From 4d50efc6db1270b099949fb6188a89fd6d33d56b Mon Sep 17 00:00:00 2001 From: Felix Albrigtsen Date: Wed, 10 Apr 2024 23:31:04 +0200 Subject: [PATCH 1/2] Finalize www/idp/webmail migration from spikkjeposche to bekkalokk --- hosts/bekkalokk/services/idp-simplesamlphp/default.nix | 6 +++--- .../bekkalokk/services/idp-simplesamlphp/metadata.php.nix | 8 ++++---- .../services/mediawiki/simplesaml-authsources.php | 2 +- hosts/bekkalokk/services/webmail/default.nix | 4 ++-- hosts/bekkalokk/services/webmail/roundcube.nix | 2 +- hosts/bekkalokk/services/website/default.nix | 4 ++-- 6 files changed, 13 insertions(+), 13 deletions(-) diff --git a/hosts/bekkalokk/services/idp-simplesamlphp/default.nix b/hosts/bekkalokk/services/idp-simplesamlphp/default.nix index 28e7063..e943f2d 100644 --- a/hosts/bekkalokk/services/idp-simplesamlphp/default.nix +++ b/hosts/bekkalokk/services/idp-simplesamlphp/default.nix @@ -22,7 +22,7 @@ let # openssl req -newkey rsa:4096 -new -x509 -days 365 -nodes -out idp.crt -keyout idp.pem "metadata/saml20-idp-hosted.php" = pkgs.writeText "saml20-idp-remote.php" '' '__DEFAULT__', 'privatekey' => '${config.sops.secrets."idp/privatekey".path}', 'certificate' => '${./idp.crt}', @@ -89,7 +89,7 @@ let --replace '$SAML_ADMIN_NAME' '"Drift"' \ --replace '$SAML_ADMIN_EMAIL' '"drift@pvv.ntnu.no"' \ --replace '$SAML_ADMIN_PASSWORD' 'file_get_contents("${config.sops.secrets."idp/admin_password".path}")' \ - --replace '$SAML_TRUSTED_DOMAINS' 'array( "idp2.pvv.ntnu.no" )' \ + --replace '$SAML_TRUSTED_DOMAINS' 'array( "idp.pvv.ntnu.no" )' \ --replace '$SAML_DATABASE_DSN' '"pgsql:host=postgres.pvv.ntnu.no;port=5432;dbname=idp"' \ --replace '$SAML_DATABASE_USERNAME' '"idp"' \ --replace '$SAML_DATABASE_PASSWORD' 'file_get_contents("${config.sops.secrets."idp/postgres_password".path}")' \ @@ -177,7 +177,7 @@ in }; }; - services.nginx.virtualHosts."idp2.pvv.ntnu.no" = { + services.nginx.virtualHosts."idp.pvv.ntnu.no" = { forceSSL = true; enableACME = true; kTLS = true; 
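Review bot: The derivation name in `pkgs.writeText "saml20-idp-remote.php"` does not match the file it produces, `metadata/saml20-idp-hosted.php`; `pkgs.writeText "saml20-idp-hosted.php"` would keep the store path self-describing. The `# openssl req … -x509 -days 365` comment above it documents a self-signed signing certificate with a one-year validity, and `'certificate' => '${./idp.crt}'` embeds that certificate into the hosted metadata; any SP that keeps a pinned copy of it rather than re-fetching metadata stops accepting assertions once it is rotated, so the comment should also record when idp.crt was issued and that rotation has to be coordinated with the SPs' remote-IdP metadata. The PHP line between the opening `''` and `'__DEFAULT__'` is not legible in this rendering, so only the surrounding context lines were reviewed.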
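Review bot: The DSN on the context line, `'"pgsql:host=postgres.pvv.ntnu.no;port=5432;dbname=idp"'`, points at a different host than the one being configured and sets no `sslmode`, so libpq's default of `prefer` applies: the connection silently drops to plaintext if the server does not offer TLS, and the server certificate is never verified even when it does. For what is presumably the IdP's session store (the store type is not visible here) that means credentials and session data cross the network unauthenticated; unless the link is protected some other way, change it to `--replace '$SAML_DATABASE_DSN' '"pgsql:host=postgres.pvv.ntnu.no;port=5432;dbname=idp;sslmode=verify-full"'` and make sure PHP-FPM can read the CA bundle. The `$SAML_TRUSTED_DOMAINS` change to `idp.pvv.ntnu.no` is consistent with the renamed vhost; it is also worth confirming that the sops files read via `file_get_contents` carry no trailing newline, since nothing trims them before they become the admin and database passwords.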
diff --git a/hosts/bekkalokk/services/idp-simplesamlphp/metadata.php.nix b/hosts/bekkalokk/services/idp-simplesamlphp/metadata.php.nix index ff4ed34..0ba2763 100644 --- a/hosts/bekkalokk/services/idp-simplesamlphp/metadata.php.nix +++ b/hosts/bekkalokk/services/idp-simplesamlphp/metadata.php.nix @@ -1,18 +1,18 @@ '' 'saml20-idp-hosted', - 'entityid' => 'https://idp2.pvv.ntnu.no/', + 'entityid' => 'https://idp.pvv.ntnu.no/', 'SingleSignOnService' => [ [ 'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect', - 'Location' => 'https://idp2.pvv.ntnu.no/module.php/saml/idp/singleSignOnService', + 'Location' => 'https://idp.pvv.ntnu.no/module.php/saml/idp/singleSignOnService', ], ], 'SingleLogoutService' => [ [ 'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect', - 'Location' => 'https://idp2.pvv.ntnu.no/module.php/saml/idp/singleLogout', + 'Location' => 'https://idp.pvv.ntnu.no/module.php/saml/idp/singleLogout', ], ], 'NameIDFormat' => [ 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient' ], diff --git a/hosts/bekkalokk/services/mediawiki/simplesaml-authsources.php b/hosts/bekkalokk/services/mediawiki/simplesaml-authsources.php index 3282484..5ccdb21 100644 --- a/hosts/bekkalokk/services/mediawiki/simplesaml-authsources.php +++ b/hosts/bekkalokk/services/mediawiki/simplesaml-authsources.php @@ -6,6 +6,6 @@ $config = array( 'default-sp' => array( 'saml:SP', 'entityID' => 'https://wiki.pvv.ntnu.no/simplesaml/', - 'idp' => 'https://idp2.pvv.ntnu.no/', + 'idp' => 'https://idp.pvv.ntnu.no/', ), ); diff --git a/hosts/bekkalokk/services/webmail/default.nix b/hosts/bekkalokk/services/webmail/default.nix index 752d00a..a1d6186 100644 --- a/hosts/bekkalokk/services/webmail/default.nix +++ b/hosts/bekkalokk/services/webmail/default.nix 
@@ -4,12 +4,12 @@ ./roundcube.nix ]; - services.nginx.virtualHosts."webmail2.pvv.ntnu.no" = { + services.nginx.virtualHosts."webmail.pvv.ntnu.no" = { forceSSL = true; enableACME = true; kTLS = true; locations."= /" = { - return = "301 https://www.pvv.ntnu.no/mail/"; + return = "302 https://webmail.pvv.ntnu.no/roundcube"; }; }; } diff --git a/hosts/bekkalokk/services/webmail/roundcube.nix b/hosts/bekkalokk/services/webmail/roundcube.nix index ef157ac..a320a34 100644 --- a/hosts/bekkalokk/services/webmail/roundcube.nix +++ b/hosts/bekkalokk/services/webmail/roundcube.nix @@ -3,7 +3,7 @@ with lib; let cfg = config.services.roundcube; - domain = "webmail2.pvv.ntnu.no"; + domain = "webmail.pvv.ntnu.no"; in { services.roundcube = { diff --git a/hosts/bekkalokk/services/website/default.nix b/hosts/bekkalokk/services/website/default.nix index 6076000..2886a44 100644 --- a/hosts/bekkalokk/services/website/default.nix +++ b/hosts/bekkalokk/services/website/default.nix @@ -35,14 +35,14 @@ in { 'default-sp' => array( 'saml:SP', 'entityID' => 'https://${cfg.domainName}/simplesaml/', - 'idp' => 'https://idp2.pvv.ntnu.no/', + 'idp' => 'https://idp.pvv.ntnu.no/', ), ); ''; }; }; - domainName = "www2.pvv.ntnu.no"; + domainName = "www.pvv.ntnu.no"; settings = let includeFromSops = path: format.lib.mkRaw "file_get_contents('${config.sops.secrets."nettsiden/${path}".path}')"; From 79bf307ef266a5b477f4735c1d1da22206902610 Mon Sep 17 00:00:00 2001 
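Review bot: The new `return = "302 https://webmail.pvv.ntnu.no/roundcube";` switches the root redirect from the 301 used everywhere else in this series to a temporary 302; if `/roundcube` is the permanent home of the webmail, `return = "301 https://webmail.pvv.ntnu.no/roundcube";` lets browsers cache it, and if the temporary code is deliberate a one-line comment such as `# 302 on purpose: the landing path may still change` would stop the next reader from "fixing" it. roundcube.nix in this same patch sets the same domain for `services.roundcube`, which presumably declares its own nginx virtualHost for that name; the two definitions merge, but a short comment stating which side is expected to own `forceSSL`/`enableACME` would avoid the duplication looking accidental.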
From: Felix Albrigtsen Date: Thu, 11 Apr 2024 00:29:55 +0200 Subject: [PATCH 2/2] bekkalokk: Reconfigure www ingress --- flake.lock | 8 +-- hosts/bekkalokk/configuration.nix | 5 +- hosts/bekkalokk/services/gitea/ci.nix | 1 + .../services/{nginx/default.nix => nginx.nix} | 4 -- hosts/bekkalokk/services/nginx/ingress.nix | 56 ------------------- hosts/bekkalokk/services/website/default.nix | 51 +++++++++++++++++ 6 files changed, 57 insertions(+), 68 deletions(-) rename hosts/bekkalokk/services/{nginx/default.nix => nginx.nix} (60%) delete mode 100644 hosts/bekkalokk/services/nginx/ingress.nix diff --git a/flake.lock b/flake.lock index 0fceac7..d3f1c4f 100644 --- a/flake.lock +++ b/flake.lock @@ -173,11 +173,11 @@ ] }, "locked": { - "lastModified": 1712778310, - "narHash": "sha256-6b2wAaT1Nk1FYOvxyQOe8aMzxPQZY768/SNGlQ4bdHQ=", + "lastModified": 1712789012, + "narHash": "sha256-d6inEw6LZ5PW7DvEPiuZIrt8du7qM8GtFddzVJpu8ng=", "ref": "refs/heads/master", - "rev": "1aa4f4fc8ac646da2e0967a5cb96bce13e3096bc", - "revCount": 448, + "rev": "d528df5f99d32dcc3e9e84dcf32409e09064b774", + "revCount": 450, "type": "git", "url": "https://git.pvv.ntnu.no/Projects/nettsiden.git" }, diff --git a/hosts/bekkalokk/configuration.nix b/hosts/bekkalokk/configuration.nix index 53871c0..26d1e9c 100644 --- a/hosts/bekkalokk/configuration.nix +++ b/hosts/bekkalokk/configuration.nix @@ -8,9 +8,8 @@ #./services/keycloak.nix - # TODO: set up authentication for the following: ./services/website - ./services/nginx + ./services/nginx.nix ./services/gitea/default.nix ./services/kerberos ./services/webmail @@ -26,8 +25,6 @@ boot.loader.systemd-boot.enable = true; boot.loader.efi.canTouchEfiVariables = true; - virtualisation.podman.enable = true; - networking.hostName = "bekkalokk"; systemd.network.networks."30-enp2s0" = values.defaultNetworkConfig // { diff --git a/hosts/bekkalokk/services/gitea/ci.nix b/hosts/bekkalokk/services/gitea/ci.nix index c33c72d..5533cba 100644 
--- a/hosts/bekkalokk/services/gitea/ci.nix +++ b/hosts/bekkalokk/services/gitea/ci.nix @@ -27,4 +27,5 @@ lib.mkMerge [ (mkRunner "alpha") (mkRunner "beta") (mkRunner "epsilon") + { virtualisation.podman.enable = true; } ] diff --git a/hosts/bekkalokk/services/nginx/default.nix b/hosts/bekkalokk/services/nginx.nix similarity index 60% rename from hosts/bekkalokk/services/nginx/default.nix rename to hosts/bekkalokk/services/nginx.nix index 0ff747d..41d3c38 100644 --- a/hosts/bekkalokk/services/nginx/default.nix +++ b/hosts/bekkalokk/services/nginx.nix @@ -1,8 +1,4 @@ { pkgs, config, ... }: { - imports = [ - ./ingress.nix - ]; - services.nginx.enable = true; } diff --git a/hosts/bekkalokk/services/nginx/ingress.nix b/hosts/bekkalokk/services/nginx/ingress.nix deleted file mode 100644 index a434668..0000000 --- a/hosts/bekkalokk/services/nginx/ingress.nix +++ /dev/null 
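Review bot: The added `{ virtualisation.podman.enable = true; }` is a host-wide option dropped into the runner list without a comment saying why the runners need it; a line such as `# the act runners start job containers through podman` (adjusted to what mkRunner actually configures — it is defined outside the hunk) would make the dependency explicit. It is also not visible whether the runners talk to a rootful podman socket or run podman rootless; since these runners execute jobs supplied by repositories, that distinction decides whether a job can gain root-equivalent access to the host, and it deserves to be stated next to this line. The enclosing `lib.mkMerge [ … ]` begins outside the hunk.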
@@ -1,56 +0,0 @@ -{ config, lib, ... }: -{ - services.nginx.virtualHosts = { - "pvv.ntnu.no" = { - serverAliases = [ "pvv.org" ]; - addSSL = true; - enableACME = true; - kTLS = true; - - locations = { - # Proxy home directories - "/~" = { - extraConfig = '' - proxy_redirect off; - proxy_pass https://tom.pvv.ntnu.no; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - ''; - }; - - # Redirect old wiki entries - "/disk".return = "301 https://www.pvv.ntnu.no/pvv/Diskkjøp"; - "/dok/boker.php".return = "301 https://www.pvv.ntnu.no/pvv/Bokhyllen"; - "/styret/lover/".return = "301 https://www.pvv.ntnu.no/pvv/Lover"; - "/styret/".return = "301 https://www.pvv.ntnu.no/pvv/Styret"; - "/info/".return = "301 https://www.pvv.ntnu.no/pvv/"; - "/info/maskinpark/".return = "301 https://www.pvv.ntnu.no/pvv/Maskiner"; - "/medlemssider/meldinn.php".return = "301 https://www.pvv.ntnu.no/pvv/Medlemskontingent"; - "/diverse/medlems-sider.php".return = "301 https://www.pvv.ntnu.no/pvv/Medlemssider"; - "/cert/".return = "301 https://www.pvv.ntnu.no/pvv/CERT"; - "/drift".return = "301 https://www.pvv.ntnu.no/pvv/Drift"; - "/diverse/abuse.php".return = "301 https://www.pvv.ntnu.no/pvv/CERT/Abuse"; - "/nerds/".return = "301 https://www.pvv.ntnu.no/pvv/Nerdepizza"; - - # TODO: Redirect webmail - "/webmail".return = "301 https://webmail.pvv.ntnu.no/squirrelmail"; - - # Redirect everything else to the main website - "/".return = "301 https://www.pvv.ntnu.no$request_uri"; - - # Proxy the matrix well-known files - # Host has be set before proxy_pass - # The header must be set so nginx on the other side routes it to the right place - "/.well-known/matrix/" = { - extraConfig = '' - proxy_set_header Host matrix.pvv.ntnu.no; - proxy_pass https://matrix.pvv.ntnu.no/.well-known/matrix/; - ''; - }; - }; - }; - }; -} - 
diff --git a/hosts/bekkalokk/services/website/default.nix b/hosts/bekkalokk/services/website/default.nix
index 2886a44..d3ebb2e 100644
--- a/hosts/bekkalokk/services/website/default.nix
+++ b/hosts/bekkalokk/services/website/default.nix
@@ -72,4 +72,55 @@ in { "php_admin_flag[log_errors]" = true; "catch_workers_output" = true; }; + + services.nginx.virtualHosts.${cfg.domainName} = { + serverAliases = [ + "pvv.ntnu.no" + "www.pvv.ntnu.org" + "pvv.org" + ]; + + locations = { + # Proxy home directories + "/~" = { + extraConfig = '' + proxy_redirect off; + proxy_pass https://tom.pvv.ntnu.no; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + ''; + }; + + # Redirect the old webmail/wiki paths from spikkjeposche + "/webmail".return = "301 https://webmail.pvv.ntnu.no"; + "~ /pvv/([^\\n\\r]*)".return = "301 https://wiki.pvv.ntnu.no/wiki/$1"; + "= /pvv".return = "301 https://wiki.pvv.ntnu.no/"; + + # Redirect old wiki entries + "/disk".return = "301 https://wiki.pvv.ntnu.no/wiki/Diskkjøp"; + "/dok/boker.php".return = "301 https://wiki.pvv.ntnu.no/wiki/Bokhyllen"; + "/styret/lover/".return = "301 https://wiki.pvv.ntnu.no/wiki/Lover"; + "/styret/".return = "301 https://wiki.pvv.ntnu.no/wiki/Styret"; + "/info/".return = "301 https://wiki.pvv.ntnu.no/wiki/"; + "/info/maskinpark/".return = "301 https://wiki.pvv.ntnu.no/wiki/Maskiner"; + "/medlemssider/meldinn.php".return = "301 https://wiki.pvv.ntnu.no/wiki/Medlemskontingent"; + "/diverse/medlems-sider.php".return = "301 https://wiki.pvv.ntnu.no/wiki/Medlemssider"; + "/cert/".return = "301 https://wiki.pvv.ntnu.no/wiki/CERT"; + "/drift".return = "301 https://wiki.pvv.ntnu.no/wiki/Drift"; + "/diverse/abuse.php".return = "301 https://wiki.pvv.ntnu.no/wiki/CERT/Abuse"; + "/nerds/".return = "301 https://wiki.pvv.ntnu.no/wiki/Nerdepizza"; + + # Proxy the matrix well-known files + # Host has be set before proxy_pass + # The header must be set so nginx on the other side routes it to the right place + "/.well-known/matrix/" = { + extraConfig = '' + proxy_set_header Host matrix.pvv.ntnu.no; + proxy_pass 
https://matrix.pvv.ntnu.no/.well-known/matrix/; + ''; + }; + }; + }; }
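Review bot: The regex location `"~ /pvv/([^\\n\\r]*)"` is unanchored, and nginx prefers the first matching regex location over a plain prefix match, so `/~someuser/pvv/notes` (which should reach the `/~` proxy) or `/disk/pvv/x` is redirected to the wiki instead; anchoring it as `"~ ^/pvv/([^\\n\\r]*)"` (or declaring the home-directory location as `"^~ /~"`) restricts the redirect to the intended paths. Both `proxy_pass https://…` blocks run with nginx's defaults of `proxy_ssl_verify off` and `proxy_ssl_server_name off`, so the certificates of tom.pvv.ntnu.no and matrix.pvv.ntnu.no are never checked and whatever answers on that network path is served under pvv.ntnu.no; the rewrite below turns verification on against the system CA bundle. The alias `"www.pvv.ntnu.org"` sits between `pvv.ntnu.no` and `pvv.org` and looks like a blend of the two; if ACME is enabled for this vhost by the website module (not visible in the hunk), an alias whose DNS the host does not control fails validation for the whole certificate, so please confirm the intended name. The comment `# Host has be set before proxy_pass` should read `# Host has to be set before proxy_pass`.

```nix
      # Proxy home directories. The upstream is reached over TLS, so verify its
      # certificate and send SNI; nginx defaults both to off.
      "/~" = {
        extraConfig = ''
          proxy_redirect off;
          proxy_ssl_server_name on;
          proxy_ssl_verify on;
          proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
          proxy_pass https://tom.pvv.ntnu.no;
          proxy_set_header Host $host;
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
          proxy_set_header X-Forwarded-Proto $scheme;
        '';
      };

      # … unchanged: /webmail redirect …

      # Anchored: the unanchored form also matched /~user/pvv/... and /disk/pvv/...,
      # because a matching regex location wins over a plain prefix location.
      "~ ^/pvv/([^\\n\\r]*)".return = "301 https://wiki.pvv.ntnu.no/wiki/$1";
      "= /pvv".return = "301 https://wiki.pvv.ntnu.no/";

      # … unchanged: old wiki-entry redirects …

      # Proxy the matrix well-known files.
      # Host has to be set before proxy_pass: the header is what makes nginx on
      # the other side route the request to the right place.
      "/.well-known/matrix/" = {
        extraConfig = ''
          proxy_ssl_server_name on;
          proxy_ssl_verify on;
          proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
          proxy_set_header Host matrix.pvv.ntnu.no;
          proxy_pass https://matrix.pvv.ntnu.no/.well-known/matrix/;
        '';
      };
```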