WIP: idp theme

Co-authored-by: Jørn Åne <yorinad@pvv.ntnu.no>

.sops.yaml

@@ -3,6 +3,7 @@ keys:
   - &user_danio age17tagmpwqjk3mdy45rfesrfey6h863x8wfq38wh33tkrlrywxducs0k6tpq
   - &user_felixalb age1mrnldl334l2nszuta6ywvewng0fswv2dz9l5g4qcwe3nj4yxf92qjskdx6
   - &user_oysteikt F7D37890228A907440E1FD4846B9228E814A2AAC
+  - &user_eirikwit age1ju7rd26llahz3g8tz7cy5ld52swj8gsmg0flrmrxngc0nj0avq3ssh0sn5
 
   # Hosts
   - &host_jokum age1gp8ye4g2mmw3may5xg0zsy7mm04glfz3788mmdx9cvcsdxs9hg0s0cc9kt
@@ -18,6 +19,7 @@ creation_rules:
       - *host_jokum
       - *user_danio
       - *user_felixalb
+      - *user_eirikwit
       pgp:
       - *user_oysteikt
 

base.nix

@@ -73,7 +73,6 @@
 
   # Trusted users on the nix builder machines
   users.groups."nix-builder-users".name = "nix-builder-users";
-  users.motd = builtins.readFile ./misc/motd;
 
   services.openssh = {
     enable = true;

flake.lock

@@ -7,11 +7,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1702569759,
-        "narHash": "sha256-Ze3AdEEsVZBRJ4wn13EZpV1Uubkzi59TkC4j2G9xoFI=",
+        "lastModified": 1710169806,
+        "narHash": "sha256-HeWFrRuHpnAiPmIr26OKl2g142HuGerwoO/XtW53pcI=",
         "owner": "nix-community",
         "repo": "disko",
-        "rev": "98ab91109716871f50ea8cb0e0ac7cc1e1e14714",
+        "rev": "fe064a639319ed61cdf12b8f6eded9523abcc498",
         "type": "github"
       },
       "original": {
@@ -62,14 +62,16 @@
     },
     "matrix-next": {
       "inputs": {
-        "nixpkgs-lib": "nixpkgs-lib"
+        "nixpkgs": [
+          "nixpkgs"
+        ]
       },
       "locked": {
-        "lastModified": 1701507532,
-        "narHash": "sha256-Zzv8OFB7iilzDGe6z2t/j8qRtR23TN3N8LssGsvRWEA=",
+        "lastModified": 1710311999,
+        "narHash": "sha256-s0pT1NyrMgeolUojXXcnXQDymN7m80GTF7itCv0ZH20=",
         "owner": "dali99",
         "repo": "nixos-matrix-modules",
-        "rev": "046194cdadc50d81255a9c57789381ed1153e2b1",
+        "rev": "6c9b67974b839740e2a738958512c7a704481157",
         "type": "github"
       },
       "original": {
@@ -80,11 +82,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1702601832,
-        "narHash": "sha256-z+GyetKtwj7ZVZrRcI73N8Xy1B3JGAqDyPniBFRpIgo=",
+        "lastModified": 1710248792,
+        "narHash": "sha256-yFyWw4na+nJgtXwhHs2SJSy5Lcw94/FcMbBOorlGdfI=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "dff64d4ba6e9dc3f0a4ef8737f372a528d5bc8d1",
+        "rev": "efbb274f364c918b9937574de879b5874b5833cc",
         "type": "github"
       },
       "original": {
@@ -93,44 +95,29 @@
         "type": "indirect"
       }
     },
-    "nixpkgs-lib": {
-      "locked": {
-        "lastModified": 1673743903,
-        "narHash": "sha256-sloY6KYyVOozJ1CkbgJPpZ99TKIjIvM+04V48C04sMQ=",
-        "owner": "nix-community",
-        "repo": "nixpkgs.lib",
-        "rev": "7555e2dfcbac1533f047021f1744ac8871150f9f",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-community",
-        "repo": "nixpkgs.lib",
-        "type": "github"
-      }
-    },
     "nixpkgs-stable": {
       "locked": {
-        "lastModified": 1702148972,
-        "narHash": "sha256-h2jODFP6n+ABrUWcGRSVPRFfLOkM9TJ2pO+h+9JcaL0=",
+        "lastModified": 1710033658,
+        "narHash": "sha256-yiZiVKP5Ya813iYLho2+CcFuuHpaqKc/CoxOlANKcqM=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "b8f33c044e51de6dde3ad80a9676945e0e4e3227",
+        "rev": "b17375d3bb7c79ffc52f3538028b2ec06eb79ef8",
         "type": "github"
       },
       "original": {
         "owner": "NixOS",
-        "ref": "release-23.05",
+        "ref": "release-23.11",
         "repo": "nixpkgs",
         "type": "github"
       }
     },
     "nixpkgs-unstable": {
       "locked": {
-        "lastModified": 1702635820,
-        "narHash": "sha256-rClms9NTmSL/WIN5VmEccVhUExMkjCrRNswxU9QGNNo=",
+        "lastModified": 1710247538,
+        "narHash": "sha256-Mm3aCwfAdYgG2zKf5SLRBktPH0swXN1yEetAMn05KAA=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "02357adddd0889782362d999628de9d309d202dc",
+        "rev": "21adc4f16a8ab151fec83b9d9368cd62d9de86bc",
         "type": "github"
       },
       "original": {
@@ -168,7 +155,8 @@
         "nixpkgs": "nixpkgs",
         "nixpkgs-unstable": "nixpkgs-unstable",
         "pvv-calendar-bot": "pvv-calendar-bot",
-        "sops-nix": "sops-nix"
+        "sops-nix": "sops-nix",
+        "ssp-theme": "ssp-theme"
       }
     },
     "sops-nix": {
@@ -179,11 +167,11 @@
         "nixpkgs-stable": "nixpkgs-stable"
       },
       "locked": {
-        "lastModified": 1702177193,
-        "narHash": "sha256-J2409SyXROoUHYXVy9h4Pj0VU8ReLuy/mzBc9iK4DBg=",
+        "lastModified": 1710195194,
+        "narHash": "sha256-KFxCJp0T6TJOz1IOKlpRdpsCr9xsvlVuWY/VCiAFnTE=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "d806e546f96c88cd9f7d91c1c19ebc99ba6277d9",
+        "rev": "e52d8117b330f690382f1d16d81ae43daeb4b880",
         "type": "github"
       },
       "original": {
@@ -191,6 +179,22 @@
         "repo": "sops-nix",
         "type": "github"
       }
+    },
+    "ssp-theme": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1509201641,
+        "narHash": "sha256-naNRyPL6PAsZKW2w1Vt9wrHT9inCL/yAFnvpy4glv+c=",
+        "ref": "refs/heads/master",
+        "rev": "bda4314030be5f81aeaf2fb1927aee582f1194d9",
+        "revCount": 5,
+        "type": "git",
+        "url": "https://git.pvv.ntnu.no/Drift/ssp-theme.git"
+      },
+      "original": {
+        "type": "git",
+        "url": "https://git.pvv.ntnu.no/Drift/ssp-theme.git"
+      }
     }
   },
   "root": "root",

flake.nix

@@ -15,14 +15,18 @@
     pvv-calendar-bot.inputs.nixpkgs.follows = "nixpkgs";
 
     matrix-next.url = "github:dali99/nixos-matrix-modules";
+    matrix-next.inputs.nixpkgs.follows = "nixpkgs";
 
     grzegorz.url = "github:Programvareverkstedet/grzegorz";
     grzegorz.inputs.nixpkgs.follows = "nixpkgs-unstable";
     grzegorz-clients.url = "github:Programvareverkstedet/grzegorz-clients";
     grzegorz-clients.inputs.nixpkgs.follows = "nixpkgs";
+
+    ssp-theme.url = "git+https://git.pvv.ntnu.no/Drift/ssp-theme.git";
+    ssp-theme.flake = false;
   };
 
-  outputs = { self, nixpkgs, nixpkgs-unstable, sops-nix, disko, ... }@inputs:
+  outputs = { self, nixpkgs, nixpkgs-unstable, sops-nix, disko, ssp-theme, ... }@inputs:
   let
     nixlib = nixpkgs.lib;
     systems = [
@@ -52,16 +56,14 @@
           modules = [
             ./hosts/${name}/configuration.nix
             sops-nix.nixosModules.sops
-          ];
+          ] ++ config.modules or [];
 
           pkgs = import nixpkgs {
             inherit system;
-            overlays = [
-              inputs.pvv-calendar-bot.overlays.${system}.default
-            ];
+            overlays = [ ] ++ config.overlays or [ ];
           };
         }
-        config
+        (removeAttrs config [ "modules" "overlays" ])
       );
 
       stableNixosConfig = nixosConfig nixpkgs;
@@ -69,19 +71,30 @@
     in {
       bicep = stableNixosConfig "bicep" {
         modules = [
-          ./hosts/bicep/configuration.nix
-          sops-nix.nixosModules.sops
-
           inputs.matrix-next.nixosModules.default
           inputs.pvv-calendar-bot.nixosModules.default
         ];
+        overlays = [
+          inputs.pvv-calendar-bot.overlays.x86_64-linux.default
+        ];
+      };
+      bekkalokk = stableNixosConfig "bekkalokk" {
+        overlays = [
+          (final: prev: {
+            heimdal = final.callPackage ./packages/heimdal {
+              inherit (final.darwin.apple_sdk.frameworks) CoreFoundation Security SystemConfiguration;
+              autoreconfHook = final.buildPackages.autoreconfHook269;
+	    };
+            mediawiki-extensions = final.callPackage ./packages/mediawiki-extensions { };
+            simplesamlphp = final.callPackage ./packages/simplesamlphp { };
+	    ssp-theme = final.runCommandLocal "ssp-theme" { } ''
+	      ln -s ${ssp-theme} $out
+	    '';
+          })
+        ];
       };
-      bekkalokk = stableNixosConfig "bekkalokk" { };
       bob = stableNixosConfig "bob" {
         modules = [
-          ./hosts/bob/configuration.nix
-          sops-nix.nixosModules.sops
-
           disko.nixosModules.disko
           { disko.devices.disk.disk1.device = "/dev/vda"; }
         ];
@@ -92,28 +105,17 @@
 
       brzeczyszczykiewicz = stableNixosConfig "brzeczyszczykiewicz" {
         modules = [
-          ./hosts/brzeczyszczykiewicz/configuration.nix
-          sops-nix.nixosModules.sops
-
           inputs.grzegorz.nixosModules.grzegorz-kiosk
           inputs.grzegorz-clients.nixosModules.grzegorz-webui
         ];
       };
       georg = stableNixosConfig "georg" {
         modules = [
-          ./hosts/georg/configuration.nix
-          sops-nix.nixosModules.sops
-
           inputs.grzegorz.nixosModules.grzegorz-kiosk
           inputs.grzegorz-clients.nixosModules.grzegorz-webui
         ];
       };
-      buskerud = stableNixosConfig "buskerud" {
-        modules = [
-          ./hosts/buskerud/configuration.nix
-          sops-nix.nixosModules.sops
-        ];
-      };
+      buskerud = stableNixosConfig "buskerud" { };
     };
 
     devShells = forAllSystems (system: {
@@ -123,12 +125,28 @@
     packages = {
       "x86_64-linux" = let
         pkgs = nixpkgs.legacyPackages."x86_64-linux";
-      in rec {
-        default = important-machines;
+      in {
+        default = self.packages.x86_64-linux.important-machines;
         important-machines = pkgs.linkFarm "important-machines"
           (nixlib.getAttrs importantMachines self.packages.x86_64-linux);
         all-machines = pkgs.linkFarm "all-machines"
           (nixlib.getAttrs allMachines self.packages.x86_64-linux);
+
+        #######################
+        # TODO: remove this once nixos 24.05 gets released
+        #######################
+        heimdal = pkgs.callPackage ./packages/heimdal {
+          inherit (pkgs.darwin.apple_sdk.frameworks) CoreFoundation Security SystemConfiguration;
+          autoreconfHook = pkgs.buildPackages.autoreconfHook269;
+	};
+
+        simplesamlphp = pkgs.callPackage ./packages/simplesamlphp { };
+
+        mediawiki-extensions = pkgs.callPackage ./packages/mediawiki-extensions { };
+
+	ssp-theme = pkgs.runCommandLocal "ssp-theme" { } ''
+	  ln -s ${ssp-theme} $out
+	'';
       } // nixlib.genAttrs allMachines
         (machine: self.nixosConfigurations.${machine}.config.system.build.toplevel);
     };

hosts/bekkalokk/configuration.nix

@@ -12,8 +12,10 @@
     # ./services/website.nix
     ./services/nginx
     ./services/gitea/default.nix
+    ./services/kerberos
     ./services/webmail
-    # ./services/mediawiki.nix
+    ./services/mediawiki
+    ./services/idp-simplesamlphp
   ];
 
   sops.defaultSopsFile = ../../secrets/bekkalokk/bekkalokk.yaml;

hosts/bekkalokk/services/gitea/gitea-import-users.py

@@ -51,6 +51,7 @@ def add_user(username, name):
         existing_users[username] = user
 
     else:
+        user["visibility"] = existing_users[username]["visibility"]
         r = requests.patch(GITEA_API_URL + f'/admin/users/{username}',
                            json=user,
                            headers={'Authorization': 'token ' + API_TOKEN})

hosts/bekkalokk/services/idp-simplesamlphp/authpwauth.php

@@ -0,0 +1,135 @@
+<?php
+
+/**
+ * Authenticate using HTTP login.
+ *
+ * @author Yorn de Jong
+ * @author Oystein Kristoffer Tveit
+ * @package simpleSAMLphp
+ */
+
+namespace SimpleSAML\Module\authpwauth\Auth\Source;
+
+class PwAuth extends \SimpleSAML\Module\core\Auth\UserPassBase
+{
+    protected $pwauth_bin_path;
+    protected $mail_domain;
+
+    public function __construct(array $info, array &$config) {
+            assert('is_array($info)');
+            assert('is_array($config)');
+
+            /* Call the parent constructor first, as required by the interface. */
+            parent::__construct($info, $config);
+
+            $this->pwauth_bin_path = $config['pwauth_bin_path'];
+            if (array_key_exists('mail_domain', $config)) {
+                    $this->mail_domain = '@' . ltrim($config['mail_domain'], '@');
+            }
+    }
+
+    public function login(string $username, string $password): array {
+            $username = strtolower( $username );
+
+	    if (!file_exists($this->pwauth_bin_path)) {
+                    die("Could not find pwauth binary");
+                    return false;
+	    }
+
+	    if (!is_executable($this->pwauth_bin_path)) {
+                    die("pwauth binary is not executable");
+                    return false;
+	    }
+
+            $handle = popen($this->pwauth_bin_path, 'w');
+            if ($handle === FALSE) {
+                    die("Error opening pipe to pwauth");
+                    return false;
+            }
+
+            $data = "$username\n$password\n";
+            if (fwrite($handle, $data) !== strlen($data)) {
+                    die("Error writing to pwauth pipe");
+                    return false;
+            }
+
+            # Is the password valid?
+            $result = pclose( $handle );
+            if ($result !== 0) {
+                    if (!in_array($result, [1, 2, 3, 4, 5, 6, 7], true)) {
+                            die("pwauth returned $result for username $username");
+                    }
+                    throw new \SimpleSAML\Error\Error('WRONGUSERPASS');
+            }
+            /*
+            $ldap = ldap_connect('129.241.210.159', 389);
+            ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
+            ldap_start_tls($ldap);
+            ldap_bind($ldap, 'passordendrer@pvv.ntnu.no', 'Oi7aekoh');
+            $search = ldap_search($ldap, 'DC=pvv,DC=ntnu,DC=no', '(sAMAccountName='.ldap_escape($username, '', LDAP_ESCAPE_FILTER).')');
+            $entry = ldap_first_entry($ldap, $search);
+            $dn = ldap_get_dn($ldap, $entry);
+            $newpassword = mb_convert_encoding("\"$password\"", 'UTF-16LE', 'UTF-8');
+            ldap_modify_batch($ldap, $dn, [
+                    #[
+                    #       'modtype' => LDAP_MODIFY_BATCH_REMOVE,
+                    #       'attrib' => 'unicodePwd',
+                    #       'values' => [$password],
+                    #],
+                    [
+                            #'modtype' => LDAP_MODIFY_BATCH_ADD,
+                            'modtype' => LDAP_MODIFY_BATCH_REPLACE,
+                            'attrib' => 'unicodePwd',
+                            'values' => [$newpassword],
+                    ],
+            ]);
+            */
+
+            #0  -  Login OK.
+            #1  -  Nonexistant login or (for some configurations) incorrect password.
+            #2  -  Incorrect password (for some configurations).
+            #3  -  Uid number is below MIN_UNIX_UID value configured in config.h.
+            #4  -  Login ID has expired.
+            #5  -  Login's password has expired.
+            #6  -  Logins to system have been turned off (usually by /etc/nologin file).
+            #7  -  Limit on number of bad logins exceeded.
+            #50 -  pwauth was not run with real uid SERVER_UID.  If you get this
+            #      this error code, you probably have SERVER_UID set incorrectly
+            #      in pwauth's config.h file.
+            #51 -  pwauth was not given a login & password to check.  The means
+            #      the passing of data from mod_auth_external to pwauth is messed
+            #      up.  Most likely one is trying to pass data via environment
+            #      variables, while the other is trying to pass data via a pipe.
+            #52 -  one of several possible internal errors occured.
+
+
+            $uid = $username;
+	    # TODO: Reinstate this code once passwd is working...
+	    /*
+            $cn = trim(shell_exec('getent passwd '.escapeshellarg($uid).' | cut -d: -f5 | cut -d, -f1'));
+
+            $groups = preg_split('_\\s_', shell_exec('groups '.escapeshellarg($uid)));
+            array_shift($groups);
+            array_shift($groups);
+            array_pop($groups);
+	    
+            $info = posix_getpwnam($uid);
+            $group = $info['gid'];
+            if (!in_array($group, $groups)) {
+                    $groups[] = $group;
+            }
+	    */
+	    $cn = "Unknown McUnknown";
+	    $groups = array();
+
+            $result = array(
+                    'uid' => array($uid),
+                    'cn' => array($cn),
+                    'group' => $groups,
+            );
+            if (isset($this->mail_domain)) {
+                    $result['mail'] = array($uid.$this->mail_domain);
+            }
+            return $result;
+    }
+}

hosts/bekkalokk/services/idp-simplesamlphp/default.nix

@@ -0,0 +1,204 @@
+{ config, pkgs, lib, ... }:
+let
+  pwAuthScript = pkgs.writeShellApplication {
+    name = "pwauth";
+    runtimeInputs = with pkgs; [ coreutils heimdal ];
+    text = ''
+      read -r user1
+      user2="$(echo -n "$user1" | tr -c -d '0123456789abcdefghijklmnopqrstuvwxyz')"
+      if test "$user1" != "$user2"
+      then
+        read -r _
+        exit 2
+      fi
+      kinit --password-file=STDIN "''${user1}@PVV.NTNU.NO"
+    '';
+  };
+
+  package = pkgs.simplesamlphp.override {
+    extra_files = {
+      # NOTE: Using self signed certificate created 30. march 2024, with command:
+      # openssl req -newkey rsa:4096 -new -x509 -days 365 -nodes -out idp.crt -keyout idp.pem
+      "metadata/saml20-idp-hosted.php" = pkgs.writeText "saml20-idp-remote.php" ''
+        <?php
+	  $metadata['https://idp2.pvv.ntnu.no/'] = array(
+	    'host' => '__DEFAULT__',
+	    'privatekey' => '${config.sops.secrets."idp/privatekey".path}',
+	    'certificate' => '${./idp.crt}',
+	    'auth' => 'pwauth',
+	  );
+	?>
+      '';
+
+      "metadata/saml20-sp-remote.php" = pkgs.writeText "saml20-sp-remote.php" ''
+        <?php
+	  ${ lib.pipe config.services.idp.sp-remote-metadata [
+             (map (url: ''
+               $metadata['${url}'] = [
+                   'SingleLogoutService' => [
+                       [
+                           'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
+                           'Location' => '${url}module.php/saml/sp/saml2-logout.php/default-sp',
+                       ],
+                       [
+                           'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:SOAP',
+                           'Location' => '${url}module.php/saml/sp/saml2-logout.php/default-sp',
+                       ],
+                   ],
+                   'AssertionConsumerService' => [
+                       [
+                           'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
+                           'Location' => '${url}module.php/saml/sp/saml2-acs.php/default-sp',
+                           'index' => 0,
+                       ],
+                       [
+                           'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact',
+                           'Location' => '${url}module.php/saml/sp/saml2-acs.php/default-sp',
+                           'index' => 1,
+                       ],
+                   ],
+               ];
+	     ''))
+	     (lib.concatStringsSep "\n")
+	  ]}
+	?>
+      '';
+
+      "config/authsources.php" = pkgs.writeText "idp-authsources.php" ''
+        <?php
+          $config = array(
+	    'admin' => array(
+	      'core:AdminPassword'
+	    ),
+            'pwauth' => array(
+               'authpwauth:PwAuth',
+               'pwauth_bin_path' => '${lib.getExe pwAuthScript}',
+               'mail_domain' => '@pvv.ntnu.no',
+            ),
+          );
+	?>
+      '';
+
+      "config/config.php" = pkgs.runCommandLocal "simplesamlphp-config.php" { } ''
+        cp ${./config.php} "$out"
+
+        substituteInPlace "$out" \
+          --replace '$SAML_COOKIE_SECURE' 'true' \
+          --replace '$SAML_COOKIE_SALT' 'file_get_contents("${config.sops.secrets."idp/cookie_salt".path}")' \
+          --replace '$SAML_ADMIN_NAME' '"Drift"' \
+          --replace '$SAML_ADMIN_EMAIL' '"drift@pvv.ntnu.no"' \
+          --replace '$SAML_ADMIN_PASSWORD' 'file_get_contents("${config.sops.secrets."idp/admin_password".path}")' \
+          --replace '$SAML_TRUSTED_DOMAINS' 'array( "idp2.pvv.ntnu.no" )' \
+          --replace '$SAML_DATABASE_DSN' '"pgsql:host=postgres.pvv.ntnu.no;port=5432;dbname=idp"' \
+          --replace '$SAML_DATABASE_USERNAME' '"idp"' \
+          --replace '$SAML_DATABASE_PASSWORD' 'file_get_contents("${config.sops.secrets."idp/postgres_password".path}")' \
+          --replace '$CACHE_DIRECTORY' '/var/cache/idp'
+      '';
+
+      "modules/authpwauth/src/Auth/Source/PwAuth.php" = ./authpwauth.php;
+      
+      "modules/themepvv" = pkgs.ssp-theme;
+    };
+  };
+in
+{
+  options.services.idp.sp-remote-metadata = lib.mkOption {
+    type = with lib.types; listOf str;
+    default = [ ];
+    description = ''
+      List of urls point to (simplesamlphp) service profiders, which the idp should trust.
+
+      :::{.note}
+	Make sure the url ends with a `/`
+      :::
+    '';
+  };
+
+  config = {
+    sops.secrets = {
+      "idp/privatekey" = {
+        owner = "idp";
+        group = "idp";
+        mode = "0770";
+      };
+      "idp/admin_password" = {
+        owner = "idp";
+        group = "idp";
+      };
+      "idp/postgres_password" = {
+        owner = "idp";
+        group = "idp";
+      };
+      "idp/cookie_salt" = {
+        owner = "idp";
+        group = "idp";
+      };
+    };  
+
+    users.groups."idp" = { };
+    users.users."idp" = {
+      description = "PVV Identity Provider Service User";
+      group = "idp";
+      createHome = false;
+      isSystemUser = true;
+    };
+
+    systemd.tmpfiles.settings."10-idp" = {
+      "/var/cache/idp".d = {
+        user = "idp";
+        group = "idp";
+        mode = "0770";
+      };
+      "/var/lib/idp".d = {
+        user = "idp";
+        group = "idp";
+        mode = "0770";
+      };
+    };
+
+    services.phpfpm.pools.idp = {
+      user = "idp";
+      group = "idp";
+      settings = let
+        listenUser = config.services.nginx.user;
+        listenGroup = config.services.nginx.group;
+      in {
+        "pm" = "dynamic";
+        "pm.max_children" = 32;
+        "pm.max_requests" = 500;
+        "pm.start_servers" = 2;
+        "pm.min_spare_servers" = 2;
+        "pm.max_spare_servers" = 4;
+        "listen.owner" = listenUser;
+        "listen.group" = listenGroup;
+
+        "catch_workers_output" = true;
+        "php_admin_flag[log_errors]" = true;
+        # "php_admin_value[error_log]" = "stderr";
+      };
+    };
+
+    services.nginx.virtualHosts."idp2.pvv.ntnu.no" = {
+      forceSSL = true;
+      enableACME = true;
+      root = "${package}/share/php/simplesamlphp/public";
+      locations =  {
+        # based on https://simplesamlphp.org/docs/stable/simplesamlphp-install.html#configuring-nginx
+        "/" = {
+          alias = "${package}/share/php/simplesamlphp/public/";
+          index = "index.php";
+
+          extraConfig = ''
+            location ~ ^/(?<phpfile>.+?\.php)(?<pathinfo>/.*)?$ {
+              include ${pkgs.nginx}/conf/fastcgi_params;
+              fastcgi_pass unix:${config.services.phpfpm.pools.idp.socket};
+              fastcgi_param SCRIPT_FILENAME ${package}/share/php/simplesamlphp/public/$phpfile;
+              fastcgi_param SCRIPT_NAME /$phpfile;
+              fastcgi_param PATH_INFO $pathinfo if_not_empty;
+            }
+          '';
+        };
+      };
+    };
+  };
+}

hosts/bekkalokk/services/idp-simplesamlphp/idp.crt

@@ -0,0 +1,33 @@
+-----BEGIN CERTIFICATE-----
+MIIFqTCCA5GgAwIBAgIUL2+PMM9rE9wI5W2yNnJ2CmfGxh0wDQYJKoZIhvcNAQEL
+BQAwZDELMAkGA1UEBhMCTk8xEzARBgNVBAgMClNvbWUtU3RhdGUxHjAcBgNVBAoM
+FVByb2dyYW12YXJldmVya3N0ZWRldDEgMB4GCSqGSIb3DQEJARYRZHJpZnRAcHZ2
+Lm50bnUubm8wHhcNMjQwMzMwMDAyNjQ0WhcNMjUwMzMwMDAyNjQ0WjBkMQswCQYD
+VQQGEwJOTzETMBEGA1UECAwKU29tZS1TdGF0ZTEeMBwGA1UECgwVUHJvZ3JhbXZh
+cmV2ZXJrc3RlZGV0MSAwHgYJKoZIhvcNAQkBFhFkcmlmdEBwdnYubnRudS5ubzCC
+AiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAL/0l0jdV+PoVxdd21F+2NLm
+JN6sZmSJexOSk/sFjhhF4WMtjOfDAQYjt3hlLPyYl//jCe9WteavvtdCx1tHJitd
+xjOUJ/leVjHzBttCVZR+iTlQtpsZ2TbRMJ5Fcfl82njlPecV4umJvnnFXawE4Qee
+dE2OM8ODjjrK1cNaHR74tyZCwmdOxNHXZ7RN22p9kZjLD18LQyNr5igaDBeaZkyk
+Gxbg4tbP51x9JFRLF7kUlyAc83geFnw6v/wBahr49m/X4y7xE0rdPb2L0moUjmOO
+Zyl3hvxMI3+g/0FVMM5eKmfIIP2rIVEAa6MWMx0vPjC6h2fIyxkUqg5C8aFlpqav
++8f2rUc+JfdiFsIZNrylBXsleGzS+/wY1uB/pAy5Vg9WCp+eC75EtWMt0k2f442G
+rhKa3lAZ6GIYrtEiQiNGM1aT1Cs1nqTtslfnHiuAKBefLjCXgq9uvL2yRodwe9/m
+oZiqYnLHy/v1xfnF5rKTcRmOleU3tc+nlN6tZSGC1nZgMpqpoqdcbJXAkvaJ2Km4
+sl0YS28VQnztgzuVPNdnv8lcS6HmkaGaNWbepKgWeaH5oT7O6u99wZIv88m+tf5m
+Eu197YVpcclnojQCYKauWcQFsXS20egsVP87Qk0e2SHmGTUQp6YEYX6RLjkg7/vS
+BelDBbCldraNVEiC0jmpAgMBAAGjUzBRMB0GA1UdDgQWBBSL0yofG5NEmzFIRuqC
+xmyiuZW6DTAfBgNVHSMEGDAWgBSL0yofG5NEmzFIRuqCxmyiuZW6DTAPBgNVHRMB
+Af8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4ICAQAZZVs7BLk/NLq3f4Ik8qH3IoDN
+2m4XXRZS+xxw5RwctgSnik7AffgAfv8QQm2co8UYkHbB0whaG1PDz+L7wB1hVkWn
+DVUaJcKQnn0x+sNU5LoTbjI0PlaST7PO5D0OMFab8FSNxpzzpbUcgZUhelc99Ri/
+2Gh8mf4b3Y3Uzq6YKFsuFM65OuJhH8f1w6onai9x28t6tERHUSUfJ2keXzU4ytCV
+EitWXwhe759VLqmdP4BATwlCOCuwa5aDeGcWRIqFpYIn0SOAmVV3o4V71JdZc1jE
+fuOo/PbiHZ+R9ZGbh98aMidb0moL1ZDhmir9KbedezNyki6JJ72mVclhLqUajFxr
+T39FXd5e2+QBMHPPhVFznQoHWnHEbZigTt61b0cg/TsxaxOkF4Ilmr/2DmSWysWK
+TF5eq8hp6/53qVbXXSzrCjxd3wzGnRabsEVPX/L2hYDx81hluovJQCtskqTq1joI
+W2R7AO5Sdyc6NfOR85kl0HXzHa+0Slsf8ZDs5nCz/mOOPoAGl7IxF7xQ6kPO7V+U
+HdGE2tkblM/TrAObJH0HXySeJGI7Vfya+D1Y8IqGtyZtWyx1DmlA/OezGGf5D3rG
+88LywHQQ2mQ+8aosBTE4+HQ+apLKZBprqQKuiDjT1RSUbfUHQkYuL+D1oIVmklAc
+UxTpf01QJnZkMqf5NQ==
+-----END CERTIFICATE-----

hosts/bekkalokk/services/idp-simplesamlphp/metadata.php.nix

@@ -0,0 +1,22 @@
+''
+  <?php
+  $metadata['https://idp2.pvv.ntnu.no/'] = [
+      'metadata-set' => 'saml20-idp-hosted',
+      'entityid' => 'https://idp2.pvv.ntnu.no/',
+      'SingleSignOnService' => [
+          [
+              'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
+              'Location' => 'https://idp2.pvv.ntnu.no/module.php/saml/idp/singleSignOnService',
+          ],
+      ],
+      'SingleLogoutService' => [
+          [
+              'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
+              'Location' => 'https://idp2.pvv.ntnu.no/module.php/saml/idp/singleLogout',
+          ],
+      ],
+      'NameIDFormat' => [ 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient' ],
+      'certificate' => '${./idp.crt}',
+  ];
+  ?>
+''

hosts/bekkalokk/services/mediawiki.nix

@@ -1,175 +0,0 @@
-{ pkgs, lib, config, values, ... }: let
-  cfg = config.services.mediawiki;
-
-  # "mediawiki"
-  user = config.systemd.services.mediawiki-init.serviceConfig.User;
-
-  # "mediawiki"
-  group = config.users.users.${user}.group;
-in {
-  sops.secrets = {
-    "mediawiki/password" = {
-      restartUnits = [ "mediawiki-init.service" "phpfpm-mediawiki.service" ];
-      owner = user;
-      group = group;
-    };
-    "keys/postgres/mediawiki" = {
-      restartUnits = [ "mediawiki-init.service" "phpfpm-mediawiki.service" ];
-      owner = user;
-      group = group;
-    };
-  };
-
-  services.mediawiki = {
-    enable = true;
-    name = "Programvareverkstedet";
-    passwordFile = config.sops.secrets."mediawiki/password".path;
-    passwordSender = "drift@pvv.ntnu.no";
-
-    database = {
-      type = "postgres";
-      host = "postgres.pvv.ntnu.no";
-      port = config.services.postgresql.port;
-      passwordFile = config.sops.secrets."keys/postgres/mediawiki".path;
-      createLocally = false;
-      # TODO: create a normal database and copy over old data when the service is production ready
-      name = "mediawiki_test";
-    };
-
-    # Host through nginx
-    webserver = "none";
-    poolConfig = let
-      listenUser = config.services.nginx.user;
-      listenGroup = config.services.nginx.group;
-    in {
-      inherit user group;
-      "pm" = "dynamic";
-      "pm.max_children" = 32;
-      "pm.max_requests" = 500;
-      "pm.start_servers" = 2;
-      "pm.min_spare_servers" = 2;
-      "pm.max_spare_servers" = 4;
-      "listen.owner" = listenUser;
-      "listen.group" = listenGroup;
-      "php_admin_value[error_log]" = "stderr";
-      "php_admin_flag[log_errors]" = "on";
-      "env[PATH]" = lib.makeBinPath [ pkgs.php ];
-      "catch_workers_output" = true;
-      # to accept *.html file
-      "security.limit_extensions" = "";
-    };
-
-    extensions = {
-      DeleteBatch = pkgs.fetchzip {
-        url = "https://extdist.wmflabs.org/dist/extensions/DeleteBatch-REL1_39-995ea6f.tar.gz";
-	sha256 = "sha256-0F4GLCy2f5WcWIY2YgF1tVxgYbglR0VOsj/pMrW93b8=";
-      };
-      UserMerge = pkgs.fetchzip {
-        url = "https://extdist.wmflabs.org/dist/extensions/UserMerge-REL1_39-b10d50e.tar.gz";
-	sha256 = "sha256-bXhj1+OlOUJDbvEuc8iwqb1LLEu6cN6+C/7cAvnWPOQ=";
-      };
-      PluggableAuth = pkgs.fetchzip {
-        url = "https://extdist.wmflabs.org/dist/extensions/PluggableAuth-REL1_39-1210fc3.tar.gz";
-	sha256 = "sha256-F6bTMCzkK3kZwZGIsNE87WlZWqXXmTMhEjApO99YKR0=";
-      };
-      SimpleSAMLphp = pkgs.fetchzip {
-        url = "https://extdist.wmflabs.org/dist/extensions/SimpleSAMLphp-REL1_39-dcf0acb.tar.gz";
-        sha256 = "sha256-tCvFmb2+q2rxms+lRo5pgoI3h6GjCwXAR8XisPg03TQ=";
-      };
-    };
-
-    extraConfig = let
-
-      SimpleSAMLphpRepo = pkgs.stdenvNoCC.mkDerivation rec {
-        pname = "configuredSimpleSAML";
-	version = "2.0.4";
-        src = pkgs.fetchzip {
-          url = "https://github.com/simplesamlphp/simplesamlphp/releases/download/v${version}/simplesamlphp-${version}.tar.gz";
-          sha256 = "sha256-pfMV/VmqqxgtG7Nx4s8MW4tWSaxOkVPtCRJwxV6RDSE=";
-        };
-
-	buildPhase = ''
-          cat > config/authsources.php << EOF
-          <?php
-          $config = array(
-            'default-sp' => array(
-              'saml:SP',
-              'idp' => 'https://idp.pvv.ntnu.no/',
-            ),
-          );
-	  EOF
-	'';
-
-	installPhase = ''
-	  cp -r . $out
-	'';
-      };
-
-    in ''
-      $wgServer = "https://bekkalokk.pvv.ntnu.no";
-      $wgLocaltimezone = "Europe/Oslo";
-
-      # Only allow login through SSO
-      $wgEnableEmail = false;
-      $wgEnableUserEmail = false;
-      $wgEmailAuthentication = false;
-      $wgGroupPermissions['*']['createaccount'] = false;
-      $wgGroupPermissions['*']['autocreateaccount'] = true;
-      $wgPluggableAuth_EnableAutoLogin = true;
-
-      # Disable anonymous editing
-      $wgGroupPermissions['*']['edit'] = false;
-
-      # Styling
-      $wgLogo = "/PNG/PVV-logo.png";
-      $wgDefaultSkin = "monobook";
-
-      # Misc
-      $wgEmergencyContact = "${cfg.passwordSender}";
-      $wgShowIPinHeader = false;
-      $wgUseTeX = false;
-      $wgLocalInterwiki = $wgSitename;
-
-      # SimpleSAML
-      $wgSimpleSAMLphp_InstallDir = "${SimpleSAMLphpRepo}";
-      $wgSimpleSAMLphp_AuthSourceId = "default-sp";
-      $wgSimpleSAMLphp_RealNameAttribute = "cn";
-      $wgSimpleSAMLphp_EmailAttribute = "mail";
-      $wgSimpleSAMLphp_UsernameAttribute = "uid";
-
-      # Fix https://github.com/NixOS/nixpkgs/issues/183097
-      $wgDBserver = "${toString cfg.database.host}";
-    '';
-  };
-
-  # Override because of https://github.com/NixOS/nixpkgs/issues/183097
-  systemd.services.mediawiki-init.script = let
-    # According to module
-    stateDir = "/var/lib/mediawiki";
-    pkg = cfg.finalPackage;
-    mediawikiConfig = config.services.phpfpm.pools.mediawiki.phpEnv.MEDIAWIKI_CONFIG;
-    inherit (lib) optionalString mkForce;
-  in mkForce ''
-    if ! test -e "${stateDir}/secret.key"; then
-      tr -dc A-Za-z0-9 </dev/urandom 2>/dev/null | head -c 64 > ${stateDir}/secret.key
-    fi
-
-    echo "exit( wfGetDB( DB_MASTER )->tableExists( 'user' ) ? 1 : 0 );" | \
-    ${pkgs.php}/bin/php ${pkg}/share/mediawiki/maintenance/eval.php --conf ${mediawikiConfig} && \
-    ${pkgs.php}/bin/php ${pkg}/share/mediawiki/maintenance/install.php \
-      --confpath /tmp \
-      --scriptpath / \
-      --dbserver "${cfg.database.host}" \
-      --dbport ${toString cfg.database.port} \
-      --dbname ${cfg.database.name} \
-      ${optionalString (cfg.database.tablePrefix != null) "--dbprefix ${cfg.database.tablePrefix}"} \
-      --dbuser ${cfg.database.user} \
-      ${optionalString (cfg.database.passwordFile != null) "--dbpassfile ${cfg.database.passwordFile}"} \
-      --passfile ${cfg.passwordFile} \
-      --dbtype ${cfg.database.type} \
-      ${cfg.name} \
-      admin
-
-    ${pkgs.php}/bin/php ${pkg}/share/mediawiki/maintenance/update.php --conf ${mediawikiConfig} --quick
-  '';
-}

hosts/bekkalokk/services/mediawiki/default.nix

@@ -0,0 +1,257 @@
+{ pkgs, lib, config, values, pkgs-unstable, ... }: let
+  cfg = config.services.mediawiki;
+
+  # "mediawiki"
+  user = config.systemd.services.mediawiki-init.serviceConfig.User;
+
+  # "mediawiki"
+  group = config.users.users.${user}.group;
+
+  simplesamlphp = pkgs.simplesamlphp.override {
+    extra_files = {
+      "metadata/saml20-idp-remote.php" = pkgs.writeText "mediawiki-saml20-idp-remote.php" (import ../idp-simplesamlphp/metadata.php.nix);
+
+      "config/authsources.php" = ./simplesaml-authsources.php;
+
+      "config/config.php" = pkgs.runCommandLocal "mediawiki-simplesamlphp-config.php" { } ''
+        cp ${./simplesaml-config.php} "$out"
+
+        substituteInPlace "$out" \
+          --replace '$SAML_COOKIE_SECURE' 'true' \
+          --replace '$SAML_COOKIE_SALT' 'file_get_contents("${config.sops.secrets."mediawiki/simplesamlphp/cookie_salt".path}")' \
+          --replace '$SAML_ADMIN_NAME' '"Drift"' \
+          --replace '$SAML_ADMIN_EMAIL' '"drift@pvv.ntnu.no"' \
+          --replace '$SAML_ADMIN_PASSWORD' 'file_get_contents("${config.sops.secrets."mediawiki/simplesamlphp/admin_password".path}")' \
+          --replace '$SAML_TRUSTED_DOMAINS' 'array( "wiki2.pvv.ntnu.no" )' \
+          --replace '$SAML_DATABASE_DSN' '"pgsql:host=postgres.pvv.ntnu.no;port=5432;dbname=mediawiki_simplesamlphp"' \
+          --replace '$SAML_DATABASE_USERNAME' '"mediawiki_simplesamlphp"' \
+          --replace '$SAML_DATABASE_PASSWORD' 'file_get_contents("${config.sops.secrets."mediawiki/simplesamlphp/postgres_password".path}")' \
+          --replace '$CACHE_DIRECTORY' '/var/cache/mediawiki/idp'
+      '';
+    };
+  };
+in {
+  services.idp.sp-remote-metadata = [ "https://wiki2.pvv.ntnu.no/simplesaml/" ];
+
+  sops.secrets = {
+    "mediawiki/password" = {
+      owner = user;
+      group = group;
+    };
+    "mediawiki/postgres_password" = {
+      owner = user;
+      group = group;
+    };
+    "mediawiki/simplesamlphp/postgres_password" = {
+      owner = user;
+      group = group;
+    };
+    "mediawiki/simplesamlphp/cookie_salt" = {
+      owner = user;
+      group = group;
+    };
+    "mediawiki/simplesamlphp/admin_password" = {
+      owner = user;
+      group = group;
+    };
+  };
+
+  services.mediawiki = {
+    enable = true;
+    name = "Programvareverkstedet";
+    passwordFile = config.sops.secrets."mediawiki/password".path;
+    passwordSender = "drift@pvv.ntnu.no";
+
+    database = {
+      type = "mysql";
+      host = "mysql.pvv.ntnu.no";
+      port = 3306;
+      user = "mediawiki";
+      passwordFile = config.sops.secrets."mediawiki/postgres_password".path;
+      createLocally = false;
+      # TODO: create a normal database and copy over old data when the service is production ready
+      name = "mediawiki";
+    };
+
+    # Host through nginx
+    webserver = "none";
+    poolConfig = let
+      listenUser = config.services.nginx.user;
+      listenGroup = config.services.nginx.group;
+    in {
+      inherit user group;
+      "pm" = "dynamic";
+      "pm.max_children" = 32;
+      "pm.max_requests" = 500;
+      "pm.start_servers" = 2;
+      "pm.min_spare_servers" = 2;
+      "pm.max_spare_servers" = 4;
+      "listen.owner" = listenUser;
+      "listen.group" = listenGroup;
+
+      "catch_workers_output" = true;
+      "php_admin_flag[log_errors]" = true;
+      # "php_admin_value[error_log]" = "stderr";
+
+      # to accept *.html file
+      "security.limit_extensions" = "";
+    };
+
+    extensions = {
+      inherit (pkgs.mediawiki-extensions) DeleteBatch UserMerge PluggableAuth SimpleSAMLphp;
+    };
+
+    extraConfig = ''
+      $wgServer = "https://wiki2.pvv.ntnu.no";
+      $wgLocaltimezone = "Europe/Oslo";
+
+      # Only allow login through SSO
+      $wgEnableEmail = false;
+      $wgEnableUserEmail = false;
+      $wgEmailAuthentication = false;
+      $wgGroupPermissions['*']['createaccount'] = false;
+      $wgGroupPermissions['*']['autocreateaccount'] = true;
+      $wgPluggableAuth_EnableAutoLogin = false;
+
+      # Misc. permissions
+      $wgGroupPermissions['*']['edit'] = false;
+      $wgGroupPermissions['*']['read'] = true;
+
+      # Misc. URL rules
+      $wgUsePathInfo = true;
+      $wgScriptExtension = ".php";
+      $wgNamespacesWithSubpages[NS_MAIN] = true;
+
+      # Styling
+      $wgLogos = array(
+        "2x" => "/PNG/PVV-logo.png",
+        "icon" => "/PNG/PVV-logo.svg",
+      );
+      # wfLoadSkin('Timeless');
+      $wgDefaultSkin = "vector-2022";
+      # from https://github.com/wikimedia/mediawiki-skins-Vector/blob/master/skin.json
+      $wgVectorDefaultSidebarVisibleForAnonymousUser = true;
+      $wgVectorResponsive = true;
+
+      # Misc
+      $wgEmergencyContact = "${cfg.passwordSender}";
+      $wgShowIPinHeader = false;
+      $wgUseTeX = false;
+      $wgLocalInterwiki = $wgSitename;
+
+      # SimpleSAML
+      $wgSimpleSAMLphp_InstallDir = "${simplesamlphp}/share/php/simplesamlphp/";
+      $wgPluggableAuth_Config['Log in using my SAML'] = [
+        'plugin' => 'SimpleSAMLphp',
+        'data' => [
+          'authSourceId' => 'default-sp',
+          'usernameAttribute' => 'uid',
+          'emailAttribute' => 'mail',
+          'realNameAttribute' => 'cn',
+        ]
+      ];
+
+      # Fix https://github.com/NixOS/nixpkgs/issues/183097
+      $wgDBserver = "${toString cfg.database.host}";
+    '';
+  };
+
+  # Cache directory for simplesamlphp
+  # systemd.services.phpfpm-mediawiki.serviceConfig.CacheDirectory = "mediawiki/simplesamlphp";
+  systemd.tmpfiles.settings."10-mediawiki"."/var/cache/mediawiki/simplesamlphp".d = {
+    user = "mediawiki";
+    group = "mediawiki";
+    mode = "0770";
+  };
+
+  # Override because of https://github.com/NixOS/nixpkgs/issues/183097
+  systemd.services.mediawiki-init.script = let
+    # According to module
+    stateDir = "/var/lib/mediawiki";
+    pkg = cfg.finalPackage;
+    mediawikiConfig = config.services.phpfpm.pools.mediawiki.phpEnv.MEDIAWIKI_CONFIG;
+    inherit (lib) optionalString mkForce;
+  in mkForce ''
+    if ! test -e "${stateDir}/secret.key"; then
+      tr -dc A-Za-z0-9 </dev/urandom 2>/dev/null | head -c 64 > ${stateDir}/secret.key
+    fi
+
+    echo "exit( wfGetDB( DB_MASTER )->tableExists( 'user' ) ? 1 : 0 );" | \
+    ${pkgs.php}/bin/php ${pkg}/share/mediawiki/maintenance/eval.php --conf ${mediawikiConfig} && \
+    ${pkgs.php}/bin/php ${pkg}/share/mediawiki/maintenance/install.php \
+      --confpath /tmp \
+      --scriptpath / \
+      --dbserver "${cfg.database.host}" \
+      --dbport ${toString cfg.database.port} \
+      --dbname ${cfg.database.name} \
+      ${optionalString (cfg.database.tablePrefix != null) "--dbprefix ${cfg.database.tablePrefix}"} \
+      --dbuser ${cfg.database.user} \
+      ${optionalString (cfg.database.passwordFile != null) "--dbpassfile ${cfg.database.passwordFile}"} \
+      --passfile ${cfg.passwordFile} \
+      --dbtype ${cfg.database.type} \
+      ${cfg.name} \
+      admin
+
+    ${pkgs.php}/bin/php ${pkg}/share/mediawiki/maintenance/update.php --conf ${mediawikiConfig} --quick
+  '';
+
+  users.groups.mediawiki.members = [ "nginx" ];
+
+  services.nginx.virtualHosts."wiki2.pvv.ntnu.no" = {
+    forceSSL = true;
+    enableACME = true;
+    root = "${config.services.mediawiki.finalPackage}/share/mediawiki";
+    locations =  {
+      "/" = {
+	index = "index.php";
+      };
+
+      "~ /(.+\\.php)" = {
+        extraConfig = ''
+          fastcgi_split_path_info ^(.+\.php)(/.+)$;
+          fastcgi_index index.php;
+          fastcgi_pass unix:${config.services.phpfpm.pools.mediawiki.socket};
+          include ${pkgs.nginx}/conf/fastcgi_params;
+          include ${pkgs.nginx}/conf/fastcgi.conf;
+        '';
+      };
+
+      # based on https://simplesamlphp.org/docs/stable/simplesamlphp-install.html#configuring-nginx
+      "^~ /simplesaml/" = {
+        alias = "${simplesamlphp}/share/php/simplesamlphp/public/";
+        index = "index.php";
+
+        extraConfig = ''
+          location ~ ^/simplesaml/(?<phpfile>.+?\.php)(?<pathinfo>/.*)?$ {
+            include ${pkgs.nginx}/conf/fastcgi_params;
+            fastcgi_pass unix:${config.services.phpfpm.pools.mediawiki.socket}; 
+            fastcgi_param SCRIPT_FILENAME ${simplesamlphp}/share/php/simplesamlphp/public/$phpfile;
+
+            # Must be prepended with the baseurlpath
+            fastcgi_param SCRIPT_NAME /simplesaml/$phpfile;
+
+            fastcgi_param PATH_INFO $pathinfo if_not_empty;
+          }
+        '';
+      };
+
+      "/images/".alias = "${config.services.mediawiki.uploadsDir}/";
+
+      "= /PNG/PVV-logo.svg".alias = ../../../../assets/logo_blue_regular.svg;
+      "= /PNG/PVV-logo.png".alias = ../../../../assets/logo_blue_regular.png;
+      "= /favicon.ico".alias = pkgs.runCommandLocal "mediawiki-favicon.ico" {
+        buildInputs = with pkgs; [ imagemagick ];
+      } ''
+        convert \
+	  -resize x64 \
+	  -gravity center \
+	  -crop 64x64+0+0 \
+	  ${../../../../assets/logo_blue_regular.png} \
+	  -flatten \
+	  -colors 256 \
+	  -background transparent \
+	  $out
+      '';
+    };
+  };
+}

hosts/bekkalokk/services/mediawiki/simplesaml-authsources.php

@@ -0,0 +1,11 @@
+<?php
+$config = array(
+    'admin' => array(
+      'core:AdminPassword'
+    ),
+    'default-sp' => array(
+        'saml:SP',
+        'entityID' => 'https://wiki2.pvv.ntnu.no/simplesaml/',
+        'idp' => 'https://idp2.pvv.ntnu.no/',
+    ),
+);

hosts/bekkalokk/services/nginx/default.nix

@@ -16,6 +16,12 @@
     recommendedProxySettings = true;
     recommendedOptimisation = true;
     recommendedGzipSettings = true;
+
+    virtualHosts."bekkalokk.pvv.ntnu.no" = {
+      enableACME = true;
+      forceSSL = true;
+      locations."/".return = "301 $scheme://git.pvv.ntnu.no$request_uri";
+    };
   };
 
   networking.firewall.allowedTCPPorts = [ 80 443 ];

hosts/bekkalokk/services/openldap.nix

@@ -0,0 +1,6 @@
+{ ... }:
+{
+  services.openldap = {
+    enable = true;
+  };
+}

hosts/bicep/services/matrix/element.nix

@@ -24,21 +24,26 @@ in {
         features = {
           feature_latex_maths = true;
           feature_pinning = true;
+          feature_render_reaction_images = true;
           feature_state_counters = true;
-          feature_custom_status = false;
+          # element call group calls
+          feature_group_calls = true;
         };
         default_theme = "dark";
+        # Servers in this list should provide some sort of valuable scoping
+        # matrix.org is not useful compared to matrixrooms.info,
+        # because it has so many general members, rooms of all topics are on it.
+        # Something matrixrooms.info is already providing.
         room_directory.servers = [
           "pvv.ntnu.no"
-          "matrix.omegav.no"
-          "matrix.org"
-          "libera.chat"
-          "gitter.im"
-          "mozilla.org"
-          "kde.org"
-          "t2bot.io"
-          "fosdem.org"
-          "dodsorf.as"
+          "matrixrooms.info" # Searches all public room directories
+          "matrix.omegav.no" # Friends
+          "gitter.im" # gitter rooms
+          "mozilla.org" # mozilla and friends
+          "kde.org" # KDE rooms
+          "fosdem.org" # FOSDEM
+          "dodsorf.as" # PVV Member
+          "nani.wtf" # PVV Member
         ];
         enable_presence_by_hs_url = {
           "https://matrix.org" = false;

hosts/bikkje/configuration.nix

@@ -0,0 +1,44 @@
+{ config, pkgs, values, ... }:
+{
+    networking.nat = {
+    enable = true;
+    internalInterfaces = ["ve-+"];
+    externalInterface = "ens3";
+    # Lazy IPv6 connectivity for the container
+    enableIPv6 = true;
+  };
+
+  containers.bikkje = {
+    autoStart = true;
+    config = { config, pkgs, ... }: {
+      #import packages
+      packages = with pkgs; [
+          alpine
+          mutt
+          mutt-ics
+          mutt-wizard
+          weechat
+          weechatScripts.edit
+          hexchat
+          irssi
+          pidgin
+      ];
+
+      networking = {
+        firewall = {
+          enable = true;
+          # Allow SSH and HTTP and ports for email and irc
+          allowedTCPPorts = [ 80 22 194 994 6665 6666 6667 6668 6669 6697 995 993 25 465 587 110 143 993 995 ];
+          allowedUDPPorts = [ 80 22 194 994 6665 6666 6667 6668 6669 6697 995 993 25 465 587 110 143 993 995 ];
+        };
+        # Use systemd-resolved inside the container
+        # Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686
+        useHostResolvConf = mkForce false;
+      };
+      
+      system.stateVersion = "23.11";
+      services.resolved.enable = true;
+    };
+  };
+
+};

hosts/buskerud/bikkje/default.nix

@@ -1,125 +0,0 @@
-{ config, pkgs, values, lib, ... }:
-{
-  containers.bikkje = {
-    autoStart = true;
-    interfaces = [ "enp4s0f0" ];
-
-    config = { config, pkgs, ... }: {
-      imports = [
-        ../../../modules/home-areas.nix
-        ./services/kerberos
-      ];
-
-      environment.systemPackages = with pkgs; [
-          zsh
-          bash
-          fish
-          tcsh
-
-          alpine
-          mutt
-          mutt-ics
-          mutt-wizard
-          notmuch
-          mailutils
-          procmail
-
-          irssi
-          weechat
-          weechatScripts.edit
-
-          coreutils-full
-          diffutils
-          findutils
-          ripgrep
-          cvs
-          gawk
-          git
-          gnupg
-          gnused
-          groff
-          less
-          p7zip
-          rcs
-          screen
-          tmux
-          tree
-          unzip
-          zip
-
-          emacs
-          helix
-          joe
-          micro
-          nano
-          neovim
-
-          autossh
-          inetutils
-          lynx
-          mosh
-          rsync
-          w3m
-
-          clang
-          gcc
-          guile
-          lua
-          perl
-          php
-          python3
-          (python3.withPackages (ps: with ps; [
-            numpy
-            sympy
-            scipy
-            requests
-            imageio
-            pillow
-            httpx
-            pycryptodome
-            pandas
-            matplotlib
-          ]))
-          ruby
-          tcl
-      ];
-
-      services.openssh = {
-        enable = true;
-        ports = [ 22 80 443 ];
-        openFirewall = true;
-        extraConfig = ''
-          PubkeyAcceptedAlgorithms=+ssh-rsa
-       '';
-
-        settings = {
-          GatewayPorts = "yes";
-          PermitRootLogin = "yes";
-        };
-      };
-
-      users.motd = builtins.readFile ../../../misc/motd;
-
-      networking = {
-        firewall.enable = true;
-        # Use systemd-resolved inside the container
-        # Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686
-        useHostResolvConf = lib.mkForce false;
-        hostName = "bikkje";
-      };
-
-      systemd.network.enable = true;
-      systemd.network.networks."30-enp4s0f0" = values.defaultNetworkConfig // {
-        matchConfig.Name = "enp4s0f0";
-        address = with values.hosts.bikkje; [ (ipv4 + "/25") (ipv6 + "/64") ];
-      };
-      
-      system.stateVersion = "23.11";
-      services.resolved.enable = true;
-    };
-  };
-
-  # TODO
-  # - Kerberos Authentication
-  # - Mail Transfer Agent
-}

hosts/buskerud/configuration.nix

@@ -4,8 +4,6 @@
     ./hardware-configuration.nix
     ../../base.nix
     ../../misc/metrics-exporters.nix
-
-    ./bikkje
   ];
 
   # buskerud does not support efi?

misc/motd

@@ -1,16 +0,0 @@
-		 ███████████  █████   █████ █████   █████
-		░░███░░░░░███░░███   ░░███ ░░███   ░░███
-		 ░███    ░███ ░███    ░███  ░███    ░███
-		 ░██████████  ░███    ░███  ░███    ░███
-		 ░███░░░░░░   ░░███   ███   ░░███   ███
-		 ░███          ░░░█████░     ░░░█████░
-		 █████           ░░███         ░░███
-		░░░░░             ░░░           ░░░
-
-================= EN ==================|================== NB =================
-Welcome to a PVV machine, life is good.|Velkommen til en PVV-maskin,
-                                       |livet er deilig.
-If you are confused, try pvv.ntnu.no or|Hvis du er forvirret prøv pvv.ntnu.no
-our discord server.                    |eller vår discord-server.
-More info at pvv.ntnu.no/kontakt/      |Mer info på pvv.ntnu.no/kontakt/
-===============================================================================

modules/home-areas.nix

@@ -1,20 +0,0 @@
-{ pkgs, lib, ... }:
-{
-  fileSystems = let
-    # See microbel:/etc/exports
-    homeMounts = (lib.listToAttrs (map
-      (l: lib.nameValuePair "/home/pvv/${l}" "homepvv${l}.pvv.ntnu.no:/export/home/pvv/${l}")
-      [ "a" "b" "c" "d"  "h" "i" "j" "k" "l" "m" "z" ]));
-  in { }
-  //
-  (lib.mapAttrs (_: device: {
-    inherit device;
-    fsType = "nfs";
-    options = [
-      "nfsvers=3"
-      "proto=tcp"
-      "nofail"
-      "_netdev"
-    ];
-  }) homeMounts);
-}

packages/heimdal/default.nix

@@ -0,0 +1,178 @@
+{ lib
+, stdenv
+, fetchFromGitHub
+, autoreconfHook
+, pkg-config
+, python3
+, perl
+, bison
+, flex
+, texinfo
+, perlPackages
+
+, openldap
+, libcap_ng
+, sqlite
+, openssl
+, db
+, libedit
+, pam
+, krb5
+, libmicrohttpd
+, cjson
+
+, CoreFoundation
+, Security
+, SystemConfiguration
+
+, curl
+, jdk
+, unzip
+, which
+
+, nixosTests
+
+, withCJSON ? true
+, withCapNG ? stdenv.isLinux
+# libmicrohttpd should theoretically work for darwin as well, but something is broken.
+# It affects tests check-bx509d and check-httpkadmind.
+, withMicroHTTPD ? stdenv.isLinux
+, withOpenLDAP ? true
+, withOpenLDAPAsHDBModule ? false
+, withOpenSSL ? true
+, withSQLite3 ? true
+}:
+
+assert lib.assertMsg (withOpenLDAPAsHDBModule -> withOpenLDAP) ''
+  OpenLDAP needs to be enabled in order to build the OpenLDAP HDB Module.
+'';
+
+stdenv.mkDerivation {
+  pname = "heimdal";
+  version = "7.8.0-unstable-2023-11-29";
+
+  src = fetchFromGitHub {
+    owner = "heimdal";
+    repo = "heimdal";
+    rev = "3253c49544eacb33d5ad2f6f919b0696e5aab794";
+    hash = "sha256-uljzQBzXrZCZjcIWfioqHN8YsbUUNy14Vo+A3vZIXzM=";
+  };
+
+  outputs = [ "out" "dev" "man" "info" ];
+
+  nativeBuildInputs = [
+    autoreconfHook
+    pkg-config
+    python3
+    perl
+    bison
+    flex
+    texinfo
+  ]
+  ++ (with perlPackages; [ JSON ]);
+
+  buildInputs = [ db libedit pam ]
+    ++ lib.optionals (stdenv.isDarwin) [ CoreFoundation Security SystemConfiguration ]
+    ++ lib.optionals (withCJSON) [ cjson ]
+    ++ lib.optionals (withCapNG) [ libcap_ng ]
+    ++ lib.optionals (withMicroHTTPD) [ libmicrohttpd ]
+    ++ lib.optionals (withOpenLDAP) [ openldap ]
+    ++ lib.optionals (withOpenSSL) [ openssl ]
+    ++ lib.optionals (withSQLite3) [ sqlite ];
+
+  doCheck = true;
+  nativeCheckInputs = [
+    curl
+    jdk
+    unzip
+    which
+  ];
+
+  configureFlags = [
+    "--with-libedit-include=${libedit.dev}/include"
+    "--with-libedit-lib=${libedit}/lib"
+    "--with-berkeley-db-include=${db.dev}/include"
+    "--with-berkeley-db"
+
+    "--without-x"
+    "--disable-afs-string-to-key"
+  ] ++ lib.optionals (withCapNG) [
+    "--with-capng"
+  ] ++ lib.optionals (withCJSON) [
+    "--with-cjson=${cjson}"
+  ] ++ lib.optionals (withOpenLDAP) [
+    "--with-openldap=${openldap.dev}"
+  ] ++ lib.optionals (withOpenLDAPAsHDBModule) [
+    "--enable-hdb-openldap-module"
+  ] ++ lib.optionals (withSQLite3) [
+    "--with-sqlite3=${sqlite.dev}"
+  ];
+
+  # (check-ldap) slapd resides within ${openldap}/libexec,
+  #              which is not part of $PATH by default.
+  # (check-ldap) prepending ${openldap}/bin to the path to avoid
+  #              using the default installation of openldap on unsandboxed darwin systems,
+  #              which does not support the new mdb backend at the moment (2024-01-13).
+  # (check-ldap) the bdb backend got deprecated in favour of mdb in openldap 2.5.0,
+  #              but the heimdal tests still seem to expect bdb as the openldap backend.
+  #              This might be fixed upstream in a future update.
+  patchPhase = ''
+    runHook prePatch
+
+    substituteInPlace tests/ldap/slapd-init.in \
+      --replace 'SCHEMA_PATHS="' 'SCHEMA_PATHS="${openldap}/etc/schema '
+    substituteInPlace tests/ldap/check-ldap.in \
+      --replace 'PATH=' 'PATH=${openldap}/libexec:${openldap}/bin:'
+    substituteInPlace tests/ldap/slapd.conf \
+      --replace 'database	bdb' 'database mdb'
+
+    runHook postPatch
+  '';
+
+  # (test_cc) heimdal uses librokens implementation of `secure_getenv` on darwin,
+  #           which expects either USER or LOGNAME to be set.
+  preCheck = lib.optionalString (stdenv.isDarwin) ''
+    export USER=nix-builder
+  '';
+
+  # We need to build hcrypt for applications like samba
+  postBuild = ''
+    (cd include/hcrypto; make -j $NIX_BUILD_CORES)
+    (cd lib/hcrypto; make -j $NIX_BUILD_CORES)
+  '';
+
+  postInstall = ''
+    # Install hcrypto
+    (cd include/hcrypto; make -j $NIX_BUILD_CORES install)
+    (cd lib/hcrypto; make -j $NIX_BUILD_CORES install)
+
+    mkdir -p $dev/bin
+    mv $out/bin/krb5-config $dev/bin/
+
+    # asn1 compilers, move them to $dev
+    mv $out/libexec/heimdal/* $dev/bin
+    rmdir $out/libexec/heimdal
+
+    # compile_et is needed for cross-compiling this package and samba
+    mv lib/com_err/.libs/compile_et $dev/bin
+  '';
+
+  # Issues with hydra
+  #  In file included from hxtool.c:34:0:
+  #  hx_locl.h:67:25: fatal error: pkcs10_asn1.h: No such file or directory
+  #enableParallelBuilding = true;
+
+  passthru = {
+    implementation = "heimdal";
+    tests.nixos = nixosTests.kerberos.heimdal;
+  };
+
+  meta = with lib; {
+    homepage = "https://www.heimdal.software";
+    changelog = "https://github.com/heimdal/heimdal/releases";
+    description = "An implementation of Kerberos 5 (and some more stuff)";
+    license = licenses.bsd3;
+    platforms = platforms.unix;
+    maintainers = with maintainers; [ h7x4 ];
+  };
+}

packages/mediawiki-extensions/default.nix

@@ -0,0 +1,7 @@
+{ pkgs, lib }:
+lib.makeScope pkgs.newScope (self: {
+  DeleteBatch = self.callPackage ./delete-batch { };
+  PluggableAuth = self.callPackage ./pluggable-auth { };
+  SimpleSAMLphp = self.callPackage ./simple-saml-php { };
+  UserMerge = self.callPackage ./user-merge { };
+})

packages/mediawiki-extensions/delete-batch/default.nix

@@ -0,0 +1,7 @@
+{ fetchzip }:
+
+fetchzip {
+  name = "mediawiki-delete-batch";
+  url = "https://extdist.wmflabs.org/dist/extensions/DeleteBatch-REL1_41-5774fdd.tar.gz";
+  hash = "sha256-ROkn93lf0mNXBvij9X2pMhd8LXZ0azOz7ZRaqZvhh8k=";
+}

packages/mediawiki-extensions/pluggable-auth/default.nix

@@ -0,0 +1,7 @@
+{ fetchzip }:
+
+fetchzip {
+  name = "mediawiki-pluggable-auth-source";
+  url = "https://extdist.wmflabs.org/dist/extensions/PluggableAuth-REL1_41-d5b3ad8.tar.gz";
+  hash = "sha256-OLlkKeSlfNgWXWwDdINrYRZpYuSGRwzZHgU8EYW6rYU=";
+}

packages/mediawiki-extensions/simple-saml-php/default.nix

@@ -0,0 +1,7 @@
+{ fetchzip }:
+
+fetchzip {
+  name = "mediawiki-simple-saml-php-source";
+  url = "https://extdist.wmflabs.org/dist/extensions/SimpleSAMLphp-REL1_41-9ae0678.tar.gz";
+  hash = "sha256-AmCaG5QXMJvi3N6zFyWylwYDt8GvyIk/0GFpM1Y0vkY=";
+}

packages/mediawiki-extensions/update-mediawiki-extensions.py

@@ -0,0 +1,66 @@
+#!/usr/bin/env nix-shell
+#!nix-shell -i python3 -p "python3.withPackages(ps: with ps; [ beautifulsoup4 requests ])"
+
+import os
+from pathlib import Path
+import re
+import subprocess
+from collections import defaultdict
+from pprint import pprint
+
+import bs4
+import requests
+
+BASE_URL = "https://extdist.wmflabs.org/dist/extensions"
+
+def fetch_plugin_list(skip_master=True) -> dict[str, list[str]]:
+    content = requests.get(BASE_URL).text
+    soup = bs4.BeautifulSoup(content, features="html.parser")
+    result = defaultdict(list)
+    for a in soup.find_all('a'):
+        if skip_master and 'master' in a.text:
+            continue
+        split = a.text.split('-')
+        result[split[0]].append(a.text)
+    return result
+
+def update(package_file: Path, plugin_list: dict[str, list[str]]) -> None:
+    assert package_file.is_file()
+    with open(package_file) as file:
+        content = file.read()
+
+    tarball = re.search(f'url = "{BASE_URL}/(.+\.tar\.gz)";', content).group(1)
+    split = tarball.split('-')
+    updated_tarball = plugin_list[split[0]][-1]
+
+    _hash = re.search(f'hash = "(.+?)";', content).group(1)
+
+    out, err = subprocess.Popen(
+        ["nix-prefetch-url", "--unpack", "--type", "sha256", f"{BASE_URL}/{updated_tarball}"],
+        stdout=subprocess.PIPE,
+        stderr=subprocess.PIPE
+    ).communicate()
+    out, err = subprocess.Popen(
+        ["nix", "hash", "to-sri", "--type", "sha256", out.decode().strip()],
+        stdout=subprocess.PIPE,
+        stderr=subprocess.PIPE
+    ).communicate()
+
+    updated_hash = out.decode().strip()
+
+    if tarball == updated_tarball and _hash == updated_hash:
+        return
+
+    print(f"Updating: {tarball} ({_hash[7:14]}) -> {updated_tarball} ({updated_hash[7:14]})")
+
+    updated_text = re.sub(f'url = "{BASE_URL}/.+?\.tar\.gz";', f'url = "{BASE_URL}/{updated_tarball}";', content)
+    updated_text = re.sub('hash = ".+";', f'hash = "{updated_hash}";', updated_text)
+    with open(package_file, 'w') as file:
+        file.write(updated_text)
+
+if __name__ == "__main__":
+    plugin_list = fetch_plugin_list()
+
+    for direntry in os.scandir(Path(__file__).parent):
+        if direntry.is_dir():
+            update(Path(direntry) / "default.nix", plugin_list)

packages/mediawiki-extensions/user-merge/default.nix

@@ -0,0 +1,7 @@
+{ fetchzip }:
+
+fetchzip {
+  name = "mediawiki-user-merge-source";
+  url = "https://extdist.wmflabs.org/dist/extensions/UserMerge-REL1_41-a53af3b.tar.gz";
+  hash = "sha256-TxUkEqMW79thYl1la2r+w9laRnd3uSYYg1xDB+1he1g=";
+}

packages/simplesamlphp/default.nix

@@ -0,0 +1,38 @@
+{ lib
+, php
+, writeText
+, fetchFromGitHub
+, extra_files ? { }
+
+}:
+
+php.buildComposerProject rec {
+  pname = "simplesamlphp";
+  version = "2.2.1";
+
+  src = fetchFromGitHub {
+    owner = "simplesamlphp";
+    repo = "simplesamlphp";
+    rev = "v${version}";
+    hash = "sha256-jo7xma60M4VZgeDgyFumvJp1Sm+RP4XaugDkttQVB+k=";
+  };
+
+  composerStrictValidation = false;
+
+  vendorHash = "sha256-n6lJ/Fb6xI124PkKJMbJBDiuISlukWQcHl043uHoBb4=";
+
+  # TODO: metadata could be fetched automagically with these:
+  #   - https://simplesamlphp.org/docs/contrib_modules/metarefresh/simplesamlphp-automated_metadata.html
+  #   - https://idp.pvv.ntnu.no/simplesaml/saml2/idp/metadata.php
+  postPatch = lib.pipe extra_files [
+    (lib.mapAttrsToList (target_path: source_path: ''
+      mkdir -p $(dirname "${target_path}")
+      cp -r "${source_path}" "${target_path}"
+    ''))
+    (lib.concatStringsSep "\n")
+  ];
+
+  postInstall = ''
+    ln -sr $out/share/php/simplesamlphp/vendor/simplesamlphp/simplesamlphp-assets-base $out/share/php/simplesamlphp/public/assets/base
+  '';
+}

secrets/bekkalokk/bekkalokk.yaml

@@ -10,9 +10,18 @@ gitea:
         epsilon: ENC[AES256_GCM,data:JMnZVBdiy+5oPyXgDpfYvy7qLzIEfHy09fQSBDpNG4zDXTil2pSKBKxk09h5xg==,iv:/8oXKJW6+sMBjDt51MqVAWjQPM5nk02Lv5QqbZsZ5ms=,tag:+Rx7ursfVWc0EcExCLgLhQ==,type:str]
 mediawiki:
     password: ENC[AES256_GCM,data:HsBuA1E7187roGnKuFPfPDYxA16GFjAUucgUtrdUFmcOzmTNiFH+NWY2ZQ==,iv:vDYUmmZftcrkDtJxNYKAJSx9j+AQcmQarC62QRHR4IM=,tag:3TKjNrGRivFWoK3djC748g==,type:str]
-    database: ENC[AES256_GCM,data:EvVK3Mo6cZiIZS+gTxixU4r9SXN41VqwaWOtortZRNH+WPJ4xcYvzYMJNg==,iv:JtFTRLn3fzKIfgAPRqRgQjct7EdkEHtiyQKPy8/sZ2Q=,tag:nqzseG6BC0X5UNI/3kZZ3A==,type:str]
+    postgres_password: ENC[AES256_GCM,data:XIOmrOVXWvMMcPJtmovhdyZvLlhmrsrwjuMMkdEY1NIXWjevj5XEkp6Cpw==,iv:KMPTRzu3H/ewfEhc/O0q3o230QNkABfPYF/D1SYL2R8=,tag:sFZiFPHWxwzD9HndPmH3pQ==,type:str]
+    simplesamlphp:
+        postgres_password: ENC[AES256_GCM,data:FzykBVtJbA+Bey1GE5VqnSuv2GeobH1j,iv:wayQH3+y0FYFkr3JjmulI53SADk0Ikur/2mUS5kFrTk=,tag:d+nQ/se2bDA5aaQfBicnPQ==,type:str]
+        cookie_salt: ENC[AES256_GCM,data:BioRPAvL4F9ORBJDFdqHot81RhVpAOf32v1ah3pvOLq8E88bxGyKFQZxAwpIL3UkWQIsWMnEerm5MEMYL1C2OQ==,iv:yMVqiPTQ8hO1IVAax6PIkD0V9YTOEunwDTtnGcmy6Kc=,tag:Z4+bZF4olLlkx7YpXeQiUw==,type:str]
+        admin_password: ENC[AES256_GCM,data:4eUXvcO7NLOWke9XShfKzj+x3FvqPONa,iv:3iZ+BTBTZ7yMJ0HT14cEMebKZattWUcYEevRsl/6WOk=,tag:CU0iDhPP2ndztdX5U5A4cw==,type:str]
 keycloak:
     database: ENC[AES256_GCM,data:76+AZnNR5EiturTP7BdOCKE90bFFkfGlRtviSP5NHxPbb3RfFPJEMlwtzA==,iv:nS7VTossHdlrHjPeethhX+Ysp9ukrb5JD7kjG28OFpY=,tag:OMpiEv9nQA7v6lWJfNxEEw==,type:str]
+idp:
+    cookie_salt: ENC[AES256_GCM,data:cyV6HDCPHKQIa8T1+rFBFh6EuHtG5B508lg6uFYENK7qVpYuiTUIokdVQhY8SRLs2mECx/ampgnUHxCRB/Cc/A==,iv:QRrRUhzRQrLkmg38rrYtCEfF8U4/7ZHZUDSEq++BlbI=,tag:fLqFSLd+CKqJvmCh1fx8vg==,type:str]
+    admin_password: ENC[AES256_GCM,data:Vf33Oenk6x6BIij1uW8RQDjTPcKhUVYA,iv:RNeyCNpTAYdBPrZwE3Y6CCjoAML/3XUvjfJCrr06IEU=,tag:zVOrx1oXnEyr/VwFCFaCDQ==,type:str]
+    postgres_password: ENC[AES256_GCM,data:HGwKLbn/umPLPgH+qpXtugvXzOcXdlhK,iv:ypTW0VLSape8K5aCYu3BdjG/oMmqvfDSLw9uGLthb0Q=,tag:qlDMGz59qzMwEwBYxsC0XQ==,type:str]
+    privatekey: ENC[AES256_GCM,data:pK74wjuk9lt2PNJIzi6NpPBkxcSRsBZJl28BElUiri2zz17CY81x66CMlFsNjvzKB3JVX+b28FHFuSsEpd/mAPtmzZPR+CoWBHvU+OrSYYoufBxexRTtXzu0vx/KFL4X5tsb+GCgfm72CM+u9dElYHJzn3teBUmZc0pIoF29slTuwF+iZrbFwaieECxXMjHC9f+ivxWQsOvYFjhmAwgjBw/LsfURgLxZwcIRiiKsN41P2WtR9a/hjN53sJnihL9VZw/Xbbynm+bDmaAwhKUAZR28TU9Q1PTfNPEAOMoRgKF4MFuhQ5o0Cxq8RRz7fwCcCTV2sK4jgL7gKiy/gI/K41ybPQPon3NrDj3U2G1VhNgBfSNaTHgygiWI08HGWRHk83eJPHp3Ph8/A774g15SE10BXkL12n0kzodsZWYu3ybrhp167vL/ZW3xUnvFFlm4dTX/ndwS5rp1dIW0a5/0EDwMoGIJw94W5ph5sK9YoUTXwLdAJ9UWRZKQGk6iJstq2BMEBAN2BCSPHS2cflMjoVV4KKX1eq6s8/w6YFzCSQkt3+pGQ3DmiOaaqiv7sUfxyfMDzDcuTVETYRhsvr1ChfBFNn1yoH8BffeVTI2Ei3Edek1vXcg05mHxslhCmzQ4U4us0agtpm2Ar6ppvuedJHLWLFz8pgWSENeGdRcbz0CXiy7lIEYW4uQBru4MAjQ+ZQhz/F4L6At60Q4NelYMDxryQ8LxV0fA/ba2llwl8bDHDFDYkxu3/IaaWG8bp1i6gqvEao3/CRpPt/OAJGAHO3HViPm6xmWlWinUEatNlgCoDotkc56eZU/Af/P7R0QPQF0PpEIDHPcNjc/HcfheUXzJSzkD7wja8VB6rtqdRHFC793QsgdHJMJ+/bvJWZSQciSwaY3PBKLLuB6vrn7VD2NB4cE6beaGwneiAn83lAV+I4cJMDQFLkhWm8LIC7JIZKq/7eBfDEmajWEBL6wSbomBi/UGbA+FyvOokYYMemwVu1JGULcz9Lvn6pxkftQlN0gqE3MncrcZ/l59fepbka/z8oqH6i+3nKdaEh6D+WudD/0xiJSdXAVM6jGrxQtFc1R+OmGTTKJB4aLqgcM25YQ760wKavx5+B52pSki7XdYLmb6Xbnnv7AnyCNmGcpcj795P7qasE2sVokqq9a2PZD7VhP9TPHGtEO6QkkNV5gLxGsGvmshMM8KQgjK60HPQuSfHFVN/SlcOKvvH5ec8sBuYUt24xcDPewV9cXZwjcmwufFOVbC72FTEmU5qvmKobJTGjjbhWsHwpopESctmXuArIcVPsX5jSe3C9Y+9tjbkBGW6/+o8pTfodsjioXevVDXwjVBmGYk8xjZtF6/xfhpWvfunDXgEhnpT4i6ikoQiva8Mw8NvLe8U8Ivr6qCDE4ys4RTs56aw/CJHzydKjX96ZPzim52fAIJvEt1HvMvQx/O/q00h0WujYBcSBivYDtl7hC2fl6pBvM7fjipbeF04idkAKKXf4j6SGunx4hWq+eIA5tnlG8XVZZKIpdXKLgarvWs5pLlTSAK5ckF/yddcik7gAZc+pwo8kCAXIXPisX/yw9cZhI51PNTG1yxtPHAWKgULYLoWcnBCGTmPVXmj6IhpGuNuQ18TTpEtwnrMmcGq6aG/M2ZI+oq0q6suJUWwsCKUVM/TS6SKXEArzDtOMdXgyyDC/H3u+w3Bt/DwALLacq6lwoKBJZxQ6ewv3+ZkLcOkMRKu97hgV+rKmFqdPXqs+Skrf2MRl48sUCPIUXhD46ocFNpemcXcr73G7AxmmFLT6T4ZFm69K6eftUP6FsgUwbed+SaWTeptaG+wueL1NECoXafGlJAmXkjbBdWVgF2oMQFP3Kau135fiqmHpoWGzG5UhKxshTTtRIvbG/296NOkNZWBT/VzjwZti3IUka7HjC3leu28IlLsN0fsNPjQc2uIR3uVsR020g6et0m/Nys9gHDWXG/aCAYKhrgU8w37ZHBs383rkl4uUIYJH61SmTS4JP/wgh/+Q1aU8gXaZ8/Bc0BZUJdF3JR48fjkuMi2A8q5vkTQ1yFCvbBTtdg336v5tZc/xOW5/pt0W1Y7IgPFwHNh4iPAtKQZ3Qybh5PXs4N80YeYFWIjV6Ai0uY4yPdwYPfd1pRdpf3Ll+bhnbDPg0ye4f9lAhSR/cAZpft7BTd6W6jCv8QfWZcDmoBGZy68GZsYfCJ3QAo6szxzDtuyp7WMJRxioPt1EVA9q+8Rp7hHmZosoZOIUV+q3W5yZymL/PXZABiIc2OW9kryNlxQlBo79CSLGdXWeMq3dN1MSWoKJzxEseQqtSY5E1DYQosT1+3B8DXm77WSLMuB6OLjEz760y8jyIiLTGAVslcOb5XNfrQf5+l52nxCl/uSZo9FxiKg7ip0v3PZLuFSTSEaR2R2WeSuv/KoXi7WxFiG6VskpyL5jMhBwjepExFVosrOi4XugqR8vD3byTYUnmQvWJyyrI2LqQsYsa3o65SIO4g8SMKRsJJ8WWHpywLjF00HJSWiGRu8bQguvDTQd3UP6lgudzpubERXuUIBiMPqBKFJ1QTWA6N/t7dxR7NVaSexrGmY4ZSoIBKb9Jnge/+lkKrO9CgqDQpTAAvwwBZpFOV7EYLZNRpW+F8HaCNMeql7V/nFqdaaNdm9yLBhXbaeujalyiLtvBCghe330JVjbBTYWiRulJ2xnlX4GLzORBRIVHJYjxEKzCeVW7J2wAKkJ6gx5rlfDOd6r+Tf+1L8ZZoJEdBhIW7flslxo4amGRTI9QGJKVCIq/hrUGEgIAKsDsqTd21lVdhy+EDM+gumO7FbMcqVPRpwmQMFAZbJgH6TeS46tA4XQJGbwQhhBaqVb3jz7OJVOZ9C3/XfxPPpK4B2OyqINKNIRfyZ0fSmGlIT4LPf2IUEDCEKuPd3ClX51qNnVAPt/MbooF++Vp91KImdqCHwdiAygZTH9u91UN8S9IW8vo0XE4eAgdInjOM+IzUPhC+G8i6UNHbOpfQ7dntDc2nCv4nFKLjLZrgpm2kFrQ60/gDlbXBFF2eRcfYkSQSxVLWC4kWF1ce9YZf/j6erm6GnsQiyNoePe/Nb0v2f5DAR+9yoSJEOAi/AHacA9Dq5kfcoOYCrLkoc17SKQYmy/M9m5Mh3inI/O4wbUQrYDKHT0j77BJnkY11M6AiEF9YC0F4lCV4hIefQ3PnI4nmmo9b8rHnqvmrwUZrcOom6Zp+A7ydo4t0Bw1cDzEwJfpcb3JjpFi7F32/vHHLtGuPDvcJqkhw8VLuaAWAcEPJcIHJ+vAKCGWtDH7yQEOhFq4touwyPYDWBA5tqPY2xkFIAImFRhyLtTQupiNbZVR4G4dj24l8uQl2iz9aoDbJlNhoT+9YhwrKrYdM6hqnvpmiYqLIM+2kijZ8JmBS0BWNLCr+6rnbZbEB5e1ezokice8HQ1XcXbsegcI+eJ+gfDhYKw75VVyOd1Uy/pjLCCwQTywTIbf3iSuETvs3YjQrET1m7GJm3q8G4dx2M9c2B7R6B0ej06pkC4WwzFg3hEG6z2BaNrkopKkoE99bjoB2VHkgGTe+YM1Q3t+jA8IB7XNlnVH82AJ6eDMqgGSWBZiGxwx0KVUMg7cTi0iD6JNSYea0ykw+fh7Mj+8N0zhmzdUjdNBwZqxHVUbqIhUhk6meGRN5EASyt6qR329AqzbKaloS2VqjLjDkSEMhQfL4jHa8yPp8Cyj6EjgM2n5LnZs0u/43eh0h4ig3zQYMkwrHixI5hNQTBwSm3QnNpr3OnXAlypCPbCTiMC5sxHfrSTFkmjduT29aZ5qHQOc5zYG5bE2CmhWJdCOZm1s1mUT+Pxbxf4m/sh8w7TwnA+leD1rUvwYfyl5WI8f071vPcg62uTwScxr+TErvdzAkg9HElnsO6km0IncHIh79zexCR51CrtrZAVxc1gnnDtTLsaKmcEDkqIY4U2cUv+1CtPWz7IfKea9B56x+bFY32pwqYeXCHdDVfBGSMuM7mqZUBu+3jETSbglozYrukbgjftdWob3s/hR0WB0lH9uwkugfoGVonasPkmPvBhuvozkCLvP9aplqwUoL74D4JhHFLciPvV+Cmw5ag1WtErB89Oimm3tnOpynCJwZTQM+NVgBtKjom0qOnyn7l0vYIKQFJwV2k5w+RfrX5EOOjFfg9D2u+gHgmrqzaSl6kk2dHlQYmfeP+nJxiH7eGO5D3ooYHp7JKZBAaJHcAWWpgqVL/L8pjSJLCPRGBF/5DnfggwFdNprl3LqYnr4io+Wp4+Du74uvQHNpojrUQ4j7Qp330rSbCK9iX5v14zYr6RlqKe5CtTqHjPzuL8CxFUI1ImHgViNpff4=,iv:8cb1FcIm0oGkcrfLNqXamx4aDA3owBZoHur8+uFsdmA=,tag:oFPP/Yene6QrxFDKlmoVcA==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -46,8 +55,8 @@ sops:
             akVjeTNTeGorZjJQOVlMeCtPRUVYL3MK+VMvGxrbzGz4Q3sdaDDWjal+OiK+JYKX
             GHiMXVHQJZu/RrlxMjHKN6V3iaqxZpuvLAEJ2Lzy5EOHPtuiiRyeHQ==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-09-17T02:02:24Z"
-    mac: ENC[AES256_GCM,data:Lkvj9UOdE/WZtFReMs6n8ucFuJNPb76ZhPHFpYAEqYEe8d9FdMPMzq05DBAJe9IqpFS0jc9SWxJUPHfGgoMR8nPciZuR/mpJ+4s/cRkPbApwBPcLlvatE/qkbcxzoLlb1vN0gth5G/U7UEfk5Pp9gIz6Yo4sEIS3Za42tId1MpI=,iv:s3VELgU/RJ98/lbQV3vPtOLXtwFzB3KlY7bMKbAzp/g=,tag:D8s0XyGnd8UhbCseB/TyFg==,type:str]
+    lastmodified: "2024-03-30T21:22:02Z"
+    mac: ENC[AES256_GCM,data:o3buZqOYZXiNyJ7zDtaBDFwbtP5i0QNvHxVVxtVWdLdRASVmau/ZXdQ8MNsExe6gUF4dS6Sv7QYXRfUO7ccmUDP4zABlIOcxjwsRTs5lE45S6pVIB98OIAODHdyl6LVsgxEkhdPmSoYRjLIWO56KlKArxPQGiprCI7AIBe6DYik=,iv:sAEeBMuJ8JwI3STZuy4miZhXA9Lopbof+3aaprtWVJ4=,tag:LBIRH7KwZ0CuuXuioVL10Q==,type:str]
     pgp:
         - created_at: "2023-05-21T00:28:40Z"
           enc: |
@@ -70,4 +79,4 @@ sops:
             -----END PGP MESSAGE-----
           fp: F7D37890228A907440E1FD4846B9228E814A2AAC
     unencrypted_suffix: _unencrypted
-    version: 3.7.3
+    version: 3.8.1

values.nix

@@ -56,10 +56,6 @@ in rec {
       ipv4 = pvv-ipv4 204;
       ipv6 = pvv-ipv6 "1:4f"; # Wtf øystein og daniel why
     };
-    bikkje = {
-      ipv4 = pvv-ipv4 216;
-      ipv6 = pvv-ipv6 216;
-    };
     buskerud = {
       ipv4 = pvv-ipv4 231;
       ipv6 = pvv-ipv6 231;