WIP: bekkalokk: init mediawiki
Co-authored-by: Jørn Åne <yorinad@pvv.ntnu.no>
parent
a1d0fed204
commit
f492280940
|
@ -14,7 +14,7 @@
|
||||||
./services/gitea/default.nix
|
./services/gitea/default.nix
|
||||||
./services/kerberos
|
./services/kerberos
|
||||||
./services/webmail
|
./services/webmail
|
||||||
# ./services/mediawiki.nix
|
./services/mediawiki
|
||||||
./services/idp-simplesamlphp
|
./services/idp-simplesamlphp
|
||||||
];
|
];
|
||||||
|
|
||||||
|
|
|
@ -4,6 +4,7 @@
|
||||||
* Authenticate using HTTP login.
|
* Authenticate using HTTP login.
|
||||||
*
|
*
|
||||||
* @author Yorn de Jong
|
* @author Yorn de Jong
|
||||||
|
* @author Oystein Kristoffer Tveit
|
||||||
* @package simpleSAMLphp
|
* @package simpleSAMLphp
|
||||||
*/
|
*/
|
||||||
|
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
{ pkgs, lib, config, values, ... }: let
|
{ pkgs, lib, config, values, pkgs-unstable, ... }: let
|
||||||
cfg = config.services.mediawiki;
|
cfg = config.services.mediawiki;
|
||||||
|
|
||||||
# "mediawiki"
|
# "mediawiki"
|
||||||
|
@ -6,14 +6,38 @@
|
||||||
|
|
||||||
# "mediawiki"
|
# "mediawiki"
|
||||||
group = config.users.users.${user}.group;
|
group = config.users.users.${user}.group;
|
||||||
|
|
||||||
|
simplesamlphp = pkgs.simplesamlphp.override {
|
||||||
|
extra_files = {
|
||||||
|
"metadata/saml20-idp-remote.php" = pkgs.writeText "mediawiki-saml20-idp-remote.php" (import ../idp-simplesamlphp/metadata.php.nix);
|
||||||
|
|
||||||
|
"config/authsources.php" = ./simplesaml-authsources.php;
|
||||||
|
|
||||||
|
"config/config.php" = pkgs.runCommandLocal "mediawiki-simplesamlphp-config.php" { } ''
|
||||||
|
cp ${./simplesaml-config.php} "$out"
|
||||||
|
|
||||||
|
substituteInPlace "$out" \
|
||||||
|
--replace '$SAML_COOKIE_SECURE' 'true' \
|
||||||
|
--replace '$SAML_COOKIE_SALT' 'file_get_contents("${config.sops.secrets."mediawiki/simplesamlphp/cookie_salt".path}")' \
|
||||||
|
--replace '$SAML_ADMIN_NAME' '"Drift"' \
|
||||||
|
--replace '$SAML_ADMIN_EMAIL' '"drift@pvv.ntnu.no"' \
|
||||||
|
--replace '$SAML_ADMIN_PASSWORD' 'file_get_contents("${config.sops.secrets."mediawiki/simplesamlphp/admin_password".path}")' \
|
||||||
|
--replace '$SAML_TRUSTED_DOMAINS' 'array( "wiki2.pvv.ntnu.no" )' \
|
||||||
|
--replace '$STATE_DIRECTORY' '/var/lib/mediawiki' \
|
||||||
|
--replace '$CACHE_DIRECTORY' '/var/cache/mediawiki/idp'
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
};
|
||||||
in {
|
in {
|
||||||
|
services.idp.sp-remote-metadata = [ "https://wiki2.pvv.ntnu.no/simplesaml/" ];
|
||||||
|
|
||||||
sops.secrets = {
|
sops.secrets = {
|
||||||
"mediawiki/password" = {
|
"mediawiki/password" = {
|
||||||
restartUnits = [ "mediawiki-init.service" "phpfpm-mediawiki.service" ];
|
restartUnits = [ "mediawiki-init.service" "phpfpm-mediawiki.service" ];
|
||||||
owner = user;
|
owner = user;
|
||||||
group = group;
|
group = group;
|
||||||
};
|
};
|
||||||
"keys/postgres/mediawiki" = {
|
"mediawiki/database" = {
|
||||||
restartUnits = [ "mediawiki-init.service" "phpfpm-mediawiki.service" ];
|
restartUnits = [ "mediawiki-init.service" "phpfpm-mediawiki.service" ];
|
||||||
owner = user;
|
owner = user;
|
||||||
group = group;
|
group = group;
|
||||||
|
@ -30,7 +54,7 @@ in {
|
||||||
type = "postgres";
|
type = "postgres";
|
||||||
host = "postgres.pvv.ntnu.no";
|
host = "postgres.pvv.ntnu.no";
|
||||||
port = config.services.postgresql.port;
|
port = config.services.postgresql.port;
|
||||||
passwordFile = config.sops.secrets."keys/postgres/mediawiki".path;
|
passwordFile = config.sops.secrets."mediawiki/database".path;
|
||||||
createLocally = false;
|
createLocally = false;
|
||||||
# TODO: create a normal database and copy over old data when the service is production ready
|
# TODO: create a normal database and copy over old data when the service is production ready
|
||||||
name = "mediawiki_test";
|
name = "mediawiki_test";
|
||||||
|
@ -51,10 +75,11 @@ in {
|
||||||
"pm.max_spare_servers" = 4;
|
"pm.max_spare_servers" = 4;
|
||||||
"listen.owner" = listenUser;
|
"listen.owner" = listenUser;
|
||||||
"listen.group" = listenGroup;
|
"listen.group" = listenGroup;
|
||||||
"php_admin_value[error_log]" = "stderr";
|
|
||||||
"php_admin_flag[log_errors]" = "on";
|
|
||||||
"env[PATH]" = lib.makeBinPath [ pkgs.php ];
|
|
||||||
"catch_workers_output" = true;
|
"catch_workers_output" = true;
|
||||||
|
"php_admin_flag[log_errors]" = true;
|
||||||
|
# "php_admin_value[error_log]" = "stderr";
|
||||||
|
|
||||||
# to accept *.html file
|
# to accept *.html file
|
||||||
"security.limit_extensions" = "";
|
"security.limit_extensions" = "";
|
||||||
};
|
};
|
||||||
|
@ -63,35 +88,8 @@ in {
|
||||||
inherit (pkgs.mediawiki-extensions) DeleteBatch UserMerge PluggableAuth SimpleSAMLphp;
|
inherit (pkgs.mediawiki-extensions) DeleteBatch UserMerge PluggableAuth SimpleSAMLphp;
|
||||||
};
|
};
|
||||||
|
|
||||||
extraConfig = let
|
extraConfig = ''
|
||||||
|
$wgServer = "https://wiki2.pvv.ntnu.no";
|
||||||
SimpleSAMLphpRepo = pkgs.stdenvNoCC.mkDerivation rec {
|
|
||||||
pname = "configuredSimpleSAML";
|
|
||||||
version = "2.0.4";
|
|
||||||
src = pkgs.fetchzip {
|
|
||||||
url = "https://github.com/simplesamlphp/simplesamlphp/releases/download/v${version}/simplesamlphp-${version}.tar.gz";
|
|
||||||
sha256 = "sha256-pfMV/VmqqxgtG7Nx4s8MW4tWSaxOkVPtCRJwxV6RDSE=";
|
|
||||||
};
|
|
||||||
|
|
||||||
buildPhase = ''
|
|
||||||
cat > config/authsources.php << EOF
|
|
||||||
<?php
|
|
||||||
$config = array(
|
|
||||||
'default-sp' => array(
|
|
||||||
'saml:SP',
|
|
||||||
'idp' => 'https://idp.pvv.ntnu.no/',
|
|
||||||
),
|
|
||||||
);
|
|
||||||
EOF
|
|
||||||
'';
|
|
||||||
|
|
||||||
installPhase = ''
|
|
||||||
cp -r . $out
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
|
|
||||||
in ''
|
|
||||||
$wgServer = "https://bekkalokk.pvv.ntnu.no";
|
|
||||||
$wgLocaltimezone = "Europe/Oslo";
|
$wgLocaltimezone = "Europe/Oslo";
|
||||||
|
|
||||||
# Only allow login through SSO
|
# Only allow login through SSO
|
||||||
|
@ -106,7 +104,10 @@ in {
|
||||||
$wgGroupPermissions['*']['edit'] = false;
|
$wgGroupPermissions['*']['edit'] = false;
|
||||||
|
|
||||||
# Styling
|
# Styling
|
||||||
$wgLogo = "/PNG/PVV-logo.png";
|
$wgLogos = array(
|
||||||
|
"2x" => "/PNG/PVV-logo.png",
|
||||||
|
"svg" => "/PNG/PVV-logo.svg",
|
||||||
|
);
|
||||||
$wgDefaultSkin = "monobook";
|
$wgDefaultSkin = "monobook";
|
||||||
|
|
||||||
# Misc
|
# Misc
|
||||||
|
@ -116,17 +117,30 @@ in {
|
||||||
$wgLocalInterwiki = $wgSitename;
|
$wgLocalInterwiki = $wgSitename;
|
||||||
|
|
||||||
# SimpleSAML
|
# SimpleSAML
|
||||||
$wgSimpleSAMLphp_InstallDir = "${SimpleSAMLphpRepo}";
|
$wgSimpleSAMLphp_InstallDir = "${simplesamlphp}/share/php/simplesamlphp/";
|
||||||
$wgSimpleSAMLphp_AuthSourceId = "default-sp";
|
$wgPluggableAuth_Config['Log in using my SAML'] = [
|
||||||
$wgSimpleSAMLphp_RealNameAttribute = "cn";
|
'plugin' => 'SimpleSAMLphp',
|
||||||
$wgSimpleSAMLphp_EmailAttribute = "mail";
|
'data' => [
|
||||||
$wgSimpleSAMLphp_UsernameAttribute = "uid";
|
'authSourceId' => 'default-sp',
|
||||||
|
'usernameAttribute' => 'uid',
|
||||||
|
'emailAttribute' => 'mail',
|
||||||
|
'realNameAttribute' => 'cn',
|
||||||
|
]
|
||||||
|
];
|
||||||
|
|
||||||
# Fix https://github.com/NixOS/nixpkgs/issues/183097
|
# Fix https://github.com/NixOS/nixpkgs/issues/183097
|
||||||
$wgDBserver = "${toString cfg.database.host}";
|
$wgDBserver = "${toString cfg.database.host}";
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
|
# Cache directory for simplesamlphp
|
||||||
|
# systemd.services.phpfpm-mediawiki.serviceConfig.CacheDirectory = "mediawiki/simplesamlphp";
|
||||||
|
systemd.tmpfiles.settings."10-mediawiki"."/var/cache/mediawiki/simplesamlphp".d = {
|
||||||
|
user = "mediawiki";
|
||||||
|
group = "mediawiki";
|
||||||
|
mode = "0770";
|
||||||
|
};
|
||||||
|
|
||||||
# Override because of https://github.com/NixOS/nixpkgs/issues/183097
|
# Override because of https://github.com/NixOS/nixpkgs/issues/183097
|
||||||
systemd.services.mediawiki-init.script = let
|
systemd.services.mediawiki-init.script = let
|
||||||
# According to module
|
# According to module
|
||||||
|
@ -157,4 +171,49 @@ in {
|
||||||
|
|
||||||
${pkgs.php}/bin/php ${pkg}/share/mediawiki/maintenance/update.php --conf ${mediawikiConfig} --quick
|
${pkgs.php}/bin/php ${pkg}/share/mediawiki/maintenance/update.php --conf ${mediawikiConfig} --quick
|
||||||
'';
|
'';
|
||||||
|
|
||||||
|
services.nginx.virtualHosts."wiki2.pvv.ntnu.no" = {
|
||||||
|
forceSSL = true;
|
||||||
|
enableACME = true;
|
||||||
|
root = "${config.services.mediawiki.finalPackage}/share/mediawiki";
|
||||||
|
locations = {
|
||||||
|
"/" = {
|
||||||
|
index = "index.php";
|
||||||
|
};
|
||||||
|
|
||||||
|
"~ /(.+\\.php)" = {
|
||||||
|
extraConfig = ''
|
||||||
|
fastcgi_split_path_info ^(.+\.php)(/.+)$;
|
||||||
|
fastcgi_index index.php;
|
||||||
|
fastcgi_pass unix:${config.services.phpfpm.pools.mediawiki.socket};
|
||||||
|
include ${pkgs.nginx}/conf/fastcgi_params;
|
||||||
|
include ${pkgs.nginx}/conf/fastcgi.conf;
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
|
# based on https://simplesamlphp.org/docs/stable/simplesamlphp-install.html#configuring-nginx
|
||||||
|
"^~ /simplesaml/" = {
|
||||||
|
alias = "${simplesamlphp}/share/php/simplesamlphp/public/";
|
||||||
|
index = "index.php";
|
||||||
|
|
||||||
|
extraConfig = ''
|
||||||
|
location ~ ^/simplesaml/(?<phpfile>.+?\.php)(?<pathinfo>/.*)?$ {
|
||||||
|
include ${pkgs.nginx}/conf/fastcgi_params;
|
||||||
|
fastcgi_pass unix:${config.services.phpfpm.pools.mediawiki.socket};
|
||||||
|
fastcgi_param SCRIPT_FILENAME ${simplesamlphp}/share/php/simplesamlphp/public/$phpfile;
|
||||||
|
|
||||||
|
# Must be prepended with the baseurlpath
|
||||||
|
fastcgi_param SCRIPT_NAME /simplesaml/$phpfile;
|
||||||
|
|
||||||
|
fastcgi_param PATH_INFO $pathinfo if_not_empty;
|
||||||
|
}
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
|
"/images".root = config.services.mediawiki.uploadsDir;
|
||||||
|
|
||||||
|
"= /PNG/PVV-logo.png".alias = ../../../../assets/logo_blue_regular.png;
|
||||||
|
"= /PNG/PVV-logo.svg".alias = ../../../../assets/logo_blue_regular.svg;
|
||||||
|
};
|
||||||
|
};
|
||||||
}
|
}
|
|
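Review bot: The cache path handed to the substituted config.php does not match the directory this commit creates: `--replace '$CACHE_DIRECTORY' '/var/cache/mediawiki/idp'` points simplesamlphp at `/var/cache/mediawiki/idp`, while the tmpfiles rule further down prepares `/var/cache/mediawiki/simplesamlphp` (with user/group hard-coded as `"mediawiki"` instead of the `user`/`group` bindings used for the sops secrets). Unless `simplesaml-config.php` treats that placeholder differently, the SP will never use the directory tmpfiles set up; I would change the replacement to `--replace '$CACHE_DIRECTORY' '/var/cache/mediawiki/simplesamlphp'` and write the tmpfiles entry as `user = user; group = group;`. The same override reads `config.sops.secrets."mediawiki/simplesamlphp/cookie_salt".path` and `..."mediawiki/simplesamlphp/admin_password".path`, but no `sops.secrets` declaration with `owner = user` for either appears in this section, so if they are declared elsewhere confirm the php-fpm user can read them — `file_get_contents` returns `false` on failure and that would silently become the cookie salt. The new nginx location `"~ /(.+\\.php)"` is unanchored and has no `try_files $fastcgi_script_name =404;` guard, so any URI containing `.php` is forwarded to php-fpm; given the pool's existing `security.limit_extensions = ""`, tightening the pattern to end in `\\.php(/|$)` or adding the `try_files` check would keep non-script paths away from the interpreter.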
@ -0,0 +1,12 @@
|
||||||
|
<?php
|
||||||
|
$config = array(
|
||||||
|
'admin' => array(
|
||||||
|
'core:AdminPassword'
|
||||||
|
),
|
||||||
|
'default-sp' => array(
|
||||||
|
'saml:SP',
|
||||||
|
'entityID' => 'https://wiki2.pvv.ntnu.no/simplesaml/',
|
||||||
|
# 'entityID' => 'https://idp2.pvv.ntnu.no/',
|
||||||
|
'idp' => 'https://idp2.pvv.ntnu.no/',
|
||||||
|
),
|
||||||
|
);
|
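Review bot: The commented-out `# 'entityID' => 'https://idp2.pvv.ntnu.no/',` directly under the live `entityID` looks like a leftover from the IdP's own authsources and should be removed, since it reads as though the SP could be given the IdP's entity ID. The `admin` source built on `core:AdminPassword` makes the simplesamlphp admin UI usable through the `^~ /simplesaml/` nginx location added in the same commit; its password is presumably the `$SAML_ADMIN_PASSWORD` value substituted into config.php, so a one-line comment above the `'admin'` entry naming that dependency would keep the two files from drifting apart. A single-line `//` comment would also match the PHP style of the rest of the repository better than `#`.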