From 8657e7751445476e013b2a57c8025f007b16073e Mon Sep 17 00:00:00 2001 From: h7x4 Date: Thu, 28 Mar 2024 10:52:59 +0100 Subject: [PATCH 1/4] bekkalokk: set up pvv-nettsiden --- flake.lock | 58 +++++++++++----- flake.nix | 7 +- hosts/bekkalokk/configuration.nix | 2 +- hosts/bekkalokk/services/nginx/ingress.nix | 4 +- hosts/bekkalokk/services/website.nix | 4 -- hosts/bekkalokk/services/website/default.nix | 66 +++++++++++++++++++ .../services/website/fetch-gallery.nix | 5 ++ secrets/bekkalokk/bekkalokk.yaml | 7 +- 8 files changed, 125 insertions(+), 28 deletions(-) delete mode 100644 hosts/bekkalokk/services/website.nix create mode 100644 hosts/bekkalokk/services/website/default.nix create mode 100644 hosts/bekkalokk/services/website/fetch-gallery.nix diff --git a/flake.lock b/flake.lock index 244b1c6..af43255 100644 --- a/flake.lock +++ b/flake.lock @@ -7,11 +7,11 @@ ] }, "locked": { - "lastModified": 1710169806, - "narHash": "sha256-HeWFrRuHpnAiPmIr26OKl2g142HuGerwoO/XtW53pcI=", + "lastModified": 1712356478, + "narHash": "sha256-kTcEtrQIRnexu5lAbLsmUcfR2CrmsACF1s3ZFw1NEVA=", "owner": "nix-community", "repo": "disko", - "rev": "fe064a639319ed61cdf12b8f6eded9523abcc498", + "rev": "0a17298c0d96190ef3be729d594ba202b9c53beb", "type": "github" }, "original": { @@ -47,11 +47,11 @@ ] }, "locked": { - "lastModified": 1693864994, - "narHash": "sha256-oLDiWdCKDtEfeGzfAuDTq+n9VWp6JCo67PEESEZ3y8E=", + "lastModified": 1711853301, + "narHash": "sha256-KxRNyW/fgq690bt3B+Nz4EKLoubybcuASYyMa41bAPE=", "owner": "Programvareverkstedet", "repo": "grzegorz-clients", - "rev": "a38a0b0fb31ad0ad78a91458cb2c7f77f686468f", + "rev": "c38f2f22a6d47ae2da015351a45d13cbc1eb48e4", "type": "github" }, "original": { @@ -102,11 +102,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1710248792, - "narHash": "sha256-yFyWw4na+nJgtXwhHs2SJSy5Lcw94/FcMbBOorlGdfI=", + "lastModified": 1712386448, + "narHash": "sha256-kacQwZ5WnJv4HH5s8tlZTClyiwVP8XAaywI5I7QqLIY=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "efbb274f364c918b9937574de879b5874b5833cc", + "rev": "7644b4bc09c6329bcd82561a076fd7add697d092", "type": "github" }, "original": { @@ -117,11 +117,11 @@ }, "nixpkgs-stable": { "locked": { - "lastModified": 1710033658, - "narHash": "sha256-yiZiVKP5Ya813iYLho2+CcFuuHpaqKc/CoxOlANKcqM=", + "lastModified": 1711819797, + "narHash": "sha256-tNeB6emxj74Y6ctwmsjtMlzUMn458sBmwnD35U5KIM4=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "b17375d3bb7c79ffc52f3538028b2ec06eb79ef8", + "rev": "2b4e3ca0091049c6fbb4908c66b05b77eaef9f0c", "type": "github" }, "original": { @@ -133,11 +133,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1710247538, - "narHash": "sha256-Mm3aCwfAdYgG2zKf5SLRBktPH0swXN1yEetAMn05KAA=", + "lastModified": 1712381113, + "narHash": "sha256-YL8miM11o/jMqOwt5DsdyhPgh/JgCl1kOIzvX7ukniY=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "21adc4f16a8ab151fec83b9d9368cd62d9de86bc", + "rev": "6cc8dbb00974248cdd1b7ebd05cbc7c0799ce974", "type": "github" }, "original": { @@ -166,6 +166,27 @@ "url": "https://git.pvv.ntnu.no/Projects/calendar-bot.git" } }, + "pvv-nettsiden": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1712610183, + "narHash": "sha256-fAwUEpIGK53dDqAf2jn69JvjiEhBpIVFRSY+0Ga2zOs=", + "ref": "nixify-ng", + "rev": "89050016d326933181c13431eef019540acc4908", + "revCount": 444, + "type": "git", + "url": "https://git.pvv.ntnu.no/Projects/nettsiden.git" + }, + "original": { + "ref": "nixify-ng", + "type": "git", + "url": "https://git.pvv.ntnu.no/Projects/nettsiden.git" + } + }, "root": { "inputs": { "disko": "disko", @@ -176,6 +197,7 @@ "nixpkgs": "nixpkgs", "nixpkgs-unstable": "nixpkgs-unstable", "pvv-calendar-bot": "pvv-calendar-bot", + "pvv-nettsiden": "pvv-nettsiden", "sops-nix": "sops-nix" } }, @@ -187,11 +209,11 @@ "nixpkgs-stable": "nixpkgs-stable" }, "locked": { - "lastModified": 1710195194, - "narHash": "sha256-KFxCJp0T6TJOz1IOKlpRdpsCr9xsvlVuWY/VCiAFnTE=", + "lastModified": 1711855048, + "narHash": "sha256-HxegAPnQJSC4cbEbF4Iq3YTlFHZKLiNTk8147EbLdGg=", "owner": "Mic92", "repo": "sops-nix", - "rev": "e52d8117b330f690382f1d16d81ae43daeb4b880", + "rev": "99b1e37f9fc0960d064a7862eb7adfb92e64fa10", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index a54fa53..fd63ce4 100644 --- a/flake.nix +++ b/flake.nix @@ -11,6 +11,9 @@ disko.url = "github:nix-community/disko"; disko.inputs.nixpkgs.follows = "nixpkgs"; + pvv-nettsiden.url = "git+https://git.pvv.ntnu.no/Projects/nettsiden.git?ref=nixify-ng"; + pvv-nettsiden.inputs.nixpkgs.follows = "nixpkgs"; + pvv-calendar-bot.url = "git+https://git.pvv.ntnu.no/Projects/calendar-bot.git"; pvv-calendar-bot.inputs.nixpkgs.follows = "nixpkgs"; @@ -26,7 +29,7 @@ grzegorz-clients.inputs.nixpkgs.follows = "nixpkgs"; }; - outputs = { self, nixpkgs, nixpkgs-unstable, sops-nix, disko, ... }@inputs: + outputs = { self, nixpkgs, nixpkgs-unstable, pvv-nettsiden, sops-nix, disko, ... }@inputs: let nixlib = nixpkgs.lib; systems = [ @@ -87,9 +90,11 @@ simplesamlphp = final.callPackage ./packages/simplesamlphp { }; }) inputs.nix-gitea-themes.overlays.default + inputs.pvv-nettsiden.overlays.default ]; modules = [ inputs.nix-gitea-themes.nixosModules.default + inputs.pvv-nettsiden.nixosModules.default ]; }; bob = stableNixosConfig "bob" { diff --git a/hosts/bekkalokk/configuration.nix b/hosts/bekkalokk/configuration.nix index 3f0e685..53871c0 100644 --- a/hosts/bekkalokk/configuration.nix +++ b/hosts/bekkalokk/configuration.nix @@ -9,7 +9,7 @@ #./services/keycloak.nix # TODO: set up authentication for the following: - # ./services/website.nix + ./services/website ./services/nginx ./services/gitea/default.nix ./services/kerberos diff --git a/hosts/bekkalokk/services/nginx/ingress.nix b/hosts/bekkalokk/services/nginx/ingress.nix index 3b48ca0..a434668 100644 --- a/hosts/bekkalokk/services/nginx/ingress.nix +++ b/hosts/bekkalokk/services/nginx/ingress.nix @@ -1,8 +1,8 @@ { config, lib, ... }: { services.nginx.virtualHosts = { - "www2.pvv.ntnu.no" = { - serverAliases = [ "www2.pvv.org" "pvv.ntnu.no" "pvv.org" ]; + "pvv.ntnu.no" = { + serverAliases = [ "pvv.org" ]; addSSL = true; enableACME = true; kTLS = true; diff --git a/hosts/bekkalokk/services/website.nix b/hosts/bekkalokk/services/website.nix deleted file mode 100644 index facb35d..0000000 --- a/hosts/bekkalokk/services/website.nix +++ /dev/null @@ -1,4 +0,0 @@ -{ ... }: -{ - -} diff --git a/hosts/bekkalokk/services/website/default.nix b/hosts/bekkalokk/services/website/default.nix new file mode 100644 index 0000000..7f07fae --- /dev/null +++ b/hosts/bekkalokk/services/website/default.nix @@ -0,0 +1,66 @@ +{ pkgs, lib, config, ... }: +let + format = pkgs.formats.php { }; + cfg = config.services.pvv-nettsiden; +in { + imports = [ + ./fetch-gallery.nix + ]; + + services.idp.sp-remote-metadata = [ "https://www2.pvv.ntnu.no/simplesaml/" ]; + + services.pvv-nettsiden = { + enable = true; + + package = pkgs.pvv-nettsiden.override { + extra_files = { + "${pkgs.pvv-nettsiden.passthru.simplesamlphpPath}/metadata/saml20-idp-remote.php" = pkgs.writeText "pvv-nettsiden-saml20-idp-remote.php" (import ../idp-simplesamlphp/metadata.php.nix); + "${pkgs.pvv-nettsiden.passthru.simplesamlphpPath}/config/authsources.php" = pkgs.writeText "pvv-nettsiden-authsources.php" '' + array( + # 'core:AdminPassword' + # ), + 'default-sp' => array( + 'saml:SP', + 'entityID' => 'https://www2.pvv.ntnu.no/simplesaml/', + 'idp' => 'https://idp2.pvv.ntnu.no/', + ), + ); + ''; + }; + }; + + domainName = "www2.pvv.ntnu.no"; + + settings = { + DOOR_SECRET = "verysecret"; + + DB = { + DSN = "mysql:dbname=www_data_www2;host=mysql.pvv.ntnu.no"; + USER = "www-data_www2"; + PASS = format.lib.mkRaw "file_get_contents('${config.sops.secrets."nettsiden/database/password".path}')"; + }; + + SAML = { + COOKIE_SALT = "changeme"; + COOKIE_SECURE = true; + ADMIN_NAME = "PVV Drift"; + ADMIN_EMAIL = "drift@pvv.ntnu.no"; + ADMIN_PASSWORD = "torskefjes"; + TRUSTED_DOMAINS = [ cfg.domainName ]; + }; + }; + }; + + services.phpfpm.pools."pvv-nettsiden".settings = { + # "php_admin_value[error_log]" = "stderr"; + "php_admin_flag[log_errors]" = true; + "catch_workers_output" = true; + }; + + sops.secrets."nettsiden/database/password" = { + owner = config.services.phpfpm.pools.pvv-nettsiden.user; + group = config.services.phpfpm.pools.pvv-nettsiden.group; + }; +} diff --git a/hosts/bekkalokk/services/website/fetch-gallery.nix b/hosts/bekkalokk/services/website/fetch-gallery.nix new file mode 100644 index 0000000..0271971 --- /dev/null +++ b/hosts/bekkalokk/services/website/fetch-gallery.nix @@ -0,0 +1,5 @@ +{ pkgs, lib, config, ... }: +{ + +} + diff --git a/secrets/bekkalokk/bekkalokk.yaml b/secrets/bekkalokk/bekkalokk.yaml index 2530ec0..11ac61a 100644 --- a/secrets/bekkalokk/bekkalokk.yaml +++ b/secrets/bekkalokk/bekkalokk.yaml @@ -22,6 +22,9 @@ idp: admin_password: ENC[AES256_GCM,data:Vf33Oenk6x6BIij1uW8RQDjTPcKhUVYA,iv:RNeyCNpTAYdBPrZwE3Y6CCjoAML/3XUvjfJCrr06IEU=,tag:zVOrx1oXnEyr/VwFCFaCDQ==,type:str] postgres_password: ENC[AES256_GCM,data:HGwKLbn/umPLPgH+qpXtugvXzOcXdlhK,iv:ypTW0VLSape8K5aCYu3BdjG/oMmqvfDSLw9uGLthb0Q=,tag:qlDMGz59qzMwEwBYxsC0XQ==,type:str] privatekey: ENC[AES256_GCM,data:pK74wjuk9lt2PNJIzi6NpPBkxcSRsBZJl28BElUiri2zz17CY81x66CMlFsNjvzKB3JVX+b28FHFuSsEpd/mAPtmzZPR+CoWBHvU+OrSYYoufBxexRTtXzu0vx/KFL4X5tsb+GCgfm72CM+u9dElYHJzn3teBUmZc0pIoF29slTuwF+iZrbFwaieECxXMjHC9f+ivxWQsOvYFjhmAwgjBw/LsfURgLxZwcIRiiKsN41P2WtR9a/hjN53sJnihL9VZw/Xbbynm+bDmaAwhKUAZR28TU9Q1PTfNPEAOMoRgKF4MFuhQ5o0Cxq8RRz7fwCcCTV2sK4jgL7gKiy/gI/K41ybPQPon3NrDj3U2G1VhNgBfSNaTHgygiWI08HGWRHk83eJPHp3Ph8/A774g15SE10BXkL12n0kzodsZWYu3ybrhp167vL/ZW3xUnvFFlm4dTX/ndwS5rp1dIW0a5/0EDwMoGIJw94W5ph5sK9YoUTXwLdAJ9UWRZKQGk6iJstq2BMEBAN2BCSPHS2cflMjoVV4KKX1eq6s8/w6YFzCSQkt3+pGQ3DmiOaaqiv7sUfxyfMDzDcuTVETYRhsvr1ChfBFNn1yoH8BffeVTI2Ei3Edek1vXcg05mHxslhCmzQ4U4us0agtpm2Ar6ppvuedJHLWLFz8pgWSENeGdRcbz0CXiy7lIEYW4uQBru4MAjQ+ZQhz/F4L6At60Q4NelYMDxryQ8LxV0fA/ba2llwl8bDHDFDYkxu3/IaaWG8bp1i6gqvEao3/CRpPt/OAJGAHO3HViPm6xmWlWinUEatNlgCoDotkc56eZU/Af/P7R0QPQF0PpEIDHPcNjc/HcfheUXzJSzkD7wja8VB6rtqdRHFC793QsgdHJMJ+/bvJWZSQciSwaY3PBKLLuB6vrn7VD2NB4cE6beaGwneiAn83lAV+I4cJMDQFLkhWm8LIC7JIZKq/7eBfDEmajWEBL6wSbomBi/UGbA+FyvOokYYMemwVu1JGULcz9Lvn6pxkftQlN0gqE3MncrcZ/l59fepbka/z8oqH6i+3nKdaEh6D+WudD/0xiJSdXAVM6jGrxQtFc1R+OmGTTKJB4aLqgcM25YQ760wKavx5+B52pSki7XdYLmb6Xbnnv7AnyCNmGcpcj795P7qasE2sVokqq9a2PZD7VhP9TPHGtEO6QkkNV5gLxGsGvmshMM8KQgjK60HPQuSfHFVN/SlcOKvvH5ec8sBuYUt24xcDPewV9cXZwjcmwufFOVbC72FTEmU5qvmKobJTGjjbhWsHwpopESctmXuArIcVPsX5jSe3C9Y+9tjbkBGW6/+o8pTfodsjioXevVDXwjVBmGYk8xjZtF6/xfhpWvfunDXgEhnpT4i6ikoQiva8Mw8NvLe8U8Ivr6qCDE4ys4RTs56aw/CJHzydKjX96ZPzim52fAIJvEt1HvMvQx/O/q00h0WujYBcSBivYDtl7hC2fl6pBvM7fjipbeF04idkAKKXf4j6SGunx4hWq+eIA5tnlG8XVZZKIpdXKLgarvWs5pLlTSAK5ckF/yddcik7gAZc+pwo8kCAXIXPisX/yw9cZhI51PNTG1yxtPHAWKgULYLoWcnBCGTmPVXmj6IhpGuNuQ18TTpEtwnrMmcGq6aG/M2ZI+oq0q6suJUWwsCKUVM/TS6SKXEArzDtOMdXgyyDC/H3u+w3Bt/DwALLacq6lwoKBJZxQ6ewv3+ZkLcOkMRKu97hgV+rKmFqdPXqs+Skrf2MRl48sUCPIUXhD46ocFNpemcXcr73G7AxmmFLT6T4ZFm69K6eftUP6FsgUwbed+SaWTeptaG+wueL1NECoXafGlJAmXkjbBdWVgF2oMQFP3Kau135fiqmHpoWGzG5UhKxshTTtRIvbG/296NOkNZWBT/VzjwZti3IUka7HjC3leu28IlLsN0fsNPjQc2uIR3uVsR020g6et0m/Nys9gHDWXG/aCAYKhrgU8w37ZHBs383rkl4uUIYJH61SmTS4JP/wgh/+Q1aU8gXaZ8/Bc0BZUJdF3JR48fjkuMi2A8q5vkTQ1yFCvbBTtdg336v5tZc/xOW5/pt0W1Y7IgPFwHNh4iPAtKQZ3Qybh5PXs4N80YeYFWIjV6Ai0uY4yPdwYPfd1pRdpf3Ll+bhnbDPg0ye4f9lAhSR/cAZpft7BTd6W6jCv8QfWZcDmoBGZy68GZsYfCJ3QAo6szxzDtuyp7WMJRxioPt1EVA9q+8Rp7hHmZosoZOIUV+q3W5yZymL/PXZABiIc2OW9kryNlxQlBo79CSLGdXWeMq3dN1MSWoKJzxEseQqtSY5E1DYQosT1+3B8DXm77WSLMuB6OLjEz760y8jyIiLTGAVslcOb5XNfrQf5+l52nxCl/uSZo9FxiKg7ip0v3PZLuFSTSEaR2R2WeSuv/KoXi7WxFiG6VskpyL5jMhBwjepExFVosrOi4XugqR8vD3byTYUnmQvWJyyrI2LqQsYsa3o65SIO4g8SMKRsJJ8WWHpywLjF00HJSWiGRu8bQguvDTQd3UP6lgudzpubERXuUIBiMPqBKFJ1QTWA6N/t7dxR7NVaSexrGmY4ZSoIBKb9Jnge/+lkKrO9CgqDQpTAAvwwBZpFOV7EYLZNRpW+F8HaCNMeql7V/nFqdaaNdm9yLBhXbaeujalyiLtvBCghe330JVjbBTYWiRulJ2xnlX4GLzORBRIVHJYjxEKzCeVW7J2wAKkJ6gx5rlfDOd6r+Tf+1L8ZZoJEdBhIW7flslxo4amGRTI9QGJKVCIq/hrUGEgIAKsDsqTd21lVdhy+EDM+gumO7FbMcqVPRpwmQMFAZbJgH6TeS46tA4XQJGbwQhhBaqVb3jz7OJVOZ9C3/XfxPPpK4B2OyqINKNIRfyZ0fSmGlIT4LPf2IUEDCEKuPd3ClX51qNnVAPt/MbooF++Vp91KImdqCHwdiAygZTH9u91UN8S9IW8vo0XE4eAgdInjOM+IzUPhC+G8i6UNHbOpfQ7dntDc2nCv4nFKLjLZrgpm2kFrQ60/gDlbXBFF2eRcfYkSQSxVLWC4kWF1ce9YZf/j6erm6GnsQiyNoePe/Nb0v2f5DAR+9yoSJEOAi/AHacA9Dq5kfcoOYCrLkoc17SKQYmy/M9m5Mh3inI/O4wbUQrYDKHT0j77BJnkY11M6AiEF9YC0F4lCV4hIefQ3PnI4nmmo9b8rHnqvmrwUZrcOom6Zp+A7ydo4t0Bw1cDzEwJfpcb3JjpFi7F32/vHHLtGuPDvcJqkhw8VLuaAWAcEPJcIHJ+vAKCGWtDH7yQEOhFq4touwyPYDWBA5tqPY2xkFIAImFRhyLtTQupiNbZVR4G4dj24l8uQl2iz9aoDbJlNhoT+9YhwrKrYdM6hqnvpmiYqLIM+2kijZ8JmBS0BWNLCr+6rnbZbEB5e1ezokice8HQ1XcXbsegcI+eJ+gfDhYKw75VVyOd1Uy/pjLCCwQTywTIbf3iSuETvs3YjQrET1m7GJm3q8G4dx2M9c2B7R6B0ej06pkC4WwzFg3hEG6z2BaNrkopKkoE99bjoB2VHkgGTe+YM1Q3t+jA8IB7XNlnVH82AJ6eDMqgGSWBZiGxwx0KVUMg7cTi0iD6JNSYea0ykw+fh7Mj+8N0zhmzdUjdNBwZqxHVUbqIhUhk6meGRN5EASyt6qR329AqzbKaloS2VqjLjDkSEMhQfL4jHa8yPp8Cyj6EjgM2n5LnZs0u/43eh0h4ig3zQYMkwrHixI5hNQTBwSm3QnNpr3OnXAlypCPbCTiMC5sxHfrSTFkmjduT29aZ5qHQOc5zYG5bE2CmhWJdCOZm1s1mUT+Pxbxf4m/sh8w7TwnA+leD1rUvwYfyl5WI8f071vPcg62uTwScxr+TErvdzAkg9HElnsO6km0IncHIh79zexCR51CrtrZAVxc1gnnDtTLsaKmcEDkqIY4U2cUv+1CtPWz7IfKea9B56x+bFY32pwqYeXCHdDVfBGSMuM7mqZUBu+3jETSbglozYrukbgjftdWob3s/hR0WB0lH9uwkugfoGVonasPkmPvBhuvozkCLvP9aplqwUoL74D4JhHFLciPvV+Cmw5ag1WtErB89Oimm3tnOpynCJwZTQM+NVgBtKjom0qOnyn7l0vYIKQFJwV2k5w+RfrX5EOOjFfg9D2u+gHgmrqzaSl6kk2dHlQYmfeP+nJxiH7eGO5D3ooYHp7JKZBAaJHcAWWpgqVL/L8pjSJLCPRGBF/5DnfggwFdNprl3LqYnr4io+Wp4+Du74uvQHNpojrUQ4j7Qp330rSbCK9iX5v14zYr6RlqKe5CtTqHjPzuL8CxFUI1ImHgViNpff4=,iv:8cb1FcIm0oGkcrfLNqXamx4aDA3owBZoHur8+uFsdmA=,tag:oFPP/Yene6QrxFDKlmoVcA==,type:str] +nettsiden: + database: + password: ENC[AES256_GCM,data:8Cj6Xu8WJciu7vvdxvl6GwA9,iv:VPe18+Zu6bZd+wxb7i6nFlyN4vT1GHuId6L4alNKwDU=,tag:7x9AxafBNcJIcRetZNHOIg==,type:str] sops: kms: [] gcp_kms: [] @@ -55,8 +58,8 @@ sops: akVjeTNTeGorZjJQOVlMeCtPRUVYL3MK+VMvGxrbzGz4Q3sdaDDWjal+OiK+JYKX GHiMXVHQJZu/RrlxMjHKN6V3iaqxZpuvLAEJ2Lzy5EOHPtuiiRyeHQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-03-30T21:22:02Z" - mac: ENC[AES256_GCM,data:o3buZqOYZXiNyJ7zDtaBDFwbtP5i0QNvHxVVxtVWdLdRASVmau/ZXdQ8MNsExe6gUF4dS6Sv7QYXRfUO7ccmUDP4zABlIOcxjwsRTs5lE45S6pVIB98OIAODHdyl6LVsgxEkhdPmSoYRjLIWO56KlKArxPQGiprCI7AIBe6DYik=,iv:sAEeBMuJ8JwI3STZuy4miZhXA9Lopbof+3aaprtWVJ4=,tag:LBIRH7KwZ0CuuXuioVL10Q==,type:str] + lastmodified: "2024-04-02T19:09:44Z" + mac: ENC[AES256_GCM,data:9H6xPlE5+ddkezGQHj5IFjXv8LjJjGP8qf2wK44rMdmOQdsLzs4HryQmE+FctohtBfqbxCNdWsmQajPK5YwKbyEF+IMo40Ga8G3ORxYPn5dOSFx6lA/xZRJlqEsHr8WutlGmyJgqst+PZFBClDtOWqsI83HbQJ5wDxYkldEbVC0=,iv:jRfn8lufDbRTUHVe0tZiriia+KAa3Y23FSWXiZNuXRY=,tag:C7pg0BoR/nej0B5iTu3l0w==,type:str] pgp: - created_at: "2023-05-21T00:28:40Z" enc: | From fc19a8f1e1c052b3e7bcc17d4d79d89851482a56 Mon Sep 17 00:00:00 2001 From: Felix Albrigtsen Date: Sun, 7 Apr 2024 00:23:56 +0200 Subject: [PATCH 2/4] bekkalokk: Automatically unpack pvv-nettsiden/gallery and generate thumbnails --- .../services/website/fetch-gallery.nix | 60 ++++++++++++++++++- 1 file changed, 58 insertions(+), 2 deletions(-) diff --git a/hosts/bekkalokk/services/website/fetch-gallery.nix b/hosts/bekkalokk/services/website/fetch-gallery.nix index 0271971..59b17ed 100644 --- a/hosts/bekkalokk/services/website/fetch-gallery.nix +++ b/hosts/bekkalokk/services/website/fetch-gallery.nix @@ -1,5 +1,61 @@ { pkgs, lib, config, ... }: -{ +let + galleryDir = config.services.pvv-nettsiden.settings.GALLERY.DIR; + transferDir = "${config.services.pvv-nettsiden.settings.GALLERY.DIR}-transfer"; +in { + users.users.${config.services.pvv-nettsiden.user} = { + useDefaultShell = true; + # This is pushed from microbel:/var/www/www-gallery/build-gallery.sh + openssh.authorizedKeys.keys = [ + ''command="${pkgs.rrsync}/bin/rrsync -wo ${transferDir}",restrict,no-agent-forwarding,no-port-forwarding,no-pty,no-X11-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIjHhC2dikhWs/gG+m7qP1eSohWzTehn4ToNzDSOImyR gallery-publish'' + ]; + }; + + systemd.paths.pvv-nettsiden-gallery-update = { + wantedBy = [ "multi-user.target" ]; + pathConfig = { + PathChanged = "${transferDir}/gallery.tar.gz"; + Unit = "pvv-nettsiden-gallery-update.service"; + MakeDirectory = true; + }; + }; + + systemd.services.pvv-nettsiden-gallery-update = { + path = with pkgs; [ imagemagick gnutar gzip ]; + + script = '' + tar ${lib.cli.toGNUCommandLineShell {} { + extract = true; + file = "${transferDir}/gallery.tar.gz"; + directory = "."; + }} + + # Delete files and directories that exists in the gallery that don't exist in the tarball + filesToRemove=$(uniq -u <(sort <(find . -not -path "./.thumbnails*") <(tar -tf ${transferDir}/gallery.tar.gz | sed 's|/$||'))) + while IFS= read fname; do + rm -f $fname ||: + rm -f .thumbnails/$fname.png ||: + done <<< "$filesToRemove" + + find . -type d -empty -delete + + mkdir -p .thumbnails + images=$(find . -type f -not -path "./.thumbnails*") + + while IFS= read fname; do + [ -f ".thumbnails/$fname.png" ] && continue ||: + + echo "Creating thumbnail for $fname" + mkdir -p $(dirname ".thumbnails/$fname") + convert -define jpeg:size=200x200 "$fname" -thumbnail 500 -auto-orient ".thumbnails/$fname.png" ||: + done <<< "$images" + ''; + + serviceConfig = { + WorkingDirectory = galleryDir; + User = config.services.pvv-nettsiden.user; + Group = config.services.pvv-nettsiden.group; + }; + }; } - From 9577477460d6b392ebfbf5bf6afeb64859740798 Mon Sep 17 00:00:00 2001 From: h7x4 Date: Mon, 8 Apr 2024 23:07:41 +0200 Subject: [PATCH 3/4] bekkalokk/nettsiden: add secrets --- hosts/bekkalokk/services/website/default.nix | 43 ++++++++++++-------- secrets/bekkalokk/bekkalokk.yaml | 12 ++++-- 2 files changed, 34 insertions(+), 21 deletions(-) diff --git a/hosts/bekkalokk/services/website/default.nix b/hosts/bekkalokk/services/website/default.nix index 7f07fae..6076000 100644 --- a/hosts/bekkalokk/services/website/default.nix +++ b/hosts/bekkalokk/services/website/default.nix @@ -7,7 +7,18 @@ in { ./fetch-gallery.nix ]; - services.idp.sp-remote-metadata = [ "https://www2.pvv.ntnu.no/simplesaml/" ]; + sops.secrets = lib.genAttrs [ + "nettsiden/door_secret" + "nettsiden/mysql_password" + "nettsiden/simplesamlphp/admin_password" + "nettsiden/simplesamlphp/cookie_salt" + ] (_: { + owner = config.services.phpfpm.pools.pvv-nettsiden.user; + group = config.services.phpfpm.pools.pvv-nettsiden.group; + restartUnits = [ "phpfpm-pvv-nettsiden.service" ]; + }); + + services.idp.sp-remote-metadata = [ "https://${cfg.domainName}/simplesaml/" ]; services.pvv-nettsiden = { enable = true; @@ -18,12 +29,12 @@ in { "${pkgs.pvv-nettsiden.passthru.simplesamlphpPath}/config/authsources.php" = pkgs.writeText "pvv-nettsiden-authsources.php" '' array( - # 'core:AdminPassword' - # ), + 'admin' => array( + 'core:AdminPassword' + ), 'default-sp' => array( 'saml:SP', - 'entityID' => 'https://www2.pvv.ntnu.no/simplesaml/', + 'entityID' => 'https://${cfg.domainName}/simplesaml/', 'idp' => 'https://idp2.pvv.ntnu.no/', ), ); @@ -33,21 +44,24 @@ in { domainName = "www2.pvv.ntnu.no"; - settings = { - DOOR_SECRET = "verysecret"; + settings = let + includeFromSops = path: format.lib.mkRaw "file_get_contents('${config.sops.secrets."nettsiden/${path}".path}')"; + in { + DOOR_SECRET = includeFromSops "door_secret"; DB = { - DSN = "mysql:dbname=www_data_www2;host=mysql.pvv.ntnu.no"; - USER = "www-data_www2"; - PASS = format.lib.mkRaw "file_get_contents('${config.sops.secrets."nettsiden/database/password".path}')"; + DSN = "mysql:dbname=www-data_nettside;host=mysql.pvv.ntnu.no"; + USER = "www-data_nettsi"; + PASS = includeFromSops "mysql_password"; }; + # TODO: set up postgres session for simplesamlphp SAML = { - COOKIE_SALT = "changeme"; + COOKIE_SALT = includeFromSops "simplesamlphp/cookie_salt"; COOKIE_SECURE = true; ADMIN_NAME = "PVV Drift"; ADMIN_EMAIL = "drift@pvv.ntnu.no"; - ADMIN_PASSWORD = "torskefjes"; + ADMIN_PASSWORD = includeFromSops "simplesamlphp/admin_password"; TRUSTED_DOMAINS = [ cfg.domainName ]; }; }; @@ -58,9 +72,4 @@ in { "php_admin_flag[log_errors]" = true; "catch_workers_output" = true; }; - - sops.secrets."nettsiden/database/password" = { - owner = config.services.phpfpm.pools.pvv-nettsiden.user; - group = config.services.phpfpm.pools.pvv-nettsiden.group; - }; } diff --git a/secrets/bekkalokk/bekkalokk.yaml b/secrets/bekkalokk/bekkalokk.yaml index 11ac61a..9ba2100 100644 --- a/secrets/bekkalokk/bekkalokk.yaml +++ b/secrets/bekkalokk/bekkalokk.yaml @@ -23,8 +23,12 @@ idp: postgres_password: ENC[AES256_GCM,data:HGwKLbn/umPLPgH+qpXtugvXzOcXdlhK,iv:ypTW0VLSape8K5aCYu3BdjG/oMmqvfDSLw9uGLthb0Q=,tag:qlDMGz59qzMwEwBYxsC0XQ==,type:str] privatekey: ENC[AES256_GCM,data:pK74wjuk9lt2PNJIzi6NpPBkxcSRsBZJl28BElUiri2zz17CY81x66CMlFsNjvzKB3JVX+b28FHFuSsEpd/mAPtmzZPR+CoWBHvU+OrSYYoufBxexRTtXzu0vx/KFL4X5tsb+GCgfm72CM+u9dElYHJzn3teBUmZc0pIoF29slTuwF+iZrbFwaieECxXMjHC9f+ivxWQsOvYFjhmAwgjBw/LsfURgLxZwcIRiiKsN41P2WtR9a/hjN53sJnihL9VZw/Xbbynm+bDmaAwhKUAZR28TU9Q1PTfNPEAOMoRgKF4MFuhQ5o0Cxq8RRz7fwCcCTV2sK4jgL7gKiy/gI/K41ybPQPon3NrDj3U2G1VhNgBfSNaTHgygiWI08HGWRHk83eJPHp3Ph8/A774g15SE10BXkL12n0kzodsZWYu3ybrhp167vL/ZW3xUnvFFlm4dTX/ndwS5rp1dIW0a5/0EDwMoGIJw94W5ph5sK9YoUTXwLdAJ9UWRZKQGk6iJstq2BMEBAN2BCSPHS2cflMjoVV4KKX1eq6s8/w6YFzCSQkt3+pGQ3DmiOaaqiv7sUfxyfMDzDcuTVETYRhsvr1ChfBFNn1yoH8BffeVTI2Ei3Edek1vXcg05mHxslhCmzQ4U4us0agtpm2Ar6ppvuedJHLWLFz8pgWSENeGdRcbz0CXiy7lIEYW4uQBru4MAjQ+ZQhz/F4L6At60Q4NelYMDxryQ8LxV0fA/ba2llwl8bDHDFDYkxu3/IaaWG8bp1i6gqvEao3/CRpPt/OAJGAHO3HViPm6xmWlWinUEatNlgCoDotkc56eZU/Af/P7R0QPQF0PpEIDHPcNjc/HcfheUXzJSzkD7wja8VB6rtqdRHFC793QsgdHJMJ+/bvJWZSQciSwaY3PBKLLuB6vrn7VD2NB4cE6beaGwneiAn83lAV+I4cJMDQFLkhWm8LIC7JIZKq/7eBfDEmajWEBL6wSbomBi/UGbA+FyvOokYYMemwVu1JGULcz9Lvn6pxkftQlN0gqE3MncrcZ/l59fepbka/z8oqH6i+3nKdaEh6D+WudD/0xiJSdXAVM6jGrxQtFc1R+OmGTTKJB4aLqgcM25YQ760wKavx5+B52pSki7XdYLmb6Xbnnv7AnyCNmGcpcj795P7qasE2sVokqq9a2PZD7VhP9TPHGtEO6QkkNV5gLxGsGvmshMM8KQgjK60HPQuSfHFVN/SlcOKvvH5ec8sBuYUt24xcDPewV9cXZwjcmwufFOVbC72FTEmU5qvmKobJTGjjbhWsHwpopESctmXuArIcVPsX5jSe3C9Y+9tjbkBGW6/+o8pTfodsjioXevVDXwjVBmGYk8xjZtF6/xfhpWvfunDXgEhnpT4i6ikoQiva8Mw8NvLe8U8Ivr6qCDE4ys4RTs56aw/CJHzydKjX96ZPzim52fAIJvEt1HvMvQx/O/q00h0WujYBcSBivYDtl7hC2fl6pBvM7fjipbeF04idkAKKXf4j6SGunx4hWq+eIA5tnlG8XVZZKIpdXKLgarvWs5pLlTSAK5ckF/yddcik7gAZc+pwo8kCAXIXPisX/yw9cZhI51PNTG1yxtPHAWKgULYLoWcnBCGTmPVXmj6IhpGuNuQ18TTpEtwnrMmcGq6aG/M2ZI+oq0q6suJUWwsCKUVM/TS6SKXEArzDtOMdXgyyDC/H3u+w3Bt/DwALLacq6lwoKBJZxQ6ewv3+ZkLcOkMRKu97hgV+rKmFqdPXqs+Skrf2MRl48sUCPIUXhD46ocFNpemcXcr73G7AxmmFLT6T4ZFm69K6eftUP6FsgUwbed+SaWTeptaG+wueL1NECoXafGlJAmXkjbBdWVgF2oMQFP3Kau135fiqmHpoWGzG5UhKxshTTtRIvbG/296NOkNZWBT/VzjwZti3IUka7HjC3leu28IlLsN0fsNPjQc2uIR3uVsR020g6et0m/Nys9gHDWXG/aCAYKhrgU8w37ZHBs383rkl4uUIYJH61SmTS4JP/wgh/+Q1aU8gXaZ8/Bc0BZUJdF3JR48fjkuMi2A8q5vkTQ1yFCvbBTtdg336v5tZc/xOW5/pt0W1Y7IgPFwHNh4iPAtKQZ3Qybh5PXs4N80YeYFWIjV6Ai0uY4yPdwYPfd1pRdpf3Ll+bhnbDPg0ye4f9lAhSR/cAZpft7BTd6W6jCv8QfWZcDmoBGZy68GZsYfCJ3QAo6szxzDtuyp7WMJRxioPt1EVA9q+8Rp7hHmZosoZOIUV+q3W5yZymL/PXZABiIc2OW9kryNlxQlBo79CSLGdXWeMq3dN1MSWoKJzxEseQqtSY5E1DYQosT1+3B8DXm77WSLMuB6OLjEz760y8jyIiLTGAVslcOb5XNfrQf5+l52nxCl/uSZo9FxiKg7ip0v3PZLuFSTSEaR2R2WeSuv/KoXi7WxFiG6VskpyL5jMhBwjepExFVosrOi4XugqR8vD3byTYUnmQvWJyyrI2LqQsYsa3o65SIO4g8SMKRsJJ8WWHpywLjF00HJSWiGRu8bQguvDTQd3UP6lgudzpubERXuUIBiMPqBKFJ1QTWA6N/t7dxR7NVaSexrGmY4ZSoIBKb9Jnge/+lkKrO9CgqDQpTAAvwwBZpFOV7EYLZNRpW+F8HaCNMeql7V/nFqdaaNdm9yLBhXbaeujalyiLtvBCghe330JVjbBTYWiRulJ2xnlX4GLzORBRIVHJYjxEKzCeVW7J2wAKkJ6gx5rlfDOd6r+Tf+1L8ZZoJEdBhIW7flslxo4amGRTI9QGJKVCIq/hrUGEgIAKsDsqTd21lVdhy+EDM+gumO7FbMcqVPRpwmQMFAZbJgH6TeS46tA4XQJGbwQhhBaqVb3jz7OJVOZ9C3/XfxPPpK4B2OyqINKNIRfyZ0fSmGlIT4LPf2IUEDCEKuPd3ClX51qNnVAPt/MbooF++Vp91KImdqCHwdiAygZTH9u91UN8S9IW8vo0XE4eAgdInjOM+IzUPhC+G8i6UNHbOpfQ7dntDc2nCv4nFKLjLZrgpm2kFrQ60/gDlbXBFF2eRcfYkSQSxVLWC4kWF1ce9YZf/j6erm6GnsQiyNoePe/Nb0v2f5DAR+9yoSJEOAi/AHacA9Dq5kfcoOYCrLkoc17SKQYmy/M9m5Mh3inI/O4wbUQrYDKHT0j77BJnkY11M6AiEF9YC0F4lCV4hIefQ3PnI4nmmo9b8rHnqvmrwUZrcOom6Zp+A7ydo4t0Bw1cDzEwJfpcb3JjpFi7F32/vHHLtGuPDvcJqkhw8VLuaAWAcEPJcIHJ+vAKCGWtDH7yQEOhFq4touwyPYDWBA5tqPY2xkFIAImFRhyLtTQupiNbZVR4G4dj24l8uQl2iz9aoDbJlNhoT+9YhwrKrYdM6hqnvpmiYqLIM+2kijZ8JmBS0BWNLCr+6rnbZbEB5e1ezokice8HQ1XcXbsegcI+eJ+gfDhYKw75VVyOd1Uy/pjLCCwQTywTIbf3iSuETvs3YjQrET1m7GJm3q8G4dx2M9c2B7R6B0ej06pkC4WwzFg3hEG6z2BaNrkopKkoE99bjoB2VHkgGTe+YM1Q3t+jA8IB7XNlnVH82AJ6eDMqgGSWBZiGxwx0KVUMg7cTi0iD6JNSYea0ykw+fh7Mj+8N0zhmzdUjdNBwZqxHVUbqIhUhk6meGRN5EASyt6qR329AqzbKaloS2VqjLjDkSEMhQfL4jHa8yPp8Cyj6EjgM2n5LnZs0u/43eh0h4ig3zQYMkwrHixI5hNQTBwSm3QnNpr3OnXAlypCPbCTiMC5sxHfrSTFkmjduT29aZ5qHQOc5zYG5bE2CmhWJdCOZm1s1mUT+Pxbxf4m/sh8w7TwnA+leD1rUvwYfyl5WI8f071vPcg62uTwScxr+TErvdzAkg9HElnsO6km0IncHIh79zexCR51CrtrZAVxc1gnnDtTLsaKmcEDkqIY4U2cUv+1CtPWz7IfKea9B56x+bFY32pwqYeXCHdDVfBGSMuM7mqZUBu+3jETSbglozYrukbgjftdWob3s/hR0WB0lH9uwkugfoGVonasPkmPvBhuvozkCLvP9aplqwUoL74D4JhHFLciPvV+Cmw5ag1WtErB89Oimm3tnOpynCJwZTQM+NVgBtKjom0qOnyn7l0vYIKQFJwV2k5w+RfrX5EOOjFfg9D2u+gHgmrqzaSl6kk2dHlQYmfeP+nJxiH7eGO5D3ooYHp7JKZBAaJHcAWWpgqVL/L8pjSJLCPRGBF/5DnfggwFdNprl3LqYnr4io+Wp4+Du74uvQHNpojrUQ4j7Qp330rSbCK9iX5v14zYr6RlqKe5CtTqHjPzuL8CxFUI1ImHgViNpff4=,iv:8cb1FcIm0oGkcrfLNqXamx4aDA3owBZoHur8+uFsdmA=,tag:oFPP/Yene6QrxFDKlmoVcA==,type:str] nettsiden: - database: - password: ENC[AES256_GCM,data:8Cj6Xu8WJciu7vvdxvl6GwA9,iv:VPe18+Zu6bZd+wxb7i6nFlyN4vT1GHuId6L4alNKwDU=,tag:7x9AxafBNcJIcRetZNHOIg==,type:str] + mysql_password: ENC[AES256_GCM,data:Uv74HhWtYRbaFHcfh0Rk/Q==,iv:/lRTaMepwpJKZJWHnwb98Ywa1zP4e2EqYGmwI7BCl1I=,tag:ZnE0u2/65zdkONcoiBGSOQ==,type:str] + door_secret: ENC[AES256_GCM,data:t0jEN1WnyEi10KRSg4Dlcd7IuIMBiOU7riOdYSZjvZTQqPijRYIoMEQ6OemIkD1Yg67uISTxnjxP,iv:Ss02VGKRa4oZMubbi8IfQDAjh3h295+n07vOx/IZGBs=,tag:OvdxqIUdYi/cR7IjopSVQQ==,type:str] + simplesamlphp: + postgres_password: ENC[AES256_GCM,data:SvbrdHF4vQ94DgoEfy67QS5oziAsMT8H,iv:LOHBqMecA6mgV3NMfmfTh3zDGiDve+t3+uaO53dIxt4=,tag:9ffz84ozIqytNdGB1COMhA==,type:str] + cookie_salt: ENC[AES256_GCM,data:VmODSLOP1YDBrpHdk/49qx9BS+aveEYDQ1D24d4zCi06kZsCENCr+vdPAnTeM1pw98RTr3yZAEQTh4s90b6v8Q==,iv:vRClu6neyYPFdtD63kjnvK2iNOIHMbh+9qEGph7CI60=,tag:66fgppVxY0egs4+9XfDBPA==,type:str] + admin_password: ENC[AES256_GCM,data:SADr/zN3F0tW339kSK1nD9Pb38rw7hz8,iv:s5jgl1djXd5JKwx1WG/w2Q4STMMpjJP91qxOwAoNcL0=,tag:N8bKnO9N0ei06HDkSGt6XQ==,type:str] sops: kms: [] gcp_kms: [] @@ -58,8 +62,8 @@ sops: akVjeTNTeGorZjJQOVlMeCtPRUVYL3MK+VMvGxrbzGz4Q3sdaDDWjal+OiK+JYKX GHiMXVHQJZu/RrlxMjHKN6V3iaqxZpuvLAEJ2Lzy5EOHPtuiiRyeHQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-04-02T19:09:44Z" - mac: ENC[AES256_GCM,data:9H6xPlE5+ddkezGQHj5IFjXv8LjJjGP8qf2wK44rMdmOQdsLzs4HryQmE+FctohtBfqbxCNdWsmQajPK5YwKbyEF+IMo40Ga8G3ORxYPn5dOSFx6lA/xZRJlqEsHr8WutlGmyJgqst+PZFBClDtOWqsI83HbQJ5wDxYkldEbVC0=,iv:jRfn8lufDbRTUHVe0tZiriia+KAa3Y23FSWXiZNuXRY=,tag:C7pg0BoR/nej0B5iTu3l0w==,type:str] + lastmodified: "2024-04-08T20:36:13Z" + mac: ENC[AES256_GCM,data:IObBR2H3cPIvBNWSo7A5xwyKeg2HbFkfxcU1U5BpRx2gvNb9/h7lextQ6IWPHOS/LZRXY+lZdhX6zLf6aLQjxTATZcrcF2BIu6YM5wppXOjVxhy3dkItU5TGPuxBdZEZ1bEpFu3B1Ooc1UdWvEWqZz2Mcn2akoX53Mj2vU8WGO8=,iv:fHvPHO33y6y3OSbVkojw2+XnpCNHO1AnCm2RnuwxPVA=,tag:m44YZd4Q4DEHCoDCoayqsg==,type:str] pgp: - created_at: "2023-05-21T00:28:40Z" enc: | From 2bbc851e0e27ef792d8315769209ad532c705c05 Mon Sep 17 00:00:00 2001 From: Felix Albrigtsen Date: Wed, 10 Apr 2024 21:51:05 +0200 Subject: [PATCH 4/4] Point inputs/nettsiden to master after https://git.pvv.ntnu.no/Projects/nettsiden/pulls/53 --- flake.lock | 11 +++++------ flake.nix | 2 +- 2 files changed, 6 insertions(+), 7 deletions(-) diff --git a/flake.lock b/flake.lock index af43255..0fceac7 100644 --- a/flake.lock +++ b/flake.lock @@ -173,16 +173,15 @@ ] }, "locked": { - "lastModified": 1712610183, - "narHash": "sha256-fAwUEpIGK53dDqAf2jn69JvjiEhBpIVFRSY+0Ga2zOs=", - "ref": "nixify-ng", - "rev": "89050016d326933181c13431eef019540acc4908", - "revCount": 444, + "lastModified": 1712778310, + "narHash": "sha256-6b2wAaT1Nk1FYOvxyQOe8aMzxPQZY768/SNGlQ4bdHQ=", + "ref": "refs/heads/master", + "rev": "1aa4f4fc8ac646da2e0967a5cb96bce13e3096bc", + "revCount": 448, "type": "git", "url": "https://git.pvv.ntnu.no/Projects/nettsiden.git" }, "original": { - "ref": "nixify-ng", "type": "git", "url": "https://git.pvv.ntnu.no/Projects/nettsiden.git" } diff --git a/flake.nix b/flake.nix index fd63ce4..e2d0bea 100644 --- a/flake.nix +++ b/flake.nix @@ -11,7 +11,7 @@ disko.url = "github:nix-community/disko"; disko.inputs.nixpkgs.follows = "nixpkgs"; - pvv-nettsiden.url = "git+https://git.pvv.ntnu.no/Projects/nettsiden.git?ref=nixify-ng"; + pvv-nettsiden.url = "git+https://git.pvv.ntnu.no/Projects/nettsiden.git"; pvv-nettsiden.inputs.nixpkgs.follows = "nixpkgs"; pvv-calendar-bot.url = "git+https://git.pvv.ntnu.no/Projects/calendar-bot.git";