WIP: bekkalokk: init mediawiki

bekkalokk: package mediawiki extensions outside of module
packages: init simplesamlphp
2024-03-29 01:56:21 +01:00 · 2024-03-29 01:53:47 +01:00 · 2024-03-29 01:51:37 +01:00 · 2024-03-29 01:51:37 +01:00 · 2024-03-29 01:51:37 +01:00
19 changed files with 3662 additions and 200 deletions
--- a/flake.nix
+++ b/flake.nix
@ -53,16 +53,14 @@
          modules = [
            ./hosts/${name}/configuration.nix
            sops-nix.nixosModules.sops
-          ];
+          ] ++ config.modules or [];
          pkgs = import nixpkgs {
            inherit system;
-            overlays = [
+            overlays = [ ] ++ config.overlays or [ ];
              inputs.pvv-calendar-bot.overlays.${system}.default
            ];
          };
        }
-        config
+        (removeAttrs config [ "modules" "overlays" ])
      );
      stableNixosConfig = nixosConfig nixpkgs;
@ -70,19 +68,23 @@
    in {
      bicep = stableNixosConfig "bicep" {
        modules = [
          ./hosts/bicep/configuration.nix
          sops-nix.nixosModules.sops
          inputs.matrix-next.nixosModules.default
          inputs.pvv-calendar-bot.nixosModules.default
        ];
        overlays = [
          inputs.pvv-calendar-bot.overlays.x86_64-linux.default
        ];
      };
      bekkalokk = stableNixosConfig "bekkalokk" {
        overlays = [
          (final: prev: {
            heimdal = final.callPackage ./packages/heimdal { };
            mediawiki-extensions = final.callPackage ./packages/mediawiki-extensions { };
          })
        ];
      };
      bekkalokk = stableNixosConfig "bekkalokk" { };
      bob = stableNixosConfig "bob" {
        modules = [
          ./hosts/bob/configuration.nix
          sops-nix.nixosModules.sops
          disko.nixosModules.disko
          { disko.devices.disk.disk1.device = "/dev/vda"; }
        ];
@ -93,28 +95,17 @@
      brzeczyszczykiewicz = stableNixosConfig "brzeczyszczykiewicz" {
        modules = [
          ./hosts/brzeczyszczykiewicz/configuration.nix
          sops-nix.nixosModules.sops
          inputs.grzegorz.nixosModules.grzegorz-kiosk
          inputs.grzegorz-clients.nixosModules.grzegorz-webui
        ];
      };
      georg = stableNixosConfig "georg" {
        modules = [
          ./hosts/georg/configuration.nix
          sops-nix.nixosModules.sops
          inputs.grzegorz.nixosModules.grzegorz-kiosk
          inputs.grzegorz-clients.nixosModules.grzegorz-webui
        ];
      };
-      buskerud = stableNixosConfig "buskerud" {
+      buskerud = stableNixosConfig "buskerud" { };
        modules = [
          ./hosts/buskerud/configuration.nix
          sops-nix.nixosModules.sops
        ];
      };
    };
    devShells = forAllSystems (system: {
@ -130,6 +121,15 @@
          (nixlib.getAttrs importantMachines self.packages.x86_64-linux);
        all-machines = pkgs.linkFarm "all-machines"
          (nixlib.getAttrs allMachines self.packages.x86_64-linux);
        #######################
        # TODO: remove this once nixos 24.05 gets released
        #######################
        heimdal = pkgs.callPackage ./packages/heimdal { };
        simplesamlphp = pkgs.callPackage ./packages/simplesamlphp { };
        mediawiki-extensions = pkgs.callPackage ./packages/mediawiki-extensions { };
      } // nixlib.genAttrs allMachines
        (machine: self.nixosConfigurations.${machine}.config.system.build.toplevel);
    };
--- a/hosts/bekkalokk/configuration.nix
+++ b/hosts/bekkalokk/configuration.nix
@ -12,8 +12,9 @@
    # ./services/website.nix
    ./services/nginx
    ./services/gitea/default.nix
    ./services/kerberos
    ./services/webmail
-    # ./services/mediawiki.nix
+    ./services/mediawiki
  ];
  sops.defaultSopsFile = ../../secrets/bekkalokk/bekkalokk.yaml;
--- a/hosts/bekkalokk/services/kerberos/default.nix
+++ b/hosts/bekkalokk/services/kerberos/default.nix
@ -0,0 +1,27 @@
 { config, pkgs, lib, ... }:
 {
  #######################
  # TODO: remove these once nixos 24.05 gets released
  #######################
  imports = [
    ./krb5.nix
    ./pam.nix
  ];
  disabledModules = [
    "config/krb5/default.nix"
    "security/pam.nix"
  ];
  #######################
  security.krb5 = {
    enable = true;
    settings = {
      libdefaults = {
        default_realm = "PVV.NTNU.NO";
        dns_lookup_realm = "yes";
        dns_lookup_kdc = "yes";
      };
      realms."PVV.NTNU.NO".admin_server = "kdc.pvv.ntnu.no";
    };
  };
 }
--- a/hosts/bekkalokk/services/kerberos/krb5-conf-format.nix
+++ b/hosts/bekkalokk/services/kerberos/krb5-conf-format.nix
@ -0,0 +1,88 @@
 { pkgs, lib, ... }:
 # Based on
 # - https://web.mit.edu/kerberos/krb5-1.12/doc/admin/conf_files/krb5_conf.html
 # - https://manpages.debian.org/unstable/heimdal-docs/krb5.conf.5heimdal.en.html
 let
  inherit (lib) boolToString concatMapStringsSep concatStringsSep filter
    isAttrs isBool isList mapAttrsToList mdDoc mkOption singleton splitString;
  inherit (lib.types) attrsOf bool coercedTo either int listOf oneOf path
    str submodule;
 in
 { }: {
  type = let
    section = attrsOf relation;
    relation = either (attrsOf value) value;
    value = either (listOf atom) atom;
    atom = oneOf [int str bool];
  in submodule {
    freeformType = attrsOf section;
    options = {
      include = mkOption {
        default = [ ];
        description = mdDoc ''
          Files to include in the Kerberos configuration.
        '';
        type = coercedTo path singleton (listOf path);
      };
      includedir = mkOption {
        default = [ ];
        description = mdDoc ''
          Directories containing files to include in the Kerberos configuration.
        '';
        type = coercedTo path singleton (listOf path);
      };
      module = mkOption {
        default = [ ];
        description = mdDoc ''
          Modules to obtain Kerberos configuration from.
        '';
        type = coercedTo path singleton (listOf path);
      };
    };
  };
  generate = let
    indent = str: concatMapStringsSep "\n" (line: "  " + line) (splitString "\n" str);
    formatToplevel = args @ {
      include ? [ ],
      includedir ? [ ],
      module ? [ ],
      ...
    }: let
      sections = removeAttrs args [ "include" "includedir" "module" ];
    in concatStringsSep "\n" (filter (x: x != "") [
      (concatStringsSep "\n" (mapAttrsToList formatSection sections))
      (concatMapStringsSep "\n" (m: "module ${m}") module)
      (concatMapStringsSep "\n" (i: "include ${i}") include)
      (concatMapStringsSep "\n" (i: "includedir ${i}") includedir)
    ]);
    formatSection = name: section: ''
      [${name}]
      ${indent (concatStringsSep "\n" (mapAttrsToList formatRelation section))}
    '';
    formatRelation = name: relation:
      if isAttrs relation
      then ''
        ${name} = {
        ${indent (concatStringsSep "\n" (mapAttrsToList formatValue relation))}
        }''
      else formatValue name relation;
    formatValue = name: value:
      if isList value
      then concatMapStringsSep "\n" (formatAtom name) value
      else formatAtom name value;
    formatAtom = name: atom: let
      v = if isBool atom then boolToString atom else toString atom;
    in "${name} = ${v}";
  in
    name: value: pkgs.writeText name ''
      ${formatToplevel value}
    '';
 }
--- a/hosts/bekkalokk/services/kerberos/krb5.nix
+++ b/hosts/bekkalokk/services/kerberos/krb5.nix
@ -0,0 +1,90 @@
 { config, lib, pkgs, ... }:
 let
  inherit (lib) mdDoc mkIf mkOption mkPackageOption mkRemovedOptionModule;
  inherit (lib.types) bool;
  mkRemovedOptionModule' = name: reason: mkRemovedOptionModule ["krb5" name] reason;
  mkRemovedOptionModuleCfg = name: mkRemovedOptionModule' name ''
    The option `krb5.${name}' has been removed. Use
    `security.krb5.settings.${name}' for structured configuration.
  '';
  cfg = config.security.krb5;
  format = import ./krb5-conf-format.nix { inherit pkgs lib; } { };
 in {
  imports = [
    (mkRemovedOptionModuleCfg "libdefaults")
    (mkRemovedOptionModuleCfg "realms")
    (mkRemovedOptionModuleCfg "domain_realm")
    (mkRemovedOptionModuleCfg "capaths")
    (mkRemovedOptionModuleCfg "appdefaults")
    (mkRemovedOptionModuleCfg "plugins")
    (mkRemovedOptionModuleCfg "config")
    (mkRemovedOptionModuleCfg "extraConfig")
    (mkRemovedOptionModule' "kerberos" ''
      The option `krb5.kerberos' has been moved to `security.krb5.package'.
    '')
  ];
  options = {
    security.krb5 = {
      enable = mkOption {
        default = false;
        description = mdDoc "Enable and configure Kerberos utilities";
        type = bool;
      };
      package = mkPackageOption pkgs "krb5" {
        example = "heimdal";
      };
      settings = mkOption {
        default = { };
        type = format.type;
        description = mdDoc ''
          Structured contents of the {file}`krb5.conf` file. See
          {manpage}`krb5.conf(5)` for details about configuration.
        '';
        example = {
          include = [ "/run/secrets/secret-krb5.conf" ];
          includedir = [ "/run/secrets/secret-krb5.conf.d" ];
          libdefaults = {
            default_realm = "ATHENA.MIT.EDU";
          };
          realms = {
            "ATHENA.MIT.EDU" = {
              admin_server = "athena.mit.edu";
              kdc = [
                "athena01.mit.edu"
                "athena02.mit.edu"
              ];
            };
          };
          domain_realm = {
            "mit.edu" = "ATHENA.MIT.EDU";
          };
          logging = {
            kdc = "SYSLOG:NOTICE";
            admin_server = "SYSLOG:NOTICE";
            default = "SYSLOG:NOTICE";
          };
        };
      };
    };
  };
  config = mkIf cfg.enable {
    environment = {
      systemPackages = [ cfg.package ];
      etc."krb5.conf".source = format.generate "krb5.conf" cfg.settings;
    };
  };
  meta.maintainers = builtins.attrValues {
    inherit (lib.maintainers) dblsaiko h7x4;
  };
 }
--- a/hosts/bekkalokk/services/kerberos/pam.nix
+++ b/hosts/bekkalokk/services/kerberos/pam.nix
--- a/hosts/bekkalokk/services/mediawiki.nix
+++ b/hosts/bekkalokk/services/mediawiki.nix
@ -1,175 +0,0 @@
 { pkgs, lib, config, values, ... }: let
  cfg = config.services.mediawiki;
  # "mediawiki"
  user = config.systemd.services.mediawiki-init.serviceConfig.User;
  # "mediawiki"
  group = config.users.users.${user}.group;
 in {
  sops.secrets = {
    "mediawiki/password" = {
      restartUnits = [ "mediawiki-init.service" "phpfpm-mediawiki.service" ];
      owner = user;
      group = group;
    };
    "keys/postgres/mediawiki" = {
      restartUnits = [ "mediawiki-init.service" "phpfpm-mediawiki.service" ];
      owner = user;
      group = group;
    };
  };
  services.mediawiki = {
    enable = true;
    name = "Programvareverkstedet";
    passwordFile = config.sops.secrets."mediawiki/password".path;
    passwordSender = "drift@pvv.ntnu.no";
    database = {
      type = "postgres";
      host = "postgres.pvv.ntnu.no";
      port = config.services.postgresql.port;
      passwordFile = config.sops.secrets."keys/postgres/mediawiki".path;
      createLocally = false;
      # TODO: create a normal database and copy over old data when the service is production ready
      name = "mediawiki_test";
    };
    # Host through nginx
    webserver = "none";
    poolConfig = let
      listenUser = config.services.nginx.user;
      listenGroup = config.services.nginx.group;
    in {
      inherit user group;
      "pm" = "dynamic";
      "pm.max_children" = 32;
      "pm.max_requests" = 500;
      "pm.start_servers" = 2;
      "pm.min_spare_servers" = 2;
      "pm.max_spare_servers" = 4;
      "listen.owner" = listenUser;
      "listen.group" = listenGroup;
      "php_admin_value[error_log]" = "stderr";
      "php_admin_flag[log_errors]" = "on";
      "env[PATH]" = lib.makeBinPath [ pkgs.php ];
      "catch_workers_output" = true;
      # to accept *.html file
      "security.limit_extensions" = "";
    };
    extensions = {
      DeleteBatch = pkgs.fetchzip {
        url = "https://extdist.wmflabs.org/dist/extensions/DeleteBatch-REL1_39-995ea6f.tar.gz";
 	sha256 = "sha256-0F4GLCy2f5WcWIY2YgF1tVxgYbglR0VOsj/pMrW93b8=";
      };
      UserMerge = pkgs.fetchzip {
        url = "https://extdist.wmflabs.org/dist/extensions/UserMerge-REL1_39-b10d50e.tar.gz";
 	sha256 = "sha256-bXhj1+OlOUJDbvEuc8iwqb1LLEu6cN6+C/7cAvnWPOQ=";
      };
      PluggableAuth = pkgs.fetchzip {
        url = "https://extdist.wmflabs.org/dist/extensions/PluggableAuth-REL1_39-1210fc3.tar.gz";
 	sha256 = "sha256-F6bTMCzkK3kZwZGIsNE87WlZWqXXmTMhEjApO99YKR0=";
      };
      SimpleSAMLphp = pkgs.fetchzip {
        url = "https://extdist.wmflabs.org/dist/extensions/SimpleSAMLphp-REL1_39-dcf0acb.tar.gz";
        sha256 = "sha256-tCvFmb2+q2rxms+lRo5pgoI3h6GjCwXAR8XisPg03TQ=";
      };
    };
    extraConfig = let
      SimpleSAMLphpRepo = pkgs.stdenvNoCC.mkDerivation rec {
        pname = "configuredSimpleSAML";
 	version = "2.0.4";
        src = pkgs.fetchzip {
          url = "https://github.com/simplesamlphp/simplesamlphp/releases/download/v${version}/simplesamlphp-${version}.tar.gz";
          sha256 = "sha256-pfMV/VmqqxgtG7Nx4s8MW4tWSaxOkVPtCRJwxV6RDSE=";
        };
 	buildPhase = ''
          cat > config/authsources.php << EOF
          <?php
          $config = array(
            'default-sp' => array(
              'saml:SP',
              'idp' => 'https://idp.pvv.ntnu.no/',
            ),
          );
 	  EOF
 	'';
 	installPhase = ''
 	  cp -r . $out
 	'';
      };
    in ''
      $wgServer = "https://bekkalokk.pvv.ntnu.no";
      $wgLocaltimezone = "Europe/Oslo";
      # Only allow login through SSO
      $wgEnableEmail = false;
      $wgEnableUserEmail = false;
      $wgEmailAuthentication = false;
      $wgGroupPermissions['*']['createaccount'] = false;
      $wgGroupPermissions['*']['autocreateaccount'] = true;
      $wgPluggableAuth_EnableAutoLogin = true;
      # Disable anonymous editing
      $wgGroupPermissions['*']['edit'] = false;
      # Styling
      $wgLogo = "/PNG/PVV-logo.png";
      $wgDefaultSkin = "monobook";
      # Misc
      $wgEmergencyContact = "${cfg.passwordSender}";
      $wgShowIPinHeader = false;
      $wgUseTeX = false;
      $wgLocalInterwiki = $wgSitename;
      # SimpleSAML
      $wgSimpleSAMLphp_InstallDir = "${SimpleSAMLphpRepo}";
      $wgSimpleSAMLphp_AuthSourceId = "default-sp";
      $wgSimpleSAMLphp_RealNameAttribute = "cn";
      $wgSimpleSAMLphp_EmailAttribute = "mail";
      $wgSimpleSAMLphp_UsernameAttribute = "uid";
      # Fix https://github.com/NixOS/nixpkgs/issues/183097
      $wgDBserver = "${toString cfg.database.host}";
    '';
  };
  # Override because of https://github.com/NixOS/nixpkgs/issues/183097
  systemd.services.mediawiki-init.script = let
    # According to module
    stateDir = "/var/lib/mediawiki";
    pkg = cfg.finalPackage;
    mediawikiConfig = config.services.phpfpm.pools.mediawiki.phpEnv.MEDIAWIKI_CONFIG;
    inherit (lib) optionalString mkForce;
  in mkForce ''
    if ! test -e "${stateDir}/secret.key"; then
      tr -dc A-Za-z0-9 </dev/urandom 2>/dev/null | head -c 64 > ${stateDir}/secret.key
    fi
    echo "exit( wfGetDB( DB_MASTER )->tableExists( 'user' ) ? 1 : 0 );" | \
    ${pkgs.php}/bin/php ${pkg}/share/mediawiki/maintenance/eval.php --conf ${mediawikiConfig} && \
    ${pkgs.php}/bin/php ${pkg}/share/mediawiki/maintenance/install.php \
      --confpath /tmp \
      --scriptpath / \
      --dbserver "${cfg.database.host}" \
      --dbport ${toString cfg.database.port} \
      --dbname ${cfg.database.name} \
      ${optionalString (cfg.database.tablePrefix != null) "--dbprefix ${cfg.database.tablePrefix}"} \
      --dbuser ${cfg.database.user} \
      ${optionalString (cfg.database.passwordFile != null) "--dbpassfile ${cfg.database.passwordFile}"} \
      --passfile ${cfg.passwordFile} \
      --dbtype ${cfg.database.type} \
      ${cfg.name} \
      admin
    ${pkgs.php}/bin/php ${pkg}/share/mediawiki/maintenance/update.php --conf ${mediawikiConfig} --quick
  '';
 }
--- a/hosts/bekkalokk/services/mediawiki/default.nix
+++ b/hosts/bekkalokk/services/mediawiki/default.nix
@ -0,0 +1,246 @@
 { pkgs, lib, config, values, pkgs-unstable, ... }: let
  cfg = config.services.mediawiki;
  # "mediawiki"
  user = config.systemd.services.mediawiki-init.serviceConfig.User;
  # "mediawiki"
  group = config.users.users.${user}.group;
  SimpleSAMLphpRepo = pkgs.php.buildComposerProject rec {
    pname = "configuredSimpleSAML";
    version = "2.2.1";
    src = pkgs.fetchFromGitHub {
      owner = "simplesamlphp";
      repo = "simplesamlphp";
      # name = "simple-saml-php-source";
      # url = "https://github.com/simplesamlphp/simplesamlphp/releases/download/v${version}/simplesamlphp-${version}.tar.gz";
      rev = "v${version}";
      hash = "sha256-jo7xma60M4VZgeDgyFumvJp1Sm+RP4XaugDkttQVB+k=";
    };
    composerStrictValidation = false;
    vendorHash = "sha256-n6lJ/Fb6xI124PkKJMbJBDiuISlukWQcHl043uHoBb4=";
    # TODO: metadata could be fetched automagically with these:
    #   - https://simplesamlphp.org/docs/contrib_modules/metarefresh/simplesamlphp-automated_metadata.html
    #   - https://idp.pvv.ntnu.no/simplesaml/saml2/idp/metadata.php
    postPatch = ''
      install -Dm444 "${./simplesamlphp/authsources.php}" "config/authsources.php"
      install -Dm444 "${./simplesamlphp/saml20-idp-remote.php}" "metadata/saml20-idp-remote.php"
      install -Dm444 "${./simplesamlphp/config.php}" "config/config.php"
      substituteInPlace config/config.php \
        --replace '$SAML_COOKIE_SECURE' 'true' \
        --replace '$SAML_COOKIE_SALT' '"asdfasdfasjdf"' \
        --replace '$SAML_ADMIN_PASSWORD' '"asdfasdfasdf"' \
        --replace '$SAML_TRUSTED_DOMAINS' 'array( "bekkalokk.pvv.ntnu.no" )'
    '';
    postInstall = ''
      ln -sr $out/share/php/configuredSimpleSAML/vendor/simplesamlphp/simplesamlphp-assets-base $out/share/php/configuredSimpleSAML/public/assets/base
    '';
  };
 in {
  sops.secrets = {
    "mediawiki/password" = {
      restartUnits = [ "mediawiki-init.service" "phpfpm-mediawiki.service" ];
      owner = user;
      group = group;
    };
    "mediawiki/database" = {
      restartUnits = [ "mediawiki-init.service" "phpfpm-mediawiki.service" ];
      owner = user;
      group = group;
    };
  };
  services.mediawiki = {
    enable = true;
    name = "Programvareverkstedet";
    passwordFile = config.sops.secrets."mediawiki/password".path;
    passwordSender = "drift@pvv.ntnu.no";
    database = {
      type = "postgres";
      host = "postgres.pvv.ntnu.no";
      port = config.services.postgresql.port;
      passwordFile = config.sops.secrets."mediawiki/database".path;
      createLocally = false;
      # TODO: create a normal database and copy over old data when the service is production ready
      name = "mediawiki_test";
    };
    # Host through nginx
    webserver = "none";
    poolConfig = let
      listenUser = config.services.nginx.user;
      listenGroup = config.services.nginx.group;
    in {
      inherit user group;
      "pm" = "dynamic";
      "pm.max_children" = 32;
      "pm.max_requests" = 500;
      "pm.start_servers" = 2;
      "pm.min_spare_servers" = 2;
      "pm.max_spare_servers" = 4;
      "listen.owner" = listenUser;
      "listen.group" = listenGroup;
      "env[PATH]" = lib.makeBinPath [ pkgs.php ];
      "catch_workers_output" = true;
      "php_admin_flag[log_errors]" = true;
      # "php_admin_value[error_log]" = "stderr";
      # to accept *.html file
      "security.limit_extensions" = "";
    };
    extensions = {
      inherit (pkgs.mediawiki-extensions) DeleteBatch UserMerge PluggableAuth SimpleSAMLphp;
    };
    extraConfig = ''
      $wgServer = "https://bekkalokk.pvv.ntnu.no";
      $wgLocaltimezone = "Europe/Oslo";
      # Only allow login through SSO
      $wgEnableEmail = false;
      $wgEnableUserEmail = false;
      $wgEmailAuthentication = false;
      $wgGroupPermissions['*']['createaccount'] = false;
      $wgGroupPermissions['*']['autocreateaccount'] = true;
      $wgPluggableAuth_EnableAutoLogin = true;
      # Disable anonymous editing
      $wgGroupPermissions['*']['edit'] = false;
      # Styling
      $wgLogo = "/PNG/PVV-logo.png";
      $wgDefaultSkin = "monobook";
      # Misc
      $wgEmergencyContact = "${cfg.passwordSender}";
      $wgShowIPinHeader = false;
      $wgUseTeX = false;
      $wgLocalInterwiki = $wgSitename;
      # SimpleSAML
      $wgSimpleSAMLphp_InstallDir = "${SimpleSAMLphpRepo}/share/php/configuredSimpleSAML/";
      $wgSimpleSAMLphp_AuthSourceId = "default-sp";
      $wgSimpleSAMLphp_RealNameAttribute = "cn";
      $wgSimpleSAMLphp_EmailAttribute = "mail";
      $wgSimpleSAMLphp_UsernameAttribute = "uid";
      $wgPluggableAuth_Config['Log in using my SAML'] = [
        'plugin' => 'SimpleSAMLphp',
        'data' => [
          'authSourceId' => 'default-sp',
        ]
      ];
      # Fix https://github.com/NixOS/nixpkgs/issues/183097
      $wgDBserver = "${toString cfg.database.host}";
    '';
  };
          # 'usernameAttribute' => 'username',
          # 'realNameAttribute' => 'name',
          # 'emailAttribute' => 'email'
  # Cache directory for simplesamlphp
  # systemd.services.phpfpm-mediawiki.serviceConfig.CacheDirectory = "mediawiki/simplesamlphp";
  systemd.tmpfiles.settings."10-mediawiki"."/var/cache/mediawiki/simplesamlphp/core".d = {
    user = "mediawiki";
    group = "mediawiki";
    mode = "0770";
  };
  # Override because of https://github.com/NixOS/nixpkgs/issues/183097
  systemd.services.mediawiki-init.script = let
    # According to module
    stateDir = "/var/lib/mediawiki";
    pkg = cfg.finalPackage;
    mediawikiConfig = config.services.phpfpm.pools.mediawiki.phpEnv.MEDIAWIKI_CONFIG;
    inherit (lib) optionalString mkForce;
  in mkForce ''
    if ! test -e "${stateDir}/secret.key"; then
      tr -dc A-Za-z0-9 </dev/urandom 2>/dev/null | head -c 64 > ${stateDir}/secret.key
    fi
    echo "exit( wfGetDB( DB_MASTER )->tableExists( 'user' ) ? 1 : 0 );" | \
    ${pkgs.php}/bin/php ${pkg}/share/mediawiki/maintenance/eval.php --conf ${mediawikiConfig} && \
    ${pkgs.php}/bin/php ${pkg}/share/mediawiki/maintenance/install.php \
      --confpath /tmp \
      --scriptpath / \
      --dbserver "${cfg.database.host}" \
      --dbport ${toString cfg.database.port} \
      --dbname ${cfg.database.name} \
      ${optionalString (cfg.database.tablePrefix != null) "--dbprefix ${cfg.database.tablePrefix}"} \
      --dbuser ${cfg.database.user} \
      ${optionalString (cfg.database.passwordFile != null) "--dbpassfile ${cfg.database.passwordFile}"} \
      --passfile ${cfg.passwordFile} \
      --dbtype ${cfg.database.type} \
      ${cfg.name} \
      admin
    ${pkgs.php}/bin/php ${pkg}/share/mediawiki/maintenance/update.php --conf ${mediawikiConfig} --quick
  '';
  services.nginx.virtualHosts."bekkalokk.pvv.ntnu.no" = {
    forceSSL = true;
    enableACME = true;
    root = "${config.services.mediawiki.finalPackage}/share/mediawiki";
    locations =  {
      "/" = {
 	index = "index.php";
      };
      "~ /(.+\\.php)" = {
        extraConfig = ''
          fastcgi_split_path_info ^(.+\.php)(/.+)$;
          fastcgi_index index.php;
          fastcgi_pass unix:${config.services.phpfpm.pools.mediawiki.socket};
          include ${pkgs.nginx}/conf/fastcgi_params;
          include ${pkgs.nginx}/conf/fastcgi.conf;
        '';
      };
      # based on https://simplesamlphp.org/docs/stable/simplesamlphp-install.html#configuring-nginx
      "^~ /simplesaml/" = {
        alias = "${SimpleSAMLphpRepo}/share/php/configuredSimpleSAML/public/";
        index = "index.php";
        extraConfig = ''
          location ~ ^/simplesaml/(?<phpfile>.+?\.php)(?<pathinfo>/.*)?$ {
            include ${pkgs.nginx}/conf/fastcgi_params;
            fastcgi_pass unix:${config.services.phpfpm.pools.mediawiki.socket}; 
            fastcgi_param SCRIPT_FILENAME ${SimpleSAMLphpRepo}/share/php/configuredSimpleSAML/public/$phpfile;
            # Must be prepended with the baseurlpath
            fastcgi_param SCRIPT_NAME /simplesaml/$phpfile;
            fastcgi_param PATH_INFO $pathinfo if_not_empty;
          }
        '';
      };
      "/images".root = config.services.mediawiki.uploadsDir;
      "= /PNG/PVV-logo.png".alias = ../../../../assets/logo_blue_regular.png;
      # Redirects from gitea
      "/Projects".return = "301 $scheme://git.pvv.ntnu.no$request_uri";
      "^~ /Projects/(.+\\.php)".return = "301 $scheme://git.pvv.ntnu.no$request_uri";
      "/oysteikt".return = "301 $scheme://git.pvv.ntnu.no$request_uri";
      "/Drift".return = "301 $scheme://git.pvv.ntnu.no$request_uri";
      "/felixalb".return = "301 $scheme://git.pvv.ntnu.no$request_uri";
      "/adriangl".return = "301 $scheme://git.pvv.ntnu.no$request_uri";
      "/danio".return = "301 $scheme://git.pvv.ntnu.no$request_uri";
      "/pederbs".return = "301 $scheme://git.pvv.ntnu.no$request_uri";
      "/jonmro".return = "301 $scheme://git.pvv.ntnu.no$request_uri";
      "/explore".return = "301 $scheme://git.pvv.ntnu.no$request_uri";
    };
  };
 }
--- a/hosts/bekkalokk/services/mediawiki/simplesamlphp/authsources.php
+++ b/hosts/bekkalokk/services/mediawiki/simplesamlphp/authsources.php
@ -0,0 +1,11 @@
 <?php
 $config = array(
    /* This is the name of this authentication source, and will be used to access it later. */
    'default-sp' => array(
        'saml:SP',
        # 'entityID' => 'https://wiki.pvv.ntnu.no/',
        'entityID' => 'https://bekkalokk.pvv.ntnu.no/',
        'idp' => 'https://idp.pvv.ntnu.no/',
    ),
 );
--- a/hosts/bekkalokk/services/mediawiki/simplesamlphp/config.php
+++ b/hosts/bekkalokk/services/mediawiki/simplesamlphp/config.php
--- a/hosts/bekkalokk/services/mediawiki/simplesamlphp/saml20-idp-remote.php
+++ b/hosts/bekkalokk/services/mediawiki/simplesamlphp/saml20-idp-remote.php
@ -0,0 +1,23 @@
 <?php
 $metadata['https://idp.pvv.ntnu.no/'] = array (
  'metadata-set' => 'saml20-idp-remote',
  'entityid' => 'https://idp.pvv.ntnu.no/',
  'SingleSignOnService' => 
  array (
    0 => 
    array (
      'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
      'Location' => 'https://idp.pvv.ntnu.no/simplesaml/saml2/idp/SSOService.php',
    ),
  ),
  'SingleLogoutService' => 
  array (
    0 => 
    array (
      'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
      'Location' => 'https://idp.pvv.ntnu.no/simplesaml/saml2/idp/SingleLogoutService.php',
    ),
  ),
  'certData' => 'MIIDpTCCAo2gAwIBAgIJAJIgibrB7NvsMA0GCSqGSIb3DQEBCwUAMGkxCzAJBgNVBAYTAk5PMR4wHAYDVQQKDBVQcm9ncmFtdmFyZXZlcmtzdGVkZXQxGDAWBgNVBAMMD2lkcC5wdnYubnRudS5ubzEgMB4GCSqGSIb3DQEJARYRZHJpZnRAcHZ2Lm50bnUubm8wHhcNMTcxMTEzMjI0NTQyWhcNMjcxMTEzMjI0NTQyWjBpMQswCQYDVQQGEwJOTzEeMBwGA1UECgwVUHJvZ3JhbXZhcmV2ZXJrc3RlZGV0MRgwFgYDVQQDDA9pZHAucHZ2Lm50bnUubm8xIDAeBgkqhkiG9w0BCQEWEWRyaWZ0QHB2di5udG51Lm5vMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAveLujCsgVCRA360y5yezy8FcSPhaqodggDqY12UTkYOMQLBFaph6uUL4oCUlXZqxScrAYVRt9yw+7BYpcm0p51VZzVCsfMxRVkn+O1eUvsaXq3f13f87QHKYP2f0uqkGf5PvnKIdSaI/ix8WJhD8XT+h0OkHEcaBvUtSG7zbEhvG21WPHwgw2rvZSneArQ8tOitZC0u8VXSfdhtf6ynRseo0xC95634UwQAZivhQ2v4A6Tp57QG5DCXIJ9/z3PkINx3KB/hOeh0EP6Dpbp+7V0/t9778E3whpm4llrH144kzROhA7EgUgkZOjAVjxGCYlcj3xQPnnItihVOZ5B5qLwIDAQABo1AwTjAdBgNVHQ4EFgQUPLhrB+Qb/Kzz7Car9GJkKmEkz6swHwYDVR0jBBgwFoAUPLhrB+Qb/Kzz7Car9GJkKmEkz6swDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAd+4E6t0j8/p8rbZE8y/gZ9GsiRhxkR4l6JbMRUfEpqHKi415qstChRcP2Lo3Yd5qdmj9tLDWoPsqet1QgyTTmQTgUmPhhMOQDqSh90LuqEJseKWafXGS/SfWLH6MWVmzDV5YofJEw2ThPiU58GiS06OLS2poq1eAesa2LQ22J8yYisXM4sxImIFte+LYQ1+1evfBWcvU1vrGsQ0VLJHdef9WoXp1swUFhq4Zk0c7gjHiB1CFVlExAAlk9L6W3CVXmKIYlf4eUnEBGkC061Ir42+uhAMWO9Y/L1NEuboTyd2KAI/6JdKdzpmfk7zPVxWlNxNCZ7OPNuvOKp6VlpB2EA==',
  'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient',
 );
--- a/packages/heimdal/default.nix
+++ b/packages/heimdal/default.nix
@ -0,0 +1,178 @@
 { lib
 , stdenv
 , fetchFromGitHub
 , autoreconfHook
 , pkg-config
 , python3
 , perl
 , bison
 , flex
 , texinfo
 , perlPackages
 , openldap
 , libcap_ng
 , sqlite
 , openssl
 , db
 , libedit
 , pam
 , krb5
 , libmicrohttpd
 , cjson
 , CoreFoundation
 , Security
 , SystemConfiguration
 , curl
 , jdk
 , unzip
 , which
 , nixosTests
 , withCJSON ? true
 , withCapNG ? stdenv.isLinux
 # libmicrohttpd should theoretically work for darwin as well, but something is broken.
 # It affects tests check-bx509d and check-httpkadmind.
 , withMicroHTTPD ? stdenv.isLinux
 , withOpenLDAP ? true
 , withOpenLDAPAsHDBModule ? false
 , withOpenSSL ? true
 , withSQLite3 ? true
 }:
 assert lib.assertMsg (withOpenLDAPAsHDBModule -> withOpenLDAP) ''
  OpenLDAP needs to be enabled in order to build the OpenLDAP HDB Module.
 '';
 stdenv.mkDerivation {
  pname = "heimdal";
  version = "7.8.0-unstable-2023-11-29";
  src = fetchFromGitHub {
    owner = "heimdal";
    repo = "heimdal";
    rev = "3253c49544eacb33d5ad2f6f919b0696e5aab794";
    hash = "sha256-uljzQBzXrZCZjcIWfioqHN8YsbUUNy14Vo+A3vZIXzM=";
  };
  outputs = [ "out" "dev" "man" "info" ];
  nativeBuildInputs = [
    autoreconfHook
    pkg-config
    python3
    perl
    bison
    flex
    texinfo
  ]
  ++ (with perlPackages; [ JSON ]);
  buildInputs = [ db libedit pam ]
    ++ lib.optionals (stdenv.isDarwin) [ CoreFoundation Security SystemConfiguration ]
    ++ lib.optionals (withCJSON) [ cjson ]
    ++ lib.optionals (withCapNG) [ libcap_ng ]
    ++ lib.optionals (withMicroHTTPD) [ libmicrohttpd ]
    ++ lib.optionals (withOpenLDAP) [ openldap ]
    ++ lib.optionals (withOpenSSL) [ openssl ]
    ++ lib.optionals (withSQLite3) [ sqlite ];
  doCheck = true;
  nativeCheckInputs = [
    curl
    jdk
    unzip
    which
  ];
  configureFlags = [
    "--with-libedit-include=${libedit.dev}/include"
    "--with-libedit-lib=${libedit}/lib"
    "--with-berkeley-db-include=${db.dev}/include"
    "--with-berkeley-db"
    "--without-x"
    "--disable-afs-string-to-key"
  ] ++ lib.optionals (withCapNG) [
    "--with-capng"
  ] ++ lib.optionals (withCJSON) [
    "--with-cjson=${cjson}"
  ] ++ lib.optionals (withOpenLDAP) [
    "--with-openldap=${openldap.dev}"
  ] ++ lib.optionals (withOpenLDAPAsHDBModule) [
    "--enable-hdb-openldap-module"
  ] ++ lib.optionals (withSQLite3) [
    "--with-sqlite3=${sqlite.dev}"
  ];
  # (check-ldap) slapd resides within ${openldap}/libexec,
  #              which is not part of $PATH by default.
  # (check-ldap) prepending ${openldap}/bin to the path to avoid
  #              using the default installation of openldap on unsandboxed darwin systems,
  #              which does not support the new mdb backend at the moment (2024-01-13).
  # (check-ldap) the bdb backend got deprecated in favour of mdb in openldap 2.5.0,
  #              but the heimdal tests still seem to expect bdb as the openldap backend.
  #              This might be fixed upstream in a future update.
  patchPhase = ''
    runHook prePatch
    substituteInPlace tests/ldap/slapd-init.in \
      --replace 'SCHEMA_PATHS="' 'SCHEMA_PATHS="${openldap}/etc/schema '
    substituteInPlace tests/ldap/check-ldap.in \
      --replace 'PATH=' 'PATH=${openldap}/libexec:${openldap}/bin:'
    substituteInPlace tests/ldap/slapd.conf \
      --replace 'database	bdb' 'database mdb'
    runHook postPatch
  '';
  # (test_cc) heimdal uses librokens implementation of `secure_getenv` on darwin,
  #           which expects either USER or LOGNAME to be set.
  preCheck = lib.optionalString (stdenv.isDarwin) ''
    export USER=nix-builder
  '';
  # We need to build hcrypt for applications like samba
  postBuild = ''
    (cd include/hcrypto; make -j $NIX_BUILD_CORES)
    (cd lib/hcrypto; make -j $NIX_BUILD_CORES)
  '';
  postInstall = ''
    # Install hcrypto
    (cd include/hcrypto; make -j $NIX_BUILD_CORES install)
    (cd lib/hcrypto; make -j $NIX_BUILD_CORES install)
    mkdir -p $dev/bin
    mv $out/bin/krb5-config $dev/bin/
    # asn1 compilers, move them to $dev
    mv $out/libexec/heimdal/* $dev/bin
    rmdir $out/libexec/heimdal
    # compile_et is needed for cross-compiling this package and samba
    mv lib/com_err/.libs/compile_et $dev/bin
  '';
  # Issues with hydra
  #  In file included from hxtool.c:34:0:
  #  hx_locl.h:67:25: fatal error: pkcs10_asn1.h: No such file or directory
  #enableParallelBuilding = true;
  passthru = {
    implementation = "heimdal";
    tests.nixos = nixosTests.kerberos.heimdal;
  };
  meta = with lib; {
    homepage = "https://www.heimdal.software";
    changelog = "https://github.com/heimdal/heimdal/releases";
    description = "An implementation of Kerberos 5 (and some more stuff)";
    license = licenses.bsd3;
    platforms = platforms.unix;
    maintainers = with maintainers; [ h7x4 ];
  };
 }
--- a/packages/mediawiki-extensions/default.nix
+++ b/packages/mediawiki-extensions/default.nix
@ -0,0 +1,7 @@
 { pkgs, lib }:
 lib.makeScope pkgs.newScope (self: {
  DeleteBatch = self.callPackage ./delete-batch { };
  PluggableAuth = self.callPackage ./pluggable-auth { };
  SimpleSAMLphp = self.callPackage ./simple-saml-php { };
  UserMerge = self.callPackage ./user-merge { };
 })
--- a/packages/mediawiki-extensions/delete-batch/default.nix
+++ b/packages/mediawiki-extensions/delete-batch/default.nix
@ -0,0 +1,7 @@
 { fetchzip }:
 fetchzip {
  name = "mediawiki-delete-batch";
  url = "https://extdist.wmflabs.org/dist/extensions/DeleteBatch-REL1_41-5774fdd.tar.gz";
  hash = "sha256-ROkn93lf0mNXBvij9X2pMhd8LXZ0azOz7ZRaqZvhh8k=";
 }
--- a/packages/mediawiki-extensions/pluggable-auth/default.nix
+++ b/packages/mediawiki-extensions/pluggable-auth/default.nix
@ -0,0 +1,7 @@
 { fetchzip }:
 fetchzip {
  name = "mediawiki-pluggable-auth-source";
  url = "https://extdist.wmflabs.org/dist/extensions/PluggableAuth-REL1_41-d5b3ad8.tar.gz";
  hash = "sha256-OLlkKeSlfNgWXWwDdINrYRZpYuSGRwzZHgU8EYW6rYU=";
 }
--- a/packages/mediawiki-extensions/simple-saml-php/default.nix
+++ b/packages/mediawiki-extensions/simple-saml-php/default.nix
@ -0,0 +1,7 @@
 { fetchzip }:
 fetchzip {
  name = "mediawiki-simple-saml-php-source";
  url = "https://extdist.wmflabs.org/dist/extensions/SimpleSAMLphp-REL1_41-9ae0678.tar.gz";
  hash = "sha256-AmCaG5QXMJvi3N6zFyWylwYDt8GvyIk/0GFpM1Y0vkY=";
 }
--- a/packages/mediawiki-extensions/update-mediawiki-extensions.py
+++ b/packages/mediawiki-extensions/update-mediawiki-extensions.py
@ -0,0 +1,66 @@
 #!/usr/bin/env nix-shell
 #!nix-shell -i python3 -p "python3.withPackages(ps: with ps; [ beautifulsoup4 requests ])"
 import os
 from pathlib import Path
 import re
 import subprocess
 from collections import defaultdict
 from pprint import pprint
 import bs4
 import requests
 BASE_URL = "https://extdist.wmflabs.org/dist/extensions"
 def fetch_plugin_list(skip_master=True) -> dict[str, list[str]]:
    content = requests.get(BASE_URL).text
    soup = bs4.BeautifulSoup(content, features="html.parser")
    result = defaultdict(list)
    for a in soup.find_all('a'):
        if skip_master and 'master' in a.text:
            continue
        split = a.text.split('-')
        result[split[0]].append(a.text)
    return result
 def update(package_file: Path, plugin_list: dict[str, list[str]]) -> None:
    assert package_file.is_file()
    with open(package_file) as file:
        content = file.read()
    tarball = re.search(f'url = "{BASE_URL}/(.+\.tar\.gz)";', content).group(1)
    split = tarball.split('-')
    updated_tarball = plugin_list[split[0]][-1]
    _hash = re.search(f'hash = "(.+?)";', content).group(1)
    out, err = subprocess.Popen(
        ["nix-prefetch-url", "--unpack", "--type", "sha256", f"{BASE_URL}/{updated_tarball}"],
        stdout=subprocess.PIPE,
        stderr=subprocess.PIPE
    ).communicate()
    out, err = subprocess.Popen(
        ["nix", "hash", "to-sri", "--type", "sha256", out.decode().strip()],
        stdout=subprocess.PIPE,
        stderr=subprocess.PIPE
    ).communicate()
    updated_hash = out.decode().strip()
    if tarball == updated_tarball and _hash == updated_hash:
        return
    print(f"Updating: {tarball} ({_hash[7:14]}) -> {updated_tarball} ({updated_hash[7:14]})")
    updated_text = re.sub(f'url = "{BASE_URL}/.+?\.tar\.gz";', f'url = "{BASE_URL}/{updated_tarball}";', content)
    updated_text = re.sub('hash = ".+";', f'hash = "{updated_hash}";', updated_text)
    with open(package_file, 'w') as file:
        file.write(updated_text)
 if __name__ == "__main__":
    plugin_list = fetch_plugin_list()
    for direntry in os.scandir(Path(__file__).parent):
        if direntry.is_dir():
            update(Path(direntry) / "default.nix", plugin_list)
--- a/packages/mediawiki-extensions/user-merge/default.nix
+++ b/packages/mediawiki-extensions/user-merge/default.nix
@ -0,0 +1,7 @@
 { fetchzip }:
 fetchzip {
  name = "mediawiki-user-merge-source";
  url = "https://extdist.wmflabs.org/dist/extensions/UserMerge-REL1_41-a53af3b.tar.gz";
  hash = "sha256-TxUkEqMW79thYl1la2r+w9laRnd3uSYYg1xDB+1he1g=";
 }
--- a/packages/simplesamlphp/default.nix
+++ b/packages/simplesamlphp/default.nix
@ -0,0 +1,36 @@
 { php
 , writeText
 , fetchFromGitHub
 , configFile ? "config/config.php.dist"
 , authsourcesFile ? "config/authsources.php.dist"
 , saml20-idp-remoteFile ? writeText "saml20-idp-remote.php" "<?php ?>"
 }:
 php.buildComposerProject rec {
  pname = "simplesamlphp";
  version = "2.2.1";
  src = fetchFromGitHub {
    owner = "simplesamlphp";
    repo = "simplesamlphp";
    rev = "v${version}";
    hash = "sha256-jo7xma60M4VZgeDgyFumvJp1Sm+RP4XaugDkttQVB+k=";
  };
  composerStrictValidation = false;
  vendorHash = "sha256-n6lJ/Fb6xI124PkKJMbJBDiuISlukWQcHl043uHoBb4=";
  # TODO: metadata could be fetched automagically with these:
  #   - https://simplesamlphp.org/docs/contrib_modules/metarefresh/simplesamlphp-automated_metadata.html
  #   - https://idp.pvv.ntnu.no/simplesaml/saml2/idp/metadata.php
  postPatch = ''
    install -Dm444 "${configFile}" "config/config.php"
    install -Dm444 "${authsourcesFile}" "config/authsources.php"
    install -Dm444 "${saml20-idp-remoteFile}" "metadata/saml20-idp-remote.php"
  '';
  postInstall = ''
    ln -sr $out/share/php/simplesamlphp/vendor/simplesamlphp/simplesamlphp-assets-base $out/share/php/simplesamlphp/public/assets/base
  '';
 }
Author	SHA1	Message	Date
Oystein Kristoffer Tveit	c6ad8ee059	WIP: bekkalokk: init mediawiki Eval nix flake / evals (push) Failing after 1m56s Details	2024-03-29 01:56:21 +01:00
Oystein Kristoffer Tveit	01a9d60398	bekkalokk: package mediawiki extensions outside of module	2024-03-29 01:53:47 +01:00
Oystein Kristoffer Tveit	b185ac3e9d	packages: init simplesamlphp	2024-03-29 01:51:37 +01:00
Oystein Kristoffer Tveit	b0f8bd7bfa	bekkalokk: set up kerberos client	2024-03-29 01:51:37 +01:00
Oystein Kristoffer Tveit	64c7e3e365	flake.nix: fix usage of common nixos module/overlay list	2024-03-29 01:51:37 +01:00