mattermost: 9.11.4 → 9.11.5

this is a security release:
https://mattermost.com/blog/mattermost-security-updates-10-1-3-10-0-3-9-11-5-esr-9-5-13-esr-released/

.rgignore

@@ -0,0 +1 @@
+websites/*

.sops.yaml

@@ -0,0 +1,23 @@
+keys:
+  - &parsons age1yql8qaf7upraqy4cq397tt4vgs046hq0v59qymla8t3x0ujqvu4sesgsvw
+  - &hexchen-backup age1zgdegurzlr8cw9948wgf4q5qh3efltwhhzus5tt6az5xvvsux9us2v4tyd
+  - &stuebinm-ilex age18wkr3kjalalzrq9l05q32gnlaqr7t6rqqzde307m83rs9fp4xcfsdtj9gt
+  - &stuebinm-surltesh-echer age1q88az2y5hnx8naqsvrurllqj6y5gtehrpa9emmrxy5ghwsr7pvnqf7tfpx
+  - &stuebinm-abbenay age18nkru4pwvvapdw76nauv2xdtlj8cvyv3ugahe9kcxtvtsptx2eyqw7p0m6
+  - &octycs-m age1fm3e99tdyrsvztdchxxllt9nat35xzvd68d09y8scu9jfc7kvvuquhr49c
+  - &zauberberg-conway age16fk0m26n0fr2vmuxm2mjsmrawclde2mlyj6wg3ee9jvzmu5ru3ustgs5jq
+  - &moira-2022-06 age1l694a4xht7r0eza9r2vjncupmp6cxyk3k9x2ljwynnur4m2lc5jqmy3jut
+  - &moira-openpgp age1m374x78q9eykua32ldrqxh8rh36kz6jyre69a263krf28hcycsqsrmshl0
+creation_rules:
+  - path_regex: secrets.yaml
+    key_groups:
+    - age:
+      - *parsons
+      - *hexchen-backup
+      - *stuebinm-ilex
+      - *stuebinm-surltesh-echer
+      - *stuebinm-abbenay
+      - *octycs-m
+      - *zauberberg-conway
+      - *moira-2022-06
+      - *moira-openpgp

README.md

@@ -1,22 +1,26 @@
 # hacc nixfiles
 
-welcome to hacc nixfiles (haccfiles). this is the code describing our nix-based infrastructure.
+Welcome to the hacc nixfiles (haccfiles). This is how we configure (most of)
+our infrastructure.
 
-## structure
+## General layout
 
 - `flake.nix`: Entrypoint & dependencies
-- `common/`: configuration common to all hosts
 - `modules/`: home-grown modules for hacc-specific services
-- `pkgs/`: packages we built and don't want to upstream
-- `hosts/`: configuration.nix per host (currently there's only one of those)
-- `services/`: all services we run; imported in appropriate host config
-- `websites/`: static websites we deploy somewhere
+- `pkgs/`: packages we need which aren't in nixpkgs
+- `websites/`: static websites hosted by us
+- `common/`: meta-level config, reusable across machines
+- `parsons/`: our sole server, its config & the services it runs
 
-## working with the haccfiles
+Right now, we only have a single host. We might add more again in the future.
+
+## Working with this repo
 
 You will need a flake-enabled nix installation, and have your ssh config set up
 so that `ssh parsons` will connect to `parsons.hacc.space`.
 
+### Deploying remotely
+
 It's recommended to use [deploy_rs](https://github.com/serokell/deploy-rs):
 ~~~shell
 deploy .#parsons -k [--dry-activate]
@@ -28,13 +32,12 @@ nixos-rebuild --flake .#parsons --target-host parsons \
   --use-remote-sudo --use-substitutes [test|switch|dry-activate]
 ~~~
 
-If for some reason you have `nix` but not `nixos-rebuild`, you can still build the
-system closure using:
-~~~shell
-nix build .#nixosConfigurations.parsons.config.system.build.toplevel
-~~~
+### Re-deploying on parsons itself
 
-(but you might have trouble deploying it)
+Simply do:
+~~~shell
+nixos-rebuild --flake .#parsons [test|switch|dry-activate]
+~~~
 
 ## Working on websites
 

common/default.nix

@@ -4,7 +4,6 @@
   imports = [
     ../modules
     ./users.nix
-    modules.network.nftables
   ];
 
   boot.kernelPackages = lib.mkDefault pkgs.linuxPackages;
@@ -16,6 +15,7 @@
     SystemMaxUse=512M
     MaxRetentionSec=48h
   '';
+  nix.package = pkgs.lix;
   nix.gc.automatic = lib.mkDefault true;
   nix.gc.options = lib.mkDefault "--delete-older-than 7d";
   nix.settings.trusted-users = [ "root" "@wheel" ];
@@ -27,13 +27,16 @@
   services.openssh = {
     enable = true;
     ports = lib.mkDefault [ 62954 ];
-    passwordAuthentication = false;
-    kbdInteractiveAuthentication = false;
-    permitRootLogin = lib.mkDefault "prohibit-password";
-    extraConfig = "StreamLocalBindUnlink yes";
-    forwardX11 = true;
+    settings = {
+      X11Forwarding = true;
+      PermitRootLogin = "prohibit-password";
+      PasswordAuthentication = false;
+      KbdInteractiveAuthentication = false;
+      StreamLocalBindUnlink = true;
+    };
   };
   programs.mosh.enable = true;
+  programs.fish.enable = true;
   security.sudo.wheelNeedsPassword = lib.mkDefault false;
 
   i18n.defaultLocale = "en_IE.UTF-8";
@@ -58,7 +61,7 @@
     whois
     iperf
     fd
-    exa
+    eza
     socat
     tmux
     gnupg
@@ -72,6 +75,8 @@
     ffmpeg-full
     bat 
     niv
+    sqlite-interactive
+    hacc-scripts
   ];
 
   security.acme.defaults.email = "info+acme@hacc.space";

common/users.nix

@@ -19,24 +19,12 @@
       ];
     };
 
-    stuebinm = {
-      uid = 1005;
-      isNormalUser = true;
-      extraGroups = [ "wheel" ];
-      shell = pkgs.fish;
-      openssh.authorizedKeys.keys = [
-        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG7J3peZGB4XGJKI1dV5PdpQS+TzmoJ7qL//ipCG7G5K stuebinm@surltesh-echer"
-        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKPB74xA2GBXnDwPEEaxWLONdQyBwjDoJHYagKRQXwO2 stuebinm@abbenay"
-        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH8e9WrHsknoFwBm/YaigOSz9VI8dXRRR5G9BX4kKt9/ stuebinm@ilex"
-      ];
-    };
-
     octycs = {
       uid = 1002;
       isNormalUser = true;
       extraGroups = [ "wheel" ];
       openssh.authorizedKeys.keys = [
-        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDobGLrA6YQAKdJkZMpAsqjlk744G/pCJEvAUNJDuT1Sr59BFKDchPT03exb0o39mjH4iqvw4JDI10RfylKbR1736Ji2yRLlbCzUdgv2CfZc28TAO0rscyT49RHJmzEEE5QD4Ge7MgvFBEmZKXAxntA8M8EbxxEVfzhWp3751BYkzrCbJiHMXcTb+BG9P6rmrraINmgUJxywym5PsMYt2sfHlVus3hSpWnCR/cu0nxmW9E6Tm6CzSkWOXOTdjVuc0Kgh5GXaKDROzJ9K7cJAhd5t8Yzqtpm2xfSU5FVVUH9i7PbXOo8FL82Xi6kWMgdFNLvKimxGqW+bCv3ROlyKWF4I+HQdfdL181KaOQ40jAvjmldrB/ZiEbuWYSBZ/XhxFkKrtBYPDFHq/a5lnH3OvcDm7+/LhwIKUnyZyQ2dXOLOTOEDsO/69xwNveCB8of9o/erDbOeb+d44cXUFpPMUTz4bHXEP6y+zz8TB8/aleGbLQCPUzRZfvazN95jGUDqkumi9B3Lf+W/KpjVUgu3NQsUuJn6khMYW9VefnJvHwzbWpqIzbzNePL4iZFECv4NHPQHO/katajnMbkCie9rfnLk1EjJnrSnZUInEygkW/7Eu4EQM2h7lU4HYfwP1c4ubCFdES0ELGqSuJRwd/ORDbgxbuKOQ7gZ3/lgHdr9KGqJQ== markus.amaseder@amaseder.de"
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIQqFXSlqW+D4ZtVdCiN9IT461iwyqy2taBRD3qkvXqn m@octycs.eu"
       ];
       hashedPassword = "$6$qQEbD8Ejx/y$6/nkX8CmFBtAlUP/UbFKVMVlA.ZvVbjQZRABqXQjU11tKpY25ww.MCGGMEKFv.7I/UH/126/q0S3ROTqePUEc.";
     };
@@ -46,7 +34,7 @@
       isNormalUser = true;
       extraGroups = [ "wheel" "cdrom" ];
       openssh.authorizedKeys.keys = [
-        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCt34ou3NYWoUayWrJa5ISzihAAhFiwolJPmm2fF9llPUUA8DP3BQRiKeqDlkDzhWLwztb+dNIUuregiFJdRN5Q2JZBKlM7Gqb1QtPhtK+xe2pyZPX2SWKIsKA6j3VAThhXsQdj3slXu3dG8FF7j+IFg/eTgpeQIFQQkMIc204ha8OP2ASYAJqgJVbXq8Xh3KkAc1HSrjYJLntryvK10wyU8p3ug370dMu3vRUn44FEyDzXFM9rfsgysQTzVgp+sXdRfMLeyvf+SUrE8hiPjzevF2nsUP0Xf/rIaK5VayChPLXJkulognINzvuVWAdwNPDLpgGwkjglF2681Ag88bLX allesmoeglicheundvielmehr@hotmail.de"
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOfxXSy22k2EZwz1EtvIMwQKGWsswEBeLn5ClhuiI4Ma lukas@Conway.lan"
       ];
       packages = with pkgs; [ ffmpeg ];
     };
@@ -62,5 +50,37 @@
       ];
       hashedPassword = "$6$zkAsaVdmIduqZxez$GY9aBlYeP41F0it/VbbZzLLLRQhHAbDdFsa3e/1GS9McTuSimMHODg6HqNVEH1zSqD3afhK/0UHfqbtF5qpi90";
     };
+
+    stuebinm = {
+      uid = 1005;
+      isNormalUser = true;
+      extraGroups = [ "wheel" ];
+      shell = pkgs.fish;
+      openssh.authorizedKeys.keys = [
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG7J3peZGB4XGJKI1dV5PdpQS+TzmoJ7qL//ipCG7G5K stuebinm@surltesh-echer"
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKPB74xA2GBXnDwPEEaxWLONdQyBwjDoJHYagKRQXwO2 stuebinm@abbenay"
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH8e9WrHsknoFwBm/YaigOSz9VI8dXRRR5G9BX4kKt9/ stuebinm@ilex"
+      ];
+    };
+
+    leah2 = {
+      uid = 1006;
+      shell = pkgs.fish;
+      isNormalUser = true;
+      extraGroups = [ "wheel" "cdrom" ];
+      openssh.authorizedKeys.keys = [
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK4o/ncaQUorp/BeZesPnVhzvfoqLJW3WZHtz+CWQvFU"
+      ];
+    };
+
+    floppy = {
+      uid = 1007;
+      shell = pkgs.fish;
+      isNormalUser = true;
+      extraGroups = [ "wheel" "cdrom" ];
+      openssh.authorizedKeys.keys = [
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDyVQhFDcoMnoYivQu1h8NCTWa+2WriZ1m5BilkuUk4u"
+      ];
+    };
   };
 }

docs/_index.md

@@ -0,0 +1,7 @@
++++
+title = "hacc infra documentation"
+page_template = "doc-page.html"
+sort_by="title"
++++
+
+

docs/auth.md

@@ -0,0 +1,10 @@
++++
+title = "Authentication"
+categories = [ "services", "uffd" ]
++++
+
+We use [uffd](https://git.cccv.de/uffd/uffd) for our SSO, for better or worse.
+Mostly for worse.
+
+
+

docs/domains.md

@@ -0,0 +1,20 @@
++++
+title = "Domains"
+categories = [ "domains", "meta" ]
++++
+
+Perhaps too many of them.
+
+## Domains
+
+| domain               | mc  | status  | date     | reseller    | owner      | custody   |
+| :------------------- | :-: | :-----: | :------: | :---------- | :--------- | :-----:   |
+| 4future.dev          | yes |         |          |             |            | hacc e.V. |
+| infra4future.de      | yes |         |          |             |            | hacc e.V. |
+| hacc.space           | yes |         |          |             |            | hacc e.V. |
+| hacc.earth           | yes |         |          |             |            | hacc e.V. |
+| hacc.media           | yes |         |          |             |            | hacc e.V. |
+| hacc.wiki            | no  |         |          |             |            |           |
+
+mc = managed by cloudflare  
+status = (renewl | autorenewl | expires)

docs/hostnames.md

@@ -0,0 +1,16 @@
++++
+title = "Hostname schema"
++++
+
+[Badass Anarchist Women](https://listverse.com/2018/09/27/10-absolutely-badass-anarchist-women-who-challenged-the-system/)
+- keller
+- deCleyre
+- davidNeel
+- leGuin
+- [parsons](../parsons)
+- ohair
+- berneri
+- michel
+- sanger
+- goldman
+

docs/lxc.md

@@ -0,0 +1,17 @@
++++
+title = "LXC"
+categories = [ "lxc" ]
++++
+
+Some things don't easily run on NixOS. For these we have LXC containers running
+debian.
+
+Right now, only onlyoffice is left.
+
+## Useful commands
+ - login to a container as root with a usable shell
+   `lxc-attach -n <name> -- /usr/bin/sudo -i`
+ - restarting the keycloak and ldap containers
+   `lxc-stop -n <name> && lxc-start -n <name>`
+ - restarting their network bridge:
+   `systemctl restart lxcbr0-netdev.services`

docs/rebooting.md

@@ -0,0 +1,18 @@
++++
+title = "Rebooting Parsons"
+categories = [ "nix" ]
++++
+
+## Check integrity after unexpected shutdown
+These steps are only required if the server shut down unexpectedly or you suspect tampering.
+
+TODO
+
+## Unlock full disk encryption
+Connection to the server via the command listed in the shared password manager.
+Only the Vorstand has access to it!
+
+Enter the passwords for dpool and zroot.
+
+If both are correct, you will be disconnected and the server continues the boot sequence.
+The server should be up after about minute. Please check all services for availability.

docs/secrets.md

@@ -0,0 +1,21 @@
++++
+title = "Secrets"
+categories = [ "services", "sops" ]
++++
+
+## Secret management
+
+We use [sops-nix](https://github.com/Mic92/sops-nix) to manage secrets which we'd
+like to have in Git but don't want to be public. Entries in `secrets.yaml` are
+encrypted for each of the age keys listed in `.sops.yaml`, which are themselves
+derived from ssh keys.
+
+For the initial set up, please take a look at the sops-nix Readme file.
+
+To edit the secrets file, run `sops secrets.yaml`, which will decrypt the
+file & open it in your $EDITOR, then re-encrypt it when you're done.
+
+To add a new key, use `ssh-to-age` to convert your ssh key to age, and add it to
+`sops.yaml`. Then do `sops updatekeys secrets.yaml` to re-encrypt the file for
+the new set of keys.
+

docs/services/_index.md

@@ -0,0 +1,5 @@
++++
+title = "Services"
+sort_by = "title"
+page_template = "doc-page.html"
++++

docs/services/acme.md

@@ -0,0 +1,19 @@
++++
+title = "ACME / letsencrypt"
+categories = [ "domain", "https", "ssl", "tls", "Certificates" ]
++++
+
+
+# Usage
+
+We use the ACME module's nginx integration for basically everything. Beware of
+rate limits when redeploying lots of things at once! Let's Encrypt is a little
+picky about those.
+
+
+## Workarounds & peculiar configuration choices
+
+Certs live under `/var/lib/acme/`
+
+If you need to remove a cert for whatever reason, be aware that there is a
+hidden `.lego` folder, that contains state as well

docs/services/hedgedoc.md

@@ -0,0 +1,68 @@
++++
+title = "hedgedoc"
+taxonomies.categories = [ "services" ]
++++
+
+
+hegedoc was once called codiMD, so container, config and users are still called codimd.
+
+**Do NOT change this** unless you're sure what you're doing.
+
+We have two instances:
+ - `pad-hacc`/pad.hacc.space is connected to our SSO/uffd
+ - `pad-i4f`/pad.infra4future.de is not connected to our SSO and meant to be more public
+
+## Basic Troubleshooting
+
+Usually if hedgedoc dies, it's because postgresql wasn't there yet. Just restart
+hedgedoc.
+
+## More Troubles
+log into the container and take a look at the logs
+
+~~~shell
+sudo nixos-container root-login codimd
+journalctl -e
+~~~
+
+### fixing failed database upgrades
+
+see https://docs.hedgedoc.org/guides/migration-troubleshooting/ (copied below
+for convenience?):
+
+In some cases, HedgeDoc might apply migrations without correctly saving the
+progress. It will then refuse to start with "already exists"-errors like
+ERROR: type "enum_Notes_permission" already exists.
+
+Get the name of the failing migration and append .js to it. For example, if
+you encounter this error:
+
+~~~
+== 20180306150303-fix-enum: migrating =======
+
+ERROR: type "enum_Notes_permission" already exists
+~~~
+
+the name of the failed migration would be 20180306150303-fix-enum.js.
+
+The SQL-statement may look like this:
+
+~~~
+INSERT INTO "SequelizeMeta" (name) VALUES ('20180306150303-fix-enum.js');
+~~~
+
+Make sure HedgeDoc does not run and insert the name into the SequelizeMeta table.
+Enter the container switch to the postgres user, open psql and commect to the
+codimd database:
+
+~~~shell
+su postgres
+psql
+\l
+\c codimd
+UN adjusted SQL STAMEMENT from above ]
+\q
+~~~
+
+Start HedgeDoc again and observe if it starts correctly. It may be necessary to
+repeat this process and insert multiple migrations into the SequelizeMeta table.

docs/services/mail.md

@@ -0,0 +1,65 @@
++++
+title = "mail"
+taxonomies.categories = [ "services" ]
++++
+
+Mail is not connected to our SSO!
+
+## adding a mail account
+- We use `@hacc.space` for our mails
+- `@infra4future.de` is reserved for services, old user accounts will be
+  forwarded & logins disabled
+- choose a name (no aliases or other names can be the same)
+- generate a sha-512 password hash ```mkpasswd -m sha-512``` - **never add an 
+  unhashed password!**
+- add your account to `loginAccounts =` in `//parsons/mail.nix`
+- build and redeploy parsons
+
+**example:**
+```
+zwoelfontheshelf@hacc.space" = {
+	hashedPassword = "$6$ISAaU8X6D$oGKe9WXDWrRpGzHUEdxrxdtgvzuGOkBMuDc82IZhegpsv1bqd550FhZZrI40IjZTA5Hy2MZ8j/0efpnQ4fOQH0";
+};
+```
+
+## adding to a forward address
+- add the mail address to the corresponding `extraVirtualAliases =`
+- build and redeploy parsons
+
+## adding a forward address
+- add the address to `extraVirtualAliases =`
+- add the addresses it should forward to
+- build and redeploy parsons
+
+**example:**
+```
+"himmel@hacc.space" = [
+	"hexchen@hacc.space"
+	"zauberberg@hacc.space"
+];
+```
+
+## sending & receiving mail
+
+### as a user
+- Your mail client should auto configure correctly
+
+~~~
+mailserver: mail.hacc.space (everywhere)
+username: $your_mail_address
+sending via smtp: port 587 or 465
+recieving
+	imap: port 993
+TLS and STARTTLS are supported
+~~~
+
+- You can send mail as you and any alias you receive mail from. Set a second Identity in your e-mail client
+
+### as an application
+- mailserver: `mail.hacc.space`
+- Do **not** use port 25. It's for server to server communication only.
+- Use smtp ports `587` or `465`
+- enable TLS if possible
+- only send mail from `noreply@infra4future.de`
+- Password is somewhere (TODO!)
+

docs/services/mumble.md

@@ -0,0 +1,40 @@
++++
+title = "mumble"
+taxonomies.categories = [ "mumble" ]
++++
+
+
+[offical Docmuentation](https://wiki.mumble.info/wiki/Main_Page)
+
+Mumble's server is called murmur, but the naming is inconsistent. Sometimes
+it's also just called mumble server.
+
+# Usage
+
+## registration
+Users need to be registered to join any other channel than public.
+An already registered user has to register them with the server.
+1. right click on the username
+2. choose register in the menu. Done.
+
+## restricted channels
+Every channel in the hacc category except for plenum can only be accessed by
+members of the hacc group.
+
+## adding users to a group
+Only admins can edit groups, and only registered users can be added to groups.
+1. right click on the Root channel
+2. select Edit...
+2. In Groups select $groupname
+3. make the change you want to make
+4. click "OK"
+
+# Config details
+- the server is not registered with mumble & not on the public server list 
+- the bitrate is set to 128kb/s; otherwise the client would complain that the
+  server bitrate is less then the configured (default) in its local settings
+
+# Hacks
+- murmur needs a TLS cert, which we get via the ACME module
+- there's a funny group setup so that hopefully murmurd can read the cert
+- this seems to work fine now, but was some source of trouble in the past

docs/services/service.template.md

@@ -0,0 +1,18 @@
++++
+title = "$Service Name"
+draft = true ## Remove this line to make file appear on website
++++
+
+<general information & pointers to official documentation>
+
+# Usage
+<usage from an admin's perspective>
+
+# Config Notes
+<what should one keep in mind when reading the nix file?>
+
+## Updating
+<anything to keep in mind?>
+
+# Hacks
+<ugly things which might break or cause general ???? states>

docs/snapshots.md

@@ -0,0 +1,24 @@
++++
+title = "Use ZFS snapshot"
+taxonomies.categories = [ "zfs", "snapshot", "filesystem", "backup", "update", "upgrade" ]
++++
+
+## Make a ZFS snapshot
+~~~shell
+sudo zfs snapshot zroot/safe/persist@<name>
+~~~
+
+## Rollback
+
+### single files
+The snapshots can be accessed under `<mountpoint>/.zfs/snapshot/...`
+
+### fully
+~~~shell
+sudo zfs rollback zroot/safe/persist@<name>
+~~~
+
+## Delete a ZFS snapshot
+~~~shell
+sudo zfs destroy zroot/safe/persist@<name>
+~~~

flake.lock

@@ -16,58 +16,6 @@
         "type": "gitlab"
       }
     },
-    "colmena": {
-      "inputs": {
-        "flake-compat": "flake-compat_2",
-        "flake-utils": "flake-utils",
-        "nixpkgs": [
-          "nix-hexchen",
-          "nixpkgs"
-        ],
-        "stable": "stable"
-      },
-      "locked": {
-        "lastModified": 1675730932,
-        "narHash": "sha256-XcmirehPIcZGS7PzkS3WvAYQ9GBlBvCxYToIOIV2PVE=",
-        "owner": "zhaofengli",
-        "repo": "colmena",
-        "rev": "e034c15825c439131e4489de5a82cf8e5398fa61",
-        "type": "github"
-      },
-      "original": {
-        "owner": "zhaofengli",
-        "ref": "main",
-        "repo": "colmena",
-        "type": "github"
-      }
-    },
-    "cyberchaos": {
-      "inputs": {
-        "digital-nftables": "digital-nftables",
-        "digital-secretFiles": "digital-secretFiles",
-        "flake-utils": "flake-utils_2",
-        "nixpkgs": [
-          "nix-hexchen",
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "host": "cyberchaos.dev",
-        "lastModified": 1675679997,
-        "narHash": "sha256-Gr+YTufBFFdkA5LHX7h9FGLXp1rl99GH59VNst9rTSg=",
-        "owner": "cyberchaoscreatures",
-        "repo": "nixlib",
-        "rev": "d27cf5ebde98528054adeec64cc757f59e6ce006",
-        "type": "gitlab"
-      },
-      "original": {
-        "host": "cyberchaos.dev",
-        "owner": "cyberchaoscreatures",
-        "ref": "update-akkoma",
-        "repo": "nixlib",
-        "type": "gitlab"
-      }
-    },
     "deploy-rs": {
       "inputs": {
         "flake-compat": "flake-compat",
@@ -77,11 +25,11 @@
         "utils": "utils"
       },
       "locked": {
-        "lastModified": 1674127017,
-        "narHash": "sha256-QO1xF7stu5ZMDLbHN30LFolMAwY6TVlzYvQoUs1RD68=",
+        "lastModified": 1727447169,
+        "narHash": "sha256-3KyjMPUKHkiWhwR91J1YchF6zb6gvckCAY1jOE+ne0U=",
         "owner": "serokell",
         "repo": "deploy-rs",
-        "rev": "8c9ea9605eed20528bf60fae35a2b613b901fd77",
+        "rev": "aa07eb05537d4cd025e2310397a6adcedfe72c76",
         "type": "github"
       },
       "original": {
@@ -90,193 +38,14 @@
         "type": "github"
       }
     },
-    "digital-nftables": {
-      "flake": false,
-      "locked": {
-        "lastModified": 1666650247,
-        "narHash": "sha256-qMeq9JD9B1Ay2KHn8+VX5ESO9nOduo3yFLS5bqzcnLw=",
-        "owner": "~digital",
-        "repo": "digital-nixfiles",
-        "rev": "937355ebc323c4b6db253ac7ac165e30ce6958a0",
-        "type": "sourcehut"
-      },
-      "original": {
-        "owner": "~digital",
-        "ref": "testing",
-        "repo": "digital-nixfiles",
-        "type": "sourcehut"
-      }
-    },
-    "digital-secretFiles": {
-      "flake": false,
-      "locked": {
-        "lastModified": 1665365432,
-        "narHash": "sha256-HF09GMEeDG7/EuLxsqzyR50OwNQY3jvsS86Q5dxl4uA=",
-        "owner": "~digital",
-        "repo": "secretFiles",
-        "rev": "4146e87c049867c9f0786327a746e0a94fda85a7",
-        "type": "sourcehut"
-      },
-      "original": {
-        "owner": "~digital",
-        "ref": "main",
-        "repo": "secretFiles",
-        "type": "sourcehut"
-      }
-    },
-    "doom-emacs": {
-      "flake": false,
-      "locked": {
-        "lastModified": 1662497747,
-        "narHash": "sha256-4n7E1fqda7cn5/F2jTkOnKw1juG6XMS/FI9gqODL3aU=",
-        "owner": "doomemacs",
-        "repo": "doomemacs",
-        "rev": "3853dff5e11655e858d0bfae64b70cb12ef685ac",
-        "type": "github"
-      },
-      "original": {
-        "owner": "doomemacs",
-        "repo": "doomemacs",
-        "rev": "3853dff5e11655e858d0bfae64b70cb12ef685ac",
-        "type": "github"
-      }
-    },
-    "doom-snippets": {
-      "flake": false,
-      "locked": {
-        "lastModified": 1662645711,
-        "narHash": "sha256-XKpPCtECGZQ5bFPPDUX3oAltXOJNwAI/OktxiLnADRE=",
-        "owner": "doomemacs",
-        "repo": "snippets",
-        "rev": "03a62fe7edf7e87fdbd925713fbd3bf292d14b00",
-        "type": "github"
-      },
-      "original": {
-        "owner": "doomemacs",
-        "repo": "snippets",
-        "type": "github"
-      }
-    },
-    "emacs-overlay": {
-      "flake": false,
-      "locked": {
-        "lastModified": 1675362118,
-        "narHash": "sha256-11CqDTkQA9P5I4InVCXmj/IaHvz4nUJaLNFiDiHVvIg=",
-        "owner": "nix-community",
-        "repo": "emacs-overlay",
-        "rev": "a018577287e390e01654a8b44d57d183a51b72b2",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-community",
-        "repo": "emacs-overlay",
-        "type": "github"
-      }
-    },
-    "emacs-so-long": {
-      "flake": false,
-      "locked": {
-        "lastModified": 1575031854,
-        "narHash": "sha256-xIa5zO0ZaToDrec1OFjBK6l39AbA4l/CE4LInVu2hi0=",
-        "owner": "hlissner",
-        "repo": "emacs-so-long",
-        "rev": "ed666b0716f60e8988c455804de24b55919e71ca",
-        "type": "github"
-      },
-      "original": {
-        "owner": "hlissner",
-        "repo": "emacs-so-long",
-        "type": "github"
-      }
-    },
-    "evil-escape": {
-      "flake": false,
-      "locked": {
-        "lastModified": 1588439096,
-        "narHash": "sha256-aB2Ge5o/93B18tPf4fN1c+O46CNh/nOqwLJbox4c8Gw=",
-        "owner": "hlissner",
-        "repo": "evil-escape",
-        "rev": "819f1ee1cf3f69a1ae920e6004f2c0baeebbe077",
-        "type": "github"
-      },
-      "original": {
-        "owner": "hlissner",
-        "repo": "evil-escape",
-        "type": "github"
-      }
-    },
-    "evil-markdown": {
-      "flake": false,
-      "locked": {
-        "lastModified": 1626852210,
-        "narHash": "sha256-HBBuZ1VWIn6kwK5CtGIvHM1+9eiNiKPH0GUsyvpUVN8=",
-        "owner": "Somelauw",
-        "repo": "evil-markdown",
-        "rev": "8e6cc68af83914b2fa9fd3a3b8472573dbcef477",
-        "type": "github"
-      },
-      "original": {
-        "owner": "Somelauw",
-        "repo": "evil-markdown",
-        "type": "github"
-      }
-    },
-    "evil-org-mode": {
-      "flake": false,
-      "locked": {
-        "lastModified": 1607203864,
-        "narHash": "sha256-JxwqVYDN6OIJEH15MVI6XOZAPtUWUhJQWHyzcrUvrFg=",
-        "owner": "hlissner",
-        "repo": "evil-org-mode",
-        "rev": "a9706da260c45b98601bcd72b1d2c0a24a017700",
-        "type": "github"
-      },
-      "original": {
-        "owner": "hlissner",
-        "repo": "evil-org-mode",
-        "type": "github"
-      }
-    },
-    "evil-quick-diff": {
-      "flake": false,
-      "locked": {
-        "lastModified": 1575189609,
-        "narHash": "sha256-oGzl1ayW9rIuq0haoiFS7RZsS8NFMdEA7K1BSozgnJU=",
-        "owner": "rgrinberg",
-        "repo": "evil-quick-diff",
-        "rev": "69c883720b30a892c63bc89f49d4f0e8b8028908",
-        "type": "github"
-      },
-      "original": {
-        "owner": "rgrinberg",
-        "repo": "evil-quick-diff",
-        "type": "github"
-      }
-    },
-    "explain-pause-mode": {
-      "flake": false,
-      "locked": {
-        "lastModified": 1595842060,
-        "narHash": "sha256-++znrjiDSx+cy4okFBBXUBkRFdtnE2x+trkmqjB3Njs=",
-        "owner": "lastquestion",
-        "repo": "explain-pause-mode",
-        "rev": "2356c8c3639cbeeb9751744dbe737267849b4b51",
-        "type": "github"
-      },
-      "original": {
-        "owner": "lastquestion",
-        "repo": "explain-pause-mode",
-        "type": "github"
-      }
-    },
     "flake-compat": {
       "flake": false,
       "locked": {
-        "lastModified": 1668681692,
-        "narHash": "sha256-Ht91NGdewz8IQLtWZ9LCeNXMSXHUss+9COoqu6JLmXU=",
+        "lastModified": 1696426674,
+        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
         "owner": "edolstra",
         "repo": "flake-compat",
-        "rev": "009399224d5e398d03b22badca40a37ac85412a1",
+        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
         "type": "github"
       },
       "original": {
@@ -285,522 +54,108 @@
         "type": "github"
       }
     },
-    "flake-compat_2": {
-      "flake": false,
-      "locked": {
-        "lastModified": 1650374568,
-        "narHash": "sha256-Z+s0J8/r907g149rllvwhb4pKi8Wam5ij0st8PwAh+E=",
-        "owner": "edolstra",
-        "repo": "flake-compat",
-        "rev": "b4a34015c698c7793d592d66adbab377907a2be8",
-        "type": "github"
-      },
-      "original": {
-        "owner": "edolstra",
-        "repo": "flake-compat",
-        "type": "github"
-      }
-    },
-    "flake-compat_3": {
-      "flake": false,
-      "locked": {
-        "lastModified": 1673956053,
-        "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=",
-        "owner": "edolstra",
-        "repo": "flake-compat",
-        "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9",
-        "type": "github"
-      },
-      "original": {
-        "owner": "edolstra",
-        "repo": "flake-compat",
-        "type": "github"
-      }
-    },
-    "flake-compat_4": {
-      "flake": false,
-      "locked": {
-        "lastModified": 1673956053,
-        "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=",
-        "owner": "edolstra",
-        "repo": "flake-compat",
-        "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9",
-        "type": "github"
-      },
-      "original": {
-        "owner": "edolstra",
-        "repo": "flake-compat",
-        "type": "github"
-      }
-    },
-    "flake-utils": {
-      "locked": {
-        "lastModified": 1659877975,
-        "narHash": "sha256-zllb8aq3YO3h8B/U0/J1WBgAL8EX5yWf5pMj3G0NAmc=",
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "rev": "c0e246b9b83f637f4681389ecabcb2681b4f3af0",
-        "type": "github"
-      },
-      "original": {
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "type": "github"
-      }
-    },
-    "flake-utils_2": {
-      "locked": {
-        "lastModified": 1667395993,
-        "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f",
-        "type": "github"
-      },
-      "original": {
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "type": "github"
-      }
-    },
-    "format-all": {
-      "flake": false,
-      "locked": {
-        "lastModified": 1581716637,
-        "narHash": "sha256-ul7LCe60W8TIvUmUtZtZRo8489TK9iTPDsLHmzxY57M=",
-        "owner": "lassik",
-        "repo": "emacs-format-all-the-code",
-        "rev": "47d862d40a088ca089c92cd393c6dca4628f87d3",
-        "type": "github"
-      },
-      "original": {
-        "owner": "lassik",
-        "repo": "emacs-format-all-the-code",
-        "rev": "47d862d40a088ca089c92cd393c6dca4628f87d3",
-        "type": "github"
-      }
-    },
-    "home-manager": {
-      "inputs": {
-        "nixpkgs": [
-          "nix-hexchen",
-          "nixpkgs"
-        ],
-        "utils": "utils_2"
-      },
-      "locked": {
-        "lastModified": 1675935446,
-        "narHash": "sha256-WajulTn7QdwC7QuXRBavrANuIXE5z+08EdxdRw1qsNs=",
-        "owner": "nix-community",
-        "repo": "home-manager",
-        "rev": "2dce7f1a55e785a22d61668516df62899278c9e4",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-community",
-        "repo": "home-manager",
-        "type": "github"
-      }
-    },
-    "mattermost-server": {
-      "flake": false,
-      "locked": {
-        "lastModified": 1670418889,
-        "narHash": "sha256-rCTLA3MPFcDJ88n8B595/WwNUT5c1wNuCwTrcWSHzFU=",
-        "owner": "mattermost",
-        "repo": "mattermost-server",
-        "rev": "7a6d9432c216f5868c9ca29b86083cdee7df75f6",
-        "type": "github"
-      },
-      "original": {
-        "owner": "mattermost",
-        "ref": "v7.1.5",
-        "repo": "mattermost-server",
-        "type": "github"
-      }
-    },
-    "mattermost-webapp": {
-      "flake": false,
-      "locked": {
-        "narHash": "sha256-DYHHv5Bivk7yanRyl7ccD33ohgp8/J66xVXZs9NZmnU=",
-        "type": "tarball",
-        "url": "https://releases.mattermost.com/7.1.5/mattermost-7.1.5-linux-amd64.tar.gz"
-      },
-      "original": {
-        "type": "tarball",
-        "url": "https://releases.mattermost.com/7.1.5/mattermost-7.1.5-linux-amd64.tar.gz"
-      }
-    },
-    "nix-doom-emacs": {
-      "inputs": {
-        "doom-emacs": "doom-emacs",
-        "doom-snippets": "doom-snippets",
-        "emacs-overlay": "emacs-overlay",
-        "emacs-so-long": "emacs-so-long",
-        "evil-escape": "evil-escape",
-        "evil-markdown": "evil-markdown",
-        "evil-org-mode": "evil-org-mode",
-        "evil-quick-diff": "evil-quick-diff",
-        "explain-pause-mode": "explain-pause-mode",
-        "flake-compat": "flake-compat_4",
-        "flake-utils": [
-          "nix-hexchen",
-          "flake-utils"
-        ],
-        "format-all": "format-all",
-        "nix-straight": "nix-straight",
-        "nixpkgs": [
-          "nix-hexchen",
-          "nixpkgs"
-        ],
-        "nose": "nose",
-        "ob-racket": "ob-racket",
-        "org": "org",
-        "org-contrib": "org-contrib",
-        "org-yt": "org-yt",
-        "php-extras": "php-extras",
-        "revealjs": "revealjs",
-        "rotate-text": "rotate-text",
-        "sln-mode": "sln-mode",
-        "ts-fold": "ts-fold",
-        "ws-butler": "ws-butler"
-      },
-      "locked": {
-        "lastModified": 1675387812,
-        "narHash": "sha256-fGjWMg97w1mP0cDIR9Y8qCa77sEtiIdYzqiRB+P2YcM=",
-        "owner": "nix-community",
-        "repo": "nix-doom-emacs",
-        "rev": "8de922e4e23158790970a266234a853305b1928d",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-community",
-        "repo": "nix-doom-emacs",
-        "type": "github"
-      }
-    },
-    "nix-hexchen": {
-      "inputs": {
-        "colmena": "colmena",
-        "cyberchaos": "cyberchaos",
-        "deploy-rs": [
-          "deploy-rs"
-        ],
-        "doom-emacs": [
-          "nix-hexchen",
-          "nix-doom-emacs",
-          "doom-emacs"
-        ],
-        "emacs-overlay": [
-          "nix-hexchen",
-          "nix-doom-emacs",
-          "emacs-overlay"
-        ],
-        "flake-compat": "flake-compat_3",
-        "flake-utils": [
-          "deploy-rs",
-          "utils"
-        ],
-        "home-manager": "home-manager",
-        "nix-doom-emacs": "nix-doom-emacs",
-        "nixos-hardware": "nixos-hardware",
-        "nixos-mailserver": [
-          "nixos-mailserver"
-        ],
-        "nixpkgs": [
-          "nixpkgs-unstable"
-        ],
-        "sops-nix": "sops-nix",
-        "waybar-iceportal": "waybar-iceportal"
-      },
-      "locked": {
-        "lastModified": 1676235298,
-        "narHash": "sha256-MWWX8P4nhtfFvwhvDBRrjVfXSG3el8rKQHV/NBAA0hE=",
-        "owner": "hexchen",
-        "repo": "nixfiles",
-        "rev": "29ea80ce8b05b0fd329c1f7928be9b4c443294c6",
-        "type": "gitlab"
-      },
-      "original": {
-        "owner": "hexchen",
-        "repo": "nixfiles",
-        "type": "gitlab"
-      }
-    },
-    "nix-straight": {
-      "flake": false,
-      "locked": {
-        "lastModified": 1666982610,
-        "narHash": "sha256-xjgIrmUsekVTE+MpZb5DMU8DQf9DJ/ZiR0o30L9/XCc=",
-        "owner": "nix-community",
-        "repo": "nix-straight.el",
-        "rev": "ad10364d64f472c904115fd38d194efe1c3f1226",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-community",
-        "repo": "nix-straight.el",
-        "type": "github"
-      }
-    },
-    "nixos-hardware": {
-      "locked": {
-        "lastModified": 1675933606,
-        "narHash": "sha256-y427VhPQHOKkYvkc9MMsL/2R7M11rQxzsRdRLM3htx8=",
-        "owner": "NixOS",
-        "repo": "nixos-hardware",
-        "rev": "44ae00e02e8036a66c08f4decdece7e3bbbefee2",
-        "type": "github"
-      },
-      "original": {
-        "owner": "NixOS",
-        "ref": "master",
-        "repo": "nixos-hardware",
-        "type": "github"
-      }
-    },
     "nixos-mailserver": {
       "inputs": {
         "blobs": "blobs",
+        "flake-compat": [
+          "deploy-rs",
+          "flake-compat"
+        ],
         "nixpkgs": [
           "nixpkgs-unstable"
         ],
-        "nixpkgs-22_05": [
+        "nixpkgs-24_05": [
           "nixpkgs"
         ],
-        "utils": "utils_3"
+        "utils": [
+          "deploy-rs",
+          "utils"
+        ]
       },
       "locked": {
-        "lastModified": 1655930346,
-        "narHash": "sha256-ht56HHOzEhjeIgAv5ZNFjSVX/in1YlUs0HG9c1EUXTM=",
+        "lastModified": 1718084203,
+        "narHash": "sha256-Cx1xoVfSMv1XDLgKg08CUd1EoTYWB45VmB9XIQzhmzI=",
         "owner": "simple-nixos-mailserver",
         "repo": "nixos-mailserver",
-        "rev": "f535d8123c4761b2ed8138f3d202ea710a334a1d",
+        "rev": "29916981e7b3b5782dc5085ad18490113f8ff63b",
         "type": "gitlab"
       },
       "original": {
         "owner": "simple-nixos-mailserver",
-        "ref": "nixos-22.05",
+        "ref": "nixos-24.05",
         "repo": "nixos-mailserver",
         "type": "gitlab"
       }
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1676177817,
-        "narHash": "sha256-OQnBnuKkpwkfNY31xQyfU5hNpLs1ilWt+hVY6ztEEOM=",
+        "lastModified": 1731842749,
+        "narHash": "sha256-aNc8irVBH7sM5cGDvqdOueg8S+fGakf0rEMRGfGwWZw=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "1b82144edfcd0c86486d2e07c7298f85510e7fb8",
+        "rev": "bf6132dc791dbdff8b6894c3a85eb27ad8255682",
         "type": "github"
       },
       "original": {
         "id": "nixpkgs",
-        "ref": "nixos-22.11",
+        "ref": "nixos-24.05-small",
         "type": "indirect"
       }
     },
-    "nixpkgs-stable": {
+    "nixpkgs-oldstable": {
       "locked": {
-        "lastModified": 1676162277,
-        "narHash": "sha256-GK3cnvKNo1l0skGYXXiLJ/TLqdKyIYXd7jOlo0gN+Qw=",
+        "lastModified": 1678761643,
+        "narHash": "sha256-tapXZvg6Kg5Fm7Fm6i+7cRC5Exp2lX7cgMrqsfrGhuc=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "d863ca850a06d91365c01620dcac342574ecf46f",
+        "rev": "c4aec3c021620d98861639946123214207e98344",
         "type": "github"
       },
       "original": {
         "owner": "NixOS",
-        "ref": "release-22.11",
         "repo": "nixpkgs",
+        "rev": "c4aec3c021620d98861639946123214207e98344",
         "type": "github"
       }
     },
     "nixpkgs-unstable": {
       "locked": {
-        "lastModified": 1676150441,
-        "narHash": "sha256-Nfeua9Ua/dGHOQpzOjLtkyMyW/ysQCvZJ9Dd74QQSNk=",
+        "lastModified": 1732007104,
+        "narHash": "sha256-qaWPxgLAvtIHTDcm0qJuc+WNYjcy4ZKigOyn2ag4ihM=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "6d87734c880d704f6ee13e5c0fe835b98918c34e",
+        "rev": "0705964c881cea8896474610188905ba41b59b08",
         "type": "github"
       },
       "original": {
         "id": "nixpkgs",
-        "ref": "nixpkgs-unstable",
+        "ref": "nixos-unstable-small",
         "type": "indirect"
       }
     },
-    "nose": {
-      "flake": false,
-      "locked": {
-        "lastModified": 1400604510,
-        "narHash": "sha256-daEi8Kta1oGaDEmUUDDQMahTTPOpvNpDKk22rlr7cB0=",
-        "owner": "emacsattic",
-        "repo": "nose",
-        "rev": "f8528297519eba911696c4e68fa88892de9a7b72",
-        "type": "github"
-      },
-      "original": {
-        "owner": "emacsattic",
-        "repo": "nose",
-        "type": "github"
-      }
-    },
-    "ob-racket": {
-      "flake": false,
-      "locked": {
-        "lastModified": 1584656173,
-        "narHash": "sha256-rBUYDDCXb+3D4xTPQo9UocbTPZ32kWV1Uya/1DmZknU=",
-        "owner": "xchrishawk",
-        "repo": "ob-racket",
-        "rev": "83457ec9e1e96a29fd2086ed19432b9d75787673",
-        "type": "github"
-      },
-      "original": {
-        "owner": "xchrishawk",
-        "repo": "ob-racket",
-        "type": "github"
-      }
-    },
-    "org": {
-      "flake": false,
-      "locked": {
-        "lastModified": 1673519709,
-        "narHash": "sha256-XtGk32Lw2iGDgH5Q4Rjhig0Iq5hpIM0EKQoptJ+nT3k=",
-        "owner": "emacs-straight",
-        "repo": "org-mode",
-        "rev": "ecb62e2e317b1a4b5b8a6c0f111ed7ef18413040",
-        "type": "github"
-      },
-      "original": {
-        "owner": "emacs-straight",
-        "repo": "org-mode",
-        "type": "github"
-      }
-    },
-    "org-contrib": {
-      "flake": false,
-      "locked": {
-        "lastModified": 1664301003,
-        "narHash": "sha256-8CAq/EB52RMQHNLZM0uc/1N5gKTfxGhf7WFt9sMKoD8=",
-        "owner": "emacsmirror",
-        "repo": "org-contrib",
-        "rev": "aa104c0bbc3113f6d3d167b20bd8d6bf6a285f0f",
-        "type": "github"
-      },
-      "original": {
-        "owner": "emacsmirror",
-        "repo": "org-contrib",
-        "type": "github"
-      }
-    },
-    "org-yt": {
-      "flake": false,
-      "locked": {
-        "lastModified": 1527381913,
-        "narHash": "sha256-dzQ6B7ryzatHCTLyEnRSbWO0VUiX/FHYnpHTs74aVUs=",
-        "owner": "TobiasZawada",
-        "repo": "org-yt",
-        "rev": "40cc1ac76d741055cbefa13860d9f070a7ade001",
-        "type": "github"
-      },
-      "original": {
-        "owner": "TobiasZawada",
-        "repo": "org-yt",
-        "type": "github"
-      }
-    },
-    "php-extras": {
-      "flake": false,
-      "locked": {
-        "lastModified": 1573312690,
-        "narHash": "sha256-r4WyVbzvT0ra4Z6JywNBOw5RxOEYd6Qe2IpebHXkj1U=",
-        "owner": "arnested",
-        "repo": "php-extras",
-        "rev": "d410c5af663c30c01d461ac476d1cbfbacb49367",
-        "type": "github"
-      },
-      "original": {
-        "owner": "arnested",
-        "repo": "php-extras",
-        "type": "github"
-      }
-    },
-    "revealjs": {
-      "flake": false,
-      "locked": {
-        "lastModified": 1674652670,
-        "narHash": "sha256-ViqeZlOjQTlY0KM7YcOOjdgkxRLPMZrRKXTqtyc1I00=",
-        "owner": "hakimel",
-        "repo": "reveal.js",
-        "rev": "b1a9842b2f4544a2fda546383db38cc7a81f6b74",
-        "type": "github"
-      },
-      "original": {
-        "owner": "hakimel",
-        "repo": "reveal.js",
-        "type": "github"
-      }
-    },
     "root": {
       "inputs": {
         "deploy-rs": "deploy-rs",
-        "mattermost-server": "mattermost-server",
-        "mattermost-webapp": "mattermost-webapp",
-        "nix-hexchen": "nix-hexchen",
         "nixos-mailserver": "nixos-mailserver",
         "nixpkgs": "nixpkgs",
+        "nixpkgs-oldstable": "nixpkgs-oldstable",
         "nixpkgs-unstable": "nixpkgs-unstable",
+        "sops-nix": "sops-nix",
         "tracktrain": "tracktrain"
       }
     },
-    "rotate-text": {
-      "flake": false,
-      "locked": {
-        "lastModified": 1322962747,
-        "narHash": "sha256-SOeOgSlcEIsKhUiYDJv0p+mLUb420s9E2BmvZQvZ0wk=",
-        "owner": "debug-ito",
-        "repo": "rotate-text.el",
-        "rev": "48f193697db996855aee1ad2bc99b38c6646fe76",
-        "type": "github"
-      },
-      "original": {
-        "owner": "debug-ito",
-        "repo": "rotate-text.el",
-        "type": "github"
-      }
-    },
-    "sln-mode": {
-      "flake": false,
-      "locked": {
-        "lastModified": 1423727528,
-        "narHash": "sha256-XqkqPyEJuTtFslOz1fpTf/Klbd/zA7IGpzpmum/MGao=",
-        "owner": "sensorflo",
-        "repo": "sln-mode",
-        "rev": "0f91d1b957c7d2a7bab9278ec57b54d57f1dbd9c",
-        "type": "github"
-      },
-      "original": {
-        "owner": "sensorflo",
-        "repo": "sln-mode",
-        "type": "github"
-      }
-    },
     "sops-nix": {
       "inputs": {
         "nixpkgs": [
-          "nix-hexchen",
-          "nixpkgs"
-        ],
-        "nixpkgs-stable": "nixpkgs-stable"
+          "nixpkgs-unstable"
+        ]
       },
       "locked": {
-        "lastModified": 1676171095,
-        "narHash": "sha256-2laeSjBAAJ9e/C3uTIPb287iX8qeVLtWiilw1uxqG+A=",
+        "lastModified": 1731954233,
+        "narHash": "sha256-vvXx1m2Rsw7MkbKJdpcICzz4YPgZPApGKQGhNZfkhOI=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "c5dab21d8706afc7ceb05c23d4244dcb48d6aade",
+        "rev": "e39947d0ee8e341fa7108bd02a33cdfa24a1360e",
         "type": "github"
       },
       "original": {
@@ -809,30 +164,29 @@
         "type": "github"
       }
     },
-    "stable": {
+    "systems": {
       "locked": {
-        "lastModified": 1669735802,
-        "narHash": "sha256-qtG/o/i5ZWZLmXw108N2aPiVsxOcidpHJYNkT45ry9Q=",
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "731cc710aeebecbf45a258e977e8b68350549522",
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
         "type": "github"
       },
       "original": {
-        "owner": "NixOS",
-        "ref": "nixos-22.11",
-        "repo": "nixpkgs",
+        "owner": "nix-systems",
+        "repo": "default",
         "type": "github"
       }
     },
     "tracktrain": {
       "flake": false,
       "locked": {
-        "lastModified": 1674936614,
-        "narHash": "sha256-BsF4CzI8ukthTsczo9VJIlz+9ILEMXlYMTvh0lIlzDI=",
+        "lastModified": 1720213096,
+        "narHash": "sha256-GrSXD6WvyiXcHx1s+48PEZVn/MTtBJAXpgds+NdEL2g=",
         "ref": "main",
-        "rev": "1612bb5aec55af06f66012ff2627f533e7a57c67",
-        "revCount": 82,
+        "rev": "2943327863bfe5c6e793e5c40e473a2755d45642",
+        "revCount": 126,
         "type": "git",
         "url": "https://stuebinm.eu/git/tracktrain"
       },
@@ -842,101 +196,21 @@
         "url": "https://stuebinm.eu/git/tracktrain"
       }
     },
-    "ts-fold": {
-      "flake": false,
-      "locked": {
-        "lastModified": 1673328482,
-        "narHash": "sha256-6yQ35uJDAK531QNQZgloQaOQayRa8azOlOMbO8lXsHE=",
-        "owner": "jcs-elpa",
-        "repo": "ts-fold",
-        "rev": "75d6f9ed317b042b5bc7cb21503596d1c7a1b8c0",
-        "type": "github"
-      },
-      "original": {
-        "owner": "jcs-elpa",
-        "repo": "ts-fold",
-        "type": "github"
-      }
-    },
     "utils": {
-      "locked": {
-        "lastModified": 1667395993,
-        "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f",
-        "type": "github"
-      },
-      "original": {
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "type": "github"
-      }
-    },
-    "utils_2": {
-      "locked": {
-        "lastModified": 1667395993,
-        "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f",
-        "type": "github"
-      },
-      "original": {
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "type": "github"
-      }
-    },
-    "utils_3": {
-      "locked": {
-        "lastModified": 1605370193,
-        "narHash": "sha256-YyMTf3URDL/otKdKgtoMChu4vfVL3vCMkRqpGifhUn0=",
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "rev": "5021eac20303a61fafe17224c087f5519baed54d",
-        "type": "github"
-      },
-      "original": {
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "type": "github"
-      }
-    },
-    "waybar-iceportal": {
       "inputs": {
-        "nixpkgs": [
-          "nix-hexchen",
-          "nixpkgs"
-        ]
+        "systems": "systems"
       },
       "locked": {
-        "lastModified": 1661258114,
-        "narHash": "sha256-wdm35mfyjz/eFrtd9fMeAJwfUk6XskbyM115wYI1kVA=",
-        "owner": "e1mo",
-        "repo": "waybar-iceportal",
-        "rev": "13b297c2cc0b4b56d4caccd626a16b455d8d49e5",
+        "lastModified": 1701680307,
+        "narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "4022d587cbbfd70fe950c1e2083a02621806a725",
         "type": "github"
       },
       "original": {
-        "owner": "e1mo",
-        "repo": "waybar-iceportal",
-        "type": "github"
-      }
-    },
-    "ws-butler": {
-      "flake": false,
-      "locked": {
-        "lastModified": 1634511126,
-        "narHash": "sha256-c0y0ZPtxxICPk+eaNbbQf6t+FRCliNY54CCz9QHQ8ZI=",
-        "owner": "hlissner",
-        "repo": "ws-butler",
-        "rev": "572a10c11b6cb88293de48acbb59a059d36f9ba5",
-        "type": "github"
-      },
-      "original": {
-        "owner": "hlissner",
-        "repo": "ws-butler",
+        "owner": "numtide",
+        "repo": "flake-utils",
         "type": "github"
       }
     }

flake.nix

@@ -2,72 +2,59 @@
   description = "hacc infra stuff";
 
   inputs = {
-    mattermost-webapp.url = "https://releases.mattermost.com/7.1.5/mattermost-7.1.5-linux-amd64.tar.gz";
-    mattermost-webapp.flake = false;
-    mattermost-server.url = "github:mattermost/mattermost-server?ref=v7.1.5";
-    mattermost-server.flake = false;
+    nixpkgs.url = "nixpkgs/nixos-24.05-small";
+    nixpkgs-unstable.url = "nixpkgs/nixos-unstable-small";
+    nixpkgs-oldstable.url = "github:/NixOS/nixpkgs?rev=c4aec3c021620d98861639946123214207e98344";
 
-    nixpkgs.url = "nixpkgs/nixos-22.11";
-    nixpkgs-unstable.url = "nixpkgs/nixpkgs-unstable";
-    nix-hexchen.url = "gitlab:hexchen/nixfiles";
-    nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-22.05";
+    nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-24.05";
     tracktrain.url = "git+https://stuebinm.eu/git/tracktrain?ref=main";
     tracktrain.flake = false;
 
     deploy-rs.url = "github:serokell/deploy-rs";
     deploy-rs.inputs.nixpkgs.follows = "nixpkgs";
+    sops-nix.url = "github:Mic92/sops-nix";
+    sops-nix.inputs.nixpkgs-stable.follows = "nixpkgs";
+    sops-nix.inputs.nixpkgs.follows = "nixpkgs-unstable";
     
     # these exist mostly to make the flake.lock somewhat more human-friendly
     # note that in theory doing this might break things, but it seems fairly unlikely
-    nix-hexchen.inputs = {
-      nixos-mailserver.follows = "nixos-mailserver";
-      nixpkgs.follows = "nixpkgs-unstable";
-      deploy-rs.follows = "deploy-rs";
-      doom-emacs.follows = "nix-hexchen/nix-doom-emacs/doom-emacs";
-      emacs-overlay.follows = "nix-hexchen/nix-doom-emacs/emacs-overlay";
-      flake-utils.follows = "/deploy-rs/utils";
-    };
     nixos-mailserver.inputs = {
-      "nixpkgs-22_05".follows = "nixpkgs";
+      "nixpkgs-24_05".follows = "nixpkgs";
       nixpkgs.follows = "nixpkgs-unstable";
+      utils.follows = "/deploy-rs/utils";
+      flake-compat.follows = "/deploy-rs/flake-compat";
     };
   };
 
-  outputs = { self, nixpkgs, nix-hexchen, deploy-rs, ... }@inputs:
-    let modules = nix-hexchen.nixosModules;
-        profiles = nix-hexchen.nixosModules.profiles // {
+  outputs = { self, nixpkgs, deploy-rs, sops-nix, ... }@inputs:
+    let modules = {
+          bindMounts = import ./modules/bindmounts.nix;
+          nopersist = import ./modules/nopersist.nix;
+          encboot = import ./modules/encboot.nix;
+        };
+        profiles = {
           container = import ./modules/container-profile.nix;
         };
         pkgs = import ./pkgs {
           sources = inputs;
           system = "x86_64-linux";
+          config.allowUnfree = true;
+          config.permittedInsecurePackages = [ "nextcloud-27.1.11" ];
         };
-        evalConfig = config: (nixpkgs.lib.nixosSystem {
-          system = "x86_64-linux";
-          modules = [
-            config
-            nix-hexchen.nixosModules.network.nftables
-            { nixpkgs.pkgs = pkgs; }
-          ];
-          specialArgs = {
-            inherit modules profiles evalConfig;
-            sources = inputs;
-          };
-        }).config.system.build.toplevel;
     in {
-      # do this by hand instead of via nix-hexchen/lib/hosts.nix, since that one
-      # apparently can't support pkgs depending on flake inputs
       nixosConfigurations.parsons = nixpkgs.lib.nixosSystem {
         system = "x86_64-linux";
         modules = [
-          ./hosts/parsons/configuration.nix
+          ./parsons/configuration.nix
+          ./modules/buildinfo.nix
+          ./modules/containers.nix
+          sops-nix.nixosModules.sops
           { nixpkgs.pkgs = pkgs; }
         ];
         specialArgs = {
-          # with a few exceptions, the flake inputs can be used the same
-          # as the niv-style (import nix/sources.nix {})
           sources = inputs;
-          inherit modules profiles evalConfig;
+          inherit modules profiles;
+          inherit (nixpkgs.lib) nixosSystem;
         };
       };
 
@@ -86,8 +73,20 @@
         (system: deployLib: deployLib.deployChecks self.deploy)
         deploy-rs.lib;
 
-      packages.x86_64-linux =
+      apps.x86_64-linux =
+        let
+	  mkApp = pkg: {
+	    type = "app";
+	    program = pkgs.lib.getExe pkg;
+	  };
+          websites = pkgs.lib.mapAttrs (name: mkApp) 
 	    self.nixosConfigurations.parsons.config.hacc.websites.builders;
+        in
+          { docs = websites."docs.hacc.space"; } // websites;
+
+      packages.x86_64-linux = {
+        inherit (pkgs) mattermost hacc-scripts;
+      };
     };
 
 }

modules/bindmounts.nix

@@ -0,0 +1,28 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let cfg = config.hacc;
+
+in {
+
+  options.hacc.bindMounts = mkOption {
+    type = types.attrsOf types.str;
+    default = { };
+    example = { "/etc/asdf" = "/persist/asdf"; };
+  };
+  options.hacc.bindToPersist = mkOption {
+    type = types.listOf types.str;
+    default = [];
+    example = [ "postgres" ];
+  };
+
+  config.fileSystems = mapAttrs (_: device: {
+    inherit device;
+    options = [ "bind" ];
+  }) cfg.bindMounts;
+
+  config.hacc.bindMounts = listToAttrs
+    (map (name: { inherit name; value = "/persist${name}"; })
+      cfg.bindToPersist);
+}

modules/buildinfo.nix

@@ -0,0 +1,29 @@
+{ config, lib, pkgs, sources, ... }:
+
+let
+  self = sources.self;
+
+  formatDate = date: with lib.strings;
+    let
+      year = substring 0 4 date;
+      month = substring 4 2 date;
+      day = substring 6 2 date;
+      hour = substring 8 2 date;
+      minute = substring 10 2 date;
+      second = substring 12 2 date;
+    in
+      "${year}-${month}-${day} ${hour}:${minute}:${second} UTC";
+in
+{
+  system.nixos.label = "${config.system.nixos.release}-haccfiles-${self.shortRev or self.dirtyShortRev}";
+  users.motd = ''
+    Welcome to ${config.networking.hostName}, running NixOS ${config.system.nixos.release}!
+    Built from haccfiles ${self.rev or self.dirtyRev}.
+    Last commit was at ${formatDate self.lastModifiedDate}.
+    ${if self ? dirtyRev then "\nPlease remember to commit your changes.\n" else ""}
+  '';
+
+  # used by monit
+  environment.etc."haccfiles-commit".text = self.rev or self.dirtyRev;
+  environment.etc."haccfiles-timestamp".text = builtins.toString self.lastModified;
+}

modules/container-profile.nix

@@ -14,12 +14,5 @@
     '';
   };
 
-  # I /suspect/ this is not actually needed.
-  # TODO: find spoons to deal with potential breakage, test removing this
-  networking.defaultGateway = {
-    address = "192.168.100.1";
-    interface = "eth0";
-  };
-
   system.stateVersion = lib.mkDefault "21.05";
 }

modules/containers.nix

@@ -0,0 +1,95 @@
+{ config, lib, pkgs, modules, profiles, sources, nixosSystem, ... }:
+
+let
+  mkIPv4 = index: local:
+    "192.168.${if local then "100" else "101"}.${toString index}";
+  mkIPv6 = index: local:
+    "fd00::${if local then "100" else "101"}:${toString index}";
+
+  evalConfig = nixosConfig: (nixosSystem {
+    inherit (config.nixpkgs) system;
+    modules = [
+      nixosConfig
+      modules.nopersist
+      profiles.container
+      { nixpkgs.pkgs = lib.mkForce pkgs; }
+    ];
+    specialArgs = {
+      inherit modules sources;
+    };
+  }).config.system.build.toplevel;
+
+in {
+  options.hacc.containers = with lib.options;
+    mkOption {
+      description = ''
+        hacc-specific containers. These are a thin wrapper around "normal" nixos containers:
+          - they automatically get an IPv4/IPv6 address assigned
+            (note that these are not guaranteed to be stable across config changes,
+            so please use {option}`containers.<name>.hostAddress` & friends to
+            reference them elsewhere)
+          - they set a couple default options (e.g. ephemeral, autoStart, privateNetwork)
+          - they are evaluated with our own version of {nix}`evalConfig`, which includes a
+            couple more modules by default, use our version of `nixpkgs`, and includes the
+            {nix}`profiles.containers` profile setting sane defaults for containers.
+      '';
+      default = { };
+      type = with lib.types;
+        types.attrsOf (types.submodule {
+          options = {
+            bindToPersist = mkOption {
+              default = true;
+              type = types.bool;
+              description =
+                "Wether to mount /persist/containers/<name> at /persist into this container.";
+            };
+
+            bindSecrets = mkOption {
+              default = false;
+              type = types.bool;
+              description =
+                "Whether to mount /run/secrets/<name> at /secrets into this container.";
+            };
+
+            config = mkOption {
+              type = types.unspecified;
+              description =
+                "The container's config, to be evaluated with our own {nix}`evalConfig`.";
+            };
+          };
+        });
+    };
+
+  # wrapped into imap1, which enumerates the containers; IP addresses are then
+  # simply assigned based on the order the containers are in the list.
+  config.containers = lib.mkMerge (lib.imap1
+    (index: { name, value }: let container = value; in {
+      ${name} = {
+        hostAddress = mkIPv4 index false;
+        localAddress = mkIPv4 index true;
+        hostAddress6 = mkIPv6 index false;
+        localAddress6 = mkIPv6 index true;
+
+        privateNetwork = true;
+        autoStart = true;
+        ephemeral = true;
+
+        bindMounts = lib.mkMerge [
+          (lib.mkIf container.bindToPersist {
+            "/persist" = {
+              hostPath = "/persist/containers/${name}";
+              isReadOnly = false;
+            };
+          })
+          (lib.mkIf container.bindSecrets {
+            "/secrets" = {
+              hostPath = "/run/secrets/${name}";
+              isReadOnly = true;
+            };
+          })
+        ];
+
+        path = evalConfig container.config;
+      };
+    }) (lib.attrsToList config.hacc.containers));
+}

modules/encboot.nix

@@ -0,0 +1,45 @@
+{ config, pkgs, lib, ... }:
+
+with lib;
+
+let cfg = config.hacc.encboot;
+
+in {
+  options = {
+    hacc.encboot = {
+      enable = mkOption {
+        type = types.bool;
+        default = false;
+      };
+      networkDrivers = mkOption { type = with types; listOf str; };
+      dataset = mkOption {
+        type = types.str;
+        default = "zroot";
+      };
+    };
+  };
+
+  config = mkIf cfg.enable {
+    boot.initrd.kernelModules = cfg.networkDrivers;
+
+    boot.initrd.network = {
+      enable = true;
+      ssh = {
+        enable = true;
+        port = 2222;
+        authorizedKeys = with lib;
+          concatLists (mapAttrsToList (name: user:
+            if elem "wheel" user.extraGroups then
+              user.openssh.authorizedKeys.keys
+            else
+              [ ]) config.users.users);
+        hostKeys = [ /etc/ssh/encboot_host ];
+      };
+
+      postCommands = ''
+        zpool import ${cfg.dataset}
+        echo "zfs load-key -a; killall zfs && exit" >> /root/.profile
+      '';
+    };
+  };
+}

modules/nopersist.nix

@@ -0,0 +1,52 @@
+{ config, lib, pkgs, modules, ... }:
+
+with lib;
+
+{
+  imports = [ modules.bindMounts ];
+
+  users.mutableUsers = false;
+
+  boot.initrd = mkIf (config.fileSystems."/".fsType == "zfs") {
+    network.ssh.hostKeys = mkIf config.hacc.encboot.enable
+      (mkForce [ /persist/ssh/encboot_host ]);
+
+    postDeviceCommands = mkIf (!config.boot.initrd.systemd.enable)
+      (mkAfter ''
+        zfs rollback -r ${config.fileSystems."/".device}@blank
+      '');
+
+    systemd = mkIf config.boot.initrd.systemd.enable {
+      storePaths = [ pkgs.zfs ];
+      services.rollback = {
+        description = "Rollback ZFS datasets to a pristine state";
+        wantedBy = [ "initrd.target" ];
+        after = [ "zfs-import-${head (splitString "/" config.fileSystems."/".device)}.service" ];
+        before = [ "sysroot.mount" ];
+        path = [ pkgs.zfs ];
+        unitConfig.DefaultDependencies = "no";
+        serviceConfig.Type = "oneshot";
+        script = ''
+          zfs rollback -r ${config.fileSystems."/".device}@blank && echo "rollback complete"
+        '';
+      };
+    };
+  };
+
+  services.openssh = {
+    hostKeys = [
+      {
+        path = "/persist/ssh/ssh_host_ed25519_key";
+        type = "ed25519";
+      }
+      {
+        path = "/persist/ssh/ssh_host_rsa_key";
+        type = "rsa";
+        bits = 4096;
+      }
+    ];
+  };
+
+  services.postgresql.dataDir =
+    "/persist/postgresql/${config.services.postgresql.package.psqlSchema}";
+}

parsons/configuration.nix

@@ -2,52 +2,44 @@
 
 {
   imports = [
-   ../../common
+    ../common
     ./hardware.nix
     modules.encboot
-    modules.network.nftables
-    modules.nftnat
-    sources.nix-hexchen.nixosModules.profiles.nopersist
-
-    ../../services/nextcloud.nix
-    ../../services/mattermost.nix
-    ../../services/thelounge.nix
-    ../../services/murmur.nix
-    ../../services/hedgedoc-hacc.nix
-    ../../services/hedgedoc-i4f.nix
-    ../../services/mail.nix
-    ../../services/gitea.nix
-    ../../services/nginx-pages.nix
-    ../../services/vaultwarden.nix
-    ../../services/tracktrain.nix
-    ../../services/uffd.nix
-
+    modules.nopersist
+    ./nftables.nix
+    ./nextcloud.nix
+    ./mattermost.nix
+    ./murmur.nix
+    ./hedgedoc-hacc.nix
+    ./hedgedoc-i4f.nix
+    ./mail.nix
+    ./forgejo.nix
+    ./nginx-pages.nix
+    ./vaultwarden.nix
+    ./tracktrain.nix
+    ./uffd.nix
     ./lxc.nix
+    ./monit.nix
   ];
 
-  hexchen.bindmounts."/var/lib/acme" = "/persist/var/lib/acme";
-  # fileSystems."/var/lib/acme" = {
-  #   device = "/persist/var/lib/acme";
-  #   fsType = "bind";
-  # };
+  hacc.bindToPersist = [ "/var/lib/acme" ];
 
-  hexchen.encboot = {
+  hacc.encboot = {
     enable = true;
     dataset = "-a";
     networkDrivers = [ "igb" ];
   };
 
+  sops.defaultSopsFile = ../secrets.yaml;
+  sops.age.sshKeyPaths = [ "/persist/ssh/ssh_host_ed25519_key" ];
+
   boot.loader.grub.enable = true;
-  boot.loader.grub.version = 2;
   boot.loader.grub.devices = [ "/dev/nvme0n1" "/dev/nvme1n1" ];
   boot.supportedFilesystems = [ "zfs" ];
 
   networking.hostId = "b2867696";
   networking.useDHCP = true;
   networking.nftables.enable = true;
-  hexchen.nftables.nat.enable = true;
-  networking.nat.internalInterfaces = ["ve-+"];
-  networking.nat.externalInterface = "enp35s0";
 
   networking.hostName = "parsons";
 
@@ -59,13 +51,6 @@
     address = "fe80::1";
     interface = "enp35s0";
   };
-  boot = {
-    kernelModules = [ "nf_nat_ftp" ];
-    kernel.sysctl = {
-      "net.ipv4.conf.all.forwarding" = lib.mkOverride 90 true;
-      "net.ipv4.conf.default.forwarding" = lib.mkOverride 90 true;
-    };
-  };
 
   services.nginx = {
     enable = true;
@@ -85,8 +70,8 @@
   networking.firewall.allowedTCPPorts = [ 80 443 ];
 
   services.restic.backups.tardis = {
-    passwordFile = "/persist/restic/system";
-    environmentFile = "/persist/restic/system.s3creds";
+    passwordFile = "/run/secrets/restic/system";
+    environmentFile = "/run/secrets/restic/s3creds.env";
     paths = [
       "/home"
       "/persist"
@@ -99,5 +84,10 @@
     repository = "b2:tardis-parsons:system";
   };
 
+  sops.secrets = {
+    "restic/system" = {};
+    "restic/s3creds.env" = {};
+  };
+
   system.stateVersion = "21.05";
 }

parsons/forgejo.nix

@@ -1,34 +1,16 @@
-{ config, lib, pkgs, profiles, modules, evalConfig, sources, ... }:
+{ config, lib, pkgs, ... }:
 
 {
-  containers.gitea = {
-    privateNetwork = true;
-    hostAddress = "192.168.100.1";
-    localAddress = "192.168.100.10";
-    autoStart = true;
-    bindMounts = {
-      "/persist" = {
-        hostPath = "/persist/containers/gitea";
-        isReadOnly = false;
-      };
-    };
-    path = evalConfig ({ config, lib, pkgs, profiles, ... }: {
+  hacc.containers.forgejo = {
+    config = { lib, pkgs, ... }: {
       system.stateVersion = "21.11";
 
-      imports = [ profiles.nopersist profiles.container ];
+      environment.systemPackages = [ pkgs.forgejo ];
 
-      environment.systemPackages = [ pkgs.gitea ];
+      hacc.bindMounts."/var/lib/forgejo" = "/persist/forgejo";
 
-      hexchen.bindmounts."/var/lib/gitea" = "/persist/gitea";
-
-      nixpkgs.config.allowUnfree = true;
-
-      services.gitea = {
+      services.forgejo = {
         enable = true;
-        appName = "0x0: git for all creatures";
-        rootUrl = "https://git.infra4future.de/";
-        httpAddress = "0.0.0.0";
-        httpPort = 3000;
         lfs.enable = true;
         database.type = "postgres";
         settings = {
@@ -49,6 +31,9 @@
           server = {
             LANDING_PAGE = "explore";
             OFFLINE_MODE = true;
+            ROOT_URL = "https://git.infra4future.de";
+            HTTP_PORT = 3000;
+            HTTP_ADDR = "0.0.0.0";
           };
           security = { INSTALL_LOCK = true; };
           other = {
@@ -69,38 +54,32 @@
           log.LEVEL = "Info";
           service.DISABLE_REGISTRATION = true;
           session.COOKIE_SECURE = true;
+          default.APP_NAME = "0x0: git for all creatures";
         };
       };
+      services.postgresql.package = pkgs.postgresql_15;
+
       services.postgresqlBackup = {
         enable = true;
-        databases = [ "gitea" ];
+        databases = [ "forgejo" ];
         startAt = "*-*-* 23:45:00";
         location = "/persist/backups/postgres";
       };
       services.openssh = {
         enable = true;
-        passwordAuthentication = false;
-        listenAddresses = [ {
-          addr = "192.168.100.10";
-          port = 22;
-        } ];
-        extraConfig = ''
-          AcceptEnv GIT_PROTOCOL
-        '';
+        settings = {
+          PasswordAuthentication = false;
+          AcceptEnv = "GIT_PROTOCOL";
+        };
+      };
     };
-    });
   };
 
   services.nginx.virtualHosts."git.infra4future.de" = {
     forceSSL = true;
     enableACME = true;
     locations."/" = {
-      proxyPass = "http://${config.containers.gitea.localAddress}:3000";
+      proxyPass = "http://${config.containers.forgejo.localAddress}:3000";
     };
   };
-  hexchen.nftables.nat.forwardPorts = [{
-    ports = [ 22 ];
-    destination = "${config.containers.gitea.localAddress}:22";
-    proto = "tcp";
-  }];
 }

parsons/hardware.nix

@@ -28,6 +28,7 @@
   fileSystems."/persist" =
     { device = "zroot/safe/persist";
       fsType = "zfs";
+      neededForBoot = true;
     };
 
   fileSystems."/home" =
@@ -55,11 +56,6 @@
       fsType = "zfs";
     };
 
-  fileSystems."/var/lib/docker" =
-    { device = "zroot/local/docker";
-      fsType = "zfs";
-    };
-
   swapDevices = [ ];
 
 }

parsons/hedgedoc-hacc.nix

@@ -1,21 +1,16 @@
-{ config, lib, pkgs, profiles, modules, evalConfig, sources, ... }:
+{ config, lib, pkgs, ... }:
 
 {
-  containers.pad-hacc = {
-    privateNetwork = true;
-    hostAddress = "192.168.100.1";
-    localAddress = "192.168.100.5";
-    autoStart = true;
-    bindMounts = {
-      "/persist" = {
-        hostPath = "/persist/containers/pad-hacc";
-        isReadOnly = false;
-      };
-    };
-    path = evalConfig ({ config, lib, pkgs, profiles, ... }: {
-      imports = [ profiles.nopersist profiles.container ];
-      nixpkgs.config.allowUnfree = true;
 
+  sops.secrets = {
+    "hedgedoc-hacc/env" = {};
+  };
+
+  containers.pad-hacc.bindMounts = {
+    "/secrets".hostPath = "/run/secrets/hedgedoc-hacc";
+  };
+  hacc.containers.pad-hacc = {
+    config = { config, lib, ... }: {
       services.hedgedoc = {
         enable = true;
         settings = {
@@ -43,7 +38,7 @@
             clientSecret = "lol nope";
           };
         };
-        environmentFile = "/persist/secrets.env";
+        environmentFile = "/secrets/env";
       };
       systemd.services.hedgedoc.environment = {
         "CMD_LOGLEVEL" = "warn";
@@ -59,15 +54,13 @@
         ensureDatabases = [ "codimd" ];
         ensureUsers = [{
           name = "codimd";
-          ensurePermissions = {
-            "DATABASE codimd" = "ALL PRIVILEGES";
-          };
+          ensureDBOwnership = true;
         }];
         authentication = ''
           local all all trust
           host  codimd  codimd  127.0.0.1/32  trust
         '';
-        package = pkgs.postgresql_11;
+        package = pkgs.postgresql_15;
       };
       services.postgresqlBackup = {
         enable = true;
@@ -75,7 +68,8 @@
         startAt = "*-*-* 23:45:00";
         location = "/persist/backups/postgres";
       };
-    });
+      hacc.bindToPersist = [ "/var/lib/hedgedoc" ];
+    };
   };
   services.nginx.virtualHosts."pad.hacc.earth" = {
     enableACME = true;

parsons/hedgedoc-i4f.nix

@@ -1,21 +1,8 @@
-{ config, lib, pkgs, modules, evalConfig, sources, ... }:
+{ config, lib, pkgs, ... }:
 
 {
-  containers.pad-i4f = {
-    privateNetwork = true;
-    hostAddress = "192.168.100.1";
-    localAddress = "192.168.100.6";
-    autoStart = true;
-    bindMounts = {
-      "/persist" = {
-        hostPath = "/persist/containers/pad-i4f";
-        isReadOnly = false;
-      };
-    };
-    path = evalConfig ({ config, lib, pkgs, profiles, ... }: {
-      imports = [ profiles.nopersist profiles.container ];
-      nixpkgs.config.allowUnfree = true;
-
+  hacc.containers.pad-i4f = {
+    config = { config, lib, ... }: {
       services.hedgedoc = {
         enable = true;
         settings = {
@@ -41,7 +28,7 @@
       };
       services.postgresql = {
         enable = true;
-        package = pkgs.postgresql_11;
+        package = pkgs.postgresql_15;
         authentication = ''
           local all       all                     trust
           host  hedgedoc  hedgedoc  127.0.0.1/32  trust
@@ -49,9 +36,7 @@
         ensureDatabases = [ "hedgedoc" ];
         ensureUsers = [{
           name = "hedgedoc";
-          ensurePermissions = {
-            "DATABASE hedgedoc" = "ALL PRIVILEGES";
-          };
+          ensureDBOwnership = true;
         }];
       };
       services.postgresqlBackup = {
@@ -60,7 +45,8 @@
         startAt = "*-*-* 23:45:00";
         location = "/persist/backups/postgres";
       };
-    });
+      hacc.bindToPersist = [ "/var/lib/hedgedoc" ];
+    };
   };
 
   services.nginx.virtualHosts."pad.infra4future.de" = {

parsons/lxc.nix

@@ -8,7 +8,6 @@
       prefixLength = 24;
     }
   ];
-  networking.nat.internalInterfaces = [ "lxcbr0" ];
 
   virtualisation.lxc.enable = true;
   virtualisation.lxc.systemConfig = ''
@@ -27,10 +26,4 @@
     enableACME = true;
     forceSSL = true;
   };
-
-  services.nginx.virtualHosts."auth.infra4future.de" = {
-    locations."/".proxyPass = "http://10.1.2.104:8080";
-    enableACME = true;
-    forceSSL = true;
-  };
 }

parsons/mail.nix

@@ -1,4 +1,4 @@
-{ config, pkgs, lib, sources, ... }:
+{ config, options, pkgs, lib, sources, ... }:
 
 {
   imports = [ sources.nixos-mailserver.outPath ];
@@ -65,13 +65,16 @@
       "noreply@hacc.space" = {
         hashedPassword =
           "$6$YsqMoItITZUzI5wo$5Lejf8XBHRx4LW4VuZ9wJCiBbT4kOV/EZaCdWQ07eVIrkRTZwXWZ5zfsh.olXEFwvpNWN.DBnU.dQc.cC0/ra/";
-        sendOnly = true;
       };
 
       "noreply@infra4future.de" = {
         hashedPassword =
           "$6$uaD8bRcT1$gFqhFyu5RUsyUUOG5b.kN.JAJ1rVHvaYhpeRHoMvrERAMgBu1FHu2oDnjTsy.5NKoLc5xpI5uv4Gpy4YbmDmV.";
-        sendOnly = true;
+      };
+
+      "mattermost@hacc.space" = {
+        hashedPassword =
+          "$6$uaD8bRcT1$gFqhFyu5RUsyUUOG5b.kN.JAJ1rVHvaYhpeRHoMvrERAMgBu1FHu2oDnjTsy.5NKoLc5xpI5uv4Gpy4YbmDmV.";
       };
     };
 
@@ -142,7 +145,7 @@
 
     # Use Let's Encrypt certificates. Note that this needs to set up a stripped
     # down nginx and opens port 80.
-    certificateScheme = 3;
+    certificateScheme = "acme-nginx";
 
     # Only allow implict TLS
     enableImap = false;
@@ -184,11 +187,22 @@
     bindIP = "[::1]";
   };
 
-  systemd.services.alps.after = [ "dovecot2.service" ];
+  systemd.services.alps.after = [ "dovecot2.service" "postfix.service" ];
+  systemd.services.alps.bindsTo = [ "dovecot2.service" "postfix.service" ];
 
   services.nginx.virtualHosts."mail.hacc.space" = {
     enableACME = true;
     forceSSL = true;
     locations."/".proxyPass = "http://[::1]:1323";
   };
+
+  hacc.bindToPersist = [
+    "/var/lib/rspamd"
+    "/var/lib/opendkim"
+    "/var/lib/postfix"
+    "/var/lib/dovecot"
+    "/var/sieve"
+    "/var/lib/redis-rspamd"
+    "/var/dkim"
+  ];
 }

parsons/mattermost.nix

@@ -1,35 +1,19 @@
-{config, pkgs, lib, profiles, modules, evalConfig, sources, ...}:
+{ config, pkgs, lib, ...}:
 
-let
-  mattermost = pkgs.mattermost;
-in {
-  containers.mattermost = {
-    autoStart = true;
-    privateNetwork = true;
-    hostAddress = "192.168.100.1";
-    localAddress = "192.168.100.3";
-
-    bindMounts = {
-      "/persist" = {
-        hostPath = "/persist/containers/mattermost";
-        isReadOnly = false;
-      };
+{
+  sops.secrets = {
+    "mattermost/env" = {};
   };
 
-    path = evalConfig ({ config, lib, pkgs, profiles, ... }: {
-      imports = [ profiles.nopersist profiles.container ];
-      nixpkgs.overlays = [ (self: super: { inherit mattermost; }) ];
+  hacc.containers.mattermost = {
+    bindSecrets = true;
 
-      nixpkgs.config.allowUnfree = true;
+    config = { config, lib, pkgs, ... }: {
+      environment.systemPackages = [ pkgs.morph pkgs.pgloader ];
 
       systemd.services.mattermost.serviceConfig.EnvironmentFile =
-        "/persist/mattermost/secrets.env";
-      # overwrite the -c flag given in the module. this can be removed once we're on nixos 22.05
-      systemd.services.mattermost.serviceConfig.ExecStart =
-        lib.mkForce "${pkgs.mattermost}/bin/mattermost -c /persist/mattermost/config/config.json";
+        lib.mkForce "/secrets/env";
 
-      # couldn't figure out how to actually overwrite modules, so now
-      # there's two mattermost modules ...
       services.mattermost = {
         enable = true;
         siteUrl = "https://mattermost.infra4future.de";
@@ -78,8 +62,6 @@ in {
           };
           LogSettings = {
             EnableConsole = true;
-            # note: for some reason this doesn't work (mattermost still sets it to DEBUG);
-            # it's also set in secrets.env, where for some reason it does
             ConsoleLevel = "ERROR";
             EnableDiagnostics = false;
             EnableWebhookDebugging = false;
@@ -125,6 +107,12 @@ in {
             ShowEmailAddress = false;
             ShowFullName = true;
           };
+          # to disable the extra landing page advertising the app
+          NativeAppSettings = {
+            AppDownloadLink = "";
+            AndroidAppDownloadLink = "";
+            IosAppDownloadLink = "";
+          };
           SupportSettings = {
             TermsOfServiceLink = "https://infra4future.de/nutzungsbedingungen.html";
             PrivacyPolicyLink = "https://infra4future.de/nutzungsbedingungen.html";
@@ -156,18 +144,12 @@ in {
             Enable = true;
             EnableUploads = true;
             Plugins = {
-              bigbluebutton = {
-                adminonly = false;
-                base_url = "https://bbb.infra4future.de/bigbluebutton/api";
-                salt = "zKCsNeaEniC115ynHOsZopgA4iTiJjzgeiPNoCEc";
-              };
               "com.github.matterpoll.matterpoll" = {
                 experimentalui = true;
                 trigger = "poll";
               };
             };
             PluginStates = {
-              bigbluebutton.Enable = true;
               "com.github.matterpoll.matterpoll".Enable = true;
             };
           };
@@ -176,6 +158,8 @@ in {
           MetricsSettings.Enable = false;
           GuestAccountsSettings.Enable = false;
           FeatureFlags.CollapsedThreads = true;
+          SqlSettings.DriverName = "postgres";
+          SqlSettings.DataSource = "postgres:///mattermost?host=/run/postgresql";
         };
 
         # turn of the weirder parts of this module (which insist on passwords
@@ -186,36 +170,28 @@ in {
         localDatabaseCreate = false;
       };
 
-      services.mysql = {
-        enable = true;
-        ensureDatabases = [ "mattermost" ];
-        ensureUsers = [ {
-          name = "mattermost";
-          ensurePermissions = { "mattermost.*" = "ALL PRIVILEGES"; };
-        } ];
-        package = pkgs.mysql80;
-        dataDir = "/persist/mysql";
-      };
-
       services.postgresql = {
         enable = lib.mkForce true; # mattermost sets this to false. wtf.
-        package = pkgs.postgresql_11;
+        package = pkgs.postgresql_15;
         ensureDatabases = [ "mattermost" ];
         ensureUsers = [ {
           name = "mattermost";
-          ensurePermissions = { "DATABASE mattermost" = "ALL PRIVILEGES"; };
+          ensureDBOwnership = true;
         } ];
 
         authentication = lib.mkForce ''
           # Generated file; do not edit!
           local all all trust
-          host  mattermost mattermost ::1/128      trust
         '';
       };
 
-      networking.firewall.allowedTCPPorts = [ 3000 ];
-
-    });
+      services.postgresqlBackup = {
+        enable = true;
+        databases = [ "mattermost" ];
+        startAt = "*-*-* 23:45:00";
+        location = "/persist/backups/postgres";
+      };
+    };
   };
 
   services.nginx.virtualHosts."mattermost.infra4future.de" = {

parsons/monit.nix

@@ -0,0 +1,64 @@
+{ config, options, lib, pkgs, ... }:
+
+let
+  checkHash = pkgs.writeScriptBin "check-commit-hash" ''
+    #!${lib.getExe pkgs.fish}
+    set wanted (${lib.getExe pkgs.curl} -s https://git.infra4future.de/api/v1/repos/hacc/haccfiles/branches/main \
+                -H 'accept: application/json' | jq -r .commit.id)
+
+    if test $status != 0
+      echo "could not reach git.infra4future.de"
+      exit 2
+    end
+
+    set actual (cat /etc/haccfiles-commit)
+    if test $status != 0
+      echo "/etc/haccfiles-commit does not exist??"
+      exit 2
+    end
+
+    if test $actual != $wanted
+      echo "parsons was built on $actual, but commit on main is $wanted"
+      exit 1
+    end
+  '';
+
+  checkDeployAge = pkgs.writeScriptBin "check-deploy-age" ''
+    #!${lib.getExe pkgs.fish}
+
+    set date (date +%s)
+    # we do this indirection here so monit's config won't change on each deploy
+    set deploytimestamp (cat /etc/haccfiles-timestamp)
+    set age (expr $date - $deploytimestamp)
+
+    if test $age -ge (expr 3600 \* 24 \* 10)
+      echo "${config.networking.hostName} has not been deployed since 10 days, perhaps someone should do updates?"
+      exit 1
+    end
+  '';
+in
+{
+  mailserver.monitoring = {
+    enable = true;
+    alertAddress = "admin@hacc.space";
+    config = (lib.replaceStrings ["port 22"] ["port ${toString (lib.head config.services.openssh.ports)}"] options.mailserver.monitoring.config.default);
+  };
+
+  services.monit.config = ''
+      check host onlyoffice with address onlyoffice.infra4future.de
+            start program "/run/current-system/sw/bin/lxc-start -n onlyoffice -f /persist/lxc/onlyoffice/config"
+            stop program "/run/current-system/sw/bin/lxc-stop -n onlyoffice"
+            if failed port 443 protocol https status = 302
+            then restart
+
+      check program deployed-commit-on-main path ${lib.getExe checkHash}
+            if status == 1 for 64 cycles then alert
+            if status == 2 for 3 cycles then alert
+
+      check program is-system-running path ${pkgs.systemd}/bin/systemctl is-system-running
+            if status != 0 then alert
+
+      check program check-deploy-age path ${lib.getExe checkDeployAge}
+            if status == 1 then alert
+  '';
+}

parsons/murmur.nix

@@ -1,13 +1,13 @@
-{ config, lib, pkgs, sources, ... }:
+{ config, lib, pkgs, ... }:
 
 {
-  hexchen.bindmounts."/var/lib/murmur" = "/persist/var/lib/murmur";
-
   services.murmur = {
     enable = true;
     logDays = -1;
-    welcometext =
-      "Welcome to mumble4future! Brought to you by infra4future. The server is now reachable under mumble.hacc.space, please update your bookmarks.";
+    registerName = "hackers against climate change";
+    welcometext = ''
+      <br>Welcome to <b>mumble4future</b>!<br>Brought to you by <b style="color:red">infra4future</b>.<br>On <a href=https://mumble.hacc.space>mumble.hacc.space</a><br>Not confusing at all!
+    '';
     sslKey = "/var/lib/acme/mumble.hacc.space/key.pem";
     sslCert = "/var/lib/acme/mumble.hacc.space/fullchain.pem";
     bandwidth = 128000;
@@ -25,4 +25,6 @@
   };
   users.users.nginx.extraGroups = [ "mumblecert" ];
   users.users.murmur.extraGroups = [ "mumblecert" ];
+
+  hacc.bindToPersist = [ "/var/lib/murmur" ];
 }

parsons/nextcloud.nix

@@ -1,30 +1,9 @@
-{ config, lib, pkgs, profiles, modules, evalConfig, ... }:
+{ config, lib, pkgs, ... }:
 
 {
-  containers.nextcloud = {
-    autoStart = true;
-    privateNetwork = true;
-    hostAddress = "192.168.100.1";
-    localAddress = "192.168.100.2";
-    bindMounts = {
-      "/persist" = {
-        hostPath = "/persist/containers/nextcloud";
-        isReadOnly = false;
-      };
-    };
-    path = evalConfig ({ config, lib, pkgs, profiles, sources, ... }: {
-      imports = [
-        profiles.nopersist
-        profiles.container
-        (import "${sources.nixpkgs-unstable}/nixos/modules/services/web-apps/nextcloud.nix")
-      ];
-
-      disabledModules = [
-        "services/web-apps/nextcloud.nix"
-      ];
-
-      nixpkgs.config.allowUnfree = true;
-
+  containers.nextcloud.timeoutStartSec = "10 min";
+  hacc.containers.nextcloud = {
+    config = { config, lib, pkgs, ... }: {
       environment.systemPackages = [ pkgs.htop ];
 
       services.nextcloud = {
@@ -32,21 +11,19 @@
 
         # must be set manually; may not be incremented by more than one at
         # a time, otherwise nextcloud WILL break
-        package = pkgs.nextcloud25;
+        package = pkgs.nextcloud29;
 
         home = "/persist/nextcloud";
         https = true;
 
-        # true by default for backwards-compatability, but we don't need it
-        enableBrokenCiphersForSSE = false;
-
         hostName = "cloud.infra4future.de";
         config = {
           dbtype = "pgsql";
           dbuser = "nextcloud";
           dbhost = "/run/postgresql"; # nextcloud will add /.s.PGSQL.5432 by itself
           dbname = "nextcloud";
-          adminpassFile = "/persist/nextcloud/config/admin_pw";
+          # socket auth does not needs this, but the module insists it does
+          adminpassFile = "/persist/adminpassfile";
           adminuser = "root";
         };
 
@@ -62,7 +39,7 @@
           "pm.start_servers" = "2";
         };
 
-        extraOptions = {
+        settings = {
           instanceid = "ocxlphb7fbju";
           datadirectory = "/persist/nextcloud/data";
           loglevel = 0;
@@ -72,23 +49,30 @@
 
       services.postgresql = {
         enable = true;
-        package = pkgs.postgresql_11;
+        package = pkgs.postgresql_15;
         ensureDatabases = [ "nextcloud" ];
         ensureUsers = [
           { # by default, postgres has unix sockets enabled, and allows a
             # system user `nextcloud` to log in without other authentication
             name = "nextcloud";
-            ensurePermissions."DATABASE nextcloud" = "ALL PRIVILEGES";
+            ensureDBOwnership = true;
           }
         ];
       };
 
+      services.postgresqlBackup = {
+        enable = true;
+        databases = [ "nextcloud" ];
+        startAt = "*-*-* 23:45:00";
+        location = "/persist/backups/postgres";
+      };
+
       # ensure that postgres is running *before* running the setup
       systemd.services."nextcloud-setup" = {
         requires = ["postgresql.service"];
         after = ["postgresql.service"];
       };
-    });
+    };
   };
 
   services.nginx.virtualHosts."cloud.infra4future.de" = {

parsons/nftables.nix

@@ -0,0 +1,23 @@
+{ config, lib, pkgs, ... }:
+
+{
+  networking.firewall.enable = true;
+  networking.firewall.logRefusedConnections = false;
+  networking.nat.enable = true;
+
+  networking.nftables.enable = true;
+  networking.nftables.tables.nat = {
+    family = "ip";
+    content = ''
+      chain prerouting {
+        type nat hook prerouting priority -100
+        iifname enp35s0 tcp dport { 22 } dnat ${config.containers.forgejo.localAddress}:22
+      }
+      chain postrouting {
+        type nat hook postrouting priority 100
+        iifname lxcbr0 oifname enp35s0 masquerade
+        iifname ve-* oifname enp35s0 masquerade
+      }
+    '';
+  };
+}

parsons/nginx-pages.nix

@@ -0,0 +1,16 @@
+{ config, pkgs, ... }:
+
+
+{
+  hacc.websites = {
+    enable = true;
+    directory = "${../.}/websites";
+  };
+
+
+  services.nginx.virtualHosts."parsons.hacc.space" = {
+    enableACME = true;
+    forceSSL = true;
+    locations."/~stuebinm/".root = "/persist/www/";
+  };
+}

parsons/s4f-conference.nix

@@ -0,0 +1,137 @@
+{ config, lib, pkgs, ... }:
+
+{
+  sops.secrets = {
+    "s4f-conference/env" = {};
+  };
+
+  hacc.containers.s4f-conference = {
+    bindSecrets = true;
+
+    config = { config, lib, pkgs, ... }: {
+      systemd.services.mattermost.serviceConfig.EnvironmentFile =
+        lib.mkForce "/secrets/env";
+
+      services.mattermost = {
+        enable = true;
+        siteUrl = "https://s4f-conference.infra4future.de";
+        siteName = "Scientists for Future Chat";
+        listenAddress = "0.0.0.0:3000";
+        mutableConfig = false;
+
+        statePath = "/persist/mattermost";
+
+        extraConfig = {
+          ServiceSettings = {
+            TrustedProxyIPHeader = [ "X-Forwarded-For" "X-Real-Ip" ];
+            EnableEmailInvitations = true;
+          };
+          TeamSettings = {
+            EnableUserCreation = true;
+            MaxUsersPerTeam = 2500;
+            EnableUserDeactivation = true;
+            EnableOpenServer = false;
+          };
+          PasswordSettings = {
+            MinimumLength = 10;
+          };
+          FileSettings = {
+            EnableFileAttachments = true;
+            MaxFileSize = 52428800;
+            DriverName = "local";
+            Directory = "/persist/upload-storage";
+            EnablePublicLink = true;
+            PublicLinkSalt = "3k7p3yxdhz6798b3b9openfr9rn3ymwu";
+          };
+          EmailSettings = {
+            EnableSignUpWithEmail = true;
+            EnableSignInWithEmail = true;
+            EnableSignInWithUsername = true;
+            SendEmailNotifications = true;
+            FeedbackName = "mattermost";
+            FeedbackEmail = "mattermost@infra4future.de";
+            ReplyToAddress = "mattermost@infra4future.de";
+            FeedbackOrganization = "∆infra4future.de";
+            EnableSMTPAuth = true;
+            SMTPUsername = "noreply@infra4future.de";
+            SMTPServer = "mail.hacc.space";
+            SMTPPort = "465";
+            SMTPServerTimeout = 10;
+            ConnectionSecurity = "TLS";
+          };
+          RateLimitSettings.Enable = false;
+          PrivacySettings = {
+            ShowEmailAddress = false;
+            ShowFullName = true;
+          };
+          # to disable the extra landing page advertising the app
+          NativeAppSettings = {
+            AppDownloadLink = "";
+            AndroidAppDownloadLink = "";
+            IosAppDownloadLink = "";
+          };
+          LogSettings = {
+            EnableConsole = true;
+            ConsoleLevel = "ERROR";
+            EnableDiagnostics = false;
+            EnableWebhookDebugging = false;
+          };
+          SupportSettings = {
+            TermsOfServiceLink = "https://infra4future.de/nutzungsbedingungen.html";
+            PrivacyPolicyLink = "https://infra4future.de/nutzungsbedingungen.html";
+            AboutLink = "https://infra4future.de";
+            SupportEmail = "info@infra4future.de";
+            CustomTermsOfServiceEnabled = false;
+            EnableAskCommunityLink = true;
+          };
+          AnnouncementSettings.EnableBanner = false;
+          ComplianceSettings.Enable = false;
+          ClusterSettings.Enable = false;
+          MetricsSettings.Enable = false;
+          GuestAccountsSettings.Enable = true;
+        };
+
+        localDatabaseCreate = false;
+      };
+
+      services.postgresql = {
+        enable = lib.mkForce true; # mattermost sets this to false. wtf.
+        package = pkgs.postgresql_15;
+        ensureDatabases = [ "mattermost" ];
+        ensureUsers = [ {
+          name = "mattermost";
+          ensureDBOwnership = true;
+        } ];
+
+        authentication = lib.mkForce ''
+          # Generated file; do not edit!
+          local all all              trust
+          host  mattermost mattermost ::1/128      trust
+        '';
+      };
+      services.postgresqlBackup = {
+        enable = true;
+        databases = [ "mattermost" ];
+        startAt = "*-*-* 23:45:00";
+        location = "/persist/backups/postgres";
+      };
+    };
+  };
+
+  services.nginx.virtualHosts."s4f-conference.infra4future.de" = {
+    locations."/" = {
+      proxyPass = "http://${config.containers.s4f-conference.localAddress}:3000";
+      proxyWebsockets = true;
+      extraConfig = ''
+        # Mattermost CSR Patch
+        proxy_hide_header Content-Security-Policy;
+        proxy_hide_header X-Frame-Options;
+        proxy_redirect off;
+
+        client_max_body_size 100M;
+      '';
+    };
+    forceSSL = true;
+    enableACME = true;
+  };
+}

parsons/tracktrain.nix

@@ -0,0 +1,102 @@
+{ config, lib, pkgs, ... }:
+
+let
+  tracktrain-config = ''
+    dbstring: "dbname=tracktrain"
+    gtfs: /persist/gtfs.zip
+    assets: ${pkgs.tracktrain}/assets
+
+    warp:
+      port: 4000
+
+    login:
+      enable: true
+      url: https://login.infra4future.de
+      clientName: tracktrain
+      # clientSecret defined in env file
+
+    logging:
+      ntfyTopic: ping.stuebinm.eu/monit
+      name: ilztalbahn
+  '';
+in
+{
+  sops.secrets = {
+    "tracktrain/env" = {};
+  };
+
+  services.nginx.virtualHosts."tracktrain.ilztalbahn.eu" = {
+    enableACME = true;
+    forceSSL = true;
+    locations."/" = {
+      proxyPass = "http://${config.containers.tracktrain.localAddress}:4000";
+      proxyWebsockets = true;
+    };
+    # note: this shadows the /metrics endpoint of tracktrain
+    # in case you remove this, please consider putting something
+    # else here to keep it from being publicly scrapable
+    locations."/metrics/" = {
+      proxyPass = "http://${config.containers.tracktrain.localAddress}:2342";
+      proxyWebsockets = true;
+      extraConfig = ''
+        rewrite  ^/metrics/(.*)  /$1 break;
+      '';
+    };
+  };
+
+  hacc.containers.tracktrain = {
+    bindSecrets = true;
+
+    config = { config, lib, pkgs, ... }: {
+
+      systemd.services.tracktrain = {
+        enable = true;
+
+        description = "tracks trains, hopefully";
+        wantedBy = [ "multi-user.target" ];
+        requires = [ "network.target" ];
+        after = [ "network.target" ];
+        serviceConfig = {
+          Type = "simple";
+          EnvironmentFile = "/secrets/env";
+          DynamicUser = true;
+        };
+        path = [ pkgs.wget pkgs.ntfy-sh ];
+        script = ''
+          cd /tmp
+          ln -sf ${pkgs.writeText "tracktrain-config.yaml" tracktrain-config} config.yaml
+          ${pkgs.tracktrain}/bin/tracktrain +RTS -T
+        '';
+      };
+
+      services.postgresql = {
+        enable = true;
+        package = pkgs.postgresql_15;
+        ensureDatabases = [ "tracktrain" ];
+        ensureUsers = [ {
+          name = "tracktrain";
+          ensureDBOwnership = true;
+        } ];
+        authentication = ''
+          local all all trust
+        '';
+      };
+
+      services.prometheus = {
+        enable = true;
+        port = 9001;
+        scrapeConfigs = [ {
+          job_name = "tracktrain";
+          static_configs = [{
+            targets = [  "0.0.0.0:4000" ];
+          }];
+        } ];
+      };
+
+      systemd.services.grafana.serviceConfig.EnvironmentFile =
+        "/secrets/env";
+      hacc.bindToPersist = [ "/var/lib/grafana" ];
+    };
+  };
+
+}

parsons/uffd.nix

@@ -1,47 +1,31 @@
-{ config, lib, pkgs, profiles, modules, evalConfig, sources, ... }:
-
-let
-  uffd = pkgs.uffd;
-in {
-  containers.uffd = {
-    privateNetwork = true;
-    hostAddress = "192.168.100.1";
-    localAddress = "192.168.100.9";
-    autoStart = true;
-    bindMounts = {
-      "/persist" = {
-        hostPath = "/persist/containers/uffd";
-        isReadOnly = false;
-      };
-    };
-    path = evalConfig ({ config, lib, pkgs, profiles, ... }: {
-      imports = [ profiles.nopersist profiles.container ];
-
-      nixpkgs.config.allowUnfree = true;
+{ config, lib, pkgs, ... }:
 
+{
+  hacc.containers.uffd = {
+    config = { config, lib, pkgs, ... }: {
       services.uwsgi = {
         enable = true;
         plugins = [ "python3" ];
         instance = {
           type = "normal";
-          pythonPackages = self: with self; [ uffd ];
+          pythonPackages = _: [ pkgs.uffd ];
           module = "uffd:create_app()";
           # socket = "${config.services.uwsgi.runDir}/uwsgi.sock";
           http = ":8080";
           env = [
             "CONFIG_PATH=/persist/uffd/uffd.conf"
           ];
-          hook-pre-app = "exec:FLASK_APP=${uffd}/lib/python3.10/site-packages/uffd flask db upgrade";
+          hook-pre-app = "exec:FLASK_APP=${pkgs.uffd}/lib/python3.10/site-packages/uffd flask db upgrade";
+        };
       };
     };
-    });
   };
   services.nginx.virtualHosts."login.infra4future.de" = {
     enableACME = true;
     forceSSL = true;
     locations = {
       "/".proxyPass = "http://${config.containers.uffd.localAddress}:8080";
-      "/static".root = "${uffd}/lib/python3.10/site-packages/uffd";
+      "/static".root = "${pkgs.uffd}/lib/python3.10/site-packages/uffd";
       "/static/hacc.png".return = "302 https://infra4future.de/assets/img/logo_vernetzung.png";
       "/static/infra4future.svg".return = "302 https://infra4future.de/assets/img/infra4future.svg";
       "/static/hedgedoc.svg".return = "302 https://infra4future.de/assets/img/icons/hedgedoc.svg";
@@ -58,8 +42,25 @@ in {
     wantedBy = [ "multi-user.target" ];
     after = [ "network.target" ];
     serviceConfig.Type = "simple";
-    path = [ pkgs.curl pkgs.jq ];
-    script = "${pkgs.fish}/bin/fish /persist/magic/mattermost-groupsync.fish";
+    path = [ pkgs.fish pkgs.curl pkgs.jq ];
+    script = "${pkgs.hacc-scripts}/bin/uffd-sync-mattermost-groups.fish";
     startAt = "*:0/15";
   };
+
+  systemd.services.uffd-account-expiry-notification = {
+    enable = true;
+    wantedBy = [ "multi-user.target" ];
+    after = [ "network.target" ];
+    serviceConfig.Type = "simple";
+    path = [ pkgs.hacc-scripts pkgs.sqlite-interactive pkgs.postfix ];
+    script = ''
+      uffd-unused-accounts-notification.scm -v admin
+    '';
+    startAt = "weekly";
+    restartIfChanged = false;
+  };
+
+  sops.secrets."auamost/secrets.fish" = { };
+
+  environment.systemPackages = with pkgs; [ curl jq ];
 }

parsons/vaultwarden.nix

@@ -1,6 +1,10 @@
 { config, lib, pkgs, ... }:
 
 {
+  sops.secrets = {
+    "vaultwarden/env" = {};
+  };
+
   services.vaultwarden = {
     enable = true;
     config = {
@@ -27,7 +31,7 @@
       SMTP_USERNAME="noreply@infra4future.de";
 
     };
-    environmentFile = "/persist/var/lib/vaultwarden/vaultwarden.env"; #contains SMTP_PASSWORD
+    environmentFile = "/run/secrets/vaultwarden/env";
     dbBackend = "sqlite";
     backupDir = "/persist/data/vaultwarden_backups/";
   };

pkgs/default.nix

@@ -1,55 +1,37 @@
-{ sources, system ? builtins.currentSystem, ... }@args:
+{ sources, ... }@args:
 
 let
   pkgs = import sources.nixpkgs args;
+  oldstable = import sources.nixpkgs-oldstable args;
   unstable = import sources.nixpkgs-unstable args;
 
   callPackage = pkgs.lib.callPackageWith (pkgs // newpkgs);
 
   newpkgs = {
 
-    mattermost = callPackage ./mattermost {inherit sources;};
+    mattermost = callPackage ./mattermost.nix {
+      buildGoModule = unstable.buildGo122Module;
+    };
+
+    morph = callPackage ./morph.nix {
+      buildGoModule = unstable.buildGo122Module;
+    };
+
+    forgejo = unstable.forgejo;
 
     tracktrain = import sources.tracktrain {
-      nixpkgs = pkgs;
+      nixpkgs = unstable;
+      compiler = "default";
     };
 
-    # a version of the lounge with some extra css that
-    # hides things the hacc-voc doesn't need
-    thelounge-hacked = pkgs.stdenv.mkDerivation {
-      name = "thelounge-hacked";
-      src = pkgs.thelounge;
+    uffd = oldstable.callPackage ./uffd { };
 
-      phases = [ "buildPhase" "installPhase" ];
-      buildPhase = ''
-        cp $src/* -r .
-        chmod 777 lib/node_modules/thelounge/public/css/style.css
-        cat ${./thelounge/css-patch.css} >> lib/node_modules/thelounge/public/css/style.css
-      '';
+    hacc-scripts = callPackage ./scripts {};
 
-      installPhase = ''
-        mkdir -p $out
-        cp * -r $out
-      '';
-    };
+    inherit (oldstable) uwsgi flask;
 
-    uffd = callPackage ./uffd {};
-
-    # netbox takes a python3, then overrides stuff on it before using it.
-    # since overrides don't accumulate, this does both the override we want
-    # and the one the netbox package would otherwise do, then disables overrides
-    netbox = pkgs.netbox.override rec {
-      python3 = (pkgs.python3.override {
-        packageOverrides = self: super: {
-          django = super.django_4;
-          social-auth-core = super.social-auth-core.overrideAttrs ( old: {
-            patches = [ ./netbox/0001-add-uffd-oauth2-backend.patch ];
-          } );
-        };
-      }) // { override = ignored: python3; };
-    };
-
-    inherit (unstable) vaultwarden vaultwarden-vault;
+    # TODO: once on nixos 24.05, remove this inherit
+    inherit (unstable) lix;
   };
 
 in pkgs.extend(_: _: newpkgs)

pkgs/mattermost.nix

@@ -0,0 +1,85 @@
+{ lib
+, buildGoModule
+, fetchFromGitHub
+, nix-update-script
+, fetchurl
+, nixosTests
+}:
+
+buildGoModule rec {
+  pname = "mattermost";
+  # ESR releases only.
+  # See https://docs.mattermost.com/upgrade/extended-support-release.html
+  # When a new ESR version is available (e.g. 8.1.x -> 9.5.x), update
+  # the version regex in passthru.updateScript as well.
+  version = "9.11.5";
+
+  src = fetchFromGitHub {
+    owner = "mattermost";
+    repo = "mattermost";
+    rev = "v${version}";
+    hash = "sha256-bLZFeG6kBVP0ws50wtBam/bO206sQnz6va8PATAoRAQ=";
+  };
+
+  # Needed because buildGoModule does not support go workspaces yet.
+  # We use go 1.22's workspace vendor command, which is not yet available
+  # in the default version of go used in nixpkgs, nor is it used by upstream:
+  # https://github.com/mattermost/mattermost/issues/26221#issuecomment-1945351597
+  overrideModAttrs = (_: {
+    buildPhase = ''
+      make setup-go-work
+      go work vendor -e
+    '';
+  });
+
+  webapp = fetchurl {
+    url = "https://releases.mattermost.com/${version}/mattermost-${version}-linux-amd64.tar.gz";
+    hash = "sha256-jyaJUN8wpuBivKNdm7f1mYwygO8xC+Zxy0SdkDovdsA=";
+  };
+
+  vendorHash = "sha256-Gwv6clnq7ihoFC8ox8iEM5xp/us9jWUrcmqA9/XbxBE=";
+
+  modRoot = "./server";
+  preBuild = ''
+    make setup-go-work
+  '';
+
+  subPackages = [ "cmd/mattermost" ];
+  offlineCache = webapp;
+
+  tags = [ "production" ];
+
+  ldflags = [
+    "-s"
+    "-w"
+    "-X github.com/mattermost/mattermost/server/public/model.Version=${version}"
+    "-X github.com/mattermost/mattermost/server/public/model.BuildNumber=${version}-nixpkgs"
+    "-X github.com/mattermost/mattermost/server/public/model.BuildDate=1970-01-01"
+    "-X github.com/mattermost/mattermost/server/public/model.BuildHash=v${version}"
+    "-X github.com/mattermost/mattermost/server/public/model.BuildHashEnterprise=none"
+    "-X github.com/mattermost/mattermost/server/public/model.BuildEnterpriseReady=false"
+  ];
+
+  postInstall = ''
+    tar --strip 1 --directory $out -xf $webapp \
+      mattermost/{client,i18n,fonts,templates,config}
+
+    # For some reason a bunch of these files are executable
+    find $out/{client,i18n,fonts,templates,config} -type f -exec chmod -x {} \;
+  '';
+
+  passthru = {
+    updateScript = nix-update-script {
+      extraArgs = [ "--version-regex" "^v(9\.11\.([0-9.]+))" ];
+    };
+    tests.mattermost = nixosTests.mattermost;
+  };
+
+  meta = with lib; {
+    description = "Mattermost is an open source platform for secure collaboration across the entire software development lifecycle";
+    homepage = "https://www.mattermost.org";
+    license = with licenses; [ agpl3Only asl20 ];
+    maintainers = with maintainers; [ ryantm numinit kranzes mgdelacroix ];
+    mainProgram = "mattermost";
+  };
+}

pkgs/mattermost/default.nix

@@ -1,52 +0,0 @@
-{ stdenv, fetchurl, fetchFromGitHub, buildGo118Module, buildEnv, lib, sources }:
-
-let
-  version = "7.1.4";
-
-  mattermost-server = buildGo118Module rec {
-    pname = "mattermost-server";
-    inherit version;
-
-    src = sources.mattermost-server.outPath;
-
-    vendorSha256 = "sha256-98riYN6MaBsKyaueogjXI7x3Lcionk0xcGt4DH684QU=";
-
-    subPackages = [ "cmd/mattermost" ];
-
-    ldflags = [
-	"-s"
-	"-w"
-        "-X github.com/mattermost/mattermost-server/model.BuildNumber=nixpkgs-${version}"
-    ];
-
-  };
-
-  mattermost-webapp = stdenv.mkDerivation {
-    pname = "mattermost-webapp";
-    inherit version;
-
-    src = sources.mattermost-webapp;
-
-    installPhase = ''
-      mkdir -p $out
-      cp -r client $out
-      cp -r i18n $out
-      cp -r fonts $out
-      cp -r templates $out
-      cp -r config $out
-    '';
-  };
-
-in
-  buildEnv {
-    name = "mattermost-${version}";
-    paths = [ mattermost-server mattermost-webapp ];
-
-    meta = with lib; {
-      description = "Open-source, self-hosted Slack-alternative";
-      homepage = "https://www.mattermost.org";
-      license = with licenses; [ agpl3 asl20 ];
-      maintainers = with maintainers; [ fpletz ryantm ];
-      platforms = platforms.unix;
-    };
-  }

pkgs/morph.nix

@@ -0,0 +1,33 @@
+{ buildGoModule
+, fetchFromGitHub
+}:
+
+buildGoModule rec {
+  pname = "mattermost-morph";
+  version = "1.1.0";
+
+  src = fetchFromGitHub {
+    owner = "mattermost";
+    repo = "morph";
+    rev = "v${version}";
+    hash = "sha256-Orh/a9OlUVIlDdLXRpDAnHUmWRiM1N2oO+dijbuJzx8=";
+  };
+
+  vendorHash = null;
+
+  subPackages = [ "cmd/morph" ];
+
+  tags = [ "production" ];
+
+  ldflags = [
+    "-s"
+    "-w"
+    "-X github.com/mattermost/mattermost/server/public/model.Version=${version}"
+    "-X github.com/mattermost/mattermost/server/public/model.BuildNumber=${version}-nixpkgs"
+    "-X github.com/mattermost/mattermost/server/public/model.BuildDate=1970-01-01"
+    "-X github.com/mattermost/mattermost/server/public/model.BuildHash=v${version}"
+    "-X github.com/mattermost/mattermost/server/public/model.BuildHashEnterprise=none"
+    "-X github.com/mattermost/mattermost/server/public/model.BuildEnterpriseReady=false"
+  ];
+
+}

pkgs/netbox/0001-add-uffd-oauth2-backend.patch

@@ -1,70 +0,0 @@
-From 00e282e32b46bb4b6040dc3810599c693306c0ec Mon Sep 17 00:00:00 2001
-From: David Croft <david@sargasso.net>
-Date: Thu, 24 Mar 2022 11:09:14 +0000
-Subject: [PATCH] add uffd oauth2 backend
-
----
- social_core/backends/uffd.py | 51 ++++++++++++++++++++++++++++++++++++
- 1 file changed, 51 insertions(+)
- create mode 100644 social_core/backends/uffd.py
-
-diff --git a/social_core/backends/uffd.py b/social_core/backends/uffd.py
-new file mode 100644
-index 00000000..fb8ffb62
---- /dev/null
-+++ b/social_core/backends/uffd.py
-@@ -0,0 +1,51 @@
-+from urllib.parse import urlencode
-+
-+from .oauth import BaseOAuth2
-+
-+
-+class UffdOAuth2(BaseOAuth2):
-+    """Uffd OAuth2 authentication backend
-+
-+    You need to set the following config:
-+    SOCIAL_AUTH_UFFD_KEY - client id
-+    SOCIAL_AUTH_UFFD_SECRET - client secret
-+    SOCIAL_AUTH_UFFD_BASE_URL - base url to uffd installation
-+    """
-+
-+    name = 'uffd'
-+    ACCESS_TOKEN_METHOD = 'POST'
-+    REFRESH_TOKEN_METHOD = 'POST'
-+    SCOPE_SEPARATOR = ' '
-+    STATE_PARAMETER = True
-+    REDIRECT_STATE = False
-+    EXTRA_DATA = [
-+        ('id', 'id'),
-+    ]
-+
-+    def get_user_details(self, response):
-+        """Return user details from a Uffd account"""
-+        fullname, first_name, last_name = self.get_user_names(fullname=response.get('name'))
-+        return {
-+            'username': response.get('nickname'),
-+            'email': response.get('email') or '',
-+            'fullname': fullname,
-+            'first_name': first_name,
-+            'last_name': last_name,
-+        }
-+
-+    def user_data(self, access_token, *args, **kwargs):
-+        """Loads user data from service"""
-+        url = self.userinfo_url() + '?' + urlencode({'access_token': access_token})
-+        try:
-+            return self.get_json(url)
-+        except ValueError:
-+            return None
-+
-+    def authorization_url(self):
-+        return self.setting('BASE_URL')  + '/oauth2/authorize'
-+
-+    def access_token_url(self):
-+        return self.setting('BASE_URL')  + '/oauth2/token'
-+
-+    def userinfo_url(self):
-+        return self.setting('BASE_URL')  + '/oauth2/userinfo'
--- 
-2.38.1
-

pkgs/scripts/default.nix

@@ -0,0 +1,16 @@
+{ stdenvNoCC, gauche, fish }:
+
+stdenvNoCC.mkDerivation {
+  name = "hacc-utility-scripts";
+
+  src = ./.;
+
+  buildInputs = [ gauche fish ];
+
+  installPhase = ''
+    mkdir -p $out/bin
+    fish -n $out/bin/*.fish
+    cp *.{scm,fish} $out/bin
+    chmod +x $out/bin/*
+  '';
+}

pkgs/scripts/uffd-sync-mattermost-groups.fish

@@ -0,0 +1,47 @@
+#!/usr/bin/env fish
+
+source /run/secrets/auamost/secrets.fish
+
+for i in (seq 1 (count $groups))
+    set team $teams[$i]
+    set group $groups[$i]
+    set users (curl -u $uffd_token --basic https://login.infra4future.de/api/v1/getusers -d group="$group")
+    set usernames (echo "$users" | jq -c "[.[] | .loginname]")
+    for user in (echo "$users" | jq -c ".[]")
+      set id (echo "$user" | jq .id)
+      set username (echo "$user" | jq .loginname)
+      set email (echo "$user" | jq .email)
+      curl -H $mattermost_token \
+           -H "Content-Type: application/json" https://mattermost.infra4future.de/api/v4/users \
+           -d '{"email": '"$email"', "username": '"$username"', "auth_service": "gitlab", "auth_data": "'"$id"'"}'
+    end
+    set userids (curl -H $mattermost_token \
+        -H "Content-Type: application/json" https://mattermost.infra4future.de/api/v4/users/usernames \
+        -d "$usernames" | jq '[.[] | {user_id: .id, team_id: "'$team'"} ]')
+    curl -H $mattermost_token \
+        -H "Content-Type: application/json" https://mattermost.infra4future.de/api/v4/teams/"$team"/members/batch \
+        -d "$userids"
+
+    if test "$group" = "hacc"
+      continue
+    end
+
+    set current_members (curl -H $mattermost_token \
+        -H "Content-Type: application/json" https://mattermost.infra4future.de/api/v4/teams/"$team"/members | jq '[.[] | .user_id]')
+
+    # membership relations don't contain e.g. usernames, so fetch those, too
+    set current_users (curl -H $mattermost_token \
+        -H "Content-Type: application/json" https://mattermost.infra4future.de/api/v4/users/ids \
+        -d "$current_members" | jq -c '.[]')
+
+    set userids (echo "$userids" | jq -c ".[].user_id")
+    for member in $current_users
+        set id (echo $member | jq .id)
+        if not contains -i $id $userids > /dev/null then
+          set id_unquoted (echo $member | jq -r .id)
+          echo removing $id_unquoted (echo $member | jq '.email') from $team \($group\)
+          curl -X DELETE -H $mattermost_token \
+            -H "Content-Type: application/json" https://mattermost.infra4future.de/api/v4/teams/"$team"/members/"$id_unquoted"
+        end
+    end
+end

pkgs/scripts/uffd-unused-accounts-notification.scm

@@ -0,0 +1,121 @@
+#!/usr/bin/env gosh
+
+(use gauche.process)
+(use text.csv)
+(use scheme.list)
+(use gauche.parseopt)
+(use util.match)
+
+(define cutoff-date "2023-01-01")
+
+(define sqlite-path "/persist/containers/uffd/uffd/db.sqlite")
+(define sqlite-query
+  "select displayname, mail, max(expires) as last_login from oauth2token join user on user_id=user.id group by user_id having last_login < '2023-01-01'
+union all select displayname, mail, '2022' from user where not exists (select * from oauth2token where user_id = user.id);")
+
+(define dry #f)
+(define verbose #f)
+(define very-verbose #f)
+
+(define (main args)
+  (let-args (cdr args)
+      ((averbose     "v|verbose")
+       (averyverbose "very-verbose")
+       (adry         "n|dry-run")
+       (help        "h|help" => (cut show-help (car args)))
+       . restargs
+      )
+      (set! dry adry)
+      (set! verbose averbose)
+      (when averyverbose
+        (set! verbose #t)
+        (set! very-verbose #t))
+      (match restargs
+        [("admin") (do-admin-mail)]
+        [("send-reminder") (send-reminder-mails)]
+        [("list-accounts") (do-list-accounts)]
+        [_ (display "unknown command") (exit 1)]))
+  0)
+
+(define (do-admin-mail)
+  (send-email "admin@hacc.space" "unused accounts list" (mk-admin-mail unused-accounts))
+  (when verbose
+    (display "done")))
+
+(define (do-list-accounts)
+  (display (string-join
+            (map
+             (lambda (row) (format "~a (~a)" (list-ref row 0) (list-ref row 1)))
+             unused-accounts)
+            "\n")))
+
+(define (send-reminder-mails)
+  (map (lambda (row)
+         (send-email (list-ref row 1) "Unbenutzter infra4future.de Account" (mk-email (list-ref row 0) (list-ref row 2))))
+       unused-accounts)
+  (when verbose
+    (display "done")))
+
+
+(define csv-reader
+  (make-csv-reader #\,))
+
+(define unused-accounts
+  (map (lambda (str) (with-input-from-string str csv-reader))
+       ;; (process-output->string-list `(cat example.csv))))
+       (process-output->string-list `(sqlite3 -csv ,sqlite-path ,sqlite-query))))
+
+(define (mk-email displayname last-login)
+  #"
+Hallo ~|displayname|!
+
+Wir haben schon lange (seit über einem Jahr; dein letzter Login war um ~|last-login|)
+nichts mehr von dir gehört und würden demnächst deinen Account löschen wollen.
+Solltest du ihn noch benötigen logge dich bitte einfach auf https://login.infra4future.de ein.
+Falls nicht, musst du weiter nichts tun und wir werden deine Account in ca. 3 Monaten löschen.
+
+Viele Grüße,
+das Infra4Future Team
+")
+
+(define (mk-admin-mail rows)
+  (format #"
+Meow!
+
+this is the uffd-unused-accounts-notification.scm script. There are currently
+~~s accounts which have not logged in since ~|cutoff-date|. To mass-send account
+expiry reminders, invoke this script with the \"send-reminder\" option. To see a
+list of these accounts, invoke it with the \"list-accounts\" option.
+
+(invoke me,, 🥺)
+" (length unused-accounts)))
+
+; utility definitions
+
+(define (send-email address subject text)
+  (when verbose
+    (display (format "sending email to ~a\n" address)))
+  (let ([text (string-append "from: admin@hacc.space\n" "subject: " subject "\n" text "\n")])
+    (when very-verbose
+      (display text))
+    (call-with-output-process
+     (if dry '(cat) `(sendmail ,address))
+     (lambda (port) (display text port))
+     :on-abnormal-exit :ignore)))
+
+(define (show-help progname)
+  (display #"
+~|progname|: unused account expiry helper script.
+
+Invoke as `~|progname| [options] admin' to send a list of unused accounts to administrators.
+
+Invoke as `~|progname| [options] send-reminder' to send a reminder email to all
+currently unused accounts.
+
+Options:
+ -v --verbose      show which emails are being sent
+    --very-verbose also print emails to stdout
+ -n --dry-run      print emails to stdout instead
+ -h --help         show this help
+"))
+

pkgs/thelounge/css-patch.css

@@ -1,24 +0,0 @@
-
-/* Hides extra fields on connect screen */
-.connect-row:nth-of-type(4) {
-    display: none !important;
-}
-
-.connect-row:nth-of-type(2) {
-    display: none !important;
-}
-
-.connect-row:nth-of-type(5) {
-    display: none !important;
-}
-
-
-/* Hides side panel button */
-.header > button:first-child {
-    display: none !important;
-}
-
-/* Hides channel options button (includes leave option) */
-.header > button:nth-last-child(2) {
-    display: none !important;
-}

pkgs/uffd/default.nix

@@ -3,13 +3,14 @@
 python3Packages.buildPythonPackage rec {
   pname = "uffd";
   version = "2.0.1";
+  PACKAGE_VERSION = version;
 
   src = fetchzip {
     url = "https://git.cccv.de/uffd/uffd/-/archive/v${version}/uffd-v${version}.tar.gz";
     hash = "sha256-KP4J1bw5u7MklaPu2SBFRNyGgkKOBOpft5MMH+em5M4=";
   };
 
-  patches = [ ./gitea-magic.patch ./fix-setuppy.patch ./fix-userinfo.patch ];
+  patches = [ ./forgejo-magic.patch ./fix-setuppy.patch ./fix-userinfo.patch ];
 
   propagatedBuildInputs = with python3Packages; [
     flask

pkgs/uffd/forgejo-magic.patch

@@ -16,7 +16,7 @@ index d13fd42..94352be 100644
  def userinfo():
  	user = request.oauth.user
 +	client = request.oauth.client_id
-+	if client == "gitea":
++	if client == "forgejo":
 +		return jsonify(
 +	    		id=user.unix_uid,
 +    			full_name=user.displayname,

secrets.yaml

@@ -0,0 +1,105 @@
+hedgedoc-hacc:
+    env: ENC[AES256_GCM,data:e2vSolxJNucya9QNs28gAVDBJQq5AJh7jS1nBh0UTkDnhNL8NPW1KTxcun4rM99EhiNZsz6Z9qHRMejmP4frQw==,iv:DqAGhGWYf/EpGnI79MxKmBlHMhK26zx50vXb1TbvESw=,tag:Xix499XAcAmxhNuGr2ApcA==,type:str]
+mattermost:
+    env: ENC[AES256_GCM,data:ftWpGl6+sUMzJJKgfcPLvbFGGn16AKUPzPn8X6DNVMLrxZIkQ23Tk3ekKLKFpQEUtQfFjVlrTfFZezWKs4nVNLg2LmQqJNGMCCax5PRwAgoAsJ7pa9ewNmHT+EIXtZEjQgVfN5786Yno5n/6JJ1lz6EiGmdn7/0rF5TLGjzig17azazS1+lkIYY=,iv:SZvGGKpVRI/odHbmgY8M6t6zCk8RgM+7EQEgRiizglA=,tag:cInsVo/QD85m+LxldyRlnA==,type:str]
+tracktrain:
+    env: ENC[AES256_GCM,data:W3+8qWomPgGJt5u50aAm9x/dilMpqKY11I2AdaIBTz5posc25ts0LB5S/Sxe1ROz4itpDK3QvjoFUTRhS39k4dwMr5lqXV8Ln4B+sPpvh7oBM8A5zydP8Jj1J1YqRt8++RTUmb4z41DIwb/yaZKMu6z0guXIu1yuYzcbCuk0xe/iOp6UUpfjOzzWTvxY54zY6kWcjHLiCSwD31Cd+MxMPfbUEkHt+0W+sBmYXGeEFI/6ULSB6FnGjNW6F9g=,iv:3ymah8HG+Yg6VYZZA/MRRjHDYvYJz01ezvhfQiftegg=,tag:trht+PRYfKgWJkg2wRwISQ==,type:str]
+vaultwarden:
+    env: ENC[AES256_GCM,data:hdm91tI8WBd3es+IUbdBO69kh1pNZTNvZNFIdSZO8lm4yYMPE+Jm7EzVqwOaZRbpQaVDBg7uh5P4ODc=,iv:no7U0wQCwZOeL2pwXf2pUIgrEsEOYwqOT04LvpCl614=,tag:AGSu5M7H69x6pDM062bC6g==,type:str]
+auamost:
+    secrets.fish: ENC[AES256_GCM,data:QBteJdVPSWa4cmu1BVWJ3AMWWH4zIv2+G83fK0QsbA/fYoIU5jobCT3USyujNz+jQaAAxA45jmQbCWNAFLl1q8hP4i9EIikVECx0VKVXPXILBND+w7zPSLldAbOugRYt2iAt1dDADZPtulKlkz7usdafbB+2igLXdyFRLfIxDTOrBuqQ+5yeofQe5k0XWRcmQQ/1AV0JrRrmLmr69VKsR932JWD8XxmI/HFyZPzWdExBSOmvnj+m4K+DV4cVmN4t6XOY0dM3gRQ95DglEuGlp/V2o3GqwY0mXCvhM1eh81u8mPALKp6Pv2i2yU35F01Puf5t1FHGDfzp0bW0xuKEywfGjAOifFkSE/3JFir434B6G0DiJNpOIl6QJ6DA8rSKfuPdccm6Or0zX8iJGRHDJmREQ05V9l0jHAAxLNuNdbsxg+8kCWVVnW+d1YDn9KW7LbFlP+sx4Ef5leUYft/lYhF4Z5Xp3arqVrlebWjWIBEuZeJTnkE3y+TdUUCs360zzWHqsipGmo1+/88CEqL52FfUOlJ4VCR45/7nYZ3RaRBWDGFW8RvwmWSFSstEcEXQ01U8lCwyn40+blfltme3KJ1f+pWMrZAKhPlOlMHCYfjd7esWI2sYcQbTZqxH49GnW6dsW/W+eiLs3zlD/Deb2CugHe63zRdlivmVPOz4zD1PXcCVpEZHoTTiJl7Om9K2mPYq9wQN41wsDUrNL9p8m9UlhWKbjBh5UU7p6F6OhF5rKH/Fs8fIaPi6B8uamTvEmiOGTUWl3vmQjBvhM8fJWoIkRB8hgCisr9OZ,iv:8jVAImjeXbXfiLKg9G0PyLMTV8cAyDmukeittqjKFpQ=,tag:fLIcsWKbdFQ/vPCgi/W3Zw==,type:str]
+restic:
+    s3creds.env: ENC[AES256_GCM,data:9WNu5S4KmdMXdshSpawEjIexAKH6vZCPwb9xyq6xmerly1lxSfFZzgg60M0L3L+I4joLTVi23YBB8Eh6Xfx9GgxNww7w7BjMCQs/X16ecDWlb346TKf+,iv:Gu4CbXXJAlQYXRqOjIAUYmn8EU4mrvcOVc2eCh1Ikzs=,tag:1xpVIonHiAGHsXTY9liPQQ==,type:str]
+    system: ENC[AES256_GCM,data:RIgO0QHVjwp2D3LoU62vLzepASdsXxu0DqUTA6Voa3K1d4xFHX2u+UR8AcqR,iv:O0K8i5ivne7WU+ygDEUcrvKW6DIfXjVPY63gpfsxEFE=,tag:n/1atQ5qlyB0SMHrYiTCrA==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1yql8qaf7upraqy4cq397tt4vgs046hq0v59qymla8t3x0ujqvu4sesgsvw
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHd0Rrem03aWMwUGgwMlM2
+            dmRJdVYrRVNBTXZrVk5CdEFYcDRyN3VlcUhvCmE5L0lpbzdxanNBWFU1dEprUC9Y
+            eUZqdHVmWks2V1g0SHZRN1BsSU96OU0KLS0tIGl1ZUg2aDNtREZWeUE5UXlPeHNG
+            STcwOFgwK1lpWjdyTkd3c0dBTlAyK28KAKL7rPPH0DNRgL3qqCelAoUPnOy8MydL
+            t2ft9ZmzkoiSdSt0Ad1U5IImQt9ZzhPtYYnYbiEVNcfuFCnGcqdoPw==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1zgdegurzlr8cw9948wgf4q5qh3efltwhhzus5tt6az5xvvsux9us2v4tyd
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvT0M2SmdwNmNyWWZ1V2o5
+            OHZ4RDlIbTZONXc5Z0FPMm03V3UzVWhaRnhBCjU5dzZlbkZHRkdacG1nUng4S0p6
+            Q1I5Vjg0Vk5wRzNGZTNONXdCMnpUTEEKLS0tIFo5K0tGdDZpLzNPb0llb0dJdk9u
+            c3p5UVBjZWlNVkxFMlVaQ3VMVFdhZVUKxcIL/JMBEojPRlDLHUIuxKcMPMEEsTkS
+            0zLjYVZL7YDS0dKdaZjaExHKrRzRpsY0qpDBHyhcyzRae1sWA4e5Kw==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age18wkr3kjalalzrq9l05q32gnlaqr7t6rqqzde307m83rs9fp4xcfsdtj9gt
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwUmFJc24xV2JGS3dzK25F
+            SVVXTjBaRUxJQ3hXZXlHYTRzaXZVNjVObEFZCmpPQUV1b0lySkUvcURObm1xNSt4
+            WVQrbnlvZkQrbzloQzc4NlJCWnlPeGMKLS0tIDBVa2lpUmcrWURwWW8rc3ZmUUU1
+            U0pGQjJackNhT0d4L2ZIOTdTUjBwcjQKCRWcpevMcv2HsWC4jyc/GzxxjkTEm+UF
+            4QdXjJAHh2QLxV9aXF/k/KogebCFkBTirmyOhRKtBRkt87d1D9FKUA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1q88az2y5hnx8naqsvrurllqj6y5gtehrpa9emmrxy5ghwsr7pvnqf7tfpx
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzWnZFOVFuTnFTMmpVMDFU
+            dkw4UFlUenZzNkRuNy90NWk4aVNEd2J2Ukc0Cm9mM2dpZEJpVVY4TVB0WUxmTjEw
+            VFJ3aHB6ZFh5YWptYTZ5cXVjTUNBVkEKLS0tIEx0dVRPVVVacHFCMDhFNE1NMnZy
+            cUxicklTUGtPeTlnSFV1TUZqR1VmRnMKtJ+Q80SgqW/Jad8aF7pViGANHCsTMNEM
+            7TbhITW+zWIhnviVS0xOqXrvQs4iBbMfiNnQbFS7tEX08AT2oAg6cw==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age18nkru4pwvvapdw76nauv2xdtlj8cvyv3ugahe9kcxtvtsptx2eyqw7p0m6
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzT3ZNenJKWTZ3NjdqNWpR
+            Zk9Ya3lsT1Jqd0RIWm8xdm16UjFzcFV1aGlBCkRuMllGSFVIUCs4UEJEQVVGQUxK
+            L1FGNGJwYkFIdU4wOXdFQWt6RSsyR28KLS0tIEgya2xORURncHlvNHJNTnIrb2da
+            emRETSt4WGFYeXR5UmNSajNpUStKUzAKxgDME0M1ewNE/BrL/wFjF4Yj7GupjRPF
+            Fuxae5U3phphzOkflQtreM1ScbUGge8WeiSVWY3Pl1azsYo/yqg8Ew==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1fm3e99tdyrsvztdchxxllt9nat35xzvd68d09y8scu9jfc7kvvuquhr49c
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwVEdpZmdSdnBaYnV2RWhT
+            MmMxQW9PUUJ4enRqNjFIZ25kUEkvdHBpOXdRCmJkSTJyWklhTU5neUlybzR1Nkp6
+            YlVHczNwRzl0d0hGalpvTFdEUlV3UHMKLS0tIGhQZXEvd2F0aTlna0FNL2wyaEdC
+            U1oyWXcza08rTG1DS0dUYkZOVWZ4L1kKgpt6jG0lNBMdk/isa1A/tfKYjprnnIo5
+            pi4t1c7CktFBkhMlOv6VPJCsQlP0YtZUh/uut70Kecv48+YH5gC/8A==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age16fk0m26n0fr2vmuxm2mjsmrawclde2mlyj6wg3ee9jvzmu5ru3ustgs5jq
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHRzc5WHAzcWhGSU1kdE1E
+            Z1B0aFhqYUQzQ2ptK09YMm9odWh3U0w3bmtvCi9IcWFhOFhvYU5ISlVpTURMY2hX
+            RG5mL1gvNkZ1SDdMZTR4QWxtRG1VUlkKLS0tIFl5UUdIR0JOSmF4OWx1OHBuaFJj
+            N0FDY2xYRlpmaTgxWURGZWxWWktPV00KAHNeeqhzql4LInlJoD9u7ptFWZBgktvp
+            tju4cZ/78VgdZIfEfnlzw8lsqpRx1z5Fw8K4CcXRJJLRVfHuj2CHTA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1l694a4xht7r0eza9r2vjncupmp6cxyk3k9x2ljwynnur4m2lc5jqmy3jut
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBscDFuL0ZsdWxoUFJBd2xr
+            ZXh3K0lSUnFmTVFTVHB5bGR2TC9lREdUczJrCnFSaGoyUnJjbXJ5d1lQd0RUcFJt
+            REkvdEY2NzcveHpQRWZ1STBSemx0SkkKLS0tIGtyN0svS3lYcmxUbVJiU1RaK21l
+            Ukh0VkVaeVBoOXQ1cmZ6WHNkYjQvTmsKG4914d+pSt1seoKiejoCvATOTaVFN4ih
+            Y74W+WXyaKoQP3Q9QrbSURpE+ICfblxHmkbsPB/agNzZVWrfyBaX1A==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1m374x78q9eykua32ldrqxh8rh36kz6jyre69a263krf28hcycsqsrmshl0
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqR01XampvRE92VnZ3OTZs
+            YmJYaEN2eVJOVWt1OHE1bTdua1ArSC9oVm1ZClBsVFBSWWtLRUoyNDF0NlUwaUpo
+            b0kyazNwRUFhS0RYd1pGNHNENWxQb28KLS0tIDhzdHhRN1FYczZBMksrM09UWUtJ
+            bndBTXJhQVE2OVlKeGNTbzJlL0duUzAKIWdesesYvBIN/m36fhzxq30+IT8qp/pF
+            S6i7QqZF75y2BpEoupRCqNIAsHrouUE+U9ZQJZO8m9J591mWvbVJIw==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-07-26T13:05:44Z"
+    mac: ENC[AES256_GCM,data:9A8nX155dpCC1cvdH1hgeNKh0tt5FMaOKU7vZQ33jfWbiXOsJbp5iHKXxWOexFc70acyhdweoHwq61oJm2mzVufJIPA55ZAUItQcDXJCCeu6KswHug0tQtKHoCRSwdTdMTRNom4XjrpA/j4WWpuhoilyknycXqTpGHHVSdL2lYg=,iv:N0zwzGtGzAxhbmLzslbkXSr/iKmq5FeyT/iWeE4x2hQ=,tag:yIoLXpqlU2SlVRK5+S/qaw==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1

services/nginx-pages.nix

@@ -1,9 +0,0 @@
-{ config, pkgs, ... }:
-
-
-{
-  hacc.websites = {
-    enable = true;
-    directory = ../websites;
-  };
-}

services/thelounge.nix

@@ -1,73 +0,0 @@
-{ config, lib, pkgs, evalConfig, ... }:
-
-let
-  # necessary since overlays won't propagate into the
-  # container's config
-  thelounge = pkgs.thelounge-hacked;
-in
-{
-  containers.thelounge = {
-    autoStart = true;
-    privateNetwork = true;
-    hostAddress = "192.168.100.1";
-    localAddress = "192.168.100.4";
-
-    path = evalConfig ({ config, lib, pkgs, profiles, modules, sources, ... }: {
-      # for some inexplicable reason this does not import nopersist.
-      # i'm too lazy rn to deal with possible breakages if I add it.
-      # if you have spoons & nothing else to do, consider this a suggestion!
-      imports = [ profiles.container ];
-
-      nixpkgs.config.allowUnfree = true;
-
-      services.thelounge = {
-        enable = true;
-
-        extraConfig = {
-          public = true;
-          # respect X-Forwarded-For
-          reverseProxy = true;
-          defaults = {
-            name = "libera chat";
-            host = "irc.eu.libera.chat";
-            port = 6697;
-            # encrypt things!
-            tls = true;
-            # yes, please do actually check the cert …
-            rejectUnauthorized = true;
-            nick = "haccGuest%%%%";
-            join = "#hacc-webchat";
-          };
-          lockNetwork = true;
-
-          # don't log messages (default is text / sqlite)
-          messageStorage = [];
-
-          # darker theme
-          #theme = "morning";
-
-          # these three should result in having link previews
-          # which are fetched only by the server, then proxied
-          # (i.e. clients won't directly connect to arbitrary
-          # domains to get previews)
-          prefetch = true;
-          prefetchStorage = true;
-          disableMediaPreview = true;
-
-          leaveMessage = "happy haccing";
-        };
-      };
-
-      # override the package we use
-      systemd.services.thelounge.serviceConfig.ExecStart =
-        pkgs.lib.mkForce "${thelounge}/bin/thelounge start";
-    });
-  };
-
-  services.nginx.virtualHosts."webchat.voc.hacc.space" = {
-    locations."/".proxyPass =
-      "http://${config.containers.thelounge.localAddress}:9000";
-    enableACME = true;
-    forceSSL = true;
-  };
-}

services/tracktrain.nix

@@ -1,152 +0,0 @@
-{ config, lib, pkgs, inputs, evalConfig, ... }:
-
-let
-  tracktrain-config = ''
-    dbstring: "dbname=tracktrain"
-    gtfs: ./gtfs.zip
-
-    warp:
-      port: 4000
-
-    login:
-      enable: true
-      url: https://login.infra4future.de
-      clientname: tracktrain
-      # clientsecret defined in env file
-  '';
-in
-{
-  services.nginx.virtualHosts."tracktrain.ilztalbahn.eu" = {
-    enableACME = true;
-    forceSSL = true;
-    locations."/" = {
-      proxyPass = "http://192.168.42.41:4000";
-      proxyWebsockets = true;
-    };
-    # note: this shadows the /metrics endpoint of tracktrain
-    # in case you remove this, please consider putting something
-    # else here to keep it from being publicly scrapable
-    locations."/metrics/" = {
-      proxyPass = "http://192.168.42.41:2342";
-      proxyWebsockets = true;
-      extraConfig = ''
-        rewrite  ^/metrics/(.*)  /$1 break;
-      '';
-    };
-  };
-
-  containers.tracktrain = {
-    privateNetwork = true;
-    hostAddress = "192.168.42.40";
-    localAddress = "192.168.42.41";
-    autoStart = true;
-    bindMounts = {
-      "/persist" = {
-        hostPath = "/persist/containers/tracktrain";
-        isReadOnly = false;
-      };
-    };
-
-    path = evalConfig ({ config, lib, pkgs, profiles, ... }: {
-      system.stateVersion = "21.11";
-
-      imports = [ profiles.nopersist profiles.container ];
-
-      users.users.tracktrain = {
-        group = "tracktrain";
-        isSystemUser = true;
-      };
-      users.groups.tracktrain = {};
-
-      systemd.services.tracktrain = {
-        enable = true;
-
-        description = "tracks trains, hopefully";
-        wantedBy = [ "multi-user.target" ];
-        requires = [ "network.target" ];
-        after = [ "network.target" ];
-        serviceConfig = {
-          Type = "simple";
-          EnvironmentFile = "/persist/secrets.env";
-          User = "tracktrain";
-          Group = "tracktrain";
-        };
-        path = [ pkgs.wget ];
-        script = ''
-          mkdir -p /persist/tracktrain
-          cd /persist/tracktrain
-          ln -sf ${pkgs.writeText "tracktrain-config.yaml" tracktrain-config} config.yaml
-          wget "https://ilztalbahn.eu/wp-content/uploads/2020/07/gtfs.zip" || sleep 4; wget "https://ilztalbahn.eu/wp-content/uploads/2020/07/gtfs.zip"
-          ${pkgs.tracktrain}/bin/tracktrain +RTS -T
-        '';
-      };
-
-      services.postgresql = {
-        enable = true;
-
-        ensureDatabases = [ "tracktrain" ];
-        ensureUsers = [ {
-          name = "tracktrain";
-          ensurePermissions = {
-            "DATABASE tracktrain" = "ALL PRIVILEGES";
-          };
-        } ];
-        authentication = ''
-          local   all   all                              trust
-          host    all   all        127.0.0.1/32          trust
-        '';
-      };
-
-      services.prometheus = {
-        enable = true;
-        port = 9001;
-        scrapeConfigs = [ {
-          job_name = "tracktrain";
-          static_configs = [{
-            targets = [  "0.0.0.0:4000" ];
-          }];
-        } ];
-      };
-
-      services.grafana = {
-        enable = true;
-        settings.server = {
-          serve_from_sub_path = true;
-          domain = "tracktrain.ilztalbahn.eu";
-          root_url = "https://%(domain)s/metrics/";
-          http_port = 2342;
-          http_addr = "0.0.0.0";
-        };
-
-        settings."auth.generic_oauth" = {
-          name = "uffd";
-          enabled = true;
-          allow_sign_up = true;
-          empty_scopes = true;
-          client_id = "ilztalbahn-grafana";
-          client_secret = "\${GRAFANA_CLIENT_SECRET}";
-          auth_url = "https://login.infra4future.de/oauth2/authorize";
-          token_url = "https://login.infra4future.de/oauth2/token";
-          api_url = "https://login.infra4future.de/oauth2/userinfo";
-        };
-        # disables the default login screen. comment out if for some
-        # reason you do need it
-        settings.auth.oauth_auto_login = true;
-        settings.users.auto_assign_org_role = "Admin";
-
-        provision = {
-          enable = true;
-          datasources.settings.datasources = [ {
-            url = "http://localhost:9001";
-            type = "prometheus";
-            name = "prometheus";
-          } ];
-        };
-      };
-
-      systemd.services.grafana.serviceConfig.EnvironmentFile =
-        "/persist/secrets.env";
-    });
-  };
-
-}

websites/docs.hacc.space/Readme.md

@@ -0,0 +1,44 @@
+# Markdown docs with zola.
+
+[Zola](https://www.getzola.org/) is a static site generated written in Rust
+(which you'll notice since sometimes it panics).
+
+To run the site locally:
+
+```
+zola serve
+```
+
+## Directory Layout
+
+All the important stuff goes into `content`. If you create subdirectories, make
+sure you remembered to also create an `_index.md` file for it (if in doubt, just
+copy the one at `content/_index.md`); otherwise pages in there won't work.
+
+`templates` is *not* for site templates, but specifies how markdown files should
+be turned into html. If an autogenerated link broke, you'll probably have to
+change something in there. `sass` and `static` do exactly what they sound like.
+
+It usually shouldn't be necessary to change `config.toml`, but if it is, [here
+is the list of all available options](https://www.getzola.org/documentation/getting-started/configuration/).
+
+
+## File Layout
+
+Markdown files start with a frontmatter that should look something like so:
+
+```markdown
++++
+title = "blåhaj"
+taxonomies.categories = [ "flausch" ]
++++
+
+[actual markdown goes here]
+```
+
+The frontmatter is TOML; the `taxonomies.*` keys are special and can be used to
+aggregate posts if enabled in `config.toml` (currently that's only the case for
+`categories`, though). See also the [list of all available keys](https://www.getzola.org/documentation/content/page/).
+
+Please don't repeat the page's title in markdown, otherwise it'll appear twice
+in the html.

websites/docs.hacc.space/config.toml

@@ -0,0 +1,35 @@
+# Zola's configuration file,
+#
+# see https://www.getzola.org/documentation/getting-started/configuration/
+# for available keys.
+
+# The URL the site will be built for
+base_url = "https://docs.hacc.space"
+
+compile_sass = true
+default_language = "en"
+
+# might be useful — this isn't a blog, obviously, but updates for new entries
+# could still be nice, I guess
+generate_feed = true
+feed_filename = "atom.xml"
+
+build_search_index = true
+
+taxonomies = [
+    { name = "categories", feed = false},
+]
+
+[markdown]
+highlight_code = true
+
+[extra] # user-defined keys
+
+# site title text
+main_title = "haccfiles documentation"
+
+# navbar entries
+main_menu = [
+  {url = "$BASE_URL", name = "Home"},
+  {url = "$BASE_URL/categories", name = "Categories"}
+]

websites/docs.hacc.space/content

@@ -0,0 +1 @@
+../../docs

websites/docs.hacc.space/default.nix

@@ -0,0 +1,22 @@
+{ copyPathToStore, stdenvNoCC, zola, writeShellScriptBin }:
+
+stdenvNoCC.mkDerivation rec {
+  name = "docs.hacc.space-static";
+
+  src = ./.;
+  content = copyPathToStore ../../docs;
+
+  phases = [ "buildPhase" ];
+  buildInputs = [ zola ];
+  buildPhase = ''
+    cp -r $src/* .
+    rm content
+    ln -s $content content
+    zola build --output-dir $out
+  '';
+
+  watch = writeShellScriptBin "watch" ''
+    cd $(git rev-parse --show-toplevel)/websites/docs.hacc.space
+    ${zola}/bin/zola serve --output-dir /tmp/hacc-docs "$@"
+  '';
+}

websites/docs.hacc.space/sass/style.scss

@@ -0,0 +1,168 @@
+
+@font-face {
+  font-family: 'share-tech';
+  src: url('ShareTech-Regular.ttf') format('truetype');
+}
+
+html {
+  overflow: hidden;
+  height: 100%;
+}
+
+body {
+  background-color: #000;
+  color: #fff;
+
+  overflow-y: auto;
+  overflow-x: hidden;
+  height: 100%;
+}
+
+#content {
+  font-family: 'share-tech';
+  margin-left: auto;
+  margin-right: auto;
+  max-width: 60em;
+  font-size: 16pt;
+  position: relative;
+}
+
+p.subtitle {
+  font-size: 14pt;
+  font-style: normal;
+  color: gray;
+}
+
+article {
+  margin-bottom: 4em;
+}
+
+#searchresults {
+  width: 90%;
+  text-align: right;
+  right: 0;
+  position: absolute;
+  background-color: black;
+  top: 5em;
+  color: gray;
+}
+
+#searchresults div {
+  padding: 0.5em;
+  border-top: 1px dashed gray;
+}
+
+#searchresults div:last-child {
+  border-bottom: 1px dashed gray;
+}
+
+.searchresultprevtext {
+  white-space: nowrap;
+  overflow: hidden;
+  text-overflow: ellipsis;
+  display: inline-block;
+  width: 40em;
+  float: left;
+}
+
+footer.content {
+  top: 50px;
+  color: #cccccc;
+  font-size: 14px;
+  margin-bottom: 4em;
+}
+
+footer a {
+  color: #cccccc;
+}
+
+.logo {
+  position: relative;
+  width: 100%;
+}
+.logo > img {
+  width: 300px;
+  max-width: 100%;
+}
+
+h1 {
+  font-size: 32pt;
+}
+
+#headernav {
+  text-align: right;
+  margin: 1em;
+}
+
+#headernav > a {
+  padding: 0.2em;
+  font-size: 20pt;
+  font-family: share-tech;
+}
+
+h1, h2, h3, h4, h5, h6{
+  font-weight: 600;
+  display: inline;
+  font-family: share-tech;
+  background: rgb(59,115,185);
+  background: linear-gradient(90deg, rgb(59, 115, 185) 0%, rgb(229, 35, 33) 100%);
+  background-clip: border-box;
+  color: transparent;
+  -webkit-background-clip: text;
+  background-clip: text;
+}
+/*
+h4 {
+  //font-weight: 600;
+  //display: inline;
+  font-family: share-tech;
+  //background: rgb(59,115,185);
+  //background: linear-gradient(90deg, rgb(59, 115, 185) 0%, rgb(229, 35, 33) 100%);
+  //background-clip: border-box;
+  color: #fff;
+  //-webkit-background-clip: text;
+  //background-clip: text;
+}
+*/
+a {
+  text-decoration: none;
+  color: #3b73b9;
+  transition: color .1s linear;
+}
+a:hover {
+  /*color: #e52321;*/
+  color: #4e9af9;
+}
+
+ul {
+  margin-top: 0;
+}
+
+
+pre {
+  padding: 1rem;
+  overflow: auto;
+  font-size: 16px;
+}
+// The line numbers already provide some kind of left/right padding
+pre[data-linenos] {
+  padding: 1rem 0;
+}
+pre table td {
+  padding: 0;
+}
+// The line number cells
+pre table td:nth-of-type(1) {
+  text-align: center;
+  user-select: none;
+}
+pre mark {
+  // If you want your highlights to take the full width.
+  display: block;
+  // The default background colour of a mark is bright yellow
+  background-color: rgba(254, 252, 232, 0.9);
+}
+pre table {
+  width: 100%;
+  border-collapse: collapse;
+}

websites/docs.hacc.space/static/search.js

@@ -0,0 +1,52 @@
+
+function mkDiv (res) {
+    let div = document.createElement("div");
+    let a = document.createElement("a");
+    a.innerText = res.doc.title;
+    a.href = res.ref;
+    let text = document.createElement("span");
+    text.innerText = res.doc.body.slice(0,400).replaceAll("\n", " ");
+    text.classList.add("searchresultprevtext");
+
+    div.appendChild(text);
+    div.appendChild(a);
+    return div;
+}
+
+window.onload = () => {
+    console.log("hello!")
+    let searchbox = document.getElementById("searchbox");
+    searchbox.innerHTML =
+        "<input id='searchinput' placeholder='search ...'></input> \
+         <div id='searchresults' style='display:none'></div>";
+
+    let searchinput = document.getElementById("searchinput");
+    let searchresults = document.getElementById("searchresults");
+
+    let index = elasticlunr.Index.load(window.searchIndex);
+
+    searchinput.addEventListener("keyup", () => {
+        let term = searchinput.value.trim();
+        let results = [];
+        if (term !== "") {
+            results = index.search(term, {});
+            console.log(results);
+
+            while (searchresults.lastChild) {
+                searchresults.removeChild(searchresults.lastChild)
+            }
+            if (results.length !== 0) {
+                let resultdivs = results.map(mkDiv);
+                resultdivs.map((div) => searchresults.appendChild(div));
+            } else {
+                searchresults.innerHTML =
+                    term.length <= 4 ?
+                    "<div>Need at least four characters to search.</div>"
+                    : "<div>No results here.</div>";
+            }
+            searchresults.style.display = "initial";
+        } else {
+            searchresults.style.display = "none";
+        }
+    });
+}

websites/docs.hacc.space/templates/base.html

@@ -0,0 +1,43 @@
+<!DOCTYPE html>
+<html lang="en">
+  <head>
+    <meta charset="utf-8">
+    <title>{{ config.extra.main_title }}</title>
+    <link rel="icon" type="image/png" href="favicon.png">
+    <link rel="alternate" type="application/atom+xml" title="Feed" href="{{ get_url(path="atom.xml", trailing_slash=false) }}">
+    <link rel="stylesheet" href="{{ get_url(path="style.css", trailing_slash=false) | safe }}">
+    <script src="{{ get_url(path="search_index.en.js", trailing_slash=false) | safe }}"></script>
+    <script src="{{ get_url(path="elasticlunr.min.js", trailing_slash=false) | safe }}"></script>
+    <script src="{{ get_url(path="search.js", trailing_slash=false) | safe }}"></script>
+    {% block head_extra %}
+    {% endblock head_extra %}
+  </head>
+  <body>
+      <div id="content">
+          <header style="height:10em">
+              <a href="{{config.base_url}}"><h2 style="float:left">{{ config.extra.main_title }}</h2></a>
+              <nav id="headernav" style="float:right">
+                  {% for item in config.extra.main_menu %}
+                  <a itemprop="url"
+                     class="{% if item.url | replace(from="$BASE_URL", to=config.base_url) == current_url %}active{% endif %}"
+                     href="{{ item.url | safe | replace(from="$BASE_URL", to=config.base_url) }}">
+                      {{ item.name }}
+                  </a>
+                  {% endfor %}
+              <div id="searchbox">
+              </div>
+              </nav>
+          </header>
+          
+          {% block content %} {% endblock %}
+          
+          <footer class="content" style="z-index: 200">
+            <div>
+                <a href="https://git.infra4future.de/hacc/haccfiles">Source in git</a> &bull;
+                <a href="https://infra4future.de/impressum.html">Imprint</a>
+            </div>
+        </footer>
+
+      </div>
+  </body>
+</html>

websites/docs.hacc.space/templates/blog.html

@@ -0,0 +1,12 @@
+{% extends "base.html" %}
+
+{% block content %}
+<h1 class="title">
+  {{ section.title }}
+</h1>
+<ul>
+  {% for page in section.pages %}
+  <li><a href="{{ page.permalink | safe }}">{{ page.title }}</a></li>
+  {% endfor %}
+</ul>
+{% endblock content %}

websites/docs.hacc.space/templates/categories/list.html

@@ -0,0 +1,17 @@
+{% extends "base.html" %}
+
+{% block content %}
+<main>
+
+    <h1>Categories</h1>
+    <p>
+    {% if terms %}
+        <ul>
+            {% for term in terms %}
+            <li><a href="{{ term.permalink | safe }}">{{ term.name }}</a> ({{ term.pages | length }})</li>
+            {% endfor %}
+        </ul>
+        {% endif %}
+    </p>
+</main>
+{% endblock content %}

websites/docs.hacc.space/templates/categories/single.html

@@ -0,0 +1,12 @@
+{% extends "base.html" %}
+
+{% import "post_macros.html" as post_macros %}
+{% block content %}
+
+<h1>Posts in category "{{ term.name }}"</h1>
+  {% for page in term.pages %}
+<p>
+    <h2><a href="{{ page.permalink | safe }}">{{ page.title }}</a></h2>
+</p>
+  {% endfor %}
+{% endblock content %}

websites/docs.hacc.space/templates/doc-page.html

@@ -0,0 +1,15 @@
+{% extends "base.html" %}
+
+{% import "post_macros.html" as post_macros %}
+{% block content %}
+<main>
+    <article itemscope itemtype="http://schema.org/CreativeWork">
+        <header>
+            <h1><a href="{{ page.permalink | safe }}">
+                    {{ page.title }}
+            </a></h1>
+        </header>
+        {{ page.content | safe }}
+    </article>
+</main>
+{% endblock content %}

websites/docs.hacc.space/templates/index.html

@@ -0,0 +1,23 @@
+{% extends "base.html" %}
+
+{% block content %}
+  <main>
+      {% for page in section.pages %}
+      <p>
+          <h3><a href="{{ page.permalink | safe }}">{{ page.title }}</a></h3>
+      </p>
+      {% endfor %}
+
+      {% for sub in section.subsections %}
+      {% set subsection = get_section(path=sub) %}
+      <p>
+          <h2><a href="{{ subsection.permalink | safe }}">{{ subsection.title }}</a></h2>
+          {% for page in subsection.pages %}
+          <p>
+              <h3 style="margin-left:1em"><a href="{{ page.permalink | safe }}">{{ page.title }}</a></h3>
+          </p>
+          {% endfor %}
+       </p>
+      {% endfor %}
+  </main>
+{% endblock content %}

websites/docs.hacc.space/templates/post_macros.html

@@ -0,0 +1,15 @@
+{% macro paginator_nav(paginator) %}
+
+      <nav>
+          <p>
+              {% if paginator.previous %}
+              <a href="{{ paginator.previous }}">&laquo; Previous</a> |
+              {% endif %}
+              <span>Page {{ paginator.current_index }} of {{ paginator.number_pagers }}</span>
+              {% if paginator.next %}
+              | <a href="{{ paginator.next }}">Next &raquo;</a>
+              {% endif %}
+          </p>
+      </nav>
+
+{% endmacro paginator_nav %}

websites/docs.hacc.space/templates/section.html

@@ -0,0 +1,15 @@
+{% extends "index.html" %}
+
+{% block content %}
+  <h1>{{ section.title }}</h1>
+  <p>{{ section.content | safe }}</p>
+  <p>Pages in section</p>
+  <ul>
+  {% for page in section.pages | reverse %}
+      <li>
+        <em> <a href="{{ page.permalink }}"> {{ page.title }} </a> </em>
+      </li>
+  {% endfor %}
+  </ul>
+
+{% endblock content %}

websites/hacc.earth/default.nix

@@ -1,4 +1,4 @@
-{ stdenvNoCC, sfz, writeScriptBin }:
+{ stdenvNoCC, sfz, writeShellScriptBin }:
 
 stdenvNoCC.mkDerivation rec {
   name = "hacc.earth-static";
@@ -13,7 +13,8 @@ stdenvNoCC.mkDerivation rec {
     rm $out/default.nix
   '';
 
-  watch = writeScriptBin "watch" ''
-    ${sfz}/bin/sfz -r ${src} "$@"
+  watch = writeShellScriptBin "watch" ''
+    cd $(git rev-parse --show-toplevel)/websites/hacc.earth
+    ${sfz}/bin/sfz "$@"
   '';
 }

websites/hacc.earth/index.html

@@ -270,10 +270,7 @@
         <a href="https://muc.hacc.earth">hacc e.V.</a>, local chapter Munich<sup><a href="#history">*</a></sup>
         <ul>
         <li>
-            <a href="https://web.libera.chat/#hacc">#hacc</a> on irc.libera.chat or as matrix bridge <a href="https://matrix.to/#/#hacc:libera.chat">#hacc:libera.chat</a>
-        </li>
-        <li>
-            <a href="https://web.libera.chat/#hacc-muc">#hacc-muc</a> on irc.libera.chat or as matrix bridge <a href="https://matrix.to/#/#hacc-muc:libera.chat">#hacc-muc:libera.chat</a>
+		<a href="https://webirc.hackint.org/#ircs://irc.hackint.org/#hacc-muc">#hacc-muc</a> on hackint.org or as matrix bridge <a href="https://matrix.to/#/#hacc-muc:hackint.org">#hacc-muc:hackint.org</a>
         </li>
         <li>
             <a href="https://chaos.social/@hacc">@hacc@chaos.social</a>

websites/help.studentsforfuture.info/default.nix

@@ -1,4 +1,4 @@
-{ stdenvNoCC, sfz, writeScriptBin }:
+{ stdenvNoCC, sfz, writeShellScriptBin }:
 
 stdenvNoCC.mkDerivation rec {
   name = "muc.hacc.earth-static";
@@ -13,7 +13,8 @@ stdenvNoCC.mkDerivation rec {
     rm $out/default.nix
   '';
 
-  watch = writeScriptBin "watch" ''
-    ${sfz}/bin/sfz -r ${src}
+  watch = writeShellScriptBin "watch" ''
+    cd $(git rev-parse --show-toplevel)/websites/help.studentsforfuture.info
+    ${sfz}/bin/sfz "$@"
   '';
 }

websites/infra4future.de/_includes/head.html

@@ -6,8 +6,8 @@
   <meta name="format-detection" content="telephone=no">
   <meta name="description" content="{% if page.description %}{{ page.description | strip_html | strip_newlines | truncate: 160 }}{% else %}{{ site.description }}{% endif %}">
   
-  <link rel="icon" href="{{"/assets/img/favicon.png" | prepend: site.baseurl }}">
-  <link rel="stylesheet" href="{{ "/assets/css/main.css" | prepend: site.baseurl }}">
+  <link rel="icon" href="{{"assets/img/favicon.png" | prepend: site.baseurl }}">
+  <link rel="stylesheet" href="{{ "assets/css/main.css" | prepend: site.baseurl }}">
 
     <!-- Emoji script for chrome -->
    <!-- <script src="assets/js/twemoji.min.js"></script>-->

websites/infra4future.de/default.nix

@@ -1,4 +1,4 @@
-{ jekyll, stdenvNoCC, writeScriptBin }:
+{ jekyll, stdenvNoCC, writeShellScriptBin }:
 
 stdenvNoCC.mkDerivation rec {
   name = "infra4future.de-static";
@@ -11,8 +11,9 @@ stdenvNoCC.mkDerivation rec {
     ${jekyll}/bin/jekyll build -d $out --disable-disk-cache
   '';
 
-  watch = writeScriptBin "watch" ''
+  watch = writeShellScriptBin "watch" ''
+    cd $(git rev-parse --show-toplevel)/websites/infra4future.de
     rm -rf /tmp/hacc-website
-    ${jekyll}/bin/jekyll serve -s ${src} --disable-disk-cache -d /tmp/hacc-website
+    ${jekyll}/bin/jekyll serve --disable-disk-cache -d /tmp/hacc-website "$@"
   '';
 }

websites/infra4future.de/docs/index.md

@@ -1,69 +0,0 @@
----
-layout: "simple_page"
-
-title: Infra4future.de - docs
----
-
-# Hallo zusammen 👋️
-
-## Was ist das hier?
-
-Das hier ist der infra4future.de-Server. Aufgebaut und administriert wird er zurzeit von hacc (Hackers against Climate Change) München, nachdem unter einigen Klimaorgas der Wunsch nach einer gemeinsamen Plattform und allgemein einer besseren Infrastruktur als Telegramgruppen aufkam.
-
-Wenn du hier bist, hast du vermutlich deine Mailadresse an einen Admin weitergegeben und bist auf diesen Server eingeladen worden. Schau dich doch einfach mal um!
-
-Die vollständige Übersicht über alle hier betriebenen Dienste findest du auf [infra4future.de](https://infra4future.de).
-
-### Was gibt es hier alles?
-
-Alle wichtigen Funktionen findet ihr oben in der Leiste aufgereiht:
-
-#### Files / Nextcloud:
-
-Files (hier bist du gerade): hier kannst du alle Arten von Dateien ablegen, entweder private Dateien nur für dich, oder Dateien, die du mit einer bestimmten Gruppe von Personen (oder allen hier auf den Server) teilst. Meistens finden sich hier auch Dateien deiner Gruppe. Direkt zu Anfang bekommst du eine Liste mit einigen wichtigen Ordnern angezeigt:
-
-* about: Hier finden sich Informationen über infra4future.de, Anleitungen, hilfreiche Tipps, etc.
-* weitere Ordner: üblicherweise solltest du noch mindestens einen Ordner finden, der den Namen deiner Orga trägt. Dieser ist Gruppenintern; nur Menschen aus deiner Gruppe können ihn sehen
-* private Ordner/Dateien: du kannst auch selbst Dateien & Ordner erstellen. Sofern du sie nicht mit anderen teilst sind diese privat und können nur von dir eingesehen werden. Bitte beachtet, dass wir nur begrenzte Mittel haben und daher allen Accounts zunächst nur 5 GiB Speicher zur Verfügung gestellt werden (falls ihr mehr braucht, meldet euch bei uns – siehe unten)
-
-Natürlich könnt ihr eigene Dateien hochladen, neue Dokumente erstellen oder bereits vorhandene kopieren, verändern (übrigens auch kollaborativ, i.e. zeitgleich mit anderen) oder auf euren eigenen Rechner herunterladen. Das gilt für einfache Textdokumente, aber auch komplexere Dateiformat wie z.B. .odt (auch genutzt z.B. von LibreOffice).
-
-Einzelne Dateien könnt ihr auch kommentieren oder mit tags versehen, nach denen ihr später suchen könnt – nützlich ist das z.B. besonders bei Photos.
-
-#### Galerie:
-
-Eine Galerie. Hier werden alle Bilder angezeigt, die auch unter `Files` für dich sichtbar sind.
-
-#### Kalender:
-
-Hier sind Kalender. Ziemlich selbsterklärend — klickt auf einen Tag, um dort einen Eintrag anzulegen. Wie bei Dateien auch gibt es persönliche Kalender (nur für euch) und Kalender, die für ganze Gruppen oder alle einsehbar sind (nützlich für Termine, die viele Betreffen, z.B. den nächsten Streik oder Congress).
-
-#### Deck:
-
-Ein Kanban-Board für Todos. Hier kannst du Aufgaben als kleine "Notizzettel" anlegen, die dann auf verschiedenen Stapeln (z.B. "wichtig", "in Bearbeitung", "Hilfe gesucht", "fertig") abgelegt werden. Ganz nützlich, um komplexere Aufgaben zu sortieren.
-
-Das Prinzip ist evtl. bekannt von Kanban, Wekan, oder auch Trello.
-
-#### Tasks:
-
-Eine etwas traditionellere Todo-Liste. Du kannst Listen für dich selbst oder Gruppen anlegen, und einzelnen Todos beliebig viele Unterpunkte anhängen.
-
-#### Polls:
-
-Hier könnt ihr (öffentliche) Abstimmungen erstellen. Falls ihr innerhalb eurer Gruppe über etwas abstimmen lassen wollt, ist es vieleicht besser stattdessen eine Abstimmung direkt in Mattermost zu erstellen.
-
-#### Forms:
-
-Umfragen (i.e. deutlich allgemeiner als einfache Abstimmungen).
-
-#### Mattermost:
-
-Ein Echtzeit-Chat mit verschiedenen Channels (grob vergleichbar mit Slack oder Rocket.Chat). Evtl. musst du dich hier nochmal gesondert einloggen, da Mattermost nicht selbst Teil von Nextcloud ist.
-
-Mattermost ist auch unter einem eigenen Link erreichbar: [mattermost.infra4future.de](https://mattermost.infra4future.de)
-
-Mattermost hat selbst unterstützung für Abstimmungen, die dann direkt im Chat auftauchen & ggf. einfacher von allen Beteiligten gesehn werden als Nextcloud Polls. Um eine zu erstellen, tippt einfach "/poll" in das Nachrichtenfeld & schickt die Nachricht ab. Es erscheint dann ein Menü zum erstellen der Abstimmung.
-
-### Mehr Infos:
-
-im Ordner `hilfe` findet ihr Handbücher zu den einzelnen Diensten auf diesem Server.

websites/infra4future.de/docs/mobilapps.md

@@ -1,29 +0,0 @@
----
-layout: "simple_page"
-
-
-title: Infra4future.de
-slogan: Saving the climate with infrastructure
----
-
-# Mobilapps für infra4future.de
-
-Manchmal kann es ganz nützlich sein, auch unterwegs Orga-Kram zu erledigen. Auf diesem Server laufen eine ganze Reihe an Diensten — leider lassen sich die auf Android oder iOS nicht alle in eine App packen, anders als im Browser, wo alles schön oben in der Leiste steht.
-
-Ein grober Überblick:
-
-## Nextcloud (Android/iOS)
-
-Erhältlich: im App Store/Play Store. Nicht durch das blaue Nextcloud-Logo verwirren lassen, es ist die richtige App.
-
-Einrichtung: am Anfang werdet ihr gefragt, auf welchem Server ihr euch anmelden wollt. Dort einfach `cloud.infra4future.de` angeben, dann auf `mit infra4future.de anmelden` und euch mit euren Zugangsdaten dort einloggen.
-
-Die Nextcloud-App gibt es für Android und iOS. Damit habt ihr Zugriff auf Dateien und ein paar weitere grundlegende Sachen. Außerdem gibt es in der Seitenleiste Links auf `Talk` und das `Forum`. Dort müsst ihr euch noch einmal extra anmelden (keine Sorge, die Anmeldedaten sind selbstverständlich dieselben).
-
-## Mattermost
-
-ihr könnt die ganz normale Mattermost-App benutzen; genauso wie bei Nextcloud auch müsst ihr dabei am Anfang einmal angeben, zu welchem Server ihr euch verbinden wollt. Gebt dort einfach `mattermost.infra4future.de` ein, danach werdet ihr auf den normalen Anmeldedialog (auf `login.infra4future.de...`) weiter geleitet. Meldet euch dort an, danach solltet ihr in der App eure Teams & Chat sehen.
-
-## Hilfe suchen
-
-falls etwas nicht wie hier beschrieben funktioniert, sagt uns am besten bescheid: entweder per Mail an admin@infra4future.de oder im IRC #hacc-infra-pub auf `libera.chat`.

websites/infra4future.de/index.md

@@ -39,8 +39,6 @@ Aktuell betreiben wir:
  - [Hedgedoc](https://pad.infra4future.de), für schnelle, kollaborative Notizen.
  - [Gitea](https://git.infra4future.de), eine Hostingplattform für git-Repositories, zum gemeinschaftlichen auf-Software-einhacken.
 
-Detaillierte Beschreibungen aller Dienste findet ihr [hier](docs/index).
-
 Falls das eure Bedürfnisse noch nicht abdeckt oder ihr andere coole Software haben die ihr gerne benutzen würdet, meldet euch bei uns — wir können nichts versprechen, aber wenn möglich fügen wir gerne auch noch weitere Dienste dazu.
 
 

websites/muc.hacc.earth/default.nix

@@ -1,4 +1,4 @@
-{ stdenvNoCC, sfz, writeScriptBin }:
+{ stdenvNoCC, sfz, writeShellScriptBin }:
 
 stdenvNoCC.mkDerivation rec {
   name = "muc.hacc.earth-static";
@@ -13,7 +13,8 @@ stdenvNoCC.mkDerivation rec {
     rm $out/default.nix
   '';
 
-  watch = writeScriptBin "watch" ''
-    ${sfz}/bin/sfz -r ${src}
+  watch = writeShellScriptBin "watch" ''
+    cd $(git rev-parse --show-toplevel)/websites/muc.hacc.earth
+    ${sfz}/bin/sfz "$@"
   '';
 }

websites/muc.hacc.earth/index.html

@@ -267,13 +267,10 @@ Of course we also did and do support multiple events and groups in Munich and Ge
 <p>
     <ul>
         <li>
-            <a href="https://web.libera.chat/#hacc">#hacc</a> on irc.libera.chat or as matrix bridge <a href="https://matrix.to/#/#hacc:libera.chat">#hacc:libera.chat</a>, general chat in English
+	        <a href="https://webirc.hackint.org/#ircs://irc.hackint.org/#hacc-muc">#hacc-muc</a> on hackint.org or as matrix bridge <a href="https://matrix.to/#/#hacc-muc:hackint.org">#hacc-muc:hackint.org</a>, chat of the local chapter Munich in German
         </li>
         <li>
-            <a href="https://web.libera.chat/#hacc-muc">#hacc-muc</a> on irc.libera.chat or as matrix bridge <a href="https://matrix.to/#/#hacc-muc:libera.chat">#hacc-muc:libera.chat</a>, chat of the local chapter Munich in German
-        </li>
-        <li>
-            <a href="https://web.libera.chat/#hacc-voc">#hacc-voc</a> on irc.libera.chat or as matrix bridge <a href="https://matrix.to/#/#hacc-voc:libera.chat">#hacc-voc:libera.chat</a>
+	        <a href="https://webirc.hackint.org/#ircs://irc.hackint.org/#hacc-voc">#hacc-voc</a> on hackint.org or as matrix bridge <a href="https://matrix.to/#/#hacc-voc:hackint.org">#hacc-voc:hackint.org</a>
         </li>
         <li>
             <a href="https://chaos.social/@hacc">@hacc@chaos.social</a>

websites/mumble.infra4future.de/default.nix

@@ -1,4 +1,4 @@
-{ jekyll, stdenvNoCC, writeScriptBin }:
+{ jekyll, stdenvNoCC, writeShellScriptBin }:
 
 stdenvNoCC.mkDerivation rec {
   name = "mumble.infra4future.de-static";
@@ -11,8 +11,9 @@ stdenvNoCC.mkDerivation rec {
     ${jekyll}/bin/jekyll build -d $out --disable-disk-cache
   '';
 
-  watch = writeScriptBin "watch" ''
+  watch = writeShellScriptBin "watch" ''
+    cd $(git rev-parse --show-toplevel)/websites/mumble.infra4future.de
     rm -rf /tmp/hacc-website
-    ${jekyll}/bin/jekyll serve -s ${src} --disable-disk-cache -d /tmp/hacc-website
+    ${jekyll}/bin/jekyll serve --disable-disk-cache -d /tmp/hacc-website "$@"
   '';
 }