
3 Commits

Oystein Kristoffer Tveit fda9cc2795 rebase mediawiki
2024-03-30 05:12:33 +01:00
Oystein Kristoffer Tveit 1b4eb641e6 rebase package 2024-03-30 05:07:54 +01:00
Oystein Kristoffer Tveit aafda754a4 rebase idp 2024-03-30 05:07:25 +01:00
13 changed files with 386 additions and 279 deletions


@ -6,110 +6,129 @@
* @author Yorn de Jong * @author Yorn de Jong
* @package simpleSAMLphp * @package simpleSAMLphp
*/ */
class sspmod_authpwauth_Auth_Source_PwAuth extends sspmod_core_Auth_UserPassBase {
protected $pwauth_bin_path; namespace SimpleSAML\Module\authpwauth\Auth\Source;
protected $mail_domain;
public function __construct($info, $config) { class PwAuth extends \SimpleSAML\Module\core\Auth\UserPassBase
assert('is_array($info)'); {
assert('is_array($config)'); protected $pwauth_bin_path;
protected $mail_domain;
/* Call the parent constructor first, as required by the interface. */ public function __construct(array $info, array &$config) {
parent::__construct($info, $config); assert('is_array($info)');
assert('is_array($config)');
$this->pwauth_bin_path = $config['pwauth_bin_path']; /* Call the parent constructor first, as required by the interface. */
if (array_key_exists('mail_domain', $config)) { parent::__construct($info, $config);
$this->mail_domain = '@' . ltrim($config['mail_domain'], '@');
}
}
public function login($username, $password) { $this->pwauth_bin_path = $config['pwauth_bin_path'];
$username = strtolower( $username ); if (array_key_exists('mail_domain', $config)) {
$this->mail_domain = '@' . ltrim($config['mail_domain'], '@');
}
}
$handle = popen($this->pwauth_bin_path, 'w'); public function login(string $username, string $password): array {
if ($handle === FALSE) { $username = strtolower( $username );
die("Error opening pipe to pwauth");
return false;
}
$data = "$username\n$password\n"; if (!file_exists($this->pwauth_bin_path)) {
if (fwrite($handle, $data) !== strlen($data)) { die("Could not find pwauth binary");
die("Error writing to pwauth pipe"); return false;
return false; }
}
# Is the password valid? if (!is_executable($this->pwauth_bin_path)) {
$result = pclose( $handle ); die("pwauth binary is not executable");
if ($result !== 0) { return false;
if (!in_array($result, [1, 2, 3, 4, 5, 6, 7], true)) { }
die("pwauth returned $result for username $username");
}
throw new SimpleSAML_Error_Error('WRONGUSERPASS');
}
/*
$ldap = ldap_connect('129.241.210.159', 389);
ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_start_tls($ldap);
ldap_bind($ldap, 'passordendrer@pvv.ntnu.no', 'Oi7aekoh');
$search = ldap_search($ldap, 'DC=pvv,DC=ntnu,DC=no', '(sAMAccountName='.ldap_escape($username, '', LDAP_ESCAPE_FILTER).')');
$entry = ldap_first_entry($ldap, $search);
$dn = ldap_get_dn($ldap, $entry);
$newpassword = mb_convert_encoding("\"$password\"", 'UTF-16LE', 'UTF-8');
ldap_modify_batch($ldap, $dn, [
#[
# 'modtype' => LDAP_MODIFY_BATCH_REMOVE,
# 'attrib' => 'unicodePwd',
# 'values' => [$password],
#],
[
#'modtype' => LDAP_MODIFY_BATCH_ADD,
'modtype' => LDAP_MODIFY_BATCH_REPLACE,
'attrib' => 'unicodePwd',
'values' => [$newpassword],
],
]);
*/
#0 - Login OK. $handle = popen($this->pwauth_bin_path, 'w');
#1 - Nonexistant login or (for some configurations) incorrect password. if ($handle === FALSE) {
#2 - Incorrect password (for some configurations). die("Error opening pipe to pwauth");
#3 - Uid number is below MIN_UNIX_UID value configured in config.h. return false;
#4 - Login ID has expired. }
#5 - Login's password has expired.
#6 - Logins to system have been turned off (usually by /etc/nologin file). $data = "$username\n$password\n";
#7 - Limit on number of bad logins exceeded. if (fwrite($handle, $data) !== strlen($data)) {
#50 - pwauth was not run with real uid SERVER_UID. If you get this die("Error writing to pwauth pipe");
# this error code, you probably have SERVER_UID set incorrectly return false;
# in pwauth's config.h file. }
#51 - pwauth was not given a login & password to check. The means
# the passing of data from mod_auth_external to pwauth is messed # Is the password valid?
# up. Most likely one is trying to pass data via environment $result = pclose( $handle );
# variables, while the other is trying to pass data via a pipe. if ($result !== 0) {
#52 - one of several possible internal errors occured. if (!in_array($result, [1, 2, 3, 4, 5, 6, 7], true)) {
die("pwauth returned $result for username $username");
}
throw new \SimpleSAML\Error\Error('WRONGUSERPASS');
}
/*
$ldap = ldap_connect('129.241.210.159', 389);
ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_start_tls($ldap);
ldap_bind($ldap, 'passordendrer@pvv.ntnu.no', 'Oi7aekoh');
$search = ldap_search($ldap, 'DC=pvv,DC=ntnu,DC=no', '(sAMAccountName='.ldap_escape($username, '', LDAP_ESCAPE_FILTER).')');
$entry = ldap_first_entry($ldap, $search);
$dn = ldap_get_dn($ldap, $entry);
$newpassword = mb_convert_encoding("\"$password\"", 'UTF-16LE', 'UTF-8');
ldap_modify_batch($ldap, $dn, [
#[
# 'modtype' => LDAP_MODIFY_BATCH_REMOVE,
# 'attrib' => 'unicodePwd',
# 'values' => [$password],
#],
[
#'modtype' => LDAP_MODIFY_BATCH_ADD,
'modtype' => LDAP_MODIFY_BATCH_REPLACE,
'attrib' => 'unicodePwd',
'values' => [$newpassword],
],
]);
*/
#0 - Login OK.
#1 - Nonexistant login or (for some configurations) incorrect password.
#2 - Incorrect password (for some configurations).
#3 - Uid number is below MIN_UNIX_UID value configured in config.h.
#4 - Login ID has expired.
#5 - Login's password has expired.
#6 - Logins to system have been turned off (usually by /etc/nologin file).
#7 - Limit on number of bad logins exceeded.
#50 - pwauth was not run with real uid SERVER_UID. If you get this
# this error code, you probably have SERVER_UID set incorrectly
# in pwauth's config.h file.
#51 - pwauth was not given a login & password to check. The means
# the passing of data from mod_auth_external to pwauth is messed
# up. Most likely one is trying to pass data via environment
# variables, while the other is trying to pass data via a pipe.
#52 - one of several possible internal errors occured.
$uid = $username; $uid = $username;
$cn = trim(shell_exec('getent passwd '.escapeshellarg($uid).' | cut -d: -f5 | cut -d, -f1')); # TODO: Reinstate this code once passwd is working...
/*
$cn = trim(shell_exec('getent passwd '.escapeshellarg($uid).' | cut -d: -f5 | cut -d, -f1'));
$groups = preg_split('_\\s_', shell_exec('groups '.escapeshellarg($uid))); $groups = preg_split('_\\s_', shell_exec('groups '.escapeshellarg($uid)));
array_shift($groups); array_shift($groups);
array_shift($groups); array_shift($groups);
array_pop($groups); array_pop($groups);
$info = posix_getpwnam($uid);
$group = $info['gid'];
if (!in_array($group, $groups)) {
$groups[] = $group;
}
*/
$cn = "Unknown McUnknown";
$groups = array();
$info = posix_getpwnam($uid); $result = array(
$group = $info['gid']; 'uid' => array($uid),
if (!in_array($group, $groups)) { 'cn' => array($cn),
$groups[] = $group; 'group' => $groups,
} );
$result = array( if (isset($this->mail_domain)) {
'uid' => array($uid), $result['mail'] = array($uid.$this->mail_domain);
'cn' => array($cn), }
'group' => $groups, return $result;
); }
if (isset($this->mail_domain)) {
$result['mail'] = array($uid.$this->mail_domain);
}
return $result;
}
} }
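Review bot: Each failure path in `login()` still calls `die()` with a raw message followed by an unreachable `return false;`, which under the new `: array` return type would be a TypeError if it were ever reached; `die()` also writes the text (including `$username` and the pwauth exit code in the `pwauth returned $result for username $username` branch) straight into the HTTP response and bypasses SimpleSAMLphp's error page and logging. Replace each pair with `throw new \SimpleSAML\Error\Exception('Error opening pipe to pwauth');` (and likewise for the other three), keeping the detailed text for the log and the generic `WRONGUSERPASS` error for the user. Since `$username` and `$password` are written into a line-oriented protocol, rejecting values containing `"\n"` before the `fwrite` would keep a stray newline from being read as the next field. Unrelated to the rebase but worth fixing while here: the commented-out LDAP block in the middle of the method carries a literal bind password for the `passordendrer` account, and a commented credential is still a credential in repository history, so the block should be removed and the credential rotated. The `assert('is_array($info)')` string assertions are no-ops in PHP 8 and redundant now that the constructor is typed `array $info, array &$config`.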


@ -1,11 +0,0 @@
<?php
$config = array(
/* This is the name of this authentication source, and will be used to access it later. */
'default-sp' => array(
'saml:SP',
# 'entityID' => 'https://wiki.pvv.ntnu.no/',
'entityID' => 'https://bekkalokk.pvv.ntnu.no/',
'idp' => 'https://idp.pvv.ntnu.no/',
),
);


@ -31,7 +31,7 @@ $config = [
* external url, no matter where you come from (direct access or via the * external url, no matter where you come from (direct access or via the
* reverse proxy). * reverse proxy).
*/ */
'baseurlpath' => 'simplesaml/', 'baseurlpath' => '/',
/* /*
* The 'application' configuration array groups a set configuration options * The 'application' configuration array groups a set configuration options
@ -66,7 +66,7 @@ $config = [
* When specified as a relative path, this is relative to the SimpleSAMLphp * When specified as a relative path, this is relative to the SimpleSAMLphp
* root directory. * root directory.
*/ */
'cachedir' => '/var/cache/mediawiki/simplesamlphp', 'cachedir' => '$CACHE_DIRECTORY',
//'loggingdir' => '/var/log/', //'loggingdir' => '/var/log/',
//'datadir' => '/var/data/', //'datadir' => '/var/data/',
@ -532,7 +532,7 @@ $config = [
* one of the functionalities below, but in some cases you could run multiple functionalities. * one of the functionalities below, but in some cases you could run multiple functionalities.
* In example when you are setting up a federation bridge. * In example when you are setting up a federation bridge.
*/ */
'enable.saml20-idp' => false, 'enable.saml20-idp' => true,
'enable.adfs-idp' => false, 'enable.adfs-idp' => false,
@ -555,6 +555,7 @@ $config = [
'module.enable' => [ 'module.enable' => [
'admin' => true, 'admin' => true,
'authpwauth' => true,
], ],
@ -1194,7 +1195,7 @@ $config = [
* See http://www.php.net/manual/en/pdo.drivers.php for the various * See http://www.php.net/manual/en/pdo.drivers.php for the various
* syntaxes. * syntaxes.
*/ */
'store.sql.dsn' => 'sqlite:/var/lib/mediawiki/simplesamlphp.sqlite3', 'store.sql.dsn' => 'sqlite:$STATE_DIRECTORY/simplesamlphp.sqlite3',
/* /*
* The username and password to use when connecting to the database. * The username and password to use when connecting to the database.


@ -2,6 +2,7 @@
let let
pwAuthScript = pkgs.writeShellApplication { pwAuthScript = pkgs.writeShellApplication {
name = "pwauth"; name = "pwauth";
runtimeInputs = with pkgs; [ coreutils heimdal ];
text = '' text = ''
read -r user1 read -r user1
user2="$(echo -n "$user1" | tr -c -d '0123456789abcdefghijklmnopqrstuvwxyz')" user2="$(echo -n "$user1" | tr -c -d '0123456789abcdefghijklmnopqrstuvwxyz')"
@ -10,86 +11,181 @@ let
read -r _ read -r _
exit 2 exit 2
fi fi
${pkgs.heimdal}/bin/kinit --password-file=STDIN "''${user1}@PVV.NTNU.NO" >/dev/null 2>/dev/null # kinit --password-file=STDIN "''${user1}@PVV.NTNU.NO" >/dev/null 2>/dev/null
kinit --password-file=STDIN "''${user1}@PVV.NTNU.NO"
''; '';
}; };
package = (pkgs.simplesamlphp.override { package = pkgs.simplesamlphp.override {
authsourcesFile = pkgs.writeText "idp-authsources.php" '' extra_files = {
<?php # NOTE: Using self signed certificate created 30. march 2024, with command:
$config = array( # openssl req -newkey rsa:4096 -new -x509 -days 365 -nodes -out idp.crt -keyout idp.pem
'pwauth' => array( "metadata/saml20-idp-hosted.php" = pkgs.writeText "saml20-idp-remote.php" ''
'authpwauth:PwAuth', <?php
'pwauth_bin_path' => '${pwAuthScript}/bin/pwauth', $metadata['https://idp2.pvv.ntnu.no/'] = array(
'mail_domain' => '@pvv.ntnu.no', 'host' => '__DEFAULT__',
), 'privatekey' => '${config.sops.secrets."idp/privatekey".path}',
); 'certificate' => '${./idp.crt}',
''; 'auth' => 'pwauth',
saml20-idp-remoteFile = pkgs.writeText "saml20-idp-remote.php" ''''; );
configFile = pkgs.runCommandLocal "simplesamlphp-config.php" { } '' ?>
cp ${./config.php} "$out" '';
substituteInPlace "$out" \ "metadata/saml20-sp-remote.php" = pkgs.writeText "saml20-sp-remote.php" ''
--replace '$SAML_COOKIE_SECURE' 'true' \ <?php
--replace '$SAML_COOKIE_SALT' '"asdfasdfasjdf"' \ ${ lib.pipe config.services.idp.sp-remote-metadata [
--replace '$SAML_ADMIN_PASSWORD' '"asdfasdfasdf"' \ (map (url: ''
--replace '$SAML_TRUSTED_DOMAINS' 'array( "idp2.pvv.ntnu.no" )' $metadata['${url}'] = [
''; 'SingleLogoutService' => [
}).overrideAttrs (prev: { [
postInstall = prev.postInstall + '' 'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
install -Dm444 "${./authpwauth.php}" $out/share/php/simplesamlphp/modules/authpwauth/lib/Auth/Source/PwAuth.php 'Location' => '${url}module.php/saml/sp/saml2-logout.php/default-sp',
''; ],
}); [
in 'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:SOAP',
{ 'Location' => '${url}module.php/saml/sp/saml2-logout.php/default-sp',
users.groups."idp" = { }; ],
users.users."idp" = { ],
description = "PVV Identity Provider Service User"; 'AssertionConsumerService' => [
group = "idp"; [
createHome = false; 'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
isSystemUser = true; 'Location' => '${url}module.php/saml/sp/saml2-acs.php/default-sp',
}; 'index' => 0,
],
[
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact',
'Location' => '${url}module.php/saml/sp/saml2-acs.php/default-sp',
'index' => 1,
],
],
];
''))
(lib.concatStringsSep "\n")
]}
?>
'';
services.phpfpm.pools.idp = { "config/authsources.php" = pkgs.writeText "idp-authsources.php" ''
user = "idp"; <?php
group = "idp"; $config = array(
settings = let 'admin' => array(
listenUser = config.services.nginx.user; 'core:AdminPassword'
listenGroup = config.services.nginx.group; ),
in { 'pwauth' => array(
"pm" = "dynamic"; 'authpwauth:PwAuth',
"pm.max_children" = 32; 'pwauth_bin_path' => '${lib.getExe pwAuthScript}',
"pm.max_requests" = 500; 'mail_domain' => '@pvv.ntnu.no',
"pm.start_servers" = 2; ),
"pm.min_spare_servers" = 2; );
"pm.max_spare_servers" = 4; ?>
"listen.owner" = listenUser; '';
"listen.group" = listenGroup;
"catch_workers_output" = true; "config/config.php" = pkgs.runCommandLocal "simplesamlphp-config.php" { } ''
"php_admin_flag[log_errors]" = true; cp ${./config.php} "$out"
# "php_admin_value[error_log]" = "stderr";
substituteInPlace "$out" \
--replace '$SAML_COOKIE_SECURE' 'true' \
--replace '$SAML_COOKIE_SALT' '"asdfasdfasjdf"' \
--replace '$SAML_ADMIN_PASSWORD' '"asdfasdfasdf"' \
--replace '$SAML_TRUSTED_DOMAINS' 'array( "idp2.pvv.ntnu.no" )' \
--replace '$STATE_DIRECTORY' '/var/lib/idp' \
--replace '$CACHE_DIRECTORY' '/var/cache/idp'
'';
"modules/authpwauth/src/Auth/Source/PwAuth.php" = ./authpwauth.php;
}; };
}; };
in
{
options.services.idp.sp-remote-metadata = lib.mkOption {
type = with lib.types; listOf str;
default = [ ];
description = ''
List of urls point to (simplesamlphp) service profiders, which the idp should trust.
services.nginx.virtualHosts."idp2.pvv.ntnu.no" = { :::{.note}
forceSSL = true; Make sure the url ends with a `/`
enableACME = true; :::
root = "${package}/share/php/simplesamlphp/public"; '';
locations = { };
"/".index = "index.php";
# fastcgi_split_path_info ^(.+\.php)(/.+)$; config = {
"~ /(.+\\.php)" = { sops.secrets = {
extraConfig = '' "idp/certificate" = {
fastcgi_index index.php; owner = "idp";
fastcgi_pass unix:${config.services.phpfpm.pools.idp.socket}; group = "idp";
include ${pkgs.nginx}/conf/fastcgi_params; mode = "0770";
include ${pkgs.nginx}/conf/fastcgi.conf; };
"idp/privatekey" = {
owner = "idp";
group = "idp";
mode = "0770";
};
};
fastcgi_param SCRIPT_FILENAME ${package}/share/php/simplesamlphp/public/$request_filename; users.groups."idp" = { };
fastcgi_param SCRIPT_NAME $request_filename; users.users."idp" = {
''; description = "PVV Identity Provider Service User";
group = "idp";
createHome = false;
isSystemUser = true;
};
systemd.tmpfiles.settings."10-idp" = {
"/var/cache/idp".d = {
user = "idp";
group = "idp";
mode = "0770";
};
"/var/lib/idp".d = {
user = "idp";
group = "idp";
mode = "0770";
};
};
services.phpfpm.pools.idp = {
user = "idp";
group = "idp";
settings = let
listenUser = config.services.nginx.user;
listenGroup = config.services.nginx.group;
in {
"pm" = "dynamic";
"pm.max_children" = 32;
"pm.max_requests" = 500;
"pm.start_servers" = 2;
"pm.min_spare_servers" = 2;
"pm.max_spare_servers" = 4;
"listen.owner" = listenUser;
"listen.group" = listenGroup;
"catch_workers_output" = true;
"php_admin_flag[log_errors]" = true;
# "php_admin_value[error_log]" = "stderr";
};
};
services.nginx.virtualHosts."idp2.pvv.ntnu.no" = {
forceSSL = true;
enableACME = true;
root = "${package}/share/php/simplesamlphp/public";
locations = {
# based on https://simplesamlphp.org/docs/stable/simplesamlphp-install.html#configuring-nginx
"/" = {
alias = "${package}/share/php/simplesamlphp/public/";
index = "index.php";
extraConfig = ''
location ~ ^/(?<phpfile>.+?\.php)(?<pathinfo>/.*)?$ {
include ${pkgs.nginx}/conf/fastcgi_params;
fastcgi_pass unix:${config.services.phpfpm.pools.idp.socket};
fastcgi_param SCRIPT_FILENAME ${package}/share/php/simplesamlphp/public/$phpfile;
fastcgi_param SCRIPT_NAME /$phpfile;
fastcgi_param PATH_INFO $pathinfo if_not_empty;
}
'';
};
}; };
}; };
}; };
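Review bot: Both new `sops.secrets` entries are declared with `mode = "0770"`, which leaves the IdP private key group-writable (and executable); the phpfpm pool only needs to read it, so `mode = "0440";` with the existing `owner`/`group` is sufficient for `idp/privatekey` and `idp/certificate`. In the same section the `config/config.php` derivation still substitutes `$SAML_ADMIN_PASSWORD` and `$SAML_COOKIE_SALT` with literal placeholder strings at build time, which puts them in the world-readable Nix store — and the `admin` authsource (`core:AdminPassword`) is now enabled in `config/authsources.php`, so that password is live; these two values belong in sops alongside the key and should be read at runtime, and the mediawiki module's config derivation has the same issue. `substituteInPlace --replace` is silent when a placeholder is absent, so a missing or renamed `$STATE_DIRECTORY`/`$CACHE_DIRECTORY` would ship as a literal path; `--replace-fail` turns that into a build error. Finally, the `kinit` line in `pwAuthScript` no longer redirects its output to `/dev/null`, so kinit's messages now land in the php-fpm worker log; if that is intentional for debugging, a comment saying so would stop the next reader from restoring the redirect.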


@ -0,0 +1,33 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----


@ -0,0 +1,22 @@
''
<?php
$metadata['https://idp2.pvv.ntnu.no/'] = [
'metadata-set' => 'saml20-idp-hosted',
'entityid' => 'https://idp2.pvv.ntnu.no/',
'SingleSignOnService' => [
[
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
'Location' => 'https://idp2.pvv.ntnu.no/module.php/saml/idp/singleSignOnService',
],
],
'SingleLogoutService' => [
[
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
'Location' => 'https://idp2.pvv.ntnu.no/module.php/saml/idp/singleLogout',
],
],
'NameIDFormat' => [ 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient' ],
'certificate' => '${./idp.crt}',
];
?>
''
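Review bot: `'metadata-set' => 'saml20-idp-hosted'` does not match how this file is used: the mediawiki module installs it as `metadata/saml20-idp-remote.php`, and the file it replaces declared `'metadata-set' => 'saml20-idp-remote'`. The flat-file loader probably keys on the file name rather than this value, so it may be harmless, but it is misleading to whoever reads the SP's metadata next; `'metadata-set' => 'saml20-idp-remote',` keeps the old semantics. A short comment at the top of the Nix string saying this is the SP-side (remote) view of the idp2 IdP, shared by importing `metadata.php.nix`, would also help.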


@ -1,23 +0,0 @@
<?php
$metadata['https://idp.pvv.ntnu.no/'] = array (
'metadata-set' => 'saml20-idp-remote',
'entityid' => 'https://idp.pvv.ntnu.no/',
'SingleSignOnService' =>
array (
0 =>
array (
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
'Location' => 'https://idp.pvv.ntnu.no/simplesaml/saml2/idp/SSOService.php',
),
),
'SingleLogoutService' =>
array (
0 =>
array (
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
'Location' => 'https://idp.pvv.ntnu.no/simplesaml/saml2/idp/SingleLogoutService.php',
),
),
'certData' => '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',
'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient',
);


@ -8,19 +8,27 @@
group = config.users.users.${user}.group; group = config.users.users.${user}.group;
simplesamlphp = pkgs.simplesamlphp.override { simplesamlphp = pkgs.simplesamlphp.override {
authsourcesFile = ./simplesamlphp/authsources.php; extra_files = {
saml20-idp-remoteFile = ./simplesamlphp/saml20-idp-remote.php; "metadata/saml20-idp-remote.php" = pkgs.writeText "mediawiki-saml20-idp-remote.php" (import ../idp-simplesamlphp/metadata.php.nix);
configFile = pkgs.runCommandLocal "mediawiki-simplesamlphp-config.php" { } ''
cp ${./simplesamlphp/config.php} "$out"
substituteInPlace "$out" \ "config/authsources.php" = ./simplesaml-authsources.php;
--replace '$SAML_COOKIE_SECURE' 'true' \
--replace '$SAML_COOKIE_SALT' '"asdfasdfasjdf"' \ "config/config.php" = pkgs.runCommandLocal "mediawiki-simplesamlphp-config.php" { } ''
--replace '$SAML_ADMIN_PASSWORD' '"asdfasdfasdf"' \ cp ${./simplesaml-config.php} "$out"
--replace '$SAML_TRUSTED_DOMAINS' 'array( "wiki2.pvv.ntnu.no" )'
''; substituteInPlace "$out" \
--replace '$SAML_COOKIE_SECURE' 'true' \
--replace '$SAML_COOKIE_SALT' '"asdfasdfasjdf"' \
--replace '$SAML_ADMIN_PASSWORD' '"asdfasdfasdf"' \
--replace '$SAML_TRUSTED_DOMAINS' 'array( "wiki2.pvv.ntnu.no" )' \
--replace '$STATE_DIRECTORY' '/var/lib/mediawiki' \
--replace '$CACHE_DIRECTORY' '/var/cache/mediawiki/idp'
'';
};
}; };
in { in {
services.idp.sp-remote-metadata = [ "https://wiki2.pvv.ntnu.no/simplesaml/" ];
sops.secrets = { sops.secrets = {
"mediawiki/password" = { "mediawiki/password" = {
restartUnits = [ "mediawiki-init.service" "phpfpm-mediawiki.service" ]; restartUnits = [ "mediawiki-init.service" "phpfpm-mediawiki.service" ];
@ -65,7 +73,6 @@ in {
"pm.max_spare_servers" = 4; "pm.max_spare_servers" = 4;
"listen.owner" = listenUser; "listen.owner" = listenUser;
"listen.group" = listenGroup; "listen.group" = listenGroup;
"env[PATH]" = lib.makeBinPath [ pkgs.php ];
"catch_workers_output" = true; "catch_workers_output" = true;
"php_admin_flag[log_errors]" = true; "php_admin_flag[log_errors]" = true;
@ -95,7 +102,10 @@ in {
$wgGroupPermissions['*']['edit'] = false; $wgGroupPermissions['*']['edit'] = false;
# Styling # Styling
$wgLogo = "/PNG/PVV-logo.png"; $wgLogos = array(
"2x" => "/PNG/PVV-logo.png",
"svg" => "/PNG/PVV-logo.svg",
);
$wgDefaultSkin = "monobook"; $wgDefaultSkin = "monobook";
# Misc # Misc
@ -106,15 +116,13 @@ in {
# SimpleSAML # SimpleSAML
$wgSimpleSAMLphp_InstallDir = "${simplesamlphp}/share/php/simplesamlphp/"; $wgSimpleSAMLphp_InstallDir = "${simplesamlphp}/share/php/simplesamlphp/";
$wgSimpleSAMLphp_AuthSourceId = "default-sp";
$wgSimpleSAMLphp_RealNameAttribute = "cn";
$wgSimpleSAMLphp_EmailAttribute = "mail";
$wgSimpleSAMLphp_UsernameAttribute = "uid";
$wgPluggableAuth_Config['Log in using my SAML'] = [ $wgPluggableAuth_Config['Log in using my SAML'] = [
'plugin' => 'SimpleSAMLphp', 'plugin' => 'SimpleSAMLphp',
'data' => [ 'data' => [
'authSourceId' => 'default-sp', 'authSourceId' => 'default-sp',
'usernameAttribute' => 'uid',
'emailAttribute' => 'mail',
'realNameAttribute' => 'cn',
] ]
]; ];
@ -123,13 +131,9 @@ in {
''; '';
}; };
# 'usernameAttribute' => 'username',
# 'realNameAttribute' => 'name',
# 'emailAttribute' => 'email'
# Cache directory for simplesamlphp # Cache directory for simplesamlphp
# systemd.services.phpfpm-mediawiki.serviceConfig.CacheDirectory = "mediawiki/simplesamlphp"; # systemd.services.phpfpm-mediawiki.serviceConfig.CacheDirectory = "mediawiki/simplesamlphp";
systemd.tmpfiles.settings."10-mediawiki"."/var/cache/mediawiki/simplesamlphp/core".d = { systemd.tmpfiles.settings."10-mediawiki"."/var/cache/mediawiki/simplesamlphp".d = {
user = "mediawiki"; user = "mediawiki";
group = "mediawiki"; group = "mediawiki";
mode = "0770"; mode = "0770";
@ -207,18 +211,7 @@ in {
"/images".root = config.services.mediawiki.uploadsDir; "/images".root = config.services.mediawiki.uploadsDir;
"= /PNG/PVV-logo.png".alias = ../../../../assets/logo_blue_regular.png; "= /PNG/PVV-logo.png".alias = ../../../../assets/logo_blue_regular.png;
"= /PNG/PVV-logo.svg".alias = ../../../../assets/logo_blue_regular.svg;
# Redirects from gitea
"/Projects".return = "301 $scheme://git.pvv.ntnu.no$request_uri";
"^~ /Projects/(.+\\.php)".return = "301 $scheme://git.pvv.ntnu.no$request_uri";
"/oysteikt".return = "301 $scheme://git.pvv.ntnu.no$request_uri";
"/Drift".return = "301 $scheme://git.pvv.ntnu.no$request_uri";
"/felixalb".return = "301 $scheme://git.pvv.ntnu.no$request_uri";
"/adriangl".return = "301 $scheme://git.pvv.ntnu.no$request_uri";
"/danio".return = "301 $scheme://git.pvv.ntnu.no$request_uri";
"/pederbs".return = "301 $scheme://git.pvv.ntnu.no$request_uri";
"/jonmro".return = "301 $scheme://git.pvv.ntnu.no$request_uri";
"/explore".return = "301 $scheme://git.pvv.ntnu.no$request_uri";
}; };
}; };
} }
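Review bot: The mediawiki `config/config.php` derivation in the first hunk substitutes `$CACHE_DIRECTORY` with `/var/cache/mediawiki/idp`, but the tmpfiles rule in the fourth hunk creates `/var/cache/mediawiki/simplesamlphp`, so the directory SimpleSAMLphp actually writes its cache to is never created with the intended owner and mode. One of the two paths should change; `--replace '$CACHE_DIRECTORY' '/var/cache/mediawiki/simplesamlphp'` is the smaller edit and matches the directory the old config used. The removal of `"env[PATH]" = lib.makeBinPath [ pkgs.php ];` from the pool settings in the second hunk is not explained by the rebase; if nothing in the pool shells out to `php` any more that is fine, but it deserves a line in the commit message. The `let` binding block that the first hunk edits begins before the hunk.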


@ -0,0 +1,12 @@
<?php
$config = array(
'admin' => array(
'core:AdminPassword'
),
'default-sp' => array(
'saml:SP',
'entityID' => 'https://wiki2.pvv.ntnu.no/simplesaml/',
# 'entityID' => 'https://idp2.pvv.ntnu.no/',
'idp' => 'https://idp2.pvv.ntnu.no/',
),
);


@ -66,7 +66,7 @@ $config = [
* When specified as a relative path, this is relative to the SimpleSAMLphp * When specified as a relative path, this is relative to the SimpleSAMLphp
* root directory. * root directory.
*/ */
'cachedir' => '/var/cache/mediawiki/simplesamlphp', 'cachedir' => '$CACHE_DIRECTORY',
//'loggingdir' => '/var/log/', //'loggingdir' => '/var/log/',
//'datadir' => '/var/data/', //'datadir' => '/var/data/',
@ -1195,7 +1195,7 @@ $config = [
* See http://www.php.net/manual/en/pdo.drivers.php for the various * See http://www.php.net/manual/en/pdo.drivers.php for the various
* syntaxes. * syntaxes.
*/ */
'store.sql.dsn' => 'sqlite:/var/lib/mediawiki/simplesamlphp.sqlite3', 'store.sql.dsn' => 'sqlite:$STATE_DIRECTORY/simplesamlphp.sqlite3',
/* /*
* The username and password to use when connecting to the database. * The username and password to use when connecting to the database.


@ -1,11 +0,0 @@
<?php
$config = array(
/* This is the name of this authentication source, and will be used to access it later. */
'default-sp' => array(
'saml:SP',
# 'entityID' => 'https://wiki.pvv.ntnu.no/',
'entityID' => 'https://wiki2.pvv.ntnu.no/',
'idp' => 'https://idp.pvv.ntnu.no/',
),
);


@ -1,23 +0,0 @@
<?php
$metadata['https://idp.pvv.ntnu.no/'] = array (
'metadata-set' => 'saml20-idp-remote',
'entityid' => 'https://idp.pvv.ntnu.no/',
'SingleSignOnService' =>
array (
0 =>
array (
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
'Location' => 'https://idp.pvv.ntnu.no/simplesaml/saml2/idp/SSOService.php',
),
),
'SingleLogoutService' =>
array (
0 =>
array (
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
'Location' => 'https://idp.pvv.ntnu.no/simplesaml/saml2/idp/SingleLogoutService.php',
),
),
'certData' => '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',
'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient',
);


@ -1,9 +1,9 @@
{ php { lib
, php
, writeText , writeText
, fetchFromGitHub , fetchFromGitHub
, configFile ? "config/config.php.dist" , extra_files ? { }
, authsourcesFile ? "config/authsources.php.dist"
, saml20-idp-remoteFile ? writeText "saml20-idp-remote.php" "<?php ?>"
}: }:
php.buildComposerProject rec { php.buildComposerProject rec {
@ -24,11 +24,10 @@ php.buildComposerProject rec {
# TODO: metadata could be fetched automagically with these: # TODO: metadata could be fetched automagically with these:
# - https://simplesamlphp.org/docs/contrib_modules/metarefresh/simplesamlphp-automated_metadata.html # - https://simplesamlphp.org/docs/contrib_modules/metarefresh/simplesamlphp-automated_metadata.html
# - https://idp.pvv.ntnu.no/simplesaml/saml2/idp/metadata.php # - https://idp.pvv.ntnu.no/simplesaml/saml2/idp/metadata.php
postPatch = '' postPatch = lib.pipe extra_files [
install -Dm444 "${configFile}" "config/config.php" (lib.mapAttrsToList (target_path: source_path: ''install -Dm444 "${source_path}" "${target_path}"''))
install -Dm444 "${authsourcesFile}" "config/authsources.php" (lib.concatStringsSep "\n")
install -Dm444 "${saml20-idp-remoteFile}" "metadata/saml20-idp-remote.php" ];
'';
postInstall = '' postInstall = ''
ln -sr $out/share/php/simplesamlphp/vendor/simplesamlphp/simplesamlphp-assets-base $out/share/php/simplesamlphp/public/assets/base ln -sr $out/share/php/simplesamlphp/vendor/simplesamlphp/simplesamlphp-assets-base $out/share/php/simplesamlphp/public/assets/base
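Review bot: The new `extra_files ? { }` default silently drops the previous fallback of installing `config/config.php.dist` as `config/config.php`, so a caller that passes nothing now gets a package with no config at all and a runtime failure instead of a build-time one; if that is intended, a comment above the parameter such as `# Map of destination path (relative to the source tree) -> file to install; callers must supply at least config/config.php and config/authsources.php` would make the contract explicit. The generated `install -Dm444` line interpolates each attribute name as the destination, so an absolute key or one containing `..` would write outside the source tree — acceptable for a trusted build input, but a `lib.assertMsg` check on `lib.hasPrefix "/" target_path` would catch a typo early. Stylistically, Nix package arguments are conventionally camelCase (`extraFiles`) rather than `extra_files`. The `postInstall` attribute that follows is unchanged and continues past the hunk.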