Drift/pvv-nixos-config
Drift
/
pvv-nixos-config
16
4
Fork 1
Code Issues Pull Requests 6 Wiki Activity

Compare commits

base: Drift:fda9cc2795112b33d5e6fd92dc21eb87310fe280
Branches Tags
Drift:main
Drift:init-bakke
Drift:hookshot
Drift:disable-postgres-on-bekkalokk
Drift:sleipner-authorised-keys
Drift:pvvvvv
Drift:sounding
Drift:retain-flake-inputs
Drift:openstack-image-builder
Drift:elysium
Drift:cleanup
Drift:fix-openstack-networking
Drift:systemd_exporter
Drift:backup-databases
Drift:smartd-notifs
Drift:systemd-journald-remote
Drift:skrot
Drift:deploy-doorbell
Drift:misc-gitea-fixes
Drift:run-vm
Drift:spotifyd
Drift:remote
Drift:nix-topology
Drift:dagali-heimdal-openldap-sasl-stack
Drift:setup-bikkje-login
Drift:ozai-prod
Drift:add-bluemap
Drift:ozai
Drift:setup-postfix-for-service-machines
Drift:fix-gitea-ci-runner-network-issues
Drift:heimdal-openldap-sasl-testing-on-salsa-on-buskerud
Drift:gitea-metrics
Drift:misc1
Drift:add-simple-saml-theme
Drift:misc-extra-gitea-setup
Drift:add-skrott
Drift:setup-kerberos
Drift:setup-home-areas
Drift:setup-openvpn-tunnel
Drift:shark-kanidm
Drift:prometheusexim
..
compare: Drift:18448c183ebbbdc72374294ae57a5d5337a0599c
Branches Tags
Drift:main
Drift:init-bakke
Drift:hookshot
Drift:disable-postgres-on-bekkalokk
Drift:sleipner-authorised-keys
Drift:pvvvvv
Drift:sounding
Drift:retain-flake-inputs
Drift:openstack-image-builder
Drift:elysium
Drift:cleanup
Drift:fix-openstack-networking
Drift:systemd_exporter
Drift:backup-databases
Drift:smartd-notifs
Drift:systemd-journald-remote
Drift:skrot
Drift:deploy-doorbell
Drift:misc-gitea-fixes
Drift:run-vm
Drift:spotifyd
Drift:remote
Drift:nix-topology
Drift:dagali-heimdal-openldap-sasl-stack
Drift:setup-bikkje-login
Drift:ozai-prod
Drift:add-bluemap
Drift:ozai
Drift:setup-postfix-for-service-machines
Drift:fix-gitea-ci-runner-network-issues
Drift:heimdal-openldap-sasl-testing-on-salsa-on-buskerud
Drift:gitea-metrics
Drift:misc1
Drift:add-simple-saml-theme
Drift:misc-extra-gitea-setup
Drift:add-skrott
Drift:setup-kerberos
Drift:setup-home-areas
Drift:setup-openvpn-tunnel
Drift:shark-kanidm
Drift:prometheusexim

No commits in common. "fda9cc2795112b33d5e6fd92dc21eb87310fe280" and "18448c183ebbbdc72374294ae57a5d5337a0599c" have entirely different histories.
fda9cc2795 ... 18448c183e

13 changed files with 277 additions and 384 deletions
Show Stats Expand all files Collapse all files

205
hosts/bekkalokk/services/idp-simplesamlphp/authpwauth.php
View File

@ -6,129 +6,110 @@
* @author Yorn de Jong
* @package simpleSAMLphp
*/
class sspmod_authpwauth_Auth_Source_PwAuth extends sspmod_core_Auth_UserPassBase {
namespace SimpleSAML\Module\authpwauth\Auth\Source;
protected $pwauth_bin_path;
protected $mail_domain;
class PwAuth extends \SimpleSAML\Module\core\Auth\UserPassBase
{
protected $pwauth_bin_path;
protected $mail_domain;
public function __construct($info, $config) {
assert('is_array($info)');
assert('is_array($config)');
public function __construct(array $info, array &$config) {
assert('is_array($info)');
assert('is_array($config)');
/* Call the parent constructor first, as required by the interface. */
parent::__construct($info, $config);
/* Call the parent constructor first, as required by the interface. */
parent::__construct($info, $config);
$this->pwauth_bin_path = $config['pwauth_bin_path'];
if (array_key_exists('mail_domain', $config)) {
$this->mail_domain = '@' . ltrim($config['mail_domain'], '@');
}
}
$this->pwauth_bin_path = $config['pwauth_bin_path'];
if (array_key_exists('mail_domain', $config)) {
$this->mail_domain = '@' . ltrim($config['mail_domain'], '@');
}
}
public function login($username, $password) {
$username = strtolower( $username );
public function login(string $username, string $password): array {
$username = strtolower( $username );
$handle = popen($this->pwauth_bin_path, 'w');
if ($handle === FALSE) {
die("Error opening pipe to pwauth");
return false;
}
if (!file_exists($this->pwauth_bin_path)) {
die("Could not find pwauth binary");
return false;
}
$data = "$username\n$password\n";
if (fwrite($handle, $data) !== strlen($data)) {
die("Error writing to pwauth pipe");
return false;
}
if (!is_executable($this->pwauth_bin_path)) {
die("pwauth binary is not executable");
return false;
}
# Is the password valid?
$result = pclose( $handle );
if ($result !== 0) {
if (!in_array($result, [1, 2, 3, 4, 5, 6, 7], true)) {
die("pwauth returned $result for username $username");
}
throw new SimpleSAML_Error_Error('WRONGUSERPASS');
}
/*
$ldap = ldap_connect('129.241.210.159', 389);
ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_start_tls($ldap);
ldap_bind($ldap, 'passordendrer@pvv.ntnu.no', 'Oi7aekoh');
$search = ldap_search($ldap, 'DC=pvv,DC=ntnu,DC=no', '(sAMAccountName='.ldap_escape($username, '', LDAP_ESCAPE_FILTER).')');
$entry = ldap_first_entry($ldap, $search);
$dn = ldap_get_dn($ldap, $entry);
$newpassword = mb_convert_encoding("\"$password\"", 'UTF-16LE', 'UTF-8');
ldap_modify_batch($ldap, $dn, [
#[
# 'modtype' => LDAP_MODIFY_BATCH_REMOVE,
# 'attrib' => 'unicodePwd',
# 'values' => [$password],
#],
[
#'modtype' => LDAP_MODIFY_BATCH_ADD,
'modtype' => LDAP_MODIFY_BATCH_REPLACE,
'attrib' => 'unicodePwd',
'values' => [$newpassword],
],
]);
*/
$handle = popen($this->pwauth_bin_path, 'w');
if ($handle === FALSE) {
die("Error opening pipe to pwauth");
return false;
}
$data = "$username\n$password\n";
if (fwrite($handle, $data) !== strlen($data)) {
die("Error writing to pwauth pipe");
return false;
}
# Is the password valid?
$result = pclose( $handle );
if ($result !== 0) {
if (!in_array($result, [1, 2, 3, 4, 5, 6, 7], true)) {
die("pwauth returned $result for username $username");
}
throw new \SimpleSAML\Error\Error('WRONGUSERPASS');
}
/*
$ldap = ldap_connect('129.241.210.159', 389);
ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_start_tls($ldap);
ldap_bind($ldap, 'passordendrer@pvv.ntnu.no', 'Oi7aekoh');
$search = ldap_search($ldap, 'DC=pvv,DC=ntnu,DC=no', '(sAMAccountName='.ldap_escape($username, '', LDAP_ESCAPE_FILTER).')');
$entry = ldap_first_entry($ldap, $search);
$dn = ldap_get_dn($ldap, $entry);
$newpassword = mb_convert_encoding("\"$password\"", 'UTF-16LE', 'UTF-8');
ldap_modify_batch($ldap, $dn, [
#[
# 'modtype' => LDAP_MODIFY_BATCH_REMOVE,
# 'attrib' => 'unicodePwd',
# 'values' => [$password],
#],
[
#'modtype' => LDAP_MODIFY_BATCH_ADD,
'modtype' => LDAP_MODIFY_BATCH_REPLACE,
'attrib' => 'unicodePwd',
'values' => [$newpassword],
],
]);
*/
#0 - Login OK.
#1 - Nonexistant login or (for some configurations) incorrect password.
#2 - Incorrect password (for some configurations).
#3 - Uid number is below MIN_UNIX_UID value configured in config.h.
#4 - Login ID has expired.
#5 - Login's password has expired.
#6 - Logins to system have been turned off (usually by /etc/nologin file).
#7 - Limit on number of bad logins exceeded.
#50 - pwauth was not run with real uid SERVER_UID. If you get this
# this error code, you probably have SERVER_UID set incorrectly
# in pwauth's config.h file.
#51 - pwauth was not given a login & password to check. The means
# the passing of data from mod_auth_external to pwauth is messed
# up. Most likely one is trying to pass data via environment
# variables, while the other is trying to pass data via a pipe.
#52 - one of several possible internal errors occured.
#0 - Login OK.
#1 - Nonexistant login or (for some configurations) incorrect password.
#2 - Incorrect password (for some configurations).
#3 - Uid number is below MIN_UNIX_UID value configured in config.h.
#4 - Login ID has expired.
#5 - Login's password has expired.
#6 - Logins to system have been turned off (usually by /etc/nologin file).
#7 - Limit on number of bad logins exceeded.
#50 - pwauth was not run with real uid SERVER_UID. If you get this
# this error code, you probably have SERVER_UID set incorrectly
# in pwauth's config.h file.
#51 - pwauth was not given a login & password to check. The means
# the passing of data from mod_auth_external to pwauth is messed
# up. Most likely one is trying to pass data via environment
# variables, while the other is trying to pass data via a pipe.
#52 - one of several possible internal errors occured.
$uid = $username;
# TODO: Reinstate this code once passwd is working...
/*
$cn = trim(shell_exec('getent passwd '.escapeshellarg($uid).' | cut -d: -f5 | cut -d, -f1'));
$uid = $username;
$cn = trim(shell_exec('getent passwd '.escapeshellarg($uid).' | cut -d: -f5 | cut -d, -f1'));
$groups = preg_split('_\\s_', shell_exec('groups '.escapeshellarg($uid)));
array_shift($groups);
array_shift($groups);
array_pop($groups);
$groups = preg_split('_\\s_', shell_exec('groups '.escapeshellarg($uid)));
array_shift($groups);
array_shift($groups);
array_pop($groups);
$info = posix_getpwnam($uid);
$group = $info['gid'];
if (!in_array($group, $groups)) {
$groups[] = $group;
}
*/
$cn = "Unknown McUnknown";
$groups = array();
$result = array(
'uid' => array($uid),
'cn' => array($cn),
'group' => $groups,
);
if (isset($this->mail_domain)) {
$result['mail'] = array($uid.$this->mail_domain);
}
return $result;
}
$info = posix_getpwnam($uid);
$group = $info['gid'];
if (!in_array($group, $groups)) {
$groups[] = $group;
}
$result = array(
'uid' => array($uid),
'cn' => array($cn),
'group' => $groups,
);
if (isset($this->mail_domain)) {
$result['mail'] = array($uid.$this->mail_domain);
}
return $result;
}
}

11
hosts/bekkalokk/services/idp-simplesamlphp/authsources.php Normal file
View File

@ -0,0 +1,11 @@
<?php
$config = array(
/* This is the name of this authentication source, and will be used to access it later. */
'default-sp' => array(
'saml:SP',
# 'entityID' => 'https://wiki.pvv.ntnu.no/',
'entityID' => 'https://bekkalokk.pvv.ntnu.no/',
'idp' => 'https://idp.pvv.ntnu.no/',
),
);

9
hosts/bekkalokk/services/idp-simplesamlphp/config.php
View File

@ -31,7 +31,7 @@ $config = [
* external url, no matter where you come from (direct access or via the
* reverse proxy).
*/
'baseurlpath' => '/',
'baseurlpath' => 'simplesaml/',
/*
* The 'application' configuration array groups a set configuration options
@ -66,7 +66,7 @@ $config = [
* When specified as a relative path, this is relative to the SimpleSAMLphp
* root directory.
*/
'cachedir' => '$CACHE_DIRECTORY',
'cachedir' => '/var/cache/mediawiki/simplesamlphp',
//'loggingdir' => '/var/log/',
//'datadir' => '/var/data/',
@ -532,7 +532,7 @@ $config = [
* one of the functionalities below, but in some cases you could run multiple functionalities.
* In example when you are setting up a federation bridge.
*/
'enable.saml20-idp' => true,
'enable.saml20-idp' => false,
'enable.adfs-idp' => false,
@ -555,7 +555,6 @@ $config = [
'module.enable' => [
'admin' => true,
'authpwauth' => true,
],
@ -1195,7 +1194,7 @@ $config = [
* See http://www.php.net/manual/en/pdo.drivers.php for the various
* syntaxes.
*/
'store.sql.dsn' => 'sqlite:$STATE_DIRECTORY/simplesamlphp.sqlite3',
'store.sql.dsn' => 'sqlite:/var/lib/mediawiki/simplesamlphp.sqlite3',
/*
* The username and password to use when connecting to the database.

232
hosts/bekkalokk/services/idp-simplesamlphp/default.nix
View File

@ -2,7 +2,6 @@
let
pwAuthScript = pkgs.writeShellApplication {
name = "pwauth";
runtimeInputs = with pkgs; [ coreutils heimdal ];
text = ''
read -r user1
user2="$(echo -n "$user1" | tr -c -d '0123456789abcdefghijklmnopqrstuvwxyz')"
@ -11,181 +10,86 @@ let
read -r _
exit 2
fi
# kinit --password-file=STDIN "''${user1}@PVV.NTNU.NO" >/dev/null 2>/dev/null
kinit --password-file=STDIN "''${user1}@PVV.NTNU.NO"
${pkgs.heimdal}/bin/kinit --password-file=STDIN "''${user1}@PVV.NTNU.NO" >/dev/null 2>/dev/null
'';
};
package = pkgs.simplesamlphp.override {
extra_files = {
# NOTE: Using self signed certificate created 30. march 2024, with command:
# openssl req -newkey rsa:4096 -new -x509 -days 365 -nodes -out idp.crt -keyout idp.pem
"metadata/saml20-idp-hosted.php" = pkgs.writeText "saml20-idp-remote.php" ''
<?php
$metadata['https://idp2.pvv.ntnu.no/'] = array(
'host' => '__DEFAULT__',
'privatekey' => '${config.sops.secrets."idp/privatekey".path}',
'certificate' => '${./idp.crt}',
'auth' => 'pwauth',
);
?>
'';
package = (pkgs.simplesamlphp.override {
authsourcesFile = pkgs.writeText "idp-authsources.php" ''
<?php
$config = array(
'pwauth' => array(
'authpwauth:PwAuth',
'pwauth_bin_path' => '${pwAuthScript}/bin/pwauth',
'mail_domain' => '@pvv.ntnu.no',
),
);
'';
saml20-idp-remoteFile = pkgs.writeText "saml20-idp-remote.php" '''';
configFile = pkgs.runCommandLocal "simplesamlphp-config.php" { } ''
cp ${./config.php} "$out"
"metadata/saml20-sp-remote.php" = pkgs.writeText "saml20-sp-remote.php" ''
<?php
${ lib.pipe config.services.idp.sp-remote-metadata [
(map (url: ''
$metadata['${url}'] = [
'SingleLogoutService' => [
[
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
'Location' => '${url}module.php/saml/sp/saml2-logout.php/default-sp',
],
[
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:SOAP',
'Location' => '${url}module.php/saml/sp/saml2-logout.php/default-sp',
],
],
'AssertionConsumerService' => [
[
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
'Location' => '${url}module.php/saml/sp/saml2-acs.php/default-sp',
'index' => 0,
],
[
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact',
'Location' => '${url}module.php/saml/sp/saml2-acs.php/default-sp',
'index' => 1,
],
],
];
''))
(lib.concatStringsSep "\n")
]}
?>
'';
"config/authsources.php" = pkgs.writeText "idp-authsources.php" ''
<?php
$config = array(
'admin' => array(
'core:AdminPassword'
),
'pwauth' => array(
'authpwauth:PwAuth',
'pwauth_bin_path' => '${lib.getExe pwAuthScript}',
'mail_domain' => '@pvv.ntnu.no',
),
);
?>
'';
"config/config.php" = pkgs.runCommandLocal "simplesamlphp-config.php" { } ''
cp ${./config.php} "$out"
substituteInPlace "$out" \
--replace '$SAML_COOKIE_SECURE' 'true' \
--replace '$SAML_COOKIE_SALT' '"asdfasdfasjdf"' \
--replace '$SAML_ADMIN_PASSWORD' '"asdfasdfasdf"' \
--replace '$SAML_TRUSTED_DOMAINS' 'array( "idp2.pvv.ntnu.no" )' \
--replace '$STATE_DIRECTORY' '/var/lib/idp' \
--replace '$CACHE_DIRECTORY' '/var/cache/idp'
'';
"modules/authpwauth/src/Auth/Source/PwAuth.php" = ./authpwauth.php;
};
};
substituteInPlace "$out" \
--replace '$SAML_COOKIE_SECURE' 'true' \
--replace '$SAML_COOKIE_SALT' '"asdfasdfasjdf"' \
--replace '$SAML_ADMIN_PASSWORD' '"asdfasdfasdf"' \
--replace '$SAML_TRUSTED_DOMAINS' 'array( "idp2.pvv.ntnu.no" )'
'';
}).overrideAttrs (prev: {
postInstall = prev.postInstall + ''
install -Dm444 "${./authpwauth.php}" $out/share/php/simplesamlphp/modules/authpwauth/lib/Auth/Source/PwAuth.php
'';
});
in
{
options.services.idp.sp-remote-metadata = lib.mkOption {
type = with lib.types; listOf str;
default = [ ];
description = ''
List of urls point to (simplesamlphp) service profiders, which the idp should trust.
:::{.note}
Make sure the url ends with a `/`
:::
'';
users.groups."idp" = { };
users.users."idp" = {
description = "PVV Identity Provider Service User";
group = "idp";
createHome = false;
isSystemUser = true;
};
config = {
sops.secrets = {
"idp/certificate" = {
owner = "idp";
group = "idp";
mode = "0770";
};
"idp/privatekey" = {
owner = "idp";
group = "idp";
mode = "0770";
};
services.phpfpm.pools.idp = {
user = "idp";
group = "idp";
settings = let
listenUser = config.services.nginx.user;
listenGroup = config.services.nginx.group;
in {
"pm" = "dynamic";
"pm.max_children" = 32;
"pm.max_requests" = 500;
"pm.start_servers" = 2;
"pm.min_spare_servers" = 2;
"pm.max_spare_servers" = 4;
"listen.owner" = listenUser;
"listen.group" = listenGroup;
"catch_workers_output" = true;
"php_admin_flag[log_errors]" = true;
# "php_admin_value[error_log]" = "stderr";
};
};
users.groups."idp" = { };
users.users."idp" = {
description = "PVV Identity Provider Service User";
group = "idp";
createHome = false;
isSystemUser = true;
};
services.nginx.virtualHosts."idp2.pvv.ntnu.no" = {
forceSSL = true;
enableACME = true;
root = "${package}/share/php/simplesamlphp/public";
locations = {
"/".index = "index.php";
systemd.tmpfiles.settings."10-idp" = {
"/var/cache/idp".d = {
user = "idp";
group = "idp";
mode = "0770";
};
"/var/lib/idp".d = {
user = "idp";
group = "idp";
mode = "0770";
};
};
# fastcgi_split_path_info ^(.+\.php)(/.+)$;
"~ /(.+\\.php)" = {
extraConfig = ''
fastcgi_index index.php;
fastcgi_pass unix:${config.services.phpfpm.pools.idp.socket};
include ${pkgs.nginx}/conf/fastcgi_params;
include ${pkgs.nginx}/conf/fastcgi.conf;
services.phpfpm.pools.idp = {
user = "idp";
group = "idp";
settings = let
listenUser = config.services.nginx.user;
listenGroup = config.services.nginx.group;
in {
"pm" = "dynamic";
"pm.max_children" = 32;
"pm.max_requests" = 500;
"pm.start_servers" = 2;
"pm.min_spare_servers" = 2;
"pm.max_spare_servers" = 4;
"listen.owner" = listenUser;
"listen.group" = listenGroup;
"catch_workers_output" = true;
"php_admin_flag[log_errors]" = true;
# "php_admin_value[error_log]" = "stderr";
};
};
services.nginx.virtualHosts."idp2.pvv.ntnu.no" = {
forceSSL = true;
enableACME = true;
root = "${package}/share/php/simplesamlphp/public";
locations = {
# based on https://simplesamlphp.org/docs/stable/simplesamlphp-install.html#configuring-nginx
"/" = {
alias = "${package}/share/php/simplesamlphp/public/";
index = "index.php";
extraConfig = ''
location ~ ^/(?<phpfile>.+?\.php)(?<pathinfo>/.*)?$ {
include ${pkgs.nginx}/conf/fastcgi_params;
fastcgi_pass unix:${config.services.phpfpm.pools.idp.socket};
fastcgi_param SCRIPT_FILENAME ${package}/share/php/simplesamlphp/public/$phpfile;
fastcgi_param SCRIPT_NAME /$phpfile;
fastcgi_param PATH_INFO $pathinfo if_not_empty;
}
'';
};
fastcgi_param SCRIPT_FILENAME ${package}/share/php/simplesamlphp/public/$request_filename;
fastcgi_param SCRIPT_NAME $request_filename;
'';
};
};
};

33
hosts/bekkalokk/services/idp-simplesamlphp/idp.crt
View File

@ -1,33 +0,0 @@
-----BEGIN CERTIFICATE-----
MIIFqTCCA5GgAwIBAgIUL2+PMM9rE9wI5W2yNnJ2CmfGxh0wDQYJKoZIhvcNAQEL
BQAwZDELMAkGA1UEBhMCTk8xEzARBgNVBAgMClNvbWUtU3RhdGUxHjAcBgNVBAoM
FVByb2dyYW12YXJldmVya3N0ZWRldDEgMB4GCSqGSIb3DQEJARYRZHJpZnRAcHZ2
Lm50bnUubm8wHhcNMjQwMzMwMDAyNjQ0WhcNMjUwMzMwMDAyNjQ0WjBkMQswCQYD
VQQGEwJOTzETMBEGA1UECAwKU29tZS1TdGF0ZTEeMBwGA1UECgwVUHJvZ3JhbXZh
cmV2ZXJrc3RlZGV0MSAwHgYJKoZIhvcNAQkBFhFkcmlmdEBwdnYubnRudS5ubzCC
AiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAL/0l0jdV+PoVxdd21F+2NLm
JN6sZmSJexOSk/sFjhhF4WMtjOfDAQYjt3hlLPyYl//jCe9WteavvtdCx1tHJitd
xjOUJ/leVjHzBttCVZR+iTlQtpsZ2TbRMJ5Fcfl82njlPecV4umJvnnFXawE4Qee
dE2OM8ODjjrK1cNaHR74tyZCwmdOxNHXZ7RN22p9kZjLD18LQyNr5igaDBeaZkyk
Gxbg4tbP51x9JFRLF7kUlyAc83geFnw6v/wBahr49m/X4y7xE0rdPb2L0moUjmOO
Zyl3hvxMI3+g/0FVMM5eKmfIIP2rIVEAa6MWMx0vPjC6h2fIyxkUqg5C8aFlpqav
+8f2rUc+JfdiFsIZNrylBXsleGzS+/wY1uB/pAy5Vg9WCp+eC75EtWMt0k2f442G
rhKa3lAZ6GIYrtEiQiNGM1aT1Cs1nqTtslfnHiuAKBefLjCXgq9uvL2yRodwe9/m
oZiqYnLHy/v1xfnF5rKTcRmOleU3tc+nlN6tZSGC1nZgMpqpoqdcbJXAkvaJ2Km4
sl0YS28VQnztgzuVPNdnv8lcS6HmkaGaNWbepKgWeaH5oT7O6u99wZIv88m+tf5m
Eu197YVpcclnojQCYKauWcQFsXS20egsVP87Qk0e2SHmGTUQp6YEYX6RLjkg7/vS
BelDBbCldraNVEiC0jmpAgMBAAGjUzBRMB0GA1UdDgQWBBSL0yofG5NEmzFIRuqC
xmyiuZW6DTAfBgNVHSMEGDAWgBSL0yofG5NEmzFIRuqCxmyiuZW6DTAPBgNVHRMB
Af8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4ICAQAZZVs7BLk/NLq3f4Ik8qH3IoDN
2m4XXRZS+xxw5RwctgSnik7AffgAfv8QQm2co8UYkHbB0whaG1PDz+L7wB1hVkWn
DVUaJcKQnn0x+sNU5LoTbjI0PlaST7PO5D0OMFab8FSNxpzzpbUcgZUhelc99Ri/
2Gh8mf4b3Y3Uzq6YKFsuFM65OuJhH8f1w6onai9x28t6tERHUSUfJ2keXzU4ytCV
EitWXwhe759VLqmdP4BATwlCOCuwa5aDeGcWRIqFpYIn0SOAmVV3o4V71JdZc1jE
fuOo/PbiHZ+R9ZGbh98aMidb0moL1ZDhmir9KbedezNyki6JJ72mVclhLqUajFxr
T39FXd5e2+QBMHPPhVFznQoHWnHEbZigTt61b0cg/TsxaxOkF4Ilmr/2DmSWysWK
TF5eq8hp6/53qVbXXSzrCjxd3wzGnRabsEVPX/L2hYDx81hluovJQCtskqTq1joI
W2R7AO5Sdyc6NfOR85kl0HXzHa+0Slsf8ZDs5nCz/mOOPoAGl7IxF7xQ6kPO7V+U
HdGE2tkblM/TrAObJH0HXySeJGI7Vfya+D1Y8IqGtyZtWyx1DmlA/OezGGf5D3rG
88LywHQQ2mQ+8aosBTE4+HQ+apLKZBprqQKuiDjT1RSUbfUHQkYuL+D1oIVmklAc
UxTpf01QJnZkMqf5NQ==
-----END CERTIFICATE-----

22
hosts/bekkalokk/services/idp-simplesamlphp/metadata.php.nix
View File

@ -1,22 +0,0 @@
''
<?php
$metadata['https://idp2.pvv.ntnu.no/'] = [
'metadata-set' => 'saml20-idp-hosted',
'entityid' => 'https://idp2.pvv.ntnu.no/',
'SingleSignOnService' => [
[
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
'Location' => 'https://idp2.pvv.ntnu.no/module.php/saml/idp/singleSignOnService',
],
],
'SingleLogoutService' => [
[
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
'Location' => 'https://idp2.pvv.ntnu.no/module.php/saml/idp/singleLogout',
],
],
'NameIDFormat' => [ 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient' ],
'certificate' => '${./idp.crt}',
];
?>
''

23
hosts/bekkalokk/services/idp-simplesamlphp/saml20-idp-remote.php Normal file
View File

@ -0,0 +1,23 @@
<?php
$metadata['https://idp.pvv.ntnu.no/'] = array (
'metadata-set' => 'saml20-idp-remote',
'entityid' => 'https://idp.pvv.ntnu.no/',
'SingleSignOnService' =>
array (
0 =>
array (
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
'Location' => 'https://idp.pvv.ntnu.no/simplesaml/saml2/idp/SSOService.php',
),
),
'SingleLogoutService' =>
array (
0 =>
array (
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
'Location' => 'https://idp.pvv.ntnu.no/simplesaml/saml2/idp/SingleLogoutService.php',
),
),
'certData' => 'MIIDpTCCAo2gAwIBAgIJAJIgibrB7NvsMA0GCSqGSIb3DQEBCwUAMGkxCzAJBgNVBAYTAk5PMR4wHAYDVQQKDBVQcm9ncmFtdmFyZXZlcmtzdGVkZXQxGDAWBgNVBAMMD2lkcC5wdnYubnRudS5ubzEgMB4GCSqGSIb3DQEJARYRZHJpZnRAcHZ2Lm50bnUubm8wHhcNMTcxMTEzMjI0NTQyWhcNMjcxMTEzMjI0NTQyWjBpMQswCQYDVQQGEwJOTzEeMBwGA1UECgwVUHJvZ3JhbXZhcmV2ZXJrc3RlZGV0MRgwFgYDVQQDDA9pZHAucHZ2Lm50bnUubm8xIDAeBgkqhkiG9w0BCQEWEWRyaWZ0QHB2di5udG51Lm5vMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAveLujCsgVCRA360y5yezy8FcSPhaqodggDqY12UTkYOMQLBFaph6uUL4oCUlXZqxScrAYVRt9yw+7BYpcm0p51VZzVCsfMxRVkn+O1eUvsaXq3f13f87QHKYP2f0uqkGf5PvnKIdSaI/ix8WJhD8XT+h0OkHEcaBvUtSG7zbEhvG21WPHwgw2rvZSneArQ8tOitZC0u8VXSfdhtf6ynRseo0xC95634UwQAZivhQ2v4A6Tp57QG5DCXIJ9/z3PkINx3KB/hOeh0EP6Dpbp+7V0/t9778E3whpm4llrH144kzROhA7EgUgkZOjAVjxGCYlcj3xQPnnItihVOZ5B5qLwIDAQABo1AwTjAdBgNVHQ4EFgQUPLhrB+Qb/Kzz7Car9GJkKmEkz6swHwYDVR0jBBgwFoAUPLhrB+Qb/Kzz7Car9GJkKmEkz6swDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAd+4E6t0j8/p8rbZE8y/gZ9GsiRhxkR4l6JbMRUfEpqHKi415qstChRcP2Lo3Yd5qdmj9tLDWoPsqet1QgyTTmQTgUmPhhMOQDqSh90LuqEJseKWafXGS/SfWLH6MWVmzDV5YofJEw2ThPiU58GiS06OLS2poq1eAesa2LQ22J8yYisXM4sxImIFte+LYQ1+1evfBWcvU1vrGsQ0VLJHdef9WoXp1swUFhq4Zk0c7gjHiB1CFVlExAAlk9L6W3CVXmKIYlf4eUnEBGkC061Ir42+uhAMWO9Y/L1NEuboTyd2KAI/6JdKdzpmfk7zPVxWlNxNCZ7OPNuvOKp6VlpB2EA==',
'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient',
);

61
hosts/bekkalokk/services/mediawiki/default.nix
View File

@ -8,27 +8,19 @@
group = config.users.users.${user}.group;
simplesamlphp = pkgs.simplesamlphp.override {
extra_files = {
"metadata/saml20-idp-remote.php" = pkgs.writeText "mediawiki-saml20-idp-remote.php" (import ../idp-simplesamlphp/metadata.php.nix);
authsourcesFile = ./simplesamlphp/authsources.php;
saml20-idp-remoteFile = ./simplesamlphp/saml20-idp-remote.php;
configFile = pkgs.runCommandLocal "mediawiki-simplesamlphp-config.php" { } ''
cp ${./simplesamlphp/config.php} "$out"
"config/authsources.php" = ./simplesaml-authsources.php;
"config/config.php" = pkgs.runCommandLocal "mediawiki-simplesamlphp-config.php" { } ''
cp ${./simplesaml-config.php} "$out"
substituteInPlace "$out" \
--replace '$SAML_COOKIE_SECURE' 'true' \
--replace '$SAML_COOKIE_SALT' '"asdfasdfasjdf"' \
--replace '$SAML_ADMIN_PASSWORD' '"asdfasdfasdf"' \
--replace '$SAML_TRUSTED_DOMAINS' 'array( "wiki2.pvv.ntnu.no" )' \
--replace '$STATE_DIRECTORY' '/var/lib/mediawiki' \
--replace '$CACHE_DIRECTORY' '/var/cache/mediawiki/idp'
'';
};
substituteInPlace "$out" \
--replace '$SAML_COOKIE_SECURE' 'true' \
--replace '$SAML_COOKIE_SALT' '"asdfasdfasjdf"' \
--replace '$SAML_ADMIN_PASSWORD' '"asdfasdfasdf"' \
--replace '$SAML_TRUSTED_DOMAINS' 'array( "wiki2.pvv.ntnu.no" )'
'';
};
in {
services.idp.sp-remote-metadata = [ "https://wiki2.pvv.ntnu.no/simplesaml/" ];
sops.secrets = {
"mediawiki/password" = {
restartUnits = [ "mediawiki-init.service" "phpfpm-mediawiki.service" ];
@ -73,6 +65,7 @@ in {
"pm.max_spare_servers" = 4;
"listen.owner" = listenUser;
"listen.group" = listenGroup;
"env[PATH]" = lib.makeBinPath [ pkgs.php ];
"catch_workers_output" = true;
"php_admin_flag[log_errors]" = true;
@ -102,10 +95,7 @@ in {
$wgGroupPermissions['*']['edit'] = false;
# Styling
$wgLogos = array(
"2x" => "/PNG/PVV-logo.png",
"svg" => "/PNG/PVV-logo.svg",
);
$wgLogo = "/PNG/PVV-logo.png";
$wgDefaultSkin = "monobook";
# Misc
@ -116,13 +106,15 @@ in {
# SimpleSAML
$wgSimpleSAMLphp_InstallDir = "${simplesamlphp}/share/php/simplesamlphp/";
$wgSimpleSAMLphp_AuthSourceId = "default-sp";
$wgSimpleSAMLphp_RealNameAttribute = "cn";
$wgSimpleSAMLphp_EmailAttribute = "mail";
$wgSimpleSAMLphp_UsernameAttribute = "uid";
$wgPluggableAuth_Config['Log in using my SAML'] = [
'plugin' => 'SimpleSAMLphp',
'data' => [
'authSourceId' => 'default-sp',
'usernameAttribute' => 'uid',
'emailAttribute' => 'mail',
'realNameAttribute' => 'cn',
]
];
@ -131,9 +123,13 @@ in {
'';
};
# 'usernameAttribute' => 'username',
# 'realNameAttribute' => 'name',
# 'emailAttribute' => 'email'
# Cache directory for simplesamlphp
# systemd.services.phpfpm-mediawiki.serviceConfig.CacheDirectory = "mediawiki/simplesamlphp";
systemd.tmpfiles.settings."10-mediawiki"."/var/cache/mediawiki/simplesamlphp".d = {
systemd.tmpfiles.settings."10-mediawiki"."/var/cache/mediawiki/simplesamlphp/core".d = {
user = "mediawiki";
group = "mediawiki";
mode = "0770";
@ -211,7 +207,18 @@ in {
"/images".root = config.services.mediawiki.uploadsDir;
"= /PNG/PVV-logo.png".alias = ../../../../assets/logo_blue_regular.png;
"= /PNG/PVV-logo.svg".alias = ../../../../assets/logo_blue_regular.svg;
# Redirects from gitea
"/Projects".return = "301 $scheme://git.pvv.ntnu.no$request_uri";
"^~ /Projects/(.+\\.php)".return = "301 $scheme://git.pvv.ntnu.no$request_uri";
"/oysteikt".return = "301 $scheme://git.pvv.ntnu.no$request_uri";
"/Drift".return = "301 $scheme://git.pvv.ntnu.no$request_uri";
"/felixalb".return = "301 $scheme://git.pvv.ntnu.no$request_uri";
"/adriangl".return = "301 $scheme://git.pvv.ntnu.no$request_uri";
"/danio".return = "301 $scheme://git.pvv.ntnu.no$request_uri";
"/pederbs".return = "301 $scheme://git.pvv.ntnu.no$request_uri";
"/jonmro".return = "301 $scheme://git.pvv.ntnu.no$request_uri";
"/explore".return = "301 $scheme://git.pvv.ntnu.no$request_uri";
};
};
}

12
hosts/bekkalokk/services/mediawiki/simplesaml-authsources.php
View File

@ -1,12 +0,0 @@
<?php
$config = array(
'admin' => array(
'core:AdminPassword'
),
'default-sp' => array(
'saml:SP',
'entityID' => 'https://wiki2.pvv.ntnu.no/simplesaml/',
# 'entityID' => 'https://idp2.pvv.ntnu.no/',
'idp' => 'https://idp2.pvv.ntnu.no/',
),
);

11
hosts/bekkalokk/services/mediawiki/simplesamlphp/authsources.php Normal file
View File

@ -0,0 +1,11 @@
<?php
$config = array(
/* This is the name of this authentication source, and will be used to access it later. */
'default-sp' => array(
'saml:SP',
# 'entityID' => 'https://wiki.pvv.ntnu.no/',
'entityID' => 'https://wiki2.pvv.ntnu.no/',
'idp' => 'https://idp.pvv.ntnu.no/',
),
);

4
hosts/bekkalokk/services/mediawiki/simplesaml-config.php → hosts/bekkalokk/services/mediawiki/simplesamlphp/config.php
View File

@ -66,7 +66,7 @@ $config = [
* When specified as a relative path, this is relative to the SimpleSAMLphp
* root directory.
*/
'cachedir' => '$CACHE_DIRECTORY',
'cachedir' => '/var/cache/mediawiki/simplesamlphp',
//'loggingdir' => '/var/log/',
//'datadir' => '/var/data/',
@ -1195,7 +1195,7 @@ $config = [
* See http://www.php.net/manual/en/pdo.drivers.php for the various
* syntaxes.
*/
'store.sql.dsn' => 'sqlite:$STATE_DIRECTORY/simplesamlphp.sqlite3',
'store.sql.dsn' => 'sqlite:/var/lib/mediawiki/simplesamlphp.sqlite3',
/*
* The username and password to use when connecting to the database.

23
hosts/bekkalokk/services/mediawiki/simplesamlphp/saml20-idp-remote.php Normal file
View File

@ -0,0 +1,23 @@
<?php
$metadata['https://idp.pvv.ntnu.no/'] = array (
'metadata-set' => 'saml20-idp-remote',
'entityid' => 'https://idp.pvv.ntnu.no/',
'SingleSignOnService' =>
array (
0 =>
array (
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
'Location' => 'https://idp.pvv.ntnu.no/simplesaml/saml2/idp/SSOService.php',
),
),
'SingleLogoutService' =>
array (
0 =>
array (
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
'Location' => 'https://idp.pvv.ntnu.no/simplesaml/saml2/idp/SingleLogoutService.php',
),
),
'certData' => 'MIIDpTCCAo2gAwIBAgIJAJIgibrB7NvsMA0GCSqGSIb3DQEBCwUAMGkxCzAJBgNVBAYTAk5PMR4wHAYDVQQKDBVQcm9ncmFtdmFyZXZlcmtzdGVkZXQxGDAWBgNVBAMMD2lkcC5wdnYubnRudS5ubzEgMB4GCSqGSIb3DQEJARYRZHJpZnRAcHZ2Lm50bnUubm8wHhcNMTcxMTEzMjI0NTQyWhcNMjcxMTEzMjI0NTQyWjBpMQswCQYDVQQGEwJOTzEeMBwGA1UECgwVUHJvZ3JhbXZhcmV2ZXJrc3RlZGV0MRgwFgYDVQQDDA9pZHAucHZ2Lm50bnUubm8xIDAeBgkqhkiG9w0BCQEWEWRyaWZ0QHB2di5udG51Lm5vMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAveLujCsgVCRA360y5yezy8FcSPhaqodggDqY12UTkYOMQLBFaph6uUL4oCUlXZqxScrAYVRt9yw+7BYpcm0p51VZzVCsfMxRVkn+O1eUvsaXq3f13f87QHKYP2f0uqkGf5PvnKIdSaI/ix8WJhD8XT+h0OkHEcaBvUtSG7zbEhvG21WPHwgw2rvZSneArQ8tOitZC0u8VXSfdhtf6ynRseo0xC95634UwQAZivhQ2v4A6Tp57QG5DCXIJ9/z3PkINx3KB/hOeh0EP6Dpbp+7V0/t9778E3whpm4llrH144kzROhA7EgUgkZOjAVjxGCYlcj3xQPnnItihVOZ5B5qLwIDAQABo1AwTjAdBgNVHQ4EFgQUPLhrB+Qb/Kzz7Car9GJkKmEkz6swHwYDVR0jBBgwFoAUPLhrB+Qb/Kzz7Car9GJkKmEkz6swDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAd+4E6t0j8/p8rbZE8y/gZ9GsiRhxkR4l6JbMRUfEpqHKi415qstChRcP2Lo3Yd5qdmj9tLDWoPsqet1QgyTTmQTgUmPhhMOQDqSh90LuqEJseKWafXGS/SfWLH6MWVmzDV5YofJEw2ThPiU58GiS06OLS2poq1eAesa2LQ22J8yYisXM4sxImIFte+LYQ1+1evfBWcvU1vrGsQ0VLJHdef9WoXp1swUFhq4Zk0c7gjHiB1CFVlExAAlk9L6W3CVXmKIYlf4eUnEBGkC061Ir42+uhAMWO9Y/L1NEuboTyd2KAI/6JdKdzpmfk7zPVxWlNxNCZ7OPNuvOKp6VlpB2EA==',
'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient',
);

17
packages/simplesamlphp/default.nix
View File

@ -1,9 +1,9 @@
{ lib
, php
{ php
, writeText
, fetchFromGitHub
, extra_files ? { }
, configFile ? "config/config.php.dist"
, authsourcesFile ? "config/authsources.php.dist"
, saml20-idp-remoteFile ? writeText "saml20-idp-remote.php" "<?php ?>"
}:
php.buildComposerProject rec {
@ -24,10 +24,11 @@ php.buildComposerProject rec {
# TODO: metadata could be fetched automagically with these:
# - https://simplesamlphp.org/docs/contrib_modules/metarefresh/simplesamlphp-automated_metadata.html
# - https://idp.pvv.ntnu.no/simplesaml/saml2/idp/metadata.php
postPatch = lib.pipe extra_files [
(lib.mapAttrsToList (target_path: source_path: ''install -Dm444 "${source_path}" "${target_path}"''))
(lib.concatStringsSep "\n")
];
postPatch = ''
install -Dm444 "${configFile}" "config/config.php"
install -Dm444 "${authsourcesFile}" "config/authsources.php"
install -Dm444 "${saml20-idp-remoteFile}" "metadata/saml20-idp-remote.php"
'';
postInstall = ''
ln -sr $out/share/php/simplesamlphp/vendor/simplesamlphp/simplesamlphp-assets-base $out/share/php/simplesamlphp/public/assets/base