{ pkgs, lib, config, values, pkgs-unstable, ... }: let cfg = config.services.mediawiki; # "mediawiki" user = config.systemd.services.mediawiki-init.serviceConfig.User; # "mediawiki" group = config.users.users.${user}.group; simplesamlphp = pkgs.simplesamlphp.override { authsourcesFile = ./simplesamlphp/authsources.php; saml20-idp-remoteFile = ./simplesamlphp/saml20-idp-remote.php; configFile = pkgs.runCommandLocal "mediawiki-simplesamlphp-config.php" { } '' cp ${./simplesamlphp/config.php} "$out" substituteInPlace "$out" \ --replace '$SAML_COOKIE_SECURE' 'true' \ --replace '$SAML_COOKIE_SALT' '"asdfasdfasjdf"' \ --replace '$SAML_ADMIN_PASSWORD' '"asdfasdfasdf"' \ --replace '$SAML_TRUSTED_DOMAINS' 'array( "wiki2.pvv.ntnu.no" )' ''; }; in { sops.secrets = { "mediawiki/password" = { restartUnits = [ "mediawiki-init.service" "phpfpm-mediawiki.service" ]; owner = user; group = group; }; "mediawiki/database" = { restartUnits = [ "mediawiki-init.service" "phpfpm-mediawiki.service" ]; owner = user; group = group; }; }; services.mediawiki = { enable = true; name = "Programvareverkstedet"; passwordFile = config.sops.secrets."mediawiki/password".path; passwordSender = "drift@pvv.ntnu.no"; database = { type = "postgres"; host = "postgres.pvv.ntnu.no"; port = config.services.postgresql.port; passwordFile = config.sops.secrets."mediawiki/database".path; createLocally = false; # TODO: create a normal database and copy over old data when the service is production ready name = "mediawiki_test"; }; # Host through nginx webserver = "none"; poolConfig = let listenUser = config.services.nginx.user; listenGroup = config.services.nginx.group; in { inherit user group; "pm" = "dynamic"; "pm.max_children" = 32; "pm.max_requests" = 500; "pm.start_servers" = 2; "pm.min_spare_servers" = 2; "pm.max_spare_servers" = 4; "listen.owner" = listenUser; "listen.group" = listenGroup; "env[PATH]" = lib.makeBinPath [ pkgs.php ]; "catch_workers_output" = true; "php_admin_flag[log_errors]" = true; # "php_admin_value[error_log]" = "stderr"; # to accept *.html file "security.limit_extensions" = ""; }; extensions = { inherit (pkgs.mediawiki-extensions) DeleteBatch UserMerge PluggableAuth SimpleSAMLphp; }; extraConfig = '' $wgServer = "https://wiki2.pvv.ntnu.no"; $wgLocaltimezone = "Europe/Oslo"; # Only allow login through SSO $wgEnableEmail = false; $wgEnableUserEmail = false; $wgEmailAuthentication = false; $wgGroupPermissions['*']['createaccount'] = false; $wgGroupPermissions['*']['autocreateaccount'] = true; $wgPluggableAuth_EnableAutoLogin = true; # Disable anonymous editing $wgGroupPermissions['*']['edit'] = false; # Styling $wgLogo = "/PNG/PVV-logo.png"; $wgDefaultSkin = "monobook"; # Misc $wgEmergencyContact = "${cfg.passwordSender}"; $wgShowIPinHeader = false; $wgUseTeX = false; $wgLocalInterwiki = $wgSitename; # SimpleSAML $wgSimpleSAMLphp_InstallDir = "${simplesamlphp}/share/php/simplesamlphp/"; $wgSimpleSAMLphp_AuthSourceId = "default-sp"; $wgSimpleSAMLphp_RealNameAttribute = "cn"; $wgSimpleSAMLphp_EmailAttribute = "mail"; $wgSimpleSAMLphp_UsernameAttribute = "uid"; $wgPluggableAuth_Config['Log in using my SAML'] = [ 'plugin' => 'SimpleSAMLphp', 'data' => [ 'authSourceId' => 'default-sp', ] ]; # Fix https://github.com/NixOS/nixpkgs/issues/183097 $wgDBserver = "${toString cfg.database.host}"; ''; }; # 'usernameAttribute' => 'username', # 'realNameAttribute' => 'name', # 'emailAttribute' => 'email' # Cache directory for simplesamlphp # systemd.services.phpfpm-mediawiki.serviceConfig.CacheDirectory = "mediawiki/simplesamlphp"; systemd.tmpfiles.settings."10-mediawiki"."/var/cache/mediawiki/simplesamlphp/core".d = { user = "mediawiki"; group = "mediawiki"; mode = "0770"; }; # Override because of https://github.com/NixOS/nixpkgs/issues/183097 systemd.services.mediawiki-init.script = let # According to module stateDir = "/var/lib/mediawiki"; pkg = cfg.finalPackage; mediawikiConfig = config.services.phpfpm.pools.mediawiki.phpEnv.MEDIAWIKI_CONFIG; inherit (lib) optionalString mkForce; in mkForce '' if ! test -e "${stateDir}/secret.key"; then tr -dc A-Za-z0-9 /dev/null | head -c 64 > ${stateDir}/secret.key fi echo "exit( wfGetDB( DB_MASTER )->tableExists( 'user' ) ? 1 : 0 );" | \ ${pkgs.php}/bin/php ${pkg}/share/mediawiki/maintenance/eval.php --conf ${mediawikiConfig} && \ ${pkgs.php}/bin/php ${pkg}/share/mediawiki/maintenance/install.php \ --confpath /tmp \ --scriptpath / \ --dbserver "${cfg.database.host}" \ --dbport ${toString cfg.database.port} \ --dbname ${cfg.database.name} \ ${optionalString (cfg.database.tablePrefix != null) "--dbprefix ${cfg.database.tablePrefix}"} \ --dbuser ${cfg.database.user} \ ${optionalString (cfg.database.passwordFile != null) "--dbpassfile ${cfg.database.passwordFile}"} \ --passfile ${cfg.passwordFile} \ --dbtype ${cfg.database.type} \ ${cfg.name} \ admin ${pkgs.php}/bin/php ${pkg}/share/mediawiki/maintenance/update.php --conf ${mediawikiConfig} --quick ''; services.nginx.virtualHosts."wiki2.pvv.ntnu.no" = { forceSSL = true; enableACME = true; root = "${config.services.mediawiki.finalPackage}/share/mediawiki"; locations = { "/" = { index = "index.php"; }; "~ /(.+\\.php)" = { extraConfig = '' fastcgi_split_path_info ^(.+\.php)(/.+)$; fastcgi_index index.php; fastcgi_pass unix:${config.services.phpfpm.pools.mediawiki.socket}; include ${pkgs.nginx}/conf/fastcgi_params; include ${pkgs.nginx}/conf/fastcgi.conf; ''; }; # based on https://simplesamlphp.org/docs/stable/simplesamlphp-install.html#configuring-nginx "^~ /simplesaml/" = { alias = "${simplesamlphp}/share/php/simplesamlphp/public/"; index = "index.php"; extraConfig = '' location ~ ^/simplesaml/(?.+?\.php)(?/.*)?$ { include ${pkgs.nginx}/conf/fastcgi_params; fastcgi_pass unix:${config.services.phpfpm.pools.mediawiki.socket}; fastcgi_param SCRIPT_FILENAME ${simplesamlphp}/share/php/simplesamlphp/public/$phpfile; # Must be prepended with the baseurlpath fastcgi_param SCRIPT_NAME /simplesaml/$phpfile; fastcgi_param PATH_INFO $pathinfo if_not_empty; } ''; }; "/images".root = config.services.mediawiki.uploadsDir; "= /PNG/PVV-logo.png".alias = ../../../../assets/logo_blue_regular.png; # Redirects from gitea "/Projects".return = "301 $scheme://git.pvv.ntnu.no$request_uri"; "^~ /Projects/(.+\\.php)".return = "301 $scheme://git.pvv.ntnu.no$request_uri"; "/oysteikt".return = "301 $scheme://git.pvv.ntnu.no$request_uri"; "/Drift".return = "301 $scheme://git.pvv.ntnu.no$request_uri"; "/felixalb".return = "301 $scheme://git.pvv.ntnu.no$request_uri"; "/adriangl".return = "301 $scheme://git.pvv.ntnu.no$request_uri"; "/danio".return = "301 $scheme://git.pvv.ntnu.no$request_uri"; "/pederbs".return = "301 $scheme://git.pvv.ntnu.no$request_uri"; "/jonmro".return = "301 $scheme://git.pvv.ntnu.no$request_uri"; "/explore".return = "301 $scheme://git.pvv.ntnu.no$request_uri"; }; }; }