From b5ec5fd763b70347fc698492f39c797b34a793b1 Mon Sep 17 00:00:00 2001
From: June
Date: Tue, 16 Jan 2024 02:33:13 +0100
Subject: [PATCH 001/170] Update spaceapid

---
 config/hosts/public-web-static/spaceapid.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/config/hosts/public-web-static/spaceapid.nix b/config/hosts/public-web-static/spaceapid.nix
index f3aa25b1..0a87c4f3 100644
--- a/config/hosts/public-web-static/spaceapid.nix
+++ b/config/hosts/public-web-static/spaceapid.nix
@@ -4,7 +4,7 @@ let
   spaceapidSrc = builtins.fetchGit {
     url = "https://git.hamburg.ccc.de/CCCHH/spaceapid.git";
     ref = "main";
-    rev = "cf9678d7126e1951f9e4aabaa30d7350eb76973b";
+    rev = "bbeb0d0e2b4538faed275b9891fb55149bc3a2f8";
   };
   spaceapid = pkgs.buildGoModule {
     pname = "spaceapid";

From 7cef911b6159bff46fd4239240e17de5200aa645 Mon Sep 17 00:00:00 2001
From: Bennett Wetters
Date: Tue, 16 Jan 2024 02:46:09 +0100
Subject: [PATCH 002/170] Set -ldflags for spaceapid to set version string

Co-authored-by: June
---
 config/hosts/public-web-static/spaceapid.nix | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/config/hosts/public-web-static/spaceapid.nix b/config/hosts/public-web-static/spaceapid.nix
index 0a87c4f3..8c9cb875 100644
--- a/config/hosts/public-web-static/spaceapid.nix
+++ b/config/hosts/public-web-static/spaceapid.nix
@@ -6,11 +6,15 @@ let
     ref = "main";
     rev = "bbeb0d0e2b4538faed275b9891fb55149bc3a2f8";
   };
-  spaceapid = pkgs.buildGoModule {
+  spaceapid = pkgs.buildGoModule rec {
     pname = "spaceapid";
     version = "main";
     src = spaceapidSrc;
+
+    ldflags = [
+      "-X main.version=${version}-${spaceapidSrc.rev}"
+    ];
 
     # Since spaceapid doesn't have any dependencies, we can set this to null and
     # use the nonexistend vendored dependencies.

From 8faf83158f9e5de20ac405ac2bb107264a6ebe89 Mon Sep 17 00:00:00 2001
From: June
Date: Tue, 16 Jan 2024 20:35:56 +0100
Subject: [PATCH 003/170] Disable HTTP Basic authentication and set default repo units for Forgejo

---
 config/hosts/git/forgejo.nix | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/config/hosts/git/forgejo.nix b/config/hosts/git/forgejo.nix
index f9075525..342a06a2 100644
--- a/config/hosts/git/forgejo.nix
+++ b/config/hosts/git/forgejo.nix
@@ -43,6 +43,10 @@
       ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
       DEFAULT_USER_VISIBILITY = "limited";
       DEFAULT_KEEP_EMAIL_PRIVATE = true;
+      ENABLE_BASIC_AUTHENTICATION = false;
+    };
+    repo = {
+      DEFAULT_REPO_UNITS = "repo.code,repo.issues,repo.pulls";
     };
     mailer = {
       ENABLED = true;

From 4970f5905227bbc3c707378f20226302117d0c58 Mon Sep 17 00:00:00 2001
From: June
Date: Thu, 18 Jan 2024 05:02:47 +0100
Subject: [PATCH 004/170] Enable Forgejo Actions for our Forgejo

---
 config/hosts/git/forgejo.nix | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/config/hosts/git/forgejo.nix b/config/hosts/git/forgejo.nix
index 342a06a2..a6e6b818 100644
--- a/config/hosts/git/forgejo.nix
+++ b/config/hosts/git/forgejo.nix
@@ -48,6 +48,9 @@
     repo = {
       DEFAULT_REPO_UNITS = "repo.code,repo.issues,repo.pulls";
     };
+    actions = {
+      ENABLED = true;
+    };
     mailer = {
       ENABLED = true;
       FROM = "no-reply@git.hamburg.ccc.de";

From 85c059c75c6e4e2e96c591af4295a4c56b8db6bf Mon Sep 17 00:00:00 2001
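Review bot: `repo = { DEFAULT_REPO_UNITS = ... };` most likely never reaches Forgejo, because the ini section that holds DEFAULT_REPO_UNITS is `[repository]` (that is where the Gitea/Forgejo config cheat sheet lists it), and `services.forgejo.settings` maps the attribute name straight onto the section name, so this writes an unknown `[repo]` section that is silently ignored. Rename it to `repository = {` and confirm after deployment that a freshly created repository comes up with only code, issues and pull requests enabled, which is the observable effect the commit is after. Disabling basic authentication on the line above is fine as written; API clients then have to use tokens, which is the intended outcome. The same `repo` section is carried forward unchanged as context in patch 004.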
From: June
Date: Thu, 18 Jan 2024 05:03:21 +0100
Subject: [PATCH 005/170] Configure new forgejo-actions-runner host

Configure it to host a forgejo-actions-runner capable of handling CI workloads running on Docker.
---
 .../forgejo-actions-runner/configuration.nix | 7 +++++
 .../hosts/forgejo-actions-runner/default.nix | 10 +++++++
 .../hosts/forgejo-actions-runner/docker.nix | 13 ++++++++
 .../forgejo-actions-runner.nix | 30 +++++++++++++++++++
 .../forgejo-actions-runner/networking.nix | 20 +++++++++++++
 flake.nix | 14 +++++++++
 6 files changed, 94 insertions(+)
 create mode 100644 config/hosts/forgejo-actions-runner/configuration.nix
 create mode 100644 config/hosts/forgejo-actions-runner/default.nix
 create mode 100644 config/hosts/forgejo-actions-runner/docker.nix
 create mode 100644 config/hosts/forgejo-actions-runner/forgejo-actions-runner.nix
 create mode 100644 config/hosts/forgejo-actions-runner/networking.nix

diff --git a/config/hosts/forgejo-actions-runner/configuration.nix b/config/hosts/forgejo-actions-runner/configuration.nix
new file mode 100644
index 00000000..d2a52daa
--- /dev/null
+++ b/config/hosts/forgejo-actions-runner/configuration.nix
@@ -0,0 +1,7 @@
+{ config, pkgs, ... }:
+
+{
+  networking.hostName = "forgejo-actions-runner";
+
+  system.stateVersion = "23.11";
+}
diff --git a/config/hosts/forgejo-actions-runner/default.nix b/config/hosts/forgejo-actions-runner/default.nix
new file mode 100644
index 00000000..6a01b204
--- /dev/null
+++ b/config/hosts/forgejo-actions-runner/default.nix
@@ -0,0 +1,10 @@
+{ ... }:
+
+{
+  imports = [
+    ./configuration.nix
+    ./docker.nix
+    ./forgejo-actions-runner.nix
+    ./networking.nix
+  ];
+}
diff --git a/config/hosts/forgejo-actions-runner/docker.nix b/config/hosts/forgejo-actions-runner/docker.nix
new file mode 100644
index 00000000..b626e9f9
--- /dev/null
+++ b/config/hosts/forgejo-actions-runner/docker.nix
@@ -0,0 +1,13 @@
+# Sources for this configuration:
+# - https://nixos.wiki/wiki/Docker
+{ config, pkgs, ... }:
+
+{
+  virtualisation.docker = {
+    enable = true;
+    autoPrune = {
+      enable = true;
+      dates = "weekly";
+    };
+  };
+}
diff --git a/config/hosts/forgejo-actions-runner/forgejo-actions-runner.nix b/config/hosts/forgejo-actions-runner/forgejo-actions-runner.nix
new file mode 100644
index 00000000..b2efcbe9
--- /dev/null
+++ b/config/hosts/forgejo-actions-runner/forgejo-actions-runner.nix
@@ -0,0 +1,30 @@
+# Sources for this configuration:
+# - https://forgejo.org/docs/latest/admin/actions/
+# - https://forgejo.org/docs/latest/user/actions/
+# - https://docs.gitea.com/next/usage/actions/act-runner
+
+{ config, pkgs, ... }:
+
+{
+  services.gitea-actions-runner = {
+    package = pkgs.forgejo-actions-runner;
+    instances.ccchh-forgejo-global-docker = {
+      enable = true;
+      name = "Global Docker Forgejo Actions Runner";
+      url = "https://git.hamburg.ccc.de/";
+      tokenFile = "/secrets/registration-token.secret";
+      labels = [ "docker:docker://node:current-bookworm" ];
+    };
+  };
+
+  deployment.keys = {
+    "registration-token.secret" = {
+      keyCommand = [ "pass" "noc/services/forgejo-actions-runner/registration_token" ];
+      destDir = "/secrets";
+      user = "gitea-runner";
+      group = "gitea-runner";
+      permissions = "0640";
+      uploadAt = "pre-activation";
+    };
+  };
+}
diff --git a/config/hosts/forgejo-actions-runner/networking.nix b/config/hosts/forgejo-actions-runner/networking.nix
new file mode 100644
index 00000000..7c5e1781
--- /dev/null
+++ b/config/hosts/forgejo-actions-runner/networking.nix
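Review bot: The runner is registered against the forge root (`url = "https://git.hamburg.ccc.de/"`, instance `ccchh-forgejo-global-docker`), so it will execute workflows from every repository on the instance, and the docker.nix hunk in this same commit puts the Docker daemon on the same VM, which is the natural escape surface for a malicious or merely buggy workflow. Whether job containers additionally get the daemon socket mounted depends on the runner's `container.docker_host` setting, which this hunk leaves at the package default; that is worth confirming and pinning through the instance's `settings` (if the 23.11 module exposes it), since a mounted socket is root on the runner host. The isolation this design actually relies on is the dedicated VM declared in the flake.nix hunk, and that assumption belongs in this file: `# Global runner: executes workflows of every repository on the forge. Jobs share this VM's Docker daemon, so keep nothing else on this host and treat it as disposable.` The `config` argument in the function header is unused.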
@@ -0,0 +1,20 @@
+{ config, pkgs, ... }:
+
+{
+  networking.interfaces.net0 = {
+    ipv4.addresses = [
+      {
+        address = "172.31.17.155";
+        prefixLength = 25;
+      }
+    ];
+  };
+  networking.defaultGateway = "172.31.17.129";
+  networking.nameservers = [ "212.12.50.158" "192.76.134.90" ];
+  networking.search = [ "hamburg.ccc.de" ];
+
+  systemd.network.links."10-net0" = {
+    matchConfig.MACAddress = "1E:E0:4E:D0:DA:BE";
+    linkConfig.Name = "net0";
+  };
+}
diff --git a/flake.nix b/flake.nix
index 086c0761..6bc74ee6 100644
--- a/flake.nix
+++ b/flake.nix
@@ -178,6 +178,20 @@
           ./config/hosts/git
         ];
       };
+
+      forgejo-actions-runner = {
+        deployment = {
+          targetHost = "forgejo-actions-runner-intern.hamburg.ccc.de";
+          targetPort = 22;
+          targetUser = "colmena-deploy";
+          tags = [ "chaosknoten" ];
+        };
+        imports = [
+          ./config/common
+          ./config/proxmox-vm
+          ./config/hosts/forgejo-actions-runner
+        ];
+      };
     };
 
     packages.x86_64-linux = {

From f6567bffb238f506d2dff1488ab3bef072af4642 Mon Sep 17 00:00:00 2001
From: June
Date: Sat, 20 Jan 2024 21:34:09 +0100
Subject: [PATCH 006/170] Use Forgejo 1.21 from NixOS unstable to make Actions work properly

1.21 has scheduled Actions for example, which we need.
---
 config/hosts/git/forgejo.nix | 3 ++-
 flake.nix | 4 ++++
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/config/hosts/git/forgejo.nix b/config/hosts/git/forgejo.nix
index a6e6b818..22be46bd 100644
--- a/config/hosts/git/forgejo.nix
+++ b/config/hosts/git/forgejo.nix
@@ -7,11 +7,12 @@
 # - https://codeberg.org/forgejo/forgejo/src/branch/forgejo/docs/content/administration/reverse-proxies.en-us.md
 # - https://forgejo.org/docs/latest/admin/email-setup/
 
-{ ... }:
+{ pkgs-unstable, ... }:
 
 {
   services.forgejo = {
     enable = true;
+    package = pkgs-unstable.forgejo;
     database.type = "postgres";
     mailerPasswordFile = "/secrets/forgejo-git-smtp-password.secret";
 
diff --git a/flake.nix b/flake.nix
index 6bc74ee6..63ecb990 100644
--- a/flake.nix
+++ b/flake.nix
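Review bot: `package = pkgs-unstable.forgejo;` pairs a Forgejo build from nixpkgs-unstable with the `services.forgejo` module of the stable release the host otherwise runs, and nothing records that the two are now expected to drift (the module generates app.ini keys and CLI invocations for the version it ships with, so an update on either side can break the other). A one-line comment above it, `# 1.21 from unstable for scheduled Actions; the NixOS module is still the stable one, re-check on every nixpkgs bump.`, would tell the next person why `pkgs-unstable` is threaded through `nodeSpecialArgs` in the flake.nix hunk and what to watch after an update. The `services.forgejo` block continues outside the hunk.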
@@ -57,6 +57,7 @@
         '';
       });
     };
+    pkgs-unstable = nixpkgs-unstable.legacyPackages."x86_64-linux";
   in {
     colmena = {
       meta = {
@@ -65,6 +66,9 @@
           audio-hauptraum-kueche = nixpkgs-unstable.legacyPackages."x86_64-linux".extend shairportSync431ExtendedNixpkgsUnstableOverlay;
           audio-hauptraum-tafel = nixpkgs-unstable.legacyPackages."x86_64-linux".extend shairportSync431ExtendedNixpkgsUnstableOverlay;
         };
+        nodeSpecialArgs = {
+          git = { inherit pkgs-unstable; };
+        };
       };
 
       audio-hauptraum-kueche = {

From 598e11064150df05c8a8d7b7f60ba9ff3746dcbd Mon Sep 17 00:00:00 2001
From: June
Date: Sat, 20 Jan 2024 21:39:22 +0100
Subject: [PATCH 007/170] Don't keep artifacts for so long

Keep them for 30 days instead of the default 90.
---
 config/hosts/git/forgejo.nix | 1 +
 1 file changed, 1 insertion(+)

diff --git a/config/hosts/git/forgejo.nix b/config/hosts/git/forgejo.nix
index 22be46bd..cd8477a7 100644
--- a/config/hosts/git/forgejo.nix
+++ b/config/hosts/git/forgejo.nix
@@ -51,6 +51,7 @@
     };
     actions = {
       ENABLED = true;
+      ARTIFACT_RETENTION_DAYS = 30;
     };
     mailer = {
       ENABLED = true;

From aa25b300e3c98fcd5703c5f24357805a46f1bfeb Mon Sep 17 00:00:00 2001
From: June
Date: Sun, 21 Jan 2024 03:54:01 +0100
Subject: [PATCH 008/170] Fix temperature unit in spaceapid response

See:
https://github.com/SpaceApi/directory/pull/247#pullrequestreview-1825757336
https://git.hamburg.ccc.de/CCCHH/spaceapid/pulls/26
https://spaceapi.io/docs/#schema-key-sensors-temperature-unit
---
 .../public-web-static/spaceapid-config/ccchh-dynamic.json | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/config/hosts/public-web-static/spaceapid-config/ccchh-dynamic.json b/config/hosts/public-web-static/spaceapid-config/ccchh-dynamic.json
index f7688ff9..1872a539 100644
--- a/config/hosts/public-web-static/spaceapid-config/ccchh-dynamic.json
+++ b/config/hosts/public-web-static/spaceapid-config/ccchh-dynamic.json
@@ -4,7 +4,7 @@
     "temperature": [
       {
         "sensor_data": {
-          "unit": "C",
+          "unit": "°C",
           "location": "Hauptraum",
           "description": "Sensor im Hauptraum"
         },
@@ -14,7 +14,7 @@
       },
       {
         "sensor_data": {
-          "unit": "C",
+          "unit": "°C",
           "location": "Loetschlauch",
           "description": "Sensor im Lötschlauch (Teil der Werkstatt)"
         },
@@ -24,7 +24,7 @@
       },
       {
         "sensor_data": {
-          "unit": "C",
+          "unit": "°C",
           "location": "Innenhof",
           "description": "Sensor im Innenhof (erreichbar durch das Flurfenster)"
         },

From 7fd115ca2295966f9c9b31fbcf8bc4c33fa3a066 Mon Sep 17 00:00:00 2001
From: June
Date: Sun, 21 Jan 2024 04:55:57 +0100
Subject: [PATCH 009/170] Use new infrastructure-authorized-keys url and latest commit

---
 config/common/users.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/config/common/users.nix b/config/common/users.nix
index 54970ec3..06170bc0 100644
--- a/config/common/users.nix
+++ b/config/common/users.nix
@@ -10,9 +10,9 @@
 
 let
   authorizedKeysRepo = builtins.fetchGit {
-    url = "ssh://git@gitlab.hamburg.ccc.de:4242/ccchh/infrastructure-authorized-keys.git";
+    url = "forgejo@git.hamburg.ccc.de:CCCHH/infrastructure-authorized-keys.git";
     ref = "trunk";
-    rev = "6dbf11113603a4f6c12f781c2dc7a8980e65a131";
+    rev = "0db6df46b68c07edbefe2a5f9ce4002fb6462980";
   };
   authorizedKeys = builtins.filter (item: item != "") (lib.strings.splitString "\n" (builtins.readFile "${authorizedKeysRepo}/authorized_keys"));
 in

From 12c38aac8bcf4607764012a5219b0302ee2da8ef Mon Sep 17 00:00:00 2001
From: June
Date: Mon, 22 Jan 2024 02:05:48 +0100
Subject: [PATCH 010/170] Add CO2 sensors to spaceapid response

---
 .../spaceapid-config/ccchh-dynamic.json | 22 +++++++++++++++++++
 1 file changed, 22 insertions(+)

diff --git a/config/hosts/public-web-static/spaceapid-config/ccchh-dynamic.json b/config/hosts/public-web-static/spaceapid-config/ccchh-dynamic.json
index 1872a539..b2f9f8e2 100644
--- a/config/hosts/public-web-static/spaceapid-config/ccchh-dynamic.json
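Review bot: The pinned `rev` is the only thing standing between every host's `authorized_keys` and whatever gets pushed to `trunk`, and nothing in the hunk says so; a comment on the `rev` line, `# Pinned on purpose: bumping this commit is the review step that authorizes new SSH keys on all hosts.`, would stop a later "just track the branch" cleanup from quietly removing that review step. The switch to the scp-style `forgejo@git.hamburg.ccc.de:...` URL also means evaluation now depends on the evaluating user's SSH identity and on git.hamburg.ccc.de's host key being in that user's known_hosts; presumably that was already true for the old GitLab URL, but a line next to the new URL would tell a fresh deploy machine what it needs to pre-trust. The `let` block continues outside the hunk.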
+++ b/config/hosts/public-web-static/spaceapid-config/ccchh-dynamic.json
@@ -64,6 +64,28 @@
           "club-assistant"
         ]
       }
+    ],
+    "CO2": [
+      {
+        "sensor_data": {
+          "unit": "ppm",
+          "location": "Hauptraum",
+          "description": "Sensor im Hauptraum (Typ: SCD41)"
+        },
+        "allowed_credentials": [
+          "club-assistant"
+        ]
+      },
+      {
+        "sensor_data": {
+          "unit": "ppm",
+          "location": "Loetschlauch",
+          "description": "Sensor im Lötschlauch (Teil der Werkstatt, Typ: SCD41)"
+        },
+        "allowed_credentials": [
+          "club-assistant"
+        ]
+      }
     ]
   },
   "state": {

From 485ed0fec2e892944845dd125a4cd3342f4ca8cc Mon Sep 17 00:00:00 2001
From: June
Date: Mon, 22 Jan 2024 17:59:01 +0100
Subject: [PATCH 011/170] Use opensearch for code and issue search

---
 config/hosts/git/default.nix | 1 +
 config/hosts/git/forgejo.nix | 7 +++++++
 config/hosts/git/opensearch.nix | 12 ++++++++++++
 3 files changed, 20 insertions(+)
 create mode 100644 config/hosts/git/opensearch.nix

diff --git a/config/hosts/git/default.nix b/config/hosts/git/default.nix
index e2f517bc..0f4664e4 100644
--- a/config/hosts/git/default.nix
+++ b/config/hosts/git/default.nix
@@ -6,6 +6,7 @@
     ./forgejo.nix
     ./networking.nix
     ./nginx.nix
+    ./opensearch.nix
     ./redis.nix
   ];
 }
diff --git a/config/hosts/git/forgejo.nix b/config/hosts/git/forgejo.nix
index cd8477a7..d571fb6f 100644
--- a/config/hosts/git/forgejo.nix
+++ b/config/hosts/git/forgejo.nix
@@ -66,6 +66,13 @@
       ADAPTER = "redis";
       HOST = "redis+socket:///run/redis-forgejo/redis.sock";
     };
+    indexer = {
+      ISSUE_INDEXER_TYPE = "elasticsearch";
+      ISSUE_INDEXER_CONN_STR = "http://127.0.0.1:9200";
+      REPO_INDEXER_ENABLED = true;
+      REPO_INDEXER_TYPE = "elasticsearch";
+      REPO_INDEXER_CONN_STR = "http://127.0.0.1:9200";
+    };
   };
 }
 
diff --git a/config/hosts/git/opensearch.nix b/config/hosts/git/opensearch.nix
new file mode 100644
index 00000000..1dc44903
--- /dev/null
+++ b/config/hosts/git/opensearch.nix
@@ -0,0 +1,12 @@
+{ ... }:
+
+{
+  services.opensearch = {
+    enable = true;
+  };
+
+  systemd.services.forgejo = {
+    after = [ "opensearch.service" ];
+    requires = [ "opensearch.service" ];
+  };
+}

From 394f4fe562673be980c32371b8653a230262b8ea Mon Sep 17 00:00:00 2001
From: June
Date: Mon, 22 Jan 2024 23:08:38 +0100
Subject: [PATCH 012/170] Deploy new website under hamburg.ccc.de

Make next.hamburg.ccc.de hamburg.ccc.de and add redirects to handle URLs of the old website deployment properly. Also redirect the old spaceapi endpoint to the new one. Add staging.hamburg.ccc.de for hosting upcoming changes (PRs). Also give it a robots.txt, since its contents don't need to show up in search engines. Add www.hamburg.ccc.de and let it redirect to hamburg.ccc.de.
---
 .../virtualHosts/default.nix | 4 +-
 .../virtualHosts/hamburg.ccc.de.nix | 87 +++++++++++++++++++
 ....ccc.de.nix => staging.hamburg.ccc.de.nix} | 18 ++--
 .../virtualHosts/www.hamburg.ccc.de.nix | 46 ++++++++++
 4 files changed, 148 insertions(+), 7 deletions(-)
 create mode 100644 config/hosts/public-web-static/virtualHosts/hamburg.ccc.de.nix
 rename config/hosts/public-web-static/virtualHosts/{next.hamburg.ccc.de.nix => staging.hamburg.ccc.de.nix} (69%)
 create mode 100644 config/hosts/public-web-static/virtualHosts/www.hamburg.ccc.de.nix

diff --git a/config/hosts/public-web-static/virtualHosts/default.nix b/config/hosts/public-web-static/virtualHosts/default.nix
index 5036faf7..e22165fd 100644
--- a/config/hosts/public-web-static/virtualHosts/default.nix
+++ b/config/hosts/public-web-static/virtualHosts/default.nix
@@ -5,7 +5,9 @@
     ./branding-resources.hamburg.ccc.de.nix
     ./c3cat.de.nix
     ./element.hamburg.ccc.de.nix
-    ./next.hamburg.ccc.de.nix
+    ./hamburg.ccc.de.nix
     ./spaceapi.hamburg.ccc.de.nix
+    ./staging.hamburg.ccc.de.nix
+    ./www.hamburg.ccc.de.nix
   ];
 }
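Review bot: The forgejo.nix hunk of this commit points both indexers at `http://127.0.0.1:9200` with no credentials, so the index is protected solely by OpenSearch binding to loopback and by no untrusted local account existing on the git host, and this file enables the service without stating either assumption. Pin the bind address here instead of inheriting the module default, `settings."network.host" = "127.0.0.1";` (check the option name against the 23.11 module), and put the trust relationship in a comment such as `# Unauthenticated; must stay bound to localhost, Forgejo talks to it without credentials.`. The `after`/`requires` ordering is right; note that `requires` also takes Forgejo down whenever OpenSearch is stopped or fails, which is presumably intended now that issue search depends on it.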
diff --git a/config/hosts/public-web-static/virtualHosts/hamburg.ccc.de.nix b/config/hosts/public-web-static/virtualHosts/hamburg.ccc.de.nix
new file mode 100644
index 00000000..a318fec8
--- /dev/null
+++ b/config/hosts/public-web-static/virtualHosts/hamburg.ccc.de.nix
@@ -0,0 +1,87 @@
+{ pkgs, ... }:
+
+{
+  services.nginx.virtualHosts = {
+    "acme-hamburg.ccc.de" = {
+      enableACME = true;
+      serverName = "hamburg.ccc.de";
+
+      listen = [
+        {
+          addr = "0.0.0.0";
+          port = 31820;
+        }
+      ];
+    };
+
+    "hamburg.ccc.de" = {
+      forceSSL = true;
+      useACMEHost = "hamburg.ccc.de";
+
+      listen = [
+        {
+          addr = "0.0.0.0";
+          port = 8443;
+          ssl = true;
+          proxyProtocol = true;
+        }
+      ];
+
+      root = "/var/www/hamburg.ccc.de/";
+
+      # Redirect the old spaceapi endpoint to the new one.
+      locations."/dooris/status.json" = {
+        return = "302 https://spaceapi.hamburg.ccc.de/";
+      };
+
+      # Redirect pages starting with 4 digits for redirecting the old blog
+      # article URLs.
+      # We want to redirect /yyyy/mm/dd/slug to /blog/yyyy/mm/dd/slug, but we
+      # just match the first 4 digits for simplicity.
+      locations."~ \"^/[\\d]{4}\"" = {
+        return = "302 https://$host/blog$request_uri";
+      };
+
+      # Redirect pages, which previously lived on the old website, to their
+      # successors in the wiki.
+      locations."/club/satzung" = {
+        return = "302 https://wiki.hamburg.ccc.de/verein:offizielles:satzung";
+      };
+      locations."/club/hausordnung" = {
+        return = "302 https://wiki.hamburg.ccc.de/verein:offizielles:hausordnung";
+      };
+      locations."/club/vertrauenspersonen" = {
+        return = "302 https://wiki.hamburg.ccc.de/verein:offizielles:vertrauenspersonen";
+      };
+      locations."/club/beitragsordnung" = {
+        return = "302 https://wiki.hamburg.ccc.de/verein:offizielles:beitragsordnung";
+      };
+      locations."/club/mitgliedschaft" = {
+        return = "302 https://wiki.hamburg.ccc.de/verein:offizielles:foemi-formular";
+      };
+      locations."/club/geschichte" = {
+        return = "302 https://wiki.hamburg.ccc.de/club:geschichte";
+      };
+
+      extraConfig = ''
+        # Make use of the ngx_http_realip_module to set the $remote_addr and
+        # $remote_port to the client address and client port, when using proxy
+        # protocol.
+        # First set our proxy protocol proxy as trusted.
+        set_real_ip_from 172.31.17.140;
+        # Then tell the realip_module to get the addreses from the proxy protocol
+        # header.
+        real_ip_header proxy_protocol;
+      '';
+    };
+  };
+
+  users.users.ccchh-website-deploy = {
+    isNormalUser = true;
+    group = "ccchh-website-deploy";
+    openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILX847OMjYC+he1nbV37rrdCQVGINFY43CwLjZDM9iyb ccchh website deployment key"
+    ];
+  };
+  users.groups.ccchh-website-deploy = { };
+}
diff --git a/config/hosts/public-web-static/virtualHosts/next.hamburg.ccc.de.nix b/config/hosts/public-web-static/virtualHosts/staging.hamburg.ccc.de.nix
similarity index 69%
rename from config/hosts/public-web-static/virtualHosts/next.hamburg.ccc.de.nix
rename to config/hosts/public-web-static/virtualHosts/staging.hamburg.ccc.de.nix
index a0dff81d..a36a0993 100644
--- a/config/hosts/public-web-static/virtualHosts/next.hamburg.ccc.de.nix
+++ b/config/hosts/public-web-static/virtualHosts/staging.hamburg.ccc.de.nix
@@ -2,9 +2,9 @@
 
 {
   services.nginx.virtualHosts = {
-    "acme-next.hamburg.ccc.de" = {
+    "acme-staging.hamburg.ccc.de" = {
       enableACME = true;
-      serverName = "next.hamburg.ccc.de";
+      serverName = "staging.hamburg.ccc.de";
 
       listen = [
         {
@@ -14,9 +14,9 @@
       ];
     };
 
-    "next.hamburg.ccc.de" = {
+    "staging.hamburg.ccc.de" = {
       forceSSL = true;
-      useACMEHost = "next.hamburg.ccc.de";
+      useACMEHost = "staging.hamburg.ccc.de";
 
       listen = [
         {
@@ -27,7 +27,13 @@
         }
       ];
 
-      root = "/var/www/next.hamburg.ccc.de/";
+      root = "/var/www/staging.hamburg.ccc.de/";
+
+      # Disallow *, since this is staging and doesn't need to be in any search
+      # results.
+      locations."/robots.txt" = {
+        return = "200 \"User-agent: *\\nDisallow: *\\n\"";
+      };
 
       extraConfig = ''
         # Make use of the ngx_http_realip_module to set the $remote_addr and
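Review bot: The blog redirect `return = "302 https://$host/blog$request_uri";` builds its target from the client-supplied Host header; that is only safe as long as this server block is never the default server for the 8443 listener (nginx falls back to the first block in config order when none declares `default_server`, and the NixOS module presumably emits vhosts in attribute-name order), so the literal `https://hamburg.ccc.de/blog$request_uri` is the more robust spelling and costs nothing. The deploy account is a full `isNormalUser` with a login shell, while its only job is writing into `/var/www/hamburg.ccc.de/`; if the deployment tooling tolerates it, prefix the key with `restrict,command="..."` (an rrsync-style forced command) so a leaked CI key cannot do more than deploy, and say so in a comment above the key. The `pkgs` argument in the function header is unused.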
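Review bot: `Disallow: *` in the staging robots.txt is not the standard way to exclude a whole site; the robots exclusion format matches path prefixes, so the portable spelling is `Disallow: /`, i.e. `return = "200 \"User-agent: *\\nDisallow: /\\n\"";` — major crawlers treat `*` as a wildcard, smaller ones may not. The `return` body is also served with whatever `default_type` is in effect; adding `default_type text/plain;` to the location's `extraConfig` makes the answer unambiguous. If the real goal is keeping staging out of indexes, an `add_header X-Robots-Tag noindex;` on the vhost is the stronger signal, since robots.txt only asks crawlers not to fetch pages that remain publicly reachable. The `extraConfig` block continues outside the hunk.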
@@ -46,7 +52,7 @@
     isNormalUser = true;
     group = "ccchh-website-deploy";
     openssh.authorizedKeys.keys = [
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILX847OMjYC+he1nbV37rrdCQVGINFY43CwLjZDM9iyb next.hamburg.ccc.de deployment key"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILX847OMjYC+he1nbV37rrdCQVGINFY43CwLjZDM9iyb ccchh website deployment key"
     ];
   };
   users.groups.ccchh-website-deploy = { };
diff --git a/config/hosts/public-web-static/virtualHosts/www.hamburg.ccc.de.nix b/config/hosts/public-web-static/virtualHosts/www.hamburg.ccc.de.nix
new file mode 100644
index 00000000..a29fbd27
--- /dev/null
+++ b/config/hosts/public-web-static/virtualHosts/www.hamburg.ccc.de.nix
@@ -0,0 +1,46 @@
+{ pkgs, ... }:
+
+{
+  services.nginx.virtualHosts = {
+    "acme-www.hamburg.ccc.de" = {
+      enableACME = true;
+      serverName = "www.hamburg.ccc.de";
+
+      listen = [
+        {
+          addr = "0.0.0.0";
+          port = 31820;
+        }
+      ];
+    };
+
+    "www.hamburg.ccc.de" = {
+      forceSSL = true;
+      useACMEHost = "www.hamburg.ccc.de";
+
+      listen = [
+        {
+          addr = "0.0.0.0";
+          port = 8443;
+          ssl = true;
+          proxyProtocol = true;
+        }
+      ];
+
+      locations."/" = {
+        return = "302 https://hamburg.ccc.de$request_uri";
+      };
+
+      extraConfig = ''
+        # Make use of the ngx_http_realip_module to set the $remote_addr and
+        # $remote_port to the client address and client port, when using proxy
+        # protocol.
+        # First set our proxy protocol proxy as trusted.
+        set_real_ip_from 172.31.17.140;
+        # Then tell the realip_module to get the addreses from the proxy protocol
+        # header.
+        real_ip_header proxy_protocol;
+      '';
+    };
+  };
+}

From 1dd8651bda7ddde8d145143470b53900a7f5e947 Mon Sep 17 00:00:00 2001
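Review bot: The realip `extraConfig` block (trusted proxy `172.31.17.140` plus `real_ip_header proxy_protocol`) now exists verbatim in this file, in hamburg.ccc.de.nix and in staging.hamburg.ccc.de.nix from this same commit, each with the proxy address hard-coded; when the proxy-protocol frontend moves, one copy will be forgotten and that vhost will silently log the proxy's address instead of the client's. Hoist the snippet into one shared file that the three vhost files import (or a single `let` binding passed through default.nix) so the trusted-proxy address lives in exactly one place, with a comment naming which host it is. The `pkgs` argument in the function header is unused here as well.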
From: June
Date: Mon, 22 Jan 2024 23:15:03 +0100
Subject: [PATCH 013/170] Update wiki links to point to wiki.hamburg.ccc.de

---
 .../public-web-static/spaceapid-config/ccchh-response.json | 2 +-
 config/hosts/public-web-static/virtualHosts/c3cat.de.nix | 2 +-
 .../virtualHosts/element-web-config/config.json | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/config/hosts/public-web-static/spaceapid-config/ccchh-response.json b/config/hosts/public-web-static/spaceapid-config/ccchh-response.json
index 47d11aab..3127d20e 100644
--- a/config/hosts/public-web-static/spaceapid-config/ccchh-response.json
+++ b/config/hosts/public-web-static/spaceapid-config/ccchh-response.json
@@ -33,7 +33,7 @@
   "links": [
     {
       "name": "Wiki",
-      "url": "https://wiki.ccchh.net"
+      "url": "https://wiki.hamburg.ccc.de"
     },
     {
       "name": "Git (Forgejo)",
diff --git a/config/hosts/public-web-static/virtualHosts/c3cat.de.nix b/config/hosts/public-web-static/virtualHosts/c3cat.de.nix
index 9533e938..f1ad5273 100644
--- a/config/hosts/public-web-static/virtualHosts/c3cat.de.nix
+++ b/config/hosts/public-web-static/virtualHosts/c3cat.de.nix
@@ -28,7 +28,7 @@
       ];
 
       locations."/" = {
-        return = "302 https://wiki.ccchh.net/club:c3cat:start";
+        return = "302 https://wiki.hamburg.ccc.de/club:c3cat:start";
       };
 
       extraConfig = ''
diff --git a/config/hosts/public-web-static/virtualHosts/element-web-config/config.json b/config/hosts/public-web-static/virtualHosts/element-web-config/config.json
index 393c2156..19cfdf02 100644
--- a/config/hosts/public-web-static/virtualHosts/element-web-config/config.json
+++ b/config/hosts/public-web-static/virtualHosts/element-web-config/config.json
@@ -49,7 +49,7 @@ "auth_header_logo_url": "https://branding-resources.hamburg.ccc.de/logo/ccchh-logo-no-background.png", "auth_footer_links": [ { "text": "Website", "url": "https://hamburg.ccc.de/" }, - { "text": "Wiki", "url": "https://wiki.ccchh.net/" }, + { "text": "Wiki", "url": "https://wiki.hamburg.ccc.de/" }, { "text": "Status", "url": "https://status.ccchh.net/status/main" } ] } From 6bb4577a33af2d4d1641ee57088932fb6640c680 Mon Sep 17 00:00:00 2001 From: June Date: Mon, 22 Jan 2024 23:15:57 +0100 Subject: [PATCH 014/170] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nixos-generators': 'github:nix-community/nixos-generators/246219bc21b943c6f6812bb7744218ba0df08600' (2023-12-04) → 'github:nix-community/nixos-generators/ed8ab00e8d92076a7cac1b428881b4d5304bb771' (2024-01-22) • Updated input 'nixpkgs': 'github:nixos/nixpkgs/76fc2dd7efd18cb4251db2f35ab6655ee746e961' (2024-01-12) → 'github:nixos/nixpkgs/a1aa4980b64eb5fbfa652da57ed4de92e92be630' (2024-01-21) • Updated input 'nixpkgs-unstable': 'github:nixos/nixpkgs/391d29cb04fe2ca9a4744c10d6b8a7783f6b0f6d' (2024-01-12) → 'github:nixos/nixpkgs/8cccce637e19577815de54c5ecc3132dff965aee' (2024-01-22) --- flake.lock | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/flake.lock b/flake.lock index 51cd067d..fdcf157c 100644 --- a/flake.lock +++ b/flake.lock @@ -23,11 +23,11 @@ ] }, "locked": { - "lastModified": 1701689616, - "narHash": "sha256-ewnfgvRy73HoP5KnYmy1Rcr4m4yShvsb6TCCaKoW8pc=", + "lastModified": 1705931262, + "narHash": "sha256-JU8Dn3FeLlpC2aCXDbVH+E9koZYw/r1LW+fofWq87mE=", "owner": "nix-community", "repo": "nixos-generators", - "rev": "246219bc21b943c6f6812bb7744218ba0df08600", + "rev": "ed8ab00e8d92076a7cac1b428881b4d5304bb771", "type": "github" }, "original": { 
@@ -38,11 +38,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1705044370, - "narHash": "sha256-QmzSiphBSOCvhzMNUzhtZT/HpK4VyXqWEYRRPNtIfMQ=", + "lastModified": 1705864497, + "narHash": "sha256-GVjAt3eHgSGp76Nx6/BXkl38w25FyLbS5Y3hn+BvLk0=", "owner": "nixos", "repo": "nixpkgs", - "rev": "76fc2dd7efd18cb4251db2f35ab6655ee746e961", + "rev": "a1aa4980b64eb5fbfa652da57ed4de92e92be630", "type": "github" }, "original": { @@ -54,11 +54,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1705069489, - "narHash": "sha256-kXk4DUZS5uEdowgcv5PWVJ1s37xZKPvhpD/CFNdWMbs=", + "lastModified": 1705891108, + "narHash": "sha256-PQ0Df5BzByg+0gPE1goa9WYVXSoEP6gtjblrbYC8WOI=", "owner": "nixos", "repo": "nixpkgs", - "rev": "391d29cb04fe2ca9a4744c10d6b8a7783f6b0f6d", + "rev": "8cccce637e19577815de54c5ecc3132dff965aee", "type": "github" }, "original": { From c83f1faaa7552f894774ce85a3887125141defb4 Mon Sep 17 00:00:00 2001 From: June Date: Mon, 22 Jan 2024 23:32:00 +0100 Subject: [PATCH 015/170] Use custom 404 page for hamburg.ccc.de --- config/hosts/public-web-static/virtualHosts/hamburg.ccc.de.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/config/hosts/public-web-static/virtualHosts/hamburg.ccc.de.nix b/config/hosts/public-web-static/virtualHosts/hamburg.ccc.de.nix index a318fec8..0f43a9d3 100644 --- a/config/hosts/public-web-static/virtualHosts/hamburg.ccc.de.nix +++ b/config/hosts/public-web-static/virtualHosts/hamburg.ccc.de.nix @@ -72,6 +72,8 @@ # Then tell the realip_module to get the addreses from the proxy protocol # header. real_ip_header proxy_protocol; + + error_page 404 /404.html; ''; }; }; From 7ce5c934df9dac3024735d1e4f55b3eec81b93d5 Mon Sep 17 00:00:00 2001 From: June Date: Tue, 23 Jan 2024 19:57:20 +0100 Subject: [PATCH 016/170] Redirect old feed location to new one for CCCHH website --- .../hosts/public-web-static/virtualHosts/hamburg.ccc.de.nix | 5 +++++ 1 file changed, 5 insertions(+) 
diff --git a/config/hosts/public-web-static/virtualHosts/hamburg.ccc.de.nix b/config/hosts/public-web-static/virtualHosts/hamburg.ccc.de.nix
index 0f43a9d3..bb78b63f 100644
--- a/config/hosts/public-web-static/virtualHosts/hamburg.ccc.de.nix
+++ b/config/hosts/public-web-static/virtualHosts/hamburg.ccc.de.nix
@@ -63,6 +63,11 @@
         return = "302 https://wiki.hamburg.ccc.de/club:geschichte";
       };
 
+      # Redirect old feed location.
+      locations."/feed.xml" = {
+        return = "302 https://$host/blog/index.xml";
+      };
+
       extraConfig = ''
         # Make use of the ngx_http_realip_module to set the $remote_addr and
         # $remote_port to the client address and client port, when using proxy

From a0e92ff92a3b73a6af9cf014239e7bbae6160120 Mon Sep 17 00:00:00 2001
From: June
Date: Tue, 23 Jan 2024 23:24:20 +0100
Subject: [PATCH 017/170] Give Git an IPv6

---
 config/hosts/git/networking.nix | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/config/hosts/git/networking.nix b/config/hosts/git/networking.nix
index 088d7eaa..b73b9539 100644
--- a/config/hosts/git/networking.nix
+++ b/config/hosts/git/networking.nix
@@ -1,3 +1,6 @@
+# Sources for this configuration:
+# - https://nixos.wiki/wiki/Networking
+
 { ... }:
 
 {
@@ -13,6 +16,16 @@
   networking.nameservers = [ "212.12.50.158" "192.76.134.90" ];
   networking.search = [ "hamburg.ccc.de" ];
 
+  networking.interfaces.net0 = {
+    ipv6.addresses = [
+      {
+        address = "2a00:14b0:f000:23:51:136::1";
+        prefixLength = 64;
+      }
+    ];
+  };
+  networking.defaultGateway6 = "2a00:14b0:f000:23::1";
+
   systemd.network.links."10-net0" = {
     matchConfig.MACAddress = "92:7B:E6:12:A4:FA";
     linkConfig.Name = "net0";

From e18b840d20475e6b4224091c8939ef81703e0551 Mon Sep 17 00:00:00 2001
From: June
Date: Wed, 24 Jan 2024 20:17:59 +0100
Subject: [PATCH 018/170] Enable offline mode for Forgejo to disable use of CDN and Gravatar

---
 config/hosts/git/forgejo.nix | 1 +
 1 file changed, 1 insertion(+)
diff --git a/config/hosts/git/forgejo.nix b/config/hosts/git/forgejo.nix
index d571fb6f..103881c8 100644
--- a/config/hosts/git/forgejo.nix
+++ b/config/hosts/git/forgejo.nix
@@ -28,6 +28,7 @@
       ROOT_URL = "https://git.hamburg.ccc.de/";
       # LOCAL_ROOT_URL is apparently what Forgejo uses to access itself.
       # Doesn't need to be set.
+      OFFLINE_MODE = true;
     };
     admin = {
       DISABLE_REGULAR_ORG_CREATION = false;

From 4c0decea4a89cadde8b7cd8258e5048a3ae99223 Mon Sep 17 00:00:00 2001
From: fi
Date: Sun, 28 Jan 2024 05:05:53 +0100
Subject: [PATCH 019/170] Update element-web to 1.11.55

---
 .../virtualHosts/element.hamburg.ccc.de.nix | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/config/hosts/public-web-static/virtualHosts/element.hamburg.ccc.de.nix b/config/hosts/public-web-static/virtualHosts/element.hamburg.ccc.de.nix
index a72703ae..da11e0f4 100644
--- a/config/hosts/public-web-static/virtualHosts/element.hamburg.ccc.de.nix
+++ b/config/hosts/public-web-static/virtualHosts/element.hamburg.ccc.de.nix
@@ -1,9 +1,10 @@
 { pkgs, ... }:
 
 let
+  elementWebVersion = "1.11.55";
   element-web = pkgs.fetchzip {
-    url = "https://github.com/vector-im/element-web/releases/download/v1.11.45/element-v1.11.45.tar.gz";
-    sha256 = "sha256-nwRsBIF9vcHZkyVsLA2sU2cmuzALEIIOcWQRGfd+5xs=";
+    url = "https://github.com/vector-im/element-web/releases/download/v${elementWebVersion}/element-v${elementWebVersion}.tar.gz";
+    sha256 = "sha256-lM1P23MTqAgrw3vjNSzDswmn0n8SRY6dBD0aELmoqsQ=";
   };
   elementSecurityHeaders = ''
     # Configuration best practices

From 2ae1ad36043f331a27b57c5a936cf0eb2ed7d14a Mon Sep 17 00:00:00 2001
From: fi
Date: Sun, 28 Jan 2024 21:59:08 +0100
Subject: [PATCH 020/170] Configure matrix server .well-known delegation

---
 .../virtualHosts/hamburg.ccc.de.nix | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/config/hosts/public-web-static/virtualHosts/hamburg.ccc.de.nix b/config/hosts/public-web-static/virtualHosts/hamburg.ccc.de.nix
index bb78b63f..aac7fa28 100644
--- a/config/hosts/public-web-static/virtualHosts/hamburg.ccc.de.nix
+++ b/config/hosts/public-web-static/virtualHosts/hamburg.ccc.de.nix
@@ -34,6 +34,19 @@
         return = "302 https://spaceapi.hamburg.ccc.de/";
       };
 
+    locations."/.well-known/matrix/server" = {
+      return = "200 '{\"m.server\": \"matrix.hamburg.ccc.de:443\"}'";
+      extraConfig = ''
+        add_header Content-Type application/json;
+      '';
+    };
+    locations."/.well-known/matrix/client" = {
+      return = "200 '{\"m.homeserver\": {\"base_url\": \"https://matrix.hamburg.ccc.de\"}, \"m.identity_server\": {\"base_url\": \"https://vector.im\"}}'";
+      extraConfig = ''
+        default_type application/json;
+        add_header Access-Control-Allow-Origin *;
+      '';
+    };
       # Redirect pages starting with 4 digits for redirecting the old blog
       # article URLs.
       # We want to redirect /yyyy/mm/dd/slug to /blog/yyyy/mm/dd/slug, but we

From d8d02368700bb4b10502704f1bba02492839d8e2 Mon Sep 17 00:00:00 2001
From: fi
Date: Sun, 28 Jan 2024 22:03:15 +0100
Subject: [PATCH 021/170] Fix indentation

---
 .../virtualHosts/hamburg.ccc.de.nix | 28 ++++++++++---------
 1 file changed, 15 insertions(+), 13 deletions(-)

diff --git a/config/hosts/public-web-static/virtualHosts/hamburg.ccc.de.nix b/config/hosts/public-web-static/virtualHosts/hamburg.ccc.de.nix
index aac7fa28..1d8eef1b 100644
--- a/config/hosts/public-web-static/virtualHosts/hamburg.ccc.de.nix
+++ b/config/hosts/public-web-static/virtualHosts/hamburg.ccc.de.nix
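Review bot: The two `.well-known` locations set the response type in different ways: `/matrix/client` uses `default_type application/json;`, which is what a `return` body honours, whereas `/matrix/server` uses `add_header Content-Type application/json;`, and `add_header` appends rather than replaces, so that response most likely leaves with two Content-Type headers (the one derived from `default_type` plus this one). Use `default_type application/json;` in both blocks. The `add_header Access-Control-Allow-Origin *;` on the client endpoint is what Matrix client discovery requires, so it is correct here but should not be copied to other locations on this vhost. Patch 021 re-indents these same lines without touching the header handling, so the fix applies there too.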
@@ -34,19 +34,21 @@ return = "302 https://spaceapi.hamburg.ccc.de/"; }; - locations."/.well-known/matrix/server" = { - return = "200 '{\"m.server\": \"matrix.hamburg.ccc.de:443\"}'"; - extraConfig = '' - add_header Content-Type application/json; - ''; - }; - locations."/.well-known/matrix/client" = { - return = "200 '{\"m.homeserver\": {\"base_url\": \"https://matrix.hamburg.ccc.de\"}, \"m.identity_server\": {\"base_url\": \"https://vector.im\"}}'"; - extraConfig = '' - default_type application/json; - add_header Access-Control-Allow-Origin *; - ''; - }; + # Add .well-known/matrix stuff for Matrix to work. + locations."/.well-known/matrix/server" = { + return = "200 '{\"m.server\": \"matrix.hamburg.ccc.de:443\"}'"; + extraConfig = '' + add_header Content-Type application/json; + ''; + }; + locations."/.well-known/matrix/client" = { + return = "200 '{\"m.homeserver\": {\"base_url\": \"https://matrix.hamburg.ccc.de\"}, \"m.identity_server\": {\"base_url\": \"https://vector.im\"}}'"; + extraConfig = '' + default_type application/json; + add_header Access-Control-Allow-Origin *; + ''; + }; + # Redirect pages starting with 4 digits for redirecting the old blog # article URLs. # We want to redirect /yyyy/mm/dd/slug to /blog/yyyy/mm/dd/slug, but we From 85951e2e59213f600bb07154f492cb976776a6d4 Mon Sep 17 00:00:00 2001 
From: June Date: Sun, 4 Feb 2024 00:21:47 +0100 Subject: [PATCH 022/170] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nixos-generators': 'github:nix-community/nixos-generators/ed8ab00e8d92076a7cac1b428881b4d5304bb771' (2024-01-22) → 'github:nix-community/nixos-generators/896f6589db5b25023b812bbb6c1f5d3a499b1132' (2024-01-24) • Updated input 'nixpkgs': 'github:nixos/nixpkgs/a1aa4980b64eb5fbfa652da57ed4de92e92be630' (2024-01-21) → 'github:nixos/nixpkgs/ac0524b807cb04a3e792c0bcc9e853e9a1547aa1' (2024-02-02) • Updated input 'nixpkgs-unstable': 'github:nixos/nixpkgs/8cccce637e19577815de54c5ecc3132dff965aee' (2024-01-22) → 'github:nixos/nixpkgs/4f301350dacb4eb0a93578ef3b07c8a996c777e7' (2024-02-03) --- flake.lock | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/flake.lock b/flake.lock index fdcf157c..47917b68 100644 --- a/flake.lock +++ b/flake.lock @@ -23,11 +23,11 @@ ] }, "locked": { - "lastModified": 1705931262, - "narHash": "sha256-JU8Dn3FeLlpC2aCXDbVH+E9koZYw/r1LW+fofWq87mE=", + "lastModified": 1706085261, + "narHash": "sha256-7PgpHRHyShINcqgevPP1fJ6N8kM5ZSOJnk3QZBrOCQ0=", "owner": "nix-community", "repo": "nixos-generators", - "rev": "ed8ab00e8d92076a7cac1b428881b4d5304bb771", + "rev": "896f6589db5b25023b812bbb6c1f5d3a499b1132", "type": "github" }, "original": { @@ -38,11 +38,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1705864497, - "narHash": "sha256-GVjAt3eHgSGp76Nx6/BXkl38w25FyLbS5Y3hn+BvLk0=", + "lastModified": 1706905405, + "narHash": "sha256-Jts2FPpB58OXRxIk6Lq1w3O2RelpmJ9fEkgTaVJT6nM=", "owner": "nixos", "repo": "nixpkgs", - "rev": "a1aa4980b64eb5fbfa652da57ed4de92e92be630", + "rev": "ac0524b807cb04a3e792c0bcc9e853e9a1547aa1", "type": "github" }, "original": { 
@@ -54,11 +54,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1705891108, - "narHash": "sha256-PQ0Df5BzByg+0gPE1goa9WYVXSoEP6gtjblrbYC8WOI=", + "lastModified": 1706941790, + "narHash": "sha256-V4apg6WJS6hc1VhHuUpaLt0r/ulu/hvFruP6NKdEdfo=", "owner": "nixos", "repo": "nixpkgs", - "rev": "8cccce637e19577815de54c5ecc3132dff965aee", + "rev": "4f301350dacb4eb0a93578ef3b07c8a996c777e7", "type": "github" }, "original": { From c0142ad1a59392090fc5c15ae7cf5c384843708a Mon Sep 17 00:00:00 2001 From: June Date: Sat, 24 Feb 2024 15:51:03 +0100 Subject: [PATCH 023/170] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nixos-generators': 'github:nix-community/nixos-generators/896f6589db5b25023b812bbb6c1f5d3a499b1132' (2024-01-24) → 'github:nix-community/nixos-generators/f4631dee1a0fd56c0db89860e83e3588a28c7631' (2024-02-22) • Updated input 'nixos-generators/nixlib': 'github:nix-community/nixpkgs.lib/f5af57d3ef9947a70ac86e42695231ac1ad00c25' (2023-09-03) → 'github:nix-community/nixpkgs.lib/e623008d8a46517470e6365505f1a3ce171fa46a' (2024-02-18) • Updated input 'nixpkgs': 'github:nixos/nixpkgs/ac0524b807cb04a3e792c0bcc9e853e9a1547aa1' (2024-02-02) → 'github:nixos/nixpkgs/79032939bc8d409bcc16121c4ad694ca862895e4' (2024-02-24) • Updated input 'nixpkgs-unstable': 'github:nixos/nixpkgs/4f301350dacb4eb0a93578ef3b07c8a996c777e7' (2024-02-03) → 'github:nixos/nixpkgs/5ab08ad057499977d489f1b378e79d166a684e6c' (2024-02-24) --- flake.lock | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/flake.lock b/flake.lock index 47917b68..da0b6f6f 100644 --- a/flake.lock +++ b/flake.lock 
@@ -2,11 +2,11 @@ "nodes": { "nixlib": { "locked": { - "lastModified": 1693701915, - "narHash": "sha256-waHPLdDYUOHSEtMKKabcKIMhlUOHPOOPQ9UyFeEoovs=", + "lastModified": 1708217146, + "narHash": "sha256-nGfEv7k78slqIR5E0zzWSx214d/4/ZPKDkObLJqVLVw=", "owner": "nix-community", "repo": "nixpkgs.lib", - "rev": "f5af57d3ef9947a70ac86e42695231ac1ad00c25", + "rev": "e623008d8a46517470e6365505f1a3ce171fa46a", "type": "github" }, "original": { @@ -23,11 +23,11 @@ ] }, "locked": { - "lastModified": 1706085261, - "narHash": "sha256-7PgpHRHyShINcqgevPP1fJ6N8kM5ZSOJnk3QZBrOCQ0=", + "lastModified": 1708563055, + "narHash": "sha256-FaojUZNu+YPFi3eCI7mL4kxPKQ51DoySa7mqmllUOuc=", "owner": "nix-community", "repo": "nixos-generators", - "rev": "896f6589db5b25023b812bbb6c1f5d3a499b1132", + "rev": "f4631dee1a0fd56c0db89860e83e3588a28c7631", "type": "github" }, "original": { @@ -38,11 +38,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1706905405, - "narHash": "sha256-Jts2FPpB58OXRxIk6Lq1w3O2RelpmJ9fEkgTaVJT6nM=", + "lastModified": 1708760845, + "narHash": "sha256-xkSxjVuYLQGvteX4CCuC4c5daBwMKIDAvp0Mvvg2spE=", "owner": "nixos", "repo": "nixpkgs", - "rev": "ac0524b807cb04a3e792c0bcc9e853e9a1547aa1", + "rev": "79032939bc8d409bcc16121c4ad694ca862895e4", "type": "github" }, "original": { @@ -54,11 +54,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1706941790, - "narHash": "sha256-V4apg6WJS6hc1VhHuUpaLt0r/ulu/hvFruP6NKdEdfo=", + "lastModified": 1708765437, + "narHash": "sha256-pFAbQn7RR2lMRpyNhyAogUp7c4reB4uM4fnnbIvUw4k=", "owner": "nixos", "repo": "nixpkgs", - "rev": "4f301350dacb4eb0a93578ef3b07c8a996c777e7", + "rev": "5ab08ad057499977d489f1b378e79d166a684e6c", "type": "github" }, "original": { From 7ab1563c88d97acdf374fd6743d584ca1a7177d9 Mon Sep 17 00:00:00 2001 
From: June Date: Sat, 2 Mar 2024 15:40:55 +0100 Subject: [PATCH 024/170] Add entry to public-reverse-proxy for acme challenge for light-werkstatt --- config/hosts/public-reverse-proxy/nginx.nix | 1 + 1 file changed, 1 insertion(+)
diff --git a/config/hosts/public-reverse-proxy/nginx.nix b/config/hosts/public-reverse-proxy/nginx.nix
index f23e7a96..ff14adbb 100644
--- a/config/hosts/public-reverse-proxy/nginx.nix
+++ b/config/hosts/public-reverse-proxy/nginx.nix
@@ -26,6 +26,7 @@
 club-assistant.ccchh.net 10.31.208.10;
 netbox.ccchh.net 10.31.208.29:31820;
 light.ccchh.net 10.31.208.23;
+ light-werkstatt.ccchh.net 10.31.208.23;
 thinkcccore0.ccchh.net 10.31.242.3;
 thinkcccore1.ccchh.net 10.31.242.4;
 thinkcccore2.ccchh.net 10.31.242.5;
From a5a994f87f26cd23d4e2a31695e08c8199205b2f Mon Sep 17 00:00:00 2001 From: fi Date: Sat, 2 Mar 2024 17:22:15 +0100 Subject: [PATCH 025/170] Bump element-web to 1.11.59 --- .../public-web-static/virtualHosts/element.hamburg.ccc.de.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/config/hosts/public-web-static/virtualHosts/element.hamburg.ccc.de.nix b/config/hosts/public-web-static/virtualHosts/element.hamburg.ccc.de.nix
index da11e0f4..8a6c6292 100644
--- a/config/hosts/public-web-static/virtualHosts/element.hamburg.ccc.de.nix
+++ b/config/hosts/public-web-static/virtualHosts/element.hamburg.ccc.de.nix
@@ -1,10 +1,10 @@
 { pkgs, ... }:
 
 let
- elementWebVersion = "1.11.55";
+ elementWebVersion = "1.11.59";
 element-web = pkgs.fetchzip {
 url = "https://github.com/vector-im/element-web/releases/download/v${elementWebVersion}/element-v${elementWebVersion}.tar.gz";
- sha256 = "sha256-lM1P23MTqAgrw3vjNSzDswmn0n8SRY6dBD0aELmoqsQ=";
+ sha256 = "sha256-iVTd5zWUJh9wkbKMh+5hq0ucQaLLY29w1xCLxDIdQ18=";
 };
 elementSecurityHeaders = ''
 # Configuration best practices
From 71e1684f762845c5efa69033bd0e28c2c39cacea Mon Sep 17 00:00:00 2001
From: Julian Schacher Date: Wed, 6 Mar 2024 22:50:26 +0100 Subject: [PATCH 026/170] Add a formatter, which can be used by running "nix fmt" Use nixpkgs-fmt because what it does closely aligns to this repos already established conventions and it doesn't do weird stuff. Also see: https://nixos.org/manual/nix/stable/command-ref/new-cli/nix3-fmt.html https://github.com/nix-community/nixpkgs-fmt --- flake.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/flake.nix b/flake.nix index 63ecb990..8768c794 100644 --- a/flake.nix +++ b/flake.nix @@ -220,5 +220,7 @@ format = "proxmox"; }; }; + + formatter.x86_64-linux = nixpkgs.legacyPackages.x86_64-linux.nixpkgs-fmt; }; } From 1ad6ac9dc0b711a1169a1bea56f86140c4362542 Mon Sep 17 00:00:00 2001 From: Julian Schacher Date: Wed, 6 Mar 2024 22:50:32 +0100 Subject: [PATCH 027/170] Run "nix fmt" to format this entire flake --- config/common/nix.nix | 2 +- config/common/users.nix | 34 +- config/hosts/esphome/nginx.nix | 2 +- config/hosts/matrix/matrix-synapse.nix | 2 +- config/hosts/matrix/nginx.nix | 2 +- config/hosts/matrix/postgresql.nix | 2 +- config/hosts/public-web-static/spaceapid.nix | 2 +- flake.nix | 315 ++++++++++--------- 8 files changed, 181 insertions(+), 180 deletions(-) diff --git a/config/common/nix.nix b/config/common/nix.nix index f19f681c..1b253d65 100644 --- a/config/common/nix.nix +++ b/config/common/nix.nix @@ -1,4 +1,4 @@ -{ ... }: +{ ... }: { nix = { diff --git a/config/common/users.nix b/config/common/users.nix index 06170bc0..c36e20a9 100644 --- a/config/common/users.nix +++ b/config/common/users.nix 
@@ -16,24 +16,24 @@ let }; authorizedKeys = builtins.filter (item: item != "") (lib.strings.splitString "\n" (builtins.readFile "${authorizedKeysRepo}/authorized_keys")); in - { - users.mutableUsers = false; +{ + users.mutableUsers = false; - users.users.chaos = { - isNormalUser = true; - description = "Chaos"; - extraGroups = [ "wheel" ]; - openssh.authorizedKeys.keys = authorizedKeys; - }; + users.users.chaos = { + isNormalUser = true; + description = "Chaos"; + extraGroups = [ "wheel" ]; + openssh.authorizedKeys.keys = authorizedKeys; + }; - users.users.colmena-deploy = { - isNormalUser = true; - extraGroups = [ "wheel" ]; - openssh.authorizedKeys.keys = authorizedKeys; - }; + users.users.colmena-deploy = { + isNormalUser = true; + extraGroups = [ "wheel" ]; + openssh.authorizedKeys.keys = authorizedKeys; + }; - nix.settings.trusted-users = [ "colmena-deploy" ]; + nix.settings.trusted-users = [ "colmena-deploy" ]; - # Since our user doesn't have a password, allow passwordless sudo for wheel. - security.sudo.wheelNeedsPassword = false; - } + # Since our user doesn't have a password, allow passwordless sudo for wheel. + security.sudo.wheelNeedsPassword = false; +} diff --git a/config/hosts/esphome/nginx.nix b/config/hosts/esphome/nginx.nix index ed939720..3c5cfb92 100644 --- a/config/hosts/esphome/nginx.nix +++ b/config/hosts/esphome/nginx.nix @@ -40,6 +40,6 @@ }; }; - + networking.firewall.allowedTCPPorts = [ 80 443 31820 ]; } diff --git a/config/hosts/matrix/matrix-synapse.nix b/config/hosts/matrix/matrix-synapse.nix index e574a599..bcc097df 100644 --- a/config/hosts/matrix/matrix-synapse.nix +++ b/config/hosts/matrix/matrix-synapse.nix @@ -39,7 +39,7 @@ media_store_path = "/mnt/data/synapse_media_store"; max_upload_size = "500M"; - + admin_contact = "mailto:yuri+ccchh@nekover.se"; }; diff --git a/config/hosts/matrix/nginx.nix b/config/hosts/matrix/nginx.nix index 03dba976..74d4291f 100644 --- a/config/hosts/matrix/nginx.nix +++ b/config/hosts/matrix/nginx.nix 
@@ -60,6 +60,6 @@ ''; }; }; - + networking.firewall.allowedTCPPorts = [ 8443 8448 31820 ]; } diff --git a/config/hosts/matrix/postgresql.nix b/config/hosts/matrix/postgresql.nix index a241efd5..62b600e3 100644 --- a/config/hosts/matrix/postgresql.nix +++ b/config/hosts/matrix/postgresql.nix @@ -4,7 +4,7 @@ services.postgresql = { enable = true; package = pkgs.postgresql_15; - + initialScript = pkgs.writeText "synapse-init.sql" '' CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse'; CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse" diff --git a/config/hosts/public-web-static/spaceapid.nix b/config/hosts/public-web-static/spaceapid.nix index 8c9cb875..d2a25b65 100644 --- a/config/hosts/public-web-static/spaceapid.nix +++ b/config/hosts/public-web-static/spaceapid.nix @@ -11,7 +11,7 @@ let version = "main"; src = spaceapidSrc; - + ldflags = [ "-X main.version=${version}-${spaceapidSrc.rev}" ]; diff --git a/flake.nix b/flake.nix index 8768c794..f66397d4 100644 --- a/flake.nix +++ b/flake.nix 
@@ -58,169 +58,170 @@ }); }; pkgs-unstable = nixpkgs-unstable.legacyPackages."x86_64-linux"; - in { - colmena = { - meta = { - nixpkgs = nixpkgs.legacyPackages."x86_64-linux"; - nodeNixpkgs = { - audio-hauptraum-kueche = nixpkgs-unstable.legacyPackages."x86_64-linux".extend shairportSync431ExtendedNixpkgsUnstableOverlay; - audio-hauptraum-tafel = nixpkgs-unstable.legacyPackages."x86_64-linux".extend shairportSync431ExtendedNixpkgsUnstableOverlay; + in + { + colmena = { + meta = { + nixpkgs = nixpkgs.legacyPackages."x86_64-linux"; + nodeNixpkgs = { + audio-hauptraum-kueche = nixpkgs-unstable.legacyPackages."x86_64-linux".extend shairportSync431ExtendedNixpkgsUnstableOverlay; + audio-hauptraum-tafel = nixpkgs-unstable.legacyPackages."x86_64-linux".extend shairportSync431ExtendedNixpkgsUnstableOverlay; + }; + nodeSpecialArgs = { + git = { inherit pkgs-unstable; }; + }; }; - nodeSpecialArgs = { - git = { inherit pkgs-unstable; }; + + audio-hauptraum-kueche = { + deployment = { + targetHost = "audio-hauptraum-kueche.z9.ccchh.net"; + targetPort = 22; + targetUser = "colmena-deploy"; + tags = [ "thinkcccluster" ]; + }; + imports = [ + ./config/common + ./config/proxmox-vm + ./config/hosts/audio-hauptraum-kueche + ]; + }; + + audio-hauptraum-tafel = { + deployment = { + targetHost = "audio-hauptraum-tafel.z9.ccchh.net"; + targetPort = 22; + targetUser = "colmena-deploy"; + tags = [ "thinkcccluster" ]; + }; + imports = [ + ./config/common + ./config/proxmox-vm + ./config/hosts/audio-hauptraum-tafel + ]; + }; + + esphome = { + deployment = { + targetHost = "esphome.z9.ccchh.net"; + targetPort = 22; + targetUser = "colmena-deploy"; + tags = [ "thinkcccluster" ]; + }; + imports = [ + ./config/common + ./config/proxmox-vm + ./config/hosts/esphome + ]; + }; + + public-reverse-proxy = { + deployment = { + targetHost = "public-reverse-proxy.z9.ccchh.net"; + targetPort = 22; + targetUser = "colmena-deploy"; + tags = [ "thinkcccluster" ]; + }; + imports = [ + ./config/common + 
./config/proxmox-vm + ./config/hosts/public-reverse-proxy + ]; + }; + + netbox = { + deployment = { + targetHost = "netbox-intern.hamburg.ccc.de"; + targetPort = 22; + targetUser = "colmena-deploy"; + tags = [ "chaosknoten" ]; + }; + imports = [ + ./config/common + ./config/proxmox-vm + ./config/hosts/netbox + ]; + }; + + matrix = { + deployment = { + targetHost = "matrix-intern.hamburg.ccc.de"; + targetPort = 22; + targetUser = "colmena-deploy"; + tags = [ "chaosknoten" ]; + }; + imports = [ + ./config/common + ./config/proxmox-vm + ./config/hosts/matrix + ]; + }; + + public-web-static = { + deployment = { + targetHost = "public-web-static-intern.hamburg.ccc.de"; + targetPort = 22; + targetUser = "colmena-deploy"; + tags = [ "chaosknoten" ]; + }; + imports = [ + ./config/common + ./config/proxmox-vm + ./config/hosts/public-web-static + ]; + }; + + git = { + deployment = { + targetHost = "git.hamburg.ccc.de"; + targetPort = 22; + targetUser = "colmena-deploy"; + tags = [ "chaosknoten" ]; + }; + imports = [ + ./config/common + ./config/proxmox-vm + ./config/hosts/git + ]; + }; + + forgejo-actions-runner = { + deployment = { + targetHost = "forgejo-actions-runner-intern.hamburg.ccc.de"; + targetPort = 22; + targetUser = "colmena-deploy"; + tags = [ "chaosknoten" ]; + }; + imports = [ + ./config/common + ./config/proxmox-vm + ./config/hosts/forgejo-actions-runner + ]; }; }; - audio-hauptraum-kueche = { - deployment = { - targetHost = "audio-hauptraum-kueche.z9.ccchh.net"; - targetPort = 22; - targetUser = "colmena-deploy"; - tags = [ "thinkcccluster" ]; + packages.x86_64-linux = { + proxmox-nixos-template = nixos-generators.nixosGenerate { + system = "x86_64-linux"; + modules = [ + ./config/nixos-generators/proxmox.nix + ./config/common + ./config/proxmox-vm + ]; + format = "proxmox"; + }; + + proxmox-chaosknoten-nixos-template = nixos-generators.nixosGenerate { + system = "x86_64-linux"; + modules = [ + ./config/nixos-generators/proxmox-chaosknoten.nix + 
./config/proxmox-chaosknoten-additional-initial-config.nix + ./config/common + ./config/proxmox-vm + ]; + format = "proxmox"; }; - imports = [ - ./config/common - ./config/proxmox-vm - ./config/hosts/audio-hauptraum-kueche - ]; }; - audio-hauptraum-tafel = { - deployment = { - targetHost = "audio-hauptraum-tafel.z9.ccchh.net"; - targetPort = 22; - targetUser = "colmena-deploy"; - tags = [ "thinkcccluster" ]; - }; - imports = [ - ./config/common - ./config/proxmox-vm - ./config/hosts/audio-hauptraum-tafel - ]; - }; - - esphome = { - deployment = { - targetHost = "esphome.z9.ccchh.net"; - targetPort = 22; - targetUser = "colmena-deploy"; - tags = [ "thinkcccluster" ]; - }; - imports = [ - ./config/common - ./config/proxmox-vm - ./config/hosts/esphome - ]; - }; - - public-reverse-proxy = { - deployment = { - targetHost = "public-reverse-proxy.z9.ccchh.net"; - targetPort = 22; - targetUser = "colmena-deploy"; - tags = [ "thinkcccluster" ]; - }; - imports = [ - ./config/common - ./config/proxmox-vm - ./config/hosts/public-reverse-proxy - ]; - }; - - netbox = { - deployment = { - targetHost = "netbox-intern.hamburg.ccc.de"; - targetPort = 22; - targetUser = "colmena-deploy"; - tags = [ "chaosknoten" ]; - }; - imports = [ - ./config/common - ./config/proxmox-vm - ./config/hosts/netbox - ]; - }; - - matrix = { - deployment = { - targetHost = "matrix-intern.hamburg.ccc.de"; - targetPort = 22; - targetUser = "colmena-deploy"; - tags = [ "chaosknoten" ]; - }; - imports = [ - ./config/common - ./config/proxmox-vm - ./config/hosts/matrix - ]; - }; - - public-web-static = { - deployment = { - targetHost = "public-web-static-intern.hamburg.ccc.de"; - targetPort = 22; - targetUser = "colmena-deploy"; - tags = [ "chaosknoten" ]; - }; - imports = [ - ./config/common - ./config/proxmox-vm - ./config/hosts/public-web-static - ]; - }; - - git = { - deployment = { - targetHost = "git.hamburg.ccc.de"; - targetPort = 22; - targetUser = "colmena-deploy"; - tags = [ "chaosknoten" ]; - }; - 
imports = [ - ./config/common - ./config/proxmox-vm - ./config/hosts/git - ]; - }; - - forgejo-actions-runner = { - deployment = { - targetHost = "forgejo-actions-runner-intern.hamburg.ccc.de"; - targetPort = 22; - targetUser = "colmena-deploy"; - tags = [ "chaosknoten" ]; - }; - imports = [ - ./config/common - ./config/proxmox-vm - ./config/hosts/forgejo-actions-runner - ]; - }; + formatter.x86_64-linux = nixpkgs.legacyPackages.x86_64-linux.nixpkgs-fmt; }; - - packages.x86_64-linux = { - proxmox-nixos-template = nixos-generators.nixosGenerate { - system = "x86_64-linux"; - modules = [ - ./config/nixos-generators/proxmox.nix - ./config/common - ./config/proxmox-vm - ]; - format = "proxmox"; - }; - - proxmox-chaosknoten-nixos-template = nixos-generators.nixosGenerate { - system = "x86_64-linux"; - modules = [ - ./config/nixos-generators/proxmox-chaosknoten.nix - ./config/proxmox-chaosknoten-additional-initial-config.nix - ./config/common - ./config/proxmox-vm - ]; - format = "proxmox"; - }; - }; - - formatter.x86_64-linux = nixpkgs.legacyPackages.x86_64-linux.nixpkgs-fmt; - }; } From fc5b5bb9b71bd67f6f063cf8ab8c3972f69d03ad Mon Sep 17 00:00:00 2001 
From: Julian Schacher Date: Sun, 10 Mar 2024 03:58:41 +0100 Subject: [PATCH 028/170] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nixos-generators': 'github:nix-community/nixos-generators/f4631dee1a0fd56c0db89860e83e3588a28c7631' (2024-02-22) → 'github:nix-community/nixos-generators/bef32a05496d9480b02be586fa7827748b9e597b' (2024-03-08) • Updated input 'nixos-generators/nixlib': 'github:nix-community/nixpkgs.lib/e623008d8a46517470e6365505f1a3ce171fa46a' (2024-02-18) → 'github:nix-community/nixpkgs.lib/7873d84a89ae6e4841528ff7f5697ddcb5bdfe6c' (2024-03-03) • Updated input 'nixpkgs': 'github:nixos/nixpkgs/79032939bc8d409bcc16121c4ad694ca862895e4' (2024-02-24) → 'github:nixos/nixpkgs/fcaa81ed3c273237217330cf342ef1873b77c80a' (2024-03-09) • Updated input 'nixpkgs-unstable': 'github:nixos/nixpkgs/5ab08ad057499977d489f1b378e79d166a684e6c' (2024-02-24) → 'github:nixos/nixpkgs/e389a1133d14925b942e0ad76ce75f32637db20d' (2024-03-09) --- flake.lock | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/flake.lock b/flake.lock index da0b6f6f..50f72f65 100644 --- a/flake.lock +++ b/flake.lock @@ -2,11 +2,11 @@ "nodes": { "nixlib": { "locked": { - "lastModified": 1708217146, - "narHash": "sha256-nGfEv7k78slqIR5E0zzWSx214d/4/ZPKDkObLJqVLVw=", + "lastModified": 1709426687, + "narHash": "sha256-jLBZmwXf0WYHzLkmEMq33bqhX55YtT5edvluFr0RcSA=", "owner": "nix-community", "repo": "nixpkgs.lib", - "rev": "e623008d8a46517470e6365505f1a3ce171fa46a", + "rev": "7873d84a89ae6e4841528ff7f5697ddcb5bdfe6c", "type": "github" }, "original": { 
@@ -23,11 +23,11 @@ ] }, "locked": { - "lastModified": 1708563055, - "narHash": "sha256-FaojUZNu+YPFi3eCI7mL4kxPKQ51DoySa7mqmllUOuc=", + "lastModified": 1709887845, + "narHash": "sha256-803UIoB8+vGkm/VK/g55aBAAOf/ncTGvxXyjTF4ydm0=", "owner": "nix-community", "repo": "nixos-generators", - "rev": "f4631dee1a0fd56c0db89860e83e3588a28c7631", + "rev": "bef32a05496d9480b02be586fa7827748b9e597b", "type": "github" }, "original": { @@ -38,11 +38,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1708760845, - "narHash": "sha256-xkSxjVuYLQGvteX4CCuC4c5daBwMKIDAvp0Mvvg2spE=", + "lastModified": 1709953752, + "narHash": "sha256-LW84B4vM1cn7E6cDNQn2LndT9iJXI1dRE5fwbNFbQa8=", "owner": "nixos", "repo": "nixpkgs", - "rev": "79032939bc8d409bcc16121c4ad694ca862895e4", + "rev": "fcaa81ed3c273237217330cf342ef1873b77c80a", "type": "github" }, "original": { @@ -54,11 +54,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1708765437, - "narHash": "sha256-pFAbQn7RR2lMRpyNhyAogUp7c4reB4uM4fnnbIvUw4k=", + "lastModified": 1709987164, + "narHash": "sha256-W3KoCToX0gnwpZARkRteYd8Ns0Kie3C4u057YepUP5I=", "owner": "nixos", "repo": "nixpkgs", - "rev": "5ab08ad057499977d489f1b378e79d166a684e6c", + "rev": "e389a1133d14925b942e0ad76ce75f32637db20d", "type": "github" }, "original": { From 6a0218c132b0bb92c241461c647491655199e199 Mon Sep 17 00:00:00 2001 
From: c6ristian Date: Mon, 19 Feb 2024 00:28:51 +0100 Subject: [PATCH 029/170] Serve old easterhegg pages from public-web-static. The old easterhegg pages from 2003, 2005, 2007, 2009, 2011 are served on the easterhegg.eu domain and all old subdomains under hamburg.ccc.de redirect to the corresponding pages under easterhegg.eu --- .../virtualHosts/default.nix | 1 + .../historic-easterhegg/default.nix | 11 ++ .../virtualHosts/historic-easterhegg/eh03.nix | 101 +++++++++++++++++ .../virtualHosts/historic-easterhegg/eh05.nix | 100 +++++++++++++++++ .../virtualHosts/historic-easterhegg/eh07.nix | 106 ++++++++++++++++++ .../virtualHosts/historic-easterhegg/eh09.nix | 105 +++++++++++++++++ .../virtualHosts/historic-easterhegg/eh11.nix | 106 ++++++++++++++++++ 7 files changed, 530 insertions(+) create mode 100644 config/hosts/public-web-static/virtualHosts/historic-easterhegg/default.nix create mode 100644 config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh03.nix create mode 100644 config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh05.nix create mode 100644 config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh07.nix create mode 100644 config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh09.nix create mode 100644 config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh11.nix diff --git a/config/hosts/public-web-static/virtualHosts/default.nix b/config/hosts/public-web-static/virtualHosts/default.nix index e22165fd..3678a965 100644 --- a/config/hosts/public-web-static/virtualHosts/default.nix +++ b/config/hosts/public-web-static/virtualHosts/default.nix @@ -9,5 +9,6 @@ ./spaceapi.hamburg.ccc.de.nix ./staging.hamburg.ccc.de.nix ./www.hamburg.ccc.de.nix + ./historic-easterhegg ]; } diff --git a/config/hosts/public-web-static/virtualHosts/historic-easterhegg/default.nix b/config/hosts/public-web-static/virtualHosts/historic-easterhegg/default.nix new file mode 100644 index 00000000..f9805cf3 --- /dev/null 
+++ b/config/hosts/public-web-static/virtualHosts/historic-easterhegg/default.nix
@@ -0,0 +1,11 @@
+{...}:
+
+{
+ imports = [
+ ./eh03.nix
+ ./eh05.nix
+ ./eh07.nix
+ ./eh09.nix
+ ./eh11.nix
+ ];
+}
\ No newline at end of file
diff --git a/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh03.nix b/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh03.nix
new file mode 100644
index 00000000..60d4f21e
--- /dev/null
+++ b/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh03.nix
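Review bot: The new module opens with `{...}:` and ends without a trailing newline (`\ No newline at end of file`), which differs from the `{ ... }:` / `{ pkgs, ... }:` spelling used everywhere else in this series and from what the nixpkgs-fmt formatter registered as `formatter.x86_64-linux` in an earlier patch produces. Running `nix fmt` over the new `historic-easterhegg/` directory before merging would settle both; the first line would become `{ ... }:`. A one-line header comment on what this directory groups, e.g. `# Archived Easterhegg conference sites, served from pinned git checkouts.`, would also help, since the file otherwise only lists years.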
@@ -0,0 +1,101 @@
+{ pkgs, ... }:
+
+let
+ eh03 = pkgs.fetchgit {
+ url = "https://git.hamburg.ccc.de/CCCHH/easterhegg-2003-website.git";
+ rev = "74977c56486cd060566bf06678a936e801952f9e";
+ hash = "sha256-ded/NO+Jex2Sa4yWAIRpqANsv8i0vKmJSkM5r9KxaVk=";
+ };
+in
+{
+ security.acme.certs."eh03.easterhegg.eu".extraDomainNames = [
+ "eh2003.hamburg.ccc.de"
+ "www.eh2003.hamburg.ccc.de"
+ "easterhegg2003.hamburg.ccc.de"
+ "www.easterhegg2003.hamburg.ccc.de"
+ ];
+
+ services.nginx.virtualHosts = {
+ "acme-eh03.easterhegg.eu" = {
+ enableACME = true;
+ serverName = "eh03.easterhegg.eu";
+ serverAliases = [
+ "eh2003.hamburg.ccc.de"
+ "www.eh2003.hamburg.ccc.de"
+ "easterhegg2003.hamburg.ccc.de"
+ "www.easterhegg2003.hamburg.ccc.de"
+ ];
+ listen = [{
+ addr = "0.0.0.0";
+ port = 31820;
+ }];
+ };
+
+ "easterhegg2003.hamburg.ccc.de" = {
+ forceSSL = true;
+ useACMEHost = "eh03.easterhegg.eu";
+ serverAliases = [
+ "eh2003.hamburg.ccc.de"
+ "www.eh2003.hamburg.ccc.de"
+ "www.easterhegg2003.hamburg.ccc.de"
+ ];
+
+ listen = [{
+ addr = "0.0.0.0";
+ port = 8443;
+ ssl = true;
+ proxyProtocol = true;
+ }];
+
+ locations."/".return = "302 https://eh03.easterhegg.eu";
+
+ extraConfig = ''
+ # Make use of the ngx_http_realip_module to set the $remote_addr and
+ # $remote_port to the client address and client port, when using proxy
+ # protocol.
+ # First set our proxy protocol proxy as trusted.
+ set_real_ip_from 172.31.17.140;
+ # Then tell the realip_module to get the addreses from the proxy protocol
+ # header.
+ real_ip_header proxy_protocol;
+ '';
+ };
+
+ "eh03.easterhegg.eu" = {
+ forceSSL = true;
+ useACMEHost = "eh03.easterhegg.eu";
+
+ listen = [{
+ addr = "0.0.0.0";
+ port = 8443;
+ ssl = true;
+ proxyProtocol = true;
+ }];
+
+ locations."/" = {
+ index = "index.html";
+ root = eh03;
+ extraConfig = ''
+ # Set default_type to html
+ default_type text/html;
+ # Enable SSI
+ ssi on;
+ '';
+ };
+
+ extraConfig = ''
+ set $chosen_lang "de";
+ # Make use of the ngx_http_realip_module to set the $remote_addr and
+ # $remote_port to the client address and client port, when using proxy
+ # protocol.
+ # First set our proxy protocol proxy as trusted.
+ set_real_ip_from 172.31.17.140;
+ # Then tell the realip_module to get the addreses from the proxy protocol
+ # header.
+ real_ip_header proxy_protocol;
+ # Enable SSI
+ ssi on;
+ '';
+ };
+ };
+}
diff --git a/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh05.nix b/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh05.nix
new file mode 100644
index 00000000..7651666d
--- /dev/null
+++ b/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh05.nix
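Review bot: The redirect vhost `easterhegg2003.hamburg.ccc.de` sends every request to the site root with `locations."/".return = "302 https://eh03.easterhegg.eu";`, so a deep link to an old page lands on the front page, although the commit message says the old names should redirect to the corresponding pages. Both vhosts serve the same pinned checkout, so appending the request path keeps old links working, and a permanent code fits a retired hostname: `locations."/".return = "301 https://eh03.easterhegg.eu$request_uri";`. Separately, `ssi on;` is set in the server-level `extraConfig` of `eh03.easterhegg.eu` and again inside its `locations."/"` block; the location inherits it from the server block, so one copy can go. SSI on content that comes from a hash-pinned git revision is acceptable, but a comment saying the archived pages depend on it (the `set $chosen_lang "de";` variable suggests an SSI `echo` in the HTML) would stop someone from switching it off as a hardening measure later.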
@@ -0,0 +1,100 @@
+{ pkgs, ... }:
+
+let
+ eh05 = pkgs.fetchgit {
+ url = "https://git.hamburg.ccc.de/CCCHH/easterhegg-2005-website.git";
+ rev = "f1455aee35b6462ab5c46f3d52c47e0b200c1315";
+ hash = "sha256-lA4fxO05K39nosSYNfKUtSCrK+dja1yWKILqRklSNy8=";
+ };
+in
+{
+ security.acme.certs."eh05.easterhegg.eu".extraDomainNames = [
+ "eh2005.hamburg.ccc.de"
+ "www.eh2005.hamburg.ccc.de"
+ "easterhegg2005.hamburg.ccc.de"
+ "www.easterhegg2005.hamburg.ccc.de"
+ ];
+
+ services.nginx.virtualHosts = {
+ "acme-eh05.easterhegg.eu" = {
+ enableACME = true;
+ serverName = "eh05.easterhegg.eu";
+ serverAliases = [
+ "eh2005.hamburg.ccc.de"
+ "www.eh2005.hamburg.ccc.de"
+ "easterhegg2005.hamburg.ccc.de"
+ "www.easterhegg2005.hamburg.ccc.de"
+ ];
+ listen = [{
+ addr = "0.0.0.0";
+ port = 31820;
+ }];
+ };
+
+ "easterhegg2005.hamburg.ccc.de" = {
+ forceSSL = true;
+ useACMEHost = "eh05.easterhegg.eu";
+ serverAliases = [
+ "eh2005.hamburg.ccc.de"
+ "www.eh2005.hamburg.ccc.de"
+ "www.easterhegg2005.hamburg.ccc.de"
+ ];
+
+ listen = [{
+ addr = "0.0.0.0";
+ port = 8443;
+ ssl = true;
+ proxyProtocol = true;
+ }];
+
+ locations."/".return = "302 https://eh05.easterhegg.eu";
+
+ extraConfig = ''
+ # Make use of the ngx_http_realip_module to set the $remote_addr and
+ # $remote_port to the client address and client port, when using proxy
+ # protocol.
+ # First set our proxy protocol proxy as trusted.
+ set_real_ip_from 172.31.17.140;
+ # Then tell the realip_module to get the addreses from the proxy protocol
+ # header.
+ real_ip_header proxy_protocol;
+ '';
+ };
+
+ "eh05.easterhegg.eu" = {
+ forceSSL = true;
+ useACMEHost = "eh05.easterhegg.eu";
+
+ listen = [{
+ addr = "0.0.0.0";
+ port = 8443;
+ ssl = true;
+ proxyProtocol = true;
+ }];
+
+ locations."/" = {
+ index = "index.shtml";
+ root = eh05;
+ extraConfig = ''
+ # Set default_type to html
+ default_type text/html;
+ # Enable SSI
+ ssi on;
+ '';
+ };
+
+ extraConfig = ''
+ # Make use of the ngx_http_realip_module to set the $remote_addr and
+ # $remote_port to the client address and client port, when using proxy
+ # protocol.
+ # First set our proxy protocol proxy as trusted.
+ set_real_ip_from 172.31.17.140;
+ # Then tell the realip_module to get the addreses from the proxy protocol
+ # header.
+ real_ip_header proxy_protocol;
+ # Enable SSI
+ ssi on;
+ '';
+ };
+ };
+}
diff --git a/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh07.nix b/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh07.nix
new file mode 100644
index 00000000..40fe4805
--- /dev/null
+++ b/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh07.nix
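Review bot: The same four legacy hostnames are spelled out three times in this file — in `extraDomainNames` of the `eh05.easterhegg.eu` certificate, in `serverAliases` of the `acme-eh05.easterhegg.eu` vhost, and (minus the vhost's own name) in `serverAliases` of the redirect vhost — so a later edit to one list but not the others leaves nginx answering for a name the certificate does not cover, which clients see as a TLS error. A single binding such as `legacyNames = [ "eh2005.hamburg.ccc.de" "www.eh2005.hamburg.ccc.de" "easterhegg2005.hamburg.ccc.de" "www.easterhegg2005.hamburg.ccc.de" ];` in the `let`, used as `extraDomainNames = legacyNames;` and as the source of both alias lists, keeps certificate and server names in step. The redirect vhost also discards the request path with `"302 https://eh05.easterhegg.eu"`; `"301 https://eh05.easterhegg.eu$request_uri"` would preserve deep links to the old hostnames, which is what the commit message describes.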
@@ -0,0 +1,106 @@ +{ pkgs, ... }: + +let + eh07 = pkgs.fetchgit { + url = "https://git.hamburg.ccc.de/CCCHH/easterhegg-2007-website.git"; + rev = "0bb06fd2654814ddda28469a1bf9e50a9814dd9a"; + hash = "sha256-jMpDxgxbL3ipG3HLJo0ISTdWfYYrd2EfwpmoiWV0qCM="; + }; +in +{ + security.acme.certs."eh07.easterhegg.eu".extraDomainNames = [ + "eh2007.hamburg.ccc.de" + "www.eh2007.hamburg.ccc.de" + "eh07.hamburg.ccc.de" + "www.eh07.hamburg.ccc.de" + "easterhegg2007.hamburg.ccc.de" + "www.easterhegg2007.hamburg.ccc.de" + ]; + + services.nginx.virtualHosts = { + "acme-eh07.easterhegg.eu" = { + enableACME = true; + serverName = "eh07.easterhegg.eu"; + serverAliases = [ + "eh2007.hamburg.ccc.de" + "www.eh2007.hamburg.ccc.de" + "eh07.hamburg.ccc.de" + "www.eh07.hamburg.ccc.de" + "easterhegg2007.hamburg.ccc.de" + "www.easterhegg2007.hamburg.ccc.de" + ]; + listen = [{ + addr = "0.0.0.0"; + port = 31820; + }]; + }; + + "easterhegg2007.hamburg.ccc.de" = { + forceSSL = true; + useACMEHost = "eh07.easterhegg.eu"; + serverAliases = [ + "eh2007.hamburg.ccc.de" + "www.eh2007.hamburg.ccc.de" + "eh07.hamburg.ccc.de" + "www.eh07.hamburg.ccc.de" + "www.easterhegg2007.hamburg.ccc.de" + ]; + + listen = [{ + addr = "0.0.0.0"; + port = 8443; + ssl = true; + proxyProtocol = true; + }]; + + locations."/".return = "302 https://eh07.easterhegg.eu"; + + extraConfig = '' + # Make use of the ngx_http_realip_module to set the $remote_addr and + # $remote_port to the client address and client port, when using proxy + # protocol. + # First set our proxy protocol proxy as trusted. + set_real_ip_from 172.31.17.140; + # Then tell the realip_module to get the addreses from the proxy protocol + # header. 
+ real_ip_header proxy_protocol; + ''; + }; + + "eh07.easterhegg.eu" = { + forceSSL = true; + useACMEHost = "eh07.easterhegg.eu"; + + listen = [{ + addr = "0.0.0.0"; + port = 8443; + ssl = true; + proxyProtocol = true; + }]; + + locations."/" = { + index = "index.shtml"; + root = eh07; + extraConfig = '' + # Set default_type to html + default_type text/html; + # Enable SSI + ssi on; + ''; + }; + + extraConfig = '' + # Make use of the ngx_http_realip_module to set the $remote_addr and + # $remote_port to the client address and client port, when using proxy + # protocol. + # First set our proxy protocol proxy as trusted. + set_real_ip_from 172.31.17.140; + # Then tell the realip_module to get the addreses from the proxy protocol + # header. + real_ip_header proxy_protocol; + # Enable SSI + ssi on; + ''; + }; + }; +} diff --git a/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh09.nix b/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh09.nix new file mode 100644 index 00000000..f7416ed8 --- /dev/null +++ b/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh09.nix 
@@ -0,0 +1,105 @@ +{ pkgs, ... }: + +let + eh09 = pkgs.fetchgit { + url = "https://git.hamburg.ccc.de/CCCHH/easterhegg-2009-website.git"; + rev = "6d4a50c5ab23870072f0b33dd0171b0c56d6cab5"; + hash = "sha256-kPJOrKseJD/scRxhYFa249DT1cYmeCjnK50Bt0IJZK8="; + }; +in +{ + security.acme.certs."eh09.easterhegg.eu".extraDomainNames = [ + "eh2009.hamburg.ccc.de" + "www.eh2009.hamburg.ccc.de" + "eh09.hamburg.ccc.de" + "www.eh09.hamburg.ccc.de" + "easterhegg2009.hamburg.ccc.de" + "www.easterhegg2009.hamburg.ccc.de" + ]; + + services.nginx.virtualHosts = { + "acme-eh09.easterhegg.eu" = { + enableACME = true; + serverName = "eh09.easterhegg.eu"; + serverAliases = [ + "eh2009.hamburg.ccc.de" + "www.eh2009.hamburg.ccc.de" + "eh09.hamburg.ccc.de" + "www.eh09.hamburg.ccc.de" + "easterhegg2009.hamburg.ccc.de" + "www.easterhegg2009.hamburg.ccc.de" + ]; + listen = [{ + addr = "0.0.0.0"; + port = 31820; + }]; + }; + + "easterhegg2009.hamburg.ccc.de" = { + forceSSL = true; + useACMEHost = "eh09.easterhegg.eu"; + serverAliases = [ + "eh2009.hamburg.ccc.de" + "www.eh2009.hamburg.ccc.de" + "eh09.hamburg.ccc.de" + "www.eh09.hamburg.ccc.de" + "www.easterhegg2009.hamburg.ccc.de" + ]; + + listen = [{ + addr = "0.0.0.0"; + port = 8443; + ssl = true; + proxyProtocol = true; + }]; + + locations."/".return = "302 https://eh09.easterhegg.eu"; + + extraConfig = '' + # Make use of the ngx_http_realip_module to set the $remote_addr and + # $remote_port to the client address and client port, when using proxy + # protocol. + # First set our proxy protocol proxy as trusted. + set_real_ip_from 172.31.17.140; + # Then tell the realip_module to get the addreses from the proxy protocol + # header. 
+ real_ip_header proxy_protocol; + ''; + }; + + "eh09.easterhegg.eu" = { + forceSSL = true; + useACMEHost = "eh09.easterhegg.eu"; + + listen = [{ + addr = "0.0.0.0"; + port = 8443; + ssl = true; + proxyProtocol = true; + }]; + + locations."/" = { + index = "index.shtml"; + root = eh09; + extraConfig = '' + # Set default_type to html + default_type text/html; + # Enable SSI + ssi on; + ''; + }; + extraConfig = '' + # Make use of the ngx_http_realip_module to set the $remote_addr and + # $remote_port to the client address and client port, when using proxy + # protocol. + # First set our proxy protocol proxy as trusted. + set_real_ip_from 172.31.17.140; + # Then tell the realip_module to get the addreses from the proxy protocol + # header. + real_ip_header proxy_protocol; + # Enable SSI + ssi on; + ''; + }; + }; +} diff --git a/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh11.nix b/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh11.nix new file mode 100644 index 00000000..c409641d --- /dev/null +++ b/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh11.nix 
@@ -0,0 +1,106 @@ +{ pkgs, ... }: + +let + eh11 = pkgs.fetchgit { + url = "https://git.hamburg.ccc.de/CCCHH/easterhegg-2011-website.git"; + rev = "c20540af71d4a0bd1fa12f49962b92d04293415b"; + hash = "sha256-9hhtfU8fp2HOThcyQ4R7kuGQBjZktqMtiiYQhOas2QA="; + }; +in +{ + security.acme.certs."eh11.easterhegg.eu".extraDomainNames = [ + "eh2011.hamburg.ccc.de" + "www.eh2011.hamburg.ccc.de" + "eh11.hamburg.ccc.de" + "www.eh11.hamburg.ccc.de" + "easterhegg2011.hamburg.ccc.de" + "www.easterhegg2011.hamburg.ccc.de" + ]; + + services.nginx.virtualHosts = { + "acme-eh11.easterhegg.eu" = { + enableACME = true; + serverName = "eh11.easterhegg.eu"; + serverAliases = [ + "eh2011.hamburg.ccc.de" + "www.eh2011.hamburg.ccc.de" + "eh11.hamburg.ccc.de" + "www.eh11.hamburg.ccc.de" + "easterhegg2011.hamburg.ccc.de" + "www.easterhegg2011.hamburg.ccc.de" + ]; + listen = [{ + addr = "0.0.0.0"; + port = 31820; + }]; + }; + + "easterhegg2011.hamburg.ccc.de" = { + forceSSL = true; + useACMEHost = "eh11.easterhegg.eu"; + serverAliases = [ + "eh2011.hamburg.ccc.de" + "www.eh2011.hamburg.ccc.de" + "eh11.hamburg.ccc.de" + "www.eh11.hamburg.ccc.de" + "www.easterhegg2011.hamburg.ccc.de" + ]; + + listen = [{ + addr = "0.0.0.0"; + port = 8443; + ssl = true; + proxyProtocol = true; + }]; + + locations."/".return = "302 https://eh11.easterhegg.eu"; + + extraConfig = '' + # Make use of the ngx_http_realip_module to set the $remote_addr and + # $remote_port to the client address and client port, when using proxy + # protocol. + # First set our proxy protocol proxy as trusted. + set_real_ip_from 172.31.17.140; + # Then tell the realip_module to get the addreses from the proxy protocol + # header. 
+ real_ip_header proxy_protocol; + ''; + }; + + "eh11.easterhegg.eu" = { + forceSSL = true; + useACMEHost = "eh11.easterhegg.eu"; + + listen = [{ + addr = "0.0.0.0"; + port = 8443; + ssl = true; + proxyProtocol = true; + }]; + + locations."/" = { + index = "index.shtml"; + root = eh11; + extraConfig = '' + # Set default_type to html + default_type text/html; + # Enable SSI + ssi on; + ''; + }; + + extraConfig = '' + # Make use of the ngx_http_realip_module to set the $remote_addr and + # $remote_port to the client address and client port, when using proxy + # protocol. + # First set our proxy protocol proxy as trusted. + set_real_ip_from 172.31.17.140; + # Then tell the realip_module to get the addreses from the proxy protocol + # header. + real_ip_header proxy_protocol; + # Enable SSI + ssi on; + ''; + }; + }; +} From c97f169b776fefad29c5432cc3325e2259896ec0 Mon Sep 17 00:00:00 2001 
From: June Date: Sun, 14 Apr 2024 18:46:51 +0200 Subject: [PATCH 030/170] Add print server for label printer to have it easily usable via SSH Add and configure a print server for the Brother P-touch QL 500 label printer, so that it can be easily used via SSH. Do the following to make that work: - Configure the print server host. - Package printer-driver-ptouch to have a working driver for the label printer. - Configure CUPS. - Add a script "forcecommand-lpr-wrapper", which works together with the ForceCommand sshd_config option and wraps lpr to provide an easy interface to use the Brother QL 500 label printer via SSH. - Add a print user and configure SSH to have the "forcecommand-lpr-wrapper" script accessible without a password using the print user via SSH. --- .../ptouch-print-server/configuration.nix | 7 ++ config/hosts/ptouch-print-server/default.nix | 9 ++ .../forcecommand-lpr-wrapper.py | 84 ++++++++++++++ .../forcecommand-lpr-wrapper/setup.py | 7 ++ .../hosts/ptouch-print-server/networking.nix | 23 ++++ config/hosts/ptouch-print-server/printing.nix | 104 ++++++++++++++++++ flake.nix | 14 +++ 7 files changed, 248 insertions(+) create mode 100644 config/hosts/ptouch-print-server/configuration.nix create mode 100644 config/hosts/ptouch-print-server/default.nix create mode 100644 config/hosts/ptouch-print-server/forcecommand-lpr-wrapper/forcecommand-lpr-wrapper.py create mode 100644 config/hosts/ptouch-print-server/forcecommand-lpr-wrapper/setup.py create mode 100644 config/hosts/ptouch-print-server/networking.nix create mode 100644 config/hosts/ptouch-print-server/printing.nix diff --git a/config/hosts/ptouch-print-server/configuration.nix b/config/hosts/ptouch-print-server/configuration.nix new file mode 100644 index 00000000..1bb1448d --- /dev/null +++ b/config/hosts/ptouch-print-server/configuration.nix @@ -0,0 +1,7 @@ +{ ... }: + +{ + networking.hostName = "ptouch-print-server"; + + system.stateVersion = "23.11"; +} 
diff --git a/config/hosts/ptouch-print-server/default.nix b/config/hosts/ptouch-print-server/default.nix new file mode 100644 index 00000000..248bae64 --- /dev/null +++ b/config/hosts/ptouch-print-server/default.nix @@ -0,0 +1,9 @@ +{ ... }: + +{ + imports = [ + ./configuration.nix + ./networking.nix + ./printing.nix + ]; +} diff --git a/config/hosts/ptouch-print-server/forcecommand-lpr-wrapper/forcecommand-lpr-wrapper.py b/config/hosts/ptouch-print-server/forcecommand-lpr-wrapper/forcecommand-lpr-wrapper.py new file mode 100644 index 00000000..d42469c7 --- /dev/null +++ b/config/hosts/ptouch-print-server/forcecommand-lpr-wrapper/forcecommand-lpr-wrapper.py 
@@ -0,0 +1,84 @@
+#!/usr/bin/env python3
+
+# A script for usage with the ForceCommand sshd_config option.
+# It calls lpr with some standard arguments, but also parses
+# SSH_ORIGINAL_COMMAND to potentially provide a different set of arguments to
+# lpr.
+#
+# This wrapper is written for interacting with the Brother QL 500 label printer.
+#
+# The following options can be provided as an SSH command and this script will
+# then pass them to the lpr call:
+# - MediaType can be one of:
+# - Labels
+# - Tape (this is the default)
+# - PageSize can be one of:
+# - 12mm
+# - 12mm-circular
+# - 17x54mm
+# - 17x87mm
+# - 23x23mm
+# - 24mm-circular
+# - 29mm
+# - 29x90mm
+# - 38mm
+# - 38x90mm
+# - 50mm
+# - 54mm
+# - 58mm-circular
+# - 62mm
+# - 62x29mm
+# - 62x100mm
+# - Custom.WIDTHxHEIGHT (with WIDTH and HEIGHT needing to be either one to
+# three digits)
+# - label-wide (this being a convenience alias for Custom.62x35mm and it also
+# being the default)
+# - label-item (this being a convenience alias for 38x90mm)
+#
+# So using these options in a complete setup would look like this for example:
+# cat label-item.pdf | ssh print@ptouch-print-server.z9.ccchh.net labels label-item
+# This being equivalent to:
+# cat label-item.pdf | ssh print@ptouch-print-server.z9.ccchh.net Labels 38x90mm
+#
+# The options are case-insensitive.
+#
+# The options are derived from: lpoptions -p Brother-QL-500 -l
+
+import os, re, subprocess
+
+mediaType = "Tape"
+pageSize = "Custom.62x35mm"
+
+def parseGivenOptions():
+ givenOptionsString = os.environ["SSH_ORIGINAL_COMMAND"]
+ givenOptionsIterator = iter(givenOptionsString.split(" "))
+
+ givenMediaType = next(givenOptionsIterator, "")
+ givenPageSize = next(givenOptionsIterator, "")
+
+ global mediaType
+ if givenMediaType.lower() == "labels":
+ mediaType = "Labels"
+ elif givenMediaType.lower() == "tape":
+ mediaType = "Tape"
+
+ global pageSize
+ pageSizeRegex = re.compile(r"^((12mm(-circular)?)|(24mm-circular)|(58mm-circular)|(((17x(54|87))|(23x23)|((29|38)(x90)?)|(62x(29|100))|50|54|62)mm))$", re.ASCII | re.IGNORECASE)
+ pageSizeMatch = pageSizeRegex.match(givenPageSize)
+ pageSizeCustomRegex = re.compile(r"^custom\.(\d{1,3})x(\d{1,3})$", re.ASCII | re.IGNORECASE)
+ pageSizeCustomMatch = pageSizeCustomRegex.match(givenPageSize)
+ if givenPageSize.lower() == "label-wide":
+ pageSize = "Custom.62x35mm"
+ elif givenPageSize.lower() == "label-item":
+ pageSize = "38x90mm"
+ elif pageSizeMatch:
+ pageSize = givenPageSize.lower()
+ elif pageSizeCustomMatch:
+ width = pageSizeCustomMatch.group(1)
+ height = pageSizeCustomMatch.group(2)
+ pageSize = "Custom.{}x{}".format(width, height)
+
+if "SSH_ORIGINAL_COMMAND" in os.environ:
+ parseGivenOptions()
+
+subprocess.run(["lpr", "-P", "Brother-QL-500", "-o", "MediaType={}".format(mediaType), "-o", "PageSize={}".format(pageSize)])
diff --git a/config/hosts/ptouch-print-server/forcecommand-lpr-wrapper/setup.py b/config/hosts/ptouch-print-server/forcecommand-lpr-wrapper/setup.py
new file mode 100644
index 00000000..ef2b1703
--- /dev/null
+++ b/config/hosts/ptouch-print-server/forcecommand-lpr-wrapper/setup.py
@@ -0,0 +1,7 @@
+from distutils.core import setup
+
+setup(
+ name = "forcecommand-lpr-wrapper",
+ version = "0.0.1",
+ scripts = ["./forcecommand-lpr-wrapper.py"]
+)
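Review bot: The `Custom.{}x{}` string built from `pageSizeCustomMatch` carries no unit, while the default and the `label-wide` alias use `Custom.62x35mm`; as far as I know CUPS reads a unit-less custom size in points, so a client sending `Custom.62x35` gets a different page than `label-wide`, and `Custom.62x35mm` matches neither regex and silently falls back to the default. Emitting `pageSize = "Custom.{}x{}mm".format(width, height)` and stating in the header comment that WIDTH and HEIGHT are millimetres would make the two paths agree. The result of `subprocess.run([...])` is discarded, so the SSH session exits 0 even when `lpr` fails; `raise SystemExit(subprocess.run([...]).returncode)` passes the status back to the client. `givenOptionsString.split(" ")` turns a double space into an empty token, so `labels  38x90mm` prints on the default tape; `split()` with no argument avoids that. Unrecognised options fall through to the defaults without any message, which deserves at least a line on stderr so a misspelt size is not printed on the wrong stock.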
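Review bot: `from distutils.core import setup` depends on distutils, which is deprecated since Python 3.10 and removed from the standard library in 3.12, so this package stops building as soon as the nixpkgs `python3` it is built with moves to 3.12. `from setuptools import setup` is a drop-in replacement here; `buildPythonApplication` presumably already supplies setuptools for a setup.py build, worth confirming on the first rebuild.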
diff --git a/config/hosts/ptouch-print-server/networking.nix b/config/hosts/ptouch-print-server/networking.nix new file mode 100644 index 00000000..7c7cb62e --- /dev/null +++ b/config/hosts/ptouch-print-server/networking.nix @@ -0,0 +1,23 @@ +{ ... }: + +{ + networking = { + interfaces.net0 = { + ipv4.addresses = [ + { + address = "10.31.208.13"; + prefixLength = 25; + } + ]; + }; + defaultGateway = "10.31.208.1"; + nameservers = [ + "10.31.208.1" + ]; + }; + + systemd.network.links."10-net0" = { + matchConfig.MACAddress = "BC:24:11:F2:CF:8F"; + linkConfig.Name = "net0"; + }; +} diff --git a/config/hosts/ptouch-print-server/printing.nix b/config/hosts/ptouch-print-server/printing.nix new file mode 100644 index 00000000..5964f562 --- /dev/null +++ b/config/hosts/ptouch-print-server/printing.nix 
@@ -0,0 +1,104 @@
+# Sources for this configuration:
+# - https://nixos.wiki/wiki/Printing
+
+{ pkgs, lib, ... }:
+
+let
+ # https://github.com/philpem/printer-driver-ptouch
+ printer-driver-ptouch = pkgs.stdenv.mkDerivation rec {
+ pname = "printer-driver-ptouch";
+ version = "1.7";
+
+ src = pkgs.fetchgit {
+ url = "https://github.com/philpem/printer-driver-ptouch";
+ rev = "v${version}";
+ hash = "sha256-3ZotSHn7lERp53hAzx47Ct/k565rEoensCcltwX/Xls=";
+ };
+
+ nativeBuildInputs = [
+ pkgs.autoreconfHook
+ pkgs.perl
+ ];
+
+ buildInputs = [
+ pkgs.cups
+ pkgs.libpng
+ pkgs.perlPackages.XMLLibXML
+ pkgs.foomatic-db-engine
+ ];
+
+ patches = [
+ # Add this patch to have the package actually build sucessfully.
+ # https://github.com/philpem/printer-driver-ptouch/pull/35
+ (pkgs.fetchpatch {
+ name = "fix-brother-ql-600.xml.patch";
+ url = "https://patch-diff.githubusercontent.com/raw/philpem/printer-driver-ptouch/pull/35.patch";
+ hash = "sha256-y5bHKFeRXx8Wdl1++l4QNGgiY41LY5uzrRdOlaZyF9I=";
+ })
+ ];
+
+ # Used the following as a reference on how to generate the ppd files.
+ # https://salsa.debian.org/printing-team/ptouch-driver/-/blob/4ba5d2c490ea1230374aa4b0bf711bf77f1ab0c7/debian/rules#L34
+ postInstall = ''
+ mkdir -p $out/share/cups
+ FOOMATICDB=$out/share/foomatic ${pkgs.foomatic-db-engine}/bin/foomatic-compiledb -t ppd -d $out/share/cups/model
+ rm -r $out/share/foomatic
+ '';
+
+ postPatch = ''
+ patchShebangs --build foomaticalize
+ '';
+ };
+ forcecommand-lpr-wrapper = pkgs.python3Packages.buildPythonApplication {
+ name = "forcecommand-lpr-wrapper";
+ src = ./forcecommand-lpr-wrapper;
+
+ propagatedBuildInputs = [
+ pkgs.cups
+ ];
+ };
+in
+{
+ services.printing = {
+ enable = true;
+ drivers = [ printer-driver-ptouch ];
+ stateless = true;
+ };
+
+ hardware.printers = {
+ ensurePrinters = [
+ {
+ name = "Brother-QL-500";
+ location = "Z9";
+ deviceUri = "usb://Brother/QL-500?serial=J8Z249208";
+ model = "Brother-QL-500-ptouch-ql.ppd";
+ ppdOptions = {
+ PageSize = "Custom.62x35mm";
+ };
+ }
+ ];
+ ensureDefaultPrinter = "Brother-QL-500";
+ };
+
+ users.users.print = {
+ isNormalUser = true;
+ description = "User for printing via SSH.";
+ password = "";
+ };
+
+ # PasswordAuthentication being set to false just puts "auth required
+ pam_deny.so # deny (order 12400)" for pam.d/sshd, so enable
+ PasswordAuthentication to have it not do that.
+ services.openssh.settings.PasswordAuthentication = lib.mkForce true;
+ # The following doesn't need to be set in order for empty passwords to work
+ apparently:
+ security.pam.services.sshd.allowNullPassword = true;
+ services.openssh.extraConfig = ''
+ Match User print
+ PubkeyAuthentication no
+ AuthenticationMethods none
+ PermitEmptyPasswords yes
+ ForceCommand ${forcecommand-lpr-wrapper}/bin/forcecommand-lpr-wrapper.py
+ Match User *
+ '';
+}
diff --git a/flake.nix b/flake.nix
index f66397d4..5360d1f1 100644
--- a/flake.nix
+++ b/flake.nix
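Review bot: `services.openssh.settings.PasswordAuthentication = lib.mkForce true` re-enables password authentication for every account on this host, not only for `print`, and the closing `Match User *` block at the end of `extraConfig` carries no settings, so nothing turns it back off for the deploy user this host gets in `flake.nix`. Keeping the global option (the comment explains it is needed to avoid the generated `pam_deny` line) but putting `PasswordAuthentication no` and `AuthenticationMethods publickey` under that final `Match User *` would confine empty-password logins to `print`, since a matching Match block overrides the global value. `password = ""` with `isNormalUser = true` presumably also applies to local logins (the Proxmox VM console), where no `ForceCommand` stands in the way; whether that is acceptable belongs in a comment next to the user definition. Since the wrapper is the only barrier between an unauthenticated network client and a shell, a comment on the `ForceCommand` line saying that it must keep passing `SSH_ORIGINAL_COMMAND` as a validated argv list and never through a shell would protect later edits.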
@@ -197,6 +197,20 @@ ./config/hosts/forgejo-actions-runner ]; }; + + ptouch-print-server = { + deployment = { + targetHost = "ptouch-print-server.z9.ccchh.net"; + targetPort = 22; + targetUser = "colmena-deploy"; + tags = [ "thinkcccluster" ]; + }; + imports = [ + ./config/common + ./config/proxmox-vm + ./config/hosts/ptouch-print-server + ]; + }; }; packages.x86_64-linux = { From b229494eac326c992ea01bac7277467e91831a72 Mon Sep 17 00:00:00 2001 
From: June Date: Sun, 14 Apr 2024 18:50:13 +0200 Subject: [PATCH 031/170] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nixos-generators': 'github:nix-community/nixos-generators/bef32a05496d9480b02be586fa7827748b9e597b?narHash=sha256-803UIoB8%2BvGkm/VK/g55aBAAOf/ncTGvxXyjTF4ydm0%3D' (2024-03-08) → 'github:nix-community/nixos-generators/d942db8df8ee860556a38754f15b8d03bf7e6933?narHash=sha256-yYlxv1sg/TNl6hghjAe0ct%2B/p5PwXiT1mpuaExjhR88%3D' (2024-04-08) • Updated input 'nixos-generators/nixlib': 'github:nix-community/nixpkgs.lib/7873d84a89ae6e4841528ff7f5697ddcb5bdfe6c?narHash=sha256-jLBZmwXf0WYHzLkmEMq33bqhX55YtT5edvluFr0RcSA%3D' (2024-03-03) → 'github:nix-community/nixpkgs.lib/3c62b6a12571c9a7f65ab037173ee153d539905f?narHash=sha256-K6IkdtMtq9xktmYPj0uaYc8NsIqHuaAoRBaMgu9Fvrw%3D' (2024-04-07) • Updated input 'nixpkgs': 'github:nixos/nixpkgs/fcaa81ed3c273237217330cf342ef1873b77c80a?narHash=sha256-LW84B4vM1cn7E6cDNQn2LndT9iJXI1dRE5fwbNFbQa8%3D' (2024-03-09) → 'github:nixos/nixpkgs/6ec8515bc79f396159a67b2ed8012b2e988d9dc6?narHash=sha256-x4RVSeo0qq099PEdCOGHrJ/mpUKIhTCJDTy4hI1U%2BGs%3D' (2024-04-14) • Updated input 'nixpkgs-unstable': 'github:nixos/nixpkgs/e389a1133d14925b942e0ad76ce75f32637db20d?narHash=sha256-W3KoCToX0gnwpZARkRteYd8Ns0Kie3C4u057YepUP5I%3D' (2024-03-09) → 'github:nixos/nixpkgs/bc59f72803cf40fb50f05cb73068d85b5ce21297?narHash=sha256-goBKZ4CKodTfkKaEGhpYOz545gnXmLfmn8gjiq7PLpU%3D' (2024-04-14) --- flake.lock | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/flake.lock b/flake.lock index 50f72f65..733defa0 100644 --- a/flake.lock +++ b/flake.lock 
@@ -2,11 +2,11 @@ "nodes": { "nixlib": { "locked": { - "lastModified": 1709426687, - "narHash": "sha256-jLBZmwXf0WYHzLkmEMq33bqhX55YtT5edvluFr0RcSA=", + "lastModified": 1712450863, + "narHash": "sha256-K6IkdtMtq9xktmYPj0uaYc8NsIqHuaAoRBaMgu9Fvrw=", "owner": "nix-community", "repo": "nixpkgs.lib", - "rev": "7873d84a89ae6e4841528ff7f5697ddcb5bdfe6c", + "rev": "3c62b6a12571c9a7f65ab037173ee153d539905f", "type": "github" }, "original": { @@ -23,11 +23,11 @@ ] }, "locked": { - "lastModified": 1709887845, - "narHash": "sha256-803UIoB8+vGkm/VK/g55aBAAOf/ncTGvxXyjTF4ydm0=", + "lastModified": 1712537332, + "narHash": "sha256-yYlxv1sg/TNl6hghjAe0ct+/p5PwXiT1mpuaExjhR88=", "owner": "nix-community", "repo": "nixos-generators", - "rev": "bef32a05496d9480b02be586fa7827748b9e597b", + "rev": "d942db8df8ee860556a38754f15b8d03bf7e6933", "type": "github" }, "original": { @@ -38,11 +38,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1709953752, - "narHash": "sha256-LW84B4vM1cn7E6cDNQn2LndT9iJXI1dRE5fwbNFbQa8=", + "lastModified": 1713088269, + "narHash": "sha256-x4RVSeo0qq099PEdCOGHrJ/mpUKIhTCJDTy4hI1U+Gs=", "owner": "nixos", "repo": "nixpkgs", - "rev": "fcaa81ed3c273237217330cf342ef1873b77c80a", + "rev": "6ec8515bc79f396159a67b2ed8012b2e988d9dc6", "type": "github" }, "original": { @@ -54,11 +54,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1709987164, - "narHash": "sha256-W3KoCToX0gnwpZARkRteYd8Ns0Kie3C4u057YepUP5I=", + "lastModified": 1713064665, + "narHash": "sha256-goBKZ4CKodTfkKaEGhpYOz545gnXmLfmn8gjiq7PLpU=", "owner": "nixos", "repo": "nixpkgs", - "rev": "e389a1133d14925b942e0ad76ce75f32637db20d", + "rev": "bc59f72803cf40fb50f05cb73068d85b5ce21297", "type": "github" }, "original": { From bc6af32a36cbc0d176c39533f5f9117608461505 Mon Sep 17 00:00:00 2001 
From: June Date: Mon, 15 Apr 2024 17:07:50 +0200 Subject: [PATCH 032/170] Update spaceapid to latest commit and use correct logo URL --- .../public-web-static/spaceapid-config/ccchh-response.json | 2 +- config/hosts/public-web-static/spaceapid.nix | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/config/hosts/public-web-static/spaceapid-config/ccchh-response.json b/config/hosts/public-web-static/spaceapid-config/ccchh-response.json index 3127d20e..9a5793e2 100644 --- a/config/hosts/public-web-static/spaceapid-config/ccchh-response.json +++ b/config/hosts/public-web-static/spaceapid-config/ccchh-response.json @@ -4,7 +4,7 @@ "14" ], "space": "CCCHH", - "logo": "https://next.hamburg.ccc.de/images/logo.svg", + "logo": "https://hamburg.ccc.de/images/logo.svg", "ext_ccc": "erfa", "url": "https://hamburg.ccc.de/", "location": { diff --git a/config/hosts/public-web-static/spaceapid.nix b/config/hosts/public-web-static/spaceapid.nix index d2a25b65..86d40bbc 100644 --- a/config/hosts/public-web-static/spaceapid.nix +++ b/config/hosts/public-web-static/spaceapid.nix @@ -4,7 +4,7 @@ let spaceapidSrc = builtins.fetchGit { url = "https://git.hamburg.ccc.de/CCCHH/spaceapid.git"; ref = "main"; - rev = "bbeb0d0e2b4538faed275b9891fb55149bc3a2f8"; + rev = "17753f535c68157e80f30f50deb488133cc98258"; }; spaceapid = pkgs.buildGoModule rec { pname = "spaceapid"; From 856c4ac696a305dc11eac5d65a4011ebcc4440a7 Mon Sep 17 00:00:00 2001 
From: June Date: Mon, 22 Apr 2024 21:13:11 +0200 Subject: [PATCH 033/170] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nixos-generators': 'github:nix-community/nixos-generators/d942db8df8ee860556a38754f15b8d03bf7e6933?narHash=sha256-yYlxv1sg/TNl6hghjAe0ct%2B/p5PwXiT1mpuaExjhR88%3D' (2024-04-08) → 'github:nix-community/nixos-generators/722b512eb7e6915882f39fff0e4c9dd44f42b77e?narHash=sha256-3yh0nqI1avYUmmtqqTW3EVfwaLE%2B9ytRWxsA5aWtmyI%3D' (2024-04-22) • Updated input 'nixpkgs': 'github:nixos/nixpkgs/6ec8515bc79f396159a67b2ed8012b2e988d9dc6?narHash=sha256-x4RVSeo0qq099PEdCOGHrJ/mpUKIhTCJDTy4hI1U%2BGs%3D' (2024-04-14) → 'github:nixos/nixpkgs/d4df7c26d03e94dbdabbd350cb89c9565cae07bb?narHash=sha256-TFRzgAjRgwXpDucaPZfVz9mRyH2wGM6oYABe1q/20iI%3D' (2024-04-22) • Updated input 'nixpkgs-unstable': 'github:nixos/nixpkgs/bc59f72803cf40fb50f05cb73068d85b5ce21297?narHash=sha256-goBKZ4CKodTfkKaEGhpYOz545gnXmLfmn8gjiq7PLpU%3D' (2024-04-14) → 'github:nixos/nixpkgs/de52a47e961d45f6a8c7f9f086c60ff89ecdddaf?narHash=sha256-HLpr4EgxIRB1UJCpupvF%2BAi8pFa93BJh8anPJ68FwOI%3D' (2024-04-22) --- flake.lock | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/flake.lock b/flake.lock index 733defa0..02b98360 100644 --- a/flake.lock +++ b/flake.lock @@ -23,11 +23,11 @@ ] }, "locked": { - "lastModified": 1712537332, - "narHash": "sha256-yYlxv1sg/TNl6hghjAe0ct+/p5PwXiT1mpuaExjhR88=", + "lastModified": 1713783234, + "narHash": "sha256-3yh0nqI1avYUmmtqqTW3EVfwaLE+9ytRWxsA5aWtmyI=", "owner": "nix-community", "repo": "nixos-generators", - "rev": "d942db8df8ee860556a38754f15b8d03bf7e6933", + "rev": "722b512eb7e6915882f39fff0e4c9dd44f42b77e", "type": "github" }, "original": { 
@@ -38,11 +38,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1713088269, - "narHash": "sha256-x4RVSeo0qq099PEdCOGHrJ/mpUKIhTCJDTy4hI1U+Gs=", + "lastModified": 1713787398, + "narHash": "sha256-TFRzgAjRgwXpDucaPZfVz9mRyH2wGM6oYABe1q/20iI=", "owner": "nixos", "repo": "nixpkgs", - "rev": "6ec8515bc79f396159a67b2ed8012b2e988d9dc6", + "rev": "d4df7c26d03e94dbdabbd350cb89c9565cae07bb", "type": "github" }, "original": { @@ -54,11 +54,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1713064665, - "narHash": "sha256-goBKZ4CKodTfkKaEGhpYOz545gnXmLfmn8gjiq7PLpU=", + "lastModified": 1713761662, + "narHash": "sha256-HLpr4EgxIRB1UJCpupvF+Ai8pFa93BJh8anPJ68FwOI=", "owner": "nixos", "repo": "nixpkgs", - "rev": "bc59f72803cf40fb50f05cb73068d85b5ce21297", + "rev": "de52a47e961d45f6a8c7f9f086c60ff89ecdddaf", "type": "github" }, "original": { From 14bbdea9dcb6b708c9dbe0b8d81a62d5814a4d9f Mon Sep 17 00:00:00 2001 From: June Date: Tue, 23 Apr 2024 19:12:16 +0200 Subject: [PATCH 034/170] Add MPD to audio service module --- config/hosts/audio-hauptraum-kueche/audio.nix | 1 + config/hosts/audio-hauptraum-tafel/audio.nix | 1 + modules/services/audio/default.nix | 1 + modules/services/audio/mpd.nix | 33 +++++++++++++++++++ 4 files changed, 36 insertions(+) create mode 100644 modules/services/audio/mpd.nix diff --git a/config/hosts/audio-hauptraum-kueche/audio.nix b/config/hosts/audio-hauptraum-kueche/audio.nix index aa49f2f6..2a75d8a9 100644 --- a/config/hosts/audio-hauptraum-kueche/audio.nix +++ b/config/hosts/audio-hauptraum-kueche/audio.nix @@ -8,6 +8,7 @@ enable = true; name = "Audio Hauptraum Küche"; }; + services.mpd.musicDirectory = "smb://beamer:beamer@beamer.z9.ccchh.net/music"; users.users.chaos.extraGroups = [ "pipewire" ]; } diff --git a/config/hosts/audio-hauptraum-tafel/audio.nix b/config/hosts/audio-hauptraum-tafel/audio.nix index 33897205..f090fd9f 100644 --- a/config/hosts/audio-hauptraum-tafel/audio.nix +++ b/config/hosts/audio-hauptraum-tafel/audio.nix 
@@ -8,6 +8,7 @@ enable = true; name = "Audio Hauptraum Tafel"; }; + services.mpd.musicDirectory = "smb://beamer:beamer@beamer.z9.ccchh.net/music"; users.users.chaos.extraGroups = [ "pipewire" ]; } diff --git a/modules/services/audio/default.nix b/modules/services/audio/default.nix index 6e8a43b6..ccd75270 100644 --- a/modules/services/audio/default.nix +++ b/modules/services/audio/default.nix @@ -11,6 +11,7 @@ in { imports = [ ./librespot.nix + ./mpd.nix ./networking.nix ./pipewire.nix ./shairport-sync.nix diff --git a/modules/services/audio/mpd.nix b/modules/services/audio/mpd.nix new file mode 100644 index 00000000..30ce12ee --- /dev/null +++ b/modules/services/audio/mpd.nix @@ -0,0 +1,33 @@ +# Links & Resources: +# - https://mpd.readthedocs.io/en/stable/user.html + +{ config, pkgs, lib, ... }: + +with lib; + +let + + cfg = config.ccchh.services.audio; + +in + +{ + config = mkIf cfg.enable { + services.mpd = { + enable = true; + network.listenAddress = "any"; + extraConfig = '' + audio_output { + type "pipewire" + name "Pipewire" + } + ''; + }; + + users.users.mpd.extraGroups = [ "pipewire" ]; + + networking.firewall = { + allowedTCPPorts = [ 6600 ]; + }; + }; +} From c96486aa9107a74de3487a4a3fd20e95574665b4 Mon Sep 17 00:00:00 2001 From: June Date: Sat, 27 Apr 2024 23:28:31 +0200 Subject: [PATCH 035/170] Let MPD mix the audio itself to work around PW/WP restore bug jtbx discovered that MPD is using the Pipewire stream volume for volume control, but that when Pipewire/Wireplumber restores the stream volumes on restart, it wrongly assigns the MPD stream volume to the Shaireport Sync stream as well. Work around that bug by making MPD mix itself and not through Pipewire/Wireplumber. --- modules/services/audio/mpd.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/modules/services/audio/mpd.nix b/modules/services/audio/mpd.nix index 30ce12ee..4c149afd 100644 --- a/modules/services/audio/mpd.nix +++ b/modules/services/audio/mpd.nix 
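Review bot: `network.listenAddress = "any"` together with `allowedTCPPorts = [ 6600 ]` in mpd.nix exposes an unauthenticated MPD control socket on every interface of the host, so anyone who can reach the port can start, stop and change playback and read the playlist. If these boxes only sit on a trusted space network that is presumably intended, but it deserves a comment on the `listenAddress` line saying so, or a firewall rule limited to that interface via `networking.firewall.interfaces.<name>.allowedTCPPorts`. `with lib;` at file scope is discouraged in newer NixOS modules because it hides where `mkIf` comes from; `lib.mkIf` inline is the usual replacement.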
@@ -20,6 +20,7 @@ in audio_output { type "pipewire" name "Pipewire" + mixer_type "software" } ''; }; From c378fc64c6c122819ba385eb7357b1dc28b512f6 Mon Sep 17 00:00:00 2001 From: June Date: Sun, 28 Apr 2024 19:51:45 +0200 Subject: [PATCH 036/170] Deploy shairport-sync with more verbosity for easier debugging --- modules/services/audio/shairport-sync.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/services/audio/shairport-sync.nix b/modules/services/audio/shairport-sync.nix index adf59113..1f04862d 100644 --- a/modules/services/audio/shairport-sync.nix +++ b/modules/services/audio/shairport-sync.nix @@ -17,7 +17,7 @@ in config = mkIf cfg.enable { services.shairport-sync = { enable = true; - arguments = "-o pw"; + arguments = "-o pw -v"; }; users.users.shairport.extraGroups = [ "pipewire" ]; From 320f4afb4a748074581d480f81f9e8751bb41f61 Mon Sep 17 00:00:00 2001 From: June Date: Tue, 14 May 2024 03:46:01 +0200 Subject: [PATCH 037/170] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nixpkgs': 'github:nixos/nixpkgs/d4df7c26d03e94dbdabbd350cb89c9565cae07bb?narHash=sha256-TFRzgAjRgwXpDucaPZfVz9mRyH2wGM6oYABe1q/20iI%3D' (2024-04-22) → 'github:nixos/nixpkgs/8a4282c38b6cbea9f0989c0eafc6ce1837a26442?narHash=sha256-t1t39%2B9F0NSrUQQsvrQ0Ym/BfnOtjgXnJVn8daI3968%3D' (2024-05-13) • Updated input 'nixpkgs-unstable': 'github:nixos/nixpkgs/de52a47e961d45f6a8c7f9f086c60ff89ecdddaf?narHash=sha256-HLpr4EgxIRB1UJCpupvF%2BAi8pFa93BJh8anPJ68FwOI%3D' (2024-04-22) → 'github:nixos/nixpkgs/7ed944be63682d0c5bc37e66f3c997390d0bbd8e?narHash=sha256-ncgLV/zSzXGx8XXEM8QlovDftzzcV11MnLeRUL63Szw%3D' (2024-05-13) --- flake.lock | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/flake.lock b/flake.lock index 02b98360..77cd85be 100644 --- a/flake.lock +++ b/flake.lock 
@@ -38,11 +38,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1713787398, - "narHash": "sha256-TFRzgAjRgwXpDucaPZfVz9mRyH2wGM6oYABe1q/20iI=", + "lastModified": 1715615524, + "narHash": "sha256-t1t39+9F0NSrUQQsvrQ0Ym/BfnOtjgXnJVn8daI3968=", "owner": "nixos", "repo": "nixpkgs", - "rev": "d4df7c26d03e94dbdabbd350cb89c9565cae07bb", + "rev": "8a4282c38b6cbea9f0989c0eafc6ce1837a26442", "type": "github" }, "original": { @@ -54,11 +54,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1713761662, - "narHash": "sha256-HLpr4EgxIRB1UJCpupvF+Ai8pFa93BJh8anPJ68FwOI=", + "lastModified": 1715616897, + "narHash": "sha256-ncgLV/zSzXGx8XXEM8QlovDftzzcV11MnLeRUL63Szw=", "owner": "nixos", "repo": "nixpkgs", - "rev": "de52a47e961d45f6a8c7f9f086c60ff89ecdddaf", + "rev": "7ed944be63682d0c5bc37e66f3c997390d0bbd8e", "type": "github" }, "original": { From 475ab8cc6687a0e8c5e67671295eb2d9e48f5cd7 Mon Sep 17 00:00:00 2001 From: June Date: Fri, 17 May 2024 20:42:48 +0200 Subject: [PATCH 038/170] Configure EH22 Wiki --- config/hosts/eh22-wiki/configuration.nix | 7 + config/hosts/eh22-wiki/default.nix | 9 ++ config/hosts/eh22-wiki/dokuwiki.nix | 165 +++++++++++++++++++++++ config/hosts/eh22-wiki/networking.nix | 23 ++++ flake.nix | 14 ++ 5 files changed, 218 insertions(+) create mode 100644 config/hosts/eh22-wiki/configuration.nix create mode 100644 config/hosts/eh22-wiki/default.nix create mode 100644 config/hosts/eh22-wiki/dokuwiki.nix create mode 100644 config/hosts/eh22-wiki/networking.nix diff --git a/config/hosts/eh22-wiki/configuration.nix b/config/hosts/eh22-wiki/configuration.nix new file mode 100644 index 00000000..ff45e491 --- /dev/null +++ b/config/hosts/eh22-wiki/configuration.nix @@ -0,0 +1,7 @@ +{ ... }: + +{ + networking.hostName = "eh22-wiki"; + + system.stateVersion = "23.11"; +} diff --git a/config/hosts/eh22-wiki/default.nix b/config/hosts/eh22-wiki/default.nix new file mode 100644 index 00000000..2d90c6b1 --- /dev/null +++ b/config/hosts/eh22-wiki/default.nix 
@@ -0,0 +1,9 @@
+{ config, pkgs, ... }:
+
+{
+ imports = [
+ ./configuration.nix
+ ./dokuwiki.nix
+ ./networking.nix
+ ];
+}
diff --git a/config/hosts/eh22-wiki/dokuwiki.nix b/config/hosts/eh22-wiki/dokuwiki.nix
new file mode 100644
index 00000000..133e39ad
--- /dev/null
+++ b/config/hosts/eh22-wiki/dokuwiki.nix
@@ -0,0 +1,165 @@ +# Sources for this configuration: +# - https://www.dokuwiki.org/dokuwiki +# - https://www.dokuwiki.org/install +# - https://www.dokuwiki.org/requirements +# - https://www.dokuwiki.org/install:php +# - https://www.dokuwiki.org/security +# - https://www.dokuwiki.org/config:xsendfile +# - https://www.dokuwiki.org/install:nginx +# - https://www.dokuwiki.org/faq:uploadsize +# - https://nixos.wiki/wiki/Phpfpm +# - https://wiki.archlinux.org/title/Nginx#FastCGI +# - https://github.com/NixOS/nixpkgs/blob/84c0cb1471eee15e77ed97e7ae1e8cdae8835c61/nixos/modules/services/web-apps/dokuwiki.nix +# - https://git.hamburg.ccc.de/CCCHH/ansible-infra/src/commit/81c8bfe16b311d5bf4635947fa02dfb65aea7f91/playbooks/files/chaosknoten/configs/wiki/nginx/wiki.hamburg.ccc.de.conf +# - https://www.php.net/manual/en/install.fpm.php +# - https://www.php.net/manual/en/install.fpm.configuration.php + +{ config, pkgs, ... }: + +let + # This is also used for user and group names. + app = "dokuwiki"; + domain = "eh22.easterhegg.eu"; + dataDir = "/srv/www/${domain}"; +in { + systemd.tmpfiles.rules = [ + "d ${dataDir} 0755 ${app} ${app}" + ]; + + services.phpfpm.pools."${app}" = { + user = "${app}"; + group = "${app}"; + phpOptions = '' + short_open_tag = Off + open_basedir = + output_buffering = Off + output_handler = + zlib.output_compression = Off + implicit_flush = Off + allow_call_time_pass_reference = Off + max_execution_time = 30 + max_input_time = 60 + max_input_vars = 10000 + memory_limit = 128M + error_reporting = E_ALL & ~E_NOTICE + display_errors = Off + display_startup_errors = Off + log_errors = On + ; error_log should be handled by NixOS. + variables_order = "EGPCS" + register_argc_argv = Off + file_uploads = On + upload_max_filesize = 20M + post_max_size = 20M + session.use_cookies = 1 + ; Checked the default NixOS PHP extensions and the only one missing from + ; DokuWikis list of PHP extensions was bz2, so add that. + ; Checked with NixOS 23.11 on 2024-05-02. 
+ extension = ${pkgs.phpExtensions.bz2}/lib/php/extensions/bz2.so + ''; + extraConfig = '' + listen.owner = ${config.services.nginx.user}; + listen.group = ${config.services.nginx.group}; + pm = dynamic + pm.max_children = 32 + pm.start_servers = 2 + pm.min_spare_servers = 2 + pm.max_spare_servers = 4 + pm.max_requests = 500 + ''; + }; + + services.nginx = { + enable = true; + + virtualHosts."acme-${domain}" = { + default = true; + enableACME = true; + serverName = "${domain}"; + + listen = [ + { + addr = "0.0.0.0"; + port = 31820; + } + ]; + }; + + virtualHosts."${domain}" = { + default = true; + forceSSL = true; + useACMEHost = "${domain}"; + + listen = [ + { + addr = "0.0.0.0"; + port = 8443; + ssl = true; + proxyProtocol = true; + } + ]; + + root = "${dataDir}"; + + locations = { + "~ /(conf|bin|inc|vendor)/" = { + extraConfig = "deny all;"; + }; + + "~ /install.php" = { + extraConfig = "deny all;"; + }; + + "~ ^/data/" = { + extraConfig = "internal;"; + }; + + "~ ^/lib.*\.(js|css|gif|png|ico|jpg|jpeg)$" = { + extraConfig = "expires 31d;"; + }; + + "/" = { + index = "doku.php"; + extraConfig = "try_files $uri $uri/ @dokuwiki;"; + }; + + "@dokuwiki" = { + extraConfig = '' + # Rewrites "doku.php/" out of the URLs if the userwrite setting is + # set to .htaccess in the DokuWiki config page. 
+ rewrite ^/_media/(.*) /lib/exe/fetch.php?media=$1 last; + rewrite ^/_detail/(.*) /lib/exe/detail.php?media=$1 last; + rewrite ^/_export/([^/]+)/(.*) /doku.php?do=export_$1&id=$2 last; + rewrite ^/(.*) /doku.php?id=$1&$args last; + ''; + }; + + "~ \\.php$" = { + extraConfig = '' + try_files $uri $uri/ /doku.php; + include ${config.services.nginx.package}/conf/fastcgi_params; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + fastcgi_param REDIRECT_STATUS 200; + fastcgi_pass unix:${config.services.phpfpm.pools."${app}".socket}; + ''; + }; + }; + + extraConfig = '' + # Set maximum file upload size to 20MB (same as upload_max_filesize and + # post_max_size in the phpOptions). + client_max_body_size 20M; + client_body_buffer_size 128k; + ''; + }; + }; + + networking.firewall.allowedTCPPorts = [ 8443 31820 ]; + networking.firewall.allowedUDPPorts = [ 8443 ]; + + users.users."${app}" = { + isSystemUser = true; + group = "${app}"; + }; + users.groups."${app}" = { }; +} diff --git a/config/hosts/eh22-wiki/networking.nix b/config/hosts/eh22-wiki/networking.nix new file mode 100644 index 00000000..44d478ac --- /dev/null +++ b/config/hosts/eh22-wiki/networking.nix @@ -0,0 +1,23 @@ +# Sources for this configuration: +# - https://nixos.wiki/wiki/Networking + +{ ... }: + +{ + networking.interfaces.net0 = { + ipv4.addresses = [ + { + address = "172.31.17.156"; + prefixLength = 25; + } + ]; + }; + networking.defaultGateway = "172.31.17.129"; + networking.nameservers = [ "212.12.50.158" "192.76.134.90" ]; + networking.search = [ "hamburg.ccc.de" ]; + + systemd.network.links."10-net0" = { + matchConfig.MACAddress = "BC:24:11:37:F0:AB"; + linkConfig.Name = "net0"; + }; +} diff --git a/flake.nix b/flake.nix index 5360d1f1..d7d7fc94 100644 --- a/flake.nix +++ b/flake.nix 
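Review bot: The protective locations in `locations` may not be evaluated in the order they are written, because as far as I can tell the NixOS nginx module emits locations of equal `priority` sorted by attribute name, which puts `"~ \\.php$"` before `"~ ^/data/"`; nginx takes the first matching regex location, so a request for a `.php` path below `/data/` would be handed to PHP-FPM instead of being refused by `internal;` (inferred from the module's generation code — worth checking in the generated nginx.conf). Giving the deny/internal locations an explicit lower priority, e.g. `priority = 900;` inside each of `"~ /(conf|bin|inc|vendor)/"`, `"~ /install.php"` and `"~ ^/data/"`, pins them ahead of the PHP handler independent of name ordering. Two smaller points in the same hunk: `"~ ^/lib.*\.(js|css|gif|png|ico|jpg|jpeg)$"` uses a single backslash, which a Nix double-quoted string reduces to a bare `.`, while the PHP location correctly writes `\\.`; and `networking.firewall.allowedUDPPorts = [ 8443 ];` opens a UDP port nothing in this file listens on, since no HTTP/3 listener is configured.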
@@ -211,6 +211,20 @@ ./config/hosts/ptouch-print-server ]; }; + + eh22-wiki = { + deployment = { + targetHost = "eh22-wiki-intern.hamburg.ccc.de"; + targetPort = 22; + targetUser = "colmena-deploy"; + tags = [ "chaosknoten" ]; + }; + imports = [ + ./config/common + ./config/proxmox-vm + ./config/hosts/eh22-wiki + ]; + }; }; packages.x86_64-linux = { From ca816ba50bec6d701c81355e5e958d086bfa51ef Mon Sep 17 00:00:00 2001 From: June Date: Thu, 23 May 2024 21:25:22 +0200 Subject: [PATCH 039/170] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nixos-generators': 'github:nix-community/nixos-generators/722b512eb7e6915882f39fff0e4c9dd44f42b77e?narHash=sha256-3yh0nqI1avYUmmtqqTW3EVfwaLE%2B9ytRWxsA5aWtmyI%3D' (2024-04-22) → 'github:nix-community/nixos-generators/d14b286322c7f4f897ca4b1726ce38cb68596c94?narHash=sha256-iqQa3omRcHGpWb1ds75jS9ruA5R39FTmAkeR3J%2Bve1w%3D' (2024-05-20) • Updated input 'nixpkgs': 'github:nixos/nixpkgs/8a4282c38b6cbea9f0989c0eafc6ce1837a26442?narHash=sha256-t1t39%2B9F0NSrUQQsvrQ0Ym/BfnOtjgXnJVn8daI3968%3D' (2024-05-13) → 'github:nixos/nixpkgs/dff68ababdd2c2616d03f26546ba632f5f09d3c6?narHash=sha256-e4pjcLqe1Dexz7enk/%2Bui0aVdcoSiWnrTGjk7KLtAPw%3D' (2024-05-22) • Updated input 'nixpkgs-unstable': 'github:nixos/nixpkgs/7ed944be63682d0c5bc37e66f3c997390d0bbd8e?narHash=sha256-ncgLV/zSzXGx8XXEM8QlovDftzzcV11MnLeRUL63Szw%3D' (2024-05-13) → 'github:nixos/nixpkgs/2ee89d5a0167a8aa0f2a5615d2b8aefb1f299cd4?narHash=sha256-2eh7rYxQOntkUjFXtlPH7lBuUDd4isu/YHRjNJW7u1Q%3D' (2024-05-23) --- flake.lock | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/flake.lock b/flake.lock index 77cd85be..be7c1a65 100644 --- a/flake.lock +++ b/flake.lock 
@@ -23,11 +23,11 @@ ] }, "locked": { - "lastModified": 1713783234, - "narHash": "sha256-3yh0nqI1avYUmmtqqTW3EVfwaLE+9ytRWxsA5aWtmyI=", + "lastModified": 1716210724, + "narHash": "sha256-iqQa3omRcHGpWb1ds75jS9ruA5R39FTmAkeR3J+ve1w=", "owner": "nix-community", "repo": "nixos-generators", - "rev": "722b512eb7e6915882f39fff0e4c9dd44f42b77e", + "rev": "d14b286322c7f4f897ca4b1726ce38cb68596c94", "type": "github" }, "original": { @@ -38,11 +38,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1715615524, - "narHash": "sha256-t1t39+9F0NSrUQQsvrQ0Ym/BfnOtjgXnJVn8daI3968=", + "lastModified": 1716408408, + "narHash": "sha256-e4pjcLqe1Dexz7enk/+ui0aVdcoSiWnrTGjk7KLtAPw=", "owner": "nixos", "repo": "nixpkgs", - "rev": "8a4282c38b6cbea9f0989c0eafc6ce1837a26442", + "rev": "dff68ababdd2c2616d03f26546ba632f5f09d3c6", "type": "github" }, "original": { @@ -54,11 +54,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1715616897, - "narHash": "sha256-ncgLV/zSzXGx8XXEM8QlovDftzzcV11MnLeRUL63Szw=", + "lastModified": 1716479278, + "narHash": "sha256-2eh7rYxQOntkUjFXtlPH7lBuUDd4isu/YHRjNJW7u1Q=", "owner": "nixos", "repo": "nixpkgs", - "rev": "7ed944be63682d0c5bc37e66f3c997390d0bbd8e", + "rev": "2ee89d5a0167a8aa0f2a5615d2b8aefb1f299cd4", "type": "github" }, "original": { From eab352303329fbe56e84763679f1f9e45cbe28c0 Mon Sep 17 00:00:00 2001 From: June Date: Thu, 23 May 2024 22:25:32 +0200 Subject: [PATCH 040/170] Make MPD be put into pause mode instead of start. playback after startup --- modules/services/audio/mpd.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/modules/services/audio/mpd.nix b/modules/services/audio/mpd.nix index 4c149afd..048e9798 100644 --- a/modules/services/audio/mpd.nix +++ b/modules/services/audio/mpd.nix @@ -22,6 +22,7 @@ in name "Pipewire" mixer_type "software" } + restore_paused "yes" ''; }; From 88e3da11a6d344567002accbdb99ce57c7e8fdc9 Mon Sep 17 00:00:00 2001 
From: June Date: Sat, 25 May 2024 16:47:34 +0200 Subject: [PATCH 041/170] Introduce sops and sops-nix for secret management Use the GPG keys used for the password-store noc directory for the admin keys. Switch the git hosts secret management from colmena to sops-nix. https://github.com/getsops/sops https://github.com/Mic92/sops-nix --- .sops.yaml | 46 +++++++ config/hosts/git/default.nix | 1 + config/hosts/git/forgejo.nix | 16 +-- config/hosts/git/secrets.yaml | 233 ++++++++++++++++++++++++++++++++++ config/hosts/git/sops.nix | 7 + flake.lock | 40 +++++- flake.nix | 10 +- 7 files changed, 341 insertions(+), 12 deletions(-) create mode 100644 .sops.yaml create mode 100644 config/hosts/git/secrets.yaml create mode 100644 config/hosts/git/sops.nix diff --git a/.sops.yaml b/.sops.yaml new file mode 100644 index 00000000..26086a97 --- /dev/null +++ b/.sops.yaml 
@@ -0,0 +1,46 @@ +keys: + - &admin_gpg_djerun EF643F59E008414882232C78FFA8331EEB7D6B70 + - &admin_gpg_stb F155144FC925A1BEA1F8A2C59A2A4CD59BFDC5EC + - &admin_gpg_jtbx 18DFCE01456DAB52EA38A6584EDC64F35FA1D6A5 + - &admin_gpg_yuri 87AB00D45D37C9E9167B5A5A333448678B60E505 + - &admin_gpg_june 91213ABAA73B0B73D3C02B5B4E5F372D17BBE67C + - &admin_gpg_haegar F38C9D4228FC6F674E322D9C3326D914EB9B8F55 + - &admin_gpg_dario 5DA93D5C9D7320E1BD3522C79C78172B3551C9FD + - &admin_gpg_echtnurich 8996B62CBD159DCADD3B6DC08BB33A8ABCF7BC4A + - &admin_gpg_max 9DFA033E3DAEBAD7FDD71B056C7AAA54BE05F7BA + - &admin_gpg_c6ristian B71138A6A8964A3C3B8899857B4F70C356765BAB + - &admin_gpg_dante 3D70F61E07F64EC4E4EF417BEFCD9D20F58784EF + - &host_age_git age18zaq9xg9nhqyl8g7mvrqhsx4qstay5l9cekq2g80vx4920pswdfqpeafd7 +creation_rules: + - path_regex: config/hosts/git/.* + key_groups: + - pgp: + - *admin_gpg_djerun + - *admin_gpg_stb + - *admin_gpg_jtbx + - *admin_gpg_yuri + - *admin_gpg_june + - *admin_gpg_haegar + - *admin_gpg_dario + - *admin_gpg_echtnurich + - *admin_gpg_max + - *admin_gpg_c6ristian + - *admin_gpg_dante + age: + - *host_age_git + - key_groups: + - pgp: + - *admin_gpg_djerun + - *admin_gpg_stb + - *admin_gpg_jtbx + - *admin_gpg_yuri + - *admin_gpg_june + - *admin_gpg_haegar + - *admin_gpg_dario + - *admin_gpg_echtnurich + - *admin_gpg_max + - *admin_gpg_c6ristian + - *admin_gpg_dante +stores: + yaml: + indent: 2 diff --git a/config/hosts/git/default.nix b/config/hosts/git/default.nix index 0f4664e4..d3494e6d 100644 --- a/config/hosts/git/default.nix +++ b/config/hosts/git/default.nix @@ -8,5 +8,6 @@ ./nginx.nix ./opensearch.nix ./redis.nix + ./sops.nix ]; } diff --git a/config/hosts/git/forgejo.nix b/config/hosts/git/forgejo.nix index 103881c8..ced70db7 100644 --- a/config/hosts/git/forgejo.nix +++ b/config/hosts/git/forgejo.nix 
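Review bot: The second `creation_rules` entry has no `path_regex`, so it silently acts as the fallback for every path not matching `config/hosts/git/.*`, and it carries no host age recipient; a secrets file created for a new host before its own rule is added would encrypt without complaint yet be undecryptable on that host, which only shows up at activation time. A one-line comment above that entry would make the intent explicit, e.g. `# Fallback for paths without a host-specific rule: admin PGP keys only, no host can decrypt.`.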
@@ -14,7 +14,7 @@ enable = true; package = pkgs-unstable.forgejo; database.type = "postgres"; - mailerPasswordFile = "/secrets/forgejo-git-smtp-password.secret"; + mailerPasswordFile = "/run/secrets/forgejo_git_smtp_password"; settings = { DEFAULT = { @@ -77,14 +77,10 @@ }; }; - deployment.keys = { - "forgejo-git-smtp-password.secret" = { - keyCommand = [ "pass" "noc/vm-secrets/chaosknoten/git/smtp_password" ]; - destDir = "/secrets"; - user = "forgejo"; - group = "forgejo"; - permissions = "0640"; - uploadAt = "pre-activation"; - }; + sops.secrets."forgejo_git_smtp_password" = { + mode = "0440"; + owner = "forgejo"; + group = "forgejo"; + restartUnits = [ "forgejo.service" ]; }; } diff --git a/config/hosts/git/secrets.yaml b/config/hosts/git/secrets.yaml new file mode 100644 index 00000000..85e2ccd0 --- /dev/null +++ b/config/hosts/git/secrets.yaml 
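Review bot: `mailerPasswordFile = "/run/secrets/forgejo_git_smtp_password";` hard-codes the location sops-nix happens to materialise the secret at, while the `sops.secrets."forgejo_git_smtp_password"` declaration in the second hunk of this file is the authoritative definition; referencing `config.sops.secrets."forgejo_git_smtp_password".path` instead keeps the two in step if the secret is renamed or the sops-nix target directory changes (this assumes `config` is among the module's arguments, which are outside the hunk). The same hard-coded `/run/secrets/...` pattern recurs with `tokenFile` in `config/hosts/forgejo-actions-runner/forgejo-actions-runner.nix` in the following commit. The tightening from the colmena key's `0640` to `mode = "0440"` is fine, since nothing needs to write the file.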
@@ -0,0 +1,233 @@ +forgejo_git_smtp_password: ENC[AES256_GCM,data:ZRj5GpQKRlTxdu5CfbJirRGAKPCLAIG1F0V5USz5m5D49V3lu5uLomxHapmEwb0yYoE7e7ZLYK4VQUoQgpUnSw==,iv:K7+9E2gi8cdYu0lX/HgWitLxnxARywIwh5glEL0uOsM=,tag:s9UC8e+E5E3vM6cTKW7Vqw==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age18zaq9xg9nhqyl8g7mvrqhsx4qstay5l9cekq2g80vx4920pswdfqpeafd7 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2ZFhrMlF1YnV6bHlJZFp1 + SExjNXk0aTE3U2pBd0lHODlkZW9La1M2cHhjCjd1VTdKWkE2ZWxoMWFjREsvLzdS + K3lSSkRMZ3lLZ0tSaDZMRkt4MXBMeXcKLS0tIDFlVjNXcktpbHdJc2hraGNrNGJh + UHlJWFN4NW1tNWFCU2EyNjkveXZML3cKrKk1w3IBAgdmicuFyGOaU26fwpULAcy9 + eZPlcbRPUPHoRhy9GhNTAcXXDQzimKL39XZGAd0U29Kt9AvWAf8Qpg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-05-25T14:17:29Z" + mac: ENC[AES256_GCM,data:JeqYsVtogbB4oMWNEpLsF6zxsgUoAt7UzRUL2JzxDUtXDUndW/AxJxVxQaipYvblA3q2MzRyQN+j9khavlL02DR/ANtZFLQmH3OREV7M9eHmeeCa4Lm5D7gFYmqWkULJ7yEJsKz5AaiJTWlWgCcBITB901H3Z12dsz2a1+4WrUc=,iv:5Xm5Rjw8PS7hkTcRD1kj5XS5uiOgsPwXYeaMqUReB7E=,tag:2Y5R1/Why1TQd+ZYTF0qDA==,type:str] + pgp: + - created_at: "2024-05-25T14:42:41Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAxK/JaB2/SdtAQ/+Pw0v8i3ZGw4QNjAu9NX6ZJ5hvBHJgtcOWch3ZHlIAuxs + rNoPYhuKaYZL6QJcPTjP8AHVkFIEp+mVbXnsS3PCNUxPnwBS3DfAk+b9OmIJ5U8i + H0VYv4FpdAblyq59GPYx5cBaKUxAagATqlYmMh8b530DYBGcoAHPtzhCaZj+aJI9 + ybakmmNfSqtdhJoWwRaRekqhbZ++wmS7axeefawuicXpdlNxhypEMKBUpGA847cH + lI4hw1/+KvyN/BT1q66vQanYpM8NNFLyyamT6HeBxQ1lP6gfb/T0a805qnaCXaZY + z2Ui6XJL/lbUWzG/0xnSJIFiQc7hIqMGIz+EHyYep5NBu/hiIUK1RpIFL4ClEOh3 + kfVlWC16ys3fGHlFOTTBc3yJPGtyPjd5lGGfFmawwnegPH2wdNIt5tjrA7+vwKRE + f+RFNzvfc11o8rhGnbGd4ZGNgexuhxVaRGDSNqO0aixprSurcOa21Z1U76tvnJGq + IoeFtZf5KutqqLIyLoK0JM0YkSb92S/BHkIKpUO9fsKLRdQdnvm++8NRLJ/jXLVz + lZZnLxMC7QvKMyxE7J8GKye7nQa6S6CkEcqUsgXSMaxB3GMe9MiGWS9nqh16tHDX + p9YR9FVj8BUKWsTbIPKkomIaoxhRJvW6cakVcM7RG0rySVjGxrc2oAvYgjpVmmDU + 
aAEJAhAxPM/qlV+JghqnmnjP9Kn6KTIvGV2NGvX5YbY4k/NgL/sZ7VLsGZldemiu + 1ogKtLzjRnvtruPhXBXPv3Ivw+a4ie7YBPsyyyh4RFfnZq7abAwBVDZDVXPA2GUS + 9JOUdkYe2Q1T + =1km6 + -----END PGP MESSAGE----- + fp: EF643F59E008414882232C78FFA8331EEB7D6B70 + - created_at: "2024-05-25T14:42:41Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA6EyPtWBEI+2ARAAiyKB1LVhFUxkC/bKs7TmtXGbA+2xWwrtt9gUACD+GNlT + P0jQJ4N7x0xpvgo+ELNx4Owq4EXFYH8bI27zUxW9FmJu672uFVIpud4nZX+2AfFs + +Iy7VBp95kfS77Mc9VClJTJEaLMZOvciqlY58p1FB6C4pNwOuEhMvZ7athLVLlEz + hOrKkJAAtnjWXOFLBkq7BKCBVsxSLOUXMBgmK1Fr4dTJPifiXIIbO2BdNXanzMpv + 8ANtENZ4JpqBHDW/DGoACkAh/hqu8p4B4TBC3L7szvFktsxy93w3i59CDXUroKXO + cG//41R5OH/EguctfO84qUWCe+eqA2D2ZuWIqSD6Aa4izQE+aTl+WDx/oxKuQcJB + UgKiLm/HXI7w1Zp7v2oRUt4BFr2EXHicsEkV+ztCGDMMPw0zBA3EE4fMFDmM9BXh + Y6bOT1cV/TQ1IgWvH6gMe4qdJscqYEfNMJNl6kZzylUSLBxK0YAfqxSnvV6lZ2D7 + 82KLl0TRZOiCWO0EMcRuN2L8AasrO4PaBGI/kbU2dCr8q4ku3qTjW7b77d6pVW29 + Gh2eV+goXcdnk9tJt4hPcmz3vYIFJL8Pbmy5mSO0BetFdFVFnIhBuQzrXwe+Iq7z + nQ2L1eeDT0WI4PMEIz+YM0QVCMM52d0fK+JeiVz8H/bO7NcPCYTylcK68BA6QaLS + XgEP7Vp6aB2qQPbLYI1CfNrjiHLyCHXBJwyWGR3sSFB6LmvHsfx3tsHWdKxyrz3E + 9AM9WvP+taIpK0F7OjDBcadaMo3Bzl74WVEtznaEmu9Vex7HxNXIMXXBHMj5RAU= + =CbYz + -----END PGP MESSAGE----- + fp: F155144FC925A1BEA1F8A2C59A2A4CD59BFDC5EC + - created_at: "2024-05-25T14:42:41Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAz5uSgHG2iMJAQ//RSjkwW/PxItmHjB0luZ8pP6sMP5iTrgvwie04F3y1gu6 + mIdAvh8QgCn/5Q/IqKZo7zdUzTQhyuq03DNUzuKyB/Sel6klohnW0QXes8Jt3vUe + W9bFFmIaFTk4mDc/tD5Vleph0ruNMXHlQRO4ia5wcYpVw0LtT3pKM5XApNl/9UKT + UFZ9/Fvad2a/p277Ai/N5dPUwM535s8H3Kkz473BvoS4Az7cjVnyxKHhguNQH9pw + n6hgXEjvyzDrzWvJwrX1T84KvCsPh0idAA9W5YfMU/4loL4RJUqvjkUvn2ErsPrl + gNoPTRY+BiivW2HV2uWRkiOyKTwVLdgs/oawZX7LB4aIaI9b5y8rcmHV4fKP8OEh + 3q7LB5HU1peGmd6agwu1/ejbIc3+4WytVfoqHDI7MJ7jPE3iyfAxaZm1x5PFbVhA + 7zmYs6tXs891l3ZJps84I/S1uSHjxJbMuGh954RHMmPHCrnLosS8yeNLEO2AHpQi + m2FFxbXCRFx7Xd8SvW2lAaKfeU+x36yUYCf7APaQeb59QLTnustIle6i4XQl070m + 
7GK/Hj2uanq6TEhAKWJlyVAucw4gruCfrjC7extPyY4pC4yXVUpM0jqJO37yCw+F + k64syU8yhR6whTmOPA/c2JsYoGKbV22NYRj6WIK9cIyiL34ellZVO9Ccsz6QGgHS + XgHve1EpLmsR1h1OKCKyUJNnNjvOnehZwyjCFwqT/DrIS1NUgoOaFr7As50YMfhU + ymMhQyDGYjjMHdmGoqmgPMOrJf/MJIECdzx/K/0e+eKM1RsC5XpwZnwKme+cVJc= + =5GW+ + -----END PGP MESSAGE----- + fp: 18DFCE01456DAB52EA38A6584EDC64F35FA1D6A5 + - created_at: "2024-05-25T14:42:41Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAw5vwmoEJHQ1AQ//djObFBa/PnDRF/Q9ngtQy6VmuyUfErLqj9x1OOojB0g6 + yMCvqH9zrN4JT82rb2xqvjbqEtZGq/35B2GccMXBifJy5JQj3SHOyTEPuoVr+yVK + 4fzZ9k6vEUYl7FicEZABud8uasfoIGC/jn7EpYgP4v49RtXsESF0aTCnrcwqg03E + /cVJW4ovtIQM6UiE/BQPIdbUNPgVrwbDSxilNQrShvJvu3jVfCkdXuyOqlhF/lnH + weR/P1dNRhtNzZKLFYHNJRiJA3RuS+h2BFxG1pKhBfMfI/s46g74GkP/R+SEX3o1 + l83P18t0br2pqqEE/qGHeLQ8PvEsTVHzxAzX8Qgx6qJQQfCDm2jDb6FlsxX6HT0y + TC3leI5q0u1A7Oj6nEl7p70/NjW2+W+cXWw4hmwMMnV0xNXsOBBDqk3sA9rJ8Mwx + oO6CuLqsWMsO0jGWptLebIzGnwMvaSWMGTMRgweW4gKNzcmiOXUrv5OT4ImJxgwt + 7rFFPGcrVWUzBdGtTquLryAN1Gf1Co59ndG2SS0LKxVnY1sYspwd1FINpJA6x+99 + kX4zJlK5qA8wcqkgj5WhTTXIQGLKD+R58pGjizEJzDt4aMB536uZa86ntP4bd1/5 + Q4zjzwF0aIMWX9FdaCilFMjWjT+iMOl6m2dI3EBcUuTzqL8JTKbBxQ9z+Hc+yELS + XgHe79QN5IUbyoH/Fi7jNA7XEUwI6WIrhZ8TWF4nS3HgZkVfsZ/oK1DFBdVcZ5Zd + /rJaKqgeQLCxoRFroI1vZYsBRKInRs+7yziK8YtbFhmX0azW5G0NiUtsYXBOguU= + =YSsr + -----END PGP MESSAGE----- + fp: 87AB00D45D37C9E9167B5A5A333448678B60E505 + - created_at: "2024-05-25T14:42:41Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA4HMJd/cQYrVAQ//byQSYLjXciKE2ryqYXiz3/OgDd0pIVr9HZLlxwUFJFMR + DLuxWPK+SxUj6F81mi4A9xq9CmTa3jMEVkGgblvjGoWjtEKKgJrdllMCvo5Q/Gcu + CLbMPXGfs/eDEjqEbX1rAdzR31TcFl9FI6bGUIXxGE21DeLIDCgInl5gNzVL+Ser + M5OAxpQCqe23wUMPya16XTzpaxug+mertfyOxC3XUk2A23y/8gey0pjAnaDTPIhD + q35ni2gA1eigiitJv2IWxIfbZ7rFuwmb9qi+vpBeqMTNLBBbhKgbSg4PUl6usFeC + 65uRvNJOeMeXfwpPgMlphtz7pABg4ihW7tusVe//Utrph7QJs8bsiokXA/RYtTQO + uMK8oYdre9c4FboINGL4hznzUi02ZRiMh2Hf+V4cf4VK+YoBKsRYfO79lHytFHPF + 
6XCv9hh6qLuzTCHlUrAfOYbXbduS5mMLcfX6OYay4lYTEpx3dKBZz34wtg3TtMpP + eDuafUXNOfpx/E+4ZtB5X8Y99ax+3resPv9IQMTNOHQJ/vPa4JT8Avkrv/q4wIsJ + yMOixzR2bIPjetZbY4ykOwJxL2b0F/Bm5yu0rVHQp9+lYqrypjAzt5vhbdAMkDZD + CPxhEU/Kq7DC4fSE6ysTGEBBW+s4i7lwqvfds6RqHbQXL/0jginU4zSxZuZ26xvS + XgFinTWqnia1WkhfAZsH+UobDK92lKDiQRtM/xhWkNCB/WZQB4Q4EpJJeXIidTse + xQpG0tREIIuS75dJ6nD+Kh2CkOnalSVVvb3VVN8Ft9PEPLf76mE+x9Zk4Mu0vOc= + =BDOC + -----END PGP MESSAGE----- + fp: 91213ABAA73B0B73D3C02B5B4E5F372D17BBE67C + - created_at: "2024-05-25T14:42:41Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAxjNhCKPP69fAQ/+P1WAWxpVnCVQpoHmEFNnK8x1ZeDN9IyYvFFpFRbRJ4f5 + naL0ROxP/E19LGtD/bGbdBfVU4nNXdiXbGYtAlvAybAky9/8a8AJ97n2KVULR3xX + JnsXIjavi57MB3ty+Nop4Fgmv4p4AAsPOzDQtc07Uj5xzxrK9ARtv7w7UyJooOiG + Sp692SFChyskAjTVHWU9WKomqsqZY7XvbHJPQT6Y+wUbAjx9iAhpv0CEJcxX/irF + D3SkUD1tCJ0NHlzCZ0ORLdhDos+FNCASbhYZiCyUJn1mBfW6PcHmNevzaqSQQaoM + hd3vOxx5MFO81K3GtE/r1RA0waY/7knBHk0cBuscBOLhs6MC6i6mMfY711WoiOTj + Y9xCjAIYdOeK22fceg0Wk/FMtivFbgddpk+jOrAR6Wh6n2qJZDJFdxFpcaSF2fHj + dBZuJ/q5vRedjdLYFnL2uTejAKkQLthqL3F4m2Fzyr5wk80eGRYqQHDtSlwagVLD + ZoTLCtGp8qnSLF6Z+nnS9lmsf+X0286wAmRtxHsrTTGm2CDhBmvQjNeq086Bdhp4 + z6S3WlgX5oMbTS3hD0BIr4euKIUT3CZcbyXzicuS4iwYOq1iaQEMGvXJ2TKkaOsI + 9W2CPSySkIzp/z5Cpet4Z2JFBcO4QwgCvScm3yK53ZXkRoSwkUWBiWUO8GihgWzS + XgEGOQGCaBNxYr/B1ePYUTxZG7gz3qe3QzzrYebHUmYlEFcC1BkyD0CfWZy59oM6 + mHL30p7LuuoQbO0VocvsnxR8ObQhXsncc+EyZx03zyeDSIbOFqs1sSQ/w+K1708= + =dnme + -----END PGP MESSAGE----- + fp: F38C9D4228FC6F674E322D9C3326D914EB9B8F55 + - created_at: "2024-05-25T14:42:41Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA1Hthzn+T1OoAQ/+IDsMHXF8Xpm7Mz8EuZ6OjINDfe1aVJqkq6dislIuniSn + z62K3gIlYKVCkPC4uQ5KAQBC6mCv/IYmy82OFmexeaHO1uYhLiM5z+5efxkbChK6 + jxKYudsVe0l0vd7JpJVCO+GSw/jelALUhwtrr/A5URNQ+fQZrTAd5SE9bFEFf0P7 + exTBlw6Cus5671R+s7G7OGbKgx47Kf4CDzMizYruRBvjwDPkKOAPAGnoNApjl598 + m2uR4PmlqUJ0z/aFcBtcs1au05vGmVvckSMz8BiqpGsmlbZEVIQRiXqsZ5A7X88B + 
D6Nx0nb0t4WM1EV1UUbSLPFwwcVkOSHHfs8SGk3gaStCNWunkrPGQStUFBmU1TpL + 2exHEKopll2gQ+XKfvE+mPF0cqd8dq2SfZpLZgp80pKieuHXN/DJhEHoBSELixDe + zRXB5/s6Gr2Hlgd3lfp910UndiycP5ROJZbEwJ6O0x8QRxeIqbpk4eXiIK/4lxiK + ENepdeFSk8/DS/yEMc4M1kWxxm0rkQO/dxn3SvYV49eNFvkRMWkWimMrSbaIUKNM + k8KSLYr6JuoKP0v3NZHGcBZUGd8KuDi8R0A9KZtqz0pHyRIh/Ox+to+Gmlw7EP0r + ARPQOBQBUjcxqW6BRJ31onE24AxZN0b3pAAPMt7Z7KXmveHGGqolU1peZfeATKrS + XgHJDBQkCm1SOX89yw0O0DVZ43z0b9UqyP157R4JgdyEleNsMbPl+KDPCPx6vAnm + iGrsjpWeKMwA3s2biSYUb8T00KD48vH1nidc+XEjfQ/fBDJIsR8Ku7YMZtzKmNY= + =xEYv + -----END PGP MESSAGE----- + fp: 5DA93D5C9D7320E1BD3522C79C78172B3551C9FD + - created_at: "2024-05-25T14:42:41Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA46L6MuPqfJqARAAkAuIMiq8rw37IFlLlVv1tzQbGMmWjNhQndBAlwA/dAaf + zk8dNuKA8wlmAFv6uwbmfOzvdiwunoYq8cgIRdaP7ieNPRppHIm+pbojWKOvXoZZ + 6b2+ILacE6JBHpk5o+KbrILrnn1ciyfhGq6CX9gCi9+vvQkZk3+WexgaHEOfFL6x + zCp5jVEIbVeDMZIxVbDDVHMiXBy2qmpYrSDMnky05/szu9BBJodcsqZFAqgumVf2 + kBFFvnzdhJgKWBfJ2H2CfVOWx3CUhLXidqJyFgzs338aGhSNO4jGKvOn1Yx/PLlg + LSRphptnmzM83BS4ev9/ejvYiWbxorKSBTPZBqehpKFtPdNNUqbWMpq/lmAn3yLu + S+yAVAklCHSDtKEdS9YHAFqycgxvj1VNxLx1DI2mNPyUBoOgzfdD1NiUDQp2s3j4 + EX8EsH1+b1eKk93751yLKMaSfLjU6lnd2d/h++WIt5tDx71XvIJ91yV3NJVr2wIo + MVIUJFh16+zQOWvc6rKCQh8U5cu3AVcB8EfoRrn5fCNh6tu7Aw/fHxz/l/U0vzId + cWFZCYFrg4i3T5w3U+ZV5kgoMQaRDh6T8yVXZQTzKSi5qAQW/qeGn6h2zHWARznC + J3IJ6M9pX6zibz1ao9oc0ePhU3Vy2vNFdFcpGgLe3gl10BM7GbU7rrmAlHFgG4nS + XgHhWFZtUAcYwEuhuOVDfmN4J/QNWlzl20RML92pf0UNCx1VHrStAbA64MqyvE4V + Dgallu5Dr+u5SHLgAaNj9HfgAGuDLPCXGrCoYK8KLUR8fIYwkuO13FN2A0YnHOY= + =IKCU + -----END PGP MESSAGE----- + fp: 8996B62CBD159DCADD3B6DC08BB33A8ABCF7BC4A + - created_at: "2024-05-25T14:42:41Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA4EEKdYEzV0pARAAomxJSaPmNrFFIiqfWzwdemWBUK4oujqRSvfRmnK3fg7s + p+Q/eV8/jYqxPk1q/P9thQSu9gq3OXLkgT2TlMwcsFBG1+xnksu3Xcqr47ON7N9H + J5K6a0KPX07O9fuP6VZtn4cDatLq6ag7RYLp2D7v68eRMi1Kyc3W3mZyz2AlbrUO + 
7T/tOqQzD1Zb/vwIy0Vfn8w2KMCPBi3TxlfSdohPsZWehrIAAKZHDRp2931iKPXQ + 0gDwjTd0sEdXwi+sfXxq00988R4uXIjJhBd+ZFOxIHg9yEcXSW02eUauVwETuLzv + 2ohAB/LOKQx59mVyE9gFxtMM7oo3vb5zWcnX9pHG+N0UE/RU2C+aR8a3KCOtysk9 + cHwBLT6Iv3zijeJCeKG7IvSgsp/WW71rqDZCMphs5cFZdzEola+lRXNPIpz6YJ/t + qyTFbu4BG76LZyRRTg+i35NhS/GiQCUMyZoUxW0mLgjDsbYS55FQdFP3xaH5BaPg + 81UrfF3hV1Vrwe6DHbSEYe3qutk3p4NMruHvIIJJLwimIe3i6+MP3/N+ACLV1wBl + caNH/e7H4KStDwuNFb3BjXEXHBLPgnnbdkTSTHZFtmEA0o2avrM/EzVDvvVxTCT2 + e9pbfNCAoXCNo6nstaWRPKjwP8u5HN7RCxjufpZnySt0H/5Ux4qy2v/01i7OARrS + XgE58F0/szyLPmsigEpWhFPIunfIF6esq+4u9OVyqBicYFZHfUddyqTLl64swDHk + r7vxwxH/A8QMGj2GSmQez25MDU/NBTBTotEzRSyxvqZFTxn7IOxKDblSYPhEfCY= + =Tf91 + -----END PGP MESSAGE----- + fp: 9DFA033E3DAEBAD7FDD71B056C7AAA54BE05F7BA + - created_at: "2024-05-25T14:42:41Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hF4DQrf1tCqiJxoSAQdAhuqKLIrt0ortv8L+5ex4c8h3ZbiIDTLSGhML7jbMAUww + ntvI7quM3pEBFfdBT4BuPCrgka9gA9KRKGRwxYX3uSe5jPtgnH8GI1+gImeyWIu5 + 0l4BEMzlg3LOwADrDONa9xStlwAIlxgH53bqmCVQ2t6zHkxAcSGeHLn2y+aCh6wI + 9oicvnC69DuQLkMwBFMEMUNiQwwGH8EMfQRacoFAEtH5YqiwBT1qxsnOC8ALfZ+9 + =1uoR + -----END PGP MESSAGE----- + fp: B71138A6A8964A3C3B8899857B4F70C356765BAB + - created_at: "2024-05-25T14:42:41Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAzdAjw8ldn6CAQ/7BfqXXAGvvQVGeGJDi3+XhvZ0wKQvfS4UmjP7FFa4gm26 + 4W1eS5hM007yxpjOH7NAsVbWpej8jYA6dDfeuo7P34owws61F7LQLa0X61mC1qOZ + IXx4n4kdYSV/CyqJa8HrDe56B0dpou01vjbVZ383Pbf8+VzxaKeJ2X2y3ioRijZJ + +T+rCkDHx4neOrrUkutOTJhiezQaeOnFWPEAbNRVfdLAM9jFuuG0uKtnd7hkXf0W + 8sv7z1xEYN8VF3bE70IGuyZtiTeXwhbTD0gq5kze8LldMLwBIxsrTd/xrH/Oc5Od + nY8vvdiLMlAwBrI4z+JI12Hi+b1nglldk3Hu34KaV7jG8DjgBGBy8yolqvKo0cT/ + 9T4aAe9eLANvyHpYfA1CkcFW4CHWOBRS79rC2HcHM1tQ8+coq+jxrzlYEBRwQcpE + 2jBcP7mnIGPm1csIhB6u/UUKVMqlnZ57MdKHwwXja1vzxfnRNBqFdzq5uZEyU+OQ + dDJmURqxK4zCdhk+De7Nm/wR8J7xtIJLUszu2lDJ6SWQEsut2cNUVUvmd5XV1BWV + kZaIFKADZI9qcbivci6fpCEH1/qoU5jIZJ+zvOEOZLsIJXBw1M1/fgfSZ8Aosl2t + 
RpikITTF0S1HL2QLbWoogdgBp6X+6xjpoWIhHVi5lqm5CX8HTRwqrJL+hPi0GW3S + XgGQv0OqaxGfD6lwyVjokWvCSEoEfK0e7se+ZyJifwAlarGaLvG0PU/iW5cVUolV + QT3TwrxD94ZB412nL2+4/QPCT/ZtOXcO+9dhLiSLneHrNrSReByIAOE1s1ZU8MM= + =XvKN + -----END PGP MESSAGE----- + fp: 3D70F61E07F64EC4E4EF417BEFCD9D20F58784EF + unencrypted_suffix: _unencrypted + version: 3.8.1 diff --git a/config/hosts/git/sops.nix b/config/hosts/git/sops.nix new file mode 100644 index 00000000..b4548edb --- /dev/null +++ b/config/hosts/git/sops.nix @@ -0,0 +1,7 @@ +{ ... }: + +{ + sops = { + defaultSopsFile = ./secrets.yaml; + }; +} diff --git a/flake.lock b/flake.lock index be7c1a65..9d527039 100644 --- a/flake.lock +++ b/flake.lock @@ -52,6 +52,22 @@ "type": "github" } }, + "nixpkgs-stable": { + "locked": { + "lastModified": 1716061101, + "narHash": "sha256-H0eCta7ahEgloGIwE/ihkyGstOGu+kQwAiHvwVoXaA0=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "e7cc61784ddf51c81487637b3031a6dd2d6673a2", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "release-23.11", + "repo": "nixpkgs", + "type": "github" + } + }, "nixpkgs-unstable": { "locked": { "lastModified": 1716479278, @@ -72,7 +88,29 @@ "inputs": { "nixos-generators": "nixos-generators", "nixpkgs": "nixpkgs", - "nixpkgs-unstable": "nixpkgs-unstable" + "nixpkgs-unstable": "nixpkgs-unstable", + "sops-nix": "sops-nix" + } + }, + "sops-nix": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ], + "nixpkgs-stable": "nixpkgs-stable" + }, + "locked": { + "lastModified": 1716400300, + "narHash": "sha256-0lMkIk9h3AzOHs1dCL9RXvvN4PM8VBKb+cyGsqOKa4c=", + "owner": "Mic92", + "repo": "sops-nix", + "rev": "b549832718b8946e875c016a4785d204fcfc2e53", + "type": "github" + }, + "original": { + "owner": "Mic92", + "repo": "sops-nix", + "type": "github" } } }, diff --git a/flake.nix b/flake.nix index d7d7fc94..b2887bff 100644 --- a/flake.nix +++ b/flake.nix 
@@ -14,9 +14,16 @@ url = "github:nix-community/nixos-generators"; inputs.nixpkgs.follows = "nixpkgs"; }; + + # Add sops-nix as an input for secret management. + # See here: https://github.com/Mic92/sops-nix?tab=readme-ov-file#flakes-current-recommendation + sops-nix = { + url = "github:Mic92/sops-nix"; + inputs.nixpkgs.follows = "nixpkgs"; + }; }; - outputs = { nixpkgs, nixpkgs-unstable, nixos-generators, ... }: + outputs = { nixpkgs, nixpkgs-unstable, nixos-generators, sops-nix, ... }: let # Shairport Sync 4.3.1 (with nqptp 1.2.4) with metadata, MQTT and AirPlay 2 support. shairportSync431ExtendedNixpkgsUnstableOverlay = final: prev: { @@ -180,6 +187,7 @@ imports = [ ./config/common ./config/proxmox-vm + sops-nix.nixosModules.sops ./config/hosts/git ]; }; From 361ccac69f10aca35029f504a0a05e48e1fa4e8e Mon Sep 17 00:00:00 2001 From: June Date: Sun, 26 May 2024 02:50:08 +0200 Subject: [PATCH 042/170] Switch the forgejo-actions-runners secret mngmt from colmena to sops-nix --- .sops.yaml | 17 ++ .../hosts/forgejo-actions-runner/default.nix | 1 + .../forgejo-actions-runner.nix | 16 +- .../hosts/forgejo-actions-runner/secrets.yaml | 233 ++++++++++++++++++ config/hosts/forgejo-actions-runner/sops.nix | 7 + flake.nix | 1 + 6 files changed, 265 insertions(+), 10 deletions(-) create mode 100644 config/hosts/forgejo-actions-runner/secrets.yaml create mode 100644 config/hosts/forgejo-actions-runner/sops.nix diff --git a/.sops.yaml b/.sops.yaml index 26086a97..47f0075c 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -11,6 +11,7 @@ keys: - &admin_gpg_c6ristian B71138A6A8964A3C3B8899857B4F70C356765BAB - &admin_gpg_dante 3D70F61E07F64EC4E4EF417BEFCD9D20F58784EF - &host_age_git age18zaq9xg9nhqyl8g7mvrqhsx4qstay5l9cekq2g80vx4920pswdfqpeafd7 + - &host_age_forgejo_actions_runner age10xz2l7ghul7023awcydf4q3wurmszy2tafnadlarj0tvm7kl033sjw5f8t creation_rules: - path_regex: config/hosts/git/.* key_groups: 
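Review bot: The new `sops-nix` input only sets `inputs.nixpkgs.follows = "nixpkgs";`, and the flake.lock hunk of this same commit shows sops-nix pulling in its own `nixpkgs-stable` (release-23.11) as a second nixpkgs checkout. Adding `inputs.nixpkgs-stable.follows = "nixpkgs";` beside it would avoid fetching and evaluating a second nixpkgs tree, provided this repo's `nixpkgs` input tracks the same release (its ref is outside the hunk). The per-host `sops-nix.nixosModules.sops` import in the second hunk works; once more hosts use sops it may be simpler to import it from `./config/common`.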
@@ -28,6 +29,22 @@ creation_rules: - *admin_gpg_dante age: - *host_age_git + - path_regex: config/hosts/forgejo-actions-runner/.* + key_groups: + - pgp: + - *admin_gpg_djerun + - *admin_gpg_stb + - *admin_gpg_jtbx + - *admin_gpg_yuri + - *admin_gpg_june + - *admin_gpg_haegar + - *admin_gpg_dario + - *admin_gpg_echtnurich + - *admin_gpg_max + - *admin_gpg_c6ristian + - *admin_gpg_dante + age: + - *host_age_forgejo_actions_runner - key_groups: - pgp: - *admin_gpg_djerun diff --git a/config/hosts/forgejo-actions-runner/default.nix b/config/hosts/forgejo-actions-runner/default.nix index 6a01b204..f5a8dddb 100644 --- a/config/hosts/forgejo-actions-runner/default.nix +++ b/config/hosts/forgejo-actions-runner/default.nix @@ -6,5 +6,6 @@ ./docker.nix ./forgejo-actions-runner.nix ./networking.nix + ./sops.nix ]; } diff --git a/config/hosts/forgejo-actions-runner/forgejo-actions-runner.nix b/config/hosts/forgejo-actions-runner/forgejo-actions-runner.nix index b2efcbe9..4b4d4dcb 100644 --- a/config/hosts/forgejo-actions-runner/forgejo-actions-runner.nix +++ b/config/hosts/forgejo-actions-runner/forgejo-actions-runner.nix @@ -12,19 +12,15 @@ enable = true; name = "Global Docker Forgejo Actions Runner"; url = "https://git.hamburg.ccc.de/"; - tokenFile = "/secrets/registration-token.secret"; + tokenFile = "/run/secrets/forgejo_actions_runner_registration_token"; labels = [ "docker:docker://node:current-bookworm" ]; }; }; - deployment.keys = { - "registration-token.secret" = { - keyCommand = [ "pass" "noc/services/forgejo-actions-runner/registration_token" ]; - destDir = "/secrets"; - user = "gitea-runner"; - group = "gitea-runner"; - permissions = "0640"; - uploadAt = "pre-activation"; - }; + sops.secrets."forgejo_actions_runner_registration_token" = { + mode = "0440"; + owner = "root"; + group = "root"; + restartUnits = [ "gitea-runner-ccchh\\x2dforgejo\\x2dglobal\\x2ddocker.service" ]; }; } 
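Review bot: The new `sops.secrets."forgejo_actions_runner_registration_token"` is owned `root:root` with `mode = "0440"`, whereas the colmena key it replaces was `gitea-runner:gitea-runner` `0640`; this only works if the runner unit reads `tokenFile` with root privileges (for instance through a systemd credential) rather than as its service user, which nothing in the hunk shows. Worth confirming against the gitea-actions-runner module before deploying, because the failure mode is a runner that silently never registers. If the service does read the file as `gitea-runner`, `owner = "gitea-runner"; group = "gitea-runner";` restores the previous access.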
diff --git a/config/hosts/forgejo-actions-runner/secrets.yaml b/config/hosts/forgejo-actions-runner/secrets.yaml
new file mode 100644
index 00000000..456230a8
--- /dev/null
+++ b/config/hosts/forgejo-actions-runner/secrets.yaml
@@ -0,0 +1,233 @@ +forgejo_actions_runner_registration_token: ENC[AES256_GCM,data:gAR2ffrffeuuaOwO6mWcif2e6csKIVoLqrux19iBlrTkFHgo/IlHVL0eSUGqnw==,iv:i12yx/quwT9kj6fPECszo/iG9cVhKX+7dAA6/N09URc=,tag:eO+mWhumgvWzQxYqiRUXbA==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age10xz2l7ghul7023awcydf4q3wurmszy2tafnadlarj0tvm7kl033sjw5f8t + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKZEFkeThaUkhoVlVXV1V0 + eXBja2hueWJzZm5RNVdaNTdKNGp6OC9mVmt3Cit6S2tBQjNGb0N0RkdDdWtpR1Vv + REd5WjJrTnJYR0lGRkFGU2RXTjZkdncKLS0tIHJoV3I0YTNkcHdZQWZySVNyVm4y + TGR6Sm9uZ0ZQeEFNK1lJRE82eUluclUKL4mGDJkQ3mQu+7Xc2KflVqLUjbr/5a16 + VlYUplTqUCYXtkzq/3RKZV/pM4RVYBDHvuSzVr4hXBSxW5j93dhezA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-05-26T00:29:52Z" + mac: ENC[AES256_GCM,data:c0261ungapxYViyviTpNsSJZs6OMQ8fyHNqBpvTBp9jEEbbvJBSbqJtwJvVDg8Kv3xrZjC0jZSQOWkvYJlb2PFuW2/GXy5YpLCo7k3ZhXhUbotsDFPe30bvfVxZWhMpaS2rEXlxCqHeVmqoslL34jpLuFx04FmoBh91yjDMoiTw=,iv:njo4Bu4FzAbU6t7CSbqw7hcJ960oqsIKuV/qUGF8c1I=,tag:dzFxW8vyZsDFkd/ARkt5jw==,type:str] + pgp: + - created_at: "2024-05-26T00:28:49Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAxK/JaB2/SdtARAAoDySYGJ2Xf27El8y/UTYOUaM51stw95ZfnU7JtKfPNyM + Ct+xymnyxAwR2OJ7oDluxwEItdPufp/Mr96zkw+TfrqI5lowTiH4YGtDsbioiScN + qxiZgHN4qVZcRHwzgmLcDa6GSIg6rEcDcBygakprmoI4Qeqp3Bioii0/OMuLeleN + igauRUzroFLIlS0QCgI5PaUSIPtSMxgKiEc5yM91EBh6w93RaoQmG0k9TWpfLmgo + ZVB164SYCCW45vts6T7WQ8cE7Pxkkti+rrOrjaDfB4ape1u4gS6xKc4dFJ+nWcE8 + 5l6MXoDLRd69VWRN6P+G5YGQzB5QRicNnuwk6H2q7CwIqZyi7ZqaCIZfcpvuUzCJ + OGJQInCFFVSdLj/3WFyXk+wemmZPna5xFxFb6WVwfSU1ikM/umrZ5yBly+mvDGzs + l+8YGcsZ9D//qjVIsWbiRwhGgeA3eU6f7SwdZdX/zOFy8bP85xwDcbwdOSkhifAA + l3Ud3rswmAnzSYAw5wK9tcSxS+G4JeCPU1iKABifugLohgME09Z31ljvyqWPBRe/ + Rct5zvcQV2yjMbToudXafvRUb9nU+uJuWUEUe8xFSrAC1ijA3mBYfIrGNvD2eVCY + MTYK1ugKA9X7Sgls3vQ0A7fLHeR6C3+zhl7SzGHUZC3bh5+oXTq6cuXD8DjCwV/U + 
ZgEJAhAkZc7MICSMkACItUHxyyEMbBYNpIJ6P7GQA6ErhLcV1VpKWo6abJVVES36 + j97RpaD1tL3OyGPfiivMkk650MkPrgpMKR0hasl770B8jkjVPyDV9mSn+sc7N+tK + D7IbDW18mA== + =EhAw + -----END PGP MESSAGE----- + fp: EF643F59E008414882232C78FFA8331EEB7D6B70 + - created_at: "2024-05-26T00:28:49Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA6EyPtWBEI+2ARAArCPbAnHJrNpP4B755wKuDEzwVMsqCR+gumSX/XcuQJMI + O3/34FJOI+++S/+z94y4O+A7XPsG4xr+UpDIGdGFAsOQBrbxyqD7c0BIToJgq6iG + 22j7y6N6OZFo0g8hGkUVSMeAZXCkg/t70e2POeHeEwnlsNX3cRuFWC54KxfVwr4w + UjlQmjV26+r1uZd3DKj/+eMi5E63XTsgUhAlJqixpHt3PEKZ5UNtnCAbYXqF2FOF + qqNyB5X1M2ncee+RGzLqnXaQTSEdKmlEwteVlXWtsqBs4gICOz+6ehfA+gk6r+si + Hv5dW5W7OjHsZfRfLxaF05vBUqQ+M5FdYl0hBFZzco3zuNQ+c9om+c/3Fd+B0tZC + 0pUs4JiNa/chjuSCiJ0ZJE8kh7xCmmjIrFqsvWi4ZiTk2GWPEeuPq91TC/azfQea + ZV/Ozh09wAMGnGYUY0OqH7BIGsV6mEFKy/oEpwvoPuI1sNLiMig3ZAMHcIdqYzta + S16/JVmVirTnOTCL7p0CZLtiQuQH158gn9F2T7WCfX/XA8ifVSAyjWnYL3+rJUr1 + zuhndbJTXD+5K9RKVM+FXC+G5VRzmWKNN9riijtLFhPKuOqDwPDst81XGsO23gGn + QIFGGEfQ8vuC9lmF8jDPHZfgUWy3kMVaLW+ti7y5IWhWEJASYVXF2JknKeOw2zjS + XAE4hG6ck97ZiT9V5bKC/fk/Ep/GWPnQTMdISinbak9hZigPPQ3KCyf4WZoJ1+sE + r+rk9v7NO1N5rnVQokL+kO/sBCV/t9XrHuFDx16cZrSHpHubQUi9daxc6EQ1 + =7d/s + -----END PGP MESSAGE----- + fp: F155144FC925A1BEA1F8A2C59A2A4CD59BFDC5EC + - created_at: "2024-05-26T00:28:49Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAz5uSgHG2iMJAQ//QF80EGvpode+J0kDjrrFKdSXREPhfCtFU+EpmE+f+aGO + mMPZ0SEuBX4g+5K8u0IdeWR2weqYqY0O9Ar2m18YlpniSWFBZqzmW+/yk7vmDzqr + l9pV/SdRomGrKyXk9JehkLm5vwUrj/xlPAU0DQEKIPLZ/MMRh7bIfL5Fdujc9cLD + nybCqSXccYy59SDqVku5Q6A9FTTzLL8uFf5D3mthp/FgWpxIEQIau8G16PZm0aSJ + cBu2eZ3XDjmgIQLG+TMrW77lp/2AhFe23RtK4y5aZjzGhzO+Ax3Cn7pZI9zTGW6X + iF/ePoR+AQeXMWfwIujGR5Zy4NvdNKSfniFrjgXpsWSMjCp8pKTOlhkknL3gE+HU + etQDmPPCYvaVUwITpmrEAswTNPw0xekXGUe1HgETfhWAGw8zAEYRlOqw3Jt9mMX2 + QczfXc2sA5Z4TcylESIUcpTAFQVMVMB9bZM762tZu3bM9qg6qybNVJBk9UPpi0RW + ZFbXA6lkOnJLG5/m/Ie4UDoxXxtOOqkFzjV57GEBy/HtYuC15LeyOuAgDp0Ta57L + 
0f/ufET/T3z5qBE8GN2zSTO7gGnFAEQ+028ZB0vGVR9C0JdCwVBMlGglC6NiaKqP + xPDLPdBqrCczUQyIJ4f7JJaFCfndLszuchb7IzCy95I7nMmATREpP06uRbnuRU3S + XAHno1TtKtfy/+T536cmGhke9gNLZXBjSg+W9ndHPo7r115Ytap5nlQqhM84qOyE + bhKZlipM9hkhfeT/6X2NzYL48/hsxJ7nh2sbmJQ0d/2DtmXT2gRGkbYq/f9+ + =tuO+ + -----END PGP MESSAGE----- + fp: 18DFCE01456DAB52EA38A6584EDC64F35FA1D6A5 + - created_at: "2024-05-26T00:28:49Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAw5vwmoEJHQ1AQ/+IK+UPsLOltPFjdvN21ICHY4De1c6qqMrrDAskqeDWZet + 9eoal403d0fY6E03o1Acq3XlTzR4srWLp9qo+soAhruZ3+W5M/6zBaq/f2XF4fu2 + U+bjVplM5U/pHTtGb05nHJ+UN7dgq2OJkURAe7aLSwLLScxTH9cggHAo6wpsaUTQ + Uujbo508P5/Vt0efbnyNbk54M/UMH0s93YmWSuxu4XvyUPaVFcjXkh61Tfc8vY+v + l5P1qDEjQrRjSE11/xzqAmZ5x58cMK1Q9yB+cy5Lw6K+rFT+5r1jdJem5NBsIRFP + eJjmTj/rzehujAciA1EOCF16ZsVIG6HFb3SLcNoRRL3DDgQIHgjHT38qbKrobjGr + Ww2Trekg17t2C48+qa/fGZO8dSz+/97gfAMMA2DdWHPlZxVCraucZMG0p9CkNxcO + kEtpD5hYJE456MqJQJoF2x2m+/SylJntfeKstKDhD5MZevTkNhD3MRE/8XPW/abE + byO8hxz7g76l2OKSjJdOUkYTDsjr23qKAuYq3/tENOMC+Z0eTKjQbzyLdSitQkM4 + eOxRMm1qJZM7Y27kYLZcLadkewuBgmXqpDePcH6lHuLZp6S9o9LmrzvAsG79RjGs + wWiITzj4oG7ROT1Np9h9iCrfKiQ3fM/5/4zJvFvGm62DaeqNSwVT9NSLodrpj/XS + XAF3ozQWD5ib0d/yUKcwZZcbbJyn7HyaCn/95zxOMu+C4K0qhJLZeMyOYQOj2pfb + T7EnwyXB5vdL3JJlhVmnFCTMFv/RjhNOJX4qbDnV1sqTj5fFMgcbA067BLEQ + =TU7Q + -----END PGP MESSAGE----- + fp: 87AB00D45D37C9E9167B5A5A333448678B60E505 + - created_at: "2024-05-26T00:28:49Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA4HMJd/cQYrVAQ/8C0go1iw89B1ibjbrJTxnmYD6iep01wAwZjHNm9/cC3BV + yFRj/D7d84gO2YX2hZxnjlnFQYRsNez7HpsjZvUmp6FN9LpJNDp2NvukebtS5v86 + hrcqODTdHNa+/ffHIhUoXVSjw5kwpQNT0JI6PR3EyV7kjCGkFAFMzHbaNRbdup5O + vC5cD6Ty+aihB/E0st7/KUw2PH7bMiJ+lAlx53Z4v7xZYSxS0vFXRDAJRYd6Bt2t + LvHO68aRMF7czDB0JoV8BOSohSvv+ZXBqe2zCZwl8kUZoW3n9eym8iF7yZ+itT2M + OdLTOg6SIhhtxcm7qFRHsOsBMjmT+MuzQVNGKDQ6Gga6NiiboyuURso64L7F0SbA + 3MnHeYoTm39hUs50xqWXdFfi8G3d/SfYcxYghJJx+SwlTd1ZhdSDxQ1uJtUi7ccK + 8pHwIVCdkOF1hvko3w0/B9kHmnlWKBUF1wN8QHTmlViCOo4vIpepowzN4fLlpTug + 
VtyW08lbdMWqq17OcTUK3O7Z6hDDUaIKV8vGvjxrJ7wJp3kok5cI7jXOYEPjxfSr + ZjJpcdrAuJTZjSIsFFopGXFbUkI8bqRpo75lDuK2fA6x38WQqedwNo6YTXvtMn0V + bhYLeEt5VeRSohGWNsdGvpjB6BtPhKoD6hK+aQAeOhhxyuF2cH4o0/lFZSkDo0/S + XAFiYzGNuu1nJulLjaAGGeoiom42N+MEmQvlIfG7AR/XgMSXs5d0JH/COJkL3V6W + zyhAGxTzEmDYmddbhelxXn38obOnsAJU92GXwLg+PXT7ZkFHrCfg9jEvgwmT + =98Lv + -----END PGP MESSAGE----- + fp: 91213ABAA73B0B73D3C02B5B4E5F372D17BBE67C + - created_at: "2024-05-26T00:28:49Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAxjNhCKPP69fAQ/+M0Y24jgYhl4VEAT8ymoiCiNIsqGuk4yIXO6LrTIsNGlc + 6YwkJu9Gj52AH8XKdvLuBGtWstjVoVrBOFyTtS2vzW01Eh+sFKfm3tF8CywjSMZ+ + Xg/v+rtbj7s0EZ2JeE0DOk2X1zg26HsNd4X0HkIqTAm89gNVSTMWGGhDbTBSxtFx + ain5e14rUMM5qeIZg4IEMlY0mEbpGC7AqV1LKclN8pp2e0/6AS4fxamoMtPOhwld + /feF4/9AwZ04HIwF0ucbrDDkoZrW7YaYZPapxBTCMU0alkX4c+WTBMKTWICC1DkZ + lVF1zmLm2rhxebM0AaIw+eT2MymaecTcVrEHdhbtCGbfIL0sram2Qw0ZfeYDxIas + 5W2z0a+qSQtlaCZfq/kc3UBQpRgv0Vrc0CBoZJhFmhfsH0F7uPE5rThqeT1w6TMd + bc6Y09Yorfyio+ZhbB8BJ5fzlolEo8opSZLm1K3YAik5Tw7toIvZqeXZoS6DfZhk + o7K/uUJTDKHuscxRLAfFKqBoZOBuf7d+ski5arMcjMqOYvmGKCn2pzs0TuO0ZaDG + gKbvSz2a6KyUSU822W0l2HSfM36HxxH7bDdJ12iqbBtWPcob+KcKrLowpbzzHpMT + o23ct/g5qpKpEvH+AkXQ9nOO9VKXx7voQyFM0gS0LXZGJcXeeeVbttcD28Td7WvS + XAFWumenh3Yc2VUSF4PUICL4g7o/4sLPjHhctlNHQ4+iaF6beZljWD/lwFkKxbqt + oHFjNx+ajtTxQpzpBQgqO6twKwLjND4lQ1yRlXp3mGm3U0BI7QUCRp+D+RcK + =N//k + -----END PGP MESSAGE----- + fp: F38C9D4228FC6F674E322D9C3326D914EB9B8F55 + - created_at: "2024-05-26T00:28:49Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA1Hthzn+T1OoARAAtsPz8vCvZ84eAoI3bZwP69V1coDW0SgSVqAi0XDfsRbo + LJIU//nkp4pKjUMoBgc++TdLa94/mqeFVhXozAW2T7nFhYOOK2HoVl+JqvgvTGVy + ZhGEWTud++inzjSAKAEll6x89dYE07DLtbLNaLs8w3X/cSDF9fZekmTvyaks9AwQ + oI+RXPK1ao3Nvgw0pkvRzFze7HJansA25+Ojcr3wnhP3qtKqfHjbXRs5Qu46fB3b + mz3SPNcN/JihodKBhZ0suCk+HZx69EXbBV8i9EDBOX+2Azxn3aCGh0jlDAyCMMNp + CWiDuYduzYFV0mF5vAGQC8ifrQZDOjvJR1qqJ2115c2bB9cP0asTS7ZoJEEqfkz1 + mGLHsOhhuP/DkHhX2B61nDl0LQ+eoc1ZdZEcDV0hrKptiFlxmPySlOXD1LpOU+uk + 
JFBot/Sc9GEZzaInyNSmSvd2Y6SiNOl9t7QAwIPwmGYGY3iNDPD6RRl/CQb7raLG + rfNH04BYltboG7HQeEqiEEijn7xctTSNp1O3EKrcdEpg/sAlQzarCOmEUvLXWeBj + YhPRH6Z3+PMyn7m2Jb8VFO3hAX4zfb7eJcXhsKHBhfYIXViyuuzJNBoXYnorqSRK + n5OobCGQAhxeLHOrG2J059HbfUgGtfD/4MJNiGxuCGmXJc5oSJVRhy3d11ttGIzS + XAGuD/Vw5GUqWVZKNp/k2Kfuxauqu6jDPI534dLf35qaROkvbWz2bbfwPx4hxtkE + dZCVWILFq/BbXXiCVEMeJf6FrXcB2rJETBgknQWtxRP18Q7Rb4a2jybv5TDk + =ATJq + -----END PGP MESSAGE----- + fp: 5DA93D5C9D7320E1BD3522C79C78172B3551C9FD + - created_at: "2024-05-26T00:28:49Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA46L6MuPqfJqAQ//WVgNIjTv+F0kaoyM5stNqV7lDHPNF3jKVLOZBV1d8wbL + NhHnNRiadls8SwazCHgds/ahoaUTv+4IF9hvmyLvksN6iEN5/YnyHa1nFDBC8kow + pzA97WD6/bo5SjCk5oqLHjbR7ApKAYHOnI/XDum3QyWUV3KzO5wQQBAVki736l6q + ccUVeYLgjcnlTSlz42TcNnPw5DbudAizU4DRu4KyqQX1hBJEYA9lLDvFxvjrSidb + TzGWzyY0ERkrgrW73K9il9xqGsnyDZLvHPZ3f+nwEuNjM+ITxliZrsfxmqbWZ29f + sid5Z8Z9lZ88jIC2VR4+XW1q3LAe4WPhp3MjvhELfKLUWTRp3zRN6kabxuBtJcuC + 0s212dm2ctKbkTaDbn7Q0NyJ2CLX+5IMjWs/i1NoLAyjre6hFmie2Ldx0RGwxrJp + wCA7EiZ02UJcLQw4QT3o/2Pxg8Spi+eGmqxSmMV/PDJ1gSdUv85gPobdDcotky6n + ng3I3G1o2XRUKnfDwv//4mFbDHXsCPXs7fMLwsSYZi5Cp49NhfbCbQHeusCdchLY + dA0Eik9ckUDH6ihyEN8DyVcZyspxoIFONFqly21rNECcKy1i2HxTsq5SbkZmmUS5 + XiNQTGoLsx0CKI78oAXNfgY3wdpi02Xykkctjga4U2L/u8Wg7dVRgUFmq64rJfDS + XAGHB1X4194RVvPcpYP6tScEDnmQCs55wsiEuWPUyvclwb/aO8y5K1o6Uz5IW7/o + 8lfAj6gHs775Z5xZE3FD8O1NkXVOyLmzkH2bJbkZAQ+JVfQS2UKshMtnQgz7 + =dG/+ + -----END PGP MESSAGE----- + fp: 8996B62CBD159DCADD3B6DC08BB33A8ABCF7BC4A + - created_at: "2024-05-26T00:28:49Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA4EEKdYEzV0pAQ/9He59UueuO4GXg4uBxLASQiaGKS/F1pPfTU9W4E1f+C4k + Dw8hwiLIZWRDsj0huYd+klyg2VJnjmPf0tB8qj5nrHo0bTKH0oJpiDpX8Bi/8j7d + WBNyS8LmUrSub3TdM3Ob1muUt/nHvgGQmWKt3dH+Jkc/um0B/+Og3Yka/JcKRF0Q + IAYkzVFlPdh95IhPEJ0Lo7zyN1FU0UwlyMasjB8Xae7VoyDhtgwur60gTktNIuyU + tAvLPKSSyu//Uz9olGW8RKw5//5A/EYNlP8WrVV0crDNBGegTlX68EsZlZQp1uXc + GK0ZB0OtphMUJiF9dUXNfzbGz02l3voLs5DUIpE+EAyEDu7hZEDgU8e9oTJRv05f + 
TumOjDlgSrhALyewO1ig92fU407JxxwW9aNl8gFv2Ph9lEbSaQWpo/VAHA178x/p + j5caXUUh5qUFGYhtOoHB9KtxL9X+F7Z5FjHmHxFQBtLrxP/olmQ/5jjbiz5sgf8A + iW7bRu2tBmiT5TrMcDxFSf3d+v5o0kOngwPl+8e9NC681uXuddI9g4s76f7KrpuE + bb483XW0CZUdpt8eFXAvk6CJ97gi9H9iZBrqhMKjGnWbE6e0683PE8WNTwCafoYz + mCelVHHjX1Qsk8Zg/vI0EBEHkeigCiev9O85dUVbCxHVniBkvIF4ZNo9n7NRnAbS + XAHQ23ARYRtF676DYWSH50sHJ5v98BTKn+Ca1QWMRCb2kyqUSfn+XzgyP9Sv2nqx + dT8DO2oTOraOaFS2+j9N3wRjbocVRuTV2EPwdgPVPg9IakNaO3qBUwEnNM+b + =EzwG + -----END PGP MESSAGE----- + fp: 9DFA033E3DAEBAD7FDD71B056C7AAA54BE05F7BA + - created_at: "2024-05-26T00:28:49Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hF4DQrf1tCqiJxoSAQdAy+TLSybMtug+TfJVBd4WJP4q5V6Qf0yPtgj4YUF4YCsw + rUctAxIueheQq5uqoPm3bTeLUYeticEVf090hr0613uh+l5DZcD/vqoHUK5dx7Zs + 0lwBTi6sRElMIJiXplIvCMyYAOne/QZG3WaLx+LqqaNlNKPz8OVPhbokC++VNpwz + l5GE8Cv1ZoEDxbjLWurS772NiIumo+lAnjQMAxhHo4lVPXTxZZCqx3/98agyKQ== + =oiZp + -----END PGP MESSAGE----- + fp: B71138A6A8964A3C3B8899857B4F70C356765BAB + - created_at: "2024-05-26T00:28:49Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAzdAjw8ldn6CARAAvnyyMeBLfWLFU6dBK2lNAzJy/gHb674YQbCe4W/w9Cjl + 2pbiw1Hhpe0P7d7MGy2mB3Hi7cLygklFZADkHnrOoRIaJ8KqJELsNSHjapIE4+jW + 8NWIcRSyZzOQFeKGFPNCJgyYd68clNmiLNlIAI/Xuxf4xSb3BLkBDRx1cIoug5gZ + pn7RrWYDPgrUyn9YfAJDr5OJsBcJD70sdi1TmCK6X6UCGZpNUI22yqS40LX6aCvj + WzZ6gd+nyjLlHXBBSG8R2lywPdoEVo4Y0pWvd5oK85Xl80gtlXSpFBfEg+EWbLCa + EkiAXthSAWwgBfjV0UCM+Qd5aiwNb8Q9j90AqPhIAawnsGWRrSL40finvJOdf4lW + f8R8Xk38RovBlHii1u0iw9O3Efur0UJ+aEntIEjaoND6K+32oJI56CWev0ARgR9N + ECROL+57Z1121S4QfDGp3LuClgAJDPB/LTL9ly39jOVaPZ7Ym+8qe45C0nkO3SDI + nyIkv+GA/gz9EuClfShc4N3T+XPjSe+wz7gt9hACpSai+Muea+2ruUpa9Kn8hasi + 1zq7qR+3+ueJc5+8P6xIyCKxBTneBM2VNlh2e0GZlCxqCrx5Vt0spr4fijM/JvEo + +/2oIRv75NtF9zAwk7foSbyw8WQCReW61hLr9rVnYMoCkhYhlEIEGBZiq/94SHzS + XAEUZMZIyLdgzXVIoP8GVEqCErVYT5qCpo8Ett/v8efm27ucV797SrRibqiFEwIo + SsEKMoULNyHXQfnuKviNnuG1ril/azjsAtiucJvTdol7pY2nRWeYXIVecX0G + =Dlro + -----END PGP MESSAGE----- + fp: 
3D70F61E07F64EC4E4EF417BEFCD9D20F58784EF
+ unencrypted_suffix: _unencrypted
+ version: 3.8.1
diff --git a/config/hosts/forgejo-actions-runner/sops.nix b/config/hosts/forgejo-actions-runner/sops.nix
new file mode 100644
index 00000000..b4548edb
--- /dev/null
+++ b/config/hosts/forgejo-actions-runner/sops.nix
@@ -0,0 +1,7 @@
+{ ... }:
+
+{
+ sops = {
+ defaultSopsFile = ./secrets.yaml;
+ };
+}
diff --git a/flake.nix b/flake.nix
index b2887bff..fc4fe7d2 100644
--- a/flake.nix
+++ b/flake.nix
@@ -202,6 +202,7 @@
 imports = [
 ./config/common
 ./config/proxmox-vm
+ sops-nix.nixosModules.sops
 ./config/hosts/forgejo-actions-runner
 ];
 };
From 154edc19727ad1a02625da219214d03c78928c4f Mon Sep 17 00:00:00 2001
From: June
Date: Sun, 26 May 2024 02:58:15 +0200
Subject: [PATCH 043/170] Switch the matrix hosts secret management from colmena to sops-nix
---
 .sops.yaml | 17 ++
 config/hosts/matrix/default.nix | 1 +
 config/hosts/matrix/matrix-synapse.nix | 16 +-
 config/hosts/matrix/secrets.yaml | 233 +++++++++++++++++++++++++
 config/hosts/matrix/sops.nix | 7 +
 flake.nix | 1 +
 6 files changed, 265 insertions(+), 10 deletions(-)
 create mode 100644 config/hosts/matrix/secrets.yaml
 create mode 100644 config/hosts/matrix/sops.nix
diff --git a/.sops.yaml b/.sops.yaml
index 47f0075c..47c61979 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -12,6 +12,7 @@ keys:
 - &admin_gpg_dante 3D70F61E07F64EC4E4EF417BEFCD9D20F58784EF
 - &host_age_git age18zaq9xg9nhqyl8g7mvrqhsx4qstay5l9cekq2g80vx4920pswdfqpeafd7
 - &host_age_forgejo_actions_runner age10xz2l7ghul7023awcydf4q3wurmszy2tafnadlarj0tvm7kl033sjw5f8t
+ - &host_age_matrix age1f7ams0n2zy994pzt0u30h8tex6xdcernj59t4d70z4kjsyzrr3wsy87xzk
 creation_rules:
 - path_regex: config/hosts/git/.*
 key_groups:
@@ -45,6 +46,22 @@ creation_rules:
 - *admin_gpg_dante
 age:
 - *host_age_forgejo_actions_runner
+ - path_regex: config/hosts/matrix/.*
+ key_groups:
+ - pgp:
+ - *admin_gpg_djerun
+ - *admin_gpg_stb
+ - *admin_gpg_jtbx
+ - *admin_gpg_yuri
+ - *admin_gpg_june
+ - *admin_gpg_haegar
+ - *admin_gpg_dario
+ - *admin_gpg_echtnurich
+ - *admin_gpg_max
+ - *admin_gpg_c6ristian
+ - *admin_gpg_dante
+ age:
+ - *host_age_matrix
 - key_groups:
 - pgp:
 - *admin_gpg_djerun
diff --git a/config/hosts/matrix/default.nix b/config/hosts/matrix/default.nix
index c0a77033..1c1f783e 100644
--- a/config/hosts/matrix/default.nix
+++ b/config/hosts/matrix/default.nix
@@ -7,5 +7,6 @@
 ./postgresql.nix
 ./matrix-synapse.nix
 ./nginx.nix
+ ./sops.nix
 ];
 }
diff --git a/config/hosts/matrix/matrix-synapse.nix b/config/hosts/matrix/matrix-synapse.nix
index bcc097df..dd92a5cd 100644
--- a/config/hosts/matrix/matrix-synapse.nix
+++ b/config/hosts/matrix/matrix-synapse.nix
@@ -44,20 +44,16 @@
 };
 extraConfigFiles = [
- "/secrets/matrix-registration-shared-secret.secret"
+ "/run/secrets/matrix_registration_shared_secret"
 ];
 };
 systemd.services.matrix-synapse.serviceConfig.ReadWritePaths = [ config.services.matrix-synapse.settings.media_store_path ];
- deployment.keys = {
- "matrix-registration-shared-secret.secret" = {
- keyCommand = [ "pass" "noc/vm-secrets/chaosknoten/matrix/registration-shared-secret" ];
- destDir = "/secrets";
- user = "matrix-synapse";
- group = "matrix-synapse";
- permissions = "0640";
- uploadAt = "pre-activation";
- };
+ sops.secrets."matrix_registration_shared_secret" = {
+ mode = "0440";
+ owner = "matrix-synapse";
+ group = "matrix-synapse";
+ restartUnits = [ "matrix-synapse.service" ];
 };
 }
diff --git a/config/hosts/matrix/secrets.yaml b/config/hosts/matrix/secrets.yaml
new file mode 100644
index 00000000..26253ce1
--- /dev/null
+++ b/config/hosts/matrix/secrets.yaml
@@ -0,0 +1,233 @@ +matrix_registration_shared_secret: ENC[AES256_GCM,data:5fKfTqwoUreSIPbua5t1lYZFRnQQjNzFvrIBVIBfKWu20kH4BhlDboL/zYnhWLELq/KykX/EUvijoZxxTnUiN7T8H3L6fKOCQKacZkIwKfg/JjqLVnXIaY0JOwg=,iv:Cazhdo7YR0zSgiyQoHLsk2e4dWGSoSfEtOuMA1LEJcg=,tag:KsbnGvEyRbzbIXuAayQk5A==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1f7ams0n2zy994pzt0u30h8tex6xdcernj59t4d70z4kjsyzrr3wsy87xzk + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvZzNVUm1keldaNExycVNM + OEV5SUZQNC9uSW8zMVNZOHQrMUQrNm01Tmg0ClF4Wm9uSzRTL055ZnlHUlplUHFO + QmhXQU5yMFJDMytyMjFiaWFXa1RuR3cKLS0tIDM2d014TTRySXVtOEJieVRxdlVp + NG95TjFjUjZFMXh2STIyakxqbUJnRlUKQ64ahDiNJ4nPUQ5pLH4Jb5yidNrK11dT + YSg9QNr++FTdYaQ/TXmYTg0d4kF3yb/xyG1vZMcpZP6+omwN73DSfg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-05-26T00:55:05Z" + mac: ENC[AES256_GCM,data:ix01bcc6i1dTxoYkXbnEbLgMC1bcplI/hZhyO1mFzPAyjfn8h2d4AHUS9CG8UnIDYGky8Wx3BqrC6MmWMtt829m8bS6t83JTPxOEm1pFEa41sUkW9NYuNPL4LQ8X2BzwteQaI8nfscIuwOZ0nK5CmArZneuUookQEszAGX2R0Mw=,iv:mZlEG2pPfKLgZ+6k9iN+NexRzlibYi1HzqBzbrVFj3w=,tag:PIXA+vyOSaZdU0CaI+03/A==,type:str] + pgp: + - created_at: "2024-05-26T00:53:53Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAxK/JaB2/SdtAQ//Zi8QfQ8Ahr8WyEeaJIvXBRGUzmyg84aboRweI9D/MeJ2 + CnVm91xr74HylD6sAXbGcTnwTtWChrrgSJ7vGBj5t2UOuW9zpKFl/pgs7o4jzwoc + C2Kmgug7S/chaQJsfKTkAs0t/MTHO+DZru+O/pT90zgdQEig/19i1smnrseBuAiU + zow7lc9mwBTIEsTlkYoIr1+Ihoiizv/q9oeMvfaZr8hKV4wYTp1Cx9xCgXxVcv+X + SpzIqqTT/lm87znJcSWCQY9fTRrhAQu4RdhXzEIxTODljmFhQcx/Nug82EAc1Xjh + B7qMIsblbabJyrBUk5BypvDHJiso8qLd/6/i/rRztzK1q3vtT37XPKk8KIJz84cy + ZDqAGDWj8jWDctwac0xTAFKVr/5oF4TGIf1Ydwv7+GMOeXvn2ZInmiMGUKxdGhwW + vg2azqqatmRQxI+kHUHz+FBiQSTgKIkVplg8daCIhQVK4r4CkOU5dPvDjw7FLahV + LN7XVNVCZw7p9yACd5KkjWX2E7bfpHr/EADOr5epc/EZwOmblFmGPzFPNR/IfF+E + QJrw2bTDuMGZRzvn+6CozZOnOFpSrYtzbUHTvdt+iskHS1jD237NOvPe4j2Od401 + c2LjekRPo9BpkrufIlDQrgjflH6RGHOLdgqPE9j2zIOfmKjdIYiQlIIjNlh/xeDU + 
aAEJAhCoQ0WS+mj/YL0Y7lu2/GEf5FxjkOwa0o6SOd7iR17zrTwRkBdSfsSUAiu1 + pw4vkDFzgvwR+80vYfZcnYyCGOQKMYcn0PLtmnQfy/LUUGW+B1/kxqSHZDDhCuWr + o287s9GBxBoQ + =BImL + -----END PGP MESSAGE----- + fp: EF643F59E008414882232C78FFA8331EEB7D6B70 + - created_at: "2024-05-26T00:53:53Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA6EyPtWBEI+2AQ//VYKib9HvGAxzknrRfI15qFSHdvRxWDiR0M8Jo7JWTOCJ + e0BGytT/dkYAKXeZvLX4W/65jQ4GhBMi20NSnyfqsWt/ENoLc3v9mXX3JleBRceX + 8Gyz7tlqjg+pVW7lUtotz4vM6TeKBJUT6tHm5K0OiQBeAtjitphIkmakw4wrS0+Y + +3Y7dOpktefQDSWVDPtbDOImcMFS6EYn5JCPG9xOhsX7XoK7/wCmZuSF3p/q6/CV + 3NgTK0W2L68CiUye+ajrtn4545f3jnQXiu+JkZGcHdKsHaexW6dzpTsSgsSc1S+t + NlhEty6Q7kXXylG3OAtoEhsA3PP2Av2o0oaIpn1Syd5czHvmV7M+QT1M9HU6U96l + Nwio5cSX7faMrlGfaBNY681kVtOiOSFDMvDes8oPEqrqKEDkIiIQwMnh68iCTXzX + jRj+dpCLLfrHdo1+oB1JI151eB3ofUPbvTSdz/pASJ9gkFJBgGCl89atxZ7BDNQZ + oCbk0NxorDG4RBA2mliITnctqAe8ZcpBrOJoGO8oJ6u4fH2SNNuoc5A+7tMEHCqb + 2E06TYmUASROR87g0yZdtffK6+ZlLZzzNI4riTUGaGUu3wXDh1ZbXB1CwF5LJ67d + 4P3gJApHJ+ZDrJGnWr/4Tx0NlvPJgJ9bKNT6F45ZZcQzq6bt+RUh6RC1Axvdns7S + XgE7EN6IttIGME/AAeNdGh6O/1XnE2CEiqwqTePb9kgwIufoJWLarnz19qcbnMp6 + mfHNrJlF5FSVuipVtgCYgfWDos7ft1qDqvgRSD1awmdFIk/2ct3wjXKxyB52Vxg= + =5zOY + -----END PGP MESSAGE----- + fp: F155144FC925A1BEA1F8A2C59A2A4CD59BFDC5EC + - created_at: "2024-05-26T00:53:53Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAz5uSgHG2iMJAQ//cBAsMfpoC02vbVtRPf02VS4NIVu2lM1JdB/IcPo0BHSF + PHNaVh3bl2a3cqbfMvNG9nquFVpDgtAXcSaIvozlsWgMuBIukfYKgeoFNh4fhyy1 + Wgcl26wZj15Tpu4rYHK27CmXBHVusQUyTZVx2CUZwoSdtI2zveWqs7+Qvfhdjb6r + Yt1bDr+Zkrd+AxUuU5Njlp2eGOcuxINGLln2lh8jrdSytOzKll+G/nI8yBdk1Vql + P7iTQ4hHlCzs6HBsgeA7mpkJMP/h0Ts18DQ9sOYCi1SB8JR1eOqZWUu/1nSAk/hV + ntHk3+FnOta4wx7VqYNjRi2JROpvi935JBu0UqwGkVVMdqQNB33/qnJdzcdcfoa1 + 3o5UtsQNuFZW/SgJ3uiPYshIZZGujH3j05aKZV2yULyBRfP7j4KrIq+3dQLlW4J6 + TihPL1Y3aqVvlU0rGOjjKeBL/nTEbEQtbkyCcIrW6WjdWvUYtTeIGnBJt+ExkyH2 + cmuoch5XjiwMrXDnIFzOqeKbLsIZIAatFOzP0jsy66w2VAeNY9AyXCJI4cTqE6py + 
RVc1QK6+ynhrQ/zJ5XKJD4ATequVJidshC8ci900KBW/1R3XLm7zGQtw3gj5QQ6M + lMfA3bPS3H/DzFHq9NWbQ7Lfkm8N5W8ZSQwBKum9o1uWJC/79lFkyfgf4JqDjDzS + XgFfOjk/KKVSrS7P/3V6YHfQscFuq+Tiepr3LCNt8o+0IbNJbsr1Zg+sutuMFhrq + 2lblr+MKkvUpYBhUYYen/PULpr8c6QZYiVX14xJQqFzYk4U/4WoFZm/8dXuAQ8s= + =z9Gs + -----END PGP MESSAGE----- + fp: 18DFCE01456DAB52EA38A6584EDC64F35FA1D6A5 + - created_at: "2024-05-26T00:53:53Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAw5vwmoEJHQ1AQ/+JcEj7POTdpKoqBO0W8sxpvNafGlxWBmGF9nVMKsCe6r0 + +z2iyj0TF2ffRe822djXoG0Kod4Gf1Ihg+u/EKGgoL41CRt3DhszervSesm/pHJU + 9+IMJYj7Wz64GekkIVkYgcLkJr7AeIYM47W9kr5XGWCI4ogQLHJEVgrwFMWVsynV + meIBjn8ntS1aI9xZQC0EePlBekD6zvwQHOyEkar1MD4NaMqLKf+9x7IAErY0msXz + czBfBVZY74q0Aq27YqfUcl2QkksxfLsti3WrB4Nb2YIqzGJ6bED9TsqRhy9CQRBf + TSN+jh9Snit8NgLMAD2eyBgGUcQbwvyW2OHEYWpDXqsMbGmXQ21wygBAN0vfSCyx + v9m2+DSJ0jG9icBj31JqZcztI5fRsaForxIRmuT6EwGHc0YfuJwk8LWW1YOTRhYq + KbOMzGZnB1aNI9i7jVYHgraU1vB6u6R3hU2hOJq0zzqP7w/XuSitzb4+EzwuFkw8 + zVRNJ406ZYJvMhZp8NQ878WkJRqsV3C++LevnLkHLNfMOfDcD+nltmctVXf99Fc6 + ebc7FQj6jOsUlbNQMxnqOZ/6fV9WesjPgCsUMJFxC7/5/5th8CU5VJHYOwwMUEMS + +zbwM41MxUeknII7dc22MHUXxMocVkhlmGPYNc+jRv85nuDwbYqMa9Ht4JychK7S + XgEZyWSvHupNW3XMwspeyYZMS3pSDO+2YExopgpP6c9Uq1TgvkHo2L66SXj/E4EA + RaUR/bY7EoEdNTrqWlHpuLyRihgqHLHzlRsdJZYBinaIfwmKzvINRiQbGjqhKLs= + =mbJg + -----END PGP MESSAGE----- + fp: 87AB00D45D37C9E9167B5A5A333448678B60E505 + - created_at: "2024-05-26T00:53:53Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA4HMJd/cQYrVAQ//Vo1ZEeqpfN2gJUEKHZs6L3dXmRSd5RedwTxivQSDUZaw + CS5CQgBHd6H8ly5Phc2+QrXSjn6sJubDPaCAVmWKOf4WTMOATgdbp7eNEKlX06iT + igr5UuptY04tM6AauuXNLatD9F/2p545VkLUYVNQriVMgXjrSd2MWo7/J3P7G7lA + xupGHMQ/L3gwU2A50sJUtAc1/SW6h9RMNwHjx6FVRvQtdWUdAoRYCT+r2fICKs1m + MKYOUzOA4CW3uURM2NZEFrVdmES0izv0vNAQqx0lVxAL/qhqwsGqTAZkXryef39J + WkIpqwQWWutvwmpVu07yBllfWU5XzoxaH+ye64p7+3SyrRwdrZc7IVW8NM9NSAru + +2lio54b/dp1Sh7GGV2Y3hNMmGuPOym/PEOLVG99mkfZaPDG+Ui6enV1Ol+dFRaJ + 
9VqSa1zIo5N1QdW4iy/Rke7oMlTINcJDCA/KgYeLXK5IRz/iv6q1QyzhR+dNH/pu + JzxDSru/ZSTP+oMXZ1AgGf9UDUy258A7oDRt/ECN2c3oggj+Oh/HfnPXfD+9Mlzq + c/FGIRDQE7lLQoHqBaEgp9pejepAAocCci3UMgAO3ZTgIlXwJyE7fWZKrbATIqEX + GYr/tLNIyb1df4Cg2Pp+kS0i5+KnPqcbPkN+IhJq1BA3qG0rzFJiQtIR5Yn7BxXS + XgEVc+mwjUlUnQuVxFzfyZSlVh8tipwLZck6aG3IrLn/9WSHMY22GDOprsy3bMta + OOy9KLyPgZIdPr1v4BmX77x+2Z5EeijAEswFgfPvSPEuWKSiqkXvaVDy9w+U8kM= + =0phM + -----END PGP MESSAGE----- + fp: 91213ABAA73B0B73D3C02B5B4E5F372D17BBE67C + - created_at: "2024-05-26T00:53:53Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAxjNhCKPP69fARAAleXLoRXh1RP5u4Hk4zsVpSbbhKKW8dypXDBVMa4trCi/ + Xq5Z7XM/Nip1iBCUHoLRaJdi2MlM2aDfVFo+PEx4JagpjxFjzqW21WUa5vqct9Fy + UVgdsssSVq8hNrMvlxDJwYVYfyQIOUqKyzDMbXOGh6AaOHaZsNsWtOBDJRqHMSXy + ULXMH9xxHmheDDV/ZnlOl4fOBJT+qC/F02Yo92Q7rMHWMcNs5NITGN3DDYrQqs6i + uHopbwuTpRMggnHldaMM2l2n4eCBiKxxz0dGit7FlpFL0kgsZROGBkQUyAZdkkwQ + LKnaqgodCv9t/6VZNATp8+iJP7ji5IvXeW6WQOztb8+h8JV3j8pHdadNzgXxH4av + LVnqAABQMhay9jEGlPzgQFT7zDbaAiUd3bSLz1i02Dyi/FYCIylHFEmBErr5RBsn + lqbG/vAxJPKOkiDL31nkjugd09UeFYNp2WqO1DpeoYQoMltFD26TvUnbOAQo+v/y + xxl7hhCTzbd6kF1VxSCNtv0LhDdirq0+eiFN89E+5ijLjhmpg23S2E90etuRgjuF + b050aoEJyXosRqgXVl0qkOEnXgQDbAXrEobbbRixrIQRHmNN1NjRCudzJjxs+p39 + tucfUPZJO5np8ITgE7XCt82IYxW7b3HO2kejJAluIfUxOkdBgORKuc79vEaP+rrS + XgGAqi7CdzN/lfoLononCBOhce9XgdgpbpQRohO+jLp+abqmbnEzI1ZnzxpWXo8Z + taWKvUIySWbN8bWhmiIky9TyUXEfRVKe9I0MUC3Q94NAnlnj+dNXXr3mS/AxNcQ= + =ZYXj + -----END PGP MESSAGE----- + fp: F38C9D4228FC6F674E322D9C3326D914EB9B8F55 + - created_at: "2024-05-26T00:53:53Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA1Hthzn+T1OoARAAsBC/uAbTVpBWv3dmzvVglih0Zlnumbz6wcDbeDTVP3r+ + XiUyiDFE/Hdnm5J0be2jSj7s5RIXj8Gb5BkXPoytAkGF6NMtHjZJLmeo7NciQ6Bo + wDf5IXCmv/PbyuydqkHJEztsSMWoCQbGQo+dMeWoAY+WKt+dQGyGmoB8BbeUjuH+ + lgKlUk3W1INTV74Qz6avuEQpwc+6hvb1w3Vb5kdzgRjplLUB4w45wP+79HE8Ub3V + 7PhhEQMza/CIyYqHEGQ8fKzd+tuX/naYXnbfTCu64eyKCz2fQZOMdqKNA49aMWGC + 
vo8K38Nd8haQ+tcJvT9Vuis3n5X0Qdzpk/8u+M2XM4UQLHSaKSQRnJLpslumLJGK + fI2ErQJoD/TR+vvwrKXmCOEeiFjs0GC8zQEVP6Qa1JE7Fr8iKIEtYYXmGK0Q5Sku + 5eUkrzJC9Lh4rBvGXLX1PZefBVxnnlBMNk0Cae7vGnKKKuARE4aYgRkIhzIp0GuG + pdwSir1iTVMKtfrkpJ7BqPANKxApbLzYHBi9rFWJboA7HAXe/E73HD4Ov0tIs1La + 9rwRiJ0LYUixsngf6YvtGuj0ZiuTe0t+VhYzg9sYOcBWW8z/AAuZ3FQoBWLdOFPA + GBVI2KV+vr5h4dy7+yCqPxpqhkKe5ObCdwksBrl9tiaPVoQuN6Zv63kLlCtkP7jS + XgFYwBL4tKcCPfG+9J61T3LqItNLmzrT56LMN6LIz3pvRtASRbSRRnqKuuPgAL9g + IeFHe8lblLErRwKz+iNre6wwQCEfwbVf5NPF+rLh3nfEIZzCf/CF3qrxBpdYzwQ= + =P+bx + -----END PGP MESSAGE----- + fp: 5DA93D5C9D7320E1BD3522C79C78172B3551C9FD + - created_at: "2024-05-26T00:53:53Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA46L6MuPqfJqARAAtl2tC6rlB5O8+4t+b7ZEo4GU578OHN06nJKxxFQHG5zn + mkcANcm5gVDSRAOecM2FyZe4ns18rH4OCvp+uegEQyMVN/XNUEj4/+bGzgXX0NZf + AazE5s2+0i2NETv9bhPjJB0RR+U47PEgx9vKf4EnvL9MAfWyPbGwzR6HdXXDEE/I + c3GNaIOY7YWBgXEuX5LnZbON5hQhbFADY/BRhP1S0d7Wzff6sYgtJhbtaTQFSX2p + j2+pTA3D+tI2h9VvKnZw3n1t8Jc9apP81KNFCURpNpdR8Jh8KQ0aSEcYWTusjah9 + QOX8RmsnFnvWKTN+gU6tffcSbu/r76gmXyUCF47mWvn89ETVA8azp/66zfLTTTvO + CmFVx8+2X1TK04SIKa+MQcpAuS5cTHH6bw7N8u1YfX6O8mbHX/ZH7NJi/Bhxmube + Cau4DtdZ8mX4yz0EjUF62skJoaYYUl3UBrkGXl5A4NXK75ZHlBHT9Cn4YQYIPP1b + 5MAnTsy6UtsGVBZPf6O/kvkA2gAQNjtOjQ2nB1FF6fjqEFFopzmLnAgGvW7lWkeo + lTbrylmv6SrrvX/0wN5Dsayni2iRb7pisEAFs7JAythm463PDrzaRmLoPBNBmJz9 + l88QlYWDQaet4QbJ1AnEaOu5K03coEy6CTzJYqgkTWdLuFC4tUyKsD3P/1EANonS + XgG1y8ifC6F27sgwQribg28RPRvwoiRSGszAXCAeIwo834NQLIvswid5C4VCvPje + XG4X8m9pipP+BoXF8UuX7naRFnIGfXBOVH9N+1+SoTeZtXRX4GIWUGcRtk4nrJQ= + =FQZ1 + -----END PGP MESSAGE----- + fp: 8996B62CBD159DCADD3B6DC08BB33A8ABCF7BC4A + - created_at: "2024-05-26T00:53:53Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA4EEKdYEzV0pAQ/+MLPIERHeZTiyNPEUc6YnWYcfW3Zgnsnc7EzfFn7NJla7 + HpD82Y14w1gpQrUiPu7wdjzh7xeOQ3fnk2819g4wEXU32M5rCUay9XUWqWFnzpMZ + /Gy0tdwE9TgwrSQ6GDNd6JO93hLNByq1QqhsIkKEL640Wv6doLVfQW07O59hDrPd + 
AQ3UxWnohbNbD333yXa3kjfYcNugjtERM2wZ6qqZoXp58SG2RE0A2wMV77H0jOQj + Rx0arENCNBS5XZlIJW6v+I1Ak1wYnW5vAlVRMcUXo8vJNu93WaZ906EnmVCQ0cYn + LeNVH2ajcuOud/uiVntwdYKMr85rMBl9eOlsPP3dHqbhsrXn/+Oqagh7YUwEvJ8g + LK1krKc4Jlj9a5J6dPl0lCsEAv6vGaVCICJkNnd0JikTViu7DhajImfGrSLrA6y+ + 81hx/TTKqisAL1xBwOOu+LbwlhFZrkrTQaKnueswKzwrS3utxSX7OIepui7Ib7JK + h5R5VDq1bTCbRvo/rRpCaOt1KI6g4ZX+o5TI/60TUcGvzLRRAv7jZZ05PKhcfRuJ + 4ZrKoRu2qKVxA6+kcOfy4Gi5MgkI4Keue4tgJsYJ+LCP8tV7+Jntxf4XXVMLoFCH + jQDe3vIHOxNKqlPUEnLlVmv+g3K9Y7N5uBLuk3xkVYrxWRhBmY6e0WtTVEF/lWjS + XgFWqfLHx/JAJgIU2tiO9oLkJWcdHuXAHNYDvTKP+a8WLcJDZdS8X1feqOpWYbaH + zVbYkg4MGJqO7K9f3jlCtyszh3Kpu5CFbfXA0MZ3M2eRoJTv91iWViIWY7UP3VI= + =vsm4 + -----END PGP MESSAGE----- + fp: 9DFA033E3DAEBAD7FDD71B056C7AAA54BE05F7BA + - created_at: "2024-05-26T00:53:53Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hF4DQrf1tCqiJxoSAQdANu3CeUuv/SDkBQG+aROPeiWBauWaQBDUm6UdXAhEBXUw + Tuj49QiBBCQ440R3SBkHOzOOUUTMPkWo/wESnJm+EPla800tb9B8rOvUj7PnkbiY + 0l4Boe0q5XPHSysz9eIQ7zRwSKoClgd+zi/GOtcsvxkLWlISoBzAVOVEvk55OeKb + 7J70fuIMl5rZPPFBzbF9gjnCHxAtfSyze5774nPfFI/zoQo3WaDfL/9viRhP7Eqb + =i8o+ + -----END PGP MESSAGE----- + fp: B71138A6A8964A3C3B8899857B4F70C356765BAB + - created_at: "2024-05-26T00:53:53Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAzdAjw8ldn6CAQ/+N5yVnEm3ejyw10aDPkLjJoUIoxZl0Nof6pGZxdWYgiF5 + VrEsLv9vYQD8Wp7/nXuI2HW7OoA+vTG9KBZt2Tw9R0iPIMXpEf0fewPSBZ2n10lk + KJPvkMP4w2OV1AfGT+PrRPLaX8/2E4p6dE8BPviWEh9HptYKodhs9lRlcq2C3Kjh + sE88eJOSA+fQpASVZLNHKYn1UrXXENRTHE4tw3+OIpE2KSxHvIv7sI8LuXZb8Jxy + OpmUP+v9fmhsPJYIlP7SAvITMgZdMHceH7SDgOZn0kVU0inr7MJ+FCcNQkQOl7aP + jMp2B7qSXOdC2NHUmdYvzeUx6B8O9Bn19VM5LGte9n1RBnknw6TQfQO+fkQTjUyl + 3FhVqQAxrutOBjud5xn7H0Grj+7oqRI51LLUjLQdOzpEi4hul9Of3FfGnKxjOxUf + yVBHqZzFco5rcN2fzMgWytjuSED0AE8UPS/tcd01oXXEsTj4YBSKWox0gZuyn9B1 + mspU7vr9I39igceGVE6LJQ4EBnpR8xC7v5CDFpEbCr1qt4VlaH4nUgfN2tEGtOGW + 2mmrX2nGC1r1VRm0K+ACRW4htDsOsBzSxQttVJ/5IWkP5fqegcwIajjo18VXz8IH + 
BtZdJKzXuhQLG0B+sXndOAgACWkVQw4F2hD5CYRpiFtungAqUbtSDbeb43x7ICjS
+ XgFrmwLxkGfZYKOPehbp8L9glbHpfHYE4CopRHPtUkhLTNWTqzEyE7YQYYVu9Cui
+ E9Q3v2/+2swn6nKOQtB1Adu8ItCqu8Om+d3IJQvKVS24k4+fKPWa7/ccmkXz7OU=
+ =w7hs
+ -----END PGP MESSAGE-----
+ fp: 3D70F61E07F64EC4E4EF417BEFCD9D20F58784EF
+ unencrypted_suffix: _unencrypted
+ version: 3.8.1
diff --git a/config/hosts/matrix/sops.nix b/config/hosts/matrix/sops.nix
new file mode 100644
index 00000000..b4548edb
--- /dev/null
+++ b/config/hosts/matrix/sops.nix
@@ -0,0 +1,7 @@
+{ ... }:
+
+{
+ sops = {
+ defaultSopsFile = ./secrets.yaml;
+ };
+}
diff --git a/flake.nix b/flake.nix
index fc4fe7d2..7bb4e774 100644
--- a/flake.nix
+++ b/flake.nix
@@ -159,6 +159,7 @@
 imports = [
 ./config/common
 ./config/proxmox-vm
+ sops-nix.nixosModules.sops
 ./config/hosts/matrix
 ];
 };
From dc439abefefa1f14d581d6aa6a65422ce224fab8 Mon Sep 17 00:00:00 2001
From: June
Date: Sun, 26 May 2024 03:14:31 +0200
Subject: [PATCH 044/170] Switch the netbox hosts secret management from colmena to sops-nix
---
 .sops.yaml | 17 +++
 config/hosts/netbox/default.nix | 1 +
 config/hosts/netbox/netbox.nix | 14 +-
 config/hosts/netbox/secrets.yaml | 233 +++++++++++++++++++++++++++++++
 config/hosts/netbox/sops.nix | 7 +
 flake.nix | 1 +
 6 files changed, 264 insertions(+), 9 deletions(-)
 create mode 100644 config/hosts/netbox/secrets.yaml
 create mode 100644 config/hosts/netbox/sops.nix
diff --git a/.sops.yaml b/.sops.yaml
index 47c61979..2e7e3767 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -13,6 +13,7 @@ keys:
 - &host_age_git age18zaq9xg9nhqyl8g7mvrqhsx4qstay5l9cekq2g80vx4920pswdfqpeafd7
 - &host_age_forgejo_actions_runner age10xz2l7ghul7023awcydf4q3wurmszy2tafnadlarj0tvm7kl033sjw5f8t
 - &host_age_matrix age1f7ams0n2zy994pzt0u30h8tex6xdcernj59t4d70z4kjsyzrr3wsy87xzk
+ - &host_age_netbox age13fqs76z2vl5l84dvmmlqjj5xkfsfe85xls8uueul7re9j3ksjs0sw2xc9e
 creation_rules:
 - path_regex: config/hosts/git/.*
 key_groups:
@@ -62,6 +63,22 @@ creation_rules:
 - *admin_gpg_dante
 age:
 - *host_age_matrix
+ - path_regex: config/hosts/netbox/.*
+ key_groups:
+ - pgp:
+ - *admin_gpg_djerun
+ - *admin_gpg_stb
+ - *admin_gpg_jtbx
+ - *admin_gpg_yuri
+ - *admin_gpg_june
+ - *admin_gpg_haegar
+ - *admin_gpg_dario
+ - *admin_gpg_echtnurich
+ - *admin_gpg_max
+ - *admin_gpg_c6ristian
+ - *admin_gpg_dante
+ age:
+ - *host_age_netbox
 - key_groups:
 - pgp:
 - *admin_gpg_djerun
diff --git a/config/hosts/netbox/default.nix b/config/hosts/netbox/default.nix
index d4a02cf0..6ef34697 100644
--- a/config/hosts/netbox/default.nix
+++ b/config/hosts/netbox/default.nix
@@ -7,5 +7,6 @@
 ./networking.nix
 ./nginx.nix
 ./postgresql.nix
+ ./sops.nix
 ];
 }
diff --git a/config/hosts/netbox/netbox.nix b/config/hosts/netbox/netbox.nix
index 9c072332..ff323494 100644
--- a/config/hosts/netbox/netbox.nix
+++ b/config/hosts/netbox/netbox.nix
@@ -10,21 +10,17 @@
 services.netbox = {
 enable = true;
 package = pkgs.netbox;
- secretKeyFile = "/secrets/netbox-secret-key.secret";
+ secretKeyFile = "/run/secrets/netbox_secret_key";
 settings = {
 ALLOWED_HOSTS = [ "netbox.hamburg.ccc.de" ];
 SESSION_COOKIE_SECURE = true;
 };
 };
- deployment.keys."netbox-secret-key.secret" = {
- keyCommand = [ "env" "pass" "noc/vm-secrets/z9/netbox/netbox_secret_key" ];
-
- destDir = "/secrets";
- user = "netbox";
+ sops.secrets."netbox_secret_key" = {
+ mode = "0440";
+ owner = "netbox";
 group = "netbox";
- permissions = "0440";
-
- uploadAt = "pre-activation";
+ restartUnits = [ "netbox.service" ];
 };
 }
diff --git a/config/hosts/netbox/secrets.yaml b/config/hosts/netbox/secrets.yaml
new file mode 100644
index 00000000..6f9e3e52
--- /dev/null
+++ b/config/hosts/netbox/secrets.yaml
@@ -0,0 +1,233 @@ +netbox_secret_key: ENC[AES256_GCM,data:7cVGSlrCo3MEjeLjfeZrL0VZi3+yZqsC3qI+rx+xadic78H0egWCCNaYEHIgtilgFjw=,iv:gnearzPduWcrVLU/FuzS05eNPZ5srX0hqZyElq+19ek=,tag:9MKgFb4eVYE6a5ncx9sgpw==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age13fqs76z2vl5l84dvmmlqjj5xkfsfe85xls8uueul7re9j3ksjs0sw2xc9e + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKaTJ5OEJPeGVPTHp5V2tX + c0xYcWtKNG00d3lCQ1JZRERkUFZsaXpyMERJClQwdDFnTVdCRjB0S3hEYkVmclE5 + dGRUQThYSWhpK2dCQWxSVjhuNEY4TUEKLS0tIC9RS3hSdFZCbTd4eFNNSTgyaXdU + V1lQK3YzTWI5ZGdyeGtFQ0E3QXQ3YnMK8sBStC8xBKwpeWkF/HrryWi0hZA69nuw + a73HiZuED8KEp5OPME3yC6Ode71uEEaE/av2zp7WUYbCqVpWnwcjSg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-05-26T01:07:35Z" + mac: ENC[AES256_GCM,data:0zWNPrUqpuC/qXOaTE8ayrTbnZdg9VA2NqxSNnV0bogqxVkg8zhbx8OKYfNQ0DswjxKNEnKsqjp62gA678VfRfGHJU5ZoHfAC7kBbrkDy+pMzS6LRwT+7n0C1AbaaG7hienGJQsx2gUUYqu7OSQuS722lXAw65deFvZGtL6lt8E=,iv:mOLkzF5pJFazmH9XX94Hjd04FcgSh0hY4juEO3vKNBc=,tag:lSk0lnVONQCmuO0KmxlL0Q==,type:str] + pgp: + - created_at: "2024-05-26T01:07:22Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAxK/JaB2/SdtARAAgiNMTfquNZeRDR0p1DQbGPVx/tCxKng4aQ+6A8x7H3Ul + UFSjn+85rFBqTRswDnFM4gSfokBHLW1Ltztqw4aKuYoNLs0vUGJWrkf5dHsJv2Mb + YJaHm1iqSwIrgmyI1PWvrZ+cUjgUWBriJOTNlYi2iHWBWqDSQ7O7TUqpeCxiHAp9 + e6UydzIxsLjl+7gaDW2M/FRJNVKxtq8UBEdg33xLi/eE6O5/fNyo8qBjUUWnG4xb + fiuKWgn83n7vsVsmvNJPlsOUrrZoYJAOSm5nymkXlAEQv1LPrSXXYHz8WoOTPDs8 + 29YAX8gvIwK+lc7xFFZAsjQ8JzqcVMyFHsT9N8zWSdaOyGcFcsDwBEICOvVSabb9 + g3yrI8PKoEkQigeLnzKrkLZX+1vqVkSO7MBWn5xAMMhTTZvH0+MknlYO0pU3ziME + Yp6EbvU4OeRbcB6gMt21KQDhiEkPNdwcyxoOtFIWw8tCK57Leyyyb1YU2W7T96M4 + 2fcoAzr5x3xapdvOEgUr7OFzTrc2DRrpx7FKoJFBIy4HEvtJKJvKxcq4aUqznSPG + ILpbnH3CEQuWmcGu5fTZ3ggQZW7bM523cz+cwOJjUokhW49D+h7wZjffUuSK1AWS + 7FwncFVVkNcLAs77p1DFn4A3mUjdh3jl+VAXudgQfOGtLeLDY4+qlMMQSGPoj4fU + aAEJAhB0l1X5jqjGE7o/PRwgoaeFl/zwiX8n0k26++hPw2+Vt/b3sT3Ce0zNr30p + 
Yc7h4H8UoN9j6zD96R9MAATHikz7a5EprAshqzV6uy7VNI6bcKVKilLoxVa47Y1p + 6PA24RxtGxVm + =ES/O + -----END PGP MESSAGE----- + fp: EF643F59E008414882232C78FFA8331EEB7D6B70 + - created_at: "2024-05-26T01:07:22Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA6EyPtWBEI+2AQ/+OBSrAP5xkjanku4jcpbYrYDMTWRxVfEgNesvuTyQsxVr + kKK9THm7MUHbVBkx1xirvpv6XLcLtCwdMnYlBkSCVaztGmb1aowmCn5tWZiVDyE+ + UPCF0bTXmxjLM+Cav8aweylfD3vAQsPvFLS3XvCBHKWqZ7dNkro+5VTxKmQ+XiZ6 + t67M5DtltUm8IWOE2DScAgGiBQlCSY23O/zy4U5Sj3Ii+eRHxC1B7NB0Crj01pi7 + 2v6J7yNZnw4vfH3UiRO5Vg9q0QLPp3XR6Xb1J/TJJS6vCUarSbL1/oBjujHkF4hK + MEZ+Q3qGnv+dGOzUch4xkEkuWyfIcMTY6JOa3TpkhfkbQwXsph/sD/SaHpRD70Ra + PX0vBzSdbtEMea8/pVTOxfFEjPGQIFI1+pdNmCfzhWNbrH6EqjrSOyZXSr6+U3dI + Xhpyv2wKuNho0c9jWYqPzY4vhSGRjc9416nfV/o7Ebv659ypBKHtMDcL5kebkCB4 + W0OwscSRPUXUz2S9XfSa3J80Aakv5S5xvlXo6R/8TDaMWJtZP2vtF4y0elNGOfZM + Vn/zlv1htaezQDNznJK+E8bHEF3p92hiuSjO8yMZByIFrAV1AyqY4kiMmW68scA6 + NBOlxah9xCV7XnD8B1ZCR9FruuYYj9cpwES0lLvISBXJvh1viyHN8Js0uApePInS + XgGzDhaZWWyt5TK+Uv2fu8wh6hbX8hmzT9vBLfPz0Gx6Z78RnwflsTqF8svtjSuB + zv4z9d/zrysfHY93Gd8kdKkG955f1THz9dELEpYLIwyLoTx1vHlymVP87TuPqxc= + =zG3F + -----END PGP MESSAGE----- + fp: F155144FC925A1BEA1F8A2C59A2A4CD59BFDC5EC + - created_at: "2024-05-26T01:07:22Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAz5uSgHG2iMJARAAjT7YVbq2/QthKii2fmj1EZgsDm7ZkcAKJ7Bo0jm7Vgxm + wGeBULB0bBoYEiFFO7Kc420Yk6IK+uUG8S8X3bJHUbMzvY/K/kG0eVpXwDJwJPf8 + o46blkjpmhIiTvvQ4K74AJgsT9W0yXRrPxGz5HIuOG8P8CAqOabZ79ORfd3KFebJ + yOvBSyor//XoMB60a7uqQoaWw/+UwRKpz2yncLafD23nyuS5uXsoHNuySHLsI4va + y6Nhp4LdpYjjx/DIuzrl/3SCeLgisHL5u5kJ1QaGsfd2z7Tjxk+GoVgs/Wb51uHs + vPk0diKrv/kouW7rN20a2ywQETenik7/z2JcEFyZiOPH9KhHk3QGoXdlVVqESz5O + OMV5d/ijFW92Z7yuis1jSewGKDDp1FqyR3gIMONl2vK7Pzl1A8v8yQBbY5/fObuM + xTs/qwwoqYimokqM3WrjjKgx8oFFstWWzKBT24aCQTajA8vl83v1jfjR7EjBrrAu + +J+wBFNpnJiXgECPmJgOtQB+4IA023X1cdgDm2GlR+sPKKSBP+AySMOOp4zMoS4J + 9xd30ltQp1ncNvU7KaTV0VXRaGb7CEJnlhiN2naYcpcsX+G8bfcrCuZwxtBFiZvY + 
9Ey47LLHP5SPPOWxhnsrPOYidNJd056+uyvnnbUYArjb6s5JUh6KQgjELKCEOIXS + XgEUryr5jMrBHLQi7wYHEqWkouH8cFsPAu5O/KOIYvZVIoOzB3DDPtJ4CknNfAMa + CTvlOJHJSuweQ4Mq0c+247aWu12V9ZMcTQT4e3g5DYq5TWm58Uidbd/g3FDwLgg= + =PqbF + -----END PGP MESSAGE----- + fp: 18DFCE01456DAB52EA38A6584EDC64F35FA1D6A5 + - created_at: "2024-05-26T01:07:22Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAw5vwmoEJHQ1AQ//baYynNo2MfmuqEKles0xnZpfPemIyQUnPmRKEtZUl6T6 + eweGXKF3Ms32ErPhZaT8RNYAk2XX+RRlpJvTcMvLv/rxVTf2QcCAz6vxukmh5una + 5CJe1H1tcDmXrQ7zkGffktkGcT90/OpRbhMJtp7MKcEzfpdgcw5yCeDpYCRn2r9E + /0Eaf72R60ecnr6CaOSIdbpy1QiDMydgmg/QCONBT97RQMJaGN+qAuPz1Fpb/Z+N + E/bmtqS39ADYZoB36sy+LCzp+oMLI0DpCHz2ngfFnKbeYeNU9gMXCAda9/ZyMbaI + aFjvwlTBsvAklWN36pvG/YxoO1XkN/Mj1N1QBvxP2LYg28X7uBnVUZAyvvQPL6xN + U110qThvDvLxgHC1DAfoMygKCDig2oSg3njf8LS1y5XkTag/B1JJT3NcgFI+MMvT + 5NMaw6HRAgOwWcJ1pJokFZ6zIpLlIbToutJu/Ep4tisyg/G3ybbthqaywg5jkbCT + vbhzXpsbqkE+jyx2dWziBbQR9lOoTycRwIs6um+pKuPF7TzfD1GRyqTwtU9TN58D + Yl1GN3oz8ZFeGkdy1dXBxMP4EXR1BTdLk14vFGFPbjQ0bAAohOgTSgtGm+iZ73Q/ + PFNf/3gGt8/Gk0cMl20PFzk3FMyUDOLFl5dOre0THGQelpVbN7fvZuaXOSZjuYXS + XgHGFmChf+zsmbKnT0tQfzGtFQb0cHHvkenxC5MCCCPibxwVeHEwcJTtPvvF1QqF + 9kR3XEpuVFMNFrxsQd/31c5RUTC+sr7W+PRIVgIhdU6RtikIMsmekrunnPeB99U= + =o7cj + -----END PGP MESSAGE----- + fp: 87AB00D45D37C9E9167B5A5A333448678B60E505 + - created_at: "2024-05-26T01:07:22Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA4HMJd/cQYrVAQ/6A6ealIO6x8Xq3xzjIvZt1R4TvbnF+LmKpW2iG1nO3aVY + QOEGUCVdEveWbQBOexKXl1TgfhxIOrPVixJ2KgIZnNxobhgABfF/H/EqXsxUI6n6 + 2mZt8r0ibknzoPn7MmC7ceJt0t8UVFgPlPuT7zb5T2nDrm61WD50tbubJTYTuWmY + NE5qhd051/Ohqf1RGB7MEfesDNj0S+J3E0TAjOsAcFoAUwSohUtxONcCSwjiygqM + vCC9Z51tMe6pC9n/2MNgb47xd5eqFs9rzfKXxPlnhhRmS1jOmE5fVfmOg9KOkGCu + PskiO+hgyQK3q2a+/e/MGuKv3ChCrTloTUBarQW5oRoQnWdoiZh7rVwyNVasGfHW + FLEhZuBlyV8w9JqOQTiOx3FN8IhVL2lJIa72Ng+O+AMYuvuSCxv5r+1D88IUlF9B + n01qAMC7fUfOpkUPM0yXQ9GTIWt02Mp/7z15t49Uk3izYCGluxVNhLNFxvAZOZh8 + 
nfT2Hpf5mkJHMvUD9F9rWFVWPyCD0ORN8k770ziOVEYMadSJ7/HpCHxg5m+TqNnM + TNQXID/f7AyoO10zcS8TD0IgDLEjTaPMTPZ1EZ0MvgLQ7MgzPdjdvXOGc0g8L6oa + ac9a/NDWeZGDNfj5T88pZStoLJKnTvuuwxk0haabClxCAOysifxINqJ7U6AfkpnS + XgHR1vDF871X9kwm/c2zrbJca2sH5pNU/HiLf3IMRTAnmIewYxQAvn3JH+0jUUKH + fEt+fZuW9dgfvDzaw4C3FbGxFViRXXFrjqSDGN9JT6VprCmX3Or0RdIjHwdvvhY= + =4agQ + -----END PGP MESSAGE----- + fp: 91213ABAA73B0B73D3C02B5B4E5F372D17BBE67C + - created_at: "2024-05-26T01:07:22Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAxjNhCKPP69fAQ//R+9lFm16WjGtRkq3zcPbva2SpijBjVBfuL2veFyeDq5G + H09EL0+A9IJ5rPI4Y6HJ2LhnqUWg7NRHbmM48bHla5NDtCNB+YsU1rNc4oGIf/TJ + JRob3u660+BxRiEO/Agc925BeQS7xoPSIQTTkzMKEGih2aUj3Im0JHBd6p3UWnsn + ZTUy4rkZHhUot1vHSOh1RTRDQHdDMTFpzPA66nH2y9tyz79jhqEFUCZIVIB5dGWv + blFqZgoVf9Piw/7ic9FHuNRy/5tia7SGN6xIu3OlR3TU+z7fvjUAHG9Afm0FINfm + fS7SRg+y/6wUWVGL8NSQWQLdnMnUt7E2DSu5IY6S6ToZTDxpNM9Waw89GQbUe+Jg + APzUtmXt2VNZ7faIE+tE0LJs2x5OGNxALKgj+K9ZFl6oIL8E7PB4ncxDlTsCRiz/ + H15LzKYMWcYAntMVuVbyyzKUh/3KdZWfs31PV+JIQuazVUQgO9R3myn1Y9SnvZdQ + dIwvfYBOmwhC6oCkJB3Pj4yOoE6gtacZBeeUZwScDxH6h+D3MFrF/1bgiKZs26m+ + VfuTS2vxUAln9werKIGAbQWZmtCOkRdyVIJyeo31zO3hy/xdfzlZdBijcOqZDeho + FP+WDUAySkSahqV1pr+jIMsaejRglJo/GfCGPdtBYAuB872VpdiQ8g3i0CW7eSfS + XgH5YBfA4EgJSxRdCpBO25i0SyxlNK2WJ9INQbu4xyfBfsZYyhKo1RbmD+60t/xw + Lxeg8plFAuBPvQCRCGvda1y9uw66Hmxt0QKtScd3MXwOk2Q2u04cIPDZ/KAtC4g= + =x1QX + -----END PGP MESSAGE----- + fp: F38C9D4228FC6F674E322D9C3326D914EB9B8F55 + - created_at: "2024-05-26T01:07:22Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA1Hthzn+T1OoAQ/6AgZkGRrZDbtTDEkksKQ84CsGyRBMioOrYfHDSyRb7URZ + RDVLfqr25Iz48kYR1n2nMo+O7QyayjTwaEAwFLFSTIpRKN6/9fT2ZVJxUfgLUWhH + I1OYMmRr9f/30OUMw8uTlCMqznkdoSjBmm0CX2Mu3YyRDUokzZa+ixRHX9TRBrKz + GSfJvHm77HTamvJLZcHnrVi9YH0KL7cQ8ileNHbUbCqmG+rrhiwz+gRp9aJ7pbnw + Qp7TaafrQKFh0Zsbmwuzcv030TJvuZboWpMIuGoeOWqv6tzSFhUV8eUu6UnM/2fg + arflryayYFRDUkysHONGoHviygefHr3+dIkneVO7tJ4ePYnFYhLvUsps4KASoHMF + 
dHMOwaPQDnBYo/ADiar1fgagYD/1Yns2SpsA1eqWwTE+hp+jwQi0mzYMLM3xl9YA + cMuqIOnXvpnuXYIRmooFtf/JkoJkYDV+8gbowZU52FJbB15QsPUgN47aixkWzJxj + 6iV34LoF783DGQTnoMzgV9bDXa3RE1UgxjdFV6TNsPQvmWQJe+NNhqdkhH3MwLTG + jMGAwUNsPnmvCg4xPZlZMiuGhi3vxC4Fj6MWUw8uJbxCv83FPYwmpHCGVNwpDhFC + rRLk9vo1Dsm0oMHHLDxS9gTlg7FCrEyXinHBEq/11wigACM217oyg28nWxd6iA/S + XgHgxWlTQiYOWBRdJuJrPwXpNIHlsNDuE5YantoGFx6ykGT5H42HFlll7xGq6xVq + pssSfJK++lqWpvX076vh9tfwa40N2neO/vQ+8jBXr3dP6Vj/FUA8IUDVjc9xxAc= + =FXTF + -----END PGP MESSAGE----- + fp: 5DA93D5C9D7320E1BD3522C79C78172B3551C9FD + - created_at: "2024-05-26T01:07:22Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA46L6MuPqfJqARAAlG+nZhDVZX/+nHA+dPdw2RSGeXrIaxe0gjkGShZOVhmq + /iOfY7IgRzfp03BCJxRZwTYZu9hcg25jmW1havkmv5NPMDrmhgg9nX1AgyJaOgTo + FCPlXAvBSyWPGv+xgi63ttakHhobOympBj4hSzXdLg3RhkZ7KHci4Qz7XVfOpJ+j + wl/HKkNmkLiPiA7kYk8SOwJMFO89dMphHQBc81cZAptwfz9snTP7v6iBVvQDvF8h + 3y5QPpfKEJZy0+GlqbMvRASHNx+w2GXIk6F/ldMt9rq9IJvR0od0p15aXCcO6TzC + Yzo7lIyyxqp9NQyN0S/DwzH0Uqj2CFMYdoKeFTNXG4a9fkVorj8+4rmJPewDxc4a + 6Pc1hrQc6qoN+7o0Fj4xYkSO615gmVwZprWLQqgdkSMSPklecMX1d7WmkmIHNBk8 + wkFUT0yBoedBiOTIHXRXhnQ8/4fkbRw7HYA3R4CqT7njtvqC0VWfwLISubuQ38tf + wbGKg5Bzzt+T176VoOfjau4aDoy3S1aGQcVKD19egj4l/eO+SvHl3UVZNUipkB3C + 7MUqORS2kOh+IIqdSjYKvn7+MuAM5UP5GdzIoHaPPSCTUPdUjOLFPb+bjonTReQM + N4slvyssD3pgy9cwNofVtsmgVrc4Cv9mTo6rygeAq7wWxkl5hvVcmkhRN6zXD4TS + XgHV1a+C7ZWICtKI1u19NVYkjDkRrbQx96UdAkKquofpaQjxxXsz4SDi94BB2dCS + z+S2ZjOtweynhey1QPOLLmNUvZLE+SGsKmwkrMCBdtSyTbRXHSqPHt0Lc77tUhE= + =7WGw + -----END PGP MESSAGE----- + fp: 8996B62CBD159DCADD3B6DC08BB33A8ABCF7BC4A + - created_at: "2024-05-26T01:07:22Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA4EEKdYEzV0pAQ/9Ek8xSUknHMyj7pFgR6oME3Q/az5CykwxpkKFZgafhxWQ + nA2Ge4y3Px+rSoPPPtxtb32lw4PcWV+P1Y4EdtpinsuW9xlSWJvE8Yp6C0BBFceu + 3k3O2sPHlF0yeJgjS+rhpqPppRn5nlvmD+E9ZiJGQNOEUxmrdgoNLonazlLqcgjO + 07CQdgHp9AuBthhlEU+UgdVdfHMV83KhhyOIf+mhEUU4cQWL3X/J2Sm6jtAowA92 + 
fiAA7U8UXEt4lFEXle6Xj/1LtBI5zI8YHrE3xX6kN0Byf+ydtAM1eqjGb0dL7u6W + 24CavCODfgWepuK97Jo++umTfN8wkLlfpbaNro2EpAdD5Q9CeGSzXk1PjFmsZgAb + QVOxo8kiTULEgMTI55pqg4GT4pglbofsQRMuk2IZPj1a9ScJjOxZIm0VUXG9AAZi + BogAuiObch3orMm2KGeSX1s6HyHrvQjuXDNPHoC2yFJ2oBu1QIHy/hAFLnOcNW/U + 3JfhWHLpMHQgu9lFzkTlobg+4Lg1MHlXtSApwdmMIcrAJcm/l/7+x1J/TVVRQAdP + zyzWLA9AGjRv0Vud6lhCnL2FjsUVUWA+S8G+OYqxpkp70Ku1a5z3e7P8CoAtzDoe + RZLRwjawjgfyKpEvbN+s2UvWqtgvRPqiudG4cAZs5GecLxO8ItahyklRZ47G8JnS + XgEdyiiO06vx5LMszt/tFXtoIKlaWnbB0oLyIwm8un55VnJija5OVrFfdQYhp4fQ + yvRQ9uAM32WVjQ+gKVVQ3pAHgF2Lu67E7HtZtdmdLkWafybEWUsqGZyDzDvchZs= + =pFkW + -----END PGP MESSAGE----- + fp: 9DFA033E3DAEBAD7FDD71B056C7AAA54BE05F7BA + - created_at: "2024-05-26T01:07:22Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hF4DQrf1tCqiJxoSAQdAeCb2j6cmTulJV2huSow62xTILgzf8/OOo5lED9+T5VQw + kBqubSVgy3jiW7lfjAK8U5Wh0ITb+6AR9kDLRE0WCxNbrOaeGado1VEalTw00Q58 + 0l4B+PeAZBg82rPUegAvU7UnnUIC3nGVzN4CEdPRpPcrG99V6VvXOks+s4DLky16 + 5FOihlYbf5nCD7OFbc3yys3MbUVuHda8x8H0BkuxDR81Wf4Q+HXCg8OUhncB57zN + =Lvnj + -----END PGP MESSAGE----- + fp: B71138A6A8964A3C3B8899857B4F70C356765BAB + - created_at: "2024-05-26T01:07:22Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAzdAjw8ldn6CAQ//UFokgDfUkScPVlJ+YnFw+W8eLk6y2YVI+nTCCZO9fhPB + 77aDFY+yJG/BfEzjZNwQbISBjt+OuxVSSam52B+4FQkolr3KRhkfkuS16Fe9PwOg + XLMRoDba416ZtwAKz9HznFnPAzyPOwAn8yuF9RMp0KFP3ko+NSRAvOgja+jjPOl7 + 4BNkH6w5SAoE8u5jyQKIV9OB4W8RCVX30bYo2XzxjOcK1L+9EygoR+1CVOkbx8p/ + T2i3mBdy3EtQ+86nSMPjGrSqURaUaKbCN/ygrSMhN/Pl/FvLiEEHamj2dVXPdHRV + k4bR51ZjO+U056PAB2Z5yK1Mpp0d0xpi5+QdOdi3eEqnGCXFq4Xz7NHUrmdy8Zug + QPnlMqibC3Wqdee4uhPbCHe0veF/VLaNAlyGkBHw7q66Ln2MY8coKPoiR8K4CD8o + 9dtsV/qDvdFhziqsWCBjTwtFct2x/qEcRnzm1kvpyKwe2zV15lHA9WLafZVQ8eNk + U8yxBDETa8Bwd9voJ9NqYTcnyQLRJ3sZcvfkWQ7D5NOvmdHD5vF+gm5zJzR4EGN2 + kSiqwZvztVuQCm6EOe0pJqp774KZXWW9eHc6CaNwkT5cmWjWu1wdHYhRk32HdhxX + 1FQF3MxxACwDg9kj/s7gpWLlsofN4NM/QtHoGRh1wDQJGm8IZyH2qxpsgcXX9YHS + 
XgGX4oCWpHLRyRuHPb0xvjAdVX20WQKLzAtXvJkRMUd+Xt348nkZ4ZCqqfQ4eKPU + 02FoWeCVqWTUyoaaHC87HFXUNJ4Gc+9AsWlbB9yA8nAm1z4wWHHFqZS2duu28ow= + =WqHP + -----END PGP MESSAGE----- + fp: 3D70F61E07F64EC4E4EF417BEFCD9D20F58784EF + unencrypted_suffix: _unencrypted + version: 3.8.1 diff --git a/config/hosts/netbox/sops.nix b/config/hosts/netbox/sops.nix new file mode 100644 index 00000000..b4548edb --- /dev/null +++ b/config/hosts/netbox/sops.nix @@ -0,0 +1,7 @@ +{ ... }: + +{ + sops = { + defaultSopsFile = ./secrets.yaml; + }; +} diff --git a/flake.nix b/flake.nix index 7bb4e774..72b89c01 100644 --- a/flake.nix +++ b/flake.nix @@ -145,6 +145,7 @@ imports = [ ./config/common ./config/proxmox-vm + sops-nix.nixosModules.sops ./config/hosts/netbox ]; }; From 3aae597752440e2b8971da507cc6932759c624fd Mon Sep 17 00:00:00 2001 From: June Date: Sun, 26 May 2024 03:49:43 +0200 Subject: [PATCH 045/170] Switch the public-web-static hosts secret mngmt from colmena to sops-nix --- .sops.yaml | 17 ++ config/hosts/public-web-static/default.nix | 1 + config/hosts/public-web-static/secrets.yaml | 233 +++++++++++++++++++ config/hosts/public-web-static/sops.nix | 7 + config/hosts/public-web-static/spaceapid.nix | 16 +- flake.nix | 1 + 6 files changed, 265 insertions(+), 10 deletions(-) create mode 100644 config/hosts/public-web-static/secrets.yaml create mode 100644 config/hosts/public-web-static/sops.nix diff --git a/.sops.yaml b/.sops.yaml index 2e7e3767..c42474ee 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -14,6 +14,7 @@ keys: - &host_age_forgejo_actions_runner age10xz2l7ghul7023awcydf4q3wurmszy2tafnadlarj0tvm7kl033sjw5f8t - &host_age_matrix age1f7ams0n2zy994pzt0u30h8tex6xdcernj59t4d70z4kjsyzrr3wsy87xzk - &host_age_netbox age13fqs76z2vl5l84dvmmlqjj5xkfsfe85xls8uueul7re9j3ksjs0sw2xc9e + - &host_age_public_web_static age19s7r8sf7j6zk24x9vumawgxpd2q8epyv7p9qsjntw7v9s3v045mqhmsfp0 creation_rules: - path_regex: config/hosts/git/.* key_groups: 
@@ -79,6 +80,22 @@ creation_rules:
 - *admin_gpg_dante
 age:
 - *host_age_netbox
+ - path_regex: config/hosts/public-web-static/.*
+ key_groups:
+ - pgp:
+ - *admin_gpg_djerun
+ - *admin_gpg_stb
+ - *admin_gpg_jtbx
+ - *admin_gpg_yuri
+ - *admin_gpg_june
+ - *admin_gpg_haegar
+ - *admin_gpg_dario
+ - *admin_gpg_echtnurich
+ - *admin_gpg_max
+ - *admin_gpg_c6ristian
+ - *admin_gpg_dante
+ age:
+ - *host_age_public_web_static
 - key_groups:
 - pgp:
 - *admin_gpg_djerun
diff --git a/config/hosts/public-web-static/default.nix b/config/hosts/public-web-static/default.nix
index 60487fec..9ef00e46 100644
--- a/config/hosts/public-web-static/default.nix
+++ b/config/hosts/public-web-static/default.nix
@@ -6,6 +6,7 @@
 ./networking.nix
 ./nginx.nix
 ./virtualHosts
+ ./sops.nix
 ./spaceapid.nix
 ];
 }
diff --git a/config/hosts/public-web-static/secrets.yaml b/config/hosts/public-web-static/secrets.yaml
new file mode 100644
index 00000000..5802514a
--- /dev/null
+++ b/config/hosts/public-web-static/secrets.yaml
@@ -0,0 +1,233 @@ +spaceapid_config_ccchh_credentials: ENC[AES256_GCM,data:5IClrKKMO/AztQuGabrnoRFItYNeEmVWGeafomVO94pL1RKzL1sCxBxnmzvJFPb/8Y+6FXMh+Mim4DP8B2RaJMLpmqCv+76N/5+527SZ6gn9i2Klg6q0kD9RzJv40qHq/NYLCa24tpcZDt7eB0EOgqLsKUmtX2LrQjjnN3NzjAevJGKQ5ypnb7xygjft2KrpvlR1hMnZ0XpSLDTNR1AmImxE24JtDaJKzwXbptr2IZvm1UFkNslxdqHPjN+N8+MSSLhqHy/FdcY2ADvsTX1jtjnjkb+9E30QOeCiFPKSmWtSGiQ9sPcQna1yr717Vk0EiNSAWDQ2fMZyJUgBXG6w3wiZbxfJmxvshLPs5KguF9NHER+Seps1QiE0p16c0IS/0Y24UYrK2GyUIcSReGufjxUFGTJHFSsNANac34H/RTs7BkoZ,iv:8WzTRaXVeH5GKmigMVTLVBnhy6nXZnTZHLAYHcqDs2s=,tag:jTdgz0gmruMWWDBQ3h70vw==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age19s7r8sf7j6zk24x9vumawgxpd2q8epyv7p9qsjntw7v9s3v045mqhmsfp0 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByclhsVmM1TTVCY1ljcmxz + TkNMQnhUMGsvWlQyTkZtQ1RDTjhoYVBhOWlFCk9ERUdvaTNBQ1QwamtleTJPbUo4 + dkpYYjVSR1J0UkJML3RtUlRXNEsvTFUKLS0tIHNTdEFGL01vYStRaVVmWFZySWZM + MzEvb2IvZUZwSTgrL282VU9WUVpGNEUKFg1INcr/YbkmV6/F/4hWbTXj3PCscAMY + dlr4Pii9Tbhn39yOXyzt3DF+XivkdMsG7fQTHSYdvzMAnvEJ1CLOtA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-05-26T01:21:16Z" + mac: ENC[AES256_GCM,data:ENLJIlcUXLEt+vXp/F2YATUZrc9ZjaE4AWwvG280etdsufEw/vGAWBhG2KT+CkcZLaJ4ctVvNlJEqU/pRzae+m/43SV3GNAG+jjT2VmNm0NyNYN27bpsj4tq11D27LPn7CkfBUB0gnmGJXVKalxhFkHBf+eq3ted8dPIv9YNRt8=,iv:Yfz7scjN3qDY9lV1SYOqrejiEwf4dVSPJhiFRJyFPio=,tag:SOw4Nhx6wwYIisRJl0SSRA==,type:str] + pgp: + - created_at: "2024-05-26T01:20:22Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAxK/JaB2/SdtARAAkz8cMmtau9sLQQFafUnjIkuq8UWKn9TFcAfjAWDjnLTx + WAP4RQE56FXzVCo3DXWvucOjOlVNR9Y86x99eXaMLgYLtJfOTZOCbn2nSIDxQI1S + XNHAPEXEH/UXEoQ2lffIjR+VfSOpJlwD6acfVEu13NZMvxlO9/51EOvAAo+qKa0L + EwMczgDh8QsYohBV13UIxC3Et1Hsj0Guawrx4M6pzL4OvXGUKkpDfw4NCx9to0XK + 3L4k+DHur3KhpZJg4QhrM1O1XJeb8RdlkCBMCrcteXkzKMQotVeee6Avr7kfti9s + R0hYuVswmiRJP+dxkQx1n84nnFkakY85LOxXIv7Mo3CT5xV/n/teUgZhyU+97aK0 + 
Soq68sBMBqo8v3Izrfi1wp5iF7nnjbkMBzkDVFsRkA7bqYlEpTqZenzTzdEhm/Kt + e+A1mY+hcWI5Gr3kkz8+LGOXgBHHjXjVslK5+KmOxzcpm77IBIQCXaTViUwTJPbW + kmrDT9MSiS+bpTHS6NPLgRz21FltbCL4d0QD7bCiMnLjdeYwfRzT+if/yR6YIGMb + 1I2odrB2Qf42CXHZooB/fV5OO5ziUXBpos3HZLxIvCUjOHyCYnoL1s4M3A6Zjf3v + 0rZvSOy0UNwYwSbxRe5G9Z2xfFddFCTE5dp0cPV2RUEVMVlNU/kgpsMtxCFwIN/U + ZgEJAhDOqBVfz4bsqSMs4t2I4Vys7oeOfYJveNT88qc/PNPqjXgEoWSWp2DZdSvV + dNHaoVQHHRyZbRxfIwe0q+xoNjv6H5NafDIMnRk0gWl0gCSJQpCIQ9j1IQrXUoPq + cArG8aqHSA== + =rUJB + -----END PGP MESSAGE----- + fp: EF643F59E008414882232C78FFA8331EEB7D6B70 + - created_at: "2024-05-26T01:20:22Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA6EyPtWBEI+2AQ/+PCUJ7JMkGZ37gSURfBI/fM9Ow1oRp1MH8mHiflICRsio + RJhrcuThlqWHYYSFE1OlQhha8Uu+s6oaps153LKS7ZH1dzomqr5H8LfuKsaO6GDg + QyuiSGGAfudtyQ5ILN1CHjO8ifh/4469J7P/SyKkQ2AhZGQePbGkrR4kqGhj5axn + fY3Ar8HreWssm30k797x6zSs0z3BDS5vUd8JZjpt2E1nmbVTX5dLcDud06UwE3ae + B6lC+T/lxwp4LptskgsaBiikPTYspPAL8M1yG5XxKvvQlU8a9Lta7jOoXWnJ0kYE + mLoSRFBxsQsrpir4msR3oEXS7H30gkCT5j8bLdON+vbbK3d6nE5v3SXkOZhJKm8P + Zhk70lkj1HWe1uh5XRRAjn5YDelnipuml6dQMUJdxw8YrUmnVXjL+AGT0p0gcf3S + kMU6FZfELOmdR1zqCt1HicVQDmQJA2wct2+2hXRRQ91M/FAxCILOA/mqq6jZNrw1 + uz1Sa43IlI5lz/ts9bIhR8rZj/Iuq18tRgmKdLhxtuJyZKcN1v1CDiIgNOvlc67x + ydVbVHygWVs95WZyya/PjF1+K5Tuq+VkfHMIJz3cW5xDy4PwYS8GsTqG6r8gEYbx + Qn2NC3h2gtrJ76/Qo8xs+8KCbQAUgST/uSJRK8peyhvqJXSrbhFBvq7ewvJbroHS + XAHl1yNdyWNwC9t2G9twEd9c2FjLuyXGhrincAcQ0gdH1jhKHY7/LoBiVIRMBJDe + kDD+RjcCB9jXRGln/l4teKs5TeCKzpaJiONEcecl2tSqjSaOzNE8rJh0kihH + =Edso + -----END PGP MESSAGE----- + fp: F155144FC925A1BEA1F8A2C59A2A4CD59BFDC5EC + - created_at: "2024-05-26T01:20:22Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAz5uSgHG2iMJARAAzGzj3TJVDsnArDe7GziE2avL5WHkHFUJNoQcEBqNhfTU + PNu8RKSpKelWeOFEFzgr3Q1imapoR1+UXzTC1dP0QL+6sEWiqImxrbHygpm9tPSp + HvLMIvAvS0zPjX9q7HFgsw2fm489To0tuEK0oTFcayatAAijpWBl63KyslFbk5f+ + tHSnaYTeRZq9QkRZlNGI3uJgMXyrHnmoyUUIb5wdKKQ2tpt1nR5okh307kU6fwqb + 
vT5ylRSTEZ0eWDyQbb0hThJkQS2j8QnsBN/xabDN8QGTFORrPDDobW3iro22SKJv + iVyh1yAm7QiA9yTdqcB8J1QuYvnP4RzSoCSNCAK0gZ+DklPUGC9DIEK4VTdmUaWs + cJM/dZw861D8Jnavf2RToEa4binehYHvi/+TNv7vBE+2xe9cp2Y3UZq891gHKbmr + OdlaIUv5yvU6dJfV/aib33PoGxcim1jGmRnDDu+aYv215WqoUxfNniib/HcNFb9M + JT70R4Ixo6Hnp9DyvSh+wGKPGg2WRuwrspbAjFucwMdBuY4a3XoBE4QE8QhFjLWc + 2JTegdfx4yKovY9raJ1U5LxYWkErpfdvPgYOpn2xIvhHBy9Y9F8RgnI5CIyQ2haO + KL82cNunEeljvluG+vH5bhbWNOjWKcRXfy474+KOBGSu8UJsZJr3s8n6RSAjmN7S + XAE8nvvN86y/RxvwxG0qUX3tEjVZwvipqrzxeAcY2lEX1zFpW8HyHzqWlnpN2LlG + pfqdqn6A6wocTpuaKhCWNc34Ws4uJ+XJd59nrNP6j/4Wl6SenxcJef7bgqru + =X/V9 + -----END PGP MESSAGE----- + fp: 18DFCE01456DAB52EA38A6584EDC64F35FA1D6A5 + - created_at: "2024-05-26T01:20:22Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAw5vwmoEJHQ1ARAApyVhDae44C6aOlE8j+oAmoPWBiTc0j6VGAwo7y6OzRVx + p6W/l/ALDRd2eVfttzTtS/J3EZ85gQEt1RTOVTR/vTTL1j+XzNF6adPuC2+uJBAb + FFhiReuD9YGyT7aW84qmfI797kKFfdkjIUiUr62iGr+kJ/urC9JK2mNSnhKJVTct + lP0HA0vrUlEHzU1LACUWw2FylyOpO+248Nxx+SXgP8ol3kQk0hAGtEq3+p7ViQdl + K9fYMM5bxlNGmMav6WVaR8ipyjf7Q6jrwOrtNymVlxKoWfzuQy8o0ACsn2PADeG9 + QZsKAmbp33S1hVYdTeXajTlPwtHhNewkxIQdahP2Ni1netzV6I8kp3HHoGO1XN0i + TtHlqZnd9/aJb5Uvuqsz4Ei+nHL0WGS7UJYKphWfw58MaYGkJ9xwEZVxoEWY9+ZQ + prQrXbIwbt6XJnuDnlgO/XZQs76/h/SAK9JQoXV13mC00SwcNqB9iav7S9+d5U3H + QOerfUDzEOjE9AehSmeruaNIdqr/V54dY9eQFGQ5hrM30JTycWdhxl0TZkAYsT+d + qd79FKXceBSodL00kg4OUS1pGwI7w6pe7RsQZ0hl9O8X8JXsRebe8Ardyh5oGe+W + yiKKGj0xi63MdzVm8r6FH4HoWPnmfTq5gcI8urUB/157aU8jlJen3TM4i4bwydzS + XAEldvNa4/1McnNpPAWGDNPGObSg71kAIR/opGGkS8atywKgkNSCUJ6wAJhyksqd + FVdrCl5Mt3GSgk5uVWeYfDuuIxM/aZ8WMjxjtxQMyOnkXQYmQD+D6dgkqiTb + =q5Tx + -----END PGP MESSAGE----- + fp: 87AB00D45D37C9E9167B5A5A333448678B60E505 + - created_at: "2024-05-26T01:20:22Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA4HMJd/cQYrVAQ/8Dc0JtpbZLDLway7kk2YWhLvjTmBRzIZCAaa9WSEuDVWg + u1koIDIaeAi1Y7xNUbDeEACMo1gT23mRG7Dy6QSqi+6DUY4f4v7/UCwqyJdwAb0V + ig6ENedYzYoCKZ3t/kqeeZmKnQehj2hzmIci1avzQjUmsI+u1YGJOZGDCPK9W1CA + 
nkZ69BlsI7ZWwkaO7J9KKd8wLp1/XVcSnRjYxvowOHmUyDd1Mlm/I+umcqWZU9De + hXc9/4cPkUk+h5c4M9XeFFqxorOozMK0dyEBjFw7Dd7BMyPfyh5OnxPazp/aqgz3 + T6SxedaTv0kH8U8dNkPkGc5NYv+D8gfZb7kLdzDglGvcHwL3HTwq7JUCFVvzCD9y + PN5XvFYIzwd1cxAbozhzX54almMFgvd8d1v+03ioEjxOJbAqMXRTgd8C5xUbFvH8 + SJ8v4YsN5XksT6AME3MyZAZgWgbDqdQDAtUvP2cWlBFFJz4+43+71sec4AK9bqph + mG/aTXDHAQ+JjLUGH+hul87F+mIa5WspbSYJ0hky1Sz7JBr1153X1xutFMiIqafL + GwfUzkDqIY2AKZPocqyRthLUkSaf2axLdWMi3VfErzD8fu9XhpM7xY/sI1S7sCBs + HGfjBTF2zTvyNo4cS5SPW1QXGrGoAy6cpxJDkuOQMq/YvW2kIeO4Wv+as3TUtLzS + XAFxzoYXYbes+SGlxaRYY62CONNdFpvF66q8IgDN1/QNC0j8g0gE0bNc14KOamxr + Qg43kRmxOVlB+zbpY5lYI4YL7XbFusFGM9dKJVg9g390nRgDnD4yBZXfqkq/ + =rthq + -----END PGP MESSAGE----- + fp: 91213ABAA73B0B73D3C02B5B4E5F372D17BBE67C + - created_at: "2024-05-26T01:20:22Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAxjNhCKPP69fAQ/5AXvpR4o2fsfev/U/qdJ5Zz8jKwGpZ+xAhEEL8E64+f/P + Y542Oqig04emeGgvZat+jnc3ihKa+Z6k1ysSd4cod/yDUAy4NVtYzTsTziDekmaF + A1nEkbZoBrwXHQVGnO0PtFttqa0JEr5LcFlYgF8NIQRTQSQQgKp8p3llUFZYx+Pb + vuhOtWbZMFtl+yq0p03nDP3mrj32nPyyLIngvj82jMRQmw0em+Zw1JAwIIg3svWq + bp6F9a++PP2Pboc/piEGT3BIq/41gjKoIwz9m+p0NoSIcDRgmIIxflS9vzG/APC9 + E4lVM/U/px0OmLcrmlBTjQ7HwHhVEVEYjZiByeHCm5UjSYWF6yHcmyLp9etD3GsR + pPwFsmc2PWFiEWrM0aV+3EPGkSV1Kwkvd7v34sRqAsGkb8HO5KxtfIQMccMqwMRG + kwBUgLcVuft9H6k2N+MHY6yidr4LLopGfd2FZ8BkQGNy9kIVNdZw9v+6R5HkVpoD + cY0NpzwvX21M9CPuMoXzjwXLnoKHHt9sWoxL7L0XIjyTkvKmETFqvKIY7cPFU837 + 4uxnsPhVESL3UfXrIk3maCgIZfFFL60eglVHdSLUy9XvAIXkLrLzqZLTW0LVYsuY + ZAlqUkkqZ4jjrF9OlmHsjgn5znOiMlW35bcKppC+MonrNXCJHjCdGmpj1v0cc4nS + XAE0EBSF6XDG2rxXETyWzKJurkfveD1njjcRwYeBiBRZEXKKqWuICLIgR5h/WBQI + KPv2k2RhxjH6Zk6FWgc6EWhIWUM/6+zN24m5VnAgMg+DRp8d1mO6t4ZaS+WU + =p4B8 + -----END PGP MESSAGE----- + fp: F38C9D4228FC6F674E322D9C3326D914EB9B8F55 + - created_at: "2024-05-26T01:20:22Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA1Hthzn+T1OoAQ//Z0+gyWwynvznK8WbrU9aP583JpI53BilDDl+dJ34P28f + Kd2wr/l/Aw6QZ43kp0JGA3ZMB9SbWKy56L6MXPcDXHM42ojRCN1Z3am6NZEx4M+K + 
cstyV9qHZp/bUQjlUna3eZBlehHgRM0tRCKn/83Gi08nNK15wRlfZR5tg0aNbdXT + 4ymxyUfA3+n8k4K/rZlBxJ59UESUcuUJCb/oPiUCrS7lXJwA8f85F5/M9t7D1xwO + 2AfkoYl5b2NU48JrICY7SQp+xYg0jwEB2nAC/Gpmk9FGxCMIeFIT4MfpGmMah0t6 + +2qDWQFQ86TEoAHVTqcW77Qmw7WLjNm8oLh0FWYb8VxaRo2B2jnbTtC0cosLWyl2 + TrOwSYfzOOclQQchbmoK1JQb5+dUV+qUN4BO4MuI0mSXk85QFys3CY9a9X2pRXSh + SW7uMCj3SQ784uoYDBNprIYv4qsfzTEgCxrG9Ev/h35JyuNUr/oKGVsVfsLETJC/ + Leepo2FjQIzr9qe52AVcUe9JH++jrPOgUM6JQEHHz+jp+N9arsuTGakxu/5saNjT + +E7WtWdBM5mtr82DDoTKsKLEUJKsMKFpQovFjvz5tgCAsoMhFP5oem2gbfOVi2+A + uQjQH+xJow4OMjb58Qx7fILcky6XYDTNWn9hlf2zrXmtEnhkSwf6U/Gyo71qCtDS + XAHIEr8bpFS9ndb1tchTO8mcDANnKLWttuqs/UdN/W0nl895hIP7C6esi7vLF1gM + OfYLVy+X8FyS5hpjd9rcEd5jj7XBMJ4kHaW7QLMGWHYS2zLjGOhYHS4rt7nk + =hag6 + -----END PGP MESSAGE----- + fp: 5DA93D5C9D7320E1BD3522C79C78172B3551C9FD + - created_at: "2024-05-26T01:20:22Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA46L6MuPqfJqARAAi01+TuUHgBT2UH75pacaptBmEYedNUkzqhUn98AA1yr5 + PtYV1NGNP/rq7LDXP367yXhCslrwr+1BO7qnfAsEsEFr6InAyhOyZmAs18u5ilwc + RxW5EXrANm8SQLODBPH3/gxltpW7vzfayxdTOTNyCUH0x22eKfYknawOfpaMevAm + 95nhILE05Unqd4FSoQId+Zw6djuMdSdQ6iAANKmvRpgs1Y8RNb9P/JG1TmbVvqQm + dbx5hfoLuNnLR4q0r64tGej0iVeBljSjUDrxusjMkhwgiinFTTz8oNoLoOuPjPMm + MymkjV1m6HzdwB9JMU7kMcHDEsqhXiKcxZ5mPDQJIXSG7TTuIZndRsln2ske9ibm + uZusIC7y1868R409UWhjGXjxsoFzqOKpOCo8tFoZSdE250E6o7U8PKOgSUxRAQlb + va7LUhP10ODZof5jM9xUDorrcamT1kbnmz4SlYDIOSliR0ofsmX0ObyxZmL3CZhN + /iC5BVv9D14U7iU0PsKZl0XUOP+urJwSZSCid0zq8rjUXdqy0YH81eBG9Y360ZHB + AlfhfeaYindnJYkPpZe1XWyI0yaKOjrKgdz8/vuDTZWyNseKAcofA7cgjUHtIUvu + uMPhFk+RHd0xZnk3yrlTnEOht8MiAZxVFPk3NK/P7W3D3r0li5D5f7+2ph8RsI/S + XAFXDSRXTIDsHCWPjvTAftTKbS8dq4A28yFHJg8+Ber+RxBbOWH7NpBIgmO2SNAJ + 9CkU9neCROJuNBY9h0Xl4Yp7g6XNOeFeWdgxqJgZWhoKYSR0W8ILzQD45PXj + =ALYc + -----END PGP MESSAGE----- + fp: 8996B62CBD159DCADD3B6DC08BB33A8ABCF7BC4A + - created_at: "2024-05-26T01:20:22Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA4EEKdYEzV0pAQ/+L9uVnDe2jK1unhCFjKv0YhHobPNSQAhXaYoIiw2qTJ/q + 
ntduHgPFvLjQdeGT6EsfS+vxGcsLtS2FlG8woiLzX0iyc9sB0AmcwwKdG2FwyemY + +ZPE8BfjVKrGq0oiYASIceYxTfdp1kNX2aTIpuBzm36ccHQb/RSzUhEeZjyN4xtO + c6j8HJ6TANoh4eBG+X4LDVGFQPMToozqw/2hX5HPn+EDqP6Egprf/6hAetX4VcCk + csbP2AB2wl75U8Q8xSmlNUj/CTz4wpOpNj5tjsADP/ZlkH6EUcGIPk3+BC6ovy54 + zoydEnTi6uy+gMAZDLP2bRdSgjW887TIh3qPsZiyG0SEygC3B+Fb1EY/NIL7Yh5R + mJDdMbrAb9rBSXYS1ptLvq2QSjbyIpVK2n+PLtycySsaktsAEopotlwxlbf/QSBv + FCRgws0djwZ4+qtXJ/D1pMNSHD4sdRxGANPdqNJem7S4fHmegtlVWNphDP8V2bUa + krGYBc0pn/cTusEJgkccp898ghJQ7bjKxD41qtIkfceB8FnaKgdxBrNfIrucaMjb + xv0NLk5NLTCbv/ES5R6Pb4MDKEBpInUp6gygcbaDybyn5lu/jT+6pYFp8Sq0F81B + +Vk7+iz9MsV8Yz9dHJnqIiypZREF1KRPWpenNAK9XGdy5SxezfBS7Zz1VShYgoPS + XAGKmeK4A1VarYym4wSb/AXhT6HXLBM6VWB6OFvz3sXR02sAUI7GXuZOjY2raezt + Usn+dhqFnRUHgUqgtLYGXlgyXiSjUTGQnh4c18n/mkbApUKcTdX2VigoivLo + =Xjqf + -----END PGP MESSAGE----- + fp: 9DFA033E3DAEBAD7FDD71B056C7AAA54BE05F7BA + - created_at: "2024-05-26T01:20:22Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hF4DQrf1tCqiJxoSAQdAEZMgepQuERqKK4S8uiXmIYIRdeN5swy6S4hmzdL3yj8w + E45ScSNMVsvKD3pQq8EqxTFPb5pQ+2LfpP8gbbhYoDomGDm4tcbr8pyH3AXXoFwl + 0lwBFFDJa1GSmHSgnJqrIaqmOZJgBE5t3IEIiDQksVjV7KTwPMwoU+wx42AAU/dS + hjxQwPAfpwO9mH6FN4JC8OTVSU1VfWLCO4e8HroG44c2gOxFfnflaMjaXuIsDA== + =kkiD + -----END PGP MESSAGE----- + fp: B71138A6A8964A3C3B8899857B4F70C356765BAB + - created_at: "2024-05-26T01:20:22Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAzdAjw8ldn6CAQ//Z5yRTQUt73bYUIrnaBPwQCLB4lmlutSICdQvdlQFcqDZ + Tw0kBNBS+4dEhxlYuEmCJgM6H+2KEH+6/M5IdFErlTz8Ly0R73adlSMu0R+os/6i + clLQQAwWIyFVuRaaNxSDdJ06sl4+hZyGZlbpo9kYBjslTUpJC4urvc+6xlRnlIuf + gae9+Zmh1K9+BpUH5svExyTERwWQI1HzvcqSc+tsEYugNvJitBHTyfpFN8xjtbns + h1aDXgKo4riFHzlZHftWfaLdot8++0jgluc7fCNXfnNVYf+nREIP49A/bkDFH4Re + Lwhq1iQte48KE0JKiaXDsAwLSanNYOfEZo5LSAFYAaEGJ6gUwnyoRgH+2T9FiWoJ + Z3myWbrm0SUr8Za2k1AA1FGz8tmGppxGZp3llyqaY/hbP84myfnfpvis6IUAzyfl + xMZOGs0Q3VlOJRAYXOWS64oM6cvCg9rJiOsPMr75P+9nWhz+Ur/X8hPTPr4ku/D1 + ewUhDd406/a7aAGe7m6RyRnVCK2mybuKKYt3BGu0usYvKcPIMUYq+g2zqt6/fQ5r + 
gS2c+uuvMqM6o9dxkRxZWt99o8E29cGH51yl9IdrXsr7F/EyymjBENQxbDApp9mG + DHokBg9QdRvwRyyC2YBttgob8QrkZTI4xE7oRFaq9wuZqhjv6VGZXO0jauIRYV7S + XAFidvRJ2EMZlPeVpDkosbXLsux2q4v0ECXy1ciRRYJn50vLN8Fqk2fKg4aKkqeV + riCQgu8aliCMtTRTa+/NQoTpXbqD9XaPz8hf9betygs+6y3zVyBn7k7WQqmj + =yfan + -----END PGP MESSAGE----- + fp: 3D70F61E07F64EC4E4EF417BEFCD9D20F58784EF + unencrypted_suffix: _unencrypted + version: 3.8.1 diff --git a/config/hosts/public-web-static/sops.nix b/config/hosts/public-web-static/sops.nix new file mode 100644 index 00000000..b4548edb --- /dev/null +++ b/config/hosts/public-web-static/sops.nix @@ -0,0 +1,7 @@ +{ ... }: + +{ + sops = { + defaultSopsFile = ./secrets.yaml; + }; +} diff --git a/config/hosts/public-web-static/spaceapid.nix b/config/hosts/public-web-static/spaceapid.nix index 86d40bbc..13de76b5 100644 --- a/config/hosts/public-web-static/spaceapid.nix +++ b/config/hosts/public-web-static/spaceapid.nix @@ -38,7 +38,7 @@ in After = [ "network.target" "network-online.target" ]; }; serviceConfig = { - ExecStart = "${spaceapid}/bin/spaceapid -c ${spaceapidConfigResponse},${spaceapidConfigDynamic},/secrets/spaceapid-config-ccchh-credentials.secret"; + ExecStart = "${spaceapid}/bin/spaceapid -c ${spaceapidConfigResponse},${spaceapidConfigDynamic},/run/secrets/spaceapid_config_ccchh_credentials"; User = "spaceapi"; Group = "spaceapi"; Restart = "on-failure"; @@ -47,14 +47,10 @@ in wantedBy = [ "multi-user.target" ]; }; - deployment.keys = { - "spaceapid-config-ccchh-credentials.secret" = { - keyCommand = [ "pass" "noc/vm-secrets/chaosknoten/public-web-static/spaceapid-config-ccchh-credentials" ]; - destDir = "/secrets"; - user = "spaceapi"; - group = "spaceapi"; - permissions = "0640"; - uploadAt = "pre-activation"; - }; + sops.secrets."spaceapid_config_ccchh_credentials" = { + mode = "0440"; + owner = "spaceapi"; + group = "spaceapi"; + restartUnits = [ "spaceapid.service" ]; }; } diff --git a/flake.nix b/flake.nix index 72b89c01..ec4d55f0 100644 --- a/flake.nix 
+++ b/flake.nix @@ -175,6 +175,7 @@ imports = [ ./config/common ./config/proxmox-vm + sops-nix.nixosModules.sops ./config/hosts/public-web-static ]; }; From 7c7da0db052ca7638ce5f7ff926d2250699fd703 Mon Sep 17 00:00:00 2001 From: June Date: Sun, 26 May 2024 14:39:28 +0200 Subject: [PATCH 046/170] Add a nix box managed by June Every admin can login as its own user with the keys listed here: https://git.hamburg.ccc.de/CCCHH/infrastructure-authorized-keys/src/branch/trunk/authorized_keys --- config/hosts/nix-box-june/configuration.nix | 7 +++ config/hosts/nix-box-june/default.nix | 9 ++++ config/hosts/nix-box-june/networking.nix | 22 ++++++++ config/hosts/nix-box-june/users.nix | 59 +++++++++++++++++++++ flake.nix | 13 +++++ 5 files changed, 110 insertions(+) create mode 100644 config/hosts/nix-box-june/configuration.nix create mode 100644 config/hosts/nix-box-june/default.nix create mode 100644 config/hosts/nix-box-june/networking.nix create mode 100644 config/hosts/nix-box-june/users.nix diff --git a/config/hosts/nix-box-june/configuration.nix b/config/hosts/nix-box-june/configuration.nix new file mode 100644 index 00000000..7dddcc1b --- /dev/null +++ b/config/hosts/nix-box-june/configuration.nix @@ -0,0 +1,7 @@ +{ config, pkgs, ... }: + +{ + networking.hostName = "nix-box-june"; + + system.stateVersion = "23.11"; +} diff --git a/config/hosts/nix-box-june/default.nix b/config/hosts/nix-box-june/default.nix new file mode 100644 index 00000000..cb947657 --- /dev/null +++ b/config/hosts/nix-box-june/default.nix @@ -0,0 +1,9 @@ +{ config, pkgs, ... }: + +{ + imports = [ + ./configuration.nix + ./networking.nix + ./users.nix + ]; +} diff --git a/config/hosts/nix-box-june/networking.nix b/config/hosts/nix-box-june/networking.nix new file mode 100644 index 00000000..073250bc --- /dev/null +++ b/config/hosts/nix-box-june/networking.nix 
@@ -0,0 +1,22 @@
+# Networking configuration for the host.
+
+{ config, pkgs, ... }:
+
+{
+ networking.interfaces.net0 = {
+ ipv4.addresses = [
+ {
+ address = "172.31.17.158";
+ prefixLength = 25;
+ }
+ ];
+ };
+ networking.defaultGateway = "172.31.17.129";
+ networking.nameservers = [ "212.12.50.158" "192.76.134.90" ];
+ networking.search = [ "hamburg.ccc.de" ];
+
+ systemd.network.links."10-net0" = {
+ matchConfig.MACAddress = "BC:24:11:6A:33:5F";
+ linkConfig.Name = "net0";
+ };
+}
diff --git a/config/hosts/nix-box-june/users.nix b/config/hosts/nix-box-june/users.nix
new file mode 100644
index 00000000..9f1b217a
--- /dev/null
+++ b/config/hosts/nix-box-june/users.nix
@@ -0,0 +1,59 @@ +{ lib, ... }: + +{ + users.users = { + chaos.openssh.authorizedKeys.keys = lib.mkForce [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOqCxniUEAZAYqL5zbisFfYcQx+7iDRrMo4Pz4uWXq5b julian@01_id_ed25519" ]; + colmena-deploy.openssh.authorizedKeys.keys = lib.mkForce [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOqCxniUEAZAYqL5zbisFfYcQx+7iDRrMo4Pz4uWXq5b julian@01_id_ed25519" ]; + + djerun = { + isNormalUser = true; + openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGWXk9N9GoDyvaB0mnX448IvzKKsMv0eFZKvjqmsJ3In djerun@chaos.ferrum.local" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINQsu6WSAXsF45wGmw2spQUWopsgioUuFI8hKLBW/WVk djerun@chaos-noc.ferrum.local" + ]; + }; + june = { + isNormalUser = true; + openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOqCxniUEAZAYqL5zbisFfYcQx+7iDRrMo4Pz4uWXq5b julian@01_id_ed25519" ]; + }; + jtbx = { + isNormalUser = true; + openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIBQgnQAq6FUSDK8bxtYPjx3oRCAKG+xy9J3Gas2ztJk jannik@Magrathea.local" ]; + }; + dario = { + isNormalUser = true; + openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPZtJwNPEIfNsAxBfWgxAeoKX1ajORPvs6L5S+qipJ7J dario@ccchh" ]; + }; + yuri = { + isNormalUser = true; + openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDdk3FLQRoCWxdOxg4kHcPqAu3QQOs/rY9na2Al2ilGl yuri@violet" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJEvM35w+UaSpDTuaG5pGPgfHcfwscr+wSZN9Z5Jle82 yuri@kiara" + ]; + }; + max = { + isNormalUser = true; + openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINHNGDzZqmiFUH75oq1npZTyxV0B7eSJES/29UJxTXBc max@iridium" ]; + }; + haegar = { + isNormalUser = true; + openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMhWTkvLI/rp6eyTemuFZRbt2xxRtal7fu668nnb/ekU haegar@aurora" ]; + }; + stb = { + isNormalUser = true; + openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEgVuX9phyXImxqvof+49UXhiSQ+VGizeU4LrPcZY1Hy 
stb@lassitu.de 20230418" ]; + }; + hansenerd = { + isNormalUser = true; + openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBxujzHK49IBtYKPgnTCDQEiIxgzzlQ846tmU+6TcMIi hansenerd" ]; + }; + echtnurich = { + isNormalUser = true; + openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOWWxkGFje1CJbZTB2Kv8hxZpvRR8qyw2IarRIHnQj3+ echtnurich" ]; + }; + c6ristian = { + isNormalUser = true; + openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOgfWcCrsVSXvYEssbfMOy2DnfkGSx+ZRnPLtjVNSxbf c6ristian" ]; + }; + }; +} diff --git a/flake.nix b/flake.nix index ec4d55f0..8f762791 100644 --- a/flake.nix +++ b/flake.nix @@ -237,6 +237,19 @@ ./config/hosts/eh22-wiki ]; }; + + nix-box-june = { + deployment = { + targetHost = "nix-box-june-intern.hamburg.ccc.de"; + targetPort = 22; + targetUser = "colmena-deploy"; + }; + imports = [ + ./config/common + ./config/proxmox-vm + ./config/hosts/nix-box-june + ]; + }; }; packages.x86_64-linux = { From 58ec317b0295cc68fb78de2b6cfd2d736d64edc4 Mon Sep 17 00:00:00 2001 From: June Date: Sun, 26 May 2024 18:00:20 +0200 Subject: [PATCH 047/170] Use IP address for eh22-wiki, which isn't already in use --- config/hosts/eh22-wiki/networking.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/hosts/eh22-wiki/networking.nix b/config/hosts/eh22-wiki/networking.nix index 44d478ac..bddeabfb 100644 --- a/config/hosts/eh22-wiki/networking.nix +++ b/config/hosts/eh22-wiki/networking.nix @@ -7,7 +7,7 @@ networking.interfaces.net0 = { ipv4.addresses = [ { - address = "172.31.17.156"; + address = "172.31.17.159"; prefixLength = 25; } ]; From a7541eefa8fc17ccd72bccd84a0831fea8d18bef Mon Sep 17 00:00:00 2001 
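Review bot: The `lib.mkForce` on `colmena-deploy.openssh.authorizedKeys.keys` and on `chaos` replaces whatever the common users module provides (presumably the list `config/common/users.nix` builds from the infrastructure-authorized-keys repo, as seen later in this series) with one hard-coded key, and every admin's key is copied inline instead of being taken from the repo the commit message links. Key additions, rotations or revocations in that repo will therefore not reach this host, and nothing in the file says whether that is intended. A header comment stating the decision would settle it, e.g. `# Keys are deliberately pinned here rather than taken from the shared authorized_keys repo; update by hand when an admin key changes.`, or the per-user accounts could consume the same list the common module already fetches. The flake.nix hunk on this line still deploys as `colmena-deploy`, so after this change only the one key listed here can deploy to the box.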
From: June Date: Sun, 26 May 2024 18:32:55 +0200 Subject: [PATCH 048/170] Add tools and other stuff for a more comf. admin enviorn. on the hosts --- config/common/admin-environment.nix | 21 +++++++++++++++++++++ config/common/default.nix | 1 + 2 files changed, 22 insertions(+) create mode 100644 config/common/admin-environment.nix diff --git a/config/common/admin-environment.nix b/config/common/admin-environment.nix new file mode 100644 index 00000000..80fc2bff --- /dev/null +++ b/config/common/admin-environment.nix @@ -0,0 +1,21 @@ +{ config, pkgs, ... }: + +{ + environment.systemPackages = with pkgs; [ + vim + joe + nano + htop + btop + ripgrep + fd + tmux + git + curl + rsync + usbutils + nix-tree + # For kitty terminfo. + kitty + ]; +} diff --git a/config/common/default.nix b/config/common/default.nix index 76bece15..5457e4eb 100644 --- a/config/common/default.nix +++ b/config/common/default.nix @@ -3,6 +3,7 @@ { imports = [ ./acme.nix + ./admin-environment.nix ./default-host-platform.nix ./default-state-version.nix ./localization.nix From 41f04732c2f9bbb6b30f8564a0dabb2d1e2565c1 Mon Sep 17 00:00:00 2001 From: June Date: Mon, 27 May 2024 01:43:53 +0200 Subject: [PATCH 049/170] Switch from colmena to standard nixosConfigurations Those can then be deployed using for example nixos-rebuild or bij. Also ensure all hosts have an fqdn, where possible, in order for bij to be able to work with them more easily. Tho not really, since for actual deployment one still needs to set the target manually to set usage of the colmena-deploy user. https://git.clerie.de/clerie/bij --- .../audio-hauptraum-kueche/configuration.nix | 1 + .../audio-hauptraum-tafel/configuration.nix | 1 + config/hosts/esphome/configuration.nix | 1 + .../ptouch-print-server/configuration.nix | 5 +- .../public-reverse-proxy/configuration.nix | 5 +- flake.nix | 150 +++++------------- 6 files changed, 54 insertions(+), 109 deletions(-) 
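Review bot: `kitty` is added to `environment.systemPackages` only for its terminfo, as the comment says, but that installs the whole terminal emulator with its graphics stack on every headless host this module reaches. nixpkgs ships the terminfo as a separate output, so `kitty.terminfo` in place of `kitty` keeps the intent while shrinking the closure and the installed surface; the comment can then read `# Only the terminfo, so kitty users get a working terminal on the hosts.`.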
diff --git a/config/hosts/audio-hauptraum-kueche/configuration.nix b/config/hosts/audio-hauptraum-kueche/configuration.nix index afab4403..93a6b532 100644 --- a/config/hosts/audio-hauptraum-kueche/configuration.nix +++ b/config/hosts/audio-hauptraum-kueche/configuration.nix @@ -2,6 +2,7 @@ { networking = { hostName = "audio-hauptraum-kueche"; + domain = "z9.ccchh.net"; }; system.stateVersion = "23.05"; diff --git a/config/hosts/audio-hauptraum-tafel/configuration.nix b/config/hosts/audio-hauptraum-tafel/configuration.nix index d7b128c9..2f14d0c5 100644 --- a/config/hosts/audio-hauptraum-tafel/configuration.nix +++ b/config/hosts/audio-hauptraum-tafel/configuration.nix @@ -2,6 +2,7 @@ { networking = { hostName = "audio-hauptraum-tafel"; + domain = "z9.ccchh.net"; }; system.stateVersion = "23.05"; diff --git a/config/hosts/esphome/configuration.nix b/config/hosts/esphome/configuration.nix index fc13d897..0ef1dce2 100644 --- a/config/hosts/esphome/configuration.nix +++ b/config/hosts/esphome/configuration.nix @@ -2,6 +2,7 @@ { networking = { hostName = "esphome"; + domain = "z9.ccchh.net"; }; system.stateVersion = "23.05"; diff --git a/config/hosts/ptouch-print-server/configuration.nix b/config/hosts/ptouch-print-server/configuration.nix index 1bb1448d..33f96819 100644 --- a/config/hosts/ptouch-print-server/configuration.nix +++ b/config/hosts/ptouch-print-server/configuration.nix @@ -1,7 +1,10 @@ { ... }: { - networking.hostName = "ptouch-print-server"; + networking = { + hostName = "ptouch-print-server"; + domain = "z9.ccchh.net"; + }; system.stateVersion = "23.11"; } diff --git a/config/hosts/public-reverse-proxy/configuration.nix b/config/hosts/public-reverse-proxy/configuration.nix index 31aa8e83..a80f5163 100644 --- a/config/hosts/public-reverse-proxy/configuration.nix +++ b/config/hosts/public-reverse-proxy/configuration.nix 
@@ -1,7 +1,10 @@ { config, pkgs, ... }: { - networking.hostName = "public-reverse-proxy"; + networking = { + hostName = "public-reverse-proxy"; + domain = "z9.ccchh.net"; + }; system.stateVersion = "23.05"; } diff --git a/flake.nix b/flake.nix index 8f762791..dd478201 100644 --- a/flake.nix +++ b/flake.nix @@ -25,6 +25,7 @@ outputs = { nixpkgs, nixpkgs-unstable, nixos-generators, sops-nix, ... }: let + system = "x86_64-linux"; # Shairport Sync 4.3.1 (with nqptp 1.2.4) with metadata, MQTT and AirPlay 2 support. shairportSync431ExtendedNixpkgsUnstableOverlay = final: prev: { shairport-sync = (prev.shairport-sync.override { enableMetadata = true; enableAirplay2 = true; }).overrideAttrs (finalAttr: previousAttr: { 
@@ -67,82 +68,48 @@ pkgs-unstable = nixpkgs-unstable.legacyPackages."x86_64-linux"; in { - colmena = { - meta = { - nixpkgs = nixpkgs.legacyPackages."x86_64-linux"; - nodeNixpkgs = { - audio-hauptraum-kueche = nixpkgs-unstable.legacyPackages."x86_64-linux".extend shairportSync431ExtendedNixpkgsUnstableOverlay; - audio-hauptraum-tafel = nixpkgs-unstable.legacyPackages."x86_64-linux".extend shairportSync431ExtendedNixpkgsUnstableOverlay; - }; - nodeSpecialArgs = { - git = { inherit pkgs-unstable; }; - }; - }; - - audio-hauptraum-kueche = { - deployment = { - targetHost = "audio-hauptraum-kueche.z9.ccchh.net"; - targetPort = 22; - targetUser = "colmena-deploy"; - tags = [ "thinkcccluster" ]; - }; - imports = [ + nixosConfigurations = { + audio-hauptraum-kueche = nixpkgs-unstable.lib.nixosSystem { + inherit system; + modules = [ ./config/common ./config/proxmox-vm + { nixpkgs.overlays = [ shairportSync431ExtendedNixpkgsUnstableOverlay ]; } ./config/hosts/audio-hauptraum-kueche ]; }; - audio-hauptraum-tafel = { - deployment = { - targetHost = "audio-hauptraum-tafel.z9.ccchh.net"; - targetPort = 22; - targetUser = "colmena-deploy"; - tags = [ "thinkcccluster" ]; - }; - imports = [ + audio-hauptraum-tafel = nixpkgs-unstable.lib.nixosSystem { + inherit system; + modules = [ ./config/common ./config/proxmox-vm + { nixpkgs.overlays = [ shairportSync431ExtendedNixpkgsUnstableOverlay ]; } ./config/hosts/audio-hauptraum-tafel ]; }; - esphome = { - deployment = { - targetHost = "esphome.z9.ccchh.net"; - targetPort = 22; - targetUser = "colmena-deploy"; - tags = [ "thinkcccluster" ]; - }; - imports = [ + esphome = nixpkgs.lib.nixosSystem { + inherit system; + modules = [ ./config/common ./config/proxmox-vm ./config/hosts/esphome ]; }; - public-reverse-proxy = { - deployment = { - targetHost = "public-reverse-proxy.z9.ccchh.net"; - targetPort = 22; - targetUser = "colmena-deploy"; - tags = [ "thinkcccluster" ]; - }; - imports = [ + public-reverse-proxy = nixpkgs.lib.nixosSystem { 
+ inherit system; + modules = [ ./config/common ./config/proxmox-vm ./config/hosts/public-reverse-proxy ]; }; - netbox = { - deployment = { - targetHost = "netbox-intern.hamburg.ccc.de"; - targetPort = 22; - targetUser = "colmena-deploy"; - tags = [ "chaosknoten" ]; - }; - imports = [ + netbox = nixpkgs.lib.nixosSystem { + inherit system; + modules = [ ./config/common ./config/proxmox-vm sops-nix.nixosModules.sops @@ -150,14 +117,9 @@ ]; }; - matrix = { - deployment = { - targetHost = "matrix-intern.hamburg.ccc.de"; - targetPort = 22; - targetUser = "colmena-deploy"; - tags = [ "chaosknoten" ]; - }; - imports = [ + matrix = nixpkgs.lib.nixosSystem { + inherit system; + modules = [ ./config/common ./config/proxmox-vm sops-nix.nixosModules.sops @@ -165,14 +127,9 @@ ]; }; - public-web-static = { - deployment = { - targetHost = "public-web-static-intern.hamburg.ccc.de"; - targetPort = 22; - targetUser = "colmena-deploy"; - tags = [ "chaosknoten" ]; - }; - imports = [ + public-web-static = nixpkgs.lib.nixosSystem { + inherit system; + modules = [ ./config/common ./config/proxmox-vm sops-nix.nixosModules.sops @@ -180,29 +137,22 @@ ]; }; - git = { - deployment = { - targetHost = "git.hamburg.ccc.de"; - targetPort = 22; - targetUser = "colmena-deploy"; - tags = [ "chaosknoten" ]; - }; - imports = [ + git = nixpkgs.lib.nixosSystem { + inherit system; + modules = [ ./config/common ./config/proxmox-vm sops-nix.nixosModules.sops ./config/hosts/git ]; + specialArgs = { + inherit pkgs-unstable; + }; }; - forgejo-actions-runner = { - deployment = { - targetHost = "forgejo-actions-runner-intern.hamburg.ccc.de"; - targetPort = 22; - targetUser = "colmena-deploy"; - tags = [ "chaosknoten" ]; - }; - imports = [ + forgejo-actions-runner = nixpkgs.lib.nixosSystem { + inherit system; + modules = [ ./config/common ./config/proxmox-vm sops-nix.nixosModules.sops 
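Review bot: The `system` binding added in the `@@ -25` hunk is used by every `nixosSystem` here, but the context line at the top of this hunk, `pkgs-unstable = nixpkgs-unstable.legacyPackages."x86_64-linux";`, still spells the architecture out; `legacyPackages.${system}` keeps the two in step. Dropping the `deployment` blocks also removes the only in-repo statement that hosts are reached as `colmena-deploy`, which the commit message concedes; a one-line comment above `nixosConfigurations = {` naming where the deployment target is now configured would keep the next deployer from guessing the user. The enclosing `let … in` starts outside this hunk.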
@@ -210,41 +160,27 @@ ]; }; - ptouch-print-server = { - deployment = { - targetHost = "ptouch-print-server.z9.ccchh.net"; - targetPort = 22; - targetUser = "colmena-deploy"; - tags = [ "thinkcccluster" ]; - }; - imports = [ + ptouch-print-server = nixpkgs.lib.nixosSystem { + inherit system; + modules = [ ./config/common ./config/proxmox-vm ./config/hosts/ptouch-print-server ]; }; - eh22-wiki = { - deployment = { - targetHost = "eh22-wiki-intern.hamburg.ccc.de"; - targetPort = 22; - targetUser = "colmena-deploy"; - tags = [ "chaosknoten" ]; - }; - imports = [ + eh22-wiki = nixpkgs.lib.nixosSystem { + inherit system; + modules = [ ./config/common ./config/proxmox-vm ./config/hosts/eh22-wiki ]; }; - nix-box-june = { - deployment = { - targetHost = "nix-box-june-intern.hamburg.ccc.de"; - targetPort = 22; - targetUser = "colmena-deploy"; - }; - imports = [ + nix-box-june = nixpkgs.lib.nixosSystem { + inherit system; + modules = [ ./config/common ./config/proxmox-vm ./config/hosts/nix-box-june From 9d7f9d0ec82445b47d44ef46d9bee5fde6cb6b25 Mon Sep 17 00:00:00 2001 From: June Date: Thu, 6 Jun 2024 20:17:00 +0200 Subject: [PATCH 050/170] Emulate aarch64-linux on nix-box-june to be able to build aarch64 pkgs --- config/hosts/nix-box-june/default.nix | 1 + config/hosts/nix-box-june/emulated-systems.nix | 5 +++++ 2 files changed, 6 insertions(+) create mode 100644 config/hosts/nix-box-june/emulated-systems.nix diff --git a/config/hosts/nix-box-june/default.nix b/config/hosts/nix-box-june/default.nix index cb947657..489fd67f 100644 --- a/config/hosts/nix-box-june/default.nix +++ b/config/hosts/nix-box-june/default.nix @@ -3,6 +3,7 @@ { imports = [ ./configuration.nix + ./emulated-systems.nix ./networking.nix ./users.nix ]; diff --git a/config/hosts/nix-box-june/emulated-systems.nix b/config/hosts/nix-box-june/emulated-systems.nix new file mode 100644 index 00000000..b6065ddf --- /dev/null +++ b/config/hosts/nix-box-june/emulated-systems.nix 
@@ -0,0 +1,5 @@ +{ config, pkgs, ... }: + +{ + boot.binfmt.emulatedSystems = [ "aarch64-linux" ]; +} From 46e43e51aaca3865ed1eaaff86b3307d00b645cb Mon Sep 17 00:00:00 2001 From: June Date: Sat, 8 Jun 2024 19:57:40 +0200 Subject: [PATCH 051/170] Add deployment_configuration to make deployment using infra-rebuild work Also document usage of infra-rebuild and its configuration file. --- README.md | 20 ++++++++++++++++++++ deployment_configuration.json | 28 ++++++++++++++++++++++++++++ 2 files changed, 48 insertions(+) create mode 100644 README.md create mode 100644 deployment_configuration.json diff --git a/README.md b/README.md new file mode 100644 index 00000000..fff8bbf1 --- /dev/null +++ b/README.md @@ -0,0 +1,20 @@ +# nix-infra + +nix infrastructure configuration for CCCHH. + +For deployment we're using [infra-rebuild](https://git.hamburg.ccc.de/CCCHH/infra-rebuild). \ +To easily get a shell with `infra-rebuild` going, use the following command: + +``` +nix shell git+https://git.hamburg.ccc.de/CCCHH/infra-rebuild#infra-rebuild +``` + +After that you can simply run the following to deploy e.g. the git and matrix hosts: + +``` +infra-rebuild switch git matrix +``` + +By default infra-rebuild tries to use the FQDN from the nixosConfiguration of the host for deployment. +However to override individual parts of the deployment target, a [`deployment_configuration.json`](./deployment_configuration.json) can be used. +This is exactly what we're doing to set the default deployment user to `colmena-deploy` and have custom target hostnames for Chaosknoten hosts, since they don't have an FQDN defined in their nixosConfiguration. diff --git a/deployment_configuration.json b/deployment_configuration.json new file mode 100644 index 00000000..2cc3215d --- /dev/null +++ b/deployment_configuration.json 
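Review bot: `boot.binfmt.emulatedSystems = [ "aarch64-linux" ]` deserves a comment on its operational effect, since the file name only says "emulated systems": NixOS registers a QEMU user-mode emulator as a system-wide binfmt_misc handler, so aarch64 ELF files become directly executable for every user on the box and aarch64 builds run under emulation rather than natively. Suggested line above it: `# qemu-user binfmt handler so nix can build aarch64-linux derivations here; builds are emulated (slow) and the handler applies host-wide.`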
@@ -0,0 +1,28 @@ +{ + "default": { + "targetUser": "colmena-deploy" + }, + "hosts": { + "netbox": { + "targetHostname": "netbox-intern.hamburg.ccc.de" + }, + "matrix": { + "targetHostname": "matrix-intern.hamburg.ccc.de" + }, + "public-web-static": { + "targetHostname": "public-web-static-intern.hamburg.ccc.de" + }, + "git": { + "targetHostname": "git.hamburg.ccc.de" + }, + "forgejo-actions-runner": { + "targetHostname": "forgejo-actions-runner-intern.hamburg.ccc.de" + }, + "eh22-wiki": { + "targetHostname": "eh22-wiki-intern.hamburg.ccc.de" + }, + "nix-box-june": { + "targetHostname": "nix-box-june-intern.hamburg.ccc.de" + } + } +} From ef1710b09fdf739fc240e020ad9d295099a24206 Mon Sep 17 00:00:00 2001 From: June Date: Sat, 8 Jun 2024 20:18:59 +0200 Subject: [PATCH 052/170] Configure basic yate host --- config/hosts/yate/configuration.nix | 10 ++++++++++ config/hosts/yate/default.nix | 9 +++++++++ config/hosts/yate/networking.nix | 23 +++++++++++++++++++++++ config/hosts/yate/yate.nix | 10 ++++++++++ flake.nix | 9 +++++++++ 5 files changed, 61 insertions(+) create mode 100644 config/hosts/yate/configuration.nix create mode 100644 config/hosts/yate/default.nix create mode 100644 config/hosts/yate/networking.nix create mode 100644 config/hosts/yate/yate.nix diff --git a/config/hosts/yate/configuration.nix b/config/hosts/yate/configuration.nix new file mode 100644 index 00000000..6b4bb71d --- /dev/null +++ b/config/hosts/yate/configuration.nix @@ -0,0 +1,10 @@ +{ config, pkgs, ... }: + +{ + networking = { + hostName = "yate"; + domain = "z9.ccchh.net"; + }; + + system.stateVersion = "23.11"; +} diff --git a/config/hosts/yate/default.nix b/config/hosts/yate/default.nix new file mode 100644 index 00000000..62851d82 --- /dev/null +++ b/config/hosts/yate/default.nix @@ -0,0 +1,9 @@ +{ config, pkgs, ... }: + +{ + imports = [ + ./configuration.nix + ./networking.nix + ./yate.nix + ]; +} 
diff --git a/config/hosts/yate/networking.nix b/config/hosts/yate/networking.nix new file mode 100644 index 00000000..225edd28 --- /dev/null +++ b/config/hosts/yate/networking.nix @@ -0,0 +1,23 @@ +{ config, pkgs, ... }: + +{ + networking = { + interfaces.net0 = { + ipv4.addresses = [ + { + address = "10.31.208.12"; + prefixLength = 23; + } + ]; + }; + defaultGateway = "10.31.208.1"; + nameservers = [ + "10.31.210.1" + ]; + }; + + systemd.network.links."10-net0" = { + matchConfig.MACAddress = "BC:24:11:73:3E:F7"; + linkConfig.Name = "net0"; + }; +} diff --git a/config/hosts/yate/yate.nix b/config/hosts/yate/yate.nix new file mode 100644 index 00000000..7d4f8be4 --- /dev/null +++ b/config/hosts/yate/yate.nix @@ -0,0 +1,10 @@ +{ config, pkgs, ... }: + +{ + environment.systemPackages = [ + pkgs.yate + ]; + + # Just disable it for now. + networking.firewall.enable = false; +} diff --git a/flake.nix b/flake.nix index dd478201..8a8ebf7b 100644 --- a/flake.nix +++ b/flake.nix @@ -186,6 +186,15 @@ ./config/hosts/nix-box-june ]; }; + + yate = nixpkgs.lib.nixosSystem { + inherit system; + modules = [ + ./config/common + ./config/proxmox-vm + ./config/hosts/yate + ]; + }; }; packages.x86_64-linux = { From 579b63fe8999418852a6d87b5e7926fe3c187903 Mon Sep 17 00:00:00 2001 From: c6ristian Date: Sat, 8 Jun 2024 21:39:24 +0200 Subject: [PATCH 053/170] Update authorizedKeysRepo rev in common/users.nix to add echtnurich secondary device key --- config/common/users.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/common/users.nix b/config/common/users.nix index c36e20a9..ab299043 100644 --- a/config/common/users.nix +++ b/config/common/users.nix 
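Review bot: `networking.firewall.enable = false;` in `yate.nix` switches the host firewall off entirely for a telephony box that `networking.nix` in this same commit places on the 10.31.208.0/23 network, and `# Just disable it for now.` gives neither a reason nor a follow-up. The usual shape is to keep the firewall on and open only what yate needs through `networking.firewall.allowedTCPPorts` / `allowedUDPPorts` once the signalling and media port set is known; the `mqtt` host later in this series does exactly that with `allowedTCPPorts = [ 1883 ]`. If it must stay off during bring-up, say so and track it, e.g. `# TODO: re-enable once the SIP/RTP port set is known; disabled only for initial bring-up.`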
@@ -12,7 +12,7 @@ let authorizedKeysRepo = builtins.fetchGit { url = "forgejo@git.hamburg.ccc.de:CCCHH/infrastructure-authorized-keys.git"; ref = "trunk"; - rev = "0db6df46b68c07edbefe2a5f9ce4002fb6462980"; + rev = "da9d3ead9d97ce0fef7538638326264957e2f1b4"; }; authorizedKeys = builtins.filter (item: item != "") (lib.strings.splitString "\n" (builtins.readFile "${authorizedKeysRepo}/authorized_keys")); in From 06e52eed74eff22659c8b972e0d4bbc4b9eeb9de Mon Sep 17 00:00:00 2001 From: June Date: Sun, 9 Jun 2024 21:08:52 +0200 Subject: [PATCH 054/170] Document how to use sops and sops-nix --- README.md | 43 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 43 insertions(+) diff --git a/README.md b/README.md index fff8bbf1..c89b5493 100644 --- a/README.md +++ b/README.md 
@@ -18,3 +18,46 @@ infra-rebuild switch git matrix By default infra-rebuild tries to use the FQDN from the nixosConfiguration of the host for deployment. However to override individual parts of the deployment target, a [`deployment_configuration.json`](./deployment_configuration.json) can be used. This is exactly what we're doing to set the default deployment user to `colmena-deploy` and have custom target hostnames for Chaosknoten hosts, since they don't have an FQDN defined in their nixosConfiguration. + +## Setting up secrets with sops-nix for a host + +1. Convert the hosts SSH host public key to an age public key. + This can be done by connecting to the host and running: + ``` + cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age + ``` +2. Add the resulting age public key to the `.sops.yaml` as a YAML anchor in keys. + It should be named something like: `host_age_hostname` +3. Add a new creation rule for the hosts config directory. + It should probably have all admin keys and the hosts age key. \ + You can use existing creation rules as a reference. +4. Create a file containing the relevant secrets in the hosts config directory. + This can be accomplished with a command similar to this: + ``` + sops config/hosts/hostname/secrets.yaml + ``` + Note: Nested keys don't seem to be compatible with sops-nix. +5. Add the following entry to the modules of the hosts `nixosConfiguration`: + ``` + sops-nix.nixosModules.sops + ``` +6. Create a `sops.nix` in the hosts config directory containing the following content to include the `secrets.yaml`: + ``` + { ... }: + + { + sops = { + defaultSopsFile = ./secrets.yaml; + }; + } + ``` +7. Make sure the `sops.nix` gets imported. For example in the `default.nix`. +8. To use a secret stored under e.g. 
`forgejo_git_smtp_password`, you can then do something like the following: + ``` + sops.secrets."forgejo_git_smtp_password" = { + mode = "0440"; + owner = "forgejo"; + group = "forgejo"; + restartUnits = [ "forgejo.service" ]; + }; + ``` From bc98327cda900346961236b050243abe7c39af33 Mon Sep 17 00:00:00 2001 From: June Date: Sun, 9 Jun 2024 21:09:37 +0200 Subject: [PATCH 055/170] Add ssh-to-age to the admin tooling --- config/common/admin-environment.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/config/common/admin-environment.nix b/config/common/admin-environment.nix index 80fc2bff..5af74542 100644 --- a/config/common/admin-environment.nix +++ b/config/common/admin-environment.nix @@ -13,6 +13,7 @@ git curl rsync + ssh-to-age usbutils nix-tree # For kitty terminfo. From 22eff9248873b91bcffdd5a0732a8f607ce1be90 Mon Sep 17 00:00:00 2001 From: echtnurich Date: Sat, 8 Jun 2024 22:18:23 +0200 Subject: [PATCH 056/170] add yate service for autostart --- config/hosts/yate/default.nix | 1 + config/hosts/yate/service.nix | 21 +++++++++++++++++++++ config/hosts/yate/yate.nix | 3 +++ 3 files changed, 25 insertions(+) create mode 100644 config/hosts/yate/service.nix diff --git a/config/hosts/yate/default.nix b/config/hosts/yate/default.nix index 62851d82..5304abd5 100644 --- a/config/hosts/yate/default.nix +++ b/config/hosts/yate/default.nix @@ -5,5 +5,6 @@ ./configuration.nix ./networking.nix ./yate.nix + ./service.nix ]; } diff --git a/config/hosts/yate/service.nix b/config/hosts/yate/service.nix new file mode 100644 index 00000000..e426a310 --- /dev/null +++ b/config/hosts/yate/service.nix 
@@ -0,0 +1,21 @@ +{ config, pkgs, ... }: + +{ + systemd.services.yate = { + enable = true; + description = "Yate telehony engine"; + unitConfig = { + Type = "simple"; + After="network.target"; + }; + serviceConfig = { + ExecStart = "${pkgs.yate}/bin/yate -c /yate -e /yate/share -Do"; + Type="simple"; + Restart="always"; + # ... + }; + wantedBy = [ "default.target" ]; + requiredBy = [ "network.target" ]; + # ... + }; +} diff --git a/config/hosts/yate/yate.nix b/config/hosts/yate/yate.nix index 7d4f8be4..c4834bbd 100644 --- a/config/hosts/yate/yate.nix +++ b/config/hosts/yate/yate.nix @@ -3,6 +3,9 @@ { environment.systemPackages = [ pkgs.yate + pkgs.git + pkgs.tcpdump + pkgs.tmux ]; # Just disable it for now. From d08007fd1cef3c13dd6e692d939d3be4fc7e2e27 Mon Sep 17 00:00:00 2001 From: June Date: Sun, 9 Jun 2024 21:15:14 +0200 Subject: [PATCH 057/170] Document where a secret is then actually available on the host --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index c89b5493..52a25e61 100644 --- a/README.md +++ b/README.md @@ -61,3 +61,4 @@ This is exactly what we're doing to set the default deployment user to `colmena- restartUnits = [ "forgejo.service" ]; }; ``` + This secret would then be available under `/run/secrets/forgejo_git_smtp_password` on the host. From bb2f1e12526d0de0e1bf93a9a2e5d7896d49d070 Mon Sep 17 00:00:00 2001 From: June Date: Sun, 9 Jun 2024 21:24:42 +0200 Subject: [PATCH 058/170] Mark nix code blocks as containing nix code for syntax highlighting --- README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 52a25e61..b55e1f2f 100644 --- a/README.md +++ b/README.md 
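Review bot: `Type = "simple"` inside `unitConfig` lands in the `[Unit]` section, where systemd does not know the key and logs a warning; it belongs only in `serviceConfig`, where it already is. `requiredBy = [ "network.target" ]` is inverted as well: it makes `network.target` require this service while the unit orders itself `After="network.target"`, so a failing yate drags the network target down; the NixOS convention is `wantedBy = [ "multi-user.target" ]`. The daemon also runs as root reading its configuration from `/yate`, a path nothing in this commit creates, and `description` has a typo (`telehony`). A dedicated `User=`/`Group=` plus the usual `ProtectSystem`/`ProtectHome`/`NoNewPrivileges` settings would bound what a compromise of a network-facing telephony daemon can reach; the fence sketches the unit with those changes, leaving the account creation as a TODO since this file does not define one.
```nix
  systemd.services.yate = {
    enable = true;
    description = "Yate telephony engine";
    after = [ "network.target" ];
    wantedBy = [ "multi-user.target" ];
    serviceConfig = {
      Type = "simple";
      ExecStart = "${pkgs.yate}/bin/yate -c /yate -e /yate/share -Do";
      Restart = "always";
      # TODO(review): create a dedicated account and make /yate readable by it,
      # then set User = "yate"; Group = "yate";
      ProtectSystem = "full";
      ProtectHome = true;
      NoNewPrivileges = true;
      PrivateTmp = true;
    };
  };
```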
@@ -38,11 +38,11 @@ This is exactly what we're doing to set the default deployment user to `colmena- ``` Note: Nested keys don't seem to be compatible with sops-nix. 5. Add the following entry to the modules of the hosts `nixosConfiguration`: - ``` + ```nix sops-nix.nixosModules.sops ``` 6. Create a `sops.nix` in the hosts config directory containing the following content to include the `secrets.yaml`: - ``` + ```nix { ... }: { @@ -53,7 +53,7 @@ This is exactly what we're doing to set the default deployment user to `colmena- ``` 7. Make sure the `sops.nix` gets imported. For example in the `default.nix`. 8. To use a secret stored under e.g. `forgejo_git_smtp_password`, you can then do something like the following: - ``` + ```nix sops.secrets."forgejo_git_smtp_password" = { mode = "0440"; owner = "forgejo"; From 8a2d406d4e2f2ffe14ff8756fbf5d63c3e145933 Mon Sep 17 00:00:00 2001 From: fi Date: Sun, 9 Jun 2024 22:51:42 +0200 Subject: [PATCH 059/170] Bump element-web to 1.11.68 --- .../public-web-static/virtualHosts/element.hamburg.ccc.de.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/config/hosts/public-web-static/virtualHosts/element.hamburg.ccc.de.nix b/config/hosts/public-web-static/virtualHosts/element.hamburg.ccc.de.nix index 8a6c6292..0d7792b2 100644 --- a/config/hosts/public-web-static/virtualHosts/element.hamburg.ccc.de.nix +++ b/config/hosts/public-web-static/virtualHosts/element.hamburg.ccc.de.nix @@ -1,10 +1,10 @@ { pkgs, ... }: let - elementWebVersion = "1.11.59"; + elementWebVersion = "1.11.68"; element-web = pkgs.fetchzip { url = "https://github.com/vector-im/element-web/releases/download/v${elementWebVersion}/element-v${elementWebVersion}.tar.gz"; - sha256 = "sha256-iVTd5zWUJh9wkbKMh+5hq0ucQaLLY29w1xCLxDIdQ18="; + sha256 = "sha256-SsEvc+TWyJG6YPBcyQm9mqQVUegqIcspxSGuL3TzVeY="; }; elementSecurityHeaders = '' # Configuration best practices From b30952a049f9b809cfc764260bbf00d87806afa1 Mon Sep 17 00:00:00 2001 
From: c6ristian Date: Mon, 10 Jun 2024 15:38:48 +0200 Subject: [PATCH 060/170] Add mqtt server (mosquitto) The config was based on the exsisting mosquitto setup. --- config/hosts/mqtt/configuration.nix | 10 +++++++++ config/hosts/mqtt/default.nix | 9 ++++++++ config/hosts/mqtt/mosquitto.nix | 33 +++++++++++++++++++++++++++++ config/hosts/mqtt/networking.nix | 20 +++++++++++++++++ flake.nix | 9 ++++++++ 5 files changed, 81 insertions(+) create mode 100644 config/hosts/mqtt/configuration.nix create mode 100644 config/hosts/mqtt/default.nix create mode 100644 config/hosts/mqtt/mosquitto.nix create mode 100644 config/hosts/mqtt/networking.nix diff --git a/config/hosts/mqtt/configuration.nix b/config/hosts/mqtt/configuration.nix new file mode 100644 index 00000000..18d01849 --- /dev/null +++ b/config/hosts/mqtt/configuration.nix @@ -0,0 +1,10 @@ +{ ... }: + +{ + networking = { + hostName = "mqtt"; + domain = "z9.ccchh.net"; + }; + + system.stateVersion = "23.11"; +} \ No newline at end of file diff --git a/config/hosts/mqtt/default.nix b/config/hosts/mqtt/default.nix new file mode 100644 index 00000000..bb61c12e --- /dev/null +++ b/config/hosts/mqtt/default.nix @@ -0,0 +1,9 @@ +{ pkgs, ... }: + +{ + imports = [ + ./configuration.nix + ./networking.nix + ./mosquitto.nix + ]; +} \ No newline at end of file diff --git a/config/hosts/mqtt/mosquitto.nix b/config/hosts/mqtt/mosquitto.nix new file mode 100644 index 00000000..672c05da --- /dev/null +++ b/config/hosts/mqtt/mosquitto.nix 
@@ -0,0 +1,33 @@ +# Sources for this configuration: +# - https://search.nixos.org/options?sort=relevance&type=packages&query=services.mosquitto +# - https://mosquitto.org/man/mosquitto-conf-5.html +# - https://winkekatze24.de +{ ... }: + +{ + services.mosquitto = { + enable = true; + persistence = true; + + # set config for all listeners + listeners = [ { + settings.allow_anonymous = true; + omitPasswordAuth = true; + acl = ["topic readwrite #"]; + } ]; + + bridges.winkekatz = { + addresses = [ + { address = "mqtt.winkekatze24.de"; } + ]; + topics = [ + "winkekatze/allcats/eye/set in 2" + "winkekatze/allcats in 2" + "+/status out 2 winkekatze/ \"\"" + "+/connected out 2 winkekatze/ \"\"" + ]; + }; + }; + + networking.firewall.allowedTCPPorts = [ 1883 ]; +} \ No newline at end of file diff --git a/config/hosts/mqtt/networking.nix b/config/hosts/mqtt/networking.nix new file mode 100644 index 00000000..5bd66169 --- /dev/null +++ b/config/hosts/mqtt/networking.nix @@ -0,0 +1,20 @@ +{ ... }: + +{ + networking = { + interfaces.net0 = { + ipv4.addresses = [ { + address = "10.31.208.14"; + prefixLength = 23; + } ]; + }; + defaultGateway = "10.31.208.1"; + nameservers = [ + "10.31.210.1" + ]; + }; + systemd.network.links."10-net0" = { + matchConfig.MACAddress = "BC:24:11:48:85:73"; + linkConfig.Name = "net0"; + }; +} \ No newline at end of file diff --git a/flake.nix b/flake.nix index 8a8ebf7b..22bcdd77 100644 --- a/flake.nix +++ b/flake.nix @@ -195,6 +195,15 @@ ./config/hosts/yate ]; }; + + mqtt = nixpkgs.lib.nixosSystem { + inherit system; + modules = [ + ./config/common + ./config/proxmox-vm + ./config/hosts/mqtt + ]; + }; }; packages.x86_64-linux = { From 6411ae8b80bfd2d1d0aa59082c75ef61648451c3 Mon Sep 17 00:00:00 2001 
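Review bot: The single listener in `mosquitto.nix` combines `settings.allow_anonymous = true`, `omitPasswordAuth = true` and `acl = ["topic readwrite #"]`, and `networking.firewall.allowedTCPPorts = [ 1883 ]` exposes it, so anyone who can reach the host can publish and subscribe to every topic, including the `+/status` and `+/connected` topics the `winkekatz` bridge relays out to `mqtt.winkekatze24.de`; with no `address` set the listener presumably binds on all interfaces — confirm. If that openness is intended for devices in the space network, state it in the header comment (`# Intentionally anonymous read/write for devices in the space network; nothing sensitive is expected on this broker.`) so the next reader does not treat it as an oversight; otherwise bind the listener to the internal address and give writers password-authenticated users, keeping the anonymous ACL read-only. The bridge carries no TLS settings, which is acceptable only for data that may be observed in transit.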
From: June Date: Thu, 13 Jun 2024 22:53:06 +0200 Subject: [PATCH 061/170] Add hacker.tours and a staging env. similar to the CCCHH website one --- .../virtualHosts/default.nix | 2 + .../virtualHosts/hacker.tours.nix | 63 +++++++++++++++++++ .../virtualHosts/staging.hacker.tours.nix | 60 ++++++++++++++++++ 3 files changed, 125 insertions(+) create mode 100644 config/hosts/public-web-static/virtualHosts/hacker.tours.nix create mode 100644 config/hosts/public-web-static/virtualHosts/staging.hacker.tours.nix diff --git a/config/hosts/public-web-static/virtualHosts/default.nix b/config/hosts/public-web-static/virtualHosts/default.nix index 3678a965..c78cf8b7 100644 --- a/config/hosts/public-web-static/virtualHosts/default.nix +++ b/config/hosts/public-web-static/virtualHosts/default.nix @@ -5,8 +5,10 @@ ./branding-resources.hamburg.ccc.de.nix ./c3cat.de.nix ./element.hamburg.ccc.de.nix + ./hacker.tours.nix ./hamburg.ccc.de.nix ./spaceapi.hamburg.ccc.de.nix + ./staging.hacker.tours.nix ./staging.hamburg.ccc.de.nix ./www.hamburg.ccc.de.nix ./historic-easterhegg diff --git a/config/hosts/public-web-static/virtualHosts/hacker.tours.nix b/config/hosts/public-web-static/virtualHosts/hacker.tours.nix new file mode 100644 index 00000000..7eaa0866 --- /dev/null +++ b/config/hosts/public-web-static/virtualHosts/hacker.tours.nix 
@@ -0,0 +1,63 @@
+{ pkgs, ... }:
+
+let
+ domain = "hacker.tours";
+ dataDir = "/var/www/${domain}";
+ deployUser = "hackertours-website-deploy";
+in {
+ services.nginx.virtualHosts = {
+ "acme-${domain}" = {
+ enableACME = true;
+ serverName = "${domain}";
+
+ listen = [
+ {
+ addr = "0.0.0.0";
+ port = 31820;
+ }
+ ];
+ };
+
+ "${domain}" = {
+ forceSSL = true;
+ useACMEHost = "${domain}";
+
+ listen = [
+ {
+ addr = "0.0.0.0";
+ port = 8443;
+ ssl = true;
+ proxyProtocol = true;
+ }
+ ];
+
+ root = "${dataDir}";
+
+ extraConfig = ''
+ # Make use of the ngx_http_realip_module to set the $remote_addr and
+ # $remote_port to the client address and client port, when using proxy
+ # protocol.
+ # First set our proxy protocol proxy as trusted.
+ set_real_ip_from 172.31.17.140;
+ # Then tell the realip_module to get the addreses from the proxy protocol
+ # header.
+ real_ip_header proxy_protocol;
+
+ error_page 404 /404.html;
+ '';
+ };
+ };
+
+ systemd.tmpfiles.rules = [
+ "d ${dataDir} 0755 ${deployUser} ${deployUser}"
+ ];
+
+ users.users."${deployUser}" = {
+ isNormalUser = true;
+ group = "${deployUser}";
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOrDTANfPMkcf+V7zkypzaeX2fxkfStPHmZKqC29xyqy deploy key for hacker.tours"
+ ];
+ };
+ users.groups."${deployUser}" = { };
+}
diff --git a/config/hosts/public-web-static/virtualHosts/staging.hacker.tours.nix b/config/hosts/public-web-static/virtualHosts/staging.hacker.tours.nix
new file mode 100644
index 00000000..382f1b6c
--- /dev/null
+++ b/config/hosts/public-web-static/virtualHosts/staging.hacker.tours.nix
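Review bot: `users.users."${deployUser}"` is created with `isNormalUser = true`, which gives the deploy key an interactive shell and a home directory, while all this file needs it to do is own `${dataDir}` via the tmpfiles rule. For an upload-only account the authorized key can carry OpenSSH's `restrict` option (and a forced `command=` matching the upload mechanism) so a leaked key cannot open a shell or forward ports; whichever choice is made, a comment beside the key stating what the account may do would help. The staging vhost added in this same commit reuses this user and relies on this file being imported, which is also worth a comment here so the account is not removed by accident.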
@@ -0,0 +1,60 @@
+{ pkgs, ... }:
+
+let
+ domain = "staging.hacker.tours";
+ dataDir = "/var/www/${domain}";
+ deployUser = "hackertours-website-deploy";
+in {
+ services.nginx.virtualHosts = {
+ "acme-${domain}" = {
+ enableACME = true;
+ serverName = "${domain}";
+
+ listen = [
+ {
+ addr = "0.0.0.0";
+ port = 31820;
+ }
+ ];
+ };
+
+ "${domain}" = {
+ forceSSL = true;
+ useACMEHost = "${domain}";
+
+ listen = [
+ {
+ addr = "0.0.0.0";
+ port = 8443;
+ ssl = true;
+ proxyProtocol = true;
+ }
+ ];
+
+ root = "${dataDir}";
+
+ # Disallow *, since this is staging and doesn't need to be in any search
+ # results.
+ locations."/robots.txt" = {
+ return = "200 \"User-agent: *\\nDisallow: *\\n\"";
+ };
+
+ extraConfig = ''
+ # Make use of the ngx_http_realip_module to set the $remote_addr and
+ # $remote_port to the client address and client port, when using proxy
+ # protocol.
+ # First set our proxy protocol proxy as trusted.
+ set_real_ip_from 172.31.17.140;
+ # Then tell the realip_module to get the addreses from the proxy protocol
+ # header.
+ real_ip_header proxy_protocol;
+ '';
+ };
+ };
+
+ systemd.tmpfiles.rules = [
+ "d ${dataDir} 0755 ${deployUser} ${deployUser}"
+ ];
+
+ # Hackertours deploy user already defined in hacker.tours.nix.
+}
From 33599951ef0cb9f16eafe011318c5db75c6818bc Mon Sep 17 00:00:00 2001
From: June
Date: Mon, 17 Jun 2024 20:59:03 +0200
Subject: [PATCH 062/170] Upgrade to NixOS 24.05
Also bump the default state version to 24.05. See the release notes of the 24.05 release for more information: https://nixos.org/manual/nixos/stable/release-notes#sec-release-24.05
---
 config/common/default-state-version.nix | 2 +-
 flake.lock | 8 ++++----
 flake.nix | 2 +-
 3 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/config/common/default-state-version.nix b/config/common/default-state-version.nix
index 090e729e..a3343c78 100644
--- a/config/common/default-state-version.nix
+++ b/config/common/default-state-version.nix
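Review bot: The robots.txt body returned by the `locations."/robots.txt"` block uses `Disallow: *`, which is not the standard way to exclude everything: the robots exclusion syntax matches path prefixes, so `Disallow: /` is the form every crawler understands, i.e. `return = "200 \"User-agent: *\\nDisallow: /\\n\"";`, and the comment above it should say the same. The staging host also reuses the production deploy user `hackertours-website-deploy`, so the same SSH key can write to both `/var/www/hacker.tours` and `/var/www/staging.hacker.tours`; if staging deploys are meant to be less trusted than production ones, give staging its own user, otherwise extend the existing "already defined in hacker.tours.nix" comment to state that sharing the credential is intentional. The `return` directive sets no Content-Type for the body, so it is worth checking what nginx's `default_type` produces for this location.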
@@ -13,5 +13,5 @@
 # this value at the release version of the first install of this system.
 # Before changing this value read the documentation for this option
 # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
- system.stateVersion = lib.mkDefault "23.05";
+ system.stateVersion = lib.mkDefault "24.05";
 }
diff --git a/flake.lock b/flake.lock
index 9d527039..4e5ec23f 100644
--- a/flake.lock
+++ b/flake.lock
@@ -38,16 +38,16 @@
 },
 "nixpkgs": {
 "locked": {
- "lastModified": 1716408408,
- "narHash": "sha256-e4pjcLqe1Dexz7enk/+ui0aVdcoSiWnrTGjk7KLtAPw=",
+ "lastModified": 1718543618,
+ "narHash": "sha256-/VAxV/4lvtOtq4Zxq0MrqTGj7g8aSR/eJQDXB37ozvs=",
 "owner": "nixos",
 "repo": "nixpkgs",
- "rev": "dff68ababdd2c2616d03f26546ba632f5f09d3c6",
+ "rev": "de0ae76b011bf0000d58ab71821199ce310128b2",
 "type": "github"
 },
 "original": {
 "owner": "nixos",
- "ref": "nixos-23.11-small",
+ "ref": "nixos-24.05-small",
 "repo": "nixpkgs",
 "type": "github"
 }
diff --git a/flake.nix b/flake.nix
index 22bcdd77..26bd5211 100644
--- a/flake.nix
+++ b/flake.nix
@@ -5,7 +5,7 @@
 # Use the NixOS small channels for nixpkgs.
 # https://nixos.org/manual/nixos/stable/#sec-upgrading
 # https://github.com/NixOS/nixpkgs
- nixpkgs.url = "github:nixos/nixpkgs/nixos-23.11-small";
+ nixpkgs.url = "github:nixos/nixpkgs/nixos-24.05-small";
 nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable-small";

 # Add nixos-generators as an input.
From f3f5d5a6116fda1e69182a2ed3a342b06dc328fc Mon Sep 17 00:00:00 2001
From: June
Date: Thu, 20 Jun 2024 04:12:42 +0200
Subject: [PATCH 063/170] Use forgejo package from stable (24.05) instead of from unstable
---
 config/hosts/git/forgejo.nix | 1 -
 flake.nix | 3 ---
 2 files changed, 4 deletions(-)
diff --git a/config/hosts/git/forgejo.nix b/config/hosts/git/forgejo.nix
index ced70db7..bb7099f0 100644
--- a/config/hosts/git/forgejo.nix
+++ b/config/hosts/git/forgejo.nix
@@ -12,7 +12,6 @@
 {
 services.forgejo = {
 enable = true;
- package = pkgs-unstable.forgejo;
 database.type = "postgres";
 mailerPasswordFile = "/run/secrets/forgejo_git_smtp_password";
diff --git a/flake.nix b/flake.nix
index 26bd5211..eb9d2364 100644
--- a/flake.nix
+++ b/flake.nix
@@ -145,9 +145,6 @@
 sops-nix.nixosModules.sops
 ./config/hosts/git
 ];
- specialArgs = {
- inherit pkgs-unstable;
- };
 };

 forgejo-actions-runner = nixpkgs.lib.nixosSystem {
From 3059843e1ab07ede862dd630c1e0e3badf41b281 Mon Sep 17 00:00:00 2001
From: June
Date: Thu, 20 Jun 2024 23:45:44 +0200
Subject: [PATCH 064/170] Add mjolnir host running mjolnir for Matrix moderation
Also see: https://wiki.hamburg.ccc.de/infrastructure:services:mjolnir
---
 .sops.yaml | 17 ++
 config/hosts/mjolnir/configuration.nix | 9 +
 config/hosts/mjolnir/default.nix | 10 ++
 config/hosts/mjolnir/mjolnir.nix | 28 +++
 config/hosts/mjolnir/networking.nix | 20 +++
 config/hosts/mjolnir/secrets.yaml | 233 +++++++++++++++++++++++++
 config/hosts/mjolnir/sops.nix | 7 +
 deployment_configuration.json | 3 +
 flake.nix | 10 ++
 9 files changed, 337 insertions(+)
 create mode 100644 config/hosts/mjolnir/configuration.nix
 create mode 100644 config/hosts/mjolnir/default.nix
 create mode 100644 config/hosts/mjolnir/mjolnir.nix
 create mode 100644 config/hosts/mjolnir/networking.nix
 create mode 100644 config/hosts/mjolnir/secrets.yaml
 create mode 100644 config/hosts/mjolnir/sops.nix
diff --git a/.sops.yaml b/.sops.yaml
index c42474ee..1705da9e 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -15,6 +15,7 @@ keys:
 - &host_age_matrix age1f7ams0n2zy994pzt0u30h8tex6xdcernj59t4d70z4kjsyzrr3wsy87xzk
 - &host_age_netbox age13fqs76z2vl5l84dvmmlqjj5xkfsfe85xls8uueul7re9j3ksjs0sw2xc9e
 - &host_age_public_web_static age19s7r8sf7j6zk24x9vumawgxpd2q8epyv7p9qsjntw7v9s3v045mqhmsfp0
+ - &host_age_mjolnir age1ej52kwuj8xraxdq685eejj4dmxpfmpgt4d8jka98rtpal6xcueqq9a6wae
 creation_rules:
 - path_regex: config/hosts/git/.*
 key_groups:
@@ -96,6 +97,22 @@ creation_rules:
 - *admin_gpg_dante
 age:
 - *host_age_public_web_static
+ - path_regex: config/hosts/mjolnir/.*
+ key_groups:
+ - pgp:
+ - *admin_gpg_djerun
+ - *admin_gpg_stb
+ - *admin_gpg_jtbx
+ - *admin_gpg_yuri
+ - *admin_gpg_june
+ - *admin_gpg_haegar
+ - *admin_gpg_dario
+ - *admin_gpg_echtnurich
+ - *admin_gpg_max
+ - *admin_gpg_c6ristian
+ - *admin_gpg_dante
+ age:
+ - *host_age_mjolnir
 - key_groups:
 - pgp:
 - *admin_gpg_djerun
diff --git a/config/hosts/mjolnir/configuration.nix b/config/hosts/mjolnir/configuration.nix
new file mode 100644
index 00000000..869c3ded
--- /dev/null
+++ b/config/hosts/mjolnir/configuration.nix
@@ -0,0 +1,9 @@
+{ ... }:
+
+{
+ networking = {
+ hostName = "mjolnir";
+ };
+
+ system.stateVersion = "24.05";
+}
diff --git a/config/hosts/mjolnir/default.nix b/config/hosts/mjolnir/default.nix
new file mode 100644
index 00000000..7dca51b1
--- /dev/null
+++ b/config/hosts/mjolnir/default.nix
@@ -0,0 +1,10 @@
+{ ... }:
+
+{
+ imports = [
+ ./configuration.nix
+ ./mjolnir.nix
+ ./networking.nix
+ ./sops.nix
+ ];
+}
diff --git a/config/hosts/mjolnir/mjolnir.nix b/config/hosts/mjolnir/mjolnir.nix
new file mode 100644
index 00000000..49b196d1
--- /dev/null
+++ b/config/hosts/mjolnir/mjolnir.nix
@@ -0,0 +1,28 @@
+# Sources for this configuration:
+# - https://github.com/matrix-org/mjolnir/blob/main/docs/setup.md
+# - https://github.com/matrix-org/mjolnir/blob/main/config/default.yaml
+
+{ ... }:
+
+{
+ services.mjolnir = {
+ enable = true;
+ homeserverUrl = "https://matrix.hamburg.ccc.de";
+ managementRoom = "#moderation-management:hamburg.ccc.de";
+ pantalaimon = {
+ enable = true;
+ username = "moderation";
+ passwordFile = "/run/secrets/matrix_moderation_user_password";
+ options = {
+ ssl = true;
+ };
+ };
+ };
+
+ sops.secrets."matrix_moderation_user_password" = {
+ mode = "0440";
+ owner = "mjolnir";
+ group = "mjolnir";
+ restartUnits = [ "mjolnir.service" ];
+ };
+}
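Review bot: The new mjolnir creation rule in .sops.yaml repeats the same eleven `*admin_gpg_*` aliases that the neighbouring rules already carry, so adding or rotating an admin key means editing every rule by hand and it is easy to leave one host behind. YAML allows anchoring the whole sequence once, e.g. `pgp: &admin_pgp` on the first rule and `pgp: *admin_pgp` on the others, and the existing `*host_age_*` references suggest sops resolves aliases in this file, though that should be confirmed with a test encryption. The woodpecker rule added in the later patch duplicates the list a further time.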
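Review bot: `passwordFile` in mjolnir.nix hardcodes `/run/secrets/matrix_moderation_user_password` although the same module declares that secret via `sops.secrets`, so the two can drift if the secret is renamed or sops-nix's secret directory is changed. Taking `config` in the module arguments and writing `passwordFile = config.sops.secrets."matrix_moderation_user_password".path;` keeps the path derived from the declaration. A one-line comment above `mode = "0440"` saying why the group needs read access (presumably pantalaimon runs under the mjolnir group; confirm) would document the choice over `0400`.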
diff --git a/config/hosts/mjolnir/networking.nix b/config/hosts/mjolnir/networking.nix
new file mode 100644
index 00000000..04559f77
--- /dev/null
+++ b/config/hosts/mjolnir/networking.nix
@@ -0,0 +1,20 @@
+{ ... }:
+
+{
+ networking.interfaces.net0 = {
+ ipv4.addresses = [
+ {
+ address = "172.31.17.161";
+ prefixLength = 25;
+ }
+ ];
+ };
+ networking.defaultGateway = "172.31.17.129";
+ networking.nameservers = [ "212.12.50.158" "192.76.134.90" ];
+ networking.search = [ "hamburg.ccc.de" ];
+
+ systemd.network.links."10-net0" = {
+ matchConfig.MACAddress = "BC:24:11:C9:F8:C5";
+ linkConfig.Name = "net0";
+ };
+}
diff --git a/config/hosts/mjolnir/secrets.yaml b/config/hosts/mjolnir/secrets.yaml
new file mode 100644
index 00000000..0aaa2f79
--- /dev/null
+++ b/config/hosts/mjolnir/secrets.yaml
@@ -0,0 +1,233 @@ +matrix_moderation_user_password: ENC[AES256_GCM,data:NXJrbRh0A+NQh6Jy9iVAfYhsGR1BSOSuk1LjmArSiVF6jnuJAP9f750cRP7bu7Ai8xgxTlhjAtv9ck6SqlJ6Vw==,iv:IN/siIPCFKE+Nfl/aogYRYAHVgEGhMtTbmEZKZWQYgM=,tag:xxlnl5GU+uusSeh1OvoU1g==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1ej52kwuj8xraxdq685eejj4dmxpfmpgt4d8jka98rtpal6xcueqq9a6wae + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZTEhUMThoY3Nuc253NnBX + ZkplNmRzOGZFNWlQNDVpL08yRk5VTHZDUkZNCnIxMUJoUHJBYlJpbUViMW9GUmhR + V1F6SWh2NjRGWk9RWjMycGZYZXFZbkkKLS0tIE5MNk0xekwxY0NYYm9mc1ZGZFlH + NDN2dUpuQWFFMTZQRzFIS0ZieTRzQm8KUDRpPJwcWwePKMp6KQMnQLhqqyvuhgQh + rXpKW5fjxyT0Sh2u3FM2ET/9U0TUfpBVYBJojAJBFs1ntI8kFmqSYg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-06-20T20:02:16Z" + mac: ENC[AES256_GCM,data:5BhSo3YpF3QNqgGnx6YnymaEQB6pchMhokaJqk4rHg22xhbUAzOhWg4BQepT7vrCQlfOZIq4o//dGO+NQxqliiyyywrSYm3CBWD4xfZ9cdfinHC7Pc9lj6Dd4uPNxRjgTRNFuMyC+ATIABI2mHKpg+T2bxSalroIlvNr4vXWZo4=,iv:yPHJZ5PvI5zJlQIMRdbJ6eKGe1xN+teKF5GluD2pyK8=,tag:s4hO9RCdkHDsQ1W+KfXq7A==,type:str] + pgp: + - created_at: "2024-06-20T20:01:32Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAxK/JaB2/SdtAQ//Y/GVthqtuK7bY8Ne5CNfn/CD1RUTdX1+KwX1zy3YsgUC + CGxhoFFy1UoXR3QB4Hxnk8R/vaFVHezCWKWY45MAuPtwM1VGwjVsuknrJnSs8k7/ + jrzVO9xXgTd26H6DLmPVfH1hKB0/lh84hwVgF5rlPS/P7l92LL0hDIIwZz3dB0kU + d6jLa1Fajqd4MSdLWbZRBPcioC5v1Ip/SXYAJp7IGLDgXm5MN+MnAdybAFsl1K5p + dCUmGqK5IjyPVP564TqL0ZEIXMxSSwex47in3cTYPaOO0L8P3kbKDNWxZQLaqZkn + 4RZC4/aBqlfD2STxMez/ksi6kCcPuC7UPRzuq4oH3kOcJHxwIN8Df+DZYA4PJKsl + T9QDL1EylHBhsPIZCoxpmnGl3j+hVmONj2V1awlCaOagbgDlClEUEMyw7QCVVbtK + CW4DOgVnnTxcUaLHep8BgHxKkYjIDIbDMmg315h2ekT86gGgZavL8IiFTWSLzSrK + XChIjUdjpKZhanmSWpj4w8ZpdGOOjernL2EBWtSC23AibBZmQe9OB/QzMpLTdCvV + 9t9mMoSayP61oJylBtOKhDnEW0Xib0U7tqzwpaow2V+CU2dr27qie1jh5GqMaoJR + qpu1KT3Z9eqpF3Dl8aI3dEovbmvDMVXErU3pmFu2zRJtm6TOXp4NNOYWCetUfxPU + 
aAEJAhCFerTI/ow/LWkCQ78cCMFjgKrYabA3lHu11Mr/PiHirwJ/vCmsUMiOhdRw + 49lsyqJlO3IA79yW4exG5tYXvPgeJMTdz36fseUEKsewfrPEqMUa2T4onet2+GN6 + GALPdepytjg+ + =v+qv + -----END PGP MESSAGE----- + fp: EF643F59E008414882232C78FFA8331EEB7D6B70 + - created_at: "2024-06-20T20:01:32Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQILA6EyPtWBEI+2AQ/2L7fbbhBH3BfgD7IbgtVn+nEhNJw5tWR2+0z1k72TIr9j + rPAvV6NQY8oVV2+uNLa4fMl+ueqYTFd3/E4IsRXkmexjx+vos27LjDNSu6w0OPJU + BSq5TFqZWYIPiWaivQz4+rt+vbxvpv4Lh3FAXlV9YubprJ4GRrlwyheve/l3F0BN + 3vCDLsfXijZjxaptb9nf7WiT9vvWrY0sD4g71ARZdWi7Lb+TgCxzbQMue+4VC0Zu + y/AWIymVo13BD+apoYltVYYvkn7yz3REzsx3NN4bkJyoCAevr6UeO2fGvlT7b7eG + F7CN/TusFlOqWV9M0VbiOGLfL7Q9tGAG3xDAyFh+yMQNadp0M3m9UiYUlHps5DRT + CVsIPnPUr3V/oycRm3s+UeVyBg3rpdzWyNtETOjNY/AqVmRQ0toqZOm//ZOg609U + 6+EX1Oc/GosfNoHWJuFmfKJRhPpy2gXZX2rQuLWaVJUXzzKM5sbLnycCV03S24PU + Fi7Z5lIu334QTLG8PV6agO5UprZb946qPmW+b/QnUol23XXcgh1GIgMV+lEK8+83 + UPT0aUkdtOTaKbWUg5xokx+0Ni9syJ4Nl7naQq57qOGiecMnBbeE3TYxaNOcjTBh + CY0/hdcrZYH6VPeDye4yghSDF9WCaNUvzZNePGzdqKK3F9O/NmBSiYd/cToyDdJe + AZMZCKxSw0/HyBqTRd3wC/VhC9uO2I4HWE3LuqBPUXYFWc4W1buJs+P8pFjqT5rZ + puHPH8IxIeIiVNO5SFhdL8ecSu/nawakvih65aMGSa102e6B2HfP6tD4SmarmA== + =tr5G + -----END PGP MESSAGE----- + fp: F155144FC925A1BEA1F8A2C59A2A4CD59BFDC5EC + - created_at: "2024-06-20T20:01:32Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAz5uSgHG2iMJARAA02rGmKxyQkvxoXM1i2dLOiH6Gw/pUcdDxYSwKfdkNU3X + zc0He4FNG8CAURVq5jARD066VecamkBmlr+rwFJlaeqDPEiITfkz7DEGO8pPxKG0 + GBnFVA9r/+OU351yLjHYB+72jvw1ey0PPHvKg6/sKjovssYvQLipUcktH33kPqVQ + yJzuQWFMWA7Jn/wTa/TP/53o0e//Kw9df69J3BSmnw9F6rKHGsIXLBmyR9HpQsLR + KAuClMzjPqHszCICND7vUDEzUvCcOVyizZAcRzWfDi/llwKGUanvEGUVXvyDXw/E + Q/FyR+VJXCzRlhsFTTuavjy6nhDsRf/N8N0Vsd9euDXOPQ4wuPAgpvdi58CPBmzP + 8jU3xpFSXStYBIMt5u7t+UJT4IwdbjnClyIrSuyaV/7N5UQdYTv0fBy1mRrYLBAj + VhlRDa1y79n22Kg8mvDqJ16rC3VypkkQ6DaPvyDwlrG8iRLG/xi3Zz8HHnXxAGAm + SzliIolwEDHJZHI9ZE3YzpFJkB6UyOpXS1zMsDycupFvQ4jd2fQ0C7w5OaJHCkeQ + 
3zTKgtufjJGo7R2Nf0bTWTfi85GU3jpMsOHCEcChgBVXcO32ZZ/zzmqtXa/u3m5v + sjUstyBXEmG9eyIaiEtRAMAblwRsJPMszLaCUuBpzQw+mm9uTCsIaf5Xdud7GFzS + XgH+whlmbv/UeUC7bo65uxrG8SgTVAaPZpcQ2dP3rXYs45zYmYGKJaZuW+Hrl+nZ + pd6zT6rb6R8TMmXkNA1TjhvZ/A+ONlza1fH0dmsh7U9oqINXNFJU7Qm2r7imFvg= + =ZIDr + -----END PGP MESSAGE----- + fp: 18DFCE01456DAB52EA38A6584EDC64F35FA1D6A5 + - created_at: "2024-06-20T20:01:32Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAw5vwmoEJHQ1AQ//f51KkC9oViW/0EA0TLdWgXa76ZXMeu4b3UhWaQvYDT9+ + 8wuWE+slGEWsRnFZ+pgWZoV3HIv2p+xisX2lmBvepOufaRh6cyNpQaZNl0kFtpBo + ShQ66SmkorunYyM+OIh3ceI4PC7ca4KsRKB8nWkA935NWssFN9zMlkVW6GjqzTft + 2JVJFL8GRlhIRMhJwSzp8zZ3XiYD0sB/2y+ffCMAOSCnDVcDjANyiSds6MPxfPy0 + /kaNTXuUI7H50tHQP6vzJ3q1mRpAhUTIxubnmBTdvAQz/kaD0qPt55z+Q0xSXsLa + yfb+Zd2g/2o+IFiCrwqcki5yX49Ol89l69JRyIWe1T2VtqBSUVIiiYreX5OnmWPQ + OjJ1mAn9tpIlVSHzlaONtmJEmAJ+n55rP0itBMs1CrIBiQleLaCbSWqp6q3RfaJr + gpXnfHQpsU7cKEDQeyvxmH8qgrSR9AVh/knyGOJy8LnJQ93aQpr3xr/2MiFPYiKz + dcSrxHesrfx2Zl7bNB5OZ7VZTWFSunZQUnOn3F3+7yaaT9ePsvWsyTKBOSGUiA7s + VMxT5+P8QM6UOC8KxJj/q1eAVrWvN7vYbCA25+SzbdTtr1RweOVHzNgqZH5/Q2ZY + fguwHlCGg5Q7UKYKBk4QJFg6oClDgzBYCFL76K4aymtR7rxKl4sJxWoug84oP6DS + XgEZvNS3xsY8Pxm0bAmor93Q08Mii1svnNZ74Eqmbo9GxBjHReIGKDDZ08SaPhbc + NJxAP2C2sRUda2R4GvsNYmXHzGYfFTrfe+AXqEV42ZSD9vHDJMCiX9JrY/r4uSM= + =+F4l + -----END PGP MESSAGE----- + fp: 87AB00D45D37C9E9167B5A5A333448678B60E505 + - created_at: "2024-06-20T20:01:32Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA4HMJd/cQYrVARAAq/cP9y/7kxSXDFOD/xhI/3RjGzIN5dyHlfrmEQWJ8J7z + ov0VfBCJp6gFht37dGWuLtWi1qqWRgN+9hiBnkj2zONoph0SRGP9uNfadBSzYSD4 + wvlOFrWeM9cswnk4i0q8Go+qdCC6U0g1szjirdifF7I9KdqKpOFwXzjnzsPTF42o + 9oFCP32esOYv++DfTBgrSv8/STublJYABcs+lzjvURqBsFvdz7PBphH66++yxt7v + bTTmu8O9WHC8/5QTfUzOBAfgyu4CwF3YLRZd81ERtzO/udNYgGO3bifofCfpv+nY + MMyCbGxoiAfBWcAHhka+8nMnBj0as+ln220O99N6zH1rTmqqDxRQkEiYek1MqEU1 + f319u3KqB6STWmZvjlwQ5AhwSLCLT2VpIJX4CpMClWlLb3E2rpZ+B1uBRMQQ3fMe + 
jSynatL2vXn3rKWzxIEIxA/BkVKQ8zXgOT9JyqyCZdHTvjEmWuQitILi7wKWJb7/ + qhTGEBoQbjIKP2Bpso286RKhS3erE0wqLeXXFb7e6bkEEHXa/jVHCZk8/qDcAAIB + 3eIb5SNnLxQwo07JlWdDPzCvqeC4fx5AWxXmHsKWI+91PA0jdNjcEPt2sxwAEQYq + LWBW6BL22Hqo/VOBXhM1T5mFKomqySLSrxTYeWXtJLZwh0aHbm6RyGGMjHpCiU3S + XgE8EQeKefLHoTixb1Rl/amIvtOUUcTtdqlyat9hhIdMl/7ZMesmNuD1ZsEzdCJd + 20/DgHzFE7WvZKrjt73GDETUjwLHZSl5fydQMgcNFgzU2mdV6nYNhF18gE/af74= + =UA8K + -----END PGP MESSAGE----- + fp: 91213ABAA73B0B73D3C02B5B4E5F372D17BBE67C + - created_at: "2024-06-20T20:01:32Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAxjNhCKPP69fAQ//RVzQX4Ua5XZHTIe7ffYiqMxy/KoJdbCxpgjbdD0sx2ou + zCB13t13UkLjLo5GkTE7kRGtyKOdhQ/7NUA7tOZ+rwWOq3NehOTLfU0wMkgT7tOh + byWwNHrY9VHz3ndFnya5nNcnrqILA1rEn32PnioNyWcU6832jyUWvtRqwF+JRrKr + yRJMvz4T8vmLwrxqarB1uqU0OVHXy8bq8d9/pVrAmk6+C/H5FINFlApD0dKYftd2 + phoTSA5WG8j1e0v5p4+r9cRHlYXFMinMMkpzD/JMyNB1WVZ9aGQxU7WiuYzuv1bh + PKN/LEgfh3ypI8W960NHv/OMRjVs/VxA+G3ml3Lw6acRnaLr++MhF2G7ZBTx8rgi + fjyF6m4XtacwIKYZ7SNt9eQewGI8VU30o8np33qb9KeOt7v8PrMH1G3X+bTLnJGw + VjxjvaBaePmPplYYS7xaPuUnzFNabDXTE8XCQpdJMy26ef77gaWr6TQwXbRlZXrx + S60EecMLwUj+daR0PkVBkCDxXkW8+0uPkt6EEn5rmPdMXoh4DUw+4A14t7yyUU50 + j3M9tv6DuYs/KhgZYfLe+6hVD7fY4lAs5Ge6QGLA/TljAatE3zpSZQK+b7C4HKJS + 3eRpcAt6CJFhXaCBwl4+gigrg3voX1ykh62oqY/4ecKbAiiVXLIrcflv9kx2Ht7S + XgEDhoIRIvXoOUy6j/qjp/OFxwu5y6MpBX4vHxlpL36daL2yShMkCYyY3ajea4eX + 9k7B9fpRu3sjbDTNr1heffI+5n/HKc8j9a52hzu5eF0e+v+vKY32uk1jlUhZdj4= + =R/pX + -----END PGP MESSAGE----- + fp: F38C9D4228FC6F674E322D9C3326D914EB9B8F55 + - created_at: "2024-06-20T20:01:32Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA1Hthzn+T1OoAQ/+OHZshi2zBfbVQ91WKLqei7bT4CZGiPxQsl7aogv8JkyL + D8p+VgIReMvq4F5QFaIsA8yqMSnjxfIi5bFd9SKjuhOKvuQjyh1rSsFb0t8ESuYi + fHBnVw4tDNfTEGQa9YhNJPTq60TwR4P2xYFEgc//AQqfs9XH0cTbvkFS9dkug092 + u4yJfB2aZEJa0Eh0AenUYzP13bFH0sJwL1hQop1v9gF44JeKHpRNd0Yixlp0Yucs + Ccww+WaNFVQ4+zvyW7MnI8/D27/SQGRXXqQE6sOQlsg5SUzF2vIpYbIeuu1NR5WK + 
v1ZB0DlWVuOshIB7M9WUCZcAS5cMAWKc1vvZ/K0l+6tNskZvGE4p/lv1bmZ5zfc3 + gT/2L6ENuoKW7RoF071SsG9Xn7VJync+iNTtg0m7Je7HRAZAGGc8vfIkrTXAmoIE + QkGuog0R+EZxq9L1WMbppV/bnbBxiutFxwWOGTxzsn+DksVrVLvyI/EbHJvcEwzN + hISPFmAiCEKzGAGfaO24F5Xcs+U6AgumS5V5kwY6zA/kZpJEdQm38rcC12ZpXR9C + oHGs9ACtgf+g8H3/Ks5DL48FTbYuZADamVA5+pV97B7xCS8TxYChuFNPLwU2s52G + liiZV9NevlFlbsXFZS/EWgR8b0aH9Nhjl5TAPOajBOu0Nm/83XEP9nbbbjJjGRHS + XgHop/OMkJRuZZ35JQjUS6dIBzSivqplpr51wHbyilxbvOHdvuu6w9kqGY9VhuVt + nCszg+IQ0SM8YFuu1M5UPO4txYQTHx8zO5SD/d8kh5HEu9fmTNyJXblRcyAzYZc= + =TxDz + -----END PGP MESSAGE----- + fp: 5DA93D5C9D7320E1BD3522C79C78172B3551C9FD + - created_at: "2024-06-20T20:01:32Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA46L6MuPqfJqAQ//co7jg6v5QUB7eHXJPMLxsgtbC/VYp7C7QqXQda5qhohW + t0F9lysBybhIGoYuvfZGzNMYqqkVpFxzlOO2vFlcYFsQhjCpJrHBWYT4XOmIBR64 + 6Az/iKqNLS+cG+rFIIuc8BqRk3r4lrM32dCqz0a+3qRkdmbff4yKuzg8FTPlv1RI + O9SzRqfptcKDXItnQF+8CAziqcGyy4jL2wnl1Q2I2Pksr+Zw1eZVbFfHmCpG7A5C + TVihozz51jeXlggDp9/NPJOQDsmV+KdpvNx2Eqj6PQ6aGWtyYv5YZG3X/eRKW90+ + qUOJxwpW5KGcROnuvQt1AggcXquOTLHFyJ85M8tpJcl+JYVZsIeNDo+LO8sbrCTA + cjp/YSLOms+GullbGAwrJh4TYtwJE9sEKr9OAFUvd+AxVFWj08BqMe1eN5YBbwwB + vNurVdvjE8jaTCmZgPPOIP5KXSrsG8bA02YlZ4MnzodYidIhTudJ8VB4NYCtNgOL + G/x7h/KA5KYgDWEtr21z2oy0QkGijtrcNa02GpslirjufZ6TPGCbJjAeEsPbYBm7 + mDXm5+PzZpb1pbcSVNlVG5Ry73JrZxBpYCPGnxLs5yAmWOlNa/xcgDHBU+iXyVg0 + Wm8pHRAVNfbvL7NB8yeaxSDoTSE7/BsisL6tUHoV+bdlpVsTF26bQZBc/zhxiZrS + XgGJ8ChRZbpi2qUzP4nA2jPkYtQ4cquA+ftDx4i+ZqVNtAhVSnTiBZoYu/21+BUB + oxDa5m2vD0s0t0fGfmmIvpLZKZIF7NcwnCdNVQve/D3qNNa4T3YnXb8JTGH0PYc= + =mu1s + -----END PGP MESSAGE----- + fp: 8996B62CBD159DCADD3B6DC08BB33A8ABCF7BC4A + - created_at: "2024-06-20T20:01:32Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA4EEKdYEzV0pAQ/8D4mAcC6vsHLkSryz1yIYoBqqtJnG62pITFEbafhVLR6V + nWAw/zP9DqNj15MsrM67xaQxlMVgkVM7QTchgp0CjXsyZ/gWPgDl0NaC92Uj93Ov + Gi2OpkfHQFaAW6JsAFl5NrF0ZBw/flx8X0l2klIxBV+ztpkLADEtXWsoGsmz5L4m + 
n41icEp9+nb9nwy7p+Je0s4jZCBB0sVlbkX9i4IpMOgEhA0HcWemc940VJp3UyRg + LkOs5C0J4Y4qjS12248y16gV/IhNaJ4PCPgVwSj1Xzz6VXauQosmWhnUbnqJbi3F + KWEV0IJJO+dlj5VShzFDnkN2bM1GeyQx1S+FkNp+Mmm6JNrUK+CZL8fUYka06O0V + DD/sg1Pyq8VawNG5RxwAWA5F1F1SIrJzF0T4HyIN1UFRCjWC466sdrBTQLtx472k + NdBCvabHS/bx5miPKF5iglJYzz4biUdevc3EU7q4hwgMYM2oep3m2EsaTbKWzjnY + PLB4d0bCsRlya0YfHaFX5f3xSNb/FzBcUlTHzX2asyB2DolMug1VqS3jCEkWGbk/ + vfNfR5yRuwkwNlJRqHbGIfH7fYEgwSTW+VW2iUdY7Dra7xjgTzqZgLi5W8QwKJqq + 1V5H4KlRQNYwloVJzQZCwoPcY+tBfTZ4LsDKtjyJzFY9vdTGGGqb9lAG7YBUdubS + XgE72UuZvbPQZuI7uVKMEORGVssQjwZFhs4InR/Ixe03a7hb8fdRHfu/ueS/3KQx + mRXVino/iVQ6M936mtibfeH9TpBpjqH8sBKNHv2hgnoap9QpkrVn1yWqrOcpht8= + =+sXL + -----END PGP MESSAGE----- + fp: 9DFA033E3DAEBAD7FDD71B056C7AAA54BE05F7BA + - created_at: "2024-06-20T20:01:32Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hF4DQrf1tCqiJxoSAQdA/tIZCvQv0E4dHN5jBHsAGclKEeLFhyf4lIQx+xa+uwQw + /VGCdNT8U13EawRC66KLXRrRgsNPpwUg15wAoTzQ8gW/tLpgvL5nsEYPfaowYwBD + 0l4BmNV4o4J+NHF7Tk1af2kx0pp6kF9eJynn6irr336tGzY004lZfZlqwgeOk+qN + 93XcSfdAOlIktfex1q1oTPrSpGIv32zsLPoRNVa50dO+IKu1tmYAxi9N9sQgbWa4 + =rnF9 + -----END PGP MESSAGE----- + fp: B71138A6A8964A3C3B8899857B4F70C356765BAB + - created_at: "2024-06-20T20:01:32Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAzdAjw8ldn6CAQ/9HNG41mTgq8VavF9DBX7+upnsmoDtwblck18l3rurJ1mo + k2ki7tWwIxRyLLHtsUxJ9S55cmXuhhPJK8Kzc32SnY5irDkqK/4JZnDvofg+z68B + 8pQOunN1BQp50k8vd4Mha43re8s24iqrM+fj59uHM2YYsQYt9TCR/NvUopOdi6l2 + 8OnKI2KdRvYhtzzCY3wmQKhG7p0hc8y8pP/0DmPW5IGQ6OP4zO+Qnc4EbVnA9Uhr + tZ4sTNn0o80kfvILKANkAm81v86KdSRXdd3+1IpH1c7rTqm9o+DEm8nKnwWOF63O + P0klsYLlfqiZyQ0AyS67RHPTw/y57mAyWVFbABDLtXQQHWcIkADMLKTJLpnhKkRn + Cp94EXBBBwViAUBUzzskE4lgKXncl1h5ogLum8btU+cLky0qa8Hzie5QqszlErf8 + fci0AEHV8u+Kf5EARf1FiY6K2aVnFOJchdeL98qllwRu6f8zz7+bfLq1UXcGBlQS + JnbAlXiL4vEBxQyW5awYYzpaMUTW1ejjujZUitdaUeIQJdv/IJvHe9y6/F0uukdt + AMrDI7E+JKa6hLPe4g6H1hUzh6GcaHuNU9z2NSDfzxcOHkqALsCDLVDxsjPhahCc + 
UZkSn8ebyqv7/jpTgWnsls0Fx8XqvKKJNoqXfK81oIvWlJsEwqSaBczkq9HQbO7S
+ XgH2N8XPOJWmqDc+xS26eERNJ8ZlhYaODWwatgqt2si6EdBpVRZL4PXsOrOlI8Xi
+ Uaag1/Uljqbk5mN18+CtSfSt0ded79d44B9zAbc70hgvkRrpcotDBnO8YQ9MxB0=
+ =O0Sg
+ -----END PGP MESSAGE-----
+ fp: 3D70F61E07F64EC4E4EF417BEFCD9D20F58784EF
+ unencrypted_suffix: _unencrypted
+ version: 3.8.1
diff --git a/config/hosts/mjolnir/sops.nix b/config/hosts/mjolnir/sops.nix
new file mode 100644
index 00000000..b4548edb
--- /dev/null
+++ b/config/hosts/mjolnir/sops.nix
@@ -0,0 +1,7 @@
+{ ... }:
+
+{
+ sops = {
+ defaultSopsFile = ./secrets.yaml;
+ };
+}
diff --git a/deployment_configuration.json b/deployment_configuration.json
index 2cc3215d..94ff2f00 100644
--- a/deployment_configuration.json
+++ b/deployment_configuration.json
@@ -23,6 +23,9 @@
 },
 "nix-box-june": {
 "targetHostname": "nix-box-june-intern.hamburg.ccc.de"
+ },
+ "mjolnir": {
+ "targetHostname": "mjolnir-intern.hamburg.ccc.de"
 }
 }
 }
diff --git a/flake.nix b/flake.nix
index eb9d2364..9ee17cf6 100644
--- a/flake.nix
+++ b/flake.nix
@@ -201,6 +201,16 @@
 ./config/hosts/mqtt
 ];
 };
+
+ mjolnir = nixpkgs.lib.nixosSystem {
+ inherit system;
+ modules = [
+ ./config/common
+ ./config/proxmox-vm
+ sops-nix.nixosModules.sops
+ ./config/hosts/mjolnir
+ ];
+ };
 };

 packages.x86_64-linux = {
From dfcb961fd3ce6a84abd7176bb5b4c4fe3fde5ef3 Mon Sep 17 00:00:00 2001
From: June Date: Sat, 22 Jun 2024 02:55:54 +0200 Subject: [PATCH 065/170] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nixos-generators': 'github:nix-community/nixos-generators/d14b286322c7f4f897ca4b1726ce38cb68596c94?narHash=sha256-iqQa3omRcHGpWb1ds75jS9ruA5R39FTmAkeR3J%2Bve1w%3D' (2024-05-20) → 'github:nix-community/nixos-generators/35c20ba421dfa5059e20e0ef2343c875372bdcf3?narHash=sha256-WZ1gdKq/9u1Ns/oXuNsDm%2BW0salonVA0VY1amw8urJ4%3D' (2024-06-10) • Updated input 'nixpkgs': 'github:nixos/nixpkgs/de0ae76b011bf0000d58ab71821199ce310128b2?narHash=sha256-/VAxV/4lvtOtq4Zxq0MrqTGj7g8aSR/eJQDXB37ozvs%3D' (2024-06-16) → 'github:nixos/nixpkgs/201ed88e66f7f34d5c74e46d2e4399cc4bea1501?narHash=sha256-3vNXv4zrblZFobrxz1P3RwLpHl6X3/GzfArdTxq0%2BnI%3D' (2024-06-21) • Updated input 'nixpkgs-unstable': 'github:nixos/nixpkgs/2ee89d5a0167a8aa0f2a5615d2b8aefb1f299cd4?narHash=sha256-2eh7rYxQOntkUjFXtlPH7lBuUDd4isu/YHRjNJW7u1Q%3D' (2024-05-23) → 'github:nixos/nixpkgs/1c0bec249943cd3e03f876554b8af7d1e32a09e1?narHash=sha256-uIZlOpCIi/GZ3xrkA87CAHqbTvsTbVQV1JjnP33slxs%3D' (2024-06-21) • Updated input 'sops-nix': 'github:Mic92/sops-nix/b549832718b8946e875c016a4785d204fcfc2e53?narHash=sha256-0lMkIk9h3AzOHs1dCL9RXvvN4PM8VBKb%2BcyGsqOKa4c%3D' (2024-05-22) → 'github:Mic92/sops-nix/797ce4c1f45a85df6dd3d9abdc53f2691bea9251?narHash=sha256-Pm9I/BMQHbsucdWf6y9G3xBZh3TMlThGo4KBbeoeczg%3D' (2024-06-16) • Updated input 'sops-nix/nixpkgs-stable': 'github:NixOS/nixpkgs/e7cc61784ddf51c81487637b3031a6dd2d6673a2?narHash=sha256-H0eCta7ahEgloGIwE/ihkyGstOGu%2BkQwAiHvwVoXaA0%3D' (2024-05-18) → 'github:NixOS/nixpkgs/c884223af91820615a6146af1ae1fea25c107005?narHash=sha256-v43N1gZLcGkhg3PdcrKUNIZ1L0FBzB2JqhIYEyKAHEs%3D' (2024-06-15) --- flake.lock | 30 +++++++++++++++--------------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/flake.lock b/flake.lock index 4e5ec23f..a0b58e21 100644 
--- a/flake.lock +++ b/flake.lock @@ -23,11 +23,11 @@ ] }, "locked": { - "lastModified": 1716210724, - "narHash": "sha256-iqQa3omRcHGpWb1ds75jS9ruA5R39FTmAkeR3J+ve1w=", + "lastModified": 1718025593, + "narHash": "sha256-WZ1gdKq/9u1Ns/oXuNsDm+W0salonVA0VY1amw8urJ4=", "owner": "nix-community", "repo": "nixos-generators", - "rev": "d14b286322c7f4f897ca4b1726ce38cb68596c94", + "rev": "35c20ba421dfa5059e20e0ef2343c875372bdcf3", "type": "github" }, "original": { @@ -38,11 +38,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1718543618, - "narHash": "sha256-/VAxV/4lvtOtq4Zxq0MrqTGj7g8aSR/eJQDXB37ozvs=", + "lastModified": 1718955215, + "narHash": "sha256-3vNXv4zrblZFobrxz1P3RwLpHl6X3/GzfArdTxq0+nI=", "owner": "nixos", "repo": "nixpkgs", - "rev": "de0ae76b011bf0000d58ab71821199ce310128b2", + "rev": "201ed88e66f7f34d5c74e46d2e4399cc4bea1501", "type": "github" }, "original": { @@ -54,11 +54,11 @@ }, "nixpkgs-stable": { "locked": { - "lastModified": 1716061101, - "narHash": "sha256-H0eCta7ahEgloGIwE/ihkyGstOGu+kQwAiHvwVoXaA0=", + "lastModified": 1718478900, + "narHash": "sha256-v43N1gZLcGkhg3PdcrKUNIZ1L0FBzB2JqhIYEyKAHEs=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "e7cc61784ddf51c81487637b3031a6dd2d6673a2", + "rev": "c884223af91820615a6146af1ae1fea25c107005", "type": "github" }, "original": { @@ -70,11 +70,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1716479278, - "narHash": "sha256-2eh7rYxQOntkUjFXtlPH7lBuUDd4isu/YHRjNJW7u1Q=", + "lastModified": 1718954653, + "narHash": "sha256-uIZlOpCIi/GZ3xrkA87CAHqbTvsTbVQV1JjnP33slxs=", "owner": "nixos", "repo": "nixpkgs", - "rev": "2ee89d5a0167a8aa0f2a5615d2b8aefb1f299cd4", + "rev": "1c0bec249943cd3e03f876554b8af7d1e32a09e1", "type": "github" }, "original": { 
@@ -100,11 +100,11 @@ "nixpkgs-stable": "nixpkgs-stable" }, "locked": { - "lastModified": 1716400300, - "narHash": "sha256-0lMkIk9h3AzOHs1dCL9RXvvN4PM8VBKb+cyGsqOKa4c=", + "lastModified": 1718506969, + "narHash": "sha256-Pm9I/BMQHbsucdWf6y9G3xBZh3TMlThGo4KBbeoeczg=", "owner": "Mic92", "repo": "sops-nix", - "rev": "b549832718b8946e875c016a4785d204fcfc2e53", + "rev": "797ce4c1f45a85df6dd3d9abdc53f2691bea9251", "type": "github" }, "original": { From df17b25009018aed5d337dd61b284f9b5f7c0c96 Mon Sep 17 00:00:00 2001 
From: June
Date: Sat, 22 Jun 2024 04:20:38 +0200
Subject: [PATCH 066/170] Add woodpecker host running a woodpecker-server and -agent for CI
---
 .sops.yaml | 17 ++
 config/hosts/woodpecker/configuration.nix | 7 +
 config/hosts/woodpecker/default.nix | 11 +
 config/hosts/woodpecker/networking.nix | 23 ++
 config/hosts/woodpecker/secrets.yaml | 234 ++++++++++++++++++
 config/hosts/woodpecker/sops.nix | 7 +
 .../woodpecker/woodpecker-agent/default.nix | 8 +
 .../woodpecker/woodpecker-agent/podman.nix | 13 +
 .../woodpecker-agent/woodpecker-agent.nix | 27 ++
 .../woodpecker/woodpecker-server/default.nix | 9 +
 .../woodpecker/woodpecker-server/nginx.nix | 57 +++++
 .../woodpecker-server/postgresql.nix | 18 ++
 .../woodpecker-server/woodpecker-server.nix | 56 +++++
 deployment_configuration.json | 3 +
 flake.nix | 13 +
 15 files changed, 503 insertions(+)
 create mode 100644 config/hosts/woodpecker/configuration.nix
 create mode 100644 config/hosts/woodpecker/default.nix
 create mode 100644 config/hosts/woodpecker/networking.nix
 create mode 100644 config/hosts/woodpecker/secrets.yaml
 create mode 100644 config/hosts/woodpecker/sops.nix
 create mode 100644 config/hosts/woodpecker/woodpecker-agent/default.nix
 create mode 100644 config/hosts/woodpecker/woodpecker-agent/podman.nix
 create mode 100644 config/hosts/woodpecker/woodpecker-agent/woodpecker-agent.nix
 create mode 100644 config/hosts/woodpecker/woodpecker-server/default.nix
 create mode 100644 config/hosts/woodpecker/woodpecker-server/nginx.nix
 create mode 100644 config/hosts/woodpecker/woodpecker-server/postgresql.nix
 create mode 100644 config/hosts/woodpecker/woodpecker-server/woodpecker-server.nix
diff --git a/.sops.yaml b/.sops.yaml
index 1705da9e..52a8aa70 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -16,6 +16,7 @@ keys:
 - &host_age_netbox age13fqs76z2vl5l84dvmmlqjj5xkfsfe85xls8uueul7re9j3ksjs0sw2xc9e
 - &host_age_public_web_static age19s7r8sf7j6zk24x9vumawgxpd2q8epyv7p9qsjntw7v9s3v045mqhmsfp0
 - &host_age_mjolnir age1ej52kwuj8xraxdq685eejj4dmxpfmpgt4d8jka98rtpal6xcueqq9a6wae
+ - &host_age_woodpecker age1klxtcr23hers0lh4f5zdd53tyrtg0jud35rhydstyjq9fjymf9hsn2a8ch
 creation_rules:
 - path_regex: config/hosts/git/.*
 key_groups:
@@ -113,6 +114,22 @@ creation_rules:
 - *admin_gpg_dante
 age:
 - *host_age_mjolnir
+ - path_regex: config/hosts/woodpecker/.*
+ key_groups:
+ - pgp:
+ - *admin_gpg_djerun
+ - *admin_gpg_stb
+ - *admin_gpg_jtbx
+ - *admin_gpg_yuri
+ - *admin_gpg_june
+ - *admin_gpg_haegar
+ - *admin_gpg_dario
+ - *admin_gpg_echtnurich
+ - *admin_gpg_max
+ - *admin_gpg_c6ristian
+ - *admin_gpg_dante
+ age:
+ - *host_age_woodpecker
 - key_groups:
 - pgp:
 - *admin_gpg_djerun
diff --git a/config/hosts/woodpecker/configuration.nix b/config/hosts/woodpecker/configuration.nix
new file mode 100644
index 00000000..45e228e2
--- /dev/null
+++ b/config/hosts/woodpecker/configuration.nix
@@ -0,0 +1,7 @@
+{ config, pkgs, ... }:
+
+{
+ networking.hostName = "woodpecker";
+
+ system.stateVersion = "24.05";
+}
diff --git a/config/hosts/woodpecker/default.nix b/config/hosts/woodpecker/default.nix
new file mode 100644
index 00000000..1db0c8cf
--- /dev/null
+++ b/config/hosts/woodpecker/default.nix
@@ -0,0 +1,11 @@
+{ config, pkgs, ... }:
+
+{
+ imports = [
+ ./woodpecker-agent
+ ./woodpecker-server
+ ./configuration.nix
+ ./networking.nix
+ ./sops.nix
+ ];
+}
diff --git a/config/hosts/woodpecker/networking.nix b/config/hosts/woodpecker/networking.nix
new file mode 100644
index 00000000..17fa56c9
--- /dev/null
+++ b/config/hosts/woodpecker/networking.nix
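Review bot: The new configuration.nix and default.nix for the woodpecker host declare `{ config, pkgs, ... }:` but use neither argument, whereas the mjolnir host's equivalents in the previous patch use `{ ... }:`. Trimming both headers to `{ ... }:` keeps the two hosts consistent and stops the signature from suggesting a dependency the modules do not have.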
@@ -0,0 +1,23 @@
+# Sources for this configuration:
+# - https://nixos.wiki/wiki/Networking
+
+{ ... }:
+
+{
+ networking.interfaces.net0 = {
+ ipv4.addresses = [
+ {
+ address = "172.31.17.160";
+ prefixLength = 25;
+ }
+ ];
+ };
+ networking.defaultGateway = "172.31.17.129";
+ networking.nameservers = [ "212.12.50.158" "192.76.134.90" ];
+ networking.search = [ "hamburg.ccc.de" ];
+
+ systemd.network.links."10-net0" = {
+ matchConfig.MACAddress = "BC:24:11:5F:A9:B7";
+ linkConfig.Name = "net0";
+ };
+}
diff --git a/config/hosts/woodpecker/secrets.yaml b/config/hosts/woodpecker/secrets.yaml
new file mode 100644
index 00000000..f7b11cec
--- /dev/null
+++ b/config/hosts/woodpecker/secrets.yaml
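Review bot: This networking.nix duplicates the mjolnir one from the previous patch line for line (gateway `172.31.17.129`, the same two nameservers, the `hamburg.ccc.de` search domain, the `10-net0` link rename) with only the address and MAC differing. The shared values could live in one common module so that each host file keeps only its address and MAC; if that is not wanted yet, a comment naming mjolnir's networking.nix as the template would at least tell the next maintainer that both need updating together.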
@@ -0,0 +1,234 @@ +woodpecker_server_environment_file: ENC[AES256_GCM,data:68Wu0UOHBAGZHSJ0x4wbeDLm626jpumv9w6A65FNKsmzYp6P4/c4g1MF1agQd7l9nKMTRrgyJyfoEZYFQRX6lYSmcsQLfn++uh1JpFoClT5p/5hBkiDq4owUFU+NGUiyl6yjYlEiaxLwC4ZdyISHeEYpbrvGyIXLsFgdrQ0rVX3cCRwIMxFcyCG6d3MZVoqAw1A=,iv:y/+X02aRPBOoR57P9s7y/SijvXVLuiBBfFYqeJLvQEU=,tag:DNwK+M6s3moglkMkrWccyA==,type:str] +woodpecker_agent_secret_environment_file: ENC[AES256_GCM,data:iXsElY7/XhHYC3OAHZOY2TUzcL6dyjLkmuVgRUP1W/ZpTYsBuVbPZFX5WGGX1Pw33sPo1SAp6a8k+qqh0HeqyTxnjj/7T/HOE2DbdHoqF3EK/ryhtQVNNm4=,iv:6rrWRFxoZuXstWrKKo4siHqktcuZqrdjM4DwiFdDfJA=,tag:YvyIYFd/N1Z6tpO2O0ewrQ==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1klxtcr23hers0lh4f5zdd53tyrtg0jud35rhydstyjq9fjymf9hsn2a8ch + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRQlN5NmlaUjR5dGJ3Y3BP + bW4rWm1KaVFsbytwZDQ1QjV1d1VEOEZlSTJ3Cmgxc1BmMnBmWjRyNmNDWmpWcnJt + Q3lBZUFOY3FtREFUYmhJNCtKcTUxY0kKLS0tIHhKbVVBYjN4WHRzdERNbkRQeHlS + UExiNFNCdkQ4YTNMdEdoWTdxOFZOZVEKZZbNpbyH31z5tyXeINqoNyqy8zvS3mp0 + YFq6P8kO8CaqUG7KH6yWV0Vq4DryQ9vMcQBnboZOfPf9pZUvhacE/Q== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-06-22T00:01:07Z" + mac: ENC[AES256_GCM,data:3WLe5X+wMVRth2jnu3xVe209mk+HzFcwkj45N9L0UOgoc5zdBShvdEXcevX98HTldC4kU0IEZZowLHbiDxlIozu2lrkU+0avxzM8jWWcyqMJCLTcBoOHaqKX9EfQ9OvHh2HMz8hJ/AFD/LTDzpTYXpHqSnagt1SRGjUKGZuF3K0=,iv:CPpfAP+bInTtHPRBeVih9s2/YoBJKpwuDq5VUIOkoLs=,tag:0Exia5cJctV6f+mYVgDM/A==,type:str] + pgp: + - created_at: "2024-06-21T22:42:59Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAxK/JaB2/SdtAQ//QR84p3zGjW2CtPcPxlmdYui5nx8FV3MHog4R24s4RKNK + y4n9993z8m3y2at4yIWDi4LBKrhm/6mSLBHfoxnuiptoaSXSWXfaXebXkYiinkyP + GMvwegN6KkRZh4stJMD7W0g7w/trkNEAvPDoInqCnvT4NomrKIV+ZrZuCBLd1tXn + JRd2tsH8yYzoZr/PJBBDTZtke/nbosb6drjgG6ow/eHyF++HxKNTWfjCiWn4AWSb + c/E1VWsigYdBs8XSTbBkfSLr/b5FcXYb8tyy4gpGe9zOrxc7cW5diK5+x4bM8FHz + 85ShPA5S3PXXEnuifuk/ZK8+CEYWUS3MXUhuEFUo7F3Pt/Eb+5CtfTX6kvMe1xe9 
+ iqFAsRce/qm9Evns4ygZ4+LoI2ro2HFwgQ2fu1gi7PyZsDyW5eRL5P+vfxPUOxYY + z9cXXo+U1NEzWMDEBWt4mgoW9URye6O3k+WLQmYbQIhDkftUYmvRrPYQvP282m4k + NMucRIRUMkx7rpRQQP8yU6AlgZ1LsOmruV4XJYVxsTpSZq7YgTQP4kd3wMgBhwOV + j3hGc9gI9Sq06SdyU0C8PuUHt+mZGkVnYIOTw6BXHgY1tK8X5XnWK4NJXL9bR0pY + kfzDWLjD0hiiM3QYqieTbnDUiVTDGyf7Cop+EifYvy7um+CPjlYLLkDkEsWcy/HU + aAEJAhDEzP5eiU1e01GSNbWL49ghD7DqZiYdo0F/BGMk6jQloM1HUDnkhgBhVSZo + TjNPV3UFBxeRnT5DvouD6uJ8SDs42ARdb4F80vJVHknt0yBvGWfCQsXqKwuRDd1j + zkj4zG7btJRv + =sgSP + -----END PGP MESSAGE----- + fp: EF643F59E008414882232C78FFA8331EEB7D6B70 + - created_at: "2024-06-21T22:42:59Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA6EyPtWBEI+2AQ//V6IIW3Hr3xuQWOWitDGn1bo+x95jePPpXNayKGJuaSMf + 00gaOyMpqP5hRd3lEQRyqHgPtmszlGrxq2y77CxnnZMbE6n+axwQQLoMzROBGyGF + iqe6hNbNFZPjWv5BTAl3iOHWrw3x/TpgcNmSBDfctU+CZlMWzCMuXJw1bK57wQd4 + B6xcoBxidK55Ubc7GQ8mlAEuZ89fYorTRBfv2rBgUh8ZAAsUmn1jEz7HsQMMd2a8 + 5V4TzicdzXO2cZ+0DqU8Xqt5U9C0IjGgZRPzDYkh7slkbyYomAIfCq+zN5ieecz9 + Mp8vvuMYfT66P+heNRZ7w/sgmGlarcmNKlOcXlakVYm5qVddPMx6M5Ovl4O5sABz + V4O4NRehYx0XFbjzXr59LCzpusS9xQoh49288dLTFudOInHUYq6ss0TbGfFJMDYU + mjHokzdG3ds8C9/lMR82X9rbyZDchUytHUwX4eGxUDMmhydFpgJko0bbozPbE2ll + NTlWegCc1yrkSGn6U9EYKtibitJnIMdas5HapcErMH2vYILsJOl9ifG1GIsuWe1+ + ipPyZy7jqP7p18WCcDnUhgaGdQ67UjSLqX2zz0SZDcfI46SUeyeSelFVpTlmKriS + 4bW6hC1FSe+bLkPZ0y5aRLgL5ipK6jdlZepAj/DNXdKAtchLHcddF3rKdBdzsxrS + XgFvvZPgj1JleYr+q/+ju4k1d4cE0HnQZIBnkAfKXZHwSPCw1d9vbeLipuRTJrEH + 2CpOjtiXl3S2ZcCS1ama9lgAqPBOOoH7jgHvoCzqfkBsi3/QlIpQs+C8ro4hXE8= + =KZWk + -----END PGP MESSAGE----- + fp: F155144FC925A1BEA1F8A2C59A2A4CD59BFDC5EC + - created_at: "2024-06-21T22:42:59Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAz5uSgHG2iMJARAA5+vcORn/YX2bHcAno9KCUGTzeiCP/DOoSePMdsCAmABj + P8XoYJOyZoZgW3qgvtKZ4pLGB26FuJXC2y6Z3yyQ4Xj2PeBj1og9xM8p7GnF6T6n + 7wqALwJOamyer3A+OXx2Gc8kZ0ObqgBbbn5QTPnHzsRljC3Irgk+ZZE8ZRshoPmu + 6TEuMW0NT5INmijtPAxer/eaAor3KKxMTf+sqqr/VGNopAyFUCGZynlnjcei6X+T + 
tVKh6zqr/eaTlnhoP2kr4u+wKcHvLV8an8sfsyIGL90O11LNcX8Sf4EyPDYSXOe7 + AXTFcvfw9+ALu3cbTVPN0aI2e8fCir2S00F8x28Ffc2xDSrXjWEDCXLuRNVXz5KA + Mjq4afyQN6mtVZ6ZmtvaLQoG8D2f2sGzvrsBjaXwxPLHKPpUFZVBiiP0C08yokUR + 7FrYaOjnvQVALLxGJMAhMf02g2dYDFxMw18cY2a+bLrYUVd9EMbuFwCJNzmU0of7 + EpSvXrA0wTKddk+vL3JoJgIrOxz2IQbaC24NiCUzbyakhT+qDX/oXXILxL2x0GfR + RaTL1inkTQO//ooAjlPeMA3OIDQo5CdoV4VlvSUgagYfDvMfDCAO04Xxvezh1uvz + //4Jz13+LFoUgbtVUYiT4oqWyfTKOV0D8ILYWKZJtjJt4TeYpEfbQFEzIYyF3OHS + XgE7aGyB0ArPBovSr55eQGmW+FaeG1VtH7TRLU367FyQmGep5O2SUxQXqFFiWyDy + bseIYdRqNsmlgdXBnADdkVCFJtF4C/VA2DOk+wOO8XtQoMQ8zrIl+0Viq1s66OY= + =xc00 + -----END PGP MESSAGE----- + fp: 18DFCE01456DAB52EA38A6584EDC64F35FA1D6A5 + - created_at: "2024-06-21T22:42:59Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAw5vwmoEJHQ1AQ//abtgoFEWd+zbeSbiwey8nCNQUSklHV9kbLuBK8+ipX/Q + qjweWnnPVN6ODhgfXm93k1tSqeJjYqjqfxVsAEUiXC61UhvS6JBZuVUt4nRUWHk2 + cdu3eKlBx7Nhm6th1gZ+Wf7PcryT5fmJQP5a8VEM/nUuRjnAmG7RuSiWbNzBbTDx + 4jh4GTvlFkupxZvLsXYf2T+7qn0eHymdQI8+5WSHQH6kApBvINYoq1m55it5ilEp + M0tYNFMzi10OjKVbNRQXuKhROzzYGtW8qWGtc33WBB5rvkRVelSDmleTbRywWjE0 + rNo7vj97SbmGdCHydzcEwPIBOd11ZgFWpamX/36ALeKCxgHgc3HsnjIkDsEffpoN + SFHAhyYqXTDRqq5/HuBQBDBJLVVcIbqlJo3us47gI3rhojjSayzTBd5TnGOZt5N0 + rFOqoZ1i3vf3C5sjKivTzCJ/P3yFgD271hQjv49jSqXgSF8ZIvzaDr0xLiy+XnZ+ + EsUyqxZBKWy246BtyZ4qBvRjVKbezpxQFh6MzxccY+toUaG2v2I5muvFJRHe7qEA + fT6XDl7W6aQ/RBL/Ij9OWYvCMWS27mzkLQi0uBH5gyA1t6Bg9O6+CjGpK6Mmd8fx + 1Q2Ml5ClzLnEq94FX3f2hpqLdSlwREPoBYULeJNr+WhayDvfRjuh5+MvN+wjbs/S + XgGYwgGCrFmzXN1mWElNGc3+3sMEpiuvJp6Z1nRfr17YvIPUrtCU7zVHWR1lWFKU + gjJacBX/Qw9Kly+5jADM0UorWkZxaby+q+j8rN43nPatjDlDRI+BrNta0l0ulOA= + =2cbn + -----END PGP MESSAGE----- + fp: 87AB00D45D37C9E9167B5A5A333448678B60E505 + - created_at: "2024-06-21T22:42:59Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA4HMJd/cQYrVARAAu8l79uJlVLz++foLhk83zrPSZsX+1TQduJl06Kx2VrJ+ + dZX/0okzpHmHeZGhGH+e1Gv7MpyM4UxAGwE03NIk32p43LF/biad0zc4TB8yr9r6 + 
N3Sr/ZbaB0oYC/K4r1Sj8W1XWmuYZB8lc1dyfwhf96KIXGutvG22O5XI0pOA9yHL + x4AWt8OHYsaWCt941M6pbFtBsJEl/TaKgYF7YNITvsfj/oG7cPESKLOkcJdmhN1r + ADpJRcs6rVvMLWxUBjZICqZvDlwnXK5gCu30MmLs/oQbFmHjBRB01Ird+Mb5e6l4 + vrYC+zO3RG3dZ+VXJD0rBn+56nDMtiKISJCy4I4Vz/ekwx94cIci+BlD9/3YYix7 + HVgR6flBgInZEvaBxyj2e0G5i2gKvYTfea5+6bwPpszLUaYba/YLQQ2mSXcwWPsV + ipuNSjJ8swK2OpOFTfzs7Ua1OZChCOhhduxiKCwASYrbncfexObsQfeobj3wrwXH + N4M+h5ghm+y7UFKDW+gfN79WGfltWiMdy9vZNwwEYF0NE8jkwPfIt2dLvyU73MFU + NivYWp6kUj+gbLkb3gLClAi4CyYqNQyBjbKEbt+470UIMZ44WWMEJy7bMwAVzLBk + VxBHphqSuP04pgb5a+PHPApCZC6KEntnW1zX+DKrCn3/+NhoD6COhCvetWxq4f7S + XgFop4XZPWYJb6ypqkFLbkHIg7tCbr/xae4HABncVj0BaS1Z7TBdMiGi8SQvHti5 + 70rNGZIpQe/59DmBrLT06VdQRY5rt20bDoN+DaUrE2tc0k5h+uwI71TG4//Db2A= + =m4ec + -----END PGP MESSAGE----- + fp: 91213ABAA73B0B73D3C02B5B4E5F372D17BBE67C + - created_at: "2024-06-21T22:42:59Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAxjNhCKPP69fAQ//Tz2g90bOkkY942MaLO5/k8MFMf4QEDMZAiw9tVZ39Rqf + udMTcGyOX6zLzr+xxNX3gwn8X+bl0yw4Tg/FiyOzl9RjMZDxvzUaj1gYZI9kKPne + aEmAYcP2mv+ITUDnApZonDZE5hUnLGAyfEZMU6ExF9XkU94dXFdU4nd+gF5XHzou + STiNryBYaxWP1WMkW4SlZqdJiCfrkI0Z7iTF86QtXN5S8qLSIyjP3hIv5QxJg5Xo + NwK5IXQhV/0ZHp1Wl8Xys2iUw3iuwPga7sBrMHdJ0PHVBg3Wg/bG7YtrfEAfUbcr + UHt9rNGFZluuqNctvcvkSUjv5DISCgl8lSSbzC8DK/vT9o0DQYWvySNpVwXO3tqs + 9aCxKc8trCXrd9qePnO259Ni0ALRjyh/GHZipzhZo/mgyUWc5nAdTLM49MsmAKHc + PnBBSntXnVHfFoFvgyBAmyISVuH/L5j8mezQ/37AevcTfuWemjDRGWIiIJZ73CyF + tG6ida5En9QouMO18gKBBzfR/2s6tt60bEp4bE3j2rRgEhwblBfl1NtGSw2WGVVZ + bU8KormLDT8aurMIp/Rd1pzAxDpEhDa13TV1IfRECOQvY35aBC59upt+XLwJ83ch + Zgi5cRGtSoj1G9OziQGCtJjGqkZoFy7Htou6AyFUEln+2Px0EKGJC3yCUcOF0orS + XgEtK2wEJNnJ84LctjrRM4ZSeb/8nycfWiR9riJi1lq6J+WSeiGME3cvhgObDTtG + EwuAjG6vhwUdr3aovsENQhvHnQWID844CeBtB9jMHbFJy41vbt0rC0JJG/6RoRg= + =5Ijl + -----END PGP MESSAGE----- + fp: F38C9D4228FC6F674E322D9C3326D914EB9B8F55 + - created_at: "2024-06-21T22:42:59Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + 
hQIMA1Hthzn+T1OoAQ//dwisvTFgYUCFICbaNZ+8jttF4lTQ2fjdP6UHb0evav84 + PUYpqUfmMF1BUvxDx0rwzzP1OaSKuesxAG46i1Nha1Tq/LOURtzZtXPW4+xSHWge + ifbcbGTBkACviKkRuVUqaQBAbzDnFIHtcQy7nbILmzM0aRwm1IC1WzKpPRBgzAy0 + o/UE4geZjPuNqkix4mcLz8sXvKMz11FE3QpZ44JqiRhmAITTDVo2ymhbvA6R2C1w + AL0tjJwKRb0qfoBegyPbuUW399l3CCtEE7voW8AxZ3Y6EGO8DQ1i/MkR81zymFep + PUDVYDmhqmh38Z79v5iKqnruzS+rOaitzMRqsUfOJfa4UoFkjO6tYdi5cOY8T4cD + w0rgCpvWriaGKGHDuRIdu031GFyf26+SvOWEbiOhMv+h18Hj5P7uT+Is+VuEhHEo + i7EYTqzsRwyIfybNkb0mBVluvXb4CpZRdRq5AzC49qu4IezvKoAT99KG1yf7XJvI + Ijc/ZITFqCBxE7REA4JBDuivPHfML4CgxG+5PiBJ3JDdaP+xRuoVQQv5E55Y4YwF + NM+NTNcvsTv2vKXJ8mmWLBn9xMxN32gmDyy7jW0elW46AQidIL6C+W2Zhxn6GNvc + 2faDhNQ3yV0A9mIsgQjdWeQemqhsiVU6Sg4Mmattm/b6plGCM1DIcJgMV2RRAobS + XgGt7zD15Ju4S+fQqL7MVGGD3y5v0C5eLx78MScygpNQKS0vfTfTE2+wRCzCjZAG + /6HU85E6ru1VeXc0TwQBrpX3Wi2ga/momalsCGoh3oHBd+jRqzwpRxojKLy65qU= + =g4RA + -----END PGP MESSAGE----- + fp: 5DA93D5C9D7320E1BD3522C79C78172B3551C9FD + - created_at: "2024-06-21T22:42:59Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA46L6MuPqfJqARAAmTOXbn+qa0wgjSvK3juGqVemxKvaD2zFG57ivYdC1Jdn + PIVi5aBCvZ8KY/0W9k83LVcGUY1f8eRkCU8ohJU+rmRbiTvT0qo1hfLzxrqaNbke + gN+YsYW8bgXioF6nHVWI158GvqNfmvRl4WyJzBQ41cAyMpdGXiIzUoCba3Y6f+1N + muljMhgvEtWUddf4zheZX89xV+aLa9Mga6aQbwRcL451UcKxmE2nk4+00rMn7R7R + vmsC677/RrKkI7RxubzCVFFlzaH+ZZ1Ott6ozKUWs2vCcB6vTzwwvmrJwmr760lC + pozfNp/+WzLZOkA3rO2qAvIUc1DxYA6CgukrAAObCbvmcgMeLtVR29wwWs01qxI+ + cTxmH+btbiM0PL8+/sW2KlC19hfMmeryiJXxbUN30a3fMDJz1wVor54DsaqG9kIJ + zIxGsQ6t8fzfaVfeQwoxODnTWqUClWCY4is251O4Gxw3C0oPWZvzoPvxljaPrYYY + SE3dcktWmGoOxLj56lLfceKq0qAtYmJD4Q5k2GDYYU+8dwp95UTf0lbRwauMBROT + OMe4r/emH4Z1LiG2/HLoM4QuV5VVQGSAqoE3c42YjjS9uh/aOtmeNNLehwS93F5E + J/bXNY6VnHcALRGMZF60g5OxM3QUioNkGqcCWGjSaRPcKhwaXvvIaTCdz8apnBHS + XgHeuszpU9/O1nCsNPF2vQUjcNxz+KsL39RwHCVJBVJskxd4HcJQUM7uArV1Fjbk + fl4nQuueBrZ4tXzimRK2QOjgy8F2n/Kxpjlr4rXn+Pi9jyhx0Jq4Blu3wrR4LAg= + =4Xvm + -----END PGP MESSAGE----- + fp: 8996B62CBD159DCADD3B6DC08BB33A8ABCF7BC4A + - 
created_at: "2024-06-21T22:42:59Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA4EEKdYEzV0pAQ//fo1yfBspyD2O84d8UCHWoUJTNYql2p26H/vC2BsVzAmL + 6nylQACeslISLlXbrW+ILPOFZ5x21THOFcJdvCGAQAkY+jC7Ry3D2gwsZi/RLFpP + wbEgbzk9hcimmvuHW/NJtrqvXiTJy7GH7el5Zwqe6rtUkTW5IUtaOmZjn2fQBVoq + 9mMT86vOYlqgIISG1o5x4pciRd+fb3JPiPeJiLcyUBEXYqg2THlyYwwp2paFomYf + a6Ls/pVT9ICSblFlnfILOexDpqhxcPH+V2nwlbSlOETq3ACcVIgufIRndTkGhDzi + HS3GlD5nIb/ep12Gj+qOgKZBsbUdNIAVojNY2qlK2yQJpE5B1aDjmkAZUkk/LqF3 + 76ZRBDzigU0jfYKh2iGDY3F8cWDsRqjqcTjVB9KF32+1SeUAO4NqDnDpMZgBh2i5 + rvDOJCJfTgo7DfPqWPyeFM58sow9EEglygASA/XTaDV+CmLzRlqxwlJwpbRrz3OV + Mp1gewfGASLPS4xh6gtROac9DAuokmN5VgNg2g+emN8lUNJ/7V7u30TvCEfGP0j0 + 1Sd6RrNn/ZDMJtOoE8gDua6njbOi9Zk/RN4Y4NKWcmiNZxz/Xi/8XU7F0yk0yEL1 + DUxYsCEHImib+lAESQ0fF4VMXx3DSXq2/Yt5z782ZvgNrGoGw3B9qVA5FyG5Bt3S + XgGgfz/6fGZ0DEtTv3B8Rhqbm6TvwPFgIg+3WuQRXxf3rjjoX1AN0jcuz8OIIfGk + o1GuRG0/sYg7P32ysgQMvS1F+rX2PR/myHsz4YMM10soG7OduHgXmiJ0eUq8EtM= + =WLCQ + -----END PGP MESSAGE----- + fp: 9DFA033E3DAEBAD7FDD71B056C7AAA54BE05F7BA + - created_at: "2024-06-21T22:42:59Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hF4DQrf1tCqiJxoSAQdAUMjy8rV2Zy5nmeMOBsANIUVyhAvVBUF1yunc+EgVeVQw + yd4hPHMnQSkasXmcMDS0y2gwixgTOeQbG5PaOr0FA7eGEItLlqwSxz3+GnuD/gEw + 0l4BFrUbimEX+/tfI8aymapMVYXFXWe4dUZw9foKN5HqkpPKhusozd9bqPPNKggZ + 09tvIJViKP/QufK0WyLYZGWrG+leogDX39GBtAU1SOllFqtq2G0X1qH+s88GVpaO + =hxWV + -----END PGP MESSAGE----- + fp: B71138A6A8964A3C3B8899857B4F70C356765BAB + - created_at: "2024-06-21T22:42:59Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAzdAjw8ldn6CAQ//SK6MVXhRsRxYV8jL9HrVTovc84kNFr24nbHHi5z6fuCA + 6ZjPr5Btx5Xxi716mEmdDBUSGfeJOOSt6hw4fCqj5ehnCeMLr9GvmJdZx9s2n88m + h4Fzd1XF67NMbSAYMPrXpk5dlxBNsgmsAWTaEet9gqGWWYsrZHWPvae7z+GaJJzz + h3dix5oVV3tM2OVP9hFhRtu9tv9a0sj5Eu6mz8UsDFwEPynlSDPKUQA0jFTXJnYo + yT8UTPSZAUlwnU88JPIhHKCmU8nqUIgDURVNgK4BsuoKSAZ27ueSHr/4IzBiavVD + 6V1b1Ttt8usKFp21OCqfNuoiIeEipUdLMFSTjSXqOp38QTaqoDaCsAPc6j3HCvlV + 
vMm1lbSKK+Llpk9WOmqvHQriL50lQGYpa2X/jS8FtlotKFm0uGJoJXZ5Ujc4Wmy9 + J79/cXLULGFCxdPsoxmd8wJFqz0eiVPHIBFB2Y8Tan+Mg44WeBuY8sAWGzYPp+kB + sEOIQ5I9N1Gt+58i1hDTRlqO4I8ihusqKeRemJa954rlzz8YTmZL+JAD5gsMtzuH + gMjnfBnNJKw3UmnHMMQm348CRB6SuF6rmjc7Xk1qsnie87HtYbM3dJYh7ixddr/a + kTHy66zDX4j3e/y2JdEPQw8/WhhdGnyj6eDioQLNFfvApI7doi5C+XDCR08YxJnS + XgG0kP/bfDBkwzzHkr3khuvdtmUEmsxGbR/3abyjLfvM+g3HM6Eqq0uDwuGgYinR + DYfWUZTas5uWrgxAWYbBCbhPcevu7CsyJFsBtG4ExTXPSsP2c79+LwtmJjbLQqo= + =9C2P + -----END PGP MESSAGE----- + fp: 3D70F61E07F64EC4E4EF417BEFCD9D20F58784EF + unencrypted_suffix: _unencrypted + version: 3.8.1 diff --git a/config/hosts/woodpecker/sops.nix b/config/hosts/woodpecker/sops.nix new file mode 100644 index 00000000..b4548edb --- /dev/null +++ b/config/hosts/woodpecker/sops.nix @@ -0,0 +1,7 @@ +{ ... }: + +{ + sops = { + defaultSopsFile = ./secrets.yaml; + }; +} diff --git a/config/hosts/woodpecker/woodpecker-agent/default.nix b/config/hosts/woodpecker/woodpecker-agent/default.nix new file mode 100644 index 00000000..1b51267d --- /dev/null +++ b/config/hosts/woodpecker/woodpecker-agent/default.nix @@ -0,0 +1,8 @@ +{ config, pkgs, ... }: + +{ + imports = [ + ./podman.nix + ./woodpecker-agent.nix + ]; +} diff --git a/config/hosts/woodpecker/woodpecker-agent/podman.nix b/config/hosts/woodpecker/woodpecker-agent/podman.nix new file mode 100644 index 00000000..08b03125 --- /dev/null +++ b/config/hosts/woodpecker/woodpecker-agent/podman.nix @@ -0,0 +1,13 @@ +# Sources for this configuration: +# - https://woodpecker-ci.org/docs/administration/deployment/nixos +# - https://woodpecker-ci.org/docs/administration/backends/docker +# - https://nixos.wiki/wiki/Podman + +{ config, pkgs, ... }: + +{ + virtualisation.podman = { + enable = true; + defaultNetwork.settings.dns_enabled = true; + }; +} diff --git a/config/hosts/woodpecker/woodpecker-agent/woodpecker-agent.nix b/config/hosts/woodpecker/woodpecker-agent/woodpecker-agent.nix new file mode 100644 index 00000000..6ad5cbfb 
--- /dev/null
+++ b/config/hosts/woodpecker/woodpecker-agent/woodpecker-agent.nix
@@ -0,0 +1,27 @@
+# Sources for this configuration:
+# - https://woodpecker-ci.org/docs/administration/deployment/nixos
+# - https://woodpecker-ci.org/docs/administration/agent-config
+# - https://woodpecker-ci.org/docs/administration/backends/docker
+
+{ config, pkgs, pkgs-unstable, ... }:
+
+{
+ services.woodpecker-agents.agents."podman" = {
+ enable = true;
+ # Since we use woodpecker-server from unstable, use the agent from unstable as well.
+ package = pkgs-unstable.woodpecker-agent;
+ extraGroups = [ "podman" ];
+ environment = {
+ WOODPECKER_SERVER = "localhost${config.services.woodpecker-server.environment.WOODPECKER_GRPC_ADDR}";
+ WOODPECKER_MAX_WORKFLOWS = "4";
+ WOODPECKER_BACKEND = "docker";
+ DOCKER_HOST = "unix:///run/podman/podman.sock";
+ # Set via enviornmentFile:
+ # WOODPECKER_AGENT_SECRET
+ };
+ environmentFile = [ "/run/secrets/woodpecker_agent_secret_environment_file" ];
+ };
+
+ # Remainder defined in ../woodpecker-server/woodpecker-server.nix
+ sops.secrets."woodpecker_agent_secret_environment_file".restartUnits = [ "woodpecker-agent-podman.service" ];
+}
diff --git a/config/hosts/woodpecker/woodpecker-server/default.nix b/config/hosts/woodpecker/woodpecker-server/default.nix
new file mode 100644
index 00000000..a713746d
--- /dev/null
+++ b/config/hosts/woodpecker/woodpecker-server/default.nix
@@ -0,0 +1,9 @@
+{ config, pkgs, ... }:
+
+{
+ imports = [
+ ./nginx.nix
+ ./postgresql.nix
+ ./woodpecker-server.nix
+ ];
+}
diff --git a/config/hosts/woodpecker/woodpecker-server/nginx.nix b/config/hosts/woodpecker/woodpecker-server/nginx.nix
new file mode 100644
index 00000000..962183c5
--- /dev/null
+++ b/config/hosts/woodpecker/woodpecker-server/nginx.nix
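Review bot: The secret is referenced by the literal path `/run/secrets/woodpecker_agent_secret_environment_file` in `environmentFile` while the same file is declared a few lines below under `sops.secrets`; reading the path from the module instead, `environmentFile = [ config.sops.secrets."woodpecker_agent_secret_environment_file".path ];`, keeps the two in step if the secret is renamed or sops-nix's symlink location changes. The same literal-path pattern appears in woodpecker-server.nix in this commit and is carried over when the secret is renamed in the later "Use an agent token" commit. Separately, `extraGroups = [ "podman" ]` together with `DOCKER_HOST` pointing at the rootful socket makes the agent effectively root on this host, which judging by the host's default.nix imports also runs the server and its database; a comment above `extraGroups` such as `# Socket access is root-equivalent on this host; keep this VM dedicated to CI.` would record that trade-off for the next maintainer.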
@@ -0,0 +1,57 @@
+# Sources for this configuration:
+# - https://woodpecker-ci.org/docs/administration/deployment/nixos
+# - https://woodpecker-ci.org/docs/administration/proxy
+
+{ config, pkgs, ... }:
+
+{
+ services.nginx = {
+ enable = true;
+
+ virtualHosts."acme-woodpecker.hamburg.ccc.de" = {
+ default = true;
+ enableACME = true;
+ serverName = "woodpecker.hamburg.ccc.de";
+
+ listen = [
+ {
+ addr = "0.0.0.0";
+ port = 31820;
+ }
+ ];
+ };
+
+ virtualHosts."woodpecker.hamburg.ccc.de" = {
+ default = true;
+ forceSSL = true;
+ useACMEHost = "woodpecker.hamburg.ccc.de";
+
+ listen = [
+ {
+ addr = "0.0.0.0";
+ port = 8443;
+ ssl = true;
+ proxyProtocol = true;
+ }
+ ];
+
+ locations."/" = {
+ proxyPass = "http://localhost${config.services.woodpecker-server.environment.WOODPECKER_SERVER_ADDR}";
+ };
+
+ extraConfig = ''
+ # Make use of the ngx_http_realip_module to set the $remote_addr and
+ # $remote_port to the client address and client port, when using proxy
+ # protocol.
+ # First set our proxy protocol proxy as trusted.
+ set_real_ip_from 172.31.17.140;
+ # Then tell the realip_module to get the addreses from the proxy protocol
+ # header.
+ real_ip_header proxy_protocol;
+ '';
+ };
+ };
+
+ networking.firewall.allowedTCPPorts = [ 8443 31820 ];
+ networking.firewall.allowedUDPPorts = [ 8443 ];
+}
diff --git a/config/hosts/woodpecker/woodpecker-server/postgresql.nix b/config/hosts/woodpecker/woodpecker-server/postgresql.nix
new file mode 100644
index 00000000..e715650c
--- /dev/null
+++ b/config/hosts/woodpecker/woodpecker-server/postgresql.nix
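Review bot: `networking.firewall.allowedUDPPorts = [ 8443 ];` opens a UDP port that nothing in this file listens on — the `listen` entry for 8443 sets `ssl` and `proxyProtocol` but no QUIC/HTTP3 option — so the line can be dropped unless the upstream proxy is expected to speak HTTP/3 to this host. The realip block only corrects nginx's own `$remote_addr`; nothing in the hunk forwards that address to Woodpecker (no `proxy_set_header X-Forwarded-For` or `X-Real-IP`), so unless `services.nginx.recommendedProxySettings` is enabled in the shared config outside this file, the server will see 127.0.0.1 for every client in its logs. Adding `recommendedProxySettings = true;` next to `enable = true;` would close that gap.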
@@ -0,0 +1,18 @@
+# Sources for this configuration:
+# - https://github.com/NixOS/nixpkgs/blob/dce84c46d780b20c064d5dfb10d0686e0584a198/nixos/modules/services/web-apps/nextcloud.nix#L1069
+
+{ config, pkgs, ... }:
+
+{
+ services.postgresql = {
+ enable = true;
+ package = pkgs.postgresql_15;
+ ensureDatabases = [ "woodpecker-server" ];
+ ensureUsers = [
+ {
+ name = "woodpecker-server";
+ ensureDBOwnership = true;
+ }
+ ];
+ };
+}
diff --git a/config/hosts/woodpecker/woodpecker-server/woodpecker-server.nix b/config/hosts/woodpecker/woodpecker-server/woodpecker-server.nix
new file mode 100644
index 00000000..baff7528
--- /dev/null
+++ b/config/hosts/woodpecker/woodpecker-server/woodpecker-server.nix
@@ -0,0 +1,56 @@
+# Sources for this configuration:
+# - https://woodpecker-ci.org/docs/administration/deployment/nixos
+# - https://woodpecker-ci.org/docs/administration/server-config
+# - https://woodpecker-ci.org/docs/administration/database
+# - https://woodpecker-ci.org/docs/administration/forges/forgejo
+# - https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-CONNSTRING
+
+{ config, pkgs, pkgs-unstable, ... }:
+
+{
+ services.woodpecker-server = {
+ enable = true;
+ # Use package from unstable to get at least version 2.6.0 for native Forgejo support.
+ # https://github.com/woodpecker-ci/woodpecker/releases/tag/v2.6.0
+ package = pkgs-unstable.woodpecker-server;
+ environment = {
+ WOODPECKER_HOST = "https://woodpecker.hamburg.ccc.de";
+ WOODPECKER_SERVER_ADDR = ":8001";
+ WOODPECKER_GRPC_ADDR = ":9000";
+ WOODPECKER_ADMIN = "june";
+ WOODPECKER_OPEN = "true";
+ WOODPECKER_ORGS = "CCCHH";
+ WOODPECKER_DATABASE_DRIVER = "postgres";
+ WOODPECKER_DATABASE_DATASOURCE = "postgresql://woodpecker-server@/woodpecker-server?host=/run/postgresql";
+ WOODPECKER_FORGEJO = "true";
+ WOODPECKER_FORGEJO_URL = "https://git.hamburg.ccc.de";
+ # Set via enviornmentFile:
+ # WOODPECKER_FORGEJO_CLIENT
+ # WOODPECKER_FORGEJO_SECRET
+ # WOODPECKER_AGENT_SECRET
+ };
+ environmentFile = [
+ "/run/secrets/woodpecker_server_environment_file"
+ "/run/secrets/woodpecker_agent_secret_environment_file"
+ ];
+ };
+
+ systemd.services.woodpecker-server.serviceConfig = {
+ User = "woodpecker-server";
+ Group = "woodpecker-server";
+ };
+
+ sops.secrets."woodpecker_server_environment_file" = {
+ mode = "0440";
+ owner = "root";
+ group = "root";
+ restartUnits = [ "woodpecker-server.service" ];
+ };
+
+ sops.secrets."woodpecker_agent_secret_environment_file" = {
+ mode = "0440";
+ owner = "root";
+ group = "root";
+ restartUnits = [ "woodpecker-server.service" ];
+ };
+}
diff --git a/deployment_configuration.json b/deployment_configuration.json
index 94ff2f00..eb594120 100644
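Review bot: `WOODPECKER_OPEN = "true"` and `WOODPECKER_ORGS = "CCCHH"` together decide who may register on the CI server, but the hunk does not say how they interact; a comment such as `# OPEN lets any git.hamburg.ccc.de account log in; ORGS limits that to members of the listed Forgejo organisation.` would make the access boundary reviewable. `WOODPECKER_ADMIN = "june"` names the admin by forge login, so presumably whoever controls that Forgejo account holds CI admin — worth a one-line note too. Both secret files are `0440` root:root while the service runs as `woodpecker-server`; that presumably works because systemd reads the environment file before dropping privileges, which is non-obvious enough to deserve a comment next to `mode = "0440";`. `enviornmentFile` in the comment is a typo for `environmentFile`.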
--- a/deployment_configuration.json +++ b/deployment_configuration.json @@ -26,6 +26,9 @@ }, "mjolnir": { "targetHostname": "mjolnir-intern.hamburg.ccc.de" + }, + "woodpecker": { + "targetHostname": "woodpecker-intern.hamburg.ccc.de" } } } diff --git a/flake.nix b/flake.nix index 9ee17cf6..f508b35e 100644 --- a/flake.nix +++ b/flake.nix @@ -211,6 +211,19 @@ ./config/hosts/mjolnir ]; }; + + woodpecker = nixpkgs.lib.nixosSystem { + inherit system; + modules = [ + ./config/common + ./config/proxmox-vm + sops-nix.nixosModules.sops + ./config/hosts/woodpecker + ]; + specialArgs = { + inherit pkgs-unstable; + }; + }; }; packages.x86_64-linux = { From 1aff46745a7a89b53bd52732e8f8eab7cbf33d0c Mon Sep 17 00:00:00 2001 From: June Date: Sat, 22 Jun 2024 16:07:01 +0200 Subject: [PATCH 067/170] Disable mjolnirs verbose logging to have it not spam the management room --- config/hosts/mjolnir/mjolnir.nix | 3 +++ 1 file changed, 3 insertions(+) diff --git a/config/hosts/mjolnir/mjolnir.nix b/config/hosts/mjolnir/mjolnir.nix index 49b196d1..c9534f63 100644 --- a/config/hosts/mjolnir/mjolnir.nix +++ b/config/hosts/mjolnir/mjolnir.nix @@ -9,6 +9,9 @@ enable = true; homeserverUrl = "https://matrix.hamburg.ccc.de"; managementRoom = "#moderation-management:hamburg.ccc.de"; + settings = { + verboseLogging = false; + }; pantalaimon = { enable = true; username = "moderation"; From f5432bd682ba022bceb004402103669e75b203b3 Mon Sep 17 00:00:00 2001 
From: June Date: Sat, 22 Jun 2024 16:26:58 +0200 Subject: [PATCH 068/170] Use an agent token for Woodpecker agent to stop it from re-registering With the shared system token, every time the Woodpecker host would restart, a new Woodpecker agent registration would be created, because the agent receives a unique ID on first connection using the system token, which it couldn't store however, because it doesn't have a writable config file in NixOS. Use an agent token now, which doesn't require the agent to store a unique ID in a writable config, so it no longer re-registers. Also see: https://woodpecker-ci.org/docs/administration/agent-config#agent-registration --- config/hosts/woodpecker/secrets.yaml | 6 +++--- .../woodpecker-agent/woodpecker-agent.nix | 10 +++++++--- .../woodpecker-server/woodpecker-server.nix | 13 +------------ 3 files changed, 11 insertions(+), 18 deletions(-) diff --git a/config/hosts/woodpecker/secrets.yaml b/config/hosts/woodpecker/secrets.yaml index f7b11cec..6b960a7b 100644 --- a/config/hosts/woodpecker/secrets.yaml +++ b/config/hosts/woodpecker/secrets.yaml 
@@ -1,5 +1,5 @@ woodpecker_server_environment_file: ENC[AES256_GCM,data:68Wu0UOHBAGZHSJ0x4wbeDLm626jpumv9w6A65FNKsmzYp6P4/c4g1MF1agQd7l9nKMTRrgyJyfoEZYFQRX6lYSmcsQLfn++uh1JpFoClT5p/5hBkiDq4owUFU+NGUiyl6yjYlEiaxLwC4ZdyISHeEYpbrvGyIXLsFgdrQ0rVX3cCRwIMxFcyCG6d3MZVoqAw1A=,iv:y/+X02aRPBOoR57P9s7y/SijvXVLuiBBfFYqeJLvQEU=,tag:DNwK+M6s3moglkMkrWccyA==,type:str] -woodpecker_agent_secret_environment_file: ENC[AES256_GCM,data:iXsElY7/XhHYC3OAHZOY2TUzcL6dyjLkmuVgRUP1W/ZpTYsBuVbPZFX5WGGX1Pw33sPo1SAp6a8k+qqh0HeqyTxnjj/7T/HOE2DbdHoqF3EK/ryhtQVNNm4=,iv:6rrWRFxoZuXstWrKKo4siHqktcuZqrdjM4DwiFdDfJA=,tag:YvyIYFd/N1Z6tpO2O0ewrQ==,type:str] +woodpecker_agent_environment_file: ENC[AES256_GCM,data:7K+Q59QM9ZIr/SE8VQ9jmshjVSeXGzk+h2T9oIDJASZrYppTFx2N68wsKyFm/Y1GDLY3QEELGXOCa7nSZcdMJTOJ9jj5u7HMw3e0CQGxMUGP,iv:vyDQO7uMxyHpK/cb739sktuAq3zv2MZ9xexAZHD0Of4=,tag:WzNn4iWGlO63aLeStsCdRA==,type:str] sops: kms: [] gcp_kms: [] @@ -15,8 +15,8 @@ sops: UExiNFNCdkQ4YTNMdEdoWTdxOFZOZVEKZZbNpbyH31z5tyXeINqoNyqy8zvS3mp0 YFq6P8kO8CaqUG7KH6yWV0Vq4DryQ9vMcQBnboZOfPf9pZUvhacE/Q== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-06-22T00:01:07Z" - mac: ENC[AES256_GCM,data:3WLe5X+wMVRth2jnu3xVe209mk+HzFcwkj45N9L0UOgoc5zdBShvdEXcevX98HTldC4kU0IEZZowLHbiDxlIozu2lrkU+0avxzM8jWWcyqMJCLTcBoOHaqKX9EfQ9OvHh2HMz8hJ/AFD/LTDzpTYXpHqSnagt1SRGjUKGZuF3K0=,iv:CPpfAP+bInTtHPRBeVih9s2/YoBJKpwuDq5VUIOkoLs=,tag:0Exia5cJctV6f+mYVgDM/A==,type:str] + lastmodified: "2024-06-22T14:24:28Z" + mac: ENC[AES256_GCM,data:1MCBR0fU1wMwmTqLKi6ybFD5YX/yYFMO1JLUpB+ZB+PYH+lvYUwo7x52BNxDDETq+VtU13CJLIM0LleOWl0h0xP9vbMC/YMn+ffeWVBYC8mjqaKXYVyAW8ksXn+vDQ+ZP/RWGOJdaKIPLgIJiVF5hfkSo6smfH378cH72f5cmU4=,iv:BgKHSsElxULJ2EA+8/5w4J/hNLH2S+jNNRTXAl/96V4=,tag:z1HeWXA6Ryo0SacG9HARhw==,type:str] pgp: - created_at: "2024-06-21T22:42:59Z" enc: |- diff --git a/config/hosts/woodpecker/woodpecker-agent/woodpecker-agent.nix b/config/hosts/woodpecker/woodpecker-agent/woodpecker-agent.nix index 6ad5cbfb..7eac510a 100644 
--- a/config/hosts/woodpecker/woodpecker-agent/woodpecker-agent.nix +++ b/config/hosts/woodpecker/woodpecker-agent/woodpecker-agent.nix @@ -19,9 +19,13 @@ # Set via enviornmentFile: # WOODPECKER_AGENT_SECRET }; - environmentFile = [ "/run/secrets/woodpecker_agent_secret_environment_file" ]; + environmentFile = [ "/run/secrets/woodpecker_agent_environment_file" ]; }; - # Remainder defined in ../woodpecker-server/woodpecker-server.nix - sops.secrets."woodpecker_agent_secret_environment_file".restartUnits = [ "woodpecker-agent-podman.service" ]; + sops.secrets."woodpecker_agent_environment_file" = { + mode = "0440"; + owner = "root"; + group = "root"; + restartUnits = [ "woodpecker-agent-podman.service" ]; + }; } diff --git a/config/hosts/woodpecker/woodpecker-server/woodpecker-server.nix b/config/hosts/woodpecker/woodpecker-server/woodpecker-server.nix index baff7528..464af131 100644 --- a/config/hosts/woodpecker/woodpecker-server/woodpecker-server.nix +++ b/config/hosts/woodpecker/woodpecker-server/woodpecker-server.nix @@ -27,12 +27,8 @@ # Set via enviornmentFile: # WOODPECKER_FORGEJO_CLIENT # WOODPECKER_FORGEJO_SECRET - # WOODPECKER_AGENT_SECRET }; - environmentFile = [ - "/run/secrets/woodpecker_server_environment_file" - "/run/secrets/woodpecker_agent_secret_environment_file" - ]; + environmentFile = [ "/run/secrets/woodpecker_server_environment_file" ]; }; systemd.services.woodpecker-server.serviceConfig = { @@ -46,11 +42,4 @@ group = "root"; restartUnits = [ "woodpecker-server.service" ]; }; - - sops.secrets."woodpecker_agent_secret_environment_file" = { - mode = "0440"; - owner = "root"; - group = "root"; - restartUnits = [ "woodpecker-server.service" ]; - }; } From be7f6e49170287aec581a9948442ad86bba38e92 Mon Sep 17 00:00:00 2001 
From: June Date: Sat, 22 Jun 2024 17:11:11 +0200 Subject: [PATCH 069/170] Fix clone step failing, because git.hamburg.ccc.de could not be resolved --- config/hosts/woodpecker/woodpecker-agent/podman.nix | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/config/hosts/woodpecker/woodpecker-agent/podman.nix b/config/hosts/woodpecker/woodpecker-agent/podman.nix index 08b03125..c76740be 100644 --- a/config/hosts/woodpecker/woodpecker-agent/podman.nix +++ b/config/hosts/woodpecker/woodpecker-agent/podman.nix @@ -10,4 +10,11 @@ enable = true; defaultNetwork.settings.dns_enabled = true; }; + + networking.firewall.interfaces."podman0" = { + # allowedUDPPorts = [ 53 ] gets already set by virtualisation.podman.defaultNetwork.settings.dns_enabled, but set it here explicitly anyway. + allowedUDPPorts = [ 53 ]; + # For git.hamburg.ccc.de to resolve in the clone step for example, allowedTCPPorts also needs to be set to allow DNS. + allowedTCPPorts = [ 53 ]; + }; } From 026e47d05560655ec0aaad9c660461dad757e9ab Mon Sep 17 00:00:00 2001 From: June Date: Sat, 22 Jun 2024 18:06:39 +0200 Subject: [PATCH 070/170] Last commit didn't do, switching to Docker instead of podman does --- config/hosts/woodpecker/secrets.yaml | 6 +++--- .../woodpecker/woodpecker-agent/default.nix | 2 +- .../woodpecker/woodpecker-agent/docker.nix | 12 +++++++++++ .../woodpecker/woodpecker-agent/podman.nix | 20 ------------------- .../woodpecker-agent/woodpecker-agent.nix | 7 +++---- 5 files changed, 19 insertions(+), 28 deletions(-) create mode 100644 config/hosts/woodpecker/woodpecker-agent/docker.nix delete mode 100644 config/hosts/woodpecker/woodpecker-agent/podman.nix diff --git a/config/hosts/woodpecker/secrets.yaml b/config/hosts/woodpecker/secrets.yaml index 6b960a7b..091ca2e5 100644 --- a/config/hosts/woodpecker/secrets.yaml +++ b/config/hosts/woodpecker/secrets.yaml 
@@ -1,5 +1,5 @@ woodpecker_server_environment_file: ENC[AES256_GCM,data:68Wu0UOHBAGZHSJ0x4wbeDLm626jpumv9w6A65FNKsmzYp6P4/c4g1MF1agQd7l9nKMTRrgyJyfoEZYFQRX6lYSmcsQLfn++uh1JpFoClT5p/5hBkiDq4owUFU+NGUiyl6yjYlEiaxLwC4ZdyISHeEYpbrvGyIXLsFgdrQ0rVX3cCRwIMxFcyCG6d3MZVoqAw1A=,iv:y/+X02aRPBOoR57P9s7y/SijvXVLuiBBfFYqeJLvQEU=,tag:DNwK+M6s3moglkMkrWccyA==,type:str] -woodpecker_agent_environment_file: ENC[AES256_GCM,data:7K+Q59QM9ZIr/SE8VQ9jmshjVSeXGzk+h2T9oIDJASZrYppTFx2N68wsKyFm/Y1GDLY3QEELGXOCa7nSZcdMJTOJ9jj5u7HMw3e0CQGxMUGP,iv:vyDQO7uMxyHpK/cb739sktuAq3zv2MZ9xexAZHD0Of4=,tag:WzNn4iWGlO63aLeStsCdRA==,type:str] +woodpecker_agent_environment_file: ENC[AES256_GCM,data:rwp6TYYFJ/IZH+3pGhPxjdZMLoyPMr/W1RXm4IkUGn+SmIjHZcdFZ8nEhvOfnkfrXNPc2MR+X6NXUmVOcBjSCbcBjh9sC653UpKimt9I3/Ec,iv:X9JH7dmTayw8BaEsXYil3PrykCdd+/ANGHVfEyRvc7A=,tag:/ErkX1WnruanNgTTBUT6LA==,type:str] sops: kms: [] gcp_kms: [] @@ -15,8 +15,8 @@ sops: UExiNFNCdkQ4YTNMdEdoWTdxOFZOZVEKZZbNpbyH31z5tyXeINqoNyqy8zvS3mp0 YFq6P8kO8CaqUG7KH6yWV0Vq4DryQ9vMcQBnboZOfPf9pZUvhacE/Q== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-06-22T14:24:28Z" - mac: ENC[AES256_GCM,data:1MCBR0fU1wMwmTqLKi6ybFD5YX/yYFMO1JLUpB+ZB+PYH+lvYUwo7x52BNxDDETq+VtU13CJLIM0LleOWl0h0xP9vbMC/YMn+ffeWVBYC8mjqaKXYVyAW8ksXn+vDQ+ZP/RWGOJdaKIPLgIJiVF5hfkSo6smfH378cH72f5cmU4=,iv:BgKHSsElxULJ2EA+8/5w4J/hNLH2S+jNNRTXAl/96V4=,tag:z1HeWXA6Ryo0SacG9HARhw==,type:str] + lastmodified: "2024-06-22T15:55:25Z" + mac: ENC[AES256_GCM,data:UmDbmxSRj8YfCkKEelQNMJ8mzbu5aQdB9yOr9JfUh5TB9r5Z5ttZ1wgJDJqHNtsII3JGXUvbgHbsmbPikkrj4Ege1rrgr4UttN1rtgeaAKlZIlqb9pOnV4//GJL8jbxCgFp2h2O80G05nAXG54DaY//4Y5hfTyPzgyDlGQ6jlhg=,iv:5e8lpFfGAJh8lTFcY4MlZG7PgnzM0UycsU0tB2KN+zQ=,tag:4xUEHg04wjDbhc9MOItzuQ==,type:str] pgp: - created_at: "2024-06-21T22:42:59Z" enc: |- diff --git a/config/hosts/woodpecker/woodpecker-agent/default.nix b/config/hosts/woodpecker/woodpecker-agent/default.nix index 1b51267d..279d2bb8 100644 --- a/config/hosts/woodpecker/woodpecker-agent/default.nix 
+++ b/config/hosts/woodpecker/woodpecker-agent/default.nix @@ -2,7 +2,7 @@ { imports = [ - ./podman.nix + ./docker.nix ./woodpecker-agent.nix ]; } diff --git a/config/hosts/woodpecker/woodpecker-agent/docker.nix b/config/hosts/woodpecker/woodpecker-agent/docker.nix new file mode 100644 index 00000000..af13f4c4 --- /dev/null +++ b/config/hosts/woodpecker/woodpecker-agent/docker.nix @@ -0,0 +1,12 @@ +# Sources for this configuration: +# - https://woodpecker-ci.org/docs/administration/deployment/nixos +# - https://woodpecker-ci.org/docs/administration/backends/docker +# - https://nixos.wiki/wiki/Docker + +{ config, pkgs, ... }: + +{ + virtualisation.docker = { + enable = true; + }; +} diff --git a/config/hosts/woodpecker/woodpecker-agent/podman.nix b/config/hosts/woodpecker/woodpecker-agent/podman.nix deleted file mode 100644 index c76740be..00000000 --- a/config/hosts/woodpecker/woodpecker-agent/podman.nix +++ /dev/null @@ -1,20 +0,0 @@ -# Sources for this configuration: -# - https://woodpecker-ci.org/docs/administration/deployment/nixos -# - https://woodpecker-ci.org/docs/administration/backends/docker -# - https://nixos.wiki/wiki/Podman - -{ config, pkgs, ... }: - -{ - virtualisation.podman = { - enable = true; - defaultNetwork.settings.dns_enabled = true; - }; - - networking.firewall.interfaces."podman0" = { - # allowedUDPPorts = [ 53 ] gets already set by virtualisation.podman.defaultNetwork.settings.dns_enabled, but set it here explicitly anyway. - allowedUDPPorts = [ 53 ]; - # For git.hamburg.ccc.de to resolve in the clone step for example, allowedTCPPorts also needs to be set to allow DNS. - allowedTCPPorts = [ 53 ]; - }; -} diff --git a/config/hosts/woodpecker/woodpecker-agent/woodpecker-agent.nix b/config/hosts/woodpecker/woodpecker-agent/woodpecker-agent.nix index 7eac510a..dc89021c 100644 --- a/config/hosts/woodpecker/woodpecker-agent/woodpecker-agent.nix +++ b/config/hosts/woodpecker/woodpecker-agent/woodpecker-agent.nix 
@@ -6,16 +6,15 @@ { config, pkgs, pkgs-unstable, ... }: { - services.woodpecker-agents.agents."podman" = { + services.woodpecker-agents.agents."docker" = { enable = true; # Since we use woodpecker-server from unstable, use the agent from unstable as well. package = pkgs-unstable.woodpecker-agent; - extraGroups = [ "podman" ]; + extraGroups = [ "docker" ]; environment = { WOODPECKER_SERVER = "localhost${config.services.woodpecker-server.environment.WOODPECKER_GRPC_ADDR}"; WOODPECKER_MAX_WORKFLOWS = "4"; WOODPECKER_BACKEND = "docker"; - DOCKER_HOST = "unix:///run/podman/podman.sock"; # Set via enviornmentFile: # WOODPECKER_AGENT_SECRET }; @@ -26,6 +25,6 @@ mode = "0440"; owner = "root"; group = "root"; - restartUnits = [ "woodpecker-agent-podman.service" ]; + restartUnits = [ "woodpecker-agent-docker.service" ]; }; } From 7058ec3582ddf80e97e98c281ba688c705e5ccf9 Mon Sep 17 00:00:00 2001 From: June Date: Sun, 30 Jun 2024 21:12:28 +0200 Subject: [PATCH 071/170] Make passwordless ssh for ptouch-print-server work again Now (with NixOS 24.05) pam.services.sshd.allowNullPassword needs to be set to true for passwordless ssh to work apparently. --- config/hosts/ptouch-print-server/printing.nix | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/config/hosts/ptouch-print-server/printing.nix b/config/hosts/ptouch-print-server/printing.nix index 5964f562..23cacca3 100644 --- a/config/hosts/ptouch-print-server/printing.nix +++ b/config/hosts/ptouch-print-server/printing.nix @@ -90,9 +90,7 @@ in # pam_deny.so # deny (order 12400)" for pam.d/sshd, so enable # PasswordAuthentication to have it not do that. services.openssh.settings.PasswordAuthentication = lib.mkForce true; - # The following doesn't need to be set in order for empty passwords to work - # apparently: - # security.pam.services.sshd.allowNullPassword = true; + security.pam.services.sshd.allowNullPassword = true; services.openssh.extraConfig = '' Match User print PubkeyAuthentication no 
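Review bot: `extraGroups = [ "docker" ];` makes the agent a member of the docker group, which on a standard Docker install is equivalent to root on the host through the daemon socket, so every workflow this agent runs (`WOODPECKER_MAX_WORKFLOWS = "4"`) executes with root-equivalent privilege on this machine. The previous setup pointed `DOCKER_HOST` at `/run/podman/podman.sock`, presumably the rootful podman socket, so the effective trust level may not have changed, but the new code no longer states it anywhere. A comment beside `extraGroups` naming the trust boundary would help operators later, e.g. `# docker group membership is root-equivalent on this host; only trusted repositories may be scheduled on this agent.` The agent definition continues outside the hunk.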
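Review bot: `security.pam.services.sshd.allowNullPassword = true;` is a host-wide PAM setting for sshd rather than something scoped to the `print` user, and combined with `PasswordAuthentication = lib.mkForce true` it means any local account that ends up with an empty password becomes reachable over ssh. The `Match User print` block that follows is cut off by the hunk, so whether `PermitEmptyPasswords` is confined to that user cannot be checked here. Suggest a comment making the scope explicit: `# Host-wide: every sshd login passes through this PAM config, so no account other than 'print' may carry an empty password.`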
From 9f5669222230b67a150a6ad0144641a653239d03 Mon Sep 17 00:00:00 2001 
From: June Date: Mon, 1 Jul 2024 15:31:10 +0200 Subject: [PATCH 072/170] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nixos-generators': 'github:nix-community/nixos-generators/35c20ba421dfa5059e20e0ef2343c875372bdcf3?narHash=sha256-WZ1gdKq/9u1Ns/oXuNsDm%2BW0salonVA0VY1amw8urJ4%3D' (2024-06-10) → 'github:nix-community/nixos-generators/f7a029d41e49ff0747888105e1ed4314dca8436f?narHash=sha256-8lsuMR3rnX4yUPPjz04opgb30Z47sCgZu4TIszWBW9A%3D' (2024-07-01) • Updated input 'nixos-generators/nixlib': 'github:nix-community/nixpkgs.lib/3c62b6a12571c9a7f65ab037173ee153d539905f?narHash=sha256-K6IkdtMtq9xktmYPj0uaYc8NsIqHuaAoRBaMgu9Fvrw%3D' (2024-04-07) → 'github:nix-community/nixpkgs.lib/1bba8a624b3b9d4f68db94fb63aaeb46039ce9e6?narHash=sha256-XFNKtyirrGNdehpg7lMNm1skEcBApjqGhaHc/OI95HY%3D' (2024-06-30) • Updated input 'nixpkgs': 'github:nixos/nixpkgs/201ed88e66f7f34d5c74e46d2e4399cc4bea1501?narHash=sha256-3vNXv4zrblZFobrxz1P3RwLpHl6X3/GzfArdTxq0%2BnI%3D' (2024-06-21) → 'github:nixos/nixpkgs/10c832d0548e9e3a6df7eb51e68c2783212a303e?narHash=sha256-2ASBatUTQWNIiTeBZRuxROu27MyOavVnzeCv7h40QNw%3D' (2024-07-01) • Updated input 'nixpkgs-unstable': 'github:nixos/nixpkgs/1c0bec249943cd3e03f876554b8af7d1e32a09e1?narHash=sha256-uIZlOpCIi/GZ3xrkA87CAHqbTvsTbVQV1JjnP33slxs%3D' (2024-06-21) → 'github:nixos/nixpkgs/7f993cdf26ccef564eabf31fdb40d140821e12bc?narHash=sha256-pY0wosAgcr9W4vmGML0T3BVhQiGuKoozCbs2t%2BJe1zc%3D' (2024-07-01) • Updated input 'sops-nix': 'github:Mic92/sops-nix/797ce4c1f45a85df6dd3d9abdc53f2691bea9251?narHash=sha256-Pm9I/BMQHbsucdWf6y9G3xBZh3TMlThGo4KBbeoeczg%3D' (2024-06-16) → 'github:Mic92/sops-nix/b5974d4331fb6c893e808977a2e1a6d34b3162d6?narHash=sha256-KA9gy2Wkv76s4A8eLnOcdKVTygewbw3xsB8%2BawNMyqs%3D' (2024-06-30) • Updated input 'sops-nix/nixpkgs-stable': 
'github:NixOS/nixpkgs/c884223af91820615a6146af1ae1fea25c107005?narHash=sha256-v43N1gZLcGkhg3PdcrKUNIZ1L0FBzB2JqhIYEyKAHEs%3D' (2024-06-15) → 'github:NixOS/nixpkgs/4a1e673523344f6ccc84b37f4413ad74ea19a119?narHash=sha256-tXlrgAQygNIy49LDVFuPXlWD2zTQV9/F8pfoqwwPJyo%3D' (2024-06-29) --- flake.lock | 36 ++++++++++++++++++------------------ 1 file changed, 18 insertions(+), 18 deletions(-) diff --git a/flake.lock b/flake.lock index a0b58e21..338fbe66 100644 --- a/flake.lock +++ b/flake.lock @@ -2,11 +2,11 @@ "nodes": { "nixlib": { "locked": { - "lastModified": 1712450863, - "narHash": "sha256-K6IkdtMtq9xktmYPj0uaYc8NsIqHuaAoRBaMgu9Fvrw=", + "lastModified": 1719708727, + "narHash": "sha256-XFNKtyirrGNdehpg7lMNm1skEcBApjqGhaHc/OI95HY=", "owner": "nix-community", "repo": "nixpkgs.lib", - "rev": "3c62b6a12571c9a7f65ab037173ee153d539905f", + "rev": "1bba8a624b3b9d4f68db94fb63aaeb46039ce9e6", "type": "github" }, "original": { @@ -23,11 +23,11 @@ ] }, "locked": { - "lastModified": 1718025593, - "narHash": "sha256-WZ1gdKq/9u1Ns/oXuNsDm+W0salonVA0VY1amw8urJ4=", + "lastModified": 1719796208, + "narHash": "sha256-8lsuMR3rnX4yUPPjz04opgb30Z47sCgZu4TIszWBW9A=", "owner": "nix-community", "repo": "nixos-generators", - "rev": "35c20ba421dfa5059e20e0ef2343c875372bdcf3", + "rev": "f7a029d41e49ff0747888105e1ed4314dca8436f", "type": "github" }, "original": { @@ -38,11 +38,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1718955215, - "narHash": "sha256-3vNXv4zrblZFobrxz1P3RwLpHl6X3/GzfArdTxq0+nI=", + "lastModified": 1719825363, + "narHash": "sha256-2ASBatUTQWNIiTeBZRuxROu27MyOavVnzeCv7h40QNw=", "owner": "nixos", "repo": "nixpkgs", - "rev": "201ed88e66f7f34d5c74e46d2e4399cc4bea1501", + "rev": "10c832d0548e9e3a6df7eb51e68c2783212a303e", "type": "github" }, "original": { 
@@ -54,11 +54,11 @@ }, "nixpkgs-stable": { "locked": { - "lastModified": 1718478900, - "narHash": "sha256-v43N1gZLcGkhg3PdcrKUNIZ1L0FBzB2JqhIYEyKAHEs=", + "lastModified": 1719663039, + "narHash": "sha256-tXlrgAQygNIy49LDVFuPXlWD2zTQV9/F8pfoqwwPJyo=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "c884223af91820615a6146af1ae1fea25c107005", + "rev": "4a1e673523344f6ccc84b37f4413ad74ea19a119", "type": "github" }, "original": { @@ -70,11 +70,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1718954653, - "narHash": "sha256-uIZlOpCIi/GZ3xrkA87CAHqbTvsTbVQV1JjnP33slxs=", + "lastModified": 1719824438, + "narHash": "sha256-pY0wosAgcr9W4vmGML0T3BVhQiGuKoozCbs2t+Je1zc=", "owner": "nixos", "repo": "nixpkgs", - "rev": "1c0bec249943cd3e03f876554b8af7d1e32a09e1", + "rev": "7f993cdf26ccef564eabf31fdb40d140821e12bc", "type": "github" }, "original": { @@ -100,11 +100,11 @@ "nixpkgs-stable": "nixpkgs-stable" }, "locked": { - "lastModified": 1718506969, - "narHash": "sha256-Pm9I/BMQHbsucdWf6y9G3xBZh3TMlThGo4KBbeoeczg=", + "lastModified": 1719716556, + "narHash": "sha256-KA9gy2Wkv76s4A8eLnOcdKVTygewbw3xsB8+awNMyqs=", "owner": "Mic92", "repo": "sops-nix", - "rev": "797ce4c1f45a85df6dd3d9abdc53f2691bea9251", + "rev": "b5974d4331fb6c893e808977a2e1a6d34b3162d6", "type": "github" }, "original": { From 1185f9bb41a7acc77f7a71b1ef8f5e7209a45b73 Mon Sep 17 00:00:00 2001 
From: June Date: Mon, 15 Jul 2024 02:15:32 +0200 Subject: [PATCH 073/170] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nixos-generators': 'github:nix-community/nixos-generators/f7a029d41e49ff0747888105e1ed4314dca8436f?narHash=sha256-8lsuMR3rnX4yUPPjz04opgb30Z47sCgZu4TIszWBW9A%3D' (2024-07-01) → 'github:nix-community/nixos-generators/076ea5b672bb1ea535ee84cfdabd0c2f0b7f20c7?narHash=sha256-i8BiZj5faQS6gsupE0S9xtiyZmWinGpVLwxXWV342aQ%3D' (2024-07-13) • Updated input 'nixpkgs': 'github:nixos/nixpkgs/10c832d0548e9e3a6df7eb51e68c2783212a303e?narHash=sha256-2ASBatUTQWNIiTeBZRuxROu27MyOavVnzeCv7h40QNw%3D' (2024-07-01) → 'github:nixos/nixpkgs/74348da2f3a312ee25cea09b98cdba4cb9fa5d5d?narHash=sha256-6vuViC56%2BKSr%2B945bCV8akHK%2B7J5k6n/epYg/W3I5eQ%3D' (2024-07-14) • Updated input 'nixpkgs-unstable': 'github:nixos/nixpkgs/7f993cdf26ccef564eabf31fdb40d140821e12bc?narHash=sha256-pY0wosAgcr9W4vmGML0T3BVhQiGuKoozCbs2t%2BJe1zc%3D' (2024-07-01) → 'github:nixos/nixpkgs/0af9d835c27984b3265145f8e3cbc6c153479196?narHash=sha256-if0qaFmAe8X01NsVRK5e9Asg9mEWVkHrA9WuqM5jB70%3D' (2024-07-14) • Updated input 'sops-nix': 'github:Mic92/sops-nix/b5974d4331fb6c893e808977a2e1a6d34b3162d6?narHash=sha256-KA9gy2Wkv76s4A8eLnOcdKVTygewbw3xsB8%2BawNMyqs%3D' (2024-06-30) → 'github:Mic92/sops-nix/0703ba03fd9c1665f8ab68cc3487302475164617?narHash=sha256-eTpnrT6yu1vp8C0B5fxHXhgKxHoYMoYTEikQx///jxY%3D' (2024-07-14) • Updated input 'sops-nix/nixpkgs-stable': 'github:NixOS/nixpkgs/4a1e673523344f6ccc84b37f4413ad74ea19a119?narHash=sha256-tXlrgAQygNIy49LDVFuPXlWD2zTQV9/F8pfoqwwPJyo%3D' (2024-06-29) → 'github:NixOS/nixpkgs/74348da2f3a312ee25cea09b98cdba4cb9fa5d5d?narHash=sha256-6vuViC56%2BKSr%2B945bCV8akHK%2B7J5k6n/epYg/W3I5eQ%3D' (2024-07-14) --- flake.lock | 32 ++++++++++++++++---------------- 1 file changed, 16 insertions(+), 16 deletions(-) 
diff --git a/flake.lock b/flake.lock index 338fbe66..f34afb07 100644 --- a/flake.lock +++ b/flake.lock @@ -23,11 +23,11 @@ ] }, "locked": { - "lastModified": 1719796208, - "narHash": "sha256-8lsuMR3rnX4yUPPjz04opgb30Z47sCgZu4TIszWBW9A=", + "lastModified": 1720859326, + "narHash": "sha256-i8BiZj5faQS6gsupE0S9xtiyZmWinGpVLwxXWV342aQ=", "owner": "nix-community", "repo": "nixos-generators", - "rev": "f7a029d41e49ff0747888105e1ed4314dca8436f", + "rev": "076ea5b672bb1ea535ee84cfdabd0c2f0b7f20c7", "type": "github" }, "original": { @@ -38,11 +38,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1719825363, - "narHash": "sha256-2ASBatUTQWNIiTeBZRuxROu27MyOavVnzeCv7h40QNw=", + "lastModified": 1720915306, + "narHash": "sha256-6vuViC56+KSr+945bCV8akHK+7J5k6n/epYg/W3I5eQ=", "owner": "nixos", "repo": "nixpkgs", - "rev": "10c832d0548e9e3a6df7eb51e68c2783212a303e", + "rev": "74348da2f3a312ee25cea09b98cdba4cb9fa5d5d", "type": "github" }, "original": { @@ -54,27 +54,27 @@ }, "nixpkgs-stable": { "locked": { - "lastModified": 1719663039, - "narHash": "sha256-tXlrgAQygNIy49LDVFuPXlWD2zTQV9/F8pfoqwwPJyo=", + "lastModified": 1720915306, + "narHash": "sha256-6vuViC56+KSr+945bCV8akHK+7J5k6n/epYg/W3I5eQ=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "4a1e673523344f6ccc84b37f4413ad74ea19a119", + "rev": "74348da2f3a312ee25cea09b98cdba4cb9fa5d5d", "type": "github" }, "original": { "owner": "NixOS", - "ref": "release-23.11", + "ref": "release-24.05", "repo": "nixpkgs", "type": "github" } }, "nixpkgs-unstable": { "locked": { - "lastModified": 1719824438, - "narHash": "sha256-pY0wosAgcr9W4vmGML0T3BVhQiGuKoozCbs2t+Je1zc=", + "lastModified": 1720977633, + "narHash": "sha256-if0qaFmAe8X01NsVRK5e9Asg9mEWVkHrA9WuqM5jB70=", "owner": "nixos", "repo": "nixpkgs", - "rev": "7f993cdf26ccef564eabf31fdb40d140821e12bc", + "rev": "0af9d835c27984b3265145f8e3cbc6c153479196", "type": "github" }, "original": { 
@@ -100,11 +100,11 @@ "nixpkgs-stable": "nixpkgs-stable" }, "locked": { - "lastModified": 1719716556, - "narHash": "sha256-KA9gy2Wkv76s4A8eLnOcdKVTygewbw3xsB8+awNMyqs=", + "lastModified": 1720926522, + "narHash": "sha256-eTpnrT6yu1vp8C0B5fxHXhgKxHoYMoYTEikQx///jxY=", "owner": "Mic92", "repo": "sops-nix", - "rev": "b5974d4331fb6c893e808977a2e1a6d34b3162d6", + "rev": "0703ba03fd9c1665f8ab68cc3487302475164617", "type": "github" }, "original": { From a271fddff8826d06663b7c94d218e73ca64379ce Mon Sep 17 00:00:00 2001 From: June Date: Mon, 15 Jul 2024 02:44:37 +0200 Subject: [PATCH 074/170] Switch from deprecated extraConfig to settings for phpfpm.pools.dokuwiki --- config/hosts/eh22-wiki/dokuwiki.nix | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/config/hosts/eh22-wiki/dokuwiki.nix b/config/hosts/eh22-wiki/dokuwiki.nix index 133e39ad..c0eafaae 100644 --- a/config/hosts/eh22-wiki/dokuwiki.nix +++ b/config/hosts/eh22-wiki/dokuwiki.nix @@ -57,16 +57,16 @@ in { ; Checked with NixOS 23.11 on 2024-05-02. extension = ${pkgs.phpExtensions.bz2}/lib/php/extensions/bz2.so ''; - extraConfig = '' - listen.owner = ${config.services.nginx.user}; - listen.group = ${config.services.nginx.group}; - pm = dynamic - pm.max_children = 32 - pm.start_servers = 2 - pm.min_spare_servers = 2 - pm.max_spare_servers = 4 - pm.max_requests = 500 - ''; + settings = { + "listen.owner" = "${config.services.nginx.user}"; + "listen.group" = "${config.services.nginx.group}"; + "pm" = "dynamic"; + "pm.max_children" = 32; + "pm.start_servers" = 2; + "pm.min_spare_servers" = 2; + "pm.max_spare_servers" = 4; + "pm.max_requests" = 500; + }; }; services.nginx = { From 59b540c9e314720115986b7fdc2fe6c2298e5fee Mon Sep 17 00:00:00 2001 
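Review bot: The new `settings` entries wrap values that are already strings in interpolation, `"listen.owner" = "${config.services.nginx.user}";` and the same for `listen.group`; `"listen.owner" = config.services.nginx.user;` expresses the same thing without the extra quoting. Likewise `"pm"` has no dot and does not need to be a quoted attribute name. Both are style only; the migration away from `extraConfig` itself looks correct, assuming the `settings` option accepts the bare integers used for the `pm.*` values as written.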
From: c6ristian Date: Sun, 21 Jul 2024 23:03:44 +0200 Subject: [PATCH 075/170] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nixpkgs': 'github:nixos/nixpkgs/74348da2f3a312ee25cea09b98cdba4cb9fa5d5d?narHash=sha256-6vuViC56%2BKSr%2B945bCV8akHK%2B7J5k6n/epYg/W3I5eQ%3D' (2024-07-14) → 'github:nixos/nixpkgs/556533a23879fc7e5f98dd2e0b31a6911a213171?narHash=sha256-5NctRsoE54N86nWd0psae70YSLfrOek3Kv1e8KoXe/0%3D' (2024-07-21) • Updated input 'nixpkgs-unstable': 'github:nixos/nixpkgs/0af9d835c27984b3265145f8e3cbc6c153479196?narHash=sha256-if0qaFmAe8X01NsVRK5e9Asg9mEWVkHrA9WuqM5jB70%3D' (2024-07-14) → 'github:nixos/nixpkgs/4cc8b29327bed3d52b40041f810f49734298af46?narHash=sha256-jfF4gpRUpTBY2OxDB0FRySsgNGOiuDckEtu7YDQom3Y%3D' (2024-07-21) • Updated input 'sops-nix': 'github:Mic92/sops-nix/0703ba03fd9c1665f8ab68cc3487302475164617?narHash=sha256-eTpnrT6yu1vp8C0B5fxHXhgKxHoYMoYTEikQx///jxY%3D' (2024-07-14) → 'github:Mic92/sops-nix/909e8cfb60d83321d85c8d17209d733658a21c95?narHash=sha256-AsvPw7T0tBLb53xZGcUC3YPqlIpdxoSx56u8vPCr6gU%3D' (2024-07-21) • Updated input 'sops-nix/nixpkgs-stable': 'github:NixOS/nixpkgs/74348da2f3a312ee25cea09b98cdba4cb9fa5d5d?narHash=sha256-6vuViC56%2BKSr%2B945bCV8akHK%2B7J5k6n/epYg/W3I5eQ%3D' (2024-07-14) → 'github:NixOS/nixpkgs/556533a23879fc7e5f98dd2e0b31a6911a213171?narHash=sha256-5NctRsoE54N86nWd0psae70YSLfrOek3Kv1e8KoXe/0%3D' (2024-07-21) --- flake.lock | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/flake.lock b/flake.lock index f34afb07..8c5f72b0 100644 --- a/flake.lock +++ b/flake.lock 
@@ -38,11 +38,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1720915306, - "narHash": "sha256-6vuViC56+KSr+945bCV8akHK+7J5k6n/epYg/W3I5eQ=", + "lastModified": 1721524707, + "narHash": "sha256-5NctRsoE54N86nWd0psae70YSLfrOek3Kv1e8KoXe/0=", "owner": "nixos", "repo": "nixpkgs", - "rev": "74348da2f3a312ee25cea09b98cdba4cb9fa5d5d", + "rev": "556533a23879fc7e5f98dd2e0b31a6911a213171", "type": "github" }, "original": { @@ -54,11 +54,11 @@ }, "nixpkgs-stable": { "locked": { - "lastModified": 1720915306, - "narHash": "sha256-6vuViC56+KSr+945bCV8akHK+7J5k6n/epYg/W3I5eQ=", + "lastModified": 1721524707, + "narHash": "sha256-5NctRsoE54N86nWd0psae70YSLfrOek3Kv1e8KoXe/0=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "74348da2f3a312ee25cea09b98cdba4cb9fa5d5d", + "rev": "556533a23879fc7e5f98dd2e0b31a6911a213171", "type": "github" }, "original": { @@ -70,11 +70,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1720977633, - "narHash": "sha256-if0qaFmAe8X01NsVRK5e9Asg9mEWVkHrA9WuqM5jB70=", + "lastModified": 1721571961, + "narHash": "sha256-jfF4gpRUpTBY2OxDB0FRySsgNGOiuDckEtu7YDQom3Y=", "owner": "nixos", "repo": "nixpkgs", - "rev": "0af9d835c27984b3265145f8e3cbc6c153479196", + "rev": "4cc8b29327bed3d52b40041f810f49734298af46", "type": "github" }, "original": { @@ -100,11 +100,11 @@ "nixpkgs-stable": "nixpkgs-stable" }, "locked": { - "lastModified": 1720926522, - "narHash": "sha256-eTpnrT6yu1vp8C0B5fxHXhgKxHoYMoYTEikQx///jxY=", + "lastModified": 1721531171, + "narHash": "sha256-AsvPw7T0tBLb53xZGcUC3YPqlIpdxoSx56u8vPCr6gU=", "owner": "Mic92", "repo": "sops-nix", - "rev": "0703ba03fd9c1665f8ab68cc3487302475164617", + "rev": "909e8cfb60d83321d85c8d17209d733658a21c95", "type": "github" }, "original": { From a2102b064f508d8ac57a52030c8b51f8605e3619 Mon Sep 17 00:00:00 2001 
From: June Date: Sat, 27 Jul 2024 21:05:58 +0200 Subject: [PATCH 076/170] Fix container registry image uploads for git server Do this by disabling checking of client request body size. --- config/hosts/git/nginx.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/config/hosts/git/nginx.nix b/config/hosts/git/nginx.nix index 1dd0aadb..ea1a2ac6 100644 --- a/config/hosts/git/nginx.nix +++ b/config/hosts/git/nginx.nix @@ -34,6 +34,10 @@ return = "200 \"User-agent: *\\nDisallow: /*/*/archive/\\n\""; }; }; + + # Disable checking of client request body size to make container registry + # image uploads work. + clientMaxBodySize = "0"; }; networking.firewall.allowedTCPPorts = [ 80 443 ]; From e88982d7c7e8769573192adacd6174a0be575c33 Mon Sep 17 00:00:00 2001 From: June Date: Sat, 27 Jul 2024 22:24:54 +0200 Subject: [PATCH 077/170] Give esphome a static v6 and get cert directly via chal. served over v6 Give the host a static v4 as well. Also let the nginx redirect from the hosts FQDN to the service domain. --- config/hosts/esphome/default.nix | 1 + config/hosts/esphome/networking.nix | 30 ++++++++++++++++ config/hosts/esphome/nginx.nix | 56 +++++++++++++++++++++-------- 3 files changed, 73 insertions(+), 14 deletions(-) create mode 100644 config/hosts/esphome/networking.nix diff --git a/config/hosts/esphome/default.nix b/config/hosts/esphome/default.nix index cfe47bcf..8d5150dd 100644 --- a/config/hosts/esphome/default.nix +++ b/config/hosts/esphome/default.nix @@ -3,6 +3,7 @@ imports = [ ./configuration.nix ./esphome.nix + ./networking.nix ./nginx.nix ]; } diff --git a/config/hosts/esphome/networking.nix b/config/hosts/esphome/networking.nix new file mode 100644 index 00000000..6f65f931 --- /dev/null +++ b/config/hosts/esphome/networking.nix 
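Review bot: `clientMaxBodySize = "0";` appears to sit at the `services.nginx` level (the `};` that follows it precedes the top-level `networking.firewall` line), which removes the request-body limit for every virtual host and location on this server, not only the registry upload path. That gives up a cheap resource-exhaustion safeguard on unrelated endpoints such as the web UI and API. If the registry is the only client that needs unbounded bodies, scoping the override to its location would be tighter, e.g. `locations."/v2/".extraConfig = "client_max_body_size 0;";` on the Forgejo virtual host, or alternatively a large but finite global value. The enclosing `services.nginx` block starts outside the hunk.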
@@ -0,0 +1,30 @@ +{ ... }: + +{ + networking.interfaces.net0 = { + ipv4.addresses = [ + { + address = "10.31.208.24"; + prefixLength = 23; + } + ]; + }; + networking.defaultGateway = "10.31.208.1"; + networking.nameservers = [ "10.31.208.1" ]; + networking.search = [ "z9.ccchh.net" ]; + + networking.interfaces.net0 = { + ipv6.addresses = [ + { + address = "2a07:c480:0:1d0::66"; + prefixLength = 64; + } + ]; + }; + networking.defaultGateway6 = "2a07:c480:0:1d0::1"; + + systemd.network.links."10-net0" = { + matchConfig.MACAddress = "7E:3C:F0:77:8A:F4"; + linkConfig.Name = "net0"; + }; +} diff --git a/config/hosts/esphome/nginx.nix b/config/hosts/esphome/nginx.nix index 3c5cfb92..2b154f0e 100644 --- a/config/hosts/esphome/nginx.nix +++ b/config/hosts/esphome/nginx.nix @@ -1,35 +1,34 @@ { config, ... }: + { services.nginx = { enable = true; virtualHosts = { - "acme-esphome.ccchh.net" = { - enableACME = true; - serverName = "esphome.ccchh.net"; - - listen = [ - { - addr = "0.0.0.0"; - port = 31820; - } - ]; - }; - "esphome.ccchh.net" = { forceSSL = true; - useACMEHost = "esphome.ccchh.net"; + enableACME = true; + serverName = "esphome.ccchh.net"; listen = [ { addr = "0.0.0.0"; port = 80; } + { + addr = "[::]"; + port = 80; + } { addr = "0.0.0.0"; port = 443; ssl = true; } + { + addr = "[::]"; + port = 443; + ssl = true; + } ]; locations."/" = { 
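Review bot: With the added `[::]` listeners on ports 80 and 443 and the global IPv6 address from the new networking.nix, the esphome virtual host is now reachable directly over v6 rather than only through whatever fronted the removed `acme-esphome.ccchh.net` vhost on port 31820. That is what the commit wants for the ACME challenge, but it equally exposes the proxied dashboard under `locations."/"` (body outside the hunk) to anyone who can reach the host on v6, so it is worth confirming that the upstream ESPHome service enforces authentication or that filtering upstream limits who can reach 80/443 on the v6 path. A comment on the `[::]` entries recording that decision would help, e.g. `# Served directly on v6 (no reverse proxy in front): ACME HTTP challenge and the dashboard both terminate here.`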
@@ -37,9 +36,38 @@ proxyWebsockets = true; }; }; + "esphome.z9.ccchh.net" = { + forceSSL = true; + useACMEHost = "esphome.ccchh.net"; + serverName = "esphome.z9.ccchh.net"; + listen = [ + { + addr = "0.0.0.0"; + port = 80; + } + { + addr = "[::]"; + port = 80; + } + { + addr = "0.0.0.0"; + port = 443; + ssl = true; + } + { + addr = "[::]"; + port = 443; + ssl = true; + } + ]; + + globalRedirect = "esphome.ccchh.net"; + redirectCode = 307; + }; }; }; + security.acme.certs."esphome.ccchh.net".extraDomainNames = [ "esphome.z9.ccchh.net" ]; - networking.firewall.allowedTCPPorts = [ 80 443 31820 ]; + networking.firewall.allowedTCPPorts = [ 80 443 ]; } From b30015fee1bd29a158fa777d13f21d4ac03d8de0 Mon Sep 17 00:00:00 2001 From: June Date: Tue, 30 Jul 2024 01:17:05 +0200 Subject: [PATCH 078/170] Clean up networking configs by making them all use the same layout Also use the v6 gateway as a nameserver as well for the esphome host. --- .../audio-hauptraum-kueche/networking.nix | 7 ++-- .../audio-hauptraum-tafel/networking.nix | 7 ++-- config/hosts/eh22-wiki/networking.nix | 25 ++++++------ config/hosts/esphome/networking.nix | 39 +++++++++---------- .../forgejo-actions-runner/networking.nix | 24 ++++++------ config/hosts/git/networking.nix | 39 +++++++++---------- config/hosts/matrix/networking.nix | 22 ++++++----- config/hosts/mjolnir/networking.nix | 22 ++++++----- config/hosts/mqtt/networking.nix | 33 ++++++++-------- config/hosts/netbox/networking.nix | 30 +++++++------- config/hosts/nix-box-june/networking.nix | 26 ++++++------- .../hosts/ptouch-print-server/networking.nix | 4 +- config/hosts/public-web-static/networking.nix | 22 ++++++----- config/hosts/woodpecker/networking.nix | 25 ++++++------ config/hosts/yate/networking.nix | 2 +- 15 files changed, 162 insertions(+), 165 deletions(-) diff --git a/config/hosts/audio-hauptraum-kueche/networking.nix b/config/hosts/audio-hauptraum-kueche/networking.nix index ee01d0b8..0118db4c 100644 
--- a/config/hosts/audio-hauptraum-kueche/networking.nix +++ b/config/hosts/audio-hauptraum-kueche/networking.nix @@ -1,4 +1,4 @@ -{ config, pkgs, ... }: +{ ... }: { networking = { @@ -11,10 +11,9 @@ ]; }; defaultGateway = "10.31.210.1"; - nameservers = [ - "10.31.210.1" - ]; + nameservers = [ "10.31.210.1" ]; }; + systemd.network.links."10-net0" = { matchConfig.MACAddress = "1E:EF:2D:92:81:DA"; linkConfig.Name = "net0"; diff --git a/config/hosts/audio-hauptraum-tafel/networking.nix b/config/hosts/audio-hauptraum-tafel/networking.nix index 60529090..37185b7c 100644 --- a/config/hosts/audio-hauptraum-tafel/networking.nix +++ b/config/hosts/audio-hauptraum-tafel/networking.nix @@ -1,4 +1,4 @@ -{ config, pkgs, ... }: +{ ... }: { networking = { @@ -11,10 +11,9 @@ ]; }; defaultGateway = "10.31.210.1"; - nameservers = [ - "10.31.210.1" - ]; + nameservers = [ "10.31.210.1" ]; }; + systemd.network.links."10-net0" = { matchConfig.MACAddress = "D2:10:33:B1:72:C3"; linkConfig.Name = "net0"; diff --git a/config/hosts/eh22-wiki/networking.nix b/config/hosts/eh22-wiki/networking.nix index bddeabfb..fba2da9e 100644 --- a/config/hosts/eh22-wiki/networking.nix +++ b/config/hosts/eh22-wiki/networking.nix @@ -1,20 +1,19 @@ -# Sources for this configuration: -# - https://nixos.wiki/wiki/Networking - { ... }: { - networking.interfaces.net0 = { - ipv4.addresses = [ - { - address = "172.31.17.159"; - prefixLength = 25; - } - ]; + networking = { + interfaces.net0 = { + ipv4.addresses = [ + { + address = "172.31.17.159"; + prefixLength = 25; + } + ]; + }; + defaultGateway = "172.31.17.129"; + nameservers = [ "212.12.50.158" "192.76.134.90" ]; + search = [ "hamburg.ccc.de" ]; }; - networking.defaultGateway = "172.31.17.129"; - networking.nameservers = [ "212.12.50.158" "192.76.134.90" ]; - networking.search = [ "hamburg.ccc.de" ]; systemd.network.links."10-net0" = { matchConfig.MACAddress = "BC:24:11:37:F0:AB"; 
diff --git a/config/hosts/esphome/networking.nix b/config/hosts/esphome/networking.nix index 6f65f931..a2c64d32 100644 --- a/config/hosts/esphome/networking.nix +++ b/config/hosts/esphome/networking.nix @@ -1,27 +1,26 @@ { ... }: { - networking.interfaces.net0 = { - ipv4.addresses = [ - { - address = "10.31.208.24"; - prefixLength = 23; - } - ]; + networking = { + interfaces.net0 = { + ipv4.addresses = [ + { + address = "10.31.208.24"; + prefixLength = 23; + } + ]; + ipv6.addresses = [ + { + address = "2a07:c480:0:1d0::66"; + prefixLength = 64; + } + ]; + }; + defaultGateway = "10.31.208.1"; + defaultGateway6 = "2a07:c480:0:1d0::1"; + nameservers = [ "10.31.208.1" "2a07:c480:0:1d0::1" ]; + search = [ "z9.ccchh.net" ]; }; - networking.defaultGateway = "10.31.208.1"; - networking.nameservers = [ "10.31.208.1" ]; - networking.search = [ "z9.ccchh.net" ]; - - networking.interfaces.net0 = { - ipv6.addresses = [ - { - address = "2a07:c480:0:1d0::66"; - prefixLength = 64; - } - ]; - }; - networking.defaultGateway6 = "2a07:c480:0:1d0::1"; systemd.network.links."10-net0" = { matchConfig.MACAddress = "7E:3C:F0:77:8A:F4"; diff --git a/config/hosts/forgejo-actions-runner/networking.nix b/config/hosts/forgejo-actions-runner/networking.nix index 7c5e1781..89902249 100644 --- a/config/hosts/forgejo-actions-runner/networking.nix +++ b/config/hosts/forgejo-actions-runner/networking.nix 
@@ -1,17 +1,19 @@ -{ config, pkgs, ... }: +{ ... }: { - networking.interfaces.net0 = { - ipv4.addresses = [ - { - address = "172.31.17.155"; - prefixLength = 25; - } - ]; + networking = { + interfaces.net0 = { + ipv4.addresses = [ + { + address = "172.31.17.155"; + prefixLength = 25; + } + ]; + }; + defaultGateway = "172.31.17.129"; + nameservers = [ "212.12.50.158" "192.76.134.90" ]; + search = [ "hamburg.ccc.de" ]; }; - networking.defaultGateway = "172.31.17.129"; - networking.nameservers = [ "212.12.50.158" "192.76.134.90" ]; - networking.search = [ "hamburg.ccc.de" ]; systemd.network.links."10-net0" = { matchConfig.MACAddress = "1E:E0:4E:D0:DA:BE"; diff --git a/config/hosts/git/networking.nix b/config/hosts/git/networking.nix index b73b9539..688fff3d 100644 --- a/config/hosts/git/networking.nix +++ b/config/hosts/git/networking.nix @@ -4,27 +4,26 @@ { ... }: { - networking.interfaces.net0 = { - ipv4.addresses = [ - { - address = "212.12.51.136"; - prefixLength = 28; - } - ]; + networking = { + interfaces.net0 = { + ipv4.addresses = [ + { + address = "212.12.51.136"; + prefixLength = 28; + } + ]; + ipv6.addresses = [ + { + address = "2a00:14b0:f000:23:51:136::1"; + prefixLength = 64; + } + ]; + }; + defaultGateway = "212.12.51.129"; + defaultGateway6 = "2a00:14b0:f000:23::1"; + nameservers = [ "212.12.50.158" "192.76.134.90" ]; + search = [ "hamburg.ccc.de" ]; }; - networking.defaultGateway = "212.12.51.129"; - networking.nameservers = [ "212.12.50.158" "192.76.134.90" ]; - networking.search = [ "hamburg.ccc.de" ]; - - networking.interfaces.net0 = { - ipv6.addresses = [ - { - address = "2a00:14b0:f000:23:51:136::1"; - prefixLength = 64; - } - ]; - }; - networking.defaultGateway6 = "2a00:14b0:f000:23::1"; systemd.network.links."10-net0" = { matchConfig.MACAddress = "92:7B:E6:12:A4:FA"; diff --git a/config/hosts/matrix/networking.nix b/config/hosts/matrix/networking.nix index 370bbbde..5fa1aa1e 100644 --- a/config/hosts/matrix/networking.nix 
+++ b/config/hosts/matrix/networking.nix @@ -1,17 +1,19 @@ { ... }: { - networking.interfaces.net0 = { - ipv4.addresses = [ - { - address = "172.31.17.150"; - prefixLength = 25; - } - ]; + networking = { + interfaces.net0 = { + ipv4.addresses = [ + { + address = "172.31.17.150"; + prefixLength = 25; + } + ]; + }; + defaultGateway = "172.31.17.129"; + nameservers = [ "212.12.50.158" "192.76.134.90" ]; + search = [ "hamburg.ccc.de" ]; }; - networking.defaultGateway = "172.31.17.129"; - networking.nameservers = [ "212.12.50.158" "192.76.134.90" ]; - networking.search = [ "hamburg.ccc.de" ]; systemd.network.links."10-net0" = { matchConfig.MACAddress = "2A:A5:80:C3:8E:32"; diff --git a/config/hosts/mjolnir/networking.nix b/config/hosts/mjolnir/networking.nix index 04559f77..a441814d 100644 --- a/config/hosts/mjolnir/networking.nix +++ b/config/hosts/mjolnir/networking.nix @@ -1,17 +1,19 @@ { ... }: { - networking.interfaces.net0 = { - ipv4.addresses = [ - { - address = "172.31.17.161"; - prefixLength = 25; - } - ]; + networking = { + interfaces.net0 = { + ipv4.addresses = [ + { + address = "172.31.17.161"; + prefixLength = 25; + } + ]; + }; + defaultGateway = "172.31.17.129"; + nameservers = [ "212.12.50.158" "192.76.134.90" ]; + search = [ "hamburg.ccc.de" ]; }; - networking.defaultGateway = "172.31.17.129"; - networking.nameservers = [ "212.12.50.158" "192.76.134.90" ]; - networking.search = [ "hamburg.ccc.de" ]; systemd.network.links."10-net0" = { matchConfig.MACAddress = "BC:24:11:C9:F8:C5"; diff --git a/config/hosts/mqtt/networking.nix b/config/hosts/mqtt/networking.nix index 5bd66169..7a34cbb3 100644 --- a/config/hosts/mqtt/networking.nix +++ b/config/hosts/mqtt/networking.nix 
@@ -1,20 +1,21 @@ { ... }: { - networking = { - interfaces.net0 = { - ipv4.addresses = [ { - address = "10.31.208.14"; - prefixLength = 23; - } ]; - }; - defaultGateway = "10.31.208.1"; - nameservers = [ - "10.31.210.1" - ]; + networking = { + interfaces.net0 = { + ipv4.addresses = [ + { + address = "10.31.208.14"; + prefixLength = 23; + } + ]; }; - systemd.network.links."10-net0" = { - matchConfig.MACAddress = "BC:24:11:48:85:73"; - linkConfig.Name = "net0"; - }; -} \ No newline at end of file + defaultGateway = "10.31.208.1"; + nameservers = [ "10.31.210.1" ]; + }; + + systemd.network.links."10-net0" = { + matchConfig.MACAddress = "BC:24:11:48:85:73"; + linkConfig.Name = "net0"; + }; +} diff --git a/config/hosts/netbox/networking.nix b/config/hosts/netbox/networking.nix index dbfe9a66..a0abcfe3 100644 --- a/config/hosts/netbox/networking.nix +++ b/config/hosts/netbox/networking.nix @@ -1,23 +1,19 @@ -# Networking configuration for the host. -# Sources for this configuration: -# - https://nixos.org/manual/nixos/stable/#sec-networking -# - https://nixos.wiki/wiki/Systemd-networkd -# - https://wiki.archlinux.org/title/Systemd-networkd - -{ config, pkgs, ... }: +{ ... }: { - networking.interfaces.net0 = { - ipv4.addresses = [ - { - address = "172.31.17.149"; - prefixLength = 25; - } - ]; + networking = { + interfaces.net0 = { + ipv4.addresses = [ + { + address = "172.31.17.149"; + prefixLength = 25; + } + ]; + }; + defaultGateway = "172.31.17.129"; + nameservers = [ "212.12.50.158" "192.76.134.90" ]; + search = [ "hamburg.ccc.de" ]; }; - networking.defaultGateway = "172.31.17.129"; - networking.nameservers = [ "212.12.50.158" "192.76.134.90" ]; - networking.search = [ "hamburg.ccc.de" ]; systemd.network.links."10-net0" = { matchConfig.MACAddress = "62:ED:44:20:7C:C1"; diff --git a/config/hosts/nix-box-june/networking.nix b/config/hosts/nix-box-june/networking.nix index 073250bc..2c1faee0 100644 --- a/config/hosts/nix-box-june/networking.nix 
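Review bot: The mqtt host keeps `nameservers = [ "10.31.210.1" ];` while its address 10.31.208.14/23 and `defaultGateway = "10.31.208.1"` are in 10.31.208.0/23, so the resolver lies outside the host's own subnet and is reached via the gateway. The other hosts in that /23 touched by this commit (esphome and ptouch-print-server) use 10.31.208.1 as nameserver, and 10.31.210.1 is the value the audio-hauptraum hosts with gateway 10.31.210.1 use. Since this commit only reshapes the file the value may well be intentional, but it is the one networking.nix that breaks the pattern and deserves either `nameservers = [ "10.31.208.1" ];` or a short comment explaining why it differs.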
+++ b/config/hosts/nix-box-june/networking.nix @@ -1,19 +1,19 @@ -# Networking configuration for the host. - -{ config, pkgs, ... }: +{ ... }: { - networking.interfaces.net0 = { - ipv4.addresses = [ - { - address = "172.31.17.158"; - prefixLength = 25; - } - ]; + networking = { + interfaces.net0 = { + ipv4.addresses = [ + { + address = "172.31.17.158"; + prefixLength = 25; + } + ]; + }; + defaultGateway = "172.31.17.129"; + nameservers = [ "212.12.50.158" "192.76.134.90" ]; + search = [ "hamburg.ccc.de" ]; }; - networking.defaultGateway = "172.31.17.129"; - networking.nameservers = [ "212.12.50.158" "192.76.134.90" ]; - networking.search = [ "hamburg.ccc.de" ]; systemd.network.links."10-net0" = { matchConfig.MACAddress = "BC:24:11:6A:33:5F"; diff --git a/config/hosts/ptouch-print-server/networking.nix b/config/hosts/ptouch-print-server/networking.nix index 7c7cb62e..83031a10 100644 --- a/config/hosts/ptouch-print-server/networking.nix +++ b/config/hosts/ptouch-print-server/networking.nix @@ -11,9 +11,7 @@ ]; }; defaultGateway = "10.31.208.1"; - nameservers = [ - "10.31.208.1" - ]; + nameservers = [ "10.31.208.1" ]; }; systemd.network.links."10-net0" = { diff --git a/config/hosts/public-web-static/networking.nix b/config/hosts/public-web-static/networking.nix index 34b36f3c..cb22d400 100644 --- a/config/hosts/public-web-static/networking.nix +++ b/config/hosts/public-web-static/networking.nix 
@@ -1,17 +1,19 @@ { ... }: { - networking.interfaces.net0 = { - ipv4.addresses = [ - { - address = "172.31.17.151"; - prefixLength = 25; - } - ]; + networking = { + interfaces.net0 = { + ipv4.addresses = [ + { + address = "172.31.17.151"; + prefixLength = 25; + } + ]; + }; + defaultGateway = "172.31.17.129"; + nameservers = [ "212.12.50.158" "192.76.134.90" ]; + search = [ "hamburg.ccc.de" ]; }; - networking.defaultGateway = "172.31.17.129"; - networking.nameservers = [ "212.12.50.158" "192.76.134.90" ]; - networking.search = [ "hamburg.ccc.de" ]; systemd.network.links."10-net0" = { matchConfig.MACAddress = "86:72:08:F6:C0:D6"; diff --git a/config/hosts/woodpecker/networking.nix b/config/hosts/woodpecker/networking.nix index 17fa56c9..3301812c 100644 --- a/config/hosts/woodpecker/networking.nix +++ b/config/hosts/woodpecker/networking.nix @@ -1,20 +1,19 @@ -# Sources for this configuration: -# - https://nixos.wiki/wiki/Networking - { ... }: { - networking.interfaces.net0 = { - ipv4.addresses = [ - { - address = "172.31.17.160"; - prefixLength = 25; - } - ]; + networking = { + interfaces.net0 = { + ipv4.addresses = [ + { + address = "172.31.17.160"; + prefixLength = 25; + } + ]; + }; + defaultGateway = "172.31.17.129"; + nameservers = [ "212.12.50.158" "192.76.134.90" ]; + search = [ "hamburg.ccc.de" ]; }; - networking.defaultGateway = "172.31.17.129"; - networking.nameservers = [ "212.12.50.158" "192.76.134.90" ]; - networking.search = [ "hamburg.ccc.de" ]; systemd.network.links."10-net0" = { matchConfig.MACAddress = "BC:24:11:5F:A9:B7"; diff --git a/config/hosts/yate/networking.nix b/config/hosts/yate/networking.nix index 225edd28..a06a019c 100644 --- a/config/hosts/yate/networking.nix +++ b/config/hosts/yate/networking.nix @@ -1,4 +1,4 @@ -{ config, pkgs, ... }: +{ ... }: { networking = { From 35e5fbc8a2349afecea9db8d8950a5c16097f41b Mon Sep 17 00:00:00 2001 
From: June Date: Tue, 30 Jul 2024 01:35:13 +0200 Subject: [PATCH 079/170] Add .editorconfig for ensuring some consistency --- .editorconfig | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 .editorconfig diff --git a/.editorconfig b/.editorconfig new file mode 100644 index 00000000..890d9701 --- /dev/null +++ b/.editorconfig @@ -0,0 +1,23 @@ +root = true + +[*] +end_of_line = lf +insert_final_newline = true +indent_style = space +charset = utf-8 + +[*.nix] +indent_size = 2 +trim_trailing_whitespace = true + +[*.md] +indent_size = 2 +trim_trailing_whitespace = false + +[*.json] +indent_size = 2 +trim_trailing_whitespace = true + +[*.yaml] +indent_size = 2 +trim_trailing_whitespace = true From 028b5dc9e829a989a24a22109f17ee06137931d3 Mon Sep 17 00:00:00 2001 From: June Date: Sun, 4 Aug 2024 02:19:26 +0200 Subject: [PATCH 080/170] Configure Uptime-Kuma host --- config/hosts/public-reverse-proxy/nginx.nix | 1 + config/hosts/status/configuration.nix | 10 ++ config/hosts/status/default.nix | 10 ++ config/hosts/status/networking.nix | 29 ++++ config/hosts/status/nginx.nix | 149 ++++++++++++++++++++ config/hosts/status/uptime-kuma.nix | 7 + flake.nix | 10 ++ 7 files changed, 216 insertions(+) create mode 100644 config/hosts/status/configuration.nix create mode 100644 config/hosts/status/default.nix create mode 100644 config/hosts/status/networking.nix create mode 100644 config/hosts/status/nginx.nix create mode 100644 config/hosts/status/uptime-kuma.nix diff --git a/config/hosts/public-reverse-proxy/nginx.nix b/config/hosts/public-reverse-proxy/nginx.nix index ff14adbb..507b71a9 100644 --- a/config/hosts/public-reverse-proxy/nginx.nix +++ b/config/hosts/public-reverse-proxy/nginx.nix @@ -9,6 +9,7 @@ services.nginx.streamConfig = '' map $ssl_preread_server_name $address { status.ccchh.net 10.31.206.15:8443; + status.hamburg.ccc.de 10.31.206.15:8443; } # Listen on port 443 as a reverse proxy and use PROXY Protocol for the 
diff --git a/config/hosts/status/configuration.nix b/config/hosts/status/configuration.nix
new file mode 100644
index 00000000..c36dc639
--- /dev/null
+++ b/config/hosts/status/configuration.nix
@@ -0,0 +1,10 @@
+{ ... }:
+
+{
+ networking = {
+ hostName = "status";
+ domain = "z9.ccchh.net";
+ };
+
+ system.stateVersion = "24.05";
+}
diff --git a/config/hosts/status/default.nix b/config/hosts/status/default.nix
new file mode 100644
index 00000000..d8644c59
--- /dev/null
+++ b/config/hosts/status/default.nix
@@ -0,0 +1,10 @@
+{ ... }:
+
+{
+ imports = [
+ ./configuration.nix
+ ./networking.nix
+ ./nginx.nix
+ ./uptime-kuma.nix
+ ];
+}
diff --git a/config/hosts/status/networking.nix b/config/hosts/status/networking.nix
new file mode 100644
index 00000000..e7f1932e
--- /dev/null
+++ b/config/hosts/status/networking.nix
@@ -0,0 +1,29 @@
+{ ... }:
+
+{
+ networking = {
+ interfaces.net0 = {
+ ipv4.addresses = [
+ {
+ address = "10.31.206.15";
+ prefixLength = 23;
+ }
+ ];
+ ipv6.addresses = [
+ {
+ address = "2a07:c480:0:1ce::f";
+ prefixLength = 64;
+ }
+ ];
+ };
+ defaultGateway = "10.31.206.1";
+ defaultGateway6 = "2a07:c480:0:1ce::1";
+ nameservers = [ "10.31.206.1" "2a07:c480:0:1ce::1" ];
+ search = [ "z9.ccchh.net" ];
+ };
+
+ systemd.network.links."10-net0" = {
+ matchConfig.MACAddress = "BC:24:11:79:D3:E1";
+ linkConfig.Name = "net0";
+ };
+}
diff --git a/config/hosts/status/nginx.nix b/config/hosts/status/nginx.nix
new file mode 100644
index 00000000..8eff61cc
--- /dev/null
+++ b/config/hosts/status/nginx.nix
@@ -0,0 +1,149 @@ +# Sources for this configuration: +# - https://github.com/louislam/uptime-kuma/wiki/Reverse-Proxy + +{ config, ... }: + +{ + services.nginx = { + enable = true; + + virtualHosts = { + "status.hamburg.ccc.de" = { + forceSSL = true; + enableACME = true; + serverName = "status.hamburg.ccc.de"; + + listen = [ + { + addr = "[::]"; + port = 80; + } + { + addr = "[::]"; + port = 443; + ssl = true; + } + ]; + + locations."/" = { + proxyPass = "http://localhost:3001"; + proxyWebsockets = true; + }; + }; + "status-proxyprotocol.hamburg.ccc.de" = { + forceSSL = true; + useACMEHost = "status.hamburg.ccc.de"; + serverName = "status.hamburg.ccc.de"; + + listen = [ + { + addr = "0.0.0.0"; + port = 8443; + ssl = true; + proxyProtocol = true; + } + ]; + + locations."/" = { + proxyPass = "http://localhost:3001"; + proxyWebsockets = true; + }; + + extraConfig = '' + # Make use of the ngx_http_realip_module to set the $remote_addr and + # $remote_port to the client address and client port, when using proxy + # protocol. + # First set our proxy protocol proxy as trusted. + set_real_ip_from 10.31.206.11; + # Then tell the realip_module to get the addreses from the proxy protocol + # header. 
+ real_ip_header proxy_protocol; + ''; + }; + "status.ccchh.net" = { + forceSSL = true; + useACMEHost = "status.hamburg.ccc.de"; + serverName = "status.ccchh.net"; + + listen = [ + { + addr = "[::]"; + port = 80; + } + { + addr = "[::]"; + port = 443; + ssl = true; + } + ]; + + globalRedirect = "status.hamburg.ccc.de"; + redirectCode = 307; + }; + "status-proxyprotocol.ccchh.net" = { + forceSSL = true; + useACMEHost = "status.hamburg.ccc.de"; + serverName = "status.ccchh.net"; + + listen = [ + { + addr = "0.0.0.0"; + port = 8443; + ssl = true; + proxyProtocol = true; + } + ]; + + globalRedirect = "status.hamburg.ccc.de"; + redirectCode = 307; + + extraConfig = '' + # Make use of the ngx_http_realip_module to set the $remote_addr and + # $remote_port to the client address and client port, when using proxy + # protocol. + # First set our proxy protocol proxy as trusted. + set_real_ip_from 10.31.206.11; + # Then tell the realip_module to get the addreses from the proxy protocol + # header. + real_ip_header proxy_protocol; + ''; + }; + "status.z9.ccchh.net" = { + forceSSL = true; + useACMEHost = "status.hamburg.ccc.de"; + serverName = "status.z9.ccchh.net"; + + listen = [ + { + addr = "0.0.0.0"; + port = 80; + } + { + addr = "[::]"; + port = 80; + } + { + addr = "0.0.0.0"; + port = 443; + ssl = true; + } + { + addr = "[::]"; + port = 443; + ssl = true; + } + ]; + + globalRedirect = "status.hamburg.ccc.de"; + redirectCode = 307; + }; + }; + }; + + security.acme.certs."status.hamburg.ccc.de".extraDomainNames = [ + "status.ccchh.net" + "status.z9.ccchh.net" + ]; + + networking.firewall.allowedTCPPorts = [ 80 443 8443 ]; +} diff --git a/config/hosts/status/uptime-kuma.nix b/config/hosts/status/uptime-kuma.nix new file mode 100644 index 00000000..02411f28 --- /dev/null +++ b/config/hosts/status/uptime-kuma.nix @@ -0,0 +1,7 @@ +{ ... }: + +{ + services.uptime-kuma = { + enable = true; + }; +} diff --git a/flake.nix b/flake.nix index f508b35e..0eef08a1 100644 --- a/flake.nix 
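Review bot: The realip directives in the two `status-proxyprotocol.*` vhosts only change what nginx itself records as `$remote_addr`; as far as this hunk shows, nothing forwards that address to Uptime-Kuma, so the `proxyPass = "http://localhost:3001"` locations leave the backend seeing a loopback address for every client in its logs and in any address-based limiting it performs. Setting `recommendedProxySettings = true;` on `services.nginx` (which adds the `X-Real-IP`/`X-Forwarded-For` headers to proxied requests) would carry the client address through. Separately, `networking.firewall.allowedTCPPorts = [ 80 443 8443 ];` exposes the PROXY-protocol listener on `0.0.0.0:8443` to every host that can reach this VM while only `10.31.206.11` is trusted by `set_real_ip_from`; a source-restricted firewall rule for 8443 would align the firewall with that trust boundary. The `status.hamburg.ccc.de` vhost also binds only `[::]` on 80/443 whereas `status.z9.ccchh.net` binds both address families, so an IPv4 client reaching 443 directly lands on the z9 redirect vhost — presumably fine if IPv4 only arrives via the reverse proxy, but worth confirming.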
+++ b/flake.nix @@ -224,6 +224,16 @@ inherit pkgs-unstable; }; }; + + status = nixpkgs.lib.nixosSystem { + inherit system; + modules = [ + ./config/common + ./config/proxmox-vm + sops-nix.nixosModules.sops + ./config/hosts/status + ]; + }; }; packages.x86_64-linux = { From 1ffc959ce30b53b6b9558cf7ad14d1a654ad9aea Mon Sep 17 00:00:00 2001 From: June Date: Sun, 4 Aug 2024 21:03:29 +0200 Subject: [PATCH 081/170] Update spaceapid to v0.1.0 --- config/hosts/public-web-static/spaceapid.nix | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/config/hosts/public-web-static/spaceapid.nix b/config/hosts/public-web-static/spaceapid.nix index 13de76b5..3f1f8fef 100644 --- a/config/hosts/public-web-static/spaceapid.nix +++ b/config/hosts/public-web-static/spaceapid.nix @@ -1,19 +1,20 @@ { pkgs, ... }: let - spaceapidSrc = builtins.fetchGit { + version = "v0.1.0"; + spaceapidSrc = pkgs.fetchgit { url = "https://git.hamburg.ccc.de/CCCHH/spaceapid.git"; - ref = "main"; - rev = "17753f535c68157e80f30f50deb488133cc98258"; + rev = version; + hash = "sha256-2SDhliltzyydPPZdNn/htDydiK/SHQcYyG/dQ0EyFrY="; }; spaceapid = pkgs.buildGoModule rec { pname = "spaceapid"; - version = "main"; + inherit version; src = spaceapidSrc; ldflags = [ - "-X main.version=${version}-${spaceapidSrc.rev}" + "-X main.version=${version}" ]; # Since spaceapid doesn't have any dependencies, we can set this to null and From faffcb7d5482f3d1079cd40cc76cfcdc5196b60b Mon Sep 17 00:00:00 2001 From: June Date: Sun, 4 Aug 2024 21:05:43 +0200 Subject: [PATCH 082/170] spaceapi: remove inside sensors for privacy reasons --- .../spaceapid-config/ccchh-dynamic.json | 62 ------------------- 1 file changed, 62 deletions(-) diff --git a/config/hosts/public-web-static/spaceapid-config/ccchh-dynamic.json b/config/hosts/public-web-static/spaceapid-config/ccchh-dynamic.json index b2f9f8e2..885d339e 100644 --- a/config/hosts/public-web-static/spaceapid-config/ccchh-dynamic.json 
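Review bot: `version = "v0.1.0";` carries the tag's `v` prefix into `buildGoModule`'s `version` and into the `-X main.version=${version}` ldflag, whereas the nixpkgs convention is `version = "0.1.0";` with `rev = "v${version}";`, keeping the package version and the tag prefix separate. The move from `builtins.fetchGit` to `pkgs.fetchgit` with a `hash` is the right direction: the build now fails loudly if the tag is ever moved instead of silently following it.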
+++ b/config/hosts/public-web-static/spaceapid-config/ccchh-dynamic.json @@ -2,26 +2,6 @@ "dynamic": { "sensors": { "temperature": [ - { - "sensor_data": { - "unit": "°C", - "location": "Hauptraum", - "description": "Sensor im Hauptraum" - }, - "allowed_credentials": [ - "club-assistant" - ] - }, - { - "sensor_data": { - "unit": "°C", - "location": "Loetschlauch", - "description": "Sensor im Lötschlauch (Teil der Werkstatt)" - }, - "allowed_credentials": [ - "club-assistant" - ] - }, { "sensor_data": { "unit": "°C", @@ -34,26 +14,6 @@ } ], "humidity": [ - { - "sensor_data": { - "unit": "%", - "location": "Hauptraum", - "description": "Sensor im Hauptraum" - }, - "allowed_credentials": [ - "club-assistant" - ] - }, - { - "sensor_data": { - "unit": "%", - "location": "Loetschlauch", - "description": "Sensor im Lötschlauch (Teil der Werkstatt)" - }, - "allowed_credentials": [ - "club-assistant" - ] - }, { "sensor_data": { "unit": "%", @@ -64,28 +24,6 @@ "club-assistant" ] } - ], - "CO2": [ - { - "sensor_data": { - "unit": "ppm", - "location": "Hauptraum", - "description": "Sensor im Hauptraum (Typ: SCD41)" - }, - "allowed_credentials": [ - "club-assistant" - ] - }, - { - "sensor_data": { - "unit": "ppm", - "location": "Loetschlauch", - "description": "Sensor im Lötschlauch (Teil der Werkstatt, Typ: SCD41)" - }, - "allowed_credentials": [ - "club-assistant" - ] - } ] }, "state": { From 178777007f70b791e8d466a58f20a83e8eb85bab Mon Sep 17 00:00:00 2001 
From: June Date: Sat, 10 Aug 2024 22:38:05 +0200 Subject: [PATCH 083/170] penpot: configure penpot host using oci-containers --- .sops.yaml | 17 ++ config/hosts/penpot/configuration.nix | 7 + config/hosts/penpot/default.nix | 11 ++ config/hosts/penpot/networking.nix | 20 +++ config/hosts/penpot/nginx.nix | 63 +++++++ config/hosts/penpot/penpot.nix | 198 ++++++++++++++++++++++ config/hosts/penpot/secrets.yaml | 234 ++++++++++++++++++++++++++ config/hosts/penpot/sops.nix | 7 + deployment_configuration.json | 3 + flake.nix | 10 ++ 10 files changed, 570 insertions(+) create mode 100644 config/hosts/penpot/configuration.nix create mode 100644 config/hosts/penpot/default.nix create mode 100644 config/hosts/penpot/networking.nix create mode 100644 config/hosts/penpot/nginx.nix create mode 100644 config/hosts/penpot/penpot.nix create mode 100644 config/hosts/penpot/secrets.yaml create mode 100644 config/hosts/penpot/sops.nix diff --git a/.sops.yaml b/.sops.yaml index 52a8aa70..ec660ecd 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -17,6 +17,7 @@ keys: - &host_age_public_web_static age19s7r8sf7j6zk24x9vumawgxpd2q8epyv7p9qsjntw7v9s3v045mqhmsfp0 - &host_age_mjolnir age1ej52kwuj8xraxdq685eejj4dmxpfmpgt4d8jka98rtpal6xcueqq9a6wae - &host_age_woodpecker age1klxtcr23hers0lh4f5zdd53tyrtg0jud35rhydstyjq9fjymf9hsn2a8ch + - &host_age_penpot age10ku5rphtsf2lcxg78za7f2dad5cx5x9urgkce0d7tyqwq2enva9sqf7g8r creation_rules: - path_regex: config/hosts/git/.* key_groups: @@ -130,6 +131,22 @@ creation_rules: - *admin_gpg_dante age: - *host_age_woodpecker + - path_regex: config/hosts/penpot/.* + key_groups: + - pgp: + - *admin_gpg_djerun + - *admin_gpg_stb + - *admin_gpg_jtbx + - *admin_gpg_yuri + - *admin_gpg_june + - *admin_gpg_haegar + - *admin_gpg_dario + - *admin_gpg_echtnurich + - *admin_gpg_max + - *admin_gpg_c6ristian + - *admin_gpg_dante + age: + - *host_age_penpot - key_groups: - pgp: - *admin_gpg_djerun 
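Review bot: The new `path_regex: config/hosts/penpot/.*` rule repeats the full admin PGP list by hand, as the neighbouring `woodpecker` rule and the catch-all rule visibly do; with one copy per host, removing a departed admin's key means editing every rule and re-keying every secrets file, and a missed rule keeps that key as a recipient. Collecting the admin fingerprints once under a YAML anchor and referencing it from each rule's `pgp:` list would make offboarding a one-line edit (followed by `sops updatekeys` on the affected files); the per-host `age:` entry stays as it is.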
diff --git a/config/hosts/penpot/configuration.nix b/config/hosts/penpot/configuration.nix
new file mode 100644
index 00000000..4608e1c0
--- /dev/null
+++ b/config/hosts/penpot/configuration.nix
@@ -0,0 +1,7 @@
+{ config, pkgs, ... }:
+
+{
+ networking.hostName = "penpot";
+
+ system.stateVersion = "24.05";
+}
diff --git a/config/hosts/penpot/default.nix b/config/hosts/penpot/default.nix
new file mode 100644
index 00000000..b6c8d817
--- /dev/null
+++ b/config/hosts/penpot/default.nix
@@ -0,0 +1,11 @@
+{ config, pkgs, ... }:
+
+{
+ imports = [
+ ./configuration.nix
+ ./networking.nix
+ ./nginx.nix
+ ./penpot.nix
+ ./sops.nix
+ ];
+}
diff --git a/config/hosts/penpot/networking.nix b/config/hosts/penpot/networking.nix
new file mode 100644
index 00000000..a96f70bd
--- /dev/null
+++ b/config/hosts/penpot/networking.nix
@@ -0,0 +1,20 @@
+{ ... }:
+
+{
+ networking.interfaces.net0 = {
+ ipv4.addresses = [
+ {
+ address = "172.31.17.162";
+ prefixLength = 25;
+ }
+ ];
+ };
+ networking.defaultGateway = "172.31.17.129";
+ networking.nameservers = [ "212.12.50.158" "192.76.134.90" ];
+ networking.search = [ "hamburg.ccc.de" ];
+
+ systemd.network.links."10-net0" = {
+ matchConfig.MACAddress = "BC:24:11:26:1C:8A";
+ linkConfig.Name = "net0";
+ };
+}
diff --git a/config/hosts/penpot/nginx.nix b/config/hosts/penpot/nginx.nix
new file mode 100644
index 00000000..dc446f36
--- /dev/null
+++ b/config/hosts/penpot/nginx.nix
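Review bot: `{ config, pkgs, ... }:` in configuration.nix and default.nix declares arguments neither file uses, and networking.nix is written in the flat `networking.interfaces.net0 = …` / `networking.defaultGateway = …` form that the networking.nix cleanup earlier in this series migrated the other hosts away from; writing the headers as `{ ... }:` and grouping the settings under a single `networking = { … };` attribute set would keep the new host consistent with its siblings. These are style-only points; the values themselves follow the same pattern as the other hosts in the 172.31.17.128/25 range.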
@@ -0,0 +1,63 @@ +{ config, pkgs, ... }: + +let + domain = "design.hamburg.ccc.de"; +in +{ + services.nginx = { + enable = true; + + virtualHosts = { + "acme-${domain}" = { + default = true; + enableACME = true; + serverName = "${domain}"; + + listen = [ + { + addr = "0.0.0.0"; + port = 31820; + } + ]; + }; + + "${domain}" = { + default = true; + forceSSL = true; + useACMEHost = "${domain}"; + + listen = [ + { + addr = "0.0.0.0"; + port = 8443; + ssl = true; + proxyProtocol = true; + } + ]; + + locations."/" = { + proxyPass = "http://127.0.0.1:9001"; + }; + + locations."/ws/notifications" = { + proxyPass = "http://127.0.0.1:9001"; + proxyWebsockets = true; + }; + + extraConfig = '' + # Make use of the ngx_http_realip_module to set the $remote_addr and + # $remote_port to the client address and client port, when using proxy + # protocol. + # First set our proxy protocol proxy as trusted. + set_real_ip_from 172.31.17.140; + # Then tell the realip_module to get the addreses from the proxy protocol + # header. + real_ip_header proxy_protocol; + ''; + }; + }; + }; + + networking.firewall.allowedTCPPorts = [ 8443 31820 ]; + networking.firewall.allowedUDPPorts = [ 8443 ]; +} diff --git a/config/hosts/penpot/penpot.nix b/config/hosts/penpot/penpot.nix new file mode 100644 index 00000000..55673082 --- /dev/null +++ b/config/hosts/penpot/penpot.nix 
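Review bot: `networking.firewall.allowedUDPPorts = [ 8443 ];` opens UDP 8443 although no listener in this file uses UDP (there is no HTTP/3 listen here), so that line should be dropped. The TCP side likewise exposes the PROXY-protocol listener on `0.0.0.0:8443` to any host that can reach the VM while only `172.31.17.140` is trusted by `set_real_ip_from`; a source-restricted rule for 8443 would align the firewall with that trust boundary. As far as the hunk shows, nothing forwards the client address to Penpot on `127.0.0.1:9001` either, so the realip setup only affects nginx's own logs; `services.nginx.recommendedProxySettings = true;` would add the forwarding headers if Penpot is meant to see it.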
@@ -0,0 +1,198 @@ +# Sources used for this configuration: +# - https://github.com/penpot/penpot/blob/2.1.0/docker/images/docker-compose.yaml +# - https://raw.githubusercontent.com/penpot/penpot/2.1.0/docker/images/docker-compose.yaml +# - https://help.penpot.app/technical-guide/configuration/ +# - https://medium.com/@social.iodols/managing-docker-containers-in-nixos-fbda0f666dd1 +# - https://madison-technologies.com/take-your-nixos-container-config-and-shove-it/ + +{ config, pkgs, ... }: + +let + # Flags for both frontend and backend. + # https://help.penpot.app/technical-guide/configuration/#common + # https://github.com/penpot/penpot/commit/ea7ad2aaa096f8d190d740f693f22f3ed1f05088 + commonPenpotFlags = "disable-registration enable-oidc-registration disable-login-with-password enable-login-with-oidc"; + penpotVersion = "2.1.2"; +in +{ + virtualisation.docker.enable = true; + virtualisation.oci-containers = { + backend = "docker"; + containers = { + "penpot-frontend" = { + autoStart = true; + image = "git.hamburg.ccc.de/ccchh/oci-images/penpot/frontend:${penpotVersion}"; + extraOptions = [ "--network=penpot" ]; + ports = [ "9001:80" ]; + volumes = [ "penpot_assets:/opt/data/assets" ]; + dependsOn = [ + "penpot-backend" + "penpot-exporter" + ]; + environment = { + # https://help.penpot.app/technical-guide/configuration/#frontend + # https://github.com/penpot/penpot/blob/develop/docker/images/docker-compose.yaml#L78 + + PENPOT_FLAGS = "${commonPenpotFlags} disable-onboarding"; + }; + }; + + "penpot-backend" = { + autoStart = true; + image = "git.hamburg.ccc.de/ccchh/oci-images/penpot/backend:${penpotVersion}"; + extraOptions = [ "--network=penpot" ]; + volumes = [ "penpot_assets:/opt/data/assets" ]; + dependsOn = [ + "penpot-postgres" + "penpot-redis" + ]; + environment = { + # https://help.penpot.app/technical-guide/configuration/#backend + # https://github.com/penpot/penpot/blob/develop/docker/images/docker-compose.yaml#L112 + + PENPOT_FLAGS = "${commonPenpotFlags} 
enable-smtp"; + + # PENPOT_SECRET_KEY st via environmentFile. + PENPOT_TELEMETRY_ENABLED = "false"; + + # OpenID Connect configuration. + # https://help.penpot.app/technical-guide/configuration/#openid-connect + PENPOT_OIDC_CLIENT_ID = "penpot"; + PENPOT_OIDC_BASE_URI = "https://id.hamburg.ccc.de/realms/ccchh/"; + # PENPOT_OIDC_CLIENT_SECRET set via environmentFile. + PENPOT_OIDC_ROLES = "user"; + PENPOT_OIDC_ROLES_ATTR = "roles"; + + # Database configuration. + # https://help.penpot.app/technical-guide/configuration/#database + PENPOT_DATABASE_USERNAME = "penpot"; + # PENPOT_DATABASE_PASSWORD set via environmentFile. + PENPOT_DATABASE_URI = "postgresql://penpot-postgres/penpot"; + + # Email configuration. + # https://help.penpot.app/technical-guide/configuration/#email-(smtp) + PENPOT_SMTP_HOST = "cow.hamburg.ccc.de"; + PENPOT_SMTP_PORT = "465"; + PENPOT_SMTP_USERNAME = "no-reply@design.hamburg.ccc.de"; + # PENPOT_SMTP_PASSWORD set via environmentFile. + PENPOT_SMTP_SSL = "true"; + PENPOT_SMTP_DEFAULT_REPLY_TO = "Penpot "; + PENPOT_SMTP_DEFAULT_FROM = "Penpot "; + + # Storage + # https://help.penpot.app/technical-guide/configuration/#storage + PENPOT_ASSETS_STORAGE_BACKEND = "assets-fs"; + PENPOT_STORAGE_ASSETS_FS_DIRECTORY = "/opt/data/assets"; + + # Redis + # https://help.penpot.app/technical-guide/configuration/#redis + PENPOT_REDIS_URI = "redis://penpot-redis/0"; + + PENPOT_PUBLIC_URI = "https://design.hamburg.ccc.de"; + }; + environmentFiles = [ "/run/secrets/penpot_backend_environment_file" ]; + }; + + "penpot-exporter" = { + autoStart = true; + image = "git.hamburg.ccc.de/ccchh/oci-images/penpot/exporter:${penpotVersion}"; + extraOptions = [ "--network=penpot" ]; + environment = { + # https://help.penpot.app/technical-guide/configuration/#exporter + # https://github.com/penpot/penpot/blob/develop/docker/images/docker-compose.yaml#L221 + PENPOT_PUBLIC_URI = "http://penpot-frontend"; + PENPOT_REDIS_URI = "redis://penpot-redis/0"; + }; + }; + + 
"penpot-postgres" = { + autoStart = true; + image = "docker.io/library/postgres:15"; + extraOptions = [ "--stop-signal=SIGINT" "--network=penpot" ]; + volumes = [ "penpot_postgres_v15:/var/lib/postgresql/data" ]; + environment = { + # https://github.com/penpot/penpot/blob/develop/docker/images/docker-compose.yaml#L240 + + POSTGRES_INITDB_ARGS = "--data-checksums"; + POSTGRES_DB = "penpot"; + POSTGRES_USER = "penpot"; + # POSTGRES_PASSWORD set via environmentFile. + }; + environmentFiles = [ "/run/secrets/penpot_postgres_environment_file" ]; + }; + + "penpot-redis" = { + autoStart = true; + image = "docker.io/library/redis:7"; + extraOptions = [ "--network=penpot" ]; + }; + }; + }; + + # Docker networks. + systemd.services."docker-network-penpot" = { + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = true; + ExecStop = "${pkgs.docker}/bin/docker network rm -f penpot"; + }; + script = "${pkgs.docker}/bin/docker network inspect penpot || ${pkgs.docker}/bin/docker network create penpot"; + requiredBy = [ + "docker-penpot-frontend.service" + "docker-penpot-backend.service" + "docker-penpot-exporter.service" + "docker-penpot-postgres.service" + "docker-penpot-redis.service" + ]; + before = [ + "docker-penpot-frontend.service" + "docker-penpot-backend.service" + "docker-penpot-exporter.service" + "docker-penpot-postgres.service" + "docker-penpot-redis.service" + ]; + }; + + # Pull docker images prior to starting container services, so that a container + # service isn't considered up, if it actually is still just pulling the + # relevant image. 
+ systemd.services."docker-images-penpot" = { + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = true; + }; + script = '' + ${pkgs.docker}/bin/docker pull ${config.virtualisation.oci-containers.containers."penpot-frontend".image} + ${pkgs.docker}/bin/docker pull ${config.virtualisation.oci-containers.containers."penpot-backend".image} + ${pkgs.docker}/bin/docker pull ${config.virtualisation.oci-containers.containers."penpot-exporter".image} + ${pkgs.docker}/bin/docker pull ${config.virtualisation.oci-containers.containers."penpot-postgres".image} + ${pkgs.docker}/bin/docker pull ${config.virtualisation.oci-containers.containers."penpot-redis".image} + ''; + requiredBy = [ + "docker-penpot-frontend.service" + "docker-penpot-backend.service" + "docker-penpot-exporter.service" + "docker-penpot-postgres.service" + "docker-penpot-redis.service" + ]; + before = [ + "docker-penpot-frontend.service" + "docker-penpot-backend.service" + "docker-penpot-exporter.service" + "docker-penpot-postgres.service" + "docker-penpot-redis.service" + ]; + }; + + sops.secrets."penpot_backend_environment_file" = { + mode = "0440"; + owner = "root"; + group = "root"; + }; + + sops.secrets."penpot_postgres_environment_file" = { + mode = "0440"; + owner = "root"; + group = "root"; + }; +} diff --git a/config/hosts/penpot/secrets.yaml b/config/hosts/penpot/secrets.yaml new file mode 100644 index 00000000..855590ce --- /dev/null +++ b/config/hosts/penpot/secrets.yaml 
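Review bot: `ports = [ "9001:80" ];` on the `penpot-frontend` container publishes the plain-HTTP frontend on all interfaces, and with Docker's default iptables handling a published port is reachable independently of `networking.firewall`, so the frontend is exposed to the network without the TLS/realip path in nginx.nix; bind it to loopback with `ports = [ "127.0.0.1:9001:80" ];`, which is all `proxyPass` needs. The image references `postgres:15`, `redis:7` and the `${penpotVersion}` tags are mutable and `docker-images-penpot` re-pulls them on every start, so the deployment silently follows whatever those tags point to at boot; pinning by digest (`image@sha256:<DIGEST-PLACEHOLDER>`) would make every image update an explicit, reviewable commit. Two comment nits: `# PENPOT_SECRET_KEY st via environmentFile.` is missing "set", and `PENPOT_SMTP_DEFAULT_REPLY_TO = "Penpot ";` / `PENPOT_SMTP_DEFAULT_FROM = "Penpot ";` look as if an angle-bracketed address was lost (possibly only in this rendering); worth checking the file on disk.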
@@ -0,0 +1,234 @@ +penpot_backend_environment_file: ENC[AES256_GCM,data:+MJbbAjzslBIYlQ9xe0VzM8ON2U5dktJGGHmoUu0HW0mvU4pRYrQXlWdW85RXAyYU9yOiL6TNAHOWUQyqOdo23whuer2jL/Qe17DEhapE4b9W9JqBX7H0VZZKHS70AgGZdWmbj/bWAROg/qGPVKjZLhgKxoVTVbvAIJEXUDAbGfvHlY3BP67yUTXvbmtd/Rdhn6i1HafY7YHFNAW8SkikglW6wR5igEZMFAefMOMgq7aYmNXOr1bImjCPEko0DvumJZM4YMjmb3Wc97wL7OMP9G/V0k9fRclhOj9+lNpeeCKL+VL3Bgo8vqgrB+WIi4a0EwerT8srx351txrU+ITxoHciRQtOpeXVHWL1snW9o7xCoOcil0NS93D9GhW+Hd75Is/xHN08UHmahF1r71nbDK4CmSiUzZzFLl1oWkSTU/31zBUnllHOt5nDMKT42xiniAJcQ==,iv:vtIlNGIh9+e9W+OebTac+UUQp9glBIolC6KQwQMzDn4=,tag:kBBTu7LVp+3xJ/MstLyomw==,type:str] +penpot_postgres_environment_file: ENC[AES256_GCM,data:VT36kHkRH8ghnU1oyPpAQZW2LR8GNmG1cQXVjU4f+rGy9hViTivd7qxzMusisy7IcWfVaQuXFvUCT+pCMD/fhSAQZOY/1Rs8LBXJtsuPButOG9Q=,iv:pUjAkvvHjsnzn0xRRmdZXatOgLm9dx8Ggt7lEfiQllQ=,tag:FZRqlcxQWu/FgnJfoukIcA==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age10ku5rphtsf2lcxg78za7f2dad5cx5x9urgkce0d7tyqwq2enva9sqf7g8r + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiZVA5WE9JcDBOQVdPbGkz + SnNkWEJvaUtGaWVOajd6SzJ6aGNxSXZQaVhnCmgwT01kNFRZa09Gd1o2ZURyZUJQ + N0dwK21vUmk1N1duOVNtV2wrVmlyNDQKLS0tIEJtUENHdXhGcXhRRjM5VkhpdEVG + Z3UzOGFFUDhwUndoQWtCdHlMenZETW8KI0FjoFG4E1fhOxYiCIxY2BnLOmGcpoyK + EbDdNFQEMngwppEm9r1KzG/1cGMoIij2qpmK4Jz1Hzgk/6dZwvGxzw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-08-10T15:40:27Z" + mac: ENC[AES256_GCM,data:hxVxH/BBwYcvbtOH4aOUnI9NnbCfAGnnwE3VQBJBJliOWo9WHm/hx4Eol4vaS+AA2t6AUU7UmzjofX2wSTbqQliDCFCSgbpMofDXP7tmlat+M9Du91fQmfOibzCd84tkqS+TRTFCFX83LmQ7/Bb2mHl77uGVAFYyHX9+IPPEUMw=,iv:w2Rdl2+o7bZRQsOogU6U5DK1UuHn+bL4Ouh3XbByYHA=,tag:6sqJal6+kzk0stP6vK6oOw==,type:str] + pgp: + - created_at: "2024-08-09T01:28:41Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAxK/JaB2/SdtAQ/+JKe4fsuAKMJr6kuDt5vjv+hrXamWEwRLBfYPHHZHEUeK + AQBs9fG9Ni7Qpelv8RIbxWyophgt2TCEqP2d+7EcGTgDZkdLxx5s2LJuCh+tEZwT + 
bm0sPt+8eYY077MxA1ZtlBgkslMugvdnJaDckGc8xRPldUa7gRp0j3yaLULRxjA6 + T0nyALAqAaDa2uHgB7mTB3pXJYk4GxZpYbVc+wxAWXEDRLR/bpT18ywAcA6iSerd + KGDzWKjgOr1TTJqUxsguqDjnVp1c+xRPirC9uENGqW8mxI7h1+4B//dJvuXV/cYh + LKi0aDUTnma78mo2v9faUSJl23LkIehWZwbVG/+Mpkk3yxscLV124Vbwj56IFCzI + AiJ7m2QVxY5eXoVLodw6Po2S62gkwg7H5Aw3J4pppNuIAIr/8mJBpJoBy6poTsG3 + QhbQdEdsF5ikoLu/OV/H7mp86zJt42Q+74xGjKYx/qvLq6SDmDA03kqk9N71URyu + FRTEDysEkeAzreFFkxn3Q+K/cXvtv/2Knte1lmDTfpmhg4cFwsLPLPH37A2veaxJ + JTyWDLHgrJ8NFgii3gLrwj+XLOZOwmCY0puJKtdAnPaaQiLfyqYfeLVlt7Se4MMJ + 8XaFWcaQHBxL9nRZnx7WkE9LfHIG0e+414hT0F/aER+8iKboIbt6rdEHpEMGDWnU + aAEJAhD/TpW7E+yYjFVi/xSQ3kCAruHcm6x4BDTE7by0VeTLiRFW+culxiInOYiD + kdp+dATm5f7IrQp/qemL02/Me5yqURZlZrDHra7AiCI+MVBJiCRIY/x6xZSew7PX + HC+p9sB+PBFL + =1qbt + -----END PGP MESSAGE----- + fp: EF643F59E008414882232C78FFA8331EEB7D6B70 + - created_at: "2024-08-09T01:28:41Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA6EyPtWBEI+2AQ/+Ijn18W+K2je/hpolpY6HmQMTTRpQJZ8YtJ5G35o5WoVP + hH+znQMrBBAtnTWeFBeIuIzk4CHjPS0yfnsE4/rP7/lSa177A2xaeiCb74F6k/Es + MtDE/TApSlNdPFruN5nkd2I8jAWh1k37nS+/NUhszReR39NNmgA+aCSc2OK04aAz + dpPXmaJ+d3zMr7eFoL2NyhNI3A/ZdVP3UmZCp12juckDRl8oeei4PBlw2T6ODJP4 + tY08I9EyK/5K4auhYJyvayl1RWwRuShFV732ZjztkawLw152W0Rrg75Qoukhs9mr + TdyF0zcnVxAcOV4e5wRe13dDV6Ue7zeWFc9bb577thGzUm2Oue0u+oisty16qt9K + 0vw0tVSDtT/suodG8HpvSwGQ+/xcV7w8XCH8Yx28N9iO49VZCB1ZYXQBxTHVDl2b + J/8AivaK4OOFvPWNr4u6oLaO9nz1aaX6Qsap5zn0Qa2Ls2SSBwWk2Fp/f1dq3KOy + /jGR89ocuEuImVacr2G6zxPnbukfa4S8q/FUUDbswQUqmWMcDDq3dOQ1fFPRd7vy + 5a9u3P8LFW+ZPPHop3kgozgZ9pBGDOlw3nkjGjFl39lE33E+049gLE6I6+1+umG0 + EWkNI9y8X+HmHMthVuYapq23Ix09H6Wa452hZmEUxNgp33M8Zx+l3s6D7o7jfrjS + XgElPJuUWyGKPoUY9mFaINyVqjOJGEtEOYRP7jvCpFWDq/xQ8jbJvvv7qBy8+i0b + cpqRrMJrvMB2PSLeD6cNWymrNhKilLLFOcG9yaIEudDhiuv3L4/ub08QMroDmo8= + =80AM + -----END PGP MESSAGE----- + fp: F155144FC925A1BEA1F8A2C59A2A4CD59BFDC5EC + - created_at: "2024-08-09T01:28:41Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + 
hQIMAz5uSgHG2iMJAQ//Vv7IVqc9ReeFgo8RWbYpl1W5atAHerZuUh0oYc4otGpb + UseJ2JInyykcUeQWlOGvTK+eauBVNET0E/6jylCoWb8lzffhSMJ4FFpvpsoYjPG9 + Q8s3r8soOCYB0xscfhinZwJg5to+I2MSd8mppWIp4UCQhxv7MqQpbqEzNTfVP7YO + QEUZ/lesVovLvxMzKc2YVWyZFSW2G6HK3LTaJIg8gy5ym/crlUB+awd2ZDePGk6F + Y7DcKwL1EpCL+hoPWGF9PclYKrOBIZVznYQuwHAqG+Bxr9Ln/NmS/OoCrJDMN6gG + 2YMZ3Q7GQ82zZESxYA7g+ef9/lGCm7DIkt80or72x7eS6/OP7c1bjGFgKLQNyHFU + Th6cOy/TzK8Sq2g1mWB2zyV3xk6mb9C0ETAFD5vvPGVC3Sb4549Y+epe1T3ZLFTA + t09nUIpTC05PEdGsWs5Z5MDp8ZCsPZpipbVrWENesNOfaFYG+p7aM0LjgTqZcadD + B/Foejayc3XYI0T/NoP43mAZ2nEOw2Bz9lBpwz0PeTfzyrhz9XlJ7Dw462XTFA3i + voTHA5+DzGNPf6zC1fH9GcESmpC2nqXit8ZV+Y7Zb9/cAsx3E05S8ayxdBZUrOtJ + JSWGOAfPuzGXgL6Ht3iKcmCxQ/pSi1aH0h+bYqlrxTvP9IMyNCrxmP6+YsXCv8XS + XgE0NjzRMClq4/HhQ5X0ANGHWxbZJLAbm8yfgK5rnnmvi53RNJhRUHDnNca93brF + n27gnVLKM+2FdwRjwNIznkbZV/iNM6zIfRWwmJs9gHRuX/J/XWzD1KjDsn2rmiQ= + =bAYZ + -----END PGP MESSAGE----- + fp: 18DFCE01456DAB52EA38A6584EDC64F35FA1D6A5 + - created_at: "2024-08-09T01:28:41Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAw5vwmoEJHQ1ARAAkdXjf9h4iyYtKPwR9V8hgIfpt3s3zMduuJN3u76ZHdfE + 87t5K8eL2yIVN2DeOqtXRG28Broy3LLwMlLOJhxVxS5LAOEjT4ScZyb9H7MLnDsp + boW210SLkeQ5vTW9hgjAU9V6wbemxoiNPYTcBUsuirI8a+jpnALLY0jeOILBEmHQ + c+wbeo+VnlTQkTKCFI7TwlG1JnRnv3DMATVkOjC2PXmXPNkhr04Ivvf0+yBELY/1 + hLirTfk/W6vFodPaoaRaeWjGJOo+FbqKLxr2xYzVu6SkF+i4CvDPb1x0t/laTpPA + qC6KJ1wyVwG4k7ZBLgRcf5Scn1zgGFzZexUAhdIYp0tKPycphUQxEMOI8/OeBP1V + 68gBcilvv42zs+ed2RUK4j1e9YklxazZgaUhPfdrBrw/HiDJ8ILaq6LQQZSNrxZx + koAV/qw8ylU7vkciyA8bGLOiWc/Ub9vkRSuEi5TMOhmT7bVZ+W/26bWgDcAMmCpa + 13H1uLXLuHnfDavdesh+RAxRgEavPTMz+HFbqhvkv8sy0RPCodyJv69J7dsS7a2C + 71Ub7jyZIQyRtTGGZH5EjMQVStBMccE2KrJRzZCKbCmQDofKb4M67caaHBnVrs7D + vyx8V7JQGkNOWIgWFb23dtCtRiMzFaRk31mihFmFF2tSgg6XMqNmTp0pc3zQBarS + XgFZKRlYE7H1tMUCDwyKB7G3r1jsxBlUSbH1J6XjUBWKkTD4iMHI/4YStvghLjm2 + 0qqgKH/Njd9xBXc3x4Ut7kh8tFMMa07xF7/V0Pgwq+7J7EgckEfKHKA5vcQt17Q= + =23io + -----END PGP MESSAGE----- + fp: 87AB00D45D37C9E9167B5A5A333448678B60E505 + - 
created_at: "2024-08-09T01:28:41Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA4HMJd/cQYrVAQ//RH/jOrYE9MD9IjkUfsQZ79rjEwDdtmsXs+gS/XUr0MpI + f/aDyw/vfvD7ZgY86yqp68x0OQLIyRIx9O05FNB3giVN4YFvZpFblLotpMzCFa2d + 5xKLIQ1oviDSnE0kKpNM+QKITKjCxyke7MgW/laXvF0zMaVdPj0qo3Zn07MUKULs + btxZgPhzwWLjveZGn+72QiBGTF0ce49TWoh6y/l7PDsXhojau2KP556hI3rp/nC0 + PunbLVRntpz+bOoyOk+xvKen+8b/Vwp+GYA2NBDbZSEY9H3YF5ugZBR/jUc8da7D + 9EBA35udmQVKtD2XZrIyfhETC1eqLXORo0JKld5oC03JPkqvV+QpMF+8JBjXe1Cy + qI4pBmdhTJYFoJHpvMH7eC4CWgZZRMD5mB2nk1hYd9oIiYUPABfdeGxKiFnC8zHH + cEY3jgGzetZTxnpk2mxZvFMMwFqyOJA2PnwMTv3IraARkFrLxGzUIG4uOjo+l2fp + igOKsw9p46RR1gkuKF4u3yB3/1RloDyqGCU1/n4BCWy5/UkjSQpWKShZt3qMd2G2 + A6si2zgSHIQ+ubR7MPB3Q3U/Rnw7pSbTbdDc73pZ2SPZfUuJplPSDUvXICGlj8cO + jO8s926qp4X9C4mi5um6EX5nLG+pfuKowIBdB2HWmxu2idwyrmNdlIgAcWcteazS + XgF9W6THXau4lEmrBqWEiC0K/9NA0cDJqRdvj6wqZ/OIAo86q3yRlm8yY8U7D00j + wNS8WSHq+EX0K9LpwQiHAJoxNXABEx/DbRqVeuLn2FaCocZigbvu3k/pePuOsK0= + =ZLl2 + -----END PGP MESSAGE----- + fp: 91213ABAA73B0B73D3C02B5B4E5F372D17BBE67C + - created_at: "2024-08-09T01:28:41Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAxjNhCKPP69fAQ//dCKpiens8kqp+I9HtwP2CQOVMLLAle1VYB7pJ5pfcyzI + /3tAmwcxBmg+jhkFiqheBQYV2yNmBMHc5ulx+MxSDKd9mzCTavlGlE+intPjON8k + sis68RnU5OFsnGVXSmJji1vN37cCY4jHkf2vYzz6HJ6FLPrda/W3ZfXI+ZnOCao5 + wGYrqPcYUj+7gnN1S42HM492oqeCNLcENDvegf8AxtBEgfp7UQ0V3ZC0wZEYhz0V + p9bdivFoEZ3Zo0sJTWKj3Df3IA5T6c4dbSPj8r7IZ5iNDguKAjvegXujco7pow51 + fNNJB02hnYHLMRAbeRqaWyJ7qUQSWbQEgb8NuonspnXnajKc/OddgoTN91gTRgMb + op2T3HOFv3lKZPA/xIeDZpIm6GqOW6eJLjqiLP39VGvvNRYg+zxhNg/ZBVkFuSAf + U5uDPUyIAr10zdm7NqJKL8wKRbQzBg5OYovrXqSl96+KNenJqbMNv1N7kfSF6FuF + x8joEDXIaBSwINE4oXD5SN7Z5L2SuuMJ2nvuXFmmXKerRlrBiGsBzUVMt1bGqKEU + KoAAwbInZ9SprSxqJ1EkSVXpNGnFFNlbBB1j2u9BoGygOkVM4ZxIS19DBDLG0Tls + Fq6GI5d3axcf7t024UmwcU9yaP1BzrV0bDvDg3X+Azuo5JqpT3pSUvqv+Sy1C3nS + XgHK1C7XTOfcvmcxJ1f++xELwRkgNo1OqSG3cIZ8i1tKZFKTyYCiNHa/ajSr+wER + 4phM7Tdr6ubjLkqvDkMeXvtiGyUoAvbtLC0wqSaE8sEZ28eFGEAaECV/uOW81X0= + =0jv9 + 
-----END PGP MESSAGE----- + fp: F38C9D4228FC6F674E322D9C3326D914EB9B8F55 + - created_at: "2024-08-09T01:28:41Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA1Hthzn+T1OoAQ/9GTEI65w8icqppqTuvQD50vaR+lCY1NjWT0HekgvNuCLV + 4gL1cYv7tJ5UU6jOnREoScamWnUTYf/sLINIfa+FgvH+apswQeQCFrdCb8/61/Xc + 3hsJ8gwmguP1zJabKFI6/Yo3vPPa+kpj0Am6M7dUUxEKw4Lqy6Hc32O6ULNJOvdo + 56oqr6KoemrpU0TzqkKTpgAZaQjFfVzPWfC8moUL1pvxrHm7rqDPiYcl7fZP3JFD + gQMZokH205u1elxiFxuQGtW8jbeBqCZUm1UorEgD2EJYEPfyphIaHaQnCpW8zXkI + gt9QT3cqJpGJAobCPbh6vKPtbGPEqZOzOaCMFl07pkOSGPAVGMVfV+FdsfszPYY6 + Rqsk7zlCFv/iNFWKpkdfI66JLvhmgNwXRv+rkYzH3QrQikjLmAeTzyL69SPujgDK + qXBRZiAPwEDScr2Qcum36jDVrT3jRfC1opzwpRxM2ompJ0F6caBPNVjY10BScl7Y + RWVmkFrPL9MdEelFLscG17K+y5S/50sLcU+sGbMkmPsmizA0boK5XBXJz3cTadYy + Asr2b4aWTqBS5iW1vbWIGJVrUUk3U1S4fFaSvsL3I6O0E+sOB3eEEpQZqpF9Genr + hCE8GVE5yQWb3YYK0ZA7j4u+dwA+QfRIuQuMWFoRKp8oqEitjjix3je2R3u8/ILS + XgFcAp8Jh+VbnQg/pq92u3dX6afGv6nENpMVPn73yob+sfE5xUFEfEzE1E1WCWdR + HiLZVOgpVOYmo2s8/UW60hLNBULpqyf6ZTQsr7IqaGw4g+Ew116cwDawywRSJMg= + =T0nI + -----END PGP MESSAGE----- + fp: 5DA93D5C9D7320E1BD3522C79C78172B3551C9FD + - created_at: "2024-08-09T01:28:41Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA46L6MuPqfJqARAApsnPRzTCIkbKT6jaVHixgP6wyCjfVmvgb0NnMrN2Ygup + pafb6GNWoFq9WdiSqwFIJPZlZxJFiIgSxplDI63Wj1MgfvQBEnKUQvnvR+UtnB22 + bGr9mIrq/wKgslhPLFB0qT81RK/GqJKvRNpI3trGmB1pBnDdb5jiFeDHStv41XrP + hezAvmDGBKlM74fehu0pKOanIspyvFAjs31NULSHGJGzBxyM6OGcg/XLt9ea6bI5 + jHwu3+M/7nixjtaIdCtEFPv/Mdimq9p64+c6AvbEVikUH/omRebRFIRrJCotYENT + ak6/2F+Fze2cof6pJPaq1KTF7LQHi1ZaQ/N+YNDsMJIYYuX3lVg/ClEjeo5k1HJ4 + Jc+ul2KF/dAh8UsJPIdhJDlxIPdnof7xBLax1xmOQTHpqsfhZe5BP/0KMeeXzG6s + TlozMaCY0ok4JiQmiJcs+TjHX+uiiih6Wi756v7qwpCk5u3/BM+veHB/slD5Xezn + KmuHzwcbaP1n5JlOtv1PLAPfqX9EDsAVr2xhYTBISZiIKXyfagUWzPNX6toYtBfV + cQ/m9nfc5/STna7XGucnKkYFG5U2a+olIqCcbbNkN4NcW5ly0M5g1VW3oh02NO8r + A/4aU8ECj+79XXx0XCuVojnkGdTT3SQex7bkV2stBpuc5xfESbuOMWXgK0qZrYrS + XgEfX0ySVVrCxhtJgsQvZl0zrOwIttomV6hlQgo+n23HNPwjEf4nf1p2sje0uPvb + 
bPC7u5y1eDdy5E0XyWkAg4hxPLg7yOj7ET84Bg9S3NE8cE0nM50qL0N6aCAb4II= + =Is94 + -----END PGP MESSAGE----- + fp: 8996B62CBD159DCADD3B6DC08BB33A8ABCF7BC4A + - created_at: "2024-08-09T01:28:41Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA4EEKdYEzV0pAQ/7Bx/s7WlB9TE30vyqVWw6H4DoZS8s03Z21tDAtrUEK+k5 + QtMPvAIE0SG4lXersM3L6VMmhvPQlwZf+zSzBnO0J5vacvMG8dch4/ZH7YTM0VX6 + T0Ix9ScamEI8J5Fr1LAeBoqtTa8n1/3N2ILBVPRTTX5Wu4lSUw/voeePXAYxSSMv + 9vzrxJNcRgzbd/8Fbo3i2vzn4GvrP1JzsprLrUMVFaek5khD0hRDJMM0IhBWFRRh + L241zX/IBZDQVz0x1QVUBFmkoUjyNn94CTezTmGvqCXfkLRmcKzTZXd0dhORBPFa + LygVSLdor0v5ru70rMds6YN5WvqbmG7KUY8M3gcVXutvID58vw6ZE83T8ZAYj9S5 + r9hXegeb2e03tCvSrHmQFf37+298/E8/kBrBQgoevnHmm3p0yN3ZbrWLIRhbx2iF + NzL5s17PnGzmuSigoZERsN2Flx2fzUbtwVDP3AyLVpQ7NoqTZkJTcGQuvkYawnEa + 3RxUQySR+a7bED38wJ6zEpVg10ye7c8mVkzQnda1Qp3lnPZxz+1qg1n25I9hjNO6 + X1E8gtXx2EcwaoWcPO0W/sNBwE09SCM68KWSykwOLvZb5tq/HnhrwSisps5sAg9V + Z1c0OCwgJvYoTY46rqk7scN9YkE16LDCtAzgppZerli179E/f/7O3d59CA1mCEXS + XgHbdM2nxaBPCPgXXNRVq13R8JXiOokuxUZofwl6FaG8A6yc9z5F4Ygr/KKDeT0i + YMBezxQtQ5uKY0jIx5g2r6aSdly3QPNKiFS/rxDCrmtaBqw+OvhvLrnCn6IaRVY= + =XAoN + -----END PGP MESSAGE----- + fp: 9DFA033E3DAEBAD7FDD71B056C7AAA54BE05F7BA + - created_at: "2024-08-09T01:28:41Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hF4DQrf1tCqiJxoSAQdAFvRDMKG3Vjs98kRqcs4ep+bYoUcBHbMA7WgzI7CcaGQw + FjdmSwvWaHJZQGEbGk4uDHKPHqXRD3HnD9d75Azu2HXnCA29aU2c0zn0PziIi7Aa + 0l4BbcavPKNBkZpJNgW0uII7xMYJWJ/9vStTxXG/WzNia6nk/Cv7PMJW7EwIeUga + +PWB4yGfPXgqJGnJj0H1EdCVPrM/+f19GcFxNKKzkGaKTyVTW9NxntlsFl1vbmRx + =YRc6 + -----END PGP MESSAGE----- + fp: B71138A6A8964A3C3B8899857B4F70C356765BAB + - created_at: "2024-08-09T01:28:41Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAzdAjw8ldn6CAQ/5ARLA8sAZHMwNhHJycVof+ZergR58hXCBjbIy5zgyAwYU + IJ5OwhTpWqniZjt0b9pvlzU4JO1k73B1WrF7mAYEOKET32GPVatrQ64yInQbORSZ + zNQgX3aQ8tEtyBsKAWqwqRjOaP6Plee6G0RCksJBAkjIZik0diTOBwi+ZhgYSRLE + G1NAETqMKkLleYQbUWCFNveJOd/7pfhE4xhAEaSxL3dgXNPV2TOngvjCqMXvz0K2 + 
hEz6OYC8idpmAJv+S+HOaZbKV+giCopsPyFnbeu8jf1UpbsBRbHPnLOO6lLby2gf + 2P9MhwSeMjjCZFX/ys8vHQ2jUwXK8jfW3xfVie4hVJgh6vO+uHcomjnk2b+34SRk + 7ttoozLbMFxwrcP9trV0TgT2uzjFCe4fHccpY1VLTCX/O0eYtlhDhur0Wojp1z9v + h5mcqySEtJfHXJbTXkgMA2+QSyUaTTfvZ6oJqX3yAoq5eIzC0CcF+IMa6NS1XkY0 + TNd3FEhwe7TvKGCy/3bJx6jMUnhT71r6KW/w7RVIHgdp1hfUS9JBhxVB+agQVyRv + +HBmvWHqUdwnFzotGRzLU1g6soWa+fRVQQ80qAi1U8e+u9IX3EG0KoIXLjpkvXxK + y520NcOdN4wR0xILPP/+47QDN+kM6lunm/EMgrff4YDE8J83qMhH2IP5s/tV023S + XgH1hiB0U4SYt0Rp6OGDV+CjBCFaCkPPlync/SVuXddfLC1owGlY9L3jwu7j2PR7 + jy2jPPTWrOvT0wZKEh4k501LRb0n6LGqW6gDTgOnZKNg2iQ6jybv2HeyyExYllg= + =1o5H + -----END PGP MESSAGE----- + fp: 3D70F61E07F64EC4E4EF417BEFCD9D20F58784EF + unencrypted_suffix: _unencrypted + version: 3.8.1 diff --git a/config/hosts/penpot/sops.nix b/config/hosts/penpot/sops.nix new file mode 100644 index 00000000..b4548edb --- /dev/null +++ b/config/hosts/penpot/sops.nix @@ -0,0 +1,7 @@ +{ ... }: + +{ + sops = { + defaultSopsFile = ./secrets.yaml; + }; +} diff --git a/deployment_configuration.json b/deployment_configuration.json index eb594120..dd0f43df 100644 --- a/deployment_configuration.json +++ b/deployment_configuration.json @@ -29,6 +29,9 @@ }, "woodpecker": { "targetHostname": "woodpecker-intern.hamburg.ccc.de" + }, + "penpot": { + "targetHostname": "penpot-intern.hamburg.ccc.de" } } } diff --git a/flake.nix b/flake.nix index 0eef08a1..4e338529 100644 --- a/flake.nix +++ b/flake.nix @@ -234,6 +234,16 @@ ./config/hosts/status ]; }; + + penpot = nixpkgs.lib.nixosSystem { + inherit system; + modules = [ + ./config/common + ./config/proxmox-vm + sops-nix.nixosModules.sops + ./config/hosts/penpot + ]; + }; }; packages.x86_64-linux = { From 5bbc8aa03e028023ce1992885e492504c92609ca Mon Sep 17 00:00:00 2001 
From: djerun Date: Sun, 11 Aug 2024 19:46:53 +0200 Subject: [PATCH 084/170] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nixos-generators': 'github:nix-community/nixos-generators/076ea5b672bb1ea535ee84cfdabd0c2f0b7f20c7?narHash=sha256-i8BiZj5faQS6gsupE0S9xtiyZmWinGpVLwxXWV342aQ%3D' (2024-07-13) → 'github:nix-community/nixos-generators/d6c5d29f58acc10ea82afff1de2b28f038f572bd?narHash=sha256-HSxOQEKNZXiJe9aWnckTTCThOhcRCabwHa32IduDKLk%3D' (2024-08-08) • Updated input 'nixos-generators/nixlib': 'github:nix-community/nixpkgs.lib/1bba8a624b3b9d4f68db94fb63aaeb46039ce9e6?narHash=sha256-XFNKtyirrGNdehpg7lMNm1skEcBApjqGhaHc/OI95HY%3D' (2024-06-30) → 'github:nix-community/nixpkgs.lib/8bebd4c74f368aacb047f0141db09ec6b339733c?narHash=sha256-do2Mfm3T6SR7a5A804RhjQ%2BJTsF5hk4JTPGjCTRM/m8%3D' (2024-08-04) • Updated input 'nixpkgs': 'github:nixos/nixpkgs/556533a23879fc7e5f98dd2e0b31a6911a213171?narHash=sha256-5NctRsoE54N86nWd0psae70YSLfrOek3Kv1e8KoXe/0%3D' (2024-07-21) → 'github:nixos/nixpkgs/c306d09c1dc6492442ae4af0d1ba575869c41fc3?narHash=sha256-aA1JNhFh97BHPTXoJvcvgG4VSyjx0U1wT2EivxMp77o%3D' (2024-08-10) • Updated input 'nixpkgs-unstable': 'github:nixos/nixpkgs/4cc8b29327bed3d52b40041f810f49734298af46?narHash=sha256-jfF4gpRUpTBY2OxDB0FRySsgNGOiuDckEtu7YDQom3Y%3D' (2024-07-21) → 'github:nixos/nixpkgs/bef98989a27429e1cb9e3d9c25701ba2da742af2?narHash=sha256-2B9qh8QBvw3kV/8cHc7ZJcrbVsRwP8wKjkwPXTSz76Y%3D' (2024-08-10) • Updated input 'sops-nix': 'github:Mic92/sops-nix/909e8cfb60d83321d85c8d17209d733658a21c95?narHash=sha256-AsvPw7T0tBLb53xZGcUC3YPqlIpdxoSx56u8vPCr6gU%3D' (2024-07-21) → 'github:Mic92/sops-nix/8ae477955dfd9cbf5fa4eb82a8db8ddbb94e79d9?narHash=sha256-3m/iyyjCdRBF8xyehf59QlckIcmShyTesymSb%2BN4Ap4%3D' (2024-08-05) --- flake.lock | 30 +++++++++++++++--------------- 1 file changed, 15 insertions(+), 15 deletions(-) 
diff --git a/flake.lock b/flake.lock index 8c5f72b0..59d9cc47 100644 --- a/flake.lock +++ b/flake.lock @@ -2,11 +2,11 @@ "nodes": { "nixlib": { "locked": { - "lastModified": 1719708727, - "narHash": "sha256-XFNKtyirrGNdehpg7lMNm1skEcBApjqGhaHc/OI95HY=", + "lastModified": 1722732880, + "narHash": "sha256-do2Mfm3T6SR7a5A804RhjQ+JTsF5hk4JTPGjCTRM/m8=", "owner": "nix-community", "repo": "nixpkgs.lib", - "rev": "1bba8a624b3b9d4f68db94fb63aaeb46039ce9e6", + "rev": "8bebd4c74f368aacb047f0141db09ec6b339733c", "type": "github" }, "original": { @@ -23,11 +23,11 @@ ] }, "locked": { - "lastModified": 1720859326, - "narHash": "sha256-i8BiZj5faQS6gsupE0S9xtiyZmWinGpVLwxXWV342aQ=", + "lastModified": 1723078345, + "narHash": "sha256-HSxOQEKNZXiJe9aWnckTTCThOhcRCabwHa32IduDKLk=", "owner": "nix-community", "repo": "nixos-generators", - "rev": "076ea5b672bb1ea535ee84cfdabd0c2f0b7f20c7", + "rev": "d6c5d29f58acc10ea82afff1de2b28f038f572bd", "type": "github" }, "original": { @@ -38,11 +38,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1721524707, - "narHash": "sha256-5NctRsoE54N86nWd0psae70YSLfrOek3Kv1e8KoXe/0=", + "lastModified": 1723311493, + "narHash": "sha256-aA1JNhFh97BHPTXoJvcvgG4VSyjx0U1wT2EivxMp77o=", "owner": "nixos", "repo": "nixpkgs", - "rev": "556533a23879fc7e5f98dd2e0b31a6911a213171", + "rev": "c306d09c1dc6492442ae4af0d1ba575869c41fc3", "type": "github" }, "original": { @@ -70,11 +70,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1721571961, - "narHash": "sha256-jfF4gpRUpTBY2OxDB0FRySsgNGOiuDckEtu7YDQom3Y=", + "lastModified": 1723316219, + "narHash": "sha256-2B9qh8QBvw3kV/8cHc7ZJcrbVsRwP8wKjkwPXTSz76Y=", "owner": "nixos", "repo": "nixpkgs", - "rev": "4cc8b29327bed3d52b40041f810f49734298af46", + "rev": "bef98989a27429e1cb9e3d9c25701ba2da742af2", "type": "github" }, "original": { 
@@ -100,11 +100,11 @@ "nixpkgs-stable": "nixpkgs-stable" }, "locked": { - "lastModified": 1721531171, - "narHash": "sha256-AsvPw7T0tBLb53xZGcUC3YPqlIpdxoSx56u8vPCr6gU=", + "lastModified": 1722897572, + "narHash": "sha256-3m/iyyjCdRBF8xyehf59QlckIcmShyTesymSb+N4Ap4=", "owner": "Mic92", "repo": "sops-nix", - "rev": "909e8cfb60d83321d85c8d17209d733658a21c95", + "rev": "8ae477955dfd9cbf5fa4eb82a8db8ddbb94e79d9", "type": "github" }, "original": { From 9b751fa1edca02b5b8afaf8d2f2a0b0ce1ff7e17 Mon Sep 17 00:00:00 2001 From: dequis Date: Sat, 17 Aug 2024 00:15:27 +0200 Subject: [PATCH 085/170] spaceapid: add 3d printer state sensors (bool) The schema only allows numeric values so I'm leaving the time to finish field out of this for now. --- .../spaceapid-config/ccchh-dynamic.json | 24 +++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/config/hosts/public-web-static/spaceapid-config/ccchh-dynamic.json b/config/hosts/public-web-static/spaceapid-config/ccchh-dynamic.json index 885d339e..6f951f95 100644 --- a/config/hosts/public-web-static/spaceapid-config/ccchh-dynamic.json +++ b/config/hosts/public-web-static/spaceapid-config/ccchh-dynamic.json @@ -24,6 +24,30 @@ "club-assistant" ] } + ], + "3d_printer_state": [ + { + "sensor_data": { + "unit": "bool", + "location": "Loetschlauch", + "name": "mk4", + "description": "Prusa mk4 state" + }, + "allowed_credentials": [ + "club-assistant" + ] + }, + { + "sensor_data": { + "unit": "bool", + "location": "Loetschlauch", + "name": "mk3.5", + "description": "Prusa mk3.5 state" + }, + "allowed_credentials": [ + "club-assistant" + ] + } ] }, "state": { From 0395484ea910c39e85bd6f9065c3f6998769d5fc Mon Sep 17 00:00:00 2001 
From: June Date: Mon, 19 Aug 2024 19:17:40 +0200 Subject: [PATCH 086/170] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nixos-generators': 'github:nix-community/nixos-generators/d6c5d29f58acc10ea82afff1de2b28f038f572bd?narHash=sha256-HSxOQEKNZXiJe9aWnckTTCThOhcRCabwHa32IduDKLk%3D' (2024-08-08) → 'github:nix-community/nixos-generators/5fd22603892e4ec5ac6085058ed658243143aacd?narHash=sha256-U11ZiQPrpIBdv7oS23bNdX9GCxe/hPf/ARr64P2Wj1Y%3D' (2024-08-19) • Updated input 'nixos-generators/nixlib': 'github:nix-community/nixpkgs.lib/8bebd4c74f368aacb047f0141db09ec6b339733c?narHash=sha256-do2Mfm3T6SR7a5A804RhjQ%2BJTsF5hk4JTPGjCTRM/m8%3D' (2024-08-04) → 'github:nix-community/nixpkgs.lib/531a2e8416a6d8200a53eddfbdb8f2c8dc4a1251?narHash=sha256-QdSArN0xKESEOTcv%2B3kE6yu4B4WX9lupZ4%2BHtx3RXGg%3D' (2024-08-18) • Updated input 'nixpkgs': 'github:nixos/nixpkgs/c306d09c1dc6492442ae4af0d1ba575869c41fc3?narHash=sha256-aA1JNhFh97BHPTXoJvcvgG4VSyjx0U1wT2EivxMp77o%3D' (2024-08-10) → 'github:nixos/nixpkgs/3f38e71a8e23a27569acbbfee0e83b76c86fa569?narHash=sha256-vAq%2BI0IWsIDq5RUc01t25iL46LLxdsmlTJ96A30bMEY%3D' (2024-08-18) • Updated input 'nixpkgs-unstable': 'github:nixos/nixpkgs/bef98989a27429e1cb9e3d9c25701ba2da742af2?narHash=sha256-2B9qh8QBvw3kV/8cHc7ZJcrbVsRwP8wKjkwPXTSz76Y%3D' (2024-08-10) → 'github:nixos/nixpkgs/ed434d7889eddb68002d81bc25212f26ff8f2862?narHash=sha256-tGRPGJKwczrM7793zaR74KnuYLMHArJvYXmGu8Wo9oI%3D' (2024-08-19) • Updated input 'sops-nix': 'github:Mic92/sops-nix/8ae477955dfd9cbf5fa4eb82a8db8ddbb94e79d9?narHash=sha256-3m/iyyjCdRBF8xyehf59QlckIcmShyTesymSb%2BN4Ap4%3D' (2024-08-05) → 'github:Mic92/sops-nix/be0eec2d27563590194a9206f551a6f73d52fa34?narHash=sha256-N9IcHgj/p1%2B2Pvk8P4Zc1bfrMwld5PcosVA0nL6IGdE%3D' (2024-08-12) --- flake.lock | 30 +++++++++++++++--------------- 1 file changed, 15 insertions(+), 15 deletions(-) 
diff --git a/flake.lock b/flake.lock index 59d9cc47..f9efceee 100644 --- a/flake.lock +++ b/flake.lock @@ -2,11 +2,11 @@ "nodes": { "nixlib": { "locked": { - "lastModified": 1722732880, - "narHash": "sha256-do2Mfm3T6SR7a5A804RhjQ+JTsF5hk4JTPGjCTRM/m8=", + "lastModified": 1723942470, + "narHash": "sha256-QdSArN0xKESEOTcv+3kE6yu4B4WX9lupZ4+Htx3RXGg=", "owner": "nix-community", "repo": "nixpkgs.lib", - "rev": "8bebd4c74f368aacb047f0141db09ec6b339733c", + "rev": "531a2e8416a6d8200a53eddfbdb8f2c8dc4a1251", "type": "github" }, "original": { @@ -23,11 +23,11 @@ ] }, "locked": { - "lastModified": 1723078345, - "narHash": "sha256-HSxOQEKNZXiJe9aWnckTTCThOhcRCabwHa32IduDKLk=", + "lastModified": 1724028932, + "narHash": "sha256-U11ZiQPrpIBdv7oS23bNdX9GCxe/hPf/ARr64P2Wj1Y=", "owner": "nix-community", "repo": "nixos-generators", - "rev": "d6c5d29f58acc10ea82afff1de2b28f038f572bd", + "rev": "5fd22603892e4ec5ac6085058ed658243143aacd", "type": "github" }, "original": { @@ -38,11 +38,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1723311493, - "narHash": "sha256-aA1JNhFh97BHPTXoJvcvgG4VSyjx0U1wT2EivxMp77o=", + "lastModified": 1724013388, + "narHash": "sha256-vAq+I0IWsIDq5RUc01t25iL46LLxdsmlTJ96A30bMEY=", "owner": "nixos", "repo": "nixpkgs", - "rev": "c306d09c1dc6492442ae4af0d1ba575869c41fc3", + "rev": "3f38e71a8e23a27569acbbfee0e83b76c86fa569", "type": "github" }, "original": { @@ -70,11 +70,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1723316219, - "narHash": "sha256-2B9qh8QBvw3kV/8cHc7ZJcrbVsRwP8wKjkwPXTSz76Y=", + "lastModified": 1724050343, + "narHash": "sha256-tGRPGJKwczrM7793zaR74KnuYLMHArJvYXmGu8Wo9oI=", "owner": "nixos", "repo": "nixpkgs", - "rev": "bef98989a27429e1cb9e3d9c25701ba2da742af2", + "rev": "ed434d7889eddb68002d81bc25212f26ff8f2862", "type": "github" }, "original": { 
@@ -100,11 +100,11 @@ "nixpkgs-stable": "nixpkgs-stable" }, "locked": { - "lastModified": 1722897572, - "narHash": "sha256-3m/iyyjCdRBF8xyehf59QlckIcmShyTesymSb+N4Ap4=", + "lastModified": 1723501126, + "narHash": "sha256-N9IcHgj/p1+2Pvk8P4Zc1bfrMwld5PcosVA0nL6IGdE=", "owner": "Mic92", "repo": "sops-nix", - "rev": "8ae477955dfd9cbf5fa4eb82a8db8ddbb94e79d9", + "rev": "be0eec2d27563590194a9206f551a6f73d52fa34", "type": "github" }, "original": { From b26320f99945212d730c70ab1fbb5ed8ca506a68 Mon Sep 17 00:00:00 2001 From: June Date: Tue, 27 Aug 2024 00:00:55 +0200 Subject: [PATCH 087/170] penpot: switch to stock penpot image and version 2.1.3 Do that since it now has all the fixes applied we need. --- config/hosts/penpot/penpot.nix | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/config/hosts/penpot/penpot.nix b/config/hosts/penpot/penpot.nix index 55673082..0629d1fd 100644 --- a/config/hosts/penpot/penpot.nix +++ b/config/hosts/penpot/penpot.nix @@ -12,7 +12,7 @@ let # https://help.penpot.app/technical-guide/configuration/#common # https://github.com/penpot/penpot/commit/ea7ad2aaa096f8d190d740f693f22f3ed1f05088 commonPenpotFlags = "disable-registration enable-oidc-registration disable-login-with-password enable-login-with-oidc"; - penpotVersion = "2.1.2"; + penpotVersion = "2.1.3"; in { virtualisation.docker.enable = true; @@ -21,7 +21,7 @@ in containers = { "penpot-frontend" = { autoStart = true; - image = "git.hamburg.ccc.de/ccchh/oci-images/penpot/frontend:${penpotVersion}"; + image = "docker.io/penpotapp/frontend:${penpotVersion}"; extraOptions = [ "--network=penpot" ]; ports = [ "9001:80" ]; volumes = [ "penpot_assets:/opt/data/assets" ]; @@ -39,7 +39,7 @@ in "penpot-backend" = { autoStart = true; - image = "git.hamburg.ccc.de/ccchh/oci-images/penpot/backend:${penpotVersion}"; + image = "docker.io/penpotapp/backend:${penpotVersion}"; extraOptions = [ "--network=penpot" ]; volumes = [ "penpot_assets:/opt/data/assets" ]; dependsOn = [ 
@@ -95,7 +95,7 @@ in "penpot-exporter" = { autoStart = true; - image = "git.hamburg.ccc.de/ccchh/oci-images/penpot/exporter:${penpotVersion}"; + image = "docker.io/penpotapp/exporter:${penpotVersion}"; extraOptions = [ "--network=penpot" ]; environment = { # https://help.penpot.app/technical-guide/configuration/#exporter From 1b755b4eab420532bfeafd62eae6506179d0ddfc Mon Sep 17 00:00:00 2001 
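Review bot: The three `image` values now pull from docker.io by a mutable version tag, so what runs after a pull is whatever `penpotapp/*:2.1.3` resolves to at that moment rather than an image the club presumably built and pushed to its own registry before this change; this hunk's `docker.io/penpotapp/exporter:${penpotVersion}` line, and the frontend/backend lines in the earlier hunks, would be safer pinned by digest, e.g. `image = "docker.io/penpotapp/exporter:${penpotVersion}@sha256:<digest>";`. If digest pinning is not wanted, a short comment next to `penpotVersion` stating that the upstream tag is trusted and re-resolved on every pull would at least record the trade-off. The `penpotVersion` binding and the container definitions start outside this hunk.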
From: June Date: Tue, 3 Sep 2024 15:38:18 +0200 Subject: [PATCH 088/170] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nixos-generators': 'github:nix-community/nixos-generators/5fd22603892e4ec5ac6085058ed658243143aacd?narHash=sha256-U11ZiQPrpIBdv7oS23bNdX9GCxe/hPf/ARr64P2Wj1Y%3D' (2024-08-19) → 'github:nix-community/nixos-generators/8e337ce40421c4f33e7535aeb988d8e30fe067eb?narHash=sha256-LI%2BgI4qeVTQaS0vW6tn49RG%2Bf8cH1KBALaligCeHLog%3D' (2024-09-02) • Updated input 'nixos-generators/nixlib': 'github:nix-community/nixpkgs.lib/531a2e8416a6d8200a53eddfbdb8f2c8dc4a1251?narHash=sha256-QdSArN0xKESEOTcv%2B3kE6yu4B4WX9lupZ4%2BHtx3RXGg%3D' (2024-08-18) → 'github:nix-community/nixpkgs.lib/7f0b9e4fbd91826cb9ce6babbc11c87903191051?narHash=sha256-Tm344cnFM9f2YZsgWtJduvhIrvLr3Bi8J4Xc%2BUZDKYE%3D' (2024-09-01) • Updated input 'nixpkgs': 'github:nixos/nixpkgs/3f38e71a8e23a27569acbbfee0e83b76c86fa569?narHash=sha256-vAq%2BI0IWsIDq5RUc01t25iL46LLxdsmlTJ96A30bMEY%3D' (2024-08-18) → 'github:nixos/nixpkgs/3524b030c839db4ea4ba16737789c6fb8a1769c6?narHash=sha256-w3sjCEbnc242ByJ18uebzgjFZY3QU7dZhmLwPsJIZJs%3D' (2024-09-01) • Updated input 'nixpkgs-unstable': 'github:nixos/nixpkgs/ed434d7889eddb68002d81bc25212f26ff8f2862?narHash=sha256-tGRPGJKwczrM7793zaR74KnuYLMHArJvYXmGu8Wo9oI%3D' (2024-08-19) → 'github:nixos/nixpkgs/2830c7c930311397d94c0b86a359c865c081c875?narHash=sha256-/HTUg%2BkMaqBPGrcQBYboAMsQHIWIkuKRDldss/035Hc%3D' (2024-09-03) • Updated input 'sops-nix': 'github:Mic92/sops-nix/be0eec2d27563590194a9206f551a6f73d52fa34?narHash=sha256-N9IcHgj/p1%2B2Pvk8P4Zc1bfrMwld5PcosVA0nL6IGdE%3D' (2024-08-12) → 'github:Mic92/sops-nix/5db5921e40ae382d6716dce591ea23b0a39d96f7?narHash=sha256-lj5pxOwidP0W//E7IvyhbhXrnEUW99I07%2BQpERnzTS4%3D' (2024-09-01) --- flake.lock | 30 +++++++++++++++--------------- 1 file changed, 15 insertions(+), 15 deletions(-) 
diff --git a/flake.lock b/flake.lock index f9efceee..c032a3fa 100644 --- a/flake.lock +++ b/flake.lock @@ -2,11 +2,11 @@ "nodes": { "nixlib": { "locked": { - "lastModified": 1723942470, - "narHash": "sha256-QdSArN0xKESEOTcv+3kE6yu4B4WX9lupZ4+Htx3RXGg=", + "lastModified": 1725152544, + "narHash": "sha256-Tm344cnFM9f2YZsgWtJduvhIrvLr3Bi8J4Xc+UZDKYE=", "owner": "nix-community", "repo": "nixpkgs.lib", - "rev": "531a2e8416a6d8200a53eddfbdb8f2c8dc4a1251", + "rev": "7f0b9e4fbd91826cb9ce6babbc11c87903191051", "type": "github" }, "original": { @@ -23,11 +23,11 @@ ] }, "locked": { - "lastModified": 1724028932, - "narHash": "sha256-U11ZiQPrpIBdv7oS23bNdX9GCxe/hPf/ARr64P2Wj1Y=", + "lastModified": 1725298144, + "narHash": "sha256-LI+gI4qeVTQaS0vW6tn49RG+f8cH1KBALaligCeHLog=", "owner": "nix-community", "repo": "nixos-generators", - "rev": "5fd22603892e4ec5ac6085058ed658243143aacd", + "rev": "8e337ce40421c4f33e7535aeb988d8e30fe067eb", "type": "github" }, "original": { @@ -38,11 +38,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1724013388, - "narHash": "sha256-vAq+I0IWsIDq5RUc01t25iL46LLxdsmlTJ96A30bMEY=", + "lastModified": 1725198597, + "narHash": "sha256-w3sjCEbnc242ByJ18uebzgjFZY3QU7dZhmLwPsJIZJs=", "owner": "nixos", "repo": "nixpkgs", - "rev": "3f38e71a8e23a27569acbbfee0e83b76c86fa569", + "rev": "3524b030c839db4ea4ba16737789c6fb8a1769c6", "type": "github" }, "original": { @@ -70,11 +70,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1724050343, - "narHash": "sha256-tGRPGJKwczrM7793zaR74KnuYLMHArJvYXmGu8Wo9oI=", + "lastModified": 1725361206, + "narHash": "sha256-/HTUg+kMaqBPGrcQBYboAMsQHIWIkuKRDldss/035Hc=", "owner": "nixos", "repo": "nixpkgs", - "rev": "ed434d7889eddb68002d81bc25212f26ff8f2862", + "rev": "2830c7c930311397d94c0b86a359c865c081c875", "type": "github" }, "original": { 
@@ -100,11 +100,11 @@ "nixpkgs-stable": "nixpkgs-stable" }, "locked": { - "lastModified": 1723501126, - "narHash": "sha256-N9IcHgj/p1+2Pvk8P4Zc1bfrMwld5PcosVA0nL6IGdE=", + "lastModified": 1725201042, + "narHash": "sha256-lj5pxOwidP0W//E7IvyhbhXrnEUW99I07+QpERnzTS4=", "owner": "Mic92", "repo": "sops-nix", - "rev": "be0eec2d27563590194a9206f551a6f73d52fa34", + "rev": "5db5921e40ae382d6716dce591ea23b0a39d96f7", "type": "github" }, "original": { From cd8108fc9bc094acdd58bd5a05562c4bafd4a8cf Mon Sep 17 00:00:00 2001 
From: djerun Date: Mon, 23 Sep 2024 22:09:01 +0200 Subject: [PATCH 089/170] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nixos-generators': 'github:nix-community/nixos-generators/8e337ce40421c4f33e7535aeb988d8e30fe067eb?narHash=sha256-LI%2BgI4qeVTQaS0vW6tn49RG%2Bf8cH1KBALaligCeHLog%3D' (2024-09-02) → 'github:nix-community/nixos-generators/e8c1cd886cc17e31e424f915efd32e84d8af0ce9?narHash=sha256-t/%2Bz1Tf7hSaStU1pBYkY7i0/GkG%2BYIPSmfeRrK8eYUw%3D' (2024-09-23) • Updated input 'nixos-generators/nixlib': 'github:nix-community/nixpkgs.lib/7f0b9e4fbd91826cb9ce6babbc11c87903191051?narHash=sha256-Tm344cnFM9f2YZsgWtJduvhIrvLr3Bi8J4Xc%2BUZDKYE%3D' (2024-09-01) → 'github:nix-community/nixpkgs.lib/575704ff85d3a41dc5bfef7b55380cbc7b87f3c2?narHash=sha256-25ByioeOBFcnitO5lM/Mufnv/u7YtHEHEM8QFuiS40k%3D' (2024-09-22) • Updated input 'nixpkgs': 'github:nixos/nixpkgs/3524b030c839db4ea4ba16737789c6fb8a1769c6?narHash=sha256-w3sjCEbnc242ByJ18uebzgjFZY3QU7dZhmLwPsJIZJs%3D' (2024-09-01) → 'github:nixos/nixpkgs/7ca0f93c530406c1610defff0b9bf643333cf992?narHash=sha256-gXIWudYhY/4LjQPvrGn9lN4fbHjw/mf1mb9KKJK//4I%3D' (2024-09-23) • Updated input 'nixpkgs-unstable': 'github:nixos/nixpkgs/2830c7c930311397d94c0b86a359c865c081c875?narHash=sha256-/HTUg%2BkMaqBPGrcQBYboAMsQHIWIkuKRDldss/035Hc%3D' (2024-09-03) → 'github:nixos/nixpkgs/d266adc5a77ec8c10ed941c7251b2673004dbd62?narHash=sha256-m6kgjR4zAwyMe1Pn4RGXLCzArtoBp1qzhb2AUlPeVh4%3D' (2024-09-23) • Updated input 'sops-nix': 'github:Mic92/sops-nix/5db5921e40ae382d6716dce591ea23b0a39d96f7?narHash=sha256-lj5pxOwidP0W//E7IvyhbhXrnEUW99I07%2BQpERnzTS4%3D' (2024-09-01) → 'github:Mic92/sops-nix/e2d404a7ea599a013189aa42947f66cede0645c8?narHash=sha256-qis6BtOOBBEAfUl7FMHqqTwRLB61OL5OFzIsOmRz2J4%3D' (2024-09-16) • Updated input 'sops-nix/nixpkgs-stable': 
'github:NixOS/nixpkgs/556533a23879fc7e5f98dd2e0b31a6911a213171?narHash=sha256-5NctRsoE54N86nWd0psae70YSLfrOek3Kv1e8KoXe/0%3D' (2024-07-21) → 'github:NixOS/nixpkgs/dc454045f5b5d814e5862a6d057e7bb5c29edc05?narHash=sha256-vNv%2BaJUW5/YurRy1ocfvs4q/48yVESwlC/yHzjkZSP8%3D' (2024-09-08) --- flake.lock | 36 ++++++++++++++++++------------------ 1 file changed, 18 insertions(+), 18 deletions(-) diff --git a/flake.lock b/flake.lock index c032a3fa..5caae010 100644 --- a/flake.lock +++ b/flake.lock @@ -2,11 +2,11 @@ "nodes": { "nixlib": { "locked": { - "lastModified": 1725152544, - "narHash": "sha256-Tm344cnFM9f2YZsgWtJduvhIrvLr3Bi8J4Xc+UZDKYE=", + "lastModified": 1726966855, + "narHash": "sha256-25ByioeOBFcnitO5lM/Mufnv/u7YtHEHEM8QFuiS40k=", "owner": "nix-community", "repo": "nixpkgs.lib", - "rev": "7f0b9e4fbd91826cb9ce6babbc11c87903191051", + "rev": "575704ff85d3a41dc5bfef7b55380cbc7b87f3c2", "type": "github" }, "original": { @@ -23,11 +23,11 @@ ] }, "locked": { - "lastModified": 1725298144, - "narHash": "sha256-LI+gI4qeVTQaS0vW6tn49RG+f8cH1KBALaligCeHLog=", + "lastModified": 1727053438, + "narHash": "sha256-t/+z1Tf7hSaStU1pBYkY7i0/GkG+YIPSmfeRrK8eYUw=", "owner": "nix-community", "repo": "nixos-generators", - "rev": "8e337ce40421c4f33e7535aeb988d8e30fe067eb", + "rev": "e8c1cd886cc17e31e424f915efd32e84d8af0ce9", "type": "github" }, "original": { @@ -38,11 +38,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1725198597, - "narHash": "sha256-w3sjCEbnc242ByJ18uebzgjFZY3QU7dZhmLwPsJIZJs=", + "lastModified": 1727076372, + "narHash": "sha256-gXIWudYhY/4LjQPvrGn9lN4fbHjw/mf1mb9KKJK//4I=", "owner": "nixos", "repo": "nixpkgs", - "rev": "3524b030c839db4ea4ba16737789c6fb8a1769c6", + "rev": "7ca0f93c530406c1610defff0b9bf643333cf992", "type": "github" }, "original": { 
@@ -54,11 +54,11 @@ }, "nixpkgs-stable": { "locked": { - "lastModified": 1721524707, - "narHash": "sha256-5NctRsoE54N86nWd0psae70YSLfrOek3Kv1e8KoXe/0=", + "lastModified": 1725762081, + "narHash": "sha256-vNv+aJUW5/YurRy1ocfvs4q/48yVESwlC/yHzjkZSP8=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "556533a23879fc7e5f98dd2e0b31a6911a213171", + "rev": "dc454045f5b5d814e5862a6d057e7bb5c29edc05", "type": "github" }, "original": { @@ -70,11 +70,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1725361206, - "narHash": "sha256-/HTUg+kMaqBPGrcQBYboAMsQHIWIkuKRDldss/035Hc=", + "lastModified": 1727104955, + "narHash": "sha256-m6kgjR4zAwyMe1Pn4RGXLCzArtoBp1qzhb2AUlPeVh4=", "owner": "nixos", "repo": "nixpkgs", - "rev": "2830c7c930311397d94c0b86a359c865c081c875", + "rev": "d266adc5a77ec8c10ed941c7251b2673004dbd62", "type": "github" }, "original": { @@ -100,11 +100,11 @@ "nixpkgs-stable": "nixpkgs-stable" }, "locked": { - "lastModified": 1725201042, - "narHash": "sha256-lj5pxOwidP0W//E7IvyhbhXrnEUW99I07+QpERnzTS4=", + "lastModified": 1726524647, + "narHash": "sha256-qis6BtOOBBEAfUl7FMHqqTwRLB61OL5OFzIsOmRz2J4=", "owner": "Mic92", "repo": "sops-nix", - "rev": "5db5921e40ae382d6716dce591ea23b0a39d96f7", + "rev": "e2d404a7ea599a013189aa42947f66cede0645c8", "type": "github" }, "original": { From 445bf05842a7ee3f36361eb7907c715d90bc4799 Mon Sep 17 00:00:00 2001 From: June Date: Sat, 28 Sep 2024 05:00:31 +0200 Subject: [PATCH 090/170] public-web-static: host Easterhegg 20 website static export --- .../historic-easterhegg/default.nix | 1 + .../virtualHosts/historic-easterhegg/eh20.nix | 86 +++++++++++++++++++ 2 files changed, 87 insertions(+) create mode 100644 config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh20.nix diff --git a/config/hosts/public-web-static/virtualHosts/historic-easterhegg/default.nix b/config/hosts/public-web-static/virtualHosts/historic-easterhegg/default.nix index f9805cf3..fe53d046 100644 
--- a/config/hosts/public-web-static/virtualHosts/historic-easterhegg/default.nix +++ b/config/hosts/public-web-static/virtualHosts/historic-easterhegg/default.nix @@ -7,5 +7,6 @@ ./eh07.nix ./eh09.nix ./eh11.nix + ./eh20.nix ]; } \ No newline at end of file diff --git a/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh20.nix b/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh20.nix new file mode 100644 index 00000000..947791de --- /dev/null +++ b/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh20.nix 
@@ -0,0 +1,86 @@
+{ pkgs, ... }:
+
+let
+ eh20 = pkgs.fetchgit {
+ url = "https://git.hamburg.ccc.de/CCCHH/easterhegg-eh20-website.git";
+ rev = "026932ef2f1fb85c99269e0fb547589a25d3687c";
+ hash = "sha256-YYxHhPYIioJgyHXNieoX6ibasHcNw/AFk+qCNSOxke4=";
+ };
+in
+{
+ security.acme.certs."eh20.easterhegg.eu".extraDomainNames = [
+ "www.eh20.easterhegg.eu"
+ "eh20.hamburg.ccc.de"
+ ];
+
+ services.nginx.virtualHosts = {
+ "acme-eh20.easterhegg.eu" = {
+ enableACME = true;
+ serverName = "eh20.easterhegg.eu";
+ serverAliases = [
+ "www.eh20.easterhegg.eu"
+ "eh20.hamburg.ccc.de"
+ ];
+ listen = [{
+ addr = "0.0.0.0";
+ port = 31820;
+ }];
+ };
+
+ "www.eh20.easterhegg.eu" = {
+ forceSSL = true;
+ useACMEHost = "eh20.easterhegg.eu";
+ serverAliases = [
+ "eh20.hamburg.ccc.de"
+ ];
+
+ listen = [{
+ addr = "0.0.0.0";
+ port = 8443;
+ ssl = true;
+ proxyProtocol = true;
+ }];
+
+ locations."/".return = "302 https://eh20.easterhegg.eu";
+
+ extraConfig = ''
+ # Make use of the ngx_http_realip_module to set the $remote_addr and
+ # $remote_port to the client address and client port, when using proxy
+ # protocol.
+ # First set our proxy protocol proxy as trusted.
+ set_real_ip_from 172.31.17.140;
+ # Then tell the realip_module to get the addreses from the proxy protocol
+ # header.
+ real_ip_header proxy_protocol;
+ '';
+ };
+
+ "eh20.easterhegg.eu" = {
+ forceSSL = true;
+ useACMEHost = "eh20.easterhegg.eu";
+
+ listen = [{
+ addr = "0.0.0.0";
+ port = 8443;
+ ssl = true;
+ proxyProtocol = true;
+ }];
+
+ locations."/" = {
+ index = "start.html";
+ root = "${eh20}/wiki_siteexport";
+ };
+
+ extraConfig = ''
+ # Make use of the ngx_http_realip_module to set the $remote_addr and
+ # $remote_port to the client address and client port, when using proxy
+ # protocol.
+ # First set our proxy protocol proxy as trusted.
+ set_real_ip_from 172.31.17.140;
+ # Then tell the realip_module to get the addreses from the proxy protocol
+ # header.
+ real_ip_header proxy_protocol; + ''; + }; + }; +} From 68f11ad9550bd13b6a05cb3a88fbf57ad231271a Mon Sep 17 00:00:00 2001 From: June Date: Mon, 30 Sep 2024 23:20:06 +0200 Subject: [PATCH 091/170] mjolnir: allow use of deprecated, somewhat insecure libolm Do this to be able to update the moderation bot and because the security issues apparently aren't real world exploitable: https://matrix.org/blog/2024/08/libolm-deprecation/ --- config/hosts/mjolnir/mjolnir.nix | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/config/hosts/mjolnir/mjolnir.nix b/config/hosts/mjolnir/mjolnir.nix index c9534f63..91b184ff 100644 --- a/config/hosts/mjolnir/mjolnir.nix +++ b/config/hosts/mjolnir/mjolnir.nix @@ -5,6 +5,11 @@ { ... }: { + # Allow deprecated, apparently somewhat insecure libolm to be able to update + # the moderation bot. + # The security issues aren't real world exploitable apparently: + # https://matrix.org/blog/2024/08/libolm-deprecation/ + nixpkgs.config.permittedInsecurePackages = [ "olm-3.2.16" ]; services.mjolnir = { enable = true; homeserverUrl = "https://matrix.hamburg.ccc.de"; From c54b655b0e3edfc88dfaf290fc7ee0b7c593dc18 Mon Sep 17 00:00:00 2001 From: June Date: Thu, 3 Oct 2024 16:09:42 +0200 Subject: [PATCH 092/170] all: setup prometheus node exporter for all hosts on Chaosknoten Do that so we can have monitoring for them via prometheus, alertmanager and grafana. Also add a local ip for the git host for PVE firewalling. --- config/extra/prometheus-exporter.nix | 8 ++++++++ config/hosts/git/networking.nix | 4 ++++ flake.nix | 10 ++++++++++ 3 files changed, 22 insertions(+) create mode 100644 config/extra/prometheus-exporter.nix diff --git a/config/extra/prometheus-exporter.nix b/config/extra/prometheus-exporter.nix new file mode 100644 index 00000000..46477ed7 --- /dev/null +++ b/config/extra/prometheus-exporter.nix @@ -0,0 +1,8 @@ +{ ... }: + +{ + services.prometheus.exporters.node = { + enable = true; + openFirewall = true; + }; +} 
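Review bot: The `www.eh20.easterhegg.eu` vhost's `locations."/".return = "302 https://eh20.easterhegg.eu";` discards the requested path and query string, so a deep link into the historic export reached via the www or eh20.hamburg.ccc.de alias lands on the start page instead of the same page; `locations."/".return = "302 https://eh20.easterhegg.eu$request_uri";` keeps it. The redirect is also a temporary 302 for what looks like a permanent canonical-host move, where a 301 would let clients cache it. The realip block is duplicated verbatim in both TLS vhosts; `set_real_ip_from` and `real_ip_header` are valid at `http` level too, so hoisting them into `services.nginx.commonHttpConfig` would remove the duplication, provided the other proxied vhosts on this host trust the same 172.31.17.140.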
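Review bot: `nixpkgs.config.permittedInsecurePackages = [ "olm-3.2.16" ];` is an open-ended exception with nothing that would prompt its removal; the comment should record what makes it go away and when to re-check, e.g. `# TODO: drop once mjolnir's matrix-bot-sdk no longer depends on libolm; re-evaluate at every bot update.`. The justification "aren't real world exploitable apparently" is the author's reading of the linked blog post rather than something this config enforces, so the comment would be more useful stating what the bot uses olm for here (presumably end-to-end encryption in moderated rooms) so a later reader can judge the actual exposure. The `services.mjolnir` block continues outside the hunk.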
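Review bot: `openFirewall = true;` opens the node exporter's port on every interface while nothing in this module narrows `listenAddress`, and several of the hosts this file is imported into carry public addresses (e.g. git at 212.12.51.136 in the following networking.nix hunk), so host and process metrics are reachable from the internet unless the PVE firewall the commit message mentions blocks them. Binding to the host's 172.31.17.0/25 address or restricting the rule to the scraper would make the NixOS config safe on its own, e.g. `listenAddress = "<host's 172.31.17.x address>";` or the exporter's `firewallFilter` option matching the monitoring host's source address. If the PVE firewall is the intended control, a comment saying so belongs next to `openFirewall = true;`.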
diff --git a/config/hosts/git/networking.nix b/config/hosts/git/networking.nix index 688fff3d..34159f9b 100644 --- a/config/hosts/git/networking.nix +++ b/config/hosts/git/networking.nix @@ -11,6 +11,10 @@ address = "212.12.51.136"; prefixLength = 28; } + { + address = "172.31.17.154"; + prefixLength = 25; + } ]; ipv6.addresses = [ { diff --git a/flake.nix b/flake.nix index 4e338529..106daa5b 100644 --- a/flake.nix +++ b/flake.nix @@ -113,6 +113,7 @@ ./config/common ./config/proxmox-vm sops-nix.nixosModules.sops + ./config/extra/prometheus-exporter.nix ./config/hosts/netbox ]; }; @@ -123,6 +124,7 @@ ./config/common ./config/proxmox-vm sops-nix.nixosModules.sops + ./config/extra/prometheus-exporter.nix ./config/hosts/matrix ]; }; @@ -133,6 +135,7 @@ ./config/common ./config/proxmox-vm sops-nix.nixosModules.sops + ./config/extra/prometheus-exporter.nix ./config/hosts/public-web-static ]; }; @@ -143,6 +146,7 @@ ./config/common ./config/proxmox-vm sops-nix.nixosModules.sops + ./config/extra/prometheus-exporter.nix ./config/hosts/git ]; }; @@ -153,6 +157,7 @@ ./config/common ./config/proxmox-vm sops-nix.nixosModules.sops + ./config/extra/prometheus-exporter.nix ./config/hosts/forgejo-actions-runner ]; }; @@ -171,6 +176,7 @@ modules = [ ./config/common ./config/proxmox-vm + ./config/extra/prometheus-exporter.nix ./config/hosts/eh22-wiki ]; }; @@ -180,6 +186,7 @@ modules = [ ./config/common ./config/proxmox-vm + ./config/extra/prometheus-exporter.nix ./config/hosts/nix-box-june ]; }; @@ -208,6 +215,7 @@ ./config/common ./config/proxmox-vm sops-nix.nixosModules.sops + ./config/extra/prometheus-exporter.nix ./config/hosts/mjolnir ]; }; @@ -218,6 +226,7 @@ ./config/common ./config/proxmox-vm sops-nix.nixosModules.sops + ./config/extra/prometheus-exporter.nix ./config/hosts/woodpecker ]; specialArgs = { @@ -241,6 +250,7 @@ ./config/common ./config/proxmox-vm sops-nix.nixosModules.sops + ./config/extra/prometheus-exporter.nix ./config/hosts/penpot ]; }; 
From 05b96b8fae4c2b8fab3194e9f1d49636a8570656 Mon Sep 17 00:00:00 2001 From: June Date: Wed, 9 Oct 2024 02:18:46 +0200 Subject: [PATCH 093/170] netbox: integrate with CCCHH ID (Keycloak) --- config/hosts/netbox/netbox.nix | 18 +++++++++++++++++- config/hosts/netbox/secrets.yaml | 5 +++-- 2 files changed, 20 insertions(+), 3 deletions(-) diff --git a/config/hosts/netbox/netbox.nix b/config/hosts/netbox/netbox.nix index ff323494..e0f2df94 100644 --- a/config/hosts/netbox/netbox.nix +++ b/config/hosts/netbox/netbox.nix @@ -11,9 +11,19 @@ enable = true; package = pkgs.netbox; secretKeyFile = "/run/secrets/netbox_secret_key"; + keycloakClientSecret = "/run/secrets/netbox_keycloak_secret"; settings = { ALLOWED_HOSTS = [ "netbox.hamburg.ccc.de" ]; SESSION_COOKIE_SECURE = true; + # CCCHH ID (Keycloak) integration. + # https://github.com/python-social-auth/social-core/blob/0925304a9e437f8b729862687d3a808c7fb88a95/social_core/backends/keycloak.py#L7 + # https://python-social-auth.readthedocs.io/en/latest/backends/keycloak.html + REMOTE_AUTH_BACKEND = "social_core.backends.keycloak.KeycloakOAuth2"; + SOCIAL_AUTH_KEYCLOAK_KEY = "netbox"; + # SOCIAL_AUTH_KEYCLOAK_SECRET set via keycloakClientSecret option. + SOCIAL_AUTH_KEYCLOAK_PUBLIC_KEY = "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAi/Shi+b2OyYNGVFPsa6qf9SesEpRl5U5rpwgmt8H7NawMvwpPUYVW9o46QW0ulYcDmysT3BzpP3tagO/SFNoOjZdYe0D9nJ7vEp8KHbzR09KCfkyQIi0wLssKnDotVHL5JeUY+iKk+gjiwF9FSFSHPBqsST7hXVAut9LkOvs2aDod9AzbTH/uYbt4wfUm5l/1Ii8D+K7YcsFGUIqxv4XS/ylKqObqN4M2dac69iIwapoh6reaBQEm66vrOzJ+3yi4DZuPrkShJqi2hddtoyZihyCkF+eJJKEI5LrBf1KZB3Ec2YUrqk93ZGUGs/XY6R87QSfR3hJ82B1wnF+c2pw+QIDAQAB"; + SOCIAL_AUTH_KEYCLOAK_AUTHORIZATION_URL = "https://id.hamburg.ccc.de/realms/ccchh/protocol/openid-connect/auth"; + SOCIAL_AUTH_KEYCLOAK_ACCESS_TOKEN_URL = "https://id.hamburg.ccc.de/realms/ccchh/protocol/openid-connect/token"; }; }; 
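Review bot: The hunk sets `REMOTE_AUTH_BACKEND` to the Keycloak social-auth backend but does not set `REMOTE_AUTH_ENABLED = true;` in `settings`; NetBox's SSO guide sets that flag alongside the backend, and whether the OIDC login path is active without it depends on the NetBox version, so either confirm it is set outside this hunk or add it explicitly. It would also help to document next to `SOCIAL_AUTH_KEYCLOAK_KEY = "netbox";` what happens on a CCCHH ID user's first login, since no group or permission mapping is configured here (presumably an unprivileged local account is created), so access reviews know where NetBox rights actually come from. The `services.netbox` block starts outside the hunk.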
@@ -21,6 +31,12 @@ mode = "0440"; owner = "netbox"; group = "netbox"; - restartUnits = [ "netbox.service" ]; + restartUnits = [ "netbox.service" "netbox-rq.service" ]; + }; + sops.secrets."netbox_keycloak_secret" = { + mode = "0440"; + owner = "netbox"; + group = "netbox"; + restartUnits = [ "netbox.service" "netbox-rq.service" ]; }; } diff --git a/config/hosts/netbox/secrets.yaml b/config/hosts/netbox/secrets.yaml index 6f9e3e52..831a7a18 100644 --- a/config/hosts/netbox/secrets.yaml +++ b/config/hosts/netbox/secrets.yaml @@ -1,4 +1,5 @@ netbox_secret_key: ENC[AES256_GCM,data:7cVGSlrCo3MEjeLjfeZrL0VZi3+yZqsC3qI+rx+xadic78H0egWCCNaYEHIgtilgFjw=,iv:gnearzPduWcrVLU/FuzS05eNPZ5srX0hqZyElq+19ek=,tag:9MKgFb4eVYE6a5ncx9sgpw==,type:str] +netbox_keycloak_secret: ENC[AES256_GCM,data:WLPCwl6KmHhyGwpqchZUmTr0XwA1T9asAEXNOSQMfGU=,iv:fsO+Ho18Uz6+y2iohbve1bUKhCR/c2zNrbODR2Jrh3Q=,tag:MWeh7GhdyUJnSzrndA3l3Q==,type:str] sops: kms: [] gcp_kms: [] @@ -14,8 +15,8 @@ sops: V1lQK3YzTWI5ZGdyeGtFQ0E3QXQ3YnMK8sBStC8xBKwpeWkF/HrryWi0hZA69nuw a73HiZuED8KEp5OPME3yC6Ode71uEEaE/av2zp7WUYbCqVpWnwcjSg== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-05-26T01:07:35Z" - mac: ENC[AES256_GCM,data:0zWNPrUqpuC/qXOaTE8ayrTbnZdg9VA2NqxSNnV0bogqxVkg8zhbx8OKYfNQ0DswjxKNEnKsqjp62gA678VfRfGHJU5ZoHfAC7kBbrkDy+pMzS6LRwT+7n0C1AbaaG7hienGJQsx2gUUYqu7OSQuS722lXAw65deFvZGtL6lt8E=,iv:mOLkzF5pJFazmH9XX94Hjd04FcgSh0hY4juEO3vKNBc=,tag:lSk0lnVONQCmuO0KmxlL0Q==,type:str] + lastmodified: "2024-10-08T23:54:23Z" + mac: ENC[AES256_GCM,data:6KwBwJ1uTuOaCTcBs9sgvX+E/bV37ylJmDqYupa3545ba5Y3VMuF2Hx72zzRYPmh5/DmwzDxc/f7TZUheO5jwwwMGGNCYuX2c+nkzLgtovT/yCXTo8vPHNf03fQRHlOq28ztQIG8Ug1s/t4XkA+iuqPdbvyNKLbsJfJBqg4SF44=,iv:SUXPFtW3/pSTBnjAh77G6pJTucHy4VEhUVkELiMJ4JU=,tag:SfLCwPpJuvL7RrIRmN5PGg==,type:str] pgp: - created_at: "2024-05-26T01:07:22Z" enc: |- From da8e2bbbf44ee77f34c9a239bb157b4650b08c7e Mon Sep 17 00:00:00 2001 
From: c6ristian Date: Thu, 10 Oct 2024 20:50:20 +0200 Subject: [PATCH 094/170] Update element to 1.11.80 --- .../public-web-static/virtualHosts/element.hamburg.ccc.de.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/config/hosts/public-web-static/virtualHosts/element.hamburg.ccc.de.nix b/config/hosts/public-web-static/virtualHosts/element.hamburg.ccc.de.nix index 0d7792b2..5f0792fa 100644 --- a/config/hosts/public-web-static/virtualHosts/element.hamburg.ccc.de.nix +++ b/config/hosts/public-web-static/virtualHosts/element.hamburg.ccc.de.nix @@ -1,10 +1,10 @@ { pkgs, ... }: let - elementWebVersion = "1.11.68"; + elementWebVersion = "1.11.80"; element-web = pkgs.fetchzip { url = "https://github.com/vector-im/element-web/releases/download/v${elementWebVersion}/element-v${elementWebVersion}.tar.gz"; - sha256 = "sha256-SsEvc+TWyJG6YPBcyQm9mqQVUegqIcspxSGuL3TzVeY="; + sha256 = "sha256-sudWmNehxGsbZTNirTkoWQ/Bln1DC1CI30wocw9VoH8="; }; elementSecurityHeaders = '' # Configuration best practices From 804094aaeb676552379cb4b823ed76b21add63b7 Mon Sep 17 00:00:00 2001 From: June Date: Sat, 12 Oct 2024 20:03:04 +0200 Subject: [PATCH 095/170] public-web-static: add hackertours.hamburg.ccc.de static web host It can be deployed using a corresponding deploy key in the same manner hacker.tours and hamburg.ccc.de can be deployed. --- .../virtualHosts/default.nix | 1 + .../hackertours.hamburg.ccc.de.nix | 63 +++++++++++++++++++ 2 files changed, 64 insertions(+) create mode 100644 config/hosts/public-web-static/virtualHosts/hackertours.hamburg.ccc.de.nix diff --git a/config/hosts/public-web-static/virtualHosts/default.nix b/config/hosts/public-web-static/virtualHosts/default.nix index c78cf8b7..814c29c1 100644 --- a/config/hosts/public-web-static/virtualHosts/default.nix +++ b/config/hosts/public-web-static/virtualHosts/default.nix 
@@ -6,6 +6,7 @@ ./c3cat.de.nix ./element.hamburg.ccc.de.nix ./hacker.tours.nix + ./hackertours.hamburg.ccc.de.nix ./hamburg.ccc.de.nix ./spaceapi.hamburg.ccc.de.nix ./staging.hacker.tours.nix diff --git a/config/hosts/public-web-static/virtualHosts/hackertours.hamburg.ccc.de.nix b/config/hosts/public-web-static/virtualHosts/hackertours.hamburg.ccc.de.nix new file mode 100644 index 00000000..14aed402 --- /dev/null +++ b/config/hosts/public-web-static/virtualHosts/hackertours.hamburg.ccc.de.nix @@ -0,0 +1,63 @@ +{ pkgs, ... }: + +let + domain = "hackertours.hamburg.ccc.de"; + dataDir = "/var/www/${domain}"; + deployUser = "ht-ccchh-website-deploy"; +in { + services.nginx.virtualHosts = { + "acme-${domain}" = { + enableACME = true; + serverName = "${domain}"; + + listen = [ + { + addr = "0.0.0.0"; + port = 31820; + } + ]; + }; + + "${domain}" = { + forceSSL = true; + useACMEHost = "${domain}"; + + listen = [ + { + addr = "0.0.0.0"; + port = 8443; + ssl = true; + proxyProtocol = true; + } + ]; + + root = "${dataDir}"; + + extraConfig = '' + # Make use of the ngx_http_realip_module to set the $remote_addr and + # $remote_port to the client address and client port, when using proxy + # protocol. + # First set our proxy protocol proxy as trusted. + set_real_ip_from 172.31.17.140; + # Then tell the realip_module to get the addreses from the proxy protocol + # header. + real_ip_header proxy_protocol; + + error_page 404 /404.html; + ''; + }; + }; + + systemd.tmpfiles.rules = [ + "d ${dataDir} 0755 ${deployUser} ${deployUser}" + ]; + + users.users."${deployUser}" = { + isNormalUser = true; + group = "${deployUser}"; + openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILxMnllgRD6W85IQ0WrVJSwr7dKM8PLNK4pmGaJRu0OR deploy key for hackertours.hamburg.ccc.de" + ]; + }; + users.groups."${deployUser}" = { }; +} From 2fe65b0513f7105eb4cdf3bcd7ddd0b80275ad3d Mon Sep 17 00:00:00 2001 
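Review bot: The deploy key in `openssh.authorizedKeys.keys` carries no options, so whoever holds it gets an interactive shell plus port and agent forwarding on the public-web-static host, not merely write access to `/var/www/hackertours.hamburg.ccc.de`; prefix it with `restrict`, i.e. `"restrict ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILxMnllgRD6W85IQ0WrVJSwr7dKM8PLNK4pmGaJRu0OR deploy key for hackertours.hamburg.ccc.de"`, which still allows rsync/scp-style pushes. If the deploy tooling only ever copies files (the description points at the hacker.tours setup, which is not visible here), a `command=` forced command such as rrsync limited to the data dir would bound it further. `isNormalUser = true` also gives this account a home directory and login shell although it only needs to own the webroot.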
From: June Date: Sat, 12 Oct 2024 22:14:42 +0200 Subject: [PATCH 096/170] public-web-static: add staging for hackertours.hamburg.ccc.de --- .../virtualHosts/default.nix | 1 + .../staging.hackertours.hamburg.ccc.de.nix | 56 +++++++++++++++++++ 2 files changed, 57 insertions(+) create mode 100644 config/hosts/public-web-static/virtualHosts/staging.hackertours.hamburg.ccc.de.nix diff --git a/config/hosts/public-web-static/virtualHosts/default.nix b/config/hosts/public-web-static/virtualHosts/default.nix index 814c29c1..dac4fa4b 100644 --- a/config/hosts/public-web-static/virtualHosts/default.nix +++ b/config/hosts/public-web-static/virtualHosts/default.nix @@ -10,6 +10,7 @@ ./hamburg.ccc.de.nix ./spaceapi.hamburg.ccc.de.nix ./staging.hacker.tours.nix + ./staging.hackertours.hamburg.ccc.de.nix ./staging.hamburg.ccc.de.nix ./www.hamburg.ccc.de.nix ./historic-easterhegg diff --git a/config/hosts/public-web-static/virtualHosts/staging.hackertours.hamburg.ccc.de.nix b/config/hosts/public-web-static/virtualHosts/staging.hackertours.hamburg.ccc.de.nix new file mode 100644 index 00000000..11b9e9bc --- /dev/null +++ b/config/hosts/public-web-static/virtualHosts/staging.hackertours.hamburg.ccc.de.nix 
@@ -0,0 +1,56 @@ +{ pkgs, ... }: + +let + domain = "staging.hackertours.hamburg.ccc.de"; + dataDir = "/var/www/${domain}"; + deployUser = "ht-ccchh-website-deploy"; +in { + services.nginx.virtualHosts = { + "acme-${domain}" = { + enableACME = true; + serverName = "${domain}"; + + listen = [ + { + addr = "0.0.0.0"; + port = 31820; + } + ]; + }; + + "${domain}" = { + forceSSL = true; + useACMEHost = "${domain}"; + + listen = [ + { + addr = "0.0.0.0"; + port = 8443; + ssl = true; + proxyProtocol = true; + } + ]; + + root = "${dataDir}"; + + extraConfig = '' + # Make use of the ngx_http_realip_module to set the $remote_addr and + # $remote_port to the client address and client port, when using proxy + # protocol. + # First set our proxy protocol proxy as trusted. + set_real_ip_from 172.31.17.140; + # Then tell the realip_module to get the addreses from the proxy protocol + # header. + real_ip_header proxy_protocol; + + error_page 404 /404.html; + ''; + }; + }; + + systemd.tmpfiles.rules = [ + "d ${dataDir} 0755 ${deployUser} ${deployUser}" + ]; + + # Hackertours CCCHH deploy user already defined in hackertours.hamburg.ccc.de.nix. +} From de2390c78d3b3b52729a8d1dc8c7367c45c3a009 Mon Sep 17 00:00:00 2001 From: Stefan Bethke Date: Sun, 13 Oct 2024 17:21:57 +0200 Subject: [PATCH 097/170] public-web-static: redirect old hackertours 37C3 urls to proper url --- .../virtualHosts/hackertours.hamburg.ccc.de.nix | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/config/hosts/public-web-static/virtualHosts/hackertours.hamburg.ccc.de.nix b/config/hosts/public-web-static/virtualHosts/hackertours.hamburg.ccc.de.nix index 14aed402..2077ca73 100644 --- a/config/hosts/public-web-static/virtualHosts/hackertours.hamburg.ccc.de.nix +++ b/config/hosts/public-web-static/virtualHosts/hackertours.hamburg.ccc.de.nix 
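Review bot: Staging reuses the production deploy user `ht-ccchh-website-deploy`, so the same SSH key that writes `/var/www/staging.hackertours.hamburg.ccc.de` also writes the production webroot; any key handed to a staging pipeline is therefore a production credential. Unless that sharing is intended, give staging its own account (`deployUser = "ht-ccchh-staging-website-deploy";` with its own `users.users`/`users.groups` entries). The trailing comment also hides a hard dependency: the tmpfiles rule names that user as owner, so this file only works while hackertours.hamburg.ccc.de.nix stays imported; say so, e.g. `# Owner of dataDir is declared in hackertours.hamburg.ccc.de.nix; the tmpfiles rule above needs that file imported.`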
@@ -44,6 +44,11 @@ in { real_ip_header proxy_protocol; error_page 404 /404.html; + + port_in_redirect off; + + rewrite ^/(de|en)/tours$ /$1/37c3 redirect; + rewrite ^/(de|en)/tours/(.*)$ /$1/37c3/$2 redirect; ''; }; }; From ecdaa2d5f6ac726b26996f3f37b9818f7951b748 Mon Sep 17 00:00:00 2001 From: June Date: Sun, 13 Oct 2024 22:09:20 +0200 Subject: [PATCH 098/170] public-web-static: redirect EH20 doku.php?id=$pagename to new format See: https://git.hamburg.ccc.de/CCCHH/easterhegg-eh20-website/issues/2#issuecomment-952 --- .../virtualHosts/historic-easterhegg/eh20.nix | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh20.nix b/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh20.nix index 947791de..afc93c10 100644 --- a/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh20.nix +++ b/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh20.nix @@ -71,6 +71,11 @@ in root = "${eh20}/wiki_siteexport"; }; + # redirect doku.php?id=$pagename to /$pagename.html + locations."/doku.php" = { + return = "301 $scheme://$host/$arg_id.html"; + }; + extraConfig = '' # Make use of the ngx_http_realip_module to set the $remote_addr and # $remote_port to the client address and client port, when using proxy From 8165d2215973565f6e5aa13771b8aeaebb68053c Mon Sep 17 00:00:00 2001 From: June Date: Mon, 21 Oct 2024 21:30:36 +0200 Subject: [PATCH 099/170] public-web-static: prevent staging ht ccchh from search machine indexing --- .../virtualHosts/staging.hackertours.hamburg.ccc.de.nix | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/config/hosts/public-web-static/virtualHosts/staging.hackertours.hamburg.ccc.de.nix b/config/hosts/public-web-static/virtualHosts/staging.hackertours.hamburg.ccc.de.nix index 11b9e9bc..4b71d531 100644 --- a/config/hosts/public-web-static/virtualHosts/staging.hackertours.hamburg.ccc.de.nix 
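Review bot: `return = "301 $scheme://$host/$arg_id.html"` sends a `/doku.php` request without an `id` parameter to `/.html`, which will only 404, and it passes `$arg_id` through raw, so DokuWiki ids with namespace separators (`ns:page`) or percent-encoding reach the redirect unchanged — worth checking against the exported file names the linked issue describes. A small guard keeps the empty case sane; the rest of the location is unchanged.

```nix
      # redirect doku.php?id=$pagename to /$pagename.html; an empty id goes to the site root
      locations."/doku.php" = {
        extraConfig = ''
          if ($arg_id = "") {
            return 301 $scheme://$host/;
          }
          return 301 $scheme://$host/$arg_id.html;
        '';
      };
```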
+++ b/config/hosts/public-web-static/virtualHosts/staging.hackertours.hamburg.ccc.de.nix @@ -33,6 +33,12 @@ in { root = "${dataDir}"; + # Disallow *, since this is staging and doesn't need to be in any search + # results. + locations."/robots.txt" = { + return = "200 \"User-agent: *\\nDisallow: *\\n\""; + }; + extraConfig = '' # Make use of the ngx_http_realip_module to set the $remote_addr and # $remote_port to the client address and client port, when using proxy From accd31173bc6eda4e4430e45b3f1e2aa37581ad0 Mon Sep 17 00:00:00 2001 From: June Date: Mon, 21 Oct 2024 21:35:10 +0200 Subject: [PATCH 100/170] public-web-static: turn off ports to prevent broken redirects to 8443 --- config/hosts/public-web-static/virtualHosts/hamburg.ccc.de.nix | 2 ++ .../public-web-static/virtualHosts/staging.hamburg.ccc.de.nix | 2 ++ 2 files changed, 4 insertions(+) diff --git a/config/hosts/public-web-static/virtualHosts/hamburg.ccc.de.nix b/config/hosts/public-web-static/virtualHosts/hamburg.ccc.de.nix index 1d8eef1b..b70f74a1 100644 --- a/config/hosts/public-web-static/virtualHosts/hamburg.ccc.de.nix +++ b/config/hosts/public-web-static/virtualHosts/hamburg.ccc.de.nix @@ -94,6 +94,8 @@ real_ip_header proxy_protocol; error_page 404 /404.html; + + port_in_redirect off; ''; }; }; diff --git a/config/hosts/public-web-static/virtualHosts/staging.hamburg.ccc.de.nix b/config/hosts/public-web-static/virtualHosts/staging.hamburg.ccc.de.nix index a36a0993..f7e07524 100644 --- a/config/hosts/public-web-static/virtualHosts/staging.hamburg.ccc.de.nix +++ b/config/hosts/public-web-static/virtualHosts/staging.hamburg.ccc.de.nix @@ -44,6 +44,8 @@ # Then tell the realip_module to get the addreses from the proxy protocol # header. real_ip_header proxy_protocol; + + port_in_redirect off; ''; }; }; From 9d1521c485e786dd87aea0d4e703fe97813acc65 Mon Sep 17 00:00:00 2001 
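Review bot: The `robots.txt` location returns its body with nginx's default content type (text/html unless `default_type` is set elsewhere on this host), and `Disallow: *` is not the canonical block-all rule — the convention is `Disallow: /`; parsers without wildcard support treat a bare `*` as matching nothing. Use `return = "200 \"User-agent: *\\nDisallow: /\\n\"";` and add `extraConfig = "default_type text/plain;";` inside the location. Because robots.txt stops crawling but not indexing of URLs found via links, an `X-Robots-Tag: noindex` header on the whole staging vhost would cover the remaining case.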
From: dequis Date: Sat, 17 Aug 2024 23:09:19 +0200 Subject: [PATCH 101/170] spaceapid: adjustments to 3d printer state sensors - Prefix sensor names with ext_ as the spec says we should use that for extensions (this also improves attribute access for tools that don't like fields starting with a number) - Rename printer state to printer busy state, to make it clearer. - Add ext_3d_printer_minutes_remaining sensors --- .../spaceapid-config/ccchh-dynamic.json | 30 +++++++++++++++++-- 1 file changed, 27 insertions(+), 3 deletions(-) diff --git a/config/hosts/public-web-static/spaceapid-config/ccchh-dynamic.json b/config/hosts/public-web-static/spaceapid-config/ccchh-dynamic.json index 6f951f95..2b1309fe 100644 --- a/config/hosts/public-web-static/spaceapid-config/ccchh-dynamic.json +++ b/config/hosts/public-web-static/spaceapid-config/ccchh-dynamic.json @@ -25,13 +25,13 @@ ] } ], - "3d_printer_state": [ + "ext_3d_printer_busy_state": [ { "sensor_data": { "unit": "bool", "location": "Loetschlauch", "name": "mk4", - "description": "Prusa mk4 state" + "description": "Prusa mk4 busy state" }, "allowed_credentials": [ "club-assistant" @@ -42,7 +42,31 @@ "unit": "bool", "location": "Loetschlauch", "name": "mk3.5", - "description": "Prusa mk3.5 state" + "description": "Prusa mk3.5 busy state" + }, + "allowed_credentials": [ + "club-assistant" + ] + } + ], + "ext_3d_printer_minutes_remaining": [ + { + "sensor_data": { + "unit": "minutes_remaining", + "location": "Loetschlauch", + "name": "mk4", + "description": "Prusa mk4 minutes remaining" + }, + "allowed_credentials": [ + "club-assistant" + ] + }, + { + "sensor_data": { + "unit": "minutes_remaining", + "location": "Loetschlauch", + "name": "mk3.5", + "description": "Prusa mk3.5 minutes remaining" }, "allowed_credentials": [ "club-assistant" From fefff391b7e9d60aafc37682dbc723567d3eec4a Mon Sep 17 00:00:00 2001 
From: June Date: Tue, 29 Oct 2024 21:30:16 +0100 Subject: [PATCH 102/170] add hydraJobs for packages and nixosConfigurations --- flake.nix | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/flake.nix b/flake.nix index 106daa5b..0b43bda1 100644 --- a/flake.nix +++ b/flake.nix @@ -23,7 +23,7 @@ }; }; - outputs = { nixpkgs, nixpkgs-unstable, nixos-generators, sops-nix, ... }: + outputs = { self, nixpkgs, nixpkgs-unstable, nixos-generators, sops-nix, ... }: let system = "x86_64-linux"; # Shairport Sync 4.3.1 (with nqptp 1.2.4) with metadata, MQTT and AirPlay 2 support. @@ -280,5 +280,10 @@ }; formatter.x86_64-linux = nixpkgs.legacyPackages.x86_64-linux.nixpkgs-fmt; + + hydraJobs = { + inherit (self) packages; + nixosConfigurations = builtins.mapAttrs (name: value: value.config.system.build.toplevel) self.nixosConfigurations; + }; }; } From ec64eebfd6c3b006b7ff5d5c3bda750cf04a5662 Mon Sep 17 00:00:00 2001 From: June Date: Tue, 29 Oct 2024 23:17:31 +0100 Subject: [PATCH 103/170] common: use pkgs.fetchgit and git commit hash for authorized keys repo Do this to be in line with other places, where resources get fetched using git and to hopefully avoid errors such as: Cannot find Git revision 'da9d3ead9d97ce0fef7538638326264957e2f1b4' in ref 'trunk' of repository 'ssh://forgejo@git.hamburg.ccc.de/CCCHH/infrastructure-authorized-keys.git'! Please make sure that the rev exists on the ref you've specified or add allRefs = true; to fetchGit. This issue was discovered while trying to make the new hydra work. --- config/common/users.nix | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/config/common/users.nix b/config/common/users.nix index ab299043..59682c4e 100644 --- a/config/common/users.nix +++ b/config/common/users.nix 
@@ -9,10 +9,10 @@
{ config, pkgs, lib, ... }:
let
- authorizedKeysRepo = builtins.fetchGit {
- url = "forgejo@git.hamburg.ccc.de:CCCHH/infrastructure-authorized-keys.git";
- ref = "trunk";
- rev = "da9d3ead9d97ce0fef7538638326264957e2f1b4";
+ authorizedKeysRepo = pkgs.fetchgit {
+ url = "https://git.hamburg.ccc.de/CCCHH/infrastructure-authorized-keys";
+ rev = "b6a29dc7af0a45a8c0b4904290c7cb0c5bc51413";
+ hash = "sha256-c0aH0wQeJtfXJG5wAbS6aO8yILLI1NNkFAHAeOm8RXA=";
};
authorizedKeys = builtins.filter (item: item != "") (lib.strings.splitString "\n" (builtins.readFile "${authorizedKeysRepo}/authorized_keys"));
in
From 4f789adb21480b6dd1103c1f3e7cb3015c775b64 Mon Sep 17 00:00:00 2001 From: June Date: Wed, 30 Oct 2024 01:44:12 +0100 Subject: [PATCH 104/170] hydra: configure hydra host
---
config/hosts/hydra/configuration.nix | 9 +++++ config/hosts/hydra/default.nix | 11 ++++++ config/hosts/hydra/hydra.nix | 15 +++++++ config/hosts/hydra/networking.nix | 22 +++++++++++ config/hosts/hydra/nginx.nix | 58 ++++++++++++++++++++++++++++ config/hosts/hydra/nix.nix | 10 +++++ deployment_configuration.json | 3 ++ flake.nix | 10 +++++ 8 files changed, 138 insertions(+) create mode 100644 config/hosts/hydra/configuration.nix create mode 100644 config/hosts/hydra/default.nix create mode 100644 config/hosts/hydra/hydra.nix create mode 100644 config/hosts/hydra/networking.nix create mode 100644 config/hosts/hydra/nginx.nix create mode 100644 config/hosts/hydra/nix.nix
diff --git a/config/hosts/hydra/configuration.nix b/config/hosts/hydra/configuration.nix
new file mode 100644
index 00000000..a4c612e0
--- /dev/null
+++ b/config/hosts/hydra/configuration.nix
@@ -0,0 +1,9 @@
+{ ... }:
+
+{
+ networking = {
+ hostName = "hydra";
+ };
+
+ system.stateVersion = "24.05";
+}
diff --git a/config/hosts/hydra/default.nix b/config/hosts/hydra/default.nix
new file mode 100644
index 00000000..f6217118
--- /dev/null
+++ b/config/hosts/hydra/default.nix
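Review bot: With the authorized keys now pinned by `rev` and `hash`, revoking a key in infrastructure-authorized-keys has no effect on any host until both values are bumped here and every host is redeployed, and the code does not say so; add above `authorizedKeysRepo`: `# Pinned by commit and content hash: key additions AND removals only take effect after bumping rev+hash and redeploying all hosts.` The move from the SSH URL to HTTPS also removes the need for a deploy key at evaluation time, which is the reason Hydra can build this; a second comment line saying that would spare the next reader the commit archaeology. Bumping `rev` without `hash` fails with a hash mismatch rather than silently picking up new keys, which is the failure mode you want, so no change to the code itself.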
@@ -0,0 +1,11 @@ +{ ... }: + +{ + imports = [ + ./configuration.nix + ./hydra.nix + ./networking.nix + ./nginx.nix + ./nix.nix + ]; +} diff --git a/config/hosts/hydra/hydra.nix b/config/hosts/hydra/hydra.nix new file mode 100644 index 00000000..f3157106 --- /dev/null +++ b/config/hosts/hydra/hydra.nix @@ -0,0 +1,15 @@ +{ ... }: + +{ + services.hydra = { + enable = true; + listenHost = "localhost"; + port = 3000; + hydraURL = "https://hydra.hamburg.ccc.de/"; + # E-Mail configuration requires some work/investigation still. + notificationSender = "no-reply@hydra.hamburg.ccc.de"; + useSubstitutes = true; + minimumDiskFree = 8; + minimumDiskFreeEvaluator = 2; + }; +} diff --git a/config/hosts/hydra/networking.nix b/config/hosts/hydra/networking.nix new file mode 100644 index 00000000..82cec555 --- /dev/null +++ b/config/hosts/hydra/networking.nix @@ -0,0 +1,22 @@ +{ ... }: + +{ + networking = { + interfaces.net0 = { + ipv4.addresses = [ + { + address = "172.31.17.163"; + prefixLength = 25; + } + ]; + }; + defaultGateway = "172.31.17.129"; + nameservers = [ "212.12.50.158" "192.76.134.90" ]; + search = [ "hamburg.ccc.de" ]; + }; + + systemd.network.links."10-net0" = { + matchConfig.MACAddress = "BC:24:11:45:7C:D6"; + linkConfig.Name = "net0"; + }; +} diff --git a/config/hosts/hydra/nginx.nix b/config/hosts/hydra/nginx.nix new file mode 100644 index 00000000..49ca2e1b --- /dev/null +++ b/config/hosts/hydra/nginx.nix 
@@ -0,0 +1,58 @@ +{ config, pkgs, ... }: + +let + domain = "hydra.hamburg.ccc.de"; +in +{ + services.nginx = { + enable = true; + + virtualHosts = { + "acme-${domain}" = { + default = true; + enableACME = true; + serverName = "${domain}"; + + listen = [ + { + addr = "0.0.0.0"; + port = 31820; + } + ]; + }; + + "${domain}" = { + default = true; + forceSSL = true; + useACMEHost = "${domain}"; + + listen = [ + { + addr = "0.0.0.0"; + port = 8443; + ssl = true; + proxyProtocol = true; + } + ]; + + locations."/" = { + proxyPass = "http://${config.services.hydra.listenHost}:${builtins.toString config.services.hydra.port}"; + }; + + extraConfig = '' + # Make use of the ngx_http_realip_module to set the $remote_addr and + # $remote_port to the client address and client port, when using proxy + # protocol. + # First set our proxy protocol proxy as trusted. + set_real_ip_from 172.31.17.140; + # Then tell the realip_module to get the addreses from the proxy protocol + # header. + real_ip_header proxy_protocol; + ''; + }; + }; + }; + + networking.firewall.allowedTCPPorts = [ 8443 31820 ]; + networking.firewall.allowedUDPPorts = [ 8443 ]; +} diff --git a/config/hosts/hydra/nix.nix b/config/hosts/hydra/nix.nix new file mode 100644 index 00000000..b95e4697 --- /dev/null +++ b/config/hosts/hydra/nix.nix @@ -0,0 +1,10 @@ +{ ... }: + +{ + # Allow Hydra to fetch flake inputs. + nix.settings.allowed-uris = [ + "github:" + "https://github.com/" + "https://git.hamburg.ccc.de/" + ]; +} diff --git a/deployment_configuration.json b/deployment_configuration.json index dd0f43df..20b9f00b 100644 --- a/deployment_configuration.json +++ b/deployment_configuration.json @@ -32,6 +32,9 @@ }, "penpot": { "targetHostname": "penpot-intern.hamburg.ccc.de" + }, + "hydra": { + "targetHostname": "hydra-intern.hamburg.ccc.de" } } } diff --git a/flake.nix b/flake.nix index 0b43bda1..a6d9a0a1 100644 --- a/flake.nix +++ b/flake.nix 
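Review bot: `networking.firewall.allowedUDPPorts = [ 8443 ]` opens a UDP port that nothing in this file binds: the 8443 listen entry sets `ssl` and `proxyProtocol` but not `quic`, so nginx listens on TCP only there; drop the UDP line unless HTTP/3 is enabled in a module outside this hunk. Both vhosts are also `default = true`, which only works because they sit on different listen ports; a comment such as `# default server per listen port: 31820 (ACME) and 8443 (proxied TLS)` makes that explicit for the next vhost added to this host.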
@@ -254,6 +254,16 @@ ./config/hosts/penpot ]; }; + + hydra = nixpkgs.lib.nixosSystem { + inherit system; + modules = [ + ./config/common + ./config/proxmox-vm + ./config/extra/prometheus-exporter.nix + ./config/hosts/hydra + ]; + }; }; packages.x86_64-linux = { From 9d9b8ede025afc838ee6122a728e6b83e5f8e140 Mon Sep 17 00:00:00 2001 
From: djerun Date: Sat, 2 Nov 2024 00:12:24 +0100 Subject: [PATCH 105/170] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nixos-generators': 'github:nix-community/nixos-generators/e8c1cd886cc17e31e424f915efd32e84d8af0ce9?narHash=sha256-t/%2Bz1Tf7hSaStU1pBYkY7i0/GkG%2BYIPSmfeRrK8eYUw%3D' (2024-09-23) → 'github:nix-community/nixos-generators/7c60ba4bc8d6aa2ba3e5b0f6ceb9fc07bc261565?narHash=sha256-s93LPHi5BN7I2xSGNAFWiYb8WRsPvT1LE9ZjZBrpFlg%3D' (2024-10-21) • Updated input 'nixos-generators/nixlib': 'github:nix-community/nixpkgs.lib/575704ff85d3a41dc5bfef7b55380cbc7b87f3c2?narHash=sha256-25ByioeOBFcnitO5lM/Mufnv/u7YtHEHEM8QFuiS40k%3D' (2024-09-22) → 'github:nix-community/nixpkgs.lib/cce4521b6df014e79a7b7afc58c703ed683c916e?narHash=sha256-hUP9oxmnOmNnKcDOf5Y55HQ%2BNnoT0%2BbLWHLQWLLw9Ks%3D' (2024-10-20) • Updated input 'nixpkgs': 'github:nixos/nixpkgs/7ca0f93c530406c1610defff0b9bf643333cf992?narHash=sha256-gXIWudYhY/4LjQPvrGn9lN4fbHjw/mf1mb9KKJK//4I%3D' (2024-09-23) → 'github:nixos/nixpkgs/38edd08881ce4dc24056eec173b43587a93c990f?narHash=sha256-fLLUd2dO/Vnf96UDr8YPzerYi%2Bn99l3S5yIUDnmcPBE%3D' (2024-11-01) • Updated input 'nixpkgs-unstable': 'github:nixos/nixpkgs/d266adc5a77ec8c10ed941c7251b2673004dbd62?narHash=sha256-m6kgjR4zAwyMe1Pn4RGXLCzArtoBp1qzhb2AUlPeVh4%3D' (2024-09-23) → 'github:nixos/nixpkgs/ab464abbeb3a2833288c6e907488c49c2e599f88?narHash=sha256-Hlv3rTPxnO%2BDpKRXw9yjzERLdk05h7%2BfEbZxWM2taCw%3D' (2024-11-01) • Updated input 'sops-nix': 'github:Mic92/sops-nix/e2d404a7ea599a013189aa42947f66cede0645c8?narHash=sha256-qis6BtOOBBEAfUl7FMHqqTwRLB61OL5OFzIsOmRz2J4%3D' (2024-09-16) → 'github:Mic92/sops-nix/1666d16426abe79af5c47b7c0efa82fd31bf4c56?narHash=sha256-qm0uCtM9bg97LeJTKQ8dqV/FvqRN%2BompyW4GIJruLuw%3D' (2024-10-27) • Updated input 'sops-nix/nixpkgs-stable': 
'github:NixOS/nixpkgs/dc454045f5b5d814e5862a6d057e7bb5c29edc05?narHash=sha256-vNv%2BaJUW5/YurRy1ocfvs4q/48yVESwlC/yHzjkZSP8%3D' (2024-09-08) → 'github:NixOS/nixpkgs/cd3e8833d70618c4eea8df06f95b364b016d4950?narHash=sha256-knnVBGfTCZlQgxY1SgH0vn2OyehH9ykfF8geZgS95bk%3D' (2024-10-26) --- flake.lock | 36 ++++++++++++++++++------------------ 1 file changed, 18 insertions(+), 18 deletions(-) diff --git a/flake.lock b/flake.lock index 5caae010..24f50ddb 100644 --- a/flake.lock +++ b/flake.lock @@ -2,11 +2,11 @@ "nodes": { "nixlib": { "locked": { - "lastModified": 1726966855, - "narHash": "sha256-25ByioeOBFcnitO5lM/Mufnv/u7YtHEHEM8QFuiS40k=", + "lastModified": 1729386149, + "narHash": "sha256-hUP9oxmnOmNnKcDOf5Y55HQ+NnoT0+bLWHLQWLLw9Ks=", "owner": "nix-community", "repo": "nixpkgs.lib", - "rev": "575704ff85d3a41dc5bfef7b55380cbc7b87f3c2", + "rev": "cce4521b6df014e79a7b7afc58c703ed683c916e", "type": "github" }, "original": { @@ -23,11 +23,11 @@ ] }, "locked": { - "lastModified": 1727053438, - "narHash": "sha256-t/+z1Tf7hSaStU1pBYkY7i0/GkG+YIPSmfeRrK8eYUw=", + "lastModified": 1729472750, + "narHash": "sha256-s93LPHi5BN7I2xSGNAFWiYb8WRsPvT1LE9ZjZBrpFlg=", "owner": "nix-community", "repo": "nixos-generators", - "rev": "e8c1cd886cc17e31e424f915efd32e84d8af0ce9", + "rev": "7c60ba4bc8d6aa2ba3e5b0f6ceb9fc07bc261565", "type": "github" }, "original": { @@ -38,11 +38,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1727076372, - "narHash": "sha256-gXIWudYhY/4LjQPvrGn9lN4fbHjw/mf1mb9KKJK//4I=", + "lastModified": 1730428893, + "narHash": "sha256-fLLUd2dO/Vnf96UDr8YPzerYi+n99l3S5yIUDnmcPBE=", "owner": "nixos", "repo": "nixpkgs", - "rev": "7ca0f93c530406c1610defff0b9bf643333cf992", + "rev": "38edd08881ce4dc24056eec173b43587a93c990f", "type": "github" }, "original": { 
@@ -54,11 +54,11 @@ }, "nixpkgs-stable": { "locked": { - "lastModified": 1725762081, - "narHash": "sha256-vNv+aJUW5/YurRy1ocfvs4q/48yVESwlC/yHzjkZSP8=", + "lastModified": 1729973466, + "narHash": "sha256-knnVBGfTCZlQgxY1SgH0vn2OyehH9ykfF8geZgS95bk=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "dc454045f5b5d814e5862a6d057e7bb5c29edc05", + "rev": "cd3e8833d70618c4eea8df06f95b364b016d4950", "type": "github" }, "original": { @@ -70,11 +70,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1727104955, - "narHash": "sha256-m6kgjR4zAwyMe1Pn4RGXLCzArtoBp1qzhb2AUlPeVh4=", + "lastModified": 1730449684, + "narHash": "sha256-Hlv3rTPxnO+DpKRXw9yjzERLdk05h7+fEbZxWM2taCw=", "owner": "nixos", "repo": "nixpkgs", - "rev": "d266adc5a77ec8c10ed941c7251b2673004dbd62", + "rev": "ab464abbeb3a2833288c6e907488c49c2e599f88", "type": "github" }, "original": { @@ -100,11 +100,11 @@ "nixpkgs-stable": "nixpkgs-stable" }, "locked": { - "lastModified": 1726524647, - "narHash": "sha256-qis6BtOOBBEAfUl7FMHqqTwRLB61OL5OFzIsOmRz2J4=", + "lastModified": 1729999681, + "narHash": "sha256-qm0uCtM9bg97LeJTKQ8dqV/FvqRN+ompyW4GIJruLuw=", "owner": "Mic92", "repo": "sops-nix", - "rev": "e2d404a7ea599a013189aa42947f66cede0645c8", + "rev": "1666d16426abe79af5c47b7c0efa82fd31bf4c56", "type": "github" }, "original": { From 4fc8e31df086b34f5de37d41b5aa8396cf682207 Mon Sep 17 00:00:00 2001 From: jopejoe1 Date: Sat, 2 Nov 2024 22:39:24 +0100 Subject: [PATCH 106/170] Remove version lock for shairport-sync The current version in nixpkgs is newer than the one we are currently locking, the nqptp fix was also already in nixpkgs. Co-authored-by: c6ristian --- flake.nix | 36 ++--------------------- modules/services/audio/default.nix | 1 - modules/services/audio/librespot.nix | 4 +-- modules/services/audio/networking.nix | 16 ---------- modules/services/audio/shairport-sync.nix | 2 +- 5 files changed, 5 insertions(+), 54 deletions(-) delete mode 100644 modules/services/audio/networking.nix 
diff --git a/flake.nix b/flake.nix index a6d9a0a1..b787f78f 100644 --- a/flake.nix +++ b/flake.nix 
@@ -26,50 +26,18 @@ outputs = { self, nixpkgs, nixpkgs-unstable, nixos-generators, sops-nix, ... }: let system = "x86_64-linux"; - # Shairport Sync 4.3.1 (with nqptp 1.2.4) with metadata, MQTT and AirPlay 2 support. shairportSync431ExtendedNixpkgsUnstableOverlay = final: prev: { shairport-sync = (prev.shairport-sync.override { enableMetadata = true; enableAirplay2 = true; }).overrideAttrs (finalAttr: previousAttr: { # See: https://github.com/mikebrady/shairport-sync/blob/e78a88b64adfe7b5f88fd6faedf55c57445bb240/CONFIGURATION%20FLAGS.md configureFlags = previousAttr.configureFlags ++ [ "--with-mqtt-client" ]; buildInputs = previousAttr.buildInputs ++ [ final.mosquitto ]; - # Use specific Shairport Sync and nqptp versions, since with those the - # following error doesn't happen: - # fatal error: The nqptp service on this system, which is required for - # Shairport Sync to operate, does not seem to be initialised. - # - # Also use a more recent dev version to fix Pipewire stuttering issue. - # See: - # https://github.com/mikebrady/shairport-sync/issues/1736 - # https://github.com/mikebrady/shairport-sync/blob/a65ec2d7f1f380bbae196d7f8f1cd6a88ef5777b/RELEASENOTES-DEVELOPMENT.md#version-432-dev-51-g98679bbb - src = final.fetchFromGitHub { - owner = "mikebrady"; - repo = finalAttr.pname; - rev = "98679bbb54f5aaeda859e34aa28425647b8d179e"; - hash = "sha256-k0kcgtWk2xlG34lP0ryEaqdskYMNM68YnIRLwFR3jaY="; - }; - }); - nqptp = prev.nqptp.overrideAttrs (finalAttr: previousAttr: { - # See Shairport Sync version note. - src = final.fetchFromGitHub { - owner = "mikebrady"; - repo = finalAttr.pname; - rev = "1.2.4"; - hash = "sha256-roTNcr3v2kzE6vQ5plAVtlw1+2yJplltOYsGGibtoZo="; - }; - # Custom install phase to avoid setcap. 
- # See: - # https://github.com/mikebrady/nqptp/blob/1.2.4/Makefile.am#L23 - installPhase = '' - mkdir -p $out/bin - cp nqptp $out/bin/ - ''; }); }; pkgs-unstable = nixpkgs-unstable.legacyPackages."x86_64-linux"; in { nixosConfigurations = { - audio-hauptraum-kueche = nixpkgs-unstable.lib.nixosSystem { + audio-hauptraum-kueche = nixpkgs.lib.nixosSystem { inherit system; modules = [ ./config/common @@ -79,7 +47,7 @@ ]; }; - audio-hauptraum-tafel = nixpkgs-unstable.lib.nixosSystem { + audio-hauptraum-tafel = nixpkgs.lib.nixosSystem { inherit system; modules = [ ./config/common diff --git a/modules/services/audio/default.nix b/modules/services/audio/default.nix index ccd75270..f9aa6b3c 100644 --- a/modules/services/audio/default.nix +++ b/modules/services/audio/default.nix @@ -12,7 +12,6 @@ in imports = [ ./librespot.nix ./mpd.nix - ./networking.nix ./pipewire.nix ./shairport-sync.nix ]; diff --git a/modules/services/audio/librespot.nix b/modules/services/audio/librespot.nix index fa4e9edb..4c0fadbf 100644 --- a/modules/services/audio/librespot.nix +++ b/modules/services/audio/librespot.nix @@ -23,7 +23,7 @@ in After = [ "network-online.target" "pipewire.service" ]; }; serviceConfig = { - ExecStart = "${pkgs.librespot}/bin/librespot --name '${config.ccchh.services.audio.name}' --device-type speaker --bitrate 320 --enable-volume-normalisation --disable-audio-cache --disable-credential-cache --quiet"; + ExecStart = "${pkgs.librespot}/bin/librespot --name '${config.ccchh.services.audio.name}' --device-type speaker --bitrate 320 --enable-volume-normalisation --disable-audio-cache --disable-credential-cache"; User = "librespot"; Group = "librespot"; }; @@ -34,7 +34,7 @@ in users.librespot = { isSystemUser = true; group = "librespot"; - extraGroups = [ "pipewire" ]; + extraGroups = [ "pipewire" "audio" ]; }; groups.librespot = { }; }; diff --git a/modules/services/audio/networking.nix b/modules/services/audio/networking.nix deleted file mode 100644 index b0fbf22c..00000000 
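Review bot: The overlay keeps the name `shairportSync431ExtendedNixpkgsUnstableOverlay` although this hunk removes the 4.3.1/nqptp 1.2.4 pin and the second hunk switches both audio hosts from `nixpkgs-unstable.lib.nixosSystem` to `nixpkgs.lib.nixosSystem`, so the name now states the opposite of what the code does. Rename it, e.g. `shairportSyncExtendedOverlay` (its use sites are outside this hunk and must follow), and replace the deleted header comment with `# Shairport Sync from nixpkgs with metadata, MQTT and AirPlay 2 support.` so the overlay still says what it is for.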
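Review bot: Dropping `./networking.nix` from the audio module imports re-enables IPv6 on the audio hosts, and the deleted file's own comment said Shairport Sync did not work with IPv6 for an unknown reason; neither the commit message nor the remaining code records that this was retested with the nixpkgs version. Add a line to the message or a comment next to the shairport-sync service, e.g. `# IPv6 is no longer disabled for Shairport Sync; verified working with the current nixpkgs package.`, so the next IPv6-related report can be tied to this change.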
--- a/modules/services/audio/networking.nix +++ /dev/null @@ -1,16 +0,0 @@ -{ config, pkgs, lib, ... }: - -with lib; - -let - - cfg = config.ccchh.services.audio; - -in - -{ - config = mkIf cfg.enable { - # Disable IPv6, since Shairport-Sync doesn't work with IPv6. Unclear why. - networking.enableIPv6 = false; - }; -} diff --git a/modules/services/audio/shairport-sync.nix b/modules/services/audio/shairport-sync.nix index 1f04862d..cbc58e79 100644 --- a/modules/services/audio/shairport-sync.nix +++ b/modules/services/audio/shairport-sync.nix @@ -20,7 +20,7 @@ in arguments = "-o pw -v"; }; - users.users.shairport.extraGroups = [ "pipewire" ]; + users.users.shairport.extraGroups = [ "pipewire" "audio" ]; environment.etc.shairport-sync-config = { enable = true; From c8e7bd1ccfd1b23f8dce95b36a0ec7cab471cfc2 Mon Sep 17 00:00:00 2001 From: June Date: Sun, 10 Nov 2024 19:26:26 +0100 Subject: [PATCH 107/170] git: enable sending of e-mails to watchers of repositories --- config/hosts/git/forgejo.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/config/hosts/git/forgejo.nix b/config/hosts/git/forgejo.nix index bb7099f0..d7e7c1b2 100644 --- a/config/hosts/git/forgejo.nix +++ b/config/hosts/git/forgejo.nix @@ -45,6 +45,7 @@ DEFAULT_USER_VISIBILITY = "limited"; DEFAULT_KEEP_EMAIL_PRIVATE = true; ENABLE_BASIC_AUTHENTICATION = false; + ENABLE_NOTIFY_MAIL = true; }; repo = { DEFAULT_REPO_UNITS = "repo.code,repo.issues,repo.pulls"; From 2ba371f8cd0a97e5f95765cc0b09dfe113638e0f Mon Sep 17 00:00:00 2001 From: June Date: Sun, 10 Nov 2024 19:38:05 +0100 Subject: [PATCH 108/170] git: disable making org users auto watch new repos on creation Also explicitly disable making users auto watch repos after their first commit to it. --- config/hosts/git/forgejo.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/config/hosts/git/forgejo.nix b/config/hosts/git/forgejo.nix index d7e7c1b2..a57a37f6 100644 --- a/config/hosts/git/forgejo.nix +++ b/config/hosts/git/forgejo.nix 
@@ -46,6 +46,8 @@ DEFAULT_KEEP_EMAIL_PRIVATE = true; ENABLE_BASIC_AUTHENTICATION = false; ENABLE_NOTIFY_MAIL = true; + AUTO_WATCH_NEW_REPOS = false; + AUTO_WATCH_ON_CHANGES = false; }; repo = { DEFAULT_REPO_UNITS = "repo.code,repo.issues,repo.pulls"; From ff1a12846afa1fc25cd9a98f3e31eceb954b2b09 Mon Sep 17 00:00:00 2001 From: c6ristian Date: Tue, 11 Jun 2024 23:19:13 +0200 Subject: [PATCH 109/170] Add how to generate the NixOS Proxmox VE templates --- README.md | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/README.md b/README.md index b55e1f2f..f7ae1966 100644 --- a/README.md +++ b/README.md @@ -62,3 +62,14 @@ This is exactly what we're doing to set the default deployment user to `colmena- }; ``` This secret would then be available under `/run/secrets/forgejo_git_smtp_password` on the host. + +## Build NixOS Proxmox VE Template + +Build a now NixOS Proxmox VE Template for the thinkcccore's +```shell +nix build .#proxmox-nixos-template +``` +Build a now NixOS Proxmox VE Template for the chaosknoten +```shell +nix build .#proxmox-chaosknoten-nixos-template +``` \ No newline at end of file From 1fcd8c64215c2f59617e17d21e806ae15fcf823c Mon Sep 17 00:00:00 2001 From: c6ristian Date: Sat, 22 Jun 2024 15:56:13 +0200 Subject: [PATCH 110/170] fix typo and writing improvement --- README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index f7ae1966..bd3a29a4 100644 --- a/README.md +++ b/README.md @@ -65,11 +65,11 @@ This is exactly what we're doing to set the default deployment user to `colmena- ## Build NixOS Proxmox VE Template -Build a now NixOS Proxmox VE Template for the thinkcccore's +Build a new NixOS Proxmox VE Template for the thinkcccore's: ```shell nix build .#proxmox-nixos-template ``` -Build a now NixOS Proxmox VE Template for the chaosknoten +Build a new NixOS Proxmox VE Template for the chaosknoten: ```shell nix build .#proxmox-chaosknoten-nixos-template -``` \ No newline at end of file +``` 
From afb4fc71cef9691a56fc1afc8eb80dbd289faf91 Mon Sep 17 00:00:00 2001 From: c6ristian Date: Sun, 10 Nov 2024 23:10:50 +0100 Subject: [PATCH 111/170] Update infrastructure-authorized-keys rev --- config/common/users.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/config/common/users.nix b/config/common/users.nix index 59682c4e..026929bd 100644 --- a/config/common/users.nix +++ b/config/common/users.nix @@ -11,8 +11,8 @@ let authorizedKeysRepo = pkgs.fetchgit { url = "https://git.hamburg.ccc.de/CCCHH/infrastructure-authorized-keys"; - rev = "b6a29dc7af0a45a8c0b4904290c7cb0c5bc51413"; - hash = "sha256-c0aH0wQeJtfXJG5wAbS6aO8yILLI1NNkFAHAeOm8RXA="; + rev = "686a6af22f6696f0c0595c56f463c078550049fc"; + hash = "sha256-plTYjM6zPzoBE/dp6EUrk9mCqmab278p8FqBCTX8Grc="; }; authorizedKeys = builtins.filter (item: item != "") (lib.strings.splitString "\n" (builtins.readFile "${authorizedKeysRepo}/authorized_keys")); in From 33b2cbf5d098c87db3904740ad27c803055547ec Mon Sep 17 00:00:00 2001 
From: c6ristian Date: Sun, 10 Nov 2024 23:14:58 +0100 Subject: [PATCH 112/170] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nixpkgs': 'github:nixos/nixpkgs/38edd08881ce4dc24056eec173b43587a93c990f' (2024-11-01) → 'github:nixos/nixpkgs/11f65b4b0405cff5b54c813626bddcf5435d7ad2' (2024-11-09) • Updated input 'nixpkgs-unstable': 'github:nixos/nixpkgs/ab464abbeb3a2833288c6e907488c49c2e599f88' (2024-11-01) → 'github:nixos/nixpkgs/8aed22ecd71e5b67e5299efae8b9dc580dec711c' (2024-11-10) • Updated input 'sops-nix': 'github:Mic92/sops-nix/1666d16426abe79af5c47b7c0efa82fd31bf4c56' (2024-10-27) → 'github:Mic92/sops-nix/f1675e3b0e1e663a4af49be67ecbc9e749f85eb7' (2024-11-10) • Updated input 'sops-nix/nixpkgs-stable': 'github:NixOS/nixpkgs/cd3e8833d70618c4eea8df06f95b364b016d4950' (2024-10-26) → 'github:NixOS/nixpkgs/3c2f1c4ca372622cb2f9de8016c9a0b1cbd0f37c' (2024-11-03) --- flake.lock | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/flake.lock b/flake.lock index 24f50ddb..58d521bf 100644 --- a/flake.lock +++ b/flake.lock @@ -38,11 +38,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1730428893, - "narHash": "sha256-fLLUd2dO/Vnf96UDr8YPzerYi+n99l3S5yIUDnmcPBE=", + "lastModified": 1731133565, + "narHash": "sha256-tCErjTdCUWK06LzkcvwUM+3pyrrmdf8e0VDBBTgqznE=", "owner": "nixos", "repo": "nixpkgs", - "rev": "38edd08881ce4dc24056eec173b43587a93c990f", + "rev": "11f65b4b0405cff5b54c813626bddcf5435d7ad2", "type": "github" }, "original": { 
@@ -54,11 +54,11 @@ }, "nixpkgs-stable": { "locked": { - "lastModified": 1729973466, - "narHash": "sha256-knnVBGfTCZlQgxY1SgH0vn2OyehH9ykfF8geZgS95bk=", + "lastModified": 1730602179, + "narHash": "sha256-efgLzQAWSzJuCLiCaQUCDu4NudNlHdg2NzGLX5GYaEY=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "cd3e8833d70618c4eea8df06f95b364b016d4950", + "rev": "3c2f1c4ca372622cb2f9de8016c9a0b1cbd0f37c", "type": "github" }, "original": { @@ -70,11 +70,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1730449684, - "narHash": "sha256-Hlv3rTPxnO+DpKRXw9yjzERLdk05h7+fEbZxWM2taCw=", + "lastModified": 1731265036, + "narHash": "sha256-e5I+glVZwQvLT6WIeMFi0Mk+N/jkYauZ31ir2NRZcf8=", "owner": "nixos", "repo": "nixpkgs", - "rev": "ab464abbeb3a2833288c6e907488c49c2e599f88", + "rev": "8aed22ecd71e5b67e5299efae8b9dc580dec711c", "type": "github" }, "original": { @@ -100,11 +100,11 @@ "nixpkgs-stable": "nixpkgs-stable" }, "locked": { - "lastModified": 1729999681, - "narHash": "sha256-qm0uCtM9bg97LeJTKQ8dqV/FvqRN+ompyW4GIJruLuw=", + "lastModified": 1731213149, + "narHash": "sha256-jR8i6nFLmSmm0cIoeRQ8Q4EBARa3oGaAtEER/OMMxus=", "owner": "Mic92", "repo": "sops-nix", - "rev": "1666d16426abe79af5c47b7c0efa82fd31bf4c56", + "rev": "f1675e3b0e1e663a4af49be67ecbc9e749f85eb7", "type": "github" }, "original": { From c84d9e7d0af00a8ca8adcf59616473bee14efc89 Mon Sep 17 00:00:00 2001 From: fi Date: Mon, 11 Nov 2024 02:43:08 +0100 Subject: [PATCH 113/170] Update element to 1.11.84 --- .../public-web-static/virtualHosts/element.hamburg.ccc.de.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/config/hosts/public-web-static/virtualHosts/element.hamburg.ccc.de.nix b/config/hosts/public-web-static/virtualHosts/element.hamburg.ccc.de.nix index 5f0792fa..1836f259 100644 --- a/config/hosts/public-web-static/virtualHosts/element.hamburg.ccc.de.nix +++ b/config/hosts/public-web-static/virtualHosts/element.hamburg.ccc.de.nix 
@@ -1,10 +1,10 @@ { pkgs, ... }: let - elementWebVersion = "1.11.80"; + elementWebVersion = "1.11.84"; element-web = pkgs.fetchzip { url = "https://github.com/vector-im/element-web/releases/download/v${elementWebVersion}/element-v${elementWebVersion}.tar.gz"; - sha256 = "sha256-sudWmNehxGsbZTNirTkoWQ/Bln1DC1CI30wocw9VoH8="; + sha256 = "sha256-z2qaKKyUq2S/r3xUUU3ym0FgFbiQr6bcltuKvUMPbH4="; }; elementSecurityHeaders = '' # Configuration best practices From cf46da9df7a9036a8c600701042fe390c5c842d8 Mon Sep 17 00:00:00 2001 From: June Date: Tue, 12 Nov 2024 23:06:01 +0100 Subject: [PATCH 114/170] public-web-static: make c3cat.de and www work as well as staging --- .../virtualHosts/c3cat.de.nix | 61 +++++++++++++++++-- .../virtualHosts/default.nix | 1 + .../virtualHosts/staging.c3cat.de.nix | 60 ++++++++++++++++++ 3 files changed, 116 insertions(+), 6 deletions(-) create mode 100644 config/hosts/public-web-static/virtualHosts/staging.c3cat.de.nix diff --git a/config/hosts/public-web-static/virtualHosts/c3cat.de.nix b/config/hosts/public-web-static/virtualHosts/c3cat.de.nix index f1ad5273..91d3a40f 100644 --- a/config/hosts/public-web-static/virtualHosts/c3cat.de.nix +++ b/config/hosts/public-web-static/virtualHosts/c3cat.de.nix @@ -1,10 +1,19 @@ { pkgs, ... }: -{ +let + domain = "c3cat.de"; + dataDir = "/var/www/${domain}"; + deployUser = "c3cat-website-deploy"; +in { + security.acme.certs."${domain}".extraDomainNames = [ "www.${domain}" ]; + services.nginx.virtualHosts = { - "acme-c3cat.de" = { + "acme-${domain}" = { enableACME = true; - serverName = "c3cat.de"; + serverName = "${domain}"; + serverAliases = [ + "www.${domain}" + ]; listen = [ { @@ -14,9 +23,9 @@ ]; }; - "c3cat.de" = { + "$www.${domain}" = { forceSSL = true; - useACMEHost = "c3cat.de"; + useACMEHost = "${domain}"; listen = [ { @@ -28,7 +37,7 @@ ]; locations."/" = { - return = "302 https://wiki.hamburg.ccc.de/club:c3cat:start"; + return = "302 https://c3cat.de$request_uri"; }; extraConfig = '' 
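Review bot: The new virtual host name `"$www.${domain}"` in the `@@ -14,9 +23,9 @@` hunk of c3cat.de.nix carries a literal `$`, because Nix only interpolates `${...}`; the attribute name is what the NixOS module turns into the nginx `server_name`, so this block would match `$www.c3cat.de` and never `www.c3cat.de`, and www requests on port 8443 would instead land on whichever server nginx treats as default there. The intended line is presumably `"www.${domain}" = {`, which is also what the ACME host's `serverAliases` and `extraDomainNames` in the previous hunk prepare the certificate for. The redirect block's `listen` and `locations` continue in the following hunk.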
@@ -42,5 +51,45 @@ real_ip_header proxy_protocol; ''; }; + + "${domain}" = { + forceSSL = true; + useACMEHost = "${domain}"; + + listen = [ + { + addr = "0.0.0.0"; + port = 8443; + ssl = true; + proxyProtocol = true; + } + ]; + + root = "${dataDir}"; + + extraConfig = '' + # Make use of the ngx_http_realip_module to set the $remote_addr and + # $remote_port to the client address and client port, when using proxy + # protocol. + # First set our proxy protocol proxy as trusted. + set_real_ip_from 172.31.17.140; + # Then tell the realip_module to get the addreses from the proxy protocol + # header. + real_ip_header proxy_protocol; + ''; + }; }; + + systemd.tmpfiles.rules = [ + "d ${dataDir} 0755 ${deployUser} ${deployUser}" + ]; + + users.users."${deployUser}" = { + isNormalUser = true; + group = "${deployUser}"; + openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIcZJzQO4RYinJm6YDUgCELe8OJA/DYOss+8xp7TtxM0 deploy key for c3cat.de" + ]; + }; + users.groups."${deployUser}" = { }; } diff --git a/config/hosts/public-web-static/virtualHosts/default.nix b/config/hosts/public-web-static/virtualHosts/default.nix index dac4fa4b..c9d77ef9 100644 --- a/config/hosts/public-web-static/virtualHosts/default.nix +++ b/config/hosts/public-web-static/virtualHosts/default.nix @@ -9,6 +9,7 @@ ./hackertours.hamburg.ccc.de.nix ./hamburg.ccc.de.nix ./spaceapi.hamburg.ccc.de.nix + ./staging.c3cat.de.nix ./staging.hacker.tours.nix ./staging.hackertours.hamburg.ccc.de.nix ./staging.hamburg.ccc.de.nix diff --git a/config/hosts/public-web-static/virtualHosts/staging.c3cat.de.nix b/config/hosts/public-web-static/virtualHosts/staging.c3cat.de.nix new file mode 100644 index 00000000..c91d2837 --- /dev/null +++ b/config/hosts/public-web-static/virtualHosts/staging.c3cat.de.nix 
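Review bot: `users.users."${deployUser}"` in this hunk creates a full interactive account (`isNormalUser = true`) with an SSH key, and the staging file added in the same commit reuses the same account name, so one key publishes to both production and staging; nothing in c3cat.de.nix records that the account is shared. A comment on the definition would make that dependency visible to whoever rotates the key or removes the staging site: `# Deploy account for c3cat.de; also used by staging.c3cat.de.nix (same key publishes both sites), which relies on this definition.` Whether the account needs a login shell at all depends on how the site is pushed, which is not visible here; if it is a plain file copy, restricting `shell` would shrink what the key can do. The `extraConfig` block in this hunk repeats the `set_real_ip_from`/`real_ip_header` stanza from the redirect host, as the other virtual hosts in this directory do.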
@@ -0,0 +1,60 @@ +{ pkgs, ... }: + +let + domain = "staging.c3cat.de"; + dataDir = "/var/www/${domain}"; + deployUser = "c3cat-website-deploy"; +in { + services.nginx.virtualHosts = { + "acme-${domain}" = { + enableACME = true; + serverName = "${domain}"; + + listen = [ + { + addr = "0.0.0.0"; + port = 31820; + } + ]; + }; + + "${domain}" = { + forceSSL = true; + useACMEHost = "${domain}"; + + listen = [ + { + addr = "0.0.0.0"; + port = 8443; + ssl = true; + proxyProtocol = true; + } + ]; + + root = "${dataDir}"; + + # Disallow *, since this is staging and doesn't need to be in any search + # results. + locations."/robots.txt" = { + return = "200 \"User-agent: *\\nDisallow: *\\n\""; + }; + + extraConfig = '' + # Make use of the ngx_http_realip_module to set the $remote_addr and + # $remote_port to the client address and client port, when using proxy + # protocol. + # First set our proxy protocol proxy as trusted. + set_real_ip_from 172.31.17.140; + # Then tell the realip_module to get the addreses from the proxy protocol + # header. + real_ip_header proxy_protocol; + ''; + }; + }; + + systemd.tmpfiles.rules = [ + "d ${dataDir} 0755 ${deployUser} ${deployUser}" + ]; + + # c3cat deploy user already defined in c3cat.de.nix. +} From d98aa099e1d42f5e3705b860463ddea95058fd55 Mon Sep 17 00:00:00 2001 
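Review bot: The robots.txt body in `locations."/robots.txt"` uses `Disallow: *`, which only excludes crawlers that implement wildcard patterns; the portable form that every crawler understands as "everything" is `Disallow: /`, so the line should read `return = "200 \"User-agent: *\\nDisallow: /\\n\"";`. The location also sets no content type, so the body is served with nginx's default type; adding `extraConfig = "default_type text/plain;";` to the location, as the eh05 host in this repo does with `default_type text/html`, gives crawlers the type they expect. The `# c3cat deploy user already defined in c3cat.de.nix.` comment should name the consequence as well, e.g. `# ... removing or renaming the user there breaks the tmpfiles rule above.`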
From: June Date: Sun, 10 Nov 2024 18:14:42 +0100 Subject: [PATCH 115/170] license this repo under the MIT license All previous contributors are asked to sign off on licensing this repo under the MIT license in PR 12 (https://git.hamburg.ccc.de/CCCHH/nix-infra/pulls/12). Once all contributors signed-off, this commit will be merged into the main branch and this repo will be licensed under the MIT license. Don't track copyright years in the license, as that is cumbersome and also not done in other projects anymore: https://daniel.haxx.se/blog/2023/01/08/copyright-without-years/ https://github.com/rails/rails/pull/47467 MIT License: https://opensource.org/license/MIT https://choosealicense.com/licenses/mit/ --- LICENSE | 21 +++++++++++++++++++++ README.md | 4 ++++ 2 files changed, 25 insertions(+) create mode 100644 LICENSE diff --git a/LICENSE b/LICENSE new file mode 100644 index 00000000..37eee6c4 --- /dev/null +++ b/LICENSE 
@@ -0,0 +1,21 @@ +MIT License + +Copyright (c) CCCHH + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +SOFTWARE. diff --git a/README.md b/README.md index bd3a29a4..186f14af 100644 --- a/README.md +++ b/README.md @@ -73,3 +73,7 @@ Build a new NixOS Proxmox VE Template for the chaosknoten: ```shell nix build .#proxmox-chaosknoten-nixos-template ``` + +## License + +This CCCHH nix-infra repository is licensed under the [MIT License](./LICENSE). From c25d6c6326fec50b815ff6ab46dc185a12180d5f Mon Sep 17 00:00:00 2001 
From: c6ristian Date: Sun, 17 Nov 2024 03:02:17 +0100 Subject: [PATCH 116/170] revert: useing pkgs.fetchGit for authorized keys reverts the changes from ec64eebfd6c3b006b7ff5d5c3bda750cf04a5662 it brakes some of the flake process we use, setting 'allow-import-from-derivation' doesn't seem like a good fix to me and doesn't work in all cases. I couldn't find any other solution to fix it for now, so we will revert it for now, until we have a better solution. --- config/common/users.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/config/common/users.nix b/config/common/users.nix index 026929bd..400a1065 100644 --- a/config/common/users.nix +++ b/config/common/users.nix @@ -9,10 +9,10 @@ { config, pkgs, lib, ... }: let - authorizedKeysRepo = pkgs.fetchgit { - url = "https://git.hamburg.ccc.de/CCCHH/infrastructure-authorized-keys"; + authorizedKeysRepo = builtins.fetchGit { + url = "forgejo@git.hamburg.ccc.de:CCCHH/infrastructure-authorized-keys.git"; + ref = "trunk"; rev = "686a6af22f6696f0c0595c56f463c078550049fc"; - hash = "sha256-plTYjM6zPzoBE/dp6EUrk9mCqmab278p8FqBCTX8Grc="; }; authorizedKeys = builtins.filter (item: item != "") (lib.strings.splitString "\n" (builtins.readFile "${authorizedKeysRepo}/authorized_keys")); in From 7d58a3db4a4ac864aab7717ea87b0db8c3ac5adc Mon Sep 17 00:00:00 2001 From: jopejoe1 Date: Tue, 5 Nov 2024 00:02:41 +0100 Subject: [PATCH 117/170] move overlay to overlays output --- flake.nix | 20 +++++++++++--------- 1 file changed, 11 insertions(+), 9 deletions(-) diff --git a/flake.nix b/flake.nix index b787f78f..7fd9b805 100644 --- a/flake.nix +++ b/flake.nix 
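Review bot: After this hunk the `authorizedKeysRepo` fetch, which supplies the SSH keys installed on every host, is pinned only by the git commit id in `rev`; the `hash` line that bound the fetched content to a NAR hash recorded in this repo is removed, and `builtins.fetchGit` over `forgejo@git.hamburg.ccc.de` additionally makes evaluation depend on the evaluating machine's SSH credentials. A full commit id still fixes the content, but the integrity guarantee now rests on git's object hashing and on the forge rather than on a value checked into nix-infra, and the file itself does not say why. The commit message explains the trade-off, so a comment above `authorizedKeysRepo` should carry it into the code: `# Pinned by commit id only (no content hash): pkgs.fetchgit broke the flake workflow, see ec64eebfd6c3b006b7ff5d5c3bda750cf04a5662. Review the keys repo diff before bumping rev.`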
@@ -26,23 +26,25 @@ outputs = { self, nixpkgs, nixpkgs-unstable, nixos-generators, sops-nix, ... }: let system = "x86_64-linux"; - shairportSync431ExtendedNixpkgsUnstableOverlay = final: prev: { - shairport-sync = (prev.shairport-sync.override { enableMetadata = true; enableAirplay2 = true; }).overrideAttrs (finalAttr: previousAttr: { - # See: https://github.com/mikebrady/shairport-sync/blob/e78a88b64adfe7b5f88fd6faedf55c57445bb240/CONFIGURATION%20FLAGS.md - configureFlags = previousAttr.configureFlags ++ [ "--with-mqtt-client" ]; - buildInputs = previousAttr.buildInputs ++ [ final.mosquitto ]; - }); - }; pkgs-unstable = nixpkgs-unstable.legacyPackages."x86_64-linux"; in { + overlays = { + shairportSyncAirplay2 = final: prev: { + shairport-sync = (prev.shairport-sync.override { enableMetadata = true; enableAirplay2 = true; }).overrideAttrs (finalAttr: previousAttr: { + # See: https://github.com/mikebrady/shairport-sync/blob/e78a88b64adfe7b5f88fd6faedf55c57445bb240/CONFIGURATION%20FLAGS.md + configureFlags = previousAttr.configureFlags ++ [ "--with-mqtt-client" ]; + buildInputs = previousAttr.buildInputs ++ [ final.mosquitto ]; + }); + }; + }; nixosConfigurations = { audio-hauptraum-kueche = nixpkgs.lib.nixosSystem { inherit system; modules = [ ./config/common ./config/proxmox-vm - { nixpkgs.overlays = [ shairportSync431ExtendedNixpkgsUnstableOverlay ]; } + { nixpkgs.overlays = [ self.overlays.shairportSyncAirplay2 ]; } ./config/hosts/audio-hauptraum-kueche ]; }; @@ -52,7 +54,7 @@ modules = [ ./config/common ./config/proxmox-vm - { nixpkgs.overlays = [ shairportSync431ExtendedNixpkgsUnstableOverlay ]; } + { nixpkgs.overlays = [ self.overlays.shairportSyncAirplay2 ]; } ./config/hosts/audio-hauptraum-tafel ]; }; From 6c85b91efbfc0a5e46f06b8308575507c9bba20d Mon Sep 17 00:00:00 2001 
From: jopejoe1 Date: Tue, 5 Nov 2024 22:43:53 +0100 Subject: [PATCH 118/170] make use of nixosModules output --- flake.nix | 111 ++++++++++++++++++++++++++++-------------------------- 1 file changed, 58 insertions(+), 53 deletions(-) diff --git a/flake.nix b/flake.nix index 7fd9b805..da7b32e3 100644 --- a/flake.nix +++ b/flake.nix @@ -38,12 +38,17 @@ }); }; }; + nixosModules = { + common = ./config/common; + proxmox-vm = ./config/proxmox-vm; + prometheus-exporter = ./config/extra/prometheus-exporter.nix; + }; nixosConfigurations = { audio-hauptraum-kueche = nixpkgs.lib.nixosSystem { inherit system; modules = [ - ./config/common - ./config/proxmox-vm + self.nixosModules.common + self.nixosModules.proxmox-vm { nixpkgs.overlays = [ self.overlays.shairportSyncAirplay2 ]; } ./config/hosts/audio-hauptraum-kueche ]; @@ -52,8 +57,8 @@ audio-hauptraum-tafel = nixpkgs.lib.nixosSystem { inherit system; modules = [ - ./config/common - ./config/proxmox-vm + self.nixosModules.common + self.nixosModules.proxmox-vm { nixpkgs.overlays = [ self.overlays.shairportSyncAirplay2 ]; } ./config/hosts/audio-hauptraum-tafel ]; @@ -62,8 +67,8 @@ esphome = nixpkgs.lib.nixosSystem { inherit system; modules = [ - ./config/common - ./config/proxmox-vm + self.nixosModules.common + self.nixosModules.proxmox-vm ./config/hosts/esphome ]; }; @@ -71,8 +76,8 @@ public-reverse-proxy = nixpkgs.lib.nixosSystem { inherit system; modules = [ - ./config/common - ./config/proxmox-vm + self.nixosModules.common + self.nixosModules.proxmox-vm ./config/hosts/public-reverse-proxy ]; }; @@ -80,10 +85,10 @@ netbox = nixpkgs.lib.nixosSystem { inherit system; modules = [ - ./config/common - ./config/proxmox-vm + self.nixosModules.common + self.nixosModules.proxmox-vm sops-nix.nixosModules.sops - ./config/extra/prometheus-exporter.nix + self.nixosModules.prometheus-exporter ./config/hosts/netbox ]; }; 
@@ -91,10 +96,10 @@ matrix = nixpkgs.lib.nixosSystem { inherit system; modules = [ - ./config/common - ./config/proxmox-vm + self.nixosModules.common + self.nixosModules.proxmox-vm sops-nix.nixosModules.sops - ./config/extra/prometheus-exporter.nix + self.nixosModules.prometheus-exporter ./config/hosts/matrix ]; }; @@ -102,10 +107,10 @@ public-web-static = nixpkgs.lib.nixosSystem { inherit system; modules = [ - ./config/common - ./config/proxmox-vm + self.nixosModules.common + self.nixosModules.proxmox-vm sops-nix.nixosModules.sops - ./config/extra/prometheus-exporter.nix + self.nixosModules.prometheus-exporter ./config/hosts/public-web-static ]; }; @@ -113,10 +118,10 @@ git = nixpkgs.lib.nixosSystem { inherit system; modules = [ - ./config/common - ./config/proxmox-vm + self.nixosModules.common + self.nixosModules.proxmox-vm sops-nix.nixosModules.sops - ./config/extra/prometheus-exporter.nix + self.nixosModules.prometheus-exporter ./config/hosts/git ]; }; @@ -124,10 +129,10 @@ forgejo-actions-runner = nixpkgs.lib.nixosSystem { inherit system; modules = [ - ./config/common - ./config/proxmox-vm + self.nixosModules.common + self.nixosModules.proxmox-vm sops-nix.nixosModules.sops - ./config/extra/prometheus-exporter.nix + self.nixosModules.prometheus-exporter ./config/hosts/forgejo-actions-runner ]; }; @@ -135,8 +140,8 @@ ptouch-print-server = nixpkgs.lib.nixosSystem { inherit system; modules = [ - ./config/common - ./config/proxmox-vm + self.nixosModules.common + self.nixosModules.proxmox-vm ./config/hosts/ptouch-print-server ]; }; @@ -144,9 +149,9 @@ eh22-wiki = nixpkgs.lib.nixosSystem { inherit system; modules = [ - ./config/common - ./config/proxmox-vm - ./config/extra/prometheus-exporter.nix + self.nixosModules.common + self.nixosModules.proxmox-vm + self.nixosModules.prometheus-exporter ./config/hosts/eh22-wiki ]; }; 
@@ -154,9 +159,9 @@ nix-box-june = nixpkgs.lib.nixosSystem { inherit system; modules = [ - ./config/common - ./config/proxmox-vm - ./config/extra/prometheus-exporter.nix + self.nixosModules.common + self.nixosModules.proxmox-vm + self.nixosModules.prometheus-exporter ./config/hosts/nix-box-june ]; }; @@ -164,8 +169,8 @@ yate = nixpkgs.lib.nixosSystem { inherit system; modules = [ - ./config/common - ./config/proxmox-vm + self.nixosModules.common + self.nixosModules.proxmox-vm ./config/hosts/yate ]; }; @@ -173,8 +178,8 @@ mqtt = nixpkgs.lib.nixosSystem { inherit system; modules = [ - ./config/common - ./config/proxmox-vm + self.nixosModules.common + self.nixosModules.proxmox-vm ./config/hosts/mqtt ]; }; @@ -182,10 +187,10 @@ mjolnir = nixpkgs.lib.nixosSystem { inherit system; modules = [ - ./config/common - ./config/proxmox-vm + self.nixosModules.common + self.nixosModules.proxmox-vm sops-nix.nixosModules.sops - ./config/extra/prometheus-exporter.nix + self.nixosModules.prometheus-exporter ./config/hosts/mjolnir ]; }; @@ -193,10 +198,10 @@ woodpecker = nixpkgs.lib.nixosSystem { inherit system; modules = [ - ./config/common - ./config/proxmox-vm + self.nixosModules.common + self.nixosModules.proxmox-vm sops-nix.nixosModules.sops - ./config/extra/prometheus-exporter.nix + self.nixosModules.prometheus-exporter ./config/hosts/woodpecker ]; specialArgs = { @@ -207,8 +212,8 @@ status = nixpkgs.lib.nixosSystem { inherit system; modules = [ - ./config/common - ./config/proxmox-vm + self.nixosModules.common + self.nixosModules.proxmox-vm sops-nix.nixosModules.sops ./config/hosts/status ]; @@ -217,10 +222,10 @@ penpot = nixpkgs.lib.nixosSystem { inherit system; modules = [ - ./config/common - ./config/proxmox-vm + self.nixosModules.common + self.nixosModules.proxmox-vm sops-nix.nixosModules.sops - ./config/extra/prometheus-exporter.nix + self.nixosModules.prometheus-exporter ./config/hosts/penpot ]; }; 
@@ -228,9 +233,9 @@ hydra = nixpkgs.lib.nixosSystem { inherit system; modules = [ - ./config/common - ./config/proxmox-vm - ./config/extra/prometheus-exporter.nix + self.nixosModules.common + self.nixosModules.proxmox-vm + self.nixosModules.prometheus-exporter ./config/hosts/hydra ]; }; @@ -241,8 +246,8 @@ system = "x86_64-linux"; modules = [ ./config/nixos-generators/proxmox.nix - ./config/common - ./config/proxmox-vm + self.nixosModules.common + self.nixosModules.proxmox-vm ]; format = "proxmox"; }; @@ -252,8 +257,8 @@ modules = [ ./config/nixos-generators/proxmox-chaosknoten.nix ./config/proxmox-chaosknoten-additional-initial-config.nix - ./config/common - ./config/proxmox-vm + self.nixosModules.common + self.nixosModules.proxmox-vm ]; format = "proxmox"; }; From f7ebe660fe961a4ee7944aca10cf4ca3c50cd407 Mon Sep 17 00:00:00 2001 From: jopejoe1 Date: Tue, 5 Nov 2024 22:52:02 +0100 Subject: [PATCH 119/170] format files with `nix fmt` --- config/hosts/eh22-wiki/dokuwiki.nix | 5 ++- config/hosts/mqtt/configuration.nix | 12 ++--- config/hosts/mqtt/default.nix | 12 ++--- config/hosts/mqtt/mosquitto.nix | 44 +++++++++---------- config/hosts/nix-box-june/users.nix | 2 +- .../virtualHosts/hacker.tours.nix | 3 +- .../hackertours.hamburg.ccc.de.nix | 3 +- .../historic-easterhegg/default.nix | 4 +- .../virtualHosts/historic-easterhegg/eh03.nix | 4 +- .../virtualHosts/historic-easterhegg/eh05.nix | 8 ++-- .../virtualHosts/historic-easterhegg/eh07.nix | 4 +- .../virtualHosts/historic-easterhegg/eh09.nix | 4 +- .../virtualHosts/historic-easterhegg/eh11.nix | 4 +- .../virtualHosts/staging.hacker.tours.nix | 3 +- .../staging.hackertours.hamburg.ccc.de.nix | 3 +- config/hosts/yate/service.nix | 8 ++-- 16 files changed, 64 insertions(+), 59 deletions(-) diff --git a/config/hosts/eh22-wiki/dokuwiki.nix b/config/hosts/eh22-wiki/dokuwiki.nix index c0eafaae..f9a7cbd3 100644 --- a/config/hosts/eh22-wiki/dokuwiki.nix +++ b/config/hosts/eh22-wiki/dokuwiki.nix 
@@ -21,7 +21,8 @@ let app = "dokuwiki"; domain = "eh22.easterhegg.eu"; dataDir = "/srv/www/${domain}"; -in { +in +{ systemd.tmpfiles.rules = [ "d ${dataDir} 0755 ${app} ${app}" ]; @@ -76,7 +77,7 @@ in { default = true; enableACME = true; serverName = "${domain}"; - + listen = [ { addr = "0.0.0.0"; diff --git a/config/hosts/mqtt/configuration.nix b/config/hosts/mqtt/configuration.nix index 18d01849..793807d9 100644 --- a/config/hosts/mqtt/configuration.nix +++ b/config/hosts/mqtt/configuration.nix @@ -1,10 +1,10 @@ { ... }: { - networking = { - hostName = "mqtt"; - domain = "z9.ccchh.net"; - }; + networking = { + hostName = "mqtt"; + domain = "z9.ccchh.net"; + }; - system.stateVersion = "23.11"; -} \ No newline at end of file + system.stateVersion = "23.11"; +} diff --git a/config/hosts/mqtt/default.nix b/config/hosts/mqtt/default.nix index bb61c12e..bc91d9fc 100644 --- a/config/hosts/mqtt/default.nix +++ b/config/hosts/mqtt/default.nix @@ -1,9 +1,9 @@ { pkgs, ... }: { - imports = [ - ./configuration.nix - ./networking.nix - ./mosquitto.nix - ]; -} \ No newline at end of file + imports = [ + ./configuration.nix + ./networking.nix + ./mosquitto.nix + ]; +} diff --git a/config/hosts/mqtt/mosquitto.nix b/config/hosts/mqtt/mosquitto.nix index 672c05da..d093bd8a 100644 --- a/config/hosts/mqtt/mosquitto.nix +++ b/config/hosts/mqtt/mosquitto.nix 
@@ -5,29 +5,29 @@ { ... }: { - services.mosquitto = { - enable = true; - persistence = true; + services.mosquitto = { + enable = true; + persistence = true; - # set config for all listeners - listeners = [ { - settings.allow_anonymous = true; - omitPasswordAuth = true; - acl = ["topic readwrite #"]; - } ]; + # set config for all listeners + listeners = [{ + settings.allow_anonymous = true; + omitPasswordAuth = true; + acl = [ "topic readwrite #" ]; + }]; - bridges.winkekatz = { - addresses = [ - { address = "mqtt.winkekatze24.de"; } - ]; - topics = [ - "winkekatze/allcats/eye/set in 2" - "winkekatze/allcats in 2" - "+/status out 2 winkekatze/ \"\"" - "+/connected out 2 winkekatze/ \"\"" - ]; - }; + bridges.winkekatz = { + addresses = [ + { address = "mqtt.winkekatze24.de"; } + ]; + topics = [ + "winkekatze/allcats/eye/set in 2" + "winkekatze/allcats in 2" + "+/status out 2 winkekatze/ \"\"" + "+/connected out 2 winkekatze/ \"\"" + ]; }; + }; - networking.firewall.allowedTCPPorts = [ 1883 ]; -} \ No newline at end of file + networking.firewall.allowedTCPPorts = [ 1883 ]; +} diff --git a/config/hosts/nix-box-june/users.nix b/config/hosts/nix-box-june/users.nix index 9f1b217a..dfb333e2 100644 --- a/config/hosts/nix-box-june/users.nix +++ b/config/hosts/nix-box-june/users.nix @@ -26,7 +26,7 @@ }; yuri = { isNormalUser = true; - openssh.authorizedKeys.keys = [ + openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDdk3FLQRoCWxdOxg4kHcPqAu3QQOs/rY9na2Al2ilGl yuri@violet" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJEvM35w+UaSpDTuaG5pGPgfHcfwscr+wSZN9Z5Jle82 yuri@kiara" ]; diff --git a/config/hosts/public-web-static/virtualHosts/hacker.tours.nix b/config/hosts/public-web-static/virtualHosts/hacker.tours.nix index 7eaa0866..1ee61800 100644 --- a/config/hosts/public-web-static/virtualHosts/hacker.tours.nix +++ b/config/hosts/public-web-static/virtualHosts/hacker.tours.nix 
@@ -4,7 +4,8 @@ let domain = "hacker.tours"; dataDir = "/var/www/${domain}"; deployUser = "hackertours-website-deploy"; -in { +in +{ services.nginx.virtualHosts = { "acme-${domain}" = { enableACME = true; diff --git a/config/hosts/public-web-static/virtualHosts/hackertours.hamburg.ccc.de.nix b/config/hosts/public-web-static/virtualHosts/hackertours.hamburg.ccc.de.nix index 2077ca73..b0104b6e 100644 --- a/config/hosts/public-web-static/virtualHosts/hackertours.hamburg.ccc.de.nix +++ b/config/hosts/public-web-static/virtualHosts/hackertours.hamburg.ccc.de.nix @@ -4,7 +4,8 @@ let domain = "hackertours.hamburg.ccc.de"; dataDir = "/var/www/${domain}"; deployUser = "ht-ccchh-website-deploy"; -in { +in +{ services.nginx.virtualHosts = { "acme-${domain}" = { enableACME = true; diff --git a/config/hosts/public-web-static/virtualHosts/historic-easterhegg/default.nix b/config/hosts/public-web-static/virtualHosts/historic-easterhegg/default.nix index fe53d046..69d88553 100644 --- a/config/hosts/public-web-static/virtualHosts/historic-easterhegg/default.nix +++ b/config/hosts/public-web-static/virtualHosts/historic-easterhegg/default.nix @@ -1,4 +1,4 @@ -{...}: +{ ... }: { imports = [ @@ -9,4 +9,4 @@ ./eh11.nix ./eh20.nix ]; -} \ No newline at end of file +} diff --git a/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh03.nix b/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh03.nix index 60d4f21e..2c5dd866 100644 --- a/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh03.nix +++ b/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh03.nix @@ -6,7 +6,7 @@ let rev = "74977c56486cd060566bf06678a936e801952f9e"; hash = "sha256-ded/NO+Jex2Sa4yWAIRpqANsv8i0vKmJSkM5r9KxaVk="; }; -in +in { security.acme.certs."eh03.easterhegg.eu".extraDomainNames = [ "eh2003.hamburg.ccc.de" 
@@ -48,7 +48,7 @@ in }]; locations."/".return = "302 https://eh03.easterhegg.eu"; - + extraConfig = '' # Make use of the ngx_http_realip_module to set the $remote_addr and # $remote_port to the client address and client port, when using proxy diff --git a/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh05.nix b/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh05.nix index 7651666d..37cb8939 100644 --- a/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh05.nix +++ b/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh05.nix @@ -48,7 +48,7 @@ in }]; locations."/".return = "302 https://eh05.easterhegg.eu"; - + extraConfig = '' # Make use of the ngx_http_realip_module to set the $remote_addr and # $remote_port to the client address and client port, when using proxy @@ -60,7 +60,7 @@ in real_ip_header proxy_protocol; ''; }; - + "eh05.easterhegg.eu" = { forceSSL = true; useACMEHost = "eh05.easterhegg.eu"; @@ -71,7 +71,7 @@ in ssl = true; proxyProtocol = true; }]; - + locations."/" = { index = "index.shtml"; root = eh05; @@ -80,7 +80,7 @@ in default_type text/html; # Enable SSI ssi on; - ''; + ''; }; extraConfig = '' diff --git a/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh07.nix b/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh07.nix index 40fe4805..ebfa7125 100644 --- a/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh07.nix +++ b/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh07.nix @@ -54,7 +54,7 @@ in }]; locations."/".return = "302 https://eh07.easterhegg.eu"; - + extraConfig = '' # Make use of the ngx_http_realip_module to set the $remote_addr and # $remote_port to the client address and client port, when using proxy @@ -86,7 +86,7 @@ in default_type text/html; # Enable SSI ssi on; - ''; + ''; }; extraConfig = '' 
diff --git a/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh09.nix b/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh09.nix index f7416ed8..ea274af1 100644 --- a/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh09.nix +++ b/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh09.nix @@ -54,7 +54,7 @@ in }]; locations."/".return = "302 https://eh09.easterhegg.eu"; - + extraConfig = '' # Make use of the ngx_http_realip_module to set the $remote_addr and # $remote_port to the client address and client port, when using proxy @@ -86,7 +86,7 @@ in default_type text/html; # Enable SSI ssi on; - ''; + ''; }; extraConfig = '' # Make use of the ngx_http_realip_module to set the $remote_addr and diff --git a/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh11.nix b/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh11.nix index c409641d..39d7fad3 100644 --- a/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh11.nix +++ b/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh11.nix @@ -54,7 +54,7 @@ in }]; locations."/".return = "302 https://eh11.easterhegg.eu"; - + extraConfig = '' # Make use of the ngx_http_realip_module to set the $remote_addr and # $remote_port to the client address and client port, when using proxy @@ -86,7 +86,7 @@ in default_type text/html; # Enable SSI ssi on; - ''; + ''; }; extraConfig = '' diff --git a/config/hosts/public-web-static/virtualHosts/staging.hacker.tours.nix b/config/hosts/public-web-static/virtualHosts/staging.hacker.tours.nix index 382f1b6c..14ede9b2 100644 --- a/config/hosts/public-web-static/virtualHosts/staging.hacker.tours.nix +++ b/config/hosts/public-web-static/virtualHosts/staging.hacker.tours.nix 
@@ -4,7 +4,8 @@ let domain = "staging.hacker.tours"; dataDir = "/var/www/${domain}"; deployUser = "hackertours-website-deploy"; -in { +in +{ services.nginx.virtualHosts = { "acme-${domain}" = { enableACME = true; diff --git a/config/hosts/public-web-static/virtualHosts/staging.hackertours.hamburg.ccc.de.nix b/config/hosts/public-web-static/virtualHosts/staging.hackertours.hamburg.ccc.de.nix index 4b71d531..79ca38cc 100644 --- a/config/hosts/public-web-static/virtualHosts/staging.hackertours.hamburg.ccc.de.nix +++ b/config/hosts/public-web-static/virtualHosts/staging.hackertours.hamburg.ccc.de.nix @@ -4,7 +4,8 @@ let domain = "staging.hackertours.hamburg.ccc.de"; dataDir = "/var/www/${domain}"; deployUser = "ht-ccchh-website-deploy"; -in { +in +{ services.nginx.virtualHosts = { "acme-${domain}" = { enableACME = true; diff --git a/config/hosts/yate/service.nix b/config/hosts/yate/service.nix index e426a310..e031d4d4 100644 --- a/config/hosts/yate/service.nix +++ b/config/hosts/yate/service.nix @@ -6,16 +6,16 @@ description = "Yate telehony engine"; unitConfig = { Type = "simple"; - After="network.target"; + After = "network.target"; }; serviceConfig = { ExecStart = "${pkgs.yate}/bin/yate -c /yate -e /yate/share -Do"; - Type="simple"; - Restart="always"; + Type = "simple"; + Restart = "always"; # ... }; wantedBy = [ "default.target" ]; - requiredBy = [ "network.target" ]; + requiredBy = [ "network.target" ]; # ... }; } From e404d4740f4e2c365db07d754e34cc5c8dfd61f0 Mon Sep 17 00:00:00 2001 From: jopejoe1 Date: Tue, 5 Nov 2024 22:56:55 +0100 Subject: [PATCH 120/170] remove nixpkgs-unstable the current version of woodpecker-server in stable now has the features this was original used for, not other usages of unstable are in tree left so removing it. --- .../woodpecker-agent/woodpecker-agent.nix | 5 ++--- .../woodpecker-server/woodpecker-server.nix | 6 ++---- flake.lock | 17 ----------------- flake.nix | 7 +------ 4 files changed, 5 insertions(+), 30 deletions(-) 
diff --git a/config/hosts/woodpecker/woodpecker-agent/woodpecker-agent.nix b/config/hosts/woodpecker/woodpecker-agent/woodpecker-agent.nix index dc89021c..8c6847bf 100644 --- a/config/hosts/woodpecker/woodpecker-agent/woodpecker-agent.nix +++ b/config/hosts/woodpecker/woodpecker-agent/woodpecker-agent.nix @@ -3,13 +3,12 @@ # - https://woodpecker-ci.org/docs/administration/agent-config # - https://woodpecker-ci.org/docs/administration/backends/docker -{ config, pkgs, pkgs-unstable, ... }: +{ config, pkgs, ... }: { services.woodpecker-agents.agents."docker" = { enable = true; - # Since we use woodpecker-server from unstable, use the agent from unstable as well. - package = pkgs-unstable.woodpecker-agent; + package = pkgs.woodpecker-agent; extraGroups = [ "docker" ]; environment = { WOODPECKER_SERVER = "localhost${config.services.woodpecker-server.environment.WOODPECKER_GRPC_ADDR}"; diff --git a/config/hosts/woodpecker/woodpecker-server/woodpecker-server.nix b/config/hosts/woodpecker/woodpecker-server/woodpecker-server.nix index 464af131..2baafc5b 100644 --- a/config/hosts/woodpecker/woodpecker-server/woodpecker-server.nix +++ b/config/hosts/woodpecker/woodpecker-server/woodpecker-server.nix @@ -5,14 +5,12 @@ # - https://woodpecker-ci.org/docs/administration/forges/forgejo # - https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-CONNSTRING -{ config, pkgs, pkgs-unstable, ... }: +{ config, pkgs, ... }: { services.woodpecker-server = { enable = true; - # Use package from unstable to get at least version 2.6.0 for native Forgejo support. - # https://github.com/woodpecker-ci/woodpecker/releases/tag/v2.6.0 - package = pkgs-unstable.woodpecker-server; + package = pkgs.woodpecker-server; environment = { WOODPECKER_HOST = "https://woodpecker.hamburg.ccc.de"; WOODPECKER_SERVER_ADDR = ":8001"; diff --git a/flake.lock b/flake.lock index 58d521bf..74a53961 100644 --- a/flake.lock +++ b/flake.lock 
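Review bot: The new `package = pkgs.woodpecker-server;` line in woodpecker-server.nix drops the only record of why the package choice matters, since the removed comment was what tied it to the ≥ 2.6.0 requirement for native Forgejo support; the agent hunk in woodpecker-agent.nix likewise ends up with no comment at all. Keeping a one-liner such as `# Native Forgejo support (WOODPECKER_FORGEJO) needs woodpecker >= 2.6.0; the pinned stable channel now ships it.` preserves that context for the next channel bump. If the requirement should be enforced rather than remembered, an assertion on `pkgs.lib.versionAtLeast pkgs.woodpecker-server.version "2.6.0"` would fail evaluation instead of silently regressing if the pin ever moves to an older nixpkgs.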
@@ -68,27 +68,10 @@ "type": "github" } }, - "nixpkgs-unstable": { - "locked": { - "lastModified": 1731265036, - "narHash": "sha256-e5I+glVZwQvLT6WIeMFi0Mk+N/jkYauZ31ir2NRZcf8=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "8aed22ecd71e5b67e5299efae8b9dc580dec711c", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-unstable-small", - "repo": "nixpkgs", - "type": "github" - } - }, "root": { "inputs": { "nixos-generators": "nixos-generators", "nixpkgs": "nixpkgs", - "nixpkgs-unstable": "nixpkgs-unstable", "sops-nix": "sops-nix" } }, diff --git a/flake.nix b/flake.nix index da7b32e3..f575ac63 100644 --- a/flake.nix +++ b/flake.nix @@ -6,7 +6,6 @@ # https://nixos.org/manual/nixos/stable/#sec-upgrading # https://github.com/NixOS/nixpkgs nixpkgs.url = "github:nixos/nixpkgs/nixos-24.05-small"; - nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable-small"; # Add nixos-generators as an input. # See here: https://github.com/nix-community/nixos-generators#using-in-a-flake @@ -23,10 +22,9 @@ }; }; - outputs = { self, nixpkgs, nixpkgs-unstable, nixos-generators, sops-nix, ... }: + outputs = { self, nixpkgs, nixos-generators, sops-nix, ... }: let system = "x86_64-linux"; - pkgs-unstable = nixpkgs-unstable.legacyPackages."x86_64-linux"; in { overlays = { @@ -204,9 +202,6 @@ self.nixosModules.prometheus-exporter ./config/hosts/woodpecker ]; - specialArgs = { - inherit pkgs-unstable; - }; }; status = nixpkgs.lib.nixosSystem { From 53e33a6641791d61d58c9bd007d4ea05d96e82a6 Mon Sep 17 00:00:00 2001 
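Review bot: Removing `pkgs-unstable` from `outputs` and from the woodpecker host's `specialArgs` breaks evaluation of any module that still destructures it, and the commit message's claim that no other usages remain does not appear to hold: config/hosts/git/forgejo.nix, as shown later in this series (patch 127), still opens with `{ pkgs-unstable, ... }:`. Unless that argument reaches the git host by a path not visible here, its `nixosSystem` would fail with a missing-argument error until that later patch lands. A `grep -rn pkgs-unstable config/ modules/` before merging, or evaluating every `nixosConfigurations` entry, would have caught this.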
From: c6ristian Date: Sun, 17 Nov 2024 20:24:35 +0100 Subject: [PATCH 121/170] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nixos-generators': 'github:nix-community/nixos-generators/7c60ba4bc8d6aa2ba3e5b0f6ceb9fc07bc261565' (2024-10-21) → 'github:nix-community/nixos-generators/06ffce1a8d95e95c06a4bcfa117dd960b14a7101' (2024-11-14) • Updated input 'nixos-generators/nixlib': 'github:nix-community/nixpkgs.lib/cce4521b6df014e79a7b7afc58c703ed683c916e' (2024-10-20) → 'github:nix-community/nixpkgs.lib/e04234d263750db01c78a412690363dc2226e68a' (2024-11-10) • Updated input 'nixos-generators/nixpkgs': follows 'nixpkgs' → 'github:NixOS/nixpkgs/aebe249544837ce42588aa4b2e7972222ba12e8f' (2024-11-10) • Updated input 'nixpkgs': 'github:nixos/nixpkgs/11f65b4b0405cff5b54c813626bddcf5435d7ad2' (2024-11-09) → 'github:nixos/nixpkgs/bf6132dc791dbdff8b6894c3a85eb27ad8255682' (2024-11-17) • Updated input 'sops-nix': 'github:Mic92/sops-nix/f1675e3b0e1e663a4af49be67ecbc9e749f85eb7' (2024-11-10) → 'github:Mic92/sops-nix/472741cf3fee089241ac9ea705bb2b9e0bfa2978' (2024-11-17) • Removed input 'sops-nix/nixpkgs-stable' --- flake.lock | 65 ++++++++++++++++++++++++++---------------------------- flake.nix | 2 +- 2 files changed, 32 insertions(+), 35 deletions(-) diff --git a/flake.lock b/flake.lock index 74a53961..a41bdb5c 100644 --- a/flake.lock +++ b/flake.lock @@ -2,11 +2,11 @@ "nodes": { "nixlib": { "locked": { - "lastModified": 1729386149, - "narHash": "sha256-hUP9oxmnOmNnKcDOf5Y55HQ+NnoT0+bLWHLQWLLw9Ks=", + "lastModified": 1731200463, + "narHash": "sha256-qDaAweJjdFbVExqs8aG27urUgcgKufkIngHW3Rzustg=", "owner": "nix-community", "repo": "nixpkgs.lib", - "rev": "cce4521b6df014e79a7b7afc58c703ed683c916e", + "rev": "e04234d263750db01c78a412690363dc2226e68a", "type": "github" }, "original": { 
@@ -18,16 +18,14 @@ "nixos-generators": { "inputs": { "nixlib": "nixlib", - "nixpkgs": [ - "nixpkgs" - ] + "nixpkgs": "nixpkgs" }, "locked": { - "lastModified": 1729472750, - "narHash": "sha256-s93LPHi5BN7I2xSGNAFWiYb8WRsPvT1LE9ZjZBrpFlg=", + "lastModified": 1731546190, + "narHash": "sha256-kJix8nLyFIJ3EC7VtoXK/85C4ZN2dC5oWoS8+ErehqI=", "owner": "nix-community", "repo": "nixos-generators", - "rev": "7c60ba4bc8d6aa2ba3e5b0f6ceb9fc07bc261565", + "rev": "06ffce1a8d95e95c06a4bcfa117dd960b14a7101", "type": "github" }, "original": { @@ -38,11 +36,27 @@ }, "nixpkgs": { "locked": { - "lastModified": 1731133565, - "narHash": "sha256-tCErjTdCUWK06LzkcvwUM+3pyrrmdf8e0VDBBTgqznE=", + "lastModified": 1731245184, + "narHash": "sha256-vmLS8+x+gHRv1yzj3n+GTAEObwmhxmkkukB2DwtJRdU=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "aebe249544837ce42588aa4b2e7972222ba12e8f", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_2": { + "locked": { + "lastModified": 1731842749, + "narHash": "sha256-aNc8irVBH7sM5cGDvqdOueg8S+fGakf0rEMRGfGwWZw=", "owner": "nixos", "repo": "nixpkgs", - "rev": "11f65b4b0405cff5b54c813626bddcf5435d7ad2", + "rev": "bf6132dc791dbdff8b6894c3a85eb27ad8255682", "type": "github" }, "original": { @@ -52,26 +66,10 @@ "type": "github" } }, - "nixpkgs-stable": { - "locked": { - "lastModified": 1730602179, - "narHash": "sha256-efgLzQAWSzJuCLiCaQUCDu4NudNlHdg2NzGLX5GYaEY=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "3c2f1c4ca372622cb2f9de8016c9a0b1cbd0f37c", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "release-24.05", - "repo": "nixpkgs", - "type": "github" - } - }, "root": { "inputs": { "nixos-generators": "nixos-generators", - "nixpkgs": "nixpkgs", + "nixpkgs": "nixpkgs_2", "sops-nix": "sops-nix" } }, 
@@ -79,15 +77,14 @@ "inputs": { "nixpkgs": [ "nixpkgs" - ], - "nixpkgs-stable": "nixpkgs-stable" + ] }, "locked": { - "lastModified": 1731213149, - "narHash": "sha256-jR8i6nFLmSmm0cIoeRQ8Q4EBARa3oGaAtEER/OMMxus=", + "lastModified": 1731862312, + "narHash": "sha256-NVUTFxKrJp/hjehlF1IvkPnlRYg/O9HFVutbxOM8zNM=", "owner": "Mic92", "repo": "sops-nix", - "rev": "f1675e3b0e1e663a4af49be67ecbc9e749f85eb7", + "rev": "472741cf3fee089241ac9ea705bb2b9e0bfa2978", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index f575ac63..5d1d5e3e 100644 --- a/flake.nix +++ b/flake.nix @@ -11,7 +11,7 @@ # See here: https://github.com/nix-community/nixos-generators#using-in-a-flake nixos-generators = { url = "github:nix-community/nixos-generators"; - inputs.nixpkgs.follows = "nixpkgs"; + #inputs.nixpkgs.follows = "nixpkgs"; }; # Add sops-nix as an input for secret management. From 20033671089a3bc90e2cb4259b212c24a893de14 Mon Sep 17 00:00:00 2001 From: jopejoe1 Date: Sun, 17 Nov 2024 20:29:04 +0100 Subject: [PATCH 122/170] move authorized keys to flake input --- config/common/users.nix | 7 +----- flake.lock | 19 ++++++++++++++++ flake.nix | 50 ++++++++++++++++++++++++----------------- 3 files changed, 50 insertions(+), 26 deletions(-) diff --git a/config/common/users.nix b/config/common/users.nix index 400a1065..4ddef2a0 100644 --- a/config/common/users.nix +++ b/config/common/users.nix 
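Review bot: Commenting out `inputs.nixpkgs.follows = "nixpkgs";` for nixos-generators is a functional change that neither the "flake.lock: Update" title nor the message explains, and it leaves a dead line in place of a decision. With follows disabled, nixos-generators evaluates against its own pin — the new `nixpkgs` node in this lock tracks `nixpkgs-unstable` — so, unless the `nixosGenerate` calls pass an explicit `pkgs` (the ones visible later in this series pass only `system` and `modules`), the generated templates are built from a different nixpkgs than the hosts, and the lock now carries two nixpkgs trees to fetch and audit. If this works around a breakage in nixos-generators, say so in place, e.g. `# follows disabled on purpose: <reason or issue placeholder>`; otherwise restore the line.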
@@ -6,14 +6,9 @@ # - https://git.grzb.de/yuri/nix-infra/-/blob/342a2f732da042d04e579d98e9f834418b7ebf25/users/colmena-deploy/default.nix # - https://nixos.org/manual/nix/stable/command-ref/conf-file.html?highlight=nix.conf#available-settings -{ config, pkgs, lib, ... }: +{ config, pkgs, lib, authorizedKeysRepo, ... }: let - authorizedKeysRepo = builtins.fetchGit { - url = "forgejo@git.hamburg.ccc.de:CCCHH/infrastructure-authorized-keys.git"; - ref = "trunk"; - rev = "686a6af22f6696f0c0595c56f463c078550049fc"; - }; authorizedKeys = builtins.filter (item: item != "") (lib.strings.splitString "\n" (builtins.readFile "${authorizedKeysRepo}/authorized_keys")); in { diff --git a/flake.lock b/flake.lock index a41bdb5c..bd78ff82 100644 --- a/flake.lock +++ b/flake.lock @@ -1,5 +1,23 @@ { "nodes": { + "authorizedKeysRepo": { + "flake": false, + "locked": { + "lastModified": 1731276342, + "narHash": "sha256-plTYjM6zPzoBE/dp6EUrk9mCqmab278p8FqBCTX8Grc=", + "ref": "trunk", + "rev": "686a6af22f6696f0c0595c56f463c078550049fc", + "revCount": 17, + "type": "git", + "url": "https://git.hamburg.ccc.de:CCCHH/infrastructure-authorized-keys.git" + }, + "original": { + "ref": "trunk", + "rev": "686a6af22f6696f0c0595c56f463c078550049fc", + "type": "git", + "url": "https://git.hamburg.ccc.de:CCCHH/infrastructure-authorized-keys.git" + } + }, "nixlib": { "locked": { "lastModified": 1731200463, @@ -68,6 +86,7 @@ }, "root": { "inputs": { + "authorizedKeysRepo": "authorizedKeysRepo", "nixos-generators": "nixos-generators", "nixpkgs": "nixpkgs_2", "sops-nix": "sops-nix" diff --git a/flake.nix b/flake.nix index 5d1d5e3e..b7424db7 100644 --- a/flake.nix +++ b/flake.nix 
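Review bot: The common users module now depends on an `authorizedKeysRepo` module argument that only exists when the flake passes it through `specialArgs`, and nothing in the file says where it comes from, so a reader of users.nix alone cannot tell it is a pinned flake input. A comment above the argument pattern, e.g. `# authorizedKeysRepo: non-flake, rev-pinned input handed in via specialArgs from flake.nix`, makes that coupling explicit. Note also that the old `builtins.fetchGit` cloned over the ssh remote, whereas the input is fetched over https; the integrity of the key list now rests on the `rev` and the lock's `narHash`, which is fine as long as flake.lock stays committed and reviewed.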
@@ -20,10 +20,18 @@ url = "github:Mic92/sops-nix"; inputs.nixpkgs.follows = "nixpkgs"; }; + + authorizedKeysRepo = { + url = "git+https://git.hamburg.ccc.de:CCCHH/infrastructure-authorized-keys.git?ref=trunk&rev=686a6af22f6696f0c0595c56f463c078550049fc"; + flake = false; + }; }; - outputs = { self, nixpkgs, nixos-generators, sops-nix, ... }: + outputs = { self, nixpkgs, nixos-generators, sops-nix, authorizedKeysRepo, ... }: let + specialArgs = { + inherit authorizedKeysRepo; + }; system = "x86_64-linux"; in { @@ -43,7 +51,7 @@ }; nixosConfigurations = { audio-hauptraum-kueche = nixpkgs.lib.nixosSystem { - inherit system; + inherit system specialArgs; modules = [ self.nixosModules.common self.nixosModules.proxmox-vm @@ -53,7 +61,7 @@ }; audio-hauptraum-tafel = nixpkgs.lib.nixosSystem { - inherit system; + inherit system specialArgs; modules = [ self.nixosModules.common self.nixosModules.proxmox-vm @@ -63,7 +71,7 @@ }; esphome = nixpkgs.lib.nixosSystem { - inherit system; + inherit system specialArgs; modules = [ self.nixosModules.common self.nixosModules.proxmox-vm @@ -72,7 +80,7 @@ }; public-reverse-proxy = nixpkgs.lib.nixosSystem { - inherit system; + inherit system specialArgs; modules = [ self.nixosModules.common self.nixosModules.proxmox-vm @@ -81,7 +89,7 @@ }; netbox = nixpkgs.lib.nixosSystem { - inherit system; + inherit system specialArgs; modules = [ self.nixosModules.common self.nixosModules.proxmox-vm @@ -92,7 +100,7 @@ }; matrix = nixpkgs.lib.nixosSystem { - inherit system; + inherit system specialArgs; modules = [ self.nixosModules.common self.nixosModules.proxmox-vm @@ -103,7 +111,7 @@ }; public-web-static = nixpkgs.lib.nixosSystem { - inherit system; + inherit system specialArgs; modules = [ self.nixosModules.common self.nixosModules.proxmox-vm @@ -114,7 +122,7 @@ }; git = nixpkgs.lib.nixosSystem { - inherit system; + inherit system specialArgs; modules = [ self.nixosModules.common self.nixosModules.proxmox-vm 
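Review bot: The `authorizedKeysRepo` input pins the commit inside the URL (`rev=686a6af2…`), so `nix flake update` will never advance it; adding or revoking an SSH key on every host therefore requires editing flake.nix by hand, and nothing on the input says so. A comment such as `# Pinned by rev in the URL on purpose: bump the rev here to roll a key change out to all hosts.` would make that procedure visible. The host part also keeps the `:` from the scp-style ssh address (`git.hamburg.ccc.de:CCCHH/…`), where an https URL needs `/`; it may fetch regardless, but it reads as a leftover.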
@@ -125,7 +133,7 @@ }; forgejo-actions-runner = nixpkgs.lib.nixosSystem { - inherit system; + inherit system specialArgs; modules = [ self.nixosModules.common self.nixosModules.proxmox-vm @@ -136,7 +144,7 @@ }; ptouch-print-server = nixpkgs.lib.nixosSystem { - inherit system; + inherit system specialArgs; modules = [ self.nixosModules.common self.nixosModules.proxmox-vm @@ -145,7 +153,7 @@ }; eh22-wiki = nixpkgs.lib.nixosSystem { - inherit system; + inherit system specialArgs; modules = [ self.nixosModules.common self.nixosModules.proxmox-vm @@ -155,7 +163,7 @@ }; nix-box-june = nixpkgs.lib.nixosSystem { - inherit system; + inherit system specialArgs; modules = [ self.nixosModules.common self.nixosModules.proxmox-vm @@ -165,7 +173,7 @@ }; yate = nixpkgs.lib.nixosSystem { - inherit system; + inherit system specialArgs; modules = [ self.nixosModules.common self.nixosModules.proxmox-vm @@ -174,7 +182,7 @@ }; mqtt = nixpkgs.lib.nixosSystem { - inherit system; + inherit system specialArgs; modules = [ self.nixosModules.common self.nixosModules.proxmox-vm @@ -183,7 +191,7 @@ }; mjolnir = nixpkgs.lib.nixosSystem { - inherit system; + inherit system specialArgs; modules = [ self.nixosModules.common self.nixosModules.proxmox-vm @@ -194,7 +202,7 @@ }; woodpecker = nixpkgs.lib.nixosSystem { - inherit system; + inherit system specialArgs; modules = [ self.nixosModules.common self.nixosModules.proxmox-vm @@ -205,7 +213,7 @@ }; status = nixpkgs.lib.nixosSystem { - inherit system; + inherit system specialArgs; modules = [ self.nixosModules.common self.nixosModules.proxmox-vm @@ -215,7 +223,7 @@ }; penpot = nixpkgs.lib.nixosSystem { - inherit system; + inherit system specialArgs; modules = [ self.nixosModules.common self.nixosModules.proxmox-vm @@ -226,7 +234,7 @@ }; hydra = nixpkgs.lib.nixosSystem { - inherit system; + inherit system specialArgs; modules = [ self.nixosModules.common self.nixosModules.proxmox-vm 
@@ -238,6 +246,7 @@ packages.x86_64-linux = { proxmox-nixos-template = nixos-generators.nixosGenerate { + inherit specialArgs; system = "x86_64-linux"; modules = [ ./config/nixos-generators/proxmox.nix @@ -248,6 +257,7 @@ }; proxmox-chaosknoten-nixos-template = nixos-generators.nixosGenerate { + inherit specialArgs; system = "x86_64-linux"; modules = [ ./config/nixos-generators/proxmox-chaosknoten.nix From ecd9fe4adf1c148dab447b3ad175754274687155 Mon Sep 17 00:00:00 2001 From: c6ristian Date: Sun, 17 Nov 2024 21:04:47 +0100 Subject: [PATCH 123/170] fix: use http clone url from forgejo --- flake.lock | 4 ++-- flake.nix | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/flake.lock b/flake.lock index bd78ff82..2d7ddf86 100644 --- a/flake.lock +++ b/flake.lock @@ -9,13 +9,13 @@ "rev": "686a6af22f6696f0c0595c56f463c078550049fc", "revCount": 17, "type": "git", - "url": "https://git.hamburg.ccc.de:CCCHH/infrastructure-authorized-keys.git" + "url": "https://git.hamburg.ccc.de/CCCHH/infrastructure-authorized-keys.git" }, "original": { "ref": "trunk", "rev": "686a6af22f6696f0c0595c56f463c078550049fc", "type": "git", - "url": "https://git.hamburg.ccc.de:CCCHH/infrastructure-authorized-keys.git" + "url": "https://git.hamburg.ccc.de/CCCHH/infrastructure-authorized-keys.git" } }, "nixlib": { diff --git a/flake.nix b/flake.nix index b7424db7..273a82c5 100644 --- a/flake.nix +++ b/flake.nix @@ -22,7 +22,7 @@ }; authorizedKeysRepo = { - url = "git+https://git.hamburg.ccc.de:CCCHH/infrastructure-authorized-keys.git?ref=trunk&rev=686a6af22f6696f0c0595c56f463c078550049fc"; + url = "git+https://git.hamburg.ccc.de/CCCHH/infrastructure-authorized-keys.git?ref=trunk&rev=686a6af22f6696f0c0595c56f463c078550049fc"; flake = false; }; }; From e3c677ea9bcecf541e8e90b9bd27c27ef363c65d Mon Sep 17 00:00:00 2001 
From: jopejoe1 Date: Sun, 17 Nov 2024 21:14:46 +0100 Subject: [PATCH 124/170] fix: use tar file --- flake.lock | 12 ++++-------- flake.nix | 2 +- 2 files changed, 5 insertions(+), 9 deletions(-) diff --git a/flake.lock b/flake.lock index 2d7ddf86..be287b59 100644 --- a/flake.lock +++ b/flake.lock @@ -5,17 +5,13 @@ "locked": { "lastModified": 1731276342, "narHash": "sha256-plTYjM6zPzoBE/dp6EUrk9mCqmab278p8FqBCTX8Grc=", - "ref": "trunk", "rev": "686a6af22f6696f0c0595c56f463c078550049fc", - "revCount": 17, - "type": "git", - "url": "https://git.hamburg.ccc.de/CCCHH/infrastructure-authorized-keys.git" + "type": "tarball", + "url": "https://git.hamburg.ccc.de/api/v1/repos/CCCHH/infrastructure-authorized-keys/archive/686a6af22f6696f0c0595c56f463c078550049fc.tar.gz?rev=686a6af22f6696f0c0595c56f463c078550049fc" }, "original": { - "ref": "trunk", - "rev": "686a6af22f6696f0c0595c56f463c078550049fc", - "type": "git", - "url": "https://git.hamburg.ccc.de/CCCHH/infrastructure-authorized-keys.git" + "type": "tarball", + "url": "https://git.hamburg.ccc.de/CCCHH/infrastructure-authorized-keys/archive/686a6af22f6696f0c0595c56f463c078550049fc.tar.gz" } }, "nixlib": { diff --git a/flake.nix b/flake.nix index 273a82c5..b7b74a43 100644 --- a/flake.nix +++ b/flake.nix @@ -22,7 +22,7 @@ }; authorizedKeysRepo = { - url = "git+https://git.hamburg.ccc.de/CCCHH/infrastructure-authorized-keys.git?ref=trunk&rev=686a6af22f6696f0c0595c56f463c078550049fc"; + url = "https://git.hamburg.ccc.de/CCCHH/infrastructure-authorized-keys/archive/686a6af22f6696f0c0595c56f463c078550049fc.tar.gz"; flake = false; }; }; From c78c27862749e1ff3fe3b288330b4ab395c7be50 Mon Sep 17 00:00:00 2001 From: c6ristian Date: Sun, 17 Nov 2024 22:43:51 +0100 Subject: [PATCH 125/170] Set WOODPECKER_LIMIT_MEM to 6 GB for woodpecker so pipelines don't get killed by OOM. --- config/hosts/woodpecker/woodpecker-server/woodpecker-server.nix | 1 + 1 file changed, 1 insertion(+) 
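Review bot: Switching the `authorizedKeysRepo` input to a tarball URL changes what actually pins the key set: for a `git` input the commit id in `rev` bound the content, but for a tarball the commit hash in the path is just a filename the server chooses, and only the `narHash` recorded in flake.lock verifies what was fetched. Since this input appears to feed the SSH authorized keys of the common users module on every host, flake.lock must stay committed, and any change to this node's `narHash` deserves the same scrutiny as an edit to the key list itself. A comment on the input, e.g. `# Tarball input: content is pinned only by the narHash in flake.lock, not by the commit hash in the URL.`, records that for the next update.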
diff --git a/config/hosts/woodpecker/woodpecker-server/woodpecker-server.nix b/config/hosts/woodpecker/woodpecker-server/woodpecker-server.nix index 2baafc5b..1836b733 100644 --- a/config/hosts/woodpecker/woodpecker-server/woodpecker-server.nix +++ b/config/hosts/woodpecker/woodpecker-server/woodpecker-server.nix @@ -22,6 +22,7 @@ WOODPECKER_DATABASE_DATASOURCE = "postgresql://woodpecker-server@/woodpecker-server?host=/run/postgresql"; WOODPECKER_FORGEJO = "true"; WOODPECKER_FORGEJO_URL = "https://git.hamburg.ccc.de"; + WOODPECKER_LIMIT_MEM = "6442450944"; # 6GB # Set via enviornmentFile: # WOODPECKER_FORGEJO_CLIENT # WOODPECKER_FORGEJO_SECRET From 67ab856b82f90ad45a62018ad8af1482f4162ce3 Mon Sep 17 00:00:00 2001 
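Review bot: The comment on `WOODPECKER_LIMIT_MEM = "6442450944"; # 6GB` should say what the setting does, because the commit message's rationale ("so pipelines don't get killed by OOM") reads backwards: as far as I know this value is the memory cap applied to each pipeline container (0 = unlimited), so it bounds a single job rather than reserving memory for it. If the goal is to stop one runaway job from exhausting the agent host and taking the other pipelines with it, a comment like `# Cap each pipeline container at 6 GiB so a single job cannot exhaust the agent host` states that; if the goal was the opposite, this value will not deliver it. Also, 6442450944 bytes is 6 GiB, not 6 GB.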
From: June Date: Sun, 8 Dec 2024 18:57:36 +0100 Subject: [PATCH 126/170] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'authorizedKeysRepo': 'https://git.hamburg.ccc.de/api/v1/repos/CCCHH/infrastructure-authorized-keys/archive/686a6af22f6696f0c0595c56f463c078550049fc.tar.gz?narHash=sha256-plTYjM6zPzoBE/dp6EUrk9mCqmab278p8FqBCTX8Grc%3D&rev=686a6af22f6696f0c0595c56f463c078550049fc' (2024-11-10) → 'https://git.hamburg.ccc.de/api/v1/repos/CCCHH/infrastructure-authorized-keys/archive/686a6af22f6696f0c0595c56f463c078550049fc.tar.gz?narHash=sha256-plTYjM6zPzoBE/dp6EUrk9mCqmab278p8FqBCTX8Grc%3D' (2024-11-10) • Updated input 'nixos-generators': 'github:nix-community/nixos-generators/06ffce1a8d95e95c06a4bcfa117dd960b14a7101?narHash=sha256-kJix8nLyFIJ3EC7VtoXK/85C4ZN2dC5oWoS8%2BErehqI%3D' (2024-11-14) → 'github:nix-community/nixos-generators/8cdaf8885c9c85d9d27b594dbe882406aadfe00e?narHash=sha256-bNXO%2BOGxrOjAxv/Lnyj84tNDicJ/FdLyLJHzOKSzYU8%3D' (2024-12-05) • Updated input 'nixos-generators/nixlib': 'github:nix-community/nixpkgs.lib/e04234d263750db01c78a412690363dc2226e68a?narHash=sha256-qDaAweJjdFbVExqs8aG27urUgcgKufkIngHW3Rzustg%3D' (2024-11-10) → 'github:nix-community/nixpkgs.lib/0e4fdd4a0ab733276b6d2274ff84ae353f17129e?narHash=sha256-qiyO0GrTvbp869U4VGX5GhAZ00fSiPXszvosY1AgKQ8%3D' (2024-12-01) • Updated input 'nixos-generators/nixpkgs': 'github:NixOS/nixpkgs/aebe249544837ce42588aa4b2e7972222ba12e8f?narHash=sha256-vmLS8%2Bx%2BgHRv1yzj3n%2BGTAEObwmhxmkkukB2DwtJRdU%3D' (2024-11-10) → 'github:NixOS/nixpkgs/2c15aa59df0017ca140d9ba302412298ab4bf22a?narHash=sha256-9hbb1rqGelllb4kVUCZ307G2k3/UhmA8PPGBoyuWaSw%3D' (2024-12-02) • Updated input 'nixpkgs': 'github:nixos/nixpkgs/bf6132dc791dbdff8b6894c3a85eb27ad8255682?narHash=sha256-aNc8irVBH7sM5cGDvqdOueg8S%2BfGakf0rEMRGfGwWZw%3D' (2024-11-17) → 
'github:nixos/nixpkgs/65d98ad2a50103eee5f72335bf69b7bae9d92612?narHash=sha256-t9/YFvqti1dE/tqeTunf8LGgjlwS6iSE8xl5KV/zcII%3D' (2024-12-08) • Updated input 'sops-nix': 'github:Mic92/sops-nix/472741cf3fee089241ac9ea705bb2b9e0bfa2978?narHash=sha256-NVUTFxKrJp/hjehlF1IvkPnlRYg/O9HFVutbxOM8zNM%3D' (2024-11-17) → 'github:Mic92/sops-nix/c6134b6fff6bda95a1ac872a2a9d5f32e3c37856?narHash=sha256-m6/qwJAJYcidGMEdLqjKzRIjapK4nUfMq7rDCTmZajc%3D' (2024-12-02) --- flake.lock | 32 ++++++++++++++++---------------- 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/flake.lock b/flake.lock index be287b59..9037a608 100644 --- a/flake.lock +++ b/flake.lock @@ -7,7 +7,7 @@ "narHash": "sha256-plTYjM6zPzoBE/dp6EUrk9mCqmab278p8FqBCTX8Grc=", "rev": "686a6af22f6696f0c0595c56f463c078550049fc", "type": "tarball", - "url": "https://git.hamburg.ccc.de/api/v1/repos/CCCHH/infrastructure-authorized-keys/archive/686a6af22f6696f0c0595c56f463c078550049fc.tar.gz?rev=686a6af22f6696f0c0595c56f463c078550049fc" + "url": "https://git.hamburg.ccc.de/api/v1/repos/CCCHH/infrastructure-authorized-keys/archive/686a6af22f6696f0c0595c56f463c078550049fc.tar.gz" }, "original": { "type": "tarball", @@ -16,11 +16,11 @@ }, "nixlib": { "locked": { - "lastModified": 1731200463, - "narHash": "sha256-qDaAweJjdFbVExqs8aG27urUgcgKufkIngHW3Rzustg=", + "lastModified": 1733015484, + "narHash": "sha256-qiyO0GrTvbp869U4VGX5GhAZ00fSiPXszvosY1AgKQ8=", "owner": "nix-community", "repo": "nixpkgs.lib", - "rev": "e04234d263750db01c78a412690363dc2226e68a", + "rev": "0e4fdd4a0ab733276b6d2274ff84ae353f17129e", "type": "github" }, "original": { 
@@ -35,11 +35,11 @@ "nixpkgs": "nixpkgs" }, "locked": { - "lastModified": 1731546190, - "narHash": "sha256-kJix8nLyFIJ3EC7VtoXK/85C4ZN2dC5oWoS8+ErehqI=", + "lastModified": 1733360821, + "narHash": "sha256-bNXO+OGxrOjAxv/Lnyj84tNDicJ/FdLyLJHzOKSzYU8=", "owner": "nix-community", "repo": "nixos-generators", - "rev": "06ffce1a8d95e95c06a4bcfa117dd960b14a7101", + "rev": "8cdaf8885c9c85d9d27b594dbe882406aadfe00e", "type": "github" }, "original": { @@ -50,11 +50,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1731245184, - "narHash": "sha256-vmLS8+x+gHRv1yzj3n+GTAEObwmhxmkkukB2DwtJRdU=", + "lastModified": 1733097829, + "narHash": "sha256-9hbb1rqGelllb4kVUCZ307G2k3/UhmA8PPGBoyuWaSw=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "aebe249544837ce42588aa4b2e7972222ba12e8f", + "rev": "2c15aa59df0017ca140d9ba302412298ab4bf22a", "type": "github" }, "original": { @@ -66,11 +66,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1731842749, - "narHash": "sha256-aNc8irVBH7sM5cGDvqdOueg8S+fGakf0rEMRGfGwWZw=", + "lastModified": 1733647408, + "narHash": "sha256-t9/YFvqti1dE/tqeTunf8LGgjlwS6iSE8xl5KV/zcII=", "owner": "nixos", "repo": "nixpkgs", - "rev": "bf6132dc791dbdff8b6894c3a85eb27ad8255682", + "rev": "65d98ad2a50103eee5f72335bf69b7bae9d92612", "type": "github" }, "original": { @@ -95,11 +95,11 @@ ] }, "locked": { - "lastModified": 1731862312, - "narHash": "sha256-NVUTFxKrJp/hjehlF1IvkPnlRYg/O9HFVutbxOM8zNM=", + "lastModified": 1733128155, + "narHash": "sha256-m6/qwJAJYcidGMEdLqjKzRIjapK4nUfMq7rDCTmZajc=", "owner": "Mic92", "repo": "sops-nix", - "rev": "472741cf3fee089241ac9ea705bb2b9e0bfa2978", + "rev": "c6134b6fff6bda95a1ac872a2a9d5f32e3c37856", "type": "github" }, "original": { From a039b3febf08f37f26fa590e8e0ada1c33e26850 Mon Sep 17 00:00:00 2001 
From: June Date: Sun, 8 Dec 2024 22:21:15 +0100 Subject: [PATCH 127/170] update nixpkgs to 24.11 (small) Also use non-lts forgejo and adjust config for 24.11. --- config/hosts/git/forgejo.nix | 10 ++++++++-- flake.lock | 8 ++++---- flake.nix | 2 +- 3 files changed, 13 insertions(+), 7 deletions(-) diff --git a/config/hosts/git/forgejo.nix b/config/hosts/git/forgejo.nix index a57a37f6..665815d1 100644 --- a/config/hosts/git/forgejo.nix +++ b/config/hosts/git/forgejo.nix @@ -7,13 +7,19 @@ # - https://codeberg.org/forgejo/forgejo/src/branch/forgejo/docs/content/administration/reverse-proxies.en-us.md # - https://forgejo.org/docs/latest/admin/email-setup/ -{ pkgs-unstable, ... }: +{ pkgs, ... }: { services.forgejo = { enable = true; + package = pkgs.forgejo; database.type = "postgres"; - mailerPasswordFile = "/run/secrets/forgejo_git_smtp_password"; + + secrets = { + mailer = { + PASSWD = "/run/secrets/forgejo_git_smtp_password"; + }; + }; settings = { DEFAULT = { diff --git a/flake.lock b/flake.lock index 9037a608..f6666c87 100644 --- a/flake.lock +++ b/flake.lock @@ -66,16 +66,16 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1733647408, - "narHash": "sha256-t9/YFvqti1dE/tqeTunf8LGgjlwS6iSE8xl5KV/zcII=", + "lastModified": 1733642008, + "narHash": "sha256-ijS1XixgnF1UW1wnsO5J7rw5li0n6SZCBQWCYSfJwXw=", "owner": "nixos", "repo": "nixpkgs", - "rev": "65d98ad2a50103eee5f72335bf69b7bae9d92612", + "rev": "5e7591e5e8c8cddc1e9c7cad01033e6c2d560cd0", "type": "github" }, "original": { "owner": "nixos", - "ref": "nixos-24.05-small", + "ref": "nixos-24.11-small", "repo": "nixpkgs", "type": "github" } diff --git a/flake.nix b/flake.nix index b7b74a43..9e668039 100644 --- a/flake.nix +++ b/flake.nix 
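Review bot: `package = pkgs.forgejo;` is the deliberate choice the commit message calls "non-lts forgejo", but the file says nothing about it, so the next reader cannot distinguish it from an accidental override of the module default. A comment such as `# Deliberately the rolling (non-LTS) release; remove this line to fall back to the module default.` keeps the decision with the code. Separately, the old side still destructured `pkgs-unstable`, which patch 120 earlier in this series removed from the flake, so this module appears to have been unevaluable between those commits; the new `secrets.mailer.PASSWD` path keeps the SMTP password out of the Nix store, which is the right shape.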
@@ -5,7 +5,7 @@ # Use the NixOS small channels for nixpkgs. # https://nixos.org/manual/nixos/stable/#sec-upgrading # https://github.com/NixOS/nixpkgs - nixpkgs.url = "github:nixos/nixpkgs/nixos-24.05-small"; + nixpkgs.url = "github:nixos/nixpkgs/nixos-24.11-small"; # Add nixos-generators as an input. # See here: https://github.com/nix-community/nixos-generators#using-in-a-flake From 8764841759382651691620c7c4ba607e02036b98 Mon Sep 17 00:00:00 2001 From: jopejoe1 Date: Mon, 9 Dec 2024 21:21:17 +0100 Subject: [PATCH 128/170] shairport-sync: use airplay2 variant instead of custome overlay --- flake.nix | 11 ----------- modules/services/audio/shairport-sync.nix | 1 + 2 files changed, 1 insertion(+), 11 deletions(-) diff --git a/flake.nix b/flake.nix index 9e668039..dd85023c 100644 --- a/flake.nix +++ b/flake.nix @@ -35,15 +35,6 @@ system = "x86_64-linux"; in { - overlays = { - shairportSyncAirplay2 = final: prev: { - shairport-sync = (prev.shairport-sync.override { enableMetadata = true; enableAirplay2 = true; }).overrideAttrs (finalAttr: previousAttr: { - # See: https://github.com/mikebrady/shairport-sync/blob/e78a88b64adfe7b5f88fd6faedf55c57445bb240/CONFIGURATION%20FLAGS.md - configureFlags = previousAttr.configureFlags ++ [ "--with-mqtt-client" ]; - buildInputs = previousAttr.buildInputs ++ [ final.mosquitto ]; - }); - }; - }; nixosModules = { common = ./config/common; proxmox-vm = ./config/proxmox-vm; @@ -55,7 +46,6 @@ modules = [ self.nixosModules.common self.nixosModules.proxmox-vm - { nixpkgs.overlays = [ self.overlays.shairportSyncAirplay2 ]; } ./config/hosts/audio-hauptraum-kueche ]; }; @@ -65,7 +55,6 @@ modules = [ self.nixosModules.common self.nixosModules.proxmox-vm - { nixpkgs.overlays = [ self.overlays.shairportSyncAirplay2 ]; } ./config/hosts/audio-hauptraum-tafel ]; }; diff --git a/modules/services/audio/shairport-sync.nix b/modules/services/audio/shairport-sync.nix index cbc58e79..43d12853 100644 --- a/modules/services/audio/shairport-sync.nix 
+++ b/modules/services/audio/shairport-sync.nix @@ -17,6 +17,7 @@ in config = mkIf cfg.enable { services.shairport-sync = { enable = true; + package = pkgs.shairport-sync-airplay2; arguments = "-o pw -v"; }; From fa9c8e7ac1edfb47979cc7722c95ebf8243ff1d1 Mon Sep 17 00:00:00 2001 
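Review bot: The overlay this commit removes from flake.nix built shairport-sync with `enableMetadata = true`, `--with-mqtt-client` and mosquitto as a build input, whereas the new `package = pkgs.shairport-sync-airplay2;` line only guarantees the AirPlay 2 build. As far as this diff shows, nothing re-enables the metadata or MQTT output, so any consumer of that output would silently lose it; confirm the variant's build options, or keep an override for them, before relying on it. The enclosing `config = mkIf cfg.enable` block starts before this hunk.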
From: c6ristian Date: Mon, 16 Dec 2024 22:50:00 +0100 Subject: [PATCH 129/170] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'authorizedKeysRepo': 'https://git.hamburg.ccc.de/api/v1/repos/CCCHH/infrastructure-authorized-keys/archive/686a6af22f6696f0c0595c56f463c078550049fc.tar.gz?narHash=sha256-plTYjM6zPzoBE/dp6EUrk9mCqmab278p8FqBCTX8Grc%3D' (2024-11-10) → 'https://git.hamburg.ccc.de/api/v1/repos/CCCHH/infrastructure-authorized-keys/archive/686a6af22f6696f0c0595c56f463c078550049fc.tar.gz?narHash=sha256-plTYjM6zPzoBE/dp6EUrk9mCqmab278p8FqBCTX8Grc%3D&rev=686a6af22f6696f0c0595c56f463c078550049fc' (2024-11-10) • Updated input 'nixos-generators': 'github:nix-community/nixos-generators/8cdaf8885c9c85d9d27b594dbe882406aadfe00e' (2024-12-05) → 'github:nix-community/nixos-generators/a5278f7c326205681f1f42a90fa46a75a13627eb' (2024-12-16) • Updated input 'nixos-generators/nixlib': 'github:nix-community/nixpkgs.lib/0e4fdd4a0ab733276b6d2274ff84ae353f17129e' (2024-12-01) → 'github:nix-community/nixpkgs.lib/538697b664a64fade8ce628d01f35d1f1fd82d77' (2024-12-15) • Updated input 'nixos-generators/nixpkgs': 'github:NixOS/nixpkgs/2c15aa59df0017ca140d9ba302412298ab4bf22a' (2024-12-02) → 'github:NixOS/nixpkgs/71a6392e367b08525ee710a93af2e80083b5b3e2' (2024-12-13) • Updated input 'nixpkgs': 'github:nixos/nixpkgs/5e7591e5e8c8cddc1e9c7cad01033e6c2d560cd0' (2024-12-08) → 'github:nixos/nixpkgs/eb919d9300b6a18f8583f58aef16db458fbd7bec' (2024-12-15) • Updated input 'sops-nix': 'github:Mic92/sops-nix/c6134b6fff6bda95a1ac872a2a9d5f32e3c37856' (2024-12-02) → 'github:Mic92/sops-nix/2d73fc6ac4eba4b9a83d3cb8275096fbb7ab4004' (2024-12-12) --- flake.lock | 32 ++++++++++++++++---------------- 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/flake.lock b/flake.lock index f6666c87..18512ce4 100644 --- a/flake.lock +++ b/flake.lock 
@@ -7,7 +7,7 @@ "narHash": "sha256-plTYjM6zPzoBE/dp6EUrk9mCqmab278p8FqBCTX8Grc=", "rev": "686a6af22f6696f0c0595c56f463c078550049fc", "type": "tarball", - "url": "https://git.hamburg.ccc.de/api/v1/repos/CCCHH/infrastructure-authorized-keys/archive/686a6af22f6696f0c0595c56f463c078550049fc.tar.gz" + "url": "https://git.hamburg.ccc.de/api/v1/repos/CCCHH/infrastructure-authorized-keys/archive/686a6af22f6696f0c0595c56f463c078550049fc.tar.gz?rev=686a6af22f6696f0c0595c56f463c078550049fc" }, "original": { "type": "tarball", @@ -16,11 +16,11 @@ }, "nixlib": { "locked": { - "lastModified": 1733015484, - "narHash": "sha256-qiyO0GrTvbp869U4VGX5GhAZ00fSiPXszvosY1AgKQ8=", + "lastModified": 1734224914, + "narHash": "sha256-hKWALzQ/RxxXdKWsLKXULru6XTag9Cc5exgVyS4a/AE=", "owner": "nix-community", "repo": "nixpkgs.lib", - "rev": "0e4fdd4a0ab733276b6d2274ff84ae353f17129e", + "rev": "538697b664a64fade8ce628d01f35d1f1fd82d77", "type": "github" }, "original": { @@ -35,11 +35,11 @@ "nixpkgs": "nixpkgs" }, "locked": { - "lastModified": 1733360821, - "narHash": "sha256-bNXO+OGxrOjAxv/Lnyj84tNDicJ/FdLyLJHzOKSzYU8=", + "lastModified": 1734311693, + "narHash": "sha256-ODRrnbaUsOe3e4kp+uHl+iJxey5zE3kqiBqJWQxrlnY=", "owner": "nix-community", "repo": "nixos-generators", - "rev": "8cdaf8885c9c85d9d27b594dbe882406aadfe00e", + "rev": "a5278f7c326205681f1f42a90fa46a75a13627eb", "type": "github" }, "original": { @@ -50,11 +50,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1733097829, - "narHash": "sha256-9hbb1rqGelllb4kVUCZ307G2k3/UhmA8PPGBoyuWaSw=", + "lastModified": 1734126203, + "narHash": "sha256-0XovF7BYP50rTD2v4r55tR5MuBLet7q4xIz6Rgh3BBU=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "2c15aa59df0017ca140d9ba302412298ab4bf22a", + "rev": "71a6392e367b08525ee710a93af2e80083b5b3e2", "type": "github" }, "original": { 
@@ -66,11 +66,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1733642008, - "narHash": "sha256-ijS1XixgnF1UW1wnsO5J7rw5li0n6SZCBQWCYSfJwXw=", + "lastModified": 1734298236, + "narHash": "sha256-aWhhqY44xBjMoO9r5fyPp5u8tqUNWRZ/m/P+abMSs5c=", "owner": "nixos", "repo": "nixpkgs", - "rev": "5e7591e5e8c8cddc1e9c7cad01033e6c2d560cd0", + "rev": "eb919d9300b6a18f8583f58aef16db458fbd7bec", "type": "github" }, "original": { @@ -95,11 +95,11 @@ ] }, "locked": { - "lastModified": 1733128155, - "narHash": "sha256-m6/qwJAJYcidGMEdLqjKzRIjapK4nUfMq7rDCTmZajc=", + "lastModified": 1733965552, + "narHash": "sha256-GZ4YtqkfyTjJFVCub5yAFWsHknG1nS/zfk7MuHht4Fs=", "owner": "Mic92", "repo": "sops-nix", - "rev": "c6134b6fff6bda95a1ac872a2a9d5f32e3c37856", + "rev": "2d73fc6ac4eba4b9a83d3cb8275096fbb7ab4004", "type": "github" }, "original": { From d36ff73123b6cad8b07e5fc83cf619f1c57a7316 Mon Sep 17 00:00:00 2001 
From: c6ristian Date: Thu, 9 Jan 2025 21:44:31 +0100 Subject: [PATCH 130/170] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nixos-generators': 'github:nix-community/nixos-generators/a5278f7c326205681f1f42a90fa46a75a13627eb' (2024-12-16) → 'github:nix-community/nixos-generators/051d1b2dda3b2e81b38d82e2b691e5c2f4d335f4' (2024-12-23) • Updated input 'nixos-generators/nixlib': 'github:nix-community/nixpkgs.lib/538697b664a64fade8ce628d01f35d1f1fd82d77' (2024-12-15) → 'github:nix-community/nixpkgs.lib/0a31e8d833173ae63e43fd9dbff1ccf09c4f778c' (2024-12-22) • Updated input 'nixos-generators/nixpkgs': 'github:NixOS/nixpkgs/71a6392e367b08525ee710a93af2e80083b5b3e2' (2024-12-13) → 'github:NixOS/nixpkgs/4989a246d7a390a859852baddb1013f825435cee' (2024-12-17) • Updated input 'nixpkgs': 'github:nixos/nixpkgs/eb919d9300b6a18f8583f58aef16db458fbd7bec' (2024-12-15) → 'github:nixos/nixpkgs/530de2c83360057c1650fb8a37ef48cb9ad8f6a6' (2025-01-09) • Updated input 'sops-nix': 'github:Mic92/sops-nix/2d73fc6ac4eba4b9a83d3cb8275096fbb7ab4004' (2024-12-12) → 'github:Mic92/sops-nix/c9c88f08e3ee495e888b8d7c8624a0b2519cb773' (2025-01-06) --- flake.lock | 30 +++++++++++++++--------------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/flake.lock b/flake.lock index 18512ce4..4625fa30 100644 --- a/flake.lock +++ b/flake.lock @@ -16,11 +16,11 @@ }, "nixlib": { "locked": { - "lastModified": 1734224914, - "narHash": "sha256-hKWALzQ/RxxXdKWsLKXULru6XTag9Cc5exgVyS4a/AE=", + "lastModified": 1734829460, + "narHash": "sha256-dPhc+f2wkmhMqMIfq+hColJdysgVxKP9ilZ5bR0NRZI=", "owner": "nix-community", "repo": "nixpkgs.lib", - "rev": "538697b664a64fade8ce628d01f35d1f1fd82d77", + "rev": "0a31e8d833173ae63e43fd9dbff1ccf09c4f778c", "type": "github" }, "original": { 
@@ -35,11 +35,11 @@ "nixpkgs": "nixpkgs" }, "locked": { - "lastModified": 1734311693, - "narHash": "sha256-ODRrnbaUsOe3e4kp+uHl+iJxey5zE3kqiBqJWQxrlnY=", + "lastModified": 1734915500, + "narHash": "sha256-A7CTIQ8SW0hfbhKlwK+vSsu4pD+Oaelw3v6goX6go+U=", "owner": "nix-community", "repo": "nixos-generators", - "rev": "a5278f7c326205681f1f42a90fa46a75a13627eb", + "rev": "051d1b2dda3b2e81b38d82e2b691e5c2f4d335f4", "type": "github" }, "original": { @@ -50,11 +50,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1734126203, - "narHash": "sha256-0XovF7BYP50rTD2v4r55tR5MuBLet7q4xIz6Rgh3BBU=", + "lastModified": 1734435836, + "narHash": "sha256-kMBQ5PRiFLagltK0sH+08aiNt3zGERC2297iB6vrvlU=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "71a6392e367b08525ee710a93af2e80083b5b3e2", + "rev": "4989a246d7a390a859852baddb1013f825435cee", "type": "github" }, "original": { @@ -66,11 +66,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1734298236, - "narHash": "sha256-aWhhqY44xBjMoO9r5fyPp5u8tqUNWRZ/m/P+abMSs5c=", + "lastModified": 1736408508, + "narHash": "sha256-WIGZ3DPw5H+SPszUXVacK+KTh3sJZShP1vGtDwhquNM=", "owner": "nixos", "repo": "nixpkgs", - "rev": "eb919d9300b6a18f8583f58aef16db458fbd7bec", + "rev": "530de2c83360057c1650fb8a37ef48cb9ad8f6a6", "type": "github" }, "original": { @@ -95,11 +95,11 @@ ] }, "locked": { - "lastModified": 1733965552, - "narHash": "sha256-GZ4YtqkfyTjJFVCub5yAFWsHknG1nS/zfk7MuHht4Fs=", + "lastModified": 1736203741, + "narHash": "sha256-eSjkBwBdQk+TZWFlLbclF2rAh4JxbGg8az4w/Lfe7f4=", "owner": "Mic92", "repo": "sops-nix", - "rev": "2d73fc6ac4eba4b9a83d3cb8275096fbb7ab4004", + "rev": "c9c88f08e3ee495e888b8d7c8624a0b2519cb773", "type": "github" }, "original": { From 5676b1a4680dbe706686f38902f5607ec33330ff Mon Sep 17 00:00:00 2001 
From: June Date: Tue, 14 Jan 2025 20:49:14 +0100 Subject: [PATCH 131/170] netbox: configure and patch NetBox for OIDC group and role mapping The custom pipeline code is licensed under the Creative Commons: CC BY-SA 4.0 license. See: https://github.com/goauthentik/authentik/blob/main/LICENSE https://github.com/goauthentik/authentik/blob/main/website/integrations/services/netbox/index.md https://docs.goauthentik.io/integrations/services/netbox/ --- README.md | 3 +- config/hosts/netbox/netbox.nix | 21 ++++++- flake.nix | 8 +++ ...oup_and_role_mapping_custom_pipeline.patch | 61 +++++++++++++++++++ 4 files changed, 91 insertions(+), 2 deletions(-) create mode 100644 patches/0001_oidc_group_and_role_mapping_custom_pipeline.patch diff --git a/README.md b/README.md index 186f14af..def4e603 100644 --- a/README.md +++ b/README.md @@ -76,4 +76,5 @@ nix build .#proxmox-chaosknoten-nixos-template ## License -This CCCHH nix-infra repository is licensed under the [MIT License](./LICENSE). +This CCCHH nix-infra repository is licensed under the [MIT License](./LICENSE). +[`0001_oidc_group_and_role_mapping_custom_pipeline.patch`](patches/0001_oidc_group_and_role_mapping_custom_pipeline.patch) is licensed under the Creative Commons: CC BY-SA 4.0 license. diff --git a/config/hosts/netbox/netbox.nix b/config/hosts/netbox/netbox.nix index e0f2df94..f816016c 100644 --- a/config/hosts/netbox/netbox.nix +++ b/config/hosts/netbox/netbox.nix @@ -9,7 +9,8 @@ { services.netbox = { enable = true; - package = pkgs.netbox; + # Explicitly use the patched NetBox package. + package = pkgs.netbox_4_1; secretKeyFile = "/run/secrets/netbox_secret_key"; keycloakClientSecret = "/run/secrets/netbox_keycloak_secret"; settings = { 
@@ -24,6 +25,24 @@ SOCIAL_AUTH_KEYCLOAK_PUBLIC_KEY = "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAi/Shi+b2OyYNGVFPsa6qf9SesEpRl5U5rpwgmt8H7NawMvwpPUYVW9o46QW0ulYcDmysT3BzpP3tagO/SFNoOjZdYe0D9nJ7vEp8KHbzR09KCfkyQIi0wLssKnDotVHL5JeUY+iKk+gjiwF9FSFSHPBqsST7hXVAut9LkOvs2aDod9AzbTH/uYbt4wfUm5l/1Ii8D+K7YcsFGUIqxv4XS/ylKqObqN4M2dac69iIwapoh6reaBQEm66vrOzJ+3yi4DZuPrkShJqi2hddtoyZihyCkF+eJJKEI5LrBf1KZB3Ec2YUrqk93ZGUGs/XY6R87QSfR3hJ82B1wnF+c2pw+QIDAQAB"; SOCIAL_AUTH_KEYCLOAK_AUTHORIZATION_URL = "https://id.hamburg.ccc.de/realms/ccchh/protocol/openid-connect/auth"; SOCIAL_AUTH_KEYCLOAK_ACCESS_TOKEN_URL = "https://id.hamburg.ccc.de/realms/ccchh/protocol/openid-connect/token"; + SOCIAL_AUTH_PIPELINE = [ + # The default pipeline as can be found in: + # /nix/store/q2jsn56bgkj0nkz0j4w48x3klyn2x4gp-netbox-4.1.7/opt/netbox/netbox/netbox/settings.py + "social_core.pipeline.social_auth.social_details" + "social_core.pipeline.social_auth.social_uid" + "social_core.pipeline.social_auth.social_user" + "social_core.pipeline.user.get_username" + "social_core.pipeline.user.create_user" + "social_core.pipeline.social_auth.associate_user" + "netbox.authentication.user_default_groups_handler" + "social_core.pipeline.social_auth.load_extra_data" + "social_core.pipeline.user.user_details" + # Use custom pipeline functions patched in via netbox41OIDCMappingOverlay. + # See: https://docs.goauthentik.io/integrations/services/netbox/ + "netbox.custom_pipeline.add_groups" + "netbox.custom_pipeline.remove_groups" + "netbox.custom_pipeline.set_roles" + ]; }; }; diff --git a/flake.nix b/flake.nix index dd85023c..fb4ed262 100644 --- a/flake.nix +++ b/flake.nix 
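Review bot: The comment above the default entries of `SOCIAL_AUTH_PIPELINE` cites a concrete `/nix/store/...-netbox-4.1.7/...settings.py` path, which changes with every rebuild and is meaningless outside this host; reference the upstream file instead, e.g. `# The default pipeline as found in netbox/netbox/settings.py of NetBox 4.1.7.`. The list also runs `netbox.authentication.user_default_groups_handler` before `netbox.custom_pipeline.remove_groups`; if that handler assigns groups that are not present in the token, `remove_groups` will strip them again on every login, so either that precedence deserves a comment or the handler should follow the custom steps. The enclosing `settings` attribute set starts before this hunk.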
@@ -40,6 +40,13 @@ proxmox-vm = ./config/proxmox-vm; prometheus-exporter = ./config/extra/prometheus-exporter.nix; }; + overlays = { + netbox41OIDCMappingOverlay = final: prev: { + netbox_4_1 = prev.netbox_4_1.overrideAttrs (finalAttr: previousAttr: { + patches = previousAttr.patches ++ [ ./patches/0001_oidc_group_and_role_mapping_custom_pipeline.patch ]; + }); + }; + }; nixosConfigurations = { audio-hauptraum-kueche = nixpkgs.lib.nixosSystem { inherit system specialArgs; @@ -85,6 +92,7 @@ sops-nix.nixosModules.sops self.nixosModules.prometheus-exporter ./config/hosts/netbox + { nixpkgs.overlays = [ self.overlays.netbox41OIDCMappingOverlay ]; } ]; }; diff --git a/patches/0001_oidc_group_and_role_mapping_custom_pipeline.patch b/patches/0001_oidc_group_and_role_mapping_custom_pipeline.patch new file mode 100644 index 00000000..89f805a7 --- /dev/null +++ b/patches/0001_oidc_group_and_role_mapping_custom_pipeline.patch 
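Review bot: `previousAttr.patches ++ [ ... ]` in `netbox41OIDCMappingOverlay` evaluates only if the `netbox_4_1` derivation already defines a `patches` attribute; `(previousAttr.patches or [ ]) ++ [ ./patches/0001_oidc_group_and_role_mapping_custom_pipeline.patch ]` keeps the overlay working either way. The overlay is applied only to the netbox host in the second hunk, so `pkgs.netbox_4_1` on every other host stays unpatched; a one-line comment next to the overlay saying so would help the next maintainer. The enclosing `outputs` attribute set starts before this hunk.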
@@ -0,0 +1,61 @@
+diff --git a/netbox/netbox/custom_pipeline.py b/netbox/netbox/custom_pipeline.py
+new file mode 100644
+index 000000000..470f388dc
+--- /dev/null
++++ b/netbox/netbox/custom_pipeline.py
+@@ -0,0 +1,55 @@
++# Licensed under Creative Commons: CC BY-SA 4.0 license.
++# https://github.com/goauthentik/authentik/blob/main/LICENSE
++# https://github.com/goauthentik/authentik/blob/main/website/integrations/services/netbox/index.md
++# https://docs.goauthentik.io/integrations/services/netbox/
++from netbox.authentication import Group
++
++class AuthFailed(Exception):
++ pass
++
++def add_groups(response, user, backend, *args, **kwargs):
++ try:
++ groups = response['groups']
++ except KeyError:
++ pass
++
++ # Add all groups from oAuth token
++ for group in groups:
++ group, created = Group.objects.get_or_create(name=group)
++ user.groups.add(group)
++
++def remove_groups(response, user, backend, *args, **kwargs):
++ try:
++ groups = response['groups']
++ except KeyError:
++ # Remove all groups if no groups in oAuth token
++ user.groups.clear()
++ pass
++
++ # Get all groups of user
++ user_groups = [item.name for item in user.groups.all()]
++ # Get groups of user which are not part of oAuth token
++ delete_groups = list(set(user_groups) - set(groups))
++
++ # Delete non oAuth token groups
++ for delete_group in delete_groups:
++ group = Group.objects.get(name=delete_group)
++ user.groups.remove(group)
++
++
++def set_roles(response, user, backend, *args, **kwargs):
++ # Remove Roles temporary
++ user.is_superuser = False
++ user.is_staff = False
++ try:
++ groups = response['groups']
++ except KeyError:
++ # When no groups are set
++ # save the user without Roles
++ user.save()
++ pass
++
++ # Set roles is role (superuser or staff) is in groups
++ user.is_superuser = True if 'superusers' in groups else False
++ user.is_staff = True if 'staff' in groups else False
++ user.save()
From f5bc9024b1036fd3591e759f4bd8ee4d62e27572 Mon Sep 17 00:00:00 2001 
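Review bot: In `add_groups`, `remove_groups` and `set_roles` the `except KeyError:` branch ends in `pass`, so when the token carries no `groups` claim execution falls through to the next statement that reads `groups` and raises UnboundLocalError instead of taking the documented "no groups" path; each `pass` should be `return` (after `user.groups.clear()` in remove_groups and after `user.save()` in set_roles). Because `set_roles` is the only place that grants `is_superuser` and `is_staff`, the group names `superusers` and `staff` are effectively privilege tokens, and a comment at the top of the file stating that the identity provider must control who can carry these group names would help the next maintainer. `AuthFailed` is defined but never raised, and the loop in `add_groups` rebinds `group` from the claim string to the Group object, which is worth renaming for readability. The pipeline functions are vendored under CC BY-SA as noted in the header, so these fixes should be carried in this patch file rather than expected upstream.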
From: June Date: Tue, 14 Jan 2025 21:06:26 +0100 Subject: [PATCH 132/170] audio-hauptraum-*: move audio VMs to client network Do this per request to hopefully improve mDNS discovery. --- config/hosts/audio-hauptraum-kueche/networking.nix | 6 +++--- config/hosts/audio-hauptraum-tafel/networking.nix | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/config/hosts/audio-hauptraum-kueche/networking.nix b/config/hosts/audio-hauptraum-kueche/networking.nix index 0118db4c..6e1e7d87 100644 --- a/config/hosts/audio-hauptraum-kueche/networking.nix +++ b/config/hosts/audio-hauptraum-kueche/networking.nix @@ -5,13 +5,13 @@ interfaces.net0 = { ipv4.addresses = [ { - address = "10.31.210.10"; + address = "172.31.200.14"; prefixLength = 23; } ]; }; - defaultGateway = "10.31.210.1"; - nameservers = [ "10.31.210.1" ]; + defaultGateway = "172.31.200.1"; + nameservers = [ "172.31.200.1" ]; }; systemd.network.links."10-net0" = { diff --git a/config/hosts/audio-hauptraum-tafel/networking.nix b/config/hosts/audio-hauptraum-tafel/networking.nix index 37185b7c..e357d38f 100644 --- a/config/hosts/audio-hauptraum-tafel/networking.nix +++ b/config/hosts/audio-hauptraum-tafel/networking.nix @@ -5,13 +5,13 @@ interfaces.net0 = { ipv4.addresses = [ { - address = "10.31.210.13"; + address = "172.31.200.15"; prefixLength = 23; } ]; }; - defaultGateway = "10.31.210.1"; - nameservers = [ "10.31.210.1" ]; + defaultGateway = "172.31.200.1"; + nameservers = [ "172.31.200.1" ]; }; systemd.network.links."10-net0" = { From d55438f104683955be6f81e9a521a32347c48b5a Mon Sep 17 00:00:00 2001 From: June Date: Sun, 19 Jan 2025 20:28:05 +0100 Subject: [PATCH 133/170] public-web-static: remove irc from spaceapi response as it's deprecated --- .../hosts/public-web-static/spaceapid-config/ccchh-response.json | 1 - 1 file changed, 1 deletion(-) 
diff --git a/config/hosts/public-web-static/spaceapid-config/ccchh-response.json b/config/hosts/public-web-static/spaceapid-config/ccchh-response.json index 9a5793e2..b49b2da7 100644 --- a/config/hosts/public-web-static/spaceapid-config/ccchh-response.json +++ b/config/hosts/public-web-static/spaceapid-config/ccchh-response.json @@ -14,7 +14,6 @@ }, "contact": { "phone": "+49 40 23830150", - "irc": "ircs://irc.hackint.org:6697/#ccchh", "mastodon": "@ccchh@chaos.social", "email": "mail@hamburg.ccc.de", "ml": "talk@hamburg.ccc.de", From 2904ebee158b1c3f447dea79417f2635dbd5a4e5 Mon Sep 17 00:00:00 2001 From: echtnurich Date: Sat, 8 Jun 2024 22:18:23 +0200 Subject: [PATCH 134/170] add yate service for autostart introduce /etc/yate, clone/reset on service start Fix config via git make yate systemd service create yate service user recreate the full config everytime decolour the log because of blob data make sure source is available before deleting config change yate-config repo fix yate deploy key fix yate-config not pulling --- .sops.yaml | 17 ++ config/hosts/yate/configuration.nix | 2 + config/hosts/yate/default.nix | 1 + config/hosts/yate/secrets.yaml | 233 ++++++++++++++++++++++++++++ config/hosts/yate/service.nix | 39 ++++- config/hosts/yate/sops.nix | 7 + config/hosts/yate/yate.nix | 15 ++ flake.nix | 1 + 8 files changed, 309 insertions(+), 6 deletions(-) create mode 100644 config/hosts/yate/secrets.yaml create mode 100644 config/hosts/yate/sops.nix diff --git a/.sops.yaml b/.sops.yaml index ec660ecd..dedf3c12 100644 --- a/.sops.yaml +++ b/.sops.yaml 
@@ -15,6 +15,7 @@ keys: - &host_age_matrix age1f7ams0n2zy994pzt0u30h8tex6xdcernj59t4d70z4kjsyzrr3wsy87xzk - &host_age_netbox age13fqs76z2vl5l84dvmmlqjj5xkfsfe85xls8uueul7re9j3ksjs0sw2xc9e - &host_age_public_web_static age19s7r8sf7j6zk24x9vumawgxpd2q8epyv7p9qsjntw7v9s3v045mqhmsfp0 + - &host_age_yate age1kxzl00cfa5v926cvtcp0l3fncwh6fgmk8jvpf4swkl4vh3hv9e5qyqsrnt - &host_age_mjolnir age1ej52kwuj8xraxdq685eejj4dmxpfmpgt4d8jka98rtpal6xcueqq9a6wae - &host_age_woodpecker age1klxtcr23hers0lh4f5zdd53tyrtg0jud35rhydstyjq9fjymf9hsn2a8ch - &host_age_penpot age10ku5rphtsf2lcxg78za7f2dad5cx5x9urgkce0d7tyqwq2enva9sqf7g8r @@ -147,6 +148,22 @@ creation_rules: - *admin_gpg_dante age: - *host_age_penpot + - path_regex: config/hosts/yate/.* + key_groups: + - pgp: + - *admin_gpg_djerun + - *admin_gpg_stb + - *admin_gpg_jtbx + - *admin_gpg_yuri + - *admin_gpg_june + - *admin_gpg_haegar + - *admin_gpg_dario + - *admin_gpg_echtnurich + - *admin_gpg_max + - *admin_gpg_c6ristian + - *admin_gpg_dante + age: + - *host_age_yate - key_groups: - pgp: - *admin_gpg_djerun diff --git a/config/hosts/yate/configuration.nix b/config/hosts/yate/configuration.nix index 6b4bb71d..f350966c 100644 --- a/config/hosts/yate/configuration.nix +++ b/config/hosts/yate/configuration.nix @@ -6,5 +6,7 @@ domain = "z9.ccchh.net"; }; +# users.users.chaos.password = "yes"; + system.stateVersion = "23.11"; } diff --git a/config/hosts/yate/default.nix b/config/hosts/yate/default.nix index 5304abd5..009e1a12 100644 --- a/config/hosts/yate/default.nix +++ b/config/hosts/yate/default.nix @@ -6,5 +6,6 @@ ./networking.nix ./yate.nix ./service.nix + ./sops.nix ]; } diff --git a/config/hosts/yate/secrets.yaml b/config/hosts/yate/secrets.yaml new file mode 100644 index 00000000..6235c175 --- /dev/null +++ b/config/hosts/yate/secrets.yaml 
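Review bot: The added `# users.users.chaos.password = "yes";` in configuration.nix is a commented-out cleartext password for a user account; even disabled it is a debugging leftover that invites being re-enabled, so drop the line from the commit and, if a login for that user is really needed, provision it through `hashedPasswordFile` or a sops-managed secret. The `.sops.yaml` and default.nix hunks on this same line raise nothing.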
@@ -0,0 +1,233 @@ +git_clone_key: ENC[AES256_GCM,data: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,iv:tCo4f5u/y/ZrAfT1N+eUNLy5pKAg/U0xa3cNQmzUgFs=,tag:03HK65hWjYnVzz+7C+HmsA==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1kxzl00cfa5v926cvtcp0l3fncwh6fgmk8jvpf4swkl4vh3hv9e5qyqsrnt + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4Rmg0UXBXcWcyRTV6ZGlP + TDY1RFBVaTlVQnJVV3NnU1ZTeEJzb2xsZXdJCnVFSGF0UjQ1OUpxcVNVb2F4K3Uw + KzZRYWtTaTJFd29zcmJENTRLMmZsUVkKLS0tIEdGaHRaOWFyeTMzSit4WFh1UGVS + bkRxanFoekdaQzZnSkFjNmhwNE1EdkUK5scD+5qe0QJvsgPHTrGQ4KrQLC8EHex1 + xpImRJ0Y0R3e6p/WLwYbF236Ju2Z4f2Zg2Zw9/ErdM1McBJ8ll6yrw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-09-08T18:35:07Z" + mac: ENC[AES256_GCM,data:tyrfhBaTKnp1lqSPfkErk1UFoI7v/1az+zl9g3XoZ5Apo3CRixdLUldM9sYXqQT5WNrgO2NyZHqvyQOnFZiJuNhlYFSQbgwFFm3gz45BV8Do7QAhAG7+Q6q/Gz9VAqePQJlmzbfeL5iqJC2jhrcGIutO2cI22QULLkBzVVDg1/w=,iv:ayLonGC1F3vp6bh4pcAps6BvMzrG/yT2rPGAcUQ1Geg=,tag:1fIaRIFrzDTSP+oIUHABgQ==,type:str] + pgp: + - created_at: "2024-08-05T20:33:02Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAxK/JaB2/SdtAQ/8Dx0hTc0zZkd9+RXuKOXU8ZkKF54lcxfDTMH0rD2bKPhg + do/+I4VOSJxfyTvzFNjVXywSCEsws2+RyS73jF4048o4DrNQNG4P70GqXAqjDbQL + r+WCKT0if85JYPo/ho8nSRumo44BlbN2+Ftc5Z90UshW63VPU4Xm1Woqm8TOvs/0 + cyhsigShwJGymnIEY4PwdT6fd/gkVVaoC9nCrkkSbaQZa1rXHud8+jLK+4TXebKl + Qk2G2cVivWBioT4wGjhZvQ6lLK4mlaqxiZF3aRYcUs1Hwgq1ZolbgiGPWG4xisFa + JgsqYRnmGnTM/33l57Cy8CpVHfprrapUXh2X2Ly/pBRQn+ns2zk1wkpTUHbwmyQi + ETLvw68PXbayoDNunMqZl2RWPjPnotNVeG5i2s+pwaEoDKAWcud2NPUWFb+gyftk + YNxMdp1CpXXOHpU4Ty+HHXAU/uLVVzLT91RLJAn+Y6rRyevg4UBSB/Y+lc5IMTfa + QPPLRPV6/P4LIWDlOdg/S3Q7ZwryNAogU/Hyuuz2xyS8LK7S7M0+BgVBrOkowazy + aGemt/BmQkyPQDpJTPxtdzsK1vvplol7uJnNou1h0krrgHlAzb++3i8+V4Z18dBg + GSeWIdSm+OD1HPDyD1054wEUAgPfRh0TZma+vDirH4RDH0tMubRGOLl17nV+/v7U + ZgEJAhCYgHEjsPDIpUoHopF1vkhxmhv6YqILLzDftbbmDQUqncs/mgnFCJPNnKVJ + 
ldwNj2kuAd2L5VRI0E9k0ZVzg/Aqb8B2wSTiJmQGWI3b0tNfGuC65fe7p8ceJ5vZ + et8Y1DEjVg== + =u7aP + -----END PGP MESSAGE----- + fp: EF643F59E008414882232C78FFA8331EEB7D6B70 + - created_at: "2024-08-05T20:33:02Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA6EyPtWBEI+2ARAAsrHbA58mnccH/oWDgoEqwJx+ZkeSWo6Arc0nMhU/Qh+9 + Nl/pKdKm3LsIwkKTRVGDxI4vFRo42LFZE47nyfa70G7GiM1uJnEOx6vLTN0HpL6S + YQi8Dbb/+WA7QnGDfaEiozGQzsPMAgSVAE3A0rlcLBqQwiGsfhHr1RwEggfXqMG4 + twxWIbKI/8T088b1IFs7fOKxzEB6na7+HoNaG22jlvRY0irMfgti8xeflWmZIKf2 + uY6gM2rCOtCSi8vZEhJiXb5SG1NbyMmVHsz0ZXHwwGsiDACFqISqfR921B0Cuftx + Nj2pIwKbGyOOsFjlbC3ZGUMplLzYpRMx8LetLMrksWSpzypWdeI166gjF4MncUlQ + gl5hM7gL/+6k86yxIqTeexVoU24NRcsYCnQKZAK5T2fxQxX0BXppWxju6Jq1erRU + JZsggrbxELMJfcyrDC1cH/zgAM1kqOi32ZaGiO3U1WA5fxhJPUy5kxoQXSISL7Ng + mrnnMKIWK7eClQb47a/lYWEIqw1UjJhCPmKVHlcSmiH8FATfr5KjHeFlK8Zou5Ji + yMbVS7s2P9MeEzdnNC8PSFwjM9K7qXuWJYvDQtUracfxgO3X0r7Z+5g62WmLVDcp + E26DzDyTrU6Vf6WANOg/V7C7paOasnpcaU62/C65BBtGH23mgEfkJSkBYJWCea7S + XAHLeksa73OaeO28kTspM4G/Nlh65lr2p92gmcpbqkARvw8dIOUrAqPMRjJHabZq + vLbFx/uqXDPfALVXNWKGZp3vObGPLImQ1EfjVCYzOlkXXnfVdE+ih9+HIYhX + =advR + -----END PGP MESSAGE----- + fp: F155144FC925A1BEA1F8A2C59A2A4CD59BFDC5EC + - created_at: "2024-08-05T20:33:02Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAz5uSgHG2iMJAQ//c9NMv/m/qGaJR+2jeu5VAbPwqIfBbrAEiV2s6TlzJRLz + 7yEo9l/wh2WV+1Ew9dM5Pe8cgezjNaXgCeV8EEMu6dzOb1N++3TQJ7ET10DaOVec + ofEwDUYj8UHmV0VmhOPWLpceAod5wk4Xm4rlJTFjQ6TKN8U0dBoGS1cxHWwWw8oa + RebdNmpfSgkj0ohbeD9owxQ7JhqGlOPo1JCz7YI6c6bwQ1wuOC/XqnJt4F5ny8ty + y/qj1m9KrL5nRRc06qxNtmYODMuS+OeScfcI4grX7wMTUrqaFkCVHcboi5ZD6DzE + L49PT51/KK/lOlgKjSDfGgRRj9a9UO+7IXnMG0/5kDzRRBJDBzZH/5rujP8ffz+8 + glxGBiBhsLroHbwn3a4BlDHpnuqCKa/7CmSyfGCNPp0TuMPvCVWf6muXA86wo5fQ + B/qKjvJV15qWJXdKDYyWJAg2B78/dROYbX142R9wPitP8zyj8b3jrzIcoIViAvkl + L3ZnnhqZxzkKcfc2rBsdadBEquz9+oGj6rKARyhFkT92in6zZO19fBZqTH5y/QYl + o0bDAbdQKJf36Eqh8G102z2x/Keo7gK/PWwwOi5YrFlgDVk4oBqAHWRgBiEvjSaO + 
Z7Ork1eeBUuZLAofzMoNNDaZS0KBfEgE3gczGpcRjjIwTDSIXM8NVtz7aXwZjUTS + XAG89qkxjGjlnJcRrE6izhiNbepWaOYYWb57VB5jL0TciQJHR7nbOGQh0T+tNKcb + fKyxZOL8IdGpoqxsRCuaPE5cEwc17XKuu53CfZo9t6hjh8SwRKWGnk7dkYhy + =vqhH + -----END PGP MESSAGE----- + fp: 18DFCE01456DAB52EA38A6584EDC64F35FA1D6A5 + - created_at: "2024-08-05T20:33:02Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAw5vwmoEJHQ1ARAArape3cqNbLeWh0YdcG9fBcuzyrTGntyD6ccl9Wwc4aTd + +uNMhCl7758tETPPK4qneAYNSnbnFQcgKj0ATkVMhMuT58g15GMEyXvhUsIukpQ7 + Ca5t+aVh1fmb1pvcWPd4MUUQzt8KKN99+0KfyWzvdsb2jUBKICG3TQvTWXT93+g4 + LjG6TCW+wv06nTquaCEaR4IdEPJRfZEspUXDhi2Wr/AjXIlvfN/yhs2AyTjde5un + kha2iy85o2NikCYoIaqFvFaEDOGjdcT4g/jaErxXn8sSxOQo9aV/r5Ksm/mXyEI2 + cSrbMfBXwrlrHNZ5VCbYZLbNjIbwFdBV04buZldDT4GYmBW/PG71NeKDrXrgnTOn + 3fBkXmhFb3gLppMv2v2TY96lGk3Obbfnry1lsgLLW+SvustNe1en3mXSVciCbuEh + 7bsb4AkJyJXSUFh8jQ1LWxcE9jsI6eIj9eb/tw0QmC0y8Q2fqOV927B8d7Pl2dyU + K0aryOwn+80ce7sBd/9JRL6SOHB2nK8BpmRO2blAmhrGEjX8kif9hFrXHLU2+7sb + QC0ccFjoleqhTgsnOXCHwfm0ggejvZhS3GLjABgXBp2LVVYuWZXVhCQuRLsUV2v3 + Wf4fPWaGWw8tTTaW198H0NWfd/FSogzWQcsgknVWM9YS/zzqcQNYsSObwh2q2V/S + XAFWrPxSexFSi0XiXK7ahhnp7OTIMtw9dy3e0HQ/7F8guhvhwoTcK6bLY2967wyj + IPh1r+J6g090fN2QXm0oHTSJbhl+fy4bOkXVt/ATyPh6b0yRaxMgSGXWeh3C + =hGXq + -----END PGP MESSAGE----- + fp: 87AB00D45D37C9E9167B5A5A333448678B60E505 + - created_at: "2024-08-05T20:33:02Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA4HMJd/cQYrVARAAwAzM+dgsD/WBFbCFIXhDdsLmmWZMeVLD1AlLTmu/GfGg + YvHhW4giEaqEzUsQOuxmyND7eQd3fBKf1GcwFLXE9xrR6YD5yh7s898mnCpBi2Xi + LBPMz7nN/j7mfetPklsTazbbaoSB9hVx8AK7jzS7zvzgEGIm8Yeilx/v8OqbT1xQ + +07soWjVvqM526a24KSdRBTgvXPJvqIPt0IEZzFWtAppectcRBiZJHX4huU5wOuG + SEk0vgwCwrt3cades+dbh59cSqUc65qGhDti0tnygnSKgepOkQsFOqoZ/WvgE+io + 5fNEI4g2/D+gmSelCCcQE0MFe+Uzc1FpsWwZiHnbGfnA55GO0dvoOUAsJQtwCLSq + 1Lw8bpywgfIfU4QMYmZAaYsHDly4VTwluFe1WnExzf/nMxRQQmqIlg2pTmNZ6tJ1 + 1A9Rc6mg83//2fNWRw+JBtOJUCePw5nyJ0jTOQZd7Dl0ZzwlsgH8g/Y/Flg1kFll + CXGcJ1TMjTjzD4+Fl3UE+BqpzBjwQodzHqX3LEJ9uJ2guw0zbWzuMs10aTEoW/1U + 
pVGexkrcaduykd5TQmMO8yG6rW2KEKJlh68lxZslUAiG0ASTuSpY5A8leS5OZZgF + EQjs903r1epwJgBwnQGhijpTrmqiThvdE0BJ9r1jmxUy75KzWh/SZDmpCwDfsELS + XAEceOrsLsaYRqisM5D1zvNneEoGKv3GoS4cs4iuqHPyy2ZueHWK24HmAmrghRQ7 + uLCmS0SmU5CY5gmVRkrKhY/0wtKWqJ10cK17Z/dQtRz6g3qmFM4JBfMy4BL9 + =vZLC + -----END PGP MESSAGE----- + fp: 91213ABAA73B0B73D3C02B5B4E5F372D17BBE67C + - created_at: "2024-08-05T20:33:02Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAxjNhCKPP69fARAApzEcBIVknhmysQc02ufbjFzKweB4jsCvGoPXSooMzs4x + p4keH/xaVXF1/nn+bzMHJt1/LV1/5LlyHtQNcZ30hUrziOy4LCnyfNgb5WP3VMP3 + XW6ZcBiEIcUHZ1Ikl/cUNCpKazVRD6o6oKmFCwXKgE9a/l5XX/j3vizQ22vwfgfa + oziQPhMadfne8hXAJIB7fOn45ZLFNgLqYWW4Jh4L1DJflziNR8kx3NQJLWDmSqqB + SpuFBkm7DaLCkj/TpvAQs5xSI69kLlDfcaEPI4noAdhJh+jwGVLNmKyekKsYfrDS + 5cQUVD3Hmn4WnpR2jLJAlwcFaEZt0muiLIxZmAxfSzJhld8G4GOcoAllfG9ze+QG + oJ3G6jWtJeoCZR5zbdk+lNcQ+iHD6bzrkN+54menxu2XGHkFKQ1es/g+cU0AI3yZ + XXgnlwNtC75TzZHwSA0kjmqcgr5XVcoLOr5XJWasQOyIXpjcHbfonnMV4NE5A/Jo + IEMLUdjLBWmjW1xeWo1CJ8hELbpfNaQf8YBzEuo5Yqvs7s0fKl8ea18jwtwYP9qc + 2CbD+7GpxuK/06gMTt7LExcqt39PVGmeFAtZHNtNBMnZ6Ek5cbWqhjPOCy2MFVaa + XTH3UxD1YISZC+NZtSYLDWrTwzY3EYCttAxHzg1iFC8STaM/OR6beD0OPcPj+QLS + XAH6NdHQcUSsFJ0KR4dfOrOnuLDzX2xLsgXJvDhRVbpYwSdeG40j5oGiNpam+z8/ + fDboI4SNzB7Mb4j196kSHWK90sKFsxGkoDGZM/QZh4QA2v0yke1sqkUwkK4I + =SLD4 + -----END PGP MESSAGE----- + fp: F38C9D4228FC6F674E322D9C3326D914EB9B8F55 + - created_at: "2024-08-05T20:33:02Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA1Hthzn+T1OoAQ/+LSHRuYFtIKdxABivqoxvbirPS9Vyo+lYNXMRt9eK5oYp + 8ei+fyJgsyxXIIlsW2Dg/ZrM8O4aTxkuX1Eg0BhvuWWGBx71S7IGYX+6eSqrZWb+ + 0zLSwKHmk3avGae/IkpKyEdFnGpHKhnILfpKEXVRWHQo5hjxFzUwzNr5N+wJcq19 + sVuCsu4WSt75Ab5bTjl/AYrfYegkK5zXo2I+njIcSYqleQ6vlQ10LUiPg8QhPXqB + NvC8DVglMHN+dFDrnn5huTsd23nIJn6HRbLkqgPCezT8JUgjvEsO0tOdnM8jwRnI + K79HH53p3fbxSut+/P+u1X0gMTOT7KeLfY8URho5HQnnmymXbRxuWoQea9/Z3qIX + 4tfYkcMQA3+rxXANgsfT1yHEs8NjomUxi0SmSCeqtH333iMJJwEwWgLiIKFAA6t9 + SffF9liWeG88VEeAF5dM+7uQ7XrTsAlcdHdNoQCpprx3Hx331rFt1DOj3Md2moF0 + 
TUqdNsZ7wCA9zlVPwtjkILMGEdz8ZN62an0R/h2ZM9Y/wuZcl1M6wWI9eyjx2Qva + 7/Xk6LMklmNICifOZZ5Tmw1xSyxOIW8VNp7IiKXZBAjb8NiUveNUos0gjMxNQ3PR + oWv8LY3vfYiKE7AJhzrEim1PX36OcRYpB+0BAou//9PGI59tHp/Fupi2lWx7Qv3S + XAEJRUzfnCPB56PdLkNFbJAj2v11zD8zBIZqpuGh/f3fE7V0klGy/Dx9yHyAhw0t + LeXMrYUYO3zjLc4yh7qdrGPBdWUQg8BzWwIJERdHS90zQwmcTkkaX5en3GII + =MQ9C + -----END PGP MESSAGE----- + fp: 5DA93D5C9D7320E1BD3522C79C78172B3551C9FD + - created_at: "2024-08-05T20:33:02Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA46L6MuPqfJqARAApQx98KdexUMI0KY65hv0IRvBRFouPwpTsd4VpzTsbkYF + XDBhxWVXkI9iLS8O6siQygVDDMfIDs5SadVoOicWyOpHR5sjOaW9qHA4w399w8Fe + 5XoPyfUuQvVywfHMhQiznHNPj5+SgcehwUL1i1+qD3h8RZxbgGkvYKinlkkbxzh/ + Tk4lYjcoNvb/10XRWDEy5KxMB2qc2BFEWZk6DrXe9ZUd0IzYh+tA07rUZVu8TRAc + abx6/0lvgIK45frzYJb17yL/9mCbAUVzSlR/+5LZ+qm73Ax4nsGcGA8nfDVGw/di + +BbbpBHdCs7/1XEHfrKzuUXOAd0V1HjeQSS6zzcwsfFLMevYMyTLmiTwo6SEoWSk + nN599ZqPutG94MVtvaKqDY47ABSOr0BZIUn4jdus34GTgDjX3TVTx8KPzemIbUv7 + BQcd654NKQN0poyZegrksnJVfs6OeSULLylufj6vyFNlKbjNR+D1sHhiyKcmyrQf + T0jDnPgZIzeVbNSdrDywrme+CykRSoFs60GgGYt6p/Omuh7Vp6we05jzY8lUJL76 + VsGqqyCn3JLZb6iWFe+P7JT1VXsl8xsrmn5BKoSMeXqaXctYKuJ2E20gc90a8UXm + jhnHYeG2QHW1LBgv1yeqCpUIfHxNRr+gJ3cHQLNUuchC3vubf3sBXhHzYXyzyXrS + XAFwRah/o35ETWbRhFsw+SzJGTgsyUqKAtWGmfTRPsbVvbam63IEsbTSLOdMahmY + 6uSgIbsZTobna90eVPFM8w3JIx7+Mq0YtdaLgRqpHJtPC7oVgN+RnKbgEEqQ + =uyf4 + -----END PGP MESSAGE----- + fp: 8996B62CBD159DCADD3B6DC08BB33A8ABCF7BC4A + - created_at: "2024-08-05T20:33:02Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA4EEKdYEzV0pAQ//QZwerhHFVjR/LahlgmnO/HyiR+wbvNzHEya/rVwuu+st + V8hNgBFp9N1Y9uh/GFIzZd5ETz7yq0FawRptlt5k0CqVYfsDBIB3ewxukJeyjdj2 + 8E84l9SSdmV5uqWK+MV+uY57C8BBcgWtUpjOTNrGkAqtEd5YrSZwcgtKGVLI2Dd/ + i2I1RYdYP/VTusBtpqPk+IrpJf8jEYcEhl+S0wnG+kh/rhyCCrtda49SgRbuJE2d + V9JJlASkC6H6DRn6dVcO2BUZss3ZQB+OF9vfo7tnnuU8Mw1C2JWPy9oPiNat5UGE + zVJZf//m0xBfQVFWFDs95lvqzsBcAAg02tTsclPTtgz9buW5Pph3/OUiq4o/ZWOz + TMSXGD+Fi/mbP7jJZndtiadMtfOQC1dGC86A5H01aQliWruIMb0Wp55+Zr2Rw39p + 
FlhFSfCzyQHgA+uMa45XFaHCaS9pllWoT3QO3csP5ZyeUM8pLvnxwnLB2BTgg+yF + aV3BP0nzbHAUuaDeb/WtRINKRcKHCqrPPAEvb6X0OU51NvzmaWJphpdrvi3/4sEO + 5+zDlqSZetaBa9WB1iCeD/u8wNNunCXageLxBucesv1uH5PvF51A/aJvXf1jRCym + NjSUQw2aSX35nWc9MIcUnO5mB8H4N5BF2FBx8Nq2XnrVgVPqqe1Sc2Ph4tE54QzS + XAG1bzAX3lHh77xsUuy/Nk3VE3kzJhaxpyz0rPIn6NQ9lVcy4hiyecKL3Jk3Ffcn + kxeKnjym5E4e3f8cMxWQlc+xtwga5QAD2dU2X9fPj6UxGEbh+gDqLv8wtzMr + =7R+0 + -----END PGP MESSAGE----- + fp: 9DFA033E3DAEBAD7FDD71B056C7AAA54BE05F7BA + - created_at: "2024-08-05T20:33:02Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hF4DQrf1tCqiJxoSAQdA4XhPBK5WnPVo84ZrCUe92HZSEKtH88GLktniZCmAczcw + cO5WYiy9D4z/aieGuMTBGg5xRk7eAMZVTbMDV+KXKLVlDwoxKybKSbT+fvhNGJ13 + 0lwBd0RFKYGq4YO+/nUxHZo3hG6qmv3/K06fta/D4p/C5wYefNZVcAj5VqatP3Zi + I/ktqdDszkc98/bf4fHoQmSxP25Wp65jJBEYeMZgX75M/wguGeIBfEgZB5bgww== + =0G+m + -----END PGP MESSAGE----- + fp: B71138A6A8964A3C3B8899857B4F70C356765BAB + - created_at: "2024-08-05T20:33:02Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAzdAjw8ldn6CAQ//Vu9YJvMsevJAd4RJwJ5HMdB3xy3dbDG98qZb8Zoj0+qX + KT/VsR9YoOLeszmzI6BtB2PQhLeavMR2/SFJTGunxaSCvHcd/q7dnC+WAmUVun8l + MVRkIRh1I+tX1KQBqFt1IzsUm5kwJD4iThn4OWyDlS3WCDFlOLUC1iZVtdqxptzy + p4mzM4NmR/Z8r8aA+dYdTlzDHyUhVnvYCDaRTIyr2qzd6kUHmo9PMRvqUNQkNA3k + YOwLt8VR0nZIAx7YOGwSp4E32tk09o7Z+dUIYqXO71c5TxXsOoeEbVn7gj+7KQVs + yDNMF7he54zjModPJkSa4MjwTC2NKzLClux0aE9dW5Zv2eSiTEIlaAwhJjH0wt8O + oMJ5A8Y39GmNoAkadQ5NLP6WwTaUFYLacT56/AdAvsodQf7zlF399wXZlQufAgLv + 3WAvL+LQKpg8TwH74pJe4te4BjnqWvYx+jkRYbRxSXD2iwqrWXk57XysizgjAAre + FJe42BeL2uyP/cMTcNFcd+W2DztUkNR54FHSYY8mqev81BYX92ExsfEugsBzUaDF + 3QBnZIZZInCQKnXIIaj5+rV8XXbMKnyTNBQCxfUk92OOrUhikvYhwfPev2ejUzQm + k8RgIG9ZBWDENGX9ojmTH+ec2gWmLvKGyhrKjWvNMzzblHfuxjdSizoQ1FflYEPS + XAE9Cu/L0lwQEU8vRRPPF9kRHLoJygxdOYoD4+SggCkPJxtyiCTNWJeOBwbSnGyh + B8GnNJwNn7H8vh40se/uo2311O8NcuvdLLiBw9DxCTCcPHqS4e5hF98oiSnI + =ZgbM + -----END PGP MESSAGE----- + fp: 3D70F61E07F64EC4E4EF417BEFCD9D20F58784EF + unencrypted_suffix: _unencrypted + version: 3.9.0 
diff --git a/config/hosts/yate/service.nix b/config/hosts/yate/service.nix index e031d4d4..90130602 100644 --- a/config/hosts/yate/service.nix +++ b/config/hosts/yate/service.nix @@ -1,21 +1,48 @@ { config, pkgs, ... }: { +# systemd.managerEnvironment = { +# SYSTEMD_LOG_LEVEL = "debug"; +# }; + + + + sops.secrets."git_clone_key" = { + mode = "0600"; + owner = "yate"; + group = "yate-config"; + restartUnits = [ "yate.service" ]; +}; + systemd.services.yate = { enable = true; description = "Yate telehony engine"; unitConfig = { - Type = "simple"; - After = "network.target"; + After= "network-online.target"; }; serviceConfig = { - ExecStart = "${pkgs.yate}/bin/yate -c /yate -e /yate/share -Do"; - Type = "simple"; - Restart = "always"; + ExecStart = "${pkgs.yate}/bin/yate -c /etc/yate -e /etc/yate/share"; + Type="simple"; + Restart="always"; + User="yate"; + Group="yate-config"; + StateDirectory = "yate"; + StateDirectoryMode = "0775"; # ... }; wantedBy = [ "default.target" ]; - requiredBy = [ "network.target" ]; + requires = [ "network-online.target" ]; + preStart = "echo \"\n\" >> /run/secrets/git_clone_key + sleep 5 + SSH_SUCCESS=1 + ${pkgs.openssh}/bin/ssh -q -i /run/secrets/git_clone_key forgejo@git.hamburg.ccc.de 2> /var/lib/yate/SSH_CHECK_LOG || SSH_SUCCESS=0 + if [ $SSH_SUCCESS = 1 ]; then + rm -rf /var/lib/yate/* + rm -rf /var/lib/yate/.* + env GIT_SSH_COMMAND=\"${pkgs.openssh}/bin/ssh -i /run/secrets/git_clone_key\" ${pkgs.git}/bin/git clone forgejo@git.hamburg.ccc.de:CCCHH/yate-config.git /var/lib/yate + ${pkgs.git}/bin/git -C /var/lib/yate config --add safe.directory \"/var/lib/yate\" + fi"; + # ... }; } diff --git a/config/hosts/yate/sops.nix b/config/hosts/yate/sops.nix new file mode 100644 index 00000000..38b06f9a --- /dev/null +++ b/config/hosts/yate/sops.nix @@ -0,0 +1,7 @@ +{ ... }: + +{ + sops = { + defaultSopsFile = ./secrets.yaml; + }; +} \ No newline at end of file 
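Review bot: `rm -rf /var/lib/yate/.*` in the new preStart also expands to `.` and `..` on bash builds without the 5.2 `globskipdots` default, rm then exits non-zero, and under the `set -e` wrapper NixOS puts around preStart (as far as I recall) the script aborts before the clone; `find /var/lib/yate -mindepth 1 -delete` empties the directory without that hazard. The same script is moved into yate.nix by PATCH 135 and edited again by PATCH 139 and PATCH 140 later on this page, so the point applies there too. The ssh probe and the clone depend on whatever the `yate` user's known_hosts happens to hold, so on a fresh host the check fails closed until someone adds the key by hand; pinning it with `programs.ssh.knownHosts."git.hamburg.ccc.de".publicKey = "<forgejo host key>";` makes the behaviour deterministic and reviewable. Appending to `/run/secrets/git_clone_key` on every start also modifies the sops-provisioned secret in place; if a missing trailing newline is the reason, fixing the stored secret is the cleaner route. The hunk covers the whole file.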
diff --git a/config/hosts/yate/yate.nix b/config/hosts/yate/yate.nix index c4834bbd..3f9b0540 100644 --- a/config/hosts/yate/yate.nix +++ b/config/hosts/yate/yate.nix @@ -10,4 +10,19 @@ # Just disable it for now. networking.firewall.enable = false; + + users.users.yate = { + description = "yate service user"; + group = "yate-config"; + isNormalUser = true; + }; + + + users.groups.yate-config = {}; + users.groups.yate-config.members = [ "colmema-deploy" "chaos" "root" "yate"]; + + environment.etc.yate.user = "yate"; + environment.etc.yate.group = "yate-config"; + environment.etc.yate.mode = "symlink"; + environment.etc.yate.source = "/var/lib/yate"; } diff --git a/flake.nix b/flake.nix index fb4ed262..5ecee982 100644 --- a/flake.nix +++ b/flake.nix @@ -174,6 +174,7 @@ modules = [ self.nixosModules.common self.nixosModules.proxmox-vm + sops-nix.nixosModules.sops ./config/hosts/yate ]; }; From 8045681bb5ab6896cf6fb30a30c47b507c29e589 Mon Sep 17 00:00:00 2001 From: June Date: Sun, 19 Jan 2025 19:05:15 +0100 Subject: [PATCH 135/170] yate: clean up and nicely format nix configuration --- config/hosts/yate/configuration.nix | 4 +- config/hosts/yate/default.nix | 3 +- config/hosts/yate/service.nix | 48 ---------------------- config/hosts/yate/yate.nix | 64 ++++++++++++++++++++++++----- 4 files changed, 55 insertions(+), 64 deletions(-) delete mode 100644 config/hosts/yate/service.nix diff --git a/config/hosts/yate/configuration.nix b/config/hosts/yate/configuration.nix index f350966c..6b1fa990 100644 --- a/config/hosts/yate/configuration.nix +++ b/config/hosts/yate/configuration.nix @@ -1,4 +1,4 @@ -{ config, pkgs, ... }: +{ ... }: { networking = { @@ -6,7 +6,5 @@ domain = "z9.ccchh.net"; }; -# users.users.chaos.password = "yes"; - system.stateVersion = "23.11"; } diff --git a/config/hosts/yate/default.nix b/config/hosts/yate/default.nix index 009e1a12..66738e87 100644 --- a/config/hosts/yate/default.nix +++ b/config/hosts/yate/default.nix 
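Review bot: `isNormalUser = true` turns the `yate` service account into a regular login user with a home directory, which the service does not need; the DokuWiki host elsewhere on this page declares its service account with `isSystemUser = true;` plus an explicit `group`, and the same form fits here (`isSystemUser = true;`). PATCH 135 moves this block into a nested `users = { … }` attrset and keeps `isNormalUser`, so it applies there as well. As far as I recall the option docs, `environment.etc.<name>.user` and `.group` only take effect when the file is copied, so with `mode = "symlink"` the two `environment.etc.yate.user/group` lines are no-ops and can go. `colmema-deploy` in the group members may be a misspelling of the Colmena deploy user — worth confirming against the real account name. The enclosing attrset starts outside the hunk.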
@@ -1,11 +1,10 @@ -{ config, pkgs, ... }: +{ ... }: { imports = [ ./configuration.nix ./networking.nix ./yate.nix - ./service.nix ./sops.nix ]; } diff --git a/config/hosts/yate/service.nix b/config/hosts/yate/service.nix deleted file mode 100644 index 90130602..00000000 --- a/config/hosts/yate/service.nix +++ /dev/null @@ -1,48 +0,0 @@ -{ config, pkgs, ... }: - -{ -# systemd.managerEnvironment = { -# SYSTEMD_LOG_LEVEL = "debug"; -# }; - - - - sops.secrets."git_clone_key" = { - mode = "0600"; - owner = "yate"; - group = "yate-config"; - restartUnits = [ "yate.service" ]; -}; - - systemd.services.yate = { - enable = true; - description = "Yate telehony engine"; - unitConfig = { - After= "network-online.target"; - }; - serviceConfig = { - ExecStart = "${pkgs.yate}/bin/yate -c /etc/yate -e /etc/yate/share"; - Type="simple"; - Restart="always"; - User="yate"; - Group="yate-config"; - StateDirectory = "yate"; - StateDirectoryMode = "0775"; - # ... - }; - wantedBy = [ "default.target" ]; - requires = [ "network-online.target" ]; - preStart = "echo \"\n\" >> /run/secrets/git_clone_key - sleep 5 - SSH_SUCCESS=1 - ${pkgs.openssh}/bin/ssh -q -i /run/secrets/git_clone_key forgejo@git.hamburg.ccc.de 2> /var/lib/yate/SSH_CHECK_LOG || SSH_SUCCESS=0 - if [ $SSH_SUCCESS = 1 ]; then - rm -rf /var/lib/yate/* - rm -rf /var/lib/yate/.* - env GIT_SSH_COMMAND=\"${pkgs.openssh}/bin/ssh -i /run/secrets/git_clone_key\" ${pkgs.git}/bin/git clone forgejo@git.hamburg.ccc.de:CCCHH/yate-config.git /var/lib/yate - ${pkgs.git}/bin/git -C /var/lib/yate config --add safe.directory \"/var/lib/yate\" - fi"; - - # ... - }; -} diff --git a/config/hosts/yate/yate.nix b/config/hosts/yate/yate.nix index 3f9b0540..d3ed2f93 100644 --- a/config/hosts/yate/yate.nix +++ b/config/hosts/yate/yate.nix @@ -1,4 +1,4 @@ -{ config, pkgs, ... }: +{ pkgs, ... }: { environment.systemPackages = [ 
@@ -11,18 +11,60 @@ # Just disable it for now. networking.firewall.enable = false; - users.users.yate = { - description = "yate service user"; - group = "yate-config"; - isNormalUser = true; + users = { + users.yate = { + description = "yate service user"; + group = "yate-config"; + isNormalUser = true; + }; + + groups.yate-config = { + members = [ "colmema-deploy" "chaos" "root" "yate"]; + }; }; + environment.etc.yate = { + user = "yate"; + group = "yate-config"; + mode = "symlink"; + source = "/var/lib/yate"; + }; - users.groups.yate-config = {}; - users.groups.yate-config.members = [ "colmema-deploy" "chaos" "root" "yate"]; + sops.secrets."git_clone_key" = { + mode = "0600"; + owner = "yate"; + group = "yate-config"; + restartUnits = [ "yate.service" ]; + }; - environment.etc.yate.user = "yate"; - environment.etc.yate.group = "yate-config"; - environment.etc.yate.mode = "symlink"; - environment.etc.yate.source = "/var/lib/yate"; + systemd.services.yate = { + enable = true; + description = "Yate telehony engine"; + unitConfig = { + After= "network-online.target"; + }; + serviceConfig = { + ExecStart = "${pkgs.yate}/bin/yate -c /etc/yate -e /etc/yate/share"; + Type="simple"; + Restart="always"; + User="yate"; + Group="yate-config"; + StateDirectory = "yate"; + StateDirectoryMode = "0775"; + }; + wantedBy = [ "default.target" ]; + requires = [ "network-online.target" ]; + preStart = '' + echo \"\n\" >> /run/secrets/git_clone_key + sleep 5 + SSH_SUCCESS=1 + ${pkgs.openssh}/bin/ssh -q -i /run/secrets/git_clone_key forgejo@git.hamburg.ccc.de 2> /var/lib/yate/SSH_CHECK_LOG || SSH_SUCCESS=0 + if [ $SSH_SUCCESS = 1 ]; then + rm -rf /var/lib/yate/* + rm -rf /var/lib/yate/.* + env GIT_SSH_COMMAND=\"${pkgs.openssh}/bin/ssh -i /run/secrets/git_clone_key\" ${pkgs.git}/bin/git clone forgejo@git.hamburg.ccc.de:CCCHH/yate-config.git /var/lib/yate + ${pkgs.git}/bin/git -C /var/lib/yate config --add safe.directory \"/var/lib/yate\" + fi + ''; + }; } 
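Review bot: the switch to an indented `''…''` string changes what the shell receives, because backslashes are literal in that string form: `echo \"\n\"` now prints `"n"` into the key file, `safe.directory \"/var/lib/yate\"` stores a path wrapped in literal quote characters, and in the `env GIT_SSH_COMMAND=\"…\"` line the `-i /run/secrets/git_clone_key` part is no longer inside the variable's value, so the clone does not use the deploy key. The line should read `env GIT_SSH_COMMAND="${pkgs.openssh}/bin/ssh -i /run/secrets/git_clone_key" ${pkgs.git}/bin/git clone forgejo@git.hamburg.ccc.de:CCCHH/yate-config.git /var/lib/yate` (PATCH 139 later on this page makes that change). `description = "Yate telehony engine"` carries a typo (telephony) that survived the move. A one-line comment above `preStart` stating what the script does and why it wipes the state directory would help the next reader, e.g. `# Re-clone the config repo on every start when the deploy key works; local changes in /var/lib/yate are discarded.`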
From d57c47437ff20dcb3c0008ab666b927de1181121 Mon Sep 17 00:00:00 2001 From: echtnurich Date: Thu, 23 Jan 2025 20:15:37 +0100 Subject: [PATCH 136/170] Add reload script for refreshing config during runtime
--- config/hosts/yate/yate.nix | 5 +++++ 1 file changed, 5 insertions(+)
diff --git a/config/hosts/yate/yate.nix b/config/hosts/yate/yate.nix
index d3ed2f93..d5e64f18 100644
--- a/config/hosts/yate/yate.nix
+++ b/config/hosts/yate/yate.nix
@@ -45,6 +45,11 @@
 };
 serviceConfig = {
 ExecStart = "${pkgs.yate}/bin/yate -c /etc/yate -e /etc/yate/share";
+ ExecReload= ''
+ ${pkgs.git}/bin/git config --global --add safe.directory /var/lib/yate
+ /usr/bin/env GIT_SSH_COMMAND=\\"${pkgs.openssh}/bin/ssh -i /run/secrets/git_clone_key\\" ${pkgs.git}/bin/git -C /var/lib/yate fetch --all
+ /usr/bin/env GIT_SSH_COMMAND=\\"${pkgs.openssh}/bin/ssh -i /run/secrets/git_clone_key\\" ${pkgs.git}/bin/git -C /var/lib/yate reset --hard origin/main
+ '';
 Type="simple";
 Restart="always";
 User="yate";
From 73fa9d1e067e626fec76eb713342644f72647c65 Mon Sep 17 00:00:00 2001 From: June Date: Fri, 24 Jan 2025 11:44:29 +0100 Subject: [PATCH 137/170] git: enable Git LFS
--- config/hosts/git/forgejo.nix | 1 + 1 file changed, 1 insertion(+)
diff --git a/config/hosts/git/forgejo.nix b/config/hosts/git/forgejo.nix
index 665815d1..85b13e6d 100644
--- a/config/hosts/git/forgejo.nix
+++ b/config/hosts/git/forgejo.nix
@@ -14,6 +14,7 @@ enable = true; package = pkgs.forgejo; database.type = "postgres"; + lfs.enable = true; secrets = { mailer = { From 4530608c9900901ece7f0c2448e4035369c8f15b Mon Sep 17 00:00:00 2001 
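Review bot: `\\"` inside the `''…''` string reaches the shell as `\"`, so the `GIT_SSH_COMMAND` assignment in the two new `/usr/bin/env` lines gets a literal quote in its value and `-i /run/secrets/git_clone_key` becomes separate arguments — the fetch and reset will not use the deploy key; a plain `"` is enough, as PATCH 139 later does when it moves this into `reload`. `git config --global --add safe.directory /var/lib/yate` writes to the yate user's `~/.gitconfig` and `--add` appends a duplicate entry on every reload (the same line is in PATCH 139's `reload`); since the checkout is cloned by and run as the same `yate` user the setting is probably unnecessary, and if it is needed `git -c safe.directory=/var/lib/yate …` per command avoids mutating the home config. The branch is `origin/main` here and `origin/master` in PATCH 139 — worth confirming which one the repo actually has. serviceConfig's closing brace is outside the hunk.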
From: June Date: Fri, 24 Jan 2025 11:45:32 +0100 Subject: [PATCH 138/170] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'authorizedKeysRepo': 'https://git.hamburg.ccc.de/api/v1/repos/CCCHH/infrastructure-authorized-keys/archive/686a6af22f6696f0c0595c56f463c078550049fc.tar.gz?narHash=sha256-plTYjM6zPzoBE/dp6EUrk9mCqmab278p8FqBCTX8Grc%3D&rev=686a6af22f6696f0c0595c56f463c078550049fc' (2024-11-10) → 'https://git.hamburg.ccc.de/api/v1/repos/CCCHH/infrastructure-authorized-keys/archive/686a6af22f6696f0c0595c56f463c078550049fc.tar.gz?narHash=sha256-plTYjM6zPzoBE/dp6EUrk9mCqmab278p8FqBCTX8Grc%3D' (2024-11-10) • Updated input 'nixos-generators': 'github:nix-community/nixos-generators/051d1b2dda3b2e81b38d82e2b691e5c2f4d335f4?narHash=sha256-A7CTIQ8SW0hfbhKlwK%2BvSsu4pD%2BOaelw3v6goX6go%2BU%3D' (2024-12-23) → 'github:nix-community/nixos-generators/d002ce9b6e7eb467cd1c6bb9aef9c35d191b5453?narHash=sha256-3Pe0yKlCc7EOeq1X/aJVDH0CtNL%2BtIBm49vpepwL1MQ%3D' (2025-01-16) • Updated input 'nixos-generators/nixlib': 'github:nix-community/nixpkgs.lib/0a31e8d833173ae63e43fd9dbff1ccf09c4f778c?narHash=sha256-dPhc%2Bf2wkmhMqMIfq%2BhColJdysgVxKP9ilZ5bR0NRZI%3D' (2024-12-22) → 'github:nix-community/nixpkgs.lib/1418bc28a52126761c02dd3d89b2d8ca0f521181?narHash=sha256-tmpqTSWVRJVhpvfSN9KXBvKEXplrwKnSZNAoNPf/S/s%3D' (2025-01-12) • Updated input 'nixos-generators/nixpkgs': 'github:NixOS/nixpkgs/4989a246d7a390a859852baddb1013f825435cee?narHash=sha256-kMBQ5PRiFLagltK0sH%2B08aiNt3zGERC2297iB6vrvlU%3D' (2024-12-17) → 'github:NixOS/nixpkgs/2f9e2f85cb14a46410a1399aa9ea7ecf433e422e?narHash=sha256-FWlPMUzp0lkQBdhKlPqtQdqmp%2B/C%2B1MBiEytaYfrCTY%3D' (2025-01-12) • Updated input 'nixpkgs': 'github:nixos/nixpkgs/530de2c83360057c1650fb8a37ef48cb9ad8f6a6?narHash=sha256-WIGZ3DPw5H%2BSPszUXVacK%2BKTh3sJZShP1vGtDwhquNM%3D' (2025-01-09) → 
'github:nixos/nixpkgs/c87f6eefb71ddde46ecc7fb128dd3f86e48ae69c?narHash=sha256-fY95Rp63NFzOwRFO6%2BRGi/UTyxgqmFmKtQ/DWg%2B6vsQ%3D' (2025-01-23) • Updated input 'sops-nix': 'github:Mic92/sops-nix/c9c88f08e3ee495e888b8d7c8624a0b2519cb773?narHash=sha256-eSjkBwBdQk%2BTZWFlLbclF2rAh4JxbGg8az4w/Lfe7f4%3D' (2025-01-06) → 'github:Mic92/sops-nix/015d461c16678fc02a2f405eb453abb509d4e1d4?narHash=sha256-j9IdflJwRtqo9WpM0OfAZml47eBblUHGNQTe62OUqTw%3D' (2025-01-20) --- flake.lock | 32 ++++++++++++++++---------------- 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/flake.lock b/flake.lock index 4625fa30..259f97ac 100644 --- a/flake.lock +++ b/flake.lock @@ -7,7 +7,7 @@ "narHash": "sha256-plTYjM6zPzoBE/dp6EUrk9mCqmab278p8FqBCTX8Grc=", "rev": "686a6af22f6696f0c0595c56f463c078550049fc", "type": "tarball", - "url": "https://git.hamburg.ccc.de/api/v1/repos/CCCHH/infrastructure-authorized-keys/archive/686a6af22f6696f0c0595c56f463c078550049fc.tar.gz?rev=686a6af22f6696f0c0595c56f463c078550049fc" + "url": "https://git.hamburg.ccc.de/api/v1/repos/CCCHH/infrastructure-authorized-keys/archive/686a6af22f6696f0c0595c56f463c078550049fc.tar.gz" }, "original": { "type": "tarball", @@ -16,11 +16,11 @@ }, "nixlib": { "locked": { - "lastModified": 1734829460, - "narHash": "sha256-dPhc+f2wkmhMqMIfq+hColJdysgVxKP9ilZ5bR0NRZI=", + "lastModified": 1736643958, + "narHash": "sha256-tmpqTSWVRJVhpvfSN9KXBvKEXplrwKnSZNAoNPf/S/s=", "owner": "nix-community", "repo": "nixpkgs.lib", - "rev": "0a31e8d833173ae63e43fd9dbff1ccf09c4f778c", + "rev": "1418bc28a52126761c02dd3d89b2d8ca0f521181", "type": "github" }, "original": { 
@@ -35,11 +35,11 @@ "nixpkgs": "nixpkgs" }, "locked": { - "lastModified": 1734915500, - "narHash": "sha256-A7CTIQ8SW0hfbhKlwK+vSsu4pD+Oaelw3v6goX6go+U=", + "lastModified": 1737057290, + "narHash": "sha256-3Pe0yKlCc7EOeq1X/aJVDH0CtNL+tIBm49vpepwL1MQ=", "owner": "nix-community", "repo": "nixos-generators", - "rev": "051d1b2dda3b2e81b38d82e2b691e5c2f4d335f4", + "rev": "d002ce9b6e7eb467cd1c6bb9aef9c35d191b5453", "type": "github" }, "original": { @@ -50,11 +50,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1734435836, - "narHash": "sha256-kMBQ5PRiFLagltK0sH+08aiNt3zGERC2297iB6vrvlU=", + "lastModified": 1736657626, + "narHash": "sha256-FWlPMUzp0lkQBdhKlPqtQdqmp+/C+1MBiEytaYfrCTY=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "4989a246d7a390a859852baddb1013f825435cee", + "rev": "2f9e2f85cb14a46410a1399aa9ea7ecf433e422e", "type": "github" }, "original": { @@ -66,11 +66,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1736408508, - "narHash": "sha256-WIGZ3DPw5H+SPszUXVacK+KTh3sJZShP1vGtDwhquNM=", + "lastModified": 1737665804, + "narHash": "sha256-fY95Rp63NFzOwRFO6+RGi/UTyxgqmFmKtQ/DWg+6vsQ=", "owner": "nixos", "repo": "nixpkgs", - "rev": "530de2c83360057c1650fb8a37ef48cb9ad8f6a6", + "rev": "c87f6eefb71ddde46ecc7fb128dd3f86e48ae69c", "type": "github" }, "original": { @@ -95,11 +95,11 @@ ] }, "locked": { - "lastModified": 1736203741, - "narHash": "sha256-eSjkBwBdQk+TZWFlLbclF2rAh4JxbGg8az4w/Lfe7f4=", + "lastModified": 1737411508, + "narHash": "sha256-j9IdflJwRtqo9WpM0OfAZml47eBblUHGNQTe62OUqTw=", "owner": "Mic92", "repo": "sops-nix", - "rev": "c9c88f08e3ee495e888b8d7c8624a0b2519cb773", + "rev": "015d461c16678fc02a2f405eb453abb509d4e1d4", "type": "github" }, "original": { From bb0af02e5c28952c9c9d937861007955ac25e490 Mon Sep 17 00:00:00 2001 From: echtnurich Date: Fri, 24 Jan 2025 18:00:26 +0100 Subject: [PATCH 139/170] use nix option for ExecReload --- config/hosts/yate/yate.nix | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) 
diff --git a/config/hosts/yate/yate.nix b/config/hosts/yate/yate.nix
index d5e64f18..89f225ef 100644
--- a/config/hosts/yate/yate.nix
+++ b/config/hosts/yate/yate.nix
@@ -45,11 +45,6 @@
 };
 serviceConfig = {
 ExecStart = "${pkgs.yate}/bin/yate -c /etc/yate -e /etc/yate/share";
- ExecReload= ''
- ${pkgs.git}/bin/git config --global --add safe.directory /var/lib/yate
- /usr/bin/env GIT_SSH_COMMAND=\\"${pkgs.openssh}/bin/ssh -i /run/secrets/git_clone_key\\" ${pkgs.git}/bin/git -C /var/lib/yate fetch --all
- /usr/bin/env GIT_SSH_COMMAND=\\"${pkgs.openssh}/bin/ssh -i /run/secrets/git_clone_key\\" ${pkgs.git}/bin/git -C /var/lib/yate reset --hard origin/main
- '';
 Type="simple";
 Restart="always";
 User="yate";
@@ -61,15 +56,22 @@
 requires = [ "network-online.target" ];
 preStart = ''
 echo \"\n\" >> /run/secrets/git_clone_key
+ id
 sleep 5
 SSH_SUCCESS=1
 ${pkgs.openssh}/bin/ssh -q -i /run/secrets/git_clone_key forgejo@git.hamburg.ccc.de 2> /var/lib/yate/SSH_CHECK_LOG || SSH_SUCCESS=0
 if [ $SSH_SUCCESS = 1 ]; then
 rm -rf /var/lib/yate/*
 rm -rf /var/lib/yate/.*
- env GIT_SSH_COMMAND=\"${pkgs.openssh}/bin/ssh -i /run/secrets/git_clone_key\" ${pkgs.git}/bin/git clone forgejo@git.hamburg.ccc.de:CCCHH/yate-config.git /var/lib/yate
- ${pkgs.git}/bin/git -C /var/lib/yate config --add safe.directory \"/var/lib/yate\"
+ env GIT_SSH_COMMAND="${pkgs.openssh}/bin/ssh -i /run/secrets/git_clone_key" ${pkgs.git}/bin/git clone forgejo@git.hamburg.ccc.de:CCCHH/yate-config.git /var/lib/yate
+ ${pkgs.git}/bin/git -C /var/lib/yate config --add safe.directory "/var/lib/yate"
 fi
 '';
+ reload= ''
+ id
+ ${pkgs.git}/bin/git config --global --add safe.directory /var/lib/yate
+ /usr/bin/env GIT_SSH_COMMAND="${pkgs.openssh}/bin/ssh -i /run/secrets/git_clone_key" ${pkgs.git}/bin/git -C /var/lib/yate fetch --all
+ /usr/bin/env GIT_SSH_COMMAND="${pkgs.openssh}/bin/ssh -i /run/secrets/git_clone_key" ${pkgs.git}/bin/git -C /var/lib/yate reset --hard origin/master
+ '';
 };
 } 
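Review bot: the `id` calls added to preStart and to the new `reload` script look like leftover debugging; they only add a line to the journal on every start and reload and should be dropped. `reset --hard origin/master` discards any edit made directly in the group-writable `/var/lib/yate`, which is fine if the repo is the single source of truth but deserves a comment such as `# /var/lib/yate is reset to origin/master on reload; edit the repo, not the checkout.` above `reload`. `/usr/bin/env` is used in `reload` while preStart uses bare `env`; one form keeps the unit self-consistent. The second hunk ends at the module's closing brace; the first is inside `serviceConfig`, whose closing brace is outside it.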
From 5cf9cffa77b4e1e1179305b9ad7eca6d40cce177 Mon Sep 17 00:00:00 2001 From: echtnurich Date: Fri, 24 Jan 2025 19:54:31 +0100 Subject: [PATCH 140/170] add more checks before config reinit
--- config/hosts/yate/yate.nix | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/config/hosts/yate/yate.nix b/config/hosts/yate/yate.nix
index 89f225ef..236e1f08 100644
--- a/config/hosts/yate/yate.nix
+++ b/config/hosts/yate/yate.nix
@@ -55,12 +55,13 @@
 wantedBy = [ "default.target" ];
 requires = [ "network-online.target" ];
 preStart = ''
- echo \"\n\" >> /run/secrets/git_clone_key
- id
+ echo "\n" >> /run/secrets/git_clone_key
 sleep 5
+ id
+ echo "$(stat -c '%U' /var/lib/yate/.git) owns /var/lib/yate/.git"
 SSH_SUCCESS=1
 ${pkgs.openssh}/bin/ssh -q -i /run/secrets/git_clone_key forgejo@git.hamburg.ccc.de 2> /var/lib/yate/SSH_CHECK_LOG || SSH_SUCCESS=0
- if [ $SSH_SUCCESS = 1 ]; then
+ if [[ $SSH_SUCCESS = 1 && $(stat -c '%U' /var/lib/yate/.git) == *yate* ]]; then
 rm -rf /var/lib/yate/*
 rm -rf /var/lib/yate/.*
 env GIT_SSH_COMMAND="${pkgs.openssh}/bin/ssh -i /run/secrets/git_clone_key" ${pkgs.git}/bin/git clone forgejo@git.hamburg.ccc.de:CCCHH/yate-config.git /var/lib/yate
From 934f29a84a32d8770faf6a657ee7519960cd0ed7 Mon Sep 17 00:00:00 2001 
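Review bot: the new owner check makes a first deployment impossible to bootstrap — when `/var/lib/yate/.git` does not exist yet, `stat` fails, the comparison is false and the clone branch is skipped, so yate starts with an empty config directory; `*yate*` is also a glob that accepts any owner name containing `yate`. A guard that allows the empty case and an exact owner, `if [[ $SSH_SUCCESS = 1 && ( ! -e /var/lib/yate/.git || $(stat -c '%U' /var/lib/yate/.git) == yate ) ]]; then`, covers both. bash's builtin `echo` does not interpret `\n`, so `echo "\n" >> /run/secrets/git_clone_key` appends the two characters `\n` followed by echo's own newline; if only a trailing newline is wanted, `echo >> /run/secrets/git_clone_key` does exactly that. The `echo "$(stat …) owns …"` diagnostic prints a stat error on that first start for the same reason. preStart's closing `''` is outside the hunk.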
From: c6ristian Date: Tue, 4 Feb 2025 21:31:09 +0100 Subject: [PATCH 141/170] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'authorizedKeysRepo': 'https://git.hamburg.ccc.de/api/v1/repos/CCCHH/infrastructure-authorized-keys/archive/686a6af22f6696f0c0595c56f463c078550049fc.tar.gz?narHash=sha256-plTYjM6zPzoBE/dp6EUrk9mCqmab278p8FqBCTX8Grc%3D' (2024-11-10) → 'https://git.hamburg.ccc.de/api/v1/repos/CCCHH/infrastructure-authorized-keys/archive/686a6af22f6696f0c0595c56f463c078550049fc.tar.gz?narHash=sha256-plTYjM6zPzoBE/dp6EUrk9mCqmab278p8FqBCTX8Grc%3D&rev=686a6af22f6696f0c0595c56f463c078550049fc' (2024-11-10) • Updated input 'nixpkgs': 'github:nixos/nixpkgs/c87f6eefb71ddde46ecc7fb128dd3f86e48ae69c' (2025-01-23) → 'github:nixos/nixpkgs/11e2214d91f0d06ea8575087e3cd8e246c550bd8' (2025-02-04) • Updated input 'sops-nix': 'github:Mic92/sops-nix/015d461c16678fc02a2f405eb453abb509d4e1d4' (2025-01-20) → 'github:Mic92/sops-nix/4c1251904d8a08c86ac6bc0d72cc09975e89aef7' (2025-01-31) --- flake.lock | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/flake.lock b/flake.lock index 259f97ac..7f1207b2 100644 --- a/flake.lock +++ b/flake.lock @@ -7,7 +7,7 @@ "narHash": "sha256-plTYjM6zPzoBE/dp6EUrk9mCqmab278p8FqBCTX8Grc=", "rev": "686a6af22f6696f0c0595c56f463c078550049fc", "type": "tarball", - "url": "https://git.hamburg.ccc.de/api/v1/repos/CCCHH/infrastructure-authorized-keys/archive/686a6af22f6696f0c0595c56f463c078550049fc.tar.gz" + "url": "https://git.hamburg.ccc.de/api/v1/repos/CCCHH/infrastructure-authorized-keys/archive/686a6af22f6696f0c0595c56f463c078550049fc.tar.gz?rev=686a6af22f6696f0c0595c56f463c078550049fc" }, "original": { "type": "tarball", 
@@ -66,11 +66,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1737665804, - "narHash": "sha256-fY95Rp63NFzOwRFO6+RGi/UTyxgqmFmKtQ/DWg+6vsQ=", + "lastModified": 1738663689, + "narHash": "sha256-L9CwNfoGcvAUpPu6DSkhpdT4tczeWREJWj7ah0Q/qTE=", "owner": "nixos", "repo": "nixpkgs", - "rev": "c87f6eefb71ddde46ecc7fb128dd3f86e48ae69c", + "rev": "11e2214d91f0d06ea8575087e3cd8e246c550bd8", "type": "github" }, "original": { @@ -95,11 +95,11 @@ ] }, "locked": { - "lastModified": 1737411508, - "narHash": "sha256-j9IdflJwRtqo9WpM0OfAZml47eBblUHGNQTe62OUqTw=", + "lastModified": 1738291974, + "narHash": "sha256-wkwYJc8cKmmQWUloyS9KwttBnja2ONRuJQDEsmef320=", "owner": "Mic92", "repo": "sops-nix", - "rev": "015d461c16678fc02a2f405eb453abb509d4e1d4", + "rev": "4c1251904d8a08c86ac6bc0d72cc09975e89aef7", "type": "github" }, "original": { From a665aa15f4001151eb7590c83c877bf30be55b7b Mon Sep 17 00:00:00 2001 From: June Date: Mon, 10 Feb 2025 23:43:05 +0100 Subject: [PATCH 142/170] eh22-wiki: remove because of migration to ansible-infra --- config/hosts/eh22-wiki/configuration.nix | 7 - config/hosts/eh22-wiki/default.nix | 9 -- config/hosts/eh22-wiki/dokuwiki.nix | 166 ----------------------- config/hosts/eh22-wiki/networking.nix | 22 --- flake.nix | 10 -- 5 files changed, 214 deletions(-) delete mode 100644 config/hosts/eh22-wiki/configuration.nix delete mode 100644 config/hosts/eh22-wiki/default.nix delete mode 100644 config/hosts/eh22-wiki/dokuwiki.nix delete mode 100644 config/hosts/eh22-wiki/networking.nix diff --git a/config/hosts/eh22-wiki/configuration.nix b/config/hosts/eh22-wiki/configuration.nix deleted file mode 100644 index ff45e491..00000000 --- a/config/hosts/eh22-wiki/configuration.nix +++ /dev/null @@ -1,7 +0,0 @@ -{ ... }: - -{ - networking.hostName = "eh22-wiki"; - - system.stateVersion = "23.11"; -} diff --git a/config/hosts/eh22-wiki/default.nix b/config/hosts/eh22-wiki/default.nix deleted file mode 100644 index 2d90c6b1..00000000 
--- a/config/hosts/eh22-wiki/default.nix +++ /dev/null @@ -1,9 +0,0 @@ -{ config, pkgs, ... }: - -{ - imports = [ - ./configuration.nix - ./dokuwiki.nix - ./networking.nix - ]; -} diff --git a/config/hosts/eh22-wiki/dokuwiki.nix b/config/hosts/eh22-wiki/dokuwiki.nix deleted file mode 100644 index f9a7cbd3..00000000 --- a/config/hosts/eh22-wiki/dokuwiki.nix +++ /dev/null 
@@ -1,166 +0,0 @@ -# Sources for this configuration: -# - https://www.dokuwiki.org/dokuwiki -# - https://www.dokuwiki.org/install -# - https://www.dokuwiki.org/requirements -# - https://www.dokuwiki.org/install:php -# - https://www.dokuwiki.org/security -# - https://www.dokuwiki.org/config:xsendfile -# - https://www.dokuwiki.org/install:nginx -# - https://www.dokuwiki.org/faq:uploadsize -# - https://nixos.wiki/wiki/Phpfpm -# - https://wiki.archlinux.org/title/Nginx#FastCGI -# - https://github.com/NixOS/nixpkgs/blob/84c0cb1471eee15e77ed97e7ae1e8cdae8835c61/nixos/modules/services/web-apps/dokuwiki.nix -# - https://git.hamburg.ccc.de/CCCHH/ansible-infra/src/commit/81c8bfe16b311d5bf4635947fa02dfb65aea7f91/playbooks/files/chaosknoten/configs/wiki/nginx/wiki.hamburg.ccc.de.conf -# - https://www.php.net/manual/en/install.fpm.php -# - https://www.php.net/manual/en/install.fpm.configuration.php - -{ config, pkgs, ... }: - -let - # This is also used for user and group names. - app = "dokuwiki"; - domain = "eh22.easterhegg.eu"; - dataDir = "/srv/www/${domain}"; -in -{ - systemd.tmpfiles.rules = [ - "d ${dataDir} 0755 ${app} ${app}" - ]; - - services.phpfpm.pools."${app}" = { - user = "${app}"; - group = "${app}"; - phpOptions = '' - short_open_tag = Off - open_basedir = - output_buffering = Off - output_handler = - zlib.output_compression = Off - implicit_flush = Off - allow_call_time_pass_reference = Off - max_execution_time = 30 - max_input_time = 60 - max_input_vars = 10000 - memory_limit = 128M - error_reporting = E_ALL & ~E_NOTICE - display_errors = Off - display_startup_errors = Off - log_errors = On - ; error_log should be handled by NixOS. - variables_order = "EGPCS" - register_argc_argv = Off - file_uploads = On - upload_max_filesize = 20M - post_max_size = 20M - session.use_cookies = 1 - ; Checked the default NixOS PHP extensions and the only one missing from - ; DokuWikis list of PHP extensions was bz2, so add that. - ; Checked with NixOS 23.11 on 2024-05-02. 
- extension = ${pkgs.phpExtensions.bz2}/lib/php/extensions/bz2.so - ''; - settings = { - "listen.owner" = "${config.services.nginx.user}"; - "listen.group" = "${config.services.nginx.group}"; - "pm" = "dynamic"; - "pm.max_children" = 32; - "pm.start_servers" = 2; - "pm.min_spare_servers" = 2; - "pm.max_spare_servers" = 4; - "pm.max_requests" = 500; - }; - }; - - services.nginx = { - enable = true; - - virtualHosts."acme-${domain}" = { - default = true; - enableACME = true; - serverName = "${domain}"; - - listen = [ - { - addr = "0.0.0.0"; - port = 31820; - } - ]; - }; - - virtualHosts."${domain}" = { - default = true; - forceSSL = true; - useACMEHost = "${domain}"; - - listen = [ - { - addr = "0.0.0.0"; - port = 8443; - ssl = true; - proxyProtocol = true; - } - ]; - - root = "${dataDir}"; - - locations = { - "~ /(conf|bin|inc|vendor)/" = { - extraConfig = "deny all;"; - }; - - "~ /install.php" = { - extraConfig = "deny all;"; - }; - - "~ ^/data/" = { - extraConfig = "internal;"; - }; - - "~ ^/lib.*\.(js|css|gif|png|ico|jpg|jpeg)$" = { - extraConfig = "expires 31d;"; - }; - - "/" = { - index = "doku.php"; - extraConfig = "try_files $uri $uri/ @dokuwiki;"; - }; - - "@dokuwiki" = { - extraConfig = '' - # Rewrites "doku.php/" out of the URLs if the userwrite setting is - # set to .htaccess in the DokuWiki config page. 
- rewrite ^/_media/(.*) /lib/exe/fetch.php?media=$1 last; - rewrite ^/_detail/(.*) /lib/exe/detail.php?media=$1 last; - rewrite ^/_export/([^/]+)/(.*) /doku.php?do=export_$1&id=$2 last; - rewrite ^/(.*) /doku.php?id=$1&$args last; - ''; - }; - - "~ \\.php$" = { - extraConfig = '' - try_files $uri $uri/ /doku.php; - include ${config.services.nginx.package}/conf/fastcgi_params; - fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; - fastcgi_param REDIRECT_STATUS 200; - fastcgi_pass unix:${config.services.phpfpm.pools."${app}".socket}; - ''; - }; - }; - - extraConfig = '' - # Set maximum file upload size to 20MB (same as upload_max_filesize and - # post_max_size in the phpOptions). - client_max_body_size 20M; - client_body_buffer_size 128k; - ''; - }; - }; - - networking.firewall.allowedTCPPorts = [ 8443 31820 ]; - networking.firewall.allowedUDPPorts = [ 8443 ]; - - users.users."${app}" = { - isSystemUser = true; - group = "${app}"; - }; - users.groups."${app}" = { }; -} diff --git a/config/hosts/eh22-wiki/networking.nix b/config/hosts/eh22-wiki/networking.nix deleted file mode 100644 index fba2da9e..00000000 --- a/config/hosts/eh22-wiki/networking.nix +++ /dev/null @@ -1,22 +0,0 @@ -{ ... }: - -{ - networking = { - interfaces.net0 = { - ipv4.addresses = [ - { - address = "172.31.17.159"; - prefixLength = 25; - } - ]; - }; - defaultGateway = "172.31.17.129"; - nameservers = [ "212.12.50.158" "192.76.134.90" ]; - search = [ "hamburg.ccc.de" ]; - }; - - systemd.network.links."10-net0" = { - matchConfig.MACAddress = "BC:24:11:37:F0:AB"; - linkConfig.Name = "net0"; - }; -} diff --git a/flake.nix b/flake.nix index 5ecee982..347294b0 100644 --- a/flake.nix +++ b/flake.nix 
@@ -149,16 +149,6 @@ ]; }; - eh22-wiki = nixpkgs.lib.nixosSystem { - inherit system specialArgs; - modules = [ - self.nixosModules.common - self.nixosModules.proxmox-vm - self.nixosModules.prometheus-exporter - ./config/hosts/eh22-wiki - ]; - }; - nix-box-june = nixpkgs.lib.nixosSystem { inherit system specialArgs; modules = [ From fe5e6cebdc0f0df330b0541c1756cdfc859f1bec Mon Sep 17 00:00:00 2001 From: June Date: Tue, 18 Feb 2025 00:02:31 +0100 Subject: [PATCH 143/170] netbox: remove because of migration to ansible-infra --- .sops.yaml | 17 -- config/hosts/netbox/configuration.nix | 7 - config/hosts/netbox/default.nix | 12 - config/hosts/netbox/netbox.nix | 61 ----- config/hosts/netbox/networking.nix | 22 -- config/hosts/netbox/nginx.nix | 67 ----- config/hosts/netbox/postgresql.nix | 7 - config/hosts/netbox/secrets.yaml | 234 ------------------ config/hosts/netbox/sops.nix | 7 - deployment_configuration.json | 3 - flake.nix | 19 -- ...oup_and_role_mapping_custom_pipeline.patch | 61 ----- 12 files changed, 517 deletions(-) delete mode 100644 config/hosts/netbox/configuration.nix delete mode 100644 config/hosts/netbox/default.nix delete mode 100644 config/hosts/netbox/netbox.nix delete mode 100644 config/hosts/netbox/networking.nix delete mode 100644 config/hosts/netbox/nginx.nix delete mode 100644 config/hosts/netbox/postgresql.nix delete mode 100644 config/hosts/netbox/secrets.yaml delete mode 100644 config/hosts/netbox/sops.nix delete mode 100644 patches/0001_oidc_group_and_role_mapping_custom_pipeline.patch diff --git a/.sops.yaml b/.sops.yaml index dedf3c12..9a6ae2de 100644 --- a/.sops.yaml +++ b/.sops.yaml 
@@ -13,7 +13,6 @@ keys: - &host_age_git age18zaq9xg9nhqyl8g7mvrqhsx4qstay5l9cekq2g80vx4920pswdfqpeafd7 - &host_age_forgejo_actions_runner age10xz2l7ghul7023awcydf4q3wurmszy2tafnadlarj0tvm7kl033sjw5f8t - &host_age_matrix age1f7ams0n2zy994pzt0u30h8tex6xdcernj59t4d70z4kjsyzrr3wsy87xzk - - &host_age_netbox age13fqs76z2vl5l84dvmmlqjj5xkfsfe85xls8uueul7re9j3ksjs0sw2xc9e - &host_age_public_web_static age19s7r8sf7j6zk24x9vumawgxpd2q8epyv7p9qsjntw7v9s3v045mqhmsfp0 - &host_age_yate age1kxzl00cfa5v926cvtcp0l3fncwh6fgmk8jvpf4swkl4vh3hv9e5qyqsrnt - &host_age_mjolnir age1ej52kwuj8xraxdq685eejj4dmxpfmpgt4d8jka98rtpal6xcueqq9a6wae @@ -68,22 +67,6 @@ creation_rules: - *admin_gpg_dante age: - *host_age_matrix - - path_regex: config/hosts/netbox/.* - key_groups: - - pgp: - - *admin_gpg_djerun - - *admin_gpg_stb - - *admin_gpg_jtbx - - *admin_gpg_yuri - - *admin_gpg_june - - *admin_gpg_haegar - - *admin_gpg_dario - - *admin_gpg_echtnurich - - *admin_gpg_max - - *admin_gpg_c6ristian - - *admin_gpg_dante - age: - - *host_age_netbox - path_regex: config/hosts/public-web-static/.* key_groups: - pgp: diff --git a/config/hosts/netbox/configuration.nix b/config/hosts/netbox/configuration.nix deleted file mode 100644 index 50a584ed..00000000 --- a/config/hosts/netbox/configuration.nix +++ /dev/null @@ -1,7 +0,0 @@ -{ config, pkgs, ... }: - -{ - networking.hostName = "netbox"; - - system.stateVersion = "23.05"; -} diff --git a/config/hosts/netbox/default.nix b/config/hosts/netbox/default.nix deleted file mode 100644 index 6ef34697..00000000 --- a/config/hosts/netbox/default.nix +++ /dev/null @@ -1,12 +0,0 @@ -{ config, pkgs, ... }: - -{ - imports = [ - ./configuration.nix - ./netbox.nix - ./networking.nix - ./nginx.nix - ./postgresql.nix - ./sops.nix - ]; -} diff --git a/config/hosts/netbox/netbox.nix b/config/hosts/netbox/netbox.nix deleted file mode 100644 index f816016c..00000000 --- a/config/hosts/netbox/netbox.nix +++ /dev/null 
@@ -1,61 +0,0 @@ -# Sources for this configuration: -# - https://docs.netbox.dev/en/stable/configuration/ -# - https://colmena.cli.rs/unstable/features/keys.html -# - https://colmena.cli.rs/unstable/reference/deployment.html -# - https://git.grzb.de/yuri/nix-infra/-/blob/33f2d9e324c2e3a8b1b41c20bce239001bcce9fc/hosts/netbox/secrets.nix - -{ config, pkgs, ... }: - -{ - services.netbox = { - enable = true; - # Explicitly use the patched NetBox package. - package = pkgs.netbox_4_1; - secretKeyFile = "/run/secrets/netbox_secret_key"; - keycloakClientSecret = "/run/secrets/netbox_keycloak_secret"; - settings = { - ALLOWED_HOSTS = [ "netbox.hamburg.ccc.de" ]; - SESSION_COOKIE_SECURE = true; - # CCCHH ID (Keycloak) integration. - # https://github.com/python-social-auth/social-core/blob/0925304a9e437f8b729862687d3a808c7fb88a95/social_core/backends/keycloak.py#L7 - # https://python-social-auth.readthedocs.io/en/latest/backends/keycloak.html - REMOTE_AUTH_BACKEND = "social_core.backends.keycloak.KeycloakOAuth2"; - SOCIAL_AUTH_KEYCLOAK_KEY = "netbox"; - # SOCIAL_AUTH_KEYCLOAK_SECRET set via keycloakClientSecret option. 
- SOCIAL_AUTH_KEYCLOAK_PUBLIC_KEY = "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAi/Shi+b2OyYNGVFPsa6qf9SesEpRl5U5rpwgmt8H7NawMvwpPUYVW9o46QW0ulYcDmysT3BzpP3tagO/SFNoOjZdYe0D9nJ7vEp8KHbzR09KCfkyQIi0wLssKnDotVHL5JeUY+iKk+gjiwF9FSFSHPBqsST7hXVAut9LkOvs2aDod9AzbTH/uYbt4wfUm5l/1Ii8D+K7YcsFGUIqxv4XS/ylKqObqN4M2dac69iIwapoh6reaBQEm66vrOzJ+3yi4DZuPrkShJqi2hddtoyZihyCkF+eJJKEI5LrBf1KZB3Ec2YUrqk93ZGUGs/XY6R87QSfR3hJ82B1wnF+c2pw+QIDAQAB"; - SOCIAL_AUTH_KEYCLOAK_AUTHORIZATION_URL = "https://id.hamburg.ccc.de/realms/ccchh/protocol/openid-connect/auth"; - SOCIAL_AUTH_KEYCLOAK_ACCESS_TOKEN_URL = "https://id.hamburg.ccc.de/realms/ccchh/protocol/openid-connect/token"; - SOCIAL_AUTH_PIPELINE = [ - # The default pipeline as can be found in: - # /nix/store/q2jsn56bgkj0nkz0j4w48x3klyn2x4gp-netbox-4.1.7/opt/netbox/netbox/netbox/settings.py - "social_core.pipeline.social_auth.social_details" - "social_core.pipeline.social_auth.social_uid" - "social_core.pipeline.social_auth.social_user" - "social_core.pipeline.user.get_username" - "social_core.pipeline.user.create_user" - "social_core.pipeline.social_auth.associate_user" - "netbox.authentication.user_default_groups_handler" - "social_core.pipeline.social_auth.load_extra_data" - "social_core.pipeline.user.user_details" - # Use custom pipeline functions patched in via netbox41OIDCMappingOverlay. - # See: https://docs.goauthentik.io/integrations/services/netbox/ - "netbox.custom_pipeline.add_groups" - "netbox.custom_pipeline.remove_groups" - "netbox.custom_pipeline.set_roles" - ]; - }; - }; - - sops.secrets."netbox_secret_key" = { - mode = "0440"; - owner = "netbox"; - group = "netbox"; - restartUnits = [ "netbox.service" "netbox-rq.service" ]; - }; - sops.secrets."netbox_keycloak_secret" = { - mode = "0440"; - owner = "netbox"; - group = "netbox"; - restartUnits = [ "netbox.service" "netbox-rq.service" ]; - }; -} 
diff --git a/config/hosts/netbox/networking.nix b/config/hosts/netbox/networking.nix deleted file mode 100644 index a0abcfe3..00000000 --- a/config/hosts/netbox/networking.nix +++ /dev/null @@ -1,22 +0,0 @@ -{ ... }: - -{ - networking = { - interfaces.net0 = { - ipv4.addresses = [ - { - address = "172.31.17.149"; - prefixLength = 25; - } - ]; - }; - defaultGateway = "172.31.17.129"; - nameservers = [ "212.12.50.158" "192.76.134.90" ]; - search = [ "hamburg.ccc.de" ]; - }; - - systemd.network.links."10-net0" = { - matchConfig.MACAddress = "62:ED:44:20:7C:C1"; - linkConfig.Name = "net0"; - }; -} diff --git a/config/hosts/netbox/nginx.nix b/config/hosts/netbox/nginx.nix deleted file mode 100644 index 2673cdc4..00000000 --- a/config/hosts/netbox/nginx.nix +++ /dev/null 
@@ -1,67 +0,0 @@ -# Sources for this configuration: -# - https://nixos.org/manual/nixos/stable/#module-security-acme -# - https://git.grzb.de/yuri/nix-infra/-/blob/33f2d9e324c2e3a8b1b41c20bce239001bcce9fc/hosts/netbox/nginx.nix -# - https://docs.netbox.dev/en/stable/installation/5-http-server/ -# - https://github.com/netbox-community/netbox/blob/v3.5.9/contrib/nginx.conf - -{ config, pkgs, ... }: - -{ - services.nginx = { - enable = true; - # So nginx can access the Netbox static files. - user = "netbox"; - - virtualHosts."acme-netbox.hamburg.ccc.de" = { - default = true; - enableACME = true; - serverName = "netbox.hamburg.ccc.de"; - - listen = [ - { - addr = "0.0.0.0"; - port = 31820; - } - ]; - }; - - virtualHosts."netbox.hamburg.ccc.de" = { - default = true; - forceSSL = true; - useACMEHost = "netbox.hamburg.ccc.de"; - - listen = [ - { - addr = "0.0.0.0"; - port = 8443; - ssl = true; - proxyProtocol = true; - } - ]; - - locations."/static/" = { - alias = "${config.services.netbox.dataDir}/static/"; - }; - - locations."/" = { - proxyPass = "http://${config.services.netbox.listenAddress}:${builtins.toString config.services.netbox.port}"; - }; - - extraConfig = '' - # Make use of the ngx_http_realip_module to set the $remote_addr and - # $remote_port to the client address and client port, when using proxy - # protocol. - # First set our proxy protocol proxy as trusted. - set_real_ip_from 172.31.17.140; - # Then tell the realip_module to get the addreses from the proxy protocol - # header. - real_ip_header proxy_protocol; - - client_max_body_size 25m; - ''; - }; - }; - - networking.firewall.allowedTCPPorts = [ 8443 31820 ]; - networking.firewall.allowedUDPPorts = [ 8443 ]; -} diff --git a/config/hosts/netbox/postgresql.nix b/config/hosts/netbox/postgresql.nix deleted file mode 100644 index 5f49f30e..00000000 --- a/config/hosts/netbox/postgresql.nix +++ /dev/null 
@@ -1,7 +0,0 @@ -{ pkgs, config, ... }: - -{ - services.postgresql = { - package = pkgs.postgresql_15; - }; -} diff --git a/config/hosts/netbox/secrets.yaml b/config/hosts/netbox/secrets.yaml deleted file mode 100644 index 831a7a18..00000000 --- a/config/hosts/netbox/secrets.yaml +++ /dev/null 
@@ -1,234 +0,0 @@ -netbox_secret_key: ENC[AES256_GCM,data:7cVGSlrCo3MEjeLjfeZrL0VZi3+yZqsC3qI+rx+xadic78H0egWCCNaYEHIgtilgFjw=,iv:gnearzPduWcrVLU/FuzS05eNPZ5srX0hqZyElq+19ek=,tag:9MKgFb4eVYE6a5ncx9sgpw==,type:str] -netbox_keycloak_secret: ENC[AES256_GCM,data:WLPCwl6KmHhyGwpqchZUmTr0XwA1T9asAEXNOSQMfGU=,iv:fsO+Ho18Uz6+y2iohbve1bUKhCR/c2zNrbODR2Jrh3Q=,tag:MWeh7GhdyUJnSzrndA3l3Q==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age13fqs76z2vl5l84dvmmlqjj5xkfsfe85xls8uueul7re9j3ksjs0sw2xc9e - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKaTJ5OEJPeGVPTHp5V2tX - c0xYcWtKNG00d3lCQ1JZRERkUFZsaXpyMERJClQwdDFnTVdCRjB0S3hEYkVmclE5 - dGRUQThYSWhpK2dCQWxSVjhuNEY4TUEKLS0tIC9RS3hSdFZCbTd4eFNNSTgyaXdU - V1lQK3YzTWI5ZGdyeGtFQ0E3QXQ3YnMK8sBStC8xBKwpeWkF/HrryWi0hZA69nuw - a73HiZuED8KEp5OPME3yC6Ode71uEEaE/av2zp7WUYbCqVpWnwcjSg== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-10-08T23:54:23Z" - mac: ENC[AES256_GCM,data:6KwBwJ1uTuOaCTcBs9sgvX+E/bV37ylJmDqYupa3545ba5Y3VMuF2Hx72zzRYPmh5/DmwzDxc/f7TZUheO5jwwwMGGNCYuX2c+nkzLgtovT/yCXTo8vPHNf03fQRHlOq28ztQIG8Ug1s/t4XkA+iuqPdbvyNKLbsJfJBqg4SF44=,iv:SUXPFtW3/pSTBnjAh77G6pJTucHy4VEhUVkELiMJ4JU=,tag:SfLCwPpJuvL7RrIRmN5PGg==,type:str] - pgp: - - created_at: "2024-05-26T01:07:22Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMAxK/JaB2/SdtARAAgiNMTfquNZeRDR0p1DQbGPVx/tCxKng4aQ+6A8x7H3Ul - UFSjn+85rFBqTRswDnFM4gSfokBHLW1Ltztqw4aKuYoNLs0vUGJWrkf5dHsJv2Mb - YJaHm1iqSwIrgmyI1PWvrZ+cUjgUWBriJOTNlYi2iHWBWqDSQ7O7TUqpeCxiHAp9 - e6UydzIxsLjl+7gaDW2M/FRJNVKxtq8UBEdg33xLi/eE6O5/fNyo8qBjUUWnG4xb - fiuKWgn83n7vsVsmvNJPlsOUrrZoYJAOSm5nymkXlAEQv1LPrSXXYHz8WoOTPDs8 - 29YAX8gvIwK+lc7xFFZAsjQ8JzqcVMyFHsT9N8zWSdaOyGcFcsDwBEICOvVSabb9 - g3yrI8PKoEkQigeLnzKrkLZX+1vqVkSO7MBWn5xAMMhTTZvH0+MknlYO0pU3ziME - Yp6EbvU4OeRbcB6gMt21KQDhiEkPNdwcyxoOtFIWw8tCK57Leyyyb1YU2W7T96M4 - 2fcoAzr5x3xapdvOEgUr7OFzTrc2DRrpx7FKoJFBIy4HEvtJKJvKxcq4aUqznSPG - 
ILpbnH3CEQuWmcGu5fTZ3ggQZW7bM523cz+cwOJjUokhW49D+h7wZjffUuSK1AWS - 7FwncFVVkNcLAs77p1DFn4A3mUjdh3jl+VAXudgQfOGtLeLDY4+qlMMQSGPoj4fU - aAEJAhB0l1X5jqjGE7o/PRwgoaeFl/zwiX8n0k26++hPw2+Vt/b3sT3Ce0zNr30p - Yc7h4H8UoN9j6zD96R9MAATHikz7a5EprAshqzV6uy7VNI6bcKVKilLoxVa47Y1p - 6PA24RxtGxVm - =ES/O - -----END PGP MESSAGE----- - fp: EF643F59E008414882232C78FFA8331EEB7D6B70 - - created_at: "2024-05-26T01:07:22Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMA6EyPtWBEI+2AQ/+OBSrAP5xkjanku4jcpbYrYDMTWRxVfEgNesvuTyQsxVr - kKK9THm7MUHbVBkx1xirvpv6XLcLtCwdMnYlBkSCVaztGmb1aowmCn5tWZiVDyE+ - UPCF0bTXmxjLM+Cav8aweylfD3vAQsPvFLS3XvCBHKWqZ7dNkro+5VTxKmQ+XiZ6 - t67M5DtltUm8IWOE2DScAgGiBQlCSY23O/zy4U5Sj3Ii+eRHxC1B7NB0Crj01pi7 - 2v6J7yNZnw4vfH3UiRO5Vg9q0QLPp3XR6Xb1J/TJJS6vCUarSbL1/oBjujHkF4hK - MEZ+Q3qGnv+dGOzUch4xkEkuWyfIcMTY6JOa3TpkhfkbQwXsph/sD/SaHpRD70Ra - PX0vBzSdbtEMea8/pVTOxfFEjPGQIFI1+pdNmCfzhWNbrH6EqjrSOyZXSr6+U3dI - Xhpyv2wKuNho0c9jWYqPzY4vhSGRjc9416nfV/o7Ebv659ypBKHtMDcL5kebkCB4 - W0OwscSRPUXUz2S9XfSa3J80Aakv5S5xvlXo6R/8TDaMWJtZP2vtF4y0elNGOfZM - Vn/zlv1htaezQDNznJK+E8bHEF3p92hiuSjO8yMZByIFrAV1AyqY4kiMmW68scA6 - NBOlxah9xCV7XnD8B1ZCR9FruuYYj9cpwES0lLvISBXJvh1viyHN8Js0uApePInS - XgGzDhaZWWyt5TK+Uv2fu8wh6hbX8hmzT9vBLfPz0Gx6Z78RnwflsTqF8svtjSuB - zv4z9d/zrysfHY93Gd8kdKkG955f1THz9dELEpYLIwyLoTx1vHlymVP87TuPqxc= - =zG3F - -----END PGP MESSAGE----- - fp: F155144FC925A1BEA1F8A2C59A2A4CD59BFDC5EC - - created_at: "2024-05-26T01:07:22Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMAz5uSgHG2iMJARAAjT7YVbq2/QthKii2fmj1EZgsDm7ZkcAKJ7Bo0jm7Vgxm - wGeBULB0bBoYEiFFO7Kc420Yk6IK+uUG8S8X3bJHUbMzvY/K/kG0eVpXwDJwJPf8 - o46blkjpmhIiTvvQ4K74AJgsT9W0yXRrPxGz5HIuOG8P8CAqOabZ79ORfd3KFebJ - yOvBSyor//XoMB60a7uqQoaWw/+UwRKpz2yncLafD23nyuS5uXsoHNuySHLsI4va - y6Nhp4LdpYjjx/DIuzrl/3SCeLgisHL5u5kJ1QaGsfd2z7Tjxk+GoVgs/Wb51uHs - vPk0diKrv/kouW7rN20a2ywQETenik7/z2JcEFyZiOPH9KhHk3QGoXdlVVqESz5O - OMV5d/ijFW92Z7yuis1jSewGKDDp1FqyR3gIMONl2vK7Pzl1A8v8yQBbY5/fObuM - 
xTs/qwwoqYimokqM3WrjjKgx8oFFstWWzKBT24aCQTajA8vl83v1jfjR7EjBrrAu - +J+wBFNpnJiXgECPmJgOtQB+4IA023X1cdgDm2GlR+sPKKSBP+AySMOOp4zMoS4J - 9xd30ltQp1ncNvU7KaTV0VXRaGb7CEJnlhiN2naYcpcsX+G8bfcrCuZwxtBFiZvY - 9Ey47LLHP5SPPOWxhnsrPOYidNJd056+uyvnnbUYArjb6s5JUh6KQgjELKCEOIXS - XgEUryr5jMrBHLQi7wYHEqWkouH8cFsPAu5O/KOIYvZVIoOzB3DDPtJ4CknNfAMa - CTvlOJHJSuweQ4Mq0c+247aWu12V9ZMcTQT4e3g5DYq5TWm58Uidbd/g3FDwLgg= - =PqbF - -----END PGP MESSAGE----- - fp: 18DFCE01456DAB52EA38A6584EDC64F35FA1D6A5 - - created_at: "2024-05-26T01:07:22Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMAw5vwmoEJHQ1AQ//baYynNo2MfmuqEKles0xnZpfPemIyQUnPmRKEtZUl6T6 - eweGXKF3Ms32ErPhZaT8RNYAk2XX+RRlpJvTcMvLv/rxVTf2QcCAz6vxukmh5una - 5CJe1H1tcDmXrQ7zkGffktkGcT90/OpRbhMJtp7MKcEzfpdgcw5yCeDpYCRn2r9E - /0Eaf72R60ecnr6CaOSIdbpy1QiDMydgmg/QCONBT97RQMJaGN+qAuPz1Fpb/Z+N - E/bmtqS39ADYZoB36sy+LCzp+oMLI0DpCHz2ngfFnKbeYeNU9gMXCAda9/ZyMbaI - aFjvwlTBsvAklWN36pvG/YxoO1XkN/Mj1N1QBvxP2LYg28X7uBnVUZAyvvQPL6xN - U110qThvDvLxgHC1DAfoMygKCDig2oSg3njf8LS1y5XkTag/B1JJT3NcgFI+MMvT - 5NMaw6HRAgOwWcJ1pJokFZ6zIpLlIbToutJu/Ep4tisyg/G3ybbthqaywg5jkbCT - vbhzXpsbqkE+jyx2dWziBbQR9lOoTycRwIs6um+pKuPF7TzfD1GRyqTwtU9TN58D - Yl1GN3oz8ZFeGkdy1dXBxMP4EXR1BTdLk14vFGFPbjQ0bAAohOgTSgtGm+iZ73Q/ - PFNf/3gGt8/Gk0cMl20PFzk3FMyUDOLFl5dOre0THGQelpVbN7fvZuaXOSZjuYXS - XgHGFmChf+zsmbKnT0tQfzGtFQb0cHHvkenxC5MCCCPibxwVeHEwcJTtPvvF1QqF - 9kR3XEpuVFMNFrxsQd/31c5RUTC+sr7W+PRIVgIhdU6RtikIMsmekrunnPeB99U= - =o7cj - -----END PGP MESSAGE----- - fp: 87AB00D45D37C9E9167B5A5A333448678B60E505 - - created_at: "2024-05-26T01:07:22Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMA4HMJd/cQYrVAQ/6A6ealIO6x8Xq3xzjIvZt1R4TvbnF+LmKpW2iG1nO3aVY - QOEGUCVdEveWbQBOexKXl1TgfhxIOrPVixJ2KgIZnNxobhgABfF/H/EqXsxUI6n6 - 2mZt8r0ibknzoPn7MmC7ceJt0t8UVFgPlPuT7zb5T2nDrm61WD50tbubJTYTuWmY - NE5qhd051/Ohqf1RGB7MEfesDNj0S+J3E0TAjOsAcFoAUwSohUtxONcCSwjiygqM - vCC9Z51tMe6pC9n/2MNgb47xd5eqFs9rzfKXxPlnhhRmS1jOmE5fVfmOg9KOkGCu - 
PskiO+hgyQK3q2a+/e/MGuKv3ChCrTloTUBarQW5oRoQnWdoiZh7rVwyNVasGfHW - FLEhZuBlyV8w9JqOQTiOx3FN8IhVL2lJIa72Ng+O+AMYuvuSCxv5r+1D88IUlF9B - n01qAMC7fUfOpkUPM0yXQ9GTIWt02Mp/7z15t49Uk3izYCGluxVNhLNFxvAZOZh8 - nfT2Hpf5mkJHMvUD9F9rWFVWPyCD0ORN8k770ziOVEYMadSJ7/HpCHxg5m+TqNnM - TNQXID/f7AyoO10zcS8TD0IgDLEjTaPMTPZ1EZ0MvgLQ7MgzPdjdvXOGc0g8L6oa - ac9a/NDWeZGDNfj5T88pZStoLJKnTvuuwxk0haabClxCAOysifxINqJ7U6AfkpnS - XgHR1vDF871X9kwm/c2zrbJca2sH5pNU/HiLf3IMRTAnmIewYxQAvn3JH+0jUUKH - fEt+fZuW9dgfvDzaw4C3FbGxFViRXXFrjqSDGN9JT6VprCmX3Or0RdIjHwdvvhY= - =4agQ - -----END PGP MESSAGE----- - fp: 91213ABAA73B0B73D3C02B5B4E5F372D17BBE67C - - created_at: "2024-05-26T01:07:22Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMAxjNhCKPP69fAQ//R+9lFm16WjGtRkq3zcPbva2SpijBjVBfuL2veFyeDq5G - H09EL0+A9IJ5rPI4Y6HJ2LhnqUWg7NRHbmM48bHla5NDtCNB+YsU1rNc4oGIf/TJ - JRob3u660+BxRiEO/Agc925BeQS7xoPSIQTTkzMKEGih2aUj3Im0JHBd6p3UWnsn - ZTUy4rkZHhUot1vHSOh1RTRDQHdDMTFpzPA66nH2y9tyz79jhqEFUCZIVIB5dGWv - blFqZgoVf9Piw/7ic9FHuNRy/5tia7SGN6xIu3OlR3TU+z7fvjUAHG9Afm0FINfm - fS7SRg+y/6wUWVGL8NSQWQLdnMnUt7E2DSu5IY6S6ToZTDxpNM9Waw89GQbUe+Jg - APzUtmXt2VNZ7faIE+tE0LJs2x5OGNxALKgj+K9ZFl6oIL8E7PB4ncxDlTsCRiz/ - H15LzKYMWcYAntMVuVbyyzKUh/3KdZWfs31PV+JIQuazVUQgO9R3myn1Y9SnvZdQ - dIwvfYBOmwhC6oCkJB3Pj4yOoE6gtacZBeeUZwScDxH6h+D3MFrF/1bgiKZs26m+ - VfuTS2vxUAln9werKIGAbQWZmtCOkRdyVIJyeo31zO3hy/xdfzlZdBijcOqZDeho - FP+WDUAySkSahqV1pr+jIMsaejRglJo/GfCGPdtBYAuB872VpdiQ8g3i0CW7eSfS - XgH5YBfA4EgJSxRdCpBO25i0SyxlNK2WJ9INQbu4xyfBfsZYyhKo1RbmD+60t/xw - Lxeg8plFAuBPvQCRCGvda1y9uw66Hmxt0QKtScd3MXwOk2Q2u04cIPDZ/KAtC4g= - =x1QX - -----END PGP MESSAGE----- - fp: F38C9D4228FC6F674E322D9C3326D914EB9B8F55 - - created_at: "2024-05-26T01:07:22Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMA1Hthzn+T1OoAQ/6AgZkGRrZDbtTDEkksKQ84CsGyRBMioOrYfHDSyRb7URZ - RDVLfqr25Iz48kYR1n2nMo+O7QyayjTwaEAwFLFSTIpRKN6/9fT2ZVJxUfgLUWhH - I1OYMmRr9f/30OUMw8uTlCMqznkdoSjBmm0CX2Mu3YyRDUokzZa+ixRHX9TRBrKz - 
GSfJvHm77HTamvJLZcHnrVi9YH0KL7cQ8ileNHbUbCqmG+rrhiwz+gRp9aJ7pbnw - Qp7TaafrQKFh0Zsbmwuzcv030TJvuZboWpMIuGoeOWqv6tzSFhUV8eUu6UnM/2fg - arflryayYFRDUkysHONGoHviygefHr3+dIkneVO7tJ4ePYnFYhLvUsps4KASoHMF - dHMOwaPQDnBYo/ADiar1fgagYD/1Yns2SpsA1eqWwTE+hp+jwQi0mzYMLM3xl9YA - cMuqIOnXvpnuXYIRmooFtf/JkoJkYDV+8gbowZU52FJbB15QsPUgN47aixkWzJxj - 6iV34LoF783DGQTnoMzgV9bDXa3RE1UgxjdFV6TNsPQvmWQJe+NNhqdkhH3MwLTG - jMGAwUNsPnmvCg4xPZlZMiuGhi3vxC4Fj6MWUw8uJbxCv83FPYwmpHCGVNwpDhFC - rRLk9vo1Dsm0oMHHLDxS9gTlg7FCrEyXinHBEq/11wigACM217oyg28nWxd6iA/S - XgHgxWlTQiYOWBRdJuJrPwXpNIHlsNDuE5YantoGFx6ykGT5H42HFlll7xGq6xVq - pssSfJK++lqWpvX076vh9tfwa40N2neO/vQ+8jBXr3dP6Vj/FUA8IUDVjc9xxAc= - =FXTF - -----END PGP MESSAGE----- - fp: 5DA93D5C9D7320E1BD3522C79C78172B3551C9FD - - created_at: "2024-05-26T01:07:22Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMA46L6MuPqfJqARAAlG+nZhDVZX/+nHA+dPdw2RSGeXrIaxe0gjkGShZOVhmq - /iOfY7IgRzfp03BCJxRZwTYZu9hcg25jmW1havkmv5NPMDrmhgg9nX1AgyJaOgTo - FCPlXAvBSyWPGv+xgi63ttakHhobOympBj4hSzXdLg3RhkZ7KHci4Qz7XVfOpJ+j - wl/HKkNmkLiPiA7kYk8SOwJMFO89dMphHQBc81cZAptwfz9snTP7v6iBVvQDvF8h - 3y5QPpfKEJZy0+GlqbMvRASHNx+w2GXIk6F/ldMt9rq9IJvR0od0p15aXCcO6TzC - Yzo7lIyyxqp9NQyN0S/DwzH0Uqj2CFMYdoKeFTNXG4a9fkVorj8+4rmJPewDxc4a - 6Pc1hrQc6qoN+7o0Fj4xYkSO615gmVwZprWLQqgdkSMSPklecMX1d7WmkmIHNBk8 - wkFUT0yBoedBiOTIHXRXhnQ8/4fkbRw7HYA3R4CqT7njtvqC0VWfwLISubuQ38tf - wbGKg5Bzzt+T176VoOfjau4aDoy3S1aGQcVKD19egj4l/eO+SvHl3UVZNUipkB3C - 7MUqORS2kOh+IIqdSjYKvn7+MuAM5UP5GdzIoHaPPSCTUPdUjOLFPb+bjonTReQM - N4slvyssD3pgy9cwNofVtsmgVrc4Cv9mTo6rygeAq7wWxkl5hvVcmkhRN6zXD4TS - XgHV1a+C7ZWICtKI1u19NVYkjDkRrbQx96UdAkKquofpaQjxxXsz4SDi94BB2dCS - z+S2ZjOtweynhey1QPOLLmNUvZLE+SGsKmwkrMCBdtSyTbRXHSqPHt0Lc77tUhE= - =7WGw - -----END PGP MESSAGE----- - fp: 8996B62CBD159DCADD3B6DC08BB33A8ABCF7BC4A - - created_at: "2024-05-26T01:07:22Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMA4EEKdYEzV0pAQ/9Ek8xSUknHMyj7pFgR6oME3Q/az5CykwxpkKFZgafhxWQ - 
nA2Ge4y3Px+rSoPPPtxtb32lw4PcWV+P1Y4EdtpinsuW9xlSWJvE8Yp6C0BBFceu - 3k3O2sPHlF0yeJgjS+rhpqPppRn5nlvmD+E9ZiJGQNOEUxmrdgoNLonazlLqcgjO - 07CQdgHp9AuBthhlEU+UgdVdfHMV83KhhyOIf+mhEUU4cQWL3X/J2Sm6jtAowA92 - fiAA7U8UXEt4lFEXle6Xj/1LtBI5zI8YHrE3xX6kN0Byf+ydtAM1eqjGb0dL7u6W - 24CavCODfgWepuK97Jo++umTfN8wkLlfpbaNro2EpAdD5Q9CeGSzXk1PjFmsZgAb - QVOxo8kiTULEgMTI55pqg4GT4pglbofsQRMuk2IZPj1a9ScJjOxZIm0VUXG9AAZi - BogAuiObch3orMm2KGeSX1s6HyHrvQjuXDNPHoC2yFJ2oBu1QIHy/hAFLnOcNW/U - 3JfhWHLpMHQgu9lFzkTlobg+4Lg1MHlXtSApwdmMIcrAJcm/l/7+x1J/TVVRQAdP - zyzWLA9AGjRv0Vud6lhCnL2FjsUVUWA+S8G+OYqxpkp70Ku1a5z3e7P8CoAtzDoe - RZLRwjawjgfyKpEvbN+s2UvWqtgvRPqiudG4cAZs5GecLxO8ItahyklRZ47G8JnS - XgEdyiiO06vx5LMszt/tFXtoIKlaWnbB0oLyIwm8un55VnJija5OVrFfdQYhp4fQ - yvRQ9uAM32WVjQ+gKVVQ3pAHgF2Lu67E7HtZtdmdLkWafybEWUsqGZyDzDvchZs= - =pFkW - -----END PGP MESSAGE----- - fp: 9DFA033E3DAEBAD7FDD71B056C7AAA54BE05F7BA - - created_at: "2024-05-26T01:07:22Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hF4DQrf1tCqiJxoSAQdAeCb2j6cmTulJV2huSow62xTILgzf8/OOo5lED9+T5VQw - kBqubSVgy3jiW7lfjAK8U5Wh0ITb+6AR9kDLRE0WCxNbrOaeGado1VEalTw00Q58 - 0l4B+PeAZBg82rPUegAvU7UnnUIC3nGVzN4CEdPRpPcrG99V6VvXOks+s4DLky16 - 5FOihlYbf5nCD7OFbc3yys3MbUVuHda8x8H0BkuxDR81Wf4Q+HXCg8OUhncB57zN - =Lvnj - -----END PGP MESSAGE----- - fp: B71138A6A8964A3C3B8899857B4F70C356765BAB - - created_at: "2024-05-26T01:07:22Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMAzdAjw8ldn6CAQ//UFokgDfUkScPVlJ+YnFw+W8eLk6y2YVI+nTCCZO9fhPB - 77aDFY+yJG/BfEzjZNwQbISBjt+OuxVSSam52B+4FQkolr3KRhkfkuS16Fe9PwOg - XLMRoDba416ZtwAKz9HznFnPAzyPOwAn8yuF9RMp0KFP3ko+NSRAvOgja+jjPOl7 - 4BNkH6w5SAoE8u5jyQKIV9OB4W8RCVX30bYo2XzxjOcK1L+9EygoR+1CVOkbx8p/ - T2i3mBdy3EtQ+86nSMPjGrSqURaUaKbCN/ygrSMhN/Pl/FvLiEEHamj2dVXPdHRV - k4bR51ZjO+U056PAB2Z5yK1Mpp0d0xpi5+QdOdi3eEqnGCXFq4Xz7NHUrmdy8Zug - QPnlMqibC3Wqdee4uhPbCHe0veF/VLaNAlyGkBHw7q66Ln2MY8coKPoiR8K4CD8o - 9dtsV/qDvdFhziqsWCBjTwtFct2x/qEcRnzm1kvpyKwe2zV15lHA9WLafZVQ8eNk - 
U8yxBDETa8Bwd9voJ9NqYTcnyQLRJ3sZcvfkWQ7D5NOvmdHD5vF+gm5zJzR4EGN2 - kSiqwZvztVuQCm6EOe0pJqp774KZXWW9eHc6CaNwkT5cmWjWu1wdHYhRk32HdhxX - 1FQF3MxxACwDg9kj/s7gpWLlsofN4NM/QtHoGRh1wDQJGm8IZyH2qxpsgcXX9YHS - XgGX4oCWpHLRyRuHPb0xvjAdVX20WQKLzAtXvJkRMUd+Xt348nkZ4ZCqqfQ4eKPU - 02FoWeCVqWTUyoaaHC87HFXUNJ4Gc+9AsWlbB9yA8nAm1z4wWHHFqZS2duu28ow= - =WqHP - -----END PGP MESSAGE----- - fp: 3D70F61E07F64EC4E4EF417BEFCD9D20F58784EF - unencrypted_suffix: _unencrypted - version: 3.8.1 diff --git a/config/hosts/netbox/sops.nix b/config/hosts/netbox/sops.nix deleted file mode 100644 index b4548edb..00000000 --- a/config/hosts/netbox/sops.nix +++ /dev/null @@ -1,7 +0,0 @@ -{ ... }: - -{ - sops = { - defaultSopsFile = ./secrets.yaml; - }; -} diff --git a/deployment_configuration.json b/deployment_configuration.json index 20b9f00b..6ac52544 100644 --- a/deployment_configuration.json +++ b/deployment_configuration.json @@ -3,9 +3,6 @@ "targetUser": "colmena-deploy" }, "hosts": { - "netbox": { - "targetHostname": "netbox-intern.hamburg.ccc.de" - }, "matrix": { "targetHostname": "matrix-intern.hamburg.ccc.de" }, diff --git a/flake.nix b/flake.nix index 347294b0..7c7cfe02 100644 --- a/flake.nix +++ b/flake.nix @@ -40,13 +40,6 @@ proxmox-vm = ./config/proxmox-vm; prometheus-exporter = ./config/extra/prometheus-exporter.nix; }; - overlays = { - netbox41OIDCMappingOverlay = final: prev: { - netbox_4_1 = prev.netbox_4_1.overrideAttrs (finalAttr: previousAttr: { - patches = previousAttr.patches ++ [ ./patches/0001_oidc_group_and_role_mapping_custom_pipeline.patch ]; - }); - }; - }; nixosConfigurations = { audio-hauptraum-kueche = nixpkgs.lib.nixosSystem { inherit system specialArgs; 
@@ -84,18 +77,6 @@ ]; }; - netbox = nixpkgs.lib.nixosSystem { - inherit system specialArgs; - modules = [ - self.nixosModules.common - self.nixosModules.proxmox-vm - sops-nix.nixosModules.sops - self.nixosModules.prometheus-exporter - ./config/hosts/netbox - { nixpkgs.overlays = [ self.overlays.netbox41OIDCMappingOverlay ]; } - ]; - }; - matrix = nixpkgs.lib.nixosSystem { inherit system specialArgs; modules = [ diff --git a/patches/0001_oidc_group_and_role_mapping_custom_pipeline.patch b/patches/0001_oidc_group_and_role_mapping_custom_pipeline.patch deleted file mode 100644 index 89f805a7..00000000 --- a/patches/0001_oidc_group_and_role_mapping_custom_pipeline.patch +++ /dev/null 
@@ -1,61 +0,0 @@ -diff --git a/netbox/netbox/custom_pipeline.py b/netbox/netbox/custom_pipeline.py -new file mode 100644 -index 000000000..470f388dc ---- /dev/null -+++ b/netbox/netbox/custom_pipeline.py -@@ -0,0 +1,55 @@ -+# Licensed under Creative Commons: CC BY-SA 4.0 license. -+# https://github.com/goauthentik/authentik/blob/main/LICENSE -+# https://github.com/goauthentik/authentik/blob/main/website/integrations/services/netbox/index.md -+# https://docs.goauthentik.io/integrations/services/netbox/ -+from netbox.authentication import Group -+ -+class AuthFailed(Exception): -+ pass -+ -+def add_groups(response, user, backend, *args, **kwargs): -+ try: -+ groups = response['groups'] -+ except KeyError: -+ pass -+ -+ # Add all groups from oAuth token -+ for group in groups: -+ group, created = Group.objects.get_or_create(name=group) -+ user.groups.add(group) -+ -+def remove_groups(response, user, backend, *args, **kwargs): -+ try: -+ groups = response['groups'] -+ except KeyError: -+ # Remove all groups if no groups in oAuth token -+ user.groups.clear() -+ pass -+ -+ # Get all groups of user -+ user_groups = [item.name for item in user.groups.all()] -+ # Get groups of user which are not part of oAuth token -+ delete_groups = list(set(user_groups) - set(groups)) -+ -+ # Delete non oAuth token groups -+ for delete_group in delete_groups: -+ group = Group.objects.get(name=delete_group) -+ user.groups.remove(group) -+ -+ -+def set_roles(response, user, backend, *args, **kwargs): -+ # Remove Roles temporary -+ user.is_superuser = False -+ user.is_staff = False -+ try: -+ groups = response['groups'] -+ except KeyError: -+ # When no groups are set -+ # save the user without Roles -+ user.save() -+ pass -+ -+ # Set roles is role (superuser or staff) is in groups -+ user.is_superuser = True if 'superusers' in groups else False -+ user.is_staff = True if 'staff' in groups else False -+ user.save() From 02328a8ba8d00b5e97b192475fe99c3a85f22c5c Mon Sep 17 00:00:00 2001 
From: June Date: Tue, 18 Feb 2025 00:03:14 +0100 Subject: [PATCH 144/170] eh22-wiki: remove leftover deployment configuration --- deployment_configuration.json | 3 --- 1 file changed, 3 deletions(-) diff --git a/deployment_configuration.json b/deployment_configuration.json index 6ac52544..cc2fb6de 100644 --- a/deployment_configuration.json +++ b/deployment_configuration.json @@ -15,9 +15,6 @@ "forgejo-actions-runner": { "targetHostname": "forgejo-actions-runner-intern.hamburg.ccc.de" }, - "eh22-wiki": { - "targetHostname": "eh22-wiki-intern.hamburg.ccc.de" - }, "nix-box-june": { "targetHostname": "nix-box-june-intern.hamburg.ccc.de" }, From fd2414ec91a2acc7823158976499004ce744547e Mon Sep 17 00:00:00 2001 From: June Date: Tue, 18 Feb 2025 00:04:58 +0100 Subject: [PATCH 145/170] nix-box-june: remove nix-box-june as its being decommissioned nix-infra is built back in general, so remove nix-box-june as well. --- config/hosts/nix-box-june/configuration.nix | 7 --- config/hosts/nix-box-june/default.nix | 10 ---- .../hosts/nix-box-june/emulated-systems.nix | 5 -- config/hosts/nix-box-june/networking.nix | 22 ------- config/hosts/nix-box-june/users.nix | 59 ------------------- deployment_configuration.json | 3 - flake.nix | 10 ---- 7 files changed, 116 deletions(-) delete mode 100644 config/hosts/nix-box-june/configuration.nix delete mode 100644 config/hosts/nix-box-june/default.nix delete mode 100644 config/hosts/nix-box-june/emulated-systems.nix delete mode 100644 config/hosts/nix-box-june/networking.nix delete mode 100644 config/hosts/nix-box-june/users.nix diff --git a/config/hosts/nix-box-june/configuration.nix b/config/hosts/nix-box-june/configuration.nix deleted file mode 100644 index 7dddcc1b..00000000 --- a/config/hosts/nix-box-june/configuration.nix +++ /dev/null @@ -1,7 +0,0 @@ -{ config, pkgs, ... }: - -{ - networking.hostName = "nix-box-june"; - - system.stateVersion = "23.11"; -} 
diff --git a/config/hosts/nix-box-june/default.nix b/config/hosts/nix-box-june/default.nix deleted file mode 100644 index 489fd67f..00000000 --- a/config/hosts/nix-box-june/default.nix +++ /dev/null @@ -1,10 +0,0 @@ -{ config, pkgs, ... }: - -{ - imports = [ - ./configuration.nix - ./emulated-systems.nix - ./networking.nix - ./users.nix - ]; -} diff --git a/config/hosts/nix-box-june/emulated-systems.nix b/config/hosts/nix-box-june/emulated-systems.nix deleted file mode 100644 index b6065ddf..00000000 --- a/config/hosts/nix-box-june/emulated-systems.nix +++ /dev/null @@ -1,5 +0,0 @@ -{ config, pkgs, ... }: - -{ - boot.binfmt.emulatedSystems = [ "aarch64-linux" ]; -} diff --git a/config/hosts/nix-box-june/networking.nix b/config/hosts/nix-box-june/networking.nix deleted file mode 100644 index 2c1faee0..00000000 --- a/config/hosts/nix-box-june/networking.nix +++ /dev/null @@ -1,22 +0,0 @@ -{ ... }: - -{ - networking = { - interfaces.net0 = { - ipv4.addresses = [ - { - address = "172.31.17.158"; - prefixLength = 25; - } - ]; - }; - defaultGateway = "172.31.17.129"; - nameservers = [ "212.12.50.158" "192.76.134.90" ]; - search = [ "hamburg.ccc.de" ]; - }; - - systemd.network.links."10-net0" = { - matchConfig.MACAddress = "BC:24:11:6A:33:5F"; - linkConfig.Name = "net0"; - }; -} diff --git a/config/hosts/nix-box-june/users.nix b/config/hosts/nix-box-june/users.nix deleted file mode 100644 index dfb333e2..00000000 --- a/config/hosts/nix-box-june/users.nix +++ /dev/null 
@@ -1,59 +0,0 @@ -{ lib, ... }: - -{ - users.users = { - chaos.openssh.authorizedKeys.keys = lib.mkForce [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOqCxniUEAZAYqL5zbisFfYcQx+7iDRrMo4Pz4uWXq5b julian@01_id_ed25519" ]; - colmena-deploy.openssh.authorizedKeys.keys = lib.mkForce [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOqCxniUEAZAYqL5zbisFfYcQx+7iDRrMo4Pz4uWXq5b julian@01_id_ed25519" ]; - - djerun = { - isNormalUser = true; - openssh.authorizedKeys.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGWXk9N9GoDyvaB0mnX448IvzKKsMv0eFZKvjqmsJ3In djerun@chaos.ferrum.local" - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINQsu6WSAXsF45wGmw2spQUWopsgioUuFI8hKLBW/WVk djerun@chaos-noc.ferrum.local" - ]; - }; - june = { - isNormalUser = true; - openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOqCxniUEAZAYqL5zbisFfYcQx+7iDRrMo4Pz4uWXq5b julian@01_id_ed25519" ]; - }; - jtbx = { - isNormalUser = true; - openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIBQgnQAq6FUSDK8bxtYPjx3oRCAKG+xy9J3Gas2ztJk jannik@Magrathea.local" ]; - }; - dario = { - isNormalUser = true; - openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPZtJwNPEIfNsAxBfWgxAeoKX1ajORPvs6L5S+qipJ7J dario@ccchh" ]; - }; - yuri = { - isNormalUser = true; - openssh.authorizedKeys.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDdk3FLQRoCWxdOxg4kHcPqAu3QQOs/rY9na2Al2ilGl yuri@violet" - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJEvM35w+UaSpDTuaG5pGPgfHcfwscr+wSZN9Z5Jle82 yuri@kiara" - ]; - }; - max = { - isNormalUser = true; - openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINHNGDzZqmiFUH75oq1npZTyxV0B7eSJES/29UJxTXBc max@iridium" ]; - }; - haegar = { - isNormalUser = true; - openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMhWTkvLI/rp6eyTemuFZRbt2xxRtal7fu668nnb/ekU haegar@aurora" ]; - }; - stb = { - isNormalUser = true; - openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEgVuX9phyXImxqvof+49UXhiSQ+VGizeU4LrPcZY1Hy 
stb@lassitu.de 20230418" ]; - }; - hansenerd = { - isNormalUser = true; - openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBxujzHK49IBtYKPgnTCDQEiIxgzzlQ846tmU+6TcMIi hansenerd" ]; - }; - echtnurich = { - isNormalUser = true; - openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOWWxkGFje1CJbZTB2Kv8hxZpvRR8qyw2IarRIHnQj3+ echtnurich" ]; - }; - c6ristian = { - isNormalUser = true; - openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOgfWcCrsVSXvYEssbfMOy2DnfkGSx+ZRnPLtjVNSxbf c6ristian" ]; - }; - }; -} diff --git a/deployment_configuration.json b/deployment_configuration.json index cc2fb6de..9c2f99ac 100644 --- a/deployment_configuration.json +++ b/deployment_configuration.json @@ -15,9 +15,6 @@ "forgejo-actions-runner": { "targetHostname": "forgejo-actions-runner-intern.hamburg.ccc.de" }, - "nix-box-june": { - "targetHostname": "nix-box-june-intern.hamburg.ccc.de" - }, "mjolnir": { "targetHostname": "mjolnir-intern.hamburg.ccc.de" }, diff --git a/flake.nix b/flake.nix index 7c7cfe02..d7bda34b 100644 --- a/flake.nix +++ b/flake.nix @@ -130,16 +130,6 @@ ]; }; - nix-box-june = nixpkgs.lib.nixosSystem { - inherit system specialArgs; - modules = [ - self.nixosModules.common - self.nixosModules.proxmox-vm - self.nixosModules.prometheus-exporter - ./config/hosts/nix-box-june - ]; - }; - yate = nixpkgs.lib.nixosSystem { inherit system specialArgs; modules = [ From dabaf18dc32ccc3322c0e836543f81857caa0a44 Mon Sep 17 00:00:00 2001 
From: June Date: Tue, 18 Feb 2025 02:52:22 +0100 Subject: [PATCH 146/170] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'authorizedKeysRepo': 'https://git.hamburg.ccc.de/api/v1/repos/CCCHH/infrastructure-authorized-keys/archive/686a6af22f6696f0c0595c56f463c078550049fc.tar.gz?narHash=sha256-plTYjM6zPzoBE/dp6EUrk9mCqmab278p8FqBCTX8Grc%3D&rev=686a6af22f6696f0c0595c56f463c078550049fc' (2024-11-10) → 'https://git.hamburg.ccc.de/api/v1/repos/CCCHH/infrastructure-authorized-keys/archive/686a6af22f6696f0c0595c56f463c078550049fc.tar.gz?narHash=sha256-plTYjM6zPzoBE/dp6EUrk9mCqmab278p8FqBCTX8Grc%3D' (2024-11-10) • Updated input 'nixpkgs': 'github:nixos/nixpkgs/11e2214d91f0d06ea8575087e3cd8e246c550bd8?narHash=sha256-L9CwNfoGcvAUpPu6DSkhpdT4tczeWREJWj7ah0Q/qTE%3D' (2025-02-04) → 'github:nixos/nixpkgs/c618e28f70257593de75a7044438efc1c1fc0791?narHash=sha256-uq6A2L7o1/tR6VfmYhZWoVAwb3gTy7j4Jx30MIrH0rE%3D' (2025-02-17) • Updated input 'sops-nix': 'github:Mic92/sops-nix/4c1251904d8a08c86ac6bc0d72cc09975e89aef7?narHash=sha256-wkwYJc8cKmmQWUloyS9KwttBnja2ONRuJQDEsmef320%3D' (2025-01-31) → 'github:Mic92/sops-nix/07af005bb7d60c7f118d9d9f5530485da5d1e975?narHash=sha256-7JAGezJ0Dn5qIyA2%2BT4Dt/xQgAbhCglh6lzCekTVMeU%3D' (2025-02-11) --- flake.lock | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/flake.lock b/flake.lock index 7f1207b2..d6bc2dc2 100644 --- a/flake.lock +++ b/flake.lock 
@@ -7,7 +7,7 @@ "narHash": "sha256-plTYjM6zPzoBE/dp6EUrk9mCqmab278p8FqBCTX8Grc=", "rev": "686a6af22f6696f0c0595c56f463c078550049fc", "type": "tarball", - "url": "https://git.hamburg.ccc.de/api/v1/repos/CCCHH/infrastructure-authorized-keys/archive/686a6af22f6696f0c0595c56f463c078550049fc.tar.gz?rev=686a6af22f6696f0c0595c56f463c078550049fc" + "url": "https://git.hamburg.ccc.de/api/v1/repos/CCCHH/infrastructure-authorized-keys/archive/686a6af22f6696f0c0595c56f463c078550049fc.tar.gz" }, "original": { "type": "tarball", @@ -66,11 +66,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1738663689, - "narHash": "sha256-L9CwNfoGcvAUpPu6DSkhpdT4tczeWREJWj7ah0Q/qTE=", + "lastModified": 1739758141, + "narHash": "sha256-uq6A2L7o1/tR6VfmYhZWoVAwb3gTy7j4Jx30MIrH0rE=", "owner": "nixos", "repo": "nixpkgs", - "rev": "11e2214d91f0d06ea8575087e3cd8e246c550bd8", + "rev": "c618e28f70257593de75a7044438efc1c1fc0791", "type": "github" }, "original": { @@ -95,11 +95,11 @@ ] }, "locked": { - "lastModified": 1738291974, - "narHash": "sha256-wkwYJc8cKmmQWUloyS9KwttBnja2ONRuJQDEsmef320=", + "lastModified": 1739262228, + "narHash": "sha256-7JAGezJ0Dn5qIyA2+T4Dt/xQgAbhCglh6lzCekTVMeU=", "owner": "Mic92", "repo": "sops-nix", - "rev": "4c1251904d8a08c86ac6bc0d72cc09975e89aef7", + "rev": "07af005bb7d60c7f118d9d9f5530485da5d1e975", "type": "github" }, "original": { From 7c13dd1e35618b860a122c078462d03df005ec6a Mon Sep 17 00:00:00 2001 From: June Date: Wed, 19 Feb 2025 21:56:23 +0100 Subject: [PATCH 147/170] git: disable internal login, to force login via SSO --- config/hosts/git/forgejo.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/config/hosts/git/forgejo.nix b/config/hosts/git/forgejo.nix index 85b13e6d..89f83c93 100644 --- a/config/hosts/git/forgejo.nix +++ b/config/hosts/git/forgejo.nix 
@@ -49,6 +49,7 @@
};
service = {
ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
+ ENABLE_INTERNAL_SIGNIN = false;
DEFAULT_USER_VISIBILITY = "limited";
DEFAULT_KEEP_EMAIL_PRIVATE = true;
ENABLE_BASIC_AUTHENTICATION = false;
From 535cc518dada1e5c7a3b2ac0aa73d595db0b0ccd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Matthias=20K=C3=BChlke?= Date: Fri, 28 Feb 2025 23:25:59 +0100 Subject: [PATCH 148/170] MQTT: Make cats accessible from winkekatze24.de
--- config/hosts/mqtt/mosquitto.nix | 1 + 1 file changed, 1 insertion(+)
diff --git a/config/hosts/mqtt/mosquitto.nix b/config/hosts/mqtt/mosquitto.nix
index d093bd8a..9bc02b01 100644
--- a/config/hosts/mqtt/mosquitto.nix
+++ b/config/hosts/mqtt/mosquitto.nix
@@ -23,6 +23,7 @@
topics = [
"winkekatze/allcats/eye/set in 2"
"winkekatze/allcats in 2"
+ "+/command in 2 winkekatze/ \"\""
"+/status out 2 winkekatze/ \"\""
"+/connected out 2 winkekatze/ \"\""
];
From 3fc170389d73312e1ff5477e237a64646d6b2182 Mon Sep 17 00:00:00 2001 From: c6ristian Date: Sun, 2 Mar 2025 22:00:19 +0100 Subject: [PATCH 149/170] Update to new IPv6 prefix
--- config/hosts/esphome/networking.nix | 6 +++--- config/hosts/status/networking.nix | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/config/hosts/esphome/networking.nix b/config/hosts/esphome/networking.nix
index a2c64d32..32c38f24 100644
--- a/config/hosts/esphome/networking.nix
+++ b/config/hosts/esphome/networking.nix
@@ -11,14 +11,14 @@
];
ipv6.addresses = [
{
- address = "2a07:c480:0:1d0::66";
+ address = "2a07:c481:1:2::66";
prefixLength = 64;
}
];
};
defaultGateway = "10.31.208.1";
- defaultGateway6 = "2a07:c480:0:1d0::1";
- nameservers = [ "10.31.208.1" "2a07:c480:0:1d0::1" ];
+ defaultGateway6 = "2a07:c481:1:2::66";
+ nameservers = [ "10.31.208.1" "2a07:c481:1:2::66" ];
search = [ "z9.ccchh.net" ];
};
diff --git a/config/hosts/status/networking.nix b/config/hosts/status/networking.nix
index e7f1932e..0a16795e 100644
--- a/config/hosts/status/networking.nix
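Review bot: Nothing in the hunk records why `ENABLE_INTERNAL_SIGNIN = false;` is added beside the existing `ENABLE_BASIC_AUTHENTICATION = false;`, nor what the operators' fallback is once every interactive login depends on the external SSO provider. A comment above the new line would carry that, e.g. `# Internal sign-in is disabled so all logins go through SSO; keep an out-of-band admin recovery path on the host in case the IdP is unavailable.` The `service = {` attribute set continues beyond the hunk.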
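Review bot: The new `"+/command in 2 winkekatze/ \"\""` entry is the first inbound (`in`) mapping with a wildcard: if I read the bridge topic syntax right, anything published as `<x>/command` on the remote broker is re-published locally as `winkekatze/<x>/command`, so the remote broker becomes a control path to every local device, whereas the neighbouring `+/status` and `+/connected` entries only export state (`out`). The hunk gives no hint who may publish on the remote side; a comment such as `# inbound: publishers on the remote broker can command every local cat` plus a check that the local ACL for `winkekatze/+/command` reflects that trust would make the exposure explicit. The enclosing bridge definition starts before the hunk.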
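Review bot: The new `defaultGateway6 = "2a07:c481:1:2::66";` and the v6 entry in `nameservers` are the host's own address (`address = "2a07:c481:1:2::66"` a few lines up), so the esphome host would point its default route and DNS at itself. The previous prefix and the status host changed in the same commit both use `::1` for gateway and resolver, so the intended values are presumably `defaultGateway6 = "2a07:c481:1:2::1";` and `nameservers = [ "10.31.208.1" "2a07:c481:1:2::1" ];`. The enclosing `networking` attribute set starts before the hunk.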
+++ b/config/hosts/status/networking.nix @@ -11,14 +11,14 @@ ]; ipv6.addresses = [ { - address = "2a07:c480:0:1ce::f"; + address = "2a07:c481:1:1::a"; prefixLength = 64; } ]; }; defaultGateway = "10.31.206.1"; - defaultGateway6 = "2a07:c480:0:1ce::1"; - nameservers = [ "10.31.206.1" "2a07:c480:0:1ce::1" ]; + defaultGateway6 = "2a07:c481:1:1::1"; + nameservers = [ "10.31.206.1" "2a07:c481:1:1::1" ]; search = [ "z9.ccchh.net" ]; }; From be351c6ded795a0ea819d80d548fdab1005e62ce Mon Sep 17 00:00:00 2001 From: c6ristian Date: Fri, 14 Mar 2025 20:25:19 +0100 Subject: [PATCH 150/170] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'authorizedKeysRepo': 'https://git.hamburg.ccc.de/api/v1/repos/CCCHH/infrastructure-authorized-keys/archive/686a6af22f6696f0c0595c56f463c078550049fc.tar.gz?narHash=sha256-plTYjM6zPzoBE/dp6EUrk9mCqmab278p8FqBCTX8Grc%3D' (2024-11-10) → 'https://git.hamburg.ccc.de/api/v1/repos/CCCHH/infrastructure-authorized-keys/archive/686a6af22f6696f0c0595c56f463c078550049fc.tar.gz?narHash=sha256-plTYjM6zPzoBE/dp6EUrk9mCqmab278p8FqBCTX8Grc%3D&rev=686a6af22f6696f0c0595c56f463c078550049fc' (2024-11-10) • Updated input 'nixos-generators': 'github:nix-community/nixos-generators/d002ce9b6e7eb467cd1c6bb9aef9c35d191b5453' (2025-01-16) → 'github:nix-community/nixos-generators/507911df8c35939050ae324caccc7cf4ffb76565' (2025-03-02) • Updated input 'nixpkgs': 'github:nixos/nixpkgs/c618e28f70257593de75a7044438efc1c1fc0791' (2025-02-17) → 'github:nixos/nixpkgs/68612419aa6c9fd5b178b81e6fabbdf46d300ea4' (2025-03-14) • Updated input 'sops-nix': 'github:Mic92/sops-nix/07af005bb7d60c7f118d9d9f5530485da5d1e975' (2025-02-11) → 'github:Mic92/sops-nix/d016ce0365b87d848a57c12ffcfdc71da7a2b55f' (2025-03-13) --- flake.lock | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/flake.lock b/flake.lock index d6bc2dc2..ef7bc8da 100644 --- a/flake.lock 
+++ b/flake.lock @@ -7,7 +7,7 @@ "narHash": "sha256-plTYjM6zPzoBE/dp6EUrk9mCqmab278p8FqBCTX8Grc=", "rev": "686a6af22f6696f0c0595c56f463c078550049fc", "type": "tarball", - "url": "https://git.hamburg.ccc.de/api/v1/repos/CCCHH/infrastructure-authorized-keys/archive/686a6af22f6696f0c0595c56f463c078550049fc.tar.gz" + "url": "https://git.hamburg.ccc.de/api/v1/repos/CCCHH/infrastructure-authorized-keys/archive/686a6af22f6696f0c0595c56f463c078550049fc.tar.gz?rev=686a6af22f6696f0c0595c56f463c078550049fc" }, "original": { "type": "tarball", @@ -35,11 +35,11 @@ "nixpkgs": "nixpkgs" }, "locked": { - "lastModified": 1737057290, - "narHash": "sha256-3Pe0yKlCc7EOeq1X/aJVDH0CtNL+tIBm49vpepwL1MQ=", + "lastModified": 1740947705, + "narHash": "sha256-Co2kAD2SZalOm+5zoxmzEVZNvZ17TyafuFsD46BwSdY=", "owner": "nix-community", "repo": "nixos-generators", - "rev": "d002ce9b6e7eb467cd1c6bb9aef9c35d191b5453", + "rev": "507911df8c35939050ae324caccc7cf4ffb76565", "type": "github" }, "original": { @@ -66,11 +66,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1739758141, - "narHash": "sha256-uq6A2L7o1/tR6VfmYhZWoVAwb3gTy7j4Jx30MIrH0rE=", + "lastModified": 1741969460, + "narHash": "sha256-SCNxTTBfMJV7XuTcLUfdAd6cgCGsazzi+DoPrceQrZ0=", "owner": "nixos", "repo": "nixpkgs", - "rev": "c618e28f70257593de75a7044438efc1c1fc0791", + "rev": "68612419aa6c9fd5b178b81e6fabbdf46d300ea4", "type": "github" }, "original": { @@ -95,11 +95,11 @@ ] }, "locked": { - "lastModified": 1739262228, - "narHash": "sha256-7JAGezJ0Dn5qIyA2+T4Dt/xQgAbhCglh6lzCekTVMeU=", + "lastModified": 1741861888, + "narHash": "sha256-ynOgXAyToeE1UdLNfrUn/hL7MN0OpIS2BtNdLjpjPf0=", "owner": "Mic92", "repo": "sops-nix", - "rev": "07af005bb7d60c7f118d9d9f5530485da5d1e975", + "rev": "d016ce0365b87d848a57c12ffcfdc71da7a2b55f", "type": "github" }, "original": { From 15f69c20a4514c3f4249613cd4ab0c819a6d7819 Mon Sep 17 00:00:00 2001 
From: c6ristian Date: Fri, 14 Mar 2025 20:33:29 +0100 Subject: [PATCH 151/170] bump element version --- .../virtualHosts/element.hamburg.ccc.de.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/config/hosts/public-web-static/virtualHosts/element.hamburg.ccc.de.nix b/config/hosts/public-web-static/virtualHosts/element.hamburg.ccc.de.nix index 1836f259..3c859543 100644 --- a/config/hosts/public-web-static/virtualHosts/element.hamburg.ccc.de.nix +++ b/config/hosts/public-web-static/virtualHosts/element.hamburg.ccc.de.nix @@ -1,10 +1,10 @@ { pkgs, ... }: let - elementWebVersion = "1.11.84"; + elementWebVersion = "1.11.95"; element-web = pkgs.fetchzip { - url = "https://github.com/vector-im/element-web/releases/download/v${elementWebVersion}/element-v${elementWebVersion}.tar.gz"; - sha256 = "sha256-z2qaKKyUq2S/r3xUUU3ym0FgFbiQr6bcltuKvUMPbH4="; + url = "https://github.com/element-hq/element-web/releases/download/v${elementWebVersion}/element-v${elementWebVersion}.tar.gz"; + sha256 = "sha256-Bs1oYfJ5xXNpQJL92U0/3s979DKfdSZsBo5febp4QGc="; }; elementSecurityHeaders = '' # Configuration best practices From 341d839265a7d26cb90ce61a8354831d23a6de4e Mon Sep 17 00:00:00 2001 
From: c6ristian Date: Mon, 14 Apr 2025 20:47:51 +0200 Subject: [PATCH 152/170] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nixos-generators': 'github:nix-community/nixos-generators/507911df8c35939050ae324caccc7cf4ffb76565' (2025-03-02) → 'github:nix-community/nixos-generators/42ee229088490e3777ed7d1162cb9e9d8c3dbb11' (2025-03-21) • Updated input 'nixpkgs': 'github:nixos/nixpkgs/68612419aa6c9fd5b178b81e6fabbdf46d300ea4' (2025-03-14) → 'github:nixos/nixpkgs/260f6989b03d130d64d521445892dd47f8ea545a' (2025-04-13) • Updated input 'sops-nix': 'github:Mic92/sops-nix/d016ce0365b87d848a57c12ffcfdc71da7a2b55f' (2025-03-13) → 'github:Mic92/sops-nix/7e147a1ae90f0d4a374938cdc3df3cdaecb9d388' (2025-04-13) --- flake.lock | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/flake.lock b/flake.lock index ef7bc8da..214f5899 100644 --- a/flake.lock +++ b/flake.lock @@ -35,11 +35,11 @@ "nixpkgs": "nixpkgs" }, "locked": { - "lastModified": 1740947705, - "narHash": "sha256-Co2kAD2SZalOm+5zoxmzEVZNvZ17TyafuFsD46BwSdY=", + "lastModified": 1742568034, + "narHash": "sha256-QaMEhcnscfF2MqB7flZr+sLJMMYZPnvqO4NYf9B4G38=", "owner": "nix-community", "repo": "nixos-generators", - "rev": "507911df8c35939050ae324caccc7cf4ffb76565", + "rev": "42ee229088490e3777ed7d1162cb9e9d8c3dbb11", "type": "github" }, "original": { @@ -66,11 +66,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1741969460, - "narHash": "sha256-SCNxTTBfMJV7XuTcLUfdAd6cgCGsazzi+DoPrceQrZ0=", + "lastModified": 1744568866, + "narHash": "sha256-9I7fRg0vp1oGagbkUszgP6zPjG18qY1HQtdvkJwp5Jo=", "owner": "nixos", "repo": "nixpkgs", - "rev": "68612419aa6c9fd5b178b81e6fabbdf46d300ea4", + "rev": "260f6989b03d130d64d521445892dd47f8ea545a", "type": "github" }, "original": { 
@@ -95,11 +95,11 @@ ] }, "locked": { - "lastModified": 1741861888, - "narHash": "sha256-ynOgXAyToeE1UdLNfrUn/hL7MN0OpIS2BtNdLjpjPf0=", + "lastModified": 1744518500, + "narHash": "sha256-lv52pnfiRGp5+xkZEgWr56DWiRgkMFXpiGba3eJ3krE=", "owner": "Mic92", "repo": "sops-nix", - "rev": "d016ce0365b87d848a57c12ffcfdc71da7a2b55f", + "rev": "7e147a1ae90f0d4a374938cdc3df3cdaecb9d388", "type": "github" }, "original": { From e61fbec5efd76e393f5b06c24c3ab1bfadf33759 Mon Sep 17 00:00:00 2001 From: c6ristian Date: Mon, 14 Apr 2025 21:28:59 +0200 Subject: [PATCH 153/170] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nixpkgs': 'github:nixos/nixpkgs/260f6989b03d130d64d521445892dd47f8ea545a' (2025-04-13) → 'github:nixos/nixpkgs/26d499fc9f1d567283d5d56fcf367edd815dba1d' (2025-04-12) --- flake.lock | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/flake.lock b/flake.lock index 214f5899..3e957bb8 100644 --- a/flake.lock +++ b/flake.lock @@ -66,16 +66,16 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1744568866, - "narHash": "sha256-9I7fRg0vp1oGagbkUszgP6zPjG18qY1HQtdvkJwp5Jo=", + "lastModified": 1744440957, + "narHash": "sha256-FHlSkNqFmPxPJvy+6fNLaNeWnF1lZSgqVCl/eWaJRc4=", "owner": "nixos", "repo": "nixpkgs", - "rev": "260f6989b03d130d64d521445892dd47f8ea545a", + "rev": "26d499fc9f1d567283d5d56fcf367edd815dba1d", "type": "github" }, "original": { "owner": "nixos", - "ref": "nixos-24.11-small", + "ref": "nixos-24.11", "repo": "nixpkgs", "type": "github" } From aee3f4b385a7e955268e9585f95b0e750ee00c88 Mon Sep 17 00:00:00 2001 From: c6ristian Date: Sat, 19 Apr 2025 15:01:59 +0200 Subject: [PATCH 154/170] c3cat fix --- config/hosts/public-web-static/virtualHosts/c3cat.de.nix | 8 ++++++++ flake.lock | 6 +++--- flake.nix | 2 +- 3 files changed, 12 insertions(+), 4 deletions(-) 
diff --git a/config/hosts/public-web-static/virtualHosts/c3cat.de.nix b/config/hosts/public-web-static/virtualHosts/c3cat.de.nix index 91d3a40f..ff59fabf 100644 --- a/config/hosts/public-web-static/virtualHosts/c3cat.de.nix +++ b/config/hosts/public-web-static/virtualHosts/c3cat.de.nix @@ -40,6 +40,10 @@ in { return = "302 https://c3cat.de$request_uri"; }; + locations."/manuals/eh22-rgb-ears" = { + return = "307 https://www.c3cat.de/rgb-ears.html"; + }; + extraConfig = '' # Make use of the ngx_http_realip_module to set the $remote_addr and # $remote_port to the client address and client port, when using proxy @@ -67,6 +71,10 @@ in { root = "${dataDir}"; + locations."/manuals/eh22-rgb-ears" = { + return = "307 https://c3cat.de/rgb-ears.html"; + }; + extraConfig = '' # Make use of the ngx_http_realip_module to set the $remote_addr and # $remote_port to the client address and client port, when using proxy diff --git a/flake.lock b/flake.lock index 3e957bb8..00e5e12b 100644 --- a/flake.lock +++ b/flake.lock @@ -95,11 +95,11 @@ ] }, "locked": { - "lastModified": 1744518500, - "narHash": "sha256-lv52pnfiRGp5+xkZEgWr56DWiRgkMFXpiGba3eJ3krE=", + "lastModified": 1744669848, + "narHash": "sha256-pXyanHLUzLNd3MX9vsWG+6Z2hTU8niyphWstYEP3/GU=", "owner": "Mic92", "repo": "sops-nix", - "rev": "7e147a1ae90f0d4a374938cdc3df3cdaecb9d388", + "rev": "61154300d945f0b147b30d24ddcafa159148026a", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index d7bda34b..2c343739 100644 --- a/flake.nix +++ b/flake.nix @@ -5,7 +5,7 @@ # Use the NixOS small channels for nixpkgs. # https://nixos.org/manual/nixos/stable/#sec-upgrading # https://github.com/NixOS/nixpkgs - nixpkgs.url = "github:nixos/nixpkgs/nixos-24.11-small"; + nixpkgs.url = "github:nixos/nixpkgs/nixos-24.11"; # Add nixos-generators as an input. # See here: https://github.com/nix-community/nixos-generators#using-in-a-flake From 2c3b7854891e6e940c7eacfc83e5a759aa368af3 Mon Sep 17 00:00:00 2001 
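Review bot: The two new `locations."/manuals/eh22-rgb-ears"` blocks redirect to different hosts — `https://www.c3cat.de/rgb-ears.html` in the first server block and `https://c3cat.de/rgb-ears.html` in the second (hunk `@@ -67,6 +71,10 @@`). The redirect just above the first one already sends requests to `https://c3cat.de$request_uri`, so the `www.` target most likely costs visitors an extra redirect before landing on the same page; unless the www host is meant to serve that file itself, pointing both at `https://c3cat.de/rgb-ears.html` would be consistent. The duplicated location could also be bound once in the file's `let` block so the two server blocks cannot drift apart again. Both enclosing virtualHost definitions start before their hunks.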
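Review bot: The context comment `# Use the NixOS small channels for nixpkgs.` directly above the changed `nixpkgs.url` is now wrong — `github:nixos/nixpkgs/nixos-24.11` is the regular, not the small, channel — and the same stale comment survives the later `flake.nix` hunks in patches 160 and 161 that move the URL to `nixos-25.05`. Changing it to `# Use the NixOS stable channel for nixpkgs.` keeps comment and value in step. The channel switch is also unrelated to the commit title "c3cat fix"; a separate commit or a sentence in the message would make the history easier to audit.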
From: June Date: Wed, 23 Apr 2025 19:04:21 +0200 Subject: [PATCH 155/170] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'authorizedKeysRepo': 'https://git.hamburg.ccc.de/api/v1/repos/CCCHH/infrastructure-authorized-keys/archive/686a6af22f6696f0c0595c56f463c078550049fc.tar.gz?narHash=sha256-plTYjM6zPzoBE/dp6EUrk9mCqmab278p8FqBCTX8Grc%3D&rev=686a6af22f6696f0c0595c56f463c078550049fc' (2024-11-10) → 'https://git.hamburg.ccc.de/api/v1/repos/CCCHH/infrastructure-authorized-keys/archive/686a6af22f6696f0c0595c56f463c078550049fc.tar.gz?narHash=sha256-plTYjM6zPzoBE/dp6EUrk9mCqmab278p8FqBCTX8Grc%3D' (2024-11-10) • Updated input 'nixpkgs': 'github:nixos/nixpkgs/26d499fc9f1d567283d5d56fcf367edd815dba1d?narHash=sha256-FHlSkNqFmPxPJvy%2B6fNLaNeWnF1lZSgqVCl/eWaJRc4%3D' (2025-04-12) → 'github:nixos/nixpkgs/9684b53175fc6c09581e94cc85f05ab77464c7e3?narHash=sha256-AQ7M9wTa/Pa/kK5pcGTgX/DGqMHyzsyINfN7ktsI7Fo%3D' (2025-04-21) • Updated input 'sops-nix': 'github:Mic92/sops-nix/61154300d945f0b147b30d24ddcafa159148026a?narHash=sha256-pXyanHLUzLNd3MX9vsWG%2B6Z2hTU8niyphWstYEP3/GU%3D' (2025-04-14) → 'github:Mic92/sops-nix/5e3e92b16d6fdf9923425a8d4df7496b2434f39c?narHash=sha256-ePyTpKEJTgX0gvgNQWd7tQYQ3glIkbqcW778RpHlqgA%3D' (2025-04-22) --- flake.lock | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/flake.lock b/flake.lock index 00e5e12b..75915127 100644 --- a/flake.lock +++ b/flake.lock 
@@ -7,7 +7,7 @@ "narHash": "sha256-plTYjM6zPzoBE/dp6EUrk9mCqmab278p8FqBCTX8Grc=", "rev": "686a6af22f6696f0c0595c56f463c078550049fc", "type": "tarball", - "url": "https://git.hamburg.ccc.de/api/v1/repos/CCCHH/infrastructure-authorized-keys/archive/686a6af22f6696f0c0595c56f463c078550049fc.tar.gz?rev=686a6af22f6696f0c0595c56f463c078550049fc" + "url": "https://git.hamburg.ccc.de/api/v1/repos/CCCHH/infrastructure-authorized-keys/archive/686a6af22f6696f0c0595c56f463c078550049fc.tar.gz" }, "original": { "type": "tarball", @@ -66,11 +66,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1744440957, - "narHash": "sha256-FHlSkNqFmPxPJvy+6fNLaNeWnF1lZSgqVCl/eWaJRc4=", + "lastModified": 1745279238, + "narHash": "sha256-AQ7M9wTa/Pa/kK5pcGTgX/DGqMHyzsyINfN7ktsI7Fo=", "owner": "nixos", "repo": "nixpkgs", - "rev": "26d499fc9f1d567283d5d56fcf367edd815dba1d", + "rev": "9684b53175fc6c09581e94cc85f05ab77464c7e3", "type": "github" }, "original": { @@ -95,11 +95,11 @@ ] }, "locked": { - "lastModified": 1744669848, - "narHash": "sha256-pXyanHLUzLNd3MX9vsWG+6Z2hTU8niyphWstYEP3/GU=", + "lastModified": 1745310711, + "narHash": "sha256-ePyTpKEJTgX0gvgNQWd7tQYQ3glIkbqcW778RpHlqgA=", "owner": "Mic92", "repo": "sops-nix", - "rev": "61154300d945f0b147b30d24ddcafa159148026a", + "rev": "5e3e92b16d6fdf9923425a8d4df7496b2434f39c", "type": "github" }, "original": { From 2395748e7a0ab46910c98d62e8297ad51bc628e9 Mon Sep 17 00:00:00 2001 From: June Date: Mon, 28 Apr 2025 20:50:42 +0200 Subject: [PATCH 156/170] esphome: set new v6 address --- config/hosts/esphome/networking.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/config/hosts/esphome/networking.nix b/config/hosts/esphome/networking.nix index 32c38f24..8a841126 100644 --- a/config/hosts/esphome/networking.nix +++ b/config/hosts/esphome/networking.nix 
@@ -11,14 +11,14 @@ ]; ipv6.addresses = [ { - address = "2a07:c481:1:2::66"; + address = "2a07:c481:1:d0::66"; prefixLength = 64; } ]; }; defaultGateway = "10.31.208.1"; - defaultGateway6 = "2a07:c481:1:2::66"; - nameservers = [ "10.31.208.1" "2a07:c481:1:2::66" ]; + defaultGateway6 = "2a07:c481:1:d0::1"; + nameservers = [ "10.31.208.1" "2a07:c481:1:d0::1" ]; search = [ "z9.ccchh.net" ]; }; From f2a174750777b40dc55803f0f06853b1472ab1ff Mon Sep 17 00:00:00 2001 From: June Date: Mon, 28 Apr 2025 21:46:00 +0200 Subject: [PATCH 157/170] status: set new v6 address --- config/hosts/status/networking.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/config/hosts/status/networking.nix b/config/hosts/status/networking.nix index 0a16795e..0bff4b5b 100644 --- a/config/hosts/status/networking.nix +++ b/config/hosts/status/networking.nix @@ -11,14 +11,14 @@ ]; ipv6.addresses = [ { - address = "2a07:c481:1:1::a"; + address = "2a07:c481:1:ce::a"; prefixLength = 64; } ]; }; defaultGateway = "10.31.206.1"; - defaultGateway6 = "2a07:c481:1:1::1"; - nameservers = [ "10.31.206.1" "2a07:c481:1:1::1" ]; + defaultGateway6 = "2a07:c481:1:ce::1"; + nameservers = [ "10.31.206.1" "2a07:c481:1:ce::1" ]; search = [ "z9.ccchh.net" ]; }; From 3803d6038e7d044a4ea50d72772e188e9f374318 Mon Sep 17 00:00:00 2001 
From: c6ristian Date: Tue, 20 May 2025 19:39:46 +0200 Subject: [PATCH 158/170] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'authorizedKeysRepo': 'https://git.hamburg.ccc.de/api/v1/repos/CCCHH/infrastructure-authorized-keys/archive/686a6af22f6696f0c0595c56f463c078550049fc.tar.gz?narHash=sha256-plTYjM6zPzoBE/dp6EUrk9mCqmab278p8FqBCTX8Grc%3D' (2024-11-10) → 'https://git.hamburg.ccc.de/api/v1/repos/CCCHH/infrastructure-authorized-keys/archive/fc95460e9e6ae759b2b08c93b10a8e010e9e14e6.tar.gz?narHash=sha256-GMU6gfG1%2B3OjTuoiIYQg9yefzrz%2BRVVesqXa8jmOuCE%3D&rev=fc95460e9e6ae759b2b08c93b10a8e010e9e14e6' (2025-04-28) • Updated input 'nixos-generators': 'github:nix-community/nixos-generators/42ee229088490e3777ed7d1162cb9e9d8c3dbb11' (2025-03-21) → 'github:nix-community/nixos-generators/ee07ba0d36c38e9915c55d2ac5a8fb0f05f2afcc' (2025-05-19) • Updated input 'nixpkgs': 'github:nixos/nixpkgs/9684b53175fc6c09581e94cc85f05ab77464c7e3' (2025-04-21) → 'github:nixos/nixpkgs/9b5ac7ad45298d58640540d0323ca217f32a6762' (2025-05-17) • Updated input 'sops-nix': 'github:Mic92/sops-nix/5e3e92b16d6fdf9923425a8d4df7496b2434f39c' (2025-04-22) → 'github:Mic92/sops-nix/8d215e1c981be3aa37e47aeabd4e61bb069548fd' (2025-05-18) --- flake.lock | 28 ++++++++++++++-------------- flake.nix | 2 +- 2 files changed, 15 insertions(+), 15 deletions(-) diff --git a/flake.lock b/flake.lock index 75915127..57a29def 100644 --- a/flake.lock +++ b/flake.lock 
@@ -3,15 +3,15 @@ "authorizedKeysRepo": { "flake": false, "locked": { - "lastModified": 1731276342, - "narHash": "sha256-plTYjM6zPzoBE/dp6EUrk9mCqmab278p8FqBCTX8Grc=", - "rev": "686a6af22f6696f0c0595c56f463c078550049fc", + "lastModified": 1745870473, + "narHash": "sha256-GMU6gfG1+3OjTuoiIYQg9yefzrz+RVVesqXa8jmOuCE=", + "rev": "fc95460e9e6ae759b2b08c93b10a8e010e9e14e6", "type": "tarball", - "url": "https://git.hamburg.ccc.de/api/v1/repos/CCCHH/infrastructure-authorized-keys/archive/686a6af22f6696f0c0595c56f463c078550049fc.tar.gz" + "url": "https://git.hamburg.ccc.de/api/v1/repos/CCCHH/infrastructure-authorized-keys/archive/fc95460e9e6ae759b2b08c93b10a8e010e9e14e6.tar.gz?rev=fc95460e9e6ae759b2b08c93b10a8e010e9e14e6" }, "original": { "type": "tarball", - "url": "https://git.hamburg.ccc.de/CCCHH/infrastructure-authorized-keys/archive/686a6af22f6696f0c0595c56f463c078550049fc.tar.gz" + "url": "https://git.hamburg.ccc.de/CCCHH/infrastructure-authorized-keys/archive/fc95460e9e6ae759b2b08c93b10a8e010e9e14e6.tar.gz" } }, "nixlib": { @@ -35,11 +35,11 @@ "nixpkgs": "nixpkgs" }, "locked": { - "lastModified": 1742568034, - "narHash": "sha256-QaMEhcnscfF2MqB7flZr+sLJMMYZPnvqO4NYf9B4G38=", + "lastModified": 1747663185, + "narHash": "sha256-Obh50J+O9jhUM/FgXtI3he/QRNiV9+J53+l+RlKSaAk=", "owner": "nix-community", "repo": "nixos-generators", - "rev": "42ee229088490e3777ed7d1162cb9e9d8c3dbb11", + "rev": "ee07ba0d36c38e9915c55d2ac5a8fb0f05f2afcc", "type": "github" }, "original": { @@ -66,11 +66,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1745279238, - "narHash": "sha256-AQ7M9wTa/Pa/kK5pcGTgX/DGqMHyzsyINfN7ktsI7Fo=", + "lastModified": 1747485343, + "narHash": "sha256-YbsZyuRE1tobO9sv0PUwg81QryYo3L1F3R3rF9bcG38=", "owner": "nixos", "repo": "nixpkgs", - "rev": "9684b53175fc6c09581e94cc85f05ab77464c7e3", + "rev": "9b5ac7ad45298d58640540d0323ca217f32a6762", "type": "github" }, "original": { 
@@ -95,11 +95,11 @@ ] }, "locked": { - "lastModified": 1745310711, - "narHash": "sha256-ePyTpKEJTgX0gvgNQWd7tQYQ3glIkbqcW778RpHlqgA=", + "lastModified": 1747603214, + "narHash": "sha256-lAblXm0VwifYCJ/ILPXJwlz0qNY07DDYdLD+9H+Wc8o=", "owner": "Mic92", "repo": "sops-nix", - "rev": "5e3e92b16d6fdf9923425a8d4df7496b2434f39c", + "rev": "8d215e1c981be3aa37e47aeabd4e61bb069548fd", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index 2c343739..a95ee8e7 100644 --- a/flake.nix +++ b/flake.nix @@ -22,7 +22,7 @@ }; authorizedKeysRepo = { - url = "https://git.hamburg.ccc.de/CCCHH/infrastructure-authorized-keys/archive/686a6af22f6696f0c0595c56f463c078550049fc.tar.gz"; + url = "https://git.hamburg.ccc.de/CCCHH/infrastructure-authorized-keys/archive/fc95460e9e6ae759b2b08c93b10a8e010e9e14e6.tar.gz"; flake = false; }; }; From bb9653657e59fb664d3f6f0807f8227f353843c7 Mon Sep 17 00:00:00 2001 From: c6ristian Date: Mon, 2 Jun 2025 19:43:15 +0200 Subject: [PATCH 159/170] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nixpkgs': 'github:nixos/nixpkgs/9b5ac7ad45298d58640540d0323ca217f32a6762' (2025-05-17) → 'github:nixos/nixpkgs/78add7b7abb61689e34fc23070a8f55e1d26185b' (2025-05-28) • Added input 'nixpkgs-25-05': 'github:nixos/nixpkgs/a59eb7800787c926045d51b70982ae285faa2346' (2025-05-31) --- flake.lock | 25 +++++++++++++++++++++---- 1 file changed, 21 insertions(+), 4 deletions(-) diff --git a/flake.lock b/flake.lock index 57a29def..c3f607b0 100644 --- a/flake.lock +++ b/flake.lock 
@@ -64,13 +64,29 @@ "type": "github" } }, - "nixpkgs_2": { + "nixpkgs-25-05": { "locked": { - "lastModified": 1747485343, - "narHash": "sha256-YbsZyuRE1tobO9sv0PUwg81QryYo3L1F3R3rF9bcG38=", + "lastModified": 1748708770, + "narHash": "sha256-q8jG2HJWgooWa9H0iatZqBPF3bp0504e05MevFmnFLY=", "owner": "nixos", "repo": "nixpkgs", - "rev": "9b5ac7ad45298d58640540d0323ca217f32a6762", + "rev": "a59eb7800787c926045d51b70982ae285faa2346", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-25.05", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_2": { + "locked": { + "lastModified": 1748421225, + "narHash": "sha256-XXILOc80tvlvEQgYpYFnze8MkQQmp3eQxFbTzb3m/R0=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "78add7b7abb61689e34fc23070a8f55e1d26185b", "type": "github" }, "original": { @@ -85,6 +101,7 @@ "authorizedKeysRepo": "authorizedKeysRepo", "nixos-generators": "nixos-generators", "nixpkgs": "nixpkgs_2", + "nixpkgs-25-05": "nixpkgs-25-05", "sops-nix": "sops-nix" } }, From 8440b4e1ea3b8a1f6b2292e74c410ca1c5411bba Mon Sep 17 00:00:00 2001 From: c6ristian Date: Mon, 2 Jun 2025 19:45:08 +0200 Subject: [PATCH 160/170] woodpecker nixos25.05 --- flake.nix | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/flake.nix b/flake.nix index a95ee8e7..728fb5e5 100644 --- a/flake.nix +++ b/flake.nix @@ -7,6 +7,8 @@ # https://github.com/NixOS/nixpkgs nixpkgs.url = "github:nixos/nixpkgs/nixos-24.11"; + nixpkgs-25-05.url = "github:nixos/nixpkgs/nixos-25.05"; + # Add nixos-generators as an input. # See here: https://github.com/nix-community/nixos-generators#using-in-a-flake nixos-generators = { @@ -27,7 +29,7 @@ }; }; - outputs = { self, nixpkgs, nixos-generators, sops-nix, authorizedKeysRepo, ... }: + outputs = { self, nixpkgs, nixpkgs-25-05, nixos-generators, sops-nix, authorizedKeysRepo, ... }: let specialArgs = { inherit authorizedKeysRepo; 
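Review bot: The new `nixpkgs-25-05.url = "github:nixos/nixpkgs/nixos-25.05";` input carries no comment, while every neighbouring input in this block is documented. A one-line comment such as `# Second nixpkgs input for hosts already moved to 25.05 (currently only woodpecker); drop once everything is upgraded.` would record why two nixpkgs inputs coexist and when the extra one can go. The `inputs` attribute set continues beyond the hunk.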
@@ -160,7 +162,7 @@ ]; }; - woodpecker = nixpkgs.lib.nixosSystem { + woodpecker = nixpkgs-25-05.lib.nixosSystem { inherit system specialArgs; modules = [ self.nixosModules.common From 2fda28ca5dce464d806019b7bb6e1fb238668a7c Mon Sep 17 00:00:00 2001 From: June Date: Sat, 14 Jun 2025 17:32:27 +0200 Subject: [PATCH 161/170] Upgrade to NixOS 25.05 --- flake.lock | 25 ++++--------------------- flake.nix | 8 +++----- 2 files changed, 7 insertions(+), 26 deletions(-) diff --git a/flake.lock b/flake.lock index c3f607b0..d8bfc27b 100644 --- a/flake.lock +++ b/flake.lock @@ -64,13 +64,13 @@ "type": "github" } }, - "nixpkgs-25-05": { + "nixpkgs_2": { "locked": { - "lastModified": 1748708770, - "narHash": "sha256-q8jG2HJWgooWa9H0iatZqBPF3bp0504e05MevFmnFLY=", + "lastModified": 1749727998, + "narHash": "sha256-mHv/yeUbmL91/TvV95p+mBVahm9mdQMJoqaTVTALaFw=", "owner": "nixos", "repo": "nixpkgs", - "rev": "a59eb7800787c926045d51b70982ae285faa2346", + "rev": "fd487183437963a59ba763c0cc4f27e3447dd6dd", "type": "github" }, "original": { @@ -80,28 +80,11 @@ "type": "github" } }, - "nixpkgs_2": { - "locked": { - "lastModified": 1748421225, - "narHash": "sha256-XXILOc80tvlvEQgYpYFnze8MkQQmp3eQxFbTzb3m/R0=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "78add7b7abb61689e34fc23070a8f55e1d26185b", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-24.11", - "repo": "nixpkgs", - "type": "github" - } - }, "root": { "inputs": { "authorizedKeysRepo": "authorizedKeysRepo", "nixos-generators": "nixos-generators", "nixpkgs": "nixpkgs_2", - "nixpkgs-25-05": "nixpkgs-25-05", "sops-nix": "sops-nix" } }, diff --git a/flake.nix b/flake.nix index 728fb5e5..53bf4ca5 100644 --- a/flake.nix +++ b/flake.nix 
@@ -5,9 +5,7 @@ # Use the NixOS small channels for nixpkgs. # https://nixos.org/manual/nixos/stable/#sec-upgrading # https://github.com/NixOS/nixpkgs - nixpkgs.url = "github:nixos/nixpkgs/nixos-24.11"; - - nixpkgs-25-05.url = "github:nixos/nixpkgs/nixos-25.05"; + nixpkgs.url = "github:nixos/nixpkgs/nixos-25.05"; # Add nixos-generators as an input. # See here: https://github.com/nix-community/nixos-generators#using-in-a-flake @@ -29,7 +27,7 @@ }; }; - outputs = { self, nixpkgs, nixpkgs-25-05, nixos-generators, sops-nix, authorizedKeysRepo, ... }: + outputs = { self, nixpkgs, nixos-generators, sops-nix, authorizedKeysRepo, ... }: let specialArgs = { inherit authorizedKeysRepo; @@ -162,7 +160,7 @@ ]; }; - woodpecker = nixpkgs-25-05.lib.nixosSystem { + woodpecker = nixpkgs.lib.nixosSystem { inherit system specialArgs; modules = [ self.nixosModules.common From 7d7e45750f419098ce5673454d8bea09a8130f0c Mon Sep 17 00:00:00 2001 From: c6ristian Date: Tue, 24 Jun 2025 22:36:36 +0200 Subject: [PATCH 162/170] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nixpkgs': 'github:nixos/nixpkgs/fd487183437963a59ba763c0cc4f27e3447dd6dd' (2025-06-12) → 'github:nixos/nixpkgs/c7ab75210cb8cb16ddd8f290755d9558edde7ee1' (2025-06-22) • Updated input 'sops-nix': 'github:Mic92/sops-nix/8d215e1c981be3aa37e47aeabd4e61bb069548fd' (2025-05-18) → 'github:Mic92/sops-nix/77c423a03b9b2b79709ea2cb63336312e78b72e2' (2025-06-17) --- flake.lock | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/flake.lock b/flake.lock index d8bfc27b..d14aa581 100644 --- a/flake.lock +++ b/flake.lock 
@@ -66,11 +66,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1749727998, - "narHash": "sha256-mHv/yeUbmL91/TvV95p+mBVahm9mdQMJoqaTVTALaFw=", + "lastModified": 1750622754, + "narHash": "sha256-kMhs+YzV4vPGfuTpD3mwzibWUE6jotw5Al2wczI0Pv8=", "owner": "nixos", "repo": "nixpkgs", - "rev": "fd487183437963a59ba763c0cc4f27e3447dd6dd", + "rev": "c7ab75210cb8cb16ddd8f290755d9558edde7ee1", "type": "github" }, "original": { @@ -95,11 +95,11 @@ ] }, "locked": { - "lastModified": 1747603214, - "narHash": "sha256-lAblXm0VwifYCJ/ILPXJwlz0qNY07DDYdLD+9H+Wc8o=", + "lastModified": 1750119275, + "narHash": "sha256-Rr7Pooz9zQbhdVxux16h7URa6mA80Pb/G07T4lHvh0M=", "owner": "Mic92", "repo": "sops-nix", - "rev": "8d215e1c981be3aa37e47aeabd4e61bb069548fd", + "rev": "77c423a03b9b2b79709ea2cb63336312e78b72e2", "type": "github" }, "original": { From f541a5dd6aaabffc94f22bce00f532ea339f985c Mon Sep 17 00:00:00 2001 From: c6ristian Date: Fri, 18 Jul 2025 21:33:30 +0200 Subject: [PATCH 163/170] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nixos-generators': 'github:nix-community/nixos-generators/ee07ba0d36c38e9915c55d2ac5a8fb0f05f2afcc' (2025-05-19) → 'github:nix-community/nixos-generators/032decf9db65efed428afd2fa39d80f7089085eb' (2025-07-07) • Updated input 'nixpkgs': 'github:nixos/nixpkgs/c7ab75210cb8cb16ddd8f290755d9558edde7ee1' (2025-06-22) → 'github:nixos/nixpkgs/32a4e87942101f1c9f9865e04dc3ddb175f5f32e' (2025-07-15) • Updated input 'sops-nix': 'github:Mic92/sops-nix/77c423a03b9b2b79709ea2cb63336312e78b72e2' (2025-06-17) → 'github:Mic92/sops-nix/2c8def626f54708a9c38a5861866660395bb3461' (2025-07-15) --- flake.lock | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/flake.lock b/flake.lock index d14aa581..2ab41bba 100644 --- a/flake.lock +++ b/flake.lock 
@@ -35,11 +35,11 @@ "nixpkgs": "nixpkgs" }, "locked": { - "lastModified": 1747663185, - "narHash": "sha256-Obh50J+O9jhUM/FgXtI3he/QRNiV9+J53+l+RlKSaAk=", + "lastModified": 1751903740, + "narHash": "sha256-PeSkNMvkpEvts+9DjFiop1iT2JuBpyknmBUs0Un0a4I=", "owner": "nix-community", "repo": "nixos-generators", - "rev": "ee07ba0d36c38e9915c55d2ac5a8fb0f05f2afcc", + "rev": "032decf9db65efed428afd2fa39d80f7089085eb", "type": "github" }, "original": { @@ -66,11 +66,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1750622754, - "narHash": "sha256-kMhs+YzV4vPGfuTpD3mwzibWUE6jotw5Al2wczI0Pv8=", + "lastModified": 1752620740, + "narHash": "sha256-f3pO+9lg66mV7IMmmIqG4PL3223TYMlnlw+pnpelbss=", "owner": "nixos", "repo": "nixpkgs", - "rev": "c7ab75210cb8cb16ddd8f290755d9558edde7ee1", + "rev": "32a4e87942101f1c9f9865e04dc3ddb175f5f32e", "type": "github" }, "original": { @@ -95,11 +95,11 @@ ] }, "locked": { - "lastModified": 1750119275, - "narHash": "sha256-Rr7Pooz9zQbhdVxux16h7URa6mA80Pb/G07T4lHvh0M=", + "lastModified": 1752544651, + "narHash": "sha256-GllP7cmQu7zLZTs9z0J2gIL42IZHa9CBEXwBY9szT0U=", "owner": "Mic92", "repo": "sops-nix", - "rev": "77c423a03b9b2b79709ea2cb63336312e78b72e2", + "rev": "2c8def626f54708a9c38a5861866660395bb3461", "type": "github" }, "original": { From 0383e604a42d9f03a4270c84e6da4b7ad5689aaa Mon Sep 17 00:00:00 2001 From: c6ristian Date: Sat, 19 Jul 2025 20:59:07 +0200 Subject: [PATCH 164/170] element update --- .../public-web-static/virtualHosts/element.hamburg.ccc.de.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/config/hosts/public-web-static/virtualHosts/element.hamburg.ccc.de.nix b/config/hosts/public-web-static/virtualHosts/element.hamburg.ccc.de.nix index 3c859543..d0da9207 100644 --- a/config/hosts/public-web-static/virtualHosts/element.hamburg.ccc.de.nix +++ b/config/hosts/public-web-static/virtualHosts/element.hamburg.ccc.de.nix 
@@ -1,10 +1,10 @@ { pkgs, ... }: let - elementWebVersion = "1.11.95"; + elementWebVersion = "1.11.106"; element-web = pkgs.fetchzip { url = "https://github.com/element-hq/element-web/releases/download/v${elementWebVersion}/element-v${elementWebVersion}.tar.gz"; - sha256 = "sha256-Bs1oYfJ5xXNpQJL92U0/3s979DKfdSZsBo5febp4QGc="; + sha256 = "sha256-5E6za7G7Olia5VzOnBjYMeGJ2Xifqx+vDmCFgNLaRZo="; }; elementSecurityHeaders = '' # Configuration best practices From a0d0d24d91dfad6c33f286f43785778a801c1a1c Mon Sep 17 00:00:00 2001 From: c6ristian Date: Sun, 20 Jul 2025 20:35:02 +0200 Subject: [PATCH 165/170] sops updatekeys junes new key --- .sops.yaml | 11 +---------- 1 file changed, 1 insertion(+), 10 deletions(-) diff --git a/.sops.yaml b/.sops.yaml index 9a6ae2de..cc9178ff 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -3,7 +3,7 @@ keys: - &admin_gpg_stb F155144FC925A1BEA1F8A2C59A2A4CD59BFDC5EC - &admin_gpg_jtbx 18DFCE01456DAB52EA38A6584EDC64F35FA1D6A5 - &admin_gpg_yuri 87AB00D45D37C9E9167B5A5A333448678B60E505 - - &admin_gpg_june 91213ABAA73B0B73D3C02B5B4E5F372D17BBE67C + - &admin_gpg_june 057870A2C72CD82566A3EC983695F4FCBCAE4912 - &admin_gpg_haegar F38C9D4228FC6F674E322D9C3326D914EB9B8F55 - &admin_gpg_dario 5DA93D5C9D7320E1BD3522C79C78172B3551C9FD - &admin_gpg_echtnurich 8996B62CBD159DCADD3B6DC08BB33A8ABCF7BC4A @@ -32,7 +32,6 @@ creation_rules: - *admin_gpg_echtnurich - *admin_gpg_max - *admin_gpg_c6ristian - - *admin_gpg_dante age: - *host_age_git - path_regex: config/hosts/forgejo-actions-runner/.* @@ -48,7 +47,6 @@ creation_rules: - *admin_gpg_echtnurich - *admin_gpg_max - *admin_gpg_c6ristian - - *admin_gpg_dante age: - *host_age_forgejo_actions_runner - path_regex: config/hosts/matrix/.* @@ -64,7 +62,6 @@ creation_rules: - *admin_gpg_echtnurich - *admin_gpg_max - *admin_gpg_c6ristian - - *admin_gpg_dante age: - *host_age_matrix - path_regex: config/hosts/public-web-static/.* 
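Review bot: This commit edits only `.sops.yaml` (the diffstat lists a single file), but changing recipients there does not re-encrypt anything by itself: the existing secret files stay decryptable with June's previous fingerprint `91213ABAA73B0B73D3C02B5B4E5F372D17BBE67C` and with `*admin_gpg_dante`, whose entries the `@@ -32`, `@@ -48`, `@@ -64` and the following hunks remove, until `sops updatekeys` has been run on each file and the re-encrypted files are committed. The title names only the key update; the removal of dante from every creation rule is undocumented and deserves a line in the message. The new fingerprint `057870A2C72CD82566A3EC983695F4FCBCAE4912` should be confirmed with the key holder out-of-band before it is trusted to decrypt host secrets, and if the old key was compromised rather than superseded, the underlying secrets themselves should be rotated, not just re-encrypted.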
@@ -80,7 +77,6 @@ creation_rules: - *admin_gpg_echtnurich - *admin_gpg_max - *admin_gpg_c6ristian - - *admin_gpg_dante age: - *host_age_public_web_static - path_regex: config/hosts/mjolnir/.* @@ -96,7 +92,6 @@ creation_rules: - *admin_gpg_echtnurich - *admin_gpg_max - *admin_gpg_c6ristian - - *admin_gpg_dante age: - *host_age_mjolnir - path_regex: config/hosts/woodpecker/.* @@ -112,7 +107,6 @@ creation_rules: - *admin_gpg_echtnurich - *admin_gpg_max - *admin_gpg_c6ristian - - *admin_gpg_dante age: - *host_age_woodpecker - path_regex: config/hosts/penpot/.* @@ -128,7 +122,6 @@ creation_rules: - *admin_gpg_echtnurich - *admin_gpg_max - *admin_gpg_c6ristian - - *admin_gpg_dante age: - *host_age_penpot - path_regex: config/hosts/yate/.* @@ -144,7 +137,6 @@ creation_rules: - *admin_gpg_echtnurich - *admin_gpg_max - *admin_gpg_c6ristian - - *admin_gpg_dante age: - *host_age_yate - key_groups: @@ -159,7 +151,6 @@ creation_rules: - *admin_gpg_echtnurich - *admin_gpg_max - *admin_gpg_c6ristian - - *admin_gpg_dante stores: yaml: indent: 2 From 44c1b795979ae71710a2c202cb97af2f4720df5b Mon Sep 17 00:00:00 2001 From: June Date: Wed, 23 Jul 2025 20:53:55 +0200 Subject: [PATCH 166/170] Add cryptoparty-hamburg.de static web host and a staging environment Also redirect cryptoparty.hamburg.ccc.de there. --- .../virtualHosts/cryptoparty-hamburg.de.nix | 97 +++++++++++++++++++ .../virtualHosts/default.nix | 2 + .../staging.cryptoparty-hamburg.de.nix | 94 ++++++++++++++++++ 3 files changed, 193 insertions(+) create mode 100644 config/hosts/public-web-static/virtualHosts/cryptoparty-hamburg.de.nix create mode 100644 config/hosts/public-web-static/virtualHosts/staging.cryptoparty-hamburg.de.nix diff --git a/config/hosts/public-web-static/virtualHosts/cryptoparty-hamburg.de.nix b/config/hosts/public-web-static/virtualHosts/cryptoparty-hamburg.de.nix new file mode 100644 index 00000000..37d95b9a --- /dev/null +++ b/config/hosts/public-web-static/virtualHosts/cryptoparty-hamburg.de.nix 
@@ -0,0 +1,97 @@ +{ ... }: + +let + domain = "cryptoparty-hamburg.de"; + dataDir = "/var/www/${domain}"; + deployUser = "cryptoparty-website-deploy"; +in +{ + security.acme.certs."${domain}".extraDomainNames = [ + "cryptoparty.hamburg.ccc.de" + ]; + + services.nginx.virtualHosts = { + "acme-${domain}" = { + enableACME = true; + serverName = "${domain}"; + + listen = [ + { + addr = "0.0.0.0"; + port = 31820; + } + ]; + }; + + "cryptoparty.hamburg.ccc.de" = { + forceSSL = true; + useACMEHost = "${domain}"; + + listen = [ + { + addr = "0.0.0.0"; + port = 8443; + ssl = true; + proxyProtocol = true; + } + ]; + + locations."/".return = "302 https://${domain}$request_uri"; + + extraConfig = '' + # Make use of the ngx_http_realip_module to set the $remote_addr and + # $remote_port to the client address and client port, when using proxy + # protocol. + # First set our proxy protocol proxy as trusted. + set_real_ip_from 172.31.17.140; + # Then tell the realip_module to get the addreses from the proxy protocol + # header. + real_ip_header proxy_protocol; + ''; + }; + + "${domain}" = { + forceSSL = true; + useACMEHost = "${domain}"; + + listen = [ + { + addr = "0.0.0.0"; + port = 8443; + ssl = true; + proxyProtocol = true; + } + ]; + + root = "${dataDir}"; + + extraConfig = '' + # Make use of the ngx_http_realip_module to set the $remote_addr and + # $remote_port to the client address and client port, when using proxy + # protocol. + # First set our proxy protocol proxy as trusted. + set_real_ip_from 172.31.17.140; + # Then tell the realip_module to get the addreses from the proxy protocol + # header. 
+ real_ip_header proxy_protocol; + + error_page 404 /404.html; + + port_in_redirect off; + ''; + }; + }; + + systemd.tmpfiles.rules = [ + "d ${dataDir} 0755 ${deployUser} ${deployUser}" + ]; + + users.users."${deployUser}" = { + isNormalUser = true; + group = "${deployUser}"; + openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICz+Lxi9scblM/SKJq4nl64UwvVn8SuF2xmzOuyQrzR+ deploy key for cryptoparty-hamburg.de" + ]; + }; + users.groups."${deployUser}" = { }; +} diff --git a/config/hosts/public-web-static/virtualHosts/default.nix b/config/hosts/public-web-static/virtualHosts/default.nix index c9d77ef9..59e69e6c 100644 --- a/config/hosts/public-web-static/virtualHosts/default.nix +++ b/config/hosts/public-web-static/virtualHosts/default.nix @@ -4,12 +4,14 @@ imports = [ ./branding-resources.hamburg.ccc.de.nix ./c3cat.de.nix + ./cryptoparty-hamburg.de.nix ./element.hamburg.ccc.de.nix ./hacker.tours.nix ./hackertours.hamburg.ccc.de.nix ./hamburg.ccc.de.nix ./spaceapi.hamburg.ccc.de.nix ./staging.c3cat.de.nix + ./staging.cryptoparty-hamburg.de.nix ./staging.hacker.tours.nix ./staging.hackertours.hamburg.ccc.de.nix ./staging.hamburg.ccc.de.nix diff --git a/config/hosts/public-web-static/virtualHosts/staging.cryptoparty-hamburg.de.nix b/config/hosts/public-web-static/virtualHosts/staging.cryptoparty-hamburg.de.nix new file mode 100644 index 00000000..6733dad6 --- /dev/null +++ b/config/hosts/public-web-static/virtualHosts/staging.cryptoparty-hamburg.de.nix 
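Review bot: The deploy identity in `users.users."${deployUser}"` is declared with `isNormalUser = true` and an `authorizedKeys.keys` entry without key options, so the holder of that key gets a regular login with the default shell rather than only the ability to write `${dataDir}`. Unless the deployment needs a pty or forwarding, prefixing the key with OpenSSH's `restrict` option (`"restrict ssh-ed25519 AAAAC3… deploy key for cryptoparty-hamburg.de"`) disables port, agent and X11 forwarding and pty allocation for that key, and a `command=` option could narrow it further if the deploy step is a fixed rsync or scp invocation. The comment `# Then tell the realip_module to get the addreses from the proxy protocol` misspells "addresses" in both `extraConfig` blocks of this file and again in the staging file.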
@@ -0,0 +1,94 @@ +{ ... }: + +let + domain = "staging.cryptoparty-hamburg.de"; + dataDir = "/var/www/${domain}"; + deployUser = "cryptoparty-website-deploy"; +in +{ + security.acme.certs."${domain}".extraDomainNames = [ + "staging.cryptoparty.hamburg.ccc.de" + ]; + + services.nginx.virtualHosts = { + "acme-${domain}" = { + enableACME = true; + serverName = "${domain}"; + + listen = [ + { + addr = "0.0.0.0"; + port = 31820; + } + ]; + }; + + "staging.cryptoparty.hamburg.ccc.de" = { + forceSSL = true; + useACMEHost = "${domain}"; + + listen = [ + { + addr = "0.0.0.0"; + port = 8443; + ssl = true; + proxyProtocol = true; + } + ]; + + locations."/".return = "302 https://${domain}$request_uri"; + + extraConfig = '' + # Make use of the ngx_http_realip_module to set the $remote_addr and + # $remote_port to the client address and client port, when using proxy + # protocol. + # First set our proxy protocol proxy as trusted. + set_real_ip_from 172.31.17.140; + # Then tell the realip_module to get the addreses from the proxy protocol + # header. + real_ip_header proxy_protocol; + ''; + }; + + "${domain}" = { + forceSSL = true; + useACMEHost = "${domain}"; + + listen = [ + { + addr = "0.0.0.0"; + port = 8443; + ssl = true; + proxyProtocol = true; + } + ]; + + root = "${dataDir}"; + + # Disallow *, since this is staging and doesn't need to be in any search + # results. + locations."/robots.txt" = { + return = "200 \"User-agent: *\\nDisallow: *\\n\""; + }; + + extraConfig = '' + # Make use of the ngx_http_realip_module to set the $remote_addr and + # $remote_port to the client address and client port, when using proxy + # protocol. + # First set our proxy protocol proxy as trusted. + set_real_ip_from 172.31.17.140; + # Then tell the realip_module to get the addreses from the proxy protocol + # header. 
+ real_ip_header proxy_protocol; + + port_in_redirect off; + ''; + }; + }; + + systemd.tmpfiles.rules = [ + "d ${dataDir} 0755 ${deployUser} ${deployUser}" + ]; + + # Cryptoparty website deploy user already defined in cryptoparty-hamburg.de.nix. +} From 071eb88afa67740f792a6e7fb7612509ef596acb Mon Sep 17 00:00:00 2001 From: June Date: Thu, 24 Jul 2025 02:15:19 +0200 Subject: [PATCH 167/170] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'authorizedKeysRepo': 'https://git.hamburg.ccc.de/api/v1/repos/CCCHH/infrastructure-authorized-keys/archive/fc95460e9e6ae759b2b08c93b10a8e010e9e14e6.tar.gz?narHash=sha256-GMU6gfG1%2B3OjTuoiIYQg9yefzrz%2BRVVesqXa8jmOuCE%3D&rev=fc95460e9e6ae759b2b08c93b10a8e010e9e14e6' (2025-04-28) → 'https://git.hamburg.ccc.de/api/v1/repos/CCCHH/infrastructure-authorized-keys/archive/fc95460e9e6ae759b2b08c93b10a8e010e9e14e6.tar.gz?narHash=sha256-GMU6gfG1%2B3OjTuoiIYQg9yefzrz%2BRVVesqXa8jmOuCE%3D' (2025-04-28) • Updated input 'nixpkgs': 'github:nixos/nixpkgs/32a4e87942101f1c9f9865e04dc3ddb175f5f32e?narHash=sha256-f3pO%2B9lg66mV7IMmmIqG4PL3223TYMlnlw%2Bpnpelbss%3D' (2025-07-15) → 'github:nixos/nixpkgs/92c2e04a475523e723c67ef872d8037379073681?narHash=sha256-yLuz5cz5Z%2Bsn8DRAfNkrd2Z1cV6DaYO9JMrEz4KZo/c%3D' (2025-07-21) --- flake.lock | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/flake.lock b/flake.lock index 2ab41bba..559f116a 100644 --- a/flake.lock +++ b/flake.lock 
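Review bot: `locations."/robots.txt"` returns `Disallow: *`, but in the robots exclusion format the value is a path prefix, so `Disallow: /` is the form that excludes everything; `*` is honoured as a wildcard only by some crawlers and a strict parser reads it as the literal path `*`. Changing the directive to `return = "200 \"User-agent: *\\nDisallow: /\\n\"";` achieves what the comment above it describes for all crawlers. The location also does not set a content type, so it is worth confirming that the served file arrives as `text/plain` (a `default_type text/plain;` inside the location would pin it). As the trailing comment says, this staging vhost reuses the deploy user from `cryptoparty-hamburg.de.nix`, so a single key deploys both staging and production.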
@@ -7,7 +7,7 @@ "narHash": "sha256-GMU6gfG1+3OjTuoiIYQg9yefzrz+RVVesqXa8jmOuCE=", "rev": "fc95460e9e6ae759b2b08c93b10a8e010e9e14e6", "type": "tarball", - "url": "https://git.hamburg.ccc.de/api/v1/repos/CCCHH/infrastructure-authorized-keys/archive/fc95460e9e6ae759b2b08c93b10a8e010e9e14e6.tar.gz?rev=fc95460e9e6ae759b2b08c93b10a8e010e9e14e6" + "url": "https://git.hamburg.ccc.de/api/v1/repos/CCCHH/infrastructure-authorized-keys/archive/fc95460e9e6ae759b2b08c93b10a8e010e9e14e6.tar.gz" }, "original": { "type": "tarball", @@ -66,11 +66,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1752620740, - "narHash": "sha256-f3pO+9lg66mV7IMmmIqG4PL3223TYMlnlw+pnpelbss=", + "lastModified": 1753115646, + "narHash": "sha256-yLuz5cz5Z+sn8DRAfNkrd2Z1cV6DaYO9JMrEz4KZo/c=", "owner": "nixos", "repo": "nixpkgs", - "rev": "32a4e87942101f1c9f9865e04dc3ddb175f5f32e", + "rev": "92c2e04a475523e723c67ef872d8037379073681", "type": "github" }, "original": { From df365e67f98be2882280e79aff4834e6158e1ab8 Mon Sep 17 00:00:00 2001 From: June Date: Mon, 11 Aug 2025 04:18:41 +0200 Subject: [PATCH 168/170] audio: fix librespot playback and use avahi for mDNS Fix librespot playback by building the dev branch and applying the changes from librespot PR 1528 (https://github.com/librespot-org/librespot/pull/1528) fixing librespot issue 1527 (https://github.com/librespot-org/librespot/issues/1527). Also make librespot use Avahi, since shairport-sync already uses that. --- README.md | 2 +- flake.nix | 24 ++ modules/services/audio/librespot.nix | 6 +- .../librespot_PR1528_conflicts_resolved.patch | 223 ++++++++++++++++++ 4 files changed, 251 insertions(+), 4 deletions(-) create mode 100644 patches/librespot_PR1528_conflicts_resolved.patch diff --git a/README.md b/README.md index def4e603..34690bd5 100644 --- a/README.md +++ b/README.md 
@@ -77,4 +77,4 @@ nix build .#proxmox-chaosknoten-nixos-template ## License This CCCHH nix-infra repository is licensed under the [MIT License](./LICENSE). -[`0001_oidc_group_and_role_mapping_custom_pipeline.patch`](patches/0001_oidc_group_and_role_mapping_custom_pipeline.patch) is licensed under the Creative Commons: CC BY-SA 4.0 license. +[`librespot_PR1528_conflicts_resolved.patch`](patches/librespot_PR1528_conflicts_resolved.patch) is a modified version of [librespot PR 1528](https://github.com/librespot-org/librespot/pull/1528) and is licensed under the [MIT license](https://github.com/librespot-org/librespot/blob/dev/LICENSE). diff --git a/flake.nix b/flake.nix index 53bf4ca5..39183bfc 100644 --- a/flake.nix +++ b/flake.nix @@ -40,6 +40,29 @@ proxmox-vm = ./config/proxmox-vm; prometheus-exporter = ./config/extra/prometheus-exporter.nix; }; + overlays = { + librespotFixOverlay = final: prev: { + librespot = (prev.librespot.override { withAvahi = true; }).overrideAttrs (finalAttrs: prevAttr: rec { + # Build dev branch. + name = "${prevAttr.pname}-${version}"; + version = "dev"; + src = prev.fetchFromGitHub { + owner = "librespot-org"; + repo = "librespot"; + rev = "dev"; + sha256 = "sha256-s9JpIbqXiVXMlhEuIuKio+rD1rM3kc7bAT0+8+5s35w="; + }; + cargoDeps = final.rustPlatform.fetchCargoVendor { + inherit src; + hash = "sha256-Lujz2revTAok9B0hzdl8NVQ5XMRY9ACJzoQHIkIgKMg="; + }; + # Fix librespot failing with "Unable to load audio item: Error { kind: Unavailable, error: StatusCode(500) }". + patches = (prevAttr.patches or []) ++ [ + ./patches/librespot_PR1528_conflicts_resolved.patch + ]; + }); + }; + }; nixosConfigurations = { audio-hauptraum-kueche = nixpkgs.lib.nixosSystem { inherit system specialArgs; @@ -56,6 +79,7 @@ self.nixosModules.common self.nixosModules.proxmox-vm ./config/hosts/audio-hauptraum-tafel + { nixpkgs.overlays = [ self.overlays.librespotFixOverlay ]; } ]; }; 
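Review bot: `librespotFixOverlay` fetches the source with `rev = "dev"`, a moving branch name, while `sha256` and the `cargoDeps` `hash` pin one specific checkout, so once the branch advances a rebuild fails with a hash mismatch instead of reproducing today's build, and nothing in the expression records which dev commit the hashes belong to. Pinning `rev` to that commit, e.g. `rev = "<commit hash of the dev branch the hashes were computed from>";` with a short comment on why the dev branch is needed, keeps the overlay reproducible and turns a later bump into an explicit, reviewable change. The `version = "dev"` in `name` could then also carry the short commit id for easier identification of the running build.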
diff --git a/modules/services/audio/librespot.nix b/modules/services/audio/librespot.nix
index 4c0fadbf..3be5c86e 100644
--- a/modules/services/audio/librespot.nix
+++ b/modules/services/audio/librespot.nix
@@ -19,11 +19,11 @@ in
 enable = true;
 description = "Spotify Connect Receiver Using librespot";
 unitConfig = {
- Requires = [ "network-online.target" "pipewire.service" ];
- After = [ "network-online.target" "pipewire.service" ];
+ Requires = [ "network-online.target" "pipewire.service" "avahi-daemon.service" ];
+ After = [ "network-online.target" "pipewire.service" "avahi-daemon.service" ];
 };
 serviceConfig = {
- ExecStart = "${pkgs.librespot}/bin/librespot --name '${config.ccchh.services.audio.name}' --device-type speaker --bitrate 320 --enable-volume-normalisation --disable-audio-cache --disable-credential-cache";
+ ExecStart = "${pkgs.librespot}/bin/librespot --name '${config.ccchh.services.audio.name}' --device-type speaker --bitrate 320 --enable-volume-normalisation --disable-audio-cache --disable-credential-cache --zeroconf-backend avahi";
 User = "librespot";
 Group = "librespot";
 };
diff --git a/patches/librespot_PR1528_conflicts_resolved.patch b/patches/librespot_PR1528_conflicts_resolved.patch
new file mode 100644
index 00000000..f97a38ac
--- /dev/null
+++ b/patches/librespot_PR1528_conflicts_resolved.patch
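Review bot: The new `--zeroconf-backend avahi` flag in `ExecStart` presumes a librespot built with `withAvahi = true`, which this series enables through `librespotFixOverlay` only for the configuration that imports `./config/hosts/audio-hauptraum-tafel`; if `audio-hauptraum-kueche` or another host also imports this module with the stock `pkgs.librespot`, the unit would start with a backend its binary may not support. Applying the overlay wherever the module is used, or deriving the flag and the `avahi-daemon.service` dependency from the package the module is given, keeps the module safe to import on its own. Listing `avahi-daemon.service` under `Requires` also means librespot is stopped or restarted whenever avahi is, which matches the existing `pipewire.service` handling but is worth a one-line comment such as `# Requires, not Wants: librespot cannot advertise itself without avahi, so follow its lifecycle.`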
@@ -0,0 +1,223 @@ +From c4c968e594edcfce231682db5563f7186da7c6f0 Mon Sep 17 00:00:00 2001 +From: Timon de Groot +Date: Thu, 7 Aug 2025 12:22:56 +0200 +Subject: [PATCH 1/5] spclient: Specify base url for metadata requests + +This fixes #1527 +--- + core/src/spclient.rs | 15 +++++++++++++-- + 1 file changed, 13 insertions(+), 2 deletions(-) + +diff --git a/core/src/spclient.rs b/core/src/spclient.rs +index 87a6098..56c4287 100644 +--- a/core/src/spclient.rs ++++ b/core/src/spclient.rs +@@ -55,6 +55,7 @@ const CONNECTION_ID: HeaderName = HeaderName::from_static("x-spotify-connection- + const NO_METRICS_AND_SALT: RequestOptions = RequestOptions { + metrics: false, + salt: false, ++ base_url: None, + }; + + #[derive(Debug, Error)] +@@ -86,6 +87,7 @@ impl Default for RequestStrategy { + pub struct RequestOptions { + metrics: bool, + salt: bool, ++ base_url: Option, + } + + impl Default for RequestOptions { +@@ -93,6 +95,7 @@ impl Default for RequestOptions { + Self { + metrics: true, + salt: true, ++ base_url: None, + } + } + } +@@ -449,7 +452,10 @@ impl SpClient { + + // Reconnection logic: retrieve the endpoint every iteration, so we can try + // another access point when we are experiencing network issues (see below). +- let mut url = self.base_url().await?; ++ let mut url = match &options.base_url { ++ Some(base_url) => base_url.clone(), ++ None => self.base_url().await?, ++ }; + url.push_str(endpoint); + + // Add metrics. 
There is also an optional `partner` key with a value like +@@ -566,7 +572,12 @@ impl SpClient { + + pub async fn get_metadata(&self, scope: &str, id: &SpotifyId) -> SpClientResult { + let endpoint = format!("/metadata/4/{}/{}", scope, id.to_base16()?); +- self.request(&Method::GET, &endpoint, None, None).await ++ let options = RequestOptions { ++ base_url: Some(String::from("https://spclient.wg.spotify.com")), ++ ..Default::default() ++ }; ++ self.request_with_options(&Method::GET, &endpoint, None, None, &options) ++ .await + } + + pub async fn get_track_metadata(&self, track_id: &SpotifyId) -> SpClientResult { +-- +2.49.0 + + +From 2b72f3fbdf6519321feeaaecc1ea6e1bb042074e Mon Sep 17 00:00:00 2001 +From: Timon de Groot +Date: Thu, 7 Aug 2025 13:51:55 +0200 +Subject: [PATCH 2/5] spclient: Change RequestOptions to &str + +This will allocate less strings and makes it possible to have const +request option values. + +Also document why the metadata base url workaround is needed. +--- + core/src/spclient.rs | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/core/src/spclient.rs b/core/src/spclient.rs +index 56c4287..11bcef4 100644 +--- a/core/src/spclient.rs ++++ b/core/src/spclient.rs +@@ -87,7 +87,7 @@ impl Default for RequestStrategy { + pub struct RequestOptions { + metrics: bool, + salt: bool, +- base_url: Option, ++ base_url: Option<&'static str>, + } + + impl Default for RequestOptions { +@@ -453,7 +453,7 @@ impl SpClient { + // Reconnection logic: retrieve the endpoint every iteration, so we can try + // another access point when we are experiencing network issues (see below). 
+ let mut url = match &options.base_url { +- Some(base_url) => base_url.clone(), ++ Some(base_url) => base_url.to_owned().to_string(), + None => self.base_url().await?, + }; + url.push_str(endpoint); +@@ -572,8 +572,11 @@ impl SpClient { + + pub async fn get_metadata(&self, scope: &str, id: &SpotifyId) -> SpClientResult { + let endpoint = format!("/metadata/4/{}/{}", scope, id.to_base16()?); ++ // For unknown reasons, metadata requests must now be sent through spclient.wg.spotify.com. ++ // Otherwise, the API will respond with 500 Internal Server Error responses. ++ // Context: https://github.com/librespot-org/librespot/issues/1527 + let options = RequestOptions { +- base_url: Some(String::from("https://spclient.wg.spotify.com")), ++ base_url: Some("https://spclient.wg.spotify.com"), + ..Default::default() + }; + self.request_with_options(&Method::GET, &endpoint, None, None, &options) +-- +2.49.0 + + +From 73ed5c50849bb660834cd0d7aaa7110c01397055 Mon Sep 17 00:00:00 2001 +From: Timon de Groot +Date: Sat, 9 Aug 2025 09:28:51 +0200 +Subject: [PATCH 3/5] spclient: Make const request options for get_metadata + +--- + core/src/spclient.rs | 20 ++++++++++++++------ + 1 file changed, 14 insertions(+), 6 deletions(-) + +diff --git a/core/src/spclient.rs b/core/src/spclient.rs +index 11bcef4..cbcf092 100644 +--- a/core/src/spclient.rs ++++ b/core/src/spclient.rs +@@ -58,6 +58,12 @@ const NO_METRICS_AND_SALT: RequestOptions = RequestOptions { + base_url: None, + }; + ++const SPCLIENT_FALLBACK_ENDPOINT: RequestOptions = RequestOptions { ++ metrics: true, ++ salt: true, ++ base_url: Some("https://spclient.wg.spotify.com"), ++}; ++ + #[derive(Debug, Error)] + pub enum SpClientError { + #[error("missing attribute {0}")] +@@ -575,12 +581,14 @@ impl SpClient { + // For unknown reasons, metadata requests must now be sent through spclient.wg.spotify.com. + // Otherwise, the API will respond with 500 Internal Server Error responses. 
+ // Context: https://github.com/librespot-org/librespot/issues/1527 +- let options = RequestOptions { +- base_url: Some("https://spclient.wg.spotify.com"), +- ..Default::default() +- }; +- self.request_with_options(&Method::GET, &endpoint, None, None, &options) +- .await ++ self.request_with_options( ++ &Method::GET, ++ &endpoint, ++ None, ++ None, ++ &SPCLIENT_FALLBACK_ENDPOINT, ++ ) ++ .await + } + + pub async fn get_track_metadata(&self, track_id: &SpotifyId) -> SpClientResult { +-- +2.49.0 + + +From 6adca21fdf64bd8026a2d6df04c42dd2b1239358 Mon Sep 17 00:00:00 2001 +From: Timon de Groot +Date: Sat, 9 Aug 2025 09:40:20 +0200 +Subject: [PATCH 4/5] spclient: Simplify base url init + +--- + core/src/spclient.rs | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/core/src/spclient.rs b/core/src/spclient.rs +index cbcf092..272975d 100644 +--- a/core/src/spclient.rs ++++ b/core/src/spclient.rs +@@ -458,8 +458,8 @@ impl SpClient { + + // Reconnection logic: retrieve the endpoint every iteration, so we can try + // another access point when we are experiencing network issues (see below). 
+- let mut url = match &options.base_url { +- Some(base_url) => base_url.to_owned().to_string(), ++ let mut url = match options.base_url { ++ Some(base_url) => base_url.to_string(), + None => self.base_url().await?, + }; + url.push_str(endpoint); +-- +2.49.0 + + +From 0b5b1eb6c73a9291057b3856939f416113fdd8bb Mon Sep 17 00:00:00 2001 +From: Timon de Groot +Date: Sat, 9 Aug 2025 10:14:02 +0200 +Subject: [PATCH 5/5] Update CHANGELOG.md + +--- + CHANGELOG.md | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/CHANGELOG.md b/CHANGELOG.md +index 560de2b..b62e9f8 100644 +--- a/CHANGELOG.md ++++ b/CHANGELOG.md +@@ -51,6 +51,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 + - [connect] Correctly apply playing/paused state when transferring playback + - [player] Saturate invalid seek positions to track duration + - [audio] Fall back to other URLs in case of a failure when downloading from CDN ++- [core] Metadata requests failing with 500 Internal Server Error + + ### Deprecated + +-- +2.49.0 + From c7ae6a7ee30ea3a67acc1f253eb737a306fb5daa Mon Sep 17 00:00:00 2001 From: June Date: Mon, 11 Aug 2025 20:09:05 +0200 Subject: [PATCH 169/170] bump element web to 1.11.109 --- .../public-web-static/virtualHosts/element.hamburg.ccc.de.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/config/hosts/public-web-static/virtualHosts/element.hamburg.ccc.de.nix b/config/hosts/public-web-static/virtualHosts/element.hamburg.ccc.de.nix index d0da9207..9e919e20 100644 --- a/config/hosts/public-web-static/virtualHosts/element.hamburg.ccc.de.nix +++ b/config/hosts/public-web-static/virtualHosts/element.hamburg.ccc.de.nix 
@@ -1,10 +1,10 @@ { pkgs, ... }: let - elementWebVersion = "1.11.106"; + elementWebVersion = "1.11.109"; element-web = pkgs.fetchzip { url = "https://github.com/element-hq/element-web/releases/download/v${elementWebVersion}/element-v${elementWebVersion}.tar.gz"; - sha256 = "sha256-5E6za7G7Olia5VzOnBjYMeGJ2Xifqx+vDmCFgNLaRZo="; + sha256 = "sha256-eKPClYJxUhCJznI1+dv9w2h0CoSKgZsBZCsuM3KH5ag="; }; elementSecurityHeaders = '' # Configuration best practices From 0c0457793ff759c5b6f376dcbc074a5072d1a561 Mon Sep 17 00:00:00 2001 From: June Date: Tue, 12 Aug 2025 01:11:31 +0200 Subject: [PATCH 170/170] bump Matrix Synapse to version 1.135.2 --- flake.nix | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/flake.nix b/flake.nix index 39183bfc..e8a53a96 100644 --- a/flake.nix +++ b/flake.nix @@ -41,6 +41,22 @@ prometheus-exporter = ./config/extra/prometheus-exporter.nix; }; overlays = { + matrixSynapseFix = final: prev: { + matrix-synapse-unwrapped = prev.matrix-synapse-unwrapped.overrideAttrs (finalAttrs: prevAttrs: rec { + version = "1.135.2"; + src = prev.fetchFromGitHub { + owner = "element-hq"; + repo = "synapse"; + rev = "v${version}"; + hash = "sha256-4HAA9Xq4C3DHxz0BgqBitfM4wZwPSEu+IO/OPfHzLVw="; + }; + cargoDeps = final.rustPlatform.fetchCargoVendor { + inherit src; + hash = "sha256-4J92s6cSgsEIYQpbU6OOLI/USIJX2Gc7UdEHgWQgmXc="; + }; + patches = []; + }); + }; librespotFixOverlay = final: prev: { librespot = (prev.librespot.override { withAvahi = true; }).overrideAttrs (finalAttrs: prevAttr: rec { # Build dev branch. @@ -109,6 +125,7 @@ sops-nix.nixosModules.sops self.nixosModules.prometheus-exporter ./config/hosts/matrix + { nixpkgs.overlays = [ self.overlays.matrixSynapseFix ]; } ]; };
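Review bot: `matrixSynapseFix` sets `patches = [];` in the `overrideAttrs` for `matrix-synapse-unwrapped`, which discards every patch nixpkgs applies to the package at the pinned nixpkgs revision rather than only those that no longer apply to 1.135.2; the `librespotFixOverlay` right below keeps `prevAttr.patches or []` and appends, which is the safer pattern. If the intent is that none of nixpkgs' patches are needed for 1.135.2, a comment such as `# nixpkgs' patches target the older Synapse and do not apply to 1.135.2; revisit on the next bump.` would record that and make the assumption visible when the version is raised again. Since dropping patches can also remove build fixes nixpkgs relies on, confirming a clean build of the overridden package before deploying is worthwhile. The `@@ -109,6 +125,7 @@` hunk that attaches the overlay to the matrix configuration ends at the edge of this page.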