Merge pull request 'docs: update deletion request docs' (#317) from update-deletion-request-docs into main

Reviewed-on: #317
Reviewed-by: teutat3s <teutat3s@noreply.git.pub.solar>

.forgejo/workflows/check.yml

@@ -18,20 +18,7 @@ jobs:
           # Prevent cache garbage collection by creating GC roots
           mkdir -p /var/lib/gitea-runner/tankstelle/.local/state/nix/results
 
-          for target in $(nix flake show --json --all-systems | jq --raw-output '
+          sed -i 's/virtualisation.cores .*/virtualisation.cores = 16;/' tests/keycloak.nix
-            .["nixosConfigurations"] |
+          sed -i 's/virtualisation.memorySize .*/virtualisation.memorySize = 16384;/' tests/keycloak.nix
-            to_entries[] |
+          # 1 eval-worker needs about 13GB of memory
-            .key'
+          nix --accept-flake-config --access-tokens '' develop --command nix-fast-build --no-nom --skip-cached --systems "x86_64-linux" --max-jobs 10 --eval-workers 2 --out-link /var/lib/gitea-runner/tankstelle/.local/state/nix/results/nix-fast-build
-          ); do
-            nix --print-build-logs --verbose --accept-flake-config --access-tokens '' \
-              build --out-link /var/lib/gitea-runner/tankstelle/.local/state/nix/results/"$target" ".#nixosConfigurations.${target}.config.system.build.toplevel"
-          done
-
-          for check in $(nix flake show --json --all-systems | jq --raw-output '
-            .checks."x86_64-linux" |
-            to_entries[] |
-            .key'
-          ); do
-            nix --print-build-logs --verbose --accept-flake-config --access-tokens '' \
-              build --out-link /var/lib/gitea-runner/tankstelle/.local/state/nix/results/"$check" ".#checks.x86_64-linux.${check}"
-          done

docs/README.md

@@ -0,0 +1,7 @@
+# pub.solar documentation
+
+This directory holds a collection of notes and documentation for pub.solar admins.
+
+### Systems Overview
+
+To get a first overview of existing pub.solar systems, please see the [pub.solar systems overview](./systems-overview.md).

docs/administrative-access.md

@@ -28,18 +28,18 @@ People with admin access to the infrastructure are added to [`logins/admins.nix`
 SSH is not reachable from the open internet. Instead, SSH Port 22 is protected by a wireguard VPN network. Thus, to get root access on the servers, at least two pieces of information have to be added to the admins config:
 
 1. **SSH Public key**: self-explanatory. Add your public key to your user attrset under `sshPubKeys`.
-2. **Wireguard device**: each wireguard device has two parts: the public key and the IP addresses it should have in the wireguard network. The pub.solar wireguard network is spaced under `10.7.6.0/24` and `fd00:fae:fae:fae:fae::/80`. To add your device, it's best to choose a free number between 200 and 255 and use that in both the ipv4 and ipv6 ranges: `10.7.6.<ip-address>/32` `fd00:fae:fae:fae:fae:<ip-address>::/96`. For more information on how to generate keypairs, see [the NixOS Wireguard docs](https://nixos.wiki/wiki/WireGuard#Generate_keypair).
+2. **Wireguard device**: each wireguard device has two parts: the public key and the IP addresses it should have in the wireguard network. The pub.solar wireguard network uses the subnets `10.7.6.0/24` and `fd00:fae:fae:fae:fae::/80`. To add your device, it's best to choose a free number between 200 and 255 and use that in both the ipv4 and ipv6 ranges: `10.7.6.<ip-address>/32` `fd00:fae:fae:fae:fae:<ip-address>::/96`. For more information on how to generate keypairs, see [the NixOS Wireguard docs](https://nixos.wiki/wiki/WireGuard#Generate_keypair).
 
 One can access our hosts using this domain scheme:
 
 ```
-ssh barkeeper@<hostname>.wg.pub.solar
+ssh <unix-username>@<hostname>.wg.pub.solar
 ```
 
 So, for example for `nachtigall`:
 
 ```
-ssh barkeeper@nachtigall.wg.pub.solar
+ssh teutat3s@nachtigall.wg.pub.solar
 ```
 
 Example NixOS snippet for WireGuard client config

docs/deletion-request.md

@@ -34,13 +34,27 @@ Docs: https://docs.nextcloud.com/server/latest/admin_manual/configuration_server
 ### Mastodon
 
 ```
+mkdir /tmp/tootctl
+sudo chown mastodon /tmp/tootctl
+cd /tmp/tootctl
+
 sudo -u mastodon mastodon-tootctl accounts delete --email <mail-address>
+
+rm -r /tmp/tootctl
 ```
 
 Docs: https://docs.joinmastodon.org/admin/tootctl/#accounts-delete
 
 ### Forgejo
 
+Make sure you have access to the gitea/forgejo command:
+
+```
+nix shell nixpkgs#forgejo
+```
+
+Then, delete the user:
+
 ```
 sudo -u gitea gitea admin user delete --config /var/lib/forgejo/custom/conf/app.ini --purge --email <mail-address>
 ```
@@ -53,8 +67,34 @@ Docs: https://forgejo.org/docs/latest/admin/command-line/#delete
 curl --header "Authorization: Bearer <admin-access-token>" --request POST http://127.0.0.1:8008/_synapse/admin/v1/deactivate/@<username>:pub.solar --data '{"erase": true}'
 ```
 
-Docs: https://matrix-org.github.io/synapse/latest/admin_api/user_admin_api.html#deactivate-account
+Docs: https://element-hq.github.io/synapse/latest/admin_api/user_admin_api.html#deactivate-account
+
+The authentication token should be in the keepass. If it is expired, you can get a new one by running the following:
+
+```
+# get full path to mas-cli command with current --config flags from
+# sudo systemctl cat matrix-authentication-service
+sudo -u matrix-authentication-service mas-cli --config nix-store-config --config /run/agenix/matrix-authentication-service-secret-config.yml manage issue-compatibility-token --yes-i-want-to-grant-synapse-admin-privileges crew
+```
 
 ### OpenBikeSensor
 
 Not implemented, see: https://github.com/openbikesensor/portal/issues/95
+
+## Notifying the user
+
+Make sure to send an e-mail to the specified address notifying the user of the accounts deletion.
+
+You can use this template:
+
+```
+Hello,
+
+Your pub.solar ID has been deactivated. Associated data in pub.solar services has been deleted.
+
+Please note that the username is now blocked to prevent impersonation attempts.
+
+Best,
+
+@<name> for the pub.solar crew
+```

docs/deploying.md

@@ -7,16 +7,29 @@ be manually deployed.
 To deploy, make sure you have a [working development shell](./development-shell.md).
 Then, run `deploy-rs` with the hostname of the server you want to deploy:
 
+### Dry-run
+
+Use `--dry-activate` to show a diff of updated packages and all services that
+would be restarted by the update. This will also put all files in place without
+switching to the new generation, enabling a quick switch to the new config at a
+later moment.
+
 For nachtigall.pub.solar:
 
 ```
-deploy --targets '.#nachtigall' --magic-rollback false --auto-rollback false --keep-result --result-path ./results
+deploy --targets '.#nachtigall' --ssh-user <unix-username> --magic-rollback false --auto-rollback false --keep-result --result-path ./results --dry-activate
+```
+
+After reviewing the changes, apply the update with:
+
+```
+deploy --targets '.#nachtigall' --ssh-user <unix-username> --magic-rollback false --auto-rollback false --keep-result --result-path ./results
 ```
 
 For metronom.pub.solar (aarch64-linux):
 
 ```
-deploy --targets '.#metronom' --magic-rollback false --auto-rollback false --keep-result --result-path ./results --remote-build
+deploy --targets '.#metronom' --ssh-user <unix-username> --magic-rollback false --auto-rollback false --keep-result --result-path ./results --remote-build
 ```
 
 Usually we skip all rollback functionality, but if you want to deploy a change
@@ -25,9 +38,6 @@ that might lock you out, e.g. to SSH, it might make sense to set these to `true`
 To skip flake checks, e.g. because you already ran them manually before
 deployment, add the flag `--skip-checks` at the end of the command.
 
-`--dry-activate` can be used to only put all files in place without switching,
-to enable switching to the new config quickly at a later moment.
-
 We use `--keep-result --result-path ./results` to keep the last `result`
 symlink of each `deploy` from being garbage collected. That way, we keep builds
 cached in the Nix store. This is optional and both flags can be removed if disk

docs/garage.md

@@ -8,7 +8,7 @@ Requirements:
 - [Setup WireGuard](./administrative-access.md#ssh-access) for hosts: `trinkgenossin`, optionally: `delite`, `blue-shell`
 
 ```
-ssh barkeeper@trinkgenossin.wg.pub.solar
+ssh <unix-username>@trinkgenossin.wg.pub.solar
 ```
 
 ```
@@ -58,7 +58,7 @@ Further reading:
 ### Notes on manual setup steps
 
 ```
-ssh barkeeper@trinkgenossin.wg.pub.solar
+ssh <unix-username>@trinkgenossin.wg.pub.solar
 
 # Add a few spaces to avoid leaking the secret to the shell history
     export GARAGE_RPC_SECRET=<secret-in-keepass>

docs/keycloak/delete-unverified-accounts.md

@@ -12,7 +12,7 @@ Run following after SSH'ing to `nachtigall`.
 Credentials for the following command are in keepass. Create a keycloak
 config/credentials file at `/tmp/kcadm.config`:
 
-```
+```bash
 sudo --user keycloak kcadm.sh config credentials \
   --config /tmp/kcadm.config \
   --server https://auth.pub.solar \
@@ -22,7 +22,7 @@ sudo --user keycloak kcadm.sh config credentials \
 
 Get list of accounts without a verified email address:
 
-```
+```bash
 sudo --user keycloak kcadm.sh get \
   --config /tmp/kcadm.config \
   users \
@@ -35,7 +35,7 @@ Review list of accounts, especially check `createdTimestamp` if any accounts
 were created in the past 2 days. If so, delete those from the
 `/tmp/keycloak-unverified-accounts` file.
 
-```
+```bash
 createdTimestamps=( $( nix run nixpkgs#jq -- -r '.[].createdTimestamp' < /tmp/keycloak-unverified-accounts ) )
 
 # timestamps are in nanoseconds since epoch, so we need to strip the last three digits
@@ -46,17 +46,17 @@ vim /tmp/keycloak-unverified-accounts
 
 Check how many accounts are going to be deleted:
 
-```
+```bash
 jq -r '.[].id' < /tmp/keycloak-unverified-accounts | wc -l
 ```
 
-```
+```bash
 jq -r '.[].id' < /tmp/keycloak-unverified-accounts > /tmp/keycloak-unverified-account-ids
 ```
 
 Final check before deletion (dry-run):
 
-```
+```bash
 for id in $(cat /tmp/keycloak-unverified-account-ids)
   do
     echo sudo --user keycloak kcadm.sh delete \
@@ -68,7 +68,7 @@ for id in $(cat /tmp/keycloak-unverified-account-ids)
 
 THIS WILL DELETE ACCOUNTS:
 
-```
+```bash
 for id in $(cat /tmp/keycloak-unverified-account-ids)
   do
     sudo --user keycloak kcadm.sh delete \
@@ -77,3 +77,9 @@ for id in $(cat /tmp/keycloak-unverified-account-ids)
       --realm pub.solar
   done
 ```
+
+Delete the temp files:
+
+```bash
+sudo rm /tmp/kcadm.config /tmp/keycloak-unverified-accounts /tmp/keycloak-unverified-account-ids
+```

docs/matrix-suspend-account.md

@@ -0,0 +1,27 @@
+# Matrix account suspension
+
+> Unlike [account locking](https://spec.matrix.org/v1.12/client-server-api/#account-locking),
+> [suspension](https://github.com/matrix-org/matrix-spec-proposals/blob/main/proposals/3823-code-for-account-suspension.md)
+> allows the user to have a (largely) readonly view of their account.
+> Homeserver administrators and moderators may use this functionality to
+> temporarily deactivate an account, or place conditions on the account's
+> experience. Critically, like locking, account suspension is reversible, unlike
+> the deactivation mechanism currently available in Matrix - a destructive,
+> irreversible, action.
+
+Required:
+
+- `matrix-synapse admin token`
+- [SSH access to host `nachtigall`](./administrative-access.md#ssh-access)
+
+## Suspending an account
+
+```bash
+curl --header "Authorization: Bearer <admin-access-token>" --request PUT http://127.0.0.1:8008/_synapse/admin/v1/suspend/@<username>:pub.solar --data '{"suspend": true}'
+```
+
+## Unsuspending an account
+
+```bash
+curl --header "Authorization: Bearer <admin-access-token>" --request PUT http://127.0.0.1:8008/_synapse/admin/v1/suspend/@<username>:pub.solar --data '{"suspend": false}'
+```

docs/nachtigall/notes-disk-extension.md

@@ -0,0 +1,348 @@
+# Notes on adding two disks to server nachtigall
+
+Status after Hetzner support added two additional 1TB NVMe disks:
+
+```
+teutat3s in 🌐 nachtigall in ~
+❯ lsblk -f
+NAME        FSTYPE     FSVER LABEL     UUID                                 FSAVAIL FSUSE% MOUNTPOINTS
+nvme0n1
+├─nvme0n1p1
+├─nvme0n1p2 vfat       FAT16           5494-BA1E                               385M    21% /boot2
+└─nvme0n1p3 zfs_member 5000  root_pool 8287701206764130981
+nvme1n1
+├─nvme1n1p1
+├─nvme1n1p2 vfat       FAT32           5493-EFF5                               1.8G     5% /boot1
+└─nvme1n1p3 zfs_member 5000  root_pool 8287701206764130981
+nvme2n1
+nvme3n1
+
+teutat3s in 🌐 nachtigall in ~
+❯ sudo fdisk -l /dev/nvme0n1
+Disk /dev/nvme0n1: 953.87 GiB, 1024209543168 bytes, 2000409264 sectors
+Disk model: KXG60ZNV1T02 TOSHIBA
+Units: sectors of 1 * 512 = 512 bytes
+Sector size (logical/physical): 512 bytes / 512 bytes
+I/O size (minimum/optimal): 512 bytes / 512 bytes
+Disklabel type: gpt
+Disk identifier: 28F8681A-4559-4801-BF3F-BFEC8058236B
+
+Device          Start        End    Sectors   Size Type
+/dev/nvme0n1p1   2048       4095       2048     1M BIOS boot
+/dev/nvme0n1p2   4096     999423     995328   486M EFI System
+/dev/nvme0n1p3 999424 2000408575 1999409152 953.4G Linux filesystem
+
+teutat3s in 🌐 nachtigall in ~
+❯ sudo fdisk -l /dev/nvme1n1
+Disk /dev/nvme1n1: 953.87 GiB, 1024209543168 bytes, 2000409264 sectors
+Disk model: SAMSUNG MZVL21T0HCLR-00B00
+Units: sectors of 1 * 512 = 512 bytes
+Sector size (logical/physical): 512 bytes / 512 bytes
+I/O size (minimum/optimal): 512 bytes / 512 bytes
+Disklabel type: gpt
+Disk identifier: A143A806-69C5-4EFC-8E34-20C35574D990
+
+Device           Start        End    Sectors  Size Type
+/dev/nvme1n1p1    2048       4095       2048    1M BIOS boot
+/dev/nvme1n1p2    4096    3905535    3901440  1.9G EFI System
+/dev/nvme1n1p3 3905536 2000408575 1996503040  952G Linux filesystem
+
+teutat3s in 🌐 nachtigall in ~
+❯ sudo fdisk -l /dev/nvme2n1
+Disk /dev/nvme2n1: 953.87 GiB, 1024209543168 bytes, 2000409264 sectors
+Disk model: SAMSUNG MZVL21T0HDLU-00B07
+Units: sectors of 1 * 512 = 512 bytes
+Sector size (logical/physical): 512 bytes / 512 bytes
+I/O size (minimum/optimal): 512 bytes / 512 bytes
+
+teutat3s in 🌐 nachtigall in ~
+❯ sudo fdisk -l /dev/nvme3n1
+Disk /dev/nvme3n1: 953.87 GiB, 1024209543168 bytes, 2000409264 sectors
+Disk model: SAMSUNG MZVL21T0HCLR-00B00
+Units: sectors of 1 * 512 = 512 bytes
+Sector size (logical/physical): 512 bytes / 512 bytes
+I/O size (minimum/optimal): 512 bytes / 512 bytes
+```
+
+Partitioning and formatting the new disks `/dev/nvme2n1` and `/dev/nvme3n1`:
+
+```
+teutat3s in 🌐 nachtigall in ~
+❯ sudo fdisk /dev/nvme2n1
+
+Welcome to fdisk (util-linux 2.39.4).
+Changes will remain in memory only, until you decide to write them.
+Be careful before using the write command.
+
+Device does not contain a recognized partition table.
+Created a new DOS (MBR) disklabel with disk identifier 0x0852470c.
+
+Command (m for help): p
+Disk /dev/nvme2n1: 953.87 GiB, 1024209543168 bytes, 2000409264 sectors
+Disk model: SAMSUNG MZVL21T0HDLU-00B07
+Units: sectors of 1 * 512 = 512 bytes
+Sector size (logical/physical): 512 bytes / 512 bytes
+I/O size (minimum/optimal): 512 bytes / 512 bytes
+Disklabel type: dos
+Disk identifier: 0x0852470c
+
+Command (m for help): m
+
+Help:
+
+  DOS (MBR)
+   a   toggle a bootable flag
+   b   edit nested BSD disklabel
+   c   toggle the dos compatibility flag
+
+  Generic
+   d   delete a partition
+   F   list free unpartitioned space
+   l   list known partition types
+   n   add a new partition
+   p   print the partition table
+   t   change a partition type
+   v   verify the partition table
+   i   print information about a partition
+
+  Misc
+   m   print this menu
+   u   change display/entry units
+   x   extra functionality (experts only)
+
+  Script
+   I   load disk layout from sfdisk script file
+   O   dump disk layout to sfdisk script file
+
+  Save & Exit
+   w   write table to disk and exit
+   q   quit without saving changes
+
+  Create a new label
+   g   create a new empty GPT partition table
+   G   create a new empty SGI (IRIX) partition table
+   o   create a new empty MBR (DOS) partition table
+   s   create a new empty Sun partition table
+
+
+Command (m for help): g
+Created a new GPT disklabel (GUID: 8CC98E3F-20A8-4A2D-8D50-9CD769EE4C65).
+
+Command (m for help): p
+Disk /dev/nvme2n1: 953.87 GiB, 1024209543168 bytes, 2000409264 sectors
+Disk model: SAMSUNG MZVL21T0HDLU-00B07
+Units: sectors of 1 * 512 = 512 bytes
+Sector size (logical/physical): 512 bytes / 512 bytes
+I/O size (minimum/optimal): 512 bytes / 512 bytes
+Disklabel type: gpt
+Disk identifier: 8CC98E3F-20A8-4A2D-8D50-9CD769EE4C65
+
+Command (m for help): n
+Partition number (1-128, default 1):
+First sector (2048-2000409230, default 2048):
+Last sector, +/-sectors or +/-size{K,M,G,T,P} (2048-2000409230, default 2000408575): 4095
+
+Created a new partition 1 of type 'Linux filesystem' and of size 1 MiB.
+
+Command (m for help): t
+Selected partition 1
+Partition type or alias (type L to list all): L
+  1 EFI System                     C12A7328-F81F-11D2-BA4B-00A0C93EC93B
+  2 MBR partition scheme           024DEE41-33E7-11D3-9D69-0008C781F39F
+  3 Intel Fast Flash               D3BFE2DE-3DAF-11DF-BA40-E3A556D89593
+  4 BIOS boot                      21686148-6449-6E6F-744E-656564454649
+  5 Sony boot partition            F4019732-066E-4E12-8273-346C5641494F
+  6 Lenovo boot partition          BFBFAFE7-A34F-448A-9A5B-6213EB736C22
+  7 PowerPC PReP boot              9E1A2D38-C612-4316-AA26-8B49521E5A8B
+  8 ONIE boot                      7412F7D5-A156-4B13-81DC-867174929325
+  9 ONIE config                    D4E6E2CD-4469-46F3-B5CB-1BFF57AFC149
+ 10 Microsoft reserved             E3C9E316-0B5C-4DB8-817D-F92DF00215AE
+ 11 Microsoft basic data           EBD0A0A2-B9E5-4433-87C0-68B6B72699C7
+ 12 Microsoft LDM metadata         5808C8AA-7E8F-42E0-85D2-E1E90434CFB3
+ 13 Microsoft LDM data             AF9B60A0-1431-4F62-BC68-3311714A69AD
+ 14 Windows recovery environment   DE94BBA4-06D1-4D40-A16A-BFD50179D6AC
+ 15 IBM General Parallel Fs        37AFFC90-EF7D-4E96-91C3-2D7AE055B174
+ 16 Microsoft Storage Spaces       E75CAF8F-F680-4CEE-AFA3-B001E56EFC2D
+ 17 HP-UX data                     75894C1E-3AEB-11D3-B7C1-7B03A0000000
+ 18 HP-UX service                  E2A1E728-32E3-11D6-A682-7B03A0000000
+ 19 Linux swap                     0657FD6D-A4AB-43C4-84E5-0933C84B4F4F
+ 20 Linux filesystem               0FC63DAF-8483-4772-8E79-3D69D8477DE4
+...
+Partition type or alias (type L to list all): 4
+Changed type of partition 'Linux filesystem' to 'BIOS boot'.
+
+Command (m for help): n
+Partition number (2-128, default 2):
+First sector (4096-2000409230, default 4096):
+Last sector, +/-sectors or +/-size{K,M,G,T,P} (4096-2000409230, default 2000408575): 3901440
+
+Created a new partition 2 of type 'Linux filesystem' and of size 1.9 GiB.
+
+Command (m for help): t
+Partition number (1,2, default 2): 2
+Partition type or alias (type L to list all): 1
+
+Changed type of partition 'Linux filesystem' to 'EFI System'.
+
+Command (m for help): n
+Partition number (3-128, default 3):
+First sector (3901441-2000409230, default 3903488):
+Last sector, +/-sectors or +/-size{K,M,G,T,P} (3903488-2000409230, default 2000408575):
+
+Created a new partition 3 of type 'Linux filesystem' and of size 952 GiB.
+
+Command (m for help): p
+Disk /dev/nvme2n1: 953.87 GiB, 1024209543168 bytes, 2000409264 sectors
+Disk model: SAMSUNG MZVL21T0HDLU-00B07
+Units: sectors of 1 * 512 = 512 bytes
+Sector size (logical/physical): 512 bytes / 512 bytes
+I/O size (minimum/optimal): 512 bytes / 512 bytes
+Disklabel type: gpt
+Disk identifier: 8CC98E3F-20A8-4A2D-8D50-9CD769EE4C65
+
+Device           Start        End    Sectors  Size Type
+/dev/nvme2n1p1    2048       4095       2048    1M BIOS boot
+/dev/nvme2n1p2    4096    3901440    3897345  1.9G EFI System
+/dev/nvme2n1p3 3903488 2000408575 1996505088  952G Linux filesystem
+
+Command (m for help): w
+The partition table has been altered.
+Calling ioctl() to re-read partition table.
+Syncing disks.
+
+
+teutat3s in 🌐 nachtigall in ~ took 5m41s
+❯ sudo fdisk /dev/nvme3n1
+
+Welcome to fdisk (util-linux 2.39.4).
+Changes will remain in memory only, until you decide to write them.
+Be careful before using the write command.
+
+Device does not contain a recognized partition table.
+Created a new DOS (MBR) disklabel with disk identifier 0xa77eb504.
+
+Command (m for help): g
+Created a new GPT disklabel (GUID: 56B64CEE-5E0C-4EAA-AE2F-5BF4356183A5).
+
+Command (m for help): n
+Partition number (1-128, default 1):
+First sector (2048-2000409230, default 2048):
+Last sector, +/-sectors or +/-size{K,M,G,T,P} (2048-2000409230, default 2000408575): 4095
+
+Created a new partition 1 of type 'Linux filesystem' and of size 1 MiB.
+
+Command (m for help): t
+Selected partition 1
+Partition type or alias (type L to list all): 4
+Changed type of partition 'Linux filesystem' to 'BIOS boot'.
+
+Command (m for help): n
+Partition number (2-128, default 2):
+First sector (4096-2000409230, default 4096):
+Last sector, +/-sectors or +/-size{K,M,G,T,P} (4096-2000409230, default 2000408575): 3901440
+
+Created a new partition 2 of type 'Linux filesystem' and of size 1.9 GiB.
+
+Command (m for help): t
+Partition number (1,2, default 2): 2
+Partition type or alias (type L to list all): 1
+
+Changed type of partition 'Linux filesystem' to 'EFI System'.
+
+Command (m for help): n
+Partition number (3-128, default 3):
+First sector (3901441-2000409230, default 3903488):
+Last sector, +/-sectors or +/-size{K,M,G,T,P} (3903488-2000409230, default 2000408575):
+
+Created a new partition 3 of type 'Linux filesystem' and of size 952 GiB.
+
+Command (m for help): p
+Disk /dev/nvme3n1: 953.87 GiB, 1024209543168 bytes, 2000409264 sectors
+Disk model: SAMSUNG MZVL21T0HCLR-00B00
+Units: sectors of 1 * 512 = 512 bytes
+Sector size (logical/physical): 512 bytes / 512 bytes
+I/O size (minimum/optimal): 512 bytes / 512 bytes
+Disklabel type: gpt
+Disk identifier: 56B64CEE-5E0C-4EAA-AE2F-5BF4356183A5
+
+Device           Start        End    Sectors  Size Type
+/dev/nvme3n1p1    2048       4095       2048    1M BIOS boot
+/dev/nvme3n1p2    4096    3901440    3897345  1.9G EFI System
+/dev/nvme3n1p3 3903488 2000408575 1996505088  952G Linux filesystem
+
+Command (m for help): w
+The partition table has been altered.
+Calling ioctl() to re-read partition table.
+Syncing disks.
+
+teutat3s in 🌐 nachtigall in ~
+❯ sudo mkfs.vfat /dev/nvme2n1p2
+mkfs.fat 4.2 (2021-01-31)
+
+teutat3s in 🌐 nachtigall in ~
+❯ sudo mkfs.vfat /dev/nvme3n1p2
+mkfs.fat 4.2 (2021-01-31)
+
+teutat3s in 🌐 nachtigall in ~
+❯ lsblk -f
+NAME        FSTYPE     FSVER LABEL     UUID                                 FSAVAIL FSUSE% MOUNTPOINTS
+nvme0n1
+├─nvme0n1p1
+├─nvme0n1p2 vfat       FAT16           5494-BA1E                               385M    21% /boot2
+└─nvme0n1p3 zfs_member 5000  root_pool 8287701206764130981
+nvme1n1
+├─nvme1n1p1
+├─nvme1n1p2 vfat       FAT32           5493-EFF5                               1.8G     5% /boot1
+└─nvme1n1p3 zfs_member 5000  root_pool 8287701206764130981
+nvme2n1
+├─nvme2n1p1
+├─nvme2n1p2 vfat       FAT32           E4E4-88C7
+└─nvme2n1p3
+nvme3n1
+├─nvme3n1p1
+├─nvme3n1p2 vfat       FAT32           E76C-A8A0
+└─nvme3n1p3
+```
+
+Finally, adding the new drives to the ZFS zpool `root_pool` to extend available disk space:
+
+```
+teutat3s in 🌐 nachtigall in ~
+❯ sudo zpool status
+  pool: root_pool
+ state: ONLINE
+  scan: scrub repaired 0B in 00:17:47 with 0 errors on Sat Mar  1 03:35:20 2025
+config:
+
+	NAME                                                      STATE     READ WRITE CKSUM
+	root_pool                                                 ONLINE       0     0     0
+	  mirror-0                                                ONLINE       0     0     0
+	    nvme-SAMSUNG_MZVL21T0HCLR-00B00_S676NF0R517371-part3  ONLINE       0     0     0
+	    nvme-KXG60ZNV1T02_TOSHIBA_Z9NF704ZF9ZL-part3          ONLINE       0     0     0
+
+errors: No known data errors
+
+teutat3s in 🌐 nachtigall in ~
+❯ sudo zpool add root_pool mirror nvme-SAMSUNG_MZVL21T0HDLU-00B07_S77WNF0XA01902-part3 nvme-SAMSUNG_MZVL21T0HCLR-00B00_S676NU0W623944-part3
+
+teutat3s in 🌐 nachtigall in ~
+❯ sudo zpool status
+  pool: root_pool
+ state: ONLINE
+  scan: scrub repaired 0B in 00:17:47 with 0 errors on Sat Mar  1 03:35:20 2025
+config:
+
+	NAME                                                      STATE     READ WRITE CKSUM
+	root_pool                                                 ONLINE       0     0     0
+	  mirror-0                                                ONLINE       0     0     0
+	    nvme-SAMSUNG_MZVL21T0HCLR-00B00_S676NF0R517371-part3  ONLINE       0     0     0
+	    nvme-KXG60ZNV1T02_TOSHIBA_Z9NF704ZF9ZL-part3          ONLINE       0     0     0
+	  mirror-1                                                ONLINE       0     0     0
+	    nvme-SAMSUNG_MZVL21T0HDLU-00B07_S77WNF0XA01902-part3  ONLINE       0     0     0
+	    nvme-SAMSUNG_MZVL21T0HCLR-00B00_S676NU0W623944-part3  ONLINE       0     0     0
+
+teutat3s in 🌐 nachtigall in ~
+❯ sudo zfs list root_pool
+NAME        USED  AVAIL  REFER  MOUNTPOINT
+root_pool   782G  1.04T   192K  none
+```

docs/nix-flake-updates.md

@@ -41,3 +41,7 @@ wrapped-ruby-mastodon-gems: 4.2.1 → 4.2.3
 zfs-kernel: 2.2.1-6.1.64 → 2.2.2-6.1.66
 zfs-user: 2.2.1 → 2.2.2
 ```
+
+### Deploying updates
+
+See [deploying.md](./deploying.md).

docs/nixos-anywhere.md

@@ -1,13 +1,29 @@
+# Deploying with nixos-anywhere
+
+## On Target: Enter NixOS from non-NixOS host
+
+In case you cannot boot easily into a nixos-installer image you can download the kexec installer image of NixOS and kexec into it:
+
 ```
 curl -L https://github.com/nix-community/nixos-images/releases/download/nixos-unstable/nixos-kexec-installer-noninteractive-x86_64-linux.tar.gz | tar -xzf- -C /root
 /root/kexec/run
 ```
 
-```
+## Run Disko
-mkdir -p /etc/secrets/initrd
-ssh-keygen -t ed25519 -f /etc/secrets/initrd/ssh_host_ed25519_key
-```
 
 ```
-nix run github:nix-community/nixos-anywhere -- --flake .#blue-shell root@194.13.83.205
+nix run github:nix-community/nixos-anywhere -- --flake .#<hostname> --target-host root@<host> --phases disko
+```
+
+## On Target: Create inital ssh host key used in initrd
+
+```
+mkdir -p /mnt/etc/secrets/initrd
+ssh-keygen -t ed25519 -f /mnt/etc/secrets/initrd/ssh_host_ed25519_key
+```
+
+## Run NixOS Anywhere
+
+```
+nix run github:nix-community/nixos-anywhere -- --flake .#<hostname> --target-host root@<host> --phases install,reboot
 ```

docs/systems-overview.md

@@ -0,0 +1,179 @@
+# pub.solar Systems Overview
+
+Last updated: 2025-03-11
+
+Jump to:
+
+1. [Server nachtigall](#server-nachtigall)
+2. [Server metronom](#server-metronom)
+3. [Server trinkgenossin](#server-trinkgenossin)
+4. [Server blue-shell](#server-blue-shell)
+5. [Server delite](#server-delite)
+6. [Server tankstelle](#server-tankstelle)
+7. [Server underground](#server-underground)
+8. [Hetzner 1TB storagebox](#hetzner-1tb-storagebox)
+
+### Server nachtigall
+
+**Specs:**
+
+- AMD Ryzen 7 3700X 8-Core Processor
+- 64 GB RAM
+- 4x 1TB NVMe disks
+
+**Disk layout:**
+
+- Encrypted ZFS mirror vdevs
+
+**Operating System:**
+
+- NixOS 24.11 `linux-x86_64`
+
+**Usage:**
+Main pub.solar server. Hosts the majority of pub.solar services. Non-exhaustive list:
+
+- collabora
+- coturn
+- forgejo
+- keycloak
+- mailman
+- mastodon
+- matrix-synapse (homeserver)
+- mediawiki
+- nextcloud
+- owncast
+- searx
+- tmate
+- tt-rss
+- obs-portal
+
+### Server metronom
+
+**Specs:**
+
+- Hetzner VPS type: CAX11
+- 2 vCPU
+- 4 GB RAM
+- 40GB disk
+
+**Disk layout:**
+
+- Encrypted ZFS single disk (stripe)
+
+**Operating System:**
+
+- NixOS 24.11 `linux-aach64`
+
+**Usage:**
+pub.solar mail server. Note this is an ARM server.
+
+### Server trinkgenossin
+
+**Specs:**
+
+- Strato VPS type: VPS Linux VC8-32
+- 8 core AMD EPYC-Milan Processor
+- 32 GB RAM
+- 1TB NVMe disk
+
+**Disk layout:**
+
+- Encrypted LUKS single disk
+
+**Operating System:**
+
+- NixOS 24.11 `linux-x86_64`
+
+**Usage:**
+Monitor, garage cluster node. Services:
+
+- grafana
+- loki
+- prometheus
+- garage
+- forgejo-actions-runner (docker)
+
+### Server blue-shell
+
+**Specs:**
+
+- netcup VPS type: VPS 1000 G11
+- 4 core AMD EPYC-Rome Processor
+- 8 GB RAM
+- 256 GB SSD disk
+- 850GB mechanical disk
+
+**Disk layout:**
+
+- Encrypted LVM on LUKS single disk and encrypted LUKS garage data disk
+
+**Operating System:**
+
+- NixOS 24.11 `linux-x86_64`
+
+**Usage:**
+Garage cluster node.
+
+### Server delite
+
+**Specs:**
+
+- liteserver VPS type: HDD Storage VPS - HDD-2G
+- 1 core AMD EPYC 7452
+- 2 GB RAM
+- 1TB mechanical disk
+
+**Disk layout:**
+
+- Encrypted LVM on LUKS single disk
+
+**Operating System:**
+
+- NixOS 24.11 `linux-x86_64`
+
+**Usage:**
+Garage cluster node.
+
+### Server tankstelle
+
+**Specs:**
+
+- 24 core Intel Xeon E5-2670 v2 @ 2.50GHz
+- 40 GB RAM
+- 80GB SSD disk
+
+**Disk layout:**
+
+- LVM
+
+**Operating System:**
+
+- NixOS 24.11 `linux-x86_64`
+
+**Usage:**
+
+- forgejo-actions-runner (selfhosted, NixOS)
+
+### Server underground
+
+**Specs:**
+
+- 8 core Intel Xeon E5-2670 v2 @ 2.50GHz
+- 16 GB RAM
+- 40 GB SSD disk
+
+**Disk layout:**
+
+- LVM on LUKS, single disk
+
+**Operating System:**
+
+- NixOS 24.11 `linux-x86_64`
+
+**Usage:**
+Testing server.
+
+### Hetzner 1TB storagebox
+
+**Usage:**
+Backups get pushed to a Hetzner storagebox every night.

docs/zfs-quickstart.md

@@ -0,0 +1,19 @@
+# ZFS Quick Start
+
+View current status of the ZFS pool (zpool):
+
+```
+sudo zpool status
+```
+
+View available disk space of the pool, replace `<pool-name>` with the pool name from the output above:
+
+```
+sudo zfs list <pool-name>
+```
+
+List all snapshots:
+
+```
+sudo zfs list -t snapshot
+```

flake.lock

@@ -14,11 +14,11 @@
         "systems": "systems"
       },
       "locked": {
-        "lastModified": 1723293904,
+        "lastModified": 1736955230,
-        "narHash": "sha256-b+uqzj+Wa6xgMS9aNbX4I+sXeb5biPDi39VgvSFqFvU=",
+        "narHash": "sha256-uenf8fv2eG5bKM8C/UvFaiJMZ4IpUFaQxk9OH5t/1gA=",
         "owner": "ryantm",
         "repo": "agenix",
-        "rev": "f6291c5935fdc4e0bef208cfc0dcab7e3f7a1c41",
+        "rev": "e600439ec4c273cf11e06fe4d9d906fb98fa097c",
         "type": "github"
       },
       "original": {
@@ -94,11 +94,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1731895210,
+        "lastModified": 1740485968,
-        "narHash": "sha256-z76Q/OXLxO/RxMII3fIt/TG665DANiE2lVvnolK2lXk=",
+        "narHash": "sha256-WK+PZHbfDjLyveXAxpnrfagiFgZWaTJglewBWniTn2Y=",
         "owner": "nix-community",
         "repo": "disko",
-        "rev": "639d1520df9417ca2761536c3072688569e83c80",
+        "rev": "19c1140419c4f1cdf88ad4c1cfb6605597628940",
         "type": "github"
       },
       "original": {
@@ -185,11 +185,11 @@
         "nixpkgs-lib": "nixpkgs-lib"
       },
       "locked": {
-        "lastModified": 1730504689,
+        "lastModified": 1740872218,
-        "narHash": "sha256-hgmguH29K2fvs9szpq2r3pz2/8cJd2LPS+b4tfNFCwE=",
+        "narHash": "sha256-ZaMw0pdoUKigLpv9HiNDH2Pjnosg7NBYMJlHTIsHEUo=",
         "owner": "hercules-ci",
         "repo": "flake-parts",
-        "rev": "506278e768c2a08bec68eb62932193e341f55c90",
+        "rev": "3876f6b87db82f33775b1ef5ea343986105db764",
         "type": "github"
       },
       "original": {
@@ -236,16 +236,16 @@
     },
     "fork": {
       "locked": {
-        "lastModified": 1729963002,
+        "lastModified": 1738846146,
-        "narHash": "sha256-2zrYfd/qdfExU5zVwvH80uJnKc/dMeK6zp3O1UtW2Mo=",
+        "narHash": "sha256-cIPiBEspPXQxju2AUZK9kjh6oqea+HkPFqmGv7yUztM=",
         "owner": "teutat3s",
         "repo": "nixpkgs",
-        "rev": "005faaacbeede0296dec5c844f508027ab8a3ff6",
+        "rev": "e370f40b129e47b08562524ab4f053a172a94273",
         "type": "github"
       },
       "original": {
         "owner": "teutat3s",
-        "ref": "init-matrix-authentication-service-module",
+        "ref": "init-matrix-authentication-service-module-0.13.0",
         "repo": "nixpkgs",
         "type": "github"
       }
@@ -257,16 +257,16 @@
         ]
       },
       "locked": {
-        "lastModified": 1726989464,
+        "lastModified": 1739757849,
-        "narHash": "sha256-Vl+WVTJwutXkimwGprnEtXc/s/s8sMuXzqXaspIGlwM=",
+        "narHash": "sha256-Gs076ot1YuAAsYVcyidLKUMIc4ooOaRGO0PqTY7sBzA=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "2f23fa308a7c067e52dfcc30a0758f47043ec176",
+        "rev": "9d3d080aec2a35e05a15cedd281c2384767c2cfe",
         "type": "github"
       },
       "original": {
         "owner": "nix-community",
-        "ref": "release-24.05",
+        "ref": "release-24.11",
         "repo": "home-manager",
         "type": "github"
       }
@@ -280,11 +280,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1731518114,
+        "lastModified": 1738012343,
-        "narHash": "sha256-h9Wb3VjmXBZwTO3prRweUKwp2H9hZHCQKrkbU+2WPQs=",
+        "narHash": "sha256-agMgWwVxXII+RtCqok8ROjzpKJung/5N5f2BVDmMC5Q=",
         "ref": "main",
-        "rev": "060ecccc5f8c92a0705ab91ff047811efd559468",
+        "rev": "4ffd7bc8ea032991756c5e8e8a37b039789045bc",
-        "revCount": 36,
+        "revCount": 38,
         "type": "git",
         "url": "https://git.pub.solar/pub-solar/keycloak-theme"
       },
@@ -298,11 +298,11 @@
       "flake": false,
       "locked": {
         "dir": "web",
-        "lastModified": 1718796561,
+        "lastModified": 1733177811,
-        "narHash": "sha256-RKAAHve17lrJokgAPkM2k/E+f9djencwwg3Xcd70Yfw=",
+        "narHash": "sha256-1n7bPSCRw7keTCIu4tJGnUlkoId6H1+dPsTPzKo3Rrk=",
         "owner": "maunium",
         "repo": "stickerpicker",
-        "rev": "333567f481e60443360aa7199d481e1a45b3a523",
+        "rev": "89d3aece041c85ebe5a1ad4e620388af5227cbb0",
         "type": "github"
       },
       "original": {
@@ -320,11 +320,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1732016537,
+        "lastModified": 1741112248,
-        "narHash": "sha256-XwXUK+meYnlhdQz2TVE4Wv+tsx1CkdGbDPt1tRzCNH4=",
+        "narHash": "sha256-Y340xoE1Vgo0eCDJi4srVjuwlr50vYSoyJrZeXHw3n0=",
         "owner": "lnl7",
         "repo": "nix-darwin",
-        "rev": "61cee20168a3ebb71a9efd70a55adebaadfbe4d4",
+        "rev": "991bb2f6d46fc2ff7990913c173afdb0318314cb",
         "type": "github"
       },
       "original": {
@@ -336,30 +336,30 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1731797254,
+        "lastModified": 1740932899,
-        "narHash": "sha256-df3dJApLPhd11AlueuoN0Q4fHo/hagP75LlM5K1sz9g=",
+        "narHash": "sha256-F0qDu2egq18M3edJwEOAE+D+VQ+yESK6YWPRQBfOqq8=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "e8c38b73aeb218e27163376a2d617e61a2ad9b59",
+        "rev": "1546c45c538633ae40b93e2d14e0bb6fd8f13347",
         "type": "github"
       },
       "original": {
         "owner": "nixos",
-        "ref": "nixos-24.05",
+        "ref": "nixos-24.11",
         "repo": "nixpkgs",
         "type": "github"
       }
     },
     "nixpkgs-lib": {
       "locked": {
-        "lastModified": 1730504152,
+        "lastModified": 1740872140,
-        "narHash": "sha256-lXvH/vOfb4aGYyvFmZK/HlsNsr/0CVWlwYvo2rxJk3s=",
+        "narHash": "sha256-3wHafybyRfpUCLoE8M+uPVZinImg3xX+Nm6gEfN3G8I=",
         "type": "tarball",
-        "url": "https://github.com/NixOS/nixpkgs/archive/cc2f28000298e1269cea6612cd06ec9979dd5d7f.tar.gz"
+        "url": "https://github.com/NixOS/nixpkgs/archive/6d3702243441165a03f699f64416f635220f4f15.tar.gz"
       },
       "original": {
         "type": "tarball",
-        "url": "https://github.com/NixOS/nixpkgs/archive/cc2f28000298e1269cea6612cd06ec9979dd5d7f.tar.gz"
+        "url": "https://github.com/NixOS/nixpkgs/archive/6d3702243441165a03f699f64416f635220f4f15.tar.gz"
       }
     },
     "root": {
@@ -387,22 +387,21 @@
         "nixpkgs": [
           "unstable"
         ],
-        "nixpkgs-24_05": [
+        "nixpkgs-24_11": [
           "nixpkgs"
-        ],
+        ]
-        "utils": "utils_2"
       },
       "locked": {
-        "lastModified": 1718084203,
+        "lastModified": 1734884447,
-        "narHash": "sha256-Cx1xoVfSMv1XDLgKg08CUd1EoTYWB45VmB9XIQzhmzI=",
+        "narHash": "sha256-HA9fAmGNGf0cOYrhgoa+B6BxNVqGAYXfLyx8zIS0ZBY=",
         "owner": "simple-nixos-mailserver",
         "repo": "nixos-mailserver",
-        "rev": "29916981e7b3b5782dc5085ad18490113f8ff63b",
+        "rev": "63209b1def2c9fc891ad271f474a3464a5833294",
         "type": "gitlab"
       },
       "original": {
         "owner": "simple-nixos-mailserver",
-        "ref": "nixos-24.05",
+        "ref": "nixos-24.11",
         "repo": "nixos-mailserver",
         "type": "gitlab"
       }
@@ -467,28 +466,13 @@
         "type": "github"
       }
     },
-    "systems_5": {
-      "locked": {
-        "lastModified": 1681028828,
-        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
-        "owner": "nix-systems",
-        "repo": "default",
-        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-systems",
-        "repo": "default",
-        "type": "github"
-      }
-    },
     "unstable": {
       "locked": {
-        "lastModified": 1731676054,
+        "lastModified": 1741010256,
-        "narHash": "sha256-OZiZ3m8SCMfh3B6bfGC/Bm4x3qc1m2SVEAlkV6iY7Yg=",
+        "narHash": "sha256-WZNlK/KX7Sni0RyqLSqLPbK8k08Kq7H7RijPJbq9KHM=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "5e4fbfb6b3de1aa2872b76d49fafc942626e2add",
+        "rev": "ba487dbc9d04e0634c64e3b1f0d25839a0a68246",
         "type": "github"
       },
       "original": {
@@ -515,24 +499,6 @@
         "repo": "flake-utils",
         "type": "github"
       }
-    },
-    "utils_2": {
-      "inputs": {
-        "systems": "systems_5"
-      },
-      "locked": {
-        "lastModified": 1709126324,
-        "narHash": "sha256-q6EQdSeUZOG26WelxqkmR7kArjgWCdw5sfJVHPH/7j8=",
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "rev": "d465f4819400de7c8d874d50b982301f28a84605",
-        "type": "github"
-      },
-      "original": {
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "type": "github"
-      }
     }
   },
   "root": "root",

flake.nix

@@ -1,14 +1,14 @@
 {
   inputs = {
     # Track channels with commits tested and built by hydra
-    nixpkgs.url = "github:nixos/nixpkgs/nixos-24.05";
+    nixpkgs.url = "github:nixos/nixpkgs/nixos-24.11";
     unstable.url = "github:nixos/nixpkgs/nixos-unstable";
-    fork.url = "github:teutat3s/nixpkgs/init-matrix-authentication-service-module";
+    fork.url = "github:teutat3s/nixpkgs/init-matrix-authentication-service-module-0.13.0";
 
     nix-darwin.url = "github:lnl7/nix-darwin/master";
     nix-darwin.inputs.nixpkgs.follows = "nixpkgs";
 
-    home-manager.url = "github:nix-community/home-manager/release-24.05";
+    home-manager.url = "github:nix-community/home-manager/release-24.11";
     home-manager.inputs.nixpkgs.follows = "nixpkgs";
 
     flake-parts.url = "github:hercules-ci/flake-parts";
@@ -37,8 +37,8 @@
     element-stickers.inputs.maunium-stickerpicker.follows = "maunium-stickerpicker";
     element-stickers.inputs.nixpkgs.follows = "nixpkgs";
 
-    simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-24.05";
+    simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-24.11";
-    simple-nixos-mailserver.inputs.nixpkgs-24_05.follows = "nixpkgs";
+    simple-nixos-mailserver.inputs.nixpkgs-24_11.follows = "nixpkgs";
     simple-nixos-mailserver.inputs.nixpkgs.follows = "unstable";
   };
 
@@ -73,11 +73,28 @@
               overlays = [ inputs.agenix.overlays.default ];
             };
             unstable = import inputs.unstable { inherit system; };
-            master = import inputs.master { inherit system; };
           };
 
           checks =
             let
+              machinesPerSystem = {
+                aarch64-linux = [
+                  "metronom"
+                ];
+                x86_64-linux = [
+                  "blue-shell"
+                  "delite"
+                  "nachtigall"
+                  "tankstelle"
+                  "trinkgenossin"
+                  "underground"
+                ];
+              };
+              nixosMachines = inputs.nixpkgs.lib.mapAttrs' (n: inputs.nixpkgs.lib.nameValuePair "nixos-${n}") (
+                inputs.nixpkgs.lib.genAttrs (machinesPerSystem.${system} or [ ]) (
+                  name: self.nixosConfigurations.${name}.config.system.build.toplevel
+                )
+              );
               nixos-lib = import (inputs.nixpkgs + "/nixos/lib") { };
               testDir = builtins.attrNames (builtins.readDir ./tests);
               testFiles = builtins.filter (n: builtins.match "^.*.nix$" n != null) testDir;
@@ -94,12 +111,13 @@
                   }
                 );
               }) testFiles
-            );
+            )
+            // nixosMachines;
 
           devShells.default = pkgs.mkShell {
             buildInputs = with pkgs; [
               deploy-rs
-              nixpkgs-fmt
+              nix-fast-build
               agenix
               age-plugin-yubikey
               cachix
@@ -108,9 +126,9 @@
               nvfetcher
               shellcheck
               shfmt
-              inputs.unstable.legacyPackages.${system}.treefmt2
+              treefmt2
               nixos-generators
-              inputs.unstable.legacyPackages.${system}.opentofu
+              opentofu
               terraform-backend-git
               terraform-ls
               jq
@@ -120,13 +138,7 @@
           devShells.ci = pkgs.mkShell { buildInputs = with pkgs; [ nodejs ]; };
         };
 
-      flake =
+      flake = {
-        let
-          username = "barkeeper";
-        in
-        {
-          inherit username;
-
         nixosModules = builtins.listToAttrs (
           map (x: {
             name = x;
@@ -138,36 +150,29 @@
           system: deployLib: deployLib.deployChecks self.deploy
         ) inputs.deploy-rs.lib;
 
-          formatter."x86_64-linux" = inputs.unstable.legacyPackages."x86_64-linux".nixfmt-rfc-style;
+        formatter."x86_64-linux" = inputs.nixpkgs.legacyPackages."x86_64-linux".nixfmt-rfc-style;
 
         deploy.nodes = self.lib.deploy.mkDeployNodes self.nixosConfigurations {
           nachtigall = {
             hostname = "nachtigall.wg.pub.solar";
-              sshUser = username;
           };
           metronom = {
             hostname = "metronom.wg.pub.solar";
-              sshUser = username;
           };
           tankstelle = {
             hostname = "tankstelle.wg.pub.solar";
-              sshUser = username;
           };
           underground = {
             hostname = "80.244.242.3";
-              sshUser = username;
           };
           trinkgenossin = {
             hostname = "trinkgenossin.wg.pub.solar";
-              sshUser = username;
           };
           delite = {
             hostname = "delite.wg.pub.solar";
-              sshUser = username;
           };
           blue-shell = {
             hostname = "blue-shell.wg.pub.solar";
-              sshUser = username;
           };
         };
       };

hosts/blue-shell/wireguard.nix

@@ -22,7 +22,7 @@ in
         "${wireguardIPv6}/96"
       ];
       privateKeyFile = config.age.secrets.wg-private-key.path;
-      peers = flake.self.logins.admins.wireguardDevices ++ [
+      peers = flake.self.logins.wireguardDevices ++ [
         {
           # trinkgenossin.pub.solar
           publicKey = "QWgHovHxtqiQhnHLouSWiT6GIoQDmuvnThYL5c/rvU4=";

hosts/delite/wireguard.nix

@@ -22,7 +22,7 @@ in
         "${wireguardIPv6}/96"
       ];
       privateKeyFile = config.age.secrets.wg-private-key.path;
-      peers = flake.self.logins.admins.wireguardDevices ++ [
+      peers = flake.self.logins.wireguardDevices ++ [
         {
           # trinkgenossin.pub.solar
           publicKey = "QWgHovHxtqiQhnHLouSWiT6GIoQDmuvnThYL5c/rvU4=";

hosts/metronom/wireguard.nix

@@ -18,7 +18,7 @@
         "fd00:fae:fae:fae:fae:3::/96"
       ];
       privateKeyFile = config.age.secrets.wg-private-key.path;
-      peers = flake.self.logins.admins.wireguardDevices ++ [
+      peers = flake.self.logins.wireguardDevices ++ [
         {
           # nachtigall.pub.solar
           endpoint = "138.201.80.102:51820";

hosts/nachtigall/configuration.nix

@@ -20,6 +20,14 @@
         devices = [ "/dev/disk/by-id/nvme-KXG60ZNV1T02_TOSHIBA_Z9NF704ZF9ZL" ];
         path = "/boot2";
       }
+      {
+        devices = [ "/dev/disk/by-id/nvme-SAMSUNG_MZVL21T0HDLU-00B07_S77WNF0XA01902" ];
+        path = "/boot3";
+      }
+      {
+        devices = [ "/dev/disk/by-id/nvme-SAMSUNG_MZVL21T0HCLR-00B00_S676NU0W623944" ];
+        path = "/boot4";
+      }
     ];
     copyKernels = true;
   };
@@ -73,22 +81,24 @@
     owner = "matrix-synapse";
   };
 
-  age.secrets."matrix-synapse-sliding-sync-secret" = {
-    file = "${flake.self}/secrets/matrix-synapse-sliding-sync-secret.age";
-    mode = "400";
-    owner = "matrix-synapse";
-  };
-
   age.secrets."matrix-authentication-service-secret-config.yml" = {
     file = "${flake.self}/secrets/matrix-authentication-service-secret-config.yml.age";
     mode = "400";
     owner = "matrix-authentication-service";
   };
 
+  # matrix-appservice-irc
+  age.secrets."matrix-appservice-irc-mediaproxy-signing-key" = {
+    file = "${flake.self}/secrets/matrix-appservice-irc-mediaproxy-signing-key.jwk.age";
+    mode = "400";
+    owner = "matrix-appservice-irc";
+  };
+
   pub-solar-os.matrix = {
     enable = true;
+    appservice-irc.mediaproxy.signingKeyPath =
+      config.age.secrets."matrix-appservice-irc-mediaproxy-signing-key".path;
     synapse = {
-      sliding-sync.enable = false;
       signing_key_path = config.age.secrets."matrix-synapse-signing-key".path;
       extra-config-files = [
         config.age.secrets."matrix-synapse-secret-config.yaml".path

hosts/nachtigall/default.nix

@@ -9,12 +9,10 @@
     ./networking.nix
     ./wireguard.nix
     ./backups.nix
-    "${flake.inputs.fork}/nixos/modules/services//matrix/matrix-authentication-service.nix"
+    "${flake.inputs.fork}/nixos/modules/services/matrix/matrix-authentication-service.nix"
-    "${flake.inputs.unstable}/nixos/modules/services/web-apps/mastodon.nix"
   ];
 
   disabledModules = [
     "services/matrix/matrix-authentication-service.nix"
-    "services/web-apps/mastodon.nix"
   ];
 }

hosts/nachtigall/hardware-configuration.nix

@@ -50,6 +50,16 @@
     fsType = "vfat";
   };
 
+  fileSystems."/boot3" = {
+    device = "/dev/disk/by-uuid/E4E4-88C7";
+    fsType = "vfat";
+  };
+
+  fileSystems."/boot4" = {
+    device = "/dev/disk/by-uuid/E76C-A8A0";
+    fsType = "vfat";
+  };
+
   swapDevices = [ ];
 
   # Enables DHCP on each ethernet and wireless interface. In case of scripted networking

hosts/nachtigall/wireguard.nix

@@ -18,7 +18,7 @@
         "fd00:fae:fae:fae:fae:1::/96"
       ];
       privateKeyFile = config.age.secrets.wg-private-key.path;
-      peers = flake.self.logins.admins.wireguardDevices ++ [
+      peers = flake.self.logins.wireguardDevices ++ [
         {
           # tankstelle.pub.solar
           endpoint = "80.244.242.5:51820";

hosts/tankstelle/configuration.nix

@@ -10,6 +10,9 @@
   boot.loader.systemd-boot.enable = true;
   boot.loader.efi.canTouchEfiVariables = true;
 
+  # kernel same-page merging
+  hardware.ksm.enable = true;
+
   boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
 
   system.stateVersion = "23.11";

hosts/tankstelle/wireguard.nix

@@ -18,7 +18,7 @@
         "fd00:fae:fae:fae:fae:4::/96"
       ];
       privateKeyFile = config.age.secrets.wg-private-key.path;
-      peers = flake.self.logins.admins.wireguardDevices ++ [
+      peers = flake.self.logins.wireguardDevices ++ [
         {
           # nachtigall.pub.solar
           endpoint = "138.201.80.102:51820";

hosts/trinkgenossin/default.nix

@@ -7,6 +7,7 @@
 
     ./networking.nix
     ./wireguard.nix
+    ./forgejo-actions-runner.nix
     #./backups.nix
   ];
 }

hosts/trinkgenossin/forgejo-actions-runner.nix

@@ -0,0 +1,62 @@
+{
+  config,
+  pkgs,
+  lib,
+  flake,
+  ...
+}:
+let
+  hostname = config.networking.hostName;
+in
+{
+  age.secrets."forgejo-actions-runner-token.age" = {
+    file = "${flake.self}/secrets/trinkgenossin-forgejo-actions-runner-token.age";
+    owner = "gitea-runner";
+    mode = "440";
+  };
+
+  # Label configuration on gitea-actions-runner instance requires either docker or podman
+  virtualisation.docker.enable = true;
+
+  # Trust docker bridge interface traffic
+  # Needed for the docker runner to communicate with the act_runner cache
+  networking.firewall.trustedInterfaces = [ "br-+" ];
+
+  users.users.gitea-runner = {
+    home = "/var/lib/gitea-runner/${hostname}";
+    useDefaultShell = true;
+    group = "gitea-runner";
+    # Required to interact with nix daemon
+    extraGroups = [ "wheel" ];
+    isSystemUser = true;
+  };
+
+  users.groups.gitea-runner = { };
+
+  systemd.tmpfiles.rules = [ "d '/var/lib/gitea-runner' 0750 gitea-runner gitea-runner - -" ];
+
+  systemd.services."gitea-runner-${hostname}" = {
+    serviceConfig.DynamicUser = lib.mkForce false;
+  };
+
+  # forgejo actions runner
+  # https://forgejo.org/docs/latest/admin/actions/
+  # https://docs.gitea.com/usage/actions/quickstart
+  services.gitea-actions-runner = {
+    package = pkgs.forgejo-runner;
+    instances."${hostname}" = {
+      enable = true;
+      name = hostname;
+      url = "https://git.pub.solar";
+      tokenFile = config.age.secrets."forgejo-actions-runner-token.age".path;
+      labels = [
+        # provide a debian 12 bookworm base with Node.js for actions
+        "debian-latest:docker://git.pub.solar/pub-solar/actions-base-image:20-bookworm"
+        # fake the ubuntu name, commonly used in actions examples
+        "ubuntu-latest:docker://git.pub.solar/pub-solar/actions-base-image:20-bookworm"
+        # alpine with Node.js
+        "alpine-latest:docker://node:20-alpine"
+      ];
+    };
+  };
+}

hosts/trinkgenossin/wireguard.nix

@@ -22,7 +22,7 @@ in
         "${wireguardIPv6}/96"
       ];
       privateKeyFile = config.age.secrets.wg-private-key.path;
-      peers = flake.self.logins.admins.wireguardDevices ++ [
+      peers = flake.self.logins.wireguardDevices ++ [
         {
           # nachtigall.pub.solar
           endpoint = "138.201.80.102:51820";

hosts/underground/configuration.nix

@@ -42,8 +42,17 @@
     owner = "matrix-authentication-service";
   };
 
+  # matrix-appservice-irc
+  age.secrets."matrix-appservice-irc-mediaproxy-signing-key" = {
+    file = "${flake.self}/secrets/staging-matrix-appservice-irc-mediaproxy-signing-key.jwk.age";
+    mode = "400";
+    owner = "matrix-appservice-irc";
+  };
+
   pub-solar-os.matrix = {
     enable = true;
+    appservice-irc.mediaproxy.signingKeyPath =
+      config.age.secrets."matrix-appservice-irc-mediaproxy-signing-key".path;
     synapse = {
       extra-config-files = [
         config.age.secrets."staging-matrix-synapse-secret-config.yaml".path

hosts/underground/default.nix

@@ -7,7 +7,7 @@
     ./configuration.nix
 
     ./networking.nix
-    "${flake.inputs.fork}/nixos/modules/services//matrix/matrix-authentication-service.nix"
+    "${flake.inputs.fork}/nixos/modules/services/matrix/matrix-authentication-service.nix"
   ];
 
   disabledModules = [

logins/admins.nix

@@ -38,6 +38,22 @@
           "fd00:fae:fae:fae:fae:200::/96"
         ];
       }
+      {
+        # chocolatebar
+        publicKey = "AS9w0zDUFLcH6IiF6T1vsyZPWPJ3p5fKsjIsM2AoZz8=";
+        allowedIPs = [
+          "10.7.6.205/32"
+          "fd00:fae:fae:fae:fae:205::/96"
+        ];
+      }
+      {
+        # biolimo
+        publicKey = "gnLq6KikFVVGxLxPW+3ZnreokEKLDoso+cUepPOZsBA=";
+        allowedIPs = [
+          "10.7.6.206/32"
+          "fd00:fae:fae:fae:fae:206::/96"
+        ];
+      }
     ];
   };
 

logins/default.nix

@@ -6,19 +6,16 @@ in
 {
   flake = {
     logins = {
-      admins =
+      admins = admins;
-        lib.lists.foldl
+      wireguardDevices = lib.lists.foldl (
-          (logins: adminConfig: {
+        wireguardDevices: adminConfig:
-            sshPubKeys = logins.sshPubKeys ++ (lib.attrsets.attrValues adminConfig.sshPubKeys);
+        wireguardDevices ++ (if adminConfig ? "wireguardDevices" then adminConfig.wireguardDevices else [ ])
-            wireguardDevices =
+      ) [ ] (lib.attrsets.attrValues admins);
-              logins.wireguardDevices
+      sshPubKeys = lib.lists.foldl (
-              ++ (if adminConfig ? "wireguardDevices" then adminConfig.wireguardDevices else [ ]);
+        sshPubKeys: adminConfig:
-          })
+        sshPubKeys
-          {
+        ++ (if adminConfig ? "sshPubKeys" then lib.attrsets.attrValues adminConfig.sshPubKeys else [ ])
-            sshPubKeys = [ ];
+      ) [ ] (lib.attrsets.attrValues admins);
-            wireguardDevices = [ ];
-          }
-          (lib.attrsets.attrValues admins);
       robots.sshPubKeys = lib.attrsets.attrValues robots;
     };
   };

logins/robots.nix

@@ -1,6 +1,8 @@
 {
   # Used for restic backups to droppie, a server run by @b12f
-  "root@droppie" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBZQSephFJU0NMbVbhwvVJ2/m6jcPYo1IsWCsoarqKin root@droppie";
+  "root@droppie" =
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBZQSephFJU0NMbVbhwvVJ2/m6jcPYo1IsWCsoarqKin root@droppie";
 
-  "hakkonaut" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGP5MvCwNRtCcP1pSDrn0XZTNlpOqYnjHDm9/OI4hECW hakkonaut";
+  "hakkonaut" =
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGP5MvCwNRtCcP1pSDrn0XZTNlpOqYnjHDm9/OI4hECW hakkonaut";
 }

modules/backups/default.nix

@@ -283,8 +283,10 @@ in
 
     # Used for pub-solar-os.backups.repos.storagebox
     programs.ssh.knownHosts = {
-      "u377325.your-storagebox.de".publicKey = "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA5EB5p/5Hp3hGW1oHok+PIOH9Pbn7cnUiGmUEBrCVjnAw+HrKyN8bYVV0dIGllswYXwkG/+bgiBlE6IVIBAq+JwVWu1Sss3KarHY3OvFJUXZoZyRRg/Gc/+LRCE7lyKpwWQ70dbelGRyyJFH36eNv6ySXoUYtGkwlU5IVaHPApOxe4LHPZa/qhSRbPo2hwoh0orCtgejRebNtW5nlx00DNFgsvn8Svz2cIYLxsPVzKgUxs8Zxsxgn+Q/UvR7uq4AbAhyBMLxv7DjJ1pc7PJocuTno2Rw9uMZi1gkjbnmiOh6TTXIEWbnroyIhwc8555uto9melEUmWNQ+C+PwAK+MPw==";
+      "u377325.your-storagebox.de".publicKey =
-      "[u377325.your-storagebox.de]:23".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIICf9svRenC/PLKIL9nk6K/pxQgoiFC41wTNvoIncOxs";
+        "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA5EB5p/5Hp3hGW1oHok+PIOH9Pbn7cnUiGmUEBrCVjnAw+HrKyN8bYVV0dIGllswYXwkG/+bgiBlE6IVIBAq+JwVWu1Sss3KarHY3OvFJUXZoZyRRg/Gc/+LRCE7lyKpwWQ70dbelGRyyJFH36eNv6ySXoUYtGkwlU5IVaHPApOxe4LHPZa/qhSRbPo2hwoh0orCtgejRebNtW5nlx00DNFgsvn8Svz2cIYLxsPVzKgUxs8Zxsxgn+Q/UvR7uq4AbAhyBMLxv7DjJ1pc7PJocuTno2Rw9uMZi1gkjbnmiOh6TTXIEWbnroyIhwc8555uto9melEUmWNQ+C+PwAK+MPw==";
+      "[u377325.your-storagebox.de]:23".publicKey =
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIICf9svRenC/PLKIL9nk6K/pxQgoiFC41wTNvoIncOxs";
     };
   };
 }

modules/core/default.nix

@@ -54,9 +54,5 @@
     };
 
     time.timeZone = "Etc/UTC";
-
-    home-manager.users.${config.pub-solar-os.authentication.username} = {
-      home.stateVersion = "23.05";
-    };
   };
 }

modules/core/terminal-tooling.nix

@@ -1,9 +1,20 @@
-{ flake, config, ... }:
+{ flake, lib, ... }:
 {
-  home-manager.users.${config.pub-solar-os.authentication.username} = {
+  home-manager.users = (
+    lib.attrsets.foldlAttrs (
+      acc: name: value:
+      acc
+      // {
+        ${name} = {
           programs.git.enable = true;
           programs.starship.enable = true;
-    programs.bash.enable = true;
+          programs.bash = {
+            enable = true;
+            historyControl = [
+              "ignoredups"
+              "ignorespace"
+            ];
+          };
           programs.neovim = {
             enable = true;
             vimAlias = true;
@@ -17,3 +28,6 @@
           };
         };
       }
+    ) { } flake.self.logins.admins
+  );
+}

modules/core/users.nix

@@ -11,18 +11,6 @@
       inherit (lib) mkOption types;
     in
     {
-      username = mkOption {
-        description = "Username for the adminstrative user";
-        type = types.str;
-        default = flake.self.username;
-      };
-
-      sshPubKeys = mkOption {
-        description = "SSH Keys that should have administrative root access";
-        type = types.listOf types.str;
-        default = flake.self.logins.admins.sshPubKeys;
-      };
-
       root.initialHashedPassword = mkOption {
         description = "Hashed password of the root account";
         type = types.str;
@@ -43,22 +31,29 @@
     };
 
   config = {
-    users.users.${config.pub-solar-os.authentication.username} = {
+    users.users =
-      name = config.pub-solar-os.authentication.username;
+      (lib.attrsets.foldlAttrs (
-      group = config.pub-solar-os.authentication.username;
+        acc: name: value:
+        acc
+        // {
+          ${name} = {
+            name = name;
+            group = name;
             extraGroups = [
               "wheel"
               "docker"
             ];
             isNormalUser = true;
-      openssh.authorizedKeys.keys = config.pub-solar-os.authentication.sshPubKeys;
+            openssh.authorizedKeys.keys = lib.attrsets.attrValues value.sshPubKeys;
           };
-    users.groups.${config.pub-solar-os.authentication.username} = { };
+        }
-
+      ) { } flake.self.logins.admins)
+      // {
         # TODO: Remove when we stop locking ourselves out.
-    users.users.root.openssh.authorizedKeys.keys = config.pub-solar-os.authentication.sshPubKeys;
+        root.openssh.authorizedKeys.keys = flake.self.logins.sshPubKeys;
+        root.initialHashedPassword = config.pub-solar-os.authentication.root.initialHashedPassword;
 
-    users.users.${config.pub-solar-os.authentication.robot.username} = {
+        ${config.pub-solar-os.authentication.robot.username} = {
           description = "CI and automation user";
           home = "/home/${config.pub-solar-os.authentication.robot.username}";
           createHome = true;
@@ -68,11 +63,28 @@
           isSystemUser = true;
           openssh.authorizedKeys.keys = config.pub-solar-os.authentication.robot.sshPubKeys;
         };
+      };
 
-    users.groups.${config.pub-solar-os.authentication.robot.username} = { };
+    home-manager.users = (
+      lib.attrsets.foldlAttrs (
+        acc: name: value:
+        acc
+        // {
+          ${name} = {
+            home.stateVersion = "23.05";
+          };
+        }
+      ) { } flake.self.logins.admins
+    );
 
-    users.users.root.initialHashedPassword =
+    users.groups =
-      config.pub-solar-os.authentication.root.initialHashedPassword;
+      (lib.attrsets.foldlAttrs (
+        acc: name: value:
+        acc // { "${name}" = { }; }
+      ) { } flake.self.logins.admins)
+      // {
+        ${config.pub-solar-os.authentication.robot.username} = { };
+      };
 
     security.sudo.wheelNeedsPassword = false;
   };

modules/forgejo/default.nix

@@ -65,6 +65,7 @@
 
   services.forgejo = {
     enable = true;
+    package = pkgs.forgejo;
     user = "gitea";
     group = "gitea";
     database = {
@@ -75,7 +76,7 @@
     };
     stateDir = "/var/lib/forgejo";
     lfs.enable = true;
-    mailerPasswordFile = config.age.secrets.forgejo-mailer-password.path;
+    secrets.mailer.PASSWD = config.age.secrets.forgejo-mailer-password.path;
     settings = {
       DEFAULT.APP_NAME = "pub.solar git server";
 
@@ -185,7 +186,7 @@
       "/tmp/forgejo-backup.sql"
     ];
     timerConfig = {
-      OnCalendar = "*-*-* 00:00:00 Etc/UTC";
+      OnCalendar = "*-*-* 23:00:00 Etc/UTC";
     };
     initialize = true;
     passwordFile = config.age.secrets."restic-repo-storagebox-nachtigall".path;

modules/grafana/default.nix

@@ -43,7 +43,8 @@
   services.nginx.virtualHosts."grafana.${config.pub-solar-os.networking.domain}" = {
     enableACME = true;
     forceSSL = true;
-    locations."/".proxyPass = "http://127.0.0.1:${toString config.services.grafana.settings.server.http_port}";
+    locations."/".proxyPass =
+      "http://127.0.0.1:${toString config.services.grafana.settings.server.http_port}";
   };
 
   services.grafana = {

modules/keycloak/default.nix

@@ -50,7 +50,8 @@
         hostname = "auth.${config.pub-solar-os.networking.domain}";
         http-host = "127.0.0.1";
         http-port = 8080;
-        proxy = "edge";
+        proxy-headers = "xforwarded";
+        http-enabled = true;
       };
       themes = {
         "pub.solar" =

modules/matrix-irc/default.nix

@@ -16,6 +16,16 @@ let
   synapseClientPort = "${toString listenerWithClient.port}";
 in
 {
+  options.pub-solar-os = {
+    matrix.appservice-irc.mediaproxy = {
+      signingKeyPath = lib.mkOption {
+        description = "Path to file containing the IRC appservice mediaproxy signing key";
+        type = lib.types.str;
+        default = "/var/lib/matrix-appservice-irc/media-signingkey.jwk";
+      };
+    };
+  };
+  config = {
     services.matrix-appservice-irc = {
       enable = true;
       localpart = "irc_bot";
@@ -25,7 +35,6 @@ in
         homeserver = {
           domain = "${config.pub-solar-os.networking.domain}";
           url = "http://127.0.0.1:${synapseClientPort}";
-        media_url = "https://matrix.${config.pub-solar-os.networking.domain}";
           enablePresence = false;
         };
         ircService = {
@@ -43,6 +52,13 @@ in
           matrixHandler = {
             eventCacheSize = 4096;
           };
+          mediaProxy = {
+            signingKeyPath = config.pub-solar-os.matrix.appservice-irc.mediaproxy.signingKeyPath;
+            # keep media for 2 weeks
+            ttlSeconds = 1209600;
+            bindPort = 11111;
+            publicUrl = "https:///matrix.${config.pub-solar-os.networking.domain}/media";
+          };
           metrics = {
             enabled = true;
             remoteUserAgeBuckets = [
@@ -124,4 +140,5 @@ in
         };
       };
     };
+  };
 }

modules/matrix/default.nix

@@ -32,11 +32,6 @@ in
           type = lib.types.str;
           default = "${config.services.matrix-synapse.dataDir}/homeserver.signing.key";
         };
-
-        sliding-sync.enable = lib.mkEnableOption {
-          description = "Whether to enable a sliding-sync proxy, no longer needed with synapse version 1.114+";
-          default = false;
-        };
       };
 
       matrix-authentication-service = {
@@ -124,6 +119,17 @@ in
         enable_room_list_search = true;
         encryption_enabled_by_default_for_room_type = "off";
         event_cache_size = "100K";
+
+        # https://github.com/element-hq/synapse/issues/11203
+        # No YAML deep-merge, so this needs to be in secret extraConfigFiles
+        # together with msc3861
+        #experimental_features = {
+        #  # Room summary API
+        #  msc3266_enabled = true;
+        #  # Rendezvous server for QR Code generation
+        #  msc4108_enabled = true;
+        #};
+
         federation_rr_transactions_per_room_per_second = 50;
         federation_client_minimum_tls_version = "1.2";
         forget_rooms_on_leave = true;
@@ -328,24 +334,13 @@ in
       };
     };
 
-    services.matrix-sliding-sync = {
-      enable = config.pub-solar-os.matrix.synapse.sliding-sync.enable;
-      settings = {
-        SYNCV3_SERVER = "https://${publicDomain}";
-        SYNCV3_BINDADDR = "127.0.0.1:8011";
-        # The bind addr for Prometheus metrics, which will be accessible at
-        # /metrics at this address
-        SYNCV3_PROM = "127.0.0.1:9100";
-      };
-      environmentFile = config.age.secrets."matrix-synapse-sliding-sync-secret".path;
-    };
-
     pub-solar-os.backups.restic.matrix-synapse = {
       paths = [
         "/var/lib/matrix-synapse"
         "/var/lib/matrix-appservice-irc"
         "/var/lib/mautrix-telegram"
         "/tmp/matrix-synapse-backup.sql"
+        "/tmp/matrix-authentication-service-backup.sql"
       ];
       timerConfig = {
         OnCalendar = "*-*-* 05:00:00 Etc/UTC";
@@ -353,9 +348,11 @@ in
       initialize = true;
       backupPrepareCommand = ''
         ${pkgs.sudo}/bin/sudo -u postgres ${pkgs.postgresql}/bin/pg_dump -d matrix > /tmp/matrix-synapse-backup.sql
+        ${pkgs.sudo}/bin/sudo -u postgres ${pkgs.postgresql}/bin/pg_dump -d matrix-authentication-service > /tmp/matrix-authentication-service-backup.sql
       '';
       backupCleanupCommand = ''
         rm /tmp/matrix-synapse-backup.sql
+        rm /tmp/matrix-authentication-service-backup.sql
       '';
       pruneOpts = [
         "--keep-daily 7"

modules/mediawiki/default.nix

@@ -70,6 +70,8 @@ let
       $wgUploadDirectory = "/var/www/html/uploads";
       $wgUploadPath = $wgScriptPath . "/uploads";
 
+      $wgFileExtensions = [ 'png', 'gif', 'jpg', 'jpeg', 'webp', 'svg', 'pdf', ];
+
       $wgUseImageMagick = true;
       $wgImageMagickConvertCommand = "/usr/bin/convert";
 
@@ -139,6 +141,10 @@ let
       // https://www.mediawiki.org/wiki/Extension:PluggableAuth#Configuration
       $wgPluggableAuth_EnableAutoLogin = false;
       $wgPluggableAuth_ButtonLabel = 'Login with pub.solar ID';
+      // Avoid getting logged out after 30 minutes
+      // https://www.mediawiki.org/wiki/Topic:W4be4h6t63vf3y8p
+      // https://www.mediawiki.org/wiki/Manual:$wgRememberMe
+      $wgRememberMe = 'always';
 
       // https://www.mediawiki.org/wiki/Extension:OpenID_Connect#Keycloak
       $wgPluggableAuth_Config[] = [
@@ -211,7 +217,7 @@ in
       backend = "docker";
 
       containers."mediawiki" = {
-        image = "git.pub.solar/pub-solar/mediawiki-oidc-docker:1.42.1";
+        image = "git.pub.solar/pub-solar/mediawiki-oidc-docker:1.43.0";
         user = "1000:${builtins.toString gid}";
         autoStart = true;
 
@@ -240,7 +246,7 @@ in
       "/tmp/mediawiki-backup.sql"
     ];
     timerConfig = {
-      OnCalendar = "*-*-* 00:30:00 Etc/UTC";
+      OnCalendar = "*-*-* 00:00:00 Etc/UTC";
     };
     initialize = true;
     backupPrepareCommand = ''

modules/nextcloud/default.nix

@@ -2,6 +2,7 @@
   config,
   pkgs,
   flake,
+  lib,
   ...
 }:
 {
@@ -22,12 +23,33 @@
     forceSSL = true;
   };
 
-  services.nextcloud = {
+  services.nextcloud =
+    let
+      exiftool_1270 = pkgs.perlPackages.buildPerlPackage rec {
+        # NOTE nextcloud-memories needs this specific version of exiftool
+        # https://github.com/NixOS/nixpkgs/issues/345267
+        pname = "Image-ExifTool";
+        version = "12.70";
+        src = pkgs.fetchFromGitHub {
+          owner = "exiftool";
+          repo = "exiftool";
+          rev = version;
+          hash = "sha256-YMWYPI2SDi3s4KCpSNwovemS5MDj5W9ai0sOkvMa8Zg=";
+        };
+        nativeBuildInputs = lib.optional pkgs.stdenv.hostPlatform.isDarwin pkgs.shortenPerlShebang;
+        postInstall = lib.optionalString pkgs.stdenv.hostPlatform.isDarwin ''
+          shortenPerlShebang $out/bin/exiftool
+        '';
+      };
+    in
+    {
       hostName = "cloud.${config.pub-solar-os.networking.domain}";
       home = "/var/lib/nextcloud";
 
       enable = true;
-    package = pkgs.nextcloud29;
+      # When updating package, remember to update nextcloud30Packages in
+      # services.nextcloud.extraApps
+      package = pkgs.nextcloud30;
       https = true;
       secretFile = config.age.secrets."nextcloud-secrets".path; # secret
       maxUploadSize = "1G";
@@ -45,11 +67,10 @@
         dbuser = "nextcloud";
         dbtype = "pgsql";
         dbname = "nextcloud";
-      dbtableprefix = "oc_";
       };
 
       settings = {
-      overwrite.cli.url = "http://cloud.${config.pub-solar-os.networking.domain}";
+        overwrite.cli.url = "https://cloud.${config.pub-solar-os.networking.domain}";
         overwriteprotocol = "https";
 
         installed = true;
@@ -73,25 +94,43 @@
         allow_local_remote_servers = true;
 
         enable_previews = true;
+        jpeg_quality = 60;
         enabledPreviewProviders = [
           "OC\\Preview\\PNG"
           "OC\\Preview\\JPEG"
           "OC\\Preview\\GIF"
           "OC\\Preview\\BMP"
+          "OC\\Preview\\HEIC"
+          "OC\\Preview\\TIFF"
           "OC\\Preview\\XBitmap"
+          "OC\\Preview\\SVG"
+          "OC\\Preview\\WebP"
+          "OC\\Preview\\Font"
           "OC\\Preview\\Movie"
-        "OC\\Preview\\PDF"
+          "OC\\Preview\\ImaginaryPDF"
           "OC\\Preview\\MP3"
+          "OC\\Preview\\OpenDocument"
+          "OC\\Preview\\Krita"
           "OC\\Preview\\TXT"
           "OC\\Preview\\MarkDown"
+          "OC\\Preview\\Imaginary"
         ];
-      preview_max_x = "1024";
+        preview_imaginary_url = "http://127.0.0.1:${toString config.services.imaginary.port}/";
-      preview_max_y = "768";
+        preview_max_filesize_image = 128; # MB
-      preview_max_scale_factor = "1";
+        preview_max_memory = 512; # MB
+        preview_max_x = 2048; # px
+        preview_max_y = 2048; # px
+        preview_max_scale_factor = 1;
+        "preview_ffmpeg_path" = lib.getExe pkgs.ffmpeg-headless;
+
+        "memories.exiftool_no_local" = false;
+        "memories.exiftool" = "${exiftool_1270}/bin/exiftool";
+        "memories.vod.ffmpeg" = lib.getExe pkgs.ffmpeg;
+        "memories.vod.ffprobe" = lib.getExe' pkgs.ffmpeg-headless "ffprobe";
 
         auth.bruteforce.protection.enabled = true;
         trashbin_retention_obligation = "auto,7";
-      skeletondirectory = "./nextcloud-skeleton";
+        skeletondirectory = "${pkgs.nextcloud-skeleton}/{lang}";
         defaultapp = "file";
         activity_expire_days = "14";
         integrity.check.disabled = false;
@@ -132,10 +171,103 @@
       };
 
       caching.redis = true;
-    autoUpdateApps.enable = true;
+      # Don't allow the installation and updating of apps from the Nextcloud appstore,
+      # because we declaratively install them
+      appstoreEnable = false;
+      autoUpdateApps.enable = false;
+      extraApps = {
+        inherit (pkgs.nextcloud30Packages.apps)
+          calendar
+          contacts
+          cospend
+          deck
+          end_to_end_encryption
+          groupfolders
+          integration_deepl
+          mail
+          memories
+          notes
+          notify_push
+          previewgenerator
+          quota_warning
+          recognize
+          richdocuments
+          spreed
+          tasks
+          twofactor_webauthn
+          user_oidc
+          ;
+      };
       database.createLocally = true;
     };
 
+  # https://docs.nextcloud.com/server/30/admin_manual/installation/server_tuning.html#previews
+  services.imaginary = {
+    enable = true;
+    address = "127.0.0.1";
+    settings.return-size = true;
+  };
+
+  systemd = {
+    services =
+      let
+        occ = "/run/current-system/sw/bin/nextcloud-occ";
+      in
+      {
+        nextcloud-cron-preview-generator = {
+          environment.NEXTCLOUD_CONFIG_DIR = "${config.services.nextcloud.home}/config";
+          serviceConfig = {
+            ExecStart = "${occ} preview:pre-generate";
+            Type = "oneshot";
+            User = "nextcloud";
+          };
+        };
+
+        nextcloud-preview-generator-setup = {
+          wantedBy = [ "multi-user.target" ];
+          requires = [ "phpfpm-nextcloud.service" ];
+          after = [ "phpfpm-nextcloud.service" ];
+          environment.NEXTCLOUD_CONFIG_DIR = "${config.services.nextcloud.home}/config";
+          script = # bash
+            ''
+              # check with:
+              # for size in squareSizes widthSizes heightSizes; do echo -n "$size: "; nextcloud-occ config:app:get previewgenerator $size; done
+
+              # extra commands run for preview generator:
+              # 32   icon file list
+              # 64   icon file list android app, photos app
+              # 96   nextcloud client VFS windows file preview
+              # 256  file app grid view, many requests
+              # 512  photos app tags
+              ${occ} config:app:set --value="32 64 96 256 512" previewgenerator squareSizes
+
+              # 341 hover in maps app
+              # 1920 files/photos app when viewing picture
+              ${occ} config:app:set --value="341 1920" previewgenerator widthSizes
+
+              # 256 hover in maps app
+              # 1080 files/photos app when viewing picture
+              ${occ} config:app:set --value="256 1080" previewgenerator heightSizes
+            '';
+          serviceConfig = {
+            Type = "oneshot";
+            User = "nextcloud";
+          };
+        };
+      };
+    timers.nextcloud-cron-preview-generator = {
+      after = [ "nextcloud-setup.service" ];
+      timerConfig = {
+        OnCalendar = "*:0/10";
+        OnUnitActiveSec = "9m";
+        Persistent = true;
+        RandomizedDelaySec = 60;
+        Unit = "nextcloud-cron-preview-generator.service";
+      };
+      wantedBy = [ "timers.target" ];
+    };
+  };
+
   services.restic.backups.nextcloud-storagebox = {
     paths = [
       "/var/lib/nextcloud/data"

modules/nginx-matrix/default.nix

@@ -24,14 +24,6 @@ let
       secure_backup_required = false;
       secure_backup_setup_methods = [ ];
     };
-    "m.integrations" = {
-      managers = [
-        {
-          api_url = "https://dimension.${domain}/api/v1/scalar";
-          ui_url = "https://dimension.${domain}/element";
-        }
-      ];
-    };
   };
   wellKnownServer = domain: { "m.server" = "matrix.${domain}:8448"; };
   wellKnownSupport = {
@@ -128,6 +120,13 @@ in
           extraConfig = commonHeaders;
         };
 
+        # For IRC appservice media proxy
+        "/media" = {
+          priority = 100;
+          proxyPass = "http://127.0.0.1:${toString (config.services.matrix-appservice-irc.settings.ircService.mediaProxy.bindPort)}";
+          extraConfig = commonHeaders;
+        };
+
         # Forward to the auth service
         "~ ^/_matrix/client/(.*)/(login|logout|refresh)" = {
           priority = 100;

modules/nginx-matrix/element-client-config.nix

@@ -50,4 +50,15 @@
     # FUTUREWORK: Replace with pub.solar logo
     auth_header_logo_url = "themes/element/img/logos/element-logo.svg";
   };
+  # Enable Element Call Beta
+  features = {
+    feature_video_rooms = true;
+    feature_group_calls = true;
+    feature_element_call_video_rooms = true;
+  };
+  element_call = {
+    url = "https://call.element.io";
+    participant_limit = 50;
+    brand = "Element Call";
+  };
 }

modules/obs-portal/default.nix

@@ -154,7 +154,7 @@ in
       "/tmp/obs-portal-backup.sql"
     ];
     timerConfig = {
-      OnCalendar = "*-*-* 01:30:00 Etc/UTC";
+      OnCalendar = "*-*-* 06:00:00 Etc/UTC";
     };
     initialize = true;
     backupPrepareCommand = ''

modules/unlock-luks-on-boot/default.nix

@@ -10,7 +10,7 @@
 
       # Please create this manually the first time.
       hostKeys = [ "/etc/secrets/initrd/ssh_host_ed25519_key" ];
-      authorizedKeys = config.pub-solar-os.authentication.sshPubKeys;
+      authorizedKeys = flake.self.logins.sshPubKeys;
     };
     postCommands = ''
       # Automatically ask for the password on SSH login

modules/unlock-zfs-on-boot/default.nix

@@ -11,7 +11,7 @@
 
       # Please create this manually the first time.
       hostKeys = [ "/etc/secrets/initrd/ssh_host_ed25519_key" ];
-      authorizedKeys = config.pub-solar-os.authentication.sshPubKeys;
+      authorizedKeys = flake.self.logins.sshPubKeys;
     };
     # this will automatically load the zfs password prompt on login
     # and kill the other prompt so boot can continue

overlays/default.nix

@@ -1,7 +1,7 @@
-{ self, inputs, ... }:
+{ inputs, ... }:
 {
   flake = {
-    nixosModules = rec {
+    nixosModules = {
       overlays = (
         { ... }:
         {
@@ -12,12 +12,12 @@
                 unstable = import inputs.unstable { system = prev.system; };
               in
               {
+                matrix-authentication-service = unstable.matrix-authentication-service;
                 element-themes = prev.callPackage ./pkgs/element-themes { inherit (inputs) element-themes; };
                 element-stickerpicker = prev.callPackage ./pkgs/element-stickerpicker {
                   inherit (inputs) element-stickers maunium-stickerpicker;
                 };
-                mastodon = unstable.mastodon;
+                nextcloud-skeleton = prev.callPackage ./pkgs/nextcloud-skeleton { };
-                matrix-authentication-service = unstable.matrix-authentication-service;
               }
             )
           ];

overlays/pkgs/nextcloud-skeleton/de/Fotos/pubsolar.svg

@@ -4,7 +4,7 @@
    data-name="Layer 3"
    viewBox="0 0 275.3 276.37"
    version="1.1"
-   sodipodi:docname="pubsolar.svg"
+   sodipodi:docname="pub.solar.svg"
    inkscape:version="1.1.2 (0a00cf5339, 2022-02-04)"
    xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
    xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"

overlays/pkgs/nextcloud-skeleton/de/Liesmich.md

@@ -0,0 +1,7 @@
+# Willkommen zu deiner pub.solar Cloud!
+
+Standardmässig ist die Cloud auf 10MB Speicherplatz begrenzt. Wenn Du mehr zur Verfügung haben möchtest, sende uns gerne eine kurze Mail an [crew@pub.solar](mailto:crew@pub.solar).
+
+Zum Download von Nextcloud Desktop Clients, besuche bitte https://nextcloud.com/download. Eine Anleitung zur Einrichtung findest Du hier in unserem [Wiki zu Nextcloud](https://wiki.pub.solar/index.php/Nextcloud).
+
+Du kannst diese Datei bearbeiten, indem Du den Text hier anklickst und zum Beispiel Notizen für dieses Verzeichnis schreiben : )

overlays/pkgs/nextcloud-skeleton/default.nix

@@ -0,0 +1,29 @@
+# Based on:
+# https://nix.dev/tutorials/working-with-local-files.html#union-explicitly-include-files
+{
+  stdenvNoCC,
+  lib,
+}:
+let
+  fs = lib.fileset;
+  sourceFiles = fs.unions [
+    ./default/Documents/Example.odt
+    ./default/Pictures/pubsolar.png
+    ./default/Pictures/pubsolar.svg
+    ./default/Readme.md
+    ./de/Dokumente/Beispiel.odt
+    ./de/Fotos/pubsolar.png
+    ./de/Fotos/pubsolar.svg
+    ./de/Liesmich.md
+  ];
+in
+stdenvNoCC.mkDerivation {
+  name = "nextcloud-skeleton";
+  src = fs.toSource {
+    root = ./.;
+    fileset = sourceFiles;
+  };
+  postInstall = ''
+    cp -vr . $out
+  '';
+}

overlays/pkgs/nextcloud-skeleton/default/Pictures/pubsolar.svg

@@ -0,0 +1,119 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<svg
+   id="Layer_3"
+   data-name="Layer 3"
+   viewBox="0 0 275.3 276.37"
+   version="1.1"
+   sodipodi:docname="pub.solar.svg"
+   inkscape:version="1.1.2 (0a00cf5339, 2022-02-04)"
+   xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
+   xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
+   xmlns="http://www.w3.org/2000/svg"
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
+   xmlns:cc="http://creativecommons.org/ns#"
+   xmlns:dc="http://purl.org/dc/elements/1.1/">
+  <sodipodi:namedview
+     id="namedview226"
+     pagecolor="#ffffff"
+     bordercolor="#666666"
+     borderopacity="1.0"
+     inkscape:pageshadow="2"
+     inkscape:pageopacity="0.0"
+     inkscape:pagecheckerboard="0"
+     showgrid="false"
+     inkscape:zoom="4.3962803"
+     inkscape:cx="95.762774"
+     inkscape:cy="149.33079"
+     inkscape:window-width="2560"
+     inkscape:window-height="1380"
+     inkscape:window-x="0"
+     inkscape:window-y="0"
+     inkscape:window-maximized="1"
+     inkscape:current-layer="Layer_3" />
+  <defs
+     id="defs197">
+    <style
+       id="style195">.cls-1,.cls-2{fill:#ed1c24;}.cls-1{stroke:#ed1c24;stroke-width:6.89px;}.cls-1,.cls-2,.cls-4{stroke-miterlimit:10;}.cls-2{stroke:#fff;stroke-width:4.72px;}.cls-3{fill:#fff;}.cls-4{stroke:#000;stroke-width:4.58px;}</style>
+  </defs>
+  <title
+     id="title199">PubSolar logo</title>
+  <path
+     class="cls-1"
+     d="M362.85,272.68v11.78l-4.39,1.84a18.38,18.38,0,0,0-11.24,15.8l-.59,9.43-7.92.61a18.38,18.38,0,0,0-15.53,11.22l-2.47,5.9H309.07a18.38,18.38,0,0,0-14.13,6.63l-6.8,8.17-10.58-3.17a18.38,18.38,0,0,0-14.89,1.95l-9.84,6-8.65-5.75a18.38,18.38,0,0,0-15.75-2.2l-10,3.17-5.88-7a18.38,18.38,0,0,0-15.43-6.51l-10.24.76-4.62-8.75a18.38,18.38,0,0,0-14.22-9.69l-9.7-1.08-1.89-10.65a18.38,18.38,0,0,0-11.06-13.77L134.7,283l.93-11.32a18.38,18.38,0,0,0-7-16l-6.52-5.06,3.55-8.77a18.38,18.38,0,0,0-1.77-17.13l-5.74-8.57,6.06-8a18.38,18.38,0,0,0,2.54-17.63l-3.93-10.34,5.12-2.87a18.38,18.38,0,0,0,9.31-17.78l-1.12-11.75,8.18-2.64a18.38,18.38,0,0,0,12.67-16l.75-9.5h6.44a18.38,18.38,0,0,0,17.59-13L184,99.13l12.19,1.25a18.38,18.38,0,0,0,17.27-8.25l4.11-6.3,8.21,3.79a18.38,18.38,0,0,0,20.12-3.14l5.85-5.36L261,88.21a18.38,18.38,0,0,0,18.23,2.32L287.76,87l6,7.67a18.38,18.38,0,0,0,15.32,7l11.25-.51,3.21,7.56a18.38,18.38,0,0,0,15.29,11.12l9.33.83.48,7.39A18.38,18.38,0,0,0,358.1,143l9.37,5.18-.71,11.41a18.38,18.38,0,0,0,7.43,15.93l7.14,5.26-3.79,10.66a18.38,18.38,0,0,0,2,16.27l5.57,8.45-6.46,10.31a18.38,18.38,0,0,0-2.11,14.77l2.66,9.38-9.63,7.93A18.38,18.38,0,0,0,362.85,272.68Z"
+     transform="translate(-113.88 -76.62)"
+     id="path201" />
+  <circle
+     class="cls-2"
+     cx="137.72"
+     cy="138.48"
+     r="117.79"
+     id="circle203" />
+  <path
+     class="cls-3"
+     d="M326.34,141.78A105.72,105.72,0,0,0,181.56,295.61,105.7,105.7,0,1,1,326.34,141.78Z"
+     transform="translate(-113.88 -76.62)"
+     id="path205" />
+  <path
+     class="cls-3"
+     d="m 180.73,231.12 c 0.57,1.71 6.47,20.7 10,30 3.53,9.3 7.59,16.9 12.87,17.74 5.28,0.84 10.64,-7.56 16.9,-7.78 8.76,-0.31 13.68,-1 18.13,-8.12 3.56,-5.67 9.9,1.76 25.87,-7.49 8.71,-5 26.56,-4.08 43.4,-11.91 20.26,-9.42 6.82,-12 6.83,-24 0,-3.84 3.66,-4.88 9.42,-7.17 3.82,-1.52 9.75,-4.8 8.63,-8.92 -1.24,-4.55 -0.79,-6.28 -5.2,-7.93 -8.95912,-3.35701 -15.41112,0.51436 -20.81894,2.56685 -7.90305,3.13369 -9.25397,-5.78637 -14.68734,-7.38637 -3.84252,-1.13153 -10.81538,-2.53029 -12.21968,-9.01195 C 278.1258,173.18465 270.1,170.58 261.8,170.42 c -4.33,-0.08 -8,1.37 -11,-5.82 -3.38,-8.07 -10.07,-19.35 -16.92,-12 -6.85,7.35 2,17.55 3.13,27 0.19,1.55 -0.08,3 -1.63,3.23 -3.79619,0.48553 -7.30604,2.27403 -9.93,5.06 -4.27,4.41 -8.18,-2.59 -15.09,3.8 -6.32,5.85 -13.27,-0.73 -25.52,-0.41 -20.65,0.56 -4.11,39.84 -4.11,39.84 z"
+     transform="translate(-113.88,-76.62)"
+     id="path207"
+     sodipodi:nodetypes="csscccccccccscccscccccc" />
+  <path
+     class="cls-4"
+     d="M200.74,254.41a27,27,0,0,0,1.31,3c2.16,4.33,1.11,2.86,3.11,6.36,1.22,2.13,4.06,6.21,2.11,6.86-1.68.56-4.06-1-4.75-3.08-.34-1-.59-2.08-.93-3.1-2.72-8.19-6.6-15.8-9.33-24-3-9-5.76-18.25-7.12-27.94-.46-3.57-3.28-10.18-.86-11,1.49-.49,2.14.53,2.48,1.55.74,2.23.09,2.45.5,3.66a1.31,1.31,0,0,0,1.7.78c1.68-.56,1.9-3.63,3.95-4.31,7.36-2.45,15.23,5.38,17.4,11.9,1.48,6-1.4,10.39-6.34,15.14a7.39,7.39,0,0,1-2.86,1.67c-2,.68-4.81.46-6.12.89s-1.61,1.36-1.15,2.76,1.21,2.7,1.67,4.1c.68,2,1.15,4.07,1.83,6.11a13.67,13.67,0,0,0,.71,1.83C198.94,249.94,200,252.18,200.74,254.41Zm-6.45-48.32c-6.52,2.17-4.88,13.31-3,19.08,1.3,3.91,4.19,5.44,8.09,4.14,5.59-1.86,9.23-8.65,7.37-14.24C205.11,211,199.22,204.45,194.29,206.09Z"
+     transform="translate(-113.88 -76.62)"
+     id="path209" />
+  <path
+     class="cls-4"
+     d="M216.34,197.41a.88.88,0,0,1,1.35.45c2.1,3.85,3.09,9.07,5.33,13.18,2.1,3.85,7.1,7,9.45,5.68,2.67-1.46,4.77-8.79,2.56-12.83-.64-1.17-1.64-2.24-2.5-3.8-1.32-2.41-2.15-6.11.13-7.35,1.37-.75,1.92-.2,2.31.52.07.13.08.29.15.43.25.46.59.78.84,1.23,1.1,2,1.14,4.88,1.54,6.86a21.85,21.85,0,0,0,2,6.08,14.16,14.16,0,0,0,4.19,4.74c.38.38,1,.73,1.24,1.18a1.24,1.24,0,0,1-.71,1.66c-.85.46-3.88-1.52-4.84-3.28-.21-.39-.3-.85-.55-1.31a.78.78,0,0,0-1.14-.23c-.65.36-.62,2.12-.83,2.82-.76,2-1.51,4.21-3.33,5.21-4,2.21-9.11-1.63-10.89-4.89-.43-.78-.79-1.6-1.25-2.45C219.43,207.58,215.43,197.91,216.34,197.41Z"
+     transform="translate(-113.88 -76.62)"
+     id="path211" />
+  <path
+     class="cls-4"
+     d="M251.1,184.25c.22.55.06,1.41,1.17,1,.62-.24.83-1.12,1.06-1.77a7.57,7.57,0,0,1,4.54-4.5c6.36-2.5,13.65,1.82,15.88,7.49,2.12,5.39,1,13.9-5.72,16.54a10.23,10.23,0,0,1-5.58.43,4,4,0,0,0-2-.18c-.9.35,0,2.33-1.08,2.74-1.94.76-3.25-.83-4.09-2.74-1.37-3.29-3.11-8.25-4.44-11.64s-2.43-7.19-3.84-10.79c-1.33-3.39-3-6.71-4.39-10.17-.6-1.52-1.13-3.07-1.7-4.52a17.75,17.75,0,0,0-2.25-4.31,1,1,0,0,1-.23-.39,1.46,1.46,0,0,1,1.06-1.77,1.54,1.54,0,0,1,2.14,1l.14.35a75.7,75.7,0,0,0,3.53,10.19c.35.9.8,1.84,1.15,2.74l-.07,0C247.73,177.34,249.77,180.86,251.1,184.25Zm8-3.06c-5.33,2.09-6.44,8.2-4.32,13.59a9.89,9.89,0,0,0,13,5.9c4.36-1.71,5.62-9.07,3.88-13.5C268.24,181.58,263.7,179.37,259.07,181.19Z"
+     transform="translate(-113.88 -76.62)"
+     id="path213" />
+  <path
+     class="cls-4"
+     d="M216.42,242.8c-.49-2.48,2.88-6.17,6.16-6.81,1.83-.36,4.94.47,5.28,2.22a1.91,1.91,0,0,1-1.12,2c-1.38.27-2.88-1.93-4.33-1.65s-3.39,2.41-3.13,3.72c.59,3,7.19,5.79,10.06,8.48a7,7,0,0,1,2.07,3.61,7.5,7.5,0,0,1-5.63,8.37c-5.76,1.13-9.07-3-11.63-6.81a2,2,0,0,1-.39-.83,1.4,1.4,0,0,1,1-1.71c.87-.17,1.43.7,1.86,1.38,1.5,3,4,6.41,8.28,5.57,2.7-.53,4.44-3.22,3.79-6.57C227.21,249.93,217.23,247,216.42,242.8Z"
+     transform="translate(-113.88 -76.62)"
+     id="path215" />
+  <path
+     class="cls-4"
+     d="M244.38,250.12c-6.18-5.9-6.33-14.67-2.63-18.54,2.46-2.58,9.1-4.36,13.13-.51,3.39,3.23,6.36,13.57,1.38,18.78a6.15,6.15,0,0,1-5.21,1.91,7.1,7.1,0,0,0-3.3.34c-.83.33-1,.34-1.85-.43-.27-.26-.59-.67-1.08-1.13Zm8.85-17.44a6.87,6.87,0,0,0-9.3.16c-2.62,2.74-1.09,12.22,1.38,14.58s7.16,2.94,9.68.3C258,244.55,257.58,236.83,253.23,232.67Z"
+     transform="translate(-113.88 -76.62)"
+     id="path217" />
+  <path
+     class="cls-4"
+     d="M269.24,237.75a63.21,63.21,0,0,0-2.83-6.39s-1-2.71-1.6-4.88c-.76-1.94-1.59-3.84-2.35-5.78-2.09-5.33-10.17-21.45-6.49-20.18,1.83.63,2.79.82,3.06,1.52a28.65,28.65,0,0,1,1,4.84c1.23,4.66,4.57,13.94,6.83,19.68.9,2.28,1.89,4.61,2.93,6.83,2,4.46,4.33,9.33,4.18,10.25C273.94,243.64,272.62,248.25,269.24,237.75Z"
+     transform="translate(-113.88 -76.62)"
+     id="path219" />
+  <path
+     class="cls-4"
+     d="M288.05,226.57c1-.37,1.51-1,1.29-2.58-.3-2.13-2.48-6.48-4.62-6.18-1.84.26-3.45,3.78-4.85,4-.59.08-1.23-.73-1.29-1.17-.26-1.84,4.38-4.66,5.92-4.88,5.22-.73,7.52,9.3,9.65,15.91.44,1.52,1,2.41,2.74,2.39.68.06,1.72,0,1.83.72A2.08,2.08,0,0,1,297,237c-1.25.17-2.61-1.51-3.64-1.37-2.06.29-3.5,3.94-6.3,4.33a4.31,4.31,0,0,1-4.94-3.66c0-.22,0-.45,0-.67C281.56,230.56,283.06,228.39,288.05,226.57ZM284.42,235c.21,1.47.62,2.84,2.54,2.57s5.26-4.26,5-6.32c-.33-2.36-2.1-2.71-3.91-2.76C285.44,228.81,284,231.64,284.42,235Z"
+     transform="translate(-113.88 -76.62)"
+     id="path221" />
+  <path
+     class="cls-4"
+     d="M306.07,208c2.38-.87,14.61-5.28,16.95-6.05.86-.23,1.94-.52,2.28.78.92,3.45-22.71,6-20.38,14.81,1.28,4.81,2.85,9.55,4,14.3.25.93.1,1.82-1,2.11-2.08.56-4.25-10.17-4.27-10.24C301.92,216.9,299.43,210.42,306.07,208Z"
+     transform="translate(-113.88 -76.62)"
+     id="path223" />
+  <ellipse
+     style="fill:#000000;fill-rule:evenodd;stroke-width:0.83809"
+     id="path429"
+     cx="172.17104"
+     cy="122.1034"
+     rx="4.5852861"
+     ry="4.9624691" />
+  <metadata
+     id="metadata3053">
+    <rdf:RDF>
+      <cc:Work
+         rdf:about="">
+        <dc:title>PubSolar logo</dc:title>
+      </cc:Work>
+    </rdf:RDF>
+  </metadata>
+</svg>

overlays/pkgs/nextcloud-skeleton/default/Readme.md

@@ -2,6 +2,6 @@
 
 By default, the cloud is limited to 10MB of storage. If you want more, just send a short request to [crew@pub.solar](mailto:crew@pub.solar).
 
-To download a desktop client, go to https://nextcloud.com/download.
+To download a Nextlcoud desktop client, go to https://nextcloud.com/download. You can find instructions on how to set it up on our [Nextcloud wiki page](https://wiki.pub.solar/index.php/Nextcloud).
 
 You can edit this file by clicking here, and put any contents you want as notes for this directory :)

secrets/forgejo-mailer-password.age

@@ -1,43 +1,43 @@
 age-encryption.org/v1
--> ssh-ed25519 iDKjwg vmr542fc5ndYRiW5ukHanhTMBV4TgSduloYjuWwmpw8
+-> ssh-ed25519 iDKjwg YUx9BsGMd2Ktik7WpwB3De9yJ6LlvjdT4NlQ10cYCkU
-ACSBzerGx8Rd17zNfgO3qSqwBuQio9oyYaa5ypUbBxk
+iv1++TiwEXdzUV2kkrOKG7L3PARkK8zhkFTiwz6+7ng
--> ssh-ed25519 uYcDNw fjP84i8BsNOfBoVDpH25MBC6D3xPXwbbO9ghLKr+mE4
+-> ssh-ed25519 uYcDNw LhnuH/EWh0avSUUJ0KN0R+hnYHb4IHf/IDJ4JRhednU
-TRKHWqVvzLP/AOJ5SJ5qeKj6UdYp2+tsxO/GVRy+qt0
+TMTsyAql6P1OU/Ul7hmKQxA0tFgvpmpc6rV/t8ED/Us
 -> ssh-rsa f5THog
-IMiwRGW5B09oJDDJamyQBOwtFu+KhxUQQ1w0RJEnpITZZzyfHOuhAuwsjLy+us9v
+aFpnc2pOpKxetwVCbaYICWoQJequV5WRYApzeZsLb5QmizHppsc3aXnOjLXhn/4X
-znzSA7bo1YusdFjzfW4RZeueuW8vvWdsv9Cjadlg6Bb2uP7sWeh7qH+IoyB2Z9Kt
+NgUBk6DftL/IjlaelqlR3MPWHKYLRlhu5r27mkp+2xQHXTsXd1yA8D/qdjNX2CV6
-fZ0O6O+65pOybsCKZ9cUuZ+E9E5nG2KRjzdV+csEKAshGLqeo2RILKZB8oSx9tZr
+lydx9nKJ8sEWA2OLgDlyFT7jY8M8cIOxv96ONwvAIm0u+9VOPyVteYiLuUb/LbVI
-sjPXRFLchj/6zbY1yBs+q0+qC7ldUBdJLDtl5Yj6hzB4fk1JuPTSDWtKSHBYDz60
+rVmxD66Y8mA+/JFtQozGp6Skl5UgzY73gbgSt4ZTOINY+TB1Mi0ntmXGcpJYPnvq
-Ri3CO1Z0z+8/IJWZqaa0a7jCYH6v4ZzboGrdE7MJq6Tyorl26bitSSevXHJmCrJq
+zxepbi3yhOVjWg0i0JZ7oRrLUU/7LzpRwXFNag0x7DClLhGyWwgY7Sh922fHX0ik
-ZpcpZfs/kVFu05ftaVul6vyPM09QOIQx+ia9tIKmCgWNcrM5mSy63C9klutXOW6j
+7Ss4SCzX2XE7cRkUnJztPCrP52TucTVVSmtmT2ik6aGBz6eYcBGOBXUbLKIDZBmA
-GZ60YUnOvVDz+i0wmaZvMs3C4THhdtOsln/dVrqOKFKf704mAsO4cSEwqNyoXy7n
+KlsJwNFX3IEEB2qpMg4ddnVUX/mq0vqJdoG0vDLcOttZUAY6iWVc45CzM7aHrEN9
-/WbxDQcTU62pKEkwlU//CjuA0rHwmX8m/tweNuokh8fPJ6SLE9dLqxPzmeq9JX7q
+1jPht+END3l3rSZJea+aUhXcLbslCyyd9GUdaKFBd7LfK4cvyx9P3VvNWbpbSgpL
-RNO+eZZ2NnjpkrI46stVS3p3FUHPbk9mhIiyfr4LgSBCoNWv1TkLS8DOqWOeNKfy
+yI8Qi+5rEl9++Dv4u8iS/uV/O3yTkFi0OMVrjudXRi9wpnnM6xHB1gn5kFFm/Y3h
-8wLAjgvpNIk8Vgbhoe4/G8wB5Qvr0vfGmdjzA5miu28YZ8PXHN6DlkaT9T0iROuZ
+Cq9sVgGPy0HzVeivE/PlX/e8FZKThEa3+GofBFgfDCuSrTlKw9AKQRSvx6m6VVki
-HM8j2FND2EYLB/Je19ctYNDjCmEYFhsvH/H448QMODw
+w1ejms4bZZY29U32+fFdPPNTLyJVYifSlQLL6bw7hyI
 -> ssh-rsa kFDS0A
-nSuC6Kgnp3+r41SXWEqIkryUlhWQTl5Qr0muXhnsBmuN+2iVBGYFqxqJSDpdnvbM
+nEw8pNW6YS7MUCMnKfaJtX8uVGNCcX/X3qwuLnD6GK26QqQBjbLuLc5uQn4staeA
-SIIy5c5rLfGSNRejRebgvyCntEvrOiGtmgubpURMEaXwJiEI+Hqfju1V8yi2RUto
+4z68hJ30Zx5Yncscr+61/Afa3UP/IYTcZbnMLs62D29qeJaNKSDs3r/LpIf8IXq4
-KTR/YhYv0i50pLMV4JD7MWPga/zeYUVhE8eISUNFbiJS+ve3BP/3Tg2E9tUvTsCG
+GwdaKFqRRsqVTyAZj0nRdRbzWQqYftQWVdgPTkl6t9cx/3BLAaH9ID2mwgI4H5KQ
-j7MxM4Td1jH2jCa7ueYOJ0R/qr0BKIEOGP4e+7YCByujYWKTV1JHOZehzIYA5wFs
+h2tT0ytfvZlXHYkUj2YVdh7e+MDRv/Wzssdm7869vL7vhZH5D3hSrunOrMaat3Io
-Bqq7GZnTTiP5n/kh7CgNyWORdBW4gaBslyhjAJI3hCbBvZer547K4moP6aPKog32
+VDuGLBf4374bRtREnBwlFlOI5+VwUov8JSP6aakb8P0PfIuCyA8yb+Qde0xxKBkd
-yTZQVVu/kZzCIgA/4TzWr/g11fKD0dUnPCmXbctQVgeOtYAbnWJBFwMmXvQdRU2P
+FTVlBx+w5To8gjcakoeVVtBO3fRcW9WuVjXocUYK9/SDeTmUFpxOGNtd128Jefra
-jt5Ce0WqwhExaE8fAx7v3AYXhYgAOBem4uIe34PAuj672Tc1U61hztSCynE2cXI/
+PGOvC62k2NnFuVSJHKDusBjtVIwxbu1+8n6LcEv6yON+6ckUG0KYXGRLFsZ5va2d
-2ZyCoWZZC/4fjUTFXC8urATfjgGV5PrhRcU4JtnQwytjd0Ru4pm56zZCpzmHxWMi
+mizsRRMyErJoxMsOpjJfsYuXMo+qP3qelPuC5+OLjakQmS0grnnOJfpmB8k880uY
-bbyVSF5NisCvjF5rxyS4XXNfg52fkV01gJsJ48B9dnSs5HYTBaWQWJ00sO5ssGRm
+ort/J8G/zqw2IjbJt6T8sXRkQpJGb0RtTjtsQUeLIcOYcHhc/zYJFfKXC71/QyJQ
-9H+T/Bsi42X6lnlt8ybzYD7aDIJbfz56vHf18/tfRhOzYbIBE7Rnkvs0vsNwT05K
+cZcoMFzrMkTzPR0pQhPOWIWQ4iI53BJ62x4UJWZGyLtISy860R+XO2kN2exgTaoM
-OGOb3iLFtxGGIpSC5Ba1T8h1TuEAawhmrHkF/Lfdr8g
+EjyUt8dgMpFv0dUEgp0zV+RYbxQ6igkw+VjgpBQVeUs
--> piv-p256 vRzPNw AquhJELiSYcW1KeKiied88TcDZYgtjdZm46FlV7CRsmt
+-> piv-p256 vRzPNw A7sx9kkQ3NzJz+d/Ya+g4A3Ix+Qt1vtLh51MD9L/KYAI
-ikxq4EIkI3UXqjns1QJdAe0N3mEh7sbzYPu9H0IvmCA
+3lcDBl2ASZFtVbm85rWoWhcms4uX2HSclaOA2uI2nsw
--> piv-p256 zqq/iw A94RUts75asVyQG7IZSfg7mDgcWI/hruOfRqD8Pdn4Ff
+-> piv-p256 zqq/iw A+QlOdyKHPpzJcMfelkjoZAIKH+CaIYEXvjEBqhkK+Fq
-17kI8IKl98f5lMqdcvqpTO8EN7pr9HP0SJJxFlIMcrw
+U8jveuLYYD7xZS38Tt+5lXwIivp6mbqoeimmR5YCzc0
--> ssh-ed25519 YFSOsg gvcjFcWsCaBjYXvab/eyIhDhfw2bjc3u+nOenGiebTc
+-> ssh-ed25519 YFSOsg pwEdRXKO421mOmY7nXMheQpklLWJIhhyKLiUcDA/qTc
-hi30KYU9aYxWG/ZWFZQ4qW/P+hi+ms3140/9BTYNo7k
+1ElMMBsK3pGM6ZmQHJiEHmZAz9L8oVBxoNRqA7bouHo
--> ssh-ed25519 iHV63A RVCt2pceoQfdaBWd5qXcT0x/0dQgLP3jKpa6xeDdnyY
+-> ssh-ed25519 iHV63A FIqGqLEuP8K4GXUXevEIDYGNGhNkK3fOpyLAGcJG3F8
-Q1arCu2nmcl3Qt/uqV6UeXUf/OffvNl7ZWtqbWjrw4k
+DHaPjWqKWZPUqEKB2WeYOarVnPv7r9tKqTI6/Dul9m0
--> ssh-ed25519 BVsyTA DX/5O7PCLEBoraM0qFy821i8GZysh2+XhR1fGV50SCw
+-> ssh-ed25519 BVsyTA xJ4b6U7UEnGcoftf7kIg0kVEbSUXopgQg4Zd4GxPwEw
-hN/a4NwiX9oySM7Uyt6vS9hjOTHNbN3tF9DAHF0vDiI
+k3D/0yg/+u/LrYwHjJC9mHB0CE+zvT9hhDbhNk/5f/8
--> ssh-ed25519 +3V2lQ uXmSWC+gV5JsARpa8cDv6faykEoYJHH0TqnWc8yzhQM
+-> ssh-ed25519 +3V2lQ b8V94Zy8Zh/4FkFyOkXZtASinRCUetLeDkLXb4Z7nns
-/y/94BU9Mwqcez6y2tJoCEkg8c5x9p8FkUbbhUpKh9M
+Rg7mEGEE/+la9DePIISQ4HD0U3bnUIfs0SuuGibb4wY
---- SA5BB1izTywLQB/5ghs3XqlOzr0ag2gI2/09M3eVtjY
+--- ikxtrZbYSkXtO/KzCj4WNITN7urLK2cXHJ0lVaL0ZO0
-±µ¦ýE¨Õ8SLJðZ½Ð°s\–4Â#ÏRB
rç|eÉY/ü|/.B¹
<0A>ÖÑ
+¦÷_PÕ¦¬o*Î_B	±Ÿ‘±ItÄs_AYUñ¾õè{Öa茯ªêz*ó¾¢Ý8m'ô*GÚ<16>–Ÿ£)

secrets/mail/admins.age

@@ -1,44 +1,43 @@
 age-encryption.org/v1
--> ssh-ed25519 UE5Ceg gD5QRHbcUWSile/Qrcd8JzEd07QTQsgxD4NkyNZYYVI
+-> ssh-ed25519 UE5Ceg /F0w5batb5Xwb9Uk/ayJ1bki4AY27MgXG+asgrAmvGM
-l2b1/Vue2S2ymlzCuHyHBDhSr3HQg4UMK12UCjTF6hw
+5faxx7aeLfJyNgjZvZak8G3LSK43LLM6LAWakT9DB1I
--> ssh-ed25519 uYcDNw os3fheZXnX06seK0rrB0jvVFULf7H+sxrymQHtkM+D4
+-> ssh-ed25519 uYcDNw bRvonmvcjyAertes4JaGeLrXQgwvI3bmILyDkRgXBnE
-+xzkMSJxAh7OJDEvznwCZXPi2tUAD0ejBV7qLM2KlV0
+kfmI6HGohHhE3kYLhjz4ZXBSJ8eVr8TncVPQQXr+NNo
 -> ssh-rsa f5THog
-sMUYZP1yspVxsI4zWydUKPyATbc/dHED1slRmQMYBCgiJbpXxrcfyU7JvwEiW2Nf
+QT6LrOzcJgcYdwEoLwDlgYm1eUAGIbbB5vkFyL4S0qOASGU/dKI20veQhS9DVYp9
-KXGU1HxBdstuC78+1jgVnSqRG2FUol+gAZPvqJCO30SznefSWciCvBfC71MKUjx5
+wR6m3E+/lR3h4qpYlFbb3HC4bjeodCpihraC6oDaJeTpQzUh5O4KiDqLn2kJd6Rs
-00WRZjQT/oSVAha7o/5nRqfsYy3mEkCvYOAX0X+ajpbIRJlywB29JNf19Smr4XNH
+ZZPq+IdMHL0hTl2Qat4VRXL1qkb5ufnyotK/i4/KdsdmVMVBR5J5PeSggdfw7b9X
-cYtiOMQlqYvHj+YAHIZPqvZN5Pt75zNRdHqr0b0s6GI9/SuCxwkwU5eeO/QYM94d
+ODUhHbyEvD4OugjpZevgnhF52lC9qLmjJjFsprfC3lZ0XTsXD0XK14loEQut1pmD
-QckXRdg56gZKyJ87QFRFCMXi2KAAwGjLNVhws7wvnh3G03ZCQ2rWGR8YZxtDYyee
+6AMdHI0MgHXjXm03r2/7iPCcHx43lIlXnNZ8RlEy4QjmN3PTHVg1TbLV8UfZs66C
-TXPBo1JNDlIrKyGOz3AfXSNq8UwZDodpRy7Vu0LQBQNCOicGYrWl2lQ8Mo5zfNp4
+D0gM6zaDzJ94qGd8Y9X5CXELmSGOIdIHN59cJLF2TnLXmItpqcS53Gu6h8JjD5Sh
-SbJZCxHztvHqeBWC3EQnQx95dUfUiui/zTp7HkQZ0bLVPS2qrSJCTlceT7JX7cIy
+QgzSf/1dchF1RKSX+h9Adtjy6e74xsyJYlVLTDyt01Xv32rcvU+0rvjm3jZuCLf0
-krgTQ1/qcFqt8VWSUFz5sKXwE2FnvvJ5QPGsRPkBs2GAKpMQXpyLkv173iPksBMb
+iMUxe2zaniPZWkRhu7EURkLlr+L30CO8V7YQUSeIjmNOCa/HIMCyZFfqc291YziG
-NU1slvMlPzfeg3xHuGCJYofVlhhcUMi/RTQKWmhwwzfLBXZfocINZqOKn72TnAb5
+i0Qy5bhrMPsWLTYMVi4Eh4QfF0UgsuiSPeWuffM07bJD3CbCCQgNPgKnq2L7Gawy
-yfJ2t3BEZkaY5rkGrUhnPFIteUczaavu+P76cqp79recEmFwq+hrtOMSsUF/t6eM
+7Gg5BQQLqyYaka0f2EHYYl819z41DXonn6Nms6SsVQyMMYsl1JMiAgVK/UOMvwGM
-R3uPzN+6gLHvc3IFL2WkKYT50cb1rOAK9FdZ5ilsVFc
+kcFjew8Imh1AHDThsiKC+4ogcKaBQL7yQylCT32NEcw
 -> ssh-rsa kFDS0A
-mNMbBAtl8DqLVje6lOnsZv6C9ytsl/dJBoJj+qfM5mTo5vkhyGPzo4NaaZIPnMVs
+HCbvIBMmGw0uxB5WqSzX5YtGNFB8DeM17U6PIOPailcgBc58NeKWLGy+V7TeM9FI
-SIckvd8gUhaPC4D98oPANl/GgBHEYSjVVwYS99THMYurW0E/brG+Awy+wYchO8yU
+2Uyd7ajj4R4UsDaPVzQ5pwU4ndFX7siq6gx2/IMsZmDPXQuSnEEPWGLQ9sWRYP1l
-rN14o4uk+LkAuRhSpDs7ExA91H/BIQFwNbkubY5Hp1dFvEjn99vhTi9ntHcsOLgR
+3l6NcerUgQ9j0n8EMAN7hJIzYrLOqv7E/8wyyLoQfn+sr6ZzV0UNt0LCNEZdrZ9t
-PE1QlfW2uzBvm+gwJ4zFPWDe3XqIUb+hU0N9hCdtRF6LxR5FaMzWuF2Y06O3qlLf
+X037HEDINcvmu8ZIhkopSmRUgX7abd3+gYOYE7jhR2Op7NtFMUVBmRodxA3MGYi0
-oamlPpB4jQAq4LXgm/GuW1csOmc+PPBEEc/V8DnLNqy9PAScd5LS/u0zL/D+NHCs
+Xxgvkr+3N4A43DsxMSOv7dXY1wDvsQt6h6A52JqTy9WNXFVuM6qbGVzHRdZuTqLN
-i3CRwDce5yCp3S+mrhIwoVZW4doK6fiKvkoYCC7lZYvA++eEUmZ4Xuj6eK9H14Yi
+JrB6hFhoYBmlAQQAQ6z+cswWWBnIUW+NRVvWHffP0UOUygW4IvmDJJIxF2tVjccl
-g3lF3k0NLH7xw5dUGB7faUOAtpVLaGRy4nyVHp9qOWgTvdxMCGjt+GbfSTnDQcvz
+4eo9KCVnKVssu1OdZALCgTCJtZf/qePTDycdVHnYlAPHMhgZ3GabtjopTZj0WL/9
-S9+FfDIPVOAh0jMv1J6w1aREPSeEOikC/TDBwB3f7UwKiFSS8aDwqRraUwmqiLaq
+hUc846TKbAY/wqv266O7m9zkigQ1t8p45FkM12kjHS/FsNl41Y6U2cLBZPBP4FkO
-L/lYo2DK5vBf20C5iM6SwowrvDV47ZBUbLO/ulvKDXydG1C9whMJGsBnEo06hASL
+0L2e4UItl4krM/j5vCjb9Rmu6OD6AVoL3Od41NtsrctHO2OmtQmYLlhNMQujPxA9
-oZK4oRpzJapil350Z94q/mShQUkzxYe6GS5h5eV+jly1mvL++7CJYywsWfe3Z6O5
+2kc2p2hIXARhaF6RsZPGzo9fmxY8RNj098eHfSIu1LDGXDWh0qn/Ron0wJjrIuf0
-Oy31UxjhpRhbW5iqOcvjALbCYEPiNst0zLqeFywZ+GE
+duobybLrn56z0ZbLco8yIlktzaupN/7G21Cd1obv/cw
--> piv-p256 vRzPNw A+EBgtoEKicMn8YJpH3ZGwV0PVt9l+YW6fTjs3deN70x
+-> piv-p256 vRzPNw A4lb3iojebwu1jnystqCo2mu1JcNF/ZJokIHAlq3UVWL
-RCx4lJavJo3pZRvj661M91wbZY6XTAMuqex95J6A22g
+BmTNumd62GqVHQffMceFTJggcrB5I2xL/o0y7zx06Wo
--> piv-p256 zqq/iw AhMeJNZ/JlBnn7+3scs1hU3NgQBsKDC9L6sK5i1IBPIx
+-> piv-p256 zqq/iw A1l2dATtpN2hIuBWPFe2pXjE+o4m0jAuBj/XEBeT4ciW
-QDZFPPU/Y5t9WQkP5CfZtPkl9CidOyebsubwbav4PCQ
+2pspweRhOy3O/Bp/pIsRfC98nw8jjC6hzK73s33xyk8
--> ssh-ed25519 YFSOsg kbmALRNCorj3qcJYyV5X2CGk0PBjOI6ay3INT15dFAA
+-> ssh-ed25519 YFSOsg FlcT5XKfbbQvL1cYTqGOW3/UlHyjV8Kj+v7i2/nh1Gs
-pfKCr+INssY1gccTCbFvnaaXLMoXr6DsCqgz4UD0mDE
+k6VAESkFmBk7NaBc8srEJVuRxrTuQ8DBnuoHBxUPJ0M
--> ssh-ed25519 iHV63A 8jd9mJGDe6yCjPGDIOusCzCR95Y7wRla5QjaBE1ESCU
+-> ssh-ed25519 iHV63A ASS2e8h/wzJPbGJ5a0Myk5cq8Bo1CjI+7p0+vpYR+D0
-vmjDhBr+lYTCu765o1FupE0/RbOGaB3X0wEbDyOfh3o
+o8NSe7Ro060AzxOHbTpOeKky8RPJlGy9bqToCa2/+5c
--> ssh-ed25519 BVsyTA e8lbhf+RO8CDMrR6MmBYgyeYJMXNMJ5cO5GsdYosbh4
+-> ssh-ed25519 BVsyTA ayvAZlLBX4XOEDo2fN1G5zDfe12UBTS5sy5Uhyy5UUY
-RKGw/EqxnQXeLrdPtCh84zZSN6lu0FyFfNSF7Rllbxk
+3DktYH9gTayHnC0Fn9bLmLjp4+fm4A0iS4u6oJzyopg
--> ssh-ed25519 +3V2lQ f4is4PhlyDSkRwbMIW6nehwLD6feea0so9AXWECX0ys
+-> ssh-ed25519 +3V2lQ 9wT3l+ng/VLiE57UvKZufrcgs4XNmvLtO5gh2QxbqXc
-0wUtiufdA5FzCIqZrcUE1XKSNOA7YK/PNAdRMnbXaNk
+0QF2WGB/I298EA/LGUapNEk1xYzokZqJSVmzhZI31lA
---- rHG5GfdaRsmhAQyX4M6fDFTwCWKfI4MXTgyFL4py7RY
+--- AL0d5/3pSSt2dfoHbha1EJKfSO6Z4PW55d648EvFYZQ
-|#÷üðÅd/Q‡Ä™‹”gÍGÅÄ…Äû—kýôjF@:}¶‹©
+Å›‹¯øÄ<EFBFBD>	<09>{ÁL?‚ïÌÿq%DÑSµçN]›W‡–ô‚¨}9ÅuÞš´çüüè⑪YÂœì,;èxŽöZ–e©vlÞ«	(f7öT:Ôf”<66>rNmJDJ§‰Ñ<uD(
-ˇÄ8:0ž"®ó“ì°Žß‹4ÿ¨PŒ›ª¶äJÑ?MxYhb—”Ï­•ê˜«#ç'tš

secrets/mastodon-smtp-password.age

@@ -1,45 +1,44 @@
 age-encryption.org/v1
--> ssh-ed25519 iDKjwg Td1xpczm4SaXNEVNf5TjN2QlbKJy3CW8LPDGiMclakI
+-> ssh-ed25519 iDKjwg /lzZjAYnRnyDSUN/ga+IlKbdHqEIetNRDFboG4zxPzo
-kFi0PFg+VHptG9WRBOtTJvDa4kjOua/4PF5AV6MPEZ4
+tK88QU+VTR+R/ZPr67TlIn8Ji5Km7eboDrznQCtSx9U
--> ssh-ed25519 uYcDNw NMzLBxORxWCd5A7sm5g+Mp0oORk8NFQ1kSmXLXr1lks
+-> ssh-ed25519 uYcDNw oy1/l0srtDa0g1uop8qWzAuEtvEQL68hk2QpC5uu1jI
-H3l3Ow3YMKKFkuwphewGH3J/3vl6QsbKW6w2l41+ERI
+6b1/Z8tdCAqWX0tnYz3TzCsTsGakCGUsafouguOLqEs
 -> ssh-rsa f5THog
-OXoPASz2VOPWVdFa6obQppMnVr6q/DdsMU4Wh0ok6cV7Mm1U/WIsTGCFxPtRUCAz
+RSDEWuJElPQVR9hh6TmB5zsseFnTwxEgBkpbXSr9rAbjLGWdopfC//jr3A87CUtF
-NhTi667lnXXgrkKmlJhC6R8R2HTNp2WeaDzllexX1uvYACc/rnvD7KPqmxePvoc7
+ka5YiCsTF4q9sgvVp3OoNmgQqSb1bpqn4Grh76XGJlawjKS5O8wv+ZHhReK+wD/x
-TYLawVxl83+wsWLDQR7vuK2lSB/S6qZ7yPpF0nDIM153WI7edHu69/Yu0V+xJp0A
+1M0WFHjEZ1W4n/vVBzZ7OJJpzqCMtJAnKzRFSFyIsv46qMw5xs8WS7hhHB0ehbWg
-UbSJTP53C+DA1J87H6SsN+qE/a67qTV6J3qhRD3tAW5EY0ZOQ+Lr7OQFRnEW4hOL
+tMpTo/IDFQ1KdgugNIJB91T1EZ1bxBnU0GZdwzqWakdArFh057Cte6y5vyoAihpm
-mbIXzgTISU/eQSJ22Xz7vk0jUOPN77RH5B/1EJmEbKJifZYYb9sajgrWwGvBbp4E
+yuqawfjG6rpS8MqcX704B7+r5OBnbPLmecYEtFBgN/XA/FdwgQWu+SQiO2fKNuWb
-hvWpGPqd2Jxxev1uhjjbwcf19O4/Gv1vCxTCQ6SQnW7t6L4hhWVKeH9p3/ZGHdcV
+0RzhU+o0o4xnzY5263peOTVhuca9CoDt3fl8jzEvYYyLyjOHBnznW/xrJentr3so
-GL7TtD7Qnj5uZfc4bOWZ5RSm/JYdjyIYFe0wP7qz21hup3j92nKMIruOL2o6s0nv
+1uPV7EHigdWP0eo5o/NCWZq98d52GznhFsq8A9PaQgwMa5p2LecgtYfvPEHIOQ9N
-m75n0aoZwQWyOdk5RZpfs9Bfw+y6tnsAWqg+PYR3RFV4raLbpFJJFYdPKO2E5gDx
+5JoVtawczAPA1BDthtKncteoFWIh7akQc39X0lnhtzboNntEzAwhpU3II5vCJYF0
-/y22LGVYZqajuKzfRmznHKGlSTxF0Aa+cFV5HWqmN3oA5UiteZX6JCQRVy5egfSo
+GzP8fEXESmfdZYiEqUB7KEvwr01Kn3gjVOAm35WHgGITq2/wMQXRwLT1frNao1M5
-KMNhpR37wxI6B5AUS0UMGay0kIWSUCJGe0PF/lPWoM9Q6Lp6CqJEUMwojZtISc8y
+JGUf+/OA9mW5MY8BDkMmZbTavSXXZkfjDk4h2WRINnTf/9mD8y7ewx5td/z3dVBz
-BJJclZ+M48HCR1OiCMXlduipXbRUV6TN9KytA+erRuo
+DsaOhg3yRwEDLqOfYUEjNUhSkH3midO8cRpb4k0Q6so
 -> ssh-rsa kFDS0A
-oNmPaJpfuPxGgcdYsPwDiaeu5lmoWLTdFjdKQqr/vEsmTC9TbgVIu3ijbixpaO7g
+bR+BGqJ8qQD3Ycci6KstU9b7UYhfm+mDY3PU8L+2DM1a9pDR1wm5oPHdpeV3fTl9
-cabLWs6WCAE4yV6bq8DCNVwok4IltRq6gz0E2H47qP9r5SsLGiu5HjBLajGlesId
+vDk/rDnsGypfKSBYWyZ9qdvPtyq9L69fpJSvlFw+l3dM7H8uAeK7BqlwGeA9VlM3
-8mxEL5dQIxnaBwFIsKreFfh2FlTuljTAmVtsqzQAspjGa/fHd/K8ZWUsyInHWaMR
+ixBlGDs3qG5mbmDOYapq1WLYsY+gr9nSFtmVt+jG4NDCL4G71/y+yVyLQusq8tKi
-KtgqGPjmbgWY0SM8j07j1OkKHuzIK2v/LRUUqvkcC/vZjoGqVbbJA40PhfRzDd2B
+AFqX/1lWG3+mGXtGo4FZUyEsJ6c6qrsyHYQQJneAOg+KmRLNctQ4fZSF8g56wCAC
-+FdYUHP86ZfeW1/dORSTQrad4OacWX38HI+P1atWq436wa+K9qOGzJcJfudtYJ43
+CeVz23S/286qxDh1S2erCcXw4dk/HJ4QQ9uVr7+m5+jpGcbEWppJ03728XjUnFle
-ZvF8rus5GOTP+M+HX1J2flSbG36WEB/0JD1nACsvE5eMtWtynAVbu/tyKuAmWzTS
+zsRJynTK6eyj9/93NuLYEkZvFdFmfuR2T0Mmbw1ummhDNbF+GrvVYBrUPJgBO7MQ
-zCy/biMn4vMYzHg3jsZIJvvGLwk2xTd3tesvqvOviDRGE1WmUK77shLlG7fGR76e
+YkELivZUX07HqEsq0RgvuECwY7s0vlU6Jc1gV6v+DCSrtcogO+ouIJhgLlWzFwG1
-/t1Zsvw2SFhpgeSbPYwoZcFQlxi0PVGgaT38mjWi5s6I6oA7hmvS8bcM2IXkICdu
+jwsYne+fbZVcI0GyfKvj9k6F71rLKUk/c00YObo5DwaMzolJhiipJw2T0r6Rytaa
-TBQ+nGjhwfmkhnfkHiEy6A9LYxziiDIJL15dma0KG7Kc6qhH7X62/mE+2OITKylA
+tOB4arjgAcEk9iLQciJJRXYQOkf1i6NpX/baP3nZ5ZUsDiK3pG7Nk/Wpf3rQWf3G
-+zB5BX0HI/UJx3tFDxoL9SwVqcXi6qWHWy+4vRHJUGe1hGLkF+f+iJTWxNL9Lcky
+z4h30uZXqxXQ1SXCPRQVR+T2szpDgEZvPADscred96PzTHhCL/KbbctYRnfATxb4
-VwJyO/kAQdDg5SNCDY3ohGhBb4VOBzX0AMJdXB7aE7s
+MvEwJGHNLSNWpBOXyMGC3g1zMUdCCFL6enbHjnHKKN0
--> piv-p256 vRzPNw A95+KMAiva5R852fe8G5ceXc23HfkCkio4H6w1eiZS61
+-> piv-p256 vRzPNw AsX0eqWcgaZnW0ll+SDjGtfSxhLs+7Re75jkZkkf1ejU
-ulukL7Gic4R1ptaKGWckIU+kaq/1AGwYI2aTrM87eMY
+ExwVpIrN223z22zUX7fGHRlU2uLwRsQENy/3vLYoKYk
--> piv-p256 zqq/iw Aj5KBZXqgzT1nq4lFoFJpKWSxZ1NmPX+nQkrC/0wbMt1
+-> piv-p256 zqq/iw AiKZsl0ahcMINu7X4Gw/V/lU3bDA9tbBAWi7zActxF06
-2DHEAmbQ2/XNDJ1umkGdHXbDzq5YDMUdmD/J3JMiaRo
+K1A8TlSdn5Wy1SU3fx10NYZ65kkZJjnbdFrXqJHKqSQ
--> ssh-ed25519 YFSOsg Bekl48HOIuCKbZ9xWeHtk5q/e1nFQXoiK2GYQWJ4/jo
+-> ssh-ed25519 YFSOsg NPEvPhLXAMdUS/EdOwsXY3YbWzJaq5FTEYj7zONAREA
-VtL/msbj5MaRl3V4GMoyWdqxyppTx+NYClMsTha/Prk
+dFpcvXAvJoH0Fo3cjUbkBKYFPU6lHnjAhA4CotsB3Qs
--> ssh-ed25519 iHV63A P2u2Lpz8kmaOfKMFMgQtcXYFzwy5wlAgciy20Ay/rV0
+-> ssh-ed25519 iHV63A txg54W7jhZ1B4tZW8kaB9sfzgEvKZprAqih2gp+qLSM
-FbOG+kykxeOioqiJ0ARNZUlcn85iBc0qmxdWb1VxmLU
+XjSxs4SiQ8IVWuluHkTt4FyMhJOZv1r5JZ+EnL8tSjY
--> ssh-ed25519 BVsyTA +602HApwdGhQ0Kd+oVNOKOuGCCBLLNp+/QLfLcV4nwE
+-> ssh-ed25519 BVsyTA p4KN+bojxjVnUu7kw0F5I2lB1e5dvn3WQm/5R7uX7lo
-gVnMaQszX3sps2hjiXxgcrq22W0mFfpMaT7OXqZS69s
+rU1SkFq9P9tta9nLM5vYkq9DKaSzO7svl6zbnSmiI+Q
--> ssh-ed25519 +3V2lQ GSgwPGbFo1TFNNrdIiiQapn/FXEk2JJgk5xzRDL6okY
+-> ssh-ed25519 +3V2lQ F2f9haPH7DaXkAQxwyQKJiwWuMw9UbD9QgxnU+EC6zE
-CnhJlD68e7P3xixU3DOwJJGiu0PpzeR3Ag2SUjti468
+G7aRwv+MRWz9eF4fKwi0PMfAkhP5IzEE+xeaWnjdWAI
---- 5Adibjlpvg9vr6rB/vaPEMj9y+MPL8vGRx582w9YIz0
+--- VotiCmupUOWIWZwJPR//t4Q1stiuYeiJ4b7xUBJocZA
-¦öÑõɈ²A
+Ôú‡%¶E<C2B6>;ìŒGÃÜCµ‚åR¿•ŒÂP²ÎÞ	ˆn:Ú_
-_Û;@1ò)»=4س†ÕÜè¼dmÕgZÕi“<69>T=ˆmMm®
+ý—¡J»oÃ9´ªÁsÐ1¨«Ëý^¸J`\³d
-®

secrets/matrix-synapse-sliding-sync-secret.age

@@ -1,45 +0,0 @@
-age-encryption.org/v1
--> ssh-ed25519 iDKjwg GPTqfaZZC6ze7BUkT1uF4VslvE29BFKm0+AlJk+DKQQ
-GxI7erqw8p3GrCArh5vZOiTmYh40DVisCphNyFhNTqM
--> ssh-ed25519 uYcDNw oo52Nh9BCO5NNF0YyzracKfvMifSiREsxyQqiRZ6WTs
-JvqwRX5yOMtEYgWyc7dIQs85wDghMRHQCIi6t5QxIwo
--> ssh-rsa f5THog
-w+B5hc0E9u1fFWNNPaTtPmJfPJWUBbRwHYK/T69g2ORNfaBYynl0LL4vSUs8o9Gw
-rwBY+cLpth6e4tS819H5C7HtvT47KR3KF8JLxVjA2mbVO83+BnWFjThjYB452CdI
-KZvQQPhkSH/43YF6pjxnQjNWB/wroScyjGVtUamcij7YHxt71z0AAnyqE5PgWEc6
-6/ao5gLfTKhcWpxkTTz8LHn05s9IppXywDrvpwtJaU8LKgJT2H6Epsaci348lG+I
-tAZYODhQqP+yKl92DZbuQQCjxH5CJfhdBs2ZR63hQPj9OrIFRjLg4V+1gdcxzAuz
-9FwwIeLq3uxWXPdwTRR8RUsHEGhKMcVty4PkW0vlt+VwZrZBhdz3k+ApVG7Jvclz
-MPZYLzKC0DiODqPuA23ye6suFRCHXYfq3ZyCIIN6wOci0X0crSr9ZXW4M8R7aWaZ
-XDeZRaUgvd54WI0HZhVWBvJQyswgUXf+/RkS4aI8IgnNV801x12h+mTdWX9BC/cD
-YRIWBnGkfTX4WM4OEE2VEgqSDuKl/90o2LFIquIIJULVd2Vs5C2S8FhJcsT7+HmL
-TFWnLeIfGbw7RDUeH0c/Bbg9NK11SZF0/VdRZcBQ/zIXBMBlL1EZsH1HfIfhKISN
-PyHFB5kfmuVIBhDXgtDdgjKfDmQL9/9Aq1U4ZMBcUKA
--> ssh-rsa kFDS0A
-KysKtr7wrKKJ8w+Dj7qjJstyXtKIw9weFi9oVwJkMvy2utn+JARs7puh7KC27TXC
-slZJrHf4vx+y8qSjRS0W4z8CPl8/auiYOilepT9JoxwGUP7J/nTr5SCofgWcdZm5
-FtgHoCcABjzcF+mrKUofuqrx6oYSDCS0JkV2tClQI6ybXnjRwIIicLmBN9UDHCuU
-9ZOesYp5XrJyBoD3Zv51b19xJyOfuWAUQvlNPRH2TpgvisutpESU/o869z5AMn4Z
-BfDD/0oR1ALbk/sB3r13Xi6oJZAB2AbggoQRlwvPeWc3MdS+bFNV2o2ue0ov6Fkd
-U5C/GnJVlyE0cv9I+YvxtLT6T/Gf/yoUZGfB7xD5QkHpMIEmKxUYqGNBB/NcnFMY
-Tal8jMDtZDEk+uk0MahE7GsL6Z3xrkKTevG+Rr3j+beFYie2RJbNwwUyQ1lL3EoA
-Rx1AMk+nYlvxVHiciYJNh9nffgAXXwO255IkWvYzmuPBEP1LmqadA4fQPf5Rgj3u
-DuOX3hJ+rIyRIoDXOZio3SDf+bb380xCxF+7efJ27Ep0sFviAq5qKeptbyt51Dp8
-tlbeYAylhVbV9Zgd+EozwE7Btlfqt3sbUij/0Iy+BdOYSPLmvx3oKybpipZ0i3fo
-KR/bZHlMKF1Ipd5L7zEwh5aTjImuomoyRyZG3NWdv44
--> piv-p256 vRzPNw A7FwWUuml/VyHcOmha3R/DOg1RvnRXcwjaJJH/sgmsBR
-+CP1/qY8sHbR7nkFl1T5HPsjYLRPDCSR01DEJaim96o
--> piv-p256 zqq/iw AgYhaJWqe+QbVCHkXsU7AQhWhte/fjwVbOgmHVRPHsEE
-7jNmDI62i/9RakJhbo3MP0qMgXYGlhAW9BKo8HLWQYc
--> ssh-ed25519 YFSOsg cGPMyhqcd20TDBeMkSDJ8hQ/vE9cuDgVi1hfcwAKVjw
-U9GRSr607w5oUGr0rC6XqdWMD65JidY/Ri3Ex1dmGXI
--> ssh-ed25519 iHV63A cW7bblsvL1TwI6lp8KjPfUwB5EzWilLhc6Z2geE3SQw
-PzBdZ/LXA7iGI7ZjErredqC7ehHsr5MCY3qENv0nZI8
--> ssh-ed25519 BVsyTA AGDqp6Rrp2vStBU9+eJMGf5O4SZQIASE63n8vbf8PEs
-SFakjoivQrFkSUBGZ9sISKVhAxNOpc2RxugiBTSK9/k
--> ssh-ed25519 +3V2lQ MmMv45CQFAdgkV/B7InOY22iXzvIU8TY41SV5Jxx7RQ
-vNIRE5wSXVzy4miZLV90T1TEOhOjYQT12GWtZpsTxJ8
---- EBBXvYr1OpETpgXOsUfJn6h1e4rXF+olz6DbhDUWCcw
-.Œ
-ösÊ~¦—åHͯk‘	2 ¦À9<C380>¶§Bz¤¨?°3ëþTÇJ`§gº¦P°çioÙÜr<C39C>Š€" 
ØÝöwÒs-K€6©òšfÝ
-ß0XÎŒvù‘Xª&£8

š¶gÐ=ÄzrH¥jh>

secrets/secrets.nix

@@ -60,6 +60,7 @@ in
   "keycloak-database-password.age".publicKeys = nachtigallKeys ++ adminKeys;
 
   "tankstelle-forgejo-actions-runner-token.age".publicKeys = tankstelleKeys ++ adminKeys;
+  "trinkgenossin-forgejo-actions-runner-token.age".publicKeys = trinkgenossinKeys ++ adminKeys;
   "forgejo-database-password.age".publicKeys = nachtigallKeys ++ adminKeys;
   "forgejo-mailer-password.age".publicKeys = nachtigallKeys ++ adminKeys;
   "forgejo-ssh-private-key.age".publicKeys = nachtigallKeys ++ adminKeys;
@@ -67,12 +68,14 @@ in
   "matrix-mautrix-telegram-env-file.age".publicKeys = nachtigallKeys ++ adminKeys;
   "matrix-synapse-signing-key.age".publicKeys = nachtigallKeys ++ adminKeys;
   "matrix-synapse-secret-config.yaml.age".publicKeys = nachtigallKeys ++ adminKeys;
-  "matrix-synapse-sliding-sync-secret.age".publicKeys = nachtigallKeys ++ adminKeys;
   "matrix-authentication-service-secret-config.yml.age".publicKeys = nachtigallKeys ++ adminKeys;
+  "matrix-appservice-irc-mediaproxy-signing-key.jwk.age".publicKeys = nachtigallKeys ++ adminKeys;
 
   "staging-matrix-synapse-secret-config.yaml.age".publicKeys = undergroundKeys ++ adminKeys;
   "staging-matrix-authentication-service-secret-config.yml.age".publicKeys =
     undergroundKeys ++ adminKeys;
+  "staging-matrix-appservice-irc-mediaproxy-signing-key.jwk.age".publicKeys =
+    undergroundKeys ++ adminKeys;
 
   "nextcloud-secrets.age".publicKeys = nachtigallKeys ++ adminKeys;
   "nextcloud-admin-pass.age".publicKeys = nachtigallKeys ++ adminKeys;

secrets/trinkgenossin-forgejo-actions-runner-token.age

@@ -0,0 +1,43 @@
+age-encryption.org/v1
+-> ssh-ed25519 NID4eA +iD73cCN5j4zSi+6Pv8KblglzrIleayuzc+zXV1Dfn0
+Jf7IwEqt/Zs7Vcnmr51Zpn0YKuPAASJ8iGSKV+Y5mnQ
+-> ssh-ed25519 uYcDNw vVNfTtCO3LQJ4xCxsYFEAfM3eP3bqfawxm4JkW5xjU0
+BGrReIXoR0R0Xs5weOvz4Kuf5OxoSjCJSlg5xDhqS54
+-> ssh-rsa f5THog
+UyeGX4ZC4T1j6a+cNUFN5Ly4LsDEybd4KAd+eZs/s4fQiFH3b1xZ1uAVwxUtCMem
+ugpie2W1f/VrsviCSgdY+WZAEP6zmErak3NQ85VYQauKt4HibboTADGo0PBZxtmn
+Nctq++tdJrg0LUf9SIGkwmOKJ3iRw77tlE2l+pLq6IVsGGuMVDZBXl+jLrelOEQP
+1kXFI1VMJ44M8hQuKvplcDEy8clcHedWiK2eD9MWw1aAat7ZJtTXgb0do0u67IAa
+h8EWsaoOQbraJa7IhcKQTiLYLAT0FDkDfxZu6dSHWsBwOrh0FajFNGa/0xChkw2Q
+FuAlSQmE8qg9XuSDayMXeZOUMsNIzD5LXk4UL+RMjVRxtMDDY7vBUCjsx1VceWS0
+blWC5MNihJySE7Uj/h6Dnpc8HDBd4/wnxoooSR5pAl6AE6Ifs0CbVo9bEp2WTMy3
+OtUX8nYbrfjep1VQ0XudpEa+NL8mT772dJmwdAX+XtJc4eSVUPbDfg2hZkqCe3Xq
+E9JUVg4CPEVqS56J4j1uKhcGEK80SCNe/w0W/B0ORfLmSA/dOZRF0h+yFQWGlRzA
+PqG2YhpctdkBNA+6vGK5n7aGPJfJrTMAAjA37us+lWDA1boF5/JZmrcv1z3+dyGS
+Bi4i3rJlWoqS/XX59w2cVllIjIyeV0odbymfQhyAz8c
+-> ssh-rsa kFDS0A
+ZLz/VMJ17fDwULcEy1eSEz79Qu/lhJjahEsn3HYJWiWjO74/SdY+ha/rqSQnjcSG
+reuD0eNYifqyXRnDpiSTgOSFEESL7wL727U3MqLbPIwxJ2ugmQfiKcDUjp/cwHIO
+NJmn5hb5upDGHYpTf1i85W0AalZBO3yiq9mdGDkDyPmSGazDGo6zy2eL378iFsK5
+Xs/k9T+T2xzUNdLRpEfJq2gtYVxA67ovbaUjtkj5JtTUJB/hmVqSzFsJyvGRqdS/
+W6ZhPPMfPBCPb9RdiyHtDWY/39Ls8EneR6ZzP2tUx5hzObV9Lrf4gd6zpFIHtEtt
+8/u2Ns0wrQ9r//3TG0sAR/4l9O8V2y8rjDOpZL8csWWcpQVmdJI6e7/chiqTUI/6
+Tf1iSaUG55uBFn/YPQpGHXDTkntNTSQN5Ms5qnNdbcmjBGwnqH3B1o2peNx+Yxyi
+xcmsD4cStDx/Ej1yY+egyToT/ZvrH2RR56Rc+HltRYfBK8wUtmY6/g7NcoWFF61M
+dCa351LY+AZBQvfsg8PmypLnQwHg1AG4ogwLNUI0ygeVFSl1wAuDKCtpy6zfs035
+agU8J4A9MQPmaX99UFV6FWMv3+H3QDjTWqFW/37bXmFl03l5h1n5xZ0Kc786KDv0
+8tvy0csqW1MIvnzoyujghienP4OTfWwMPnCIqeAG0UA
+-> piv-p256 vRzPNw A3wssMH6Nlh9cBTsipou44CwzCE++4TarqGjObd2/8Xd
++WsJqumP6xpJfjg7yEc6NRRz+D2ksTJpgVZXqXalM18
+-> piv-p256 zqq/iw A3JV+cHOFLTBsfBDHM5K7k/lsUZsIvpkvx1rpUAjWPuU
+CowRYCoRJ9x1PswAw7aLUbQpvDiggBJT84/likBAHPc
+-> ssh-ed25519 YFSOsg +CaWUAu6+hp1xpVwKZZO9328d9E+bVIejGL5w8MuLF4
+YvwVnv/8exOf6IpjUlQAVHUBgLET8uEYEO/nH9+P6Qc
+-> ssh-ed25519 iHV63A didGnygsV/Dh+Ni6u+bCv83dTJakWe4lzZERHcpQ7Rg
+Y07PZjU9i7VKrzW3+K0zJif6YBsp3T+JMDbeXxGWq40
+-> ssh-ed25519 BVsyTA KENv1RVR11qe+MnytyJQHIcsUVBsXRwFDw344vGD53Q
+mRqWR5QzBhgbzoofIygPhKkbSjzpKwbc4IFJhCjurrE
+-> ssh-ed25519 +3V2lQ cocFFuJ/bErUGrE6jBvwzjCi7hyrUaZd6SMA0zuuqWU
+068MLruYKztolTd4F7nmsUj+BDGGclxEe3xsgrt/964
+--- IOwBL6PiBIiyFKMnwBrTBNqYPJONjpSHpuZX/QUjz1M
+‰P)£‚i*ÿ? Zèœ4o»÷ZÅw‰*áåS„[g’O:"EëÙ–<C399>)#üUj™Ù À¨yÌ
-B:2í½u`ì'7-l<y6péi¶¤<C2B6>1

secrets/tt-rss-smtp-password.age

@@ -1,44 +1,43 @@
 age-encryption.org/v1
--> ssh-ed25519 iDKjwg WbEnorGKZBLanQ63E3iqSuskr41uL3P0EckXYvoPYVI
+-> ssh-ed25519 iDKjwg Zn/Fz/Al2fyQLTiMGIlu2p3sDHMeUktUpo7ZxmsS63A
-mL1Mzbmi2eFPhem5b9zvdjgAxPEnPC/OWIKJo4vis/c
+k93K1/dELZzuwVxfYgI+y3kz/kI7xs/qopi601SFycg
--> ssh-ed25519 uYcDNw GCgFEjNhBZ06rp+9GjrdxC/jfEUYUt4MmyrWVcYhu2A
+-> ssh-ed25519 uYcDNw k4Px1Oxt27bjO9EBIOE0bvVOpJdAVyyYsPI91Ryu/iM
-Fsx5N81bOTx6Qv+GtUd0+yD5MrvORUH2i9xtplRy4q4
+SDAj5LeplQ5tnDZvfrW2KUD0nIH2GZ9MBiT5hFaCHZ0
 -> ssh-rsa f5THog
-YpePMxa553BGm44EWS3LhUHvaANlo0z+UL3QBuD0qfAtBW2u3EK4lVSY+CkjsCeO
+yC9ONviP5h5mg24p2Fn9J8tlBnZVRecCJVuOjVPspWIM4qHhTS2PWm6JzfxuZ5zb
-/fCSaE3M17RyWdXI+V4J5eOt6SQ3L42P4oiwVd0kLPnfi0Rt1lGze5/nwM3ztp4Y
+VO5A0I5p1wNkmVRGR3aUIVgSRWUI3wf4J74xlRuHdeOZWpb/GXQX+AFY2o4vPsB2
-QVw9FROY3ksknFhjfThw6NGKG14DnSPBL+zD5GDhR+anT3G4cviIHVRLkl8iCDU0
+8h53v2/yBwCtFdqVopghTi99yJV56X1cAlkqvywXkShY71Gchu2cNak2lNaPPOcs
-l5biZH+O4fWmwucPMflTn0uYtfgE0wJBN/42KJ4qeD70a553idhGzm1T6QjsdQuu
+TlJ2lJbiH2khYcAXwuz2jJI1jWvJNw+/scBGEegoFp836OJJjxOFj9yuPsdhB7VN
-dckTWL/ovtr2nS3bZflYZxrsksiYhC01S1rLuBtkadf4VWPwV5qBTLaleCkx4RYp
+ceDSCZNke3nZCwOKl5Qf7niT8W43Hj0quYCLX0g4QcBTSX+VHY3af/VtWqggsOwU
-NDRA37Px+KU2mKT6wdsWogkO9oR16ElyZwmr2e8NJO9pVgP6Ct5ZbIFxtOKC4vFS
+Eh/0DAg90skuLZag+nRHJLrBxq1HwotvG+DdEJ3yAO8EtpVp3hHps8sNsZZ11kNe
-fqtYY/WpApU6ROJI3TA92aCMH4epIirlozsxP6/FjaMtB9pz8kMUOs4T0sWtmsRt
+NWodOdUFffb1EpIgaib7uybL7QROnK6S69LAXQMd/9zGmy158o/hejeHGs7jpux6
-ABmJ7dMeYecGqkpURZXCnIom6v/4s5U1IbTN82XajQT1qDNnplwVL4Bi6dcQUkLX
+phoxU8z3VpRmTnzTuNW9AmSzZ0jMWb/3LKNMrVj/eoncTDnPEtox/0U6YBDa0ybz
-ZxQQUqzQNK/7qYIbYYT1XPoP5P3hRA1e3XAzEP0lqJqhAET6GBpM4jyV7VB8ASl3
++eo8vvyXVkG67/II4UdN5UvQj21zGr85I7dsQ+NvvuwlHS/GK7PFUyxHkPJcqMg/
-rX/zGT8fssrYboEGWXQkGtCkj3u0+0XzKRgDwdnnyfPJ16olpVGEsWbMMCbqHXrM
+GTN7xuWS/MTnylmhqAmKvsGCb29Cipz646x+t0/0qBVyF3H2PGQRNaQwMfzOuplr
-yHASa3UMobLPt3frvNt4SII5bkPN+7Toprp7raUEXww
+/wcY/t3BZdAHsNWmqxOqVbeKDsx9entVhG1pGKgVtq8
 -> ssh-rsa kFDS0A
-Nxm0/uHu1RyDmznnAAYWrgBqt9dAp2YhAHuxVwCRxiJRolfQhZiyVo/MuhHTpLae
+ZhNJJ/MP/AauTmW+GMWzNh7bHdKgvn2KM9UcTLlkklqO6Yx0mg+kzhzHiwndHPX+
-f7IgqbpZni8T44xGCvdmcCjhvKI553v5HFf92spzFbPy/6H+hW6eD6Rz/UH6b5Pf
+mrBohHI67avzR52OUgDpbVLd1CQPZcLz2GD7n8/ozn7EjzC1eHrGKeKw/hf8C/2N
-B+WC15HcLOFeChM+BeP09dZR6pA18FLCc1xLW9gofTdXekE7E5w/SngaGLgyMWKQ
+qvFNPQ3MtEA4BQ2dwSMbWV/gjphXf+Rm/+qPtyeBqU6yNepAxqgZ3PCfr0QByqeE
-gDDlMX5YLaBML86KdzZxtJAr1dm7ucJm929DgZb0drU/Lwixys7LcnjjPpQQcD6C
+SY8hThxHXL49BCpDHhxJvAqZtxVMbtpHO0AIXSVQ0BdD9hylPpkhbcx6PhRbAd8X
-+c7xPbENuIoI7tyaPmzD0iHD88O4Qxo0yFeIqvHvnB1U/VRVH5r+7hBEmfaWEDBq
+UxUu4XO6GJSKYqVcwwGeqoR7C1wvOgcGvMo/tLTx3ovzvpcnyQ9KCemENYy9dE4Q
-jJcPidByhi0lfFabjKvluFaTGOhymi5MqX0LfnK55ATnXQDr/AIn8bRPdbfNmpjg
+Nn40qRrOR3NzzUW/ONs93+hVswtpKTivP1LMegZxAE9EXTILflzFjmMsDLmEWY3M
-StzXyNWlvEObJ34vhg5nmQRK2qfwBS5MnRzGf7nnUtKLpBkCrYK6P03tJcSwBujg
+i8GPr33JOmHxTkwY21SD6enYsQtbsVdreQd0FJZesXBaLReAHwXDpMlA/Py/iqTY
-XEsNCMs1O/YoMq66OKaGIyIuYAxGSCGu5a3rkqDbVaS2TtkxiEKLFrqgYelYMval
+RYXuxw3RgXxvHTV9QdsArq7Tz0euVUoEXC6CiYlH/1TPJByj9PibJoT/OoQxrRyj
-urgCvvELE0yc/QF0sdib/4VG4MD05LRetud5kkQA9jmkl13kG280boq+jp4kXghW
+7wemAPvN+sLv6Rs5ZeTrJBKIinvuS7k5OiwKxkJGLNPgYmRviyJEQlqVMTHNRN21
-ZQJMLWi6KwNJdnx5aOCn4jxVuPjqN3967uSFhVGn0q3P8yDevg9MEx/KAkhssqTr
+RKkLzJrIDjJ6l+tW3wwDARDL9u2lxFoVF98GdOGVa/yZvKbJGECJKLGQ6bEqVomQ
-WVE42OHP89XY9ATyxSrwH/vMygSw3bU7eJelKzzBlvM
+sN6k7/ydbOfuPwtq6/Ax8RVKHkdfR5HORFiRrEC5jc0
--> piv-p256 vRzPNw A1XRwUSI02j0Sm4DJc8q4mqpYXQ0E7DxIRDbpT3ksZoi
+-> piv-p256 vRzPNw AlL/+S0yI6mpICDYlVboboFBrLTGjP+xPoWJkGVqVide
-cpGPHqlX2VlajAKbDX3/91ey6IUTUqc2vkkNed7ZITE
+zaI3+1ZmGzE1E+FKtvLuabepXuM0YYwMPQQUQhssUm8
--> piv-p256 zqq/iw AzzpoEHT91n9HLlfFHqHE/q3JvpAhiWd73m1mN6FnmO3
+-> piv-p256 zqq/iw A5ef4pOc6NCKaCOev0HRg0yvECGRXQkkW6qcOBwOTNne
-me9vdrrs+2MUsFzEKjbJ55wYClho9IFX00Vkit7RFCs
+hfBE7el+0M3+dDWOepMyiB7/hhMjZ6AsobfxGFqMSkc
--> ssh-ed25519 YFSOsg aUSPBWIbV3SWOGTI1z66g9Ac2NBG0dAwCdlE1HfJdCU
+-> ssh-ed25519 YFSOsg GHsjugc0+RzkSCU1VFs1BKLB8MGvkWef+axklDUS4Qo
-bMCzMGAwOhZI+X6yhPt8IIiYchc3pKKcDPDcJxDqqx4
+zqEJPv9QwBZwb4s79w5CP3T64vlXVCbsWiDP1sgjgUc
--> ssh-ed25519 iHV63A jua7T9NZLwMXI6UTXal6FTpmqZte0v2EyWqrFhQ8blQ
+-> ssh-ed25519 iHV63A NJZEaUKZ03Y0cmkZS+m5ckmMYsOoAb9J22isDTtLeEw
-YkgUlZV6XP4ZjhmbRlN/JHrb8NVMOTr3sOUEIR1vVDs
+kbqt8Xce6gSjHg76Z5HXHDoXLCfCcjkC0O76/0fJxwo
--> ssh-ed25519 BVsyTA gu/kC7wUVcdUXc+NTdj+wJgxYqnmKZvCbOUK1bZXVE4
+-> ssh-ed25519 BVsyTA arqPduVIieRmtyFaoeovsOle9nNhc18IBFmJJPTaoWc
-W7oi2FNhuVO31ZZPzauHjkBQvMU8UcKL4YZ3oafC8Dg
+QfrfpdGYiK5Y4w0YFA56u60T6CV5qwdfQZKAr7UQqYg
--> ssh-ed25519 +3V2lQ UZZOiUHXtpZCtevljcAarYESIZanZouH1Mur73QNtR4
+-> ssh-ed25519 +3V2lQ 6oZIAyrrn4GezQ5K0YxwVL3ceKpwgtZoZ00M+aREEi4
-AW+w+l14WNDv9Rk8Tjz251zrK1GKCFa4PBNLhSN/xa4
+kBLTRckPYLtKug0G0vN5ix1Oa08iP5hZA2XwGSuY8ug
---- k+c7i6XrBCm3D5h3R0WnUZ5E12ESJyb/OqN2PtK4om0
+--- JTzuhPCSkc4zBpp6drMB7/4WKke+q52srW4hiRM5RFo
-`9Hˆ&Q
+ÿ`lîÛgî£
°z=uà¿ÇÅŠìfvwoûœñ^¬ÎåÂÒ–FÌþâ~ªŠ&P­œ¢]ºÔâÍ»'<27>$¡
-Š‡†÷½Xð¤³Ån"Éæ*
\˜(õöýÐ<ùuòø<0E>_
Ÿ©

tests/keycloak.nix

@@ -46,6 +46,7 @@ in
 
       systemd.tmpfiles.rules = [ "f /tmp/dbf 1777 root root 10d password" ];
 
+      virtualisation.cores = 1;
       virtualisation.memorySize = 4096;
 
       pub-solar-os.auth = {
@@ -66,7 +67,7 @@ in
   testScript =
     { nodes, ... }:
     let
-      user = nodes.client.users.users.${nodes.client.pub-solar-os.authentication.username};
+      user = nodes.client.users.users.b12f;
       #uid = toString user.uid;
       bus = "DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/$(id -u ${user.name})/bus";
       gdbus = "${bus} gdbus";
@@ -75,17 +76,19 @@ in
       wmClass = su "${gdbus} ${gseval} global.display.focus_window.wm_class";
     in
     ''
-      start_all()
+      nachtigall.start()
 
-      nachtigall.wait_for_unit("system.slice")
+      nachtigall.wait_for_unit("default.target")
       nachtigall.succeed("ping 127.0.0.1 -c 2")
       nachtigall.wait_for_unit("nginx.service")
       nachtigall.wait_for_unit("keycloak.service")
+      nachtigall.wait_for_open_port(8080)
+      nachtigall.wait_for_open_port(443)
       nachtigall.wait_until_succeeds("curl http://127.0.0.1:8080/")
       nachtigall.wait_until_succeeds("curl https://auth.test.pub.solar/")
 
-      client.wait_for_unit("system.slice")
+      client.start()
-      client.sleep(30)
+      client.wait_for_unit("default.target")
       # client.wait_until_succeeds("${wmClass} | grep -q 'firefox'")
       client.screenshot("screen")
     '';

tests/support/client.nix

@@ -11,7 +11,7 @@
   services.xserver.displayManager.gdm.enable = true;
   services.xserver.desktopManager.gnome.enable = true;
   services.xserver.displayManager.autoLogin.enable = true;
-  services.xserver.displayManager.autoLogin.user = config.pub-solar-os.authentication.username;
+  services.xserver.displayManager.autoLogin.user = "b12f";
 
   systemd.user.services = {
     "org.gnome.Shell@wayland" = {

tests/website.nix

@@ -31,6 +31,7 @@
         ./support/global.nix
       ];
 
+      virtualisation.cores = 1;
       virtualisation.memorySize = 4096;
 
       networking.interfaces.eth0.ipv4.addresses = [
@@ -43,17 +44,20 @@
   };
 
   testScript = ''
-    start_all()
+    acme_server.start()
 
-    acme_server.wait_for_unit("system.slice")
+    acme_server.wait_for_unit("default.target")
     acme_server.wait_for_unit("step-ca.service")
     acme_server.succeed("ping ca.test.pub.solar -c 2")
+    acme_server.wait_for_open_port(443)
     acme_server.wait_until_succeeds("curl 127.0.0.1:443")
 
-    nachtigall.wait_for_unit("system.slice")
+    nachtigall.start()
+    nachtigall.wait_for_unit("default.target")
     nachtigall.succeed("ping test.pub.solar -c 2")
     nachtigall.succeed("ping ca.test.pub.solar -c 2")
     nachtigall.wait_for_unit("nginx.service")
+    nachtigall.wait_for_open_port(443, "test.pub.solar")
     nachtigall.wait_until_succeeds("curl https://test.pub.solar/")
   '';
 }