bekkalokk: init mediawiki

Co-authored-by: Jørn Åne <yorinad@pvv.ntnu.no>

flake.nix

@@ -42,6 +42,7 @@
     ];
   in {
     nixosConfigurations = let
+      unstablePkgs = nixpkgs-unstable.legacyPackages.x86_64-linux;
       nixosConfig = nixpkgs: name: config: nixpkgs.lib.nixosSystem (nixpkgs.lib.recursiveUpdate
         rec {
           system = "x86_64-linux";
@@ -78,10 +79,7 @@
       bekkalokk = stableNixosConfig "bekkalokk" {
         overlays = [
           (final: prev: {
-            heimdal = final.callPackage ./packages/heimdal {
+            heimdal = unstablePkgs.heimdal;
-              inherit (final.darwin.apple_sdk.frameworks) CoreFoundation Security SystemConfiguration;
-              autoreconfHook = final.buildPackages.autoreconfHook269;
-	    };
             mediawiki-extensions = final.callPackage ./packages/mediawiki-extensions { };
             simplesamlphp = final.callPackage ./packages/simplesamlphp { };
           })
@@ -126,14 +124,6 @@
         all-machines = pkgs.linkFarm "all-machines"
           (nixlib.getAttrs allMachines self.packages.x86_64-linux);
 
-        #######################
-        # TODO: remove this once nixos 24.05 gets released
-        #######################
-        heimdal = pkgs.callPackage ./packages/heimdal {
-          inherit (pkgs.darwin.apple_sdk.frameworks) CoreFoundation Security SystemConfiguration;
-          autoreconfHook = pkgs.buildPackages.autoreconfHook269;
-	};
-
         simplesamlphp = pkgs.callPackage ./packages/simplesamlphp { };
 
         mediawiki-extensions = pkgs.callPackage ./packages/mediawiki-extensions { };

hosts/bekkalokk/services/mediawiki/default.nix

@@ -33,28 +33,19 @@
 in {
   services.idp.sp-remote-metadata = [ "https://wiki2.pvv.ntnu.no/simplesaml/" ];
 
-  sops.secrets = {
+  sops.secrets = lib.pipe [
-    "mediawiki/password" = {
+    "mediawiki/password"
+    "mediawiki/postgres_password"
+    "mediawiki/simplesamlphp/postgres_password"
+    "mediawiki/simplesamlphp/cookie_salt"
+    "mediawiki/simplesamlphp/admin_password"
+  ] [
+    (map (key: lib.nameValuePair key {
       owner = user;
       group = group;
-    };
+    }))
-    "mediawiki/postgres_password" = {
+    lib.listToAttrs
-      owner = user;
+  ];
-      group = group;
-    };
-    "mediawiki/simplesamlphp/postgres_password" = {
-      owner = user;
-      group = group;
-    };
-    "mediawiki/simplesamlphp/cookie_salt" = {
-      owner = user;
-      group = group;
-    };
-    "mediawiki/simplesamlphp/admin_password" = {
-      owner = user;
-      group = group;
-    };
-  };
 
   services.mediawiki = {
     enable = true;
@@ -127,7 +118,6 @@ in {
         "2x" => "/PNG/PVV-logo.png",
         "icon" => "/PNG/PVV-logo.svg",
       );
-      # wfLoadSkin('Timeless');
       $wgDefaultSkin = "vector-2022";
       # from https://github.com/wikimedia/mediawiki-skins-Vector/blob/master/skin.json
       $wgVectorDefaultSidebarVisibleForAnonymousUser = true;
@@ -164,37 +154,6 @@ in {
     mode = "0770";
   };
 
-  # Override because of https://github.com/NixOS/nixpkgs/issues/183097
-  systemd.services.mediawiki-init.script = let
-    # According to module
-    stateDir = "/var/lib/mediawiki";
-    pkg = cfg.finalPackage;
-    mediawikiConfig = config.services.phpfpm.pools.mediawiki.phpEnv.MEDIAWIKI_CONFIG;
-    inherit (lib) optionalString mkForce;
-  in mkForce ''
-    if ! test -e "${stateDir}/secret.key"; then
-      tr -dc A-Za-z0-9 </dev/urandom 2>/dev/null | head -c 64 > ${stateDir}/secret.key
-    fi
-
-    echo "exit( wfGetDB( DB_MASTER )->tableExists( 'user' ) ? 1 : 0 );" | \
-    ${pkgs.php}/bin/php ${pkg}/share/mediawiki/maintenance/eval.php --conf ${mediawikiConfig} && \
-    ${pkgs.php}/bin/php ${pkg}/share/mediawiki/maintenance/install.php \
-      --confpath /tmp \
-      --scriptpath / \
-      --dbserver "${cfg.database.host}" \
-      --dbport ${toString cfg.database.port} \
-      --dbname ${cfg.database.name} \
-      ${optionalString (cfg.database.tablePrefix != null) "--dbprefix ${cfg.database.tablePrefix}"} \
-      --dbuser ${cfg.database.user} \
-      ${optionalString (cfg.database.passwordFile != null) "--dbpassfile ${cfg.database.passwordFile}"} \
-      --passfile ${cfg.passwordFile} \
-      --dbtype ${cfg.database.type} \
-      ${cfg.name} \
-      admin
-
-    ${pkgs.php}/bin/php ${pkg}/share/mediawiki/maintenance/update.php --conf ${mediawikiConfig} --quick
-  '';
-
   users.groups.mediawiki.members = [ "nginx" ];
 
   services.nginx.virtualHosts."wiki2.pvv.ntnu.no" = {

packages/heimdal/default.nix

@@ -1,178 +0,0 @@
-{ lib
-, stdenv
-, fetchFromGitHub
-, autoreconfHook
-, pkg-config
-, python3
-, perl
-, bison
-, flex
-, texinfo
-, perlPackages
-
-, openldap
-, libcap_ng
-, sqlite
-, openssl
-, db
-, libedit
-, pam
-, krb5
-, libmicrohttpd
-, cjson
-
-, CoreFoundation
-, Security
-, SystemConfiguration
-
-, curl
-, jdk
-, unzip
-, which
-
-, nixosTests
-
-, withCJSON ? true
-, withCapNG ? stdenv.isLinux
-# libmicrohttpd should theoretically work for darwin as well, but something is broken.
-# It affects tests check-bx509d and check-httpkadmind.
-, withMicroHTTPD ? stdenv.isLinux
-, withOpenLDAP ? true
-, withOpenLDAPAsHDBModule ? false
-, withOpenSSL ? true
-, withSQLite3 ? true
-}:
-
-assert lib.assertMsg (withOpenLDAPAsHDBModule -> withOpenLDAP) ''
-  OpenLDAP needs to be enabled in order to build the OpenLDAP HDB Module.
-'';
-
-stdenv.mkDerivation {
-  pname = "heimdal";
-  version = "7.8.0-unstable-2023-11-29";
-
-  src = fetchFromGitHub {
-    owner = "heimdal";
-    repo = "heimdal";
-    rev = "3253c49544eacb33d5ad2f6f919b0696e5aab794";
-    hash = "sha256-uljzQBzXrZCZjcIWfioqHN8YsbUUNy14Vo+A3vZIXzM=";
-  };
-
-  outputs = [ "out" "dev" "man" "info" ];
-
-  nativeBuildInputs = [
-    autoreconfHook
-    pkg-config
-    python3
-    perl
-    bison
-    flex
-    texinfo
-  ]
-  ++ (with perlPackages; [ JSON ]);
-
-  buildInputs = [ db libedit pam ]
-    ++ lib.optionals (stdenv.isDarwin) [ CoreFoundation Security SystemConfiguration ]
-    ++ lib.optionals (withCJSON) [ cjson ]
-    ++ lib.optionals (withCapNG) [ libcap_ng ]
-    ++ lib.optionals (withMicroHTTPD) [ libmicrohttpd ]
-    ++ lib.optionals (withOpenLDAP) [ openldap ]
-    ++ lib.optionals (withOpenSSL) [ openssl ]
-    ++ lib.optionals (withSQLite3) [ sqlite ];
-
-  doCheck = true;
-  nativeCheckInputs = [
-    curl
-    jdk
-    unzip
-    which
-  ];
-
-  configureFlags = [
-    "--with-libedit-include=${libedit.dev}/include"
-    "--with-libedit-lib=${libedit}/lib"
-    "--with-berkeley-db-include=${db.dev}/include"
-    "--with-berkeley-db"
-
-    "--without-x"
-    "--disable-afs-string-to-key"
-  ] ++ lib.optionals (withCapNG) [
-    "--with-capng"
-  ] ++ lib.optionals (withCJSON) [
-    "--with-cjson=${cjson}"
-  ] ++ lib.optionals (withOpenLDAP) [
-    "--with-openldap=${openldap.dev}"
-  ] ++ lib.optionals (withOpenLDAPAsHDBModule) [
-    "--enable-hdb-openldap-module"
-  ] ++ lib.optionals (withSQLite3) [
-    "--with-sqlite3=${sqlite.dev}"
-  ];
-
-  # (check-ldap) slapd resides within ${openldap}/libexec,
-  #              which is not part of $PATH by default.
-  # (check-ldap) prepending ${openldap}/bin to the path to avoid
-  #              using the default installation of openldap on unsandboxed darwin systems,
-  #              which does not support the new mdb backend at the moment (2024-01-13).
-  # (check-ldap) the bdb backend got deprecated in favour of mdb in openldap 2.5.0,
-  #              but the heimdal tests still seem to expect bdb as the openldap backend.
-  #              This might be fixed upstream in a future update.
-  patchPhase = ''
-    runHook prePatch
-
-    substituteInPlace tests/ldap/slapd-init.in \
-      --replace 'SCHEMA_PATHS="' 'SCHEMA_PATHS="${openldap}/etc/schema '
-    substituteInPlace tests/ldap/check-ldap.in \
-      --replace 'PATH=' 'PATH=${openldap}/libexec:${openldap}/bin:'
-    substituteInPlace tests/ldap/slapd.conf \
-      --replace 'database	bdb' 'database mdb'
-
-    runHook postPatch
-  '';
-
-  # (test_cc) heimdal uses librokens implementation of `secure_getenv` on darwin,
-  #           which expects either USER or LOGNAME to be set.
-  preCheck = lib.optionalString (stdenv.isDarwin) ''
-    export USER=nix-builder
-  '';
-
-  # We need to build hcrypt for applications like samba
-  postBuild = ''
-    (cd include/hcrypto; make -j $NIX_BUILD_CORES)
-    (cd lib/hcrypto; make -j $NIX_BUILD_CORES)
-  '';
-
-  postInstall = ''
-    # Install hcrypto
-    (cd include/hcrypto; make -j $NIX_BUILD_CORES install)
-    (cd lib/hcrypto; make -j $NIX_BUILD_CORES install)
-
-    mkdir -p $dev/bin
-    mv $out/bin/krb5-config $dev/bin/
-
-    # asn1 compilers, move them to $dev
-    mv $out/libexec/heimdal/* $dev/bin
-    rmdir $out/libexec/heimdal
-
-    # compile_et is needed for cross-compiling this package and samba
-    mv lib/com_err/.libs/compile_et $dev/bin
-  '';
-
-  # Issues with hydra
-  #  In file included from hxtool.c:34:0:
-  #  hx_locl.h:67:25: fatal error: pkcs10_asn1.h: No such file or directory
-  #enableParallelBuilding = true;
-
-  passthru = {
-    implementation = "heimdal";
-    tests.nixos = nixosTests.kerberos.heimdal;
-  };
-
-  meta = with lib; {
-    homepage = "https://www.heimdal.software";
-    changelog = "https://github.com/heimdal/heimdal/releases";
-    description = "An implementation of Kerberos 5 (and some more stuff)";
-    license = licenses.bsd3;
-    platforms = platforms.unix;
-    maintainers = with maintainers; [ h7x4 ];
-  };
-}