WIP: idp theme

Co-authored-by: Jørn Åne <yorinad@pvv.ntnu.no>

.sops.yaml

@@ -7,7 +7,7 @@ keys:
 
   # Hosts
   - &host_jokum age1gp8ye4g2mmw3may5xg0zsy7mm04glfz3788mmdx9cvcsdxs9hg0s0cc9kt
-  - &host_ildkule age1x28hmzvuv6f2n66c0jtqcca3h9rput8d7j5uek6jcpx8n9egd52sqpejq0
+  - &host_ildkule age1hn45n46ypyrvypv0mwfnpt9ddrlmw34dwlpf33n8v67jexr3lucq6ahc9x
   - &host_bekkalokk age12nj59tguy9wg882updc2vjdusx5srnxmjyfaqve4zx6jnnsaw3qsyjq6zd
   - &host_bicep age1sl43gc9cw939z5tgha2lpwf0xxxgcnlw7w4xem4sqgmt2pt264vq0dmwx2
 

base.nix

@@ -3,7 +3,6 @@
 {
   imports = [
     ./users
-    ./modules/snakeoil-certs.nix
   ];
 
   networking.domain = "pvv.ntnu.no";
@@ -59,7 +58,6 @@
     gnupg
     htop
     nano
-    ripgrep
     rsync
     screen
     tmux
@@ -84,50 +82,5 @@
     settings.PermitRootLogin = "yes";
   };
 
-  # nginx return 444 for all nonexistent virtualhosts
 
-  systemd.services.nginx.after = [ "generate-snakeoil-certs.service" ];
-
-  environment.snakeoil-certs = lib.mkIf config.services.nginx.enable {
-    "/etc/certs/nginx" = {
-      owner = "nginx";
-      group = "nginx";
-    };
-  };
-
-  services.nginx = {
-    recommendedTlsSettings = true;
-    recommendedProxySettings = true;
-    recommendedOptimisation = true;
-    recommendedGzipSettings = true;
-
-    appendConfig = ''
-      pcre_jit on;
-      worker_processes auto;
-      worker_rlimit_nofile 100000;
-    '';
-    eventsConfig = ''
-      worker_connections 2048;
-      use epoll;
-      multi_accept on;
-    '';
-  };
-
-  systemd.services.nginx.serviceConfig = lib.mkIf config.services.nginx.enable {
-    LimitNOFILE = 65536;
-  };
-
-  services.nginx.virtualHosts."_" = lib.mkIf config.services.nginx.enable {
-    sslCertificate = "/etc/certs/nginx.crt";
-    sslCertificateKey = "/etc/certs/nginx.key";
-    addSSL = true;
-    extraConfig = "return 444;";
-  };
-
-  networking.firewall.allowedTCPPorts = lib.mkIf config.services.nginx.enable [ 80 443 ];
-
-  security.acme = {
-    acceptTerms = true;
-    defaults.email = "drift@pvv.ntnu.no";
-  };
 }

flake.lock

@@ -7,11 +7,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1715445235,
+        "lastModified": 1710169806,
-        "narHash": "sha256-SUu+oIWn+xqQIOlwfwNfS9Sek4i1HKsrLJchsDReXwA=",
+        "narHash": "sha256-HeWFrRuHpnAiPmIr26OKl2g142HuGerwoO/XtW53pcI=",
         "owner": "nix-community",
         "repo": "disko",
-        "rev": "159d87ea5b95bbdea46f0288a33c5e1570272725",
+        "rev": "fe064a639319ed61cdf12b8f6eded9523abcc498",
         "type": "github"
       },
       "original": {
@@ -20,58 +20,18 @@
         "type": "github"
       }
     },
-    "fix-python": {
-      "inputs": {
-        "flake-utils": "flake-utils",
-        "nixpkgs": [
-          "grzegorz",
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1713887124,
-        "narHash": "sha256-hGTSm0p9xXUYDgsAAr/ORZICo6T6u33vLfX3tILikaQ=",
-        "owner": "GuillaumeDesforges",
-        "repo": "fix-python",
-        "rev": "f7f4b33e22414071fc1f9cbf68072c413c3a7fdf",
-        "type": "github"
-      },
-      "original": {
-        "owner": "GuillaumeDesforges",
-        "repo": "fix-python",
-        "type": "github"
-      }
-    },
-    "flake-utils": {
-      "inputs": {
-        "systems": "systems"
-      },
-      "locked": {
-        "lastModified": 1689068808,
-        "narHash": "sha256-6ixXo3wt24N/melDWjq70UuHQLxGV8jZvooRanIHXw0=",
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "rev": "919d646de7be200f3bf08cb76ae1f09402b6f9b4",
-        "type": "github"
-      },
-      "original": {
-        "id": "flake-utils",
-        "type": "indirect"
-      }
-    },
     "grzegorz": {
       "inputs": {
-        "fix-python": "fix-python",
         "nixpkgs": [
           "nixpkgs-unstable"
         ]
       },
       "locked": {
-        "lastModified": 1715364232,
+        "lastModified": 1696346665,
-        "narHash": "sha256-ZJC3SkanEgbV7p+LFhP+85CviRWOXJNHzZwR/Stb7hE=",
+        "narHash": "sha256-J6Tf6a/zhFZ8SereluHLrvgPsIVm2CGHHA8wrbhZB3Y=",
         "owner": "Programvareverkstedet",
         "repo": "grzegorz",
-        "rev": "3841cda1cdcac470440b06838d56a2eb2256378c",
+        "rev": "9b9c3ac7d408ac7c6d67544b201e6b169afacb03",
         "type": "github"
       },
       "original": {
@@ -87,11 +47,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1715384651,
+        "lastModified": 1693864994,
-        "narHash": "sha256-7RhckgUTjqeCjWkhiCc1iB+5CBx9fl80d/3O4Jh+5kM=",
+        "narHash": "sha256-oLDiWdCKDtEfeGzfAuDTq+n9VWp6JCo67PEESEZ3y8E=",
         "owner": "Programvareverkstedet",
         "repo": "grzegorz-clients",
-        "rev": "738a4f3dd887f7c3612e4e772b83cbfa3cde5693",
+        "rev": "a38a0b0fb31ad0ad78a91458cb2c7f77f686468f",
         "type": "github"
       },
       "original": {
@@ -107,62 +67,41 @@
         ]
       },
       "locked": {
-        "lastModified": 1717234745,
+        "lastModified": 1710311999,
-        "narHash": "sha256-MFyKRdw4WQD6V3vRGbP6MYbtJhZp712zwzjW6YiOBYM=",
+        "narHash": "sha256-s0pT1NyrMgeolUojXXcnXQDymN7m80GTF7itCv0ZH20=",
         "owner": "dali99",
         "repo": "nixos-matrix-modules",
-        "rev": "d7dc42c9bbb155c5e4aa2f0985d0df75ce978456",
+        "rev": "6c9b67974b839740e2a738958512c7a704481157",
         "type": "github"
       },
       "original": {
         "owner": "dali99",
-        "ref": "v0.6.0",
         "repo": "nixos-matrix-modules",
         "type": "github"
       }
     },
-    "nix-gitea-themes": {
-      "inputs": {
-        "nixpkgs": [
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1714416973,
-        "narHash": "sha256-aZUcvXjdETUC6wVQpWDVjLUzwpDAEca8yR0ITDeK39o=",
-        "ref": "refs/heads/main",
-        "rev": "2b23c0ba8aae68d3cb6789f0f6e4891cef26cc6d",
-        "revCount": 6,
-        "type": "git",
-        "url": "https://git.pvv.ntnu.no/oysteikt/nix-gitea-themes.git"
-      },
-      "original": {
-        "type": "git",
-        "url": "https://git.pvv.ntnu.no/oysteikt/nix-gitea-themes.git"
-      }
-    },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1719520878,
+        "lastModified": 1710248792,
-        "narHash": "sha256-5BXzNOl2RVHcfS/oxaZDKOi7gVuTyWPibQG0DHd5sSc=",
+        "narHash": "sha256-yFyWw4na+nJgtXwhHs2SJSy5Lcw94/FcMbBOorlGdfI=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "a44bedbb48c367f0476e6a3a27bf28f6330faf23",
+        "rev": "efbb274f364c918b9937574de879b5874b5833cc",
         "type": "github"
       },
       "original": {
         "id": "nixpkgs",
-        "ref": "nixos-24.05-small",
+        "ref": "nixos-23.11-small",
         "type": "indirect"
       }
     },
     "nixpkgs-stable": {
       "locked": {
-        "lastModified": 1714858427,
+        "lastModified": 1710033658,
-        "narHash": "sha256-tCxeDP4C1pWe2rYY3IIhdA40Ujz32Ufd4tcrHPSKx2M=",
+        "narHash": "sha256-yiZiVKP5Ya813iYLho2+CcFuuHpaqKc/CoxOlANKcqM=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "b980b91038fc4b09067ef97bbe5ad07eecca1e76",
+        "rev": "b17375d3bb7c79ffc52f3538028b2ec06eb79ef8",
         "type": "github"
       },
       "original": {
@@ -174,11 +113,11 @@
     },
     "nixpkgs-unstable": {
       "locked": {
-        "lastModified": 1715435713,
+        "lastModified": 1710247538,
-        "narHash": "sha256-lb2HqDQGfTdnCCpc1pgF6fkdgIOuBQ0nP8jjVSfLFqg=",
+        "narHash": "sha256-Mm3aCwfAdYgG2zKf5SLRBktPH0swXN1yEetAMn05KAA=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "52b40f6c4be12742b1504ca2eb4527e597bf2526",
+        "rev": "21adc4f16a8ab151fec83b9d9368cd62d9de86bc",
         "type": "github"
       },
       "original": {
@@ -207,38 +146,17 @@
         "url": "https://git.pvv.ntnu.no/Projects/calendar-bot.git"
       }
     },
-    "pvv-nettsiden": {
-      "inputs": {
-        "nixpkgs": [
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1718404592,
-        "narHash": "sha256-Ud8pD0mxmbfvwBXKy2q3Yp8r1EofaTcodZtI3fbnfDY=",
-        "ref": "refs/heads/master",
-        "rev": "6e4a79ed3ddae8dfc80eb8af1789985d07bcf297",
-        "revCount": 463,
-        "type": "git",
-        "url": "https://git.pvv.ntnu.no/Projects/nettsiden.git"
-      },
-      "original": {
-        "type": "git",
-        "url": "https://git.pvv.ntnu.no/Projects/nettsiden.git"
-      }
-    },
     "root": {
       "inputs": {
         "disko": "disko",
         "grzegorz": "grzegorz",
         "grzegorz-clients": "grzegorz-clients",
         "matrix-next": "matrix-next",
-        "nix-gitea-themes": "nix-gitea-themes",
         "nixpkgs": "nixpkgs",
         "nixpkgs-unstable": "nixpkgs-unstable",
         "pvv-calendar-bot": "pvv-calendar-bot",
-        "pvv-nettsiden": "pvv-nettsiden",
+        "sops-nix": "sops-nix",
-        "sops-nix": "sops-nix"
+        "ssp-theme": "ssp-theme"
       }
     },
     "sops-nix": {
@@ -249,11 +167,11 @@
         "nixpkgs-stable": "nixpkgs-stable"
       },
       "locked": {
-        "lastModified": 1715244550,
+        "lastModified": 1710195194,
-        "narHash": "sha256-ffOZL3eaZz5Y1nQ9muC36wBCWwS1hSRLhUzlA9hV2oI=",
+        "narHash": "sha256-KFxCJp0T6TJOz1IOKlpRdpsCr9xsvlVuWY/VCiAFnTE=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "0dc50257c00ee3c65fef3a255f6564cfbfe6eb7f",
+        "rev": "e52d8117b330f690382f1d16d81ae43daeb4b880",
         "type": "github"
       },
       "original": {
@@ -262,19 +180,20 @@
         "type": "github"
       }
     },
-    "systems": {
+    "ssp-theme": {
+      "flake": false,
       "locked": {
-        "lastModified": 1681028828,
+        "lastModified": 1509201641,
-        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "narHash": "sha256-naNRyPL6PAsZKW2w1Vt9wrHT9inCL/yAFnvpy4glv+c=",
-        "owner": "nix-systems",
+        "ref": "refs/heads/master",
-        "repo": "default",
+        "rev": "bda4314030be5f81aeaf2fb1927aee582f1194d9",
-        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "revCount": 5,
-        "type": "github"
+        "type": "git",
+        "url": "https://git.pvv.ntnu.no/Drift/ssp-theme.git"
       },
       "original": {
-        "owner": "nix-systems",
+        "type": "git",
-        "repo": "default",
+        "url": "https://git.pvv.ntnu.no/Drift/ssp-theme.git"
-        "type": "github"
       }
     }
   },

flake.nix

@@ -2,7 +2,7 @@
   description = "PVV System flake";
 
   inputs = {
-    nixpkgs.url = "nixpkgs/nixos-24.05-small";
+    nixpkgs.url = "nixpkgs/nixos-23.11-small";
     nixpkgs-unstable.url = "nixpkgs/nixos-unstable-small";
 
     sops-nix.url = "github:Mic92/sops-nix";
@@ -11,25 +11,22 @@
     disko.url = "github:nix-community/disko";
     disko.inputs.nixpkgs.follows = "nixpkgs";
 
-    pvv-nettsiden.url = "git+https://git.pvv.ntnu.no/Projects/nettsiden.git";
-    pvv-nettsiden.inputs.nixpkgs.follows = "nixpkgs";
-
     pvv-calendar-bot.url = "git+https://git.pvv.ntnu.no/Projects/calendar-bot.git";
     pvv-calendar-bot.inputs.nixpkgs.follows = "nixpkgs";
 
-    matrix-next.url = "github:dali99/nixos-matrix-modules/v0.6.0";
+    matrix-next.url = "github:dali99/nixos-matrix-modules";
     matrix-next.inputs.nixpkgs.follows = "nixpkgs";
 
-    nix-gitea-themes.url = "git+https://git.pvv.ntnu.no/oysteikt/nix-gitea-themes.git";
-    nix-gitea-themes.inputs.nixpkgs.follows = "nixpkgs";
-
     grzegorz.url = "github:Programvareverkstedet/grzegorz";
     grzegorz.inputs.nixpkgs.follows = "nixpkgs-unstable";
     grzegorz-clients.url = "github:Programvareverkstedet/grzegorz-clients";
     grzegorz-clients.inputs.nixpkgs.follows = "nixpkgs";
+
+    ssp-theme.url = "git+https://git.pvv.ntnu.no/Drift/ssp-theme.git";
+    ssp-theme.flake = false;
   };
 
-  outputs = { self, nixpkgs, nixpkgs-unstable, sops-nix, disko, ... }@inputs:
+  outputs = { self, nixpkgs, nixpkgs-unstable, sops-nix, disko, ssp-theme, ... }@inputs:
   let
     nixlib = nixpkgs.lib;
     systems = [
@@ -48,7 +45,6 @@
     ];
   in {
     nixosConfigurations = let
-      unstablePkgs = nixpkgs-unstable.legacyPackages.x86_64-linux;
       nixosConfig = nixpkgs: name: config: nixpkgs.lib.nixosSystem (nixpkgs.lib.recursiveUpdate
         rec {
           system = "x86_64-linux";
@@ -64,9 +60,7 @@
 
           pkgs = import nixpkgs {
             inherit system;
-            overlays = [
+            overlays = [ ] ++ config.overlays or [ ];
-              # Global overlays go here
-            ] ++ config.overlays or [ ];
           };
         }
         (removeAttrs config [ "modules" "overlays" ])
@@ -87,16 +81,16 @@
       bekkalokk = stableNixosConfig "bekkalokk" {
         overlays = [
           (final: prev: {
-            heimdal = unstablePkgs.heimdal;
+            heimdal = final.callPackage ./packages/heimdal {
+              inherit (final.darwin.apple_sdk.frameworks) CoreFoundation Security SystemConfiguration;
+              autoreconfHook = final.buildPackages.autoreconfHook269;
+	    };
             mediawiki-extensions = final.callPackage ./packages/mediawiki-extensions { };
             simplesamlphp = final.callPackage ./packages/simplesamlphp { };
+	    ssp-theme = final.runCommandLocal "ssp-theme" { } ''
+	      ln -s ${ssp-theme} $out
+	    '';
           })
-          inputs.nix-gitea-themes.overlays.default
-          inputs.pvv-nettsiden.overlays.default
-        ];
-        modules = [
-          inputs.nix-gitea-themes.nixosModules.default
-          inputs.pvv-nettsiden.nixosModules.default
         ];
       };
       bob = stableNixosConfig "bob" {
@@ -131,22 +125,29 @@
     packages = {
       "x86_64-linux" = let
         pkgs = nixpkgs.legacyPackages."x86_64-linux";
-      in rec {
+      in {
-        default = important-machines;
+        default = self.packages.x86_64-linux.important-machines;
         important-machines = pkgs.linkFarm "important-machines"
           (nixlib.getAttrs importantMachines self.packages.x86_64-linux);
         all-machines = pkgs.linkFarm "all-machines"
           (nixlib.getAttrs allMachines self.packages.x86_64-linux);
 
+        #######################
+        # TODO: remove this once nixos 24.05 gets released
+        #######################
+        heimdal = pkgs.callPackage ./packages/heimdal {
+          inherit (pkgs.darwin.apple_sdk.frameworks) CoreFoundation Security SystemConfiguration;
+          autoreconfHook = pkgs.buildPackages.autoreconfHook269;
+	};
+
         simplesamlphp = pkgs.callPackage ./packages/simplesamlphp { };
 
-      } //
+        mediawiki-extensions = pkgs.callPackage ./packages/mediawiki-extensions { };
-      (nixlib.pipe null [
+
-        (_: pkgs.callPackage ./packages/mediawiki-extensions { })
+	ssp-theme = pkgs.runCommandLocal "ssp-theme" { } ''
-        (nixlib.flip builtins.removeAttrs ["override" "overrideDerivation"])
+	  ln -s ${ssp-theme} $out
-        (nixlib.mapAttrs' (name: nixlib.nameValuePair "mediawiki-${name}"))
+	'';
-      ])
+      } // nixlib.genAttrs allMachines
-      // nixlib.genAttrs allMachines
         (machine: self.nixosConfigurations.${machine}.config.system.build.toplevel);
     };
   };

hosts/bekkalokk/configuration.nix

@@ -6,14 +6,16 @@
     ../../base.nix
     ../../misc/metrics-exporters.nix
 
+    #./services/keycloak.nix
+
+    # TODO: set up authentication for the following:
+    # ./services/website.nix
+    ./services/nginx
     ./services/gitea/default.nix
-    ./services/idp-simplesamlphp
     ./services/kerberos
-    ./services/mediawiki
-    ./services/nginx.nix
-    ./services/vaultwarden.nix
     ./services/webmail
-    ./services/website
+    ./services/mediawiki
+    ./services/idp-simplesamlphp
   ];
 
   sops.defaultSopsFile = ../../secrets/bekkalokk/bekkalokk.yaml;
@@ -24,6 +26,8 @@
   boot.loader.systemd-boot.enable = true;
   boot.loader.efi.canTouchEfiVariables = true;
 
+  virtualisation.podman.enable = true;
+
   networking.hostName = "bekkalokk";
 
   systemd.network.networks."30-enp2s0" = values.defaultNetworkConfig // {

hosts/bekkalokk/services/gitea/ci.nix

@@ -27,5 +27,4 @@ lib.mkMerge [
   (mkRunner "alpha")
   (mkRunner "beta")
   (mkRunner "epsilon")
-  { virtualisation.podman.enable = true; }
 ]

hosts/bekkalokk/services/gitea/default.nix

@@ -1,4 +1,4 @@
-{ config, values, pkgs, lib, ... }:
+{ config, values, pkgs, ... }:
 let
   cfg = config.services.gitea;
   domain = "git.pvv.ntnu.no";
@@ -6,7 +6,6 @@ let
 in {
   imports = [
     ./ci.nix
-    ./import-users.nix
   ];
 
   sops.secrets = {
@@ -14,27 +13,24 @@ in {
       owner = "gitea";
       group = "gitea";
     };
-    "gitea/email-password" = {
+    "gitea/passwd-ssh-key" = { };
-      owner = "gitea";
+    "gitea/ssh-known-hosts" = { };
-      group = "gitea";
+    "gitea/import-user-env" = { };
-    };
   };
 
   services.gitea = {
     enable = true;
+    stateDir = "/data/gitea";
     appName = "PVV Git";
 
     database = {
       type = "postgres";
       host = "postgres.pvv.ntnu.no";
-      port = config.services.postgresql.settings.port;
+      port = config.services.postgresql.port;
       passwordFile = config.sops.secrets."gitea/database".path;
       createDatabase = false;
     };
 
-    mailerPasswordFile = config.sops.secrets."gitea/email-password".path;
-
-    # https://docs.gitea.com/administration/config-cheat-sheet
     settings = {
       server = {
         DOMAIN   = domain;
@@ -42,56 +38,11 @@ in {
         PROTOCOL = "http+unix";
         SSH_PORT = sshPort;
 	      START_SSH_SERVER = true;
-        START_LFS_SERVER = true;
-        LANDING_PAGE = "explore";
-      };
-      mailer = {
-        ENABLED = true;
-        FROM = "gitea@pvv.ntnu.no";
-        PROTOCOL = "smtp";
-        SMTP_ADDR = "smtp.pvv.ntnu.no";
-        SMTP_PORT = 587;
-        USER = "gitea@pvv.ntnu.no";
-        SUBJECT_PREFIX = "[pvv-git]";
       };
       indexer.REPO_INDEXER_ENABLED = true;
-      service = {
+      service.DISABLE_REGISTRATION = true;
-        DISABLE_REGISTRATION = true;
-        ENABLE_NOTIFY_MAIL = true;
-      };
-      admin.DEFAULT_EMAIL_NOTIFICATIONS = "onmention";
       session.COOKIE_SECURE = true;
       database.LOG_SQL = false;
-      repository = {
-        PREFERRED_LICENSES = lib.concatStringsSep "," [
-          "AGPL-3.0-only"
-          "AGPL-3.0-or-later"
-          "Apache-2.0"
-          "BSD-3-Clause"
-          "CC-BY-4.0"
-          "CC-BY-NC-4.0"
-          "CC-BY-NC-ND-4.0"
-          "CC-BY-NC-SA-4.0"
-          "CC-BY-ND-4.0"
-          "CC-BY-SA-4.0"
-          "CC0-1.0"
-          "GPL-2.0-only"
-          "GPL-3.0-only"
-          "GPL-3.0-or-later"
-          "LGPL-3.0-linking-exception"
-          "LGPL-3.0-only"
-          "LGPL-3.0-or-later"
-          "MIT"
-          "MPL-2.0"
-          "Unlicense"
-        ];
-        DEFAULT_REPO_UNITS = lib.concatStringsSep "," [
-          "repo.code"
-          "repo.issues"
-          "repo.pulls"
-          "repo.releases"
-        ];
-      };
       picture = {
         DISABLE_GRAVATAR = true;
         ENABLE_FEDERATED_AVATAR = false;
@@ -106,9 +57,9 @@ in {
   services.nginx.virtualHosts."${domain}" = {
     forceSSL = true;
     enableACME = true;
-    kTLS = true;
     locations."/" = {
       proxyPass = "http://unix:${cfg.settings.server.HTTP_ADDR}";
+      recommendedProxySettings = true;
       extraConfig = ''
         client_max_body_size 512M;
       '';
@@ -117,28 +68,38 @@ in {
 
   networking.firewall.allowedTCPPorts = [ sshPort ];
 
-  # Extra customization
+  # Automatically import users
-
+  systemd.services.gitea-import-users = {
-  services.gitea-themes.monokai = pkgs.gitea-theme-monokai;
+    enable = true;
-
+    preStart=''${pkgs.rsync}/bin/rsync -e "${pkgs.openssh}/bin/ssh -o UserKnownHostsFile=$CREDENTIALS_DIRECTORY/ssh-known-hosts -i $CREDENTIALS_DIRECTORY/sshkey" -a pvv@smtp.pvv.ntnu.no:/etc/passwd /tmp/passwd-import'';
-  systemd.services.install-gitea-customization = {
-    description = "Install extra customization in gitea's CUSTOM_DIR";
-    wantedBy = [ "gitea.service" ];
-    requiredBy = [ "gitea.service" ];
-
     serviceConfig = {
-      Type = "oneshot";
+      ExecStart = pkgs.writers.writePython3 "gitea-import-users" { libraries = [ pkgs.python3Packages.requests ]; } (builtins.readFile ./gitea-import-users.py);
-      User = cfg.user;
+      LoadCredential=[
-      Group = cfg.group;
+        "sshkey:${config.sops.secrets."gitea/passwd-ssh-key".path}"
+        "ssh-known-hosts:${config.sops.secrets."gitea/ssh-known-hosts".path}"
+      ];
+      DynamicUser="yes";
+      EnvironmentFile=config.sops.secrets."gitea/import-user-env".path;
+    };
   };
 
-    script = let
+  systemd.timers.gitea-import-users = {
+    requires = [ "gitea.service" ];
+    after = [ "gitea.service" ];
+    wantedBy = [ "timers.target" ];
+    timerConfig = {
+      OnCalendar = "*-*-* 02:00:00";
+      Persistent = true;
+      Unit = "gitea-import-users.service";
+    };
+  };
+
+  system.activationScripts.linkGiteaLogo.text = let
     logo-svg = ../../../../assets/logo_blue_regular.svg;
     logo-png = ../../../../assets/logo_blue_regular.png;
   in ''
-      install -Dm444 ${logo-svg} ${cfg.customDir}/public/assets/img/logo.svg
+    install -Dm444 ${logo-svg} ${cfg.stateDir}/custom/public/img/logo.svg
-      install -Dm444 ${logo-png} ${cfg.customDir}/public/assets/img/logo.png
+    install -Dm444 ${logo-png} ${cfg.stateDir}/custom/public/img/logo.png
-      install -Dm444 ${./loading.apng} ${cfg.customDir}/public/assets/img/loading.png
+    install -Dm444 ${./loading.apng} ${cfg.stateDir}/custom/public/img/loading.png
   '';
-  };
 }

hosts/bekkalokk/services/gitea/import-users.nix

@@ -1,38 +0,0 @@
-{ config, pkgs, lib, ... }:
-let
-  cfg = config.services.gitea;
-in
-{
-  sops.secrets = {
-    "gitea/passwd-ssh-key" = { };
-    "gitea/ssh-known-hosts" = { };
-    "gitea/import-user-env" = { };
-  };
-
-  systemd.services.gitea-import-users = lib.mkIf cfg.enable {
-    enable = true;
-    preStart=''${pkgs.rsync}/bin/rsync -e "${pkgs.openssh}/bin/ssh -o UserKnownHostsFile=$CREDENTIALS_DIRECTORY/ssh-known-hosts -i $CREDENTIALS_DIRECTORY/sshkey" -a pvv@smtp.pvv.ntnu.no:/etc/passwd /tmp/passwd-import'';
-    serviceConfig = {
-      ExecStart = pkgs.writers.writePython3 "gitea-import-users" {
-        libraries = with pkgs.python3Packages; [ requests ];
-      } (builtins.readFile ./gitea-import-users.py);
-      LoadCredential=[
-        "sshkey:${config.sops.secrets."gitea/passwd-ssh-key".path}"
-        "ssh-known-hosts:${config.sops.secrets."gitea/ssh-known-hosts".path}"
-      ];
-      DynamicUser="yes";
-      EnvironmentFile=config.sops.secrets."gitea/import-user-env".path;
-    };
-  };
-
-  systemd.timers.gitea-import-users = lib.mkIf cfg.enable {
-    requires = [ "gitea.service" ];
-    after = [ "gitea.service" ];
-    wantedBy = [ "timers.target" ];
-    timerConfig = {
-      OnCalendar = "*-*-* 02:00:00";
-      Persistent = true;
-      Unit = "gitea-import-users.service";
-    };
-  };
-}

hosts/bekkalokk/services/idp-simplesamlphp/config.php

@@ -556,6 +556,7 @@ $config = [
     'module.enable' => [
         'admin' => true,
 	'authpwauth' => true,
+	'themepvv' => true,
     ],
 
 
@@ -858,7 +859,7 @@ $config = [
     /*
      * Which theme directory should be used?
      */
-    'theme.use' => 'default',
+    'theme.use' => 'themepvv:pvv',
 
     /*
      * Set this option to the text you would like to appear at the header of each page. Set to false if you don't want

hosts/bekkalokk/services/idp-simplesamlphp/default.nix

@@ -11,8 +11,7 @@ let
         read -r _
         exit 2
       fi
-      kinit --password-file=STDIN "''${user1}@PVV.NTNU.NO" >/dev/null 2>/dev/null
+      kinit --password-file=STDIN "''${user1}@PVV.NTNU.NO"
-      kdestroy >/dev/null 2>/dev/null
     '';
   };
 
@@ -22,7 +21,7 @@ let
       # openssl req -newkey rsa:4096 -new -x509 -days 365 -nodes -out idp.crt -keyout idp.pem
       "metadata/saml20-idp-hosted.php" = pkgs.writeText "saml20-idp-remote.php" ''
         <?php
-	  $metadata['https://idp.pvv.ntnu.no/'] = array(
+	  $metadata['https://idp2.pvv.ntnu.no/'] = array(
 	    'host' => '__DEFAULT__',
 	    'privatekey' => '${config.sops.secrets."idp/privatekey".path}',
 	    'certificate' => '${./idp.crt}',
@@ -84,19 +83,21 @@ let
         cp ${./config.php} "$out"
 
         substituteInPlace "$out" \
-          --replace-warn '$SAML_COOKIE_SECURE' 'true' \
+          --replace '$SAML_COOKIE_SECURE' 'true' \
-          --replace-warn '$SAML_COOKIE_SALT' 'file_get_contents("${config.sops.secrets."idp/cookie_salt".path}")' \
+          --replace '$SAML_COOKIE_SALT' 'file_get_contents("${config.sops.secrets."idp/cookie_salt".path}")' \
-          --replace-warn '$SAML_ADMIN_NAME' '"Drift"' \
+          --replace '$SAML_ADMIN_NAME' '"Drift"' \
-          --replace-warn '$SAML_ADMIN_EMAIL' '"drift@pvv.ntnu.no"' \
+          --replace '$SAML_ADMIN_EMAIL' '"drift@pvv.ntnu.no"' \
-          --replace-warn '$SAML_ADMIN_PASSWORD' 'file_get_contents("${config.sops.secrets."idp/admin_password".path}")' \
+          --replace '$SAML_ADMIN_PASSWORD' 'file_get_contents("${config.sops.secrets."idp/admin_password".path}")' \
-          --replace-warn '$SAML_TRUSTED_DOMAINS' 'array( "idp.pvv.ntnu.no" )' \
+          --replace '$SAML_TRUSTED_DOMAINS' 'array( "idp2.pvv.ntnu.no" )' \
-          --replace-warn '$SAML_DATABASE_DSN' '"pgsql:host=postgres.pvv.ntnu.no;port=5432;dbname=idp"' \
+          --replace '$SAML_DATABASE_DSN' '"pgsql:host=postgres.pvv.ntnu.no;port=5432;dbname=idp"' \
-          --replace-warn '$SAML_DATABASE_USERNAME' '"idp"' \
+          --replace '$SAML_DATABASE_USERNAME' '"idp"' \
-          --replace-warn '$SAML_DATABASE_PASSWORD' 'file_get_contents("${config.sops.secrets."idp/postgres_password".path}")' \
+          --replace '$SAML_DATABASE_PASSWORD' 'file_get_contents("${config.sops.secrets."idp/postgres_password".path}")' \
-          --replace-warn '$CACHE_DIRECTORY' '/var/cache/idp'
+          --replace '$CACHE_DIRECTORY' '/var/cache/idp'
       '';
 
       "modules/authpwauth/src/Auth/Source/PwAuth.php" = ./authpwauth.php;
+      
+      "modules/themepvv" = pkgs.ssp-theme;
     };
   };
 in
@@ -177,10 +178,9 @@ in
       };
     };
 
-    services.nginx.virtualHosts."idp.pvv.ntnu.no" = {
+    services.nginx.virtualHosts."idp2.pvv.ntnu.no" = {
       forceSSL = true;
       enableACME = true;
-      kTLS = true;
       root = "${package}/share/php/simplesamlphp/public";
       locations =  {
         # based on https://simplesamlphp.org/docs/stable/simplesamlphp-install.html#configuring-nginx
@@ -198,10 +198,6 @@ in
             }
           '';
         };
-        "^~ /simplesaml/".extraConfig = ''
-	  rewrite ^/simplesaml/(.*)$ /$1 redirect;
-	  return 404;
-	'';
       };
     };
   };

hosts/bekkalokk/services/idp-simplesamlphp/metadata.php.nix

@@ -1,18 +1,18 @@
 ''
   <?php
-  $metadata['https://idp.pvv.ntnu.no/'] = [
+  $metadata['https://idp2.pvv.ntnu.no/'] = [
       'metadata-set' => 'saml20-idp-hosted',
-      'entityid' => 'https://idp.pvv.ntnu.no/',
+      'entityid' => 'https://idp2.pvv.ntnu.no/',
       'SingleSignOnService' => [
           [
               'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
-              'Location' => 'https://idp.pvv.ntnu.no/module.php/saml/idp/singleSignOnService',
+              'Location' => 'https://idp2.pvv.ntnu.no/module.php/saml/idp/singleSignOnService',
           ],
       ],
       'SingleLogoutService' => [
           [
               'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
-              'Location' => 'https://idp.pvv.ntnu.no/module.php/saml/idp/singleLogout',
+              'Location' => 'https://idp2.pvv.ntnu.no/module.php/saml/idp/singleLogout',
           ],
       ],
       'NameIDFormat' => [ 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient' ],

hosts/bekkalokk/services/kerberos/default.nix

@@ -1,5 +1,18 @@
 { config, pkgs, lib, ... }:
 {
+  #######################
+  # TODO: remove these once nixos 24.05 gets released
+  #######################
+  imports = [
+    ./krb5.nix
+    ./pam.nix
+  ];
+  disabledModules = [
+    "config/krb5/default.nix"
+    "security/pam.nix"
+  ];
+  #######################
+
   security.krb5 = {
     enable = true;
     settings = {

hosts/bekkalokk/services/keycloak.nix

@@ -0,0 +1,24 @@
+{ pkgs, config, values, ... }:
+{
+  sops.secrets."keys/postgres/keycloak" = {
+    owner = "keycloak";
+    group = "keycloak";
+    restartUnits = [ "keycloak.service" ];
+  };
+
+  services.keycloak = {
+    enable = true;
+
+    settings = {
+      hostname = "auth.pvv.ntnu.no";
+      # hostname-strict-backchannel = true;
+    };
+
+    database = {
+      host = values.hosts.bicep.ipv4;
+      createLocally = false;
+      passwordFile = config.sops.secrets."keys/postgres/keycloak".path;
+      caCert = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
+    };
+  };
+}

hosts/bekkalokk/services/mediawiki/default.nix

@@ -17,36 +17,44 @@
         cp ${./simplesaml-config.php} "$out"
 
         substituteInPlace "$out" \
-          --replace-warn '$SAML_COOKIE_SECURE' 'true' \
+          --replace '$SAML_COOKIE_SECURE' 'true' \
-          --replace-warn '$SAML_COOKIE_SALT' 'file_get_contents("${config.sops.secrets."mediawiki/simplesamlphp/cookie_salt".path}")' \
+          --replace '$SAML_COOKIE_SALT' 'file_get_contents("${config.sops.secrets."mediawiki/simplesamlphp/cookie_salt".path}")' \
-          --replace-warn '$SAML_ADMIN_NAME' '"Drift"' \
+          --replace '$SAML_ADMIN_NAME' '"Drift"' \
-          --replace-warn '$SAML_ADMIN_EMAIL' '"drift@pvv.ntnu.no"' \
+          --replace '$SAML_ADMIN_EMAIL' '"drift@pvv.ntnu.no"' \
-          --replace-warn '$SAML_ADMIN_PASSWORD' 'file_get_contents("${config.sops.secrets."mediawiki/simplesamlphp/admin_password".path}")' \
+          --replace '$SAML_ADMIN_PASSWORD' 'file_get_contents("${config.sops.secrets."mediawiki/simplesamlphp/admin_password".path}")' \
-          --replace-warn '$SAML_TRUSTED_DOMAINS' 'array( "wiki.pvv.ntnu.no" )' \
+          --replace '$SAML_TRUSTED_DOMAINS' 'array( "wiki2.pvv.ntnu.no" )' \
-          --replace-warn '$SAML_DATABASE_DSN' '"pgsql:host=postgres.pvv.ntnu.no;port=5432;dbname=mediawiki_simplesamlphp"' \
+          --replace '$SAML_DATABASE_DSN' '"pgsql:host=postgres.pvv.ntnu.no;port=5432;dbname=mediawiki_simplesamlphp"' \
-          --replace-warn '$SAML_DATABASE_USERNAME' '"mediawiki_simplesamlphp"' \
+          --replace '$SAML_DATABASE_USERNAME' '"mediawiki_simplesamlphp"' \
-          --replace-warn '$SAML_DATABASE_PASSWORD' 'file_get_contents("${config.sops.secrets."mediawiki/simplesamlphp/postgres_password".path}")' \
+          --replace '$SAML_DATABASE_PASSWORD' 'file_get_contents("${config.sops.secrets."mediawiki/simplesamlphp/postgres_password".path}")' \
-          --replace-warn '$CACHE_DIRECTORY' '/var/cache/mediawiki/idp'
+          --replace '$CACHE_DIRECTORY' '/var/cache/mediawiki/idp'
       '';
     };
   };
 in {
-  services.idp.sp-remote-metadata = [ "https://wiki.pvv.ntnu.no/simplesaml/" ];
+  services.idp.sp-remote-metadata = [ "https://wiki2.pvv.ntnu.no/simplesaml/" ];
 
-  sops.secrets = lib.pipe [
+  sops.secrets = {
-    "mediawiki/password"
+    "mediawiki/password" = {
-    "mediawiki/postgres_password"
-    "mediawiki/simplesamlphp/postgres_password"
-    "mediawiki/simplesamlphp/cookie_salt"
-    "mediawiki/simplesamlphp/admin_password"
-  ] [
-    (map (key: lib.nameValuePair key {
       owner = user;
       group = group;
-      restartUnits = [ "phpfpm-mediawiki.service" ];
+    };
-    }))
+    "mediawiki/postgres_password" = {
-    lib.listToAttrs
+      owner = user;
-  ];
+      group = group;
+    };
+    "mediawiki/simplesamlphp/postgres_password" = {
+      owner = user;
+      group = group;
+    };
+    "mediawiki/simplesamlphp/cookie_salt" = {
+      owner = user;
+      group = group;
+    };
+    "mediawiki/simplesamlphp/admin_password" = {
+      owner = user;
+      group = group;
+    };
+  };
 
   services.mediawiki = {
     enable = true;
@@ -65,10 +73,12 @@ in {
       name = "mediawiki";
     };
 
-    webserver = "nginx";
+    # Host through nginx
-    nginx.hostName = "wiki.pvv.ntnu.no";
+    webserver = "none";
-
+    poolConfig = let
-    poolConfig = {
+      listenUser = config.services.nginx.user;
+      listenGroup = config.services.nginx.group;
+    in {
       inherit user group;
       "pm" = "dynamic";
       "pm.max_children" = 32;
@@ -76,6 +86,8 @@ in {
       "pm.start_servers" = 2;
       "pm.min_spare_servers" = 2;
       "pm.max_spare_servers" = 4;
+      "listen.owner" = listenUser;
+      "listen.group" = listenGroup;
 
       "catch_workers_output" = true;
       "php_admin_flag[log_errors]" = true;
@@ -86,24 +98,11 @@ in {
     };
 
     extensions = {
-      inherit (pkgs.mediawiki-extensions)
+      inherit (pkgs.mediawiki-extensions) DeleteBatch UserMerge PluggableAuth SimpleSAMLphp;
-        CodeEditor
-        CodeMirror
-        DeleteBatch
-        PluggableAuth
-        Popups
-        Scribunto
-        SimpleSAMLphp
-        TemplateData
-        TemplateStyles
-        UserMerge
-        VisualEditor
-        WikiEditor
-        ;
     };
 
     extraConfig = ''
-      $wgServer = "https://wiki.pvv.ntnu.no";
+      $wgServer = "https://wiki2.pvv.ntnu.no";
       $wgLocaltimezone = "Europe/Oslo";
 
       # Only allow login through SSO
@@ -118,7 +117,9 @@ in {
       $wgGroupPermissions['*']['edit'] = false;
       $wgGroupPermissions['*']['read'] = true;
 
-      # Allow subdirectories in article URLs
+      # Misc. URL rules
+      $wgUsePathInfo = true;
+      $wgScriptExtension = ".php";
       $wgNamespacesWithSubpages[NS_MAIN] = true;
 
       # Styling
@@ -126,6 +127,7 @@ in {
         "2x" => "/PNG/PVV-logo.png",
         "icon" => "/PNG/PVV-logo.svg",
       );
+      # wfLoadSkin('Timeless');
       $wgDefaultSkin = "vector-2022";
       # from https://github.com/wikimedia/mediawiki-skins-Vector/blob/master/skin.json
       $wgVectorDefaultSidebarVisibleForAnonymousUser = true;
@@ -133,27 +135,13 @@ in {
 
       # Misc
       $wgEmergencyContact = "${cfg.passwordSender}";
+      $wgShowIPinHeader = false;
       $wgUseTeX = false;
       $wgLocalInterwiki = $wgSitename;
-      # Fix https://github.com/NixOS/nixpkgs/issues/183097
-      $wgDBserver = "${toString cfg.database.host}";
-      $wgAllowCopyUploads = true;
 
-      # Misc program paths
+      # SimpleSAML
-      $wgFFmpegLocation = '${pkgs.ffmpeg}/bin/ffmpeg';
-      $wgExiftool = '${pkgs.exiftool}/bin/exiftool';
-      $wgExiv2Command = '${pkgs.exiv2}/bin/exiv2';
-      # See https://gist.github.com/sergejmueller/088dce028b6dd120a16e
-      $wgJpegTran = '${pkgs.mozjpeg}/bin/jpegtran';
-      $wgGitBin = '${pkgs.git}/bin/git';
-
-      # Debugging
-      $wgShowExceptionDetails = false;
-      $wgShowIPinHeader = false;
-
-      # EXT:{SimpleSAML,PluggableAuth}
       $wgSimpleSAMLphp_InstallDir = "${simplesamlphp}/share/php/simplesamlphp/";
-      $wgPluggableAuth_Config['Log in using SAML'] = [
+      $wgPluggableAuth_Config['Log in using my SAML'] = [
         'plugin' => 'SimpleSAMLphp',
         'data' => [
           'authSourceId' => 'default-sp',
@@ -163,12 +151,8 @@ in {
         ]
       ];
 
-      # EXT:Scribunto
+      # Fix https://github.com/NixOS/nixpkgs/issues/183097
-      $wgScribuntoDefaultEngine = 'luastandalone';
+      $wgDBserver = "${toString cfg.database.host}";
-      $wgScribuntoEngineConf['luastandalone']['luaPath'] = '${pkgs.lua}/bin';
-
-      # EXT:WikiEditor
-      $wgWikiEditorRealtimePreview = true;
     '';
   };
 
@@ -180,15 +164,56 @@ in {
     mode = "0770";
   };
 
+  # Override because of https://github.com/NixOS/nixpkgs/issues/183097
+  systemd.services.mediawiki-init.script = let
+    # According to module
+    stateDir = "/var/lib/mediawiki";
+    pkg = cfg.finalPackage;
+    mediawikiConfig = config.services.phpfpm.pools.mediawiki.phpEnv.MEDIAWIKI_CONFIG;
+    inherit (lib) optionalString mkForce;
+  in mkForce ''
+    if ! test -e "${stateDir}/secret.key"; then
+      tr -dc A-Za-z0-9 </dev/urandom 2>/dev/null | head -c 64 > ${stateDir}/secret.key
+    fi
+
+    echo "exit( wfGetDB( DB_MASTER )->tableExists( 'user' ) ? 1 : 0 );" | \
+    ${pkgs.php}/bin/php ${pkg}/share/mediawiki/maintenance/eval.php --conf ${mediawikiConfig} && \
+    ${pkgs.php}/bin/php ${pkg}/share/mediawiki/maintenance/install.php \
+      --confpath /tmp \
+      --scriptpath / \
+      --dbserver "${cfg.database.host}" \
+      --dbport ${toString cfg.database.port} \
+      --dbname ${cfg.database.name} \
+      ${optionalString (cfg.database.tablePrefix != null) "--dbprefix ${cfg.database.tablePrefix}"} \
+      --dbuser ${cfg.database.user} \
+      ${optionalString (cfg.database.passwordFile != null) "--dbpassfile ${cfg.database.passwordFile}"} \
+      --passfile ${cfg.passwordFile} \
+      --dbtype ${cfg.database.type} \
+      ${cfg.name} \
+      admin
+
+    ${pkgs.php}/bin/php ${pkg}/share/mediawiki/maintenance/update.php --conf ${mediawikiConfig} --quick
+  '';
+
   users.groups.mediawiki.members = [ "nginx" ];
 
-  services.nginx.virtualHosts."wiki.pvv.ntnu.no" = {
+  services.nginx.virtualHosts."wiki2.pvv.ntnu.no" = {
-    kTLS = true;
     forceSSL = true;
     enableACME = true;
+    root = "${config.services.mediawiki.finalPackage}/share/mediawiki";
     locations =  {
-      "= /wiki/Main_Page" = lib.mkForce {
+      "/" = {
-        return = "301 /wiki/Programvareverkstedet";
+	index = "index.php";
+      };
+
+      "~ /(.+\\.php)" = {
+        extraConfig = ''
+          fastcgi_split_path_info ^(.+\.php)(/.+)$;
+          fastcgi_index index.php;
+          fastcgi_pass unix:${config.services.phpfpm.pools.mediawiki.socket};
+          include ${pkgs.nginx}/conf/fastcgi_params;
+          include ${pkgs.nginx}/conf/fastcgi.conf;
+        '';
       };
 
       # based on https://simplesamlphp.org/docs/stable/simplesamlphp-install.html#configuring-nginx
@@ -210,6 +235,8 @@ in {
         '';
       };
 
+      "/images/".alias = "${config.services.mediawiki.uploadsDir}/";
+
       "= /PNG/PVV-logo.svg".alias = ../../../../assets/logo_blue_regular.svg;
       "= /PNG/PVV-logo.png".alias = ../../../../assets/logo_blue_regular.png;
       "= /favicon.ico".alias = pkgs.runCommandLocal "mediawiki-favicon.ico" {
@@ -226,6 +253,5 @@ in {
 	  $out
       '';
     };
-
   };
 }

hosts/bekkalokk/services/mediawiki/simplesaml-authsources.php

@@ -5,7 +5,7 @@ $config = array(
     ),
     'default-sp' => array(
         'saml:SP',
-        'entityID' => 'https://wiki.pvv.ntnu.no/simplesaml/',
+        'entityID' => 'https://wiki2.pvv.ntnu.no/simplesaml/',
-        'idp' => 'https://idp.pvv.ntnu.no/',
+        'idp' => 'https://idp2.pvv.ntnu.no/',
     ),
 );

hosts/bekkalokk/services/nginx.nix

@@ -1,4 +0,0 @@
-{ pkgs, config, ... }:
-{
-  services.nginx.enable = true;
-}

hosts/bekkalokk/services/nginx/default.nix

@@ -0,0 +1,28 @@
+{ pkgs, config, ... }:
+{
+  imports = [
+    ./ingress.nix
+  ];
+
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = "drift@pvv.ntnu.no";
+  };
+
+  services.nginx = {
+    enable = true;
+
+    recommendedTlsSettings = true;
+    recommendedProxySettings = true;
+    recommendedOptimisation = true;
+    recommendedGzipSettings = true;
+
+    virtualHosts."bekkalokk.pvv.ntnu.no" = {
+      enableACME = true;
+      forceSSL = true;
+      locations."/".return = "301 $scheme://git.pvv.ntnu.no$request_uri";
+    };
+  };
+
+  networking.firewall.allowedTCPPorts = [ 80 443 ];
+}

hosts/bekkalokk/services/nginx/ingress.nix

@@ -0,0 +1,55 @@
+{ config, lib, ... }:
+{
+  services.nginx.virtualHosts = {
+    "www2.pvv.ntnu.no" = {
+      serverAliases = [ "www2.pvv.org" "pvv.ntnu.no" "pvv.org" ];
+      addSSL = true;
+      enableACME = true;
+
+      locations = {
+        # Proxy home directories
+        "/~" = {
+          extraConfig = ''
+            proxy_redirect off;
+            proxy_pass https://tom.pvv.ntnu.no;
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+          '';
+        };
+
+        # Redirect old wiki entries
+        "/disk".return = "301 https://www.pvv.ntnu.no/pvv/Diskkjøp";
+        "/dok/boker.php".return = "301 https://www.pvv.ntnu.no/pvv/Bokhyllen";
+        "/styret/lover/".return = "301 https://www.pvv.ntnu.no/pvv/Lover";
+        "/styret/".return = "301 https://www.pvv.ntnu.no/pvv/Styret";
+        "/info/".return = "301 https://www.pvv.ntnu.no/pvv/";
+        "/info/maskinpark/".return = "301 https://www.pvv.ntnu.no/pvv/Maskiner";
+        "/medlemssider/meldinn.php".return = "301 https://www.pvv.ntnu.no/pvv/Medlemskontingent";
+        "/diverse/medlems-sider.php".return = "301 https://www.pvv.ntnu.no/pvv/Medlemssider";
+        "/cert/".return = "301 https://www.pvv.ntnu.no/pvv/CERT";
+        "/drift".return = "301 https://www.pvv.ntnu.no/pvv/Drift";
+        "/diverse/abuse.php".return = "301 https://www.pvv.ntnu.no/pvv/CERT/Abuse";
+        "/nerds/".return = "301 https://www.pvv.ntnu.no/pvv/Nerdepizza";
+
+        # TODO: Redirect webmail
+        "/webmail".return = "301 https://webmail.pvv.ntnu.no/squirrelmail";
+
+        # Redirect everything else to the main website
+        "/".return = "301 https://www.pvv.ntnu.no$request_uri";
+
+        # Proxy the matrix well-known files
+        # Host has be set before proxy_pass
+        # The header must be set so nginx on the other side routes it to the right place
+        "/.well-known/matrix/" = {
+          extraConfig = ''
+            proxy_set_header Host matrix.pvv.ntnu.no;
+            proxy_pass https://matrix.pvv.ntnu.no/.well-known/matrix/;
+          '';
+        };
+      };
+    };
+  };
+}
+

hosts/bekkalokk/services/openldap.nix

@@ -0,0 +1,6 @@
+{ ... }:
+{
+  services.openldap = {
+    enable = true;
+  };
+}

hosts/bekkalokk/services/vaultwarden.nix

@@ -1,68 +0,0 @@
-{ config, pkgs, lib, ... }:
-let
-  cfg = config.services.vaultwarden;
-  domain = "pw.pvv.ntnu.no";
-  address = "127.0.1.2";
-  port = 3011;
-  wsPort = 3012;
-in {
-  sops.secrets."vaultwarden/environ" = {
-    owner = "vaultwarden";
-    group = "vaultwarden";
-  };
-
-  services.vaultwarden = {
-    enable = true;
-    dbBackend = "postgresql";
-    environmentFile = config.sops.secrets."vaultwarden/environ".path;
-    config = {
-      domain = "https://${domain}";
-
-      rocketAddress = address;
-      rocketPort = port;
-
-      websocketEnabled = true;
-      websocketAddress = address;
-      websocketPort = wsPort;
-
-      signupsAllowed = true;
-      signupsVerify = true;
-      signupsDomainsWhitelist = "pvv.ntnu.no";
-
-      smtpFrom = "vaultwarden@pvv.ntnu.no";
-      smtpFromName = "VaultWarden PVV";
-
-      smtpHost = "smtp.pvv.ntnu.no";
-      smtpUsername = "vaultwarden";
-      smtpSecurity = "force_tls";
-      smtpAuthMechanism = "Login";
-
-      # Configured in environ:
-      # databaseUrl = "postgresql://vaultwarden@/vaultwarden";
-      # smtpPassword = hemli
-    };
-  };
-
-  services.nginx.virtualHosts."${domain}" = {
-    forceSSL = true;
-    enableACME = true;
-    kTLS = true;
-
-    extraConfig = ''
-      client_max_body_size 128M;
-    '';
-
-    locations."/" = {
-      proxyPass = "http://${address}:${toString port}";
-      proxyWebsockets = true;
-    };
-    locations."/notifications/hub" = {
-      proxyPass = "http://${address}:${toString wsPort}";
-      proxyWebsockets = true;
-    };
-    locations."/notifications/hub/negotiate" = {
-      proxyPass = "http://${address}:${toString port}";
-      proxyWebsockets = true;
-    };
-  };
-}

hosts/bekkalokk/services/webmail/default.nix

@@ -2,20 +2,14 @@
 {
   imports = [
     ./roundcube.nix
-    ./snappymail.nix
   ];
 
-  services.nginx.virtualHosts."webmail.pvv.ntnu.no" = {
+  services.nginx.virtualHosts."webmail2.pvv.ntnu.no" = {
     forceSSL = true;
     enableACME = true;
-    kTLS = true;
+    #locations."/" = lib.mkForce { };
-    locations = {
+    locations."= /" = {
-      "= /".return = "302 https://webmail.pvv.ntnu.no/roundcube";
+      return = "301 https://www.pvv.ntnu.no/mail/";
-
-      "/afterlogic_lite".return = "302 https://webmail.pvv.ntnu.no/roundcube";
-      "/squirrelmail".return = "302 https://webmail.pvv.ntnu.no/roundcube";
-      "/rainloop".return = "302 https://snappymail.pvv.ntnu.no/";
-      "/snappymail".return = "302 https://snappymail.pvv.ntnu.no/";
     };
   };
 }

hosts/bekkalokk/services/webmail/roundcube.nix

@@ -3,7 +3,7 @@
 with lib;
 let
   cfg = config.services.roundcube;
-  domain = "webmail.pvv.ntnu.no";
+  domain = "webmail2.pvv.ntnu.no";
 in 
 {
   services.roundcube = {
@@ -35,7 +35,6 @@ in
   services.nginx.virtualHosts."roundcubeplaceholder.example.com" = lib.mkForce { };
 
   services.nginx.virtualHosts.${domain} = {
-    kTLS = true;
     locations."/roundcube" = {
       tryFiles = "$uri $uri/ =404";
       index = "index.php";

hosts/bekkalokk/services/webmail/snappymail.nix

@@ -1,18 +0,0 @@
-{ config, lib, pkgs, ... }:
-let
-  cfg = config.services.snappymail;
-in {
-  imports = [ ../../../../modules/snappymail.nix ];
-
-  services.snappymail = {
-    enable = true;
-    hostname = "snappymail.pvv.ntnu.no";
-  };
-
-  services.nginx.virtualHosts.${cfg.hostname} = {
-    forceSSL = true;
-    enableACME = true;
-    kTLS = true;
-  };
-}
-

hosts/bekkalokk/services/website.nix

@@ -0,0 +1,4 @@
+{ ... }:
+{
+
+}

hosts/bekkalokk/services/website/default.nix

@@ -1,131 +0,0 @@
-{ pkgs, lib, config, ... }:
-let
-  format = pkgs.formats.php { };
-  cfg = config.services.pvv-nettsiden;
-in {
-  imports = [
-    ./fetch-gallery.nix
-  ];
-
-  sops.secrets = lib.genAttrs [
-    "nettsiden/door_secret"
-    "nettsiden/mysql_password"
-    "nettsiden/simplesamlphp/admin_password"
-    "nettsiden/simplesamlphp/cookie_salt"
-  ] (_: {
-    owner = config.services.phpfpm.pools.pvv-nettsiden.user;
-    group = config.services.phpfpm.pools.pvv-nettsiden.group;
-    restartUnits = [ "phpfpm-pvv-nettsiden.service" ];
-  });
-
-  services.idp.sp-remote-metadata = [
-    "https://www.pvv.ntnu.no/simplesaml/"
-    "https://pvv.ntnu.no/simplesaml/"
-    "https://www.pvv.org/simplesaml/" 
-    "https://pvv.org/simplesaml/" 
-  ];
-
-  services.pvv-nettsiden = {
-    enable = true;
-
-    package = pkgs.pvv-nettsiden.override {
-      extra_files = {
-        "${pkgs.pvv-nettsiden.passthru.simplesamlphpPath}/metadata/saml20-idp-remote.php" = pkgs.writeText "pvv-nettsiden-saml20-idp-remote.php" (import ../idp-simplesamlphp/metadata.php.nix);
-        "${pkgs.pvv-nettsiden.passthru.simplesamlphpPath}/config/authsources.php" = pkgs.writeText "pvv-nettsiden-authsources.php" ''
-          <?php
-          $config = array(
-              'admin' => array(
-                'core:AdminPassword'
-              ),
-              'default-sp' => array(
-                  'saml:SP',
-                  'entityID' => 'https://${cfg.domainName}/simplesaml/',
-                  'idp' => 'https://idp.pvv.ntnu.no/',
-              ),
-          );
-	'';
-      };
-    };
-
-    domainName = "www.pvv.ntnu.no";
-
-    settings = let
-      includeFromSops = path: format.lib.mkRaw "file_get_contents('${config.sops.secrets."nettsiden/${path}".path}')";
-    in {
-      DOOR_SECRET = includeFromSops "door_secret";
-
-      DB = {
-        DSN = "mysql:dbname=www-data_nettside;host=mysql.pvv.ntnu.no";
-        USER = "www-data_nettsi";
-        PASS = includeFromSops "mysql_password";
-      };
-
-      # TODO: set up postgres session for simplesamlphp
-      SAML = {
-        COOKIE_SALT = includeFromSops "simplesamlphp/cookie_salt";
-        COOKIE_SECURE = true;
-        ADMIN_NAME = "PVV Drift";
-        ADMIN_EMAIL = "drift@pvv.ntnu.no";
-        ADMIN_PASSWORD = includeFromSops "simplesamlphp/admin_password";
-        TRUSTED_DOMAINS = [ cfg.domainName ];
-      };
-    };
-  };
-
-  services.phpfpm.pools."pvv-nettsiden".settings = {
-    # "php_admin_value[error_log]" = "stderr";
-    "php_admin_flag[log_errors]" = true;
-    "catch_workers_output" = true;
-  };
-
-  services.nginx.virtualHosts.${cfg.domainName} = {
-    serverAliases = [
-      "pvv.ntnu.no"
-      "www.pvv.org"
-      "pvv.org"
-    ];
-
-    locations = {
-      # Proxy home directories
-      "^~ /~" = {
-        extraConfig = ''
-          proxy_redirect off;
-          proxy_pass https://tom.pvv.ntnu.no;
-          proxy_set_header Host $host;
-          proxy_set_header X-Real-IP $remote_addr;
-          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-          proxy_set_header X-Forwarded-Proto $scheme;
-        '';
-      };
-
-      # Redirect the old webmail/wiki paths from spikkjeposche
-      "^~ /webmail".return = "301 https://webmail.pvv.ntnu.no";
-      "~ /pvv/([^\\n\\r]*)".return = "301 https://wiki.pvv.ntnu.no/wiki/$1";
-      "= /pvv".return = "301 https://wiki.pvv.ntnu.no/";
-
-      # Redirect old wiki entries
-      "/disk".return = "301 https://wiki.pvv.ntnu.no/wiki/Diskkjøp";
-      "/dok/boker.php".return = "301 https://wiki.pvv.ntnu.no/wiki/Bokhyllen";
-      "/styret/lover/".return = "301 https://wiki.pvv.ntnu.no/wiki/Lover";
-      "/styret/".return = "301 https://wiki.pvv.ntnu.no/wiki/Styret";
-      "/info/".return = "301 https://wiki.pvv.ntnu.no/wiki/";
-      "/info/maskinpark/".return = "301 https://wiki.pvv.ntnu.no/wiki/Maskiner";
-      "/medlemssider/meldinn.php".return = "301 https://wiki.pvv.ntnu.no/wiki/Medlemskontingent";
-      "/diverse/medlems-sider.php".return = "301 https://wiki.pvv.ntnu.no/wiki/Medlemssider";
-      "/cert/".return = "301 https://wiki.pvv.ntnu.no/wiki/CERT";
-      "/drift".return = "301 https://wiki.pvv.ntnu.no/wiki/Drift";
-      "/diverse/abuse.php".return = "301 https://wiki.pvv.ntnu.no/wiki/CERT/Abuse";
-      "/nerds/".return = "301 https://wiki.pvv.ntnu.no/wiki/Nerdepizza";
-
-      # Proxy the matrix well-known files
-      # Host has be set before proxy_pass
-      # The header must be set so nginx on the other side routes it to the right place
-      "^~ /.well-known/matrix/" = {
-        extraConfig = ''
-          proxy_set_header Host matrix.pvv.ntnu.no;
-          proxy_pass https://matrix.pvv.ntnu.no/.well-known/matrix/;
-        '';
-      };
-    };
-  };
-}

hosts/bekkalokk/services/website/fetch-gallery.nix

@@ -1,67 +0,0 @@
-{ pkgs, lib, config, ... }:
-let
-  galleryDir = config.services.pvv-nettsiden.settings.GALLERY.DIR;
-  transferDir = "${config.services.pvv-nettsiden.settings.GALLERY.DIR}-transfer";
-in {
-  users.users.${config.services.pvv-nettsiden.user} = {
-    useDefaultShell = true;
-
-    # This is pushed from microbel:/var/www/www-gallery/build-gallery.sh
-    openssh.authorizedKeys.keys = [
-    ''command="${pkgs.rrsync}/bin/rrsync -wo ${transferDir}",restrict,no-agent-forwarding,no-port-forwarding,no-pty,no-X11-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIjHhC2dikhWs/gG+m7qP1eSohWzTehn4ToNzDSOImyR gallery-publish''
-    ];
-  };
-
-  systemd.paths.pvv-nettsiden-gallery-update = {
-    wantedBy = [ "multi-user.target" ];
-    pathConfig = {
-      PathChanged = "${transferDir}/gallery.tar.gz";
-      Unit = "pvv-nettsiden-gallery-update.service";
-      MakeDirectory = true;
-    };
-  };
-
-  systemd.services.pvv-nettsiden-gallery-update = {
-    path = with pkgs; [ imagemagick gnutar gzip ];
-
-    script = ''
-      tar ${lib.cli.toGNUCommandLineShell {} {
-        extract = true;
-        file = "${transferDir}/gallery.tar.gz";
-        directory = ".";
-      }}
-
-      # Delete files and directories that exists in the gallery that don't exist in the tarball
-      filesToRemove=$(uniq -u <(sort <(find . -not -path "./.thumbnails*") <(tar -tf ${transferDir}/gallery.tar.gz | sed 's|/$||')))
-      while IFS= read fname; do
-        rm -f "$fname" ||:
-        rm -f ".thumbnails/$fname.png" ||:
-      done <<< "$filesToRemove"
-
-      find . -type d -empty -delete
-
-      mkdir -p .thumbnails
-      images=$(find . -type f -not -path "./.thumbnails*")
-
-      while IFS= read fname; do
-        # Skip this file if an up-to-date thumbnail already exists
-        if [ -f ".thumbnails/$fname.png" ] && \
-           [ "$(date -R -r "$fname")" == "$(date -R -r ".thumbnails/$fname.png")" ]
-        then
-          continue
-        fi
-
-        echo "Creating thumbnail for $fname"
-        mkdir -p $(dirname ".thumbnails/$fname")
-        convert -define jpeg:size=200x200 "$fname" -thumbnail 300 -auto-orient ".thumbnails/$fname.png" ||:
-	touch -m -d "$(date -R -r "$fname")" ".thumbnails/$fname.png"
-      done <<< "$images"
-    '';
-
-    serviceConfig = {
-      WorkingDirectory = galleryDir;
-      User = config.services.pvv-nettsiden.user;
-      Group = config.services.pvv-nettsiden.group;
-    };
-  };
-}

hosts/bicep/services/matrix/element.nix

@@ -5,7 +5,6 @@ in {
   services.nginx.virtualHosts."chat.pvv.ntnu.no" = {
     enableACME = true;
     forceSSL = true;
-    kTLS = true;
 
     root = pkgs.element-web.override {
       conf = {

hosts/bicep/services/matrix/smtp-authenticator/smtp_auth_provider.py

@@ -7,9 +7,6 @@ from synapse import module_api
 
 import re
 
-import logging
-logger = logging.getLogger(__name__)
-
 class SMTPAuthProvider:
     def __init__(self, config: dict, api: module_api):
         self.api = api
@@ -46,13 +43,8 @@ class SMTPAuthProvider:
 
         if result == True:
             userid = self.api.get_qualified_user_id(username)
-
+            if not self.api.check_user_exists(userid):
-            userid = await self.api.check_user_exists(userid)
+                self.api.register_user(username)
-            if not userid:
-                logger.info(f"user did not exist, registering {username}")
-                userid = await self.api.register_user(username)
-                logger.info(f"registered userid: {userid}")
             return (userid, None)
         else:
-            logger.info("returning None")
             return None

hosts/bicep/services/matrix/synapse.nix

@@ -134,6 +134,80 @@ in {
         "129.241.0.0/16"
         "2001:700:300::/44"
       ];
+
+      saml2_config = {
+        sp_config.metadata.remote = [
+          { url = "https://idp.pvv.ntnu.no/simplesaml/saml2/idp/metadata.php"; }
+        ];
+
+        description = [ "Matrix Synapse SP" "en" ];
+        name = [ "Matrix Synapse SP" "en" ];
+
+        ui_info = {
+          display_name = [
+            {
+              lang = "en";
+              text = "PVV Matrix login";
+            }
+          ];
+          description = [
+            {
+              lang = "en";
+              text = "Matrix is a modern free and open federated chat protocol";
+            }
+          ];
+          #information_url = [
+          #  {
+          #    lang = "en";
+          #    text = "";
+          #  };
+          #];
+          #privacy_statement_url = [
+          #  {
+          #    lang = "en";
+          #    text = "";
+          #  };
+          #];
+          keywords = [
+            {
+              lang = "en";
+              text = [ "Matrix" "Element" ];
+            }
+          ];
+          #logo = [
+          #  {
+          #    lang = "en";
+          #    text = "";
+          #    width = "";
+          #    height = "";
+          #  }
+          #];
+        };
+
+        organization = {
+          name = "Programvareverkstedet";
+          display_name = [ "Programvareverkstedet" "en" ];
+          url = "https://www.pvv.ntnu.no";
+        };
+        contact_person = [
+          { given_name = "Drift";
+            sur_name = "King";
+            email_adress = [ "drift@pvv.ntnu.no" ];
+            contact_type = "technical";
+          }
+        ];
+
+        user_mapping_provider = {
+          config = {
+            mxid_source_attribute =  "uid"; # What is this supposed to be?
+            mxid_mapping = "hexencode";
+          };
+        };
+
+        #attribute_requirements = [
+        #  {attribute = "userGroup"; value = "medlem";} # Do we have this?
+        #];
+      };
     };
   };
 
@@ -143,9 +217,6 @@ in {
   services.redis.servers."".enable = true;
   
   services.nginx.virtualHosts."matrix.pvv.ntnu.no" = lib.mkMerge [
-  ({
-    kTLS = true;
-  })
   ({
     locations."/.well-known/matrix/server" = {
       return = ''
@@ -170,8 +241,6 @@ in {
         extraConfig = ''
           allow ${values.hosts.ildkule.ipv4};
           allow ${values.hosts.ildkule.ipv6};
-          allow ${values.hosts.ildkule.ipv4_global};
-          allow ${values.hosts.ildkule.ipv6_global};
           deny all;
         '';
       }))
@@ -183,8 +252,6 @@ in {
       extraConfig = ''
         allow ${values.hosts.ildkule.ipv4};
         allow ${values.hosts.ildkule.ipv6};
-        allow ${values.hosts.ildkule.ipv4_global};
-        allow ${values.hosts.ildkule.ipv6_global};
         deny all;
       '';
     };

hosts/bicep/services/nginx/default.nix

@@ -1,8 +1,15 @@
 { config, values, ... }:
 {
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = "danio@pvv.ntnu.no";
+  };
+
   services.nginx = {
     enable = true;
+
     enableReload = true;
+
     defaultListenAddresses = [
       values.hosts.bicep.ipv4
       "[${values.hosts.bicep.ipv6}]"
@@ -11,5 +18,28 @@
       "127.0.0.2"
       "[::1]"
     ];
+
+    appendConfig = ''
+      pcre_jit on;
+      worker_processes 8;
+      worker_rlimit_nofile 8192;
+    '';
+
+    eventsConfig = ''
+      multi_accept on;
+      worker_connections 4096;
+    '';
+
+    recommendedProxySettings = true;
+    recommendedTlsSettings = true;
+    recommendedGzipSettings = true;
+    recommendedBrotliSettings = true;
+    recommendedOptimisation = true;
+  };
+
+  networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+  systemd.services.nginx.serviceConfig = {
+    LimitNOFILE = 65536;
   };
 }

hosts/buskerud/configuration.nix

@@ -4,8 +4,6 @@
     ./hardware-configuration.nix
     ../../base.nix
     ../../misc/metrics-exporters.nix
-
-    ./services/libvirt.nix
   ];
 
   # buskerud does not support efi?

hosts/buskerud/services/libvirt.nix

@@ -1,10 +0,0 @@
-{ config, pkgs, lib, ... }:
-{
-  virtualisation.libvirtd.enable = true;
-  programs.dconf.enable = true;
-  boot.kernelModules = [ "kvm-intel" ];
-
-  # On a gui-enabled machine, connect with:
-  # $ virt-manager --connect "qemu+ssh://buskerud/system?socket=/var/run/libvirt/libvirt-sock"
-}
-

hosts/ildkule/configuration.nix

@@ -6,8 +6,8 @@
       ../../base.nix
       ../../misc/metrics-exporters.nix
 
-      ./services/monitoring
       ./services/nginx
+      ./services/metrics
     ];
 
   sops.defaultSopsFile = ../../secrets/ildkule/ildkule.yaml;
@@ -15,37 +15,28 @@
   sops.age.keyFile = "/var/lib/sops-nix/key.txt";
   sops.age.generateKey = true;
 
-  boot.loader.grub.device = "/dev/vda";
+  boot.loader.systemd-boot.enable = true;
-  boot.tmp.cleanOnBoot = true;
+  boot.loader.efi.canTouchEfiVariables = true;
-  zramSwap.enable = true;
 
   networking.hostName = "ildkule"; # Define your hostname.
 
-  # Main connection, using the global/floatig IP, for communications with the world
+  systemd.network.networks."30-ens18" = values.defaultNetworkConfig // {
-  systemd.network.networks."30-ntnu-global" = values.openstackGlobalNetworkConfig // {
+    matchConfig.Name = "ens18";
-    matchConfig.Name = "ens4";
+    address = with values.hosts.ildkule; [ (ipv4 + "/25") (ipv6 + "/64") ];
-
-    # Add the global addresses in addition to the local address learned from DHCP
-    addresses = [
-      { addressConfig.Address = "${values.hosts.ildkule.ipv4_global}/32"; }
-      { addressConfig.Address = "${values.hosts.ildkule.ipv6_global}/128"; }
-    ];
-  };
-
-  # Secondary connection only for use within the university network
-  systemd.network.networks."40-ntnu-internal" = values.openstackLocalNetworkConfig // {
-    matchConfig.Name = "ens3";
-    # Add the ntnu-internal addresses in addition to the local address learned from DHCP
-    addresses = [
-      { addressConfig.Address = "${values.hosts.ildkule.ipv4}/32"; }
-      { addressConfig.Address = "${values.hosts.ildkule.ipv6}/128"; }
-    ];
   };
 
   # List packages installed in system profile
   environment.systemPackages = with pkgs; [
   ];
 
-  system.stateVersion = "23.11"; # Did you read the comment?
+  # List services that you want to enable:
+
+  # This value determines the NixOS release from which the default
+  # settings for stateful data, like file locations and database versions
+  # on your system were taken. It‘s perfectly fine and recommended to leave
+  # this value at the release version of the first install of this system.
+  # Before changing this value read the documentation for this option
+  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+  system.stateVersion = "21.11"; # Did you read the comment?
 
 }

hosts/ildkule/hardware-configuration.nix

@@ -1,9 +1,37 @@
-{ modulesPath, lib, ... }:
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
-{
+# and may be overwritten by future invocations.  Please make changes
-  imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
+# to /etc/nixos/configuration.nix instead.
-  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi" ];
+{ config, lib, pkgs, modulesPath, ... }:
-  boot.initrd.kernelModules = [ "nvme" ];
-  fileSystems."/" = { device = "/dev/vda1"; fsType = "ext4"; };
 
+{
+  imports =
+    [ (modulesPath + "/profiles/qemu-guest.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "sr_mod" "virtio_blk" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/afe70fe4-681a-4675-8cbd-e5d08cdcf5b5";
+      fsType = "ext4";
+    };
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/B71A-E5CD";
+      fsType = "vfat";
+    };
+
+  swapDevices = [ ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
   networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.ens18.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 }

hosts/ildkule/services/metrics/default.nix

@@ -2,9 +2,8 @@
 
 {
   imports = [
+    ./prometheus
     ./grafana.nix
     ./loki.nix
-    ./prometheus
-    ./uptime-kuma.nix
   ];
 }

hosts/ildkule/services/metrics/grafana.nix

@@ -7,6 +7,7 @@ in {
   in {
     "keys/grafana/secret_key" = { inherit owner group; };
     "keys/grafana/admin_password" = { inherit owner group; };
+    "keys/postgres/grafana" = { inherit owner group; };
   };
 
   services.grafana = {
@@ -17,7 +18,7 @@ in {
       secretFile = path: "$__file{${path}}";
     in {
       server = {
-        domain = "grafana.pvv.ntnu.no";
+        domain = "ildkule.pvv.ntnu.no";
         http_port = 2342;
         http_addr = "127.0.0.1";
       };
@@ -26,6 +27,13 @@ in {
         secret_key = secretFile config.sops.secrets."keys/grafana/secret_key".path;
         admin_password = secretFile config.sops.secrets."keys/grafana/admin_password".path;
       };
+
+      database = {
+        type = "postgres";
+        user = "grafana";
+        host = "${values.hosts.bicep.ipv4}:5432";
+        password = secretFile config.sops.secrets."keys/postgres/grafana".path;
+      };
     };
 
     provision = {
@@ -83,7 +91,6 @@ in {
   services.nginx.virtualHosts.${cfg.settings.server.domain} = {
     enableACME = true;
     forceSSL = true;
-    kTLS = true;
     locations = {
       "/" = {
         proxyPass = "http://127.0.0.1:${toString cfg.settings.server.http_port}";

hosts/ildkule/services/metrics/loki.nix

@@ -50,6 +50,7 @@ in {
         boltdb_shipper = {
           active_index_directory = "/var/lib/loki/boltdb-shipper-index";
           cache_location = "/var/lib/loki/boltdb-shipper-cache";
+          shared_store = "filesystem";
           cache_ttl = "24h";
         };
         filesystem = {
@@ -58,13 +59,14 @@ in {
       };
 
       limits_config = {
-	allow_structured_metadata = false;
+        enforce_metric_name = false;
         reject_old_samples = true;
         reject_old_samples_max_age = "72h";
       };
 
       compactor = {
         working_directory = "/var/lib/loki/compactor";
+        shared_store = "filesystem";
       };
 
       # ruler = {

hosts/ildkule/services/monitoring/uptime-kuma.nix

@@ -1,20 +0,0 @@
-{ config, pkgs, lib, ... }:
-let
-  cfg = config.services.uptime-kuma;
-  domain = "status.pvv.ntnu.no";
-in {
-  services.uptime-kuma = {
-    enable = true;
-    settings = {
-      PORT = "5059";
-      HOST = "127.0.1.2";
-    };
-  };
-
-  services.nginx.virtualHosts.${domain} = {
-    enableACME = true;
-    forceSSL = true;
-    kTLS = true;
-    locations."/".proxyPass = "http://${cfg.settings.HOST}:${cfg.settings.PORT}";
-  };
-}

hosts/ildkule/services/nginx/default.nix

@@ -1,7 +1,29 @@
 { config, values, ... }:
 {
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = "drift@pvv.ntnu.no";
+  };
+
   services.nginx = {
     enable = true;
+
     enableReload = true;
+
+    defaultListenAddresses = [
+      values.hosts.ildkule.ipv4
+      "[${values.hosts.ildkule.ipv6}]"
+
+      "127.0.0.1"
+      "127.0.0.2"
+      "[::1]"
+    ];
+
+    recommendedProxySettings = true;
+    recommendedTlsSettings = true;
+    recommendedGzipSettings = true;
+    recommendedOptimisation = true;
   };
+
+  networking.firewall.allowedTCPPorts = [ 80 443 ];
 }

misc/metrics-exporters.nix

@@ -14,8 +14,6 @@
       "::1"
       values.hosts.ildkule.ipv4
       values.hosts.ildkule.ipv6
-      values.hosts.ildkule.ipv4_global
-      values.hosts.ildkule.ipv6_global
     ];
   };
 

modules/grzegorz.nix

@@ -24,12 +24,15 @@ in {
   services.grzegorz-webui.hostName = "${config.networking.fqdn}";
   services.grzegorz-webui.apiBase = "http://${toString grg.listenAddr}:${toString grg.listenPort}/api";
 
+  security.acme.acceptTerms = true;
+  security.acme.defaults.email = "pederbs@pvv.ntnu.no";
+
   services.nginx.enable = true;
+  networking.firewall.allowedTCPPorts = [ 80 443 ];
 
   services.nginx.virtualHosts."${config.networking.fqdn}" = {
     forceSSL = true;
     enableACME = true;
-    kTLS = true;
     serverAliases = [
       "${config.networking.hostName}.pvv.org"
     ];

modules/snakeoil-certs.nix

@@ -1,83 +0,0 @@
-{ config, pkgs, lib, ... }:
-let
-  cfg = config.environment.snakeoil-certs;
-in
-{
-  options.environment.snakeoil-certs = lib.mkOption {
-    default = { };
-    description = "Self signed certs, which are rotated regularly";
-    type = lib.types.attrsOf (lib.types.submodule ({ name, ... }: {
-      options = {
-        owner = lib.mkOption {
-          type = lib.types.str;
-          default = "root";
-        };
-        group = lib.mkOption {
-          type = lib.types.str;
-          default = "root";
-        };
-        mode = lib.mkOption {
-          type = lib.types.str;
-          default = "0660";
-        };
-        daysValid = lib.mkOption {
-          type = lib.types.str;
-          default = "90";
-        };
-        extraOpenSSLArgs = lib.mkOption {
-          type = with lib.types; listOf str;
-          default = [ ];
-        };
-        certificate = lib.mkOption {
-          type = lib.types.str;
-          default = "${name}.crt";
-        };
-        certificateKey = lib.mkOption {
-          type = lib.types.str;
-          default = "${name}.key";
-        };
-	subject = lib.mkOption {
-	  type = lib.types.str;
-	  default = "/C=NO/O=Programvareverkstedet/CN=*.pvv.ntnu.no/emailAddress=drift@pvv.ntnu.no";
-	};
-      };
-    }));
-  };
-
-  config = {
-    systemd.services."generate-snakeoil-certs" = {
-      enable = true;
-      serviceConfig.Type = "oneshot";
-      script = let
-        openssl = lib.getExe pkgs.openssl;
-      in lib.concatMapStringsSep "\n----------------\n" ({ name, value }: ''
-        mkdir -p $(dirname "${value.certificate}") $(dirname "${value.certificateKey}")
-        if ! ${openssl} x509 -checkend 86400 -noout -in ${value.certificate}
-        then
-           echo "Regenerating '${value.certificate}'"
-           ${openssl} req \
-             -newkey rsa:4096 \
-             -new -x509 \
-             -days "${toString value.daysValid}" \
-             -nodes \
-             -subj "${value.subject}" \
-             -out "${value.certificate}" \
-             -keyout "${value.certificateKey}" \
-             ${lib.escapeShellArgs value.extraOpenSSLArgs}
-        fi
-        chown "${value.owner}:${value.group}" "${value.certificate}"
-        chown "${value.owner}:${value.group}" "${value.certificateKey}"
-        chmod "${value.mode}" "${value.certificate}"
-        chmod "${value.mode}" "${value.certificateKey}"
-      '') (lib.attrsToList cfg);
-    };
-    systemd.timers."generate-snakeoil-certs" = {
-      wantedBy = [ "timers.target" ];
-      timerConfig = {
-        OnCalendar = "*-*-* 02:00:00";
-        Persistent = true;
-        Unit = "generate-snakeoil-certs.service";
-      };
-    };
-  };
-}

modules/snappymail.nix

@@ -1,103 +0,0 @@
-{ config, pkgs, lib, ... }:
-
-let
-  inherit (lib) mkDefault mkEnableOption mkForce mkIf mkOption mkPackageOption generators types;
-
-  cfg = config.services.snappymail;
-  maxUploadSize = "256M";
-in {
-  options.services.snappymail = {
-    enable = mkEnableOption "Snappymail";
-
-    package = mkPackageOption pkgs "snappymail" { };
-
-    dataDir = mkOption {
-      type = types.str;
-      default = "/var/lib/snappymail";
-      description = "State directory for snappymail";
-    };
-
-    hostname = mkOption {
-      type = types.nullOr types.str;
-      default = null;
-      example = "mail.example.com";
-      description = "Enable nginx with this hostname, null disables nginx";
-    };
-
-    user = mkOption {
-      type = types.str;
-      default = "snappymail";
-      description = "System user under which snappymail runs";
-    };
-
-    group = mkOption {
-      type = types.str;
-      default = "snappymail";
-      description = "System group under which snappymail runs";
-    };
-  };
-
-  config = mkIf cfg.enable {
-    users.users = mkIf (cfg.user == "snappymail") {
-      snappymail = {
-        description = "Snappymail service";
-        group = cfg.group;
-        home = cfg.dataDir;
-        isSystemUser = true;
-      };
-    };
-
-    users.groups = mkIf (cfg.group == "snappymail") {
-      snappymail = {};
-    };
-
-    services.phpfpm.pools.snappymail = {
-      user = cfg.user;
-      group = cfg.group;
-      phpOptions = generators.toKeyValue {} {
-        upload_max_filesize = maxUploadSize;
-        post_max_size = maxUploadSize;
-        memory_limit = maxUploadSize;
-      };
-
-      settings = {
-        "listen.owner" = config.services.nginx.user;
-        "listen.group" = config.services.nginx.group;
-        "pm" = "ondemand";
-        "pm.max_children" = 32;
-        "pm.process_idle_timeout" = "10s";
-        "pm.max_requests" = 500;
-      };
-    };
-
-    services.nginx = mkIf (cfg.hostname != null) {
-      virtualHosts."${cfg.hostname}" = {
-        locations."/".extraConfig = ''
-          index index.php;
-          autoindex on;
-          autoindex_exact_size off;
-          autoindex_localtime on;
-        '';
-        locations."^~ /data".extraConfig = ''
-          deny all;
-        '';
-        locations."~ \\.php$".extraConfig = ''
-          include ${config.services.nginx.package}/conf/fastcgi_params;
-
-          fastcgi_param   SCRIPT_FILENAME $document_root$fastcgi_script_name;
-          fastcgi_pass unix:${config.services.phpfpm.pools.snappymail.socket};
-        '';
-        extraConfig = ''
-          client_max_body_size ${maxUploadSize};
-        '';
-
-        root = if (cfg.package == pkgs.snappymail) then
-          pkgs.snappymail.override {
-            dataPath = cfg.dataDir;
-          }
-        else cfg.package;
-      };
-    };
-  };
-}
-

packages/heimdal/default.nix

@@ -0,0 +1,178 @@
+{ lib
+, stdenv
+, fetchFromGitHub
+, autoreconfHook
+, pkg-config
+, python3
+, perl
+, bison
+, flex
+, texinfo
+, perlPackages
+
+, openldap
+, libcap_ng
+, sqlite
+, openssl
+, db
+, libedit
+, pam
+, krb5
+, libmicrohttpd
+, cjson
+
+, CoreFoundation
+, Security
+, SystemConfiguration
+
+, curl
+, jdk
+, unzip
+, which
+
+, nixosTests
+
+, withCJSON ? true
+, withCapNG ? stdenv.isLinux
+# libmicrohttpd should theoretically work for darwin as well, but something is broken.
+# It affects tests check-bx509d and check-httpkadmind.
+, withMicroHTTPD ? stdenv.isLinux
+, withOpenLDAP ? true
+, withOpenLDAPAsHDBModule ? false
+, withOpenSSL ? true
+, withSQLite3 ? true
+}:
+
+assert lib.assertMsg (withOpenLDAPAsHDBModule -> withOpenLDAP) ''
+  OpenLDAP needs to be enabled in order to build the OpenLDAP HDB Module.
+'';
+
+stdenv.mkDerivation {
+  pname = "heimdal";
+  version = "7.8.0-unstable-2023-11-29";
+
+  src = fetchFromGitHub {
+    owner = "heimdal";
+    repo = "heimdal";
+    rev = "3253c49544eacb33d5ad2f6f919b0696e5aab794";
+    hash = "sha256-uljzQBzXrZCZjcIWfioqHN8YsbUUNy14Vo+A3vZIXzM=";
+  };
+
+  outputs = [ "out" "dev" "man" "info" ];
+
+  nativeBuildInputs = [
+    autoreconfHook
+    pkg-config
+    python3
+    perl
+    bison
+    flex
+    texinfo
+  ]
+  ++ (with perlPackages; [ JSON ]);
+
+  buildInputs = [ db libedit pam ]
+    ++ lib.optionals (stdenv.isDarwin) [ CoreFoundation Security SystemConfiguration ]
+    ++ lib.optionals (withCJSON) [ cjson ]
+    ++ lib.optionals (withCapNG) [ libcap_ng ]
+    ++ lib.optionals (withMicroHTTPD) [ libmicrohttpd ]
+    ++ lib.optionals (withOpenLDAP) [ openldap ]
+    ++ lib.optionals (withOpenSSL) [ openssl ]
+    ++ lib.optionals (withSQLite3) [ sqlite ];
+
+  doCheck = true;
+  nativeCheckInputs = [
+    curl
+    jdk
+    unzip
+    which
+  ];
+
+  configureFlags = [
+    "--with-libedit-include=${libedit.dev}/include"
+    "--with-libedit-lib=${libedit}/lib"
+    "--with-berkeley-db-include=${db.dev}/include"
+    "--with-berkeley-db"
+
+    "--without-x"
+    "--disable-afs-string-to-key"
+  ] ++ lib.optionals (withCapNG) [
+    "--with-capng"
+  ] ++ lib.optionals (withCJSON) [
+    "--with-cjson=${cjson}"
+  ] ++ lib.optionals (withOpenLDAP) [
+    "--with-openldap=${openldap.dev}"
+  ] ++ lib.optionals (withOpenLDAPAsHDBModule) [
+    "--enable-hdb-openldap-module"
+  ] ++ lib.optionals (withSQLite3) [
+    "--with-sqlite3=${sqlite.dev}"
+  ];
+
+  # (check-ldap) slapd resides within ${openldap}/libexec,
+  #              which is not part of $PATH by default.
+  # (check-ldap) prepending ${openldap}/bin to the path to avoid
+  #              using the default installation of openldap on unsandboxed darwin systems,
+  #              which does not support the new mdb backend at the moment (2024-01-13).
+  # (check-ldap) the bdb backend got deprecated in favour of mdb in openldap 2.5.0,
+  #              but the heimdal tests still seem to expect bdb as the openldap backend.
+  #              This might be fixed upstream in a future update.
+  patchPhase = ''
+    runHook prePatch
+
+    substituteInPlace tests/ldap/slapd-init.in \
+      --replace 'SCHEMA_PATHS="' 'SCHEMA_PATHS="${openldap}/etc/schema '
+    substituteInPlace tests/ldap/check-ldap.in \
+      --replace 'PATH=' 'PATH=${openldap}/libexec:${openldap}/bin:'
+    substituteInPlace tests/ldap/slapd.conf \
+      --replace 'database	bdb' 'database mdb'
+
+    runHook postPatch
+  '';
+
+  # (test_cc) heimdal uses librokens implementation of `secure_getenv` on darwin,
+  #           which expects either USER or LOGNAME to be set.
+  preCheck = lib.optionalString (stdenv.isDarwin) ''
+    export USER=nix-builder
+  '';
+
+  # We need to build hcrypt for applications like samba
+  postBuild = ''
+    (cd include/hcrypto; make -j $NIX_BUILD_CORES)
+    (cd lib/hcrypto; make -j $NIX_BUILD_CORES)
+  '';
+
+  postInstall = ''
+    # Install hcrypto
+    (cd include/hcrypto; make -j $NIX_BUILD_CORES install)
+    (cd lib/hcrypto; make -j $NIX_BUILD_CORES install)
+
+    mkdir -p $dev/bin
+    mv $out/bin/krb5-config $dev/bin/
+
+    # asn1 compilers, move them to $dev
+    mv $out/libexec/heimdal/* $dev/bin
+    rmdir $out/libexec/heimdal
+
+    # compile_et is needed for cross-compiling this package and samba
+    mv lib/com_err/.libs/compile_et $dev/bin
+  '';
+
+  # Issues with hydra
+  #  In file included from hxtool.c:34:0:
+  #  hx_locl.h:67:25: fatal error: pkcs10_asn1.h: No such file or directory
+  #enableParallelBuilding = true;
+
+  passthru = {
+    implementation = "heimdal";
+    tests.nixos = nixosTests.kerberos.heimdal;
+  };
+
+  meta = with lib; {
+    homepage = "https://www.heimdal.software";
+    changelog = "https://github.com/heimdal/heimdal/releases";
+    description = "An implementation of Kerberos 5 (and some more stuff)";
+    license = licenses.bsd3;
+    platforms = platforms.unix;
+    maintainers = with maintainers; [ h7x4 ];
+  };
+}

packages/mediawiki-extensions/default.nix

@@ -1,95 +1,7 @@
 { pkgs, lib }:
-let
+lib.makeScope pkgs.newScope (self: {
-  kebab-case-name = project-name: lib.pipe project-name [
+  DeleteBatch = self.callPackage ./delete-batch { };
-    (builtins.replaceStrings
+  PluggableAuth = self.callPackage ./pluggable-auth { };
-      lib.upperChars
+  SimpleSAMLphp = self.callPackage ./simple-saml-php { };
-      (map (x: "-${x}") lib.lowerChars)
+  UserMerge = self.callPackage ./user-merge { };
-    )
+})
-    (lib.removePrefix "-")
-  ];
-
-  mw-ext = {
-    name
-  , commit
-  , hash
-  , tracking-branch ? "REL1_41"
-  , kebab-name ? kebab-case-name name
-  , fetchgit ? pkgs.fetchgit
-  }:
-  {
-    ${name} = (fetchgit {
-      name = "mediawiki-${kebab-name}-source";
-      url = "https://gerrit.wikimedia.org/r/mediawiki/extensions/${name}";
-      rev = commit;
-      inherit hash;
-    }).overrideAttrs (_: {
-      passthru = { inherit name kebab-name tracking-branch; };
-    });
-  };
-in
-# NOTE: to add another extension, you can add an mw-ext expression
-#       with an empty (or even wrong) commit and empty hash, and
-#       run the update script
-lib.mergeAttrsList [
-  (mw-ext {
-    name = "CodeEditor";
-    commit = "7d8447035e381d76387e38b92e4d1e2b8d373a01";
-    hash = "sha256-v2AlbP0vZma3qZyEAWGjZ/rLcvOpIMroyc1EixKjlAU=";
-  })
-  (mw-ext {
-    name = "CodeMirror";
-    commit = "a7b4541089f9b88a0b722d9d790e4cf0f13aa328";
-    hash = "sha256-clyzN3v3+J4GjdyhrCsytBrH7VR1tq5yd0rB+32eWCg=";
-  })
-  (mw-ext {
-    name = "DeleteBatch";
-    commit = "cad869fbd95637902673f744581b29e0f3e3f61a";
-    hash = "sha256-M1ek1WdO1/uTjeYlrk3Tz+nlb/fFZH+O0Ok7b10iKak=";
-  })
-  (mw-ext {
-    name = "PluggableAuth";
-    commit = "4111a57c34e25bde579cce5d14ea094021e450c8";
-    hash = "sha256-aPtN8A9gDxLlq2+EloRZBO0DfHtE0E5kbV/adk82jvM=";
-  })
-  (mw-ext {
-    name = "Popups";
-    commit = "f1bcadbd8b868f32ed189feff232c47966c2c49e";
-    hash = "sha256-PQAjq/X4ZYwnnZ6ADCp3uGWMIucJy0ZXxsTTbAyxlSE=";
-  })
-  (mw-ext {
-    name = "Scribunto";
-    commit = "7b99c95f588b06635ee3c487080d6cb04617d4b5";
-    hash = "sha256-pviueRHQAsSlv4AtnUpo2Cjci7CbJ5aM75taEXY+WrI=";
-  })
-  (mw-ext {
-    name = "SimpleSAMLphp";
-    kebab-name = "simple-saml-php";
-    commit = "ecb47191fecd1e0dc4c9d8b90a9118e393d82c23";
-    hash = "sha256-gKu+O49XrAVt6hXdt36Ru7snjsKX6g2CYJ0kk/d+CI8=";
-  })
-  (mw-ext {
-    name = "TemplateData";
-    commit = "1ec66ce80f8a4322138efa56864502d0ee069bad";
-    hash = "sha256-Lv3Lq9dYAtdgWcwelveTuOhkP38MTu0m5kmW8+ltRis=";
-  })
-  (mw-ext {
-    name = "TemplateStyles";
-    commit = "581180e898d6a942e2a65c8f13435a5d50fffa67";
-    hash = "sha256-zW8O0mzG4jYfQoKi2KzsP+8iwRCLnWgH7qfmDE2R+HU=";
-  })
-  (mw-ext {
-    name = "UserMerge";
-    commit = "c17c919bdb9b67bb69f80df43e9ee9d33b1ecf1b";
-    hash = "sha256-+mkzTCo8RVlGoFyfCrSb5YMh4J6Pbi1PZLFu5ps8bWY=";
-  })
-  (mw-ext {
-    name = "VisualEditor";
-    commit = "90bb3d455892e25317029ffd4bda93159e8faac8";
-    hash = "sha256-SZAVELQUKZtwSM6NVlxvIHdFPodko8fhZ/uwB0LCFDA=";
-  })
-  (mw-ext {
-    name = "WikiEditor";
-    commit = "8dba5b13246d7ae09193f87e6273432b3264de5f";
-    hash = "sha256-vF9PBuM+VfOIs/a2X1JcPn6WH4GqP/vUJDFkfXzWyFU=";
-  })
-]

packages/mediawiki-extensions/delete-batch/default.nix

@@ -0,0 +1,7 @@
+{ fetchzip }:
+
+fetchzip {
+  name = "mediawiki-delete-batch";
+  url = "https://extdist.wmflabs.org/dist/extensions/DeleteBatch-REL1_41-5774fdd.tar.gz";
+  hash = "sha256-ROkn93lf0mNXBvij9X2pMhd8LXZ0azOz7ZRaqZvhh8k=";
+}

packages/mediawiki-extensions/pluggable-auth/default.nix

@@ -0,0 +1,7 @@
+{ fetchzip }:
+
+fetchzip {
+  name = "mediawiki-pluggable-auth-source";
+  url = "https://extdist.wmflabs.org/dist/extensions/PluggableAuth-REL1_41-d5b3ad8.tar.gz";
+  hash = "sha256-OLlkKeSlfNgWXWwDdINrYRZpYuSGRwzZHgU8EYW6rYU=";
+}

packages/mediawiki-extensions/simple-saml-php/default.nix

@@ -0,0 +1,7 @@
+{ fetchzip }:
+
+fetchzip {
+  name = "mediawiki-simple-saml-php-source";
+  url = "https://extdist.wmflabs.org/dist/extensions/SimpleSAMLphp-REL1_41-9ae0678.tar.gz";
+  hash = "sha256-AmCaG5QXMJvi3N6zFyWylwYDt8GvyIk/0GFpM1Y0vkY=";
+}

packages/mediawiki-extensions/update-mediawiki-extensions.py

@@ -1,5 +1,5 @@
 #!/usr/bin/env nix-shell
-#!nix-shell -i python3 -p "python3.withPackages(ps: with ps; [ beautifulsoup4 requests ])" nix-prefetch-git
+#!nix-shell -i python3 -p "python3.withPackages(ps: with ps; [ beautifulsoup4 requests ])"
 
 import os
 from pathlib import Path
@@ -7,149 +7,60 @@ import re
 import subprocess
 from collections import defaultdict
 from pprint import pprint
-from dataclasses import dataclass
-from functools import cache
-import json
 
 import bs4
 import requests
 
+BASE_URL = "https://extdist.wmflabs.org/dist/extensions"
 
-BASE_WEB_URL = "https://gerrit.wikimedia.org/r/plugins/gitiles/mediawiki/extensions"
+def fetch_plugin_list(skip_master=True) -> dict[str, list[str]]:
-BASE_GIT_URL = "https://gerrit.wikimedia.org/r/mediawiki/extensions/"
+    content = requests.get(BASE_URL).text
-
+    soup = bs4.BeautifulSoup(content, features="html.parser")
-
+    result = defaultdict(list)
-@dataclass
+    for a in soup.find_all('a'):
-class PluginMetadata:
+        if skip_master and 'master' in a.text:
-    project_name: str
+            continue
-    tracking_branch: str | None
+        split = a.text.split('-')
-    commit: str
+        result[split[0]].append(a.text)
-    hash_: str
-
-
-@cache
-def get_package_listing_path():
-    return Path(__file__).parent / "default.nix"
-
-
-@cache
-def get_global_tracking_branch() -> str:
-    with open(get_package_listing_path()) as file:
-        file_content = file.read()
-    return re.search(r'\btracking-branch\b \? "([^"]+?)"', file_content).group(1)
-
-
-def get_metadata(package_expression: str) -> PluginMetadata | None:
-    project_name_search = re.search(r'\bname\b = "([^"]+?)";', package_expression)
-    tracking_branch_search = re.search(r'\btracking-branch\b = "([^"]+?)";', package_expression)
-    commit_search = re.search(r'\bcommit\b = "([^"]*?)";', package_expression)
-    hash_search = re.search(r'\bhash\b = "([^"]*?)";', package_expression)
-
-    if project_name_search is None:
-        print("Could not find project name in package:")
-        print(package_expression)
-        return None
-
-    tracking_branch = None;
-    if tracking_branch_search is not None:
-        tracking_branch = tracking_branch_search.group(1)
-
-    if commit_search is None:
-        print("Could not find commit in package:")
-        print(package_expression)
-        return None
-
-    if hash_search is None:
-        print("Could not find hash in package:")
-        print(package_expression)
-        return None
-
-    return PluginMetadata(
-        commit = commit_search.group(1),
-        tracking_branch = tracking_branch,
-        project_name = project_name_search.group(1),
-        hash_ = hash_search.group(1),
-    )
-
-
-def update_metadata(package_expression: str, metadata: PluginMetadata) -> str:
-    result = package_expression
-    result = re.sub(r'\bcommit\b = "[^"]*";', f'commit = "{metadata.commit}";', result)
-    result = re.sub(r'\bhash\b = "[^"]*";', f'hash = "{metadata.hash_}";', result)
     return result
 
+def update(package_file: Path, plugin_list: dict[str, list[str]]) -> None:
+    assert package_file.is_file()
+    with open(package_file) as file:
+        content = file.read()
 
-def get_newest_commit(project_name: str, tracking_branch: str) -> str:
+    tarball = re.search(f'url = "{BASE_URL}/(.+\.tar\.gz)";', content).group(1)
-    content = requests.get(f"{BASE_WEB_URL}/{project_name}/+log/refs/heads/{tracking_branch}/").text
+    split = tarball.split('-')
-    soup = bs4.BeautifulSoup(content, features="html.parser")
+    updated_tarball = plugin_list[split[0]][-1]
-    try:
-        a = soup.find('li').findChild('a')
-        commit_sha = a['href'].split('/')[-1]
-    except AttributeError:
-        print(f"ERROR: Could not parse page for {project_name}:")
-        print(soup.prettify())
-        exit(1)
-    return commit_sha
 
+    _hash = re.search(f'hash = "(.+?)";', content).group(1)
 
-def get_nix_hash(url: str, commit: str) -> str:
     out, err = subprocess.Popen(
-        ["nix-prefetch-git", "--url", url, "--rev", commit, "--fetch-submodules", "--quiet"],
+        ["nix-prefetch-url", "--unpack", "--type", "sha256", f"{BASE_URL}/{updated_tarball}"],
+        stdout=subprocess.PIPE,
+        stderr=subprocess.PIPE
+    ).communicate()
+    out, err = subprocess.Popen(
+        ["nix", "hash", "to-sri", "--type", "sha256", out.decode().strip()],
         stdout=subprocess.PIPE,
         stderr=subprocess.PIPE
     ).communicate()
 
-    return json.loads(out.decode().strip())['hash']
+    updated_hash = out.decode().strip()
 
-
+    if tarball == updated_tarball and _hash == updated_hash:
-def update_expression(package_expression: str) -> str:
-    old_metadata = get_metadata(package_expression)
-    if old_metadata is None:
-        print("ERROR: could not find metadata for expression:")
-        print(package_expression)
         return
 
-    if old_metadata.commit == "":
+    print(f"Updating: {tarball} ({_hash[7:14]}) -> {updated_tarball} ({updated_hash[7:14]})")
-        old_metadata.commit = "<none>"
-    if old_metadata.hash_ == "":
-        old_metadata.hash_ = "<none>"
-
-    tracking_branch = old_metadata.tracking_branch
-    if tracking_branch is None:
-        tracking_branch = get_global_tracking_branch()
-
-    new_commit = get_newest_commit(old_metadata.project_name, tracking_branch)
-    new_hash = get_nix_hash(f"{BASE_GIT_URL}/{old_metadata.project_name}", new_commit)
-    if new_hash is None or new_hash == "":
-        print(f"ERROR: could not fetch hash for {old_metadata.project_name}")
-        exit(1)
-
-    print(f"Updating {old_metadata.project_name}[{tracking_branch}]: {old_metadata.commit} -> {new_commit}")
-
-    new_metadata = PluginMetadata(
-        project_name = old_metadata.project_name,
-        tracking_branch = old_metadata.tracking_branch,
-        commit = new_commit,
-        hash_ = new_hash,
-    )
-
-    return update_metadata(package_expression, new_metadata)
-
-
-def update_all_expressions_in_default_nix() -> None:
-    with open(get_package_listing_path()) as file:
-        file_content = file.read()
-
-    new_file_content = re.sub(
-        r"\(mw-ext\s*\{(?:.|\n)+?\}\)",
-        lambda m: update_expression(m.group(0)),
-        file_content,
-        flags = re.MULTILINE,
-    )
-
-    with open(get_package_listing_path(), 'w') as file:
-        file.write(new_file_content)
 
+    updated_text = re.sub(f'url = "{BASE_URL}/.+?\.tar\.gz";', f'url = "{BASE_URL}/{updated_tarball}";', content)
+    updated_text = re.sub('hash = ".+";', f'hash = "{updated_hash}";', updated_text)
+    with open(package_file, 'w') as file:
+        file.write(updated_text)
 
 if __name__ == "__main__":
-    update_all_expressions_in_default_nix()
+    plugin_list = fetch_plugin_list()
+
+    for direntry in os.scandir(Path(__file__).parent):
+        if direntry.is_dir():
+            update(Path(direntry) / "default.nix", plugin_list)

packages/mediawiki-extensions/user-merge/default.nix

@@ -0,0 +1,7 @@
+{ fetchzip }:
+
+fetchzip {
+  name = "mediawiki-user-merge-source";
+  url = "https://extdist.wmflabs.org/dist/extensions/UserMerge-REL1_41-a53af3b.tar.gz";
+  hash = "sha256-TxUkEqMW79thYl1la2r+w9laRnd3uSYYg1xDB+1he1g=";
+}

secrets/bekkalokk/bekkalokk.yaml

@@ -1,7 +1,6 @@
 gitea:
     password: ENC[AES256_GCM,data:hlNzdU1ope0t50/3aztyLeXjMHd2vFPpwURX+Iu8f49DOqgSnEMtV+KtLA==,iv:qljRnSnchL5cFmaUAfCH9GQYQxcy5cyWejgk1x6bFgI=,tag:tIhboFU5kZsj5oAQR3hLbw==,type:str]
     database: ENC[AES256_GCM,data:UlS33IdCEyeSvT6ngpmnkBWHuSEqsB//DT+3b7C+UwbD8UXWJlsLf1X8/w==,iv:mPRW5ldyZaHP+y/0vC2JGSLZmlkhgmkvXPk4LazkSDs=,tag:gGk6Z/nbPvzE1zG+tJC8Sw==,type:str]
-    email-password: ENC[AES256_GCM,data:KRwC+aL1aPvJuXt91Oq1ttATMnFTnuUy,iv:ats8TygB/2pORkaTZzPOLufZ9UmvVAKoRcWNvYF1z6w=,tag:Do0fA+4cZ3+l7JJyu8hjBg==,type:str]
     passwd-ssh-key: ENC[AES256_GCM,data:L0lF0wvpayss1NU9m3A45cH0bCMQzODTFVrq6EPd1JHx54wIcoaRBYLmxXKXASzBlCg9zlwXMUIk3OQcS3kdzMKL0iqcSL2iicAcKjFIHyrWLqXgwV5pRSP/tRPcVw8KW8gz0bh33EgESs5ReddZ3VZ0Cy1s2YupMRQvBXr89k1+Hv70OWB6P06hvxhv/zKcMGI1N/dWLroMgrQuT9imw4+/Q1RqwzTYeEU+eUn24AM9GjcBg4qf3OI+6g0nXUat/upIYE28iF5J3lbUSmDSmirBLc8xgHLdOyyJPTObWYWYxlSL78T7IqiMm9lI3rtBlpJDDcn/YxZpVqN5bg2154GISNK+uR0TVSLdJ+drdGHIfIX3G78XSxf2L9rbJyRn8MQlgStfdBIQicLavQKVMrmj+XQfvEMez23WbPLjH4oViBQFI+GrOHOGy/f16cz8Sn4n+69OcsOeTxs3tKYdfq6r1XLYSJ/fe/zvxBpaZiyGXljsuyEdIyBL2A8D6uSXe3Nd3/DAdBtceFfIdN1olCdutixzVWgxaJnrel161z5A/4w=,iv:Uy46yY3jFYSvpxrgCHxRMUksnWfhf5DViLMvCXVMMl4=,tag:wFEJ5+icFrOKkc56gY0A5g==,type:str]
     ssh-known-hosts: ENC[AES256_GCM,data:zlRLoelQeumMxGqPmgMTB69X1RVWXIs2jWwc67lk0wrdNOHUs5UzV5TUA1JnQ43RslBU92+js7DkyvE5enGzw7zZE5F1ZYdGv/eCgvkTMC9BoLfzHzP6OzayPLYEt3xJ5PRocN8JUAD55cuu4LgsuebuydHPi2oWOfpbSUBKSeCh6dvk5Pp1XRDprPS5SzGLW8Xjq98QlzmfGv50meI9CDJZVF9Wq/72gkyfgtb3YVdr,iv:AF06TBitHegfWk6w07CdkHklh4ripQCmA45vswDQgss=,tag:zKh7WVXMJN2o9ZIwIkby3Q==,type:str]
     import-user-env: ENC[AES256_GCM,data:vfaqjGEnUM9VtOPvBurz7nFwzGZt3L2EqijrQej4wiOcGCrRA4tN6kBV6NmhHqlFPsw=,iv:viPGkyOOacCWcgTu25da4qH7DC4wz2qdeC1W2WcMUdI=,tag:BllNqGQoaxqUo3lTz9LGnw==,type:str]
@@ -16,20 +15,13 @@ mediawiki:
         postgres_password: ENC[AES256_GCM,data:FzykBVtJbA+Bey1GE5VqnSuv2GeobH1j,iv:wayQH3+y0FYFkr3JjmulI53SADk0Ikur/2mUS5kFrTk=,tag:d+nQ/se2bDA5aaQfBicnPQ==,type:str]
         cookie_salt: ENC[AES256_GCM,data:BioRPAvL4F9ORBJDFdqHot81RhVpAOf32v1ah3pvOLq8E88bxGyKFQZxAwpIL3UkWQIsWMnEerm5MEMYL1C2OQ==,iv:yMVqiPTQ8hO1IVAax6PIkD0V9YTOEunwDTtnGcmy6Kc=,tag:Z4+bZF4olLlkx7YpXeQiUw==,type:str]
         admin_password: ENC[AES256_GCM,data:4eUXvcO7NLOWke9XShfKzj+x3FvqPONa,iv:3iZ+BTBTZ7yMJ0HT14cEMebKZattWUcYEevRsl/6WOk=,tag:CU0iDhPP2ndztdX5U5A4cw==,type:str]
+keycloak:
+    database: ENC[AES256_GCM,data:76+AZnNR5EiturTP7BdOCKE90bFFkfGlRtviSP5NHxPbb3RfFPJEMlwtzA==,iv:nS7VTossHdlrHjPeethhX+Ysp9ukrb5JD7kjG28OFpY=,tag:OMpiEv9nQA7v6lWJfNxEEw==,type:str]
 idp:
     cookie_salt: ENC[AES256_GCM,data:cyV6HDCPHKQIa8T1+rFBFh6EuHtG5B508lg6uFYENK7qVpYuiTUIokdVQhY8SRLs2mECx/ampgnUHxCRB/Cc/A==,iv:QRrRUhzRQrLkmg38rrYtCEfF8U4/7ZHZUDSEq++BlbI=,tag:fLqFSLd+CKqJvmCh1fx8vg==,type:str]
     admin_password: ENC[AES256_GCM,data:Vf33Oenk6x6BIij1uW8RQDjTPcKhUVYA,iv:RNeyCNpTAYdBPrZwE3Y6CCjoAML/3XUvjfJCrr06IEU=,tag:zVOrx1oXnEyr/VwFCFaCDQ==,type:str]
     postgres_password: ENC[AES256_GCM,data:HGwKLbn/umPLPgH+qpXtugvXzOcXdlhK,iv:ypTW0VLSape8K5aCYu3BdjG/oMmqvfDSLw9uGLthb0Q=,tag:qlDMGz59qzMwEwBYxsC0XQ==,type:str]
     privatekey: ENC[AES256_GCM,data:pK74wjuk9lt2PNJIzi6NpPBkxcSRsBZJl28BElUiri2zz17CY81x66CMlFsNjvzKB3JVX+b28FHFuSsEpd/mAPtmzZPR+CoWBHvU+OrSYYoufBxexRTtXzu0vx/KFL4X5tsb+GCgfm72CM+u9dElYHJzn3teBUmZc0pIoF29slTuwF+iZrbFwaieECxXMjHC9f+ivxWQsOvYFjhmAwgjBw/LsfURgLxZwcIRiiKsN41P2WtR9a/hjN53sJnihL9VZw/Xbbynm+bDmaAwhKUAZR28TU9Q1PTfNPEAOMoRgKF4MFuhQ5o0Cxq8RRz7fwCcCTV2sK4jgL7gKiy/gI/K41ybPQPon3NrDj3U2G1VhNgBfSNaTHgygiWI08HGWRHk83eJPHp3Ph8/A774g15SE10BXkL12n0kzodsZWYu3ybrhp167vL/ZW3xUnvFFlm4dTX/ndwS5rp1dIW0a5/0EDwMoGIJw94W5ph5sK9YoUTXwLdAJ9UWRZKQGk6iJstq2BMEBAN2BCSPHS2cflMjoVV4KKX1eq6s8/w6YFzCSQkt3+pGQ3DmiOaaqiv7sUfxyfMDzDcuTVETYRhsvr1ChfBFNn1yoH8BffeVTI2Ei3Edek1vXcg05mHxslhCmzQ4U4us0agtpm2Ar6ppvuedJHLWLFz8pgWSENeGdRcbz0CXiy7lIEYW4uQBru4MAjQ+ZQhz/F4L6At60Q4NelYMDxryQ8LxV0fA/ba2llwl8bDHDFDYkxu3/IaaWG8bp1i6gqvEao3/CRpPt/OAJGAHO3HViPm6xmWlWinUEatNlgCoDotkc56eZU/Af/P7R0QPQF0PpEIDHPcNjc/HcfheUXzJSzkD7wja8VB6rtqdRHFC793QsgdHJMJ+/bvJWZSQciSwaY3PBKLLuB6vrn7VD2NB4cE6beaGwneiAn83lAV+I4cJMDQFLkhWm8LIC7JIZKq/7eBfDEmajWEBL6wSbomBi/UGbA+FyvOokYYMemwVu1JGULcz9Lvn6pxkftQlN0gqE3MncrcZ/l59fepbka/z8oqH6i+3nKdaEh6D+WudD/0xiJSdXAVM6jGrxQtFc1R+OmGTTKJB4aLqgcM25YQ760wKavx5+B52pSki7XdYLmb6Xbnnv7AnyCNmGcpcj795P7qasE2sVokqq9a2PZD7VhP9TPHGtEO6QkkNV5gLxGsGvmshMM8KQgjK60HPQuSfHFVN/SlcOKvvH5ec8sBuYUt24xcDPewV9cXZwjcmwufFOVbC72FTEmU5qvmKobJTGjjbhWsHwpopESctmXuArIcVPsX5jSe3C9Y+9tjbkBGW6/+o8pTfodsjioXevVDXwjVBmGYk8xjZtF6/xfhpWvfunDXgEhnpT4i6ikoQiva8Mw8NvLe8U8Ivr6qCDE4ys4RTs56aw/CJHzydKjX96ZPzim52fAIJvEt1HvMvQx/O/q00h0WujYBcSBivYDtl7hC2fl6pBvM7fjipbeF04idkAKKXf4j6SGunx4hWq+eIA5tnlG8XVZZKIpdXKLgarvWs5pLlTSAK5ckF/yddcik7gAZc+pwo8kCAXIXPisX/yw9cZhI51PNTG1yxtPHAWKgULYLoWcnBCGTmPVXmj6IhpGuNuQ18TTpEtwnrMmcGq6aG/M2ZI+oq0q6suJUWwsCKUVM/TS6SKXEArzDtOMdXgyyDC/H3u+w3Bt/DwALLacq6lwoKBJZxQ6ewv3+ZkLcOkMRKu97hgV+rKmFqdPXqs+Skrf2MRl48sUCPIUXhD46ocFNpemcXcr73G7AxmmFLT6T4ZFm69K6eftUP6FsgUwbed+SaWTeptaG+wueL1NECoXafGlJAmXkjbBdWVgF2oMQFP3Kau135fiqmHpoWGzG5UhKxshTTtRIvbG/296NOkNZWBT/VzjwZti3IUka7HjC3leu28IlLsN0fsNPjQc2uIR3uVsR020g6et0m/Nys9gHDWXG/aCAYKhrgU8w37ZHBs383rkl4uUIYJH61SmTS4JP/wgh/+Q1aU8gXaZ8/Bc0BZUJdF3JR48fjkuMi2A8q5vkTQ1yFCvbBTtdg336v5tZc/xOW5/pt0W1Y7IgPFwHNh4iPAtKQZ3Qybh5PXs4N80YeYFWIjV6Ai0uY4yPdwYPfd1pRdpf3Ll+bhnbDPg0ye4f9lAhSR/cAZpft7BTd6W6jCv8QfWZcDmoBGZy68GZsYfCJ3QAo6szxzDtuyp7WMJRxioPt1EVA9q+8Rp7hHmZosoZOIUV+q3W5yZymL/PXZABiIc2OW9kryNlxQlBo79CSLGdXWeMq3dN1MSWoKJzxEseQqtSY5E1DYQosT1+3B8DXm77WSLMuB6OLjEz760y8jyIiLTGAVslcOb5XNfrQf5+l52nxCl/uSZo9FxiKg7ip0v3PZLuFSTSEaR2R2WeSuv/KoXi7WxFiG6VskpyL5jMhBwjepExFVosrOi4XugqR8vD3byTYUnmQvWJyyrI2LqQsYsa3o65SIO4g8SMKRsJJ8WWHpywLjF00HJSWiGRu8bQguvDTQd3UP6lgudzpubERXuUIBiMPqBKFJ1QTWA6N/t7dxR7NVaSexrGmY4ZSoIBKb9Jnge/+lkKrO9CgqDQpTAAvwwBZpFOV7EYLZNRpW+F8HaCNMeql7V/nFqdaaNdm9yLBhXbaeujalyiLtvBCghe330JVjbBTYWiRulJ2xnlX4GLzORBRIVHJYjxEKzCeVW7J2wAKkJ6gx5rlfDOd6r+Tf+1L8ZZoJEdBhIW7flslxo4amGRTI9QGJKVCIq/hrUGEgIAKsDsqTd21lVdhy+EDM+gumO7FbMcqVPRpwmQMFAZbJgH6TeS46tA4XQJGbwQhhBaqVb3jz7OJVOZ9C3/XfxPPpK4B2OyqINKNIRfyZ0fSmGlIT4LPf2IUEDCEKuPd3ClX51qNnVAPt/MbooF++Vp91KImdqCHwdiAygZTH9u91UN8S9IW8vo0XE4eAgdInjOM+IzUPhC+G8i6UNHbOpfQ7dntDc2nCv4nFKLjLZrgpm2kFrQ60/gDlbXBFF2eRcfYkSQSxVLWC4kWF1ce9YZf/j6erm6GnsQiyNoePe/Nb0v2f5DAR+9yoSJEOAi/AHacA9Dq5kfcoOYCrLkoc17SKQYmy/M9m5Mh3inI/O4wbUQrYDKHT0j77BJnkY11M6AiEF9YC0F4lCV4hIefQ3PnI4nmmo9b8rHnqvmrwUZrcOom6Zp+A7ydo4t0Bw1cDzEwJfpcb3JjpFi7F32/vHHLtGuPDvcJqkhw8VLuaAWAcEPJcIHJ+vAKCGWtDH7yQEOhFq4touwyPYDWBA5tqPY2xkFIAImFRhyLtTQupiNbZVR4G4dj24l8uQl2iz9aoDbJlNhoT+9YhwrKrYdM6hqnvpmiYqLIM+2kijZ8JmBS0BWNLCr+6rnbZbEB5e1ezokice8HQ1XcXbsegcI+eJ+gfDhYKw75VVyOd1Uy/pjLCCwQTywTIbf3iSuETvs3YjQrET1m7GJm3q8G4dx2M9c2B7R6B0ej06pkC4WwzFg3hEG6z2BaNrkopKkoE99bjoB2VHkgGTe+YM1Q3t+jA8IB7XNlnVH82AJ6eDMqgGSWBZiGxwx0KVUMg7cTi0iD6JNSYea0ykw+fh7Mj+8N0zhmzdUjdNBwZqxHVUbqIhUhk6meGRN5EASyt6qR329AqzbKaloS2VqjLjDkSEMhQfL4jHa8yPp8Cyj6EjgM2n5LnZs0u/43eh0h4ig3zQYMkwrHixI5hNQTBwSm3QnNpr3OnXAlypCPbCTiMC5sxHfrSTFkmjduT29aZ5qHQOc5zYG5bE2CmhWJdCOZm1s1mUT+Pxbxf4m/sh8w7TwnA+leD1rUvwYfyl5WI8f071vPcg62uTwScxr+TErvdzAkg9HElnsO6km0IncHIh79zexCR51CrtrZAVxc1gnnDtTLsaKmcEDkqIY4U2cUv+1CtPWz7IfKea9B56x+bFY32pwqYeXCHdDVfBGSMuM7mqZUBu+3jETSbglozYrukbgjftdWob3s/hR0WB0lH9uwkugfoGVonasPkmPvBhuvozkCLvP9aplqwUoL74D4JhHFLciPvV+Cmw5ag1WtErB89Oimm3tnOpynCJwZTQM+NVgBtKjom0qOnyn7l0vYIKQFJwV2k5w+RfrX5EOOjFfg9D2u+gHgmrqzaSl6kk2dHlQYmfeP+nJxiH7eGO5D3ooYHp7JKZBAaJHcAWWpgqVL/L8pjSJLCPRGBF/5DnfggwFdNprl3LqYnr4io+Wp4+Du74uvQHNpojrUQ4j7Qp330rSbCK9iX5v14zYr6RlqKe5CtTqHjPzuL8CxFUI1ImHgViNpff4=,iv:8cb1FcIm0oGkcrfLNqXamx4aDA3owBZoHur8+uFsdmA=,tag:oFPP/Yene6QrxFDKlmoVcA==,type:str]
-nettsiden:
-    mysql_password: ENC[AES256_GCM,data:Uv74HhWtYRbaFHcfh0Rk/Q==,iv:/lRTaMepwpJKZJWHnwb98Ywa1zP4e2EqYGmwI7BCl1I=,tag:ZnE0u2/65zdkONcoiBGSOQ==,type:str]
-    door_secret: ENC[AES256_GCM,data:t0jEN1WnyEi10KRSg4Dlcd7IuIMBiOU7riOdYSZjvZTQqPijRYIoMEQ6OemIkD1Yg67uISTxnjxP,iv:Ss02VGKRa4oZMubbi8IfQDAjh3h295+n07vOx/IZGBs=,tag:OvdxqIUdYi/cR7IjopSVQQ==,type:str]
-    simplesamlphp:
-        postgres_password: ENC[AES256_GCM,data:SvbrdHF4vQ94DgoEfy67QS5oziAsMT8H,iv:LOHBqMecA6mgV3NMfmfTh3zDGiDve+t3+uaO53dIxt4=,tag:9ffz84ozIqytNdGB1COMhA==,type:str]
-        cookie_salt: ENC[AES256_GCM,data:VmODSLOP1YDBrpHdk/49qx9BS+aveEYDQ1D24d4zCi06kZsCENCr+vdPAnTeM1pw98RTr3yZAEQTh4s90b6v8Q==,iv:vRClu6neyYPFdtD63kjnvK2iNOIHMbh+9qEGph7CI60=,tag:66fgppVxY0egs4+9XfDBPA==,type:str]
-        admin_password: ENC[AES256_GCM,data:SADr/zN3F0tW339kSK1nD9Pb38rw7hz8,iv:s5jgl1djXd5JKwx1WG/w2Q4STMMpjJP91qxOwAoNcL0=,tag:N8bKnO9N0ei06HDkSGt6XQ==,type:str]
-vaultwarden:
-    environ: ENC[AES256_GCM,data:CST5I8x8qAkrTy/wbMLL6aFSPDPIU7aWsD1L1MnIATRmk7fcUhfTSFds7quJmIpb2znsIT/WxNI/V/7UW+9ZdPKI64hfPR8MtvrJcbOhU5Fe2IiytFymFbhcOgWAXjbGzs7knQmpfMxSl98sU71oLkRuFdkousdnh4VQFZhUCYM=,iv:Is6xQ7DGdcAQgrrXCS9NbJk67O2uR82rbKOXBTzZHWw=,tag:XVEjCEM5t8qJl6jL89zrkw==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -63,8 +55,8 @@ sops:
             akVjeTNTeGorZjJQOVlMeCtPRUVYL3MK+VMvGxrbzGz4Q3sdaDDWjal+OiK+JYKX
             GHiMXVHQJZu/RrlxMjHKN6V3iaqxZpuvLAEJ2Lzy5EOHPtuiiRyeHQ==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-05-26T02:07:41Z"
+    lastmodified: "2024-03-30T21:22:02Z"
-    mac: ENC[AES256_GCM,data:CRaJefV1zcJc6eyzyjTLgd0+Wv46VT8o4iz2YAGU+c2b/Cr97Tj290LoEO6UXTI3uFwVfzii2yZ2l+4FK3nVVriD4Cx1O/9qWcnLa5gfK30U0zof6AsJx8qtGu1t6oiPlGUCF7sT0BW9Wp8cPumrY6cZp9QbhmIDV0o0aJNUNN4=,iv:8OSYV1eG6kYlJD4ovZZhcD1GaYnmy7vHPa/+7egM1nE=,tag:OPI13rpDh2l1ViFj8TBFWg==,type:str]
+    mac: ENC[AES256_GCM,data:o3buZqOYZXiNyJ7zDtaBDFwbtP5i0QNvHxVVxtVWdLdRASVmau/ZXdQ8MNsExe6gUF4dS6Sv7QYXRfUO7ccmUDP4zABlIOcxjwsRTs5lE45S6pVIB98OIAODHdyl6LVsgxEkhdPmSoYRjLIWO56KlKArxPQGiprCI7AIBe6DYik=,iv:sAEeBMuJ8JwI3STZuy4miZhXA9Lopbof+3aaprtWVJ4=,tag:LBIRH7KwZ0CuuXuioVL10Q==,type:str]
     pgp:
         - created_at: "2023-05-21T00:28:40Z"
           enc: |
@@ -88,4 +80,3 @@ sops:
           fp: F7D37890228A907440E1FD4846B9228E814A2AAC
     unencrypted_suffix: _unencrypted
     version: 3.8.1
-

secrets/ildkule/ildkule.yaml

@@ -15,6 +15,7 @@ keys:
         secret_key: ENC[AES256_GCM,data:+WoAJbDBEgKs0RoHT+7oEELAVQ+/2Xt+5RTMSXg23moCqVRx+Gzll9P5Drw=,iv:AkRn/Y20iEe5i1T+84wAgLCTFtAox2G3giyawAkltAw=,tag:BZbt5Wb5lYLIJBm/pfP4GQ==,type:str]
         admin_password: ENC[AES256_GCM,data:ttKwfC4WuXeL/6x4,iv:x1X+e3z08CR992GzC62YnFIN7SGrE81/nDNrgcgVzx0=,tag:YajUoy61kYbpeGeC7yNrXQ==,type:str]
     postgres:
+        grafana: ENC[AES256_GCM,data:D6qkg98WZYzKYegSNBb31v8o+KHisGmJ+ab5Ut7EMtsJz36kUup5RS4EbtM=,iv:rfE1uH1QycKMTpSq2p1ntQ2BIvptAh2J3l/QcQhiuLo=,tag:QxmGFcekjFRPf6orN86IxQ==,type:str]
         postgres_exporter_env: ENC[AES256_GCM,data:8MEoikoA6tFNm9qZbk0DFWANd7nRs5QSqrsGLoLKPIc1xykJaXTlyP5v8ywVGR8j7bfPs4p6QfpUIWK8CCnfQ1QhsFPXUMksl8p+K+xuMakYZr9OoWigGqvOHpFb9blfBN1FBdRrk38REXWAMUn74KSRI9v+0i5lpC4=,iv:anpjWVUadKfSAm9XbkeAKu+jAk+LxcpVYQ+gUe5szYw=,tag:4tzb/8B/e1uVoqTsQGlcKA==,type:str]
         postgres_exporter_knakelibrak_env: ENC[AES256_GCM,data:xjC7DGXrW2GIJq8XioIZb+jSe/Hzcz0tv9cUHmX/n1nhI+D64lYt+EKnq1+RX/vJzU4sTaKjveKBh88Qqnv6RQm+MZC//dIxcvnnAdl50qnHZyBCaFFEzSNI8I8vGyArMk8Ja72clBq3kMpUz/pLBP0qDrjblKDoWkU=,iv:ZW98hJy8A5t4Oxtu17R3tM7gou183VLbgBsHA8LFuJY=,tag:VMOvQz3X/XDylV1YFg2Jsg==,type:str]
 sops:
@@ -23,55 +24,55 @@ sops:
     azure_kv: []
     hc_vault: []
     age:
-        - recipient: age1x28hmzvuv6f2n66c0jtqcca3h9rput8d7j5uek6jcpx8n9egd52sqpejq0
+        - recipient: age1mrnldl334l2nszuta6ywvewng0fswv2dz9l5g4qcwe3nj4yxf92qjskdx6
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBURkY4WTZhQzJoREpxV1Vr
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrN3lJM2xWTUZ3UkRBaENI
-            aUExZ1dxNkIyMkJtUXpqOWtTT1J0MGpmMkY4ClR4Wm1FTmhKN2pIMENRdERrWVY2
+            VmJiWDlQbHd0VUNYdllPdURyQmUvL3lKMzJzCkZlRFVxbmNLOVNqUFg1akJQQlBP
-            SUlHblpEc3VackMrbFpHUUJwM2ltZHcKLS0tIEovMEtiOWc1L2tzZDh3ekZKbStr
+            VmdOMUdjZ1M4U2lLVEpGaGI5NjNTR2MKLS0tIDRlQUtucEZhZmRYbmpadVdKK01v
-            NEFkcW03ZTRJODNxTlVuUnFlcFFUUncKEZzOeUtRsZiuugTLzG2xU4eJ3XtVuop7
+            cWxCQlBRR1VaZTBDQnkzNGE0WGttWm8KK5s/coWNsdCP5lKQ8LMK7/3ku179+Lg1
-            hhlDBL/YoFn/CO3HjqFdCVv33QoPu7KKMeV52pbVEnv93mvdEeFxVA==
+            4ujTVn4LhvXy6JvgGTWS/UbMmJjJebVxkulzf5St3YMMs2mcIYjOtA==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age17tagmpwqjk3mdy45rfesrfey6h863x8wfq38wh33tkrlrywxducs0k6tpq
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSY3cxSGFvdDdWcFVLRTRy
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSa25taGsxdlhrUS96cXBi
-            Zng2VnhjZlFkc1RQN0NqUjJGeW02WlFaMlFZCjVZc2x2UXNXS1I2WDBxeHdjNUdr
+            cUo3WDVmdEhKN256THJhS2tHSitDRkVraDJNCmhGZzlFUDFkN0JKNkFWUlVLVzcz
-            WnZGc0l5NlArekUwUGU3Qkdub25EVm8KLS0tIDB2bGo3ZURtZ0pSZjFzcGpOdW5D
+            MjFhcDdmcmpxdTA3V3JRREFNVmNUbEEKLS0tIFNSU2xNZzN2Y1ZzR2hFM0dOK0Zy
-            aTI3aTBUS0d1MzFmMTVMbUlFYTR4VlUKzOvNCAzan1GTXjoRxeySkUYIYtI4Mpvu
+            Tmk4bXd0ZHhPemxDSDREb3IvSjFza1EKsjtC6J3kYGRe8oLAoUZmg1BUmpkMyC98
-            MC0Q8e350SyoOsrF7fUvw+Ru68fDMLW27H6Ly36xP7D3eo/h4eZVXw==
+            uYq+IQmfJt48R/MKDei00j1w3zIK5+E5GU4o8+jILzwfpzYUUZWwiA==
             -----END AGE ENCRYPTED FILE-----
-        - recipient: age1mrnldl334l2nszuta6ywvewng0fswv2dz9l5g4qcwe3nj4yxf92qjskdx6
+        - recipient: age1hn45n46ypyrvypv0mwfnpt9ddrlmw34dwlpf33n8v67jexr3lucq6ahc9x
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFbDBYMDNQcWkySC8vN05t
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPb09qTTc4cjRMcjIzRmxu
-            U3hLMjlYVUE3Zms3U2R4R0VnMUtFcmVQclZvClY4aWZEYWZPdkltMElkUWxQeUtP
+            RzZWTDBNTGdvaEc2VFJPakYvakRMK1RnS1FnCktHRVkwZGlUUXl4UTBRcGxMQzdn
-            TEF0a0txbVQ4d3lrelp3cG9TbG5OSkEKLS0tIHR1V3JIVEwwUjM3RVdES2pQUmhP
+            QVBCYVdlWEw5NW9tNytJTGIzRlpwa0UKLS0tIGdDdUtFMUgyT0phMXBxZE41Y1h4
-            T1MwME1tbGQ2NysrOEVNYVZRT1R0YmcKFpfe9GfH7s779CNQswRm/W7zwYO6wK11
+            a2hQVVprakt5NURpNXdQUjREczJKWTgKn60yrLqco9brlqigAolO8rEkww9z3y3u
-            z6IGPxtBlUGdshYiHA1BEz7fMVg3ZolL2D98cTNMM24U89Gssiw9qw==
+            KmefLVZCGfoko+fnKLVE9UKFS/tAowqgPS1qE76u1Mmkk6yqZoG9rg==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-04-20T23:41:59Z"
+    lastmodified: "2023-07-08T12:46:19Z"
-    mac: ENC[AES256_GCM,data:38Ask+adT2FshF8DYEfCWeVWt4KiaJsTXhF7Ib3xxdfQ6vAixM2OXTaK/qqUvN6gQok9TFF+HMJBJ+jezV00nVcKUYn04FaU2/D2zdam44eEEYEEovmfAZ6vbC+CiDv4d/DCc3hnYtDZCEgUTfP4gsZ9rLZFAOwaOFWRJxcDi6Y=,iv:BzuWdTjn6LhscNeouHjM7IYKxTahA8PzzlHSCYZ618s=,tag:BWtPbNwzdOJb788eOO5ZNA==,type:str]
+    mac: ENC[AES256_GCM,data:bQWG/GgSIv5LdhGTsyx3ENOAywtYVKjzK6nxOnUEZvD+RSi6jxj9Wze7qOhXvgjKWCz/cZj5oSuMQNRyoI8p8xJdxf0+UNdX8uPT05HiKuF7CBcXzprjKri/H6yFp87epOM9fMdn7ZUACn/iT1IZBo+5OuMtDnqVUm/GEmMcsog=,iv:ll/vEeiXsD3crbbxEFsJlxGbm9dZDUPC4GeO95RZZX4=,tag:TGCA721vK9EY3xlY6zIeIg==,type:str]
     pgp:
-        - created_at: "2024-04-20T23:15:17Z"
+        - created_at: "2023-01-21T19:52:08Z"
-          enc: |-
+          enc: |
             -----BEGIN PGP MESSAGE-----
 
-            hQIMA0av/duuklWYAQ/+LSTWjii2dblTAkuqHan3uuuRRpt1ppmHEgHYkQZD+RzE
+            hQIMA0av/duuklWYAQ//Sw5EHNbC9iPXcHSULYVmSMOQCAH7GSGvaaFvey/KffPD
-            g+ljNaM/BPqci7Kr1NHFDw+cU2MYm/40Tz63l1cvfE3NEoVefsmoA5voNI3G/bx/
+            5gbFr00vIi1JfjYXmYfn3KKpUfs/mMMo5NzYU2Ou5fWcPsqFLXOwubebuf61X6p7
-            LTAe2aacPwO/TNoLtrCgRkzNyKXluUkM9OoIvkvB5DEGjYbe82+gI5Zi+NbW9N/p
+            7YfLYQMnjgBzkpb972AJl2tWUlcBcOz89tIw3oMi8R5vvXjRjEdDY8Yp+Z2Apj9V
-            5ilr9Cc1jvIivjZMGGPLRgkAc/twOOuyrZlsFd9kddAL9YFO7wpd/dko886y1jE5
+            YJCoSIe6RLBlubMs4I6VIOaTaKIM1DWthg95dozlShXYsEgFTYaJ6FbN9RuZOZPa
-            jz9n9F4SKYOcgLPqZuG1iZ8qaA2zGT2bP2caai/QJAmL90stQCiRWtQgB8KeWugm
+            KzFs2DXtbylXXJtiCArQCHnOgA1Jnp80VvMYLO1ldteQhqGdmnxnqwjETx/uqy4l
-            nRFBm5BLamtoqjXXwzdtXGKbFAhvL5/h+kPxnJDjylfFVbgCpoWJ/fxdE5xxxZtq
+            QE31LcRf2JFKi0BBJdQfEqBGW9LD4Mjfwi6tWbHq4Mn29u8IT6z5HJIB99JRAV/9
-            zCcGCQQsaa85eWkBByhu7TdwyAW7bJCm8z6kfFPGqhNDkS8ifxnEWm6ulgYVokiL
+            RfBPzF7UVLq2baWxDwG/M6TvZlVJPdAyhJ5QqhkVdrWir7D1D108u+cgtJWw+vlS
-            WVBvuQCd1s8KSExs6zNWGcGlqgvcbovHXyVlmLeqZfBA7i/vYqksZtBT47rG7nCS
+            cP3hT73LWCo2bXUrHXxFnrWdDQQSDpew/x2cTHUNvqdqLZgMJWdZgh+mXOQLjzHP
-            YGfHy69yVrMdj4KrLuMXNfjtS92hkQqWmCyl5X5zOSJXqEL2dorMzSZn89gK4nL4
+            xGkjt0ae5/CEnUIse/Qt3SyoKN3rGVKJgoQ4D0AeBFU5z7NEOx7Ebl9t6IgVnJIB
-            V4zOKkKtsj2MqynYn/XAoUf3AfYs2wtRhJiU+r/q+rx9Hx31H8mnUuUerT58yQCY
+            sDJXg+7jJ8A0V1xGan6BP8dFi7m0aAJH0xi8RB9jC1ZRVNxUjFow3Szh0JQ7u2P5
-            mAkjIhTzvZcWIalQo7xnZhos4p1IYaA7MAuGC6HxuWVaOsyiFkRaKwB9svWyZ/DS
+            4jZ3FT4tWzPzLQsgJUd/H41QyKSd3ke4VMf97mEKULJ7prtXdyxQfRDcE93UgVXS
-            XAFID3fQ1xfNyYsW8nvXQmvZubnhE+dAQPaiAFP9ujY4RVXWBFOrV6NAs7y/LID/
+            XAF0u7pIl+O2RlJtki+UvuwVDszPBRSmGmfiQa4vsYfXahO4fmBjhdl2hdLtz82F
-            89lpfWN87JWSJWUk6DCD3AQ+1GiBCFy7uswUJkG4zou1RQBSl7X88ziVDILU
+            dh+dPu+RSD9OKwIhUwsDLtWWlI/4BvIB1yXbQxP2MyjZm3uVf1CtgUHyjWw8
-            =tXkN
+            =rri5
             -----END PGP MESSAGE-----
           fp: F7D37890228A907440E1FD4846B9228E814A2AAC
     unencrypted_suffix: _unencrypted
-    version: 3.8.1
+    version: 3.7.3

users/adriangl.nix

@@ -6,21 +6,15 @@
     extraGroups = [
       "wheel"
       "drift"
-      "nix-builder-users"
     ];
 
     packages = with pkgs; [
+      eza
       neovim
-      htop
-      ripgrep
-      vim
-      foot.terminfo
     ];
 
     openssh.authorizedKeys.keys = [
       "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFa5y7KyLn2tjxed1czMbyM5scnEpo9v/GfnhL/28ckM legolas"
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICf7SlyHR6KgP7+IeFr/Iuiu2lL5vaSlzqPonaO8XU0J gunalx@aragon"
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEj+Y0RUrSaF8gUW8m2BY6i8e7/0bUWhu8u8KW+AoHDh gunalx@nixos"
     ];
   };
 }

users/felixalb.nix

@@ -1,12 +1,8 @@
-{ pkgs, lib, config, ... }:
+{ pkgs, ... }:
 {
   users.users.felixalb = {
     isNormalUser = true;
-    extraGroups = [
+    extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
-      "wheel"
-    ] ++ lib.optionals ( config.users.groups ? "libvirtd" ) [
-      "libvirtd"
-    ];
     shell = pkgs.zsh;
     openssh.authorizedKeys.keys = [
       "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDKzPICGew7uN0cmvRmbwkwTCodTBUgEhkoftQnZuO4Q felixalbrigtsen@gmail.com"

values.nix

@@ -30,11 +30,8 @@ in rec {
       ipv6 = pvv-ipv6 168;
     };
     ildkule = {
-      ipv4 = "10.212.25.209";
+      ipv4 = pvv-ipv4 187;
-      ipv6 = "2001:700:300:6025:f816:3eff:feee:812d";
+      ipv6 = pvv-ipv6 "1:187";
-
-      ipv4_global = "129.241.153.213";
-      ipv6_global = "2001:700:300:6026:f816:3eff:fe58:f1e8";
     };
     bicep = {
       ipv4 = pvv-ipv4 209;
@@ -73,25 +70,4 @@ in rec {
     DHCP = "no";
   };
 
-  openstackGlobalNetworkConfig = {
-    networkConfig.IPv6AcceptRA = "yes";
-    dns = [ "129.241.0.200" "129.241.0.201" ];
-    domains = [ "pvv.ntnu.no" "pvv.org" ];
-    DHCP = "yes";
-  };
-
-  openstackLocalNetworkConfig = {
-    networkConfig.IPv6AcceptRA = "no";
-    dns = [ "129.241.0.200" "129.241.0.201" ];
-    domains = [ "pvv.ntnu.no" "pvv.org" ];
-    DHCP = "yes";
-
-    # Only use this network for link-local networking, not global/default routes
-    dhcpV4Config.UseRoutes = "no";
-    routes = [
-      { routeConfig = { Destination = "10.0.0.0/8"; Gateway = "_dhcp4"; }; }
-    ];
-
-    linkConfig.RequiredForOnline = "no";
-  };
 }