WIP: bekkalokk: setup nettsiden

README.MD

@@ -26,7 +26,7 @@ Det er sikkert lurt å lage en PR først om du ikke er vandt til nix enda.
 Innen 24h skal alle systemene hente ned den nye konfigurasjonen og deploye den.
 
 Du kan tvinge en maskin til å oppdatere seg før dette ved å kjøre:
-`nixos-rebuild switch --update-input nixpkgs --update-input nixpkgs-unstable --no-write-lock-file --refresh --flake git+https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git --upgrade`
+`nixos-rebuild switch --update-input nixpkgs --update-input unstable --no-write-lock-file --refresh --flake git+https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git --upgrade`
 
 som root på maskinen.
 

base.nix

@@ -32,7 +32,7 @@
     flake = "git+https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git";
     flags = [
       "--update-input" "nixpkgs"
-      "--update-input" "nixpkgs-unstable"
+      "--update-input" "unstable"
       "--no-write-lock-file"
     ];
   };
@@ -71,9 +71,6 @@
 
   users.groups."drift".name = "drift";
 
-  # Trusted users on the nix builder machines
-  users.groups."nix-builder-users".name = "nix-builder-users";
-
   services.openssh = {
     enable = true;
     extraConfig = ''

flake.lock

@@ -1,29 +1,9 @@
 {
   "nodes": {
-    "disko": {
-      "inputs": {
-        "nixpkgs": [
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1700927249,
-        "narHash": "sha256-iqmIWiEng890/ru7ZBf4nUezFPyRm2fjRTvuwwxqk2o=",
-        "owner": "nix-community",
-        "repo": "disko",
-        "rev": "3cb78c93e6a02f494aaf6aeb37481c27a2e2ee22",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-community",
-        "repo": "disko",
-        "type": "github"
-      }
-    },
     "grzegorz": {
       "inputs": {
         "nixpkgs": [
-          "nixpkgs-unstable"
+          "unstable"
         ]
       },
       "locked": {
@@ -65,33 +45,33 @@
         "nixpkgs-lib": "nixpkgs-lib"
       },
       "locked": {
-        "lastModified": 1697936579,
-        "narHash": "sha256-nMyepKnwoHMzu2OpXvG2ZhU081TV9ENmWCo0vWxs6AI=",
+        "lastModified": 1697420972,
+        "narHash": "sha256-eFDasOzXAN8VswUntNBBwvKFyVKFvmwRNNVTDfGdB3M=",
         "owner": "dali99",
         "repo": "nixos-matrix-modules",
-        "rev": "e09814657187c8ed1a5fe1646df6d8da1eb2dee9",
+        "rev": "1e370b96223b94d52006249a60033caaea605c65",
         "type": "github"
       },
       "original": {
         "owner": "dali99",
         "repo": "nixos-matrix-modules",
-        "rev": "e09814657187c8ed1a5fe1646df6d8da1eb2dee9",
         "type": "github"
       }
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1701362232,
-        "narHash": "sha256-GVdzxL0lhEadqs3hfRLuj+L1OJFGiL/L7gCcelgBlsw=",
+        "lastModified": 1697706247,
+        "narHash": "sha256-nWLggeUxn/l8JrcQr9f+RfnCXp8cn0BN568PjMJh9ko=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "d2332963662edffacfddfad59ff4f709dde80ffe",
+        "rev": "4ee5b576ac2861a818950aea99f609d7a6fc02a3",
         "type": "github"
       },
       "original": {
-        "id": "nixpkgs",
+        "owner": "NixOS",
         "ref": "nixos-23.05-small",
-        "type": "indirect"
+        "repo": "nixpkgs",
+        "type": "github"
       }
     },
     "nixpkgs-lib": {
@@ -111,11 +91,11 @@
     },
     "nixpkgs-stable": {
       "locked": {
-        "lastModified": 1700905716,
-        "narHash": "sha256-w1vHn2MbGfdC+CrP3xLZ3scsI06N0iQLU7eTHIVEFGw=",
+        "lastModified": 1697332183,
+        "narHash": "sha256-ACYvYsgLETfEI2xM1jjp8ZLVNGGC0onoCGe+69VJGGE=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "dfb95385d21475da10b63da74ae96d89ab352431",
+        "rev": "0e1cff585c1a85aeab059d3109f66134a8f76935",
         "type": "github"
       },
       "original": {
@@ -125,21 +105,6 @@
         "type": "github"
       }
     },
-    "nixpkgs-unstable": {
-      "locked": {
-        "lastModified": 1701368325,
-        "narHash": "sha256-3OqZyi2EdopJxpxwrySPyCTuCvfBY4oXTLVgQ4B6qDg=",
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "3934dbde4f4a0e266825348bc4ad1bdd00a8d6a3",
-        "type": "github"
-      },
-      "original": {
-        "id": "nixpkgs",
-        "ref": "nixos-unstable-small",
-        "type": "indirect"
-      }
-    },
     "pvv-calendar-bot": {
       "inputs": {
         "nixpkgs": [
@@ -162,14 +127,13 @@
     },
     "root": {
       "inputs": {
-        "disko": "disko",
         "grzegorz": "grzegorz",
         "grzegorz-clients": "grzegorz-clients",
         "matrix-next": "matrix-next",
         "nixpkgs": "nixpkgs",
-        "nixpkgs-unstable": "nixpkgs-unstable",
         "pvv-calendar-bot": "pvv-calendar-bot",
-        "sops-nix": "sops-nix"
+        "sops-nix": "sops-nix",
+        "unstable": "unstable"
       }
     },
     "sops-nix": {
@@ -180,11 +144,11 @@
         "nixpkgs-stable": "nixpkgs-stable"
       },
       "locked": {
-        "lastModified": 1701127353,
-        "narHash": "sha256-qVNX0wOl0b7+I35aRu78xUphOyELh+mtUp1KBx89K1Q=",
+        "lastModified": 1697339241,
+        "narHash": "sha256-ITsFtEtRbCBeEH9XrES1dxZBkE1fyNNUfIyQjQ2AYQs=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "b1edbf5c0464b4cced90a3ba6f999e671f0af631",
+        "rev": "51186b8012068c417dac7c31fb12861726577898",
         "type": "github"
       },
       "original": {
@@ -192,6 +156,22 @@
         "repo": "sops-nix",
         "type": "github"
       }
+    },
+    "unstable": {
+      "locked": {
+        "lastModified": 1697713104,
+        "narHash": "sha256-DN7YOyKMCpAVeZ44N42LrujtTkoerkS9+kTufQiuntY=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "6be2c349a30fcb489a3153dd331e9df387ab6449",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-unstable-small",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
     }
   },
   "root": "root",

flake.nix

@@ -2,28 +2,24 @@
   description = "PVV System flake";
 
   inputs = {
-    nixpkgs.url = "nixpkgs/nixos-23.05-small";
-    nixpkgs-unstable.url = "nixpkgs/nixos-unstable-small";
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-23.05-small";
+    unstable.url = "github:NixOS/nixpkgs/nixos-unstable-small";
 
     sops-nix.url = "github:Mic92/sops-nix";
     sops-nix.inputs.nixpkgs.follows = "nixpkgs";
 
-    disko.url = "github:nix-community/disko";
-    disko.inputs.nixpkgs.follows = "nixpkgs";
-
     pvv-calendar-bot.url = "git+https://git.pvv.ntnu.no/Projects/calendar-bot.git";
     pvv-calendar-bot.inputs.nixpkgs.follows = "nixpkgs";
 
-    # Last release compatible with 23.05
-    matrix-next.url = "github:dali99/nixos-matrix-modules/e09814657187c8ed1a5fe1646df6d8da1eb2dee9";
+    matrix-next.url = "github:dali99/nixos-matrix-modules";
 
     grzegorz.url = "github:Programvareverkstedet/grzegorz";
-    grzegorz.inputs.nixpkgs.follows = "nixpkgs-unstable";
+    grzegorz.inputs.nixpkgs.follows = "unstable";
     grzegorz-clients.url = "github:Programvareverkstedet/grzegorz-clients";
     grzegorz-clients.inputs.nixpkgs.follows = "nixpkgs";
   };
 
-  outputs = { self, nixpkgs, nixpkgs-unstable, sops-nix, disko, ... }@inputs:
+  outputs = { self, nixpkgs, matrix-next, pvv-calendar-bot, unstable, sops-nix, ... }@inputs:
   let
     nixlib = nixpkgs.lib;
     systems = [
@@ -46,7 +42,7 @@
         rec {
           system = "x86_64-linux";
           specialArgs = {
-            inherit nixpkgs-unstable inputs;
+            inherit unstable inputs;
             values = import ./values.nix;
           };
 
@@ -61,7 +57,7 @@
               (final: prev: {
                 mx-puppet-discord = prev.mx-puppet-discord.override { nodejs_14 = final.nodejs_18; };
               })
-              inputs.pvv-calendar-bot.overlays.${system}.default
+              pvv-calendar-bot.overlays.${system}.default
             ];
           };
         }
@@ -69,27 +65,18 @@
       );
 
       stableNixosConfig = nixosConfig nixpkgs;
-      unstableNixosConfig = nixosConfig nixpkgs-unstable;
+      unstableNixosConfig = nixosConfig unstable;
     in {
       bicep = stableNixosConfig "bicep" {
         modules = [
           ./hosts/bicep/configuration.nix
           sops-nix.nixosModules.sops
 
-          inputs.matrix-next.nixosModules.default
-          inputs.pvv-calendar-bot.nixosModules.default
+          matrix-next.nixosModules.default
+          pvv-calendar-bot.nixosModules.default
         ];
       };
       bekkalokk = stableNixosConfig "bekkalokk" { };
-      bob = stableNixosConfig "bob" {
-        modules = [
-          ./hosts/bob/configuration.nix
-          sops-nix.nixosModules.sops
-
-          disko.nixosModules.disko
-          { disko.devices.disk.disk1.device = "/dev/vda"; }
-        ];
-      };
       ildkule = stableNixosConfig "ildkule" { };
       #ildkule-unstable = unstableNixosConfig "ildkule" { };
       shark = stableNixosConfig "shark" { };
@@ -112,12 +99,6 @@
           inputs.grzegorz-clients.nixosModules.grzegorz-webui
         ];
       };
-      buskerud = stableNixosConfig "buskerud" {
-        modules = [
-          ./hosts/buskerud/configuration.nix
-          sops-nix.nixosModules.sops
-        ];
-      };
     };
 
     devShells = forAllSystems (system: {

hosts/bekkalokk/configuration.nix

@@ -5,14 +5,14 @@
 
     ../../base.nix
     ../../misc/metrics-exporters.nix
+    ../../modules/wackattack-ctf-stockfish
 
     #./services/keycloak.nix
 
     # TODO: set up authentication for the following:
-    # ./services/website.nix
-    ./services/nginx
+    ./services/website.nix
+    ./services/nginx.nix
     ./services/gitea/default.nix
-    ./services/webmail
     # ./services/mediawiki.nix
   ];
 

hosts/bekkalokk/services/nettsiden/default.nix

@@ -0,0 +1,6 @@
+{ pkgs, inputs, ... }:
+let
+in
+{
+  
+}

hosts/bekkalokk/services/nettsiden/package.nix

@@ -0,0 +1,53 @@
+{
+src,
+php82,
+php82Extensions,
+sqlite,
+git,
+...
+}:
+  pkgs.stdenvNoCC.mkDerivation {
+    pname = "nettsiden";
+    version = "0.1.0";
+    inherit src;
+
+    buildInputs = [
+      php82
+      (with php82Extensions; [
+        iconv
+        mbstring
+        pdo_mysql
+        pdo_sqlite
+      ])
+      sqlite
+      git
+    ];
+
+    buildPhase = ''
+      export PHPHOST=localhost
+      export PHPPORT=1080
+      alias runDev='php -S $PHPHOST:$PHPPORT -d error_reporting=E_ALL -d display_errors=1 -t www/'
+
+      # Prepare dev environment with sqlite and config files
+      test -e pvv.sqlite || sqlite3 pvv.sqlite < dist/pvv.sql
+      test -e sql_config.php || cp -v dist/sql_config_example.php sql_config.php
+
+      test -e dataporten_config.php || cp -v dist/dataporten_config.php dataporten_config.php
+
+      test -e composer.phar || curl -O https://getcomposer.org/composer.phar
+
+      if [ ! -f lib/OAuth2-Client/OAuth2Client.php ] ; then
+        echo Missing git submodules. Installing...
+        (set -x; git submodule update --init --recursive) || exit $?
+      fi
+
+      if [ ! -d vendor ] ; then
+        php composer.phar install || exit $?
+        cp -v dist/authsources_example.php vendor/simplesamlphp/simplesamlphp/config/authsources.php
+        cp -v dist/saml20-idp-remote.php vendor/simplesamlphp/simplesamlphp/metadata/saml20-idp-remote.php
+        cp -v vendor/simplesamlphp/simplesamlphp/config-templates/config.php vendor/simplesamlphp/simplesamlphp/config/config.php
+        sed -e "s/'trusted.url.domains' => array()/'trusted.url.domains' => array(\"$PHPHOST:$PHPPORT\")/g" < vendor/simplesamlphp/simplesamlphp/config-templates/config.php > vendor/simplesamlphp/simplesamlphp/config/config.php
+        ln -s ../vendor/simplesamlphp/simplesamlphp/www/ www/simplesaml
+      fi
+    '';
+  };

hosts/bekkalokk/services/nginx.nix

@@ -1,9 +1,5 @@
 { pkgs, config, ... }:
 {
-  imports = [
-    ./ingress.nix
-  ];
-
   security.acme = {
     acceptTerms = true;
     defaults.email = "drift@pvv.ntnu.no";

hosts/bekkalokk/services/nginx/ingress.nix

@@ -1,55 +0,0 @@
-{ config, lib, ... }:
-{
-  services.nginx.virtualHosts = {
-    "www2.pvv.ntnu.no" = {
-      serverAliases = [ "www2.pvv.org" "pvv.ntnu.no" "pvv.org" ];
-      addSSL = true;
-      enableACME = true;
-
-      locations = {
-        # Proxy home directories
-        "/~" = {
-          extraConfig = ''
-            proxy_redirect off;
-            proxy_pass https://tom.pvv.ntnu.no;
-            proxy_set_header Host $host;
-            proxy_set_header X-Real-IP $remote_addr;
-            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-            proxy_set_header X-Forwarded-Proto $scheme;
-          '';
-        };
-
-        # Redirect old wiki entries
-        "/disk".return = "301 https://www.pvv.ntnu.no/pvv/Diskkjøp";
-        "/dok/boker.php".return = "301 https://www.pvv.ntnu.no/pvv/Bokhyllen";
-        "/styret/lover/".return = "301 https://www.pvv.ntnu.no/pvv/Lover";
-        "/styret/".return = "301 https://www.pvv.ntnu.no/pvv/Styret";
-        "/info/".return = "301 https://www.pvv.ntnu.no/pvv/";
-        "/info/maskinpark/".return = "301 https://www.pvv.ntnu.no/pvv/Maskiner";
-        "/medlemssider/meldinn.php".return = "301 https://www.pvv.ntnu.no/pvv/Medlemskontingent";
-        "/diverse/medlems-sider.php".return = "301 https://www.pvv.ntnu.no/pvv/Medlemssider";
-        "/cert/".return = "301 https://www.pvv.ntnu.no/pvv/CERT";
-        "/drift".return = "301 https://www.pvv.ntnu.no/pvv/Drift";
-        "/diverse/abuse.php".return = "301 https://www.pvv.ntnu.no/pvv/CERT/Abuse";
-        "/nerds/".return = "301 https://www.pvv.ntnu.no/pvv/Nerdepizza";
-
-        # TODO: Redirect webmail
-        "/webmail".return = "301 https://webmail.pvv.ntnu.no/squirrelmail";
-
-        # Redirect everything else to the main website
-        "/".return = "301 https://www.pvv.ntnu.no$request_uri";
-
-        # Proxy the matrix well-known files
-        # Host has be set before proxy_pass
-        # The header must be set so nginx on the other side routes it to the right place
-        "/.well-known/matrix/" = {
-          extraConfig = ''
-            proxy_set_header Host matrix.pvv.ntnu.no;
-            proxy_pass https://matrix.pvv.ntnu.no/.well-known/matrix/;
-          '';
-        };
-      };
-    };
-  };
-}
-

hosts/bekkalokk/services/webmail/default.nix

@@ -1,15 +0,0 @@
-{ config, values, pkgs, lib, ... }:
-{
-  imports = [
-    ./roundcube.nix
-  ];
-
-  services.nginx.virtualHosts."webmail2.pvv.ntnu.no" = {
-    forceSSL = true;
-    enableACME = true;
-    #locations."/" = lib.mkForce { };
-    locations."= /" = {
-      return = "301 https://www.pvv.ntnu.no/mail/";
-    };
-  };
-}

hosts/bekkalokk/services/webmail/roundcube.nix

@@ -1,74 +0,0 @@
-{ config, pkgs, lib, ... }:
-
-with lib;
-let
-  cfg = config.services.roundcube;
-  domain = "webmail2.pvv.ntnu.no";
-in 
-{
-  services.roundcube = {
-    enable = true;
-
-    package = pkgs.roundcube.withPlugins (plugins: with plugins; [
-      persistent_login
-      thunderbird_labels
-      contextmenu
-      custom_from
-    ]);
-
-    dicts = with pkgs.aspellDicts; [ en en-science en-computers nb nn fr de it ];
-    maxAttachmentSize = 20;
-    hostName = "roundcubeplaceholder.example.com";
-
-    extraConfig = ''
-      $config['enable_installer'] = false;
-      $config['default_host'] = "ssl://imap.pvv.ntnu.no";
-      $config['default_port'] = 993;
-      $config['smtp_server'] = "ssl://smtp.pvv.ntnu.no";
-      $config['smtp_port'] = 465;
-      $config['mail_domain'] = "pvv.ntnu.no";
-      $config['smtp_user'] = "%u";
-      $config['support_url'] = "";
-    '';
-  };
-
-  services.nginx.virtualHosts."roundcubeplaceholder.example.com" = lib.mkForce { };
-
-  services.nginx.virtualHosts.${domain} = {
-    locations."/roundcube" = {
-      tryFiles = "$uri $uri/ =404";
-      index = "index.php";
-      root = pkgs.runCommandLocal "roundcube-dir" { } ''
-        mkdir -p $out
-        ln -s ${cfg.package} $out/roundcube
-      '';
-      extraConfig = ''
-        location ~ ^/roundcube/(${builtins.concatStringsSep "|" [
-        # https://wiki.archlinux.org/title/Roundcube
-        "README"
-        "INSTALL"
-        "LICENSE"
-        "CHANGELOG"
-        "UPGRADING"
-        "bin"
-        "SQL"
-        ".+\\.md"
-        "\\."
-        "config"
-        "temp"
-        "logs"
-        ]})/? {
-          deny all;
-        }
-
-        location ~ ^/roundcube/(.+\.php)(/?.*)$ {
-          fastcgi_split_path_info ^/roundcube(/.+\.php)(/.+)$;
-          include ${config.services.nginx.package}/conf/fastcgi_params;
-          include ${config.services.nginx.package}/conf/fastcgi.conf;
-          fastcgi_index index.php;
-          fastcgi_pass unix:${config.services.phpfpm.pools.roundcube.socket};
-        }
-      '';
-    };
-  };
-}

hosts/bicep/services/matrix/smtp-authenticator/smtp_auth_provider.py

@@ -5,7 +5,6 @@ from smtplib import SMTP_SSL as SMTP
 import synapse
 from synapse import module_api
 
-import re
 
 class SMTPAuthProvider:
     def __init__(self, config: dict, api: module_api):
@@ -28,10 +27,6 @@ class SMTPAuthProvider:
         if login_type != "m.login.password":
             return None
 
-        # Convert `@username:server` to `username`
-        match = re.match(r'^@([\da-z\-\.=_\/\+]+):[\w\d\.:\[\]]+$', username)
-        username = match.group(1) if match else username
-
         result = False
         with SMTP(self.config["smtp_host"]) as smtp:
             password = login_dict.get("password")

hosts/bicep/services/matrix/synapse.nix

@@ -216,19 +216,7 @@ in {
 
   services.redis.servers."".enable = true;
   
-  services.nginx.virtualHosts."matrix.pvv.ntnu.no" = lib.mkMerge [
-  ({
-    locations."/.well-known/matrix/server" = {
-      return = ''
-        200 '{"m.server": "matrix.pvv.ntnu.no:443"}'
-      '';
-      extraConfig = ''
-        default_type application/json;
-        add_header Access-Control-Allow-Origin *;
-      '';
-    };
-  })
-  ({
+  services.nginx.virtualHosts."matrix.pvv.ntnu.no" = lib.mkMerge [({
     locations = let
       connectionInfo = w: matrix-lib.workerConnectionResource "metrics" w;
       socketAddress = w: let c = connectionInfo w; in "${c.host}:${toString (c.port)}";

hosts/bob/configuration.nix

@@ -1,46 +0,0 @@
-{ config, pkgs, values, ... }:
-{
-  imports = [
-      # Include the results of the hardware scan.
-      ./hardware-configuration.nix
-      ../../base.nix
-      ../../misc/metrics-exporters.nix
-      ./disks.nix
-
-      ../../misc/builder.nix
-    ];
-
-  sops.defaultSopsFile = ../../secrets/bob/bob.yaml;
-  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
-  sops.age.keyFile = "/var/lib/sops-nix/key.txt";
-  sops.age.generateKey = true;
-
-  boot.loader.grub = {
-    enable = true;
-    efiSupport = true;
-    efiInstallAsRemovable = true;
-  };
-
-  networking.hostName = "bob"; # Define your hostname.
-
-  systemd.network.networks."30-all" = values.defaultNetworkConfig // {
-    matchConfig.Name = "en*";
-    DHCP = "yes";
-    gateway = [ ];
-  };
-
-  # List packages installed in system profile
-  environment.systemPackages = with pkgs; [
-  ];
-
-  # List services that you want to enable:
-
-  # This value determines the NixOS release from which the default
-  # settings for stateful data, like file locations and database versions
-  # on your system were taken. It‘s perfectly fine and recommended to leave
-  # this value at the release version of the first install of this system.
-  # Before changing this value read the documentation for this option
-  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
-  system.stateVersion = "23.05"; # Did you read the comment?
-
-}

hosts/bob/disks.nix

@@ -1,39 +0,0 @@
-# Example to create a bios compatible gpt partition
-{ lib, ... }:
-{
-  disko.devices = {
-    disk.disk1 = {
-      device = lib.mkDefault "/dev/sda";
-      type = "disk";
-      content = {
-        type = "gpt";
-        partitions = {
-          boot = {
-            name = "boot";
-            size = "1M";
-            type = "EF02";
-          };
-          esp = {
-            name = "ESP";
-            size = "500M";
-            type = "EF00";
-            content = {
-              type = "filesystem";
-              format = "vfat";
-              mountpoint = "/boot";
-            };
-          };
-          root = {
-            name = "root";
-            size = "100%";
-            content = {
-              type = "filesystem";
-              format = "ext4";
-              mountpoint = "/";
-            };
-          };
-        };
-      };
-    };
-  };
-}

hosts/bob/hardware-configuration.nix

@@ -1,24 +0,0 @@
-# Do not modify this file!  It was generated by ‘nixos-generate-config’
-# and may be overwritten by future invocations.  Please make changes
-# to /etc/nixos/configuration.nix instead.
-{ config, lib, pkgs, modulesPath, ... }:
-
-{
-  imports =
-    [ (modulesPath + "/profiles/qemu-guest.nix")
-    ];
-
-  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_blk" ];
-  boot.initrd.kernelModules = [ ];
-  boot.kernelModules = [ ];
-  boot.extraModulePackages = [ ];
-
-  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
-  # (the default) this is the recommended approach. When using systemd-networkd it's
-  # still possible to use this option, but it's recommended to use it in conjunction
-  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
-  networking.useDHCP = lib.mkDefault true;
-  # networking.interfaces.ens3.useDHCP = lib.mkDefault true;
-
-  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
-}

hosts/brzeczyszczykiewicz/configuration.nix

@@ -6,7 +6,7 @@
       ../../base.nix
       ../../misc/metrics-exporters.nix
 
-      ./services/grzegorz.nix
+      ../../modules/grzegorz.nix
     ];
 
   boot.loader.systemd-boot.enable = true;

hosts/brzeczyszczykiewicz/services/grzegorz.nix

@@ -1,11 +0,0 @@
-{ config, ... }:
-{
-  imports = [ ../../../modules/grzegorz.nix ];
-
-  services.nginx.virtualHosts."${config.networking.fqdn}" = {
-    serverAliases = [
-      "bokhylle.pvv.ntnu.no"
-      "bokhylle.pvv.org"
-    ];
-  };
-}

hosts/buskerud/configuration.nix

@@ -1,50 +0,0 @@
-{ config, pkgs, values, ... }:
-{
-  imports = [
-      # Include the results of the hardware scan.
-      ./hardware-configuration.nix
-      ../../base.nix
-      ../../misc/metrics-exporters.nix
-
-      ./services/openvpn-client.nix
-    ];
-
-  # buskerud does not support efi?
-  # boot.loader.systemd-boot.enable = true;
-  # boot.loader.efi.canTouchEfiVariables = true;
-  boot.loader.grub.enable = true;
-  boot.loader.grub.device = "/dev/sda";
-
-  networking.hostName = "buskerud";
-  networking.search = [ "pvv.ntnu.no" "pvv.org" ];
-  networking.nameservers = [ "129.241.0.200" "129.241.0.201" ];
-  networking.tempAddresses = "disabled";
-
-  systemd.network.networks."enp3s0f0" = values.defaultNetworkConfig // {
-    matchConfig.Name = "enp3s0f0";
-    address = with values.hosts.buskerud; [ (ipv4 + "/25") (ipv6 + "/64") ];
-  };
-
-  # Buskerud should use the default gateway received from DHCP
-  networking.interfaces.enp14s0f1.useDHCP = true;
-
-  # networking.interfaces.tun = {
-  #   virtual = true;
-  #   ipv4.adresses = [ {address="129.241.210.252"; prefixLength=25; } ];
-  # };
-
-  # List packages installed in system profile
-  environment.systemPackages = with pkgs; [
-  ];
-
-  # List services that you want to enable:
-
-  # This value determines the NixOS release from which the default
-  # settings for stateful data, like file locations and database versions
-  # on your system were taken. It‘s perfectly fine and recommended to leave
-  # this value at the release version of the first install of this system.
-  # Before changing this value read the documentation for this option
-  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
-  system.stateVersion = "23.05"; # Did you read the comment?
-
-}

hosts/buskerud/hardware-configuration.nix

@@ -1,37 +0,0 @@
-# Do not modify this file!  It was generated by ‘nixos-generate-config’
-# and may be overwritten by future invocations.  Please make changes
-# to /etc/nixos/configuration.nix instead.
-{ config, lib, pkgs, modulesPath, ... }:
-
-{
-  imports =
-    [ (modulesPath + "/installer/scan/not-detected.nix")
-    ];
-
-  boot.initrd.availableKernelModules = [ "uhci_hcd" "ehci_pci" "ata_piix" "hpsa" "usb_storage" "usbhid" "sd_mod" "sr_mod" ];
-  boot.initrd.kernelModules = [ ];
-  boot.kernelModules = [ "kvm-intel" ];
-  boot.extraModulePackages = [ ];
-
-  fileSystems."/" =
-    { device = "/dev/disk/by-uuid/ed9654fe-575a-4fb3-b6ff-1b059479acff";
-      fsType = "ext4";
-    };
-
-  swapDevices = [ ];
-
-  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
-  # (the default) this is the recommended approach. When using systemd-networkd it's
-  # still possible to use this option, but it's recommended to use it in conjunction
-  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
-  networking.useDHCP = lib.mkDefault true;
-  # networking.interfaces.enp14s0f0.useDHCP = lib.mkDefault true;
-  # networking.interfaces.enp14s0f1.useDHCP = lib.mkDefault true;
-  # networking.interfaces.enp3s0f0.useDHCP = lib.mkDefault true;
-  # networking.interfaces.enp3s0f1.useDHCP = lib.mkDefault true;
-  # networking.interfaces.enp4s0f0.useDHCP = lib.mkDefault true;
-  # networking.interfaces.enp4s0f1.useDHCP = lib.mkDefault true;
-
-  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
-  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
-}

hosts/buskerud/services/openvpn-client.nix

@@ -1,109 +0,0 @@
-{ lib, values, ... }:
-{
-  services.openvpn.servers."ov-tunnel" = {
-    config = let
-      conf = {
-        # TODO: use aliases
-        client = true;
-        dev = "tap";
-        proto = "udp";
-        #remote = "129.241.210.253 1194";
-        remote = "129.241.210.191 1194";
-
-        resolv-retry = "infinite";
-        nobind = true;
-
-        ca = "/etc/openvpn/ca.pem";
-        cert = "/etc/openvpn/crt.pem";
-        key = "/etc/openvpn/key.pem";
-        remote-cert-tls = "server";
-        cipher = "none";
-
-        user = "nobody";
-        group = "nobody";
-
-        status = "/var/log/openvpn-status.log";
-
-        persist-key = true;
-        persist-tun = true;
-
-        verb = 5;
-
-        # script-security = 2;
-        # up = "systemctl restart rwhod";
-      };
-    in lib.pipe conf [
-      (lib.filterAttrs (_: value: !(builtins.isNull value || value == false)))
-      (builtins.mapAttrs (_: value:
-        if builtins.isList value then builtins.concatStringsSep " " (map toString value)
-        else if value == true then value
-        else if builtins.any (f: f value) [
-          builtins.isString
-          builtins.isInt
-          builtins.isFloat
-          lib.isPath
-          lib.isDerivation
-        ] then toString value
-        else throw "Unknown value in buskerud openvpn config, deading now\n${value}"
-      ))
-      (lib.mapAttrsToList (name: value: if value == true then name else "${name} ${value}"))
-      (builtins.concatStringsSep "\n")
-      (x: x + "\n\n")
-    ];
-  };
-
-  systemd.network.networks."enp14s0f1" = {
-    matchConfig.Name = "enp14s0f1";
-    networkConfig = {
-      DefaultRouteOnDevice = true;
-    };
-    routes = [
-      { routeConfig = {
-          Type = "unicast";
-          Destination = values.hosts.knutsen.ipv4 + "/32";
-          Metric = 50;
-        };
-      }
-    ];
-  };
-
-  systemd.network.netdevs."br0" = {
-    netdevConfig = {
-      Kind = "bridge";
-      Name = "br0";
-    };
-  };
-
-  systemd.network.networks."br0" = {
-    matchConfig.Name = "br0";
-    routes = [
-      { routeConfig = {
-          Type = "unicast";
-          Destination = values.ipv4-space;
-          Metric = 100;
-        };
-      }
-    ];
-  };
-
-  systemd.network.networks."enp3s0f0" = {
-    matchConfig.Name = "enp3s0f0";
-    networkConfig.DefaultRouteOnDevice = false;
-  };
-
-  systemd.network.networks."enp3s0f1" = {
-    matchConfig.Name = "enp3s0f1";
-    bridge = [ "br0" ];
-  };
-
-  systemd.network.networks."tap0" = {
-    matchConfig.Name = "tap0";
-    bridge = [ "br0" ];
-  };
-
-  #networking.nat = {
-  #  enable = true;
-  #  externalInterface = "enp14s0f1";
-  #  internalInterfaces  = [ "tun" ];
-  #};
-}

hosts/ildkule/services/metrics/prometheus/mysqld.nix

@@ -1,4 +1,4 @@
-{ config, ... }: let
+{ config, unstable, ... }: let
   cfg = config.services.prometheus;
 in {
   sops.secrets."config/mysqld_exporter" = { };

misc/builder.nix

@@ -1,5 +0,0 @@
-{ ... }:
-
-{
-  nix.settings.trusted-users = [ "@nix-builder-users" ];
-}

modules/wackattack-ctf-stockfish/chess.py

@@ -0,0 +1,74 @@
+#!/usr/bin/env python3
+from stockfish import *
+from inputimeout import inputimeout
+import time
+from datetime import datetime
+import random
+
+thinking_time = 1000
+
+game = Stockfish(path="./stockfish", depth=15, parameters={"Threads": 1, "Minimum Thinking Time": thinking_time, "UCI_Chess960": True})
+
+def create_random_position():
+    pos = "/pppppppp/8/8/8/8/PPPPPPPP/"
+    rank8 = ["r","r","b","q","k","b","n","n"]
+
+    while rank8.index("k") < [i for i, n in enumerate(rank8) if n == "r"][0] or rank8.index("k") > [i for i, n in enumerate(rank8) if n == "r"][1] or [i for i, n in enumerate(rank8) if n == "b"][0] % 2 == [i for i, n in enumerate(rank8) if n == "b"][1] % 2:
+        random.seed(datetime.now().microsecond)
+        random.shuffle(rank8)
+
+    rank1 = [c.upper() for c in rank8]
+    pos = "".join(rank8) + pos + "".join(rank1) + " w KQkq - 0 1"
+    game.set_fen_position(pos)
+
+def player_won():
+    with open("flag.txt") as file:
+        flag = file.read()
+    print(flag)
+    exit()
+
+def get_fast_player_move():
+    try:
+        time_over = inputimeout(prompt='Your move: ', timeout=5)
+    except Exception:
+        time_over = 'Too slow, you lost!'
+        print(time_over)
+        exit()
+    return time_over
+
+def check_game_status():
+    evaluation = game.get_evaluation()
+    turn = game.get_fen_position().split(" ")[1]
+    if evaluation["type"] == "mate" and evaluation["value"] == 0 and turn == "w":
+        print("Wow, you beat me!")
+        player_won()
+    elif evaluation["type"] == "mate" and evaluation["value"] == 0 and turn == "b":
+        print("Hah, I won again")
+        exit()
+    if evaluation["type"] == "draw":
+        print("It's a draw!")
+        print("Impressive, but I am still undefeated.")
+        exit()
+
+if __name__ == "__main__":
+    create_random_position()
+    print("Welcome to fischer chess.\nYou get 5 seconds per move. Good luck")
+    print(game.get_board_visual())
+    print("Heres the position for this game, Ill give you a few seconds to look at it before we start.")
+    time.sleep(3)
+    while True:
+        server_move = game.get_best_move_time(thinking_time)
+        game.make_moves_from_current_position([server_move])
+        check_game_status()
+        print(game.get_board_visual())
+        print(f"My move: {server_move}")
+        player_move = get_fast_player_move()
+        if type(player_move) != str or len([player_move]) != 1:
+            print("Illegal input")
+            exit()
+        try:
+            game.make_moves_from_current_position([player_move])
+            check_game_status()
+        except:
+            print("Couldn't comprehend that")
+            exit()

modules/wackattack-ctf-stockfish/default.nix

@@ -0,0 +1,108 @@
+{ config, pkgs, lib, ... }: let
+  stockfish = with pkgs.python3Packages; buildPythonPackage rec {
+    pname = "stockfish";
+    version = "3.28.0";
+    disabled = pythonOlder "3.7";
+
+    src = pkgs.fetchFromGitHub {
+      owner = "zhelyabuzhsky";
+      repo = pname;
+      rev = version;
+      hash = "sha256-XLgVjLV2QXeTYPjP/lwc0LH850LKJsymFlrAMkAn8HU=";
+    };
+
+    format = "setuptools";
+    nativeBuildInputs = [
+      setuptools
+    ];
+
+    propagatedBuildInputs = [
+      pytest-runner
+    ];
+
+    doCheck = false;
+  };
+
+  inputimeout = with pkgs.python3Packages; buildPythonPackage rec {
+    pname = "inputimeout";
+    version = "1.0.4";
+    src = pkgs.fetchFromGitHub {
+      owner = "johejo";
+      repo = pname;
+      rev = "v${version}";
+      hash = "sha256-Fh1CaqJOK58nURt4imkhCmZKG2eJlP/Hi10SarUJ+Fs=";
+    };
+
+    format = "setuptools";
+    nativeBuildInputs = [ setuptools ];
+
+    doCheck = false;
+  };
+
+  script = pkgs.writers.writePython3 "chess" {
+    libraries = [
+      stockfish
+      inputimeout   
+    ];
+
+    # Fy!
+    flakeIgnore = [ "F403" "F405" "E231" "E265" "E302" "E305" "E501" "E722" ];
+  } (builtins.replaceStrings [''path="./stockfish"''] [''path="${pkgs.stockfish}/bin/stockfish"''] (builtins.readFile ./chess.py));
+in
+{
+  sops.secrets."keys/wackattack_ctf/flag" = { };
+
+  systemd.sockets."wackattack-ctf-stockfish" = {
+    description = "Save some azure credit for the rest of us";
+    partOf = [ "wackattack-ctf-stockfish.service" ];
+    wantedBy = [ "sockets.target" ];
+
+    socketConfig = {
+      ListenStream = "0.0.0.0:9999";
+      Accept = true;
+    };
+  };
+
+  systemd.services."wackattack-ctf-stockfish@" = {
+    description = "Save some azure credit for the rest of us";
+    after = [ "network.target" ];
+    requires = [ "wackattack-ctf-stockfish.socket" ];
+    wantedBy = [ "multi-user.target" ];
+    serviceConfig = {
+      Type = "simple";
+      DynamicUser = true;
+      WorkingDirectory = "%d";
+      Restart = "always";
+      StandardInput = "socket";
+      LoadCredential = "flag.txt:${config.sops.secrets."keys/wackattack_ctf/flag".path}";
+
+      Exec = script;
+
+      # systemd hardening go barr
+      ProcSubset = "pid";
+      ProtectProc = "invisible";
+      AmbientCapabilities = "";
+      CapabilityBoundingSet = "";
+      NoNewPrivileges = true;
+      ProtectSystem = "strict";
+      ProtectHome = true;
+      PrivateTmp = true;
+      PrivateDevices = true;
+      PrivateUsers = true;
+      ProtectHostname = true;
+      ProtectClock = true;
+      ProtectKernelTunables = true;
+      ProtectKernelModules = true;
+      ProtectKernelLogs = true;
+      ProtectControlGroups = true;
+      RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
+      RestrictNamespaces = true;
+      LockPersonality = true;
+      RestrictRealtime = true;
+      RestrictSUIDSGID = true;
+      RemoveIPC = true;
+      PrivateMounts = true;
+      SystemCallArchitectures = "native";
+    };
+  };
+}

secrets/bekkalokk/bekkalokk.yaml

@@ -13,6 +13,9 @@ mediawiki:
     database: ENC[AES256_GCM,data:EvVK3Mo6cZiIZS+gTxixU4r9SXN41VqwaWOtortZRNH+WPJ4xcYvzYMJNg==,iv:JtFTRLn3fzKIfgAPRqRgQjct7EdkEHtiyQKPy8/sZ2Q=,tag:nqzseG6BC0X5UNI/3kZZ3A==,type:str]
 keycloak:
     database: ENC[AES256_GCM,data:76+AZnNR5EiturTP7BdOCKE90bFFkfGlRtviSP5NHxPbb3RfFPJEMlwtzA==,iv:nS7VTossHdlrHjPeethhX+Ysp9ukrb5JD7kjG28OFpY=,tag:OMpiEv9nQA7v6lWJfNxEEw==,type:str]
+keys:
+    wackattack_ctf:
+        flag: ENC[AES256_GCM,data:cZCaGb/u/OZgAvXnuJPL3XqmnIa26Rl2IUpWpG/fpt/dJ7+/KssXVa6A5G6ObQhF7deCmTxuoVP8JU+DQzYRr0ftvKhLJ87rgzrE3j+UkA==,iv:3uFkNqXlVj94klU20yPIUd8tIeyUIfp0++2wkdIkiYM=,tag:OZMyEt118u10F5vSUFZE7A==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -46,8 +49,8 @@ sops:
             akVjeTNTeGorZjJQOVlMeCtPRUVYL3MK+VMvGxrbzGz4Q3sdaDDWjal+OiK+JYKX
             GHiMXVHQJZu/RrlxMjHKN6V3iaqxZpuvLAEJ2Lzy5EOHPtuiiRyeHQ==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-09-17T02:02:24Z"
-    mac: ENC[AES256_GCM,data:Lkvj9UOdE/WZtFReMs6n8ucFuJNPb76ZhPHFpYAEqYEe8d9FdMPMzq05DBAJe9IqpFS0jc9SWxJUPHfGgoMR8nPciZuR/mpJ+4s/cRkPbApwBPcLlvatE/qkbcxzoLlb1vN0gth5G/U7UEfk5Pp9gIz6Yo4sEIS3Za42tId1MpI=,iv:s3VELgU/RJ98/lbQV3vPtOLXtwFzB3KlY7bMKbAzp/g=,tag:D8s0XyGnd8UhbCseB/TyFg==,type:str]
+    lastmodified: "2023-10-26T19:59:04Z"
+    mac: ENC[AES256_GCM,data:uH0RfKBjjbYvxjl4XyoXWvwUpi+W7IQZjBdC5UoslotToTw0xnici2fKxPNZ9aFJsukLMPLC+tsT/shUqW373f/NyhsJt0Vb2YtuozFQyQstZQEpnm4WuVoFR/MEjAra/PaM4ATHSGgDuHa7qrpdKTLnrMOai5ZqxLfFbLws3dA=,iv:47hHzrnfZG5NtCN0HjziZdDBJTr451/kvY95GpB3G2M=,tag:3TCs7DSeWB6NujDUlQVGjA==,type:str]
     pgp:
         - created_at: "2023-05-21T00:28:40Z"
           enc: |
@@ -70,4 +73,4 @@ sops:
             -----END PGP MESSAGE-----
           fp: F7D37890228A907440E1FD4846B9228E814A2AAC
     unencrypted_suffix: _unencrypted
-    version: 3.7.3
+    version: 3.8.1

shell.nix

@@ -3,17 +3,5 @@ pkgs.mkShell {
   nativeBuildInputs = with pkgs; [
     sops
     gnupg
-    openstackclient
   ];
-
-  shellHook = ''
-    export OS_AUTH_URL=https://api.stack.it.ntnu.no:5000
-    export OS_PROJECT_ID=b78432a088954cdc850976db13cfd61c
-    export OS_PROJECT_NAME="STUDORG_Programvareverkstedet"
-    export OS_USER_DOMAIN_NAME="NTNU"
-    export OS_PROJECT_DOMAIN_ID="d3f99bcdaf974685ad0c74c2e5d259db"
-    export OS_REGION_NAME="NTNU-IT"
-    export OS_INTERFACE=public
-    export OS_IDENTITY_API_VERSION=3
-  '';
 }

users/danio.nix

@@ -3,12 +3,7 @@
 {
   users.users.danio = {
     isNormalUser = true;
-    extraGroups = [ "drift" "nix-builder-users" ];
+    extraGroups = [ "drift" ]; # Enable ‘sudo’ for the user.
     shell = pkgs.zsh;
-
-    openssh.authorizedKeys.keys = [
-      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCp8iMOx3eTiG5AmDh2KjKcigf7xdRKn9M7iZQ4RqP0np0UN2NUbu+VAMJmkWFyi3JpxmLuhszU0F1xY+3qM3ARduy1cs89B/bBE85xlOeYhcYVmpcgPR5xduS+TuHTBzFAgp+IU7/lgxdjcJ3PH4K0ruGRcX1xrytmk/vdY8IeSk3GVWDRrRbH6brO4cCCFjX0zJ7G6hBQueTPQoOy3jrUvgpRkzZY4ZCuljXtxbuX5X/2qWAkp8ca0iTQ5FzNA5JUyj+DWeEzjIEz6GrckOdV2LjWpT9+CtOqoPZOUudE1J9mJk4snNlMQjE06It7Kr50bpwoPqnxjo7ZjlHFLezl"
-      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDpGSDczzDOhTETCj+uB5e3/9QbOCaVW1knM+n1ey0n6LXH7uiPPmzuZiqfzmfbB1z4bjM2zpn3D6Et6zRCrBUjhTZqf/5GoNlvhVA6QYmBmBp98b8oY7juj5cmu55voxD0S5rC1mQMnWAAf8e8OPbkhs9Lt0XlOYdotLNIZQubzWqE2DK45g/h17ELJs+jkNXoalFjLvLXWzE/C+3pYoeNJVGHfVMTIwt7o64E6JXhxuYTYdSIuzd+BjntkSCXzcAzBFMRwkdlFVoBtLUMMcMQl39kcXv7lAQ8pv+8b1j1N9WuQVf1qEAcZguaimI1ifbXP5d841pZPApCj5KXectIEldfTrcwg8rZpd2UfYS/3XCcOuidBGprY7XsU/jz8wHbH68UjUrsLyaOMnG2ChYztnf63vm3gRs3Fc6FqTycpgYOPDeZBVTcMyPGgtiZvhnTeY20xFS5lK6M+dmgaDqH24kPLiwYSpUF2NK+Rg/2bZxvt/GaSr4U6fJGi3FCJOM= root@DanixLaptop"
-    ];
   };
 }

users/jonmro.nix

@@ -1,12 +0,0 @@
-{pkgs, ...}:
-
-{
-  users.users.jonmro = {
-    isNormalUser = true;
-    extraGroups = [ "wheel" "drift" "nix-builder-users" ]; 
-    shell = pkgs.zsh;
-    openssh.authorizedKeys.keys = [
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEm5PfYmfl/0fnAP/3coVlvTw3/TYNLT6r/NwJHZbLAK jonrodtang@gmail.com"
-    ];
-  };
-}

users/oysteikt.nix

@@ -6,7 +6,6 @@
     extraGroups = [
       "wheel"
       "drift"
-      "nix-builder-users"
     ];
 
     packages = with pkgs; [

values.nix

@@ -37,13 +37,6 @@ in rec {
       ipv4 = pvv-ipv4 209;
       ipv6 = pvv-ipv6 209;
     };
-    bob = {
-      ipv4 = "129.241.152.254";
-      # ipv6 = ;
-    };
-    knutsen = {
-      ipv4 = pvv-ipv4 191;
-    };
     shark = {
       ipv4 = pvv-ipv4 196;
       ipv6 = pvv-ipv6 196;
@@ -56,10 +49,6 @@ in rec {
       ipv4 = pvv-ipv4 204;
       ipv6 = pvv-ipv6 "1:4f"; # Wtf øystein og daniel why
     };
-    buskerud = {
-      ipv4 = pvv-ipv4 231;
-      ipv6 = pvv-ipv6 231;
-    };
   };
 
   defaultNetworkConfig = {