Drift/pvv-nixos-config
17
4
Fork 1
Code Issues Pull Requests9 Actions Wiki Activity

Compare commits

..

1 Commits
add-simple ... heimdal-op

Author SHA1 Message Date
h7x4
c16238a88f WIP: init buskerud/salsa 2024-04-13 18:47:03 +02:00
40 changed files with 1024 additions and 5095 deletions

2
.sops.yaml

@ -3,7 +3,6 @@ keys:
- &user_danio age17tagmpwqjk3mdy45rfesrfey6h863x8wfq38wh33tkrlrywxducs0k6tpq
- &user_felixalb age1mrnldl334l2nszuta6ywvewng0fswv2dz9l5g4qcwe3nj4yxf92qjskdx6
- &user_oysteikt F7D37890228A907440E1FD4846B9228E814A2AAC
- &user_eirikwit age1ju7rd26llahz3g8tz7cy5ld52swj8gsmg0flrmrxngc0nj0avq3ssh0sn5
# Hosts
- &host_jokum age1gp8ye4g2mmw3may5xg0zsy7mm04glfz3788mmdx9cvcsdxs9hg0s0cc9kt
@ -19,7 +18,6 @@ creation_rules:
- *host_jokum
- *user_danio
- *user_felixalb
- *user_eirikwit
pgp:
- *user_oysteikt

74
flake.lock generated

@ -7,11 +7,11 @@
]
},
"locked": {
"lastModified": 1710169806,
"narHash": "sha256-HeWFrRuHpnAiPmIr26OKl2g142HuGerwoO/XtW53pcI=",
"lastModified": 1709632354,
"narHash": "sha256-jxRHwqrtNze51WKFKvxlQ8Inf62UNRl5cFqEQ2V96vE=",
"owner": "nix-community",
"repo": "disko",
"rev": "fe064a639319ed61cdf12b8f6eded9523abcc498",
"rev": "0d11aa8d6431326e10b8656420f91085c3bd0b12",
"type": "github"
},
"original": {
@ -62,16 +62,14 @@
},
"matrix-next": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
"nixpkgs-lib": "nixpkgs-lib"
},
"locked": {
"lastModified": 1710311999,
"narHash": "sha256-s0pT1NyrMgeolUojXXcnXQDymN7m80GTF7itCv0ZH20=",
"lastModified": 1701507532,
"narHash": "sha256-Zzv8OFB7iilzDGe6z2t/j8qRtR23TN3N8LssGsvRWEA=",
"owner": "dali99",
"repo": "nixos-matrix-modules",
"rev": "6c9b67974b839740e2a738958512c7a704481157",
"rev": "046194cdadc50d81255a9c57789381ed1153e2b1",
"type": "github"
},
"original": {
@ -82,11 +80,11 @@
},
"nixpkgs": {
"locked": {
"lastModified": 1710248792,
"narHash": "sha256-yFyWw4na+nJgtXwhHs2SJSy5Lcw94/FcMbBOorlGdfI=",
"lastModified": 1709565521,
"narHash": "sha256-YP3H7Lm3IhOKHIcn+qMCLRINJG313Io5CjvNTJyrnhY=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "efbb274f364c918b9937574de879b5874b5833cc",
"rev": "9a5f1a573376eeb8c525f936eed32fabfb6e81be",
"type": "github"
},
"original": {
@ -95,13 +93,28 @@
"type": "indirect"
}
},
"nixpkgs-lib": {
"locked": {
"lastModified": 1673743903,
"narHash": "sha256-sloY6KYyVOozJ1CkbgJPpZ99TKIjIvM+04V48C04sMQ=",
"owner": "nix-community",
"repo": "nixpkgs.lib",
"rev": "7555e2dfcbac1533f047021f1744ac8871150f9f",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "nixpkgs.lib",
"type": "github"
}
},
"nixpkgs-stable": {
"locked": {
"lastModified": 1710033658,
"narHash": "sha256-yiZiVKP5Ya813iYLho2+CcFuuHpaqKc/CoxOlANKcqM=",
"lastModified": 1709428628,
"narHash": "sha256-//ZCCnpVai/ShtO2vPjh3AWgo8riXCaret6V9s7Hew4=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "b17375d3bb7c79ffc52f3538028b2ec06eb79ef8",
"rev": "66d65cb00b82ffa04ee03347595aa20e41fe3555",
"type": "github"
},
"original": {
@ -113,11 +126,11 @@
},
"nixpkgs-unstable": {
"locked": {
"lastModified": 1710247538,
"narHash": "sha256-Mm3aCwfAdYgG2zKf5SLRBktPH0swXN1yEetAMn05KAA=",
"lastModified": 1712963716,
"narHash": "sha256-WKm9CvgCldeIVvRz87iOMi8CFVB1apJlkUT4GGvA0iM=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "21adc4f16a8ab151fec83b9d9368cd62d9de86bc",
"rev": "cfd6b5fc90b15709b780a5a1619695a88505a176",
"type": "github"
},
"original": {
@ -155,8 +168,7 @@
"nixpkgs": "nixpkgs",
"nixpkgs-unstable": "nixpkgs-unstable",
"pvv-calendar-bot": "pvv-calendar-bot",
"sops-nix": "sops-nix",
"ssp-theme": "ssp-theme"
"sops-nix": "sops-nix"
}
},
"sops-nix": {
@ -167,11 +179,11 @@
"nixpkgs-stable": "nixpkgs-stable"
},
"locked": {
"lastModified": 1710195194,
"narHash": "sha256-KFxCJp0T6TJOz1IOKlpRdpsCr9xsvlVuWY/VCiAFnTE=",
"lastModified": 1709591996,
"narHash": "sha256-0sQcalXSgqlO6mnxBTXkSQChBHy2GQsokB1XY8r+LpQ=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "e52d8117b330f690382f1d16d81ae43daeb4b880",
"rev": "291aad29b59ceda517a06e59809f35cb0bb17c6b",
"type": "github"
},
"original": {
@ -179,22 +191,6 @@
"repo": "sops-nix",
"type": "github"
}
},
"ssp-theme": {
"flake": false,
"locked": {
"lastModified": 1509201641,
"narHash": "sha256-naNRyPL6PAsZKW2w1Vt9wrHT9inCL/yAFnvpy4glv+c=",
"ref": "refs/heads/master",
"rev": "bda4314030be5f81aeaf2fb1927aee582f1194d9",
"revCount": 5,
"type": "git",
"url": "https://git.pvv.ntnu.no/Drift/ssp-theme.git"
},
"original": {
"type": "git",
"url": "https://git.pvv.ntnu.no/Drift/ssp-theme.git"
}
}
},
"root": "root",

80
flake.nix

@ -15,18 +15,14 @@
pvv-calendar-bot.inputs.nixpkgs.follows = "nixpkgs";
matrix-next.url = "github:dali99/nixos-matrix-modules";
matrix-next.inputs.nixpkgs.follows = "nixpkgs";
grzegorz.url = "github:Programvareverkstedet/grzegorz";
grzegorz.inputs.nixpkgs.follows = "nixpkgs-unstable";
grzegorz-clients.url = "github:Programvareverkstedet/grzegorz-clients";
grzegorz-clients.inputs.nixpkgs.follows = "nixpkgs";
ssp-theme.url = "git+https://git.pvv.ntnu.no/Drift/ssp-theme.git";
ssp-theme.flake = false;
};
outputs = { self, nixpkgs, nixpkgs-unstable, sops-nix, disko, ssp-theme, ... }@inputs:
outputs = { self, nixpkgs, nixpkgs-unstable, sops-nix, disko, ... }@inputs:
let
nixlib = nixpkgs.lib;
systems = [
@ -56,14 +52,16 @@
modules = [
./hosts/${name}/configuration.nix
sops-nix.nixosModules.sops
] ++ config.modules or [];
];
pkgs = import nixpkgs {
inherit system;
overlays = [ ] ++ config.overlays or [ ];
overlays = [
inputs.pvv-calendar-bot.overlays.${system}.default
];
};
}
(removeAttrs config [ "modules" "overlays" ])
config
);
stableNixosConfig = nixosConfig nixpkgs;
@ -71,30 +69,19 @@
in {
bicep = stableNixosConfig "bicep" {
modules = [
./hosts/bicep/configuration.nix
sops-nix.nixosModules.sops
inputs.matrix-next.nixosModules.default
inputs.pvv-calendar-bot.nixosModules.default
];
overlays = [
inputs.pvv-calendar-bot.overlays.x86_64-linux.default
];
};
bekkalokk = stableNixosConfig "bekkalokk" {
overlays = [
(final: prev: {
heimdal = final.callPackage ./packages/heimdal {
inherit (final.darwin.apple_sdk.frameworks) CoreFoundation Security SystemConfiguration;
autoreconfHook = final.buildPackages.autoreconfHook269;
};
mediawiki-extensions = final.callPackage ./packages/mediawiki-extensions { };
simplesamlphp = final.callPackage ./packages/simplesamlphp { };
ssp-theme = final.runCommandLocal "ssp-theme" { } ''
ln -s ${ssp-theme} $out
'';
})
];
};
bekkalokk = stableNixosConfig "bekkalokk" { };
bob = stableNixosConfig "bob" {
modules = [
./hosts/bob/configuration.nix
sops-nix.nixosModules.sops
disko.nixosModules.disko
{ disko.devices.disk.disk1.device = "/dev/vda"; }
];
@ -105,17 +92,28 @@
brzeczyszczykiewicz = stableNixosConfig "brzeczyszczykiewicz" {
modules = [
./hosts/brzeczyszczykiewicz/configuration.nix
sops-nix.nixosModules.sops
inputs.grzegorz.nixosModules.grzegorz-kiosk
inputs.grzegorz-clients.nixosModules.grzegorz-webui
];
};
georg = stableNixosConfig "georg" {
modules = [
./hosts/georg/configuration.nix
sops-nix.nixosModules.sops
inputs.grzegorz.nixosModules.grzegorz-kiosk
inputs.grzegorz-clients.nixosModules.grzegorz-webui
];
};
buskerud = stableNixosConfig "buskerud" { };
buskerud = stableNixosConfig "buskerud" {
modules = [
./hosts/buskerud/configuration.nix
sops-nix.nixosModules.sops
];
};
};
devShells = forAllSystems (system: {
@ -125,28 +123,22 @@
packages = {
"x86_64-linux" = let
pkgs = nixpkgs.legacyPackages."x86_64-linux";
in {
default = self.packages.x86_64-linux.important-machines;
pkgs-unstable = nixpkgs-unstable.legacyPackages."x86_64-linux";
in rec {
default = important-machines;
important-machines = pkgs.linkFarm "important-machines"
(nixlib.getAttrs importantMachines self.packages.x86_64-linux);
all-machines = pkgs.linkFarm "all-machines"
(nixlib.getAttrs allMachines self.packages.x86_64-linux);
#######################
# TODO: remove this once nixos 24.05 gets released
#######################
heimdal = pkgs.callPackage ./packages/heimdal {
inherit (pkgs.darwin.apple_sdk.frameworks) CoreFoundation Security SystemConfiguration;
autoreconfHook = pkgs.buildPackages.autoreconfHook269;
heimdal = pkgs.callPackage hosts/buskerud/containers/salsa/services/heimdal/package.nix {
inherit (pkgs.apple_sdk.frameworks)
CoreFoundation Security SystemConfiguration;
};
simplesamlphp = pkgs.callPackage ./packages/simplesamlphp { };
mediawiki-extensions = pkgs.callPackage ./packages/mediawiki-extensions { };
ssp-theme = pkgs.runCommandLocal "ssp-theme" { } ''
ln -s ${ssp-theme} $out
'';
heimdal-unstable = pkgs-unstable.callPackage hosts/buskerud/containers/salsa/services/heimdal/package.nix {
inherit (pkgs.apple_sdk.frameworks)
CoreFoundation Security SystemConfiguration;
};
inherit pkgs pkgs-unstable;
} // nixlib.genAttrs allMachines
(machine: self.nixosConfigurations.${machine}.config.system.build.toplevel);
};

4
hosts/bekkalokk/configuration.nix

@ -12,10 +12,8 @@
# ./services/website.nix
./services/nginx
./services/gitea/default.nix
./services/kerberos
./services/webmail
./services/mediawiki
./services/idp-simplesamlphp
# ./services/mediawiki.nix
];
sops.defaultSopsFile = ../../secrets/bekkalokk/bekkalokk.yaml;

2
hosts/bekkalokk/services/gitea/gitea-import-users.py

@ -32,6 +32,7 @@ def add_user(username, name):
"full_name": name,
"username": username,
"login_name": username,
"visibility": "public",
"source_id": 1, # 1 = SMTP
}
@ -51,7 +52,6 @@ def add_user(username, name):
existing_users[username] = user
else:
user["visibility"] = existing_users[username]["visibility"]
r = requests.patch(GITEA_API_URL + f'/admin/users/{username}',
json=user,
headers={'Authorization': 'token ' + API_TOKEN})

135
hosts/bekkalokk/services/idp-simplesamlphp/authpwauth.php

@ -1,135 +0,0 @@
<?php
/**
* Authenticate using HTTP login.
*
* @author Yorn de Jong
* @author Oystein Kristoffer Tveit
* @package simpleSAMLphp
*/
namespace SimpleSAML\Module\authpwauth\Auth\Source;
class PwAuth extends \SimpleSAML\Module\core\Auth\UserPassBase
{
protected $pwauth_bin_path;
protected $mail_domain;
public function __construct(array $info, array &$config) {
assert('is_array($info)');
assert('is_array($config)');
/* Call the parent constructor first, as required by the interface. */
parent::__construct($info, $config);
$this->pwauth_bin_path = $config['pwauth_bin_path'];
if (array_key_exists('mail_domain', $config)) {
$this->mail_domain = '@' . ltrim($config['mail_domain'], '@');
}
}
public function login(string $username, string $password): array {
$username = strtolower( $username );
if (!file_exists($this->pwauth_bin_path)) {
die("Could not find pwauth binary");
return false;
}
if (!is_executable($this->pwauth_bin_path)) {
die("pwauth binary is not executable");
return false;
}
$handle = popen($this->pwauth_bin_path, 'w');
if ($handle === FALSE) {
die("Error opening pipe to pwauth");
return false;
}
$data = "$username\n$password\n";
if (fwrite($handle, $data) !== strlen($data)) {
die("Error writing to pwauth pipe");
return false;
}
# Is the password valid?
$result = pclose( $handle );
if ($result !== 0) {
if (!in_array($result, [1, 2, 3, 4, 5, 6, 7], true)) {
die("pwauth returned $result for username $username");
}
throw new \SimpleSAML\Error\Error('WRONGUSERPASS');
}
/*
$ldap = ldap_connect('129.241.210.159', 389);
ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_start_tls($ldap);
ldap_bind($ldap, 'passordendrer@pvv.ntnu.no', 'Oi7aekoh');
$search = ldap_search($ldap, 'DC=pvv,DC=ntnu,DC=no', '(sAMAccountName='.ldap_escape($username, '', LDAP_ESCAPE_FILTER).')');
$entry = ldap_first_entry($ldap, $search);
$dn = ldap_get_dn($ldap, $entry);
$newpassword = mb_convert_encoding("\"$password\"", 'UTF-16LE', 'UTF-8');
ldap_modify_batch($ldap, $dn, [
#[
# 'modtype' => LDAP_MODIFY_BATCH_REMOVE,
# 'attrib' => 'unicodePwd',
# 'values' => [$password],
#],
[
#'modtype' => LDAP_MODIFY_BATCH_ADD,
'modtype' => LDAP_MODIFY_BATCH_REPLACE,
'attrib' => 'unicodePwd',
'values' => [$newpassword],
],
]);
*/
#0 - Login OK.
#1 - Nonexistant login or (for some configurations) incorrect password.
#2 - Incorrect password (for some configurations).
#3 - Uid number is below MIN_UNIX_UID value configured in config.h.
#4 - Login ID has expired.
#5 - Login's password has expired.
#6 - Logins to system have been turned off (usually by /etc/nologin file).
#7 - Limit on number of bad logins exceeded.
#50 - pwauth was not run with real uid SERVER_UID. If you get this
# this error code, you probably have SERVER_UID set incorrectly
# in pwauth's config.h file.
#51 - pwauth was not given a login & password to check. The means
# the passing of data from mod_auth_external to pwauth is messed
# up. Most likely one is trying to pass data via environment
# variables, while the other is trying to pass data via a pipe.
#52 - one of several possible internal errors occured.
$uid = $username;
# TODO: Reinstate this code once passwd is working...
/*
$cn = trim(shell_exec('getent passwd '.escapeshellarg($uid).' | cut -d: -f5 | cut -d, -f1'));
$groups = preg_split('_\\s_', shell_exec('groups '.escapeshellarg($uid)));
array_shift($groups);
array_shift($groups);
array_pop($groups);
$info = posix_getpwnam($uid);
$group = $info['gid'];
if (!in_array($group, $groups)) {
$groups[] = $group;
}
*/
$cn = "Unknown McUnknown";
$groups = array();
$result = array(
'uid' => array($uid),
'cn' => array($cn),
'group' => $groups,
);
if (isset($this->mail_domain)) {
$result['mail'] = array($uid.$this->mail_domain);
}
return $result;
}
}

1294
hosts/bekkalokk/services/idp-simplesamlphp/config.php

File diff suppressed because it is too large Load Diff

204
hosts/bekkalokk/services/idp-simplesamlphp/default.nix

@ -1,204 +0,0 @@
{ config, pkgs, lib, ... }:
let
pwAuthScript = pkgs.writeShellApplication {
name = "pwauth";
runtimeInputs = with pkgs; [ coreutils heimdal ];
text = ''
read -r user1
user2="$(echo -n "$user1" | tr -c -d '0123456789abcdefghijklmnopqrstuvwxyz')"
if test "$user1" != "$user2"
then
read -r _
exit 2
fi
kinit --password-file=STDIN "''${user1}@PVV.NTNU.NO"
'';
};
package = pkgs.simplesamlphp.override {
extra_files = {
# NOTE: Using self signed certificate created 30. march 2024, with command:
# openssl req -newkey rsa:4096 -new -x509 -days 365 -nodes -out idp.crt -keyout idp.pem
"metadata/saml20-idp-hosted.php" = pkgs.writeText "saml20-idp-remote.php" ''
<?php
$metadata['https://idp2.pvv.ntnu.no/'] = array(
'host' => '__DEFAULT__',
'privatekey' => '${config.sops.secrets."idp/privatekey".path}',
'certificate' => '${./idp.crt}',
'auth' => 'pwauth',
);
?>
'';
"metadata/saml20-sp-remote.php" = pkgs.writeText "saml20-sp-remote.php" ''
<?php
${ lib.pipe config.services.idp.sp-remote-metadata [
(map (url: ''
$metadata['${url}'] = [
'SingleLogoutService' => [
[
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
'Location' => '${url}module.php/saml/sp/saml2-logout.php/default-sp',
],
[
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:SOAP',
'Location' => '${url}module.php/saml/sp/saml2-logout.php/default-sp',
],
],
'AssertionConsumerService' => [
[
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
'Location' => '${url}module.php/saml/sp/saml2-acs.php/default-sp',
'index' => 0,
],
[
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact',
'Location' => '${url}module.php/saml/sp/saml2-acs.php/default-sp',
'index' => 1,
],
],
];
''))
(lib.concatStringsSep "\n")
]}
?>
'';
"config/authsources.php" = pkgs.writeText "idp-authsources.php" ''
<?php
$config = array(
'admin' => array(
'core:AdminPassword'
),
'pwauth' => array(
'authpwauth:PwAuth',
'pwauth_bin_path' => '${lib.getExe pwAuthScript}',
'mail_domain' => '@pvv.ntnu.no',
),
);
?>
'';
"config/config.php" = pkgs.runCommandLocal "simplesamlphp-config.php" { } ''
cp ${./config.php} "$out"
substituteInPlace "$out" \
--replace '$SAML_COOKIE_SECURE' 'true' \
--replace '$SAML_COOKIE_SALT' 'file_get_contents("${config.sops.secrets."idp/cookie_salt".path}")' \
--replace '$SAML_ADMIN_NAME' '"Drift"' \
--replace '$SAML_ADMIN_EMAIL' '"drift@pvv.ntnu.no"' \
--replace '$SAML_ADMIN_PASSWORD' 'file_get_contents("${config.sops.secrets."idp/admin_password".path}")' \
--replace '$SAML_TRUSTED_DOMAINS' 'array( "idp2.pvv.ntnu.no" )' \
--replace '$SAML_DATABASE_DSN' '"pgsql:host=postgres.pvv.ntnu.no;port=5432;dbname=idp"' \
--replace '$SAML_DATABASE_USERNAME' '"idp"' \
--replace '$SAML_DATABASE_PASSWORD' 'file_get_contents("${config.sops.secrets."idp/postgres_password".path}")' \
--replace '$CACHE_DIRECTORY' '/var/cache/idp'
'';
"modules/authpwauth/src/Auth/Source/PwAuth.php" = ./authpwauth.php;
"modules/themepvv" = pkgs.ssp-theme;
};
};
in
{
options.services.idp.sp-remote-metadata = lib.mkOption {
type = with lib.types; listOf str;
default = [ ];
description = ''
List of urls point to (simplesamlphp) service profiders, which the idp should trust.
:::{.note}
Make sure the url ends with a `/`
:::
'';
};
config = {
sops.secrets = {
"idp/privatekey" = {
owner = "idp";
group = "idp";
mode = "0770";
};
"idp/admin_password" = {
owner = "idp";
group = "idp";
};
"idp/postgres_password" = {
owner = "idp";
group = "idp";
};
"idp/cookie_salt" = {
owner = "idp";
group = "idp";
};
};
users.groups."idp" = { };
users.users."idp" = {
description = "PVV Identity Provider Service User";
group = "idp";
createHome = false;
isSystemUser = true;
};
systemd.tmpfiles.settings."10-idp" = {
"/var/cache/idp".d = {
user = "idp";
group = "idp";
mode = "0770";
};
"/var/lib/idp".d = {
user = "idp";
group = "idp";
mode = "0770";
};
};
services.phpfpm.pools.idp = {
user = "idp";
group = "idp";
settings = let
listenUser = config.services.nginx.user;
listenGroup = config.services.nginx.group;
in {
"pm" = "dynamic";
"pm.max_children" = 32;
"pm.max_requests" = 500;
"pm.start_servers" = 2;
"pm.min_spare_servers" = 2;
"pm.max_spare_servers" = 4;
"listen.owner" = listenUser;
"listen.group" = listenGroup;
"catch_workers_output" = true;
"php_admin_flag[log_errors]" = true;
# "php_admin_value[error_log]" = "stderr";
};
};
services.nginx.virtualHosts."idp2.pvv.ntnu.no" = {
forceSSL = true;
enableACME = true;
root = "${package}/share/php/simplesamlphp/public";
locations = {
# based on https://simplesamlphp.org/docs/stable/simplesamlphp-install.html#configuring-nginx
"/" = {
alias = "${package}/share/php/simplesamlphp/public/";
index = "index.php";
extraConfig = ''
location ~ ^/(?<phpfile>.+?\.php)(?<pathinfo>/.*)?$ {
include ${pkgs.nginx}/conf/fastcgi_params;
fastcgi_pass unix:${config.services.phpfpm.pools.idp.socket};
fastcgi_param SCRIPT_FILENAME ${package}/share/php/simplesamlphp/public/$phpfile;
fastcgi_param SCRIPT_NAME /$phpfile;
fastcgi_param PATH_INFO $pathinfo if_not_empty;
}
'';
};
};
};
};
}

33
hosts/bekkalokk/services/idp-simplesamlphp/idp.crt

@ -1,33 +0,0 @@
-----BEGIN CERTIFICATE-----
MIIFqTCCA5GgAwIBAgIUL2+PMM9rE9wI5W2yNnJ2CmfGxh0wDQYJKoZIhvcNAQEL
BQAwZDELMAkGA1UEBhMCTk8xEzARBgNVBAgMClNvbWUtU3RhdGUxHjAcBgNVBAoM
FVByb2dyYW12YXJldmVya3N0ZWRldDEgMB4GCSqGSIb3DQEJARYRZHJpZnRAcHZ2
Lm50bnUubm8wHhcNMjQwMzMwMDAyNjQ0WhcNMjUwMzMwMDAyNjQ0WjBkMQswCQYD
VQQGEwJOTzETMBEGA1UECAwKU29tZS1TdGF0ZTEeMBwGA1UECgwVUHJvZ3JhbXZh
cmV2ZXJrc3RlZGV0MSAwHgYJKoZIhvcNAQkBFhFkcmlmdEBwdnYubnRudS5ubzCC
AiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAL/0l0jdV+PoVxdd21F+2NLm
JN6sZmSJexOSk/sFjhhF4WMtjOfDAQYjt3hlLPyYl//jCe9WteavvtdCx1tHJitd
xjOUJ/leVjHzBttCVZR+iTlQtpsZ2TbRMJ5Fcfl82njlPecV4umJvnnFXawE4Qee
dE2OM8ODjjrK1cNaHR74tyZCwmdOxNHXZ7RN22p9kZjLD18LQyNr5igaDBeaZkyk
Gxbg4tbP51x9JFRLF7kUlyAc83geFnw6v/wBahr49m/X4y7xE0rdPb2L0moUjmOO
Zyl3hvxMI3+g/0FVMM5eKmfIIP2rIVEAa6MWMx0vPjC6h2fIyxkUqg5C8aFlpqav
+8f2rUc+JfdiFsIZNrylBXsleGzS+/wY1uB/pAy5Vg9WCp+eC75EtWMt0k2f442G
rhKa3lAZ6GIYrtEiQiNGM1aT1Cs1nqTtslfnHiuAKBefLjCXgq9uvL2yRodwe9/m
oZiqYnLHy/v1xfnF5rKTcRmOleU3tc+nlN6tZSGC1nZgMpqpoqdcbJXAkvaJ2Km4
sl0YS28VQnztgzuVPNdnv8lcS6HmkaGaNWbepKgWeaH5oT7O6u99wZIv88m+tf5m
Eu197YVpcclnojQCYKauWcQFsXS20egsVP87Qk0e2SHmGTUQp6YEYX6RLjkg7/vS
BelDBbCldraNVEiC0jmpAgMBAAGjUzBRMB0GA1UdDgQWBBSL0yofG5NEmzFIRuqC
xmyiuZW6DTAfBgNVHSMEGDAWgBSL0yofG5NEmzFIRuqCxmyiuZW6DTAPBgNVHRMB
Af8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4ICAQAZZVs7BLk/NLq3f4Ik8qH3IoDN
2m4XXRZS+xxw5RwctgSnik7AffgAfv8QQm2co8UYkHbB0whaG1PDz+L7wB1hVkWn
DVUaJcKQnn0x+sNU5LoTbjI0PlaST7PO5D0OMFab8FSNxpzzpbUcgZUhelc99Ri/
2Gh8mf4b3Y3Uzq6YKFsuFM65OuJhH8f1w6onai9x28t6tERHUSUfJ2keXzU4ytCV
EitWXwhe759VLqmdP4BATwlCOCuwa5aDeGcWRIqFpYIn0SOAmVV3o4V71JdZc1jE
fuOo/PbiHZ+R9ZGbh98aMidb0moL1ZDhmir9KbedezNyki6JJ72mVclhLqUajFxr
T39FXd5e2+QBMHPPhVFznQoHWnHEbZigTt61b0cg/TsxaxOkF4Ilmr/2DmSWysWK
TF5eq8hp6/53qVbXXSzrCjxd3wzGnRabsEVPX/L2hYDx81hluovJQCtskqTq1joI
W2R7AO5Sdyc6NfOR85kl0HXzHa+0Slsf8ZDs5nCz/mOOPoAGl7IxF7xQ6kPO7V+U
HdGE2tkblM/TrAObJH0HXySeJGI7Vfya+D1Y8IqGtyZtWyx1DmlA/OezGGf5D3rG
88LywHQQ2mQ+8aosBTE4+HQ+apLKZBprqQKuiDjT1RSUbfUHQkYuL+D1oIVmklAc
UxTpf01QJnZkMqf5NQ==
-----END CERTIFICATE-----

22
hosts/bekkalokk/services/idp-simplesamlphp/metadata.php.nix

@ -1,22 +0,0 @@
''
<?php
$metadata['https://idp2.pvv.ntnu.no/'] = [
'metadata-set' => 'saml20-idp-hosted',
'entityid' => 'https://idp2.pvv.ntnu.no/',
'SingleSignOnService' => [
[
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
'Location' => 'https://idp2.pvv.ntnu.no/module.php/saml/idp/singleSignOnService',
],
],
'SingleLogoutService' => [
[
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
'Location' => 'https://idp2.pvv.ntnu.no/module.php/saml/idp/singleLogout',
],
],
'NameIDFormat' => [ 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient' ],
'certificate' => '${./idp.crt}',
];
?>
''

27
hosts/bekkalokk/services/kerberos/default.nix

@ -1,27 +0,0 @@
{ config, pkgs, lib, ... }:
{
#######################
# TODO: remove these once nixos 24.05 gets released
#######################
imports = [
./krb5.nix
./pam.nix
];
disabledModules = [
"config/krb5/default.nix"
"security/pam.nix"
];
#######################
security.krb5 = {
enable = true;
settings = {
libdefaults = {
default_realm = "PVV.NTNU.NO";
dns_lookup_realm = "yes";
dns_lookup_kdc = "yes";
};
realms."PVV.NTNU.NO".admin_server = "kdc.pvv.ntnu.no";
};
};
}

1543
hosts/bekkalokk/services/kerberos/pam.nix

File diff suppressed because it is too large Load Diff

175
hosts/bekkalokk/services/mediawiki.nix Normal file

@ -0,0 +1,175 @@
{ pkgs, lib, config, values, ... }: let
cfg = config.services.mediawiki;
# "mediawiki"
user = config.systemd.services.mediawiki-init.serviceConfig.User;
# "mediawiki"
group = config.users.users.${user}.group;
in {
sops.secrets = {
"mediawiki/password" = {
restartUnits = [ "mediawiki-init.service" "phpfpm-mediawiki.service" ];
owner = user;
group = group;
};
"keys/postgres/mediawiki" = {
restartUnits = [ "mediawiki-init.service" "phpfpm-mediawiki.service" ];
owner = user;
group = group;
};
};
services.mediawiki = {
enable = true;
name = "Programvareverkstedet";
passwordFile = config.sops.secrets."mediawiki/password".path;
passwordSender = "drift@pvv.ntnu.no";
database = {
type = "postgres";
host = "postgres.pvv.ntnu.no";
port = config.services.postgresql.port;
passwordFile = config.sops.secrets."keys/postgres/mediawiki".path;
createLocally = false;
# TODO: create a normal database and copy over old data when the service is production ready
name = "mediawiki_test";
};
# Host through nginx
webserver = "none";
poolConfig = let
listenUser = config.services.nginx.user;
listenGroup = config.services.nginx.group;
in {
inherit user group;
"pm" = "dynamic";
"pm.max_children" = 32;
"pm.max_requests" = 500;
"pm.start_servers" = 2;
"pm.min_spare_servers" = 2;
"pm.max_spare_servers" = 4;
"listen.owner" = listenUser;
"listen.group" = listenGroup;
"php_admin_value[error_log]" = "stderr";
"php_admin_flag[log_errors]" = "on";
"env[PATH]" = lib.makeBinPath [ pkgs.php ];
"catch_workers_output" = true;
# to accept *.html file
"security.limit_extensions" = "";
};
extensions = {
DeleteBatch = pkgs.fetchzip {
url = "https://extdist.wmflabs.org/dist/extensions/DeleteBatch-REL1_39-995ea6f.tar.gz";
sha256 = "sha256-0F4GLCy2f5WcWIY2YgF1tVxgYbglR0VOsj/pMrW93b8=";
};
UserMerge = pkgs.fetchzip {
url = "https://extdist.wmflabs.org/dist/extensions/UserMerge-REL1_39-b10d50e.tar.gz";
sha256 = "sha256-bXhj1+OlOUJDbvEuc8iwqb1LLEu6cN6+C/7cAvnWPOQ=";
};
PluggableAuth = pkgs.fetchzip {
url = "https://extdist.wmflabs.org/dist/extensions/PluggableAuth-REL1_39-1210fc3.tar.gz";
sha256 = "sha256-F6bTMCzkK3kZwZGIsNE87WlZWqXXmTMhEjApO99YKR0=";
};
SimpleSAMLphp = pkgs.fetchzip {
url = "https://extdist.wmflabs.org/dist/extensions/SimpleSAMLphp-REL1_39-dcf0acb.tar.gz";
sha256 = "sha256-tCvFmb2+q2rxms+lRo5pgoI3h6GjCwXAR8XisPg03TQ=";
};
};
extraConfig = let
SimpleSAMLphpRepo = pkgs.stdenvNoCC.mkDerivation rec {
pname = "configuredSimpleSAML";
version = "2.0.4";
src = pkgs.fetchzip {
url = "https://github.com/simplesamlphp/simplesamlphp/releases/download/v${version}/simplesamlphp-${version}.tar.gz";
sha256 = "sha256-pfMV/VmqqxgtG7Nx4s8MW4tWSaxOkVPtCRJwxV6RDSE=";
};
buildPhase = ''
cat > config/authsources.php << EOF
<?php
$config = array(
'default-sp' => array(
'saml:SP',
'idp' => 'https://idp.pvv.ntnu.no/',
),
);
EOF
'';
installPhase = ''
cp -r . $out
'';
};
in ''
$wgServer = "https://bekkalokk.pvv.ntnu.no";
$wgLocaltimezone = "Europe/Oslo";
# Only allow login through SSO
$wgEnableEmail = false;
$wgEnableUserEmail = false;
$wgEmailAuthentication = false;
$wgGroupPermissions['*']['createaccount'] = false;
$wgGroupPermissions['*']['autocreateaccount'] = true;
$wgPluggableAuth_EnableAutoLogin = true;
# Disable anonymous editing
$wgGroupPermissions['*']['edit'] = false;
# Styling
$wgLogo = "/PNG/PVV-logo.png";
$wgDefaultSkin = "monobook";
# Misc
$wgEmergencyContact = "${cfg.passwordSender}";
$wgShowIPinHeader = false;
$wgUseTeX = false;
$wgLocalInterwiki = $wgSitename;
# SimpleSAML
$wgSimpleSAMLphp_InstallDir = "${SimpleSAMLphpRepo}";
$wgSimpleSAMLphp_AuthSourceId = "default-sp";
$wgSimpleSAMLphp_RealNameAttribute = "cn";
$wgSimpleSAMLphp_EmailAttribute = "mail";
$wgSimpleSAMLphp_UsernameAttribute = "uid";
# Fix https://github.com/NixOS/nixpkgs/issues/183097
$wgDBserver = "${toString cfg.database.host}";
'';
};
# Override because of https://github.com/NixOS/nixpkgs/issues/183097
systemd.services.mediawiki-init.script = let
# According to module
stateDir = "/var/lib/mediawiki";
pkg = cfg.finalPackage;
mediawikiConfig = config.services.phpfpm.pools.mediawiki.phpEnv.MEDIAWIKI_CONFIG;
inherit (lib) optionalString mkForce;
in mkForce ''
if ! test -e "${stateDir}/secret.key"; then
tr -dc A-Za-z0-9 </dev/urandom 2>/dev/null | head -c 64 > ${stateDir}/secret.key
fi
echo "exit( wfGetDB( DB_MASTER )->tableExists( 'user' ) ? 1 : 0 );" | \
${pkgs.php}/bin/php ${pkg}/share/mediawiki/maintenance/eval.php --conf ${mediawikiConfig} && \
${pkgs.php}/bin/php ${pkg}/share/mediawiki/maintenance/install.php \
--confpath /tmp \
--scriptpath / \
--dbserver "${cfg.database.host}" \
--dbport ${toString cfg.database.port} \
--dbname ${cfg.database.name} \
${optionalString (cfg.database.tablePrefix != null) "--dbprefix ${cfg.database.tablePrefix}"} \
--dbuser ${cfg.database.user} \
${optionalString (cfg.database.passwordFile != null) "--dbpassfile ${cfg.database.passwordFile}"} \
--passfile ${cfg.passwordFile} \
--dbtype ${cfg.database.type} \
${cfg.name} \
admin
${pkgs.php}/bin/php ${pkg}/share/mediawiki/maintenance/update.php --conf ${mediawikiConfig} --quick
'';
}

257
hosts/bekkalokk/services/mediawiki/default.nix

@ -1,257 +0,0 @@
{ pkgs, lib, config, values, pkgs-unstable, ... }: let
cfg = config.services.mediawiki;
# "mediawiki"
user = config.systemd.services.mediawiki-init.serviceConfig.User;
# "mediawiki"
group = config.users.users.${user}.group;
simplesamlphp = pkgs.simplesamlphp.override {
extra_files = {
"metadata/saml20-idp-remote.php" = pkgs.writeText "mediawiki-saml20-idp-remote.php" (import ../idp-simplesamlphp/metadata.php.nix);
"config/authsources.php" = ./simplesaml-authsources.php;
"config/config.php" = pkgs.runCommandLocal "mediawiki-simplesamlphp-config.php" { } ''
cp ${./simplesaml-config.php} "$out"
substituteInPlace "$out" \
--replace '$SAML_COOKIE_SECURE' 'true' \
--replace '$SAML_COOKIE_SALT' 'file_get_contents("${config.sops.secrets."mediawiki/simplesamlphp/cookie_salt".path}")' \
--replace '$SAML_ADMIN_NAME' '"Drift"' \
--replace '$SAML_ADMIN_EMAIL' '"drift@pvv.ntnu.no"' \
--replace '$SAML_ADMIN_PASSWORD' 'file_get_contents("${config.sops.secrets."mediawiki/simplesamlphp/admin_password".path}")' \
--replace '$SAML_TRUSTED_DOMAINS' 'array( "wiki2.pvv.ntnu.no" )' \
--replace '$SAML_DATABASE_DSN' '"pgsql:host=postgres.pvv.ntnu.no;port=5432;dbname=mediawiki_simplesamlphp"' \
--replace '$SAML_DATABASE_USERNAME' '"mediawiki_simplesamlphp"' \
--replace '$SAML_DATABASE_PASSWORD' 'file_get_contents("${config.sops.secrets."mediawiki/simplesamlphp/postgres_password".path}")' \
--replace '$CACHE_DIRECTORY' '/var/cache/mediawiki/idp'
'';
};
};
in {
services.idp.sp-remote-metadata = [ "https://wiki2.pvv.ntnu.no/simplesaml/" ];
sops.secrets = {
"mediawiki/password" = {
owner = user;
group = group;
};
"mediawiki/postgres_password" = {
owner = user;
group = group;
};
"mediawiki/simplesamlphp/postgres_password" = {
owner = user;
group = group;
};
"mediawiki/simplesamlphp/cookie_salt" = {
owner = user;
group = group;
};
"mediawiki/simplesamlphp/admin_password" = {
owner = user;
group = group;
};
};
services.mediawiki = {
enable = true;
name = "Programvareverkstedet";
passwordFile = config.sops.secrets."mediawiki/password".path;
passwordSender = "drift@pvv.ntnu.no";
database = {
type = "mysql";
host = "mysql.pvv.ntnu.no";
port = 3306;
user = "mediawiki";
passwordFile = config.sops.secrets."mediawiki/postgres_password".path;
createLocally = false;
# TODO: create a normal database and copy over old data when the service is production ready
name = "mediawiki";
};
# Host through nginx
webserver = "none";
poolConfig = let
listenUser = config.services.nginx.user;
listenGroup = config.services.nginx.group;
in {
inherit user group;
"pm" = "dynamic";
"pm.max_children" = 32;
"pm.max_requests" = 500;
"pm.start_servers" = 2;
"pm.min_spare_servers" = 2;
"pm.max_spare_servers" = 4;
"listen.owner" = listenUser;
"listen.group" = listenGroup;
"catch_workers_output" = true;
"php_admin_flag[log_errors]" = true;
# "php_admin_value[error_log]" = "stderr";
# to accept *.html file
"security.limit_extensions" = "";
};
extensions = {
inherit (pkgs.mediawiki-extensions) DeleteBatch UserMerge PluggableAuth SimpleSAMLphp;
};
extraConfig = ''
$wgServer = "https://wiki2.pvv.ntnu.no";
$wgLocaltimezone = "Europe/Oslo";
# Only allow login through SSO
$wgEnableEmail = false;
$wgEnableUserEmail = false;
$wgEmailAuthentication = false;
$wgGroupPermissions['*']['createaccount'] = false;
$wgGroupPermissions['*']['autocreateaccount'] = true;
$wgPluggableAuth_EnableAutoLogin = false;
# Misc. permissions
$wgGroupPermissions['*']['edit'] = false;
$wgGroupPermissions['*']['read'] = true;
# Misc. URL rules
$wgUsePathInfo = true;
$wgScriptExtension = ".php";
$wgNamespacesWithSubpages[NS_MAIN] = true;
# Styling
$wgLogos = array(
"2x" => "/PNG/PVV-logo.png",
"icon" => "/PNG/PVV-logo.svg",
);
# wfLoadSkin('Timeless');
$wgDefaultSkin = "vector-2022";
# from https://github.com/wikimedia/mediawiki-skins-Vector/blob/master/skin.json
$wgVectorDefaultSidebarVisibleForAnonymousUser = true;
$wgVectorResponsive = true;
# Misc
$wgEmergencyContact = "${cfg.passwordSender}";
$wgShowIPinHeader = false;
$wgUseTeX = false;
$wgLocalInterwiki = $wgSitename;
# SimpleSAML
$wgSimpleSAMLphp_InstallDir = "${simplesamlphp}/share/php/simplesamlphp/";
$wgPluggableAuth_Config['Log in using my SAML'] = [
'plugin' => 'SimpleSAMLphp',
'data' => [
'authSourceId' => 'default-sp',
'usernameAttribute' => 'uid',
'emailAttribute' => 'mail',
'realNameAttribute' => 'cn',
]
];
# Fix https://github.com/NixOS/nixpkgs/issues/183097
$wgDBserver = "${toString cfg.database.host}";
'';
};
# Cache directory for simplesamlphp
# systemd.services.phpfpm-mediawiki.serviceConfig.CacheDirectory = "mediawiki/simplesamlphp";
systemd.tmpfiles.settings."10-mediawiki"."/var/cache/mediawiki/simplesamlphp".d = {
user = "mediawiki";
group = "mediawiki";
mode = "0770";
};
# Override because of https://github.com/NixOS/nixpkgs/issues/183097
systemd.services.mediawiki-init.script = let
# According to module
stateDir = "/var/lib/mediawiki";
pkg = cfg.finalPackage;
mediawikiConfig = config.services.phpfpm.pools.mediawiki.phpEnv.MEDIAWIKI_CONFIG;
inherit (lib) optionalString mkForce;
in mkForce ''
if ! test -e "${stateDir}/secret.key"; then
tr -dc A-Za-z0-9 </dev/urandom 2>/dev/null | head -c 64 > ${stateDir}/secret.key
fi
echo "exit( wfGetDB( DB_MASTER )->tableExists( 'user' ) ? 1 : 0 );" | \
${pkgs.php}/bin/php ${pkg}/share/mediawiki/maintenance/eval.php --conf ${mediawikiConfig} && \
${pkgs.php}/bin/php ${pkg}/share/mediawiki/maintenance/install.php \
--confpath /tmp \
--scriptpath / \
--dbserver "${cfg.database.host}" \
--dbport ${toString cfg.database.port} \
--dbname ${cfg.database.name} \
${optionalString (cfg.database.tablePrefix != null) "--dbprefix ${cfg.database.tablePrefix}"} \
--dbuser ${cfg.database.user} \
${optionalString (cfg.database.passwordFile != null) "--dbpassfile ${cfg.database.passwordFile}"} \
--passfile ${cfg.passwordFile} \
--dbtype ${cfg.database.type} \
${cfg.name} \
admin
${pkgs.php}/bin/php ${pkg}/share/mediawiki/maintenance/update.php --conf ${mediawikiConfig} --quick
'';
users.groups.mediawiki.members = [ "nginx" ];
services.nginx.virtualHosts."wiki2.pvv.ntnu.no" = {
forceSSL = true;
enableACME = true;
root = "${config.services.mediawiki.finalPackage}/share/mediawiki";
locations = {
"/" = {
index = "index.php";
};
"~ /(.+\\.php)" = {
extraConfig = ''
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_index index.php;
fastcgi_pass unix:${config.services.phpfpm.pools.mediawiki.socket};
include ${pkgs.nginx}/conf/fastcgi_params;
include ${pkgs.nginx}/conf/fastcgi.conf;
'';
};
# based on https://simplesamlphp.org/docs/stable/simplesamlphp-install.html#configuring-nginx
"^~ /simplesaml/" = {
alias = "${simplesamlphp}/share/php/simplesamlphp/public/";
index = "index.php";
extraConfig = ''
location ~ ^/simplesaml/(?<phpfile>.+?\.php)(?<pathinfo>/.*)?$ {
include ${pkgs.nginx}/conf/fastcgi_params;
fastcgi_pass unix:${config.services.phpfpm.pools.mediawiki.socket};
fastcgi_param SCRIPT_FILENAME ${simplesamlphp}/share/php/simplesamlphp/public/$phpfile;
# Must be prepended with the baseurlpath
fastcgi_param SCRIPT_NAME /simplesaml/$phpfile;
fastcgi_param PATH_INFO $pathinfo if_not_empty;
}
'';
};
"/images/".alias = "${config.services.mediawiki.uploadsDir}/";
"= /PNG/PVV-logo.svg".alias = ../../../../assets/logo_blue_regular.svg;
"= /PNG/PVV-logo.png".alias = ../../../../assets/logo_blue_regular.png;
"= /favicon.ico".alias = pkgs.runCommandLocal "mediawiki-favicon.ico" {
buildInputs = with pkgs; [ imagemagick ];
} ''
convert \
-resize x64 \
-gravity center \
-crop 64x64+0+0 \
${../../../../assets/logo_blue_regular.png} \
-flatten \
-colors 256 \
-background transparent \
$out
'';
};
};
}

11
hosts/bekkalokk/services/mediawiki/simplesaml-authsources.php

@ -1,11 +0,0 @@
<?php
$config = array(
'admin' => array(
'core:AdminPassword'
),
'default-sp' => array(
'saml:SP',
'entityID' => 'https://wiki2.pvv.ntnu.no/simplesaml/',
'idp' => 'https://idp2.pvv.ntnu.no/',
),
);

1293
hosts/bekkalokk/services/mediawiki/simplesaml-config.php

File diff suppressed because it is too large Load Diff

6
hosts/bekkalokk/services/nginx/default.nix

@ -16,12 +16,6 @@
recommendedProxySettings = true;
recommendedOptimisation = true;
recommendedGzipSettings = true;
virtualHosts."bekkalokk.pvv.ntnu.no" = {
enableACME = true;
forceSSL = true;
locations."/".return = "301 $scheme://git.pvv.ntnu.no$request_uri";
};
};
networking.firewall.allowedTCPPorts = [ 80 443 ];

6
hosts/bekkalokk/services/openldap.nix

@ -1,6 +0,0 @@
{ ... }:
{
services.openldap = {
enable = true;
};
}

25
hosts/bicep/services/matrix/element.nix

@ -24,26 +24,21 @@ in {
features = {
feature_latex_maths = true;
feature_pinning = true;
feature_render_reaction_images = true;
feature_state_counters = true;
# element call group calls
feature_group_calls = true;
feature_custom_status = false;
};
default_theme = "dark";
# Servers in this list should provide some sort of valuable scoping
# matrix.org is not useful compared to matrixrooms.info,
# because it has so many general members, rooms of all topics are on it.
# Something matrixrooms.info is already providing.
room_directory.servers = [
"pvv.ntnu.no"
"matrixrooms.info" # Searches all public room directories
"matrix.omegav.no" # Friends
"gitter.im" # gitter rooms
"mozilla.org" # mozilla and friends
"kde.org" # KDE rooms
"fosdem.org" # FOSDEM
"dodsorf.as" # PVV Member
"nani.wtf" # PVV Member
"matrix.omegav.no"
"matrix.org"
"libera.chat"
"gitter.im"
"mozilla.org"
"kde.org"
"t2bot.io"
"fosdem.org"
"dodsorf.as"
];
enable_presence_by_hs_url = {
"https://matrix.org" = false;

2
hosts/buskerud/configuration.nix

@ -4,6 +4,8 @@
./hardware-configuration.nix
../../base.nix
../../misc/metrics-exporters.nix
./containers/salsa/configuration.nix
];
# buskerud does not support efi?

27
hosts/buskerud/containers/salsa/NOTES.md Normal file

@ -0,0 +1,27 @@
# Misc docs
### Old stuff about storing kerberos state inside LDAP - might not be relevant
- https://wiki.debian.org/LDAP/OpenLDAPSetup#OpenLDAP_as_a_Backend
- https://ubuntu.com/server/docs/service-kerberos-with-openldap-backend
- https://forums.freebsd.org/threads/heimdal-and-openldap-integration-some-questions.58422/
- http://osr507doc.sco.com/cgi-bin/info2html?(heimdal.info.gz)Using%2520LDAP%2520to%2520store%2520the%2520database&lang=en
- https://bbs.archlinux.org/viewtopic.php?id=54236
- https://openldap-software.0penldap.narkive.com/Ml6seAGL/ldap-backend-for-heimdal-kerberos
### Heimdal setup
- http://chschneider.eu/linux/server/heimdal.shtml
- https://github.com/NixOS/nixpkgs/blob/master/nixos/tests/kerberos/heimdal.nix
- https://itk.samfundet.no/dok/Kerberos (possibly a bit dated)
### OpenLDAP setup with new olc stuff
- https://www.openldap.org/doc/admin26/
- https://www.openldap.org/doc/admin26/sasl.html#GSSAPI
- https://www.zytrax.com/books/ldap/
### SASLAUTHD
- https://linux.die.net/man/8/saslauthd
- https://www.cyrusimap.org/sasl/index.html

51
hosts/buskerud/containers/salsa/configuration.nix Normal file

@ -0,0 +1,51 @@
{ config, pkgs, lib, inputs, values, ... }:
{
containers.salsa = {
autoStart = true;
interfaces = [ "enp6s0f1" ];
bindMounts = {
"/data" = { hostPath = "/data/salsa"; isReadOnly = false; };
};
nixpkgs = inputs.nixpkgs-unstable;
config = { config, pkgs, ... }: let
inherit values inputs;
in {
imports = [
inputs.sops-nix.nixosModules.sops
../../../../base.nix
./services/heimdal
./services/openldap.nix
./services/saslauthd.nix
# https://github.com/NixOS/nixpkgs/pull/287611
./modules/krb5
./modules/kerberos
];
disabledModules = [
"security/krb5"
"services/system/kerberos/default.nix"
];
_module.args = {
inherit values inputs;
};
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
sops.age.keyFile = "/var/lib/sops-nix/key.txt";
sops.age.generateKey = true;
# systemd.network.networks."30-enp6s0f1" = values.defaultNetworkConfig // {
# matchConfig.Name = "enp6s0f1";
# address = with values.hosts.jokum; [ (ipv4 + "/25") (ipv6 + "/64") ]
# ++ (with values.services.turn; [ (ipv4 + "/25") (ipv6 + "/64") ]);
# };
networking.useHostResolvConf = lib.mkForce false;
system.stateVersion = "23.11";
};
};
}

101
hosts/buskerud/containers/salsa/modules/kerberos/default.nix Normal file

@ -0,0 +1,101 @@
{ config, pkgs, lib, ... }:
let
inherit (lib) mkOption types;
cfg = config.services.kerberos_server;
inherit (config.security.krb5) package;
format = import ../krb5/krb5-conf-format.nix { inherit pkgs lib; } { };
in
{
imports = [
(lib.mkRenamedOptionModule [ "services" "kerberos_server" "realms" ] [ "services" "kerberos_server" "settings" "realms" ])
./mit.nix
./heimdal.nix
];
options = {
services.kerberos_server = {
enable = lib.mkEnableOption (lib.mdDoc "the kerberos authentication server");
settings = let
aclEntry = types.submodule {
options = {
principal = mkOption {
type = types.str;
description = lib.mdDoc "Which principal the rule applies to";
};
access = mkOption {
type = types.either
(types.listOf (types.enum ["add" "cpw" "delete" "get" "list" "modify"]))
(types.enum ["all"]);
default = "all";
description = lib.mdDoc "The changes the principal is allowed to make.";
};
target = mkOption {
type = types.str;
default = "*";
description = lib.mdDoc "The principals that 'access' applies to.";
};
};
};
realm = types.submodule ({ name, ... }: {
freeformType = format.sectionType;
options = {
acl = mkOption {
type = types.listOf aclEntry;
default = [
{ principal = "*/admin"; access = "all"; }
{ principal = "admin"; access = "all"; }
];
description = lib.mdDoc ''
The privileges granted to a user.
'';
};
};
});
in mkOption {
type = types.submodule (format.type.getSubModules ++ [{
options = {
realms = mkOption {
type = types.attrsOf realm;
description = lib.mdDoc ''
The realm(s) to serve keys for.
'';
};
};
}]);
description = ''
Settings for the kerberos server of choice.
See the following documentation:
- Heimdal: {manpage}`kdc.conf(5)`
- MIT Kerberos: <https://web.mit.edu/kerberos/krb5-1.21/doc/admin/conf_files/kdc_conf.html>
'';
default = { };
};
};
};
config = lib.mkIf cfg.enable {
environment.systemPackages = [ package ];
assertions = [
{
assertion = cfg.settings.realms != { };
message = "The server needs at least one realm";
}
{
assertion = lib.length (lib.attrNames cfg.settings.realms) <= 1;
message = "Only one realm per server is currently supported.";
}
];
systemd.slices.system-kerberos-server = { };
systemd.targets.kerberos-server = {
wantedBy = [ "multi-user.target" ];
};
};
}

87
hosts/buskerud/containers/salsa/modules/kerberos/heimdal.nix Normal file

@ -0,0 +1,87 @@
{ pkgs, config, lib, ... } :
let
inherit (lib) mapAttrs;
cfg = config.services.kerberos_server;
package = config.security.krb5.package;
aclConfigs = lib.pipe cfg.settings.realms [
(mapAttrs (name: { acl, ... }: lib.concatMapStringsSep "\n" (
{ principal, access, target, ... }:
"${principal}\t${lib.concatStringsSep "," (lib.toList access)}\t${target}"
) acl))
(lib.mapAttrsToList (name: text:
{
dbname = "/var/lib/heimdal/heimdal";
acl_file = pkgs.writeText "${name}.acl" text;
}
))
];
finalConfig = cfg.settings // {
realms = mapAttrs (_: v: removeAttrs v [ "acl" ]) (cfg.settings.realms or { });
kdc = (cfg.settings.kdc or { }) // {
database = aclConfigs;
};
};
format = import ../krb5/krb5-conf-format.nix { inherit pkgs lib; } { };
kdcConfFile = format.generate "kdc.conf" finalConfig;
in
{
config = lib.mkIf (cfg.enable && package.passthru.implementation == "heimdal") {
environment.etc."heimdal-kdc/kdc.conf".source = kdcConfFile;
systemd.tmpfiles.settings."10-heimdal" = let
databases = lib.pipe finalConfig.kdc.database [
(map (dbAttrs: dbAttrs.dbname or null))
(lib.filter (x: x != null))
lib.unique
];
in lib.genAttrs databases (_: {
d = {
user = "root";
group = "root";
mode = "0700";
};
});
systemd.services.kadmind = {
description = "Kerberos Administration Daemon";
partOf = [ "kerberos-server.target" ];
wantedBy = [ "kerberos-server.target" ];
serviceConfig = {
ExecStart = "${package}/libexec/kadmind --config-file=/etc/heimdal-kdc/kdc.conf";
Slice = "system-kerberos-server.slice";
StateDirectory = "heimdal";
};
restartTriggers = [ kdcConfFile ];
};
systemd.services.kdc = {
description = "Key Distribution Center daemon";
partOf = [ "kerberos-server.target" ];
wantedBy = [ "kerberos-server.target" ];
serviceConfig = {
ExecStart = "${package}/libexec/kdc --config-file=/etc/heimdal-kdc/kdc.conf";
Slice = "system-kerberos-server.slice";
StateDirectory = "heimdal";
};
restartTriggers = [ kdcConfFile ];
};
systemd.services.kpasswdd = {
description = "Kerberos Password Changing daemon";
partOf = [ "kerberos-server.target" ];
wantedBy = [ "kerberos-server.target" ];
serviceConfig = {
ExecStart = "${package}/libexec/kpasswdd";
Slice = "system-kerberos-server.slice";
StateDirectory = "heimdal";
};
restartTriggers = [ kdcConfFile ];
};
};
}

77
hosts/buskerud/containers/salsa/modules/kerberos/mit.nix Normal file

@ -0,0 +1,77 @@
{ pkgs, config, lib, ... } :
let
inherit (lib) mapAttrs;
cfg = config.services.kerberos_server;
package = config.security.krb5.package;
PIDFile = "/run/kdc.pid";
format = import ../krb5/krb5-conf-format.nix { inherit pkgs lib; } { };
aclMap = {
add = "a"; cpw = "c"; delete = "d"; get = "i"; list = "l"; modify = "m";
all = "*";
};
aclConfigs = lib.pipe cfg.settings.realms [
(mapAttrs (name: { acl, ... }: lib.concatMapStringsSep "\n" (
{ principal, access, target, ... }: let
access_code = map (a: aclMap.${a}) (lib.toList access);
in "${principal} ${lib.concatStrings access_code} ${target}"
) acl))
(lib.concatMapAttrs (name: text: {
${name} = {
acl_file = pkgs.writeText "${name}.acl" text;
};
}))
];
finalConfig = cfg.settings // {
realms = mapAttrs (n: v: (removeAttrs v [ "acl" ]) // aclConfigs.${n}) (cfg.settings.realms or { });
};
kdcConfFile = format.generate "kdc.conf" finalConfig;
env = {
# What Debian uses, could possibly link directly to Nix store?
KRB5_KDC_PROFILE = "/etc/krb5kdc/kdc.conf";
};
in
{
config = lib.mkIf (cfg.enable && package.passthru.implementation == "krb5") {
environment = {
etc."krb5kdc/kdc.conf".source = kdcConfFile;
variables = env;
};
systemd.services.kadmind = {
description = "Kerberos Administration Daemon";
partOf = [ "kerberos-server.target" ];
wantedBy = [ "kerberos-server.target" ];
serviceConfig = {
ExecStart = "${package}/bin/kadmind -nofork";
Slice = "system-kerberos-server.slice";
StateDirectory = "krb5kdc";
};
restartTriggers = [ kdcConfFile ];
environment = env;
};
systemd.services.kdc = {
description = "Key Distribution Center daemon";
partOf = [ "kerberos-server.target" ];
wantedBy = [ "kerberos-server.target" ];
serviceConfig = {
Type = "forking";
PIDFile = PIDFile;
ExecStart = "${package}/bin/krb5kdc -P ${PIDFile}";
Slice = "system-kerberos-server.slice";
StateDirectory = "krb5kdc";
};
restartTriggers = [ kdcConfFile ];
environment = env;
};
};
}

18
hosts/bekkalokk/services/kerberos/krb5.nix → hosts/buskerud/containers/salsa/modules/krb5/default.nix

@ -77,8 +77,22 @@ in {
};
};
config = mkIf cfg.enable {
environment = {
config = {
assertions = mkIf (cfg.enable || config.services.kerberos_server.enable) [(let
implementation = cfg.package.passthru.implementation or "<NOT SET>";
in {
assertion = lib.elem implementation [ "krb5" "heimdal" ];
message = ''
`security.krb5.package` must be one of:
- krb5
- heimdal
Currently chosen implementation: ${implementation}
'';
})];
environment = mkIf cfg.enable {
systemPackages = [ cfg.package ];
etc."krb5.conf".source = format.generate "krb5.conf" cfg.settings;
};

20
hosts/bekkalokk/services/kerberos/krb5-conf-format.nix → hosts/buskerud/containers/salsa/modules/krb5/krb5-conf-format.nix

@ -10,14 +10,19 @@ let
inherit (lib.types) attrsOf bool coercedTo either int listOf oneOf path
str submodule;
in
{ }: {
type = let
section = attrsOf relation;
relation = either (attrsOf value) value;
{ }: rec {
sectionType = let
relation = oneOf [
(listOf (attrsOf value))
(attrsOf value)
value
];
value = either (listOf atom) atom;
atom = oneOf [int str bool];
in submodule {
freeformType = attrsOf section;
in attrsOf relation;
type = submodule {
freeformType = attrsOf sectionType;
options = {
include = mkOption {
default = [ ];
@ -71,6 +76,9 @@ in
${name} = {
${indent (concatStringsSep "\n" (mapAttrsToList formatValue relation))}
}''
else if isList relation
then
concatMapStringsSep "\n" (formatRelation name) relation
else formatValue name relation;
formatValue = name: value:

78
hosts/buskerud/containers/salsa/services/heimdal/default.nix Normal file

@ -0,0 +1,78 @@
{ config, pkgs, lib, ... }:
let
realm = "PVV.NTNU.NO";
cfg = config.security.krb5;
in
{
security.krb5 = {
enable = true;
# NOTE: This has a small edit that moves an include header to $dev/include.
# It is required in order to build smbk5pwd, because of some nested includes.
# We should open an issue upstream (heimdal, not nixpkgs), but this patch
# will do for now.
# package = pkgs.heimdal;
package = pkgs.callPackage ./package.nix {
inherit (pkgs.apple_sdk.frameworks)
CoreFoundation Security SystemConfiguration;
};
settings = {
logging.kdc = "CONSOLE";
realms.${realm} = {
admin_server = "localhost";
kdc = [ "localhost" ];
};
kadmin.default_keys = lib.concatStringsSep " " [
"aes256-cts-hmac-sha1-96:pw-salt"
"aes128-cts-hmac-sha1-96:pw-salt"
];
libdefaults.default_etypes = lib.concatStringsSep " " [
"aes256-cts-hmac-sha1-96"
"aes128-cts-hmac-sha1-96"
];
libdefaults = {
default_realm = realm;
};
domain_realm = {
"pvv.ntnu.no" = realm;
".pvv.ntnu.no" = realm;
};
};
};
services.kerberos_server = {
enable = true;
settings = {
realms.${realm} = {
dbname = "/var/heimdal/heimdal";
mkey = "/var/heimdal/mkey";
};
# kadmin.default_keys = lib.concatStringsSep " " [
# "aes256-cts-hmac-sha1-96:pw-salt"
# "aes128-cts-hmac-sha1-96:pw-salt"
# ];
# libdefaults.default_etypes = lib.concatStringsSep " " [
# "aes256-cts-hmac-sha1-96"
# "aes128-cts-hmac-sha1-96"
# ];
# password_quality.min_length = 8;
};
};
# NOTE: These changes are part of nixpkgs-unstable, but not 23.11.
# The package override needs these changes.
# systemd.services = {
# kdc.serviceConfig.ExecStart = lib.mkForce "${cfg.package}/libexec/kadmind --config-file=/etc/heimdal-kdc/kdc.conf";
# kpasswdd.serviceConfig.ExecStart = lib.mkForce "${cfg.package}/libexec/kpasswdd";
# kadmind.serviceConfig.ExecStart = lib.mkForce "${cfg.package}/libexec/kdc --config-file=/etc/heimdal-kdc/kdc.conf";
# };
}

180
hosts/buskerud/containers/salsa/services/heimdal/package.nix Normal file

@ -0,0 +1,180 @@
{ lib
, stdenv
, fetchFromGitHub
, autoreconfHook
, pkg-config
, python3
, perl
, bison
, flex
, texinfo
, perlPackages
, openldap
, libcap_ng
, sqlite
, openssl
, db
, libedit
, pam
, krb5
, libmicrohttpd
, cjson
, CoreFoundation
, Security
, SystemConfiguration
, curl
, jdk
, unzip
, which
, nixosTests
, withCJSON ? true
, withCapNG ? stdenv.isLinux
# libmicrohttpd should theoretically work for darwin as well, but something is broken.
# It affects tests check-bx509d and check-httpkadmind.
, withMicroHTTPD ? stdenv.isLinux
, withOpenLDAP ? true
, withOpenLDAPAsHDBModule ? false
, withOpenSSL ? true
, withSQLite3 ? true
}:
assert lib.assertMsg (withOpenLDAPAsHDBModule -> withOpenLDAP) ''
OpenLDAP needs to be enabled in order to build the OpenLDAP HDB Module.
'';
stdenv.mkDerivation {
pname = "heimdal";
version = "7.8.0-unstable-2023-11-29";
src = fetchFromGitHub {
owner = "heimdal";
repo = "heimdal";
rev = "3253c49544eacb33d5ad2f6f919b0696e5aab794";
hash = "sha256-uljzQBzXrZCZjcIWfioqHN8YsbUUNy14Vo+A3vZIXzM=";
};
outputs = [ "out" "dev" "man" "info" ];
nativeBuildInputs = [
autoreconfHook
pkg-config
python3
perl
bison
flex
texinfo
]
++ (with perlPackages; [ JSON ]);
buildInputs = [ db libedit pam ]
++ lib.optionals (stdenv.isDarwin) [ CoreFoundation Security SystemConfiguration ]
++ lib.optionals (withCJSON) [ cjson ]
++ lib.optionals (withCapNG) [ libcap_ng ]
++ lib.optionals (withMicroHTTPD) [ libmicrohttpd ]
++ lib.optionals (withOpenLDAP) [ openldap ]
++ lib.optionals (withOpenSSL) [ openssl ]
++ lib.optionals (withSQLite3) [ sqlite ];
doCheck = true;
nativeCheckInputs = [
curl
jdk
unzip
which
];
configureFlags = [
"--with-libedit-include=${libedit.dev}/include"
"--with-libedit-lib=${libedit}/lib"
# "--with-berkeley-db-include=${db.dev}/include"
"--with-berkeley-db=${db}/lib"
"--without-x"
"--disable-afs-string-to-key"
] ++ lib.optionals (withCapNG) [
"--with-capng"
] ++ lib.optionals (withCJSON) [
"--with-cjson=${cjson}"
] ++ lib.optionals (withOpenLDAP) [
"--with-openldap=${openldap.dev}"
] ++ lib.optionals (withOpenLDAPAsHDBModule) [
"--enable-hdb-openldap-module"
] ++ lib.optionals (withSQLite3) [
"--with-sqlite3=${sqlite.dev}"
];
# (check-ldap) slapd resides within ${openldap}/libexec,
# which is not part of $PATH by default.
# (check-ldap) prepending ${openldap}/bin to the path to avoid
# using the default installation of openldap on unsandboxed darwin systems,
# which does not support the new mdb backend at the moment (2024-01-13).
# (check-ldap) the bdb backend got deprecated in favour of mdb in openldap 2.5.0,
# but the heimdal tests still seem to expect bdb as the openldap backend.
# This might be fixed upstream in a future update.
patchPhase = ''
runHook prePatch
substituteInPlace tests/ldap/slapd-init.in \
--replace 'SCHEMA_PATHS="' 'SCHEMA_PATHS="${openldap}/etc/schema '
substituteInPlace tests/ldap/check-ldap.in \
--replace 'PATH=' 'PATH=${openldap}/libexec:${openldap}/bin:'
substituteInPlace tests/ldap/slapd.conf \
--replace 'database bdb' 'database mdb'
runHook postPatch
'';
# (test_cc) heimdal uses librokens implementation of `secure_getenv` on darwin,
# which expects either USER or LOGNAME to be set.
preCheck = lib.optionalString (stdenv.isDarwin) ''
export USER=nix-builder
'';
# We need to build hcrypt for applications like samba
postBuild = ''
(cd include/hcrypto; make -j $NIX_BUILD_CORES)
(cd lib/hcrypto; make -j $NIX_BUILD_CORES)
'';
postInstall = ''
# Install hcrypto
(cd include/hcrypto; make -j $NIX_BUILD_CORES install)
(cd lib/hcrypto; make -j $NIX_BUILD_CORES install)
mkdir -p $dev/bin
mv $out/bin/krb5-config $dev/bin/
# asn1 compilers, move them to $dev
mv $out/libexec/heimdal/* $dev/bin
rmdir $out/libexec/heimdal
cp include/heim_threads.h $dev/include
# compile_et is needed for cross-compiling this package and samba
mv lib/com_err/.libs/compile_et $dev/bin
'';
# Issues with hydra
# In file included from hxtool.c:34:0:
# hx_locl.h:67:25: fatal error: pkcs10_asn1.h: No such file or directory
#enableParallelBuilding = true;
passthru = {
implementation = "heimdal";
tests.nixos = nixosTests.kerberos.heimdal;
};
meta = with lib; {
homepage = "https://www.heimdal.software";
changelog = "https://github.com/heimdal/heimdal/releases";
description = "An implementation of Kerberos 5 (and some more stuff)";
license = licenses.bsd3;
platforms = platforms.unix;
maintainers = with maintainers; [ h7x4 ];
};
}

0
packages/heimdal/default.nix → hosts/buskerud/containers/salsa/services/heimdal/package2.nix

115
hosts/buskerud/containers/salsa/services/openldap.nix Normal file

@ -0,0 +1,115 @@
{ config, pkgs, lib, ... }:
{
services.openldap = let
dn = "dc=kerberos,dc=pvv,dc=ntnu,dc=no";
cfg = config.services.openldap;
in {
enable = true;
# NOTE: this is a custom build of openldap with support for
# perl and kerberos.
package = pkgs.openldap.overrideAttrs (prev: {
# https://github.com/openldap/openldap/blob/master/configure
configureFlags = prev.configureFlags ++ [
# Connect to slapd via UNIX socket
"--enable-local"
# Cyrus SASL
"--enable-spasswd"
# Reverse hostname lookups
"--enable-rlookups"
# perl
"--enable-perl"
];
buildInputs = prev.buildInputs ++ (with pkgs; [
perl
config.security.krb5.package
]);
extraContribModules = prev.extraContribModules ++ [
# https://git.openldap.org/openldap/openldap/-/tree/master/contrib/slapd-modules
"smbk5pwd"
];
});
settings = {
attrs = {
olcLogLevel = [ "stats" "config" "args" ];
# olcAuthzRegexp = ''
# gidNumber=.*\\\+uidNumber=0,cn=peercred,cn=external,cn=auth
# "uid=heimdal,${dn2}"
# '';
# olcSaslSecProps = "minssf=0";
};
children = {
"cn=schema".includes = let
# NOTE: needed for smbk5pwd.so module
# schemaToLdif = name: path: pkgs.runCommandNoCC name {
# buildInputs = with pkgs; [ schema2ldif ];
# } ''
# schema2ldif "${path}" > $out
# '';
# hdb-ldif = schemaToLdif "hdb.ldif" "${pkgs.heimdal.src}/lib/hdb/hdb.schema";
# samba-ldif = schemaToLdif "samba.ldif" "${pkgs.heimdal.src}/tests/ldap/samba.schema";
in [
"${cfg.package}/etc/schema/core.ldif"
"${cfg.package}/etc/schema/cosine.ldif"
"${cfg.package}/etc/schema/nis.ldif"
"${cfg.package}/etc/schema/inetorgperson.ldif"
# "${hdb-ldif}"
# "${samba-ldif}"
];
# NOTE: installation of smbk5pwd.so module
# https://git.openldap.org/openldap/openldap/-/tree/master/contrib/slapd-modules/smbk5pwd
# "cn=module{0}".attrs = {
# objectClass = [ "olcModuleList" ];
# olcModuleLoad = [ "${cfg.package}/lib/modules/smbk5pwd.so" ];
# };
# NOTE: activation of smbk5pwd.so module for {1}mdb
# "olcOverlay={0}smbk5pwd,olcDatabase={1}mdb".attrs = {
# objectClass = [ "olcOverlayConfig" "olcSmbK5PwdConfig" ];
# olcOverlay = "{0}smbk5pwd";
# olcSmbK5PwdEnable = [ "krb5" "samba" ];
# olcSmbK5PwdMustChange = toString (60 * 60 * 24 * 30);
# };
"olcDatabase={1}mdb".attrs = {
objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ];
olcDatabase = "{1}mdb";
olcSuffix = dn;
# TODO: PW is supposed to be a secret, but it's probably fine for testing
olcRootDN = "cn=admin,${dn}";
olcRootPW.path = pkgs.writeText "olcRootPW" "pass";
olcDbDirectory = "/var/lib/openldap/test-db";
olcDbIndex = "objectClass eq";
olcAccess = [
''{0}to attrs=userPassword,shadowLastChange
by dn.exact=cn=admin,${dn} write
by self write
by anonymous auth
by * none''
''{1}to dn.base=""
by * read''
/* allow read on anything else */
# ''{2}to *
# by cn=admin,${dn} write by dn.exact=gidNumber=0+uidNumber=0+cn=peercred,cn=external write
# by * read''
];
};
};
};
};
}

14
hosts/buskerud/containers/salsa/services/saslauthd.nix Normal file

@ -0,0 +1,14 @@
{ ... }:
{
# TODO: This is seemingly required for openldap to authenticate
# against kerberos, but I have no idea how to configure it as
# such. Does it need a keytab? There's a binary "testsaslauthd"
# that follows with `pkgs.cyrus_sasl` that might be useful.
services.saslauthd = {
enable = true;
mechanism = "kerberos5";
# config = ''
# '';
};
}

7
packages/mediawiki-extensions/default.nix

@ -1,7 +0,0 @@
{ pkgs, lib }:
lib.makeScope pkgs.newScope (self: {
DeleteBatch = self.callPackage ./delete-batch { };
PluggableAuth = self.callPackage ./pluggable-auth { };
SimpleSAMLphp = self.callPackage ./simple-saml-php { };
UserMerge = self.callPackage ./user-merge { };
})

7
packages/mediawiki-extensions/delete-batch/default.nix

@ -1,7 +0,0 @@
{ fetchzip }:
fetchzip {
name = "mediawiki-delete-batch";
url = "https://extdist.wmflabs.org/dist/extensions/DeleteBatch-REL1_41-5774fdd.tar.gz";
hash = "sha256-ROkn93lf0mNXBvij9X2pMhd8LXZ0azOz7ZRaqZvhh8k=";
}

7
packages/mediawiki-extensions/pluggable-auth/default.nix

@ -1,7 +0,0 @@
{ fetchzip }:
fetchzip {
name = "mediawiki-pluggable-auth-source";
url = "https://extdist.wmflabs.org/dist/extensions/PluggableAuth-REL1_41-d5b3ad8.tar.gz";
hash = "sha256-OLlkKeSlfNgWXWwDdINrYRZpYuSGRwzZHgU8EYW6rYU=";
}

7
packages/mediawiki-extensions/simple-saml-php/default.nix

@ -1,7 +0,0 @@
{ fetchzip }:
fetchzip {
name = "mediawiki-simple-saml-php-source";
url = "https://extdist.wmflabs.org/dist/extensions/SimpleSAMLphp-REL1_41-9ae0678.tar.gz";
hash = "sha256-AmCaG5QXMJvi3N6zFyWylwYDt8GvyIk/0GFpM1Y0vkY=";
}

66
packages/mediawiki-extensions/update-mediawiki-extensions.py

@ -1,66 +0,0 @@
#!/usr/bin/env nix-shell
#!nix-shell -i python3 -p "python3.withPackages(ps: with ps; [ beautifulsoup4 requests ])"
import os
from pathlib import Path
import re
import subprocess
from collections import defaultdict
from pprint import pprint
import bs4
import requests
BASE_URL = "https://extdist.wmflabs.org/dist/extensions"
def fetch_plugin_list(skip_master=True) -> dict[str, list[str]]:
content = requests.get(BASE_URL).text
soup = bs4.BeautifulSoup(content, features="html.parser")
result = defaultdict(list)
for a in soup.find_all('a'):
if skip_master and 'master' in a.text:
continue
split = a.text.split('-')
result[split[0]].append(a.text)
return result
def update(package_file: Path, plugin_list: dict[str, list[str]]) -> None:
assert package_file.is_file()
with open(package_file) as file:
content = file.read()
tarball = re.search(f'url = "{BASE_URL}/(.+\.tar\.gz)";', content).group(1)
split = tarball.split('-')
updated_tarball = plugin_list[split[0]][-1]
_hash = re.search(f'hash = "(.+?)";', content).group(1)
out, err = subprocess.Popen(
["nix-prefetch-url", "--unpack", "--type", "sha256", f"{BASE_URL}/{updated_tarball}"],
stdout=subprocess.PIPE,
stderr=subprocess.PIPE
).communicate()
out, err = subprocess.Popen(
["nix", "hash", "to-sri", "--type", "sha256", out.decode().strip()],
stdout=subprocess.PIPE,
stderr=subprocess.PIPE
).communicate()
updated_hash = out.decode().strip()
if tarball == updated_tarball and _hash == updated_hash:
return
print(f"Updating: {tarball} ({_hash[7:14]}) -> {updated_tarball} ({updated_hash[7:14]})")
updated_text = re.sub(f'url = "{BASE_URL}/.+?\.tar\.gz";', f'url = "{BASE_URL}/{updated_tarball}";', content)
updated_text = re.sub('hash = ".+";', f'hash = "{updated_hash}";', updated_text)
with open(package_file, 'w') as file:
file.write(updated_text)
if __name__ == "__main__":
plugin_list = fetch_plugin_list()
for direntry in os.scandir(Path(__file__).parent):
if direntry.is_dir():
update(Path(direntry) / "default.nix", plugin_list)

7
packages/mediawiki-extensions/user-merge/default.nix

@ -1,7 +0,0 @@
{ fetchzip }:
fetchzip {
name = "mediawiki-user-merge-source";
url = "https://extdist.wmflabs.org/dist/extensions/UserMerge-REL1_41-a53af3b.tar.gz";
hash = "sha256-TxUkEqMW79thYl1la2r+w9laRnd3uSYYg1xDB+1he1g=";
}

38
packages/simplesamlphp/default.nix

@ -1,38 +0,0 @@
{ lib
, php
, writeText
, fetchFromGitHub
, extra_files ? { }
}:
php.buildComposerProject rec {
pname = "simplesamlphp";
version = "2.2.1";
src = fetchFromGitHub {
owner = "simplesamlphp";
repo = "simplesamlphp";
rev = "v${version}";
hash = "sha256-jo7xma60M4VZgeDgyFumvJp1Sm+RP4XaugDkttQVB+k=";
};
composerStrictValidation = false;
vendorHash = "sha256-n6lJ/Fb6xI124PkKJMbJBDiuISlukWQcHl043uHoBb4=";
# TODO: metadata could be fetched automagically with these:
# - https://simplesamlphp.org/docs/contrib_modules/metarefresh/simplesamlphp-automated_metadata.html
# - https://idp.pvv.ntnu.no/simplesaml/saml2/idp/metadata.php
postPatch = lib.pipe extra_files [
(lib.mapAttrsToList (target_path: source_path: ''
mkdir -p $(dirname "${target_path}")
cp -r "${source_path}" "${target_path}"
''))
(lib.concatStringsSep "\n")
];
postInstall = ''
ln -sr $out/share/php/simplesamlphp/vendor/simplesamlphp/simplesamlphp-assets-base $out/share/php/simplesamlphp/public/assets/base
'';
}

17
secrets/bekkalokk/bekkalokk.yaml

@ -10,18 +10,9 @@ gitea:
epsilon: ENC[AES256_GCM,data:JMnZVBdiy+5oPyXgDpfYvy7qLzIEfHy09fQSBDpNG4zDXTil2pSKBKxk09h5xg==,iv:/8oXKJW6+sMBjDt51MqVAWjQPM5nk02Lv5QqbZsZ5ms=,tag:+Rx7ursfVWc0EcExCLgLhQ==,type:str]
mediawiki:
password: ENC[AES256_GCM,data:HsBuA1E7187roGnKuFPfPDYxA16GFjAUucgUtrdUFmcOzmTNiFH+NWY2ZQ==,iv:vDYUmmZftcrkDtJxNYKAJSx9j+AQcmQarC62QRHR4IM=,tag:3TKjNrGRivFWoK3djC748g==,type:str]
postgres_password: ENC[AES256_GCM,data:XIOmrOVXWvMMcPJtmovhdyZvLlhmrsrwjuMMkdEY1NIXWjevj5XEkp6Cpw==,iv:KMPTRzu3H/ewfEhc/O0q3o230QNkABfPYF/D1SYL2R8=,tag:sFZiFPHWxwzD9HndPmH3pQ==,type:str]
simplesamlphp:
postgres_password: ENC[AES256_GCM,data:FzykBVtJbA+Bey1GE5VqnSuv2GeobH1j,iv:wayQH3+y0FYFkr3JjmulI53SADk0Ikur/2mUS5kFrTk=,tag:d+nQ/se2bDA5aaQfBicnPQ==,type:str]
cookie_salt: ENC[AES256_GCM,data:BioRPAvL4F9ORBJDFdqHot81RhVpAOf32v1ah3pvOLq8E88bxGyKFQZxAwpIL3UkWQIsWMnEerm5MEMYL1C2OQ==,iv:yMVqiPTQ8hO1IVAax6PIkD0V9YTOEunwDTtnGcmy6Kc=,tag:Z4+bZF4olLlkx7YpXeQiUw==,type:str]
admin_password: ENC[AES256_GCM,data:4eUXvcO7NLOWke9XShfKzj+x3FvqPONa,iv:3iZ+BTBTZ7yMJ0HT14cEMebKZattWUcYEevRsl/6WOk=,tag:CU0iDhPP2ndztdX5U5A4cw==,type:str]
database: ENC[AES256_GCM,data:EvVK3Mo6cZiIZS+gTxixU4r9SXN41VqwaWOtortZRNH+WPJ4xcYvzYMJNg==,iv:JtFTRLn3fzKIfgAPRqRgQjct7EdkEHtiyQKPy8/sZ2Q=,tag:nqzseG6BC0X5UNI/3kZZ3A==,type:str]
keycloak:
database: ENC[AES256_GCM,data:76+AZnNR5EiturTP7BdOCKE90bFFkfGlRtviSP5NHxPbb3RfFPJEMlwtzA==,iv:nS7VTossHdlrHjPeethhX+Ysp9ukrb5JD7kjG28OFpY=,tag:OMpiEv9nQA7v6lWJfNxEEw==,type:str]
idp:
cookie_salt: ENC[AES256_GCM,data:cyV6HDCPHKQIa8T1+rFBFh6EuHtG5B508lg6uFYENK7qVpYuiTUIokdVQhY8SRLs2mECx/ampgnUHxCRB/Cc/A==,iv:QRrRUhzRQrLkmg38rrYtCEfF8U4/7ZHZUDSEq++BlbI=,tag:fLqFSLd+CKqJvmCh1fx8vg==,type:str]
admin_password: ENC[AES256_GCM,data:Vf33Oenk6x6BIij1uW8RQDjTPcKhUVYA,iv:RNeyCNpTAYdBPrZwE3Y6CCjoAML/3XUvjfJCrr06IEU=,tag:zVOrx1oXnEyr/VwFCFaCDQ==,type:str]
postgres_password: ENC[AES256_GCM,data:HGwKLbn/umPLPgH+qpXtugvXzOcXdlhK,iv:ypTW0VLSape8K5aCYu3BdjG/oMmqvfDSLw9uGLthb0Q=,tag:qlDMGz59qzMwEwBYxsC0XQ==,type:str]
privatekey: ENC[AES256_GCM,data:pK74wjuk9lt2PNJIzi6NpPBkxcSRsBZJl28BElUiri2zz17CY81x66CMlFsNjvzKB3JVX+b28FHFuSsEpd/mAPtmzZPR+CoWBHvU+OrSYYoufBxexRTtXzu0vx/KFL4X5tsb+GCgfm72CM+u9dElYHJzn3teBUmZc0pIoF29slTuwF+iZrbFwaieECxXMjHC9f+ivxWQsOvYFjhmAwgjBw/LsfURgLxZwcIRiiKsN41P2WtR9a/hjN53sJnihL9VZw/Xbbynm+bDmaAwhKUAZR28TU9Q1PTfNPEAOMoRgKF4MFuhQ5o0Cxq8RRz7fwCcCTV2sK4jgL7gKiy/gI/K41ybPQPon3NrDj3U2G1VhNgBfSNaTHgygiWI08HGWRHk83eJPHp3Ph8/A774g15SE10BXkL12n0kzodsZWYu3ybrhp167vL/ZW3xUnvFFlm4dTX/ndwS5rp1dIW0a5/0EDwMoGIJw94W5ph5sK9YoUTXwLdAJ9UWRZKQGk6iJstq2BMEBAN2BCSPHS2cflMjoVV4KKX1eq6s8/w6YFzCSQkt3+pGQ3DmiOaaqiv7sUfxyfMDzDcuTVETYRhsvr1ChfBFNn1yoH8BffeVTI2Ei3Edek1vXcg05mHxslhCmzQ4U4us0agtpm2Ar6ppvuedJHLWLFz8pgWSENeGdRcbz0CXiy7lIEYW4uQBru4MAjQ+ZQhz/F4L6At60Q4NelYMDxryQ8LxV0fA/ba2llwl8bDHDFDYkxu3/IaaWG8bp1i6gqvEao3/CRpPt/OAJGAHO3HViPm6xmWlWinUEatNlgCoDotkc56eZU/Af/P7R0QPQF0PpEIDHPcNjc/HcfheUXzJSzkD7wja8VB6rtqdRHFC793QsgdHJMJ+/bvJWZSQciSwaY3PBKLLuB6vrn7VD2NB4cE6beaGwneiAn83lAV+I4cJMDQFLkhWm8LIC7JIZKq/7eBfDEmajWEBL6wSbomBi/UGbA+FyvOokYYMemwVu1JGULcz9Lvn6pxkftQlN0gqE3MncrcZ/l59fepbka/z8oqH6i+3nKdaEh6D+WudD/0xiJSdXAVM6jGrxQtFc1R+OmGTTKJB4aLqgcM25YQ760wKavx5+B52pSki7XdYLmb6Xbnnv7AnyCNmGcpcj795P7qasE2sVokqq9a2PZD7VhP9TPHGtEO6QkkNV5gLxGsGvmshMM8KQgjK60HPQuSfHFVN/SlcOKvvH5ec8sBuYUt24xcDPewV9cXZwjcmwufFOVbC72FTEmU5qvmKobJTGjjbhWsHwpopESctmXuArIcVPsX5jSe3C9Y+9tjbkBGW6/+o8pTfodsjioXevVDXwjVBmGYk8xjZtF6/xfhpWvfunDXgEhnpT4i6ikoQiva8Mw8NvLe8U8Ivr6qCDE4ys4RTs56aw/CJHzydKjX96ZPzim52fAIJvEt1HvMvQx/O/q00h0WujYBcSBivYDtl7hC2fl6pBvM7fjipbeF04idkAKKXf4j6SGunx4hWq+eIA5tnlG8XVZZKIpdXKLgarvWs5pLlTSAK5ckF/yddcik7gAZc+pwo8kCAXIXPisX/yw9cZhI51PNTG1yxtPHAWKgULYLoWcnBCGTmPVXmj6IhpGuNuQ18TTpEtwnrMmcGq6aG/M2ZI+oq0q6suJUWwsCKUVM/TS6SKXEArzDtOMdXgyyDC/H3u+w3Bt/DwALLacq6lwoKBJZxQ6ewv3+ZkLcOkMRKu97hgV+rKmFqdPXqs+Skrf2MRl48sUCPIUXhD46ocFNpemcXcr73G7AxmmFLT6T4ZFm69K6eftUP6FsgUwbed+SaWTeptaG+wueL1NECoXafGlJAmXkjbBdWVgF2oMQFP3Kau135fiqmHpoWGzG5UhKxshTTtRIvbG/296NOkNZWBT/VzjwZti3IUka7HjC3leu28IlLsN0fsNPjQc2uIR3uVsR020g6et0m/Nys9gHDWXG/aCAYKhrgU8w37ZHBs383rkl4uUIYJH61SmTS4JP/wgh/+Q1aU8gXaZ8/Bc0BZUJdF3JR48fjkuMi2A8q5vkTQ1yFCvbBTtdg336v5tZc/xOW5/pt0W1Y7IgPFwHNh4iPAtKQZ3Qybh5PXs4N80YeYFWIjV6Ai0uY4yPdwYPfd1pRdpf3Ll+bhnbDPg0ye4f9lAhSR/cAZpft7BTd6W6jCv8QfWZcDmoBGZy68GZsYfCJ3QAo6szxzDtuyp7WMJRxioPt1EVA9q+8Rp7hHmZosoZOIUV+q3W5yZymL/PXZABiIc2OW9kryNlxQlBo79CSLGdXWeMq3dN1MSWoKJzxEseQqtSY5E1DYQosT1+3B8DXm77WSLMuB6OLjEz760y8jyIiLTGAVslcOb5XNfrQf5+l52nxCl/uSZo9FxiKg7ip0v3PZLuFSTSEaR2R2WeSuv/KoXi7WxFiG6VskpyL5jMhBwjepExFVosrOi4XugqR8vD3byTYUnmQvWJyyrI2LqQsYsa3o65SIO4g8SMKRsJJ8WWHpywLjF00HJSWiGRu8bQguvDTQd3UP6lgudzpubERXuUIBiMPqBKFJ1QTWA6N/t7dxR7NVaSexrGmY4ZSoIBKb9Jnge/+lkKrO9CgqDQpTAAvwwBZpFOV7EYLZNRpW+F8HaCNMeql7V/nFqdaaNdm9yLBhXbaeujalyiLtvBCghe330JVjbBTYWiRulJ2xnlX4GLzORBRIVHJYjxEKzCeVW7J2wAKkJ6gx5rlfDOd6r+Tf+1L8ZZoJEdBhIW7flslxo4amGRTI9QGJKVCIq/hrUGEgIAKsDsqTd21lVdhy+EDM+gumO7FbMcqVPRpwmQMFAZbJgH6TeS46tA4XQJGbwQhhBaqVb3jz7OJVOZ9C3/XfxPPpK4B2OyqINKNIRfyZ0fSmGlIT4LPf2IUEDCEKuPd3ClX51qNnVAPt/MbooF++Vp91KImdqCHwdiAygZTH9u91UN8S9IW8vo0XE4eAgdInjOM+IzUPhC+G8i6UNHbOpfQ7dntDc2nCv4nFKLjLZrgpm2kFrQ60/gDlbXBFF2eRcfYkSQSxVLWC4kWF1ce9YZf/j6erm6GnsQiyNoePe/Nb0v2f5DAR+9yoSJEOAi/AHacA9Dq5kfcoOYCrLkoc17SKQYmy/M9m5Mh3inI/O4wbUQrYDKHT0j77BJnkY11M6AiEF9YC0F4lCV4hIefQ3PnI4nmmo9b8rHnqvmrwUZrcOom6Zp+A7ydo4t0Bw1cDzEwJfpcb3JjpFi7F32/vHHLtGuPDvcJqkhw8VLuaAWAcEPJcIHJ+vAKCGWtDH7yQEOhFq4touwyPYDWBA5tqPY2xkFIAImFRhyLtTQupiNbZVR4G4dj24l8uQl2iz9aoDbJlNhoT+9YhwrKrYdM6hqnvpmiYqLIM+2kijZ8JmBS0BWNLCr+6rnbZbEB5e1ezokice8HQ1XcXbsegcI+eJ+gfDhYKw75VVyOd1Uy/pjLCCwQTywTIbf3iSuETvs3YjQrET1m7GJm3q8G4dx2M9c2B7R6B0ej06pkC4WwzFg3hEG6z2BaNrkopKkoE99bjoB2VHkgGTe+YM1Q3t+jA8IB7XNlnVH82AJ6eDMqgGSWBZiGxwx0KVUMg7cTi0iD6JNSYea0ykw+fh7Mj+8N0zhmzdUjdNBwZqxHVUbqIhUhk6meGRN5EASyt6qR329AqzbKaloS2VqjLjDkSEMhQfL4jHa8yPp8Cyj6EjgM2n5LnZs0u/43eh0h4ig3zQYMkwrHixI5hNQTBwSm3QnNpr3OnXAlypCPbCTiMC5sxHfrSTFkmjduT29aZ5qHQOc5zYG5bE2CmhWJdCOZm1s1mUT+Pxbxf4m/sh8w7TwnA+leD1rUvwYfyl5WI8f071vPcg62uTwScxr+TErvdzAkg9HElnsO6km0IncHIh79zexCR51CrtrZAVxc1gnnDtTLsaKmcEDkqIY4U2cUv+1CtPWz7IfKea9B56x+bFY32pwqYeXCHdDVfBGSMuM7mqZUBu+3jETSbglozYrukbgjftdWob3s/hR0WB0lH9uwkugfoGVonasPkmPvBhuvozkCLvP9aplqwUoL74D4JhHFLciPvV+Cmw5ag1WtErB89Oimm3tnOpynCJwZTQM+NVgBtKjom0qOnyn7l0vYIKQFJwV2k5w+RfrX5EOOjFfg9D2u+gHgmrqzaSl6kk2dHlQYmfeP+nJxiH7eGO5D3ooYHp7JKZBAaJHcAWWpgqVL/L8pjSJLCPRGBF/5DnfggwFdNprl3LqYnr4io+Wp4+Du74uvQHNpojrUQ4j7Qp330rSbCK9iX5v14zYr6RlqKe5CtTqHjPzuL8CxFUI1ImHgViNpff4=,iv:8cb1FcIm0oGkcrfLNqXamx4aDA3owBZoHur8+uFsdmA=,tag:oFPP/Yene6QrxFDKlmoVcA==,type:str]
sops:
kms: []
gcp_kms: []
@ -55,8 +46,8 @@ sops:
akVjeTNTeGorZjJQOVlMeCtPRUVYL3MK+VMvGxrbzGz4Q3sdaDDWjal+OiK+JYKX
GHiMXVHQJZu/RrlxMjHKN6V3iaqxZpuvLAEJ2Lzy5EOHPtuiiRyeHQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-03-30T21:22:02Z"
mac: ENC[AES256_GCM,data:o3buZqOYZXiNyJ7zDtaBDFwbtP5i0QNvHxVVxtVWdLdRASVmau/ZXdQ8MNsExe6gUF4dS6Sv7QYXRfUO7ccmUDP4zABlIOcxjwsRTs5lE45S6pVIB98OIAODHdyl6LVsgxEkhdPmSoYRjLIWO56KlKArxPQGiprCI7AIBe6DYik=,iv:sAEeBMuJ8JwI3STZuy4miZhXA9Lopbof+3aaprtWVJ4=,tag:LBIRH7KwZ0CuuXuioVL10Q==,type:str]
lastmodified: "2023-09-17T02:02:24Z"
mac: ENC[AES256_GCM,data:Lkvj9UOdE/WZtFReMs6n8ucFuJNPb76ZhPHFpYAEqYEe8d9FdMPMzq05DBAJe9IqpFS0jc9SWxJUPHfGgoMR8nPciZuR/mpJ+4s/cRkPbApwBPcLlvatE/qkbcxzoLlb1vN0gth5G/U7UEfk5Pp9gIz6Yo4sEIS3Za42tId1MpI=,iv:s3VELgU/RJ98/lbQV3vPtOLXtwFzB3KlY7bMKbAzp/g=,tag:D8s0XyGnd8UhbCseB/TyFg==,type:str]
pgp:
- created_at: "2023-05-21T00:28:40Z"
enc: |
@ -79,4 +70,4 @@ sops:
-----END PGP MESSAGE-----
fp: F7D37890228A907440E1FD4846B9228E814A2AAC
unencrypted_suffix: _unencrypted
version: 3.8.1
version: 3.7.3