ee097c49a3 WIP: idp theme
2024-03-31 05:01:24 +02:00
ce3aeb4e08 bekkalokk: init mediawiki
Co-authored-by: Jørn Åne <yorinad@pvv.ntnu.no>
2024-03-31 05:01:24 +02:00
49a0b1a5f7 bekkalokk: init idp-simplesamlphp 2024-03-31 04:41:45 +02:00
4c1966365b bekkalokk: redirect bekkalokk.pvv.ntnu.no to git.pvv.ntnu.no 2024-03-31 04:41:15 +02:00
e0b3ce9378 bekkalokk: package mediawiki extensions outside of module 2024-03-31 04:41:15 +02:00
50df317a26 packages: init simplesamlphp 2024-03-31 04:41:15 +02:00
1262bc7125 bekkalokk: set up kerberos client 2024-03-29 03:31:19 +01:00
13 changed files with 290 additions and 145 deletions


@@ -17,10 +17,6 @@ creation_rules:
key_groups:
- age:
- *host_jokum
- *host_ildkule
- *host_bekkalokk
- *host_bicep
- *user_danio
- *user_felixalb
- *user_eirikwit
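Review bot: Four age recipients are dropped from this key group (the hunk goes from 10 to 6 lines; the rendered view does not show which of `*host_jokum` … `*user_eirikwit` are the removed ones), but editing `.sops.yaml` by itself re-encrypts nothing. Every secrets file matched by this creation rule has to be rewritten in the same change with `sops updatekeys <file>`, otherwise the removed keys keep the ability to decrypt the existing ciphertext and any key that stays or is added later cannot be relied on until someone does it by hand. The `creation_rules` entry this `key_groups` belongs to starts above the hunk, so the `path_regex` it applies to is not visible here.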


@@ -3,8 +3,6 @@
{
imports = [
./users
./modules/snakeoil-certs.nix
./modules/debug-locations.nix
];
networking.domain = "pvv.ntnu.no";
@@ -60,7 +58,6 @@
gnupg
htop
nano
ripgrep
rsync
screen
tmux
@@ -85,27 +82,5 @@
settings.PermitRootLogin = "yes";
};
sops.age = {
sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
keyFile = "/var/lib/sops-nix/key.txt";
generateKey = true;
};
# nginx return 444 for all nonexistent virtualhosts
systemd.services.nginx.after = [ "generate-snakeoil-certs.service" ];
environment.snakeoil-certs = lib.mkIf (config.services.nginx.enable) {
"/etc/certs/nginx" = {
owner = "nginx";
group = "nginx";
};
};
services.nginx.virtualHosts."_" = lib.mkIf (config.services.nginx.enable) {
sslCertificate = "/etc/certs/nginx.crt";
sslCertificateKey = "/etc/certs/nginx.key";
addSSL = true;
extraConfig = "return 444;";
};
}
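Review bot: With the catch-all `services.nginx.virtualHosts."_"` (return 444 behind a self-signed cert) gone in the last hunk, nothing on the new side handles requests whose Host or SNI matches no configured vhost, so nginx will answer them from whichever vhost it ends up treating as `default_server` — a request for an arbitrary hostname pointed at this box then reaches a real service under an unexpected name. If the snakeoil module is being dropped because its certs were unmanaged, the cheap replacement is keeping a `"_"` vhost with `default = true; extraConfig = "return 444;";` and, for TLS, either `rejectSSL = true` (nginx ≥ 1.19.4) or an ACME-issued cert for a throwaway name. The commit message only mentions the IdP/wiki work, so a line explaining why `./modules/debug-locations.nix` and `ripgrep` leave `common.nix` too would help the next reader. The enclosing module attrset starts above the first hunk.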

flake.lock generated

@@ -155,7 +155,8 @@
"nixpkgs": "nixpkgs",
"nixpkgs-unstable": "nixpkgs-unstable",
"pvv-calendar-bot": "pvv-calendar-bot",
"sops-nix": "sops-nix"
"sops-nix": "sops-nix",
"ssp-theme": "ssp-theme"
}
},
"sops-nix": {
@@ -178,6 +179,22 @@
"repo": "sops-nix",
"type": "github"
}
},
"ssp-theme": {
"flake": false,
"locked": {
"lastModified": 1509201641,
"narHash": "sha256-naNRyPL6PAsZKW2w1Vt9wrHT9inCL/yAFnvpy4glv+c=",
"ref": "refs/heads/master",
"rev": "bda4314030be5f81aeaf2fb1927aee582f1194d9",
"revCount": 5,
"type": "git",
"url": "https://git.pvv.ntnu.no/Drift/ssp-theme.git"
},
"original": {
"type": "git",
"url": "https://git.pvv.ntnu.no/Drift/ssp-theme.git"
}
}
},
"root": "root",


@@ -21,9 +21,12 @@
grzegorz.inputs.nixpkgs.follows = "nixpkgs-unstable";
grzegorz-clients.url = "github:Programvareverkstedet/grzegorz-clients";
grzegorz-clients.inputs.nixpkgs.follows = "nixpkgs";
ssp-theme.url = "git+https://git.pvv.ntnu.no/Drift/ssp-theme.git";
ssp-theme.flake = false;
};
outputs = { self, nixpkgs, nixpkgs-unstable, sops-nix, disko, ... }@inputs:
outputs = { self, nixpkgs, nixpkgs-unstable, sops-nix, disko, ssp-theme, ... }@inputs:
let
nixlib = nixpkgs.lib;
systems = [
@@ -42,7 +45,6 @@
];
in {
nixosConfigurations = let
unstablePkgs = nixpkgs-unstable.legacyPackages.x86_64-linux;
nixosConfig = nixpkgs: name: config: nixpkgs.lib.nixosSystem (nixpkgs.lib.recursiveUpdate
rec {
system = "x86_64-linux";
@@ -79,9 +81,15 @@
bekkalokk = stableNixosConfig "bekkalokk" {
overlays = [
(final: prev: {
heimdal = unstablePkgs.heimdal;
heimdal = final.callPackage ./packages/heimdal {
inherit (final.darwin.apple_sdk.frameworks) CoreFoundation Security SystemConfiguration;
autoreconfHook = final.buildPackages.autoreconfHook269;
};
mediawiki-extensions = final.callPackage ./packages/mediawiki-extensions { };
simplesamlphp = final.callPackage ./packages/simplesamlphp { };
ssp-theme = final.runCommandLocal "ssp-theme" { } ''
ln -s ${ssp-theme} $out
'';
})
];
};
@@ -117,16 +125,28 @@
packages = {
"x86_64-linux" = let
pkgs = nixpkgs.legacyPackages."x86_64-linux";
in rec {
default = important-machines;
in {
default = self.packages.x86_64-linux.important-machines;
important-machines = pkgs.linkFarm "important-machines"
(nixlib.getAttrs importantMachines self.packages.x86_64-linux);
all-machines = pkgs.linkFarm "all-machines"
(nixlib.getAttrs allMachines self.packages.x86_64-linux);
#######################
# TODO: remove this once nixos 24.05 gets released
#######################
heimdal = pkgs.callPackage ./packages/heimdal {
inherit (pkgs.darwin.apple_sdk.frameworks) CoreFoundation Security SystemConfiguration;
autoreconfHook = pkgs.buildPackages.autoreconfHook269;
};
simplesamlphp = pkgs.callPackage ./packages/simplesamlphp { };
mediawiki-extensions = pkgs.callPackage ./packages/mediawiki-extensions { };
ssp-theme = pkgs.runCommandLocal "ssp-theme" { } ''
ln -s ${ssp-theme} $out
'';
} // nixlib.genAttrs allMachines
(machine: self.nixosConfigurations.${machine}.config.system.build.toplevel);
};
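Review bot: The four package definitions (`heimdal`, `mediawiki-extensions`, `simplesamlphp`, `ssp-theme`) are now written twice — once in the bekkalokk overlay and once under `packages.x86_64-linux` — and only the second copy carries the `# TODO: remove this once nixos 24.05 gets released` note, so the overlay's pin of a heimdal git snapshot is the one most likely to outlive its reason; repeat the TODO above the overlay entry, or derive one from the other (e.g. `heimdal = self.packages.x86_64-linux.heimdal;` in the overlay, accepting that it is then built against the flake's `nixpkgs` rather than `final`). The wrapper `runCommandLocal "ssp-theme" { } ''ln -s ${ssp-theme} $out''` adds nothing over the input itself; unless a downstream consumer needs a derivation rather than a store path, `ssp-theme = ssp-theme;` in the overlay is enough. Since the theme is PHP that ends up inside the IdP, bumps of the `ssp-theme` lock entry deserve the same review as code changes in this repo — a comment to that effect next to `ssp-theme.flake = false;` would be worth having.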


@@ -556,6 +556,7 @@ $config = [
'module.enable' => [
'admin' => true,
'authpwauth' => true,
'themepvv' => true,
],
@@ -858,7 +859,7 @@ $config = [
/*
* Which theme directory should be used?
*/
'theme.use' => 'default',
'theme.use' => 'themepvv:pvv',
/*
* Set this option to the text you would like to appear at the header of each page. Set to false if you don't want


@@ -11,8 +11,7 @@ let
read -r _
exit 2
fi
kinit --password-file=STDIN "''${user1}@PVV.NTNU.NO" >/dev/null 2>/dev/null
kdestroy >/dev/null 2>/dev/null
kinit --password-file=STDIN "''${user1}@PVV.NTNU.NO"
'';
};
@@ -97,6 +96,8 @@ let
'';
"modules/authpwauth/src/Auth/Source/PwAuth.php" = ./authpwauth.php;
"modules/themepvv" = pkgs.ssp-theme;
};
};
in
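Review bot: Dropping `kdestroy` in the first hunk means every successful password check now leaves a live TGT for `<user>@PVV.NTNU.NO` in the credential cache of whatever user runs this script (presumably the php-fpm pool user), usable by anything else running as that user until it expires and accumulating across logins. If it was removed because it masked kinit's result (the old script's last command, and therefore its exit status, was `kdestroy`), keep the check in a throwaway cache instead: `KRB5CCNAME=MEMORY:pwcheck kinit --password-file=STDIN "''${user1}@PVV.NTNU.NO" >/dev/null 2>&1` (Heimdal supports the `MEMORY:` cache type) — or, if a file cache is wanted, `kinit … >/dev/null 2>&1; rc=$?; kdestroy >/dev/null 2>&1; exit $rc`. The removed `>/dev/null 2>/dev/null` also lets kinit's stderr, which names the principal on failure, flow to wherever the caller routes output; if that is the PHP error log, keep the redirect. A kinit-only check with no keytab-backed verification of the returned TGT is open to KDC spoofing; whether anything around this script verifies the ticket is not visible from here. The `let` binding that holds this script begins above the hunk.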


@@ -33,19 +33,28 @@
in {
services.idp.sp-remote-metadata = [ "https://wiki2.pvv.ntnu.no/simplesaml/" ];
sops.secrets = lib.pipe [
"mediawiki/password"
"mediawiki/postgres_password"
"mediawiki/simplesamlphp/postgres_password"
"mediawiki/simplesamlphp/cookie_salt"
"mediawiki/simplesamlphp/admin_password"
] [
(map (key: lib.nameValuePair key {
sops.secrets = {
"mediawiki/password" = {
owner = user;
group = group;
}))
lib.listToAttrs
];
};
"mediawiki/postgres_password" = {
owner = user;
group = group;
};
"mediawiki/simplesamlphp/postgres_password" = {
owner = user;
group = group;
};
"mediawiki/simplesamlphp/cookie_salt" = {
owner = user;
group = group;
};
"mediawiki/simplesamlphp/admin_password" = {
owner = user;
group = group;
};
};
services.mediawiki = {
enable = true;
@@ -118,6 +127,7 @@ in {
"2x" => "/PNG/PVV-logo.png",
"icon" => "/PNG/PVV-logo.svg",
);
# wfLoadSkin('Timeless');
$wgDefaultSkin = "vector-2022";
# from https://github.com/wikimedia/mediawiki-skins-Vector/blob/master/skin.json
$wgVectorDefaultSidebarVisibleForAnonymousUser = true;
@@ -154,6 +164,37 @@ in {
mode = "0770";
};
# Override because of https://github.com/NixOS/nixpkgs/issues/183097
systemd.services.mediawiki-init.script = let
# According to module
stateDir = "/var/lib/mediawiki";
pkg = cfg.finalPackage;
mediawikiConfig = config.services.phpfpm.pools.mediawiki.phpEnv.MEDIAWIKI_CONFIG;
inherit (lib) optionalString mkForce;
in mkForce ''
if ! test -e "${stateDir}/secret.key"; then
tr -dc A-Za-z0-9 </dev/urandom 2>/dev/null | head -c 64 > ${stateDir}/secret.key
fi
echo "exit( wfGetDB( DB_MASTER )->tableExists( 'user' ) ? 1 : 0 );" | \
${pkgs.php}/bin/php ${pkg}/share/mediawiki/maintenance/eval.php --conf ${mediawikiConfig} && \
${pkgs.php}/bin/php ${pkg}/share/mediawiki/maintenance/install.php \
--confpath /tmp \
--scriptpath / \
--dbserver "${cfg.database.host}" \
--dbport ${toString cfg.database.port} \
--dbname ${cfg.database.name} \
${optionalString (cfg.database.tablePrefix != null) "--dbprefix ${cfg.database.tablePrefix}"} \
--dbuser ${cfg.database.user} \
${optionalString (cfg.database.passwordFile != null) "--dbpassfile ${cfg.database.passwordFile}"} \
--passfile ${cfg.passwordFile} \
--dbtype ${cfg.database.type} \
${cfg.name} \
admin
${pkgs.php}/bin/php ${pkg}/share/mediawiki/maintenance/update.php --conf ${mediawikiConfig} --quick
'';
users.groups.mediawiki.members = [ "nginx" ];
services.nginx.virtualHosts."wiki2.pvv.ntnu.no" = {
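Review bot: In the `mediawiki-init` override, `secret.key` is written with a bare shell redirect and no mode, so it inherits the service's umask (typically 022, i.e. world-readable) unless the unit sets `UMask=`, which nothing in this hunk does; wrap it as `(umask 077; tr -dc A-Za-z0-9 </dev/urandom 2>/dev/null | head -c 64 > ${stateDir}/secret.key)`. `install.php --confpath /tmp` likewise drops a `LocalSettings.php` containing the database password and generated secret into `/tmp`; that is inherited from the upstream module, but since the script is being replaced wholesale anyway, pointing `--confpath` at `${stateDir}` (or confirming the unit runs with `PrivateTmp=`, not visible here) is the safer default. `wfGetDB( DB_MASTER )` is the spelling deprecated in favour of `DB_PRIMARY` (since MediaWiki 1.36, as far as I recall); if `cfg.finalPackage` is a recent release the old constant may be gone, turning the `tableExists` probe into a hard failure, so check it against the packaged version. The comment citing nixpkgs#183097 should also say in one line what this override changes relative to the upstream script, because a reader cannot diff them from here.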


@@ -16,6 +16,12 @@
recommendedProxySettings = true;
recommendedOptimisation = true;
recommendedGzipSettings = true;
virtualHosts."bekkalokk.pvv.ntnu.no" = {
enableACME = true;
forceSSL = true;
locations."/".return = "301 $scheme://git.pvv.ntnu.no$request_uri";
};
};
networking.firewall.allowedTCPPorts = [ 80 443 ];
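Review bot: The redirect in the new `bekkalokk.pvv.ntnu.no` vhost uses `$scheme`, but the block also sets `forceSSL = true`, so a plain-HTTP request takes two hops (http→https on bekkalokk, then https→git) and the destination is https only because of that first hop. `locations."/".return = "301 https://git.pvv.ntnu.no$request_uri";` makes the target scheme explicit and independent of the forceSSL setting. Browsers cache a 301 indefinitely; if the git host might move again, 302/307 is the less sticky choice.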


@@ -0,0 +1,6 @@
{ ... }:
{
services.openldap = {
enable = true;
};
}
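Review bot: `services.openldap.enable = true` with no `settings`, `urlList` or access rules brings slapd up on the module defaults, which as far as I recall means listening on `ldap:///` (cleartext, all interfaces) with no database or ACLs declared; the only firewall rule visible in this compare opens 80/443, so it should not be reachable from outside, but it is still a half-configured directory service on the host. Until the schema and `olcAccess` rules exist, pin it to local clients with `services.openldap.urlList = [ "ldapi:///" ];` (add `ldaps://` later, with a real certificate). A one-line header comment saying what this instance is for — presumably the Heimdal HDB backend or the IdP's user source, given the rest of the branch — would also help.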


@@ -1,13 +0,0 @@
{ config, lib, ... }:
let
cfg = config.environment.debug-locations;
in
{
options.environment.debug-locations = lib.mkOption {
description = "Paths and derivations to symlink in `/etc/debug`";
type = with lib.types; attrsOf path;
default = { };
};
config.environment.etc = lib.mapAttrs' (k: v: lib.nameValuePair "debug/${k}" { source = v; }) cfg;
}


@@ -1,83 +0,0 @@
{ config, pkgs, lib, ... }:
let
cfg = config.environment.snakeoil-certs;
in
{
options.environment.snakeoil-certs = lib.mkOption {
default = { };
description = "Self signed certs, which are rotated regularly";
type = lib.types.attrsOf (lib.types.submodule ({ name, ... }: {
options = {
owner = lib.mkOption {
type = lib.types.str;
default = "root";
};
group = lib.mkOption {
type = lib.types.str;
default = "root";
};
mode = lib.mkOption {
type = lib.types.str;
default = "0660";
};
daysValid = lib.mkOption {
type = lib.types.str;
default = "90";
};
extraOpenSSLArgs = lib.mkOption {
type = with lib.types; listOf str;
default = [ ];
};
certificate = lib.mkOption {
type = lib.types.str;
default = "${name}.crt";
};
certificateKey = lib.mkOption {
type = lib.types.str;
default = "${name}.key";
};
subject = lib.mkOption {
type = lib.types.str;
default = "/C=NO/O=Programvareverkstedet/CN=*.pvv.ntnu.no/emailAddress=drift@pvv.ntnu.no";
};
};
}));
};
config = {
systemd.services."generate-snakeoil-certs" = {
enable = true;
serviceConfig.Type = "oneshot";
script = let
openssl = lib.getExe pkgs.openssl;
in lib.concatMapStringsSep "\n----------------\n" ({ name, value }: ''
mkdir -p $(dirname "${value.certificate}") $(dirname "${value.certificateKey}")
if ! ${openssl} x509 -checkend 86400 -noout -in ${value.certificate}
then
echo "Regenerating '${value.certificate}'"
${openssl} req \
-newkey rsa:4096 \
-new -x509 \
-days "${toString value.daysValid}" \
-nodes \
-subj "${value.subject}" \
-out "${value.certificate}" \
-keyout "${value.certificateKey}" \
${lib.escapeShellArgs value.extraOpenSSLArgs}
fi
chown "${value.owner}:${value.group}" "${value.certificate}"
chown "${value.owner}:${value.group}" "${value.certificateKey}"
chmod "${value.mode}" "${value.certificate}"
chmod "${value.mode}" "${value.certificateKey}"
'') (lib.attrsToList cfg);
};
systemd.timers."generate-snakeoil-certs" = {
wantedBy = [ "timers.target" ];
timerConfig = {
OnCalendar = "*-*-* 02:00:00";
Persistent = true;
Unit = "generate-snakeoil-certs.service";
};
};
};
}


@@ -0,0 +1,178 @@
{ lib
, stdenv
, fetchFromGitHub
, autoreconfHook
, pkg-config
, python3
, perl
, bison
, flex
, texinfo
, perlPackages
, openldap
, libcap_ng
, sqlite
, openssl
, db
, libedit
, pam
, krb5
, libmicrohttpd
, cjson
, CoreFoundation
, Security
, SystemConfiguration
, curl
, jdk
, unzip
, which
, nixosTests
, withCJSON ? true
, withCapNG ? stdenv.isLinux
# libmicrohttpd should theoretically work for darwin as well, but something is broken.
# It affects tests check-bx509d and check-httpkadmind.
, withMicroHTTPD ? stdenv.isLinux
, withOpenLDAP ? true
, withOpenLDAPAsHDBModule ? false
, withOpenSSL ? true
, withSQLite3 ? true
}:
assert lib.assertMsg (withOpenLDAPAsHDBModule -> withOpenLDAP) ''
OpenLDAP needs to be enabled in order to build the OpenLDAP HDB Module.
'';
stdenv.mkDerivation {
pname = "heimdal";
version = "7.8.0-unstable-2023-11-29";
src = fetchFromGitHub {
owner = "heimdal";
repo = "heimdal";
rev = "3253c49544eacb33d5ad2f6f919b0696e5aab794";
hash = "sha256-uljzQBzXrZCZjcIWfioqHN8YsbUUNy14Vo+A3vZIXzM=";
};
outputs = [ "out" "dev" "man" "info" ];
nativeBuildInputs = [
autoreconfHook
pkg-config
python3
perl
bison
flex
texinfo
]
++ (with perlPackages; [ JSON ]);
buildInputs = [ db libedit pam ]
++ lib.optionals (stdenv.isDarwin) [ CoreFoundation Security SystemConfiguration ]
++ lib.optionals (withCJSON) [ cjson ]
++ lib.optionals (withCapNG) [ libcap_ng ]
++ lib.optionals (withMicroHTTPD) [ libmicrohttpd ]
++ lib.optionals (withOpenLDAP) [ openldap ]
++ lib.optionals (withOpenSSL) [ openssl ]
++ lib.optionals (withSQLite3) [ sqlite ];
doCheck = true;
nativeCheckInputs = [
curl
jdk
unzip
which
];
configureFlags = [
"--with-libedit-include=${libedit.dev}/include"
"--with-libedit-lib=${libedit}/lib"
"--with-berkeley-db-include=${db.dev}/include"
"--with-berkeley-db"
"--without-x"
"--disable-afs-string-to-key"
] ++ lib.optionals (withCapNG) [
"--with-capng"
] ++ lib.optionals (withCJSON) [
"--with-cjson=${cjson}"
] ++ lib.optionals (withOpenLDAP) [
"--with-openldap=${openldap.dev}"
] ++ lib.optionals (withOpenLDAPAsHDBModule) [
"--enable-hdb-openldap-module"
] ++ lib.optionals (withSQLite3) [
"--with-sqlite3=${sqlite.dev}"
];
# (check-ldap) slapd resides within ${openldap}/libexec,
# which is not part of $PATH by default.
# (check-ldap) prepending ${openldap}/bin to the path to avoid
# using the default installation of openldap on unsandboxed darwin systems,
# which does not support the new mdb backend at the moment (2024-01-13).
# (check-ldap) the bdb backend got deprecated in favour of mdb in openldap 2.5.0,
# but the heimdal tests still seem to expect bdb as the openldap backend.
# This might be fixed upstream in a future update.
patchPhase = ''
runHook prePatch
substituteInPlace tests/ldap/slapd-init.in \
--replace 'SCHEMA_PATHS="' 'SCHEMA_PATHS="${openldap}/etc/schema '
substituteInPlace tests/ldap/check-ldap.in \
--replace 'PATH=' 'PATH=${openldap}/libexec:${openldap}/bin:'
substituteInPlace tests/ldap/slapd.conf \
--replace 'database bdb' 'database mdb'
runHook postPatch
'';
# (test_cc) heimdal uses librokens implementation of `secure_getenv` on darwin,
# which expects either USER or LOGNAME to be set.
preCheck = lib.optionalString (stdenv.isDarwin) ''
export USER=nix-builder
'';
# We need to build hcrypt for applications like samba
postBuild = ''
(cd include/hcrypto; make -j $NIX_BUILD_CORES)
(cd lib/hcrypto; make -j $NIX_BUILD_CORES)
'';
postInstall = ''
# Install hcrypto
(cd include/hcrypto; make -j $NIX_BUILD_CORES install)
(cd lib/hcrypto; make -j $NIX_BUILD_CORES install)
mkdir -p $dev/bin
mv $out/bin/krb5-config $dev/bin/
# asn1 compilers, move them to $dev
mv $out/libexec/heimdal/* $dev/bin
rmdir $out/libexec/heimdal
# compile_et is needed for cross-compiling this package and samba
mv lib/com_err/.libs/compile_et $dev/bin
'';
# Issues with hydra
# In file included from hxtool.c:34:0:
# hx_locl.h:67:25: fatal error: pkcs10_asn1.h: No such file or directory
#enableParallelBuilding = true;
passthru = {
implementation = "heimdal";
tests.nixos = nixosTests.kerberos.heimdal;
};
meta = with lib; {
homepage = "https://www.heimdal.software";
changelog = "https://github.com/heimdal/heimdal/releases";
description = "An implementation of Kerberos 5 (and some more stuff)";
license = licenses.bsd3;
platforms = platforms.unix;
maintainers = with maintainers; [ h7x4 ];
};
}
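Review bot: The derivation defines `patchPhase` itself, which replaces the stock phase and so silently skips any `patches = [ … ]` that are later added to this file (the `runHook prePatch`/`postPatch` calls do not bring that back); the nixpkgs idiom is to put the three `substituteInPlace` calls in `postPatch` and leave `patchPhase` alone. This is a copy of the nixpkgs expression pinned to git snapshot `3253c495…` from 2023-11-29, so it will not pick up upstream security fixes on its own, and the note that it is temporary until NixOS 24.05 lives only in flake.nix; repeat it at the top of this file, e.g. `# Vendored from nixpkgs unstable; drop once nixos 24.05 ships a heimdal at or past this rev`, so whoever touches the package knows it is meant to go. `--disable-afs-string-to-key` and `--without-x` each deserve a one-line why-comment, since they change the build's behaviour and their reason is not recoverable from here.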
