WIP: bekkalokk: init mediawiki

flake.nix

@@ -53,16 +53,14 @@
           modules = [
             ./hosts/${name}/configuration.nix
             sops-nix.nixosModules.sops
-          ];
+          ] ++ config.modules or [];
 
           pkgs = import nixpkgs {
             inherit system;
-            overlays = [
-              inputs.pvv-calendar-bot.overlays.${system}.default
-            ];
+            overlays = [ ] ++ config.overlays or [ ];
           };
         }
-        config
+        (removeAttrs config [ "modules" "overlays" ])
       );
 
       stableNixosConfig = nixosConfig nixpkgs;
@@ -70,19 +68,23 @@
     in {
       bicep = stableNixosConfig "bicep" {
         modules = [
-          ./hosts/bicep/configuration.nix
-          sops-nix.nixosModules.sops
-
           inputs.matrix-next.nixosModules.default
           inputs.pvv-calendar-bot.nixosModules.default
         ];
+        overlays = [
+          inputs.pvv-calendar-bot.overlays.x86_64-linux.default
+        ];
+      };
+      bekkalokk = stableNixosConfig "bekkalokk" {
+        overlays = [
+          (final: prev: {
+            heimdal = final.callPackage ./packages/heimdal { };
+            mediawiki-extensions = final.callPackage ./packages/mediawiki-extensions { };
+          })
+        ];
       };
-      bekkalokk = stableNixosConfig "bekkalokk" { };
       bob = stableNixosConfig "bob" {
         modules = [
-          ./hosts/bob/configuration.nix
-          sops-nix.nixosModules.sops
-
           disko.nixosModules.disko
           { disko.devices.disk.disk1.device = "/dev/vda"; }
         ];
@@ -93,28 +95,17 @@
 
       brzeczyszczykiewicz = stableNixosConfig "brzeczyszczykiewicz" {
         modules = [
-          ./hosts/brzeczyszczykiewicz/configuration.nix
-          sops-nix.nixosModules.sops
-
           inputs.grzegorz.nixosModules.grzegorz-kiosk
           inputs.grzegorz-clients.nixosModules.grzegorz-webui
         ];
       };
       georg = stableNixosConfig "georg" {
         modules = [
-          ./hosts/georg/configuration.nix
-          sops-nix.nixosModules.sops
-
           inputs.grzegorz.nixosModules.grzegorz-kiosk
           inputs.grzegorz-clients.nixosModules.grzegorz-webui
         ];
       };
-      buskerud = stableNixosConfig "buskerud" {
-        modules = [
-          ./hosts/buskerud/configuration.nix
-          sops-nix.nixosModules.sops
-        ];
-      };
+      buskerud = stableNixosConfig "buskerud" { };
     };
 
     devShells = forAllSystems (system: {
@@ -130,6 +121,15 @@
           (nixlib.getAttrs importantMachines self.packages.x86_64-linux);
         all-machines = pkgs.linkFarm "all-machines"
           (nixlib.getAttrs allMachines self.packages.x86_64-linux);
+
+        #######################
+        # TODO: remove this once nixos 24.05 gets released
+        #######################
+        heimdal = pkgs.callPackage ./packages/heimdal { };
+
+        simplesamlphp = pkgs.callPackage ./packages/simplesamlphp { };
+
+        mediawiki-extensions = pkgs.callPackage ./packages/mediawiki-extensions { };
       } // nixlib.genAttrs allMachines
         (machine: self.nixosConfigurations.${machine}.config.system.build.toplevel);
     };

hosts/bekkalokk/configuration.nix

@@ -12,8 +12,9 @@
     # ./services/website.nix
     ./services/nginx
     ./services/gitea/default.nix
+    ./services/kerberos
     ./services/webmail
-    # ./services/mediawiki.nix
+    ./services/mediawiki
   ];
 
   sops.defaultSopsFile = ../../secrets/bekkalokk/bekkalokk.yaml;

hosts/bekkalokk/services/kerberos/default.nix

@@ -0,0 +1,27 @@
+{ config, pkgs, lib, ... }:
+{
+  #######################
+  # TODO: remove these once nixos 24.05 gets released
+  #######################
+  imports = [
+    ./krb5.nix
+    ./pam.nix
+  ];
+  disabledModules = [
+    "config/krb5/default.nix"
+    "security/pam.nix"
+  ];
+  #######################
+
+  security.krb5 = {
+    enable = true;
+    settings = {
+      libdefaults = {
+        default_realm = "PVV.NTNU.NO";
+        dns_lookup_realm = "yes";
+        dns_lookup_kdc = "yes";
+      };
+      realms."PVV.NTNU.NO".admin_server = "kdc.pvv.ntnu.no";
+    };
+  };
+}

hosts/bekkalokk/services/kerberos/krb5-conf-format.nix

@@ -0,0 +1,88 @@
+{ pkgs, lib, ... }:
+
+# Based on
+# - https://web.mit.edu/kerberos/krb5-1.12/doc/admin/conf_files/krb5_conf.html
+# - https://manpages.debian.org/unstable/heimdal-docs/krb5.conf.5heimdal.en.html
+
+let
+  inherit (lib) boolToString concatMapStringsSep concatStringsSep filter
+    isAttrs isBool isList mapAttrsToList mdDoc mkOption singleton splitString;
+  inherit (lib.types) attrsOf bool coercedTo either int listOf oneOf path
+    str submodule;
+in
+{ }: {
+  type = let
+    section = attrsOf relation;
+    relation = either (attrsOf value) value;
+    value = either (listOf atom) atom;
+    atom = oneOf [int str bool];
+  in submodule {
+    freeformType = attrsOf section;
+    options = {
+      include = mkOption {
+        default = [ ];
+        description = mdDoc ''
+          Files to include in the Kerberos configuration.
+        '';
+        type = coercedTo path singleton (listOf path);
+      };
+      includedir = mkOption {
+        default = [ ];
+        description = mdDoc ''
+          Directories containing files to include in the Kerberos configuration.
+        '';
+        type = coercedTo path singleton (listOf path);
+      };
+      module = mkOption {
+        default = [ ];
+        description = mdDoc ''
+          Modules to obtain Kerberos configuration from.
+        '';
+        type = coercedTo path singleton (listOf path);
+      };
+    };
+  };
+
+  generate = let
+    indent = str: concatMapStringsSep "\n" (line: "  " + line) (splitString "\n" str);
+
+    formatToplevel = args @ {
+      include ? [ ],
+      includedir ? [ ],
+      module ? [ ],
+      ...
+    }: let
+      sections = removeAttrs args [ "include" "includedir" "module" ];
+    in concatStringsSep "\n" (filter (x: x != "") [
+      (concatStringsSep "\n" (mapAttrsToList formatSection sections))
+      (concatMapStringsSep "\n" (m: "module ${m}") module)
+      (concatMapStringsSep "\n" (i: "include ${i}") include)
+      (concatMapStringsSep "\n" (i: "includedir ${i}") includedir)
+    ]);
+
+    formatSection = name: section: ''
+      [${name}]
+      ${indent (concatStringsSep "\n" (mapAttrsToList formatRelation section))}
+    '';
+
+    formatRelation = name: relation:
+      if isAttrs relation
+      then ''
+        ${name} = {
+        ${indent (concatStringsSep "\n" (mapAttrsToList formatValue relation))}
+        }''
+      else formatValue name relation;
+
+    formatValue = name: value:
+      if isList value
+      then concatMapStringsSep "\n" (formatAtom name) value
+      else formatAtom name value;
+
+    formatAtom = name: atom: let
+      v = if isBool atom then boolToString atom else toString atom;
+    in "${name} = ${v}";
+  in
+    name: value: pkgs.writeText name ''
+      ${formatToplevel value}
+    '';
+}

hosts/bekkalokk/services/kerberos/krb5.nix

@@ -0,0 +1,90 @@
+{ config, lib, pkgs, ... }:
+let
+  inherit (lib) mdDoc mkIf mkOption mkPackageOption mkRemovedOptionModule;
+  inherit (lib.types) bool;
+
+  mkRemovedOptionModule' = name: reason: mkRemovedOptionModule ["krb5" name] reason;
+  mkRemovedOptionModuleCfg = name: mkRemovedOptionModule' name ''
+    The option `krb5.${name}' has been removed. Use
+    `security.krb5.settings.${name}' for structured configuration.
+  '';
+
+  cfg = config.security.krb5;
+  format = import ./krb5-conf-format.nix { inherit pkgs lib; } { };
+in {
+  imports = [
+    (mkRemovedOptionModuleCfg "libdefaults")
+    (mkRemovedOptionModuleCfg "realms")
+    (mkRemovedOptionModuleCfg "domain_realm")
+    (mkRemovedOptionModuleCfg "capaths")
+    (mkRemovedOptionModuleCfg "appdefaults")
+    (mkRemovedOptionModuleCfg "plugins")
+    (mkRemovedOptionModuleCfg "config")
+    (mkRemovedOptionModuleCfg "extraConfig")
+    (mkRemovedOptionModule' "kerberos" ''
+      The option `krb5.kerberos' has been moved to `security.krb5.package'.
+    '')
+  ];
+
+  options = {
+    security.krb5 = {
+      enable = mkOption {
+        default = false;
+        description = mdDoc "Enable and configure Kerberos utilities";
+        type = bool;
+      };
+
+      package = mkPackageOption pkgs "krb5" {
+        example = "heimdal";
+      };
+
+      settings = mkOption {
+        default = { };
+        type = format.type;
+        description = mdDoc ''
+          Structured contents of the {file}`krb5.conf` file. See
+          {manpage}`krb5.conf(5)` for details about configuration.
+        '';
+        example = {
+          include = [ "/run/secrets/secret-krb5.conf" ];
+          includedir = [ "/run/secrets/secret-krb5.conf.d" ];
+
+          libdefaults = {
+            default_realm = "ATHENA.MIT.EDU";
+          };
+
+          realms = {
+            "ATHENA.MIT.EDU" = {
+              admin_server = "athena.mit.edu";
+              kdc = [
+                "athena01.mit.edu"
+                "athena02.mit.edu"
+              ];
+            };
+          };
+
+          domain_realm = {
+            "mit.edu" = "ATHENA.MIT.EDU";
+          };
+
+          logging = {
+            kdc = "SYSLOG:NOTICE";
+            admin_server = "SYSLOG:NOTICE";
+            default = "SYSLOG:NOTICE";
+          };
+        };
+      };
+    };
+  };
+
+  config = mkIf cfg.enable {
+    environment = {
+      systemPackages = [ cfg.package ];
+      etc."krb5.conf".source = format.generate "krb5.conf" cfg.settings;
+    };
+  };
+
+  meta.maintainers = builtins.attrValues {
+    inherit (lib.maintainers) dblsaiko h7x4;
+  };
+}

hosts/bekkalokk/services/mediawiki.nix

@@ -1,175 +0,0 @@
-{ pkgs, lib, config, values, ... }: let
-  cfg = config.services.mediawiki;
-
-  # "mediawiki"
-  user = config.systemd.services.mediawiki-init.serviceConfig.User;
-
-  # "mediawiki"
-  group = config.users.users.${user}.group;
-in {
-  sops.secrets = {
-    "mediawiki/password" = {
-      restartUnits = [ "mediawiki-init.service" "phpfpm-mediawiki.service" ];
-      owner = user;
-      group = group;
-    };
-    "keys/postgres/mediawiki" = {
-      restartUnits = [ "mediawiki-init.service" "phpfpm-mediawiki.service" ];
-      owner = user;
-      group = group;
-    };
-  };
-
-  services.mediawiki = {
-    enable = true;
-    name = "Programvareverkstedet";
-    passwordFile = config.sops.secrets."mediawiki/password".path;
-    passwordSender = "drift@pvv.ntnu.no";
-
-    database = {
-      type = "postgres";
-      host = "postgres.pvv.ntnu.no";
-      port = config.services.postgresql.port;
-      passwordFile = config.sops.secrets."keys/postgres/mediawiki".path;
-      createLocally = false;
-      # TODO: create a normal database and copy over old data when the service is production ready
-      name = "mediawiki_test";
-    };
-
-    # Host through nginx
-    webserver = "none";
-    poolConfig = let
-      listenUser = config.services.nginx.user;
-      listenGroup = config.services.nginx.group;
-    in {
-      inherit user group;
-      "pm" = "dynamic";
-      "pm.max_children" = 32;
-      "pm.max_requests" = 500;
-      "pm.start_servers" = 2;
-      "pm.min_spare_servers" = 2;
-      "pm.max_spare_servers" = 4;
-      "listen.owner" = listenUser;
-      "listen.group" = listenGroup;
-      "php_admin_value[error_log]" = "stderr";
-      "php_admin_flag[log_errors]" = "on";
-      "env[PATH]" = lib.makeBinPath [ pkgs.php ];
-      "catch_workers_output" = true;
-      # to accept *.html file
-      "security.limit_extensions" = "";
-    };
-
-    extensions = {
-      DeleteBatch = pkgs.fetchzip {
-        url = "https://extdist.wmflabs.org/dist/extensions/DeleteBatch-REL1_39-995ea6f.tar.gz";
-	sha256 = "sha256-0F4GLCy2f5WcWIY2YgF1tVxgYbglR0VOsj/pMrW93b8=";
-      };
-      UserMerge = pkgs.fetchzip {
-        url = "https://extdist.wmflabs.org/dist/extensions/UserMerge-REL1_39-b10d50e.tar.gz";
-	sha256 = "sha256-bXhj1+OlOUJDbvEuc8iwqb1LLEu6cN6+C/7cAvnWPOQ=";
-      };
-      PluggableAuth = pkgs.fetchzip {
-        url = "https://extdist.wmflabs.org/dist/extensions/PluggableAuth-REL1_39-1210fc3.tar.gz";
-	sha256 = "sha256-F6bTMCzkK3kZwZGIsNE87WlZWqXXmTMhEjApO99YKR0=";
-      };
-      SimpleSAMLphp = pkgs.fetchzip {
-        url = "https://extdist.wmflabs.org/dist/extensions/SimpleSAMLphp-REL1_39-dcf0acb.tar.gz";
-        sha256 = "sha256-tCvFmb2+q2rxms+lRo5pgoI3h6GjCwXAR8XisPg03TQ=";
-      };
-    };
-
-    extraConfig = let
-
-      SimpleSAMLphpRepo = pkgs.stdenvNoCC.mkDerivation rec {
-        pname = "configuredSimpleSAML";
-	version = "2.0.4";
-        src = pkgs.fetchzip {
-          url = "https://github.com/simplesamlphp/simplesamlphp/releases/download/v${version}/simplesamlphp-${version}.tar.gz";
-          sha256 = "sha256-pfMV/VmqqxgtG7Nx4s8MW4tWSaxOkVPtCRJwxV6RDSE=";
-        };
-
-	buildPhase = ''
-          cat > config/authsources.php << EOF
-          <?php
-          $config = array(
-            'default-sp' => array(
-              'saml:SP',
-              'idp' => 'https://idp.pvv.ntnu.no/',
-            ),
-          );
-	  EOF
-	'';
-
-	installPhase = ''
-	  cp -r . $out
-	'';
-      };
-
-    in ''
-      $wgServer = "https://bekkalokk.pvv.ntnu.no";
-      $wgLocaltimezone = "Europe/Oslo";
-
-      # Only allow login through SSO
-      $wgEnableEmail = false;
-      $wgEnableUserEmail = false;
-      $wgEmailAuthentication = false;
-      $wgGroupPermissions['*']['createaccount'] = false;
-      $wgGroupPermissions['*']['autocreateaccount'] = true;
-      $wgPluggableAuth_EnableAutoLogin = true;
-
-      # Disable anonymous editing
-      $wgGroupPermissions['*']['edit'] = false;
-
-      # Styling
-      $wgLogo = "/PNG/PVV-logo.png";
-      $wgDefaultSkin = "monobook";
-
-      # Misc
-      $wgEmergencyContact = "${cfg.passwordSender}";
-      $wgShowIPinHeader = false;
-      $wgUseTeX = false;
-      $wgLocalInterwiki = $wgSitename;
-
-      # SimpleSAML
-      $wgSimpleSAMLphp_InstallDir = "${SimpleSAMLphpRepo}";
-      $wgSimpleSAMLphp_AuthSourceId = "default-sp";
-      $wgSimpleSAMLphp_RealNameAttribute = "cn";
-      $wgSimpleSAMLphp_EmailAttribute = "mail";
-      $wgSimpleSAMLphp_UsernameAttribute = "uid";
-
-      # Fix https://github.com/NixOS/nixpkgs/issues/183097
-      $wgDBserver = "${toString cfg.database.host}";
-    '';
-  };
-
-  # Override because of https://github.com/NixOS/nixpkgs/issues/183097
-  systemd.services.mediawiki-init.script = let
-    # According to module
-    stateDir = "/var/lib/mediawiki";
-    pkg = cfg.finalPackage;
-    mediawikiConfig = config.services.phpfpm.pools.mediawiki.phpEnv.MEDIAWIKI_CONFIG;
-    inherit (lib) optionalString mkForce;
-  in mkForce ''
-    if ! test -e "${stateDir}/secret.key"; then
-      tr -dc A-Za-z0-9 </dev/urandom 2>/dev/null | head -c 64 > ${stateDir}/secret.key
-    fi
-
-    echo "exit( wfGetDB( DB_MASTER )->tableExists( 'user' ) ? 1 : 0 );" | \
-    ${pkgs.php}/bin/php ${pkg}/share/mediawiki/maintenance/eval.php --conf ${mediawikiConfig} && \
-    ${pkgs.php}/bin/php ${pkg}/share/mediawiki/maintenance/install.php \
-      --confpath /tmp \
-      --scriptpath / \
-      --dbserver "${cfg.database.host}" \
-      --dbport ${toString cfg.database.port} \
-      --dbname ${cfg.database.name} \
-      ${optionalString (cfg.database.tablePrefix != null) "--dbprefix ${cfg.database.tablePrefix}"} \
-      --dbuser ${cfg.database.user} \
-      ${optionalString (cfg.database.passwordFile != null) "--dbpassfile ${cfg.database.passwordFile}"} \
-      --passfile ${cfg.passwordFile} \
-      --dbtype ${cfg.database.type} \
-      ${cfg.name} \
-      admin
-
-    ${pkgs.php}/bin/php ${pkg}/share/mediawiki/maintenance/update.php --conf ${mediawikiConfig} --quick
-  '';
-}

hosts/bekkalokk/services/mediawiki/default.nix

@@ -0,0 +1,246 @@
+{ pkgs, lib, config, values, pkgs-unstable, ... }: let
+  cfg = config.services.mediawiki;
+
+  # "mediawiki"
+  user = config.systemd.services.mediawiki-init.serviceConfig.User;
+
+  # "mediawiki"
+  group = config.users.users.${user}.group;
+
+  SimpleSAMLphpRepo = pkgs.php.buildComposerProject rec {
+    pname = "configuredSimpleSAML";
+    version = "2.2.1";
+    src = pkgs.fetchFromGitHub {
+      owner = "simplesamlphp";
+      repo = "simplesamlphp";
+      # name = "simple-saml-php-source";
+      # url = "https://github.com/simplesamlphp/simplesamlphp/releases/download/v${version}/simplesamlphp-${version}.tar.gz";
+      rev = "v${version}";
+      hash = "sha256-jo7xma60M4VZgeDgyFumvJp1Sm+RP4XaugDkttQVB+k=";
+    };
+
+    composerStrictValidation = false;
+
+    vendorHash = "sha256-n6lJ/Fb6xI124PkKJMbJBDiuISlukWQcHl043uHoBb4=";
+
+    # TODO: metadata could be fetched automagically with these:
+    #   - https://simplesamlphp.org/docs/contrib_modules/metarefresh/simplesamlphp-automated_metadata.html
+    #   - https://idp.pvv.ntnu.no/simplesaml/saml2/idp/metadata.php
+    postPatch = ''
+      install -Dm444 "${./simplesamlphp/authsources.php}" "config/authsources.php"
+      install -Dm444 "${./simplesamlphp/saml20-idp-remote.php}" "metadata/saml20-idp-remote.php"
+      install -Dm444 "${./simplesamlphp/config.php}" "config/config.php"
+
+      substituteInPlace config/config.php \
+        --replace '$SAML_COOKIE_SECURE' 'true' \
+        --replace '$SAML_COOKIE_SALT' '"asdfasdfasjdf"' \
+        --replace '$SAML_ADMIN_PASSWORD' '"asdfasdfasdf"' \
+        --replace '$SAML_TRUSTED_DOMAINS' 'array( "bekkalokk.pvv.ntnu.no" )'
+    '';
+
+    postInstall = ''
+      ln -sr $out/share/php/configuredSimpleSAML/vendor/simplesamlphp/simplesamlphp-assets-base $out/share/php/configuredSimpleSAML/public/assets/base
+    '';
+  };
+in {
+  sops.secrets = {
+    "mediawiki/password" = {
+      restartUnits = [ "mediawiki-init.service" "phpfpm-mediawiki.service" ];
+      owner = user;
+      group = group;
+    };
+    "mediawiki/database" = {
+      restartUnits = [ "mediawiki-init.service" "phpfpm-mediawiki.service" ];
+      owner = user;
+      group = group;
+    };
+  };
+
+  services.mediawiki = {
+    enable = true;
+    name = "Programvareverkstedet";
+    passwordFile = config.sops.secrets."mediawiki/password".path;
+    passwordSender = "drift@pvv.ntnu.no";
+
+    database = {
+      type = "postgres";
+      host = "postgres.pvv.ntnu.no";
+      port = config.services.postgresql.port;
+      passwordFile = config.sops.secrets."mediawiki/database".path;
+      createLocally = false;
+      # TODO: create a normal database and copy over old data when the service is production ready
+      name = "mediawiki_test";
+    };
+
+    # Host through nginx
+    webserver = "none";
+    poolConfig = let
+      listenUser = config.services.nginx.user;
+      listenGroup = config.services.nginx.group;
+    in {
+      inherit user group;
+      "pm" = "dynamic";
+      "pm.max_children" = 32;
+      "pm.max_requests" = 500;
+      "pm.start_servers" = 2;
+      "pm.min_spare_servers" = 2;
+      "pm.max_spare_servers" = 4;
+      "listen.owner" = listenUser;
+      "listen.group" = listenGroup;
+      "env[PATH]" = lib.makeBinPath [ pkgs.php ];
+
+      "catch_workers_output" = true;
+      "php_admin_flag[log_errors]" = true;
+      # "php_admin_value[error_log]" = "stderr";
+
+      # to accept *.html file
+      "security.limit_extensions" = "";
+    };
+
+    extensions = {
+      inherit (pkgs.mediawiki-extensions) DeleteBatch UserMerge PluggableAuth SimpleSAMLphp;
+    };
+
+    extraConfig = ''
+      $wgServer = "https://bekkalokk.pvv.ntnu.no";
+      $wgLocaltimezone = "Europe/Oslo";
+
+      # Only allow login through SSO
+      $wgEnableEmail = false;
+      $wgEnableUserEmail = false;
+      $wgEmailAuthentication = false;
+      $wgGroupPermissions['*']['createaccount'] = false;
+      $wgGroupPermissions['*']['autocreateaccount'] = true;
+      $wgPluggableAuth_EnableAutoLogin = true;
+
+      # Disable anonymous editing
+      $wgGroupPermissions['*']['edit'] = false;
+
+      # Styling
+      $wgLogo = "/PNG/PVV-logo.png";
+      $wgDefaultSkin = "monobook";
+
+      # Misc
+      $wgEmergencyContact = "${cfg.passwordSender}";
+      $wgShowIPinHeader = false;
+      $wgUseTeX = false;
+      $wgLocalInterwiki = $wgSitename;
+
+      # SimpleSAML
+      $wgSimpleSAMLphp_InstallDir = "${SimpleSAMLphpRepo}/share/php/configuredSimpleSAML/";
+      $wgSimpleSAMLphp_AuthSourceId = "default-sp";
+      $wgSimpleSAMLphp_RealNameAttribute = "cn";
+      $wgSimpleSAMLphp_EmailAttribute = "mail";
+      $wgSimpleSAMLphp_UsernameAttribute = "uid";
+
+      $wgPluggableAuth_Config['Log in using my SAML'] = [
+        'plugin' => 'SimpleSAMLphp',
+        'data' => [
+          'authSourceId' => 'default-sp',
+        ]
+      ];
+
+      # Fix https://github.com/NixOS/nixpkgs/issues/183097
+      $wgDBserver = "${toString cfg.database.host}";
+    '';
+  };
+
+          # 'usernameAttribute' => 'username',
+          # 'realNameAttribute' => 'name',
+          # 'emailAttribute' => 'email'
+
+  # Cache directory for simplesamlphp
+  # systemd.services.phpfpm-mediawiki.serviceConfig.CacheDirectory = "mediawiki/simplesamlphp";
+  systemd.tmpfiles.settings."10-mediawiki"."/var/cache/mediawiki/simplesamlphp/core".d = {
+    user = "mediawiki";
+    group = "mediawiki";
+    mode = "0770";
+  };
+
+  # Override because of https://github.com/NixOS/nixpkgs/issues/183097
+  systemd.services.mediawiki-init.script = let
+    # According to module
+    stateDir = "/var/lib/mediawiki";
+    pkg = cfg.finalPackage;
+    mediawikiConfig = config.services.phpfpm.pools.mediawiki.phpEnv.MEDIAWIKI_CONFIG;
+    inherit (lib) optionalString mkForce;
+  in mkForce ''
+    if ! test -e "${stateDir}/secret.key"; then
+      tr -dc A-Za-z0-9 </dev/urandom 2>/dev/null | head -c 64 > ${stateDir}/secret.key
+    fi
+
+    echo "exit( wfGetDB( DB_MASTER )->tableExists( 'user' ) ? 1 : 0 );" | \
+    ${pkgs.php}/bin/php ${pkg}/share/mediawiki/maintenance/eval.php --conf ${mediawikiConfig} && \
+    ${pkgs.php}/bin/php ${pkg}/share/mediawiki/maintenance/install.php \
+      --confpath /tmp \
+      --scriptpath / \
+      --dbserver "${cfg.database.host}" \
+      --dbport ${toString cfg.database.port} \
+      --dbname ${cfg.database.name} \
+      ${optionalString (cfg.database.tablePrefix != null) "--dbprefix ${cfg.database.tablePrefix}"} \
+      --dbuser ${cfg.database.user} \
+      ${optionalString (cfg.database.passwordFile != null) "--dbpassfile ${cfg.database.passwordFile}"} \
+      --passfile ${cfg.passwordFile} \
+      --dbtype ${cfg.database.type} \
+      ${cfg.name} \
+      admin
+
+    ${pkgs.php}/bin/php ${pkg}/share/mediawiki/maintenance/update.php --conf ${mediawikiConfig} --quick
+  '';
+
+  services.nginx.virtualHosts."bekkalokk.pvv.ntnu.no" = {
+    forceSSL = true;
+    enableACME = true;
+    root = "${config.services.mediawiki.finalPackage}/share/mediawiki";
+    locations =  {
+      "/" = {
+	index = "index.php";
+      };
+
+      "~ /(.+\\.php)" = {
+        extraConfig = ''
+          fastcgi_split_path_info ^(.+\.php)(/.+)$;
+          fastcgi_index index.php;
+          fastcgi_pass unix:${config.services.phpfpm.pools.mediawiki.socket};
+          include ${pkgs.nginx}/conf/fastcgi_params;
+          include ${pkgs.nginx}/conf/fastcgi.conf;
+        '';
+      };
+
+      # based on https://simplesamlphp.org/docs/stable/simplesamlphp-install.html#configuring-nginx
+      "^~ /simplesaml/" = {
+        alias = "${SimpleSAMLphpRepo}/share/php/configuredSimpleSAML/public/";
+        index = "index.php";
+
+        extraConfig = ''
+          location ~ ^/simplesaml/(?<phpfile>.+?\.php)(?<pathinfo>/.*)?$ {
+            include ${pkgs.nginx}/conf/fastcgi_params;
+            fastcgi_pass unix:${config.services.phpfpm.pools.mediawiki.socket}; 
+            fastcgi_param SCRIPT_FILENAME ${SimpleSAMLphpRepo}/share/php/configuredSimpleSAML/public/$phpfile;
+
+            # Must be prepended with the baseurlpath
+            fastcgi_param SCRIPT_NAME /simplesaml/$phpfile;
+
+            fastcgi_param PATH_INFO $pathinfo if_not_empty;
+          }
+        '';
+      };
+
+      "/images".root = config.services.mediawiki.uploadsDir;
+
+      "= /PNG/PVV-logo.png".alias = ../../../../assets/logo_blue_regular.png;
+
+      # Redirects from gitea
+      "/Projects".return = "301 $scheme://git.pvv.ntnu.no$request_uri";
+      "^~ /Projects/(.+\\.php)".return = "301 $scheme://git.pvv.ntnu.no$request_uri";
+      "/oysteikt".return = "301 $scheme://git.pvv.ntnu.no$request_uri";
+      "/Drift".return = "301 $scheme://git.pvv.ntnu.no$request_uri";
+      "/felixalb".return = "301 $scheme://git.pvv.ntnu.no$request_uri";
+      "/adriangl".return = "301 $scheme://git.pvv.ntnu.no$request_uri";
+      "/danio".return = "301 $scheme://git.pvv.ntnu.no$request_uri";
+      "/pederbs".return = "301 $scheme://git.pvv.ntnu.no$request_uri";
+      "/jonmro".return = "301 $scheme://git.pvv.ntnu.no$request_uri";
+      "/explore".return = "301 $scheme://git.pvv.ntnu.no$request_uri";
+    };
+  };
+}

hosts/bekkalokk/services/mediawiki/simplesamlphp/authsources.php

@@ -0,0 +1,11 @@
+<?php
+$config = array(
+
+    /* This is the name of this authentication source, and will be used to access it later. */
+    'default-sp' => array(
+        'saml:SP',
+        # 'entityID' => 'https://wiki.pvv.ntnu.no/',
+        'entityID' => 'https://bekkalokk.pvv.ntnu.no/',
+        'idp' => 'https://idp.pvv.ntnu.no/',
+    ),
+);

hosts/bekkalokk/services/mediawiki/simplesamlphp/saml20-idp-remote.php

@@ -0,0 +1,23 @@
+<?php
+$metadata['https://idp.pvv.ntnu.no/'] = array (
+  'metadata-set' => 'saml20-idp-remote',
+  'entityid' => 'https://idp.pvv.ntnu.no/',
+  'SingleSignOnService' => 
+  array (
+    0 => 
+    array (
+      'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
+      'Location' => 'https://idp.pvv.ntnu.no/simplesaml/saml2/idp/SSOService.php',
+    ),
+  ),
+  'SingleLogoutService' => 
+  array (
+    0 => 
+    array (
+      'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
+      'Location' => 'https://idp.pvv.ntnu.no/simplesaml/saml2/idp/SingleLogoutService.php',
+    ),
+  ),
+  'certData' => 'MIIDpTCCAo2gAwIBAgIJAJIgibrB7NvsMA0GCSqGSIb3DQEBCwUAMGkxCzAJBgNVBAYTAk5PMR4wHAYDVQQKDBVQcm9ncmFtdmFyZXZlcmtzdGVkZXQxGDAWBgNVBAMMD2lkcC5wdnYubnRudS5ubzEgMB4GCSqGSIb3DQEJARYRZHJpZnRAcHZ2Lm50bnUubm8wHhcNMTcxMTEzMjI0NTQyWhcNMjcxMTEzMjI0NTQyWjBpMQswCQYDVQQGEwJOTzEeMBwGA1UECgwVUHJvZ3JhbXZhcmV2ZXJrc3RlZGV0MRgwFgYDVQQDDA9pZHAucHZ2Lm50bnUubm8xIDAeBgkqhkiG9w0BCQEWEWRyaWZ0QHB2di5udG51Lm5vMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAveLujCsgVCRA360y5yezy8FcSPhaqodggDqY12UTkYOMQLBFaph6uUL4oCUlXZqxScrAYVRt9yw+7BYpcm0p51VZzVCsfMxRVkn+O1eUvsaXq3f13f87QHKYP2f0uqkGf5PvnKIdSaI/ix8WJhD8XT+h0OkHEcaBvUtSG7zbEhvG21WPHwgw2rvZSneArQ8tOitZC0u8VXSfdhtf6ynRseo0xC95634UwQAZivhQ2v4A6Tp57QG5DCXIJ9/z3PkINx3KB/hOeh0EP6Dpbp+7V0/t9778E3whpm4llrH144kzROhA7EgUgkZOjAVjxGCYlcj3xQPnnItihVOZ5B5qLwIDAQABo1AwTjAdBgNVHQ4EFgQUPLhrB+Qb/Kzz7Car9GJkKmEkz6swHwYDVR0jBBgwFoAUPLhrB+Qb/Kzz7Car9GJkKmEkz6swDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAd+4E6t0j8/p8rbZE8y/gZ9GsiRhxkR4l6JbMRUfEpqHKi415qstChRcP2Lo3Yd5qdmj9tLDWoPsqet1QgyTTmQTgUmPhhMOQDqSh90LuqEJseKWafXGS/SfWLH6MWVmzDV5YofJEw2ThPiU58GiS06OLS2poq1eAesa2LQ22J8yYisXM4sxImIFte+LYQ1+1evfBWcvU1vrGsQ0VLJHdef9WoXp1swUFhq4Zk0c7gjHiB1CFVlExAAlk9L6W3CVXmKIYlf4eUnEBGkC061Ir42+uhAMWO9Y/L1NEuboTyd2KAI/6JdKdzpmfk7zPVxWlNxNCZ7OPNuvOKp6VlpB2EA==',
+  'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient',
+);

packages/heimdal/default.nix

@@ -0,0 +1,178 @@
+{ lib
+, stdenv
+, fetchFromGitHub
+, autoreconfHook
+, pkg-config
+, python3
+, perl
+, bison
+, flex
+, texinfo
+, perlPackages
+
+, openldap
+, libcap_ng
+, sqlite
+, openssl
+, db
+, libedit
+, pam
+, krb5
+, libmicrohttpd
+, cjson
+
+, CoreFoundation
+, Security
+, SystemConfiguration
+
+, curl
+, jdk
+, unzip
+, which
+
+, nixosTests
+
+, withCJSON ? true
+, withCapNG ? stdenv.isLinux
+# libmicrohttpd should theoretically work for darwin as well, but something is broken.
+# It affects tests check-bx509d and check-httpkadmind.
+, withMicroHTTPD ? stdenv.isLinux
+, withOpenLDAP ? true
+, withOpenLDAPAsHDBModule ? false
+, withOpenSSL ? true
+, withSQLite3 ? true
+}:
+
+assert lib.assertMsg (withOpenLDAPAsHDBModule -> withOpenLDAP) ''
+  OpenLDAP needs to be enabled in order to build the OpenLDAP HDB Module.
+'';
+
+stdenv.mkDerivation {
+  pname = "heimdal";
+  version = "7.8.0-unstable-2023-11-29";
+
+  src = fetchFromGitHub {
+    owner = "heimdal";
+    repo = "heimdal";
+    rev = "3253c49544eacb33d5ad2f6f919b0696e5aab794";
+    hash = "sha256-uljzQBzXrZCZjcIWfioqHN8YsbUUNy14Vo+A3vZIXzM=";
+  };
+
+  outputs = [ "out" "dev" "man" "info" ];
+
+  nativeBuildInputs = [
+    autoreconfHook
+    pkg-config
+    python3
+    perl
+    bison
+    flex
+    texinfo
+  ]
+  ++ (with perlPackages; [ JSON ]);
+
+  buildInputs = [ db libedit pam ]
+    ++ lib.optionals (stdenv.isDarwin) [ CoreFoundation Security SystemConfiguration ]
+    ++ lib.optionals (withCJSON) [ cjson ]
+    ++ lib.optionals (withCapNG) [ libcap_ng ]
+    ++ lib.optionals (withMicroHTTPD) [ libmicrohttpd ]
+    ++ lib.optionals (withOpenLDAP) [ openldap ]
+    ++ lib.optionals (withOpenSSL) [ openssl ]
+    ++ lib.optionals (withSQLite3) [ sqlite ];
+
+  doCheck = true;
+  nativeCheckInputs = [
+    curl
+    jdk
+    unzip
+    which
+  ];
+
+  configureFlags = [
+    "--with-libedit-include=${libedit.dev}/include"
+    "--with-libedit-lib=${libedit}/lib"
+    "--with-berkeley-db-include=${db.dev}/include"
+    "--with-berkeley-db"
+
+    "--without-x"
+    "--disable-afs-string-to-key"
+  ] ++ lib.optionals (withCapNG) [
+    "--with-capng"
+  ] ++ lib.optionals (withCJSON) [
+    "--with-cjson=${cjson}"
+  ] ++ lib.optionals (withOpenLDAP) [
+    "--with-openldap=${openldap.dev}"
+  ] ++ lib.optionals (withOpenLDAPAsHDBModule) [
+    "--enable-hdb-openldap-module"
+  ] ++ lib.optionals (withSQLite3) [
+    "--with-sqlite3=${sqlite.dev}"
+  ];
+
+  # (check-ldap) slapd resides within ${openldap}/libexec,
+  #              which is not part of $PATH by default.
+  # (check-ldap) prepending ${openldap}/bin to the path to avoid
+  #              using the default installation of openldap on unsandboxed darwin systems,
+  #              which does not support the new mdb backend at the moment (2024-01-13).
+  # (check-ldap) the bdb backend got deprecated in favour of mdb in openldap 2.5.0,
+  #              but the heimdal tests still seem to expect bdb as the openldap backend.
+  #              This might be fixed upstream in a future update.
+  patchPhase = ''
+    runHook prePatch
+
+    substituteInPlace tests/ldap/slapd-init.in \
+      --replace 'SCHEMA_PATHS="' 'SCHEMA_PATHS="${openldap}/etc/schema '
+    substituteInPlace tests/ldap/check-ldap.in \
+      --replace 'PATH=' 'PATH=${openldap}/libexec:${openldap}/bin:'
+    substituteInPlace tests/ldap/slapd.conf \
+      --replace 'database	bdb' 'database mdb'
+
+    runHook postPatch
+  '';
+
+  # (test_cc) heimdal uses librokens implementation of `secure_getenv` on darwin,
+  #           which expects either USER or LOGNAME to be set.
+  preCheck = lib.optionalString (stdenv.isDarwin) ''
+    export USER=nix-builder
+  '';
+
+  # We need to build hcrypt for applications like samba
+  postBuild = ''
+    (cd include/hcrypto; make -j $NIX_BUILD_CORES)
+    (cd lib/hcrypto; make -j $NIX_BUILD_CORES)
+  '';
+
+  postInstall = ''
+    # Install hcrypto
+    (cd include/hcrypto; make -j $NIX_BUILD_CORES install)
+    (cd lib/hcrypto; make -j $NIX_BUILD_CORES install)
+
+    mkdir -p $dev/bin
+    mv $out/bin/krb5-config $dev/bin/
+
+    # asn1 compilers, move them to $dev
+    mv $out/libexec/heimdal/* $dev/bin
+    rmdir $out/libexec/heimdal
+
+    # compile_et is needed for cross-compiling this package and samba
+    mv lib/com_err/.libs/compile_et $dev/bin
+  '';
+
+  # Issues with hydra
+  #  In file included from hxtool.c:34:0:
+  #  hx_locl.h:67:25: fatal error: pkcs10_asn1.h: No such file or directory
+  #enableParallelBuilding = true;
+
+  passthru = {
+    implementation = "heimdal";
+    tests.nixos = nixosTests.kerberos.heimdal;
+  };
+
+  meta = with lib; {
+    homepage = "https://www.heimdal.software";
+    changelog = "https://github.com/heimdal/heimdal/releases";
+    description = "An implementation of Kerberos 5 (and some more stuff)";
+    license = licenses.bsd3;
+    platforms = platforms.unix;
+    maintainers = with maintainers; [ h7x4 ];
+  };
+}

packages/mediawiki-extensions/default.nix

@@ -0,0 +1,7 @@
+{ pkgs, lib }:
+lib.makeScope pkgs.newScope (self: {
+  DeleteBatch = self.callPackage ./delete-batch { };
+  PluggableAuth = self.callPackage ./pluggable-auth { };
+  SimpleSAMLphp = self.callPackage ./simple-saml-php { };
+  UserMerge = self.callPackage ./user-merge { };
+})

packages/mediawiki-extensions/delete-batch/default.nix

@@ -0,0 +1,7 @@
+{ fetchzip }:
+
+fetchzip {
+  name = "mediawiki-delete-batch";
+  url = "https://extdist.wmflabs.org/dist/extensions/DeleteBatch-REL1_41-5774fdd.tar.gz";
+  hash = "sha256-ROkn93lf0mNXBvij9X2pMhd8LXZ0azOz7ZRaqZvhh8k=";
+}

packages/mediawiki-extensions/pluggable-auth/default.nix

@@ -0,0 +1,7 @@
+{ fetchzip }:
+
+fetchzip {
+  name = "mediawiki-pluggable-auth-source";
+  url = "https://extdist.wmflabs.org/dist/extensions/PluggableAuth-REL1_41-d5b3ad8.tar.gz";
+  hash = "sha256-OLlkKeSlfNgWXWwDdINrYRZpYuSGRwzZHgU8EYW6rYU=";
+}

packages/mediawiki-extensions/simple-saml-php/default.nix

@@ -0,0 +1,7 @@
+{ fetchzip }:
+
+fetchzip {
+  name = "mediawiki-simple-saml-php-source";
+  url = "https://extdist.wmflabs.org/dist/extensions/SimpleSAMLphp-REL1_41-9ae0678.tar.gz";
+  hash = "sha256-AmCaG5QXMJvi3N6zFyWylwYDt8GvyIk/0GFpM1Y0vkY=";
+}

packages/mediawiki-extensions/update-mediawiki-extensions.py

@@ -0,0 +1,66 @@
+#!/usr/bin/env nix-shell
+#!nix-shell -i python3 -p "python3.withPackages(ps: with ps; [ beautifulsoup4 requests ])"
+
+import os
+from pathlib import Path
+import re
+import subprocess
+from collections import defaultdict
+from pprint import pprint
+
+import bs4
+import requests
+
+BASE_URL = "https://extdist.wmflabs.org/dist/extensions"
+
+def fetch_plugin_list(skip_master=True) -> dict[str, list[str]]:
+    content = requests.get(BASE_URL).text
+    soup = bs4.BeautifulSoup(content, features="html.parser")
+    result = defaultdict(list)
+    for a in soup.find_all('a'):
+        if skip_master and 'master' in a.text:
+            continue
+        split = a.text.split('-')
+        result[split[0]].append(a.text)
+    return result
+
+def update(package_file: Path, plugin_list: dict[str, list[str]]) -> None:
+    assert package_file.is_file()
+    with open(package_file) as file:
+        content = file.read()
+
+    tarball = re.search(f'url = "{BASE_URL}/(.+\.tar\.gz)";', content).group(1)
+    split = tarball.split('-')
+    updated_tarball = plugin_list[split[0]][-1]
+
+    _hash = re.search(f'hash = "(.+?)";', content).group(1)
+
+    out, err = subprocess.Popen(
+        ["nix-prefetch-url", "--unpack", "--type", "sha256", f"{BASE_URL}/{updated_tarball}"],
+        stdout=subprocess.PIPE,
+        stderr=subprocess.PIPE
+    ).communicate()
+    out, err = subprocess.Popen(
+        ["nix", "hash", "to-sri", "--type", "sha256", out.decode().strip()],
+        stdout=subprocess.PIPE,
+        stderr=subprocess.PIPE
+    ).communicate()
+
+    updated_hash = out.decode().strip()
+
+    if tarball == updated_tarball and _hash == updated_hash:
+        return
+
+    print(f"Updating: {tarball} ({_hash[7:14]}) -> {updated_tarball} ({updated_hash[7:14]})")
+
+    updated_text = re.sub(f'url = "{BASE_URL}/.+?\.tar\.gz";', f'url = "{BASE_URL}/{updated_tarball}";', content)
+    updated_text = re.sub('hash = ".+";', f'hash = "{updated_hash}";', updated_text)
+    with open(package_file, 'w') as file:
+        file.write(updated_text)
+
+if __name__ == "__main__":
+    plugin_list = fetch_plugin_list()
+
+    for direntry in os.scandir(Path(__file__).parent):
+        if direntry.is_dir():
+            update(Path(direntry) / "default.nix", plugin_list)

packages/mediawiki-extensions/user-merge/default.nix

@@ -0,0 +1,7 @@
+{ fetchzip }:
+
+fetchzip {
+  name = "mediawiki-user-merge-source";
+  url = "https://extdist.wmflabs.org/dist/extensions/UserMerge-REL1_41-a53af3b.tar.gz";
+  hash = "sha256-TxUkEqMW79thYl1la2r+w9laRnd3uSYYg1xDB+1he1g=";
+}

packages/simplesamlphp/default.nix

@@ -0,0 +1,36 @@
+{ php
+, writeText
+, fetchFromGitHub
+, configFile ? "config/config.php.dist"
+, authsourcesFile ? "config/authsources.php.dist"
+, saml20-idp-remoteFile ? writeText "saml20-idp-remote.php" "<?php ?>"
+}:
+
+php.buildComposerProject rec {
+  pname = "simplesamlphp";
+  version = "2.2.1";
+
+  src = fetchFromGitHub {
+    owner = "simplesamlphp";
+    repo = "simplesamlphp";
+    rev = "v${version}";
+    hash = "sha256-jo7xma60M4VZgeDgyFumvJp1Sm+RP4XaugDkttQVB+k=";
+  };
+
+  composerStrictValidation = false;
+
+  vendorHash = "sha256-n6lJ/Fb6xI124PkKJMbJBDiuISlukWQcHl043uHoBb4=";
+
+  # TODO: metadata could be fetched automagically with these:
+  #   - https://simplesamlphp.org/docs/contrib_modules/metarefresh/simplesamlphp-automated_metadata.html
+  #   - https://idp.pvv.ntnu.no/simplesaml/saml2/idp/metadata.php
+  postPatch = ''
+    install -Dm444 "${configFile}" "config/config.php"
+    install -Dm444 "${authsourcesFile}" "config/authsources.php"
+    install -Dm444 "${saml20-idp-remoteFile}" "metadata/saml20-idp-remote.php"
+  '';
+
+  postInstall = ''
+    ln -sr $out/share/php/simplesamlphp/vendor/simplesamlphp/simplesamlphp-assets-base $out/share/php/simplesamlphp/public/assets/base
+  '';
+}