WIP: mediawiki
This commit is contained in:
parent
6a9c457ef7
commit
a77e62a2e9
|
@ -13,7 +13,7 @@
|
||||||
./services/nginx
|
./services/nginx
|
||||||
./services/gitea/default.nix
|
./services/gitea/default.nix
|
||||||
./services/webmail
|
./services/webmail
|
||||||
./services/mediawiki.nix
|
./services/mediawiki
|
||||||
];
|
];
|
||||||
|
|
||||||
sops.defaultSopsFile = ../../secrets/bekkalokk/bekkalokk.yaml;
|
sops.defaultSopsFile = ../../secrets/bekkalokk/bekkalokk.yaml;
|
||||||
|
|
|
@ -6,6 +6,42 @@
|
||||||
|
|
||||||
# "mediawiki"
|
# "mediawiki"
|
||||||
group = config.users.users.${user}.group;
|
group = config.users.users.${user}.group;
|
||||||
|
|
||||||
|
SimpleSAMLphpRepo = pkgs.php.buildComposerProject rec {
|
||||||
|
pname = "configuredSimpleSAML";
|
||||||
|
version = "2.2.1";
|
||||||
|
src = pkgs.fetchFromGitHub {
|
||||||
|
owner = "simplesamlphp";
|
||||||
|
repo = "simplesamlphp";
|
||||||
|
# name = "simple-saml-php-source";
|
||||||
|
# url = "https://github.com/simplesamlphp/simplesamlphp/releases/download/v${version}/simplesamlphp-${version}.tar.gz";
|
||||||
|
rev = "v${version}";
|
||||||
|
hash = "sha256-jo7xma60M4VZgeDgyFumvJp1Sm+RP4XaugDkttQVB+k=";
|
||||||
|
};
|
||||||
|
|
||||||
|
composerStrictValidation = false;
|
||||||
|
|
||||||
|
vendorHash = "sha256-n6lJ/Fb6xI124PkKJMbJBDiuISlukWQcHl043uHoBb4=";
|
||||||
|
|
||||||
|
# TODO: metadata could be fetched automagically with these:
|
||||||
|
# - https://simplesamlphp.org/docs/contrib_modules/metarefresh/simplesamlphp-automated_metadata.html
|
||||||
|
# - https://idp.pvv.ntnu.no/simplesaml/saml2/idp/metadata.php
|
||||||
|
postPatch = ''
|
||||||
|
install -Dm444 "${./simplesamlphp/authsources.php}" "config/authsources.php"
|
||||||
|
install -Dm444 "${./simplesamlphp/saml20-idp-remote.php}" "metadata/saml20-idp-remote.php"
|
||||||
|
install -Dm444 "${./simplesamlphp/config.php}" "config/config.php"
|
||||||
|
|
||||||
|
substituteInPlace config/config.php \
|
||||||
|
--replace '$SAML_COOKIE_SECURE' 'true' \
|
||||||
|
--replace '$SAML_COOKIE_SALT' '"asdfasdfasjdf"' \
|
||||||
|
--replace '$SAML_ADMIN_PASSWORD' '"asdfasdfasdf"' \
|
||||||
|
--replace '$SAML_TRUSTED_DOMAINS' 'array( "bekkalokk.pvv.ntnu.no" )'
|
||||||
|
'';
|
||||||
|
|
||||||
|
postInstall = ''
|
||||||
|
ln -sr $out/share/php/configuredSimpleSAML/vendor/simplesamlphp/simplesamlphp-assets-base $out/share/php/configuredSimpleSAML/public/assets/base
|
||||||
|
'';
|
||||||
|
};
|
||||||
in {
|
in {
|
||||||
sops.secrets = {
|
sops.secrets = {
|
||||||
"mediawiki/password" = {
|
"mediawiki/password" = {
|
||||||
|
@ -51,10 +87,12 @@ in {
|
||||||
"pm.max_spare_servers" = 4;
|
"pm.max_spare_servers" = 4;
|
||||||
"listen.owner" = listenUser;
|
"listen.owner" = listenUser;
|
||||||
"listen.group" = listenGroup;
|
"listen.group" = listenGroup;
|
||||||
"php_admin_value[error_log]" = "stderr";
|
|
||||||
"php_admin_flag[log_errors]" = "on";
|
|
||||||
"env[PATH]" = lib.makeBinPath [ pkgs.php ];
|
"env[PATH]" = lib.makeBinPath [ pkgs.php ];
|
||||||
|
|
||||||
"catch_workers_output" = true;
|
"catch_workers_output" = true;
|
||||||
|
"php_admin_flag[log_errors]" = true;
|
||||||
|
# "php_admin_value[error_log]" = "stderr";
|
||||||
|
|
||||||
# to accept *.html file
|
# to accept *.html file
|
||||||
"security.limit_extensions" = "";
|
"security.limit_extensions" = "";
|
||||||
};
|
};
|
||||||
|
@ -63,80 +101,7 @@ in {
|
||||||
inherit (pkgs.mediawiki-extensions) DeleteBatch UserMerge PluggableAuth SimpleSAMLphp;
|
inherit (pkgs.mediawiki-extensions) DeleteBatch UserMerge PluggableAuth SimpleSAMLphp;
|
||||||
};
|
};
|
||||||
|
|
||||||
extraConfig = let
|
extraConfig = ''
|
||||||
SimpleSAMLphpRepo = pkgs.php.buildComposerProject rec {
|
|
||||||
pname = "configuredSimpleSAML";
|
|
||||||
version = "2.1.0-rc1";
|
|
||||||
src = pkgs.fetchFromGitHub {
|
|
||||||
owner = "simplesamlphp";
|
|
||||||
repo = "simplesamlphp";
|
|
||||||
# name = "simple-saml-php-source";
|
|
||||||
# url = "https://github.com/simplesamlphp/simplesamlphp/releases/download/v${version}/simplesamlphp-${version}.tar.gz";
|
|
||||||
rev = "v${version}";
|
|
||||||
hash = "sha256-E7S6T/EfuhNbe697OiklZ77wMRkOb/ABJXoL5MphMCY=";
|
|
||||||
};
|
|
||||||
|
|
||||||
composerStrictValidation = false;
|
|
||||||
|
|
||||||
vendorHash = "sha256-vr9mWXN9v6tGNvPtxQ+pgf7OYj8dedzWfxt6Xw1nCm0=";
|
|
||||||
|
|
||||||
configAuthsourcesPhp = ''
|
|
||||||
<?php
|
|
||||||
$config = array(
|
|
||||||
'default-sp' => array(
|
|
||||||
'saml:SP',
|
|
||||||
'idp' => 'https://idp.pvv.ntnu.no/',
|
|
||||||
),
|
|
||||||
);
|
|
||||||
'';
|
|
||||||
|
|
||||||
# TODO: this could be fetched automagically with these:
|
|
||||||
# - https://simplesamlphp.org/docs/contrib_modules/metarefresh/simplesamlphp-automated_metadata.html
|
|
||||||
# - https://idp.pvv.ntnu.no/simplesaml/saml2/idp/metadata.php
|
|
||||||
metadataSaml20IdpRemotePhp = ''
|
|
||||||
<?php
|
|
||||||
$metadata['https://idp.pvv.ntnu.no/'] = array (
|
|
||||||
'metadata-set' => 'saml20-idp-remote',
|
|
||||||
'entityid' => 'https://idp.pvv.ntnu.no/',
|
|
||||||
'SingleSignOnService' =>
|
|
||||||
array (
|
|
||||||
0 =>
|
|
||||||
array (
|
|
||||||
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
|
|
||||||
'Location' => 'https://idp.pvv.ntnu.no/simplesaml/saml2/idp/SSOService.php',
|
|
||||||
),
|
|
||||||
),
|
|
||||||
'SingleLogoutService' =>
|
|
||||||
array (
|
|
||||||
0 =>
|
|
||||||
array (
|
|
||||||
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
|
|
||||||
'Location' => 'https://idp.pvv.ntnu.no/simplesaml/saml2/idp/SingleLogoutService.php',
|
|
||||||
),
|
|
||||||
),
|
|
||||||
'certData' => 'pvvcert.pem',
|
|
||||||
'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient',
|
|
||||||
);
|
|
||||||
'';
|
|
||||||
|
|
||||||
pvvcert = ''
|
|
||||||
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
|
|
||||||
'';
|
|
||||||
|
|
||||||
passAsFile = [
|
|
||||||
"configAuthsourcesPhp"
|
|
||||||
"metadataSaml20IdpRemotePhp"
|
|
||||||
"pvvcert"
|
|
||||||
];
|
|
||||||
|
|
||||||
postPatch = ''
|
|
||||||
install -Dm444 "$configAuthsourcesPhpPath" "config/authsources.php"
|
|
||||||
install -Dm444 "$metadataSaml20IdpRemotePhpPath" "metadata/saml20-idp-remote.php"
|
|
||||||
install -Dm444 "$pvvcertPath" "cert/pvvcert.pem"
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
|
|
||||||
in ''
|
|
||||||
$wgServer = "https://bekkalokk.pvv.ntnu.no";
|
$wgServer = "https://bekkalokk.pvv.ntnu.no";
|
||||||
$wgLocaltimezone = "Europe/Oslo";
|
$wgLocaltimezone = "Europe/Oslo";
|
||||||
|
|
||||||
|
@ -162,17 +127,36 @@ in {
|
||||||
$wgLocalInterwiki = $wgSitename;
|
$wgLocalInterwiki = $wgSitename;
|
||||||
|
|
||||||
# SimpleSAML
|
# SimpleSAML
|
||||||
$wgSimpleSAMLphp_InstallDir = "${SimpleSAMLphpRepo}";
|
$wgSimpleSAMLphp_InstallDir = "${SimpleSAMLphpRepo}/share/php/configuredSimpleSAML/";
|
||||||
$wgSimpleSAMLphp_AuthSourceId = "default-sp";
|
$wgSimpleSAMLphp_AuthSourceId = "default-sp";
|
||||||
$wgSimpleSAMLphp_RealNameAttribute = "cn";
|
$wgSimpleSAMLphp_RealNameAttribute = "cn";
|
||||||
$wgSimpleSAMLphp_EmailAttribute = "mail";
|
$wgSimpleSAMLphp_EmailAttribute = "mail";
|
||||||
$wgSimpleSAMLphp_UsernameAttribute = "uid";
|
$wgSimpleSAMLphp_UsernameAttribute = "uid";
|
||||||
|
|
||||||
|
$wgPluggableAuth_Config['Log in using my SAML'] = [
|
||||||
|
'plugin' => 'SimpleSAMLphp',
|
||||||
|
'data' => [
|
||||||
|
'authSourceId' => 'default-sp',
|
||||||
|
]
|
||||||
|
];
|
||||||
|
|
||||||
# Fix https://github.com/NixOS/nixpkgs/issues/183097
|
# Fix https://github.com/NixOS/nixpkgs/issues/183097
|
||||||
$wgDBserver = "${toString cfg.database.host}";
|
$wgDBserver = "${toString cfg.database.host}";
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
|
# 'usernameAttribute' => 'username',
|
||||||
|
# 'realNameAttribute' => 'name',
|
||||||
|
# 'emailAttribute' => 'email'
|
||||||
|
|
||||||
|
# Cache directory for simplesamlphp
|
||||||
|
# systemd.services.phpfpm-mediawiki.serviceConfig.CacheDirectory = "mediawiki/simplesamlphp";
|
||||||
|
systemd.tmpfiles.settings."10-mediawiki"."/var/cache/mediawiki/simplesamlphp/core".d = {
|
||||||
|
user = "mediawiki";
|
||||||
|
group = "mediawiki";
|
||||||
|
mode = "0770";
|
||||||
|
};
|
||||||
|
|
||||||
# Override because of https://github.com/NixOS/nixpkgs/issues/183097
|
# Override because of https://github.com/NixOS/nixpkgs/issues/183097
|
||||||
systemd.services.mediawiki-init.script = let
|
systemd.services.mediawiki-init.script = let
|
||||||
# According to module
|
# According to module
|
||||||
|
@ -210,6 +194,10 @@ in {
|
||||||
root = "${config.services.mediawiki.finalPackage}/share/mediawiki";
|
root = "${config.services.mediawiki.finalPackage}/share/mediawiki";
|
||||||
locations = {
|
locations = {
|
||||||
"/" = {
|
"/" = {
|
||||||
|
index = "index.php";
|
||||||
|
};
|
||||||
|
|
||||||
|
"~ /(.+\\.php)" = {
|
||||||
extraConfig = ''
|
extraConfig = ''
|
||||||
fastcgi_split_path_info ^(.+\.php)(/.+)$;
|
fastcgi_split_path_info ^(.+\.php)(/.+)$;
|
||||||
fastcgi_index index.php;
|
fastcgi_index index.php;
|
||||||
|
@ -219,7 +207,40 @@ in {
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
|
# based on https://simplesamlphp.org/docs/stable/simplesamlphp-install.html#configuring-nginx
|
||||||
|
"^~ /simplesaml/" = {
|
||||||
|
alias = "${SimpleSAMLphpRepo}/share/php/configuredSimpleSAML/public/";
|
||||||
|
index = "index.php";
|
||||||
|
|
||||||
|
extraConfig = ''
|
||||||
|
location ~ ^/simplesaml/(?<phpfile>.+?\.php)(?<pathinfo>/.*)?$ {
|
||||||
|
include ${pkgs.nginx}/conf/fastcgi_params;
|
||||||
|
fastcgi_pass unix:${config.services.phpfpm.pools.mediawiki.socket};
|
||||||
|
fastcgi_param SCRIPT_FILENAME ${SimpleSAMLphpRepo}/share/php/configuredSimpleSAML/public/$phpfile;
|
||||||
|
|
||||||
|
# Must be prepended with the baseurlpath
|
||||||
|
fastcgi_param SCRIPT_NAME /simplesaml/$phpfile;
|
||||||
|
|
||||||
|
fastcgi_param PATH_INFO $pathinfo if_not_empty;
|
||||||
|
}
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
"/images".root = config.services.mediawiki.uploadsDir;
|
"/images".root = config.services.mediawiki.uploadsDir;
|
||||||
|
|
||||||
|
"= /PNG/PVV-logo.png".alias = ../../../../assets/logo_blue_regular.png;
|
||||||
|
|
||||||
|
# Redirects from gitea
|
||||||
|
"/Projects".return = "301 $scheme://git.pvv.ntnu.no$request_uri";
|
||||||
|
"^~ /Projects/(.+\\.php)".return = "301 $scheme://git.pvv.ntnu.no$request_uri";
|
||||||
|
"/oysteikt".return = "301 $scheme://git.pvv.ntnu.no$request_uri";
|
||||||
|
"/Drift".return = "301 $scheme://git.pvv.ntnu.no$request_uri";
|
||||||
|
"/felixalb".return = "301 $scheme://git.pvv.ntnu.no$request_uri";
|
||||||
|
"/adriangl".return = "301 $scheme://git.pvv.ntnu.no$request_uri";
|
||||||
|
"/danio".return = "301 $scheme://git.pvv.ntnu.no$request_uri";
|
||||||
|
"/pederbs".return = "301 $scheme://git.pvv.ntnu.no$request_uri";
|
||||||
|
"/jonmro".return = "301 $scheme://git.pvv.ntnu.no$request_uri";
|
||||||
|
"/explore".return = "301 $scheme://git.pvv.ntnu.no$request_uri";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
}
|
}
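Review bot: The SimpleSAMLphp cookie salt and admin password are fixed at build time by the `substituteInPlace` lines in hunk `@ -6,6 +6,42 @@` (`--replace '$SAML_COOKIE_SALT' '"asdfasdfasjdf"'` and `--replace '$SAML_ADMIN_PASSWORD' '"asdfasdfasdf"'`), so both values land in the world-readable Nix store and in git history, and the admin password is what guards the `/simplesaml/` endpoints (admin pages included) that the nginx `^~ /simplesaml/` location in the last hunk serves. Even if these are WIP placeholders, the pattern should change before a real password is set: the file already declares `sops.secrets`, so config.php can load the value at runtime instead, e.g. `--replace '$SAML_ADMIN_PASSWORD' 'trim(file_get_contents("<ADMIN_PASSWORD_SECRET_PATH>"))'` with the path taken from the corresponding sops secret and made readable by the phpfpm pool user. The cookie salt is also meant to be a secret, so it should be a random per-host value read the same way rather than a literal in the expression. `$SAML_TRUSTED_DOMAINS` and `$SAML_COOKIE_SECURE` are fine as build-time substitutions since they are not sensitive.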
|
|
@ -0,0 +1,11 @@
|
||||||
|
<?php
|
||||||
|
$config = array(
|
||||||
|
|
||||||
|
/* This is the name of this authentication source, and will be used to access it later. */
|
||||||
|
'default-sp' => array(
|
||||||
|
'saml:SP',
|
||||||
|
# 'entityID' => 'https://wiki.pvv.ntnu.no/',
|
||||||
|
'entityID' => 'https://bekkalokk.pvv.ntnu.no/',
|
||||||
|
'idp' => 'https://idp.pvv.ntnu.no/',
|
||||||
|
),
|
||||||
|
);
|
|
@ -0,0 +1,23 @@
|
||||||
|
<?php
|
||||||
|
$metadata['https://idp.pvv.ntnu.no/'] = array (
|
||||||
|
'metadata-set' => 'saml20-idp-remote',
|
||||||
|
'entityid' => 'https://idp.pvv.ntnu.no/',
|
||||||
|
'SingleSignOnService' =>
|
||||||
|
array (
|
||||||
|
0 =>
|
||||||
|
array (
|
||||||
|
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
|
||||||
|
'Location' => 'https://idp.pvv.ntnu.no/simplesaml/saml2/idp/SSOService.php',
|
||||||
|
),
|
||||||
|
),
|
||||||
|
'SingleLogoutService' =>
|
||||||
|
array (
|
||||||
|
0 =>
|
||||||
|
array (
|
||||||
|
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
|
||||||
|
'Location' => 'https://idp.pvv.ntnu.no/simplesaml/saml2/idp/SingleLogoutService.php',
|
||||||
|
),
|
||||||
|
),
|
||||||
|
'certData' => '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',
|
||||||
|
'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient',
|
||||||
|
);
|