WIP: Move krb5 realm to pvv.local, make sane ldap structure

Reviewed-on: https://git.pvv.ntnu.no/Drift/pvv-nixos-config/pulls/43

base.nix

@@ -48,9 +48,9 @@
   ** use the same channel the system
   ** was built with
   */
-  nix.registry = {
+  # nix.registry = {
-    nixpkgs.flake = inputs.nixpkgs;
+  #   nixpkgs.flake = inputs.nixpkgs;
-  };
+  # };
   nix.nixPath = [ "nixpkgs=${inputs.nixpkgs}" ];
 
   environment.systemPackages = with pkgs; [
@@ -67,7 +67,6 @@
     wget
 
     kitty.terminfo
-    foot.terminfo
   ];
 
   programs.zsh.enable = true;

flake.lock

@@ -7,11 +7,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1715445235,
+        "lastModified": 1720056646,
-        "narHash": "sha256-SUu+oIWn+xqQIOlwfwNfS9Sek4i1HKsrLJchsDReXwA=",
+        "narHash": "sha256-BymcV4HWtx2VFuabDCM4/nEJcfivCx0S02wUCz11mAY=",
         "owner": "nix-community",
         "repo": "disko",
-        "rev": "159d87ea5b95bbdea46f0288a33c5e1570272725",
+        "rev": "64679cd7f318c9b6595902b47d4585b1d51d5f9e",
         "type": "github"
       },
       "original": {
@@ -67,11 +67,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1715364232,
+        "lastModified": 1716065905,
-        "narHash": "sha256-ZJC3SkanEgbV7p+LFhP+85CviRWOXJNHzZwR/Stb7hE=",
+        "narHash": "sha256-08uhxBzfakfhl/ooc+gMzDupWKYvTeyQZwuvB1SBS7A=",
         "owner": "Programvareverkstedet",
         "repo": "grzegorz",
-        "rev": "3841cda1cdcac470440b06838d56a2eb2256378c",
+        "rev": "0481aef6553ae9aee86e4edb4ca0ed4f2eba2058",
         "type": "github"
       },
       "original": {
@@ -87,11 +87,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1715384651,
+        "lastModified": 1716115695,
-        "narHash": "sha256-7RhckgUTjqeCjWkhiCc1iB+5CBx9fl80d/3O4Jh+5kM=",
+        "narHash": "sha256-aI65l4x+U5v3i/nfn6N3eW5IZodmf4pyAByE7vTJh8I=",
         "owner": "Programvareverkstedet",
         "repo": "grzegorz-clients",
-        "rev": "738a4f3dd887f7c3612e4e772b83cbfa3cde5693",
+        "rev": "b9444658fbb39cd1bf1c61ee5a1d5f0641c49abe",
         "type": "github"
       },
       "original": {
@@ -107,15 +107,16 @@
         ]
       },
       "locked": {
-        "lastModified": 1710311999,
+        "lastModified": 1717234745,
-        "narHash": "sha256-s0pT1NyrMgeolUojXXcnXQDymN7m80GTF7itCv0ZH20=",
+        "narHash": "sha256-MFyKRdw4WQD6V3vRGbP6MYbtJhZp712zwzjW6YiOBYM=",
         "owner": "dali99",
         "repo": "nixos-matrix-modules",
-        "rev": "6c9b67974b839740e2a738958512c7a704481157",
+        "rev": "d7dc42c9bbb155c5e4aa2f0985d0df75ce978456",
         "type": "github"
       },
       "original": {
         "owner": "dali99",
+        "ref": "v0.6.0",
         "repo": "nixos-matrix-modules",
         "type": "github"
       }
@@ -142,42 +143,42 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1715410392,
+        "lastModified": 1720137366,
-        "narHash": "sha256-ltp1jQps9tym0uWNl/lTniHSQngCtNIyzlymu+ZSyts=",
+        "narHash": "sha256-Xn+WAX2t2yjNdgZEyEtjCLvkqjrGPVhKRGsM6ujUf8c=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "9f8bf7503bd85d5208575f4bd81c8b1fc999a468",
+        "rev": "f2a40608e6b55661cac28e473e28b6208da53c01",
         "type": "github"
       },
       "original": {
         "id": "nixpkgs",
-        "ref": "nixos-23.11-small",
+        "ref": "nixos-24.05-small",
         "type": "indirect"
       }
     },
     "nixpkgs-stable": {
       "locked": {
-        "lastModified": 1714858427,
+        "lastModified": 1719720450,
-        "narHash": "sha256-tCxeDP4C1pWe2rYY3IIhdA40Ujz32Ufd4tcrHPSKx2M=",
+        "narHash": "sha256-57+R2Uj3wPeDeq8p8un19tzFFlgWiXJ8PbzgKtBgBX8=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "b980b91038fc4b09067ef97bbe5ad07eecca1e76",
+        "rev": "78f8641796edff3bfabbf1ef5029deadfe4a21d0",
         "type": "github"
       },
       "original": {
         "owner": "NixOS",
-        "ref": "release-23.11",
+        "ref": "release-24.05",
         "repo": "nixpkgs",
         "type": "github"
       }
     },
     "nixpkgs-unstable": {
       "locked": {
-        "lastModified": 1715435713,
+        "lastModified": 1720149507,
-        "narHash": "sha256-lb2HqDQGfTdnCCpc1pgF6fkdgIOuBQ0nP8jjVSfLFqg=",
+        "narHash": "sha256-OFJoD1jjxzFlY1tAsehEWVA88DbU5smzDPQuu9SmnXY=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "52b40f6c4be12742b1504ca2eb4527e597bf2526",
+        "rev": "d9c0b9d611277e42e6db055636ba0409c59db6d2",
         "type": "github"
       },
       "original": {
@@ -213,11 +214,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1716150352,
+        "lastModified": 1718404592,
-        "narHash": "sha256-c13lzYbLmbrcbEdPTYZYtlX2Qsz1W+2sLsIMGShPgwo=",
+        "narHash": "sha256-Ud8pD0mxmbfvwBXKy2q3Yp8r1EofaTcodZtI3fbnfDY=",
         "ref": "refs/heads/master",
-        "rev": "2cab4df4b119e08a1f90ea1c944652cd78b4d478",
+        "rev": "6e4a79ed3ddae8dfc80eb8af1789985d07bcf297",
-        "revCount": 459,
+        "revCount": 463,
         "type": "git",
         "url": "https://git.pvv.ntnu.no/Projects/nettsiden.git"
       },
@@ -248,11 +249,11 @@
         "nixpkgs-stable": "nixpkgs-stable"
       },
       "locked": {
-        "lastModified": 1715244550,
+        "lastModified": 1720187017,
-        "narHash": "sha256-ffOZL3eaZz5Y1nQ9muC36wBCWwS1hSRLhUzlA9hV2oI=",
+        "narHash": "sha256-Zq+T1Bvd0ShZB9XM+bP0VJK3HjsSVQBLolkaCLBQnfQ=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "0dc50257c00ee3c65fef3a255f6564cfbfe6eb7f",
+        "rev": "1b11e208cee97c47677439625dc22e5289dcdead",
         "type": "github"
       },
       "original": {

flake.nix

@@ -2,7 +2,7 @@
   description = "PVV System flake";
 
   inputs = {
-    nixpkgs.url = "nixpkgs/nixos-23.11-small";
+    nixpkgs.url = "nixpkgs/nixos-24.05-small";
     nixpkgs-unstable.url = "nixpkgs/nixos-unstable-small";
 
     sops-nix.url = "github:Mic92/sops-nix";
@@ -17,7 +17,7 @@
     pvv-calendar-bot.url = "git+https://git.pvv.ntnu.no/Projects/calendar-bot.git";
     pvv-calendar-bot.inputs.nixpkgs.follows = "nixpkgs";
 
-    matrix-next.url = "github:dali99/nixos-matrix-modules";
+    matrix-next.url = "github:dali99/nixos-matrix-modules/v0.6.0";
     matrix-next.inputs.nixpkgs.follows = "nixpkgs";
 
     nix-gitea-themes.url = "git+https://git.pvv.ntnu.no/oysteikt/nix-gitea-themes.git";
@@ -109,8 +109,6 @@
       #ildkule-unstable = unstableNixosConfig "ildkule" { };
       shark = stableNixosConfig "shark" { };
 
-      elysium = stableNixosConfig "elysium" { };
-
       brzeczyszczykiewicz = stableNixosConfig "brzeczyszczykiewicz" {
         modules = [
           inputs.grzegorz.nixosModules.grzegorz-kiosk
@@ -124,6 +122,7 @@
         ];
       };
       buskerud = stableNixosConfig "buskerud" { };
+      dagali = unstableNixosConfig "dagali" { };
     };
 
     devShells = forAllSystems (system: {

hosts/bekkalokk/services/gitea/default.nix

@@ -1,4 +1,4 @@
-{ config, values, pkgs, ... }:
+{ config, values, pkgs, lib, ... }:
 let
   cfg = config.services.gitea;
   domain = "git.pvv.ntnu.no";
@@ -22,19 +22,19 @@ in {
 
   services.gitea = {
     enable = true;
-    stateDir = "/data/gitea";
     appName = "PVV Git";
 
     database = {
       type = "postgres";
       host = "postgres.pvv.ntnu.no";
-      port = config.services.postgresql.port;
+      port = config.services.postgresql.settings.port;
       passwordFile = config.sops.secrets."gitea/database".path;
       createDatabase = false;
     };
 
     mailerPasswordFile = config.sops.secrets."gitea/email-password".path;
 
+    # https://docs.gitea.com/administration/config-cheat-sheet
     settings = {
       server = {
         DOMAIN   = domain;
@@ -42,6 +42,7 @@ in {
         PROTOCOL = "http+unix";
         SSH_PORT = sshPort;
         START_SSH_SERVER = true;
+        START_LFS_SERVER = true;
       };
       mailer = {
         ENABLED = true;
@@ -50,11 +51,45 @@ in {
         SMTP_ADDR = "smtp.pvv.ntnu.no";
         SMTP_PORT = 587;
         USER = "gitea@pvv.ntnu.no";
+        SUBJECT_PREFIX = "[pvv-git]";
       };
       indexer.REPO_INDEXER_ENABLED = true;
-      service.DISABLE_REGISTRATION = true;
+      service = {
+        DISABLE_REGISTRATION = true;
+        ENABLE_NOTIFY_MAIL = true;
+      };
       session.COOKIE_SECURE = true;
       database.LOG_SQL = false;
+      repository = {
+        PREFERRED_LICENSES = lib.concatStringsSep "," [
+          "AGPL-3.0-only"
+          "AGPL-3.0-or-later"
+          "Apache-2.0"
+          "BSD-3-Clause"
+          "CC-BY-4.0"
+          "CC-BY-NC-4.0"
+          "CC-BY-NC-ND-4.0"
+          "CC-BY-NC-SA-4.0"
+          "CC-BY-ND-4.0"
+          "CC-BY-SA-4.0"
+          "CC0-1.0"
+          "GPL-2.0-only"
+          "GPL-3.0-only"
+          "GPL-3.0-or-later"
+          "LGPL-3.0-linking-exception"
+          "LGPL-3.0-only"
+          "LGPL-3.0-or-later"
+          "MIT"
+          "MPL-2.0"
+          "Unlicense"
+        ];
+        DEFAULT_REPO_UNITS = lib.concatStringsSep "," [
+          "repo.code"
+          "repo.issues"
+          "repo.pulls"
+          "repo.releases"
+        ];
+      };
       picture = {
         DISABLE_GRAVATAR = true;
         ENABLE_FEDERATED_AVATAR = false;
@@ -99,9 +134,9 @@ in {
       logo-svg = ../../../../assets/logo_blue_regular.svg;
       logo-png = ../../../../assets/logo_blue_regular.png;
     in ''
-      install -Dm444 ${logo-svg} ${cfg.customDir}/public/img/logo.svg
+      install -Dm444 ${logo-svg} ${cfg.customDir}/public/assets/img/logo.svg
-      install -Dm444 ${logo-png} ${cfg.customDir}/public/img/logo.png
+      install -Dm444 ${logo-png} ${cfg.customDir}/public/assets/img/logo.png
-      install -Dm444 ${./loading.apng} ${cfg.customDir}/public/img/loading.png
+      install -Dm444 ${./loading.apng} ${cfg.customDir}/public/assets/img/loading.png
     '';
   };
 }

hosts/bekkalokk/services/kerberos/default.nix

@@ -1,18 +1,5 @@
 { config, pkgs, lib, ... }:
 {
-  #######################
-  # TODO: remove these once nixos 24.05 gets released
-  #######################
-  imports = [
-    ./krb5.nix
-    ./pam.nix
-  ];
-  disabledModules = [
-    "config/krb5/default.nix"
-    "security/pam.nix"
-  ];
-  #######################
-
   security.krb5 = {
     enable = true;
     settings = {

hosts/buskerud/configuration.nix

@@ -4,6 +4,8 @@
     ./hardware-configuration.nix
     ../../base.nix
     ../../misc/metrics-exporters.nix
+
+    ./services/libvirt.nix
   ];
 
   # buskerud does not support efi?

hosts/buskerud/services/libvirt.nix

@@ -0,0 +1,10 @@
+{ config, pkgs, lib, ... }:
+{
+  virtualisation.libvirtd.enable = true;
+  programs.dconf.enable = true;
+  boot.kernelModules = [ "kvm-intel" ];
+
+  # On a gui-enabled machine, connect with:
+  # $ virt-manager --connect "qemu+ssh://buskerud/system?socket=/var/run/libvirt/libvirt-sock"
+}
+

hosts/dagali/TODO.md

@@ -0,0 +1,78 @@
+# Tracking document for new PVV kerberos auth stack
+
+![Bensinstasjon på heimdal](https://bydelsnytt.no/wp-content/uploads/2022/08/esso_heimdal003.jpg)
+
+<div align="center">
+  Bensinstasjon på heimdal
+</div>
+
+### TODO:
+
+- [ ] setup heimdal
+  - [x] ensure running with systemd
+  - [x] compile smbk5pwd (part of openldap)
+  - [ ] set `modify -a -disallow-all-tix,requires-pre-auth default` declaratively
+  - [ ] fully initialize PVV.NTNU.NO
+    - [x] `kadmin -l init PVV.NTNU.NO`
+    - [x] add oysteikt/admin@PVV.NTNU.NO principal
+    - [x] add oysteikt@PVV.NTNU.NO principal
+    - [x] add krbtgt/PVV.NTNU.NO@PVV.NTNU.NO principal?
+      - why is this needed, and where is it documented?
+      - `kadmin check` seems to work under sudo?
+      - (it is included by default, just included as error message
+         in a weird state)
+
+    - [x] Ensure client is working correctly
+      - [x] Ensure kinit works on darbu
+      - [x] Ensure kpasswd works on darbu
+      - [x] Ensure kadmin get <user> (and other restricted commands) works on darbu
+
+    - [ ] Ensure kdc is working correctly
+      - [x] Ensure kinit works on dagali
+      - [x] Ensure kpasswd works on dagali
+      - [ ] Ensure kadmin get <user> (and other restricte commands) works on dagali
+
+    - [x] Fix FQDN
+      - https://github.com/NixOS/nixpkgs/issues/94011
+      - https://github.com/NixOS/nixpkgs/issues/261269
+      - Possibly fixed by disabling systemd-resolved
+
+- [ ] setup cyrus sasl
+  - [x] ensure running with systemd 
+  - [x] verify GSSAPI support plugin is installed
+    - `nix-shell -p cyrus_sasl --command pluginviewer`
+  - [x] create "host/localhost@PVV.NTNU.NO" and export to keytab
+  - [x] verify cyrus sasl is able to talk to heimdal
+    - `sudo testsaslauthd -u oysteikt -p <password>`
+  - [ ] provide ldap principal to cyrus sasl through keytab
+
+- [ ] setup openldap
+  - [x] ensure running with systemd
+  - [ ] verify openldap is able to talk to cyrus sasl
+  - [ ] create user for oysteikt in openldap
+  - [ ] authenticate openldap login through sasl
+    - does this require creating an ldap user?
+
+- [ ] fix smbk5pwd integration
+  - [x] add smbk5pwd schemas to openldap
+  - [x] create openldap db for smbk5pwd with overlays
+  - [ ] test to ensure that user sync is working
+  - [ ] test as user source (replace passwd)
+  - [ ] test as PAM auth source
+  - [ ] test as auth source for 3rd party appliation
+
+- [ ] Set up ldap administration panel
+  - Doesn't seem like there are many good ones out there. Maybe phpLDAPAdmin?
+
+- [ ] Set up kerberos SRV DNS entry
+
+### Information and URLS
+
+- OpenLDAP SASL: https://www.openldap.org/doc/admin24/sasl.html
+- Use a keytab: https://kb.iu.edu/d/aumh
+- 2 ways for openldap to auth: https://security.stackexchange.com/questions/65093/how-to-test-ldap-that-authenticates-with-kerberos
+- Cyrus guide OpenLDAP + SASL + GSSAPI: https://www.cyrusimap.org/sasl/sasl/faqs/openldap-sasl-gssapi.html
+- Configuring GSSAPI and Cyrus SASL: https://web.mit.edu/darwin/src/modules/passwordserver_sasl/cyrus_sasl/doc/gssapi.html
+- PVV Kerberos docs: https://wiki.pvv.ntnu.no/wiki/Drift/Kerberos
+- OpenLDAP smbk5pwd source: https://git.openldap.org/nivanova/openldap/-/tree/master/contrib/slapd-modules/smbk5pwd
+- saslauthd(8): https://linux.die.net/man/8/saslauthd

hosts/dagali/configuration.nix

@@ -0,0 +1,51 @@
+
+{ config, pkgs, values, lib, ... }:
+{
+  imports = [
+    ./hardware-configuration.nix
+    ../../base.nix
+    ../../misc/metrics-exporters.nix
+
+    ./services/heimdal.nix
+    #./services/openldap.nix
+    ./services/cyrus-sasl.nix
+  ];
+
+  # buskerud does not support efi?
+  # boot.loader.systemd-boot.enable = true;
+  # boot.loader.efi.canTouchEfiVariables = true;
+  boot.loader.grub.enable = true;
+  boot.loader.grub.device = "/dev/sda";
+
+  # resolved messes up FQDN coming from nscd
+  services.resolved.enable = false;
+
+  networking.hostName = "dagali";
+  networking.domain = lib.mkForce "pvv.local";
+  networking.hosts = {
+    "129.241.210.185" = [ "dagali.pvv.local" ];
+  };
+  #networking.search = [ "pvv.ntnu.no" "pvv.org" ];
+  networking.nameservers = [ "129.241.0.200" "129.241.0.201" ];
+  networking.tempAddresses = "disabled";
+  networking.networkmanager.enable = true;
+
+  systemd.network.networks."ens18" = values.defaultNetworkConfig // {
+    matchConfig.Name = "ens18";
+    address = with values.hosts.dagali; [ (ipv4 + "/25") (ipv6 + "/64") ];
+  };
+
+  # List packages installed in system profile
+  environment.systemPackages = with pkgs; [
+    # TODO: consider adding to base.nix
+    nix-output-monitor
+  ];
+
+  # This value determines the NixOS release from which the default
+  # settings for stateful data, like file locations and database versions
+  # on your system were taken. It‘s perfectly fine and recommended to leave
+  # this value at the release version of the first install of this system.
+  # Before changing this value read the documentation for this option
+  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+  system.stateVersion = "24.05"; # Did you read the comment?
+}

hosts/dagali/hardware-configuration.nix

@@ -4,31 +4,22 @@
 { config, lib, pkgs, modulesPath, ... }:
 
 {
-  #imports =
-  #  [ (modulesPath + "/profiles/qemu-guest.nix")
-  #  ];
   imports =
-    [ (modulesPath + "/installer/scan/not-detected.nix")
+    [ (modulesPath + "/profiles/qemu-guest.nix")
     ];
 
-
+  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
-  boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
   boot.initrd.kernelModules = [ ];
   boot.kernelModules = [ ];
   boot.extraModulePackages = [ ];
 
   fileSystems."/" =
-    { device = "/dev/disk/by-uuid/224c45db-9fdc-45d4-b3ad-aaf20b3efa8a";
+    { device = "/dev/disk/by-uuid/4de345e2-be41-4d10-9b90-823b2c77e9b3";
       fsType = "ext4";
     };
 
-  fileSystems."/boot" =
-    { device = "/dev/disk/by-uuid/CC37-F5FE";
-      fsType = "vfat";
-    };
-
   swapDevices =
-    [ { device = "/dev/disk/by-uuid/a1ce3234-78b1-4565-9643-f4a05004424f"; }
+    [ { device = "/dev/disk/by-uuid/aa4b9a97-a7d8-4608-9f67-4ad084f1baf7"; }
     ];
 
   # Enables DHCP on each ethernet and wireless interface. In case of scripted networking

hosts/dagali/services/cyrus-sasl.nix

@@ -0,0 +1,21 @@
+{ config, ... }:
+let
+  cfg = config.services.saslauthd;
+in
+{
+  # TODO: This is seemingly required for openldap to authenticate
+  #       against kerberos, but I have no idea how to configure it as
+  #       such. Does it need a keytab? There's a binary "testsaslauthd"
+  #       that follows with `pkgs.cyrus_sasl` that might be useful.
+  services.saslauthd = {
+    enable = true;
+    mechanism = "kerberos5";
+    config = ''
+      mech_list: gs2-krb5 gssapi
+      keytab: /etc/krb5.keytab
+    '';
+  };
+
+  # TODO: maybe the upstream module should consider doing this?
+  environment.systemPackages = [ cfg.package ];
+}

hosts/dagali/services/heimdal.nix

@@ -0,0 +1,100 @@
+{ config, pkgs, lib, ... }:
+let
+  realm = "PVV.LOCAL";
+  cfg = config.security.krb5;
+in
+{
+  security.krb5 = {
+    enable = true;
+
+    # NOTE: This is required in order to build smbk5pwd, because of some nested includes.
+    #       We should open an issue upstream (heimdal, not nixpkgs), but this patch
+    #       will do for now.
+    package = pkgs.heimdal.overrideAttrs (prev: {
+      postInstall = prev.postInstall + ''
+        cp include/heim_threads.h $dev/include
+      '';
+    });
+
+    settings = {
+      realms.${realm} = {
+        kdc = [ "dagali.${lib.toLower realm}" ];
+        admin_server = "dagali.${lib.toLower realm}";
+        kpasswd_server = "dagali.${lib.toLower realm}";
+        default_domain = lib.toLower realm;
+        primary_kdc = "dagali.${lib.toLower realm}";
+      };
+
+      kadmin.default_keys = lib.concatStringsSep " " [
+        "aes256-cts-hmac-sha1-96:pw-salt"
+        "aes128-cts-hmac-sha1-96:pw-salt"
+      ];
+
+      libdefaults.default_etypes = lib.concatStringsSep " " [
+        "aes256-cts-hmac-sha1-96"
+        "aes128-cts-hmac-sha1-96"
+      ];
+
+      libdefaults = {
+        default_realm = realm;
+        dns_lookup_kdc = false;
+        dns_lookup_realm = false;
+      };
+
+      domain_realm = {
+        "${lib.toLower realm}" = realm;
+        ".${lib.toLower realm}" = realm;
+      };
+
+      logging = {
+        # kdc = "CONSOLE";
+        kdc = "SYSLOG:DEBUG:AUTH";
+        admin_server = "SYSLOG:DEBUG:AUTH";
+        default = "SYSLOG:DEBUG:AUTH";
+      };
+    };
+  };
+
+  services.kerberos_server = {
+    enable = true;
+    settings = {
+      realms.${realm} = {
+        dbname = "/var/lib/heimdal/heimdal";
+        mkey = "/var/lib/heimdal/m-key";
+        acl = [
+          {
+            principal = "kadmin/admin";
+            access = "all";
+          }
+          {
+            principal = "felixalb/admin";
+            access = "all";
+          }
+          {
+            principal = "oysteikt/admin";
+            access = "all";
+          }
+        ];
+      };
+      # kadmin.default_keys = lib.concatStringsSep " " [
+      #   "aes256-cts-hmac-sha1-96:pw-salt"
+      #   "aes128-cts-hmac-sha1-96:pw-salt"
+      # ];
+
+      # libdefaults.default_etypes = lib.concatStringsSep " " [
+      #   "aes256-cts-hmac-sha1-96"
+      #   "aes128-cts-hmac-sha1-96"
+      # ];
+
+      # password_quality.min_length = 8;
+    };
+  };
+
+  networking.firewall.allowedTCPPorts = [ 88 464 749 ];
+  networking.firewall.allowedUDPPorts = [ 88 464 749 ];
+
+  networking.hosts = {
+    "127.0.0.2" = lib.mkForce [ ];
+    "::1" = lib.mkForce [ ];
+  };
+}

hosts/dagali/services/openldap.nix

@@ -0,0 +1,121 @@
+{ config, pkgs, lib, ... }:
+{
+  services.openldap = let
+    dn = "dc=pvv,dc=ntnu,dc=no";
+    cfg = config.services.openldap;
+
+    heimdal = config.security.krb5.package;
+  in {
+    enable = true;
+
+    # NOTE: this is a custom build of openldap with support for
+    #       perl and kerberos.
+    package = pkgs.openldap.overrideAttrs (prev: {
+      # https://github.com/openldap/openldap/blob/master/configure
+      configureFlags = prev.configureFlags ++ [
+        # Connect to slapd via UNIX socket
+        "--enable-local"
+        # Cyrus SASL
+        "--enable-spasswd"
+        # Reverse hostname lookups
+        "--enable-rlookups"
+        # perl
+        "--enable-perl"
+      ];
+
+      buildInputs = prev.buildInputs ++ [
+        pkgs.perl
+	# NOTE: do not upstream this, it might not work with
+	#       MIT in the same way
+        heimdal
+      ];
+
+      extraContribModules = prev.extraContribModules ++ [
+        # https://git.openldap.org/openldap/openldap/-/tree/master/contrib/slapd-modules
+        "smbk5pwd"
+      ];
+    });
+
+    settings = {
+      attrs = {
+        olcLogLevel = [ "stats" "config" "args" ];
+
+        # olcAuthzRegexp = ''
+        #   gidNumber=.*\\\+uidNumber=0,cn=peercred,cn=external,cn=auth
+        #         "uid=heimdal,${dn2}"
+        # '';
+
+        # olcSaslSecProps = "minssf=0";
+      };
+
+      children = {
+        "cn=schema".includes = let
+          # NOTE: needed for smbk5pwd.so module
+          schemaToLdif = name: path: pkgs.runCommandNoCC name {
+            buildInputs = with pkgs; [ schema2ldif ];
+          } ''
+            schema2ldif "${path}" > $out
+          '';
+
+          hdb-ldif = schemaToLdif "hdb.ldif" "${heimdal.src}/lib/hdb/hdb.schema";
+          samba-ldif = schemaToLdif "samba.ldif" "${heimdal.src}/tests/ldap/samba.schema";
+        in [
+           "${cfg.package}/etc/schema/core.ldif"
+           "${cfg.package}/etc/schema/cosine.ldif"
+           "${cfg.package}/etc/schema/nis.ldif"
+           "${cfg.package}/etc/schema/inetorgperson.ldif"
+           "${hdb-ldif}"
+           "${samba-ldif}"
+        ];
+
+        # NOTE: installation of smbk5pwd.so module
+        #       https://git.openldap.org/openldap/openldap/-/tree/master/contrib/slapd-modules/smbk5pwd
+        "cn=module{0}".attrs = {
+          objectClass = [ "olcModuleList" ];
+          olcModuleLoad = [ "${cfg.package}/lib/modules/smbk5pwd.so" ];
+        };
+
+        # NOTE: activation of smbk5pwd.so module for {1}mdb
+        "olcOverlay={0}smbk5pwd,olcDatabase={1}mdb".attrs = {
+          objectClass = [ "olcOverlayConfig" "olcSmbK5PwdConfig" ];
+          olcOverlay = "{0}smbk5pwd";
+          olcSmbK5PwdEnable = [ "krb5" "samba" ];
+          olcSmbK5PwdMustChange = toString (60 * 60 * 24 * 10000);
+        };
+
+        "olcDatabase={1}mdb".attrs = {
+          objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ];
+
+          olcDatabase = "{1}mdb";
+
+          olcSuffix = dn;
+
+          # TODO: PW is supposed to be a secret, but it's probably fine for testing
+          olcRootDN = "cn=users,${dn}";
+
+          # TODO: replace with proper secret
+          olcRootPW.path = pkgs.writeText "olcRootPW" "pass";
+
+          olcDbDirectory = "/var/lib/openldap/test-smbk5pwd-db";
+          olcDbIndex = "objectClass eq";
+
+          olcAccess = [
+            ''{0}to attrs=userPassword,shadowLastChange
+                by dn.exact=cn=users,${dn} write
+                by self write
+                by anonymous auth
+                by * none''
+
+            ''{1}to dn.base=""
+                by * read''
+
+            /* allow read on anything else */
+            # ''{2}to *
+            #     by cn=users,${dn} write by dn.exact=gidNumber=0+uidNumber=0+cn=peercred,cn=external write
+            #     by * read''
+          ];
+        };
+      };
+    };
+  };
+}

hosts/elysium/base.nix

@@ -1,133 +0,0 @@
-{ config, lib, pkgs, inputs, values, ... }:
-
-{
-  imports = [
-    ./modules/snakeoil-certs.nix
-  ];
-
-  networking.domain = "pvv.ntnu.no";
-  networking.useDHCP = false;
-  # networking.search = [ "pvv.ntnu.no" "pvv.org" ];
-  # networking.nameservers = lib.mkDefault [ "129.241.0.200" "129.241.0.201" ];
-  # networking.tempAddresses = lib.mkDefault "disabled";
-  # networking.defaultGateway = values.hosts.gateway;
-
-  systemd.network.enable = true;
-
-  services.resolved = {
-    enable = lib.mkDefault true;
-    dnssec = "false"; # Supposdly this keeps breaking and the default is to allow downgrades anyways...
-  };
-
-  time.timeZone = "Europe/Oslo";
-
-  i18n.defaultLocale = "en_US.UTF-8";
-  console = {
-    font = "Lat2-Terminus16";
-    keyMap = "no";
-  };
-
-  system.autoUpgrade = {
-    enable = true;
-    flake = "git+https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git";
-    flags = [
-      "--update-input" "nixpkgs"
-      "--update-input" "nixpkgs-unstable"
-      "--no-write-lock-file"
-    ];
-  };
-  nix.gc.automatic = true;
-  nix.gc.options = "--delete-older-than 2d";
-
-  nix.settings.experimental-features = [ "nix-command" "flakes" ];
-
-  /* This makes commandline tools like
-  ** nix run nixpkgs#hello
-  ** and nix-shell -p hello
-  ** use the same channel the system
-  ** was built with
-  */
-  nix.registry = {
-    nixpkgs.flake = inputs.nixpkgs;
-  };
-  nix.nixPath = [ "nixpkgs=${inputs.nixpkgs}" ];
-
-  environment.systemPackages = with pkgs; [
-    file
-    git
-    gnupg
-    htop
-    nano
-    ripgrep
-    rsync
-    screen
-    tmux
-    vim
-    wget
-
-    kitty.terminfo
-    foot.terminfo
-  ];
-
-  programs.zsh.enable = true;
-
-  users.groups."drift".name = "drift";
-
-  # Trusted users on the nix builder machines
-  users.groups."nix-builder-users".name = "nix-builder-users";
-
-  services.openssh = {
-    enable = true;
-    extraConfig = ''
-      PubkeyAcceptedAlgorithms=+ssh-rsa
-    '';
-    settings.PermitRootLogin = "yes";
-  };
-
-  # nginx return 444 for all nonexistent virtualhosts
-
-  systemd.services.nginx.after = [ "generate-snakeoil-certs.service" ];
-
-  environment.snakeoil-certs = lib.mkIf config.services.nginx.enable {
-    "/etc/certs/nginx" = {
-      owner = "nginx";
-      group = "nginx";
-    };
-  };
-
-  services.nginx = {
-    recommendedTlsSettings = true;
-    recommendedProxySettings = true;
-    recommendedOptimisation = true;
-    recommendedGzipSettings = true;
-
-    appendConfig = ''
-      pcre_jit on;
-      worker_processes auto;
-      worker_rlimit_nofile 100000;
-    '';
-    eventsConfig = ''
-      worker_connections 2048;
-      use epoll;
-      multi_accept on;
-    '';
-  };
-
-  systemd.services.nginx.serviceConfig = lib.mkIf config.services.nginx.enable {
-    LimitNOFILE = 65536;
-  };
-
-  services.nginx.virtualHosts."_" = lib.mkIf config.services.nginx.enable {
-    sslCertificate = "/etc/certs/nginx.crt";
-    sslCertificateKey = "/etc/certs/nginx.key";
-    addSSL = true;
-    extraConfig = "return 444;";
-  };
-
-  networking.firewall.allowedTCPPorts = lib.mkIf config.services.nginx.enable [ 80 443 ];
-
-  security.acme = {
-    acceptTerms = true;
-    defaults.email = "drift@pvv.ntnu.no";
-  };
-}

hosts/elysium/configuration.nix

@@ -1,167 +0,0 @@
-{ config, pkgs, values, ... }:
-{
-  imports = [
-      # Include the results of the hardware scan.
-      ./hardware-configuration.nix
-      ./nvidia.nix
-      ./base.nix
-      ../../misc/metrics-exporters.nix
-    ];
-
-  sops.defaultSopsFile = ../../secrets/elysium/elysium.yaml;
-  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
-  sops.age.keyFile = "/var/lib/sops-nix/key.txt";
-  sops.age.generateKey = true;
-
-  boot.loader.systemd-boot.enable = true;
-  boot.loader.efi.canTouchEfiVariables = true;
-
-  networking.hostName = "elysium"; # Define your hostname.
-
-  #update this to actual network card.
-  systemd.network.networks."30-ens18" = values.defaultNetworkConfig // {
-    matchConfig.Name = "ens18";
-    address = with values.hosts.elysium; [ (ipv4 + "/25") (ipv6 + "/64") ];
-  };
-
-  # List packages installed in system profile
-  environment.systemPackages = with pkgs; [
-          zsh
-          bash
-          fish
-          tcsh
-
-          alpine
-          mutt
-          mutt-ics
-          mutt-wizard
-          notmuch
-          mailutils
-          procmail
-
-          irssi
-          weechat
-          weechatScripts.edit
-
-          coreutils-full
-          diffutils
-          findutils
-          ripgrep
-          cvs
-          gawk
-          git
-          gnupg
-          gnused
-          groff
-          less
-          p7zip
-          rcs
-          screen
-          tmux
-          tree
-          unzip
-          zip
-
-          emacs
-          helix
-          joe
-          micro
-          nano
-          neovim
-
-          autossh
-          inetutils
-          lynx
-          mosh
-          rsync
-          w3m
-
-          clang
-          gcc
-          guile
-          lua
-          perl
-          php
-          python3
-          (python3.withPackages (ps: with ps; [
-            numpy
-            sympy
-            scipy
-            requests
-            imageio
-            pillow
-            httpx
-            pycryptodome
-            pandas
-            matplotlib
-          ]))
-          ruby
-          tcl
-
-
-          openscad
-          cura
-          where-is-my-sddm-theme
-          firefox
-
-  ];
-
-
-
-
-  fonts.packages = with pkgs; [
-    noto-fonts
-    noto-fonts-cjk
-    noto-fonts-emoji
-    liberation_ttf
-    fira-code
-    fira-code-symbols
-    mplus-outline-fonts.githubRelease
-    dina-font
-    proggyfonts
-    nerdfonts
-    ubuntu_font_family
-
-  ];
-
-  # Enable CUPS to print documents.
-  services.printing.enable = true;
-
-  security.polkit.enable = true;
-  
-  services.displayManager = {
-    enable = true;
-    sessionPackages = with pkgs; [ sway ];
-    sddm = {
-      enable = true;
-      theme = "${pkgs.where-is-my-sddm-theme}";
-      wayland.enable = true;
-      wayland.compositor = "kwin";
-      autoNumlock = true;
-      enableHidpi = true;
-    };
-  };
-
-  services.desktopManager.plasma6.enable = true;
-  services.desktopManager.plasma6.enableQt5Integration = true;
-
-  qt.platformTheme = "kde";
-
-  # Configure keymap in X11
-  services.xserver.xkb = {
-    layout = "us,no";
-    variant = ",";
-  };
-
-
-  # List services that you want to enable:
-
-  # This value determines the NixOS release from which the default
-  # settings for stateful data, like file locations and database versions
-  # on your system were taken. It‘s perfectly fine and recommended to leave
-  # this value at the release version of the first install of this system.
-  # Before changing this value read the documentation for this option
-  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
-  system.stateVersion = "23.05"; # Did you read the comment?
-
-}

hosts/elysium/nvidia.nix

@@ -1,52 +0,0 @@
-{ config, lib, pkgs, ... }:
-{
-  # Enable OpenGL
-  hardware.opengl = {
-    enable = true;
-    driSupport = true;
-    driSupport32Bit = true;
-  };
-  
-  # Load nvidia driver for Xorg and Wayland
-  services.xserver.videoDrivers = ["nvidia"];
-  #boot with nvidia kernel module
-  boot.initrd.kernelModules = [ "nvidia" ];
-  hardware.nvidia = {
-    # Modesetting is required.
-    modesetting.enable = true;
-      # Nvidia power management. Experimental, and can cause sleep/suspend to fail.
-      #powerManagement.enable = true;
-      # Fine-grained power management. Turns off GPU when not in use.
-      # Experimental and only works on modern Nvidia GPUs (Turing or newer).
-      #powerManagement.finegrained = true;
-
-      # Use the NVidia open source kernel module (not to be confused with the
-      # independent third-party "nouveau" open source driver).
-      # Support is limited to the Turing and later architectures. Full list of 
-      # supported GPUs is at: 
-      # https://github.com/NVIDIA/open-gpu-kernel-modules#compatible-gpus 
-      # Only available from driver 515.43.04+
-      # Currently alpha-quality/buggy, so false is currently the recommended setting.
-      open = false;
-
-      # Enable the Nvidia settings menu,
-      # accessible via `nvidia-settings`.
-      nvidiaSettings = true;
-
-      # Optionally, you may need to select the appropriate driver version for your specific GPU.
-      package = config.boot.kernelPackages.nvidiaPackages.legacy_470;
-    };
-
-
-    # Enable the CUDA toolkit
-    #install packages 
-    environment.systemPackages = with pkgs; [
-      #cudaPackages.cudnn
-      #cudaPackages.cudatoolkit
-      
-      nvtopPackages.nvidia
-      
-    ];
-
-
-  }

hosts/ildkule/services/monitoring/loki.nix

@@ -50,7 +50,6 @@ in {
         boltdb_shipper = {
           active_index_directory = "/var/lib/loki/boltdb-shipper-index";
           cache_location = "/var/lib/loki/boltdb-shipper-cache";
-          shared_store = "filesystem";
           cache_ttl = "24h";
         };
         filesystem = {
@@ -59,14 +58,13 @@ in {
       };
 
       limits_config = {
-        enforce_metric_name = false;
+	allow_structured_metadata = false;
         reject_old_samples = true;
         reject_old_samples_max_age = "72h";
       };
 
       compactor = {
         working_directory = "/var/lib/loki/compactor";
-        shared_store = "filesystem";
       };
 
       # ruler = {

users/felixalb.nix

@@ -1,8 +1,12 @@
-{ pkgs, ... }:
+{ pkgs, lib, config, ... }:
 {
   users.users.felixalb = {
     isNormalUser = true;
-    extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
+    extraGroups = [
+      "wheel"
+    ] ++ lib.optionals ( config.users.groups ? "libvirtd" ) [
+      "libvirtd"
+    ];
     shell = pkgs.zsh;
     openssh.authorizedKeys.keys = [
       "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDKzPICGew7uN0cmvRmbwkwTCodTBUgEhkoftQnZuO4Q felixalbrigtsen@gmail.com"

values.nix

@@ -29,6 +29,10 @@ in rec {
       ipv4 = pvv-ipv4 168;
       ipv6 = pvv-ipv6 168;
     };
+    dagali = {
+      ipv4 = pvv-ipv4 185;
+      ipv6 = pvv-ipv6 185;
+    };
     ildkule = {
       ipv4 = "10.212.25.209";
       ipv6 = "2001:700:300:6025:f816:3eff:feee:812d";