Compare commits
3 Commits
145a840a2c
...
4f322ec0b1
Author | SHA1 | Date | |
---|---|---|---|
4f322ec0b1 | |||
79bf307ef2 | |||
4d50efc6db |
8
flake.lock
generated
8
flake.lock
generated
@ -173,11 +173,11 @@
|
|||||||
]
|
]
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1712778310,
|
"lastModified": 1712789012,
|
||||||
"narHash": "sha256-6b2wAaT1Nk1FYOvxyQOe8aMzxPQZY768/SNGlQ4bdHQ=",
|
"narHash": "sha256-d6inEw6LZ5PW7DvEPiuZIrt8du7qM8GtFddzVJpu8ng=",
|
||||||
"ref": "refs/heads/master",
|
"ref": "refs/heads/master",
|
||||||
"rev": "1aa4f4fc8ac646da2e0967a5cb96bce13e3096bc",
|
"rev": "d528df5f99d32dcc3e9e84dcf32409e09064b774",
|
||||||
"revCount": 448,
|
"revCount": 450,
|
||||||
"type": "git",
|
"type": "git",
|
||||||
"url": "https://git.pvv.ntnu.no/Projects/nettsiden.git"
|
"url": "https://git.pvv.ntnu.no/Projects/nettsiden.git"
|
||||||
},
|
},
|
||||||
|
@ -8,9 +8,8 @@
|
|||||||
|
|
||||||
#./services/keycloak.nix
|
#./services/keycloak.nix
|
||||||
|
|
||||||
# TODO: set up authentication for the following:
|
|
||||||
./services/website
|
./services/website
|
||||||
./services/nginx
|
./services/nginx.nix
|
||||||
./services/gitea/default.nix
|
./services/gitea/default.nix
|
||||||
./services/kerberos
|
./services/kerberos
|
||||||
./services/webmail
|
./services/webmail
|
||||||
@ -26,8 +25,6 @@
|
|||||||
boot.loader.systemd-boot.enable = true;
|
boot.loader.systemd-boot.enable = true;
|
||||||
boot.loader.efi.canTouchEfiVariables = true;
|
boot.loader.efi.canTouchEfiVariables = true;
|
||||||
|
|
||||||
virtualisation.podman.enable = true;
|
|
||||||
|
|
||||||
networking.hostName = "bekkalokk";
|
networking.hostName = "bekkalokk";
|
||||||
|
|
||||||
systemd.network.networks."30-enp2s0" = values.defaultNetworkConfig // {
|
systemd.network.networks."30-enp2s0" = values.defaultNetworkConfig // {
|
||||||
|
@ -27,4 +27,5 @@ lib.mkMerge [
|
|||||||
(mkRunner "alpha")
|
(mkRunner "alpha")
|
||||||
(mkRunner "beta")
|
(mkRunner "beta")
|
||||||
(mkRunner "epsilon")
|
(mkRunner "epsilon")
|
||||||
|
{ virtualisation.podman.enable = true; }
|
||||||
]
|
]
|
||||||
|
@ -22,7 +22,7 @@ let
|
|||||||
# openssl req -newkey rsa:4096 -new -x509 -days 365 -nodes -out idp.crt -keyout idp.pem
|
# openssl req -newkey rsa:4096 -new -x509 -days 365 -nodes -out idp.crt -keyout idp.pem
|
||||||
"metadata/saml20-idp-hosted.php" = pkgs.writeText "saml20-idp-remote.php" ''
|
"metadata/saml20-idp-hosted.php" = pkgs.writeText "saml20-idp-remote.php" ''
|
||||||
<?php
|
<?php
|
||||||
$metadata['https://idp2.pvv.ntnu.no/'] = array(
|
$metadata['https://idp.pvv.ntnu.no/'] = array(
|
||||||
'host' => '__DEFAULT__',
|
'host' => '__DEFAULT__',
|
||||||
'privatekey' => '${config.sops.secrets."idp/privatekey".path}',
|
'privatekey' => '${config.sops.secrets."idp/privatekey".path}',
|
||||||
'certificate' => '${./idp.crt}',
|
'certificate' => '${./idp.crt}',
|
||||||
@ -89,7 +89,7 @@ let
|
|||||||
--replace '$SAML_ADMIN_NAME' '"Drift"' \
|
--replace '$SAML_ADMIN_NAME' '"Drift"' \
|
||||||
--replace '$SAML_ADMIN_EMAIL' '"drift@pvv.ntnu.no"' \
|
--replace '$SAML_ADMIN_EMAIL' '"drift@pvv.ntnu.no"' \
|
||||||
--replace '$SAML_ADMIN_PASSWORD' 'file_get_contents("${config.sops.secrets."idp/admin_password".path}")' \
|
--replace '$SAML_ADMIN_PASSWORD' 'file_get_contents("${config.sops.secrets."idp/admin_password".path}")' \
|
||||||
--replace '$SAML_TRUSTED_DOMAINS' 'array( "idp2.pvv.ntnu.no" )' \
|
--replace '$SAML_TRUSTED_DOMAINS' 'array( "idp.pvv.ntnu.no" )' \
|
||||||
--replace '$SAML_DATABASE_DSN' '"pgsql:host=postgres.pvv.ntnu.no;port=5432;dbname=idp"' \
|
--replace '$SAML_DATABASE_DSN' '"pgsql:host=postgres.pvv.ntnu.no;port=5432;dbname=idp"' \
|
||||||
--replace '$SAML_DATABASE_USERNAME' '"idp"' \
|
--replace '$SAML_DATABASE_USERNAME' '"idp"' \
|
||||||
--replace '$SAML_DATABASE_PASSWORD' 'file_get_contents("${config.sops.secrets."idp/postgres_password".path}")' \
|
--replace '$SAML_DATABASE_PASSWORD' 'file_get_contents("${config.sops.secrets."idp/postgres_password".path}")' \
|
||||||
@ -177,7 +177,7 @@ in
|
|||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
services.nginx.virtualHosts."idp2.pvv.ntnu.no" = {
|
services.nginx.virtualHosts."idp.pvv.ntnu.no" = {
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
enableACME = true;
|
enableACME = true;
|
||||||
kTLS = true;
|
kTLS = true;
|
||||||
|
@ -1,18 +1,18 @@
|
|||||||
''
|
''
|
||||||
<?php
|
<?php
|
||||||
$metadata['https://idp2.pvv.ntnu.no/'] = [
|
$metadata['https://idp.pvv.ntnu.no/'] = [
|
||||||
'metadata-set' => 'saml20-idp-hosted',
|
'metadata-set' => 'saml20-idp-hosted',
|
||||||
'entityid' => 'https://idp2.pvv.ntnu.no/',
|
'entityid' => 'https://idp.pvv.ntnu.no/',
|
||||||
'SingleSignOnService' => [
|
'SingleSignOnService' => [
|
||||||
[
|
[
|
||||||
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
|
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
|
||||||
'Location' => 'https://idp2.pvv.ntnu.no/module.php/saml/idp/singleSignOnService',
|
'Location' => 'https://idp.pvv.ntnu.no/module.php/saml/idp/singleSignOnService',
|
||||||
],
|
],
|
||||||
],
|
],
|
||||||
'SingleLogoutService' => [
|
'SingleLogoutService' => [
|
||||||
[
|
[
|
||||||
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
|
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
|
||||||
'Location' => 'https://idp2.pvv.ntnu.no/module.php/saml/idp/singleLogout',
|
'Location' => 'https://idp.pvv.ntnu.no/module.php/saml/idp/singleLogout',
|
||||||
],
|
],
|
||||||
],
|
],
|
||||||
'NameIDFormat' => [ 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient' ],
|
'NameIDFormat' => [ 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient' ],
|
||||||
|
@ -6,6 +6,6 @@ $config = array(
|
|||||||
'default-sp' => array(
|
'default-sp' => array(
|
||||||
'saml:SP',
|
'saml:SP',
|
||||||
'entityID' => 'https://wiki.pvv.ntnu.no/simplesaml/',
|
'entityID' => 'https://wiki.pvv.ntnu.no/simplesaml/',
|
||||||
'idp' => 'https://idp2.pvv.ntnu.no/',
|
'idp' => 'https://idp.pvv.ntnu.no/',
|
||||||
),
|
),
|
||||||
);
|
);
|
||||||
|
@ -1,8 +1,4 @@
|
|||||||
{ pkgs, config, ... }:
|
{ pkgs, config, ... }:
|
||||||
{
|
{
|
||||||
imports = [
|
|
||||||
./ingress.nix
|
|
||||||
];
|
|
||||||
|
|
||||||
services.nginx.enable = true;
|
services.nginx.enable = true;
|
||||||
}
|
}
|
@ -1,56 +0,0 @@
|
|||||||
{ config, lib, ... }:
|
|
||||||
{
|
|
||||||
services.nginx.virtualHosts = {
|
|
||||||
"pvv.ntnu.no" = {
|
|
||||||
serverAliases = [ "pvv.org" ];
|
|
||||||
addSSL = true;
|
|
||||||
enableACME = true;
|
|
||||||
kTLS = true;
|
|
||||||
|
|
||||||
locations = {
|
|
||||||
# Proxy home directories
|
|
||||||
"/~" = {
|
|
||||||
extraConfig = ''
|
|
||||||
proxy_redirect off;
|
|
||||||
proxy_pass https://tom.pvv.ntnu.no;
|
|
||||||
proxy_set_header Host $host;
|
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
|
|
||||||
# Redirect old wiki entries
|
|
||||||
"/disk".return = "301 https://www.pvv.ntnu.no/pvv/Diskkjøp";
|
|
||||||
"/dok/boker.php".return = "301 https://www.pvv.ntnu.no/pvv/Bokhyllen";
|
|
||||||
"/styret/lover/".return = "301 https://www.pvv.ntnu.no/pvv/Lover";
|
|
||||||
"/styret/".return = "301 https://www.pvv.ntnu.no/pvv/Styret";
|
|
||||||
"/info/".return = "301 https://www.pvv.ntnu.no/pvv/";
|
|
||||||
"/info/maskinpark/".return = "301 https://www.pvv.ntnu.no/pvv/Maskiner";
|
|
||||||
"/medlemssider/meldinn.php".return = "301 https://www.pvv.ntnu.no/pvv/Medlemskontingent";
|
|
||||||
"/diverse/medlems-sider.php".return = "301 https://www.pvv.ntnu.no/pvv/Medlemssider";
|
|
||||||
"/cert/".return = "301 https://www.pvv.ntnu.no/pvv/CERT";
|
|
||||||
"/drift".return = "301 https://www.pvv.ntnu.no/pvv/Drift";
|
|
||||||
"/diverse/abuse.php".return = "301 https://www.pvv.ntnu.no/pvv/CERT/Abuse";
|
|
||||||
"/nerds/".return = "301 https://www.pvv.ntnu.no/pvv/Nerdepizza";
|
|
||||||
|
|
||||||
# TODO: Redirect webmail
|
|
||||||
"/webmail".return = "301 https://webmail.pvv.ntnu.no/squirrelmail";
|
|
||||||
|
|
||||||
# Redirect everything else to the main website
|
|
||||||
"/".return = "301 https://www.pvv.ntnu.no$request_uri";
|
|
||||||
|
|
||||||
# Proxy the matrix well-known files
|
|
||||||
# Host has be set before proxy_pass
|
|
||||||
# The header must be set so nginx on the other side routes it to the right place
|
|
||||||
"/.well-known/matrix/" = {
|
|
||||||
extraConfig = ''
|
|
||||||
proxy_set_header Host matrix.pvv.ntnu.no;
|
|
||||||
proxy_pass https://matrix.pvv.ntnu.no/.well-known/matrix/;
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
}
|
|
||||||
|
|
@ -4,12 +4,12 @@
|
|||||||
./roundcube.nix
|
./roundcube.nix
|
||||||
];
|
];
|
||||||
|
|
||||||
services.nginx.virtualHosts."webmail2.pvv.ntnu.no" = {
|
services.nginx.virtualHosts."webmail.pvv.ntnu.no" = {
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
enableACME = true;
|
enableACME = true;
|
||||||
kTLS = true;
|
kTLS = true;
|
||||||
locations."= /" = {
|
locations."= /" = {
|
||||||
return = "301 https://www.pvv.ntnu.no/mail/";
|
return = "302 https://webmail.pvv.ntnu.no/roundcube";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
@ -3,7 +3,7 @@
|
|||||||
with lib;
|
with lib;
|
||||||
let
|
let
|
||||||
cfg = config.services.roundcube;
|
cfg = config.services.roundcube;
|
||||||
domain = "webmail2.pvv.ntnu.no";
|
domain = "webmail.pvv.ntnu.no";
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
services.roundcube = {
|
services.roundcube = {
|
||||||
|
@ -35,14 +35,14 @@ in {
|
|||||||
'default-sp' => array(
|
'default-sp' => array(
|
||||||
'saml:SP',
|
'saml:SP',
|
||||||
'entityID' => 'https://${cfg.domainName}/simplesaml/',
|
'entityID' => 'https://${cfg.domainName}/simplesaml/',
|
||||||
'idp' => 'https://idp2.pvv.ntnu.no/',
|
'idp' => 'https://idp.pvv.ntnu.no/',
|
||||||
),
|
),
|
||||||
);
|
);
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
domainName = "www2.pvv.ntnu.no";
|
domainName = "www.pvv.ntnu.no";
|
||||||
|
|
||||||
settings = let
|
settings = let
|
||||||
includeFromSops = path: format.lib.mkRaw "file_get_contents('${config.sops.secrets."nettsiden/${path}".path}')";
|
includeFromSops = path: format.lib.mkRaw "file_get_contents('${config.sops.secrets."nettsiden/${path}".path}')";
|
||||||
@ -72,4 +72,55 @@ in {
|
|||||||
"php_admin_flag[log_errors]" = true;
|
"php_admin_flag[log_errors]" = true;
|
||||||
"catch_workers_output" = true;
|
"catch_workers_output" = true;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
services.nginx.virtualHosts.${cfg.domainName} = {
|
||||||
|
serverAliases = [
|
||||||
|
"pvv.ntnu.no"
|
||||||
|
"www.pvv.ntnu.org"
|
||||||
|
"pvv.org"
|
||||||
|
];
|
||||||
|
|
||||||
|
locations = {
|
||||||
|
# Proxy home directories
|
||||||
|
"/~" = {
|
||||||
|
extraConfig = ''
|
||||||
|
proxy_redirect off;
|
||||||
|
proxy_pass https://tom.pvv.ntnu.no;
|
||||||
|
proxy_set_header Host $host;
|
||||||
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
|
# Redirect the old webmail/wiki paths from spikkjeposche
|
||||||
|
"/webmail".return = "301 https://webmail.pvv.ntnu.no";
|
||||||
|
"~ /pvv/([^\\n\\r]*)".return = "301 https://wiki.pvv.ntnu.no/wiki/$1";
|
||||||
|
"= /pvv".return = "301 https://wiki.pvv.ntnu.no/";
|
||||||
|
|
||||||
|
# Redirect old wiki entries
|
||||||
|
"/disk".return = "301 https://wiki.pvv.ntnu.no/wiki/Diskkjøp";
|
||||||
|
"/dok/boker.php".return = "301 https://wiki.pvv.ntnu.no/wiki/Bokhyllen";
|
||||||
|
"/styret/lover/".return = "301 https://wiki.pvv.ntnu.no/wiki/Lover";
|
||||||
|
"/styret/".return = "301 https://wiki.pvv.ntnu.no/wiki/Styret";
|
||||||
|
"/info/".return = "301 https://wiki.pvv.ntnu.no/wiki/";
|
||||||
|
"/info/maskinpark/".return = "301 https://wiki.pvv.ntnu.no/wiki/Maskiner";
|
||||||
|
"/medlemssider/meldinn.php".return = "301 https://wiki.pvv.ntnu.no/wiki/Medlemskontingent";
|
||||||
|
"/diverse/medlems-sider.php".return = "301 https://wiki.pvv.ntnu.no/wiki/Medlemssider";
|
||||||
|
"/cert/".return = "301 https://wiki.pvv.ntnu.no/wiki/CERT";
|
||||||
|
"/drift".return = "301 https://wiki.pvv.ntnu.no/wiki/Drift";
|
||||||
|
"/diverse/abuse.php".return = "301 https://wiki.pvv.ntnu.no/wiki/CERT/Abuse";
|
||||||
|
"/nerds/".return = "301 https://wiki.pvv.ntnu.no/wiki/Nerdepizza";
|
||||||
|
|
||||||
|
# Proxy the matrix well-known files
|
||||||
|
# Host has be set before proxy_pass
|
||||||
|
# The header must be set so nginx on the other side routes it to the right place
|
||||||
|
"/.well-known/matrix/" = {
|
||||||
|
extraConfig = ''
|
||||||
|
proxy_set_header Host matrix.pvv.ntnu.no;
|
||||||
|
proxy_pass https://matrix.pvv.ntnu.no/.well-known/matrix/;
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
}
|
}
|
||||||
|
Loading…
Reference in New Issue
Block a user