updates 2024-11-12

This reverts commit 6416be37f5.

flake.lock

@@ -9,11 +9,11 @@
         "poetry2nix": "poetry2nix"
       },
       "locked": {
-        "lastModified": 1714117615,
-        "narHash": "sha256-Ilu7j7tihFI0jtnsQS+7H0SZX4C61NZHaV/7fJ39t/E=",
+        "lastModified": 1730751072,
+        "narHash": "sha256-+FQjzCNV3k8U4BfNcFmoZTRf8aO9ufn3s7kkzHj/b7s=",
         "owner": "fsr",
         "repo": "course-management",
-        "rev": "9e5ab11788b926a9a26d2aaa0e0958c3c5865cc9",
+        "rev": "60b7062ce47ee9f0609e701ad5eb5e3e0a857ff2",
         "type": "github"
       },
       "original": {
@@ -29,11 +29,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1698049587,
-        "narHash": "sha256-gNxpJdxSrpWMTBSGFO4HfXgr+FiAGtwEXCvxd6W8IUQ=",
+        "lastModified": 1730889586,
+        "narHash": "sha256-SLgo7UjWLaFaaUPFqzKbr9DLAGzm5kparfxuJHEpK3w=",
         "ref": "refs/heads/main",
-        "rev": "2d05abcd2b4e59db421c86fa9adaffa3dccb1086",
-        "revCount": 7,
+        "rev": "a111147ce5eaea4f1d691afe1203e7529d68522d",
+        "revCount": 9,
         "type": "git",
         "url": "https://git.ifsr.de/ese/manual-website"
       },
@@ -42,16 +42,32 @@
         "url": "https://git.ifsr.de/ese/manual-website"
       }
     },
+    "flake-compat": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1673956053,
+        "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=",
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9",
+        "type": "github"
+      },
+      "original": {
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "type": "github"
+      }
+    },
     "flake-utils": {
       "inputs": {
         "systems": "systems"
       },
       "locked": {
-        "lastModified": 1694529238,
-        "narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=",
+        "lastModified": 1726560853,
+        "narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=",
         "owner": "numtide",
         "repo": "flake-utils",
-        "rev": "ff7b65b44d01cf9ba6a71320833626af21126384",
+        "rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a",
         "type": "github"
       },
       "original": {
@@ -65,11 +81,11 @@
         "systems": "systems_2"
       },
       "locked": {
-        "lastModified": 1694529238,
-        "narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=",
+        "lastModified": 1726560853,
+        "narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=",
         "owner": "numtide",
         "repo": "flake-utils",
-        "rev": "ff7b65b44d01cf9ba6a71320833626af21126384",
+        "rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a",
         "type": "github"
       },
       "original": {
@@ -96,6 +112,24 @@
         "type": "github"
       }
     },
+    "flake-utils_4": {
+      "inputs": {
+        "systems": "systems_5"
+      },
+      "locked": {
+        "lastModified": 1681202837,
+        "narHash": "sha256-H+Rh19JDwRtpVPAWp64F+rlEtxUWBAQW28eAi3SRSzg=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "cfacdce06f30d2b68473a46042957675eebb3401",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
     "kpp": {
       "inputs": {
         "nixpkgs": [
@@ -103,11 +137,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1708628927,
-        "narHash": "sha256-1ObvmmEzbW2YjY/jJyfOoxhxIe54zcsOBMzgehnclRg=",
+        "lastModified": 1724255946,
+        "narHash": "sha256-YVT/QE2PCDzx4eq1i3PqOOpQVXJstN18e0sFB/UbAY0=",
         "owner": "fsr",
         "repo": "kpp",
-        "rev": "05e370097af21ddb776bec907942c60e6aebc394",
+        "rev": "ce98b985201a5453aee708a3fc13bbccf2357f8e",
         "type": "github"
       },
       "original": {
@@ -125,11 +159,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1698974481,
-        "narHash": "sha256-yPncV9Ohdz1zPZxYHQf47S8S0VrnhV7nNhCawY46hDA=",
+        "lastModified": 1729742964,
+        "narHash": "sha256-B4mzTcQ0FZHdpeWcpDYPERtyjJd/NIuaQ9+BV1h+MpA=",
         "owner": "nix-community",
         "repo": "nix-github-actions",
-        "rev": "4bb5e752616262457bc7ca5882192a564c0472d2",
+        "rev": "e04df33f62cdcf93d73e9a04142464753a16db67",
         "type": "github"
       },
       "original": {
@@ -145,11 +179,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1713869268,
-        "narHash": "sha256-o3CMQeu/S8/4zU0pMtYg51rd1FWdJsI2Xohzng1Ysdg=",
+        "lastModified": 1731209121,
+        "narHash": "sha256-BF7FBh1hIYPDihdUlImHGsQzaJZVLLfYqfDx41wjuF0=",
         "owner": "nix-community",
         "repo": "nix-index-database",
-        "rev": "dcb6ac44922858ce3a5b46f77a36d6030181460c",
+        "rev": "896019f04b22ce5db4c0ee4f89978694f44345c3",
         "type": "github"
       },
       "original": {
@@ -158,50 +192,56 @@
         "type": "github"
       }
     },
+    "nix-minecraft": {
+      "inputs": {
+        "flake-compat": "flake-compat",
+        "flake-utils": "flake-utils_3",
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1731375802,
+        "narHash": "sha256-CvWPEzrl2EA3xrtg9X6K8aqV7T5r0SaDz6PLpGA0yIY=",
+        "owner": "Infinidoge",
+        "repo": "nix-minecraft",
+        "rev": "b873a123366b9a62f9262414ada8d83b03f1f0bf",
+        "type": "github"
+      },
+      "original": {
+        "owner": "Infinidoge",
+        "repo": "nix-minecraft",
+        "type": "github"
+      }
+    },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1713995372,
-        "narHash": "sha256-fFE3M0vCoiSwCX02z8VF58jXFRj9enYUSTqjyHAjrds=",
+        "lastModified": 1731239293,
+        "narHash": "sha256-q2yjIWFFcTzp5REWQUOU9L6kHdCDmFDpqeix86SOvDc=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "dd37924974b9202f8226ed5d74a252a9785aedf8",
+        "rev": "9256f7c71a195ebe7a218043d9f93390d49e6884",
         "type": "github"
       },
       "original": {
         "owner": "nixos",
-        "ref": "nixos-23.11",
+        "ref": "nixos-24.05",
         "repo": "nixpkgs",
         "type": "github"
       }
     },
     "nixpkgs-stable": {
       "locked": {
-        "lastModified": 1713638189,
-        "narHash": "sha256-q7APLfB6FmmSMI1Su5ihW9IwntBsk2hWNXh8XtSdSIk=",
+        "lastModified": 1730602179,
+        "narHash": "sha256-efgLzQAWSzJuCLiCaQUCDu4NudNlHdg2NzGLX5GYaEY=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "74574c38577914733b4f7a775dd77d24245081dd",
+        "rev": "3c2f1c4ca372622cb2f9de8016c9a0b1cbd0f37c",
         "type": "github"
       },
       "original": {
         "owner": "NixOS",
-        "ref": "release-23.11",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
-    },
-    "nixpkgs-unstable": {
-      "locked": {
-        "lastModified": 1713895582,
-        "narHash": "sha256-cfh1hi+6muQMbi9acOlju3V1gl8BEaZBXBR9jQfQi4U=",
-        "owner": "nixos",
-        "repo": "nixpkgs",
-        "rev": "572af610f6151fd41c212f897c71f7056e3fb518",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nixos",
-        "ref": "nixos-unstable",
+        "ref": "release-24.05",
         "repo": "nixpkgs",
         "type": "github"
       }
@@ -232,11 +272,11 @@
         "treefmt-nix": "treefmt-nix"
       },
       "locked": {
-        "lastModified": 1701399357,
-        "narHash": "sha256-QSGP2J73HQ4gF5yh+MnClv2KUKzcpTmikdmV8ULfq2E=",
+        "lastModified": 1730284601,
+        "narHash": "sha256-eHYcKVLIRRv3J1vjmxurS6HVdGphB53qxUeAkylYrZY=",
         "owner": "nix-community",
         "repo": "poetry2nix",
-        "rev": "7acb78166a659d6afe9b043bb6fe5cb5e86bb75e",
+        "rev": "43a898b4d76f7f3f70df77a2cc2d40096bc9d75e",
         "type": "github"
       },
       "original": {
@@ -271,8 +311,8 @@
         "ese-manual": "ese-manual",
         "kpp": "kpp",
         "nix-index-database": "nix-index-database",
+        "nix-minecraft": "nix-minecraft",
         "nixpkgs": "nixpkgs",
-        "nixpkgs-unstable": "nixpkgs-unstable",
         "print-interface": "print-interface",
         "sops-nix": "sops-nix",
         "vscode-server": "vscode-server"
@@ -286,11 +326,11 @@
         "nixpkgs-stable": "nixpkgs-stable"
       },
       "locked": {
-        "lastModified": 1713892811,
-        "narHash": "sha256-uIGmA2xq41vVFETCF1WW4fFWFT2tqBln+aXnWrvjGRE=",
+        "lastModified": 1731364708,
+        "narHash": "sha256-HC0anOL+KmUQ2hdRl0AtunbAckasxrkn4VLmxbW/WaA=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "f1b0adc27265274e3b0c9b872a8f476a098679bd",
+        "rev": "4c91d52db103e757fc25b58998b0576ae702d659",
         "type": "github"
       },
       "original": {
@@ -358,6 +398,21 @@
         "type": "github"
       }
     },
+    "systems_5": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
     "treefmt-nix": {
       "inputs": {
         "nixpkgs": [
@@ -367,11 +422,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1699786194,
-        "narHash": "sha256-3h3EH1FXQkIeAuzaWB+nK0XK54uSD46pp+dMD3gAcB4=",
+        "lastModified": 1730120726,
+        "narHash": "sha256-LqHYIxMrl/1p3/kvm2ir925tZ8DkI0KA10djk8wecSk=",
         "owner": "numtide",
         "repo": "treefmt-nix",
-        "rev": "e82f32aa7f06bbbd56d7b12186d555223dc399d1",
+        "rev": "9ef337e492a5555d8e17a51c911ff1f02635be15",
         "type": "github"
       },
       "original": {
@@ -382,15 +437,15 @@
     },
     "vscode-server": {
       "inputs": {
-        "flake-utils": "flake-utils_3",
+        "flake-utils": "flake-utils_4",
         "nixpkgs": "nixpkgs_2"
       },
       "locked": {
-        "lastModified": 1713958148,
-        "narHash": "sha256-8PDNi/dgoI2kyM7uSiU4eoLBqUKoA+3TXuz+VWmuCOc=",
+        "lastModified": 1729422940,
+        "narHash": "sha256-DlvJv33ml5UTKgu4b0HauOfFIoDx6QXtbqUF3vWeRCY=",
         "owner": "nix-community",
         "repo": "nixos-vscode-server",
-        "rev": "fc900c16efc6a5ed972fb6be87df018bcf3035bc",
+        "rev": "8b6db451de46ecf9b4ab3d01ef76e59957ff549f",
         "type": "github"
       },
       "original": {

flake.nix

@@ -1,7 +1,6 @@
 {
   inputs = {
-    nixpkgs.url = "github:nixos/nixpkgs/nixos-23.11";
-    nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
+    nixpkgs.url = "github:nixos/nixpkgs/nixos-24.05";
     sops-nix.url = "github:Mic92/sops-nix";
     sops-nix.inputs.nixpkgs.follows = "nixpkgs";
     nix-index-database.url = "github:nix-community/nix-index-database";
@@ -20,6 +19,8 @@
       url = "github:fsr/course-management";
       inputs.nixpkgs.follows = "nixpkgs";
     };
+    nix-minecraft.url = "github:Infinidoge/nix-minecraft";
+    nix-minecraft.inputs.nixpkgs.follows = "nixpkgs";
   };
   outputs =
     { self
@@ -31,12 +32,14 @@
     , vscode-server
     , course-management
     , print-interface
+    , nix-minecraft
     , ...
     }@inputs:
     let
       supportedSystems = [ "x86_64-linux" ];
       forAllSystems = nixpkgs.lib.genAttrs supportedSystems;
       pkgs = forAllSystems (system: nixpkgs.legacyPackages.${system});
+
     in
     {
       packages = forAllSystems (system: rec {
@@ -68,6 +71,7 @@
             ese-manual.nixosModules.default
             course-management.nixosModules.default
             vscode-server.nixosModules.default
+            nix-minecraft.nixosModules.minecraft-servers
             ./hosts/quitte/configuration.nix
             ./options
 
@@ -78,20 +82,26 @@
             ./modules/courses
             ./modules/wiki
             ./modules/matrix
+            ./modules/minecraft
+            ./modules/keycloak
+            ./modules/monitoring
 
             ./modules/nix-serve.nix
             ./modules/hedgedoc.nix
             ./modules/padlist.nix
             ./modules/nextcloud.nix
-            ./modules/monitoring.nix
             ./modules/vaultwarden.nix
             ./modules/forgejo
             ./modules/kanboard.nix
             ./modules/zammad.nix
-            ./modules/decisions.nix
-            ./modules/struktur-bot.nix
+            # ./modules/decisions.nix
+            ./modules/stream.nix
+            # ./modules/struktur-bot.nix
             {
-              nixpkgs.overlays = [ self.overlays.default ];
+              nixpkgs.overlays = [
+                self.overlays.default
+                nix-minecraft.overlay
+              ];
               sops.defaultSopsFile = ./secrets/quitte.yaml;
             }
           ];

hosts/quitte/configuration.nix

@@ -1,4 +1,4 @@
-{ config, pkgs, ... }:
+{ pkgs, ... }:
 
 {
   imports =
@@ -16,18 +16,6 @@
   # boot.kernelParams = [ "video=VGA-1:1024x768@30" ];
   boot.loader.efi.canTouchEfiVariables = true;
   boot.supportedFilesystems = [ "zfs" ];
-  # boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
-  # Pin Kernel Version as 6.6.28 has a broken networking driver
-  boot.kernelPackages = pkgs.linuxPackagesFor (pkgs.linux_6_6.override {
-    argsOverride = rec {
-      src = pkgs.fetchurl {
-            url = "mirror://kernel/linux/kernel/v6.x/linux-${version}.tar.xz";
-            sha256 = "sha256-Y55QBg48jyPtAXyxDP6sxrqI/1WDgSu3aFm0zGoSgpE=";
-      };
-      version = "6.6.27";
-      modDirVersion = "6.6.27";
-      };
-  });
 
   services.zfs = {
     trim.enable = true;
@@ -38,6 +26,17 @@
   time.timeZone = "Europe/Berlin";
   i18n.defaultLocale = "en_US.UTF-8";
 
+  security.sudo.extraRules = [
+    {
+      commands = [
+        {
+          command = "ALL";
+          options = [ "NOPASSWD" ];
+        }
+      ];
+      groups = [ "admins" ];
+    }
+  ];
   # prevent fork bombs
   security.pam.loginLimits = [
     {
@@ -53,9 +52,6 @@
       value = "10000";
     }
   ];
-  # Enable the OpenSSH daemon.
-  services.openssh.enable = true;
-  services.openssh.settings.PermitRootLogin = "yes";
 
   systemd = {
     services.nix-daemon.serviceConfig = {

hosts/tomate/configuration.nix

@@ -50,13 +50,13 @@
   services.xserver.enable = true;
 
   # Enable the KDE Plasma Desktop Environment.
-  services.xserver.displayManager.sddm.enable = true;
+  services.displayManager.sddm.enable = true;
   services.xserver.desktopManager.plasma5.enable = true;
 
   # Configure keymap in X11
   services.xserver = {
-    layout = "de";
-    xkbVariant = "";
+    xkb.layout = "de";
+    xkb.variant = "";
   };
 
   # Configure console keymap
@@ -90,7 +90,7 @@
 
   services.avahi = {
     enable = true;
-    nssmdns = true;
+    nssmdns4 = true;
     openFirewall = true;
     publish = {
       enable = true;

modules/core/bacula.nix

@@ -14,6 +14,7 @@
     enable = true;
     name = "ifsr-quitte";
     extraClientConfig = ''
+      Comm Compression = no
       Maximum Concurrent Jobs = 20
       FDAddress = 141.30.30.169
       PKI Signatures = Yes
@@ -26,7 +27,10 @@
       mailcommand = "${pkgs.bacula}/bin/bsmtp -f \"Bacula <bacula@${config.networking.domain}>\" -s \"Bacula report" %r"
       mail = root+backup = all, !skipped
     '';
-    director."abel-dir".password = "@${config.sops.secrets."bacula/password".path}";
+    director."abel-dir" = {
+      password = "@${config.sops.secrets."bacula/password".path}";
+      tls.enable = false;
+    };
   };
   environment.etc."bacula/bconsole.conf".text = ''
     Director {

modules/core/base.nix

@@ -1,6 +1,5 @@
 { pkgs, config, ... }: {
   nix = {
-    package = pkgs.nixUnstable; # or versioned attributes like nix_2_4
     extraOptions = ''
       experimental-features = nix-command flakes
     '';
@@ -29,7 +28,13 @@
   };
 
   # Enable the OpenSSH daemon.
-  services.openssh.enable = true;
+  services.openssh = {
+    enable = true;
+    settings = {
+      PermitRootLogin = "yes";
+      PasswordAuthentication = false;
+    };
+  };
   programs.mosh.enable = true;
 
   # vs code server
@@ -107,6 +112,7 @@
     eza
     zsh
     unzip
+    yazi
   ];
 }
 

modules/core/default.nix

@@ -7,6 +7,7 @@
     ./initrd-ssh.nix
     ./mysql.nix
     ./nginx.nix
+    ./podman.nix
     ./postgres.nix
     ./sssd.nix
     ./zsh.nix

modules/core/initrd-ssh.nix

@@ -6,14 +6,14 @@
 { config, ... }:
 {
   boot.initrd = {
-   availableKernelModules = ["mlx5_core"];
+    availableKernelModules = [ "mlx5_core" ];
     systemd = {
       enable = true;
       network = {
         enable = true;
         networks."10-wired-default" = config.systemd.network.networks."10-wired-default";
       };
-      users.root.shell = "/bin/zfs load-key rpool/nixos";
+      users.root.shell = "/bin/systemd-tty-ask-password-agent";
     };
     network = {
       enable = true;

modules/core/logging.nix

@@ -3,6 +3,7 @@
   services.rsyslogd = {
     enable = true;
     defaultConfig = ''
+      $FileCreateMode 0640
       :programname, isequal, "postfix" /var/log/postfix.log
 
       auth.*                          -/var/log/auth.log

modules/core/nginx.nix

@@ -7,14 +7,10 @@
         ({ name, ... }: {
           enableACME = true;
           forceSSL = true;
-          # enable http3 for all hosts
-          quic = true;
-          http3 = true;
           # split up nginx access logs per vhost
           extraConfig = ''
             access_log /var/log/nginx/${name}_access.log;
             error_log /var/log/nginx/${name}_error.log;
-            add_header Alt-Svc 'h3=":443"; ma=86400';
           '';
         })
       );

modules/core/podman.nix

@@ -0,0 +1,26 @@
+{ pkgs, ... }:
+{
+  # From: https://nixos.wiki/wiki/Podman
+  virtualisation.containers.enable = true;
+  virtualisation = {
+    podman = {
+      enable = true;
+
+      # Create a `docker` alias for podman, to use it as a drop-in replacement
+      dockerCompat = true;
+
+      # Required for containers under podman-compose to be able to talk to each other.
+      defaultNetwork.settings.dns_enabled = true;
+    };
+  };
+  virtualisation.oci-containers.backend = "podman";
+
+
+  # Useful otherdevelopment tools
+  environment.systemPackages = with pkgs; [
+    dive # look into docker image layers
+    podman-tui # status of containers in the terminal
+    #docker-compose # start group of containers for dev
+    #podman-compose # start group of containers for dev
+  ];
+}

modules/core/postgres.nix

@@ -5,10 +5,11 @@
     enable = true;
     location = "/var/lib/backup/postgresql";
     databases = [
-      "directus_ese"
       "course-management"
       "git"
+      "grafana"
       "hedgedoc"
+      "keycloak"
       "matrix-synapse"
       "mautrix-telegram"
       "mediawiki"

modules/courses/default.nix

@@ -3,7 +3,6 @@ let
   hostName = "kurse.${config.networking.domain}";
 in
 {
-  imports = [ ./phil.nix ];
   sops.secrets =
     let inherit (config.services.course-management) user;
     in

modules/decisions.nix

@@ -1,4 +1,4 @@
-{ config, pkgs, ... }:
+{ config, ... }:
 let
   domain = "decisions.${config.networking.domain}";
 in
@@ -6,14 +6,14 @@ in
   sops.secrets."decisions_env" = { };
   virtualisation.oci-containers = {
     containers.decisions = {
-      image = "decisions";
+      image = "ghcr.io/fsr/decisions";
       volumes = [
         "/var/lib/nextcloud/data/root/files/FSR/protokolle:/protokolle:ro"
       ];
+      extraOptions = [ "--network=host" ];
       environmentFiles = [
         config.sops.secrets."decisions_env".path
       ];
-      extraOptions = [ "--network=host" ];
     };
   };
 
@@ -25,11 +25,6 @@ in
     };
   };
 
-  services.portunus.dex.oidcClients = [{
-    id = "decisions";
-    callbackURL = "https://decisions.ifsr.de/auth";
-  }];
-
   systemd.timers."decisions-to-db" = {
     wantedBy = [ "timers.target" ];
     timerConfig = {
@@ -38,14 +33,14 @@ in
     };
   };
 
-  systemd.services."decisions-to-db" = {
-    script = ''
-      set -eu
-      ${pkgs.docker}/bin/docker exec decisions python tex_to_db.py
-    '';
-    serviceConfig = {
-      Type = "oneshot";
-      User = "root";
-    };
-  };
+  # systemd.services."decisions-to-db" = {
+  #   script = ''
+  #     set -eu
+  #     ${pkgs.podman}/bin/podman exec decisions python tex_to_db.py
+  #   '';
+  #   serviceConfig = {
+  #     Type = "oneshot";
+  #     User = "root";
+  #   };
+  # };
 }

modules/forgejo/actions.nix

@@ -0,0 +1,30 @@
+{ config, pkgs, ... }:
+{
+  sops.secrets."forgejo/runner-token" = { };
+  services.gitea-actions-runner = {
+    package = pkgs.forgejo-actions-runner;
+    instances."quitte" = {
+      enable = true;
+      labels = [
+        # provide a debian base with nodejs for actions
+        "debian-latest:docker://node:18-bullseye"
+        # fake the ubuntu name, because node provides no ubuntu builds
+        "ubuntu-latest:docker://node:18-bullseye"
+        # provide native execution on the host
+        # "native:host"
+      ];
+      tokenFile = config.sops.secrets."forgejo/runner-token".path;
+      url = "https://git.ifsr.de";
+      name = "quitte";
+      settings = {
+        container = {
+          # use podman's default network, otherwise dns was not working for some reason
+          network = "podman";
+          # don't mount the docker socket into the build containers,
+          # this would basically mean root on the host...
+          docker_host = "-";
+        };
+      };
+    };
+  };
+}

modules/forgejo/default.nix

@@ -4,9 +4,9 @@ let
   gitUser = "git";
 in
 {
-  # imports = [
-  #   ./actions.nix
-  # ];
+  imports = [
+    ./actions.nix
+  ];
   sops.secrets.gitea_ldap_search = {
     key = "portunus/search-password";
     owner = config.services.forgejo.user;
@@ -22,15 +22,6 @@ in
 
   services.forgejo = {
     enable = true;
-    package = pkgs.forgejo.overrideAttrs (_old: {
-      patches = [
-        # migration fix
-        (pkgs.fetchpatch {
-          url = "https://codeberg.org/forgejo/forgejo/commit/ae463c7c559e02975ce5e758d8780def978eebee.patch";
-          hash = "sha256-cOXPvkLS0n+ynSBTrmEtumZ2PYBeCZmxPpFktqkw6Fo=";
-        })
-      ];
-    });
     user = gitUser;
     group = gitUser;
     lfs.enable = true;
@@ -79,6 +70,8 @@ in
         PROVIDER = "db";
       };
       actions.ENABLED = true;
+      # federation.ENABLED = true;
+      webhook.ALLOWED_HOST_LIST = "*.ifsr.de";
     };
   };
 

modules/kanboard.nix

@@ -1,65 +1,33 @@
-{ pkgs, config, lib, ... }:
+{ config, pkgs, ... }:
 let
   domain = "kanboard.${config.networking.domain}";
   domain_short = "kb.${config.networking.domain}";
-  user = "kanboard";
-  group = "kanboard";
 in
 {
-  users.users.${user} = {
-    group = group;
-    isSystemUser = true;
-  };
-  users.groups.${group} = { };
+  sops.secrets."kanboard_env" = { };
 
-  services.phpfpm.pools.kanboard = {
-    user = "kanboard";
-    group = "kanboard";
-    settings = {
-      "listen.owner" = config.services.nginx.user;
-      "pm" = "dynamic";
-      "pm.max_children" = 32;
-      "pm.max_requests" = 500;
-      "pm.start_servers" = 2;
-      "pm.min_spare_servers" = 2;
-      "pm.max_spare_servers" = 5;
-      "php_admin_value[error_log]" = "stderr";
-      "php_admin_flag[log_errors]" = true;
-      "catch_workers_output" = true;
+  virtualisation.oci-containers = {
+    containers.kanboard = {
+      image = "ghcr.io/kanboard/kanboard:v1.2.41";
+      volumes = [
+        "kanboard_data:/var/www/app/data"
+        "kanboard_plugins:/var/www/app/plugins"
+      ];
+      ports = [ "127.0.0.1:8045:80" ];
+      environmentFiles = [
+        config.sops.secrets."kanboard_env".path
+      ];
     };
-    phpEnv."PATH" = lib.makeBinPath [ pkgs.php ];
   };
 
-
-
-  services.nginx.enable = true;
   services.nginx = {
     virtualHosts."${domain_short}" = {
       locations."/".return = "301 $scheme://${domain}$request_uri";
     };
 
     virtualHosts."${domain}" = {
-      root = "/srv/web/kanboard";
-      extraConfig = ''
-        index index.html index.php;
-      '';
-
-      locations = {
-        "/" = {
-          tryFiles = "$uri $uri/ =404";
-        };
-        "~ \.php$" = {
-          extraConfig = ''
-            try_files $uri =404;
-            fastcgi_pass unix:${config.services.phpfpm.pools.kanboard.socket};
-            fastcgi_split_path_info ^(.+\.php)(/.+)$;
-            fastcgi_index index.php;
-            include ${pkgs.nginx}/conf/fastcgi_params;
-            include ${pkgs.nginx}/conf/fastcgi.conf;
-            fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name;
-          '';
-        };
-        "/data".return = "403";
+      locations."/" = {
+        proxyPass = "http://127.0.0.1:8045";
       };
     };
   };

modules/keycloak/default.nix

@@ -0,0 +1,37 @@
+{ config, pkgs, ... }:
+let
+  domain = "sso.${config.networking.domain}";
+in
+{
+  sops.secrets."keycloak/db" = { };
+  services.keycloak = {
+    enable = true;
+    # we use unstable as the release in stable is insecure
+    # package = nixpkgs-unstable.legacyPackages.x86_64-linux.keycloak;
+    settings = {
+      http-port = 8086;
+      https-port = 19000;
+      hostname = domain;
+      proxy = "edge";
+    };
+    # The module requires a password for the DB and works best with its own DB config
+    # Does an automatic Postgresql configuration
+    database = {
+      passwordFile = config.sops.secrets."keycloak/db".path;
+    };
+    initialAdminPassword = "plschangeme";
+    themes = with pkgs ; {
+      ifsr = keycloak_ifsr_theme;
+    };
+  };
+  services.nginx.virtualHosts."${domain}" = {
+    locations."/" = {
+      proxyPass = "http://127.0.0.1:${toString config.services.keycloak.settings.http-port}";
+      extraConfig = ''
+        proxy_buffer_size 128k;
+        proxy_buffers 4 256k;
+        proxy_busy_buffers_size 256k;
+      '';
+    };
+  };
+}

modules/keycloak/theme.nix

@@ -0,0 +1,15 @@
+{ stdenv }:
+stdenv.mkDerivation rec {
+  name = "keycloak_ifsr_theme";
+  version = "1.1";
+
+  src = ./theme;
+
+  nativeBuildInputs = [ ];
+  buildInputs = [ ];
+
+  installPhase = ''
+    mkdir -p $out
+    cp -a login $out
+  '';
+}

modules/keycloak/theme/login/resources/css/login.css

@@ -0,0 +1,772 @@
+.login-pf {
+    background: none;
+}
+
+.login-pf body {
+    background: url(../img/background.jpg) no-repeat center center fixed;
+    background-size: cover;
+    height: 100%;
+}
+
+/*IE compatibility*/
+.pf-c-form-control {
+    font-size: 14px;
+    font-size: var(--pf-global--FontSize--sm);
+    border-width: 1px;
+    border-width: var(--pf-global--BorderWidth--sm);;
+    border-color: #EDEDED #EDEDED #8A8D90 #EDEDED;
+    border-color: var(--pf-global--BorderColor--300) var(--pf-global--BorderColor--300) var(--pf-global--BorderColor--200) var(--pf-global--BorderColor--300);
+    background-color: #FFFFFF;
+    background-color: var(--pf-global--BackgroundColor--100);
+    height: 36px;
+    height: calc(var(--pf-c-form-control--FontSize) * var(--pf-c-form-control--LineHeight) + var(--pf-c-form-control--BorderWidth) * 2 + var(--pf-c-form-control--PaddingTop) + var(--pf-c-form-control--PaddingBottom));
+    padding: 5px 0.5rem;
+    padding: var(--pf-c-form-control--PaddingTop) var(--pf-c-form-control--PaddingRight) var(--pf-c-form-control--PaddingBottom) var(--pf-c-form-control--PaddingLeft);
+}
+
+textarea.pf-c-form-control {
+	height: auto;
+}
+
+.pf-c-form-control:hover, .pf-c-form-control:focus {
+    border-bottom-color: #0066CC;
+    border-bottom-color: var(--pf-global--primary-color--100);
+    border-bottom-width: 2px;
+    border-bottom-width: var(--pf-global--BorderWidth--md);
+}
+
+.pf-c-form-control[aria-invalid=true] {
+    border-bottom-color: #C9190B;
+    border-bottom-color: var(--pf-global--danger-color--100);
+    border-bottom-width: 2px;
+    border-bottom-width: var(--pf-global--BorderWidth--md);
+}
+
+.pf-c-check__label, .pf-c-radio__label {
+	font-size: 14px;
+	font-size: var(--pf-global--FontSize--sm);
+}
+
+.pf-c-alert.pf-m-inline {
+    margin-bottom: 0.5rem; /* default - IE compatibility */
+    margin-bottom: var(--pf-global--spacer--sm);
+    padding: 0.25rem;
+    padding: var(--pf-global--spacer--xs);
+    border: solid #ededed;
+    border: solid var(--pf-global--BorderColor--300);
+    border-width: 1px;
+    border-width: var(--pf-c-alert--m-inline--BorderTopWidth) var(--pf-c-alert--m-inline--BorderRightWidth) var(--pf-c-alert--m-inline--BorderBottomWidth) var(--pf-c-alert--m-inline--BorderLeftWidth);
+    display: -ms-flexbox;
+    display: grid;
+    -ms-grid-columns: max-content 1fr max-content;
+    grid-template-columns:max-content 1fr max-content;
+    grid-template-columns: var(--pf-c-alert--grid-template-columns);
+    grid-template-rows: 1fr auto;
+    grid-template-rows: var(--pf-c-alert--grid-template-rows);
+}
+
+.pf-c-alert.pf-m-inline::before {
+    position: absolute;
+    top: -1px;
+    top: var(--pf-c-alert--m-inline--before--Top);
+    bottom: -1px;
+    bottom: var(--pf-c-alert--m-inline--before--Bottom);
+    left: 0;
+    width: 3px;
+    width: var(--pf-c-alert--m-inline--before--Width);
+    content: ;
+    background-color: #FFFFFF;
+    background-color: var(--pf-global--BackgroundColor--100);
+}
+
+.pf-c-alert.pf-m-inline.pf-m-success::before {
+    background-color: #92D400;
+    background-color: var(--pf-global--success-color--100);
+}
+
+.pf-c-alert.pf-m-inline.pf-m-danger::before {
+    background-color: #C9190B;
+    background-color: var(--pf-global--danger-color--100);
+}
+
+.pf-c-alert.pf-m-inline.pf-m-warning::before {
+    background-color: #F0AB00;
+    background-color: var(--pf-global--warning-color--100);
+}
+
+.pf-c-alert.pf-m-inline .pf-c-alert__icon {
+    padding: 1rem 0.5rem 1rem 1rem;
+    padding: var(--pf-c-alert--m-inline__icon--PaddingTop) var(--pf-c-alert--m-inline__icon--PaddingRight) var(--pf-c-alert--m-inline__icon--PaddingBottom) var(--pf-c-alert--m-inline__icon--PaddingLeft);
+    font-size: 16px;
+    font-size: var(--pf-c-alert--m-inline__icon--FontSize);
+}
+
+.pf-c-alert.pf-m-success .pf-c-alert__icon {
+    color: #92D400;
+    color: var(--pf-global--success-color--100);
+}
+
+.pf-c-alert.pf-m-success .pf-c-alert__title {
+    color: #486B00;
+    color: var(--pf-global--success-color--200);
+}
+
+.pf-c-alert.pf-m-danger .pf-c-alert__icon {
+    color: #C9190B;
+    color: var(--pf-global--danger-color--100);
+}
+
+.pf-c-alert.pf-m-danger .pf-c-alert__title {
+    color: #A30000;
+    color: var(--pf-global--danger-color--200);
+}
+
+.pf-c-alert.pf-m-warning .pf-c-alert__icon {
+    color: #F0AB00;
+    color: var(--pf-global--warning-color--100);
+}
+
+.pf-c-alert.pf-m-warning .pf-c-alert__title {
+    color: #795600;
+    color: var(--pf-global--warning-color--200);
+}
+
+.pf-c-alert__title {
+    font-size: 14px; /* default - IE compatibility */
+    font-size: var(--pf-global--FontSize--sm);
+    padding: 5px 8px;
+    padding: var(--pf-c-alert__title--PaddingTop) var(--pf-c-alert__title--PaddingRight) var(--pf-c-alert__title--PaddingBottom) var(--pf-c-alert__title--PaddingLeft);
+}
+
+.pf-c-button{
+    padding:0.375rem 1rem;
+    padding: var(--pf-global--spacer--form-element) var(--pf-global--spacer--md);
+}
+
+/* default - IE compatibility */
+.pf-m-primary {
+    color: #FFFFFF;
+    background-color: #0066CC;
+    background-color: var(--pf-global--primary-color--100);
+}
+
+/* default - IE compatibility */
+.pf-m-primary:hover {
+    background-color: #004080;
+    background-color: var(--pf-global--primary-color--200);
+}
+
+/* default - IE compatibility */
+.pf-c-button.pf-m-control {
+    border: solid 1px;
+    border: solid var(--pf-global--BorderWidth--sm);
+    border-color: rgba(230, 230, 230, 0.5);
+}
+/*End of IE compatibility*/
+h1#kc-page-title {
+    margin-top: 10px;
+}
+
+#kc-locale ul {
+    background-color: #FFF;
+    background-color: var(--pf-global--BackgroundColor--100);
+    display: none;
+    top: 20px;
+    min-width: 100px;
+    padding: 0;
+}
+
+#kc-locale-dropdown{
+    display: inline-block;
+}
+
+#kc-locale-dropdown:hover ul {
+    display:block;
+}
+
+/* IE compatibility */
+#kc-locale-dropdown a {
+    color: #6A6E73;
+    color: var(--pf-global--Color--200);
+    text-align: right;
+    font-size: 14px;
+    font-size: var(--pf-global--FontSize--sm);
+}
+
+/* IE compatibility */
+a#kc-current-locale-link::after {
+    content: 2c5;
+    margin-left: 4px;
+    margin-left: var(--pf-global--spacer--xs)
+}
+
+.login-pf .container {
+    padding-top: 40px;
+}
+
+.login-pf a:hover {
+    color: #0099d3;
+}
+
+#kc-logo {
+    width: 100%;
+}
+
+div.kc-logo-text {
+    background-image: url(../img/agdsn_logo.png);
+    background-repeat: no-repeat;
+       background-size: auto;
+   position: relative;
+    top: 0%;
+    left: 25%;
+    width: 950px;
+  height: 250px;
+ 
+   
+}
+
+div.kc-logo-text span {
+    display: none;
+}
+
+#kc-header {
+    color: #ededed;
+    overflow: visible;
+    white-space: nowrap;
+}
+
+#kc-header-wrapper {
+    font-size: 29px;
+    text-transform: uppercase;
+    letter-spacing: 3px;
+    line-height: 1.2em;
+    padding: 62px 10px 20px;
+    white-space: normal;
+}
+
+#kc-content {
+    width: 100%;
+}
+
+#kc-attempted-username {
+    font-size: 20px;
+    font-family: inherit;
+    font-weight: normal;
+    padding-right: 10px;
+}
+
+#kc-username {
+    text-align: center;
+    margin-bottom:-10px;
+}
+
+#kc-webauthn-settings-form {
+    padding-top: 8px;
+}
+
+#kc-form-webauthn .select-auth-box-parent {
+    pointer-events: none;
+}
+
+#kc-form-webauthn .select-auth-box-desc {
+    color: var(--pf-global--palette--black-600);
+}
+
+#kc-form-webauthn .select-auth-box-headline {
+    color: var(--pf-global--Color--300);
+}
+
+#kc-form-webauthn .select-auth-box-icon {
+    flex: 0 0 3em;
+}
+
+#kc-form-webauthn .select-auth-box-icon-properties {
+    margin-top: 10px;
+    font-size: 1.8em;
+}
+
+#kc-form-webauthn .select-auth-box-icon-properties.unknown-transport-class {
+    margin-top: 3px;
+}
+
+#kc-form-webauthn .pf-l-stack__item {
+    margin: -1px 0;
+}
+
+#kc-content-wrapper {
+    margin-top: 20px;
+}
+
+#kc-form-wrapper {
+    margin-top: 10px;
+}
+
+#kc-info {
+    margin: 20px -40px -30px;
+}
+
+#kc-info-wrapper {
+    font-size: 13px;
+    padding: 15px 35px;
+    background-color: #F0F0F0;
+}
+
+#kc-form-options span {
+    display: block;
+}
+
+#kc-form-options .checkbox {
+    margin-top: 0;
+    color: #72767b;
+}
+
+#kc-terms-text {
+    margin-bottom: 20px;
+}
+
+#kc-registration {
+    margin-bottom: 0;
+}
+
+/* TOTP */
+
+.subtitle {
+    text-align: right;
+    margin-top: 30px;
+    color: #909090;
+}
+
+.required {
+    color: #A30000; /* default - IE compatibility */
+    color: var(--pf-global--danger-color--200);
+}
+
+ol#kc-totp-settings {
+    margin: 0;
+    padding-left: 20px;
+}
+
+ul#kc-totp-supported-apps {
+    margin-bottom: 10px;
+}
+
+#kc-totp-secret-qr-code {
+    max-width:150px;
+    max-height:150px;
+}
+
+#kc-totp-secret-key {
+    background-color: #fff;
+    color: #333333;
+    font-size: 16px;
+    padding: 10px 0;
+}
+
+/* OAuth */
+
+#kc-oauth h3 {
+    margin-top: 0;
+}
+
+#kc-oauth ul {
+    list-style: none;
+    padding: 0;
+    margin: 0;
+}
+
+#kc-oauth ul li {
+    border-top: 1px solid rgba(255, 255, 255, 0.1);
+    font-size: 12px;
+    padding: 10px 0;
+}
+
+#kc-oauth ul li:first-of-type {
+    border-top: 0;
+}
+
+#kc-oauth .kc-role {
+    display: inline-block;
+    width: 50%;
+}
+
+/* Code */
+#kc-code textarea {
+    width: 100%;
+    height: 8em;
+}
+
+/* Social */
+.kc-social-links {
+    margin-top: 20px;
+}
+
+.kc-social-provider-logo {
+    font-size: 23px;
+    width: 30px;
+    height: 25px;
+    float: left;
+}
+
+.kc-social-gray {
+    color: #737679; /* default - IE compatibility */
+    color: var(--pf-global--Color--200);
+}
+
+.kc-social-item {
+    margin-bottom: 0.5rem; /* default - IE compatibility */
+    margin-bottom: var(--pf-global--spacer--sm);
+    font-size: 15px;
+    text-align: center;
+}
+
+.kc-social-provider-name {
+    position: relative;
+    top: 3px;
+}
+
+.kc-social-icon-text {
+    left: -15px;
+}
+
+.kc-social-grid {
+    display:grid;
+    grid-column-gap: 10px;
+    grid-row-gap: 5px;
+    grid-column-end: span 6;
+    --pf-l-grid__item--GridColumnEnd: span 6;
+}
+
+.kc-social-grid .kc-social-icon-text {
+    left: -10px;
+}
+
+.kc-login-tooltip {
+    position: relative;
+    display: inline-block;
+}
+
+.kc-social-section {
+    text-align: center;
+}
+
+.kc-social-section hr{
+    margin-bottom: 10px
+}
+
+.kc-login-tooltip .kc-tooltip-text{
+    top:-3px;
+    left:160%;
+    background-color: black;
+    visibility: hidden;
+    color: #fff;
+
+    min-width:130px;
+    text-align: center;
+    border-radius: 2px;
+    box-shadow:0 1px 8px rgba(0,0,0,0.6);
+    padding: 5px;
+
+    position: absolute;
+    opacity:0;
+    transition:opacity 0.5s;
+}
+
+/* Show tooltip */
+.kc-login-tooltip:hover .kc-tooltip-text {
+    visibility: visible;
+    opacity:0.7;
+}
+
+/* Arrow for tooltip */
+.kc-login-tooltip .kc-tooltip-text::after {
+    content:  ;
+    position: absolute;
+    top: 15px;
+    right: 100%;
+    margin-top: -5px;
+    border-width: 5px;
+    border-style: solid;
+    border-color: transparent black transparent transparent;
+}
+
+@media (min-width: 768px) {
+    #kc-container-wrapper {
+        position: absolute;
+        width: 100%;
+    }
+
+    .login-pf .container {
+        padding-right: 80px;
+    }
+
+    #kc-locale {
+        position: relative;
+        text-align: right;
+        z-index: 9999;
+    }
+}
+
+@media (max-width: 767px) {
+
+    .login-pf body {
+        background: white;
+    }
+
+    #kc-header {
+        padding-left: 15px;
+        padding-right: 15px;
+        float: none;
+        text-align: left;
+    }
+
+    #kc-header-wrapper {
+        font-size: 16px;
+        font-weight: bold;
+        padding: 20px 60px 0 0;
+        color: #72767b;
+        letter-spacing: 0;
+    }
+
+    div.kc-logo-text {
+        margin: 0;
+        width: 150px;
+        height: 32px;
+        background-size: 100%;
+    }
+
+    #kc-form {
+        float: none;
+    }
+
+    #kc-info-wrapper {
+        border-top: 1px solid rgba(255, 255, 255, 0.1);
+        background-color: transparent;
+    }
+
+    .login-pf .container {
+        padding-top: 15px;
+        padding-bottom: 15px;
+    }
+
+    #kc-locale {
+        position: absolute;
+        width: 200px;
+        top: 20px;
+        right: 20px;
+        text-align: right;
+        z-index: 9999;
+    }
+}
+
+@media (min-height: 646px) {
+    #kc-container-wrapper {
+        bottom: 12%;
+    }
+}
+
+@media (max-height: 645px) {
+    #kc-container-wrapper {
+        padding-top: 50px;
+        top: 20%;
+    }
+}
+
+.card-pf form.form-actions .btn {
+    float: right;
+    margin-left: 10px;
+}
+
+#kc-form-buttons {
+    margin-top: 20px;
+}
+
+.login-pf-page .login-pf-brand {
+    margin-top: 20px;
+    max-width: 360px;
+    width: 40%;
+}
+
+/* Internet Explorer 11 compatibility workaround for select-authenticator screen */
+@media all and (-ms-high-contrast: none),
+(-ms-high-contrast: active) {
+    .select-auth-box-parent {
+        border-top: 1px solid #f0f0f0;
+        padding-top: 1rem;
+        padding-bottom: 1rem;
+        cursor: pointer;
+    }
+
+    .select-auth-box-headline {
+        font-size: 16px;
+        color: #06c;
+        font-weight: bold;
+    }
+
+    .select-auth-box-desc {
+        font-size: 14px;
+    }
+
+    .pf-l-stack {
+        flex-basis: 100%;
+    }
+}
+/* End of IE11 workaround for select-authenticator screen */
+
+.select-auth-box-arrow{
+    display: flex;
+    align-items: center;
+    margin-right: 2rem;
+}
+
+.select-auth-box-icon{
+    display: flex;
+    flex: 0 0 2em;
+    justify-content: center;
+    margin-right: 1rem;
+    margin-left: 3rem;
+}
+
+.select-auth-box-parent{
+    border-top: 1px solid var(--pf-global--palette--black-200);
+    padding-top: 1rem;
+    padding-bottom: 1rem;
+    cursor: pointer;
+}
+
+.select-auth-box-parent:hover{
+    background-color: #f7f8f8;
+}
+
+.select-auth-container {
+}
+
+.select-auth-box-headline {
+    font-size: var(--pf-global--FontSize--md);
+    color: var(--pf-global--primary-color--100);
+    font-weight: bold;
+}
+
+.select-auth-box-desc {
+    font-size: var(--pf-global--FontSize--sm);
+}
+
+.select-auth-box-paragraph {
+    text-align: center;
+    font-size: var(--pf-global--FontSize--md);
+    margin-bottom: 5px;
+}
+
+.card-pf {
+    margin: 0 auto;
+    box-shadow: var(--pf-global--BoxShadow--lg);
+    padding: 0 20px;
+    max-width: 500px;
+    border-top: 4px solid;
+    border-color: #0066CC; /* default - IE compatibility */
+    border-color: var(--pf-global--primary-color--100);
+}
+
+/*phone*/
+@media (max-width: 767px) {
+    .login-pf-page .card-pf {
+        max-width: none;
+        margin-left: 0;
+        margin-right: 0;
+        padding-top: 0;
+        border-top: 0;
+        box-shadow: 0 0;
+    }
+
+    .kc-social-grid {
+        grid-column-end: 12;
+        --pf-l-grid__item--GridColumnEnd: span 12;
+    }
+
+    .kc-social-grid .kc-social-icon-text {
+        left: -15px;
+    }
+}
+
+.login-pf-page .login-pf-signup {
+    font-size: 15px;
+    color: #72767b;
+}
+#kc-content-wrapper .row {
+    margin-left: 0;
+    margin-right: 0;
+}
+
+.login-pf-page.login-pf-page-accounts {
+    margin-left: auto;
+    margin-right: auto;
+}
+
+.login-pf-page .btn-primary {
+    margin-top: 0;
+}
+
+.login-pf-page .list-view-pf .list-group-item {
+    border-bottom: 1px solid #ededed;
+}
+
+.login-pf-page .list-view-pf-description {
+    width: 100%;
+}
+
+#kc-form-login div.form-group:last-of-type,
+#kc-register-form div.form-group:last-of-type,
+#kc-update-profile-form div.form-group:last-of-type {
+    margin-bottom: 0px;
+}
+
+.no-bottom-margin {
+    margin-bottom: 0;
+}
+
+#kc-back {
+    margin-top: 5px;
+}
+
+/* Recovery codes */
+.kc-recovery-codes-warning {
+    margin-bottom: 32px;
+}
+.kc-recovery-codes-warning .pf-c-alert__description p {
+    font-size: 0.875rem;
+}
+.kc-recovery-codes-list {
+    list-style: none;
+    columns: 2;
+    margin: 16px 0;
+    padding: 16px 16px 8px 16px;
+    border: 1px solid #D2D2D2;
+}
+.kc-recovery-codes-list li {
+    margin-bottom: 8px;
+    font-size: 11px;
+}
+.kc-recovery-codes-list li span {
+    color: #6A6E73;
+    width: 16px;
+    text-align: right;
+    display: inline-block;
+    margin-right: 1px;
+}
+
+.kc-recovery-codes-actions {
+    margin-bottom: 24px;
+}
+.kc-recovery-codes-actions button {
+    padding-left: 0;
+}
+.kc-recovery-codes-actions button i {
+    margin-right: 8px;
+}
+
+.kc-recovery-codes-confirmation {
+    align-items: baseline;
+    margin-bottom: 16px;
+}
+/* End Recovery codes */
+
+

modules/keycloak/theme/login/theme.properties

@@ -0,0 +1,4 @@
+parent=keycloak
+import=common/keycloak
+
+styles=css/login.css

modules/ldap/default.nix

@@ -1,4 +1,4 @@
-{ config, lib, pkgs, nixpkgs-unstable, system, ... }:
+{ config, pkgs, ... }:
 let
   domain = "auth.${config.networking.domain}";
   seedSettings = {
@@ -43,19 +43,9 @@ let
   };
 in
 {
-  # Use portunus from unstable branch until 24.05 is here
-  disabledModules = [ "services/misc/portunus.nix" ];
-  imports = [ "${nixpkgs-unstable}/nixos/modules/services/misc/portunus.nix" ];
-  nixpkgs.overlays = [
-    (_self: _super: {
-      inherit (nixpkgs-unstable.legacyPackages.${system}) portunus;
-    })
-  ];
-
   sops.secrets = {
     "portunus/admin-password".owner = config.services.portunus.user;
     "portunus/search-password".owner = config.services.portunus.user;
-    "dex/environment".owner = config.systemd.services.dex.serviceConfig.User;
   };
 
   services.portunus = {
@@ -72,8 +62,6 @@ in
 
     inherit domain seedSettings;
     port = 8681;
-    dex.enable = true;
-
     ldap = {
       suffix = "dc=ifsr,dc=de";
       searchUserName = "search";
@@ -84,30 +72,6 @@ in
     };
   };
 
-  services.dex.settings = {
-    oauth2.skipApprovalScreen = true;
-    frontend = {
-      issuer = "iFSR Schliboleth";
-      logoURL = "https://wiki.ifsr.de/images/3/3b/LogoiFSR.png";
-      theme = "dark";
-    };
-  };
-
-  systemd.services.dex.serviceConfig = {
-    DynamicUser = lib.mkForce false;
-    EnvironmentFile = config.sops.secrets."dex/environment".path;
-    StateDirectory = "dex";
-    User = "dex";
-  };
-
-  users = {
-    users.dex = {
-      group = "dex";
-      isSystemUser = true;
-    };
-    groups.dex = { };
-  };
-
   security.pam.services.sshd.makeHomeDir = true;
 
   services.nginx = {
@@ -115,13 +79,12 @@ in
     virtualHosts."${config.services.portunus.domain}" = {
       locations = {
         "/".proxyPass = "http://localhost:${toString config.services.portunus.port}";
-        "/dex".proxyPass = "http://localhost:${toString config.services.portunus.dex.port}";
       };
     };
   };
   networking.firewall = {
     extraInputRules = ''
-      ip saddr { 141.30.86.192/26, 141.76.100.128/25 } tcp dport 636 accept comment "Allow ldaps access from office nets"
+      ip saddr { 141.30.86.192/26, 141.76.100.128/25, 141.30.30.169, 10.88.0.1/16 } tcp dport 636 accept comment "Allow ldaps access from office nets and podman"
     '';
   };
 }

modules/mail/dovecot2.nix

@@ -1,4 +1,4 @@
-{ config, pkgs, ... }:
+{ lib, config, pkgs, ... }:
 let
   hostname = "mail.${config.networking.domain}";
   dovecot-ldap-args = pkgs.writeText "ldap-args" ''
@@ -16,40 +16,10 @@ let
 in
 {
   networking.firewall.allowedTCPPorts = [
-    143 # IMAP
     993 # IMAPS
     4190 # Managesieve
   ];
   sops.secrets."dovecot_ldap_search".owner = config.services.dovecot2.user;
-  environment.etc = {
-    "dovecot/sieve-pipe/sa-learn-spam.sh" = {
-      text = ''
-        #!/bin/sh
-        ${pkgs.rspamd}/bin/rspamc learn_spam
-      '';
-      mode = "0555";
-    };
-    "dovecot/sieve-pipe/sa-learn-ham.sh" = {
-      text = ''
-        #!/bin/sh
-        ${pkgs.rspamd}/bin/rspamc learn_ham
-      '';
-      mode = "0555";
-    };
-    "dovecot/sieve/report-spam.sieve" = {
-      source = ./report-spam.sieve;
-      user = "dovecot2";
-      group = "dovecot2";
-      mode = "0544";
-    };
-    "dovecot/sieve/report-ham.sieve" = {
-      source = ./report-ham.sieve;
-      user = "dovecot2";
-      group = "dovecot2";
-      mode = "0544";
-    };
-  };
-
   services.dovecot2 = {
     enable = true;
     enableImap = true;
@@ -101,7 +71,18 @@ in
     # set to satisfy the sieveScripts check, will be overridden by userdb lookups anyways
     mailUser = "vmail";
     mailGroup = "vmail";
-    sieveScripts = {
+    sieve = {
+      # just pot something in here to prevent empty strings
+      extensions = [ "notify" ];
+      pipeBins = map lib.getExe [
+        (pkgs.writeShellScriptBin "learn-ham.sh" "exec ${pkgs.rspamd}/bin/rspamc learn_ham")
+        (pkgs.writeShellScriptBin "learn-spam.sh" "exec ${pkgs.rspamd}/bin/rspamc learn_spam")
+      ];
+      plugins = [
+        "sieve_imapsieve"
+        "sieve_extprograms"
+      ];
+      scripts = {
         before = pkgs.writeText "spam.sieve" ''
           require "fileinto";
 
@@ -112,6 +93,23 @@ in
           }
         '';
       };
+    };
+    imapsieve.mailbox = [
+      {
+        # Spam: From elsewhere to Spam folder or flag changed in Spam folder
+        name = "Spam";
+        causes = [ "COPY" "APPEND" "FLAG" ];
+        before = ./report-spam.sieve;
+
+      }
+      {
+        # From Junk folder to elsewhere
+        name = "*";
+        from = "Spam";
+        causes = [ "COPY" ];
+        before = ./report-ham.sieve;
+      }
+    ];
     extraConfig = ''
       auth_username_format = %Ln
       passdb {
@@ -152,21 +150,6 @@ in
 
 
       plugin {
-        sieve_plugins = sieve_imapsieve sieve_extprograms
-        sieve_global_extensions = +vnd.dovecot.pipe
-        sieve_pipe_bin_dir = /etc/dovecot/sieve-pipe
-
-        # Spam: From elsewhere to Spam folder or flag changed in Spam folder
-        imapsieve_mailbox1_name = Spam
-        imapsieve_mailbox1_causes = COPY APPEND FLAG
-        imapsieve_mailbox1_before = file:/etc/dovecot/sieve/report-spam.sieve
-
-        # Ham: From Spam folder to elsewhere
-        imapsieve_mailbox2_name = *
-        imapsieve_mailbox2_from = Spam
-        imapsieve_mailbox2_causes = COPY
-        imapsieve_mailbox2_before = file:/etc/dovecot/sieve/report-ham.sieve
-
         # https://doc.dovecot.org/configuration_manual/plugins/listescape_plugin/
         listescape_char = "\\"
       }

modules/mail/postfix.nix

@@ -44,11 +44,9 @@ in
         # hostname used in helo command. It is recommended to have this match the reverse dns entry
         smtp_helo_name = config.networking.rDNS;
         smtpd_banner = "${config.networking.rDNS} ESMTP $mail_name";
-        smtp_use_tls = true;
-        # smtp_tls_security_level = "encrypt";
-        smtpd_use_tls = true;
-        # smtpd_tls_security_level = lib.mkForce "encrypt";
-        # smtpd_tls_auth_only = true;
+        smtp_tls_security_level = "may";
+        smtpd_tls_security_level = "may";
+        smtpd_tls_auth_only = true;
         smtpd_tls_protocols = [
           "!SSLv2"
           "!SSLv3"

modules/mail/report-ham.sieve

@@ -12,4 +12,4 @@ if environment :matches "imap.user" "*" {
   set "username" "${1}";
 }
 
-pipe :copy "sa-learn-ham.sh" [ "${username}" ];
+pipe :copy "learn-ham.sh" [ "${username}" ];

modules/mail/report-spam.sieve

@@ -4,4 +4,4 @@ if environment :matches "imap.user" "*" {
   set "username" "${1}";
 }
 
-pipe :copy "sa-learn-spam.sh" [ "${username}" ];
+pipe :copy "learn-spam.sh" [ "${username}" ];

modules/mail/rspamd.nix

@@ -55,6 +55,74 @@ in
           path = /var/lib/rspamd/dkim/$domain.$selector.key;
 
         '';
+        "reputation.conf".text = ''
+          rules {
+            ip_reputation = {
+              selector "ip" {
+              }
+              backend "redis" {
+                servers = "/run/redis-rspamd/redis.sock";
+              }
+
+              symbol = "IP_REPUTATION";
+            }
+            spf_reputation =  {
+              selector "spf" {
+              }
+              backend "redis" {
+                servers = "/run/redis-rspamd/redis.sock";
+              }
+
+              symbol = "SPF_REPUTATION";
+            }
+            dkim_reputation =  {
+              selector "dkim" {
+              }
+              backend "redis" {
+                servers = "/run/redis-rspamd/redis.sock";
+              }
+
+              symbol = "DKIM_REPUTATION"; # Also adjusts scores for DKIM_ALLOW, DKIM_REJECT
+            }
+            generic_reputation =  {
+              selector "generic" {
+                selector = "ip"; # see https://rspamd.com/doc/configuration/selectors.html
+              }
+              backend "redis" {
+                servers = "/run/redis-rspamd/redis.sock";
+              }
+
+              symbol = "GENERIC_REPUTATION";
+            }
+          }
+        '';
+        "groups.conf".text = ''
+            group "reputation" {
+              symbols = {
+                  "IP_REPUTATION_HAM" {
+                      weight = 1.0;
+                  }
+                  "IP_REPUTATION_SPAM" {
+                      weight = 4.0;
+                  }
+
+                  "DKIM_REPUTATION" {
+                      weight = 1.0;
+                  }
+
+                  "SPF_REPUTATION_HAM" {
+                      weight = 1.0;
+                  }
+                  "SPF_REPUTATION_SPAM" {
+                      weight = 2.0;
+                  }
+
+                  "GENERIC_REPUTATION" {
+                      weight = 1.0;
+                  }
+              }
+          }
+        '';
 
         "multimap.conf".text =
           let
@@ -73,22 +141,26 @@ in
               filter = "email:domain";
               map = "/var/lib/rspamd/whitelist.sender.domain.map";
               action = "accept";
+              regexp = true;
             }
             WHITELIST_SENDER_EMAIL {
               type = "from";
               map = "/var/lib/rspamd/whitelist.sender.email.map";
               action = "accept";
+              regexp = true;
             }
             BLACKLIST_SENDER_DOMAIN {
               type = "from";
               filter = "email:domain";
               map = "/var/lib/rspamd/blacklist.sender.domain.map";
               action = "reject";
+              regexp = true;
             }
             BLACKLIST_SENDER_EMAIL {
               type = "from";
               map = "/var/lib/rspamd/blacklist.sender.email.map";
               action = "reject";
+              regexp = true;
             }
             BLACKLIST_SUBJECT_KEYWORDS {
               type = "header";
@@ -121,6 +193,11 @@ in
           "/" = {
             proxyPass = "http://127.0.0.1:11334";
             proxyWebsockets = true;
+            extraConfig = ''
+              allow 141.30.0.0/16;
+              allow 141.76.0.0/16;
+              deny all;
+            '';
           };
         };
       };

modules/matrix/default.nix

@@ -27,6 +27,9 @@ in
     key = "portunus/search-password";
     owner = config.systemd.services.matrix-synapse.serviceConfig.User;
   };
+  nixpkgs.config.permittedInsecurePackages = [
+    "olm-3.2.16"
+  ];
 
   services = {
     postgresql = {

modules/minecraft/default.nix

@@ -0,0 +1,52 @@
+{ pkgs, config, lib, ... }:
+{
+  nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [
+    "minecraft-server"
+  ];
+  services.minecraft-servers = {
+    enable = true;
+    eula = true;
+    servers.ifsr = {
+      enable = true;
+      package = pkgs.fabricServers.fabric-1_21;
+      jvmOpts = "-Xmx8192M -Xms8192M";
+    };
+  };
+  services.bluemap = {
+    enable = true;
+    host = "map.mc.ifsr.de";
+    eula = true;
+    onCalendar = "hourly";
+    defaultWorld = "/srv/minecraft/ifsr/world";
+  };
+  services.nginx.virtualHosts."map.mc.ifsr.de".extraConfig = ''
+    allow 141.30.0.0/16;
+    allow 141.76.0.0/16;
+    allow 217.160.244.15/32; # jonas uptime kuma
+    deny all;
+  '';
+
+  networking.firewall = {
+    extraInputRules = ''
+      ip saddr { 141.30.0.0/16, 141.76.0.0/16, 217.160.244.15/32 } tcp dport 25565 accept comment "Allow minecraft access from TU network and jonas monitoring"
+    '';
+  };
+  users.users.minecraft = {
+    isNormalUser = true;
+    isSystemUser = lib.mkForce false;
+    openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILkxTuzjS3EswMfj+wSKu9ciRyStvjDlDUXzkqEUGDaP rouven@thinkpad"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOhdjiPvtAo/ZV36RjBBPSlixzeP3VN6cqa4YAmM5uXM ff00005@ff00005-laptop" # malte
+    ];
+  };
+  security.sudo.extraRules = [
+    {
+      users = [ "minecraft" ];
+      commands = [
+        { command = "/run/current-system/sw/bin/systemctl restart minecraft-server-ifsr"; options = [ "NOPASSWD" ]; }
+        { command = "/run/current-system/sw/bin/systemctl start minecraft-server-ifsr"; options = [ "NOPASSWD" ]; }
+        { command = "/run/current-system/sw/bin/systemctl stop minecraft-server-ifsr"; options = [ "NOPASSWD" ]; }
+      ];
+    }
+  ];
+}

modules/monitoring/default.nix

@@ -1,8 +1,11 @@
-{ config, pkgs, ... }:
+{ config, ... }:
 let
   domain = "monitoring.${config.networking.domain}";
 in
 {
+  sops.secrets."grafana/oidc_secret" = {
+    owner = "grafana";
+  };
   # grafana configuration
   services.grafana = {
     enable = true;
@@ -11,16 +14,31 @@ in
         inherit domain;
         http_addr = "127.0.0.1";
         http_port = 2342;
+        root_url = "https://monitoring.ifsr.de";
       };
       database = {
         type = "postgres";
         user = "grafana";
         host = "/run/postgresql";
       };
+      "auth.generic_oauth" = {
+        enabled = true;
+        name = "iFSR";
+        allow_sign_up = true;
+        client_id = "grafana";
+        client_secret = "$__file{${config.sops.secrets."grafana/oidc_secret".path}}";
+        scopes = "openid email profile offline_access roles";
 
+        email_attribute_path = "email";
+        login_attribute_path = "username";
+        name_attribute_path = "full_name";
+
+        auth_url = "https://sso.ifsr.de/realms/internal/protocol/openid-connect/auth";
+        token_url = "https://sso.ifsr.de/realms/internal/protocol/openid-connect/token";
+        api_url = "https://sso.ifsr.de/realms/internal/protocol/openid-connect/userinfo";
+        role_attribute_path = "contains(roles[*], 'admin') && 'Admin' || contains(roles[*], 'editor') && 'Editor' || 'Viewer'";
+      };
     };
-
-
   };
 
   services.postgresql = {
@@ -43,10 +61,6 @@ in
         enabledCollectors = [ "systemd" ];
         port = 9002;
       };
-      postfix = {
-        enable = true;
-        port = 9003;
-      };
     };
     scrapeConfigs = [
       {
@@ -57,11 +71,11 @@ in
         scrape_interval = "15s";
       }
       {
-        job_name = "postfix";
+        job_name = "rspamd";
         static_configs = [{
-          targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.postfix.port}" ];
+          targets = [ "rspamd.ifsr.de:11334" ];
         }];
-        # scrape_interval = "60s";
+        scrape_interval = "15s";
       }
     ];
   };

modules/nextcloud.nix

@@ -15,7 +15,7 @@ in
     nextcloud = {
       enable = true;
       configureRedis = true;
-      package = pkgs.nextcloud28;
+      package = pkgs.nextcloud29;
       hostName = domain;
       https = true; # Use https for all urls
       phpExtraExtensions = all: [
@@ -30,7 +30,7 @@ in
       database.createLocally = true;
 
       # enable HEIC image preview
-      extraOptions.enabledPreviewProviders = [
+      settings.enabledPreviewProviders = [
         "OC\\Preview\\BMP"
         "OC\\Preview\\GIF"
         "OC\\Preview\\JPEG"

modules/padlist.nix

@@ -46,10 +46,4 @@ in
       };
     };
   };
-
-  services.portunus.dex.oidcClients = [{
-    id = "padlist";
-    callbackURL = "https://list.pad.ifsr.de/callback.php";
-  }];
-
 }

modules/struktur-bot.nix

@@ -1,7 +1,7 @@
 { config, pkgs, ... }:
 {
   sops.secrets."strukturbot_env" = { };
-  virtualisation.docker.daemon.settings.dns = [ "141.30.1.1" "141.76.14.1" ];
+  # virtualisation.docker.daemon.settings.dns = [ "141.30.1.1" "141.76.14.1" ];
   virtualisation.oci-containers = {
     containers.struktur-bot = {
       image = "struktur-bot";

modules/web/default.nix

@@ -11,5 +11,6 @@
     ./sharepic.nix
     ./userdir.nix
     ./ftp.nix
+    ./hyperilo.nix
   ];
 }

modules/web/ese.nix

@@ -1,74 +1,34 @@
 { config, pkgs, ... }:
 let
   domain = "ese.${config.networking.domain}";
-  cms-domain = "directus-ese.${config.networking.domain}";
+  webRoot = "/srv/web/ese";
 in
 {
-  sops.secrets."directus_env" = { };
-  environment.systemPackages = [ pkgs.nodejs_21 ];
-  virtualisation.oci-containers = {
-    backend = "docker";
-    containers.directus-ese = {
-      image = "directus/directus:latest";
-      volumes = [
-        "/srv/web/directus-ese/uploads:/directus/uploads"
-        "/srv/web/directus-ese/database:/directus/database"
-      ];
-      ports = [ "127.0.0.1:8055:8055" ];
-      extraOptions = [ "--network=host" ];
-      environment = {
-        "DB_CLIENT" = "pg";
-        "DB_HOST" = "localhost";
-        "DB_PORT" = "5432";
-        "DB_DATABASE" = "directus_ese";
-        "DB_USER" = "directus_ese";
-      };
-      environmentFiles = [
-        config.sops.secrets."directus_env".path
-      ];
-
-    };
-  };
-  services.postgresql = {
-    enable = true;
-    ensureUsers = [
-      {
-        name = "directus_ese";
-        ensureDBOwnership = true;
-      }
-    ];
-    ensureDatabases = [ "directus_ese" ];
-  };
-
   services.nginx = {
-    virtualHosts."${cms-domain}" = {
-      locations."/" = {
-        extraConfig = ''
-          if ($request_method = 'OPTIONS') {
-            add_header 'Access-Control-Allow-Origin' '*';
-            add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
-            add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization';
-            add_header 'Access-Control-Max-Age' 1728000;
-            add_header 'Content-Type' 'text/plain; charset=utf-8';
-            add_header 'Content-Length' 0;
-            return 204;
-          }
-
-          add_header 'Access-Control-Allow-Origin' '*';
-          add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
-          add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization';
-        '';
-        proxyPass = "http://127.0.0.1:8055";
-      };
-    };
     virtualHosts."${domain}" = {
       locations."= /" = {
-        return = "301 /2023/";
+        # temporary redirect, to avoid caching problems
+        return = "302 /2024/";
       };
       locations."/" = {
-        root = "/srv/web/ese/served";
+        root = webRoot;
         tryFiles = "$uri $uri/ =404";
       };
+      # cache static assets
+      locations."~* \.(?:css|svg|webp|jpg|jpeg|gif|png|ico|mp4|mp3|ogg|ogv|webm|ttf|woff2|woff)$" = {
+        root = webRoot;
+        extraConfig = ''
+          expires 1y;
+        '';
       };
     };
+  };
+
+  users.users."ese-deploy" = {
+    isNormalUser = true;
+    openssh.authorizedKeys.keys = [
+      ''command="${pkgs.rrsync}/bin/rrsync ${webRoot}",restrict ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEWGdTdobZN2oSLsTQmHOahdc9vqyuwUBS0PSk5IQhGV''
+    ];
+  };
+
 }

modules/web/hyperilo.nix

@@ -0,0 +1,34 @@
+{ ... }:
+
+{
+  # provide access to iLO of colocated server
+  # in case of questions, contact @bennofs
+  services.nginx.virtualHosts."hyperilo.deutschland.gmbh" = {
+    forceSSL = true;
+    locations."/".proxyPass = "https://192.168.0.120:443";
+    locations."/".basicAuthFile = "/run/secrets/hyperilo_htaccess";
+    locations."/".extraConfig = ''
+      proxy_ssl_verify off;
+      proxy_http_version 1.1;
+      proxy_set_header Upgrade $http_upgrade;
+      proxy_set_header Connection $connection_upgrade_capitalized;
+    '';
+  };
+
+  # HP iLO requires uppercase Upgrade, not lowercase "upgrade"
+  services.nginx.commonHttpConfig = ''
+    map $http_upgrade $connection_upgrade_capitalized {
+      default  Upgrade;
+      '''      close;
+    }
+  '';
+
+  systemd.network.networks."20-hyperilo" = {
+    matchConfig.Name = "eno8303";
+    address = [ "192.168.0.1/24" ];
+    networkConfig.LLDP = true;
+    networkConfig.EmitLLDP = "nearest-bridge";
+  };
+
+  sops.secrets."hyperilo_htaccess".owner = "nginx";
+}

modules/web/ifsrde.nix

@@ -60,6 +60,7 @@ in
         "~ ^/cmd(/?[^\\n|\\r]*)$".return = "301 https://pad.ifsr.de$1";
         "/bbb".return = "301 https://bbb.tu-dresden.de/b/fsr-58o-tmf-yy6";
         "/kpp".return = "301 https://kpp.ifsr.de";
+        "/sso".return = "301 https://sso.ifsr.de/realms/internal/account";
         # security
         "~* /(\.git|cache|bin|logs|backup|tests)/.*$".return = "403";
         # deny running scripts inside core system folders
@@ -72,9 +73,4 @@ in
       };
     };
   };
-
-  services.portunus.dex.oidcClients = [{
-    id = "grav";
-    callbackURL = "https://ifsr.de/admin/task:callback.oauth2";
-  }];
 }

modules/web/userdir.nix

@@ -56,6 +56,7 @@ in
         display_errors=0
         post_max_size = 40M
         upload_max_filesize = 40M
+        extension=sysvsem.so
       '';
     };
   };

modules/wiki/fsr.nix

@@ -63,11 +63,12 @@ in
         # Auth
         # https://www.mediawiki.org/wiki/Extension:PluggableAuth
         # https://www.mediawiki.org/wiki/Extension:OpenID_Connect
+        $wgOpenIDConnect_MigrateUsersByEmail = true;
         $wgPluggableAuth_EnableLocalLogin = true;
         $wgPluggableAuth_Config["iFSR Login"] = [
           "plugin" => "OpenIDConnect",
           "data" => [
-            "providerURL" => "${config.services.portunus.domain}/dex",
+            "providerURL" => "https://sso.ifsr.de/realms/internal",
             "clientID" => "wiki",
             "clientsecret" => file_get_contents('${config.sops.secrets."mediawiki/oidc_secret".path}'),
           ],
@@ -76,29 +77,24 @@ in
 
       extensions = {
         PluggableAuth = pkgs.fetchzip {
-          url = "https://extdist.wmflabs.org/dist/extensions/PluggableAuth-REL1_40-3689731.tar.gz";
-          hash = "sha256-BMA0qV+x+iQt/P9tbl9csEUni9jiQcBtZeuwdjx2QPk=";
+          url = "https://extdist.wmflabs.org/dist/extensions/PluggableAuth-REL1_41-b92b48e.tar.gz";
+          hash = "sha256-Fv5reEqFVVpSvmb4cy4oZBzeKc/fVddoJIsalnW4wUY=";
         };
         OpenIDConnect = pkgs.fetchzip {
-          url = "https://extdist.wmflabs.org/dist/extensions/OpenIDConnect-REL1_40-b354cdb.tar.gz";
+          url = "https://extdist.wmflabs.org/dist/extensions/OpenIDConnect-REL1_41-520f4bf.tar.gz";
           hash = "sha256-gLHaveEzfmpqU9fWATZsUU377FJj2yq//raHZUR/VWk=";
         };
         VisualEditor = pkgs.fetchzip {
-          url = "https://extdist.wmflabs.org/dist/extensions/VisualEditor-REL1_40-8970b62.tar.gz";
-          hash = "sha256-G+qvKVuF6OCnwS5q2cKfij1/aH1I6lOw84K6fED980s=";
+          url = "https://extdist.wmflabs.org/dist/extensions/VisualEditor-REL1_41-1bdb5a0.tar.gz";
+          hash = "sha256-HtKV9Uru0SRtl61nP3PgMcT9t8okB8jGPKFmtYIV1XM=";
         };
         SyntaxHighlight = pkgs.fetchzip {
-          url = "https://extdist.wmflabs.org/dist/extensions/SyntaxHighlight_GeSHi-REL1_40-1170e8f.tar.gz";
-          hash = "sha256-75+wwTvHhwPBP1jVLK2fQWBi7vznOvPVgNpY3kzWJtg=";
+          url = "https://extdist.wmflabs.org/dist/extensions/SyntaxHighlight_GeSHi-REL1_41-e5818be.tar.gz";
+          hash = "sha256-dvXfOUlvT2Y8ELx83JlEx0S51oKyW4DDbVyUzyh5zag=";
         };
       };
     };
 
-    portunus.dex.oidcClients = [{
-      id = "wiki";
-      callbackURL = "https://${domain}/Spezial:PluggableAuthLogin";
-    }];
-
     nginx = {
       recommendedProxySettings = true;
       virtualHosts.${domain} = {

overlays/default.nix

@@ -1,7 +1,7 @@
 _final: prev:
 let
   inherit (prev) fetchurl;
-  inherit (prev) fetchFromGitHub;
+  inherit (prev) callPackage;
 in
 {
   # AGDSN is running an outdated version that we have to comply to
@@ -12,14 +12,16 @@ in
       sha256 = "sha256-3w+FJezbo4DnS1N8pxrfO3WWWT8CGJtZqw6//IXMyN4=";
     };
   }));
-  # (hopefully) fix systemd journal reading
-  prometheus-postfix-exporter = prev.prometheus-postfix-exporter.overrideAttrs (old: rec {
-    src = fetchFromGitHub {
-      owner = "adangel";
-      repo = "postfix_exporter";
-      rev = "414ac12ee63415eede46cb3084d755a6da6fba23";
-      hash = "sha256-m1kVaO3N7XC1vtnxXX9kMiEFPmZuoopRUYgA7gQzP8w=";
-    };
+  # Mailman internal server error fix
+  # https://gitlab.com/mailman/mailman/-/issues/1137
+  # https://github.com/NixOS/nixpkgs/pull/321136
+  pythonPackagesExtensions = prev.pythonPackagesExtensions ++ [
+    (_python-final: python-prev: {
+      readme-renderer = python-prev.readme-renderer.overridePythonAttrs (_oldAttrs: {
+        propagatedBuildInputs = [ python-prev.cmarkgfm ];
       });
+    })
+  ];
 
+  keycloak_ifsr_theme = callPackage ../modules/keycloak/theme.nix { };
 }

overlays/prometheus-postfix-exporter/0001-cleanup-also-catch-milter-reject.patch

@@ -0,0 +1,25 @@
+From f4c5dd5628c873981b2d6d6b8f3bbf036b9fd724 Mon Sep 17 00:00:00 2001
+From: Rouven Seifert <rouven.seifert@ifsr.de>
+Date: Thu, 2 May 2024 11:20:27 +0200
+Subject: [PATCH] cleanup: also catch milter-reject
+
+---
+ postfix_exporter.go | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/postfix_exporter.go b/postfix_exporter.go
+index f20d99c..676d767 100644
+--- a/postfix_exporter.go
++++ b/postfix_exporter.go
+@@ -335,6 +335,8 @@ func (e *PostfixExporter) CollectFromLogLine(line string) {
+ 				e.cleanupProcesses.Inc()
+ 			} else if strings.Contains(remainder, ": reject: ") {
+ 				e.cleanupRejects.Inc()
++			} else if strings.Contains(remainder, ": milter-reject: ") {
++				e.cleanupRejects.Inc()
+ 			} else {
+ 				e.addToUnsupportedLine(line, subprocess, level)
+ 			}
+-- 
+2.44.0
+