eh22-wiki: remove because of migration to ansible-infra

Flake lock file updates:

• Updated input 'authorizedKeysRepo':
    '686a6af22f.tar.gz?narHash=sha256-plTYjM6zPzoBE/dp6EUrk9mCqmab278p8FqBCTX8Grc%3D' (2024-11-10)
  → '686a6af22f.tar.gz?narHash=sha256-plTYjM6zPzoBE/dp6EUrk9mCqmab278p8FqBCTX8Grc%3D&rev=686a6af22f6696f0c0595c56f463c078550049fc' (2024-11-10)
• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/c87f6eefb71ddde46ecc7fb128dd3f86e48ae69c' (2025-01-23)
  → 'github:nixos/nixpkgs/11e2214d91f0d06ea8575087e3cd8e246c550bd8' (2025-02-04)
• Updated input 'sops-nix':
    'github:Mic92/sops-nix/015d461c16678fc02a2f405eb453abb509d4e1d4' (2025-01-20)
  → 'github:Mic92/sops-nix/4c1251904d8a08c86ac6bc0d72cc09975e89aef7' (2025-01-31)

.sops.yaml

@@ -15,6 +15,7 @@ keys:
   - &host_age_matrix age1f7ams0n2zy994pzt0u30h8tex6xdcernj59t4d70z4kjsyzrr3wsy87xzk
   - &host_age_netbox age13fqs76z2vl5l84dvmmlqjj5xkfsfe85xls8uueul7re9j3ksjs0sw2xc9e
   - &host_age_public_web_static age19s7r8sf7j6zk24x9vumawgxpd2q8epyv7p9qsjntw7v9s3v045mqhmsfp0
+  - &host_age_yate age1kxzl00cfa5v926cvtcp0l3fncwh6fgmk8jvpf4swkl4vh3hv9e5qyqsrnt
   - &host_age_mjolnir age1ej52kwuj8xraxdq685eejj4dmxpfmpgt4d8jka98rtpal6xcueqq9a6wae
   - &host_age_woodpecker age1klxtcr23hers0lh4f5zdd53tyrtg0jud35rhydstyjq9fjymf9hsn2a8ch
   - &host_age_penpot age10ku5rphtsf2lcxg78za7f2dad5cx5x9urgkce0d7tyqwq2enva9sqf7g8r
@@ -147,6 +148,22 @@ creation_rules:
           - *admin_gpg_dante
         age:
           - *host_age_penpot
+  - path_regex: config/hosts/yate/.*
+    key_groups:
+      - pgp:
+          - *admin_gpg_djerun
+          - *admin_gpg_stb
+          - *admin_gpg_jtbx
+          - *admin_gpg_yuri
+          - *admin_gpg_june
+          - *admin_gpg_haegar
+          - *admin_gpg_dario
+          - *admin_gpg_echtnurich
+          - *admin_gpg_max
+          - *admin_gpg_c6ristian
+          - *admin_gpg_dante
+        age:
+          - *host_age_yate
   - key_groups:
       - pgp:
           - *admin_gpg_djerun

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) CCCHH
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

README.md

@@ -73,3 +73,8 @@ Build a new NixOS Proxmox VE Template for the chaosknoten:
 ```shell
 nix build .#proxmox-chaosknoten-nixos-template
 ```
+
+## License
+
+This CCCHH nix-infra repository is licensed under the [MIT License](./LICENSE).  
+[`0001_oidc_group_and_role_mapping_custom_pipeline.patch`](patches/0001_oidc_group_and_role_mapping_custom_pipeline.patch) is licensed under the Creative Commons: CC BY-SA 4.0 license.

config/common/users.nix

@@ -6,14 +6,9 @@
 # - https://git.grzb.de/yuri/nix-infra/-/blob/342a2f732da042d04e579d98e9f834418b7ebf25/users/colmena-deploy/default.nix
 # - https://nixos.org/manual/nix/stable/command-ref/conf-file.html?highlight=nix.conf#available-settings
 
-{ config, pkgs, lib, ... }:
+{ config, pkgs, lib, authorizedKeysRepo, ... }:
 
 let
-  authorizedKeysRepo = pkgs.fetchgit {
-    url = "https://git.hamburg.ccc.de/CCCHH/infrastructure-authorized-keys";
-    rev = "b6a29dc7af0a45a8c0b4904290c7cb0c5bc51413";
-    hash = "sha256-c0aH0wQeJtfXJG5wAbS6aO8yILLI1NNkFAHAeOm8RXA=";
-  };
   authorizedKeys = builtins.filter (item: item != "") (lib.strings.splitString "\n" (builtins.readFile "${authorizedKeysRepo}/authorized_keys"));
 in
 {

config/hosts/audio-hauptraum-kueche/networking.nix

@@ -5,13 +5,13 @@
     interfaces.net0 = {
       ipv4.addresses = [
         {
-          address = "10.31.210.10";
+          address = "172.31.200.14";
           prefixLength = 23;
         }
       ];
     };
-    defaultGateway = "10.31.210.1";
+    defaultGateway = "172.31.200.1";
-    nameservers = [ "10.31.210.1" ];
+    nameservers = [ "172.31.200.1" ];
   };
 
   systemd.network.links."10-net0" = {

config/hosts/audio-hauptraum-tafel/networking.nix

@@ -5,13 +5,13 @@
     interfaces.net0 = {
       ipv4.addresses = [
         {
-          address = "10.31.210.13";
+          address = "172.31.200.15";
           prefixLength = 23;
         }
       ];
     };
-    defaultGateway = "10.31.210.1";
+    defaultGateway = "172.31.200.1";
-    nameservers = [ "10.31.210.1" ];
+    nameservers = [ "172.31.200.1" ];
   };
 
   systemd.network.links."10-net0" = {

config/hosts/eh22-wiki/configuration.nix

@@ -1,7 +0,0 @@
-{ ... }:
-
-{
-  networking.hostName = "eh22-wiki";
-
-  system.stateVersion = "23.11";
-}

config/hosts/eh22-wiki/default.nix

@@ -1,9 +0,0 @@
-{ config, pkgs, ... }:
-
-{
-  imports = [
-    ./configuration.nix
-    ./dokuwiki.nix
-    ./networking.nix
-  ];
-}

config/hosts/eh22-wiki/dokuwiki.nix

@@ -1,165 +0,0 @@
-# Sources for this configuration:
-# - https://www.dokuwiki.org/dokuwiki
-# - https://www.dokuwiki.org/install
-# - https://www.dokuwiki.org/requirements
-# - https://www.dokuwiki.org/install:php
-# - https://www.dokuwiki.org/security
-# - https://www.dokuwiki.org/config:xsendfile
-# - https://www.dokuwiki.org/install:nginx
-# - https://www.dokuwiki.org/faq:uploadsize
-# - https://nixos.wiki/wiki/Phpfpm
-# - https://wiki.archlinux.org/title/Nginx#FastCGI
-# - https://github.com/NixOS/nixpkgs/blob/84c0cb1471eee15e77ed97e7ae1e8cdae8835c61/nixos/modules/services/web-apps/dokuwiki.nix
-# - https://git.hamburg.ccc.de/CCCHH/ansible-infra/src/commit/81c8bfe16b311d5bf4635947fa02dfb65aea7f91/playbooks/files/chaosknoten/configs/wiki/nginx/wiki.hamburg.ccc.de.conf
-# - https://www.php.net/manual/en/install.fpm.php
-# - https://www.php.net/manual/en/install.fpm.configuration.php
-
-{ config, pkgs, ... }:
-
-let
-  # This is also used for user and group names.
-  app = "dokuwiki";
-  domain = "eh22.easterhegg.eu";
-  dataDir = "/srv/www/${domain}";
-in {
-  systemd.tmpfiles.rules = [
-    "d ${dataDir} 0755 ${app} ${app}"
-  ];
-
-  services.phpfpm.pools."${app}" = {
-    user = "${app}";
-    group = "${app}";
-    phpOptions = ''
-      short_open_tag = Off
-      open_basedir =
-      output_buffering = Off
-      output_handler =
-      zlib.output_compression = Off
-      implicit_flush = Off
-      allow_call_time_pass_reference = Off
-      max_execution_time = 30
-      max_input_time = 60
-      max_input_vars = 10000
-      memory_limit = 128M
-      error_reporting = E_ALL & ~E_NOTICE
-      display_errors = Off
-      display_startup_errors = Off
-      log_errors = On
-      ; error_log should be handled by NixOS.
-      variables_order = "EGPCS"
-      register_argc_argv = Off
-      file_uploads = On
-      upload_max_filesize = 20M
-      post_max_size = 20M
-      session.use_cookies = 1
-      ; Checked the default NixOS PHP extensions and the only one missing from
-      ; DokuWikis list of PHP extensions was bz2, so add that.
-      ; Checked with NixOS 23.11 on 2024-05-02.
-      extension = ${pkgs.phpExtensions.bz2}/lib/php/extensions/bz2.so
-    '';
-    settings = {
-      "listen.owner" = "${config.services.nginx.user}";
-      "listen.group" = "${config.services.nginx.group}";
-      "pm" = "dynamic";
-      "pm.max_children" = 32;
-      "pm.start_servers" = 2;
-      "pm.min_spare_servers" = 2;
-      "pm.max_spare_servers" = 4;
-      "pm.max_requests" = 500;
-    };
-  };
-
-  services.nginx = {
-    enable = true;
-
-    virtualHosts."acme-${domain}" = {
-      default = true;
-      enableACME = true;
-      serverName = "${domain}";
-      
-      listen = [
-        {
-          addr = "0.0.0.0";
-          port = 31820;
-        }
-      ];
-    };
-
-    virtualHosts."${domain}" = {
-      default = true;
-      forceSSL = true;
-      useACMEHost = "${domain}";
-
-      listen = [
-        {
-          addr = "0.0.0.0";
-          port = 8443;
-          ssl = true;
-          proxyProtocol = true;
-        }
-      ];
-
-      root = "${dataDir}";
-
-      locations = {
-        "~ /(conf|bin|inc|vendor)/" = {
-          extraConfig = "deny all;";
-        };
-
-        "~ /install.php" = {
-          extraConfig = "deny all;";
-        };
-
-        "~ ^/data/" = {
-          extraConfig = "internal;";
-        };
-
-        "~ ^/lib.*\.(js|css|gif|png|ico|jpg|jpeg)$" = {
-          extraConfig = "expires 31d;";
-        };
-
-        "/" = {
-          index = "doku.php";
-          extraConfig = "try_files $uri $uri/ @dokuwiki;";
-        };
-
-        "@dokuwiki" = {
-          extraConfig = ''
-            # Rewrites "doku.php/" out of the URLs if the userwrite setting is
-            # set to .htaccess in the DokuWiki config page.
-            rewrite ^/_media/(.*) /lib/exe/fetch.php?media=$1 last;
-            rewrite ^/_detail/(.*) /lib/exe/detail.php?media=$1 last;
-            rewrite ^/_export/([^/]+)/(.*) /doku.php?do=export_$1&id=$2 last;
-            rewrite ^/(.*) /doku.php?id=$1&$args last;
-          '';
-        };
-
-        "~ \\.php$" = {
-          extraConfig = ''
-            try_files $uri $uri/ /doku.php;
-            include ${config.services.nginx.package}/conf/fastcgi_params;
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            fastcgi_param REDIRECT_STATUS 200;
-            fastcgi_pass unix:${config.services.phpfpm.pools."${app}".socket};
-          '';
-        };
-      };
-
-      extraConfig = ''
-        # Set maximum file upload size to 20MB (same as upload_max_filesize and
-        # post_max_size in the phpOptions).
-        client_max_body_size 20M;
-        client_body_buffer_size 128k;
-      '';
-    };
-  };
-
-  networking.firewall.allowedTCPPorts = [ 8443 31820 ];
-  networking.firewall.allowedUDPPorts = [ 8443 ];
-
-  users.users."${app}" = {
-    isSystemUser = true;
-    group = "${app}";
-  };
-  users.groups."${app}" = { };
-}

config/hosts/eh22-wiki/networking.nix

@@ -1,22 +0,0 @@
-{ ... }:
-
-{
-  networking = {
-    interfaces.net0 = {
-      ipv4.addresses = [
-        {
-          address = "172.31.17.159";
-          prefixLength = 25;
-        }
-      ];
-    };
-    defaultGateway = "172.31.17.129";
-    nameservers = [ "212.12.50.158" "192.76.134.90" ];
-    search = [ "hamburg.ccc.de" ];
-  };
-
-  systemd.network.links."10-net0" = {
-    matchConfig.MACAddress = "BC:24:11:37:F0:AB";
-    linkConfig.Name = "net0";
-  };
-}

config/hosts/git/forgejo.nix

@@ -7,13 +7,20 @@
 # - https://codeberg.org/forgejo/forgejo/src/branch/forgejo/docs/content/administration/reverse-proxies.en-us.md
 # - https://forgejo.org/docs/latest/admin/email-setup/
 
-{ pkgs-unstable, ... }:
+{ pkgs, ... }:
 
 {
   services.forgejo = {
     enable = true;
+    package = pkgs.forgejo;
     database.type = "postgres";
-    mailerPasswordFile = "/run/secrets/forgejo_git_smtp_password";
+    lfs.enable = true;
+
+    secrets = {
+      mailer = {
+        PASSWD = "/run/secrets/forgejo_git_smtp_password";
+      };
+    };
 
     settings = {
       DEFAULT = {

config/hosts/mqtt/mosquitto.nix

@@ -10,11 +10,11 @@
     persistence = true;
 
     # set config for all listeners
-        listeners = [ {
+    listeners = [{
       settings.allow_anonymous = true;
       omitPasswordAuth = true;
-            acl = ["topic readwrite #"];
+      acl = [ "topic readwrite #" ];
-        } ];
+    }];
 
     bridges.winkekatz = {
       addresses = [

config/hosts/netbox/netbox.nix

@@ -9,7 +9,8 @@
 {
   services.netbox = {
     enable = true;
-    package = pkgs.netbox;
+    # Explicitly use the patched NetBox package.
+    package = pkgs.netbox_4_1;
     secretKeyFile = "/run/secrets/netbox_secret_key";
     keycloakClientSecret = "/run/secrets/netbox_keycloak_secret";
     settings = {
@@ -24,6 +25,24 @@
       SOCIAL_AUTH_KEYCLOAK_PUBLIC_KEY = "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAi/Shi+b2OyYNGVFPsa6qf9SesEpRl5U5rpwgmt8H7NawMvwpPUYVW9o46QW0ulYcDmysT3BzpP3tagO/SFNoOjZdYe0D9nJ7vEp8KHbzR09KCfkyQIi0wLssKnDotVHL5JeUY+iKk+gjiwF9FSFSHPBqsST7hXVAut9LkOvs2aDod9AzbTH/uYbt4wfUm5l/1Ii8D+K7YcsFGUIqxv4XS/ylKqObqN4M2dac69iIwapoh6reaBQEm66vrOzJ+3yi4DZuPrkShJqi2hddtoyZihyCkF+eJJKEI5LrBf1KZB3Ec2YUrqk93ZGUGs/XY6R87QSfR3hJ82B1wnF+c2pw+QIDAQAB";
       SOCIAL_AUTH_KEYCLOAK_AUTHORIZATION_URL = "https://id.hamburg.ccc.de/realms/ccchh/protocol/openid-connect/auth";
       SOCIAL_AUTH_KEYCLOAK_ACCESS_TOKEN_URL = "https://id.hamburg.ccc.de/realms/ccchh/protocol/openid-connect/token";
+      SOCIAL_AUTH_PIPELINE = [
+        # The default pipeline as can be found in:
+        # /nix/store/q2jsn56bgkj0nkz0j4w48x3klyn2x4gp-netbox-4.1.7/opt/netbox/netbox/netbox/settings.py
+        "social_core.pipeline.social_auth.social_details"
+        "social_core.pipeline.social_auth.social_uid"
+        "social_core.pipeline.social_auth.social_user"
+        "social_core.pipeline.user.get_username"
+        "social_core.pipeline.user.create_user"
+        "social_core.pipeline.social_auth.associate_user"
+        "netbox.authentication.user_default_groups_handler"
+        "social_core.pipeline.social_auth.load_extra_data"
+        "social_core.pipeline.user.user_details"
+        # Use custom pipeline functions patched in via netbox41OIDCMappingOverlay.
+        # See: https://docs.goauthentik.io/integrations/services/netbox/
+        "netbox.custom_pipeline.add_groups"
+        "netbox.custom_pipeline.remove_groups"
+        "netbox.custom_pipeline.set_roles"
+      ];
     };
   };
 

config/hosts/public-web-static/spaceapid-config/ccchh-response.json

@@ -14,7 +14,6 @@
     },
     "contact": {
       "phone": "+49 40 23830150",
-      "irc": "ircs://irc.hackint.org:6697/#ccchh",
       "mastodon": "@ccchh@chaos.social",
       "email": "mail@hamburg.ccc.de",
       "ml": "talk@hamburg.ccc.de",
@@ -27,7 +26,7 @@
       },
       "calendar": {
         "type": "ical",
-        "url": "https://cloud.hamburg.ccc.de/remote.php/dav/public-calendars/QJAdExziSnNJEz5g/?export"
+        "url": "webcal://cloud.hamburg.ccc.de/remote.php/dav/public-calendars/QJAdExziSnNJEz5g/?export"
       }
     },
     "links": [

config/hosts/public-web-static/virtualHosts/c3cat.de.nix

@@ -1,10 +1,19 @@
 { pkgs, ... }:
 
-{
+let
+  domain = "c3cat.de";
+  dataDir = "/var/www/${domain}";
+  deployUser = "c3cat-website-deploy";
+in {
+  security.acme.certs."${domain}".extraDomainNames = [ "www.${domain}" ];
+
   services.nginx.virtualHosts = {
-    "acme-c3cat.de" = {
+    "acme-${domain}" = {
       enableACME = true;
-      serverName = "c3cat.de";
+      serverName = "${domain}";
+      serverAliases = [
+        "www.${domain}"
+      ];
 
       listen = [
         {
@@ -14,9 +23,9 @@
       ];
     };
 
-    "c3cat.de" = {
+    "$www.${domain}" = {
       forceSSL = true;
-      useACMEHost = "c3cat.de";
+      useACMEHost = "${domain}";
 
       listen = [
         {
@@ -28,7 +37,7 @@
       ];
 
       locations."/" = {
-        return = "302 https://wiki.hamburg.ccc.de/club:c3cat:start";
+        return = "302 https://c3cat.de$request_uri";
       };
 
       extraConfig = ''
@@ -42,5 +51,45 @@
         real_ip_header proxy_protocol;
       '';
     };
+
+    "${domain}" = {
+      forceSSL = true;
+      useACMEHost = "${domain}";
+
+      listen = [
+        {
+          addr = "0.0.0.0";
+          port = 8443;
+          ssl = true;
+          proxyProtocol = true;
+        }
+      ];
+
+      root = "${dataDir}";
+
+      extraConfig = ''
+        # Make use of the ngx_http_realip_module to set the $remote_addr and
+        # $remote_port to the client address and client port, when using proxy
+        # protocol.
+        # First set our proxy protocol proxy as trusted.
+        set_real_ip_from 172.31.17.140;
+        # Then tell the realip_module to get the addreses from the proxy protocol
+        # header.
+        real_ip_header proxy_protocol;
+      '';
     };
+  };
+
+  systemd.tmpfiles.rules = [
+    "d ${dataDir} 0755 ${deployUser} ${deployUser}"
+  ];
+
+  users.users."${deployUser}" = {
+    isNormalUser = true;
+    group = "${deployUser}";
+    openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIcZJzQO4RYinJm6YDUgCELe8OJA/DYOss+8xp7TtxM0 deploy key for c3cat.de"
+    ];
+  };
+  users.groups."${deployUser}" = { };
 }

config/hosts/public-web-static/virtualHosts/default.nix

@@ -9,6 +9,7 @@
     ./hackertours.hamburg.ccc.de.nix
     ./hamburg.ccc.de.nix
     ./spaceapi.hamburg.ccc.de.nix
+    ./staging.c3cat.de.nix
     ./staging.hacker.tours.nix
     ./staging.hackertours.hamburg.ccc.de.nix
     ./staging.hamburg.ccc.de.nix

config/hosts/public-web-static/virtualHosts/element.hamburg.ccc.de.nix

@@ -1,10 +1,10 @@
 { pkgs, ... }:
 
 let
-  elementWebVersion = "1.11.80";
+  elementWebVersion = "1.11.84";
   element-web = pkgs.fetchzip {
     url = "https://github.com/vector-im/element-web/releases/download/v${elementWebVersion}/element-v${elementWebVersion}.tar.gz";
-    sha256 = "sha256-sudWmNehxGsbZTNirTkoWQ/Bln1DC1CI30wocw9VoH8=";
+    sha256 = "sha256-z2qaKKyUq2S/r3xUUU3ym0FgFbiQr6bcltuKvUMPbH4=";
   };
   elementSecurityHeaders = ''
     # Configuration best practices

config/hosts/public-web-static/virtualHosts/hacker.tours.nix

@@ -4,7 +4,8 @@ let
   domain = "hacker.tours";
   dataDir = "/var/www/${domain}";
   deployUser = "hackertours-website-deploy";
-in {
+in
+{
   services.nginx.virtualHosts = {
     "acme-${domain}" = {
       enableACME = true;

config/hosts/public-web-static/virtualHosts/hackertours.hamburg.ccc.de.nix

@@ -4,7 +4,8 @@ let
   domain = "hackertours.hamburg.ccc.de";
   dataDir = "/var/www/${domain}";
   deployUser = "ht-ccchh-website-deploy";
-in {
+in
+{
   services.nginx.virtualHosts = {
     "acme-${domain}" = {
       enableACME = true;

config/hosts/public-web-static/virtualHosts/historic-easterhegg/default.nix

@@ -1,4 +1,4 @@
-{...}:
+{ ... }:
 
 {
   imports = [

config/hosts/public-web-static/virtualHosts/staging.c3cat.de.nix

@@ -0,0 +1,60 @@
+{ pkgs, ... }:
+
+let
+  domain = "staging.c3cat.de";
+  dataDir = "/var/www/${domain}";
+  deployUser = "c3cat-website-deploy";
+in {
+  services.nginx.virtualHosts = {
+    "acme-${domain}" = {
+      enableACME = true;
+      serverName = "${domain}";
+
+      listen = [
+        {
+          addr = "0.0.0.0";
+          port = 31820;
+        }
+      ];
+    };
+
+    "${domain}" = {
+      forceSSL = true;
+      useACMEHost = "${domain}";
+
+      listen = [
+        {
+          addr = "0.0.0.0";
+          port = 8443;
+          ssl = true;
+          proxyProtocol = true;
+        }
+      ];
+
+      root = "${dataDir}";
+
+      # Disallow *, since this is staging and doesn't need to be in any search
+      # results.
+      locations."/robots.txt" = {
+        return = "200 \"User-agent: *\\nDisallow: *\\n\"";
+      };
+
+      extraConfig = ''
+        # Make use of the ngx_http_realip_module to set the $remote_addr and
+        # $remote_port to the client address and client port, when using proxy
+        # protocol.
+        # First set our proxy protocol proxy as trusted.
+        set_real_ip_from 172.31.17.140;
+        # Then tell the realip_module to get the addreses from the proxy protocol
+        # header.
+        real_ip_header proxy_protocol;
+      '';
+    };
+  };
+
+  systemd.tmpfiles.rules = [
+    "d ${dataDir} 0755 ${deployUser} ${deployUser}"
+  ];
+
+  # c3cat deploy user already defined in c3cat.de.nix.
+}

config/hosts/public-web-static/virtualHosts/staging.hacker.tours.nix

@@ -4,7 +4,8 @@ let
   domain = "staging.hacker.tours";
   dataDir = "/var/www/${domain}";
   deployUser = "hackertours-website-deploy";
-in {
+in
+{
   services.nginx.virtualHosts = {
     "acme-${domain}" = {
       enableACME = true;

config/hosts/public-web-static/virtualHosts/staging.hackertours.hamburg.ccc.de.nix

@@ -4,7 +4,8 @@ let
   domain = "staging.hackertours.hamburg.ccc.de";
   dataDir = "/var/www/${domain}";
   deployUser = "ht-ccchh-website-deploy";
-in {
+in
+{
   services.nginx.virtualHosts = {
     "acme-${domain}" = {
       enableACME = true;

config/hosts/woodpecker/woodpecker-agent/woodpecker-agent.nix

@@ -3,13 +3,12 @@
 # - https://woodpecker-ci.org/docs/administration/agent-config
 # - https://woodpecker-ci.org/docs/administration/backends/docker
 
-{ config, pkgs, pkgs-unstable, ... }:
+{ config, pkgs, ... }:
 
 {
   services.woodpecker-agents.agents."docker" = {
     enable = true;
-    # Since we use woodpecker-server from unstable, use the agent from unstable as well.
+    package = pkgs.woodpecker-agent;
-    package = pkgs-unstable.woodpecker-agent;
     extraGroups = [ "docker" ];
     environment = {
       WOODPECKER_SERVER = "localhost${config.services.woodpecker-server.environment.WOODPECKER_GRPC_ADDR}";

config/hosts/woodpecker/woodpecker-server/woodpecker-server.nix

@@ -5,14 +5,12 @@
 # - https://woodpecker-ci.org/docs/administration/forges/forgejo
 # - https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-CONNSTRING
 
-{ config, pkgs, pkgs-unstable, ... }:
+{ config, pkgs, ... }:
 
 {
   services.woodpecker-server = {
     enable = true;
-    # Use package from unstable to get at least version 2.6.0 for native Forgejo support.
+    package = pkgs.woodpecker-server;
-    # https://github.com/woodpecker-ci/woodpecker/releases/tag/v2.6.0
-    package = pkgs-unstable.woodpecker-server;
     environment = {
       WOODPECKER_HOST = "https://woodpecker.hamburg.ccc.de";
       WOODPECKER_SERVER_ADDR = ":8001";
@@ -24,6 +22,7 @@
       WOODPECKER_DATABASE_DATASOURCE = "postgresql://woodpecker-server@/woodpecker-server?host=/run/postgresql";
       WOODPECKER_FORGEJO = "true";
       WOODPECKER_FORGEJO_URL = "https://git.hamburg.ccc.de";
+      WOODPECKER_LIMIT_MEM = "6442450944"; # 6GB
       # Set via enviornmentFile:
       # WOODPECKER_FORGEJO_CLIENT
       # WOODPECKER_FORGEJO_SECRET

config/hosts/yate/configuration.nix

@@ -1,4 +1,4 @@
-{ config, pkgs, ... }:
+{ ... }:
 
 {
   networking = {

config/hosts/yate/default.nix

@@ -1,10 +1,10 @@
-{ config, pkgs, ... }:
+{ ... }:
 
 {
   imports = [
     ./configuration.nix
     ./networking.nix
     ./yate.nix
-    ./service.nix
+    ./sops.nix
   ];
 }

config/hosts/yate/secrets.yaml

@@ -0,0 +1,233 @@
+git_clone_key: ENC[AES256_GCM,data:Wss8NtyYXOmQ8fYbqKfbGQ+5l+ifNznis9OJ4p2HRPsExOFvgHH60t+D/gsOPTiwL0fEQKQn008Zo7VpIEhKIQM0fW3cd3ED3Tk8QX4hDRxyLl/lql5MlhTm4UMY58rNMBXgA88oR1lozgAa39KMH0MRUoSzrhvecwnAHO+RjZGXBN5zYIorqBVEk5h+1wUGSlV1TroZX9u0cWt11eH59AgKY/oP5mOrgA++E623Oc/DnTxlLbR//lFHW1JPiBSUFMP1ck6fg4PwnADYITgr1B1zdJz1J6jNC+n6S9bKDPnH5bvqmpvJIRmimxR4/R182RkIC+TBhD850cD1y9KSZa0Lh3DZ3LPrqGtZ6MHvpCgY/wPiTUANv6CJPcOAoskaaW57EiFl0ev3Jc3A+XFM6yqQOmmvNXx0hYz6ltlvtsltOcmz5TWooijwTaPS5UEwltYalrT9RNmC/ODkBRkSvuLEBWYwnu8aeo2f/+IxciG0PldDJED2ud6HSkDEXHcPCwodScpnk032Jrc+0qtI,iv:tCo4f5u/y/ZrAfT1N+eUNLy5pKAg/U0xa3cNQmzUgFs=,tag:03HK65hWjYnVzz+7C+HmsA==,type:str]
+sops:
+  kms: []
+  gcp_kms: []
+  azure_kv: []
+  hc_vault: []
+  age:
+    - recipient: age1kxzl00cfa5v926cvtcp0l3fncwh6fgmk8jvpf4swkl4vh3hv9e5qyqsrnt
+      enc: |
+        -----BEGIN AGE ENCRYPTED FILE-----
+        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4Rmg0UXBXcWcyRTV6ZGlP
+        TDY1RFBVaTlVQnJVV3NnU1ZTeEJzb2xsZXdJCnVFSGF0UjQ1OUpxcVNVb2F4K3Uw
+        KzZRYWtTaTJFd29zcmJENTRLMmZsUVkKLS0tIEdGaHRaOWFyeTMzSit4WFh1UGVS
+        bkRxanFoekdaQzZnSkFjNmhwNE1EdkUK5scD+5qe0QJvsgPHTrGQ4KrQLC8EHex1
+        xpImRJ0Y0R3e6p/WLwYbF236Ju2Z4f2Zg2Zw9/ErdM1McBJ8ll6yrw==
+        -----END AGE ENCRYPTED FILE-----
+  lastmodified: "2024-09-08T18:35:07Z"
+  mac: ENC[AES256_GCM,data:tyrfhBaTKnp1lqSPfkErk1UFoI7v/1az+zl9g3XoZ5Apo3CRixdLUldM9sYXqQT5WNrgO2NyZHqvyQOnFZiJuNhlYFSQbgwFFm3gz45BV8Do7QAhAG7+Q6q/Gz9VAqePQJlmzbfeL5iqJC2jhrcGIutO2cI22QULLkBzVVDg1/w=,iv:ayLonGC1F3vp6bh4pcAps6BvMzrG/yT2rPGAcUQ1Geg=,tag:1fIaRIFrzDTSP+oIUHABgQ==,type:str]
+  pgp:
+    - created_at: "2024-08-05T20:33:02Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hQIMAxK/JaB2/SdtAQ/8Dx0hTc0zZkd9+RXuKOXU8ZkKF54lcxfDTMH0rD2bKPhg
+        do/+I4VOSJxfyTvzFNjVXywSCEsws2+RyS73jF4048o4DrNQNG4P70GqXAqjDbQL
+        r+WCKT0if85JYPo/ho8nSRumo44BlbN2+Ftc5Z90UshW63VPU4Xm1Woqm8TOvs/0
+        cyhsigShwJGymnIEY4PwdT6fd/gkVVaoC9nCrkkSbaQZa1rXHud8+jLK+4TXebKl
+        Qk2G2cVivWBioT4wGjhZvQ6lLK4mlaqxiZF3aRYcUs1Hwgq1ZolbgiGPWG4xisFa
+        JgsqYRnmGnTM/33l57Cy8CpVHfprrapUXh2X2Ly/pBRQn+ns2zk1wkpTUHbwmyQi
+        ETLvw68PXbayoDNunMqZl2RWPjPnotNVeG5i2s+pwaEoDKAWcud2NPUWFb+gyftk
+        YNxMdp1CpXXOHpU4Ty+HHXAU/uLVVzLT91RLJAn+Y6rRyevg4UBSB/Y+lc5IMTfa
+        QPPLRPV6/P4LIWDlOdg/S3Q7ZwryNAogU/Hyuuz2xyS8LK7S7M0+BgVBrOkowazy
+        aGemt/BmQkyPQDpJTPxtdzsK1vvplol7uJnNou1h0krrgHlAzb++3i8+V4Z18dBg
+        GSeWIdSm+OD1HPDyD1054wEUAgPfRh0TZma+vDirH4RDH0tMubRGOLl17nV+/v7U
+        ZgEJAhCYgHEjsPDIpUoHopF1vkhxmhv6YqILLzDftbbmDQUqncs/mgnFCJPNnKVJ
+        ldwNj2kuAd2L5VRI0E9k0ZVzg/Aqb8B2wSTiJmQGWI3b0tNfGuC65fe7p8ceJ5vZ
+        et8Y1DEjVg==
+        =u7aP
+        -----END PGP MESSAGE-----
+      fp: EF643F59E008414882232C78FFA8331EEB7D6B70
+    - created_at: "2024-08-05T20:33:02Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hQIMA6EyPtWBEI+2ARAAsrHbA58mnccH/oWDgoEqwJx+ZkeSWo6Arc0nMhU/Qh+9
+        Nl/pKdKm3LsIwkKTRVGDxI4vFRo42LFZE47nyfa70G7GiM1uJnEOx6vLTN0HpL6S
+        YQi8Dbb/+WA7QnGDfaEiozGQzsPMAgSVAE3A0rlcLBqQwiGsfhHr1RwEggfXqMG4
+        twxWIbKI/8T088b1IFs7fOKxzEB6na7+HoNaG22jlvRY0irMfgti8xeflWmZIKf2
+        uY6gM2rCOtCSi8vZEhJiXb5SG1NbyMmVHsz0ZXHwwGsiDACFqISqfR921B0Cuftx
+        Nj2pIwKbGyOOsFjlbC3ZGUMplLzYpRMx8LetLMrksWSpzypWdeI166gjF4MncUlQ
+        gl5hM7gL/+6k86yxIqTeexVoU24NRcsYCnQKZAK5T2fxQxX0BXppWxju6Jq1erRU
+        JZsggrbxELMJfcyrDC1cH/zgAM1kqOi32ZaGiO3U1WA5fxhJPUy5kxoQXSISL7Ng
+        mrnnMKIWK7eClQb47a/lYWEIqw1UjJhCPmKVHlcSmiH8FATfr5KjHeFlK8Zou5Ji
+        yMbVS7s2P9MeEzdnNC8PSFwjM9K7qXuWJYvDQtUracfxgO3X0r7Z+5g62WmLVDcp
+        E26DzDyTrU6Vf6WANOg/V7C7paOasnpcaU62/C65BBtGH23mgEfkJSkBYJWCea7S
+        XAHLeksa73OaeO28kTspM4G/Nlh65lr2p92gmcpbqkARvw8dIOUrAqPMRjJHabZq
+        vLbFx/uqXDPfALVXNWKGZp3vObGPLImQ1EfjVCYzOlkXXnfVdE+ih9+HIYhX
+        =advR
+        -----END PGP MESSAGE-----
+      fp: F155144FC925A1BEA1F8A2C59A2A4CD59BFDC5EC
+    - created_at: "2024-08-05T20:33:02Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hQIMAz5uSgHG2iMJAQ//c9NMv/m/qGaJR+2jeu5VAbPwqIfBbrAEiV2s6TlzJRLz
+        7yEo9l/wh2WV+1Ew9dM5Pe8cgezjNaXgCeV8EEMu6dzOb1N++3TQJ7ET10DaOVec
+        ofEwDUYj8UHmV0VmhOPWLpceAod5wk4Xm4rlJTFjQ6TKN8U0dBoGS1cxHWwWw8oa
+        RebdNmpfSgkj0ohbeD9owxQ7JhqGlOPo1JCz7YI6c6bwQ1wuOC/XqnJt4F5ny8ty
+        y/qj1m9KrL5nRRc06qxNtmYODMuS+OeScfcI4grX7wMTUrqaFkCVHcboi5ZD6DzE
+        L49PT51/KK/lOlgKjSDfGgRRj9a9UO+7IXnMG0/5kDzRRBJDBzZH/5rujP8ffz+8
+        glxGBiBhsLroHbwn3a4BlDHpnuqCKa/7CmSyfGCNPp0TuMPvCVWf6muXA86wo5fQ
+        B/qKjvJV15qWJXdKDYyWJAg2B78/dROYbX142R9wPitP8zyj8b3jrzIcoIViAvkl
+        L3ZnnhqZxzkKcfc2rBsdadBEquz9+oGj6rKARyhFkT92in6zZO19fBZqTH5y/QYl
+        o0bDAbdQKJf36Eqh8G102z2x/Keo7gK/PWwwOi5YrFlgDVk4oBqAHWRgBiEvjSaO
+        Z7Ork1eeBUuZLAofzMoNNDaZS0KBfEgE3gczGpcRjjIwTDSIXM8NVtz7aXwZjUTS
+        XAG89qkxjGjlnJcRrE6izhiNbepWaOYYWb57VB5jL0TciQJHR7nbOGQh0T+tNKcb
+        fKyxZOL8IdGpoqxsRCuaPE5cEwc17XKuu53CfZo9t6hjh8SwRKWGnk7dkYhy
+        =vqhH
+        -----END PGP MESSAGE-----
+      fp: 18DFCE01456DAB52EA38A6584EDC64F35FA1D6A5
+    - created_at: "2024-08-05T20:33:02Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hQIMAw5vwmoEJHQ1ARAArape3cqNbLeWh0YdcG9fBcuzyrTGntyD6ccl9Wwc4aTd
+        +uNMhCl7758tETPPK4qneAYNSnbnFQcgKj0ATkVMhMuT58g15GMEyXvhUsIukpQ7
+        Ca5t+aVh1fmb1pvcWPd4MUUQzt8KKN99+0KfyWzvdsb2jUBKICG3TQvTWXT93+g4
+        LjG6TCW+wv06nTquaCEaR4IdEPJRfZEspUXDhi2Wr/AjXIlvfN/yhs2AyTjde5un
+        kha2iy85o2NikCYoIaqFvFaEDOGjdcT4g/jaErxXn8sSxOQo9aV/r5Ksm/mXyEI2
+        cSrbMfBXwrlrHNZ5VCbYZLbNjIbwFdBV04buZldDT4GYmBW/PG71NeKDrXrgnTOn
+        3fBkXmhFb3gLppMv2v2TY96lGk3Obbfnry1lsgLLW+SvustNe1en3mXSVciCbuEh
+        7bsb4AkJyJXSUFh8jQ1LWxcE9jsI6eIj9eb/tw0QmC0y8Q2fqOV927B8d7Pl2dyU
+        K0aryOwn+80ce7sBd/9JRL6SOHB2nK8BpmRO2blAmhrGEjX8kif9hFrXHLU2+7sb
+        QC0ccFjoleqhTgsnOXCHwfm0ggejvZhS3GLjABgXBp2LVVYuWZXVhCQuRLsUV2v3
+        Wf4fPWaGWw8tTTaW198H0NWfd/FSogzWQcsgknVWM9YS/zzqcQNYsSObwh2q2V/S
+        XAFWrPxSexFSi0XiXK7ahhnp7OTIMtw9dy3e0HQ/7F8guhvhwoTcK6bLY2967wyj
+        IPh1r+J6g090fN2QXm0oHTSJbhl+fy4bOkXVt/ATyPh6b0yRaxMgSGXWeh3C
+        =hGXq
+        -----END PGP MESSAGE-----
+      fp: 87AB00D45D37C9E9167B5A5A333448678B60E505
+    - created_at: "2024-08-05T20:33:02Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hQIMA4HMJd/cQYrVARAAwAzM+dgsD/WBFbCFIXhDdsLmmWZMeVLD1AlLTmu/GfGg
+        YvHhW4giEaqEzUsQOuxmyND7eQd3fBKf1GcwFLXE9xrR6YD5yh7s898mnCpBi2Xi
+        LBPMz7nN/j7mfetPklsTazbbaoSB9hVx8AK7jzS7zvzgEGIm8Yeilx/v8OqbT1xQ
+        +07soWjVvqM526a24KSdRBTgvXPJvqIPt0IEZzFWtAppectcRBiZJHX4huU5wOuG
+        SEk0vgwCwrt3cades+dbh59cSqUc65qGhDti0tnygnSKgepOkQsFOqoZ/WvgE+io
+        5fNEI4g2/D+gmSelCCcQE0MFe+Uzc1FpsWwZiHnbGfnA55GO0dvoOUAsJQtwCLSq
+        1Lw8bpywgfIfU4QMYmZAaYsHDly4VTwluFe1WnExzf/nMxRQQmqIlg2pTmNZ6tJ1
+        1A9Rc6mg83//2fNWRw+JBtOJUCePw5nyJ0jTOQZd7Dl0ZzwlsgH8g/Y/Flg1kFll
+        CXGcJ1TMjTjzD4+Fl3UE+BqpzBjwQodzHqX3LEJ9uJ2guw0zbWzuMs10aTEoW/1U
+        pVGexkrcaduykd5TQmMO8yG6rW2KEKJlh68lxZslUAiG0ASTuSpY5A8leS5OZZgF
+        EQjs903r1epwJgBwnQGhijpTrmqiThvdE0BJ9r1jmxUy75KzWh/SZDmpCwDfsELS
+        XAEceOrsLsaYRqisM5D1zvNneEoGKv3GoS4cs4iuqHPyy2ZueHWK24HmAmrghRQ7
+        uLCmS0SmU5CY5gmVRkrKhY/0wtKWqJ10cK17Z/dQtRz6g3qmFM4JBfMy4BL9
+        =vZLC
+        -----END PGP MESSAGE-----
+      fp: 91213ABAA73B0B73D3C02B5B4E5F372D17BBE67C
+    - created_at: "2024-08-05T20:33:02Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hQIMAxjNhCKPP69fARAApzEcBIVknhmysQc02ufbjFzKweB4jsCvGoPXSooMzs4x
+        p4keH/xaVXF1/nn+bzMHJt1/LV1/5LlyHtQNcZ30hUrziOy4LCnyfNgb5WP3VMP3
+        XW6ZcBiEIcUHZ1Ikl/cUNCpKazVRD6o6oKmFCwXKgE9a/l5XX/j3vizQ22vwfgfa
+        oziQPhMadfne8hXAJIB7fOn45ZLFNgLqYWW4Jh4L1DJflziNR8kx3NQJLWDmSqqB
+        SpuFBkm7DaLCkj/TpvAQs5xSI69kLlDfcaEPI4noAdhJh+jwGVLNmKyekKsYfrDS
+        5cQUVD3Hmn4WnpR2jLJAlwcFaEZt0muiLIxZmAxfSzJhld8G4GOcoAllfG9ze+QG
+        oJ3G6jWtJeoCZR5zbdk+lNcQ+iHD6bzrkN+54menxu2XGHkFKQ1es/g+cU0AI3yZ
+        XXgnlwNtC75TzZHwSA0kjmqcgr5XVcoLOr5XJWasQOyIXpjcHbfonnMV4NE5A/Jo
+        IEMLUdjLBWmjW1xeWo1CJ8hELbpfNaQf8YBzEuo5Yqvs7s0fKl8ea18jwtwYP9qc
+        2CbD+7GpxuK/06gMTt7LExcqt39PVGmeFAtZHNtNBMnZ6Ek5cbWqhjPOCy2MFVaa
+        XTH3UxD1YISZC+NZtSYLDWrTwzY3EYCttAxHzg1iFC8STaM/OR6beD0OPcPj+QLS
+        XAH6NdHQcUSsFJ0KR4dfOrOnuLDzX2xLsgXJvDhRVbpYwSdeG40j5oGiNpam+z8/
+        fDboI4SNzB7Mb4j196kSHWK90sKFsxGkoDGZM/QZh4QA2v0yke1sqkUwkK4I
+        =SLD4
+        -----END PGP MESSAGE-----
+      fp: F38C9D4228FC6F674E322D9C3326D914EB9B8F55
+    - created_at: "2024-08-05T20:33:02Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hQIMA1Hthzn+T1OoAQ/+LSHRuYFtIKdxABivqoxvbirPS9Vyo+lYNXMRt9eK5oYp
+        8ei+fyJgsyxXIIlsW2Dg/ZrM8O4aTxkuX1Eg0BhvuWWGBx71S7IGYX+6eSqrZWb+
+        0zLSwKHmk3avGae/IkpKyEdFnGpHKhnILfpKEXVRWHQo5hjxFzUwzNr5N+wJcq19
+        sVuCsu4WSt75Ab5bTjl/AYrfYegkK5zXo2I+njIcSYqleQ6vlQ10LUiPg8QhPXqB
+        NvC8DVglMHN+dFDrnn5huTsd23nIJn6HRbLkqgPCezT8JUgjvEsO0tOdnM8jwRnI
+        K79HH53p3fbxSut+/P+u1X0gMTOT7KeLfY8URho5HQnnmymXbRxuWoQea9/Z3qIX
+        4tfYkcMQA3+rxXANgsfT1yHEs8NjomUxi0SmSCeqtH333iMJJwEwWgLiIKFAA6t9
+        SffF9liWeG88VEeAF5dM+7uQ7XrTsAlcdHdNoQCpprx3Hx331rFt1DOj3Md2moF0
+        TUqdNsZ7wCA9zlVPwtjkILMGEdz8ZN62an0R/h2ZM9Y/wuZcl1M6wWI9eyjx2Qva
+        7/Xk6LMklmNICifOZZ5Tmw1xSyxOIW8VNp7IiKXZBAjb8NiUveNUos0gjMxNQ3PR
+        oWv8LY3vfYiKE7AJhzrEim1PX36OcRYpB+0BAou//9PGI59tHp/Fupi2lWx7Qv3S
+        XAEJRUzfnCPB56PdLkNFbJAj2v11zD8zBIZqpuGh/f3fE7V0klGy/Dx9yHyAhw0t
+        LeXMrYUYO3zjLc4yh7qdrGPBdWUQg8BzWwIJERdHS90zQwmcTkkaX5en3GII
+        =MQ9C
+        -----END PGP MESSAGE-----
+      fp: 5DA93D5C9D7320E1BD3522C79C78172B3551C9FD
+    - created_at: "2024-08-05T20:33:02Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hQIMA46L6MuPqfJqARAApQx98KdexUMI0KY65hv0IRvBRFouPwpTsd4VpzTsbkYF
+        XDBhxWVXkI9iLS8O6siQygVDDMfIDs5SadVoOicWyOpHR5sjOaW9qHA4w399w8Fe
+        5XoPyfUuQvVywfHMhQiznHNPj5+SgcehwUL1i1+qD3h8RZxbgGkvYKinlkkbxzh/
+        Tk4lYjcoNvb/10XRWDEy5KxMB2qc2BFEWZk6DrXe9ZUd0IzYh+tA07rUZVu8TRAc
+        abx6/0lvgIK45frzYJb17yL/9mCbAUVzSlR/+5LZ+qm73Ax4nsGcGA8nfDVGw/di
+        +BbbpBHdCs7/1XEHfrKzuUXOAd0V1HjeQSS6zzcwsfFLMevYMyTLmiTwo6SEoWSk
+        nN599ZqPutG94MVtvaKqDY47ABSOr0BZIUn4jdus34GTgDjX3TVTx8KPzemIbUv7
+        BQcd654NKQN0poyZegrksnJVfs6OeSULLylufj6vyFNlKbjNR+D1sHhiyKcmyrQf
+        T0jDnPgZIzeVbNSdrDywrme+CykRSoFs60GgGYt6p/Omuh7Vp6we05jzY8lUJL76
+        VsGqqyCn3JLZb6iWFe+P7JT1VXsl8xsrmn5BKoSMeXqaXctYKuJ2E20gc90a8UXm
+        jhnHYeG2QHW1LBgv1yeqCpUIfHxNRr+gJ3cHQLNUuchC3vubf3sBXhHzYXyzyXrS
+        XAFwRah/o35ETWbRhFsw+SzJGTgsyUqKAtWGmfTRPsbVvbam63IEsbTSLOdMahmY
+        6uSgIbsZTobna90eVPFM8w3JIx7+Mq0YtdaLgRqpHJtPC7oVgN+RnKbgEEqQ
+        =uyf4
+        -----END PGP MESSAGE-----
+      fp: 8996B62CBD159DCADD3B6DC08BB33A8ABCF7BC4A
+    - created_at: "2024-08-05T20:33:02Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hQIMA4EEKdYEzV0pAQ//QZwerhHFVjR/LahlgmnO/HyiR+wbvNzHEya/rVwuu+st
+        V8hNgBFp9N1Y9uh/GFIzZd5ETz7yq0FawRptlt5k0CqVYfsDBIB3ewxukJeyjdj2
+        8E84l9SSdmV5uqWK+MV+uY57C8BBcgWtUpjOTNrGkAqtEd5YrSZwcgtKGVLI2Dd/
+        i2I1RYdYP/VTusBtpqPk+IrpJf8jEYcEhl+S0wnG+kh/rhyCCrtda49SgRbuJE2d
+        V9JJlASkC6H6DRn6dVcO2BUZss3ZQB+OF9vfo7tnnuU8Mw1C2JWPy9oPiNat5UGE
+        zVJZf//m0xBfQVFWFDs95lvqzsBcAAg02tTsclPTtgz9buW5Pph3/OUiq4o/ZWOz
+        TMSXGD+Fi/mbP7jJZndtiadMtfOQC1dGC86A5H01aQliWruIMb0Wp55+Zr2Rw39p
+        FlhFSfCzyQHgA+uMa45XFaHCaS9pllWoT3QO3csP5ZyeUM8pLvnxwnLB2BTgg+yF
+        aV3BP0nzbHAUuaDeb/WtRINKRcKHCqrPPAEvb6X0OU51NvzmaWJphpdrvi3/4sEO
+        5+zDlqSZetaBa9WB1iCeD/u8wNNunCXageLxBucesv1uH5PvF51A/aJvXf1jRCym
+        NjSUQw2aSX35nWc9MIcUnO5mB8H4N5BF2FBx8Nq2XnrVgVPqqe1Sc2Ph4tE54QzS
+        XAG1bzAX3lHh77xsUuy/Nk3VE3kzJhaxpyz0rPIn6NQ9lVcy4hiyecKL3Jk3Ffcn
+        kxeKnjym5E4e3f8cMxWQlc+xtwga5QAD2dU2X9fPj6UxGEbh+gDqLv8wtzMr
+        =7R+0
+        -----END PGP MESSAGE-----
+      fp: 9DFA033E3DAEBAD7FDD71B056C7AAA54BE05F7BA
+    - created_at: "2024-08-05T20:33:02Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hF4DQrf1tCqiJxoSAQdA4XhPBK5WnPVo84ZrCUe92HZSEKtH88GLktniZCmAczcw
+        cO5WYiy9D4z/aieGuMTBGg5xRk7eAMZVTbMDV+KXKLVlDwoxKybKSbT+fvhNGJ13
+        0lwBd0RFKYGq4YO+/nUxHZo3hG6qmv3/K06fta/D4p/C5wYefNZVcAj5VqatP3Zi
+        I/ktqdDszkc98/bf4fHoQmSxP25Wp65jJBEYeMZgX75M/wguGeIBfEgZB5bgww==
+        =0G+m
+        -----END PGP MESSAGE-----
+      fp: B71138A6A8964A3C3B8899857B4F70C356765BAB
+    - created_at: "2024-08-05T20:33:02Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hQIMAzdAjw8ldn6CAQ//Vu9YJvMsevJAd4RJwJ5HMdB3xy3dbDG98qZb8Zoj0+qX
+        KT/VsR9YoOLeszmzI6BtB2PQhLeavMR2/SFJTGunxaSCvHcd/q7dnC+WAmUVun8l
+        MVRkIRh1I+tX1KQBqFt1IzsUm5kwJD4iThn4OWyDlS3WCDFlOLUC1iZVtdqxptzy
+        p4mzM4NmR/Z8r8aA+dYdTlzDHyUhVnvYCDaRTIyr2qzd6kUHmo9PMRvqUNQkNA3k
+        YOwLt8VR0nZIAx7YOGwSp4E32tk09o7Z+dUIYqXO71c5TxXsOoeEbVn7gj+7KQVs
+        yDNMF7he54zjModPJkSa4MjwTC2NKzLClux0aE9dW5Zv2eSiTEIlaAwhJjH0wt8O
+        oMJ5A8Y39GmNoAkadQ5NLP6WwTaUFYLacT56/AdAvsodQf7zlF399wXZlQufAgLv
+        3WAvL+LQKpg8TwH74pJe4te4BjnqWvYx+jkRYbRxSXD2iwqrWXk57XysizgjAAre
+        FJe42BeL2uyP/cMTcNFcd+W2DztUkNR54FHSYY8mqev81BYX92ExsfEugsBzUaDF
+        3QBnZIZZInCQKnXIIaj5+rV8XXbMKnyTNBQCxfUk92OOrUhikvYhwfPev2ejUzQm
+        k8RgIG9ZBWDENGX9ojmTH+ec2gWmLvKGyhrKjWvNMzzblHfuxjdSizoQ1FflYEPS
+        XAE9Cu/L0lwQEU8vRRPPF9kRHLoJygxdOYoD4+SggCkPJxtyiCTNWJeOBwbSnGyh
+        B8GnNJwNn7H8vh40se/uo2311O8NcuvdLLiBw9DxCTCcPHqS4e5hF98oiSnI
+        =ZgbM
+        -----END PGP MESSAGE-----
+      fp: 3D70F61E07F64EC4E4EF417BEFCD9D20F58784EF
+  unencrypted_suffix: _unencrypted
+  version: 3.9.0

config/hosts/yate/service.nix

@@ -1,21 +0,0 @@
-{ config, pkgs, ... }:
-
-{
-  systemd.services.yate = {
-    enable = true;
-    description = "Yate telehony engine";
-    unitConfig = {
-      Type = "simple";
-      After="network.target";
-    };
-    serviceConfig = {
-      ExecStart = "${pkgs.yate}/bin/yate -c /yate -e /yate/share -Do";
-      Type="simple";
-      Restart="always";
-      # ...
-    };
-    wantedBy = [ "default.target" ];
-    requiredBy = [ "network.target" ]; 
-    # ...
-  };
-}

config/hosts/yate/sops.nix

@@ -0,0 +1,7 @@
+{ ... }:
+
+{
+  sops = {
+    defaultSopsFile = ./secrets.yaml;
+  };
+}

config/hosts/yate/yate.nix

@@ -1,4 +1,4 @@
-{ config, pkgs, ... }:
+{ pkgs, ... }:
 
 {
   environment.systemPackages = [
@@ -10,4 +10,69 @@
 
   # Just disable it for now.
   networking.firewall.enable = false;
+
+  users = {
+    users.yate = {
+      description = "yate service user";
+      group = "yate-config";
+      isNormalUser = true;
+    };
+
+    groups.yate-config = {
+      members = [ "colmema-deploy" "chaos" "root" "yate"];
+    };
+  };
+
+  environment.etc.yate = {
+    user = "yate";
+    group = "yate-config";
+    mode = "symlink";
+    source = "/var/lib/yate";
+  };
+
+  sops.secrets."git_clone_key" = {
+    mode = "0600";
+    owner = "yate";
+    group = "yate-config";
+    restartUnits = [ "yate.service" ];
+  };
+
+  systemd.services.yate = {
+    enable = true;
+    description = "Yate telehony engine";
+    unitConfig = {
+      After= "network-online.target";
+    };
+    serviceConfig = {
+      ExecStart = "${pkgs.yate}/bin/yate -c /etc/yate -e /etc/yate/share";
+      Type="simple";
+      Restart="always";
+      User="yate";
+      Group="yate-config";
+      StateDirectory = "yate";
+      StateDirectoryMode = "0775";
+    };
+    wantedBy = [ "default.target" ];
+    requires = [ "network-online.target" ];
+    preStart = ''
+      echo "\n" >> /run/secrets/git_clone_key
+      sleep 5
+      id
+      echo "$(stat -c '%U' /var/lib/yate/.git) owns /var/lib/yate/.git"
+      SSH_SUCCESS=1
+      ${pkgs.openssh}/bin/ssh -q -i /run/secrets/git_clone_key forgejo@git.hamburg.ccc.de 2> /var/lib/yate/SSH_CHECK_LOG  || SSH_SUCCESS=0
+      if [[ $SSH_SUCCESS = 1 && $(stat -c '%U' /var/lib/yate/.git) == *yate* ]]; then
+        rm -rf /var/lib/yate/*
+        rm -rf /var/lib/yate/.*
+        env GIT_SSH_COMMAND="${pkgs.openssh}/bin/ssh -i /run/secrets/git_clone_key" ${pkgs.git}/bin/git clone forgejo@git.hamburg.ccc.de:CCCHH/yate-config.git /var/lib/yate
+        ${pkgs.git}/bin/git -C /var/lib/yate config --add safe.directory "/var/lib/yate"
+      fi
+    '';
+    reload= ''
+      id
+      ${pkgs.git}/bin/git config --global --add safe.directory /var/lib/yate
+      /usr/bin/env GIT_SSH_COMMAND="${pkgs.openssh}/bin/ssh -i /run/secrets/git_clone_key" ${pkgs.git}/bin/git -C /var/lib/yate fetch --all
+      /usr/bin/env GIT_SSH_COMMAND="${pkgs.openssh}/bin/ssh -i /run/secrets/git_clone_key" ${pkgs.git}/bin/git -C /var/lib/yate reset --hard origin/master
+    '';
+  };
 }

flake.lock

@@ -1,12 +1,26 @@
 {
   "nodes": {
+    "authorizedKeysRepo": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1731276342,
+        "narHash": "sha256-plTYjM6zPzoBE/dp6EUrk9mCqmab278p8FqBCTX8Grc=",
+        "rev": "686a6af22f6696f0c0595c56f463c078550049fc",
+        "type": "tarball",
+        "url": "https://git.hamburg.ccc.de/api/v1/repos/CCCHH/infrastructure-authorized-keys/archive/686a6af22f6696f0c0595c56f463c078550049fc.tar.gz?rev=686a6af22f6696f0c0595c56f463c078550049fc"
+      },
+      "original": {
+        "type": "tarball",
+        "url": "https://git.hamburg.ccc.de/CCCHH/infrastructure-authorized-keys/archive/686a6af22f6696f0c0595c56f463c078550049fc.tar.gz"
+      }
+    },
     "nixlib": {
       "locked": {
-        "lastModified": 1729386149,
+        "lastModified": 1736643958,
-        "narHash": "sha256-hUP9oxmnOmNnKcDOf5Y55HQ+NnoT0+bLWHLQWLLw9Ks=",
+        "narHash": "sha256-tmpqTSWVRJVhpvfSN9KXBvKEXplrwKnSZNAoNPf/S/s=",
         "owner": "nix-community",
         "repo": "nixpkgs.lib",
-        "rev": "cce4521b6df014e79a7b7afc58c703ed683c916e",
+        "rev": "1418bc28a52126761c02dd3d89b2d8ca0f521181",
         "type": "github"
       },
       "original": {
@@ -18,16 +32,14 @@
     "nixos-generators": {
       "inputs": {
         "nixlib": "nixlib",
-        "nixpkgs": [
+        "nixpkgs": "nixpkgs"
-          "nixpkgs"
-        ]
       },
       "locked": {
-        "lastModified": 1729472750,
+        "lastModified": 1737057290,
-        "narHash": "sha256-s93LPHi5BN7I2xSGNAFWiYb8WRsPvT1LE9ZjZBrpFlg=",
+        "narHash": "sha256-3Pe0yKlCc7EOeq1X/aJVDH0CtNL+tIBm49vpepwL1MQ=",
         "owner": "nix-community",
         "repo": "nixos-generators",
-        "rev": "7c60ba4bc8d6aa2ba3e5b0f6ceb9fc07bc261565",
+        "rev": "d002ce9b6e7eb467cd1c6bb9aef9c35d191b5453",
         "type": "github"
       },
       "original": {
@@ -38,57 +50,41 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1730428893,
+        "lastModified": 1736657626,
-        "narHash": "sha256-fLLUd2dO/Vnf96UDr8YPzerYi+n99l3S5yIUDnmcPBE=",
+        "narHash": "sha256-FWlPMUzp0lkQBdhKlPqtQdqmp+/C+1MBiEytaYfrCTY=",
-        "owner": "nixos",
-        "repo": "nixpkgs",
-        "rev": "38edd08881ce4dc24056eec173b43587a93c990f",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nixos",
-        "ref": "nixos-24.05-small",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
-    },
-    "nixpkgs-stable": {
-      "locked": {
-        "lastModified": 1729973466,
-        "narHash": "sha256-knnVBGfTCZlQgxY1SgH0vn2OyehH9ykfF8geZgS95bk=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "cd3e8833d70618c4eea8df06f95b364b016d4950",
+        "rev": "2f9e2f85cb14a46410a1399aa9ea7ecf433e422e",
         "type": "github"
       },
       "original": {
         "owner": "NixOS",
-        "ref": "release-24.05",
+        "ref": "nixpkgs-unstable",
         "repo": "nixpkgs",
         "type": "github"
       }
     },
-    "nixpkgs-unstable": {
+    "nixpkgs_2": {
       "locked": {
-        "lastModified": 1730449684,
+        "lastModified": 1738663689,
-        "narHash": "sha256-Hlv3rTPxnO+DpKRXw9yjzERLdk05h7+fEbZxWM2taCw=",
+        "narHash": "sha256-L9CwNfoGcvAUpPu6DSkhpdT4tczeWREJWj7ah0Q/qTE=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "ab464abbeb3a2833288c6e907488c49c2e599f88",
+        "rev": "11e2214d91f0d06ea8575087e3cd8e246c550bd8",
         "type": "github"
       },
       "original": {
         "owner": "nixos",
-        "ref": "nixos-unstable-small",
+        "ref": "nixos-24.11-small",
         "repo": "nixpkgs",
         "type": "github"
       }
     },
     "root": {
       "inputs": {
+        "authorizedKeysRepo": "authorizedKeysRepo",
         "nixos-generators": "nixos-generators",
-        "nixpkgs": "nixpkgs",
+        "nixpkgs": "nixpkgs_2",
-        "nixpkgs-unstable": "nixpkgs-unstable",
         "sops-nix": "sops-nix"
       }
     },
@@ -96,15 +92,14 @@
       "inputs": {
         "nixpkgs": [
           "nixpkgs"
-        ],
+        ]
-        "nixpkgs-stable": "nixpkgs-stable"
       },
       "locked": {
-        "lastModified": 1729999681,
+        "lastModified": 1738291974,
-        "narHash": "sha256-qm0uCtM9bg97LeJTKQ8dqV/FvqRN+ompyW4GIJruLuw=",
+        "narHash": "sha256-wkwYJc8cKmmQWUloyS9KwttBnja2ONRuJQDEsmef320=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "1666d16426abe79af5c47b7c0efa82fd31bf4c56",
+        "rev": "4c1251904d8a08c86ac6bc0d72cc09975e89aef7",
         "type": "github"
       },
       "original": {

flake.nix

@@ -5,14 +5,13 @@
     # Use the NixOS small channels for nixpkgs.
     # https://nixos.org/manual/nixos/stable/#sec-upgrading
     # https://github.com/NixOS/nixpkgs
-    nixpkgs.url = "github:nixos/nixpkgs/nixos-24.05-small";
+    nixpkgs.url = "github:nixos/nixpkgs/nixos-24.11-small";
-    nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable-small";
 
     # Add nixos-generators as an input.
     # See here: https://github.com/nix-community/nixos-generators#using-in-a-flake
     nixos-generators = {
       url = "github:nix-community/nixos-generators";
-      inputs.nixpkgs.follows = "nixpkgs";
+      #inputs.nixpkgs.follows = "nixpkgs";
     };
 
     # Add sops-nix as an input for secret management.
@@ -21,214 +20,213 @@
       url = "github:Mic92/sops-nix";
       inputs.nixpkgs.follows = "nixpkgs";
     };
+
+    authorizedKeysRepo = {
+      url = "https://git.hamburg.ccc.de/CCCHH/infrastructure-authorized-keys/archive/686a6af22f6696f0c0595c56f463c078550049fc.tar.gz";
+      flake = false;
+    };
   };
 
-  outputs = { self, nixpkgs, nixpkgs-unstable, nixos-generators, sops-nix, ... }:
+  outputs = { self, nixpkgs, nixos-generators, sops-nix, authorizedKeysRepo, ... }:
     let
-      system = "x86_64-linux";
+      specialArgs = {
-      shairportSync431ExtendedNixpkgsUnstableOverlay = final: prev: {
+        inherit authorizedKeysRepo;
-        shairport-sync = (prev.shairport-sync.override { enableMetadata = true; enableAirplay2 = true; }).overrideAttrs (finalAttr: previousAttr: {
-          # See: https://github.com/mikebrady/shairport-sync/blob/e78a88b64adfe7b5f88fd6faedf55c57445bb240/CONFIGURATION%20FLAGS.md
-          configureFlags = previousAttr.configureFlags ++ [ "--with-mqtt-client" ];
-          buildInputs = previousAttr.buildInputs ++ [ final.mosquitto ];
-        });
       };
-      pkgs-unstable = nixpkgs-unstable.legacyPackages."x86_64-linux";
+      system = "x86_64-linux";
     in
     {
+      nixosModules = {
+        common = ./config/common;
+        proxmox-vm = ./config/proxmox-vm;
+        prometheus-exporter = ./config/extra/prometheus-exporter.nix;
+      };
+      overlays = {
+        netbox41OIDCMappingOverlay = final: prev: {
+          netbox_4_1 = prev.netbox_4_1.overrideAttrs (finalAttr: previousAttr: {
+            patches = previousAttr.patches ++ [ ./patches/0001_oidc_group_and_role_mapping_custom_pipeline.patch ];
+          });
+        };
+      };
       nixosConfigurations = {
         audio-hauptraum-kueche = nixpkgs.lib.nixosSystem {
-          inherit system;
+          inherit system specialArgs;
           modules = [
-            ./config/common
+            self.nixosModules.common
-            ./config/proxmox-vm
+            self.nixosModules.proxmox-vm
-            { nixpkgs.overlays = [ shairportSync431ExtendedNixpkgsUnstableOverlay ]; }
             ./config/hosts/audio-hauptraum-kueche
           ];
         };
 
         audio-hauptraum-tafel = nixpkgs.lib.nixosSystem {
-          inherit system;
+          inherit system specialArgs;
           modules = [
-            ./config/common
+            self.nixosModules.common
-            ./config/proxmox-vm
+            self.nixosModules.proxmox-vm
-            { nixpkgs.overlays = [ shairportSync431ExtendedNixpkgsUnstableOverlay ]; }
             ./config/hosts/audio-hauptraum-tafel
           ];
         };
 
         esphome = nixpkgs.lib.nixosSystem {
-          inherit system;
+          inherit system specialArgs;
           modules = [
-            ./config/common
+            self.nixosModules.common
-            ./config/proxmox-vm
+            self.nixosModules.proxmox-vm
             ./config/hosts/esphome
           ];
         };
 
         public-reverse-proxy = nixpkgs.lib.nixosSystem {
-          inherit system;
+          inherit system specialArgs;
           modules = [
-            ./config/common
+            self.nixosModules.common
-            ./config/proxmox-vm
+            self.nixosModules.proxmox-vm
             ./config/hosts/public-reverse-proxy
           ];
         };
 
         netbox = nixpkgs.lib.nixosSystem {
-          inherit system;
+          inherit system specialArgs;
           modules = [
-            ./config/common
+            self.nixosModules.common
-            ./config/proxmox-vm
+            self.nixosModules.proxmox-vm
             sops-nix.nixosModules.sops
-            ./config/extra/prometheus-exporter.nix
+            self.nixosModules.prometheus-exporter
             ./config/hosts/netbox
+            { nixpkgs.overlays = [ self.overlays.netbox41OIDCMappingOverlay ]; }
           ];
         };
 
         matrix = nixpkgs.lib.nixosSystem {
-          inherit system;
+          inherit system specialArgs;
           modules = [
-            ./config/common
+            self.nixosModules.common
-            ./config/proxmox-vm
+            self.nixosModules.proxmox-vm
             sops-nix.nixosModules.sops
-            ./config/extra/prometheus-exporter.nix
+            self.nixosModules.prometheus-exporter
             ./config/hosts/matrix
           ];
         };
 
         public-web-static = nixpkgs.lib.nixosSystem {
-          inherit system;
+          inherit system specialArgs;
           modules = [
-            ./config/common
+            self.nixosModules.common
-            ./config/proxmox-vm
+            self.nixosModules.proxmox-vm
             sops-nix.nixosModules.sops
-            ./config/extra/prometheus-exporter.nix
+            self.nixosModules.prometheus-exporter
             ./config/hosts/public-web-static
           ];
         };
 
         git = nixpkgs.lib.nixosSystem {
-          inherit system;
+          inherit system specialArgs;
           modules = [
-            ./config/common
+            self.nixosModules.common
-            ./config/proxmox-vm
+            self.nixosModules.proxmox-vm
             sops-nix.nixosModules.sops
-            ./config/extra/prometheus-exporter.nix
+            self.nixosModules.prometheus-exporter
             ./config/hosts/git
           ];
         };
 
         forgejo-actions-runner = nixpkgs.lib.nixosSystem {
-          inherit system;
+          inherit system specialArgs;
           modules = [
-            ./config/common
+            self.nixosModules.common
-            ./config/proxmox-vm
+            self.nixosModules.proxmox-vm
             sops-nix.nixosModules.sops
-            ./config/extra/prometheus-exporter.nix
+            self.nixosModules.prometheus-exporter
             ./config/hosts/forgejo-actions-runner
           ];
         };
 
         ptouch-print-server = nixpkgs.lib.nixosSystem {
-          inherit system;
+          inherit system specialArgs;
           modules = [
-            ./config/common
+            self.nixosModules.common
-            ./config/proxmox-vm
+            self.nixosModules.proxmox-vm
             ./config/hosts/ptouch-print-server
           ];
         };
 
-        eh22-wiki = nixpkgs.lib.nixosSystem {
-          inherit system;
-          modules = [
-            ./config/common
-            ./config/proxmox-vm
-            ./config/extra/prometheus-exporter.nix
-            ./config/hosts/eh22-wiki
-          ];
-        };
-
         nix-box-june = nixpkgs.lib.nixosSystem {
-          inherit system;
+          inherit system specialArgs;
           modules = [
-            ./config/common
+            self.nixosModules.common
-            ./config/proxmox-vm
+            self.nixosModules.proxmox-vm
-            ./config/extra/prometheus-exporter.nix
+            self.nixosModules.prometheus-exporter
             ./config/hosts/nix-box-june
           ];
         };
 
         yate = nixpkgs.lib.nixosSystem {
-          inherit system;
+          inherit system specialArgs;
           modules = [
-            ./config/common
+            self.nixosModules.common
-            ./config/proxmox-vm
+            self.nixosModules.proxmox-vm
+            sops-nix.nixosModules.sops
             ./config/hosts/yate
           ];
         };
 
         mqtt = nixpkgs.lib.nixosSystem {
-          inherit system;
+          inherit system specialArgs;
           modules = [
-            ./config/common
+            self.nixosModules.common
-            ./config/proxmox-vm
+            self.nixosModules.proxmox-vm
             ./config/hosts/mqtt
           ];
         };
 
         mjolnir = nixpkgs.lib.nixosSystem {
-          inherit system;
+          inherit system specialArgs;
           modules = [
-            ./config/common
+            self.nixosModules.common
-            ./config/proxmox-vm
+            self.nixosModules.proxmox-vm
             sops-nix.nixosModules.sops
-            ./config/extra/prometheus-exporter.nix
+            self.nixosModules.prometheus-exporter
             ./config/hosts/mjolnir
           ];
         };
 
         woodpecker = nixpkgs.lib.nixosSystem {
-          inherit system;
+          inherit system specialArgs;
           modules = [
-            ./config/common
+            self.nixosModules.common
-            ./config/proxmox-vm
+            self.nixosModules.proxmox-vm
             sops-nix.nixosModules.sops
-            ./config/extra/prometheus-exporter.nix
+            self.nixosModules.prometheus-exporter
             ./config/hosts/woodpecker
           ];
-          specialArgs = {
-            inherit pkgs-unstable;
-          };
         };
 
         status = nixpkgs.lib.nixosSystem {
-          inherit system;
+          inherit system specialArgs;
           modules = [
-            ./config/common
+            self.nixosModules.common
-            ./config/proxmox-vm
+            self.nixosModules.proxmox-vm
             sops-nix.nixosModules.sops
             ./config/hosts/status
           ];
         };
 
         penpot = nixpkgs.lib.nixosSystem {
-          inherit system;
+          inherit system specialArgs;
           modules = [
-            ./config/common
+            self.nixosModules.common
-            ./config/proxmox-vm
+            self.nixosModules.proxmox-vm
             sops-nix.nixosModules.sops
-            ./config/extra/prometheus-exporter.nix
+            self.nixosModules.prometheus-exporter
             ./config/hosts/penpot
           ];
         };
 
         hydra = nixpkgs.lib.nixosSystem {
-          inherit system;
+          inherit system specialArgs;
           modules = [
-            ./config/common
+            self.nixosModules.common
-            ./config/proxmox-vm
+            self.nixosModules.proxmox-vm
-            ./config/extra/prometheus-exporter.nix
+            self.nixosModules.prometheus-exporter
             ./config/hosts/hydra
           ];
         };
@@ -236,22 +234,24 @@
 
       packages.x86_64-linux = {
         proxmox-nixos-template = nixos-generators.nixosGenerate {
+          inherit specialArgs;
           system = "x86_64-linux";
           modules = [
             ./config/nixos-generators/proxmox.nix
-            ./config/common
+            self.nixosModules.common
-            ./config/proxmox-vm
+            self.nixosModules.proxmox-vm
           ];
           format = "proxmox";
         };
 
         proxmox-chaosknoten-nixos-template = nixos-generators.nixosGenerate {
+          inherit specialArgs;
           system = "x86_64-linux";
           modules = [
             ./config/nixos-generators/proxmox-chaosknoten.nix
             ./config/proxmox-chaosknoten-additional-initial-config.nix
-            ./config/common
+            self.nixosModules.common
-            ./config/proxmox-vm
+            self.nixosModules.proxmox-vm
           ];
           format = "proxmox";
         };

modules/services/audio/shairport-sync.nix

@@ -17,6 +17,7 @@ in
   config = mkIf cfg.enable {
     services.shairport-sync = {
       enable = true;
+      package = pkgs.shairport-sync-airplay2;
       arguments = "-o pw -v";
     };
 

patches/0001_oidc_group_and_role_mapping_custom_pipeline.patch

@@ -0,0 +1,61 @@
+diff --git a/netbox/netbox/custom_pipeline.py b/netbox/netbox/custom_pipeline.py
+new file mode 100644
+index 000000000..470f388dc
+--- /dev/null
++++ b/netbox/netbox/custom_pipeline.py
+@@ -0,0 +1,55 @@
++# Licensed under Creative Commons: CC BY-SA 4.0 license.
++# https://github.com/goauthentik/authentik/blob/main/LICENSE
++# https://github.com/goauthentik/authentik/blob/main/website/integrations/services/netbox/index.md
++# https://docs.goauthentik.io/integrations/services/netbox/
++from netbox.authentication import Group
++
++class AuthFailed(Exception):
++    pass
++
++def add_groups(response, user, backend, *args, **kwargs):
++    try:
++        groups = response['groups']
++    except KeyError:
++        pass
++
++    # Add all groups from oAuth token
++    for group in groups:
++        group, created = Group.objects.get_or_create(name=group)
++        user.groups.add(group)
++
++def remove_groups(response, user, backend, *args, **kwargs):
++    try:
++        groups = response['groups']
++    except KeyError:
++        # Remove all groups if no groups in oAuth token
++        user.groups.clear()
++        pass
++
++    # Get all groups of user
++    user_groups = [item.name for item in user.groups.all()]
++    # Get groups of user which are not part of oAuth token
++    delete_groups = list(set(user_groups) - set(groups))
++
++    # Delete non oAuth token groups
++    for delete_group in delete_groups:
++        group = Group.objects.get(name=delete_group)
++        user.groups.remove(group)
++
++
++def set_roles(response, user, backend, *args, **kwargs):
++    # Remove Roles temporary
++    user.is_superuser = False
++    user.is_staff = False
++    try:
++        groups = response['groups']
++    except KeyError:
++        # When no groups are set
++        # save the user without Roles
++        user.save()
++        pass
++
++    # Set roles is role (superuser or staff) is in groups
++    user.is_superuser = True if 'superusers' in groups else False
++    user.is_staff = True if 'staff' in groups else False
++    user.save()