WIP

2023-09-17 23:18:16 +02:00
3 changed files with 77 additions and 97 deletions
--- a/hosts/bekkalokk/configuration.nix
+++ b/hosts/bekkalokk/configuration.nix
@@ -12,7 +12,7 @@
    # ./services/website.nix
    ./services/nginx.nix
    ./services/gitea/default.nix
-    # ./services/mediawiki.nix
+    ./services/mediawiki.nix
  ];

  sops.defaultSopsFile = ../../secrets/bekkalokk/bekkalokk.yaml;
--- a/hosts/bekkalokk/services/mediawiki.nix
+++ b/hosts/bekkalokk/services/mediawiki.nix
@@ -7,17 +7,16 @@
  # "mediawiki"
  group = config.users.users.${user}.group;
 in {
-  sops.secrets = {
-    "mediawiki/password" = {
+  sops.secrets = let
+    secret = opts: {
      restartUnits = [ "mediawiki-init.service" "phpfpm-mediawiki.service" ];
      owner = user;
      group = group;
-    };
-    "keys/postgres/mediawiki" = {
-      restartUnits = [ "mediawiki-init.service" "phpfpm-mediawiki.service" ];
-      owner = user;
-      group = group;
-    };
+    } // opts;
+  in {
+    "mediawiki/password" = secret { };
+    "mediawiki/database" = secret { };
+    "mediawiki/oidc/clientsecret" = secret { };
  };

  services.mediawiki = {
@@ -27,13 +26,12 @@ in {
    passwordSender = "drift@pvv.ntnu.no";

    database = {
-      type = "postgres";
-      host = "postgres.pvv.ntnu.no";
-      port = config.services.postgresql.port;
-      passwordFile = config.sops.secrets."keys/postgres/mediawiki".path;
+      type = "mysql";
+      host = "mysql.pvv.ntnu.no";
      createLocally = false;
-      # TODO: create a normal database and copy over old data when the service is production ready
-      name = "mediawiki_test";
+      user = "bekkalokk_mediawiki_test";
+      name = "bekkalokk_mediawiki_test";
+      passwordFile = config.sops.secrets."mediawiki/database".path;
    };

    # Host through nginx
@@ -42,70 +40,51 @@ in {
      listenUser = config.services.nginx.user;
      listenGroup = config.services.nginx.group;
    in {
-      inherit user group;
+      # Worker settings
      "pm" = "dynamic";
      "pm.max_children" = 32;
      "pm.max_requests" = 500;
      "pm.start_servers" = 2;
      "pm.min_spare_servers" = 2;
      "pm.max_spare_servers" = 4;
+
+      # Socket settings
      "listen.owner" = listenUser;
      "listen.group" = listenGroup;
-      "php_admin_value[error_log]" = "stderr";
-      "php_admin_flag[log_errors]" = "on";
+
+      # Misc
      "env[PATH]" = lib.makeBinPath [ pkgs.php ];
-      "catch_workers_output" = true;
      # to accept *.html file
      "security.limit_extensions" = "";
+      inherit user group;
+
+      # Debug logging
+      "catch_workers_output" = "yes";
+      "php_flag[display_errors]" = "on";
+      "php_admin_value[error_log]" = "stderr";
+      "php_admin_flag[log_errors]" = "on";
    };

    extensions = {
      DeleteBatch = pkgs.fetchzip {
-        url = "https://extdist.wmflabs.org/dist/extensions/DeleteBatch-REL1_39-995ea6f.tar.gz";
-	sha256 = "sha256-0F4GLCy2f5WcWIY2YgF1tVxgYbglR0VOsj/pMrW93b8=";
+        url = "https://extdist.wmflabs.org/dist/extensions/DeleteBatch-REL1_40-6852fb7.tar.gz";
+        hash = "sha256-m6l8Cs6mFLu1qfovBFO2l8HhtYZXnpZkajWXNob2wbU=";
      };
      UserMerge = pkgs.fetchzip {
-        url = "https://extdist.wmflabs.org/dist/extensions/UserMerge-REL1_39-b10d50e.tar.gz";
-	sha256 = "sha256-bXhj1+OlOUJDbvEuc8iwqb1LLEu6cN6+C/7cAvnWPOQ=";
+        url = "https://extdist.wmflabs.org/dist/extensions/UserMerge-REL1_40-56f6dcf.tar.gz";
+        hash = "sha256-zO7ti7fZPlJp3TXSJbYrXPRyElwO57zoU+RH7LBwVGU=";
      };
      PluggableAuth = pkgs.fetchzip {
-        url = "https://extdist.wmflabs.org/dist/extensions/PluggableAuth-REL1_39-1210fc3.tar.gz";
-	sha256 = "sha256-F6bTMCzkK3kZwZGIsNE87WlZWqXXmTMhEjApO99YKR0=";
+        url = "https://extdist.wmflabs.org/dist/extensions/PluggableAuth-REL1_40-8104ed9.tar.gz";
+        hash = "sha256-fFz9+pJ/Ucdg340I/JWe4S/W05oVSfns9EF84rxN8yI=";
      };
-      SimpleSAMLphp = pkgs.fetchzip {
-        url = "https://extdist.wmflabs.org/dist/extensions/SimpleSAMLphp-REL1_39-dcf0acb.tar.gz";
-        sha256 = "sha256-tCvFmb2+q2rxms+lRo5pgoI3h6GjCwXAR8XisPg03TQ=";
+      OpenIDConnect = pkgs.fetchzip {
+        url = "https://extdist.wmflabs.org/dist/extensions/OpenIDConnect-REL1_40-3edc735.tar.gz";
+        hash = "sha256-Osp4m2Sp9uGNt3QEmRsw0LA3KQCQzqJosgy3AFs11hY=";
      };
    };

-    extraConfig = let
-
-      SimpleSAMLphpRepo = pkgs.stdenvNoCC.mkDerivation rec {
-        pname = "configuredSimpleSAML";
-	version = "2.0.4";
-        src = pkgs.fetchzip {
-          url = "https://github.com/simplesamlphp/simplesamlphp/releases/download/v${version}/simplesamlphp-${version}.tar.gz";
-          sha256 = "sha256-pfMV/VmqqxgtG7Nx4s8MW4tWSaxOkVPtCRJwxV6RDSE=";
-        };
-
-	buildPhase = ''
-          cat > config/authsources.php << EOF
-          <?php
-          $config = array(
-            'default-sp' => array(
-              'saml:SP',
-              'idp' => 'https://idp.pvv.ntnu.no/',
-            ),
-          );
-	  EOF
-	'';
-
-	installPhase = ''
-	  cp -r . $out
-	'';
-      };
-
-    in ''
+    extraConfig = ''
      $wgServer = "https://bekkalokk.pvv.ntnu.no";
      $wgLocaltimezone = "Europe/Oslo";

@@ -115,61 +94,60 @@ in {
      $wgEmailAuthentication = false;
      $wgGroupPermissions['*']['createaccount'] = false;
      $wgGroupPermissions['*']['autocreateaccount'] = true;
-      $wgPluggableAuth_EnableAutoLogin = true;
+      $wgPluggableAuth_EnableAutoLogin = false;
+
+      # SSO config
+      $wgPluggableAuth_Config[] = [
+          'plugin' => 'OpenIDConnect',
+          'data' => [
+              'providerURL' => 'https://git.pvv.ntnu.no/login/oauth/authorize',
+              'clientID' => 'be86ec39-d89c-4973-a163-633339539db2',
+              'clientsecret' => file_get_contents('${config.sops.secrets."mediawiki/oidc/clientsecret".path}')
+          ]
+      ];

      # Disable anonymous editing
      $wgGroupPermissions['*']['edit'] = false;

      # Styling
-      $wgLogo = "/PNG/PVV-logo.png";
+      $wgLogos = [
+        'svg' => "${../../../assets/logo_blue_regular.svg}",
+      ];
      $wgDefaultSkin = "monobook";

+      # Enable debugging
+      error_reporting( -1 );
+      ini_set( 'display_errors', 1 );
+
      # Misc
      $wgEmergencyContact = "${cfg.passwordSender}";
      $wgShowIPinHeader = false;
      $wgUseTeX = false;
      $wgLocalInterwiki = $wgSitename;

-      # SimpleSAML
-      $wgSimpleSAMLphp_InstallDir = "${SimpleSAMLphpRepo}";
-      $wgSimpleSAMLphp_AuthSourceId = "default-sp";
-      $wgSimpleSAMLphp_RealNameAttribute = "cn";
-      $wgSimpleSAMLphp_EmailAttribute = "mail";
-      $wgSimpleSAMLphp_UsernameAttribute = "uid";
-
      # Fix https://github.com/NixOS/nixpkgs/issues/183097
      $wgDBserver = "${toString cfg.database.host}";
    '';
  };

-  # Override because of https://github.com/NixOS/nixpkgs/issues/183097
-  systemd.services.mediawiki-init.script = let
-    # According to module
-    stateDir = "/var/lib/mediawiki";
-    pkg = cfg.finalPackage;
-    mediawikiConfig = config.services.phpfpm.pools.mediawiki.phpEnv.MEDIAWIKI_CONFIG;
-    inherit (lib) optionalString mkForce;
-  in mkForce ''
-    if ! test -e "${stateDir}/secret.key"; then
-      tr -dc A-Za-z0-9 </dev/urandom 2>/dev/null | head -c 64 > ${stateDir}/secret.key
-    fi
-
-    echo "exit( wfGetDB( DB_MASTER )->tableExists( 'user' ) ? 1 : 0 );" | \
-    ${pkgs.php}/bin/php ${pkg}/share/mediawiki/maintenance/eval.php --conf ${mediawikiConfig} && \
-    ${pkgs.php}/bin/php ${pkg}/share/mediawiki/maintenance/install.php \
-      --confpath /tmp \
-      --scriptpath / \
-      --dbserver "${cfg.database.host}" \
-      --dbport ${toString cfg.database.port} \
-      --dbname ${cfg.database.name} \
-      ${optionalString (cfg.database.tablePrefix != null) "--dbprefix ${cfg.database.tablePrefix}"} \
-      --dbuser ${cfg.database.user} \
-      ${optionalString (cfg.database.passwordFile != null) "--dbpassfile ${cfg.database.passwordFile}"} \
-      --passfile ${cfg.passwordFile} \
-      --dbtype ${cfg.database.type} \
-      ${cfg.name} \
-      admin
-
-    ${pkgs.php}/bin/php ${pkg}/share/mediawiki/maintenance/update.php --conf ${mediawikiConfig} --quick
-  '';
+  # services.nginx.virtualHosts."wiki.pvv.ntnu.no" = {
+  services.nginx.virtualHosts."bekkalokk.pvv.ntnu.no" = {
+    forceSSL = true;
+    enableACME = true;
+    root = "${cfg.finalPackage}/share/mediawiki";
+    locations = {
+      "/" = {
+        recommendedProxySettings = true;
+        extraConfig = ''
+          fastcgi_split_path_info ^(.+\.php)(/.+)$;
+          fastcgi_index index.php;
+          fastcgi_pass unix:${config.services.phpfpm.pools.mediawiki.socket};
+          include ${pkgs.nginx}/conf/fastcgi_params;
+          include ${pkgs.nginx}/conf/fastcgi.conf;
+        '';
+      };
+      "/images".root = config.services.mediawiki.uploadsDir;
+    };
+    
+  };
 }
--- a/secrets/bekkalokk/bekkalokk.yaml
+++ b/secrets/bekkalokk/bekkalokk.yaml
@@ -11,6 +11,8 @@ gitea:
 mediawiki:
    password: ENC[AES256_GCM,data:HsBuA1E7187roGnKuFPfPDYxA16GFjAUucgUtrdUFmcOzmTNiFH+NWY2ZQ==,iv:vDYUmmZftcrkDtJxNYKAJSx9j+AQcmQarC62QRHR4IM=,tag:3TKjNrGRivFWoK3djC748g==,type:str]
    database: ENC[AES256_GCM,data:EvVK3Mo6cZiIZS+gTxixU4r9SXN41VqwaWOtortZRNH+WPJ4xcYvzYMJNg==,iv:JtFTRLn3fzKIfgAPRqRgQjct7EdkEHtiyQKPy8/sZ2Q=,tag:nqzseG6BC0X5UNI/3kZZ3A==,type:str]
+    oidc:
+        clientsecret: ENC[AES256_GCM,data:bh016Qlijs5hoNY1iYsx6uEa5oEG9aX4T9BMiqnDRhSh7iVXpj9A6glcr8OGmWN7Om7yXE4AdlY=,iv:BnZjxbK6oB1eALx3RidpkwzU8xz1x0luwZC7ioqTjQE=,tag:HX8uUevimnAcqBH8NaMQXA==,type:str]
 keycloak:
    database: ENC[AES256_GCM,data:76+AZnNR5EiturTP7BdOCKE90bFFkfGlRtviSP5NHxPbb3RfFPJEMlwtzA==,iv:nS7VTossHdlrHjPeethhX+Ysp9ukrb5JD7kjG28OFpY=,tag:OMpiEv9nQA7v6lWJfNxEEw==,type:str]
 sops:
@@ -46,8 +48,8 @@ sops:
            akVjeTNTeGorZjJQOVlMeCtPRUVYL3MK+VMvGxrbzGz4Q3sdaDDWjal+OiK+JYKX
            GHiMXVHQJZu/RrlxMjHKN6V3iaqxZpuvLAEJ2Lzy5EOHPtuiiRyeHQ==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-09-17T02:02:24Z"
-    mac: ENC[AES256_GCM,data:Lkvj9UOdE/WZtFReMs6n8ucFuJNPb76ZhPHFpYAEqYEe8d9FdMPMzq05DBAJe9IqpFS0jc9SWxJUPHfGgoMR8nPciZuR/mpJ+4s/cRkPbApwBPcLlvatE/qkbcxzoLlb1vN0gth5G/U7UEfk5Pp9gIz6Yo4sEIS3Za42tId1MpI=,iv:s3VELgU/RJ98/lbQV3vPtOLXtwFzB3KlY7bMKbAzp/g=,tag:D8s0XyGnd8UhbCseB/TyFg==,type:str]
+    lastmodified: "2023-09-17T21:12:05Z"
+    mac: ENC[AES256_GCM,data:wfq3FTwwJh2eHbw5PW32IEp4jWeSQLaBLJzrbgfXUPP8VuPK3Q7puQtchsQ3Xrv2+c9FI536luhwaUPfgn+/JE8rn8KEhabMPrX2lYMVH8I4OkCYEivpbWNfmm3gfNU2SrEFZ2jBBLLCWDgBAA7SfyApiQiyZ3qpJ2aZCfgaUoM=,iv:5/R2tnjiQ6BPgU+eAChm2EsWuGurqumnzl4pfjZclLw=,tag:xdECs8muNv9c/68IRbWzCw==,type:str]
    pgp:
        - created_at: "2023-05-21T00:28:40Z"
          enc: |