# MediaWiki on bekkalokk: a php-fpm pool fronted by nginx, secrets from sops,
# a remote MySQL database and login only through OpenID Connect against
# git.pvv.ntnu.no.
{ pkgs, lib, config, values, ... }: let
  cfg = config.services.mediawiki;
  # "mediawiki" -- reuse the account the upstream module runs mediawiki-init as
  user = config.systemd.services.mediawiki-init.serviceConfig.User;
  # "mediawiki"
  group = config.users.users.${user}.group;
in {
  # Every secret is owned by the mediawiki user/group so the php-fpm pool
  # below (which runs as that user, see `inherit user group`) can read it at
  # runtime, and both units are restarted when a secret is rotated.
  sops.secrets = let
    secret = opts: {
      restartUnits = [ "mediawiki-init.service" "phpfpm-mediawiki.service" ];
      owner = user;
      group = group;
    } // opts;
  in {
    "mediawiki/password" = secret { };
    "mediawiki/database" = secret { };
    "mediawiki/oidc/clientsecret" = secret { };
  };

  services.mediawiki = {
    enable = true;
    name = "Programvareverkstedet";
    passwordFile = config.sops.secrets."mediawiki/password".path;
    passwordSender = "drift@pvv.ntnu.no";

    # Remote database, nothing is created locally; the password comes from
    # the sops-managed file, never from the (world-readable) Nix store.
    # The "_test" user/database names suggest this is a test instance --
    # presumably to be swapped for production values later.
    database = {
      type = "mysql";
      host = "mysql.pvv.ntnu.no";
      createLocally = false;
      user = "bekkalokk_mediawiki_test";
      name = "bekkalokk_mediawiki_test";
      passwordFile = config.sops.secrets."mediawiki/database".path;
    };

    # Host through nginx
    webserver = "none";

    poolConfig = let
      listenUser = config.services.nginx.user;
      listenGroup = config.services.nginx.group;
    in {
      # Worker settings
      "pm" = "dynamic";
      "pm.max_children" = 32;
      "pm.max_requests" = 500;
      "pm.start_servers" = 2;
      "pm.min_spare_servers" = 2;
      "pm.max_spare_servers" = 4;
      # Socket settings: the pool socket is owned by the nginx user/group, so
      # only the web server can hand requests to php-fpm.
      "listen.owner" = listenUser;
      "listen.group" = listenGroup;
      # Misc
      "env[PATH]" = lib.makeBinPath [ pkgs.php ];
      # to accept *.html file
      # NOTE(review): an empty limit_extensions makes php-fpm execute whatever
      # path nginx forwards, and the "/" location below forwards every
      # request. Today the document root is the read-only store path
      # ${cfg.finalPackage}/share/mediawiki and uploads are served statically
      # from /images, so nothing writable sits under that root -- keep it that
      # way, or list only the extensions actually needed here.
      "security.limit_extensions" = "";
      inherit user group;
      # Debug logging
      # NOTE(review): display_errors=on (together with error_reporting(-1) and
      # ini_set('display_errors', 1) in extraConfig) prints PHP warnings, file
      # paths and stack traces into HTTP responses. Acceptable for a test
      # instance; switch it to "off" before this serves a public wiki. Worker
      # output and error_log still reach the journal through stderr, which is
      # the channel to keep.
      "catch_workers_output" = "yes";
      "php_flag[display_errors]" = "on";
      "php_admin_value[error_log]" = "stderr";
      "php_admin_flag[log_errors]" = "on";
    };

    # Extensions are pinned by content hash, so a changed or tampered tarball
    # fails the build instead of being deployed. All four track the REL1_40
    # branch; presumably that matches the MediaWiki version nixpkgs ships --
    # verify when bumping either side.
    extensions = {
      DeleteBatch = pkgs.fetchzip {
        url = "https://extdist.wmflabs.org/dist/extensions/DeleteBatch-REL1_40-6852fb7.tar.gz";
        hash = "sha256-m6l8Cs6mFLu1qfovBFO2l8HhtYZXnpZkajWXNob2wbU=";
      };
      UserMerge = pkgs.fetchzip {
        url = "https://extdist.wmflabs.org/dist/extensions/UserMerge-REL1_40-56f6dcf.tar.gz";
        hash = "sha256-zO7ti7fZPlJp3TXSJbYrXPRyElwO57zoU+RH7LBwVGU=";
      };
      PluggableAuth = pkgs.fetchzip {
        url = "https://extdist.wmflabs.org/dist/extensions/PluggableAuth-REL1_40-8104ed9.tar.gz";
        hash = "sha256-fFz9+pJ/Ucdg340I/JWe4S/W05oVSfns9EF84rxN8yI=";
      };
      OpenIDConnect = pkgs.fetchzip {
        url = "https://extdist.wmflabs.org/dist/extensions/OpenIDConnect-REL1_40-3edc735.tar.gz";
        hash = "sha256-Osp4m2Sp9uGNt3QEmRsw0LA3KQCQzqJosgy3AFs11hY=";
      };
    };

    # Appended to LocalSettings.php. Notes on the security-relevant parts:
    # - Local account creation and e-mail are disabled; accounts are only
    #   auto-created on a successful OIDC login, so the identity provider is
    #   the single source of who may log in.
    # - The OIDC client secret is read at request time from the sops path
    #   (readable by the pool user, see sops.secrets), so it never ends up in
    #   the store-resident LocalSettings.php.
    # - error_reporting(-1) / display_errors=1 expose internals to clients;
    #   see the note on php_flag[display_errors] above.
    # - NOTE(review): the interpolated logo path is a /nix/store filesystem
    #   path, not a URL under the nginx root below -- confirm the logo
    #   actually loads in the browser.
    extraConfig = ''
      $wgServer = "https://bekkalokk.pvv.ntnu.no";
      $wgLocaltimezone = "Europe/Oslo";
      # Only allow login through SSO
      $wgEnableEmail = false;
      $wgEnableUserEmail = false;
      $wgEmailAuthentication = false;
      $wgGroupPermissions['*']['createaccount'] = false;
      $wgGroupPermissions['*']['autocreateaccount'] = true;
      $wgPluggableAuth_EnableAutoLogin = false;
      # SSO config
      $wgPluggableAuth_Config[] = [
      'plugin' => 'OpenIDConnect',
      'data' => [
      'providerURL' => 'https://git.pvv.ntnu.no/login/oauth/authorize',
      'clientID' => 'be86ec39-d89c-4973-a163-633339539db2',
      'clientsecret' => file_get_contents('${config.sops.secrets."mediawiki/oidc/clientsecret".path}')
      ]
      ];
      # Disable anonymous editing
      $wgGroupPermissions['*']['edit'] = false;
      # Styling
      $wgLogos = [
      'svg' => "${../../../assets/logo_blue_regular.svg}",
      ];
      $wgDefaultSkin = "monobook";
      # Enable debugging
      error_reporting( -1 );
      ini_set( 'display_errors', 1 );
      # Misc
      $wgEmergencyContact = "${cfg.passwordSender}";
      $wgShowIPinHeader = false;
      $wgUseTeX = false;
      $wgLocalInterwiki = $wgSitename;
      # Fix https://github.com/NixOS/nixpkgs/issues/183097
      $wgDBserver = "${toString cfg.database.host}";
    '';
  };

  # TLS is forced and the certificate comes from ACME. The document root is
  # the read-only MediaWiki package in the store; every request under "/" is
  # handed to the php-fpm pool, while uploads are served as plain static
  # files from /images and therefore never reach php-fpm (this is what keeps
  # the empty security.limit_extensions above safe).
  # services.nginx.virtualHosts."wiki.pvv.ntnu.no" = {
  services.nginx.virtualHosts."bekkalokk.pvv.ntnu.no" = {
    forceSSL = true;
    enableACME = true;
    root = "${cfg.finalPackage}/share/mediawiki";
    locations = {
      "/" = {
        # presumably a no-op here: this location uses fastcgi_pass, not
        # proxy_pass, so the recommended proxy headers are never consumed --
        # verify or drop.
        recommendedProxySettings = true;
        # fastcgi.conf in the upstream nginx tree is fastcgi_params plus
        # SCRIPT_FILENAME, so including both is redundant but harmless.
        extraConfig = ''
          fastcgi_split_path_info ^(.+\.php)(/.+)$;
          fastcgi_index index.php;
          fastcgi_pass unix:${config.services.phpfpm.pools.mediawiki.socket};
          include ${pkgs.nginx}/conf/fastcgi_params;
          include ${pkgs.nginx}/conf/fastcgi.conf;
        '';
      };
      # Static only: no fastcgi directives, so uploaded files are never
      # executed.
      "/images".root = config.services.mediawiki.uploadsDir;
    };
  };
}