WIP: init buskerud/salsa

It's fixed now

README.MD

@@ -26,7 +26,7 @@ Det er sikkert lurt å lage en PR først om du ikke er vandt til nix enda.
 Innen 24h skal alle systemene hente ned den nye konfigurasjonen og deploye den.
 
 Du kan tvinge en maskin til å oppdatere seg før dette ved å kjøre:
-`nixos-rebuild switch --update-input nixpkgs --update-input unstable --no-write-lock-file --refresh --flake git+https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git --upgrade`
+`nixos-rebuild switch --update-input nixpkgs --update-input nixpkgs-unstable --no-write-lock-file --refresh --flake git+https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git --upgrade`
 
 som root på maskinen.
 

base.nix

@@ -32,7 +32,7 @@
     flake = "git+https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git";
     flags = [
       "--update-input" "nixpkgs"
-      "--update-input" "unstable"
+      "--update-input" "nixpkgs-unstable"
       "--no-write-lock-file"
     ];
   };
@@ -71,6 +71,9 @@
 
   users.groups."drift".name = "drift";
 
+  # Trusted users on the nix builder machines
+  users.groups."nix-builder-users".name = "nix-builder-users";
+
   services.openssh = {
     enable = true;
     extraConfig = ''

flake.lock

@@ -1,9 +1,29 @@
 {
   "nodes": {
+    "disko": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1709632354,
+        "narHash": "sha256-jxRHwqrtNze51WKFKvxlQ8Inf62UNRl5cFqEQ2V96vE=",
+        "owner": "nix-community",
+        "repo": "disko",
+        "rev": "0d11aa8d6431326e10b8656420f91085c3bd0b12",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "disko",
+        "type": "github"
+      }
+    },
     "grzegorz": {
       "inputs": {
         "nixpkgs": [
-          "unstable"
+          "nixpkgs-unstable"
         ]
       },
       "locked": {
@@ -45,11 +65,11 @@
         "nixpkgs-lib": "nixpkgs-lib"
       },
       "locked": {
-        "lastModified": 1697420972,
+        "lastModified": 1701507532,
-        "narHash": "sha256-eFDasOzXAN8VswUntNBBwvKFyVKFvmwRNNVTDfGdB3M=",
+        "narHash": "sha256-Zzv8OFB7iilzDGe6z2t/j8qRtR23TN3N8LssGsvRWEA=",
         "owner": "dali99",
         "repo": "nixos-matrix-modules",
-        "rev": "1e370b96223b94d52006249a60033caaea605c65",
+        "rev": "046194cdadc50d81255a9c57789381ed1153e2b1",
         "type": "github"
       },
       "original": {
@@ -60,18 +80,17 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1697706247,
+        "lastModified": 1709565521,
-        "narHash": "sha256-nWLggeUxn/l8JrcQr9f+RfnCXp8cn0BN568PjMJh9ko=",
+        "narHash": "sha256-YP3H7Lm3IhOKHIcn+qMCLRINJG313Io5CjvNTJyrnhY=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "4ee5b576ac2861a818950aea99f609d7a6fc02a3",
+        "rev": "9a5f1a573376eeb8c525f936eed32fabfb6e81be",
         "type": "github"
       },
       "original": {
-        "owner": "NixOS",
+        "id": "nixpkgs",
-        "ref": "nixos-23.05-small",
+        "ref": "nixos-23.11-small",
-        "repo": "nixpkgs",
+        "type": "indirect"
-        "type": "github"
       }
     },
     "nixpkgs-lib": {
@@ -91,20 +110,35 @@
     },
     "nixpkgs-stable": {
       "locked": {
-        "lastModified": 1697332183,
+        "lastModified": 1709428628,
-        "narHash": "sha256-ACYvYsgLETfEI2xM1jjp8ZLVNGGC0onoCGe+69VJGGE=",
+        "narHash": "sha256-//ZCCnpVai/ShtO2vPjh3AWgo8riXCaret6V9s7Hew4=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "0e1cff585c1a85aeab059d3109f66134a8f76935",
+        "rev": "66d65cb00b82ffa04ee03347595aa20e41fe3555",
         "type": "github"
       },
       "original": {
         "owner": "NixOS",
-        "ref": "release-23.05",
+        "ref": "release-23.11",
         "repo": "nixpkgs",
         "type": "github"
       }
     },
+    "nixpkgs-unstable": {
+      "locked": {
+        "lastModified": 1712963716,
+        "narHash": "sha256-WKm9CvgCldeIVvRz87iOMi8CFVB1apJlkUT4GGvA0iM=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "cfd6b5fc90b15709b780a5a1619695a88505a176",
+        "type": "github"
+      },
+      "original": {
+        "id": "nixpkgs",
+        "ref": "nixos-unstable-small",
+        "type": "indirect"
+      }
+    },
     "pvv-calendar-bot": {
       "inputs": {
         "nixpkgs": [
@@ -127,13 +161,14 @@
     },
     "root": {
       "inputs": {
+        "disko": "disko",
         "grzegorz": "grzegorz",
         "grzegorz-clients": "grzegorz-clients",
         "matrix-next": "matrix-next",
         "nixpkgs": "nixpkgs",
+        "nixpkgs-unstable": "nixpkgs-unstable",
         "pvv-calendar-bot": "pvv-calendar-bot",
-        "sops-nix": "sops-nix",
+        "sops-nix": "sops-nix"
-        "unstable": "unstable"
       }
     },
     "sops-nix": {
@@ -144,11 +179,11 @@
         "nixpkgs-stable": "nixpkgs-stable"
       },
       "locked": {
-        "lastModified": 1697339241,
+        "lastModified": 1709591996,
-        "narHash": "sha256-ITsFtEtRbCBeEH9XrES1dxZBkE1fyNNUfIyQjQ2AYQs=",
+        "narHash": "sha256-0sQcalXSgqlO6mnxBTXkSQChBHy2GQsokB1XY8r+LpQ=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "51186b8012068c417dac7c31fb12861726577898",
+        "rev": "291aad29b59ceda517a06e59809f35cb0bb17c6b",
         "type": "github"
       },
       "original": {
@@ -156,22 +191,6 @@
         "repo": "sops-nix",
         "type": "github"
       }
-    },
-    "unstable": {
-      "locked": {
-        "lastModified": 1697713104,
-        "narHash": "sha256-DN7YOyKMCpAVeZ44N42LrujtTkoerkS9+kTufQiuntY=",
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "6be2c349a30fcb489a3153dd331e9df387ab6449",
-        "type": "github"
-      },
-      "original": {
-        "owner": "NixOS",
-        "ref": "nixos-unstable-small",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
     }
   },
   "root": "root",

flake.nix

@@ -2,24 +2,27 @@
   description = "PVV System flake";
 
   inputs = {
-    nixpkgs.url = "github:NixOS/nixpkgs/nixos-23.05-small";
+    nixpkgs.url = "nixpkgs/nixos-23.11-small";
-    unstable.url = "github:NixOS/nixpkgs/nixos-unstable-small";
+    nixpkgs-unstable.url = "nixpkgs/nixos-unstable-small";
 
     sops-nix.url = "github:Mic92/sops-nix";
     sops-nix.inputs.nixpkgs.follows = "nixpkgs";
 
+    disko.url = "github:nix-community/disko";
+    disko.inputs.nixpkgs.follows = "nixpkgs";
+
     pvv-calendar-bot.url = "git+https://git.pvv.ntnu.no/Projects/calendar-bot.git";
     pvv-calendar-bot.inputs.nixpkgs.follows = "nixpkgs";
 
     matrix-next.url = "github:dali99/nixos-matrix-modules";
 
     grzegorz.url = "github:Programvareverkstedet/grzegorz";
-    grzegorz.inputs.nixpkgs.follows = "unstable";
+    grzegorz.inputs.nixpkgs.follows = "nixpkgs-unstable";
     grzegorz-clients.url = "github:Programvareverkstedet/grzegorz-clients";
     grzegorz-clients.inputs.nixpkgs.follows = "nixpkgs";
   };
 
-  outputs = { self, nixpkgs, matrix-next, pvv-calendar-bot, unstable, sops-nix, ... }@inputs:
+  outputs = { self, nixpkgs, nixpkgs-unstable, sops-nix, disko, ... }@inputs:
   let
     nixlib = nixpkgs.lib;
     systems = [
@@ -42,7 +45,7 @@
         rec {
           system = "x86_64-linux";
           specialArgs = {
-            inherit unstable inputs;
+            inherit nixpkgs-unstable inputs;
             values = import ./values.nix;
           };
 
@@ -54,10 +57,7 @@
           pkgs = import nixpkgs {
             inherit system;
             overlays = [
-              (final: prev: {
+              inputs.pvv-calendar-bot.overlays.${system}.default
-                mx-puppet-discord = prev.mx-puppet-discord.override { nodejs_14 = final.nodejs_18; };
-              })
-              pvv-calendar-bot.overlays.${system}.default
             ];
           };
         }
@@ -65,18 +65,27 @@
       );
 
       stableNixosConfig = nixosConfig nixpkgs;
-      unstableNixosConfig = nixosConfig unstable;
+      unstableNixosConfig = nixosConfig nixpkgs-unstable;
     in {
       bicep = stableNixosConfig "bicep" {
         modules = [
           ./hosts/bicep/configuration.nix
           sops-nix.nixosModules.sops
 
-          matrix-next.nixosModules.default
+          inputs.matrix-next.nixosModules.default
-          pvv-calendar-bot.nixosModules.default
+          inputs.pvv-calendar-bot.nixosModules.default
         ];
       };
       bekkalokk = stableNixosConfig "bekkalokk" { };
+      bob = stableNixosConfig "bob" {
+        modules = [
+          ./hosts/bob/configuration.nix
+          sops-nix.nixosModules.sops
+
+          disko.nixosModules.disko
+          { disko.devices.disk.disk1.device = "/dev/vda"; }
+        ];
+      };
       ildkule = stableNixosConfig "ildkule" { };
       #ildkule-unstable = unstableNixosConfig "ildkule" { };
       shark = stableNixosConfig "shark" { };
@@ -99,6 +108,12 @@
           inputs.grzegorz-clients.nixosModules.grzegorz-webui
         ];
       };
+      buskerud = stableNixosConfig "buskerud" {
+        modules = [
+          ./hosts/buskerud/configuration.nix
+          sops-nix.nixosModules.sops
+        ];
+      };
     };
 
     devShells = forAllSystems (system: {
@@ -108,12 +123,22 @@
     packages = {
       "x86_64-linux" = let
         pkgs = nixpkgs.legacyPackages."x86_64-linux";
+        pkgs-unstable = nixpkgs-unstable.legacyPackages."x86_64-linux";
       in rec {
         default = important-machines;
         important-machines = pkgs.linkFarm "important-machines"
           (nixlib.getAttrs importantMachines self.packages.x86_64-linux);
         all-machines = pkgs.linkFarm "all-machines"
           (nixlib.getAttrs allMachines self.packages.x86_64-linux);
+	heimdal = pkgs.callPackage hosts/buskerud/containers/salsa/services/heimdal/package.nix {
+          inherit (pkgs.apple_sdk.frameworks)
+            CoreFoundation Security SystemConfiguration;
+	};
+	heimdal-unstable = pkgs-unstable.callPackage hosts/buskerud/containers/salsa/services/heimdal/package.nix {
+          inherit (pkgs.apple_sdk.frameworks)
+            CoreFoundation Security SystemConfiguration;
+	};
+	inherit pkgs pkgs-unstable;
       } // nixlib.genAttrs allMachines
         (machine: self.nixosConfigurations.${machine}.config.system.build.toplevel);
     };

hosts/bekkalokk/configuration.nix

@@ -5,14 +5,14 @@
 
     ../../base.nix
     ../../misc/metrics-exporters.nix
-    ../../modules/wackattack-ctf-stockfish
 
     #./services/keycloak.nix
 
     # TODO: set up authentication for the following:
-    ./services/website.nix
+    # ./services/website.nix
-    ./services/nginx.nix
+    ./services/nginx
     ./services/gitea/default.nix
+    ./services/webmail
     # ./services/mediawiki.nix
   ];
 

hosts/bekkalokk/services/nettsiden/default.nix

@@ -1,6 +0,0 @@
-{ pkgs, inputs, ... }:
-let
-in
-{
-  
-}

hosts/bekkalokk/services/nettsiden/package.nix

@@ -1,53 +0,0 @@
-{
-src,
-php82,
-php82Extensions,
-sqlite,
-git,
-...
-}:
-  pkgs.stdenvNoCC.mkDerivation {
-    pname = "nettsiden";
-    version = "0.1.0";
-    inherit src;
-
-    buildInputs = [
-      php82
-      (with php82Extensions; [
-        iconv
-        mbstring
-        pdo_mysql
-        pdo_sqlite
-      ])
-      sqlite
-      git
-    ];
-
-    buildPhase = ''
-      export PHPHOST=localhost
-      export PHPPORT=1080
-      alias runDev='php -S $PHPHOST:$PHPPORT -d error_reporting=E_ALL -d display_errors=1 -t www/'
-
-      # Prepare dev environment with sqlite and config files
-      test -e pvv.sqlite || sqlite3 pvv.sqlite < dist/pvv.sql
-      test -e sql_config.php || cp -v dist/sql_config_example.php sql_config.php
-
-      test -e dataporten_config.php || cp -v dist/dataporten_config.php dataporten_config.php
-
-      test -e composer.phar || curl -O https://getcomposer.org/composer.phar
-
-      if [ ! -f lib/OAuth2-Client/OAuth2Client.php ] ; then
-        echo Missing git submodules. Installing...
-        (set -x; git submodule update --init --recursive) || exit $?
-      fi
-
-      if [ ! -d vendor ] ; then
-        php composer.phar install || exit $?
-        cp -v dist/authsources_example.php vendor/simplesamlphp/simplesamlphp/config/authsources.php
-        cp -v dist/saml20-idp-remote.php vendor/simplesamlphp/simplesamlphp/metadata/saml20-idp-remote.php
-        cp -v vendor/simplesamlphp/simplesamlphp/config-templates/config.php vendor/simplesamlphp/simplesamlphp/config/config.php
-        sed -e "s/'trusted.url.domains' => array()/'trusted.url.domains' => array(\"$PHPHOST:$PHPPORT\")/g" < vendor/simplesamlphp/simplesamlphp/config-templates/config.php > vendor/simplesamlphp/simplesamlphp/config/config.php
-        ln -s ../vendor/simplesamlphp/simplesamlphp/www/ www/simplesaml
-      fi
-    '';
-  };

hosts/bekkalokk/services/nginx/default.nix

@@ -1,5 +1,9 @@
 { pkgs, config, ... }:
 {
+  imports = [
+    ./ingress.nix
+  ];
+
   security.acme = {
     acceptTerms = true;
     defaults.email = "drift@pvv.ntnu.no";

hosts/bekkalokk/services/nginx/ingress.nix

@@ -0,0 +1,55 @@
+{ config, lib, ... }:
+{
+  services.nginx.virtualHosts = {
+    "www2.pvv.ntnu.no" = {
+      serverAliases = [ "www2.pvv.org" "pvv.ntnu.no" "pvv.org" ];
+      addSSL = true;
+      enableACME = true;
+
+      locations = {
+        # Proxy home directories
+        "/~" = {
+          extraConfig = ''
+            proxy_redirect off;
+            proxy_pass https://tom.pvv.ntnu.no;
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+          '';
+        };
+
+        # Redirect old wiki entries
+        "/disk".return = "301 https://www.pvv.ntnu.no/pvv/Diskkjøp";
+        "/dok/boker.php".return = "301 https://www.pvv.ntnu.no/pvv/Bokhyllen";
+        "/styret/lover/".return = "301 https://www.pvv.ntnu.no/pvv/Lover";
+        "/styret/".return = "301 https://www.pvv.ntnu.no/pvv/Styret";
+        "/info/".return = "301 https://www.pvv.ntnu.no/pvv/";
+        "/info/maskinpark/".return = "301 https://www.pvv.ntnu.no/pvv/Maskiner";
+        "/medlemssider/meldinn.php".return = "301 https://www.pvv.ntnu.no/pvv/Medlemskontingent";
+        "/diverse/medlems-sider.php".return = "301 https://www.pvv.ntnu.no/pvv/Medlemssider";
+        "/cert/".return = "301 https://www.pvv.ntnu.no/pvv/CERT";
+        "/drift".return = "301 https://www.pvv.ntnu.no/pvv/Drift";
+        "/diverse/abuse.php".return = "301 https://www.pvv.ntnu.no/pvv/CERT/Abuse";
+        "/nerds/".return = "301 https://www.pvv.ntnu.no/pvv/Nerdepizza";
+
+        # TODO: Redirect webmail
+        "/webmail".return = "301 https://webmail.pvv.ntnu.no/squirrelmail";
+
+        # Redirect everything else to the main website
+        "/".return = "301 https://www.pvv.ntnu.no$request_uri";
+
+        # Proxy the matrix well-known files
+        # Host has be set before proxy_pass
+        # The header must be set so nginx on the other side routes it to the right place
+        "/.well-known/matrix/" = {
+          extraConfig = ''
+            proxy_set_header Host matrix.pvv.ntnu.no;
+            proxy_pass https://matrix.pvv.ntnu.no/.well-known/matrix/;
+          '';
+        };
+      };
+    };
+  };
+}
+

hosts/bekkalokk/services/webmail/default.nix

@@ -0,0 +1,15 @@
+{ config, values, pkgs, lib, ... }:
+{
+  imports = [
+    ./roundcube.nix
+  ];
+
+  services.nginx.virtualHosts."webmail2.pvv.ntnu.no" = {
+    forceSSL = true;
+    enableACME = true;
+    #locations."/" = lib.mkForce { };
+    locations."= /" = {
+      return = "301 https://www.pvv.ntnu.no/mail/";
+    };
+  };
+}

hosts/bekkalokk/services/webmail/roundcube.nix

@@ -0,0 +1,74 @@
+{ config, pkgs, lib, ... }:
+
+with lib;
+let
+  cfg = config.services.roundcube;
+  domain = "webmail2.pvv.ntnu.no";
+in 
+{
+  services.roundcube = {
+    enable = true;
+
+    package = pkgs.roundcube.withPlugins (plugins: with plugins; [
+      persistent_login
+      thunderbird_labels
+      contextmenu
+      custom_from
+    ]);
+
+    dicts = with pkgs.aspellDicts; [ en en-science en-computers nb nn fr de it ];
+    maxAttachmentSize = 20;
+    hostName = "roundcubeplaceholder.example.com";
+
+    extraConfig = ''
+      $config['enable_installer'] = false;
+      $config['default_host'] = "ssl://imap.pvv.ntnu.no";
+      $config['default_port'] = 993;
+      $config['smtp_server'] = "ssl://smtp.pvv.ntnu.no";
+      $config['smtp_port'] = 465;
+      $config['mail_domain'] = "pvv.ntnu.no";
+      $config['smtp_user'] = "%u";
+      $config['support_url'] = "";
+    '';
+  };
+
+  services.nginx.virtualHosts."roundcubeplaceholder.example.com" = lib.mkForce { };
+
+  services.nginx.virtualHosts.${domain} = {
+    locations."/roundcube" = {
+      tryFiles = "$uri $uri/ =404";
+      index = "index.php";
+      root = pkgs.runCommandLocal "roundcube-dir" { } ''
+        mkdir -p $out
+        ln -s ${cfg.package} $out/roundcube
+      '';
+      extraConfig = ''
+        location ~ ^/roundcube/(${builtins.concatStringsSep "|" [
+        # https://wiki.archlinux.org/title/Roundcube
+        "README"
+        "INSTALL"
+        "LICENSE"
+        "CHANGELOG"
+        "UPGRADING"
+        "bin"
+        "SQL"
+        ".+\\.md"
+        "\\."
+        "config"
+        "temp"
+        "logs"
+        ]})/? {
+          deny all;
+        }
+
+        location ~ ^/roundcube/(.+\.php)(/?.*)$ {
+          fastcgi_split_path_info ^/roundcube(/.+\.php)(/.+)$;
+          include ${config.services.nginx.package}/conf/fastcgi_params;
+          include ${config.services.nginx.package}/conf/fastcgi.conf;
+          fastcgi_index index.php;
+          fastcgi_pass unix:${config.services.phpfpm.pools.roundcube.socket};
+        }
+      '';
+    };
+  };
+}

hosts/bicep/configuration.nix

@@ -12,7 +12,8 @@
     ./services/mysql.nix
     ./services/postgres.nix
     ./services/mysql.nix
-    ./services/calendar-bot.nix
+    # TODO: fix the calendar bot
+    # ./services/calendar-bot.nix
 
     ./services/matrix
   ];

hosts/bicep/services/matrix/smtp-authenticator/smtp_auth_provider.py

@@ -5,6 +5,7 @@ from smtplib import SMTP_SSL as SMTP
 import synapse
 from synapse import module_api
 
+import re
 
 class SMTPAuthProvider:
     def __init__(self, config: dict, api: module_api):
@@ -27,6 +28,10 @@ class SMTPAuthProvider:
         if login_type != "m.login.password":
             return None
 
+        # Convert `@username:server` to `username`
+        match = re.match(r'^@([\da-z\-\.=_\/\+]+):[\w\d\.:\[\]]+$', username)
+        username = match.group(1) if match else username
+
         result = False
         with SMTP(self.config["smtp_host"]) as smtp:
             password = login_dict.get("password")

hosts/bicep/services/matrix/synapse.nix

@@ -216,7 +216,19 @@ in {
 
   services.redis.servers."".enable = true;
   
-  services.nginx.virtualHosts."matrix.pvv.ntnu.no" = lib.mkMerge [({
+  services.nginx.virtualHosts."matrix.pvv.ntnu.no" = lib.mkMerge [
+  ({
+    locations."/.well-known/matrix/server" = {
+      return = ''
+        200 '{"m.server": "matrix.pvv.ntnu.no:443"}'
+      '';
+      extraConfig = ''
+        default_type application/json;
+        add_header Access-Control-Allow-Origin *;
+      '';
+    };
+  })
+  ({
     locations = let
       connectionInfo = w: matrix-lib.workerConnectionResource "metrics" w;
       socketAddress = w: let c = connectionInfo w; in "${c.host}:${toString (c.port)}";

hosts/bikkje/configuration.nix

@@ -0,0 +1,44 @@
+{ config, pkgs, values, ... }:
+{
+    networking.nat = {
+    enable = true;
+    internalInterfaces = ["ve-+"];
+    externalInterface = "ens3";
+    # Lazy IPv6 connectivity for the container
+    enableIPv6 = true;
+  };
+
+  containers.bikkje = {
+    autoStart = true;
+    config = { config, pkgs, ... }: {
+      #import packages
+      packages = with pkgs; [
+          alpine
+          mutt
+          mutt-ics
+          mutt-wizard
+          weechat
+          weechatScripts.edit
+          hexchat
+          irssi
+          pidgin
+      ];
+
+      networking = {
+        firewall = {
+          enable = true;
+          # Allow SSH and HTTP and ports for email and irc
+          allowedTCPPorts = [ 80 22 194 994 6665 6666 6667 6668 6669 6697 995 993 25 465 587 110 143 993 995 ];
+          allowedUDPPorts = [ 80 22 194 994 6665 6666 6667 6668 6669 6697 995 993 25 465 587 110 143 993 995 ];
+        };
+        # Use systemd-resolved inside the container
+        # Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686
+        useHostResolvConf = mkForce false;
+      };
+      
+      system.stateVersion = "23.11";
+      services.resolved.enable = true;
+    };
+  };
+
+};

hosts/bob/configuration.nix

@@ -0,0 +1,46 @@
+{ config, pkgs, values, ... }:
+{
+  imports = [
+      # Include the results of the hardware scan.
+      ./hardware-configuration.nix
+      ../../base.nix
+      ../../misc/metrics-exporters.nix
+      ./disks.nix
+
+      ../../misc/builder.nix
+    ];
+
+  sops.defaultSopsFile = ../../secrets/bob/bob.yaml;
+  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+  sops.age.keyFile = "/var/lib/sops-nix/key.txt";
+  sops.age.generateKey = true;
+
+  boot.loader.grub = {
+    enable = true;
+    efiSupport = true;
+    efiInstallAsRemovable = true;
+  };
+
+  networking.hostName = "bob"; # Define your hostname.
+
+  systemd.network.networks."30-all" = values.defaultNetworkConfig // {
+    matchConfig.Name = "en*";
+    DHCP = "yes";
+    gateway = [ ];
+  };
+
+  # List packages installed in system profile
+  environment.systemPackages = with pkgs; [
+  ];
+
+  # List services that you want to enable:
+
+  # This value determines the NixOS release from which the default
+  # settings for stateful data, like file locations and database versions
+  # on your system were taken. It‘s perfectly fine and recommended to leave
+  # this value at the release version of the first install of this system.
+  # Before changing this value read the documentation for this option
+  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+  system.stateVersion = "23.05"; # Did you read the comment?
+
+}

hosts/bob/disks.nix

@@ -0,0 +1,39 @@
+# Example to create a bios compatible gpt partition
+{ lib, ... }:
+{
+  disko.devices = {
+    disk.disk1 = {
+      device = lib.mkDefault "/dev/sda";
+      type = "disk";
+      content = {
+        type = "gpt";
+        partitions = {
+          boot = {
+            name = "boot";
+            size = "1M";
+            type = "EF02";
+          };
+          esp = {
+            name = "ESP";
+            size = "500M";
+            type = "EF00";
+            content = {
+              type = "filesystem";
+              format = "vfat";
+              mountpoint = "/boot";
+            };
+          };
+          root = {
+            name = "root";
+            size = "100%";
+            content = {
+              type = "filesystem";
+              format = "ext4";
+              mountpoint = "/";
+            };
+          };
+        };
+      };
+    };
+  };
+}

hosts/bob/hardware-configuration.nix

@@ -0,0 +1,24 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/profiles/qemu-guest.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_blk" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ ];
+  boot.extraModulePackages = [ ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.ens3.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}

hosts/brzeczyszczykiewicz/configuration.nix

@@ -6,7 +6,7 @@
       ../../base.nix
       ../../misc/metrics-exporters.nix
 
-      ../../modules/grzegorz.nix
+      ./services/grzegorz.nix
     ];
 
   boot.loader.systemd-boot.enable = true;

hosts/brzeczyszczykiewicz/services/grzegorz.nix

@@ -0,0 +1,11 @@
+{ config, ... }:
+{
+  imports = [ ../../../modules/grzegorz.nix ];
+
+  services.nginx.virtualHosts."${config.networking.fqdn}" = {
+    serverAliases = [
+      "bokhylle.pvv.ntnu.no"
+      "bokhylle.pvv.org"
+    ];
+  };
+}

hosts/buskerud/configuration.nix

@@ -0,0 +1,38 @@
+{ config, pkgs, values, ... }:
+{
+  imports = [
+    ./hardware-configuration.nix
+    ../../base.nix
+    ../../misc/metrics-exporters.nix
+
+    ./containers/salsa/configuration.nix
+  ];
+
+  # buskerud does not support efi?
+  # boot.loader.systemd-boot.enable = true;
+  # boot.loader.efi.canTouchEfiVariables = true;
+  boot.loader.grub.enable = true;
+  boot.loader.grub.device = "/dev/sdb";
+
+  networking.hostName = "buskerud";
+  networking.search = [ "pvv.ntnu.no" "pvv.org" ];
+  networking.nameservers = [ "129.241.0.200" "129.241.0.201" ];
+  networking.tempAddresses = "disabled";
+
+  systemd.network.networks."enp3s0f0" = values.defaultNetworkConfig // {
+    matchConfig.Name = "enp3s0f0";
+    address = with values.hosts.buskerud; [ (ipv4 + "/25") (ipv6 + "/64") ];
+  };
+
+  # List packages installed in system profile
+  environment.systemPackages = with pkgs; [
+  ];
+
+  # This value determines the NixOS release from which the default
+  # settings for stateful data, like file locations and database versions
+  # on your system were taken. It‘s perfectly fine and recommended to leave
+  # this value at the release version of the first install of this system.
+  # Before changing this value read the documentation for this option
+  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+  system.stateVersion = "23.05"; # Did you read the comment?
+}

hosts/buskerud/containers/salsa/NOTES.md

@@ -0,0 +1,27 @@
+# Misc docs
+
+### Old stuff about storing kerberos state inside LDAP - might not be relevant
+
+- https://wiki.debian.org/LDAP/OpenLDAPSetup#OpenLDAP_as_a_Backend
+- https://ubuntu.com/server/docs/service-kerberos-with-openldap-backend
+- https://forums.freebsd.org/threads/heimdal-and-openldap-integration-some-questions.58422/
+- http://osr507doc.sco.com/cgi-bin/info2html?(heimdal.info.gz)Using%2520LDAP%2520to%2520store%2520the%2520database&lang=en
+- https://bbs.archlinux.org/viewtopic.php?id=54236
+- https://openldap-software.0penldap.narkive.com/Ml6seAGL/ldap-backend-for-heimdal-kerberos
+
+### Heimdal setup
+
+- http://chschneider.eu/linux/server/heimdal.shtml
+- https://github.com/NixOS/nixpkgs/blob/master/nixos/tests/kerberos/heimdal.nix
+- https://itk.samfundet.no/dok/Kerberos (possibly a bit dated)
+
+### OpenLDAP setup with new olc stuff
+
+- https://www.openldap.org/doc/admin26/
+- https://www.openldap.org/doc/admin26/sasl.html#GSSAPI
+- https://www.zytrax.com/books/ldap/
+
+### SASLAUTHD
+
+- https://linux.die.net/man/8/saslauthd
+- https://www.cyrusimap.org/sasl/index.html

hosts/buskerud/containers/salsa/configuration.nix

@@ -0,0 +1,51 @@
+{ config, pkgs, lib, inputs, values, ... }:
+{
+  containers.salsa = {
+    autoStart = true;
+    interfaces = [ "enp6s0f1" ];
+    bindMounts = {
+      "/data" = { hostPath = "/data/salsa"; isReadOnly = false; };
+    };
+    nixpkgs = inputs.nixpkgs-unstable;
+
+    config = { config, pkgs, ... }: let
+      inherit values inputs;
+    in {
+      imports = [
+        inputs.sops-nix.nixosModules.sops
+        ../../../../base.nix
+
+        ./services/heimdal
+        ./services/openldap.nix
+        ./services/saslauthd.nix
+
+	# https://github.com/NixOS/nixpkgs/pull/287611
+	./modules/krb5
+	./modules/kerberos
+      ];
+
+      disabledModules = [
+	"security/krb5"
+	"services/system/kerberos/default.nix"
+      ];
+
+      _module.args = {
+        inherit values inputs;
+      };
+
+      sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+      sops.age.keyFile = "/var/lib/sops-nix/key.txt";
+      sops.age.generateKey = true;
+
+      # systemd.network.networks."30-enp6s0f1" = values.defaultNetworkConfig // {
+      #   matchConfig.Name = "enp6s0f1";
+      #   address = with values.hosts.jokum; [ (ipv4 + "/25") (ipv6 + "/64") ]
+      #     ++ (with values.services.turn; [ (ipv4 + "/25") (ipv6 + "/64") ]);
+      # };
+
+      networking.useHostResolvConf = lib.mkForce false;
+
+      system.stateVersion = "23.11";
+    };
+  };
+}

hosts/buskerud/containers/salsa/modules/kerberos/default.nix

@@ -0,0 +1,101 @@
+{ config, pkgs, lib, ... }:
+
+let
+  inherit (lib) mkOption types;
+  cfg = config.services.kerberos_server;
+  inherit (config.security.krb5) package;
+
+  format = import ../krb5/krb5-conf-format.nix { inherit pkgs lib; } { };
+in
+
+{
+  imports = [
+    (lib.mkRenamedOptionModule [ "services" "kerberos_server" "realms" ] [ "services" "kerberos_server" "settings" "realms" ])
+
+    ./mit.nix
+    ./heimdal.nix
+  ];
+
+  options = {
+    services.kerberos_server = {
+      enable = lib.mkEnableOption (lib.mdDoc "the kerberos authentication server");
+
+      settings = let
+        aclEntry = types.submodule {
+          options = {
+            principal = mkOption {
+              type = types.str;
+              description = lib.mdDoc "Which principal the rule applies to";
+            };
+            access = mkOption {
+              type = types.either
+                (types.listOf (types.enum ["add" "cpw" "delete" "get" "list" "modify"]))
+                (types.enum ["all"]);
+              default = "all";
+              description = lib.mdDoc "The changes the principal is allowed to make.";
+            };
+            target = mkOption {
+              type = types.str;
+              default = "*";
+              description = lib.mdDoc "The principals that 'access' applies to.";
+            };
+          };
+        };
+
+        realm = types.submodule ({ name, ... }: {
+          freeformType = format.sectionType;
+          options = {
+            acl = mkOption {
+              type = types.listOf aclEntry;
+              default = [
+                { principal = "*/admin"; access = "all"; }
+                { principal = "admin"; access = "all"; }
+              ];
+              description = lib.mdDoc ''
+                The privileges granted to a user.
+              '';
+            };
+          };
+        });
+      in mkOption {
+        type = types.submodule (format.type.getSubModules ++ [{
+          options = {
+            realms = mkOption {
+              type = types.attrsOf realm;
+              description = lib.mdDoc ''
+                The realm(s) to serve keys for.
+              '';
+            };
+          };
+        }]);
+        description = ''
+          Settings for the kerberos server of choice.
+
+          See the following documentation:
+          - Heimdal: {manpage}`kdc.conf(5)`
+          - MIT Kerberos: <https://web.mit.edu/kerberos/krb5-1.21/doc/admin/conf_files/kdc_conf.html>
+        '';
+        default = { };
+      };
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    environment.systemPackages = [ package ];
+    assertions = [
+      {
+        assertion = cfg.settings.realms != { };
+        message = "The server needs at least one realm";
+      }
+      {
+        assertion = lib.length (lib.attrNames cfg.settings.realms) <= 1;
+        message = "Only one realm per server is currently supported.";
+      }
+    ];
+
+    systemd.slices.system-kerberos-server = { };
+    systemd.targets.kerberos-server = {
+      wantedBy = [ "multi-user.target" ];
+    };
+  };
+}

hosts/buskerud/containers/salsa/modules/kerberos/heimdal.nix

@@ -0,0 +1,87 @@
+{ pkgs, config, lib, ... } :
+
+let
+  inherit (lib)  mapAttrs;
+  cfg = config.services.kerberos_server;
+  package = config.security.krb5.package;
+
+  aclConfigs = lib.pipe cfg.settings.realms [
+    (mapAttrs (name: { acl, ... }: lib.concatMapStringsSep "\n" (
+      { principal, access, target, ... }:
+      "${principal}\t${lib.concatStringsSep "," (lib.toList access)}\t${target}"
+    ) acl))
+    (lib.mapAttrsToList (name: text:
+      {
+        dbname = "/var/lib/heimdal/heimdal";
+        acl_file = pkgs.writeText "${name}.acl" text;
+      }
+    ))
+  ];
+
+  finalConfig = cfg.settings // {
+    realms = mapAttrs (_: v: removeAttrs v [ "acl" ]) (cfg.settings.realms or { });
+    kdc = (cfg.settings.kdc or { }) // {
+      database = aclConfigs;
+    };
+  };
+
+  format = import ../krb5/krb5-conf-format.nix { inherit pkgs lib; } { };
+
+  kdcConfFile = format.generate "kdc.conf" finalConfig;
+in
+
+{
+  config = lib.mkIf (cfg.enable && package.passthru.implementation == "heimdal") {
+    environment.etc."heimdal-kdc/kdc.conf".source = kdcConfFile;
+
+    systemd.tmpfiles.settings."10-heimdal" = let
+      databases = lib.pipe finalConfig.kdc.database [
+        (map (dbAttrs: dbAttrs.dbname or null))
+        (lib.filter (x: x != null))
+        lib.unique
+      ];
+    in lib.genAttrs databases (_: {
+      d = {
+        user = "root";
+        group = "root";
+        mode = "0700";
+      };
+    });
+
+    systemd.services.kadmind = {
+      description = "Kerberos Administration Daemon";
+      partOf = [ "kerberos-server.target" ];
+      wantedBy = [ "kerberos-server.target" ];
+      serviceConfig = {
+        ExecStart = "${package}/libexec/kadmind --config-file=/etc/heimdal-kdc/kdc.conf";
+        Slice = "system-kerberos-server.slice";
+        StateDirectory = "heimdal";
+      };
+      restartTriggers = [ kdcConfFile ];
+    };
+
+    systemd.services.kdc = {
+      description = "Key Distribution Center daemon";
+      partOf = [ "kerberos-server.target" ];
+      wantedBy = [ "kerberos-server.target" ];
+      serviceConfig = {
+        ExecStart = "${package}/libexec/kdc --config-file=/etc/heimdal-kdc/kdc.conf";
+        Slice = "system-kerberos-server.slice";
+        StateDirectory = "heimdal";
+      };
+      restartTriggers = [ kdcConfFile ];
+    };
+
+    systemd.services.kpasswdd = {
+      description = "Kerberos Password Changing daemon";
+      partOf = [ "kerberos-server.target" ];
+      wantedBy = [ "kerberos-server.target" ];
+      serviceConfig = {
+        ExecStart = "${package}/libexec/kpasswdd";
+        Slice = "system-kerberos-server.slice";
+        StateDirectory = "heimdal";
+      };
+      restartTriggers = [ kdcConfFile ];
+    };
+  };
+}

hosts/buskerud/containers/salsa/modules/kerberos/mit.nix

@@ -0,0 +1,77 @@
+{ pkgs, config, lib, ... } :
+
+let
+  inherit (lib) mapAttrs;
+  cfg = config.services.kerberos_server;
+  package = config.security.krb5.package;
+  PIDFile = "/run/kdc.pid";
+
+  format = import ../krb5/krb5-conf-format.nix { inherit pkgs lib; } { };
+
+  aclMap = {
+    add = "a"; cpw = "c"; delete = "d"; get = "i"; list = "l"; modify = "m";
+    all = "*";
+  };
+
+  aclConfigs = lib.pipe cfg.settings.realms [
+    (mapAttrs (name: { acl, ... }: lib.concatMapStringsSep "\n" (
+      { principal, access, target, ... }: let
+        access_code = map (a: aclMap.${a}) (lib.toList access);
+      in "${principal} ${lib.concatStrings access_code} ${target}"
+    ) acl))
+
+    (lib.concatMapAttrs (name: text: {
+      ${name} = {
+        acl_file = pkgs.writeText "${name}.acl" text;
+      };
+    }))
+  ];
+
+  finalConfig = cfg.settings // {
+    realms = mapAttrs (n: v: (removeAttrs v [ "acl" ]) // aclConfigs.${n}) (cfg.settings.realms or { });
+  };
+
+  kdcConfFile = format.generate "kdc.conf" finalConfig;
+  env = {
+    # What Debian uses, could possibly link directly to Nix store?
+    KRB5_KDC_PROFILE = "/etc/krb5kdc/kdc.conf";
+  };
+in
+
+{
+  config = lib.mkIf (cfg.enable && package.passthru.implementation == "krb5") {
+    environment = {
+      etc."krb5kdc/kdc.conf".source = kdcConfFile;
+      variables = env;
+    };
+
+    systemd.services.kadmind = {
+      description = "Kerberos Administration Daemon";
+      partOf = [ "kerberos-server.target" ];
+      wantedBy = [ "kerberos-server.target" ];
+      serviceConfig = {
+        ExecStart = "${package}/bin/kadmind -nofork";
+        Slice = "system-kerberos-server.slice";
+        StateDirectory = "krb5kdc";
+      };
+      restartTriggers = [ kdcConfFile ];
+      environment = env;
+    };
+
+    systemd.services.kdc = {
+      description = "Key Distribution Center daemon";
+      partOf = [ "kerberos-server.target" ];
+      wantedBy = [ "kerberos-server.target" ];
+      serviceConfig = {
+        Type = "forking";
+        PIDFile = PIDFile;
+        ExecStart = "${package}/bin/krb5kdc -P ${PIDFile}";
+        Slice = "system-kerberos-server.slice";
+        StateDirectory = "krb5kdc";
+      };
+      restartTriggers = [ kdcConfFile ];
+      environment = env;
+    };
+  };
+}
+

hosts/buskerud/containers/salsa/modules/krb5/default.nix

@@ -0,0 +1,104 @@
+{ config, lib, pkgs, ... }:
+let
+  inherit (lib) mdDoc mkIf mkOption mkPackageOption mkRemovedOptionModule;
+  inherit (lib.types) bool;
+
+  mkRemovedOptionModule' = name: reason: mkRemovedOptionModule ["krb5" name] reason;
+  mkRemovedOptionModuleCfg = name: mkRemovedOptionModule' name ''
+    The option `krb5.${name}' has been removed. Use
+    `security.krb5.settings.${name}' for structured configuration.
+  '';
+
+  cfg = config.security.krb5;
+  format = import ./krb5-conf-format.nix { inherit pkgs lib; } { };
+in {
+  imports = [
+    (mkRemovedOptionModuleCfg "libdefaults")
+    (mkRemovedOptionModuleCfg "realms")
+    (mkRemovedOptionModuleCfg "domain_realm")
+    (mkRemovedOptionModuleCfg "capaths")
+    (mkRemovedOptionModuleCfg "appdefaults")
+    (mkRemovedOptionModuleCfg "plugins")
+    (mkRemovedOptionModuleCfg "config")
+    (mkRemovedOptionModuleCfg "extraConfig")
+    (mkRemovedOptionModule' "kerberos" ''
+      The option `krb5.kerberos' has been moved to `security.krb5.package'.
+    '')
+  ];
+
+  options = {
+    security.krb5 = {
+      enable = mkOption {
+        default = false;
+        description = mdDoc "Enable and configure Kerberos utilities";
+        type = bool;
+      };
+
+      package = mkPackageOption pkgs "krb5" {
+        example = "heimdal";
+      };
+
+      settings = mkOption {
+        default = { };
+        type = format.type;
+        description = mdDoc ''
+          Structured contents of the {file}`krb5.conf` file. See
+          {manpage}`krb5.conf(5)` for details about configuration.
+        '';
+        example = {
+          include = [ "/run/secrets/secret-krb5.conf" ];
+          includedir = [ "/run/secrets/secret-krb5.conf.d" ];
+
+          libdefaults = {
+            default_realm = "ATHENA.MIT.EDU";
+          };
+
+          realms = {
+            "ATHENA.MIT.EDU" = {
+              admin_server = "athena.mit.edu";
+              kdc = [
+                "athena01.mit.edu"
+                "athena02.mit.edu"
+              ];
+            };
+          };
+
+          domain_realm = {
+            "mit.edu" = "ATHENA.MIT.EDU";
+          };
+
+          logging = {
+            kdc = "SYSLOG:NOTICE";
+            admin_server = "SYSLOG:NOTICE";
+            default = "SYSLOG:NOTICE";
+          };
+        };
+      };
+    };
+  };
+
+  config = {
+    assertions = mkIf (cfg.enable || config.services.kerberos_server.enable) [(let
+      implementation = cfg.package.passthru.implementation or "<NOT SET>";
+    in {
+      assertion = lib.elem implementation [ "krb5" "heimdal" ];
+      message = ''
+        `security.krb5.package` must be one of:
+
+          - krb5
+          - heimdal
+	
+	Currently chosen implementation: ${implementation}
+      '';
+    })];
+
+    environment = mkIf cfg.enable {
+      systemPackages = [ cfg.package ];
+      etc."krb5.conf".source = format.generate "krb5.conf" cfg.settings;
+    };
+  };
+
+  meta.maintainers = builtins.attrValues {
+    inherit (lib.maintainers) dblsaiko h7x4;
+  };
+}

hosts/buskerud/containers/salsa/modules/krb5/krb5-conf-format.nix

@@ -0,0 +1,96 @@
+{ pkgs, lib, ... }:
+
+# Based on
+# - https://web.mit.edu/kerberos/krb5-1.12/doc/admin/conf_files/krb5_conf.html
+# - https://manpages.debian.org/unstable/heimdal-docs/krb5.conf.5heimdal.en.html
+
+let
+  inherit (lib) boolToString concatMapStringsSep concatStringsSep filter
+    isAttrs isBool isList mapAttrsToList mdDoc mkOption singleton splitString;
+  inherit (lib.types) attrsOf bool coercedTo either int listOf oneOf path
+    str submodule;
+in
+{ }: rec {
+  sectionType = let
+    relation = oneOf [
+      (listOf (attrsOf value))
+      (attrsOf value)
+      value
+    ];
+    value = either (listOf atom) atom;
+    atom = oneOf [int str bool];
+  in attrsOf relation;
+
+  type = submodule {
+    freeformType = attrsOf sectionType;
+    options = {
+      include = mkOption {
+        default = [ ];
+        description = mdDoc ''
+          Files to include in the Kerberos configuration.
+        '';
+        type = coercedTo path singleton (listOf path);
+      };
+      includedir = mkOption {
+        default = [ ];
+        description = mdDoc ''
+          Directories containing files to include in the Kerberos configuration.
+        '';
+        type = coercedTo path singleton (listOf path);
+      };
+      module = mkOption {
+        default = [ ];
+        description = mdDoc ''
+          Modules to obtain Kerberos configuration from.
+        '';
+        type = coercedTo path singleton (listOf path);
+      };
+    };
+  };
+
+  generate = let
+    indent = str: concatMapStringsSep "\n" (line: "  " + line) (splitString "\n" str);
+
+    formatToplevel = args @ {
+      include ? [ ],
+      includedir ? [ ],
+      module ? [ ],
+      ...
+    }: let
+      sections = removeAttrs args [ "include" "includedir" "module" ];
+    in concatStringsSep "\n" (filter (x: x != "") [
+      (concatStringsSep "\n" (mapAttrsToList formatSection sections))
+      (concatMapStringsSep "\n" (m: "module ${m}") module)
+      (concatMapStringsSep "\n" (i: "include ${i}") include)
+      (concatMapStringsSep "\n" (i: "includedir ${i}") includedir)
+    ]);
+
+    formatSection = name: section: ''
+      [${name}]
+      ${indent (concatStringsSep "\n" (mapAttrsToList formatRelation section))}
+    '';
+
+    formatRelation = name: relation:
+      if isAttrs relation
+      then ''
+        ${name} = {
+        ${indent (concatStringsSep "\n" (mapAttrsToList formatValue relation))}
+        }''
+      else if isList relation
+      then
+        concatMapStringsSep "\n" (formatRelation name) relation
+      else formatValue name relation;
+
+    formatValue = name: value:
+      if isList value
+      then concatMapStringsSep "\n" (formatAtom name) value
+      else formatAtom name value;
+
+    formatAtom = name: atom: let
+      v = if isBool atom then boolToString atom else toString atom;
+    in "${name} = ${v}";
+  in
+    name: value: pkgs.writeText name ''
+      ${formatToplevel value}
+    '';
+}

hosts/buskerud/containers/salsa/services/heimdal/default.nix

@@ -0,0 +1,78 @@
+{ config, pkgs, lib, ... }:
+let
+
+  realm = "PVV.NTNU.NO";
+
+  cfg = config.security.krb5;
+in
+{
+  security.krb5 = {
+    enable = true;
+
+    # NOTE: This has a small edit that moves an include header to $dev/include.
+    #       It is required in order to build smbk5pwd, because of some nested includes.
+    #       We should open an issue upstream (heimdal, not nixpkgs), but this patch
+    #       will do for now.
+    # package = pkgs.heimdal;
+    package = pkgs.callPackage ./package.nix {
+      inherit (pkgs.apple_sdk.frameworks)
+        CoreFoundation Security SystemConfiguration;
+    };
+
+    settings = {
+      logging.kdc = "CONSOLE";
+      realms.${realm} = {
+        admin_server = "localhost";
+        kdc = [ "localhost" ];
+      };
+
+      kadmin.default_keys = lib.concatStringsSep " " [
+        "aes256-cts-hmac-sha1-96:pw-salt"
+        "aes128-cts-hmac-sha1-96:pw-salt"
+      ];
+
+      libdefaults.default_etypes = lib.concatStringsSep " " [
+        "aes256-cts-hmac-sha1-96"
+        "aes128-cts-hmac-sha1-96"
+      ];
+
+      libdefaults = {
+        default_realm = realm;
+      };
+
+      domain_realm = {
+        "pvv.ntnu.no" = realm;
+        ".pvv.ntnu.no" = realm;
+      };
+    };
+  };
+
+  services.kerberos_server = {
+    enable = true;
+    settings = {
+      realms.${realm} = {
+        dbname = "/var/heimdal/heimdal";
+        mkey = "/var/heimdal/mkey";
+      };
+      # kadmin.default_keys = lib.concatStringsSep " " [
+      #   "aes256-cts-hmac-sha1-96:pw-salt"
+      #   "aes128-cts-hmac-sha1-96:pw-salt"
+      # ];
+
+      # libdefaults.default_etypes = lib.concatStringsSep " " [
+      #   "aes256-cts-hmac-sha1-96"
+      #   "aes128-cts-hmac-sha1-96"
+      # ];
+
+      # password_quality.min_length = 8;
+    };
+  };
+
+  # NOTE: These changes are part of nixpkgs-unstable, but not 23.11.
+  #       The package override needs these changes.
+  # systemd.services = {
+  #   kdc.serviceConfig.ExecStart =      lib.mkForce "${cfg.package}/libexec/kadmind --config-file=/etc/heimdal-kdc/kdc.conf";
+  #   kpasswdd.serviceConfig.ExecStart = lib.mkForce "${cfg.package}/libexec/kpasswdd";
+  #   kadmind.serviceConfig.ExecStart =  lib.mkForce "${cfg.package}/libexec/kdc --config-file=/etc/heimdal-kdc/kdc.conf";
+  # };
+}

hosts/buskerud/containers/salsa/services/heimdal/package.nix

@@ -0,0 +1,180 @@
+{ lib
+, stdenv
+, fetchFromGitHub
+, autoreconfHook
+, pkg-config
+, python3
+, perl
+, bison
+, flex
+, texinfo
+, perlPackages
+
+, openldap
+, libcap_ng
+, sqlite
+, openssl
+, db
+, libedit
+, pam
+, krb5
+, libmicrohttpd
+, cjson
+
+, CoreFoundation
+, Security
+, SystemConfiguration
+
+, curl
+, jdk
+, unzip
+, which
+
+, nixosTests
+
+, withCJSON ? true
+, withCapNG ? stdenv.isLinux
+# libmicrohttpd should theoretically work for darwin as well, but something is broken.
+# It affects tests check-bx509d and check-httpkadmind.
+, withMicroHTTPD ? stdenv.isLinux
+, withOpenLDAP ? true
+, withOpenLDAPAsHDBModule ? false
+, withOpenSSL ? true
+, withSQLite3 ? true
+}:
+
+assert lib.assertMsg (withOpenLDAPAsHDBModule -> withOpenLDAP) ''
+  OpenLDAP needs to be enabled in order to build the OpenLDAP HDB Module.
+'';
+
+stdenv.mkDerivation {
+  pname = "heimdal";
+  version = "7.8.0-unstable-2023-11-29";
+
+  src = fetchFromGitHub {
+    owner = "heimdal";
+    repo = "heimdal";
+    rev = "3253c49544eacb33d5ad2f6f919b0696e5aab794";
+    hash = "sha256-uljzQBzXrZCZjcIWfioqHN8YsbUUNy14Vo+A3vZIXzM=";
+  };
+
+  outputs = [ "out" "dev" "man" "info" ];
+
+  nativeBuildInputs = [
+    autoreconfHook
+    pkg-config
+    python3
+    perl
+    bison
+    flex
+    texinfo
+  ]
+  ++ (with perlPackages; [ JSON ]);
+
+  buildInputs = [ db libedit pam ]
+    ++ lib.optionals (stdenv.isDarwin) [ CoreFoundation Security SystemConfiguration ]
+    ++ lib.optionals (withCJSON) [ cjson ]
+    ++ lib.optionals (withCapNG) [ libcap_ng ]
+    ++ lib.optionals (withMicroHTTPD) [ libmicrohttpd ]
+    ++ lib.optionals (withOpenLDAP) [ openldap ]
+    ++ lib.optionals (withOpenSSL) [ openssl ]
+    ++ lib.optionals (withSQLite3) [ sqlite ];
+
+  doCheck = true;
+  nativeCheckInputs = [
+    curl
+    jdk
+    unzip
+    which
+  ];
+
+  configureFlags = [
+    "--with-libedit-include=${libedit.dev}/include"
+    "--with-libedit-lib=${libedit}/lib"
+    # "--with-berkeley-db-include=${db.dev}/include"
+    "--with-berkeley-db=${db}/lib"
+
+    "--without-x"
+    "--disable-afs-string-to-key"
+  ] ++ lib.optionals (withCapNG) [
+    "--with-capng"
+  ] ++ lib.optionals (withCJSON) [
+    "--with-cjson=${cjson}"
+  ] ++ lib.optionals (withOpenLDAP) [
+    "--with-openldap=${openldap.dev}"
+  ] ++ lib.optionals (withOpenLDAPAsHDBModule) [
+    "--enable-hdb-openldap-module"
+  ] ++ lib.optionals (withSQLite3) [
+    "--with-sqlite3=${sqlite.dev}"
+  ];
+
+  # (check-ldap) slapd resides within ${openldap}/libexec,
+  #              which is not part of $PATH by default.
+  # (check-ldap) prepending ${openldap}/bin to the path to avoid
+  #              using the default installation of openldap on unsandboxed darwin systems,
+  #              which does not support the new mdb backend at the moment (2024-01-13).
+  # (check-ldap) the bdb backend got deprecated in favour of mdb in openldap 2.5.0,
+  #              but the heimdal tests still seem to expect bdb as the openldap backend.
+  #              This might be fixed upstream in a future update.
+  patchPhase = ''
+    runHook prePatch
+
+    substituteInPlace tests/ldap/slapd-init.in \
+      --replace 'SCHEMA_PATHS="' 'SCHEMA_PATHS="${openldap}/etc/schema '
+    substituteInPlace tests/ldap/check-ldap.in \
+      --replace 'PATH=' 'PATH=${openldap}/libexec:${openldap}/bin:'
+    substituteInPlace tests/ldap/slapd.conf \
+      --replace 'database	bdb' 'database mdb'
+
+    runHook postPatch
+  '';
+
+  # (test_cc) heimdal uses librokens implementation of `secure_getenv` on darwin,
+  #           which expects either USER or LOGNAME to be set.
+  preCheck = lib.optionalString (stdenv.isDarwin) ''
+    export USER=nix-builder
+  '';
+
+  # We need to build hcrypt for applications like samba
+  postBuild = ''
+    (cd include/hcrypto; make -j $NIX_BUILD_CORES)
+    (cd lib/hcrypto; make -j $NIX_BUILD_CORES)
+  '';
+
+  postInstall = ''
+    # Install hcrypto
+    (cd include/hcrypto; make -j $NIX_BUILD_CORES install)
+    (cd lib/hcrypto; make -j $NIX_BUILD_CORES install)
+
+    mkdir -p $dev/bin
+    mv $out/bin/krb5-config $dev/bin/
+
+    # asn1 compilers, move them to $dev
+    mv $out/libexec/heimdal/* $dev/bin
+    rmdir $out/libexec/heimdal
+
+    cp include/heim_threads.h $dev/include
+
+    # compile_et is needed for cross-compiling this package and samba
+    mv lib/com_err/.libs/compile_et $dev/bin
+  '';
+
+  # Issues with hydra
+  #  In file included from hxtool.c:34:0:
+  #  hx_locl.h:67:25: fatal error: pkcs10_asn1.h: No such file or directory
+  #enableParallelBuilding = true;
+
+  passthru = {
+    implementation = "heimdal";
+    tests.nixos = nixosTests.kerberos.heimdal;
+  };
+
+  meta = with lib; {
+    homepage = "https://www.heimdal.software";
+    changelog = "https://github.com/heimdal/heimdal/releases";
+    description = "An implementation of Kerberos 5 (and some more stuff)";
+    license = licenses.bsd3;
+    platforms = platforms.unix;
+    maintainers = with maintainers; [ h7x4 ];
+  };
+}

hosts/buskerud/containers/salsa/services/heimdal/package2.nix

@@ -0,0 +1,178 @@
+{ lib
+, stdenv
+, fetchFromGitHub
+, autoreconfHook
+, pkg-config
+, python3
+, perl
+, bison
+, flex
+, texinfo
+, perlPackages
+
+, openldap
+, libcap_ng
+, sqlite
+, openssl
+, db
+, libedit
+, pam
+, krb5
+, libmicrohttpd
+, cjson
+
+, CoreFoundation
+, Security
+, SystemConfiguration
+
+, curl
+, jdk
+, unzip
+, which
+
+, nixosTests
+
+, withCJSON ? true
+, withCapNG ? stdenv.isLinux
+# libmicrohttpd should theoretically work for darwin as well, but something is broken.
+# It affects tests check-bx509d and check-httpkadmind.
+, withMicroHTTPD ? stdenv.isLinux
+, withOpenLDAP ? true
+, withOpenLDAPAsHDBModule ? false
+, withOpenSSL ? true
+, withSQLite3 ? true
+}:
+
+assert lib.assertMsg (withOpenLDAPAsHDBModule -> withOpenLDAP) ''
+  OpenLDAP needs to be enabled in order to build the OpenLDAP HDB Module.
+'';
+
+stdenv.mkDerivation {
+  pname = "heimdal";
+  version = "7.8.0-unstable-2023-11-29";
+
+  src = fetchFromGitHub {
+    owner = "heimdal";
+    repo = "heimdal";
+    rev = "3253c49544eacb33d5ad2f6f919b0696e5aab794";
+    hash = "sha256-uljzQBzXrZCZjcIWfioqHN8YsbUUNy14Vo+A3vZIXzM=";
+  };
+
+  outputs = [ "out" "dev" "man" "info" ];
+
+  nativeBuildInputs = [
+    autoreconfHook
+    pkg-config
+    python3
+    perl
+    bison
+    flex
+    texinfo
+  ]
+  ++ (with perlPackages; [ JSON ]);
+
+  buildInputs = [ db libedit pam ]
+    ++ lib.optionals (stdenv.isDarwin) [ CoreFoundation Security SystemConfiguration ]
+    ++ lib.optionals (withCJSON) [ cjson ]
+    ++ lib.optionals (withCapNG) [ libcap_ng ]
+    ++ lib.optionals (withMicroHTTPD) [ libmicrohttpd ]
+    ++ lib.optionals (withOpenLDAP) [ openldap ]
+    ++ lib.optionals (withOpenSSL) [ openssl ]
+    ++ lib.optionals (withSQLite3) [ sqlite ];
+
+  doCheck = true;
+  nativeCheckInputs = [
+    curl
+    jdk
+    unzip
+    which
+  ];
+
+  configureFlags = [
+    "--with-libedit-include=${libedit.dev}/include"
+    "--with-libedit-lib=${libedit}/lib"
+    "--with-berkeley-db-include=${db.dev}/include"
+    "--with-berkeley-db"
+
+    "--without-x"
+    "--disable-afs-string-to-key"
+  ] ++ lib.optionals (withCapNG) [
+    "--with-capng"
+  ] ++ lib.optionals (withCJSON) [
+    "--with-cjson=${cjson}"
+  ] ++ lib.optionals (withOpenLDAP) [
+    "--with-openldap=${openldap.dev}"
+  ] ++ lib.optionals (withOpenLDAPAsHDBModule) [
+    "--enable-hdb-openldap-module"
+  ] ++ lib.optionals (withSQLite3) [
+    "--with-sqlite3=${sqlite.dev}"
+  ];
+
+  # (check-ldap) slapd resides within ${openldap}/libexec,
+  #              which is not part of $PATH by default.
+  # (check-ldap) prepending ${openldap}/bin to the path to avoid
+  #              using the default installation of openldap on unsandboxed darwin systems,
+  #              which does not support the new mdb backend at the moment (2024-01-13).
+  # (check-ldap) the bdb backend got deprecated in favour of mdb in openldap 2.5.0,
+  #              but the heimdal tests still seem to expect bdb as the openldap backend.
+  #              This might be fixed upstream in a future update.
+  patchPhase = ''
+    runHook prePatch
+
+    substituteInPlace tests/ldap/slapd-init.in \
+      --replace 'SCHEMA_PATHS="' 'SCHEMA_PATHS="${openldap}/etc/schema '
+    substituteInPlace tests/ldap/check-ldap.in \
+      --replace 'PATH=' 'PATH=${openldap}/libexec:${openldap}/bin:'
+    substituteInPlace tests/ldap/slapd.conf \
+      --replace 'database	bdb' 'database mdb'
+
+    runHook postPatch
+  '';
+
+  # (test_cc) heimdal uses librokens implementation of `secure_getenv` on darwin,
+  #           which expects either USER or LOGNAME to be set.
+  preCheck = lib.optionalString (stdenv.isDarwin) ''
+    export USER=nix-builder
+  '';
+
+  # We need to build hcrypt for applications like samba
+  postBuild = ''
+    (cd include/hcrypto; make -j $NIX_BUILD_CORES)
+    (cd lib/hcrypto; make -j $NIX_BUILD_CORES)
+  '';
+
+  postInstall = ''
+    # Install hcrypto
+    (cd include/hcrypto; make -j $NIX_BUILD_CORES install)
+    (cd lib/hcrypto; make -j $NIX_BUILD_CORES install)
+
+    mkdir -p $dev/bin
+    mv $out/bin/krb5-config $dev/bin/
+
+    # asn1 compilers, move them to $dev
+    mv $out/libexec/heimdal/* $dev/bin
+    rmdir $out/libexec/heimdal
+
+    # compile_et is needed for cross-compiling this package and samba
+    mv lib/com_err/.libs/compile_et $dev/bin
+  '';
+
+  # Issues with hydra
+  #  In file included from hxtool.c:34:0:
+  #  hx_locl.h:67:25: fatal error: pkcs10_asn1.h: No such file or directory
+  #enableParallelBuilding = true;
+
+  passthru = {
+    implementation = "heimdal";
+    tests.nixos = nixosTests.kerberos.heimdal;
+  };
+
+  meta = with lib; {
+    homepage = "https://www.heimdal.software";
+    changelog = "https://github.com/heimdal/heimdal/releases";
+    description = "An implementation of Kerberos 5 (and some more stuff)";
+    license = licenses.bsd3;
+    platforms = platforms.unix;
+    maintainers = with maintainers; [ h7x4 ];
+  };
+}

hosts/buskerud/containers/salsa/services/openldap.nix

@@ -0,0 +1,115 @@
+{ config, pkgs, lib, ... }:
+{
+  services.openldap = let
+    dn = "dc=kerberos,dc=pvv,dc=ntnu,dc=no";
+    cfg = config.services.openldap;
+  in {
+    enable = true;
+
+    # NOTE: this is a custom build of openldap with support for
+    #       perl and kerberos.
+    package = pkgs.openldap.overrideAttrs (prev: {
+      # https://github.com/openldap/openldap/blob/master/configure
+      configureFlags = prev.configureFlags ++ [
+        # Connect to slapd via UNIX socket
+        "--enable-local"
+        # Cyrus SASL
+        "--enable-spasswd"
+        # Reverse hostname lookups
+        "--enable-rlookups"
+        # perl
+        "--enable-perl"
+      ];
+
+      buildInputs = prev.buildInputs ++ (with pkgs; [
+        perl
+        config.security.krb5.package
+      ]);
+
+      extraContribModules = prev.extraContribModules ++ [
+        # https://git.openldap.org/openldap/openldap/-/tree/master/contrib/slapd-modules
+        "smbk5pwd"
+      ];
+    });
+
+    settings = {
+      attrs = {
+        olcLogLevel = [ "stats" "config" "args" ];
+
+        # olcAuthzRegexp = ''
+        #   gidNumber=.*\\\+uidNumber=0,cn=peercred,cn=external,cn=auth
+        #         "uid=heimdal,${dn2}"
+        # '';
+
+        # olcSaslSecProps = "minssf=0";
+      };
+
+      children = {
+        "cn=schema".includes = let
+          # NOTE: needed for smbk5pwd.so module
+          # schemaToLdif = name: path: pkgs.runCommandNoCC name {
+          #   buildInputs = with pkgs; [ schema2ldif ];
+          # } ''
+          #   schema2ldif "${path}" > $out
+          # '';
+
+          # hdb-ldif = schemaToLdif "hdb.ldif" "${pkgs.heimdal.src}/lib/hdb/hdb.schema";
+          # samba-ldif = schemaToLdif "samba.ldif" "${pkgs.heimdal.src}/tests/ldap/samba.schema";
+        in [
+           "${cfg.package}/etc/schema/core.ldif"
+           "${cfg.package}/etc/schema/cosine.ldif"
+           "${cfg.package}/etc/schema/nis.ldif"
+           "${cfg.package}/etc/schema/inetorgperson.ldif"
+           # "${hdb-ldif}"
+           # "${samba-ldif}"
+        ];
+
+        # NOTE: installation of smbk5pwd.so module
+        #       https://git.openldap.org/openldap/openldap/-/tree/master/contrib/slapd-modules/smbk5pwd
+        # "cn=module{0}".attrs = {
+        #   objectClass = [ "olcModuleList" ];
+        #   olcModuleLoad = [ "${cfg.package}/lib/modules/smbk5pwd.so" ];
+        # };
+
+        # NOTE: activation of smbk5pwd.so module for {1}mdb
+        # "olcOverlay={0}smbk5pwd,olcDatabase={1}mdb".attrs = {
+        #   objectClass = [ "olcOverlayConfig" "olcSmbK5PwdConfig" ];
+        #   olcOverlay = "{0}smbk5pwd";
+        #   olcSmbK5PwdEnable = [ "krb5" "samba" ];
+        #   olcSmbK5PwdMustChange = toString (60 * 60 * 24 * 30);
+        # };
+
+        "olcDatabase={1}mdb".attrs = {
+          objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ];
+
+          olcDatabase = "{1}mdb";
+
+          olcSuffix = dn;
+
+          # TODO: PW is supposed to be a secret, but it's probably fine for testing
+          olcRootDN = "cn=admin,${dn}";
+          olcRootPW.path = pkgs.writeText "olcRootPW" "pass";
+
+          olcDbDirectory = "/var/lib/openldap/test-db";
+          olcDbIndex = "objectClass eq";
+
+          olcAccess = [
+            ''{0}to attrs=userPassword,shadowLastChange
+                by dn.exact=cn=admin,${dn} write
+                by self write
+                by anonymous auth
+                by * none''
+
+            ''{1}to dn.base=""
+                by * read''
+
+            /* allow read on anything else */
+            # ''{2}to *
+            #     by cn=admin,${dn} write by dn.exact=gidNumber=0+uidNumber=0+cn=peercred,cn=external write
+            #     by * read''
+          ];
+        };
+      };
+    };
+  };
+}

hosts/buskerud/containers/salsa/services/saslauthd.nix

@@ -0,0 +1,14 @@
+{ ... }:
+{
+  # TODO: This is seemingly required for openldap to authenticate
+  #       against kerberos, but I have no idea how to configure it as
+  #       such. Does it need a keytab? There's a binary "testsaslauthd"
+  #       that follows with `pkgs.cyrus_sasl` that might be useful.
+  services.saslauthd = {
+    enable = true;
+    mechanism = "kerberos5";
+    # config = ''
+
+    # '';
+  };
+}

hosts/buskerud/hardware-configuration.nix

@@ -0,0 +1,37 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "uhci_hcd" "ehci_pci" "ata_piix" "hpsa" "usb_storage" "usbhid" "sd_mod" "sr_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/ed9654fe-575a-4fb3-b6ff-1b059479acff";
+      fsType = "ext4";
+    };
+
+  swapDevices = [ ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp14s0f0.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp14s0f1.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp3s0f0.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp3s0f1.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp4s0f0.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp4s0f1.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}

hosts/ildkule/services/metrics/prometheus/mysqld.nix

@@ -1,4 +1,4 @@
-{ config, unstable, ... }: let
+{ config, ... }: let
   cfg = config.services.prometheus;
 in {
   sops.secrets."config/mysqld_exporter" = { };

misc/builder.nix

@@ -0,0 +1,5 @@
+{ ... }:
+
+{
+  nix.settings.trusted-users = [ "@nix-builder-users" ];
+}

modules/wackattack-ctf-stockfish/chess.py

@@ -1,74 +0,0 @@
-#!/usr/bin/env python3
-from stockfish import *
-from inputimeout import inputimeout
-import time
-from datetime import datetime
-import random
-
-thinking_time = 1000
-
-game = Stockfish(path="./stockfish", depth=15, parameters={"Threads": 1, "Minimum Thinking Time": thinking_time, "UCI_Chess960": True})
-
-def create_random_position():
-    pos = "/pppppppp/8/8/8/8/PPPPPPPP/"
-    rank8 = ["r","r","b","q","k","b","n","n"]
-
-    while rank8.index("k") < [i for i, n in enumerate(rank8) if n == "r"][0] or rank8.index("k") > [i for i, n in enumerate(rank8) if n == "r"][1] or [i for i, n in enumerate(rank8) if n == "b"][0] % 2 == [i for i, n in enumerate(rank8) if n == "b"][1] % 2:
-        random.seed(datetime.now().microsecond)
-        random.shuffle(rank8)
-
-    rank1 = [c.upper() for c in rank8]
-    pos = "".join(rank8) + pos + "".join(rank1) + " w KQkq - 0 1"
-    game.set_fen_position(pos)
-
-def player_won():
-    with open("flag.txt") as file:
-        flag = file.read()
-    print(flag)
-    exit()
-
-def get_fast_player_move():
-    try:
-        time_over = inputimeout(prompt='Your move: ', timeout=5)
-    except Exception:
-        time_over = 'Too slow, you lost!'
-        print(time_over)
-        exit()
-    return time_over
-
-def check_game_status():
-    evaluation = game.get_evaluation()
-    turn = game.get_fen_position().split(" ")[1]
-    if evaluation["type"] == "mate" and evaluation["value"] == 0 and turn == "w":
-        print("Wow, you beat me!")
-        player_won()
-    elif evaluation["type"] == "mate" and evaluation["value"] == 0 and turn == "b":
-        print("Hah, I won again")
-        exit()
-    if evaluation["type"] == "draw":
-        print("It's a draw!")
-        print("Impressive, but I am still undefeated.")
-        exit()
-
-if __name__ == "__main__":
-    create_random_position()
-    print("Welcome to fischer chess.\nYou get 5 seconds per move. Good luck")
-    print(game.get_board_visual())
-    print("Heres the position for this game, Ill give you a few seconds to look at it before we start.")
-    time.sleep(3)
-    while True:
-        server_move = game.get_best_move_time(thinking_time)
-        game.make_moves_from_current_position([server_move])
-        check_game_status()
-        print(game.get_board_visual())
-        print(f"My move: {server_move}")
-        player_move = get_fast_player_move()
-        if type(player_move) != str or len([player_move]) != 1:
-            print("Illegal input")
-            exit()
-        try:
-            game.make_moves_from_current_position([player_move])
-            check_game_status()
-        except:
-            print("Couldn't comprehend that")
-            exit()

modules/wackattack-ctf-stockfish/default.nix

@@ -1,108 +0,0 @@
-{ config, pkgs, lib, ... }: let
-  stockfish = with pkgs.python3Packages; buildPythonPackage rec {
-    pname = "stockfish";
-    version = "3.28.0";
-    disabled = pythonOlder "3.7";
-
-    src = pkgs.fetchFromGitHub {
-      owner = "zhelyabuzhsky";
-      repo = pname;
-      rev = version;
-      hash = "sha256-XLgVjLV2QXeTYPjP/lwc0LH850LKJsymFlrAMkAn8HU=";
-    };
-
-    format = "setuptools";
-    nativeBuildInputs = [
-      setuptools
-    ];
-
-    propagatedBuildInputs = [
-      pytest-runner
-    ];
-
-    doCheck = false;
-  };
-
-  inputimeout = with pkgs.python3Packages; buildPythonPackage rec {
-    pname = "inputimeout";
-    version = "1.0.4";
-    src = pkgs.fetchFromGitHub {
-      owner = "johejo";
-      repo = pname;
-      rev = "v${version}";
-      hash = "sha256-Fh1CaqJOK58nURt4imkhCmZKG2eJlP/Hi10SarUJ+Fs=";
-    };
-
-    format = "setuptools";
-    nativeBuildInputs = [ setuptools ];
-
-    doCheck = false;
-  };
-
-  script = pkgs.writers.writePython3 "chess" {
-    libraries = [
-      stockfish
-      inputimeout   
-    ];
-
-    # Fy!
-    flakeIgnore = [ "F403" "F405" "E231" "E265" "E302" "E305" "E501" "E722" ];
-  } (builtins.replaceStrings [''path="./stockfish"''] [''path="${pkgs.stockfish}/bin/stockfish"''] (builtins.readFile ./chess.py));
-in
-{
-  sops.secrets."keys/wackattack_ctf/flag" = { };
-
-  systemd.sockets."wackattack-ctf-stockfish" = {
-    description = "Save some azure credit for the rest of us";
-    partOf = [ "wackattack-ctf-stockfish.service" ];
-    wantedBy = [ "sockets.target" ];
-
-    socketConfig = {
-      ListenStream = "0.0.0.0:9999";
-      Accept = true;
-    };
-  };
-
-  systemd.services."wackattack-ctf-stockfish@" = {
-    description = "Save some azure credit for the rest of us";
-    after = [ "network.target" ];
-    requires = [ "wackattack-ctf-stockfish.socket" ];
-    wantedBy = [ "multi-user.target" ];
-    serviceConfig = {
-      Type = "simple";
-      DynamicUser = true;
-      WorkingDirectory = "%d";
-      Restart = "always";
-      StandardInput = "socket";
-      LoadCredential = "flag.txt:${config.sops.secrets."keys/wackattack_ctf/flag".path}";
-
-      Exec = script;
-
-      # systemd hardening go barr
-      ProcSubset = "pid";
-      ProtectProc = "invisible";
-      AmbientCapabilities = "";
-      CapabilityBoundingSet = "";
-      NoNewPrivileges = true;
-      ProtectSystem = "strict";
-      ProtectHome = true;
-      PrivateTmp = true;
-      PrivateDevices = true;
-      PrivateUsers = true;
-      ProtectHostname = true;
-      ProtectClock = true;
-      ProtectKernelTunables = true;
-      ProtectKernelModules = true;
-      ProtectKernelLogs = true;
-      ProtectControlGroups = true;
-      RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
-      RestrictNamespaces = true;
-      LockPersonality = true;
-      RestrictRealtime = true;
-      RestrictSUIDSGID = true;
-      RemoveIPC = true;
-      PrivateMounts = true;
-      SystemCallArchitectures = "native";
-    };
-  };
-}

secrets/bekkalokk/bekkalokk.yaml

@@ -13,9 +13,6 @@ mediawiki:
     database: ENC[AES256_GCM,data:EvVK3Mo6cZiIZS+gTxixU4r9SXN41VqwaWOtortZRNH+WPJ4xcYvzYMJNg==,iv:JtFTRLn3fzKIfgAPRqRgQjct7EdkEHtiyQKPy8/sZ2Q=,tag:nqzseG6BC0X5UNI/3kZZ3A==,type:str]
 keycloak:
     database: ENC[AES256_GCM,data:76+AZnNR5EiturTP7BdOCKE90bFFkfGlRtviSP5NHxPbb3RfFPJEMlwtzA==,iv:nS7VTossHdlrHjPeethhX+Ysp9ukrb5JD7kjG28OFpY=,tag:OMpiEv9nQA7v6lWJfNxEEw==,type:str]
-keys:
-    wackattack_ctf:
-        flag: ENC[AES256_GCM,data:cZCaGb/u/OZgAvXnuJPL3XqmnIa26Rl2IUpWpG/fpt/dJ7+/KssXVa6A5G6ObQhF7deCmTxuoVP8JU+DQzYRr0ftvKhLJ87rgzrE3j+UkA==,iv:3uFkNqXlVj94klU20yPIUd8tIeyUIfp0++2wkdIkiYM=,tag:OZMyEt118u10F5vSUFZE7A==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -49,8 +46,8 @@ sops:
             akVjeTNTeGorZjJQOVlMeCtPRUVYL3MK+VMvGxrbzGz4Q3sdaDDWjal+OiK+JYKX
             GHiMXVHQJZu/RrlxMjHKN6V3iaqxZpuvLAEJ2Lzy5EOHPtuiiRyeHQ==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-10-26T19:59:04Z"
+    lastmodified: "2023-09-17T02:02:24Z"
-    mac: ENC[AES256_GCM,data:uH0RfKBjjbYvxjl4XyoXWvwUpi+W7IQZjBdC5UoslotToTw0xnici2fKxPNZ9aFJsukLMPLC+tsT/shUqW373f/NyhsJt0Vb2YtuozFQyQstZQEpnm4WuVoFR/MEjAra/PaM4ATHSGgDuHa7qrpdKTLnrMOai5ZqxLfFbLws3dA=,iv:47hHzrnfZG5NtCN0HjziZdDBJTr451/kvY95GpB3G2M=,tag:3TCs7DSeWB6NujDUlQVGjA==,type:str]
+    mac: ENC[AES256_GCM,data:Lkvj9UOdE/WZtFReMs6n8ucFuJNPb76ZhPHFpYAEqYEe8d9FdMPMzq05DBAJe9IqpFS0jc9SWxJUPHfGgoMR8nPciZuR/mpJ+4s/cRkPbApwBPcLlvatE/qkbcxzoLlb1vN0gth5G/U7UEfk5Pp9gIz6Yo4sEIS3Za42tId1MpI=,iv:s3VELgU/RJ98/lbQV3vPtOLXtwFzB3KlY7bMKbAzp/g=,tag:D8s0XyGnd8UhbCseB/TyFg==,type:str]
     pgp:
         - created_at: "2023-05-21T00:28:40Z"
           enc: |
@@ -73,4 +70,4 @@ sops:
             -----END PGP MESSAGE-----
           fp: F7D37890228A907440E1FD4846B9228E814A2AAC
     unencrypted_suffix: _unencrypted
-    version: 3.8.1
+    version: 3.7.3

shell.nix

@@ -3,5 +3,17 @@ pkgs.mkShell {
   nativeBuildInputs = with pkgs; [
     sops
     gnupg
+    openstackclient
   ];
+
+  shellHook = ''
+    export OS_AUTH_URL=https://api.stack.it.ntnu.no:5000
+    export OS_PROJECT_ID=b78432a088954cdc850976db13cfd61c
+    export OS_PROJECT_NAME="STUDORG_Programvareverkstedet"
+    export OS_USER_DOMAIN_NAME="NTNU"
+    export OS_PROJECT_DOMAIN_ID="d3f99bcdaf974685ad0c74c2e5d259db"
+    export OS_REGION_NAME="NTNU-IT"
+    export OS_INTERFACE=public
+    export OS_IDENTITY_API_VERSION=3
+  '';
 }

users/adriangl.nix

@@ -9,7 +9,7 @@
     ];
 
     packages = with pkgs; [
-      exa
+      eza
       neovim
     ];
 

users/danio.nix

@@ -3,7 +3,12 @@
 {
   users.users.danio = {
     isNormalUser = true;
-    extraGroups = [ "drift" ]; # Enable ‘sudo’ for the user.
+    extraGroups = [ "drift" "nix-builder-users" ];
     shell = pkgs.zsh;
+
+    openssh.authorizedKeys.keys = [
+      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCp8iMOx3eTiG5AmDh2KjKcigf7xdRKn9M7iZQ4RqP0np0UN2NUbu+VAMJmkWFyi3JpxmLuhszU0F1xY+3qM3ARduy1cs89B/bBE85xlOeYhcYVmpcgPR5xduS+TuHTBzFAgp+IU7/lgxdjcJ3PH4K0ruGRcX1xrytmk/vdY8IeSk3GVWDRrRbH6brO4cCCFjX0zJ7G6hBQueTPQoOy3jrUvgpRkzZY4ZCuljXtxbuX5X/2qWAkp8ca0iTQ5FzNA5JUyj+DWeEzjIEz6GrckOdV2LjWpT9+CtOqoPZOUudE1J9mJk4snNlMQjE06It7Kr50bpwoPqnxjo7ZjlHFLezl"
+      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDpGSDczzDOhTETCj+uB5e3/9QbOCaVW1knM+n1ey0n6LXH7uiPPmzuZiqfzmfbB1z4bjM2zpn3D6Et6zRCrBUjhTZqf/5GoNlvhVA6QYmBmBp98b8oY7juj5cmu55voxD0S5rC1mQMnWAAf8e8OPbkhs9Lt0XlOYdotLNIZQubzWqE2DK45g/h17ELJs+jkNXoalFjLvLXWzE/C+3pYoeNJVGHfVMTIwt7o64E6JXhxuYTYdSIuzd+BjntkSCXzcAzBFMRwkdlFVoBtLUMMcMQl39kcXv7lAQ8pv+8b1j1N9WuQVf1qEAcZguaimI1ifbXP5d841pZPApCj5KXectIEldfTrcwg8rZpd2UfYS/3XCcOuidBGprY7XsU/jz8wHbH68UjUrsLyaOMnG2ChYztnf63vm3gRs3Fc6FqTycpgYOPDeZBVTcMyPGgtiZvhnTeY20xFS5lK6M+dmgaDqH24kPLiwYSpUF2NK+Rg/2bZxvt/GaSr4U6fJGi3FCJOM= root@DanixLaptop"
+    ];
   };
 }

users/eirikwit.nix

@@ -0,0 +1,18 @@
+{ pkgs, ... }:
+{
+  users.users.eirikwit = {
+    isNormalUser = true;
+    extraGroups = [
+      "wheel"
+      "drift"
+    ];
+
+    packages = with pkgs; [
+      micro
+    ];
+
+    openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGZusOSiUVSMjrvNdUq4R91Gafq4XVs9C77Zt+LMPhCU eirikw@live.no"
+    ];
+  };
+}

users/jonmro.nix

@@ -0,0 +1,12 @@
+{pkgs, ...}:
+
+{
+  users.users.jonmro = {
+    isNormalUser = true;
+    extraGroups = [ "wheel" "drift" "nix-builder-users" ]; 
+    shell = pkgs.zsh;
+    openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEm5PfYmfl/0fnAP/3coVlvTw3/TYNLT6r/NwJHZbLAK jonrodtang@gmail.com"
+    ];
+  };
+}

users/oysteikt.nix

@@ -6,11 +6,12 @@
     extraGroups = [
       "wheel"
       "drift"
+      "nix-builder-users"
     ];
 
     packages = with pkgs; [
       bottom
-      exa
+      eza
       neovim
       diskonaut
       ripgrep

values.nix

@@ -37,6 +37,13 @@ in rec {
       ipv4 = pvv-ipv4 209;
       ipv6 = pvv-ipv6 209;
     };
+    bob = {
+      ipv4 = "129.241.152.254";
+      # ipv6 = ;
+    };
+    knutsen = {
+      ipv4 = pvv-ipv4 191;
+    };
     shark = {
       ipv4 = pvv-ipv4 196;
       ipv6 = pvv-ipv6 196;
@@ -49,6 +56,10 @@ in rec {
       ipv4 = pvv-ipv4 204;
       ipv6 = pvv-ipv6 "1:4f"; # Wtf øystein og daniel why
     };
+    buskerud = {
+      ipv4 = pvv-ipv4 231;
+      ipv6 = pvv-ipv6 231;
+    };
   };
 
   defaultNetworkConfig = {