WIP: bekkalokk: init mediawiki

Co-authored-by: Jørn Åne <yorinad@pvv.ntnu.no>
This commit is contained in:
Oystein Kristoffer Tveit 2023-11-04 23:16:15 +01:00
parent a1d0fed204
commit f492280940
Signed by: oysteikt
GPG Key ID: 9F2F7D8250F35146
5 changed files with 1407 additions and 42 deletions

View File

@ -14,7 +14,7 @@
./services/gitea/default.nix ./services/gitea/default.nix
./services/kerberos ./services/kerberos
./services/webmail ./services/webmail
# ./services/mediawiki.nix ./services/mediawiki
./services/idp-simplesamlphp ./services/idp-simplesamlphp
]; ];

View File

@ -4,6 +4,7 @@
* Authenticate using HTTP login. * Authenticate using HTTP login.
* *
* @author Yorn de Jong * @author Yorn de Jong
* @author Oystein Kristoffer Tveit
* @package simpleSAMLphp * @package simpleSAMLphp
*/ */

View File

@ -1,4 +1,4 @@
{ pkgs, lib, config, values, ... }: let { pkgs, lib, config, values, pkgs-unstable, ... }: let
cfg = config.services.mediawiki; cfg = config.services.mediawiki;
# "mediawiki" # "mediawiki"
@ -6,14 +6,38 @@
# "mediawiki" # "mediawiki"
group = config.users.users.${user}.group; group = config.users.users.${user}.group;
simplesamlphp = pkgs.simplesamlphp.override {
extra_files = {
"metadata/saml20-idp-remote.php" = pkgs.writeText "mediawiki-saml20-idp-remote.php" (import ../idp-simplesamlphp/metadata.php.nix);
"config/authsources.php" = ./simplesaml-authsources.php;
"config/config.php" = pkgs.runCommandLocal "mediawiki-simplesamlphp-config.php" { } ''
cp ${./simplesaml-config.php} "$out"
substituteInPlace "$out" \
--replace '$SAML_COOKIE_SECURE' 'true' \
--replace '$SAML_COOKIE_SALT' 'file_get_contents("${config.sops.secrets."mediawiki/simplesamlphp/cookie_salt".path}")' \
--replace '$SAML_ADMIN_NAME' '"Drift"' \
--replace '$SAML_ADMIN_EMAIL' '"drift@pvv.ntnu.no"' \
--replace '$SAML_ADMIN_PASSWORD' 'file_get_contents("${config.sops.secrets."mediawiki/simplesamlphp/admin_password".path}")' \
--replace '$SAML_TRUSTED_DOMAINS' 'array( "wiki2.pvv.ntnu.no" )' \
--replace '$STATE_DIRECTORY' '/var/lib/mediawiki' \
--replace '$CACHE_DIRECTORY' '/var/cache/mediawiki/idp'
'';
};
};
in { in {
services.idp.sp-remote-metadata = [ "https://wiki2.pvv.ntnu.no/simplesaml/" ];
sops.secrets = { sops.secrets = {
"mediawiki/password" = { "mediawiki/password" = {
restartUnits = [ "mediawiki-init.service" "phpfpm-mediawiki.service" ]; restartUnits = [ "mediawiki-init.service" "phpfpm-mediawiki.service" ];
owner = user; owner = user;
group = group; group = group;
}; };
"keys/postgres/mediawiki" = { "mediawiki/database" = {
restartUnits = [ "mediawiki-init.service" "phpfpm-mediawiki.service" ]; restartUnits = [ "mediawiki-init.service" "phpfpm-mediawiki.service" ];
owner = user; owner = user;
group = group; group = group;
@ -30,7 +54,7 @@ in {
type = "postgres"; type = "postgres";
host = "postgres.pvv.ntnu.no"; host = "postgres.pvv.ntnu.no";
port = config.services.postgresql.port; port = config.services.postgresql.port;
passwordFile = config.sops.secrets."keys/postgres/mediawiki".path; passwordFile = config.sops.secrets."mediawiki/database".path;
createLocally = false; createLocally = false;
# TODO: create a normal database and copy over old data when the service is production ready # TODO: create a normal database and copy over old data when the service is production ready
name = "mediawiki_test"; name = "mediawiki_test";
@ -51,10 +75,11 @@ in {
"pm.max_spare_servers" = 4; "pm.max_spare_servers" = 4;
"listen.owner" = listenUser; "listen.owner" = listenUser;
"listen.group" = listenGroup; "listen.group" = listenGroup;
"php_admin_value[error_log]" = "stderr";
"php_admin_flag[log_errors]" = "on";
"env[PATH]" = lib.makeBinPath [ pkgs.php ];
"catch_workers_output" = true; "catch_workers_output" = true;
"php_admin_flag[log_errors]" = true;
# "php_admin_value[error_log]" = "stderr";
# to accept *.html file # to accept *.html file
"security.limit_extensions" = ""; "security.limit_extensions" = "";
}; };
@ -63,35 +88,8 @@ in {
inherit (pkgs.mediawiki-extensions) DeleteBatch UserMerge PluggableAuth SimpleSAMLphp; inherit (pkgs.mediawiki-extensions) DeleteBatch UserMerge PluggableAuth SimpleSAMLphp;
}; };
extraConfig = let extraConfig = ''
$wgServer = "https://wiki2.pvv.ntnu.no";
SimpleSAMLphpRepo = pkgs.stdenvNoCC.mkDerivation rec {
pname = "configuredSimpleSAML";
version = "2.0.4";
src = pkgs.fetchzip {
url = "https://github.com/simplesamlphp/simplesamlphp/releases/download/v${version}/simplesamlphp-${version}.tar.gz";
sha256 = "sha256-pfMV/VmqqxgtG7Nx4s8MW4tWSaxOkVPtCRJwxV6RDSE=";
};
buildPhase = ''
cat > config/authsources.php << EOF
<?php
$config = array(
'default-sp' => array(
'saml:SP',
'idp' => 'https://idp.pvv.ntnu.no/',
),
);
EOF
'';
installPhase = ''
cp -r . $out
'';
};
in ''
$wgServer = "https://bekkalokk.pvv.ntnu.no";
$wgLocaltimezone = "Europe/Oslo"; $wgLocaltimezone = "Europe/Oslo";
# Only allow login through SSO # Only allow login through SSO
@ -106,7 +104,10 @@ in {
$wgGroupPermissions['*']['edit'] = false; $wgGroupPermissions['*']['edit'] = false;
# Styling # Styling
$wgLogo = "/PNG/PVV-logo.png"; $wgLogos = array(
"2x" => "/PNG/PVV-logo.png",
"svg" => "/PNG/PVV-logo.svg",
);
$wgDefaultSkin = "monobook"; $wgDefaultSkin = "monobook";
# Misc # Misc
@ -116,17 +117,30 @@ in {
$wgLocalInterwiki = $wgSitename; $wgLocalInterwiki = $wgSitename;
# SimpleSAML # SimpleSAML
$wgSimpleSAMLphp_InstallDir = "${SimpleSAMLphpRepo}"; $wgSimpleSAMLphp_InstallDir = "${simplesamlphp}/share/php/simplesamlphp/";
$wgSimpleSAMLphp_AuthSourceId = "default-sp"; $wgPluggableAuth_Config['Log in using my SAML'] = [
$wgSimpleSAMLphp_RealNameAttribute = "cn"; 'plugin' => 'SimpleSAMLphp',
$wgSimpleSAMLphp_EmailAttribute = "mail"; 'data' => [
$wgSimpleSAMLphp_UsernameAttribute = "uid"; 'authSourceId' => 'default-sp',
'usernameAttribute' => 'uid',
'emailAttribute' => 'mail',
'realNameAttribute' => 'cn',
]
];
# Fix https://github.com/NixOS/nixpkgs/issues/183097 # Fix https://github.com/NixOS/nixpkgs/issues/183097
$wgDBserver = "${toString cfg.database.host}"; $wgDBserver = "${toString cfg.database.host}";
''; '';
}; };
# Cache directory for simplesamlphp
# systemd.services.phpfpm-mediawiki.serviceConfig.CacheDirectory = "mediawiki/simplesamlphp";
systemd.tmpfiles.settings."10-mediawiki"."/var/cache/mediawiki/simplesamlphp".d = {
user = "mediawiki";
group = "mediawiki";
mode = "0770";
};
# Override because of https://github.com/NixOS/nixpkgs/issues/183097 # Override because of https://github.com/NixOS/nixpkgs/issues/183097
systemd.services.mediawiki-init.script = let systemd.services.mediawiki-init.script = let
# According to module # According to module
@ -157,4 +171,49 @@ in {
${pkgs.php}/bin/php ${pkg}/share/mediawiki/maintenance/update.php --conf ${mediawikiConfig} --quick ${pkgs.php}/bin/php ${pkg}/share/mediawiki/maintenance/update.php --conf ${mediawikiConfig} --quick
''; '';
services.nginx.virtualHosts."wiki2.pvv.ntnu.no" = {
forceSSL = true;
enableACME = true;
root = "${config.services.mediawiki.finalPackage}/share/mediawiki";
locations = {
"/" = {
index = "index.php";
};
"~ /(.+\\.php)" = {
extraConfig = ''
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_index index.php;
fastcgi_pass unix:${config.services.phpfpm.pools.mediawiki.socket};
include ${pkgs.nginx}/conf/fastcgi_params;
include ${pkgs.nginx}/conf/fastcgi.conf;
'';
};
# based on https://simplesamlphp.org/docs/stable/simplesamlphp-install.html#configuring-nginx
"^~ /simplesaml/" = {
alias = "${simplesamlphp}/share/php/simplesamlphp/public/";
index = "index.php";
extraConfig = ''
location ~ ^/simplesaml/(?<phpfile>.+?\.php)(?<pathinfo>/.*)?$ {
include ${pkgs.nginx}/conf/fastcgi_params;
fastcgi_pass unix:${config.services.phpfpm.pools.mediawiki.socket};
fastcgi_param SCRIPT_FILENAME ${simplesamlphp}/share/php/simplesamlphp/public/$phpfile;
# Must be prepended with the baseurlpath
fastcgi_param SCRIPT_NAME /simplesaml/$phpfile;
fastcgi_param PATH_INFO $pathinfo if_not_empty;
}
'';
};
"/images".root = config.services.mediawiki.uploadsDir;
"= /PNG/PVV-logo.png".alias = ../../../../assets/logo_blue_regular.png;
"= /PNG/PVV-logo.svg".alias = ../../../../assets/logo_blue_regular.svg;
};
};
} }

View File

@ -0,0 +1,12 @@
<?php
$config = array(
'admin' => array(
'core:AdminPassword'
),
'default-sp' => array(
'saml:SP',
'entityID' => 'https://wiki2.pvv.ntnu.no/simplesaml/',
# 'entityID' => 'https://idp2.pvv.ntnu.no/',
'idp' => 'https://idp2.pvv.ntnu.no/',
),
);

File diff suppressed because it is too large Load Diff