WIP: idp theme

Co-authored-by: Jørn Åne <yorinad@pvv.ntnu.no>

.sops.yaml

@@ -17,10 +17,6 @@ creation_rules:
     key_groups:
     - age:
       - *host_jokum
-      - *host_ildkule
-      - *host_bekkalokk
-      - *host_bicep
-
       - *user_danio
       - *user_felixalb
       - *user_eirikwit

base.nix

@@ -3,8 +3,6 @@
 {
   imports = [
     ./users
-    ./modules/snakeoil-certs.nix
-    ./modules/debug-locations.nix
   ];
 
   networking.domain = "pvv.ntnu.no";
@@ -60,7 +58,6 @@
     gnupg
     htop
     nano
-    ripgrep
     rsync
     screen
     tmux
@@ -85,27 +82,5 @@
     settings.PermitRootLogin = "yes";
   };
 
-  sops.age = {
-    sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
-    keyFile = "/var/lib/sops-nix/key.txt";
-    generateKey = true;
-  };
 
-  # nginx return 444 for all nonexistent virtualhosts
-
-  systemd.services.nginx.after = [ "generate-snakeoil-certs.service" ];
-
-  environment.snakeoil-certs = lib.mkIf (config.services.nginx.enable) {
-    "/etc/certs/nginx" = {
-      owner = "nginx";
-      group = "nginx";
-    };
-  };
-
-  services.nginx.virtualHosts."_" = lib.mkIf (config.services.nginx.enable) {
-    sslCertificate = "/etc/certs/nginx.crt";
-    sslCertificateKey = "/etc/certs/nginx.key";
-    addSSL = true;
-    extraConfig = "return 444;";
-  };
 }

flake.lock

@@ -155,7 +155,8 @@
         "nixpkgs": "nixpkgs",
         "nixpkgs-unstable": "nixpkgs-unstable",
         "pvv-calendar-bot": "pvv-calendar-bot",
-        "sops-nix": "sops-nix"
+        "sops-nix": "sops-nix",
+        "ssp-theme": "ssp-theme"
       }
     },
     "sops-nix": {
@@ -178,6 +179,22 @@
         "repo": "sops-nix",
         "type": "github"
       }
+    },
+    "ssp-theme": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1509201641,
+        "narHash": "sha256-naNRyPL6PAsZKW2w1Vt9wrHT9inCL/yAFnvpy4glv+c=",
+        "ref": "refs/heads/master",
+        "rev": "bda4314030be5f81aeaf2fb1927aee582f1194d9",
+        "revCount": 5,
+        "type": "git",
+        "url": "https://git.pvv.ntnu.no/Drift/ssp-theme.git"
+      },
+      "original": {
+        "type": "git",
+        "url": "https://git.pvv.ntnu.no/Drift/ssp-theme.git"
+      }
     }
   },
   "root": "root",

flake.nix

@@ -21,9 +21,12 @@
     grzegorz.inputs.nixpkgs.follows = "nixpkgs-unstable";
     grzegorz-clients.url = "github:Programvareverkstedet/grzegorz-clients";
     grzegorz-clients.inputs.nixpkgs.follows = "nixpkgs";
+
+    ssp-theme.url = "git+https://git.pvv.ntnu.no/Drift/ssp-theme.git";
+    ssp-theme.flake = false;
   };
 
-  outputs = { self, nixpkgs, nixpkgs-unstable, sops-nix, disko, ... }@inputs:
+  outputs = { self, nixpkgs, nixpkgs-unstable, sops-nix, disko, ssp-theme, ... }@inputs:
   let
     nixlib = nixpkgs.lib;
     systems = [
@@ -42,7 +45,6 @@
     ];
   in {
     nixosConfigurations = let
-      unstablePkgs = nixpkgs-unstable.legacyPackages.x86_64-linux;
       nixosConfig = nixpkgs: name: config: nixpkgs.lib.nixosSystem (nixpkgs.lib.recursiveUpdate
         rec {
           system = "x86_64-linux";
@@ -79,9 +81,15 @@
       bekkalokk = stableNixosConfig "bekkalokk" {
         overlays = [
           (final: prev: {
-            heimdal = unstablePkgs.heimdal;
+            heimdal = final.callPackage ./packages/heimdal {
+              inherit (final.darwin.apple_sdk.frameworks) CoreFoundation Security SystemConfiguration;
+              autoreconfHook = final.buildPackages.autoreconfHook269;
+	    };
             mediawiki-extensions = final.callPackage ./packages/mediawiki-extensions { };
             simplesamlphp = final.callPackage ./packages/simplesamlphp { };
+	    ssp-theme = final.runCommandLocal "ssp-theme" { } ''
+	      ln -s ${ssp-theme} $out
+	    '';
           })
         ];
       };
@@ -117,16 +125,28 @@
     packages = {
       "x86_64-linux" = let
         pkgs = nixpkgs.legacyPackages."x86_64-linux";
-      in rec {
+      in {
-        default = important-machines;
+        default = self.packages.x86_64-linux.important-machines;
         important-machines = pkgs.linkFarm "important-machines"
           (nixlib.getAttrs importantMachines self.packages.x86_64-linux);
         all-machines = pkgs.linkFarm "all-machines"
           (nixlib.getAttrs allMachines self.packages.x86_64-linux);
 
+        #######################
+        # TODO: remove this once nixos 24.05 gets released
+        #######################
+        heimdal = pkgs.callPackage ./packages/heimdal {
+          inherit (pkgs.darwin.apple_sdk.frameworks) CoreFoundation Security SystemConfiguration;
+          autoreconfHook = pkgs.buildPackages.autoreconfHook269;
+	};
+
         simplesamlphp = pkgs.callPackage ./packages/simplesamlphp { };
 
         mediawiki-extensions = pkgs.callPackage ./packages/mediawiki-extensions { };
+
+	ssp-theme = pkgs.runCommandLocal "ssp-theme" { } ''
+	  ln -s ${ssp-theme} $out
+	'';
       } // nixlib.genAttrs allMachines
         (machine: self.nixosConfigurations.${machine}.config.system.build.toplevel);
     };

hosts/bekkalokk/services/idp-simplesamlphp/config.php

@@ -556,6 +556,7 @@ $config = [
     'module.enable' => [
         'admin' => true,
 	'authpwauth' => true,
+	'themepvv' => true,
     ],
 
 
@@ -858,7 +859,7 @@ $config = [
     /*
      * Which theme directory should be used?
      */
-    'theme.use' => 'default',
+    'theme.use' => 'themepvv:pvv',
 
     /*
      * Set this option to the text you would like to appear at the header of each page. Set to false if you don't want

hosts/bekkalokk/services/idp-simplesamlphp/default.nix

@@ -11,8 +11,7 @@ let
         read -r _
         exit 2
       fi
-      kinit --password-file=STDIN "''${user1}@PVV.NTNU.NO" >/dev/null 2>/dev/null
+      kinit --password-file=STDIN "''${user1}@PVV.NTNU.NO"
-      kdestroy >/dev/null 2>/dev/null
     '';
   };
 
@@ -97,6 +96,8 @@ let
       '';
 
       "modules/authpwauth/src/Auth/Source/PwAuth.php" = ./authpwauth.php;
+      
+      "modules/themepvv" = pkgs.ssp-theme;
     };
   };
 in

hosts/bekkalokk/services/mediawiki/default.nix

@@ -33,19 +33,28 @@
 in {
   services.idp.sp-remote-metadata = [ "https://wiki2.pvv.ntnu.no/simplesaml/" ];
 
-  sops.secrets = lib.pipe [
+  sops.secrets = {
-    "mediawiki/password"
+    "mediawiki/password" = {
-    "mediawiki/postgres_password"
-    "mediawiki/simplesamlphp/postgres_password"
-    "mediawiki/simplesamlphp/cookie_salt"
-    "mediawiki/simplesamlphp/admin_password"
-  ] [
-    (map (key: lib.nameValuePair key {
       owner = user;
       group = group;
-    }))
+    };
-    lib.listToAttrs
+    "mediawiki/postgres_password" = {
-  ];
+      owner = user;
+      group = group;
+    };
+    "mediawiki/simplesamlphp/postgres_password" = {
+      owner = user;
+      group = group;
+    };
+    "mediawiki/simplesamlphp/cookie_salt" = {
+      owner = user;
+      group = group;
+    };
+    "mediawiki/simplesamlphp/admin_password" = {
+      owner = user;
+      group = group;
+    };
+  };
 
   services.mediawiki = {
     enable = true;
@@ -118,6 +127,7 @@ in {
         "2x" => "/PNG/PVV-logo.png",
         "icon" => "/PNG/PVV-logo.svg",
       );
+      # wfLoadSkin('Timeless');
       $wgDefaultSkin = "vector-2022";
       # from https://github.com/wikimedia/mediawiki-skins-Vector/blob/master/skin.json
       $wgVectorDefaultSidebarVisibleForAnonymousUser = true;
@@ -154,6 +164,37 @@ in {
     mode = "0770";
   };
 
+  # Override because of https://github.com/NixOS/nixpkgs/issues/183097
+  systemd.services.mediawiki-init.script = let
+    # According to module
+    stateDir = "/var/lib/mediawiki";
+    pkg = cfg.finalPackage;
+    mediawikiConfig = config.services.phpfpm.pools.mediawiki.phpEnv.MEDIAWIKI_CONFIG;
+    inherit (lib) optionalString mkForce;
+  in mkForce ''
+    if ! test -e "${stateDir}/secret.key"; then
+      tr -dc A-Za-z0-9 </dev/urandom 2>/dev/null | head -c 64 > ${stateDir}/secret.key
+    fi
+
+    echo "exit( wfGetDB( DB_MASTER )->tableExists( 'user' ) ? 1 : 0 );" | \
+    ${pkgs.php}/bin/php ${pkg}/share/mediawiki/maintenance/eval.php --conf ${mediawikiConfig} && \
+    ${pkgs.php}/bin/php ${pkg}/share/mediawiki/maintenance/install.php \
+      --confpath /tmp \
+      --scriptpath / \
+      --dbserver "${cfg.database.host}" \
+      --dbport ${toString cfg.database.port} \
+      --dbname ${cfg.database.name} \
+      ${optionalString (cfg.database.tablePrefix != null) "--dbprefix ${cfg.database.tablePrefix}"} \
+      --dbuser ${cfg.database.user} \
+      ${optionalString (cfg.database.passwordFile != null) "--dbpassfile ${cfg.database.passwordFile}"} \
+      --passfile ${cfg.passwordFile} \
+      --dbtype ${cfg.database.type} \
+      ${cfg.name} \
+      admin
+
+    ${pkgs.php}/bin/php ${pkg}/share/mediawiki/maintenance/update.php --conf ${mediawikiConfig} --quick
+  '';
+
   users.groups.mediawiki.members = [ "nginx" ];
 
   services.nginx.virtualHosts."wiki2.pvv.ntnu.no" = {

hosts/bekkalokk/services/nginx/default.nix

@@ -16,6 +16,12 @@
     recommendedProxySettings = true;
     recommendedOptimisation = true;
     recommendedGzipSettings = true;
+
+    virtualHosts."bekkalokk.pvv.ntnu.no" = {
+      enableACME = true;
+      forceSSL = true;
+      locations."/".return = "301 $scheme://git.pvv.ntnu.no$request_uri";
+    };
   };
 
   networking.firewall.allowedTCPPorts = [ 80 443 ];

hosts/bekkalokk/services/openldap.nix

@@ -0,0 +1,6 @@
+{ ... }:
+{
+  services.openldap = {
+    enable = true;
+  };
+}

modules/debug-locations.nix

@@ -1,13 +0,0 @@
-{ config, lib, ... }:
-let
-  cfg = config.environment.debug-locations;
-in
-{
-  options.environment.debug-locations = lib.mkOption {
-    description = "Paths and derivations to symlink in `/etc/debug`";
-    type = with lib.types; attrsOf path;
-    default = { };
-  };
-
-  config.environment.etc = lib.mapAttrs' (k: v: lib.nameValuePair "debug/${k}" { source = v; }) cfg;
-}

modules/snakeoil-certs.nix

@@ -1,83 +0,0 @@
-{ config, pkgs, lib, ... }:
-let
-  cfg = config.environment.snakeoil-certs;
-in
-{
-  options.environment.snakeoil-certs = lib.mkOption {
-    default = { };
-    description = "Self signed certs, which are rotated regularly";
-    type = lib.types.attrsOf (lib.types.submodule ({ name, ... }: {
-      options = {
-        owner = lib.mkOption {
-          type = lib.types.str;
-          default = "root";
-        };
-        group = lib.mkOption {
-          type = lib.types.str;
-          default = "root";
-        };
-        mode = lib.mkOption {
-          type = lib.types.str;
-          default = "0660";
-        };
-        daysValid = lib.mkOption {
-          type = lib.types.str;
-          default = "90";
-        };
-        extraOpenSSLArgs = lib.mkOption {
-          type = with lib.types; listOf str;
-          default = [ ];
-        };
-        certificate = lib.mkOption {
-          type = lib.types.str;
-          default = "${name}.crt";
-        };
-        certificateKey = lib.mkOption {
-          type = lib.types.str;
-          default = "${name}.key";
-        };
-	subject = lib.mkOption {
-	  type = lib.types.str;
-	  default = "/C=NO/O=Programvareverkstedet/CN=*.pvv.ntnu.no/emailAddress=drift@pvv.ntnu.no";
-	};
-      };
-    }));
-  };
-
-  config = {
-    systemd.services."generate-snakeoil-certs" = {
-      enable = true;
-      serviceConfig.Type = "oneshot";
-      script = let
-        openssl = lib.getExe pkgs.openssl;
-      in lib.concatMapStringsSep "\n----------------\n" ({ name, value }: ''
-        mkdir -p $(dirname "${value.certificate}") $(dirname "${value.certificateKey}")
-        if ! ${openssl} x509 -checkend 86400 -noout -in ${value.certificate}
-        then
-           echo "Regenerating '${value.certificate}'"
-           ${openssl} req \
-             -newkey rsa:4096 \
-             -new -x509 \
-             -days "${toString value.daysValid}" \
-             -nodes \
-             -subj "${value.subject}" \
-             -out "${value.certificate}" \
-             -keyout "${value.certificateKey}" \
-             ${lib.escapeShellArgs value.extraOpenSSLArgs}
-        fi
-        chown "${value.owner}:${value.group}" "${value.certificate}"
-        chown "${value.owner}:${value.group}" "${value.certificateKey}"
-        chmod "${value.mode}" "${value.certificate}"
-        chmod "${value.mode}" "${value.certificateKey}"
-      '') (lib.attrsToList cfg);
-    };
-    systemd.timers."generate-snakeoil-certs" = {
-      wantedBy = [ "timers.target" ];
-      timerConfig = {
-        OnCalendar = "*-*-* 02:00:00";
-        Persistent = true;
-        Unit = "generate-snakeoil-certs.service";
-      };
-    };
-  };
-}

packages/heimdal/default.nix

@@ -0,0 +1,178 @@
+{ lib
+, stdenv
+, fetchFromGitHub
+, autoreconfHook
+, pkg-config
+, python3
+, perl
+, bison
+, flex
+, texinfo
+, perlPackages
+
+, openldap
+, libcap_ng
+, sqlite
+, openssl
+, db
+, libedit
+, pam
+, krb5
+, libmicrohttpd
+, cjson
+
+, CoreFoundation
+, Security
+, SystemConfiguration
+
+, curl
+, jdk
+, unzip
+, which
+
+, nixosTests
+
+, withCJSON ? true
+, withCapNG ? stdenv.isLinux
+# libmicrohttpd should theoretically work for darwin as well, but something is broken.
+# It affects tests check-bx509d and check-httpkadmind.
+, withMicroHTTPD ? stdenv.isLinux
+, withOpenLDAP ? true
+, withOpenLDAPAsHDBModule ? false
+, withOpenSSL ? true
+, withSQLite3 ? true
+}:
+
+assert lib.assertMsg (withOpenLDAPAsHDBModule -> withOpenLDAP) ''
+  OpenLDAP needs to be enabled in order to build the OpenLDAP HDB Module.
+'';
+
+stdenv.mkDerivation {
+  pname = "heimdal";
+  version = "7.8.0-unstable-2023-11-29";
+
+  src = fetchFromGitHub {
+    owner = "heimdal";
+    repo = "heimdal";
+    rev = "3253c49544eacb33d5ad2f6f919b0696e5aab794";
+    hash = "sha256-uljzQBzXrZCZjcIWfioqHN8YsbUUNy14Vo+A3vZIXzM=";
+  };
+
+  outputs = [ "out" "dev" "man" "info" ];
+
+  nativeBuildInputs = [
+    autoreconfHook
+    pkg-config
+    python3
+    perl
+    bison
+    flex
+    texinfo
+  ]
+  ++ (with perlPackages; [ JSON ]);
+
+  buildInputs = [ db libedit pam ]
+    ++ lib.optionals (stdenv.isDarwin) [ CoreFoundation Security SystemConfiguration ]
+    ++ lib.optionals (withCJSON) [ cjson ]
+    ++ lib.optionals (withCapNG) [ libcap_ng ]
+    ++ lib.optionals (withMicroHTTPD) [ libmicrohttpd ]
+    ++ lib.optionals (withOpenLDAP) [ openldap ]
+    ++ lib.optionals (withOpenSSL) [ openssl ]
+    ++ lib.optionals (withSQLite3) [ sqlite ];
+
+  doCheck = true;
+  nativeCheckInputs = [
+    curl
+    jdk
+    unzip
+    which
+  ];
+
+  configureFlags = [
+    "--with-libedit-include=${libedit.dev}/include"
+    "--with-libedit-lib=${libedit}/lib"
+    "--with-berkeley-db-include=${db.dev}/include"
+    "--with-berkeley-db"
+
+    "--without-x"
+    "--disable-afs-string-to-key"
+  ] ++ lib.optionals (withCapNG) [
+    "--with-capng"
+  ] ++ lib.optionals (withCJSON) [
+    "--with-cjson=${cjson}"
+  ] ++ lib.optionals (withOpenLDAP) [
+    "--with-openldap=${openldap.dev}"
+  ] ++ lib.optionals (withOpenLDAPAsHDBModule) [
+    "--enable-hdb-openldap-module"
+  ] ++ lib.optionals (withSQLite3) [
+    "--with-sqlite3=${sqlite.dev}"
+  ];
+
+  # (check-ldap) slapd resides within ${openldap}/libexec,
+  #              which is not part of $PATH by default.
+  # (check-ldap) prepending ${openldap}/bin to the path to avoid
+  #              using the default installation of openldap on unsandboxed darwin systems,
+  #              which does not support the new mdb backend at the moment (2024-01-13).
+  # (check-ldap) the bdb backend got deprecated in favour of mdb in openldap 2.5.0,
+  #              but the heimdal tests still seem to expect bdb as the openldap backend.
+  #              This might be fixed upstream in a future update.
+  patchPhase = ''
+    runHook prePatch
+
+    substituteInPlace tests/ldap/slapd-init.in \
+      --replace 'SCHEMA_PATHS="' 'SCHEMA_PATHS="${openldap}/etc/schema '
+    substituteInPlace tests/ldap/check-ldap.in \
+      --replace 'PATH=' 'PATH=${openldap}/libexec:${openldap}/bin:'
+    substituteInPlace tests/ldap/slapd.conf \
+      --replace 'database	bdb' 'database mdb'
+
+    runHook postPatch
+  '';
+
+  # (test_cc) heimdal uses librokens implementation of `secure_getenv` on darwin,
+  #           which expects either USER or LOGNAME to be set.
+  preCheck = lib.optionalString (stdenv.isDarwin) ''
+    export USER=nix-builder
+  '';
+
+  # We need to build hcrypt for applications like samba
+  postBuild = ''
+    (cd include/hcrypto; make -j $NIX_BUILD_CORES)
+    (cd lib/hcrypto; make -j $NIX_BUILD_CORES)
+  '';
+
+  postInstall = ''
+    # Install hcrypto
+    (cd include/hcrypto; make -j $NIX_BUILD_CORES install)
+    (cd lib/hcrypto; make -j $NIX_BUILD_CORES install)
+
+    mkdir -p $dev/bin
+    mv $out/bin/krb5-config $dev/bin/
+
+    # asn1 compilers, move them to $dev
+    mv $out/libexec/heimdal/* $dev/bin
+    rmdir $out/libexec/heimdal
+
+    # compile_et is needed for cross-compiling this package and samba
+    mv lib/com_err/.libs/compile_et $dev/bin
+  '';
+
+  # Issues with hydra
+  #  In file included from hxtool.c:34:0:
+  #  hx_locl.h:67:25: fatal error: pkcs10_asn1.h: No such file or directory
+  #enableParallelBuilding = true;
+
+  passthru = {
+    implementation = "heimdal";
+    tests.nixos = nixosTests.kerberos.heimdal;
+  };
+
+  meta = with lib; {
+    homepage = "https://www.heimdal.software";
+    changelog = "https://github.com/heimdal/heimdal/releases";
+    description = "An implementation of Kerberos 5 (and some more stuff)";
+    license = licenses.bsd3;
+    platforms = platforms.unix;
+    maintainers = with maintainers; [ h7x4 ];
+  };
+}