chore: ran deadnix

formatting
rspamd: remove nixspam blocklist
2025-02-15 00:32:05 +01:00 · 2025-02-15 00:31:05 +01:00 · 2025-02-15 00:30:43 +01:00 · 2025-02-12 15:39:05 +01:00 · 2025-02-04 12:20:46 +01:00 · 2025-02-03 19:13:19 +01:00
44 changed files with 1479 additions and 374 deletions
--- a/.sops.yaml
+++ b/.sops.yaml
@ -10,6 +10,7 @@ keys:
  - &joachim  B1A16011B86BACB56ADB713DB712039D23133661
  - &jonasga FB44F0746DF25F0B24A2EAE586C8A257C3EC82AB
  - &hendrik FBBFAC260D9283D1EF2397DD3CA65E9DD6EB319D
  - &frieder age1x76ajqw8w4l5vlkwt5s3flz5a5jq5qlxv7uppmnf8ckj9egh9ekqjclzt6
  - &quitte age1wvdnprpnq2rcc4se3zpx2p267n0apxg2jucvlm93e3pfj439ephqh2506t
  - &tomate age18lwgjazaxujqgcc5j0gjllnykhtjn6p0q44jzrsk4au2a5k6nd9s77kd6d
@ -26,6 +27,7 @@ creation_rules:
        - *jonasga
        - *hendrik
        age:
        - *frieder
        - *quitte
  - path_regex: secrets/tomate\.yaml$
    key_groups:
@ -39,6 +41,7 @@ creation_rules:
        - *jonasga
        - *hendrik
        age:
        - *frieder
        - *tomate
  - path_regex: secrets/admin\.yaml$
    key_groups:
@ -51,3 +54,4 @@ creation_rules:
        - *joachim
        - *jonasga
        - *hendrik
        - *frieder
--- a/flake.lock
+++ b/flake.lock
@ -7,11 +7,11 @@
        "poetry2nix": "poetry2nix"
      },
      "locked": {
-        "lastModified": 1714117615,
+        "lastModified": 1730751072,
-        "narHash": "sha256-Ilu7j7tihFI0jtnsQS+7H0SZX4C61NZHaV/7fJ39t/E=",
+        "narHash": "sha256-+FQjzCNV3k8U4BfNcFmoZTRf8aO9ufn3s7kkzHj/b7s=",
        "owner": "fsr",
        "repo": "course-management",
-        "rev": "9e5ab11788b926a9a26d2aaa0e0958c3c5865cc9",
+        "rev": "60b7062ce47ee9f0609e701ad5eb5e3e0a857ff2",
        "type": "github"
      },
      "original": {
@ -27,11 +27,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1698049587,
+        "lastModified": 1730889586,
-        "narHash": "sha256-gNxpJdxSrpWMTBSGFO4HfXgr+FiAGtwEXCvxd6W8IUQ=",
+        "narHash": "sha256-SLgo7UjWLaFaaUPFqzKbr9DLAGzm5kparfxuJHEpK3w=",
        "ref": "refs/heads/main",
-        "rev": "2d05abcd2b4e59db421c86fa9adaffa3dccb1086",
+        "rev": "a111147ce5eaea4f1d691afe1203e7529d68522d",
-        "revCount": 7,
+        "revCount": 9,
        "type": "git",
        "url": "https://git.ifsr.de/ese/manual-website"
      },
@ -45,11 +45,11 @@
        "systems": "systems"
      },
      "locked": {
-        "lastModified": 1694529238,
+        "lastModified": 1726560853,
-        "narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=",
+        "narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=",
        "owner": "numtide",
        "repo": "flake-utils",
-        "rev": "ff7b65b44d01cf9ba6a71320833626af21126384",
+        "rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a",
        "type": "github"
      },
      "original": {
@ -63,11 +63,11 @@
        "systems": "systems_2"
      },
      "locked": {
-        "lastModified": 1694529238,
+        "lastModified": 1726560853,
-        "narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=",
+        "narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=",
        "owner": "numtide",
        "repo": "flake-utils",
-        "rev": "ff7b65b44d01cf9ba6a71320833626af21126384",
+        "rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a",
        "type": "github"
      },
      "original": {
@ -78,7 +78,7 @@
    },
    "flake-utils_3": {
      "inputs": {
-        "systems": "systems_4"
+        "systems": "systems_5"
      },
      "locked": {
        "lastModified": 1681202837,
@ -101,11 +101,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1708628927,
+        "lastModified": 1739371104,
-        "narHash": "sha256-1ObvmmEzbW2YjY/jJyfOoxhxIe54zcsOBMzgehnclRg=",
+        "narHash": "sha256-k7RZrUCxPPV2htf5bSEGlailgMSXh0c5DTPY6uvB1QY=",
        "owner": "fsr",
        "repo": "kpp",
-        "rev": "05e370097af21ddb776bec907942c60e6aebc394",
+        "rev": "c98d8003aaf7b8b085c674ce6d931cb6014a5c95",
        "type": "github"
      },
      "original": {
@ -123,11 +123,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1698974481,
+        "lastModified": 1729742964,
-        "narHash": "sha256-yPncV9Ohdz1zPZxYHQf47S8S0VrnhV7nNhCawY46hDA=",
+        "narHash": "sha256-B4mzTcQ0FZHdpeWcpDYPERtyjJd/NIuaQ9+BV1h+MpA=",
        "owner": "nix-community",
        "repo": "nix-github-actions",
-        "rev": "4bb5e752616262457bc7ca5882192a564c0472d2",
+        "rev": "e04df33f62cdcf93d73e9a04142464753a16db67",
        "type": "github"
      },
      "original": {
@ -143,11 +143,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1720334033,
+        "lastModified": 1738466368,
-        "narHash": "sha256-X9pEvvHTVWJphhbUYqXvlLedOndNqGB7rvhSvL2CIgU=",
+        "narHash": "sha256-PZhUjtvQZOH3PO0EYdTpQvcqkgkq1NkP2A6w9SPHYsk=",
        "owner": "nix-community",
        "repo": "nix-index-database",
-        "rev": "685e40e1348007d2cf76747a201bab43d86b38cb",
+        "rev": "46a8f5fc9552b776bfc5c5c96ea3bede33f68f52",
        "type": "github"
      },
      "original": {
@ -158,11 +158,11 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1701253981,
+        "lastModified": 1730531603,
-        "narHash": "sha256-ztaDIyZ7HrTAfEEUt9AtTDNoCYxUdSd6NrRHaYOIxtk=",
+        "narHash": "sha256-Dqg6si5CqIzm87sp57j5nTaeBbWhHFaVyG7V6L8k3lY=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "e92039b55bcd58469325ded85d4f58dd5a4eaf58",
+        "rev": "7ffd9ae656aec493492b44d0ddfb28e79a1ea25d",
        "type": "github"
      },
      "original": {
@ -172,34 +172,18 @@
        "type": "github"
      }
    },
    "nixpkgs-stable": {
      "locked": {
        "lastModified": 1720282526,
        "narHash": "sha256-dudRkHPRivMNOhd04YI+v4sWvn2SnN5ODSPIu5IVbco=",
        "owner": "NixOS",
        "repo": "nixpkgs",
        "rev": "550ac3e955c30fe96dd8b2223e37e0f5d225c927",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
        "ref": "release-24.05",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "nixpkgs_2": {
      "locked": {
-        "lastModified": 1720244366,
+        "lastModified": 1738574474,
-        "narHash": "sha256-WrDV0FPMVd2Sq9hkR5LNHudS3OSMmUrs90JUTN+MXpA=",
+        "narHash": "sha256-rvyfF49e/k6vkrRTV4ILrWd92W+nmBDfRYZgctOyolQ=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "49ee0e94463abada1de470c9c07bfc12b36dcf40",
+        "rev": "fecfeb86328381268e29e998ddd3ebc70bbd7f7c",
        "type": "github"
      },
      "original": {
        "owner": "nixos",
-        "ref": "nixos-24.05",
+        "ref": "nixos-24.11",
        "repo": "nixpkgs",
        "type": "github"
      }
@ -218,6 +202,27 @@
        "type": "indirect"
      }
    },
    "notenrechner": {
      "inputs": {
        "nixpkgs": [
          "nixpkgs"
        ],
        "utils": "utils"
      },
      "locked": {
        "lastModified": 1738260727,
        "narHash": "sha256-dqwlhg3L5SPoHSWbdI10EL0Vs/7BGW76h+q05laKyTA=",
        "ref": "refs/heads/main",
        "rev": "72c70b74f9216a3cb2913df91c8edf8516de1800",
        "revCount": 9,
        "type": "git",
        "url": "https://git.ifsr.de/frieder.hannenheim/notenrechner.git"
      },
      "original": {
        "type": "git",
        "url": "https://git.ifsr.de/frieder.hannenheim/notenrechner.git"
      }
    },
    "poetry2nix": {
      "inputs": {
        "flake-utils": "flake-utils_2",
@ -230,11 +235,11 @@
        "treefmt-nix": "treefmt-nix"
      },
      "locked": {
-        "lastModified": 1701399357,
+        "lastModified": 1730284601,
-        "narHash": "sha256-QSGP2J73HQ4gF5yh+MnClv2KUKzcpTmikdmV8ULfq2E=",
+        "narHash": "sha256-eHYcKVLIRRv3J1vjmxurS6HVdGphB53qxUeAkylYrZY=",
        "owner": "nix-community",
        "repo": "poetry2nix",
-        "rev": "7acb78166a659d6afe9b043bb6fe5cb5e86bb75e",
+        "rev": "43a898b4d76f7f3f70df77a2cc2d40096bc9d75e",
        "type": "github"
      },
      "original": {
@ -270,6 +275,7 @@
        "kpp": "kpp",
        "nix-index-database": "nix-index-database",
        "nixpkgs": "nixpkgs_2",
        "notenrechner": "notenrechner",
        "print-interface": "print-interface",
        "sops-nix": "sops-nix",
        "vscode-server": "vscode-server"
@ -279,15 +285,14 @@
      "inputs": {
        "nixpkgs": [
          "nixpkgs"
-        ],
+        ]
        "nixpkgs-stable": "nixpkgs-stable"
      },
      "locked": {
-        "lastModified": 1720321395,
+        "lastModified": 1738291974,
-        "narHash": "sha256-kcI8q9Nh8/CSj0ygfWq1DLckHl8IHhFarL8ie6g7OEk=",
+        "narHash": "sha256-wkwYJc8cKmmQWUloyS9KwttBnja2ONRuJQDEsmef320=",
        "owner": "Mic92",
        "repo": "sops-nix",
-        "rev": "c184aca4db5d71c3db0c8cbfcaaec337a5d065ea",
+        "rev": "4c1251904d8a08c86ac6bc0d72cc09975e89aef7",
        "type": "github"
      },
      "original": {
@ -355,6 +360,21 @@
        "type": "github"
      }
    },
    "systems_5": {
      "locked": {
        "lastModified": 1681028828,
        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
        "owner": "nix-systems",
        "repo": "default",
        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
        "type": "github"
      },
      "original": {
        "owner": "nix-systems",
        "repo": "default",
        "type": "github"
      }
    },
    "treefmt-nix": {
      "inputs": {
        "nixpkgs": [
@ -364,11 +384,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1699786194,
+        "lastModified": 1730120726,
-        "narHash": "sha256-3h3EH1FXQkIeAuzaWB+nK0XK54uSD46pp+dMD3gAcB4=",
+        "narHash": "sha256-LqHYIxMrl/1p3/kvm2ir925tZ8DkI0KA10djk8wecSk=",
        "owner": "numtide",
        "repo": "treefmt-nix",
-        "rev": "e82f32aa7f06bbbd56d7b12186d555223dc399d1",
+        "rev": "9ef337e492a5555d8e17a51c911ff1f02635be15",
        "type": "github"
      },
      "original": {
@ -377,17 +397,35 @@
        "type": "github"
      }
    },
    "utils": {
      "inputs": {
        "systems": "systems_4"
      },
      "locked": {
        "lastModified": 1731533236,
        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
        "owner": "numtide",
        "repo": "flake-utils",
        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
        "type": "github"
      },
      "original": {
        "owner": "numtide",
        "repo": "flake-utils",
        "type": "github"
      }
    },
    "vscode-server": {
      "inputs": {
        "flake-utils": "flake-utils_3",
        "nixpkgs": "nixpkgs_3"
      },
      "locked": {
-        "lastModified": 1713958148,
+        "lastModified": 1729422940,
-        "narHash": "sha256-8PDNi/dgoI2kyM7uSiU4eoLBqUKoA+3TXuz+VWmuCOc=",
+        "narHash": "sha256-DlvJv33ml5UTKgu4b0HauOfFIoDx6QXtbqUF3vWeRCY=",
        "owner": "nix-community",
        "repo": "nixos-vscode-server",
-        "rev": "fc900c16efc6a5ed972fb6be87df018bcf3035bc",
+        "rev": "8b6db451de46ecf9b4ab3d01ef76e59957ff549f",
        "type": "github"
      },
      "original": {
--- a/flake.nix
+++ b/flake.nix
@ -1,6 +1,6 @@
 {
  inputs = {
-    nixpkgs.url = "github:nixos/nixpkgs/nixos-24.05";
+    nixpkgs.url = "github:nixos/nixpkgs/nixos-24.11";
    sops-nix.url = "github:Mic92/sops-nix";
    sops-nix.inputs.nixpkgs.follows = "nixpkgs";
    nix-index-database.url = "github:nix-community/nix-index-database";
@ -14,6 +14,9 @@
    ese-manual.url = "git+https://git.ifsr.de/ese/manual-website";
    ese-manual.inputs.nixpkgs.follows = "nixpkgs";
    vscode-server.url = "github:nix-community/nixos-vscode-server";
    notenrechner.url = "git+https://git.ifsr.de/frieder.hannenheim/notenrechner.git";
    notenrechner.inputs.nixpkgs.follows = "nixpkgs";
    course-management = {
      url = "github:fsr/course-management";
@ -36,6 +39,7 @@
      supportedSystems = [ "x86_64-linux" ];
      forAllSystems = nixpkgs.lib.genAttrs supportedSystems;
      pkgs = forAllSystems (system: nixpkgs.legacyPackages.${system});
    in
    {
      packages = forAllSystems (system: rec {
@ -77,21 +81,24 @@
            ./modules/courses
            ./modules/wiki
            ./modules/matrix
            ./modules/keycloak
            ./modules/monitoring
            ./modules/nix-serve.nix
            ./modules/hedgedoc.nix
            ./modules/padlist.nix
            ./modules/nextcloud.nix
            ./modules/keycloak.nix
            ./modules/monitoring.nix
            ./modules/vaultwarden.nix
            ./modules/forgejo
            ./modules/kanboard.nix
            ./modules/zammad.nix
-            ./modules/decisions.nix
+            # ./modules/decisions.nix
            ./modules/stream.nix
            # ./modules/struktur-bot.nix
            {
-              nixpkgs.overlays = [ self.overlays.default ];
+              nixpkgs.overlays = [
                self.overlays.default
              ];
              sops.defaultSopsFile = ./secrets/quitte.yaml;
            }
          ];
--- a/hosts/quitte/configuration.nix
+++ b/hosts/quitte/configuration.nix
@ -1,4 +1,4 @@
-{ pkgs, config, ... }:
+{ pkgs, ... }:
 {
  imports =
@ -16,7 +16,6 @@
  # boot.kernelParams = [ "video=VGA-1:1024x768@30" ];
  boot.loader.efi.canTouchEfiVariables = true;
  boot.supportedFilesystems = [ "zfs" ];
  boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
  services.zfs = {
    trim.enable = true;
@ -27,6 +26,17 @@
  time.timeZone = "Europe/Berlin";
  i18n.defaultLocale = "en_US.UTF-8";
  security.sudo.extraRules = [
    {
      commands = [
        {
          command = "ALL";
          options = [ "NOPASSWD" ];
        }
      ];
      groups = [ "admins" ];
    }
  ];
  # prevent fork bombs
  security.pam.loginLimits = [
    {
--- a/hosts/quitte/network.nix
+++ b/hosts/quitte/network.nix
@ -31,14 +31,26 @@
    networks."10-wired-default" = {
      matchConfig.Name = "enp65s0f0np0";
-      address = [ "141.30.30.169/25" ];
+      address = [
        "141.30.30.194/26"
        "2a13:dd85:b23:1::1337/64"
      ];
      routes = [
        {
-          routeConfig.Gateway = "141.30.30.129";
+          Gateway = "141.30.30.193";
        }
        {
          Gateway = "fe80::7a24:59ff:fe5e:6e2f";
        }
      ];
      networkConfig = {
-        DNS = "141.30.1.1";
+        DNS = [
          "9.9.9.9"
          "149.112.112.112"
          "2620:fe::fe"
          "2620:fe::9"
        ];
        LLDP = true;
        EmitLLDP = "nearest-bridge";
      };
--- a/hosts/tomate/configuration.nix
+++ b/hosts/tomate/configuration.nix
@ -106,7 +106,6 @@
  };
  # Enable sound with pipewire.
  sound.enable = true;
  hardware.pulseaudio.enable = false;
  security.rtkit.enable = true;
  services.pipewire = {
--- a/hosts/tomate/network.nix
+++ b/hosts/tomate/network.nix
@ -27,7 +27,7 @@
      address = [ "141.30.86.196/26" ];
      routes = [
        {
-          routeConfig.Gateway = "141.30.86.193";
+          Gateway = "141.30.86.193";
        }
      ];
      networkConfig = {
--- a/keys/ssh/frieder
+++ b/keys/ssh/frieder
@ -0,0 +1 @@
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH70IC7DaiGBYdftUhuOE9CatcdYj2L50eZfztQA+pVs fried@Frieders-Void-Laptop
--- a/modules/core/bacula.nix
+++ b/modules/core/bacula.nix
@ -14,8 +14,9 @@
    enable = true;
    name = "ifsr-quitte";
    extraClientConfig = ''
      Comm Compression = no
      Maximum Concurrent Jobs = 20
-      FDAddress = 141.30.30.169
+      FDAddress = 141.30.30.194
      PKI Signatures = Yes
      PKI Encryption = Yes
      PKI Keypair = ${config.sops.secrets."bacula/keypair".path}
--- a/modules/core/base.nix
+++ b/modules/core/base.nix
@ -73,6 +73,7 @@
  time.timeZone = "Europe/Berlin";
  # basic shell & editor
  programs.vim.enable = true;
  programs.vim.defaultEditor = true;
  # List packages installed in system profile. To search, run:
@ -104,6 +105,7 @@
    ltrace
    strace
    mtr
    nix-output-monitor
    traceroute
    smartmontools
    sysstat
@ -112,6 +114,7 @@
    eza
    zsh
    unzip
    yazi
  ];
 }
--- a/modules/core/fail2ban.nix
+++ b/modules/core/fail2ban.nix
@ -15,13 +15,14 @@
        enabled = true
        # aggressive mode to add blocking for aborted connections
        filter = dovecot[mode=aggressive]
-        maxretry = 3
+        maxretry = 15
      '';
      postfix = ''
        enabled = true
        filter = postfix[mode=aggressive]
-        maxretry = 3
+        maxretry = 15
      '';
      sshd.settings.maxretry = 15;
    };
  };
 }
--- a/modules/core/logging.nix
+++ b/modules/core/logging.nix
@ -3,7 +3,9 @@
  services.rsyslogd = {
    enable = true;
    defaultConfig = ''
      $FileCreateMode 0640
      :programname, isequal, "postfix" /var/log/postfix.log
      :programname, isequal, "portunus" /var/log/portunus.log
      auth.*                          -/var/log/auth.log
    '';
--- a/modules/core/nginx.nix
+++ b/modules/core/nginx.nix
@ -7,10 +7,14 @@
        ({ name, ... }: {
          enableACME = true;
          forceSSL = true;
          # enable http3 for all hosts
          quic = true;
          http3 = true;
          # split up nginx access logs per vhost
          extraConfig = ''
            access_log /var/log/nginx/${name}_access.log;
            error_log /var/log/nginx/${name}_error.log;
            add_header Alt-Svc 'h3=":443"; ma=86400';
          '';
        })
      );
--- a/modules/core/podman.nix
+++ b/modules/core/podman.nix
@ -1,4 +1,4 @@
-{ config, pkgs, ... }:
+{ pkgs, ... }:
 {
  # From: https://nixos.wiki/wiki/Podman
  virtualisation.containers.enable = true;
--- a/modules/core/postgres.nix
+++ b/modules/core/postgres.nix
@ -5,7 +5,6 @@
    enable = true;
    location = "/var/lib/backup/postgresql";
    databases = [
      "directus_ese"
      "course-management"
      "git"
      "grafana"
--- a/modules/courses/default.nix
+++ b/modules/courses/default.nix
@ -3,7 +3,6 @@ let
  hostName = "kurse.${config.networking.domain}";
 in
 {
  imports = [ ./phil.nix ];
  sops.secrets =
    let inherit (config.services.course-management) user;
    in
--- a/modules/decisions.nix
+++ b/modules/decisions.nix
@ -1,4 +1,4 @@
-{ config, pkgs, ... }:
+{ config, ... }:
 let
  domain = "decisions.${config.networking.domain}";
 in
--- a/modules/forgejo/actions.nix
+++ b/modules/forgejo/actions.nix
@ -0,0 +1,30 @@
 { config, pkgs, ... }:
 {
  sops.secrets."forgejo/runner-token" = { };
  services.gitea-actions-runner = {
    package = pkgs.forgejo-actions-runner;
    instances."quitte" = {
      enable = true;
      labels = [
        # provide a debian base with nodejs for actions
        "debian-latest:docker://node:18-bullseye"
        # fake the ubuntu name, because node provides no ubuntu builds
        "ubuntu-latest:docker://node:18-bullseye"
        # provide native execution on the host
        # "native:host"
      ];
      tokenFile = config.sops.secrets."forgejo/runner-token".path;
      url = "https://git.ifsr.de";
      name = "quitte";
      settings = {
        container = {
          # use podman's default network, otherwise dns was not working for some reason
          network = "podman";
          # don't mount the docker socket into the build containers,
          # this would basically mean root on the host...
          docker_host = "-";
        };
      };
    };
  };
 }
--- a/modules/forgejo/default.nix
+++ b/modules/forgejo/default.nix
@ -4,9 +4,9 @@ let
  gitUser = "git";
 in
 {
-  # imports = [
+  imports = [
-  #   ./actions.nix
+    ./actions.nix
-  # ];
+  ];
  sops.secrets.gitea_ldap_search = {
    key = "portunus/search-password";
    owner = config.services.forgejo.user;
@ -22,17 +22,9 @@ in
  services.forgejo = {
    enable = true;
    # package = pkgs.forgejo.overrideAttrs (_old: {
    #   # patches = [
    #   #   # migration fix
    #   #   (pkgs.fetchpatch {
    #   #     url = "https://codeberg.org/forgejo/forgejo/commit/ae463c7c559e02975ce5e758d8780def978eebee.patch";
    #   #     hash = "sha256-cOXPvkLS0n+ynSBTrmEtumZ2PYBeCZmxPpFktqkw6Fo=";
    #   #   })
    #   # ];
    # });
    user = gitUser;
    group = gitUser;
    package = pkgs.forgejo;
    lfs.enable = true;
    database = {
@ -79,6 +71,8 @@ in
        PROVIDER = "db";
      };
      actions.ENABLED = true;
      # federation.ENABLED = true;
      webhook.ALLOWED_HOST_LIST = "*.ifsr.de";
    };
  };
--- a/modules/hedgedoc.nix
+++ b/modules/hedgedoc.nix
@ -49,6 +49,7 @@ in
        # allow anonymous editing, but not creation of pads
        allowAnonymous = false;
        allowAnonymousEdits = true;
        allowAnonymousUploads = false;
        defaultPermission = "limited";
        defaultNotePath = builtins.toString template;
        # ldap auth
--- a/modules/kanboard.nix
+++ b/modules/kanboard.nix
@ -1,4 +1,4 @@
-{ config, pkgs, ... }:
+{ config, ... }:
 let
  domain = "kanboard.${config.networking.domain}";
  domain_short = "kb.${config.networking.domain}";
@ -8,7 +8,7 @@ in
  virtualisation.oci-containers = {
    containers.kanboard = {
-      image = "ghcr.io/kanboard/kanboard:v1.2.36";
+      image = "ghcr.io/kanboard/kanboard:v1.2.43";
      volumes = [
        "kanboard_data:/var/www/app/data"
        "kanboard_plugins:/var/www/app/plugins"
--- a/modules/keycloak/default.nix
+++ b/modules/keycloak/default.nix
@ -1,4 +1,4 @@
-{ config, ... }:
+{ config, pkgs, ... }:
 let
  domain = "sso.${config.networking.domain}";
 in
@ -12,7 +12,9 @@ in
      http-port = 8086;
      https-port = 19000;
      hostname = domain;
-      proxy = "edge";
+      proxy-headers = "xforwarded";
      http-enabled = true;
      hostname-strict-https = false;
    };
    # The module requires a password for the DB and works best with its own DB config
    # Does an automatic Postgresql configuration
@ -20,6 +22,9 @@ in
      passwordFile = config.sops.secrets."keycloak/db".path;
    };
    initialAdminPassword = "plschangeme";
    themes = with pkgs ; {
      ifsr = keycloak_ifsr_theme;
    };
  };
  services.nginx.virtualHosts."${domain}" = {
    locations."/" = {
--- a/modules/keycloak/theme.nix
+++ b/modules/keycloak/theme.nix
@ -0,0 +1,15 @@
 { stdenv }:
 stdenv.mkDerivation rec {
  name = "keycloak_ifsr_theme";
  version = "1.1";
  src = ./theme;
  nativeBuildInputs = [ ];
  buildInputs = [ ];
  installPhase = ''
    mkdir -p $out
    cp -a login $out
  '';
 }
--- a/modules/keycloak/theme/login/resources/css/login.css
+++ b/modules/keycloak/theme/login/resources/css/login.css
@ -0,0 +1,772 @@
 .login-pf {
    background: none;
 }
 .login-pf body {
    background: url(../img/background.jpg) no-repeat center center fixed;
    background-size: cover;
    height: 100%;
 }
 /*IE compatibility*/
 .pf-c-form-control {
    font-size: 14px;
    font-size: var(--pf-global--FontSize--sm);
    border-width: 1px;
    border-width: var(--pf-global--BorderWidth--sm);;
    border-color: #EDEDED #EDEDED #8A8D90 #EDEDED;
    border-color: var(--pf-global--BorderColor--300) var(--pf-global--BorderColor--300) var(--pf-global--BorderColor--200) var(--pf-global--BorderColor--300);
    background-color: #FFFFFF;
    background-color: var(--pf-global--BackgroundColor--100);
    height: 36px;
    height: calc(var(--pf-c-form-control--FontSize) * var(--pf-c-form-control--LineHeight) + var(--pf-c-form-control--BorderWidth) * 2 + var(--pf-c-form-control--PaddingTop) + var(--pf-c-form-control--PaddingBottom));
    padding: 5px 0.5rem;
    padding: var(--pf-c-form-control--PaddingTop) var(--pf-c-form-control--PaddingRight) var(--pf-c-form-control--PaddingBottom) var(--pf-c-form-control--PaddingLeft);
 }
 textarea.pf-c-form-control {
 	height: auto;
 }
 .pf-c-form-control:hover, .pf-c-form-control:focus {
    border-bottom-color: #0066CC;
    border-bottom-color: var(--pf-global--primary-color--100);
    border-bottom-width: 2px;
    border-bottom-width: var(--pf-global--BorderWidth--md);
 }
 .pf-c-form-control[aria-invalid=true] {
    border-bottom-color: #C9190B;
    border-bottom-color: var(--pf-global--danger-color--100);
    border-bottom-width: 2px;
    border-bottom-width: var(--pf-global--BorderWidth--md);
 }
 .pf-c-check__label, .pf-c-radio__label {
 	font-size: 14px;
 	font-size: var(--pf-global--FontSize--sm);
 }
 .pf-c-alert.pf-m-inline {
    margin-bottom: 0.5rem; /* default - IE compatibility */
    margin-bottom: var(--pf-global--spacer--sm);
    padding: 0.25rem;
    padding: var(--pf-global--spacer--xs);
    border: solid #ededed;
    border: solid var(--pf-global--BorderColor--300);
    border-width: 1px;
    border-width: var(--pf-c-alert--m-inline--BorderTopWidth) var(--pf-c-alert--m-inline--BorderRightWidth) var(--pf-c-alert--m-inline--BorderBottomWidth) var(--pf-c-alert--m-inline--BorderLeftWidth);
    display: -ms-flexbox;
    display: grid;
    -ms-grid-columns: max-content 1fr max-content;
    grid-template-columns:max-content 1fr max-content;
    grid-template-columns: var(--pf-c-alert--grid-template-columns);
    grid-template-rows: 1fr auto;
    grid-template-rows: var(--pf-c-alert--grid-template-rows);
 }
 .pf-c-alert.pf-m-inline::before {
    position: absolute;
    top: -1px;
    top: var(--pf-c-alert--m-inline--before--Top);
    bottom: -1px;
    bottom: var(--pf-c-alert--m-inline--before--Bottom);
    left: 0;
    width: 3px;
    width: var(--pf-c-alert--m-inline--before--Width);
    content: ;
    background-color: #FFFFFF;
    background-color: var(--pf-global--BackgroundColor--100);
 }
 .pf-c-alert.pf-m-inline.pf-m-success::before {
    background-color: #92D400;
    background-color: var(--pf-global--success-color--100);
 }
 .pf-c-alert.pf-m-inline.pf-m-danger::before {
    background-color: #C9190B;
    background-color: var(--pf-global--danger-color--100);
 }
 .pf-c-alert.pf-m-inline.pf-m-warning::before {
    background-color: #F0AB00;
    background-color: var(--pf-global--warning-color--100);
 }
 .pf-c-alert.pf-m-inline .pf-c-alert__icon {
    padding: 1rem 0.5rem 1rem 1rem;
    padding: var(--pf-c-alert--m-inline__icon--PaddingTop) var(--pf-c-alert--m-inline__icon--PaddingRight) var(--pf-c-alert--m-inline__icon--PaddingBottom) var(--pf-c-alert--m-inline__icon--PaddingLeft);
    font-size: 16px;
    font-size: var(--pf-c-alert--m-inline__icon--FontSize);
 }
 .pf-c-alert.pf-m-success .pf-c-alert__icon {
    color: #92D400;
    color: var(--pf-global--success-color--100);
 }
 .pf-c-alert.pf-m-success .pf-c-alert__title {
    color: #486B00;
    color: var(--pf-global--success-color--200);
 }
 .pf-c-alert.pf-m-danger .pf-c-alert__icon {
    color: #C9190B;
    color: var(--pf-global--danger-color--100);
 }
 .pf-c-alert.pf-m-danger .pf-c-alert__title {
    color: #A30000;
    color: var(--pf-global--danger-color--200);
 }
 .pf-c-alert.pf-m-warning .pf-c-alert__icon {
    color: #F0AB00;
    color: var(--pf-global--warning-color--100);
 }
 .pf-c-alert.pf-m-warning .pf-c-alert__title {
    color: #795600;
    color: var(--pf-global--warning-color--200);
 }
 .pf-c-alert__title {
    font-size: 14px; /* default - IE compatibility */
    font-size: var(--pf-global--FontSize--sm);
    padding: 5px 8px;
    padding: var(--pf-c-alert__title--PaddingTop) var(--pf-c-alert__title--PaddingRight) var(--pf-c-alert__title--PaddingBottom) var(--pf-c-alert__title--PaddingLeft);
 }
 .pf-c-button{
    padding:0.375rem 1rem;
    padding: var(--pf-global--spacer--form-element) var(--pf-global--spacer--md);
 }
 /* default - IE compatibility */
 .pf-m-primary {
    color: #FFFFFF;
    background-color: #0066CC;
    background-color: var(--pf-global--primary-color--100);
 }
 /* default - IE compatibility */
 .pf-m-primary:hover {
    background-color: #004080;
    background-color: var(--pf-global--primary-color--200);
 }
 /* default - IE compatibility */
 .pf-c-button.pf-m-control {
    border: solid 1px;
    border: solid var(--pf-global--BorderWidth--sm);
    border-color: rgba(230, 230, 230, 0.5);
 }
 /*End of IE compatibility*/
 h1#kc-page-title {
    margin-top: 10px;
 }
 #kc-locale ul {
    background-color: #FFF;
    background-color: var(--pf-global--BackgroundColor--100);
    display: none;
    top: 20px;
    min-width: 100px;
    padding: 0;
 }
 #kc-locale-dropdown{
    display: inline-block;
 }
 #kc-locale-dropdown:hover ul {
    display:block;
 }
 /* IE compatibility */
 #kc-locale-dropdown a {
    color: #6A6E73;
    color: var(--pf-global--Color--200);
    text-align: right;
    font-size: 14px;
    font-size: var(--pf-global--FontSize--sm);
 }
 /* IE compatibility */
 a#kc-current-locale-link::after {
    content: 2c5;
    margin-left: 4px;
    margin-left: var(--pf-global--spacer--xs)
 }
 .login-pf .container {
    padding-top: 40px;
 }
 .login-pf a:hover {
    color: #0099d3;
 }
 #kc-logo {
    width: 100%;
 }
 div.kc-logo-text {
    background-image: url(../img/agdsn_logo.png);
    background-repeat: no-repeat;
       background-size: auto;
   position: relative;
    top: 0%;
    left: 25%;
    width: 950px;
  height: 250px;
 }
 div.kc-logo-text span {
    display: none;
 }
 #kc-header {
    color: #ededed;
    overflow: visible;
    white-space: nowrap;
 }
 #kc-header-wrapper {
    font-size: 29px;
    text-transform: uppercase;
    letter-spacing: 3px;
    line-height: 1.2em;
    padding: 62px 10px 20px;
    white-space: normal;
 }
 #kc-content {
    width: 100%;
 }
 #kc-attempted-username {
    font-size: 20px;
    font-family: inherit;
    font-weight: normal;
    padding-right: 10px;
 }
 #kc-username {
    text-align: center;
    margin-bottom:-10px;
 }
 #kc-webauthn-settings-form {
    padding-top: 8px;
 }
 #kc-form-webauthn .select-auth-box-parent {
    pointer-events: none;
 }
 #kc-form-webauthn .select-auth-box-desc {
    color: var(--pf-global--palette--black-600);
 }
 #kc-form-webauthn .select-auth-box-headline {
    color: var(--pf-global--Color--300);
 }
 #kc-form-webauthn .select-auth-box-icon {
    flex: 0 0 3em;
 }
 #kc-form-webauthn .select-auth-box-icon-properties {
    margin-top: 10px;
    font-size: 1.8em;
 }
 #kc-form-webauthn .select-auth-box-icon-properties.unknown-transport-class {
    margin-top: 3px;
 }
 #kc-form-webauthn .pf-l-stack__item {
    margin: -1px 0;
 }
 #kc-content-wrapper {
    margin-top: 20px;
 }
 #kc-form-wrapper {
    margin-top: 10px;
 }
 #kc-info {
    margin: 20px -40px -30px;
 }
 #kc-info-wrapper {
    font-size: 13px;
    padding: 15px 35px;
    background-color: #F0F0F0;
 }
 #kc-form-options span {
    display: block;
 }
 #kc-form-options .checkbox {
    margin-top: 0;
    color: #72767b;
 }
 #kc-terms-text {
    margin-bottom: 20px;
 }
 #kc-registration {
    margin-bottom: 0;
 }
 /* TOTP */
 .subtitle {
    text-align: right;
    margin-top: 30px;
    color: #909090;
 }
 .required {
    color: #A30000; /* default - IE compatibility */
    color: var(--pf-global--danger-color--200);
 }
 ol#kc-totp-settings {
    margin: 0;
    padding-left: 20px;
 }
 ul#kc-totp-supported-apps {
    margin-bottom: 10px;
 }
 #kc-totp-secret-qr-code {
    max-width:150px;
    max-height:150px;
 }
 #kc-totp-secret-key {
    background-color: #fff;
    color: #333333;
    font-size: 16px;
    padding: 10px 0;
 }
 /* OAuth */
 #kc-oauth h3 {
    margin-top: 0;
 }
 #kc-oauth ul {
    list-style: none;
    padding: 0;
    margin: 0;
 }
 #kc-oauth ul li {
    border-top: 1px solid rgba(255, 255, 255, 0.1);
    font-size: 12px;
    padding: 10px 0;
 }
 #kc-oauth ul li:first-of-type {
    border-top: 0;
 }
 #kc-oauth .kc-role {
    display: inline-block;
    width: 50%;
 }
 /* Code */
 #kc-code textarea {
    width: 100%;
    height: 8em;
 }
 /* Social */
 .kc-social-links {
    margin-top: 20px;
 }
 .kc-social-provider-logo {
    font-size: 23px;
    width: 30px;
    height: 25px;
    float: left;
 }
 .kc-social-gray {
    color: #737679; /* default - IE compatibility */
    color: var(--pf-global--Color--200);
 }
 .kc-social-item {
    margin-bottom: 0.5rem; /* default - IE compatibility */
    margin-bottom: var(--pf-global--spacer--sm);
    font-size: 15px;
    text-align: center;
 }
 .kc-social-provider-name {
    position: relative;
    top: 3px;
 }
 .kc-social-icon-text {
    left: -15px;
 }
 .kc-social-grid {
    display:grid;
    grid-column-gap: 10px;
    grid-row-gap: 5px;
    grid-column-end: span 6;
    --pf-l-grid__item--GridColumnEnd: span 6;
 }
 .kc-social-grid .kc-social-icon-text {
    left: -10px;
 }
 .kc-login-tooltip {
    position: relative;
    display: inline-block;
 }
 .kc-social-section {
    text-align: center;
 }
 .kc-social-section hr{
    margin-bottom: 10px
 }
 .kc-login-tooltip .kc-tooltip-text{
    top:-3px;
    left:160%;
    background-color: black;
    visibility: hidden;
    color: #fff;
    min-width:130px;
    text-align: center;
    border-radius: 2px;
    box-shadow:0 1px 8px rgba(0,0,0,0.6);
    padding: 5px;
    position: absolute;
    opacity:0;
    transition:opacity 0.5s;
 }
 /* Show tooltip */
 .kc-login-tooltip:hover .kc-tooltip-text {
    visibility: visible;
    opacity:0.7;
 }
 /* Arrow for tooltip */
 .kc-login-tooltip .kc-tooltip-text::after {
    content:  ;
    position: absolute;
    top: 15px;
    right: 100%;
    margin-top: -5px;
    border-width: 5px;
    border-style: solid;
    border-color: transparent black transparent transparent;
 }
@media (min-width: 768px) {
    #kc-container-wrapper {
        position: absolute;
        width: 100%;
    }
    .login-pf .container {
        padding-right: 80px;
    }
    #kc-locale {
        position: relative;
        text-align: right;
        z-index: 9999;
    }
 }
@media (max-width: 767px) {
    .login-pf body {
        background: white;
    }
    #kc-header {
        padding-left: 15px;
        padding-right: 15px;
        float: none;
        text-align: left;
    }
    #kc-header-wrapper {
        font-size: 16px;
        font-weight: bold;
        padding: 20px 60px 0 0;
        color: #72767b;
        letter-spacing: 0;
    }
    div.kc-logo-text {
        margin: 0;
        width: 150px;
        height: 32px;
        background-size: 100%;
    }
    #kc-form {
        float: none;
    }
    #kc-info-wrapper {
        border-top: 1px solid rgba(255, 255, 255, 0.1);
        background-color: transparent;
    }
    .login-pf .container {
        padding-top: 15px;
        padding-bottom: 15px;
    }
    #kc-locale {
        position: absolute;
        width: 200px;
        top: 20px;
        right: 20px;
        text-align: right;
        z-index: 9999;
    }
 }
@media (min-height: 646px) {
    #kc-container-wrapper {
        bottom: 12%;
    }
 }
@media (max-height: 645px) {
    #kc-container-wrapper {
        padding-top: 50px;
        top: 20%;
    }
 }
 .card-pf form.form-actions .btn {
    float: right;
    margin-left: 10px;
 }
 #kc-form-buttons {
    margin-top: 20px;
 }
 .login-pf-page .login-pf-brand {
    margin-top: 20px;
    max-width: 360px;
    width: 40%;
 }
 /* Internet Explorer 11 compatibility workaround for select-authenticator screen */
@media all and (-ms-high-contrast: none),
 (-ms-high-contrast: active) {
    .select-auth-box-parent {
        border-top: 1px solid #f0f0f0;
        padding-top: 1rem;
        padding-bottom: 1rem;
        cursor: pointer;
    }
    .select-auth-box-headline {
        font-size: 16px;
        color: #06c;
        font-weight: bold;
    }
    .select-auth-box-desc {
        font-size: 14px;
    }
    .pf-l-stack {
        flex-basis: 100%;
    }
 }
 /* End of IE11 workaround for select-authenticator screen */
 .select-auth-box-arrow{
    display: flex;
    align-items: center;
    margin-right: 2rem;
 }
 .select-auth-box-icon{
    display: flex;
    flex: 0 0 2em;
    justify-content: center;
    margin-right: 1rem;
    margin-left: 3rem;
 }
 .select-auth-box-parent{
    border-top: 1px solid var(--pf-global--palette--black-200);
    padding-top: 1rem;
    padding-bottom: 1rem;
    cursor: pointer;
 }
 .select-auth-box-parent:hover{
    background-color: #f7f8f8;
 }
 .select-auth-container {
 }
 .select-auth-box-headline {
    font-size: var(--pf-global--FontSize--md);
    color: var(--pf-global--primary-color--100);
    font-weight: bold;
 }
 .select-auth-box-desc {
    font-size: var(--pf-global--FontSize--sm);
 }
 .select-auth-box-paragraph {
    text-align: center;
    font-size: var(--pf-global--FontSize--md);
    margin-bottom: 5px;
 }
 .card-pf {
    margin: 0 auto;
    box-shadow: var(--pf-global--BoxShadow--lg);
    padding: 0 20px;
    max-width: 500px;
    border-top: 4px solid;
    border-color: #0066CC; /* default - IE compatibility */
    border-color: var(--pf-global--primary-color--100);
 }
 /*phone*/
@media (max-width: 767px) {
    .login-pf-page .card-pf {
        max-width: none;
        margin-left: 0;
        margin-right: 0;
        padding-top: 0;
        border-top: 0;
        box-shadow: 0 0;
    }
    .kc-social-grid {
        grid-column-end: 12;
        --pf-l-grid__item--GridColumnEnd: span 12;
    }
    .kc-social-grid .kc-social-icon-text {
        left: -15px;
    }
 }
 .login-pf-page .login-pf-signup {
    font-size: 15px;
    color: #72767b;
 }
 #kc-content-wrapper .row {
    margin-left: 0;
    margin-right: 0;
 }
 .login-pf-page.login-pf-page-accounts {
    margin-left: auto;
    margin-right: auto;
 }
 .login-pf-page .btn-primary {
    margin-top: 0;
 }
 .login-pf-page .list-view-pf .list-group-item {
    border-bottom: 1px solid #ededed;
 }
 .login-pf-page .list-view-pf-description {
    width: 100%;
 }
 #kc-form-login div.form-group:last-of-type,
 #kc-register-form div.form-group:last-of-type,
 #kc-update-profile-form div.form-group:last-of-type {
    margin-bottom: 0px;
 }
 .no-bottom-margin {
    margin-bottom: 0;
 }
 #kc-back {
    margin-top: 5px;
 }
 /* Recovery codes */
 .kc-recovery-codes-warning {
    margin-bottom: 32px;
 }
 .kc-recovery-codes-warning .pf-c-alert__description p {
    font-size: 0.875rem;
 }
 .kc-recovery-codes-list {
    list-style: none;
    columns: 2;
    margin: 16px 0;
    padding: 16px 16px 8px 16px;
    border: 1px solid #D2D2D2;
 }
 .kc-recovery-codes-list li {
    margin-bottom: 8px;
    font-size: 11px;
 }
 .kc-recovery-codes-list li span {
    color: #6A6E73;
    width: 16px;
    text-align: right;
    display: inline-block;
    margin-right: 1px;
 }
 .kc-recovery-codes-actions {
    margin-bottom: 24px;
 }
 .kc-recovery-codes-actions button {
    padding-left: 0;
 }
 .kc-recovery-codes-actions button i {
    margin-right: 8px;
 }
 .kc-recovery-codes-confirmation {
    align-items: baseline;
    margin-bottom: 16px;
 }
 /* End Recovery codes */
--- a/modules/keycloak/theme/login/resources/img/background.jpg
+++ b/modules/keycloak/theme/login/resources/img/background.jpg
--- a/modules/keycloak/theme/login/theme.properties
+++ b/modules/keycloak/theme/login/theme.properties
@ -0,0 +1,4 @@
 parent=keycloak
 import=common/keycloak
 styles=css/login.css
--- a/modules/ldap/default.nix
+++ b/modules/ldap/default.nix
@ -1,4 +1,4 @@
-{ config, pkgs, system, ... }:
+{ config, pkgs, ... }:
 let
  domain = "auth.${config.networking.domain}";
  seedSettings = {
@ -84,7 +84,7 @@ in
  };
  networking.firewall = {
    extraInputRules = ''
-      ip saddr { 141.30.86.192/26, 141.76.100.128/25, 141.30.30.169, 10.88.0.1/16 } tcp dport 636 accept comment "Allow ldaps access from office nets and podman"
+      ip saddr { 141.30.86.192/26, 141.76.100.128/25, 10.88.0.1/16 } tcp dport 636 accept comment "Allow ldaps access from office nets and podman"
    '';
  };
 }
--- a/modules/mail/postfix.nix
+++ b/modules/mail/postfix.nix
@ -44,11 +44,9 @@ in
        # hostname used in helo command. It is recommended to have this match the reverse dns entry
        smtp_helo_name = config.networking.rDNS;
        smtpd_banner = "${config.networking.rDNS} ESMTP $mail_name";
-        smtp_use_tls = true;
+        smtp_tls_security_level = "may";
-        # smtp_tls_security_level = "encrypt";
+        smtpd_tls_security_level = "may";
-        smtpd_use_tls = true;
+        smtpd_tls_auth_only = true;
        # smtpd_tls_security_level = lib.mkForce "encrypt";
        # smtpd_tls_auth_only = true;
        smtpd_tls_protocols = [
          "!SSLv2"
          "!SSLv3"
--- a/modules/mail/rspamd.nix
+++ b/modules/mail/rspamd.nix
@ -141,22 +141,26 @@ in
              filter = "email:domain";
              map = "/var/lib/rspamd/whitelist.sender.domain.map";
              action = "accept";
              regexp = true;
            }
            WHITELIST_SENDER_EMAIL {
              type = "from";
              map = "/var/lib/rspamd/whitelist.sender.email.map";
              action = "accept";
              regexp = true;
            }
            BLACKLIST_SENDER_DOMAIN {
              type = "from";
              filter = "email:domain";
              map = "/var/lib/rspamd/blacklist.sender.domain.map";
              action = "reject";
              regexp = true;
            }
            BLACKLIST_SENDER_EMAIL {
              type = "from";
              map = "/var/lib/rspamd/blacklist.sender.email.map";
              action = "reject";
              regexp = true;
            }
            BLACKLIST_SUBJECT_KEYWORDS {
              type = "header";
@ -189,6 +193,11 @@ in
          "/" = {
            proxyPass = "http://127.0.0.1:11334";
            proxyWebsockets = true;
            extraConfig = ''
              allow 141.30.0.0/16;
              allow 141.76.0.0/16;
              deny all;
            '';
          };
        };
      };
--- a/modules/matrix/default.nix
+++ b/modules/matrix/default.nix
@ -27,6 +27,9 @@ in
    key = "portunus/search-password";
    owner = config.systemd.services.matrix-synapse.serviceConfig.User;
  };
  nixpkgs.config.permittedInsecurePackages = [
    "olm-3.2.16"
  ];
  services = {
    postgresql = {
--- a/modules/monitoring/default.nix
+++ b/modules/monitoring/default.nix
@ -37,12 +37,8 @@ in
        token_url = "https://sso.ifsr.de/realms/internal/protocol/openid-connect/token";
        api_url = "https://sso.ifsr.de/realms/internal/protocol/openid-connect/userinfo";
        role_attribute_path = "contains(roles[*], 'admin') && 'Admin' || contains(roles[*], 'editor') && 'Editor' || 'Viewer'";
      };
    };
  };
  services.postgresql = {
@ -65,10 +61,6 @@ in
        enabledCollectors = [ "systemd" ];
        port = 9002;
      };
      postfix = {
        enable = true;
        port = 9003;
      };
    };
    scrapeConfigs = [
      {
@ -78,13 +70,6 @@ in
        }];
        scrape_interval = "15s";
      }
      {
        job_name = "postfix";
        static_configs = [{
          targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.postfix.port}" ];
        }];
        # scrape_interval = "60s";
      }
      {
        job_name = "rspamd";
        static_configs = [{
@ -92,6 +77,13 @@ in
        }];
        scrape_interval = "15s";
      }
      {
        job_name = "fabric";
        static_configs = [{
          targets = [ "127.0.0.1:25585" ];
        }];
        scrape_interval = "60s";
      }
    ];
  };
--- a/modules/nextcloud.nix
+++ b/modules/nextcloud.nix
@ -15,7 +15,7 @@ in
    nextcloud = {
      enable = true;
      configureRedis = true;
-      package = pkgs.nextcloud29;
+      package = pkgs.nextcloud30;
      hostName = domain;
      https = true; # Use https for all urls
      phpExtraExtensions = all: [
--- a/modules/padlist.nix
+++ b/modules/padlist.nix
@ -43,6 +43,7 @@ in
          '';
        };
        "/vendor".return = "403";
        "/.git".return = "403";
      };
    };
  };
--- a/modules/web/default.nix
+++ b/modules/web/default.nix
@ -11,5 +11,7 @@
    ./sharepic.nix
    ./userdir.nix
    ./ftp.nix
    ./hyperilo.nix
    ./notenrechner.nix
  ];
 }
--- a/modules/web/ese.nix
+++ b/modules/web/ese.nix
@ -1,80 +1,33 @@
 { config, pkgs, ... }:
 let
  domain = "ese.${config.networking.domain}";
-  cms-domain = "directus-ese.${config.networking.domain}";
+  webRoot = "/srv/web/ese";
 in
 {
  sops.secrets."directus_env" = { };
  environment.systemPackages = [ pkgs.nodejs_22 ];
  virtualisation.oci-containers = {
    containers.directus-ese = {
      image = "directus/directus:latest";
      volumes = [
        "/srv/web/directus-ese/uploads:/directus/uploads"
        "/srv/web/directus-ese/database:/directus/database"
      ];
      extraOptions = [ "--network=host" ];
      environment = {
        "DB_CLIENT" = "pg";
        "DB_HOST" = "localhost";
        "DB_PORT" = "5432";
        "DB_DATABASE" = "directus_ese";
        "DB_USER" = "directus_ese";
        "PUBLIC_URL" = "https://directus-ese.ifsr.de";
        "AUTH_PROVIDERS" = "keycloak";
        "AUTH_KEYCLOAK_DRIVER" = "openid";
        "AUTH_KEYCLOAK_CLIENT_ID" = "directus-ese";
        "AUTH_KEYCLOAK_ISSUER_URL" = "https://sso.ifsr.de/realms/internal/.well-known/openid-configuration";
        "AUTH_KEYCLOAK_IDENTIFIER_KEY" = "email";
        "AUTH_KEYCLOAK_ALLOW_PUBLIC_REGISTRATION" = "true";
        "AUTH_KEYCLOAK_DEFAULT_ROLE_ID" = "a6b7a1b6-a6fa-442c-87fd-e37c2a16424b";
      };
      environmentFiles = [
        config.sops.secrets."directus_env".path
      ];
    };
  };
  services.postgresql = {
    enable = true;
    ensureUsers = [
      {
        name = "directus_ese";
        ensureDBOwnership = true;
      }
    ];
    ensureDatabases = [ "directus_ese" ];
  };
  services.nginx = {
    virtualHosts."${cms-domain}" = {
      locations."/" = {
        extraConfig = ''
          if ($request_method = 'OPTIONS') {
            add_header 'Access-Control-Allow-Origin' '*';
            add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
            add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization';
            add_header 'Access-Control-Max-Age' 1728000;
            add_header 'Content-Type' 'text/plain; charset=utf-8';
            add_header 'Content-Length' 0;
            return 204;
          }
          add_header 'Access-Control-Allow-Origin' '*';
          add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
          add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization';
        '';
        proxyPass = "http://127.0.0.1:8055";
      };
    };
    virtualHosts."${domain}" = {
      locations."= /" = {
-        return = "301 /2024/";
+        return = "302 /2025/";
      };
      locations."/" = {
-        root = "/srv/web/ese/served";
+        root = webRoot;
        tryFiles = "$uri $uri/ =404";
      };
      # cache static assets
      locations."~* \.(?:css|svg|webp|jpg|jpeg|gif|png|ico|mp4|mp3|ogg|ogv|webm|ttf|woff2|woff)$" = {
        root = webRoot;
        extraConfig = ''
          expires 1y;
        '';
      };
    };
  };
  users.users."ese-deploy" = {
    isNormalUser = true;
    openssh.authorizedKeys.keys = [
      ''command="${pkgs.rrsync}/bin/rrsync ${webRoot}",restrict ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEWGdTdobZN2oSLsTQmHOahdc9vqyuwUBS0PSk5IQhGV''
    ];
  };
 }
--- a/modules/web/ftp.nix
+++ b/modules/web/ftp.nix
@ -22,15 +22,137 @@ in
    '';
    locations."=/403.html" = {
      root = pkgs.writeTextDir "403.html" ''
        <!DOCTYPE html>
        <html>
-          <head>
+        <head>
-            <title>403 Forbidden</title>
+            <meta charset="UTF-8">
-          </head>
+            <meta name="viewport" content="width=device-width, initial-scale=1.0">
-          <body>
+            <title>403 Forbidden - iFSR</title>
-            <center><h1>403 Forbidden</h1></center>
+            <style>
-            <center>Dieser Ordner ist nur aus dem Uni-Netz zug&aumlnglich.</center>
+                body {
-            <center>This directory is only accessible from the TUD network.</center>
+                    font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, "Helvetica Neue", Arial, sans-serif;
-          </body>
+                    background-color: #f8f9fa;
                    margin: 0;
                    padding: 1rem;
                    min-height: 100vh;
                    display: flex;
                    align-items: center;
                    justify-content: center;
                }
                .container {
                    background: white;
                    padding: 2rem;
                    border-radius: 12px;
                    box-shadow: 0 2px 15px rgba(0, 0, 0, 0.1);
                    text-align: center;
                    max-width: 600px;
                    width: 100%;
                }
                .error-code {
                    font-size: 3.5rem;
                    font-weight: bold;
                    color: #dc3545;
                    margin: 0;
                    line-height: 1;
                }
                .error-title {
                    font-size: 1.5rem;
                    color: #343a40;
                    margin: 1rem 0;
                }
                .error-message {
                    color: #495057;
                    margin: 1rem 0;
                    line-height: 1.6;
                }
                .language-section {
                    padding: 1.5rem;
                    margin: 1rem 0;
                    background: #f8f9fa;
                    border-radius: 8px;
                    text-align: left;
                }
                .language-header {
                    display: flex;
                    align-items: center;
                    gap: 0.5rem;
                    font-weight: bold;
                    margin-bottom: 1rem;
                    color: #343a40;
                }
                .help-list {
                    margin: 0;
                    padding-left: 1.2rem;
                    list-style-type: none;
                }
                .help-list li {
                    margin: 0.5rem 0;
                    position: relative;
                }
                .help-list li:before {
                    content: "•";
                    position: absolute;
                    left: -1.2rem;
                    color: #6c757d;
                }
                .logo {
                    width: 180px;
                    height: auto;
                    margin-bottom: 1.5rem;
                }
                @media (max-width: 480px) {
                    .container {
                        padding: 1.5rem;
                    }
                    .language-section {
                        padding: 1rem;
                        margin: 0.5rem 0;
                    }
                    .error-code {
                        font-size: 3rem;
                    }
                    .error-title {
                        font-size: 1.25rem;
                    }
                    .logo {
                        width: 150px;
                    }
                }
            </style>
        </head>
        <body>
            <div class="container">
                <img src="https://ifsr.de/user/themes/ifsr/images/logo.svg" alt="iFSR Logo" class="logo">
                <h1 class="error-code">403</h1>
                <h2 class="error-title">Zugriff verweigert / Access Forbidden</h2>
                <div class="language-section">
                    <div class="language-header">
                        🇩🇪 Deutsch
                    </div>
                    <p class="error-message">
                        Dieser Ordner ist nur aus dem Uni-Netz zugänglich.
                    </p>
                    <ul class="help-list">
                        <li>Stellen Sie sicher, dass Sie mit dem TUD-Netzwerk verbunden sind</li>
                        <li>Oder wählen Sie sich über VPN ein</li>
                    </ul>
                </div>
                <div class="language-section">
                    <div class="language-header">
                        🇬🇧 English
                    </div>
                    <p class="error-message">
                        This directory is only accessible from the TUD network.
                    </p>
                    <ul class="help-list">
                        <li>Make sure you are connected to the TUD network</li>
                        <li>Or connect via VPN</li>
                    </ul>
                </div>
            </div>
        </body>
        </html>
      '';
    };
--- a/modules/web/hyperilo.nix
+++ b/modules/web/hyperilo.nix
@ -0,0 +1,34 @@
 { ... }:
 {
  # provide access to iLO of colocated server
  # in case of questions, contact @bennofs
  services.nginx.virtualHosts."hyperilo.deutschland.gmbh" = {
    forceSSL = true;
    locations."/".proxyPass = "https://192.168.0.120:443";
    locations."/".basicAuthFile = "/run/secrets/hyperilo_htaccess";
    locations."/".extraConfig = ''
      proxy_ssl_verify off;
      proxy_http_version 1.1;
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection $connection_upgrade_capitalized;
    '';
  };
  # HP iLO requires uppercase Upgrade, not lowercase "upgrade"
  services.nginx.commonHttpConfig = ''
    map $http_upgrade $connection_upgrade_capitalized {
      default  Upgrade;
      '''      close;
    }
  '';
  systemd.network.networks."20-hyperilo" = {
    matchConfig.Name = "eno8303";
    address = [ "192.168.0.1/24" ];
    networkConfig.LLDP = true;
    networkConfig.EmitLLDP = "nearest-bridge";
  };
  sops.secrets."hyperilo_htaccess".owner = "nginx";
 }
--- a/modules/web/notenrechner.nix
+++ b/modules/web/notenrechner.nix
@ -0,0 +1,9 @@
 { config, specialArgs, ... }:
 let
  domain = "notenrechner.${config.networking.domain}";
 in
 {
  services.nginx.virtualHosts."${domain}" = {
    root = specialArgs.notenrechner.packages."x86_64-linux".default;
  };
 }
--- a/modules/web/sharepic.nix
+++ b/modules/web/sharepic.nix
@ -1,60 +1,14 @@
-{ pkgs, config, lib, ... }:
+{ pkgs, config, ... }:
 let
  domain = "sharepic.${config.networking.domain}";
  user = "sharepic";
  group = "sharepic";
 in
 {
-  users.users.${user} = {
+  services.nginx.virtualHosts."${domain}" = {
-    group = group;
+    root = pkgs.fetchFromGitHub {
-    isSystemUser = true;
+      owner = "jannikmenzel";
-  };
+      repo = "iFSR-Sharepicgenerator";
-  users.groups.${group} = { };
+      rev = "ac721d5fff2dba1f046939a6d6532b1a8cfceba8";
-
+      hash = "sha256-of+N58TDt2BcbDVEriKn6rjQVl0GdV4ZMEblrdUutZk=";
  services.phpfpm.pools.sharepic = {
    user = "sharepic";
    group = "sharepic";
    settings = {
      "listen.owner" = config.services.nginx.user;
      "pm" = "dynamic";
      "pm.max_children" = 32;
      "pm.max_requests" = 500;
      "pm.start_servers" = 2;
      "pm.min_spare_servers" = 2;
      "pm.max_spare_servers" = 5;
      "php_admin_value[error_log]" = "stderr";
      "php_admin_flag[log_errors]" = true;
      "catch_workers_output" = true;
    };
    phpEnv."PATH" = lib.makeBinPath [ pkgs.php ];
  };
  services.nginx = {
    enable = true;
    virtualHosts."${domain}" = {
      root = "/srv/web/sharepic";
      extraConfig = ''
        index index.php index.html;
      '';
      locations = {
        "/" = {
          tryFiles = "$uri $uri/ =404";
        };
        "~ \.php$" = {
          extraConfig = ''
            try_files $uri =404;
            fastcgi_pass unix:${config.services.phpfpm.pools.sharepic.socket};
            fastcgi_split_path_info ^(.+\.php)(/.+)$;
            fastcgi_index index.php;
            include ${pkgs.nginx}/conf/fastcgi_params;
            include ${pkgs.nginx}/conf/fastcgi.conf;
            fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name;
          '';
        };
        "/data".return = "403";
      };
    };
  };
 }
--- a/modules/wiki/fsr.nix
+++ b/modules/wiki/fsr.nix
@ -64,7 +64,8 @@ in
        # https://www.mediawiki.org/wiki/Extension:PluggableAuth
        # https://www.mediawiki.org/wiki/Extension:OpenID_Connect
        $wgOpenIDConnect_MigrateUsersByEmail = true;
-        $wgPluggableAuth_EnableLocalLogin = true;
+        //$wgOpenIDConnect_MigrateUsersByUserName = true;
        $wgPluggableAuth_EnableLocalLogin = false;
        $wgPluggableAuth_Config["iFSR Login"] = [
          "plugin" => "OpenIDConnect",
          "data" => [
@ -76,21 +77,18 @@ in
      '';
      extensions = {
        # some extensions are included and can enabled by passing null
        VisualEditor = null;
        # the dir in the mediawiki-1.42.3.tar.gz inside of the extension folder is called "SyntaxHighlight_GeSHi" not "SyntaxHighlight"
        SyntaxHighlight_GeSHi = null;
        PluggableAuth = pkgs.fetchzip {
-          url = "https://extdist.wmflabs.org/dist/extensions/PluggableAuth-REL1_40-3689731.tar.gz";
+          url = "https://extdist.wmflabs.org/dist/extensions/PluggableAuth-REL1_42-1da98f4.tar.gz";
-          hash = "sha256-BMA0qV+x+iQt/P9tbl9csEUni9jiQcBtZeuwdjx2QPk=";
+          hash = "sha256-5uBUy7lrr86ApASYPWgF6Wa09mxxP0o+lXLt1gVswlA=";
        };
        OpenIDConnect = pkgs.fetchzip {
-          url = "https://extdist.wmflabs.org/dist/extensions/OpenIDConnect-REL1_40-b354cdb.tar.gz";
+          url = "https://extdist.wmflabs.org/dist/extensions/OpenIDConnect-REL1_42-6c28c16.tar.gz";
-          hash = "sha256-gLHaveEzfmpqU9fWATZsUU377FJj2yq//raHZUR/VWk=";
+          hash = "sha256-X5kUuvxINbuXaLMKRcLOl2L3qbnMT72lg2NA3A9Daj8=";
        };
        VisualEditor = pkgs.fetchzip {
          url = "https://extdist.wmflabs.org/dist/extensions/VisualEditor-REL1_40-8970b62.tar.gz";
          hash = "sha256-G+qvKVuF6OCnwS5q2cKfij1/aH1I6lOw84K6fED980s=";
        };
        SyntaxHighlight = pkgs.fetchzip {
          url = "https://extdist.wmflabs.org/dist/extensions/SyntaxHighlight_GeSHi-REL1_40-1170e8f.tar.gz";
          hash = "sha256-75+wwTvHhwPBP1jVLK2fQWBi7vznOvPVgNpY3kzWJtg=";
        };
      };
    };
--- a/overlays/default.nix
+++ b/overlays/default.nix
@ -1,7 +1,8 @@
 _final: prev:
 let
  inherit (prev) fetchurl;
-  inherit (prev) fetchFromGitHub;
+  inherit (prev) fetchpatch;
  inherit (prev) callPackage;
 in
 {
  # AGDSN is running an outdated version that we have to comply to
@ -12,17 +13,42 @@ in
      sha256 = "sha256-3w+FJezbo4DnS1N8pxrfO3WWWT8CGJtZqw6//IXMyN4=";
    };
  }));
-  # (hopefully) fix systemd journal reading
+  # Mailman internal server error fix
-  prometheus-postfix-exporter = prev.prometheus-postfix-exporter.overrideAttrs (_old: {
+  # https://gitlab.com/mailman/mailman/-/issues/1137
-    patches = [
+  # https://github.com/NixOS/nixpkgs/pull/321136
-      ./prometheus-postfix-exporter/0001-cleanup-also-catch-milter-reject.patch
+  pythonPackagesExtensions = prev.pythonPackagesExtensions ++ [
-    ];
+    (_python-final: python-prev: {
-    src = fetchFromGitHub {
+      readme-renderer = python-prev.readme-renderer.overridePythonAttrs (_oldAttrs: {
-      owner = "adangel";
+        propagatedBuildInputs = [ python-prev.cmarkgfm ];
-      repo = "postfix_exporter";
+      });
-      rev = "414ac12ee63415eede46cb3084d755a6da6fba23";
+    })
-      hash = "sha256-m1kVaO3N7XC1vtnxXX9kMiEFPmZuoopRUYgA7gQzP8w=";
+  ];
  keycloak_ifsr_theme = callPackage ../modules/keycloak/theme.nix { };
  portunus = callPackage ./portunus.nix { };
  mediawiki = (prev.mediawiki.overrideAttrs (_old: rec {
    version = "1.43.0";
    src = fetchurl {
      url = "https://releases.wikimedia.org/mediawiki/${prev.lib.versions.majorMinor version}/mediawiki-${version}.tar.gz";
      hash = "sha256-VuCn/i/3jlC5yHs9WJ8tjfW8qwAY5FSypKI5yFhr2O4=";
    };
  }));
  hedgedoc = prev.hedgedoc.overrideAttrs ({ patches ? [ ], ... }: {
    patches = patches ++ [
      ./hedgedoc/0001-anonymous-uploads.patch
    ];
  });
  # patch to remove the nixspam blocklist. Remove after next rspamd release
  rspamd = prev.rspamd.overrideAttrs ({ patches ? [ ], ... }: {
    patches = patches ++ [
      (fetchpatch {
        url = "https://patch-diff.githubusercontent.com/raw/rspamd/rspamd/pull/5300.diff";
        hash = "sha256-7zY+l5ADLWgPTTBNG/GxX23uX2OwQ33hyzSuokTLgqc=";
      })
    ];
  });
 }
--- a/overlays/hedgedoc/0001-anonymous-uploads.patch
+++ b/overlays/hedgedoc/0001-anonymous-uploads.patch
@ -0,0 +1,62 @@
 diff --git a/app.js b/app.js
 index d41dbfbd7..faf686cfa 100644
 --- a/app.js
 +++ b/app.js
@@ -203,6 +203,7 @@ app.locals.serverURL = config.serverURL
 app.locals.sourceURL = config.sourceURL
 app.locals.allowAnonymous = config.allowAnonymous
 app.locals.allowAnonymousEdits = config.allowAnonymousEdits
 +app.locals.allowAnonymousUploads = config.allowAnonymousUploads
 app.locals.disableNoteCreation = config.disableNoteCreation
 app.locals.authProviders = {
   facebook: config.isFacebookEnable,
 diff --git a/lib/config/default.js b/lib/config/default.js
 index d038e5311..9ab9a6bb1 100644
 --- a/lib/config/default.js
 +++ b/lib/config/default.js
@@ -33,6 +33,7 @@ module.exports = {
   protocolUseSSL: false,
   allowAnonymous: true,
   allowAnonymousEdits: false,
 +  allowAnonymousUploads: false,
   allowFreeURL: false,
   requireFreeURLAuthentication: false,
   disableNoteCreation: false,
 diff --git a/lib/config/environment.js b/lib/config/environment.js
 index da50a660d..b74d122f4 100644
 --- a/lib/config/environment.js
 +++ b/lib/config/environment.js
@@ -31,6 +31,7 @@ module.exports = {
   allowOrigin: toArrayConfig(process.env.CMD_ALLOW_ORIGIN),
   allowAnonymous: toBooleanConfig(process.env.CMD_ALLOW_ANONYMOUS),
   allowAnonymousEdits: toBooleanConfig(process.env.CMD_ALLOW_ANONYMOUS_EDITS),
 +  allowAnonymousUploads: toBooleanConfig(process.env.CMD_ALLOW_ANONYMOUS_UPLOADS),
   allowFreeURL: toBooleanConfig(process.env.CMD_ALLOW_FREEURL),
   requireFreeURLAuthentication: toBooleanConfig(process.env.CMD_REQUIRE_FREEURL_AUTHENTICATION),
   disableNoteCreation: toBooleanConfig(process.env.CMD_DISABLE_NOTE_CREATION),
 diff --git a/lib/config/hackmdEnvironment.js b/lib/config/hackmdEnvironment.js
 index c40ffc961..20c2da83b 100644
 --- a/lib/config/hackmdEnvironment.js
 +++ b/lib/config/hackmdEnvironment.js
@@ -22,6 +22,7 @@ module.exports = {
   allowOrigin: toArrayConfig(process.env.HMD_ALLOW_ORIGIN),
   allowAnonymous: toBooleanConfig(process.env.HMD_ALLOW_ANONYMOUS),
   allowAnonymousEdits: toBooleanConfig(process.env.HMD_ALLOW_ANONYMOUS_EDITS),
 +  allowAnonymousUploads: toBooleanConfig(process.env.HMD_ALLOW_ANONYMOUS_UPLOADS),
   allowFreeURL: toBooleanConfig(process.env.HMD_ALLOW_FREEURL),
   defaultPermission: process.env.HMD_DEFAULT_PERMISSION,
   dbURL: process.env.HMD_DB_URL,
 diff --git a/lib/web/imageRouter/index.js b/lib/web/imageRouter/index.js
 index d9964827b..7321bc805 100644
 --- a/lib/web/imageRouter/index.js
 +++ b/lib/web/imageRouter/index.js
@@ -59,8 +59,7 @@ async function checkUploadType (filePath) {
 imageRouter.post('/uploadimage', function (req, res) {
   if (
     !req.isAuthenticated() &&
 -    !config.allowAnonymous &&
 -    !config.allowAnonymousEdits
 +    !config.allowAnonymousUploads
   ) {
     logger.error(
       'Image upload error: Anonymous edits and therefore uploads are not allowed'
--- a/overlays/portunus.nix
+++ b/overlays/portunus.nix
@ -0,0 +1,32 @@
 { lib
 , buildGoModule
 , fetchFromGitHub
 , libxcrypt-legacy
 , nixosTests
 }:
 buildGoModule rec {
  pname = "portunus";
  version = "2.1.1";
  src = fetchFromGitHub {
    owner = "majewsky";
    repo = "portunus";
    rev = "v${version}";
    sha256 = "sha256-+pMMIutj+OWKZmOYH5NuA4a7aS5CD+33vAEC9bJmyfM=";
  };
  buildInputs = [ libxcrypt-legacy ];
  vendorHash = null;
  passthru.tests = { inherit (nixosTests) portunus; };
  meta = with lib; {
    description = "Self-contained user/group management and authentication service";
    homepage = "https://github.com/majewsky/portunus";
    license = licenses.gpl3Plus;
    platforms = platforms.linux;
    maintainers = with maintainers; [ majewsky ] ++ teams.c3d2.members;
  };
 }
--- a/secrets/quitte.yaml
+++ b/secrets/quitte.yaml
Author	SHA1	Message	Date
Rouven Seifert	708059a7b6	chore: ran deadnix	2025-02-15 00:32:05 +01:00
Rouven Seifert	966fbde1e9	formatting	2025-02-15 00:31:05 +01:00
Rouven Seifert	74c6cec7c6	rspamd: remove nixspam blocklist	2025-02-15 00:30:43 +01:00
Rouven Seifert	00360fccc2	deploy new kpp version	2025-02-12 15:39:05 +01:00
Rouven Seifert	edcba9dc85	updates 2025-02-04	2025-02-04 12:20:46 +01:00
Frieder Hannenheim	f1f330daab	Neuer sharepic-generator. Keine Begrenzug auf Uninetz da keine SPD-Assets mehr	2025-02-03 19:13:19 +01:00
Rouven Seifert	969ff27555	sharepic: limit to university nets	2025-02-02 19:59:42 +01:00
Frieder Hannenheim	839b00af20	add ssh key for frieder	2025-01-31 16:35:24 +01:00
Frieder Hannenheim	a8cb4d45ba	update notenrechner to add disclaimer about correctness	2025-01-30 19:13:53 +01:00
Rouven Seifert	7377c77952	sops: reencrypt secrets	2025-01-30 18:00:02 +01:00
Frieder Hannenheim	e9d1e22b43	update notenrechner to fix the package not building	2025-01-30 14:55:06 +01:00
Frieder Hannenheim	8b80988768	add sops key for Frieder Hannenheim	2025-01-30 13:33:51 +01:00
Frieder Hannenheim	a07d51bb56	Merge branch 'frieder.hannenheim-notenrechner'	2025-01-30 13:23:05 +01:00
Frieder Hannenheim	4782376b23	remove redundant forceSSL and enableACME from notenrechner.nix	2025-01-30 13:22:04 +01:00
Frieder Hannenheim	cca6385ce8	add notenrechner website	2025-01-30 13:10:44 +01:00
Rouven Seifert	7aa9df065d	updates 2025-01-29	2025-01-29 10:37:47 +01:00
Rouven Seifert	29c702b2e5	hedgedoc: disable anonymous patches https://c3d2.social/@sandro/113900709169130028	2025-01-27 22:08:59 +01:00
Jonas Gaffke	ff4df0aae0	mediawiki: downgrade auth plugins for login fix	2025-01-21 20:46:00 +01:00
Rouven Seifert	d252ec452f	mediawiki: update to lastest versions	2025-01-21 15:34:49 +01:00
Rouven Seifert	3fc5565c6b	updates 2025-01-21	2025-01-21 14:00:39 +01:00
Rouven Seifert	22608b8ec0	medawiki: beautify plugin fetching	2025-01-20 12:05:37 +01:00
quitte	d997cf3106	Revert "nginx: disable http/3" This reverts commit `d2e06a075e`.	2025-01-20 11:20:21 +01:00
Jonas Gaffke	44549dddbe	ftp: redesign 403 error page for better UX	2025-01-19 13:18:41 +01:00
Jonas Gaffke	87e50986bf	mediawiki: update plugins for mediawiki version 1.42	2025-01-19 11:38:41 +01:00
Rouven Seifert	d9dec34e3a	minecraft: remove vorerst deaktiviert bis sich jemand beschwert die daten verbleiben in /srv/minecraft	2025-01-16 14:53:49 +01:00
Rouven Seifert	bc46330abe	updates 2025-01-16	2025-01-16 14:37:03 +01:00
Rouven Seifert	9577f93dae	updates 2025-01-11	2025-01-11 15:19:20 +01:00
Rouven Seifert	57f52c9958	dns: add more quad9 addresses	2025-01-09 13:59:11 +01:00
quitte	469da0ec41	dns: use quad9	2025-01-09 13:31:26 +01:00
Rouven Seifert	d5617bea3f	updates 2025-01-08	2025-01-08 12:52:11 +01:00
Rouven Seifert	8c6282c4fa	update ese redirect to 2025	2025-01-02 00:16:57 +01:00
Rouven Seifert	c85492d896	updates 2025-01-01	2025-01-01 23:50:45 +01:00
Jonas Gaffke	01ad4cf730	kanboard: update	2024-12-31 11:36:45 +01:00
Rouven Seifert	786038cae3	add nom	2024-12-29 21:11:31 +01:00
Rouven Seifert	810d878dfc	forgejo: use latest verison	2024-12-29 21:10:10 +01:00
Rouven Seifert	cd1519e3e8	updates 2024-12-29 Happy new year^^	2024-12-29 19:59:18 +01:00
quitte	0e984c8e97	padlist: .git 403	2024-12-15 16:08:21 +01:00
Rouven Seifert	943e208e3a	quitte: fix portunus	2024-12-14 16:23:31 +01:00
Rouven Seifert	e3dd58a1f9	upgrade quitte to 24.11	2024-12-13 19:51:28 +01:00
Rouven Seifert	7d7d60c189	quitte: add ipv6	2024-12-13 19:09:05 +01:00
Rouven Seifert	faf2607319	fix IP	2024-12-08 13:04:18 +01:00
Rouven Seifert	fe8c721f45	quitte: remove 141.30.30.169	2024-12-06 14:13:51 +01:00
Rouven Seifert	37f9447a38	increase fail2ban limits	2024-12-05 19:16:39 +01:00
Rouven Seifert	1a1b3ad0f2	fix typo	2024-12-05 19:15:43 +01:00
Rouven Seifert	bef4f24477	quitte: set new ip	2024-12-04 13:35:55 +01:00
Rouven Seifert	db4eab1c0d	updates 2024-11-17	2024-11-27 15:56:10 +01:00
Jonas Gaffke	62e4ac6368	monitoring: add minecraft server	2024-11-24 09:37:38 +01:00
Rouven Seifert	1875088472	updates 2024-11-19	2024-11-19 14:27:49 +01:00
Jonas Gaffke	bd90107f91	kanboard: update to 1.2.42	2024-11-16 10:21:11 +01:00
Rouven Seifert	451c099d3f	updates 2024-11-15	2024-11-15 16:08:40 +01:00
Rouven Seifert	48c04ce61e	updates 2024-11-12	2024-11-12 15:12:16 +01:00
Rouven Seifert	d075afaac5	courses: disable phil	2024-11-12 15:12:01 +01:00
Rouven Seifert	8e3a5b0ff3	monitoring: remove postfix	2024-11-08 11:19:59 +01:00
Rouven Seifert	06281a1432	monitoring: move to module folder	2024-11-08 11:16:21 +01:00
Fugi	97cb91d703	update course-management	2024-11-04 21:20:39 +01:00
Rouven Seifert	c442ea54a4	updates 2024-10-30	2024-10-30 11:06:06 +01:00
Rouven Seifert	ae4fcb60cc	rspamd web interface: limit to university nets	2024-10-28 13:16:15 +01:00
Jonas Gaffke	e8e71eda7c	kanboard: update to 1.2.41	2024-10-27 09:06:33 +01:00
Rouven Seifert	4d5e2ae3eb	updates 2024-10-25	2024-10-25 11:17:20 +02:00
quitte	2fa18c816d	Revert "kanboard: move away from podman because of nftables and podman bug" This reverts commit `6416be37f5`.	2024-10-23 23:58:08 +02:00
Rouven Seifert	dd9aaba3ef	updates 2024-10-20	2024-10-20 19:58:26 +02:00
Rouven Seifert	37bf91a57a	close wireguard port	2024-10-13 22:53:15 +02:00
Rouven Seifert	6fa82f7453	remove ese secret	2024-10-13 22:51:18 +02:00
Rouven Seifert	f518bd545d	remove ese wireguard	2024-10-13 22:50:06 +02:00
Rouven Seifert	3d0f3cfa21	nix: flake update	2024-10-13 14:16:01 +02:00
Rouven Seifert	fb0b36b200	Merge pull request 'switch to lts kernel' (#94 ) from linux-lts into main Reviewed-on: wurzel/fruitbasket#94	2024-10-13 14:09:34 +02:00
Rouven Seifert	7d69600115	switch to lts kernel zfs latestCompatibleLinuxPackages will be deprecated at some point	2024-10-08 21:39:17 +02:00
Rouven Seifert	efc38dac8f	ran deadnix	2024-10-08 21:36:52 +02:00
Fugi	ea8efc298d	add ese-deploy user	2024-10-06 23:09:22 +02:00
Fugi	7c86415c50	change ese web root	2024-10-06 20:37:13 +02:00
Fugi	9662b35f42	fix forgejo actions	2024-10-06 20:04:32 +02:00
Fugi	161a4ae838	ese website caching	2024-10-06 16:54:32 +02:00
Rouven Seifert	fcffa5f79c	fix ese wireguard	2024-10-04 16:34:54 +02:00
Rouven Seifert	0d9bd777c8	network: init ese wireguard	2024-10-04 15:39:10 +02:00
Rouven Seifert	e80eb649ca	updates 2024-10-04	2024-10-04 14:22:46 +02:00
Rouven Seifert	af3c401cf6	core: add sudo rule	2024-10-03 00:17:05 +02:00
Rouven Seifert	c25d9d3f9e	updates 2024-09-28	2024-09-28 23:03:28 +02:00
Jonas Gaffke	d4ae4d1743	remove broken decisions tool	2024-09-28 10:48:10 +02:00
Rouven Seifert	4e99931626	directus: remove yeet	2024-09-26 20:11:04 +02:00
Rouven Seifert	f6cda1a4fc	updates 2024-09-26	2024-09-26 17:51:50 +02:00
Rouven Seifert	74f8e85f51	updates 2024-09-23	2024-09-23 15:41:33 +02:00
Rouven Seifert	f5cf94d257	mail: don't forbid non-tls connections	2024-09-22 23:34:52 +02:00
Rouven Seifert	ec5f15946e	the postfix nixos module has stupid defaults	2024-09-22 23:05:37 +02:00
Rouven Seifert	c2149ec639	mail: remove deprecated postfix tls options	2024-09-22 23:01:32 +02:00
Rouven Seifert	d2c543fc07	updates: 2024-09-17	2024-09-17 16:24:43 +02:00
Rouven Seifert	ed3e8de2cb	updades 2024-09-13	2024-09-13 22:42:24 +02:00
Rouven Seifert	6e2b0d262f	backup: disable compression	2024-09-10 20:29:52 +02:00
Rouven Seifert	f83abbfe8d	updates 2024-09-10	2024-09-10 09:30:38 +02:00
Rouven Seifert	e10b491cdf	formatting	2024-09-07 11:33:19 +02:00
Benno Fünfstück	ddecabc25f	hyperilo: fix websocket config	2024-09-06 17:12:45 +02:00
Benno Fünfstück	776f860a92	hyperilo: proxy websockets for console	2024-09-06 17:05:02 +02:00
Jonas Gaffke	e84a83e305	mediawiki: add visual editor and update extensions to 1.41	2024-09-05 16:04:03 +02:00
Rouven Seifert	643f92dfc5	keycloak: format	2024-09-05 15:32:19 +02:00
Rouven Seifert	805484dd0b	matrix: allow olm as insecure	2024-09-05 15:32:03 +02:00
Rouven Seifert	173d5e693d	updates 2024-09-05	2024-09-05 15:26:22 +02:00
Rouven Seifert	fc01acbc46	mediawiki: remove VisualEditor	2024-09-05 15:25:19 +02:00
Fugi	096a04e00c	forgejo: disable federation again for now we have to update to Forgejo 8.x and test if it does leak all existing user accounts, and if it's possible to prevent that.	2024-09-04 16:52:42 +02:00
Rouven Seifert	8177e8407a	forgejo: properly configure runner	2024-09-04 12:00:59 +02:00
Rouven Seifert	46b0bfaa8d	updates 2024-09-03	2024-09-03 21:23:56 +02:00
Jonas Gaffke	c98206231c	Merge branch 'forgejo-runner'	2024-09-03 11:27:14 +02:00
Rouven Seifert	f54d5fd867	forgejo actions: disable native for now	2024-09-03 11:24:41 +02:00
Rouven Seifert	5286041789	forgejo: initial runner configuration	2024-09-03 11:24:41 +02:00
quitte	703002d148	forgejo: allow *.ifsr.de webhooks	2024-09-03 10:44:26 +02:00
quitte	382bbc6601	forgejo: federation	2024-09-03 10:17:25 +02:00
quitte	6416be37f5	kanboard: move away from podman because of nftables and podman bug	2024-09-02 11:14:02 +02:00
quitte	23a5062f7b	kanboard: update	2024-09-02 10:34:23 +02:00
quitte	a6ada675df	save the teich!!!	2024-09-02 09:49:25 +02:00
Rouven Seifert	e470b83cb6	keycloak: remove dangling file	2024-09-01 22:40:52 +02:00
Benno Fünfstück	c1a0b67261	add hyperilo reverse proxy	2024-09-01 21:39:45 +02:00
Rouven Seifert	0d0512a539	keycloak: add ifsr theme	2024-08-31 22:15:42 +02:00
Rouven Seifert	c4d2b5fd08	readd stream.ifsr.de	2024-08-31 13:48:18 +02:00
Rouven Seifert	c5cc3bd8b8	updates 2024-08-31	2024-08-31 13:39:27 +02:00
Jonas Gaffke	923d8a8697	minecraft: allow monitoring ip	2024-08-29 07:59:46 +02:00
Rouven Seifert	a506e7d550	updates 2024-08-28	2024-08-28 16:38:24 +02:00
Rouven Seifert	62b344a2c2	minecraft: switch to fabric	2024-08-26 13:53:44 +02:00
Rouven Seifert	72566b656a	updates 2024-08-23	2024-08-23 13:48:08 +02:00
quitte	ab1e4d10ee	update 2024-08-21	2024-08-21 18:13:05 +02:00
quitte	f268507d85	base: add yazi	2024-08-21 18:07:15 +02:00
Rouven Seifert	df82b2e35b	updates 2024-08-20	2024-08-20 20:21:06 +02:00
Rouven Seifert	7d1cf705ee	updates 2024-08-14	2024-08-14 14:03:32 +02:00
Rouven Seifert	697df17b33	updates 2024-08-13	2024-08-13 16:49:57 +02:00
Rouven Seifert	530570699a	updates 2024-08-12	2024-08-12 16:01:18 +02:00
Rouven Seifert	3fae2321f3	updates 2024-08-07	2024-08-07 11:39:49 +02:00
Rouven Seifert	00104e593c	updates 2024-08-01	2024-08-01 16:26:34 +02:00
Rouven Seifert	33497714db	updates 2024-07-30	2024-07-30 13:01:00 +02:00
Rouven Seifert	d7389d41da	updates 2024-07-27	2024-07-27 13:40:58 +02:00
Fugi	42b3613b95	add mailman error fix	2024-07-26 13:10:36 +02:00
Rouven Seifert	799c9a67ff	logging: fix filemodes	2024-07-24 10:53:35 +02:00
Rouven Seifert	6d6e00f5bf	bluemap: render hourly	2024-07-22 18:09:36 +02:00
Rouven Seifert	49d48dc8d4	minecraft: fix server and init bluemap	2024-07-22 18:05:26 +02:00
Rouven Seifert	7a9e841a5f	treewide: format	2024-07-22 18:05:07 +02:00
Rouven Seifert	85f8932908	minecraft-server: init	2024-07-22 13:26:53 +02:00
Rouven Seifert	21a1000dad	updates: 2024-07-19	2024-07-19 10:58:00 +02:00
Rouven Seifert	fe5836b8c9	updates 2024-07-15	2024-07-15 17:15:39 +02:00
Rouven Seifert	340781cafd	rspamd: allow more regexes in blacklists	2024-07-14 14:32:25 +02:00
Rouven Seifert	2fc48b6708	updates 2024-07-12	2024-07-12 14:02:43 +02:00
		`@ -0,0 +1 @@`
							`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH70IC7DaiGBYdftUhuOE9CatcdYj2L50eZfztQA+pVs fried@Frieders-Void-Laptop`