portunus: remove

2024-07-07 14:05:59 +02:00
33 changed files with 373 additions and 1223 deletions
--- a/flake.lock
+++ b/flake.lock
@ -3,17 +3,15 @@
    "course-management": {
      "inputs": {
        "flake-utils": "flake-utils",
-        "nixpkgs": [
+        "nixpkgs": "nixpkgs",
          "nixpkgs"
        ],
        "poetry2nix": "poetry2nix"
      },
      "locked": {
-        "lastModified": 1730751072,
+        "lastModified": 1714117615,
-        "narHash": "sha256-+FQjzCNV3k8U4BfNcFmoZTRf8aO9ufn3s7kkzHj/b7s=",
+        "narHash": "sha256-Ilu7j7tihFI0jtnsQS+7H0SZX4C61NZHaV/7fJ39t/E=",
        "owner": "fsr",
        "repo": "course-management",
-        "rev": "60b7062ce47ee9f0609e701ad5eb5e3e0a857ff2",
+        "rev": "9e5ab11788b926a9a26d2aaa0e0958c3c5865cc9",
        "type": "github"
      },
      "original": {
@ -29,11 +27,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1730889586,
+        "lastModified": 1698049587,
-        "narHash": "sha256-SLgo7UjWLaFaaUPFqzKbr9DLAGzm5kparfxuJHEpK3w=",
+        "narHash": "sha256-gNxpJdxSrpWMTBSGFO4HfXgr+FiAGtwEXCvxd6W8IUQ=",
        "ref": "refs/heads/main",
-        "rev": "a111147ce5eaea4f1d691afe1203e7529d68522d",
+        "rev": "2d05abcd2b4e59db421c86fa9adaffa3dccb1086",
-        "revCount": 9,
+        "revCount": 7,
        "type": "git",
        "url": "https://git.ifsr.de/ese/manual-website"
      },
@ -42,32 +40,16 @@
        "url": "https://git.ifsr.de/ese/manual-website"
      }
    },
    "flake-compat": {
      "flake": false,
      "locked": {
        "lastModified": 1673956053,
        "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=",
        "owner": "edolstra",
        "repo": "flake-compat",
        "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9",
        "type": "github"
      },
      "original": {
        "owner": "edolstra",
        "repo": "flake-compat",
        "type": "github"
      }
    },
    "flake-utils": {
      "inputs": {
        "systems": "systems"
      },
      "locked": {
-        "lastModified": 1726560853,
+        "lastModified": 1694529238,
-        "narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=",
+        "narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=",
        "owner": "numtide",
        "repo": "flake-utils",
-        "rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a",
+        "rev": "ff7b65b44d01cf9ba6a71320833626af21126384",
        "type": "github"
      },
      "original": {
@ -81,11 +63,11 @@
        "systems": "systems_2"
      },
      "locked": {
-        "lastModified": 1726560853,
+        "lastModified": 1694529238,
-        "narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=",
+        "narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=",
        "owner": "numtide",
        "repo": "flake-utils",
-        "rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a",
+        "rev": "ff7b65b44d01cf9ba6a71320833626af21126384",
        "type": "github"
      },
      "original": {
@ -112,24 +94,6 @@
        "type": "github"
      }
    },
    "flake-utils_4": {
      "inputs": {
        "systems": "systems_5"
      },
      "locked": {
        "lastModified": 1681202837,
        "narHash": "sha256-H+Rh19JDwRtpVPAWp64F+rlEtxUWBAQW28eAi3SRSzg=",
        "owner": "numtide",
        "repo": "flake-utils",
        "rev": "cfacdce06f30d2b68473a46042957675eebb3401",
        "type": "github"
      },
      "original": {
        "owner": "numtide",
        "repo": "flake-utils",
        "type": "github"
      }
    },
    "kpp": {
      "inputs": {
        "nixpkgs": [
@ -137,11 +101,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1724255946,
+        "lastModified": 1708628927,
-        "narHash": "sha256-YVT/QE2PCDzx4eq1i3PqOOpQVXJstN18e0sFB/UbAY0=",
+        "narHash": "sha256-1ObvmmEzbW2YjY/jJyfOoxhxIe54zcsOBMzgehnclRg=",
        "owner": "fsr",
        "repo": "kpp",
-        "rev": "ce98b985201a5453aee708a3fc13bbccf2357f8e",
+        "rev": "05e370097af21ddb776bec907942c60e6aebc394",
        "type": "github"
      },
      "original": {
@ -159,11 +123,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1729742964,
+        "lastModified": 1698974481,
-        "narHash": "sha256-B4mzTcQ0FZHdpeWcpDYPERtyjJd/NIuaQ9+BV1h+MpA=",
+        "narHash": "sha256-yPncV9Ohdz1zPZxYHQf47S8S0VrnhV7nNhCawY46hDA=",
        "owner": "nix-community",
        "repo": "nix-github-actions",
-        "rev": "e04df33f62cdcf93d73e9a04142464753a16db67",
+        "rev": "4bb5e752616262457bc7ca5882192a564c0472d2",
        "type": "github"
      },
      "original": {
@ -179,11 +143,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1731209121,
+        "lastModified": 1720334033,
-        "narHash": "sha256-BF7FBh1hIYPDihdUlImHGsQzaJZVLLfYqfDx41wjuF0=",
+        "narHash": "sha256-X9pEvvHTVWJphhbUYqXvlLedOndNqGB7rvhSvL2CIgU=",
        "owner": "nix-community",
        "repo": "nix-index-database",
-        "rev": "896019f04b22ce5db4c0ee4f89978694f44345c3",
+        "rev": "685e40e1348007d2cf76747a201bab43d86b38cb",
        "type": "github"
      },
      "original": {
@ -192,51 +156,29 @@
        "type": "github"
      }
    },
    "nix-minecraft": {
      "inputs": {
        "flake-compat": "flake-compat",
        "flake-utils": "flake-utils_3",
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1731375802,
        "narHash": "sha256-CvWPEzrl2EA3xrtg9X6K8aqV7T5r0SaDz6PLpGA0yIY=",
        "owner": "Infinidoge",
        "repo": "nix-minecraft",
        "rev": "b873a123366b9a62f9262414ada8d83b03f1f0bf",
        "type": "github"
      },
      "original": {
        "owner": "Infinidoge",
        "repo": "nix-minecraft",
        "type": "github"
      }
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1731239293,
+        "lastModified": 1701253981,
-        "narHash": "sha256-q2yjIWFFcTzp5REWQUOU9L6kHdCDmFDpqeix86SOvDc=",
+        "narHash": "sha256-ztaDIyZ7HrTAfEEUt9AtTDNoCYxUdSd6NrRHaYOIxtk=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "9256f7c71a195ebe7a218043d9f93390d49e6884",
+        "rev": "e92039b55bcd58469325ded85d4f58dd5a4eaf58",
        "type": "github"
      },
      "original": {
        "owner": "nixos",
-        "ref": "nixos-24.05",
+        "ref": "nixos-unstable",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "nixpkgs-stable": {
      "locked": {
-        "lastModified": 1730602179,
+        "lastModified": 1720282526,
-        "narHash": "sha256-efgLzQAWSzJuCLiCaQUCDu4NudNlHdg2NzGLX5GYaEY=",
+        "narHash": "sha256-dudRkHPRivMNOhd04YI+v4sWvn2SnN5ODSPIu5IVbco=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "3c2f1c4ca372622cb2f9de8016c9a0b1cbd0f37c",
+        "rev": "550ac3e955c30fe96dd8b2223e37e0f5d225c927",
        "type": "github"
      },
      "original": {
@ -247,6 +189,22 @@
      }
    },
    "nixpkgs_2": {
      "locked": {
        "lastModified": 1720244366,
        "narHash": "sha256-WrDV0FPMVd2Sq9hkR5LNHudS3OSMmUrs90JUTN+MXpA=",
        "owner": "nixos",
        "repo": "nixpkgs",
        "rev": "49ee0e94463abada1de470c9c07bfc12b36dcf40",
        "type": "github"
      },
      "original": {
        "owner": "nixos",
        "ref": "nixos-24.05",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "nixpkgs_3": {
      "locked": {
        "lastModified": 1682134069,
        "narHash": "sha256-TnI/ZXSmRxQDt2sjRYK/8j8iha4B4zP2cnQCZZ3vp7k=",
@ -272,11 +230,11 @@
        "treefmt-nix": "treefmt-nix"
      },
      "locked": {
-        "lastModified": 1730284601,
+        "lastModified": 1701399357,
-        "narHash": "sha256-eHYcKVLIRRv3J1vjmxurS6HVdGphB53qxUeAkylYrZY=",
+        "narHash": "sha256-QSGP2J73HQ4gF5yh+MnClv2KUKzcpTmikdmV8ULfq2E=",
        "owner": "nix-community",
        "repo": "poetry2nix",
-        "rev": "43a898b4d76f7f3f70df77a2cc2d40096bc9d75e",
+        "rev": "7acb78166a659d6afe9b043bb6fe5cb5e86bb75e",
        "type": "github"
      },
      "original": {
@ -311,8 +269,7 @@
        "ese-manual": "ese-manual",
        "kpp": "kpp",
        "nix-index-database": "nix-index-database",
-        "nix-minecraft": "nix-minecraft",
+        "nixpkgs": "nixpkgs_2",
        "nixpkgs": "nixpkgs",
        "print-interface": "print-interface",
        "sops-nix": "sops-nix",
        "vscode-server": "vscode-server"
@ -326,11 +283,11 @@
        "nixpkgs-stable": "nixpkgs-stable"
      },
      "locked": {
-        "lastModified": 1731364708,
+        "lastModified": 1720321395,
-        "narHash": "sha256-HC0anOL+KmUQ2hdRl0AtunbAckasxrkn4VLmxbW/WaA=",
+        "narHash": "sha256-kcI8q9Nh8/CSj0ygfWq1DLckHl8IHhFarL8ie6g7OEk=",
        "owner": "Mic92",
        "repo": "sops-nix",
-        "rev": "4c91d52db103e757fc25b58998b0576ae702d659",
+        "rev": "c184aca4db5d71c3db0c8cbfcaaec337a5d065ea",
        "type": "github"
      },
      "original": {
@ -398,21 +355,6 @@
        "type": "github"
      }
    },
    "systems_5": {
      "locked": {
        "lastModified": 1681028828,
        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
        "owner": "nix-systems",
        "repo": "default",
        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
        "type": "github"
      },
      "original": {
        "owner": "nix-systems",
        "repo": "default",
        "type": "github"
      }
    },
    "treefmt-nix": {
      "inputs": {
        "nixpkgs": [
@ -422,11 +364,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1730120726,
+        "lastModified": 1699786194,
-        "narHash": "sha256-LqHYIxMrl/1p3/kvm2ir925tZ8DkI0KA10djk8wecSk=",
+        "narHash": "sha256-3h3EH1FXQkIeAuzaWB+nK0XK54uSD46pp+dMD3gAcB4=",
        "owner": "numtide",
        "repo": "treefmt-nix",
-        "rev": "9ef337e492a5555d8e17a51c911ff1f02635be15",
+        "rev": "e82f32aa7f06bbbd56d7b12186d555223dc399d1",
        "type": "github"
      },
      "original": {
@ -437,15 +379,15 @@
    },
    "vscode-server": {
      "inputs": {
-        "flake-utils": "flake-utils_4",
+        "flake-utils": "flake-utils_3",
-        "nixpkgs": "nixpkgs_2"
+        "nixpkgs": "nixpkgs_3"
      },
      "locked": {
-        "lastModified": 1729422940,
+        "lastModified": 1713958148,
-        "narHash": "sha256-DlvJv33ml5UTKgu4b0HauOfFIoDx6QXtbqUF3vWeRCY=",
+        "narHash": "sha256-8PDNi/dgoI2kyM7uSiU4eoLBqUKoA+3TXuz+VWmuCOc=",
        "owner": "nix-community",
        "repo": "nixos-vscode-server",
-        "rev": "8b6db451de46ecf9b4ab3d01ef76e59957ff549f",
+        "rev": "fc900c16efc6a5ed972fb6be87df018bcf3035bc",
        "type": "github"
      },
      "original": {
--- a/flake.nix
+++ b/flake.nix
@ -17,10 +17,8 @@
    course-management = {
      url = "github:fsr/course-management";
-      inputs.nixpkgs.follows = "nixpkgs";
+      # inputs.nixpkgs.follows = "nixpkgs";
    };
    nix-minecraft.url = "github:Infinidoge/nix-minecraft";
    nix-minecraft.inputs.nixpkgs.follows = "nixpkgs";
  };
  outputs =
    { self
@ -32,14 +30,12 @@
    , vscode-server
    , course-management
    , print-interface
    , nix-minecraft
    , ...
    }@inputs:
    let
      supportedSystems = [ "x86_64-linux" ];
      forAllSystems = nixpkgs.lib.genAttrs supportedSystems;
      pkgs = forAllSystems (system: nixpkgs.legacyPackages.${system});
    in
    {
      packages = forAllSystems (system: rec {
@ -71,7 +67,6 @@
            ese-manual.nixosModules.default
            course-management.nixosModules.default
            vscode-server.nixosModules.default
            nix-minecraft.nixosModules.minecraft-servers
            ./hosts/quitte/configuration.nix
            ./options
@ -82,26 +77,21 @@
            ./modules/courses
            ./modules/wiki
            ./modules/matrix
            ./modules/minecraft
            ./modules/keycloak
            ./modules/monitoring
            ./modules/nix-serve.nix
            ./modules/hedgedoc.nix
            ./modules/padlist.nix
            ./modules/nextcloud.nix
            ./modules/keycloak.nix
            ./modules/monitoring.nix
            ./modules/vaultwarden.nix
            ./modules/forgejo
            ./modules/kanboard.nix
            ./modules/zammad.nix
-            # ./modules/decisions.nix
+            ./modules/decisions.nix
            ./modules/stream.nix
            # ./modules/struktur-bot.nix
            {
-              nixpkgs.overlays = [
+              nixpkgs.overlays = [ self.overlays.default ];
                self.overlays.default
                nix-minecraft.overlay
              ];
              sops.defaultSopsFile = ./secrets/quitte.yaml;
            }
          ];
--- a/hosts/quitte/configuration.nix
+++ b/hosts/quitte/configuration.nix
@ -1,4 +1,4 @@
-{ pkgs, ... }:
+{ pkgs, config, ... }:
 {
  imports =
@ -16,6 +16,7 @@
  # boot.kernelParams = [ "video=VGA-1:1024x768@30" ];
  boot.loader.efi.canTouchEfiVariables = true;
  boot.supportedFilesystems = [ "zfs" ];
  boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
  services.zfs = {
    trim.enable = true;
@ -26,17 +27,6 @@
  time.timeZone = "Europe/Berlin";
  i18n.defaultLocale = "en_US.UTF-8";
  security.sudo.extraRules = [
    {
      commands = [
        {
          command = "ALL";
          options = [ "NOPASSWD" ];
        }
      ];
      groups = [ "admins" ];
    }
  ];
  # prevent fork bombs
  security.pam.loginLimits = [
    {
--- a/hosts/quitte/network.nix
+++ b/hosts/quitte/network.nix
@ -2,10 +2,10 @@
 {
  networking = {
    # portunus module does weird things to this, so we force it to some sane values
-    hosts = {
+    # hosts = {
-      "127.0.0.1" = lib.mkForce [ "quitte.ifsr.de" "quitte" ];
+    #   "127.0.0.1" = lib.mkForce [ "quitte.ifsr.de" "quitte" ];
-      "::1" = lib.mkForce [ "quitte.ifsr.de" "quitte" ];
+    #   "::1" = lib.mkForce [ "quitte.ifsr.de" "quitte" ];
-    };
+    # };
    hostId = "a71c81fc";
    domain = "ifsr.de";
    hostName = "quitte";
--- a/modules/core/bacula.nix
+++ b/modules/core/bacula.nix
@ -14,7 +14,6 @@
    enable = true;
    name = "ifsr-quitte";
    extraClientConfig = ''
      Comm Compression = no
      Maximum Concurrent Jobs = 20
      FDAddress = 141.30.30.169
      PKI Signatures = Yes
--- a/modules/core/base.nix
+++ b/modules/core/base.nix
@ -112,7 +112,6 @@
    eza
    zsh
    unzip
    yazi
  ];
 }
--- a/modules/core/logging.nix
+++ b/modules/core/logging.nix
@ -3,7 +3,6 @@
  services.rsyslogd = {
    enable = true;
    defaultConfig = ''
      $FileCreateMode 0640
      :programname, isequal, "postfix" /var/log/postfix.log
      auth.*                          -/var/log/auth.log
--- a/modules/core/podman.nix
+++ b/modules/core/podman.nix
@ -1,4 +1,4 @@
-{ pkgs, ... }:
+{ config, pkgs, ... }:
 {
  # From: https://nixos.wiki/wiki/Podman
  virtualisation.containers.enable = true;
--- a/modules/core/postgres.nix
+++ b/modules/core/postgres.nix
@ -5,6 +5,7 @@
    enable = true;
    location = "/var/lib/backup/postgresql";
    databases = [
      "directus_ese"
      "course-management"
      "git"
      "grafana"
--- a/modules/courses/default.nix
+++ b/modules/courses/default.nix
@ -3,6 +3,7 @@ let
  hostName = "kurse.${config.networking.domain}";
 in
 {
  imports = [ ./phil.nix ];
  sops.secrets =
    let inherit (config.services.course-management) user;
    in
--- a/modules/decisions.nix
+++ b/modules/decisions.nix
@ -1,4 +1,4 @@
-{ config, ... }:
+{ config, pkgs, ... }:
 let
  domain = "decisions.${config.networking.domain}";
 in
--- a/modules/forgejo/actions.nix
+++ b/modules/forgejo/actions.nix
@ -1,30 +0,0 @@
 { config, pkgs, ... }:
 {
  sops.secrets."forgejo/runner-token" = { };
  services.gitea-actions-runner = {
    package = pkgs.forgejo-actions-runner;
    instances."quitte" = {
      enable = true;
      labels = [
        # provide a debian base with nodejs for actions
        "debian-latest:docker://node:18-bullseye"
        # fake the ubuntu name, because node provides no ubuntu builds
        "ubuntu-latest:docker://node:18-bullseye"
        # provide native execution on the host
        # "native:host"
      ];
      tokenFile = config.sops.secrets."forgejo/runner-token".path;
      url = "https://git.ifsr.de";
      name = "quitte";
      settings = {
        container = {
          # use podman's default network, otherwise dns was not working for some reason
          network = "podman";
          # don't mount the docker socket into the build containers,
          # this would basically mean root on the host...
          docker_host = "-";
        };
      };
    };
  };
 }
--- a/modules/forgejo/default.nix
+++ b/modules/forgejo/default.nix
@ -4,9 +4,9 @@ let
  gitUser = "git";
 in
 {
-  imports = [
+  # imports = [
-    ./actions.nix
+  #   ./actions.nix
-  ];
+  # ];
  sops.secrets.gitea_ldap_search = {
    key = "portunus/search-password";
    owner = config.services.forgejo.user;
@ -22,6 +22,15 @@ in
  services.forgejo = {
    enable = true;
    # package = pkgs.forgejo.overrideAttrs (_old: {
    #   # patches = [
    #   #   # migration fix
    #   #   (pkgs.fetchpatch {
    #   #     url = "https://codeberg.org/forgejo/forgejo/commit/ae463c7c559e02975ce5e758d8780def978eebee.patch";
    #   #     hash = "sha256-cOXPvkLS0n+ynSBTrmEtumZ2PYBeCZmxPpFktqkw6Fo=";
    #   #   })
    #   # ];
    # });
    user = gitUser;
    group = gitUser;
    lfs.enable = true;
@ -70,25 +79,22 @@ in
        PROVIDER = "db";
      };
      actions.ENABLED = true;
      # federation.ENABLED = true;
      webhook.ALLOWED_HOST_LIST = "*.ifsr.de";
    };
  };
  systemd.services.forgejo.preStart =
    let
      exe = lib.getExe config.services.forgejo.package;
-      portunus = config.services.portunus;
+      basedn = "ou=users,dc=ifsr,dc=de";
      basedn = "ou=users,${portunus.ldap.suffix}";
      ldapConfigArgs = ''
        --name LDAP \
        --active \
        --security-protocol unencrypted \
-        --host '${portunus.domain}' \
+        --host 'auth.ifsr.de' \
        --port 389 \
        --user-search-base '${basedn}' \
        --user-filter '(&(objectClass=posixAccount)(uid=%s))' \
-        --admin-filter '(isMemberOf=cn=admins,ou=groups,${portunus.ldap.suffix})' \
+        --admin-filter '(isMemberOf=cn=admins,ou=groups,dc=ifsr,dc=de)' \
        --username-attribute uid \
        --firstname-attribute givenName \
        --surname-attribute sn \
--- a/modules/hedgedoc.nix
+++ b/modules/hedgedoc.nix
@ -54,9 +54,9 @@ in
        # ldap auth
        ldap = rec {
          url = "ldap://localhost";
-          searchBase = "ou=users,${config.services.portunus.ldap.suffix}";
+          searchBase = "ou=users,dc=ifsr,dc=de";
          searchFilter = "(uid={{username}})";
-          bindDn = "uid=${config.services.portunus.ldap.searchUserName},${searchBase}";
+          bindDn = "uid=search,${searchBase}";
          bindCredentials = "\${LDAP_CREDENTIALS}";
          useridField = "uid";
          providerName = "iFSR";
--- a/modules/kanboard.nix
+++ b/modules/kanboard.nix
@ -8,7 +8,7 @@ in
  virtualisation.oci-containers = {
    containers.kanboard = {
-      image = "ghcr.io/kanboard/kanboard:v1.2.41";
+      image = "ghcr.io/kanboard/kanboard:v1.2.36";
      volumes = [
        "kanboard_data:/var/www/app/data"
        "kanboard_plugins:/var/www/app/plugins"
--- a/modules/keycloak/default.nix
+++ b/modules/keycloak/default.nix
@ -1,4 +1,4 @@
-{ config, pkgs, ... }:
+{ config, ... }:
 let
  domain = "sso.${config.networking.domain}";
 in
@ -20,9 +20,6 @@ in
      passwordFile = config.sops.secrets."keycloak/db".path;
    };
    initialAdminPassword = "plschangeme";
    themes = with pkgs ; {
      ifsr = keycloak_ifsr_theme;
    };
  };
  services.nginx.virtualHosts."${domain}" = {
    locations."/" = {
--- a/modules/keycloak/theme.nix
+++ b/modules/keycloak/theme.nix
@ -1,15 +0,0 @@
 { stdenv }:
 stdenv.mkDerivation rec {
  name = "keycloak_ifsr_theme";
  version = "1.1";
  src = ./theme;
  nativeBuildInputs = [ ];
  buildInputs = [ ];
  installPhase = ''
    mkdir -p $out
    cp -a login $out
  '';
 }
--- a/modules/keycloak/theme/login/resources/css/login.css
+++ b/modules/keycloak/theme/login/resources/css/login.css
@ -1,772 +0,0 @@
 .login-pf {
    background: none;
 }
 .login-pf body {
    background: url(../img/background.jpg) no-repeat center center fixed;
    background-size: cover;
    height: 100%;
 }
 /*IE compatibility*/
 .pf-c-form-control {
    font-size: 14px;
    font-size: var(--pf-global--FontSize--sm);
    border-width: 1px;
    border-width: var(--pf-global--BorderWidth--sm);;
    border-color: #EDEDED #EDEDED #8A8D90 #EDEDED;
    border-color: var(--pf-global--BorderColor--300) var(--pf-global--BorderColor--300) var(--pf-global--BorderColor--200) var(--pf-global--BorderColor--300);
    background-color: #FFFFFF;
    background-color: var(--pf-global--BackgroundColor--100);
    height: 36px;
    height: calc(var(--pf-c-form-control--FontSize) * var(--pf-c-form-control--LineHeight) + var(--pf-c-form-control--BorderWidth) * 2 + var(--pf-c-form-control--PaddingTop) + var(--pf-c-form-control--PaddingBottom));
    padding: 5px 0.5rem;
    padding: var(--pf-c-form-control--PaddingTop) var(--pf-c-form-control--PaddingRight) var(--pf-c-form-control--PaddingBottom) var(--pf-c-form-control--PaddingLeft);
 }
 textarea.pf-c-form-control {
 	height: auto;
 }
 .pf-c-form-control:hover, .pf-c-form-control:focus {
    border-bottom-color: #0066CC;
    border-bottom-color: var(--pf-global--primary-color--100);
    border-bottom-width: 2px;
    border-bottom-width: var(--pf-global--BorderWidth--md);
 }
 .pf-c-form-control[aria-invalid=true] {
    border-bottom-color: #C9190B;
    border-bottom-color: var(--pf-global--danger-color--100);
    border-bottom-width: 2px;
    border-bottom-width: var(--pf-global--BorderWidth--md);
 }
 .pf-c-check__label, .pf-c-radio__label {
 	font-size: 14px;
 	font-size: var(--pf-global--FontSize--sm);
 }
 .pf-c-alert.pf-m-inline {
    margin-bottom: 0.5rem; /* default - IE compatibility */
    margin-bottom: var(--pf-global--spacer--sm);
    padding: 0.25rem;
    padding: var(--pf-global--spacer--xs);
    border: solid #ededed;
    border: solid var(--pf-global--BorderColor--300);
    border-width: 1px;
    border-width: var(--pf-c-alert--m-inline--BorderTopWidth) var(--pf-c-alert--m-inline--BorderRightWidth) var(--pf-c-alert--m-inline--BorderBottomWidth) var(--pf-c-alert--m-inline--BorderLeftWidth);
    display: -ms-flexbox;
    display: grid;
    -ms-grid-columns: max-content 1fr max-content;
    grid-template-columns:max-content 1fr max-content;
    grid-template-columns: var(--pf-c-alert--grid-template-columns);
    grid-template-rows: 1fr auto;
    grid-template-rows: var(--pf-c-alert--grid-template-rows);
 }
 .pf-c-alert.pf-m-inline::before {
    position: absolute;
    top: -1px;
    top: var(--pf-c-alert--m-inline--before--Top);
    bottom: -1px;
    bottom: var(--pf-c-alert--m-inline--before--Bottom);
    left: 0;
    width: 3px;
    width: var(--pf-c-alert--m-inline--before--Width);
    content: ;
    background-color: #FFFFFF;
    background-color: var(--pf-global--BackgroundColor--100);
 }
 .pf-c-alert.pf-m-inline.pf-m-success::before {
    background-color: #92D400;
    background-color: var(--pf-global--success-color--100);
 }
 .pf-c-alert.pf-m-inline.pf-m-danger::before {
    background-color: #C9190B;
    background-color: var(--pf-global--danger-color--100);
 }
 .pf-c-alert.pf-m-inline.pf-m-warning::before {
    background-color: #F0AB00;
    background-color: var(--pf-global--warning-color--100);
 }
 .pf-c-alert.pf-m-inline .pf-c-alert__icon {
    padding: 1rem 0.5rem 1rem 1rem;
    padding: var(--pf-c-alert--m-inline__icon--PaddingTop) var(--pf-c-alert--m-inline__icon--PaddingRight) var(--pf-c-alert--m-inline__icon--PaddingBottom) var(--pf-c-alert--m-inline__icon--PaddingLeft);
    font-size: 16px;
    font-size: var(--pf-c-alert--m-inline__icon--FontSize);
 }
 .pf-c-alert.pf-m-success .pf-c-alert__icon {
    color: #92D400;
    color: var(--pf-global--success-color--100);
 }
 .pf-c-alert.pf-m-success .pf-c-alert__title {
    color: #486B00;
    color: var(--pf-global--success-color--200);
 }
 .pf-c-alert.pf-m-danger .pf-c-alert__icon {
    color: #C9190B;
    color: var(--pf-global--danger-color--100);
 }
 .pf-c-alert.pf-m-danger .pf-c-alert__title {
    color: #A30000;
    color: var(--pf-global--danger-color--200);
 }
 .pf-c-alert.pf-m-warning .pf-c-alert__icon {
    color: #F0AB00;
    color: var(--pf-global--warning-color--100);
 }
 .pf-c-alert.pf-m-warning .pf-c-alert__title {
    color: #795600;
    color: var(--pf-global--warning-color--200);
 }
 .pf-c-alert__title {
    font-size: 14px; /* default - IE compatibility */
    font-size: var(--pf-global--FontSize--sm);
    padding: 5px 8px;
    padding: var(--pf-c-alert__title--PaddingTop) var(--pf-c-alert__title--PaddingRight) var(--pf-c-alert__title--PaddingBottom) var(--pf-c-alert__title--PaddingLeft);
 }
 .pf-c-button{
    padding:0.375rem 1rem;
    padding: var(--pf-global--spacer--form-element) var(--pf-global--spacer--md);
 }
 /* default - IE compatibility */
 .pf-m-primary {
    color: #FFFFFF;
    background-color: #0066CC;
    background-color: var(--pf-global--primary-color--100);
 }
 /* default - IE compatibility */
 .pf-m-primary:hover {
    background-color: #004080;
    background-color: var(--pf-global--primary-color--200);
 }
 /* default - IE compatibility */
 .pf-c-button.pf-m-control {
    border: solid 1px;
    border: solid var(--pf-global--BorderWidth--sm);
    border-color: rgba(230, 230, 230, 0.5);
 }
 /*End of IE compatibility*/
 h1#kc-page-title {
    margin-top: 10px;
 }
 #kc-locale ul {
    background-color: #FFF;
    background-color: var(--pf-global--BackgroundColor--100);
    display: none;
    top: 20px;
    min-width: 100px;
    padding: 0;
 }
 #kc-locale-dropdown{
    display: inline-block;
 }
 #kc-locale-dropdown:hover ul {
    display:block;
 }
 /* IE compatibility */
 #kc-locale-dropdown a {
    color: #6A6E73;
    color: var(--pf-global--Color--200);
    text-align: right;
    font-size: 14px;
    font-size: var(--pf-global--FontSize--sm);
 }
 /* IE compatibility */
 a#kc-current-locale-link::after {
    content: 2c5;
    margin-left: 4px;
    margin-left: var(--pf-global--spacer--xs)
 }
 .login-pf .container {
    padding-top: 40px;
 }
 .login-pf a:hover {
    color: #0099d3;
 }
 #kc-logo {
    width: 100%;
 }
 div.kc-logo-text {
    background-image: url(../img/agdsn_logo.png);
    background-repeat: no-repeat;
       background-size: auto;
   position: relative;
    top: 0%;
    left: 25%;
    width: 950px;
  height: 250px;
 }
 div.kc-logo-text span {
    display: none;
 }
 #kc-header {
    color: #ededed;
    overflow: visible;
    white-space: nowrap;
 }
 #kc-header-wrapper {
    font-size: 29px;
    text-transform: uppercase;
    letter-spacing: 3px;
    line-height: 1.2em;
    padding: 62px 10px 20px;
    white-space: normal;
 }
 #kc-content {
    width: 100%;
 }
 #kc-attempted-username {
    font-size: 20px;
    font-family: inherit;
    font-weight: normal;
    padding-right: 10px;
 }
 #kc-username {
    text-align: center;
    margin-bottom:-10px;
 }
 #kc-webauthn-settings-form {
    padding-top: 8px;
 }
 #kc-form-webauthn .select-auth-box-parent {
    pointer-events: none;
 }
 #kc-form-webauthn .select-auth-box-desc {
    color: var(--pf-global--palette--black-600);
 }
 #kc-form-webauthn .select-auth-box-headline {
    color: var(--pf-global--Color--300);
 }
 #kc-form-webauthn .select-auth-box-icon {
    flex: 0 0 3em;
 }
 #kc-form-webauthn .select-auth-box-icon-properties {
    margin-top: 10px;
    font-size: 1.8em;
 }
 #kc-form-webauthn .select-auth-box-icon-properties.unknown-transport-class {
    margin-top: 3px;
 }
 #kc-form-webauthn .pf-l-stack__item {
    margin: -1px 0;
 }
 #kc-content-wrapper {
    margin-top: 20px;
 }
 #kc-form-wrapper {
    margin-top: 10px;
 }
 #kc-info {
    margin: 20px -40px -30px;
 }
 #kc-info-wrapper {
    font-size: 13px;
    padding: 15px 35px;
    background-color: #F0F0F0;
 }
 #kc-form-options span {
    display: block;
 }
 #kc-form-options .checkbox {
    margin-top: 0;
    color: #72767b;
 }
 #kc-terms-text {
    margin-bottom: 20px;
 }
 #kc-registration {
    margin-bottom: 0;
 }
 /* TOTP */
 .subtitle {
    text-align: right;
    margin-top: 30px;
    color: #909090;
 }
 .required {
    color: #A30000; /* default - IE compatibility */
    color: var(--pf-global--danger-color--200);
 }
 ol#kc-totp-settings {
    margin: 0;
    padding-left: 20px;
 }
 ul#kc-totp-supported-apps {
    margin-bottom: 10px;
 }
 #kc-totp-secret-qr-code {
    max-width:150px;
    max-height:150px;
 }
 #kc-totp-secret-key {
    background-color: #fff;
    color: #333333;
    font-size: 16px;
    padding: 10px 0;
 }
 /* OAuth */
 #kc-oauth h3 {
    margin-top: 0;
 }
 #kc-oauth ul {
    list-style: none;
    padding: 0;
    margin: 0;
 }
 #kc-oauth ul li {
    border-top: 1px solid rgba(255, 255, 255, 0.1);
    font-size: 12px;
    padding: 10px 0;
 }
 #kc-oauth ul li:first-of-type {
    border-top: 0;
 }
 #kc-oauth .kc-role {
    display: inline-block;
    width: 50%;
 }
 /* Code */
 #kc-code textarea {
    width: 100%;
    height: 8em;
 }
 /* Social */
 .kc-social-links {
    margin-top: 20px;
 }
 .kc-social-provider-logo {
    font-size: 23px;
    width: 30px;
    height: 25px;
    float: left;
 }
 .kc-social-gray {
    color: #737679; /* default - IE compatibility */
    color: var(--pf-global--Color--200);
 }
 .kc-social-item {
    margin-bottom: 0.5rem; /* default - IE compatibility */
    margin-bottom: var(--pf-global--spacer--sm);
    font-size: 15px;
    text-align: center;
 }
 .kc-social-provider-name {
    position: relative;
    top: 3px;
 }
 .kc-social-icon-text {
    left: -15px;
 }
 .kc-social-grid {
    display:grid;
    grid-column-gap: 10px;
    grid-row-gap: 5px;
    grid-column-end: span 6;
    --pf-l-grid__item--GridColumnEnd: span 6;
 }
 .kc-social-grid .kc-social-icon-text {
    left: -10px;
 }
 .kc-login-tooltip {
    position: relative;
    display: inline-block;
 }
 .kc-social-section {
    text-align: center;
 }
 .kc-social-section hr{
    margin-bottom: 10px
 }
 .kc-login-tooltip .kc-tooltip-text{
    top:-3px;
    left:160%;
    background-color: black;
    visibility: hidden;
    color: #fff;
    min-width:130px;
    text-align: center;
    border-radius: 2px;
    box-shadow:0 1px 8px rgba(0,0,0,0.6);
    padding: 5px;
    position: absolute;
    opacity:0;
    transition:opacity 0.5s;
 }
 /* Show tooltip */
 .kc-login-tooltip:hover .kc-tooltip-text {
    visibility: visible;
    opacity:0.7;
 }
 /* Arrow for tooltip */
 .kc-login-tooltip .kc-tooltip-text::after {
    content:  ;
    position: absolute;
    top: 15px;
    right: 100%;
    margin-top: -5px;
    border-width: 5px;
    border-style: solid;
    border-color: transparent black transparent transparent;
 }
@media (min-width: 768px) {
    #kc-container-wrapper {
        position: absolute;
        width: 100%;
    }
    .login-pf .container {
        padding-right: 80px;
    }
    #kc-locale {
        position: relative;
        text-align: right;
        z-index: 9999;
    }
 }
@media (max-width: 767px) {
    .login-pf body {
        background: white;
    }
    #kc-header {
        padding-left: 15px;
        padding-right: 15px;
        float: none;
        text-align: left;
    }
    #kc-header-wrapper {
        font-size: 16px;
        font-weight: bold;
        padding: 20px 60px 0 0;
        color: #72767b;
        letter-spacing: 0;
    }
    div.kc-logo-text {
        margin: 0;
        width: 150px;
        height: 32px;
        background-size: 100%;
    }
    #kc-form {
        float: none;
    }
    #kc-info-wrapper {
        border-top: 1px solid rgba(255, 255, 255, 0.1);
        background-color: transparent;
    }
    .login-pf .container {
        padding-top: 15px;
        padding-bottom: 15px;
    }
    #kc-locale {
        position: absolute;
        width: 200px;
        top: 20px;
        right: 20px;
        text-align: right;
        z-index: 9999;
    }
 }
@media (min-height: 646px) {
    #kc-container-wrapper {
        bottom: 12%;
    }
 }
@media (max-height: 645px) {
    #kc-container-wrapper {
        padding-top: 50px;
        top: 20%;
    }
 }
 .card-pf form.form-actions .btn {
    float: right;
    margin-left: 10px;
 }
 #kc-form-buttons {
    margin-top: 20px;
 }
 .login-pf-page .login-pf-brand {
    margin-top: 20px;
    max-width: 360px;
    width: 40%;
 }
 /* Internet Explorer 11 compatibility workaround for select-authenticator screen */
@media all and (-ms-high-contrast: none),
 (-ms-high-contrast: active) {
    .select-auth-box-parent {
        border-top: 1px solid #f0f0f0;
        padding-top: 1rem;
        padding-bottom: 1rem;
        cursor: pointer;
    }
    .select-auth-box-headline {
        font-size: 16px;
        color: #06c;
        font-weight: bold;
    }
    .select-auth-box-desc {
        font-size: 14px;
    }
    .pf-l-stack {
        flex-basis: 100%;
    }
 }
 /* End of IE11 workaround for select-authenticator screen */
 .select-auth-box-arrow{
    display: flex;
    align-items: center;
    margin-right: 2rem;
 }
 .select-auth-box-icon{
    display: flex;
    flex: 0 0 2em;
    justify-content: center;
    margin-right: 1rem;
    margin-left: 3rem;
 }
 .select-auth-box-parent{
    border-top: 1px solid var(--pf-global--palette--black-200);
    padding-top: 1rem;
    padding-bottom: 1rem;
    cursor: pointer;
 }
 .select-auth-box-parent:hover{
    background-color: #f7f8f8;
 }
 .select-auth-container {
 }
 .select-auth-box-headline {
    font-size: var(--pf-global--FontSize--md);
    color: var(--pf-global--primary-color--100);
    font-weight: bold;
 }
 .select-auth-box-desc {
    font-size: var(--pf-global--FontSize--sm);
 }
 .select-auth-box-paragraph {
    text-align: center;
    font-size: var(--pf-global--FontSize--md);
    margin-bottom: 5px;
 }
 .card-pf {
    margin: 0 auto;
    box-shadow: var(--pf-global--BoxShadow--lg);
    padding: 0 20px;
    max-width: 500px;
    border-top: 4px solid;
    border-color: #0066CC; /* default - IE compatibility */
    border-color: var(--pf-global--primary-color--100);
 }
 /*phone*/
@media (max-width: 767px) {
    .login-pf-page .card-pf {
        max-width: none;
        margin-left: 0;
        margin-right: 0;
        padding-top: 0;
        border-top: 0;
        box-shadow: 0 0;
    }
    .kc-social-grid {
        grid-column-end: 12;
        --pf-l-grid__item--GridColumnEnd: span 12;
    }
    .kc-social-grid .kc-social-icon-text {
        left: -15px;
    }
 }
 .login-pf-page .login-pf-signup {
    font-size: 15px;
    color: #72767b;
 }
 #kc-content-wrapper .row {
    margin-left: 0;
    margin-right: 0;
 }
 .login-pf-page.login-pf-page-accounts {
    margin-left: auto;
    margin-right: auto;
 }
 .login-pf-page .btn-primary {
    margin-top: 0;
 }
 .login-pf-page .list-view-pf .list-group-item {
    border-bottom: 1px solid #ededed;
 }
 .login-pf-page .list-view-pf-description {
    width: 100%;
 }
 #kc-form-login div.form-group:last-of-type,
 #kc-register-form div.form-group:last-of-type,
 #kc-update-profile-form div.form-group:last-of-type {
    margin-bottom: 0px;
 }
 .no-bottom-margin {
    margin-bottom: 0;
 }
 #kc-back {
    margin-top: 5px;
 }
 /* Recovery codes */
 .kc-recovery-codes-warning {
    margin-bottom: 32px;
 }
 .kc-recovery-codes-warning .pf-c-alert__description p {
    font-size: 0.875rem;
 }
 .kc-recovery-codes-list {
    list-style: none;
    columns: 2;
    margin: 16px 0;
    padding: 16px 16px 8px 16px;
    border: 1px solid #D2D2D2;
 }
 .kc-recovery-codes-list li {
    margin-bottom: 8px;
    font-size: 11px;
 }
 .kc-recovery-codes-list li span {
    color: #6A6E73;
    width: 16px;
    text-align: right;
    display: inline-block;
    margin-right: 1px;
 }
 .kc-recovery-codes-actions {
    margin-bottom: 24px;
 }
 .kc-recovery-codes-actions button {
    padding-left: 0;
 }
 .kc-recovery-codes-actions button i {
    margin-right: 8px;
 }
 .kc-recovery-codes-confirmation {
    align-items: baseline;
    margin-bottom: 16px;
 }
 /* End Recovery codes */
--- a/modules/keycloak/theme/login/resources/img/background.jpg
+++ b/modules/keycloak/theme/login/resources/img/background.jpg
--- a/modules/keycloak/theme/login/theme.properties
+++ b/modules/keycloak/theme/login/theme.properties
@ -1,4 +0,0 @@
 parent=keycloak
 import=common/keycloak
 styles=css/login.css
--- a/modules/ldap/default.nix
+++ b/modules/ldap/default.nix
@ -1,90 +1,175 @@
-{ config, pkgs, ... }:
+{ config, pkgs, system, ... }:
 let
  domain = "auth.${config.networking.domain}";
-  seedSettings = {
+  # seedSettings = {
-    groups = [
+  #   groups = [
-      {
+  #     {
-        name = "admins";
+  #       name = "admins";
-        long_name = "Portunus Admin";
+  #       long_name = "Portunus Admin";
-        members = [ "admin" ];
+  #       members = [ "admin" ];
-        permissions.portunus.is_admin = true;
+  #       permissions.portunus.is_admin = true;
-      }
+  #     }
-      {
+  #     {
-        name = "search";
+  #       name = "search";
-        long_name = "LDAP search group";
+  #       long_name = "LDAP search group";
-        members = [ "search" ];
+  #       members = [ "search" ];
-        permissions.ldap.can_read = true;
+  #       permissions.ldap.can_read = true;
-      }
+  #     }
-      {
+  #     {
-        name = "fsr";
+  #       name = "fsr";
-        long_name = "Mitglieder des iFSR";
+  #       long_name = "Mitglieder des iFSR";
-      }
+  #     }
-    ];
+  #   ];
-    users = [
+  #   users = [
-      {
+  #     {
-        login_name = "admin";
+  #       login_name = "admin";
-        given_name = "admin";
+  #       given_name = "admin";
-        family_name = "admin";
+  #       family_name = "admin";
-        password.from_command = [
+  #       password.from_command = [
-          "${pkgs.coreutils}/bin/cat"
+  #         "${pkgs.coreutils}/bin/cat"
-          config.sops.secrets."portunus/admin-password".path
+  #         config.sops.secrets."portunus/admin-password".path
-        ];
+  #       ];
-      }
+  #     }
-      {
+  #     {
-        login_name = "search";
+  #       login_name = "search";
-        given_name = "search";
+  #       given_name = "search";
-        family_name = "search";
+  #       family_name = "search";
-        password.from_command = [
+  #       password.from_command = [
-          "${pkgs.coreutils}/bin/cat"
+  #         "${pkgs.coreutils}/bin/cat"
-          config.sops.secrets."portunus/search-password".path
+  #         config.sops.secrets."portunus/search-password".path
-        ];
+  #       ];
-      }
+  #     }
-    ];
+  #   ];
-  };
+  # };
 in
 {
-  sops.secrets = {
+  # sops.secrets = {
-    "portunus/admin-password".owner = config.services.portunus.user;
+  #   "portunus/admin-password".owner = config.services.portunus.user;
-    "portunus/search-password".owner = config.services.portunus.user;
+  #   "portunus/search-password".owner = config.services.portunus.user;
-  };
+  # };
-  services.portunus = {
+  # services.portunus = {
  #   enable = true;
  #   package = pkgs.portunus.overrideAttrs (_old: {
  #     patches = [
  #       ./0001-update-user-validation-regex.patch
  #       ./0002-both-ldap-and-ldaps.patch
  #       ./0003-gecos-ascii-escape.patch
  #       ./0004-make-givenName-optional.patch
  #     ];
  #     doCheck = false; # posix regex related tests break
  #   });
  #   inherit domain seedSettings;
  #   port = 8681;
  #   ldap = {
  #     suffix = "dc=ifsr,dc=de";
  #     searchUserName = "search";
  #     # normally disables port 389 (but not with our patch), use 636 with tls
  #     # `portunus.domain` resolves to localhost
  #     tls = true;
  #   };
  # };
  services.openldap = {
    enable = true;
-    package = pkgs.portunus.overrideAttrs (_old: {
+    urlList = [ "ldap:///" "ldaps:///" ];
-      patches = [
+    settings = {
-        ./0001-update-user-validation-regex.patch
+      attrs = {
-        ./0002-both-ldap-and-ldaps.patch
+        olcLogLevel = "conns";
-        ./0003-gecos-ascii-escape.patch
+
-        ./0004-make-givenName-optional.patch
+        olcTLSCACertificateFile = "/var/lib/acme/${domain}/full.pem";
        olcTLSCertificateFile = "/var/lib/acme/${domain}/cert.pem";
        olcTLSCertificateKeyFile = "/var/lib/acme/${domain}/key.pem";
        # olcTLSCipherSuite = "HIGH:MEDIUM:+3DES:+RC4:+aNULL";
        olcTLSCRLCheck = "none";
        olcTLSVerifyClient = "never";
        olcTLSProtocolMin = "3.1";
      };
      children = {
        "cn=schema".includes = [
          "${pkgs.openldap}/etc/schema/core.ldif"
          # attributetype ( 9999.1.1 NAME 'isMemberOf'
          # DESC 'back-reference to groups this user is a member of'
          # SUP distinguishedName )
          "${pkgs.openldap}/etc/schema/cosine.ldif"
          "${pkgs.openldap}/etc/schema/inetorgperson.ldif"
          "${pkgs.openldap}/etc/schema/nis.ldif"
          # "${pkgs.writeText "openssh.schema" ''
          # 	attributetype ( 9999.1.2 NAME 'sshPublicKey'
          # 		DESC 'SSH public key used by this user'
          # 		SUP name )
          # ''}"
        ];
      doCheck = false; # posix regex related tests break
    });
-    inherit domain seedSettings;
+        "olcDatabase={1}mdb" = {
-    port = 8681;
+          attrs = {
-    ldap = {
+            objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ];
      suffix = "dc=ifsr,dc=de";
      searchUserName = "search";
-      # normally disables port 389 (but not with our patch), use 636 with tls
+            olcDatabase = "{1}mdb";
-      # `portunus.domain` resolves to localhost
+            olcDbDirectory = "/var/lib/openldap/data";
-      tls = true;
+
            olcSuffix = "dc=ifsr,dc=de";
            /* your admin account, do not use writeText on a production system */
            olcRootDN = "cn=portunus,dc=ifsr,dc=de";
            olcRootPW = "{CRYPT}$y$j9T$xdf4HigfhmQWXn.bw9MgH/$91evhYAV1GP7olNCkQoCpUZrghh5P8dDXcZdAtpiD32";
            olcAccess = [
              /* custom access rules for userPassword attributes */
              ''{0}to attrs=userPassword
                by self write
                by anonymous auth
                by * none''
              /* allow read on anything else */
              ''{1}to *
                 by dn.base="cn=portunus,dc=ifsr,dc=de" write
                 by group.exact="cn=portunus-viewers,dc=ifsr,dc=de" read
                 by self read
                 by anonymous auth
            ''
            ];
          };
          children = {
            "olcOverlay={2}memberof".attrs = {
              objectClass = [ "olcOverlayConfig" "olcMemberOf" "top" ];
              olcOverlay = "{2}memberof";
              olcMemberOfRefInt = "TRUE";
              olcMemberOfDangling = "ignore";
              olcMemberOfGroupOC = "groupOfNames";
              olcMemberOfMemberAD = "member";
              olcMemberOfMemberOfAD = "memberOf";
            };
          };
        };
      };
    };
  };
  systemd.services.openldap = {
    wants = [ "acme-${domain}.service" ];
    after = [ "acme-${domain}.service" ];
  };
  # security.acme.defaults.group = "certs";
  # users.groups.certs.members = [ "openldap" ];
  # certificate permissions
  users.users.openldap.extraGroups = [ "nginx" ];
  security.pam.services.sshd.makeHomeDir = true;
  services.nginx = {
    enable = true;
-    virtualHosts."${config.services.portunus.domain}" = {
+    virtualHosts."${domain}" = {
-      locations = {
+      # locations = {
-        "/".proxyPass = "http://localhost:${toString config.services.portunus.port}";
+      #   "/".proxyPass = "http://localhost:${toString config.services.portunus.port}";
-      };
+      # };
    };
  };
  networking.firewall = {
    extraInputRules = ''
-      ip saddr { 141.30.86.192/26, 141.76.100.128/25, 141.30.30.169, 10.88.0.1/16 } tcp dport 636 accept comment "Allow ldaps access from office nets and podman"
+      ip saddr { 141.30.86.192/26, 141.30.30.169, 10.88.0.1/16 } tcp dport 636 accept comment "Allow ldaps access from office nets and podman"
    '';
  };
 }
--- a/modules/mail/postfix.nix
+++ b/modules/mail/postfix.nix
@ -44,9 +44,11 @@ in
        # hostname used in helo command. It is recommended to have this match the reverse dns entry
        smtp_helo_name = config.networking.rDNS;
        smtpd_banner = "${config.networking.rDNS} ESMTP $mail_name";
-        smtp_tls_security_level = "may";
+        smtp_use_tls = true;
-        smtpd_tls_security_level = "may";
+        # smtp_tls_security_level = "encrypt";
-        smtpd_tls_auth_only = true;
+        smtpd_use_tls = true;
        # smtpd_tls_security_level = lib.mkForce "encrypt";
        # smtpd_tls_auth_only = true;
        smtpd_tls_protocols = [
          "!SSLv2"
          "!SSLv3"
--- a/modules/mail/rspamd.nix
+++ b/modules/mail/rspamd.nix
@ -141,26 +141,22 @@ in
              filter = "email:domain";
              map = "/var/lib/rspamd/whitelist.sender.domain.map";
              action = "accept";
              regexp = true;
            }
            WHITELIST_SENDER_EMAIL {
              type = "from";
              map = "/var/lib/rspamd/whitelist.sender.email.map";
              action = "accept";
              regexp = true;
            }
            BLACKLIST_SENDER_DOMAIN {
              type = "from";
              filter = "email:domain";
              map = "/var/lib/rspamd/blacklist.sender.domain.map";
              action = "reject";
              regexp = true;
            }
            BLACKLIST_SENDER_EMAIL {
              type = "from";
              map = "/var/lib/rspamd/blacklist.sender.email.map";
              action = "reject";
              regexp = true;
            }
            BLACKLIST_SUBJECT_KEYWORDS {
              type = "header";
@ -193,11 +189,6 @@ in
          "/" = {
            proxyPass = "http://127.0.0.1:11334";
            proxyWebsockets = true;
            extraConfig = ''
              allow 141.30.0.0/16;
              allow 141.76.0.0/16;
              deny all;
            '';
          };
        };
      };
--- a/modules/matrix/default.nix
+++ b/modules/matrix/default.nix
@ -27,9 +27,6 @@ in
    key = "portunus/search-password";
    owner = config.systemd.services.matrix-synapse.serviceConfig.User;
  };
  nixpkgs.config.permittedInsecurePackages = [
    "olm-3.2.16"
  ];
  services = {
    postgresql = {
@ -99,20 +96,19 @@ in
      extraConfigFiles = [
        (pkgs.writeTextFile {
          name = "matrix-synapse-extra-config.yml";
-          text = let portunus = config.services.portunus; in
+          text = ''
            ''
            modules:
              - module: ldap_auth_provider.LdapAuthProviderModule
                config:
                  enabled: true
                  uri: ldap://localhost
-                    base: ou=users,${portunus.ldap.suffix}
+                  base: ou=users,dc=ifsr,dc=de
                  # taken from kaki config
                  attributes:
                    uid: uid
                    mail: uid
                    name: cn
-                    bind_dn: uid=search,ou=users,${portunus.ldap.suffix}
+                  bind_dn: uid=search,ou=users,dc=ifsr,dc=de
                  bind_password_file: ${config.sops.secrets.matrix_ldap_search.path}
          '';
        })
--- a/modules/minecraft/default.nix
+++ b/modules/minecraft/default.nix
@ -1,52 +0,0 @@
 { pkgs, config, lib, ... }:
 {
  nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [
    "minecraft-server"
  ];
  services.minecraft-servers = {
    enable = true;
    eula = true;
    servers.ifsr = {
      enable = true;
      package = pkgs.fabricServers.fabric-1_21;
      jvmOpts = "-Xmx8192M -Xms8192M";
    };
  };
  services.bluemap = {
    enable = true;
    host = "map.mc.ifsr.de";
    eula = true;
    onCalendar = "hourly";
    defaultWorld = "/srv/minecraft/ifsr/world";
  };
  services.nginx.virtualHosts."map.mc.ifsr.de".extraConfig = ''
    allow 141.30.0.0/16;
    allow 141.76.0.0/16;
    allow 217.160.244.15/32; # jonas uptime kuma
    deny all;
  '';
  networking.firewall = {
    extraInputRules = ''
      ip saddr { 141.30.0.0/16, 141.76.0.0/16, 217.160.244.15/32 } tcp dport 25565 accept comment "Allow minecraft access from TU network and jonas monitoring"
    '';
  };
  users.users.minecraft = {
    isNormalUser = true;
    isSystemUser = lib.mkForce false;
    openssh.authorizedKeys.keys = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILkxTuzjS3EswMfj+wSKu9ciRyStvjDlDUXzkqEUGDaP rouven@thinkpad"
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOhdjiPvtAo/ZV36RjBBPSlixzeP3VN6cqa4YAmM5uXM ff00005@ff00005-laptop" # malte
    ];
  };
  security.sudo.extraRules = [
    {
      users = [ "minecraft" ];
      commands = [
        { command = "/run/current-system/sw/bin/systemctl restart minecraft-server-ifsr"; options = [ "NOPASSWD" ]; }
        { command = "/run/current-system/sw/bin/systemctl start minecraft-server-ifsr"; options = [ "NOPASSWD" ]; }
        { command = "/run/current-system/sw/bin/systemctl stop minecraft-server-ifsr"; options = [ "NOPASSWD" ]; }
      ];
    }
  ];
 }
--- a/modules/monitoring/default.nix
+++ b/modules/monitoring/default.nix
@ -37,8 +37,12 @@ in
        token_url = "https://sso.ifsr.de/realms/internal/protocol/openid-connect/token";
        api_url = "https://sso.ifsr.de/realms/internal/protocol/openid-connect/userinfo";
        role_attribute_path = "contains(roles[*], 'admin') && 'Admin' || contains(roles[*], 'editor') && 'Editor' || 'Viewer'";
      };
    };
  };
  services.postgresql = {
@ -61,6 +65,10 @@ in
        enabledCollectors = [ "systemd" ];
        port = 9002;
      };
      postfix = {
        enable = true;
        port = 9003;
      };
    };
    scrapeConfigs = [
      {
@ -70,6 +78,13 @@ in
        }];
        scrape_interval = "15s";
      }
      {
        job_name = "postfix";
        static_configs = [{
          targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.postfix.port}" ];
        }];
        # scrape_interval = "60s";
      }
      {
        job_name = "rspamd";
        static_configs = [{
--- a/modules/nextcloud.nix
+++ b/modules/nextcloud.nix
@ -59,7 +59,7 @@ in
      occ = lib.getExe config.services.nextcloud.occ;
      ldapConfig = rec {
        ldapAgentName = "uid=search,ou=users,${ldapBase}";
-        ldapBase = config.services.portunus.ldap.suffix;
+        ldapBase = "dc=ifsr,dc=de";
        ldapBaseGroups = "ou=groups,${ldapBase}";
        ldapBaseUsers = "ou=users,${ldapBase}";
        ldapConfigurationActive = "1";
--- a/modules/web/default.nix
+++ b/modules/web/default.nix
@ -11,6 +11,5 @@
    ./sharepic.nix
    ./userdir.nix
    ./ftp.nix
    ./hyperilo.nix
  ];
 }
--- a/modules/web/ese.nix
+++ b/modules/web/ese.nix
@ -1,34 +1,80 @@
 { config, pkgs, ... }:
 let
  domain = "ese.${config.networking.domain}";
-  webRoot = "/srv/web/ese";
+  cms-domain = "directus-ese.${config.networking.domain}";
 in
 {
  sops.secrets."directus_env" = { };
  environment.systemPackages = [ pkgs.nodejs_22 ];
  virtualisation.oci-containers = {
    containers.directus-ese = {
      image = "directus/directus:latest";
      volumes = [
        "/srv/web/directus-ese/uploads:/directus/uploads"
        "/srv/web/directus-ese/database:/directus/database"
      ];
      extraOptions = [ "--network=host" ];
      environment = {
        "DB_CLIENT" = "pg";
        "DB_HOST" = "localhost";
        "DB_PORT" = "5432";
        "DB_DATABASE" = "directus_ese";
        "DB_USER" = "directus_ese";
        "PUBLIC_URL" = "https://directus-ese.ifsr.de";
        "AUTH_PROVIDERS" = "keycloak";
        "AUTH_KEYCLOAK_DRIVER" = "openid";
        "AUTH_KEYCLOAK_CLIENT_ID" = "directus-ese";
        "AUTH_KEYCLOAK_ISSUER_URL" = "https://sso.ifsr.de/realms/internal/.well-known/openid-configuration";
        "AUTH_KEYCLOAK_IDENTIFIER_KEY" = "email";
        "AUTH_KEYCLOAK_ALLOW_PUBLIC_REGISTRATION" = "true";
        "AUTH_KEYCLOAK_DEFAULT_ROLE_ID" = "a6b7a1b6-a6fa-442c-87fd-e37c2a16424b";
      };
      environmentFiles = [
        config.sops.secrets."directus_env".path
      ];
    };
  };
  services.postgresql = {
    enable = true;
    ensureUsers = [
      {
        name = "directus_ese";
        ensureDBOwnership = true;
      }
    ];
    ensureDatabases = [ "directus_ese" ];
  };
  services.nginx = {
    virtualHosts."${cms-domain}" = {
      locations."/" = {
        extraConfig = ''
          if ($request_method = 'OPTIONS') {
            add_header 'Access-Control-Allow-Origin' '*';
            add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
            add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization';
            add_header 'Access-Control-Max-Age' 1728000;
            add_header 'Content-Type' 'text/plain; charset=utf-8';
            add_header 'Content-Length' 0;
            return 204;
          }
          add_header 'Access-Control-Allow-Origin' '*';
          add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
          add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization';
        '';
        proxyPass = "http://127.0.0.1:8055";
      };
    };
    virtualHosts."${domain}" = {
      locations."= /" = {
-        # temporary redirect, to avoid caching problems
+        return = "301 /2024/";
        return = "302 /2024/";
      };
      locations."/" = {
-        root = webRoot;
+        root = "/srv/web/ese/served";
        tryFiles = "$uri $uri/ =404";
      };
      # cache static assets
      locations."~* \.(?:css|svg|webp|jpg|jpeg|gif|png|ico|mp4|mp3|ogg|ogv|webm|ttf|woff2|woff)$" = {
        root = webRoot;
        extraConfig = ''
          expires 1y;
        '';
    };
  };
  };
  users.users."ese-deploy" = {
    isNormalUser = true;
    openssh.authorizedKeys.keys = [
      ''command="${pkgs.rrsync}/bin/rrsync ${webRoot}",restrict ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEWGdTdobZN2oSLsTQmHOahdc9vqyuwUBS0PSk5IQhGV''
    ];
  };
 }
--- a/modules/web/hyperilo.nix
+++ b/modules/web/hyperilo.nix
@ -1,34 +0,0 @@
 { ... }:
 {
  # provide access to iLO of colocated server
  # in case of questions, contact @bennofs
  services.nginx.virtualHosts."hyperilo.deutschland.gmbh" = {
    forceSSL = true;
    locations."/".proxyPass = "https://192.168.0.120:443";
    locations."/".basicAuthFile = "/run/secrets/hyperilo_htaccess";
    locations."/".extraConfig = ''
      proxy_ssl_verify off;
      proxy_http_version 1.1;
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection $connection_upgrade_capitalized;
    '';
  };
  # HP iLO requires uppercase Upgrade, not lowercase "upgrade"
  services.nginx.commonHttpConfig = ''
    map $http_upgrade $connection_upgrade_capitalized {
      default  Upgrade;
      '''      close;
    }
  '';
  systemd.network.networks."20-hyperilo" = {
    matchConfig.Name = "eno8303";
    address = [ "192.168.0.1/24" ];
    networkConfig.LLDP = true;
    networkConfig.EmitLLDP = "nearest-bridge";
  };
  sops.secrets."hyperilo_htaccess".owner = "nginx";
 }
--- a/modules/wiki/fsr.nix
+++ b/modules/wiki/fsr.nix
@ -77,20 +77,20 @@ in
      extensions = {
        PluggableAuth = pkgs.fetchzip {
-          url = "https://extdist.wmflabs.org/dist/extensions/PluggableAuth-REL1_41-b92b48e.tar.gz";
+          url = "https://extdist.wmflabs.org/dist/extensions/PluggableAuth-REL1_40-3689731.tar.gz";
-          hash = "sha256-Fv5reEqFVVpSvmb4cy4oZBzeKc/fVddoJIsalnW4wUY=";
+          hash = "sha256-BMA0qV+x+iQt/P9tbl9csEUni9jiQcBtZeuwdjx2QPk=";
        };
        OpenIDConnect = pkgs.fetchzip {
-          url = "https://extdist.wmflabs.org/dist/extensions/OpenIDConnect-REL1_41-520f4bf.tar.gz";
+          url = "https://extdist.wmflabs.org/dist/extensions/OpenIDConnect-REL1_40-b354cdb.tar.gz";
          hash = "sha256-gLHaveEzfmpqU9fWATZsUU377FJj2yq//raHZUR/VWk=";
        };
        VisualEditor = pkgs.fetchzip {
-          url = "https://extdist.wmflabs.org/dist/extensions/VisualEditor-REL1_41-1bdb5a0.tar.gz";
+          url = "https://extdist.wmflabs.org/dist/extensions/VisualEditor-REL1_40-8970b62.tar.gz";
-          hash = "sha256-HtKV9Uru0SRtl61nP3PgMcT9t8okB8jGPKFmtYIV1XM=";
+          hash = "sha256-G+qvKVuF6OCnwS5q2cKfij1/aH1I6lOw84K6fED980s=";
        };
        SyntaxHighlight = pkgs.fetchzip {
-          url = "https://extdist.wmflabs.org/dist/extensions/SyntaxHighlight_GeSHi-REL1_41-e5818be.tar.gz";
+          url = "https://extdist.wmflabs.org/dist/extensions/SyntaxHighlight_GeSHi-REL1_40-1170e8f.tar.gz";
-          hash = "sha256-dvXfOUlvT2Y8ELx83JlEx0S51oKyW4DDbVyUzyh5zag=";
+          hash = "sha256-75+wwTvHhwPBP1jVLK2fQWBi7vznOvPVgNpY3kzWJtg=";
        };
      };
    };
--- a/overlays/default.nix
+++ b/overlays/default.nix
@ -1,7 +1,7 @@
 _final: prev:
 let
  inherit (prev) fetchurl;
-  inherit (prev) callPackage;
+  inherit (prev) fetchFromGitHub;
 in
 {
  # AGDSN is running an outdated version that we have to comply to
@ -12,16 +12,17 @@ in
      sha256 = "sha256-3w+FJezbo4DnS1N8pxrfO3WWWT8CGJtZqw6//IXMyN4=";
    };
  }));
-  # Mailman internal server error fix
+  # (hopefully) fix systemd journal reading
-  # https://gitlab.com/mailman/mailman/-/issues/1137
+  prometheus-postfix-exporter = prev.prometheus-postfix-exporter.overrideAttrs (_old: {
-  # https://github.com/NixOS/nixpkgs/pull/321136
+    patches = [
-  pythonPackagesExtensions = prev.pythonPackagesExtensions ++ [
+      ./prometheus-postfix-exporter/0001-cleanup-also-catch-milter-reject.patch
    (_python-final: python-prev: {
      readme-renderer = python-prev.readme-renderer.overridePythonAttrs (_oldAttrs: {
        propagatedBuildInputs = [ python-prev.cmarkgfm ];
      });
    })
    ];
    src = fetchFromGitHub {
      owner = "adangel";
      repo = "postfix_exporter";
      rev = "414ac12ee63415eede46cb3084d755a6da6fba23";
      hash = "sha256-m1kVaO3N7XC1vtnxXX9kMiEFPmZuoopRUYgA7gQzP8w=";
    };
  });
  keycloak_ifsr_theme = callPackage ../modules/keycloak/theme.nix { };
 }
--- a/secrets/quitte.yaml
+++ b/secrets/quitte.yaml