bikkje: various package additions

base.nix

@@ -73,6 +73,7 @@
 
   # Trusted users on the nix builder machines
   users.groups."nix-builder-users".name = "nix-builder-users";
+  users.motd = builtins.readFile ./misc/motd;
 
   services.openssh = {
     enable = true;

hosts/bikkje/configuration.nix

@@ -1,44 +0,0 @@
-{ config, pkgs, values, ... }:
-{
-    networking.nat = {
-    enable = true;
-    internalInterfaces = ["ve-+"];
-    externalInterface = "ens3";
-    # Lazy IPv6 connectivity for the container
-    enableIPv6 = true;
-  };
-
-  containers.bikkje = {
-    autoStart = true;
-    config = { config, pkgs, ... }: {
-      #import packages
-      packages = with pkgs; [
-          alpine
-          mutt
-          mutt-ics
-          mutt-wizard
-          weechat
-          weechatScripts.edit
-          hexchat
-          irssi
-          pidgin
-      ];
-
-      networking = {
-        firewall = {
-          enable = true;
-          # Allow SSH and HTTP and ports for email and irc
-          allowedTCPPorts = [ 80 22 194 994 6665 6666 6667 6668 6669 6697 995 993 25 465 587 110 143 993 995 ];
-          allowedUDPPorts = [ 80 22 194 994 6665 6666 6667 6668 6669 6697 995 993 25 465 587 110 143 993 995 ];
-        };
-        # Use systemd-resolved inside the container
-        # Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686
-        useHostResolvConf = mkForce false;
-      };
-      
-      system.stateVersion = "23.11";
-      services.resolved.enable = true;
-    };
-  };
-
-};

hosts/buskerud/bikkje/default.nix

@@ -0,0 +1,125 @@
+{ config, pkgs, values, lib, ... }:
+{
+  containers.bikkje = {
+    autoStart = true;
+    interfaces = [ "enp4s0f0" ];
+
+    config = { config, pkgs, ... }: {
+      imports = [
+        ../../../modules/home-areas.nix
+        ./services/kerberos
+      ];
+
+      environment.systemPackages = with pkgs; [
+          zsh
+          bash
+          fish
+          tcsh
+
+          alpine
+          mutt
+          mutt-ics
+          mutt-wizard
+          notmuch
+          mailutils
+          procmail
+
+          irssi
+          weechat
+          weechatScripts.edit
+
+          coreutils-full
+          diffutils
+          findutils
+          ripgrep
+          cvs
+          gawk
+          git
+          gnupg
+          gnused
+          groff
+          less
+          p7zip
+          rcs
+          screen
+          tmux
+          tree
+          unzip
+          zip
+
+          emacs
+          helix
+          joe
+          micro
+          nano
+          neovim
+
+          autossh
+          inetutils
+          lynx
+          mosh
+          rsync
+          w3m
+
+          clang
+          gcc
+          guile
+          lua
+          perl
+          php
+          python3
+          (python3.withPackages (ps: with ps; [
+            numpy
+            sympy
+            scipy
+            requests
+            imageio
+            pillow
+            httpx
+            pycryptodome
+            pandas
+            matplotlib
+          ]))
+          ruby
+          tcl
+      ];
+
+      services.openssh = {
+        enable = true;
+        ports = [ 22 80 443 ];
+        openFirewall = true;
+        extraConfig = ''
+          PubkeyAcceptedAlgorithms=+ssh-rsa
+       '';
+
+        settings = {
+          GatewayPorts = "yes";
+          PermitRootLogin = "yes";
+        };
+      };
+
+      users.motd = builtins.readFile ../../../misc/motd;
+
+      networking = {
+        firewall.enable = true;
+        # Use systemd-resolved inside the container
+        # Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686
+        useHostResolvConf = lib.mkForce false;
+        hostName = "bikkje";
+      };
+
+      systemd.network.enable = true;
+      systemd.network.networks."30-enp4s0f0" = values.defaultNetworkConfig // {
+        matchConfig.Name = "enp4s0f0";
+        address = with values.hosts.bikkje; [ (ipv4 + "/25") (ipv6 + "/64") ];
+      };
+      
+      system.stateVersion = "23.11";
+      services.resolved.enable = true;
+    };
+  };
+
+  # TODO
+  # - Kerberos Authentication
+  # - Mail Transfer Agent
+}

hosts/buskerud/bikkje/services/kerberos/default.nix

@@ -0,0 +1,27 @@
+{ config, pkgs, lib, ... }:
+{
+  #######################
+  # TODO: remove these once nixos 24.05 gets released
+  #######################
+  imports = [
+    ./krb5.nix
+    ./pam.nix
+  ];
+  disabledModules = [
+    "config/krb5/default.nix"
+    "security/pam.nix"
+  ];
+  #######################
+
+  security.krb5 = {
+    enable = true;
+    settings = {
+      libdefaults = {
+        default_realm = "PVV.NTNU.NO";
+        dns_lookup_realm = "yes";
+        dns_lookup_kdc = "yes";
+      };
+      realms."PVV.NTNU.NO".admin_server = "kdc.pvv.ntnu.no";
+    };
+  };
+}

hosts/buskerud/bikkje/services/kerberos/krb5-conf-format.nix

@@ -0,0 +1,88 @@
+{ pkgs, lib, ... }:
+
+# Based on
+# - https://web.mit.edu/kerberos/krb5-1.12/doc/admin/conf_files/krb5_conf.html
+# - https://manpages.debian.org/unstable/heimdal-docs/krb5.conf.5heimdal.en.html
+
+let
+  inherit (lib) boolToString concatMapStringsSep concatStringsSep filter
+    isAttrs isBool isList mapAttrsToList mdDoc mkOption singleton splitString;
+  inherit (lib.types) attrsOf bool coercedTo either int listOf oneOf path
+    str submodule;
+in
+{ }: {
+  type = let
+    section = attrsOf relation;
+    relation = either (attrsOf value) value;
+    value = either (listOf atom) atom;
+    atom = oneOf [int str bool];
+  in submodule {
+    freeformType = attrsOf section;
+    options = {
+      include = mkOption {
+        default = [ ];
+        description = mdDoc ''
+          Files to include in the Kerberos configuration.
+        '';
+        type = coercedTo path singleton (listOf path);
+      };
+      includedir = mkOption {
+        default = [ ];
+        description = mdDoc ''
+          Directories containing files to include in the Kerberos configuration.
+        '';
+        type = coercedTo path singleton (listOf path);
+      };
+      module = mkOption {
+        default = [ ];
+        description = mdDoc ''
+          Modules to obtain Kerberos configuration from.
+        '';
+        type = coercedTo path singleton (listOf path);
+      };
+    };
+  };
+
+  generate = let
+    indent = str: concatMapStringsSep "\n" (line: "  " + line) (splitString "\n" str);
+
+    formatToplevel = args @ {
+      include ? [ ],
+      includedir ? [ ],
+      module ? [ ],
+      ...
+    }: let
+      sections = removeAttrs args [ "include" "includedir" "module" ];
+    in concatStringsSep "\n" (filter (x: x != "") [
+      (concatStringsSep "\n" (mapAttrsToList formatSection sections))
+      (concatMapStringsSep "\n" (m: "module ${m}") module)
+      (concatMapStringsSep "\n" (i: "include ${i}") include)
+      (concatMapStringsSep "\n" (i: "includedir ${i}") includedir)
+    ]);
+
+    formatSection = name: section: ''
+      [${name}]
+      ${indent (concatStringsSep "\n" (mapAttrsToList formatRelation section))}
+    '';
+
+    formatRelation = name: relation:
+      if isAttrs relation
+      then ''
+        ${name} = {
+        ${indent (concatStringsSep "\n" (mapAttrsToList formatValue relation))}
+        }''
+      else formatValue name relation;
+
+    formatValue = name: value:
+      if isList value
+      then concatMapStringsSep "\n" (formatAtom name) value
+      else formatAtom name value;
+
+    formatAtom = name: atom: let
+      v = if isBool atom then boolToString atom else toString atom;
+    in "${name} = ${v}";
+  in
+    name: value: pkgs.writeText name ''
+      ${formatToplevel value}
+    '';
+}

hosts/buskerud/bikkje/services/kerberos/krb5.nix

@@ -0,0 +1,90 @@
+{ config, lib, pkgs, ... }:
+let
+  inherit (lib) mdDoc mkIf mkOption mkPackageOption mkRemovedOptionModule;
+  inherit (lib.types) bool;
+
+  mkRemovedOptionModule' = name: reason: mkRemovedOptionModule ["krb5" name] reason;
+  mkRemovedOptionModuleCfg = name: mkRemovedOptionModule' name ''
+    The option `krb5.${name}' has been removed. Use
+    `security.krb5.settings.${name}' for structured configuration.
+  '';
+
+  cfg = config.security.krb5;
+  format = import ./krb5-conf-format.nix { inherit pkgs lib; } { };
+in {
+  imports = [
+    (mkRemovedOptionModuleCfg "libdefaults")
+    (mkRemovedOptionModuleCfg "realms")
+    (mkRemovedOptionModuleCfg "domain_realm")
+    (mkRemovedOptionModuleCfg "capaths")
+    (mkRemovedOptionModuleCfg "appdefaults")
+    (mkRemovedOptionModuleCfg "plugins")
+    (mkRemovedOptionModuleCfg "config")
+    (mkRemovedOptionModuleCfg "extraConfig")
+    (mkRemovedOptionModule' "kerberos" ''
+      The option `krb5.kerberos' has been moved to `security.krb5.package'.
+    '')
+  ];
+
+  options = {
+    security.krb5 = {
+      enable = mkOption {
+        default = false;
+        description = mdDoc "Enable and configure Kerberos utilities";
+        type = bool;
+      };
+
+      package = mkPackageOption pkgs "krb5" {
+        example = "heimdal";
+      };
+
+      settings = mkOption {
+        default = { };
+        type = format.type;
+        description = mdDoc ''
+          Structured contents of the {file}`krb5.conf` file. See
+          {manpage}`krb5.conf(5)` for details about configuration.
+        '';
+        example = {
+          include = [ "/run/secrets/secret-krb5.conf" ];
+          includedir = [ "/run/secrets/secret-krb5.conf.d" ];
+
+          libdefaults = {
+            default_realm = "ATHENA.MIT.EDU";
+          };
+
+          realms = {
+            "ATHENA.MIT.EDU" = {
+              admin_server = "athena.mit.edu";
+              kdc = [
+                "athena01.mit.edu"
+                "athena02.mit.edu"
+              ];
+            };
+          };
+
+          domain_realm = {
+            "mit.edu" = "ATHENA.MIT.EDU";
+          };
+
+          logging = {
+            kdc = "SYSLOG:NOTICE";
+            admin_server = "SYSLOG:NOTICE";
+            default = "SYSLOG:NOTICE";
+          };
+        };
+      };
+    };
+  };
+
+  config = mkIf cfg.enable {
+    environment = {
+      systemPackages = [ cfg.package ];
+      etc."krb5.conf".source = format.generate "krb5.conf" cfg.settings;
+    };
+  };
+
+  meta.maintainers = builtins.attrValues {
+    inherit (lib.maintainers) dblsaiko h7x4;
+  };
+}

hosts/buskerud/configuration.nix

@@ -4,6 +4,8 @@
     ./hardware-configuration.nix
     ../../base.nix
     ../../misc/metrics-exporters.nix
+
+    ./bikkje
   ];
 
   # buskerud does not support efi?

misc/motd

@@ -0,0 +1,16 @@
+		 ███████████  █████   █████ █████   █████
+		░░███░░░░░███░░███   ░░███ ░░███   ░░███
+		 ░███    ░███ ░███    ░███  ░███    ░███
+		 ░██████████  ░███    ░███  ░███    ░███
+		 ░███░░░░░░   ░░███   ███   ░░███   ███
+		 ░███          ░░░█████░     ░░░█████░
+		 █████           ░░███         ░░███
+		░░░░░             ░░░           ░░░
+
+================= EN ==================|================== NB =================
+Welcome to a PVV machine, life is good.|Velkommen til en PVV-maskin,
+                                       |livet er deilig.
+If you are confused, try pvv.ntnu.no or|Hvis du er forvirret prøv pvv.ntnu.no
+our discord server.                    |eller vår discord-server.
+More info at pvv.ntnu.no/kontakt/      |Mer info på pvv.ntnu.no/kontakt/
+===============================================================================

modules/home-areas.nix

@@ -0,0 +1,20 @@
+{ pkgs, lib, ... }:
+{
+  fileSystems = let
+    # See microbel:/etc/exports
+    homeMounts = (lib.listToAttrs (map
+      (l: lib.nameValuePair "/home/pvv/${l}" "homepvv${l}.pvv.ntnu.no:/export/home/pvv/${l}")
+      [ "a" "b" "c" "d"  "h" "i" "j" "k" "l" "m" "z" ]));
+  in { }
+  //
+  (lib.mapAttrs (_: device: {
+    inherit device;
+    fsType = "nfs";
+    options = [
+      "nfsvers=3"
+      "proto=tcp"
+      "nofail"
+      "_netdev"
+    ];
+  }) homeMounts);
+}

values.nix

@@ -56,6 +56,10 @@ in rec {
       ipv4 = pvv-ipv4 204;
       ipv6 = pvv-ipv6 "1:4f"; # Wtf øystein og daniel why
     };
+    bikkje = {
+      ipv4 = pvv-ipv4 216;
+      ipv6 = pvv-ipv6 216;
+    };
     buskerud = {
       ipv4 = pvv-ipv4 231;
       ipv6 = pvv-ipv6 231;