bekkalokk: set up idp + mediawiki #25
Reference: Drift/pvv-nixos-config#25
No description provided.
🥳
I think this should be good enough to merge now, for testing purposes
AFAIK, both IDP and SP are safe and sound, and mediawiki is running a copy of the original wiki. (and probably safe as well :))))
Further work
@ -0,0 +164,4 @@
mode = "0770";
};
# Override because of https://github.com/NixOS/nixpkgs/issues/183097
The issue this mentions is fixed. Is this still needed?
Indeed not needed, will fix
@ -19,0 +20,4 @@
virtualHosts."bekkalokk.pvv.ntnu.no" = {
enableACME = true;
forceSSL = true;
locations."/".return = "301 $scheme://git.pvv.ntnu.no$request_uri";
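Review bot: The 301 return on the last line has no comment saying why a host named bekkalokk sends every path to git.pvv.ntnu.no, so a later reader cannot tell whether it is safe to drop; add a one-line comment with the reason above it. With forceSSL = true on the same virtual host, only the HTTPS server block evaluates this location, so $scheme is always https here and the target can be written as https://git.pvv.ntnu.no$request_uri.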
Why are we doing this? Just as a catch to avoid serving some other random endpoint with the wrong certs?
Initially, I was running mediawiki on bekkalokk.pvv.ntnu.no, but it was literally virtually impossible to debug because of bots (or maybe even humans?) trying to access the git instance on this domain. I set up a permanent redirect in hopes that they would get the point.
Closing, assuming it's good?
@ -0,0 +1,66 @@
#!/usr/bin/env nix-shell
#!nix-shell -i python3 -p "python3.withPackages(ps: with ps; [ beautifulsoup4 requests ])"
This is pretty funny, hekin web scraper
@ -0,0 +1,178 @@
{ lib
Not needed, can source from pkgs-unstable
@ -0,0 +26,4 @@
--replace '$SAML_DATABASE_DSN' '"pgsql:host=postgres.pvv.ntnu.no;port=5432;dbname=mediawiki_simplesamlphp"' \
--replace '$SAML_DATABASE_USERNAME' '"mediawiki_simplesamlphp"' \
--replace '$SAML_DATABASE_PASSWORD' 'file_get_contents("${config.sops.secrets."mediawiki/simplesamlphp/postgres_password".path}")' \
--replace '$CACHE_DIRECTORY' '/var/cache/mediawiki/idp'
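Review bot: On the $SAML_DATABASE_PASSWORD line, file_get_contents() returns the secret file byte for byte, so a trailing newline in the sops secret becomes part of the password, and an unreadable file yields false rather than stopping the application. Wrap the call, for example rtrim(file_get_contents(...), "\n"), and fail explicitly when the result is false, so that a permissions problem on the secret path surfaces as a clear error instead of a failed PostgreSQL login. Keeping only the secret's path in the generated config, as this line does, is the right approach.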
It would be nice if we could find a better solution for this. Optimally it should
Maybe it would be possible to use includes and some php magic to merge the two?
ping: @felixalb
Leaving as future issue.
@ -0,0 +100,4 @@
};
in
{
options.services.idp.sp-remote-metadata = lib.mkOption {
Note for future:
This is cursed. simplesamlphp supports an extension that can autofetch metadata, but it requires edits to composer.json and the lockfile, which will have to be updated together with the project. Maybe it would be better to maintain this hash together with the package, and make sure to bump it whenever we bump the package version?
Leaving as future issue
@ -0,0 +127,4 @@
"2x" => "/PNG/PVV-logo.png",
"icon" => "/PNG/PVV-logo.svg",
);
# wfLoadSkin('Timeless');
yeet
@ -0,0 +89,4 @@
"listen.owner" = listenUser;
"listen.group" = listenGroup;
"catch_workers_output" = true;
Should we make some kind of services.mediawiki.debug: bool option? Or even debug.mediawiki: bool (as well as the other services)?
It's very nice to be able to remember how these options were set whenever we need to debug
Leaving these on for now, since they are considered test setups. Let's leave this as a future issue.
ce3aeb4e08 to f0084c132e
@ -17,2 +17,4 @@
recommendedOptimisation = true;
recommendedGzipSettings = true;
virtualHosts."bekkalokk.pvv.ntnu.no" = {
Is Gitea a natural redirect here? I suggest using the main website (www.) instead.
See @danio's comment. Up until now, this has been pointing at gitea, so bots (and possibly humans) are trying to access "bekkalokk.pvv.ntnu.no/Projects/<...>/ditt/datt", and filling up the nginx logs with errors, making it completely unreadable. I was hoping that making it a permanent redirect would make the bots change their urls or something
@ -0,0 +62,4 @@
throw new \SimpleSAML\Error\Error('WRONGUSERPASS');
}
/*
$ldap = ldap_connect('129.241.210.159', 389);
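Review bot: The commented-out ldap_connect('129.241.210.159', 389) keeps a literal IP address and the cleartext LDAP port inside an authentication source, and nothing in the visible lines shows TLS being negotiated. Delete the block rather than carrying it forward; if LDAP is ever needed again, take the host from configuration by name and use ldaps:// or StartTLS so that bind passwords do not cross the network in clear.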
Hardcoded IP address in our DHCP range?
What machine is it supposed to be referencing, the KDC or another LDAP host?
Commented stuff from Yorn's days, no idea what the original host was. Presumably LDAP host, considering it's using ldap_connect with port 389
@ -0,0 +1,135 @@
<?php
Many potentially spooky things in a file like this, but I haven't found any vulnerabilities through manual reviews, snyk or psalm, so I think it's good :)
@ -0,0 +11,4 @@
read -r _
exit 2
fi
kinit --password-file=STDIN "''${user1}@PVV.NTNU.NO"
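Review bot: On the kinit line, user1 is placed straight into the principal name and this hunk shows no check on its contents, so a value containing / or @ would be parsed as something other than a plain user in PVV.NTNU.NO. Validate user1 against a strict pattern before this line (for example letters, digits, underscore and hyphen, not starting with a hyphen) and exit non-zero otherwise. The ticket also lands in the default credential cache; setting KRB5CCNAME to a per-invocation cache would keep concurrent logins from sharing it.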
nit: Should/Could we automatically delete these TGTs after authentication? I don't believe they are ever reused.
Sure!
Added kdestroy below
f0084c132e to d54e550b21
Looks Groovy To Me 🚀
@ -0,0 +61,4 @@
}
throw new \SimpleSAML\Error\Error('WRONGUSERPASS');
}
/*
Cleanup: Remove commented block if not needed