WIP: modules/debug-locations

Reviewed-on: Drift/pvv-nixos-config#25

.sops.yaml

@@ -3,6 +3,7 @@ keys:
   - &user_danio age17tagmpwqjk3mdy45rfesrfey6h863x8wfq38wh33tkrlrywxducs0k6tpq
   - &user_felixalb age1mrnldl334l2nszuta6ywvewng0fswv2dz9l5g4qcwe3nj4yxf92qjskdx6
   - &user_oysteikt F7D37890228A907440E1FD4846B9228E814A2AAC
+  - &user_eirikwit age1ju7rd26llahz3g8tz7cy5ld52swj8gsmg0flrmrxngc0nj0avq3ssh0sn5
 
   # Hosts
   - &host_jokum age1gp8ye4g2mmw3may5xg0zsy7mm04glfz3788mmdx9cvcsdxs9hg0s0cc9kt
@@ -16,8 +17,13 @@ creation_rules:
     key_groups:
     - age:
       - *host_jokum
+      - *host_ildkule
+      - *host_bekkalokk
+      - *host_bicep
+
       - *user_danio
       - *user_felixalb
+      - *user_eirikwit
       pgp:
       - *user_oysteikt
 

README.MD

@@ -26,7 +26,7 @@ Det er sikkert lurt å lage en PR først om du ikke er vandt til nix enda.
 Innen 24h skal alle systemene hente ned den nye konfigurasjonen og deploye den.
 
 Du kan tvinge en maskin til å oppdatere seg før dette ved å kjøre:
-`nixos-rebuild switch --update-input nixpkgs --update-input unstable --no-write-lock-file --refresh --flake git+https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git --upgrade`
+`nixos-rebuild switch --update-input nixpkgs --update-input nixpkgs-unstable --no-write-lock-file --refresh --flake git+https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git --upgrade`
 
 som root på maskinen.
 

base.nix

@@ -3,6 +3,8 @@
 {
   imports = [
     ./users
+    ./modules/snakeoil-certs.nix
+    ./modules/debug-locations.nix
   ];
 
   networking.domain = "pvv.ntnu.no";
@@ -32,7 +34,7 @@
     flake = "git+https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git";
     flags = [
       "--update-input" "nixpkgs"
-      "--update-input" "unstable"
+      "--update-input" "nixpkgs-unstable"
       "--no-write-lock-file"
     ];
   };
@@ -58,6 +60,7 @@
     gnupg
     htop
     nano
+    ripgrep
     rsync
     screen
     tmux
@@ -71,6 +74,9 @@
 
   users.groups."drift".name = "drift";
 
+  # Trusted users on the nix builder machines
+  users.groups."nix-builder-users".name = "nix-builder-users";
+
   services.openssh = {
     enable = true;
     extraConfig = ''
@@ -79,5 +85,27 @@
     settings.PermitRootLogin = "yes";
   };
 
+  sops.age = {
+    sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+    keyFile = "/var/lib/sops-nix/key.txt";
+    generateKey = true;
+  };
 
+  # nginx return 444 for all nonexistent virtualhosts
+
+  systemd.services.nginx.after = [ "generate-snakeoil-certs.service" ];
+
+  environment.snakeoil-certs = lib.mkIf (config.services.nginx.enable) {
+    "/etc/certs/nginx" = {
+      owner = "nginx";
+      group = "nginx";
+    };
+  };
+
+  services.nginx.virtualHosts."_" = lib.mkIf (config.services.nginx.enable) {
+    sslCertificate = "/etc/certs/nginx.crt";
+    sslCertificateKey = "/etc/certs/nginx.key";
+    addSSL = true;
+    extraConfig = "return 444;";
+  };
 }

flake.lock

@@ -1,9 +1,29 @@
 {
   "nodes": {
+    "disko": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1710169806,
+        "narHash": "sha256-HeWFrRuHpnAiPmIr26OKl2g142HuGerwoO/XtW53pcI=",
+        "owner": "nix-community",
+        "repo": "disko",
+        "rev": "fe064a639319ed61cdf12b8f6eded9523abcc498",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "disko",
+        "type": "github"
+      }
+    },
     "grzegorz": {
       "inputs": {
         "nixpkgs": [
-          "unstable"
+          "nixpkgs-unstable"
         ]
       },
       "locked": {
@@ -42,14 +62,16 @@
     },
     "matrix-next": {
       "inputs": {
-        "nixpkgs-lib": "nixpkgs-lib"
+        "nixpkgs": [
+          "nixpkgs"
+        ]
       },
       "locked": {
-        "lastModified": 1697420972,
-        "narHash": "sha256-eFDasOzXAN8VswUntNBBwvKFyVKFvmwRNNVTDfGdB3M=",
+        "lastModified": 1710311999,
+        "narHash": "sha256-s0pT1NyrMgeolUojXXcnXQDymN7m80GTF7itCv0ZH20=",
         "owner": "dali99",
         "repo": "nixos-matrix-modules",
-        "rev": "1e370b96223b94d52006249a60033caaea605c65",
+        "rev": "6c9b67974b839740e2a738958512c7a704481157",
         "type": "github"
       },
       "original": {
@@ -60,51 +82,50 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1697706247,
-        "narHash": "sha256-nWLggeUxn/l8JrcQr9f+RfnCXp8cn0BN568PjMJh9ko=",
+        "lastModified": 1710248792,
+        "narHash": "sha256-yFyWw4na+nJgtXwhHs2SJSy5Lcw94/FcMbBOorlGdfI=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "4ee5b576ac2861a818950aea99f609d7a6fc02a3",
+        "rev": "efbb274f364c918b9937574de879b5874b5833cc",
         "type": "github"
       },
       "original": {
-        "owner": "NixOS",
-        "ref": "nixos-23.05-small",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
-    },
-    "nixpkgs-lib": {
-      "locked": {
-        "lastModified": 1673743903,
-        "narHash": "sha256-sloY6KYyVOozJ1CkbgJPpZ99TKIjIvM+04V48C04sMQ=",
-        "owner": "nix-community",
-        "repo": "nixpkgs.lib",
-        "rev": "7555e2dfcbac1533f047021f1744ac8871150f9f",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-community",
-        "repo": "nixpkgs.lib",
-        "type": "github"
+        "id": "nixpkgs",
+        "ref": "nixos-23.11-small",
+        "type": "indirect"
       }
     },
     "nixpkgs-stable": {
       "locked": {
-        "lastModified": 1697332183,
-        "narHash": "sha256-ACYvYsgLETfEI2xM1jjp8ZLVNGGC0onoCGe+69VJGGE=",
+        "lastModified": 1710033658,
+        "narHash": "sha256-yiZiVKP5Ya813iYLho2+CcFuuHpaqKc/CoxOlANKcqM=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "0e1cff585c1a85aeab059d3109f66134a8f76935",
+        "rev": "b17375d3bb7c79ffc52f3538028b2ec06eb79ef8",
         "type": "github"
       },
       "original": {
         "owner": "NixOS",
-        "ref": "release-23.05",
+        "ref": "release-23.11",
         "repo": "nixpkgs",
         "type": "github"
       }
     },
+    "nixpkgs-unstable": {
+      "locked": {
+        "lastModified": 1710247538,
+        "narHash": "sha256-Mm3aCwfAdYgG2zKf5SLRBktPH0swXN1yEetAMn05KAA=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "21adc4f16a8ab151fec83b9d9368cd62d9de86bc",
+        "type": "github"
+      },
+      "original": {
+        "id": "nixpkgs",
+        "ref": "nixos-unstable-small",
+        "type": "indirect"
+      }
+    },
     "pvv-calendar-bot": {
       "inputs": {
         "nixpkgs": [
@@ -127,13 +148,14 @@
     },
     "root": {
       "inputs": {
+        "disko": "disko",
         "grzegorz": "grzegorz",
         "grzegorz-clients": "grzegorz-clients",
         "matrix-next": "matrix-next",
         "nixpkgs": "nixpkgs",
+        "nixpkgs-unstable": "nixpkgs-unstable",
         "pvv-calendar-bot": "pvv-calendar-bot",
-        "sops-nix": "sops-nix",
-        "unstable": "unstable"
+        "sops-nix": "sops-nix"
       }
     },
     "sops-nix": {
@@ -144,11 +166,11 @@
         "nixpkgs-stable": "nixpkgs-stable"
       },
       "locked": {
-        "lastModified": 1697339241,
-        "narHash": "sha256-ITsFtEtRbCBeEH9XrES1dxZBkE1fyNNUfIyQjQ2AYQs=",
+        "lastModified": 1710195194,
+        "narHash": "sha256-KFxCJp0T6TJOz1IOKlpRdpsCr9xsvlVuWY/VCiAFnTE=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "51186b8012068c417dac7c31fb12861726577898",
+        "rev": "e52d8117b330f690382f1d16d81ae43daeb4b880",
         "type": "github"
       },
       "original": {
@@ -156,22 +178,6 @@
         "repo": "sops-nix",
         "type": "github"
       }
-    },
-    "unstable": {
-      "locked": {
-        "lastModified": 1697713104,
-        "narHash": "sha256-DN7YOyKMCpAVeZ44N42LrujtTkoerkS9+kTufQiuntY=",
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "6be2c349a30fcb489a3153dd331e9df387ab6449",
-        "type": "github"
-      },
-      "original": {
-        "owner": "NixOS",
-        "ref": "nixos-unstable-small",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
     }
   },
   "root": "root",

flake.nix

@@ -2,24 +2,28 @@
   description = "PVV System flake";
 
   inputs = {
-    nixpkgs.url = "github:NixOS/nixpkgs/nixos-23.05-small";
-    unstable.url = "github:NixOS/nixpkgs/nixos-unstable-small";
+    nixpkgs.url = "nixpkgs/nixos-23.11-small";
+    nixpkgs-unstable.url = "nixpkgs/nixos-unstable-small";
 
     sops-nix.url = "github:Mic92/sops-nix";
     sops-nix.inputs.nixpkgs.follows = "nixpkgs";
 
+    disko.url = "github:nix-community/disko";
+    disko.inputs.nixpkgs.follows = "nixpkgs";
+
     pvv-calendar-bot.url = "git+https://git.pvv.ntnu.no/Projects/calendar-bot.git";
     pvv-calendar-bot.inputs.nixpkgs.follows = "nixpkgs";
 
     matrix-next.url = "github:dali99/nixos-matrix-modules";
+    matrix-next.inputs.nixpkgs.follows = "nixpkgs";
 
     grzegorz.url = "github:Programvareverkstedet/grzegorz";
-    grzegorz.inputs.nixpkgs.follows = "unstable";
+    grzegorz.inputs.nixpkgs.follows = "nixpkgs-unstable";
     grzegorz-clients.url = "github:Programvareverkstedet/grzegorz-clients";
     grzegorz-clients.inputs.nixpkgs.follows = "nixpkgs";
   };
 
-  outputs = { self, nixpkgs, matrix-next, pvv-calendar-bot, unstable, sops-nix, ... }@inputs:
+  outputs = { self, nixpkgs, nixpkgs-unstable, sops-nix, disko, ... }@inputs:
   let
     nixlib = nixpkgs.lib;
     systems = [
@@ -38,67 +42,72 @@
     ];
   in {
     nixosConfigurations = let
+      unstablePkgs = nixpkgs-unstable.legacyPackages.x86_64-linux;
       nixosConfig = nixpkgs: name: config: nixpkgs.lib.nixosSystem (nixpkgs.lib.recursiveUpdate
         rec {
           system = "x86_64-linux";
           specialArgs = {
-            inherit unstable inputs;
+            inherit nixpkgs-unstable inputs;
             values = import ./values.nix;
           };
 
           modules = [
             ./hosts/${name}/configuration.nix
             sops-nix.nixosModules.sops
-          ];
+          ] ++ config.modules or [];
 
           pkgs = import nixpkgs {
             inherit system;
-            overlays = [
-              (final: prev: {
-                mx-puppet-discord = prev.mx-puppet-discord.override { nodejs_14 = final.nodejs_18; };
-              })
-              pvv-calendar-bot.overlays.${system}.default
-            ];
+            overlays = [ ] ++ config.overlays or [ ];
           };
         }
-        config
+        (removeAttrs config [ "modules" "overlays" ])
       );
 
       stableNixosConfig = nixosConfig nixpkgs;
-      unstableNixosConfig = nixosConfig unstable;
+      unstableNixosConfig = nixosConfig nixpkgs-unstable;
     in {
       bicep = stableNixosConfig "bicep" {
         modules = [
-          ./hosts/bicep/configuration.nix
-          sops-nix.nixosModules.sops
-
-          matrix-next.nixosModules.default
-          pvv-calendar-bot.nixosModules.default
+          inputs.matrix-next.nixosModules.default
+          inputs.pvv-calendar-bot.nixosModules.default
+        ];
+        overlays = [
+          inputs.pvv-calendar-bot.overlays.x86_64-linux.default
+        ];
+      };
+      bekkalokk = stableNixosConfig "bekkalokk" {
+        overlays = [
+          (final: prev: {
+            heimdal = unstablePkgs.heimdal;
+            mediawiki-extensions = final.callPackage ./packages/mediawiki-extensions { };
+            simplesamlphp = final.callPackage ./packages/simplesamlphp { };
+          })
+        ];
+      };
+      bob = stableNixosConfig "bob" {
+        modules = [
+          disko.nixosModules.disko
+          { disko.devices.disk.disk1.device = "/dev/vda"; }
         ];
       };
-      bekkalokk = stableNixosConfig "bekkalokk" { };
       ildkule = stableNixosConfig "ildkule" { };
       #ildkule-unstable = unstableNixosConfig "ildkule" { };
       shark = stableNixosConfig "shark" { };
 
       brzeczyszczykiewicz = stableNixosConfig "brzeczyszczykiewicz" {
         modules = [
-          ./hosts/brzeczyszczykiewicz/configuration.nix
-          sops-nix.nixosModules.sops
-
           inputs.grzegorz.nixosModules.grzegorz-kiosk
           inputs.grzegorz-clients.nixosModules.grzegorz-webui
         ];
       };
       georg = stableNixosConfig "georg" {
         modules = [
-          ./hosts/georg/configuration.nix
-          sops-nix.nixosModules.sops
-
           inputs.grzegorz.nixosModules.grzegorz-kiosk
           inputs.grzegorz-clients.nixosModules.grzegorz-webui
         ];
       };
+      buskerud = stableNixosConfig "buskerud" { };
     };
 
     devShells = forAllSystems (system: {
@@ -114,6 +123,10 @@
           (nixlib.getAttrs importantMachines self.packages.x86_64-linux);
         all-machines = pkgs.linkFarm "all-machines"
           (nixlib.getAttrs allMachines self.packages.x86_64-linux);
+
+        simplesamlphp = pkgs.callPackage ./packages/simplesamlphp { };
+
+        mediawiki-extensions = pkgs.callPackage ./packages/mediawiki-extensions { };
       } // nixlib.genAttrs allMachines
         (machine: self.nixosConfigurations.${machine}.config.system.build.toplevel);
     };

hosts/bekkalokk/configuration.nix

@@ -5,15 +5,17 @@
 
     ../../base.nix
     ../../misc/metrics-exporters.nix
-    ../../modules/wackattack-ctf-stockfish
 
     #./services/keycloak.nix
 
     # TODO: set up authentication for the following:
-    ./services/website.nix
-    ./services/nginx.nix
+    # ./services/website.nix
+    ./services/nginx
     ./services/gitea/default.nix
-    # ./services/mediawiki.nix
+    ./services/kerberos
+    ./services/webmail
+    ./services/mediawiki
+    ./services/idp-simplesamlphp
   ];
 
   sops.defaultSopsFile = ../../secrets/bekkalokk/bekkalokk.yaml;

hosts/bekkalokk/services/gitea/gitea-import-users.py

@@ -32,7 +32,6 @@ def add_user(username, name):
             "full_name": name,
             "username": username,
             "login_name": username,
-            "visibility": "public",
             "source_id": 1,  # 1 = SMTP
     }
 
@@ -52,6 +51,7 @@ def add_user(username, name):
         existing_users[username] = user
 
     else:
+        user["visibility"] = existing_users[username]["visibility"]
         r = requests.patch(GITEA_API_URL + f'/admin/users/{username}',
                            json=user,
                            headers={'Authorization': 'token ' + API_TOKEN})

hosts/bekkalokk/services/idp-simplesamlphp/authpwauth.php

@@ -0,0 +1,135 @@
+<?php
+
+/**
+ * Authenticate using HTTP login.
+ *
+ * @author Yorn de Jong
+ * @author Oystein Kristoffer Tveit
+ * @package simpleSAMLphp
+ */
+
+namespace SimpleSAML\Module\authpwauth\Auth\Source;
+
+class PwAuth extends \SimpleSAML\Module\core\Auth\UserPassBase
+{
+    protected $pwauth_bin_path;
+    protected $mail_domain;
+
+    public function __construct(array $info, array &$config) {
+            assert('is_array($info)');
+            assert('is_array($config)');
+
+            /* Call the parent constructor first, as required by the interface. */
+            parent::__construct($info, $config);
+
+            $this->pwauth_bin_path = $config['pwauth_bin_path'];
+            if (array_key_exists('mail_domain', $config)) {
+                    $this->mail_domain = '@' . ltrim($config['mail_domain'], '@');
+            }
+    }
+
+    public function login(string $username, string $password): array {
+            $username = strtolower( $username );
+
+	    if (!file_exists($this->pwauth_bin_path)) {
+                    die("Could not find pwauth binary");
+                    return false;
+	    }
+
+	    if (!is_executable($this->pwauth_bin_path)) {
+                    die("pwauth binary is not executable");
+                    return false;
+	    }
+
+            $handle = popen($this->pwauth_bin_path, 'w');
+            if ($handle === FALSE) {
+                    die("Error opening pipe to pwauth");
+                    return false;
+            }
+
+            $data = "$username\n$password\n";
+            if (fwrite($handle, $data) !== strlen($data)) {
+                    die("Error writing to pwauth pipe");
+                    return false;
+            }
+
+            # Is the password valid?
+            $result = pclose( $handle );
+            if ($result !== 0) {
+                    if (!in_array($result, [1, 2, 3, 4, 5, 6, 7], true)) {
+                            die("pwauth returned $result for username $username");
+                    }
+                    throw new \SimpleSAML\Error\Error('WRONGUSERPASS');
+            }
+            /*
+            $ldap = ldap_connect('129.241.210.159', 389);
+            ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
+            ldap_start_tls($ldap);
+            ldap_bind($ldap, 'passordendrer@pvv.ntnu.no', 'Oi7aekoh');
+            $search = ldap_search($ldap, 'DC=pvv,DC=ntnu,DC=no', '(sAMAccountName='.ldap_escape($username, '', LDAP_ESCAPE_FILTER).')');
+            $entry = ldap_first_entry($ldap, $search);
+            $dn = ldap_get_dn($ldap, $entry);
+            $newpassword = mb_convert_encoding("\"$password\"", 'UTF-16LE', 'UTF-8');
+            ldap_modify_batch($ldap, $dn, [
+                    #[
+                    #       'modtype' => LDAP_MODIFY_BATCH_REMOVE,
+                    #       'attrib' => 'unicodePwd',
+                    #       'values' => [$password],
+                    #],
+                    [
+                            #'modtype' => LDAP_MODIFY_BATCH_ADD,
+                            'modtype' => LDAP_MODIFY_BATCH_REPLACE,
+                            'attrib' => 'unicodePwd',
+                            'values' => [$newpassword],
+                    ],
+            ]);
+            */
+
+            #0  -  Login OK.
+            #1  -  Nonexistant login or (for some configurations) incorrect password.
+            #2  -  Incorrect password (for some configurations).
+            #3  -  Uid number is below MIN_UNIX_UID value configured in config.h.
+            #4  -  Login ID has expired.
+            #5  -  Login's password has expired.
+            #6  -  Logins to system have been turned off (usually by /etc/nologin file).
+            #7  -  Limit on number of bad logins exceeded.
+            #50 -  pwauth was not run with real uid SERVER_UID.  If you get this
+            #      this error code, you probably have SERVER_UID set incorrectly
+            #      in pwauth's config.h file.
+            #51 -  pwauth was not given a login & password to check.  The means
+            #      the passing of data from mod_auth_external to pwauth is messed
+            #      up.  Most likely one is trying to pass data via environment
+            #      variables, while the other is trying to pass data via a pipe.
+            #52 -  one of several possible internal errors occured.
+
+
+            $uid = $username;
+	    # TODO: Reinstate this code once passwd is working...
+	    /*
+            $cn = trim(shell_exec('getent passwd '.escapeshellarg($uid).' | cut -d: -f5 | cut -d, -f1'));
+
+            $groups = preg_split('_\\s_', shell_exec('groups '.escapeshellarg($uid)));
+            array_shift($groups);
+            array_shift($groups);
+            array_pop($groups);
+	    
+            $info = posix_getpwnam($uid);
+            $group = $info['gid'];
+            if (!in_array($group, $groups)) {
+                    $groups[] = $group;
+            }
+	    */
+	    $cn = "Unknown McUnknown";
+	    $groups = array();
+
+            $result = array(
+                    'uid' => array($uid),
+                    'cn' => array($cn),
+                    'group' => $groups,
+            );
+            if (isset($this->mail_domain)) {
+                    $result['mail'] = array($uid.$this->mail_domain);
+            }
+            return $result;
+    }
+}

hosts/bekkalokk/services/idp-simplesamlphp/default.nix

@@ -0,0 +1,203 @@
+{ config, pkgs, lib, ... }:
+let
+  pwAuthScript = pkgs.writeShellApplication {
+    name = "pwauth";
+    runtimeInputs = with pkgs; [ coreutils heimdal ];
+    text = ''
+      read -r user1
+      user2="$(echo -n "$user1" | tr -c -d '0123456789abcdefghijklmnopqrstuvwxyz')"
+      if test "$user1" != "$user2"
+      then
+        read -r _
+        exit 2
+      fi
+      kinit --password-file=STDIN "''${user1}@PVV.NTNU.NO" >/dev/null 2>/dev/null
+      kdestroy >/dev/null 2>/dev/null
+    '';
+  };
+
+  package = pkgs.simplesamlphp.override {
+    extra_files = {
+      # NOTE: Using self signed certificate created 30. march 2024, with command:
+      # openssl req -newkey rsa:4096 -new -x509 -days 365 -nodes -out idp.crt -keyout idp.pem
+      "metadata/saml20-idp-hosted.php" = pkgs.writeText "saml20-idp-remote.php" ''
+        <?php
+	  $metadata['https://idp2.pvv.ntnu.no/'] = array(
+	    'host' => '__DEFAULT__',
+	    'privatekey' => '${config.sops.secrets."idp/privatekey".path}',
+	    'certificate' => '${./idp.crt}',
+	    'auth' => 'pwauth',
+	  );
+	?>
+      '';
+
+      "metadata/saml20-sp-remote.php" = pkgs.writeText "saml20-sp-remote.php" ''
+        <?php
+	  ${ lib.pipe config.services.idp.sp-remote-metadata [
+             (map (url: ''
+               $metadata['${url}'] = [
+                   'SingleLogoutService' => [
+                       [
+                           'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
+                           'Location' => '${url}module.php/saml/sp/saml2-logout.php/default-sp',
+                       ],
+                       [
+                           'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:SOAP',
+                           'Location' => '${url}module.php/saml/sp/saml2-logout.php/default-sp',
+                       ],
+                   ],
+                   'AssertionConsumerService' => [
+                       [
+                           'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
+                           'Location' => '${url}module.php/saml/sp/saml2-acs.php/default-sp',
+                           'index' => 0,
+                       ],
+                       [
+                           'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact',
+                           'Location' => '${url}module.php/saml/sp/saml2-acs.php/default-sp',
+                           'index' => 1,
+                       ],
+                   ],
+               ];
+	     ''))
+	     (lib.concatStringsSep "\n")
+	  ]}
+	?>
+      '';
+
+      "config/authsources.php" = pkgs.writeText "idp-authsources.php" ''
+        <?php
+          $config = array(
+	    'admin' => array(
+	      'core:AdminPassword'
+	    ),
+            'pwauth' => array(
+               'authpwauth:PwAuth',
+               'pwauth_bin_path' => '${lib.getExe pwAuthScript}',
+               'mail_domain' => '@pvv.ntnu.no',
+            ),
+          );
+	?>
+      '';
+
+      "config/config.php" = pkgs.runCommandLocal "simplesamlphp-config.php" { } ''
+        cp ${./config.php} "$out"
+
+        substituteInPlace "$out" \
+          --replace '$SAML_COOKIE_SECURE' 'true' \
+          --replace '$SAML_COOKIE_SALT' 'file_get_contents("${config.sops.secrets."idp/cookie_salt".path}")' \
+          --replace '$SAML_ADMIN_NAME' '"Drift"' \
+          --replace '$SAML_ADMIN_EMAIL' '"drift@pvv.ntnu.no"' \
+          --replace '$SAML_ADMIN_PASSWORD' 'file_get_contents("${config.sops.secrets."idp/admin_password".path}")' \
+          --replace '$SAML_TRUSTED_DOMAINS' 'array( "idp2.pvv.ntnu.no" )' \
+          --replace '$SAML_DATABASE_DSN' '"pgsql:host=postgres.pvv.ntnu.no;port=5432;dbname=idp"' \
+          --replace '$SAML_DATABASE_USERNAME' '"idp"' \
+          --replace '$SAML_DATABASE_PASSWORD' 'file_get_contents("${config.sops.secrets."idp/postgres_password".path}")' \
+          --replace '$CACHE_DIRECTORY' '/var/cache/idp'
+      '';
+
+      "modules/authpwauth/src/Auth/Source/PwAuth.php" = ./authpwauth.php;
+    };
+  };
+in
+{
+  options.services.idp.sp-remote-metadata = lib.mkOption {
+    type = with lib.types; listOf str;
+    default = [ ];
+    description = ''
+      List of urls point to (simplesamlphp) service profiders, which the idp should trust.
+
+      :::{.note}
+	Make sure the url ends with a `/`
+      :::
+    '';
+  };
+
+  config = {
+    sops.secrets = {
+      "idp/privatekey" = {
+        owner = "idp";
+        group = "idp";
+        mode = "0770";
+      };
+      "idp/admin_password" = {
+        owner = "idp";
+        group = "idp";
+      };
+      "idp/postgres_password" = {
+        owner = "idp";
+        group = "idp";
+      };
+      "idp/cookie_salt" = {
+        owner = "idp";
+        group = "idp";
+      };
+    };  
+
+    users.groups."idp" = { };
+    users.users."idp" = {
+      description = "PVV Identity Provider Service User";
+      group = "idp";
+      createHome = false;
+      isSystemUser = true;
+    };
+
+    systemd.tmpfiles.settings."10-idp" = {
+      "/var/cache/idp".d = {
+        user = "idp";
+        group = "idp";
+        mode = "0770";
+      };
+      "/var/lib/idp".d = {
+        user = "idp";
+        group = "idp";
+        mode = "0770";
+      };
+    };
+
+    services.phpfpm.pools.idp = {
+      user = "idp";
+      group = "idp";
+      settings = let
+        listenUser = config.services.nginx.user;
+        listenGroup = config.services.nginx.group;
+      in {
+        "pm" = "dynamic";
+        "pm.max_children" = 32;
+        "pm.max_requests" = 500;
+        "pm.start_servers" = 2;
+        "pm.min_spare_servers" = 2;
+        "pm.max_spare_servers" = 4;
+        "listen.owner" = listenUser;
+        "listen.group" = listenGroup;
+
+        "catch_workers_output" = true;
+        "php_admin_flag[log_errors]" = true;
+        # "php_admin_value[error_log]" = "stderr";
+      };
+    };
+
+    services.nginx.virtualHosts."idp2.pvv.ntnu.no" = {
+      forceSSL = true;
+      enableACME = true;
+      root = "${package}/share/php/simplesamlphp/public";
+      locations =  {
+        # based on https://simplesamlphp.org/docs/stable/simplesamlphp-install.html#configuring-nginx
+        "/" = {
+          alias = "${package}/share/php/simplesamlphp/public/";
+          index = "index.php";
+
+          extraConfig = ''
+            location ~ ^/(?<phpfile>.+?\.php)(?<pathinfo>/.*)?$ {
+              include ${pkgs.nginx}/conf/fastcgi_params;
+              fastcgi_pass unix:${config.services.phpfpm.pools.idp.socket};
+              fastcgi_param SCRIPT_FILENAME ${package}/share/php/simplesamlphp/public/$phpfile;
+              fastcgi_param SCRIPT_NAME /$phpfile;
+              fastcgi_param PATH_INFO $pathinfo if_not_empty;
+            }
+          '';
+        };
+      };
+    };
+  };
+}

hosts/bekkalokk/services/idp-simplesamlphp/idp.crt

@@ -0,0 +1,33 @@
+-----BEGIN CERTIFICATE-----
+MIIFqTCCA5GgAwIBAgIUL2+PMM9rE9wI5W2yNnJ2CmfGxh0wDQYJKoZIhvcNAQEL
+BQAwZDELMAkGA1UEBhMCTk8xEzARBgNVBAgMClNvbWUtU3RhdGUxHjAcBgNVBAoM
+FVByb2dyYW12YXJldmVya3N0ZWRldDEgMB4GCSqGSIb3DQEJARYRZHJpZnRAcHZ2
+Lm50bnUubm8wHhcNMjQwMzMwMDAyNjQ0WhcNMjUwMzMwMDAyNjQ0WjBkMQswCQYD
+VQQGEwJOTzETMBEGA1UECAwKU29tZS1TdGF0ZTEeMBwGA1UECgwVUHJvZ3JhbXZh
+cmV2ZXJrc3RlZGV0MSAwHgYJKoZIhvcNAQkBFhFkcmlmdEBwdnYubnRudS5ubzCC
+AiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAL/0l0jdV+PoVxdd21F+2NLm
+JN6sZmSJexOSk/sFjhhF4WMtjOfDAQYjt3hlLPyYl//jCe9WteavvtdCx1tHJitd
+xjOUJ/leVjHzBttCVZR+iTlQtpsZ2TbRMJ5Fcfl82njlPecV4umJvnnFXawE4Qee
+dE2OM8ODjjrK1cNaHR74tyZCwmdOxNHXZ7RN22p9kZjLD18LQyNr5igaDBeaZkyk
+Gxbg4tbP51x9JFRLF7kUlyAc83geFnw6v/wBahr49m/X4y7xE0rdPb2L0moUjmOO
+Zyl3hvxMI3+g/0FVMM5eKmfIIP2rIVEAa6MWMx0vPjC6h2fIyxkUqg5C8aFlpqav
++8f2rUc+JfdiFsIZNrylBXsleGzS+/wY1uB/pAy5Vg9WCp+eC75EtWMt0k2f442G
+rhKa3lAZ6GIYrtEiQiNGM1aT1Cs1nqTtslfnHiuAKBefLjCXgq9uvL2yRodwe9/m
+oZiqYnLHy/v1xfnF5rKTcRmOleU3tc+nlN6tZSGC1nZgMpqpoqdcbJXAkvaJ2Km4
+sl0YS28VQnztgzuVPNdnv8lcS6HmkaGaNWbepKgWeaH5oT7O6u99wZIv88m+tf5m
+Eu197YVpcclnojQCYKauWcQFsXS20egsVP87Qk0e2SHmGTUQp6YEYX6RLjkg7/vS
+BelDBbCldraNVEiC0jmpAgMBAAGjUzBRMB0GA1UdDgQWBBSL0yofG5NEmzFIRuqC
+xmyiuZW6DTAfBgNVHSMEGDAWgBSL0yofG5NEmzFIRuqCxmyiuZW6DTAPBgNVHRMB
+Af8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4ICAQAZZVs7BLk/NLq3f4Ik8qH3IoDN
+2m4XXRZS+xxw5RwctgSnik7AffgAfv8QQm2co8UYkHbB0whaG1PDz+L7wB1hVkWn
+DVUaJcKQnn0x+sNU5LoTbjI0PlaST7PO5D0OMFab8FSNxpzzpbUcgZUhelc99Ri/
+2Gh8mf4b3Y3Uzq6YKFsuFM65OuJhH8f1w6onai9x28t6tERHUSUfJ2keXzU4ytCV
+EitWXwhe759VLqmdP4BATwlCOCuwa5aDeGcWRIqFpYIn0SOAmVV3o4V71JdZc1jE
+fuOo/PbiHZ+R9ZGbh98aMidb0moL1ZDhmir9KbedezNyki6JJ72mVclhLqUajFxr
+T39FXd5e2+QBMHPPhVFznQoHWnHEbZigTt61b0cg/TsxaxOkF4Ilmr/2DmSWysWK
+TF5eq8hp6/53qVbXXSzrCjxd3wzGnRabsEVPX/L2hYDx81hluovJQCtskqTq1joI
+W2R7AO5Sdyc6NfOR85kl0HXzHa+0Slsf8ZDs5nCz/mOOPoAGl7IxF7xQ6kPO7V+U
+HdGE2tkblM/TrAObJH0HXySeJGI7Vfya+D1Y8IqGtyZtWyx1DmlA/OezGGf5D3rG
+88LywHQQ2mQ+8aosBTE4+HQ+apLKZBprqQKuiDjT1RSUbfUHQkYuL+D1oIVmklAc
+UxTpf01QJnZkMqf5NQ==
+-----END CERTIFICATE-----

hosts/bekkalokk/services/idp-simplesamlphp/metadata.php.nix

@@ -0,0 +1,22 @@
+''
+  <?php
+  $metadata['https://idp2.pvv.ntnu.no/'] = [
+      'metadata-set' => 'saml20-idp-hosted',
+      'entityid' => 'https://idp2.pvv.ntnu.no/',
+      'SingleSignOnService' => [
+          [
+              'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
+              'Location' => 'https://idp2.pvv.ntnu.no/module.php/saml/idp/singleSignOnService',
+          ],
+      ],
+      'SingleLogoutService' => [
+          [
+              'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
+              'Location' => 'https://idp2.pvv.ntnu.no/module.php/saml/idp/singleLogout',
+          ],
+      ],
+      'NameIDFormat' => [ 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient' ],
+      'certificate' => '${./idp.crt}',
+  ];
+  ?>
+''

hosts/bekkalokk/services/kerberos/default.nix

@@ -0,0 +1,27 @@
+{ config, pkgs, lib, ... }:
+{
+  #######################
+  # TODO: remove these once nixos 24.05 gets released
+  #######################
+  imports = [
+    ./krb5.nix
+    ./pam.nix
+  ];
+  disabledModules = [
+    "config/krb5/default.nix"
+    "security/pam.nix"
+  ];
+  #######################
+
+  security.krb5 = {
+    enable = true;
+    settings = {
+      libdefaults = {
+        default_realm = "PVV.NTNU.NO";
+        dns_lookup_realm = "yes";
+        dns_lookup_kdc = "yes";
+      };
+      realms."PVV.NTNU.NO".admin_server = "kdc.pvv.ntnu.no";
+    };
+  };
+}

hosts/bekkalokk/services/kerberos/krb5-conf-format.nix

@@ -0,0 +1,88 @@
+{ pkgs, lib, ... }:
+
+# Based on
+# - https://web.mit.edu/kerberos/krb5-1.12/doc/admin/conf_files/krb5_conf.html
+# - https://manpages.debian.org/unstable/heimdal-docs/krb5.conf.5heimdal.en.html
+
+let
+  inherit (lib) boolToString concatMapStringsSep concatStringsSep filter
+    isAttrs isBool isList mapAttrsToList mdDoc mkOption singleton splitString;
+  inherit (lib.types) attrsOf bool coercedTo either int listOf oneOf path
+    str submodule;
+in
+{ }: {
+  type = let
+    section = attrsOf relation;
+    relation = either (attrsOf value) value;
+    value = either (listOf atom) atom;
+    atom = oneOf [int str bool];
+  in submodule {
+    freeformType = attrsOf section;
+    options = {
+      include = mkOption {
+        default = [ ];
+        description = mdDoc ''
+          Files to include in the Kerberos configuration.
+        '';
+        type = coercedTo path singleton (listOf path);
+      };
+      includedir = mkOption {
+        default = [ ];
+        description = mdDoc ''
+          Directories containing files to include in the Kerberos configuration.
+        '';
+        type = coercedTo path singleton (listOf path);
+      };
+      module = mkOption {
+        default = [ ];
+        description = mdDoc ''
+          Modules to obtain Kerberos configuration from.
+        '';
+        type = coercedTo path singleton (listOf path);
+      };
+    };
+  };
+
+  generate = let
+    indent = str: concatMapStringsSep "\n" (line: "  " + line) (splitString "\n" str);
+
+    formatToplevel = args @ {
+      include ? [ ],
+      includedir ? [ ],
+      module ? [ ],
+      ...
+    }: let
+      sections = removeAttrs args [ "include" "includedir" "module" ];
+    in concatStringsSep "\n" (filter (x: x != "") [
+      (concatStringsSep "\n" (mapAttrsToList formatSection sections))
+      (concatMapStringsSep "\n" (m: "module ${m}") module)
+      (concatMapStringsSep "\n" (i: "include ${i}") include)
+      (concatMapStringsSep "\n" (i: "includedir ${i}") includedir)
+    ]);
+
+    formatSection = name: section: ''
+      [${name}]
+      ${indent (concatStringsSep "\n" (mapAttrsToList formatRelation section))}
+    '';
+
+    formatRelation = name: relation:
+      if isAttrs relation
+      then ''
+        ${name} = {
+        ${indent (concatStringsSep "\n" (mapAttrsToList formatValue relation))}
+        }''
+      else formatValue name relation;
+
+    formatValue = name: value:
+      if isList value
+      then concatMapStringsSep "\n" (formatAtom name) value
+      else formatAtom name value;
+
+    formatAtom = name: atom: let
+      v = if isBool atom then boolToString atom else toString atom;
+    in "${name} = ${v}";
+  in
+    name: value: pkgs.writeText name ''
+      ${formatToplevel value}
+    '';
+}

hosts/bekkalokk/services/kerberos/krb5.nix

@@ -0,0 +1,90 @@
+{ config, lib, pkgs, ... }:
+let
+  inherit (lib) mdDoc mkIf mkOption mkPackageOption mkRemovedOptionModule;
+  inherit (lib.types) bool;
+
+  mkRemovedOptionModule' = name: reason: mkRemovedOptionModule ["krb5" name] reason;
+  mkRemovedOptionModuleCfg = name: mkRemovedOptionModule' name ''
+    The option `krb5.${name}' has been removed. Use
+    `security.krb5.settings.${name}' for structured configuration.
+  '';
+
+  cfg = config.security.krb5;
+  format = import ./krb5-conf-format.nix { inherit pkgs lib; } { };
+in {
+  imports = [
+    (mkRemovedOptionModuleCfg "libdefaults")
+    (mkRemovedOptionModuleCfg "realms")
+    (mkRemovedOptionModuleCfg "domain_realm")
+    (mkRemovedOptionModuleCfg "capaths")
+    (mkRemovedOptionModuleCfg "appdefaults")
+    (mkRemovedOptionModuleCfg "plugins")
+    (mkRemovedOptionModuleCfg "config")
+    (mkRemovedOptionModuleCfg "extraConfig")
+    (mkRemovedOptionModule' "kerberos" ''
+      The option `krb5.kerberos' has been moved to `security.krb5.package'.
+    '')
+  ];
+
+  options = {
+    security.krb5 = {
+      enable = mkOption {
+        default = false;
+        description = mdDoc "Enable and configure Kerberos utilities";
+        type = bool;
+      };
+
+      package = mkPackageOption pkgs "krb5" {
+        example = "heimdal";
+      };
+
+      settings = mkOption {
+        default = { };
+        type = format.type;
+        description = mdDoc ''
+          Structured contents of the {file}`krb5.conf` file. See
+          {manpage}`krb5.conf(5)` for details about configuration.
+        '';
+        example = {
+          include = [ "/run/secrets/secret-krb5.conf" ];
+          includedir = [ "/run/secrets/secret-krb5.conf.d" ];
+
+          libdefaults = {
+            default_realm = "ATHENA.MIT.EDU";
+          };
+
+          realms = {
+            "ATHENA.MIT.EDU" = {
+              admin_server = "athena.mit.edu";
+              kdc = [
+                "athena01.mit.edu"
+                "athena02.mit.edu"
+              ];
+            };
+          };
+
+          domain_realm = {
+            "mit.edu" = "ATHENA.MIT.EDU";
+          };
+
+          logging = {
+            kdc = "SYSLOG:NOTICE";
+            admin_server = "SYSLOG:NOTICE";
+            default = "SYSLOG:NOTICE";
+          };
+        };
+      };
+    };
+  };
+
+  config = mkIf cfg.enable {
+    environment = {
+      systemPackages = [ cfg.package ];
+      etc."krb5.conf".source = format.generate "krb5.conf" cfg.settings;
+    };
+  };
+
+  meta.maintainers = builtins.attrValues {
+    inherit (lib.maintainers) dblsaiko h7x4;
+  };
+}

hosts/bekkalokk/services/mediawiki.nix

@@ -1,175 +0,0 @@
-{ pkgs, lib, config, values, ... }: let
-  cfg = config.services.mediawiki;
-
-  # "mediawiki"
-  user = config.systemd.services.mediawiki-init.serviceConfig.User;
-
-  # "mediawiki"
-  group = config.users.users.${user}.group;
-in {
-  sops.secrets = {
-    "mediawiki/password" = {
-      restartUnits = [ "mediawiki-init.service" "phpfpm-mediawiki.service" ];
-      owner = user;
-      group = group;
-    };
-    "keys/postgres/mediawiki" = {
-      restartUnits = [ "mediawiki-init.service" "phpfpm-mediawiki.service" ];
-      owner = user;
-      group = group;
-    };
-  };
-
-  services.mediawiki = {
-    enable = true;
-    name = "Programvareverkstedet";
-    passwordFile = config.sops.secrets."mediawiki/password".path;
-    passwordSender = "drift@pvv.ntnu.no";
-
-    database = {
-      type = "postgres";
-      host = "postgres.pvv.ntnu.no";
-      port = config.services.postgresql.port;
-      passwordFile = config.sops.secrets."keys/postgres/mediawiki".path;
-      createLocally = false;
-      # TODO: create a normal database and copy over old data when the service is production ready
-      name = "mediawiki_test";
-    };
-
-    # Host through nginx
-    webserver = "none";
-    poolConfig = let
-      listenUser = config.services.nginx.user;
-      listenGroup = config.services.nginx.group;
-    in {
-      inherit user group;
-      "pm" = "dynamic";
-      "pm.max_children" = 32;
-      "pm.max_requests" = 500;
-      "pm.start_servers" = 2;
-      "pm.min_spare_servers" = 2;
-      "pm.max_spare_servers" = 4;
-      "listen.owner" = listenUser;
-      "listen.group" = listenGroup;
-      "php_admin_value[error_log]" = "stderr";
-      "php_admin_flag[log_errors]" = "on";
-      "env[PATH]" = lib.makeBinPath [ pkgs.php ];
-      "catch_workers_output" = true;
-      # to accept *.html file
-      "security.limit_extensions" = "";
-    };
-
-    extensions = {
-      DeleteBatch = pkgs.fetchzip {
-        url = "https://extdist.wmflabs.org/dist/extensions/DeleteBatch-REL1_39-995ea6f.tar.gz";
-	sha256 = "sha256-0F4GLCy2f5WcWIY2YgF1tVxgYbglR0VOsj/pMrW93b8=";
-      };
-      UserMerge = pkgs.fetchzip {
-        url = "https://extdist.wmflabs.org/dist/extensions/UserMerge-REL1_39-b10d50e.tar.gz";
-	sha256 = "sha256-bXhj1+OlOUJDbvEuc8iwqb1LLEu6cN6+C/7cAvnWPOQ=";
-      };
-      PluggableAuth = pkgs.fetchzip {
-        url = "https://extdist.wmflabs.org/dist/extensions/PluggableAuth-REL1_39-1210fc3.tar.gz";
-	sha256 = "sha256-F6bTMCzkK3kZwZGIsNE87WlZWqXXmTMhEjApO99YKR0=";
-      };
-      SimpleSAMLphp = pkgs.fetchzip {
-        url = "https://extdist.wmflabs.org/dist/extensions/SimpleSAMLphp-REL1_39-dcf0acb.tar.gz";
-        sha256 = "sha256-tCvFmb2+q2rxms+lRo5pgoI3h6GjCwXAR8XisPg03TQ=";
-      };
-    };
-
-    extraConfig = let
-
-      SimpleSAMLphpRepo = pkgs.stdenvNoCC.mkDerivation rec {
-        pname = "configuredSimpleSAML";
-	version = "2.0.4";
-        src = pkgs.fetchzip {
-          url = "https://github.com/simplesamlphp/simplesamlphp/releases/download/v${version}/simplesamlphp-${version}.tar.gz";
-          sha256 = "sha256-pfMV/VmqqxgtG7Nx4s8MW4tWSaxOkVPtCRJwxV6RDSE=";
-        };
-
-	buildPhase = ''
-          cat > config/authsources.php << EOF
-          <?php
-          $config = array(
-            'default-sp' => array(
-              'saml:SP',
-              'idp' => 'https://idp.pvv.ntnu.no/',
-            ),
-          );
-	  EOF
-	'';
-
-	installPhase = ''
-	  cp -r . $out
-	'';
-      };
-
-    in ''
-      $wgServer = "https://bekkalokk.pvv.ntnu.no";
-      $wgLocaltimezone = "Europe/Oslo";
-
-      # Only allow login through SSO
-      $wgEnableEmail = false;
-      $wgEnableUserEmail = false;
-      $wgEmailAuthentication = false;
-      $wgGroupPermissions['*']['createaccount'] = false;
-      $wgGroupPermissions['*']['autocreateaccount'] = true;
-      $wgPluggableAuth_EnableAutoLogin = true;
-
-      # Disable anonymous editing
-      $wgGroupPermissions['*']['edit'] = false;
-
-      # Styling
-      $wgLogo = "/PNG/PVV-logo.png";
-      $wgDefaultSkin = "monobook";
-
-      # Misc
-      $wgEmergencyContact = "${cfg.passwordSender}";
-      $wgShowIPinHeader = false;
-      $wgUseTeX = false;
-      $wgLocalInterwiki = $wgSitename;
-
-      # SimpleSAML
-      $wgSimpleSAMLphp_InstallDir = "${SimpleSAMLphpRepo}";
-      $wgSimpleSAMLphp_AuthSourceId = "default-sp";
-      $wgSimpleSAMLphp_RealNameAttribute = "cn";
-      $wgSimpleSAMLphp_EmailAttribute = "mail";
-      $wgSimpleSAMLphp_UsernameAttribute = "uid";
-
-      # Fix https://github.com/NixOS/nixpkgs/issues/183097
-      $wgDBserver = "${toString cfg.database.host}";
-    '';
-  };
-
-  # Override because of https://github.com/NixOS/nixpkgs/issues/183097
-  systemd.services.mediawiki-init.script = let
-    # According to module
-    stateDir = "/var/lib/mediawiki";
-    pkg = cfg.finalPackage;
-    mediawikiConfig = config.services.phpfpm.pools.mediawiki.phpEnv.MEDIAWIKI_CONFIG;
-    inherit (lib) optionalString mkForce;
-  in mkForce ''
-    if ! test -e "${stateDir}/secret.key"; then
-      tr -dc A-Za-z0-9 </dev/urandom 2>/dev/null | head -c 64 > ${stateDir}/secret.key
-    fi
-
-    echo "exit( wfGetDB( DB_MASTER )->tableExists( 'user' ) ? 1 : 0 );" | \
-    ${pkgs.php}/bin/php ${pkg}/share/mediawiki/maintenance/eval.php --conf ${mediawikiConfig} && \
-    ${pkgs.php}/bin/php ${pkg}/share/mediawiki/maintenance/install.php \
-      --confpath /tmp \
-      --scriptpath / \
-      --dbserver "${cfg.database.host}" \
-      --dbport ${toString cfg.database.port} \
-      --dbname ${cfg.database.name} \
-      ${optionalString (cfg.database.tablePrefix != null) "--dbprefix ${cfg.database.tablePrefix}"} \
-      --dbuser ${cfg.database.user} \
-      ${optionalString (cfg.database.passwordFile != null) "--dbpassfile ${cfg.database.passwordFile}"} \
-      --passfile ${cfg.passwordFile} \
-      --dbtype ${cfg.database.type} \
-      ${cfg.name} \
-      admin
-
-    ${pkgs.php}/bin/php ${pkg}/share/mediawiki/maintenance/update.php --conf ${mediawikiConfig} --quick
-  '';
-}

hosts/bekkalokk/services/mediawiki/default.nix

@@ -0,0 +1,216 @@
+{ pkgs, lib, config, values, pkgs-unstable, ... }: let
+  cfg = config.services.mediawiki;
+
+  # "mediawiki"
+  user = config.systemd.services.mediawiki-init.serviceConfig.User;
+
+  # "mediawiki"
+  group = config.users.users.${user}.group;
+
+  simplesamlphp = pkgs.simplesamlphp.override {
+    extra_files = {
+      "metadata/saml20-idp-remote.php" = pkgs.writeText "mediawiki-saml20-idp-remote.php" (import ../idp-simplesamlphp/metadata.php.nix);
+
+      "config/authsources.php" = ./simplesaml-authsources.php;
+
+      "config/config.php" = pkgs.runCommandLocal "mediawiki-simplesamlphp-config.php" { } ''
+        cp ${./simplesaml-config.php} "$out"
+
+        substituteInPlace "$out" \
+          --replace '$SAML_COOKIE_SECURE' 'true' \
+          --replace '$SAML_COOKIE_SALT' 'file_get_contents("${config.sops.secrets."mediawiki/simplesamlphp/cookie_salt".path}")' \
+          --replace '$SAML_ADMIN_NAME' '"Drift"' \
+          --replace '$SAML_ADMIN_EMAIL' '"drift@pvv.ntnu.no"' \
+          --replace '$SAML_ADMIN_PASSWORD' 'file_get_contents("${config.sops.secrets."mediawiki/simplesamlphp/admin_password".path}")' \
+          --replace '$SAML_TRUSTED_DOMAINS' 'array( "wiki2.pvv.ntnu.no" )' \
+          --replace '$SAML_DATABASE_DSN' '"pgsql:host=postgres.pvv.ntnu.no;port=5432;dbname=mediawiki_simplesamlphp"' \
+          --replace '$SAML_DATABASE_USERNAME' '"mediawiki_simplesamlphp"' \
+          --replace '$SAML_DATABASE_PASSWORD' 'file_get_contents("${config.sops.secrets."mediawiki/simplesamlphp/postgres_password".path}")' \
+          --replace '$CACHE_DIRECTORY' '/var/cache/mediawiki/idp'
+      '';
+    };
+  };
+in {
+  services.idp.sp-remote-metadata = [ "https://wiki2.pvv.ntnu.no/simplesaml/" ];
+
+  sops.secrets = lib.pipe [
+    "mediawiki/password"
+    "mediawiki/postgres_password"
+    "mediawiki/simplesamlphp/postgres_password"
+    "mediawiki/simplesamlphp/cookie_salt"
+    "mediawiki/simplesamlphp/admin_password"
+  ] [
+    (map (key: lib.nameValuePair key {
+      owner = user;
+      group = group;
+    }))
+    lib.listToAttrs
+  ];
+
+  services.mediawiki = {
+    enable = true;
+    name = "Programvareverkstedet";
+    passwordFile = config.sops.secrets."mediawiki/password".path;
+    passwordSender = "drift@pvv.ntnu.no";
+
+    database = {
+      type = "mysql";
+      host = "mysql.pvv.ntnu.no";
+      port = 3306;
+      user = "mediawiki";
+      passwordFile = config.sops.secrets."mediawiki/postgres_password".path;
+      createLocally = false;
+      # TODO: create a normal database and copy over old data when the service is production ready
+      name = "mediawiki";
+    };
+
+    # Host through nginx
+    webserver = "none";
+    poolConfig = let
+      listenUser = config.services.nginx.user;
+      listenGroup = config.services.nginx.group;
+    in {
+      inherit user group;
+      "pm" = "dynamic";
+      "pm.max_children" = 32;
+      "pm.max_requests" = 500;
+      "pm.start_servers" = 2;
+      "pm.min_spare_servers" = 2;
+      "pm.max_spare_servers" = 4;
+      "listen.owner" = listenUser;
+      "listen.group" = listenGroup;
+
+      "catch_workers_output" = true;
+      "php_admin_flag[log_errors]" = true;
+      # "php_admin_value[error_log]" = "stderr";
+
+      # to accept *.html file
+      "security.limit_extensions" = "";
+    };
+
+    extensions = {
+      inherit (pkgs.mediawiki-extensions) DeleteBatch UserMerge PluggableAuth SimpleSAMLphp;
+    };
+
+    extraConfig = ''
+      $wgServer = "https://wiki2.pvv.ntnu.no";
+      $wgLocaltimezone = "Europe/Oslo";
+
+      # Only allow login through SSO
+      $wgEnableEmail = false;
+      $wgEnableUserEmail = false;
+      $wgEmailAuthentication = false;
+      $wgGroupPermissions['*']['createaccount'] = false;
+      $wgGroupPermissions['*']['autocreateaccount'] = true;
+      $wgPluggableAuth_EnableAutoLogin = false;
+
+      # Misc. permissions
+      $wgGroupPermissions['*']['edit'] = false;
+      $wgGroupPermissions['*']['read'] = true;
+
+      # Misc. URL rules
+      $wgUsePathInfo = true;
+      $wgScriptExtension = ".php";
+      $wgNamespacesWithSubpages[NS_MAIN] = true;
+
+      # Styling
+      $wgLogos = array(
+        "2x" => "/PNG/PVV-logo.png",
+        "icon" => "/PNG/PVV-logo.svg",
+      );
+      $wgDefaultSkin = "vector-2022";
+      # from https://github.com/wikimedia/mediawiki-skins-Vector/blob/master/skin.json
+      $wgVectorDefaultSidebarVisibleForAnonymousUser = true;
+      $wgVectorResponsive = true;
+
+      # Misc
+      $wgEmergencyContact = "${cfg.passwordSender}";
+      $wgShowIPinHeader = false;
+      $wgUseTeX = false;
+      $wgLocalInterwiki = $wgSitename;
+
+      # SimpleSAML
+      $wgSimpleSAMLphp_InstallDir = "${simplesamlphp}/share/php/simplesamlphp/";
+      $wgPluggableAuth_Config['Log in using my SAML'] = [
+        'plugin' => 'SimpleSAMLphp',
+        'data' => [
+          'authSourceId' => 'default-sp',
+          'usernameAttribute' => 'uid',
+          'emailAttribute' => 'mail',
+          'realNameAttribute' => 'cn',
+        ]
+      ];
+
+      # Fix https://github.com/NixOS/nixpkgs/issues/183097
+      $wgDBserver = "${toString cfg.database.host}";
+    '';
+  };
+
+  # Cache directory for simplesamlphp
+  # systemd.services.phpfpm-mediawiki.serviceConfig.CacheDirectory = "mediawiki/simplesamlphp";
+  systemd.tmpfiles.settings."10-mediawiki"."/var/cache/mediawiki/simplesamlphp".d = {
+    user = "mediawiki";
+    group = "mediawiki";
+    mode = "0770";
+  };
+
+  users.groups.mediawiki.members = [ "nginx" ];
+
+  services.nginx.virtualHosts."wiki2.pvv.ntnu.no" = {
+    forceSSL = true;
+    enableACME = true;
+    root = "${config.services.mediawiki.finalPackage}/share/mediawiki";
+    locations =  {
+      "/" = {
+	index = "index.php";
+      };
+
+      "~ /(.+\\.php)" = {
+        extraConfig = ''
+          fastcgi_split_path_info ^(.+\.php)(/.+)$;
+          fastcgi_index index.php;
+          fastcgi_pass unix:${config.services.phpfpm.pools.mediawiki.socket};
+          include ${pkgs.nginx}/conf/fastcgi_params;
+          include ${pkgs.nginx}/conf/fastcgi.conf;
+        '';
+      };
+
+      # based on https://simplesamlphp.org/docs/stable/simplesamlphp-install.html#configuring-nginx
+      "^~ /simplesaml/" = {
+        alias = "${simplesamlphp}/share/php/simplesamlphp/public/";
+        index = "index.php";
+
+        extraConfig = ''
+          location ~ ^/simplesaml/(?<phpfile>.+?\.php)(?<pathinfo>/.*)?$ {
+            include ${pkgs.nginx}/conf/fastcgi_params;
+            fastcgi_pass unix:${config.services.phpfpm.pools.mediawiki.socket}; 
+            fastcgi_param SCRIPT_FILENAME ${simplesamlphp}/share/php/simplesamlphp/public/$phpfile;
+
+            # Must be prepended with the baseurlpath
+            fastcgi_param SCRIPT_NAME /simplesaml/$phpfile;
+
+            fastcgi_param PATH_INFO $pathinfo if_not_empty;
+          }
+        '';
+      };
+
+      "/images/".alias = "${config.services.mediawiki.uploadsDir}/";
+
+      "= /PNG/PVV-logo.svg".alias = ../../../../assets/logo_blue_regular.svg;
+      "= /PNG/PVV-logo.png".alias = ../../../../assets/logo_blue_regular.png;
+      "= /favicon.ico".alias = pkgs.runCommandLocal "mediawiki-favicon.ico" {
+        buildInputs = with pkgs; [ imagemagick ];
+      } ''
+        convert \
+	  -resize x64 \
+	  -gravity center \
+	  -crop 64x64+0+0 \
+	  ${../../../../assets/logo_blue_regular.png} \
+	  -flatten \
+	  -colors 256 \
+	  -background transparent \
+	  $out
+      '';
+    };
+  };
+}

hosts/bekkalokk/services/mediawiki/simplesaml-authsources.php

@@ -0,0 +1,11 @@
+<?php
+$config = array(
+    'admin' => array(
+      'core:AdminPassword'
+    ),
+    'default-sp' => array(
+        'saml:SP',
+        'entityID' => 'https://wiki2.pvv.ntnu.no/simplesaml/',
+        'idp' => 'https://idp2.pvv.ntnu.no/',
+    ),
+);

hosts/bekkalokk/services/nettsiden/default.nix

@@ -1,6 +0,0 @@
-{ pkgs, inputs, ... }:
-let
-in
-{
-  
-}

hosts/bekkalokk/services/nettsiden/package.nix

@@ -1,53 +0,0 @@
-{
-src,
-php82,
-php82Extensions,
-sqlite,
-git,
-...
-}:
-  pkgs.stdenvNoCC.mkDerivation {
-    pname = "nettsiden";
-    version = "0.1.0";
-    inherit src;
-
-    buildInputs = [
-      php82
-      (with php82Extensions; [
-        iconv
-        mbstring
-        pdo_mysql
-        pdo_sqlite
-      ])
-      sqlite
-      git
-    ];
-
-    buildPhase = ''
-      export PHPHOST=localhost
-      export PHPPORT=1080
-      alias runDev='php -S $PHPHOST:$PHPPORT -d error_reporting=E_ALL -d display_errors=1 -t www/'
-
-      # Prepare dev environment with sqlite and config files
-      test -e pvv.sqlite || sqlite3 pvv.sqlite < dist/pvv.sql
-      test -e sql_config.php || cp -v dist/sql_config_example.php sql_config.php
-
-      test -e dataporten_config.php || cp -v dist/dataporten_config.php dataporten_config.php
-
-      test -e composer.phar || curl -O https://getcomposer.org/composer.phar
-
-      if [ ! -f lib/OAuth2-Client/OAuth2Client.php ] ; then
-        echo Missing git submodules. Installing...
-        (set -x; git submodule update --init --recursive) || exit $?
-      fi
-
-      if [ ! -d vendor ] ; then
-        php composer.phar install || exit $?
-        cp -v dist/authsources_example.php vendor/simplesamlphp/simplesamlphp/config/authsources.php
-        cp -v dist/saml20-idp-remote.php vendor/simplesamlphp/simplesamlphp/metadata/saml20-idp-remote.php
-        cp -v vendor/simplesamlphp/simplesamlphp/config-templates/config.php vendor/simplesamlphp/simplesamlphp/config/config.php
-        sed -e "s/'trusted.url.domains' => array()/'trusted.url.domains' => array(\"$PHPHOST:$PHPPORT\")/g" < vendor/simplesamlphp/simplesamlphp/config-templates/config.php > vendor/simplesamlphp/simplesamlphp/config/config.php
-        ln -s ../vendor/simplesamlphp/simplesamlphp/www/ www/simplesaml
-      fi
-    '';
-  };

hosts/bekkalokk/services/nginx/default.nix

@@ -1,5 +1,9 @@
 { pkgs, config, ... }:
 {
+  imports = [
+    ./ingress.nix
+  ];
+
   security.acme = {
     acceptTerms = true;
     defaults.email = "drift@pvv.ntnu.no";

hosts/bekkalokk/services/nginx/ingress.nix

@@ -0,0 +1,55 @@
+{ config, lib, ... }:
+{
+  services.nginx.virtualHosts = {
+    "www2.pvv.ntnu.no" = {
+      serverAliases = [ "www2.pvv.org" "pvv.ntnu.no" "pvv.org" ];
+      addSSL = true;
+      enableACME = true;
+
+      locations = {
+        # Proxy home directories
+        "/~" = {
+          extraConfig = ''
+            proxy_redirect off;
+            proxy_pass https://tom.pvv.ntnu.no;
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+          '';
+        };
+
+        # Redirect old wiki entries
+        "/disk".return = "301 https://www.pvv.ntnu.no/pvv/Diskkjøp";
+        "/dok/boker.php".return = "301 https://www.pvv.ntnu.no/pvv/Bokhyllen";
+        "/styret/lover/".return = "301 https://www.pvv.ntnu.no/pvv/Lover";
+        "/styret/".return = "301 https://www.pvv.ntnu.no/pvv/Styret";
+        "/info/".return = "301 https://www.pvv.ntnu.no/pvv/";
+        "/info/maskinpark/".return = "301 https://www.pvv.ntnu.no/pvv/Maskiner";
+        "/medlemssider/meldinn.php".return = "301 https://www.pvv.ntnu.no/pvv/Medlemskontingent";
+        "/diverse/medlems-sider.php".return = "301 https://www.pvv.ntnu.no/pvv/Medlemssider";
+        "/cert/".return = "301 https://www.pvv.ntnu.no/pvv/CERT";
+        "/drift".return = "301 https://www.pvv.ntnu.no/pvv/Drift";
+        "/diverse/abuse.php".return = "301 https://www.pvv.ntnu.no/pvv/CERT/Abuse";
+        "/nerds/".return = "301 https://www.pvv.ntnu.no/pvv/Nerdepizza";
+
+        # TODO: Redirect webmail
+        "/webmail".return = "301 https://webmail.pvv.ntnu.no/squirrelmail";
+
+        # Redirect everything else to the main website
+        "/".return = "301 https://www.pvv.ntnu.no$request_uri";
+
+        # Proxy the matrix well-known files
+        # Host has be set before proxy_pass
+        # The header must be set so nginx on the other side routes it to the right place
+        "/.well-known/matrix/" = {
+          extraConfig = ''
+            proxy_set_header Host matrix.pvv.ntnu.no;
+            proxy_pass https://matrix.pvv.ntnu.no/.well-known/matrix/;
+          '';
+        };
+      };
+    };
+  };
+}
+

hosts/bekkalokk/services/webmail/default.nix

@@ -0,0 +1,15 @@
+{ config, values, pkgs, lib, ... }:
+{
+  imports = [
+    ./roundcube.nix
+  ];
+
+  services.nginx.virtualHosts."webmail2.pvv.ntnu.no" = {
+    forceSSL = true;
+    enableACME = true;
+    #locations."/" = lib.mkForce { };
+    locations."= /" = {
+      return = "301 https://www.pvv.ntnu.no/mail/";
+    };
+  };
+}

hosts/bekkalokk/services/webmail/roundcube.nix

@@ -0,0 +1,74 @@
+{ config, pkgs, lib, ... }:
+
+with lib;
+let
+  cfg = config.services.roundcube;
+  domain = "webmail2.pvv.ntnu.no";
+in 
+{
+  services.roundcube = {
+    enable = true;
+
+    package = pkgs.roundcube.withPlugins (plugins: with plugins; [
+      persistent_login
+      thunderbird_labels
+      contextmenu
+      custom_from
+    ]);
+
+    dicts = with pkgs.aspellDicts; [ en en-science en-computers nb nn fr de it ];
+    maxAttachmentSize = 20;
+    hostName = "roundcubeplaceholder.example.com";
+
+    extraConfig = ''
+      $config['enable_installer'] = false;
+      $config['default_host'] = "ssl://imap.pvv.ntnu.no";
+      $config['default_port'] = 993;
+      $config['smtp_server'] = "ssl://smtp.pvv.ntnu.no";
+      $config['smtp_port'] = 465;
+      $config['mail_domain'] = "pvv.ntnu.no";
+      $config['smtp_user'] = "%u";
+      $config['support_url'] = "";
+    '';
+  };
+
+  services.nginx.virtualHosts."roundcubeplaceholder.example.com" = lib.mkForce { };
+
+  services.nginx.virtualHosts.${domain} = {
+    locations."/roundcube" = {
+      tryFiles = "$uri $uri/ =404";
+      index = "index.php";
+      root = pkgs.runCommandLocal "roundcube-dir" { } ''
+        mkdir -p $out
+        ln -s ${cfg.package} $out/roundcube
+      '';
+      extraConfig = ''
+        location ~ ^/roundcube/(${builtins.concatStringsSep "|" [
+        # https://wiki.archlinux.org/title/Roundcube
+        "README"
+        "INSTALL"
+        "LICENSE"
+        "CHANGELOG"
+        "UPGRADING"
+        "bin"
+        "SQL"
+        ".+\\.md"
+        "\\."
+        "config"
+        "temp"
+        "logs"
+        ]})/? {
+          deny all;
+        }
+
+        location ~ ^/roundcube/(.+\.php)(/?.*)$ {
+          fastcgi_split_path_info ^/roundcube(/.+\.php)(/.+)$;
+          include ${config.services.nginx.package}/conf/fastcgi_params;
+          include ${config.services.nginx.package}/conf/fastcgi.conf;
+          fastcgi_index index.php;
+          fastcgi_pass unix:${config.services.phpfpm.pools.roundcube.socket};
+        }
+      '';
+    };
+  };
+}

hosts/bicep/configuration.nix

@@ -12,7 +12,8 @@
     ./services/mysql.nix
     ./services/postgres.nix
     ./services/mysql.nix
-    ./services/calendar-bot.nix
+    # TODO: fix the calendar bot
+    # ./services/calendar-bot.nix
 
     ./services/matrix
   ];

hosts/bicep/services/matrix/element.nix

@@ -24,21 +24,26 @@ in {
         features = {
           feature_latex_maths = true;
           feature_pinning = true;
+          feature_render_reaction_images = true;
           feature_state_counters = true;
-          feature_custom_status = false;
+          # element call group calls
+          feature_group_calls = true;
         };
         default_theme = "dark";
+        # Servers in this list should provide some sort of valuable scoping
+        # matrix.org is not useful compared to matrixrooms.info,
+        # because it has so many general members, rooms of all topics are on it.
+        # Something matrixrooms.info is already providing.
         room_directory.servers = [
           "pvv.ntnu.no"
-          "matrix.omegav.no"
-          "matrix.org"
-          "libera.chat"
-          "gitter.im"
-          "mozilla.org"
-          "kde.org"
-          "t2bot.io"
-          "fosdem.org"
-          "dodsorf.as"
+          "matrixrooms.info" # Searches all public room directories
+          "matrix.omegav.no" # Friends
+          "gitter.im" # gitter rooms
+          "mozilla.org" # mozilla and friends
+          "kde.org" # KDE rooms
+          "fosdem.org" # FOSDEM
+          "dodsorf.as" # PVV Member
+          "nani.wtf" # PVV Member
         ];
         enable_presence_by_hs_url = {
           "https://matrix.org" = false;

hosts/bicep/services/matrix/smtp-authenticator/smtp_auth_provider.py

@@ -5,6 +5,7 @@ from smtplib import SMTP_SSL as SMTP
 import synapse
 from synapse import module_api
 
+import re
 
 class SMTPAuthProvider:
     def __init__(self, config: dict, api: module_api):
@@ -27,6 +28,10 @@ class SMTPAuthProvider:
         if login_type != "m.login.password":
             return None
 
+        # Convert `@username:server` to `username`
+        match = re.match(r'^@([\da-z\-\.=_\/\+]+):[\w\d\.:\[\]]+$', username)
+        username = match.group(1) if match else username
+
         result = False
         with SMTP(self.config["smtp_host"]) as smtp:
             password = login_dict.get("password")

hosts/bicep/services/matrix/synapse.nix

@@ -216,7 +216,19 @@ in {
 
   services.redis.servers."".enable = true;
   
-  services.nginx.virtualHosts."matrix.pvv.ntnu.no" = lib.mkMerge [({
+  services.nginx.virtualHosts."matrix.pvv.ntnu.no" = lib.mkMerge [
+  ({
+    locations."/.well-known/matrix/server" = {
+      return = ''
+        200 '{"m.server": "matrix.pvv.ntnu.no:443"}'
+      '';
+      extraConfig = ''
+        default_type application/json;
+        add_header Access-Control-Allow-Origin *;
+      '';
+    };
+  })
+  ({
     locations = let
       connectionInfo = w: matrix-lib.workerConnectionResource "metrics" w;
       socketAddress = w: let c = connectionInfo w; in "${c.host}:${toString (c.port)}";

hosts/bikkje/configuration.nix

@@ -0,0 +1,44 @@
+{ config, pkgs, values, ... }:
+{
+    networking.nat = {
+    enable = true;
+    internalInterfaces = ["ve-+"];
+    externalInterface = "ens3";
+    # Lazy IPv6 connectivity for the container
+    enableIPv6 = true;
+  };
+
+  containers.bikkje = {
+    autoStart = true;
+    config = { config, pkgs, ... }: {
+      #import packages
+      packages = with pkgs; [
+          alpine
+          mutt
+          mutt-ics
+          mutt-wizard
+          weechat
+          weechatScripts.edit
+          hexchat
+          irssi
+          pidgin
+      ];
+
+      networking = {
+        firewall = {
+          enable = true;
+          # Allow SSH and HTTP and ports for email and irc
+          allowedTCPPorts = [ 80 22 194 994 6665 6666 6667 6668 6669 6697 995 993 25 465 587 110 143 993 995 ];
+          allowedUDPPorts = [ 80 22 194 994 6665 6666 6667 6668 6669 6697 995 993 25 465 587 110 143 993 995 ];
+        };
+        # Use systemd-resolved inside the container
+        # Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686
+        useHostResolvConf = mkForce false;
+      };
+      
+      system.stateVersion = "23.11";
+      services.resolved.enable = true;
+    };
+  };
+
+};

hosts/bob/configuration.nix

@@ -0,0 +1,46 @@
+{ config, pkgs, values, ... }:
+{
+  imports = [
+      # Include the results of the hardware scan.
+      ./hardware-configuration.nix
+      ../../base.nix
+      ../../misc/metrics-exporters.nix
+      ./disks.nix
+
+      ../../misc/builder.nix
+    ];
+
+  sops.defaultSopsFile = ../../secrets/bob/bob.yaml;
+  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+  sops.age.keyFile = "/var/lib/sops-nix/key.txt";
+  sops.age.generateKey = true;
+
+  boot.loader.grub = {
+    enable = true;
+    efiSupport = true;
+    efiInstallAsRemovable = true;
+  };
+
+  networking.hostName = "bob"; # Define your hostname.
+
+  systemd.network.networks."30-all" = values.defaultNetworkConfig // {
+    matchConfig.Name = "en*";
+    DHCP = "yes";
+    gateway = [ ];
+  };
+
+  # List packages installed in system profile
+  environment.systemPackages = with pkgs; [
+  ];
+
+  # List services that you want to enable:
+
+  # This value determines the NixOS release from which the default
+  # settings for stateful data, like file locations and database versions
+  # on your system were taken. It‘s perfectly fine and recommended to leave
+  # this value at the release version of the first install of this system.
+  # Before changing this value read the documentation for this option
+  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+  system.stateVersion = "23.05"; # Did you read the comment?
+
+}

hosts/bob/disks.nix

@@ -0,0 +1,39 @@
+# Example to create a bios compatible gpt partition
+{ lib, ... }:
+{
+  disko.devices = {
+    disk.disk1 = {
+      device = lib.mkDefault "/dev/sda";
+      type = "disk";
+      content = {
+        type = "gpt";
+        partitions = {
+          boot = {
+            name = "boot";
+            size = "1M";
+            type = "EF02";
+          };
+          esp = {
+            name = "ESP";
+            size = "500M";
+            type = "EF00";
+            content = {
+              type = "filesystem";
+              format = "vfat";
+              mountpoint = "/boot";
+            };
+          };
+          root = {
+            name = "root";
+            size = "100%";
+            content = {
+              type = "filesystem";
+              format = "ext4";
+              mountpoint = "/";
+            };
+          };
+        };
+      };
+    };
+  };
+}

hosts/bob/hardware-configuration.nix

@@ -0,0 +1,24 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/profiles/qemu-guest.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_blk" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ ];
+  boot.extraModulePackages = [ ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.ens3.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}

hosts/brzeczyszczykiewicz/configuration.nix

@@ -6,7 +6,7 @@
       ../../base.nix
       ../../misc/metrics-exporters.nix
 
-      ../../modules/grzegorz.nix
+      ./services/grzegorz.nix
     ];
 
   boot.loader.systemd-boot.enable = true;

hosts/brzeczyszczykiewicz/services/grzegorz.nix

@@ -0,0 +1,11 @@
+{ config, ... }:
+{
+  imports = [ ../../../modules/grzegorz.nix ];
+
+  services.nginx.virtualHosts."${config.networking.fqdn}" = {
+    serverAliases = [
+      "bokhylle.pvv.ntnu.no"
+      "bokhylle.pvv.org"
+    ];
+  };
+}

hosts/buskerud/configuration.nix

@@ -0,0 +1,36 @@
+{ config, pkgs, values, ... }:
+{
+  imports = [
+    ./hardware-configuration.nix
+    ../../base.nix
+    ../../misc/metrics-exporters.nix
+  ];
+
+  # buskerud does not support efi?
+  # boot.loader.systemd-boot.enable = true;
+  # boot.loader.efi.canTouchEfiVariables = true;
+  boot.loader.grub.enable = true;
+  boot.loader.grub.device = "/dev/sdb";
+
+  networking.hostName = "buskerud";
+  networking.search = [ "pvv.ntnu.no" "pvv.org" ];
+  networking.nameservers = [ "129.241.0.200" "129.241.0.201" ];
+  networking.tempAddresses = "disabled";
+
+  systemd.network.networks."enp3s0f0" = values.defaultNetworkConfig // {
+    matchConfig.Name = "enp3s0f0";
+    address = with values.hosts.buskerud; [ (ipv4 + "/25") (ipv6 + "/64") ];
+  };
+
+  # List packages installed in system profile
+  environment.systemPackages = with pkgs; [
+  ];
+
+  # This value determines the NixOS release from which the default
+  # settings for stateful data, like file locations and database versions
+  # on your system were taken. It‘s perfectly fine and recommended to leave
+  # this value at the release version of the first install of this system.
+  # Before changing this value read the documentation for this option
+  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+  system.stateVersion = "23.05"; # Did you read the comment?
+}

hosts/buskerud/hardware-configuration.nix

@@ -0,0 +1,37 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "uhci_hcd" "ehci_pci" "ata_piix" "hpsa" "usb_storage" "usbhid" "sd_mod" "sr_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/ed9654fe-575a-4fb3-b6ff-1b059479acff";
+      fsType = "ext4";
+    };
+
+  swapDevices = [ ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp14s0f0.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp14s0f1.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp3s0f0.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp3s0f1.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp4s0f0.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp4s0f1.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}

hosts/ildkule/services/metrics/prometheus/mysqld.nix

@@ -1,4 +1,4 @@
-{ config, unstable, ... }: let
+{ config, ... }: let
   cfg = config.services.prometheus;
 in {
   sops.secrets."config/mysqld_exporter" = { };

misc/builder.nix

@@ -0,0 +1,5 @@
+{ ... }:
+
+{
+  nix.settings.trusted-users = [ "@nix-builder-users" ];
+}

modules/debug-locations.nix

@@ -0,0 +1,13 @@
+{ config, lib, ... }:
+let
+  cfg = config.environment.debug-locations;
+in
+{
+  options.environment.debug-locations = lib.mkOption {
+    description = "Paths and derivations to symlink in `/etc/debug`";
+    type = with lib.types; attrsOf path;
+    default = { };
+  };
+
+  config.environment.etc = lib.mapAttrs' (k: v: lib.nameValuePair "debug/${k}" { source = v; }) cfg;
+}

modules/snakeoil-certs.nix

@@ -0,0 +1,83 @@
+{ config, pkgs, lib, ... }:
+let
+  cfg = config.environment.snakeoil-certs;
+in
+{
+  options.environment.snakeoil-certs = lib.mkOption {
+    default = { };
+    description = "Self signed certs, which are rotated regularly";
+    type = lib.types.attrsOf (lib.types.submodule ({ name, ... }: {
+      options = {
+        owner = lib.mkOption {
+          type = lib.types.str;
+          default = "root";
+        };
+        group = lib.mkOption {
+          type = lib.types.str;
+          default = "root";
+        };
+        mode = lib.mkOption {
+          type = lib.types.str;
+          default = "0660";
+        };
+        daysValid = lib.mkOption {
+          type = lib.types.str;
+          default = "90";
+        };
+        extraOpenSSLArgs = lib.mkOption {
+          type = with lib.types; listOf str;
+          default = [ ];
+        };
+        certificate = lib.mkOption {
+          type = lib.types.str;
+          default = "${name}.crt";
+        };
+        certificateKey = lib.mkOption {
+          type = lib.types.str;
+          default = "${name}.key";
+        };
+	subject = lib.mkOption {
+	  type = lib.types.str;
+	  default = "/C=NO/O=Programvareverkstedet/CN=*.pvv.ntnu.no/emailAddress=drift@pvv.ntnu.no";
+	};
+      };
+    }));
+  };
+
+  config = {
+    systemd.services."generate-snakeoil-certs" = {
+      enable = true;
+      serviceConfig.Type = "oneshot";
+      script = let
+        openssl = lib.getExe pkgs.openssl;
+      in lib.concatMapStringsSep "\n----------------\n" ({ name, value }: ''
+        mkdir -p $(dirname "${value.certificate}") $(dirname "${value.certificateKey}")
+        if ! ${openssl} x509 -checkend 86400 -noout -in ${value.certificate}
+        then
+           echo "Regenerating '${value.certificate}'"
+           ${openssl} req \
+             -newkey rsa:4096 \
+             -new -x509 \
+             -days "${toString value.daysValid}" \
+             -nodes \
+             -subj "${value.subject}" \
+             -out "${value.certificate}" \
+             -keyout "${value.certificateKey}" \
+             ${lib.escapeShellArgs value.extraOpenSSLArgs}
+        fi
+        chown "${value.owner}:${value.group}" "${value.certificate}"
+        chown "${value.owner}:${value.group}" "${value.certificateKey}"
+        chmod "${value.mode}" "${value.certificate}"
+        chmod "${value.mode}" "${value.certificateKey}"
+      '') (lib.attrsToList cfg);
+    };
+    systemd.timers."generate-snakeoil-certs" = {
+      wantedBy = [ "timers.target" ];
+      timerConfig = {
+        OnCalendar = "*-*-* 02:00:00";
+        Persistent = true;
+        Unit = "generate-snakeoil-certs.service";
+      };
+    };
+  };
+}

modules/wackattack-ctf-stockfish/chess.py

@@ -1,74 +0,0 @@
-#!/usr/bin/env python3
-from stockfish import *
-from inputimeout import inputimeout
-import time
-from datetime import datetime
-import random
-
-thinking_time = 1000
-
-game = Stockfish(path="./stockfish", depth=15, parameters={"Threads": 1, "Minimum Thinking Time": thinking_time, "UCI_Chess960": True})
-
-def create_random_position():
-    pos = "/pppppppp/8/8/8/8/PPPPPPPP/"
-    rank8 = ["r","r","b","q","k","b","n","n"]
-
-    while rank8.index("k") < [i for i, n in enumerate(rank8) if n == "r"][0] or rank8.index("k") > [i for i, n in enumerate(rank8) if n == "r"][1] or [i for i, n in enumerate(rank8) if n == "b"][0] % 2 == [i for i, n in enumerate(rank8) if n == "b"][1] % 2:
-        random.seed(datetime.now().microsecond)
-        random.shuffle(rank8)
-
-    rank1 = [c.upper() for c in rank8]
-    pos = "".join(rank8) + pos + "".join(rank1) + " w KQkq - 0 1"
-    game.set_fen_position(pos)
-
-def player_won():
-    with open("flag.txt") as file:
-        flag = file.read()
-    print(flag)
-    exit()
-
-def get_fast_player_move():
-    try:
-        time_over = inputimeout(prompt='Your move: ', timeout=5)
-    except Exception:
-        time_over = 'Too slow, you lost!'
-        print(time_over)
-        exit()
-    return time_over
-
-def check_game_status():
-    evaluation = game.get_evaluation()
-    turn = game.get_fen_position().split(" ")[1]
-    if evaluation["type"] == "mate" and evaluation["value"] == 0 and turn == "w":
-        print("Wow, you beat me!")
-        player_won()
-    elif evaluation["type"] == "mate" and evaluation["value"] == 0 and turn == "b":
-        print("Hah, I won again")
-        exit()
-    if evaluation["type"] == "draw":
-        print("It's a draw!")
-        print("Impressive, but I am still undefeated.")
-        exit()
-
-if __name__ == "__main__":
-    create_random_position()
-    print("Welcome to fischer chess.\nYou get 5 seconds per move. Good luck")
-    print(game.get_board_visual())
-    print("Heres the position for this game, Ill give you a few seconds to look at it before we start.")
-    time.sleep(3)
-    while True:
-        server_move = game.get_best_move_time(thinking_time)
-        game.make_moves_from_current_position([server_move])
-        check_game_status()
-        print(game.get_board_visual())
-        print(f"My move: {server_move}")
-        player_move = get_fast_player_move()
-        if type(player_move) != str or len([player_move]) != 1:
-            print("Illegal input")
-            exit()
-        try:
-            game.make_moves_from_current_position([player_move])
-            check_game_status()
-        except:
-            print("Couldn't comprehend that")
-            exit()

modules/wackattack-ctf-stockfish/default.nix

@@ -1,108 +0,0 @@
-{ config, pkgs, lib, ... }: let
-  stockfish = with pkgs.python3Packages; buildPythonPackage rec {
-    pname = "stockfish";
-    version = "3.28.0";
-    disabled = pythonOlder "3.7";
-
-    src = pkgs.fetchFromGitHub {
-      owner = "zhelyabuzhsky";
-      repo = pname;
-      rev = version;
-      hash = "sha256-XLgVjLV2QXeTYPjP/lwc0LH850LKJsymFlrAMkAn8HU=";
-    };
-
-    format = "setuptools";
-    nativeBuildInputs = [
-      setuptools
-    ];
-
-    propagatedBuildInputs = [
-      pytest-runner
-    ];
-
-    doCheck = false;
-  };
-
-  inputimeout = with pkgs.python3Packages; buildPythonPackage rec {
-    pname = "inputimeout";
-    version = "1.0.4";
-    src = pkgs.fetchFromGitHub {
-      owner = "johejo";
-      repo = pname;
-      rev = "v${version}";
-      hash = "sha256-Fh1CaqJOK58nURt4imkhCmZKG2eJlP/Hi10SarUJ+Fs=";
-    };
-
-    format = "setuptools";
-    nativeBuildInputs = [ setuptools ];
-
-    doCheck = false;
-  };
-
-  script = pkgs.writers.writePython3 "chess" {
-    libraries = [
-      stockfish
-      inputimeout   
-    ];
-
-    # Fy!
-    flakeIgnore = [ "F403" "F405" "E231" "E265" "E302" "E305" "E501" "E722" ];
-  } (builtins.replaceStrings [''path="./stockfish"''] [''path="${pkgs.stockfish}/bin/stockfish"''] (builtins.readFile ./chess.py));
-in
-{
-  sops.secrets."keys/wackattack_ctf/flag" = { };
-
-  systemd.sockets."wackattack-ctf-stockfish" = {
-    description = "Save some azure credit for the rest of us";
-    partOf = [ "wackattack-ctf-stockfish.service" ];
-    wantedBy = [ "sockets.target" ];
-
-    socketConfig = {
-      ListenStream = "0.0.0.0:9999";
-      Accept = true;
-    };
-  };
-
-  systemd.services."wackattack-ctf-stockfish@" = {
-    description = "Save some azure credit for the rest of us";
-    after = [ "network.target" ];
-    requires = [ "wackattack-ctf-stockfish.socket" ];
-    wantedBy = [ "multi-user.target" ];
-    serviceConfig = {
-      Type = "simple";
-      DynamicUser = true;
-      WorkingDirectory = "%d";
-      Restart = "always";
-      StandardInput = "socket";
-      LoadCredential = "flag.txt:${config.sops.secrets."keys/wackattack_ctf/flag".path}";
-
-      Exec = script;
-
-      # systemd hardening go barr
-      ProcSubset = "pid";
-      ProtectProc = "invisible";
-      AmbientCapabilities = "";
-      CapabilityBoundingSet = "";
-      NoNewPrivileges = true;
-      ProtectSystem = "strict";
-      ProtectHome = true;
-      PrivateTmp = true;
-      PrivateDevices = true;
-      PrivateUsers = true;
-      ProtectHostname = true;
-      ProtectClock = true;
-      ProtectKernelTunables = true;
-      ProtectKernelModules = true;
-      ProtectKernelLogs = true;
-      ProtectControlGroups = true;
-      RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
-      RestrictNamespaces = true;
-      LockPersonality = true;
-      RestrictRealtime = true;
-      RestrictSUIDSGID = true;
-      RemoveIPC = true;
-      PrivateMounts = true;
-      SystemCallArchitectures = "native";
-    };
-  };
-}

packages/mediawiki-extensions/default.nix

@@ -0,0 +1,7 @@
+{ pkgs, lib }:
+lib.makeScope pkgs.newScope (self: {
+  DeleteBatch = self.callPackage ./delete-batch { };
+  PluggableAuth = self.callPackage ./pluggable-auth { };
+  SimpleSAMLphp = self.callPackage ./simple-saml-php { };
+  UserMerge = self.callPackage ./user-merge { };
+})

packages/mediawiki-extensions/delete-batch/default.nix

@@ -0,0 +1,7 @@
+{ fetchzip }:
+
+fetchzip {
+  name = "mediawiki-delete-batch";
+  url = "https://extdist.wmflabs.org/dist/extensions/DeleteBatch-REL1_41-5774fdd.tar.gz";
+  hash = "sha256-ROkn93lf0mNXBvij9X2pMhd8LXZ0azOz7ZRaqZvhh8k=";
+}

packages/mediawiki-extensions/pluggable-auth/default.nix

@@ -0,0 +1,7 @@
+{ fetchzip }:
+
+fetchzip {
+  name = "mediawiki-pluggable-auth-source";
+  url = "https://extdist.wmflabs.org/dist/extensions/PluggableAuth-REL1_41-d5b3ad8.tar.gz";
+  hash = "sha256-OLlkKeSlfNgWXWwDdINrYRZpYuSGRwzZHgU8EYW6rYU=";
+}

packages/mediawiki-extensions/simple-saml-php/default.nix

@@ -0,0 +1,7 @@
+{ fetchzip }:
+
+fetchzip {
+  name = "mediawiki-simple-saml-php-source";
+  url = "https://extdist.wmflabs.org/dist/extensions/SimpleSAMLphp-REL1_41-9ae0678.tar.gz";
+  hash = "sha256-AmCaG5QXMJvi3N6zFyWylwYDt8GvyIk/0GFpM1Y0vkY=";
+}

packages/mediawiki-extensions/update-mediawiki-extensions.py

@@ -0,0 +1,66 @@
+#!/usr/bin/env nix-shell
+#!nix-shell -i python3 -p "python3.withPackages(ps: with ps; [ beautifulsoup4 requests ])"
+
+import os
+from pathlib import Path
+import re
+import subprocess
+from collections import defaultdict
+from pprint import pprint
+
+import bs4
+import requests
+
+BASE_URL = "https://extdist.wmflabs.org/dist/extensions"
+
+def fetch_plugin_list(skip_master=True) -> dict[str, list[str]]:
+    content = requests.get(BASE_URL).text
+    soup = bs4.BeautifulSoup(content, features="html.parser")
+    result = defaultdict(list)
+    for a in soup.find_all('a'):
+        if skip_master and 'master' in a.text:
+            continue
+        split = a.text.split('-')
+        result[split[0]].append(a.text)
+    return result
+
+def update(package_file: Path, plugin_list: dict[str, list[str]]) -> None:
+    assert package_file.is_file()
+    with open(package_file) as file:
+        content = file.read()
+
+    tarball = re.search(f'url = "{BASE_URL}/(.+\.tar\.gz)";', content).group(1)
+    split = tarball.split('-')
+    updated_tarball = plugin_list[split[0]][-1]
+
+    _hash = re.search(f'hash = "(.+?)";', content).group(1)
+
+    out, err = subprocess.Popen(
+        ["nix-prefetch-url", "--unpack", "--type", "sha256", f"{BASE_URL}/{updated_tarball}"],
+        stdout=subprocess.PIPE,
+        stderr=subprocess.PIPE
+    ).communicate()
+    out, err = subprocess.Popen(
+        ["nix", "hash", "to-sri", "--type", "sha256", out.decode().strip()],
+        stdout=subprocess.PIPE,
+        stderr=subprocess.PIPE
+    ).communicate()
+
+    updated_hash = out.decode().strip()
+
+    if tarball == updated_tarball and _hash == updated_hash:
+        return
+
+    print(f"Updating: {tarball} ({_hash[7:14]}) -> {updated_tarball} ({updated_hash[7:14]})")
+
+    updated_text = re.sub(f'url = "{BASE_URL}/.+?\.tar\.gz";', f'url = "{BASE_URL}/{updated_tarball}";', content)
+    updated_text = re.sub('hash = ".+";', f'hash = "{updated_hash}";', updated_text)
+    with open(package_file, 'w') as file:
+        file.write(updated_text)
+
+if __name__ == "__main__":
+    plugin_list = fetch_plugin_list()
+
+    for direntry in os.scandir(Path(__file__).parent):
+        if direntry.is_dir():
+            update(Path(direntry) / "default.nix", plugin_list)

packages/mediawiki-extensions/user-merge/default.nix

@@ -0,0 +1,7 @@
+{ fetchzip }:
+
+fetchzip {
+  name = "mediawiki-user-merge-source";
+  url = "https://extdist.wmflabs.org/dist/extensions/UserMerge-REL1_41-a53af3b.tar.gz";
+  hash = "sha256-TxUkEqMW79thYl1la2r+w9laRnd3uSYYg1xDB+1he1g=";
+}

packages/simplesamlphp/default.nix

@@ -0,0 +1,38 @@
+{ lib
+, php
+, writeText
+, fetchFromGitHub
+, extra_files ? { }
+
+}:
+
+php.buildComposerProject rec {
+  pname = "simplesamlphp";
+  version = "2.2.1";
+
+  src = fetchFromGitHub {
+    owner = "simplesamlphp";
+    repo = "simplesamlphp";
+    rev = "v${version}";
+    hash = "sha256-jo7xma60M4VZgeDgyFumvJp1Sm+RP4XaugDkttQVB+k=";
+  };
+
+  composerStrictValidation = false;
+
+  vendorHash = "sha256-n6lJ/Fb6xI124PkKJMbJBDiuISlukWQcHl043uHoBb4=";
+
+  # TODO: metadata could be fetched automagically with these:
+  #   - https://simplesamlphp.org/docs/contrib_modules/metarefresh/simplesamlphp-automated_metadata.html
+  #   - https://idp.pvv.ntnu.no/simplesaml/saml2/idp/metadata.php
+  postPatch = lib.pipe extra_files [
+    (lib.mapAttrsToList (target_path: source_path: ''
+      mkdir -p $(dirname "${target_path}")
+      cp -r "${source_path}" "${target_path}"
+    ''))
+    (lib.concatStringsSep "\n")
+  ];
+
+  postInstall = ''
+    ln -sr $out/share/php/simplesamlphp/vendor/simplesamlphp/simplesamlphp-assets-base $out/share/php/simplesamlphp/public/assets/base
+  '';
+}

secrets/bekkalokk/bekkalokk.yaml

@@ -10,12 +10,18 @@ gitea:
         epsilon: ENC[AES256_GCM,data:JMnZVBdiy+5oPyXgDpfYvy7qLzIEfHy09fQSBDpNG4zDXTil2pSKBKxk09h5xg==,iv:/8oXKJW6+sMBjDt51MqVAWjQPM5nk02Lv5QqbZsZ5ms=,tag:+Rx7ursfVWc0EcExCLgLhQ==,type:str]
 mediawiki:
     password: ENC[AES256_GCM,data:HsBuA1E7187roGnKuFPfPDYxA16GFjAUucgUtrdUFmcOzmTNiFH+NWY2ZQ==,iv:vDYUmmZftcrkDtJxNYKAJSx9j+AQcmQarC62QRHR4IM=,tag:3TKjNrGRivFWoK3djC748g==,type:str]
-    database: ENC[AES256_GCM,data:EvVK3Mo6cZiIZS+gTxixU4r9SXN41VqwaWOtortZRNH+WPJ4xcYvzYMJNg==,iv:JtFTRLn3fzKIfgAPRqRgQjct7EdkEHtiyQKPy8/sZ2Q=,tag:nqzseG6BC0X5UNI/3kZZ3A==,type:str]
+    postgres_password: ENC[AES256_GCM,data:XIOmrOVXWvMMcPJtmovhdyZvLlhmrsrwjuMMkdEY1NIXWjevj5XEkp6Cpw==,iv:KMPTRzu3H/ewfEhc/O0q3o230QNkABfPYF/D1SYL2R8=,tag:sFZiFPHWxwzD9HndPmH3pQ==,type:str]
+    simplesamlphp:
+        postgres_password: ENC[AES256_GCM,data:FzykBVtJbA+Bey1GE5VqnSuv2GeobH1j,iv:wayQH3+y0FYFkr3JjmulI53SADk0Ikur/2mUS5kFrTk=,tag:d+nQ/se2bDA5aaQfBicnPQ==,type:str]
+        cookie_salt: ENC[AES256_GCM,data:BioRPAvL4F9ORBJDFdqHot81RhVpAOf32v1ah3pvOLq8E88bxGyKFQZxAwpIL3UkWQIsWMnEerm5MEMYL1C2OQ==,iv:yMVqiPTQ8hO1IVAax6PIkD0V9YTOEunwDTtnGcmy6Kc=,tag:Z4+bZF4olLlkx7YpXeQiUw==,type:str]
+        admin_password: ENC[AES256_GCM,data:4eUXvcO7NLOWke9XShfKzj+x3FvqPONa,iv:3iZ+BTBTZ7yMJ0HT14cEMebKZattWUcYEevRsl/6WOk=,tag:CU0iDhPP2ndztdX5U5A4cw==,type:str]
 keycloak:
     database: ENC[AES256_GCM,data:76+AZnNR5EiturTP7BdOCKE90bFFkfGlRtviSP5NHxPbb3RfFPJEMlwtzA==,iv:nS7VTossHdlrHjPeethhX+Ysp9ukrb5JD7kjG28OFpY=,tag:OMpiEv9nQA7v6lWJfNxEEw==,type:str]
-keys:
-    wackattack_ctf:
-        flag: ENC[AES256_GCM,data:cZCaGb/u/OZgAvXnuJPL3XqmnIa26Rl2IUpWpG/fpt/dJ7+/KssXVa6A5G6ObQhF7deCmTxuoVP8JU+DQzYRr0ftvKhLJ87rgzrE3j+UkA==,iv:3uFkNqXlVj94klU20yPIUd8tIeyUIfp0++2wkdIkiYM=,tag:OZMyEt118u10F5vSUFZE7A==,type:str]
+idp:
+    cookie_salt: ENC[AES256_GCM,data:cyV6HDCPHKQIa8T1+rFBFh6EuHtG5B508lg6uFYENK7qVpYuiTUIokdVQhY8SRLs2mECx/ampgnUHxCRB/Cc/A==,iv:QRrRUhzRQrLkmg38rrYtCEfF8U4/7ZHZUDSEq++BlbI=,tag:fLqFSLd+CKqJvmCh1fx8vg==,type:str]
+    admin_password: ENC[AES256_GCM,data:Vf33Oenk6x6BIij1uW8RQDjTPcKhUVYA,iv:RNeyCNpTAYdBPrZwE3Y6CCjoAML/3XUvjfJCrr06IEU=,tag:zVOrx1oXnEyr/VwFCFaCDQ==,type:str]
+    postgres_password: ENC[AES256_GCM,data:HGwKLbn/umPLPgH+qpXtugvXzOcXdlhK,iv:ypTW0VLSape8K5aCYu3BdjG/oMmqvfDSLw9uGLthb0Q=,tag:qlDMGz59qzMwEwBYxsC0XQ==,type:str]
+    privatekey: ENC[AES256_GCM,data:pK74wjuk9lt2PNJIzi6NpPBkxcSRsBZJl28BElUiri2zz17CY81x66CMlFsNjvzKB3JVX+b28FHFuSsEpd/mAPtmzZPR+CoWBHvU+OrSYYoufBxexRTtXzu0vx/KFL4X5tsb+GCgfm72CM+u9dElYHJzn3teBUmZc0pIoF29slTuwF+iZrbFwaieECxXMjHC9f+ivxWQsOvYFjhmAwgjBw/LsfURgLxZwcIRiiKsN41P2WtR9a/hjN53sJnihL9VZw/Xbbynm+bDmaAwhKUAZR28TU9Q1PTfNPEAOMoRgKF4MFuhQ5o0Cxq8RRz7fwCcCTV2sK4jgL7gKiy/gI/K41ybPQPon3NrDj3U2G1VhNgBfSNaTHgygiWI08HGWRHk83eJPHp3Ph8/A774g15SE10BXkL12n0kzodsZWYu3ybrhp167vL/ZW3xUnvFFlm4dTX/ndwS5rp1dIW0a5/0EDwMoGIJw94W5ph5sK9YoUTXwLdAJ9UWRZKQGk6iJstq2BMEBAN2BCSPHS2cflMjoVV4KKX1eq6s8/w6YFzCSQkt3+pGQ3DmiOaaqiv7sUfxyfMDzDcuTVETYRhsvr1ChfBFNn1yoH8BffeVTI2Ei3Edek1vXcg05mHxslhCmzQ4U4us0agtpm2Ar6ppvuedJHLWLFz8pgWSENeGdRcbz0CXiy7lIEYW4uQBru4MAjQ+ZQhz/F4L6At60Q4NelYMDxryQ8LxV0fA/ba2llwl8bDHDFDYkxu3/IaaWG8bp1i6gqvEao3/CRpPt/OAJGAHO3HViPm6xmWlWinUEatNlgCoDotkc56eZU/Af/P7R0QPQF0PpEIDHPcNjc/HcfheUXzJSzkD7wja8VB6rtqdRHFC793QsgdHJMJ+/bvJWZSQciSwaY3PBKLLuB6vrn7VD2NB4cE6beaGwneiAn83lAV+I4cJMDQFLkhWm8LIC7JIZKq/7eBfDEmajWEBL6wSbomBi/UGbA+FyvOokYYMemwVu1JGULcz9Lvn6pxkftQlN0gqE3MncrcZ/l59fepbka/z8oqH6i+3nKdaEh6D+WudD/0xiJSdXAVM6jGrxQtFc1R+OmGTTKJB4aLqgcM25YQ760wKavx5+B52pSki7XdYLmb6Xbnnv7AnyCNmGcpcj795P7qasE2sVokqq9a2PZD7VhP9TPHGtEO6QkkNV5gLxGsGvmshMM8KQgjK60HPQuSfHFVN/SlcOKvvH5ec8sBuYUt24xcDPewV9cXZwjcmwufFOVbC72FTEmU5qvmKobJTGjjbhWsHwpopESctmXuArIcVPsX5jSe3C9Y+9tjbkBGW6/+o8pTfodsjioXevVDXwjVBmGYk8xjZtF6/xfhpWvfunDXgEhnpT4i6ikoQiva8Mw8NvLe8U8Ivr6qCDE4ys4RTs56aw/CJHzydKjX96ZPzim52fAIJvEt1HvMvQx/O/q00h0WujYBcSBivYDtl7hC2fl6pBvM7fjipbeF04idkAKKXf4j6SGunx4hWq+eIA5tnlG8XVZZKIpdXKLgarvWs5pLlTSAK5ckF/yddcik7gAZc+pwo8kCAXIXPisX/yw9cZhI51PNTG1yxtPHAWKgULYLoWcnBCGTmPVXmj6IhpGuNuQ18TTpEtwnrMmcGq6aG/M2ZI+oq0q6suJUWwsCKUVM/TS6SKXEArzDtOMdXgyyDC/H3u+w3Bt/DwALLacq6lwoKBJZxQ6ewv3+ZkLcOkMRKu97hgV+rKmFqdPXqs+Skrf2MRl48sUCPIUXhD46ocFNpemcXcr73G7AxmmFLT6T4ZFm69K6eftUP6FsgUwbed+SaWTeptaG+wueL1NECoXafGlJAmXkjbBdWVgF2oMQFP3Kau135fiqmHpoWGzG5UhKxshTTtRIvbG/296NOkNZWBT/VzjwZti3IUka7HjC3leu28IlLsN0fsNPjQc2uIR3uVsR020g6et0m/Nys9gHDWXG/aCAYKhrgU8w37ZHBs383rkl4uUIYJH61SmTS4JP/wgh/+Q1aU8gXaZ8/Bc0BZUJdF3JR48fjkuMi2A8q5vkTQ1yFCvbBTtdg336v5tZc/xOW5/pt0W1Y7IgPFwHNh4iPAtKQZ3Qybh5PXs4N80YeYFWIjV6Ai0uY4yPdwYPfd1pRdpf3Ll+bhnbDPg0ye4f9lAhSR/cAZpft7BTd6W6jCv8QfWZcDmoBGZy68GZsYfCJ3QAo6szxzDtuyp7WMJRxioPt1EVA9q+8Rp7hHmZosoZOIUV+q3W5yZymL/PXZABiIc2OW9kryNlxQlBo79CSLGdXWeMq3dN1MSWoKJzxEseQqtSY5E1DYQosT1+3B8DXm77WSLMuB6OLjEz760y8jyIiLTGAVslcOb5XNfrQf5+l52nxCl/uSZo9FxiKg7ip0v3PZLuFSTSEaR2R2WeSuv/KoXi7WxFiG6VskpyL5jMhBwjepExFVosrOi4XugqR8vD3byTYUnmQvWJyyrI2LqQsYsa3o65SIO4g8SMKRsJJ8WWHpywLjF00HJSWiGRu8bQguvDTQd3UP6lgudzpubERXuUIBiMPqBKFJ1QTWA6N/t7dxR7NVaSexrGmY4ZSoIBKb9Jnge/+lkKrO9CgqDQpTAAvwwBZpFOV7EYLZNRpW+F8HaCNMeql7V/nFqdaaNdm9yLBhXbaeujalyiLtvBCghe330JVjbBTYWiRulJ2xnlX4GLzORBRIVHJYjxEKzCeVW7J2wAKkJ6gx5rlfDOd6r+Tf+1L8ZZoJEdBhIW7flslxo4amGRTI9QGJKVCIq/hrUGEgIAKsDsqTd21lVdhy+EDM+gumO7FbMcqVPRpwmQMFAZbJgH6TeS46tA4XQJGbwQhhBaqVb3jz7OJVOZ9C3/XfxPPpK4B2OyqINKNIRfyZ0fSmGlIT4LPf2IUEDCEKuPd3ClX51qNnVAPt/MbooF++Vp91KImdqCHwdiAygZTH9u91UN8S9IW8vo0XE4eAgdInjOM+IzUPhC+G8i6UNHbOpfQ7dntDc2nCv4nFKLjLZrgpm2kFrQ60/gDlbXBFF2eRcfYkSQSxVLWC4kWF1ce9YZf/j6erm6GnsQiyNoePe/Nb0v2f5DAR+9yoSJEOAi/AHacA9Dq5kfcoOYCrLkoc17SKQYmy/M9m5Mh3inI/O4wbUQrYDKHT0j77BJnkY11M6AiEF9YC0F4lCV4hIefQ3PnI4nmmo9b8rHnqvmrwUZrcOom6Zp+A7ydo4t0Bw1cDzEwJfpcb3JjpFi7F32/vHHLtGuPDvcJqkhw8VLuaAWAcEPJcIHJ+vAKCGWtDH7yQEOhFq4touwyPYDWBA5tqPY2xkFIAImFRhyLtTQupiNbZVR4G4dj24l8uQl2iz9aoDbJlNhoT+9YhwrKrYdM6hqnvpmiYqLIM+2kijZ8JmBS0BWNLCr+6rnbZbEB5e1ezokice8HQ1XcXbsegcI+eJ+gfDhYKw75VVyOd1Uy/pjLCCwQTywTIbf3iSuETvs3YjQrET1m7GJm3q8G4dx2M9c2B7R6B0ej06pkC4WwzFg3hEG6z2BaNrkopKkoE99bjoB2VHkgGTe+YM1Q3t+jA8IB7XNlnVH82AJ6eDMqgGSWBZiGxwx0KVUMg7cTi0iD6JNSYea0ykw+fh7Mj+8N0zhmzdUjdNBwZqxHVUbqIhUhk6meGRN5EASyt6qR329AqzbKaloS2VqjLjDkSEMhQfL4jHa8yPp8Cyj6EjgM2n5LnZs0u/43eh0h4ig3zQYMkwrHixI5hNQTBwSm3QnNpr3OnXAlypCPbCTiMC5sxHfrSTFkmjduT29aZ5qHQOc5zYG5bE2CmhWJdCOZm1s1mUT+Pxbxf4m/sh8w7TwnA+leD1rUvwYfyl5WI8f071vPcg62uTwScxr+TErvdzAkg9HElnsO6km0IncHIh79zexCR51CrtrZAVxc1gnnDtTLsaKmcEDkqIY4U2cUv+1CtPWz7IfKea9B56x+bFY32pwqYeXCHdDVfBGSMuM7mqZUBu+3jETSbglozYrukbgjftdWob3s/hR0WB0lH9uwkugfoGVonasPkmPvBhuvozkCLvP9aplqwUoL74D4JhHFLciPvV+Cmw5ag1WtErB89Oimm3tnOpynCJwZTQM+NVgBtKjom0qOnyn7l0vYIKQFJwV2k5w+RfrX5EOOjFfg9D2u+gHgmrqzaSl6kk2dHlQYmfeP+nJxiH7eGO5D3ooYHp7JKZBAaJHcAWWpgqVL/L8pjSJLCPRGBF/5DnfggwFdNprl3LqYnr4io+Wp4+Du74uvQHNpojrUQ4j7Qp330rSbCK9iX5v14zYr6RlqKe5CtTqHjPzuL8CxFUI1ImHgViNpff4=,iv:8cb1FcIm0oGkcrfLNqXamx4aDA3owBZoHur8+uFsdmA=,tag:oFPP/Yene6QrxFDKlmoVcA==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -49,8 +55,8 @@ sops:
             akVjeTNTeGorZjJQOVlMeCtPRUVYL3MK+VMvGxrbzGz4Q3sdaDDWjal+OiK+JYKX
             GHiMXVHQJZu/RrlxMjHKN6V3iaqxZpuvLAEJ2Lzy5EOHPtuiiRyeHQ==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-10-26T19:59:04Z"
-    mac: ENC[AES256_GCM,data:uH0RfKBjjbYvxjl4XyoXWvwUpi+W7IQZjBdC5UoslotToTw0xnici2fKxPNZ9aFJsukLMPLC+tsT/shUqW373f/NyhsJt0Vb2YtuozFQyQstZQEpnm4WuVoFR/MEjAra/PaM4ATHSGgDuHa7qrpdKTLnrMOai5ZqxLfFbLws3dA=,iv:47hHzrnfZG5NtCN0HjziZdDBJTr451/kvY95GpB3G2M=,tag:3TCs7DSeWB6NujDUlQVGjA==,type:str]
+    lastmodified: "2024-03-30T21:22:02Z"
+    mac: ENC[AES256_GCM,data:o3buZqOYZXiNyJ7zDtaBDFwbtP5i0QNvHxVVxtVWdLdRASVmau/ZXdQ8MNsExe6gUF4dS6Sv7QYXRfUO7ccmUDP4zABlIOcxjwsRTs5lE45S6pVIB98OIAODHdyl6LVsgxEkhdPmSoYRjLIWO56KlKArxPQGiprCI7AIBe6DYik=,iv:sAEeBMuJ8JwI3STZuy4miZhXA9Lopbof+3aaprtWVJ4=,tag:LBIRH7KwZ0CuuXuioVL10Q==,type:str]
     pgp:
         - created_at: "2023-05-21T00:28:40Z"
           enc: |

shell.nix

@@ -3,5 +3,17 @@ pkgs.mkShell {
   nativeBuildInputs = with pkgs; [
     sops
     gnupg
+    openstackclient
   ];
+
+  shellHook = ''
+    export OS_AUTH_URL=https://api.stack.it.ntnu.no:5000
+    export OS_PROJECT_ID=b78432a088954cdc850976db13cfd61c
+    export OS_PROJECT_NAME="STUDORG_Programvareverkstedet"
+    export OS_USER_DOMAIN_NAME="NTNU"
+    export OS_PROJECT_DOMAIN_ID="d3f99bcdaf974685ad0c74c2e5d259db"
+    export OS_REGION_NAME="NTNU-IT"
+    export OS_INTERFACE=public
+    export OS_IDENTITY_API_VERSION=3
+  '';
 }

users/adriangl.nix

@@ -9,7 +9,7 @@
     ];
 
     packages = with pkgs; [
-      exa
+      eza
       neovim
     ];
 

users/danio.nix

@@ -3,7 +3,12 @@
 {
   users.users.danio = {
     isNormalUser = true;
-    extraGroups = [ "drift" ]; # Enable ‘sudo’ for the user.
+    extraGroups = [ "drift" "nix-builder-users" ];
     shell = pkgs.zsh;
+
+    openssh.authorizedKeys.keys = [
+      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCp8iMOx3eTiG5AmDh2KjKcigf7xdRKn9M7iZQ4RqP0np0UN2NUbu+VAMJmkWFyi3JpxmLuhszU0F1xY+3qM3ARduy1cs89B/bBE85xlOeYhcYVmpcgPR5xduS+TuHTBzFAgp+IU7/lgxdjcJ3PH4K0ruGRcX1xrytmk/vdY8IeSk3GVWDRrRbH6brO4cCCFjX0zJ7G6hBQueTPQoOy3jrUvgpRkzZY4ZCuljXtxbuX5X/2qWAkp8ca0iTQ5FzNA5JUyj+DWeEzjIEz6GrckOdV2LjWpT9+CtOqoPZOUudE1J9mJk4snNlMQjE06It7Kr50bpwoPqnxjo7ZjlHFLezl"
+      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDpGSDczzDOhTETCj+uB5e3/9QbOCaVW1knM+n1ey0n6LXH7uiPPmzuZiqfzmfbB1z4bjM2zpn3D6Et6zRCrBUjhTZqf/5GoNlvhVA6QYmBmBp98b8oY7juj5cmu55voxD0S5rC1mQMnWAAf8e8OPbkhs9Lt0XlOYdotLNIZQubzWqE2DK45g/h17ELJs+jkNXoalFjLvLXWzE/C+3pYoeNJVGHfVMTIwt7o64E6JXhxuYTYdSIuzd+BjntkSCXzcAzBFMRwkdlFVoBtLUMMcMQl39kcXv7lAQ8pv+8b1j1N9WuQVf1qEAcZguaimI1ifbXP5d841pZPApCj5KXectIEldfTrcwg8rZpd2UfYS/3XCcOuidBGprY7XsU/jz8wHbH68UjUrsLyaOMnG2ChYztnf63vm3gRs3Fc6FqTycpgYOPDeZBVTcMyPGgtiZvhnTeY20xFS5lK6M+dmgaDqH24kPLiwYSpUF2NK+Rg/2bZxvt/GaSr4U6fJGi3FCJOM= root@DanixLaptop"
+    ];
   };
 }

users/eirikwit.nix

@@ -0,0 +1,18 @@
+{ pkgs, ... }:
+{
+  users.users.eirikwit = {
+    isNormalUser = true;
+    extraGroups = [
+      "wheel"
+      "drift"
+    ];
+
+    packages = with pkgs; [
+      micro
+    ];
+
+    openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGZusOSiUVSMjrvNdUq4R91Gafq4XVs9C77Zt+LMPhCU eirikw@live.no"
+    ];
+  };
+}

users/jonmro.nix

@@ -0,0 +1,12 @@
+{pkgs, ...}:
+
+{
+  users.users.jonmro = {
+    isNormalUser = true;
+    extraGroups = [ "wheel" "drift" "nix-builder-users" ]; 
+    shell = pkgs.zsh;
+    openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEm5PfYmfl/0fnAP/3coVlvTw3/TYNLT6r/NwJHZbLAK jonrodtang@gmail.com"
+    ];
+  };
+}

users/oysteikt.nix

@@ -6,11 +6,12 @@
     extraGroups = [
       "wheel"
       "drift"
+      "nix-builder-users"
     ];
 
     packages = with pkgs; [
       bottom
-      exa
+      eza
       neovim
       diskonaut
       ripgrep

values.nix

@@ -37,6 +37,13 @@ in rec {
       ipv4 = pvv-ipv4 209;
       ipv6 = pvv-ipv6 209;
     };
+    bob = {
+      ipv4 = "129.241.152.254";
+      # ipv6 = ;
+    };
+    knutsen = {
+      ipv4 = pvv-ipv4 191;
+    };
     shark = {
       ipv4 = pvv-ipv4 196;
       ipv6 = pvv-ipv6 196;
@@ -49,6 +56,10 @@ in rec {
       ipv4 = pvv-ipv4 204;
       ipv6 = pvv-ipv6 "1:4f"; # Wtf øystein og daniel why
     };
+    buskerud = {
+      ipv4 = pvv-ipv4 231;
+      ipv6 = pvv-ipv6 231;
+    };
   };
 
   defaultNetworkConfig = {