Compare commits
6 Commits
ce3aeb4e08
...
f0084c132e
Author | SHA1 | Date |
---|---|---|
Oystein Kristoffer Tveit | f0084c132e | |
Oystein Kristoffer Tveit | 5c3dac76d2 | |
Oystein Kristoffer Tveit | b87d9cc86a | |
Oystein Kristoffer Tveit | 9495682f57 | |
Oystein Kristoffer Tveit | d39047b8cb | |
Oystein Kristoffer Tveit | 266ce9ed08 |
14
flake.nix
14
flake.nix
|
@ -42,6 +42,7 @@
|
||||||
];
|
];
|
||||||
in {
|
in {
|
||||||
nixosConfigurations = let
|
nixosConfigurations = let
|
||||||
|
unstablePkgs = nixpkgs-unstable.legacyPackages.x86_64-linux;
|
||||||
nixosConfig = nixpkgs: name: config: nixpkgs.lib.nixosSystem (nixpkgs.lib.recursiveUpdate
|
nixosConfig = nixpkgs: name: config: nixpkgs.lib.nixosSystem (nixpkgs.lib.recursiveUpdate
|
||||||
rec {
|
rec {
|
||||||
system = "x86_64-linux";
|
system = "x86_64-linux";
|
||||||
|
@ -78,10 +79,7 @@
|
||||||
bekkalokk = stableNixosConfig "bekkalokk" {
|
bekkalokk = stableNixosConfig "bekkalokk" {
|
||||||
overlays = [
|
overlays = [
|
||||||
(final: prev: {
|
(final: prev: {
|
||||||
heimdal = final.callPackage ./packages/heimdal {
|
heimdal = unstablePkgs.heimdal;
|
||||||
inherit (final.darwin.apple_sdk.frameworks) CoreFoundation Security SystemConfiguration;
|
|
||||||
autoreconfHook = final.buildPackages.autoreconfHook269;
|
|
||||||
};
|
|
||||||
mediawiki-extensions = final.callPackage ./packages/mediawiki-extensions { };
|
mediawiki-extensions = final.callPackage ./packages/mediawiki-extensions { };
|
||||||
simplesamlphp = final.callPackage ./packages/simplesamlphp { };
|
simplesamlphp = final.callPackage ./packages/simplesamlphp { };
|
||||||
})
|
})
|
||||||
|
@ -126,14 +124,6 @@
|
||||||
all-machines = pkgs.linkFarm "all-machines"
|
all-machines = pkgs.linkFarm "all-machines"
|
||||||
(nixlib.getAttrs allMachines self.packages.x86_64-linux);
|
(nixlib.getAttrs allMachines self.packages.x86_64-linux);
|
||||||
|
|
||||||
#######################
|
|
||||||
# TODO: remove this once nixos 24.05 gets released
|
|
||||||
#######################
|
|
||||||
heimdal = pkgs.callPackage ./packages/heimdal {
|
|
||||||
inherit (pkgs.darwin.apple_sdk.frameworks) CoreFoundation Security SystemConfiguration;
|
|
||||||
autoreconfHook = pkgs.buildPackages.autoreconfHook269;
|
|
||||||
};
|
|
||||||
|
|
||||||
simplesamlphp = pkgs.callPackage ./packages/simplesamlphp { };
|
simplesamlphp = pkgs.callPackage ./packages/simplesamlphp { };
|
||||||
|
|
||||||
mediawiki-extensions = pkgs.callPackage ./packages/mediawiki-extensions { };
|
mediawiki-extensions = pkgs.callPackage ./packages/mediawiki-extensions { };
|
||||||
|
|
|
@ -33,28 +33,19 @@
|
||||||
in {
|
in {
|
||||||
services.idp.sp-remote-metadata = [ "https://wiki2.pvv.ntnu.no/simplesaml/" ];
|
services.idp.sp-remote-metadata = [ "https://wiki2.pvv.ntnu.no/simplesaml/" ];
|
||||||
|
|
||||||
sops.secrets = {
|
sops.secrets = lib.pipe [
|
||||||
"mediawiki/password" = {
|
"mediawiki/password"
|
||||||
|
"mediawiki/postgres_password"
|
||||||
|
"mediawiki/simplesamlphp/postgres_password"
|
||||||
|
"mediawiki/simplesamlphp/cookie_salt"
|
||||||
|
"mediawiki/simplesamlphp/admin_password"
|
||||||
|
] [
|
||||||
|
(map (key: lib.nameValuePair key {
|
||||||
owner = user;
|
owner = user;
|
||||||
group = group;
|
group = group;
|
||||||
};
|
}))
|
||||||
"mediawiki/postgres_password" = {
|
lib.listToAttrs
|
||||||
owner = user;
|
];
|
||||||
group = group;
|
|
||||||
};
|
|
||||||
"mediawiki/simplesamlphp/postgres_password" = {
|
|
||||||
owner = user;
|
|
||||||
group = group;
|
|
||||||
};
|
|
||||||
"mediawiki/simplesamlphp/cookie_salt" = {
|
|
||||||
owner = user;
|
|
||||||
group = group;
|
|
||||||
};
|
|
||||||
"mediawiki/simplesamlphp/admin_password" = {
|
|
||||||
owner = user;
|
|
||||||
group = group;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
services.mediawiki = {
|
services.mediawiki = {
|
||||||
enable = true;
|
enable = true;
|
||||||
|
@ -127,7 +118,6 @@ in {
|
||||||
"2x" => "/PNG/PVV-logo.png",
|
"2x" => "/PNG/PVV-logo.png",
|
||||||
"icon" => "/PNG/PVV-logo.svg",
|
"icon" => "/PNG/PVV-logo.svg",
|
||||||
);
|
);
|
||||||
# wfLoadSkin('Timeless');
|
|
||||||
$wgDefaultSkin = "vector-2022";
|
$wgDefaultSkin = "vector-2022";
|
||||||
# from https://github.com/wikimedia/mediawiki-skins-Vector/blob/master/skin.json
|
# from https://github.com/wikimedia/mediawiki-skins-Vector/blob/master/skin.json
|
||||||
$wgVectorDefaultSidebarVisibleForAnonymousUser = true;
|
$wgVectorDefaultSidebarVisibleForAnonymousUser = true;
|
||||||
|
@ -164,37 +154,6 @@ in {
|
||||||
mode = "0770";
|
mode = "0770";
|
||||||
};
|
};
|
||||||
|
|
||||||
# Override because of https://github.com/NixOS/nixpkgs/issues/183097
|
|
||||||
systemd.services.mediawiki-init.script = let
|
|
||||||
# According to module
|
|
||||||
stateDir = "/var/lib/mediawiki";
|
|
||||||
pkg = cfg.finalPackage;
|
|
||||||
mediawikiConfig = config.services.phpfpm.pools.mediawiki.phpEnv.MEDIAWIKI_CONFIG;
|
|
||||||
inherit (lib) optionalString mkForce;
|
|
||||||
in mkForce ''
|
|
||||||
if ! test -e "${stateDir}/secret.key"; then
|
|
||||||
tr -dc A-Za-z0-9 </dev/urandom 2>/dev/null | head -c 64 > ${stateDir}/secret.key
|
|
||||||
fi
|
|
||||||
|
|
||||||
echo "exit( wfGetDB( DB_MASTER )->tableExists( 'user' ) ? 1 : 0 );" | \
|
|
||||||
${pkgs.php}/bin/php ${pkg}/share/mediawiki/maintenance/eval.php --conf ${mediawikiConfig} && \
|
|
||||||
${pkgs.php}/bin/php ${pkg}/share/mediawiki/maintenance/install.php \
|
|
||||||
--confpath /tmp \
|
|
||||||
--scriptpath / \
|
|
||||||
--dbserver "${cfg.database.host}" \
|
|
||||||
--dbport ${toString cfg.database.port} \
|
|
||||||
--dbname ${cfg.database.name} \
|
|
||||||
${optionalString (cfg.database.tablePrefix != null) "--dbprefix ${cfg.database.tablePrefix}"} \
|
|
||||||
--dbuser ${cfg.database.user} \
|
|
||||||
${optionalString (cfg.database.passwordFile != null) "--dbpassfile ${cfg.database.passwordFile}"} \
|
|
||||||
--passfile ${cfg.passwordFile} \
|
|
||||||
--dbtype ${cfg.database.type} \
|
|
||||||
${cfg.name} \
|
|
||||||
admin
|
|
||||||
|
|
||||||
${pkgs.php}/bin/php ${pkg}/share/mediawiki/maintenance/update.php --conf ${mediawikiConfig} --quick
|
|
||||||
'';
|
|
||||||
|
|
||||||
users.groups.mediawiki.members = [ "nginx" ];
|
users.groups.mediawiki.members = [ "nginx" ];
|
||||||
|
|
||||||
services.nginx.virtualHosts."wiki2.pvv.ntnu.no" = {
|
services.nginx.virtualHosts."wiki2.pvv.ntnu.no" = {
|
||||||
|
|
|
@ -1,178 +0,0 @@
|
||||||
{ lib
|
|
||||||
, stdenv
|
|
||||||
, fetchFromGitHub
|
|
||||||
, autoreconfHook
|
|
||||||
, pkg-config
|
|
||||||
, python3
|
|
||||||
, perl
|
|
||||||
, bison
|
|
||||||
, flex
|
|
||||||
, texinfo
|
|
||||||
, perlPackages
|
|
||||||
|
|
||||||
, openldap
|
|
||||||
, libcap_ng
|
|
||||||
, sqlite
|
|
||||||
, openssl
|
|
||||||
, db
|
|
||||||
, libedit
|
|
||||||
, pam
|
|
||||||
, krb5
|
|
||||||
, libmicrohttpd
|
|
||||||
, cjson
|
|
||||||
|
|
||||||
, CoreFoundation
|
|
||||||
, Security
|
|
||||||
, SystemConfiguration
|
|
||||||
|
|
||||||
, curl
|
|
||||||
, jdk
|
|
||||||
, unzip
|
|
||||||
, which
|
|
||||||
|
|
||||||
, nixosTests
|
|
||||||
|
|
||||||
, withCJSON ? true
|
|
||||||
, withCapNG ? stdenv.isLinux
|
|
||||||
# libmicrohttpd should theoretically work for darwin as well, but something is broken.
|
|
||||||
# It affects tests check-bx509d and check-httpkadmind.
|
|
||||||
, withMicroHTTPD ? stdenv.isLinux
|
|
||||||
, withOpenLDAP ? true
|
|
||||||
, withOpenLDAPAsHDBModule ? false
|
|
||||||
, withOpenSSL ? true
|
|
||||||
, withSQLite3 ? true
|
|
||||||
}:
|
|
||||||
|
|
||||||
assert lib.assertMsg (withOpenLDAPAsHDBModule -> withOpenLDAP) ''
|
|
||||||
OpenLDAP needs to be enabled in order to build the OpenLDAP HDB Module.
|
|
||||||
'';
|
|
||||||
|
|
||||||
stdenv.mkDerivation {
|
|
||||||
pname = "heimdal";
|
|
||||||
version = "7.8.0-unstable-2023-11-29";
|
|
||||||
|
|
||||||
src = fetchFromGitHub {
|
|
||||||
owner = "heimdal";
|
|
||||||
repo = "heimdal";
|
|
||||||
rev = "3253c49544eacb33d5ad2f6f919b0696e5aab794";
|
|
||||||
hash = "sha256-uljzQBzXrZCZjcIWfioqHN8YsbUUNy14Vo+A3vZIXzM=";
|
|
||||||
};
|
|
||||||
|
|
||||||
outputs = [ "out" "dev" "man" "info" ];
|
|
||||||
|
|
||||||
nativeBuildInputs = [
|
|
||||||
autoreconfHook
|
|
||||||
pkg-config
|
|
||||||
python3
|
|
||||||
perl
|
|
||||||
bison
|
|
||||||
flex
|
|
||||||
texinfo
|
|
||||||
]
|
|
||||||
++ (with perlPackages; [ JSON ]);
|
|
||||||
|
|
||||||
buildInputs = [ db libedit pam ]
|
|
||||||
++ lib.optionals (stdenv.isDarwin) [ CoreFoundation Security SystemConfiguration ]
|
|
||||||
++ lib.optionals (withCJSON) [ cjson ]
|
|
||||||
++ lib.optionals (withCapNG) [ libcap_ng ]
|
|
||||||
++ lib.optionals (withMicroHTTPD) [ libmicrohttpd ]
|
|
||||||
++ lib.optionals (withOpenLDAP) [ openldap ]
|
|
||||||
++ lib.optionals (withOpenSSL) [ openssl ]
|
|
||||||
++ lib.optionals (withSQLite3) [ sqlite ];
|
|
||||||
|
|
||||||
doCheck = true;
|
|
||||||
nativeCheckInputs = [
|
|
||||||
curl
|
|
||||||
jdk
|
|
||||||
unzip
|
|
||||||
which
|
|
||||||
];
|
|
||||||
|
|
||||||
configureFlags = [
|
|
||||||
"--with-libedit-include=${libedit.dev}/include"
|
|
||||||
"--with-libedit-lib=${libedit}/lib"
|
|
||||||
"--with-berkeley-db-include=${db.dev}/include"
|
|
||||||
"--with-berkeley-db"
|
|
||||||
|
|
||||||
"--without-x"
|
|
||||||
"--disable-afs-string-to-key"
|
|
||||||
] ++ lib.optionals (withCapNG) [
|
|
||||||
"--with-capng"
|
|
||||||
] ++ lib.optionals (withCJSON) [
|
|
||||||
"--with-cjson=${cjson}"
|
|
||||||
] ++ lib.optionals (withOpenLDAP) [
|
|
||||||
"--with-openldap=${openldap.dev}"
|
|
||||||
] ++ lib.optionals (withOpenLDAPAsHDBModule) [
|
|
||||||
"--enable-hdb-openldap-module"
|
|
||||||
] ++ lib.optionals (withSQLite3) [
|
|
||||||
"--with-sqlite3=${sqlite.dev}"
|
|
||||||
];
|
|
||||||
|
|
||||||
# (check-ldap) slapd resides within ${openldap}/libexec,
|
|
||||||
# which is not part of $PATH by default.
|
|
||||||
# (check-ldap) prepending ${openldap}/bin to the path to avoid
|
|
||||||
# using the default installation of openldap on unsandboxed darwin systems,
|
|
||||||
# which does not support the new mdb backend at the moment (2024-01-13).
|
|
||||||
# (check-ldap) the bdb backend got deprecated in favour of mdb in openldap 2.5.0,
|
|
||||||
# but the heimdal tests still seem to expect bdb as the openldap backend.
|
|
||||||
# This might be fixed upstream in a future update.
|
|
||||||
patchPhase = ''
|
|
||||||
runHook prePatch
|
|
||||||
|
|
||||||
substituteInPlace tests/ldap/slapd-init.in \
|
|
||||||
--replace 'SCHEMA_PATHS="' 'SCHEMA_PATHS="${openldap}/etc/schema '
|
|
||||||
substituteInPlace tests/ldap/check-ldap.in \
|
|
||||||
--replace 'PATH=' 'PATH=${openldap}/libexec:${openldap}/bin:'
|
|
||||||
substituteInPlace tests/ldap/slapd.conf \
|
|
||||||
--replace 'database bdb' 'database mdb'
|
|
||||||
|
|
||||||
runHook postPatch
|
|
||||||
'';
|
|
||||||
|
|
||||||
# (test_cc) heimdal uses librokens implementation of `secure_getenv` on darwin,
|
|
||||||
# which expects either USER or LOGNAME to be set.
|
|
||||||
preCheck = lib.optionalString (stdenv.isDarwin) ''
|
|
||||||
export USER=nix-builder
|
|
||||||
'';
|
|
||||||
|
|
||||||
# We need to build hcrypt for applications like samba
|
|
||||||
postBuild = ''
|
|
||||||
(cd include/hcrypto; make -j $NIX_BUILD_CORES)
|
|
||||||
(cd lib/hcrypto; make -j $NIX_BUILD_CORES)
|
|
||||||
'';
|
|
||||||
|
|
||||||
postInstall = ''
|
|
||||||
# Install hcrypto
|
|
||||||
(cd include/hcrypto; make -j $NIX_BUILD_CORES install)
|
|
||||||
(cd lib/hcrypto; make -j $NIX_BUILD_CORES install)
|
|
||||||
|
|
||||||
mkdir -p $dev/bin
|
|
||||||
mv $out/bin/krb5-config $dev/bin/
|
|
||||||
|
|
||||||
# asn1 compilers, move them to $dev
|
|
||||||
mv $out/libexec/heimdal/* $dev/bin
|
|
||||||
rmdir $out/libexec/heimdal
|
|
||||||
|
|
||||||
# compile_et is needed for cross-compiling this package and samba
|
|
||||||
mv lib/com_err/.libs/compile_et $dev/bin
|
|
||||||
'';
|
|
||||||
|
|
||||||
# Issues with hydra
|
|
||||||
# In file included from hxtool.c:34:0:
|
|
||||||
# hx_locl.h:67:25: fatal error: pkcs10_asn1.h: No such file or directory
|
|
||||||
#enableParallelBuilding = true;
|
|
||||||
|
|
||||||
passthru = {
|
|
||||||
implementation = "heimdal";
|
|
||||||
tests.nixos = nixosTests.kerberos.heimdal;
|
|
||||||
};
|
|
||||||
|
|
||||||
meta = with lib; {
|
|
||||||
homepage = "https://www.heimdal.software";
|
|
||||||
changelog = "https://github.com/heimdal/heimdal/releases";
|
|
||||||
description = "An implementation of Kerberos 5 (and some more stuff)";
|
|
||||||
license = licenses.bsd3;
|
|
||||||
platforms = platforms.unix;
|
|
||||||
maintainers = with maintainers; [ h7x4 ];
|
|
||||||
};
|
|
||||||
}
|
|
Loading…
Reference in New Issue