bekkalokk: remove keycloak

Reviewed-on: #32

base.nix

@@ -88,17 +88,46 @@
 
   systemd.services.nginx.after = [ "generate-snakeoil-certs.service" ];
 
-  environment.snakeoil-certs = lib.mkIf (config.services.nginx.enable) {
+  environment.snakeoil-certs = lib.mkIf config.services.nginx.enable {
     "/etc/certs/nginx" = {
       owner = "nginx";
       group = "nginx";
     };
   };
 
-  services.nginx.virtualHosts."_" = lib.mkIf (config.services.nginx.enable) {
+  services.nginx = {
+    recommendedTlsSettings = true;
+    recommendedProxySettings = true;
+    recommendedOptimisation = true;
+    recommendedGzipSettings = true;
+
+    appendConfig = ''
+      pcre_jit on;
+      worker_processes auto;
+      worker_rlimit_nofile 100000;
+    '';
+    eventsConfig = ''
+      worker_connections 2048;
+      use epoll;
+      multi_accept on;
+    '';
+  };
+
+  systemd.services.nginx.serviceConfig = lib.mkIf config.services.nginx.enable {
+    LimitNOFILE = 65536;
+  };
+
+  services.nginx.virtualHosts."_" = lib.mkIf config.services.nginx.enable {
     sslCertificate = "/etc/certs/nginx.crt";
     sslCertificateKey = "/etc/certs/nginx.key";
     addSSL = true;
     extraConfig = "return 444;";
   };
+
+  networking.firewall.allowedTCPPorts = lib.mkIf config.services.nginx.enable [ 80 443 ];
+
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = "drift@pvv.ntnu.no";
+  };
 }

flake.lock

@@ -7,11 +7,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1710169806,
-        "narHash": "sha256-HeWFrRuHpnAiPmIr26OKl2g142HuGerwoO/XtW53pcI=",
+        "lastModified": 1712798444,
+        "narHash": "sha256-aAksVB7zMfBQTz0q2Lw3o78HM3Bg2FRziX2D6qnh+sk=",
         "owner": "nix-community",
         "repo": "disko",
-        "rev": "fe064a639319ed61cdf12b8f6eded9523abcc498",
+        "rev": "a297cb1cb0337ee10a7a0f9517954501d8f6f74d",
         "type": "github"
       },
       "original": {
@@ -27,11 +27,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1696346665,
-        "narHash": "sha256-J6Tf6a/zhFZ8SereluHLrvgPsIVm2CGHHA8wrbhZB3Y=",
+        "lastModified": 1712875951,
+        "narHash": "sha256-4kcRd2Q2XM4r+U2zp+LADjrzazKpWvs0WrMKPktEEkc=",
         "owner": "Programvareverkstedet",
         "repo": "grzegorz",
-        "rev": "9b9c3ac7d408ac7c6d67544b201e6b169afacb03",
+        "rev": "9eaba26b1671e8810cb135997c867ac3550e685a",
         "type": "github"
       },
       "original": {
@@ -47,11 +47,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1693864994,
-        "narHash": "sha256-oLDiWdCKDtEfeGzfAuDTq+n9VWp6JCo67PEESEZ3y8E=",
+        "lastModified": 1711853301,
+        "narHash": "sha256-KxRNyW/fgq690bt3B+Nz4EKLoubybcuASYyMa41bAPE=",
         "owner": "Programvareverkstedet",
         "repo": "grzegorz-clients",
-        "rev": "a38a0b0fb31ad0ad78a91458cb2c7f77f686468f",
+        "rev": "c38f2f22a6d47ae2da015351a45d13cbc1eb48e4",
         "type": "github"
       },
       "original": {
@@ -102,11 +102,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1710248792,
-        "narHash": "sha256-yFyWw4na+nJgtXwhHs2SJSy5Lcw94/FcMbBOorlGdfI=",
+        "lastModified": 1712848736,
+        "narHash": "sha256-CzZwhqyLlebljv1zFS2KWVH/3byHND0LfaO1jKsGuVo=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "efbb274f364c918b9937574de879b5874b5833cc",
+        "rev": "1d6a23f11e44d0fb64b3237569b87658a9eb5643",
         "type": "github"
       },
       "original": {
@@ -117,11 +117,11 @@
     },
     "nixpkgs-stable": {
       "locked": {
-        "lastModified": 1710033658,
-        "narHash": "sha256-yiZiVKP5Ya813iYLho2+CcFuuHpaqKc/CoxOlANKcqM=",
+        "lastModified": 1712437997,
+        "narHash": "sha256-g0whLLwRvgO2FsyhY8fNk+TWenS3jg5UdlWL4uqgFeo=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "b17375d3bb7c79ffc52f3538028b2ec06eb79ef8",
+        "rev": "e38d7cb66ea4f7a0eb6681920615dfcc30fc2920",
         "type": "github"
       },
       "original": {
@@ -133,11 +133,11 @@
     },
     "nixpkgs-unstable": {
       "locked": {
-        "lastModified": 1710247538,
-        "narHash": "sha256-Mm3aCwfAdYgG2zKf5SLRBktPH0swXN1yEetAMn05KAA=",
+        "lastModified": 1712837137,
+        "narHash": "sha256-9joaU/GD35J9Utb0ipelQbOcvsw5eoYTmSarLV3MbNk=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "21adc4f16a8ab151fec83b9d9368cd62d9de86bc",
+        "rev": "681d4a87b26b1dcaae7ffe6cf88c9912c575415f",
         "type": "github"
       },
       "original": {
@@ -166,6 +166,26 @@
         "url": "https://git.pvv.ntnu.no/Projects/calendar-bot.git"
       }
     },
+    "pvv-nettsiden": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1712834399,
+        "narHash": "sha256-deNJvqboPk3bEoRZ/FyZnxscsf2BpS3/52JM4qXCNSA=",
+        "ref": "refs/heads/master",
+        "rev": "216e153f89f1dbdc4c98a7c1db2a40e52becc901",
+        "revCount": 451,
+        "type": "git",
+        "url": "https://git.pvv.ntnu.no/Projects/nettsiden.git"
+      },
+      "original": {
+        "type": "git",
+        "url": "https://git.pvv.ntnu.no/Projects/nettsiden.git"
+      }
+    },
     "root": {
       "inputs": {
         "disko": "disko",
@@ -176,6 +196,7 @@
         "nixpkgs": "nixpkgs",
         "nixpkgs-unstable": "nixpkgs-unstable",
         "pvv-calendar-bot": "pvv-calendar-bot",
+        "pvv-nettsiden": "pvv-nettsiden",
         "sops-nix": "sops-nix"
       }
     },
@@ -187,11 +208,11 @@
         "nixpkgs-stable": "nixpkgs-stable"
       },
       "locked": {
-        "lastModified": 1710195194,
-        "narHash": "sha256-KFxCJp0T6TJOz1IOKlpRdpsCr9xsvlVuWY/VCiAFnTE=",
+        "lastModified": 1712617241,
+        "narHash": "sha256-a4hbls4vlLRMciv62YrYT/Xs/3Cubce8WFHPUDWwzf8=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "e52d8117b330f690382f1d16d81ae43daeb4b880",
+        "rev": "538c114cfdf1f0458f507087b1dcf018ce1c0c4c",
         "type": "github"
       },
       "original": {

flake.nix

@@ -11,6 +11,9 @@
     disko.url = "github:nix-community/disko";
     disko.inputs.nixpkgs.follows = "nixpkgs";
 
+    pvv-nettsiden.url = "git+https://git.pvv.ntnu.no/Projects/nettsiden.git";
+    pvv-nettsiden.inputs.nixpkgs.follows = "nixpkgs";
+
     pvv-calendar-bot.url = "git+https://git.pvv.ntnu.no/Projects/calendar-bot.git";
     pvv-calendar-bot.inputs.nixpkgs.follows = "nixpkgs";
 
@@ -26,7 +29,7 @@
     grzegorz-clients.inputs.nixpkgs.follows = "nixpkgs";
   };
 
-  outputs = { self, nixpkgs, nixpkgs-unstable, sops-nix, disko, ... }@inputs:
+  outputs = { self, nixpkgs, nixpkgs-unstable, pvv-nettsiden, sops-nix, disko, ... }@inputs:
   let
     nixlib = nixpkgs.lib;
     systems = [
@@ -61,7 +64,11 @@
 
           pkgs = import nixpkgs {
             inherit system;
-            overlays = [ ] ++ config.overlays or [ ];
+            overlays = [
+              (import ./overlays/nginx-test.nix
+                (builtins.attrNames self.nixosConfigurations.${name}.config.security.acme.certs)
+              )
+            ] ++ config.overlays or [ ];
           };
         }
         (removeAttrs config [ "modules" "overlays" ])
@@ -87,9 +94,11 @@
             simplesamlphp = final.callPackage ./packages/simplesamlphp { };
           })
           inputs.nix-gitea-themes.overlays.default
+          inputs.pvv-nettsiden.overlays.default
         ];
         modules = [
           inputs.nix-gitea-themes.nixosModules.default
+          inputs.pvv-nettsiden.nixosModules.default
         ];
       };
       bob = stableNixosConfig "bob" {
@@ -133,7 +142,7 @@
 
         simplesamlphp = pkgs.callPackage ./packages/simplesamlphp { };
 
-        mediawiki-extensions = pkgs.callPackage ./packages/mediawiki-extensions { };
+        # mediawiki-extensions = pkgs.callPackage ./packages/mediawiki-extensions { };
       } // nixlib.genAttrs allMachines
         (machine: self.nixosConfigurations.${machine}.config.system.build.toplevel);
     };

hosts/bekkalokk/configuration.nix

@@ -6,11 +6,8 @@
     ../../base.nix
     ../../misc/metrics-exporters.nix
 
-    #./services/keycloak.nix
-
-    # TODO: set up authentication for the following:
-    # ./services/website.nix
-    ./services/nginx
+    ./services/website
+    ./services/nginx.nix
     ./services/gitea/default.nix
     ./services/kerberos
     ./services/webmail
@@ -26,8 +23,6 @@
   boot.loader.systemd-boot.enable = true;
   boot.loader.efi.canTouchEfiVariables = true;
 
-  virtualisation.podman.enable = true;
-
   networking.hostName = "bekkalokk";
 
   systemd.network.networks."30-enp2s0" = values.defaultNetworkConfig // {

hosts/bekkalokk/services/gitea/ci.nix

@@ -27,4 +27,5 @@ lib.mkMerge [
   (mkRunner "alpha")
   (mkRunner "beta")
   (mkRunner "epsilon")
+  { virtualisation.podman.enable = true; }
 ]

hosts/bekkalokk/services/gitea/default.nix

@@ -59,9 +59,9 @@ in {
   services.nginx.virtualHosts."${domain}" = {
     forceSSL = true;
     enableACME = true;
+    kTLS = true;
     locations."/" = {
       proxyPass = "http://unix:${cfg.settings.server.HTTP_ADDR}";
-      recommendedProxySettings = true;
       extraConfig = ''
         client_max_body_size 512M;
       '';

hosts/bekkalokk/services/idp-simplesamlphp/default.nix

@@ -22,7 +22,7 @@ let
       # openssl req -newkey rsa:4096 -new -x509 -days 365 -nodes -out idp.crt -keyout idp.pem
       "metadata/saml20-idp-hosted.php" = pkgs.writeText "saml20-idp-remote.php" ''
         <?php
-	  $metadata['https://idp2.pvv.ntnu.no/'] = array(
+	  $metadata['https://idp.pvv.ntnu.no/'] = array(
 	    'host' => '__DEFAULT__',
 	    'privatekey' => '${config.sops.secrets."idp/privatekey".path}',
 	    'certificate' => '${./idp.crt}',
@@ -89,7 +89,7 @@ let
           --replace '$SAML_ADMIN_NAME' '"Drift"' \
           --replace '$SAML_ADMIN_EMAIL' '"drift@pvv.ntnu.no"' \
           --replace '$SAML_ADMIN_PASSWORD' 'file_get_contents("${config.sops.secrets."idp/admin_password".path}")' \
-          --replace '$SAML_TRUSTED_DOMAINS' 'array( "idp2.pvv.ntnu.no" )' \
+          --replace '$SAML_TRUSTED_DOMAINS' 'array( "idp.pvv.ntnu.no" )' \
           --replace '$SAML_DATABASE_DSN' '"pgsql:host=postgres.pvv.ntnu.no;port=5432;dbname=idp"' \
           --replace '$SAML_DATABASE_USERNAME' '"idp"' \
           --replace '$SAML_DATABASE_PASSWORD' 'file_get_contents("${config.sops.secrets."idp/postgres_password".path}")' \
@@ -177,9 +177,10 @@ in
       };
     };
 
-    services.nginx.virtualHosts."idp2.pvv.ntnu.no" = {
+    services.nginx.virtualHosts."idp.pvv.ntnu.no" = {
       forceSSL = true;
       enableACME = true;
+      kTLS = true;
       root = "${package}/share/php/simplesamlphp/public";
       locations =  {
         # based on https://simplesamlphp.org/docs/stable/simplesamlphp-install.html#configuring-nginx
@@ -197,6 +198,10 @@ in
             }
           '';
         };
+        "^~ /simplesaml/".extraConfig = ''
+	  rewrite ^/simplesaml/(.*)$ /$1 redirect;
+	  return 404;
+	'';
       };
     };
   };

hosts/bekkalokk/services/idp-simplesamlphp/metadata.php.nix

@@ -1,18 +1,18 @@
 ''
   <?php
-  $metadata['https://idp2.pvv.ntnu.no/'] = [
+  $metadata['https://idp.pvv.ntnu.no/'] = [
       'metadata-set' => 'saml20-idp-hosted',
-      'entityid' => 'https://idp2.pvv.ntnu.no/',
+      'entityid' => 'https://idp.pvv.ntnu.no/',
       'SingleSignOnService' => [
           [
               'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
-              'Location' => 'https://idp2.pvv.ntnu.no/module.php/saml/idp/singleSignOnService',
+              'Location' => 'https://idp.pvv.ntnu.no/module.php/saml/idp/singleSignOnService',
           ],
       ],
       'SingleLogoutService' => [
           [
               'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
-              'Location' => 'https://idp2.pvv.ntnu.no/module.php/saml/idp/singleLogout',
+              'Location' => 'https://idp.pvv.ntnu.no/module.php/saml/idp/singleLogout',
           ],
       ],
       'NameIDFormat' => [ 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient' ],

hosts/bekkalokk/services/keycloak.nix

@@ -1,24 +0,0 @@
-{ pkgs, config, values, ... }:
-{
-  sops.secrets."keys/postgres/keycloak" = {
-    owner = "keycloak";
-    group = "keycloak";
-    restartUnits = [ "keycloak.service" ];
-  };
-
-  services.keycloak = {
-    enable = true;
-
-    settings = {
-      hostname = "auth.pvv.ntnu.no";
-      # hostname-strict-backchannel = true;
-    };
-
-    database = {
-      host = values.hosts.bicep.ipv4;
-      createLocally = false;
-      passwordFile = config.sops.secrets."keys/postgres/keycloak".path;
-      caCert = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
-    };
-  };
-}

hosts/bekkalokk/services/mediawiki/default.nix

@@ -152,6 +152,7 @@ in {
   users.groups.mediawiki.members = [ "nginx" ];
 
   services.nginx.virtualHosts."wiki.pvv.ntnu.no" = {
+    kTLS = true;
     forceSSL = true;
     enableACME = true;
     locations =  {

hosts/bekkalokk/services/mediawiki/simplesaml-authsources.php

@@ -6,6 +6,6 @@ $config = array(
     'default-sp' => array(
         'saml:SP',
         'entityID' => 'https://wiki.pvv.ntnu.no/simplesaml/',
-        'idp' => 'https://idp2.pvv.ntnu.no/',
+        'idp' => 'https://idp.pvv.ntnu.no/',
     ),
 );

hosts/bekkalokk/services/nginx.nix

@@ -0,0 +1,4 @@
+{ pkgs, config, ... }:
+{
+  services.nginx.enable = true;
+}

hosts/bekkalokk/services/nginx/default.nix

@@ -1,22 +0,0 @@
-{ pkgs, config, ... }:
-{
-  imports = [
-    ./ingress.nix
-  ];
-
-  security.acme = {
-    acceptTerms = true;
-    defaults.email = "drift@pvv.ntnu.no";
-  };
-
-  services.nginx = {
-    enable = true;
-
-    recommendedTlsSettings = true;
-    recommendedProxySettings = true;
-    recommendedOptimisation = true;
-    recommendedGzipSettings = true;
-  };
-
-  networking.firewall.allowedTCPPorts = [ 80 443 ];
-}

hosts/bekkalokk/services/nginx/ingress.nix

@@ -1,55 +0,0 @@
-{ config, lib, ... }:
-{
-  services.nginx.virtualHosts = {
-    "www2.pvv.ntnu.no" = {
-      serverAliases = [ "www2.pvv.org" "pvv.ntnu.no" "pvv.org" ];
-      addSSL = true;
-      enableACME = true;
-
-      locations = {
-        # Proxy home directories
-        "/~" = {
-          extraConfig = ''
-            proxy_redirect off;
-            proxy_pass https://tom.pvv.ntnu.no;
-            proxy_set_header Host $host;
-            proxy_set_header X-Real-IP $remote_addr;
-            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-            proxy_set_header X-Forwarded-Proto $scheme;
-          '';
-        };
-
-        # Redirect old wiki entries
-        "/disk".return = "301 https://www.pvv.ntnu.no/pvv/Diskkjøp";
-        "/dok/boker.php".return = "301 https://www.pvv.ntnu.no/pvv/Bokhyllen";
-        "/styret/lover/".return = "301 https://www.pvv.ntnu.no/pvv/Lover";
-        "/styret/".return = "301 https://www.pvv.ntnu.no/pvv/Styret";
-        "/info/".return = "301 https://www.pvv.ntnu.no/pvv/";
-        "/info/maskinpark/".return = "301 https://www.pvv.ntnu.no/pvv/Maskiner";
-        "/medlemssider/meldinn.php".return = "301 https://www.pvv.ntnu.no/pvv/Medlemskontingent";
-        "/diverse/medlems-sider.php".return = "301 https://www.pvv.ntnu.no/pvv/Medlemssider";
-        "/cert/".return = "301 https://www.pvv.ntnu.no/pvv/CERT";
-        "/drift".return = "301 https://www.pvv.ntnu.no/pvv/Drift";
-        "/diverse/abuse.php".return = "301 https://www.pvv.ntnu.no/pvv/CERT/Abuse";
-        "/nerds/".return = "301 https://www.pvv.ntnu.no/pvv/Nerdepizza";
-
-        # TODO: Redirect webmail
-        "/webmail".return = "301 https://webmail.pvv.ntnu.no/squirrelmail";
-
-        # Redirect everything else to the main website
-        "/".return = "301 https://www.pvv.ntnu.no$request_uri";
-
-        # Proxy the matrix well-known files
-        # Host has be set before proxy_pass
-        # The header must be set so nginx on the other side routes it to the right place
-        "/.well-known/matrix/" = {
-          extraConfig = ''
-            proxy_set_header Host matrix.pvv.ntnu.no;
-            proxy_pass https://matrix.pvv.ntnu.no/.well-known/matrix/;
-          '';
-        };
-      };
-    };
-  };
-}
-

hosts/bekkalokk/services/webmail/default.nix

@@ -4,12 +4,15 @@
     ./roundcube.nix
   ];
 
-  services.nginx.virtualHosts."webmail2.pvv.ntnu.no" = {
+  services.nginx.virtualHosts."webmail.pvv.ntnu.no" = {
     forceSSL = true;
     enableACME = true;
-    #locations."/" = lib.mkForce { };
-    locations."= /" = {
-      return = "301 https://www.pvv.ntnu.no/mail/";
+    kTLS = true;
+    locations = {
+      "= /".return = "302 https://webmail.pvv.ntnu.no/roundcube";
+      "/afterlogic_lite".return = "302 https://webmail.pvv.ntnu.no/roundcube";
+      "/squirrelmail".return = "302 https://webmail.pvv.ntnu.no/roundcube";
+      "/rainloop".return = "302 https://webmail.pvv.ntnu.no/roundcube";
     };
   };
 }

hosts/bekkalokk/services/webmail/roundcube.nix

@@ -3,7 +3,7 @@
 with lib;
 let
   cfg = config.services.roundcube;
-  domain = "webmail2.pvv.ntnu.no";
+  domain = "webmail.pvv.ntnu.no";
 in 
 {
   services.roundcube = {
@@ -35,6 +35,7 @@ in
   services.nginx.virtualHosts."roundcubeplaceholder.example.com" = lib.mkForce { };
 
   services.nginx.virtualHosts.${domain} = {
+    kTLS = true;
     locations."/roundcube" = {
       tryFiles = "$uri $uri/ =404";
       index = "index.php";

hosts/bekkalokk/services/website.nix

@@ -1,4 +0,0 @@
-{ ... }:
-{
-
-}

hosts/bekkalokk/services/website/default.nix

@@ -0,0 +1,126 @@
+{ pkgs, lib, config, ... }:
+let
+  format = pkgs.formats.php { };
+  cfg = config.services.pvv-nettsiden;
+in {
+  imports = [
+    ./fetch-gallery.nix
+  ];
+
+  sops.secrets = lib.genAttrs [
+    "nettsiden/door_secret"
+    "nettsiden/mysql_password"
+    "nettsiden/simplesamlphp/admin_password"
+    "nettsiden/simplesamlphp/cookie_salt"
+  ] (_: {
+    owner = config.services.phpfpm.pools.pvv-nettsiden.user;
+    group = config.services.phpfpm.pools.pvv-nettsiden.group;
+    restartUnits = [ "phpfpm-pvv-nettsiden.service" ];
+  });
+
+  services.idp.sp-remote-metadata = [ "https://${cfg.domainName}/simplesaml/" ];
+
+  services.pvv-nettsiden = {
+    enable = true;
+
+    package = pkgs.pvv-nettsiden.override {
+      extra_files = {
+        "${pkgs.pvv-nettsiden.passthru.simplesamlphpPath}/metadata/saml20-idp-remote.php" = pkgs.writeText "pvv-nettsiden-saml20-idp-remote.php" (import ../idp-simplesamlphp/metadata.php.nix);
+        "${pkgs.pvv-nettsiden.passthru.simplesamlphpPath}/config/authsources.php" = pkgs.writeText "pvv-nettsiden-authsources.php" ''
+          <?php
+          $config = array(
+              'admin' => array(
+                'core:AdminPassword'
+              ),
+              'default-sp' => array(
+                  'saml:SP',
+                  'entityID' => 'https://${cfg.domainName}/simplesaml/',
+                  'idp' => 'https://idp.pvv.ntnu.no/',
+              ),
+          );
+	'';
+      };
+    };
+
+    domainName = "www.pvv.ntnu.no";
+
+    settings = let
+      includeFromSops = path: format.lib.mkRaw "file_get_contents('${config.sops.secrets."nettsiden/${path}".path}')";
+    in {
+      DOOR_SECRET = includeFromSops "door_secret";
+
+      DB = {
+        DSN = "mysql:dbname=www-data_nettside;host=mysql.pvv.ntnu.no";
+        USER = "www-data_nettsi";
+        PASS = includeFromSops "mysql_password";
+      };
+
+      # TODO: set up postgres session for simplesamlphp
+      SAML = {
+        COOKIE_SALT = includeFromSops "simplesamlphp/cookie_salt";
+        COOKIE_SECURE = true;
+        ADMIN_NAME = "PVV Drift";
+        ADMIN_EMAIL = "drift@pvv.ntnu.no";
+        ADMIN_PASSWORD = includeFromSops "simplesamlphp/admin_password";
+        TRUSTED_DOMAINS = [ cfg.domainName ];
+      };
+    };
+  };
+
+  services.phpfpm.pools."pvv-nettsiden".settings = {
+    # "php_admin_value[error_log]" = "stderr";
+    "php_admin_flag[log_errors]" = true;
+    "catch_workers_output" = true;
+  };
+
+  services.nginx.virtualHosts.${cfg.domainName} = {
+    serverAliases = [
+      "pvv.ntnu.no"
+      "www.pvv.org"
+      "pvv.org"
+    ];
+
+    locations = {
+      # Proxy home directories
+      "^~ /~" = {
+        extraConfig = ''
+          proxy_redirect off;
+          proxy_pass https://tom.pvv.ntnu.no;
+          proxy_set_header Host $host;
+          proxy_set_header X-Real-IP $remote_addr;
+          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+          proxy_set_header X-Forwarded-Proto $scheme;
+        '';
+      };
+
+      # Redirect the old webmail/wiki paths from spikkjeposche
+      "^~ /webmail".return = "301 https://webmail.pvv.ntnu.no";
+      "~ /pvv/([^\\n\\r]*)".return = "301 https://wiki.pvv.ntnu.no/wiki/$1";
+      "= /pvv".return = "301 https://wiki.pvv.ntnu.no/";
+
+      # Redirect old wiki entries
+      "/disk".return = "301 https://wiki.pvv.ntnu.no/wiki/Diskkjøp";
+      "/dok/boker.php".return = "301 https://wiki.pvv.ntnu.no/wiki/Bokhyllen";
+      "/styret/lover/".return = "301 https://wiki.pvv.ntnu.no/wiki/Lover";
+      "/styret/".return = "301 https://wiki.pvv.ntnu.no/wiki/Styret";
+      "/info/".return = "301 https://wiki.pvv.ntnu.no/wiki/";
+      "/info/maskinpark/".return = "301 https://wiki.pvv.ntnu.no/wiki/Maskiner";
+      "/medlemssider/meldinn.php".return = "301 https://wiki.pvv.ntnu.no/wiki/Medlemskontingent";
+      "/diverse/medlems-sider.php".return = "301 https://wiki.pvv.ntnu.no/wiki/Medlemssider";
+      "/cert/".return = "301 https://wiki.pvv.ntnu.no/wiki/CERT";
+      "/drift".return = "301 https://wiki.pvv.ntnu.no/wiki/Drift";
+      "/diverse/abuse.php".return = "301 https://wiki.pvv.ntnu.no/wiki/CERT/Abuse";
+      "/nerds/".return = "301 https://wiki.pvv.ntnu.no/wiki/Nerdepizza";
+
+      # Proxy the matrix well-known files
+      # Host has be set before proxy_pass
+      # The header must be set so nginx on the other side routes it to the right place
+      "^~ /.well-known/matrix/" = {
+        extraConfig = ''
+          proxy_set_header Host matrix.pvv.ntnu.no;
+          proxy_pass https://matrix.pvv.ntnu.no/.well-known/matrix/;
+        '';
+      };
+    };
+  };
+}

hosts/bekkalokk/services/website/fetch-gallery.nix

@@ -0,0 +1,67 @@
+{ pkgs, lib, config, ... }:
+let
+  galleryDir = config.services.pvv-nettsiden.settings.GALLERY.DIR;
+  transferDir = "${config.services.pvv-nettsiden.settings.GALLERY.DIR}-transfer";
+in {
+  users.users.${config.services.pvv-nettsiden.user} = {
+    useDefaultShell = true;
+
+    # This is pushed from microbel:/var/www/www-gallery/build-gallery.sh
+    openssh.authorizedKeys.keys = [
+    ''command="${pkgs.rrsync}/bin/rrsync -wo ${transferDir}",restrict,no-agent-forwarding,no-port-forwarding,no-pty,no-X11-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIjHhC2dikhWs/gG+m7qP1eSohWzTehn4ToNzDSOImyR gallery-publish''
+    ];
+  };
+
+  systemd.paths.pvv-nettsiden-gallery-update = {
+    wantedBy = [ "multi-user.target" ];
+    pathConfig = {
+      PathChanged = "${transferDir}/gallery.tar.gz";
+      Unit = "pvv-nettsiden-gallery-update.service";
+      MakeDirectory = true;
+    };
+  };
+
+  systemd.services.pvv-nettsiden-gallery-update = {
+    path = with pkgs; [ imagemagick gnutar gzip ];
+
+    script = ''
+      tar ${lib.cli.toGNUCommandLineShell {} {
+        extract = true;
+        file = "${transferDir}/gallery.tar.gz";
+        directory = ".";
+      }}
+
+      # Delete files and directories that exists in the gallery that don't exist in the tarball
+      filesToRemove=$(uniq -u <(sort <(find . -not -path "./.thumbnails*") <(tar -tf ${transferDir}/gallery.tar.gz | sed 's|/$||')))
+      while IFS= read fname; do
+        rm -f "$fname" ||:
+        rm -f ".thumbnails/$fname.png" ||:
+      done <<< "$filesToRemove"
+
+      find . -type d -empty -delete
+
+      mkdir -p .thumbnails
+      images=$(find . -type f -not -path "./.thumbnails*")
+
+      while IFS= read fname; do
+        # Skip this file if an up-to-date thumbnail already exists
+        if [ -f ".thumbnails/$fname.png" ] && \
+           [ "$(date -R -r "$fname")" == "$(date -R -r ".thumbnails/$fname.png")" ]
+        then
+          continue
+        fi
+
+        echo "Creating thumbnail for $fname"
+        mkdir -p $(dirname ".thumbnails/$fname")
+        convert -define jpeg:size=200x200 "$fname" -thumbnail 300 -auto-orient ".thumbnails/$fname.png" ||:
+	touch -m -d "$(date -R -r "$fname")" ".thumbnails/$fname.png"
+      done <<< "$images"
+    '';
+
+    serviceConfig = {
+      WorkingDirectory = galleryDir;
+      User = config.services.pvv-nettsiden.user;
+      Group = config.services.pvv-nettsiden.group;
+    };
+  };
+}

hosts/bicep/services/matrix/element.nix

@@ -5,6 +5,7 @@ in {
   services.nginx.virtualHosts."chat.pvv.ntnu.no" = {
     enableACME = true;
     forceSSL = true;
+    kTLS = true;
 
     root = pkgs.element-web.override {
       conf = {

hosts/bicep/services/matrix/smtp-authenticator/smtp_auth_provider.py

@@ -7,6 +7,9 @@ from synapse import module_api
 
 import re
 
+import logging
+logger = logging.getLogger(__name__)
+
 class SMTPAuthProvider:
     def __init__(self, config: dict, api: module_api):
         self.api = api
@@ -43,8 +46,13 @@ class SMTPAuthProvider:
 
         if result == True:
             userid = self.api.get_qualified_user_id(username)
-            if not self.api.check_user_exists(userid):
-                self.api.register_user(username)
+
+            userid = await self.api.check_user_exists(userid)
+            if not userid:
+                logger.info(f"user did not exist, registering {username}")
+                userid = await self.api.register_user(username)
+                logger.info(f"registered userid: {userid}")
             return (userid, None)
         else:
+            logger.info("returning None")
             return None

hosts/bicep/services/matrix/synapse.nix

@@ -134,80 +134,6 @@ in {
         "129.241.0.0/16"
         "2001:700:300::/44"
       ];
-
-      saml2_config = {
-        sp_config.metadata.remote = [
-          { url = "https://idp.pvv.ntnu.no/simplesaml/saml2/idp/metadata.php"; }
-        ];
-
-        description = [ "Matrix Synapse SP" "en" ];
-        name = [ "Matrix Synapse SP" "en" ];
-
-        ui_info = {
-          display_name = [
-            {
-              lang = "en";
-              text = "PVV Matrix login";
-            }
-          ];
-          description = [
-            {
-              lang = "en";
-              text = "Matrix is a modern free and open federated chat protocol";
-            }
-          ];
-          #information_url = [
-          #  {
-          #    lang = "en";
-          #    text = "";
-          #  };
-          #];
-          #privacy_statement_url = [
-          #  {
-          #    lang = "en";
-          #    text = "";
-          #  };
-          #];
-          keywords = [
-            {
-              lang = "en";
-              text = [ "Matrix" "Element" ];
-            }
-          ];
-          #logo = [
-          #  {
-          #    lang = "en";
-          #    text = "";
-          #    width = "";
-          #    height = "";
-          #  }
-          #];
-        };
-
-        organization = {
-          name = "Programvareverkstedet";
-          display_name = [ "Programvareverkstedet" "en" ];
-          url = "https://www.pvv.ntnu.no";
-        };
-        contact_person = [
-          { given_name = "Drift";
-            sur_name = "King";
-            email_adress = [ "drift@pvv.ntnu.no" ];
-            contact_type = "technical";
-          }
-        ];
-
-        user_mapping_provider = {
-          config = {
-            mxid_source_attribute =  "uid"; # What is this supposed to be?
-            mxid_mapping = "hexencode";
-          };
-        };
-
-        #attribute_requirements = [
-        #  {attribute = "userGroup"; value = "medlem";} # Do we have this?
-        #];
-      };
     };
   };
 
@@ -217,6 +143,9 @@ in {
   services.redis.servers."".enable = true;
   
   services.nginx.virtualHosts."matrix.pvv.ntnu.no" = lib.mkMerge [
+  ({
+    kTLS = true;
+  })
   ({
     locations."/.well-known/matrix/server" = {
       return = ''

hosts/bicep/services/nginx/default.nix

@@ -1,15 +1,8 @@
 { config, values, ... }:
 {
-  security.acme = {
-    acceptTerms = true;
-    defaults.email = "danio@pvv.ntnu.no";
-  };
-
   services.nginx = {
     enable = true;
-
     enableReload = true;
-
     defaultListenAddresses = [
       values.hosts.bicep.ipv4
       "[${values.hosts.bicep.ipv6}]"
@@ -18,28 +11,5 @@
       "127.0.0.2"
       "[::1]"
     ];
-
-    appendConfig = ''
-      pcre_jit on;
-      worker_processes 8;
-      worker_rlimit_nofile 8192;
-    '';
-
-    eventsConfig = ''
-      multi_accept on;
-      worker_connections 4096;
-    '';
-
-    recommendedProxySettings = true;
-    recommendedTlsSettings = true;
-    recommendedGzipSettings = true;
-    recommendedBrotliSettings = true;
-    recommendedOptimisation = true;
-  };
-
-  networking.firewall.allowedTCPPorts = [ 80 443 ];
-
-  systemd.services.nginx.serviceConfig = {
-    LimitNOFILE = 65536;
   };
 }

hosts/ildkule/services/metrics/grafana.nix

@@ -91,6 +91,7 @@ in {
   services.nginx.virtualHosts.${cfg.settings.server.domain} = {
     enableACME = true;
     forceSSL = true;
+    kTLS = true;
     locations = {
       "/" = {
         proxyPass = "http://127.0.0.1:${toString cfg.settings.server.http_port}";

hosts/ildkule/services/nginx/default.nix

@@ -1,15 +1,8 @@
 { config, values, ... }:
 {
-  security.acme = {
-    acceptTerms = true;
-    defaults.email = "drift@pvv.ntnu.no";
-  };
-
   services.nginx = {
     enable = true;
-
     enableReload = true;
-
     defaultListenAddresses = [
       values.hosts.ildkule.ipv4
       "[${values.hosts.ildkule.ipv6}]"
@@ -18,12 +11,5 @@
       "127.0.0.2"
       "[::1]"
     ];
-
-    recommendedProxySettings = true;
-    recommendedTlsSettings = true;
-    recommendedGzipSettings = true;
-    recommendedOptimisation = true;
   };
-
-  networking.firewall.allowedTCPPorts = [ 80 443 ];
 }

modules/grzegorz.nix

@@ -24,15 +24,12 @@ in {
   services.grzegorz-webui.hostName = "${config.networking.fqdn}";
   services.grzegorz-webui.apiBase = "http://${toString grg.listenAddr}:${toString grg.listenPort}/api";
 
-  security.acme.acceptTerms = true;
-  security.acme.defaults.email = "pederbs@pvv.ntnu.no";
-
   services.nginx.enable = true;
-  networking.firewall.allowedTCPPorts = [ 80 443 ];
 
   services.nginx.virtualHosts."${config.networking.fqdn}" = {
     forceSSL = true;
     enableACME = true;
+    kTLS = true;
     serverAliases = [
       "${config.networking.hostName}.pvv.org"
     ];

overlays/nginx-test.nix

@@ -0,0 +1,28 @@
+acme-certs: final: prev:
+  let
+    lib = final.lib;
+    crt = "${final.path}/nixos/tests/common/acme/server/acme.test.cert.pem";
+    key = "${final.path}/nixos/tests/common/acme/server/acme.test.key.pem";
+  in {
+  writers = prev.writers // {
+    writeNginxConfig = name: text: final.runCommandLocal name {
+      nginxConfig = prev.writers.writeNginxConfig name text;
+      nativeBuildInputs = [ final.bubblewrap ];
+    } ''
+      ln -s "$nginxConfig" "$out"
+      set +o pipefail
+      bwrap \
+        --ro-bind "${crt}" "/etc/certs/nginx.crt" \
+        --ro-bind "${key}" "/etc/certs/nginx.key" \
+        --ro-bind "/nix" "/nix" \
+        --ro-bind "/etc/hosts" "/etc/hosts" \
+        --dir "/run/nginx" \
+        --dir "/tmp" \
+        --dir "/var/log/nginx" \
+        ${lib.concatMapStrings (name: "--ro-bind \"${crt}\" \"/var/lib/acme/${name}/fullchain.pem\" \\") acme-certs}
+        ${lib.concatMapStrings (name: "--ro-bind \"${key}\" \"/var/lib/acme/${name}/key.pem\" \\") acme-certs}
+        ${lib.concatMapStrings (name: "--ro-bind \"${crt}\" \"/var/lib/acme/${name}/chain.pem\" \\") acme-certs}
+        ${lib.getExe' final.nginx "nginx"} -t -c "$out" |& grep "syntax is ok"
+    '';
+  };
+}

secrets/bekkalokk/bekkalokk.yaml

@@ -15,13 +15,18 @@ mediawiki:
         postgres_password: ENC[AES256_GCM,data:FzykBVtJbA+Bey1GE5VqnSuv2GeobH1j,iv:wayQH3+y0FYFkr3JjmulI53SADk0Ikur/2mUS5kFrTk=,tag:d+nQ/se2bDA5aaQfBicnPQ==,type:str]
         cookie_salt: ENC[AES256_GCM,data:BioRPAvL4F9ORBJDFdqHot81RhVpAOf32v1ah3pvOLq8E88bxGyKFQZxAwpIL3UkWQIsWMnEerm5MEMYL1C2OQ==,iv:yMVqiPTQ8hO1IVAax6PIkD0V9YTOEunwDTtnGcmy6Kc=,tag:Z4+bZF4olLlkx7YpXeQiUw==,type:str]
         admin_password: ENC[AES256_GCM,data:4eUXvcO7NLOWke9XShfKzj+x3FvqPONa,iv:3iZ+BTBTZ7yMJ0HT14cEMebKZattWUcYEevRsl/6WOk=,tag:CU0iDhPP2ndztdX5U5A4cw==,type:str]
-keycloak:
-    database: ENC[AES256_GCM,data:76+AZnNR5EiturTP7BdOCKE90bFFkfGlRtviSP5NHxPbb3RfFPJEMlwtzA==,iv:nS7VTossHdlrHjPeethhX+Ysp9ukrb5JD7kjG28OFpY=,tag:OMpiEv9nQA7v6lWJfNxEEw==,type:str]
 idp:
     cookie_salt: ENC[AES256_GCM,data:cyV6HDCPHKQIa8T1+rFBFh6EuHtG5B508lg6uFYENK7qVpYuiTUIokdVQhY8SRLs2mECx/ampgnUHxCRB/Cc/A==,iv:QRrRUhzRQrLkmg38rrYtCEfF8U4/7ZHZUDSEq++BlbI=,tag:fLqFSLd+CKqJvmCh1fx8vg==,type:str]
     admin_password: ENC[AES256_GCM,data:Vf33Oenk6x6BIij1uW8RQDjTPcKhUVYA,iv:RNeyCNpTAYdBPrZwE3Y6CCjoAML/3XUvjfJCrr06IEU=,tag:zVOrx1oXnEyr/VwFCFaCDQ==,type:str]
     postgres_password: ENC[AES256_GCM,data:HGwKLbn/umPLPgH+qpXtugvXzOcXdlhK,iv:ypTW0VLSape8K5aCYu3BdjG/oMmqvfDSLw9uGLthb0Q=,tag:qlDMGz59qzMwEwBYxsC0XQ==,type:str]
     privatekey: ENC[AES256_GCM,data:pK74wjuk9lt2PNJIzi6NpPBkxcSRsBZJl28BElUiri2zz17CY81x66CMlFsNjvzKB3JVX+b28FHFuSsEpd/mAPtmzZPR+CoWBHvU+OrSYYoufBxexRTtXzu0vx/KFL4X5tsb+GCgfm72CM+u9dElYHJzn3teBUmZc0pIoF29slTuwF+iZrbFwaieECxXMjHC9f+ivxWQsOvYFjhmAwgjBw/LsfURgLxZwcIRiiKsN41P2WtR9a/hjN53sJnihL9VZw/Xbbynm+bDmaAwhKUAZR28TU9Q1PTfNPEAOMoRgKF4MFuhQ5o0Cxq8RRz7fwCcCTV2sK4jgL7gKiy/gI/K41ybPQPon3NrDj3U2G1VhNgBfSNaTHgygiWI08HGWRHk83eJPHp3Ph8/A774g15SE10BXkL12n0kzodsZWYu3ybrhp167vL/ZW3xUnvFFlm4dTX/ndwS5rp1dIW0a5/0EDwMoGIJw94W5ph5sK9YoUTXwLdAJ9UWRZKQGk6iJstq2BMEBAN2BCSPHS2cflMjoVV4KKX1eq6s8/w6YFzCSQkt3+pGQ3DmiOaaqiv7sUfxyfMDzDcuTVETYRhsvr1ChfBFNn1yoH8BffeVTI2Ei3Edek1vXcg05mHxslhCmzQ4U4us0agtpm2Ar6ppvuedJHLWLFz8pgWSENeGdRcbz0CXiy7lIEYW4uQBru4MAjQ+ZQhz/F4L6At60Q4NelYMDxryQ8LxV0fA/ba2llwl8bDHDFDYkxu3/IaaWG8bp1i6gqvEao3/CRpPt/OAJGAHO3HViPm6xmWlWinUEatNlgCoDotkc56eZU/Af/P7R0QPQF0PpEIDHPcNjc/HcfheUXzJSzkD7wja8VB6rtqdRHFC793QsgdHJMJ+/bvJWZSQciSwaY3PBKLLuB6vrn7VD2NB4cE6beaGwneiAn83lAV+I4cJMDQFLkhWm8LIC7JIZKq/7eBfDEmajWEBL6wSbomBi/UGbA+FyvOokYYMemwVu1JGULcz9Lvn6pxkftQlN0gqE3MncrcZ/l59fepbka/z8oqH6i+3nKdaEh6D+WudD/0xiJSdXAVM6jGrxQtFc1R+OmGTTKJB4aLqgcM25YQ760wKavx5+B52pSki7XdYLmb6Xbnnv7AnyCNmGcpcj795P7qasE2sVokqq9a2PZD7VhP9TPHGtEO6QkkNV5gLxGsGvmshMM8KQgjK60HPQuSfHFVN/SlcOKvvH5ec8sBuYUt24xcDPewV9cXZwjcmwufFOVbC72FTEmU5qvmKobJTGjjbhWsHwpopESctmXuArIcVPsX5jSe3C9Y+9tjbkBGW6/+o8pTfodsjioXevVDXwjVBmGYk8xjZtF6/xfhpWvfunDXgEhnpT4i6ikoQiva8Mw8NvLe8U8Ivr6qCDE4ys4RTs56aw/CJHzydKjX96ZPzim52fAIJvEt1HvMvQx/O/q00h0WujYBcSBivYDtl7hC2fl6pBvM7fjipbeF04idkAKKXf4j6SGunx4hWq+eIA5tnlG8XVZZKIpdXKLgarvWs5pLlTSAK5ckF/yddcik7gAZc+pwo8kCAXIXPisX/yw9cZhI51PNTG1yxtPHAWKgULYLoWcnBCGTmPVXmj6IhpGuNuQ18TTpEtwnrMmcGq6aG/M2ZI+oq0q6suJUWwsCKUVM/TS6SKXEArzDtOMdXgyyDC/H3u+w3Bt/DwALLacq6lwoKBJZxQ6ewv3+ZkLcOkMRKu97hgV+rKmFqdPXqs+Skrf2MRl48sUCPIUXhD46ocFNpemcXcr73G7AxmmFLT6T4ZFm69K6eftUP6FsgUwbed+SaWTeptaG+wueL1NECoXafGlJAmXkjbBdWVgF2oMQFP3Kau135fiqmHpoWGzG5UhKxshTTtRIvbG/296NOkNZWBT/VzjwZti3IUka7HjC3leu28IlLsN0fsNPjQc2uIR3uVsR020g6et0m/Nys9gHDWXG/aCAYKhrgU8w37ZHBs383rkl4uUIYJH61SmTS4JP/wgh/+Q1aU8gXaZ8/Bc0BZUJdF3JR48fjkuMi2A8q5vkTQ1yFCvbBTtdg336v5tZc/xOW5/pt0W1Y7IgPFwHNh4iPAtKQZ3Qybh5PXs4N80YeYFWIjV6Ai0uY4yPdwYPfd1pRdpf3Ll+bhnbDPg0ye4f9lAhSR/cAZpft7BTd6W6jCv8QfWZcDmoBGZy68GZsYfCJ3QAo6szxzDtuyp7WMJRxioPt1EVA9q+8Rp7hHmZosoZOIUV+q3W5yZymL/PXZABiIc2OW9kryNlxQlBo79CSLGdXWeMq3dN1MSWoKJzxEseQqtSY5E1DYQosT1+3B8DXm77WSLMuB6OLjEz760y8jyIiLTGAVslcOb5XNfrQf5+l52nxCl/uSZo9FxiKg7ip0v3PZLuFSTSEaR2R2WeSuv/KoXi7WxFiG6VskpyL5jMhBwjepExFVosrOi4XugqR8vD3byTYUnmQvWJyyrI2LqQsYsa3o65SIO4g8SMKRsJJ8WWHpywLjF00HJSWiGRu8bQguvDTQd3UP6lgudzpubERXuUIBiMPqBKFJ1QTWA6N/t7dxR7NVaSexrGmY4ZSoIBKb9Jnge/+lkKrO9CgqDQpTAAvwwBZpFOV7EYLZNRpW+F8HaCNMeql7V/nFqdaaNdm9yLBhXbaeujalyiLtvBCghe330JVjbBTYWiRulJ2xnlX4GLzORBRIVHJYjxEKzCeVW7J2wAKkJ6gx5rlfDOd6r+Tf+1L8ZZoJEdBhIW7flslxo4amGRTI9QGJKVCIq/hrUGEgIAKsDsqTd21lVdhy+EDM+gumO7FbMcqVPRpwmQMFAZbJgH6TeS46tA4XQJGbwQhhBaqVb3jz7OJVOZ9C3/XfxPPpK4B2OyqINKNIRfyZ0fSmGlIT4LPf2IUEDCEKuPd3ClX51qNnVAPt/MbooF++Vp91KImdqCHwdiAygZTH9u91UN8S9IW8vo0XE4eAgdInjOM+IzUPhC+G8i6UNHbOpfQ7dntDc2nCv4nFKLjLZrgpm2kFrQ60/gDlbXBFF2eRcfYkSQSxVLWC4kWF1ce9YZf/j6erm6GnsQiyNoePe/Nb0v2f5DAR+9yoSJEOAi/AHacA9Dq5kfcoOYCrLkoc17SKQYmy/M9m5Mh3inI/O4wbUQrYDKHT0j77BJnkY11M6AiEF9YC0F4lCV4hIefQ3PnI4nmmo9b8rHnqvmrwUZrcOom6Zp+A7ydo4t0Bw1cDzEwJfpcb3JjpFi7F32/vHHLtGuPDvcJqkhw8VLuaAWAcEPJcIHJ+vAKCGWtDH7yQEOhFq4touwyPYDWBA5tqPY2xkFIAImFRhyLtTQupiNbZVR4G4dj24l8uQl2iz9aoDbJlNhoT+9YhwrKrYdM6hqnvpmiYqLIM+2kijZ8JmBS0BWNLCr+6rnbZbEB5e1ezokice8HQ1XcXbsegcI+eJ+gfDhYKw75VVyOd1Uy/pjLCCwQTywTIbf3iSuETvs3YjQrET1m7GJm3q8G4dx2M9c2B7R6B0ej06pkC4WwzFg3hEG6z2BaNrkopKkoE99bjoB2VHkgGTe+YM1Q3t+jA8IB7XNlnVH82AJ6eDMqgGSWBZiGxwx0KVUMg7cTi0iD6JNSYea0ykw+fh7Mj+8N0zhmzdUjdNBwZqxHVUbqIhUhk6meGRN5EASyt6qR329AqzbKaloS2VqjLjDkSEMhQfL4jHa8yPp8Cyj6EjgM2n5LnZs0u/43eh0h4ig3zQYMkwrHixI5hNQTBwSm3QnNpr3OnXAlypCPbCTiMC5sxHfrSTFkmjduT29aZ5qHQOc5zYG5bE2CmhWJdCOZm1s1mUT+Pxbxf4m/sh8w7TwnA+leD1rUvwYfyl5WI8f071vPcg62uTwScxr+TErvdzAkg9HElnsO6km0IncHIh79zexCR51CrtrZAVxc1gnnDtTLsaKmcEDkqIY4U2cUv+1CtPWz7IfKea9B56x+bFY32pwqYeXCHdDVfBGSMuM7mqZUBu+3jETSbglozYrukbgjftdWob3s/hR0WB0lH9uwkugfoGVonasPkmPvBhuvozkCLvP9aplqwUoL74D4JhHFLciPvV+Cmw5ag1WtErB89Oimm3tnOpynCJwZTQM+NVgBtKjom0qOnyn7l0vYIKQFJwV2k5w+RfrX5EOOjFfg9D2u+gHgmrqzaSl6kk2dHlQYmfeP+nJxiH7eGO5D3ooYHp7JKZBAaJHcAWWpgqVL/L8pjSJLCPRGBF/5DnfggwFdNprl3LqYnr4io+Wp4+Du74uvQHNpojrUQ4j7Qp330rSbCK9iX5v14zYr6RlqKe5CtTqHjPzuL8CxFUI1ImHgViNpff4=,iv:8cb1FcIm0oGkcrfLNqXamx4aDA3owBZoHur8+uFsdmA=,tag:oFPP/Yene6QrxFDKlmoVcA==,type:str]
+nettsiden:
+    mysql_password: ENC[AES256_GCM,data:Uv74HhWtYRbaFHcfh0Rk/Q==,iv:/lRTaMepwpJKZJWHnwb98Ywa1zP4e2EqYGmwI7BCl1I=,tag:ZnE0u2/65zdkONcoiBGSOQ==,type:str]
+    door_secret: ENC[AES256_GCM,data:t0jEN1WnyEi10KRSg4Dlcd7IuIMBiOU7riOdYSZjvZTQqPijRYIoMEQ6OemIkD1Yg67uISTxnjxP,iv:Ss02VGKRa4oZMubbi8IfQDAjh3h295+n07vOx/IZGBs=,tag:OvdxqIUdYi/cR7IjopSVQQ==,type:str]
+    simplesamlphp:
+        postgres_password: ENC[AES256_GCM,data:SvbrdHF4vQ94DgoEfy67QS5oziAsMT8H,iv:LOHBqMecA6mgV3NMfmfTh3zDGiDve+t3+uaO53dIxt4=,tag:9ffz84ozIqytNdGB1COMhA==,type:str]
+        cookie_salt: ENC[AES256_GCM,data:VmODSLOP1YDBrpHdk/49qx9BS+aveEYDQ1D24d4zCi06kZsCENCr+vdPAnTeM1pw98RTr3yZAEQTh4s90b6v8Q==,iv:vRClu6neyYPFdtD63kjnvK2iNOIHMbh+9qEGph7CI60=,tag:66fgppVxY0egs4+9XfDBPA==,type:str]
+        admin_password: ENC[AES256_GCM,data:SADr/zN3F0tW339kSK1nD9Pb38rw7hz8,iv:s5jgl1djXd5JKwx1WG/w2Q4STMMpjJP91qxOwAoNcL0=,tag:N8bKnO9N0ei06HDkSGt6XQ==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -55,8 +60,8 @@ sops:
             akVjeTNTeGorZjJQOVlMeCtPRUVYL3MK+VMvGxrbzGz4Q3sdaDDWjal+OiK+JYKX
             GHiMXVHQJZu/RrlxMjHKN6V3iaqxZpuvLAEJ2Lzy5EOHPtuiiRyeHQ==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-03-30T21:22:02Z"
-    mac: ENC[AES256_GCM,data:o3buZqOYZXiNyJ7zDtaBDFwbtP5i0QNvHxVVxtVWdLdRASVmau/ZXdQ8MNsExe6gUF4dS6Sv7QYXRfUO7ccmUDP4zABlIOcxjwsRTs5lE45S6pVIB98OIAODHdyl6LVsgxEkhdPmSoYRjLIWO56KlKArxPQGiprCI7AIBe6DYik=,iv:sAEeBMuJ8JwI3STZuy4miZhXA9Lopbof+3aaprtWVJ4=,tag:LBIRH7KwZ0CuuXuioVL10Q==,type:str]
+    lastmodified: "2024-04-14T21:58:31Z"
+    mac: ENC[AES256_GCM,data:+o7YvaaKTjN/uZT5mv3z9FgIbXwG4NPJePWwRmtkBINn9X+vrCmYOXqWhKw7qfInn4Ftcg0FA7cYFZe5Pv8MNp+f8v1yoiLrVX12cxmEYtqTXJz7pNeD2st1YjGJKihNi2/fyCCf4YBCGN+8Ze//HeVf7/tfWNB+ysyC9g9Tze4=,iv:C6XBCVXn8GuNeaWGdJRnUIh1us0i8fSoxu9Sx7Feb58=,tag:W0RLPPv7eP5kCNrhMG3z7A==,type:str]
     pgp:
         - created_at: "2023-05-21T00:28:40Z"
           enc: |