd.tmpfiles.rules = [
    "d ${dataDir} 0755 ${deployUser} ${deployUser}"
  ];
  # c3cat deploy user already defined in c3cat.de.nix.
 }
--- a/config/hosts/public-web-static/virtualHosts/staging.hacker.tours.nix
+++ b/config/hosts/public-web-static/virtualHosts/staging.hacker.tours.nix
@ -1,61 +0,0 @@
 { pkgs, ... }:
 let
  domain = "staging.hacker.tours";
  dataDir = "/var/www/${domain}";
  deployUser = "hackertours-website-deploy";
 in
 {
  services.nginx.virtualHosts = {
    "acme-${domain}" = {
      enableACME = true;
      serverName = "${domain}";
      listen = [
        {
          addr = "0.0.0.0";
          port = 31820;
        }
      ];
    };
    "${domain}" = {
      forceSSL = true;
      useACMEHost = "${domain}";
      listen = [
        {
          addr = "0.0.0.0";
          port = 8443;
          ssl = true;
          proxyProtocol = true;
        }
      ];
      root = "${dataDir}";
      # Disallow *, since this is staging and doesn't need to be in any search
      # results.
      locations."/robots.txt" = {
        return = "200 \"User-agent: *\\nDisallow: *\\n\"";
      };
      extraConfig = ''
        # Make use of the ngx_http_realip_module to set the $remote_addr and
        # $remote_port to the client address and client port, when using proxy
        # protocol.
        # First set our proxy protocol proxy as trusted.
        set_real_ip_from 172.31.17.140;
        # Then tell the realip_module to get the addreses from the proxy protocol
        # header.
        real_ip_header proxy_protocol;
      '';
    };
  };
  systemd.tmpfiles.rules = [
    "d ${dataDir} 0755 ${deployUser} ${deployUser}"
  ];
  # Hackertours deploy user already defined in hacker.tours.nix.
 }
--- a/config/hosts/public-web-static/virtualHosts/staging.hackertours.hamburg.ccc.de.nix
+++ b/config/hosts/public-web-static/virtualHosts/staging.hackertours.hamburg.ccc.de.nix
@ -1,63 +0,0 @@
 { pkgs, ... }:
 let
  domain = "staging.hackertours.hamburg.ccc.de";
  dataDir = "/var/www/${domain}";
  deployUser = "ht-ccchh-website-deploy";
 in
 {
  services.nginx.virtualHosts = {
    "acme-${domain}" = {
      enableACME = true;
      serverName = "${domain}";
      listen = [
        {
          addr = "0.0.0.0";
          port = 31820;
        }
      ];
    };
    "${domain}" = {
      forceSSL = true;
      useACMEHost = "${domain}";
      listen = [
        {
          addr = "0.0.0.0";
          port = 8443;
          ssl = true;
          proxyProtocol = true;
        }
      ];
      root = "${dataDir}";
      # Disallow *, since this is staging and doesn't need to be in any search
      # results.
      locations."/robots.txt" = {
        return = "200 \"User-agent: *\\nDisallow: *\\n\"";
      };
      extraConfig = ''
        # Make use of the ngx_http_realip_module to set the $remote_addr and
        # $remote_port to the client address and client port, when using proxy
        # protocol.
        # First set our proxy protocol proxy as trusted.
        set_real_ip_from 172.31.17.140;
        # Then tell the realip_module to get the addreses from the proxy protocol
        # header.
        real_ip_header proxy_protocol;
        error_page 404 /404.html;
      '';
    };
  };
  systemd.tmpfiles.rules = [
    "d ${dataDir} 0755 ${deployUser} ${deployUser}"
  ];
  # Hackertours CCCHH deploy user already defined in hackertours.hamburg.ccc.de.nix.
 }
--- a/config/hosts/public-web-static/virtualHosts/staging.hamburg.ccc.de.nix
+++ b/config/hosts/public-web-static/virtualHosts/staging.hamburg.ccc.de.nix
@ -44,8 +44,6 @@
        # Then tell the realip_module to get the addreses from the proxy protocol
        # header.
        real_ip_header proxy_protocol;
        port_in_redirect off;
      '';
    };
  };
--- a/config/hosts/status/configuration.nix
+++ b/config/hosts/status/configuration.nix
@ -1,10 +0,0 @@
 { ... }:
 {
  networking = {
    hostName = "status";
    domain = "z9.ccchh.net";
  };
  system.stateVersion = "24.05";
 }
--- a/config/hosts/status/default.nix
+++ b/config/hosts/status/default.nix
@ -1,10 +0,0 @@
 { ... }:
 {
  imports = [
    ./configuration.nix
    ./networking.nix
    ./nginx.nix
    ./uptime-kuma.nix
  ];
 }
--- a/config/hosts/status/networking.nix
+++ b/config/hosts/status/networking.nix
@ -1,29 +0,0 @@
 { ... }:
 {
  networking = {
    interfaces.net0 = {
      ipv4.addresses = [
        {
          address = "10.31.206.15";
          prefixLength = 23;
        }
      ];
      ipv6.addresses = [
        {
          address = "2a07:c480:0:1ce::f";
          prefixLength = 64;
        }
      ];
    };
    defaultGateway = "10.31.206.1";
    defaultGateway6 = "2a07:c480:0:1ce::1";
    nameservers = [ "10.31.206.1" "2a07:c480:0:1ce::1" ];
    search = [ "z9.ccchh.net" ];
  };
  systemd.network.links."10-net0" = {
    matchConfig.MACAddress = "BC:24:11:79:D3:E1";
    linkConfig.Name = "net0";
  };
 }
--- a/config/hosts/status/nginx.nix
+++ b/config/hosts/status/nginx.nix
@ -1,149 +0,0 @@
 # Sources for this configuration:
 # - https://github.com/louislam/uptime-kuma/wiki/Reverse-Proxy
 { config, ... }:
 {
  services.nginx = {
    enable = true;
    virtualHosts = {
      "status.hamburg.ccc.de" = {
        forceSSL = true;
        enableACME = true;
        serverName = "status.hamburg.ccc.de";
        listen = [
          {
            addr = "[::]";
            port = 80;
          }
          {
            addr = "[::]";
            port = 443;
            ssl = true;
          }
        ];
        locations."/" = {
          proxyPass = "http://localhost:3001";
          proxyWebsockets = true;
        };
      };
      "status-proxyprotocol.hamburg.ccc.de" = {
        forceSSL = true;
        useACMEHost = "status.hamburg.ccc.de";
        serverName = "status.hamburg.ccc.de";
        listen = [
          {
            addr = "0.0.0.0";
            port = 8443;
            ssl = true;
            proxyProtocol = true;
          }
        ];
        locations."/" = {
          proxyPass = "http://localhost:3001";
          proxyWebsockets = true;
        };
        extraConfig = ''
          # Make use of the ngx_http_realip_module to set the $remote_addr and
          # $remote_port to the client address and client port, when using proxy
          # protocol.
          # First set our proxy protocol proxy as trusted.
          set_real_ip_from 10.31.206.11;
          # Then tell the realip_module to get the addreses from the proxy protocol
          # header.
          real_ip_header proxy_protocol;
        '';
      };
      "status.ccchh.net" = {
        forceSSL = true;
        useACMEHost = "status.hamburg.ccc.de";
        serverName = "status.ccchh.net";
        listen = [
          {
            addr = "[::]";
            port = 80;
          }
          {
            addr = "[::]";
            port = 443;
            ssl = true;
          }
        ];
        globalRedirect = "status.hamburg.ccc.de";
        redirectCode = 307;
      };
      "status-proxyprotocol.ccchh.net" = {
        forceSSL = true;
        useACMEHost = "status.hamburg.ccc.de";
        serverName = "status.ccchh.net";
        listen = [
          {
            addr = "0.0.0.0";
            port = 8443;
            ssl = true;
            proxyProtocol = true;
          }
        ];
        globalRedirect = "status.hamburg.ccc.de";
        redirectCode = 307;
        extraConfig = ''
          # Make use of the ngx_http_realip_module to set the $remote_addr and
          # $remote_port to the client address and client port, when using proxy
          # protocol.
          # First set our proxy protocol proxy as trusted.
          set_real_ip_from 10.31.206.11;
          # Then tell the realip_module to get the addreses from the proxy protocol
          # header.
          real_ip_header proxy_protocol;
        '';
      };
      "status.z9.ccchh.net" = {
        forceSSL = true;
        useACMEHost = "status.hamburg.ccc.de";
        serverName = "status.z9.ccchh.net";
        listen = [
          {
            addr = "0.0.0.0";
            port = 80;
          }
          {
            addr = "[::]";
            port = 80;
          }
          {
            addr = "0.0.0.0";
            port = 443;
            ssl = true;
          }
          {
            addr = "[::]";
            port = 443;
            ssl = true;
          }
        ];
        globalRedirect = "status.hamburg.ccc.de";
        redirectCode = 307;
      };
    };
  };
  security.acme.certs."status.hamburg.ccc.de".extraDomainNames = [
    "status.ccchh.net"
    "status.z9.ccchh.net"
  ];
  networking.firewall.allowedTCPPorts = [ 80 443 8443 ];
 }
--- a/config/hosts/status/uptime-kuma.nix
+++ b/config/hosts/status/uptime-kuma.nix
@ -1,7 +0,0 @@
 { ... }:
 {
  services.uptime-kuma = {
    enable = true;
  };
 }
--- a/config/hosts/woodpecker/configuration.nix
+++ b/config/hosts/woodpecker/configuration.nix
@ -1,7 +0,0 @@
 { config, pkgs, ... }:
 {
  networking.hostName = "woodpecker";
  system.stateVersion = "24.05";
 }
--- a/config/hosts/woodpecker/default.nix
+++ b/config/hosts/woodpecker/default.nix
@ -1,11 +0,0 @@
 { config, pkgs, ... }:
 {
  imports = [
    ./woodpecker-agent
    ./woodpecker-server
    ./configuration.nix
    ./networking.nix
    ./sops.nix
  ];
 }
--- a/config/hosts/woodpecker/networking.nix
+++ b/config/hosts/woodpecker/networking.nix
@ -1,22 +0,0 @@
 { ... }:
 {
  networking = {
    interfaces.net0 = {
      ipv4.addresses = [
        {
          address = "172.31.17.160";
          prefixLength = 25;
        }
      ];
    };
    defaultGateway = "172.31.17.129";
    nameservers = [ "212.12.50.158" "192.76.134.90" ];
    search = [ "hamburg.ccc.de" ];
  };
  systemd.network.links."10-net0" = {
    matchConfig.MACAddress = "BC:24:11:5F:A9:B7";
    linkConfig.Name = "net0";
  };
 }
--- a/config/hosts/woodpecker/secrets.yaml
+++ b/config/hosts/woodpecker/secrets.yaml
@ -1,234 +0,0 @@
 woodpecker_server_environment_file: ENC[AES256_GCM,data:68Wu0UOHBAGZHSJ0x4wbeDLm626jpumv9w6A65FNKsmzYp6P4/c4g1MF1agQd7l9nKMTRrgyJyfoEZYFQRX6lYSmcsQLfn++uh1JpFoClT5p/5hBkiDq4owUFU+NGUiyl6yjYlEiaxLwC4ZdyISHeEYpbrvGyIXLsFgdrQ0rVX3cCRwIMxFcyCG6d3MZVoqAw1A=,iv:y/+X02aRPBOoR57P9s7y/SijvXVLuiBBfFYqeJLvQEU=,tag:DNwK+M6s3moglkMkrWccyA==,type:str]
 woodpecker_agent_environment_file: ENC[AES256_GCM,data:rwp6TYYFJ/IZH+3pGhPxjdZMLoyPMr/W1RXm4IkUGn+SmIjHZcdFZ8nEhvOfnkfrXNPc2MR+X6NXUmVOcBjSCbcBjh9sC653UpKimt9I3/Ec,iv:X9JH7dmTayw8BaEsXYil3PrykCdd+/ANGHVfEyRvc7A=,tag:/ErkX1WnruanNgTTBUT6LA==,type:str]
 sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age:
        - recipient: age1klxtcr23hers0lh4f5zdd53tyrtg0jud35rhydstyjq9fjymf9hsn2a8ch
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRQlN5NmlaUjR5dGJ3Y3BP
            bW4rWm1KaVFsbytwZDQ1QjV1d1VEOEZlSTJ3Cmgxc1BmMnBmWjRyNmNDWmpWcnJt
            Q3lBZUFOY3FtREFUYmhJNCtKcTUxY0kKLS0tIHhKbVVBYjN4WHRzdERNbkRQeHlS
            UExiNFNCdkQ4YTNMdEdoWTdxOFZOZVEKZZbNpbyH31z5tyXeINqoNyqy8zvS3mp0
            YFq6P8kO8CaqUG7KH6yWV0Vq4DryQ9vMcQBnboZOfPf9pZUvhacE/Q==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2024-06-22T15:55:25Z"
    mac: ENC[AES256_GCM,data:UmDbmxSRj8YfCkKEelQNMJ8mzbu5aQdB9yOr9JfUh5TB9r5Z5ttZ1wgJDJqHNtsII3JGXUvbgHbsmbPikkrj4Ege1rrgr4UttN1rtgeaAKlZIlqb9pOnV4//GJL8jbxCgFp2h2O80G05nAXG54DaY//4Y5hfTyPzgyDlGQ6jlhg=,iv:5e8lpFfGAJh8lTFcY4MlZG7PgnzM0UycsU0tB2KN+zQ=,tag:4xUEHg04wjDbhc9MOItzuQ==,type:str]
    pgp:
        - created_at: "2024-06-21T22:42:59Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----
            hQIMAxK/JaB2/SdtAQ//QR84p3zGjW2CtPcPxlmdYui5nx8FV3MHog4R24s4RKNK
            y4n9993z8m3y2at4yIWDi4LBKrhm/6mSLBHfoxnuiptoaSXSWXfaXebXkYiinkyP
            GMvwegN6KkRZh4stJMD7W0g7w/trkNEAvPDoInqCnvT4NomrKIV+ZrZuCBLd1tXn
            JRd2tsH8yYzoZr/PJBBDTZtke/nbosb6drjgG6ow/eHyF++HxKNTWfjCiWn4AWSb
            c/E1VWsigYdBs8XSTbBkfSLr/b5FcXYb8tyy4gpGe9zOrxc7cW5diK5+x4bM8FHz
            85ShPA5S3PXXEnuifuk/ZK8+CEYWUS3MXUhuEFUo7F3Pt/Eb+5CtfTX6kvMe1xe9
            iqFAsRce/qm9Evns4ygZ4+LoI2ro2HFwgQ2fu1gi7PyZsDyW5eRL5P+vfxPUOxYY
            z9cXXo+U1NEzWMDEBWt4mgoW9URye6O3k+WLQmYbQIhDkftUYmvRrPYQvP282m4k
            NMucRIRUMkx7rpRQQP8yU6AlgZ1LsOmruV4XJYVxsTpSZq7YgTQP4kd3wMgBhwOV
            j3hGc9gI9Sq06SdyU0C8PuUHt+mZGkVnYIOTw6BXHgY1tK8X5XnWK4NJXL9bR0pY
            kfzDWLjD0hiiM3QYqieTbnDUiVTDGyf7Cop+EifYvy7um+CPjlYLLkDkEsWcy/HU
            aAEJAhDEzP5eiU1e01GSNbWL49ghD7DqZiYdo0F/BGMk6jQloM1HUDnkhgBhVSZo
            TjNPV3UFBxeRnT5DvouD6uJ8SDs42ARdb4F80vJVHknt0yBvGWfCQsXqKwuRDd1j
            zkj4zG7btJRv
            =sgSP
            -----END PGP MESSAGE-----
          fp: EF643F59E008414882232C78FFA8331EEB7D6B70
        - created_at: "2024-06-21T22:42:59Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----
            hQIMA6EyPtWBEI+2AQ//V6IIW3Hr3xuQWOWitDGn1bo+x95jePPpXNayKGJuaSMf
            00gaOyMpqP5hRd3lEQRyqHgPtmszlGrxq2y77CxnnZMbE6n+axwQQLoMzROBGyGF
            iqe6hNbNFZPjWv5BTAl3iOHWrw3x/TpgcNmSBDfctU+CZlMWzCMuXJw1bK57wQd4
            B6xcoBxidK55Ubc7GQ8mlAEuZ89fYorTRBfv2rBgUh8ZAAsUmn1jEz7HsQMMd2a8
            5V4TzicdzXO2cZ+0DqU8Xqt5U9C0IjGgZRPzDYkh7slkbyYomAIfCq+zN5ieecz9
            Mp8vvuMYfT66P+heNRZ7w/sgmGlarcmNKlOcXlakVYm5qVddPMx6M5Ovl4O5sABz
            V4O4NRehYx0XFbjzXr59LCzpusS9xQoh49288dLTFudOInHUYq6ss0TbGfFJMDYU
            mjHokzdG3ds8C9/lMR82X9rbyZDchUytHUwX4eGxUDMmhydFpgJko0bbozPbE2ll
            NTlWegCc1yrkSGn6U9EYKtibitJnIMdas5HapcErMH2vYILsJOl9ifG1GIsuWe1+
            ipPyZy7jqP7p18WCcDnUhgaGdQ67UjSLqX2zz0SZDcfI46SUeyeSelFVpTlmKriS
            4bW6hC1FSe+bLkPZ0y5aRLgL5ipK6jdlZepAj/DNXdKAtchLHcddF3rKdBdzsxrS
            XgFvvZPgj1JleYr+q/+ju4k1d4cE0HnQZIBnkAfKXZHwSPCw1d9vbeLipuRTJrEH
            2CpOjtiXl3S2ZcCS1ama9lgAqPBOOoH7jgHvoCzqfkBsi3/QlIpQs+C8ro4hXE8=
            =KZWk
            -----END PGP MESSAGE-----
          fp: F155144FC925A1BEA1F8A2C59A2A4CD59BFDC5EC
        - created_at: "2024-06-21T22:42:59Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----
            hQIMAz5uSgHG2iMJARAA5+vcORn/YX2bHcAno9KCUGTzeiCP/DOoSePMdsCAmABj
            P8XoYJOyZoZgW3qgvtKZ4pLGB26FuJXC2y6Z3yyQ4Xj2PeBj1og9xM8p7GnF6T6n
            7wqALwJOamyer3A+OXx2Gc8kZ0ObqgBbbn5QTPnHzsRljC3Irgk+ZZE8ZRshoPmu
            6TEuMW0NT5INmijtPAxer/eaAor3KKxMTf+sqqr/VGNopAyFUCGZynlnjcei6X+T
            tVKh6zqr/eaTlnhoP2kr4u+wKcHvLV8an8sfsyIGL90O11LNcX8Sf4EyPDYSXOe7
            AXTFcvfw9+ALu3cbTVPN0aI2e8fCir2S00F8x28Ffc2xDSrXjWEDCXLuRNVXz5KA
            Mjq4afyQN6mtVZ6ZmtvaLQoG8D2f2sGzvrsBjaXwxPLHKPpUFZVBiiP0C08yokUR
            7FrYaOjnvQVALLxGJMAhMf02g2dYDFxMw18cY2a+bLrYUVd9EMbuFwCJNzmU0of7
            EpSvXrA0wTKddk+vL3JoJgIrOxz2IQbaC24NiCUzbyakhT+qDX/oXXILxL2x0GfR
            RaTL1inkTQO//ooAjlPeMA3OIDQo5CdoV4VlvSUgagYfDvMfDCAO04Xxvezh1uvz
            //4Jz13+LFoUgbtVUYiT4oqWyfTKOV0D8ILYWKZJtjJt4TeYpEfbQFEzIYyF3OHS
            XgE7aGyB0ArPBovSr55eQGmW+FaeG1VtH7TRLU367FyQmGep5O2SUxQXqFFiWyDy
            bseIYdRqNsmlgdXBnADdkVCFJtF4C/VA2DOk+wOO8XtQoMQ8zrIl+0Viq1s66OY=
            =xc00
            -----END PGP MESSAGE-----
          fp: 18DFCE01456DAB52EA38A6584EDC64F35FA1D6A5
        - created_at: "2024-06-21T22:42:59Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----
            hQIMAw5vwmoEJHQ1AQ//abtgoFEWd+zbeSbiwey8nCNQUSklHV9kbLuBK8+ipX/Q
            qjweWnnPVN6ODhgfXm93k1tSqeJjYqjqfxVsAEUiXC61UhvS6JBZuVUt4nRUWHk2
            cdu3eKlBx7Nhm6th1gZ+Wf7PcryT5fmJQP5a8VEM/nUuRjnAmG7RuSiWbNzBbTDx
            4jh4GTvlFkupxZvLsXYf2T+7qn0eHymdQI8+5WSHQH6kApBvINYoq1m55it5ilEp
            M0tYNFMzi10OjKVbNRQXuKhROzzYGtW8qWGtc33WBB5rvkRVelSDmleTbRywWjE0
            rNo7vj97SbmGdCHydzcEwPIBOd11ZgFWpamX/36ALeKCxgHgc3HsnjIkDsEffpoN
            SFHAhyYqXTDRqq5/HuBQBDBJLVVcIbqlJo3us47gI3rhojjSayzTBd5TnGOZt5N0
            rFOqoZ1i3vf3C5sjKivTzCJ/P3yFgD271hQjv49jSqXgSF8ZIvzaDr0xLiy+XnZ+
            EsUyqxZBKWy246BtyZ4qBvRjVKbezpxQFh6MzxccY+toUaG2v2I5muvFJRHe7qEA
            fT6XDl7W6aQ/RBL/Ij9OWYvCMWS27mzkLQi0uBH5gyA1t6Bg9O6+CjGpK6Mmd8fx
            1Q2Ml5ClzLnEq94FX3f2hpqLdSlwREPoBYULeJNr+WhayDvfRjuh5+MvN+wjbs/S
            XgGYwgGCrFmzXN1mWElNGc3+3sMEpiuvJp6Z1nRfr17YvIPUrtCU7zVHWR1lWFKU
            gjJacBX/Qw9Kly+5jADM0UorWkZxaby+q+j8rN43nPatjDlDRI+BrNta0l0ulOA=
            =2cbn
            -----END PGP MESSAGE-----
          fp: 87AB00D45D37C9E9167B5A5A333448678B60E505
        - created_at: "2024-06-21T22:42:59Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----
            hQIMA4HMJd/cQYrVARAAu8l79uJlVLz++foLhk83zrPSZsX+1TQduJl06Kx2VrJ+
            dZX/0okzpHmHeZGhGH+e1Gv7MpyM4UxAGwE03NIk32p43LF/biad0zc4TB8yr9r6
            N3Sr/ZbaB0oYC/K4r1Sj8W1XWmuYZB8lc1dyfwhf96KIXGutvG22O5XI0pOA9yHL
            x4AWt8OHYsaWCt941M6pbFtBsJEl/TaKgYF7YNITvsfj/oG7cPESKLOkcJdmhN1r
            ADpJRcs6rVvMLWxUBjZICqZvDlwnXK5gCu30MmLs/oQbFmHjBRB01Ird+Mb5e6l4
            vrYC+zO3RG3dZ+VXJD0rBn+56nDMtiKISJCy4I4Vz/ekwx94cIci+BlD9/3YYix7
            HVgR6flBgInZEvaBxyj2e0G5i2gKvYTfea5+6bwPpszLUaYba/YLQQ2mSXcwWPsV
            ipuNSjJ8swK2OpOFTfzs7Ua1OZChCOhhduxiKCwASYrbncfexObsQfeobj3wrwXH
            N4M+h5ghm+y7UFKDW+gfN79WGfltWiMdy9vZNwwEYF0NE8jkwPfIt2dLvyU73MFU
            NivYWp6kUj+gbLkb3gLClAi4CyYqNQyBjbKEbt+470UIMZ44WWMEJy7bMwAVzLBk
            VxBHphqSuP04pgb5a+PHPApCZC6KEntnW1zX+DKrCn3/+NhoD6COhCvetWxq4f7S
            XgFop4XZPWYJb6ypqkFLbkHIg7tCbr/xae4HABncVj0BaS1Z7TBdMiGi8SQvHti5
            70rNGZIpQe/59DmBrLT06VdQRY5rt20bDoN+DaUrE2tc0k5h+uwI71TG4//Db2A=
            =m4ec
            -----END PGP MESSAGE-----
          fp: 91213ABAA73B0B73D3C02B5B4E5F372D17BBE67C
        - created_at: "2024-06-21T22:42:59Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----
            hQIMAxjNhCKPP69fAQ//Tz2g90bOkkY942MaLO5/k8MFMf4QEDMZAiw9tVZ39Rqf
            udMTcGyOX6zLzr+xxNX3gwn8X+bl0yw4Tg/FiyOzl9RjMZDxvzUaj1gYZI9kKPne
            aEmAYcP2mv+ITUDnApZonDZE5hUnLGAyfEZMU6ExF9XkU94dXFdU4nd+gF5XHzou
            STiNryBYaxWP1WMkW4SlZqdJiCfrkI0Z7iTF86QtXN5S8qLSIyjP3hIv5QxJg5Xo
            NwK5IXQhV/0ZHp1Wl8Xys2iUw3iuwPga7sBrMHdJ0PHVBg3Wg/bG7YtrfEAfUbcr
            UHt9rNGFZluuqNctvcvkSUjv5DISCgl8lSSbzC8DK/vT9o0DQYWvySNpVwXO3tqs
            9aCxKc8trCXrd9qePnO259Ni0ALRjyh/GHZipzhZo/mgyUWc5nAdTLM49MsmAKHc
            PnBBSntXnVHfFoFvgyBAmyISVuH/L5j8mezQ/37AevcTfuWemjDRGWIiIJZ73CyF
            tG6ida5En9QouMO18gKBBzfR/2s6tt60bEp4bE3j2rRgEhwblBfl1NtGSw2WGVVZ
            bU8KormLDT8aurMIp/Rd1pzAxDpEhDa13TV1IfRECOQvY35aBC59upt+XLwJ83ch
            Zgi5cRGtSoj1G9OziQGCtJjGqkZoFy7Htou6AyFUEln+2Px0EKGJC3yCUcOF0orS
            XgEtK2wEJNnJ84LctjrRM4ZSeb/8nycfWiR9riJi1lq6J+WSeiGME3cvhgObDTtG
            EwuAjG6vhwUdr3aovsENQhvHnQWID844CeBtB9jMHbFJy41vbt0rC0JJG/6RoRg=
            =5Ijl
            -----END PGP MESSAGE-----
          fp: F38C9D4228FC6F674E322D9C3326D914EB9B8F55
        - created_at: "2024-06-21T22:42:59Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----
            hQIMA1Hthzn+T1OoAQ//dwisvTFgYUCFICbaNZ+8jttF4lTQ2fjdP6UHb0evav84
            PUYpqUfmMF1BUvxDx0rwzzP1OaSKuesxAG46i1Nha1Tq/LOURtzZtXPW4+xSHWge
            ifbcbGTBkACviKkRuVUqaQBAbzDnFIHtcQy7nbILmzM0aRwm1IC1WzKpPRBgzAy0
            o/UE4geZjPuNqkix4mcLz8sXvKMz11FE3QpZ44JqiRhmAITTDVo2ymhbvA6R2C1w
            AL0tjJwKRb0qfoBegyPbuUW399l3CCtEE7voW8AxZ3Y6EGO8DQ1i/MkR81zymFep
            PUDVYDmhqmh38Z79v5iKqnruzS+rOaitzMRqsUfOJfa4UoFkjO6tYdi5cOY8T4cD
            w0rgCpvWriaGKGHDuRIdu031GFyf26+SvOWEbiOhMv+h18Hj5P7uT+Is+VuEhHEo
            i7EYTqzsRwyIfybNkb0mBVluvXb4CpZRdRq5AzC49qu4IezvKoAT99KG1yf7XJvI
            Ijc/ZITFqCBxE7REA4JBDuivPHfML4CgxG+5PiBJ3JDdaP+xRuoVQQv5E55Y4YwF
            NM+NTNcvsTv2vKXJ8mmWLBn9xMxN32gmDyy7jW0elW46AQidIL6C+W2Zhxn6GNvc
            2faDhNQ3yV0A9mIsgQjdWeQemqhsiVU6Sg4Mmattm/b6plGCM1DIcJgMV2RRAobS
            XgGt7zD15Ju4S+fQqL7MVGGD3y5v0C5eLx78MScygpNQKS0vfTfTE2+wRCzCjZAG
            /6HU85E6ru1VeXc0TwQBrpX3Wi2ga/momalsCGoh3oHBd+jRqzwpRxojKLy65qU=
            =g4RA
            -----END PGP MESSAGE-----
          fp: 5DA93D5C9D7320E1BD3522C79C78172B3551C9FD
        - created_at: "2024-06-21T22:42:59Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----
            hQIMA46L6MuPqfJqARAAmTOXbn+qa0wgjSvK3juGqVemxKvaD2zFG57ivYdC1Jdn
            PIVi5aBCvZ8KY/0W9k83LVcGUY1f8eRkCU8ohJU+rmRbiTvT0qo1hfLzxrqaNbke
            gN+YsYW8bgXioF6nHVWI158GvqNfmvRl4WyJzBQ41cAyMpdGXiIzUoCba3Y6f+1N
            muljMhgvEtWUddf4zheZX89xV+aLa9Mga6aQbwRcL451UcKxmE2nk4+00rMn7R7R
            vmsC677/RrKkI7RxubzCVFFlzaH+ZZ1Ott6ozKUWs2vCcB6vTzwwvmrJwmr760lC
            pozfNp/+WzLZOkA3rO2qAvIUc1DxYA6CgukrAAObCbvmcgMeLtVR29wwWs01qxI+
            cTxmH+btbiM0PL8+/sW2KlC19hfMmeryiJXxbUN30a3fMDJz1wVor54DsaqG9kIJ
            zIxGsQ6t8fzfaVfeQwoxODnTWqUClWCY4is251O4Gxw3C0oPWZvzoPvxljaPrYYY
            SE3dcktWmGoOxLj56lLfceKq0qAtYmJD4Q5k2GDYYU+8dwp95UTf0lbRwauMBROT
            OMe4r/emH4Z1LiG2/HLoM4QuV5VVQGSAqoE3c42YjjS9uh/aOtmeNNLehwS93F5E
            J/bXNY6VnHcALRGMZF60g5OxM3QUioNkGqcCWGjSaRPcKhwaXvvIaTCdz8apnBHS
            XgHeuszpU9/O1nCsNPF2vQUjcNxz+KsL39RwHCVJBVJskxd4HcJQUM7uArV1Fjbk
            fl4nQuueBrZ4tXzimRK2QOjgy8F2n/Kxpjlr4rXn+Pi9jyhx0Jq4Blu3wrR4LAg=
            =4Xvm
            -----END PGP MESSAGE-----
          fp: 8996B62CBD159DCADD3B6DC08BB33A8ABCF7BC4A
        - created_at: "2024-06-21T22:42:59Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----
            hQIMA4EEKdYEzV0pAQ//fo1yfBspyD2O84d8UCHWoUJTNYql2p26H/vC2BsVzAmL
            6nylQACeslISLlXbrW+ILPOFZ5x21THOFcJdvCGAQAkY+jC7Ry3D2gwsZi/RLFpP
            wbEgbzk9hcimmvuHW/NJtrqvXiTJy7GH7el5Zwqe6rtUkTW5IUtaOmZjn2fQBVoq
            9mMT86vOYlqgIISG1o5x4pciRd+fb3JPiPeJiLcyUBEXYqg2THlyYwwp2paFomYf
            a6Ls/pVT9ICSblFlnfILOexDpqhxcPH+V2nwlbSlOETq3ACcVIgufIRndTkGhDzi
            HS3GlD5nIb/ep12Gj+qOgKZBsbUdNIAVojNY2qlK2yQJpE5B1aDjmkAZUkk/LqF3
            76ZRBDzigU0jfYKh2iGDY3F8cWDsRqjqcTjVB9KF32+1SeUAO4NqDnDpMZgBh2i5
            rvDOJCJfTgo7DfPqWPyeFM58sow9EEglygASA/XTaDV+CmLzRlqxwlJwpbRrz3OV
            Mp1gewfGASLPS4xh6gtROac9DAuokmN5VgNg2g+emN8lUNJ/7V7u30TvCEfGP0j0
            1Sd6RrNn/ZDMJtOoE8gDua6njbOi9Zk/RN4Y4NKWcmiNZxz/Xi/8XU7F0yk0yEL1
            DUxYsCEHImib+lAESQ0fF4VMXx3DSXq2/Yt5z782ZvgNrGoGw3B9qVA5FyG5Bt3S
            XgGgfz/6fGZ0DEtTv3B8Rhqbm6TvwPFgIg+3WuQRXxf3rjjoX1AN0jcuz8OIIfGk
            o1GuRG0/sYg7P32ysgQMvS1F+rX2PR/myHsz4YMM10soG7OduHgXmiJ0eUq8EtM=
            =WLCQ
            -----END PGP MESSAGE-----
          fp: 9DFA033E3DAEBAD7FDD71B056C7AAA54BE05F7BA
        - created_at: "2024-06-21T22:42:59Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----
            hF4DQrf1tCqiJxoSAQdAUMjy8rV2Zy5nmeMOBsANIUVyhAvVBUF1yunc+EgVeVQw
            yd4hPHMnQSkasXmcMDS0y2gwixgTOeQbG5PaOr0FA7eGEItLlqwSxz3+GnuD/gEw
            0l4BFrUbimEX+/tfI8aymapMVYXFXWe4dUZw9foKN5HqkpPKhusozd9bqPPNKggZ
            09tvIJViKP/QufK0WyLYZGWrG+leogDX39GBtAU1SOllFqtq2G0X1qH+s88GVpaO
            =hxWV
            -----END PGP MESSAGE-----
          fp: B71138A6A8964A3C3B8899857B4F70C356765BAB
        - created_at: "2024-06-21T22:42:59Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----
            hQIMAzdAjw8ldn6CAQ//SK6MVXhRsRxYV8jL9HrVTovc84kNFr24nbHHi5z6fuCA
            6ZjPr5Btx5Xxi716mEmdDBUSGfeJOOSt6hw4fCqj5ehnCeMLr9GvmJdZx9s2n88m
            h4Fzd1XF67NMbSAYMPrXpk5dlxBNsgmsAWTaEet9gqGWWYsrZHWPvae7z+GaJJzz
            h3dix5oVV3tM2OVP9hFhRtu9tv9a0sj5Eu6mz8UsDFwEPynlSDPKUQA0jFTXJnYo
            yT8UTPSZAUlwnU88JPIhHKCmU8nqUIgDURVNgK4BsuoKSAZ27ueSHr/4IzBiavVD
            6V1b1Ttt8usKFp21OCqfNuoiIeEipUdLMFSTjSXqOp38QTaqoDaCsAPc6j3HCvlV
            vMm1lbSKK+Llpk9WOmqvHQriL50lQGYpa2X/jS8FtlotKFm0uGJoJXZ5Ujc4Wmy9
            J79/cXLULGFCxdPsoxmd8wJFqz0eiVPHIBFB2Y8Tan+Mg44WeBuY8sAWGzYPp+kB
            sEOIQ5I9N1Gt+58i1hDTRlqO4I8ihusqKeRemJa954rlzz8YTmZL+JAD5gsMtzuH
            gMjnfBnNJKw3UmnHMMQm348CRB6SuF6rmjc7Xk1qsnie87HtYbM3dJYh7ixddr/a
            kTHy66zDX4j3e/y2JdEPQw8/WhhdGnyj6eDioQLNFfvApI7doi5C+XDCR08YxJnS
            XgG0kP/bfDBkwzzHkr3khuvdtmUEmsxGbR/3abyjLfvM+g3HM6Eqq0uDwuGgYinR
            DYfWUZTas5uWrgxAWYbBCbhPcevu7CsyJFsBtG4ExTXPSsP2c79+LwtmJjbLQqo=
            =9C2P
            -----END PGP MESSAGE-----
          fp: 3D70F61E07F64EC4E4EF417BEFCD9D20F58784EF
    unencrypted_suffix: _unencrypted
    version: 3.8.1
--- a/config/hosts/woodpecker/sops.nix
+++ b/config/hosts/woodpecker/sops.nix
@ -1,7 +0,0 @@
 { ... }:
 {
  sops = {
    defaultSopsFile = ./secrets.yaml;
  };
 }
--- a/config/hosts/woodpecker/woodpecker-agent/default.nix
+++ b/config/hosts/woodpecker/woodpecker-agent/default.nix
@ -1,8 +0,0 @@
 { config, pkgs, ... }:
 {
  imports = [
    ./docker.nix
    ./woodpecker-agent.nix
  ];
 }
--- a/config/hosts/woodpecker/woodpecker-agent/docker.nix
+++ b/config/hosts/woodpecker/woodpecker-agent/docker.nix
@ -1,12 +0,0 @@
 # Sources for this configuration:
 # - https://woodpecker-ci.org/docs/administration/deployment/nixos
 # - https://woodpecker-ci.org/docs/administration/backends/docker
 # - https://nixos.wiki/wiki/Docker
 { config, pkgs, ... }:
 {
  virtualisation.docker = {
    enable = true;
  };
 }
--- a/config/hosts/woodpecker/woodpecker-agent/woodpecker-agent.nix
+++ b/config/hosts/woodpecker/woodpecker-agent/woodpecker-agent.nix
@ -1,29 +0,0 @@
 # Sources for this configuration:
 # - https://woodpecker-ci.org/docs/administration/deployment/nixos
 # - https://woodpecker-ci.org/docs/administration/agent-config
 # - https://woodpecker-ci.org/docs/administration/backends/docker
 { config, pkgs, ... }:
 {
  services.woodpecker-agents.agents."docker" = {
    enable = true;
    package = pkgs.woodpecker-agent;
    extraGroups = [ "docker" ];
    environment = {
      WOODPECKER_SERVER = "localhost${config.services.woodpecker-server.environment.WOODPECKER_GRPC_ADDR}";
      WOODPECKER_MAX_WORKFLOWS = "4";
      WOODPECKER_BACKEND = "docker";
      # Set via enviornmentFile:
      # WOODPECKER_AGENT_SECRET
    };
    environmentFile = [ "/run/secrets/woodpecker_agent_environment_file" ];
  };
  sops.secrets."woodpecker_agent_environment_file" = {
    mode = "0440";
    owner = "root";
    group = "root";
    restartUnits = [ "woodpecker-agent-docker.service" ];
  };
 }
--- a/config/hosts/woodpecker/woodpecker-server/default.nix
+++ b/config/hosts/woodpecker/woodpecker-server/default.nix
@ -1,9 +0,0 @@
 { config, pkgs, ... }:
 {
  imports = [
    ./nginx.nix
    ./postgresql.nix
    ./woodpecker-server.nix
  ];
 }
--- a/config/hosts/woodpecker/woodpecker-server/nginx.nix
+++ b/config/hosts/woodpecker/woodpecker-server/nginx.nix
@ -1,57 +0,0 @@
 # Sources for this configuration:
 # - https://woodpecker-ci.org/docs/administration/deployment/nixos
 # - https://woodpecker-ci.org/docs/administration/proxy
 { config, pkgs, ... }:
 {
  services.nginx = {
    enable = true;
    virtualHosts."acme-woodpecker.hamburg.ccc.de" = {
      default = true;
      enableACME = true;
      serverName = "woodpecker.hamburg.ccc.de";
      listen = [
        {
          addr = "0.0.0.0";
          port = 31820;
        }
      ];
    };
    virtualHosts."woodpecker.hamburg.ccc.de" = {
      default = true;
      forceSSL = true;
      useACMEHost = "woodpecker.hamburg.ccc.de";
      listen = [
        {
          addr = "0.0.0.0";
          port = 8443;
          ssl = true;
          proxyProtocol = true;
        }
      ];
      locations."/" = {
        proxyPass = "http://localhost${config.services.woodpecker-server.environment.WOODPECKER_SERVER_ADDR}";
      };
      extraConfig = ''
        # Make use of the ngx_http_realip_module to set the $remote_addr and
        # $remote_port to the client address and client port, when using proxy
        # protocol.
        # First set our proxy protocol proxy as trusted.
        set_real_ip_from 172.31.17.140;
        # Then tell the realip_module to get the addreses from the proxy protocol
        # header.
        real_ip_header proxy_protocol;
      '';
    };
  };
  networking.firewall.allowedTCPPorts = [ 8443 31820 ];
  networking.firewall.allowedUDPPorts = [ 8443 ];
 }
--- a/config/hosts/woodpecker/woodpecker-server/postgresql.nix
+++ b/config/hosts/woodpecker/woodpecker-server/postgresql.nix
@ -1,18 +0,0 @@
 # Sources for this configuration:
 # - https://github.com/NixOS/nixpkgs/blob/dce84c46d780b20c064d5dfb10d0686e0584a198/nixos/modules/services/web-apps/nextcloud.nix#L1069
 { config, pkgs, ... }:
 {
  services.postgresql = {
    enable = true;
    package = pkgs.postgresql_15;
    ensureDatabases = [ "woodpecker-server" ];
    ensureUsers = [
      {
        name = "woodpecker-server";
        ensureDBOwnership = true;
      }
    ];
  };
 }
--- a/config/hosts/woodpecker/woodpecker-server/woodpecker-server.nix
+++ b/config/hosts/woodpecker/woodpecker-server/woodpecker-server.nix
@ -1,43 +0,0 @@
 # Sources for this configuration:
 # - https://woodpecker-ci.org/docs/administration/deployment/nixos
 # - https://woodpecker-ci.org/docs/administration/server-config
 # - https://woodpecker-ci.org/docs/administration/database
 # - https://woodpecker-ci.org/docs/administration/forges/forgejo
 # - https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-CONNSTRING
 { config, pkgs, ... }:
 {
  services.woodpecker-server = {
    enable = true;
    package = pkgs.woodpecker-server;
    environment = {
      WOODPECKER_HOST = "https://woodpecker.hamburg.ccc.de";
      WOODPECKER_SERVER_ADDR = ":8001";
      WOODPECKER_GRPC_ADDR = ":9000";
      WOODPECKER_ADMIN = "june";
      WOODPECKER_OPEN = "true";
      WOODPECKER_ORGS = "CCCHH";
      WOODPECKER_DATABASE_DRIVER = "postgres";
      WOODPECKER_DATABASE_DATASOURCE = "postgresql://woodpecker-server@/woodpecker-server?host=/run/postgresql";
      WOODPECKER_FORGEJO = "true";
      WOODPECKER_FORGEJO_URL = "https://git.hamburg.ccc.de";
      # Set via enviornmentFile:
      # WOODPECKER_FORGEJO_CLIENT
      # WOODPECKER_FORGEJO_SECRET
    };
    environmentFile = [ "/run/secrets/woodpecker_server_environment_file" ];
  };
  systemd.services.woodpecker-server.serviceConfig = {
    User = "woodpecker-server";
    Group = "woodpecker-server";
  };
  sops.secrets."woodpecker_server_environment_file" = {
    mode = "0440";
    owner = "root";
    group = "root";
    restartUnits = [ "woodpecker-server.service" ];
  };
 }
--- a/config/hosts/yate/networking.nix
+++ b/config/hosts/yate/networking.nix
@ -1,4 +1,4 @@
-{ ... }:
+{ config, pkgs, ... }:
 {
  networking = {
--- a/deployment_configuration.json
+++ b/deployment_configuration.json
@ -23,18 +23,6 @@
    },
    "nix-box-june": {
      "targetHostname": "nix-box-june-intern.hamburg.ccc.de"
    },
    "mjolnir": {
      "targetHostname": "mjolnir-intern.hamburg.ccc.de"
    },
    "woodpecker": {
      "targetHostname": "woodpecker-intern.hamburg.ccc.de"
    },
    "penpot": {
      "targetHostname": "penpot-intern.hamburg.ccc.de"
    },
    "hydra": {
      "targetHostname": "hydra-intern.hamburg.ccc.de"
    }
  }
 }
--- a/flake.lock
+++ b/flake.lock
@ -1,26 +1,12 @@
 {
  "nodes": {
    "authorizedKeysRepo": {
      "flake": false,
      "locked": {
        "lastModified": 1731276342,
        "narHash": "sha256-plTYjM6zPzoBE/dp6EUrk9mCqmab278p8FqBCTX8Grc=",
        "rev": "686a6af22f6696f0c0595c56f463c078550049fc",
        "type": "tarball",
        "url": "https://git.hamburg.ccc.de/api/v1/repos/CCCHH/infrastructure-authorized-keys/archive/686a6af22f6696f0c0595c56f463c078550049fc.tar.gz?rev=686a6af22f6696f0c0595c56f463c078550049fc"
      },
      "original": {
        "type": "tarball",
        "url": "https://git.hamburg.ccc.de/CCCHH/infrastructure-authorized-keys/archive/686a6af22f6696f0c0595c56f463c078550049fc.tar.gz"
      }
    },
    "nixlib": {
      "locked": {
-        "lastModified": 1731200463,
+        "lastModified": 1712450863,
-        "narHash": "sha256-qDaAweJjdFbVExqs8aG27urUgcgKufkIngHW3Rzustg=",
+        "narHash": "sha256-K6IkdtMtq9xktmYPj0uaYc8NsIqHuaAoRBaMgu9Fvrw=",
        "owner": "nix-community",
        "repo": "nixpkgs.lib",
-        "rev": "e04234d263750db01c78a412690363dc2226e68a",
+        "rev": "3c62b6a12571c9a7f65ab037173ee153d539905f",
        "type": "github"
      },
      "original": {
@ -32,14 +18,16 @@
    "nixos-generators": {
      "inputs": {
        "nixlib": "nixlib",
-        "nixpkgs": "nixpkgs"
+        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
-        "lastModified": 1731546190,
+        "lastModified": 1716210724,
-        "narHash": "sha256-kJix8nLyFIJ3EC7VtoXK/85C4ZN2dC5oWoS8+ErehqI=",
+        "narHash": "sha256-iqQa3omRcHGpWb1ds75jS9ruA5R39FTmAkeR3J+ve1w=",
        "owner": "nix-community",
        "repo": "nixos-generators",
-        "rev": "06ffce1a8d95e95c06a4bcfa117dd960b14a7101",
+        "rev": "d14b286322c7f4f897ca4b1726ce38cb68596c94",
        "type": "github"
      },
      "original": {
@ -50,41 +38,57 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1731245184,
+        "lastModified": 1716408408,
-        "narHash": "sha256-vmLS8+x+gHRv1yzj3n+GTAEObwmhxmkkukB2DwtJRdU=",
+        "narHash": "sha256-e4pjcLqe1Dexz7enk/+ui0aVdcoSiWnrTGjk7KLtAPw=",
-        "owner": "NixOS",
+        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "aebe249544837ce42588aa4b2e7972222ba12e8f",
+        "rev": "dff68ababdd2c2616d03f26546ba632f5f09d3c6",
        "type": "github"
      },
      "original": {
-        "owner": "NixOS",
+        "owner": "nixos",
-        "ref": "nixpkgs-unstable",
+        "ref": "nixos-23.11-small",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
-    "nixpkgs_2": {
+    "nixpkgs-stable": {
      "locked": {
-        "lastModified": 1731842749,
+        "lastModified": 1716061101,
-        "narHash": "sha256-aNc8irVBH7sM5cGDvqdOueg8S+fGakf0rEMRGfGwWZw=",
+        "narHash": "sha256-H0eCta7ahEgloGIwE/ihkyGstOGu+kQwAiHvwVoXaA0=",
        "owner": "NixOS",
        "repo": "nixpkgs",
        "rev": "e7cc61784ddf51c81487637b3031a6dd2d6673a2",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
        "ref": "release-23.11",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "nixpkgs-unstable": {
      "locked": {
        "lastModified": 1716479278,
        "narHash": "sha256-2eh7rYxQOntkUjFXtlPH7lBuUDd4isu/YHRjNJW7u1Q=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "bf6132dc791dbdff8b6894c3a85eb27ad8255682",
+        "rev": "2ee89d5a0167a8aa0f2a5615d2b8aefb1f299cd4",
        "type": "github"
      },
      "original": {
        "owner": "nixos",
-        "ref": "nixos-24.05-small",
+        "ref": "nixos-unstable-small",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "root": {
      "inputs": {
        "authorizedKeysRepo": "authorizedKeysRepo",
        "nixos-generators": "nixos-generators",
-        "nixpkgs": "nixpkgs_2",
+        "nixpkgs": "nixpkgs",
        "nixpkgs-unstable": "nixpkgs-unstable",
        "sops-nix": "sops-nix"
      }
    },
@ -92,14 +96,15 @@
      "inputs": {
        "nixpkgs": [
          "nixpkgs"
-        ]
+        ],
        "nixpkgs-stable": "nixpkgs-stable"
      },
      "locked": {
-        "lastModified": 1731862312,
+        "lastModified": 1716400300,
-        "narHash": "sha256-NVUTFxKrJp/hjehlF1IvkPnlRYg/O9HFVutbxOM8zNM=",
+        "narHash": "sha256-0lMkIk9h3AzOHs1dCL9RXvvN4PM8VBKb+cyGsqOKa4c=",
        "owner": "Mic92",
        "repo": "sops-nix",
-        "rev": "472741cf3fee089241ac9ea705bb2b9e0bfa2978",
+        "rev": "b549832718b8946e875c016a4785d204fcfc2e53",
        "type": "github"
      },
      "original": {
--- a/flake.nix
+++ b/flake.nix
@ -5,13 +5,14 @@
    # Use the NixOS small channels for nixpkgs.
    # https://nixos.org/manual/nixos/stable/#sec-upgrading
    # https://github.com/NixOS/nixpkgs
-    nixpkgs.url = "github:nixos/nixpkgs/nixos-24.05-small";
+    nixpkgs.url = "github:nixos/nixpkgs/nixos-23.11-small";
    nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable-small";
    # Add nixos-generators as an input.
    # See here: https://github.com/nix-community/nixos-generators#using-in-a-flake
    nixos-generators = {
      url = "github:nix-community/nixos-generators";
-      #inputs.nixpkgs.follows = "nixpkgs";
+      inputs.nixpkgs.follows = "nixpkgs";
    };
    # Add sops-nix as an input for secret management.
@ -20,261 +21,206 @@
      url = "github:Mic92/sops-nix";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    authorizedKeysRepo = {
      url = "https://git.hamburg.ccc.de/CCCHH/infrastructure-authorized-keys/archive/686a6af22f6696f0c0595c56f463c078550049fc.tar.gz";
      flake = false;
    };
  };
-  outputs = { self, nixpkgs, nixos-generators, sops-nix, authorizedKeysRepo, ... }:
+  outputs = { nixpkgs, nixpkgs-unstable, nixos-generators, sops-nix, ... }:
    let
      specialArgs = {
        inherit authorizedKeysRepo;
      };
      system = "x86_64-linux";
-    in
+      # Shairport Sync 4.3.1 (with nqptp 1.2.4) with metadata, MQTT and AirPlay 2 support.
-    {
+      shairportSync431ExtendedNixpkgsUnstableOverlay = final: prev: {
      overlays = {
        shairportSyncAirplay2 = final: prev: {
        shairport-sync = (prev.shairport-sync.override { enableMetadata = true; enableAirplay2 = true; }).overrideAttrs (finalAttr: previousAttr: {
          # See: https://github.com/mikebrady/shairport-sync/blob/e78a88b64adfe7b5f88fd6faedf55c57445bb240/CONFIGURATION%20FLAGS.md
          configureFlags = previousAttr.configureFlags ++ [ "--with-mqtt-client" ];
          buildInputs = previousAttr.buildInputs ++ [ final.mosquitto ];
          # Use specific Shairport Sync and nqptp versions, since with those the
          # following error doesn't happen:
          # fatal error: The nqptp service on this system, which is required for
          # Shairport Sync to operate, does not seem to be initialised.
          #
          # Also use a more recent dev version to fix Pipewire stuttering issue.
          # See:
          # https://github.com/mikebrady/shairport-sync/issues/1736
          # https://github.com/mikebrady/shairport-sync/blob/a65ec2d7f1f380bbae196d7f8f1cd6a88ef5777b/RELEASENOTES-DEVELOPMENT.md#version-432-dev-51-g98679bbb
          src = final.fetchFromGitHub {
            owner = "mikebrady";
            repo = finalAttr.pname;
            rev = "98679bbb54f5aaeda859e34aa28425647b8d179e";
            hash = "sha256-k0kcgtWk2xlG34lP0ryEaqdskYMNM68YnIRLwFR3jaY=";
          };
        });
        nqptp = prev.nqptp.overrideAttrs (finalAttr: previousAttr: {
          # See Shairport Sync version note.
          src = final.fetchFromGitHub {
            owner = "mikebrady";
            repo = finalAttr.pname;
            rev = "1.2.4";
            hash = "sha256-roTNcr3v2kzE6vQ5plAVtlw1+2yJplltOYsGGibtoZo=";
          };
          # Custom install phase to avoid setcap.
          # See:
          # https://github.com/mikebrady/nqptp/blob/1.2.4/Makefile.am#L23
          installPhase = ''
            mkdir -p $out/bin
            cp nqptp $out/bin/
          '';
        });
      };
-      };
+      pkgs-unstable = nixpkgs-unstable.legacyPackages."x86_64-linux";
-      nixosModules = {
+    in
-        common = ./config/common;
+    {
        proxmox-vm = ./config/proxmox-vm;
        prometheus-exporter = ./config/extra/prometheus-exporter.nix;
      };
      nixosConfigurations = {
-        audio-hauptraum-kueche = nixpkgs.lib.nixosSystem {
+        audio-hauptraum-kueche = nixpkgs-unstable.lib.nixosSystem {
-          inherit system specialArgs;
+          inherit system;
          modules = [
-            self.nixosModules.common
+            ./config/common
-            self.nixosModules.proxmox-vm
+            ./config/proxmox-vm
-            { nixpkgs.overlays = [ self.overlays.shairportSyncAirplay2 ]; }
+            { nixpkgs.overlays = [ shairportSync431ExtendedNixpkgsUnstableOverlay ]; }
            ./config/hosts/audio-hauptraum-kueche
          ];
        };
-        audio-hauptraum-tafel = nixpkgs.lib.nixosSystem {
+        audio-hauptraum-tafel = nixpkgs-unstable.lib.nixosSystem {
-          inherit system specialArgs;
+          inherit system;
          modules = [
-            self.nixosModules.common
+            ./config/common
-            self.nixosModules.proxmox-vm
+            ./config/proxmox-vm
-            { nixpkgs.overlays = [ self.overlays.shairportSyncAirplay2 ]; }
+            { nixpkgs.overlays = [ shairportSync431ExtendedNixpkgsUnstableOverlay ]; }
            ./config/hosts/audio-hauptraum-tafel
          ];
        };
        esphome = nixpkgs.lib.nixosSystem {
-          inherit system specialArgs;
+          inherit system;
          modules = [
-            self.nixosModules.common
+            ./config/common
-            self.nixosModules.proxmox-vm
+            ./config/proxmox-vm
            ./config/hosts/esphome
          ];
        };
        public-reverse-proxy = nixpkgs.lib.nixosSystem {
-          inherit system specialArgs;
+          inherit system;
          modules = [
-            self.nixosModules.common
+            ./config/common
-            self.nixosModules.proxmox-vm
+            ./config/proxmox-vm
            ./config/hosts/public-reverse-proxy
          ];
        };
        netbox = nixpkgs.lib.nixosSystem {
-          inherit system specialArgs;
+          inherit system;
          modules = [
-            self.nixosModules.common
+            ./config/common
-            self.nixosModules.proxmox-vm
+            ./config/proxmox-vm
            sops-nix.nixosModules.sops
            self.nixosModules.prometheus-exporter
            ./config/hosts/netbox
          ];
        };
        matrix = nixpkgs.lib.nixosSystem {
-          inherit system specialArgs;
+          inherit system;
          modules = [
-            self.nixosModules.common
+            ./config/common
-            self.nixosModules.proxmox-vm
+            ./config/proxmox-vm
            sops-nix.nixosModules.sops
            self.nixosModules.prometheus-exporter
            ./config/hosts/matrix
          ];
        };
        public-web-static = nixpkgs.lib.nixosSystem {
-          inherit system specialArgs;
+          inherit system;
          modules = [
-            self.nixosModules.common
+            ./config/common
-            self.nixosModules.proxmox-vm
+            ./config/proxmox-vm
            sops-nix.nixosModules.sops
            self.nixosModules.prometheus-exporter
            ./config/hosts/public-web-static
          ];
        };
        git = nixpkgs.lib.nixosSystem {
-          inherit system specialArgs;
+          inherit system;
          modules = [
-            self.nixosModules.common
+            ./config/common
-            self.nixosModules.proxmox-vm
+            ./config/proxmox-vm
            sops-nix.nixosModules.sops
            self.nixosModules.prometheus-exporter
            ./config/hosts/git
          ];
          specialArgs = {
            inherit pkgs-unstable;
          };
        };
        forgejo-actions-runner = nixpkgs.lib.nixosSystem {
-          inherit system specialArgs;
+          inherit system;
          modules = [
-            self.nixosModules.common
+            ./config/common
-            self.nixosModules.proxmox-vm
+            ./config/proxmox-vm
            sops-nix.nixosModules.sops
            self.nixosModules.prometheus-exporter
            ./config/hosts/forgejo-actions-runner
          ];
        };
        ptouch-print-server = nixpkgs.lib.nixosSystem {
-          inherit system specialArgs;
+          inherit system;
          modules = [
-            self.nixosModules.common
+            ./config/common
-            self.nixosModules.proxmox-vm
+            ./config/proxmox-vm
            ./config/hosts/ptouch-print-server
          ];
        };
        eh22-wiki = nixpkgs.lib.nixosSystem {
-          inherit system specialArgs;
+          inherit system;
          modules = [
-            self.nixosModules.common
+            ./config/common
-            self.nixosModules.proxmox-vm
+            ./config/proxmox-vm
            self.nixosModules.prometheus-exporter
            ./config/hosts/eh22-wiki
          ];
        };
        nix-box-june = nixpkgs.lib.nixosSystem {
-          inherit system specialArgs;
+          inherit system;
          modules = [
-            self.nixosModules.common
+            ./config/common
-            self.nixosModules.proxmox-vm
+            ./config/proxmox-vm
            self.nixosModules.prometheus-exporter
            ./config/hosts/nix-box-june
          ];
        };
        yate = nixpkgs.lib.nixosSystem {
-          inherit system specialArgs;
+          inherit system;
          modules = [
-            self.nixosModules.common
+            ./config/common
-            self.nixosModules.proxmox-vm
+            ./config/proxmox-vm
            sops-nix.nixosModules.sops
            ./config/hosts/yate
          ];
        };
        mqtt = nixpkgs.lib.nixosSystem {
          inherit system specialArgs;
          modules = [
            self.nixosModules.common
            self.nixosModules.proxmox-vm
            ./config/hosts/mqtt
          ];
        };
        mjolnir = nixpkgs.lib.nixosSystem {
          inherit system specialArgs;
          modules = [
            self.nixosModules.common
            self.nixosModules.proxmox-vm
            sops-nix.nixosModules.sops
            self.nixosModules.prometheus-exporter
            ./config/hosts/mjolnir
          ];
        };
        woodpecker = nixpkgs.lib.nixosSystem {
          inherit system specialArgs;
          modules = [
            self.nixosModules.common
            self.nixosModules.proxmox-vm
            sops-nix.nixosModules.sops
            self.nixosModules.prometheus-exporter
            ./config/hosts/woodpecker
          ];
        };
        status = nixpkgs.lib.nixosSystem {
          inherit system specialArgs;
          modules = [
            self.nixosModules.common
            self.nixosModules.proxmox-vm
            sops-nix.nixosModules.sops
            ./config/hosts/status
          ];
        };
        penpot = nixpkgs.lib.nixosSystem {
          inherit system specialArgs;
          modules = [
            self.nixosModules.common
            self.nixosModules.proxmox-vm
            sops-nix.nixosModules.sops
            self.nixosModules.prometheus-exporter
            ./config/hosts/penpot
          ];
        };
        hydra = nixpkgs.lib.nixosSystem {
          inherit system specialArgs;
          modules = [
            self.nixosModules.common
            self.nixosModules.proxmox-vm
            self.nixosModules.prometheus-exporter
            ./config/hosts/hydra
          ];
        };
      };
      packages.x86_64-linux = {
        proxmox-nixos-template = nixos-generators.nixosGenerate {
          inherit specialArgs;
          system = "x86_64-linux";
          modules = [
            ./config/nixos-generators/proxmox.nix
-            self.nixosModules.common
+            ./config/common
-            self.nixosModules.proxmox-vm
+            ./config/proxmox-vm
          ];
          format = "proxmox";
        };
        proxmox-chaosknoten-nixos-template = nixos-generators.nixosGenerate {
          inherit specialArgs;
          system = "x86_64-linux";
          modules = [
            ./config/nixos-generators/proxmox-chaosknoten.nix
            ./config/proxmox-chaosknoten-additional-initial-config.nix
-            self.nixosModules.common
+            ./config/common
-            self.nixosModules.proxmox-vm
+            ./config/proxmox-vm
          ];
          format = "proxmox";
        };
      };
      formatter.x86_64-linux = nixpkgs.legacyPackages.x86_64-linux.nixpkgs-fmt;
      hydraJobs = {
        inherit (self) packages;
        nixosConfigurations = builtins.mapAttrs (name: value: value.config.system.build.toplevel) self.nixosConfigurations;
      };
    };
 }
--- a/modules/services/audio/default.nix
+++ b/modules/services/audio/default.nix
@ -12,6 +12,7 @@ in
  imports = [
    ./librespot.nix
    ./mpd.nix
    ./networking.nix
    ./pipewire.nix
    ./shairport-sync.nix
  ];
--- a/modules/services/audio/librespot.nix
+++ b/modules/services/audio/librespot.nix
@ -23,7 +23,7 @@ in
        After = [ "network-online.target" "pipewire.service" ];
      };
      serviceConfig = {
-        ExecStart = "${pkgs.librespot}/bin/librespot --name '${config.ccchh.services.audio.name}' --device-type speaker --bitrate 320 --enable-volume-normalisation --disable-audio-cache --disable-credential-cache";
+        ExecStart = "${pkgs.librespot}/bin/librespot --name '${config.ccchh.services.audio.name}' --device-type speaker --bitrate 320 --enable-volume-normalisation --disable-audio-cache --disable-credential-cache --quiet";
        User = "librespot";
        Group = "librespot";
      };
@ -34,7 +34,7 @@ in
      users.librespot = {
        isSystemUser = true;
        group = "librespot";
-        extraGroups = [ "pipewire" "audio" ];
+        extraGroups = [ "pipewire" ];
      };
      groups.librespot = { };
    };
--- a/modules/services/audio/networking.nix
+++ b/modules/services/audio/networking.nix
@ -0,0 +1,16 @@
 { config, pkgs, lib, ... }:
 with lib;
 let
  cfg = config.ccchh.services.audio;
 in
 {
  config = mkIf cfg.enable {
    # Disable IPv6, since Shairport-Sync doesn't work with IPv6. Unclear why.
    networking.enableIPv6 = false;
  };
 }
--- a/modules/services/audio/shairport-sync.nix
+++ b/modules/services/audio/shairport-sync.nix
@ -20,7 +20,7 @@ in
      arguments = "-o pw -v";
    };
-    users.users.shairport.extraGroups = [ "pipewire" "audio" ];
+    users.users.shairport.extraGroups = [ "pipewire" ];
    environment.etc.shairport-sync-config = {
      enable = true;