Add skrott

.sops.yaml

@@ -3,6 +3,7 @@ keys:
   - &user_danio age17tagmpwqjk3mdy45rfesrfey6h863x8wfq38wh33tkrlrywxducs0k6tpq
   - &user_felixalb age1mrnldl334l2nszuta6ywvewng0fswv2dz9l5g4qcwe3nj4yxf92qjskdx6
   - &user_oysteikt F7D37890228A907440E1FD4846B9228E814A2AAC
+  - &user_eirikwit age1ju7rd26llahz3g8tz7cy5ld52swj8gsmg0flrmrxngc0nj0avq3ssh0sn5
 
   # Hosts
   - &host_jokum age1gp8ye4g2mmw3may5xg0zsy7mm04glfz3788mmdx9cvcsdxs9hg0s0cc9kt
@@ -18,6 +19,7 @@ creation_rules:
       - *host_jokum
       - *user_danio
       - *user_felixalb
+      - *user_eirikwit
       pgp:
       - *user_oysteikt
 
@@ -58,3 +60,9 @@ creation_rules:
       - *user_felixalb
       pgp:
       - *user_oysteikt
+
+  - path_regex: secrets/skrott/[^/]+\.yaml$
+    key_groups:
+    - age:
+      - *user_danio
+      - *user_eirikwit

flake.lock

@@ -1,5 +1,26 @@
 {
   "nodes": {
+    "dibbler": {
+      "inputs": {
+        "flake-utils": "flake-utils",
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1693682284,
+        "narHash": "sha256-FvVCkHH80YyUiqQlnGNr49rZRBniihF6YRpytguEkFQ=",
+        "owner": "Programvareverkstedet",
+        "repo": "dibbler",
+        "rev": "8a6a0c12ba37e239684d2de1be12fd73903cfb2c",
+        "type": "github"
+      },
+      "original": {
+        "owner": "Programvareverkstedet",
+        "repo": "dibbler",
+        "type": "github"
+      }
+    },
     "disko": {
       "inputs": {
         "nixpkgs": [
@@ -7,11 +28,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1709632354,
-        "narHash": "sha256-jxRHwqrtNze51WKFKvxlQ8Inf62UNRl5cFqEQ2V96vE=",
+        "lastModified": 1710169806,
+        "narHash": "sha256-HeWFrRuHpnAiPmIr26OKl2g142HuGerwoO/XtW53pcI=",
         "owner": "nix-community",
         "repo": "disko",
-        "rev": "0d11aa8d6431326e10b8656420f91085c3bd0b12",
+        "rev": "fe064a639319ed61cdf12b8f6eded9523abcc498",
         "type": "github"
       },
       "original": {
@@ -20,6 +41,24 @@
         "type": "github"
       }
     },
+    "flake-utils": {
+      "inputs": {
+        "systems": "systems"
+      },
+      "locked": {
+        "lastModified": 1692799911,
+        "narHash": "sha256-3eihraek4qL744EvQXsK1Ha6C3CR7nnT8X2qWap4RNk=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "f9e7cf818399d17d347f847525c5a5a8032e4e44",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
     "grzegorz": {
       "inputs": {
         "nixpkgs": [
@@ -62,14 +101,16 @@
     },
     "matrix-next": {
       "inputs": {
-        "nixpkgs-lib": "nixpkgs-lib"
+        "nixpkgs": [
+          "nixpkgs"
+        ]
       },
       "locked": {
-        "lastModified": 1701507532,
-        "narHash": "sha256-Zzv8OFB7iilzDGe6z2t/j8qRtR23TN3N8LssGsvRWEA=",
+        "lastModified": 1710311999,
+        "narHash": "sha256-s0pT1NyrMgeolUojXXcnXQDymN7m80GTF7itCv0ZH20=",
         "owner": "dali99",
         "repo": "nixos-matrix-modules",
-        "rev": "046194cdadc50d81255a9c57789381ed1153e2b1",
+        "rev": "6c9b67974b839740e2a738958512c7a704481157",
         "type": "github"
       },
       "original": {
@@ -80,11 +121,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1709565521,
-        "narHash": "sha256-YP3H7Lm3IhOKHIcn+qMCLRINJG313Io5CjvNTJyrnhY=",
+        "lastModified": 1710248792,
+        "narHash": "sha256-yFyWw4na+nJgtXwhHs2SJSy5Lcw94/FcMbBOorlGdfI=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "9a5f1a573376eeb8c525f936eed32fabfb6e81be",
+        "rev": "efbb274f364c918b9937574de879b5874b5833cc",
         "type": "github"
       },
       "original": {
@@ -93,28 +134,13 @@
         "type": "indirect"
       }
     },
-    "nixpkgs-lib": {
-      "locked": {
-        "lastModified": 1673743903,
-        "narHash": "sha256-sloY6KYyVOozJ1CkbgJPpZ99TKIjIvM+04V48C04sMQ=",
-        "owner": "nix-community",
-        "repo": "nixpkgs.lib",
-        "rev": "7555e2dfcbac1533f047021f1744ac8871150f9f",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-community",
-        "repo": "nixpkgs.lib",
-        "type": "github"
-      }
-    },
     "nixpkgs-stable": {
       "locked": {
-        "lastModified": 1709428628,
-        "narHash": "sha256-//ZCCnpVai/ShtO2vPjh3AWgo8riXCaret6V9s7Hew4=",
+        "lastModified": 1710033658,
+        "narHash": "sha256-yiZiVKP5Ya813iYLho2+CcFuuHpaqKc/CoxOlANKcqM=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "66d65cb00b82ffa04ee03347595aa20e41fe3555",
+        "rev": "b17375d3bb7c79ffc52f3538028b2ec06eb79ef8",
         "type": "github"
       },
       "original": {
@@ -126,11 +152,11 @@
     },
     "nixpkgs-unstable": {
       "locked": {
-        "lastModified": 1712963716,
-        "narHash": "sha256-WKm9CvgCldeIVvRz87iOMi8CFVB1apJlkUT4GGvA0iM=",
+        "lastModified": 1710247538,
+        "narHash": "sha256-Mm3aCwfAdYgG2zKf5SLRBktPH0swXN1yEetAMn05KAA=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "cfd6b5fc90b15709b780a5a1619695a88505a176",
+        "rev": "21adc4f16a8ab151fec83b9d9368cd62d9de86bc",
         "type": "github"
       },
       "original": {
@@ -161,6 +187,7 @@
     },
     "root": {
       "inputs": {
+        "dibbler": "dibbler",
         "disko": "disko",
         "grzegorz": "grzegorz",
         "grzegorz-clients": "grzegorz-clients",
@@ -179,11 +206,11 @@
         "nixpkgs-stable": "nixpkgs-stable"
       },
       "locked": {
-        "lastModified": 1709591996,
-        "narHash": "sha256-0sQcalXSgqlO6mnxBTXkSQChBHy2GQsokB1XY8r+LpQ=",
+        "lastModified": 1710195194,
+        "narHash": "sha256-KFxCJp0T6TJOz1IOKlpRdpsCr9xsvlVuWY/VCiAFnTE=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "291aad29b59ceda517a06e59809f35cb0bb17c6b",
+        "rev": "e52d8117b330f690382f1d16d81ae43daeb4b880",
         "type": "github"
       },
       "original": {
@@ -191,6 +218,21 @@
         "repo": "sops-nix",
         "type": "github"
       }
+    },
+    "systems": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
     }
   },
   "root": "root",

flake.nix

@@ -15,11 +15,15 @@
     pvv-calendar-bot.inputs.nixpkgs.follows = "nixpkgs";
 
     matrix-next.url = "github:dali99/nixos-matrix-modules";
+    matrix-next.inputs.nixpkgs.follows = "nixpkgs";
 
     grzegorz.url = "github:Programvareverkstedet/grzegorz";
     grzegorz.inputs.nixpkgs.follows = "nixpkgs-unstable";
     grzegorz-clients.url = "github:Programvareverkstedet/grzegorz-clients";
     grzegorz-clients.inputs.nixpkgs.follows = "nixpkgs";
+
+    dibbler.url = "github:Programvareverkstedet/dibbler";
+    dibbler.inputs.nixpkgs.follows = "nixpkgs";
   };
 
   outputs = { self, nixpkgs, nixpkgs-unstable, sops-nix, disko, ... }@inputs:
@@ -114,6 +118,13 @@
           sops-nix.nixosModules.sops
         ];
       };
+      skrott = stableNixosConfig "skrott" {
+        modules = [
+          ./hosts/skrott/configuration.nix
+          inputs.dibbler.nixosModules.default
+          sops-nix.nixosModules.sops
+        ];
+      };
     };
 
     devShells = forAllSystems (system: {
@@ -123,22 +134,12 @@
     packages = {
       "x86_64-linux" = let
         pkgs = nixpkgs.legacyPackages."x86_64-linux";
-        pkgs-unstable = nixpkgs-unstable.legacyPackages."x86_64-linux";
       in rec {
         default = important-machines;
         important-machines = pkgs.linkFarm "important-machines"
           (nixlib.getAttrs importantMachines self.packages.x86_64-linux);
         all-machines = pkgs.linkFarm "all-machines"
           (nixlib.getAttrs allMachines self.packages.x86_64-linux);
-	heimdal = pkgs.callPackage hosts/buskerud/containers/salsa/services/heimdal/package.nix {
-          inherit (pkgs.apple_sdk.frameworks)
-            CoreFoundation Security SystemConfiguration;
-	};
-	heimdal-unstable = pkgs-unstable.callPackage hosts/buskerud/containers/salsa/services/heimdal/package.nix {
-          inherit (pkgs.apple_sdk.frameworks)
-            CoreFoundation Security SystemConfiguration;
-	};
-	inherit pkgs pkgs-unstable;
       } // nixlib.genAttrs allMachines
         (machine: self.nixosConfigurations.${machine}.config.system.build.toplevel);
     };

hosts/bekkalokk/services/gitea/gitea-import-users.py

@@ -32,7 +32,6 @@ def add_user(username, name):
             "full_name": name,
             "username": username,
             "login_name": username,
-            "visibility": "public",
             "source_id": 1,  # 1 = SMTP
     }
 
@@ -52,6 +51,7 @@ def add_user(username, name):
         existing_users[username] = user
 
     else:
+        user["visibility"] = existing_users[username]["visibility"]
         r = requests.patch(GITEA_API_URL + f'/admin/users/{username}',
                            json=user,
                            headers={'Authorization': 'token ' + API_TOKEN})

hosts/bicep/services/matrix/element.nix

@@ -24,21 +24,26 @@ in {
         features = {
           feature_latex_maths = true;
           feature_pinning = true;
+          feature_render_reaction_images = true;
           feature_state_counters = true;
-          feature_custom_status = false;
+          # element call group calls
+          feature_group_calls = true;
         };
         default_theme = "dark";
+        # Servers in this list should provide some sort of valuable scoping
+        # matrix.org is not useful compared to matrixrooms.info,
+        # because it has so many general members, rooms of all topics are on it.
+        # Something matrixrooms.info is already providing.
         room_directory.servers = [
           "pvv.ntnu.no"
-          "matrix.omegav.no"
-          "matrix.org"
-          "libera.chat"
-          "gitter.im"
-          "mozilla.org"
-          "kde.org"
-          "t2bot.io"
-          "fosdem.org"
-          "dodsorf.as"
+          "matrixrooms.info" # Searches all public room directories
+          "matrix.omegav.no" # Friends
+          "gitter.im" # gitter rooms
+          "mozilla.org" # mozilla and friends
+          "kde.org" # KDE rooms
+          "fosdem.org" # FOSDEM
+          "dodsorf.as" # PVV Member
+          "nani.wtf" # PVV Member
         ];
         enable_presence_by_hs_url = {
           "https://matrix.org" = false;

hosts/buskerud/configuration.nix

@@ -4,8 +4,6 @@
     ./hardware-configuration.nix
     ../../base.nix
     ../../misc/metrics-exporters.nix
-
-    ./containers/salsa/configuration.nix
   ];
 
   # buskerud does not support efi?

hosts/buskerud/containers/salsa/NOTES.md

@@ -1,27 +0,0 @@
-# Misc docs
-
-### Old stuff about storing kerberos state inside LDAP - might not be relevant
-
-- https://wiki.debian.org/LDAP/OpenLDAPSetup#OpenLDAP_as_a_Backend
-- https://ubuntu.com/server/docs/service-kerberos-with-openldap-backend
-- https://forums.freebsd.org/threads/heimdal-and-openldap-integration-some-questions.58422/
-- http://osr507doc.sco.com/cgi-bin/info2html?(heimdal.info.gz)Using%2520LDAP%2520to%2520store%2520the%2520database&lang=en
-- https://bbs.archlinux.org/viewtopic.php?id=54236
-- https://openldap-software.0penldap.narkive.com/Ml6seAGL/ldap-backend-for-heimdal-kerberos
-
-### Heimdal setup
-
-- http://chschneider.eu/linux/server/heimdal.shtml
-- https://github.com/NixOS/nixpkgs/blob/master/nixos/tests/kerberos/heimdal.nix
-- https://itk.samfundet.no/dok/Kerberos (possibly a bit dated)
-
-### OpenLDAP setup with new olc stuff
-
-- https://www.openldap.org/doc/admin26/
-- https://www.openldap.org/doc/admin26/sasl.html#GSSAPI
-- https://www.zytrax.com/books/ldap/
-
-### SASLAUTHD
-
-- https://linux.die.net/man/8/saslauthd
-- https://www.cyrusimap.org/sasl/index.html

hosts/buskerud/containers/salsa/configuration.nix

@@ -1,51 +0,0 @@
-{ config, pkgs, lib, inputs, values, ... }:
-{
-  containers.salsa = {
-    autoStart = true;
-    interfaces = [ "enp6s0f1" ];
-    bindMounts = {
-      "/data" = { hostPath = "/data/salsa"; isReadOnly = false; };
-    };
-    nixpkgs = inputs.nixpkgs-unstable;
-
-    config = { config, pkgs, ... }: let
-      inherit values inputs;
-    in {
-      imports = [
-        inputs.sops-nix.nixosModules.sops
-        ../../../../base.nix
-
-        ./services/heimdal
-        ./services/openldap.nix
-        ./services/saslauthd.nix
-
-	# https://github.com/NixOS/nixpkgs/pull/287611
-	./modules/krb5
-	./modules/kerberos
-      ];
-
-      disabledModules = [
-	"security/krb5"
-	"services/system/kerberos/default.nix"
-      ];
-
-      _module.args = {
-        inherit values inputs;
-      };
-
-      sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
-      sops.age.keyFile = "/var/lib/sops-nix/key.txt";
-      sops.age.generateKey = true;
-
-      # systemd.network.networks."30-enp6s0f1" = values.defaultNetworkConfig // {
-      #   matchConfig.Name = "enp6s0f1";
-      #   address = with values.hosts.jokum; [ (ipv4 + "/25") (ipv6 + "/64") ]
-      #     ++ (with values.services.turn; [ (ipv4 + "/25") (ipv6 + "/64") ]);
-      # };
-
-      networking.useHostResolvConf = lib.mkForce false;
-
-      system.stateVersion = "23.11";
-    };
-  };
-}

hosts/buskerud/containers/salsa/modules/kerberos/default.nix

@@ -1,101 +0,0 @@
-{ config, pkgs, lib, ... }:
-
-let
-  inherit (lib) mkOption types;
-  cfg = config.services.kerberos_server;
-  inherit (config.security.krb5) package;
-
-  format = import ../krb5/krb5-conf-format.nix { inherit pkgs lib; } { };
-in
-
-{
-  imports = [
-    (lib.mkRenamedOptionModule [ "services" "kerberos_server" "realms" ] [ "services" "kerberos_server" "settings" "realms" ])
-
-    ./mit.nix
-    ./heimdal.nix
-  ];
-
-  options = {
-    services.kerberos_server = {
-      enable = lib.mkEnableOption (lib.mdDoc "the kerberos authentication server");
-
-      settings = let
-        aclEntry = types.submodule {
-          options = {
-            principal = mkOption {
-              type = types.str;
-              description = lib.mdDoc "Which principal the rule applies to";
-            };
-            access = mkOption {
-              type = types.either
-                (types.listOf (types.enum ["add" "cpw" "delete" "get" "list" "modify"]))
-                (types.enum ["all"]);
-              default = "all";
-              description = lib.mdDoc "The changes the principal is allowed to make.";
-            };
-            target = mkOption {
-              type = types.str;
-              default = "*";
-              description = lib.mdDoc "The principals that 'access' applies to.";
-            };
-          };
-        };
-
-        realm = types.submodule ({ name, ... }: {
-          freeformType = format.sectionType;
-          options = {
-            acl = mkOption {
-              type = types.listOf aclEntry;
-              default = [
-                { principal = "*/admin"; access = "all"; }
-                { principal = "admin"; access = "all"; }
-              ];
-              description = lib.mdDoc ''
-                The privileges granted to a user.
-              '';
-            };
-          };
-        });
-      in mkOption {
-        type = types.submodule (format.type.getSubModules ++ [{
-          options = {
-            realms = mkOption {
-              type = types.attrsOf realm;
-              description = lib.mdDoc ''
-                The realm(s) to serve keys for.
-              '';
-            };
-          };
-        }]);
-        description = ''
-          Settings for the kerberos server of choice.
-
-          See the following documentation:
-          - Heimdal: {manpage}`kdc.conf(5)`
-          - MIT Kerberos: <https://web.mit.edu/kerberos/krb5-1.21/doc/admin/conf_files/kdc_conf.html>
-        '';
-        default = { };
-      };
-    };
-  };
-
-  config = lib.mkIf cfg.enable {
-    environment.systemPackages = [ package ];
-    assertions = [
-      {
-        assertion = cfg.settings.realms != { };
-        message = "The server needs at least one realm";
-      }
-      {
-        assertion = lib.length (lib.attrNames cfg.settings.realms) <= 1;
-        message = "Only one realm per server is currently supported.";
-      }
-    ];
-
-    systemd.slices.system-kerberos-server = { };
-    systemd.targets.kerberos-server = {
-      wantedBy = [ "multi-user.target" ];
-    };
-  };
-}

hosts/buskerud/containers/salsa/modules/kerberos/heimdal.nix

@@ -1,87 +0,0 @@
-{ pkgs, config, lib, ... } :
-
-let
-  inherit (lib)  mapAttrs;
-  cfg = config.services.kerberos_server;
-  package = config.security.krb5.package;
-
-  aclConfigs = lib.pipe cfg.settings.realms [
-    (mapAttrs (name: { acl, ... }: lib.concatMapStringsSep "\n" (
-      { principal, access, target, ... }:
-      "${principal}\t${lib.concatStringsSep "," (lib.toList access)}\t${target}"
-    ) acl))
-    (lib.mapAttrsToList (name: text:
-      {
-        dbname = "/var/lib/heimdal/heimdal";
-        acl_file = pkgs.writeText "${name}.acl" text;
-      }
-    ))
-  ];
-
-  finalConfig = cfg.settings // {
-    realms = mapAttrs (_: v: removeAttrs v [ "acl" ]) (cfg.settings.realms or { });
-    kdc = (cfg.settings.kdc or { }) // {
-      database = aclConfigs;
-    };
-  };
-
-  format = import ../krb5/krb5-conf-format.nix { inherit pkgs lib; } { };
-
-  kdcConfFile = format.generate "kdc.conf" finalConfig;
-in
-
-{
-  config = lib.mkIf (cfg.enable && package.passthru.implementation == "heimdal") {
-    environment.etc."heimdal-kdc/kdc.conf".source = kdcConfFile;
-
-    systemd.tmpfiles.settings."10-heimdal" = let
-      databases = lib.pipe finalConfig.kdc.database [
-        (map (dbAttrs: dbAttrs.dbname or null))
-        (lib.filter (x: x != null))
-        lib.unique
-      ];
-    in lib.genAttrs databases (_: {
-      d = {
-        user = "root";
-        group = "root";
-        mode = "0700";
-      };
-    });
-
-    systemd.services.kadmind = {
-      description = "Kerberos Administration Daemon";
-      partOf = [ "kerberos-server.target" ];
-      wantedBy = [ "kerberos-server.target" ];
-      serviceConfig = {
-        ExecStart = "${package}/libexec/kadmind --config-file=/etc/heimdal-kdc/kdc.conf";
-        Slice = "system-kerberos-server.slice";
-        StateDirectory = "heimdal";
-      };
-      restartTriggers = [ kdcConfFile ];
-    };
-
-    systemd.services.kdc = {
-      description = "Key Distribution Center daemon";
-      partOf = [ "kerberos-server.target" ];
-      wantedBy = [ "kerberos-server.target" ];
-      serviceConfig = {
-        ExecStart = "${package}/libexec/kdc --config-file=/etc/heimdal-kdc/kdc.conf";
-        Slice = "system-kerberos-server.slice";
-        StateDirectory = "heimdal";
-      };
-      restartTriggers = [ kdcConfFile ];
-    };
-
-    systemd.services.kpasswdd = {
-      description = "Kerberos Password Changing daemon";
-      partOf = [ "kerberos-server.target" ];
-      wantedBy = [ "kerberos-server.target" ];
-      serviceConfig = {
-        ExecStart = "${package}/libexec/kpasswdd";
-        Slice = "system-kerberos-server.slice";
-        StateDirectory = "heimdal";
-      };
-      restartTriggers = [ kdcConfFile ];
-    };
-  };
-}

hosts/buskerud/containers/salsa/modules/kerberos/mit.nix

@@ -1,77 +0,0 @@
-{ pkgs, config, lib, ... } :
-
-let
-  inherit (lib) mapAttrs;
-  cfg = config.services.kerberos_server;
-  package = config.security.krb5.package;
-  PIDFile = "/run/kdc.pid";
-
-  format = import ../krb5/krb5-conf-format.nix { inherit pkgs lib; } { };
-
-  aclMap = {
-    add = "a"; cpw = "c"; delete = "d"; get = "i"; list = "l"; modify = "m";
-    all = "*";
-  };
-
-  aclConfigs = lib.pipe cfg.settings.realms [
-    (mapAttrs (name: { acl, ... }: lib.concatMapStringsSep "\n" (
-      { principal, access, target, ... }: let
-        access_code = map (a: aclMap.${a}) (lib.toList access);
-      in "${principal} ${lib.concatStrings access_code} ${target}"
-    ) acl))
-
-    (lib.concatMapAttrs (name: text: {
-      ${name} = {
-        acl_file = pkgs.writeText "${name}.acl" text;
-      };
-    }))
-  ];
-
-  finalConfig = cfg.settings // {
-    realms = mapAttrs (n: v: (removeAttrs v [ "acl" ]) // aclConfigs.${n}) (cfg.settings.realms or { });
-  };
-
-  kdcConfFile = format.generate "kdc.conf" finalConfig;
-  env = {
-    # What Debian uses, could possibly link directly to Nix store?
-    KRB5_KDC_PROFILE = "/etc/krb5kdc/kdc.conf";
-  };
-in
-
-{
-  config = lib.mkIf (cfg.enable && package.passthru.implementation == "krb5") {
-    environment = {
-      etc."krb5kdc/kdc.conf".source = kdcConfFile;
-      variables = env;
-    };
-
-    systemd.services.kadmind = {
-      description = "Kerberos Administration Daemon";
-      partOf = [ "kerberos-server.target" ];
-      wantedBy = [ "kerberos-server.target" ];
-      serviceConfig = {
-        ExecStart = "${package}/bin/kadmind -nofork";
-        Slice = "system-kerberos-server.slice";
-        StateDirectory = "krb5kdc";
-      };
-      restartTriggers = [ kdcConfFile ];
-      environment = env;
-    };
-
-    systemd.services.kdc = {
-      description = "Key Distribution Center daemon";
-      partOf = [ "kerberos-server.target" ];
-      wantedBy = [ "kerberos-server.target" ];
-      serviceConfig = {
-        Type = "forking";
-        PIDFile = PIDFile;
-        ExecStart = "${package}/bin/krb5kdc -P ${PIDFile}";
-        Slice = "system-kerberos-server.slice";
-        StateDirectory = "krb5kdc";
-      };
-      restartTriggers = [ kdcConfFile ];
-      environment = env;
-    };
-  };
-}
-

hosts/buskerud/containers/salsa/modules/krb5/default.nix

@@ -1,104 +0,0 @@
-{ config, lib, pkgs, ... }:
-let
-  inherit (lib) mdDoc mkIf mkOption mkPackageOption mkRemovedOptionModule;
-  inherit (lib.types) bool;
-
-  mkRemovedOptionModule' = name: reason: mkRemovedOptionModule ["krb5" name] reason;
-  mkRemovedOptionModuleCfg = name: mkRemovedOptionModule' name ''
-    The option `krb5.${name}' has been removed. Use
-    `security.krb5.settings.${name}' for structured configuration.
-  '';
-
-  cfg = config.security.krb5;
-  format = import ./krb5-conf-format.nix { inherit pkgs lib; } { };
-in {
-  imports = [
-    (mkRemovedOptionModuleCfg "libdefaults")
-    (mkRemovedOptionModuleCfg "realms")
-    (mkRemovedOptionModuleCfg "domain_realm")
-    (mkRemovedOptionModuleCfg "capaths")
-    (mkRemovedOptionModuleCfg "appdefaults")
-    (mkRemovedOptionModuleCfg "plugins")
-    (mkRemovedOptionModuleCfg "config")
-    (mkRemovedOptionModuleCfg "extraConfig")
-    (mkRemovedOptionModule' "kerberos" ''
-      The option `krb5.kerberos' has been moved to `security.krb5.package'.
-    '')
-  ];
-
-  options = {
-    security.krb5 = {
-      enable = mkOption {
-        default = false;
-        description = mdDoc "Enable and configure Kerberos utilities";
-        type = bool;
-      };
-
-      package = mkPackageOption pkgs "krb5" {
-        example = "heimdal";
-      };
-
-      settings = mkOption {
-        default = { };
-        type = format.type;
-        description = mdDoc ''
-          Structured contents of the {file}`krb5.conf` file. See
-          {manpage}`krb5.conf(5)` for details about configuration.
-        '';
-        example = {
-          include = [ "/run/secrets/secret-krb5.conf" ];
-          includedir = [ "/run/secrets/secret-krb5.conf.d" ];
-
-          libdefaults = {
-            default_realm = "ATHENA.MIT.EDU";
-          };
-
-          realms = {
-            "ATHENA.MIT.EDU" = {
-              admin_server = "athena.mit.edu";
-              kdc = [
-                "athena01.mit.edu"
-                "athena02.mit.edu"
-              ];
-            };
-          };
-
-          domain_realm = {
-            "mit.edu" = "ATHENA.MIT.EDU";
-          };
-
-          logging = {
-            kdc = "SYSLOG:NOTICE";
-            admin_server = "SYSLOG:NOTICE";
-            default = "SYSLOG:NOTICE";
-          };
-        };
-      };
-    };
-  };
-
-  config = {
-    assertions = mkIf (cfg.enable || config.services.kerberos_server.enable) [(let
-      implementation = cfg.package.passthru.implementation or "<NOT SET>";
-    in {
-      assertion = lib.elem implementation [ "krb5" "heimdal" ];
-      message = ''
-        `security.krb5.package` must be one of:
-
-          - krb5
-          - heimdal
-	
-	Currently chosen implementation: ${implementation}
-      '';
-    })];
-
-    environment = mkIf cfg.enable {
-      systemPackages = [ cfg.package ];
-      etc."krb5.conf".source = format.generate "krb5.conf" cfg.settings;
-    };
-  };
-
-  meta.maintainers = builtins.attrValues {
-    inherit (lib.maintainers) dblsaiko h7x4;
-  };
-}

hosts/buskerud/containers/salsa/modules/krb5/krb5-conf-format.nix

@@ -1,96 +0,0 @@
-{ pkgs, lib, ... }:
-
-# Based on
-# - https://web.mit.edu/kerberos/krb5-1.12/doc/admin/conf_files/krb5_conf.html
-# - https://manpages.debian.org/unstable/heimdal-docs/krb5.conf.5heimdal.en.html
-
-let
-  inherit (lib) boolToString concatMapStringsSep concatStringsSep filter
-    isAttrs isBool isList mapAttrsToList mdDoc mkOption singleton splitString;
-  inherit (lib.types) attrsOf bool coercedTo either int listOf oneOf path
-    str submodule;
-in
-{ }: rec {
-  sectionType = let
-    relation = oneOf [
-      (listOf (attrsOf value))
-      (attrsOf value)
-      value
-    ];
-    value = either (listOf atom) atom;
-    atom = oneOf [int str bool];
-  in attrsOf relation;
-
-  type = submodule {
-    freeformType = attrsOf sectionType;
-    options = {
-      include = mkOption {
-        default = [ ];
-        description = mdDoc ''
-          Files to include in the Kerberos configuration.
-        '';
-        type = coercedTo path singleton (listOf path);
-      };
-      includedir = mkOption {
-        default = [ ];
-        description = mdDoc ''
-          Directories containing files to include in the Kerberos configuration.
-        '';
-        type = coercedTo path singleton (listOf path);
-      };
-      module = mkOption {
-        default = [ ];
-        description = mdDoc ''
-          Modules to obtain Kerberos configuration from.
-        '';
-        type = coercedTo path singleton (listOf path);
-      };
-    };
-  };
-
-  generate = let
-    indent = str: concatMapStringsSep "\n" (line: "  " + line) (splitString "\n" str);
-
-    formatToplevel = args @ {
-      include ? [ ],
-      includedir ? [ ],
-      module ? [ ],
-      ...
-    }: let
-      sections = removeAttrs args [ "include" "includedir" "module" ];
-    in concatStringsSep "\n" (filter (x: x != "") [
-      (concatStringsSep "\n" (mapAttrsToList formatSection sections))
-      (concatMapStringsSep "\n" (m: "module ${m}") module)
-      (concatMapStringsSep "\n" (i: "include ${i}") include)
-      (concatMapStringsSep "\n" (i: "includedir ${i}") includedir)
-    ]);
-
-    formatSection = name: section: ''
-      [${name}]
-      ${indent (concatStringsSep "\n" (mapAttrsToList formatRelation section))}
-    '';
-
-    formatRelation = name: relation:
-      if isAttrs relation
-      then ''
-        ${name} = {
-        ${indent (concatStringsSep "\n" (mapAttrsToList formatValue relation))}
-        }''
-      else if isList relation
-      then
-        concatMapStringsSep "\n" (formatRelation name) relation
-      else formatValue name relation;
-
-    formatValue = name: value:
-      if isList value
-      then concatMapStringsSep "\n" (formatAtom name) value
-      else formatAtom name value;
-
-    formatAtom = name: atom: let
-      v = if isBool atom then boolToString atom else toString atom;
-    in "${name} = ${v}";
-  in
-    name: value: pkgs.writeText name ''
-      ${formatToplevel value}
-    '';
-}

hosts/buskerud/containers/salsa/services/heimdal/default.nix

@@ -1,78 +0,0 @@
-{ config, pkgs, lib, ... }:
-let
-
-  realm = "PVV.NTNU.NO";
-
-  cfg = config.security.krb5;
-in
-{
-  security.krb5 = {
-    enable = true;
-
-    # NOTE: This has a small edit that moves an include header to $dev/include.
-    #       It is required in order to build smbk5pwd, because of some nested includes.
-    #       We should open an issue upstream (heimdal, not nixpkgs), but this patch
-    #       will do for now.
-    # package = pkgs.heimdal;
-    package = pkgs.callPackage ./package.nix {
-      inherit (pkgs.apple_sdk.frameworks)
-        CoreFoundation Security SystemConfiguration;
-    };
-
-    settings = {
-      logging.kdc = "CONSOLE";
-      realms.${realm} = {
-        admin_server = "localhost";
-        kdc = [ "localhost" ];
-      };
-
-      kadmin.default_keys = lib.concatStringsSep " " [
-        "aes256-cts-hmac-sha1-96:pw-salt"
-        "aes128-cts-hmac-sha1-96:pw-salt"
-      ];
-
-      libdefaults.default_etypes = lib.concatStringsSep " " [
-        "aes256-cts-hmac-sha1-96"
-        "aes128-cts-hmac-sha1-96"
-      ];
-
-      libdefaults = {
-        default_realm = realm;
-      };
-
-      domain_realm = {
-        "pvv.ntnu.no" = realm;
-        ".pvv.ntnu.no" = realm;
-      };
-    };
-  };
-
-  services.kerberos_server = {
-    enable = true;
-    settings = {
-      realms.${realm} = {
-        dbname = "/var/heimdal/heimdal";
-        mkey = "/var/heimdal/mkey";
-      };
-      # kadmin.default_keys = lib.concatStringsSep " " [
-      #   "aes256-cts-hmac-sha1-96:pw-salt"
-      #   "aes128-cts-hmac-sha1-96:pw-salt"
-      # ];
-
-      # libdefaults.default_etypes = lib.concatStringsSep " " [
-      #   "aes256-cts-hmac-sha1-96"
-      #   "aes128-cts-hmac-sha1-96"
-      # ];
-
-      # password_quality.min_length = 8;
-    };
-  };
-
-  # NOTE: These changes are part of nixpkgs-unstable, but not 23.11.
-  #       The package override needs these changes.
-  # systemd.services = {
-  #   kdc.serviceConfig.ExecStart =      lib.mkForce "${cfg.package}/libexec/kadmind --config-file=/etc/heimdal-kdc/kdc.conf";
-  #   kpasswdd.serviceConfig.ExecStart = lib.mkForce "${cfg.package}/libexec/kpasswdd";
-  #   kadmind.serviceConfig.ExecStart =  lib.mkForce "${cfg.package}/libexec/kdc --config-file=/etc/heimdal-kdc/kdc.conf";
-  # };
-}

hosts/buskerud/containers/salsa/services/heimdal/package.nix

@@ -1,180 +0,0 @@
-{ lib
-, stdenv
-, fetchFromGitHub
-, autoreconfHook
-, pkg-config
-, python3
-, perl
-, bison
-, flex
-, texinfo
-, perlPackages
-
-, openldap
-, libcap_ng
-, sqlite
-, openssl
-, db
-, libedit
-, pam
-, krb5
-, libmicrohttpd
-, cjson
-
-, CoreFoundation
-, Security
-, SystemConfiguration
-
-, curl
-, jdk
-, unzip
-, which
-
-, nixosTests
-
-, withCJSON ? true
-, withCapNG ? stdenv.isLinux
-# libmicrohttpd should theoretically work for darwin as well, but something is broken.
-# It affects tests check-bx509d and check-httpkadmind.
-, withMicroHTTPD ? stdenv.isLinux
-, withOpenLDAP ? true
-, withOpenLDAPAsHDBModule ? false
-, withOpenSSL ? true
-, withSQLite3 ? true
-}:
-
-assert lib.assertMsg (withOpenLDAPAsHDBModule -> withOpenLDAP) ''
-  OpenLDAP needs to be enabled in order to build the OpenLDAP HDB Module.
-'';
-
-stdenv.mkDerivation {
-  pname = "heimdal";
-  version = "7.8.0-unstable-2023-11-29";
-
-  src = fetchFromGitHub {
-    owner = "heimdal";
-    repo = "heimdal";
-    rev = "3253c49544eacb33d5ad2f6f919b0696e5aab794";
-    hash = "sha256-uljzQBzXrZCZjcIWfioqHN8YsbUUNy14Vo+A3vZIXzM=";
-  };
-
-  outputs = [ "out" "dev" "man" "info" ];
-
-  nativeBuildInputs = [
-    autoreconfHook
-    pkg-config
-    python3
-    perl
-    bison
-    flex
-    texinfo
-  ]
-  ++ (with perlPackages; [ JSON ]);
-
-  buildInputs = [ db libedit pam ]
-    ++ lib.optionals (stdenv.isDarwin) [ CoreFoundation Security SystemConfiguration ]
-    ++ lib.optionals (withCJSON) [ cjson ]
-    ++ lib.optionals (withCapNG) [ libcap_ng ]
-    ++ lib.optionals (withMicroHTTPD) [ libmicrohttpd ]
-    ++ lib.optionals (withOpenLDAP) [ openldap ]
-    ++ lib.optionals (withOpenSSL) [ openssl ]
-    ++ lib.optionals (withSQLite3) [ sqlite ];
-
-  doCheck = true;
-  nativeCheckInputs = [
-    curl
-    jdk
-    unzip
-    which
-  ];
-
-  configureFlags = [
-    "--with-libedit-include=${libedit.dev}/include"
-    "--with-libedit-lib=${libedit}/lib"
-    # "--with-berkeley-db-include=${db.dev}/include"
-    "--with-berkeley-db=${db}/lib"
-
-    "--without-x"
-    "--disable-afs-string-to-key"
-  ] ++ lib.optionals (withCapNG) [
-    "--with-capng"
-  ] ++ lib.optionals (withCJSON) [
-    "--with-cjson=${cjson}"
-  ] ++ lib.optionals (withOpenLDAP) [
-    "--with-openldap=${openldap.dev}"
-  ] ++ lib.optionals (withOpenLDAPAsHDBModule) [
-    "--enable-hdb-openldap-module"
-  ] ++ lib.optionals (withSQLite3) [
-    "--with-sqlite3=${sqlite.dev}"
-  ];
-
-  # (check-ldap) slapd resides within ${openldap}/libexec,
-  #              which is not part of $PATH by default.
-  # (check-ldap) prepending ${openldap}/bin to the path to avoid
-  #              using the default installation of openldap on unsandboxed darwin systems,
-  #              which does not support the new mdb backend at the moment (2024-01-13).
-  # (check-ldap) the bdb backend got deprecated in favour of mdb in openldap 2.5.0,
-  #              but the heimdal tests still seem to expect bdb as the openldap backend.
-  #              This might be fixed upstream in a future update.
-  patchPhase = ''
-    runHook prePatch
-
-    substituteInPlace tests/ldap/slapd-init.in \
-      --replace 'SCHEMA_PATHS="' 'SCHEMA_PATHS="${openldap}/etc/schema '
-    substituteInPlace tests/ldap/check-ldap.in \
-      --replace 'PATH=' 'PATH=${openldap}/libexec:${openldap}/bin:'
-    substituteInPlace tests/ldap/slapd.conf \
-      --replace 'database	bdb' 'database mdb'
-
-    runHook postPatch
-  '';
-
-  # (test_cc) heimdal uses librokens implementation of `secure_getenv` on darwin,
-  #           which expects either USER or LOGNAME to be set.
-  preCheck = lib.optionalString (stdenv.isDarwin) ''
-    export USER=nix-builder
-  '';
-
-  # We need to build hcrypt for applications like samba
-  postBuild = ''
-    (cd include/hcrypto; make -j $NIX_BUILD_CORES)
-    (cd lib/hcrypto; make -j $NIX_BUILD_CORES)
-  '';
-
-  postInstall = ''
-    # Install hcrypto
-    (cd include/hcrypto; make -j $NIX_BUILD_CORES install)
-    (cd lib/hcrypto; make -j $NIX_BUILD_CORES install)
-
-    mkdir -p $dev/bin
-    mv $out/bin/krb5-config $dev/bin/
-
-    # asn1 compilers, move them to $dev
-    mv $out/libexec/heimdal/* $dev/bin
-    rmdir $out/libexec/heimdal
-
-    cp include/heim_threads.h $dev/include
-
-    # compile_et is needed for cross-compiling this package and samba
-    mv lib/com_err/.libs/compile_et $dev/bin
-  '';
-
-  # Issues with hydra
-  #  In file included from hxtool.c:34:0:
-  #  hx_locl.h:67:25: fatal error: pkcs10_asn1.h: No such file or directory
-  #enableParallelBuilding = true;
-
-  passthru = {
-    implementation = "heimdal";
-    tests.nixos = nixosTests.kerberos.heimdal;
-  };
-
-  meta = with lib; {
-    homepage = "https://www.heimdal.software";
-    changelog = "https://github.com/heimdal/heimdal/releases";
-    description = "An implementation of Kerberos 5 (and some more stuff)";
-    license = licenses.bsd3;
-    platforms = platforms.unix;
-    maintainers = with maintainers; [ h7x4 ];
-  };
-}

hosts/buskerud/containers/salsa/services/heimdal/package2.nix

@@ -1,178 +0,0 @@
-{ lib
-, stdenv
-, fetchFromGitHub
-, autoreconfHook
-, pkg-config
-, python3
-, perl
-, bison
-, flex
-, texinfo
-, perlPackages
-
-, openldap
-, libcap_ng
-, sqlite
-, openssl
-, db
-, libedit
-, pam
-, krb5
-, libmicrohttpd
-, cjson
-
-, CoreFoundation
-, Security
-, SystemConfiguration
-
-, curl
-, jdk
-, unzip
-, which
-
-, nixosTests
-
-, withCJSON ? true
-, withCapNG ? stdenv.isLinux
-# libmicrohttpd should theoretically work for darwin as well, but something is broken.
-# It affects tests check-bx509d and check-httpkadmind.
-, withMicroHTTPD ? stdenv.isLinux
-, withOpenLDAP ? true
-, withOpenLDAPAsHDBModule ? false
-, withOpenSSL ? true
-, withSQLite3 ? true
-}:
-
-assert lib.assertMsg (withOpenLDAPAsHDBModule -> withOpenLDAP) ''
-  OpenLDAP needs to be enabled in order to build the OpenLDAP HDB Module.
-'';
-
-stdenv.mkDerivation {
-  pname = "heimdal";
-  version = "7.8.0-unstable-2023-11-29";
-
-  src = fetchFromGitHub {
-    owner = "heimdal";
-    repo = "heimdal";
-    rev = "3253c49544eacb33d5ad2f6f919b0696e5aab794";
-    hash = "sha256-uljzQBzXrZCZjcIWfioqHN8YsbUUNy14Vo+A3vZIXzM=";
-  };
-
-  outputs = [ "out" "dev" "man" "info" ];
-
-  nativeBuildInputs = [
-    autoreconfHook
-    pkg-config
-    python3
-    perl
-    bison
-    flex
-    texinfo
-  ]
-  ++ (with perlPackages; [ JSON ]);
-
-  buildInputs = [ db libedit pam ]
-    ++ lib.optionals (stdenv.isDarwin) [ CoreFoundation Security SystemConfiguration ]
-    ++ lib.optionals (withCJSON) [ cjson ]
-    ++ lib.optionals (withCapNG) [ libcap_ng ]
-    ++ lib.optionals (withMicroHTTPD) [ libmicrohttpd ]
-    ++ lib.optionals (withOpenLDAP) [ openldap ]
-    ++ lib.optionals (withOpenSSL) [ openssl ]
-    ++ lib.optionals (withSQLite3) [ sqlite ];
-
-  doCheck = true;
-  nativeCheckInputs = [
-    curl
-    jdk
-    unzip
-    which
-  ];
-
-  configureFlags = [
-    "--with-libedit-include=${libedit.dev}/include"
-    "--with-libedit-lib=${libedit}/lib"
-    "--with-berkeley-db-include=${db.dev}/include"
-    "--with-berkeley-db"
-
-    "--without-x"
-    "--disable-afs-string-to-key"
-  ] ++ lib.optionals (withCapNG) [
-    "--with-capng"
-  ] ++ lib.optionals (withCJSON) [
-    "--with-cjson=${cjson}"
-  ] ++ lib.optionals (withOpenLDAP) [
-    "--with-openldap=${openldap.dev}"
-  ] ++ lib.optionals (withOpenLDAPAsHDBModule) [
-    "--enable-hdb-openldap-module"
-  ] ++ lib.optionals (withSQLite3) [
-    "--with-sqlite3=${sqlite.dev}"
-  ];
-
-  # (check-ldap) slapd resides within ${openldap}/libexec,
-  #              which is not part of $PATH by default.
-  # (check-ldap) prepending ${openldap}/bin to the path to avoid
-  #              using the default installation of openldap on unsandboxed darwin systems,
-  #              which does not support the new mdb backend at the moment (2024-01-13).
-  # (check-ldap) the bdb backend got deprecated in favour of mdb in openldap 2.5.0,
-  #              but the heimdal tests still seem to expect bdb as the openldap backend.
-  #              This might be fixed upstream in a future update.
-  patchPhase = ''
-    runHook prePatch
-
-    substituteInPlace tests/ldap/slapd-init.in \
-      --replace 'SCHEMA_PATHS="' 'SCHEMA_PATHS="${openldap}/etc/schema '
-    substituteInPlace tests/ldap/check-ldap.in \
-      --replace 'PATH=' 'PATH=${openldap}/libexec:${openldap}/bin:'
-    substituteInPlace tests/ldap/slapd.conf \
-      --replace 'database	bdb' 'database mdb'
-
-    runHook postPatch
-  '';
-
-  # (test_cc) heimdal uses librokens implementation of `secure_getenv` on darwin,
-  #           which expects either USER or LOGNAME to be set.
-  preCheck = lib.optionalString (stdenv.isDarwin) ''
-    export USER=nix-builder
-  '';
-
-  # We need to build hcrypt for applications like samba
-  postBuild = ''
-    (cd include/hcrypto; make -j $NIX_BUILD_CORES)
-    (cd lib/hcrypto; make -j $NIX_BUILD_CORES)
-  '';
-
-  postInstall = ''
-    # Install hcrypto
-    (cd include/hcrypto; make -j $NIX_BUILD_CORES install)
-    (cd lib/hcrypto; make -j $NIX_BUILD_CORES install)
-
-    mkdir -p $dev/bin
-    mv $out/bin/krb5-config $dev/bin/
-
-    # asn1 compilers, move them to $dev
-    mv $out/libexec/heimdal/* $dev/bin
-    rmdir $out/libexec/heimdal
-
-    # compile_et is needed for cross-compiling this package and samba
-    mv lib/com_err/.libs/compile_et $dev/bin
-  '';
-
-  # Issues with hydra
-  #  In file included from hxtool.c:34:0:
-  #  hx_locl.h:67:25: fatal error: pkcs10_asn1.h: No such file or directory
-  #enableParallelBuilding = true;
-
-  passthru = {
-    implementation = "heimdal";
-    tests.nixos = nixosTests.kerberos.heimdal;
-  };
-
-  meta = with lib; {
-    homepage = "https://www.heimdal.software";
-    changelog = "https://github.com/heimdal/heimdal/releases";
-    description = "An implementation of Kerberos 5 (and some more stuff)";
-    license = licenses.bsd3;
-    platforms = platforms.unix;
-    maintainers = with maintainers; [ h7x4 ];
-  };
-}

hosts/buskerud/containers/salsa/services/openldap.nix

@@ -1,115 +0,0 @@
-{ config, pkgs, lib, ... }:
-{
-  services.openldap = let
-    dn = "dc=kerberos,dc=pvv,dc=ntnu,dc=no";
-    cfg = config.services.openldap;
-  in {
-    enable = true;
-
-    # NOTE: this is a custom build of openldap with support for
-    #       perl and kerberos.
-    package = pkgs.openldap.overrideAttrs (prev: {
-      # https://github.com/openldap/openldap/blob/master/configure
-      configureFlags = prev.configureFlags ++ [
-        # Connect to slapd via UNIX socket
-        "--enable-local"
-        # Cyrus SASL
-        "--enable-spasswd"
-        # Reverse hostname lookups
-        "--enable-rlookups"
-        # perl
-        "--enable-perl"
-      ];
-
-      buildInputs = prev.buildInputs ++ (with pkgs; [
-        perl
-        config.security.krb5.package
-      ]);
-
-      extraContribModules = prev.extraContribModules ++ [
-        # https://git.openldap.org/openldap/openldap/-/tree/master/contrib/slapd-modules
-        "smbk5pwd"
-      ];
-    });
-
-    settings = {
-      attrs = {
-        olcLogLevel = [ "stats" "config" "args" ];
-
-        # olcAuthzRegexp = ''
-        #   gidNumber=.*\\\+uidNumber=0,cn=peercred,cn=external,cn=auth
-        #         "uid=heimdal,${dn2}"
-        # '';
-
-        # olcSaslSecProps = "minssf=0";
-      };
-
-      children = {
-        "cn=schema".includes = let
-          # NOTE: needed for smbk5pwd.so module
-          # schemaToLdif = name: path: pkgs.runCommandNoCC name {
-          #   buildInputs = with pkgs; [ schema2ldif ];
-          # } ''
-          #   schema2ldif "${path}" > $out
-          # '';
-
-          # hdb-ldif = schemaToLdif "hdb.ldif" "${pkgs.heimdal.src}/lib/hdb/hdb.schema";
-          # samba-ldif = schemaToLdif "samba.ldif" "${pkgs.heimdal.src}/tests/ldap/samba.schema";
-        in [
-           "${cfg.package}/etc/schema/core.ldif"
-           "${cfg.package}/etc/schema/cosine.ldif"
-           "${cfg.package}/etc/schema/nis.ldif"
-           "${cfg.package}/etc/schema/inetorgperson.ldif"
-           # "${hdb-ldif}"
-           # "${samba-ldif}"
-        ];
-
-        # NOTE: installation of smbk5pwd.so module
-        #       https://git.openldap.org/openldap/openldap/-/tree/master/contrib/slapd-modules/smbk5pwd
-        # "cn=module{0}".attrs = {
-        #   objectClass = [ "olcModuleList" ];
-        #   olcModuleLoad = [ "${cfg.package}/lib/modules/smbk5pwd.so" ];
-        # };
-
-        # NOTE: activation of smbk5pwd.so module for {1}mdb
-        # "olcOverlay={0}smbk5pwd,olcDatabase={1}mdb".attrs = {
-        #   objectClass = [ "olcOverlayConfig" "olcSmbK5PwdConfig" ];
-        #   olcOverlay = "{0}smbk5pwd";
-        #   olcSmbK5PwdEnable = [ "krb5" "samba" ];
-        #   olcSmbK5PwdMustChange = toString (60 * 60 * 24 * 30);
-        # };
-
-        "olcDatabase={1}mdb".attrs = {
-          objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ];
-
-          olcDatabase = "{1}mdb";
-
-          olcSuffix = dn;
-
-          # TODO: PW is supposed to be a secret, but it's probably fine for testing
-          olcRootDN = "cn=admin,${dn}";
-          olcRootPW.path = pkgs.writeText "olcRootPW" "pass";
-
-          olcDbDirectory = "/var/lib/openldap/test-db";
-          olcDbIndex = "objectClass eq";
-
-          olcAccess = [
-            ''{0}to attrs=userPassword,shadowLastChange
-                by dn.exact=cn=admin,${dn} write
-                by self write
-                by anonymous auth
-                by * none''
-
-            ''{1}to dn.base=""
-                by * read''
-
-            /* allow read on anything else */
-            # ''{2}to *
-            #     by cn=admin,${dn} write by dn.exact=gidNumber=0+uidNumber=0+cn=peercred,cn=external write
-            #     by * read''
-          ];
-        };
-      };
-    };
-  };
-}

hosts/buskerud/containers/salsa/services/saslauthd.nix

@@ -1,14 +0,0 @@
-{ ... }:
-{
-  # TODO: This is seemingly required for openldap to authenticate
-  #       against kerberos, but I have no idea how to configure it as
-  #       such. Does it need a keytab? There's a binary "testsaslauthd"
-  #       that follows with `pkgs.cyrus_sasl` that might be useful.
-  services.saslauthd = {
-    enable = true;
-    mechanism = "kerberos5";
-    # config = ''
-
-    # '';
-  };
-}

hosts/skrott/configuration.nix

@@ -0,0 +1,27 @@
+{ config, pkgs, values, ... }:
+{
+  imports = [
+    # Include the results of the hardware scan.
+    # ./hardware-configuration.nix
+    ../../base.nix
+    ../../misc/metrics-exporters.nix
+    ./services/dibbler.nix
+  ];
+  
+  sops.defaultSopsFile = ../../secrets/skrott/skrott.yaml;
+  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+  sops.age.keyFile = "/var/lib/sops-nix/key.txt";
+  sops.age.generateKey = true;
+
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+
+  networking.hostName = "skrott";
+
+  systemd.network.networks."30-yolo" = values.defaultNetworkConfig // {
+    matchConfig.Name = "*";
+    address = with values.hosts.skrott; [ (ipv4 + "/25") (ipv6 + "/64") ];
+  };
+
+  system.stateVersion = "23.11";
+}

hosts/skrott/services/dibbler.nix

@@ -0,0 +1,11 @@
+{ config, inputs, ... }:
+{
+  sops.secrets = {
+    "dibbler/config" = {
+      owner = "dibbler";
+      group = "dibbler";
+    };
+  };
+  services.dibbler.package = inputs.dibbler.packages.dibbler;
+  services.dibbler.config = config.sops.secrets."dibbler/config".path;
+}

secrets/skrott/skrott.yaml

@@ -0,0 +1,41 @@
+hello: ENC[AES256_GCM,data:KRtCZhcS+LMV5oUivFDBjQo7m9XkaGbHKOW6N/SFRiyZA3eXSkVeltttUHhCrw==,iv:AXlyyW5gQvXu//jV/BVb79ASbKsfu5FFNnRmXNBbfg0=,tag:UVLWNgxtSFh4txCDWl5bPg==,type:str]
+example_key: ENC[AES256_GCM,data:7SpSse4uVUzCwCzbdQ==,iv:zUh9qk/T7LNOXMqToQozn2KeHu9HJtAKarU+Xb5xwi0=,tag:AyO1cflpYraiABPApfjL8A==,type:str]
+#ENC[AES256_GCM,data:NnvbBdwOv5xiqArBdyypGg==,iv:iFCVF8EL8xrKNaDcPOcWp65EoilnG0mN/ph/ZaafLS0=,tag:7pQcs8grVPZbbjr/tze4LQ==,type:comment]
+example_array:
+    - ENC[AES256_GCM,data:fd3mltqGVj7bXHEMmcY=,iv:wzTLHEgQ7bDfUlu01qtaU6fe8L1ZTqmDEBJYf1jttxc=,tag:53XJn1OdJBTEC2BvoSIG1A==,type:str]
+    - ENC[AES256_GCM,data:jZffrJgY0C0YuGIwxxk=,iv:PH+x0/4vm40w+YuCO3JlOqw5bdfaBT29m0YjKMRCFXg=,tag:rWSocVW9kimF5Dcs8lBuLQ==,type:str]
+example_number: ENC[AES256_GCM,data:lWYwd7RXk//H/w==,iv:lD62NqHV/o2QJft48l+0MSeoiGRQ1WFKDoD0sXUevqI=,tag:Ov8j/DqbFww27tDJhmaufA==,type:float]
+example_booleans:
+    - ENC[AES256_GCM,data:QEIQzw==,iv:sGfKE8VMl1uElsfG0Cip647jv/i1+eGE0UxgOM3i4uA=,tag:eWKw678aymRGa1fk8d7RSA==,type:bool]
+    - ENC[AES256_GCM,data:9czVwLg=,iv:OEKALhwOl0OcEJe+k9bhxxdZ/bNd/Xfcvrd40fwAwF8=,tag:CWBuPlcO9WgrSUb0BgfL9g==,type:bool]
+dibbler:
+    config: ENC[AES256_GCM,data:SVTe6MOansry+FKwdu3mDZna4vmu+UMwySfKrfImnGozLz2FYHLW+RvjWaRpa7aGInPfE/icYbSxbHrFIPcIGGlJHTKUlCqQ6km/qYh3UxggKGH1JeUEIgkyvgBXvofym8b5CzyfRXpm35fs+1Io7MWTpeDhmNVk1hVoIU/qR6o6NhOCeH00Gy3cqxCGqi4loJYa51BMNczcUMynwP/9lB2OOb7ogl2TbKXZOK2jwSDCTLJ8FrKcCtUcUnGqUp9VwgktxNrRtFwGohW2gAg2Oq2OR+00dpT2VS+gUtHabrcwft7ioZBmb7rrI4KxpJwG96CYqX90iQiltkwA57BqVByvaYhga4nwdVT48e76MIgBYcQX1WDolL8eEU5QPvhnbmU2mVjdD9SmapoHwBm2qM7LqmsMjqnH8ZHMdtETs6kzt227/QZdh7fc7kaIK1x3Lpxpl3whUMc+mrM8D9xFSjuyxSiF0h7tBH6H,iv:oGd6Dnw655bpwXjqW4niU5dN0RfUDY39hFfiiIc9vhQ=,tag:4CL6iqCiALp/k03Ju6OI/Q==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age17tagmpwqjk3mdy45rfesrfey6h863x8wfq38wh33tkrlrywxducs0k6tpq
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpUlh2azlDTm9PRjJXQ2hO
+            MDlVbTdEN1RIVHkrbjIyY3pVVVlXY3M4eFNjCmJvZUNobVJHdnBhWjFHVVhmVVdX
+            aFloQVRyUXZsQ2g0bENQald6T2F3cEUKLS0tIGRuQjBXb2lzQnJQdDk0SzYwNUsx
+            SnhWdGZaTTVXbm4waW42ZUE0aWFtdDQKFLiRLCBHLAn43q7EPdc/mmQImltIsA5T
+            5ejVVvsva2wznc/pYvAeLb40yAwtszsNwH02SJ19WDz5wEARaQ8+8w==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1ju7rd26llahz3g8tz7cy5ld52swj8gsmg0flrmrxngc0nj0avq3ssh0sn5
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwd2w1YUtHaFZoNEFxMjF4
+            d1V2OFF4ZjFwNnpBWi9Cc3d1SHdqeVh4RDBzCmNLU3VWeVl4Z0ZPOUUvRjlsYzFZ
+            bjEwRlAweVcvME9nZTY1cmM4VHpXWVUKLS0tIHZJRjIveGoyQm02R0xaT2FEclFv
+            ZjhLdUhWdHp2N2krbkxqcHRoZVB6WkEK7uRAXYfI9LMfBXbHwitEVIyhGe6adIFz
+            9at0KEwLXePpR6bO9PM+T4am9V46Ygdq5iS8bSmX03832sK69pF9CA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-03-16T22:32:52Z"
+    mac: ENC[AES256_GCM,data:A1kg0QtZN3gMnBz1uqllPK4WI4U/CE8yJh8rHJ9CQ9V2kJQA6Kk7XrESVMsBpIazI6GuN1s33v4hNpeXhns5DMSdpWgQdyz8OM4Kj2nGz5h/JxCYwKT0e3R5qy48e0dcM906SG08DVQCCsiBnXAFWymM9Hs2+dPAAWlCNiR0gME=,iv:SookZTJGT7F5vZU6uDr9gO1A6XuDmL1UXlyphYS2dsI=,tag:8S77OX8aJcCn3efY25k4Dw==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1

values.nix

@@ -60,6 +60,10 @@ in rec {
       ipv4 = pvv-ipv4 231;
       ipv6 = pvv-ipv6 231;
     };
+    skrott = {
+      ipv4 = pvv-ipv4 235;
+      ipv6 = pvv-ipv6 235;
+    };
   };
 
   defaultNetworkConfig = {