WIP: Move krb5 realm to pvv.local, make sane ldap structure

Reviewed-on: https://git.pvv.ntnu.no/Drift/pvv-nixos-config/pulls/43

.sops.yaml

@@ -10,7 +10,6 @@ keys:
   - &host_ildkule age1x28hmzvuv6f2n66c0jtqcca3h9rput8d7j5uek6jcpx8n9egd52sqpejq0
   - &host_bekkalokk age12nj59tguy9wg882updc2vjdusx5srnxmjyfaqve4zx6jnnsaw3qsyjq6zd
   - &host_bicep age1sl43gc9cw939z5tgha2lpwf0xxxgcnlw7w4xem4sqgmt2pt264vq0dmwx2
-  - &host_buskerud age1tmn5qahlyf0e579e4camckdyxrexjzffv54hdzdnrw7lzqs7kyqq0f2fr3
 
 creation_rules:
   # Global secrets
@@ -61,10 +60,3 @@ creation_rules:
       - *user_felixalb
       pgp:
       - *user_oysteikt
-
-  - path_regex: secrets/buskerud/[^/]+\.yaml$
-    key_groups:
-    - age:
-      - *host_buskerud
-      - *user_danio
-      - *user_eirikwit

base.nix

@@ -48,9 +48,9 @@
   ** use the same channel the system
   ** was built with
   */
-  nix.registry = {
-    nixpkgs.flake = inputs.nixpkgs;
-  };
+  # nix.registry = {
+  #   nixpkgs.flake = inputs.nixpkgs;
+  # };
   nix.nixPath = [ "nixpkgs=${inputs.nixpkgs}" ];
 
   environment.systemPackages = with pkgs; [

flake.lock

@@ -7,11 +7,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1716431128,
-        "narHash": "sha256-t3T8HlX3udO6f4ilLcN+j5eC3m2gqsouzSGiriKK6vk=",
+        "lastModified": 1720056646,
+        "narHash": "sha256-BymcV4HWtx2VFuabDCM4/nEJcfivCx0S02wUCz11mAY=",
         "owner": "nix-community",
         "repo": "disko",
-        "rev": "7ffc4354dfeb37c8c725ae1465f04a9b45ec8606",
+        "rev": "64679cd7f318c9b6595902b47d4585b1d51d5f9e",
         "type": "github"
       },
       "original": {
@@ -143,11 +143,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1716586607,
-        "narHash": "sha256-PzpeC/xi0+YTGJS5rdbcOqVgIryuWHkimMVXoCIidgA=",
+        "lastModified": 1720137366,
+        "narHash": "sha256-Xn+WAX2t2yjNdgZEyEtjCLvkqjrGPVhKRGsM6ujUf8c=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "03309929e115bba1339308814f8b6e63f250fedf",
+        "rev": "f2a40608e6b55661cac28e473e28b6208da53c01",
         "type": "github"
       },
       "original": {
@@ -158,27 +158,27 @@
     },
     "nixpkgs-stable": {
       "locked": {
-        "lastModified": 1716061101,
-        "narHash": "sha256-H0eCta7ahEgloGIwE/ihkyGstOGu+kQwAiHvwVoXaA0=",
+        "lastModified": 1719720450,
+        "narHash": "sha256-57+R2Uj3wPeDeq8p8un19tzFFlgWiXJ8PbzgKtBgBX8=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "e7cc61784ddf51c81487637b3031a6dd2d6673a2",
+        "rev": "78f8641796edff3bfabbf1ef5029deadfe4a21d0",
         "type": "github"
       },
       "original": {
         "owner": "NixOS",
-        "ref": "release-23.11",
+        "ref": "release-24.05",
         "repo": "nixpkgs",
         "type": "github"
       }
     },
     "nixpkgs-unstable": {
       "locked": {
-        "lastModified": 1716660083,
-        "narHash": "sha256-QO7cdjtDhx72KEw6m0NOtuE5FS4asaRExZ65uFR/q8g=",
+        "lastModified": 1720149507,
+        "narHash": "sha256-OFJoD1jjxzFlY1tAsehEWVA88DbU5smzDPQuu9SmnXY=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "6de51d98ec2ae46730f11845e221aab9d2470a8a",
+        "rev": "d9c0b9d611277e42e6db055636ba0409c59db6d2",
         "type": "github"
       },
       "original": {
@@ -214,11 +214,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1716150352,
-        "narHash": "sha256-c13lzYbLmbrcbEdPTYZYtlX2Qsz1W+2sLsIMGShPgwo=",
+        "lastModified": 1718404592,
+        "narHash": "sha256-Ud8pD0mxmbfvwBXKy2q3Yp8r1EofaTcodZtI3fbnfDY=",
         "ref": "refs/heads/master",
-        "rev": "2cab4df4b119e08a1f90ea1c944652cd78b4d478",
-        "revCount": 459,
+        "rev": "6e4a79ed3ddae8dfc80eb8af1789985d07bcf297",
+        "revCount": 463,
         "type": "git",
         "url": "https://git.pvv.ntnu.no/Projects/nettsiden.git"
       },
@@ -249,11 +249,11 @@
         "nixpkgs-stable": "nixpkgs-stable"
       },
       "locked": {
-        "lastModified": 1716400300,
-        "narHash": "sha256-0lMkIk9h3AzOHs1dCL9RXvvN4PM8VBKb+cyGsqOKa4c=",
+        "lastModified": 1720187017,
+        "narHash": "sha256-Zq+T1Bvd0ShZB9XM+bP0VJK3HjsSVQBLolkaCLBQnfQ=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "b549832718b8946e875c016a4785d204fcfc2e53",
+        "rev": "1b11e208cee97c47677439625dc22e5289dcdead",
         "type": "github"
       },
       "original": {

flake.nix

@@ -122,6 +122,7 @@
         ];
       };
       buskerud = stableNixosConfig "buskerud" { };
+      dagali = unstableNixosConfig "dagali" { };
     };
 
     devShells = forAllSystems (system: {

hosts/bekkalokk/configuration.nix

@@ -6,13 +6,14 @@
     ../../base.nix
     ../../misc/metrics-exporters.nix
 
-    ./services/website
-    ./services/nginx.nix
     ./services/gitea/default.nix
-    ./services/kerberos
-    ./services/webmail
-    ./services/mediawiki
     ./services/idp-simplesamlphp
+    ./services/kerberos
+    ./services/mediawiki
+    ./services/nginx.nix
+    ./services/vaultwarden.nix
+    ./services/webmail
+    ./services/website
   ];
 
   sops.defaultSopsFile = ../../secrets/bekkalokk/bekkalokk.yaml;

hosts/bekkalokk/services/gitea/default.nix

@@ -1,4 +1,4 @@
-{ config, values, pkgs, ... }:
+{ config, values, pkgs, lib, ... }:
 let
   cfg = config.services.gitea;
   domain = "git.pvv.ntnu.no";
@@ -22,7 +22,6 @@ in {
 
   services.gitea = {
     enable = true;
-    stateDir = "/data/gitea";
     appName = "PVV Git";
 
     database = {
@@ -35,6 +34,7 @@ in {
 
     mailerPasswordFile = config.sops.secrets."gitea/email-password".path;
 
+    # https://docs.gitea.com/administration/config-cheat-sheet
     settings = {
       server = {
         DOMAIN   = domain;
@@ -42,6 +42,7 @@ in {
         PROTOCOL = "http+unix";
         SSH_PORT = sshPort;
         START_SSH_SERVER = true;
+        START_LFS_SERVER = true;
       };
       mailer = {
         ENABLED = true;
@@ -50,11 +51,45 @@ in {
         SMTP_ADDR = "smtp.pvv.ntnu.no";
         SMTP_PORT = 587;
         USER = "gitea@pvv.ntnu.no";
+        SUBJECT_PREFIX = "[pvv-git]";
       };
       indexer.REPO_INDEXER_ENABLED = true;
-      service.DISABLE_REGISTRATION = true;
+      service = {
+        DISABLE_REGISTRATION = true;
+        ENABLE_NOTIFY_MAIL = true;
+      };
       session.COOKIE_SECURE = true;
       database.LOG_SQL = false;
+      repository = {
+        PREFERRED_LICENSES = lib.concatStringsSep "," [
+          "AGPL-3.0-only"
+          "AGPL-3.0-or-later"
+          "Apache-2.0"
+          "BSD-3-Clause"
+          "CC-BY-4.0"
+          "CC-BY-NC-4.0"
+          "CC-BY-NC-ND-4.0"
+          "CC-BY-NC-SA-4.0"
+          "CC-BY-ND-4.0"
+          "CC-BY-SA-4.0"
+          "CC0-1.0"
+          "GPL-2.0-only"
+          "GPL-3.0-only"
+          "GPL-3.0-or-later"
+          "LGPL-3.0-linking-exception"
+          "LGPL-3.0-only"
+          "LGPL-3.0-or-later"
+          "MIT"
+          "MPL-2.0"
+          "Unlicense"
+        ];
+        DEFAULT_REPO_UNITS = lib.concatStringsSep "," [
+          "repo.code"
+          "repo.issues"
+          "repo.pulls"
+          "repo.releases"
+        ];
+      };
       picture = {
         DISABLE_GRAVATAR = true;
         ENABLE_FEDERATED_AVATAR = false;
@@ -99,9 +134,9 @@ in {
       logo-svg = ../../../../assets/logo_blue_regular.svg;
       logo-png = ../../../../assets/logo_blue_regular.png;
     in ''
-      install -Dm444 ${logo-svg} ${cfg.customDir}/public/img/logo.svg
-      install -Dm444 ${logo-png} ${cfg.customDir}/public/img/logo.png
-      install -Dm444 ${./loading.apng} ${cfg.customDir}/public/img/loading.png
+      install -Dm444 ${logo-svg} ${cfg.customDir}/public/assets/img/logo.svg
+      install -Dm444 ${logo-png} ${cfg.customDir}/public/assets/img/logo.png
+      install -Dm444 ${./loading.apng} ${cfg.customDir}/public/assets/img/loading.png
     '';
   };
 }

hosts/bekkalokk/services/kerberos/default.nix

@@ -1,18 +1,5 @@
 { config, pkgs, lib, ... }:
 {
-  #######################
-  # TODO: remove these once nixos 24.05 gets released
-  #######################
-  # imports = [
-  #   ./krb5.nix
-  #   ./pam.nix
-  # ];
-  # disabledModules = [
-  #   "config/krb5/default.nix"
-  #   "security/pam.nix"
-  # ];
-  #######################
-
   security.krb5 = {
     enable = true;
     settings = {

hosts/bekkalokk/services/kerberos/krb5-conf-format.nix

@@ -0,0 +1,88 @@
+{ pkgs, lib, ... }:
+
+# Based on
+# - https://web.mit.edu/kerberos/krb5-1.12/doc/admin/conf_files/krb5_conf.html
+# - https://manpages.debian.org/unstable/heimdal-docs/krb5.conf.5heimdal.en.html
+
+let
+  inherit (lib) boolToString concatMapStringsSep concatStringsSep filter
+    isAttrs isBool isList mapAttrsToList mdDoc mkOption singleton splitString;
+  inherit (lib.types) attrsOf bool coercedTo either int listOf oneOf path
+    str submodule;
+in
+{ }: {
+  type = let
+    section = attrsOf relation;
+    relation = either (attrsOf value) value;
+    value = either (listOf atom) atom;
+    atom = oneOf [int str bool];
+  in submodule {
+    freeformType = attrsOf section;
+    options = {
+      include = mkOption {
+        default = [ ];
+        description = mdDoc ''
+          Files to include in the Kerberos configuration.
+        '';
+        type = coercedTo path singleton (listOf path);
+      };
+      includedir = mkOption {
+        default = [ ];
+        description = mdDoc ''
+          Directories containing files to include in the Kerberos configuration.
+        '';
+        type = coercedTo path singleton (listOf path);
+      };
+      module = mkOption {
+        default = [ ];
+        description = mdDoc ''
+          Modules to obtain Kerberos configuration from.
+        '';
+        type = coercedTo path singleton (listOf path);
+      };
+    };
+  };
+
+  generate = let
+    indent = str: concatMapStringsSep "\n" (line: "  " + line) (splitString "\n" str);
+
+    formatToplevel = args @ {
+      include ? [ ],
+      includedir ? [ ],
+      module ? [ ],
+      ...
+    }: let
+      sections = removeAttrs args [ "include" "includedir" "module" ];
+    in concatStringsSep "\n" (filter (x: x != "") [
+      (concatStringsSep "\n" (mapAttrsToList formatSection sections))
+      (concatMapStringsSep "\n" (m: "module ${m}") module)
+      (concatMapStringsSep "\n" (i: "include ${i}") include)
+      (concatMapStringsSep "\n" (i: "includedir ${i}") includedir)
+    ]);
+
+    formatSection = name: section: ''
+      [${name}]
+      ${indent (concatStringsSep "\n" (mapAttrsToList formatRelation section))}
+    '';
+
+    formatRelation = name: relation:
+      if isAttrs relation
+      then ''
+        ${name} = {
+        ${indent (concatStringsSep "\n" (mapAttrsToList formatValue relation))}
+        }''
+      else formatValue name relation;
+
+    formatValue = name: value:
+      if isList value
+      then concatMapStringsSep "\n" (formatAtom name) value
+      else formatAtom name value;
+
+    formatAtom = name: atom: let
+      v = if isBool atom then boolToString atom else toString atom;
+    in "${name} = ${v}";
+  in
+    name: value: pkgs.writeText name ''
+      ${formatToplevel value}
+    '';
+}

hosts/bekkalokk/services/kerberos/krb5.nix

@@ -0,0 +1,90 @@
+{ config, lib, pkgs, ... }:
+let
+  inherit (lib) mdDoc mkIf mkOption mkPackageOption mkRemovedOptionModule;
+  inherit (lib.types) bool;
+
+  mkRemovedOptionModule' = name: reason: mkRemovedOptionModule ["krb5" name] reason;
+  mkRemovedOptionModuleCfg = name: mkRemovedOptionModule' name ''
+    The option `krb5.${name}' has been removed. Use
+    `security.krb5.settings.${name}' for structured configuration.
+  '';
+
+  cfg = config.security.krb5;
+  format = import ./krb5-conf-format.nix { inherit pkgs lib; } { };
+in {
+  imports = [
+    (mkRemovedOptionModuleCfg "libdefaults")
+    (mkRemovedOptionModuleCfg "realms")
+    (mkRemovedOptionModuleCfg "domain_realm")
+    (mkRemovedOptionModuleCfg "capaths")
+    (mkRemovedOptionModuleCfg "appdefaults")
+    (mkRemovedOptionModuleCfg "plugins")
+    (mkRemovedOptionModuleCfg "config")
+    (mkRemovedOptionModuleCfg "extraConfig")
+    (mkRemovedOptionModule' "kerberos" ''
+      The option `krb5.kerberos' has been moved to `security.krb5.package'.
+    '')
+  ];
+
+  options = {
+    security.krb5 = {
+      enable = mkOption {
+        default = false;
+        description = mdDoc "Enable and configure Kerberos utilities";
+        type = bool;
+      };
+
+      package = mkPackageOption pkgs "krb5" {
+        example = "heimdal";
+      };
+
+      settings = mkOption {
+        default = { };
+        type = format.type;
+        description = mdDoc ''
+          Structured contents of the {file}`krb5.conf` file. See
+          {manpage}`krb5.conf(5)` for details about configuration.
+        '';
+        example = {
+          include = [ "/run/secrets/secret-krb5.conf" ];
+          includedir = [ "/run/secrets/secret-krb5.conf.d" ];
+
+          libdefaults = {
+            default_realm = "ATHENA.MIT.EDU";
+          };
+
+          realms = {
+            "ATHENA.MIT.EDU" = {
+              admin_server = "athena.mit.edu";
+              kdc = [
+                "athena01.mit.edu"
+                "athena02.mit.edu"
+              ];
+            };
+          };
+
+          domain_realm = {
+            "mit.edu" = "ATHENA.MIT.EDU";
+          };
+
+          logging = {
+            kdc = "SYSLOG:NOTICE";
+            admin_server = "SYSLOG:NOTICE";
+            default = "SYSLOG:NOTICE";
+          };
+        };
+      };
+    };
+  };
+
+  config = mkIf cfg.enable {
+    environment = {
+      systemPackages = [ cfg.package ];
+      etc."krb5.conf".source = format.generate "krb5.conf" cfg.settings;
+    };
+  };
+
+  meta.maintainers = builtins.attrValues {
+    inherit (lib.maintainers) dblsaiko h7x4;
+  };
+}

hosts/bekkalokk/services/mediawiki/default.nix

@@ -86,7 +86,8 @@ in {
     };
 
     extensions = {
-      inherit (pkgs.mediawiki-extensions) DeleteBatch UserMerge PluggableAuth SimpleSAMLphp VisualEditor;
+      #inherit (pkgs.mediawiki-extensions) DeleteBatch UserMerge PluggableAuth SimpleSAMLphp VisualEditor;
+      inherit (pkgs.mediawiki-extensions) UserMerge PluggableAuth SimpleSAMLphp VisualEditor;
     };
 
     extraConfig = ''

hosts/bekkalokk/services/vaultwarden.nix

@@ -0,0 +1,68 @@
+{ config, pkgs, lib, ... }:
+let
+  cfg = config.services.vaultwarden;
+  domain = "pw.pvv.ntnu.no";
+  address = "127.0.1.2";
+  port = 3011;
+  wsPort = 3012;
+in {
+  sops.secrets."vaultwarden/environ" = {
+    owner = "vaultwarden";
+    group = "vaultwarden";
+  };
+
+  services.vaultwarden = {
+    enable = true;
+    dbBackend = "postgresql";
+    environmentFile = config.sops.secrets."vaultwarden/environ".path;
+    config = {
+      domain = "https://${domain}";
+
+      rocketAddress = address;
+      rocketPort = port;
+
+      websocketEnabled = true;
+      websocketAddress = address;
+      websocketPort = wsPort;
+
+      signupsAllowed = true;
+      signupsVerify = true;
+      signupsDomainsWhitelist = "pvv.ntnu.no";
+
+      smtpFrom = "vaultwarden@pvv.ntnu.no";
+      smtpFromName = "VaultWarden PVV";
+
+      smtpHost = "smtp.pvv.ntnu.no";
+      smtpUsername = "vaultwarden";
+      smtpSecurity = "force_tls";
+      smtpAuthMechanism = "Login";
+
+      # Configured in environ:
+      # databaseUrl = "postgresql://vaultwarden@/vaultwarden";
+      # smtpPassword = hemli
+    };
+  };
+
+  services.nginx.virtualHosts."${domain}" = {
+    forceSSL = true;
+    enableACME = true;
+    kTLS = true;
+
+    extraConfig = ''
+      client_max_body_size 128M;
+    '';
+
+    locations."/" = {
+      proxyPass = "http://${address}:${toString port}";
+      proxyWebsockets = true;
+    };
+    locations."/notifications/hub" = {
+      proxyPass = "http://${address}:${toString wsPort}";
+      proxyWebsockets = true;
+    };
+    locations."/notifications/hub/negotiate" = {
+      proxyPass = "http://${address}:${toString port}";
+      proxyWebsockets = true;
+    };
+  };
+}

hosts/buskerud/configuration.nix

@@ -4,14 +4,10 @@
     ./hardware-configuration.nix
     ../../base.nix
     ../../misc/metrics-exporters.nix
+
+    ./services/libvirt.nix
   ];
 
-  sops.defaultSopsFile = ../../secrets/buskerud/buskerud.yaml;
-  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
-  sops.age.keyFile = "/var/lib/sops-nix/key.txt";
-  sops.age.generateKey = true;
-
-
   # buskerud does not support efi?
   # boot.loader.systemd-boot.enable = true;
   # boot.loader.efi.canTouchEfiVariables = true;

hosts/buskerud/services/bluemap.nix

@@ -1,21 +0,0 @@
-{config, ...}:
-{
-
-  sops.secrets."bluemap_ssh_key" = {
-    owner = "root";
-    mode = "0400";
-  };
-
-  services.bluemap = {
-    enable = true;
-    eula = true;
-    defaultWorld = "/var/lib/bluemap/vanilla";
-    host = "minecraft.pvv.ntnu.no";
-  };
-
-  systemd.services."render-bluemap-maps".preStart = ''
-    rsync -e 'ssh -i ${config.sops.secrets."bluemap_ssh_key".path} -o "StrictHostKeyChecking accept-new"' \
-      root@innovation.pvv.ntnu.no:/var/backups/minecraft/current/ \
-      /var/lib/bluemap/vanilla"
-    '';
-}

hosts/buskerud/services/libvirt.nix

@@ -0,0 +1,10 @@
+{ config, pkgs, lib, ... }:
+{
+  virtualisation.libvirtd.enable = true;
+  programs.dconf.enable = true;
+  boot.kernelModules = [ "kvm-intel" ];
+
+  # On a gui-enabled machine, connect with:
+  # $ virt-manager --connect "qemu+ssh://buskerud/system?socket=/var/run/libvirt/libvirt-sock"
+}
+

hosts/dagali/TODO.md

@@ -0,0 +1,78 @@
+# Tracking document for new PVV kerberos auth stack
+
+![Bensinstasjon på heimdal](https://bydelsnytt.no/wp-content/uploads/2022/08/esso_heimdal003.jpg)
+
+<div align="center">
+  Bensinstasjon på heimdal
+</div>
+
+### TODO:
+
+- [ ] setup heimdal
+  - [x] ensure running with systemd
+  - [x] compile smbk5pwd (part of openldap)
+  - [ ] set `modify -a -disallow-all-tix,requires-pre-auth default` declaratively
+  - [ ] fully initialize PVV.NTNU.NO
+    - [x] `kadmin -l init PVV.NTNU.NO`
+    - [x] add oysteikt/admin@PVV.NTNU.NO principal
+    - [x] add oysteikt@PVV.NTNU.NO principal
+    - [x] add krbtgt/PVV.NTNU.NO@PVV.NTNU.NO principal?
+      - why is this needed, and where is it documented?
+      - `kadmin check` seems to work under sudo?
+      - (it is included by default, just included as error message
+         in a weird state)
+
+    - [x] Ensure client is working correctly
+      - [x] Ensure kinit works on darbu
+      - [x] Ensure kpasswd works on darbu
+      - [x] Ensure kadmin get <user> (and other restricted commands) works on darbu
+
+    - [ ] Ensure kdc is working correctly
+      - [x] Ensure kinit works on dagali
+      - [x] Ensure kpasswd works on dagali
+      - [ ] Ensure kadmin get <user> (and other restricte commands) works on dagali
+
+    - [x] Fix FQDN
+      - https://github.com/NixOS/nixpkgs/issues/94011
+      - https://github.com/NixOS/nixpkgs/issues/261269
+      - Possibly fixed by disabling systemd-resolved
+
+- [ ] setup cyrus sasl
+  - [x] ensure running with systemd 
+  - [x] verify GSSAPI support plugin is installed
+    - `nix-shell -p cyrus_sasl --command pluginviewer`
+  - [x] create "host/localhost@PVV.NTNU.NO" and export to keytab
+  - [x] verify cyrus sasl is able to talk to heimdal
+    - `sudo testsaslauthd -u oysteikt -p <password>`
+  - [ ] provide ldap principal to cyrus sasl through keytab
+
+- [ ] setup openldap
+  - [x] ensure running with systemd
+  - [ ] verify openldap is able to talk to cyrus sasl
+  - [ ] create user for oysteikt in openldap
+  - [ ] authenticate openldap login through sasl
+    - does this require creating an ldap user?
+
+- [ ] fix smbk5pwd integration
+  - [x] add smbk5pwd schemas to openldap
+  - [x] create openldap db for smbk5pwd with overlays
+  - [ ] test to ensure that user sync is working
+  - [ ] test as user source (replace passwd)
+  - [ ] test as PAM auth source
+  - [ ] test as auth source for 3rd party appliation
+
+- [ ] Set up ldap administration panel
+  - Doesn't seem like there are many good ones out there. Maybe phpLDAPAdmin?
+
+- [ ] Set up kerberos SRV DNS entry
+
+### Information and URLS
+
+- OpenLDAP SASL: https://www.openldap.org/doc/admin24/sasl.html
+- Use a keytab: https://kb.iu.edu/d/aumh
+- 2 ways for openldap to auth: https://security.stackexchange.com/questions/65093/how-to-test-ldap-that-authenticates-with-kerberos
+- Cyrus guide OpenLDAP + SASL + GSSAPI: https://www.cyrusimap.org/sasl/sasl/faqs/openldap-sasl-gssapi.html
+- Configuring GSSAPI and Cyrus SASL: https://web.mit.edu/darwin/src/modules/passwordserver_sasl/cyrus_sasl/doc/gssapi.html
+- PVV Kerberos docs: https://wiki.pvv.ntnu.no/wiki/Drift/Kerberos
+- OpenLDAP smbk5pwd source: https://git.openldap.org/nivanova/openldap/-/tree/master/contrib/slapd-modules/smbk5pwd
+- saslauthd(8): https://linux.die.net/man/8/saslauthd

hosts/dagali/configuration.nix

@@ -0,0 +1,51 @@
+
+{ config, pkgs, values, lib, ... }:
+{
+  imports = [
+    ./hardware-configuration.nix
+    ../../base.nix
+    ../../misc/metrics-exporters.nix
+
+    ./services/heimdal.nix
+    #./services/openldap.nix
+    ./services/cyrus-sasl.nix
+  ];
+
+  # buskerud does not support efi?
+  # boot.loader.systemd-boot.enable = true;
+  # boot.loader.efi.canTouchEfiVariables = true;
+  boot.loader.grub.enable = true;
+  boot.loader.grub.device = "/dev/sda";
+
+  # resolved messes up FQDN coming from nscd
+  services.resolved.enable = false;
+
+  networking.hostName = "dagali";
+  networking.domain = lib.mkForce "pvv.local";
+  networking.hosts = {
+    "129.241.210.185" = [ "dagali.pvv.local" ];
+  };
+  #networking.search = [ "pvv.ntnu.no" "pvv.org" ];
+  networking.nameservers = [ "129.241.0.200" "129.241.0.201" ];
+  networking.tempAddresses = "disabled";
+  networking.networkmanager.enable = true;
+
+  systemd.network.networks."ens18" = values.defaultNetworkConfig // {
+    matchConfig.Name = "ens18";
+    address = with values.hosts.dagali; [ (ipv4 + "/25") (ipv6 + "/64") ];
+  };
+
+  # List packages installed in system profile
+  environment.systemPackages = with pkgs; [
+    # TODO: consider adding to base.nix
+    nix-output-monitor
+  ];
+
+  # This value determines the NixOS release from which the default
+  # settings for stateful data, like file locations and database versions
+  # on your system were taken. It‘s perfectly fine and recommended to leave
+  # this value at the release version of the first install of this system.
+  # Before changing this value read the documentation for this option
+  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+  system.stateVersion = "24.05"; # Did you read the comment?
+}

hosts/dagali/hardware-configuration.nix

@@ -0,0 +1,33 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/profiles/qemu-guest.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/4de345e2-be41-4d10-9b90-823b2c77e9b3";
+      fsType = "ext4";
+    };
+
+  swapDevices =
+    [ { device = "/dev/disk/by-uuid/aa4b9a97-a7d8-4608-9f67-4ad084f1baf7"; }
+    ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.ens18.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}

hosts/dagali/services/cyrus-sasl.nix

@@ -0,0 +1,21 @@
+{ config, ... }:
+let
+  cfg = config.services.saslauthd;
+in
+{
+  # TODO: This is seemingly required for openldap to authenticate
+  #       against kerberos, but I have no idea how to configure it as
+  #       such. Does it need a keytab? There's a binary "testsaslauthd"
+  #       that follows with `pkgs.cyrus_sasl` that might be useful.
+  services.saslauthd = {
+    enable = true;
+    mechanism = "kerberos5";
+    config = ''
+      mech_list: gs2-krb5 gssapi
+      keytab: /etc/krb5.keytab
+    '';
+  };
+
+  # TODO: maybe the upstream module should consider doing this?
+  environment.systemPackages = [ cfg.package ];
+}

hosts/dagali/services/heimdal.nix

@@ -0,0 +1,100 @@
+{ config, pkgs, lib, ... }:
+let
+  realm = "PVV.LOCAL";
+  cfg = config.security.krb5;
+in
+{
+  security.krb5 = {
+    enable = true;
+
+    # NOTE: This is required in order to build smbk5pwd, because of some nested includes.
+    #       We should open an issue upstream (heimdal, not nixpkgs), but this patch
+    #       will do for now.
+    package = pkgs.heimdal.overrideAttrs (prev: {
+      postInstall = prev.postInstall + ''
+        cp include/heim_threads.h $dev/include
+      '';
+    });
+
+    settings = {
+      realms.${realm} = {
+        kdc = [ "dagali.${lib.toLower realm}" ];
+        admin_server = "dagali.${lib.toLower realm}";
+        kpasswd_server = "dagali.${lib.toLower realm}";
+        default_domain = lib.toLower realm;
+        primary_kdc = "dagali.${lib.toLower realm}";
+      };
+
+      kadmin.default_keys = lib.concatStringsSep " " [
+        "aes256-cts-hmac-sha1-96:pw-salt"
+        "aes128-cts-hmac-sha1-96:pw-salt"
+      ];
+
+      libdefaults.default_etypes = lib.concatStringsSep " " [
+        "aes256-cts-hmac-sha1-96"
+        "aes128-cts-hmac-sha1-96"
+      ];
+
+      libdefaults = {
+        default_realm = realm;
+        dns_lookup_kdc = false;
+        dns_lookup_realm = false;
+      };
+
+      domain_realm = {
+        "${lib.toLower realm}" = realm;
+        ".${lib.toLower realm}" = realm;
+      };
+
+      logging = {
+        # kdc = "CONSOLE";
+        kdc = "SYSLOG:DEBUG:AUTH";
+        admin_server = "SYSLOG:DEBUG:AUTH";
+        default = "SYSLOG:DEBUG:AUTH";
+      };
+    };
+  };
+
+  services.kerberos_server = {
+    enable = true;
+    settings = {
+      realms.${realm} = {
+        dbname = "/var/lib/heimdal/heimdal";
+        mkey = "/var/lib/heimdal/m-key";
+        acl = [
+          {
+            principal = "kadmin/admin";
+            access = "all";
+          }
+          {
+            principal = "felixalb/admin";
+            access = "all";
+          }
+          {
+            principal = "oysteikt/admin";
+            access = "all";
+          }
+        ];
+      };
+      # kadmin.default_keys = lib.concatStringsSep " " [
+      #   "aes256-cts-hmac-sha1-96:pw-salt"
+      #   "aes128-cts-hmac-sha1-96:pw-salt"
+      # ];
+
+      # libdefaults.default_etypes = lib.concatStringsSep " " [
+      #   "aes256-cts-hmac-sha1-96"
+      #   "aes128-cts-hmac-sha1-96"
+      # ];
+
+      # password_quality.min_length = 8;
+    };
+  };
+
+  networking.firewall.allowedTCPPorts = [ 88 464 749 ];
+  networking.firewall.allowedUDPPorts = [ 88 464 749 ];
+
+  networking.hosts = {
+    "127.0.0.2" = lib.mkForce [ ];
+    "::1" = lib.mkForce [ ];
+  };
+}

hosts/dagali/services/openldap.nix

@@ -0,0 +1,121 @@
+{ config, pkgs, lib, ... }:
+{
+  services.openldap = let
+    dn = "dc=pvv,dc=ntnu,dc=no";
+    cfg = config.services.openldap;
+
+    heimdal = config.security.krb5.package;
+  in {
+    enable = true;
+
+    # NOTE: this is a custom build of openldap with support for
+    #       perl and kerberos.
+    package = pkgs.openldap.overrideAttrs (prev: {
+      # https://github.com/openldap/openldap/blob/master/configure
+      configureFlags = prev.configureFlags ++ [
+        # Connect to slapd via UNIX socket
+        "--enable-local"
+        # Cyrus SASL
+        "--enable-spasswd"
+        # Reverse hostname lookups
+        "--enable-rlookups"
+        # perl
+        "--enable-perl"
+      ];
+
+      buildInputs = prev.buildInputs ++ [
+        pkgs.perl
+	# NOTE: do not upstream this, it might not work with
+	#       MIT in the same way
+        heimdal
+      ];
+
+      extraContribModules = prev.extraContribModules ++ [
+        # https://git.openldap.org/openldap/openldap/-/tree/master/contrib/slapd-modules
+        "smbk5pwd"
+      ];
+    });
+
+    settings = {
+      attrs = {
+        olcLogLevel = [ "stats" "config" "args" ];
+
+        # olcAuthzRegexp = ''
+        #   gidNumber=.*\\\+uidNumber=0,cn=peercred,cn=external,cn=auth
+        #         "uid=heimdal,${dn2}"
+        # '';
+
+        # olcSaslSecProps = "minssf=0";
+      };
+
+      children = {
+        "cn=schema".includes = let
+          # NOTE: needed for smbk5pwd.so module
+          schemaToLdif = name: path: pkgs.runCommandNoCC name {
+            buildInputs = with pkgs; [ schema2ldif ];
+          } ''
+            schema2ldif "${path}" > $out
+          '';
+
+          hdb-ldif = schemaToLdif "hdb.ldif" "${heimdal.src}/lib/hdb/hdb.schema";
+          samba-ldif = schemaToLdif "samba.ldif" "${heimdal.src}/tests/ldap/samba.schema";
+        in [
+           "${cfg.package}/etc/schema/core.ldif"
+           "${cfg.package}/etc/schema/cosine.ldif"
+           "${cfg.package}/etc/schema/nis.ldif"
+           "${cfg.package}/etc/schema/inetorgperson.ldif"
+           "${hdb-ldif}"
+           "${samba-ldif}"
+        ];
+
+        # NOTE: installation of smbk5pwd.so module
+        #       https://git.openldap.org/openldap/openldap/-/tree/master/contrib/slapd-modules/smbk5pwd
+        "cn=module{0}".attrs = {
+          objectClass = [ "olcModuleList" ];
+          olcModuleLoad = [ "${cfg.package}/lib/modules/smbk5pwd.so" ];
+        };
+
+        # NOTE: activation of smbk5pwd.so module for {1}mdb
+        "olcOverlay={0}smbk5pwd,olcDatabase={1}mdb".attrs = {
+          objectClass = [ "olcOverlayConfig" "olcSmbK5PwdConfig" ];
+          olcOverlay = "{0}smbk5pwd";
+          olcSmbK5PwdEnable = [ "krb5" "samba" ];
+          olcSmbK5PwdMustChange = toString (60 * 60 * 24 * 10000);
+        };
+
+        "olcDatabase={1}mdb".attrs = {
+          objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ];
+
+          olcDatabase = "{1}mdb";
+
+          olcSuffix = dn;
+
+          # TODO: PW is supposed to be a secret, but it's probably fine for testing
+          olcRootDN = "cn=users,${dn}";
+
+          # TODO: replace with proper secret
+          olcRootPW.path = pkgs.writeText "olcRootPW" "pass";
+
+          olcDbDirectory = "/var/lib/openldap/test-smbk5pwd-db";
+          olcDbIndex = "objectClass eq";
+
+          olcAccess = [
+            ''{0}to attrs=userPassword,shadowLastChange
+                by dn.exact=cn=users,${dn} write
+                by self write
+                by anonymous auth
+                by * none''
+
+            ''{1}to dn.base=""
+                by * read''
+
+            /* allow read on anything else */
+            # ''{2}to *
+            #     by cn=users,${dn} write by dn.exact=gidNumber=0+uidNumber=0+cn=peercred,cn=external write
+            #     by * read''
+          ];
+        };
+      };
+    };
+  };
+}

hosts/ildkule/services/monitoring/loki.nix

@@ -50,7 +50,6 @@ in {
         boltdb_shipper = {
           active_index_directory = "/var/lib/loki/boltdb-shipper-index";
           cache_location = "/var/lib/loki/boltdb-shipper-cache";
-          # shared_store = "filesystem";
           cache_ttl = "24h";
         };
         filesystem = {
@@ -59,15 +58,13 @@ in {
       };
 
       limits_config = {
-        allow_structured_metadata = false;
-        # enforce_metric_name = false;
+	allow_structured_metadata = false;
         reject_old_samples = true;
         reject_old_samples_max_age = "72h";
       };
 
       compactor = {
         working_directory = "/var/lib/loki/compactor";
-        # shared_store = "filesystem";
       };
 
       # ruler = {

secrets/bekkalokk/bekkalokk.yaml

@@ -28,6 +28,8 @@ nettsiden:
         postgres_password: ENC[AES256_GCM,data:SvbrdHF4vQ94DgoEfy67QS5oziAsMT8H,iv:LOHBqMecA6mgV3NMfmfTh3zDGiDve+t3+uaO53dIxt4=,tag:9ffz84ozIqytNdGB1COMhA==,type:str]
         cookie_salt: ENC[AES256_GCM,data:VmODSLOP1YDBrpHdk/49qx9BS+aveEYDQ1D24d4zCi06kZsCENCr+vdPAnTeM1pw98RTr3yZAEQTh4s90b6v8Q==,iv:vRClu6neyYPFdtD63kjnvK2iNOIHMbh+9qEGph7CI60=,tag:66fgppVxY0egs4+9XfDBPA==,type:str]
         admin_password: ENC[AES256_GCM,data:SADr/zN3F0tW339kSK1nD9Pb38rw7hz8,iv:s5jgl1djXd5JKwx1WG/w2Q4STMMpjJP91qxOwAoNcL0=,tag:N8bKnO9N0ei06HDkSGt6XQ==,type:str]
+vaultwarden:
+    environ: ENC[AES256_GCM,data:CST5I8x8qAkrTy/wbMLL6aFSPDPIU7aWsD1L1MnIATRmk7fcUhfTSFds7quJmIpb2znsIT/WxNI/V/7UW+9ZdPKI64hfPR8MtvrJcbOhU5Fe2IiytFymFbhcOgWAXjbGzs7knQmpfMxSl98sU71oLkRuFdkousdnh4VQFZhUCYM=,iv:Is6xQ7DGdcAQgrrXCS9NbJk67O2uR82rbKOXBTzZHWw=,tag:XVEjCEM5t8qJl6jL89zrkw==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -61,8 +63,8 @@ sops:
             akVjeTNTeGorZjJQOVlMeCtPRUVYL3MK+VMvGxrbzGz4Q3sdaDDWjal+OiK+JYKX
             GHiMXVHQJZu/RrlxMjHKN6V3iaqxZpuvLAEJ2Lzy5EOHPtuiiRyeHQ==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-05-12T00:24:29Z"
-    mac: ENC[AES256_GCM,data:/fh5yc09YTLT62oWVsz2CwW/mhEUI7uRh5fDRgLNeeBc/4bvM3z83xmy9veehmQhhCWjju2/CtYhaihm3bUPN4hu3wVzviIxvrS9lTcBUG+F/AH4SnF5Z1CGWb94Gqi/6OhQRIpA6azjISyv8lTAQ4TCqcOC4fz/c9KjqQ/CiGY=,iv:HjzzMRFz3+kZ4iDLn9kI80BwMDALkRX5gyOHARZSgDA=,tag:1ez7NiIavshfp4CTZNkW/Q==,type:str]
+    lastmodified: "2024-05-26T02:07:41Z"
+    mac: ENC[AES256_GCM,data:CRaJefV1zcJc6eyzyjTLgd0+Wv46VT8o4iz2YAGU+c2b/Cr97Tj290LoEO6UXTI3uFwVfzii2yZ2l+4FK3nVVriD4Cx1O/9qWcnLa5gfK30U0zof6AsJx8qtGu1t6oiPlGUCF7sT0BW9Wp8cPumrY6cZp9QbhmIDV0o0aJNUNN4=,iv:8OSYV1eG6kYlJD4ovZZhcD1GaYnmy7vHPa/+7egM1nE=,tag:OPI13rpDh2l1ViFj8TBFWg==,type:str]
     pgp:
         - created_at: "2023-05-21T00:28:40Z"
           enc: |
@@ -86,3 +88,4 @@ sops:
           fp: F7D37890228A907440E1FD4846B9228E814A2AAC
     unencrypted_suffix: _unencrypted
     version: 3.8.1
+

secrets/buskerud/buskerud.yaml

@@ -1,39 +0,0 @@
-bluemap_ssh_key: ENC[AES256_GCM,data:2kv/cDEEQMHJdwTmmTxtyxOZz8duggaT61U69IuiOJ2yuwqkujOHZ2gkCtGa1VyFPn6wg4OTiSA/Loz+QmTSKz+8HqvY/Lybks+offDZ1mukL5NiWLUVmNZdfdHaMeEyiZsxiMoWEgFtMiKvgmdMMPa/BCHZCMCxMWFAcuiZgbhGyGukdo0wQd5RcEDaY4JZ7q95ndAn4K7gi9q1K7MLOvI5t2hGibj8DrqriXqg9mahsiFZdKWxjf3tBX0MzS85wAtleQWXmH5FRvECmdOj3OSp92JMqU/WDlQih3xjnw1Ci3L/hdwgGLHZTf/RzuPpGh2OD26A7gUjOFh+M5z2dVVtZ40F8tQFxpQxkkJBsqTNbDKuw7/KPpZUJkn4UYBkhzraG/62md/9sS9+GjTHBhfYQYHbDU8ZbPO5ZSoZfshRDUuP0qYXiQw7cxA5BQIhwYdn26uy2ghiHsP713Tz91ESVjlCZLLduGySWEQNAxSdzFu9yEyp4xdl8l9udlnxVV2/5Xm5kQEdiUMwiBpUhrghdEl6lOzome5h,iv:uiYaQgOnhFvWze/oHGSpAu8+m89l4tGCgRauDzU3ZqE=,tag:eCYgCH+e8hNYpBIFWFOTbA==,type:str]
-sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
-    age:
-        - recipient: age1tmn5qahlyf0e579e4camckdyxrexjzffv54hdzdnrw7lzqs7kyqq0f2fr3
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvL2dqdHFwWURFSWJEUkVl
-            eXR2cTQyTXpzUEFra0drdUgzRUNmSXA4eGc0CmRoWnp5UUUyQy9kK0dHVjF3WkFp
-            M0loS1RXeWxHSGNTQUljS05jaDBxMDQKLS0tIDhyUGdvcE1iMWxJeWhYb3JFTi9q
-            Y0RrVHNhcVU3WFd2NitlQ3l4Ry9JTkEKALBawjOt7hChok/cHRa38HkB0KVEKvik
-            r2jO26j9AUU5mqjR/dIko3jvfcXoNUNRYrMwaBfRa6AFnNBoN3g0ng==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age17tagmpwqjk3mdy45rfesrfey6h863x8wfq38wh33tkrlrywxducs0k6tpq
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzV1R0cWxoTXNKNnpsUjE5
-            c01Oc3J5M2F2cDVKOTNma0J3eFVwa0pXQmpjCkdxRjJZTlFWSlh2UFR2emx4OVVY
-            T3gzSWdXNTlyS0VJSXRnTXZweER6V00KLS0tIGdFU3oxZ3lzQTBjU0hyYjV5M2cr
-            VnUvcGZDbEZuZitQS1g1NmRtb3JnNDAKV6otQlYUSF5ScyYL6LlstPU1pkLMY8r0
-            /NEuN9A7l2m9Wy8iItx+ZhwGp9pEPsgdsQLJQtJFfaA6lNuFhbgqfg==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1ju7rd26llahz3g8tz7cy5ld52swj8gsmg0flrmrxngc0nj0avq3ssh0sn5
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNbmpMaWhpQTQzR05Cd0cw
-            b3dJRXVoUmFzZGxMeC9tVk9acndMemlrTHhzCkVtMHJ1bE94T25wRmpTZnpHbUdq
-            NzQ4T0pLZW56TEV2emQ5RHVXTDAvdmsKLS0tIFJ0OWxNYkIxOVBVV1hmZDdoeEhm
-            blB3M2JIMmk3Tmh6WjIzQjlHSW9GNDAKB3gdJL9AlF4fsCMujd/6HnieDwhCZnex
-            QDU87yTePHAppnqLp+ZuVdSbqcsnQclmbm92M3S6LuKpoDhGxeHrEw==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-06-08T23:34:34Z"
-    mac: ENC[AES256_GCM,data:CLsz6UgS1LO/5SArmT7utald3TzQUWwEiSRw3dF1RaCwyb0Fc16/5DxJSk0KGLiJRlDXses/ynSjoyaBdTagijJPKQZCpx3fHZFqEJk6Wne4zQ4EoFbY1SpPrkhGVGMYaUg/H/NapoAEiq619YudR9W6GqF8ZkauXE76wls63FM=,iv:I09LFoSkeMAWHmvXtIF4+FURZ4tOQGCXQqbNrKz5t7s=,tag:xauT9sah+26A9pRrwXlsiQ==,type:str]
-    pgp: []
-    unencrypted_suffix: _unencrypted
-    version: 3.8.1

users/felixalb.nix

@@ -1,8 +1,12 @@
-{ pkgs, ... }:
+{ pkgs, lib, config, ... }:
 {
   users.users.felixalb = {
     isNormalUser = true;
-    extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
+    extraGroups = [
+      "wheel"
+    ] ++ lib.optionals ( config.users.groups ? "libvirtd" ) [
+      "libvirtd"
+    ];
     shell = pkgs.zsh;
     openssh.authorizedKeys.keys = [
       "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDKzPICGew7uN0cmvRmbwkwTCodTBUgEhkoftQnZuO4Q felixalbrigtsen@gmail.com"

values.nix

@@ -29,6 +29,10 @@ in rec {
       ipv4 = pvv-ipv4 168;
       ipv6 = pvv-ipv6 168;
     };
+    dagali = {
+      ipv4 = pvv-ipv4 185;
+      ipv6 = pvv-ipv6 185;
+    };
     ildkule = {
       ipv4 = "10.212.25.209";
       ipv6 = "2001:700:300:6025:f816:3eff:feee:812d";