updates 2025-01-29

https://c3d2.social/@sandro/113900709169130028

flake.lock

@@ -7,11 +7,11 @@
         "poetry2nix": "poetry2nix"
       },
       "locked": {
-        "lastModified": 1714117615,
+        "lastModified": 1730751072,
-        "narHash": "sha256-Ilu7j7tihFI0jtnsQS+7H0SZX4C61NZHaV/7fJ39t/E=",
+        "narHash": "sha256-+FQjzCNV3k8U4BfNcFmoZTRf8aO9ufn3s7kkzHj/b7s=",
         "owner": "fsr",
         "repo": "course-management",
-        "rev": "9e5ab11788b926a9a26d2aaa0e0958c3c5865cc9",
+        "rev": "60b7062ce47ee9f0609e701ad5eb5e3e0a857ff2",
         "type": "github"
       },
       "original": {
@@ -27,11 +27,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1698049587,
+        "lastModified": 1730889586,
-        "narHash": "sha256-gNxpJdxSrpWMTBSGFO4HfXgr+FiAGtwEXCvxd6W8IUQ=",
+        "narHash": "sha256-SLgo7UjWLaFaaUPFqzKbr9DLAGzm5kparfxuJHEpK3w=",
         "ref": "refs/heads/main",
-        "rev": "2d05abcd2b4e59db421c86fa9adaffa3dccb1086",
+        "rev": "a111147ce5eaea4f1d691afe1203e7529d68522d",
-        "revCount": 7,
+        "revCount": 9,
         "type": "git",
         "url": "https://git.ifsr.de/ese/manual-website"
       },
@@ -45,11 +45,11 @@
         "systems": "systems"
       },
       "locked": {
-        "lastModified": 1694529238,
+        "lastModified": 1726560853,
-        "narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=",
+        "narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=",
         "owner": "numtide",
         "repo": "flake-utils",
-        "rev": "ff7b65b44d01cf9ba6a71320833626af21126384",
+        "rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a",
         "type": "github"
       },
       "original": {
@@ -63,11 +63,11 @@
         "systems": "systems_2"
       },
       "locked": {
-        "lastModified": 1694529238,
+        "lastModified": 1726560853,
-        "narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=",
+        "narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=",
         "owner": "numtide",
         "repo": "flake-utils",
-        "rev": "ff7b65b44d01cf9ba6a71320833626af21126384",
+        "rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a",
         "type": "github"
       },
       "original": {
@@ -101,11 +101,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1708628927,
+        "lastModified": 1732530918,
-        "narHash": "sha256-1ObvmmEzbW2YjY/jJyfOoxhxIe54zcsOBMzgehnclRg=",
+        "narHash": "sha256-O5cmb7xeIq1luKn9FbS3UP4aziP2UuBKARsq/w7CGqs=",
         "owner": "fsr",
         "repo": "kpp",
-        "rev": "05e370097af21ddb776bec907942c60e6aebc394",
+        "rev": "b867b6b3d4c604c177e1866d2babc7ae5c0f6a9d",
         "type": "github"
       },
       "original": {
@@ -123,11 +123,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1698974481,
+        "lastModified": 1729742964,
-        "narHash": "sha256-yPncV9Ohdz1zPZxYHQf47S8S0VrnhV7nNhCawY46hDA=",
+        "narHash": "sha256-B4mzTcQ0FZHdpeWcpDYPERtyjJd/NIuaQ9+BV1h+MpA=",
         "owner": "nix-community",
         "repo": "nix-github-actions",
-        "rev": "4bb5e752616262457bc7ca5882192a564c0472d2",
+        "rev": "e04df33f62cdcf93d73e9a04142464753a16db67",
         "type": "github"
       },
       "original": {
@@ -143,11 +143,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1720334033,
+        "lastModified": 1737861961,
-        "narHash": "sha256-X9pEvvHTVWJphhbUYqXvlLedOndNqGB7rvhSvL2CIgU=",
+        "narHash": "sha256-LIRtMvAwLGb8pBoamzgEF67oKlNPz4LuXiRPVZf+TpE=",
         "owner": "nix-community",
         "repo": "nix-index-database",
-        "rev": "685e40e1348007d2cf76747a201bab43d86b38cb",
+        "rev": "79b7b8eae3243fc5aa9aad34ba6b9bbb2266f523",
         "type": "github"
       },
       "original": {
@@ -158,11 +158,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1701253981,
+        "lastModified": 1730531603,
-        "narHash": "sha256-ztaDIyZ7HrTAfEEUt9AtTDNoCYxUdSd6NrRHaYOIxtk=",
+        "narHash": "sha256-Dqg6si5CqIzm87sp57j5nTaeBbWhHFaVyG7V6L8k3lY=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "e92039b55bcd58469325ded85d4f58dd5a4eaf58",
+        "rev": "7ffd9ae656aec493492b44d0ddfb28e79a1ea25d",
         "type": "github"
       },
       "original": {
@@ -172,34 +172,18 @@
         "type": "github"
       }
     },
-    "nixpkgs-stable": {
-      "locked": {
-        "lastModified": 1720282526,
-        "narHash": "sha256-dudRkHPRivMNOhd04YI+v4sWvn2SnN5ODSPIu5IVbco=",
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "550ac3e955c30fe96dd8b2223e37e0f5d225c927",
-        "type": "github"
-      },
-      "original": {
-        "owner": "NixOS",
-        "ref": "release-24.05",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
-    },
     "nixpkgs_2": {
       "locked": {
-        "lastModified": 1720244366,
+        "lastModified": 1738023785,
-        "narHash": "sha256-WrDV0FPMVd2Sq9hkR5LNHudS3OSMmUrs90JUTN+MXpA=",
+        "narHash": "sha256-BPHmb3fUwdHkonHyHi1+x89eXB3kA1jffIpwPVJIVys=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "49ee0e94463abada1de470c9c07bfc12b36dcf40",
+        "rev": "2b4230bf03deb33103947e2528cac2ed516c5c89",
         "type": "github"
       },
       "original": {
         "owner": "nixos",
-        "ref": "nixos-24.05",
+        "ref": "nixos-24.11",
         "repo": "nixpkgs",
         "type": "github"
       }
@@ -230,11 +214,11 @@
         "treefmt-nix": "treefmt-nix"
       },
       "locked": {
-        "lastModified": 1701399357,
+        "lastModified": 1730284601,
-        "narHash": "sha256-QSGP2J73HQ4gF5yh+MnClv2KUKzcpTmikdmV8ULfq2E=",
+        "narHash": "sha256-eHYcKVLIRRv3J1vjmxurS6HVdGphB53qxUeAkylYrZY=",
         "owner": "nix-community",
         "repo": "poetry2nix",
-        "rev": "7acb78166a659d6afe9b043bb6fe5cb5e86bb75e",
+        "rev": "43a898b4d76f7f3f70df77a2cc2d40096bc9d75e",
         "type": "github"
       },
       "original": {
@@ -279,15 +263,14 @@
       "inputs": {
         "nixpkgs": [
           "nixpkgs"
-        ],
+        ]
-        "nixpkgs-stable": "nixpkgs-stable"
       },
       "locked": {
-        "lastModified": 1720321395,
+        "lastModified": 1737411508,
-        "narHash": "sha256-kcI8q9Nh8/CSj0ygfWq1DLckHl8IHhFarL8ie6g7OEk=",
+        "narHash": "sha256-j9IdflJwRtqo9WpM0OfAZml47eBblUHGNQTe62OUqTw=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "c184aca4db5d71c3db0c8cbfcaaec337a5d065ea",
+        "rev": "015d461c16678fc02a2f405eb453abb509d4e1d4",
         "type": "github"
       },
       "original": {
@@ -364,11 +347,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1699786194,
+        "lastModified": 1730120726,
-        "narHash": "sha256-3h3EH1FXQkIeAuzaWB+nK0XK54uSD46pp+dMD3gAcB4=",
+        "narHash": "sha256-LqHYIxMrl/1p3/kvm2ir925tZ8DkI0KA10djk8wecSk=",
         "owner": "numtide",
         "repo": "treefmt-nix",
-        "rev": "e82f32aa7f06bbbd56d7b12186d555223dc399d1",
+        "rev": "9ef337e492a5555d8e17a51c911ff1f02635be15",
         "type": "github"
       },
       "original": {
@@ -383,11 +366,11 @@
         "nixpkgs": "nixpkgs_3"
       },
       "locked": {
-        "lastModified": 1713958148,
+        "lastModified": 1729422940,
-        "narHash": "sha256-8PDNi/dgoI2kyM7uSiU4eoLBqUKoA+3TXuz+VWmuCOc=",
+        "narHash": "sha256-DlvJv33ml5UTKgu4b0HauOfFIoDx6QXtbqUF3vWeRCY=",
         "owner": "nix-community",
         "repo": "nixos-vscode-server",
-        "rev": "fc900c16efc6a5ed972fb6be87df018bcf3035bc",
+        "rev": "8b6db451de46ecf9b4ab3d01ef76e59957ff549f",
         "type": "github"
       },
       "original": {

flake.nix

@@ -1,6 +1,6 @@
 {
   inputs = {
-    nixpkgs.url = "github:nixos/nixpkgs/nixos-24.05";
+    nixpkgs.url = "github:nixos/nixpkgs/nixos-24.11";
     sops-nix.url = "github:Mic92/sops-nix";
     sops-nix.inputs.nixpkgs.follows = "nixpkgs";
     nix-index-database.url = "github:nix-community/nix-index-database";
@@ -36,6 +36,7 @@
       supportedSystems = [ "x86_64-linux" ];
       forAllSystems = nixpkgs.lib.genAttrs supportedSystems;
       pkgs = forAllSystems (system: nixpkgs.legacyPackages.${system});
+
     in
     {
       packages = forAllSystems (system: rec {
@@ -77,21 +78,24 @@
             ./modules/courses
             ./modules/wiki
             ./modules/matrix
+            ./modules/keycloak
+            ./modules/monitoring
 
             ./modules/nix-serve.nix
             ./modules/hedgedoc.nix
             ./modules/padlist.nix
             ./modules/nextcloud.nix
-            ./modules/keycloak.nix
-            ./modules/monitoring.nix
             ./modules/vaultwarden.nix
             ./modules/forgejo
             ./modules/kanboard.nix
             ./modules/zammad.nix
-            ./modules/decisions.nix
+            # ./modules/decisions.nix
+            ./modules/stream.nix
             # ./modules/struktur-bot.nix
             {
-              nixpkgs.overlays = [ self.overlays.default ];
+              nixpkgs.overlays = [
+                self.overlays.default
+              ];
               sops.defaultSopsFile = ./secrets/quitte.yaml;
             }
           ];

hosts/quitte/configuration.nix

@@ -1,4 +1,4 @@
-{ pkgs, config, ... }:
+{ pkgs, ... }:
 
 {
   imports =
@@ -16,7 +16,6 @@
   # boot.kernelParams = [ "video=VGA-1:1024x768@30" ];
   boot.loader.efi.canTouchEfiVariables = true;
   boot.supportedFilesystems = [ "zfs" ];
-  boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
 
   services.zfs = {
     trim.enable = true;
@@ -27,6 +26,17 @@
   time.timeZone = "Europe/Berlin";
   i18n.defaultLocale = "en_US.UTF-8";
 
+  security.sudo.extraRules = [
+    {
+      commands = [
+        {
+          command = "ALL";
+          options = [ "NOPASSWD" ];
+        }
+      ];
+      groups = [ "admins" ];
+    }
+  ];
   # prevent fork bombs
   security.pam.loginLimits = [
     {

hosts/quitte/network.nix

@@ -2,10 +2,10 @@
 {
   networking = {
     # portunus module does weird things to this, so we force it to some sane values
-    # hosts = {
+    hosts = {
-    #   "127.0.0.1" = lib.mkForce [ "quitte.ifsr.de" "quitte" ];
+      "127.0.0.1" = lib.mkForce [ "quitte.ifsr.de" "quitte" ];
-    #   "::1" = lib.mkForce [ "quitte.ifsr.de" "quitte" ];
+      "::1" = lib.mkForce [ "quitte.ifsr.de" "quitte" ];
-    # };
+    };
     hostId = "a71c81fc";
     domain = "ifsr.de";
     hostName = "quitte";
@@ -31,14 +31,26 @@
     networks."10-wired-default" = {
       matchConfig.Name = "enp65s0f0np0";
 
-      address = [ "141.30.30.169/25" ];
+      address = [
+
+        "141.30.30.194/26"
+        "2a13:dd85:b23:1::1337/64"
+      ];
       routes = [
         {
-          routeConfig.Gateway = "141.30.30.129";
+          Gateway = "141.30.30.193";
+        }
+        {
+          Gateway = "fe80::7a24:59ff:fe5e:6e2f";
         }
       ];
       networkConfig = {
-        DNS = "141.30.1.1";
+        DNS = [
+          "9.9.9.9"
+          "149.112.112.112"
+          "2620:fe::fe"
+          "2620:fe::9"
+        ];
         LLDP = true;
         EmitLLDP = "nearest-bridge";
       };

hosts/tomate/configuration.nix

@@ -106,7 +106,6 @@
   };
 
   # Enable sound with pipewire.
-  sound.enable = true;
   hardware.pulseaudio.enable = false;
   security.rtkit.enable = true;
   services.pipewire = {

hosts/tomate/network.nix

@@ -27,7 +27,7 @@
       address = [ "141.30.86.196/26" ];
       routes = [
         {
-          routeConfig.Gateway = "141.30.86.193";
+          Gateway = "141.30.86.193";
         }
       ];
       networkConfig = {

modules/core/bacula.nix

@@ -14,8 +14,9 @@
     enable = true;
     name = "ifsr-quitte";
     extraClientConfig = ''
+      Comm Compression = no
       Maximum Concurrent Jobs = 20
-      FDAddress = 141.30.30.169
+      FDAddress = 141.30.30.194
       PKI Signatures = Yes
       PKI Encryption = Yes
       PKI Keypair = ${config.sops.secrets."bacula/keypair".path}

modules/core/base.nix

@@ -73,6 +73,7 @@
   time.timeZone = "Europe/Berlin";
 
   # basic shell & editor
+  programs.vim.enable = true;
   programs.vim.defaultEditor = true;
 
   # List packages installed in system profile. To search, run:
@@ -104,6 +105,7 @@
     ltrace
     strace
     mtr
+    nix-output-monitor
     traceroute
     smartmontools
     sysstat
@@ -112,6 +114,7 @@
     eza
     zsh
     unzip
+    yazi
   ];
 }
 

modules/core/fail2ban.nix

@@ -15,13 +15,14 @@
         enabled = true
         # aggressive mode to add blocking for aborted connections
         filter = dovecot[mode=aggressive]
-        maxretry = 3
+        maxretry = 15
       '';
       postfix = ''
         enabled = true
         filter = postfix[mode=aggressive]
-        maxretry = 3
+        maxretry = 15
       '';
+      sshd.settings.maxretry = 15;
     };
   };
 }

modules/core/logging.nix

@@ -3,7 +3,9 @@
   services.rsyslogd = {
     enable = true;
     defaultConfig = ''
+      $FileCreateMode 0640
       :programname, isequal, "postfix" /var/log/postfix.log
+      :programname, isequal, "portunus" /var/log/portunus.log
 
       auth.*                          -/var/log/auth.log
     '';

modules/core/nginx.nix

@@ -7,10 +7,14 @@
         ({ name, ... }: {
           enableACME = true;
           forceSSL = true;
+          # enable http3 for all hosts
+          quic = true;
+          http3 = true;
           # split up nginx access logs per vhost
           extraConfig = ''
             access_log /var/log/nginx/${name}_access.log;
             error_log /var/log/nginx/${name}_error.log;
+            add_header Alt-Svc 'h3=":443"; ma=86400';
           '';
         })
       );

modules/core/podman.nix

@@ -1,4 +1,4 @@
-{ config, pkgs, ... }:
+{ pkgs, ... }:
 {
   # From: https://nixos.wiki/wiki/Podman
   virtualisation.containers.enable = true;

modules/core/postgres.nix

@@ -5,7 +5,6 @@
     enable = true;
     location = "/var/lib/backup/postgresql";
     databases = [
-      "directus_ese"
       "course-management"
       "git"
       "grafana"

modules/courses/default.nix

@@ -3,7 +3,6 @@ let
   hostName = "kurse.${config.networking.domain}";
 in
 {
-  imports = [ ./phil.nix ];
   sops.secrets =
     let inherit (config.services.course-management) user;
     in

modules/decisions.nix

@@ -1,4 +1,4 @@
-{ config, pkgs, ... }:
+{ config, ... }:
 let
   domain = "decisions.${config.networking.domain}";
 in

modules/forgejo/actions.nix

@@ -0,0 +1,30 @@
+{ config, pkgs, ... }:
+{
+  sops.secrets."forgejo/runner-token" = { };
+  services.gitea-actions-runner = {
+    package = pkgs.forgejo-actions-runner;
+    instances."quitte" = {
+      enable = true;
+      labels = [
+        # provide a debian base with nodejs for actions
+        "debian-latest:docker://node:18-bullseye"
+        # fake the ubuntu name, because node provides no ubuntu builds
+        "ubuntu-latest:docker://node:18-bullseye"
+        # provide native execution on the host
+        # "native:host"
+      ];
+      tokenFile = config.sops.secrets."forgejo/runner-token".path;
+      url = "https://git.ifsr.de";
+      name = "quitte";
+      settings = {
+        container = {
+          # use podman's default network, otherwise dns was not working for some reason
+          network = "podman";
+          # don't mount the docker socket into the build containers,
+          # this would basically mean root on the host...
+          docker_host = "-";
+        };
+      };
+    };
+  };
+}

modules/forgejo/default.nix

@@ -4,9 +4,9 @@ let
   gitUser = "git";
 in
 {
-  # imports = [
+  imports = [
-  #   ./actions.nix
+    ./actions.nix
-  # ];
+  ];
   sops.secrets.gitea_ldap_search = {
     key = "portunus/search-password";
     owner = config.services.forgejo.user;
@@ -22,17 +22,9 @@ in
 
   services.forgejo = {
     enable = true;
-    # package = pkgs.forgejo.overrideAttrs (_old: {
-    #   # patches = [
-    #   #   # migration fix
-    #   #   (pkgs.fetchpatch {
-    #   #     url = "https://codeberg.org/forgejo/forgejo/commit/ae463c7c559e02975ce5e758d8780def978eebee.patch";
-    #   #     hash = "sha256-cOXPvkLS0n+ynSBTrmEtumZ2PYBeCZmxPpFktqkw6Fo=";
-    #   #   })
-    #   # ];
-    # });
     user = gitUser;
     group = gitUser;
+    package = pkgs.forgejo;
     lfs.enable = true;
 
     database = {
@@ -79,22 +71,25 @@ in
         PROVIDER = "db";
       };
       actions.ENABLED = true;
+      # federation.ENABLED = true;
+      webhook.ALLOWED_HOST_LIST = "*.ifsr.de";
     };
   };
 
   systemd.services.forgejo.preStart =
     let
       exe = lib.getExe config.services.forgejo.package;
-      basedn = "ou=users,dc=ifsr,dc=de";
+      portunus = config.services.portunus;
+      basedn = "ou=users,${portunus.ldap.suffix}";
       ldapConfigArgs = ''
         --name LDAP \
         --active \
         --security-protocol unencrypted \
-        --host 'auth.ifsr.de' \
+        --host '${portunus.domain}' \
         --port 389 \
         --user-search-base '${basedn}' \
         --user-filter '(&(objectClass=posixAccount)(uid=%s))' \
-        --admin-filter '(isMemberOf=cn=admins,ou=groups,dc=ifsr,dc=de)' \
+        --admin-filter '(isMemberOf=cn=admins,ou=groups,${portunus.ldap.suffix})' \
         --username-attribute uid \
         --firstname-attribute givenName \
         --surname-attribute sn \

modules/hedgedoc.nix

@@ -49,14 +49,15 @@ in
         # allow anonymous editing, but not creation of pads
         allowAnonymous = false;
         allowAnonymousEdits = true;
+        allowAnonymousUploads = false;
         defaultPermission = "limited";
         defaultNotePath = builtins.toString template;
         # ldap auth
         ldap = rec {
           url = "ldap://localhost";
-          searchBase = "ou=users,dc=ifsr,dc=de";
+          searchBase = "ou=users,${config.services.portunus.ldap.suffix}";
           searchFilter = "(uid={{username}})";
-          bindDn = "uid=search,${searchBase}";
+          bindDn = "uid=${config.services.portunus.ldap.searchUserName},${searchBase}";
           bindCredentials = "\${LDAP_CREDENTIALS}";
           useridField = "uid";
           providerName = "iFSR";

modules/kanboard.nix

@@ -8,7 +8,7 @@ in
 
   virtualisation.oci-containers = {
     containers.kanboard = {
-      image = "ghcr.io/kanboard/kanboard:v1.2.36";
+      image = "ghcr.io/kanboard/kanboard:v1.2.43";
       volumes = [
         "kanboard_data:/var/www/app/data"
         "kanboard_plugins:/var/www/app/plugins"

modules/keycloak/default.nix

@@ -1,4 +1,4 @@
-{ config, ... }:
+{ config, pkgs, ... }:
 let
   domain = "sso.${config.networking.domain}";
 in
@@ -12,7 +12,9 @@ in
       http-port = 8086;
       https-port = 19000;
       hostname = domain;
-      proxy = "edge";
+      proxy-headers = "xforwarded";
+      http-enabled = true;
+      hostname-strict-https = false;
     };
     # The module requires a password for the DB and works best with its own DB config
     # Does an automatic Postgresql configuration
@@ -20,6 +22,9 @@ in
       passwordFile = config.sops.secrets."keycloak/db".path;
     };
     initialAdminPassword = "plschangeme";
+    themes = with pkgs ; {
+      ifsr = keycloak_ifsr_theme;
+    };
   };
   services.nginx.virtualHosts."${domain}" = {
     locations."/" = {

modules/keycloak/theme.nix

@@ -0,0 +1,15 @@
+{ stdenv }:
+stdenv.mkDerivation rec {
+  name = "keycloak_ifsr_theme";
+  version = "1.1";
+
+  src = ./theme;
+
+  nativeBuildInputs = [ ];
+  buildInputs = [ ];
+
+  installPhase = ''
+    mkdir -p $out
+    cp -a login $out
+  '';
+}

modules/keycloak/theme/login/resources/css/login.css

@@ -0,0 +1,772 @@
+.login-pf {
+    background: none;
+}
+
+.login-pf body {
+    background: url(../img/background.jpg) no-repeat center center fixed;
+    background-size: cover;
+    height: 100%;
+}
+
+/*IE compatibility*/
+.pf-c-form-control {
+    font-size: 14px;
+    font-size: var(--pf-global--FontSize--sm);
+    border-width: 1px;
+    border-width: var(--pf-global--BorderWidth--sm);;
+    border-color: #EDEDED #EDEDED #8A8D90 #EDEDED;
+    border-color: var(--pf-global--BorderColor--300) var(--pf-global--BorderColor--300) var(--pf-global--BorderColor--200) var(--pf-global--BorderColor--300);
+    background-color: #FFFFFF;
+    background-color: var(--pf-global--BackgroundColor--100);
+    height: 36px;
+    height: calc(var(--pf-c-form-control--FontSize) * var(--pf-c-form-control--LineHeight) + var(--pf-c-form-control--BorderWidth) * 2 + var(--pf-c-form-control--PaddingTop) + var(--pf-c-form-control--PaddingBottom));
+    padding: 5px 0.5rem;
+    padding: var(--pf-c-form-control--PaddingTop) var(--pf-c-form-control--PaddingRight) var(--pf-c-form-control--PaddingBottom) var(--pf-c-form-control--PaddingLeft);
+}
+
+textarea.pf-c-form-control {
+	height: auto;
+}
+
+.pf-c-form-control:hover, .pf-c-form-control:focus {
+    border-bottom-color: #0066CC;
+    border-bottom-color: var(--pf-global--primary-color--100);
+    border-bottom-width: 2px;
+    border-bottom-width: var(--pf-global--BorderWidth--md);
+}
+
+.pf-c-form-control[aria-invalid=true] {
+    border-bottom-color: #C9190B;
+    border-bottom-color: var(--pf-global--danger-color--100);
+    border-bottom-width: 2px;
+    border-bottom-width: var(--pf-global--BorderWidth--md);
+}
+
+.pf-c-check__label, .pf-c-radio__label {
+	font-size: 14px;
+	font-size: var(--pf-global--FontSize--sm);
+}
+
+.pf-c-alert.pf-m-inline {
+    margin-bottom: 0.5rem; /* default - IE compatibility */
+    margin-bottom: var(--pf-global--spacer--sm);
+    padding: 0.25rem;
+    padding: var(--pf-global--spacer--xs);
+    border: solid #ededed;
+    border: solid var(--pf-global--BorderColor--300);
+    border-width: 1px;
+    border-width: var(--pf-c-alert--m-inline--BorderTopWidth) var(--pf-c-alert--m-inline--BorderRightWidth) var(--pf-c-alert--m-inline--BorderBottomWidth) var(--pf-c-alert--m-inline--BorderLeftWidth);
+    display: -ms-flexbox;
+    display: grid;
+    -ms-grid-columns: max-content 1fr max-content;
+    grid-template-columns:max-content 1fr max-content;
+    grid-template-columns: var(--pf-c-alert--grid-template-columns);
+    grid-template-rows: 1fr auto;
+    grid-template-rows: var(--pf-c-alert--grid-template-rows);
+}
+
+.pf-c-alert.pf-m-inline::before {
+    position: absolute;
+    top: -1px;
+    top: var(--pf-c-alert--m-inline--before--Top);
+    bottom: -1px;
+    bottom: var(--pf-c-alert--m-inline--before--Bottom);
+    left: 0;
+    width: 3px;
+    width: var(--pf-c-alert--m-inline--before--Width);
+    content: ;
+    background-color: #FFFFFF;
+    background-color: var(--pf-global--BackgroundColor--100);
+}
+
+.pf-c-alert.pf-m-inline.pf-m-success::before {
+    background-color: #92D400;
+    background-color: var(--pf-global--success-color--100);
+}
+
+.pf-c-alert.pf-m-inline.pf-m-danger::before {
+    background-color: #C9190B;
+    background-color: var(--pf-global--danger-color--100);
+}
+
+.pf-c-alert.pf-m-inline.pf-m-warning::before {
+    background-color: #F0AB00;
+    background-color: var(--pf-global--warning-color--100);
+}
+
+.pf-c-alert.pf-m-inline .pf-c-alert__icon {
+    padding: 1rem 0.5rem 1rem 1rem;
+    padding: var(--pf-c-alert--m-inline__icon--PaddingTop) var(--pf-c-alert--m-inline__icon--PaddingRight) var(--pf-c-alert--m-inline__icon--PaddingBottom) var(--pf-c-alert--m-inline__icon--PaddingLeft);
+    font-size: 16px;
+    font-size: var(--pf-c-alert--m-inline__icon--FontSize);
+}
+
+.pf-c-alert.pf-m-success .pf-c-alert__icon {
+    color: #92D400;
+    color: var(--pf-global--success-color--100);
+}
+
+.pf-c-alert.pf-m-success .pf-c-alert__title {
+    color: #486B00;
+    color: var(--pf-global--success-color--200);
+}
+
+.pf-c-alert.pf-m-danger .pf-c-alert__icon {
+    color: #C9190B;
+    color: var(--pf-global--danger-color--100);
+}
+
+.pf-c-alert.pf-m-danger .pf-c-alert__title {
+    color: #A30000;
+    color: var(--pf-global--danger-color--200);
+}
+
+.pf-c-alert.pf-m-warning .pf-c-alert__icon {
+    color: #F0AB00;
+    color: var(--pf-global--warning-color--100);
+}
+
+.pf-c-alert.pf-m-warning .pf-c-alert__title {
+    color: #795600;
+    color: var(--pf-global--warning-color--200);
+}
+
+.pf-c-alert__title {
+    font-size: 14px; /* default - IE compatibility */
+    font-size: var(--pf-global--FontSize--sm);
+    padding: 5px 8px;
+    padding: var(--pf-c-alert__title--PaddingTop) var(--pf-c-alert__title--PaddingRight) var(--pf-c-alert__title--PaddingBottom) var(--pf-c-alert__title--PaddingLeft);
+}
+
+.pf-c-button{
+    padding:0.375rem 1rem;
+    padding: var(--pf-global--spacer--form-element) var(--pf-global--spacer--md);
+}
+
+/* default - IE compatibility */
+.pf-m-primary {
+    color: #FFFFFF;
+    background-color: #0066CC;
+    background-color: var(--pf-global--primary-color--100);
+}
+
+/* default - IE compatibility */
+.pf-m-primary:hover {
+    background-color: #004080;
+    background-color: var(--pf-global--primary-color--200);
+}
+
+/* default - IE compatibility */
+.pf-c-button.pf-m-control {
+    border: solid 1px;
+    border: solid var(--pf-global--BorderWidth--sm);
+    border-color: rgba(230, 230, 230, 0.5);
+}
+/*End of IE compatibility*/
+h1#kc-page-title {
+    margin-top: 10px;
+}
+
+#kc-locale ul {
+    background-color: #FFF;
+    background-color: var(--pf-global--BackgroundColor--100);
+    display: none;
+    top: 20px;
+    min-width: 100px;
+    padding: 0;
+}
+
+#kc-locale-dropdown{
+    display: inline-block;
+}
+
+#kc-locale-dropdown:hover ul {
+    display:block;
+}
+
+/* IE compatibility */
+#kc-locale-dropdown a {
+    color: #6A6E73;
+    color: var(--pf-global--Color--200);
+    text-align: right;
+    font-size: 14px;
+    font-size: var(--pf-global--FontSize--sm);
+}
+
+/* IE compatibility */
+a#kc-current-locale-link::after {
+    content: 2c5;
+    margin-left: 4px;
+    margin-left: var(--pf-global--spacer--xs)
+}
+
+.login-pf .container {
+    padding-top: 40px;
+}
+
+.login-pf a:hover {
+    color: #0099d3;
+}
+
+#kc-logo {
+    width: 100%;
+}
+
+div.kc-logo-text {
+    background-image: url(../img/agdsn_logo.png);
+    background-repeat: no-repeat;
+       background-size: auto;
+   position: relative;
+    top: 0%;
+    left: 25%;
+    width: 950px;
+  height: 250px;
+ 
+   
+}
+
+div.kc-logo-text span {
+    display: none;
+}
+
+#kc-header {
+    color: #ededed;
+    overflow: visible;
+    white-space: nowrap;
+}
+
+#kc-header-wrapper {
+    font-size: 29px;
+    text-transform: uppercase;
+    letter-spacing: 3px;
+    line-height: 1.2em;
+    padding: 62px 10px 20px;
+    white-space: normal;
+}
+
+#kc-content {
+    width: 100%;
+}
+
+#kc-attempted-username {
+    font-size: 20px;
+    font-family: inherit;
+    font-weight: normal;
+    padding-right: 10px;
+}
+
+#kc-username {
+    text-align: center;
+    margin-bottom:-10px;
+}
+
+#kc-webauthn-settings-form {
+    padding-top: 8px;
+}
+
+#kc-form-webauthn .select-auth-box-parent {
+    pointer-events: none;
+}
+
+#kc-form-webauthn .select-auth-box-desc {
+    color: var(--pf-global--palette--black-600);
+}
+
+#kc-form-webauthn .select-auth-box-headline {
+    color: var(--pf-global--Color--300);
+}
+
+#kc-form-webauthn .select-auth-box-icon {
+    flex: 0 0 3em;
+}
+
+#kc-form-webauthn .select-auth-box-icon-properties {
+    margin-top: 10px;
+    font-size: 1.8em;
+}
+
+#kc-form-webauthn .select-auth-box-icon-properties.unknown-transport-class {
+    margin-top: 3px;
+}
+
+#kc-form-webauthn .pf-l-stack__item {
+    margin: -1px 0;
+}
+
+#kc-content-wrapper {
+    margin-top: 20px;
+}
+
+#kc-form-wrapper {
+    margin-top: 10px;
+}
+
+#kc-info {
+    margin: 20px -40px -30px;
+}
+
+#kc-info-wrapper {
+    font-size: 13px;
+    padding: 15px 35px;
+    background-color: #F0F0F0;
+}
+
+#kc-form-options span {
+    display: block;
+}
+
+#kc-form-options .checkbox {
+    margin-top: 0;
+    color: #72767b;
+}
+
+#kc-terms-text {
+    margin-bottom: 20px;
+}
+
+#kc-registration {
+    margin-bottom: 0;
+}
+
+/* TOTP */
+
+.subtitle {
+    text-align: right;
+    margin-top: 30px;
+    color: #909090;
+}
+
+.required {
+    color: #A30000; /* default - IE compatibility */
+    color: var(--pf-global--danger-color--200);
+}
+
+ol#kc-totp-settings {
+    margin: 0;
+    padding-left: 20px;
+}
+
+ul#kc-totp-supported-apps {
+    margin-bottom: 10px;
+}
+
+#kc-totp-secret-qr-code {
+    max-width:150px;
+    max-height:150px;
+}
+
+#kc-totp-secret-key {
+    background-color: #fff;
+    color: #333333;
+    font-size: 16px;
+    padding: 10px 0;
+}
+
+/* OAuth */
+
+#kc-oauth h3 {
+    margin-top: 0;
+}
+
+#kc-oauth ul {
+    list-style: none;
+    padding: 0;
+    margin: 0;
+}
+
+#kc-oauth ul li {
+    border-top: 1px solid rgba(255, 255, 255, 0.1);
+    font-size: 12px;
+    padding: 10px 0;
+}
+
+#kc-oauth ul li:first-of-type {
+    border-top: 0;
+}
+
+#kc-oauth .kc-role {
+    display: inline-block;
+    width: 50%;
+}
+
+/* Code */
+#kc-code textarea {
+    width: 100%;
+    height: 8em;
+}
+
+/* Social */
+.kc-social-links {
+    margin-top: 20px;
+}
+
+.kc-social-provider-logo {
+    font-size: 23px;
+    width: 30px;
+    height: 25px;
+    float: left;
+}
+
+.kc-social-gray {
+    color: #737679; /* default - IE compatibility */
+    color: var(--pf-global--Color--200);
+}
+
+.kc-social-item {
+    margin-bottom: 0.5rem; /* default - IE compatibility */
+    margin-bottom: var(--pf-global--spacer--sm);
+    font-size: 15px;
+    text-align: center;
+}
+
+.kc-social-provider-name {
+    position: relative;
+    top: 3px;
+}
+
+.kc-social-icon-text {
+    left: -15px;
+}
+
+.kc-social-grid {
+    display:grid;
+    grid-column-gap: 10px;
+    grid-row-gap: 5px;
+    grid-column-end: span 6;
+    --pf-l-grid__item--GridColumnEnd: span 6;
+}
+
+.kc-social-grid .kc-social-icon-text {
+    left: -10px;
+}
+
+.kc-login-tooltip {
+    position: relative;
+    display: inline-block;
+}
+
+.kc-social-section {
+    text-align: center;
+}
+
+.kc-social-section hr{
+    margin-bottom: 10px
+}
+
+.kc-login-tooltip .kc-tooltip-text{
+    top:-3px;
+    left:160%;
+    background-color: black;
+    visibility: hidden;
+    color: #fff;
+
+    min-width:130px;
+    text-align: center;
+    border-radius: 2px;
+    box-shadow:0 1px 8px rgba(0,0,0,0.6);
+    padding: 5px;
+
+    position: absolute;
+    opacity:0;
+    transition:opacity 0.5s;
+}
+
+/* Show tooltip */
+.kc-login-tooltip:hover .kc-tooltip-text {
+    visibility: visible;
+    opacity:0.7;
+}
+
+/* Arrow for tooltip */
+.kc-login-tooltip .kc-tooltip-text::after {
+    content:  ;
+    position: absolute;
+    top: 15px;
+    right: 100%;
+    margin-top: -5px;
+    border-width: 5px;
+    border-style: solid;
+    border-color: transparent black transparent transparent;
+}
+
+@media (min-width: 768px) {
+    #kc-container-wrapper {
+        position: absolute;
+        width: 100%;
+    }
+
+    .login-pf .container {
+        padding-right: 80px;
+    }
+
+    #kc-locale {
+        position: relative;
+        text-align: right;
+        z-index: 9999;
+    }
+}
+
+@media (max-width: 767px) {
+
+    .login-pf body {
+        background: white;
+    }
+
+    #kc-header {
+        padding-left: 15px;
+        padding-right: 15px;
+        float: none;
+        text-align: left;
+    }
+
+    #kc-header-wrapper {
+        font-size: 16px;
+        font-weight: bold;
+        padding: 20px 60px 0 0;
+        color: #72767b;
+        letter-spacing: 0;
+    }
+
+    div.kc-logo-text {
+        margin: 0;
+        width: 150px;
+        height: 32px;
+        background-size: 100%;
+    }
+
+    #kc-form {
+        float: none;
+    }
+
+    #kc-info-wrapper {
+        border-top: 1px solid rgba(255, 255, 255, 0.1);
+        background-color: transparent;
+    }
+
+    .login-pf .container {
+        padding-top: 15px;
+        padding-bottom: 15px;
+    }
+
+    #kc-locale {
+        position: absolute;
+        width: 200px;
+        top: 20px;
+        right: 20px;
+        text-align: right;
+        z-index: 9999;
+    }
+}
+
+@media (min-height: 646px) {
+    #kc-container-wrapper {
+        bottom: 12%;
+    }
+}
+
+@media (max-height: 645px) {
+    #kc-container-wrapper {
+        padding-top: 50px;
+        top: 20%;
+    }
+}
+
+.card-pf form.form-actions .btn {
+    float: right;
+    margin-left: 10px;
+}
+
+#kc-form-buttons {
+    margin-top: 20px;
+}
+
+.login-pf-page .login-pf-brand {
+    margin-top: 20px;
+    max-width: 360px;
+    width: 40%;
+}
+
+/* Internet Explorer 11 compatibility workaround for select-authenticator screen */
+@media all and (-ms-high-contrast: none),
+(-ms-high-contrast: active) {
+    .select-auth-box-parent {
+        border-top: 1px solid #f0f0f0;
+        padding-top: 1rem;
+        padding-bottom: 1rem;
+        cursor: pointer;
+    }
+
+    .select-auth-box-headline {
+        font-size: 16px;
+        color: #06c;
+        font-weight: bold;
+    }
+
+    .select-auth-box-desc {
+        font-size: 14px;
+    }
+
+    .pf-l-stack {
+        flex-basis: 100%;
+    }
+}
+/* End of IE11 workaround for select-authenticator screen */
+
+.select-auth-box-arrow{
+    display: flex;
+    align-items: center;
+    margin-right: 2rem;
+}
+
+.select-auth-box-icon{
+    display: flex;
+    flex: 0 0 2em;
+    justify-content: center;
+    margin-right: 1rem;
+    margin-left: 3rem;
+}
+
+.select-auth-box-parent{
+    border-top: 1px solid var(--pf-global--palette--black-200);
+    padding-top: 1rem;
+    padding-bottom: 1rem;
+    cursor: pointer;
+}
+
+.select-auth-box-parent:hover{
+    background-color: #f7f8f8;
+}
+
+.select-auth-container {
+}
+
+.select-auth-box-headline {
+    font-size: var(--pf-global--FontSize--md);
+    color: var(--pf-global--primary-color--100);
+    font-weight: bold;
+}
+
+.select-auth-box-desc {
+    font-size: var(--pf-global--FontSize--sm);
+}
+
+.select-auth-box-paragraph {
+    text-align: center;
+    font-size: var(--pf-global--FontSize--md);
+    margin-bottom: 5px;
+}
+
+.card-pf {
+    margin: 0 auto;
+    box-shadow: var(--pf-global--BoxShadow--lg);
+    padding: 0 20px;
+    max-width: 500px;
+    border-top: 4px solid;
+    border-color: #0066CC; /* default - IE compatibility */
+    border-color: var(--pf-global--primary-color--100);
+}
+
+/*phone*/
+@media (max-width: 767px) {
+    .login-pf-page .card-pf {
+        max-width: none;
+        margin-left: 0;
+        margin-right: 0;
+        padding-top: 0;
+        border-top: 0;
+        box-shadow: 0 0;
+    }
+
+    .kc-social-grid {
+        grid-column-end: 12;
+        --pf-l-grid__item--GridColumnEnd: span 12;
+    }
+
+    .kc-social-grid .kc-social-icon-text {
+        left: -15px;
+    }
+}
+
+.login-pf-page .login-pf-signup {
+    font-size: 15px;
+    color: #72767b;
+}
+#kc-content-wrapper .row {
+    margin-left: 0;
+    margin-right: 0;
+}
+
+.login-pf-page.login-pf-page-accounts {
+    margin-left: auto;
+    margin-right: auto;
+}
+
+.login-pf-page .btn-primary {
+    margin-top: 0;
+}
+
+.login-pf-page .list-view-pf .list-group-item {
+    border-bottom: 1px solid #ededed;
+}
+
+.login-pf-page .list-view-pf-description {
+    width: 100%;
+}
+
+#kc-form-login div.form-group:last-of-type,
+#kc-register-form div.form-group:last-of-type,
+#kc-update-profile-form div.form-group:last-of-type {
+    margin-bottom: 0px;
+}
+
+.no-bottom-margin {
+    margin-bottom: 0;
+}
+
+#kc-back {
+    margin-top: 5px;
+}
+
+/* Recovery codes */
+.kc-recovery-codes-warning {
+    margin-bottom: 32px;
+}
+.kc-recovery-codes-warning .pf-c-alert__description p {
+    font-size: 0.875rem;
+}
+.kc-recovery-codes-list {
+    list-style: none;
+    columns: 2;
+    margin: 16px 0;
+    padding: 16px 16px 8px 16px;
+    border: 1px solid #D2D2D2;
+}
+.kc-recovery-codes-list li {
+    margin-bottom: 8px;
+    font-size: 11px;
+}
+.kc-recovery-codes-list li span {
+    color: #6A6E73;
+    width: 16px;
+    text-align: right;
+    display: inline-block;
+    margin-right: 1px;
+}
+
+.kc-recovery-codes-actions {
+    margin-bottom: 24px;
+}
+.kc-recovery-codes-actions button {
+    padding-left: 0;
+}
+.kc-recovery-codes-actions button i {
+    margin-right: 8px;
+}
+
+.kc-recovery-codes-confirmation {
+    align-items: baseline;
+    margin-bottom: 16px;
+}
+/* End Recovery codes */
+
+

modules/keycloak/theme/login/theme.properties

@@ -0,0 +1,4 @@
+parent=keycloak
+import=common/keycloak
+
+styles=css/login.css

modules/ldap/default.nix

@@ -1,175 +1,90 @@
-{ config, pkgs, system, ... }:
+{ config, pkgs, ... }:
 let
   domain = "auth.${config.networking.domain}";
-  # seedSettings = {
+  seedSettings = {
-  #   groups = [
+    groups = [
-  #     {
+      {
-  #       name = "admins";
+        name = "admins";
-  #       long_name = "Portunus Admin";
+        long_name = "Portunus Admin";
-  #       members = [ "admin" ];
+        members = [ "admin" ];
-  #       permissions.portunus.is_admin = true;
+        permissions.portunus.is_admin = true;
-  #     }
+      }
-  #     {
+      {
-  #       name = "search";
+        name = "search";
-  #       long_name = "LDAP search group";
+        long_name = "LDAP search group";
-  #       members = [ "search" ];
+        members = [ "search" ];
-  #       permissions.ldap.can_read = true;
+        permissions.ldap.can_read = true;
-  #     }
+      }
-  #     {
+      {
-  #       name = "fsr";
+        name = "fsr";
-  #       long_name = "Mitglieder des iFSR";
+        long_name = "Mitglieder des iFSR";
-  #     }
+      }
-  #   ];
+    ];
-  #   users = [
+    users = [
-  #     {
+      {
-  #       login_name = "admin";
+        login_name = "admin";
-  #       given_name = "admin";
+        given_name = "admin";
-  #       family_name = "admin";
+        family_name = "admin";
-  #       password.from_command = [
+        password.from_command = [
-  #         "${pkgs.coreutils}/bin/cat"
+          "${pkgs.coreutils}/bin/cat"
-  #         config.sops.secrets."portunus/admin-password".path
+          config.sops.secrets."portunus/admin-password".path
-  #       ];
+        ];
-  #     }
+      }
-  #     {
+      {
-  #       login_name = "search";
+        login_name = "search";
-  #       given_name = "search";
+        given_name = "search";
-  #       family_name = "search";
+        family_name = "search";
-  #       password.from_command = [
+        password.from_command = [
-  #         "${pkgs.coreutils}/bin/cat"
+          "${pkgs.coreutils}/bin/cat"
-  #         config.sops.secrets."portunus/search-password".path
+          config.sops.secrets."portunus/search-password".path
-  #       ];
+        ];
-  #     }
+      }
-  #   ];
+    ];
-  # };
+  };
 in
 {
-  # sops.secrets = {
+  sops.secrets = {
-  #   "portunus/admin-password".owner = config.services.portunus.user;
+    "portunus/admin-password".owner = config.services.portunus.user;
-  #   "portunus/search-password".owner = config.services.portunus.user;
+    "portunus/search-password".owner = config.services.portunus.user;
-  # };
+  };
 
-  # services.portunus = {
+  services.portunus = {
-  #   enable = true;
-  #   package = pkgs.portunus.overrideAttrs (_old: {
-  #     patches = [
-  #       ./0001-update-user-validation-regex.patch
-  #       ./0002-both-ldap-and-ldaps.patch
-  #       ./0003-gecos-ascii-escape.patch
-  #       ./0004-make-givenName-optional.patch
-  #     ];
-  #     doCheck = false; # posix regex related tests break
-  #   });
-
-  #   inherit domain seedSettings;
-  #   port = 8681;
-  #   ldap = {
-  #     suffix = "dc=ifsr,dc=de";
-  #     searchUserName = "search";
-
-  #     # normally disables port 389 (but not with our patch), use 636 with tls
-  #     # `portunus.domain` resolves to localhost
-  #     tls = true;
-  #   };
-  # };
-  services.openldap = {
     enable = true;
-    urlList = [ "ldap:///" "ldaps:///" ];
+    package = pkgs.portunus.overrideAttrs (_old: {
-    settings = {
+      patches = [
-      attrs = {
+        ./0001-update-user-validation-regex.patch
-        olcLogLevel = "conns";
+        ./0002-both-ldap-and-ldaps.patch
+        ./0003-gecos-ascii-escape.patch
+        ./0004-make-givenName-optional.patch
+      ];
+      doCheck = false; # posix regex related tests break
+    });
 
-        olcTLSCACertificateFile = "/var/lib/acme/${domain}/full.pem";
+    inherit domain seedSettings;
-        olcTLSCertificateFile = "/var/lib/acme/${domain}/cert.pem";
+    port = 8681;
-        olcTLSCertificateKeyFile = "/var/lib/acme/${domain}/key.pem";
+    ldap = {
-        # olcTLSCipherSuite = "HIGH:MEDIUM:+3DES:+RC4:+aNULL";
+      suffix = "dc=ifsr,dc=de";
-        olcTLSCRLCheck = "none";
+      searchUserName = "search";
-        olcTLSVerifyClient = "never";
-        olcTLSProtocolMin = "3.1";
 
-      };
+      # normally disables port 389 (but not with our patch), use 636 with tls
-      children = {
+      # `portunus.domain` resolves to localhost
-        "cn=schema".includes = [
+      tls = true;
-          "${pkgs.openldap}/etc/schema/core.ldif"
-          # attributetype ( 9999.1.1 NAME 'isMemberOf'
-          # DESC 'back-reference to groups this user is a member of'
-          # SUP distinguishedName )
-          "${pkgs.openldap}/etc/schema/cosine.ldif"
-          "${pkgs.openldap}/etc/schema/inetorgperson.ldif"
-          "${pkgs.openldap}/etc/schema/nis.ldif"
-          # "${pkgs.writeText "openssh.schema" ''
-          # 	attributetype ( 9999.1.2 NAME 'sshPublicKey'
-          # 		DESC 'SSH public key used by this user'
-          # 		SUP name )
-          # ''}"
-        ];
-
-        "olcDatabase={1}mdb" = {
-          attrs = {
-            objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ];
-
-            olcDatabase = "{1}mdb";
-            olcDbDirectory = "/var/lib/openldap/data";
-
-            olcSuffix = "dc=ifsr,dc=de";
-
-            /* your admin account, do not use writeText on a production system */
-            olcRootDN = "cn=portunus,dc=ifsr,dc=de";
-            olcRootPW = "{CRYPT}$y$j9T$xdf4HigfhmQWXn.bw9MgH/$91evhYAV1GP7olNCkQoCpUZrghh5P8dDXcZdAtpiD32";
-
-            olcAccess = [
-              /* custom access rules for userPassword attributes */
-              ''{0}to attrs=userPassword
-                by self write
-                by anonymous auth
-                by * none''
-
-              /* allow read on anything else */
-              ''{1}to *
-                 by dn.base="cn=portunus,dc=ifsr,dc=de" write
-                 by group.exact="cn=portunus-viewers,dc=ifsr,dc=de" read
-                 by self read
-                 by anonymous auth
-            ''
-            ];
-          };
-          children = {
-            "olcOverlay={2}memberof".attrs = {
-              objectClass = [ "olcOverlayConfig" "olcMemberOf" "top" ];
-              olcOverlay = "{2}memberof";
-              olcMemberOfRefInt = "TRUE";
-              olcMemberOfDangling = "ignore";
-              olcMemberOfGroupOC = "groupOfNames";
-              olcMemberOfMemberAD = "member";
-              olcMemberOfMemberOfAD = "memberOf";
-            };
-          };
-        };
-      };
     };
   };
 
-  systemd.services.openldap = {
-    wants = [ "acme-${domain}.service" ];
-    after = [ "acme-${domain}.service" ];
-  };
-  # security.acme.defaults.group = "certs";
-  # users.groups.certs.members = [ "openldap" ];
-  # certificate permissions
-  users.users.openldap.extraGroups = [ "nginx" ];
-
   security.pam.services.sshd.makeHomeDir = true;
 
   services.nginx = {
     enable = true;
-    virtualHosts."${domain}" = {
+    virtualHosts."${config.services.portunus.domain}" = {
-      # locations = {
+      locations = {
-      #   "/".proxyPass = "http://localhost:${toString config.services.portunus.port}";
+        "/".proxyPass = "http://localhost:${toString config.services.portunus.port}";
-      # };
+      };
     };
   };
   networking.firewall = {
     extraInputRules = ''
-      ip saddr { 141.30.86.192/26, 141.30.30.169, 10.88.0.1/16 } tcp dport 636 accept comment "Allow ldaps access from office nets and podman"
+      ip saddr { 141.30.86.192/26, 141.76.100.128/25, 10.88.0.1/16 } tcp dport 636 accept comment "Allow ldaps access from office nets and podman"
     '';
   };
 }

modules/mail/postfix.nix

@@ -44,11 +44,9 @@ in
         # hostname used in helo command. It is recommended to have this match the reverse dns entry
         smtp_helo_name = config.networking.rDNS;
         smtpd_banner = "${config.networking.rDNS} ESMTP $mail_name";
-        smtp_use_tls = true;
+        smtp_tls_security_level = "may";
-        # smtp_tls_security_level = "encrypt";
+        smtpd_tls_security_level = "may";
-        smtpd_use_tls = true;
+        smtpd_tls_auth_only = true;
-        # smtpd_tls_security_level = lib.mkForce "encrypt";
-        # smtpd_tls_auth_only = true;
         smtpd_tls_protocols = [
           "!SSLv2"
           "!SSLv3"

modules/mail/rspamd.nix

@@ -141,22 +141,26 @@ in
               filter = "email:domain";
               map = "/var/lib/rspamd/whitelist.sender.domain.map";
               action = "accept";
+              regexp = true;
             }
             WHITELIST_SENDER_EMAIL {
               type = "from";
               map = "/var/lib/rspamd/whitelist.sender.email.map";
               action = "accept";
+              regexp = true;
             }
             BLACKLIST_SENDER_DOMAIN {
               type = "from";
               filter = "email:domain";
               map = "/var/lib/rspamd/blacklist.sender.domain.map";
               action = "reject";
+              regexp = true;
             }
             BLACKLIST_SENDER_EMAIL {
               type = "from";
               map = "/var/lib/rspamd/blacklist.sender.email.map";
               action = "reject";
+              regexp = true;
             }
             BLACKLIST_SUBJECT_KEYWORDS {
               type = "header";
@@ -189,6 +193,11 @@ in
           "/" = {
             proxyPass = "http://127.0.0.1:11334";
             proxyWebsockets = true;
+            extraConfig = ''
+              allow 141.30.0.0/16;
+              allow 141.76.0.0/16;
+              deny all;
+            '';
           };
         };
       };

modules/matrix/default.nix

@@ -27,6 +27,9 @@ in
     key = "portunus/search-password";
     owner = config.systemd.services.matrix-synapse.serviceConfig.User;
   };
+  nixpkgs.config.permittedInsecurePackages = [
+    "olm-3.2.16"
+  ];
 
   services = {
     postgresql = {
@@ -96,21 +99,22 @@ in
       extraConfigFiles = [
         (pkgs.writeTextFile {
           name = "matrix-synapse-extra-config.yml";
-          text = ''
+          text = let portunus = config.services.portunus; in
-            modules:
+            ''
-              - module: ldap_auth_provider.LdapAuthProviderModule
+              modules:
-                config:
+                - module: ldap_auth_provider.LdapAuthProviderModule
-                  enabled: true
+                  config:
-                  uri: ldap://localhost
+                    enabled: true
-                  base: ou=users,dc=ifsr,dc=de
+                    uri: ldap://localhost
-                  # taken from kaki config
+                    base: ou=users,${portunus.ldap.suffix}
-                  attributes:
+                    # taken from kaki config
-                    uid: uid
+                    attributes:
-                    mail: uid
+                      uid: uid
-                    name: cn
+                      mail: uid
-                  bind_dn: uid=search,ou=users,dc=ifsr,dc=de
+                      name: cn
-                  bind_password_file: ${config.sops.secrets.matrix_ldap_search.path}
+                    bind_dn: uid=search,ou=users,${portunus.ldap.suffix}
-          '';
+                    bind_password_file: ${config.sops.secrets.matrix_ldap_search.path}
+            '';
         })
       ];
     };

modules/monitoring/default.nix

@@ -37,12 +37,8 @@ in
         token_url = "https://sso.ifsr.de/realms/internal/protocol/openid-connect/token";
         api_url = "https://sso.ifsr.de/realms/internal/protocol/openid-connect/userinfo";
         role_attribute_path = "contains(roles[*], 'admin') && 'Admin' || contains(roles[*], 'editor') && 'Editor' || 'Viewer'";
-
       };
-
     };
-
-
   };
 
   services.postgresql = {
@@ -65,10 +61,6 @@ in
         enabledCollectors = [ "systemd" ];
         port = 9002;
       };
-      postfix = {
-        enable = true;
-        port = 9003;
-      };
     };
     scrapeConfigs = [
       {
@@ -78,13 +70,6 @@ in
         }];
         scrape_interval = "15s";
       }
-      {
-        job_name = "postfix";
-        static_configs = [{
-          targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.postfix.port}" ];
-        }];
-        # scrape_interval = "60s";
-      }
       {
         job_name = "rspamd";
         static_configs = [{
@@ -92,6 +77,13 @@ in
         }];
         scrape_interval = "15s";
       }
+      {
+        job_name = "fabric";
+        static_configs = [{
+          targets = [ "127.0.0.1:25585" ];
+        }];
+        scrape_interval = "60s";
+      }
     ];
   };
 

modules/nextcloud.nix

@@ -15,7 +15,7 @@ in
     nextcloud = {
       enable = true;
       configureRedis = true;
-      package = pkgs.nextcloud29;
+      package = pkgs.nextcloud30;
       hostName = domain;
       https = true; # Use https for all urls
       phpExtraExtensions = all: [
@@ -59,7 +59,7 @@ in
       occ = lib.getExe config.services.nextcloud.occ;
       ldapConfig = rec {
         ldapAgentName = "uid=search,ou=users,${ldapBase}";
-        ldapBase = "dc=ifsr,dc=de";
+        ldapBase = config.services.portunus.ldap.suffix;
         ldapBaseGroups = "ou=groups,${ldapBase}";
         ldapBaseUsers = "ou=users,${ldapBase}";
         ldapConfigurationActive = "1";

modules/padlist.nix

@@ -43,6 +43,7 @@ in
           '';
         };
         "/vendor".return = "403";
+        "/.git".return = "403";
       };
     };
   };

modules/web/default.nix

@@ -11,5 +11,6 @@
     ./sharepic.nix
     ./userdir.nix
     ./ftp.nix
+    ./hyperilo.nix
   ];
 }

modules/web/ese.nix

@@ -1,80 +1,33 @@
 { config, pkgs, ... }:
 let
   domain = "ese.${config.networking.domain}";
-  cms-domain = "directus-ese.${config.networking.domain}";
+  webRoot = "/srv/web/ese";
 in
 {
-  sops.secrets."directus_env" = { };
-  environment.systemPackages = [ pkgs.nodejs_22 ];
-  virtualisation.oci-containers = {
-    containers.directus-ese = {
-      image = "directus/directus:latest";
-      volumes = [
-        "/srv/web/directus-ese/uploads:/directus/uploads"
-        "/srv/web/directus-ese/database:/directus/database"
-      ];
-      extraOptions = [ "--network=host" ];
-      environment = {
-        "DB_CLIENT" = "pg";
-        "DB_HOST" = "localhost";
-        "DB_PORT" = "5432";
-        "DB_DATABASE" = "directus_ese";
-        "DB_USER" = "directus_ese";
-        "PUBLIC_URL" = "https://directus-ese.ifsr.de";
-        "AUTH_PROVIDERS" = "keycloak";
-        "AUTH_KEYCLOAK_DRIVER" = "openid";
-        "AUTH_KEYCLOAK_CLIENT_ID" = "directus-ese";
-        "AUTH_KEYCLOAK_ISSUER_URL" = "https://sso.ifsr.de/realms/internal/.well-known/openid-configuration";
-        "AUTH_KEYCLOAK_IDENTIFIER_KEY" = "email";
-        "AUTH_KEYCLOAK_ALLOW_PUBLIC_REGISTRATION" = "true";
-        "AUTH_KEYCLOAK_DEFAULT_ROLE_ID" = "a6b7a1b6-a6fa-442c-87fd-e37c2a16424b";
-      };
-      environmentFiles = [
-        config.sops.secrets."directus_env".path
-      ];
-
-    };
-  };
-  services.postgresql = {
-    enable = true;
-    ensureUsers = [
-      {
-        name = "directus_ese";
-        ensureDBOwnership = true;
-      }
-    ];
-    ensureDatabases = [ "directus_ese" ];
-  };
-
   services.nginx = {
-    virtualHosts."${cms-domain}" = {
-      locations."/" = {
-        extraConfig = ''
-          if ($request_method = 'OPTIONS') {
-            add_header 'Access-Control-Allow-Origin' '*';
-            add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
-            add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization';
-            add_header 'Access-Control-Max-Age' 1728000;
-            add_header 'Content-Type' 'text/plain; charset=utf-8';
-            add_header 'Content-Length' 0;
-            return 204;
-          }
-
-          add_header 'Access-Control-Allow-Origin' '*';
-          add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
-          add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization';
-        '';
-        proxyPass = "http://127.0.0.1:8055";
-      };
-    };
     virtualHosts."${domain}" = {
       locations."= /" = {
-        return = "301 /2024/";
+        return = "302 /2025/";
       };
       locations."/" = {
-        root = "/srv/web/ese/served";
+        root = webRoot;
         tryFiles = "$uri $uri/ =404";
       };
+      # cache static assets
+      locations."~* \.(?:css|svg|webp|jpg|jpeg|gif|png|ico|mp4|mp3|ogg|ogv|webm|ttf|woff2|woff)$" = {
+        root = webRoot;
+        extraConfig = ''
+          expires 1y;
+        '';
+      };
     };
   };
+
+  users.users."ese-deploy" = {
+    isNormalUser = true;
+    openssh.authorizedKeys.keys = [
+      ''command="${pkgs.rrsync}/bin/rrsync ${webRoot}",restrict ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEWGdTdobZN2oSLsTQmHOahdc9vqyuwUBS0PSk5IQhGV''
+    ];
+  };
+
 }

modules/web/ftp.nix

@@ -22,15 +22,137 @@ in
     '';
     locations."=/403.html" = {
       root = pkgs.writeTextDir "403.html" ''
+        <!DOCTYPE html>
         <html>
-          <head>
+        <head>
-            <title>403 Forbidden</title>
+            <meta charset="UTF-8">
-          </head>
+            <meta name="viewport" content="width=device-width, initial-scale=1.0">
-          <body>
+            <title>403 Forbidden - iFSR</title>
-            <center><h1>403 Forbidden</h1></center>
+            <style>
-            <center>Dieser Ordner ist nur aus dem Uni-Netz zug&aumlnglich.</center>
+                body {
-            <center>This directory is only accessible from the TUD network.</center>
+                    font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, "Helvetica Neue", Arial, sans-serif;
-          </body>
+                    background-color: #f8f9fa;
+                    margin: 0;
+                    padding: 1rem;
+                    min-height: 100vh;
+                    display: flex;
+                    align-items: center;
+                    justify-content: center;
+                }
+                .container {
+                    background: white;
+                    padding: 2rem;
+                    border-radius: 12px;
+                    box-shadow: 0 2px 15px rgba(0, 0, 0, 0.1);
+                    text-align: center;
+                    max-width: 600px;
+                    width: 100%;
+                }
+                .error-code {
+                    font-size: 3.5rem;
+                    font-weight: bold;
+                    color: #dc3545;
+                    margin: 0;
+                    line-height: 1;
+                }
+                .error-title {
+                    font-size: 1.5rem;
+                    color: #343a40;
+                    margin: 1rem 0;
+                }
+                .error-message {
+                    color: #495057;
+                    margin: 1rem 0;
+                    line-height: 1.6;
+                }
+                .language-section {
+                    padding: 1.5rem;
+                    margin: 1rem 0;
+                    background: #f8f9fa;
+                    border-radius: 8px;
+                    text-align: left;
+                }
+                .language-header {
+                    display: flex;
+                    align-items: center;
+                    gap: 0.5rem;
+                    font-weight: bold;
+                    margin-bottom: 1rem;
+                    color: #343a40;
+                }
+                .help-list {
+                    margin: 0;
+                    padding-left: 1.2rem;
+                    list-style-type: none;
+                }
+                .help-list li {
+                    margin: 0.5rem 0;
+                    position: relative;
+                }
+                .help-list li:before {
+                    content: "•";
+                    position: absolute;
+                    left: -1.2rem;
+                    color: #6c757d;
+                }
+                .logo {
+                    width: 180px;
+                    height: auto;
+                    margin-bottom: 1.5rem;
+                }
+                @media (max-width: 480px) {
+                    .container {
+                        padding: 1.5rem;
+                    }
+                    .language-section {
+                        padding: 1rem;
+                        margin: 0.5rem 0;
+                    }
+                    .error-code {
+                        font-size: 3rem;
+                    }
+                    .error-title {
+                        font-size: 1.25rem;
+                    }
+                    .logo {
+                        width: 150px;
+                    }
+                }
+            </style>
+        </head>
+        <body>
+            <div class="container">
+                <img src="https://ifsr.de/user/themes/ifsr/images/logo.svg" alt="iFSR Logo" class="logo">
+                <h1 class="error-code">403</h1>
+                <h2 class="error-title">Zugriff verweigert / Access Forbidden</h2>
+                
+                <div class="language-section">
+                    <div class="language-header">
+                        🇩🇪 Deutsch
+                    </div>
+                    <p class="error-message">
+                        Dieser Ordner ist nur aus dem Uni-Netz zugänglich.
+                    </p>
+                    <ul class="help-list">
+                        <li>Stellen Sie sicher, dass Sie mit dem TUD-Netzwerk verbunden sind</li>
+                        <li>Oder wählen Sie sich über VPN ein</li>
+                    </ul>
+                </div>
+
+                <div class="language-section">
+                    <div class="language-header">
+                        🇬🇧 English
+                    </div>
+                    <p class="error-message">
+                        This directory is only accessible from the TUD network.
+                    </p>
+                    <ul class="help-list">
+                        <li>Make sure you are connected to the TUD network</li>
+                        <li>Or connect via VPN</li>
+                    </ul>
+                </div>
+            </div>
+        </body>
         </html>
       '';
     };

modules/web/hyperilo.nix

@@ -0,0 +1,34 @@
+{ ... }:
+
+{
+  # provide access to iLO of colocated server
+  # in case of questions, contact @bennofs
+  services.nginx.virtualHosts."hyperilo.deutschland.gmbh" = {
+    forceSSL = true;
+    locations."/".proxyPass = "https://192.168.0.120:443";
+    locations."/".basicAuthFile = "/run/secrets/hyperilo_htaccess";
+    locations."/".extraConfig = ''
+      proxy_ssl_verify off;
+      proxy_http_version 1.1;
+      proxy_set_header Upgrade $http_upgrade;
+      proxy_set_header Connection $connection_upgrade_capitalized;
+    '';
+  };
+
+  # HP iLO requires uppercase Upgrade, not lowercase "upgrade"
+  services.nginx.commonHttpConfig = ''
+    map $http_upgrade $connection_upgrade_capitalized {
+      default  Upgrade;
+      '''      close;
+    }
+  '';
+
+  systemd.network.networks."20-hyperilo" = {
+    matchConfig.Name = "eno8303";
+    address = [ "192.168.0.1/24" ];
+    networkConfig.LLDP = true;
+    networkConfig.EmitLLDP = "nearest-bridge";
+  };
+
+  sops.secrets."hyperilo_htaccess".owner = "nginx";
+}

modules/wiki/fsr.nix

@@ -64,7 +64,8 @@ in
         # https://www.mediawiki.org/wiki/Extension:PluggableAuth
         # https://www.mediawiki.org/wiki/Extension:OpenID_Connect
         $wgOpenIDConnect_MigrateUsersByEmail = true;
-        $wgPluggableAuth_EnableLocalLogin = true;
+        //$wgOpenIDConnect_MigrateUsersByUserName = true;
+        $wgPluggableAuth_EnableLocalLogin = false;
         $wgPluggableAuth_Config["iFSR Login"] = [
           "plugin" => "OpenIDConnect",
           "data" => [
@@ -76,21 +77,18 @@ in
       '';
 
       extensions = {
+        # some extensions are included and can enabled by passing null
+        VisualEditor = null;
+        # the dir in the mediawiki-1.42.3.tar.gz inside of the extension folder is called "SyntaxHighlight_GeSHi" not "SyntaxHighlight"
+        SyntaxHighlight_GeSHi = null;
+
         PluggableAuth = pkgs.fetchzip {
-          url = "https://extdist.wmflabs.org/dist/extensions/PluggableAuth-REL1_40-3689731.tar.gz";
+          url = "https://extdist.wmflabs.org/dist/extensions/PluggableAuth-REL1_42-1da98f4.tar.gz";
-          hash = "sha256-BMA0qV+x+iQt/P9tbl9csEUni9jiQcBtZeuwdjx2QPk=";
+          hash = "sha256-5uBUy7lrr86ApASYPWgF6Wa09mxxP0o+lXLt1gVswlA=";
         };
         OpenIDConnect = pkgs.fetchzip {
-          url = "https://extdist.wmflabs.org/dist/extensions/OpenIDConnect-REL1_40-b354cdb.tar.gz";
+          url = "https://extdist.wmflabs.org/dist/extensions/OpenIDConnect-REL1_42-6c28c16.tar.gz";
-          hash = "sha256-gLHaveEzfmpqU9fWATZsUU377FJj2yq//raHZUR/VWk=";
+          hash = "sha256-X5kUuvxINbuXaLMKRcLOl2L3qbnMT72lg2NA3A9Daj8=";
-        };
-        VisualEditor = pkgs.fetchzip {
-          url = "https://extdist.wmflabs.org/dist/extensions/VisualEditor-REL1_40-8970b62.tar.gz";
-          hash = "sha256-G+qvKVuF6OCnwS5q2cKfij1/aH1I6lOw84K6fED980s=";
-        };
-        SyntaxHighlight = pkgs.fetchzip {
-          url = "https://extdist.wmflabs.org/dist/extensions/SyntaxHighlight_GeSHi-REL1_40-1170e8f.tar.gz";
-          hash = "sha256-75+wwTvHhwPBP1jVLK2fQWBi7vznOvPVgNpY3kzWJtg=";
         };
       };
     };

overlays/default.nix

@@ -1,7 +1,7 @@
 _final: prev:
 let
   inherit (prev) fetchurl;
-  inherit (prev) fetchFromGitHub;
+  inherit (prev) callPackage;
 in
 {
   # AGDSN is running an outdated version that we have to comply to
@@ -12,17 +12,32 @@ in
       sha256 = "sha256-3w+FJezbo4DnS1N8pxrfO3WWWT8CGJtZqw6//IXMyN4=";
     };
   }));
-  # (hopefully) fix systemd journal reading
+  # Mailman internal server error fix
-  prometheus-postfix-exporter = prev.prometheus-postfix-exporter.overrideAttrs (_old: {
+  # https://gitlab.com/mailman/mailman/-/issues/1137
-    patches = [
+  # https://github.com/NixOS/nixpkgs/pull/321136
-      ./prometheus-postfix-exporter/0001-cleanup-also-catch-milter-reject.patch
+  pythonPackagesExtensions = prev.pythonPackagesExtensions ++ [
-    ];
+    (_python-final: python-prev: {
-    src = fetchFromGitHub {
+      readme-renderer = python-prev.readme-renderer.overridePythonAttrs (_oldAttrs: {
-      owner = "adangel";
+        propagatedBuildInputs = [ python-prev.cmarkgfm ];
-      repo = "postfix_exporter";
+      });
-      rev = "414ac12ee63415eede46cb3084d755a6da6fba23";
+    })
-      hash = "sha256-m1kVaO3N7XC1vtnxXX9kMiEFPmZuoopRUYgA7gQzP8w=";
+  ];
-    };
-  });
 
+  keycloak_ifsr_theme = callPackage ../modules/keycloak/theme.nix { };
+  portunus = callPackage ./portunus.nix { };
+  mediawiki = (prev.mediawiki.overrideAttrs (_old: rec {
+    version = "1.43.0";
+
+    src = fetchurl {
+      url = "https://releases.wikimedia.org/mediawiki/${prev.lib.versions.majorMinor version}/mediawiki-${version}.tar.gz";
+      hash = "sha256-VuCn/i/3jlC5yHs9WJ8tjfW8qwAY5FSypKI5yFhr2O4=";
+    };
+
+  }));
+
+  hedgedoc = prev.hedgedoc.overrideAttrs ({ patches ? [ ], ... }: {
+    patches = patches ++ [
+      ./hedgedoc/0001-anonymous-uploads.patch
+    ];
+  });
 }

overlays/hedgedoc/0001-anonymous-uploads.patch

@@ -0,0 +1,62 @@
+diff --git a/app.js b/app.js
+index d41dbfbd7..faf686cfa 100644
+--- a/app.js
++++ b/app.js
+@@ -203,6 +203,7 @@ app.locals.serverURL = config.serverURL
+ app.locals.sourceURL = config.sourceURL
+ app.locals.allowAnonymous = config.allowAnonymous
+ app.locals.allowAnonymousEdits = config.allowAnonymousEdits
++app.locals.allowAnonymousUploads = config.allowAnonymousUploads
+ app.locals.disableNoteCreation = config.disableNoteCreation
+ app.locals.authProviders = {
+   facebook: config.isFacebookEnable,
+diff --git a/lib/config/default.js b/lib/config/default.js
+index d038e5311..9ab9a6bb1 100644
+--- a/lib/config/default.js
++++ b/lib/config/default.js
+@@ -33,6 +33,7 @@ module.exports = {
+   protocolUseSSL: false,
+   allowAnonymous: true,
+   allowAnonymousEdits: false,
++  allowAnonymousUploads: false,
+   allowFreeURL: false,
+   requireFreeURLAuthentication: false,
+   disableNoteCreation: false,
+diff --git a/lib/config/environment.js b/lib/config/environment.js
+index da50a660d..b74d122f4 100644
+--- a/lib/config/environment.js
++++ b/lib/config/environment.js
+@@ -31,6 +31,7 @@ module.exports = {
+   allowOrigin: toArrayConfig(process.env.CMD_ALLOW_ORIGIN),
+   allowAnonymous: toBooleanConfig(process.env.CMD_ALLOW_ANONYMOUS),
+   allowAnonymousEdits: toBooleanConfig(process.env.CMD_ALLOW_ANONYMOUS_EDITS),
++  allowAnonymousUploads: toBooleanConfig(process.env.CMD_ALLOW_ANONYMOUS_UPLOADS),
+   allowFreeURL: toBooleanConfig(process.env.CMD_ALLOW_FREEURL),
+   requireFreeURLAuthentication: toBooleanConfig(process.env.CMD_REQUIRE_FREEURL_AUTHENTICATION),
+   disableNoteCreation: toBooleanConfig(process.env.CMD_DISABLE_NOTE_CREATION),
+diff --git a/lib/config/hackmdEnvironment.js b/lib/config/hackmdEnvironment.js
+index c40ffc961..20c2da83b 100644
+--- a/lib/config/hackmdEnvironment.js
++++ b/lib/config/hackmdEnvironment.js
+@@ -22,6 +22,7 @@ module.exports = {
+   allowOrigin: toArrayConfig(process.env.HMD_ALLOW_ORIGIN),
+   allowAnonymous: toBooleanConfig(process.env.HMD_ALLOW_ANONYMOUS),
+   allowAnonymousEdits: toBooleanConfig(process.env.HMD_ALLOW_ANONYMOUS_EDITS),
++  allowAnonymousUploads: toBooleanConfig(process.env.HMD_ALLOW_ANONYMOUS_UPLOADS),
+   allowFreeURL: toBooleanConfig(process.env.HMD_ALLOW_FREEURL),
+   defaultPermission: process.env.HMD_DEFAULT_PERMISSION,
+   dbURL: process.env.HMD_DB_URL,
+diff --git a/lib/web/imageRouter/index.js b/lib/web/imageRouter/index.js
+index d9964827b..7321bc805 100644
+--- a/lib/web/imageRouter/index.js
++++ b/lib/web/imageRouter/index.js
+@@ -59,8 +59,7 @@ async function checkUploadType (filePath) {
+ imageRouter.post('/uploadimage', function (req, res) {
+   if (
+     !req.isAuthenticated() &&
+-    !config.allowAnonymous &&
+-    !config.allowAnonymousEdits
++    !config.allowAnonymousUploads
+   ) {
+     logger.error(
+       'Image upload error: Anonymous edits and therefore uploads are not allowed'

overlays/portunus.nix

@@ -0,0 +1,32 @@
+{ lib
+, buildGoModule
+, fetchFromGitHub
+, libxcrypt-legacy
+, nixosTests
+}:
+
+buildGoModule rec {
+  pname = "portunus";
+  version = "2.1.1";
+
+  src = fetchFromGitHub {
+    owner = "majewsky";
+    repo = "portunus";
+    rev = "v${version}";
+    sha256 = "sha256-+pMMIutj+OWKZmOYH5NuA4a7aS5CD+33vAEC9bJmyfM=";
+  };
+
+  buildInputs = [ libxcrypt-legacy ];
+
+  vendorHash = null;
+
+  passthru.tests = { inherit (nixosTests) portunus; };
+
+  meta = with lib; {
+    description = "Self-contained user/group management and authentication service";
+    homepage = "https://github.com/majewsky/portunus";
+    license = licenses.gpl3Plus;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ majewsky ] ++ teams.c3d2.members;
+  };
+}