.sops.yaml

@@ -8,8 +8,8 @@ keys:
   - &fugi BF37903AE6FD294C4C674EE24472A20091BFA792
   - &emmanuel E83F398E6423179FE4F63D4FF085CAD394DE329D
   - &joachim  B1A16011B86BACB56ADB713DB712039D23133661
+  - &jonasga FB44F0746DF25F0B24A2EAE586C8A257C3EC82AB
   - &hendrik FBBFAC260D9283D1EF2397DD3CA65E9DD6EB319D
-  - &frieder age1x76ajqw8w4l5vlkwt5s3flz5a5jq5qlxv7uppmnf8ckj9egh9ekqjclzt6
   - &quitte age1wvdnprpnq2rcc4se3zpx2p267n0apxg2jucvlm93e3pfj439ephqh2506t
   - &tomate age18lwgjazaxujqgcc5j0gjllnykhtjn6p0q44jzrsk4au2a5k6nd9s77kd6d
 
@@ -23,9 +23,9 @@ creation_rules:
         - *rouven
         - *fugi
         - *joachim
+        - *jonasga
         - *hendrik
         age:
-        - *frieder
         - *quitte
   - path_regex: secrets/tomate\.yaml$
     key_groups:
@@ -36,9 +36,9 @@ creation_rules:
         - *rouven
         - *fugi
         - *joachim
+        - *jonasga
         - *hendrik
         age:
-        - *frieder
         - *tomate
   - path_regex: secrets/admin\.yaml$
     key_groups:
@@ -49,5 +49,5 @@ creation_rules:
         - *rouven
         - *fugi
         - *joachim
+        - *jonasga
         - *hendrik
-        - *frieder

flake.lock

@@ -1,53 +1,9 @@
 {
   "nodes": {
-    "authentik": {
-      "inputs": {
-        "authentik-src": "authentik-src",
-        "flake-compat": "flake-compat",
-        "flake-parts": "flake-parts",
-        "flake-utils": "flake-utils",
-        "napalm": "napalm",
-        "nixpkgs": "nixpkgs",
-        "pyproject-build-systems": "pyproject-build-systems",
-        "pyproject-nix": "pyproject-nix",
-        "systems": "systems",
-        "uv2nix": "uv2nix"
-      },
-      "locked": {
-        "lastModified": 1746294280,
-        "narHash": "sha256-Y8JGnaYXk71ipBYFw83dvS1zKBftppT1RnRT/XsWKIM=",
-        "owner": "MarcelCoding",
-        "repo": "authentik-nix",
-        "rev": "c2a6bb12f90241df93fe2d5553c8bca476dcb52b",
-        "type": "github"
-      },
-      "original": {
-        "owner": "MarcelCoding",
-        "repo": "authentik-nix",
-        "type": "github"
-      }
-    },
-    "authentik-src": {
-      "flake": false,
-      "locked": {
-        "lastModified": 1745954192,
-        "narHash": "sha256-QuIgeu3CN6S44/zSiaj+iIkDz2494mb1MWvD3eYYkVE=",
-        "owner": "goauthentik",
-        "repo": "authentik",
-        "rev": "22412729e2379d645da2ac0c0270a0ac6147945e",
-        "type": "github"
-      },
-      "original": {
-        "owner": "goauthentik",
-        "ref": "version/2025.4.0",
-        "repo": "authentik",
-        "type": "github"
-      }
-    },
     "course-management": {
       "inputs": {
-        "flake-utils": "flake-utils_2",
+        "flake-utils": "flake-utils",
-        "nixpkgs": "nixpkgs_2",
+        "nixpkgs": "nixpkgs",
         "poetry2nix": "poetry2nix"
       },
       "locked": {
@@ -84,53 +40,16 @@
         "url": "https://git.ifsr.de/ese/manual-website"
       }
     },
-    "flake-compat": {
-      "flake": false,
-      "locked": {
-        "lastModified": 1733328505,
-        "narHash": "sha256-NeCCThCEP3eCl2l/+27kNNK7QrwZB1IJCrXfrbv5oqU=",
-        "owner": "edolstra",
-        "repo": "flake-compat",
-        "rev": "ff81ac966bb2cae68946d5ed5fc4994f96d0ffec",
-        "type": "github"
-      },
-      "original": {
-        "owner": "edolstra",
-        "repo": "flake-compat",
-        "type": "github"
-      }
-    },
-    "flake-parts": {
-      "inputs": {
-        "nixpkgs-lib": "nixpkgs-lib"
-      },
-      "locked": {
-        "lastModified": 1743550720,
-        "narHash": "sha256-hIshGgKZCgWh6AYJpJmRgFdR3WUbkY04o82X05xqQiY=",
-        "owner": "hercules-ci",
-        "repo": "flake-parts",
-        "rev": "c621e8422220273271f52058f618c94e405bb0f5",
-        "type": "github"
-      },
-      "original": {
-        "owner": "hercules-ci",
-        "repo": "flake-parts",
-        "type": "github"
-      }
-    },
     "flake-utils": {
       "inputs": {
-        "systems": [
+        "systems": "systems"
-          "authentik",
-          "systems"
-        ]
       },
       "locked": {
-        "lastModified": 1731533236,
+        "lastModified": 1726560853,
-        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
+        "narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=",
         "owner": "numtide",
         "repo": "flake-utils",
-        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
+        "rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a",
         "type": "github"
       },
       "original": {
@@ -159,25 +78,7 @@
     },
     "flake-utils_3": {
       "inputs": {
-        "systems": "systems_3"
+        "systems": "systems_4"
-      },
-      "locked": {
-        "lastModified": 1726560853,
-        "narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=",
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a",
-        "type": "github"
-      },
-      "original": {
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "type": "github"
-      }
-    },
-    "flake-utils_4": {
-      "inputs": {
-        "systems": "systems_6"
       },
       "locked": {
         "lastModified": 1681202837,
@@ -200,11 +101,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1744024964,
+        "lastModified": 1732530918,
-        "narHash": "sha256-zmYWGZ7/tRSCy/PzghdguMpAdauWiYr6AJnbYCVHBFE=",
+        "narHash": "sha256-O5cmb7xeIq1luKn9FbS3UP4aziP2UuBKARsq/w7CGqs=",
         "owner": "fsr",
         "repo": "kpp",
-        "rev": "03e9650edb8d1e9ff424c2c2799736fbae56314b",
+        "rev": "b867b6b3d4c604c177e1866d2babc7ae5c0f6a9d",
         "type": "github"
       },
       "original": {
@@ -213,32 +114,6 @@
         "type": "github"
       }
     },
-    "napalm": {
-      "inputs": {
-        "flake-utils": [
-          "authentik",
-          "flake-utils"
-        ],
-        "nixpkgs": [
-          "authentik",
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1725806412,
-        "narHash": "sha256-lGZjkjds0p924QEhm/r0BhAxbHBJE1xMOldB/HmQH04=",
-        "owner": "willibutz",
-        "repo": "napalm",
-        "rev": "b492440d9e64ae20736d3bec5c7715ffcbde83f5",
-        "type": "github"
-      },
-      "original": {
-        "owner": "willibutz",
-        "ref": "avoid-foldl-stack-overflow",
-        "repo": "napalm",
-        "type": "github"
-      }
-    },
     "nix-github-actions": {
       "inputs": {
         "nixpkgs": [
@@ -268,11 +143,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1746330942,
+        "lastModified": 1737861961,
-        "narHash": "sha256-ShizFaJCAST23tSrHHtFFGF0fwd72AG+KhPZFFQX/0o=",
+        "narHash": "sha256-LIRtMvAwLGb8pBoamzgEF67oKlNPz4LuXiRPVZf+TpE=",
         "owner": "nix-community",
         "repo": "nix-index-database",
-        "rev": "137fd2bd726fff343874f85601b51769b48685cc",
+        "rev": "79b7b8eae3243fc5aa9aad34ba6b9bbb2266f523",
         "type": "github"
       },
       "original": {
@@ -282,37 +157,6 @@
       }
     },
     "nixpkgs": {
-      "locked": {
-        "lastModified": 1746183838,
-        "narHash": "sha256-kwaaguGkAqTZ1oK0yXeQ3ayYjs8u/W7eEfrFpFfIDFA=",
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "bf3287dac860542719fe7554e21e686108716879",
-        "type": "github"
-      },
-      "original": {
-        "owner": "NixOS",
-        "ref": "nixos-24.11",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
-    },
-    "nixpkgs-lib": {
-      "locked": {
-        "lastModified": 1743296961,
-        "narHash": "sha256-b1EdN3cULCqtorQ4QeWgLMrd5ZGOjLSLemfa00heasc=",
-        "owner": "nix-community",
-        "repo": "nixpkgs.lib",
-        "rev": "e4822aea2a6d1cdd36653c134cacfd64c97ff4fa",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-community",
-        "repo": "nixpkgs.lib",
-        "type": "github"
-      }
-    },
-    "nixpkgs_2": {
       "locked": {
         "lastModified": 1730531603,
         "narHash": "sha256-Dqg6si5CqIzm87sp57j5nTaeBbWhHFaVyG7V6L8k3lY=",
@@ -328,13 +172,13 @@
         "type": "github"
       }
     },
-    "nixpkgs_3": {
+    "nixpkgs_2": {
       "locked": {
-        "lastModified": 1746557022,
+        "lastModified": 1738023785,
-        "narHash": "sha256-QkNoyEf6TbaTW5UZYX0OkwIJ/ZMeKSSoOMnSDPQuol0=",
+        "narHash": "sha256-BPHmb3fUwdHkonHyHi1+x89eXB3kA1jffIpwPVJIVys=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "1d3aeb5a193b9ff13f63f4d9cc169fb88129f860",
+        "rev": "2b4230bf03deb33103947e2528cac2ed516c5c89",
         "type": "github"
       },
       "original": {
@@ -344,7 +188,7 @@
         "type": "github"
       }
     },
-    "nixpkgs_4": {
+    "nixpkgs_3": {
       "locked": {
         "lastModified": 1682134069,
         "narHash": "sha256-TnI/ZXSmRxQDt2sjRYK/8j8iha4B4zP2cnQCZZ3vp7k=",
@@ -358,36 +202,15 @@
         "type": "indirect"
       }
     },
-    "notenrechner": {
-      "inputs": {
-        "nixpkgs": [
-          "nixpkgs"
-        ],
-        "utils": "utils"
-      },
-      "locked": {
-        "lastModified": 1742228793,
-        "narHash": "sha256-USud87Uu/ZI6R+4vM0hxLdkOUr6nsJCnAEeIrtSRkCU=",
-        "ref": "refs/heads/main",
-        "rev": "c100e3dba23a089fbdf403d2ba31cf87614ee035",
-        "revCount": 10,
-        "type": "git",
-        "url": "https://git.ifsr.de/frieder.hannenheim/notenrechner.git"
-      },
-      "original": {
-        "type": "git",
-        "url": "https://git.ifsr.de/frieder.hannenheim/notenrechner.git"
-      }
-    },
     "poetry2nix": {
       "inputs": {
-        "flake-utils": "flake-utils_3",
+        "flake-utils": "flake-utils_2",
         "nix-github-actions": "nix-github-actions",
         "nixpkgs": [
           "course-management",
           "nixpkgs"
         ],
-        "systems": "systems_4",
+        "systems": "systems_3",
         "treefmt-nix": "treefmt-nix"
       },
       "locked": {
@@ -424,65 +247,13 @@
         "type": "github"
       }
     },
-    "pyproject-build-systems": {
-      "inputs": {
-        "nixpkgs": [
-          "authentik",
-          "nixpkgs"
-        ],
-        "pyproject-nix": [
-          "authentik",
-          "pyproject-nix"
-        ],
-        "uv2nix": [
-          "authentik",
-          "uv2nix"
-        ]
-      },
-      "locked": {
-        "lastModified": 1744599653,
-        "narHash": "sha256-nysSwVVjG4hKoOjhjvE6U5lIKA8sEr1d1QzEfZsannU=",
-        "owner": "pyproject-nix",
-        "repo": "build-system-pkgs",
-        "rev": "7dba6dbc73120e15b558754c26024f6c93015dd7",
-        "type": "github"
-      },
-      "original": {
-        "owner": "pyproject-nix",
-        "repo": "build-system-pkgs",
-        "type": "github"
-      }
-    },
-    "pyproject-nix": {
-      "inputs": {
-        "nixpkgs": [
-          "authentik",
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1746146146,
-        "narHash": "sha256-60+mzI2lbgn+G8F5mz+cmkDvHFn4s5oqcOna1SzYy74=",
-        "owner": "pyproject-nix",
-        "repo": "pyproject.nix",
-        "rev": "3e9623bdd86a3c545e82b7f97cfdba5f07232d9a",
-        "type": "github"
-      },
-      "original": {
-        "owner": "pyproject-nix",
-        "repo": "pyproject.nix",
-        "type": "github"
-      }
-    },
     "root": {
       "inputs": {
-        "authentik": "authentik",
         "course-management": "course-management",
         "ese-manual": "ese-manual",
         "kpp": "kpp",
         "nix-index-database": "nix-index-database",
-        "nixpkgs": "nixpkgs_3",
+        "nixpkgs": "nixpkgs_2",
-        "notenrechner": "notenrechner",
         "print-interface": "print-interface",
         "sops-nix": "sops-nix",
         "vscode-server": "vscode-server"
@@ -495,11 +266,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1746485181,
+        "lastModified": 1737411508,
-        "narHash": "sha256-PxrrSFLaC7YuItShxmYbMgSuFFuwxBB+qsl9BZUnRvg=",
+        "narHash": "sha256-j9IdflJwRtqo9WpM0OfAZml47eBblUHGNQTe62OUqTw=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "e93ee1d900ad264d65e9701a5c6f895683433386",
+        "rev": "015d461c16678fc02a2f405eb453abb509d4e1d4",
         "type": "github"
       },
       "original": {
@@ -510,16 +281,16 @@
     },
     "systems": {
       "locked": {
-        "lastModified": 1689347949,
+        "lastModified": 1681028828,
-        "narHash": "sha256-12tWmuL2zgBgZkdoB6qXZsgJEH9LR3oUgpaQq2RbI80=",
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
         "owner": "nix-systems",
-        "repo": "default-linux",
+        "repo": "default",
-        "rev": "31732fcf5e8fea42e59c2488ad31a0e651500f68",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
         "type": "github"
       },
       "original": {
         "owner": "nix-systems",
-        "repo": "default-linux",
+        "repo": "default",
         "type": "github"
       }
     },
@@ -539,21 +310,6 @@
       }
     },
     "systems_3": {
-      "locked": {
-        "lastModified": 1681028828,
-        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
-        "owner": "nix-systems",
-        "repo": "default",
-        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-systems",
-        "repo": "default",
-        "type": "github"
-      }
-    },
-    "systems_4": {
       "locked": {
         "lastModified": 1681028828,
         "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
@@ -567,22 +323,7 @@
         "type": "indirect"
       }
     },
-    "systems_5": {
+    "systems_4": {
-      "locked": {
-        "lastModified": 1681028828,
-        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
-        "owner": "nix-systems",
-        "repo": "default",
-        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-systems",
-        "repo": "default",
-        "type": "github"
-      }
-    },
-    "systems_6": {
       "locked": {
         "lastModified": 1681028828,
         "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
@@ -619,53 +360,10 @@
         "type": "github"
       }
     },
-    "utils": {
-      "inputs": {
-        "systems": "systems_5"
-      },
-      "locked": {
-        "lastModified": 1731533236,
-        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
-        "type": "github"
-      },
-      "original": {
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "type": "github"
-      }
-    },
-    "uv2nix": {
-      "inputs": {
-        "nixpkgs": [
-          "authentik",
-          "nixpkgs"
-        ],
-        "pyproject-nix": [
-          "authentik",
-          "pyproject-nix"
-        ]
-      },
-      "locked": {
-        "lastModified": 1746048139,
-        "narHash": "sha256-LdCLyiihLg6P2/mjzP0+W7RtraDSIaJJPTy6SCtW5Ag=",
-        "owner": "pyproject-nix",
-        "repo": "uv2nix",
-        "rev": "680e2f8e637bc79b84268949d2f2b2f5e5f1d81c",
-        "type": "github"
-      },
-      "original": {
-        "owner": "pyproject-nix",
-        "repo": "uv2nix",
-        "type": "github"
-      }
-    },
     "vscode-server": {
       "inputs": {
-        "flake-utils": "flake-utils_4",
+        "flake-utils": "flake-utils_3",
-        "nixpkgs": "nixpkgs_4"
+        "nixpkgs": "nixpkgs_3"
       },
       "locked": {
         "lastModified": 1729422940,

flake.nix

@@ -14,15 +14,6 @@
     ese-manual.url = "git+https://git.ifsr.de/ese/manual-website";
     ese-manual.inputs.nixpkgs.follows = "nixpkgs";
     vscode-server.url = "github:nix-community/nixos-vscode-server";
-    notenrechner.url = "git+https://git.ifsr.de/frieder.hannenheim/notenrechner.git";
-    notenrechner.inputs.nixpkgs.follows = "nixpkgs";
-    authentik = {
-      # change to old one when we are at 25.05
-      # see https://github.com/nix-community/authentik-nix/issues/56 for context
-      url = "github:MarcelCoding/authentik-nix";
-      # url = "github:nix-community/authentik-nix";
-    };
-
 
     course-management = {
       url = "github:fsr/course-management";
@@ -39,7 +30,6 @@
     , vscode-server
     , course-management
     , print-interface
-    , authentik
     , ...
     }@inputs:
     let
@@ -78,13 +68,10 @@
             ese-manual.nixosModules.default
             course-management.nixosModules.default
             vscode-server.nixosModules.default
-            authentik.nixosModules.default
-
             ./hosts/quitte/configuration.nix
             ./options
 
             ./modules/core
-            ./modules/authentik
             ./modules/ldap
             ./modules/mail
             ./modules/web
@@ -93,7 +80,6 @@
             ./modules/matrix
             ./modules/keycloak
             ./modules/monitoring
-            ./modules/unbound
 
             ./modules/nix-serve.nix
             ./modules/hedgedoc.nix
@@ -102,7 +88,7 @@
             ./modules/vaultwarden.nix
             ./modules/forgejo
             ./modules/kanboard.nix
-            # ./modules/zammad.nix
+            ./modules/zammad.nix
             # ./modules/decisions.nix
             ./modules/stream.nix
             # ./modules/struktur-bot.nix

hosts/quitte/network.nix

@@ -15,7 +15,6 @@
 
     firewall = {
       logRefusedConnections = false;
-      trustedInterfaces = [ "podman0" ];
     };
   };
 
@@ -47,8 +46,10 @@
       ];
       networkConfig = {
         DNS = [
-          "127.0.0.1"
+          "9.9.9.9"
-          "::1"
+          "149.112.112.112"
+          "2620:fe::fe"
+          "2620:fe::9"
         ];
         LLDP = true;
         EmitLLDP = "nearest-bridge";

keys/pgp/jonasga.asc

@@ -0,0 +1,92 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQINBGNNDUkBEADJu4HorNwlrimCfAmf1Sb2iHMoS4xwYn7AaU+U3RVivIfB/qNi
++ggKF6osggihttIPEQqXqS591jutnIKP+KKvD9n8/jfCsDi5m6Ddwz61rL2NvEad
+bMJSViUzIEIDgQTJT8CByWJpPPND3MoKOuEK/XUQpKmhACT8l+xWSz9UpxPchAUa
+1vI7Q+jt/ik0EI7sH5WFaBzFj4xAwXXyWYuw6G5nP2oW237NLQnMwMFywLOyI7Qm
++PfY/l4HKrNFYBiuv4ToGU5tAb1a23Rp+IV9faPZsT0IFYdxdkQUuu9s2JZ2UnvV
+VfJ0NWheToCY/R4TZkMDGhNSpotsRLhgdsVJsoBws61ndV/IgrIQbVnMNZrXvn+z
+tOtdlECVflGIICJkbXtBiGtgMRdJMNHnt4a3/2yPtCTG03Kt+38COh0ox5j3+HIg
+87Xxxln7z8zolalRkKi6NbOY7qoITcnbZIF972/8SI3UjYERJ4/ay9ucKIU1WLGv
+Ei97s+IDHt8KXJizc4Z7XfssZ9BcIZ/ekfOopN2Av0U33LCcTKHw9ZVmuoZCfL+u
+L8TDQLHJT75n+4yOTKXu00pYxWqT5FOFS0RMYb98QLDmcIDQ+B7pw82UGF3/3Fx6
+YBNY4IjFqIovVmU1UKt4KdLrdOSN8cQtcCxORqT+89bjIG68DbIzO7iCpQARAQAB
+tDFKb25hcyBHYWZma2UgPGpvbmFzLmdhZmZrZUBtYWlsYm94LnR1LWRyZXNkZW4u
+ZGU+iQJUBBMBCgA+AhsDBQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAFiEE+0TwdG3y
+XwskourlhsiiV8PsgqsFAmS3zscFCQcOW/4ACgkQhsiiV8Psgqvirg/9H+XHvntb
+shbst+vM9x8IKwhaOrH6IwZa/b9v8y8MRmbXoculQUuDyoeN0+RZkdeYZ25cjbnj
+qGzFS2gspWgNcpQ6yH3lOiwFMWG18M8RrXnpe0lOuo1JrqN10xgnbE/XahAdzshq
+riTMd8c2u8xaTQpLajdzPjgn13eDsqq1GfdTUi+p6olIwEhVH+PBxNQsav5EaU/0
+BzVnIC0U/TDeNmZk6NNvxJItDwdGbDW9fIlWSoz112WlnBTaP0cwg9lKVGSXfECc
+HSh+FKhJoaCxXxy2lsSJTz0yvjZp/lKCQ1aOd546CMChoncaN7G+rQZjk2reCoE2
+zMey8zm0o3ik4aVEHLRbPhM7en0wywp1H4NmEq94cvQ2epYS58YB8owrZk/cSlqc
+NH3Jw9wqQx3Wd+WLCYVn/Hoyj1QxeQJ1xvLau4KDE7dTVBXfWX9pv+zUi54R1bxB
+82907uId83VrtC0hGtwNz68wIfFduZJapZ50nIe+aXM3h4/BBqA7R2H/MKBy3VoA
++pVVcIXk1HHEoZCt141ikHLOYAeUo8A98Dh6BESCuh0tCNa7Xh/3EZnvPIAVmiP4
+twrHYz2ARG6NgIVJCwnmSHyV76gPwT98fuX5KRkGh9Ev19DBL75tvLiwLiqSiR4Y
+liwM4YMa71wqet+CsQ7CAdI7LaGOB1wo7Xe0H0pvbmFzIEdhZmZrZSA8am9uYXNA
+am9uYXNnYS5pbz6JAlQEEwEKAD4CGwMFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AW
+IQT7RPB0bfJfCySi6uWGyKJXw+yCqwUCZLfOxwUJBw5b/gAKCRCGyKJXw+yCq0tN
+D/4/sle7D5dGsl12/2hq09rKOYeN2IedzTYtY6EYaMVMGgh35YVUXYRsj0JmIt3c
+m/L68d3rhxkiIxSdaXxZDvVvoOATgAnn4wXuz2LrtxoPpwVb8yREBIDSTymAHKgT
+5IXWl/x2CB6rQ9rlyg00m4sEOJ3newytVK24QtEiSseuDrR+5RGyP85UFjVSKWtE
+kYuIk1Rst+T0XJUJlIMjpMLtTF9Z15FwTRvPUhHfO8wmdp/xfHWdyB0qZI0QdnlA
+4uGP1TaXw7fm1o1frlla6LxIRCIe/Bk4pIPVg70BjO8HDPr8AQhTLqa2+1rI+AXD
+Wp3ROOe5X0fXV3liT/J/lXLBerWbYibVcHZluvEru7cgS3xBrbKP4OCF0i3xvueU
+dZnat1bfNPua6VXxACfoIGP7XYoRH+mx1Pv0tCiGv++5Lr9QGmDRwFEC1IgMnPu3
+YVu3wrTVZhyhyPKlp1golx9ZCemgyimqNNdfDEea0I75UTkoOfLpjwFGHuB2KiOX
+xyfaIxgOLN3/eefT6GYGmI9/it7E2cZhjEMCRRHsqFEa3MSZABIs/VGFctsJVVQy
+ke5hZavElLUGbDeP3GCdAnYb+DG3lP1KuzCqaGwpfZOh9WqlmxhGHnr+SkPDcAwO
+E6FZ63E6da1BW7aqQK9IQIlz1wT2fwLfyyiNTuH0GksA67QkSm9uYXMgR2FmZmtl
+IDxqb25hcy5nYWZma2VAYWdkc24uZGU+iQJUBBMBCgA+AhsDBQsJCAcCBhUKCQgL
+AgQWAgMBAh4BAheAFiEE+0TwdG3yXwskourlhsiiV8PsgqsFAmS3zscFCQcOW/4A
+CgkQhsiiV8PsgqvrihAAryY5C9niS6gXqKVnXWNlf/cesDCRNEs1akOLmwF4S541
+dsbKt9Ox4EWjaGkVC3ucKa7ejRqkOSoVnj+8iEDFaLJbhd2btYjKqWRXm8leuiHq
+SJ8tdsBDXXYodp8riTaPw8q+BV/OIjalTRq06dCon7kJtQiPolSvUr+pz9BIcWCV
+DxVlx/tI5SUuLEfa0cxFjkxVX/PyjijF3NXelMxDGDv4VjXZcZ8/gbHZUQeba4ku
+utfyeUpz8Jk2QcCROtO9XQNvPw8ae9KC+zSmiWOmK8CEMM9UAnHHV3M4nPi8Toef
+Na/W+48uWX7MNsD2DvQPft8Rv71bPnJpdU2sPfND4I8TsV0cjKRapfuhDkBA7QF7
+RxQtDS2QE1pMI2MbLoAJi2vItnXx1GV61ZL40pNbofVylJLfddjSJ2Mt2Vr9CxOJ
+yNk+lq36DzWELcWTbW8wlinEmzg3EPFMQKfPtMGAqQ/c+5e4WCxGPdwYZMpX5CRc
+SevoIWIS7D0lSzxMFnEmSEbV8UTCiQTqOYKvwXpD8APJ0BlJzxSxh6nWOvW63O4q
+hZWU+iNjifongAZ5bHdj9LTnLcMZtNZCUaGOT3JQOfXo9CFCa9CQY45RNHFCyWpj
+jMONEUxh/kSBiNmCQ7hReiMOo0v0DPziZGlU6xOgbO7FY65w/aBG4KzyO54ObtG0
+I0pvbmFzIEdhZmZrZSA8am9uYXMuZ2FmZmtlQGlmc3IuZGU+iQJUBBMBCgA+AhsD
+BQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAFiEE+0TwdG3yXwskourlhsiiV8PsgqsF
+AmS3zscFCQcOW/4ACgkQhsiiV8Psgqu1uRAAxd4g81gphfrBqh7dQdJxYoj6CWqZ
++yrqkoFLrHtT2nEc2o/gzJ3NRtUOVVkbZavWm3+U0/kYn0l/2pC/rRh7EzMmqVqV
+tib+F56dWTSiJ/4jwkUIxKiQdUYP9M1HHyYUY+aNU+ob3S19IMy4hvE/jSk7o8y6
+vYx4LsOkxr2/VclsUE+1F9rPUUymbwPzcLCuStP2dHrIvyVTyKFEE2SYv8Vt53sb
+6IFfo1Fef3gVzlfPgYVpprnumF1SDufSIT4xy5NIbKngeUxlLzsXFpgjoAEqGJQM
+XdlAc1JwOL0vB5F8fYVXvCn/xqGdm5XByAQZhZsod0yPvfLr56T57wRQl2KZLDFk
+90FSVgn9Z+mfimixgo5sQ6PJaLmBZl4ZLdnX1RGT8sjXyhX8QRdB8VRk1NEoxBWv
+W7ZvuLZXJ5HuVj8zsrS56PFBwcIure4K9OZyYdWIDLLGDyMWBcXhmbrcHxTsBoCH
+vWIY6xQdpKBwnK/eDeMTcvyxnfbRbg1InvPp9WwUHixiJpFfJg/D3ljKp9DfhG1I
+KZs6kc7rxiUdrxsAul2thrd9OdVWHWc8KZgHH3Lu/+0Ff4BqgTCHOtAQF1WRLGMq
+Bz/ZmkaPpF+bCFL8DIWKpZ0RIroGzRrJ/+HpPrNifgTLppXFeORaERmBKjsvGxk9
+kxs4/YrT7NRJFci5Ag0EY00NSQEQAL2QNEcd2EB7Pxgfywr8FKH5j7pa5LcLPAIQ
+zSQYIcjkNJ2RwCFJ2NRmnlHi1K/Ig2rU/CyHn2AQ5xJirMn08Zfe40L8fLjR8nx8
+8123BxURzC9jOy9/P4XQnVsyA82nyjm1b7ZdYxBKtfuw1p3N5ZBn0VIQ8tcdIkVw
+WB1WWK5kvkhHzjrtJBTKsgFXGreKdy7eSXdJ+GnXRAcGMtvDdLI3FuuqFhSiQk5Z
+8iuG8vbIefC/FvK74qADST3rFi+hKDVx+nMrGMtaNs41ogrgcsOL5kg62MLH562x
+g3/a4xk75374t9j1SuJOz74PuSdpyNuj1Np9nrA7qjCpiXgoD2RKv6nUVdtg2ONT
+2D4HU65gq4/EJhgLm0pybImBmaNV0yQ7c1jvTl5UvDe6eo+PiKSheDJUKt1Yf+qM
+8RGquQ08kYvYSIqGEPmZGWTLfKUrmGdRPP8M1GiavOph5zagRRUvx8fMAZ24YmBD
+NdkrFs4TykfwWpKXxxgnAFfpe/U8qh0Nn3EpMbFVddykGgbu/lp0hlD9sBwMRKSN
+WrjP6EcQxU+2F+iXA7ycnqc0gm2NFbF7hxfq01aeHsAEDYjJ7P3MqhS77eizubnF
+uMmFBN7bX8nSzgBW3EPf/U6MXWgVmBu6AoTlLryDN7FVM/lQROyysAzXAZTpVfdj
+JYvK6Ek7ABEBAAGJAjYEGAEKACAWIQT7RPB0bfJfCySi6uWGyKJXw+yCqwUCY00N
+SQIbDAAKCRCGyKJXw+yCq894EADEaqstXPduTKMdKoI3nA4IzODp89HXEyxZ5w7I
+WBX9QVu6bsI6uIXCb6YTNaleLUoz6XKHKctzCexyNOSChbKeFC5pnCejqjTHZfip
+6bUcuaFYGsbzWUEasIlMxISLs3yHSf5sN7FNU2Oms/3EE5nY/pFZKR4V/bvk7FdG
+UIE6/Pv9Z7Xw/y83CH+W72y83Ugk3iqFjcNcFRQ1JIHASqka5T2k6FTSfTvHlrRG
+yTSsGe9r2Gkh8GkGmaMboIW/drd71w81Wn5wUWDZBWqEP0UMQ5mld/sGCnmiM2u7
+yWbYXSTUvluutHsXZuhlAv8TGp6VkpCtmUquoM1UpmEGRb223YDPtBZdyOl+UnQE
+b8pN0pt+yDlYXX7kMi/i9WgR/vKm6YlAKziJwOdnKG4bP/urZDz602BXJWH8TWim
+/1CT5uMEdSEN5xBjyUt0q6Q1eGtB4Rub9J492yGJmp3IhvzeYoOmKjtmyPKFdDki
+21eBTU/TSPHToYtVW3Xm5afdM9313Y+hB3gyC9cQWWJdDi/rUtVi//j8lQErKxoM
+h97b5VOeFMO21EFXGiTLlPaP+qs7Ngqc4/Y7rGAbr50CVVDJUxawMO0+r32j+M2o
+rBWzVWTKM0uFGTRdVzwWSnYTltU1JoZ0xmV9HGJhLuQHRJ+F+8n7YxIke9wVU1yR
+q0Mleg==
+=M2wX
+-----END PGP PUBLIC KEY BLOCK-----

keys/ssh/frieder

@@ -1 +0,0 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH70IC7DaiGBYdftUhuOE9CatcdYj2L50eZfztQA+pVs fried@Frieders-Void-Laptop

keys/ssh/jonasga

@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDpOQuIl31BL16yXdLlbzSDCle6bjE3WNVXzOV9ibdzEC3PpUufJDTU7FMW3WCO9fnYJ5osPKbV9nou5/10mPuN0g+k1e0NWUZNHbG+5zRqS7QYGFmtDC8EUTx1xnri5zMBMn9jzjNE8BkqvsjGrHcVCtI2T51slwFjE60GFkloQ7izRDrNkge1iM57KhoXz5MeYJtolDqeOh5P7nfAUR4bGT/gGtYVd85oCvbsHcjF9vgDovAfNP+zQhUn51ZOXvGp8+1/MAJVtxLfjC9Ma3LRiiliD6w5zcsksG5cUGcj2Sk9i/7nTm7g5MGo4EKwgPMw/MRzSRzvlZ76oPSPSLKn jonas@T14s

modules/authentik/default.nix

@@ -1,16 +0,0 @@
-{ config, lib, ... }:
-let
-  domain = "idm.${config.networking.domain}";
-in
-{
-  sops.secrets."authentik/env" = { };
-  services.authentik = {
-    enable = true;
-    nginx = {
-      enable = true;
-      host = domain;
-      enableACME = true;
-    };
-    environmentFile = config.sops.secrets."authentik/env".path;
-  };
-}

modules/core/base.nix

@@ -64,6 +64,7 @@
       ../../keys/ssh/jannusch
       ../../keys/ssh/jannusch-arch
       ../../keys/ssh/tassilo
+      ../../keys/ssh/jonasga
       ../../keys/ssh/rouven
       ../../keys/ssh/joachim
     ];
@@ -114,7 +115,6 @@
     zsh
     unzip
     yazi
-    imagemagick
   ];
 }
 

modules/core/mysql.nix

@@ -10,6 +10,7 @@
     user = "mysql";
     location = "/var/lib/backup/mysql";
     databases = [
+      "decisions"
       "fsrewsp"
       "nightline"
       "wiki_ese"

modules/kanboard.nix

@@ -1,4 +1,4 @@
-{ config, ... }:
+{ config, pkgs, ... }:
 let
   domain = "kanboard.${config.networking.domain}";
   domain_short = "kb.${config.networking.domain}";

modules/ldap/default.nix

@@ -82,4 +82,9 @@ in
       };
     };
   };
+  networking.firewall = {
+    extraInputRules = ''
+      ip saddr { 141.30.86.192/26, 141.76.100.128/25, 10.88.0.1/16 } tcp dport 636 accept comment "Allow ldaps access from office nets and podman"
+    '';
+  };
 }

modules/mail/rspamd.nix

@@ -184,7 +184,6 @@ in
     redis = {
       vmOverCommit = true;
       servers.rspamd = {
-        port = 0;
         enable = true;
       };
     };

modules/stream.nix

@@ -1,12 +1,13 @@
 { config, ... }:
-let cfg = config.services.owncast;
-in
 {
   services = {
     nginx = {
       virtualHosts = {
         "stream.${config.networking.domain}" = {
           locations."/" =
+            let
+              cfg = config.services.owncast;
+            in
             {
               proxyPass = "http://${toString cfg.listen}:${toString cfg.port}";
               proxyWebsockets = true;
@@ -18,12 +19,8 @@ in
       enable = true;
       port = 13142;
       listen = "[::ffff:127.0.0.1]";
+      openFirewall = true;
       rtmp-port = 1935;
     };
   };
-  networking.firewall = {
-    extraInputRules = ''
-      ip saddr {141.30.0.0/16, 141.76.0.0/16} tcp dport ${toString cfg.rtmp-port} accept comment "Allow rtmp access from campus nets"
-    '';
-  };
 }

modules/unbound/default.nix

@@ -1,14 +0,0 @@
-{ ... }:
-{
-  services.resolved.extraConfig = ''
-    DNSStubListener=no
-  '';
-  services.unbound = {
-    enable = true;
-    settings = {
-      server = {
-        interface = [ "127.0.0.1" "::1" ];
-      };
-    };
-  };
-}

modules/web/default.nix

@@ -12,6 +12,5 @@
     ./userdir.nix
     ./ftp.nix
     ./hyperilo.nix
-    ./notenrechner.nix
   ];
 }

modules/web/ftp.nix

@@ -11,7 +11,6 @@ in
       fancyindex_exact_size off;
       error_page 403 /403.html;
       fancyindex_localtime on;
-      charset utf-8;
     '';
     locations."~/(klausuren|uebungen|skripte|abschlussarbeiten)".extraConfig = ''
       allow 141.30.0.0/16;

modules/web/hyperilo.nix

@@ -12,7 +12,6 @@
       proxy_http_version 1.1;
       proxy_set_header Upgrade $http_upgrade;
       proxy_set_header Connection $connection_upgrade_capitalized;
-      proxy_set_header Authorization ""; # drop the basic auth headers, otherwise remote console doesn't work
     '';
   };
 

modules/web/ifsrde.nix

@@ -60,7 +60,6 @@ in
         "~ ^/cmd(/?[^\\n|\\r]*)$".return = "301 https://pad.ifsr.de$1";
         "/bbb".return = "301 https://bbb.tu-dresden.de/b/fsr-58o-tmf-yy6";
         "/kpp".return = "301 https://kpp.ifsr.de";
-        "/mese".return = "301 https://ifsr.de/news/mese-and-welcome-back";
         "/sso".return = "301 https://sso.ifsr.de/realms/internal/account";
         # security
         "~* /(\.git|cache|bin|logs|backup|tests)/.*$".return = "403";

modules/web/notenrechner.nix

@@ -1,9 +0,0 @@
-{ config, specialArgs, ... }:
-let
-  domain = "notenrechner.${config.networking.domain}";
-in
-{
-  services.nginx.virtualHosts."${domain}" = {
-    root = specialArgs.notenrechner.packages."x86_64-linux".default;
-  };
-}

modules/web/sharepic.nix

@@ -1,14 +1,60 @@
-{ pkgs, config, ... }:
+{ pkgs, config, lib, ... }:
 let
   domain = "sharepic.${config.networking.domain}";
+  user = "sharepic";
+  group = "sharepic";
 in
 {
-  services.nginx.virtualHosts."${domain}" = {
+  users.users.${user} = {
-    root = pkgs.fetchFromGitHub {
+    group = group;
-      owner = "jannikmenzel";
+    isSystemUser = true;
-      repo = "iFSR-Sharepicgenerator";
+  };
-      rev = "ac721d5fff2dba1f046939a6d6532b1a8cfceba8";
+  users.groups.${group} = { };
-      hash = "sha256-of+N58TDt2BcbDVEriKn6rjQVl0GdV4ZMEblrdUutZk=";
+
+  services.phpfpm.pools.sharepic = {
+    user = "sharepic";
+    group = "sharepic";
+    settings = {
+      "listen.owner" = config.services.nginx.user;
+      "pm" = "dynamic";
+      "pm.max_children" = 32;
+      "pm.max_requests" = 500;
+      "pm.start_servers" = 2;
+      "pm.min_spare_servers" = 2;
+      "pm.max_spare_servers" = 5;
+      "php_admin_value[error_log]" = "stderr";
+      "php_admin_flag[log_errors]" = true;
+      "catch_workers_output" = true;
+    };
+    phpEnv."PATH" = lib.makeBinPath [ pkgs.php ];
+  };
+
+  services.nginx = {
+    enable = true;
+
+    virtualHosts."${domain}" = {
+      root = "/srv/web/sharepic";
+      extraConfig = ''
+        index index.php index.html;
+      '';
+
+      locations = {
+        "/" = {
+          tryFiles = "$uri $uri/ =404";
+        };
+        "~ \.php$" = {
+          extraConfig = ''
+            try_files $uri =404;
+            fastcgi_pass unix:${config.services.phpfpm.pools.sharepic.socket};
+            fastcgi_split_path_info ^(.+\.php)(/.+)$;
+            fastcgi_index index.php;
+            include ${pkgs.nginx}/conf/fastcgi_params;
+            include ${pkgs.nginx}/conf/fastcgi.conf;
+            fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name;
+          '';
+        };
+        "/data".return = "403";
+      };
     };
   };
 }

modules/wiki/ese.nix

@@ -6,9 +6,6 @@ let
 in
 {
 
-  system.activationScripts.hacky-mediawiki-convert = ''
-    cp ${pkgs.imagemagick}/bin/convert /srv/web/wiki.ese/convert
-  '';
   users.users.${user} = {
     group = group;
     isSystemUser = true;

modules/wiki/fsr.nix

@@ -38,7 +38,6 @@ in
       };
 
       extraConfig = ''
-        wfLoadSkin( 'MinervaNeue' );
         $wgSitename = "FSR Wiki";
         $wgArticlePath = '/$1';
 
@@ -58,7 +57,6 @@ in
         $wgUseAjax = true;
         $wgEnableMWSuggest = true;
         $wgDefaultSkin = 'timeless';
-        $wgDefaultMobileSkin = 'minerva';
 
         //TODO what about $wgUpgradeKey ?
 
@@ -77,15 +75,13 @@ in
           ],
         ];
       '';
+
       extensions = {
         # some extensions are included and can enabled by passing null
         VisualEditor = null;
         # the dir in the mediawiki-1.42.3.tar.gz inside of the extension folder is called "SyntaxHighlight_GeSHi" not "SyntaxHighlight"
         SyntaxHighlight_GeSHi = null;
-        MobileFrontend = pkgs.fetchzip {
+
-          url = "https://extdist.wmflabs.org/dist/extensions/MobileFrontend-REL1_43-3b4cac8.tar.gz";
-          hash = "sha256-aJOArZl+oO/ADjxIhlFVGS8hGmpSp6nsgC7XkKEk1Ks=";
-        };
         PluggableAuth = pkgs.fetchzip {
           url = "https://extdist.wmflabs.org/dist/extensions/PluggableAuth-REL1_42-1da98f4.tar.gz";
           hash = "sha256-5uBUy7lrr86ApASYPWgF6Wa09mxxP0o+lXLt1gVswlA=";

modules/zammad.nix

@@ -1,4 +1,4 @@
-{ config, lib, ... }:
+{ config, ... }:
 let
   domain = "tickets.${config.networking.domain}";
 in
@@ -9,18 +9,11 @@ in
       createLocally = true;
       type = "PostgreSQL";
     };
-    redis.port = 6380;
     port = 8085;
     secretKeyBaseFile = config.sops.secrets."zammad_secret".path;
   };
 
 
-    services.redis = {
-      servers.zammad = {
-        port = lib.mkForce 6380;
-        enable = true;
-      };
-    };
   # disably spammy logs
   systemd.services.zammad-web.preStart = ''
     sed -i -e "s|debug|warn|" ./config/environments/production.rb 

overlays/default.nix

@@ -1,7 +1,6 @@
 _final: prev:
 let
   inherit (prev) fetchurl;
-  inherit (prev) fetchpatch;
   inherit (prev) callPackage;
 in
 {