Added back old ssphp login theme

hosts/bekkalokk/services/idp-simplesamlphp/config.php

@@ -556,6 +556,7 @@ $config = [
     'module.enable' => [
         'admin' => true,
 	'authpwauth' => true,
+	'themepvv' => true,
     ],
 
 
@@ -858,7 +859,7 @@ $config = [
     /*
      * Which theme directory should be used?
      */
-    'theme.use' => 'default',
+    'theme.use' => 'themepvv:pvv',
 
     /*
      * Set this option to the text you would like to appear at the header of each page. Set to false if you don't want

hosts/bekkalokk/services/idp-simplesamlphp/default.nix

@@ -1,8 +1,24 @@
-{ config, pkgs, lib, ... }:
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
 let
+  themePvv = pkgs.fetchFromGitea {
+    domain = "git.pvv.ntnu.no";
+    owner = "Drift";
+    repo = "ssp-theme";
+    rev = "bda4314030be5f81aeaf2fb1927aee582f1194d9";
+    hash = "sha256-naNRyPL6PAsZKW2w1Vt9wrHT9inCL/yAFnvpy4glv+c=";
+  };
+
   pwAuthScript = pkgs.writeShellApplication {
     name = "pwauth";
-    runtimeInputs = with pkgs; [ coreutils heimdal ];
+    runtimeInputs = with pkgs; [
+      coreutils
+      heimdal
+    ];
     text = ''
       read -r user1
       user2="$(echo -n "$user1" | tr -c -d '0123456789abcdefghijklmnopqrstuvwxyz')"
@@ -33,7 +49,7 @@ let
 
       "metadata/saml20-sp-remote.php" = pkgs.writeText "saml20-sp-remote.php" ''
         <?php
-          ${ lib.pipe config.services.idp.sp-remote-metadata [
+          ${lib.pipe config.services.idp.sp-remote-metadata [
             (map (url: ''
               $metadata['${url}'] = [
                 'SingleLogoutService' => [
@@ -85,18 +101,27 @@ let
 
         substituteInPlace "$out" \
           --replace-warn '$SAML_COOKIE_SECURE' 'true' \
-          --replace-warn '$SAML_COOKIE_SALT' 'file_get_contents("${config.sops.secrets."idp/cookie_salt".path}")' \
+          --replace-warn '$SAML_COOKIE_SALT' 'file_get_contents("${
+            config.sops.secrets."idp/cookie_salt".path
+          }")' \
           --replace-warn '$SAML_ADMIN_NAME' '"Drift"' \
           --replace-warn '$SAML_ADMIN_EMAIL' '"drift@pvv.ntnu.no"' \
-          --replace-warn '$SAML_ADMIN_PASSWORD' 'file_get_contents("${config.sops.secrets."idp/admin_password".path}")' \
+          --replace-warn '$SAML_ADMIN_PASSWORD' 'file_get_contents("${
+            config.sops.secrets."idp/admin_password".path
+          }")' \
           --replace-warn '$SAML_TRUSTED_DOMAINS' 'array( "idp.pvv.ntnu.no" )' \
           --replace-warn '$SAML_DATABASE_DSN' '"pgsql:host=postgres.pvv.ntnu.no;port=5432;dbname=idp"' \
           --replace-warn '$SAML_DATABASE_USERNAME' '"idp"' \
-          --replace-warn '$SAML_DATABASE_PASSWORD' 'file_get_contents("${config.sops.secrets."idp/postgres_password".path}")' \
+          --replace-warn '$SAML_DATABASE_PASSWORD' 'file_get_contents("${
+            config.sops.secrets."idp/postgres_password".path
+          }")' \
           --replace-warn '$CACHE_DIRECTORY' '/var/cache/idp'
       '';
 
       "modules/authpwauth/src/Auth/Source/PwAuth.php" = ./authpwauth.php;
+
+      # PVV theme module (themepvv).
+      "modules/themepvv" = themePvv;
     };
   };
 in
@@ -158,23 +183,25 @@ in
     services.phpfpm.pools.idp = {
       user = "idp";
       group = "idp";
-      settings = let
-        listenUser = config.services.nginx.user;
-        listenGroup = config.services.nginx.group;
-      in {
-        "pm" = "dynamic";
-        "pm.max_children" = 32;
-        "pm.max_requests" = 500;
-        "pm.start_servers" = 2;
-        "pm.min_spare_servers" = 2;
-        "pm.max_spare_servers" = 4;
-        "listen.owner" = listenUser;
-        "listen.group" = listenGroup;
+      settings =
+        let
+          listenUser = config.services.nginx.user;
+          listenGroup = config.services.nginx.group;
+        in
+        {
+          "pm" = "dynamic";
+          "pm.max_children" = 32;
+          "pm.max_requests" = 500;
+          "pm.start_servers" = 2;
+          "pm.min_spare_servers" = 2;
+          "pm.max_spare_servers" = 4;
+          "listen.owner" = listenUser;
+          "listen.group" = listenGroup;
 
-        "catch_workers_output" = true;
-        "php_admin_flag[log_errors]" = true;
-        # "php_admin_value[error_log]" = "stderr";
-      };
+          "catch_workers_output" = true;
+          "php_admin_flag[log_errors]" = true;
+          # "php_admin_value[error_log]" = "stderr";
+        };
     };
 
     services.nginx.virtualHosts."idp.pvv.ntnu.no" = {
@@ -182,7 +209,7 @@ in
       enableACME = true;
       kTLS = true;
       root = "${package}/share/php/simplesamlphp/public";
-      locations =  {
+      locations = {
         # based on https://simplesamlphp.org/docs/stable/simplesamlphp-install.html#configuring-nginx
         "/" = {
           alias = "${package}/share/php/simplesamlphp/public/";

hosts/gluttony/configuration.nix

@@ -10,8 +10,6 @@
     (fp /base)
   ];
 
-  boot.loader.systemd-boot.enable = false;
-
   systemd.network.enable = lib.mkForce false;
   networking =
     let

hosts/skrott/configuration.nix

@@ -1,10 +1,12 @@
-{ config, pkgs, lib, fp, ... }: {
+{ config, pkgs, lib, fp, values, ... }: {
   imports = [
     # ./hardware-configuration.nix
 
     (fp /base)
   ];
 
+  sops.defaultSopsFile = fp /secrets/skrott/skrott.yaml;
+
   boot = {
     consoleLogLevel = 0;
     enableContainers = false;
@@ -36,7 +38,11 @@
     interfaces.eth0 = {
       useDHCP = false;
       ipv4.addresses = [{
-        address = "129.241.210.235";
+        address = values.hosts.skrott.ipv4;
+        prefixLength = 25;
+      }];
+      ipv6.addresses = [{
+        address = values.hosts.skrott.ipv6;
         prefixLength = 25;
       }];
     };

hosts/temmie/configuration.nix

@@ -1,18 +1,21 @@
 { config, fp, pkgs, values, ... }:
 {
   imports = [
-      # Include the results of the hardware scan.
-      ./hardware-configuration.nix
-      (fp /base)
+    # Include the results of the hardware scan.
+    ./hardware-configuration.nix
+    (fp /base)
 
-      ./services/nfs-mounts.nix
-    ];
+    ./services/nfs-mounts.nix
+    ./services/userweb.nix
+  ];
 
   systemd.network.networks."30-ens18" = values.defaultNetworkConfig // {
     matchConfig.Name = "ens18";
     address = with values.hosts.temmie; [ (ipv4 + "/25") (ipv6 + "/64") ];
   };
 
+  services.nginx.enable = false;
+
   services.qemuGuest.enable = true;
 
   # Don't change (even during upgrades) unless you know what you are doing.

hosts/temmie/services/nfs-mounts.nix

@@ -1,21 +1,60 @@
-{ pkgs, lib, ... }:
+{ lib, values, ... }:
+let
+  # See microbel:/etc/exports
+  letters = [ "a" "b" "c" "d"  "h" "i" "j" "k" "l" "m" "z" ];
+in
 {
-  fileSystems = let
-    # See microbel:/etc/exports
-    shorthandAreas = lib.listToAttrs (map
-      (l: lib.nameValuePair "/run/pvv-home-mounts/${l}" "homepvv${l}.pvv.ntnu.no:/export/home/pvv/${l}")
-      [ "a" "b" "c" "d"  "h" "i" "j" "k" "l" "m" "z" ]);
-  in { }
-  //
-  (lib.mapAttrs (_: device: {
-    inherit device;
-    fsType = "nfs";
-    options = [
+  systemd.targets."pvv-homedirs" = {
+    description = "PVV Homedir Partitions";
+  };
+
+  systemd.mounts = map (l: {
+    description = "PVV Homedir Partition ${l}";
+
+    before = [ "remote-fs.target" ];
+    wantedBy = [ "multi-user.target" ];
+    requiredBy = [ "pvv-homedirs.target" ];
+
+    type = "nfs";
+    what = "homepvv${l}.pvv.ntnu.no:/export/home/pvv/${l}";
+    where = "/run/pvv-home-mounts/${l}";
+
+    options = lib.concatStringsSep "," [
       "nfsvers=3"
-      "noauto"
+
+      # NOTE: this is a bit unfortunate. The address above seems to resolve to IPv6 sometimes,
+      #       and it doesn't seem possible to specify proto=tcp,tcp6, meaning we have to tell
+      #       NFS which exact address to use here, despite it being specified in the `what` attr :\
       "proto=tcp"
-      "x-systemd.automount"
-      "x-systemd.idle-timeout=300"
+      "addr=${values.hosts.microbel.ipv4}"
+      "mountproto=tcp"
+      "mounthost=${values.hosts.microbel.ipv4}"
+      "port=2049"
+
+      # NOTE: this is yet more unfortunate. When enabling locking, it will sometimes complain about connection failed.
+      #       dmesg(1) reveals that it has something to do with registering the lockdv1 RPC service (errno: 111), not
+      #       quite sure how to fix it. Living life on dangerous mode for now.
+      "nolock"
+
+      # Don't wait on every read/write
+      "async"
+
+      # Always keep mounted
+      "noauto"
+
+      # We don't want to update access time constantly
+      "noatime"
+
+      # No SUID/SGID, no special devices
+      "nosuid"
+      "nodev"
+
+      # TODO: are there cgi scripts that modify stuff in peoples homedirs?
+      # "ro"
+      "rw"
+
+      # TODO: can we enable this and still run cgi stuff?
+      # "noexec"
     ];
-  }) shorthandAreas);
+  }) letters;
 }

hosts/temmie/services/userweb.nix

@@ -0,0 +1,29 @@
+{ ... }:
+{
+  services.httpd = {
+    enable = true;
+
+    # extraModules = [];
+
+    # virtualHosts."userweb.pvv.ntnu.no" = {
+    virtualHosts."temmie.pvv.ntnu.no" = {
+
+      forceSSL = true;
+      enableACME = true;
+    };
+  };
+
+  systemd.services.httpd = {
+    after = [ "pvv-homedirs.target" ];
+    requires = [ "pvv-homedirs.target" ];
+
+    serviceConfig = {
+      ProtectHome = "tmpfs";
+      BindPaths = let
+        letters = [ "a" "b" "c" "d"  "h" "i" "j" "k" "l" "m" "z" ];
+      in map (l: "/run/pvv-home-mounts/${l}:/home/pvv/${l}") letters;
+    };
+  };
+
+  # TODO: create phpfpm pools with php environments that contain packages similar to those present on tom
+}

topology/default.nix

@@ -53,7 +53,7 @@ in {
   nodes.ntnu-pvv-router = mkRouter "NTNU PVV Gateway" {
     interfaceGroups = [ ["wan1"] ["eth1"] ];
     connections.eth1 = mkConnection "knutsen" "em1";
-    interfaces.eth1.network = "pvv";
+    interfaces.eth1.network = "ntnu";
   };
 
   nodes.knutsen = mkRouter "knutsen" {
@@ -82,6 +82,8 @@ in {
         (mkConnection "buskerud" "eth1")
         # (mkConnection "knutsen" "eth1")
         (mkConnection "powerpuff-cluster" "eth1")
+        (mkConnection "powerpuff-cluster" "eth2")
+        (mkConnection "powerpuff-cluster" "eth3")
         (mkConnection "lupine-1" "enp0s31f6")
         (mkConnection "lupine-2" "enp0s31f6")
         (mkConnection "lupine-3" "enp0s31f6")
@@ -139,7 +141,7 @@ in {
 
     hardware.info = "Dell PowerEdge R730 x 3";
 
-    interfaceGroups = [ [ "eth1" ] ];
+    interfaceGroups = [ [ "eth1" "eth2" "eth3" ] ];
 
     services = {
       proxmox = {
@@ -167,6 +169,13 @@ in {
     interfaces.ens18.network = "pvv";
   };
 
+  nodes.temmie = {
+    guestType = "proxmox";
+    parent = config.nodes.powerpuff-cluster.id;
+
+    interfaces.ens18.network = "pvv";
+  };
+
   nodes.ustetind = {
     guestType = "proxmox LXC";
     parent = config.nodes.powerpuff-cluster.id;
@@ -219,7 +228,7 @@ in {
         (mkConnection "demiurgen" "eno1")
         (mkConnection "sanctuary" "ethernet_0")
         (mkConnection "torskas" "eth0")
-        (mkConnection "skrott" "eth0")
+        (mkConnection "skrot" "eth0")
         (mkConnection "homeassistant" "eth0")
         (mkConnection "orchid" "eth0")
         (mkConnection "principal" "em0")
@@ -249,6 +258,12 @@ in {
 
     interfaces.ens4.network = "ntnu";
   };
+  nodes.gluttony = {
+    guestType = "openstack";
+    parent = config.nodes.stackit.id;
+
+    interfaces.ens3.network = "ntnu";
+  };
   nodes.wenche = {
     guestType = "openstack";
     parent = config.nodes.stackit.id;

topology/non-nixos-machines.nix

@@ -290,21 +290,6 @@ in {
     };
   };
 
-  nodes.skrott = mkDevice "skrott" {
-    # TODO: the interface name is likely wrong
-    interfaceGroups = [ [ "eth0" ] ];
-    interfaces.eth0 = {
-      # mac = "";
-      addresses = [
-        "129.241.210.235"
-      ];
-      gateways = [
-        values.hosts.gateway
-        values.hosts.gateway6
-      ];
-    };
-  };
-
   nodes.torskas = mkDevice "torskas" {
     deviceIcon = "${pkgs.super-tiny-icons}/share/icons/SuperTinyIcons/svg/arch_linux.svg";
 

values.nix

@@ -69,10 +69,18 @@ in rec {
       ipv4 = pvv-ipv4 223;
       ipv6 = pvv-ipv6 223;
     };
+    microbel = {
+      ipv4 = pvv-ipv4 179;
+      ipv6 = pvv-ipv6 "1:2";
+    };
     ustetind = {
       ipv4 = pvv-ipv4 234;
       ipv6 = pvv-ipv6 234;
     };
+    skrott = {
+      ipv4 = pvv-ipv4 235;
+      ipv6 = pvv-ipv6 235;
+    };
     temmie = {
       ipv4 = pvv-ipv4 167;
       ipv6 = pvv-ipv6 167;