bekkalokk: set up idp + mediawiki #25

Merged
oysteikt merged 7 commits from mediawiki-on-bekkalokk into main 2024-04-02 00:00:24 +02:00
Owner

🥳

I think this should be good enough to merge now, for testing purposes

AFAIK, both IDP and SP is safe and sound, and mediawiki is running a copy of the original wiki. (and probably safe as well :))))

Further work

# 🥳 I think this should be good enough to merge now, for testing purposes AFAIK, both IDP and SP is safe and sound, and mediawiki is running a copy of the original wiki. (and probably safe as well :)))) ### Further work - The idp is missing it's theme - mediawiki has an issue with funky files being served (https://wiki2.pvv.ntnu.no/composer.json), it should rather not
oysteikt added 7 commits 2024-03-31 05:11:29 +02:00
oysteikt requested review from danio 2024-03-31 05:11:44 +02:00
oysteikt requested review from felixalb 2024-03-31 05:11:44 +02:00
eirikwit reviewed 2024-03-31 11:25:52 +02:00
@ -0,0 +164,4 @@
mode = "0770";
};
# Override because of https://github.com/NixOS/nixpkgs/issues/183097
Owner

The issue this mentions is fixed. Is this still needed?

The issue this mentions is fixed. Is this still needed?
Author
Owner

Indeed not needed, will fix

Indeed not needed, will fix
oysteikt marked this conversation as resolved
danio approved these changes 2024-03-31 14:01:37 +02:00
@ -19,0 +20,4 @@
virtualHosts."bekkalokk.pvv.ntnu.no" = {
enableACME = true;
forceSSL = true;
locations."/".return = "301 $scheme://git.pvv.ntnu.no$request_uri";
Owner

Why are we doing this? Just as a catch to avoid serving some other random endpoint with the wrong certs?

Why are we doing this? Just as a catch to avoid serving some other random endpoint with the wrong certs?
Author
Owner

Initially, i was running mediawiki on bekkalokk.pvv.ntnu.no, but it was literally virtually impossible to debug because of bots (or maybe even humans?) trying to access the git instance on this domain. I set up a permanent redirect in hopes that they would get the point.

Initially, i was running mediawiki on `bekkalokk.pvv.ntnu.no`, but it was <s>literally</s> virtually impossible to debug because of bots (or maybe even humans?) trying to access the git instance on this domain. I set up a permanent redirect in hopes that they would get the point.
Author
Owner

Closing, assuming it's good?

Closing, assuming it's good?
oysteikt marked this conversation as resolved
@ -0,0 +1,66 @@
#!/usr/bin/env nix-shell
#!nix-shell -i python3 -p "python3.withPackages(ps: with ps; [ beautifulsoup4 requests ])"
Owner

This is pretty funny, hekin web scraper

This is pretty funny, hekin web scraper
danio marked this conversation as resolved
oysteikt reviewed 2024-03-31 15:29:43 +02:00
@ -0,0 +1,178 @@
{ lib
Author
Owner

Not needed, can source from pkgs-unstable

Not needed, can source from `pkgs-unstable`
oysteikt marked this conversation as resolved
oysteikt reviewed 2024-03-31 15:34:20 +02:00
@ -0,0 +26,4 @@
--replace '$SAML_DATABASE_DSN' '"pgsql:host=postgres.pvv.ntnu.no;port=5432;dbname=mediawiki_simplesamlphp"' \
--replace '$SAML_DATABASE_USERNAME' '"mediawiki_simplesamlphp"' \
--replace '$SAML_DATABASE_PASSWORD' 'file_get_contents("${config.sops.secrets."mediawiki/simplesamlphp/postgres_password".path}")' \
--replace '$CACHE_DIRECTORY' '/var/cache/mediawiki/idp'
Author
Owner

It would be nice if we could find a better solution for this. Optimally it should

  • Use the upstream config as base
  • Override only specified options
  • Avoid writing a whole php parser in nix
  • Avoid maintaining a nixified copy of the upstream base config

Maybe it would be possible to use includes and some php magic to merge the two?

ping: @felixalb

It would be nice if we could find a better solution for this. Optimally it should - Use the upstream config as base - Override only specified options - Avoid writing a whole php parser in nix - Avoid maintaining a nixified copy of the upstream base config Maybe it would be possible to use includes and some php magic to merge the two? ping: @felixalb
Author
Owner

Leaving as future issue.

Leaving as future issue.
oysteikt marked this conversation as resolved
oysteikt reviewed 2024-03-31 15:37:45 +02:00
@ -0,0 +100,4 @@
};
in
{
options.services.idp.sp-remote-metadata = lib.mkOption {
Author
Owner

Note for future:

This is cursed. simplesamlphp supports an extension that can autofetch metadata, but it requires edits to composer.json and the lockfile, which will have to be updated together with the project. Maybe it would be better to maintain this hash together with the package, and make sure to bump it whenever we bump the package version?

Note for future: This is *cursed*. simplesamlphp supports an [extension that can autofetch metadata](https://simplesamlphp.org/docs/contrib_modules/metarefresh/simplesamlphp-automated_metadata.html), but it requires edits to composer.json and the lockfile, which will have to be updated together with the project. Maybe it would be better to maintain this hash together with the package, and make sure to bump it whenever we bump the package version?
Author
Owner

Leaving as future issue

Leaving as future issue
oysteikt marked this conversation as resolved
oysteikt reviewed 2024-03-31 15:41:52 +02:00
@ -0,0 +127,4 @@
"2x" => "/PNG/PVV-logo.png",
"icon" => "/PNG/PVV-logo.svg",
);
# wfLoadSkin('Timeless');
Author
Owner

yeet

yeet
oysteikt marked this conversation as resolved
oysteikt reviewed 2024-03-31 15:43:03 +02:00
@ -0,0 +89,4 @@
"listen.owner" = listenUser;
"listen.group" = listenGroup;
"catch_workers_output" = true;
Author
Owner

Should we make some kind of services.mediawiki.debug: bool option? Or even debug.mediawiki: bool (as well as the other services)?

It's very nice to be able to remember how these options were set whenever we need to debug

Should we make some kind of `services.mediawiki.debug: bool` option? Or even `debug.mediawiki: bool` (as well as the other services)? It's very nice to be able to remember how these options were set whenever we need to debug
Author
Owner

Leaving these on for now, since they are considered test setups. Let's leave this as a future issue.

Leaving these on for now, since they are considered test setups. Let's leave this as a future issue.
oysteikt marked this conversation as resolved
oysteikt force-pushed mediawiki-on-bekkalokk from ce3aeb4e08 to f0084c132e 2024-04-01 00:41:07 +02:00 Compare
felixalb reviewed 2024-04-01 00:57:36 +02:00
@ -17,2 +17,4 @@
recommendedOptimisation = true;
recommendedGzipSettings = true;
virtualHosts."bekkalokk.pvv.ntnu.no" = {
Owner

Is Gitea a natural redirect here? I suggest using the main website (www.) instead.

Is Gitea a natural redirect here? I suggest using the main website (www.) instead.
Author
Owner

See @danio s comment. Up until now, this has been pointing at gitea, so bots (and possibly humans) are trying to access "bekkalokk.pvv.ntnu.no/Projects/<...>/ditt/datt", and filling up the nginx logs with errors, making it completely unreadable. I was hoping that making it a permanent redirect would make the bots change their urls or something

See @danio s comment. Up until now, this has been pointing at gitea, so bots (and possibly humans) are trying to access "bekkalokk.pvv.ntnu.no/Projects/<...>/ditt/datt", and filling up the nginx logs with errors, making it completely unreadable. I was hoping that making it a permanent redirect would make the bots change their urls or something
felixalb reviewed 2024-04-01 01:05:49 +02:00
@ -0,0 +62,4 @@
throw new \SimpleSAML\Error\Error('WRONGUSERPASS');
}
/*
$ldap = ldap_connect('129.241.210.159', 389);
Owner

Hardcoded IP address in our DHCP range?
What machine is it supposed to be referencing, the KDC or another LDAP host?

Hardcoded IP address in our DHCP range? What machine is it supposed to be referencing, the KDC or another LDAP host?
Author
Owner

Commented stuff from Yorn's days, no idea what the original host was. Presumably LDAP host, considering it's using ldap_connect with port 389

Commented stuff from Yorn's days, no idea what the original host was. Presumably LDAP host, considering it's using `ldap_connect` with port `389`
felixalb reviewed 2024-04-01 01:22:12 +02:00
@ -0,0 +1,135 @@
<?php
Owner

Many potentially spooky things in a file like this, but I haven't found any vulnerabilities through manual reviews, snyk or psalm, so I think it's good :)

Many potentially spooky things in a file like this, but I haven't found any vulnerabilities through manual reviews, snyk or psalm, so I think it's good :)
oysteikt marked this conversation as resolved
felixalb reviewed 2024-04-01 01:24:12 +02:00
@ -0,0 +11,4 @@
read -r _
exit 2
fi
kinit --password-file=STDIN "''${user1}@PVV.NTNU.NO"
Owner

nit: Should/Could we automatically delete these TGTs after authentication? I don't believe they are ever reused.

nit: Should/Could we automatically delete these TGTs after authentication? I don't believe they are ever reused.
Author
Owner

Sure!

Added kdestroy below

Sure! Added `kdestroy` below
oysteikt marked this conversation as resolved
oysteikt force-pushed mediawiki-on-bekkalokk from f0084c132e to d54e550b21 2024-04-01 01:36:15 +02:00 Compare
felixalb approved these changes 2024-04-01 01:55:53 +02:00
felixalb left a comment
Owner

Looks Groovy To Me 🚀

Looks Groovy To Me 🚀
@ -0,0 +61,4 @@
}
throw new \SimpleSAML\Error\Error('WRONGUSERPASS');
}
/*
Owner

Cleanup: Remove commented block if not needed

Cleanup: Remove commented block if not needed
oysteikt added 1 commit 2024-04-01 13:13:25 +02:00
add snakeoil certs
Some checks failed
Eval nix flake / evals (push) Failing after 1m45s
Eval nix flake / evals (pull_request) Failing after 1m54s
e4652a0c94
oysteikt force-pushed mediawiki-on-bekkalokk from e4652a0c94 to b4437d4e44 2024-04-01 13:18:32 +02:00 Compare
oysteikt force-pushed mediawiki-on-bekkalokk from b4437d4e44 to 02f817145f 2024-04-01 13:21:11 +02:00 Compare
oysteikt added 1 commit 2024-04-01 18:20:42 +02:00
rebase: certs nginx stuff
Some checks failed
Eval nix flake / evals (push) Failing after 2m27s
Eval nix flake / evals (pull_request) Failing after 2m27s
503f27ae0c
oysteikt force-pushed mediawiki-on-bekkalokk from 503f27ae0c to 16c4d6c8a1 2024-04-01 19:27:44 +02:00 Compare
oysteikt force-pushed mediawiki-on-bekkalokk from 16c4d6c8a1 to 66bc408908 2024-04-01 23:42:28 +02:00 Compare
oysteikt force-pushed mediawiki-on-bekkalokk from 66bc408908 to 014c9fd5b3 2024-04-01 23:50:47 +02:00 Compare
oysteikt force-pushed mediawiki-on-bekkalokk from 014c9fd5b3 to f5509cebf5 2024-04-01 23:51:31 +02:00 Compare
oysteikt force-pushed mediawiki-on-bekkalokk from f5509cebf5 to d531419f35 2024-04-01 23:57:48 +02:00 Compare
oysteikt merged commit 06bd93e5d1 into main 2024-04-02 00:00:24 +02:00
Sign in to join this conversation.
No description provided.