WIP: temmie/userweb: use IPC to proxy sendmail requests out of sandbox

base/default.nix

@@ -84,8 +84,6 @@
 
   # users.mutableUsers = lib.mkDefault false;
 
-  users.users.root.initialHashedPassword = "$y$j9T$ahP6GAdttD17OMBo7Yqeh.$Ad7qBcFvTL7HrJ9uTtrQzksN3220Nj9t/CrP6DwgK34"; # generated using mkpasswd, see huttiheita root on vaultwarden
-
   users.groups."drift".name = "drift";
 
   # Trusted users on the nix builder machines

base/services/acme.nix

@@ -8,5 +8,6 @@
   # Let's not spam LetsEncrypt in `nixos-rebuild build-vm` mode:
   virtualisation.vmVariant = {
     security.acme.defaults.server = "https://127.0.0.1";
+    users.users.root.initialPassword = "root";
   };
 }

flake.lock

@@ -232,11 +232,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1778407980,
+        "lastModified": 1777808420,
-        "narHash": "sha256-r980BhsReZQe6FkmyNZkwCZpvzARo5jZgTl8HxjAssY=",
+        "narHash": "sha256-hh9XBz0K1ypZ+neezgIPCSsnWFKEq8VfV/1aUSPu3OA=",
         "owner": "oddlama",
         "repo": "nix-topology",
-        "rev": "ca0a602f650306d00d6f3e3c76d0f4c48a5c5adc",
+        "rev": "28e9dc901ff38a8fa2d24bccd5f89511d6d8324e",
         "type": "github"
       },
       "original": {
@@ -248,11 +248,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1778544512,
+        "lastModified": 1778125667,
-        "narHash": "sha256-VIsPgfIpZ/01XUO6WN+o1NZbP5iKPKPHdHPWqfm4XIg=",
+        "narHash": "sha256-swcxqlW+XrZFBqjcV3AV8AR64/eI234AZRFKs6q4DFo=",
-        "rev": "c417517f9d525181ee5619c683419d308ee29fe8",
+        "rev": "75636a69ad3115ff64d4cb3090e66c8275dda9c2",
         "type": "tarball",
-        "url": "https://releases.nixos.org/nixos/25.11-small/nixos-25.11.10745.c417517f9d52/nixexprs.tar.xz"
+        "url": "https://releases.nixos.org/nixos/25.11-small/nixos-25.11.10534.75636a69ad31/nixexprs.tar.xz"
       },
       "original": {
         "type": "tarball",
@@ -276,11 +276,11 @@
     },
     "nixpkgs-unstable": {
       "locked": {
-        "lastModified": 1778586796,
+        "lastModified": 1778157832,
-        "narHash": "sha256-XmDljcG4x8slQDlsWOc77pCA1YVuYn8JGumkYlhfTxI=",
+        "narHash": "sha256-lSl05j1UzI5MioSJWUa7oUp5a88zzv3sXMwWC4d1N70=",
-        "rev": "b25e938b89759b5f9466fc53c4a970244f84dc39",
+        "rev": "ec299c6a33eee9baf5b4d72881ca2f15c06b4f01",
         "type": "tarball",
-        "url": "https://releases.nixos.org/nixos/unstable-small/nixos-26.05pre996582.b25e938b8975/nixexprs.tar.xz"
+        "url": "https://releases.nixos.org/nixos/unstable-small/nixos-26.05pre993859.ec299c6a33ee/nixexprs.tar.xz"
       },
       "original": {
         "type": "tarball",
@@ -315,11 +315,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1778960428,
+        "lastModified": 1769009806,
-        "narHash": "sha256-YAs3LbFGlBLJW3xHeoQfTq2GBBXTvuSKl2WXDtloczU=",
+        "narHash": "sha256-52xTtAOc9B+MBRMRZ8HI6ybNsRLMlHHLh+qwAbaJjRY=",
         "ref": "main",
-        "rev": "927748790b1f7159adfe32a3ad9ec01d22e9c5a2",
+        "rev": "aa8adfc6a4d5b6222752e2d15d4a6d3b3b85252e",
-        "revCount": 583,
+        "revCount": 575,
         "type": "git",
         "url": "https://git.pvv.ntnu.no/Projects/nettsiden.git"
       },
@@ -380,17 +380,17 @@
         "rust-overlay": "rust-overlay_3"
       },
       "locked": {
-        "lastModified": 1778600367,
+        "lastModified": 1777418851,
-        "narHash": "sha256-YB0b2xUf4D8792D5Ay//7C3AjHyv+9yoy8K1mTe+wvE=",
+        "narHash": "sha256-M6LntO3jkxwgcKkaa9de1Vqu+LsV12Yz8Bv3/9/k018=",
         "ref": "main",
-        "rev": "8e5f2849ff7c9616100fe928261512a7ad647939",
+        "rev": "16b2bc5c2759e20ecb952374509f1e1f9d6c06e7",
-        "revCount": 91,
+        "revCount": 83,
         "type": "git",
         "url": "https://git.pvv.ntnu.no/Projects/roowho2.git"
       },
       "original": {
         "ref": "main",
-        "rev": "8e5f2849ff7c9616100fe928261512a7ad647939",
+        "rev": "16b2bc5c2759e20ecb952374509f1e1f9d6c06e7",
         "type": "git",
         "url": "https://git.pvv.ntnu.no/Projects/roowho2.git"
       }

flake.nix

@@ -32,7 +32,7 @@
     minecraft-heatmap.url = "git+https://git.pvv.ntnu.no/Projects/minecraft-heatmap.git?ref=main";
     minecraft-heatmap.inputs.nixpkgs.follows = "nixpkgs";
 
-    roowho2.url = "git+https://git.pvv.ntnu.no/Projects/roowho2.git?ref=main&rev=8e5f2849ff7c9616100fe928261512a7ad647939";
+    roowho2.url = "git+https://git.pvv.ntnu.no/Projects/roowho2.git?ref=main&rev=16b2bc5c2759e20ecb952374509f1e1f9d6c06e7";
     roowho2.inputs.nixpkgs.follows = "nixpkgs";
 
     greg-ng.url = "git+https://git.pvv.ntnu.no/Grzegorz/greg-ng.git?ref=main";
@@ -49,14 +49,8 @@
     qotd.inputs.nixpkgs.follows = "nixpkgs";
   };
 
-  outputs = {
+  outputs = { self, nixpkgs, nixpkgs-unstable, sops-nix, disko, ... }@inputs:
-    self,
+  let
-    nixpkgs,
-    nixpkgs-unstable,
-    sops-nix,
-    disko,
-    ...
-  } @ inputs: let
     inherit (nixpkgs) lib;
     systems = [
       "x86_64-linux"
@@ -77,11 +71,9 @@
   in {
     inputs = lib.mapAttrs (_: src: src.outPath) inputs;
 
-    pkgs = forAllSystems (system:
+    pkgs = forAllSystems (system: import nixpkgs {
-      import nixpkgs {
       inherit system;
-        config.allowUnfreePredicate = pkg:
+      config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg)
-          builtins.elem (lib.getName pkg)
         [
           "nvidia-x11"
           "nvidia-settings"
@@ -89,7 +81,11 @@
     });
 
     nixosConfigurations = let
-      nixosConfig = nixpkgs: name: configurationPath: extraArgs @ {
+      nixosConfig =
+        nixpkgs:
+        name:
+        configurationPath:
+        extraArgs@{
           localSystem ? "x86_64-linux", # buildPlatform
           crossSystem ? "x86_64-linux", # hostPlatform
           specialArgs ? { },
@@ -97,62 +93,48 @@
           overlays ? [ ],
           enableDefaults ? true,
           ...
-      }: let
+        }:
-        commonPkgsConfig =
+        let
-          {
+          commonPkgsConfig = {
-            config.allowUnfreePredicate = pkg:
+            config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg)
-              builtins.elem (lib.getName pkg)
               [
                 "nvidia-x11"
                 "nvidia-settings"
               ];
-            overlays =
+            overlays = (lib.optionals enableDefaults [
-              (lib.optionals enableDefaults [
               # Global overlays go here
               inputs.roowho2.overlays.default
-              ])
+            ]) ++ overlays;
-              ++ overlays;
+          } // (if localSystem != crossSystem then {
-          }
-          // (
-            if localSystem != crossSystem
-            then {
             inherit localSystem crossSystem;
-            }
+          } else {
-            else {
             system = crossSystem;
-            }
+          });
-          );
           pkgs = import nixpkgs commonPkgsConfig;
           unstablePkgs = import nixpkgs-unstable commonPkgsConfig;
         in
-        lib.nixosSystem (
+        lib.nixosSystem (lib.recursiveUpdate
-          lib.recursiveUpdate
         {
           system = crossSystem;
 
           inherit pkgs;
 
-            specialArgs =
+          specialArgs = {
-              {
             inherit inputs unstablePkgs;
             values = import ./values.nix;
             fp = path: ./${path};
-              }
+          } // specialArgs;
-              // specialArgs;
 
-            modules =
+          modules = [
-              [
             {
               networking.hostName = lib.mkDefault name;
             }
             configurationPath
-              ]
+          ] ++ (lib.optionals enableDefaults [
-              ++ (lib.optionals enableDefaults [
             sops-nix.nixosModules.sops
             inputs.roowho2.nixosModules.default
             self.nixosModules.rsync-pull-targets
-              ])
+          ]) ++ modules;
-              ++ modules;
         }
         (builtins.removeAttrs extraArgs [
           "localSystem"
@@ -166,8 +148,7 @@
 
       stableNixosConfig = name: extraArgs:
           nixosConfig nixpkgs name ./hosts/${name}/configuration.nix extraArgs;
-    in
+    in {
-      {
       bicep = stableNixosConfig "bicep" {
         modules = [
           inputs.matrix-next.nixosModules.default
@@ -200,11 +181,7 @@
           inputs.qotd.nixosModules.default
         ];
       };
-        ildkule = stableNixosConfig "ildkule" {
+      ildkule = stableNixosConfig "ildkule" { };
-          modules = [
-            inputs.disko.nixosModules.disko
-          ];
-        };
       #ildkule-unstable = unstableNixosConfig "ildkule" { };
       skrot = stableNixosConfig "skrot" {
         modules = [
@@ -257,13 +234,12 @@
         ];
       };
     }
-      // (let
+    //
+    (let
       machineNames = map (i: "lupine-${toString i}") (lib.range 1 5);
       stableLupineNixosConfig = name: extraArgs:
           nixosConfig nixpkgs name ./hosts/lupine/configuration.nix extraArgs;
-      in
+    in lib.genAttrs machineNames (name: stableLupineNixosConfig name {
-        lib.genAttrs machineNames (name:
-          stableLupineNixosConfig name {
       modules = [{ networking.hostName = name; }];
       specialArgs.lupineName = name;
     }));
@@ -288,8 +264,7 @@
             })
           ];
         };
-      in
+      in pkgs.callPackage ./shell.nix { };
-        pkgs.callPackage ./shell.nix {};
       cuda = let
         cuda-pkgs = import nixpkgs-unstable {
           inherit system;
@@ -298,22 +273,18 @@
             cudaSupport = true;
           };
         };
-      in
+      in cuda-pkgs.callPackage ./shells/cuda.nix { };
-        cuda-pkgs.callPackage ./shells/cuda.nix {};
     });
 
     packages = {
       "x86_64-linux" = let
         system = "x86_64-linux";
         pkgs = nixpkgs.legacyPackages.${system};
-      in
+      in rec {
-        rec {
         default = important-machines;
-          important-machines =
+        important-machines = pkgs.linkFarm "important-machines"
-            pkgs.linkFarm "important-machines"
           (lib.getAttrs importantMachines self.packages.${system});
-          all-machines =
+        all-machines = pkgs.linkFarm "all-machines"
-            pkgs.linkFarm "all-machines"
           (lib.getAttrs allMachines self.packages.${system});
 
         simplesamlphp = pkgs.callPackage ./packages/simplesamlphp { };
@@ -354,8 +325,7 @@
           modules = [
             ./topology
             {
-                nixosConfigurations = lib.mapAttrs (_name: nixosCfg:
+              nixosConfigurations = lib.mapAttrs (_name: nixosCfg: nixosCfg.extendModules {
-                  nixosCfg.extendModules {
                 modules = [
                   inputs.nix-topology.nixosModules.default
                   ./topology/service-extractors/greg-ng.nix
@@ -363,15 +333,13 @@
                   ./topology/service-extractors/mysql.nix
                   ./topology/service-extractors/gitea-runners.nix
                 ];
-                  })
+              }) self.nixosConfigurations;
-                self.nixosConfigurations;
             }
           ];
         };
       in {
         topology = topology'.config.output;
-          topology-png =
+        topology-png = pkgs.runCommand "pvv-config-topology-png" {
-            pkgs.runCommand "pvv-config-topology-png" {
           nativeBuildInputs = [ pkgs.writableTmpDirAsHomeHook ];
         } ''
           mkdir -p "$out"

hosts/bekkalokk/services/website/default.nix

@@ -80,40 +80,9 @@ in {
   };
 
   services.phpfpm.pools."pvv-nettsiden".settings = {
-    "php_admin_value[error_log]" = "syslog";
+    # "php_admin_value[error_log]" = "stderr";
     "php_admin_flag[log_errors]" = true;
     "catch_workers_output" = true;
-
-    "php_admin_value[max_execution_time]" = "30";
-    "request_terminate_timeout" = "60s";
-
-    "php_admin_value[sendmail_path]" = let
-      fakeSendmail = pkgs.writeShellApplication {
-        name = "fake-sendmail";
-        text = ''
-          TIMESTAMP="$(date +%Y-%m-%d-%H-%M-%S-%N)"
-          (
-            echo "SENDMAIL ARGS:"
-            echo "$@"
-            echo "SENDMAIL STDIN:"
-            cat -
-          ) > "/var/lib/pvv-nettsiden/emails/$TIMESTAMP.mail"
-        '';
-      };
-    in lib.getExe fakeSendmail;
-
-    "php_admin_value[disable_functions]" = lib.concatStringsSep "," [
-      "curl_exec"
-      "curl_multi_exec"
-      "exec"
-      "parse_ini_file"
-      "passthru"
-      "popen"
-      "proc_open"
-      "shell_exec"
-      "show_source"
-      "system"
-    ];
   };
 
   services.nginx.virtualHosts."pvv.ntnu.no" = {

hosts/bekkalokk/services/website/fetch-gallery.nix

@@ -40,7 +40,7 @@ in {
     path = with pkgs; [ imagemagick gnutar gzip ];
 
     script = ''
-      tar ${lib.cli.toCommandLineShellGNU { } {
+      tar ${lib.cli.toGNUCommandLineShell {} {
         extract = true;
         file = "${transferDir}/gallery.tar.gz";
         directory = ".";

hosts/ildkule/configuration.nix

@@ -1,14 +1,8 @@
+{ config, fp, pkgs, lib, values, ... }:
 {
-  config,
-  fp,
-  pkgs,
-  lib,
-  values,
-  ...
-}: {
   imports = [
+      # Include the results of the hardware scan.
       ./hardware-configuration.nix
-    ./disks.nix
       (fp /base)
 
       ./services/monitoring
@@ -16,8 +10,8 @@
       ./services/journald-remote.nix
     ];
 
-  boot.loader.grub.enable = true;
+  boot.loader.systemd-boot.enable = false;
-  boot.loader.systemd-boot.enable = lib.mkForce false;
+  boot.loader.grub.device = "/dev/vda";
   boot.tmp.cleanOnBoot = true;
   zramSwap.enable = true;
 
@@ -33,22 +27,13 @@
     nameservers = values.defaultNetworkConfig.dns;
     defaultGateway.address = hostConf.ipv4_internal_gw;
 
-    interfaces."ens3" = {
+    interfaces."ens4" = {
       ipv4.addresses = [
-        {
+        { address = hostConf.ipv4;          prefixLength = 32; }
-          address = hostConf.ipv4;
+        { address = hostConf.ipv4_internal; prefixLength = 24; }
-          prefixLength = 32;
-        }
-        {
-          address = hostConf.ipv4_internal;
-          prefixLength = 24;
-        }
       ];
       ipv6.addresses = [
-        {
+        { address = hostConf.ipv6;          prefixLength = 64; }
-          address = hostConf.ipv6;
-          prefixLength = 64;
-        }
       ];
     };
   };

hosts/ildkule/disks.nix

@@ -1,27 +0,0 @@
-{
-  disko.devices = {
-    disk = {
-      sda = {
-        device = "/dev/sda";
-        type = "disk";
-        content = {
-          type = "gpt";
-          partitions = {
-            bios = {
-              size = "1M";
-              type = "EF02";
-            };
-            root = {
-              size = "100%";
-              content = {
-                type = "filesystem";
-                format = "ext4";
-                mountpoint = "/";
-              };
-            };
-          };
-        };
-      };
-    };
-  };
-}

hosts/ildkule/hardware-configuration.nix

@@ -1,24 +1,16 @@
-# Do not modify this file!  It was generated by ‘nixos-generate-config’
+{ modulesPath, lib, ... }:
-# and may be overwritten by future invocations.  Please make changes
-# to /etc/nixos/configuration.nix instead.
-{ config, lib, pkgs, modulesPath, ... }:
-
 {
-  imports =
+  imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
-    [ (modulesPath + "/profiles/qemu-guest.nix")
+  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi" ];
-    ];
+  boot.initrd.kernelModules = [ "nvme" ];
+  fileSystems."/" = {
+    device = "/dev/disk/by-uuid/e35eb4ce-aac3-4f91-8383-6e7cd8bbf942";
+    fsType = "ext4";
+  };
+  fileSystems."/data" = {
+    device = "/dev/disk/by-uuid/0a4c1234-02d3-4b53-aeca-d95c4c8d534b";
+    fsType = "ext4";
+  };
 
-  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" ];
-  boot.initrd.kernelModules = [ ];
-  boot.kernelModules = [ "kvm-intel" ];
-  boot.extraModulePackages = [ ];
-
-  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
-  # (the default) this is the recommended approach. When using systemd-networkd it's
-  # still possible to use this option, but it's recommended to use it in conjunction
-  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
   networking.useDHCP = lib.mkDefault true;
-  # networking.interfaces.ens3.useDHCP = lib.mkDefault true;
-
-  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
 }

hosts/kommode/services/gitea/default.nix

@@ -134,6 +134,9 @@ in {
         ALLOW_FORK_INTO_SAME_OWNER = true;
       };
       picture = {
+        DISABLE_GRAVATAR = true;
+        ENABLE_FEDERATED_AVATAR = false;
+
         AVATAR_MAX_FILE_SIZE = 1024 * 1024 * 5;
         # NOTE: go any bigger than this, and gitea will freeze your gif >:(
         AVATAR_MAX_ORIGIN_SIZE = 1024 * 1024 * 2;
@@ -214,7 +217,7 @@ in {
 
   systemd.services.gitea-dump = {
     serviceConfig.ExecStart = let
-      args = lib.cli.toCommandLineShellGNU { } {
+      args = lib.cli.toGNUCommandLineShell { } {
         type = cfg.dump.type;
 
         # This should be declarative on nixos, no need to backup.

hosts/kommode/services/gitea/web-secret-provider/default.nix

@@ -53,7 +53,7 @@ in
       Slice = "system-giteaweb.slice";
       Type = "oneshot";
       ExecStart = let
-        args = lib.cli.toCommandLineShellGNU { } {
+        args = lib.cli.toGNUCommandLineShell { } {
           org = "%i";
           token-path = "%d/token";
           api-url = "${giteaCfg.settings.server.ROOT_URL}api/v1";

hosts/temmie/services/userweb/default.nix

@@ -4,13 +4,6 @@ let
 
   homeLetters = [ "a" "b" "c" "d" "h" "i" "j" "k" "l" "m" "z" ];
 
-  phpOptions = lib.concatStringsSep "\n" (lib.mapAttrsToList (k: v: "${k} = ${v}"){
-    display_errors = "Off";
-    display_startup_errors = "Off";
-    post_max_size = "40M";
-    upload_max_filesize = "40M";
-  });
-
   # https://nixos.org/manual/nixpkgs/stable/#ssec-php-user-guide-installing-with-extensions
   phpEnv = pkgs.php.buildEnv {
     extensions = { all, ... }: with all; [
@@ -36,7 +29,11 @@ let
       pdo_sqlite
     ];
 
-    extraConfig = phpOptions;
+    extraConfig = ''
+      display_errors=0
+      post_max_size = 40M
+      upload_max_filesize = 40M
+    '';
   };
 
   perlEnv = pkgs.perl.withPackages (ps: with ps; [
@@ -73,9 +70,9 @@ let
     text = ''
       args=("$@")
 
-      if [[ -z "$USERDIR_USER" ]] && [[ "$USERDIR_USER" != "pvv" ]]; then
+      if [[ "''${PWD:-}" =~ ^/home/pvv/[^/]+/([^/]+) ]] && [[ "''${BASH_REMATCH[1]}" != "pvv" ]]; then
           # Prepend -fusername to the argument list, so bounces go to the user
-          args=("-f$USERDIR_USER" "''${args[@]}")
+          args=("-f''${BASH_REMATCH[1]}" "''${args[@]}")
       fi
 
       exec '${lib.getExe pkgs.system-sendmail}' "''${args[@]}"
@@ -176,7 +173,6 @@ in
 
     enablePHP = true;
     phpPackage = phpEnv;
-    inherit phpOptions;
 
     enablePerl = true;
 
@@ -213,7 +209,6 @@ in
         UserDir disabled root
         AddHandler cgi-script .cgi
         DirectoryIndex index.html index.html.var index.php index.php3 index.cgi index.phtml index.shtml meg.html
-        SetEnvIf Request_URI "^/~([^/]+)" USERDIR_USER=$1
 
         <Directory "/home/pvv/?/*/web-docs">
           Options MultiViews Indexes SymLinksIfOwnerMatch ExecCGI IncludesNoExec

hosts/temmie/services/userweb/mail.nix

@@ -1,4 +1,4 @@
-{ config, lib, ... }:
+{ config, lib, pkgs, ... }:
 {
   services.postfix.enable = lib.mkForce false;
 
@@ -9,4 +9,26 @@
       remotes = "mail.pvv.ntnu.no smtp --port=25";
     };
   };
+
+  systemd.sockets.userweb-sendmail-sandbox-proxy = {
+    wantedBy = [ "sockets.target" ];
+    listenStreams = [ "/run/userweb-sendmail-sandbox-proxy.sock" ];
+    socketConfig = {
+      # Accept = true;
+      SocketUser = "httpd";
+      SocketGroup = "httpd"; # TODO: is wwwrun(54) in this group?
+      SocketMode = "0660";
+    };
+  };
+
+  systemd.services.userweb-sendmail-sandbox-proxy = {
+    serviceConfig = {
+      User = "root";
+      Group = "root";
+      Sockets = [
+        "userweb-sendmail-sandbox-proxy.socket"
+      ];
+      ExecStart = "${lib.getExe pkgs.hello}";
+    };
+  };
 }

packages/mediawiki-extensions/default.nix

@@ -33,63 +33,63 @@ in
 lib.mergeAttrsList [
   (mw-ext {
     name = "CodeEditor";
-    commit = "2db9c9cef35d88a0696b926e8e4ea2d479d0d73a";
+    commit = "83e1d0c13f34746f0d7049e38b00e9ab0a47c23f";
-    hash = "sha256-f0tWJl/4hml+RCp7OoIpQ4WSGKE3/z8DTYOAOHbLA9A=";
+    hash = "sha256-qH9fSQZGA+z6tBSh1DaTKLcujqA6K/vQmZML9w5X8mU=";
   })
   (mw-ext {
     name = "CodeMirror";
-    commit = "b16e614c3c4ba68c346b8dd7393ab005ab127441";
+    commit = "af2b08b9ad2b89a64b2626cf80b026c5b45e9922";
-    hash = "sha256-J/TJPo5Oxgpy6UQINivLKl8jzJp4k/mKv6br3kcCSMQ=";
+    hash = "sha256-CxXPwCKUlF9Tg4JhwLaKQyvt43owq75jCugVtb3VX+I=";
   })
   (mw-ext {
     name = "DeleteBatch";
-    commit = "1b947c0f80249cf052b58138f830b379edf080bc";
+    commit = "3d6f2fd0e3efdae1087dd0cc8b1f96fe0edf734f";
-    hash = "sha256-629RCz+38m2pfyJe/CrYutRoDyN1HzD0KzDdC2wwqlI=";
+    hash = "sha256-iD9EjDIW7AGpZan74SIRcr54dV8W7xMKIDjatjdVkKs=";
   })
   (mw-ext {
     name = "PluggableAuth";
-    commit = "56893b8ee9ecd03eaee256e08c38bc82657ee0a1";
+    commit = "85e96acd1ac0ebcdaa29c20eae721767a938f426";
-    hash = "sha256-gvoJey7YLMk+toutQTdWxpaedNDr59E+3xXWmXWCGl0=";
+    hash = "sha256-bMVhrg8FsfWhXF605Cj5TgI0A6Jy/MIQ5aaUcLQQ0Ss=";
   })
   (mw-ext {
     name = "Popups";
-    commit = "6732d8d195bd8312779d8514e92bad372ef63096";
+    commit = "410e2343c32a7b18dcdc2bbd995b0bfdf3bf5f37";
-    hash = "sha256-XZzhA9UjAOUMcoGYYwiqRg2uInZ927JOZ9/IrZtarJU=";
+    hash = "sha256-u2AlR75x54rCpiK9Mz00D9odJCn8fmi6DRU4QKmKqSc=";
   })
   (mw-ext {
     name = "Scribunto";
-    commit = "fc9658623bd37fad352e326ce81b2a08ef55f04d";
+    commit = "904f323f343dba5ff6a6cdd143c4a8ef5b7d2c55";
-    hash = "sha256-P9WQk8O9qP+vXsBS9A5eXX+bRhnfqHetbkXwU3+c1Vk=";
+    hash = "sha256-ZOVYhjMMyWbqwZOBb39hMIRmzzCPEnz2y8Q2jgyeERw=";
   })
   (mw-ext {
     name = "SimpleSAMLphp";
     kebab-name = "simple-saml-php";
-    commit = "4c615a9203860bb908f2476a5467573e3287d224";
+    commit = "a2f77374713473d594e368de24539aebcc1a800a";
-    hash = "sha256-zNKvzInhdW3B101Hcghk/8m0Y+Qk/7XN7n0i/x/5hSE=";
+    hash = "sha256-5+t3VQFKcrIffDNPJ4RWBIWS6K1gTOcEleYWmM6xWms=";
   })
   (mw-ext {
     name = "TemplateData";
-    commit = "6884b10e603dce82ee39632f839ee5ccd8a6fbe3";
+    commit = "76a6a04bd13a606923847ba68750b5d98372cacd";
-    hash = "sha256-jcLe3r5fPIrQlp89N+PdIUSC7bkdd7pTmiYppSpdKVQ=";
+    hash = "sha256-X2+U5PMqzkSljw2ypIvJUSaPDaonTkQx89OgKzf5scw=";
   })
   (mw-ext {
     name = "TemplateStyles";
-    commit = "f0401a6b82528c8fd5a0375f1e55e72d1211f2ab";
+    commit = "7de60a8da6576d7930f293d19ef83529abf52704";
-    hash = "sha256-tEcCNBz/i9OaE3mNrqw0J2K336BAf6it30TLhQkbtKs=";
+    hash = "sha256-iPmFDoO5V4964CVyd1mBSQcNlW34odbvpm2CfDBlPBU=";
   })
   (mw-ext {
     name = "UserMerge";
-    commit = "6c138ffc65991766fd58ff4739fcb7febf097146";
+    commit = "71eb53ff4289ac4efaa31685ab8b6483c165a584";
-    hash = "sha256-366Nb0ilmXixWgk5NgCuoxj82Mf0iRu1bC/L/eofAxU=";
+    hash = "sha256-OfKSEPgctfr659oh5jf99T0Rzqn+60JhNaZq+2gfubk=";
   })
   (mw-ext {
     name = "VisualEditor";
-    commit = "9cfcca3195bf88225844f136da90ab7a1f6dd0b9";
+    commit = "a6a63f53605c4d596c3df1dcc2583ffd3eb8d929";
-    hash = "sha256-jHw3RnUB3bQa1OvmzhEBqadZlFPWH62iGl5BLXi3nZ4=";
+    hash = "sha256-4d8picO66uzKoxh1TdyvKLHebc6ZL7N2DdXLV2vgBL4=";
   })
   (mw-ext {
     name = "WikiEditor";
-    commit = "fe5329ba7a8c71ac8236cd0e940a64de2645b780";
+    commit = "0a5719bb95326123dd0fee1f88658358321ed7be";
-    hash = "sha256-no6kH7esqKiZv34btidzy2zLd75SBVb8EaYVhfRPQSI=";
+    hash = "sha256-eQMyjhdm1E6TkktIHad1NMeMo8QNoO8z4A05FYOMCwQ=";
   })
 ]

packages/simplesamlphp/default.nix

@@ -8,18 +8,18 @@
 
 php.buildComposerProject rec {
   pname = "simplesamlphp";
-  version = "2.5.0";
+  version = "2.4.3";
 
   src = fetchFromGitHub {
     owner = "simplesamlphp";
     repo = "simplesamlphp";
     tag = "v${version}";
-    hash = "sha256-Md07vWhB/5MDUH+SPQEs8PYiUrkEgAyqQl+LO+ap0Sw=";
+    hash = "sha256-vv4gzcnPfMapd8gER2Vsng1SBloHKWrJJltnw2HUnX4=";
   };
 
   composerStrictValidation = false;
 
-  vendorHash = "sha256-GrEoGJXEyI1Ib+06GIuo5eRwxQ0UMKeX5RswShu2CHM=";
+  vendorHash = "sha256-vu3Iz6fRk3Gnh9Psn46jgRYKkmqGte+5xHBRmvdgKG4=";
 
   # TODO: metadata could be fetched automagically with these:
   #   - https://simplesamlphp.org/docs/contrib_modules/metarefresh/simplesamlphp-automated_metadata.html

values.nix

@@ -37,10 +37,10 @@ in rec {
       ipv6 = pvv-ipv6 168;
     };
     ildkule = {
-      ipv4 = "129.241.100.145";
+      ipv4 = "129.241.153.213";
-      ipv4_internal = "192.168.1.17";
+      ipv4_internal = "192.168.12.209";
-      ipv4_internal_gw = "192.168.1.1";
+      ipv4_internal_gw = "192.168.12.1";
-      ipv6 = "2001:700:305:8a0f:f816:3eff:fef5:e400";
+      ipv6 = "2001:700:300:6026:f816:3eff:fe58:f1e8";
     };
     bicep = {
       ipv4 = pvv-ipv4 209;