Drift/pvv-nixos-config
17
5
Fork 1
Code Issues Pull Requests 7 Actions Wiki Activity

bekkalokk: set up idp + mediawiki #25

Merged
oysteikt merged 7 commits from mediawiki-on-bekkalokk into main 2024-04-02 00:00:24 +02:00
Conversation 12 Commits 7 Files Changed 25 +5230 -204
oysteikt commented 2024-03-31 05:11:29 +02:00
Owner
Copy Link

🥳

I think this should be good enough to merge now, for testing purposes

AFAIK, both IDP and SP is safe and sound, and mediawiki is running a copy of the original wiki. (and probably safe as well :))))

Further work

# 🥳 I think this should be good enough to merge now, for testing purposes AFAIK, both IDP and SP is safe and sound, and mediawiki is running a copy of the original wiki. (and probably safe as well :)))) ### Further work - The idp is missing it's theme - mediawiki has an issue with funky files being served (https://wiki2.pvv.ntnu.no/composer.json), it should rather not
oysteikt added 7 commits 2024-03-31 05:11:29 +02:00
flake.nix: fix usage of common nixos module/overlay list 64c7e3e365
bekkalokk: set up kerberos client 1262bc7125
packages: init simplesamlphp 50df317a26
bekkalokk: package mediawiki extensions outside of module e0b3ce9378
bekkalokk: redirect bekkalokk.pvv.ntnu.no to git.pvv.ntnu.no 4c1966365b
bekkalokk: init idp-simplesamlphp 49a0b1a5f7
bekkalokk: init mediawiki
Some checks failed
Eval nix flake / evals (push) Failing after 1m40s
Details
Eval nix flake / evals (pull_request) Failing after 1m39s
Details
ce3aeb4e08 
Co-authored-by: Jørn Åne <yorinad@pvv.ntnu.no>
oysteikt requested review from danio 2024-03-31 05:11:44 +02:00
oysteikt requested review from felixalb 2024-03-31 05:11:44 +02:00
eirikwit reviewed 2024-03-31 11:25:52 +02:00
hosts/bekkalokk/services/mediawiki/default.nix Outdated
@@ -0,0 +164,4 @@
mode = "0770";
};
# Override because of https://github.com/NixOS/nixpkgs/issues/183097
eirikwit commented 2024-03-31 11:25:52 +02:00
Owner
Copy Link

The issue this mentions is fixed. Is this still needed?

The issue this mentions is fixed. Is this still needed?
👍 1
oysteikt commented 2024-03-31 15:26:27 +02:00
Author
Owner
Copy Link

Indeed not needed, will fix

Indeed not needed, will fix
oysteikt marked this conversation as resolved
danio approved these changes 2024-03-31 14:01:37 +02:00
hosts/bekkalokk/services/nginx/default.nix Outdated
@@ -19,0 +20,4 @@
virtualHosts."bekkalokk.pvv.ntnu.no" = {
enableACME = true;
forceSSL = true;
locations."/".return = "301 $scheme://git.pvv.ntnu.no$request_uri";
danio commented 2024-03-31 13:58:13 +02:00
Owner
Copy Link

Why are we doing this? Just as a catch to avoid serving some other random endpoint with the wrong certs?

Why are we doing this? Just as a catch to avoid serving some other random endpoint with the wrong certs?
oysteikt commented 2024-03-31 15:29:05 +02:00
Author
Owner
Copy Link

Initially, i was running mediawiki on bekkalokk.pvv.ntnu.no, but it was literally virtually impossible to debug because of bots (or maybe even humans?) trying to access the git instance on this domain. I set up a permanent redirect in hopes that they would get the point.

Initially, i was running mediawiki on `bekkalokk.pvv.ntnu.no`, but it was <s>literally</s> virtually impossible to debug because of bots (or maybe even humans?) trying to access the git instance on this domain. I set up a permanent redirect in hopes that they would get the point.
oysteikt commented 2024-04-01 00:41:48 +02:00
Author
Owner
Copy Link

Closing, assuming it's good?

Closing, assuming it's good?
oysteikt marked this conversation as resolved
packages/mediawiki-extensions/update-mediawiki-extensions.py Outdated
@@ -0,0 +1,66 @@
#!/usr/bin/env nix-shell
#!nix-shell -i python3 -p "python3.withPackages(ps: with ps; [ beautifulsoup4 requests ])"
danio commented 2024-03-31 13:59:13 +02:00
Owner
Copy Link

This is pretty funny, hekin web scraper

This is pretty funny, hekin web scraper
👍 1
danio marked this conversation as resolved
oysteikt reviewed 2024-03-31 15:29:43 +02:00
packages/heimdal/default.nix Outdated
@@ -0,0 +1,178 @@
{ lib
oysteikt commented 2024-03-31 15:29:43 +02:00
Author
Owner
Copy Link

Not needed, can source from pkgs-unstable

Not needed, can source from `pkgs-unstable`
oysteikt marked this conversation as resolved
oysteikt reviewed 2024-03-31 15:34:20 +02:00
hosts/bekkalokk/services/mediawiki/default.nix Outdated
@@ -0,0 +26,4 @@
--replace '$SAML_DATABASE_DSN' '"pgsql:host=postgres.pvv.ntnu.no;port=5432;dbname=mediawiki_simplesamlphp"' \
--replace '$SAML_DATABASE_USERNAME' '"mediawiki_simplesamlphp"' \
--replace '$SAML_DATABASE_PASSWORD' 'file_get_contents("${config.sops.secrets."mediawiki/simplesamlphp/postgres_password".path}")' \
--replace '$CACHE_DIRECTORY' '/var/cache/mediawiki/idp'
oysteikt commented 2024-03-31 15:34:20 +02:00
Author
Owner
Copy Link

It would be nice if we could find a better solution for this. Optimally it should

  • Use the upstream config as base
  • Override only specified options
  • Avoid writing a whole php parser in nix
  • Avoid maintaining a nixified copy of the upstream base config

Maybe it would be possible to use includes and some php magic to merge the two?

ping: @felixalb

It would be nice if we could find a better solution for this. Optimally it should - Use the upstream config as base - Override only specified options - Avoid writing a whole php parser in nix - Avoid maintaining a nixified copy of the upstream base config Maybe it would be possible to use includes and some php magic to merge the two? ping: @felixalb
oysteikt commented 2024-04-01 00:53:48 +02:00
Author
Owner
Copy Link

Leaving as future issue.

Leaving as future issue.
👀 1
oysteikt marked this conversation as resolved
oysteikt reviewed 2024-03-31 15:37:45 +02:00
hosts/bekkalokk/services/idp-simplesamlphp/default.nix Outdated
@@ -0,0 +100,4 @@
};
in
{
options.services.idp.sp-remote-metadata = lib.mkOption {
oysteikt commented 2024-03-31 15:37:45 +02:00
Author
Owner
Copy Link

Note for future:

This is cursed. simplesamlphp supports an extension that can autofetch metadata, but it requires edits to composer.json and the lockfile, which will have to be updated together with the project. Maybe it would be better to maintain this hash together with the package, and make sure to bump it whenever we bump the package version?

Note for future: This is *cursed*. simplesamlphp supports an [extension that can autofetch metadata](https://simplesamlphp.org/docs/contrib_modules/metarefresh/simplesamlphp-automated_metadata.html), but it requires edits to composer.json and the lockfile, which will have to be updated together with the project. Maybe it would be better to maintain this hash together with the package, and make sure to bump it whenever we bump the package version?
oysteikt commented 2024-04-01 00:46:29 +02:00
Author
Owner
Copy Link

Leaving as future issue

Leaving as future issue
oysteikt marked this conversation as resolved
oysteikt reviewed 2024-03-31 15:41:52 +02:00
hosts/bekkalokk/services/mediawiki/default.nix Outdated
@@ -0,0 +127,4 @@
"2x" => "/PNG/PVV-logo.png",
"icon" => "/PNG/PVV-logo.svg",
);
# wfLoadSkin('Timeless');
oysteikt commented 2024-03-31 15:41:52 +02:00
Author
Owner
Copy Link

yeet

yeet
oysteikt marked this conversation as resolved
oysteikt reviewed 2024-03-31 15:43:03 +02:00
hosts/bekkalokk/services/mediawiki/default.nix Outdated
@@ -0,0 +89,4 @@
"listen.owner" = listenUser;
"listen.group" = listenGroup;
"catch_workers_output" = true;
oysteikt commented 2024-03-31 15:43:03 +02:00
Author
Owner
Copy Link

Should we make some kind of services.mediawiki.debug: bool option? Or even debug.mediawiki: bool (as well as the other services)?

It's very nice to be able to remember how these options were set whenever we need to debug

Should we make some kind of `services.mediawiki.debug: bool` option? Or even `debug.mediawiki: bool` (as well as the other services)? It's very nice to be able to remember how these options were set whenever we need to debug
oysteikt commented 2024-04-01 00:46:02 +02:00
Author
Owner
Copy Link

Leaving these on for now, since they are considered test setups. Let's leave this as a future issue.

Leaving these on for now, since they are considered test setups. Let's leave this as a future issue.
oysteikt marked this conversation as resolved
oysteikt force-pushed mediawiki-on-bekkalokk from ce3aeb4e08 to f0084c132e 2024-04-01 00:41:07 +02:00 Compare
felixalb reviewed 2024-04-01 00:57:36 +02:00
hosts/bekkalokk/services/nginx/default.nix Outdated
@@ -17,2 +17,4 @@
recommendedOptimisation = true;
recommendedGzipSettings = true;
virtualHosts."bekkalokk.pvv.ntnu.no" = {
felixalb commented 2024-04-01 00:57:36 +02:00
Owner
Copy Link

Is Gitea a natural redirect here? I suggest using the main website (www.) instead.

Is Gitea a natural redirect here? I suggest using the main website (www.) instead.
oysteikt commented 2024-04-01 01:00:15 +02:00
Author
Owner
Copy Link

See @danio s comment. Up until now, this has been pointing at gitea, so bots (and possibly humans) are trying to access "bekkalokk.pvv.ntnu.no/Projects/<...>/ditt/datt", and filling up the nginx logs with errors, making it completely unreadable. I was hoping that making it a permanent redirect would make the bots change their urls or something

See @danio s comment. Up until now, this has been pointing at gitea, so bots (and possibly humans) are trying to access "bekkalokk.pvv.ntnu.no/Projects/<...>/ditt/datt", and filling up the nginx logs with errors, making it completely unreadable. I was hoping that making it a permanent redirect would make the bots change their urls or something
felixalb reviewed 2024-04-01 01:05:49 +02:00
hosts/bekkalokk/services/idp-simplesamlphp/authpwauth.php Outdated
@@ -0,0 +62,4 @@
throw new \SimpleSAML\Error\Error('WRONGUSERPASS');
}
/*
$ldap = ldap_connect('129.241.210.159', 389);
felixalb commented 2024-04-01 01:05:49 +02:00
Owner
Copy Link

Hardcoded IP address in our DHCP range?
What machine is it supposed to be referencing, the KDC or another LDAP host?

Hardcoded IP address in our DHCP range? What machine is it supposed to be referencing, the KDC or another LDAP host?
oysteikt commented 2024-04-01 01:11:43 +02:00
Author
Owner
Copy Link

Commented stuff from Yorn's days, no idea what the original host was. Presumably LDAP host, considering it's using ldap_connect with port 389

Commented stuff from Yorn's days, no idea what the original host was. Presumably LDAP host, considering it's using `ldap_connect` with port `389`
felixalb reviewed 2024-04-01 01:22:12 +02:00
hosts/bekkalokk/services/idp-simplesamlphp/authpwauth.php Outdated
@@ -0,0 +1,135 @@
<?php
felixalb commented 2024-04-01 01:22:12 +02:00
Owner
Copy Link

Many potentially spooky things in a file like this, but I haven't found any vulnerabilities through manual reviews, snyk or psalm, so I think it's good :)

Many potentially spooky things in a file like this, but I haven't found any vulnerabilities through manual reviews, snyk or psalm, so I think it's good :)
👍 1
oysteikt marked this conversation as resolved
felixalb reviewed 2024-04-01 01:24:12 +02:00
hosts/bekkalokk/services/idp-simplesamlphp/default.nix Outdated
@@ -0,0 +11,4 @@
read -r _
exit 2
fi
kinit --password-file=STDIN "''${user1}@PVV.NTNU.NO"
felixalb commented 2024-04-01 01:24:12 +02:00
Owner
Copy Link

nit: Should/Could we automatically delete these TGTs after authentication? I don't believe they are ever reused.

nit: Should/Could we automatically delete these TGTs after authentication? I don't believe they are ever reused.
oysteikt commented 2024-04-01 01:36:20 +02:00
Author
Owner
Copy Link

Sure!

Added kdestroy below

Sure! Added `kdestroy` below
oysteikt marked this conversation as resolved
oysteikt force-pushed mediawiki-on-bekkalokk from f0084c132e to d54e550b21 2024-04-01 01:36:15 +02:00 Compare
felixalb approved these changes 2024-04-01 01:55:53 +02:00
felixalb left a comment
Owner
Copy Link

Looks Groovy To Me 🚀

Looks Groovy To Me 🚀
hosts/bekkalokk/services/idp-simplesamlphp/authpwauth.php Outdated
@@ -0,0 +61,4 @@
}
throw new \SimpleSAML\Error\Error('WRONGUSERPASS');
}
/*
felixalb commented 2024-04-01 01:54:50 +02:00
Owner
Copy Link

Cleanup: Remove commented block if not needed

Cleanup: Remove commented block if not needed
oysteikt force-pushed mediawiki-on-bekkalokk from e4652a0c94 to b4437d4e44 2024-04-01 13:18:32 +02:00 Compare
oysteikt force-pushed mediawiki-on-bekkalokk from b4437d4e44 to 02f817145f 2024-04-01 13:21:11 +02:00 Compare
oysteikt force-pushed mediawiki-on-bekkalokk from 503f27ae0c to 16c4d6c8a1 2024-04-01 19:27:44 +02:00 Compare
oysteikt force-pushed mediawiki-on-bekkalokk from 16c4d6c8a1 to 66bc408908 2024-04-01 23:42:28 +02:00 Compare
oysteikt force-pushed mediawiki-on-bekkalokk from 66bc408908 to 014c9fd5b3 2024-04-01 23:50:47 +02:00 Compare
oysteikt force-pushed mediawiki-on-bekkalokk from 014c9fd5b3 to f5509cebf5 2024-04-01 23:51:31 +02:00 Compare
oysteikt force-pushed mediawiki-on-bekkalokk from f5509cebf5 to d531419f35 2024-04-01 23:57:48 +02:00 Compare
oysteikt merged commit 06bd93e5d1 into main 2024-04-02 00:00:24 +02:00
Sign in to join this conversation.
Reviewers
No Reviewers
eirikwit
danio
oysteikt
felixalb
Labels
Clear labels
art
The issue needs someone to be creative
 backup
big
No, not bug, **big** - this is gonna take a while
 blocked
This issue/PR depends on one or more other issues/PRs
 bug
Something is not working, and it's not the shield hero
 crash report
Report an oopsie
 disputed
kranglefanter
 documentation
Documentation changes required
 duplicate
This issue or pull request already exists
 enhancement
New feature
 good first issue
Get your hands dirty with a new project here
 logging
networking
TTM4100
 nixos
Requires changes to our nixos setup
 question
More information is needed
 salt
Requires changes to our salt setup
 security
Skommel
 servers n' hardware
Regards hardware, servers or VMs
 wontfix
This won't be fixed
No Label
Milestone
No items
No Milestone
Assignees
Clear assignees
adriangl albertba alfhj amalieem bjornoka chrisfjo chrivi danio davidk dungby eirikwit felixalb frero jonmro jovre karolds knuta krisleri larshhan oysteikt pederbs root torsteno yorinad
No Assignees
4 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: Drift/pvv-nixos-config#25
Delete Branch "mediawiki-on-bekkalokk"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?