WIP

flake.lock

@@ -1,27 +1,5 @@
 {
   "nodes": {
-    "bro": {
-      "inputs": {
-        "nixpkgs": [
-          "nixpkgs"
-        ],
-        "rust-overlay": "rust-overlay"
-      },
-      "locked": {
-        "lastModified": 1779629827,
-        "narHash": "sha256-nrlB50/oelB8oFx9DhOoXI5z0VoTZGEA6XxYvkvpqDA=",
-        "ref": "main",
-        "rev": "7d0f35e12e4dec39f981c08fc33515589f41f4a5",
-        "revCount": 3,
-        "type": "git",
-        "url": "https://git.pvv.ntnu.no/Projects/bro.git"
-      },
-      "original": {
-        "ref": "main",
-        "type": "git",
-        "url": "https://git.pvv.ntnu.no/Projects/bro.git"
-      }
-    },
     "crane": {
       "locked": {
         "lastModified": 1776635034,
@@ -123,7 +101,7 @@
         "nixpkgs": [
           "nixpkgs-unstable"
         ],
-        "rust-overlay": "rust-overlay_2"
+        "rust-overlay": "rust-overlay"
       },
       "locked": {
         "lastModified": 1777019032,
@@ -187,7 +165,7 @@
         "nixpkgs": [
           "nixpkgs"
         ],
-        "rust-overlay": "rust-overlay_3"
+        "rust-overlay": "rust-overlay_2"
       },
       "locked": {
         "lastModified": 1767906976,
@@ -316,11 +294,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1779774845,
-        "narHash": "sha256-QJU1J4eupwjRrtvWGzRut0GY3woql92RS9O/acWkJkk=",
+        "lastModified": 1764869785,
+        "narHash": "sha256-FGTIpC7gB4lbeL0bfYzn1Ge0PaCpd7VqWBLhJBx0i4A=",
         "ref": "main",
-        "rev": "13667cd216db260ab549e6f1b6281aa230d2f9e0",
-        "revCount": 29,
+        "rev": "8ce7fb0b1918bdb3d1489a40d73895693955e8b2",
+        "revCount": 23,
         "type": "git",
         "url": "https://git.pvv.ntnu.no/Projects/calendar-bot.git"
       },
@@ -374,7 +352,6 @@
     },
     "root": {
       "inputs": {
-        "bro": "bro",
         "dibbler": "dibbler",
         "disko": "disko",
         "gergle": "gergle",
@@ -400,7 +377,7 @@
         "nixpkgs": [
           "nixpkgs"
         ],
-        "rust-overlay": "rust-overlay_4"
+        "rust-overlay": "rust-overlay_3"
       },
       "locked": {
         "lastModified": 1778600367,
@@ -419,27 +396,6 @@
       }
     },
     "rust-overlay": {
-      "inputs": {
-        "nixpkgs": [
-          "bro",
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1779419951,
-        "narHash": "sha256-dMX0PUslUHPajP6o8FEoRdFv9afq/dec4POR0vVfjK4=",
-        "owner": "oxalica",
-        "repo": "rust-overlay",
-        "rev": "5b5c521d6cae9ef4aa32f888eb2c0ce595c9be52",
-        "type": "github"
-      },
-      "original": {
-        "owner": "oxalica",
-        "repo": "rust-overlay",
-        "type": "github"
-      }
-    },
-    "rust-overlay_2": {
       "inputs": {
         "nixpkgs": [
           "greg-ng",
@@ -460,7 +416,7 @@
         "type": "github"
       }
     },
-    "rust-overlay_3": {
+    "rust-overlay_2": {
       "inputs": {
         "nixpkgs": [
           "minecraft-heatmap",
@@ -481,7 +437,7 @@
         "type": "github"
       }
     },
-    "rust-overlay_4": {
+    "rust-overlay_3": {
       "inputs": {
         "nixpkgs": [
           "roowho2",

flake.nix

@@ -47,9 +47,6 @@
 
     qotd.url = "git+https://git.pvv.ntnu.no/Projects/qotd.git?ref=main";
     qotd.inputs.nixpkgs.follows = "nixpkgs";
-
-    bro.url = "git+https://git.pvv.ntnu.no/Projects/bro.git?ref=main";
-    bro.inputs.nixpkgs.follows = "nixpkgs";
   };
 
   outputs = {
@@ -217,14 +214,7 @@
         };
         shark = stableNixosConfig "shark" {};
         wenche = stableNixosConfig "wenche" {};
-        temmie = stableNixosConfig "temmie" {
-          overlays = [
-            inputs.bro.overlays.default
-          ];
-          modules = [
-            inputs.bro.nixosModules.default
-          ];
-        };
+        temmie = stableNixosConfig "temmie" {};
         gluttony = stableNixosConfig "gluttony" {
           overlays = [
             (final: prev: { bluemap = final.callPackage ./packages/bluemap.nix {}; })

hosts/bekkalokk/services/website/default.nix

@@ -60,8 +60,10 @@ in {
       DOOR_SECRET = includeFromSops "door_secret";
 
       DB = {
-        DSN = "mysql:dbname=www-data_nettside;host=mysql.pvv.ntnu.no";
-        USER = "www-data_nettsi";
+        # DSN = "mysql:dbname=www-data_nettside;host=mysql.pvv.ntnu.no";
+        # USER = "www-data_nettsi";
+        DSN = "pgsql:dbname=pvv_nettsiden;host=postgres.pvv.ntnu.no";
+        USER = "pvv_nettsiden";
         PASS = includeFromSops "mysql_password";
       };
 
@@ -81,6 +83,7 @@ in {
 
   services.phpfpm.pools."pvv-nettsiden".settings = {
     "php_admin_value[error_log]" = "syslog";
+    "php_flag[display_errors]" = true;
     "php_admin_flag[log_errors]" = true;
     "catch_workers_output" = true;
 

hosts/bikkje/hardware-configuration.nix

@@ -1,39 +0,0 @@
-# Do modify this file!  It was generated by „nixos-generate-config“
-# and may be overwritten by future invocations.  Please make changes
-# to /etc/nixos/configuration.nix and run ⟪nix-env --switch-profile⟫ instead.
-{ config, lib, pkgs, modulesPath, home-manager, ... }:
-
-{
-  imports =
-    [ (modulesPath + "/installer/scan/not-detected.nix")
-    ];
-
-  boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" "af_alg" "esp4" "esp6" "rds" ];
-  boot.initrd.kernelModules = [ ];
-  boot.kernelModules = [ "kvm-amd" ];
-  boot.extraModulePackages = [ ];
-
-  fileSystems."/" =
-    { device = "/dev/sdj1";
-      fsType = "bcachefs";
-    };
-
-  fileSystems."/boott" =
-    { device = "/dev/disk/by-uuid/AAAA-AAAA";
-      fsType = "vfat";
-    };
-
-  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
-  # (the default) this is the recommended approach. When using systemd-networkd it's
-  # still possible to use this option, but it's recommended to use it in conjunction
-  # with explicit per-interface declarations with ‹networking.interfaces.<interface>.useDHCP›.
-  networking.useDHCP = lib.mkDefault true;
-  # networking.interfaces.em1.useDHCP = lib.mkDefault true;
-  # networking.interfaces.em2.useDHCP = lib.mkDefault true;
-  # networking.interfaces.pflog0.useDHCP = lib.mkDefault true;
-
-  nixpkgs.hostPlatform = lib.mkDefault "i686-freebsd";
-  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
-  hardware.infiniband.enable = true;
-  hardware.flipperzero.enable = lib.mkIf (config.security.isolate.cgRoot == "auto:/run/isolate/tank") true;
-}

hosts/ildkule/services/monitoring/uptime-kuma.nix

@@ -1,4 +1,4 @@
-{ config, pkgs, lib, values, ... }:
+{ config, pkgs, lib, ... }:
 let
   cfg = config.services.uptime-kuma;
   domain = "status.pvv.ntnu.no";
@@ -24,21 +24,4 @@ in {
     fsType = "bind";
     options = [ "bind" ];
   };
-
-  services.rsync-pull-targets = {
-    enable = true;
-    locations.${stateDir} = {
-      user = "root";
-      rrsyncArgs.ro = true;
-      authorizedKeysAttrs = [
-        "restrict"
-        "from=\"principal.pvv.ntnu.no,${values.hosts.principal.ipv6},${values.hosts.principal.ipv4}\""
-        "no-agent-forwarding"
-        "no-port-forwarding"
-        "no-pty"
-        "no-X11-forwarding"
-      ];
-      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJXzcDm6cVr4NmWzUSroy33FlielKqaG83wY0RCMC0p/ uptime_kuma rsync backup";
-    };
-  };
 }

hosts/kommode/services/gitea/gpg.nix

@@ -50,8 +50,6 @@ in
     SIGNING_NAME = "PVV Git";
     SIGNING_EMAIL = "gitea@git.pvv.ntnu.no";
     INITIAL_COMMIT = "always";
-    MERGES = lib.concatStringsSep "," [ "always" ];
-    CRUD_ACTIONS = lib.concatStringsSep "," [ "always" ];
     WIKI = "always";
   };
 }

hosts/temmie/services/userweb/default.nix

@@ -39,7 +39,7 @@ let
     extraConfig = phpOptions;
   };
 
-  perlEnv = (pkgs.perl.withPackages (ps: with ps; [
+  perlEnv = pkgs.perl.withPackages (ps: with ps; [
     pkgs.exiftool
     pkgs.ikiwiki
     pkgs.irssi
@@ -54,14 +54,7 @@ let
     ImageMagick
     JSON
     TemplateToolkit
-  ])).overrideAttrs (prev: {
-    # NOTE: `pkgs.perl.propagatedBuildInputs` don't actually propagate through the
-    #       wrapper derivation created by `withPackages`. This should compensate
-    #       for that.
-    postBuild = prev.postBuild + ''
-      cp -r '${pkgs.perl}/nix-support' "$out"/nix-support
-    '';
-  });
+  ]);
 
   # https://nixos.org/manual/nixpkgs/stable/#python.buildenv-function
   pythonEnv = pkgs.python3.buildEnv.override {
@@ -74,6 +67,21 @@ let
     ignoreCollisions = true;
   };
 
+  sendmailWrapper = pkgs.writeShellApplication {
+    name = "sendmail";
+    runtimeInputs = [ ];
+    text = ''
+      args=("$@")
+
+      if [[ -z "$USERDIR_USER" ]] && [[ "$USERDIR_USER" != "pvv" ]]; then
+          # Prepend -fusername to the argument list, so bounces go to the user
+          args=("-f$USERDIR_USER" "''${args[@]}")
+      fi
+
+      exec '${lib.getExe pkgs.system-sendmail}' "''${args[@]}"
+    '';
+  };
+
   # https://nixos.org/manual/nixpkgs/stable/#sec-building-environment
   fhsEnv = pkgs.buildEnv {
     name = "userweb-env";
@@ -81,7 +89,7 @@ let
     paths = with pkgs; [
       bash
 
-      config.services.bro.instances.userweb-sendmail.client.package
+      sendmailWrapper
 
       perlEnv
       pythonEnv
@@ -176,21 +184,17 @@ in
     extraModules = [
       "systemd"
       "userdir"
-      {
-        name = "perl";
-        path = let
-          mod_perl = pkgs.symlinkJoin {
-            name = "userweb_modperl_with_custom_perl_env";
-            ignoreCollisions = true;
-            paths = [
-              (pkgs.apacheHttpdPackages.mod_perl.override {
-                apacheHttpd = cfg.package.out;
-              })
-              perlEnv
-            ];
-          };
-        in "${mod_perl}/modules/mod_perl.so";
-      }
+      # TODO: I think the compilation steps of pkgs.apacheHttpdPackages.mod_perl might have some
+      #       incorrect or restrictive assumptions upstream, either nixpkgs or source
+      # {
+      #   name = "perl";
+      #   path = let
+      #     mod_perl = pkgs.apacheHttpdPackages.mod_perl.override {
+      #       apacheHttpd = cfg.package.out;
+      #       perl = perlEnv;
+      #     };
+      #   in "${mod_perl}/modules/mod_perl.so";
+      # }
     ];
 
     extraConfig = ''
@@ -199,14 +203,11 @@ in
       ScriptLog ${cfg.logDir}/cgi.log
     '';
 
+    # virtualHosts."userweb.pvv.ntnu.no" = {
     virtualHosts."temmie.pvv.ntnu.no" = {
       forceSSL = true;
       enableACME = true;
 
-      serverAliases = [
-        "www2.pvv.ntnu.no"
-      ];
-
       extraConfig = ''
         UserDir ${lib.concatMapStringsSep " " (l: "/home/pvv/${l}/*/web-docs") homeLetters}
         UserDir disabled root
@@ -257,14 +258,6 @@ in
   #   ];
   # };
 
-  # NOTE: 54 -> 33, this is the UID/GID we used for www-data on tom in the past.
-  #       Any files accessed by or created by httpd will do so over NFS with this
-  #       UID/GID pair as its credentials.
-  #       This overlaps with the hardcoded `disnix` uid in nixpkgs, but we *probably*
-  #       won't be using that for the foreseeable future.
-  users.users."wwwrun".uid = lib.mkForce 33;
-  users.groups."wwwrun".gid = lib.mkForce 33;
-
   systemd.services.httpd = {
     after = [ "pvv-homedirs.target" ];
     requires = [ "pvv-homedirs.target" ];

hosts/temmie/services/userweb/mail.nix

@@ -1,4 +1,4 @@
-{ config, lib, pkgs, ... }:
+{ config, lib, ... }:
 {
   services.postfix.enable = lib.mkForce false;
 
@@ -9,111 +9,4 @@
       remotes = "mail.pvv.ntnu.no smtp --port=25";
     };
   };
-
-  services.bro = {
-    enable = true;
-
-    instances.userweb-sendmail = {
-      enable = true;
-
-      client = {
-        settings.BRO_FILE_FLAGS = [
-          "-C"
-        ];
-      };
-
-      server = {
-        settings = {
-          executable = let
-            sendmailWrapper = pkgs.writeShellApplication {
-              name = "sendmail";
-              runtimeInputs = [ ];
-              bashOptions = [
-                "errexit"
-                "pipefail"
-              ];
-              text = ''
-                args=("$@")
-
-                if [[ -z "$USERDIR_USER" ]] && [[ "$USERDIR_USER" != "pvv" ]]; then
-                    # Prepend -fusername to the argument list, so bounces go to the user
-                    args=("-f$USERDIR_USER" "''${args[@]}")
-                fi
-
-                exec '${lib.getExe pkgs.system-sendmail}' -t -i "''${args[@]}"
-              '';
-            };
-          in lib.getExe sendmailWrapper;
-          allowed-env = [ "USERDIR_USER" ];
-        };
-      };
-    };
-  };
-
-  environment.systemPackages = [
-    (config.services.bro.instances.userweb-sendmail.client.package.overrideAttrs (prev: {
-      buildCommand = prev.buildCommand + ''
-        mv "$out/bin/sendmail" "$out/bin/bro-sendmail"
-      '';
-    }))
-  ];
-
-  users.users.nullmailer-user = {
-    enable = true;
-    isSystemUser = true;
-    group = "nullmailer-user";
-  };
-
-  users.groups.nullmailer-user = { };
-
-  systemd.services.bro-userweb-sendmail = {
-    serviceConfig = {
-      User = "nullmailer-user";
-      Group = "nullmailer-user";
-
-      ReadWritePaths = [
-        "/var/spool/nullmailer"
-      ];
-
-      AmbientCapabilities = "";
-      CapabilityBoundingSet = "";
-      NoNewPrivileges = false;
-      ProtectSystem = "strict";
-      ProtectHome = true;
-      PrivateTmp = true;
-      PrivateDevices = true;
-      PrivateUsers = false;
-      ProtectHostname = true;
-      ProtectClock = true;
-      ProtectKernelTunables = true;
-      ProtectKernelModules = true;
-      ProtectKernelLogs = true;
-      ProtectControlGroups = true;
-      RestrictAddressFamilies = [
-        "AF_UNIX"
-        "AF_INET"
-        "AF_INET6"
-        "AF_NETLINK"
-      ];
-      LockPersonality = true;
-      MemoryDenyWriteExecute = true;
-      PrivateMounts = true;
-      ProcSubset = "pid";
-      ProtectProc = "invisible";
-      RemoveIPC = true;
-      RestrictNamespaces = true;
-      RestrictRealtime = true;
-      RestrictSUIDSGID = true;
-      SystemCallArchitectures = "native";
-      SystemCallFilter = [
-        "@system-service"
-        "~@resources"
-      ];
-      UMask = "0077";
-    };
-  };
-
-  systemd.services.httpd.serviceConfig = {
-    BindPaths = [ (lib.head config.systemd.sockets.bro-userweb-sendmail.listenStreams) ];
-  };
 }

modules/matrix-ooye.nix

@@ -171,9 +171,6 @@ in
         requires = [ "matrix-ooye-pre-start.service" ];
         wantedBy = [ "multi-user.target" ];
 
-        startLimitIntervalSec = 5;
-        startLimitBurst = 5;
-
         serviceConfig = {
           ExecStart = lib.getExe config.services.matrix-ooye.package;
           WorkingDirectory = "/var/lib/matrix-ooye";
@@ -185,6 +182,8 @@ in
           #PrivateDevices = true;
           Restart = "on-failure";
           RestartSec = "5s";
+          StartLimitIntervalSec = "5s";
+          StartLimitBurst = "5";
           DynamicUser = true;
         };
       };