Compare commits

..

7 Commits

Author SHA1 Message Date
ee097c49a3 WIP: idp theme 2024-03-31 05:01:24 +02:00
ce3aeb4e08 bekkalokk: init mediawiki
Co-authored-by: Jørn Åne <yorinad@pvv.ntnu.no>
2024-03-31 05:01:24 +02:00
49a0b1a5f7 bekkalokk: init idp-simplesamlphp 2024-03-31 04:41:45 +02:00
4c1966365b bekkalokk: redirect bekkalokk.pvv.ntnu.no to git.pvv.ntnu.no 2024-03-31 04:41:15 +02:00
e0b3ce9378 bekkalokk: package mediawiki extensions outside of module 2024-03-31 04:41:15 +02:00
50df317a26 packages: init simplesamlphp 2024-03-31 04:41:15 +02:00
1262bc7125 bekkalokk: set up kerberos client 2024-03-29 03:31:19 +01:00
114 changed files with 1339 additions and 2746 deletions
.editorconfig.envrc.git-blame-ignore-revs.gitignore.sops.yamlbase.nix
base
flake.lockflake.nix
hosts
justfile
misc
modules
packages
heimdal
mediawiki-extensions
simplesamlphp
secrets
shell.nixstatix.toml
users
values.nix

@@ -1,10 +0,0 @@
root = true
[*]
end_of_line = lf
insert_final_newline = true
trim_trailing_whitespace = true
[*.nix]
indent_style = space
indent_size = 2

1
.envrc

@@ -1 +0,0 @@
use flake

@@ -1 +0,0 @@
e00008da1afe0d760badd34bbeddff36bb08c475

2
.gitignore vendored

@@ -1,4 +1,2 @@
result*
/configuration.nix
/.direnv/
*.qcow2

@@ -4,13 +4,10 @@ keys:
- &user_felixalb age1mrnldl334l2nszuta6ywvewng0fswv2dz9l5g4qcwe3nj4yxf92qjskdx6
- &user_oysteikt F7D37890228A907440E1FD4846B9228E814A2AAC
- &user_eirikwit age1ju7rd26llahz3g8tz7cy5ld52swj8gsmg0flrmrxngc0nj0avq3ssh0sn5
- &user_pederbs_sopp age1hmpdk4h69wxpwqk9tkud39f66hprhehxtzhgw97r6dvr7v0mx5jscsuhkn
- &user_pederbs_nord age1wrssr4z4g6vl3fd3qme5cewchmmhm0j2xe6wf2meu4r6ycn37anse98mfs
- &user_pederbs_bjarte age1zhxul786an743u0fascv4wtc5xduu7qfy803lfs539yzhgmlq5ds2lznt5
# Hosts
- &host_jokum age1gp8ye4g2mmw3may5xg0zsy7mm04glfz3788mmdx9cvcsdxs9hg0s0cc9kt
- &host_ildkule age1x28hmzvuv6f2n66c0jtqcca3h9rput8d7j5uek6jcpx8n9egd52sqpejq0
- &host_ildkule age1hn45n46ypyrvypv0mwfnpt9ddrlmw34dwlpf33n8v67jexr3lucq6ahc9x
- &host_bekkalokk age12nj59tguy9wg882updc2vjdusx5srnxmjyfaqve4zx6jnnsaw3qsyjq6zd
- &host_bicep age1sl43gc9cw939z5tgha2lpwf0xxxgcnlw7w4xem4sqgmt2pt264vq0dmwx2
@@ -23,23 +20,17 @@ creation_rules:
- *user_danio
- *user_felixalb
- *user_eirikwit
- *user_pederbs_sopp
- *user_pederbs_nord
- *user_pederbs_bjarte
pgp:
- *user_oysteikt
# Host specific secrets
- path_regex: secrets/bekkalokk/[^/]+\.yaml$
key_groups:
- age:
- *host_bekkalokk
- *user_danio
- *user_felixalb
- *user_pederbs_sopp
- *user_pederbs_nord
- *user_pederbs_bjarte
pgp:
- *user_oysteikt
@@ -49,9 +40,6 @@ creation_rules:
- *host_jokum
- *user_danio
- *user_felixalb
- *user_pederbs_sopp
- *user_pederbs_nord
- *user_pederbs_bjarte
pgp:
- *user_oysteikt
@@ -61,20 +49,14 @@ creation_rules:
- *host_ildkule
- *user_danio
- *user_felixalb
- *user_pederbs_sopp
- *user_pederbs_nord
- *user_pederbs_bjarte
pgp:
- *user_oysteikt
- path_regex: secrets/bicep/[^/]+\.yaml$
key_groups:
- age:
- *host_bicep
- *user_danio
- *user_felixalb
- *user_pederbs_sopp
- *user_pederbs_nord
- *user_pederbs_bjarte
pgp:
- *user_oysteikt

86
base.nix Normal file

@@ -0,0 +1,86 @@
{ config, lib, pkgs, inputs, values, ... }:
{
imports = [
./users
];
networking.domain = "pvv.ntnu.no";
networking.useDHCP = false;
# networking.search = [ "pvv.ntnu.no" "pvv.org" ];
# networking.nameservers = lib.mkDefault [ "129.241.0.200" "129.241.0.201" ];
# networking.tempAddresses = lib.mkDefault "disabled";
# networking.defaultGateway = values.hosts.gateway;
systemd.network.enable = true;
services.resolved = {
enable = lib.mkDefault true;
dnssec = "false"; # Supposdly this keeps breaking and the default is to allow downgrades anyways...
};
time.timeZone = "Europe/Oslo";
i18n.defaultLocale = "en_US.UTF-8";
console = {
font = "Lat2-Terminus16";
keyMap = "no";
};
system.autoUpgrade = {
enable = true;
flake = "git+https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git";
flags = [
"--update-input" "nixpkgs"
"--update-input" "nixpkgs-unstable"
"--no-write-lock-file"
];
};
nix.gc.automatic = true;
nix.gc.options = "--delete-older-than 2d";
nix.settings.experimental-features = [ "nix-command" "flakes" ];
/* This makes commandline tools like
** nix run nixpkgs#hello
** and nix-shell -p hello
** use the same channel the system
** was built with
*/
nix.registry = {
nixpkgs.flake = inputs.nixpkgs;
};
nix.nixPath = [ "nixpkgs=${inputs.nixpkgs}" ];
environment.systemPackages = with pkgs; [
file
git
gnupg
htop
nano
rsync
screen
tmux
vim
wget
kitty.terminfo
];
programs.zsh.enable = true;
users.groups."drift".name = "drift";
# Trusted users on the nix builder machines
users.groups."nix-builder-users".name = "nix-builder-users";
services.openssh = {
enable = true;
extraConfig = ''
PubkeyAcceptedAlgorithms=+ssh-rsa
'';
settings.PermitRootLogin = "yes";
};
}

@@ -1,60 +0,0 @@
{ pkgs, lib, ... }:
{
imports = [
../users
../modules/snakeoil-certs.nix
./networking.nix
./nix.nix
./services/acme.nix
./services/auto-upgrade.nix
./services/irqbalance.nix
./services/logrotate.nix
./services/nginx.nix
./services/openssh.nix
./services/postfix.nix
./services/smartd.nix
./services/thermald.nix
];
boot.tmp.cleanOnBoot = lib.mkDefault true;
time.timeZone = "Europe/Oslo";
i18n.defaultLocale = "en_US.UTF-8";
console = {
font = "Lat2-Terminus16";
keyMap = "no";
};
environment.systemPackages = with pkgs; [
file
git
gnupg
htop
nano
ripgrep
rsync
screen
tmux
vim
wget
kitty.terminfo
];
programs.zsh.enable = true;
security.sudo.execWheelOnly = true;
security.sudo.extraConfig = ''
Defaults lecture = never
'';
users.groups."drift".name = "drift";
# Trusted users on the nix builder machines
users.groups."nix-builder-users".name = "nix-builder-users";
}

@@ -1,16 +0,0 @@
{ lib, values, ... }:
{
networking.domain = "pvv.ntnu.no";
networking.useDHCP = false;
# networking.search = [ "pvv.ntnu.no" "pvv.org" ];
# networking.nameservers = lib.mkDefault [ "129.241.0.200" "129.241.0.201" ];
# networking.tempAddresses = lib.mkDefault "disabled";
# networking.defaultGateway = values.hosts.gateway;
systemd.network.enable = true;
services.resolved = {
enable = lib.mkDefault true;
dnssec = "false"; # Supposdly this keeps breaking and the default is to allow downgrades anyways...
};
}

@@ -1,30 +0,0 @@
{ inputs, ... }:
{
nix = {
gc = {
automatic = true;
options = "--delete-older-than 2d";
};
settings = {
allow-dirty = true;
auto-optimise-store = true;
builders-use-substitutes = true;
experimental-features = [ "nix-command" "flakes" ];
log-lines = 50;
use-xdg-base-directories = true;
};
/* This makes commandline tools like
** nix run nixpkgs#hello
** and nix-shell -p hello
** use the same channel the system
** was built with
*/
registry = {
"nixpkgs".flake = inputs.nixpkgs;
"pvv-nix".flake = inputs.self;
};
nixPath = [ "nixpkgs=${inputs.nixpkgs}" ];
};
}

@@ -1,15 +0,0 @@
{ ... }:
{
security.acme = {
acceptTerms = true;
defaults.email = "drift@pvv.ntnu.no";
};
# Let's not spam LetsEncrypt in `nixos-rebuild build-vm` mode:
virtualisation.vmVariant = {
security.acme.defaults.server = "https://127.0.0.1";
security.acme.preliminarySelfsigned = true;
users.users.root.initialPassword = "root";
};
}

@@ -1,12 +0,0 @@
{ ... }:
{
system.autoUpgrade = {
enable = true;
flake = "git+https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git";
flags = [
"--update-input" "nixpkgs"
"--update-input" "nixpkgs-unstable"
"--no-write-lock-file"
];
};
}

@@ -1,4 +0,0 @@
{ ... }:
{
services.irqbalance.enable = true;
}

@@ -1,42 +0,0 @@
{ ... }:
{
# source: https://github.com/logrotate/logrotate/blob/main/examples/logrotate.service
systemd.services.logrotate = {
documentation = [ "man:logrotate(8)" "man:logrotate.conf(5)" ];
unitConfig.RequiresMountsFor = "/var/log";
serviceConfig = {
Nice = 19;
IOSchedulingClass = "best-effort";
IOSchedulingPriority = 7;
ReadWritePaths = [ "/var/log" ];
AmbientCapabilities = [ "" ];
CapabilityBoundingSet = [ "" ];
DeviceAllow = [ "" ];
LockPersonality = true;
MemoryDenyWriteExecute = true;
NoNewPrivileges = true; # disable for third party rotate scripts
PrivateDevices = true;
PrivateNetwork = true; # disable for mail delivery
PrivateTmp = true;
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true; # disable for userdir logs
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
ProtectSystem = "full";
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true; # disable for creating setgid directories
SocketBindDeny = [ "any" ];
SystemCallArchitectures = "native";
SystemCallFilter = [
"@system-service"
];
};
};
}

@@ -1,44 +0,0 @@
{ config, lib, ... }:
{
# nginx return 444 for all nonexistent virtualhosts
systemd.services.nginx.after = [ "generate-snakeoil-certs.service" ];
environment.snakeoil-certs = lib.mkIf config.services.nginx.enable {
"/etc/certs/nginx" = {
owner = "nginx";
group = "nginx";
};
};
networking.firewall.allowedTCPPorts = lib.mkIf config.services.nginx.enable [ 80 443 ];
services.nginx = {
recommendedTlsSettings = true;
recommendedProxySettings = true;
recommendedOptimisation = true;
recommendedGzipSettings = true;
appendConfig = ''
pcre_jit on;
worker_processes auto;
worker_rlimit_nofile 100000;
'';
eventsConfig = ''
worker_connections 2048;
use epoll;
multi_accept on;
'';
};
systemd.services.nginx.serviceConfig = lib.mkIf config.services.nginx.enable {
LimitNOFILE = 65536;
};
services.nginx.virtualHosts."_" = lib.mkIf config.services.nginx.enable {
sslCertificate = "/etc/certs/nginx.crt";
sslCertificateKey = "/etc/certs/nginx.key";
addSSL = true;
extraConfig = "return 444;";
};
}

@@ -1,14 +0,0 @@
{ ... }:
{
services.openssh = {
enable = true;
startWhenNeeded = true;
extraConfig = ''
PubkeyAcceptedAlgorithms=+ssh-rsa
Match Group wheel
PasswordAuthentication no
Match All
'';
settings.PermitRootLogin = "yes";
};
}

@@ -1,23 +0,0 @@
{ config, pkgs, lib, ... }:
let
cfg = config.services.postfix;
in
{
services.postfix = {
enable = true;
hostname = "${config.networking.hostName}.pvv.ntnu.no";
domain = "pvv.ntnu.no";
relayHost = "smtp.pvv.ntnu.no";
relayPort = 465;
config = {
smtp_tls_wrappermode = "yes";
smtp_tls_security_level = "encrypt";
};
# Nothing should be delivered to this machine
destination = [ ];
};
}

@@ -1,8 +0,0 @@
{ config, pkgs, lib, ... }:
{
services.smartd.enable = lib.mkDefault true;
environment.systemPackages = lib.optionals config.services.smartd.enable (with pkgs; [
smartmontools
]);
}

@@ -1,8 +0,0 @@
{ config, lib, ... }:
{
# Let's not thermal throttle
services.thermald.enable = lib.mkIf (lib.all (x: x) [
(config.nixpkgs.system == "x86_64-linux")
(!config.boot.isContainer or false)
]) true;
}

165
flake.lock generated

@@ -7,11 +7,11 @@
]
},
"locked": {
"lastModified": 1715445235,
"narHash": "sha256-SUu+oIWn+xqQIOlwfwNfS9Sek4i1HKsrLJchsDReXwA=",
"lastModified": 1710169806,
"narHash": "sha256-HeWFrRuHpnAiPmIr26OKl2g142HuGerwoO/XtW53pcI=",
"owner": "nix-community",
"repo": "disko",
"rev": "159d87ea5b95bbdea46f0288a33c5e1570272725",
"rev": "fe064a639319ed61cdf12b8f6eded9523abcc498",
"type": "github"
},
"original": {
@@ -20,58 +20,18 @@
"type": "github"
}
},
"fix-python": {
"inputs": {
"flake-utils": "flake-utils",
"nixpkgs": [
"grzegorz",
"nixpkgs"
]
},
"locked": {
"lastModified": 1713887124,
"narHash": "sha256-hGTSm0p9xXUYDgsAAr/ORZICo6T6u33vLfX3tILikaQ=",
"owner": "GuillaumeDesforges",
"repo": "fix-python",
"rev": "f7f4b33e22414071fc1f9cbf68072c413c3a7fdf",
"type": "github"
},
"original": {
"owner": "GuillaumeDesforges",
"repo": "fix-python",
"type": "github"
}
},
"flake-utils": {
"inputs": {
"systems": "systems"
},
"locked": {
"lastModified": 1689068808,
"narHash": "sha256-6ixXo3wt24N/melDWjq70UuHQLxGV8jZvooRanIHXw0=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "919d646de7be200f3bf08cb76ae1f09402b6f9b4",
"type": "github"
},
"original": {
"id": "flake-utils",
"type": "indirect"
}
},
"grzegorz": {
"inputs": {
"fix-python": "fix-python",
"nixpkgs": [
"nixpkgs-unstable"
]
},
"locked": {
"lastModified": 1715364232,
"narHash": "sha256-ZJC3SkanEgbV7p+LFhP+85CviRWOXJNHzZwR/Stb7hE=",
"lastModified": 1696346665,
"narHash": "sha256-J6Tf6a/zhFZ8SereluHLrvgPsIVm2CGHHA8wrbhZB3Y=",
"owner": "Programvareverkstedet",
"repo": "grzegorz",
"rev": "3841cda1cdcac470440b06838d56a2eb2256378c",
"rev": "9b9c3ac7d408ac7c6d67544b201e6b169afacb03",
"type": "github"
},
"original": {
@@ -87,11 +47,11 @@
]
},
"locked": {
"lastModified": 1715384651,
"narHash": "sha256-7RhckgUTjqeCjWkhiCc1iB+5CBx9fl80d/3O4Jh+5kM=",
"lastModified": 1693864994,
"narHash": "sha256-oLDiWdCKDtEfeGzfAuDTq+n9VWp6JCo67PEESEZ3y8E=",
"owner": "Programvareverkstedet",
"repo": "grzegorz-clients",
"rev": "738a4f3dd887f7c3612e4e772b83cbfa3cde5693",
"rev": "a38a0b0fb31ad0ad78a91458cb2c7f77f686468f",
"type": "github"
},
"original": {
@@ -107,62 +67,41 @@
]
},
"locked": {
"lastModified": 1717234745,
"narHash": "sha256-MFyKRdw4WQD6V3vRGbP6MYbtJhZp712zwzjW6YiOBYM=",
"lastModified": 1710311999,
"narHash": "sha256-s0pT1NyrMgeolUojXXcnXQDymN7m80GTF7itCv0ZH20=",
"owner": "dali99",
"repo": "nixos-matrix-modules",
"rev": "d7dc42c9bbb155c5e4aa2f0985d0df75ce978456",
"rev": "6c9b67974b839740e2a738958512c7a704481157",
"type": "github"
},
"original": {
"owner": "dali99",
"ref": "v0.6.0",
"repo": "nixos-matrix-modules",
"type": "github"
}
},
"nix-gitea-themes": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1714416973,
"narHash": "sha256-aZUcvXjdETUC6wVQpWDVjLUzwpDAEca8yR0ITDeK39o=",
"ref": "refs/heads/main",
"rev": "2b23c0ba8aae68d3cb6789f0f6e4891cef26cc6d",
"revCount": 6,
"type": "git",
"url": "https://git.pvv.ntnu.no/oysteikt/nix-gitea-themes.git"
},
"original": {
"type": "git",
"url": "https://git.pvv.ntnu.no/oysteikt/nix-gitea-themes.git"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1719520878,
"narHash": "sha256-5BXzNOl2RVHcfS/oxaZDKOi7gVuTyWPibQG0DHd5sSc=",
"lastModified": 1710248792,
"narHash": "sha256-yFyWw4na+nJgtXwhHs2SJSy5Lcw94/FcMbBOorlGdfI=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "a44bedbb48c367f0476e6a3a27bf28f6330faf23",
"rev": "efbb274f364c918b9937574de879b5874b5833cc",
"type": "github"
},
"original": {
"id": "nixpkgs",
"ref": "nixos-24.05-small",
"ref": "nixos-23.11-small",
"type": "indirect"
}
},
"nixpkgs-stable": {
"locked": {
"lastModified": 1714858427,
"narHash": "sha256-tCxeDP4C1pWe2rYY3IIhdA40Ujz32Ufd4tcrHPSKx2M=",
"lastModified": 1710033658,
"narHash": "sha256-yiZiVKP5Ya813iYLho2+CcFuuHpaqKc/CoxOlANKcqM=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "b980b91038fc4b09067ef97bbe5ad07eecca1e76",
"rev": "b17375d3bb7c79ffc52f3538028b2ec06eb79ef8",
"type": "github"
},
"original": {
@@ -174,11 +113,11 @@
},
"nixpkgs-unstable": {
"locked": {
"lastModified": 1715435713,
"narHash": "sha256-lb2HqDQGfTdnCCpc1pgF6fkdgIOuBQ0nP8jjVSfLFqg=",
"lastModified": 1710247538,
"narHash": "sha256-Mm3aCwfAdYgG2zKf5SLRBktPH0swXN1yEetAMn05KAA=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "52b40f6c4be12742b1504ca2eb4527e597bf2526",
"rev": "21adc4f16a8ab151fec83b9d9368cd62d9de86bc",
"type": "github"
},
"original": {
@@ -194,11 +133,11 @@
]
},
"locked": {
"lastModified": 1723850344,
"narHash": "sha256-aT37O9l9eclWEnqxASVNBL1dKwDHZUOqdbA4VO9DJvw=",
"lastModified": 1693136143,
"narHash": "sha256-amHprjftc3y/bg8yf4hITCLa+ez5HIi0yGfR7TU6UIc=",
"ref": "refs/heads/main",
"rev": "38b66677ab8c01aee10cd59e745af9ce3ea88092",
"revCount": 19,
"rev": "a32894b305f042d561500f5799226afd1faf5abb",
"revCount": 9,
"type": "git",
"url": "https://git.pvv.ntnu.no/Projects/calendar-bot.git"
},
@@ -207,38 +146,17 @@
"url": "https://git.pvv.ntnu.no/Projects/calendar-bot.git"
}
},
"pvv-nettsiden": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1722722932,
"narHash": "sha256-K81a2GQpY2kRX+C9ek9r91THlZB674CqRTSMMb5IO7E=",
"ref": "refs/heads/master",
"rev": "6580cfe546c902cdf11e17b0b8aa30b3c412bb34",
"revCount": 465,
"type": "git",
"url": "https://git.pvv.ntnu.no/Projects/nettsiden.git"
},
"original": {
"type": "git",
"url": "https://git.pvv.ntnu.no/Projects/nettsiden.git"
}
},
"root": {
"inputs": {
"disko": "disko",
"grzegorz": "grzegorz",
"grzegorz-clients": "grzegorz-clients",
"matrix-next": "matrix-next",
"nix-gitea-themes": "nix-gitea-themes",
"nixpkgs": "nixpkgs",
"nixpkgs-unstable": "nixpkgs-unstable",
"pvv-calendar-bot": "pvv-calendar-bot",
"pvv-nettsiden": "pvv-nettsiden",
"sops-nix": "sops-nix"
"sops-nix": "sops-nix",
"ssp-theme": "ssp-theme"
}
},
"sops-nix": {
@@ -249,11 +167,11 @@
"nixpkgs-stable": "nixpkgs-stable"
},
"locked": {
"lastModified": 1715244550,
"narHash": "sha256-ffOZL3eaZz5Y1nQ9muC36wBCWwS1hSRLhUzlA9hV2oI=",
"lastModified": 1710195194,
"narHash": "sha256-KFxCJp0T6TJOz1IOKlpRdpsCr9xsvlVuWY/VCiAFnTE=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "0dc50257c00ee3c65fef3a255f6564cfbfe6eb7f",
"rev": "e52d8117b330f690382f1d16d81ae43daeb4b880",
"type": "github"
},
"original": {
@@ -262,19 +180,20 @@
"type": "github"
}
},
"systems": {
"ssp-theme": {
"flake": false,
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
"lastModified": 1509201641,
"narHash": "sha256-naNRyPL6PAsZKW2w1Vt9wrHT9inCL/yAFnvpy4glv+c=",
"ref": "refs/heads/master",
"rev": "bda4314030be5f81aeaf2fb1927aee582f1194d9",
"revCount": 5,
"type": "git",
"url": "https://git.pvv.ntnu.no/Drift/ssp-theme.git"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
"type": "git",
"url": "https://git.pvv.ntnu.no/Drift/ssp-theme.git"
}
}
},

@@ -2,7 +2,7 @@
description = "PVV System flake";
inputs = {
nixpkgs.url = "nixpkgs/nixos-24.05-small";
nixpkgs.url = "nixpkgs/nixos-23.11-small";
nixpkgs-unstable.url = "nixpkgs/nixos-unstable-small";
sops-nix.url = "github:Mic92/sops-nix";
@@ -11,25 +11,22 @@
disko.url = "github:nix-community/disko";
disko.inputs.nixpkgs.follows = "nixpkgs";
pvv-nettsiden.url = "git+https://git.pvv.ntnu.no/Projects/nettsiden.git";
pvv-nettsiden.inputs.nixpkgs.follows = "nixpkgs";
pvv-calendar-bot.url = "git+https://git.pvv.ntnu.no/Projects/calendar-bot.git";
pvv-calendar-bot.inputs.nixpkgs.follows = "nixpkgs";
matrix-next.url = "github:dali99/nixos-matrix-modules/v0.6.0";
matrix-next.url = "github:dali99/nixos-matrix-modules";
matrix-next.inputs.nixpkgs.follows = "nixpkgs";
nix-gitea-themes.url = "git+https://git.pvv.ntnu.no/oysteikt/nix-gitea-themes.git";
nix-gitea-themes.inputs.nixpkgs.follows = "nixpkgs";
grzegorz.url = "github:Programvareverkstedet/grzegorz";
grzegorz.inputs.nixpkgs.follows = "nixpkgs-unstable";
grzegorz-clients.url = "github:Programvareverkstedet/grzegorz-clients";
grzegorz-clients.inputs.nixpkgs.follows = "nixpkgs";
ssp-theme.url = "git+https://git.pvv.ntnu.no/Drift/ssp-theme.git";
ssp-theme.flake = false;
};
outputs = { self, nixpkgs, nixpkgs-unstable, sops-nix, disko, ... }@inputs:
outputs = { self, nixpkgs, nixpkgs-unstable, sops-nix, disko, ssp-theme, ... }@inputs:
let
nixlib = nixpkgs.lib;
systems = [
@@ -37,8 +34,8 @@
"aarch64-linux"
"aarch64-darwin"
];
forAllSystems = f: nixlib.genAttrs systems f;
allMachines = builtins.attrNames self.nixosConfigurations;
forAllSystems = f: nixlib.genAttrs systems (system: f system);
allMachines = nixlib.mapAttrsToList (name: _: name) self.nixosConfigurations;
importantMachines = [
"bekkalokk"
"bicep"
@@ -47,10 +44,7 @@
"ildkule"
];
in {
inherit inputs;
nixosConfigurations = let
unstablePkgs = nixpkgs-unstable.legacyPackages.x86_64-linux;
nixosConfig = nixpkgs: name: config: nixpkgs.lib.nixosSystem (nixpkgs.lib.recursiveUpdate
rec {
system = "x86_64-linux";
@@ -66,9 +60,7 @@
pkgs = import nixpkgs {
inherit system;
overlays = [
# Global overlays go here
] ++ config.overlays or [ ];
overlays = [ ] ++ config.overlays or [ ];
};
}
(removeAttrs config [ "modules" "overlays" ])
@@ -89,16 +81,16 @@
bekkalokk = stableNixosConfig "bekkalokk" {
overlays = [
(final: prev: {
heimdal = unstablePkgs.heimdal;
heimdal = final.callPackage ./packages/heimdal {
inherit (final.darwin.apple_sdk.frameworks) CoreFoundation Security SystemConfiguration;
autoreconfHook = final.buildPackages.autoreconfHook269;
};
mediawiki-extensions = final.callPackage ./packages/mediawiki-extensions { };
simplesamlphp = final.callPackage ./packages/simplesamlphp { };
ssp-theme = final.runCommandLocal "ssp-theme" { } ''
ln -s ${ssp-theme} $out
'';
})
inputs.nix-gitea-themes.overlays.default
inputs.pvv-nettsiden.overlays.default
];
modules = [
inputs.nix-gitea-themes.nixosModules.default
inputs.pvv-nettsiden.nixosModules.default
];
};
bob = stableNixosConfig "bob" {
@@ -126,11 +118,6 @@
buskerud = stableNixosConfig "buskerud" { };
};
nixosModules = {
snakeoil-certs = ./modules/snakeoil-certs.nix;
snappymail = ./modules/snappymail.nix;
};
devShells = forAllSystems (system: {
default = nixpkgs.legacyPackages.${system}.callPackage ./shell.nix { };
});
@@ -138,22 +125,29 @@
packages = {
"x86_64-linux" = let
pkgs = nixpkgs.legacyPackages."x86_64-linux";
in rec {
default = important-machines;
in {
default = self.packages.x86_64-linux.important-machines;
important-machines = pkgs.linkFarm "important-machines"
(nixlib.getAttrs importantMachines self.packages.x86_64-linux);
all-machines = pkgs.linkFarm "all-machines"
(nixlib.getAttrs allMachines self.packages.x86_64-linux);
#######################
# TODO: remove this once nixos 24.05 gets released
#######################
heimdal = pkgs.callPackage ./packages/heimdal {
inherit (pkgs.darwin.apple_sdk.frameworks) CoreFoundation Security SystemConfiguration;
autoreconfHook = pkgs.buildPackages.autoreconfHook269;
};
simplesamlphp = pkgs.callPackage ./packages/simplesamlphp { };
} //
(nixlib.pipe null [
(_: pkgs.callPackage ./packages/mediawiki-extensions { })
(nixlib.flip builtins.removeAttrs ["override" "overrideDerivation"])
(nixlib.mapAttrs' (name: nixlib.nameValuePair "mediawiki-${name}"))
])
// nixlib.genAttrs allMachines
mediawiki-extensions = pkgs.callPackage ./packages/mediawiki-extensions { };
ssp-theme = pkgs.runCommandLocal "ssp-theme" { } ''
ln -s ${ssp-theme} $out
'';
} // nixlib.genAttrs allMachines
(machine: self.nixosConfigurations.${machine}.config.system.build.toplevel);
};
};

@@ -3,18 +3,19 @@
imports = [
./hardware-configuration.nix
../../base
../../base.nix
../../misc/metrics-exporters.nix
#./services/keycloak.nix
# TODO: set up authentication for the following:
# ./services/website.nix
./services/nginx
./services/gitea/default.nix
./services/idp-simplesamlphp
./services/kerberos
./services/mediawiki
./services/nginx.nix
./services/phpfpm.nix
./services/vaultwarden.nix
./services/webmail
./services/website
./services/mediawiki
./services/idp-simplesamlphp
];
sops.defaultSopsFile = ../../secrets/bekkalokk/bekkalokk.yaml;
@@ -25,6 +26,8 @@
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
virtualisation.podman.enable = true;
networking.hostName = "bekkalokk";
systemd.network.networks."30-enp2s0" = values.defaultNetworkConfig // {
@@ -32,8 +35,6 @@
address = with values.hosts.bekkalokk; [ (ipv4 + "/25") (ipv6 + "/64") ];
};
services.btrfs.autoScrub.enable = true;
# Do not change, even during upgrades.
# See https://search.nixos.org/options?show=system.stateVersion
system.stateVersion = "22.11";

@@ -15,9 +15,9 @@ let
enable = true;
name = "git-runner-${name}"; url = "https://git.pvv.ntnu.no";
labels = [
"debian-latest:docker://node:18-bullseye"
"ubuntu-latest:docker://node:18-bullseye"
];
"debian-latest:docker://node:18-bullseye"
"ubuntu-latest:docker://node:18-bullseye"
];
tokenFile = config.sops.secrets."gitea/runners/${name}".path;
};
};
@@ -27,5 +27,4 @@ lib.mkMerge [
(mkRunner "alpha")
(mkRunner "beta")
(mkRunner "epsilon")
{ virtualisation.podman.enable = true; }
]

@@ -1,4 +1,4 @@
{ config, values, pkgs, lib, ... }:
{ config, values, pkgs, ... }:
let
cfg = config.services.gitea;
domain = "git.pvv.ntnu.no";
@@ -6,8 +6,6 @@ let
in {
imports = [
./ci.nix
./import-users
./web-secret-provider
];
sops.secrets = {
@@ -15,85 +13,36 @@ in {
owner = "gitea";
group = "gitea";
};
"gitea/email-password" = {
owner = "gitea";
group = "gitea";
};
"gitea/passwd-ssh-key" = { };
"gitea/ssh-known-hosts" = { };
"gitea/import-user-env" = { };
};
services.gitea = {
enable = true;
stateDir = "/data/gitea";
appName = "PVV Git";
database = {
type = "postgres";
host = "postgres.pvv.ntnu.no";
port = config.services.postgresql.settings.port;
port = config.services.postgresql.port;
passwordFile = config.sops.secrets."gitea/database".path;
createDatabase = false;
};
mailerPasswordFile = config.sops.secrets."gitea/email-password".path;
# https://docs.gitea.com/administration/config-cheat-sheet
settings = {
server = {
DOMAIN = domain;
ROOT_URL = "https://${domain}/";
PROTOCOL = "http+unix";
SSH_PORT = sshPort;
START_SSH_SERVER = true;
START_LFS_SERVER = true;
LANDING_PAGE = "explore";
};
mailer = {
ENABLED = true;
FROM = "gitea@pvv.ntnu.no";
PROTOCOL = "smtp";
SMTP_ADDR = "smtp.pvv.ntnu.no";
SMTP_PORT = 587;
USER = "gitea@pvv.ntnu.no";
SUBJECT_PREFIX = "[pvv-git]";
START_SSH_SERVER = true;
};
indexer.REPO_INDEXER_ENABLED = true;
service = {
DISABLE_REGISTRATION = true;
ENABLE_NOTIFY_MAIL = true;
AUTO_WATCH_NEW_REPOS = false;
};
admin.DEFAULT_EMAIL_NOTIFICATIONS = "onmention";
service.DISABLE_REGISTRATION = true;
session.COOKIE_SECURE = true;
database.LOG_SQL = false;
repository = {
PREFERRED_LICENSES = lib.concatStringsSep "," [
"AGPL-3.0-only"
"AGPL-3.0-or-later"
"Apache-2.0"
"BSD-3-Clause"
"CC-BY-4.0"
"CC-BY-NC-4.0"
"CC-BY-NC-ND-4.0"
"CC-BY-NC-SA-4.0"
"CC-BY-ND-4.0"
"CC-BY-SA-4.0"
"CC0-1.0"
"GPL-2.0-only"
"GPL-3.0-only"
"GPL-3.0-or-later"
"LGPL-3.0-linking-exception"
"LGPL-3.0-only"
"LGPL-3.0-or-later"
"MIT"
"MPL-2.0"
"Unlicense"
];
DEFAULT_REPO_UNITS = lib.concatStringsSep "," [
"repo.code"
"repo.issues"
"repo.pulls"
"repo.releases"
];
};
picture = {
DISABLE_GRAVATAR = true;
ENABLE_FEDERATED_AVATAR = false;
@@ -108,9 +57,9 @@ in {
services.nginx.virtualHosts."${domain}" = {
forceSSL = true;
enableACME = true;
kTLS = true;
locations."/" = {
proxyPass = "http://unix:${cfg.settings.server.HTTP_ADDR}";
recommendedProxySettings = true;
extraConfig = ''
client_max_body_size 512M;
'';
@@ -119,34 +68,38 @@ in {
networking.firewall.allowedTCPPorts = [ sshPort ];
# Extra customization
services.gitea-themes.monokai = pkgs.gitea-theme-monokai;
systemd.services.install-gitea-customization = {
description = "Install extra customization in gitea's CUSTOM_DIR";
wantedBy = [ "gitea.service" ];
requiredBy = [ "gitea.service" ];
serviceConfig = {
Type = "oneshot";
User = cfg.user;
Group = cfg.group;
# Automatically import users
systemd.services.gitea-import-users = {
enable = true;
preStart=''${pkgs.rsync}/bin/rsync -e "${pkgs.openssh}/bin/ssh -o UserKnownHostsFile=$CREDENTIALS_DIRECTORY/ssh-known-hosts -i $CREDENTIALS_DIRECTORY/sshkey" -a pvv@smtp.pvv.ntnu.no:/etc/passwd /tmp/passwd-import'';
serviceConfig = {
ExecStart = pkgs.writers.writePython3 "gitea-import-users" { libraries = [ pkgs.python3Packages.requests ]; } (builtins.readFile ./gitea-import-users.py);
LoadCredential=[
"sshkey:${config.sops.secrets."gitea/passwd-ssh-key".path}"
"ssh-known-hosts:${config.sops.secrets."gitea/ssh-known-hosts".path}"
];
DynamicUser="yes";
EnvironmentFile=config.sops.secrets."gitea/import-user-env".path;
};
script = let
logo-svg = ../../../../assets/logo_blue_regular.svg;
logo-png = ../../../../assets/logo_blue_regular.png;
extraLinks = pkgs.writeText "gitea-extra-links.tmpl" ''
<a class="item" href="https://www.pvv.ntnu.no/">PVV</a>
<a class="item" href="https://wiki.pvv.ntnu.no/">Wiki</a>
<a class="item" href="https://git.pvv.ntnu.no/Drift/-/projects/4">Tokyo Drift Issues</a>
'';
in ''
install -Dm444 ${logo-svg} ${cfg.customDir}/public/assets/img/logo.svg
install -Dm444 ${logo-png} ${cfg.customDir}/public/assets/img/logo.png
install -Dm444 ${./loading.apng} ${cfg.customDir}/public/assets/img/loading.png
install -Dm444 ${extraLinks} ${cfg.customDir}/templates/custom/extra_links.tmpl
'';
};
systemd.timers.gitea-import-users = {
requires = [ "gitea.service" ];
after = [ "gitea.service" ];
wantedBy = [ "timers.target" ];
timerConfig = {
OnCalendar = "*-*-* 02:00:00";
Persistent = true;
Unit = "gitea-import-users.service";
};
};
system.activationScripts.linkGiteaLogo.text = let
logo-svg = ../../../../assets/logo_blue_regular.svg;
logo-png = ../../../../assets/logo_blue_regular.png;
in ''
install -Dm444 ${logo-svg} ${cfg.stateDir}/custom/public/img/logo.svg
install -Dm444 ${logo-png} ${cfg.stateDir}/custom/public/img/logo.png
install -Dm444 ${./loading.apng} ${cfg.stateDir}/custom/public/img/loading.png
'';
}

@@ -0,0 +1,94 @@
import requests
import secrets
import os
EMAIL_DOMAIN = os.getenv('EMAIL_DOMAIN')
if EMAIL_DOMAIN is None:
EMAIL_DOMAIN = 'pvv.ntnu.no'
API_TOKEN = os.getenv('API_TOKEN')
if API_TOKEN is None:
raise Exception('API_TOKEN not set')
GITEA_API_URL = os.getenv('GITEA_API_URL')
if GITEA_API_URL is None:
GITEA_API_URL = 'https://git.pvv.ntnu.no/api/v1'
BANNED_SHELLS = [
"/usr/bin/nologin",
"/usr/sbin/nologin",
"/sbin/nologin",
"/bin/false",
"/bin/msgsh",
]
existing_users = {}
# This function should only ever be called when adding users
# from the passwd file
def add_user(username, name):
user = {
"full_name": name,
"username": username,
"login_name": username,
"source_id": 1, # 1 = SMTP
}
if username not in existing_users:
user["password"] = secrets.token_urlsafe(32)
user["must_change_password"] = False
user["visibility"] = "private"
user["email"] = username + '@' + EMAIL_DOMAIN
r = requests.post(GITEA_API_URL + '/admin/users', json=user,
headers={'Authorization': 'token ' + API_TOKEN})
if r.status_code != 201:
print('ERR: Failed to create user ' + username + ': ' + r.text)
return
print('Created user ' + username)
existing_users[username] = user
else:
user["visibility"] = existing_users[username]["visibility"]
r = requests.patch(GITEA_API_URL + f'/admin/users/{username}',
json=user,
headers={'Authorization': 'token ' + API_TOKEN})
if r.status_code != 200:
print('ERR: Failed to update user ' + username + ': ' + r.text)
return
print('Updated user ' + username)
def main():
# Fetch existing users
r = requests.get(GITEA_API_URL + '/admin/users',
headers={'Authorization': 'token ' + API_TOKEN})
if r.status_code != 200:
raise Exception('Failed to get users: ' + r.text)
for user in r.json():
existing_users[user['login']] = user
# Read the file, add each user
with open("/tmp/passwd-import", 'r') as f:
for line in f.readlines():
uid = int(line.split(':')[2])
if uid < 1000:
continue
shell = line.split(':')[-1]
if shell in BANNED_SHELLS:
continue
username = line.split(':')[0]
name = line.split(':')[4].split(',')[0]
add_user(username, name)
if __name__ == '__main__':
main()

@@ -1,41 +0,0 @@
{ config, pkgs, lib, ... }:
let
cfg = config.services.gitea;
in
{
sops.secrets = {
"gitea/passwd-ssh-key" = { };
"gitea/ssh-known-hosts" = { };
"gitea/import-user-env" = { };
};
systemd.services.gitea-import-users = lib.mkIf cfg.enable {
enable = true;
preStart=''${pkgs.rsync}/bin/rsync -e "${pkgs.openssh}/bin/ssh -o UserKnownHostsFile=$CREDENTIALS_DIRECTORY/ssh-known-hosts -i $CREDENTIALS_DIRECTORY/sshkey" -a pvv@smtp.pvv.ntnu.no:/etc/passwd /tmp/passwd-import'';
serviceConfig = {
ExecStart = pkgs.writers.writePython3 "gitea-import-users" {
flakeIgnore = [
"E501" # Line over 80 chars lol
];
libraries = with pkgs.python3Packages; [ requests ];
} (builtins.readFile ./gitea-import-users.py);
LoadCredential=[
"sshkey:${config.sops.secrets."gitea/passwd-ssh-key".path}"
"ssh-known-hosts:${config.sops.secrets."gitea/ssh-known-hosts".path}"
];
DynamicUser="yes";
EnvironmentFile=config.sops.secrets."gitea/import-user-env".path;
};
};
systemd.timers.gitea-import-users = lib.mkIf cfg.enable {
requires = [ "gitea.service" ];
after = [ "gitea.service" ];
wantedBy = [ "timers.target" ];
timerConfig = {
OnCalendar = "*-*-* 02:00:00";
Persistent = true;
Unit = "gitea-import-users.service";
};
};
}

@@ -1,198 +0,0 @@
import requests
import secrets
import os
EMAIL_DOMAIN = os.getenv('EMAIL_DOMAIN')
if EMAIL_DOMAIN is None:
EMAIL_DOMAIN = 'pvv.ntnu.no'
API_TOKEN = os.getenv('API_TOKEN')
if API_TOKEN is None:
raise Exception('API_TOKEN not set')
GITEA_API_URL = os.getenv('GITEA_API_URL')
if GITEA_API_URL is None:
GITEA_API_URL = 'https://git.pvv.ntnu.no/api/v1'
def gitea_list_all_users() -> dict[str, dict[str, any]] | None:
r = requests.get(
GITEA_API_URL + '/admin/users',
headers={'Authorization': 'token ' + API_TOKEN}
)
if r.status_code != 200:
print('Failed to get users:', r.text)
return None
return {user['login']: user for user in r.json()}
def gitea_create_user(username: str, userdata: dict[str, any]) -> bool:
r = requests.post(
GITEA_API_URL + '/admin/users',
json=userdata,
headers={'Authorization': 'token ' + API_TOKEN},
)
if r.status_code != 201:
print(f'ERR: Failed to create user {username}:', r.text)
return False
return True
def gitea_edit_user(username: str, userdata: dict[str, any]) -> bool:
r = requests.patch(
GITEA_API_URL + f'/admin/users/{username}',
json=userdata,
headers={'Authorization': 'token ' + API_TOKEN},
)
if r.status_code != 200:
print(f'ERR: Failed to update user {username}:', r.text)
return False
return True
def gitea_list_teams_for_organization(org: str) -> dict[str, any] | None:
r = requests.get(
GITEA_API_URL + f'/orgs/{org}/teams',
headers={'Authorization': 'token ' + API_TOKEN},
)
if r.status_code != 200:
print(f"ERR: Failed to list teams for {org}:", r.text)
return None
return {team['name']: team for team in r.json()}
def gitea_add_user_to_organization_team(username: str, team_id: int) -> bool:
r = requests.put(
GITEA_API_URL + f'/teams/{team_id}/members/{username}',
headers={'Authorization': 'token ' + API_TOKEN},
)
if r.status_code != 204:
print(f'ERR: Failed to add user {username} to org team {team_id}:', r.text)
return False
return True
# If a passwd user has one of the following shells,
# it is most likely not a PVV user, but rather a system user.
# Users with these shells should thus be ignored.
BANNED_SHELLS = [
"/usr/bin/nologin",
"/usr/sbin/nologin",
"/sbin/nologin",
"/bin/false",
"/bin/msgsh",
]
# Reads out a passwd-file line for line, and filters out
# real PVV users (as opposed to system users meant for daemons and such)
def passwd_file_parser(passwd_path):
with open(passwd_path, 'r') as f:
for line in f.readlines():
uid = int(line.split(':')[2])
if uid < 1000:
continue
shell = line.split(':')[-1]
if shell in BANNED_SHELLS:
continue
username = line.split(':')[0]
name = line.split(':')[4].split(',')[0]
yield (username, name)
# This function either creates a new user in gitea
# and fills it out with some default information if
# it does not exist, or ensures that the default information
# is correct if the user already exists. All user information
# (including non-default fields) is pulled from gitea and added
# to the `existing_users` dict
def add_or_patch_gitea_user(
username: str,
name: str,
existing_users: dict[str, dict[str, any]],
) -> None:
user = {
"full_name": name,
"username": username,
"login_name": username,
"source_id": 1, # 1 = SMTP
}
if username not in existing_users:
user["password"] = secrets.token_urlsafe(32)
user["must_change_password"] = False
user["visibility"] = "private"
user["email"] = username + '@' + EMAIL_DOMAIN
if not gitea_create_user(username, user):
return
print('Created user', username)
existing_users[username] = user
else:
user["visibility"] = existing_users[username]["visibility"]
if not gitea_edit_user(username, user):
return
print('Updated user', username)
# This function adds a user to a gitea team (part of organization)
# if the user is not already part of said team.
def ensure_gitea_user_is_part_of_team(
username: str,
org: str,
team_name: str,
) -> None:
teams = gitea_list_teams_for_organization(org)
if teams is None:
return
if team_name not in teams:
print(f'ERR: could not find team "{team_name}" in organization "{org}"')
gitea_add_user_to_organization_team(username, teams[team_name]['id'])
print(f'User {username} is now part of {org}/{team_name}')
# List of teams that all users should be part of by default
COMMON_USER_TEAMS = [
("Projects", "Members"),
("Kurs", "Members"),
]
def main():
existing_users = gitea_list_all_users()
if existing_users is None:
exit(1)
for username, name in passwd_file_parser("/tmp/passwd-import"):
print(f"Processing {username}")
add_or_patch_gitea_user(username, name, existing_users)
for org, team_name in COMMON_USER_TEAMS:
ensure_gitea_user_is_part_of_team(username, org, team_name)
print()
if __name__ == '__main__':
main()

@@ -1,114 +0,0 @@
{ config, pkgs, lib, ... }:
let
organizations = [
"Drift"
"Projects"
"Kurs"
];
giteaCfg = config.services.gitea;
giteaWebSecretProviderScript = pkgs.writers.writePython3 "gitea-web-secret-provider" {
libraries = with pkgs.python3Packages; [ requests ];
flakeIgnore = [
"E501" # Line over 80 chars lol
"E201" # "whitespace after {"
"E202" # "whitespace after }"
"E251" # unexpected spaces around keyword / parameter equals
"W391" # Newline at end of file
];
makeWrapperArgs = [
"--prefix PATH : ${(lib.makeBinPath [ pkgs.openssh ])}"
];
} (builtins.readFile ./gitea-web-secret-provider.py);
in
{
users.groups."gitea-web" = { };
users.users."gitea-web" = {
group = "gitea-web";
isSystemUser = true;
};
sops.secrets."gitea/web-secret-provider/token" = {
owner = "gitea-web";
group = "gitea-web";
restartUnits = [
"gitea-web-secret-provider@"
] ++ (map (org: "gitea-web-secret-provider@${org}") organizations);
};
systemd.slices.system-giteaweb = {
description = "Gitea web directories";
};
# https://www.freedesktop.org/software/systemd/man/latest/systemd.unit.html#Specifiers
# %i - instance name (after the @)
# %d - secrets directory
systemd.services."gitea-web-secret-provider@" = {
description = "Ensure all repos in %i has an SSH key to push web content";
requires = [ "gitea.service" "network.target" ];
serviceConfig = {
Slice = "system-giteaweb.slice";
Type = "oneshot";
ExecStart = let
args = lib.cli.toGNUCommandLineShell { } {
org = "%i";
token-path = "%d/token";
api-url = "${giteaCfg.settings.server.ROOT_URL}api/v1";
key-dir = "/var/lib/gitea-web/keys/%i";
authorized-keys-path = "/var/lib/gitea-web/authorized_keys.d/%i";
rrsync-script = pkgs.writeShellScript "rrsync-chown" ''
${lib.getExe pkgs.rrsync} -wo "$1"
${pkgs.coreutils}/bin/chown -R gitea-web:gitea-web "$1"
'';
web-dir = "/var/lib/gitea-web/web";
};
in "${giteaWebSecretProviderScript} ${args}";
User = "gitea-web";
Group = "gitea-web";
StateDirectory = "gitea-web";
StateDirectoryMode = "0750";
LoadCredential = [
"token:${config.sops.secrets."gitea/web-secret-provider/token".path}"
];
NoNewPrivileges = true;
PrivateTmp = true;
PrivateDevices = true;
ProtectSystem = true;
ProtectHome = true;
ProtectControlGroups = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
RestrictRealtime = true;
RestrictSUIDSGID = true;
MemoryDenyWriteExecute = true;
LockPersonality = true;
};
};
systemd.timers."gitea-web-secret-provider@" = {
description = "Ensure all repos in %i has an SSH key to push web content";
timerConfig = {
RandomizedDelaySec = "1h";
Persistent = true;
Unit = "gitea-web-secret-provider@%i.service";
OnCalendar = "daily";
};
};
systemd.targets.timers.wants = map (org: "gitea-web-secret-provider@${org}.timer") organizations;
services.openssh.authorizedKeysFiles = map (org: "/var/lib/gitea-web/authorized_keys.d/${org}") organizations;
users.users.nginx.extraGroups = [ "gitea-web" ];
services.nginx.virtualHosts."pages.pvv.ntnu.no" = {
kTLS = true;
forceSSL = true;
enableACME = true;
root = "/var/lib/gitea-web/web";
};
}

@@ -1,112 +0,0 @@
import argparse
import hashlib
import os
import requests
import subprocess
from pathlib import Path
def parse_args():
parser = argparse.ArgumentParser(description="Generate SSH keys for Gitea repositories and add them as secrets")
parser.add_argument("--org", required=True, type=str, help="The organization to generate keys for")
parser.add_argument("--token-path", metavar='PATH', required=True, type=Path, help="Path to a file containing the Gitea API token")
parser.add_argument("--api-url", metavar='URL', type=str, help="The URL of the Gitea API", default="https://git.pvv.ntnu.no/api/v1")
parser.add_argument("--key-dir", metavar='PATH', type=Path, help="The directory to store the generated keys in", default="/run/gitea-web-secret-provider")
parser.add_argument("--authorized-keys-path", metavar='PATH', type=Path, help="The path to the resulting authorized_keys file", default="/etc/ssh/authorized_keys.d/gitea-web-secret-provider")
parser.add_argument("--rrsync-script", metavar='PATH', type=Path, help="The path to a rrsync script, taking the destination path as its single argument")
parser.add_argument("--web-dir", metavar='PATH', type=Path, help="The directory to sync the repositories to", default="/var/www")
parser.add_argument("--force", action="store_true", help="Overwrite existing keys")
return parser.parse_args()
def add_secret(args: argparse.Namespace, token: str, repo: str, name: str, secret: str):
result = requests.put(
f"{args.api_url}/repos/{args.org}/{repo}/actions/secrets/{name}",
json = { 'data': secret },
headers = { 'Authorization': 'token ' + token },
)
if result.status_code not in (201, 204):
raise Exception(f"Failed to add secret: {result.json()}")
def get_org_repo_list(args: argparse.Namespace, token: str):
result = requests.get(
f"{args.api_url}/orgs/{args.org}/repos",
headers = { 'Authorization': 'token ' + token },
)
return [repo["name"] for repo in result.json()]
def generate_ssh_key(args: argparse.Namespace, repository: str):
keyname = hashlib.sha256(args.org.encode() + repository.encode()).hexdigest()
key_path = args.key_dir / keyname
if not key_path.is_file() or args.force:
subprocess.run(
[
"ssh-keygen",
*("-t", "ed25519"),
*("-f", key_path),
*("-N", ""),
*("-C", f"{args.org}/{repository}"),
],
check=True,
stdin=subprocess.DEVNULL,
stdout=subprocess.PIPE,
stderr=subprocess.PIPE,
)
print(f"Generated SSH key for `{args.org}/{repository}`")
with open(key_path, "r") as f:
private_key = f.read()
pub_key_path = args.key_dir / (keyname + '.pub')
with open(pub_key_path, "r") as f:
public_key = f.read()
return private_key, public_key
SSH_OPTS = ",".join([
"restrict",
"no-agent-forwarding",
"no-port-forwarding",
"no-pty",
"no-X11-forwarding",
])
def generate_authorized_keys(args: argparse.Namespace, repo_public_keys: list[tuple[str, str]]):
lines = []
for repo, public_key in repo_public_keys:
command = f"{args.rrsync_script} {args.web_dir}/{args.org}/{repo}"
lines.append(f'command="{command}",{SSH_OPTS} {public_key}')
with open(args.authorized_keys_path, "w") as f:
f.writelines(lines)
def main():
args = parse_args()
with open(args.token_path, "r") as f:
token = f.read().strip()
os.makedirs(args.key_dir, 0o700, exist_ok=True)
os.makedirs(args.authorized_keys_path.parent, 0o700, exist_ok=True)
repos = get_org_repo_list(args, token)
print(f'Found {len(repos)} repositories in `{args.org}`')
repo_public_keys = []
for repo in repos:
print(f"Locating key for `{args.org}/{repo}`")
private_key, public_key = generate_ssh_key(args, repo)
add_secret(args, token, repo, "WEB_SYNC_SSH_KEY", private_key)
repo_public_keys.append((repo, public_key))
generate_authorized_keys(args, repo_public_keys)
print(f"Wrote authorized_keys file to `{args.authorized_keys_path}`")
if __name__ == "__main__":
main()

@@ -112,7 +112,7 @@ class PwAuth extends \SimpleSAML\Module\core\Auth\UserPassBase
array_shift($groups);
array_shift($groups);
array_pop($groups);
$info = posix_getpwnam($uid);
$group = $info['gid'];
if (!in_array($group, $groups)) {

@@ -58,7 +58,7 @@ $config = [
/*
* The following settings are *filesystem paths* which define where
* SimpleSAMLphp can find or write the following things:
* - 'cachedir': Where SimpleSAMLphp can write its cache.
* - 'cachedir': Where SimpleSAMLphp can write its cache.
* - 'loggingdir': Where to write logs. MUST be set to NULL when using a logging
* handler other than `file`.
* - 'datadir': Storage of general data.
@@ -556,6 +556,7 @@ $config = [
'module.enable' => [
'admin' => true,
'authpwauth' => true,
'themepvv' => true,
],
@@ -858,7 +859,7 @@ $config = [
/*
* Which theme directory should be used?
*/
'theme.use' => 'default',
'theme.use' => 'themepvv:pvv',
/*
* Set this option to the text you would like to appear at the header of each page. Set to false if you don't want

@@ -11,8 +11,7 @@ let
read -r _
exit 2
fi
kinit --password-file=STDIN "''${user1}@PVV.NTNU.NO" >/dev/null 2>/dev/null
kdestroy >/dev/null 2>/dev/null
kinit --password-file=STDIN "''${user1}@PVV.NTNU.NO"
'';
};
@@ -22,81 +21,83 @@ let
# openssl req -newkey rsa:4096 -new -x509 -days 365 -nodes -out idp.crt -keyout idp.pem
"metadata/saml20-idp-hosted.php" = pkgs.writeText "saml20-idp-remote.php" ''
<?php
$metadata['https://idp.pvv.ntnu.no/'] = array(
'host' => '__DEFAULT__',
'privatekey' => '${config.sops.secrets."idp/privatekey".path}',
'certificate' => '${./idp.crt}',
'auth' => 'pwauth',
);
?>
$metadata['https://idp2.pvv.ntnu.no/'] = array(
'host' => '__DEFAULT__',
'privatekey' => '${config.sops.secrets."idp/privatekey".path}',
'certificate' => '${./idp.crt}',
'auth' => 'pwauth',
);
?>
'';
"metadata/saml20-sp-remote.php" = pkgs.writeText "saml20-sp-remote.php" ''
<?php
${ lib.pipe config.services.idp.sp-remote-metadata [
(map (url: ''
$metadata['${url}'] = [
'SingleLogoutService' => [
[
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
'Location' => '${url}module.php/saml/sp/saml2-logout.php/default-sp',
],
[
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:SOAP',
'Location' => '${url}module.php/saml/sp/saml2-logout.php/default-sp',
],
],
'AssertionConsumerService' => [
[
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
'Location' => '${url}module.php/saml/sp/saml2-acs.php/default-sp',
'index' => 0,
],
[
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact',
'Location' => '${url}module.php/saml/sp/saml2-acs.php/default-sp',
'index' => 1,
],
],
];
''))
(lib.concatStringsSep "\n")
]}
?>
${ lib.pipe config.services.idp.sp-remote-metadata [
(map (url: ''
$metadata['${url}'] = [
'SingleLogoutService' => [
[
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
'Location' => '${url}module.php/saml/sp/saml2-logout.php/default-sp',
],
[
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:SOAP',
'Location' => '${url}module.php/saml/sp/saml2-logout.php/default-sp',
],
],
'AssertionConsumerService' => [
[
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
'Location' => '${url}module.php/saml/sp/saml2-acs.php/default-sp',
'index' => 0,
],
[
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact',
'Location' => '${url}module.php/saml/sp/saml2-acs.php/default-sp',
'index' => 1,
],
],
];
''))
(lib.concatStringsSep "\n")
]}
?>
'';
"config/authsources.php" = pkgs.writeText "idp-authsources.php" ''
<?php
$config = array(
'admin' => array(
'core:AdminPassword'
),
'admin' => array(
'core:AdminPassword'
),
'pwauth' => array(
'authpwauth:PwAuth',
'pwauth_bin_path' => '${lib.getExe pwAuthScript}',
'mail_domain' => '@pvv.ntnu.no',
'authpwauth:PwAuth',
'pwauth_bin_path' => '${lib.getExe pwAuthScript}',
'mail_domain' => '@pvv.ntnu.no',
),
);
?>
?>
'';
"config/config.php" = pkgs.runCommandLocal "simplesamlphp-config.php" { } ''
cp ${./config.php} "$out"
substituteInPlace "$out" \
--replace-warn '$SAML_COOKIE_SECURE' 'true' \
--replace-warn '$SAML_COOKIE_SALT' 'file_get_contents("${config.sops.secrets."idp/cookie_salt".path}")' \
--replace-warn '$SAML_ADMIN_NAME' '"Drift"' \
--replace-warn '$SAML_ADMIN_EMAIL' '"drift@pvv.ntnu.no"' \
--replace-warn '$SAML_ADMIN_PASSWORD' 'file_get_contents("${config.sops.secrets."idp/admin_password".path}")' \
--replace-warn '$SAML_TRUSTED_DOMAINS' 'array( "idp.pvv.ntnu.no" )' \
--replace-warn '$SAML_DATABASE_DSN' '"pgsql:host=postgres.pvv.ntnu.no;port=5432;dbname=idp"' \
--replace-warn '$SAML_DATABASE_USERNAME' '"idp"' \
--replace-warn '$SAML_DATABASE_PASSWORD' 'file_get_contents("${config.sops.secrets."idp/postgres_password".path}")' \
--replace-warn '$CACHE_DIRECTORY' '/var/cache/idp'
--replace '$SAML_COOKIE_SECURE' 'true' \
--replace '$SAML_COOKIE_SALT' 'file_get_contents("${config.sops.secrets."idp/cookie_salt".path}")' \
--replace '$SAML_ADMIN_NAME' '"Drift"' \
--replace '$SAML_ADMIN_EMAIL' '"drift@pvv.ntnu.no"' \
--replace '$SAML_ADMIN_PASSWORD' 'file_get_contents("${config.sops.secrets."idp/admin_password".path}")' \
--replace '$SAML_TRUSTED_DOMAINS' 'array( "idp2.pvv.ntnu.no" )' \
--replace '$SAML_DATABASE_DSN' '"pgsql:host=postgres.pvv.ntnu.no;port=5432;dbname=idp"' \
--replace '$SAML_DATABASE_USERNAME' '"idp"' \
--replace '$SAML_DATABASE_PASSWORD' 'file_get_contents("${config.sops.secrets."idp/postgres_password".path}")' \
--replace '$CACHE_DIRECTORY' '/var/cache/idp'
'';
"modules/authpwauth/src/Auth/Source/PwAuth.php" = ./authpwauth.php;
"modules/themepvv" = pkgs.ssp-theme;
};
};
in
@@ -108,7 +109,7 @@ in
List of urls point to (simplesamlphp) service profiders, which the idp should trust.
:::{.note}
Make sure the url ends with a `/`
Make sure the url ends with a `/`
:::
'';
};
@@ -132,7 +133,7 @@ in
owner = "idp";
group = "idp";
};
};
};
users.groups."idp" = { };
users.users."idp" = {
@@ -177,10 +178,9 @@ in
};
};
services.nginx.virtualHosts."idp.pvv.ntnu.no" = {
services.nginx.virtualHosts."idp2.pvv.ntnu.no" = {
forceSSL = true;
enableACME = true;
kTLS = true;
root = "${package}/share/php/simplesamlphp/public";
locations = {
# based on https://simplesamlphp.org/docs/stable/simplesamlphp-install.html#configuring-nginx
@@ -198,10 +198,6 @@ in
}
'';
};
"^~ /simplesaml/".extraConfig = ''
rewrite ^/simplesaml/(.*)$ /$1 redirect;
return 404;
'';
};
};
};

@@ -1,18 +1,18 @@
''
<?php
$metadata['https://idp.pvv.ntnu.no/'] = [
$metadata['https://idp2.pvv.ntnu.no/'] = [
'metadata-set' => 'saml20-idp-hosted',
'entityid' => 'https://idp.pvv.ntnu.no/',
'entityid' => 'https://idp2.pvv.ntnu.no/',
'SingleSignOnService' => [
[
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
'Location' => 'https://idp.pvv.ntnu.no/module.php/saml/idp/singleSignOnService',
'Location' => 'https://idp2.pvv.ntnu.no/module.php/saml/idp/singleSignOnService',
],
],
'SingleLogoutService' => [
[
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
'Location' => 'https://idp.pvv.ntnu.no/module.php/saml/idp/singleLogout',
'Location' => 'https://idp2.pvv.ntnu.no/module.php/saml/idp/singleLogout',
],
],
'NameIDFormat' => [ 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient' ],

@@ -1,5 +1,18 @@
{ config, pkgs, lib, ... }:
{
#######################
# TODO: remove these once nixos 24.05 gets released
#######################
imports = [
./krb5.nix
./pam.nix
];
disabledModules = [
"config/krb5/default.nix"
"security/pam.nix"
];
#######################
security.krb5 = {
enable = true;
settings = {

@@ -879,15 +879,15 @@ let
inherit (pkgs) pam_krb5 pam_ccreds;
use_ldap = config.users.ldap.enable && config.users.ldap.loginPam;
use_ldap = (config.users.ldap.enable && config.users.ldap.loginPam);
pam_ldap = if config.users.ldap.daemon.enable then pkgs.nss_pam_ldapd else pkgs.pam_ldap;
# Create a limits.conf(5) file.
makeLimitsConf = limits:
pkgs.writeText "limits.conf"
(concatMapStrings ({ domain, type, item, value }:
"${domain} ${type} ${item} ${toString value}\n")
limits);
(concatMapStrings ({ domain, type, item, value }:
"${domain} ${type} ${item} ${toString value}\n")
limits);
limitsType = with lib.types; listOf (submodule ({ ... }: {
options = {
@@ -935,8 +935,8 @@ let
}));
motd = if config.users.motdFile == null
then pkgs.writeText "motd" config.users.motd
else config.users.motdFile;
then pkgs.writeText "motd" config.users.motd
else config.users.motdFile;
makePAMService = name: service:
{ name = "pam.d/${name}";
@@ -976,20 +976,20 @@ in
item = "maxlogins";
value = "4";
}
];
];
description = lib.mdDoc ''
Define resource limits that should apply to users or groups.
Each item in the list should be an attribute set with a
{var}`domain`, {var}`type`,
{var}`item`, and {var}`value`
attribute. The syntax and semantics of these attributes
must be that described in {manpage}`limits.conf(5)`.
description = lib.mdDoc ''
Define resource limits that should apply to users or groups.
Each item in the list should be an attribute set with a
{var}`domain`, {var}`type`,
{var}`item`, and {var}`value`
attribute. The syntax and semantics of these attributes
must be that described in {manpage}`limits.conf(5)`.
Note that these limits do not apply to systemd services,
whose limits can be changed via {option}`systemd.extraConfig`
instead.
'';
Note that these limits do not apply to systemd services,
whose limits can be changed via {option}`systemd.extraConfig`
instead.
'';
};
security.pam.services = mkOption {
@@ -1507,10 +1507,10 @@ in
runuser = { rootOK = true; unixAuth = false; setEnvironment = false; };
/* FIXME: should runuser -l start a systemd session? Currently
it complains "Cannot create session: Already running in a
session". */
it complains "Cannot create session: Already running in a
session". */
runuser-l = { rootOK = true; unixAuth = false; };
} // optionalAttrs config.security.pam.enableFscrypt {
} // optionalAttrs (config.security.pam.enableFscrypt) {
# Allow fscrypt to verify login passphrase
fscrypt = {};
};

@@ -0,0 +1,24 @@
{ pkgs, config, values, ... }:
{
sops.secrets."keys/postgres/keycloak" = {
owner = "keycloak";
group = "keycloak";
restartUnits = [ "keycloak.service" ];
};
services.keycloak = {
enable = true;
settings = {
hostname = "auth.pvv.ntnu.no";
# hostname-strict-backchannel = true;
};
database = {
host = values.hosts.bicep.ipv4;
createLocally = false;
passwordFile = config.sops.secrets."keys/postgres/keycloak".path;
caCert = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
};
};
}

@@ -17,36 +17,44 @@
cp ${./simplesaml-config.php} "$out"
substituteInPlace "$out" \
--replace-warn '$SAML_COOKIE_SECURE' 'true' \
--replace-warn '$SAML_COOKIE_SALT' 'file_get_contents("${config.sops.secrets."mediawiki/simplesamlphp/cookie_salt".path}")' \
--replace-warn '$SAML_ADMIN_NAME' '"Drift"' \
--replace-warn '$SAML_ADMIN_EMAIL' '"drift@pvv.ntnu.no"' \
--replace-warn '$SAML_ADMIN_PASSWORD' 'file_get_contents("${config.sops.secrets."mediawiki/simplesamlphp/admin_password".path}")' \
--replace-warn '$SAML_TRUSTED_DOMAINS' 'array( "wiki.pvv.ntnu.no" )' \
--replace-warn '$SAML_DATABASE_DSN' '"pgsql:host=postgres.pvv.ntnu.no;port=5432;dbname=mediawiki_simplesamlphp"' \
--replace-warn '$SAML_DATABASE_USERNAME' '"mediawiki_simplesamlphp"' \
--replace-warn '$SAML_DATABASE_PASSWORD' 'file_get_contents("${config.sops.secrets."mediawiki/simplesamlphp/postgres_password".path}")' \
--replace-warn '$CACHE_DIRECTORY' '/var/cache/mediawiki/idp'
--replace '$SAML_COOKIE_SECURE' 'true' \
--replace '$SAML_COOKIE_SALT' 'file_get_contents("${config.sops.secrets."mediawiki/simplesamlphp/cookie_salt".path}")' \
--replace '$SAML_ADMIN_NAME' '"Drift"' \
--replace '$SAML_ADMIN_EMAIL' '"drift@pvv.ntnu.no"' \
--replace '$SAML_ADMIN_PASSWORD' 'file_get_contents("${config.sops.secrets."mediawiki/simplesamlphp/admin_password".path}")' \
--replace '$SAML_TRUSTED_DOMAINS' 'array( "wiki2.pvv.ntnu.no" )' \
--replace '$SAML_DATABASE_DSN' '"pgsql:host=postgres.pvv.ntnu.no;port=5432;dbname=mediawiki_simplesamlphp"' \
--replace '$SAML_DATABASE_USERNAME' '"mediawiki_simplesamlphp"' \
--replace '$SAML_DATABASE_PASSWORD' 'file_get_contents("${config.sops.secrets."mediawiki/simplesamlphp/postgres_password".path}")' \
--replace '$CACHE_DIRECTORY' '/var/cache/mediawiki/idp'
'';
};
};
in {
services.idp.sp-remote-metadata = [ "https://wiki.pvv.ntnu.no/simplesaml/" ];
services.idp.sp-remote-metadata = [ "https://wiki2.pvv.ntnu.no/simplesaml/" ];
sops.secrets = lib.pipe [
"mediawiki/password"
"mediawiki/postgres_password"
"mediawiki/simplesamlphp/postgres_password"
"mediawiki/simplesamlphp/cookie_salt"
"mediawiki/simplesamlphp/admin_password"
] [
(map (key: lib.nameValuePair key {
sops.secrets = {
"mediawiki/password" = {
owner = user;
group = group;
restartUnits = [ "phpfpm-mediawiki.service" ];
}))
lib.listToAttrs
];
};
"mediawiki/postgres_password" = {
owner = user;
group = group;
};
"mediawiki/simplesamlphp/postgres_password" = {
owner = user;
group = group;
};
"mediawiki/simplesamlphp/cookie_salt" = {
owner = user;
group = group;
};
"mediawiki/simplesamlphp/admin_password" = {
owner = user;
group = group;
};
};
services.mediawiki = {
enable = true;
@@ -65,10 +73,12 @@ in {
name = "mediawiki";
};
webserver = "nginx";
nginx.hostName = "wiki.pvv.ntnu.no";
poolConfig = {
# Host through nginx
webserver = "none";
poolConfig = let
listenUser = config.services.nginx.user;
listenGroup = config.services.nginx.group;
in {
inherit user group;
"pm" = "dynamic";
"pm.max_children" = 32;
@@ -76,6 +86,8 @@ in {
"pm.start_servers" = 2;
"pm.min_spare_servers" = 2;
"pm.max_spare_servers" = 4;
"listen.owner" = listenUser;
"listen.group" = listenGroup;
"catch_workers_output" = true;
"php_admin_flag[log_errors]" = true;
@@ -86,24 +98,11 @@ in {
};
extensions = {
inherit (pkgs.mediawiki-extensions)
CodeEditor
CodeMirror
DeleteBatch
PluggableAuth
Popups
Scribunto
SimpleSAMLphp
TemplateData
TemplateStyles
UserMerge
VisualEditor
WikiEditor
;
inherit (pkgs.mediawiki-extensions) DeleteBatch UserMerge PluggableAuth SimpleSAMLphp;
};
extraConfig = ''
$wgServer = "https://wiki.pvv.ntnu.no";
$wgServer = "https://wiki2.pvv.ntnu.no";
$wgLocaltimezone = "Europe/Oslo";
# Only allow login through SSO
@@ -118,7 +117,9 @@ in {
$wgGroupPermissions['*']['edit'] = false;
$wgGroupPermissions['*']['read'] = true;
# Allow subdirectories in article URLs
# Misc. URL rules
$wgUsePathInfo = true;
$wgScriptExtension = ".php";
$wgNamespacesWithSubpages[NS_MAIN] = true;
# Styling
@@ -126,6 +127,7 @@ in {
"2x" => "/PNG/PVV-logo.png",
"icon" => "/PNG/PVV-logo.svg",
);
# wfLoadSkin('Timeless');
$wgDefaultSkin = "vector-2022";
# from https://github.com/wikimedia/mediawiki-skins-Vector/blob/master/skin.json
$wgVectorDefaultSidebarVisibleForAnonymousUser = true;
@@ -133,27 +135,13 @@ in {
# Misc
$wgEmergencyContact = "${cfg.passwordSender}";
$wgShowIPinHeader = false;
$wgUseTeX = false;
$wgLocalInterwiki = $wgSitename;
# Fix https://github.com/NixOS/nixpkgs/issues/183097
$wgDBserver = "${toString cfg.database.host}";
$wgAllowCopyUploads = true;
# Misc program paths
$wgFFmpegLocation = '${pkgs.ffmpeg}/bin/ffmpeg';
$wgExiftool = '${pkgs.exiftool}/bin/exiftool';
$wgExiv2Command = '${pkgs.exiv2}/bin/exiv2';
# See https://gist.github.com/sergejmueller/088dce028b6dd120a16e
$wgJpegTran = '${pkgs.mozjpeg}/bin/jpegtran';
$wgGitBin = '${pkgs.git}/bin/git';
# Debugging
$wgShowExceptionDetails = false;
$wgShowIPinHeader = false;
# EXT:{SimpleSAML,PluggableAuth}
# SimpleSAML
$wgSimpleSAMLphp_InstallDir = "${simplesamlphp}/share/php/simplesamlphp/";
$wgPluggableAuth_Config['Log in using SAML'] = [
$wgPluggableAuth_Config['Log in using my SAML'] = [
'plugin' => 'SimpleSAMLphp',
'data' => [
'authSourceId' => 'default-sp',
@@ -163,12 +151,8 @@ in {
]
];
# EXT:Scribunto
$wgScribuntoDefaultEngine = 'luastandalone';
$wgScribuntoEngineConf['luastandalone']['luaPath'] = '${pkgs.lua}/bin';
# EXT:WikiEditor
$wgWikiEditorRealtimePreview = true;
# Fix https://github.com/NixOS/nixpkgs/issues/183097
$wgDBserver = "${toString cfg.database.host}";
'';
};
@@ -180,15 +164,56 @@ in {
mode = "0770";
};
# Override because of https://github.com/NixOS/nixpkgs/issues/183097
systemd.services.mediawiki-init.script = let
# According to module
stateDir = "/var/lib/mediawiki";
pkg = cfg.finalPackage;
mediawikiConfig = config.services.phpfpm.pools.mediawiki.phpEnv.MEDIAWIKI_CONFIG;
inherit (lib) optionalString mkForce;
in mkForce ''
if ! test -e "${stateDir}/secret.key"; then
tr -dc A-Za-z0-9 </dev/urandom 2>/dev/null | head -c 64 > ${stateDir}/secret.key
fi
echo "exit( wfGetDB( DB_MASTER )->tableExists( 'user' ) ? 1 : 0 );" | \
${pkgs.php}/bin/php ${pkg}/share/mediawiki/maintenance/eval.php --conf ${mediawikiConfig} && \
${pkgs.php}/bin/php ${pkg}/share/mediawiki/maintenance/install.php \
--confpath /tmp \
--scriptpath / \
--dbserver "${cfg.database.host}" \
--dbport ${toString cfg.database.port} \
--dbname ${cfg.database.name} \
${optionalString (cfg.database.tablePrefix != null) "--dbprefix ${cfg.database.tablePrefix}"} \
--dbuser ${cfg.database.user} \
${optionalString (cfg.database.passwordFile != null) "--dbpassfile ${cfg.database.passwordFile}"} \
--passfile ${cfg.passwordFile} \
--dbtype ${cfg.database.type} \
${cfg.name} \
admin
${pkgs.php}/bin/php ${pkg}/share/mediawiki/maintenance/update.php --conf ${mediawikiConfig} --quick
'';
users.groups.mediawiki.members = [ "nginx" ];
services.nginx.virtualHosts."wiki.pvv.ntnu.no" = {
kTLS = true;
services.nginx.virtualHosts."wiki2.pvv.ntnu.no" = {
forceSSL = true;
enableACME = true;
root = "${config.services.mediawiki.finalPackage}/share/mediawiki";
locations = {
"= /wiki/Main_Page" = lib.mkForce {
return = "301 /wiki/Programvareverkstedet";
"/" = {
index = "index.php";
};
"~ /(.+\\.php)" = {
extraConfig = ''
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_index index.php;
fastcgi_pass unix:${config.services.phpfpm.pools.mediawiki.socket};
include ${pkgs.nginx}/conf/fastcgi_params;
include ${pkgs.nginx}/conf/fastcgi.conf;
'';
};
# based on https://simplesamlphp.org/docs/stable/simplesamlphp-install.html#configuring-nginx
@@ -199,7 +224,7 @@ in {
extraConfig = ''
location ~ ^/simplesaml/(?<phpfile>.+?\.php)(?<pathinfo>/.*)?$ {
include ${pkgs.nginx}/conf/fastcgi_params;
fastcgi_pass unix:${config.services.phpfpm.pools.mediawiki.socket};
fastcgi_pass unix:${config.services.phpfpm.pools.mediawiki.socket};
fastcgi_param SCRIPT_FILENAME ${simplesamlphp}/share/php/simplesamlphp/public/$phpfile;
# Must be prepended with the baseurlpath
@@ -210,22 +235,23 @@ in {
'';
};
"/images/".alias = "${config.services.mediawiki.uploadsDir}/";
"= /PNG/PVV-logo.svg".alias = ../../../../assets/logo_blue_regular.svg;
"= /PNG/PVV-logo.png".alias = ../../../../assets/logo_blue_regular.png;
"= /favicon.ico".alias = pkgs.runCommandLocal "mediawiki-favicon.ico" {
buildInputs = with pkgs; [ imagemagick ];
} ''
convert \
-resize x64 \
-gravity center \
-crop 64x64+0+0 \
${../../../../assets/logo_blue_regular.png} \
-flatten \
-colors 256 \
-background transparent \
$out
-resize x64 \
-gravity center \
-crop 64x64+0+0 \
${../../../../assets/logo_blue_regular.png} \
-flatten \
-colors 256 \
-background transparent \
$out
'';
};
};
}

@@ -5,7 +5,7 @@ $config = array(
),
'default-sp' => array(
'saml:SP',
'entityID' => 'https://wiki.pvv.ntnu.no/simplesaml/',
'idp' => 'https://idp.pvv.ntnu.no/',
'entityID' => 'https://wiki2.pvv.ntnu.no/simplesaml/',
'idp' => 'https://idp2.pvv.ntnu.no/',
),
);

@@ -58,7 +58,7 @@ $config = [
/*
* The following settings are *filesystem paths* which define where
* SimpleSAMLphp can find or write the following things:
* - 'cachedir': Where SimpleSAMLphp can write its cache.
* - 'cachedir': Where SimpleSAMLphp can write its cache.
* - 'loggingdir': Where to write logs. MUST be set to NULL when using a logging
* handler other than `file`.
* - 'datadir': Storage of general data.

@@ -1,4 +0,0 @@
{ pkgs, config, ... }:
{
services.nginx.enable = true;
}

@@ -0,0 +1,28 @@
{ pkgs, config, ... }:
{
imports = [
./ingress.nix
];
security.acme = {
acceptTerms = true;
defaults.email = "drift@pvv.ntnu.no";
};
services.nginx = {
enable = true;
recommendedTlsSettings = true;
recommendedProxySettings = true;
recommendedOptimisation = true;
recommendedGzipSettings = true;
virtualHosts."bekkalokk.pvv.ntnu.no" = {
enableACME = true;
forceSSL = true;
locations."/".return = "301 $scheme://git.pvv.ntnu.no$request_uri";
};
};
networking.firewall.allowedTCPPorts = [ 80 443 ];
}

@@ -0,0 +1,55 @@
{ config, lib, ... }:
{
services.nginx.virtualHosts = {
"www2.pvv.ntnu.no" = {
serverAliases = [ "www2.pvv.org" "pvv.ntnu.no" "pvv.org" ];
addSSL = true;
enableACME = true;
locations = {
# Proxy home directories
"/~" = {
extraConfig = ''
proxy_redirect off;
proxy_pass https://tom.pvv.ntnu.no;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
'';
};
# Redirect old wiki entries
"/disk".return = "301 https://www.pvv.ntnu.no/pvv/Diskkjøp";
"/dok/boker.php".return = "301 https://www.pvv.ntnu.no/pvv/Bokhyllen";
"/styret/lover/".return = "301 https://www.pvv.ntnu.no/pvv/Lover";
"/styret/".return = "301 https://www.pvv.ntnu.no/pvv/Styret";
"/info/".return = "301 https://www.pvv.ntnu.no/pvv/";
"/info/maskinpark/".return = "301 https://www.pvv.ntnu.no/pvv/Maskiner";
"/medlemssider/meldinn.php".return = "301 https://www.pvv.ntnu.no/pvv/Medlemskontingent";
"/diverse/medlems-sider.php".return = "301 https://www.pvv.ntnu.no/pvv/Medlemssider";
"/cert/".return = "301 https://www.pvv.ntnu.no/pvv/CERT";
"/drift".return = "301 https://www.pvv.ntnu.no/pvv/Drift";
"/diverse/abuse.php".return = "301 https://www.pvv.ntnu.no/pvv/CERT/Abuse";
"/nerds/".return = "301 https://www.pvv.ntnu.no/pvv/Nerdepizza";
# TODO: Redirect webmail
"/webmail".return = "301 https://webmail.pvv.ntnu.no/squirrelmail";
# Redirect everything else to the main website
"/".return = "301 https://www.pvv.ntnu.no$request_uri";
# Proxy the matrix well-known files
# Host has be set before proxy_pass
# The header must be set so nginx on the other side routes it to the right place
"/.well-known/matrix/" = {
extraConfig = ''
proxy_set_header Host matrix.pvv.ntnu.no;
proxy_pass https://matrix.pvv.ntnu.no/.well-known/matrix/;
'';
};
};
};
};
}

@@ -0,0 +1,6 @@
{ ... }:
{
services.openldap = {
enable = true;
};
}

@@ -1,51 +0,0 @@
{ lib, ... }:
let
pools = map (pool: "phpfpm-${pool}") [
"idp"
"mediawiki"
"pvv-nettsiden"
"roundcube"
"snappymail"
];
in
{
# Source: https://www.pierreblazquez.com/2023/06/17/how-to-harden-apache-php-fpm-daemons-using-systemd/
systemd.services = lib.genAttrs pools (_: {
serviceConfig = let
caps = [
"CAP_NET_BIND_SERVICE"
"CAP_SETGID"
"CAP_SETUID"
"CAP_CHOWN"
"CAP_KILL"
"CAP_IPC_LOCK"
"CAP_DAC_OVERRIDE"
];
in {
AmbientCapabilities = caps;
CapabilityBoundingSet = caps;
DeviceAllow = [ "" ];
LockPersonality = true;
MemoryDenyWriteExecute = false;
NoNewPrivileges = true;
PrivateMounts = true;
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
RemoveIPC = true;
UMask = "0077";
RestrictNamespaces = "~mnt";
RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
KeyringMode = "private";
SystemCallFilter = [
"@system-service"
];
};
});
}

@@ -1,104 +0,0 @@
{ config, pkgs, lib, ... }:
let
cfg = config.services.vaultwarden;
domain = "pw.pvv.ntnu.no";
address = "127.0.1.2";
port = 3011;
wsPort = 3012;
in {
sops.secrets."vaultwarden/environ" = {
owner = "vaultwarden";
group = "vaultwarden";
};
services.vaultwarden = {
enable = true;
dbBackend = "postgresql";
environmentFile = config.sops.secrets."vaultwarden/environ".path;
config = {
domain = "https://${domain}";
rocketAddress = address;
rocketPort = port;
websocketEnabled = true;
websocketAddress = address;
websocketPort = wsPort;
signupsAllowed = true;
signupsVerify = true;
signupsDomainsWhitelist = "pvv.ntnu.no";
smtpFrom = "vaultwarden@pvv.ntnu.no";
smtpFromName = "VaultWarden PVV";
smtpHost = "smtp.pvv.ntnu.no";
smtpUsername = "vaultwarden";
smtpSecurity = "force_tls";
smtpAuthMechanism = "Login";
# Configured in environ:
# databaseUrl = "postgresql://vaultwarden@/vaultwarden";
# smtpPassword = hemli
};
};
services.nginx.virtualHosts."${domain}" = {
forceSSL = true;
enableACME = true;
kTLS = true;
extraConfig = ''
client_max_body_size 128M;
'';
locations."/" = {
proxyPass = "http://${address}:${toString port}";
proxyWebsockets = true;
};
locations."/notifications/hub" = {
proxyPass = "http://${address}:${toString wsPort}";
proxyWebsockets = true;
};
locations."/notifications/hub/negotiate" = {
proxyPass = "http://${address}:${toString port}";
proxyWebsockets = true;
};
};
systemd.services.vaultwarden = lib.mkIf cfg.enable {
serviceConfig = {
AmbientCapabilities = [ "" ];
CapabilityBoundingSet = [ "" ];
DeviceAllow = [ "" ];
LockPersonality = true;
NoNewPrivileges = true;
# MemoryDenyWriteExecute = true;
PrivateMounts = true;
PrivateUsers = true;
ProcSubset = "pid";
ProtectClock = true;
ProtectControlGroups = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
RestrictAddressFamilies = [
"AF_INET"
"AF_INET6"
"AF_UNIX"
];
RemoveIPC = true;
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
SystemCallFilter = [
"@system-service"
"~@privileged"
];
UMask = "0007";
};
};
}

@@ -2,20 +2,14 @@
{
imports = [
./roundcube.nix
./snappymail.nix
];
services.nginx.virtualHosts."webmail.pvv.ntnu.no" = {
services.nginx.virtualHosts."webmail2.pvv.ntnu.no" = {
forceSSL = true;
enableACME = true;
kTLS = true;
locations = {
"= /".return = "302 https://webmail.pvv.ntnu.no/roundcube";
"/afterlogic_lite".return = "302 https://webmail.pvv.ntnu.no/roundcube";
"/squirrelmail".return = "302 https://webmail.pvv.ntnu.no/roundcube";
"/rainloop".return = "302 https://snappymail.pvv.ntnu.no/";
"/snappymail".return = "302 https://snappymail.pvv.ntnu.no/";
#locations."/" = lib.mkForce { };
locations."= /" = {
return = "301 https://www.pvv.ntnu.no/mail/";
};
};
}

@@ -3,8 +3,8 @@
with lib;
let
cfg = config.services.roundcube;
domain = "webmail.pvv.ntnu.no";
in
domain = "webmail2.pvv.ntnu.no";
in
{
services.roundcube = {
enable = true;
@@ -35,7 +35,6 @@ in
services.nginx.virtualHosts."roundcubeplaceholder.example.com" = lib.mkForce { };
services.nginx.virtualHosts.${domain} = {
kTLS = true;
locations."/roundcube" = {
tryFiles = "$uri $uri/ =404";
index = "index.php";

@@ -1,18 +0,0 @@
{ config, lib, pkgs, ... }:
let
cfg = config.services.snappymail;
in {
imports = [ ../../../../modules/snappymail.nix ];
services.snappymail = {
enable = true;
hostname = "snappymail.pvv.ntnu.no";
};
services.nginx.virtualHosts.${cfg.hostname} = {
forceSSL = true;
enableACME = true;
kTLS = true;
};
}

@@ -0,0 +1,4 @@
{ ... }:
{
}

@@ -1,131 +0,0 @@
{ pkgs, lib, config, ... }:
let
format = pkgs.formats.php { };
cfg = config.services.pvv-nettsiden;
in {
imports = [
./fetch-gallery.nix
];
sops.secrets = lib.genAttrs [
"nettsiden/door_secret"
"nettsiden/mysql_password"
"nettsiden/simplesamlphp/admin_password"
"nettsiden/simplesamlphp/cookie_salt"
] (_: {
owner = config.services.phpfpm.pools.pvv-nettsiden.user;
group = config.services.phpfpm.pools.pvv-nettsiden.group;
restartUnits = [ "phpfpm-pvv-nettsiden.service" ];
});
services.idp.sp-remote-metadata = [
"https://www.pvv.ntnu.no/simplesaml/"
"https://pvv.ntnu.no/simplesaml/"
"https://www.pvv.org/simplesaml/"
"https://pvv.org/simplesaml/"
];
services.pvv-nettsiden = {
enable = true;
package = pkgs.pvv-nettsiden.override {
extra_files = {
"${pkgs.pvv-nettsiden.passthru.simplesamlphpPath}/metadata/saml20-idp-remote.php" = pkgs.writeText "pvv-nettsiden-saml20-idp-remote.php" (import ../idp-simplesamlphp/metadata.php.nix);
"${pkgs.pvv-nettsiden.passthru.simplesamlphpPath}/config/authsources.php" = pkgs.writeText "pvv-nettsiden-authsources.php" ''
<?php
$config = array(
'admin' => array(
'core:AdminPassword'
),
'default-sp' => array(
'saml:SP',
'entityID' => 'https://${cfg.domainName}/simplesaml/',
'idp' => 'https://idp.pvv.ntnu.no/',
),
);
'';
};
};
domainName = "www.pvv.ntnu.no";
settings = let
includeFromSops = path: format.lib.mkRaw "file_get_contents('${config.sops.secrets."nettsiden/${path}".path}')";
in {
DOOR_SECRET = includeFromSops "door_secret";
DB = {
DSN = "mysql:dbname=www-data_nettside;host=mysql.pvv.ntnu.no";
USER = "www-data_nettsi";
PASS = includeFromSops "mysql_password";
};
# TODO: set up postgres session for simplesamlphp
SAML = {
COOKIE_SALT = includeFromSops "simplesamlphp/cookie_salt";
COOKIE_SECURE = true;
ADMIN_NAME = "PVV Drift";
ADMIN_EMAIL = "drift@pvv.ntnu.no";
ADMIN_PASSWORD = includeFromSops "simplesamlphp/admin_password";
TRUSTED_DOMAINS = [ cfg.domainName ];
};
};
};
services.phpfpm.pools."pvv-nettsiden".settings = {
# "php_admin_value[error_log]" = "stderr";
"php_admin_flag[log_errors]" = true;
"catch_workers_output" = true;
};
services.nginx.virtualHosts.${cfg.domainName} = {
serverAliases = [
"pvv.ntnu.no"
"www.pvv.org"
"pvv.org"
];
locations = {
# Proxy home directories
"^~ /~" = {
extraConfig = ''
proxy_redirect off;
proxy_pass https://tom.pvv.ntnu.no;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
'';
};
# Redirect the old webmail/wiki paths from spikkjeposche
"^~ /webmail".return = "301 https://webmail.pvv.ntnu.no";
"~ /pvv/([^\\n\\r]*)".return = "301 https://wiki.pvv.ntnu.no/wiki/$1";
"= /pvv".return = "301 https://wiki.pvv.ntnu.no/";
# Redirect old wiki entries
"/disk".return = "301 https://wiki.pvv.ntnu.no/wiki/Diskkjøp";
"/dok/boker.php".return = "301 https://wiki.pvv.ntnu.no/wiki/Bokhyllen";
"/styret/lover/".return = "301 https://wiki.pvv.ntnu.no/wiki/Lover";
"/styret/".return = "301 https://wiki.pvv.ntnu.no/wiki/Styret";
"/info/".return = "301 https://wiki.pvv.ntnu.no/wiki/";
"/info/maskinpark/".return = "301 https://wiki.pvv.ntnu.no/wiki/Maskiner";
"/medlemssider/meldinn.php".return = "301 https://wiki.pvv.ntnu.no/wiki/Medlemskontingent";
"/diverse/medlems-sider.php".return = "301 https://wiki.pvv.ntnu.no/wiki/Medlemssider";
"/cert/".return = "301 https://wiki.pvv.ntnu.no/wiki/CERT";
"/drift".return = "301 https://wiki.pvv.ntnu.no/wiki/Drift";
"/diverse/abuse.php".return = "301 https://wiki.pvv.ntnu.no/wiki/CERT/Abuse";
"/nerds/".return = "301 https://wiki.pvv.ntnu.no/wiki/Nerdepizza";
# Proxy the matrix well-known files
# Host has be set before proxy_pass
# The header must be set so nginx on the other side routes it to the right place
"^~ /.well-known/matrix/" = {
extraConfig = ''
proxy_set_header Host matrix.pvv.ntnu.no;
proxy_pass https://matrix.pvv.ntnu.no/.well-known/matrix/;
'';
};
};
};
}

@@ -1,67 +0,0 @@
{ pkgs, lib, config, ... }:
let
galleryDir = config.services.pvv-nettsiden.settings.GALLERY.DIR;
transferDir = "${config.services.pvv-nettsiden.settings.GALLERY.DIR}-transfer";
in {
users.users.${config.services.pvv-nettsiden.user} = {
useDefaultShell = true;
# This is pushed from microbel:/var/www/www-gallery/build-gallery.sh
openssh.authorizedKeys.keys = [
''command="${pkgs.rrsync}/bin/rrsync -wo ${transferDir}",restrict,no-agent-forwarding,no-port-forwarding,no-pty,no-X11-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIjHhC2dikhWs/gG+m7qP1eSohWzTehn4ToNzDSOImyR gallery-publish''
];
};
systemd.paths.pvv-nettsiden-gallery-update = {
wantedBy = [ "multi-user.target" ];
pathConfig = {
PathChanged = "${transferDir}/gallery.tar.gz";
Unit = "pvv-nettsiden-gallery-update.service";
MakeDirectory = true;
};
};
systemd.services.pvv-nettsiden-gallery-update = {
path = with pkgs; [ imagemagick gnutar gzip ];
script = ''
tar ${lib.cli.toGNUCommandLineShell {} {
extract = true;
file = "${transferDir}/gallery.tar.gz";
directory = ".";
}}
# Delete files and directories that exists in the gallery that don't exist in the tarball
filesToRemove=$(uniq -u <(sort <(find . -not -path "./.thumbnails*") <(tar -tf ${transferDir}/gallery.tar.gz | sed 's|/$||')))
while IFS= read fname; do
rm -f "$fname" ||:
rm -f ".thumbnails/$fname.png" ||:
done <<< "$filesToRemove"
find . -type d -empty -delete
mkdir -p .thumbnails
images=$(find . -type f -not -path "./.thumbnails*")
while IFS= read fname; do
# Skip this file if an up-to-date thumbnail already exists
if [ -f ".thumbnails/$fname.png" ] && \
[ "$(date -R -r "$fname")" == "$(date -R -r ".thumbnails/$fname.png")" ]
then
continue
fi
echo "Creating thumbnail for $fname"
mkdir -p $(dirname ".thumbnails/$fname")
convert -define jpeg:size=200x200 "$fname" -thumbnail 300 -auto-orient ".thumbnails/$fname.png" ||:
touch -m -d "$(date -R -r "$fname")" ".thumbnails/$fname.png"
done <<< "$images"
'';
serviceConfig = {
WorkingDirectory = galleryDir;
User = config.services.pvv-nettsiden.user;
Group = config.services.pvv-nettsiden.group;
};
};
}

@@ -3,7 +3,7 @@
imports = [
./hardware-configuration.nix
../../base
../../base.nix
../../misc/metrics-exporters.nix
./services/nginx
@@ -12,7 +12,8 @@
./services/mysql.nix
./services/postgres.nix
./services/mysql.nix
./services/calendar-bot.nix
# TODO: fix the calendar bot
# ./services/calendar-bot.nix
./services/matrix
];

@@ -2,19 +2,11 @@
let
cfg = config.services.pvv-calendar-bot;
in {
sops.secrets = {
"calendar-bot/matrix_token" = {
sopsFile = ../../../secrets/bicep/bicep.yaml;
key = "calendar-bot/matrix_token";
owner = cfg.user;
group = cfg.group;
};
"calendar-bot/mysql_password" = {
sopsFile = ../../../secrets/bicep/bicep.yaml;
key = "calendar-bot/mysql_password";
owner = cfg.user;
group = cfg.group;
};
sops.secrets."calendar-bot/matrix_token" = {
sopsFile = ../../../secrets/bicep/bicep.yaml;
key = "calendar-bot/matrix_token";
owner = cfg.user;
group = cfg.group;
};
services.pvv-calendar-bot = {
@@ -26,11 +18,6 @@ in {
user = "@bot_calendar:pvv.ntnu.no";
channel = "!gkNLUIhYVpEyLatcRz:pvv.ntnu.no";
};
database = {
host = "mysql.pvv.ntnu.no";
user = "calendar-bot";
passwordFile = config.sops.secrets."calendar-bot/mysql_password".path;
};
secretsFile = config.sops.secrets."calendar-bot/matrix_token".path;
onCalendar = "*-*-* 09:00:00";
};

@@ -26,7 +26,7 @@
"turns:turn.pvv.ntnu.no:5349?transport=tcp"
"turns:turn.pvv.ntnu.no:5349?transport=udp"
"turns:turn.pvv.ntnu.no:3478?transport=udp"
"turns:turn.pvv.ntnu.no:3478?transport=tcp"
"turn:turn.pvv.ntnu.no:3478?transport=udp"
@@ -69,7 +69,7 @@
tls-listening-port = 443;
alt-tls-listening-port = 5349;
listening-port = 3478;
min-port = 49000;
@@ -116,7 +116,7 @@
#total-quota=1200
'';
};
networking.firewall = {
interfaces.enp6s0f0 = let
range = with config.services.coturn; [ {

@@ -12,6 +12,6 @@
./discord.nix
];
}

@@ -5,7 +5,6 @@ in {
services.nginx.virtualHosts."chat.pvv.ntnu.no" = {
enableACME = true;
forceSSL = true;
kTLS = true;
root = pkgs.element-web.override {
conf = {

@@ -11,7 +11,7 @@
services.mjolnir = {
enable = true;
pantalaimon.enable = false;
homeserverUrl = "https://matrix.pvv.ntnu.no";
homeserverUrl = http://127.0.0.1:8008;
accessTokenFile = config.sops.secrets."matrix/mjolnir/access_token".path;
managementRoom = "!gsdeCoWjvYRBrzuiRq:pvv.ntnu.no";
protectedRooms = map (a: "https://matrix.to/#/${a}") [

@@ -7,9 +7,6 @@ from synapse import module_api
import re
import logging
logger = logging.getLogger(__name__)
class SMTPAuthProvider:
def __init__(self, config: dict, api: module_api):
self.api = api
@@ -46,13 +43,8 @@ class SMTPAuthProvider:
if result == True:
userid = self.api.get_qualified_user_id(username)
userid = await self.api.check_user_exists(userid)
if not userid:
logger.info(f"user did not exist, registering {username}")
userid = await self.api.register_user(username)
logger.info(f"registered userid: {userid}")
if not self.api.check_user_exists(userid):
self.api.register_user(username)
return (userid, None)
else:
logger.info("returning None")
return None

@@ -134,6 +134,80 @@ in {
"129.241.0.0/16"
"2001:700:300::/44"
];
saml2_config = {
sp_config.metadata.remote = [
{ url = "https://idp.pvv.ntnu.no/simplesaml/saml2/idp/metadata.php"; }
];
description = [ "Matrix Synapse SP" "en" ];
name = [ "Matrix Synapse SP" "en" ];
ui_info = {
display_name = [
{
lang = "en";
text = "PVV Matrix login";
}
];
description = [
{
lang = "en";
text = "Matrix is a modern free and open federated chat protocol";
}
];
#information_url = [
# {
# lang = "en";
# text = "";
# };
#];
#privacy_statement_url = [
# {
# lang = "en";
# text = "";
# };
#];
keywords = [
{
lang = "en";
text = [ "Matrix" "Element" ];
}
];
#logo = [
# {
# lang = "en";
# text = "";
# width = "";
# height = "";
# }
#];
};
organization = {
name = "Programvareverkstedet";
display_name = [ "Programvareverkstedet" "en" ];
url = "https://www.pvv.ntnu.no";
};
contact_person = [
{ given_name = "Drift";
sur_name = "King";
email_adress = [ "drift@pvv.ntnu.no" ];
contact_type = "technical";
}
];
user_mapping_provider = {
config = {
mxid_source_attribute = "uid"; # What is this supposed to be?
mxid_mapping = "hexencode";
};
};
#attribute_requirements = [
# {attribute = "userGroup"; value = "medlem";} # Do we have this?
#];
};
};
};
@@ -141,12 +215,9 @@ in {
services.redis.servers."".enable = true;
services.nginx.virtualHosts."matrix.pvv.ntnu.no" = lib.mkMerge [
{
kTLS = true;
}
{
({
locations."/.well-known/matrix/server" = {
return = ''
200 '{"m.server": "matrix.pvv.ntnu.no:443"}'
@@ -156,47 +227,31 @@ in {
add_header Access-Control-Allow-Origin *;
'';
};
}
{
locations."/_synapse/admin" = {
proxyPass = "http://$synapse_backend";
extraConfig = ''
allow 127.0.0.1;
allow ::1;
allow ${values.hosts.bicep.ipv4};
allow ${values.hosts.bicep.ipv6};
deny all;
'';
};
}
{
})
({
locations = let
connectionInfo = w: matrix-lib.workerConnectionResource "metrics" w;
socketAddress = w: let c = connectionInfo w; in "${c.host}:${toString c.port}";
socketAddress = w: let c = connectionInfo w; in "${c.host}:${toString (c.port)}";
metricsPath = w: "/metrics/${w.type}/${toString w.index}";
proxyPath = w: "http://${socketAddress w}/_synapse/metrics";
in lib.mapAttrs' (n: v: lib.nameValuePair
(metricsPath v) {
(metricsPath v) ({
proxyPass = proxyPath v;
extraConfig = ''
allow ${values.hosts.ildkule.ipv4};
allow ${values.hosts.ildkule.ipv6};
allow ${values.hosts.ildkule.ipv4_global};
allow ${values.hosts.ildkule.ipv6_global};
deny all;
'';
})
}))
cfg.workers.instances;
}
{
})
({
locations."/metrics/master/1" = {
proxyPass = "http://127.0.0.1:9000/_synapse/metrics";
extraConfig = ''
allow ${values.hosts.ildkule.ipv4};
allow ${values.hosts.ildkule.ipv6};
allow ${values.hosts.ildkule.ipv4_global};
allow ${values.hosts.ildkule.ipv6_global};
deny all;
'';
};
@@ -214,5 +269,5 @@ in {
labels = { };
}]) + "/";
};
}];
})];
}

@@ -1,7 +1,4 @@
{ pkgs, lib, config, values, ... }:
let
backupDir = "/var/lib/mysql/backups";
in
{
sops.secrets."mysql/password" = {
owner = "mysql";
@@ -18,12 +15,12 @@ in
mysqld = {
# PVV allows a lot of connections at the same time
max_connect_errors = 10000;
bind-address = values.services.mysql.ipv4;
skip-networking = 0;
bind-address = values.services.mysql.ipv4;
skip-networking = 0;
# This was needed in order to be able to use all of the old users
# during migration from knakelibrak to bicep in Sep. 2023
secure_auth = 0;
# This was needed in order to be able to use all of the old users
# during migration from knakelibrak to bicep in Sep. 2023
secure_auth = 0;
};
};
@@ -39,6 +36,11 @@ in
}];
};
services.mysqlBackup = {
enable = true;
location = "/var/lib/mysql/backups";
};
networking.firewall.allowedTCPPorts = [ 3306 ];
systemd.services.mysql.serviceConfig = {
@@ -48,58 +50,4 @@ in
values.ipv6-space
];
};
# NOTE: instead of having the upstream nixpkgs postgres backup unit trigger
# another unit, it was easier to just make one ourselves
systemd.services."backup-mysql" = {
description = "Backup MySQL data";
requires = [ "mysql.service" ];
path = [
pkgs.coreutils
pkgs.rsync
pkgs.gzip
config.services.mysql.package
];
script = let
rotations = 10;
# rsyncTarget = "root@isvegg.pvv.ntnu.no:/mnt/backup1/bicep/mysql";
rsyncTarget = "/data/backup/mysql";
in ''
set -eo pipefail
mysqldump --all-databases | gzip -c -9 --rsyncable > "${backupDir}/$(date --iso-8601)-dump.sql.gz"
while [ $(ls -1 "${backupDir}" | wc -l) -gt ${toString rotations} ]; do
rm $(find "${backupDir}" -type f -printf '%T+ %p\n' | sort | head -n 1 | cut -d' ' -f2)
done
rsync -avz --delete "${backupDir}" '${rsyncTarget}'
'';
serviceConfig = {
Type = "oneshot";
User = "mysql";
Group = "mysql";
UMask = "0077";
Nice = 19;
IOSchedulingClass = "best-effort";
IOSchedulingPriority = 7;
ReadWritePaths = [
backupDir
"/data/backup/mysql" # NOTE: should not be part of this option once rsyncTarget is remote
];
};
startAt = "*-*-* 02:15:00";
};
systemd.tmpfiles.settings."10-mysql-backup".${backupDir}.d = {
user = "mysql";
group = "mysql";
mode = "700";
};
}

@@ -1,8 +1,15 @@
{ config, values, ... }:
{
security.acme = {
acceptTerms = true;
defaults.email = "danio@pvv.ntnu.no";
};
services.nginx = {
enable = true;
enableReload = true;
defaultListenAddresses = [
values.hosts.bicep.ipv4
"[${values.hosts.bicep.ipv6}]"
@@ -11,5 +18,28 @@
"127.0.0.2"
"[::1]"
];
appendConfig = ''
pcre_jit on;
worker_processes 8;
worker_rlimit_nofile 8192;
'';
eventsConfig = ''
multi_accept on;
worker_connections 4096;
'';
recommendedProxySettings = true;
recommendedTlsSettings = true;
recommendedGzipSettings = true;
recommendedBrotliSettings = true;
recommendedOptimisation = true;
};
networking.firewall.allowedTCPPorts = [ 80 443 ];
systemd.services.nginx.serviceConfig = {
LimitNOFILE = 65536;
};
}

@@ -1,6 +1,6 @@
{ config, pkgs, lib, ... }:
{ config, pkgs, ... }:
let
backupDir = "/var/lib/postgresql/backups";
sslCert = config.security.acme.certs."postgres.pvv.ntnu.no";
in
{
services.postgresql = {
@@ -79,71 +79,19 @@ in
systemd.services.postgresql.serviceConfig = {
LoadCredential = [
"cert:/etc/certs/postgres.crt"
"key:/etc/certs/postgres.key"
"cert:${sslCert.directory}/cert.pem"
"key:${sslCert.directory}/key.pem"
];
};
environment.snakeoil-certs."/etc/certs/postgres" = {
owner = "postgres";
group = "postgres";
subject = "/C=NO/O=Programvareverkstedet/CN=postgres.pvv.ntnu.no/emailAddress=drift@pvv.ntnu.no";
};
users.groups.acme.members = [ "postgres" ];
networking.firewall.allowedTCPPorts = [ 5432 ];
networking.firewall.allowedUDPPorts = [ 5432 ];
# NOTE: instead of having the upstream nixpkgs postgres backup unit trigger
# another unit, it was easier to just make one ourselves
systemd.services."backup-postgresql" = {
description = "Backup PostgreSQL data";
requires = [ "postgresql.service" ];
path = [
pkgs.coreutils
pkgs.rsync
pkgs.gzip
config.services.postgresql.package
];
script = let
rotations = 10;
# rsyncTarget = "root@isvegg.pvv.ntnu.no:/mnt/backup1/bicep/postgresql";
rsyncTarget = "/data/backup/postgresql";
in ''
set -eo pipefail
pg_dumpall -U postgres | gzip -c -9 --rsyncable > "${backupDir}/$(date --iso-8601)-dump.sql.gz"
while [ $(ls -1 "${backupDir}" | wc -l) -gt ${toString rotations} ]; do
rm $(find "${backupDir}" -type f -printf '%T+ %p\n' | sort | head -n 1 | cut -d' ' -f2)
done
rsync -avz --delete "${backupDir}" '${rsyncTarget}'
'';
serviceConfig = {
Type = "oneshot";
User = "postgres";
Group = "postgres";
UMask = "0077";
Nice = 19;
IOSchedulingClass = "best-effort";
IOSchedulingPriority = 7;
ReadWritePaths = [
backupDir
"/data/backup/postgresql" # NOTE: should not be part of this option once rsyncTarget is remote
];
};
startAt = "*-*-* 01:15:00";
};
systemd.tmpfiles.settings."10-postgresql-backup".${backupDir}.d = {
user = "postgres";
group = "postgres";
mode = "700";
services.postgresqlBackup = {
enable = true;
location = "/var/lib/postgres/backups";
backupAll = true;
};
}

@@ -35,10 +35,10 @@
# Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686
useHostResolvConf = mkForce false;
};
system.stateVersion = "23.11";
services.resolved.enable = true;
};
};
};
};

@@ -3,7 +3,7 @@
imports = [
# Include the results of the hardware scan.
./hardware-configuration.nix
../../base
../../base.nix
../../misc/metrics-exporters.nix
./disks.nix

@@ -3,7 +3,7 @@
imports = [
# Include the results of the hardware scan.
./hardware-configuration.nix
../../base
../../base.nix
../../misc/metrics-exporters.nix
./services/grzegorz.nix

@@ -2,10 +2,8 @@
{
imports = [
./hardware-configuration.nix
../../base
../../base.nix
../../misc/metrics-exporters.nix
./services/libvirt.nix
];
# buskerud does not support efi?

@@ -1,10 +0,0 @@
{ config, pkgs, lib, ... }:
{
virtualisation.libvirtd.enable = true;
programs.dconf.enable = true;
boot.kernelModules = [ "kvm-intel" ];
# On a gui-enabled machine, connect with:
# $ virt-manager --connect "qemu+ssh://buskerud/system?socket=/var/run/libvirt/libvirt-sock"
}

@@ -3,7 +3,7 @@
imports = [
# Include the results of the hardware scan.
./hardware-configuration.nix
../../base
../../base.nix
../../misc/metrics-exporters.nix
../../modules/grzegorz.nix

@@ -3,11 +3,11 @@
imports = [
# Include the results of the hardware scan.
./hardware-configuration.nix
../../base
../../base.nix
../../misc/metrics-exporters.nix
./services/monitoring
./services/nginx
./services/metrics
];
sops.defaultSopsFile = ../../secrets/ildkule/ildkule.yaml;
@@ -15,37 +15,28 @@
sops.age.keyFile = "/var/lib/sops-nix/key.txt";
sops.age.generateKey = true;
boot.loader.grub.device = "/dev/vda";
boot.tmp.cleanOnBoot = true;
zramSwap.enable = true;
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
networking.hostName = "ildkule"; # Define your hostname.
# Main connection, using the global/floatig IP, for communications with the world
systemd.network.networks."30-ntnu-global" = values.openstackGlobalNetworkConfig // {
matchConfig.Name = "ens4";
# Add the global addresses in addition to the local address learned from DHCP
addresses = [
{ addressConfig.Address = "${values.hosts.ildkule.ipv4_global}/32"; }
{ addressConfig.Address = "${values.hosts.ildkule.ipv6_global}/128"; }
];
};
# Secondary connection only for use within the university network
systemd.network.networks."40-ntnu-internal" = values.openstackLocalNetworkConfig // {
matchConfig.Name = "ens3";
# Add the ntnu-internal addresses in addition to the local address learned from DHCP
addresses = [
{ addressConfig.Address = "${values.hosts.ildkule.ipv4}/32"; }
{ addressConfig.Address = "${values.hosts.ildkule.ipv6}/128"; }
];
systemd.network.networks."30-ens18" = values.defaultNetworkConfig // {
matchConfig.Name = "ens18";
address = with values.hosts.ildkule; [ (ipv4 + "/25") (ipv6 + "/64") ];
};
# List packages installed in system profile
environment.systemPackages = with pkgs; [
];
system.stateVersion = "23.11"; # Did you read the comment?
# List services that you want to enable:
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "21.11"; # Did you read the comment?
}

@@ -1,9 +1,37 @@
{ modulesPath, lib, ... }:
{
imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi" ];
boot.initrd.kernelModules = [ "nvme" ];
fileSystems."/" = { device = "/dev/vda1"; fsType = "ext4"; };
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "sr_mod" "virtio_blk" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/afe70fe4-681a-4675-8cbd-e5d08cdcf5b5";
fsType = "ext4";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/B71A-E5CD";
fsType = "vfat";
};
swapDevices = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.ens18.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

@@ -3164,4 +3164,4 @@
"title": "PostgreSQL Database",
"uid": "000000039",
"version": 1
}
}

@@ -2,9 +2,8 @@
{
imports = [
./prometheus
./grafana.nix
./loki.nix
./prometheus
./uptime-kuma.nix
];
}

@@ -7,6 +7,7 @@ in {
in {
"keys/grafana/secret_key" = { inherit owner group; };
"keys/grafana/admin_password" = { inherit owner group; };
"keys/postgres/grafana" = { inherit owner group; };
};
services.grafana = {
@@ -17,7 +18,7 @@ in {
secretFile = path: "$__file{${path}}";
in {
server = {
domain = "grafana.pvv.ntnu.no";
domain = "ildkule.pvv.ntnu.no";
http_port = 2342;
http_addr = "127.0.0.1";
};
@@ -26,6 +27,13 @@ in {
secret_key = secretFile config.sops.secrets."keys/grafana/secret_key".path;
admin_password = secretFile config.sops.secrets."keys/grafana/admin_password".path;
};
database = {
type = "postgres";
user = "grafana";
host = "${values.hosts.bicep.ipv4}:5432";
password = secretFile config.sops.secrets."keys/postgres/grafana".path;
};
};
provision = {
@@ -34,13 +42,13 @@ in {
{
name = "Ildkule Prometheus";
type = "prometheus";
url = "http://${config.services.prometheus.listenAddress}:${toString config.services.prometheus.port}";
isDefault = true;
url = ("http://${config.services.prometheus.listenAddress}:${toString config.services.prometheus.port}");
isDefault = true;
}
{
name = "Ildkule loki";
type = "loki";
url = "http://${config.services.loki.configuration.server.http_listen_address}:${toString config.services.loki.configuration.server.http_listen_port}";
url = ("http://${config.services.loki.configuration.server.http_listen_address}:${toString config.services.loki.configuration.server.http_listen_port}");
}
];
dashboards.settings.providers = [
@@ -56,13 +64,13 @@ in {
url = "https://raw.githubusercontent.com/matrix-org/synapse/develop/contrib/grafana/synapse.json";
options.path = dashboards/synapse.json;
}
# TODO: enable once https://github.com/NixOS/nixpkgs/pull/242365 gets merged
# {
# name = "MySQL";
# type = "file";
# url = "https://raw.githubusercontent.com/prometheus/mysqld_exporter/main/mysqld-mixin/dashboards/mysql-overview.json";
# options.path = dashboards/mysql.json;
# }
# TODO: enable once https://github.com/NixOS/nixpkgs/pull/242365 gets merged
# {
# name = "MySQL";
# type = "file";
# url = "https://raw.githubusercontent.com/prometheus/mysqld_exporter/main/mysqld-mixin/dashboards/mysql-overview.json";
# options.path = dashboards/mysql.json;
# }
{
name = "Postgresql";
type = "file";
@@ -83,7 +91,6 @@ in {
services.nginx.virtualHosts.${cfg.settings.server.domain} = {
enableACME = true;
forceSSL = true;
kTLS = true;
locations = {
"/" = {
proxyPass = "http://127.0.0.1:${toString cfg.settings.server.http_port}";

@@ -50,6 +50,7 @@ in {
boltdb_shipper = {
active_index_directory = "/var/lib/loki/boltdb-shipper-index";
cache_location = "/var/lib/loki/boltdb-shipper-cache";
shared_store = "filesystem";
cache_ttl = "24h";
};
filesystem = {
@@ -58,13 +59,14 @@ in {
};
limits_config = {
allow_structured_metadata = false;
enforce_metric_name = false;
reject_old_samples = true;
reject_old_samples_max_age = "72h";
};
compactor = {
working_directory = "/var/lib/loki/compactor";
shared_store = "filesystem";
};
# ruler = {

@@ -38,7 +38,7 @@ in {
};
systemd.services.prometheus-postgres-exporter-knakelibrak.serviceConfig = let
localCfg = config.services.prometheus.exporters.postgres;
localCfg = config.services.prometheus.exporters.postgres;
in lib.recursiveUpdate config.systemd.services.prometheus-postgres-exporter.serviceConfig {
EnvironmentFile = config.sops.secrets."keys/postgres/postgres_exporter_knakelibrak_env".path;
ExecStart = ''

@@ -1,20 +0,0 @@
{ config, pkgs, lib, ... }:
let
cfg = config.services.uptime-kuma;
domain = "status.pvv.ntnu.no";
in {
services.uptime-kuma = {
enable = true;
settings = {
PORT = "5059";
HOST = "127.0.1.2";
};
};
services.nginx.virtualHosts.${domain} = {
enableACME = true;
forceSSL = true;
kTLS = true;
locations."/".proxyPass = "http://${cfg.settings.HOST}:${cfg.settings.PORT}";
};
}

@@ -1,7 +1,29 @@
{ config, values, ... }:
{
security.acme = {
acceptTerms = true;
defaults.email = "drift@pvv.ntnu.no";
};
services.nginx = {
enable = true;
enableReload = true;
defaultListenAddresses = [
values.hosts.ildkule.ipv4
"[${values.hosts.ildkule.ipv6}]"
"127.0.0.1"
"127.0.0.2"
"[::1]"
];
recommendedProxySettings = true;
recommendedTlsSettings = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
};
networking.firewall.allowedTCPPorts = [ 80 443 ];
}

@@ -3,7 +3,7 @@
imports = [
# Include the results of the hardware scan.
./hardware-configuration.nix
../../base
../../base.nix
../../misc/metrics-exporters.nix
];

@@ -1,25 +0,0 @@
export GUM_FILTER_HEIGHT := "15"
nom := `if command -v nom >/dev/null; then echo nom; else echo nix; fi`
@_default:
just "$(gum choose --ordered --header "Pick a recipie..." $(just --summary --unsorted))"
check:
nix flake check --keep-going
build-machine machine=`just _a_machine`:
{{nom}} build .#nixosConfigurations.{{ machine }}.config.system.build.toplevel
run-vm machine=`just _a_machine`:
nixos-rebuild build-vm --flake .#{{ machine }}
QEMU_NET_OPTS="hostfwd=tcp::8080-:80,hostfwd=tcp::8081-:443,hostfwd=tcp::2222-:22" ./result/bin/run-*-vm
@update-inputs:
nix eval .#inputs --apply builtins.attrNames --json \
| jq '.[]' -r \
| gum choose --no-limit --height=15 \
| xargs nix flake update --commit-lock-file
_a_machine:
nix eval .#nixosConfigurations --apply builtins.attrNames --json | jq .[] -r | gum filter

@@ -14,8 +14,6 @@
"::1"
values.hosts.ildkule.ipv4
values.hosts.ildkule.ipv6
values.hosts.ildkule.ipv4_global
values.hosts.ildkule.ipv6_global
];
};

@@ -32,7 +32,7 @@
color = "red";
command = "hostname | ${pkgs.toilet}/bin/toilet -f mono9";
};
service_status = {
Accounts = "accounts-daemon";
Cron = "cron";
@@ -40,16 +40,16 @@
Matrix = "matrix-synapse";
sshd = "sshd";
};
uptime = {
prefix = "Uptime: ";
};
# Not relevant for server
# user_service_status = {
# Gpg-agent = "gpg-agent";
# };
filesystems = let
inherit (lib.attrsets) attrNames listToAttrs nameValuePair;
inherit (lib.lists) imap1;
@@ -61,7 +61,7 @@
getName = i: v: if (v.label != null) then v.label else "<? ${toString i}>";
in
imap1Attrs' (i: n: v: nameValuePair (getName i v) n) fileSystems;
memory = {
swap_pos = "beside"; # or "below" or "none"
};
@@ -70,14 +70,14 @@
inherit (lib.lists) imap1;
inherit (lib.attrsets) filterAttrs nameValuePair attrValues listToAttrs;
inherit (config.users) users;
normalUsers = filterAttrs (n: v: v.isNormalUser || n == "root") users;
userNPVs = imap1 (index: user: nameValuePair user.name index) (attrValues normalUsers);
in listToAttrs userNPVs;
last_run = {};
};
toml = pkgs.formats.toml {};
in toml.generate "rust-motd.toml" cfg;

@@ -24,12 +24,15 @@ in {
services.grzegorz-webui.hostName = "${config.networking.fqdn}";
services.grzegorz-webui.apiBase = "http://${toString grg.listenAddr}:${toString grg.listenPort}/api";
security.acme.acceptTerms = true;
security.acme.defaults.email = "pederbs@pvv.ntnu.no";
services.nginx.enable = true;
networking.firewall.allowedTCPPorts = [ 80 443 ];
services.nginx.virtualHosts."${config.networking.fqdn}" = {
forceSSL = true;
enableACME = true;
kTLS = true;
serverAliases = [
"${config.networking.hostName}.pvv.org"
];

@@ -1,85 +0,0 @@
{ config, pkgs, lib, ... }:
let
cfg = config.environment.snakeoil-certs;
in
{
options.environment.snakeoil-certs = lib.mkOption {
default = { };
description = "Self signed certs, which are rotated regularly";
type = lib.types.attrsOf (lib.types.submodule ({ name, ... }: {
options = {
owner = lib.mkOption {
type = lib.types.str;
default = "root";
};
group = lib.mkOption {
type = lib.types.str;
default = "root";
};
mode = lib.mkOption {
type = lib.types.str;
default = "0660";
};
daysValid = lib.mkOption {
type = lib.types.str;
default = "90";
};
extraOpenSSLArgs = lib.mkOption {
type = with lib.types; listOf str;
default = [ ];
};
certificate = lib.mkOption {
type = lib.types.str;
default = "${name}.crt";
};
certificateKey = lib.mkOption {
type = lib.types.str;
default = "${name}.key";
};
subject = lib.mkOption {
type = lib.types.str;
default = "/C=NO/O=Programvareverkstedet/CN=*.pvv.ntnu.no/emailAddress=drift@pvv.ntnu.no";
};
};
}));
};
config = {
systemd.services."generate-snakeoil-certs" = {
enable = true;
serviceConfig.Type = "oneshot";
script = let
openssl = lib.getExe pkgs.openssl;
in lib.concatMapStringsSep "\n" ({ name, value }: ''
mkdir -p $(dirname "${value.certificate}") $(dirname "${value.certificateKey}")
if ! ${openssl} x509 -checkend 86400 -noout -in ${value.certificate}
then
echo "Regenerating '${value.certificate}'"
${openssl} req \
-newkey rsa:4096 \
-new -x509 \
-days "${toString value.daysValid}" \
-nodes \
-subj "${value.subject}" \
-out "${value.certificate}" \
-keyout "${value.certificateKey}" \
${lib.escapeShellArgs value.extraOpenSSLArgs}
fi
chown "${value.owner}:${value.group}" "${value.certificate}"
chown "${value.owner}:${value.group}" "${value.certificateKey}"
chmod "${value.mode}" "${value.certificate}"
chmod "${value.mode}" "${value.certificateKey}"
echo "\n-----------------\n"
'') (lib.attrsToList cfg);
};
systemd.timers."generate-snakeoil-certs" = {
wantedBy = [ "timers.target" ];
timerConfig = {
OnCalendar = "*-*-* 02:00:00";
Persistent = true;
Unit = "generate-snakeoil-certs.service";
};
};
};
}

@@ -1,103 +0,0 @@
{ config, pkgs, lib, ... }:
let
inherit (lib) mkDefault mkEnableOption mkForce mkIf mkOption mkPackageOption generators types;
cfg = config.services.snappymail;
maxUploadSize = "256M";
in {
options.services.snappymail = {
enable = mkEnableOption "Snappymail";
package = mkPackageOption pkgs "snappymail" { };
dataDir = mkOption {
type = types.str;
default = "/var/lib/snappymail";
description = "State directory for snappymail";
};
hostname = mkOption {
type = types.nullOr types.str;
default = null;
example = "mail.example.com";
description = "Enable nginx with this hostname, null disables nginx";
};
user = mkOption {
type = types.str;
default = "snappymail";
description = "System user under which snappymail runs";
};
group = mkOption {
type = types.str;
default = "snappymail";
description = "System group under which snappymail runs";
};
};
config = mkIf cfg.enable {
users.users = mkIf (cfg.user == "snappymail") {
snappymail = {
description = "Snappymail service";
group = cfg.group;
home = cfg.dataDir;
isSystemUser = true;
};
};
users.groups = mkIf (cfg.group == "snappymail") {
snappymail = {};
};
services.phpfpm.pools.snappymail = {
user = cfg.user;
group = cfg.group;
phpOptions = generators.toKeyValue {} {
upload_max_filesize = maxUploadSize;
post_max_size = maxUploadSize;
memory_limit = maxUploadSize;
};
settings = {
"listen.owner" = config.services.nginx.user;
"listen.group" = config.services.nginx.group;
"pm" = "ondemand";
"pm.max_children" = 32;
"pm.process_idle_timeout" = "10s";
"pm.max_requests" = 500;
};
};
services.nginx = mkIf (cfg.hostname != null) {
virtualHosts."${cfg.hostname}" = {
locations."/".extraConfig = ''
index index.php;
autoindex on;
autoindex_exact_size off;
autoindex_localtime on;
'';
locations."^~ /data".extraConfig = ''
deny all;
'';
locations."~ \\.php$".extraConfig = ''
include ${config.services.nginx.package}/conf/fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_pass unix:${config.services.phpfpm.pools.snappymail.socket};
'';
extraConfig = ''
client_max_body_size ${maxUploadSize};
'';
root = if (cfg.package == pkgs.snappymail) then
pkgs.snappymail.override {
dataPath = cfg.dataDir;
}
else cfg.package;
};
};
};
}

@@ -0,0 +1,178 @@
{ lib
, stdenv
, fetchFromGitHub
, autoreconfHook
, pkg-config
, python3
, perl
, bison
, flex
, texinfo
, perlPackages
, openldap
, libcap_ng
, sqlite
, openssl
, db
, libedit
, pam
, krb5
, libmicrohttpd
, cjson
, CoreFoundation
, Security
, SystemConfiguration
, curl
, jdk
, unzip
, which
, nixosTests
, withCJSON ? true
, withCapNG ? stdenv.isLinux
# libmicrohttpd should theoretically work for darwin as well, but something is broken.
# It affects tests check-bx509d and check-httpkadmind.
, withMicroHTTPD ? stdenv.isLinux
, withOpenLDAP ? true
, withOpenLDAPAsHDBModule ? false
, withOpenSSL ? true
, withSQLite3 ? true
}:
assert lib.assertMsg (withOpenLDAPAsHDBModule -> withOpenLDAP) ''
OpenLDAP needs to be enabled in order to build the OpenLDAP HDB Module.
'';
stdenv.mkDerivation {
pname = "heimdal";
version = "7.8.0-unstable-2023-11-29";
src = fetchFromGitHub {
owner = "heimdal";
repo = "heimdal";
rev = "3253c49544eacb33d5ad2f6f919b0696e5aab794";
hash = "sha256-uljzQBzXrZCZjcIWfioqHN8YsbUUNy14Vo+A3vZIXzM=";
};
outputs = [ "out" "dev" "man" "info" ];
nativeBuildInputs = [
autoreconfHook
pkg-config
python3
perl
bison
flex
texinfo
]
++ (with perlPackages; [ JSON ]);
buildInputs = [ db libedit pam ]
++ lib.optionals (stdenv.isDarwin) [ CoreFoundation Security SystemConfiguration ]
++ lib.optionals (withCJSON) [ cjson ]
++ lib.optionals (withCapNG) [ libcap_ng ]
++ lib.optionals (withMicroHTTPD) [ libmicrohttpd ]
++ lib.optionals (withOpenLDAP) [ openldap ]
++ lib.optionals (withOpenSSL) [ openssl ]
++ lib.optionals (withSQLite3) [ sqlite ];
doCheck = true;
nativeCheckInputs = [
curl
jdk
unzip
which
];
configureFlags = [
"--with-libedit-include=${libedit.dev}/include"
"--with-libedit-lib=${libedit}/lib"
"--with-berkeley-db-include=${db.dev}/include"
"--with-berkeley-db"
"--without-x"
"--disable-afs-string-to-key"
] ++ lib.optionals (withCapNG) [
"--with-capng"
] ++ lib.optionals (withCJSON) [
"--with-cjson=${cjson}"
] ++ lib.optionals (withOpenLDAP) [
"--with-openldap=${openldap.dev}"
] ++ lib.optionals (withOpenLDAPAsHDBModule) [
"--enable-hdb-openldap-module"
] ++ lib.optionals (withSQLite3) [
"--with-sqlite3=${sqlite.dev}"
];
# (check-ldap) slapd resides within ${openldap}/libexec,
# which is not part of $PATH by default.
# (check-ldap) prepending ${openldap}/bin to the path to avoid
# using the default installation of openldap on unsandboxed darwin systems,
# which does not support the new mdb backend at the moment (2024-01-13).
# (check-ldap) the bdb backend got deprecated in favour of mdb in openldap 2.5.0,
# but the heimdal tests still seem to expect bdb as the openldap backend.
# This might be fixed upstream in a future update.
patchPhase = ''
runHook prePatch
substituteInPlace tests/ldap/slapd-init.in \
--replace 'SCHEMA_PATHS="' 'SCHEMA_PATHS="${openldap}/etc/schema '
substituteInPlace tests/ldap/check-ldap.in \
--replace 'PATH=' 'PATH=${openldap}/libexec:${openldap}/bin:'
substituteInPlace tests/ldap/slapd.conf \
--replace 'database bdb' 'database mdb'
runHook postPatch
'';
# (test_cc) heimdal uses librokens implementation of `secure_getenv` on darwin,
# which expects either USER or LOGNAME to be set.
preCheck = lib.optionalString (stdenv.isDarwin) ''
export USER=nix-builder
'';
# We need to build hcrypt for applications like samba
postBuild = ''
(cd include/hcrypto; make -j $NIX_BUILD_CORES)
(cd lib/hcrypto; make -j $NIX_BUILD_CORES)
'';
postInstall = ''
# Install hcrypto
(cd include/hcrypto; make -j $NIX_BUILD_CORES install)
(cd lib/hcrypto; make -j $NIX_BUILD_CORES install)
mkdir -p $dev/bin
mv $out/bin/krb5-config $dev/bin/
# asn1 compilers, move them to $dev
mv $out/libexec/heimdal/* $dev/bin
rmdir $out/libexec/heimdal
# compile_et is needed for cross-compiling this package and samba
mv lib/com_err/.libs/compile_et $dev/bin
'';
# Issues with hydra
# In file included from hxtool.c:34:0:
# hx_locl.h:67:25: fatal error: pkcs10_asn1.h: No such file or directory
#enableParallelBuilding = true;
passthru = {
implementation = "heimdal";
tests.nixos = nixosTests.kerberos.heimdal;
};
meta = with lib; {
homepage = "https://www.heimdal.software";
changelog = "https://github.com/heimdal/heimdal/releases";
description = "An implementation of Kerberos 5 (and some more stuff)";
license = licenses.bsd3;
platforms = platforms.unix;
maintainers = with maintainers; [ h7x4 ];
};
}

@@ -1,95 +1,7 @@
{ pkgs, lib }:
let
kebab-case-name = project-name: lib.pipe project-name [
(builtins.replaceStrings
lib.upperChars
(map (x: "-${x}") lib.lowerChars)
)
(lib.removePrefix "-")
];
mw-ext = {
name
, commit
, hash
, tracking-branch ? "REL1_41"
, kebab-name ? kebab-case-name name
, fetchgit ? pkgs.fetchgit
}:
{
${name} = (fetchgit {
name = "mediawiki-${kebab-name}-source";
url = "https://gerrit.wikimedia.org/r/mediawiki/extensions/${name}";
rev = commit;
inherit hash;
}).overrideAttrs (_: {
passthru = { inherit name kebab-name tracking-branch; };
});
};
in
# NOTE: to add another extension, you can add an mw-ext expression
# with an empty (or even wrong) commit and empty hash, and
# run the update script
lib.mergeAttrsList [
(mw-ext {
name = "CodeEditor";
commit = "7d8447035e381d76387e38b92e4d1e2b8d373a01";
hash = "sha256-v2AlbP0vZma3qZyEAWGjZ/rLcvOpIMroyc1EixKjlAU=";
})
(mw-ext {
name = "CodeMirror";
commit = "a7b4541089f9b88a0b722d9d790e4cf0f13aa328";
hash = "sha256-clyzN3v3+J4GjdyhrCsytBrH7VR1tq5yd0rB+32eWCg=";
})
(mw-ext {
name = "DeleteBatch";
commit = "cad869fbd95637902673f744581b29e0f3e3f61a";
hash = "sha256-M1ek1WdO1/uTjeYlrk3Tz+nlb/fFZH+O0Ok7b10iKak=";
})
(mw-ext {
name = "PluggableAuth";
commit = "4111a57c34e25bde579cce5d14ea094021e450c8";
hash = "sha256-aPtN8A9gDxLlq2+EloRZBO0DfHtE0E5kbV/adk82jvM=";
})
(mw-ext {
name = "Popups";
commit = "f1bcadbd8b868f32ed189feff232c47966c2c49e";
hash = "sha256-PQAjq/X4ZYwnnZ6ADCp3uGWMIucJy0ZXxsTTbAyxlSE=";
})
(mw-ext {
name = "Scribunto";
commit = "7b99c95f588b06635ee3c487080d6cb04617d4b5";
hash = "sha256-pviueRHQAsSlv4AtnUpo2Cjci7CbJ5aM75taEXY+WrI=";
})
(mw-ext {
name = "SimpleSAMLphp";
kebab-name = "simple-saml-php";
commit = "ecb47191fecd1e0dc4c9d8b90a9118e393d82c23";
hash = "sha256-gKu+O49XrAVt6hXdt36Ru7snjsKX6g2CYJ0kk/d+CI8=";
})
(mw-ext {
name = "TemplateData";
commit = "1ec66ce80f8a4322138efa56864502d0ee069bad";
hash = "sha256-Lv3Lq9dYAtdgWcwelveTuOhkP38MTu0m5kmW8+ltRis=";
})
(mw-ext {
name = "TemplateStyles";
commit = "581180e898d6a942e2a65c8f13435a5d50fffa67";
hash = "sha256-zW8O0mzG4jYfQoKi2KzsP+8iwRCLnWgH7qfmDE2R+HU=";
})
(mw-ext {
name = "UserMerge";
commit = "c17c919bdb9b67bb69f80df43e9ee9d33b1ecf1b";
hash = "sha256-+mkzTCo8RVlGoFyfCrSb5YMh4J6Pbi1PZLFu5ps8bWY=";
})
(mw-ext {
name = "VisualEditor";
commit = "90bb3d455892e25317029ffd4bda93159e8faac8";
hash = "sha256-SZAVELQUKZtwSM6NVlxvIHdFPodko8fhZ/uwB0LCFDA=";
})
(mw-ext {
name = "WikiEditor";
commit = "8dba5b13246d7ae09193f87e6273432b3264de5f";
hash = "sha256-vF9PBuM+VfOIs/a2X1JcPn6WH4GqP/vUJDFkfXzWyFU=";
})
]
lib.makeScope pkgs.newScope (self: {
DeleteBatch = self.callPackage ./delete-batch { };
PluggableAuth = self.callPackage ./pluggable-auth { };
SimpleSAMLphp = self.callPackage ./simple-saml-php { };
UserMerge = self.callPackage ./user-merge { };
})

@@ -0,0 +1,7 @@
{ fetchzip }:
fetchzip {
name = "mediawiki-delete-batch";
url = "https://extdist.wmflabs.org/dist/extensions/DeleteBatch-REL1_41-5774fdd.tar.gz";
hash = "sha256-ROkn93lf0mNXBvij9X2pMhd8LXZ0azOz7ZRaqZvhh8k=";
}

@@ -0,0 +1,7 @@
{ fetchzip }:
fetchzip {
name = "mediawiki-pluggable-auth-source";
url = "https://extdist.wmflabs.org/dist/extensions/PluggableAuth-REL1_41-d5b3ad8.tar.gz";
hash = "sha256-OLlkKeSlfNgWXWwDdINrYRZpYuSGRwzZHgU8EYW6rYU=";
}

@@ -0,0 +1,7 @@
{ fetchzip }:
fetchzip {
name = "mediawiki-simple-saml-php-source";
url = "https://extdist.wmflabs.org/dist/extensions/SimpleSAMLphp-REL1_41-9ae0678.tar.gz";
hash = "sha256-AmCaG5QXMJvi3N6zFyWylwYDt8GvyIk/0GFpM1Y0vkY=";
}

@@ -1,5 +1,5 @@
#!/usr/bin/env nix-shell
#!nix-shell -i python3 -p "python3.withPackages(ps: with ps; [ beautifulsoup4 requests ])" nix-prefetch-git
#!nix-shell -i python3 -p "python3.withPackages(ps: with ps; [ beautifulsoup4 requests ])"
import os
from pathlib import Path
@@ -7,149 +7,60 @@ import re
import subprocess
from collections import defaultdict
from pprint import pprint
from dataclasses import dataclass
from functools import cache
import json
import bs4
import requests
BASE_URL = "https://extdist.wmflabs.org/dist/extensions"
BASE_WEB_URL = "https://gerrit.wikimedia.org/r/plugins/gitiles/mediawiki/extensions"
BASE_GIT_URL = "https://gerrit.wikimedia.org/r/mediawiki/extensions/"
@dataclass
class PluginMetadata:
project_name: str
tracking_branch: str | None
commit: str
hash_: str
@cache
def get_package_listing_path():
return Path(__file__).parent / "default.nix"
@cache
def get_global_tracking_branch() -> str:
with open(get_package_listing_path()) as file:
file_content = file.read()
return re.search(r'\btracking-branch\b \? "([^"]+?)"', file_content).group(1)
def get_metadata(package_expression: str) -> PluginMetadata | None:
project_name_search = re.search(r'\bname\b = "([^"]+?)";', package_expression)
tracking_branch_search = re.search(r'\btracking-branch\b = "([^"]+?)";', package_expression)
commit_search = re.search(r'\bcommit\b = "([^"]*?)";', package_expression)
hash_search = re.search(r'\bhash\b = "([^"]*?)";', package_expression)
if project_name_search is None:
print("Could not find project name in package:")
print(package_expression)
return None
tracking_branch = None;
if tracking_branch_search is not None:
tracking_branch = tracking_branch_search.group(1)
if commit_search is None:
print("Could not find commit in package:")
print(package_expression)
return None
if hash_search is None:
print("Could not find hash in package:")
print(package_expression)
return None
return PluginMetadata(
commit = commit_search.group(1),
tracking_branch = tracking_branch,
project_name = project_name_search.group(1),
hash_ = hash_search.group(1),
)
def update_metadata(package_expression: str, metadata: PluginMetadata) -> str:
result = package_expression
result = re.sub(r'\bcommit\b = "[^"]*";', f'commit = "{metadata.commit}";', result)
result = re.sub(r'\bhash\b = "[^"]*";', f'hash = "{metadata.hash_}";', result)
def fetch_plugin_list(skip_master=True) -> dict[str, list[str]]:
content = requests.get(BASE_URL).text
soup = bs4.BeautifulSoup(content, features="html.parser")
result = defaultdict(list)
for a in soup.find_all('a'):
if skip_master and 'master' in a.text:
continue
split = a.text.split('-')
result[split[0]].append(a.text)
return result
def update(package_file: Path, plugin_list: dict[str, list[str]]) -> None:
assert package_file.is_file()
with open(package_file) as file:
content = file.read()
def get_newest_commit(project_name: str, tracking_branch: str) -> str:
content = requests.get(f"{BASE_WEB_URL}/{project_name}/+log/refs/heads/{tracking_branch}/").text
soup = bs4.BeautifulSoup(content, features="html.parser")
try:
a = soup.find('li').findChild('a')
commit_sha = a['href'].split('/')[-1]
except AttributeError:
print(f"ERROR: Could not parse page for {project_name}:")
print(soup.prettify())
exit(1)
return commit_sha
tarball = re.search(f'url = "{BASE_URL}/(.+\.tar\.gz)";', content).group(1)
split = tarball.split('-')
updated_tarball = plugin_list[split[0]][-1]
_hash = re.search(f'hash = "(.+?)";', content).group(1)
def get_nix_hash(url: str, commit: str) -> str:
out, err = subprocess.Popen(
["nix-prefetch-git", "--url", url, "--rev", commit, "--fetch-submodules", "--quiet"],
["nix-prefetch-url", "--unpack", "--type", "sha256", f"{BASE_URL}/{updated_tarball}"],
stdout=subprocess.PIPE,
stderr=subprocess.PIPE
).communicate()
out, err = subprocess.Popen(
["nix", "hash", "to-sri", "--type", "sha256", out.decode().strip()],
stdout=subprocess.PIPE,
stderr=subprocess.PIPE
).communicate()
return json.loads(out.decode().strip())['hash']
updated_hash = out.decode().strip()
def update_expression(package_expression: str) -> str:
old_metadata = get_metadata(package_expression)
if old_metadata is None:
print("ERROR: could not find metadata for expression:")
print(package_expression)
if tarball == updated_tarball and _hash == updated_hash:
return
if old_metadata.commit == "":
old_metadata.commit = "<none>"
if old_metadata.hash_ == "":
old_metadata.hash_ = "<none>"
tracking_branch = old_metadata.tracking_branch
if tracking_branch is None:
tracking_branch = get_global_tracking_branch()
new_commit = get_newest_commit(old_metadata.project_name, tracking_branch)
new_hash = get_nix_hash(f"{BASE_GIT_URL}/{old_metadata.project_name}", new_commit)
if new_hash is None or new_hash == "":
print(f"ERROR: could not fetch hash for {old_metadata.project_name}")
exit(1)
print(f"Updating {old_metadata.project_name}[{tracking_branch}]: {old_metadata.commit} -> {new_commit}")
new_metadata = PluginMetadata(
project_name = old_metadata.project_name,
tracking_branch = old_metadata.tracking_branch,
commit = new_commit,
hash_ = new_hash,
)
return update_metadata(package_expression, new_metadata)
def update_all_expressions_in_default_nix() -> None:
with open(get_package_listing_path()) as file:
file_content = file.read()
new_file_content = re.sub(
r"\(mw-ext\s*\{(?:.|\n)+?\}\)",
lambda m: update_expression(m.group(0)),
file_content,
flags = re.MULTILINE,
)
with open(get_package_listing_path(), 'w') as file:
file.write(new_file_content)
print(f"Updating: {tarball} ({_hash[7:14]}) -> {updated_tarball} ({updated_hash[7:14]})")
updated_text = re.sub(f'url = "{BASE_URL}/.+?\.tar\.gz";', f'url = "{BASE_URL}/{updated_tarball}";', content)
updated_text = re.sub('hash = ".+";', f'hash = "{updated_hash}";', updated_text)
with open(package_file, 'w') as file:
file.write(updated_text)
if __name__ == "__main__":
update_all_expressions_in_default_nix()
plugin_list = fetch_plugin_list()
for direntry in os.scandir(Path(__file__).parent):
if direntry.is_dir():
update(Path(direntry) / "default.nix", plugin_list)

@@ -0,0 +1,7 @@
{ fetchzip }:
fetchzip {
name = "mediawiki-user-merge-source";
url = "https://extdist.wmflabs.org/dist/extensions/UserMerge-REL1_41-a53af3b.tar.gz";
hash = "sha256-TxUkEqMW79thYl1la2r+w9laRnd3uSYYg1xDB+1he1g=";
}

Some files were not shown because too many files have changed in this diff Show More