test if evals

.gitea/workflows/eval.yml

@@ -1,13 +0,0 @@
-name: "Eval nix flake"
-on:
-  pull_request:
-  push:
-jobs:
-  evals:
-    runs-on: ubuntu-latest
-    steps:
-    - uses: actions/checkout@v3
-    - run: apt-get update && apt-get -y install sudo
-    - uses: https://github.com/cachix/install-nix-action@v23
-    - run: echo -e "show-trace = true\nmax-jobs = auto\ntrusted-users = root\nexperimental-features = nix-command flakes\nbuild-users-group =" > /etc/nix/nix.conf
-    - run: nix flake check

.gitea/workflows/test.yml

@@ -0,0 +1,28 @@
+name: "Test"
+on:
+  pull_request:
+  push:
+jobs:
+  evals:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v3
+    - run: apt-get update && apt-get -y install sudo
+    - uses: https://github.com/cachix/install-nix-action@v23
+    - run: echo -e "show-trace = true\nmax-jobs = auto\ntrusted-users = root\nexperimental-features = nix-command flakes\nbuild-users-group =" > /etc/nix/nix.conf
+    - run: nix flake check
+  builds:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v3
+    - run: apt-get update && apt-get -y install sudo
+    - run: su node
+    - run: whoami
+    - uses: https://github.com/cachix/install-nix-action@v23
+    - run: echo -e "show-trace = true\nmax-jobs = auto\ntrusted-users = root\nexperimental-features = nix-command flakes\nbuild-users-group =" > /etc/nix/nix.conf
+    - run: nix build --keep-going .#nixosConfigurations.bekkalokk.config.system.build.toplevel || exit 0
+    # - run: nix build --keep-going .#nixosConfigurations.bicep.config.system.build.toplevel || exit 0
+    # - run: nix build --keep-going .#nixosConfigurations.brzeczyszczykiewicz.config.system.build.toplevel || exit 0
+    # - run: nix build --keep-going .#nixosConfigurations.georg.config.system.build.toplevel || exit 0
+    # - run: nix build --keep-going .#nixosConfigurations.ildkule.config.system.build.toplevel || exit 0
+    # - run: nix build --keep-going .#nixosConfigurations.shark.config.system.build.toplevel || exit 0

hosts/bekkalokk/configuration.nix

@@ -5,7 +5,6 @@
 
     ../../base.nix
     ../../misc/metrics-exporters.nix
-    ../../modules/wackattack-ctf-stockfish
 
     #./services/keycloak.nix
 
@@ -13,7 +12,6 @@
     # ./services/website.nix
     ./services/nginx.nix
     ./services/gitea/default.nix
-    ./services/webmail
     # ./services/mediawiki.nix
   ];
 

hosts/bekkalokk/services/webmail/default.nix

@@ -1,6 +0,0 @@
-{ config, values, pkgs, ... }:
-{
-  imports = [
-    ./roundcube.nix
-  ];
-}

hosts/bekkalokk/services/webmail/roundcube.nix

@@ -1,34 +0,0 @@
-{ config, pkgs, lib, ... }:
-
-with lib;
-let
-  cfg = config.services.roundcube;
-  domain = "roundcube.pvv.ntnu.no";
-in 
-{
-  services.roundcube = {
-      enable = true;
-      package = pkgs.roundcube.withPlugins (plugins: [ plugins.persistent_login plugins.thunderbird_labels plugins.contextmenu plugins.custom_from]);
-      dicts = with pkgs.aspellDicts; [ en en-science en-computers nb  nn fr de it];
-      maxAttachmentSize = 20;
-      # this is the url of the vhost, not necessarily the same as the fqdn of the mailserver
-      hostName = domain;
-
-      extraConfig = ''
-        # starttls needed for authentication, so the fqdn required to match
-        # the certificate
-        $config['enable_installer'] = false;
-        $config['default_host'] = "ssl://imap.pvv.ntnu.no";
-        $config['default_port'] = 993;
-        #$config['smtp_server'] = "tls://smtp.pvv.ntnu.no";
-        #$config['smtp_port'] = 25;
-        $config['smtp_server'] = "ssl://smtp.pvv.ntnu.no";
-        $config['smtp_port'] = 465;
-        # $config['smtp_user'] = "%u@pvv.ntnu.no";
-        $config['mail_domain'] = "pvv.ntnu.no";
-        $config['smtp_user'] = "%u";
-        # $config['smtp_pass'] = "%p";
-        $config['support_url'] = "";
-      '';
-  };  
-}

hosts/bicep/services/matrix/smtp-authenticator/default.nix

@@ -1,17 +0,0 @@
-{ lib, buildPythonPackage, fetchFromGitHub }:
-
-buildPythonPackage rec {
-  pname = "matrix-synapse-smtp-auth";
-  version = "0.1.0";
-
-  src = ./.;
-
-  doCheck = false;
-
-  meta = with lib; {
-    description = "An SMTP auth provider for Synapse";
-    homepage = "pvv.ntnu.no";
-    license = licenses.agpl3Only;
-    maintainers = with maintainers; [ dandellion ];
-  };
-}

hosts/bicep/services/matrix/smtp-authenticator/setup.py

@@ -1,11 +0,0 @@
-from setuptools import setup
-
-setup(
-    name="matrix-synapse-smtp-auth",
-    version="0.1.0",
-    py_modules=['smtp_auth_provider'],
-    author="Daniel Løvbrøtte Olsen",
-    author_email="danio@pvv.ntnu.no",
-    description="An SMTP auth provider for Synapse",
-    license="AGPL-3.0-only"
-)

hosts/bicep/services/matrix/smtp-authenticator/smtp_auth_provider.py

@@ -1,45 +0,0 @@
-from typing import Awaitable, Callable, Optional, Tuple
-
-from smtplib import SMTP_SSL as SMTP
-
-import synapse
-from synapse import module_api
-
-
-class SMTPAuthProvider:
-    def __init__(self, config: dict, api: module_api):
-        self.api = api
-
-        self.config = config
-
-        api.register_password_auth_provider_callbacks(
-            auth_checkers={
-                ("m.login.password", ("password",)): self.check_pass,
-            },
-        )
-
-    async def check_pass(
-        self,
-        username: str,
-        login_type: str,
-        login_dict: "synapse.module_api.JsonDict",
-    ):
-        if login_type != "m.login.password":
-            return None
-
-        result = False
-        with SMTP(self.config["smtp_host"]) as smtp:
-            password = login_dict.get("password")
-            try:
-                smtp.login(username, password)
-                result = True
-            except:
-                return None
-
-        if result == True:
-            userid = self.api.get_qualified_user_id(username)
-            if not self.api.check_user_exists(userid):
-                self.api.register_user(username)
-            return (userid, None)
-        else:
-            return None

hosts/bicep/services/matrix/synapse.nix

@@ -22,18 +22,9 @@ in {
     group = config.users.users.matrix-synapse.group;
   };
 
-  sops.secrets."matrix/sliding-sync/env" = {
-    sopsFile = ../../../../secrets/bicep/matrix.yaml;
-    key = "sliding-sync/env";
-  };
-
   services.matrix-synapse-next = {
     enable = true;
 
-    plugins = [
-      (pkgs.python3Packages.callPackage ./smtp-authenticator { })
-    ];
-
     dataDir = "/data/synapse";
 
     workers.federationSenders = 2;
@@ -43,8 +34,6 @@ in {
     workers.eventPersisters = 2;
     workers.useUserDirectoryWorker = true;
 
-    enableSlidingSync = true;
-
     enableNginx = true;
 
     settings = {
@@ -92,15 +81,7 @@ in {
       enable_registration = false;
       registration_shared_secret_path = config.sops.secrets."matrix/synapse/user_registration".path;
 
-      password_config.enabled = true;
+      password_config.enabled = lib.mkForce false;
-
-      modules = [
-        { module = "smtp_auth_provider.SMTPAuthProvider";
-          config = {
-            smtp_host = "smtp.pvv.ntnu.no";
-          };
-        }
-      ];
 
       trusted_key_servers = [
         { server_name = "matrix.org"; }
@@ -211,9 +192,6 @@ in {
     };
   };
 
-  services.matrix-synapse.sliding-sync.environmentFile = config.sops.secrets."matrix/sliding-sync/env".path;
-
-
   services.redis.servers."".enable = true;
   
   services.nginx.virtualHosts."matrix.pvv.ntnu.no" = lib.mkMerge [({

modules/wackattack-ctf-stockfish/chess.py

@@ -1,74 +0,0 @@
-#!/usr/bin/env python3
-from stockfish import *
-from inputimeout import inputimeout
-import time
-from datetime import datetime
-import random
-
-thinking_time = 1000
-
-game = Stockfish(path="./stockfish", depth=15, parameters={"Threads": 1, "Minimum Thinking Time": thinking_time, "UCI_Chess960": True})
-
-def create_random_position():
-    pos = "/pppppppp/8/8/8/8/PPPPPPPP/"
-    rank8 = ["r","r","b","q","k","b","n","n"]
-
-    while rank8.index("k") < [i for i, n in enumerate(rank8) if n == "r"][0] or rank8.index("k") > [i for i, n in enumerate(rank8) if n == "r"][1] or [i for i, n in enumerate(rank8) if n == "b"][0] % 2 == [i for i, n in enumerate(rank8) if n == "b"][1] % 2:
-        random.seed(datetime.now().microsecond)
-        random.shuffle(rank8)
-
-    rank1 = [c.upper() for c in rank8]
-    pos = "".join(rank8) + pos + "".join(rank1) + " w KQkq - 0 1"
-    game.set_fen_position(pos)
-
-def player_won():
-    with open("flag.txt") as file:
-        flag = file.read()
-    print(flag)
-    exit()
-
-def get_fast_player_move():
-    try:
-        time_over = inputimeout(prompt='Your move: ', timeout=5)
-    except Exception:
-        time_over = 'Too slow, you lost!'
-        print(time_over)
-        exit()
-    return time_over
-
-def check_game_status():
-    evaluation = game.get_evaluation()
-    turn = game.get_fen_position().split(" ")[1]
-    if evaluation["type"] == "mate" and evaluation["value"] == 0 and turn == "w":
-        print("Wow, you beat me!")
-        player_won()
-    elif evaluation["type"] == "mate" and evaluation["value"] == 0 and turn == "b":
-        print("Hah, I won again")
-        exit()
-    if evaluation["type"] == "draw":
-        print("It's a draw!")
-        print("Impressive, but I am still undefeated.")
-        exit()
-
-if __name__ == "__main__":
-    create_random_position()
-    print("Welcome to fischer chess.\nYou get 5 seconds per move. Good luck")
-    print(game.get_board_visual())
-    print("Heres the position for this game, Ill give you a few seconds to look at it before we start.")
-    time.sleep(3)
-    while True:
-        server_move = game.get_best_move_time(thinking_time)
-        game.make_moves_from_current_position([server_move])
-        check_game_status()
-        print(game.get_board_visual())
-        print(f"My move: {server_move}")
-        player_move = get_fast_player_move()
-        if type(player_move) != str or len([player_move]) != 1:
-            print("Illegal input")
-            exit()
-        try:
-            game.make_moves_from_current_position([player_move])
-            check_game_status()
-        except:
-            print("Couldn't comprehend that")
-            exit()

modules/wackattack-ctf-stockfish/default.nix

@@ -1,108 +0,0 @@
-{ config, pkgs, lib, ... }: let
-  stockfish = with pkgs.python3Packages; buildPythonPackage rec {
-    pname = "stockfish";
-    version = "3.28.0";
-    disabled = pythonOlder "3.7";
-
-    src = pkgs.fetchFromGitHub {
-      owner = "zhelyabuzhsky";
-      repo = pname;
-      rev = version;
-      hash = "sha256-XLgVjLV2QXeTYPjP/lwc0LH850LKJsymFlrAMkAn8HU=";
-    };
-
-    format = "setuptools";
-    nativeBuildInputs = [
-      setuptools
-    ];
-
-    propagatedBuildInputs = [
-      pytest-runner
-    ];
-
-    doCheck = false;
-  };
-
-  inputimeout = with pkgs.python3Packages; buildPythonPackage rec {
-    pname = "inputimeout";
-    version = "1.0.4";
-    src = pkgs.fetchFromGitHub {
-      owner = "johejo";
-      repo = pname;
-      rev = "v${version}";
-      hash = "sha256-Fh1CaqJOK58nURt4imkhCmZKG2eJlP/Hi10SarUJ+Fs=";
-    };
-
-    format = "setuptools";
-    nativeBuildInputs = [ setuptools ];
-
-    doCheck = false;
-  };
-
-  script = pkgs.writers.writePython3 "chess" {
-    libraries = [
-      stockfish
-      inputimeout   
-    ];
-
-    # Fy!
-    flakeIgnore = [ "F403" "F405" "E231" "E265" "E302" "E305" "E501" "E722" ];
-  } (builtins.replaceStrings [''path="./stockfish"''] [''path="${pkgs.stockfish}/bin/stockfish"''] (builtins.readFile ./chess.py));
-in
-{
-  sops.secrets."keys/wackattack_ctf/flag" = { };
-
-  systemd.sockets."wackattack-ctf-stockfish" = {
-    description = "Save some azure credit for the rest of us";
-    partOf = [ "wackattack-ctf-stockfish.service" ];
-    wantedBy = [ "sockets.target" ];
-
-    socketConfig = {
-      ListenStream = "0.0.0.0:9999";
-      Accept = true;
-    };
-  };
-
-  systemd.services."wackattack-ctf-stockfish@" = {
-    description = "Save some azure credit for the rest of us";
-    after = [ "network.target" ];
-    requires = [ "wackattack-ctf-stockfish.socket" ];
-    wantedBy = [ "multi-user.target" ];
-    serviceConfig = {
-      Type = "simple";
-      DynamicUser = true;
-      WorkingDirectory = "%d";
-      Restart = "always";
-      StandardInput = "socket";
-      LoadCredential = "flag.txt:${config.sops.secrets."keys/wackattack_ctf/flag".path}";
-
-      Exec = script;
-
-      # systemd hardening go barr
-      ProcSubset = "pid";
-      ProtectProc = "invisible";
-      AmbientCapabilities = "";
-      CapabilityBoundingSet = "";
-      NoNewPrivileges = true;
-      ProtectSystem = "strict";
-      ProtectHome = true;
-      PrivateTmp = true;
-      PrivateDevices = true;
-      PrivateUsers = true;
-      ProtectHostname = true;
-      ProtectClock = true;
-      ProtectKernelTunables = true;
-      ProtectKernelModules = true;
-      ProtectKernelLogs = true;
-      ProtectControlGroups = true;
-      RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
-      RestrictNamespaces = true;
-      LockPersonality = true;
-      RestrictRealtime = true;
-      RestrictSUIDSGID = true;
-      RemoveIPC = true;
-      PrivateMounts = true;
-      SystemCallArchitectures = "native";
-    };
-  };
-}

secrets/bekkalokk/bekkalokk.yaml

@@ -13,9 +13,6 @@ mediawiki:
     database: ENC[AES256_GCM,data:EvVK3Mo6cZiIZS+gTxixU4r9SXN41VqwaWOtortZRNH+WPJ4xcYvzYMJNg==,iv:JtFTRLn3fzKIfgAPRqRgQjct7EdkEHtiyQKPy8/sZ2Q=,tag:nqzseG6BC0X5UNI/3kZZ3A==,type:str]
 keycloak:
     database: ENC[AES256_GCM,data:76+AZnNR5EiturTP7BdOCKE90bFFkfGlRtviSP5NHxPbb3RfFPJEMlwtzA==,iv:nS7VTossHdlrHjPeethhX+Ysp9ukrb5JD7kjG28OFpY=,tag:OMpiEv9nQA7v6lWJfNxEEw==,type:str]
-keys:
-    wackattack_ctf:
-        flag: ENC[AES256_GCM,data:cZCaGb/u/OZgAvXnuJPL3XqmnIa26Rl2IUpWpG/fpt/dJ7+/KssXVa6A5G6ObQhF7deCmTxuoVP8JU+DQzYRr0ftvKhLJ87rgzrE3j+UkA==,iv:3uFkNqXlVj94klU20yPIUd8tIeyUIfp0++2wkdIkiYM=,tag:OZMyEt118u10F5vSUFZE7A==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -49,8 +46,8 @@ sops:
             akVjeTNTeGorZjJQOVlMeCtPRUVYL3MK+VMvGxrbzGz4Q3sdaDDWjal+OiK+JYKX
             GHiMXVHQJZu/RrlxMjHKN6V3iaqxZpuvLAEJ2Lzy5EOHPtuiiRyeHQ==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-10-26T19:59:04Z"
+    lastmodified: "2023-09-17T02:02:24Z"
-    mac: ENC[AES256_GCM,data:uH0RfKBjjbYvxjl4XyoXWvwUpi+W7IQZjBdC5UoslotToTw0xnici2fKxPNZ9aFJsukLMPLC+tsT/shUqW373f/NyhsJt0Vb2YtuozFQyQstZQEpnm4WuVoFR/MEjAra/PaM4ATHSGgDuHa7qrpdKTLnrMOai5ZqxLfFbLws3dA=,iv:47hHzrnfZG5NtCN0HjziZdDBJTr451/kvY95GpB3G2M=,tag:3TCs7DSeWB6NujDUlQVGjA==,type:str]
+    mac: ENC[AES256_GCM,data:Lkvj9UOdE/WZtFReMs6n8ucFuJNPb76ZhPHFpYAEqYEe8d9FdMPMzq05DBAJe9IqpFS0jc9SWxJUPHfGgoMR8nPciZuR/mpJ+4s/cRkPbApwBPcLlvatE/qkbcxzoLlb1vN0gth5G/U7UEfk5Pp9gIz6Yo4sEIS3Za42tId1MpI=,iv:s3VELgU/RJ98/lbQV3vPtOLXtwFzB3KlY7bMKbAzp/g=,tag:D8s0XyGnd8UhbCseB/TyFg==,type:str]
     pgp:
         - created_at: "2023-05-21T00:28:40Z"
           enc: |
@@ -73,4 +70,4 @@ sops:
             -----END PGP MESSAGE-----
           fp: F7D37890228A907440E1FD4846B9228E814A2AAC
     unencrypted_suffix: _unencrypted
-    version: 3.8.1
+    version: 3.7.3

secrets/bicep/matrix.yaml

@@ -2,8 +2,6 @@ synapse:
     turnconfig: ENC[AES256_GCM,data:mASRjYa4C9WRow4x0XYRrlCE5LMJUYaId+o62r1qhsyJPa2LzrI=,iv:5vYdubvMDjLS6soiWx2DzkEAATb9NFbSS/Jhuuz1yI8=,tag:wOW07CQMDbOiZNervee/pg==,type:str]
     user_registration: ENC[AES256_GCM,data:ZDZfEEvyw8pg0WzhrdC8747ed+ZR2ZA8/WypJd/iDkmIy2RmxOeI0sE=,iv:l61mOlvzpCql4fC/eubBSU6px21et2WcpxQ6rFl14iw=,tag:sVDEAa3xipKIi/6isCjWew==,type:str]
     signing_key: ENC[AES256_GCM,data:6UpfiRlX9pRM7zhdm7Mc8y8EItLzugWkHSgE0tGpEmudCTa1wc60oNbYfhKDWU81DT/U148pZOoX1A==,iv:UlqCPicPm5eNBz1xBMI3A3Rn4t/GtldNIDdMH5MMnLw=,tag:HHaw6iMjEAv5b9mjHSVpwA==,type:str]
-sliding-sync:
-    env: ENC[AES256_GCM,data:DsU1qKTy5sn06Y0S5kFUqZHML20n6HdHUdXsQRUw,iv:/TNTc+StAZbf6pBY9CeXdxkx8E+3bak/wOqHyBNMprU=,tag:er5u4FRlSmUZrOT/sj+RhQ==,type:str]
 coturn:
     static-auth-secret: ENC[AES256_GCM,data:y5cG/LyrorkDH+8YrgcV7DY=,iv:ca90q2J3+NOy51mUBy4TMKfYMgWL4hxWDdsKIuxRBgU=,tag:hpFCns1lpi07paHyGB7tGQ==,type:str]
 mjolnir:
@@ -43,8 +41,8 @@ sops:
             cGxZVnFhdXRka2drTGdkVk1iM0pFL1kK2ry7b2cLYPfntWi/BV3K2O+mHt3242Ef
             sI2JLLQYHeAhxjFdCzP1RDR+Wu/pRxZje6xuTZ9I9TKNmm+LhAXHQw==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-10-22T00:31:46Z"
+    lastmodified: "2023-09-15T04:40:21Z"
-    mac: ENC[AES256_GCM,data:UpnaUfRxvdyzBy5x4EC3w5LQ1qWxILTQhpyVPd9whTzQMAivAHT0pVmP9aE4T9w3NcWTaghp+f70GmQXx/OCC6DsRCWtU9pFHRj12YUowM3yB5lVTOomOLZQ9m4gUXw5I2GZHWBJn8CyosDcBMlXz2tiR91v/8Ulh6sDSAO86U0=,iv:5GcgRvbpqDEslZruKHM/TcMaF52A5X7AK41DEbrsRIQ=,tag:ndDgCRyX1aDRnzEUNmpoMw==,type:str]
+    mac: ENC[AES256_GCM,data:ZJVHLbpSu/nIzl5FJfRdg2ymRN5M+zJXNUpi1hBt2MBmvK+1ed2ElhMe5x7pyasSDdaUtXDo7ghkUF7vE46Wo6Z9dvlAvhwWm7Y2AWfUe5SFVwzqlOCjSKRPFrQrL7PcDBtMj4twtwhc4XsfJoUSuigWW2m21BKtEZSuuxLRqLA=,iv:ufFbfMaNHydbkwq6lxN1dQJldkAbtqais/CZFkoDhb4=,tag:uMj0LaiU0obIlw/+HJJdKg==,type:str]
     pgp:
         - created_at: "2023-05-06T21:31:39Z"
           enc: |

users/richarah.nix

@@ -1,19 +0,0 @@
-{ pkgs, ... }:
-{
-  users.users.richarah = {
-    isNormalUser = true;
-    description = "";
-    extraGroups = [
-      "wheel"
-      "drift"
-    ];
-
-    packages = with pkgs; [
-      docker
-    ];
-
-    openssh.authorizedKeys.keys = [
-      ""
-    ];
-  };
-}