diff --git a/hosts/bekkalokk/configuration.nix b/hosts/bekkalokk/configuration.nix
index 358c43eb..d08c91fa 100644
--- a/hosts/bekkalokk/configuration.nix
+++ b/hosts/bekkalokk/configuration.nix
@@ -13,7 +13,7 @@
 ./services/nginx.nix
 ./services/gitea/default.nix
 ./services/webmail
-# ./services/mediawiki.nix
+./services/mediawiki.nix
 ];
 
 sops.defaultSopsFile = ../../secrets/bekkalokk/bekkalokk.yaml;
diff --git a/hosts/bekkalokk/services/mediawiki.nix b/hosts/bekkalokk/services/mediawiki.nix
index 1caea970..ee751999 100644
--- a/hosts/bekkalokk/services/mediawiki.nix
+++ b/hosts/bekkalokk/services/mediawiki.nix
@@ -1,4 +1,4 @@
-{ pkgs, lib, config, values, ... }: let
+{ pkgs, lib, config, values, pkgs-unstable, ... }: let
 cfg = config.services.mediawiki;
 
 # "mediawiki"
@@ -13,7 +13,7 @@ in {
 owner = user;
 group = group;
 };
-"keys/postgres/mediawiki" = {
+"mediawiki/database" = {
 restartUnits = [ "mediawiki-init.service" "phpfpm-mediawiki.service" ];
 owner = user;
 group = group;
@@ -30,7 +30,7 @@ in {
 type = "postgres";
 host = "postgres.pvv.ntnu.no";
 port = config.services.postgresql.port;
-passwordFile = config.sops.secrets."keys/postgres/mediawiki".path;
+passwordFile = config.sops.secrets."mediawiki/database".path;
 createLocally = false; # TODO: create a normal database and copy over old data when the service is production ready
 name = "mediawiki_test";
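Review bot: Re-enabling `./services/mediawiki.nix` switches the service on for this host while the same commit's database block still uses `name = "mediawiki_test"` under a TODO stating the service is not production ready (hunk at line 30 of mediawiki.nix). If a staging deployment is the intent, a one-line comment next to the import, e.g. `./services/mediawiki.nix # test deployment, see TODO in services/mediawiki.nix`, would make that explicit; otherwise the database migration named in that TODO should land before the import is enabled.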
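Review bot: The sops key is renamed from `keys/postgres/mediawiki` to `mediawiki/database` here and in the `passwordFile` hunk at line 30, but the encrypted `secrets/bekkalokk/bekkalokk.yaml` that `sops.defaultSopsFile` points at is not part of this diff. Unless the key was moved in that file separately, `config.sops.secrets."mediawiki/database".path` will name a secret sops cannot provide at activation, and `mediawiki-init.service` would start without a database password. A comment on the declaration naming the expected YAML location, e.g. `# stored under mediawiki.database in this host's sops file`, would make the coupling visible; confirming the rename landed in the secrets file is the main thing to check.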
@@ -61,35 +61,45 @@ in {
 extensions = {
 DeleteBatch = pkgs.fetchzip {
-url = "https://extdist.wmflabs.org/dist/extensions/DeleteBatch-REL1_39-995ea6f.tar.gz";
-sha256 = "sha256-0F4GLCy2f5WcWIY2YgF1tVxgYbglR0VOsj/pMrW93b8=";
+name = "mediawiki-delete-batch-source";
+url = "https://extdist.wmflabs.org/dist/extensions/DeleteBatch-REL1_40-4fe36dc.tar.gz";
+hash = "sha256-jmRkjHFQR9cjPr1eBHVDLHm0xO4OPn9HYiYwrkBT/aA=";
 };
 UserMerge = pkgs.fetchzip {
-url = "https://extdist.wmflabs.org/dist/extensions/UserMerge-REL1_39-b10d50e.tar.gz";
-sha256 = "sha256-bXhj1+OlOUJDbvEuc8iwqb1LLEu6cN6+C/7cAvnWPOQ=";
+name = "mediawiki-user-merge-source";
+url = "https://extdist.wmflabs.org/dist/extensions/UserMerge-REL1_40-7407806.tar.gz";
+hash = "sha256-NHAw79pDxjia46J5DIGV9AoF9UazSahT8DZgUUn/pQE=";
 };
 PluggableAuth = pkgs.fetchzip {
-url = "https://extdist.wmflabs.org/dist/extensions/PluggableAuth-REL1_39-1210fc3.tar.gz";
-sha256 = "sha256-F6bTMCzkK3kZwZGIsNE87WlZWqXXmTMhEjApO99YKR0=";
+name = "mediawiki-pluggable-auth-source";
+url = "https://extdist.wmflabs.org/dist/extensions/PluggableAuth-REL1_40-eb10a76.tar.gz";
+hash = "sha256-GFmtQc0SeBpvI+7iHOVw77JR2h+hwPxo8+wZ9RED8a8=";
 };
 SimpleSAMLphp = pkgs.fetchzip {
-url = "https://extdist.wmflabs.org/dist/extensions/SimpleSAMLphp-REL1_39-dcf0acb.tar.gz";
-sha256 = "sha256-tCvFmb2+q2rxms+lRo5pgoI3h6GjCwXAR8XisPg03TQ=";
+name = "mediawiki-simple-saml-php-source";
+url = "https://extdist.wmflabs.org/dist/extensions/SimpleSAMLphp-REL1_40-8043943.tar.gz";
+hash = "sha256-HJHcrv/FNqPJegrHo4VPVjw0alkyHwetFZiLwjHsf6Y=";
 };
 };
 extraConfig = let
-
-SimpleSAMLphpRepo = pkgs.stdenvNoCC.mkDerivation rec {
+SimpleSAMLphpRepo = pkgs-unstable.php.buildComposerProject rec {
 pname = "configuredSimpleSAML";
-version = "2.0.4";
-src = pkgs.fetchzip {
-url = "https://github.com/simplesamlphp/simplesamlphp/releases/download/v${version}/simplesamlphp-${version}.tar.gz";
-sha256 = "sha256-pfMV/VmqqxgtG7Nx4s8MW4tWSaxOkVPtCRJwxV6RDSE=";
+version = "2.1.0-rc1";
+src = pkgs.fetchFromGitHub {
+owner = "simplesamlphp";
+repo = "simplesamlphp";
+# name = "simple-saml-php-source";
+# url = "https://github.com/simplesamlphp/simplesamlphp/releases/download/v${version}/simplesamlphp-${version}.tar.gz";
+rev = "v${version}";
+hash = "sha256-E7S6T/EfuhNbe697OiklZ77wMRkOb/ABJXoL5MphMCY=";
 };
-buildPhase = ''
-cat > config/authsources.php << EOF
+composerStrictValidation = false;
+
+vendorHash = "sha256-vr9mWXN9v6tGNvPtxQ+pgf7OYj8dedzWfxt6Xw1nCm0=";
+
+configAuthsourcesPhp = ''
 array(
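Review bot: `version = "2.1.0-rc1"` pins the SAML service-provider library that validates the wiki's login assertions to a release candidate, while the rest of the hunk moves the MediaWiki extensions to the stable REL1_40 branch; unless something in 2.1.0-rc1 is required for `buildComposerProject` to work, the latest stable tag is the safer pin, and whichever is chosen the reason deserves a comment such as `# rc pinned because <reason>`. The two commented-out `# name` / `# url` lines inside the `fetchFromGitHub` block are dead after the switch to `rev`/`hash` and should be dropped. The REL1_40 extension tarballs must match the major version of the MediaWiki package actually in use, which is not visible in this diff and is worth confirming. The `SimpleSAMLphpRepo` derivation continues past the end of this hunk.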
@@ -97,11 +107,51 @@ in {
 'idp' => 'https://idp.pvv.ntnu.no/',
 ),
 );
-EOF
-'';
+'';
 
-installPhase = ''
-cp -r . $out
+# TODO: this could be fetched automagically with these:
+# - https://simplesamlphp.org/docs/contrib_modules/metarefresh/simplesamlphp-automated_metadata.html
+# - https://idp.pvv.ntnu.no/simplesaml/saml2/idp/metadata.php
+metadataSaml20IdpRemotePhp = ''
+'saml20-idp-remote',
+'entityid' => 'https://idp.pvv.ntnu.no/',
+'SingleSignOnService' =>
+array (
+0 =>
+array (
+'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
+'Location' => 'https://idp.pvv.ntnu.no/simplesaml/saml2/idp/SSOService.php',
+),
+),
+'SingleLogoutService' =>
+array (
+0 =>
+array (
+'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
+'Location' => 'https://idp.pvv.ntnu.no/simplesaml/saml2/idp/SingleLogoutService.php',
+),
+),
+'certData' => 'pvvcert.pem',
+'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient',
+);
+'';
+
+pvvcert = ''
+
MIIDpTCCAo2gAwIBAgIJAJIgibrB7NvsMA0GCSqGSIb3DQEBCwUAMGkxCzAJBgNVBAYTAk5PMR4wHAYDVQQKDBVQcm9ncmFtdmFyZXZlcmtzdGVkZXQxGDAWBgNVBAMMD2lkcC5wdnYubnRudS5ubzEgMB4GCSqGSIb3DQEJARYRZHJpZnRAcHZ2Lm50bnUubm8wHhcNMTcxMTEzMjI0NTQyWhcNMjcxMTEzMjI0NTQyWjBpMQswCQYDVQQGEwJOTzEeMBwGA1UECgwVUHJvZ3JhbXZhcmV2ZXJrc3RlZGV0MRgwFgYDVQQDDA9pZHAucHZ2Lm50bnUubm8xIDAeBgkqhkiG9w0BCQEWEWRyaWZ0QHB2di5udG51Lm5vMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAveLujCsgVCRA360y5yezy8FcSPhaqodggDqY12UTkYOMQLBFaph6uUL4oCUlXZqxScrAYVRt9yw+7BYpcm0p51VZzVCsfMxRVkn+O1eUvsaXq3f13f87QHKYP2f0uqkGf5PvnKIdSaI/ix8WJhD8XT+h0OkHEcaBvUtSG7zbEhvG21WPHwgw2rvZSneArQ8tOitZC0u8VXSfdhtf6ynRseo0xC95634UwQAZivhQ2v4A6Tp57QG5DCXIJ9/z3PkINx3KB/hOeh0EP6Dpbp+7V0/t9778E3whpm4llrH144kzROhA7EgUgkZOjAVjxGCYlcj3xQPnnItihVOZ5B5qLwIDAQABo1AwTjAdBgNVHQ4EFgQUPLhrB+Qb/Kzz7Car9GJkKmEkz6swHwYDVR0jBBgwFoAUPLhrB+Qb/Kzz7Car9GJkKmEkz6swDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAd+4E6t0j8/p8rbZE8y/gZ9GsiRhxkR4l6JbMRUfEpqHKi415qstChRcP2Lo3Yd5qdmj9tLDWoPsqet1QgyTTmQTgUmPhhMOQDqSh90LuqEJseKWafXGS/SfWLH6MWVmzDV5YofJEw2ThPiU58GiS06OLS2poq1eAesa2LQ22J8yYisXM4sxImIFte+LYQ1+1evfBWcvU1vrGsQ0VLJHdef9WoXp1swUFhq4Zk0c7gjHiB1CFVlExAAlk9L6W3CVXmKIYlf4eUnEBGkC061Ir42+uhAMWO9Y/L1NEuboTyd2KAI/6JdKdzpmfk7zPVxWlNxNCZ7OPNuvOKp6VlpB2EA==
+'';
+
+passAsFile = [
+"configAuthsourcesPhp"
+"metadataSaml20IdpRemotePhp"
+"pvvcert"
+];
+
+postPatch = ''
+install -Dm444 "$configAuthsourcesPhpPath" "config/authsources.php"
+install -Dm444 "$metadataSaml20IdpRemotePhpPath" "metadata/saml20-idp-remote.php"
+install -Dm444 "$pvvcertPath" "cert/pvvcert.pem"
 '';
 };
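Review bot: `'certData' => 'pvvcert.pem'` in `metadataSaml20IdpRemotePhp` looks like the wrong key for what `postPatch` sets up: in SimpleSAMLphp's saml20-idp-remote format `certData` carries the base64 certificate body inline, whereas a file placed under `cert/` (which `install -Dm444 "$pvvcertPath" "cert/pvvcert.pem"` does) is referenced with `certificate`. As written, verification of the IdP's signed responses would be configured against the literal filename string rather than the installed PEM, so either the key should become `'certificate' => 'pvvcert.pem',` or `certData` should hold the base64 body itself; please confirm against the SimpleSAMLphp release being pinned, since the metadata format is what protects the login flow here. It is also worth checking that `pvvcert` is a complete PEM file with BEGIN/END CERTIFICATE lines; only the base64 body is visible in this rendering, which may be an artifact of how the diff was captured. The `SimpleSAMLphpRepo` derivation starts outside this hunk.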
@@ -172,4 +222,23 @@ in {
 ${pkgs.php}/bin/php ${pkg}/share/mediawiki/maintenance/update.php --conf ${mediawikiConfig} --quick
 '';
+
+services.nginx.virtualHosts."bekkalokk.pvv.ntnu.no" = {
+forceSSL = true;
+enableACME = true;
+root = "${config.services.mediawiki.finalPackage}/share/mediawiki";
+locations = {
+"/" = {
+extraConfig = ''
+fastcgi_split_path_info ^(.+\.php)(/.+)$;
+fastcgi_index index.php;
+fastcgi_pass unix:${config.services.phpfpm.pools.mediawiki.socket};
+include ${pkgs.nginx}/conf/fastcgi_params;
+include ${pkgs.nginx}/conf/fastcgi.conf;
+'';
+};
+
+"/images".root = config.services.mediawiki.uploadsDir;
+};
+};
 }
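Review bot: The `"/"` location hands every request, including static `/resources/` and `/skins/` assets, to php-fpm with no `try_files` guard, so nginx never serves assets itself and a request for a script that does not exist still reaches the FastCGI backend; the usual shape is a `tryFiles` on `/` plus a PHP-only location that checks `$fastcgi_script_name` exists before `fastcgi_pass`. Including both `fastcgi_params` and `fastcgi.conf` is redundant, since `fastcgi.conf` is `fastcgi_params` plus `SCRIPT_FILENAME`. `"/images".root = config.services.mediawiki.uploadsDir` resolves `/images/foo.png` to `${uploadsDir}/images/foo.png`; if `uploadsDir` is itself the upload root, as the nixpkgs module's Apache `Alias "/images"` suggests, `alias` is the directive wanted, so confirm against the module. The enclosing attribute set starts outside this hunk, and the commit record should note that this vhost publicly exposes a wiki whose database block still carries a not-production-ready TODO.
```nix
    locations = {
      # Static assets are served by nginx; only PHP scripts reach php-fpm.
      "/".tryFiles = "$uri $uri/ /index.php?$args";
      "~ [^/]\\.php(/|$)" = {
        extraConfig = ''
          fastcgi_split_path_info ^(.+\.php)(/.+)$;
          try_files $fastcgi_script_name =404;
          fastcgi_index index.php;
          fastcgi_pass unix:${config.services.phpfpm.pools.mediawiki.socket};
          include ${pkgs.nginx}/conf/fastcgi.conf;
        '';
      };

      # Uploads are served as plain static files and never handed to php-fpm.
      "/images".alias = config.services.mediawiki.uploadsDir;
    };
```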