WIP: gitea metrics

the matrix-synapse-next module seems to already add some of the nginx
options we set in base.nix, making it fail. These should only be set if
they're not already set by this module

.sops.yaml

@@ -3,6 +3,7 @@ keys:
   - &user_danio age17tagmpwqjk3mdy45rfesrfey6h863x8wfq38wh33tkrlrywxducs0k6tpq
   - &user_felixalb age1mrnldl334l2nszuta6ywvewng0fswv2dz9l5g4qcwe3nj4yxf92qjskdx6
   - &user_oysteikt F7D37890228A907440E1FD4846B9228E814A2AAC
+  - &user_eirikwit age1ju7rd26llahz3g8tz7cy5ld52swj8gsmg0flrmrxngc0nj0avq3ssh0sn5
 
   # Hosts
   - &host_jokum age1gp8ye4g2mmw3may5xg0zsy7mm04glfz3788mmdx9cvcsdxs9hg0s0cc9kt
@@ -18,6 +19,7 @@ creation_rules:
       - *host_jokum
       - *user_danio
       - *user_felixalb
+      - *user_eirikwit
       pgp:
       - *user_oysteikt
 

base.nix

@@ -3,6 +3,7 @@
 {
   imports = [
     ./users
+    ./modules/snakeoil-certs.nix
   ];
 
   networking.domain = "pvv.ntnu.no";
@@ -58,6 +59,7 @@
     gnupg
     htop
     nano
+    ripgrep
     rsync
     screen
     tmux
@@ -82,5 +84,50 @@
     settings.PermitRootLogin = "yes";
   };
 
+  # nginx return 444 for all nonexistent virtualhosts
 
+  systemd.services.nginx.after = [ "generate-snakeoil-certs.service" ];
+
+  environment.snakeoil-certs = lib.mkIf config.services.nginx.enable {
+    "/etc/certs/nginx" = {
+      owner = "nginx";
+      group = "nginx";
+    };
+  };
+
+  services.nginx = {
+    recommendedTlsSettings = true;
+    recommendedProxySettings = true;
+    recommendedOptimisation = true;
+    recommendedGzipSettings = true;
+
+    appendConfig = lib.mkIf (!config.services.matrix-synapse-next.enable or false) ''
+      pcre_jit on;
+      worker_processes auto;
+      worker_rlimit_nofile 100000;
+    '';
+    eventsConfig = lib.mkIf (!config.services.matrix-synapse-next.enable or false) ''
+      worker_connections 2048;
+      use epoll;
+      multi_accept on;
+    '';
+  };
+
+  systemd.services.nginx.serviceConfig = lib.mkIf (!config.services.matrix-synapse-next.enable or false) {
+    LimitNOFILE = 65536;
+  };
+
+  services.nginx.virtualHosts."_" = lib.mkIf config.services.nginx.enable {
+    sslCertificate = "/etc/certs/nginx.crt";
+    sslCertificateKey = "/etc/certs/nginx.key";
+    addSSL = true;
+    extraConfig = "return 444;";
+  };
+
+  networking.firewall.allowedTCPPorts = lib.mkIf config.services.nginx.enable [ 80 443 ];
+
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = "drift@pvv.ntnu.no";
+  };
 }

flake.lock

@@ -7,11 +7,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1700927249,
-        "narHash": "sha256-iqmIWiEng890/ru7ZBf4nUezFPyRm2fjRTvuwwxqk2o=",
+        "lastModified": 1712356478,
+        "narHash": "sha256-kTcEtrQIRnexu5lAbLsmUcfR2CrmsACF1s3ZFw1NEVA=",
         "owner": "nix-community",
         "repo": "disko",
-        "rev": "3cb78c93e6a02f494aaf6aeb37481c27a2e2ee22",
+        "rev": "0a17298c0d96190ef3be729d594ba202b9c53beb",
         "type": "github"
       },
       "original": {
@@ -47,11 +47,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1693864994,
-        "narHash": "sha256-oLDiWdCKDtEfeGzfAuDTq+n9VWp6JCo67PEESEZ3y8E=",
+        "lastModified": 1711853301,
+        "narHash": "sha256-KxRNyW/fgq690bt3B+Nz4EKLoubybcuASYyMa41bAPE=",
         "owner": "Programvareverkstedet",
         "repo": "grzegorz-clients",
-        "rev": "a38a0b0fb31ad0ad78a91458cb2c7f77f686468f",
+        "rev": "c38f2f22a6d47ae2da015351a45d13cbc1eb48e4",
         "type": "github"
       },
       "original": {
@@ -62,76 +62,82 @@
     },
     "matrix-next": {
       "inputs": {
-        "nixpkgs-lib": "nixpkgs-lib"
+        "nixpkgs": [
+          "nixpkgs"
+        ]
       },
       "locked": {
-        "lastModified": 1697936579,
-        "narHash": "sha256-nMyepKnwoHMzu2OpXvG2ZhU081TV9ENmWCo0vWxs6AI=",
+        "lastModified": 1710311999,
+        "narHash": "sha256-s0pT1NyrMgeolUojXXcnXQDymN7m80GTF7itCv0ZH20=",
         "owner": "dali99",
         "repo": "nixos-matrix-modules",
-        "rev": "e09814657187c8ed1a5fe1646df6d8da1eb2dee9",
+        "rev": "6c9b67974b839740e2a738958512c7a704481157",
         "type": "github"
       },
       "original": {
         "owner": "dali99",
         "repo": "nixos-matrix-modules",
-        "rev": "e09814657187c8ed1a5fe1646df6d8da1eb2dee9",
         "type": "github"
       }
     },
+    "nix-gitea-themes": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1712621190,
+        "narHash": "sha256-O8xtza+wPplTmSm0EAPk8Ud9sJ6huVNY6jU21FYHCp4=",
+        "ref": "refs/heads/main",
+        "rev": "812c1fc4061d534a8c7d35271ce32b6c76a9f385",
+        "revCount": 5,
+        "type": "git",
+        "url": "https://git.pvv.ntnu.no/oysteikt/nix-gitea-themes.git"
+      },
+      "original": {
+        "type": "git",
+        "url": "https://git.pvv.ntnu.no/oysteikt/nix-gitea-themes.git"
+      }
+    },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1701362232,
-        "narHash": "sha256-GVdzxL0lhEadqs3hfRLuj+L1OJFGiL/L7gCcelgBlsw=",
+        "lastModified": 1712386448,
+        "narHash": "sha256-kacQwZ5WnJv4HH5s8tlZTClyiwVP8XAaywI5I7QqLIY=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "d2332963662edffacfddfad59ff4f709dde80ffe",
+        "rev": "7644b4bc09c6329bcd82561a076fd7add697d092",
         "type": "github"
       },
       "original": {
         "id": "nixpkgs",
-        "ref": "nixos-23.05-small",
+        "ref": "nixos-23.11-small",
         "type": "indirect"
       }
     },
-    "nixpkgs-lib": {
-      "locked": {
-        "lastModified": 1673743903,
-        "narHash": "sha256-sloY6KYyVOozJ1CkbgJPpZ99TKIjIvM+04V48C04sMQ=",
-        "owner": "nix-community",
-        "repo": "nixpkgs.lib",
-        "rev": "7555e2dfcbac1533f047021f1744ac8871150f9f",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-community",
-        "repo": "nixpkgs.lib",
-        "type": "github"
-      }
-    },
     "nixpkgs-stable": {
       "locked": {
-        "lastModified": 1700905716,
-        "narHash": "sha256-w1vHn2MbGfdC+CrP3xLZ3scsI06N0iQLU7eTHIVEFGw=",
+        "lastModified": 1711819797,
+        "narHash": "sha256-tNeB6emxj74Y6ctwmsjtMlzUMn458sBmwnD35U5KIM4=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "dfb95385d21475da10b63da74ae96d89ab352431",
+        "rev": "2b4e3ca0091049c6fbb4908c66b05b77eaef9f0c",
         "type": "github"
       },
       "original": {
         "owner": "NixOS",
-        "ref": "release-23.05",
+        "ref": "release-23.11",
         "repo": "nixpkgs",
         "type": "github"
       }
     },
     "nixpkgs-unstable": {
       "locked": {
-        "lastModified": 1701368325,
-        "narHash": "sha256-3OqZyi2EdopJxpxwrySPyCTuCvfBY4oXTLVgQ4B6qDg=",
+        "lastModified": 1712381113,
+        "narHash": "sha256-YL8miM11o/jMqOwt5DsdyhPgh/JgCl1kOIzvX7ukniY=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "3934dbde4f4a0e266825348bc4ad1bdd00a8d6a3",
+        "rev": "6cc8dbb00974248cdd1b7ebd05cbc7c0799ce974",
         "type": "github"
       },
       "original": {
@@ -160,15 +166,37 @@
         "url": "https://git.pvv.ntnu.no/Projects/calendar-bot.git"
       }
     },
+    "pvv-nettsiden": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1712834399,
+        "narHash": "sha256-deNJvqboPk3bEoRZ/FyZnxscsf2BpS3/52JM4qXCNSA=",
+        "ref": "refs/heads/master",
+        "rev": "216e153f89f1dbdc4c98a7c1db2a40e52becc901",
+        "revCount": 451,
+        "type": "git",
+        "url": "https://git.pvv.ntnu.no/Projects/nettsiden.git"
+      },
+      "original": {
+        "type": "git",
+        "url": "https://git.pvv.ntnu.no/Projects/nettsiden.git"
+      }
+    },
     "root": {
       "inputs": {
         "disko": "disko",
         "grzegorz": "grzegorz",
         "grzegorz-clients": "grzegorz-clients",
         "matrix-next": "matrix-next",
+        "nix-gitea-themes": "nix-gitea-themes",
         "nixpkgs": "nixpkgs",
         "nixpkgs-unstable": "nixpkgs-unstable",
         "pvv-calendar-bot": "pvv-calendar-bot",
+        "pvv-nettsiden": "pvv-nettsiden",
         "sops-nix": "sops-nix"
       }
     },
@@ -180,11 +208,11 @@
         "nixpkgs-stable": "nixpkgs-stable"
       },
       "locked": {
-        "lastModified": 1701127353,
-        "narHash": "sha256-qVNX0wOl0b7+I35aRu78xUphOyELh+mtUp1KBx89K1Q=",
+        "lastModified": 1711855048,
+        "narHash": "sha256-HxegAPnQJSC4cbEbF4Iq3YTlFHZKLiNTk8147EbLdGg=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "b1edbf5c0464b4cced90a3ba6f999e671f0af631",
+        "rev": "99b1e37f9fc0960d064a7862eb7adfb92e64fa10",
         "type": "github"
       },
       "original": {

flake.nix

@@ -2,7 +2,7 @@
   description = "PVV System flake";
 
   inputs = {
-    nixpkgs.url = "nixpkgs/nixos-23.05-small";
+    nixpkgs.url = "nixpkgs/nixos-23.11-small";
     nixpkgs-unstable.url = "nixpkgs/nixos-unstable-small";
 
     sops-nix.url = "github:Mic92/sops-nix";
@@ -11,11 +11,17 @@
     disko.url = "github:nix-community/disko";
     disko.inputs.nixpkgs.follows = "nixpkgs";
 
+    pvv-nettsiden.url = "git+https://git.pvv.ntnu.no/Projects/nettsiden.git";
+    pvv-nettsiden.inputs.nixpkgs.follows = "nixpkgs";
+
     pvv-calendar-bot.url = "git+https://git.pvv.ntnu.no/Projects/calendar-bot.git";
     pvv-calendar-bot.inputs.nixpkgs.follows = "nixpkgs";
 
-    # Last release compatible with 23.05
-    matrix-next.url = "github:dali99/nixos-matrix-modules/e09814657187c8ed1a5fe1646df6d8da1eb2dee9";
+    matrix-next.url = "github:dali99/nixos-matrix-modules";
+    matrix-next.inputs.nixpkgs.follows = "nixpkgs";
+
+    nix-gitea-themes.url = "git+https://git.pvv.ntnu.no/oysteikt/nix-gitea-themes.git";
+    nix-gitea-themes.inputs.nixpkgs.follows = "nixpkgs";
 
     grzegorz.url = "github:Programvareverkstedet/grzegorz";
     grzegorz.inputs.nixpkgs.follows = "nixpkgs-unstable";
@@ -23,7 +29,7 @@
     grzegorz-clients.inputs.nixpkgs.follows = "nixpkgs";
   };
 
-  outputs = { self, nixpkgs, nixpkgs-unstable, sops-nix, disko, ... }@inputs:
+  outputs = { self, nixpkgs, nixpkgs-unstable, pvv-nettsiden, sops-nix, disko, ... }@inputs:
   let
     nixlib = nixpkgs.lib;
     systems = [
@@ -42,6 +48,7 @@
     ];
   in {
     nixosConfigurations = let
+      unstablePkgs = nixpkgs-unstable.legacyPackages.x86_64-linux;
       nixosConfig = nixpkgs: name: config: nixpkgs.lib.nixosSystem (nixpkgs.lib.recursiveUpdate
         rec {
           system = "x86_64-linux";
@@ -53,19 +60,14 @@
           modules = [
             ./hosts/${name}/configuration.nix
             sops-nix.nixosModules.sops
-          ];
+          ] ++ config.modules or [];
 
           pkgs = import nixpkgs {
             inherit system;
-            overlays = [
-              (final: prev: {
-                mx-puppet-discord = prev.mx-puppet-discord.override { nodejs_14 = final.nodejs_18; };
-              })
-              inputs.pvv-calendar-bot.overlays.${system}.default
-            ];
+            overlays = [ ] ++ config.overlays or [ ];
           };
         }
-        config
+        (removeAttrs config [ "modules" "overlays" ])
       );
 
       stableNixosConfig = nixosConfig nixpkgs;
@@ -73,19 +75,30 @@
     in {
       bicep = stableNixosConfig "bicep" {
         modules = [
-          ./hosts/bicep/configuration.nix
-          sops-nix.nixosModules.sops
-
           inputs.matrix-next.nixosModules.default
           inputs.pvv-calendar-bot.nixosModules.default
         ];
+        overlays = [
+          inputs.pvv-calendar-bot.overlays.x86_64-linux.default
+        ];
+      };
+      bekkalokk = stableNixosConfig "bekkalokk" {
+        overlays = [
+          (final: prev: {
+            heimdal = unstablePkgs.heimdal;
+            mediawiki-extensions = final.callPackage ./packages/mediawiki-extensions { };
+            simplesamlphp = final.callPackage ./packages/simplesamlphp { };
+          })
+          inputs.nix-gitea-themes.overlays.default
+          inputs.pvv-nettsiden.overlays.default
+        ];
+        modules = [
+          inputs.nix-gitea-themes.nixosModules.default
+          inputs.pvv-nettsiden.nixosModules.default
+        ];
       };
-      bekkalokk = stableNixosConfig "bekkalokk" { };
       bob = stableNixosConfig "bob" {
         modules = [
-          ./hosts/bob/configuration.nix
-          sops-nix.nixosModules.sops
-
           disko.nixosModules.disko
           { disko.devices.disk.disk1.device = "/dev/vda"; }
         ];
@@ -96,28 +109,17 @@
 
       brzeczyszczykiewicz = stableNixosConfig "brzeczyszczykiewicz" {
         modules = [
-          ./hosts/brzeczyszczykiewicz/configuration.nix
-          sops-nix.nixosModules.sops
-
           inputs.grzegorz.nixosModules.grzegorz-kiosk
           inputs.grzegorz-clients.nixosModules.grzegorz-webui
         ];
       };
       georg = stableNixosConfig "georg" {
         modules = [
-          ./hosts/georg/configuration.nix
-          sops-nix.nixosModules.sops
-
           inputs.grzegorz.nixosModules.grzegorz-kiosk
           inputs.grzegorz-clients.nixosModules.grzegorz-webui
         ];
       };
-      buskerud = stableNixosConfig "buskerud" {
-        modules = [
-          ./hosts/buskerud/configuration.nix
-          sops-nix.nixosModules.sops
-        ];
-      };
+      buskerud = stableNixosConfig "buskerud" { };
     };
 
     devShells = forAllSystems (system: {
@@ -133,6 +135,10 @@
           (nixlib.getAttrs importantMachines self.packages.x86_64-linux);
         all-machines = pkgs.linkFarm "all-machines"
           (nixlib.getAttrs allMachines self.packages.x86_64-linux);
+
+        simplesamlphp = pkgs.callPackage ./packages/simplesamlphp { };
+
+        mediawiki-extensions = pkgs.callPackage ./packages/mediawiki-extensions { };
       } // nixlib.genAttrs allMachines
         (machine: self.nixosConfigurations.${machine}.config.system.build.toplevel);
     };

hosts/bekkalokk/configuration.nix

@@ -8,12 +8,13 @@
 
     #./services/keycloak.nix
 
-    # TODO: set up authentication for the following:
-    # ./services/website.nix
-    ./services/nginx
+    ./services/website
+    ./services/nginx.nix
     ./services/gitea/default.nix
+    ./services/kerberos
     ./services/webmail
-    # ./services/mediawiki.nix
+    ./services/mediawiki
+    ./services/idp-simplesamlphp
   ];
 
   sops.defaultSopsFile = ../../secrets/bekkalokk/bekkalokk.yaml;
@@ -24,8 +25,6 @@
   boot.loader.systemd-boot.enable = true;
   boot.loader.efi.canTouchEfiVariables = true;
 
-  virtualisation.podman.enable = true;
-
   networking.hostName = "bekkalokk";
 
   systemd.network.networks."30-enp2s0" = values.defaultNetworkConfig // {

hosts/bekkalokk/services/gitea/ci.nix

@@ -27,4 +27,5 @@ lib.mkMerge [
   (mkRunner "alpha")
   (mkRunner "beta")
   (mkRunner "epsilon")
+  { virtualisation.podman.enable = true; }
 ]

hosts/bekkalokk/services/gitea/default.nix

@@ -6,6 +6,7 @@ let
 in {
   imports = [
     ./ci.nix
+    ./import-users.nix
   ];
 
   sops.secrets = {
@@ -13,9 +14,6 @@ in {
       owner = "gitea";
       group = "gitea";
     };
-    "gitea/passwd-ssh-key" = { };
-    "gitea/ssh-known-hosts" = { };
-    "gitea/import-user-env" = { };
   };
 
   services.gitea = {
@@ -37,7 +35,7 @@ in {
         ROOT_URL = "https://${domain}/";
         PROTOCOL = "http+unix";
         SSH_PORT = sshPort;
-	      START_SSH_SERVER = true;
+        START_SSH_SERVER = true;
       };
       indexer.REPO_INDEXER_ENABLED = true;
       service.DISABLE_REGISTRATION = true;
@@ -47,8 +45,8 @@ in {
         DISABLE_GRAVATAR = true;
         ENABLE_FEDERATED_AVATAR = false;
       };
+      metrics.ENABLED = true;
       actions.ENABLED = true;
-      "ui.meta".DESCRIPTION = "Bokstavelig talt programvareverkstedet";
     };
   };
 
@@ -57,49 +55,48 @@ in {
   services.nginx.virtualHosts."${domain}" = {
     forceSSL = true;
     enableACME = true;
+    kTLS = true;
     locations."/" = {
       proxyPass = "http://unix:${cfg.settings.server.HTTP_ADDR}";
-      recommendedProxySettings = true;
       extraConfig = ''
         client_max_body_size 512M;
       '';
     };
+
+    locations."/metrics" = {
+      proxyPass = "http://unix:${cfg.settings.server.HTTP_ADDR}";
+      extraConfig = ''
+        allow ${values.hosts.ildkule.ipv4};
+        allow ${values.hosts.ildkule.ipv6};
+	deny all;
+      '';
+    };
   };
 
   networking.firewall.allowedTCPPorts = [ sshPort ];
 
-  # Automatically import users
-  systemd.services.gitea-import-users = {
-    enable = true;
-    preStart=''${pkgs.rsync}/bin/rsync -e "${pkgs.openssh}/bin/ssh -o UserKnownHostsFile=$CREDENTIALS_DIRECTORY/ssh-known-hosts -i $CREDENTIALS_DIRECTORY/sshkey" -a pvv@smtp.pvv.ntnu.no:/etc/passwd /tmp/passwd-import'';
-    serviceConfig = {
-      ExecStart = pkgs.writers.writePython3 "gitea-import-users" { libraries = [ pkgs.python3Packages.requests ]; } (builtins.readFile ./gitea-import-users.py);
-      LoadCredential=[
-        "sshkey:${config.sops.secrets."gitea/passwd-ssh-key".path}"
-        "ssh-known-hosts:${config.sops.secrets."gitea/ssh-known-hosts".path}"
-      ];
-      DynamicUser="yes";
-      EnvironmentFile=config.sops.secrets."gitea/import-user-env".path;
-    };
-  };
+  # Extra customization
 
-  systemd.timers.gitea-import-users = {
-    requires = [ "gitea.service" ];
-    after = [ "gitea.service" ];
-    wantedBy = [ "timers.target" ];
-    timerConfig = {
-      OnCalendar = "*-*-* 02:00:00";
-      Persistent = true;
-      Unit = "gitea-import-users.service";
-    };
-  };
+  services.gitea-themes.monokai = pkgs.gitea-theme-monokai;
 
-  system.activationScripts.linkGiteaLogo.text = let
-    logo-svg = ../../../../assets/logo_blue_regular.svg;
-    logo-png = ../../../../assets/logo_blue_regular.png;
-  in ''
-    install -Dm444 ${logo-svg} ${cfg.stateDir}/custom/public/img/logo.svg
-    install -Dm444 ${logo-png} ${cfg.stateDir}/custom/public/img/logo.png
-    install -Dm444 ${./loading.apng} ${cfg.stateDir}/custom/public/img/loading.png
-  '';
+  systemd.services.install-gitea-customization = {
+    description = "Install extra customization in gitea's CUSTOM_DIR";
+    wantedBy = [ "gitea.service" ];
+    requiredBy = [ "gitea.service" ];
+
+    serviceConfig =  {
+      Type = "oneshot";
+      User = cfg.user;
+      Group = cfg.group;
+    };
+
+    script = let
+      logo-svg = ../../../../assets/logo_blue_regular.svg;
+      logo-png = ../../../../assets/logo_blue_regular.png;
+    in ''
+      install -Dm444 ${logo-svg} ${cfg.customDir}/public/img/logo.svg
+      install -Dm444 ${logo-png} ${cfg.customDir}/public/img/logo.png
+      install -Dm444 ${./loading.apng} ${cfg.customDir}/public/img/loading.png
+    '';
+  };
 }

hosts/bekkalokk/services/gitea/gitea-import-users.py

@@ -32,7 +32,6 @@ def add_user(username, name):
             "full_name": name,
             "username": username,
             "login_name": username,
-            "visibility": "public",
             "source_id": 1,  # 1 = SMTP
     }
 
@@ -52,6 +51,7 @@ def add_user(username, name):
         existing_users[username] = user
 
     else:
+        user["visibility"] = existing_users[username]["visibility"]
         r = requests.patch(GITEA_API_URL + f'/admin/users/{username}',
                            json=user,
                            headers={'Authorization': 'token ' + API_TOKEN})

hosts/bekkalokk/services/gitea/import-users.nix

@@ -0,0 +1,38 @@
+{ config, pkgs, lib, ... }:
+let
+  cfg = config.services.gitea;
+in
+{
+  sops.secrets = {
+    "gitea/passwd-ssh-key" = { };
+    "gitea/ssh-known-hosts" = { };
+    "gitea/import-user-env" = { };
+  };
+
+  systemd.services.gitea-import-users = lib.mkIf cfg.enable {
+    enable = true;
+    preStart=''${pkgs.rsync}/bin/rsync -e "${pkgs.openssh}/bin/ssh -o UserKnownHostsFile=$CREDENTIALS_DIRECTORY/ssh-known-hosts -i $CREDENTIALS_DIRECTORY/sshkey" -a pvv@smtp.pvv.ntnu.no:/etc/passwd /tmp/passwd-import'';
+    serviceConfig = {
+      ExecStart = pkgs.writers.writePython3 "gitea-import-users" {
+        libraries = with pkgs.python3Packages; [ requests ];
+      } (builtins.readFile ./gitea-import-users.py);
+      LoadCredential=[
+        "sshkey:${config.sops.secrets."gitea/passwd-ssh-key".path}"
+        "ssh-known-hosts:${config.sops.secrets."gitea/ssh-known-hosts".path}"
+      ];
+      DynamicUser="yes";
+      EnvironmentFile=config.sops.secrets."gitea/import-user-env".path;
+    };
+  };
+
+  systemd.timers.gitea-import-users = lib.mkIf cfg.enable {
+    requires = [ "gitea.service" ];
+    after = [ "gitea.service" ];
+    wantedBy = [ "timers.target" ];
+    timerConfig = {
+      OnCalendar = "*-*-* 02:00:00";
+      Persistent = true;
+      Unit = "gitea-import-users.service";
+    };
+  };
+}

hosts/bekkalokk/services/idp-simplesamlphp/authpwauth.php

@@ -0,0 +1,135 @@
+<?php
+
+/**
+ * Authenticate using HTTP login.
+ *
+ * @author Yorn de Jong
+ * @author Oystein Kristoffer Tveit
+ * @package simpleSAMLphp
+ */
+
+namespace SimpleSAML\Module\authpwauth\Auth\Source;
+
+class PwAuth extends \SimpleSAML\Module\core\Auth\UserPassBase
+{
+    protected $pwauth_bin_path;
+    protected $mail_domain;
+
+    public function __construct(array $info, array &$config) {
+            assert('is_array($info)');
+            assert('is_array($config)');
+
+            /* Call the parent constructor first, as required by the interface. */
+            parent::__construct($info, $config);
+
+            $this->pwauth_bin_path = $config['pwauth_bin_path'];
+            if (array_key_exists('mail_domain', $config)) {
+                    $this->mail_domain = '@' . ltrim($config['mail_domain'], '@');
+            }
+    }
+
+    public function login(string $username, string $password): array {
+            $username = strtolower( $username );
+
+	    if (!file_exists($this->pwauth_bin_path)) {
+                    die("Could not find pwauth binary");
+                    return false;
+	    }
+
+	    if (!is_executable($this->pwauth_bin_path)) {
+                    die("pwauth binary is not executable");
+                    return false;
+	    }
+
+            $handle = popen($this->pwauth_bin_path, 'w');
+            if ($handle === FALSE) {
+                    die("Error opening pipe to pwauth");
+                    return false;
+            }
+
+            $data = "$username\n$password\n";
+            if (fwrite($handle, $data) !== strlen($data)) {
+                    die("Error writing to pwauth pipe");
+                    return false;
+            }
+
+            # Is the password valid?
+            $result = pclose( $handle );
+            if ($result !== 0) {
+                    if (!in_array($result, [1, 2, 3, 4, 5, 6, 7], true)) {
+                            die("pwauth returned $result for username $username");
+                    }
+                    throw new \SimpleSAML\Error\Error('WRONGUSERPASS');
+            }
+            /*
+            $ldap = ldap_connect('129.241.210.159', 389);
+            ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
+            ldap_start_tls($ldap);
+            ldap_bind($ldap, 'passordendrer@pvv.ntnu.no', 'Oi7aekoh');
+            $search = ldap_search($ldap, 'DC=pvv,DC=ntnu,DC=no', '(sAMAccountName='.ldap_escape($username, '', LDAP_ESCAPE_FILTER).')');
+            $entry = ldap_first_entry($ldap, $search);
+            $dn = ldap_get_dn($ldap, $entry);
+            $newpassword = mb_convert_encoding("\"$password\"", 'UTF-16LE', 'UTF-8');
+            ldap_modify_batch($ldap, $dn, [
+                    #[
+                    #       'modtype' => LDAP_MODIFY_BATCH_REMOVE,
+                    #       'attrib' => 'unicodePwd',
+                    #       'values' => [$password],
+                    #],
+                    [
+                            #'modtype' => LDAP_MODIFY_BATCH_ADD,
+                            'modtype' => LDAP_MODIFY_BATCH_REPLACE,
+                            'attrib' => 'unicodePwd',
+                            'values' => [$newpassword],
+                    ],
+            ]);
+            */
+
+            #0  -  Login OK.
+            #1  -  Nonexistant login or (for some configurations) incorrect password.
+            #2  -  Incorrect password (for some configurations).
+            #3  -  Uid number is below MIN_UNIX_UID value configured in config.h.
+            #4  -  Login ID has expired.
+            #5  -  Login's password has expired.
+            #6  -  Logins to system have been turned off (usually by /etc/nologin file).
+            #7  -  Limit on number of bad logins exceeded.
+            #50 -  pwauth was not run with real uid SERVER_UID.  If you get this
+            #      this error code, you probably have SERVER_UID set incorrectly
+            #      in pwauth's config.h file.
+            #51 -  pwauth was not given a login & password to check.  The means
+            #      the passing of data from mod_auth_external to pwauth is messed
+            #      up.  Most likely one is trying to pass data via environment
+            #      variables, while the other is trying to pass data via a pipe.
+            #52 -  one of several possible internal errors occured.
+
+
+            $uid = $username;
+	    # TODO: Reinstate this code once passwd is working...
+	    /*
+            $cn = trim(shell_exec('getent passwd '.escapeshellarg($uid).' | cut -d: -f5 | cut -d, -f1'));
+
+            $groups = preg_split('_\\s_', shell_exec('groups '.escapeshellarg($uid)));
+            array_shift($groups);
+            array_shift($groups);
+            array_pop($groups);
+	    
+            $info = posix_getpwnam($uid);
+            $group = $info['gid'];
+            if (!in_array($group, $groups)) {
+                    $groups[] = $group;
+            }
+	    */
+	    $cn = "Unknown McUnknown";
+	    $groups = array();
+
+            $result = array(
+                    'uid' => array($uid),
+                    'cn' => array($cn),
+                    'group' => $groups,
+            );
+            if (isset($this->mail_domain)) {
+                    $result['mail'] = array($uid.$this->mail_domain);
+            }
+            return $result;
+    }
+}

hosts/bekkalokk/services/idp-simplesamlphp/default.nix

@@ -0,0 +1,208 @@
+{ config, pkgs, lib, ... }:
+let
+  pwAuthScript = pkgs.writeShellApplication {
+    name = "pwauth";
+    runtimeInputs = with pkgs; [ coreutils heimdal ];
+    text = ''
+      read -r user1
+      user2="$(echo -n "$user1" | tr -c -d '0123456789abcdefghijklmnopqrstuvwxyz')"
+      if test "$user1" != "$user2"
+      then
+        read -r _
+        exit 2
+      fi
+      kinit --password-file=STDIN "''${user1}@PVV.NTNU.NO" >/dev/null 2>/dev/null
+      kdestroy >/dev/null 2>/dev/null
+    '';
+  };
+
+  package = pkgs.simplesamlphp.override {
+    extra_files = {
+      # NOTE: Using self signed certificate created 30. march 2024, with command:
+      # openssl req -newkey rsa:4096 -new -x509 -days 365 -nodes -out idp.crt -keyout idp.pem
+      "metadata/saml20-idp-hosted.php" = pkgs.writeText "saml20-idp-remote.php" ''
+        <?php
+	  $metadata['https://idp.pvv.ntnu.no/'] = array(
+	    'host' => '__DEFAULT__',
+	    'privatekey' => '${config.sops.secrets."idp/privatekey".path}',
+	    'certificate' => '${./idp.crt}',
+	    'auth' => 'pwauth',
+	  );
+	?>
+      '';
+
+      "metadata/saml20-sp-remote.php" = pkgs.writeText "saml20-sp-remote.php" ''
+        <?php
+	  ${ lib.pipe config.services.idp.sp-remote-metadata [
+             (map (url: ''
+               $metadata['${url}'] = [
+                   'SingleLogoutService' => [
+                       [
+                           'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
+                           'Location' => '${url}module.php/saml/sp/saml2-logout.php/default-sp',
+                       ],
+                       [
+                           'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:SOAP',
+                           'Location' => '${url}module.php/saml/sp/saml2-logout.php/default-sp',
+                       ],
+                   ],
+                   'AssertionConsumerService' => [
+                       [
+                           'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
+                           'Location' => '${url}module.php/saml/sp/saml2-acs.php/default-sp',
+                           'index' => 0,
+                       ],
+                       [
+                           'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact',
+                           'Location' => '${url}module.php/saml/sp/saml2-acs.php/default-sp',
+                           'index' => 1,
+                       ],
+                   ],
+               ];
+	     ''))
+	     (lib.concatStringsSep "\n")
+	  ]}
+	?>
+      '';
+
+      "config/authsources.php" = pkgs.writeText "idp-authsources.php" ''
+        <?php
+          $config = array(
+	    'admin' => array(
+	      'core:AdminPassword'
+	    ),
+            'pwauth' => array(
+               'authpwauth:PwAuth',
+               'pwauth_bin_path' => '${lib.getExe pwAuthScript}',
+               'mail_domain' => '@pvv.ntnu.no',
+            ),
+          );
+	?>
+      '';
+
+      "config/config.php" = pkgs.runCommandLocal "simplesamlphp-config.php" { } ''
+        cp ${./config.php} "$out"
+
+        substituteInPlace "$out" \
+          --replace '$SAML_COOKIE_SECURE' 'true' \
+          --replace '$SAML_COOKIE_SALT' 'file_get_contents("${config.sops.secrets."idp/cookie_salt".path}")' \
+          --replace '$SAML_ADMIN_NAME' '"Drift"' \
+          --replace '$SAML_ADMIN_EMAIL' '"drift@pvv.ntnu.no"' \
+          --replace '$SAML_ADMIN_PASSWORD' 'file_get_contents("${config.sops.secrets."idp/admin_password".path}")' \
+          --replace '$SAML_TRUSTED_DOMAINS' 'array( "idp.pvv.ntnu.no" )' \
+          --replace '$SAML_DATABASE_DSN' '"pgsql:host=postgres.pvv.ntnu.no;port=5432;dbname=idp"' \
+          --replace '$SAML_DATABASE_USERNAME' '"idp"' \
+          --replace '$SAML_DATABASE_PASSWORD' 'file_get_contents("${config.sops.secrets."idp/postgres_password".path}")' \
+          --replace '$CACHE_DIRECTORY' '/var/cache/idp'
+      '';
+
+      "modules/authpwauth/src/Auth/Source/PwAuth.php" = ./authpwauth.php;
+    };
+  };
+in
+{
+  options.services.idp.sp-remote-metadata = lib.mkOption {
+    type = with lib.types; listOf str;
+    default = [ ];
+    description = ''
+      List of urls point to (simplesamlphp) service profiders, which the idp should trust.
+
+      :::{.note}
+	Make sure the url ends with a `/`
+      :::
+    '';
+  };
+
+  config = {
+    sops.secrets = {
+      "idp/privatekey" = {
+        owner = "idp";
+        group = "idp";
+        mode = "0770";
+      };
+      "idp/admin_password" = {
+        owner = "idp";
+        group = "idp";
+      };
+      "idp/postgres_password" = {
+        owner = "idp";
+        group = "idp";
+      };
+      "idp/cookie_salt" = {
+        owner = "idp";
+        group = "idp";
+      };
+    };  
+
+    users.groups."idp" = { };
+    users.users."idp" = {
+      description = "PVV Identity Provider Service User";
+      group = "idp";
+      createHome = false;
+      isSystemUser = true;
+    };
+
+    systemd.tmpfiles.settings."10-idp" = {
+      "/var/cache/idp".d = {
+        user = "idp";
+        group = "idp";
+        mode = "0770";
+      };
+      "/var/lib/idp".d = {
+        user = "idp";
+        group = "idp";
+        mode = "0770";
+      };
+    };
+
+    services.phpfpm.pools.idp = {
+      user = "idp";
+      group = "idp";
+      settings = let
+        listenUser = config.services.nginx.user;
+        listenGroup = config.services.nginx.group;
+      in {
+        "pm" = "dynamic";
+        "pm.max_children" = 32;
+        "pm.max_requests" = 500;
+        "pm.start_servers" = 2;
+        "pm.min_spare_servers" = 2;
+        "pm.max_spare_servers" = 4;
+        "listen.owner" = listenUser;
+        "listen.group" = listenGroup;
+
+        "catch_workers_output" = true;
+        "php_admin_flag[log_errors]" = true;
+        # "php_admin_value[error_log]" = "stderr";
+      };
+    };
+
+    services.nginx.virtualHosts."idp.pvv.ntnu.no" = {
+      forceSSL = true;
+      enableACME = true;
+      kTLS = true;
+      root = "${package}/share/php/simplesamlphp/public";
+      locations =  {
+        # based on https://simplesamlphp.org/docs/stable/simplesamlphp-install.html#configuring-nginx
+        "/" = {
+          alias = "${package}/share/php/simplesamlphp/public/";
+          index = "index.php";
+
+          extraConfig = ''
+            location ~ ^/(?<phpfile>.+?\.php)(?<pathinfo>/.*)?$ {
+              include ${pkgs.nginx}/conf/fastcgi_params;
+              fastcgi_pass unix:${config.services.phpfpm.pools.idp.socket};
+              fastcgi_param SCRIPT_FILENAME ${package}/share/php/simplesamlphp/public/$phpfile;
+              fastcgi_param SCRIPT_NAME /$phpfile;
+              fastcgi_param PATH_INFO $pathinfo if_not_empty;
+            }
+          '';
+        };
+        "^~ /simplesaml/".extraConfig = ''
+	  rewrite ^/simplesaml/(.*)$ /$1 redirect;
+	  return 404;
+	'';
+      };
+    };
+  };
+}

hosts/bekkalokk/services/idp-simplesamlphp/idp.crt

@@ -0,0 +1,33 @@
+-----BEGIN CERTIFICATE-----
+MIIFqTCCA5GgAwIBAgIUL2+PMM9rE9wI5W2yNnJ2CmfGxh0wDQYJKoZIhvcNAQEL
+BQAwZDELMAkGA1UEBhMCTk8xEzARBgNVBAgMClNvbWUtU3RhdGUxHjAcBgNVBAoM
+FVByb2dyYW12YXJldmVya3N0ZWRldDEgMB4GCSqGSIb3DQEJARYRZHJpZnRAcHZ2
+Lm50bnUubm8wHhcNMjQwMzMwMDAyNjQ0WhcNMjUwMzMwMDAyNjQ0WjBkMQswCQYD
+VQQGEwJOTzETMBEGA1UECAwKU29tZS1TdGF0ZTEeMBwGA1UECgwVUHJvZ3JhbXZh
+cmV2ZXJrc3RlZGV0MSAwHgYJKoZIhvcNAQkBFhFkcmlmdEBwdnYubnRudS5ubzCC
+AiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAL/0l0jdV+PoVxdd21F+2NLm
+JN6sZmSJexOSk/sFjhhF4WMtjOfDAQYjt3hlLPyYl//jCe9WteavvtdCx1tHJitd
+xjOUJ/leVjHzBttCVZR+iTlQtpsZ2TbRMJ5Fcfl82njlPecV4umJvnnFXawE4Qee
+dE2OM8ODjjrK1cNaHR74tyZCwmdOxNHXZ7RN22p9kZjLD18LQyNr5igaDBeaZkyk
+Gxbg4tbP51x9JFRLF7kUlyAc83geFnw6v/wBahr49m/X4y7xE0rdPb2L0moUjmOO
+Zyl3hvxMI3+g/0FVMM5eKmfIIP2rIVEAa6MWMx0vPjC6h2fIyxkUqg5C8aFlpqav
++8f2rUc+JfdiFsIZNrylBXsleGzS+/wY1uB/pAy5Vg9WCp+eC75EtWMt0k2f442G
+rhKa3lAZ6GIYrtEiQiNGM1aT1Cs1nqTtslfnHiuAKBefLjCXgq9uvL2yRodwe9/m
+oZiqYnLHy/v1xfnF5rKTcRmOleU3tc+nlN6tZSGC1nZgMpqpoqdcbJXAkvaJ2Km4
+sl0YS28VQnztgzuVPNdnv8lcS6HmkaGaNWbepKgWeaH5oT7O6u99wZIv88m+tf5m
+Eu197YVpcclnojQCYKauWcQFsXS20egsVP87Qk0e2SHmGTUQp6YEYX6RLjkg7/vS
+BelDBbCldraNVEiC0jmpAgMBAAGjUzBRMB0GA1UdDgQWBBSL0yofG5NEmzFIRuqC
+xmyiuZW6DTAfBgNVHSMEGDAWgBSL0yofG5NEmzFIRuqCxmyiuZW6DTAPBgNVHRMB
+Af8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4ICAQAZZVs7BLk/NLq3f4Ik8qH3IoDN
+2m4XXRZS+xxw5RwctgSnik7AffgAfv8QQm2co8UYkHbB0whaG1PDz+L7wB1hVkWn
+DVUaJcKQnn0x+sNU5LoTbjI0PlaST7PO5D0OMFab8FSNxpzzpbUcgZUhelc99Ri/
+2Gh8mf4b3Y3Uzq6YKFsuFM65OuJhH8f1w6onai9x28t6tERHUSUfJ2keXzU4ytCV
+EitWXwhe759VLqmdP4BATwlCOCuwa5aDeGcWRIqFpYIn0SOAmVV3o4V71JdZc1jE
+fuOo/PbiHZ+R9ZGbh98aMidb0moL1ZDhmir9KbedezNyki6JJ72mVclhLqUajFxr
+T39FXd5e2+QBMHPPhVFznQoHWnHEbZigTt61b0cg/TsxaxOkF4Ilmr/2DmSWysWK
+TF5eq8hp6/53qVbXXSzrCjxd3wzGnRabsEVPX/L2hYDx81hluovJQCtskqTq1joI
+W2R7AO5Sdyc6NfOR85kl0HXzHa+0Slsf8ZDs5nCz/mOOPoAGl7IxF7xQ6kPO7V+U
+HdGE2tkblM/TrAObJH0HXySeJGI7Vfya+D1Y8IqGtyZtWyx1DmlA/OezGGf5D3rG
+88LywHQQ2mQ+8aosBTE4+HQ+apLKZBprqQKuiDjT1RSUbfUHQkYuL+D1oIVmklAc
+UxTpf01QJnZkMqf5NQ==
+-----END CERTIFICATE-----

hosts/bekkalokk/services/idp-simplesamlphp/metadata.php.nix

@@ -0,0 +1,22 @@
+''
+  <?php
+  $metadata['https://idp.pvv.ntnu.no/'] = [
+      'metadata-set' => 'saml20-idp-hosted',
+      'entityid' => 'https://idp.pvv.ntnu.no/',
+      'SingleSignOnService' => [
+          [
+              'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
+              'Location' => 'https://idp.pvv.ntnu.no/module.php/saml/idp/singleSignOnService',
+          ],
+      ],
+      'SingleLogoutService' => [
+          [
+              'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
+              'Location' => 'https://idp.pvv.ntnu.no/module.php/saml/idp/singleLogout',
+          ],
+      ],
+      'NameIDFormat' => [ 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient' ],
+      'certificate' => '${./idp.crt}',
+  ];
+  ?>
+''

hosts/bekkalokk/services/kerberos/default.nix

@@ -0,0 +1,27 @@
+{ config, pkgs, lib, ... }:
+{
+  #######################
+  # TODO: remove these once nixos 24.05 gets released
+  #######################
+  imports = [
+    ./krb5.nix
+    ./pam.nix
+  ];
+  disabledModules = [
+    "config/krb5/default.nix"
+    "security/pam.nix"
+  ];
+  #######################
+
+  security.krb5 = {
+    enable = true;
+    settings = {
+      libdefaults = {
+        default_realm = "PVV.NTNU.NO";
+        dns_lookup_realm = "yes";
+        dns_lookup_kdc = "yes";
+      };
+      realms."PVV.NTNU.NO".admin_server = "kdc.pvv.ntnu.no";
+    };
+  };
+}

hosts/bekkalokk/services/kerberos/krb5-conf-format.nix

@@ -0,0 +1,88 @@
+{ pkgs, lib, ... }:
+
+# Based on
+# - https://web.mit.edu/kerberos/krb5-1.12/doc/admin/conf_files/krb5_conf.html
+# - https://manpages.debian.org/unstable/heimdal-docs/krb5.conf.5heimdal.en.html
+
+let
+  inherit (lib) boolToString concatMapStringsSep concatStringsSep filter
+    isAttrs isBool isList mapAttrsToList mdDoc mkOption singleton splitString;
+  inherit (lib.types) attrsOf bool coercedTo either int listOf oneOf path
+    str submodule;
+in
+{ }: {
+  type = let
+    section = attrsOf relation;
+    relation = either (attrsOf value) value;
+    value = either (listOf atom) atom;
+    atom = oneOf [int str bool];
+  in submodule {
+    freeformType = attrsOf section;
+    options = {
+      include = mkOption {
+        default = [ ];
+        description = mdDoc ''
+          Files to include in the Kerberos configuration.
+        '';
+        type = coercedTo path singleton (listOf path);
+      };
+      includedir = mkOption {
+        default = [ ];
+        description = mdDoc ''
+          Directories containing files to include in the Kerberos configuration.
+        '';
+        type = coercedTo path singleton (listOf path);
+      };
+      module = mkOption {
+        default = [ ];
+        description = mdDoc ''
+          Modules to obtain Kerberos configuration from.
+        '';
+        type = coercedTo path singleton (listOf path);
+      };
+    };
+  };
+
+  generate = let
+    indent = str: concatMapStringsSep "\n" (line: "  " + line) (splitString "\n" str);
+
+    formatToplevel = args @ {
+      include ? [ ],
+      includedir ? [ ],
+      module ? [ ],
+      ...
+    }: let
+      sections = removeAttrs args [ "include" "includedir" "module" ];
+    in concatStringsSep "\n" (filter (x: x != "") [
+      (concatStringsSep "\n" (mapAttrsToList formatSection sections))
+      (concatMapStringsSep "\n" (m: "module ${m}") module)
+      (concatMapStringsSep "\n" (i: "include ${i}") include)
+      (concatMapStringsSep "\n" (i: "includedir ${i}") includedir)
+    ]);
+
+    formatSection = name: section: ''
+      [${name}]
+      ${indent (concatStringsSep "\n" (mapAttrsToList formatRelation section))}
+    '';
+
+    formatRelation = name: relation:
+      if isAttrs relation
+      then ''
+        ${name} = {
+        ${indent (concatStringsSep "\n" (mapAttrsToList formatValue relation))}
+        }''
+      else formatValue name relation;
+
+    formatValue = name: value:
+      if isList value
+      then concatMapStringsSep "\n" (formatAtom name) value
+      else formatAtom name value;
+
+    formatAtom = name: atom: let
+      v = if isBool atom then boolToString atom else toString atom;
+    in "${name} = ${v}";
+  in
+    name: value: pkgs.writeText name ''
+      ${formatToplevel value}
+    '';
+}

hosts/bekkalokk/services/kerberos/krb5.nix

@@ -0,0 +1,90 @@
+{ config, lib, pkgs, ... }:
+let
+  inherit (lib) mdDoc mkIf mkOption mkPackageOption mkRemovedOptionModule;
+  inherit (lib.types) bool;
+
+  mkRemovedOptionModule' = name: reason: mkRemovedOptionModule ["krb5" name] reason;
+  mkRemovedOptionModuleCfg = name: mkRemovedOptionModule' name ''
+    The option `krb5.${name}' has been removed. Use
+    `security.krb5.settings.${name}' for structured configuration.
+  '';
+
+  cfg = config.security.krb5;
+  format = import ./krb5-conf-format.nix { inherit pkgs lib; } { };
+in {
+  imports = [
+    (mkRemovedOptionModuleCfg "libdefaults")
+    (mkRemovedOptionModuleCfg "realms")
+    (mkRemovedOptionModuleCfg "domain_realm")
+    (mkRemovedOptionModuleCfg "capaths")
+    (mkRemovedOptionModuleCfg "appdefaults")
+    (mkRemovedOptionModuleCfg "plugins")
+    (mkRemovedOptionModuleCfg "config")
+    (mkRemovedOptionModuleCfg "extraConfig")
+    (mkRemovedOptionModule' "kerberos" ''
+      The option `krb5.kerberos' has been moved to `security.krb5.package'.
+    '')
+  ];
+
+  options = {
+    security.krb5 = {
+      enable = mkOption {
+        default = false;
+        description = mdDoc "Enable and configure Kerberos utilities";
+        type = bool;
+      };
+
+      package = mkPackageOption pkgs "krb5" {
+        example = "heimdal";
+      };
+
+      settings = mkOption {
+        default = { };
+        type = format.type;
+        description = mdDoc ''
+          Structured contents of the {file}`krb5.conf` file. See
+          {manpage}`krb5.conf(5)` for details about configuration.
+        '';
+        example = {
+          include = [ "/run/secrets/secret-krb5.conf" ];
+          includedir = [ "/run/secrets/secret-krb5.conf.d" ];
+
+          libdefaults = {
+            default_realm = "ATHENA.MIT.EDU";
+          };
+
+          realms = {
+            "ATHENA.MIT.EDU" = {
+              admin_server = "athena.mit.edu";
+              kdc = [
+                "athena01.mit.edu"
+                "athena02.mit.edu"
+              ];
+            };
+          };
+
+          domain_realm = {
+            "mit.edu" = "ATHENA.MIT.EDU";
+          };
+
+          logging = {
+            kdc = "SYSLOG:NOTICE";
+            admin_server = "SYSLOG:NOTICE";
+            default = "SYSLOG:NOTICE";
+          };
+        };
+      };
+    };
+  };
+
+  config = mkIf cfg.enable {
+    environment = {
+      systemPackages = [ cfg.package ];
+      etc."krb5.conf".source = format.generate "krb5.conf" cfg.settings;
+    };
+  };
+
+  meta.maintainers = builtins.attrValues {
+    inherit (lib.maintainers) dblsaiko h7x4;
+  };
+}

hosts/bekkalokk/services/mediawiki.nix

@@ -1,175 +0,0 @@
-{ pkgs, lib, config, values, ... }: let
-  cfg = config.services.mediawiki;
-
-  # "mediawiki"
-  user = config.systemd.services.mediawiki-init.serviceConfig.User;
-
-  # "mediawiki"
-  group = config.users.users.${user}.group;
-in {
-  sops.secrets = {
-    "mediawiki/password" = {
-      restartUnits = [ "mediawiki-init.service" "phpfpm-mediawiki.service" ];
-      owner = user;
-      group = group;
-    };
-    "keys/postgres/mediawiki" = {
-      restartUnits = [ "mediawiki-init.service" "phpfpm-mediawiki.service" ];
-      owner = user;
-      group = group;
-    };
-  };
-
-  services.mediawiki = {
-    enable = true;
-    name = "Programvareverkstedet";
-    passwordFile = config.sops.secrets."mediawiki/password".path;
-    passwordSender = "drift@pvv.ntnu.no";
-
-    database = {
-      type = "postgres";
-      host = "postgres.pvv.ntnu.no";
-      port = config.services.postgresql.port;
-      passwordFile = config.sops.secrets."keys/postgres/mediawiki".path;
-      createLocally = false;
-      # TODO: create a normal database and copy over old data when the service is production ready
-      name = "mediawiki_test";
-    };
-
-    # Host through nginx
-    webserver = "none";
-    poolConfig = let
-      listenUser = config.services.nginx.user;
-      listenGroup = config.services.nginx.group;
-    in {
-      inherit user group;
-      "pm" = "dynamic";
-      "pm.max_children" = 32;
-      "pm.max_requests" = 500;
-      "pm.start_servers" = 2;
-      "pm.min_spare_servers" = 2;
-      "pm.max_spare_servers" = 4;
-      "listen.owner" = listenUser;
-      "listen.group" = listenGroup;
-      "php_admin_value[error_log]" = "stderr";
-      "php_admin_flag[log_errors]" = "on";
-      "env[PATH]" = lib.makeBinPath [ pkgs.php ];
-      "catch_workers_output" = true;
-      # to accept *.html file
-      "security.limit_extensions" = "";
-    };
-
-    extensions = {
-      DeleteBatch = pkgs.fetchzip {
-        url = "https://extdist.wmflabs.org/dist/extensions/DeleteBatch-REL1_39-995ea6f.tar.gz";
-	sha256 = "sha256-0F4GLCy2f5WcWIY2YgF1tVxgYbglR0VOsj/pMrW93b8=";
-      };
-      UserMerge = pkgs.fetchzip {
-        url = "https://extdist.wmflabs.org/dist/extensions/UserMerge-REL1_39-b10d50e.tar.gz";
-	sha256 = "sha256-bXhj1+OlOUJDbvEuc8iwqb1LLEu6cN6+C/7cAvnWPOQ=";
-      };
-      PluggableAuth = pkgs.fetchzip {
-        url = "https://extdist.wmflabs.org/dist/extensions/PluggableAuth-REL1_39-1210fc3.tar.gz";
-	sha256 = "sha256-F6bTMCzkK3kZwZGIsNE87WlZWqXXmTMhEjApO99YKR0=";
-      };
-      SimpleSAMLphp = pkgs.fetchzip {
-        url = "https://extdist.wmflabs.org/dist/extensions/SimpleSAMLphp-REL1_39-dcf0acb.tar.gz";
-        sha256 = "sha256-tCvFmb2+q2rxms+lRo5pgoI3h6GjCwXAR8XisPg03TQ=";
-      };
-    };
-
-    extraConfig = let
-
-      SimpleSAMLphpRepo = pkgs.stdenvNoCC.mkDerivation rec {
-        pname = "configuredSimpleSAML";
-	version = "2.0.4";
-        src = pkgs.fetchzip {
-          url = "https://github.com/simplesamlphp/simplesamlphp/releases/download/v${version}/simplesamlphp-${version}.tar.gz";
-          sha256 = "sha256-pfMV/VmqqxgtG7Nx4s8MW4tWSaxOkVPtCRJwxV6RDSE=";
-        };
-
-	buildPhase = ''
-          cat > config/authsources.php << EOF
-          <?php
-          $config = array(
-            'default-sp' => array(
-              'saml:SP',
-              'idp' => 'https://idp.pvv.ntnu.no/',
-            ),
-          );
-	  EOF
-	'';
-
-	installPhase = ''
-	  cp -r . $out
-	'';
-      };
-
-    in ''
-      $wgServer = "https://bekkalokk.pvv.ntnu.no";
-      $wgLocaltimezone = "Europe/Oslo";
-
-      # Only allow login through SSO
-      $wgEnableEmail = false;
-      $wgEnableUserEmail = false;
-      $wgEmailAuthentication = false;
-      $wgGroupPermissions['*']['createaccount'] = false;
-      $wgGroupPermissions['*']['autocreateaccount'] = true;
-      $wgPluggableAuth_EnableAutoLogin = true;
-
-      # Disable anonymous editing
-      $wgGroupPermissions['*']['edit'] = false;
-
-      # Styling
-      $wgLogo = "/PNG/PVV-logo.png";
-      $wgDefaultSkin = "monobook";
-
-      # Misc
-      $wgEmergencyContact = "${cfg.passwordSender}";
-      $wgShowIPinHeader = false;
-      $wgUseTeX = false;
-      $wgLocalInterwiki = $wgSitename;
-
-      # SimpleSAML
-      $wgSimpleSAMLphp_InstallDir = "${SimpleSAMLphpRepo}";
-      $wgSimpleSAMLphp_AuthSourceId = "default-sp";
-      $wgSimpleSAMLphp_RealNameAttribute = "cn";
-      $wgSimpleSAMLphp_EmailAttribute = "mail";
-      $wgSimpleSAMLphp_UsernameAttribute = "uid";
-
-      # Fix https://github.com/NixOS/nixpkgs/issues/183097
-      $wgDBserver = "${toString cfg.database.host}";
-    '';
-  };
-
-  # Override because of https://github.com/NixOS/nixpkgs/issues/183097
-  systemd.services.mediawiki-init.script = let
-    # According to module
-    stateDir = "/var/lib/mediawiki";
-    pkg = cfg.finalPackage;
-    mediawikiConfig = config.services.phpfpm.pools.mediawiki.phpEnv.MEDIAWIKI_CONFIG;
-    inherit (lib) optionalString mkForce;
-  in mkForce ''
-    if ! test -e "${stateDir}/secret.key"; then
-      tr -dc A-Za-z0-9 </dev/urandom 2>/dev/null | head -c 64 > ${stateDir}/secret.key
-    fi
-
-    echo "exit( wfGetDB( DB_MASTER )->tableExists( 'user' ) ? 1 : 0 );" | \
-    ${pkgs.php}/bin/php ${pkg}/share/mediawiki/maintenance/eval.php --conf ${mediawikiConfig} && \
-    ${pkgs.php}/bin/php ${pkg}/share/mediawiki/maintenance/install.php \
-      --confpath /tmp \
-      --scriptpath / \
-      --dbserver "${cfg.database.host}" \
-      --dbport ${toString cfg.database.port} \
-      --dbname ${cfg.database.name} \
-      ${optionalString (cfg.database.tablePrefix != null) "--dbprefix ${cfg.database.tablePrefix}"} \
-      --dbuser ${cfg.database.user} \
-      ${optionalString (cfg.database.passwordFile != null) "--dbpassfile ${cfg.database.passwordFile}"} \
-      --passfile ${cfg.passwordFile} \
-      --dbtype ${cfg.database.type} \
-      ${cfg.name} \
-      admin
-
-    ${pkgs.php}/bin/php ${pkg}/share/mediawiki/maintenance/update.php --conf ${mediawikiConfig} --quick
-  '';
-}

hosts/bekkalokk/services/mediawiki/default.nix

@@ -0,0 +1,200 @@
+{ pkgs, lib, config, values, pkgs-unstable, ... }: let
+  cfg = config.services.mediawiki;
+
+  # "mediawiki"
+  user = config.systemd.services.mediawiki-init.serviceConfig.User;
+
+  # "mediawiki"
+  group = config.users.users.${user}.group;
+
+  simplesamlphp = pkgs.simplesamlphp.override {
+    extra_files = {
+      "metadata/saml20-idp-remote.php" = pkgs.writeText "mediawiki-saml20-idp-remote.php" (import ../idp-simplesamlphp/metadata.php.nix);
+
+      "config/authsources.php" = ./simplesaml-authsources.php;
+
+      "config/config.php" = pkgs.runCommandLocal "mediawiki-simplesamlphp-config.php" { } ''
+        cp ${./simplesaml-config.php} "$out"
+
+        substituteInPlace "$out" \
+          --replace '$SAML_COOKIE_SECURE' 'true' \
+          --replace '$SAML_COOKIE_SALT' 'file_get_contents("${config.sops.secrets."mediawiki/simplesamlphp/cookie_salt".path}")' \
+          --replace '$SAML_ADMIN_NAME' '"Drift"' \
+          --replace '$SAML_ADMIN_EMAIL' '"drift@pvv.ntnu.no"' \
+          --replace '$SAML_ADMIN_PASSWORD' 'file_get_contents("${config.sops.secrets."mediawiki/simplesamlphp/admin_password".path}")' \
+          --replace '$SAML_TRUSTED_DOMAINS' 'array( "wiki.pvv.ntnu.no" )' \
+          --replace '$SAML_DATABASE_DSN' '"pgsql:host=postgres.pvv.ntnu.no;port=5432;dbname=mediawiki_simplesamlphp"' \
+          --replace '$SAML_DATABASE_USERNAME' '"mediawiki_simplesamlphp"' \
+          --replace '$SAML_DATABASE_PASSWORD' 'file_get_contents("${config.sops.secrets."mediawiki/simplesamlphp/postgres_password".path}")' \
+          --replace '$CACHE_DIRECTORY' '/var/cache/mediawiki/idp'
+      '';
+    };
+  };
+in {
+  services.idp.sp-remote-metadata = [ "https://wiki.pvv.ntnu.no/simplesaml/" ];
+
+  sops.secrets = lib.pipe [
+    "mediawiki/password"
+    "mediawiki/postgres_password"
+    "mediawiki/simplesamlphp/postgres_password"
+    "mediawiki/simplesamlphp/cookie_salt"
+    "mediawiki/simplesamlphp/admin_password"
+  ] [
+    (map (key: lib.nameValuePair key {
+      owner = user;
+      group = group;
+      restartUnits = [ "phpfpm-mediawiki.service" ];
+    }))
+    lib.listToAttrs
+  ];
+
+  services.mediawiki = {
+    enable = true;
+    name = "Programvareverkstedet";
+    passwordFile = config.sops.secrets."mediawiki/password".path;
+    passwordSender = "drift@pvv.ntnu.no";
+
+    database = {
+      type = "mysql";
+      host = "mysql.pvv.ntnu.no";
+      port = 3306;
+      user = "mediawiki";
+      passwordFile = config.sops.secrets."mediawiki/postgres_password".path;
+      createLocally = false;
+      # TODO: create a normal database and copy over old data when the service is production ready
+      name = "mediawiki";
+    };
+
+    webserver = "nginx";
+    nginx.hostName = "wiki.pvv.ntnu.no";
+
+    poolConfig = {
+      inherit user group;
+      "pm" = "dynamic";
+      "pm.max_children" = 32;
+      "pm.max_requests" = 500;
+      "pm.start_servers" = 2;
+      "pm.min_spare_servers" = 2;
+      "pm.max_spare_servers" = 4;
+
+      "catch_workers_output" = true;
+      "php_admin_flag[log_errors]" = true;
+      # "php_admin_value[error_log]" = "stderr";
+
+      # to accept *.html file
+      "security.limit_extensions" = "";
+    };
+
+    extensions = {
+      inherit (pkgs.mediawiki-extensions) DeleteBatch UserMerge PluggableAuth SimpleSAMLphp VisualEditor;
+    };
+
+    extraConfig = ''
+      $wgServer = "https://wiki.pvv.ntnu.no";
+      $wgLocaltimezone = "Europe/Oslo";
+
+      # Only allow login through SSO
+      $wgEnableEmail = false;
+      $wgEnableUserEmail = false;
+      $wgEmailAuthentication = false;
+      $wgGroupPermissions['*']['createaccount'] = false;
+      $wgGroupPermissions['*']['autocreateaccount'] = true;
+      $wgPluggableAuth_EnableAutoLogin = false;
+
+      # Misc. permissions
+      $wgGroupPermissions['*']['edit'] = false;
+      $wgGroupPermissions['*']['read'] = true;
+
+      # Allow subdirectories in article URLs
+      $wgNamespacesWithSubpages[NS_MAIN] = true;
+
+      # Styling
+      $wgLogos = array(
+        "2x" => "/PNG/PVV-logo.png",
+        "icon" => "/PNG/PVV-logo.svg",
+      );
+      $wgDefaultSkin = "vector-2022";
+      # from https://github.com/wikimedia/mediawiki-skins-Vector/blob/master/skin.json
+      $wgVectorDefaultSidebarVisibleForAnonymousUser = true;
+      $wgVectorResponsive = true;
+
+      # Misc
+      $wgEmergencyContact = "${cfg.passwordSender}";
+      $wgShowIPinHeader = false;
+      $wgUseTeX = false;
+      $wgLocalInterwiki = $wgSitename;
+
+      # SimpleSAML
+      $wgSimpleSAMLphp_InstallDir = "${simplesamlphp}/share/php/simplesamlphp/";
+      $wgPluggableAuth_Config['Log in using my SAML'] = [
+        'plugin' => 'SimpleSAMLphp',
+        'data' => [
+          'authSourceId' => 'default-sp',
+          'usernameAttribute' => 'uid',
+          'emailAttribute' => 'mail',
+          'realNameAttribute' => 'cn',
+        ]
+      ];
+
+      # Fix https://github.com/NixOS/nixpkgs/issues/183097
+      $wgDBserver = "${toString cfg.database.host}";
+    '';
+  };
+
+  # Cache directory for simplesamlphp
+  # systemd.services.phpfpm-mediawiki.serviceConfig.CacheDirectory = "mediawiki/simplesamlphp";
+  systemd.tmpfiles.settings."10-mediawiki"."/var/cache/mediawiki/simplesamlphp".d = {
+    user = "mediawiki";
+    group = "mediawiki";
+    mode = "0770";
+  };
+
+  users.groups.mediawiki.members = [ "nginx" ];
+
+  services.nginx.virtualHosts."wiki.pvv.ntnu.no" = {
+    kTLS = true;
+    forceSSL = true;
+    enableACME = true;
+    locations =  {
+      "= /wiki/Main_Page" = lib.mkForce {
+        return = "301 /wiki/Programvareverkstedet";
+      };
+
+      # based on https://simplesamlphp.org/docs/stable/simplesamlphp-install.html#configuring-nginx
+      "^~ /simplesaml/" = {
+        alias = "${simplesamlphp}/share/php/simplesamlphp/public/";
+        index = "index.php";
+
+        extraConfig = ''
+          location ~ ^/simplesaml/(?<phpfile>.+?\.php)(?<pathinfo>/.*)?$ {
+            include ${pkgs.nginx}/conf/fastcgi_params;
+            fastcgi_pass unix:${config.services.phpfpm.pools.mediawiki.socket}; 
+            fastcgi_param SCRIPT_FILENAME ${simplesamlphp}/share/php/simplesamlphp/public/$phpfile;
+
+            # Must be prepended with the baseurlpath
+            fastcgi_param SCRIPT_NAME /simplesaml/$phpfile;
+
+            fastcgi_param PATH_INFO $pathinfo if_not_empty;
+          }
+        '';
+      };
+
+      "= /PNG/PVV-logo.svg".alias = ../../../../assets/logo_blue_regular.svg;
+      "= /PNG/PVV-logo.png".alias = ../../../../assets/logo_blue_regular.png;
+      "= /favicon.ico".alias = pkgs.runCommandLocal "mediawiki-favicon.ico" {
+        buildInputs = with pkgs; [ imagemagick ];
+      } ''
+        convert \
+          -resize x64 \
+          -gravity center \
+          -crop 64x64+0+0 \
+          ${../../../../assets/logo_blue_regular.png} \
+          -flatten \
+          -colors 256 \
+          -background transparent \
+          $out
+      '';
+    };
+
+  };
+}

hosts/bekkalokk/services/mediawiki/simplesaml-authsources.php

@@ -0,0 +1,11 @@
+<?php
+$config = array(
+    'admin' => array(
+      'core:AdminPassword'
+    ),
+    'default-sp' => array(
+        'saml:SP',
+        'entityID' => 'https://wiki.pvv.ntnu.no/simplesaml/',
+        'idp' => 'https://idp.pvv.ntnu.no/',
+    ),
+);

hosts/bekkalokk/services/nginx.nix

@@ -0,0 +1,4 @@
+{ pkgs, config, ... }:
+{
+  services.nginx.enable = true;
+}

hosts/bekkalokk/services/nginx/default.nix

@@ -1,22 +0,0 @@
-{ pkgs, config, ... }:
-{
-  imports = [
-    ./ingress.nix
-  ];
-
-  security.acme = {
-    acceptTerms = true;
-    defaults.email = "drift@pvv.ntnu.no";
-  };
-
-  services.nginx = {
-    enable = true;
-
-    recommendedTlsSettings = true;
-    recommendedProxySettings = true;
-    recommendedOptimisation = true;
-    recommendedGzipSettings = true;
-  };
-
-  networking.firewall.allowedTCPPorts = [ 80 443 ];
-}

hosts/bekkalokk/services/nginx/ingress.nix

@@ -1,55 +0,0 @@
-{ config, lib, ... }:
-{
-  services.nginx.virtualHosts = {
-    "www2.pvv.ntnu.no" = {
-      serverAliases = [ "www2.pvv.org" "pvv.ntnu.no" "pvv.org" ];
-      addSSL = true;
-      enableACME = true;
-
-      locations = {
-        # Proxy home directories
-        "/~" = {
-          extraConfig = ''
-            proxy_redirect off;
-            proxy_pass https://tom.pvv.ntnu.no;
-            proxy_set_header Host $host;
-            proxy_set_header X-Real-IP $remote_addr;
-            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-            proxy_set_header X-Forwarded-Proto $scheme;
-          '';
-        };
-
-        # Redirect old wiki entries
-        "/disk".return = "301 https://www.pvv.ntnu.no/pvv/Diskkjøp";
-        "/dok/boker.php".return = "301 https://www.pvv.ntnu.no/pvv/Bokhyllen";
-        "/styret/lover/".return = "301 https://www.pvv.ntnu.no/pvv/Lover";
-        "/styret/".return = "301 https://www.pvv.ntnu.no/pvv/Styret";
-        "/info/".return = "301 https://www.pvv.ntnu.no/pvv/";
-        "/info/maskinpark/".return = "301 https://www.pvv.ntnu.no/pvv/Maskiner";
-        "/medlemssider/meldinn.php".return = "301 https://www.pvv.ntnu.no/pvv/Medlemskontingent";
-        "/diverse/medlems-sider.php".return = "301 https://www.pvv.ntnu.no/pvv/Medlemssider";
-        "/cert/".return = "301 https://www.pvv.ntnu.no/pvv/CERT";
-        "/drift".return = "301 https://www.pvv.ntnu.no/pvv/Drift";
-        "/diverse/abuse.php".return = "301 https://www.pvv.ntnu.no/pvv/CERT/Abuse";
-        "/nerds/".return = "301 https://www.pvv.ntnu.no/pvv/Nerdepizza";
-
-        # TODO: Redirect webmail
-        "/webmail".return = "301 https://webmail.pvv.ntnu.no/squirrelmail";
-
-        # Redirect everything else to the main website
-        "/".return = "301 https://www.pvv.ntnu.no$request_uri";
-
-        # Proxy the matrix well-known files
-        # Host has be set before proxy_pass
-        # The header must be set so nginx on the other side routes it to the right place
-        "/.well-known/matrix/" = {
-          extraConfig = ''
-            proxy_set_header Host matrix.pvv.ntnu.no;
-            proxy_pass https://matrix.pvv.ntnu.no/.well-known/matrix/;
-          '';
-        };
-      };
-    };
-  };
-}
-

hosts/bekkalokk/services/webmail/default.nix

@@ -4,12 +4,15 @@
     ./roundcube.nix
   ];
 
-  services.nginx.virtualHosts."webmail2.pvv.ntnu.no" = {
+  services.nginx.virtualHosts."webmail.pvv.ntnu.no" = {
     forceSSL = true;
     enableACME = true;
-    #locations."/" = lib.mkForce { };
-    locations."= /" = {
-      return = "301 https://www.pvv.ntnu.no/mail/";
+    kTLS = true;
+    locations = {
+      "= /".return = "302 https://webmail.pvv.ntnu.no/roundcube";
+      "/afterlogic_lite".return = "302 https://webmail.pvv.ntnu.no/roundcube";
+      "/squirrelmail".return = "302 https://webmail.pvv.ntnu.no/roundcube";
+      "/rainloop".return = "302 https://webmail.pvv.ntnu.no/roundcube";
     };
   };
 }

hosts/bekkalokk/services/webmail/roundcube.nix

@@ -3,7 +3,7 @@
 with lib;
 let
   cfg = config.services.roundcube;
-  domain = "webmail2.pvv.ntnu.no";
+  domain = "webmail.pvv.ntnu.no";
 in 
 {
   services.roundcube = {
@@ -35,6 +35,7 @@ in
   services.nginx.virtualHosts."roundcubeplaceholder.example.com" = lib.mkForce { };
 
   services.nginx.virtualHosts.${domain} = {
+    kTLS = true;
     locations."/roundcube" = {
       tryFiles = "$uri $uri/ =404";
       index = "index.php";

hosts/bekkalokk/services/website.nix

@@ -1,4 +0,0 @@
-{ ... }:
-{
-
-}

hosts/bekkalokk/services/website/default.nix

@@ -0,0 +1,126 @@
+{ pkgs, lib, config, ... }:
+let
+  format = pkgs.formats.php { };
+  cfg = config.services.pvv-nettsiden;
+in {
+  imports = [
+    ./fetch-gallery.nix
+  ];
+
+  sops.secrets = lib.genAttrs [
+    "nettsiden/door_secret"
+    "nettsiden/mysql_password"
+    "nettsiden/simplesamlphp/admin_password"
+    "nettsiden/simplesamlphp/cookie_salt"
+  ] (_: {
+    owner = config.services.phpfpm.pools.pvv-nettsiden.user;
+    group = config.services.phpfpm.pools.pvv-nettsiden.group;
+    restartUnits = [ "phpfpm-pvv-nettsiden.service" ];
+  });
+
+  services.idp.sp-remote-metadata = [ "https://${cfg.domainName}/simplesaml/" ];
+
+  services.pvv-nettsiden = {
+    enable = true;
+
+    package = pkgs.pvv-nettsiden.override {
+      extra_files = {
+        "${pkgs.pvv-nettsiden.passthru.simplesamlphpPath}/metadata/saml20-idp-remote.php" = pkgs.writeText "pvv-nettsiden-saml20-idp-remote.php" (import ../idp-simplesamlphp/metadata.php.nix);
+        "${pkgs.pvv-nettsiden.passthru.simplesamlphpPath}/config/authsources.php" = pkgs.writeText "pvv-nettsiden-authsources.php" ''
+          <?php
+          $config = array(
+              'admin' => array(
+                'core:AdminPassword'
+              ),
+              'default-sp' => array(
+                  'saml:SP',
+                  'entityID' => 'https://${cfg.domainName}/simplesaml/',
+                  'idp' => 'https://idp.pvv.ntnu.no/',
+              ),
+          );
+	'';
+      };
+    };
+
+    domainName = "www.pvv.ntnu.no";
+
+    settings = let
+      includeFromSops = path: format.lib.mkRaw "file_get_contents('${config.sops.secrets."nettsiden/${path}".path}')";
+    in {
+      DOOR_SECRET = includeFromSops "door_secret";
+
+      DB = {
+        DSN = "mysql:dbname=www-data_nettside;host=mysql.pvv.ntnu.no";
+        USER = "www-data_nettsi";
+        PASS = includeFromSops "mysql_password";
+      };
+
+      # TODO: set up postgres session for simplesamlphp
+      SAML = {
+        COOKIE_SALT = includeFromSops "simplesamlphp/cookie_salt";
+        COOKIE_SECURE = true;
+        ADMIN_NAME = "PVV Drift";
+        ADMIN_EMAIL = "drift@pvv.ntnu.no";
+        ADMIN_PASSWORD = includeFromSops "simplesamlphp/admin_password";
+        TRUSTED_DOMAINS = [ cfg.domainName ];
+      };
+    };
+  };
+
+  services.phpfpm.pools."pvv-nettsiden".settings = {
+    # "php_admin_value[error_log]" = "stderr";
+    "php_admin_flag[log_errors]" = true;
+    "catch_workers_output" = true;
+  };
+
+  services.nginx.virtualHosts.${cfg.domainName} = {
+    serverAliases = [
+      "pvv.ntnu.no"
+      "www.pvv.org"
+      "pvv.org"
+    ];
+
+    locations = {
+      # Proxy home directories
+      "^~ /~" = {
+        extraConfig = ''
+          proxy_redirect off;
+          proxy_pass https://tom.pvv.ntnu.no;
+          proxy_set_header Host $host;
+          proxy_set_header X-Real-IP $remote_addr;
+          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+          proxy_set_header X-Forwarded-Proto $scheme;
+        '';
+      };
+
+      # Redirect the old webmail/wiki paths from spikkjeposche
+      "^~ /webmail".return = "301 https://webmail.pvv.ntnu.no";
+      "~ /pvv/([^\\n\\r]*)".return = "301 https://wiki.pvv.ntnu.no/wiki/$1";
+      "= /pvv".return = "301 https://wiki.pvv.ntnu.no/";
+
+      # Redirect old wiki entries
+      "/disk".return = "301 https://wiki.pvv.ntnu.no/wiki/Diskkjøp";
+      "/dok/boker.php".return = "301 https://wiki.pvv.ntnu.no/wiki/Bokhyllen";
+      "/styret/lover/".return = "301 https://wiki.pvv.ntnu.no/wiki/Lover";
+      "/styret/".return = "301 https://wiki.pvv.ntnu.no/wiki/Styret";
+      "/info/".return = "301 https://wiki.pvv.ntnu.no/wiki/";
+      "/info/maskinpark/".return = "301 https://wiki.pvv.ntnu.no/wiki/Maskiner";
+      "/medlemssider/meldinn.php".return = "301 https://wiki.pvv.ntnu.no/wiki/Medlemskontingent";
+      "/diverse/medlems-sider.php".return = "301 https://wiki.pvv.ntnu.no/wiki/Medlemssider";
+      "/cert/".return = "301 https://wiki.pvv.ntnu.no/wiki/CERT";
+      "/drift".return = "301 https://wiki.pvv.ntnu.no/wiki/Drift";
+      "/diverse/abuse.php".return = "301 https://wiki.pvv.ntnu.no/wiki/CERT/Abuse";
+      "/nerds/".return = "301 https://wiki.pvv.ntnu.no/wiki/Nerdepizza";
+
+      # Proxy the matrix well-known files
+      # Host has be set before proxy_pass
+      # The header must be set so nginx on the other side routes it to the right place
+      "^~ /.well-known/matrix/" = {
+        extraConfig = ''
+          proxy_set_header Host matrix.pvv.ntnu.no;
+          proxy_pass https://matrix.pvv.ntnu.no/.well-known/matrix/;
+        '';
+      };
+    };
+  };
+}

hosts/bekkalokk/services/website/fetch-gallery.nix

@@ -0,0 +1,61 @@
+{ pkgs, lib, config, ... }:
+let
+  galleryDir = config.services.pvv-nettsiden.settings.GALLERY.DIR;
+  transferDir = "${config.services.pvv-nettsiden.settings.GALLERY.DIR}-transfer";
+in {
+  users.users.${config.services.pvv-nettsiden.user} = {
+    useDefaultShell = true;
+
+    # This is pushed from microbel:/var/www/www-gallery/build-gallery.sh
+    openssh.authorizedKeys.keys = [
+    ''command="${pkgs.rrsync}/bin/rrsync -wo ${transferDir}",restrict,no-agent-forwarding,no-port-forwarding,no-pty,no-X11-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIjHhC2dikhWs/gG+m7qP1eSohWzTehn4ToNzDSOImyR gallery-publish''
+    ];
+  };
+
+  systemd.paths.pvv-nettsiden-gallery-update = {
+    wantedBy = [ "multi-user.target" ];
+    pathConfig = {
+      PathChanged = "${transferDir}/gallery.tar.gz";
+      Unit = "pvv-nettsiden-gallery-update.service";
+      MakeDirectory = true;
+    };
+  };
+
+  systemd.services.pvv-nettsiden-gallery-update = {
+    path = with pkgs; [ imagemagick gnutar gzip ];
+
+    script = ''
+      tar ${lib.cli.toGNUCommandLineShell {} {
+        extract = true;
+        file = "${transferDir}/gallery.tar.gz";
+        directory = ".";
+      }}
+
+      # Delete files and directories that exists in the gallery that don't exist in the tarball
+      filesToRemove=$(uniq -u <(sort <(find . -not -path "./.thumbnails*") <(tar -tf ${transferDir}/gallery.tar.gz | sed 's|/$||')))
+      while IFS= read fname; do
+        rm -f $fname ||:
+        rm -f .thumbnails/$fname.png ||:
+      done <<< "$filesToRemove"
+
+      find . -type d -empty -delete
+
+      mkdir -p .thumbnails
+      images=$(find . -type f -not -path "./.thumbnails*")
+
+      while IFS= read fname; do
+        [ -f ".thumbnails/$fname.png" ] && continue ||:
+
+        echo "Creating thumbnail for $fname"
+        mkdir -p $(dirname ".thumbnails/$fname")
+        convert -define jpeg:size=200x200 "$fname" -thumbnail 500 -auto-orient ".thumbnails/$fname.png" ||:
+      done <<< "$images"
+    '';
+
+    serviceConfig = {
+      WorkingDirectory = galleryDir;
+      User = config.services.pvv-nettsiden.user;
+      Group = config.services.pvv-nettsiden.group;
+    };
+  };
+}

hosts/bicep/configuration.nix

@@ -12,7 +12,8 @@
     ./services/mysql.nix
     ./services/postgres.nix
     ./services/mysql.nix
-    ./services/calendar-bot.nix
+    # TODO: fix the calendar bot
+    # ./services/calendar-bot.nix
 
     ./services/matrix
   ];

hosts/bicep/services/matrix/element.nix

@@ -5,6 +5,7 @@ in {
   services.nginx.virtualHosts."chat.pvv.ntnu.no" = {
     enableACME = true;
     forceSSL = true;
+    kTLS = true;
 
     root = pkgs.element-web.override {
       conf = {
@@ -24,21 +25,26 @@ in {
         features = {
           feature_latex_maths = true;
           feature_pinning = true;
+          feature_render_reaction_images = true;
           feature_state_counters = true;
-          feature_custom_status = false;
+          # element call group calls
+          feature_group_calls = true;
         };
         default_theme = "dark";
+        # Servers in this list should provide some sort of valuable scoping
+        # matrix.org is not useful compared to matrixrooms.info,
+        # because it has so many general members, rooms of all topics are on it.
+        # Something matrixrooms.info is already providing.
         room_directory.servers = [
           "pvv.ntnu.no"
-          "matrix.omegav.no"
-          "matrix.org"
-          "libera.chat"
-          "gitter.im"
-          "mozilla.org"
-          "kde.org"
-          "t2bot.io"
-          "fosdem.org"
-          "dodsorf.as"
+          "matrixrooms.info" # Searches all public room directories
+          "matrix.omegav.no" # Friends
+          "gitter.im" # gitter rooms
+          "mozilla.org" # mozilla and friends
+          "kde.org" # KDE rooms
+          "fosdem.org" # FOSDEM
+          "dodsorf.as" # PVV Member
+          "nani.wtf" # PVV Member
         ];
         enable_presence_by_hs_url = {
           "https://matrix.org" = false;

hosts/bicep/services/matrix/synapse.nix

@@ -217,6 +217,9 @@ in {
   services.redis.servers."".enable = true;
   
   services.nginx.virtualHosts."matrix.pvv.ntnu.no" = lib.mkMerge [
+  ({
+    kTLS = true;
+  })
   ({
     locations."/.well-known/matrix/server" = {
       return = ''

hosts/bicep/services/nginx/default.nix

@@ -1,15 +1,8 @@
 { config, values, ... }:
 {
-  security.acme = {
-    acceptTerms = true;
-    defaults.email = "danio@pvv.ntnu.no";
-  };
-
   services.nginx = {
     enable = true;
-
     enableReload = true;
-
     defaultListenAddresses = [
       values.hosts.bicep.ipv4
       "[${values.hosts.bicep.ipv6}]"
@@ -20,7 +13,6 @@
     ];
 
     appendConfig = ''
-      pcre_jit on;
       worker_processes 8;
       worker_rlimit_nofile 8192;
     '';
@@ -29,17 +21,5 @@
       multi_accept on;
       worker_connections 4096;
     '';
-
-    recommendedProxySettings = true;
-    recommendedTlsSettings = true;
-    recommendedGzipSettings = true;
-    recommendedBrotliSettings = true;
-    recommendedOptimisation = true;
-  };
-
-  networking.firewall.allowedTCPPorts = [ 80 443 ];
-
-  systemd.services.nginx.serviceConfig = {
-    LimitNOFILE = 65536;
   };
 }

hosts/bikkje/configuration.nix

@@ -0,0 +1,44 @@
+{ config, pkgs, values, ... }:
+{
+    networking.nat = {
+    enable = true;
+    internalInterfaces = ["ve-+"];
+    externalInterface = "ens3";
+    # Lazy IPv6 connectivity for the container
+    enableIPv6 = true;
+  };
+
+  containers.bikkje = {
+    autoStart = true;
+    config = { config, pkgs, ... }: {
+      #import packages
+      packages = with pkgs; [
+          alpine
+          mutt
+          mutt-ics
+          mutt-wizard
+          weechat
+          weechatScripts.edit
+          hexchat
+          irssi
+          pidgin
+      ];
+
+      networking = {
+        firewall = {
+          enable = true;
+          # Allow SSH and HTTP and ports for email and irc
+          allowedTCPPorts = [ 80 22 194 994 6665 6666 6667 6668 6669 6697 995 993 25 465 587 110 143 993 995 ];
+          allowedUDPPorts = [ 80 22 194 994 6665 6666 6667 6668 6669 6697 995 993 25 465 587 110 143 993 995 ];
+        };
+        # Use systemd-resolved inside the container
+        # Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686
+        useHostResolvConf = mkForce false;
+      };
+      
+      system.stateVersion = "23.11";
+      services.resolved.enable = true;
+    };
+  };
+
+};

hosts/buskerud/configuration.nix

@@ -1,19 +1,16 @@
 { config, pkgs, values, ... }:
 {
   imports = [
-      # Include the results of the hardware scan.
-      ./hardware-configuration.nix
-      ../../base.nix
-      ../../misc/metrics-exporters.nix
-
-      ./services/openvpn-client.nix
-    ];
+    ./hardware-configuration.nix
+    ../../base.nix
+    ../../misc/metrics-exporters.nix
+  ];
 
   # buskerud does not support efi?
   # boot.loader.systemd-boot.enable = true;
   # boot.loader.efi.canTouchEfiVariables = true;
   boot.loader.grub.enable = true;
-  boot.loader.grub.device = "/dev/sda";
+  boot.loader.grub.device = "/dev/sdb";
 
   networking.hostName = "buskerud";
   networking.search = [ "pvv.ntnu.no" "pvv.org" ];
@@ -25,20 +22,10 @@
     address = with values.hosts.buskerud; [ (ipv4 + "/25") (ipv6 + "/64") ];
   };
 
-  # Buskerud should use the default gateway received from DHCP
-  networking.interfaces.enp14s0f1.useDHCP = true;
-
-  # networking.interfaces.tun = {
-  #   virtual = true;
-  #   ipv4.adresses = [ {address="129.241.210.252"; prefixLength=25; } ];
-  # };
-
   # List packages installed in system profile
   environment.systemPackages = with pkgs; [
   ];
 
-  # List services that you want to enable:
-
   # This value determines the NixOS release from which the default
   # settings for stateful data, like file locations and database versions
   # on your system were taken. It‘s perfectly fine and recommended to leave
@@ -46,5 +33,4 @@
   # Before changing this value read the documentation for this option
   # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
   system.stateVersion = "23.05"; # Did you read the comment?
-
 }

hosts/buskerud/services/openvpn-client.nix

@@ -1,109 +0,0 @@
-{ lib, values, ... }:
-{
-  services.openvpn.servers."ov-tunnel" = {
-    config = let
-      conf = {
-        # TODO: use aliases
-        client = true;
-        dev = "tap";
-        proto = "udp";
-        #remote = "129.241.210.253 1194";
-        remote = "129.241.210.191 1194";
-
-        resolv-retry = "infinite";
-        nobind = true;
-
-        ca = "/etc/openvpn/ca.pem";
-        cert = "/etc/openvpn/crt.pem";
-        key = "/etc/openvpn/key.pem";
-        remote-cert-tls = "server";
-        cipher = "none";
-
-        user = "nobody";
-        group = "nobody";
-
-        status = "/var/log/openvpn-status.log";
-
-        persist-key = true;
-        persist-tun = true;
-
-        verb = 5;
-
-        # script-security = 2;
-        # up = "systemctl restart rwhod";
-      };
-    in lib.pipe conf [
-      (lib.filterAttrs (_: value: !(builtins.isNull value || value == false)))
-      (builtins.mapAttrs (_: value:
-        if builtins.isList value then builtins.concatStringsSep " " (map toString value)
-        else if value == true then value
-        else if builtins.any (f: f value) [
-          builtins.isString
-          builtins.isInt
-          builtins.isFloat
-          lib.isPath
-          lib.isDerivation
-        ] then toString value
-        else throw "Unknown value in buskerud openvpn config, deading now\n${value}"
-      ))
-      (lib.mapAttrsToList (name: value: if value == true then name else "${name} ${value}"))
-      (builtins.concatStringsSep "\n")
-      (x: x + "\n\n")
-    ];
-  };
-
-  systemd.network.networks."enp14s0f1" = {
-    matchConfig.Name = "enp14s0f1";
-    networkConfig = {
-      DefaultRouteOnDevice = true;
-    };
-    routes = [
-      { routeConfig = {
-          Type = "unicast";
-          Destination = values.hosts.knutsen.ipv4 + "/32";
-          Metric = 50;
-        };
-      }
-    ];
-  };
-
-  systemd.network.netdevs."br0" = {
-    netdevConfig = {
-      Kind = "bridge";
-      Name = "br0";
-    };
-  };
-
-  systemd.network.networks."br0" = {
-    matchConfig.Name = "br0";
-    routes = [
-      { routeConfig = {
-          Type = "unicast";
-          Destination = values.ipv4-space;
-          Metric = 100;
-        };
-      }
-    ];
-  };
-
-  systemd.network.networks."enp3s0f0" = {
-    matchConfig.Name = "enp3s0f0";
-    networkConfig.DefaultRouteOnDevice = false;
-  };
-
-  systemd.network.networks."enp3s0f1" = {
-    matchConfig.Name = "enp3s0f1";
-    bridge = [ "br0" ];
-  };
-
-  systemd.network.networks."tap0" = {
-    matchConfig.Name = "tap0";
-    bridge = [ "br0" ];
-  };
-
-  #networking.nat = {
-  #  enable = true;
-  #  externalInterface = "enp14s0f1";
-  #  internalInterfaces  = [ "tun" ];
-  #};
-}

hosts/ildkule/services/metrics/grafana.nix

@@ -91,6 +91,7 @@ in {
   services.nginx.virtualHosts.${cfg.settings.server.domain} = {
     enableACME = true;
     forceSSL = true;
+    kTLS = true;
     locations = {
       "/" = {
         proxyPass = "http://127.0.0.1:${toString cfg.settings.server.http_port}";

hosts/ildkule/services/metrics/prometheus/gitea.nix

@@ -0,0 +1,12 @@
+{ values, ... }:
+{
+  # Gitea already exports at /metrics
+  services.prometheus.scrapeConfigs = [{
+    job_name = "gitea";
+    scrape_interval = "15s";
+    metrics_path = "/metrics/gitea";
+    static_configs = [{
+      targets = [ "git.pvv.ntnu.no:443" ];
+    }];
+  }];
+}

hosts/ildkule/services/nginx/default.nix

@@ -1,15 +1,8 @@
 { config, values, ... }:
 {
-  security.acme = {
-    acceptTerms = true;
-    defaults.email = "drift@pvv.ntnu.no";
-  };
-
   services.nginx = {
     enable = true;
-
     enableReload = true;
-
     defaultListenAddresses = [
       values.hosts.ildkule.ipv4
       "[${values.hosts.ildkule.ipv6}]"
@@ -18,12 +11,5 @@
       "127.0.0.2"
       "[::1]"
     ];
-
-    recommendedProxySettings = true;
-    recommendedTlsSettings = true;
-    recommendedGzipSettings = true;
-    recommendedOptimisation = true;
   };
-
-  networking.firewall.allowedTCPPorts = [ 80 443 ];
 }

modules/grzegorz.nix

@@ -24,15 +24,12 @@ in {
   services.grzegorz-webui.hostName = "${config.networking.fqdn}";
   services.grzegorz-webui.apiBase = "http://${toString grg.listenAddr}:${toString grg.listenPort}/api";
 
-  security.acme.acceptTerms = true;
-  security.acme.defaults.email = "pederbs@pvv.ntnu.no";
-
   services.nginx.enable = true;
-  networking.firewall.allowedTCPPorts = [ 80 443 ];
 
   services.nginx.virtualHosts."${config.networking.fqdn}" = {
     forceSSL = true;
     enableACME = true;
+    kTLS = true;
     serverAliases = [
       "${config.networking.hostName}.pvv.org"
     ];

modules/snakeoil-certs.nix

@@ -0,0 +1,83 @@
+{ config, pkgs, lib, ... }:
+let
+  cfg = config.environment.snakeoil-certs;
+in
+{
+  options.environment.snakeoil-certs = lib.mkOption {
+    default = { };
+    description = "Self signed certs, which are rotated regularly";
+    type = lib.types.attrsOf (lib.types.submodule ({ name, ... }: {
+      options = {
+        owner = lib.mkOption {
+          type = lib.types.str;
+          default = "root";
+        };
+        group = lib.mkOption {
+          type = lib.types.str;
+          default = "root";
+        };
+        mode = lib.mkOption {
+          type = lib.types.str;
+          default = "0660";
+        };
+        daysValid = lib.mkOption {
+          type = lib.types.str;
+          default = "90";
+        };
+        extraOpenSSLArgs = lib.mkOption {
+          type = with lib.types; listOf str;
+          default = [ ];
+        };
+        certificate = lib.mkOption {
+          type = lib.types.str;
+          default = "${name}.crt";
+        };
+        certificateKey = lib.mkOption {
+          type = lib.types.str;
+          default = "${name}.key";
+        };
+	subject = lib.mkOption {
+	  type = lib.types.str;
+	  default = "/C=NO/O=Programvareverkstedet/CN=*.pvv.ntnu.no/emailAddress=drift@pvv.ntnu.no";
+	};
+      };
+    }));
+  };
+
+  config = {
+    systemd.services."generate-snakeoil-certs" = {
+      enable = true;
+      serviceConfig.Type = "oneshot";
+      script = let
+        openssl = lib.getExe pkgs.openssl;
+      in lib.concatMapStringsSep "\n----------------\n" ({ name, value }: ''
+        mkdir -p $(dirname "${value.certificate}") $(dirname "${value.certificateKey}")
+        if ! ${openssl} x509 -checkend 86400 -noout -in ${value.certificate}
+        then
+           echo "Regenerating '${value.certificate}'"
+           ${openssl} req \
+             -newkey rsa:4096 \
+             -new -x509 \
+             -days "${toString value.daysValid}" \
+             -nodes \
+             -subj "${value.subject}" \
+             -out "${value.certificate}" \
+             -keyout "${value.certificateKey}" \
+             ${lib.escapeShellArgs value.extraOpenSSLArgs}
+        fi
+        chown "${value.owner}:${value.group}" "${value.certificate}"
+        chown "${value.owner}:${value.group}" "${value.certificateKey}"
+        chmod "${value.mode}" "${value.certificate}"
+        chmod "${value.mode}" "${value.certificateKey}"
+      '') (lib.attrsToList cfg);
+    };
+    systemd.timers."generate-snakeoil-certs" = {
+      wantedBy = [ "timers.target" ];
+      timerConfig = {
+        OnCalendar = "*-*-* 02:00:00";
+        Persistent = true;
+        Unit = "generate-snakeoil-certs.service";
+      };
+    };
+  };
+}

packages/mediawiki-extensions/default.nix

@@ -0,0 +1,8 @@
+{ pkgs, lib }:
+lib.makeScope pkgs.newScope (self: {
+  DeleteBatch = self.callPackage ./delete-batch { };
+  PluggableAuth = self.callPackage ./pluggable-auth { };
+  SimpleSAMLphp = self.callPackage ./simple-saml-php { };
+  UserMerge = self.callPackage ./user-merge { };
+  VisualEditor = self.callPackage ./visual-editor { };
+})

packages/mediawiki-extensions/delete-batch/default.nix

@@ -0,0 +1,7 @@
+{ fetchzip }:
+
+fetchzip {
+  name = "mediawiki-delete-batch";
+  url = "https://extdist.wmflabs.org/dist/extensions/DeleteBatch-REL1_41-5774fdd.tar.gz";
+  hash = "sha256-ROkn93lf0mNXBvij9X2pMhd8LXZ0azOz7ZRaqZvhh8k=";
+}

packages/mediawiki-extensions/pluggable-auth/default.nix

@@ -0,0 +1,7 @@
+{ fetchzip }:
+
+fetchzip {
+  name = "mediawiki-pluggable-auth-source";
+  url = "https://extdist.wmflabs.org/dist/extensions/PluggableAuth-REL1_41-d5b3ad8.tar.gz";
+  hash = "sha256-OLlkKeSlfNgWXWwDdINrYRZpYuSGRwzZHgU8EYW6rYU=";
+}

packages/mediawiki-extensions/simple-saml-php/default.nix

@@ -0,0 +1,7 @@
+{ fetchzip }:
+
+fetchzip {
+  name = "mediawiki-simple-saml-php-source";
+  url = "https://extdist.wmflabs.org/dist/extensions/SimpleSAMLphp-REL1_41-9ae0678.tar.gz";
+  hash = "sha256-AmCaG5QXMJvi3N6zFyWylwYDt8GvyIk/0GFpM1Y0vkY=";
+}

packages/mediawiki-extensions/update-mediawiki-extensions.py

@@ -0,0 +1,66 @@
+#!/usr/bin/env nix-shell
+#!nix-shell -i python3 -p "python3.withPackages(ps: with ps; [ beautifulsoup4 requests ])"
+
+import os
+from pathlib import Path
+import re
+import subprocess
+from collections import defaultdict
+from pprint import pprint
+
+import bs4
+import requests
+
+BASE_URL = "https://extdist.wmflabs.org/dist/extensions"
+
+def fetch_plugin_list(skip_master=True) -> dict[str, list[str]]:
+    content = requests.get(BASE_URL).text
+    soup = bs4.BeautifulSoup(content, features="html.parser")
+    result = defaultdict(list)
+    for a in soup.find_all('a'):
+        if skip_master and 'master' in a.text:
+            continue
+        split = a.text.split('-')
+        result[split[0]].append(a.text)
+    return result
+
+def update(package_file: Path, plugin_list: dict[str, list[str]]) -> None:
+    assert package_file.is_file()
+    with open(package_file) as file:
+        content = file.read()
+
+    tarball = re.search(f'url = "{BASE_URL}/(.+\.tar\.gz)";', content).group(1)
+    split = tarball.split('-')
+    updated_tarball = plugin_list[split[0]][-1]
+
+    _hash = re.search(f'hash = "(.+?)";', content).group(1)
+
+    out, err = subprocess.Popen(
+        ["nix-prefetch-url", "--unpack", "--type", "sha256", f"{BASE_URL}/{updated_tarball}"],
+        stdout=subprocess.PIPE,
+        stderr=subprocess.PIPE
+    ).communicate()
+    out, err = subprocess.Popen(
+        ["nix", "hash", "to-sri", "--type", "sha256", out.decode().strip()],
+        stdout=subprocess.PIPE,
+        stderr=subprocess.PIPE
+    ).communicate()
+
+    updated_hash = out.decode().strip()
+
+    if tarball == updated_tarball and _hash == updated_hash:
+        return
+
+    print(f"Updating: {tarball} ({_hash[7:14]}) -> {updated_tarball} ({updated_hash[7:14]})")
+
+    updated_text = re.sub(f'url = "{BASE_URL}/.+?\.tar\.gz";', f'url = "{BASE_URL}/{updated_tarball}";', content)
+    updated_text = re.sub('hash = ".+";', f'hash = "{updated_hash}";', updated_text)
+    with open(package_file, 'w') as file:
+        file.write(updated_text)
+
+if __name__ == "__main__":
+    plugin_list = fetch_plugin_list()
+
+    for direntry in os.scandir(Path(__file__).parent):
+        if direntry.is_dir():
+            update(Path(direntry) / "default.nix", plugin_list)

packages/mediawiki-extensions/user-merge/default.nix

@@ -0,0 +1,7 @@
+{ fetchzip }:
+
+fetchzip {
+  name = "mediawiki-user-merge-source";
+  url = "https://extdist.wmflabs.org/dist/extensions/UserMerge-REL1_41-a53af3b.tar.gz";
+  hash = "sha256-TxUkEqMW79thYl1la2r+w9laRnd3uSYYg1xDB+1he1g=";
+}

packages/mediawiki-extensions/visual-editor/default.nix

@@ -0,0 +1,7 @@
+{ fetchzip }:
+
+fetchzip {
+  name = "mediawiki-visual-editor-source";
+  url = "https://extdist.wmflabs.org/dist/extensions/VisualEditor-REL1_40-5f8c97e.tar.gz";
+  hash = "sha256-oBMmEDKsFxrD0tpN2dy264IXK164BrZWrNK3v3FNX6w=";
+}

packages/simplesamlphp/default.nix

@@ -0,0 +1,38 @@
+{ lib
+, php
+, writeText
+, fetchFromGitHub
+, extra_files ? { }
+
+}:
+
+php.buildComposerProject rec {
+  pname = "simplesamlphp";
+  version = "2.2.1";
+
+  src = fetchFromGitHub {
+    owner = "simplesamlphp";
+    repo = "simplesamlphp";
+    rev = "v${version}";
+    hash = "sha256-jo7xma60M4VZgeDgyFumvJp1Sm+RP4XaugDkttQVB+k=";
+  };
+
+  composerStrictValidation = false;
+
+  vendorHash = "sha256-n6lJ/Fb6xI124PkKJMbJBDiuISlukWQcHl043uHoBb4=";
+
+  # TODO: metadata could be fetched automagically with these:
+  #   - https://simplesamlphp.org/docs/contrib_modules/metarefresh/simplesamlphp-automated_metadata.html
+  #   - https://idp.pvv.ntnu.no/simplesaml/saml2/idp/metadata.php
+  postPatch = lib.pipe extra_files [
+    (lib.mapAttrsToList (target_path: source_path: ''
+      mkdir -p $(dirname "${target_path}")
+      cp -r "${source_path}" "${target_path}"
+    ''))
+    (lib.concatStringsSep "\n")
+  ];
+
+  postInstall = ''
+    ln -sr $out/share/php/simplesamlphp/vendor/simplesamlphp/simplesamlphp-assets-base $out/share/php/simplesamlphp/public/assets/base
+  '';
+}

secrets/bekkalokk/bekkalokk.yaml

@@ -10,9 +10,25 @@ gitea:
         epsilon: ENC[AES256_GCM,data:JMnZVBdiy+5oPyXgDpfYvy7qLzIEfHy09fQSBDpNG4zDXTil2pSKBKxk09h5xg==,iv:/8oXKJW6+sMBjDt51MqVAWjQPM5nk02Lv5QqbZsZ5ms=,tag:+Rx7ursfVWc0EcExCLgLhQ==,type:str]
 mediawiki:
     password: ENC[AES256_GCM,data:HsBuA1E7187roGnKuFPfPDYxA16GFjAUucgUtrdUFmcOzmTNiFH+NWY2ZQ==,iv:vDYUmmZftcrkDtJxNYKAJSx9j+AQcmQarC62QRHR4IM=,tag:3TKjNrGRivFWoK3djC748g==,type:str]
-    database: ENC[AES256_GCM,data:EvVK3Mo6cZiIZS+gTxixU4r9SXN41VqwaWOtortZRNH+WPJ4xcYvzYMJNg==,iv:JtFTRLn3fzKIfgAPRqRgQjct7EdkEHtiyQKPy8/sZ2Q=,tag:nqzseG6BC0X5UNI/3kZZ3A==,type:str]
+    postgres_password: ENC[AES256_GCM,data:XIOmrOVXWvMMcPJtmovhdyZvLlhmrsrwjuMMkdEY1NIXWjevj5XEkp6Cpw==,iv:KMPTRzu3H/ewfEhc/O0q3o230QNkABfPYF/D1SYL2R8=,tag:sFZiFPHWxwzD9HndPmH3pQ==,type:str]
+    simplesamlphp:
+        postgres_password: ENC[AES256_GCM,data:FzykBVtJbA+Bey1GE5VqnSuv2GeobH1j,iv:wayQH3+y0FYFkr3JjmulI53SADk0Ikur/2mUS5kFrTk=,tag:d+nQ/se2bDA5aaQfBicnPQ==,type:str]
+        cookie_salt: ENC[AES256_GCM,data:BioRPAvL4F9ORBJDFdqHot81RhVpAOf32v1ah3pvOLq8E88bxGyKFQZxAwpIL3UkWQIsWMnEerm5MEMYL1C2OQ==,iv:yMVqiPTQ8hO1IVAax6PIkD0V9YTOEunwDTtnGcmy6Kc=,tag:Z4+bZF4olLlkx7YpXeQiUw==,type:str]
+        admin_password: ENC[AES256_GCM,data:4eUXvcO7NLOWke9XShfKzj+x3FvqPONa,iv:3iZ+BTBTZ7yMJ0HT14cEMebKZattWUcYEevRsl/6WOk=,tag:CU0iDhPP2ndztdX5U5A4cw==,type:str]
 keycloak:
     database: ENC[AES256_GCM,data:76+AZnNR5EiturTP7BdOCKE90bFFkfGlRtviSP5NHxPbb3RfFPJEMlwtzA==,iv:nS7VTossHdlrHjPeethhX+Ysp9ukrb5JD7kjG28OFpY=,tag:OMpiEv9nQA7v6lWJfNxEEw==,type:str]
+idp:
+    cookie_salt: ENC[AES256_GCM,data:cyV6HDCPHKQIa8T1+rFBFh6EuHtG5B508lg6uFYENK7qVpYuiTUIokdVQhY8SRLs2mECx/ampgnUHxCRB/Cc/A==,iv:QRrRUhzRQrLkmg38rrYtCEfF8U4/7ZHZUDSEq++BlbI=,tag:fLqFSLd+CKqJvmCh1fx8vg==,type:str]
+    admin_password: ENC[AES256_GCM,data:Vf33Oenk6x6BIij1uW8RQDjTPcKhUVYA,iv:RNeyCNpTAYdBPrZwE3Y6CCjoAML/3XUvjfJCrr06IEU=,tag:zVOrx1oXnEyr/VwFCFaCDQ==,type:str]
+    postgres_password: ENC[AES256_GCM,data:HGwKLbn/umPLPgH+qpXtugvXzOcXdlhK,iv:ypTW0VLSape8K5aCYu3BdjG/oMmqvfDSLw9uGLthb0Q=,tag:qlDMGz59qzMwEwBYxsC0XQ==,type:str]
+    privatekey: ENC[AES256_GCM,data:pK74wjuk9lt2PNJIzi6NpPBkxcSRsBZJl28BElUiri2zz17CY81x66CMlFsNjvzKB3JVX+b28FHFuSsEpd/mAPtmzZPR+CoWBHvU+OrSYYoufBxexRTtXzu0vx/KFL4X5tsb+GCgfm72CM+u9dElYHJzn3teBUmZc0pIoF29slTuwF+iZrbFwaieECxXMjHC9f+ivxWQsOvYFjhmAwgjBw/LsfURgLxZwcIRiiKsN41P2WtR9a/hjN53sJnihL9VZw/Xbbynm+bDmaAwhKUAZR28TU9Q1PTfNPEAOMoRgKF4MFuhQ5o0Cxq8RRz7fwCcCTV2sK4jgL7gKiy/gI/K41ybPQPon3NrDj3U2G1VhNgBfSNaTHgygiWI08HGWRHk83eJPHp3Ph8/A774g15SE10BXkL12n0kzodsZWYu3ybrhp167vL/ZW3xUnvFFlm4dTX/ndwS5rp1dIW0a5/0EDwMoGIJw94W5ph5sK9YoUTXwLdAJ9UWRZKQGk6iJstq2BMEBAN2BCSPHS2cflMjoVV4KKX1eq6s8/w6YFzCSQkt3+pGQ3DmiOaaqiv7sUfxyfMDzDcuTVETYRhsvr1ChfBFNn1yoH8BffeVTI2Ei3Edek1vXcg05mHxslhCmzQ4U4us0agtpm2Ar6ppvuedJHLWLFz8pgWSENeGdRcbz0CXiy7lIEYW4uQBru4MAjQ+ZQhz/F4L6At60Q4NelYMDxryQ8LxV0fA/ba2llwl8bDHDFDYkxu3/IaaWG8bp1i6gqvEao3/CRpPt/OAJGAHO3HViPm6xmWlWinUEatNlgCoDotkc56eZU/Af/P7R0QPQF0PpEIDHPcNjc/HcfheUXzJSzkD7wja8VB6rtqdRHFC793QsgdHJMJ+/bvJWZSQciSwaY3PBKLLuB6vrn7VD2NB4cE6beaGwneiAn83lAV+I4cJMDQFLkhWm8LIC7JIZKq/7eBfDEmajWEBL6wSbomBi/UGbA+FyvOokYYMemwVu1JGULcz9Lvn6pxkftQlN0gqE3MncrcZ/l59fepbka/z8oqH6i+3nKdaEh6D+WudD/0xiJSdXAVM6jGrxQtFc1R+OmGTTKJB4aLqgcM25YQ760wKavx5+B52pSki7XdYLmb6Xbnnv7AnyCNmGcpcj795P7qasE2sVokqq9a2PZD7VhP9TPHGtEO6QkkNV5gLxGsGvmshMM8KQgjK60HPQuSfHFVN/SlcOKvvH5ec8sBuYUt24xcDPewV9cXZwjcmwufFOVbC72FTEmU5qvmKobJTGjjbhWsHwpopESctmXuArIcVPsX5jSe3C9Y+9tjbkBGW6/+o8pTfodsjioXevVDXwjVBmGYk8xjZtF6/xfhpWvfunDXgEhnpT4i6ikoQiva8Mw8NvLe8U8Ivr6qCDE4ys4RTs56aw/CJHzydKjX96ZPzim52fAIJvEt1HvMvQx/O/q00h0WujYBcSBivYDtl7hC2fl6pBvM7fjipbeF04idkAKKXf4j6SGunx4hWq+eIA5tnlG8XVZZKIpdXKLgarvWs5pLlTSAK5ckF/yddcik7gAZc+pwo8kCAXIXPisX/yw9cZhI51PNTG1yxtPHAWKgULYLoWcnBCGTmPVXmj6IhpGuNuQ18TTpEtwnrMmcGq6aG/M2ZI+oq0q6suJUWwsCKUVM/TS6SKXEArzDtOMdXgyyDC/H3u+w3Bt/DwALLacq6lwoKBJZxQ6ewv3+ZkLcOkMRKu97hgV+rKmFqdPXqs+Skrf2MRl48sUCPIUXhD46ocFNpemcXcr73G7AxmmFLT6T4ZFm69K6eftUP6FsgUwbed+SaWTeptaG+wueL1NECoXafGlJAmXkjbBdWVgF2oMQFP3Kau135fiqmHpoWGzG5UhKxshTTtRIvbG/296NOkNZWBT/VzjwZti3IUka7HjC3leu28IlLsN0fsNPjQc2uIR3uVsR020g6et0m/Nys9gHDWXG/aCAYKhrgU8w37ZHBs383rkl4uUIYJH61SmTS4JP/wgh/+Q1aU8gXaZ8/Bc0BZUJdF3JR48fjkuMi2A8q5vkTQ1yFCvbBTtdg336v5tZc/xOW5/pt0W1Y7IgPFwHNh4iPAtKQZ3Qybh5PXs4N80YeYFWIjV6Ai0uY4yPdwYPfd1pRdpf3Ll+bhnbDPg0ye4f9lAhSR/cAZpft7BTd6W6jCv8QfWZcDmoBGZy68GZsYfCJ3QAo6szxzDtuyp7WMJRxioPt1EVA9q+8Rp7hHmZosoZOIUV+q3W5yZymL/PXZABiIc2OW9kryNlxQlBo79CSLGdXWeMq3dN1MSWoKJzxEseQqtSY5E1DYQosT1+3B8DXm77WSLMuB6OLjEz760y8jyIiLTGAVslcOb5XNfrQf5+l52nxCl/uSZo9FxiKg7ip0v3PZLuFSTSEaR2R2WeSuv/KoXi7WxFiG6VskpyL5jMhBwjepExFVosrOi4XugqR8vD3byTYUnmQvWJyyrI2LqQsYsa3o65SIO4g8SMKRsJJ8WWHpywLjF00HJSWiGRu8bQguvDTQd3UP6lgudzpubERXuUIBiMPqBKFJ1QTWA6N/t7dxR7NVaSexrGmY4ZSoIBKb9Jnge/+lkKrO9CgqDQpTAAvwwBZpFOV7EYLZNRpW+F8HaCNMeql7V/nFqdaaNdm9yLBhXbaeujalyiLtvBCghe330JVjbBTYWiRulJ2xnlX4GLzORBRIVHJYjxEKzCeVW7J2wAKkJ6gx5rlfDOd6r+Tf+1L8ZZoJEdBhIW7flslxo4amGRTI9QGJKVCIq/hrUGEgIAKsDsqTd21lVdhy+EDM+gumO7FbMcqVPRpwmQMFAZbJgH6TeS46tA4XQJGbwQhhBaqVb3jz7OJVOZ9C3/XfxPPpK4B2OyqINKNIRfyZ0fSmGlIT4LPf2IUEDCEKuPd3ClX51qNnVAPt/MbooF++Vp91KImdqCHwdiAygZTH9u91UN8S9IW8vo0XE4eAgdInjOM+IzUPhC+G8i6UNHbOpfQ7dntDc2nCv4nFKLjLZrgpm2kFrQ60/gDlbXBFF2eRcfYkSQSxVLWC4kWF1ce9YZf/j6erm6GnsQiyNoePe/Nb0v2f5DAR+9yoSJEOAi/AHacA9Dq5kfcoOYCrLkoc17SKQYmy/M9m5Mh3inI/O4wbUQrYDKHT0j77BJnkY11M6AiEF9YC0F4lCV4hIefQ3PnI4nmmo9b8rHnqvmrwUZrcOom6Zp+A7ydo4t0Bw1cDzEwJfpcb3JjpFi7F32/vHHLtGuPDvcJqkhw8VLuaAWAcEPJcIHJ+vAKCGWtDH7yQEOhFq4touwyPYDWBA5tqPY2xkFIAImFRhyLtTQupiNbZVR4G4dj24l8uQl2iz9aoDbJlNhoT+9YhwrKrYdM6hqnvpmiYqLIM+2kijZ8JmBS0BWNLCr+6rnbZbEB5e1ezokice8HQ1XcXbsegcI+eJ+gfDhYKw75VVyOd1Uy/pjLCCwQTywTIbf3iSuETvs3YjQrET1m7GJm3q8G4dx2M9c2B7R6B0ej06pkC4WwzFg3hEG6z2BaNrkopKkoE99bjoB2VHkgGTe+YM1Q3t+jA8IB7XNlnVH82AJ6eDMqgGSWBZiGxwx0KVUMg7cTi0iD6JNSYea0ykw+fh7Mj+8N0zhmzdUjdNBwZqxHVUbqIhUhk6meGRN5EASyt6qR329AqzbKaloS2VqjLjDkSEMhQfL4jHa8yPp8Cyj6EjgM2n5LnZs0u/43eh0h4ig3zQYMkwrHixI5hNQTBwSm3QnNpr3OnXAlypCPbCTiMC5sxHfrSTFkmjduT29aZ5qHQOc5zYG5bE2CmhWJdCOZm1s1mUT+Pxbxf4m/sh8w7TwnA+leD1rUvwYfyl5WI8f071vPcg62uTwScxr+TErvdzAkg9HElnsO6km0IncHIh79zexCR51CrtrZAVxc1gnnDtTLsaKmcEDkqIY4U2cUv+1CtPWz7IfKea9B56x+bFY32pwqYeXCHdDVfBGSMuM7mqZUBu+3jETSbglozYrukbgjftdWob3s/hR0WB0lH9uwkugfoGVonasPkmPvBhuvozkCLvP9aplqwUoL74D4JhHFLciPvV+Cmw5ag1WtErB89Oimm3tnOpynCJwZTQM+NVgBtKjom0qOnyn7l0vYIKQFJwV2k5w+RfrX5EOOjFfg9D2u+gHgmrqzaSl6kk2dHlQYmfeP+nJxiH7eGO5D3ooYHp7JKZBAaJHcAWWpgqVL/L8pjSJLCPRGBF/5DnfggwFdNprl3LqYnr4io+Wp4+Du74uvQHNpojrUQ4j7Qp330rSbCK9iX5v14zYr6RlqKe5CtTqHjPzuL8CxFUI1ImHgViNpff4=,iv:8cb1FcIm0oGkcrfLNqXamx4aDA3owBZoHur8+uFsdmA=,tag:oFPP/Yene6QrxFDKlmoVcA==,type:str]
+nettsiden:
+    mysql_password: ENC[AES256_GCM,data:Uv74HhWtYRbaFHcfh0Rk/Q==,iv:/lRTaMepwpJKZJWHnwb98Ywa1zP4e2EqYGmwI7BCl1I=,tag:ZnE0u2/65zdkONcoiBGSOQ==,type:str]
+    door_secret: ENC[AES256_GCM,data:t0jEN1WnyEi10KRSg4Dlcd7IuIMBiOU7riOdYSZjvZTQqPijRYIoMEQ6OemIkD1Yg67uISTxnjxP,iv:Ss02VGKRa4oZMubbi8IfQDAjh3h295+n07vOx/IZGBs=,tag:OvdxqIUdYi/cR7IjopSVQQ==,type:str]
+    simplesamlphp:
+        postgres_password: ENC[AES256_GCM,data:SvbrdHF4vQ94DgoEfy67QS5oziAsMT8H,iv:LOHBqMecA6mgV3NMfmfTh3zDGiDve+t3+uaO53dIxt4=,tag:9ffz84ozIqytNdGB1COMhA==,type:str]
+        cookie_salt: ENC[AES256_GCM,data:VmODSLOP1YDBrpHdk/49qx9BS+aveEYDQ1D24d4zCi06kZsCENCr+vdPAnTeM1pw98RTr3yZAEQTh4s90b6v8Q==,iv:vRClu6neyYPFdtD63kjnvK2iNOIHMbh+9qEGph7CI60=,tag:66fgppVxY0egs4+9XfDBPA==,type:str]
+        admin_password: ENC[AES256_GCM,data:SADr/zN3F0tW339kSK1nD9Pb38rw7hz8,iv:s5jgl1djXd5JKwx1WG/w2Q4STMMpjJP91qxOwAoNcL0=,tag:N8bKnO9N0ei06HDkSGt6XQ==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -46,8 +62,8 @@ sops:
             akVjeTNTeGorZjJQOVlMeCtPRUVYL3MK+VMvGxrbzGz4Q3sdaDDWjal+OiK+JYKX
             GHiMXVHQJZu/RrlxMjHKN6V3iaqxZpuvLAEJ2Lzy5EOHPtuiiRyeHQ==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-09-17T02:02:24Z"
-    mac: ENC[AES256_GCM,data:Lkvj9UOdE/WZtFReMs6n8ucFuJNPb76ZhPHFpYAEqYEe8d9FdMPMzq05DBAJe9IqpFS0jc9SWxJUPHfGgoMR8nPciZuR/mpJ+4s/cRkPbApwBPcLlvatE/qkbcxzoLlb1vN0gth5G/U7UEfk5Pp9gIz6Yo4sEIS3Za42tId1MpI=,iv:s3VELgU/RJ98/lbQV3vPtOLXtwFzB3KlY7bMKbAzp/g=,tag:D8s0XyGnd8UhbCseB/TyFg==,type:str]
+    lastmodified: "2024-04-08T20:36:13Z"
+    mac: ENC[AES256_GCM,data:IObBR2H3cPIvBNWSo7A5xwyKeg2HbFkfxcU1U5BpRx2gvNb9/h7lextQ6IWPHOS/LZRXY+lZdhX6zLf6aLQjxTATZcrcF2BIu6YM5wppXOjVxhy3dkItU5TGPuxBdZEZ1bEpFu3B1Ooc1UdWvEWqZz2Mcn2akoX53Mj2vU8WGO8=,iv:fHvPHO33y6y3OSbVkojw2+XnpCNHO1AnCm2RnuwxPVA=,tag:m44YZd4Q4DEHCoDCoayqsg==,type:str]
     pgp:
         - created_at: "2023-05-21T00:28:40Z"
           enc: |
@@ -70,4 +86,4 @@ sops:
             -----END PGP MESSAGE-----
           fp: F7D37890228A907440E1FD4846B9228E814A2AAC
     unencrypted_suffix: _unencrypted
-    version: 3.7.3
+    version: 3.8.1

users/adriangl.nix

@@ -6,15 +6,21 @@
     extraGroups = [
       "wheel"
       "drift"
+      "nix-builder-users"
     ];
 
     packages = with pkgs; [
-      exa
       neovim
+      htop
+      ripgrep
+      vim
+      foot.terminfo
     ];
 
     openssh.authorizedKeys.keys = [
       "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFa5y7KyLn2tjxed1czMbyM5scnEpo9v/GfnhL/28ckM legolas"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICf7SlyHR6KgP7+IeFr/Iuiu2lL5vaSlzqPonaO8XU0J gunalx@aragon"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEj+Y0RUrSaF8gUW8m2BY6i8e7/0bUWhu8u8KW+AoHDh gunalx@nixos"
     ];
   };
 }

users/eirikwit.nix

@@ -0,0 +1,18 @@
+{ pkgs, ... }:
+{
+  users.users.eirikwit = {
+    isNormalUser = true;
+    extraGroups = [
+      "wheel"
+      "drift"
+    ];
+
+    packages = with pkgs; [
+      micro
+    ];
+
+    openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGZusOSiUVSMjrvNdUq4R91Gafq4XVs9C77Zt+LMPhCU eirikw@live.no"
+    ];
+  };
+}

users/oysteikt.nix

@@ -11,7 +11,7 @@
 
     packages = with pkgs; [
       bottom
-      exa
+      eza
       neovim
       diskonaut
       ripgrep