Compare commits

..

1 Commits

Author SHA1 Message Date
2f9bda6fd6 WIP: bekkalokk: setup nettsiden 2023-11-04 23:39:16 +01:00
31 changed files with 300 additions and 625 deletions

View File

@ -26,7 +26,7 @@ Det er sikkert lurt å lage en PR først om du ikke er vandt til nix enda.
Innen 24h skal alle systemene hente ned den nye konfigurasjonen og deploye den.
Du kan tvinge en maskin til å oppdatere seg før dette ved å kjøre:
`nixos-rebuild switch --update-input nixpkgs --update-input nixpkgs-unstable --no-write-lock-file --refresh --flake git+https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git --upgrade`
`nixos-rebuild switch --update-input nixpkgs --update-input unstable --no-write-lock-file --refresh --flake git+https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git --upgrade`
som root på maskinen.

View File

@ -32,7 +32,7 @@
flake = "git+https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git";
flags = [
"--update-input" "nixpkgs"
"--update-input" "nixpkgs-unstable"
"--update-input" "unstable"
"--no-write-lock-file"
];
};
@ -71,9 +71,6 @@
users.groups."drift".name = "drift";
# Trusted users on the nix builder machines
users.groups."nix-builder-users".name = "nix-builder-users";
services.openssh = {
enable = true;
extraConfig = ''

88
flake.lock generated
View File

@ -1,29 +1,9 @@
{
"nodes": {
"disko": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1700927249,
"narHash": "sha256-iqmIWiEng890/ru7ZBf4nUezFPyRm2fjRTvuwwxqk2o=",
"owner": "nix-community",
"repo": "disko",
"rev": "3cb78c93e6a02f494aaf6aeb37481c27a2e2ee22",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "disko",
"type": "github"
}
},
"grzegorz": {
"inputs": {
"nixpkgs": [
"nixpkgs-unstable"
"unstable"
]
},
"locked": {
@ -65,33 +45,33 @@
"nixpkgs-lib": "nixpkgs-lib"
},
"locked": {
"lastModified": 1697936579,
"narHash": "sha256-nMyepKnwoHMzu2OpXvG2ZhU081TV9ENmWCo0vWxs6AI=",
"lastModified": 1697420972,
"narHash": "sha256-eFDasOzXAN8VswUntNBBwvKFyVKFvmwRNNVTDfGdB3M=",
"owner": "dali99",
"repo": "nixos-matrix-modules",
"rev": "e09814657187c8ed1a5fe1646df6d8da1eb2dee9",
"rev": "1e370b96223b94d52006249a60033caaea605c65",
"type": "github"
},
"original": {
"owner": "dali99",
"repo": "nixos-matrix-modules",
"rev": "e09814657187c8ed1a5fe1646df6d8da1eb2dee9",
"type": "github"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1701362232,
"narHash": "sha256-GVdzxL0lhEadqs3hfRLuj+L1OJFGiL/L7gCcelgBlsw=",
"lastModified": 1697706247,
"narHash": "sha256-nWLggeUxn/l8JrcQr9f+RfnCXp8cn0BN568PjMJh9ko=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "d2332963662edffacfddfad59ff4f709dde80ffe",
"rev": "4ee5b576ac2861a818950aea99f609d7a6fc02a3",
"type": "github"
},
"original": {
"id": "nixpkgs",
"owner": "NixOS",
"ref": "nixos-23.05-small",
"type": "indirect"
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-lib": {
@ -111,11 +91,11 @@
},
"nixpkgs-stable": {
"locked": {
"lastModified": 1700905716,
"narHash": "sha256-w1vHn2MbGfdC+CrP3xLZ3scsI06N0iQLU7eTHIVEFGw=",
"lastModified": 1697332183,
"narHash": "sha256-ACYvYsgLETfEI2xM1jjp8ZLVNGGC0onoCGe+69VJGGE=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "dfb95385d21475da10b63da74ae96d89ab352431",
"rev": "0e1cff585c1a85aeab059d3109f66134a8f76935",
"type": "github"
},
"original": {
@ -125,21 +105,6 @@
"type": "github"
}
},
"nixpkgs-unstable": {
"locked": {
"lastModified": 1701368325,
"narHash": "sha256-3OqZyi2EdopJxpxwrySPyCTuCvfBY4oXTLVgQ4B6qDg=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "3934dbde4f4a0e266825348bc4ad1bdd00a8d6a3",
"type": "github"
},
"original": {
"id": "nixpkgs",
"ref": "nixos-unstable-small",
"type": "indirect"
}
},
"pvv-calendar-bot": {
"inputs": {
"nixpkgs": [
@ -162,14 +127,13 @@
},
"root": {
"inputs": {
"disko": "disko",
"grzegorz": "grzegorz",
"grzegorz-clients": "grzegorz-clients",
"matrix-next": "matrix-next",
"nixpkgs": "nixpkgs",
"nixpkgs-unstable": "nixpkgs-unstable",
"pvv-calendar-bot": "pvv-calendar-bot",
"sops-nix": "sops-nix"
"sops-nix": "sops-nix",
"unstable": "unstable"
}
},
"sops-nix": {
@ -180,11 +144,11 @@
"nixpkgs-stable": "nixpkgs-stable"
},
"locked": {
"lastModified": 1701127353,
"narHash": "sha256-qVNX0wOl0b7+I35aRu78xUphOyELh+mtUp1KBx89K1Q=",
"lastModified": 1697339241,
"narHash": "sha256-ITsFtEtRbCBeEH9XrES1dxZBkE1fyNNUfIyQjQ2AYQs=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "b1edbf5c0464b4cced90a3ba6f999e671f0af631",
"rev": "51186b8012068c417dac7c31fb12861726577898",
"type": "github"
},
"original": {
@ -192,6 +156,22 @@
"repo": "sops-nix",
"type": "github"
}
},
"unstable": {
"locked": {
"lastModified": 1697713104,
"narHash": "sha256-DN7YOyKMCpAVeZ44N42LrujtTkoerkS9+kTufQiuntY=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "6be2c349a30fcb489a3153dd331e9df387ab6449",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-unstable-small",
"repo": "nixpkgs",
"type": "github"
}
}
},
"root": "root",

View File

@ -2,28 +2,24 @@
description = "PVV System flake";
inputs = {
nixpkgs.url = "nixpkgs/nixos-23.05-small";
nixpkgs-unstable.url = "nixpkgs/nixos-unstable-small";
nixpkgs.url = "github:NixOS/nixpkgs/nixos-23.05-small";
unstable.url = "github:NixOS/nixpkgs/nixos-unstable-small";
sops-nix.url = "github:Mic92/sops-nix";
sops-nix.inputs.nixpkgs.follows = "nixpkgs";
disko.url = "github:nix-community/disko";
disko.inputs.nixpkgs.follows = "nixpkgs";
pvv-calendar-bot.url = "git+https://git.pvv.ntnu.no/Projects/calendar-bot.git";
pvv-calendar-bot.inputs.nixpkgs.follows = "nixpkgs";
# Last release compatible with 23.05
matrix-next.url = "github:dali99/nixos-matrix-modules/e09814657187c8ed1a5fe1646df6d8da1eb2dee9";
matrix-next.url = "github:dali99/nixos-matrix-modules";
grzegorz.url = "github:Programvareverkstedet/grzegorz";
grzegorz.inputs.nixpkgs.follows = "nixpkgs-unstable";
grzegorz.inputs.nixpkgs.follows = "unstable";
grzegorz-clients.url = "github:Programvareverkstedet/grzegorz-clients";
grzegorz-clients.inputs.nixpkgs.follows = "nixpkgs";
};
outputs = { self, nixpkgs, nixpkgs-unstable, sops-nix, disko, ... }@inputs:
outputs = { self, nixpkgs, matrix-next, pvv-calendar-bot, unstable, sops-nix, ... }@inputs:
let
nixlib = nixpkgs.lib;
systems = [
@ -46,7 +42,7 @@
rec {
system = "x86_64-linux";
specialArgs = {
inherit nixpkgs-unstable inputs;
inherit unstable inputs;
values = import ./values.nix;
};
@ -61,7 +57,7 @@
(final: prev: {
mx-puppet-discord = prev.mx-puppet-discord.override { nodejs_14 = final.nodejs_18; };
})
inputs.pvv-calendar-bot.overlays.${system}.default
pvv-calendar-bot.overlays.${system}.default
];
};
}
@ -69,27 +65,18 @@
);
stableNixosConfig = nixosConfig nixpkgs;
unstableNixosConfig = nixosConfig nixpkgs-unstable;
unstableNixosConfig = nixosConfig unstable;
in {
bicep = stableNixosConfig "bicep" {
modules = [
./hosts/bicep/configuration.nix
sops-nix.nixosModules.sops
inputs.matrix-next.nixosModules.default
inputs.pvv-calendar-bot.nixosModules.default
matrix-next.nixosModules.default
pvv-calendar-bot.nixosModules.default
];
};
bekkalokk = stableNixosConfig "bekkalokk" { };
bob = stableNixosConfig "bob" {
modules = [
./hosts/bob/configuration.nix
sops-nix.nixosModules.sops
disko.nixosModules.disko
{ disko.devices.disk.disk1.device = "/dev/vda"; }
];
};
ildkule = stableNixosConfig "ildkule" { };
#ildkule-unstable = unstableNixosConfig "ildkule" { };
shark = stableNixosConfig "shark" { };
@ -112,12 +99,6 @@
inputs.grzegorz-clients.nixosModules.grzegorz-webui
];
};
buskerud = stableNixosConfig "buskerud" {
modules = [
./hosts/buskerud/configuration.nix
sops-nix.nixosModules.sops
];
};
};
devShells = forAllSystems (system: {

View File

@ -5,14 +5,14 @@
../../base.nix
../../misc/metrics-exporters.nix
../../modules/wackattack-ctf-stockfish
#./services/keycloak.nix
# TODO: set up authentication for the following:
# ./services/website.nix
./services/nginx
./services/website.nix
./services/nginx.nix
./services/gitea/default.nix
./services/webmail
# ./services/mediawiki.nix
];

View File

@ -0,0 +1,6 @@
{ pkgs, inputs, ... }:
let
in
{
}

View File

@ -0,0 +1,53 @@
{
src,
php82,
php82Extensions,
sqlite,
git,
...
}:
pkgs.stdenvNoCC.mkDerivation {
pname = "nettsiden";
version = "0.1.0";
inherit src;
buildInputs = [
php82
(with php82Extensions; [
iconv
mbstring
pdo_mysql
pdo_sqlite
])
sqlite
git
];
buildPhase = ''
export PHPHOST=localhost
export PHPPORT=1080
alias runDev='php -S $PHPHOST:$PHPPORT -d error_reporting=E_ALL -d display_errors=1 -t www/'
# Prepare dev environment with sqlite and config files
test -e pvv.sqlite || sqlite3 pvv.sqlite < dist/pvv.sql
test -e sql_config.php || cp -v dist/sql_config_example.php sql_config.php
test -e dataporten_config.php || cp -v dist/dataporten_config.php dataporten_config.php
test -e composer.phar || curl -O https://getcomposer.org/composer.phar
if [ ! -f lib/OAuth2-Client/OAuth2Client.php ] ; then
echo Missing git submodules. Installing...
(set -x; git submodule update --init --recursive) || exit $?
fi
if [ ! -d vendor ] ; then
php composer.phar install || exit $?
cp -v dist/authsources_example.php vendor/simplesamlphp/simplesamlphp/config/authsources.php
cp -v dist/saml20-idp-remote.php vendor/simplesamlphp/simplesamlphp/metadata/saml20-idp-remote.php
cp -v vendor/simplesamlphp/simplesamlphp/config-templates/config.php vendor/simplesamlphp/simplesamlphp/config/config.php
sed -e "s/'trusted.url.domains' => array()/'trusted.url.domains' => array(\"$PHPHOST:$PHPPORT\")/g" < vendor/simplesamlphp/simplesamlphp/config-templates/config.php > vendor/simplesamlphp/simplesamlphp/config/config.php
ln -s ../vendor/simplesamlphp/simplesamlphp/www/ www/simplesaml
fi
'';
};

View File

@ -1,9 +1,5 @@
{ pkgs, config, ... }:
{
imports = [
./ingress.nix
];
security.acme = {
acceptTerms = true;
defaults.email = "drift@pvv.ntnu.no";

View File

@ -1,55 +0,0 @@
{ config, lib, ... }:
{
services.nginx.virtualHosts = {
"www2.pvv.ntnu.no" = {
serverAliases = [ "www2.pvv.org" "pvv.ntnu.no" "pvv.org" ];
addSSL = true;
enableACME = true;
locations = {
# Proxy home directories
"/~" = {
extraConfig = ''
proxy_redirect off;
proxy_pass https://tom.pvv.ntnu.no;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
'';
};
# Redirect old wiki entries
"/disk".return = "301 https://www.pvv.ntnu.no/pvv/Diskkjøp";
"/dok/boker.php".return = "301 https://www.pvv.ntnu.no/pvv/Bokhyllen";
"/styret/lover/".return = "301 https://www.pvv.ntnu.no/pvv/Lover";
"/styret/".return = "301 https://www.pvv.ntnu.no/pvv/Styret";
"/info/".return = "301 https://www.pvv.ntnu.no/pvv/";
"/info/maskinpark/".return = "301 https://www.pvv.ntnu.no/pvv/Maskiner";
"/medlemssider/meldinn.php".return = "301 https://www.pvv.ntnu.no/pvv/Medlemskontingent";
"/diverse/medlems-sider.php".return = "301 https://www.pvv.ntnu.no/pvv/Medlemssider";
"/cert/".return = "301 https://www.pvv.ntnu.no/pvv/CERT";
"/drift".return = "301 https://www.pvv.ntnu.no/pvv/Drift";
"/diverse/abuse.php".return = "301 https://www.pvv.ntnu.no/pvv/CERT/Abuse";
"/nerds/".return = "301 https://www.pvv.ntnu.no/pvv/Nerdepizza";
# TODO: Redirect webmail
"/webmail".return = "301 https://webmail.pvv.ntnu.no/squirrelmail";
# Redirect everything else to the main website
"/".return = "301 https://www.pvv.ntnu.no$request_uri";
# Proxy the matrix well-known files
# Host has be set before proxy_pass
# The header must be set so nginx on the other side routes it to the right place
"/.well-known/matrix/" = {
extraConfig = ''
proxy_set_header Host matrix.pvv.ntnu.no;
proxy_pass https://matrix.pvv.ntnu.no/.well-known/matrix/;
'';
};
};
};
};
}

View File

@ -1,15 +0,0 @@
{ config, values, pkgs, lib, ... }:
{
imports = [
./roundcube.nix
];
services.nginx.virtualHosts."webmail2.pvv.ntnu.no" = {
forceSSL = true;
enableACME = true;
#locations."/" = lib.mkForce { };
locations."= /" = {
return = "301 https://www.pvv.ntnu.no/mail/";
};
};
}

View File

@ -1,74 +0,0 @@
{ config, pkgs, lib, ... }:
with lib;
let
cfg = config.services.roundcube;
domain = "webmail2.pvv.ntnu.no";
in
{
services.roundcube = {
enable = true;
package = pkgs.roundcube.withPlugins (plugins: with plugins; [
persistent_login
thunderbird_labels
contextmenu
custom_from
]);
dicts = with pkgs.aspellDicts; [ en en-science en-computers nb nn fr de it ];
maxAttachmentSize = 20;
hostName = "roundcubeplaceholder.example.com";
extraConfig = ''
$config['enable_installer'] = false;
$config['default_host'] = "ssl://imap.pvv.ntnu.no";
$config['default_port'] = 993;
$config['smtp_server'] = "ssl://smtp.pvv.ntnu.no";
$config['smtp_port'] = 465;
$config['mail_domain'] = "pvv.ntnu.no";
$config['smtp_user'] = "%u";
$config['support_url'] = "";
'';
};
services.nginx.virtualHosts."roundcubeplaceholder.example.com" = lib.mkForce { };
services.nginx.virtualHosts.${domain} = {
locations."/roundcube" = {
tryFiles = "$uri $uri/ =404";
index = "index.php";
root = pkgs.runCommandLocal "roundcube-dir" { } ''
mkdir -p $out
ln -s ${cfg.package} $out/roundcube
'';
extraConfig = ''
location ~ ^/roundcube/(${builtins.concatStringsSep "|" [
# https://wiki.archlinux.org/title/Roundcube
"README"
"INSTALL"
"LICENSE"
"CHANGELOG"
"UPGRADING"
"bin"
"SQL"
".+\\.md"
"\\."
"config"
"temp"
"logs"
]})/? {
deny all;
}
location ~ ^/roundcube/(.+\.php)(/?.*)$ {
fastcgi_split_path_info ^/roundcube(/.+\.php)(/.+)$;
include ${config.services.nginx.package}/conf/fastcgi_params;
include ${config.services.nginx.package}/conf/fastcgi.conf;
fastcgi_index index.php;
fastcgi_pass unix:${config.services.phpfpm.pools.roundcube.socket};
}
'';
};
};
}

View File

@ -5,7 +5,6 @@ from smtplib import SMTP_SSL as SMTP
import synapse
from synapse import module_api
import re
class SMTPAuthProvider:
def __init__(self, config: dict, api: module_api):
@ -28,10 +27,6 @@ class SMTPAuthProvider:
if login_type != "m.login.password":
return None
# Convert `@username:server` to `username`
match = re.match(r'^@([\da-z\-\.=_\/\+]+):[\w\d\.:\[\]]+$', username)
username = match.group(1) if match else username
result = False
with SMTP(self.config["smtp_host"]) as smtp:
password = login_dict.get("password")

View File

@ -216,19 +216,7 @@ in {
services.redis.servers."".enable = true;
services.nginx.virtualHosts."matrix.pvv.ntnu.no" = lib.mkMerge [
({
locations."/.well-known/matrix/server" = {
return = ''
200 '{"m.server": "matrix.pvv.ntnu.no:443"}'
'';
extraConfig = ''
default_type application/json;
add_header Access-Control-Allow-Origin *;
'';
};
})
({
services.nginx.virtualHosts."matrix.pvv.ntnu.no" = lib.mkMerge [({
locations = let
connectionInfo = w: matrix-lib.workerConnectionResource "metrics" w;
socketAddress = w: let c = connectionInfo w; in "${c.host}:${toString (c.port)}";

View File

@ -1,46 +0,0 @@
{ config, pkgs, values, ... }:
{
imports = [
# Include the results of the hardware scan.
./hardware-configuration.nix
../../base.nix
../../misc/metrics-exporters.nix
./disks.nix
../../misc/builder.nix
];
sops.defaultSopsFile = ../../secrets/bob/bob.yaml;
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
sops.age.keyFile = "/var/lib/sops-nix/key.txt";
sops.age.generateKey = true;
boot.loader.grub = {
enable = true;
efiSupport = true;
efiInstallAsRemovable = true;
};
networking.hostName = "bob"; # Define your hostname.
systemd.network.networks."30-all" = values.defaultNetworkConfig // {
matchConfig.Name = "en*";
DHCP = "yes";
gateway = [ ];
};
# List packages installed in system profile
environment.systemPackages = with pkgs; [
];
# List services that you want to enable:
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "23.05"; # Did you read the comment?
}

View File

@ -1,39 +0,0 @@
# Example to create a bios compatible gpt partition
{ lib, ... }:
{
disko.devices = {
disk.disk1 = {
device = lib.mkDefault "/dev/sda";
type = "disk";
content = {
type = "gpt";
partitions = {
boot = {
name = "boot";
size = "1M";
type = "EF02";
};
esp = {
name = "ESP";
size = "500M";
type = "EF00";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
};
};
root = {
name = "root";
size = "100%";
content = {
type = "filesystem";
format = "ext4";
mountpoint = "/";
};
};
};
};
};
};
}

View File

@ -1,24 +0,0 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_blk" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.ens3.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
}

View File

@ -6,7 +6,7 @@
../../base.nix
../../misc/metrics-exporters.nix
./services/grzegorz.nix
../../modules/grzegorz.nix
];
boot.loader.systemd-boot.enable = true;

View File

@ -1,11 +0,0 @@
{ config, ... }:
{
imports = [ ../../../modules/grzegorz.nix ];
services.nginx.virtualHosts."${config.networking.fqdn}" = {
serverAliases = [
"bokhylle.pvv.ntnu.no"
"bokhylle.pvv.org"
];
};
}

View File

@ -1,50 +0,0 @@
{ config, pkgs, values, ... }:
{
imports = [
# Include the results of the hardware scan.
./hardware-configuration.nix
../../base.nix
../../misc/metrics-exporters.nix
./services/openvpn-client.nix
];
# buskerud does not support efi?
# boot.loader.systemd-boot.enable = true;
# boot.loader.efi.canTouchEfiVariables = true;
boot.loader.grub.enable = true;
boot.loader.grub.device = "/dev/sda";
networking.hostName = "buskerud";
networking.search = [ "pvv.ntnu.no" "pvv.org" ];
networking.nameservers = [ "129.241.0.200" "129.241.0.201" ];
networking.tempAddresses = "disabled";
systemd.network.networks."enp3s0f0" = values.defaultNetworkConfig // {
matchConfig.Name = "enp3s0f0";
address = with values.hosts.buskerud; [ (ipv4 + "/25") (ipv6 + "/64") ];
};
# Buskerud should use the default gateway received from DHCP
networking.interfaces.enp14s0f1.useDHCP = true;
# networking.interfaces.tun = {
# virtual = true;
# ipv4.adresses = [ {address="129.241.210.252"; prefixLength=25; } ];
# };
# List packages installed in system profile
environment.systemPackages = with pkgs; [
];
# List services that you want to enable:
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "23.05"; # Did you read the comment?
}

View File

@ -1,37 +0,0 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "uhci_hcd" "ehci_pci" "ata_piix" "hpsa" "usb_storage" "usbhid" "sd_mod" "sr_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/ed9654fe-575a-4fb3-b6ff-1b059479acff";
fsType = "ext4";
};
swapDevices = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp14s0f0.useDHCP = lib.mkDefault true;
# networking.interfaces.enp14s0f1.useDHCP = lib.mkDefault true;
# networking.interfaces.enp3s0f0.useDHCP = lib.mkDefault true;
# networking.interfaces.enp3s0f1.useDHCP = lib.mkDefault true;
# networking.interfaces.enp4s0f0.useDHCP = lib.mkDefault true;
# networking.interfaces.enp4s0f1.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

View File

@ -1,109 +0,0 @@
{ lib, values, ... }:
{
services.openvpn.servers."ov-tunnel" = {
config = let
conf = {
# TODO: use aliases
client = true;
dev = "tap";
proto = "udp";
#remote = "129.241.210.253 1194";
remote = "129.241.210.191 1194";
resolv-retry = "infinite";
nobind = true;
ca = "/etc/openvpn/ca.pem";
cert = "/etc/openvpn/crt.pem";
key = "/etc/openvpn/key.pem";
remote-cert-tls = "server";
cipher = "none";
user = "nobody";
group = "nobody";
status = "/var/log/openvpn-status.log";
persist-key = true;
persist-tun = true;
verb = 5;
# script-security = 2;
# up = "systemctl restart rwhod";
};
in lib.pipe conf [
(lib.filterAttrs (_: value: !(builtins.isNull value || value == false)))
(builtins.mapAttrs (_: value:
if builtins.isList value then builtins.concatStringsSep " " (map toString value)
else if value == true then value
else if builtins.any (f: f value) [
builtins.isString
builtins.isInt
builtins.isFloat
lib.isPath
lib.isDerivation
] then toString value
else throw "Unknown value in buskerud openvpn config, deading now\n${value}"
))
(lib.mapAttrsToList (name: value: if value == true then name else "${name} ${value}"))
(builtins.concatStringsSep "\n")
(x: x + "\n\n")
];
};
systemd.network.networks."enp14s0f1" = {
matchConfig.Name = "enp14s0f1";
networkConfig = {
DefaultRouteOnDevice = true;
};
routes = [
{ routeConfig = {
Type = "unicast";
Destination = values.hosts.knutsen.ipv4 + "/32";
Metric = 50;
};
}
];
};
systemd.network.netdevs."br0" = {
netdevConfig = {
Kind = "bridge";
Name = "br0";
};
};
systemd.network.networks."br0" = {
matchConfig.Name = "br0";
routes = [
{ routeConfig = {
Type = "unicast";
Destination = values.ipv4-space;
Metric = 100;
};
}
];
};
systemd.network.networks."enp3s0f0" = {
matchConfig.Name = "enp3s0f0";
networkConfig.DefaultRouteOnDevice = false;
};
systemd.network.networks."enp3s0f1" = {
matchConfig.Name = "enp3s0f1";
bridge = [ "br0" ];
};
systemd.network.networks."tap0" = {
matchConfig.Name = "tap0";
bridge = [ "br0" ];
};
#networking.nat = {
# enable = true;
# externalInterface = "enp14s0f1";
# internalInterfaces = [ "tun" ];
#};
}

View File

@ -1,4 +1,4 @@
{ config, ... }: let
{ config, unstable, ... }: let
cfg = config.services.prometheus;
in {
sops.secrets."config/mysqld_exporter" = { };

View File

@ -1,5 +0,0 @@
{ ... }:
{
nix.settings.trusted-users = [ "@nix-builder-users" ];
}

View File

@ -0,0 +1,74 @@
#!/usr/bin/env python3
from stockfish import *
from inputimeout import inputimeout
import time
from datetime import datetime
import random
thinking_time = 1000
game = Stockfish(path="./stockfish", depth=15, parameters={"Threads": 1, "Minimum Thinking Time": thinking_time, "UCI_Chess960": True})
def create_random_position():
pos = "/pppppppp/8/8/8/8/PPPPPPPP/"
rank8 = ["r","r","b","q","k","b","n","n"]
while rank8.index("k") < [i for i, n in enumerate(rank8) if n == "r"][0] or rank8.index("k") > [i for i, n in enumerate(rank8) if n == "r"][1] or [i for i, n in enumerate(rank8) if n == "b"][0] % 2 == [i for i, n in enumerate(rank8) if n == "b"][1] % 2:
random.seed(datetime.now().microsecond)
random.shuffle(rank8)
rank1 = [c.upper() for c in rank8]
pos = "".join(rank8) + pos + "".join(rank1) + " w KQkq - 0 1"
game.set_fen_position(pos)
def player_won():
with open("flag.txt") as file:
flag = file.read()
print(flag)
exit()
def get_fast_player_move():
try:
time_over = inputimeout(prompt='Your move: ', timeout=5)
except Exception:
time_over = 'Too slow, you lost!'
print(time_over)
exit()
return time_over
def check_game_status():
evaluation = game.get_evaluation()
turn = game.get_fen_position().split(" ")[1]
if evaluation["type"] == "mate" and evaluation["value"] == 0 and turn == "w":
print("Wow, you beat me!")
player_won()
elif evaluation["type"] == "mate" and evaluation["value"] == 0 and turn == "b":
print("Hah, I won again")
exit()
if evaluation["type"] == "draw":
print("It's a draw!")
print("Impressive, but I am still undefeated.")
exit()
if __name__ == "__main__":
create_random_position()
print("Welcome to fischer chess.\nYou get 5 seconds per move. Good luck")
print(game.get_board_visual())
print("Heres the position for this game, Ill give you a few seconds to look at it before we start.")
time.sleep(3)
while True:
server_move = game.get_best_move_time(thinking_time)
game.make_moves_from_current_position([server_move])
check_game_status()
print(game.get_board_visual())
print(f"My move: {server_move}")
player_move = get_fast_player_move()
if type(player_move) != str or len([player_move]) != 1:
print("Illegal input")
exit()
try:
game.make_moves_from_current_position([player_move])
check_game_status()
except:
print("Couldn't comprehend that")
exit()

View File

@ -0,0 +1,108 @@
{ config, pkgs, lib, ... }: let
stockfish = with pkgs.python3Packages; buildPythonPackage rec {
pname = "stockfish";
version = "3.28.0";
disabled = pythonOlder "3.7";
src = pkgs.fetchFromGitHub {
owner = "zhelyabuzhsky";
repo = pname;
rev = version;
hash = "sha256-XLgVjLV2QXeTYPjP/lwc0LH850LKJsymFlrAMkAn8HU=";
};
format = "setuptools";
nativeBuildInputs = [
setuptools
];
propagatedBuildInputs = [
pytest-runner
];
doCheck = false;
};
inputimeout = with pkgs.python3Packages; buildPythonPackage rec {
pname = "inputimeout";
version = "1.0.4";
src = pkgs.fetchFromGitHub {
owner = "johejo";
repo = pname;
rev = "v${version}";
hash = "sha256-Fh1CaqJOK58nURt4imkhCmZKG2eJlP/Hi10SarUJ+Fs=";
};
format = "setuptools";
nativeBuildInputs = [ setuptools ];
doCheck = false;
};
script = pkgs.writers.writePython3 "chess" {
libraries = [
stockfish
inputimeout
];
# Fy!
flakeIgnore = [ "F403" "F405" "E231" "E265" "E302" "E305" "E501" "E722" ];
} (builtins.replaceStrings [''path="./stockfish"''] [''path="${pkgs.stockfish}/bin/stockfish"''] (builtins.readFile ./chess.py));
in
{
sops.secrets."keys/wackattack_ctf/flag" = { };
systemd.sockets."wackattack-ctf-stockfish" = {
description = "Save some azure credit for the rest of us";
partOf = [ "wackattack-ctf-stockfish.service" ];
wantedBy = [ "sockets.target" ];
socketConfig = {
ListenStream = "0.0.0.0:9999";
Accept = true;
};
};
systemd.services."wackattack-ctf-stockfish@" = {
description = "Save some azure credit for the rest of us";
after = [ "network.target" ];
requires = [ "wackattack-ctf-stockfish.socket" ];
wantedBy = [ "multi-user.target" ];
serviceConfig = {
Type = "simple";
DynamicUser = true;
WorkingDirectory = "%d";
Restart = "always";
StandardInput = "socket";
LoadCredential = "flag.txt:${config.sops.secrets."keys/wackattack_ctf/flag".path}";
Exec = script;
# systemd hardening go barr
ProcSubset = "pid";
ProtectProc = "invisible";
AmbientCapabilities = "";
CapabilityBoundingSet = "";
NoNewPrivileges = true;
ProtectSystem = "strict";
ProtectHome = true;
PrivateTmp = true;
PrivateDevices = true;
PrivateUsers = true;
ProtectHostname = true;
ProtectClock = true;
ProtectKernelTunables = true;
ProtectKernelModules = true;
ProtectKernelLogs = true;
ProtectControlGroups = true;
RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
RestrictNamespaces = true;
LockPersonality = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
RemoveIPC = true;
PrivateMounts = true;
SystemCallArchitectures = "native";
};
};
}

View File

@ -13,6 +13,9 @@ mediawiki:
database: ENC[AES256_GCM,data:EvVK3Mo6cZiIZS+gTxixU4r9SXN41VqwaWOtortZRNH+WPJ4xcYvzYMJNg==,iv:JtFTRLn3fzKIfgAPRqRgQjct7EdkEHtiyQKPy8/sZ2Q=,tag:nqzseG6BC0X5UNI/3kZZ3A==,type:str]
keycloak:
database: ENC[AES256_GCM,data:76+AZnNR5EiturTP7BdOCKE90bFFkfGlRtviSP5NHxPbb3RfFPJEMlwtzA==,iv:nS7VTossHdlrHjPeethhX+Ysp9ukrb5JD7kjG28OFpY=,tag:OMpiEv9nQA7v6lWJfNxEEw==,type:str]
keys:
wackattack_ctf:
flag: ENC[AES256_GCM,data:cZCaGb/u/OZgAvXnuJPL3XqmnIa26Rl2IUpWpG/fpt/dJ7+/KssXVa6A5G6ObQhF7deCmTxuoVP8JU+DQzYRr0ftvKhLJ87rgzrE3j+UkA==,iv:3uFkNqXlVj94klU20yPIUd8tIeyUIfp0++2wkdIkiYM=,tag:OZMyEt118u10F5vSUFZE7A==,type:str]
sops:
kms: []
gcp_kms: []
@ -46,8 +49,8 @@ sops:
akVjeTNTeGorZjJQOVlMeCtPRUVYL3MK+VMvGxrbzGz4Q3sdaDDWjal+OiK+JYKX
GHiMXVHQJZu/RrlxMjHKN6V3iaqxZpuvLAEJ2Lzy5EOHPtuiiRyeHQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-09-17T02:02:24Z"
mac: ENC[AES256_GCM,data:Lkvj9UOdE/WZtFReMs6n8ucFuJNPb76ZhPHFpYAEqYEe8d9FdMPMzq05DBAJe9IqpFS0jc9SWxJUPHfGgoMR8nPciZuR/mpJ+4s/cRkPbApwBPcLlvatE/qkbcxzoLlb1vN0gth5G/U7UEfk5Pp9gIz6Yo4sEIS3Za42tId1MpI=,iv:s3VELgU/RJ98/lbQV3vPtOLXtwFzB3KlY7bMKbAzp/g=,tag:D8s0XyGnd8UhbCseB/TyFg==,type:str]
lastmodified: "2023-10-26T19:59:04Z"
mac: ENC[AES256_GCM,data:uH0RfKBjjbYvxjl4XyoXWvwUpi+W7IQZjBdC5UoslotToTw0xnici2fKxPNZ9aFJsukLMPLC+tsT/shUqW373f/NyhsJt0Vb2YtuozFQyQstZQEpnm4WuVoFR/MEjAra/PaM4ATHSGgDuHa7qrpdKTLnrMOai5ZqxLfFbLws3dA=,iv:47hHzrnfZG5NtCN0HjziZdDBJTr451/kvY95GpB3G2M=,tag:3TCs7DSeWB6NujDUlQVGjA==,type:str]
pgp:
- created_at: "2023-05-21T00:28:40Z"
enc: |
@ -70,4 +73,4 @@ sops:
-----END PGP MESSAGE-----
fp: F7D37890228A907440E1FD4846B9228E814A2AAC
unencrypted_suffix: _unencrypted
version: 3.7.3
version: 3.8.1

View File

@ -3,17 +3,5 @@ pkgs.mkShell {
nativeBuildInputs = with pkgs; [
sops
gnupg
openstackclient
];
shellHook = ''
export OS_AUTH_URL=https://api.stack.it.ntnu.no:5000
export OS_PROJECT_ID=b78432a088954cdc850976db13cfd61c
export OS_PROJECT_NAME="STUDORG_Programvareverkstedet"
export OS_USER_DOMAIN_NAME="NTNU"
export OS_PROJECT_DOMAIN_ID="d3f99bcdaf974685ad0c74c2e5d259db"
export OS_REGION_NAME="NTNU-IT"
export OS_INTERFACE=public
export OS_IDENTITY_API_VERSION=3
'';
}

View File

@ -3,12 +3,7 @@
{
users.users.danio = {
isNormalUser = true;
extraGroups = [ "drift" "nix-builder-users" ];
extraGroups = [ "drift" ]; # Enable sudo for the user.
shell = pkgs.zsh;
openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCp8iMOx3eTiG5AmDh2KjKcigf7xdRKn9M7iZQ4RqP0np0UN2NUbu+VAMJmkWFyi3JpxmLuhszU0F1xY+3qM3ARduy1cs89B/bBE85xlOeYhcYVmpcgPR5xduS+TuHTBzFAgp+IU7/lgxdjcJ3PH4K0ruGRcX1xrytmk/vdY8IeSk3GVWDRrRbH6brO4cCCFjX0zJ7G6hBQueTPQoOy3jrUvgpRkzZY4ZCuljXtxbuX5X/2qWAkp8ca0iTQ5FzNA5JUyj+DWeEzjIEz6GrckOdV2LjWpT9+CtOqoPZOUudE1J9mJk4snNlMQjE06It7Kr50bpwoPqnxjo7ZjlHFLezl"
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDpGSDczzDOhTETCj+uB5e3/9QbOCaVW1knM+n1ey0n6LXH7uiPPmzuZiqfzmfbB1z4bjM2zpn3D6Et6zRCrBUjhTZqf/5GoNlvhVA6QYmBmBp98b8oY7juj5cmu55voxD0S5rC1mQMnWAAf8e8OPbkhs9Lt0XlOYdotLNIZQubzWqE2DK45g/h17ELJs+jkNXoalFjLvLXWzE/C+3pYoeNJVGHfVMTIwt7o64E6JXhxuYTYdSIuzd+BjntkSCXzcAzBFMRwkdlFVoBtLUMMcMQl39kcXv7lAQ8pv+8b1j1N9WuQVf1qEAcZguaimI1ifbXP5d841pZPApCj5KXectIEldfTrcwg8rZpd2UfYS/3XCcOuidBGprY7XsU/jz8wHbH68UjUrsLyaOMnG2ChYztnf63vm3gRs3Fc6FqTycpgYOPDeZBVTcMyPGgtiZvhnTeY20xFS5lK6M+dmgaDqH24kPLiwYSpUF2NK+Rg/2bZxvt/GaSr4U6fJGi3FCJOM= root@DanixLaptop"
];
};
}

View File

@ -1,12 +0,0 @@
{pkgs, ...}:
{
users.users.jonmro = {
isNormalUser = true;
extraGroups = [ "wheel" "drift" "nix-builder-users" ];
shell = pkgs.zsh;
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEm5PfYmfl/0fnAP/3coVlvTw3/TYNLT6r/NwJHZbLAK jonrodtang@gmail.com"
];
};
}

View File

@ -6,7 +6,6 @@
extraGroups = [
"wheel"
"drift"
"nix-builder-users"
];
packages = with pkgs; [

View File

@ -37,13 +37,6 @@ in rec {
ipv4 = pvv-ipv4 209;
ipv6 = pvv-ipv6 209;
};
bob = {
ipv4 = "129.241.152.254";
# ipv6 = ;
};
knutsen = {
ipv4 = pvv-ipv4 191;
};
shark = {
ipv4 = pvv-ipv4 196;
ipv6 = pvv-ipv6 196;
@ -56,10 +49,6 @@ in rec {
ipv4 = pvv-ipv4 204;
ipv6 = pvv-ipv6 "1:4f"; # Wtf øystein og daniel why
};
buskerud = {
ipv4 = pvv-ipv4 231;
ipv6 = pvv-ipv6 231;
};
};
defaultNetworkConfig = {