bekkalokk: set up idp + mediawiki #25

Merged
oysteikt merged 7 commits from mediawiki-on-bekkalokk into main 2024-04-02 00:00:24 +02:00
Owner

🥳

I think this should be good enough to merge now, for testing purposes

AFAIK, both IDP and SP are safe and sound, and mediawiki is running a copy of the original wiki. (and probably safe as well :))))

### Further work

- The idp is missing its theme
- mediawiki has an issue with funky files being served (https://wiki2.pvv.ntnu.no/composer.json), it should rather not
oysteikt added 7 commits 2024-03-31 05:11:29 +02:00
oysteikt requested review from danio 2024-03-31 05:11:44 +02:00
oysteikt requested review from felixalb 2024-03-31 05:11:44 +02:00
eirikwit reviewed 2024-03-31 11:25:52 +02:00
@ -0,0 +164,4 @@
mode = "0770";
};
# Override because of https://github.com/NixOS/nixpkgs/issues/183097
Owner

The issue this mentions is fixed. Is this still needed?
Author
Owner

Indeed not needed, will fix
oysteikt marked this conversation as resolved
danio approved these changes 2024-03-31 14:01:37 +02:00
@ -19,0 +20,4 @@
virtualHosts."bekkalokk.pvv.ntnu.no" = {
enableACME = true;
forceSSL = true;
locations."/".return = "301 $scheme://git.pvv.ntnu.no$request_uri";
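Review bot: `return = "301 ..."` is a permanent redirect that browsers and some crawlers cache indefinitely, so if `bekkalokk.pvv.ntnu.no` is later given real content again (the thread on this hunk says mediawiki originally lived here), clients that already followed the redirect will keep landing on git. A `302` or `307` gives the same "go away" signal to bots without that cache commitment, and can be promoted to `301` once the host's role is settled.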
Owner

Why are we doing this? Just as a catch to avoid serving some other random endpoint with the wrong certs?
Author
Owner

Initially, i was running mediawiki on `bekkalokk.pvv.ntnu.no`, but it was <s>literally</s> virtually impossible to debug because of bots (or maybe even humans?) trying to access the git instance on this domain. I set up a permanent redirect in hopes that they would get the point.
Author
Owner

Closing, assuming it's good?
oysteikt marked this conversation as resolved
@ -0,0 +1,66 @@
#!/usr/bin/env nix-shell
#!nix-shell -i python3 -p "python3.withPackages(ps: with ps; [ beautifulsoup4 requests ])"
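Review bot: the `#!nix-shell -p "python3.withPackages(...)"` shebang resolves `python3`, `beautifulsoup4` and `requests` from whatever `<nixpkgs>` is on the caller's `NIX_PATH`, so unlike the rest of this flake the scraper's dependencies are not pinned; adding `-I nixpkgs=<pinned source>` to the shebang (or running it via the flake's own `pkgs`) makes the migration reproducible. Since it reads the live wiki, a small delay between requests also keeps it from showing up in the old server's logs as the same kind of noise this PR is trying to get rid of on bekkalokk.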
Owner

This is pretty funny, hekin web scraper
danio marked this conversation as resolved
oysteikt reviewed 2024-03-31 15:29:43 +02:00
@ -0,0 +1,178 @@
{ lib
Author
Owner

Not needed, can source from `pkgs-unstable`
oysteikt marked this conversation as resolved
oysteikt reviewed 2024-03-31 15:34:20 +02:00
@ -0,0 +26,4 @@
--replace '$SAML_DATABASE_DSN' '"pgsql:host=postgres.pvv.ntnu.no;port=5432;dbname=mediawiki_simplesamlphp"' \
--replace '$SAML_DATABASE_USERNAME' '"mediawiki_simplesamlphp"' \
--replace '$SAML_DATABASE_PASSWORD' 'file_get_contents("${config.sops.secrets."mediawiki/simplesamlphp/postgres_password".path}")' \
--replace '$CACHE_DIRECTORY' '/var/cache/mediawiki/idp'
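Review bot: `--replace` exits successfully even when the placeholder is not found, so a renamed `$SAML_...` token in the copied template would silently leave the literal string in the deployed config; newer nixpkgs has `--replace-fail` for exactly this case and it is worth using here. On the substituted values themselves: the DSN `pgsql:host=postgres.pvv.ntnu.no;port=5432;...` carries no `sslmode`, so confirm the IdP-to-Postgres link is on a trusted network or that the server requires TLS, and reading the password through `file_get_contents` of the sops path at runtime is the right shape, since only the path, never the secret, ends up in the store.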
Author
Owner

It would be nice if we could find a better solution for this. Optimally it should

- Use the upstream config as base
- Override only specified options
- Avoid writing a whole php parser in nix
- Avoid maintaining a nixified copy of the upstream base config

Maybe it would be possible to use includes and some php magic to merge the two?

ping: @felixalb
Author
Owner

Leaving as future issue.
oysteikt marked this conversation as resolved
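A sketch of the include-and-override idea floated in the thread above, as an added example that is not part of this PR. It assumes the untouched upstream simplesamlphp `config.php.dist` is installed at a path the Nix module controls, that Nix writes the chosen overrides as JSON (`builtins.toJSON`), and it invents a `{"_file": ...}` convention so secret values are read from their sops path at runtime rather than copied into the store.

```php
<?php
// Added example (not from this PR): config/config.php that keeps the upstream
// simplesamlphp template untouched and layers Nix-specified overrides on top.
// Assumptions: $basePath is the unmodified upstream config.php.dist and
// $overridesPath is a JSON file written by Nix (builtins.toJSON).
$basePath      = '/var/lib/idp/upstream/config.php.dist'; // assumed path
$overridesPath = '/etc/idp/overrides.json';               // assumed path

// Resolve {"_file": "/run/secrets/..."} leaves to the file's contents at
// runtime, so secrets stay out of the Nix store and out of the JSON itself.
function resolveSecretRefs(array $tree): array
{
    foreach ($tree as $key => $value) {
        if (!is_array($value)) {
            continue;
        }
        if (array_keys($value) === ['_file']) {
            $secret = file_get_contents($value['_file']);
            if ($secret === false) {
                throw new RuntimeException("cannot read secret file {$value['_file']}");
            }
            $tree[$key] = rtrim($secret, "\r\n");
        } else {
            $tree[$key] = resolveSecretRefs($value);
        }
    }
    return $tree;
}

// 1. Upstream defaults: config.php.dist defines $config.
require $basePath;
if (!isset($config) || !is_array($config)) {
    throw new RuntimeException("$basePath did not define \$config");
}

// 2. Overrides chosen in Nix, e.g. {"store.sql.dsn": "pgsql:host=...",
//    "store.sql.password": {"_file": "/run/secrets/idp-db-password"}}.
$raw = file_get_contents($overridesPath);
if ($raw === false) {
    throw new RuntimeException("cannot read $overridesPath");
}
$overrides = json_decode($raw, true, 512, JSON_THROW_ON_ERROR);

// 3. Overridden keys win, nested maps merge key by key, everything else keeps
//    the upstream value. Lists merge by index too, so to replace a list
//    entirely put the complete list in the overrides.
$config = array_replace_recursive($config, resolveSecretRefs($overrides));
```

The upstream template is then never edited, so bumping the simplesamlphp package only requires checking that the overridden keys still exist.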
oysteikt reviewed 2024-03-31 15:37:45 +02:00
@ -0,0 +100,4 @@
};
in
{
options.services.idp.sp-remote-metadata = lib.mkOption {
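Review bot: pinning the SP's remote metadata by hash, as this option does, is the more conservative choice compared with the auto-refresh module discussed in the thread: with a pinned copy, a change to the SP's signing certificate or endpoints only takes effect after a deliberate bump, whereas an automated fetch must itself be protected by signature verification of the metadata. The bump procedure (and the fact that the hash must move together with the SP's cert rotation) belongs in the option's `description` so it is not rediscovered the hard way.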
Author
Owner

Note for future:

This is *cursed*. simplesamlphp supports an [extension that can autofetch metadata](https://simplesamlphp.org/docs/contrib_modules/metarefresh/simplesamlphp-automated_metadata.html), but it requires edits to composer.json and the lockfile, which will have to be updated together with the project. Maybe it would be better to maintain this hash together with the package, and make sure to bump it whenever we bump the package version?
Author
Owner

Leaving as future issue
oysteikt marked this conversation as resolved
oysteikt reviewed 2024-03-31 15:41:52 +02:00
@ -0,0 +127,4 @@
"2x" => "/PNG/PVV-logo.png",
"icon" => "/PNG/PVV-logo.svg",
);
# wfLoadSkin('Timeless');
Author
Owner

yeet
oysteikt marked this conversation as resolved
oysteikt reviewed 2024-03-31 15:43:03 +02:00
@ -0,0 +89,4 @@
"listen.owner" = listenUser;
"listen.group" = listenGroup;
"catch_workers_output" = true;
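Review bot: `"catch_workers_output" = true` forwards each worker's stdout and stderr (PHP warnings with file paths, stack traces, anything the app writes to stderr) into the php-fpm log. That is useful while this is a test setup, as the thread below says, but it is exactly the kind of knob worth tying to the proposed `debug` option so it is switched off, along with `display_errors`-style settings, before real users' requests and session data flow through the wiki.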
Author
Owner

Should we make some kind of `services.mediawiki.debug: bool` option? Or even `debug.mediawiki: bool` (as well as the other services)?

It's very nice to be able to remember how these options were set whenever we need to debug
Author
Owner

Leaving these on for now, since they are considered test setups. Let's leave this as a future issue.
oysteikt marked this conversation as resolved
oysteikt force-pushed mediawiki-on-bekkalokk from ce3aeb4e08 to f0084c132e 2024-04-01 00:41:07 +02:00 Compare
felixalb reviewed 2024-04-01 00:57:36 +02:00
@ -17,2 +17,4 @@
recommendedOptimisation = true;
recommendedGzipSettings = true;
virtualHosts."bekkalokk.pvv.ntnu.no" = {
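Review bot: `recommendedGzipSettings = true` is set at the top level, so it compresses responses for every vhost on this nginx, including the wiki and IdP ones behind `forceSSL`; nginx always compresses `text/html` when gzip is on, and compressed TLS responses that embed per-session secrets (MediaWiki's edit and login tokens) are the known precondition for compression side channels. For an internal wiki this may be an accepted risk, but it should be a conscious one: either keep gzip for static assets only, or note the decision next to this setting.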
Owner

Is Gitea a natural redirect here? I suggest using the main website (www.) instead.
Author
Owner

See @danio s comment. Up until now, this has been pointing at gitea, so bots (and possibly humans) are trying to access "bekkalokk.pvv.ntnu.no/Projects/<...>/ditt/datt", and filling up the nginx logs with errors, making it completely unreadable. I was hoping that making it a permanent redirect would make the bots change their urls or something
felixalb reviewed 2024-04-01 01:05:49 +02:00
@ -0,0 +62,4 @@
throw new \SimpleSAML\Error\Error('WRONGUSERPASS');
}
/*
$ldap = ldap_connect('129.241.210.159', 389);
Owner

Hardcoded IP address in our DHCP range?
What machine is it supposed to be referencing, the KDC or another LDAP host?
Author
Owner

Commented stuff from Yorn's days, no idea what the original host was. Presumably LDAP host, considering it's using `ldap_connect` with port `389`
felixalb reviewed 2024-04-01 01:22:12 +02:00
@ -0,0 +1,135 @@
<?php
Owner

Many potentially spooky things in a file like this, but I haven't found any vulnerabilities through manual reviews, snyk or psalm, so I think it's good :)
oysteikt marked this conversation as resolved
felixalb reviewed 2024-04-01 01:24:12 +02:00
@ -0,0 +11,4 @@
read -r _
exit 2
fi
kinit --password-file=STDIN "''${user1}@PVV.NTNU.NO"
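Review bot: `"''${user1}@PVV.NTNU.NO"` builds the Kerberos principal directly from the submitted username, so the script should reject anything outside the expected charset (letters, digits, `.`, `-`, `_`) before reaching `kinit`: a name containing `@` or `/` would name a different principal or instance than the caller meant, and an embedded newline would end the `--password-file=STDIN` exchange early. Passing the password on stdin rather than as an argument is the right choice, since it keeps it out of the process list; the `kdestroy` agreed below then also removes the credential cache a successful `kinit` leaves behind.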
Owner

nit: Should/Could we automatically delete these TGTs after authentication? I don't believe they are ever reused.
Author
Owner

Sure!

Added `kdestroy` below
oysteikt marked this conversation as resolved
oysteikt force-pushed mediawiki-on-bekkalokk from f0084c132e to d54e550b21 2024-04-01 01:36:15 +02:00 Compare
felixalb approved these changes 2024-04-01 01:55:53 +02:00
felixalb left a comment
Owner

Looks Groovy To Me 🚀
@ -0,0 +61,4 @@
}
throw new \SimpleSAML\Error\Error('WRONGUSERPASS');
}
/*
Owner

Cleanup: Remove commented block if not needed
oysteikt added 1 commit 2024-04-01 13:13:25 +02:00
Eval nix flake / evals (push) Failing after 1m45s Details
Eval nix flake / evals (pull_request) Failing after 1m54s Details
e4652a0c94
add snakeoil certs
oysteikt force-pushed mediawiki-on-bekkalokk from e4652a0c94 to b4437d4e44 2024-04-01 13:18:32 +02:00 Compare
oysteikt force-pushed mediawiki-on-bekkalokk from b4437d4e44 to 02f817145f 2024-04-01 13:21:11 +02:00 Compare
oysteikt added 1 commit 2024-04-01 18:20:42 +02:00
Eval nix flake / evals (push) Failing after 2m27s Details
Eval nix flake / evals (pull_request) Failing after 2m27s Details
503f27ae0c
rebase: certs nginx stuff
oysteikt force-pushed mediawiki-on-bekkalokk from 503f27ae0c to 16c4d6c8a1 2024-04-01 19:27:44 +02:00 Compare
oysteikt force-pushed mediawiki-on-bekkalokk from 16c4d6c8a1 to 66bc408908 2024-04-01 23:42:28 +02:00 Compare
oysteikt force-pushed mediawiki-on-bekkalokk from 66bc408908 to 014c9fd5b3 2024-04-01 23:50:47 +02:00 Compare
oysteikt force-pushed mediawiki-on-bekkalokk from 014c9fd5b3 to f5509cebf5 2024-04-01 23:51:31 +02:00 Compare
oysteikt force-pushed mediawiki-on-bekkalokk from f5509cebf5 to d531419f35 2024-04-01 23:57:48 +02:00 Compare
oysteikt merged commit 06bd93e5d1 into main 2024-04-02 00:00:24 +02:00