zammad: disable

authentik is broken

This reverts commit 8930b99a7d.

.sops.yaml

@@ -8,8 +8,8 @@ keys:
   - &fugi BF37903AE6FD294C4C674EE24472A20091BFA792
   - &emmanuel E83F398E6423179FE4F63D4FF085CAD394DE329D
   - &joachim  B1A16011B86BACB56ADB713DB712039D23133661
-  - &jonasga FB44F0746DF25F0B24A2EAE586C8A257C3EC82AB
   - &hendrik FBBFAC260D9283D1EF2397DD3CA65E9DD6EB319D
+  - &frieder age1x76ajqw8w4l5vlkwt5s3flz5a5jq5qlxv7uppmnf8ckj9egh9ekqjclzt6
   - &quitte age1wvdnprpnq2rcc4se3zpx2p267n0apxg2jucvlm93e3pfj439ephqh2506t
   - &tomate age18lwgjazaxujqgcc5j0gjllnykhtjn6p0q44jzrsk4au2a5k6nd9s77kd6d
 
@@ -23,9 +23,9 @@ creation_rules:
         - *rouven
         - *fugi
         - *joachim
-        - *jonasga
         - *hendrik
         age:
+        - *frieder
         - *quitte
   - path_regex: secrets/tomate\.yaml$
     key_groups:
@@ -36,9 +36,9 @@ creation_rules:
         - *rouven
         - *fugi
         - *joachim
-        - *jonasga
         - *hendrik
         age:
+        - *frieder
         - *tomate
   - path_regex: secrets/admin\.yaml$
     key_groups:
@@ -49,5 +49,5 @@ creation_rules:
         - *rouven
         - *fugi
         - *joachim
-        - *jonasga
         - *hendrik
+        - *frieder

flake.lock

@@ -1,9 +1,53 @@
 {
   "nodes": {
+    "authentik": {
+      "inputs": {
+        "authentik-src": "authentik-src",
+        "flake-compat": "flake-compat",
+        "flake-parts": "flake-parts",
+        "flake-utils": "flake-utils",
+        "napalm": "napalm",
+        "nixpkgs": "nixpkgs",
+        "pyproject-build-systems": "pyproject-build-systems",
+        "pyproject-nix": "pyproject-nix",
+        "systems": "systems",
+        "uv2nix": "uv2nix"
+      },
+      "locked": {
+        "lastModified": 1746294280,
+        "narHash": "sha256-Y8JGnaYXk71ipBYFw83dvS1zKBftppT1RnRT/XsWKIM=",
+        "owner": "MarcelCoding",
+        "repo": "authentik-nix",
+        "rev": "c2a6bb12f90241df93fe2d5553c8bca476dcb52b",
+        "type": "github"
+      },
+      "original": {
+        "owner": "MarcelCoding",
+        "repo": "authentik-nix",
+        "type": "github"
+      }
+    },
+    "authentik-src": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1745954192,
+        "narHash": "sha256-QuIgeu3CN6S44/zSiaj+iIkDz2494mb1MWvD3eYYkVE=",
+        "owner": "goauthentik",
+        "repo": "authentik",
+        "rev": "22412729e2379d645da2ac0c0270a0ac6147945e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "goauthentik",
+        "ref": "version/2025.4.0",
+        "repo": "authentik",
+        "type": "github"
+      }
+    },
     "course-management": {
       "inputs": {
-        "flake-utils": "flake-utils",
+        "flake-utils": "flake-utils_2",
-        "nixpkgs": "nixpkgs",
+        "nixpkgs": "nixpkgs_2",
         "poetry2nix": "poetry2nix"
       },
       "locked": {
@@ -40,16 +84,53 @@
         "url": "https://git.ifsr.de/ese/manual-website"
       }
     },
-    "flake-utils": {
+    "flake-compat": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1733328505,
+        "narHash": "sha256-NeCCThCEP3eCl2l/+27kNNK7QrwZB1IJCrXfrbv5oqU=",
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "rev": "ff81ac966bb2cae68946d5ed5fc4994f96d0ffec",
+        "type": "github"
+      },
+      "original": {
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "type": "github"
+      }
+    },
+    "flake-parts": {
       "inputs": {
-        "systems": "systems"
+        "nixpkgs-lib": "nixpkgs-lib"
       },
       "locked": {
-        "lastModified": 1726560853,
+        "lastModified": 1743550720,
-        "narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=",
+        "narHash": "sha256-hIshGgKZCgWh6AYJpJmRgFdR3WUbkY04o82X05xqQiY=",
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "rev": "c621e8422220273271f52058f618c94e405bb0f5",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "type": "github"
+      }
+    },
+    "flake-utils": {
+      "inputs": {
+        "systems": [
+          "authentik",
+          "systems"
+        ]
+      },
+      "locked": {
+        "lastModified": 1731533236,
+        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
         "owner": "numtide",
         "repo": "flake-utils",
-        "rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a",
+        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
         "type": "github"
       },
       "original": {
@@ -78,7 +159,25 @@
     },
     "flake-utils_3": {
       "inputs": {
-        "systems": "systems_4"
+        "systems": "systems_3"
+      },
+      "locked": {
+        "lastModified": 1726560853,
+        "narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
+    "flake-utils_4": {
+      "inputs": {
+        "systems": "systems_6"
       },
       "locked": {
         "lastModified": 1681202837,
@@ -101,11 +200,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1732530918,
+        "lastModified": 1744024964,
-        "narHash": "sha256-O5cmb7xeIq1luKn9FbS3UP4aziP2UuBKARsq/w7CGqs=",
+        "narHash": "sha256-zmYWGZ7/tRSCy/PzghdguMpAdauWiYr6AJnbYCVHBFE=",
         "owner": "fsr",
         "repo": "kpp",
-        "rev": "b867b6b3d4c604c177e1866d2babc7ae5c0f6a9d",
+        "rev": "03e9650edb8d1e9ff424c2c2799736fbae56314b",
         "type": "github"
       },
       "original": {
@@ -114,6 +213,32 @@
         "type": "github"
       }
     },
+    "napalm": {
+      "inputs": {
+        "flake-utils": [
+          "authentik",
+          "flake-utils"
+        ],
+        "nixpkgs": [
+          "authentik",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1725806412,
+        "narHash": "sha256-lGZjkjds0p924QEhm/r0BhAxbHBJE1xMOldB/HmQH04=",
+        "owner": "willibutz",
+        "repo": "napalm",
+        "rev": "b492440d9e64ae20736d3bec5c7715ffcbde83f5",
+        "type": "github"
+      },
+      "original": {
+        "owner": "willibutz",
+        "ref": "avoid-foldl-stack-overflow",
+        "repo": "napalm",
+        "type": "github"
+      }
+    },
     "nix-github-actions": {
       "inputs": {
         "nixpkgs": [
@@ -143,11 +268,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1737861961,
+        "lastModified": 1746330942,
-        "narHash": "sha256-LIRtMvAwLGb8pBoamzgEF67oKlNPz4LuXiRPVZf+TpE=",
+        "narHash": "sha256-ShizFaJCAST23tSrHHtFFGF0fwd72AG+KhPZFFQX/0o=",
         "owner": "nix-community",
         "repo": "nix-index-database",
-        "rev": "79b7b8eae3243fc5aa9aad34ba6b9bbb2266f523",
+        "rev": "137fd2bd726fff343874f85601b51769b48685cc",
         "type": "github"
       },
       "original": {
@@ -157,6 +282,37 @@
       }
     },
     "nixpkgs": {
+      "locked": {
+        "lastModified": 1746183838,
+        "narHash": "sha256-kwaaguGkAqTZ1oK0yXeQ3ayYjs8u/W7eEfrFpFfIDFA=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "bf3287dac860542719fe7554e21e686108716879",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-24.11",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs-lib": {
+      "locked": {
+        "lastModified": 1743296961,
+        "narHash": "sha256-b1EdN3cULCqtorQ4QeWgLMrd5ZGOjLSLemfa00heasc=",
+        "owner": "nix-community",
+        "repo": "nixpkgs.lib",
+        "rev": "e4822aea2a6d1cdd36653c134cacfd64c97ff4fa",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "nixpkgs.lib",
+        "type": "github"
+      }
+    },
+    "nixpkgs_2": {
       "locked": {
         "lastModified": 1730531603,
         "narHash": "sha256-Dqg6si5CqIzm87sp57j5nTaeBbWhHFaVyG7V6L8k3lY=",
@@ -172,13 +328,13 @@
         "type": "github"
       }
     },
-    "nixpkgs_2": {
+    "nixpkgs_3": {
       "locked": {
-        "lastModified": 1738023785,
+        "lastModified": 1746557022,
-        "narHash": "sha256-BPHmb3fUwdHkonHyHi1+x89eXB3kA1jffIpwPVJIVys=",
+        "narHash": "sha256-QkNoyEf6TbaTW5UZYX0OkwIJ/ZMeKSSoOMnSDPQuol0=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "2b4230bf03deb33103947e2528cac2ed516c5c89",
+        "rev": "1d3aeb5a193b9ff13f63f4d9cc169fb88129f860",
         "type": "github"
       },
       "original": {
@@ -188,7 +344,7 @@
         "type": "github"
       }
     },
-    "nixpkgs_3": {
+    "nixpkgs_4": {
       "locked": {
         "lastModified": 1682134069,
         "narHash": "sha256-TnI/ZXSmRxQDt2sjRYK/8j8iha4B4zP2cnQCZZ3vp7k=",
@@ -202,15 +358,36 @@
         "type": "indirect"
       }
     },
+    "notenrechner": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "utils": "utils"
+      },
+      "locked": {
+        "lastModified": 1742228793,
+        "narHash": "sha256-USud87Uu/ZI6R+4vM0hxLdkOUr6nsJCnAEeIrtSRkCU=",
+        "ref": "refs/heads/main",
+        "rev": "c100e3dba23a089fbdf403d2ba31cf87614ee035",
+        "revCount": 10,
+        "type": "git",
+        "url": "https://git.ifsr.de/frieder.hannenheim/notenrechner.git"
+      },
+      "original": {
+        "type": "git",
+        "url": "https://git.ifsr.de/frieder.hannenheim/notenrechner.git"
+      }
+    },
     "poetry2nix": {
       "inputs": {
-        "flake-utils": "flake-utils_2",
+        "flake-utils": "flake-utils_3",
         "nix-github-actions": "nix-github-actions",
         "nixpkgs": [
           "course-management",
           "nixpkgs"
         ],
-        "systems": "systems_3",
+        "systems": "systems_4",
         "treefmt-nix": "treefmt-nix"
       },
       "locked": {
@@ -247,13 +424,65 @@
         "type": "github"
       }
     },
+    "pyproject-build-systems": {
+      "inputs": {
+        "nixpkgs": [
+          "authentik",
+          "nixpkgs"
+        ],
+        "pyproject-nix": [
+          "authentik",
+          "pyproject-nix"
+        ],
+        "uv2nix": [
+          "authentik",
+          "uv2nix"
+        ]
+      },
+      "locked": {
+        "lastModified": 1744599653,
+        "narHash": "sha256-nysSwVVjG4hKoOjhjvE6U5lIKA8sEr1d1QzEfZsannU=",
+        "owner": "pyproject-nix",
+        "repo": "build-system-pkgs",
+        "rev": "7dba6dbc73120e15b558754c26024f6c93015dd7",
+        "type": "github"
+      },
+      "original": {
+        "owner": "pyproject-nix",
+        "repo": "build-system-pkgs",
+        "type": "github"
+      }
+    },
+    "pyproject-nix": {
+      "inputs": {
+        "nixpkgs": [
+          "authentik",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1746146146,
+        "narHash": "sha256-60+mzI2lbgn+G8F5mz+cmkDvHFn4s5oqcOna1SzYy74=",
+        "owner": "pyproject-nix",
+        "repo": "pyproject.nix",
+        "rev": "3e9623bdd86a3c545e82b7f97cfdba5f07232d9a",
+        "type": "github"
+      },
+      "original": {
+        "owner": "pyproject-nix",
+        "repo": "pyproject.nix",
+        "type": "github"
+      }
+    },
     "root": {
       "inputs": {
+        "authentik": "authentik",
         "course-management": "course-management",
         "ese-manual": "ese-manual",
         "kpp": "kpp",
         "nix-index-database": "nix-index-database",
-        "nixpkgs": "nixpkgs_2",
+        "nixpkgs": "nixpkgs_3",
+        "notenrechner": "notenrechner",
         "print-interface": "print-interface",
         "sops-nix": "sops-nix",
         "vscode-server": "vscode-server"
@@ -266,11 +495,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1737411508,
+        "lastModified": 1746485181,
-        "narHash": "sha256-j9IdflJwRtqo9WpM0OfAZml47eBblUHGNQTe62OUqTw=",
+        "narHash": "sha256-PxrrSFLaC7YuItShxmYbMgSuFFuwxBB+qsl9BZUnRvg=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "015d461c16678fc02a2f405eb453abb509d4e1d4",
+        "rev": "e93ee1d900ad264d65e9701a5c6f895683433386",
         "type": "github"
       },
       "original": {
@@ -281,16 +510,16 @@
     },
     "systems": {
       "locked": {
-        "lastModified": 1681028828,
+        "lastModified": 1689347949,
-        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "narHash": "sha256-12tWmuL2zgBgZkdoB6qXZsgJEH9LR3oUgpaQq2RbI80=",
         "owner": "nix-systems",
-        "repo": "default",
+        "repo": "default-linux",
-        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "rev": "31732fcf5e8fea42e59c2488ad31a0e651500f68",
         "type": "github"
       },
       "original": {
         "owner": "nix-systems",
-        "repo": "default",
+        "repo": "default-linux",
         "type": "github"
       }
     },
@@ -310,6 +539,21 @@
       }
     },
     "systems_3": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
+    "systems_4": {
       "locked": {
         "lastModified": 1681028828,
         "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
@@ -323,7 +567,22 @@
         "type": "indirect"
       }
     },
-    "systems_4": {
+    "systems_5": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
+    "systems_6": {
       "locked": {
         "lastModified": 1681028828,
         "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
@@ -360,10 +619,53 @@
         "type": "github"
       }
     },
+    "utils": {
+      "inputs": {
+        "systems": "systems_5"
+      },
+      "locked": {
+        "lastModified": 1731533236,
+        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
+    "uv2nix": {
+      "inputs": {
+        "nixpkgs": [
+          "authentik",
+          "nixpkgs"
+        ],
+        "pyproject-nix": [
+          "authentik",
+          "pyproject-nix"
+        ]
+      },
+      "locked": {
+        "lastModified": 1746048139,
+        "narHash": "sha256-LdCLyiihLg6P2/mjzP0+W7RtraDSIaJJPTy6SCtW5Ag=",
+        "owner": "pyproject-nix",
+        "repo": "uv2nix",
+        "rev": "680e2f8e637bc79b84268949d2f2b2f5e5f1d81c",
+        "type": "github"
+      },
+      "original": {
+        "owner": "pyproject-nix",
+        "repo": "uv2nix",
+        "type": "github"
+      }
+    },
     "vscode-server": {
       "inputs": {
-        "flake-utils": "flake-utils_3",
+        "flake-utils": "flake-utils_4",
-        "nixpkgs": "nixpkgs_3"
+        "nixpkgs": "nixpkgs_4"
       },
       "locked": {
         "lastModified": 1729422940,

flake.nix

@@ -14,6 +14,15 @@
     ese-manual.url = "git+https://git.ifsr.de/ese/manual-website";
     ese-manual.inputs.nixpkgs.follows = "nixpkgs";
     vscode-server.url = "github:nix-community/nixos-vscode-server";
+    notenrechner.url = "git+https://git.ifsr.de/frieder.hannenheim/notenrechner.git";
+    notenrechner.inputs.nixpkgs.follows = "nixpkgs";
+    authentik = {
+      # change to old one when we are at 25.05
+      # see https://github.com/nix-community/authentik-nix/issues/56 for context
+      url = "github:MarcelCoding/authentik-nix";
+      # url = "github:nix-community/authentik-nix";
+    };
+
 
     course-management = {
       url = "github:fsr/course-management";
@@ -30,6 +39,7 @@
     , vscode-server
     , course-management
     , print-interface
+    , authentik
     , ...
     }@inputs:
     let
@@ -68,10 +78,13 @@
             ese-manual.nixosModules.default
             course-management.nixosModules.default
             vscode-server.nixosModules.default
+            authentik.nixosModules.default
+
             ./hosts/quitte/configuration.nix
             ./options
 
             ./modules/core
+            ./modules/authentik
             ./modules/ldap
             ./modules/mail
             ./modules/web
@@ -80,6 +93,7 @@
             ./modules/matrix
             ./modules/keycloak
             ./modules/monitoring
+            ./modules/unbound
 
             ./modules/nix-serve.nix
             ./modules/hedgedoc.nix
@@ -88,7 +102,7 @@
             ./modules/vaultwarden.nix
             ./modules/forgejo
             ./modules/kanboard.nix
-            ./modules/zammad.nix
+            # ./modules/zammad.nix
             # ./modules/decisions.nix
             ./modules/stream.nix
             # ./modules/struktur-bot.nix

hosts/quitte/network.nix

@@ -15,6 +15,7 @@
 
     firewall = {
       logRefusedConnections = false;
+      trustedInterfaces = [ "podman0" ];
     };
   };
 
@@ -46,10 +47,8 @@
       ];
       networkConfig = {
         DNS = [
-          "9.9.9.9"
+          "127.0.0.1"
-          "149.112.112.112"
+          "::1"
-          "2620:fe::fe"
-          "2620:fe::9"
         ];
         LLDP = true;
         EmitLLDP = "nearest-bridge";

keys/pgp/jonasga.asc

@@ -1,92 +0,0 @@
------BEGIN PGP PUBLIC KEY BLOCK-----
-
-mQINBGNNDUkBEADJu4HorNwlrimCfAmf1Sb2iHMoS4xwYn7AaU+U3RVivIfB/qNi
-+ggKF6osggihttIPEQqXqS591jutnIKP+KKvD9n8/jfCsDi5m6Ddwz61rL2NvEad
-bMJSViUzIEIDgQTJT8CByWJpPPND3MoKOuEK/XUQpKmhACT8l+xWSz9UpxPchAUa
-1vI7Q+jt/ik0EI7sH5WFaBzFj4xAwXXyWYuw6G5nP2oW237NLQnMwMFywLOyI7Qm
-+PfY/l4HKrNFYBiuv4ToGU5tAb1a23Rp+IV9faPZsT0IFYdxdkQUuu9s2JZ2UnvV
-VfJ0NWheToCY/R4TZkMDGhNSpotsRLhgdsVJsoBws61ndV/IgrIQbVnMNZrXvn+z
-tOtdlECVflGIICJkbXtBiGtgMRdJMNHnt4a3/2yPtCTG03Kt+38COh0ox5j3+HIg
-87Xxxln7z8zolalRkKi6NbOY7qoITcnbZIF972/8SI3UjYERJ4/ay9ucKIU1WLGv
-Ei97s+IDHt8KXJizc4Z7XfssZ9BcIZ/ekfOopN2Av0U33LCcTKHw9ZVmuoZCfL+u
-L8TDQLHJT75n+4yOTKXu00pYxWqT5FOFS0RMYb98QLDmcIDQ+B7pw82UGF3/3Fx6
-YBNY4IjFqIovVmU1UKt4KdLrdOSN8cQtcCxORqT+89bjIG68DbIzO7iCpQARAQAB
-tDFKb25hcyBHYWZma2UgPGpvbmFzLmdhZmZrZUBtYWlsYm94LnR1LWRyZXNkZW4u
-ZGU+iQJUBBMBCgA+AhsDBQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAFiEE+0TwdG3y
-XwskourlhsiiV8PsgqsFAmS3zscFCQcOW/4ACgkQhsiiV8Psgqvirg/9H+XHvntb
-shbst+vM9x8IKwhaOrH6IwZa/b9v8y8MRmbXoculQUuDyoeN0+RZkdeYZ25cjbnj
-qGzFS2gspWgNcpQ6yH3lOiwFMWG18M8RrXnpe0lOuo1JrqN10xgnbE/XahAdzshq
-riTMd8c2u8xaTQpLajdzPjgn13eDsqq1GfdTUi+p6olIwEhVH+PBxNQsav5EaU/0
-BzVnIC0U/TDeNmZk6NNvxJItDwdGbDW9fIlWSoz112WlnBTaP0cwg9lKVGSXfECc
-HSh+FKhJoaCxXxy2lsSJTz0yvjZp/lKCQ1aOd546CMChoncaN7G+rQZjk2reCoE2
-zMey8zm0o3ik4aVEHLRbPhM7en0wywp1H4NmEq94cvQ2epYS58YB8owrZk/cSlqc
-NH3Jw9wqQx3Wd+WLCYVn/Hoyj1QxeQJ1xvLau4KDE7dTVBXfWX9pv+zUi54R1bxB
-82907uId83VrtC0hGtwNz68wIfFduZJapZ50nIe+aXM3h4/BBqA7R2H/MKBy3VoA
-+pVVcIXk1HHEoZCt141ikHLOYAeUo8A98Dh6BESCuh0tCNa7Xh/3EZnvPIAVmiP4
-twrHYz2ARG6NgIVJCwnmSHyV76gPwT98fuX5KRkGh9Ev19DBL75tvLiwLiqSiR4Y
-liwM4YMa71wqet+CsQ7CAdI7LaGOB1wo7Xe0H0pvbmFzIEdhZmZrZSA8am9uYXNA
-am9uYXNnYS5pbz6JAlQEEwEKAD4CGwMFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AW
-IQT7RPB0bfJfCySi6uWGyKJXw+yCqwUCZLfOxwUJBw5b/gAKCRCGyKJXw+yCq0tN
-D/4/sle7D5dGsl12/2hq09rKOYeN2IedzTYtY6EYaMVMGgh35YVUXYRsj0JmIt3c
-m/L68d3rhxkiIxSdaXxZDvVvoOATgAnn4wXuz2LrtxoPpwVb8yREBIDSTymAHKgT
-5IXWl/x2CB6rQ9rlyg00m4sEOJ3newytVK24QtEiSseuDrR+5RGyP85UFjVSKWtE
-kYuIk1Rst+T0XJUJlIMjpMLtTF9Z15FwTRvPUhHfO8wmdp/xfHWdyB0qZI0QdnlA
-4uGP1TaXw7fm1o1frlla6LxIRCIe/Bk4pIPVg70BjO8HDPr8AQhTLqa2+1rI+AXD
-Wp3ROOe5X0fXV3liT/J/lXLBerWbYibVcHZluvEru7cgS3xBrbKP4OCF0i3xvueU
-dZnat1bfNPua6VXxACfoIGP7XYoRH+mx1Pv0tCiGv++5Lr9QGmDRwFEC1IgMnPu3
-YVu3wrTVZhyhyPKlp1golx9ZCemgyimqNNdfDEea0I75UTkoOfLpjwFGHuB2KiOX
-xyfaIxgOLN3/eefT6GYGmI9/it7E2cZhjEMCRRHsqFEa3MSZABIs/VGFctsJVVQy
-ke5hZavElLUGbDeP3GCdAnYb+DG3lP1KuzCqaGwpfZOh9WqlmxhGHnr+SkPDcAwO
-E6FZ63E6da1BW7aqQK9IQIlz1wT2fwLfyyiNTuH0GksA67QkSm9uYXMgR2FmZmtl
-IDxqb25hcy5nYWZma2VAYWdkc24uZGU+iQJUBBMBCgA+AhsDBQsJCAcCBhUKCQgL
-AgQWAgMBAh4BAheAFiEE+0TwdG3yXwskourlhsiiV8PsgqsFAmS3zscFCQcOW/4A
-CgkQhsiiV8PsgqvrihAAryY5C9niS6gXqKVnXWNlf/cesDCRNEs1akOLmwF4S541
-dsbKt9Ox4EWjaGkVC3ucKa7ejRqkOSoVnj+8iEDFaLJbhd2btYjKqWRXm8leuiHq
-SJ8tdsBDXXYodp8riTaPw8q+BV/OIjalTRq06dCon7kJtQiPolSvUr+pz9BIcWCV
-DxVlx/tI5SUuLEfa0cxFjkxVX/PyjijF3NXelMxDGDv4VjXZcZ8/gbHZUQeba4ku
-utfyeUpz8Jk2QcCROtO9XQNvPw8ae9KC+zSmiWOmK8CEMM9UAnHHV3M4nPi8Toef
-Na/W+48uWX7MNsD2DvQPft8Rv71bPnJpdU2sPfND4I8TsV0cjKRapfuhDkBA7QF7
-RxQtDS2QE1pMI2MbLoAJi2vItnXx1GV61ZL40pNbofVylJLfddjSJ2Mt2Vr9CxOJ
-yNk+lq36DzWELcWTbW8wlinEmzg3EPFMQKfPtMGAqQ/c+5e4WCxGPdwYZMpX5CRc
-SevoIWIS7D0lSzxMFnEmSEbV8UTCiQTqOYKvwXpD8APJ0BlJzxSxh6nWOvW63O4q
-hZWU+iNjifongAZ5bHdj9LTnLcMZtNZCUaGOT3JQOfXo9CFCa9CQY45RNHFCyWpj
-jMONEUxh/kSBiNmCQ7hReiMOo0v0DPziZGlU6xOgbO7FY65w/aBG4KzyO54ObtG0
-I0pvbmFzIEdhZmZrZSA8am9uYXMuZ2FmZmtlQGlmc3IuZGU+iQJUBBMBCgA+AhsD
-BQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAFiEE+0TwdG3yXwskourlhsiiV8PsgqsF
-AmS3zscFCQcOW/4ACgkQhsiiV8Psgqu1uRAAxd4g81gphfrBqh7dQdJxYoj6CWqZ
-+yrqkoFLrHtT2nEc2o/gzJ3NRtUOVVkbZavWm3+U0/kYn0l/2pC/rRh7EzMmqVqV
-tib+F56dWTSiJ/4jwkUIxKiQdUYP9M1HHyYUY+aNU+ob3S19IMy4hvE/jSk7o8y6
-vYx4LsOkxr2/VclsUE+1F9rPUUymbwPzcLCuStP2dHrIvyVTyKFEE2SYv8Vt53sb
-6IFfo1Fef3gVzlfPgYVpprnumF1SDufSIT4xy5NIbKngeUxlLzsXFpgjoAEqGJQM
-XdlAc1JwOL0vB5F8fYVXvCn/xqGdm5XByAQZhZsod0yPvfLr56T57wRQl2KZLDFk
-90FSVgn9Z+mfimixgo5sQ6PJaLmBZl4ZLdnX1RGT8sjXyhX8QRdB8VRk1NEoxBWv
-W7ZvuLZXJ5HuVj8zsrS56PFBwcIure4K9OZyYdWIDLLGDyMWBcXhmbrcHxTsBoCH
-vWIY6xQdpKBwnK/eDeMTcvyxnfbRbg1InvPp9WwUHixiJpFfJg/D3ljKp9DfhG1I
-KZs6kc7rxiUdrxsAul2thrd9OdVWHWc8KZgHH3Lu/+0Ff4BqgTCHOtAQF1WRLGMq
-Bz/ZmkaPpF+bCFL8DIWKpZ0RIroGzRrJ/+HpPrNifgTLppXFeORaERmBKjsvGxk9
-kxs4/YrT7NRJFci5Ag0EY00NSQEQAL2QNEcd2EB7Pxgfywr8FKH5j7pa5LcLPAIQ
-zSQYIcjkNJ2RwCFJ2NRmnlHi1K/Ig2rU/CyHn2AQ5xJirMn08Zfe40L8fLjR8nx8
-8123BxURzC9jOy9/P4XQnVsyA82nyjm1b7ZdYxBKtfuw1p3N5ZBn0VIQ8tcdIkVw
-WB1WWK5kvkhHzjrtJBTKsgFXGreKdy7eSXdJ+GnXRAcGMtvDdLI3FuuqFhSiQk5Z
-8iuG8vbIefC/FvK74qADST3rFi+hKDVx+nMrGMtaNs41ogrgcsOL5kg62MLH562x
-g3/a4xk75374t9j1SuJOz74PuSdpyNuj1Np9nrA7qjCpiXgoD2RKv6nUVdtg2ONT
-2D4HU65gq4/EJhgLm0pybImBmaNV0yQ7c1jvTl5UvDe6eo+PiKSheDJUKt1Yf+qM
-8RGquQ08kYvYSIqGEPmZGWTLfKUrmGdRPP8M1GiavOph5zagRRUvx8fMAZ24YmBD
-NdkrFs4TykfwWpKXxxgnAFfpe/U8qh0Nn3EpMbFVddykGgbu/lp0hlD9sBwMRKSN
-WrjP6EcQxU+2F+iXA7ycnqc0gm2NFbF7hxfq01aeHsAEDYjJ7P3MqhS77eizubnF
-uMmFBN7bX8nSzgBW3EPf/U6MXWgVmBu6AoTlLryDN7FVM/lQROyysAzXAZTpVfdj
-JYvK6Ek7ABEBAAGJAjYEGAEKACAWIQT7RPB0bfJfCySi6uWGyKJXw+yCqwUCY00N
-SQIbDAAKCRCGyKJXw+yCq894EADEaqstXPduTKMdKoI3nA4IzODp89HXEyxZ5w7I
-WBX9QVu6bsI6uIXCb6YTNaleLUoz6XKHKctzCexyNOSChbKeFC5pnCejqjTHZfip
-6bUcuaFYGsbzWUEasIlMxISLs3yHSf5sN7FNU2Oms/3EE5nY/pFZKR4V/bvk7FdG
-UIE6/Pv9Z7Xw/y83CH+W72y83Ugk3iqFjcNcFRQ1JIHASqka5T2k6FTSfTvHlrRG
-yTSsGe9r2Gkh8GkGmaMboIW/drd71w81Wn5wUWDZBWqEP0UMQ5mld/sGCnmiM2u7
-yWbYXSTUvluutHsXZuhlAv8TGp6VkpCtmUquoM1UpmEGRb223YDPtBZdyOl+UnQE
-b8pN0pt+yDlYXX7kMi/i9WgR/vKm6YlAKziJwOdnKG4bP/urZDz602BXJWH8TWim
-/1CT5uMEdSEN5xBjyUt0q6Q1eGtB4Rub9J492yGJmp3IhvzeYoOmKjtmyPKFdDki
-21eBTU/TSPHToYtVW3Xm5afdM9313Y+hB3gyC9cQWWJdDi/rUtVi//j8lQErKxoM
-h97b5VOeFMO21EFXGiTLlPaP+qs7Ngqc4/Y7rGAbr50CVVDJUxawMO0+r32j+M2o
-rBWzVWTKM0uFGTRdVzwWSnYTltU1JoZ0xmV9HGJhLuQHRJ+F+8n7YxIke9wVU1yR
-q0Mleg==
-=M2wX
------END PGP PUBLIC KEY BLOCK-----

keys/ssh/frieder

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH70IC7DaiGBYdftUhuOE9CatcdYj2L50eZfztQA+pVs fried@Frieders-Void-Laptop

keys/ssh/jonasga

@@ -1 +0,0 @@
-ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDpOQuIl31BL16yXdLlbzSDCle6bjE3WNVXzOV9ibdzEC3PpUufJDTU7FMW3WCO9fnYJ5osPKbV9nou5/10mPuN0g+k1e0NWUZNHbG+5zRqS7QYGFmtDC8EUTx1xnri5zMBMn9jzjNE8BkqvsjGrHcVCtI2T51slwFjE60GFkloQ7izRDrNkge1iM57KhoXz5MeYJtolDqeOh5P7nfAUR4bGT/gGtYVd85oCvbsHcjF9vgDovAfNP+zQhUn51ZOXvGp8+1/MAJVtxLfjC9Ma3LRiiliD6w5zcsksG5cUGcj2Sk9i/7nTm7g5MGo4EKwgPMw/MRzSRzvlZ76oPSPSLKn jonas@T14s

modules/authentik/default.nix

@@ -0,0 +1,16 @@
+{ config, lib, ... }:
+let
+  domain = "idm.${config.networking.domain}";
+in
+{
+  sops.secrets."authentik/env" = { };
+  services.authentik = {
+    enable = true;
+    nginx = {
+      enable = true;
+      host = domain;
+      enableACME = true;
+    };
+    environmentFile = config.sops.secrets."authentik/env".path;
+  };
+}

modules/core/base.nix

@@ -64,7 +64,6 @@
       ../../keys/ssh/jannusch
       ../../keys/ssh/jannusch-arch
       ../../keys/ssh/tassilo
-      ../../keys/ssh/jonasga
       ../../keys/ssh/rouven
       ../../keys/ssh/joachim
     ];
@@ -115,6 +114,7 @@
     zsh
     unzip
     yazi
+    imagemagick
   ];
 }
 

modules/core/mysql.nix

@@ -10,7 +10,6 @@
     user = "mysql";
     location = "/var/lib/backup/mysql";
     databases = [
-      "decisions"
       "fsrewsp"
       "nightline"
       "wiki_ese"

modules/kanboard.nix

@@ -1,4 +1,4 @@
-{ config, pkgs, ... }:
+{ config, ... }:
 let
   domain = "kanboard.${config.networking.domain}";
   domain_short = "kb.${config.networking.domain}";

modules/ldap/default.nix

@@ -82,9 +82,4 @@ in
       };
     };
   };
-  networking.firewall = {
-    extraInputRules = ''
-      ip saddr { 141.30.86.192/26, 141.76.100.128/25, 10.88.0.1/16 } tcp dport 636 accept comment "Allow ldaps access from office nets and podman"
-    '';
-  };
 }

modules/mail/rspamd.nix

@@ -184,6 +184,7 @@ in
     redis = {
       vmOverCommit = true;
       servers.rspamd = {
+        port = 0;
         enable = true;
       };
     };

modules/stream.nix

@@ -1,13 +1,12 @@
 { config, ... }:
+let cfg = config.services.owncast;
+in
 {
   services = {
     nginx = {
       virtualHosts = {
         "stream.${config.networking.domain}" = {
           locations."/" =
-            let
-              cfg = config.services.owncast;
-            in
             {
               proxyPass = "http://${toString cfg.listen}:${toString cfg.port}";
               proxyWebsockets = true;
@@ -19,8 +18,12 @@
       enable = true;
       port = 13142;
       listen = "[::ffff:127.0.0.1]";
-      openFirewall = true;
       rtmp-port = 1935;
     };
   };
+  networking.firewall = {
+    extraInputRules = ''
+      ip saddr {141.30.0.0/16, 141.76.0.0/16} tcp dport ${toString cfg.rtmp-port} accept comment "Allow rtmp access from campus nets"
+    '';
+  };
 }

modules/unbound/default.nix

@@ -0,0 +1,14 @@
+{ ... }:
+{
+  services.resolved.extraConfig = ''
+    DNSStubListener=no
+  '';
+  services.unbound = {
+    enable = true;
+    settings = {
+      server = {
+        interface = [ "127.0.0.1" "::1" ];
+      };
+    };
+  };
+}

modules/web/default.nix

@@ -12,5 +12,6 @@
     ./userdir.nix
     ./ftp.nix
     ./hyperilo.nix
+    ./notenrechner.nix
   ];
 }

modules/web/ftp.nix

@@ -11,6 +11,7 @@ in
       fancyindex_exact_size off;
       error_page 403 /403.html;
       fancyindex_localtime on;
+      charset utf-8;
     '';
     locations."~/(klausuren|uebungen|skripte|abschlussarbeiten)".extraConfig = ''
       allow 141.30.0.0/16;

modules/web/hyperilo.nix

@@ -12,6 +12,7 @@
       proxy_http_version 1.1;
       proxy_set_header Upgrade $http_upgrade;
       proxy_set_header Connection $connection_upgrade_capitalized;
+      proxy_set_header Authorization ""; # drop the basic auth headers, otherwise remote console doesn't work
     '';
   };
 

modules/web/ifsrde.nix

@@ -60,6 +60,7 @@ in
         "~ ^/cmd(/?[^\\n|\\r]*)$".return = "301 https://pad.ifsr.de$1";
         "/bbb".return = "301 https://bbb.tu-dresden.de/b/fsr-58o-tmf-yy6";
         "/kpp".return = "301 https://kpp.ifsr.de";
+        "/mese".return = "301 https://ifsr.de/news/mese-and-welcome-back";
         "/sso".return = "301 https://sso.ifsr.de/realms/internal/account";
         # security
         "~* /(\.git|cache|bin|logs|backup|tests)/.*$".return = "403";

modules/web/notenrechner.nix

@@ -0,0 +1,9 @@
+{ config, specialArgs, ... }:
+let
+  domain = "notenrechner.${config.networking.domain}";
+in
+{
+  services.nginx.virtualHosts."${domain}" = {
+    root = specialArgs.notenrechner.packages."x86_64-linux".default;
+  };
+}

modules/web/sharepic.nix

@@ -1,60 +1,14 @@
-{ pkgs, config, lib, ... }:
+{ pkgs, config, ... }:
 let
   domain = "sharepic.${config.networking.domain}";
-  user = "sharepic";
-  group = "sharepic";
 in
 {
-  users.users.${user} = {
+  services.nginx.virtualHosts."${domain}" = {
-    group = group;
+    root = pkgs.fetchFromGitHub {
-    isSystemUser = true;
+      owner = "jannikmenzel";
-  };
+      repo = "iFSR-Sharepicgenerator";
-  users.groups.${group} = { };
+      rev = "ac721d5fff2dba1f046939a6d6532b1a8cfceba8";
-
+      hash = "sha256-of+N58TDt2BcbDVEriKn6rjQVl0GdV4ZMEblrdUutZk=";
-  services.phpfpm.pools.sharepic = {
-    user = "sharepic";
-    group = "sharepic";
-    settings = {
-      "listen.owner" = config.services.nginx.user;
-      "pm" = "dynamic";
-      "pm.max_children" = 32;
-      "pm.max_requests" = 500;
-      "pm.start_servers" = 2;
-      "pm.min_spare_servers" = 2;
-      "pm.max_spare_servers" = 5;
-      "php_admin_value[error_log]" = "stderr";
-      "php_admin_flag[log_errors]" = true;
-      "catch_workers_output" = true;
-    };
-    phpEnv."PATH" = lib.makeBinPath [ pkgs.php ];
-  };
-
-  services.nginx = {
-    enable = true;
-
-    virtualHosts."${domain}" = {
-      root = "/srv/web/sharepic";
-      extraConfig = ''
-        index index.php index.html;
-      '';
-
-      locations = {
-        "/" = {
-          tryFiles = "$uri $uri/ =404";
-        };
-        "~ \.php$" = {
-          extraConfig = ''
-            try_files $uri =404;
-            fastcgi_pass unix:${config.services.phpfpm.pools.sharepic.socket};
-            fastcgi_split_path_info ^(.+\.php)(/.+)$;
-            fastcgi_index index.php;
-            include ${pkgs.nginx}/conf/fastcgi_params;
-            include ${pkgs.nginx}/conf/fastcgi.conf;
-            fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name;
-          '';
-        };
-        "/data".return = "403";
-      };
     };
   };
 }

modules/wiki/ese.nix

@@ -6,6 +6,9 @@ let
 in
 {
 
+  system.activationScripts.hacky-mediawiki-convert = ''
+    cp ${pkgs.imagemagick}/bin/convert /srv/web/wiki.ese/convert
+  '';
   users.users.${user} = {
     group = group;
     isSystemUser = true;

modules/wiki/fsr.nix

@@ -38,6 +38,7 @@ in
       };
 
       extraConfig = ''
+        wfLoadSkin( 'MinervaNeue' );
         $wgSitename = "FSR Wiki";
         $wgArticlePath = '/$1';
 
@@ -57,6 +58,7 @@ in
         $wgUseAjax = true;
         $wgEnableMWSuggest = true;
         $wgDefaultSkin = 'timeless';
+        $wgDefaultMobileSkin = 'minerva';
 
         //TODO what about $wgUpgradeKey ?
 
@@ -75,13 +77,15 @@ in
           ],
         ];
       '';
-
       extensions = {
         # some extensions are included and can enabled by passing null
         VisualEditor = null;
         # the dir in the mediawiki-1.42.3.tar.gz inside of the extension folder is called "SyntaxHighlight_GeSHi" not "SyntaxHighlight"
         SyntaxHighlight_GeSHi = null;
-
+        MobileFrontend = pkgs.fetchzip {
+          url = "https://extdist.wmflabs.org/dist/extensions/MobileFrontend-REL1_43-3b4cac8.tar.gz";
+          hash = "sha256-aJOArZl+oO/ADjxIhlFVGS8hGmpSp6nsgC7XkKEk1Ks=";
+        };
         PluggableAuth = pkgs.fetchzip {
           url = "https://extdist.wmflabs.org/dist/extensions/PluggableAuth-REL1_42-1da98f4.tar.gz";
           hash = "sha256-5uBUy7lrr86ApASYPWgF6Wa09mxxP0o+lXLt1gVswlA=";

modules/zammad.nix

@@ -1,4 +1,4 @@
-{ config, ... }:
+{ config, lib, ... }:
 let
   domain = "tickets.${config.networking.domain}";
 in
@@ -9,11 +9,18 @@ in
       createLocally = true;
       type = "PostgreSQL";
     };
+    redis.port = 6380;
     port = 8085;
     secretKeyBaseFile = config.sops.secrets."zammad_secret".path;
   };
 
 
+    services.redis = {
+      servers.zammad = {
+        port = lib.mkForce 6380;
+        enable = true;
+      };
+    };
   # disably spammy logs
   systemd.services.zammad-web.preStart = ''
     sed -i -e "s|debug|warn|" ./config/environments/production.rb 

overlays/default.nix

@@ -1,6 +1,7 @@
 _final: prev:
 let
   inherit (prev) fetchurl;
+  inherit (prev) fetchpatch;
   inherit (prev) callPackage;
 in
 {