From 9768db0eb80f6a0e4a59d0364b7befd422fd9d47 Mon Sep 17 00:00:00 2001 From: h7x4 Date: Thu, 28 Mar 2024 10:52:59 +0100 Subject: [PATCH] WIP: bekkalokk: set up pvv-nettsiden --- flake.lock | 52 +++++++++++++++------- flake.nix | 12 ++++- hosts/bekkalokk/configuration.nix | 2 +- hosts/bekkalokk/services/nginx/ingress.nix | 4 +- hosts/bekkalokk/services/website.nix | 39 +++++++++++++++- secrets/bekkalokk/bekkalokk.yaml | 10 +++-- 6 files changed, 94 insertions(+), 25 deletions(-) diff --git a/flake.lock b/flake.lock index 1b6860c..cb48983 100644 --- a/flake.lock +++ b/flake.lock @@ -7,11 +7,11 @@ ] }, "locked": { - "lastModified": 1710169806, - "narHash": "sha256-HeWFrRuHpnAiPmIr26OKl2g142HuGerwoO/XtW53pcI=", + "lastModified": 1711588700, + "narHash": "sha256-vBB5HoQVnA6c/UrDOhLXKAahEwSRccw2YXYHxD7qoi4=", "owner": "nix-community", "repo": "disko", - "rev": "fe064a639319ed61cdf12b8f6eded9523abcc498", + "rev": "502241afa3de2a24865ddcbe4c122f4546e32092", "type": "github" }, "original": { @@ -82,11 +82,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1710248792, - "narHash": "sha256-yFyWw4na+nJgtXwhHs2SJSy5Lcw94/FcMbBOorlGdfI=", + "lastModified": 1711569752, + "narHash": "sha256-Fo+4/dRnDqdn4d2AKTZlHSa24Kj+qQLjT5WXOziu5UA=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "efbb274f364c918b9937574de879b5874b5833cc", + "rev": "fd9c477aaa7a4e033f3d966f658ddfb7d15e040c", "type": "github" }, "original": { @@ -97,11 +97,11 @@ }, "nixpkgs-stable": { "locked": { - "lastModified": 1710033658, - "narHash": "sha256-yiZiVKP5Ya813iYLho2+CcFuuHpaqKc/CoxOlANKcqM=", + "lastModified": 1711233294, + "narHash": "sha256-eEu5y4J145BYDw9o/YEmeJyqh8blgnZwuz9k234zuWc=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "b17375d3bb7c79ffc52f3538028b2ec06eb79ef8", + "rev": "ac6bdf6181666ebb4f90dd20f31e2fa66ede6b68", "type": "github" }, "original": { 
@@ -113,11 +113,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1710247538, - "narHash": "sha256-Mm3aCwfAdYgG2zKf5SLRBktPH0swXN1yEetAMn05KAA=", + "lastModified": 1711572435, + "narHash": "sha256-O90CV8yeChD44TenDStUhOqcWAJ862ghfA7/l5jUTfk=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "21adc4f16a8ab151fec83b9d9368cd62d9de86bc", + "rev": "38760f86d61431987e82108a6afb672e8a236bd8", "type": "github" }, "original": { @@ -146,6 +146,27 @@ "url": "https://git.pvv.ntnu.no/Projects/calendar-bot.git" } }, + "pvv-nettsiden": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1711619095, + "narHash": "sha256-tgCBZe0+PBh8GQEnEX9EKNTESLx6eo6ToB+OMLrJEpM=", + "ref": "nixify-ng", + "rev": "321846d2dac2d56999ebd3833ca51b19c1e7d83d", + "revCount": 442, + "type": "git", + "url": "https://git.pvv.ntnu.no/Projects/nettsiden.git" + }, + "original": { + "ref": "nixify-ng", + "type": "git", + "url": "https://git.pvv.ntnu.no/Projects/nettsiden.git" + } + }, "root": { "inputs": { "disko": "disko", @@ -155,6 +176,7 @@ "nixpkgs": "nixpkgs", "nixpkgs-unstable": "nixpkgs-unstable", "pvv-calendar-bot": "pvv-calendar-bot", + "pvv-nettsiden": "pvv-nettsiden", "sops-nix": "sops-nix" } }, @@ -166,11 +188,11 @@ "nixpkgs-stable": "nixpkgs-stable" }, "locked": { - "lastModified": 1710195194, - "narHash": "sha256-KFxCJp0T6TJOz1IOKlpRdpsCr9xsvlVuWY/VCiAFnTE=", + "lastModified": 1711249319, + "narHash": "sha256-N+Pp3/8H+rd7cO71VNV/ovV/Kwt+XNeUHNhsmyTabdM=", "owner": "Mic92", "repo": "sops-nix", - "rev": "e52d8117b330f690382f1d16d81ae43daeb4b880", + "rev": "405987a66cce9a4a82f321f11b205982a7127c88", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index 9223b25..7729dfa 100644 --- a/flake.nix +++ b/flake.nix 
@@ -11,6 +11,9 @@ disko.url = "github:nix-community/disko"; disko.inputs.nixpkgs.follows = "nixpkgs"; + pvv-nettsiden.url = "git+https://git.pvv.ntnu.no/Projects/nettsiden.git?ref=nixify-ng"; + pvv-nettsiden.inputs.nixpkgs.follows = "nixpkgs"; + pvv-calendar-bot.url = "git+https://git.pvv.ntnu.no/Projects/calendar-bot.git"; pvv-calendar-bot.inputs.nixpkgs.follows = "nixpkgs"; @@ -23,7 +26,7 @@ grzegorz-clients.inputs.nixpkgs.follows = "nixpkgs"; }; - outputs = { self, nixpkgs, nixpkgs-unstable, sops-nix, disko, ... }@inputs: + outputs = { self, nixpkgs, nixpkgs-unstable, pvv-nettsiden, sops-nix, disko, ... }@inputs: let nixlib = nixpkgs.lib; systems = [ @@ -59,6 +62,7 @@ inherit system; overlays = [ inputs.pvv-calendar-bot.overlays.${system}.default + inputs.pvv-nettsiden.overlays.${system}.default ]; }; } @@ -74,7 +78,11 @@ inputs.pvv-calendar-bot.nixosModules.default ]; }; - bekkalokk = stableNixosConfig "bekkalokk" { }; + bekkalokk = stableNixosConfig "bekkalokk" { + modules = [ + inputs.pvv-nettsiden.nixosModules.default + ]; + }; bob = stableNixosConfig "bob" { modules = [ disko.nixosModules.disko diff --git a/hosts/bekkalokk/configuration.nix b/hosts/bekkalokk/configuration.nix index 618ed75..d4c225b 100644 --- a/hosts/bekkalokk/configuration.nix +++ b/hosts/bekkalokk/configuration.nix @@ -9,7 +9,7 @@ #./services/keycloak.nix # TODO: set up authentication for the following: - # ./services/website.nix + ./services/website.nix ./services/nginx ./services/gitea/default.nix ./services/webmail diff --git a/hosts/bekkalokk/services/nginx/ingress.nix b/hosts/bekkalokk/services/nginx/ingress.nix index 2950846..3b2e363 100644 --- a/hosts/bekkalokk/services/nginx/ingress.nix +++ b/hosts/bekkalokk/services/nginx/ingress.nix @@ -1,8 +1,8 @@ { config, lib, ... }: { services.nginx.virtualHosts = { - "www2.pvv.ntnu.no" = { - serverAliases = [ "www2.pvv.org" "pvv.ntnu.no" "pvv.org" ]; + "pvv.ntnu.no" = { + serverAliases = [ "pvv.org" ]; addSSL = true; enableACME = true; 
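Review bot: The new `pvv-nettsiden.url` line tracks the `nixify-ng` branch without saying that this is temporary. Its overlay and NixOS module are both wired into bekkalokk further down in this file. flake.lock pins the current rev, so builds stay reproducible, but the next `nix flake update` will pull whatever is at that branch tip onto the host. I would add a comment above the line, `# TODO: drop ?ref=nixify-ng once the branch is merged upstream`, so the input is moved to the default branch before this leaves WIP. The `inputs` attribute set starts and ends outside the hunk.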
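Review bot: The `www2.pvv.org` alias is dropped from this vhost in hosts/bekkalokk/services/nginx/ingress.nix, and nothing visible in the commit picks it up again. services/website.nix sets only `domainName = "www2.pvv.ntnu.no"` and lists only that name in `SAML.TRUSTED_DOMAINS`. Unless the pvv-nettsiden module adds the alias itself, requests for `www2.pvv.org` would presumably land on nginx's default server rather than the site. If dropping the name is intended, a comment above the vhost such as `# www2.pvv.ntnu.no is served by services.pvv-nettsiden; www2.pvv.org is retired` would record that. The `virtualHosts` set continues past the end of the hunk.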
diff --git a/hosts/bekkalokk/services/website.nix b/hosts/bekkalokk/services/website.nix index facb35d..e2a896e 100644 --- a/hosts/bekkalokk/services/website.nix +++ b/hosts/bekkalokk/services/website.nix @@ -1,4 +1,39 @@ -{ ... }: -{ +{ pkgs, lib, config, ... }: +let + format = pkgs.formats.php { }; + cfg = config.services.pvv-nettsiden; +in { + services.pvv-nettsiden = { + enable = true; + domainName = "www2.pvv.ntnu.no"; + + settings = { + DOOR_SECRET = "verysecret"; + + DB = { + DSN = "mysql:dbname=www_data_www2;host=mysql.pvv.ntnu.no"; + USER = "www-data_www2"; + PASS = format.lib.mkRaw "file_get_contents('${config.sops.secrets."nettsiden/database/password".path}')"; + }; + + SAML = { + COOKIE_SALT = "changeme"; + COOKIE_SECURE = true; + ADMIN_PASSWORD = "torskefjes"; + TRUSTED_DOMAINS = [ cfg.domainName ]; + }; + }; + }; + + services.phpfpm.pools."pvv-nettsiden".settings = { + # "php_admin_value[error_log]" = "stderr"; + "php_admin_flag[log_errors]" = true; + "catch_workers_output" = true; + }; + + sops.secrets."nettsiden/database/password" = { + owner = config.services.phpfpm.pools.pvv-nettsiden.user; + group = config.services.phpfpm.pools.pvv-nettsiden.group; + }; } diff --git a/secrets/bekkalokk/bekkalokk.yaml b/secrets/bekkalokk/bekkalokk.yaml index ca9dc31..76e3820 100644 --- a/secrets/bekkalokk/bekkalokk.yaml +++ b/secrets/bekkalokk/bekkalokk.yaml @@ -13,6 +13,9 @@ mediawiki: database: ENC[AES256_GCM,data:EvVK3Mo6cZiIZS+gTxixU4r9SXN41VqwaWOtortZRNH+WPJ4xcYvzYMJNg==,iv:JtFTRLn3fzKIfgAPRqRgQjct7EdkEHtiyQKPy8/sZ2Q=,tag:nqzseG6BC0X5UNI/3kZZ3A==,type:str] keycloak: database: ENC[AES256_GCM,data:76+AZnNR5EiturTP7BdOCKE90bFFkfGlRtviSP5NHxPbb3RfFPJEMlwtzA==,iv:nS7VTossHdlrHjPeethhX+Ysp9ukrb5JD7kjG28OFpY=,tag:OMpiEv9nQA7v6lWJfNxEEw==,type:str] +nettsiden: + database: + password: ENC[AES256_GCM,data:6jYD6RM+bkWyMxQKaDXhTX/S,iv:3RILCebHs7E7LUX4B5DIM/E6qRWBh8a1Z94YcDZNQdc=,tag:FLW4dQ9DbVeOkjax4aiv3w==,type:str] sops: kms: [] gcp_kms: [] 
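Review bot: `DOOR_SECRET`, `SAML.COOKIE_SALT` and `SAML.ADMIN_PASSWORD` in the new `settings` block of hosts/bekkalokk/services/website.nix are placeholder string literals. That puts them in git history and, presumably, in a rendered config file in the world-readable Nix store, and the same commit enables this file in configuration.nix. `DB.PASS` in the same block already reads its value from a sops secret at runtime, and the other three should follow that pattern. This assumes the module renders raw PHP for those keys as it does for `DB.PASS`. The secret names in the sketch below are placeholders, and each needs an encrypted entry in secrets/bekkalokk/bekkalokk.yaml.

```nix
    settings = {
      DOOR_SECRET = format.lib.mkRaw "file_get_contents('${config.sops.secrets."nettsiden/door_secret".path}')";

      # … unchanged: DB …

      SAML = {
        COOKIE_SALT = format.lib.mkRaw "file_get_contents('${config.sops.secrets."nettsiden/saml/cookie_salt".path}')";
        COOKIE_SECURE = true;
        ADMIN_PASSWORD = format.lib.mkRaw "file_get_contents('${config.sops.secrets."nettsiden/saml/admin_password".path}')";
        TRUSTED_DOMAINS = [ cfg.domainName ];
      };
    };

  # … unchanged: phpfpm pool settings, sops.secrets."nettsiden/database/password" …

  # Placeholder secret names; same owner/group as the database password secret.
  sops.secrets."nettsiden/door_secret" = {
    owner = config.services.phpfpm.pools.pvv-nettsiden.user;
    group = config.services.phpfpm.pools.pvv-nettsiden.group;
  };
  sops.secrets."nettsiden/saml/cookie_salt" = {
    owner = config.services.phpfpm.pools.pvv-nettsiden.user;
    group = config.services.phpfpm.pools.pvv-nettsiden.group;
  };
  sops.secrets."nettsiden/saml/admin_password" = {
    owner = config.services.phpfpm.pools.pvv-nettsiden.user;
    group = config.services.phpfpm.pools.pvv-nettsiden.group;
  };
```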
@@ -46,8 +49,8 @@ sops: akVjeTNTeGorZjJQOVlMeCtPRUVYL3MK+VMvGxrbzGz4Q3sdaDDWjal+OiK+JYKX GHiMXVHQJZu/RrlxMjHKN6V3iaqxZpuvLAEJ2Lzy5EOHPtuiiRyeHQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-09-17T02:02:24Z" - mac: ENC[AES256_GCM,data:Lkvj9UOdE/WZtFReMs6n8ucFuJNPb76ZhPHFpYAEqYEe8d9FdMPMzq05DBAJe9IqpFS0jc9SWxJUPHfGgoMR8nPciZuR/mpJ+4s/cRkPbApwBPcLlvatE/qkbcxzoLlb1vN0gth5G/U7UEfk5Pp9gIz6Yo4sEIS3Za42tId1MpI=,iv:s3VELgU/RJ98/lbQV3vPtOLXtwFzB3KlY7bMKbAzp/g=,tag:D8s0XyGnd8UhbCseB/TyFg==,type:str] + lastmodified: "2024-03-23T20:46:37Z" + mac: ENC[AES256_GCM,data:Du1usETRD5lzf4QS3jCQZ8UZRNxdydZID8AI8Y1+YtmX66pszzLTNdzlzvid5fVRi1LFS7gSJfcIcfSPKTv20zeo/qzM5qhUoM9X8JOr+m0+FmjrmBJKnEqBvP7qOysBLZinR+pfr6RiR0tJMTWcmQp9k4q/wTeCU9Aaoz3OXr8=,iv:dCvzA1MOiid8WiIijznf0vvF6i9V9ZDSzvwfRONMN/M=,tag:qCN6RxvQ8wZIcUqwI0jU6g==,type:str] pgp: - created_at: "2023-05-21T00:28:40Z" enc: | @@ -70,4 +73,5 @@ sops: -----END PGP MESSAGE----- fp: F7D37890228A907440E1FD4846B9228E814A2AAC unencrypted_suffix: _unencrypted - version: 3.7.3 + version: 3.8.1 +