# NixOS module: MediaWiki behind nginx + PHP-FPM, with secrets supplied by sops
# and logins restricted to the OpenID Connect provider at git.pvv.ntnu.no.
{ pkgs, lib, config, values, ... }:
let
  cfg = config.services.mediawiki;
  # "mediawiki"
  user = config.systemd.services.mediawiki-init.serviceConfig.User;
  # "mediawiki"
  group = config.users.users.${user}.group;
in
{
  # All three secrets are owned by the mediawiki user/group, i.e. the identity the
  # init service and the PHP-FPM pool (see `inherit user group` below) run as, and
  # both units are restarted whenever a secret changes.
  sops.secrets = let
    secret = opts: {
      restartUnits = [ "mediawiki-init.service" "phpfpm-mediawiki.service" ];
      owner = user;
      group = group;
    } // opts;
  in {
    "mediawiki/password" = secret { };
    "mediawiki/database" = secret { };
    "mediawiki/oidc/clientsecret" = secret { };
  };

  services.mediawiki = {
    enable = true;
    name = "Programvareverkstedet";
    # Only the secret's *path* is interpolated into the configuration; the value
    # itself is read at runtime and never lands in the Nix store.
    passwordFile = config.sops.secrets."mediawiki/password".path;
    passwordSender = "drift@pvv.ntnu.no";

    database = {
      type = "mysql";
      host = "mysql.pvv.ntnu.no";
      # Remote database; nothing is provisioned on this host.
      createLocally = false;
      user = "bekkalokk_mediawiki_test";
      name = "bekkalokk_mediawiki_test";
      passwordFile = config.sops.secrets."mediawiki/database".path;
    };

    # Host through nginx
    webserver = "none";

    poolConfig = let
      listenUser = config.services.nginx.user;
      listenGroup = config.services.nginx.group;
    in {
      # Worker settings
      "pm" = "dynamic";
      "pm.max_children" = 32;
      "pm.max_requests" = 500;
      "pm.start_servers" = 2;
      "pm.min_spare_servers" = 2;
      "pm.max_spare_servers" = 4;

      # Socket settings
      # The unix socket is owned by the nginx user/group, so only the web server
      # can hand requests to the pool.
      "listen.owner" = listenUser;
      "listen.group" = listenGroup;

      # Misc
      "env[PATH]" = lib.makeBinPath [ pkgs.php ];

      # to accept *.html file
      # NOTE(review): an empty limit_extensions lets PHP-FPM run *any* file nginx
      # passes it through the interpreter, not only *.php. This is safe only while
      # the document root stays the read-only store path of the MediaWiki package
      # and uploads (uploadsDir) keep being served statically by the separate
      # "/images" location below — revisit if either of those changes.
      "security.limit_extensions" = "";
      # Pool runs as the mediawiki user/group, matching the owner of the sops secrets.
      inherit user group;

      # Debug logging
      # NOTE(review): display_errors=on prints PHP errors (including file paths)
      # into HTTP responses. Intended for debugging this test instance; switch it
      # off (keep log_errors to stderr) before the wiki serves real users.
      "catch_workers_output" = "yes";
      "php_flag[display_errors]" = "on";
      "php_admin_value[error_log]" = "stderr";
      "php_admin_flag[log_errors]" = "on";
    };

    # Extensions are pinned to REL1_40 snapshot tarballs by URL *and* content hash;
    # when bumping a URL the hash must be updated with it or the fetch fails.
    extensions = {
      DeleteBatch = pkgs.fetchzip {
        url = "https://extdist.wmflabs.org/dist/extensions/DeleteBatch-REL1_40-6852fb7.tar.gz";
        hash = "sha256-m6l8Cs6mFLu1qfovBFO2l8HhtYZXnpZkajWXNob2wbU=";
      };
      UserMerge = pkgs.fetchzip {
        url = "https://extdist.wmflabs.org/dist/extensions/UserMerge-REL1_40-56f6dcf.tar.gz";
        hash = "sha256-zO7ti7fZPlJp3TXSJbYrXPRyElwO57zoU+RH7LBwVGU=";
      };
      PluggableAuth = pkgs.fetchzip {
        url = "https://extdist.wmflabs.org/dist/extensions/PluggableAuth-REL1_40-8104ed9.tar.gz";
        hash = "sha256-fFz9+pJ/Ucdg340I/JWe4S/W05oVSfns9EF84rxN8yI=";
      };
      OpenIDConnect = pkgs.fetchzip {
        url = "https://extdist.wmflabs.org/dist/extensions/OpenIDConnect-REL1_40-3edc735.tar.gz";
        hash = "sha256-Osp4m2Sp9uGNt3QEmRsw0LA3KQCQzqJosgy3AFs11hY=";
      };
    };

    # Appended to LocalSettings.php (PHP syntax; `#` comments are PHP comments).
    extraConfig = ''
      # Must match the nginx virtualHost name below.
      $wgServer = "https://bekkalokk.pvv.ntnu.no";
      $wgLocaltimezone = "Europe/Oslo";

      # Only allow login through SSO
      # Mail is fully disabled, nobody may self-register, but an account is
      # auto-created on the first successful SSO login. Auto-login is left off.
      $wgEnableEmail = false;
      $wgEnableUserEmail = false;
      $wgEmailAuthentication = false;
      $wgGroupPermissions['*']['createaccount'] = false;
      $wgGroupPermissions['*']['autocreateaccount'] = true;
      $wgPluggableAuth_EnableAutoLogin = false;

      # SSO config
      # NOTE(review): the OpenIDConnect extension usually takes the issuer's base
      # URL as providerURL and locates the discovery document from it — confirm
      # this /login/oauth/authorize URL is what this extension version expects.
      # The client secret is read from the sops-managed file at request time, so
      # only its path is baked into LocalSettings.php.
      $wgPluggableAuth_Config[] = [
        'plugin' => 'OpenIDConnect',
        'data' => [
          'providerURL' => 'https://git.pvv.ntnu.no/login/oauth/authorize',
          'clientID' => 'be86ec39-d89c-4973-a163-633339539db2',
          'clientsecret' => file_get_contents('${config.sops.secrets."mediawiki/oidc/clientsecret".path}')
        ]
      ];

      # Disable anonymous editing
      $wgGroupPermissions['*']['edit'] = false;

      # Styling
      # The relative path is copied into the Nix store and its store path substituted here.
      $wgLogos = [
        'svg' => "${../../../assets/logo_blue_regular.svg}",
      ];
      $wgDefaultSkin = "monobook";

      # Enable debugging
      # NOTE(review): together with display_errors in poolConfig this shows full
      # PHP error output to visitors; for debugging the test instance only.
      error_reporting( -1 );
      ini_set( 'display_errors', 1 );

      # Misc
      $wgEmergencyContact = "${cfg.passwordSender}";
      $wgShowIPinHeader = false;
      $wgUseTeX = false;
      $wgLocalInterwiki = $wgSitename;

      # Fix https://github.com/NixOS/nixpkgs/issues/183097
      $wgDBserver = "${toString cfg.database.host}";
    '';
  };

  # services.nginx.virtualHosts."wiki.pvv.ntnu.no" = {
  # Keep the host name in sync with $wgServer in extraConfig above.
  services.nginx.virtualHosts."bekkalokk.pvv.ntnu.no" = {
    forceSSL = true;
    enableACME = true;
    # Document root is the read-only store path of the built MediaWiki package.
    root = "${cfg.finalPackage}/share/mediawiki";
    locations = {
      "/" = {
        # NOTE(review): this option sets proxy_* headers, which fastcgi_pass does
        # not use — presumably harmless, but confirm nothing relies on it.
        recommendedProxySettings = true;
        extraConfig = ''
          # Every request for this location is passed to PHP-FPM (there is no
          # try_files guard), so static files under the root go through the
          # interpreter as well — which is why limit_extensions is empty in
          # poolConfig. Relies on the root being the immutable store path.
          fastcgi_split_path_info ^(.+\.php)(/.+)$;
          fastcgi_index index.php;
          fastcgi_pass unix:${config.services.phpfpm.pools.mediawiki.socket};
          include ${pkgs.nginx}/conf/fastcgi_params;
          include ${pkgs.nginx}/conf/fastcgi.conf;
        '';
      };
      # Uploads are served straight from disk as static files, never via PHP-FPM.
      "/images".root = config.services.mediawiki.uploadsDir;
    };
  };
}