jonmro
/
pvv-nixos-config
forked from Drift/pvv-nixos-config
1
0
Fork 0
Code Pull Requests Activity

WIP

This commit is contained in:
Oystein Kristoffer Tveit 2023-09-17 23:18:16 +02:00
parent 5c529a0233
commit 68f4eca6e4
3 changed files with 77 additions and 97 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
hosts/bekkalokk/configuration.nix
View File

@ -12,7 +12,7 @@
# ./services/website.nix # ./services/website.nix
./services/nginx.nix ./services/nginx.nix
./services/gitea/default.nix ./services/gitea/default.nix
# ./services/mediawiki.nix ./services/mediawiki.nix
]; ];
sops.defaultSopsFile = ../../secrets/bekkalokk/bekkalokk.yaml; sops.defaultSopsFile = ../../secrets/bekkalokk/bekkalokk.yaml;

166
hosts/bekkalokk/services/mediawiki.nix
View File

@ -7,17 +7,16 @@
# "mediawiki" # "mediawiki"
group = config.users.users.${user}.group; group = config.users.users.${user}.group;
in { in {
sops.secrets = { sops.secrets = let
"mediawiki/password" = { secret = opts: {
restartUnits = [ "mediawiki-init.service" "phpfpm-mediawiki.service" ]; restartUnits = [ "mediawiki-init.service" "phpfpm-mediawiki.service" ];
owner = user; owner = user;
group = group; group = group;
}; } // opts;
"keys/postgres/mediawiki" = { in {
restartUnits = [ "mediawiki-init.service" "phpfpm-mediawiki.service" ]; "mediawiki/password" = secret { };
owner = user; "mediawiki/database" = secret { };
group = group; "mediawiki/oidc/clientsecret" = secret { };
};
}; };
services.mediawiki = { services.mediawiki = {
@ -27,13 +26,12 @@ in {
passwordSender = "drift@pvv.ntnu.no"; passwordSender = "drift@pvv.ntnu.no";
database = { database = {
type = "postgres"; type = "mysql";
host = "postgres.pvv.ntnu.no"; host = "mysql.pvv.ntnu.no";
port = config.services.postgresql.port;
passwordFile = config.sops.secrets."keys/postgres/mediawiki".path;
createLocally = false; createLocally = false;
# TODO: create a normal database and copy over old data when the service is production ready user = "bekkalokk_mediawiki_test";
name = "mediawiki_test"; name = "bekkalokk_mediawiki_test";
passwordFile = config.sops.secrets."mediawiki/database".path;
}; };
# Host through nginx # Host through nginx
@ -42,70 +40,51 @@ in {
listenUser = config.services.nginx.user; listenUser = config.services.nginx.user;
listenGroup = config.services.nginx.group; listenGroup = config.services.nginx.group;
in { in {
inherit user group; # Worker settings
"pm" = "dynamic"; "pm" = "dynamic";
"pm.max_children" = 32; "pm.max_children" = 32;
"pm.max_requests" = 500; "pm.max_requests" = 500;
"pm.start_servers" = 2; "pm.start_servers" = 2;
"pm.min_spare_servers" = 2; "pm.min_spare_servers" = 2;
"pm.max_spare_servers" = 4; "pm.max_spare_servers" = 4;
# Socket settings
"listen.owner" = listenUser; "listen.owner" = listenUser;
"listen.group" = listenGroup; "listen.group" = listenGroup;
"php_admin_value[error_log]" = "stderr";
"php_admin_flag[log_errors]" = "on"; # Misc
"env[PATH]" = lib.makeBinPath [ pkgs.php ]; "env[PATH]" = lib.makeBinPath [ pkgs.php ];
"catch_workers_output" = true;
# to accept *.html file # to accept *.html file
"security.limit_extensions" = ""; "security.limit_extensions" = "";
inherit user group;
# Debug logging
"catch_workers_output" = "yes";
"php_flag[display_errors]" = "on";
"php_admin_value[error_log]" = "stderr";
"php_admin_flag[log_errors]" = "on";
}; };
extensions = { extensions = {
DeleteBatch = pkgs.fetchzip { DeleteBatch = pkgs.fetchzip {
url = "https://extdist.wmflabs.org/dist/extensions/DeleteBatch-REL1_39-995ea6f.tar.gz"; url = "https://extdist.wmflabs.org/dist/extensions/DeleteBatch-REL1_40-6852fb7.tar.gz";
sha256 = "sha256-0F4GLCy2f5WcWIY2YgF1tVxgYbglR0VOsj/pMrW93b8="; hash = "sha256-m6l8Cs6mFLu1qfovBFO2l8HhtYZXnpZkajWXNob2wbU=";
}; };
UserMerge = pkgs.fetchzip { UserMerge = pkgs.fetchzip {
url = "https://extdist.wmflabs.org/dist/extensions/UserMerge-REL1_39-b10d50e.tar.gz"; url = "https://extdist.wmflabs.org/dist/extensions/UserMerge-REL1_40-56f6dcf.tar.gz";
sha256 = "sha256-bXhj1+OlOUJDbvEuc8iwqb1LLEu6cN6+C/7cAvnWPOQ="; hash = "sha256-zO7ti7fZPlJp3TXSJbYrXPRyElwO57zoU+RH7LBwVGU=";
}; };
PluggableAuth = pkgs.fetchzip { PluggableAuth = pkgs.fetchzip {
url = "https://extdist.wmflabs.org/dist/extensions/PluggableAuth-REL1_39-1210fc3.tar.gz"; url = "https://extdist.wmflabs.org/dist/extensions/PluggableAuth-REL1_40-8104ed9.tar.gz";
sha256 = "sha256-F6bTMCzkK3kZwZGIsNE87WlZWqXXmTMhEjApO99YKR0="; hash = "sha256-fFz9+pJ/Ucdg340I/JWe4S/W05oVSfns9EF84rxN8yI=";
}; };
SimpleSAMLphp = pkgs.fetchzip { OpenIDConnect = pkgs.fetchzip {
url = "https://extdist.wmflabs.org/dist/extensions/SimpleSAMLphp-REL1_39-dcf0acb.tar.gz"; url = "https://extdist.wmflabs.org/dist/extensions/OpenIDConnect-REL1_40-3edc735.tar.gz";
sha256 = "sha256-tCvFmb2+q2rxms+lRo5pgoI3h6GjCwXAR8XisPg03TQ="; hash = "sha256-Osp4m2Sp9uGNt3QEmRsw0LA3KQCQzqJosgy3AFs11hY=";
}; };
}; };
extraConfig = let extraConfig = ''
SimpleSAMLphpRepo = pkgs.stdenvNoCC.mkDerivation rec {
pname = "configuredSimpleSAML";
version = "2.0.4";
src = pkgs.fetchzip {
url = "https://github.com/simplesamlphp/simplesamlphp/releases/download/v${version}/simplesamlphp-${version}.tar.gz";
sha256 = "sha256-pfMV/VmqqxgtG7Nx4s8MW4tWSaxOkVPtCRJwxV6RDSE=";
};
buildPhase = ''
cat > config/authsources.php << EOF
<?php
$config = array(
'default-sp' => array(
'saml:SP',
'idp' => 'https://idp.pvv.ntnu.no/',
),
);
EOF
'';
installPhase = ''
cp -r . $out
'';
};
in ''
$wgServer = "https://bekkalokk.pvv.ntnu.no"; $wgServer = "https://bekkalokk.pvv.ntnu.no";
$wgLocaltimezone = "Europe/Oslo"; $wgLocaltimezone = "Europe/Oslo";
@ -115,61 +94,60 @@ in {
$wgEmailAuthentication = false; $wgEmailAuthentication = false;
$wgGroupPermissions['*']['createaccount'] = false; $wgGroupPermissions['*']['createaccount'] = false;
$wgGroupPermissions['*']['autocreateaccount'] = true; $wgGroupPermissions['*']['autocreateaccount'] = true;
$wgPluggableAuth_EnableAutoLogin = true; $wgPluggableAuth_EnableAutoLogin = false;
# SSO config
$wgPluggableAuth_Config[] = [
'plugin' => 'OpenIDConnect',
'data' => [
'providerURL' => 'https://git.pvv.ntnu.no/login/oauth/authorize',
'clientID' => 'be86ec39-d89c-4973-a163-633339539db2',
'clientsecret' => file_get_contents('${config.sops.secrets."mediawiki/oidc/clientsecret".path}')
]
];
# Disable anonymous editing # Disable anonymous editing
$wgGroupPermissions['*']['edit'] = false; $wgGroupPermissions['*']['edit'] = false;
# Styling # Styling
$wgLogo = "/PNG/PVV-logo.png"; $wgLogos = [
'svg' => "${../../../assets/logo_blue_regular.svg}",
];
$wgDefaultSkin = "monobook"; $wgDefaultSkin = "monobook";
# Enable debugging
error_reporting( -1 );
ini_set( 'display_errors', 1 );
# Misc # Misc
$wgEmergencyContact = "${cfg.passwordSender}"; $wgEmergencyContact = "${cfg.passwordSender}";
$wgShowIPinHeader = false; $wgShowIPinHeader = false;
$wgUseTeX = false; $wgUseTeX = false;
$wgLocalInterwiki = $wgSitename; $wgLocalInterwiki = $wgSitename;
# SimpleSAML
$wgSimpleSAMLphp_InstallDir = "${SimpleSAMLphpRepo}";
$wgSimpleSAMLphp_AuthSourceId = "default-sp";
$wgSimpleSAMLphp_RealNameAttribute = "cn";
$wgSimpleSAMLphp_EmailAttribute = "mail";
$wgSimpleSAMLphp_UsernameAttribute = "uid";
# Fix https://github.com/NixOS/nixpkgs/issues/183097 # Fix https://github.com/NixOS/nixpkgs/issues/183097
$wgDBserver = "${toString cfg.database.host}"; $wgDBserver = "${toString cfg.database.host}";
''; '';
}; };
# Override because of https://github.com/NixOS/nixpkgs/issues/183097 # services.nginx.virtualHosts."wiki.pvv.ntnu.no" = {
systemd.services.mediawiki-init.script = let services.nginx.virtualHosts."bekkalokk.pvv.ntnu.no" = {
# According to module forceSSL = true;
stateDir = "/var/lib/mediawiki"; enableACME = true;
pkg = cfg.finalPackage; root = "${cfg.finalPackage}/share/mediawiki";
mediawikiConfig = config.services.phpfpm.pools.mediawiki.phpEnv.MEDIAWIKI_CONFIG; locations = {
inherit (lib) optionalString mkForce; "/" = {
in mkForce '' recommendedProxySettings = true;
if ! test -e "${stateDir}/secret.key"; then extraConfig = ''
tr -dc A-Za-z0-9 </dev/urandom 2>/dev/null | head -c 64 > ${stateDir}/secret.key fastcgi_split_path_info ^(.+\.php)(/.+)$;
fi fastcgi_index index.php;
fastcgi_pass unix:${config.services.phpfpm.pools.mediawiki.socket};
echo "exit( wfGetDB( DB_MASTER )->tableExists( 'user' ) ? 1 : 0 );" | \ include ${pkgs.nginx}/conf/fastcgi_params;
${pkgs.php}/bin/php ${pkg}/share/mediawiki/maintenance/eval.php --conf ${mediawikiConfig} && \ include ${pkgs.nginx}/conf/fastcgi.conf;
${pkgs.php}/bin/php ${pkg}/share/mediawiki/maintenance/install.php \ '';
--confpath /tmp \ };
--scriptpath / \ "/images".root = config.services.mediawiki.uploadsDir;
--dbserver "${cfg.database.host}" \ };
--dbport ${toString cfg.database.port} \
--dbname ${cfg.database.name} \ };
${optionalString (cfg.database.tablePrefix != null) "--dbprefix ${cfg.database.tablePrefix}"} \
--dbuser ${cfg.database.user} \
${optionalString (cfg.database.passwordFile != null) "--dbpassfile ${cfg.database.passwordFile}"} \
--passfile ${cfg.passwordFile} \
--dbtype ${cfg.database.type} \
${cfg.name} \
admin
${pkgs.php}/bin/php ${pkg}/share/mediawiki/maintenance/update.php --conf ${mediawikiConfig} --quick
'';
} }

6
secrets/bekkalokk/bekkalokk.yaml
View File

@ -11,6 +11,8 @@ gitea:
mediawiki: mediawiki:
password: ENC[AES256_GCM,data:HsBuA1E7187roGnKuFPfPDYxA16GFjAUucgUtrdUFmcOzmTNiFH+NWY2ZQ==,iv:vDYUmmZftcrkDtJxNYKAJSx9j+AQcmQarC62QRHR4IM=,tag:3TKjNrGRivFWoK3djC748g==,type:str] password: ENC[AES256_GCM,data:HsBuA1E7187roGnKuFPfPDYxA16GFjAUucgUtrdUFmcOzmTNiFH+NWY2ZQ==,iv:vDYUmmZftcrkDtJxNYKAJSx9j+AQcmQarC62QRHR4IM=,tag:3TKjNrGRivFWoK3djC748g==,type:str]
database: ENC[AES256_GCM,data:EvVK3Mo6cZiIZS+gTxixU4r9SXN41VqwaWOtortZRNH+WPJ4xcYvzYMJNg==,iv:JtFTRLn3fzKIfgAPRqRgQjct7EdkEHtiyQKPy8/sZ2Q=,tag:nqzseG6BC0X5UNI/3kZZ3A==,type:str] database: ENC[AES256_GCM,data:EvVK3Mo6cZiIZS+gTxixU4r9SXN41VqwaWOtortZRNH+WPJ4xcYvzYMJNg==,iv:JtFTRLn3fzKIfgAPRqRgQjct7EdkEHtiyQKPy8/sZ2Q=,tag:nqzseG6BC0X5UNI/3kZZ3A==,type:str]
oidc:
clientsecret: ENC[AES256_GCM,data:bh016Qlijs5hoNY1iYsx6uEa5oEG9aX4T9BMiqnDRhSh7iVXpj9A6glcr8OGmWN7Om7yXE4AdlY=,iv:BnZjxbK6oB1eALx3RidpkwzU8xz1x0luwZC7ioqTjQE=,tag:HX8uUevimnAcqBH8NaMQXA==,type:str]
keycloak: keycloak:
database: ENC[AES256_GCM,data:76+AZnNR5EiturTP7BdOCKE90bFFkfGlRtviSP5NHxPbb3RfFPJEMlwtzA==,iv:nS7VTossHdlrHjPeethhX+Ysp9ukrb5JD7kjG28OFpY=,tag:OMpiEv9nQA7v6lWJfNxEEw==,type:str] database: ENC[AES256_GCM,data:76+AZnNR5EiturTP7BdOCKE90bFFkfGlRtviSP5NHxPbb3RfFPJEMlwtzA==,iv:nS7VTossHdlrHjPeethhX+Ysp9ukrb5JD7kjG28OFpY=,tag:OMpiEv9nQA7v6lWJfNxEEw==,type:str]
sops: sops:
@ -46,8 +48,8 @@ sops:
akVjeTNTeGorZjJQOVlMeCtPRUVYL3MK+VMvGxrbzGz4Q3sdaDDWjal+OiK+JYKX akVjeTNTeGorZjJQOVlMeCtPRUVYL3MK+VMvGxrbzGz4Q3sdaDDWjal+OiK+JYKX
GHiMXVHQJZu/RrlxMjHKN6V3iaqxZpuvLAEJ2Lzy5EOHPtuiiRyeHQ== GHiMXVHQJZu/RrlxMjHKN6V3iaqxZpuvLAEJ2Lzy5EOHPtuiiRyeHQ==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2023-09-17T02:02:24Z" lastmodified: "2023-09-17T21:12:05Z"
mac: ENC[AES256_GCM,data:Lkvj9UOdE/WZtFReMs6n8ucFuJNPb76ZhPHFpYAEqYEe8d9FdMPMzq05DBAJe9IqpFS0jc9SWxJUPHfGgoMR8nPciZuR/mpJ+4s/cRkPbApwBPcLlvatE/qkbcxzoLlb1vN0gth5G/U7UEfk5Pp9gIz6Yo4sEIS3Za42tId1MpI=,iv:s3VELgU/RJ98/lbQV3vPtOLXtwFzB3KlY7bMKbAzp/g=,tag:D8s0XyGnd8UhbCseB/TyFg==,type:str] mac: ENC[AES256_GCM,data:wfq3FTwwJh2eHbw5PW32IEp4jWeSQLaBLJzrbgfXUPP8VuPK3Q7puQtchsQ3Xrv2+c9FI536luhwaUPfgn+/JE8rn8KEhabMPrX2lYMVH8I4OkCYEivpbWNfmm3gfNU2SrEFZ2jBBLLCWDgBAA7SfyApiQiyZ3qpJ2aZCfgaUoM=,iv:5/R2tnjiQ6BPgU+eAChm2EsWuGurqumnzl4pfjZclLw=,tag:xdECs8muNv9c/68IRbWzCw==,type:str]
pgp: pgp:
- created_at: "2023-05-21T00:28:40Z" - created_at: "2023-05-21T00:28:40Z"
enc: | enc: |