Merge remote-tracking branch 'origin/#76-Nuked-Backup' into #76-Nuked-Backup

# Conflicts: # secrets/backup/nuked.age
admin: add eliza and esy as admins to teh secrets
2024-06-07 19:44:51 +01:00 · 2024-06-07 19:20:52 +01:00 · 2024-06-07 19:19:55 +01:00 · 2024-06-06 23:36:50 +01:00
86 changed files with 1716 additions and 1993 deletions
--- a/.forgejo/workflows/deploy.yaml
+++ b/.forgejo/workflows/deploy.yaml
@ -1,59 +0,0 @@
 name: Build_Deploy
 on:
  workflow_run:
    workflows: [ "Update_Flake" ]
    types:
      - completed
  push:
    branches:
      - 'main'
    paths:
      - applications/**/*
      - machines/**/*
      - secrets/**/*
      - flake.*
      - config/**/*
      - .forgejo/**/*
 jobs:
  linter:
    runs-on: nix
    steps:
      - uses: actions/checkout@v4
      - run: nix fmt -- --check .
      - run: nix --version
  #if: github.repository == 'Skynet/nixos'
  build:
    runs-on: nix
    steps:
      - uses: actions/checkout@v4
      - run: nix develop -v
 #      - name: Archive Test Results
 #        if: always()
 #        run: sleep 100m
 #      - run: colmena build -v --on @active-dns
 #      - run: colmena build -v --on @active-core
 #      - run: colmena build -v --on @active
 #      - run: colmena build -v --on @active-ext
 #      - run: colmena build -v --on @active-gitlab
  deploy_dns:
    runs-on: nix
    needs: [ linter, build ]
    steps:
      - uses: actions/checkout@v4
      - run: colmena apply -v --on @active-dns --show-trace
        shell: bash
  deploy_active:
    strategy:
      matrix:
        batch: [ active-core, active, active-ext ]
    runs-on: nix
    needs: [ deploy_dns ]
    steps:
      - uses: actions/checkout@v4
      - run: colmena apply -v --on @${{ matrix.batch }} --show-trace
        shell: bash
--- a/.forgejo/workflows/deploy_forgejo.yaml
+++ b/.forgejo/workflows/deploy_forgejo.yaml
@ -1,12 +0,0 @@
 name: Update_Forgejo
 on:
  workflow_dispatch:
 jobs:
  deploy:
    runs-on: nix
    steps:
      - uses: actions/checkout@v4
      - run: colmena apply -v --on @active-gitlab --show-trace
        shell: bash
--- a/.forgejo/workflows/update_input.yaml
+++ b/.forgejo/workflows/update_input.yaml
@ -1,31 +0,0 @@
 name: Update_Flake
 run-name: "[Update Flake] ${{ inputs.input_to_update }}"
 on:
  workflow_dispatch:
    inputs:
      input_to_update:
        description: 'Flake input to update'
        required: false
        type: string
 jobs:
  update:
    runs-on: nix
    permissions:
      # Give the default GITHUB_TOKEN write permission to commit and push the
      # added or changed files to the repository.
      contents: write
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.head_ref }}
          token: ${{ secrets.PIPELINE_TOKEN }}
      - run: nix flake update ${{ inputs.input_to_update }}
        shell: bash
      - uses: https://github.com/stefanzweifel/git-auto-commit-action@v5
        with:
          commit_message: "Updated flake for ${{ inputs.input_to_update }}"
--- a/.gitignore
+++ b/.gitignore
@ -6,9 +6,6 @@
 *.tmp
 tmp
 # open office tmp lockfiles
 .~lock.*
 # Test files
 test.*
 *.test.*
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@ -30,7 +30,7 @@ update:
    # the part that updates the flake
    - nix --experimental-features 'nix-command flakes' flake lock --update-input $PACKAGE_NAME
    - git add flake.lock
-    - git commit -m "Updated flake for $PACKAGE_NAME" || echo "No changes, nothing to commit"
+    - git commit -m "[skip ci] Updated flake for $PACKAGE_NAME" || echo "No changes, nothing to commit"
    # we have a custom domain
    - git remote rm origin && git remote add origin ssh://git@gitlab.skynet.ie:2222/compsoc1/skynet/nixos.git
    - git push origin HEAD:$CI_COMMIT_REF_NAME
@ -48,14 +48,13 @@ sync_repos:
    - chmod +x ./sync.sh
    - ./sync.sh
  rules:
    - if: $UPDATE_FLAKE == "yes"
      when: never
    - if: '$CI_PROJECT_NAMESPACE == "compsoc1/skynet" && $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'
      changes:
        - sync/repos.csv
 .scripts_base: &scripts_base
  # load nix environment
  - git pull origin $CI_COMMIT_REF_NAME
  - . "$HOME/.nix-profile/etc/profile.d/nix.sh"
  - nix --extra-experimental-features 'nix-command flakes'  profile install nixpkgs#colmena
@ -70,8 +69,6 @@ sync_repos:
  - nix --extra-experimental-features 'nix-command flakes'  profile install nixpkgs#attic-client
  - attic login skynet https://nix-cache.skynet.ie/ $CACHE_KEY
  - attic use skynet-cache
  # add any new items to the cache
  - attic watch-store skynet-cache &
 # every commit on main will build and deploy
 .build_template: &builder
@ -81,8 +78,6 @@ sync_repos:
    - *scripts_base
    - *scripts_cache
  rules:
    - if: $UPDATE_FLAKE == "yes"
      when: never
    - changes:
      - applications/**/*
      - machines/**/*
@ -98,8 +93,6 @@ sync_repos:
    - *scripts_base
    - *scripts_cache
  rules:
    - if: $UPDATE_FLAKE == "yes"
      when: never
    - if: '$CI_PROJECT_NAMESPACE == "compsoc1/skynet" && $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'
      changes:
        - flake.nix
@ -119,7 +112,7 @@ build:
  <<: *builder
  stage: test
  script:
-    - nix --extra-experimental-features 'nix-command flakes' develop
+    - attic watch-store skynet-cache &
    - colmena build -v --on @active-dns
    - colmena build -v --on @active-core
    - colmena build -v --on @active
@ -161,6 +154,7 @@ deploy_ext:
    - deploy_dns
  script:
    - colmena apply -v --on @active-ext
  allow_failure: true
 deploy_gitlab:
  <<: *builder
--- a/ITD/Firewall_Rules.csv
+++ b/ITD/Firewall_Rules.csv
@ -1,45 +0,0 @@
 Rule,Action,Ticket,Status,Source_IP,Source_Server,Destination_IP,Destination_Server,Port_TCP,Port_UDP,Notes
 SKYNET_FIREWALL_00000,Add,,Complete,VPN,-,93.1.99.71 - 193.1.99.126,All,22,-,sftp/ssh required from vpn to servers for admins
 SKYNET_FIREWALL_00001,Add,,Complete,All,-,193.1.99.109,SKYNET00004,-,53,Nameserver for skynet.ie
 SKYNET_FIREWALL_00002,Add,,Complete,All,-,193.1.99.111,SKYNET00005,"80, 443, 8000",-,"ULFM, http(s) for internet streaming, 8000 for connecting to the server."
 SKYNET_FIREWALL_00003,Add,,Complete,All,-,193.1.99.112,SKYNET00006,"80, 443, 25565",-,"Games host, Minecraft uses 25565 (will have more ports in the future)"
 SKYNET_FIREWALL_00004,Add,,Complete,All,-,193.1.99.120,SKYNET00002,-,53,Nameserver for skynet.ie
 SKYNET_FIREWALL_00005,Add,i23-01-19_681,Complete,193.1.99.72,SKYNET00001,All,-,-,-,Allow outbound access
 SKYNET_FIREWALL_00006,Add,i23-01-19_681,Complete,193.1.99.75,SKYNET00008,All,-,-,-,Allow outbound access
 SKYNET_FIREWALL_00007,Add,i23-01-19_681,Complete,193.1.99.109,SKYNET00004,All,-,-,-,Allow outbound access
 SKYNET_FIREWALL_00008,Add,i23-01-19_681,Complete,193.1.99.111,SKYNET00005,All,-,-,-,Allow outbound access
 SKYNET_FIREWALL_00009,Add,i23-01-19_681,Complete,193.1.99.112,SKYNET00006,All,-,-,-,Allow outbound access
 SKYNET_FIREWALL_00010,Add,i23-01-19_681,Complete,193.1.99.120,SKYNET00002,All,-,-,-,Allow outbound access
 SKYNET_FIREWALL_00011,Add,i23-05-18_249,Complete,All,-,193.1.99.75,SKYNET00008,"80, 443",-,For gitlab Access
 SKYNET_FIREWALL_00012,Add,i23-05-18_249,Complete,193.1.99.72 - 193.1.99.126,-,All,-,-,-,"I would also like to extend the outbound access to cover our entire range (193.1.99.72 to 193.1.99.126) to allow for setup for more servers on those ip's (need to download updates and packages).
 I have a few servers I plan to setup over the next two weeks, one after another as the later ones depend on earlier ones.
 In such a case asking for permission for each individual IP would induce several tickets and a few weeks of paperwork going through change control.
 Only a few of these sevices will need inbound ports opened on ITD's firewall, which can be requested when the systems are up, running and secured."
 SKYNET_FIREWALL_00013,Add,i23-05-18_249,Complete,All,-,193.1.99.76,SKYNET00009,"143, 993, 587, 465",-,Email Server
 SKYNET_FIREWALL_00014,Add,i23-06-19_525,Complete,All,-,193.1.99.76,SKYNET00009,"80, 443, 25",-,"Mailserver here, SPF, DKIM and DMARC are all set up"
 SKYNET_FIREWALL_00015,Add,i23-06-19_525,Complete,All,-,193.1.99.79,SKYNET00011,"80, 443",-,Main Skynet webserver
 SKYNET_FIREWALL_00016,Add,i23-06-30_024,Complete,All,-,193.1.96.165,SKYNET00012,22,-,"Skynet user's server
 Outlet is 131 or 132"
 SKYNET_FIREWALL_00017,Add,i23-06-30_024,Complete,193.1.96.165,SKYNET00012,193.1.99.120,SKYNET00002,-,53,Allow Skynet server to use our own internal DNS
 SKYNET_FIREWALL_00018,Add,i23-06-30_024,Complete,193.1.96.165,SKYNET00012,193.1.99.74,SKYNET00007,389/636,-,Allow Skynet server to access LDAP
 ,Add,i23-07-28_010,Denied,All,-,193.1.99.74,SKYNET00007,"80, 443",-,Self Service site for Skynet accounts – Only 443 on account modification pages
 SKYNET_FIREWALL_00019,Add,i23-07-28_010,Complete,All,-,193.1.99.74,SKYNET00007,443,-,Self Service site for Skynet accounts
 SKYNET_FIREWALL_00020,Add,i23-09-05_639,Complete,All,-,193.1.96.165,SKYNET00012,"80, 443",-,Web hosting for user sites
 SKYNET_FIREWALL_00021,Add,i23-10-27_014,Complete,All,-,193.1.99.77,SKYNET00014,"80, 443",-,"Nextcloud, selfhosted google services, filestorage and documents"
 SKYNET_FIREWALL_00022,Add,i24-02-01_102,Complete,193.1.96.165,SKYNET00012,103.1.99.109,SKYNET00004,-,53,Give the Skynet server access to ur secondary DNS
 SKYNET_FIREWALL_00023,Add,i24-02-01_102,Complete,193.1.99.78,SKYNET00010,193.1.96.165,SKYNET00012,22,-,Allow our gitlab runner to access and deploy to teh external server
 SKYNET_FIREWALL_00024,Add,i24-02-16_065,Complete,All,-,193.1.99.90,SKYNET00016,"80, 443",-,Games Server Administrative panel
 SKYNET_FIREWALL_00025,Add,i24-02-16_065,Complete,All,-,193.1.99.91,SKYNET00017,25518-25525,"19132, 24418-24425",Minecraft Games server
 SKYNET_FIREWALL_00026,Add,i24-06-04_017,Complete,All,-,193.1.99.76,SKYNET00009,4190,-,"Email sieve to allow members to add email filters to their
 skynet mail."
 SKYNET_FIREWALL_00027,Add,i24-06-04_017,Complete,All,-,193.1.99.82,SKYNET00018,80/443,-,"Public services such as a binary cache, open governance and keyserver"
 ,Add,i24-06-04_017,Denied,All,-,193.1.99.90,SKYNET00016,8080,-,"Websocket for admin panel on games management server
 Denied because more information on wat it was for was requested"
 ,Add,i24-06-04_017,Denied,193.1.99.74,SKYNET00007,193.1.96.165,SKYNET00012,9000-9020,-,"Metrics collection, not done because not enough info provided"
 SKYNET_FIREWALL_00028,Remove,i24-06-04_017,Complete,-,-,193.1.99.112,SKYNET00019,25565,-,No longer the minecraft game host
 SKYNET_FIREWALL_00029,Add,i24-06-04_017,Complete,All,-,193.1.99.90,SKYNET00016,8080,-,Websocket for admin panel on games management server
 SKYNET_FIREWALL_00030,Add,i24-06-04_017,Complete,193.1.99.83,SKYNET00020,193.1.96.165,SKYNET00012,9000-9010,-,Metrics Collection
 SKYNET_FIREWALL_00031,Add,i24-06-04_017,Complete,All,-,193.1.99.83,SKYNET00020,"80, 443",-,Web interface for Metrics server
 SKYNET_FIREWALL_00032,Remove,i24-06-04_017,Complete,All,-,193.1.99.90,SKYNET00016,8080,-,Had incorrectly opened 8080 on the main panel
 SKYNET_FIREWALL_00033,Add,i24-06-04_017,Complete,All,-,193.1.99.91,SKYNET00017,8080,-,Websocket for admin panel on games management server
 ,Add,i24-07-15_112,Denied,193.1.99.75,-,-,-,22,-,Response from ITD - 'Our IT Security team have advised that port 22 and port 2222 are only to be allowed through the VPN and will not be opened to allow inbound ssh connections directly from the internet'
--- a/ITD/Server_Inventory.csv
+++ b/ITD/Server_Inventory.csv
@ -1,22 +0,0 @@
 Index,Name,Status,IP_Address,OS,Description
 SKYNET00001,agentjones,Active,193.1.99.72,Nixos-24.05,Firewall (currently not active)
 SKYNET00002,vendetta,Active,193.1.99.120,Nixos-24.05,DNS Nameserver 1
 SKYNET00003,jarvis,Active,193.1.99.73,Nixos-24.05,VM Host
 SKYNET00004,vigil,Active,193.1.99.109,Nixos-24.05,DNS Nameserver 2
 SKYNET00005,galatea,Active,193.1.99.111,Nixos-24.05,ULFM Radio
 SKYNET00006,optimus,Retired,193.1.99.112,Nixos-24.05,Retired Games server
 SKYNET00007,kitt,Active,193.1.99.74,Nixos-24.05,"LDAP and Self-Service Password/Account management, also hosts our Discord bot"
 SKYNET00008,glados,Active,193.1.99.75,Nixos-24.05,Gitlab server
 SKYNET00009,gir,Active,193.1.99.76,Nixos-24.05,Email and Webmail
 SKYNET00010,wheatly,Active,193.1.99.78,Nixos-24.05,Gitlab Runner
 SKYNET00011,earth,Active,193.1.99.79,Nixos-24.05,Offical website host
 SKYNET00012,skynet,Active,193.1.96.165,Nixos-24.05,Skynet server. (DMZ)
 SKYNET00013,neuromancer,Active,193.1.99.80,Nixos-24.05,Local Backup Server
 SKYNET00014,cadie,Active,193.1.99.77,Nixos-24.05,"Services VM, has nextcloud to start with"
 SKYNET00015,marvin,Active,193.1.99.81,Nixos-24.05,Trainee testing server
 SKYNET00016,optimus,Active,193.1.99.90,Debian-12,Games server manager (replacing SKYNET00006 soon)
 SKYNET00017,bumblebee,Active,193.1.99.91,Debian-12,Game server - Minecraft
 SKYNET00018,calculon,Active,193.1.99.82,Nixos-24.05,"Public Services such as binary cache, Open Governance and Keyserver"
 SKYNET00019,deepthought,Active,193.1.99.112,Nixos-24.05,Backup Test Server using restic
 SKYNET00020,ariia,Active,193.1.99.83,Nixos-24.05,"Metrics, Grafana and Prometheus"
 SKYNET00021,ash,Active,193.1.99.114,NA,Server Room Network access
--- a/ITD/VPN_Admins.csv
+++ b/ITD/VPN_Admins.csv
@ -1,6 +0,0 @@
 Index,First Name,Surname,UL Student Email
 SKYNET_VPN_ADM_001,Brendan,Golden,12136891@studentmail.ul.ie
 SKYNET_VPN_ADM_002,Evan,Cassidy,External
 SKYNET_VPN_ADM_003,Eoghan,Conlon,21310262@studentmail.ul.ie
 SKYNET_VPN_ADM_004,Eliza,Macovei,23382619@studentmail.ul.ie
 SKYNET_VPN_ADM_005,Daragh,Downes,22351159@studentmail.ul.ie
--- a/ITD/VPN_Admins_changes.csv
+++ b/ITD/VPN_Admins_changes.csv
@ -1,7 +0,0 @@
 Date,Date Modified,Action,Ticket,ID
 SKYNET_VPN_ADM_CHANGE_001,2023/04/04,Added,,SKYNET_VPN_ADM_001
 SKYNET_VPN_ADM_CHANGE_002,2023/04/04,Added,,SKYNET_VPN_ADM_002
 SKYNET_VPN_ADM_CHANGE_003,2023/04/04,Added,,SKYNET_VPN_ADM_003
 SKYNET_VPN_ADM_CHANGE_003,2024/07/21,Removed,i24-07-22_760,SKYNET_VPN_ADM_003
 SKYNET_VPN_ADM_CHANGE_004,2024/07/21,Added,i24-07-22_760,SKYNET_VPN_ADM_004
 SKYNET_VPN_ADM_CHANGE_005,2024/07/21,Added,i24-07-22_760,SKYNET_VPN_ADM_005
--- a/ITD_Firewall.csv
+++ b/ITD_Firewall.csv
@ -0,0 +1,19 @@
 Index,Status,Name,IP_Address,DNS_Name,Ports TCP,Ports UDP,Tunnel,Ports_Requested,Related_Tickets,Description
 SKYNET00001,Active,agentjones,193.1.99.72,agentjones,,,,,,Firewall (currently not active)
 SKYNET00002,Active,vendetta,193.1.99.120,vendetta/ns1,,53,,,,DNS Nameserver 1
 SKYNET00003,Active,jarvis,193.1.99.73,jarvis,,,,,,VM Host
 SKYNET00004,Active,vigil,193.1.99.109,vigil/ns2,,53,,,,DNS Nameserver 2
 SKYNET00005,Active,galatea,193.1.99.111,galatea/stream,80/443 8000,,,,,ULFM Radio
 SKYNET00006,Retired,optimus,193.1.99.112,optimus/games/*.games,80/443 25565,,,,,Retired Games server
 SKYNET00007,Active,kitt,193.1.99.74,kitt/account/api.account,443,,,-> skynet:9000-9020,i23-07-28_010,"LDAP and Self-Service Password/Account management, also hosts our Discord bot"
 SKYNET00008,Active,glados,193.1.99.75,glados/gitlab/*.pages.gitlab,80/443,,,,i23-05-18_249,Gitlab server
 SKYNET00009,Active,gir,193.1.99.76,gir/mail/imap/pop3/smtp,80/443 25/143/993/587/465,,,4190,i23-06-19_525/i23-06-19_525,Email and Webmail
 SKYNET00010,Active,wheatly,193.1.99.78,wheatly,,,-> skynet:22,,,Gitlab Runner
 SKYNET00011,Active,earth,193.1.99.79,earth,80/443,,,,i23-06-19_525,Offical website host
 SKYNET00012,Active,skynet,193.1.96.165,skynet/*.users,22 80/443,,,,i23-06-30_024,Skynet server. (DMZ)
 SKYNET00013,Active,neuromancer,193.1.99.80,neuromancer,,,,,,Local Backup Server
 SKYNET00014,Active,cadie,193.1.99.77,cadie/nextcloud/onlyoffice.nextcloud,80/443,,,,i23-10-27_014,"Services VM, has nextcloud to start with"
 SKYNET00015,Active,marvin,193.1.99.81,marvin,,,,,,Trainee testing server
 SKYNET00016,Active,optimus,193.1.99.90,,80/443,,,8080,i24-02-16_065,Games server manager (replacing SKYNET00006 soon)
 SKYNET00017,Active,bumblebee,193.1.99.91,,25518-25525,19132 24418-24425,,,i24-02-16_065,Game server - Minecraft
 SKYNET00018,Active,calculon,193.1.99.82,,,,,80/443,,"Public Services such as binary cache, Open Governance and Keyserver"
--- a/9
+++ b/9
@ -1,9 +0,0 @@
 MIT License
 Copyright (c) 2024 Skynet
 Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
 The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
--- a/Possible_Server_Names.md
+++ b/Possible_Server_Names.md
@ -1,6 +1,5 @@
 https://web.archive.org/web/20180815150202/https://wiki.skynet.ie/Admin/SkynetMachines   
 https://en.m.wikipedia.org/wiki/Category:Fictional_artificial_intelligences  
 https://en.wikipedia.org/wiki/List_of_artificial_intelligence_films  
 * agentsmith
 * skynet
--- a/applications/_base.nix
+++ b/applications/_base.nix
@ -9,24 +9,9 @@ with lib; let
  cfg = config.services.skynet;
 in {
  imports = [
    # every server needs to have a dns record
    ./dns/dns.nix
    # every server should have proper certs
    ./acme.nix
    ./dns.nix
    ./nginx.nix
    # every server may need the firewall config stuff
    ./firewall.nix
    # every server needs teh ldap client for admins
    ./ldap/client.nix
    # every server will need the config to backup to
    ./restic.nix
    # every server will be monitored for grafana
    ./prometheus.nix
  ];
  options.services.skynet = {
--- a/applications/_retired/games.nix
+++ b/applications/_retired/games.nix
@ -10,6 +10,7 @@ with lib; let
  cfg = config.services.skynet."${name}";
 in {
  imports = [
    ./dns.nix
    ./nginx.nix
    ./games/minecraft.nix
  ];
--- a/applications/_retired/games/minecraft.nix
+++ b/applications/_retired/games/minecraft.nix
@ -13,6 +13,10 @@ with lib; let
  short_domain = "${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}";
 in {
  imports = [
    ../acme.nix
    ../dns.nix
    ../firewall.nix
    ../nginx.nix
    inputs.arion.nixosModules.arion
  ];
--- a/applications/acme.nix
+++ b/applications/acme.nix
@ -32,15 +32,15 @@ in {
      defaults = {
        email = "admin_acme@skynet.ie";
        credentialsFile = config.age.secrets.acme.path;
        # we use our own dns authorative server for verifying we own the domain.
        dnsProvider = "rfc2136";
        credentialsFile = config.age.secrets.acme.path;
      };
      certs = {
        "skynet" = {
          domain = "skynet.ie";
-          extraDomainNames = lists.naturalSort cfg.domains;
+          extraDomainNames = cfg.domains;
        };
      };
    };
--- a/applications/bitwarden/bitwarden-directory-connector-cli.nix
+++ b/applications/bitwarden/bitwarden-directory-connector-cli.nix
@ -0,0 +1,324 @@
 {
  config,
  lib,
  pkgs,
  ...
 }:
 with lib; let
  cfg = config.services.bitwarden-directory-connector-cli;
 in {
  disabledModules = ["services/security/bitwarden-directory-connector-cli.nix"];
  options.services.bitwarden-directory-connector-cli = {
    enable = mkEnableOption "Bitwarden Directory Connector";
    package = mkPackageOption pkgs "bitwarden-directory-connector-cli" {};
    domain = mkOption {
      type = types.str;
      description = lib.mdDoc "The domain the Bitwarden/Vaultwarden is accessible on.";
      example = "https://vaultwarden.example.com";
    };
    user = mkOption {
      type = types.str;
      description = lib.mdDoc "User to run the program.";
      default = "bwdc";
    };
    interval = mkOption {
      type = types.str;
      default = "*:0,15,30,45";
      description = lib.mdDoc "The interval when to run the connector. This uses systemd's OnCalendar syntax.";
    };
    ldap = mkOption {
      description = lib.mdDoc ''
        Options to configure the LDAP connection.
        If you used the desktop application to test the configuration you can find the settings by searching for `ldap` in `~/.config/Bitwarden\ Directory\ Connector/data.json`.
      '';
      default = {};
      type = types.submodule ({
        config,
        options,
        ...
      }: {
        freeformType = types.attrsOf (pkgs.formats.json {}).type;
        config.finalJSON = builtins.toJSON (removeAttrs config (filter (x: x == "finalJSON" || ! options.${x}.isDefined or false) (attrNames options)));
        options = {
          finalJSON = mkOption {
            type = (pkgs.formats.json {}).type;
            internal = true;
            readOnly = true;
            visible = false;
          };
          ssl = mkOption {
            type = types.bool;
            default = false;
            description = lib.mdDoc "Whether to use TLS.";
          };
          startTls = mkOption {
            type = types.bool;
            default = false;
            description = lib.mdDoc "Whether to use STARTTLS.";
          };
          hostname = mkOption {
            type = types.str;
            description = lib.mdDoc "The host the LDAP is accessible on.";
            example = "ldap.example.com";
          };
          port = mkOption {
            type = types.port;
            default = 389;
            description = lib.mdDoc "Port LDAP is accessible on.";
          };
          ad = mkOption {
            type = types.bool;
            default = false;
            description = lib.mdDoc "Whether the LDAP Server is an Active Directory.";
          };
          pagedSearch = mkOption {
            type = types.bool;
            default = false;
            description = lib.mdDoc "Whether the LDAP server paginates search results.";
          };
          rootPath = mkOption {
            type = types.str;
            description = lib.mdDoc "Root path for LDAP.";
            example = "dc=example,dc=com";
          };
          username = mkOption {
            type = types.str;
            description = lib.mdDoc "The user to authenticate as.";
            example = "cn=admin,dc=example,dc=com";
          };
        };
      });
    };
    sync = mkOption {
      description = lib.mdDoc ''
        Options to configure what gets synced.
        If you used the desktop application to test the configuration you can find the settings by searching for `sync` in `~/.config/Bitwarden\ Directory\ Connector/data.json`.
      '';
      default = {};
      type = types.submodule ({
        config,
        options,
        ...
      }: {
        freeformType = types.attrsOf (pkgs.formats.json {}).type;
        config.finalJSON = builtins.toJSON (removeAttrs config (filter (x: x == "finalJSON" || ! options.${x}.isDefined or false) (attrNames options)));
        options = {
          finalJSON = mkOption {
            type = (pkgs.formats.json {}).type;
            internal = true;
            readOnly = true;
            visible = false;
          };
          removeDisabled = mkOption {
            type = types.bool;
            default = true;
            description = lib.mdDoc "Remove users from bitwarden groups if no longer in the ldap group.";
          };
          overwriteExisting = mkOption {
            type = types.bool;
            default = false;
            description =
              lib.mdDoc "Remove and re-add users/groups, See https://bitwarden.com/help/user-group-filters/#overwriting-syncs for more details.";
          };
          largeImport = mkOption {
            type = types.bool;
            default = false;
            description = lib.mdDoc "Enable if you are syncing more than 2000 users/groups.";
          };
          memberAttribute = mkOption {
            type = types.str;
            description = lib.mdDoc "Attribute that lists members in a LDAP group.";
            example = "uniqueMember";
          };
          creationDateAttribute = mkOption {
            type = types.str;
            description = lib.mdDoc "Attribute that lists a user's creation date.";
            example = "whenCreated";
          };
          useEmailPrefixSuffix = mkOption {
            type = types.bool;
            default = false;
            description = lib.mdDoc "If a user has no email address, combine a username prefix with a suffix value to form an email.";
          };
          emailPrefixAttribute = mkOption {
            type = types.str;
            description = lib.mdDoc "The attribute that contains the users username.";
            example = "accountName";
          };
          emailSuffix = mkOption {
            type = types.str;
            description = lib.mdDoc "Suffix for the email, normally @example.com.";
            example = "@example.com";
          };
          users = mkOption {
            type = types.bool;
            default = false;
            description = lib.mdDoc "Sync users.";
          };
          userPath = mkOption {
            type = types.str;
            description = lib.mdDoc "User directory, relative to root.";
            default = "ou=users";
          };
          userObjectClass = mkOption {
            type = types.str;
            description = lib.mdDoc "Class that users must have.";
            default = "inetOrgPerson";
          };
          userEmailAttribute = mkOption {
            type = types.str;
            description = lib.mdDoc "Attribute for a users email.";
            default = "mail";
          };
          userFilter = mkOption {
            type = types.str;
            description = lib.mdDoc "LDAP filter for users.";
            example = "(memberOf=cn=sales,ou=groups,dc=example,dc=com)";
            default = "";
          };
          groups = mkOption {
            type = types.bool;
            default = false;
            description = lib.mdDoc "Whether to sync ldap groups into BitWarden.";
          };
          groupPath = mkOption {
            type = types.str;
            description = lib.mdDoc "Group directory, relative to root.";
            default = "ou=groups";
          };
          groupObjectClass = mkOption {
            type = types.str;
            description = lib.mdDoc "A class that groups will have.";
            default = "groupOfNames";
          };
          groupNameAttribute = mkOption {
            type = types.str;
            description = lib.mdDoc "Attribute for a name of group.";
            default = "cn";
          };
          groupFilter = mkOption {
            type = types.str;
            description = lib.mdDoc "LDAP filter for groups.";
            example = "(cn=sales)";
            default = "";
          };
        };
      });
    };
    secrets = {
      ldap = mkOption {
        type = types.str;
        description = "Path to file that contains LDAP password for user in {option}`ldap.username";
      };
      bitwarden = {
        client_path_id = mkOption {
          type = types.str;
          description = "Path to file that contains Client ID.";
        };
        client_path_secret = mkOption {
          type = types.str;
          description = "Path to file that contains Client Secret.";
        };
      };
    };
  };
  config = mkIf cfg.enable {
    users.groups."${cfg.user}" = {};
    users.users."${cfg.user}" = {
      isSystemUser = true;
      group = cfg.user;
    };
    systemd = {
      timers.bitwarden-directory-connector-cli = {
        description = "Sync timer for Bitwarden Directory Connector";
        wantedBy = ["timers.target"];
        after = ["network-online.target"];
        timerConfig = {
          OnCalendar = cfg.interval;
          Unit = "bitwarden-directory-connector-cli.service";
          Persistent = true;
        };
      };
      services.bitwarden-directory-connector-cli = {
        description = "Main process for Bitwarden Directory Connector";
        environment = {
          BITWARDENCLI_CONNECTOR_APPDATA_DIR = "/tmp";
          BITWARDENCLI_CONNECTOR_PLAINTEXT_SECRETS = "true";
        };
        serviceConfig = {
          Type = "oneshot";
          User = "${cfg.user}";
          PrivateTmp = true;
          ExecStartPre = pkgs.writeShellScript "bitwarden_directory_connector-config" ''
            set -eo pipefail
            # create the config file
            ${lib.getExe cfg.package} data-file
            touch /tmp/data.json.tmp
            chmod 600 /tmp/data.json{,.tmp}
            ${lib.getExe cfg.package} config server ${cfg.domain}
            # now login to set credentials
            export BW_CLIENTID="$(< ${escapeShellArg cfg.secrets.bitwarden.client_path_id})"
            export BW_CLIENTSECRET="$(< ${escapeShellArg cfg.secrets.bitwarden.client_path_secret})"
            ${lib.getExe cfg.package} login
            ${lib.getExe pkgs.jq} '.authenticatedAccounts[0] as $account
              | .[$account].directoryConfigurations.ldap |= $ldap_data
              | .[$account].directorySettings.organizationId |= $orgID
              | .[$account].directorySettings.sync |= $sync_data' \
              --argjson ldap_data ${escapeShellArg cfg.ldap.finalJSON} \
              --arg orgID "''${BW_CLIENTID//organization.}" \
              --argjson sync_data ${escapeShellArg cfg.sync.finalJSON} \
              /tmp/data.json \
              > /tmp/data.json.tmp
            mv -f /tmp/data.json.tmp /tmp/data.json
            # final config
            ${lib.getExe cfg.package} config directory 0
            ${lib.getExe cfg.package} config ldap.password --secretfile ${cfg.secrets.ldap}
          '';
          ExecStart = "${lib.getExe cfg.package} sync";
        };
      };
    };
  };
  meta.maintainers = with maintainers; [Silver-Golden];
 }
--- a/applications/bitwarden/bitwarden_sync.nix
+++ b/applications/bitwarden/bitwarden_sync.nix
@ -6,7 +6,9 @@
 }: let
  user = "bwdc";
 in {
-  imports = [];
+  imports = [
    ./bitwarden-directory-connector-cli.nix
  ];
  options = {};
--- a/applications/bitwarden/vaultwarden.nix
+++ b/applications/bitwarden/vaultwarden.nix
@ -13,6 +13,9 @@ with lib; let
  domain = "${domain_sub}.skynet.ie";
 in {
  imports = [
    ../acme.nix
    ../dns.nix
    ../nginx.nix
  ];
  options.services.skynet."${name}" = {
--- a/applications/discord.nix
+++ b/applications/discord.nix
@ -21,6 +21,7 @@ in {
    #backups = [ "/etc/silver_ul_ical/database.db" ];
    age.secrets.discord_token.file = ../secrets/discord/token.age;
    age.secrets.discord_ldap.file = ../secrets/discord/ldap.age;
    age.secrets.discord_mail.file = ../secrets/email/details.age;
    age.secrets.discord_wolves.file = ../secrets/wolves/details.age;
@ -30,9 +31,12 @@ in {
      env = {
        discord = config.age.secrets.discord_token.path;
        ldap = config.age.secrets.discord_ldap.path;
        mail = config.age.secrets.discord_mail.path;
        wolves = config.age.secrets.discord_wolves.path;
      };
      discord.server = "689189992417067052";
    };
  };
 }
--- a/applications/dns/dns.nix
+++ b/applications/dns/dns.nix
@ -3,42 +3,19 @@
  pkgs,
  config,
  nodes,
  self,
  ...
 }: let
  name = "dns";
  cfg = config.services.skynet."${name}";
  # reads that date to a string (will need to be fixed in 2038)
-  current_date = self.lastModified;
+  current_date = lib.readFile "${pkgs.runCommand "timestamp" {} "echo -n `date +%s` > $out"}";
  # this gets a list of all domains we have records for
  domains = lib.lists.naturalSort (lib.lists.unique (
    lib.lists.forEach records (x: x.domain)
  ));
  # get the ip's of our servers
  servers = lib.lists.naturalSort (lib.lists.unique (
    lib.lists.forEach (sort_records_a_server records) (x: x.value)
  ));
  domains_owned = [
    # for historic reasons we own this
    "csn.ul.ie"
    # the main one we use now
    "skynet.ie"
    # a backup
    "ulcompsoc.ie"
  ];
  # gets a list of records that match this type
-  filter_records_type = records: r_type: builtins.filter (x: x.r_type == r_type) records;
+  filter_records_type = r_type: builtins.filter (x: x.r_type == r_type) records;
-  # Get all the A records that are for servers (base record for them)
+  filter_records_server = builtins.filter (x: builtins.hasAttr "server" x && x.server) (filter_records_type "A");
-  filter_records_a_server = records: builtins.filter (x: builtins.hasAttr "server" x && x.server) (filter_records_type records "A");
+  filter_records_a = builtins.filter (x: builtins.hasAttr "server" x && !x.server) (filter_records_type "A");
  # Every other A record
  filter_records_a = records: builtins.filter (x: builtins.hasAttr "server" x && !x.server) (filter_records_type records "A");
  # These functions are to get the final 3 digits of an IP address so we can use them for reverse pointer
  process_ptr = records: lib.lists.forEach records (x: process_ptr_sub x);
  process_ptr_sub = record: {
    record = builtins.substring 9 3 record.record;
@ -47,100 +24,87 @@
  };
  ip_ptr_to_int = ip: lib.strings.toInt (builtins.substring 9 3 ip);
-  # filter and sort records so we cna group them in the right place later
+  sort_records_server = builtins.sort (a: b: a.record < b.record) filter_records_server;
-  sort_records_a_server = records: builtins.sort (a: b: a.record < b.record) (filter_records_a_server records);
+  sort_records_a = builtins.sort (a: b: (ip_ptr_to_int a.value) < (ip_ptr_to_int b.value)) filter_records_a;
-  sort_records_a = records: builtins.sort (a: b: (ip_ptr_to_int a.value) < (ip_ptr_to_int b.value)) (filter_records_a records);
+  sort_records_cname = builtins.sort (a: b: a.value < b.value) (filter_records_type "CNAME");
-  sort_records_cname = records: builtins.sort (a: b: a.value < b.value) (filter_records_type records "CNAME");
+  sort_records_ptr = builtins.sort (a: b: (lib.strings.toInt a.record) < (lib.strings.toInt b.record)) (process_ptr (filter_records_type "PTR"));
-  sort_records_ptr = records: builtins.sort (a: b: (lib.strings.toInt a.record) < (lib.strings.toInt b.record)) (process_ptr (filter_records_type records "PTR"));
+  sort_records_srv = builtins.sort (a: b: a.record < b.record) (filter_records_type "SRV");
  sort_records_srv = records: builtins.sort (a: b: a.record < b.record) (filter_records_type records "SRV");
-  # a tad overkill but type guarding is useful
+  format_records = records: offset: lib.strings.concatMapStrings (x: "${padString x.record offset} IN ${padString x.r_type 5} ${x.value}\n") records;
  max = x: y:
    assert builtins.isInt x;
    assert builtins.isInt y;
      if x < y
      then y
      else x;
-  # get teh max length of a list of strings
+  # small function to trim it down a tad
  max_len = records: lib.lists.foldr (a: b: (max a b)) 0 (lib.lists.forEach records (record: lib.strings.stringLength record.record));
  # Now that we can get teh max lenth of a list of strings
  # we can pad it out to the max len +1
  # this is so that teh generated file is easier for a human to read
  format_records = records: let
    offset = (max_len records) + 1;
  in
    lib.strings.concatMapStrings (x: "${padString x.record offset} IN ${padString x.r_type 5} ${x.value}\n") records;
  # small function to add spaces until it reaches teh required length
  padString = text: length: fixedWidthString_post length " " text;
  # like lib.strings.fixedWidthString but postfix
  # recursive function to extend a string up to a limit
  fixedWidthString_post = width: filler: str: let
    strw = lib.stringLength str;
    reqWidth = width - (lib.stringLength filler);
  in
    # this is here because we were manually setting teh length, now max_len does that for us
    assert lib.assertMsg (strw <= width) "fixedWidthString_post: requested string length (${toString width}) must not be shorter than actual length (${toString strw})";
      if strw == width
      then str
      else (fixedWidthString_post reqWidth filler str) + filler;
  # base config for domains we own (skynet.ie, csn.ul.ie, ulcompsoc.ie)
  # ";" are comments in this file
  get_config_file = (
-    domain: records: ''
+    domain: ''
      $TTL 60  ; 1 minute
-      ; hostmaster@skynet.ie is an email address that recieves stuff related to dns
+      ; hostmaster@${domain} is an email address that recieves stuff related to dns
-      @ IN SOA ${nameserver}.skynet.ie. hostmaster.skynet.ie. (
+      @ IN SOA ${nameserver}.${domain}. hostmaster.${domain}. (
         ; Serial (YYYYMMDDCC) this has to be updated for each time the record is updated
-         ${toString current_date}
+         ${current_date}
         600        ; Refresh (10 minutes)
         300        ; Retry   (5 minutes)
         604800     ; Expire  (1 week)
         3600       ; Minimum (1 hour)
        )
      @ NS  ns1.${domain}.
      @ NS  ns2.${domain}.
        ; @ stands for teh root domain so teh A record below is where ${domain} points to
-      @ NS  ns1.skynet.ie.
+      ;@ A   193.1.99.76
-      @ NS  ns2.skynet.ie.
+      ;@ MX  5 ${domain}.
      ; can have multiple mailserves
      @ MX  10 mail.${domain}.
      ; ------------------------------------------
      ; Server Names (A Records)
      ; ------------------------------------------
-      ${format_records (sort_records_a_server records)}
+      ${format_records sort_records_server 31}
      ; ------------------------------------------
      ; A (non server names
      ; ------------------------------------------
-      ${format_records (sort_records_a records)}
+      ${format_records sort_records_a 31}
      ; ------------------------------------------
      ; CNAMES
      ; ------------------------------------------
-      ${format_records (sort_records_cname records)}
+      ${format_records sort_records_cname 31}
      ; ------------------------------------------
      ; TXT
      ; ------------------------------------------
-      ${format_records (filter_records_type records "TXT")}
+      ${format_records (filter_records_type "TXT") 31}
      ; ------------------------------------------
      ; MX
      ; ------------------------------------------
-      ${format_records (filter_records_type records "MX")}
+      ${format_records (filter_records_type "MX") 31}
      ; ------------------------------------------
      ; SRV
      ; ------------------------------------------
-      ${format_records (sort_records_srv records)}
+      ${format_records sort_records_srv 65}
    ''
  );
  # https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/4/html/reference_guide/s2-bind-configuration-zone-reverse
-  # config for our reverse dns pointers (not properly working)
+  # config for our reverse dnspointers (not properly working)
  get_config_file_rev = (
    domain: ''
      $ORIGIN 64-64.99.1.193.in-addr.arpa.
@ -148,7 +112,7 @@
      ; hostmaster@skynet.ie is an email address that recieves stuff related to dns
      @ IN SOA ${nameserver}.skynet.ie. hostmaster.skynet.ie. (
         ; Serial (YYYYMMDDCC) this has to be updated for each time the record is updated
-         ${toString current_date}
+         ${current_date}
         600        ; Refresh (10 minutes)
         300        ; Retry   (5 minutes)
         604800     ; Expire  (1 week)
@ -161,37 +125,55 @@
      ; ------------------------------------------
      ; PTR
      ; ------------------------------------------
-      ${format_records (sort_records_ptr records)}
+      ${format_records sort_records_ptr 3}
    ''
  );
-  # arrays  of teh two nameservers
+  # domains we dont have proper ownship over, only here to ensure the logs dont get cluttered.
-  nameserver_1 = ["193.1.99.109"];
+  get_config_file_old_domains = (
-  nameserver_2 = ["193.1.99.120"];
+    domain: ''
      $TTL 60  ; 1 minute
      ; hostmaster@skynet.ie is an email address that recieves stuff related to dns
      @ IN SOA ${nameserver}.skynet.ie. hostmaster.skynet.ie. (
         ; Serial (YYYYMMDDCC) this has to be updated for each time the record is updated
         ${current_date}
         600        ; Refresh (10 minutes)
         300        ; Retry   (5 minutes)
         604800     ; Expire  (1 week)
         3600       ; Minimum (1 hour)
        )
      @ NS  ns1.skynet.ie.
      @ NS  ns2.skynet.ie.
    ''
  );
  # arrys  of teh two nameservers
  tmp1 = ["193.1.99.109"];
  tmp2 = ["193.1.99.120"];
  primaries = (
    if cfg.server.primary
    then
      # primary servers have no primaries (ones they listen to)
      []
-    else if builtins.elem cfg.server.ip nameserver_1
+    else if builtins.elem cfg.server.ip tmp1
-    then nameserver_2
+    then tmp2
-    else nameserver_1
+    else tmp1
  );
  secondaries = (
    if cfg.server.primary
    then
-      if builtins.elem cfg.server.ip nameserver_1
+      if builtins.elem cfg.server.ip tmp1
-      then nameserver_2
+      then tmp2
-      else nameserver_1
+      else tmp1
    else []
  );
  # small function to tidy up the spam of the cache networks, would use teh subnet except all external traffic has the ip of teh router
-  # now limited explicitly to servers that we are administering
+  create_cache_networks = map (x: "193.1.99.${toString x}/32") (lib.lists.range 71 126);
  # See i24-09-30_050 for more information
  create_cache_networks = map (x: "${toString x}/32") servers;
  # standard function to create the etc file, pass in the text and domain and it makes it
  create_entry_etc_sub = domain: text: {
@ -203,38 +185,27 @@
      # The UNIX file mode bits
      mode = "0664";
      # content of the file
      text = text;
    };
  };
  # (text.owned "csn.ul.ie")
  # standard function to create the etc file, pass in the text and domain and it makes it
-  create_entry_etc = domain: type: let
+  create_entry_etc = domain: type:
    domain_records = lib.lists.filter (x: x.domain == domain) records;
  in
    # this is the main type of record that most folks are used to
    if type == "owned"
-    then create_entry_etc_sub domain (get_config_file domain domain_records)
+    then create_entry_etc_sub domain (text.owned domain)
    # reverse lookups allow for using an IP to find domains pointing to it
    else if type == "reverse"
-    then create_entry_etc_sub domain (get_config_file_rev domain)
+    then create_entry_etc_sub domain (text.reverse domain)
    else if type == "old"
    then create_entry_etc_sub domain (text.old domain)
    else {};
-  create_entry_zone = domain: let
+  create_entry_zone = domain: extraConfig: {
    if_primary_and_owned =
      if cfg.server.primary && (lib.lists.any (item: item == domain) domains_owned)
      then ''
        allow-update { key rfc2136key.skynet.ie.; };
        dnssec-policy default;
        inline-signing yes;
      ''
      else "";
  in {
    "${domain}" = {
      extraConfig = ''
-        ${if_primary_and_owned}
+        ${extraConfig}
        // for bumping the config
-        // ${toString current_date}
+        // ${current_date}
      '';
      # really wish teh nixos config didnt use master/slave
      master = cfg.server.primary;
@ -247,16 +218,69 @@
    };
  };
  text = {
    owned = domain: get_config_file domain;
    reverse = domain: get_config_file_rev domain;
    old = domain: get_config_file_old_domains domain;
  };
  extraConfig = {
    owned =
      if cfg.server.primary
      then ''
        allow-update { key rfc2136key.skynet.ie.; };
        dnssec-policy default;
        inline-signing yes;
      ''
      else "";
    # no extra config for reverse
    reverse = "";
    old = "";
  };
  records =
    config.skynet.records
    /*
    Need to "manually" grab it from each server.
    Nix is laxy evalusted so if it does not need to open a file it wont.
    This is to iterate through each server (node) and evaluate the dns records for that server.
    */
    ++ builtins.concatLists (
      lib.attrsets.mapAttrsToList (
-        key: value: value.config.services.skynet.dns.records
+        key: value: let
          details_server = value.config.services.skynet."${name}".server;
          details_records = value.config.services.skynet."${name}".records;
        in
          if builtins.hasAttr "dns" value.config.services.skynet
          then
            (
              # got to handle habing a dns record for the dns serves themselves.
              if details_server.enable
              then
                (
                  if details_server.primary
                  then
                    details_records
                    ++ [
                      {
                        record = "ns1";
                        r_type = "A";
                        value = details_server.ip;
                        server = false;
                      }
                    ]
                  else
                    details_records
                    ++ [
                      {
                        record = "ns2";
                        r_type = "A";
                        value = details_server.ip;
                        server = false;
                      }
                    ]
                )
              else details_records
            )
          else []
      )
      nodes
    );
@ -267,7 +291,8 @@
    else "ns2";
 in {
  imports = [
-    ../../config/dns.nix
+    ./firewall.nix
    ../config/dns.nix
  ];
  options.services.skynet."${name}" = {
@ -291,11 +316,28 @@ in {
      };
    };
    # mirrorred in ../config/dns.nix
    records = lib.mkOption {
      description = "Records, sorted based on therir type";
-      type = lib.types.listOf (lib.types.submodule (import ./options-records.nix {
+      type = with lib.types;
-        inherit lib;
+        listOf (submodule {
-      }));
+          options = {
            record = lib.mkOption {
              type = str;
            };
            r_type = lib.mkOption {
              type = enum ["A" "CNAME" "TXT" "PTR" "SRV" "MX"];
            };
            value = lib.mkOption {
              type = str;
            };
            server = lib.mkOption {
              description = "Core record for a server";
              type = bool;
              default = false;
            };
          };
        });
    };
  };
@ -314,40 +356,29 @@ in {
      "ip daddr ${cfg.server.ip} udp dport 53 counter packets 0 bytes 0 accept"
    ];
-    services.skynet.dns.records = [
+    services.bind.zones =
-      {
+      (create_entry_zone "csn.ul.ie" extraConfig.owned)
-        record = nameserver;
+      // (create_entry_zone "skynet.ie" extraConfig.owned)
-        r_type = "A";
+      // (create_entry_zone "ulcompsoc.ie" extraConfig.owned)
-        value = config.services.skynet.host.ip;
+      // (create_entry_zone "64-64.99.1.193.in-addr.arpa" extraConfig.reverse)
-      }
+      // (create_entry_zone "conradcollins.net" extraConfig.old)
-    ];
+      // (create_entry_zone "edelharty.net" extraConfig.old);
-    services.bind.zones = lib.attrsets.mergeAttrsList (
+    environment.etc =
-      # uses teh domains lsited in teh records
+      (create_entry_etc "csn.ul.ie" "owned")
-      (lib.lists.forEach domains (domain: (create_entry_zone domain)))
+      // (create_entry_etc "skynet.ie" "owned")
-      # we have to do a reverse dns
+      // (create_entry_etc "ulcompsoc.ie" "owned")
-      ++ [
+      // (create_entry_etc "64-64.99.1.193.in-addr.arpa" "reverse")
-        (create_entry_zone "64-64.99.1.193.in-addr.arpa")
+      // (create_entry_etc "conradcollins.net" "old")
-      ]
+      // (create_entry_etc "edelharty.net" "old");
    );
    environment.etc = lib.attrsets.mergeAttrsList (
      # uses teh domains lsited in teh records
      (lib.lists.forEach domains (domain: (create_entry_etc domain "owned")))
      # we have to do a reverse dns
      ++ [
        (create_entry_etc "64-64.99.1.193.in-addr.arpa" "reverse")
      ]
    );
    # secrets required
    age.secrets.dns_dnskeys = {
-      file = ../../secrets/dns_dnskeys.conf.age;
+      file = ../secrets/dns_dnskeys.conf.age;
      owner = "named";
      group = "named";
    };
    # basic but ensure teh dns ports are open
    networking.firewall = {
      allowedTCPPorts = [53];
      allowedUDPPorts = [53];
--- a/applications/dns/options-records.nix
+++ b/applications/dns/options-records.nix
@ -1,31 +0,0 @@
 /*
 Define the options for dns records here.
 They are imported into anything that needs to use them
 */
 {lib, ...}:
 with lib; {
  options = {
    domain = lib.mkOption {
      description = "Domain this record is for";
      type = lib.types.str;
      default = "skynet.ie";
    };
    record = lib.mkOption {
      description = "What you want to name the subdomain.";
      type = lib.types.str;
    };
    r_type = lib.mkOption {
      description = "Type of record that this is.";
      type = lib.types.enum ["A" "CNAME" "TXT" "PTR" "SRV" "MX"];
    };
    value = lib.mkOption {
      description = "What the record points to, normally ip or another record.";
      type = lib.types.str;
    };
    server = lib.mkOption {
      description = "Core record for a server";
      type = lib.types.bool;
      default = false;
    };
  };
 }
--- a/applications/email.nix
+++ b/applications/email.nix
@ -92,7 +92,7 @@ with lib; let
    }
  ];
-  sieveConfigFile =
+  configFile =
    # https://doc.dovecot.org/configuration_manual/sieve/examples/#plus-addressed-mail-filtering
    pkgs.writeText "basic_sieve"
    ''
@ -105,36 +105,24 @@ with lib; let
      # this should be close to teh last step
      if allof (
-        address  :localpart ["To", "Cc"] ["${toString create_config_to}"],
+          address  :localpart ["To"] ["${toString create_config_to}"],
-        address  :domain ["To", "Cc"] "skynet.ie"
+          address  :domain ["To"] "skynet.ie"
          ){
-        if address :matches ["To", "Cc"] "*@skynet.ie" {
+          if address :matches ["To"] "*@skynet.ie" {
            if header :is "X-Spam" "Yes" {
              fileinto :create "''${1}.Junk";
              stop;
            } else {
              fileinto :create "''${1}";
            stop;
          }
        }
      }
      if allof (
        address  :localpart ["From"] ["${toString create_config_to}"],
        address  :domain ["From"] "skynet.ie"
        ){
        if address :matches ["From"] "*@skynet.ie" {
          if header :is "X-Spam" "Yes" {
            fileinto :create "''${1}.Junk";
            stop;
          } else {
            fileinto :create "''${1}";
            stop;
            }
          }
      }
    '';
 in {
  imports = [
    ./dns.nix
    ./acme.nix
    ./nginx.nix
    inputs.simple-nixos-mailserver.nixosModule
    # for teh config
@ -202,7 +190,7 @@ in {
  config = mkIf cfg.enable {
    services.skynet.backup.normal.backups = [
-      #"/var/vmail"
+      "/var/vmail"
      "/var/dkim"
    ];
@ -282,16 +270,7 @@ in {
    };
    # set up dns record for it
-    services.skynet.dns.records =
+    services.skynet.dns.records = [
      [
        # core record
        {
          record = "@";
          r_type = "MX";
          # the number is the priority in teh case of multiple mailservers
          value = "10 mail.${cfg.domain}.";
        }
      # basic one
      {
        record = "mail";
@ -316,6 +295,37 @@ in {
      }
      # TXT records, all tehse are inside escaped strings to allow using ""
      # SPF record
      {
        record = "${cfg.domain}.";
        r_type = "TXT";
        value = ''"v=spf1 a:${cfg.sub}.${cfg.domain} -all"'';
      }
      # DKIM keys
      {
        record = "mail._domainkey.skynet.ie.";
        r_type = "TXT";
        value = ''"v=DKIM1; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCxju1Ie60BdHwyFVPNQKovL/cX9IFPzBKgjnHZf+WBzDCFKSBpf7NvnfXajtFDQN0poaN/Qfifid+V55ZCNDBn8Y3qZa4Y69iNiLw2DdvYf0HdnxX6+pLpbmj7tikGGLJ62xnhkJhoELnz5gCOhpyoiv0tSQVaJpaGZmoll861/QIDAQAB"'';
      }
      {
        record = "mail._domainkey.ulcompsoc.ie.";
        r_type = "TXT";
        value = ''"v=DKIM1; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDl8ptSASx37t5sfmU2d2Y6yi9AVrsNFBZDmJ2uaLa4NuvAjxGQCw4wx+1Jui/HOuKYLpntLsjN851wgPR+3i51g4OblqBDvcHn9NYgWRZfHj9AASANQjdsaAbkXuyKuO46hZqeWlpESAcD6a4Evam4fkm+kiZC0+rccb4cWgsuLwIDAQAB"'';
      }
      # DMARC
      {
        record = "_dmarc.${cfg.domain}.";
        r_type = "TXT";
        # p     : quarantine => sends to spam, reject => never sent
        # rua   : mail that receives reports about DMARC activity
        # pct   : percentage of unathenticated messages that DMARC stops
        # adkim : alignment policy for DKIM, s => Strict, subdomains arent allowed, r => relaxed, subdomains allowed
        # aspf  : alignment policy for SPF, s => Strict, subdomains arent allowed, r => relaxed, subdomains allowed
        # sp    : DMARC policy for subdomains, none => no action, reports to rua, quarantine => spam, reject => never sent
        value = ''"v=DMARC1; p=quarantine; rua=mailto:mailman@skynet.ie; pct=100; adkim=s; aspf=s; sp=none"'';
      }
      # reverse pointer
      {
@ -348,42 +358,6 @@ in {
        r_type = "SRV";
        value = "0 1 587 ${cfg.sub}.${cfg.domain}.";
      }
      ]
      # SPF record
      ++ [
        {
          record = "${cfg.domain}.";
          r_type = "TXT";
          value = ''"v=spf1 a:${cfg.sub}.${cfg.domain} ip4:${config.services.skynet.host.ip} -all"'';
        }
      ]
      # DKIM keys
      ++ [
        {
          record = "mail._domainkey.skynet.ie.";
          r_type = "TXT";
          value = ''"v=DKIM1; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCxju1Ie60BdHwyFVPNQKovL/cX9IFPzBKgjnHZf+WBzDCFKSBpf7NvnfXajtFDQN0poaN/Qfifid+V55ZCNDBn8Y3qZa4Y69iNiLw2DdvYf0HdnxX6+pLpbmj7tikGGLJ62xnhkJhoELnz5gCOhpyoiv0tSQVaJpaGZmoll861/QIDAQAB"'';
        }
        {
          domain = "ulcompsoc.ie";
          record = "mail._domainkey.ulcompsoc.ie.";
          r_type = "TXT";
          value = ''"v=DKIM1; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDl8ptSASx37t5sfmU2d2Y6yi9AVrsNFBZDmJ2uaLa4NuvAjxGQCw4wx+1Jui/HOuKYLpntLsjN851wgPR+3i51g4OblqBDvcHn9NYgWRZfHj9AASANQjdsaAbkXuyKuO46hZqeWlpESAcD6a4Evam4fkm+kiZC0+rccb4cWgsuLwIDAQAB"'';
        }
      ]
      # DMARC
      ++ [
        {
          record = "_dmarc.${cfg.domain}.";
          r_type = "TXT";
          # p     : quarantine => sends to spam, reject => never sent
          # rua   : mail that receives reports about DMARC activity
          # pct   : percentage of unathenticated messages that DMARC stops
          # adkim : alignment policy for DKIM, s => Strict, subdomains arent allowed, r => relaxed, subdomains allowed
          # aspf  : alignment policy for SPF, s => Strict, subdomains arent allowed, r => relaxed, subdomains allowed
          # sp    : DMARC policy for subdomains, none => no action, reports to rua, quarantine => spam, reject => never sent
          value = ''"v=DMARC1; p=quarantine; rua=mailto:mailman@skynet.ie; pct=100; adkim=s; aspf=s; sp=quarantine"'';
        }
    ];
    #https://nixos-mailserver.readthedocs.io/en/latest/add-roundcube.html
@ -477,40 +451,7 @@ in {
    };
    services.dovecot2.sieve.scripts = {
-      before = sieveConfigFile;
+      before = configFile;
    };
    # This is to add a bcc to outgoing mail
    # this then interacts with teh filters to put it in the right folder
    # we can directly add to the postfix service here
    services.postfix = let
      # mostly copied from the upstream mailserver config/functions
      mappedFile = name: "hash:/var/lib/postfix/conf/${name}";
      sender_bcc_maps_file = let
        content = lookupTableToString create_skynet_service_bcc;
      in
        builtins.toFile "sender_bcc_maps" content;
      lookupTableToString = attrs: let
        valueToString = value: lib.concatStringsSep ", " value;
      in
        lib.concatStringsSep "\n" (lib.mapAttrsToList (name: value: "${name} ${valueToString value}") attrs);
      # convert the mailboxes config to something that can be used here
      create_skynet_email_bcc = mailbox: {
        name = "${mailbox}@skynet.ie";
        value = ["${mailbox}@skynet.ie"];
      };
      create_skynet_service_bcc = builtins.listToAttrs (map (mailbox: (create_skynet_email_bcc mailbox.account)) service_mailboxes);
    in {
      mapFiles."sender_bcc_maps" = sender_bcc_maps_file;
      config = {
        sender_bcc_maps = [
          (mappedFile "sender_bcc_maps")
        ];
      };
    };
    # tune the spam filter
--- a/applications/git/forgejo.nix
+++ b/applications/git/forgejo.nix
@ -1,129 +0,0 @@
 {
  config,
  pkgs,
  lib,
  ...
 }:
 with lib; let
  name = "forgejo";
  cfg = config.services.skynet."${name}";
  domain_base = "${cfg.domain.base}.${cfg.domain.tld}";
  domain_full = "${cfg.domain.sub}.${domain_base}";
 in {
  imports = [
  ];
  options.services.skynet."${name}" = {
    enable = mkEnableOption "Skynet Forgejo";
    domain = {
      tld = mkOption {
        type = types.str;
        default = "ie";
      };
      base = mkOption {
        type = types.str;
        default = "skynet";
      };
      sub = mkOption {
        type = types.str;
        default = name;
      };
    };
    forgejo = {
      port = mkOption {
        type = types.port;
        default = 3000;
      };
    };
  };
  config = mkIf cfg.enable {
    #    age.secrets.forgejo-mailer-password = {
    #      file = ../../secrets/forgejo/mailer-password.age;
    #      mode = "400";
    #      owner = "forgejo";
    #    };
    services.skynet.acme.domains = [
      "${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}"
    ];
    # using https://nixos.org/manual/nixos/stable/index.html#module-services-gitlab as a guide
    services.skynet.dns.records = [
      {
        record = cfg.domain.sub;
        r_type = "CNAME";
        value = config.services.skynet.host.name;
      }
    ];
    services.nginx.virtualHosts = {
      # main site
      "${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}" = {
        forceSSL = true;
        useACMEHost = "skynet";
        locations."/" = {
          proxyPass = "http://localhost:${toString cfg.forgejo.port}";
          extraConfig = ''
            client_max_body_size 1000M;
          '';
        };
      };
    };
    # for signing reasons
    programs.gnupg.agent = {
      enable = true;
      enableSSHSupport = true;
    };
    services.forgejo = {
      enable = true;
      package = pkgs.forgejo;
      database.type = "sqlite3";
      # Enable support for Git Large File Storage
      lfs.enable = true;
      settings = {
        server = {
          DOMAIN = "${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}";
          # You need to specify this to remove the port from URLs in the web UI.
          ROOT_URL = "https://${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}/";
          HTTP_PORT = cfg.forgejo.port;
        };
        # You can temporarily allow registration to create an admin user.
        service.DISABLE_REGISTRATION = true;
        # Add support for actions, based on act: https://github.com/nektos/act
        actions = {
          ENABLED = true;
          DEFAULT_ACTIONS_URL = "github";
        };
        # Allow for signing off merge requests
        #        "repository.signing" = {
        #          SIGNING_KEY = "5B2DED0FE9F8627A";
        #          SIGNING_NAME = "Skynet";
        #          SIGNING_EMAIL = "forgejo@glados.skynet.ie";
        #          MERGES = "always";
        #        };
        # Sending emails is completely optional
        # You can send a test email from the web UI at:
        # Profile Picture > Site Administration > Configuration >  Mailer Configuration
        #          mailer = {
        #            ENABLED = true;
        #            SMTP_ADDR = "mail.${cfg.domain.base}.${cfg.domain.tld}";
        #            FROM = "noreply@${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}";
        #            USER = "noreply@${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}";
        #          };
      };
      #        mailerPasswordFile = config.age.secrets.forgejo-mailer-password.path;
    };
  };
 }
--- a/applications/git/forgejo_runner.nix
+++ b/applications/git/forgejo_runner.nix
@ -1,159 +0,0 @@
 {
  config,
  pkgs,
  lib,
  inputs,
  ...
 }:
 with lib; let
  name = "forgejo_runner";
  cfg = config.services.skynet."${name}";
 in {
  imports = [
  ];
  options.services.skynet."${name}" = {
    enable = mkEnableOption "Skynet ForgeJo Runner";
    runner = {
      name = mkOption {
        type = types.str;
        default = config.networking.hostName;
      };
      website = mkOption {
        default = "https://forgejo.skynet.ie";
        type = types.str;
      };
      user = mkOption {
        default = "gitea-runner";
        type = types.str;
      };
    };
  };
  config = mkIf cfg.enable {
    # https://search.nixos.org/options?from=0&size=50&sort=alpha_desc&type=packages&query=services.gitlab-runner.
    environment.systemPackages = with pkgs; [
      forgejo-actions-runner
    ];
    age.secrets.forgejo_runner_token = {
      file = ../../secrets/forgejo/runners/token.age;
      owner = cfg.runner.user;
      group = cfg.runner.user;
    };
    # make sure the ssh config stuff is in teh right palce
    systemd.tmpfiles.rules = [
      #"d  /home/${cfg.runner.user}             0755 ${cfg.runner.user} ${cfg.runner.user}"
      "L+ /home/${cfg.runner.user}/.ssh/config 0755 ${cfg.runner.user} ${cfg.runner.user}  -   ${./ssh_config}"
    ];
    age.secrets.forgejo_runner_ssh = {
      file = ../../secrets/forgejo/runners/ssh.age;
      mode = "600";
      owner = "${cfg.runner.user}";
      group = "${cfg.runner.user}";
      symlink = false;
      path = "/home/${cfg.runner.user}/.ssh/skynet/root";
    };
    nix = {
      settings = {
        trusted-users = [
          # allow the runner to build nix stuff and to use the cache
          "gitea-runner"
        ];
        trusted-public-keys = [
          "skynet-cache:zMFLzcRZPhUpjXUy8SF8Cf7KGAZwo98SKrzeXvdWABo="
          "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
        ];
        substituters = [
          "https://nix-cache.skynet.ie/skynet-cache/"
          "https://cache.nixos.org/"
        ];
        trusted-substituters = [
          "https://nix-cache.skynet.ie/skynet-cache/"
          "https://cache.nixos.org/"
        ];
      };
    };
    # very basic setup to always be watching for changes in teh cache
    systemd.services.attic-uploader = {
      enable = true;
      serviceConfig = {
        ExecStart = "${pkgs.attic-client}/bin/attic watch-store skynet-cache";
        User = "root";
        Restart = "always";
        RestartSec = 1;
      };
    };
    # give teh runner user a home to store teh ssh config stuff
    systemd.services.gitea-runner-default.serviceConfig = {
      DynamicUser = lib.mkForce false;
      User = lib.mkForce cfg.runner.user;
    };
    users = {
      groups."${cfg.runner.user}" = {};
      users."${cfg.runner.user}" = {
        #isSystemUser = true;
        isNormalUser = true;
        group = cfg.runner.user;
        createHome = true;
        shell = pkgs.bash;
      };
    };
    boot.kernel.sysctl."net.ipv4.ip_forward" = true; # 1
    virtualisation.docker.enable = true;
    # taken from https://github.com/NixOS/nixpkgs/issues/245365#issuecomment-1663854128
    virtualisation.docker.listenOptions = ["/run/docker.sock" "127.0.0.1:2375"];
    # the actual runner
    services.gitea-actions-runner = {
      package = pkgs.forgejo-actions-runner;
      instances.default = {
        enable = true;
        name = cfg.runner.name;
        url = cfg.runner.website;
        tokenFile = config.age.secrets.forgejo_runner_token.path;
        labels = [
          ## optionally provide native execution on the host:
          "nix:host"
          "docker:docker://node:22-bookworm"
          "ubuntu-latest:docker://node:22-bookworm"
        ];
        hostPackages = with pkgs; [
          # default ones
          bash
          coreutils
          curl
          gawk
          git
          gnused
          nodejs
          wget
          # useful to have in path
          jq
          which
          dpkg
          zip
          git-lfs
          # used in deployments
          inputs.colmena.defaultPackage."x86_64-linux"
          attic-client
          lix
          openssh
          sudo
        ];
      };
    };
  };
 }
--- a/applications/git/ssh_config
+++ b/applications/git/ssh_config
@ -1,5 +0,0 @@
 Host *.skynet.ie 193.1.99.* 193.1.96.165
   User root
   IdentityFile ~/.ssh/skynet/root
   IdentitiesOnly yes
--- a/applications/git/gitlab.nix
+++ b/applications/git/gitlab.nix
@ -12,6 +12,10 @@ with lib; let
  domain_full = "${cfg.domain.sub}.${domain_base}";
 in {
  imports = [
    ./acme.nix
    ./dns.nix
    ./firewall.nix
    ./nginx.nix
  ];
  options.services.skynet."${name}" = {
@ -56,32 +60,32 @@ in {
    # grep -r --exclude-dir={docker,containers,log,sys,nix,proc}  gitlab /
    age.secrets.gitlab_pw = {
-      file = ../../secrets/gitlab/pw.age;
+      file = ../secrets/gitlab/pw.age;
      owner = cfg.user;
      group = cfg.user;
    };
    age.secrets.gitlab_secrets_db = {
-      file = ../../secrets/gitlab/secrets_db.age;
+      file = ../secrets/gitlab/secrets_db.age;
      owner = cfg.user;
      group = cfg.user;
    };
    age.secrets.gitlab_secrets_secret = {
-      file = ../../secrets/gitlab/secrets_secret.age;
+      file = ../secrets/gitlab/secrets_secret.age;
      owner = cfg.user;
      group = cfg.user;
    };
    age.secrets.gitlab_secrets_otp = {
-      file = ../../secrets/gitlab/secrets_otp.age;
+      file = ../secrets/gitlab/secrets_otp.age;
      owner = cfg.user;
      group = cfg.user;
    };
    age.secrets.gitlab_secrets_jws = {
-      file = ../../secrets/gitlab/secrets_jws.age;
+      file = ../secrets/gitlab/secrets_jws.age;
      owner = cfg.user;
      group = cfg.user;
    };
    age.secrets.gitlab_db_pw = {
-      file = ../../secrets/gitlab/db_pw.age;
+      file = ../secrets/gitlab/db_pw.age;
      owner = cfg.user;
      group = cfg.user;
    };
--- a/applications/gitlab_runner.nix
+++ b/applications/gitlab_runner.nix
@ -0,0 +1,122 @@
 {
  config,
  pkgs,
  lib,
  ...
 }:
 with lib; let
  name = "gitlab_runner";
  cfg = config.services.skynet."${name}";
 in {
  imports = [
  ];
  options.services.skynet."${name}" = {
    enable = mkEnableOption "Skynet Gitlab Runner";
    runner = {
      name = mkOption {
        type = types.str;
      };
      gitlab = mkOption {
        default = "https://gitlab.skynet.ie";
        type = types.str;
      };
      description = mkOption {
        default = cfg.runner.name;
        type = types.str;
      };
      docker = {
        image = mkOption {
          default = "alpine:3.18.4";
          type = types.str;
        };
        cleanup_dates = mkOption {
          # https://man.archlinux.org/man/systemd.time.7#CALENDAR_EVENTS
          # it will use a lot of storage so clear it daily, may change to hourly if required
          default = "daily";
          type = types.str;
        };
      };
    };
  };
  config = mkIf cfg.enable {
    # https://search.nixos.org/options?from=0&size=50&sort=alpha_desc&type=packages&query=services.gitlab-runner.
    environment.systemPackages = [
      pkgs.gitlab-runner
    ];
    age.secrets.runner_01_nix.file = ../secrets/gitlab/runners/runner01.age;
    age.secrets.runner_02_general.file = ../secrets/gitlab/runners/runner02.age;
    boot.kernel.sysctl."net.ipv4.ip_forward" = true; # 1
    virtualisation.docker.enable = true;
    # taken from https://github.com/NixOS/nixpkgs/issues/245365#issuecomment-1663854128
    virtualisation.docker.listenOptions = ["/run/docker.sock" "127.0.0.1:2375"];
    services.gitlab-runner = {
      enable = true;
      #      clear-docker-cache = {
      #        enable = true;
      #        dates = cfg.runner.docker.cleanup_dates;
      #      };
      services = {
        # might make a function later to have multiple runners, might never need it though
        runner_nix = {
          cloneUrl = cfg.runner.gitlab;
          description = "For Nix only";
          registrationFlags = ["--docker-host" "tcp://127.0.0.1:2375"];
          registrationConfigFile = config.age.secrets.runner_01_nix.path;
          dockerImage = cfg.runner.docker.image;
          # from https://nixos.wiki/wiki/Gitlab_runner
          dockerVolumes = [
            "/nix/store:/nix/store:ro"
            "/nix/var/nix/db:/nix/var/nix/db:ro"
            "/nix/var/nix/daemon-socket:/nix/var/nix/daemon-socket:ro"
          ];
          dockerDisableCache = true;
          preBuildScript = pkgs.writeScript "setup-container" ''
            mkdir -p -m 0755 /nix/var/log/nix/drvs
            mkdir -p -m 0755 /nix/var/nix/gcroots
            mkdir -p -m 0755 /nix/var/nix/profiles
            mkdir -p -m 0755 /nix/var/nix/temproots
            mkdir -p -m 0755 /nix/var/nix/userpool
            mkdir -p -m 1777 /nix/var/nix/gcroots/per-user
            mkdir -p -m 1777 /nix/var/nix/profiles/per-user
            mkdir -p -m 0755 /nix/var/nix/profiles/per-user/root
            mkdir -p -m 0700 "$HOME/.nix-defexpr"
            . ${pkgs.nix}/etc/profile.d/nix-daemon.sh
            ${pkgs.nix}/bin/nix-channel --add https://nixos.org/channels/nixos-unstable nixpkgs # 3
            ${pkgs.nix}/bin/nix-channel --update nixpkgs
            ${pkgs.nix}/bin/nix-env -i ${concatStringsSep " " (with pkgs; [nix cacert git openssh])}
          '';
          environmentVariables = {
            ENV = "/etc/profile";
            USER = "root";
            NIX_REMOTE = "daemon";
            PATH = "/nix/var/nix/profiles/default/bin:/nix/var/nix/profiles/default/sbin:/bin:/sbin:/usr/bin:/usr/sbin";
            NIX_SSL_CERT_FILE = "/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt";
          };
          tagList = ["nix"];
        };
        runner_general = {
          cloneUrl = cfg.runner.gitlab;
          description = "General Runner";
          registrationFlags = ["--docker-host" "tcp://127.0.0.1:2375"];
          registrationConfigFile = config.age.secrets.runner_02_general.path;
          dockerImage = cfg.runner.docker.image;
        };
      };
    };
  };
 }
--- a/applications/grafana.nix
+++ b/applications/grafana.nix
@ -9,6 +9,8 @@ with lib; let
  port = 4444;
 in {
  imports = [
    ./acme.nix
    ./dns.nix
  ];
  options.services.skynet."${name}" = {
--- a/applications/ldap/backend.nix
+++ b/applications/ldap/backend.nix
@ -11,6 +11,9 @@ with lib; let
  port_backend = "8087";
 in {
  imports = [
    ../acme.nix
    ../dns.nix
    ../nginx.nix
    inputs.skynet_ldap_backend.nixosModule."x86_64-linux"
    ../../config/users.nix
  ];
@ -40,6 +43,7 @@ in {
    #backups = [ "/etc/silver_ul_ical/database.db" ];
    age.secrets.ldap_details.file = ../../secrets/ldap/details.age;
    age.secrets.ldap_discord.file = ../../secrets/discord/ldap.age;
    age.secrets.ldap_mail.file = ../../secrets/email/details.age;
    age.secrets.ldap_wolves.file = ../../secrets/wolves/details.age;
@ -68,6 +72,7 @@ in {
      # contains teh password in env form
      env = {
        ldap = config.age.secrets.ldap_details.path;
        discord = config.age.secrets.ldap_discord.path;
        mail = config.age.secrets.ldap_mail.path;
        wolves = config.age.secrets.ldap_wolves.path;
      };
--- a/applications/ldap/server.nix
+++ b/applications/ldap/server.nix
@ -15,6 +15,9 @@ with lib; let
 in {
  # these are needed for teh program in question
  imports = [
    ../acme.nix
    ../dns.nix
    ../nginx.nix
  ];
  options.services.skynet."${name}" = {
--- a/applications/nextcloud.nix
+++ b/applications/nextcloud.nix
@ -10,6 +10,9 @@ with lib; let
  domain = "${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}";
 in {
  imports = [
    ./acme.nix
    ./dns.nix
    ./nginx.nix
  ];
  options.services.skynet."${name}" = {
@ -45,7 +48,6 @@ in {
    services.skynet.acme.domains = [
      domain
      "onlyoffice.${domain}"
      "whiteboard.${domain}"
    ];
    services.skynet.dns.records = [
@ -59,18 +61,13 @@ in {
        r_type = "CNAME";
        value = config.services.skynet.host.name;
      }
      #      {
      #        record = "whiteboard.${cfg.domain.sub}";
      #        r_type = "CNAME";
      #        value = config.services.skynet.host.name;
      #      }
    ];
    # /var/lib/nextcloud/data
    services.nextcloud = {
      enable = true;
-      package = pkgs.nextcloud30;
+      package = pkgs.nextcloud28;
      hostName = domain;
      https = true;
@ -84,8 +81,8 @@ in {
      appstoreEnable = true;
-      extraApps = {
+      extraApps = with config.services.nextcloud.package.packages.apps; {
-        inherit (config.services.nextcloud.package.packages.apps) richdocuments;
+        inherit forms groupfolders maps notes onlyoffice polls;
      };
      settings = {
@ -96,21 +93,10 @@ in {
      };
    };
    #    environment.etc."nextcloud-whiteboard-secret".text = ''
    #      JWT_SECRET_KEY=test123
    #    '';
    #
    #    services.nextcloud-whiteboard-server = {
    #      enable = true;
    #      settings.NEXTCLOUD_URL = "https://nextcloud.skynet.ie";
    #      secrets = ["/etc/nextcloud-whiteboard-secret"];
    #    };
    nixpkgs.config.allowUnfree = true;
-    # impacted by https://github.com/NixOS  /nixpkgs/issues/352443
+    services.onlyoffice = {
-    #    services.onlyoffice = {
+      enable = true;
-    #      enable = true;
+    };
    #    };
    services.nginx.virtualHosts = {
      ${domain} = {
@ -122,14 +108,6 @@ in {
        useACMEHost = "skynet";
        locations."/".proxyPass = "http://127.0.0.1:8000";
      };
      #      "whiteboard.${domain}" = {
      #        forceSSL = true;
      #        useACMEHost = "skynet";
      #        locations."/" = {
      #          proxyPass = "http://localhost:3002";
      #          proxyWebsockets = true;
      #        };
      #      };
    };
  };
 }
--- a/applications/nginx.nix
+++ b/applications/nginx.nix
@ -9,6 +9,8 @@
    recommendedGzipSettings = true;
    recommendedProxySettings = true;
    statusPage = true;
    # give Nginx access to our certs
    group = "acme";
  };
--- a/applications/nix_cache/nix_cache.nix
+++ b/applications/nix_cache/nix_cache.nix
@ -15,6 +15,7 @@ https://docs.attic.rs/introduction.html
  lib,
  config,
  pkgs,
  inputs,
  ...
 }:
 with lib; let
@ -22,6 +23,9 @@ with lib; let
  cfg = config.services.skynet."${name}";
 in {
  imports = [
    inputs.attic.nixosModules.atticd
    ../acme.nix
    ../dns.nix
  ];
  options.services.skynet."${name}" = {
@ -51,7 +55,7 @@ in {
      enable = true;
      # Replace with absolute path to your credentials file
-      environmentFile = "/etc/atticd.env";
+      credentialsFile = "/etc/atticd.env";
      settings = {
        listen = "127.0.0.1:8080";
--- a/applications/open_governance/keyserver.nix
+++ b/applications/open_governance/keyserver.nix
@ -13,6 +13,8 @@ with lib; let
  port = 11371;
 in {
  imports = [
    ../acme.nix
    ../dns.nix
  ];
  options.services.skynet."${name}" = {
--- a/applications/open_governance/open_governance.nix
+++ b/applications/open_governance/open_governance.nix
@ -15,6 +15,8 @@ with lib; let
  folder = "/var/skynet/${name}";
 in {
  imports = [
    ../acme.nix
    ../dns.nix
  ];
  options.services.skynet."${name}" = {
--- a/applications/prometheus.nix
+++ b/applications/prometheus.nix
@ -21,7 +21,7 @@ with lib; let
      )
      nodes
    );
-    node = lib.attrsets.mapAttrsToList (key: value: "${value.config.deployment.targetHost}:${toString value.config.services.prometheus.exporters.node.port}") nodes;
+    node = lib.attrsets.mapAttrsToList (key: value: "${value.config.deployment.targetHost}:${toString config.services.prometheus.exporters.node.port}") nodes;
  };
  # clears any invalid entries
@ -37,10 +37,8 @@ in {
        type = types.port;
        default = 9001;
      };
    };
-    external = {
+      external.node = mkOption {
      node = mkOption {
        type = types.listOf types.str;
        default = [];
        description = ''
@ -48,20 +46,12 @@ in {
        '';
      };
    };
    ports = {
      node = mkOption {
        type = types.port;
        default = 9100;
      };
    };
  };
  config = mkMerge [
    {
      services.prometheus.exporters.node = {
        enable = true;
        port = cfg.ports.node;
        openFirewall = true;
        # most collectors are on by default see https://github.com/prometheus/node_exporter for more options
        enabledCollectors = ["systemd" "processes"];
@ -76,7 +66,7 @@ in {
            job_name = "node_exporter";
            static_configs = [
              {
-                targets = filter_empty (exporters.node ++ cfg.external.node);
+                targets = filter_empty (exporters.node ++ cfg.server.external.node);
              }
            ];
          }
--- a/applications/proxmox-lxc.nix
+++ b/applications/proxmox-lxc.nix
@ -12,19 +12,19 @@ with lib; {
    enable = mkOption {
      default = true;
      type = types.bool;
-      description = lib.mdDoc "Whether to enable the Proxmox VE LXC module.";
+      description = lib.mdDoc "Whether to enable the ProxmoxLXC.";
    };
    privileged = mkOption {
      type = types.bool;
      default = false;
-      description = ''
+      description = lib.mdDoc ''
        Whether to enable privileged mounts
      '';
    };
    manageNetwork = mkOption {
      type = types.bool;
      default = false;
-      description = ''
+      description = lib.mdDoc ''
        Whether to manage network interfaces through nix options
        When false, systemd-networkd is enabled to accept network
        configuration from proxmox.
@ -33,7 +33,7 @@ with lib; {
    manageHostName = mkOption {
      type = types.bool;
      default = false;
-      description = ''
+      description = lib.mdDoc ''
        Whether to manage hostname through nix options
        When false, the hostname is picked up from /etc/hostname
        populated by proxmox.
@ -68,8 +68,6 @@ with lib; {
        loader.initScript.enable = true;
      };
      console.enable = true;
      networking = mkIf (!cfg.manageNetwork) {
        useDHCP = false;
        useHostResolvConf = false;
@ -83,14 +81,13 @@ with lib; {
        startWhenNeeded = mkDefault true;
      };
-      systemd = {
+      systemd.mounts =
-        mounts = mkIf (!cfg.privileged) [
+        mkIf (!cfg.privileged)
        [
          {
            enable = false;
            where = "/sys/kernel/debug";
            enable = false;
          }
        ];
        services."getty@".unitConfig.ConditionPathExists = ["" "/dev/%I"];
      };
    };
 }
--- a/applications/restic.nix
+++ b/applications/restic.nix
@ -83,6 +83,9 @@ with lib; let
  ));
 in {
  imports = [
    ./dns.nix
    ./nginx.nix
    ./acme.nix
  ];
  # using https://github.com/greaka/ops/blob/818be4c4dea9129abe0f086d738df4cb0bb38288/apps/restic/options.nix as a base
@ -142,6 +145,20 @@ in {
        default = false;
      };
    };
    nuked = {
      enable = mkEnableOption "Nuked Backup server";
      port = mkOption {
        type = types.port;
        default = 8765;
      };
      appendOnly = mkOption {
        type = types.bool;
        default = false;
      };
    };
  };
  config = mkMerge [
@ -195,5 +212,58 @@ in {
        }
      ];
    })
    # restic -r rest:https://skynet:testing@nuked.skynet.ie/ init
    (mkIf cfg.nuked.enable {
      assertions = [
        {
          assertion = !cfg.server.enable;
          message = "Our backup and Nuked backup cannot co-exist";
        }
      ];
      services.skynet.acme.domains = [
        "nuked.skynet.ie"
      ];
      services.skynet.dns.records = [
        {
          record = "nuked";
          r_type = "CNAME";
          value = config.services.skynet.host.name;
        }
      ];
      services.nginx.virtualHosts = {
        "nuked.skynet.ie" = {
          forceSSL = true;
          useACMEHost = "skynet";
          locations."/" = {
            proxyPass = "http://${config.services.restic.server.listenAddress}";
            proxyWebsockets = true;
          };
        };
      };
      networking.firewall.allowedTCPPorts = [
        cfg.nuked.port
      ];
      age.secrets.restic_pw = {
        file = ../secrets/backup/nuked.age;
        path = "${config.services.restic.server.dataDir}/.htpasswd";
        symlink = false;
        mode = "770";
        owner = "restic";
        group = "restic";
      };
      services.restic.server = {
        enable = true;
        listenAddress = "${config.services.skynet.host.ip}:${toString cfg.server.port}";
        appendOnly = cfg.nuked.appendOnly;
        privateRepos = true;
      };
    })
  ];
 }
--- a/applications/skynet.ie/skynet.ie.nix
+++ b/applications/skynet.ie/skynet.ie.nix
@ -10,11 +10,8 @@ with lib; let
  cfg = config.services.skynet."${name}";
 in {
  imports = [
-    # import in past website versions, available at $year.skynet.ie
+    ./acme.nix
-    # at teh end of teh year add it here
+    ./dns.nix
    (import ./old_site.nix {year = "2023";})
    (import ./old_site.nix {year = "2017";})
    (import ./old_site.nix {year = "2009";})
  ];
  options.services.skynet."${name}" = {
@ -23,8 +20,11 @@ in {
  config = mkIf cfg.enable {
    services.skynet.acme.domains = [
      # the root one is already covered by teh certificate
      "2016.skynet.ie"
      "discord.skynet.ie"
      "public.skynet.ie"
      "renew.skynet.ie"
    ];
    services.skynet.dns.records = [
@ -34,6 +34,11 @@ in {
        r_type = "A";
        value = config.services.skynet.host.ip;
      }
      {
        record = "2016";
        r_type = "CNAME";
        value = config.services.skynet.host.name;
      }
      {
        record = "discord";
        r_type = "CNAME";
@ -44,6 +49,11 @@ in {
        r_type = "CNAME";
        value = config.services.skynet.host.name;
      }
      {
        record = "renew";
        r_type = "CNAME";
        value = config.services.skynet.host.name;
      }
    ];
    services.nginx = {
@ -53,7 +63,9 @@ in {
          forceSSL = true;
          useACMEHost = "skynet";
          locations = {
-            "/".root = "${inputs.skynet_website.defaultPackage."x86_64-linux"}";
+            "/" = {
              root = "${inputs.skynet_website.defaultPackage."x86_64-linux"}";
            };
            # this redirects old links to new format
            "~* ~(?<username>[a-z_0-9]*)(?<files>\\S*)$" = {
@ -63,6 +75,13 @@ in {
          };
        };
        # archive of teh site as it was ~2012 to 2016
        "2016.skynet.ie" = {
          forceSSL = true;
          useACMEHost = "skynet";
          root = "${inputs.skynet_website_2016.defaultPackage."x86_64-linux"}";
        };
        # a custom discord url, because we are too cheap otehrwise
        "discord.skynet.ie" = {
          forceSSL = true;
@ -76,6 +95,13 @@ in {
          root = "${inputs.compsoc_public.packages.x86_64-linux.default}";
          locations."/".extraConfig = "autoindex on;";
        };
        # for alumni members to renew their account
        "renew.skynet.ie" = {
          forceSSL = true;
          useACMEHost = "skynet";
          root = "${inputs.skynet_website_renew.defaultPackage."x86_64-linux"}";
        };
      };
    };
  };
--- a/applications/skynet.ie/old_site.nix
+++ b/applications/skynet.ie/old_site.nix
@ -1,34 +0,0 @@
 {year}: {
  config,
  pkgs,
  lib,
  inputs,
  ...
 }:
 with lib; {
  imports = [];
  config = {
    services.skynet.acme.domains = [
      "${year}.skynet.ie"
    ];
    services.skynet.dns.records = [
      {
        record = year;
        r_type = "CNAME";
        value = config.services.skynet.host.name;
      }
    ];
    services.nginx = {
      virtualHosts = {
        "${year}.skynet.ie" = {
          forceSSL = true;
          useACMEHost = "skynet";
          root = "${inputs."skynet_website_${year}".defaultPackage."x86_64-linux"}";
        };
      };
    };
  };
 }
--- a/applications/skynet.ie/wiki.nix
+++ b/applications/skynet.ie/wiki.nix
@ -1,64 +0,0 @@
 {
  config,
  pkgs,
  lib,
  inputs,
  ...
 }:
 with lib; let
  name = "wiki";
  cfg = config.services.skynet."${name}";
 in {
  imports = [
  ];
  options.services.skynet."${name}" = {
    enable = mkEnableOption "Skynet Wiki";
  };
  config = mkIf cfg.enable {
    services.skynet.acme.domains = [
      "renew.skynet.ie"
      "wiki.skynet.ie"
    ];
    services.skynet.dns.records = [
      {
        record = "renew";
        r_type = "CNAME";
        value = config.services.skynet.host.name;
      }
      {
        record = "wiki";
        r_type = "CNAME";
        value = config.services.skynet.host.name;
      }
    ];
    services.nginx = {
      virtualHosts = {
        "wiki.skynet.ie" = {
          forceSSL = true;
          useACMEHost = "skynet";
          root = "${inputs.skynet_website_wiki.defaultPackage."x86_64-linux"}";
          # https://stackoverflow.com/a/38238001/11964934
          extraConfig = ''
            location / {
              if ($request_uri ~ ^/(.*)\.html) {
                return 302 /$1;
              }
              try_files $uri $uri.html $uri/ =404;
            }
          '';
        };
        # redirect old links to the new wiki
        "renew.skynet.ie" = {
          forceSSL = true;
          useACMEHost = "skynet";
          locations."/".return = "307 https://wiki.skynet.ie";
        };
      };
    };
  };
 }
--- a/applications/skynet_users.nix
+++ b/applications/skynet_users.nix
@ -11,6 +11,9 @@ with lib; let
  php_pool = name;
 in {
  imports = [
    ./acme.nix
    ./dns.nix
    ./nginx.nix
  ];
  options.services.skynet."${name}" = {
@ -18,10 +21,7 @@ in {
  };
  config = {
-    # we havea  more limited ports range on the skynet server
+    # ssh access
    services.skynet.prometheus.ports = {
      node = 9000;
    };
    # allow more than admins access
    services.skynet.ldap_client = {
@ -85,20 +85,6 @@ in {
    };
    services.nginx.virtualHosts = {
      "outinul.ie" = {
        forceSSL = true;
        enableACME = true;
        locations = {
          "/" = {
            alias = "/home/outinul/public_html/";
            index = "index.html";
            extraConfig = ''
              autoindex on;
            '';
            tryFiles = "$uri$args $uri$args/ /index.html";
          };
        };
      };
      # main site
      "*.users.skynet.ie" = {
        forceSSL = true;
--- a/applications/ulfm.nix
+++ b/applications/ulfm.nix
@ -9,6 +9,10 @@ with lib; let
  cfg = config.services.skynet."${name}";
 in {
  imports = [
    ./acme.nix
    ./dns.nix
    ./firewall.nix
    ./nginx.nix
  ];
  options.services.skynet."${name}" = {
--- a/config/dns.nix
+++ b/config/dns.nix
@ -1,24 +1,35 @@
 {lib, ...}: {
  imports = [
    # Paths to other modules.
    # Compose this module out of smaller ones.
  ];
  # this needs to mirror ../applications/dns.nix
  options.skynet.records = lib.mkOption {
    description = "Records, sorted based on therir type";
-    type = lib.types.listOf (lib.types.submodule (import ../applications/dns/options-records.nix {
+    type = with lib.types;
-      inherit lib;
+      listOf (submodule {
-    }));
+        options = {
          record = lib.mkOption {
            type = str;
          };
          r_type = lib.mkOption {
            type = enum ["A" "CNAME" "TXT" "PTR" "SRV" "MX"];
          };
          value = lib.mkOption {
            type = str;
          };
          server = lib.mkOption {
            description = "Core record for a server";
            type = bool;
            default = false;
          };
        };
      });
  };
  config = {
-    skynet.records =
+    skynet.records = [
      [
        # wifi in server room
        {
          record = "ash";
          r_type = "A";
          value = "193.1.99.114";
          server = true;
        }
      {
        record = "optimus";
        r_type = "A";
@ -44,7 +55,7 @@
      {
        record = "_minecraft._tcp.minecraft.compsoc.games.skynet.ie.";
        r_type = "SRV";
-          value = "0 10 25518 bumblebee.skynet.ie.";
+        value = "0 10 25518 minecraft.compsoc.games.skynet.ie.";
      }
      {
        record = "minecraft-classic.compsoc.games";
@ -54,7 +65,7 @@
      {
        record = "_minecraft._tcp.minecraft-classic.compsoc.games.skynet.ie.";
        r_type = "SRV";
-          value = "0 10 25518 bumblebee.skynet.ie.";
+        value = "0 10 25520 minecraft-classic.compsoc.games.skynet.ie.";
      }
      {
        record = "minecraft.gsoc.games";
@ -64,7 +75,7 @@
      {
        record = "_minecraft._tcp.minecraft.gsoc.games.skynet.ie.";
        r_type = "SRV";
-          value = "0 10 25521 bumblebee.skynet.ie.";
+        value = "0 10 25521 minecraft.gsoc.games.skynet.ie.";
      }
      {
        record = "minecraft.phildeb.games";
@ -74,39 +85,7 @@
      {
        record = "_minecraft._tcp.minecraft.phildeb.games.skynet.ie.";
        r_type = "SRV";
-          value = "0 10 25522 bumblebee.skynet.ie.";
+        value = "0 10 25522 minecraft.phildeb.games.skynet.ie.";
        }
        {
          record = "minecraft-aged.compsoc.games";
          r_type = "CNAME";
          value = "bumblebee";
        }
        {
          record = "_minecraft._tcp.minecraft-aged.compsoc.games.skynet.ie.";
          r_type = "SRV";
          value = "0 10 25519 bumblebee.skynet.ie.";
        }
      ]
      # non skynet domains
      ++ [
        {
          domain = "conradcollins.net";
          record = "www";
          r_type = "CNAME";
          value = "skynet.skynet.ie.";
        }
        {
          domain = "edelharty.net";
          record = "www";
          r_type = "CNAME";
          value = "skynet.skynet.ie.";
        }
        {
          domain = "damienconroy.com";
          record = "www";
          r_type = "CNAME";
          value = "skynet.skynet.ie.";
      }
    ];
  };
--- a/config/users.nix
+++ b/config/users.nix
@ -1,11 +1,6 @@
-{
+{lib, ...}:
  lib,
  config,
  ...
 }:
 with lib; let
  port_backend = "8087";
  cfg = config.skynet.users;
 in {
  options.skynet = {
    users = {
@ -49,37 +44,29 @@ in {
  config.skynet = {
    users = {
-      committee = lib.lists.unique (
+      committee = [
        # Committee - Core
        [
        "silver"
        "eoghanconlon73"
          "nanda"
          "emily1999"
          "dgr"
        ]
        # Committee - OCM
        ++ [
        "sidhiel"
        "maksimsger1"
        "kaiden"
        "pine"
        "nanda"
        "sourabh1805"
        "kronsy"
        "skyapples"
-          "eliza"
+      ];
          "amymucko"
          "archiedms"
        ]
        # Committee - SISTEM
        ++ [
          "peace"
        ]
        # Admins are part of Committee as well
        ++ cfg.admin
      );
      admin = [
        "silver"
        "evanc"
        "eoghanconlon73"
        "eliza"
        "esy"
      ];
-      trainee = [];
+      trainee = [
        "milan"
        "kronsy"
      ];
      lifetime = [];
      banned = [];
--- a/flake.lock
+++ b/flake.lock
--- a/flake.nix
+++ b/flake.nix
@ -7,55 +7,76 @@
    # Return to using unstable once the current master is merged in
    # nixpkgs.url = "nixpkgs/nixos-unstable";
    lix-module = {
      url = "https://git.lix.systems/lix-project/nixos-module/archive/2.91.1-1.tar.gz";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    # utility stuff
    flake-utils.url = "github:numtide/flake-utils";
    agenix.url = "github:ryantm/agenix";
    arion.url = "github:hercules-ci/arion";
    alejandra = {
-      url = "github:kamadorueda/alejandra";
+      url = "github:kamadorueda/alejandra/3.0.0";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    colmena.url = "github:zhaofengli/colmena";
    attic.url = github:zhaofengli/attic;
-    # we host our own
+    # email
    # simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver";
    simple-nixos-mailserver = {
      inputs.nixpkgs.follows = "nixpkgs";
-      url = "git+https://forgejo.skynet.ie/Skynet/misc_nixos-mailserver";
+      type = "gitlab";
      host = "gitlab.skynet.ie";
      owner = "compsoc1%2Fskynet";
      repo = "misc%2Fnixos-mailserver";
    };
-    ######################
+    # account.skynet.ie
-    ### skynet backend ###
+    skynet_ldap_backend = {
-    ######################
+      type = "gitlab";
-    skynet_ldap_backend.url = "git+https://forgejo.skynet.ie/Skynet/ldap_backend";
+      host = "gitlab.skynet.ie";
-    skynet_ldap_frontend.url = "git+https://forgejo.skynet.ie/Skynet/ldap_frontend";
+      owner = "compsoc1%2Fskynet";
-    skynet_website_wiki.url = "git+https://forgejo.skynet.ie/Skynet/wiki";
+      repo = "ldap%2Fbackend";
-    skynet_website_games.url = "git+https://forgejo.skynet.ie/Skynet/website_games";
+    };
-    skynet_discord_bot.url = "git+https://forgejo.skynet.ie/Skynet/discord-bot";
+    skynet_ldap_frontend = {
-
+      type = "gitlab";
-    #####################
+      host = "gitlab.skynet.ie";
-    ### compsoc stuff ###
+      owner = "compsoc1%2Fskynet";
-    #####################
+      repo = "ldap%2Ffrontend";
-    compsoc_public.url = "git+https://forgejo.skynet.ie/Computer_Society/presentations_compsoc";
+    };
-
+    skynet_website = {
-    #################
+      type = "gitlab";
-    ### skynet.ie ###
+      host = "gitlab.skynet.ie";
-    #################
+      owner = "compsoc1%2Fskynet";
-
+      repo = "website%2F2023";
-    # this should always point to teh current website
+    };
-    skynet_website.url = "https://forgejo.skynet.ie/Skynet/website_2017/archive/main.tar.gz";
+    skynet_website_2016 = {
-
+      type = "gitlab";
-    # these are past versions of teh website
+      host = "gitlab.skynet.ie";
-    skynet_website_2023.url = "https://forgejo.skynet.ie/Skynet/website_2017/archive/c4d61c753292bf73ed41b47b1607cfc92a82a191.tar.gz";
+      owner = "compsoc1%2Fskynet";
-    # this is not 100% right since this is from teh archive from 2022 or so
+      repo = "website%2F2016";
-    skynet_website_2017.url = "https://forgejo.skynet.ie/Skynet/website_2017/archive/edd922c5b13fa1f520e8e265a3d6e4e189852b99.tar.gz";
+    };
-
+    skynet_website_renew = {
-    # this is more of 2012 than 2009 but started in 2009
+      type = "gitlab";
-    skynet_website_2009.url = "https://forgejo.skynet.ie/Skynet/website_2009/archive/main.tar.gz";
+      host = "gitlab.skynet.ie";
      owner = "compsoc1%2Fskynet";
      repo = "website%2Falumni-renew";
    };
    skynet_website_games = {
      type = "gitlab";
      host = "gitlab.skynet.ie";
      owner = "compsoc1%2Fskynet";
      repo = "website%2Fgames.skynet.ie";
    };
    skynet_discord_bot = {
      type = "gitlab";
      host = "gitlab.skynet.ie";
      owner = "compsoc1%2Fskynet";
      repo = "discord-bot";
    };
    compsoc_public = {
      type = "gitlab";
      host = "gitlab.skynet.ie";
      owner = "compsoc1%2Fcompsoc";
      repo = "presentations%2Fpresentations";
    };
  };
  nixConfig = {
@ -95,7 +116,7 @@
          overlays = [];
        };
        specialArgs = {
-          inherit inputs self;
+          inherit inputs;
        };
      };
@ -144,8 +165,7 @@
      # Public Services
      calculon = import ./machines/calculon.nix;
-      # metrics
+      deepthought = import ./machines/deepthought.nix;
      ariia = import ./machines/ariia.nix;
    };
  };
 }
--- a/machines/_base.nix
+++ b/machines/_base.nix
@ -18,11 +18,23 @@ in {
    # for the secrets
    inputs.agenix.nixosModules.default
-    # base application config for all servers
+    # base config for all servers
    ../applications/_base.nix
-    #
+    # every sever may need the firewall config stuff
-    inputs.lix-module.nixosModules.default
+    ../applications/firewall.nix
    # every sever needs to have a dns record
    ../applications/dns.nix
    # every server needs teh ldap client for admins
    ../applications/ldap/client.nix
    # every server will need the config to backup to
    ../applications/restic.nix
    # every server will be monitored for grafana
    ../applications/prometheus.nix
  ];
  options.skynet = {
@ -120,20 +132,19 @@ in {
    # https://discourse.nixos.org/t/systemd-networkd-wait-online-934764-timeout-occurred-while-waiting-for-network-connectivity/33656/9
    systemd.network.wait-online.enable = false;
-    environment.systemPackages = with pkgs; [
+    environment.systemPackages = [
      # for flakes
-      git
+      pkgs.git
      git-lfs
      # useful tools
-      ncdu_2
+      pkgs.ncdu_2
-      htop
+      pkgs.htop
-      nano
+      pkgs.nano
-      nmap
+      pkgs.nmap
-      bind
+      pkgs.bind
-      zip
+      pkgs.zip
-      traceroute
+      pkgs.traceroute
-      openldap
+      pkgs.openldap
-      screen
+      pkgs.screen
    ];
  };
 }
--- a/machines/ariia.nix
+++ b/machines/ariia.nix
@ -1,47 +0,0 @@
 /*
 Name:     https://en.wikipedia.org/wiki/Eagle_Eye
 Why:      ARIIA - Autonomous Reconnaissance Intelligence Integration Analyst
 Type:     VM
 Hardware: -
 From:     2024
 Role:     Metrics gathering and Analysis
 Notes:
 */
 {
  config,
  pkgs,
  lib,
  nodes,
  ...
 }: let
  # name of the server, sets teh hostname and record for it
  name = "ariia";
  ip_pub = "193.1.99.83";
  hostname = "${name}.skynet.ie";
  host = {
    ip = ip_pub;
    name = name;
    hostname = hostname;
  };
 in {
  imports = [
    ../applications/grafana.nix
  ];
  deployment = {
    targetHost = hostname;
    targetPort = 22;
    targetUser = null;
    tags = ["active-core"];
  };
  services.skynet = {
    host = host;
    backup.enable = true;
    prometheus.server.enable = true;
    grafana.enable = true;
  };
 }
--- a/machines/deepthought.nix
+++ b/machines/deepthought.nix
@ -0,0 +1,42 @@
 /*
 Name:     https://hitchhikers.fandom.com/wiki/Deep_Thought
 Why:      Our home(page)
 Type:     VM
 Hardware: -
 From:     2023
 Role:     Public Backup
 Notes:
 */
 {
  pkgs,
  lib,
  nodes,
  inputs,
  ...
 }: let
  name = "deepthought";
  ip_pub = "193.1.99.112";
  hostname = "${name}.skynet.ie";
  host = {
    ip = ip_pub;
    name = name;
    hostname = hostname;
  };
 in {
  imports = [
  ];
  deployment = {
    targetHost = ip_pub;
    targetPort = 22;
    targetUser = null;
    tags = ["active-core"];
  };
  services.skynet = {
    host = host;
    backup.nuked.enable = true;
  };
 }
--- a/machines/earth.nix
+++ b/machines/earth.nix
@ -25,8 +25,7 @@ Notes:
  };
 in {
  imports = [
-    ../applications/skynet.ie/skynet.ie.nix
+    ../applications/skynet.ie.nix
    ../applications/skynet.ie/wiki.nix
  ];
  deployment = {
@ -41,6 +40,5 @@ in {
    host = host;
    backup.enable = true;
    website.enable = true;
    wiki.enable = true;
  };
 }
--- a/machines/glados.nix
+++ b/machines/glados.nix
@ -26,8 +26,7 @@ Notes:    Each user has roughly 20gb os storage
  };
 in {
  imports = [
-    ../applications/git/gitlab.nix
+    ../applications/gitlab.nix
    ../applications/git/forgejo.nix
  ];
  deployment = {
@ -42,6 +41,5 @@ in {
    host = host;
    backup.enable = true;
    gitlab.enable = true;
    forgejo.enable = true;
  };
 }
--- a/machines/kitt.nix
+++ b/machines/kitt.nix
@ -31,6 +31,8 @@ in {
    ../applications/discord.nix
    ../applications/bitwarden/vaultwarden.nix
    ../applications/bitwarden/bitwarden_sync.nix
    ../applications/grafana.nix
    ../applications/prometheus.nix
  ];
  deployment = {
@ -54,5 +56,7 @@ in {
    # committee/admin services
    vaultwarden.enable = true;
    prometheus.server.enable = true;
    grafana.enable = true;
  };
 }
--- a/machines/retired/ash.nix
+++ b/machines/retired/ash.nix
@ -22,6 +22,9 @@ Notes:    Thius vpn is for admin use only, to give access to all the servers via
  hostname = ip_pub;
 in {
  imports = [
    # applications for this particular server
    ../applications/firewall.nix
    ../applications/dns.nix
  ];
  deployment = {
--- a/machines/wheatly.nix
+++ b/machines/wheatly.nix
@ -25,7 +25,7 @@ Notes:
  };
 in {
  imports = [
-    ../applications/git/forgejo_runner.nix
+    ../applications/gitlab_runner.nix
  ];
  deployment = {
@ -39,6 +39,10 @@ in {
  services.skynet = {
    host = host;
    backup.enable = true;
-    forgejo_runner.enable = true;
+
    gitlab_runner = {
      enable = true;
      runner.name = "runner01";
    };
  };
 }
--- a/.mailmap
+++ b/.mailmap
--- a/secrets/backup/nuked.age
+++ b/secrets/backup/nuked.age
@ -0,0 +1,17 @@
 age-encryption.org/v1
 -> ssh-ed25519 V1pwNA dgJJTGIzBXLeK17bfgeYeXXN5YrByBOTbhyIkx+Z2TI
 zgujS6RYpXEzbUYZc1DRz0RlWAGurFNzAJnE4j4zhjY
 -> ssh-ed25519 4PzZog U7EUVcL+2Acv3mBpz88t2ZwVJm4YyNlwXzXpSkZfjk8
 LKQqiFcJ3pIWJG5DSbBbcEzg0dIPFOfiwcKCuR2zfhA
 -> ssh-ed25519 5Nd93w Rsjby+9wJr4PnaixDgUk32319SnfJCxgnC8fQ9Gc0yM
 7jmxPtgrIZ9ZF5c04bMzgYBLLPoqKFfwmU/qG6hF+9s
 -> ssh-ed25519 q8eJgg p5+dL0VBijPOTihOZuDQdE/yLQA+BHlEVSq12gRaizw
 MzQcGLTaUhgarzvJ7h/XfHIyPUb+i6YkbgkbvhOONEo
 -> ssh-ed25519 KVr8rw W9+d0ot3036q0YPNYaY1MS/4EiTU0MnLmq56dvUamE0
 wuIORoGvEG8lqrirf07ycIHawiw/DsjvTUwZrIEjSjk
 -> ssh-ed25519 fia1eQ c5cadKGZlONyUKivzegA+swGqgpb8oLDe5bk7Sb8XBI
 NNrb+ezMjYuKkaDUGumflNYrKPzxnPULoMslxH5/bFI
 -> ssh-ed25519 DVzSig 6uvtkJC55iEwnCPZGAqMrLzW+IuHX9YDhtCX3eHtxkA
 JNmstGPHqh2if+C4j1S19v2bCpbib+Wthp/OCusCSc8
 --- teGaaxnvHxEkKCtyNsBV/yhl3Ohn9BD3nfjl6jq3OcM
 ³Êb_Â^ìòõŠ<C3B5>aX¹&6LFîœ…Ào8Ë˜¯œC.ƒ ~ÿˆŽœž—k3âÃî;¯1Ž²”Iôd*
ÚûV®Ïƒj¦áÖùñÅí?D©´Õd%buš^Øa"Q2„<m<>oãm©œc6Ò¹‚5!…HÂé8Žj9Ä <C384>1º»þ‘àT›@½Îoíâ‹vÂœ¦ß<>&E„áÅË(èˆH©n®}³ÞQÉhe5JãfàåÓ\.,~X<isÅpŽpÆkøb ‘ÿp8aÒfÞ†½0ˆ*‘n¦›»0ù;Øy:hl
--- a/secrets/backup/restic.age
+++ b/secrets/backup/restic.age
--- a/secrets/backup/restic_pw.age
+++ b/secrets/backup/restic_pw.age
@ -1,19 +1,18 @@
 age-encryption.org/v1
-> ssh-ed25519 V1pwNA d/AgQuQidsB5+UMBxg3/YIA/4EVMF9+BeZrEMzgU52Y
+-> ssh-ed25519 V1pwNA Q6fzzE0ZuVtBGR3fFnmw45hrQU/vKj2y2aEzYA2cvAs
-gPmTDd4oeIwwJ5ZdnWp/s6cEupsYPY08TBvmL5fe3NE
+c0A5Ieu188qIE3QKvC+6DqjDxAC4HqfBUbPu3m72NTA
-> ssh-ed25519 4PzZog iR02KGER5WMrs4djPPpMRc3v5qN5FpcpjTkB+O4GyV0
+-> ssh-ed25519 4PzZog AzQaulqa+X3fxgk/sP5jjFfPGAPMzGlbacGIQdKpSxs
-ibvzSePq1ruF03QBsHRr40VCZ6ZcnWjvcJzybB5vt4g
+d5OgkPftJ8wqrMlfGcxLld+DWVQ58/SvXGOmPj79SUQ
-> ssh-ed25519 dA0vRg pVsTTA9yknN8gl6K/CkY/HnUc8eW1F/pSqXq/Upq3SE
+-> ssh-ed25519 5Nd93w u+Fu4cNNKnHht6Gj8NgCK96U8SL4h+hFv9SZ+DSMrGg
-3ymQH0jBAk9ktwBUvth8G9ZdDzr9Ozqi9YNVB8fyvGE
+zy6Jf8ZBInhOVDuFuFAZso6KJl8gLlklqWCayPqb14w
-> ssh-ed25519 5Nd93w fSPTiW3c4va0F5IYoFF+QoN4u1tFGRBrMO9lypICiXo
+-> ssh-ed25519 q8eJgg s6jAIb95QqWDKGEx2lbnJruSfp6mgERcI2SzTip+Gnw
-8MgZPPUXJGGOdmGknXhaV0xgJl76dg9B1e5r0Ud/iW8
+IHPOcqeagr79owKNqyk9dLjz5Qz1fQ1A/vOxt+NPlu4
-> ssh-ed25519 q8eJgg UFiK3B6YB3YR8fVOWOPLlpGuo5pWpK6b7zteIngC2Cc
+-> ssh-ed25519 KVr8rw VO/YREcq6mknjN2JdAr3GWg91Hml4k1Ojx1tUMXAXks
-K+e9B1V7AdimOMdy7YCJ7tJnHsHoQChAmWmOJDIdwMU
+1BhUi7kRCZV+c9TROQIFeNt2WSL9Xa14J40vo/qyJ70
-> ssh-ed25519 KVr8rw FeMibaL1ITDNByDL26VRXVz6d2FP13SpKoN87RgTYDo
+-> ssh-ed25519 fia1eQ w6T0/iajXe7pgvX75tm/94HueS6OlKlXAo3IgIIlcm0
-e0LPmpAe9wRRvgKTYq96Qk+WiUhfixiatuWPPi72Nlk
+Cun2Xmb7fbXCg18lLmsdhqViEG8lqOAGGoghJlvunu0
-> ssh-ed25519 fia1eQ i5+7lIZDOm48wywy6CRMOLVhHWnmV71WM0QLSbyhqV4
+-> ssh-ed25519 3pl/Kw cpVAh+pifXN3ohww8TqmyCrCRWU06OAPPdLX/5DBUwo
-S5nAEPHEmAn3AGxN04FpVKwVHrWtZS2s/dPeVv4ryCE
+GQ7xCXSJp6nwGymXD+9AqeZC7ScJl4a/A/2XWQzKbA
-> ssh-ed25519 3pl/Kw Mhc4y4szabQQaeBWtZ7mVdDnZYRwtninrBhcyHoUm24
+--- GhvvZMgI8VzeGNtLQ+EUIPYpR6EgLpxiuxn9Upu6o7g
-lQpLgpgU0ak9WDQIJxd5Yz/DUe14szLvsUGxAil+5dk
+ðKihãPSëÔd~p‹{%<25>Pàbªc•£„ã't«kÀÙ?[e0¤þbþë
--- eUzkrzEEXETs3FXa2YqSW4yqQiRLFC8Umr1D+Bq334c
+éŠ<EFBFBD>{<7B>ÚÆ&$tWŠë.<2E>œ"ûÆX˜f¥\-‹vIýL{]”óõš¡Õ1;ûúüU¦<55>
 Ú™Ø¡m“	}ïÁý9Ž.›û‚”I^éY%Kcö¨SšÒÈ®#ö¤hVó„Á{þ7Z'i¸<¡Z#–s<E28093>íÆ<C3AD>šs.	Þ<>„zÒIW=†WÀuþ7Ï±ÚàX
--- a/secrets/bitwarden/details.age
+++ b/secrets/bitwarden/details.age
--- a/secrets/bitwarden/id.age
+++ b/secrets/bitwarden/id.age
@ -1,19 +1,17 @@
 age-encryption.org/v1
-> ssh-ed25519 V1pwNA xqavLiNuEoc7Gn7MchvoSEC2RrsFDrf9MEGFYVf5vEs
+-> ssh-ed25519 V1pwNA abYqfp05DkkiK7wdTOn+E9+FU9iX8y/UcoVNUJQ1wwQ
-ZwOkERtRi8yxlZ6sUl+mzJ+YFw/h82vV0WzhRjQOTo0
+BLIH6HkjumaaeKntAMm5BXC4ADfqLRh3vsq26gVB470
-> ssh-ed25519 4PzZog eiC4yLeOytE1jTUaQDOxtVHsM2jJAvGLrI75XJXRCSA
+-> ssh-ed25519 4PzZog gNCidb7IlrQLJah7iqpLKLFzlhe/4RLk5hexSq96My0
-HJg+GqSKlXld1uB2WPTM28XEygsm3+4iObC7SCMWl8c
+ynnNvbbit8U8CNel3cBEeel006ftNPArV+oAFNdmv/4
-> ssh-ed25519 dA0vRg rStUstoZRf0i7Ot/0Gn6zd1cQMQjDlLQ8ScEIM3XMXE
+-> ssh-ed25519 5Nd93w YnGe4yzhVDQD1z7Mq58KgnF2GJjkBLyiOZBmCygazRU
-PR2UGWuO5VOBVee3bndRxipU/m2ZRXMo0HQkX8pvTyk
+dZg81Rb+XSoeho2Xbth+pIza+6F4TbAuN6s5BbP1OLM
-> ssh-ed25519 5Nd93w hn5Oo+ZoIG+UwAb/DUUJmkDcey35fG5WDBgbe494T2s
+-> ssh-ed25519 q8eJgg H9L5QhInkMWBndRYQHIQTmuMVBrMtaXqCrpEXV/hpBE
-TxUgeQb8UdxlowGV1/j2Tr7DTNqc6d56NGaFGZfeidQ
+QL24qbdGbfdmv2bgS1uYjRHB5fKPrfmbmMidjI9dEIg
-> ssh-ed25519 q8eJgg vcWProg0hXGuIRVWXpFSzyS4Ei4YHSdq17A08avwCmI
+-> ssh-ed25519 KVr8rw GqmHdNfgOFKcZ6+zxKDWg/ImAVEXHTSpzDmBe8f/vmo
-4iKGWyyGfCKEliEa/9r8y+D5LsyLglFvcUeXyzO+FCg
+4u2ek5DHeDuBizYx0nRee02Gf6492fjWM8U7/HL2XwQ
-> ssh-ed25519 KVr8rw 2kNscJDgyfKH6WrfSKWnX5dgRM0Kk7FztGhoJ89VUWw
+-> ssh-ed25519 fia1eQ zYA2FI8k6675UAQn1AlwWzPV5e52dAmv/ESDFMmSQlA
-/biNgciz7/fDOyY6GfwEI57ESdUyRwmKaI4OG5pJs20
+rup+vtydMspXXeQQ9In4s0HQnBNY4IvqRIlIdKPVaZk
-> ssh-ed25519 fia1eQ lv06SnwwoBlmG4AVAeNpeIFgISkt6FktNuRq+P0eJgs
+-> ssh-ed25519 IzAMqA QOiOSUOx76IICb8rSo0OxTtyZnyyA8nZ/pvuDZcVfUI
-VX8O0FYWrEyBVR13t8AkvIq1VpwFdkMX+wBUQHBzXPI
+vDUSgB6dfzKNIpA4/0PbvJ/KzcVgW9l5KqqV6rKbyhM
-> ssh-ed25519 IzAMqA b0DnkDgWeERguN/u9wgiBB1sbxHaMXmMZdPOJ14/UDg
+--- 7Lo9nyTOtFbzsGyr/5Kanvj+yoszus8bUMWquX2rG90
-tmKw26Fs6iKbVq7BBK60UoQSjykp4BzLW59/ZbbD0hw
+¡Çä4†ª+¡¦ÂÐQÍ–BFY2°“$žÄ8sñ¼Ñ„qš.U¾È<C2BE>ª5õ<35>†â–Q·yKëog§ „8^ÏËhîú.±=<3D>ÎæŸ³ŒÉE
 --- rR+hloCeC8YmoV34TBL7hLk/4CSfmYKwtAbmtUjHvKE
 <EFBFBD>7ü¶RHSIÎ”C#‡Ä/ù:öH•ôImId÷ëójkõlàa˜Ñlõb\ƒL¶²¬6Ø¥†/ôPÜ¢+cº÷’U‰MÅYt©
--- a/secrets/bitwarden/secret.age
+++ b/secrets/bitwarden/secret.age
--- a/secrets/discord/ldap.age
+++ b/secrets/discord/ldap.age
@ -1,26 +1,23 @@
 age-encryption.org/v1
-> ssh-ed25519 V1pwNA 6NKUbOSUbwVjzW/ZUpl8qEiUTTegFlji4+tVJyqY3SE
+-> ssh-ed25519 V1pwNA FJbuXA9iZkVimh/bRdl2MnswKZpHkF6HmIqG/cmE62s
-fRQvaKnLMkVBboTEriQpWlGY9VBAP3ppsEbAB2QTScs
+2vP3FNg2f1ijAMwWGcLa7aZQD7/Tq8iXwf6+/bMEgb8
-> ssh-ed25519 4PzZog mp/+b5LpB+DvRduqAZiKWqkZq6+tlyQgVTZz7Oge2Us
+-> ssh-ed25519 4PzZog 75e7m7A1i4/XjB+b9OozGjKttQ3VzJuoNwKV6z1xYB4
-OycqmZyDr3levWSfRFxypJOkITLDix0Q15Todya6BNc
+9/czRQ3V/Kb/8p9h3cdiXXbNBECeZfLLEWg8gR+WBE4
-> ssh-ed25519 dA0vRg yp/4LvS9DbdatHFWFsP5qhH8CP8Bs0IjVSenUtG4+Xs
+-> ssh-ed25519 5Nd93w Kier0iAHycxtmgq9n5Mq/eLR2akqKB2Z/JBA2ACjaE8
-hHiJEtl1ffYXltsJzuEMLGUl2i/i3pFzv4bjbx/cbOI
+HokkZ2jHa7DV6KqODEH5rF+YprwNwBIjLLFGbfXdkrc
-> ssh-ed25519 5Nd93w BTngmy4NGLGKhC8lPos63QEVBKoQT82KswQ22EypcQQ
+-> ssh-ed25519 q8eJgg cFNBrJQ1R4tDi4HTI/1lGEy44cjCDpnUXGYsXQ4daA4
-OCnJMkOwwXQVbtCitUizXM4nynC6a1tiPSkm7MxulWA
+GPJ3fX/AxxhUjvfnAJNREQDEGp/Bz4zvfiTWHD5bwMI
-> ssh-ed25519 q8eJgg NaEjVcDBVICRgXuJchEdE4vg3qmkNmJAbDDxLq1fX0M
+-> ssh-ed25519 KVr8rw hzHh/c9qM7v7eFFpvD/uvCcDD12kSaTabVVA8CKosgI
-YFwUmEPwJIik5YJ2SV5IAmqGlY+h24voJJlrBaoCBwA
+3bwDd/aWeYWmYf8b2ko4N37XXgTP5LeP98qYXSlaxwM
-> ssh-ed25519 KVr8rw ZnyVITZFkuozEs/rbTdxXDQNS3Nggo+JkBL1Icht2SM
+-> ssh-ed25519 fia1eQ gol262stWS/VMaXgAJNC/VK5QkNb/UHN8X2khm3PHFQ
-B4jVVts5lK1kIlOWMl0eiN7TpsTeJZWIu7NqildxeGE
+3eBj1/cUkTSNBGANSYp6S7IvMU+8dKKEtZxqo7kMzxY
-> ssh-ed25519 fia1eQ kvzARRScl/eypC2a5cY66sXcH+TZqz4sYg4W/k9iJxQ
+-> ssh-ed25519 IzAMqA Z70Jqsw7IR9vk4uLef56F1+YCQtK2YvDC950d+WVNHk
-Ga+4TVvXiQ6i5/+fgUQ3E5tJiLqdBsEsXjenXEpRV/A
+nXqGHPrbh3VS2DMToRKs9FxBsn8PftR6HTkeA2KXRLU
-> ssh-ed25519 IzAMqA 5sizvlhLhAhAR1bViHJtRJ8fAIO56TAuLVSOwE177QE
+-> ssh-ed25519 uZzB3g Zrc8idjRB+ZPHq9ScsCnXDqipGM83pio/V8mO6YYa0I
-b9oJ8BC2xiBjvc3D0H0EF7bSNDlpvIidyBCTf04ndJI
+JFVQ8V3Jkn8vxklAZzwGpmOcaKUd8QBDFO/+gAyb3Ug
-> ssh-ed25519 uZzB3g g9y66zNmQbqP6Rbhg2t06W3YOgy8DkRvJZbWVegT71s
+-> ssh-ed25519 Hb0ipQ Yhn/pwNTNmMdW3L2RV2MJECEYRlAzNTYztcA5MfRCjk
-2dH7E76tDMrWQJbLPefyORP66iaPHQnSjwu8NCdSyJo
+S3rkfwU9Nln8WFPSr102lX+H96wnHWVZa6z8upTRgvk
-> ssh-ed25519 Hb0ipQ azOzBLXfshInlFVpV0PzIBidL/VzA/+kKRXFFVD6ZF4
+-> ssh-ed25519 IzAMqA 8SVaC/2C2+xmeCP07Mu+/xGFSB1UXrIlVJ/i8YfQXUU
-iXBF/Wcv4KWo5qUXUlyimuo0l6aClKxOCtkm3MxAIBc
+y4mt/hZRuc0+5OXFs3VjYH/Q/nEACAd30YlyUyNzSqw
-> ssh-ed25519 IzAMqA EWitYyV8RsPIB6HEFE2OI/C1zcC6WfBEeDI62rGVmkk
+--- M8Emn3XUVeSu5qTgSbR7/93DjFawmR5iZ2qxQEJ9gd0
-Bk9tdSqIjLjat21J2LM8RXAt9GwdQxYdfPzqDtCjunE
+zg*õFŒô·ç½xÍ?¬7,¬ò”‘ïaƒ1'Ü¥ôtmR t[øVFÝl=ç+Mç¸îmáœ´ÙÑj;¿Ä”Fy6—O\î<>™Ó¬µ²Òªo=¹UG#%{®ÇÛoæÛ<²Àèi*à,RO;L2Oy¤ðŠð×NŠ”¡`g‰*î$‚yÄÜ’R]-õo¼böÑ05Q/ÂXˆýk[dE’Õ_…i	é’
åï+KP8Kÿ
 --- waY7j+HMEOdqEZs/TcLEhUY9gJs6ZSc51VNfuCmCxJ4
 Ý;dÙ9A‡vÔé±nq<“ê;TèáƒBØ‡$ÐGÌvï¯h
 »\^Žé§lÖ¯`š¼ÄÎ?l¸<0C>au~üÐ§×yâ[×šju²üvÂ;]!œ6Ëè±ãXIs4ÇŒ!Ù@ßÏ¶û¬‘|›úïª">eÈÿ[VVŠž´,ÿ5˜ý8N§¹Œh<04><>[ƒ×´ZD,zý&âñíó¡”õIØ>ŠØù¡<C3B9>|ÎézÉm
--- a/secrets/discord/token.age
+++ b/secrets/discord/token.age
--- a/secrets/dns_certs.secret.age
+++ b/secrets/dns_certs.secret.age
--- a/secrets/dns_dnskeys.conf.age
+++ b/secrets/dns_dnskeys.conf.age
@ -1,21 +1,19 @@
 age-encryption.org/v1
-> ssh-ed25519 V1pwNA +Ug8WtIQLZK1chInj0113Okqae8ImSdTvQYYDD558ig
+-> ssh-ed25519 V1pwNA QUveqW1V2eyNUoLz3VlbU1eoeKqpMhKhM3xidvLzmAc
-ao7w/Uow6sCtoqRDr3Y8NjuF6f9P62sKfx5+5+3yV8k
+ONNE8H73iwIqsGOugXQdeH12oro0eAU2qBgIMc6/OS0
-> ssh-ed25519 4PzZog KZwHoIkqMTVHcHma22+hG19oBgCNZ3zZ9fgs0i3NMx8
+-> ssh-ed25519 4PzZog oYUJKbA2TI8onEnEDLBLpRDqXBZlX4Wa5qk/vT165iY
-hxgtsHVx2KATvEQM790y7foAaWVBFnqXz72CovkbcyU
+J9LPEQfwudit3Fa7Po4tR+ZGMGJEVAL6QWD8S2pVeXk
-> ssh-ed25519 dA0vRg QORz3gYpB5PiM5Dgm4s2JNyJSBFTzY15tlC0JNMtoTE
+-> ssh-ed25519 5Nd93w r3fH+siDMDiuo7MAYUzxpcCk+SM/kY/cL/ndRWn4OhA
-1AuUbuw4YSoyly/iHY2DGBOhRijWoXjsFfFM1pKKlUY
+zPQrQS9E7narD++03B1ECfz3w7Wtckbk3nC002GkjD0
-> ssh-ed25519 5Nd93w glPMyqAhDvJSOgief6VEWflVervhftUbNgnDOVtKX1I
+-> ssh-ed25519 q8eJgg l4ZcaUycpCI4o4NDfsQlsnl/BzS4UKhxSEYKbIclmik
-xDSl0Oe0UPiWRnFythx/6ErNSy04paTWWKrlheEEzLo
+lqT4jCsxhtK2tNNzRIiiZmB5iHFfzMR9w2TayZlTuvs
-> ssh-ed25519 q8eJgg 4Xs8DKl5BV5E8oGE9MrhBanGuTltQZz3JsCI57UYwiU
+-> ssh-ed25519 KVr8rw CRuDx3JbAfKvRQ1SyD5whrlw2MpFnlP33YMiClgXvC4
-c99NCU+f8vbvFq9T+P4Gi51ae5xygzuyLMFGf8px9CQ
+LKZIzgEEjLvKQgDJOZUi6tP9hi/lXehYQyodLOiNrYg
-> ssh-ed25519 KVr8rw mPvw8t8On+jnc97m5f8x79Kcx9ZhHWyL/YW2zVllqUU
+-> ssh-ed25519 fia1eQ uOoglDTy0OlQm+aUqsg3KfPFXynHnJi7d7WStsw7hmQ
-X8CuzLbLfT6sDhZp4rGif9RDD0zHQzjEp+v5PHX2BAk
+Vt214X0k+A+BWzDwbk3JHX9/lOY74bUPVt0CdYUxHHg
-> ssh-ed25519 fia1eQ CRUdnRPTZQtB/YlTqGcghTUjUlN7avoJ3iip5rNgcEo
+-> ssh-ed25519 NtlN/A yAVmup2BnnPIyRVQD4+e3Fh0RTfc6mJZRLKTPV69AHw
-IX1fAfmdteXLwXF7S4aFidVmzr7ClQE5Dlh5siyQZPM
+dEAj8GqDaIMq84hU5DHEQsba5d7Fvp71xaMVQfMD6CQ
-> ssh-ed25519 NtlN/A BRTimkF1zqBp4N1cep8+Mzet7cX45ZHTz9NekWNaNTw
+-> ssh-ed25519 v2Y09A 5rxrWgwLfUKqbWIyPzODXJiFSCPYB+Xlchj+9wF2RTg
-//1gIudKHmPM5A/1fJNPaQO5TqbZzV7FDFM8EhEFzIk
+x9qWFO8KJ6R2EUqbdkFVFYMs7nHelnqZ9XF4bZ6bx8k
-> ssh-ed25519 v2Y09A U0jsaGMHVO2LpKActT5oYiJrbw6oLeSwzgzR7ufQpF8
+--- XvVzqiGGv9j443pVSwh9lZYRjgSuUn98bICJichEzhY
-CfB7xVWpyMHsRZbfwhtlBdZyUwAuLic9R0LBm6vXNUo
+åõ×/—"cÅ–R"_`QS‹ÚÂéyp)öê<C3B6>¯¼»	z¼ÔeNÆîó–júÉTéõc:9%I™ùƒ÷	}$~Û¢<C39B>RW`0Qä'©XÕÍûVJƒ[’@VÛ]$,‚¢ÁžˆËÀÑ±ô[?òuwK½»!à¼Ì¹÷ÔÿáÌuBâç:) xÄ·æÁ‡Ý<E280A1>Ñâi
 --- wiRWKVnnLoriKkk//al7FuIGYKru0nO1/XGhpz6yWls
 §$r¶£üþlÁk=n†CxªgA3Ö•^%ÛõøÚÚ8ùs€±öúJº&<26><> -×Cå&Yõ(Íe(jðv€“ù¦Ž¥!¢ä€ ¤?å9^çU·¿ñ>fA¼ê(ŸÝò„Ó1Ûìæ#<23>\³0c"Zš†Íû³‰^œ4_ÌÜÙ&Zø»•ÏX°¯6+FÃ¿<C383>
--- a/secrets/email/details.age
+++ b/secrets/email/details.age
--- a/secrets/forgejo/runners/ssh.age
+++ b/secrets/forgejo/runners/ssh.age
--- a/secrets/forgejo/runners/token.age
+++ b/secrets/forgejo/runners/token.age
@ -1,19 +0,0 @@
 age-encryption.org/v1
 -> ssh-ed25519 V1pwNA 8acWnck16a9QK194orAzlQgQKINum/cyUzJqO6i0rkg
 In2UpSbBR6QoTMTZR/GpZJN3x+5CK3hZcEvr5fORoOI
 -> ssh-ed25519 4PzZog /YeuXUmWrWFohgOSEmUygaTax668bLZpYO2T7KXl8n8
 mgnBBIsPycR6RMhLk4HQei5xQLzVHiBHaooOzZdb4YA
 -> ssh-ed25519 dA0vRg DidrxIBYvAfPkwNzQXy2+f6inafUafoX8cfUChA7l2Q
 /wfxyJAyrQ3Uycxwov+0b9pKKOxPP9mySRK5g4BzMnY
 -> ssh-ed25519 5Nd93w i+oP7x/eHY/Roj4mdpOFHrBe5rxUL7/4617F4O3jPh8
 yTVD0dR3ljoUSv1qyuKcOvr1fMRm9C8YAZKKjURtCPk
 -> ssh-ed25519 q8eJgg Y0yxgrLm9/E8nYBg6Yvd0GPbY7PwCJCumQ9CtgWFxxo
 9BfGPSP7pTTM8Dm9qXagKaw95hbqvvp7qsFkhQgQco4
 -> ssh-ed25519 KVr8rw pXha2ebkoIFX9dMX3uRz+0rcbwcQ1mwPnLWp/wCzx10
 BQQ77pXJl75c6myecmKlEpqHtWB/rSdG6Pwpbxzcfbk
 -> ssh-ed25519 fia1eQ gCgas1CqGNZ7n09J7iXOvh2xeGgoszn36ABZwiskBBw
 3a7WMN9aB6ZvwFyP98At9V9K99hD1vkvSJgnY16/JKY
 -> ssh-ed25519 CqOTGQ DU1oon3RPo4MCdzigrM2+b3KnTzzTSG/WDSvtBaF1VE
 zwKaQnXT004dMojYFXPz9UERL4ULe7mPZ+vwlZMxFvY
 --- FWICxx8MWe7awI8P5t0XsbA4Ye0zbxCdMbapTs325HI
 wûùÿŒ-”¥d!Ñ×=gŸ&ÜžH¬©ó?÷IçÛ’Úá•ªªêÏ<C3AA>Ò¢Ù„öLÒLË-<08>Ù¸ÏñU¿?	)ûVýJæb®éÄÎC
--- a/secrets/gitlab/db_pw.age
+++ b/secrets/gitlab/db_pw.age
@ -1,19 +1,18 @@
 age-encryption.org/v1
-> ssh-ed25519 V1pwNA To9tGfYsutlmjqXZbFJ+TttdFAnbwY9odSMEOvItmgw
+-> ssh-ed25519 V1pwNA a2hqKI7aO4y8QLvINHmeFrAeUthzoE3gcsNiJS87yTk
-Q8cWN1VF4bVisWVMOEA6IXqhe2JzPl/9M9UUXWWV0Bc
+iy7zvTi6gh3/t42Pe+f5ylDx4eq1hINSAFhI3S1wOks
-> ssh-ed25519 4PzZog e3OTx6aEjhNCwyiysZkbwSC8ecVvVaVNfZV/3iNpZCE
+-> ssh-ed25519 4PzZog S4zRlO88rWpco1NY/7yJDQvCtPnRvYjWosE8VNtYkWU
-o8jHkyg0lptJh2Iew9ZtVi3AUOSAtmDzBIz2nE4mj8k
+iX+b3W2Pa3kw+ErHo/Qk+ZTH5B8svQTfMcXdN4IWVZY
-> ssh-ed25519 dA0vRg 7smMdyMEq1stuvSBUsBZXJoeap4Aru6AsljjFPPpfiM
+-> ssh-ed25519 5Nd93w WDwhO/1jtbE+DbLq8BkReY/Vdyhdc35win+n3HMqclM
-Ip5qA83bAGtYIeqv1w0yo5obRh+FWYJICgOU5+JoeYQ
+v2lqyU6RwTm6KX1z99FE78jv1KlyuoAWRG2x/Wq/X6U
-> ssh-ed25519 5Nd93w z16A2vTVGdxgKmgHoSySJ9K8cwrQglflrWDhBvZ7ME0
+-> ssh-ed25519 q8eJgg J7F4QM4iT3+8HbJo4ARh7iLn5/GBptn1wGM7amyr8ms
-ILd92pWzyVGnTOXwovlZ3EX7LsFX06hqedW7Ov2CYII
+9DuYiyXOOWzXdlUAO7/rUYuPy9MyyxB88w814aM3XE0
-> ssh-ed25519 q8eJgg Rf7U0SdZsP4NEgiDl8Z99tCoOkIwrrl5s0aYpXOG6yQ
+-> ssh-ed25519 KVr8rw BEBn1R3n2JYWqcjgfO5IIRWnrcPnMtI2E/hQGktypVk
-tg+Y2WHuokaCVI4CCxuv9UW3GIa8CMuX0JJEWTTkwjU
+ErzCxi8fht4tWQxzMAvkDnbNUtcbiyBiC9pNdp1vbaY
-> ssh-ed25519 KVr8rw YUN5VlTaxW7Niwtm9+FTGOILOklbEGL5EVw1BucGvXA
+-> ssh-ed25519 fia1eQ G6EtgOxK54K97LCUNZ8h87WwWwXrn8cKtkCXa75pKGc
-zXYcis5ANsDGPeFoV1aRzTJiOQY2P1ZLHsJDkE9RFT4
+M86xqkKJ/DtjB7mIE1gPhoXTYzHp2393w0cZMOHQNQQ
-> ssh-ed25519 fia1eQ TnSlOXGQ0BuVk25Yj9YpWWtYmonlM5h+uC9hUq3MM3E
+-> ssh-ed25519 uZzB3g /sd3xL4WAKbPxvdqq/fihyAhxkn0FAiBCYydIXB1/VY
-8KrW7R5AgumY9wLVQyUmKlHD3zcUNIc+VU/X+vvY2LY
+/hdi7E2cEU8U82/CVB+OpGacC+OfVpXXYEu6B8bQnB0
-> ssh-ed25519 uZzB3g 9ms4lu4KjQED/2AHQwr9oLd/6ws01IxuK7Z05CY6N3U
+--- HGKIhGq5mH/k6m63FdnLdO2R1fs7o7K/wlP6zBwopL0
-H/4AnWwt5fnZMvWjmXdoe/Os5ttJFYsMmjaHHqBdAxo
+Ťw×7°Ą1ńµ“×»Áě	}5¨-<2D>g-+GXVŘpŞD’ĺł)IëoróŇŁmŹ´!ňąç®]7ď–Z)»Ĺ<C2BB>±Śý"˙…±šétŻÖu$zâUŢyJ‡g_ż‰<C5BC>Yř'94<39>Th‚Â_*„dĽ%I‚<c$ć!žĆŞF{aBY8.$
--- zI2RSKtND2Ep69vshrRkM1KOiReF/m5vdY4jIH7NSvA
+îžú»Jśi†
üűŇÉ*ŞČâçČ
 ûì‹ënà›µ·ÞÒÜ
I¯ü$¨¬Í<C2AC>[ëP…Uó¯"ÕÎºZX„ñN<C3B1>nNg<19>† àú¶dP}¥GZ?<
/—!«÷c
„= üïhnZ`ß0‘²Âˆª1•nl‘±Üç»vÄÕfw<66>ÄjÓE@2<>1{ßù…ÐúEØØg“|èñQ\2Ðóe¹~ÇšÁ=Ó¬¾]fdRnó¶á¸
--- a/secrets/gitlab/ldap_pw.age
+++ b/secrets/gitlab/ldap_pw.age
--- a/secrets/gitlab/pw.age
+++ b/secrets/gitlab/pw.age
--- a/secrets/gitlab/runners/runner01.age
+++ b/secrets/gitlab/runners/runner01.age
--- a/secrets/gitlab/runners/runner02.age
+++ b/secrets/gitlab/runners/runner02.age
--- a/secrets/gitlab/secrets_db.age
+++ b/secrets/gitlab/secrets_db.age
@ -1,20 +1,17 @@
 age-encryption.org/v1
-> ssh-ed25519 V1pwNA rEsQ/q9FmFkVdXfXfYG3zHN4KvXTfRmZBLEibdzbQBo
+-> ssh-ed25519 V1pwNA nvvDGnr/WMta+0XVEnUlmg8KV3mO+5zX9ZlFQZQS1Bg
-fJSlFRK0Oi4OpGBf7Z65U5+OFu4+Ts8MqKe7B2G+gYM
+YyVLxI+TxfXXsncaIyi9Su6tzh5KLTbHxHxbWhplXXw
-> ssh-ed25519 4PzZog aOPnUpH7F3AS6IauahbpQYYYSX7hSJcix2C1CgUsoi8
+-> ssh-ed25519 4PzZog zuxuhtcAiEhrr28adZrFPK5Z4399/8gbf8aWoAtI7HU
-h83ikYOIqng/YKfo2RJc9MwbdaKV0V3DFLj5socRi6A
+vR/0DkXhUQmbfdzMBVAFDd1S/87DDpg9v0gyZDVv2UY
-> ssh-ed25519 dA0vRg oK+zniCPQd3Hw/Bm1/cG6d0If6Wq7VVdxR1nrH/MHAQ
+-> ssh-ed25519 5Nd93w CUTmUrZomxIY6wwemYIwaIBO9CFSPrcQaIWs1tUdMm8
-c9Q6gyqil1XvTsl/QB9dpvYHa9Bi8bbfWNNfEx2wwo8
+btVGPdTgvyxqd4rYiuIXLGJcQoF45g1hx5OnTHQgCrg
-> ssh-ed25519 5Nd93w B1mA5u9RHQ28ZopDLlJh8Z5Q530tJ9wjOzhMzsJSTUE
+-> ssh-ed25519 q8eJgg wKjpIAXn+5FAC09yengwsJmAgPVY4BSNOkzC6bdZUBM
-KbCpkJ666a/dnnatT5QIcPbEOMP+dUkiMERcc9tRMvc
+LUifpX/UNLC0ge/ApqC0VZ6NWwug865Gtp5t2/Fbijw
-> ssh-ed25519 q8eJgg ps+fnslUfJUthZB+bLXZdvwXgaM/Jsec5YVJiTZy6AU
+-> ssh-ed25519 KVr8rw 0YwXdULrmM1CaWqe4ppSvn3rI4qaHpjVFxZLtE/jFiY
-vpwxjfgKkieWlxSjWz+b6U0p16zJq4Q+NqO2zXISWbg
+GXxdfK6NU0M0tBf9Txl9M7SzUEkAoDJ6VhGQuQtDRCg
-> ssh-ed25519 KVr8rw sIxHbaWSfSZVoMIchJnvEPH0S1ZrSa0sS+Pa++yUZ1o
+-> ssh-ed25519 fia1eQ BoAjwSD4dQG+35NLGjPwYcENbtkukIoEVxo23A3mukE
-3pn9e3IzOF0JxohMP424AFWw6IrCPm+fnS70cfnKZ1U
+1YAgdZedWip4daImkXA1UnHJNGu5LBF5g8t4FotjiTg
-> ssh-ed25519 fia1eQ XPBMusFIRQ2mqQgnYPpbn40heCrqiqa2P5tiq5H9fgY
+-> ssh-ed25519 uZzB3g g/yGqYocU7fg27BOj75yUgFYHfYhLg5iOA490U7xpUY
-7T2S+TJ5jd7cfnCa9iWLaf2zUHG3YIUZFnt/ek3pHUk
+huOnWVaBT71Li8CO/NialjSzBC0jscJIE7Vddc34Aes
-> ssh-ed25519 uZzB3g NxRK4Dsc4U7a3MPQoApPTNdybonx2RdXUGc61WB8l0I
+--- 9iDIOye0Eass4rxrC2ZcfxXu09TG0F5SQoMAi7VOsfg
-YHoL+K85aXdCTAm33Oc9d1/BD6xFXCHZ8uJCqqn8pQ0
+Ãµm§Od¹åŒ½xõà·o#Ï5i‰¯¢;ËYóÔÜ:>†,n,³Qô¤}K{½)œi¨XêÜU”jvS?jú(ªr@'ó†<C3B3>sç@ö çáLQ…ç<E280A6>ÅÞC^ý¯w‹<77>€XœólqŠcÑOÀ«ÆP¾Ñ<C2BE>Mnç_<C3A7>jÚÁÅÍ<L<…C+¦œå\YüëÜû$Ì3<C38C>|r”ÿN€x<E282AC>2A¹¿~
 --- BHDuf9Sxnh49jes8mUA6Rq2cTNqBxpsz51UZgL2np4c
 þC
<<3C>\ã2fkÛ×L+\¶‰éÿØ²µp‘&‹®6~<7E>Ø<àÌv¯sé<73>ærx§.ùO¢Y
 jÚEA-ýûyã&N2&M•<4D>ïn‚

4!c²™^$¬^;¿XJÁ@éFÿÍûf*²BIÉ<49>`g†e{„ÍGžËm<C38B>ý…ñ?U¨i«toažìŠ<!”3ä— <E28094>Ó›l1~2W7óC
--- a/secrets/gitlab/secrets_jws.age
+++ b/secrets/gitlab/secrets_jws.age
--- a/secrets/gitlab/secrets_otp.age
+++ b/secrets/gitlab/secrets_otp.age
--- a/secrets/gitlab/secrets_secret.age
+++ b/secrets/gitlab/secrets_secret.age
@ -1,19 +1,19 @@
 age-encryption.org/v1
-> ssh-ed25519 V1pwNA J3U7/2AXc6au88y6cZ1ottq7ZY/dU/N6xDg0LRPbXxo
+-> ssh-ed25519 V1pwNA 9M7GmhZKBWIG3aKDhybPf3j9L4lhTrGG9aGpV7dRKy8
-0haZ3EvhpeeeT0cISY6tjxcE6VpDJqGLX+68m071gn8
+BfUZCdKn6rZGgHMf3475lgPqJamnm2W0tPkPctZHqyk
-> ssh-ed25519 4PzZog oXXG203aCEltjB9FZx/H4W/QMPG1MiixW3a4nV1kPyg
+-> ssh-ed25519 4PzZog ijLfuYQCg2bofPXdcj+2wo4yar/Rcocw4e69nO/Kuyk
-WxUvEWcDF3XFP4YkXceRx00SWY7adxCZ2nmGsytBDEU
+H8/Un3MCa/u+WvWUIl1L0W6agAC7qMm6XyRslDy/4SE
-> ssh-ed25519 dA0vRg MTQucbTSFClxM1NM/LS0128AESkGjkVPOdpTsGbEEFM
+-> ssh-ed25519 5Nd93w ti92GZohdr4Yr2ezaLt4iJJaBeu6xfe3cU8YUvW0vH0
-X1xEivyUoxu/Par6uBXD37f0/GeXodHuagFqguuHQco
+NFm7YCcsy+X3OykCrBcO5/83qVojV2JacoSSdR1ctaw
-> ssh-ed25519 5Nd93w rZzdZrjSce5JhPTPPCzHJxKIUFcDJY9mccA6/QnCa3A
+-> ssh-ed25519 q8eJgg PvJPouqT8s+EeBv+SZUsfVXk6VY4R+o8SktSyDdxvHE
-Wo+eoxbZZ3m82w5bywcvrpHxnyn8in6TDUb0oaglADo
+kGVDmEqA2kKGwmtK6Ue/rq8rmOUIdrF7tvZI4qjCuoc
-> ssh-ed25519 q8eJgg Xs7oARCYw4wmA9p1L36jRwp1r0KRZ9+XePaYIoQITRI
+-> ssh-ed25519 KVr8rw iQOHwjOQgTHEnn63/GBv9mRS5DZMouNK6ssawJIomGU
-AWpIl5i7TjgJK2WPz3VZR0UVEeK0u77V6pTTRSgvGas
+5wrSu/IlWpOWQ5WW0Ii0JhgWfY2qDRTT2dIayJWfPPQ
-> ssh-ed25519 KVr8rw 7viimD+3AhhCl+ORBApuvtnrjY2bNsEbUqGoM0R9q1g
+-> ssh-ed25519 fia1eQ ORWzCW6WqJttUok3KIJOJuR2a3mvJRD6EqJMDhaTHi4
-vylA7Zx4eVkI4kg+lKx/D+Ro5Bbn2wWP36Hnxas7Z4I
+cO4hefRRmCNJT/5ShZ5G68JR5nNqsjIuCsMm9ymWW84
-> ssh-ed25519 fia1eQ LYO7HMLlyXRpJJJgJ1uyrYrsfdCbRYqxXgeBtTyrn2w
+-> ssh-ed25519 uZzB3g tlXiwBwJtKqA8xIJpUtS3/3R0loyD2uYI57P7HzcwXs
-5oNtkzAoPWg1JY9aoXVYWByCMqEuQ1QDs7Jw6/VEEiw
+8Y1cOMDwGTPIUOKSZpx8ngab7dgtTRzvTb3r87x6Um8
-> ssh-ed25519 uZzB3g GKbJ3OU6hN4u0hS+601Hau09sq6q5ZCNwlFJhVeEEiM
+--- KZjYtWrcPBYnbBRRzKuyOr1IUvEdd+XggCg3rzPLKX8
-LcN5eHSOgEFxR2rmC10RkHMllbQW9ZDARUG+9XeX24E
+l˜M ¯Ô0Æ4a¨Ÿ”À'h^‚<03>³žš®°<C2AE>ž/ðìé!©óÖ<C3B3>{D#]Ô”îõ¶û
Ž ø;úqax×&¼ÉÑ1®(zwí"6<>YÕa±¿Ôì‹Wàv:©ÀÙˆÊ²ß<C2B2>ÔÙOvc•
--- siGgnCjaHw6TOAYR4mjwfLjtQRxFjnjGN2/MRAkIdeY
+Ë8<EFBFBD>¦ÉdjbA€º¢µ
-<EFBFBD>}+3'ýY†[/*û†ÒÉo¿Ìãcbyê<79>û	RÃ!¤ŽS\ÿ‡@N4‰®æPŒ=`N7<µ‚àa‹ãbšÑ²ÛUN7Ã9 dµ%~òæ{Çý éñºJ¾›ú`ÉH|™È,îë[·»4Êb¿=œ“ÿûÒF‘ÁI¹ímÀëbM„’Û¥4Ùšnz-<2D>9‹£OIu„µFó
+\·ø–l¤›Ož>ðä=‹Gÿò¾œYQçóñ¬ÅÙ	
--- a/secrets/grafana/pw.age
+++ b/secrets/grafana/pw.age
@ -1,19 +1,17 @@
 age-encryption.org/v1
-> ssh-ed25519 V1pwNA Je94T4psgEbYV6YBZ2BSQ4JZbKubHtPEKNuVjL9CaSk
+-> ssh-ed25519 V1pwNA LAEKkf1x39PdLIH97OJtIJfTZX1M6gT8No8qqTYPA3c
-Fp8uHwymTnjkFQBfezrFj2ycXsYrnqqW2+KeKfsjONY
+2iOWDr+BbDIaTz58B7AzN4NWT7RwSb7XkuiVJ57B1j0
-> ssh-ed25519 4PzZog paDltxaTs3odGMIkWFMuTfe+LnO2RqvRTqAi7pK8EB0
+-> ssh-ed25519 4PzZog Cw8kkkTDezUXzQ2gphOAv2jSDKVoERI99A6tytjwv3c
-+ZtGVOK71gSGzgY6nSlDT32Q6IQFFvZd8xMp42GD/xg
+hYNdr4UWSlrn2PwFCBlI0IW3tQClDWcbuNjdAwoteho
-> ssh-ed25519 dA0vRg 2ZGLw9dW0qbzkJb+M1DhhEaW19VaPdgy9YvzxeEuZzw
+-> ssh-ed25519 5Nd93w Pe1qtfWj87qtN6DWuBiB5NoBLI+aSfSgHoq421na720
-Gycx9hEatq1jOQpE7EqF4G8y3+XvRnIC8oNK3hJmOzw
+7kb4ChNHhvfp7hM9wd4OZWUlm51cE7/RR3IFdomw12g
-> ssh-ed25519 5Nd93w uyUnDy48bjq4cfG/HfIF57bnCxNGSFze18MTW2XmDmc
+-> ssh-ed25519 q8eJgg p9LYkhCE37NkSDxV/as4eM7UiiITWcK0GIsXitD0Vi0
-TWCJRIC3J9KyjbCaM/WmCoD0x2MtrGGKVgHCA/TBe0I
+T0m6EuQ5oa7EU4X4Dx+BWyGKH+zm8A28QQUvwiaNPmc
-> ssh-ed25519 q8eJgg qPb7JIMkwOWIWw4yIhQku0u6d09QqFKtOXx1gC3XowA
+-> ssh-ed25519 KVr8rw XuxmoWmw07yr9Tqi61RMvuwf6oYIVbJUhfT+FgBwgEg
-8+YLpW8xzEzq02zKFhlbjOggEWfMZ6j2G5RGIq/TE/o
+Hzym4T2/f/6A/UYTdIbBavj3hrq3sGCNO7mwewS/mg8
-> ssh-ed25519 KVr8rw zcZRh0qTa55ENUWXRIPk/kAv3tKB0+anEQ+IuEhsFjY
+-> ssh-ed25519 fia1eQ f2XQkWEUmk0n9DtS7vhZt9o3+aPtgiwro8Eu9mcnvmk
-8oN0U8jD1BA07XOS4idvHgu8LA7/E5aciLZOshsZJJY
+/43wuhInhHfSPcFziObogHjyZy6qXr7X1jAPTMzulJI
-> ssh-ed25519 fia1eQ gkdxv6Uda41PT9GhALDwPCfzzSiCDWluZG5m3WRwKAQ
+-> ssh-ed25519 IzAMqA eqAgjVRof9nHZiYzY0m5MRlEzy0LBXxb/yi11K29kkQ
-5YSmnIYFXmBgTur0Z7PcLOT9ANvLJgIech5gp4Pqwjk
+wS86BxKIoT9ZOW1n8Xo6GomhOlRztBp7DpQNv/s9PRs
-> ssh-ed25519 rmrvjw H0ZmvmeUIpb4ZAUvh+7k47mUmZidcsKxDHC2oC/100A
+--- axgiJ8IqNurtt+4iAL6j3mRLi73NnjoG5+TMeIKwjI0
-IjYufbdJxMMANqicCHQQAU0Vh/NvROfCfaxJBM3rai8
+Ô
9ÓŠö†âFÛ„XþX_î(ÝŠ.Œc{<02>¼~™ègÍ}<7D>S¬<>à"92K¬J4„s4×u#1‹	Äæ~ÚëRX/@°K8~áBö
 --- TrZyyHaK0o4ot71wVxZzBT+3mVrVUQ3jKv6FuWNO4Mc
 R3±g”GÛVðgñX3cÅœëñÕPÌ\Úy’‹gûqÐqÒ·"KO(ôÜ.ý©
÷8Í·&Ò3Äpëù‹)‡‹4:MRS¦³pK
--- a/secrets/ldap/details.age
+++ b/secrets/ldap/details.age
--- a/secrets/ldap/pw.age
+++ b/secrets/ldap/pw.age
--- a/secrets/nextcloud/pw.age
+++ b/secrets/nextcloud/pw.age
@ -1,20 +1,18 @@
 age-encryption.org/v1
-> ssh-ed25519 V1pwNA wC7Nch41YKEjrwpf/sDR+SUWKm1porqP2DyQhz/MLh0
+-> ssh-ed25519 V1pwNA gR4aFo/u2ow8mMgTInSPElO6gBhgig2s9Wzp+IkGjlY
-Mu8NGcxWphZZLgb0F7h10EJGCPiontn6y2lWNSldNGw
+mVWoBrKH7AihCbdrspCIzPjF8N0kQGDML6pkybH5Y4U
-> ssh-ed25519 4PzZog 6H6fsEDq6xiIkmIy6gUUGL+Mm03HSEaSGnjel3EO8EU
+-> ssh-ed25519 4PzZog BhiSfpYVlUgTLX6rHisiyzLOmzrqcZ8JKDqwY1lg+D4
-xzqv1RZijhQqeiWIFq7ReVzh2JLtBoo9HmZJ1VXrMPU
+nSxNNHRYPy0C0ufqa2QMIylMr5IPlPUiDcg+d79KkDA
-> ssh-ed25519 dA0vRg UC9Vm0pLH8N9XGxKAZ/3Efe/9SRvx/rlxCYx0u5oljg
+-> ssh-ed25519 5Nd93w +bZMaaPc0jTIQ/eu/uWWgA41UQnKveaaVjgqoIaAGyw
-gF4IFYdCIXfvPPrOsJFvGMf1PzrSyureKpOP66ZHB1Q
+elodhm0K17eQQInvae1tkkhFY1aPrbTdaRsviYDEBEg
-> ssh-ed25519 5Nd93w 338ts/scFEwjZ+3f4Vcd8C9Q//E/ZGoSxIutAxKgpAo
+-> ssh-ed25519 q8eJgg LlaIdTPw3c2H8R5mDIIam4Ygvvk5gpgPahNJvf9UnB8
-C0vs3fiisD9FsZ8gYJZj/I81mT3Psw3g1jN5ztyuDQ4
+BN901oRUt0j75RnQZnn4uFiLKEtRhCvFtKHug7Ikg8U
-> ssh-ed25519 q8eJgg eIHEYfE/50IRNy+gnNmqQD4jtVgJRla4ilAQp2gYfjE
+-> ssh-ed25519 KVr8rw Bv9wfs5KP7lvH3Bpnsbzpgzduq1xiQlwVcWndWFL7Qo
-bFNJA6KPlBiZWrB5vjyTilXC+rkW+xqVSWcvHln9H/8
+LgGA4X5MOelYhpXWfsX95J+YGjcPzL6ISlPKr9ZNv/w
-> ssh-ed25519 KVr8rw Kq/0pxm2r136ezrKRugC1So2cIIx2VTShPv6WTc6m1E
+-> ssh-ed25519 fia1eQ WaxlI+aHWQdJs2YtttcQ4TzI3aIlkmdbm21mhv71VRE
-W7VrsPf9jkkxqndVjrFuGBwqJR3v4hwig7Fed9xJSAI
+yI6QKxZ/TwXRDdaHxt6+ZVldnB7sZRGQFABnd7zeXtE
-> ssh-ed25519 fia1eQ 1sA1YfEKVatTzHV5Wd/tzqwRiIPUBQlfoKZkJpxRYig
+-> ssh-ed25519 YFaxCg /V6Ab/BqFQ13K0qN1DOfaw8LLGR049s0S/FuK6dL6WA
-lLtPzvg8H0y+FpfGfF/Q5g1nCap1TgW2wipIKU+Q+WA
+fZbxvQWiPh/MH4/fOzV5trPL+B4H2o2WtVBIPuFsdLE
-> ssh-ed25519 YFaxCg zUYYpsC6BXvPRcIignITwUmvBhfhy9EnxFeCFg1niQk
+--- kUKnoRQARSlp+lGUNu5Zu7KztkK36VZeK9xozWZwmyY
-QcmAhpDajw2lJyttDX9kn+0bdugmYYifSl1esaa3xpU
+¼‚‚Ï¶ÞãtT€‚)<29>ÊãQ*12wc¹ÍÛvÑ¶^<5E>ÁE~]ïÀ!³TÎÎB‰3?³
--- 0sQ4g4YxMBe/VBe39F9ZfwVh9XEOHYHqgiX5oakBzPU
+§R™}ˆDÚ><3E><>º uðÃ-.¿¹<C2BF>9DóŒ
 ¦cò±hðWÚp@å
‘
"L·<4C>åÒ[)’ØtŠ¼/<2F>+”MyÍä¾ò'
 ‘8K¼ƒ[©m›}·qÿÈ1«{²µ¯]·OS%á™¯>»
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -1,7 +1,6 @@
 let
  admin = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK6DjXTAxesXpQ65l659iAjzEb6VpRaWKSg4AXxifPw9 Skynet Admin";
-  silver_laptop = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFQWfVKls31yK1aZeAu5mCE+xycI9Kt3Xoj+gfvEonDg silver@helios";
+  silver_laptop = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFQWfVKls31yK1aZeAu5mCE+xycI9Kt3Xoj+gfvEonDg NixOS Laptop";
  silver_laptop_2 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOmm4CCnpT+tF7vecSrku0+7aDA1z3pQ+PDqZvoCynCR silver@aether";
  silver_desktop = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN34yTh0nk7HAz8id5Z/wiIX3H7ptleDyXy5bfbemico Desktop";
  thenobrainer = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKjaKI97NY7bki07kxAvo95196NXCaMvI1Dx7dMW05Q1 thenobrainer";
  eliza = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIJaVEGPDxG/0gbYJovPB+tiODgBDUABlgc1OokmF3WA eliza-skynet";
@ -10,7 +9,6 @@ let
  users = [
    admin
    silver_laptop
    silver_laptop_2
    silver_desktop
    thenobrainer
    eliza
@ -23,7 +21,7 @@ let
  galatea = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII3Mke5YtaMkLvXJxJ3y7YAIEBesoJk3qJyJsnoLUWgW root@galatea";
  optimus = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIqYbbWy3WWtxvD96Hx+RfTx7fJPPirIEa5bOvUILi9r root@optimus";
  glados = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ6go7ScvOga9vYqC5HglPfh2Nu8wQTpEKpvIZuMAZom root@glados";
-  wheatly = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIPlgCGtyvd3xwYg9ZNyjTJNB/LvUSJO01SzN8PGcDLP root@wheatly";
+  wheatly = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEehcrWqZbTr4+do1ONE9Il/SayP0xXMvhozm845tonN root@wheatly";
  kitt = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPble6JA2O/Wwv0Fztl/kiV0qj+QMjS+jTTj1Sz8k9xK root@kitt";
  gir = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINL2qk/e0QBqpTQ2xDjF7Cv4c92jJ53jW2fuu88hAF/u root@gir";
  neuromancer = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEFAs6lBJSUBRhtZO3zGKhEIlWvqnHFGAQuQ//9FdAn6 root@neuromancer";
@ -32,7 +30,6 @@ let
  cadie = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIACcwg27wzzFVvzuTytcnzRmCfGkhULwlHJA/3BeVtgf root@cadie";
  marvin = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIAme2vuVpGYX4La/JtXm3zunsWNDP+SlGmBk/pWmYkH root@marvin";
  calculon = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGsmeBfh4Jw2GOL7Iyswzn4TVNzalDbxDgh7WuQotFxR root@calculon";
  ariia = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA4kV6W1/tP/nf2ZWNhRoV1mK04R4pS+c5vdsA1n5gpN root@ariia";
  systems = [
    agentjones
@ -50,7 +47,6 @@ let
    cadie
    marvin
    calculon
    ariia
  ];
  dns = [
@ -78,7 +74,7 @@ let
  ];
  grafana = [
-    ariia
+    kitt
  ];
  # these need dns stuff
@ -117,6 +113,10 @@ let
  bitwarden = [
    kitt
  ];
  nuked = [
    optimus
  ];
 in {
  # nix run github:ryantm/agenix -- -e secret1.age
@ -136,9 +136,6 @@ in {
  "gitlab/runners/runner01.age".publicKeys = users ++ gitlab_runners;
  "gitlab/runners/runner02.age".publicKeys = users ++ gitlab_runners;
  "forgejo/runners/token.age".publicKeys = users ++ gitlab_runners;
  "forgejo/runners/ssh.age".publicKeys = users ++ gitlab_runners;
  # for ldap
  "ldap/pw.age".publicKeys = users ++ ldap ++ bitwarden;
  # for use connectring to teh ldap
@ -147,8 +144,10 @@ in {
  # everyone has access to this
  "backup/restic.age".publicKeys = users ++ systems;
  "backup/restic_pw.age".publicKeys = users ++ restic;
  "backup/nuked.age".publicKeys = users ++ nuked;
  # discord bot and discord
  "discord/ldap.age".publicKeys = users ++ ldap ++ discord;
  "discord/token.age".publicKeys = users ++ discord;
  # email stuff
--- a/secrets/stream_ulfm.age
+++ b/secrets/stream_ulfm.age
--- a/secrets/wolves/details.age
+++ b/secrets/wolves/details.age
Author	SHA1	Message	Date
Brendan Golden	b77f846a33	Merge remote-tracking branch 'origin/#76-Nuked-Backup' into #76-Nuked-Backup # Conflicts: # secrets/backup/nuked.age	2024-06-07 19:44:51 +01:00
Brendan Golden	097fa21af8	admin: add eliza and esy as admins to teh secrets Actually add the keys this time....	2024-06-07 19:20:52 +01:00
Brendan Golden	3e10c14a4b	feat: Gonna use the space left behind Optimus to test this out Relates to #76	2024-06-07 19:19:55 +01:00
Brendan Golden	223fcb4202	feat: Gonna use the space left behind Optimus to test this out Relates to #76	2024-06-06 23:36:50 +01:00