diff --git a/hosts/bekkalokk/configuration.nix b/hosts/bekkalokk/configuration.nix index 795e0dbc..74595bca 100644 --- a/hosts/bekkalokk/configuration.nix +++ b/hosts/bekkalokk/configuration.nix @@ -12,7 +12,7 @@ # ./services/website.nix ./services/nginx.nix ./services/gitea/default.nix - # ./services/mediawiki.nix + ./services/mediawiki.nix ]; sops.defaultSopsFile = ../../secrets/bekkalokk/bekkalokk.yaml; diff --git a/hosts/bekkalokk/services/mediawiki.nix b/hosts/bekkalokk/services/mediawiki.nix index 1caea970..f0cfae95 100644 --- a/hosts/bekkalokk/services/mediawiki.nix +++ b/hosts/bekkalokk/services/mediawiki.nix @@ -7,17 +7,16 @@ # "mediawiki" group = config.users.users.${user}.group; in { - sops.secrets = { - "mediawiki/password" = { + sops.secrets = let + secret = opts: { restartUnits = [ "mediawiki-init.service" "phpfpm-mediawiki.service" ]; owner = user; group = group; - }; - "keys/postgres/mediawiki" = { - restartUnits = [ "mediawiki-init.service" "phpfpm-mediawiki.service" ]; - owner = user; - group = group; - }; + } // opts; + in { + "mediawiki/password" = secret { }; + "mediawiki/database" = secret { }; + "mediawiki/oidc/clientsecret" = secret { }; }; services.mediawiki = { @@ -27,13 +26,12 @@ in { passwordSender = "drift@pvv.ntnu.no"; database = { - type = "postgres"; - host = "postgres.pvv.ntnu.no"; - port = config.services.postgresql.port; - passwordFile = config.sops.secrets."keys/postgres/mediawiki".path; + type = "mysql"; + host = "mysql.pvv.ntnu.no"; createLocally = false; - # TODO: create a normal database and copy over old data when the service is production ready - name = "mediawiki_test"; + user = "bekkalokk_mediawiki_test"; + name = "bekkalokk_mediawiki_test"; + passwordFile = config.sops.secrets."mediawiki/database".path; }; # Host through nginx 
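Review bot: The `# TODO: create a normal database and copy over old data when the service is production ready` comment is dropped in the `database` block, yet `user` and `name` are still `bekkalokk_mediawiki_test`, so a reader can no longer tell whether the move to mysql is the final state or this is still a staging database. If the migration is still pending, keep a marker next to the new values, e.g. `# TODO: point at the production database once the old wiki data is copied over`. The `secret` helper merges `opts` last, which lets a caller override `owner`, `group` or `restartUnits`; that looks intentional but is worth a one-line comment since every secret currently passes `{ }`. The enclosing `services.mediawiki` attribute set continues past this hunk.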
@@ -42,70 +40,51 @@ in { listenUser = config.services.nginx.user; listenGroup = config.services.nginx.group; in { - inherit user group; + # Worker settings "pm" = "dynamic"; "pm.max_children" = 32; "pm.max_requests" = 500; "pm.start_servers" = 2; "pm.min_spare_servers" = 2; "pm.max_spare_servers" = 4; + + # Socket settings "listen.owner" = listenUser; "listen.group" = listenGroup; - "php_admin_value[error_log]" = "stderr"; - "php_admin_flag[log_errors]" = "on"; + + # Misc "env[PATH]" = lib.makeBinPath [ pkgs.php ]; - "catch_workers_output" = true; # to accept *.html file "security.limit_extensions" = ""; + inherit user group; + + # Debug logging + "catch_workers_output" = "yes"; + "php_flag[display_errors]" = "on"; + "php_admin_value[error_log]" = "stderr"; + "php_admin_flag[log_errors]" = "on"; }; extensions = { DeleteBatch = pkgs.fetchzip { - url = "https://extdist.wmflabs.org/dist/extensions/DeleteBatch-REL1_39-995ea6f.tar.gz"; - sha256 = "sha256-0F4GLCy2f5WcWIY2YgF1tVxgYbglR0VOsj/pMrW93b8="; + url = "https://extdist.wmflabs.org/dist/extensions/DeleteBatch-REL1_40-6852fb7.tar.gz"; + hash = "sha256-m6l8Cs6mFLu1qfovBFO2l8HhtYZXnpZkajWXNob2wbU="; }; UserMerge = pkgs.fetchzip { - url = "https://extdist.wmflabs.org/dist/extensions/UserMerge-REL1_39-b10d50e.tar.gz"; - sha256 = "sha256-bXhj1+OlOUJDbvEuc8iwqb1LLEu6cN6+C/7cAvnWPOQ="; + url = "https://extdist.wmflabs.org/dist/extensions/UserMerge-REL1_40-56f6dcf.tar.gz"; + hash = "sha256-zO7ti7fZPlJp3TXSJbYrXPRyElwO57zoU+RH7LBwVGU="; }; PluggableAuth = pkgs.fetchzip { - url = "https://extdist.wmflabs.org/dist/extensions/PluggableAuth-REL1_39-1210fc3.tar.gz"; - sha256 = "sha256-F6bTMCzkK3kZwZGIsNE87WlZWqXXmTMhEjApO99YKR0="; + url = "https://extdist.wmflabs.org/dist/extensions/PluggableAuth-REL1_40-8104ed9.tar.gz"; + hash = "sha256-fFz9+pJ/Ucdg340I/JWe4S/W05oVSfns9EF84rxN8yI="; }; - SimpleSAMLphp = pkgs.fetchzip { - url = "https://extdist.wmflabs.org/dist/extensions/SimpleSAMLphp-REL1_39-dcf0acb.tar.gz"; - sha256 = 
"sha256-tCvFmb2+q2rxms+lRo5pgoI3h6GjCwXAR8XisPg03TQ="; + OpenIDConnect = pkgs.fetchzip { + url = "https://extdist.wmflabs.org/dist/extensions/OpenIDConnect-REL1_40-3edc735.tar.gz"; + hash = "sha256-Osp4m2Sp9uGNt3QEmRsw0LA3KQCQzqJosgy3AFs11hY="; }; }; - extraConfig = let - - SimpleSAMLphpRepo = pkgs.stdenvNoCC.mkDerivation rec { - pname = "configuredSimpleSAML"; - version = "2.0.4"; - src = pkgs.fetchzip { - url = "https://github.com/simplesamlphp/simplesamlphp/releases/download/v${version}/simplesamlphp-${version}.tar.gz"; - sha256 = "sha256-pfMV/VmqqxgtG7Nx4s8MW4tWSaxOkVPtCRJwxV6RDSE="; - }; - - buildPhase = '' - cat > config/authsources.php << EOF - array( - 'saml:SP', - 'idp' => 'https://idp.pvv.ntnu.no/', - ), - ); - EOF - ''; - - installPhase = '' - cp -r . $out - ''; - }; - - in '' + extraConfig = '' $wgServer = "https://bekkalokk.pvv.ntnu.no"; $wgLocaltimezone = "Europe/Oslo"; 
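Review bot: `"php_flag[display_errors]" = "on"` under `# Debug logging` makes php-fpm write warnings and fatal-error traces, which normally include filesystem paths and can include request data, into the HTTP response of a host this same change publishes with ACME; `php_admin_value[error_log] = stderr` together with `log_errors` already captures them in the journal, so the flag should be `"php_flag[display_errors]" = "off";` for the public host, or gated on a debug option so it cannot reach production silently. Note also that `catch_workers_output` changed from the boolean `true` to the string `"yes"`; I believe both render to an accepted value in the generated pool file, but confirm rather than assume. The `poolConfig` attribute set starts before this hunk and the `extraConfig` string ends after it.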
@@ -115,61 +94,60 @@ in { $wgEmailAuthentication = false; $wgGroupPermissions['*']['createaccount'] = false; $wgGroupPermissions['*']['autocreateaccount'] = true; - $wgPluggableAuth_EnableAutoLogin = true; + $wgPluggableAuth_EnableAutoLogin = false; + + # SSO config + $wgPluggableAuth_Config[] = [ + 'plugin' => 'OpenIDConnect', + 'data' => [ + 'providerURL' => 'https://git.pvv.ntnu.no/login/oauth/authorize', + 'clientID' => 'be86ec39-d89c-4973-a163-633339539db2', + 'clientsecret' => file_get_contents('${config.sops.secrets."mediawiki/oidc/clientsecret".path}') + ] + ]; # Disable anonymous editing $wgGroupPermissions['*']['edit'] = false; # Styling - $wgLogo = "/PNG/PVV-logo.png"; + $wgLogos = [ + 'svg' => "${../../../assets/logo_blue_regular.svg}", + ]; $wgDefaultSkin = "monobook"; + # Enable debugging + error_reporting( -1 ); + ini_set( 'display_errors', 1 ); + # Misc $wgEmergencyContact = "${cfg.passwordSender}"; $wgShowIPinHeader = false; $wgUseTeX = false; $wgLocalInterwiki = $wgSitename; - # SimpleSAML - $wgSimpleSAMLphp_InstallDir = "${SimpleSAMLphpRepo}"; - $wgSimpleSAMLphp_AuthSourceId = "default-sp"; - $wgSimpleSAMLphp_RealNameAttribute = "cn"; - $wgSimpleSAMLphp_EmailAttribute = "mail"; - $wgSimpleSAMLphp_UsernameAttribute = "uid"; - # Fix https://github.com/NixOS/nixpkgs/issues/183097 $wgDBserver = "${toString cfg.database.host}"; ''; }; - # Override because of https://github.com/NixOS/nixpkgs/issues/183097 - systemd.services.mediawiki-init.script = let - # According to module - stateDir = "/var/lib/mediawiki"; - pkg = cfg.finalPackage; - mediawikiConfig = config.services.phpfpm.pools.mediawiki.phpEnv.MEDIAWIKI_CONFIG; - inherit (lib) optionalString mkForce; - in mkForce '' - if ! test -e "${stateDir}/secret.key"; then - tr -dc A-Za-z0-9 /dev/null | head -c 64 > ${stateDir}/secret.key - fi - - echo "exit( wfGetDB( DB_MASTER )->tableExists( 'user' ) ? 
1 : 0 );" | \ - ${pkgs.php}/bin/php ${pkg}/share/mediawiki/maintenance/eval.php --conf ${mediawikiConfig} && \ - ${pkgs.php}/bin/php ${pkg}/share/mediawiki/maintenance/install.php \ - --confpath /tmp \ - --scriptpath / \ - --dbserver "${cfg.database.host}" \ - --dbport ${toString cfg.database.port} \ - --dbname ${cfg.database.name} \ - ${optionalString (cfg.database.tablePrefix != null) "--dbprefix ${cfg.database.tablePrefix}"} \ - --dbuser ${cfg.database.user} \ - ${optionalString (cfg.database.passwordFile != null) "--dbpassfile ${cfg.database.passwordFile}"} \ - --passfile ${cfg.passwordFile} \ - --dbtype ${cfg.database.type} \ - ${cfg.name} \ - admin - - ${pkgs.php}/bin/php ${pkg}/share/mediawiki/maintenance/update.php --conf ${mediawikiConfig} --quick - ''; + # services.nginx.virtualHosts."wiki.pvv.ntnu.no" = { + services.nginx.virtualHosts."bekkalokk.pvv.ntnu.no" = { + forceSSL = true; + enableACME = true; + root = "${cfg.finalPackage}/share/mediawiki"; + locations = { + "/" = { + recommendedProxySettings = true; + extraConfig = '' + fastcgi_split_path_info ^(.+\.php)(/.+)$; + fastcgi_index index.php; + fastcgi_pass unix:${config.services.phpfpm.pools.mediawiki.socket}; + include ${pkgs.nginx}/conf/fastcgi_params; + include ${pkgs.nginx}/conf/fastcgi.conf; + ''; + }; + "/images".root = config.services.mediawiki.uploadsDir; + }; + + }; } diff --git a/secrets/bekkalokk/bekkalokk.yaml b/secrets/bekkalokk/bekkalokk.yaml index ca9dc315..a793d676 100644 --- a/secrets/bekkalokk/bekkalokk.yaml +++ b/secrets/bekkalokk/bekkalokk.yaml 
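Review bot: `'providerURL' => 'https://git.pvv.ntnu.no/login/oauth/authorize'` points at Gitea's authorize endpoint, but in the OpenIDConnect extension `providerURL` is the issuer base URL that the client uses for `.well-known/openid-configuration` discovery, so the login flow is likely to fail unless the REL1_40 extension accepts a full authorize URL here; for a Gitea instance the issuer is normally the site root, `'providerURL' => 'https://git.pvv.ntnu.no/'`, which is worth checking against the extension README before merging. Separately, `"/images".root = config.services.mediawiki.uploadsDir;` makes nginx resolve `/images/x` to `<uploadsDir>/images/x` because `root` appends the URI; unless `uploadsDir` itself ends in an `images` directory this wants `"/images".alias = config.services.mediawiki.uploadsDir;` (compare with the `$wgUploadPath` the nixpkgs module sets). Since the same hunk enables `enableACME = true` on `bekkalokk.pvv.ntnu.no`, the `error_reporting( -1 ); ini_set( 'display_errors', 1 );` block under `# Enable debugging` will print PHP errors with paths to anonymous visitors and overrides any php-fpm setting; it should be removed or gated on a debug option before the host is reachable.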
@@ -11,6 +11,8 @@ gitea: mediawiki: password: ENC[AES256_GCM,data:HsBuA1E7187roGnKuFPfPDYxA16GFjAUucgUtrdUFmcOzmTNiFH+NWY2ZQ==,iv:vDYUmmZftcrkDtJxNYKAJSx9j+AQcmQarC62QRHR4IM=,tag:3TKjNrGRivFWoK3djC748g==,type:str] database: ENC[AES256_GCM,data:EvVK3Mo6cZiIZS+gTxixU4r9SXN41VqwaWOtortZRNH+WPJ4xcYvzYMJNg==,iv:JtFTRLn3fzKIfgAPRqRgQjct7EdkEHtiyQKPy8/sZ2Q=,tag:nqzseG6BC0X5UNI/3kZZ3A==,type:str] + oidc: + clientsecret: ENC[AES256_GCM,data:bh016Qlijs5hoNY1iYsx6uEa5oEG9aX4T9BMiqnDRhSh7iVXpj9A6glcr8OGmWN7Om7yXE4AdlY=,iv:BnZjxbK6oB1eALx3RidpkwzU8xz1x0luwZC7ioqTjQE=,tag:HX8uUevimnAcqBH8NaMQXA==,type:str] keycloak: database: ENC[AES256_GCM,data:76+AZnNR5EiturTP7BdOCKE90bFFkfGlRtviSP5NHxPbb3RfFPJEMlwtzA==,iv:nS7VTossHdlrHjPeethhX+Ysp9ukrb5JD7kjG28OFpY=,tag:OMpiEv9nQA7v6lWJfNxEEw==,type:str] sops: @@ -46,8 +48,8 @@ sops: akVjeTNTeGorZjJQOVlMeCtPRUVYL3MK+VMvGxrbzGz4Q3sdaDDWjal+OiK+JYKX GHiMXVHQJZu/RrlxMjHKN6V3iaqxZpuvLAEJ2Lzy5EOHPtuiiRyeHQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-09-17T02:02:24Z" - mac: ENC[AES256_GCM,data:Lkvj9UOdE/WZtFReMs6n8ucFuJNPb76ZhPHFpYAEqYEe8d9FdMPMzq05DBAJe9IqpFS0jc9SWxJUPHfGgoMR8nPciZuR/mpJ+4s/cRkPbApwBPcLlvatE/qkbcxzoLlb1vN0gth5G/U7UEfk5Pp9gIz6Yo4sEIS3Za42tId1MpI=,iv:s3VELgU/RJ98/lbQV3vPtOLXtwFzB3KlY7bMKbAzp/g=,tag:D8s0XyGnd8UhbCseB/TyFg==,type:str] + lastmodified: "2023-09-17T21:12:05Z" + mac: ENC[AES256_GCM,data:wfq3FTwwJh2eHbw5PW32IEp4jWeSQLaBLJzrbgfXUPP8VuPK3Q7puQtchsQ3Xrv2+c9FI536luhwaUPfgn+/JE8rn8KEhabMPrX2lYMVH8I4OkCYEivpbWNfmm3gfNU2SrEFZ2jBBLLCWDgBAA7SfyApiQiyZ3qpJ2aZCfgaUoM=,iv:5/R2tnjiQ6BPgU+eAChm2EsWuGurqumnzl4pfjZclLw=,tag:xdECs8muNv9c/68IRbWzCw==,type:str] pgp: - created_at: "2023-05-21T00:28:40Z" enc: |