Update users/jonmro.nix

Added "drift" "nix-builder-users" groups
Merge pull request 'replace-knakelibrak-nginx-reverse-proxy' (#18 ) from replace-knakelibrak-nginx-reverse-proxy into main
2023-12-10 00:25:04 +01:00 · 2023-12-03 07:01:13 +01:00 · 2023-11-28 10:24:18 +01:00 · 2023-11-28 10:24:18 +01:00 · 2023-11-28 10:23:02 +01:00
5 changed files with 85 additions and 95 deletions
--- a/hosts/bekkalokk/configuration.nix
+++ b/hosts/bekkalokk/configuration.nix
@ -10,10 +10,10 @@
    # TODO: set up authentication for the following:
    # ./services/website.nix
-    ./services/nginx.nix
+    ./services/nginx
    ./services/gitea/default.nix
    ./services/webmail
-    ./services/mediawiki.nix
+    # ./services/mediawiki.nix
  ];
  sops.defaultSopsFile = ../../secrets/bekkalokk/bekkalokk.yaml;
--- a/hosts/bekkalokk/services/mediawiki.nix
+++ b/hosts/bekkalokk/services/mediawiki.nix
@ -1,4 +1,4 @@
-{ pkgs, lib, config, values, pkgs-unstable, ... }: let
+{ pkgs, lib, config, values, ... }: let
  cfg = config.services.mediawiki;
  # "mediawiki"
@ -13,7 +13,7 @@ in {
      owner = user;
      group = group;
    };
-    "mediawiki/database" = {
+    "keys/postgres/mediawiki" = {
      restartUnits = [ "mediawiki-init.service" "phpfpm-mediawiki.service" ];
      owner = user;
      group = group;
@ -30,7 +30,7 @@ in {
      type = "postgres";
      host = "postgres.pvv.ntnu.no";
      port = config.services.postgresql.port;
-      passwordFile = config.sops.secrets."mediawiki/database".path;
+      passwordFile = config.sops.secrets."keys/postgres/mediawiki".path;
      createLocally = false;
      # TODO: create a normal database and copy over old data when the service is production ready
      name = "mediawiki_test";
@ -61,45 +61,35 @@ in {
    extensions = {
      DeleteBatch = pkgs.fetchzip {
-        name = "mediawiki-delete-batch-source";
+        url = "https://extdist.wmflabs.org/dist/extensions/DeleteBatch-REL1_39-995ea6f.tar.gz";
-        url = "https://extdist.wmflabs.org/dist/extensions/DeleteBatch-REL1_40-4fe36dc.tar.gz";
+	sha256 = "sha256-0F4GLCy2f5WcWIY2YgF1tVxgYbglR0VOsj/pMrW93b8=";
 	hash = "sha256-jmRkjHFQR9cjPr1eBHVDLHm0xO4OPn9HYiYwrkBT/aA=";
      };
      UserMerge = pkgs.fetchzip {
-        name = "mediawiki-user-merge-source";
+        url = "https://extdist.wmflabs.org/dist/extensions/UserMerge-REL1_39-b10d50e.tar.gz";
-        url = "https://extdist.wmflabs.org/dist/extensions/UserMerge-REL1_40-7407806.tar.gz";
+	sha256 = "sha256-bXhj1+OlOUJDbvEuc8iwqb1LLEu6cN6+C/7cAvnWPOQ=";
 	hash = "sha256-NHAw79pDxjia46J5DIGV9AoF9UazSahT8DZgUUn/pQE=";
      };
      PluggableAuth = pkgs.fetchzip {
-        name = "mediawiki-pluggable-auth-source";
+        url = "https://extdist.wmflabs.org/dist/extensions/PluggableAuth-REL1_39-1210fc3.tar.gz";
-        url = "https://extdist.wmflabs.org/dist/extensions/PluggableAuth-REL1_40-eb10a76.tar.gz";
+	sha256 = "sha256-F6bTMCzkK3kZwZGIsNE87WlZWqXXmTMhEjApO99YKR0=";
 	hash = "sha256-GFmtQc0SeBpvI+7iHOVw77JR2h+hwPxo8+wZ9RED8a8=";
      };
      SimpleSAMLphp = pkgs.fetchzip {
-        name = "mediawiki-simple-saml-php-source";
+        url = "https://extdist.wmflabs.org/dist/extensions/SimpleSAMLphp-REL1_39-dcf0acb.tar.gz";
-        url = "https://extdist.wmflabs.org/dist/extensions/SimpleSAMLphp-REL1_40-8043943.tar.gz";
+        sha256 = "sha256-tCvFmb2+q2rxms+lRo5pgoI3h6GjCwXAR8XisPg03TQ=";
        hash = "sha256-HJHcrv/FNqPJegrHo4VPVjw0alkyHwetFZiLwjHsf6Y=";
      };
    };
    extraConfig = let
-      SimpleSAMLphpRepo = pkgs-unstable.php.buildComposerProject rec {
+
      SimpleSAMLphpRepo = pkgs.stdenvNoCC.mkDerivation rec {
        pname = "configuredSimpleSAML";
-	version = "2.1.0-rc1";
+	version = "2.0.4";
-        src = pkgs.fetchFromGitHub {
+        src = pkgs.fetchzip {
-          owner = "simplesamlphp";
+          url = "https://github.com/simplesamlphp/simplesamlphp/releases/download/v${version}/simplesamlphp-${version}.tar.gz";
-          repo = "simplesamlphp";
+          sha256 = "sha256-pfMV/VmqqxgtG7Nx4s8MW4tWSaxOkVPtCRJwxV6RDSE=";
          # name = "simple-saml-php-source";
          # url = "https://github.com/simplesamlphp/simplesamlphp/releases/download/v${version}/simplesamlphp-${version}.tar.gz";
          rev = "v${version}";
          hash = "sha256-E7S6T/EfuhNbe697OiklZ77wMRkOb/ABJXoL5MphMCY=";
        };
-        composerStrictValidation = false;
+	buildPhase = ''
-
+          cat > config/authsources.php << EOF
 	vendorHash = "sha256-vr9mWXN9v6tGNvPtxQ+pgf7OYj8dedzWfxt6Xw1nCm0=";
        configAuthsourcesPhp = ''
          <?php
          $config = array(
            'default-sp' => array(
@ -107,51 +97,11 @@ in {
              'idp' => 'https://idp.pvv.ntnu.no/',
            ),
          );
 	  EOF
 	'';
-        # TODO: this could be fetched automagically with these:
+	installPhase = ''
-        #   - https://simplesamlphp.org/docs/contrib_modules/metarefresh/simplesamlphp-automated_metadata.html
+	  cp -r . $out
        #   - https://idp.pvv.ntnu.no/simplesaml/saml2/idp/metadata.php
        metadataSaml20IdpRemotePhp = ''
          <?php
          $metadata['https://idp.pvv.ntnu.no/'] = array (
            'metadata-set' => 'saml20-idp-remote',
            'entityid' => 'https://idp.pvv.ntnu.no/',
            'SingleSignOnService' =>
            array (
              0 =>
              array (
                'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
                'Location' => 'https://idp.pvv.ntnu.no/simplesaml/saml2/idp/SSOService.php',
              ),
            ),
            'SingleLogoutService' =>
            array (
              0 =>
              array (
                'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
                'Location' => 'https://idp.pvv.ntnu.no/simplesaml/saml2/idp/SingleLogoutService.php',
              ),
            ),
            'certData' => 'pvvcert.pem',
            'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient',
          );
        '';
        pvvcert = ''
          MIIDpTCCAo2gAwIBAgIJAJIgibrB7NvsMA0GCSqGSIb3DQEBCwUAMGkxCzAJBgNVBAYTAk5PMR4wHAYDVQQKDBVQcm9ncmFtdmFyZXZlcmtzdGVkZXQxGDAWBgNVBAMMD2lkcC5wdnYubnRudS5ubzEgMB4GCSqGSIb3DQEJARYRZHJpZnRAcHZ2Lm50bnUubm8wHhcNMTcxMTEzMjI0NTQyWhcNMjcxMTEzMjI0NTQyWjBpMQswCQYDVQQGEwJOTzEeMBwGA1UECgwVUHJvZ3JhbXZhcmV2ZXJrc3RlZGV0MRgwFgYDVQQDDA9pZHAucHZ2Lm50bnUubm8xIDAeBgkqhkiG9w0BCQEWEWRyaWZ0QHB2di5udG51Lm5vMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAveLujCsgVCRA360y5yezy8FcSPhaqodggDqY12UTkYOMQLBFaph6uUL4oCUlXZqxScrAYVRt9yw+7BYpcm0p51VZzVCsfMxRVkn+O1eUvsaXq3f13f87QHKYP2f0uqkGf5PvnKIdSaI/ix8WJhD8XT+h0OkHEcaBvUtSG7zbEhvG21WPHwgw2rvZSneArQ8tOitZC0u8VXSfdhtf6ynRseo0xC95634UwQAZivhQ2v4A6Tp57QG5DCXIJ9/z3PkINx3KB/hOeh0EP6Dpbp+7V0/t9778E3whpm4llrH144kzROhA7EgUgkZOjAVjxGCYlcj3xQPnnItihVOZ5B5qLwIDAQABo1AwTjAdBgNVHQ4EFgQUPLhrB+Qb/Kzz7Car9GJkKmEkz6swHwYDVR0jBBgwFoAUPLhrB+Qb/Kzz7Car9GJkKmEkz6swDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAd+4E6t0j8/p8rbZE8y/gZ9GsiRhxkR4l6JbMRUfEpqHKi415qstChRcP2Lo3Yd5qdmj9tLDWoPsqet1QgyTTmQTgUmPhhMOQDqSh90LuqEJseKWafXGS/SfWLH6MWVmzDV5YofJEw2ThPiU58GiS06OLS2poq1eAesa2LQ22J8yYisXM4sxImIFte+LYQ1+1evfBWcvU1vrGsQ0VLJHdef9WoXp1swUFhq4Zk0c7gjHiB1CFVlExAAlk9L6W3CVXmKIYlf4eUnEBGkC061Ir42+uhAMWO9Y/L1NEuboTyd2KAI/6JdKdzpmfk7zPVxWlNxNCZ7OPNuvOKp6VlpB2EA==
        '';
        passAsFile = [
          "configAuthsourcesPhp"
          "metadataSaml20IdpRemotePhp"
          "pvvcert"
        ];
 	postPatch = ''
          install -Dm444 "$configAuthsourcesPhpPath" "config/authsources.php"
          install -Dm444 "$metadataSaml20IdpRemotePhpPath" "metadata/saml20-idp-remote.php"
          install -Dm444 "$pvvcertPath" "cert/pvvcert.pem"
 	'';
      };
@ -222,23 +172,4 @@ in {
    ${pkgs.php}/bin/php ${pkg}/share/mediawiki/maintenance/update.php --conf ${mediawikiConfig} --quick
  '';
  services.nginx.virtualHosts."bekkalokk.pvv.ntnu.no" = {
    forceSSL = true;
    enableACME = true;
    root = "${config.services.mediawiki.finalPackage}/share/mediawiki";
    locations =  {
      "/" = {
        extraConfig = ''
          fastcgi_split_path_info ^(.+\.php)(/.+)$;
          fastcgi_index index.php;
          fastcgi_pass unix:${config.services.phpfpm.pools.mediawiki.socket};
          include ${pkgs.nginx}/conf/fastcgi_params;
          include ${pkgs.nginx}/conf/fastcgi.conf;
        '';
      };
      "/images".root = config.services.mediawiki.uploadsDir;
    };
  };
 }
--- a/hosts/bekkalokk/services/nginx/default.nix
+++ b/hosts/bekkalokk/services/nginx/default.nix
@ -1,5 +1,9 @@
 { pkgs, config, ... }:
 {
  imports = [
    ./ingress.nix
  ];
  security.acme = {
    acceptTerms = true;
    defaults.email = "drift@pvv.ntnu.no";
--- a/hosts/bekkalokk/services/nginx/ingress.nix
+++ b/hosts/bekkalokk/services/nginx/ingress.nix
@ -0,0 +1,55 @@
 { config, lib, ... }:
 {
  services.nginx.virtualHosts = {
    "www2.pvv.ntnu.no" = {
      serverAliases = [ "www2.pvv.org" "pvv.ntnu.no" "pvv.org" ];
      addSSL = true;
      enableACME = true;
      locations = {
        # Proxy home directories
        "/~" = {
          extraConfig = ''
            proxy_redirect off;
            proxy_pass https://tom.pvv.ntnu.no;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
          '';
        };
        # Redirect old wiki entries
        "/disk".return = "301 https://www.pvv.ntnu.no/pvv/Diskkjøp";
        "/dok/boker.php".return = "301 https://www.pvv.ntnu.no/pvv/Bokhyllen";
        "/styret/lover/".return = "301 https://www.pvv.ntnu.no/pvv/Lover";
        "/styret/".return = "301 https://www.pvv.ntnu.no/pvv/Styret";
        "/info/".return = "301 https://www.pvv.ntnu.no/pvv/";
        "/info/maskinpark/".return = "301 https://www.pvv.ntnu.no/pvv/Maskiner";
        "/medlemssider/meldinn.php".return = "301 https://www.pvv.ntnu.no/pvv/Medlemskontingent";
        "/diverse/medlems-sider.php".return = "301 https://www.pvv.ntnu.no/pvv/Medlemssider";
        "/cert/".return = "301 https://www.pvv.ntnu.no/pvv/CERT";
        "/drift".return = "301 https://www.pvv.ntnu.no/pvv/Drift";
        "/diverse/abuse.php".return = "301 https://www.pvv.ntnu.no/pvv/CERT/Abuse";
        "/nerds/".return = "301 https://www.pvv.ntnu.no/pvv/Nerdepizza";
        # TODO: Redirect webmail
        "/webmail".return = "301 https://webmail.pvv.ntnu.no/squirrelmail";
        # Redirect everything else to the main website
        "/".return = "301 https://www.pvv.ntnu.no$request_uri";
        # Proxy the matrix well-known files
        # Host has be set before proxy_pass
        # The header must be set so nginx on the other side routes it to the right place
        "/.well-known/matrix/" = {
          extraConfig = ''
            proxy_set_header Host matrix.pvv.ntnu.no;
            proxy_pass https://matrix.pvv.ntnu.no/.well-known/matrix/;
          '';
        };
      };
    };
  };
 }
--- a/users/jonmro.nix
+++ b/users/jonmro.nix
@ -3,7 +3,7 @@
 {
  users.users.jonmro = {
    isNormalUser = true;
-    extraGroups = [ "wheel" ]; 
+    extraGroups = [ "wheel" "drift" "nix-builder-users" ]; 
    shell = pkgs.zsh;
    openssh.authorizedKeys.keys = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEm5PfYmfl/0fnAP/3coVlvTw3/TYNLT6r/NwJHZbLAK jonrodtang@gmail.com"
Author	SHA1	Message	Date
Jon Martinus Rodtang	0c816068fe	Update users/jonmro.nix Added "drift" "nix-builder-users" groups	2023-12-10 00:25:04 +01:00
Daniel Lovbrotte Olsen	d8031ecca1	Merge pull request 'replace-knakelibrak-nginx-reverse-proxy' (#18 ) from replace-knakelibrak-nginx-reverse-proxy into main Reviewed-on: Drift/pvv-nixos-config#18	2023-12-03 07:01:13 +01:00
Daniel Lovbrotte Olsen	1ef033c754	bekkalokk/ingress: proxy matrix well-known files to bicep	2023-11-28 10:24:18 +01:00
Felix Albrigtsen	d900dc1b1b	Redirect subpages like ./well-known, add @-domains	2023-11-28 10:24:18 +01:00
Oystein Kristoffer Tveit	d5985e02f3	Prepare to replace knakelibrak Co-authored-by: Felix Albrigtsen <felix@albrigtsen.it>	2023-11-28 10:23:02 +01:00