1
0
Fork 0
forked from pub-solar/infra

Merge pull request 'mediawiki' (#51) from mediawiki into main

Reviewed-on: pub-solar/infra#51
Reviewed-by: teutat3s <teutat3s@noreply.git.pub.solar>
This commit is contained in:
teutat3s 2023-11-15 20:54:05 +00:00
commit 3104253b89
Signed by: pub.solar gitea
GPG key ID: F0332B04B7054873
14 changed files with 365 additions and 4 deletions

View file

@ -7,7 +7,7 @@
}: {
age.secrets.keycloak-database-password = {
file = "${flake.self}/secrets/keycloak-database-password.age";
mode = "700";
mode = "600";
#owner = "keycloak";
};

View file

@ -0,0 +1,232 @@
{
flake,
config,
lib,
pkgs,
...
}: let
localSettingsPHP = pkgs.writeScript "LocalSettings.php" ''
<?php
# Protect against web entry
if ( !defined( 'MEDIAWIKI' ) ) {
exit;
}
# error_reporting( -1 );
# ini_set( 'display_errors', 1 );
# $wgShowExceptionDetails = true;
$wgDBerrorLog = '/dev/stderr';
$wgDebugLogFile = "/dev/stderr";
$wgSitename = "pub.solar wiki";
$wgMetaNamespace = false;
## The URL base path to the directory containing the wiki;
## defaults for all runtime URL paths are based off of this.
## For more information on customizing the URLs
## (like /w/index.php/Page_title to /wiki/Page_title) please see:
## https://www.mediawiki.org/wiki/Manual:Short_URL
$wgScriptPath = "https://wiki.pub.solar";
## https://www.mediawiki.org/wiki/Manual:Short_URL
## https://www.mediawiki.org/wiki/Extension:OpenID_Connect#Known_issues
$wgArticlePath = "/index.php/$1";
## The protocol and server name to use in fully-qualified URLs
$wgServer = "https://wiki.pub.solar";
## The URL path to static resources (images, scripts, etc.)
$wgResourceBasePath = $wgScriptPath;
## The URL path to the logo. Make sure you change this from the default,
## or else you'll overwrite your logo when you upgrade!
$wgLogo = "$wgResourceBasePath/resources/assets/wiki.png";
## UPO means: this is also a user preference option
$wgEnableEmail = true;
$wgEnableUserEmail = true; # UPO
$wgPasswordSender = "admins@pub.solar";
$wgEnotifUserTalk = false; # UPO
$wgEnotifWatchlist = false; # UPO
$wgEmailAuthentication = true;
## Database settings
$wgDBtype = "postgres";
$wgDBserver = "host.docker.internal";
$wgDBport = "5432";
$wgDBname = "mediawiki";
$wgDBuser = "mediawiki";
$wgDBpassword = trim(file_get_contents("/run/mediawiki/database-password"));
## Shared memory settings
$wgMainCacheType = CACHE_NONE;
$wgMemCachedServers = [];
$wgEnableUploads = true;
$wgUploadDirectory = "/var/www/html/uploads";
$wgUseImageMagick = true;
$wgImageMagickConvertCommand = "/usr/bin/convert";
# InstantCommons allows wiki to use images from https://commons.wikimedia.org
$wgUseInstantCommons = false;
# Periodically send a pingback to https://www.mediawiki.org/ with basic data
# about this MediaWiki instance. The Wikimedia Foundation shares this data
# with MediaWiki developers to help guide future development efforts.
$wgPingback = true;
## If you use ImageMagick (or any other shell command) on a
## Linux server, this will need to be set to the name of an
## available UTF-8 locale
$wgShellLocale = "C.UTF-8";
# Site language code, should be one of the list in ./languages/data/Names.php
$wgLanguageCode = "en";
$wgSecretKey = trim(file_get_contents("/run/mediawiki/secret-key"));
# Changing this will log out all existing sessions.
$wgAuthenticationTokenVersion = "";
## For attaching licensing metadata to pages, and displaying an
## appropriate copyright notice / icon. GNU Free Documentation
## License and Creative Commons licenses are supported so far.
$wgRightsPage = ""; # Set to the title of a wiki page that describes your license/copyright
$wgRightsUrl = "";
$wgRightsText = "";
$wgRightsIcon = "";
# Path to the GNU diff3 utility. Used for conflict resolution.
$wgDiff = "/usr/bin/diff";
$wgDiff3 = "/usr/bin/diff3";
# Enabled skins.
wfLoadSkin('MonoBook');
wfLoadSkin('Timeless');
wfLoadSkin('Vector');
# Enabled extensions.
wfLoadExtension('OpenIDConnect');
wfLoadExtension('PluggableAuth');
wfLoadExtension('VisualEditor');
# End of automatically generated settings.
# Add more configuration options below.
$wgLogo = "https://pub.solar/assets/pubsolar.svg";
$wgLogos = [
'svg' => "https://pub.solar/assets/pubsolar.svg",
'icon' => "https://pub.solar/assets/pubsolar.svg",
'wordmark' => [
'src'=> "https://pub.solar/assets/pubsolar.svg",
'width'=> 0,
'height'=> 0,
],
];
$wgFavicon = 'https://pub.solar/assets/pubsolar.svg';
$wgDefaultSkin = 'vector-2022';
// https://www.mediawiki.org/wiki/Extension:PluggableAuth#Installation
$wgGroupPermissions['*']['autocreateaccount'] = true;
// https://www.mediawiki.org/wiki/Extension:PluggableAuth#Configuration
$wgPluggableAuth_EnableAutoLogin = false;
$wgPluggableAuth_ButtonLabel = 'Login with pub.solar ID';
// https://www.mediawiki.org/wiki/Extension:OpenID_Connect#Keycloak
$wgPluggableAuth_Config[] = [
'plugin' => 'OpenIDConnect',
'data' => [
'providerURL' => 'https://auth.pub.solar/realms/pub.solar',
'clientID' => 'mediawiki',
'clientsecret' => trim(file_get_contents('/run/mediawiki/oidc-client-secret'))
]
];
$wgOpenIDConnect_SingleLogout = true;
$wgOpenIDConnect_MigrateUsersByEmail = true;
'';
uid = 986;
gid = 984;
in {
age.secrets.mediawiki-database-password = {
file = "${flake.self}/secrets/mediawiki-database-password.age";
path = "/run/mediawiki/database-password";
symlink = false;
mode = "440";
owner = "mediawiki";
group = "mediawiki";
};
age.secrets.mediawiki-oidc-client-secret = {
file = "${flake.self}/secrets/mediawiki-oidc-client-secret.age";
path = "/run/mediawiki/oidc-client-secret";
symlink = false;
mode = "440";
owner = "mediawiki";
group = "mediawiki";
};
age.secrets.mediawiki-secret-key = {
file = "${flake.self}/secrets/mediawiki-secret-key.age";
path = "/run/mediawiki/secret-key";
symlink = false;
mode = "440";
owner = "mediawiki";
group = "mediawiki";
};
services.postgresql = {
authentication = ''
host mediawiki all 172.17.0.0/16 password
'';
};
services.nginx.virtualHosts."wiki.pub.solar" = {
enableACME = true;
forceSSL = true;
locations."/".proxyPass = "http://127.0.0.1:8293";
};
users.users.mediawiki = {
isSystemUser = true;
group = "mediawiki";
inherit uid;
};
users.groups.mediawiki = { inherit gid; };
virtualisation = {
oci-containers = {
backend = "docker";
containers."mediawiki" = {
image = "git.pub.solar/pub-solar/mediawiki-oidc-docker:latest";
user = "1000:${builtins.toString gid}";
autoStart = true;
ports = [
"127.0.0.1:8293:80"
];
extraOptions = [
"--add-host=host.docker.internal:host-gateway"
"--pull=always"
];
volumes = [
"/run/mediawiki:/run/mediawiki"
"/var/lib/mediawiki/images:/var/www/html/images"
"/var/lib/mediawiki/uploads:/var/www/html/uploads"
"/var/lib/mediawiki/logs:/var/log/mediawiki"
"${localSettingsPHP}:/var/www/html/LocalSettings.php"
];
};
};
};
}

View file

@ -1,7 +1,11 @@
{ ... }:
{
services.postgresql.enable = true;
services.postgresql = {
enable = true;
enableTCPIP = true;
};
systemd.services.postgresql = {
after = [
"var-lib-postgresql.mount"

View file

@ -8,7 +8,7 @@
{
age.secrets.searx-environment = {
file = "${flake.self}/secrets/searx-environment.age";
mode = "700";
mode = "600";
};
services.nginx.virtualHosts."search.pub.solar" = {

View file

@ -15,6 +15,7 @@
./apps/keycloak.nix
./apps/mailman.nix
./apps/mastodon.nix
./apps/mediawiki.nix
./apps/nextcloud.nix
./apps/owncast.nix
./apps/nginx-mastodon.nix

View file

@ -6,4 +6,6 @@
'';
storageDriver = "zfs";
};
networking.firewall.trustedInterfaces = [ "docker0" ];
}

View file

@ -2,7 +2,7 @@
users.users.${flake.self.username} = {
name = flake.self.username;
group = flake.self.username;
extraGroups = ["wheel"];
extraGroups = ["wheel" "docker"];
isNormalUser = true;
openssh.authorizedKeys.keys = flake.self.publicKeys.admins;
};

View file

@ -10,6 +10,8 @@
(final: prev: {
mastodon = inputs.mastodon-fork.legacyPackages.${prev.system}.mastodon;
forgejo-actions-runner = inputs.unstable.legacyPackages.${prev.system}.forgejo-actions-runner;
mediawiki = inputs.unstable.legacyPackages.${prev.system}.mediawiki;
})
];
});

View file

@ -0,0 +1,27 @@
age-encryption.org/v1
-> ssh-ed25519 iDKjwg LcyG6l8PyH97exah393jsbCvMiPglSUdE9+xgiuxj24
+iL2WJUShBHg3Phy20pj6Ey7+CbW0kePMpRr0IFGMow
-> ssh-ed25519 uYcDNw 2aoZ0g9M/dy+JN+XGijHbSER9C2WnGcbfiH8qamDTHk
uJvrHKDoKGFMTDYIoI1R+9GsRHbwOi+lncga7n+MZIY
-> ssh-rsa kFDS0A
XaTAfhahB+pcCodZp7lh3tGH7JRyvErDWPCgL2Uz7Z/MTeLqsqc/bWHHodGMvvba
gizm978vCp5jC7gz7Gior9y9//QlIC3nLklOXPtGRALMWxI72aYeWXuz6NclTfmB
8ADxCFJ/t+DHlphNvmYTm4OYbSd0rLUR2uhPB9bfcrs+Xn28IglP/3CnWtb0bKgU
xFu5ghqmzaZwYEsk1rBkslSpjClfsrAuptahAeAoP6ZB3UAcyGxYTl1JWZ8NsGx5
wciyUdaMKernsAM9GOFFmA7ax6QtR70u57KCcsV9CyhBaB8W6vTlVomTGuxvA0tR
jM518FxK/R4DQ+DXyYy2t6k7AolN6owu04cxJQZIlplwBYA1jaqNUkbSs7OdnKqz
IQfmJ6EIJRqr+FAV4g4JrhfU9RMJiZsxN1sCIpUEH38RLY2VU0JTFhR5rFqLEaYH
q1phO0NBtEKbjZBH3WNdeaOl2420WTebMZXu8i+wwA9ApLAdmh9BdiJCRgxwXuxo
7vj5/QdRAtGZwscCol58s9fOtLz4euTSvEMp58uiQUg0Tlx8UTG+PIGYlIXQ2VuU
jbZiHU5u4yFIkQqlqwo9ffQtn6gH8GT7P5tdFKMucsrwZF7ui6FfuDCLk+TBWhGS
Y5k9Y7u3tXnIATksKUV+SfOEwqDyNU58Y0MA6M/HaU0
-> ssh-ed25519 YFSOsg +3UYmfhtMlKT3bodpFR9S52lmpN3Cu7wT/lwm4kZrC8
VtlMr493XZe7O6QsYf9rwq58JPox/wQvnGLXJN5CB5I
-> ssh-ed25519 iHV63A 9uadUaJT6jEsyMFMEfohMCUgxSXB7bsa++70P1a0LFM
BW99xSdQTBBjFkEmlNTB1N3jxmGY+0oYnps8RoidUvw
-> ssh-ed25519 BVsyTA Iuixq7laf7fN20bXYoc1O89cJWExzSxD/XkOg6BjKSc
Bq3+y48SSkaDnuYmp38yGXNkp93qUNJemfTxtVnpUD0
-> 4-grease ($vN N
b6PMSRSIUZMlLXQx9xaM9KMlk1kzMotNwC1L
--- AKDHmogRbZ+hiS/5jYlvBFRG0vfY31lMbH/vqAlTfLY
-m ó™Îé8…ÉšüAºq¯ëÉAf—hÆ]DváâÐ.ðhœüWþS¸ëŒÈ~È«p'œË.&-Éȇ_

View file

@ -0,0 +1,28 @@
age-encryption.org/v1
-> ssh-ed25519 iDKjwg z0obMnCseK5QoAge88uhbvcI5fk07UOBZk/rEXQCagU
RtYb7D5diitYmAh+K0TbPlF2ps2LaBeVeQ8iabUA/3U
-> ssh-ed25519 uYcDNw xy8dFpnQszNlQernP7dkw/VIF1++KiTsIGDJsDHusSQ
l82JxR2oJ71rRSZYPeXvNZyuEa2o2/uxDCJawOj9m4k
-> ssh-rsa kFDS0A
NKl5eefpdKltFPeg5bO8vw4xa6qVo5nRMF4xTO7t6wcRagADcDWYp0ZfYoHABOFH
yBL1YQ2VXAMmbchJKrIy4N9oy26cGifxzFBgkPlnKOxUUXuaXgv2vMTTOUUB5mlp
gax7uq+J1qLtkc/yfvt/OOWv9qRf9vHhIWuG6/vbv+8ATWbMANLZB6GPBlW5dWJG
A4ZV88Zd/zenB3d+bo5Gh9/RxazGfb98GwMFoHv67WUn/W542IDZyywTz/8cQB7I
8POfee3cuiQ1K19vn4rbHldVxYCmbESS3KR6gzPk0HAi6KFxW29NqHsX//ObPkL3
wYsKyYtsJLOy1gAKIcHG/6kysh3MstFq3Q977kuskk79JXIjiiPNFfQOh/WZKXvl
EwuaTTvyzzXuPBRSaTMYUv3NwlT7IBeZ1D/hOmmmN4GmbE0qIp9hDQbwSrf4+3Z3
irVMOee5SmLYwsj5cZPU7AdNs3Q1o0C2ooTA/WYFMdUKeI1ZhtNAekbuXseH2zr4
N/j+XMSx7KAIB0Pb5yqkI/DliZpacG5DT6f+qgDYyEh0XEf7Eazn02EnquayB1Sr
sgdZ7SO+ntPzc2l/JbhFN5SpH6iQJVohwkjBXQUQyJuLZBYdh4M0x4KF0P6xVO+P
iBGM3/9jm86AOa6yhlfh8Z6h9ckKk5DNkMTJn+2fQc4
-> ssh-ed25519 YFSOsg ZpPUH11hi+hg1Euil1aJNXqrOKjQrucI8Mi9KVrMnwE
xPoiMVzjfWUpUUC3EZUiogLJZfKWs2/jwGZfsx27CKQ
-> ssh-ed25519 iHV63A t4j7mr+hoW5fR9+ry3/tqKvQERZs/h7Qn9LEeeSWFhc
XZjUNUWkWnJG7l8vahfppxZ/kjH1VRf8YNpt8x2H67M
-> ssh-ed25519 BVsyTA SztbpuYbTH+FkumMGCAQ4fQ/rRRZgGg2yCPHjS8qtTI
F98vVoeITz/WJnJamw1I4zLHBcF46FYxKibwmbInFoA
-> %R9cvM-grease 8#EQ8Q l:Yu\
VBsYA1Kyd/sz6RVeZNHBMvKlYmwKcuvWKyGOLzzcaz6C6kzHNgtWXcLRC0A9wMDt
xQkX8fYdijHTcclcGerWUa8iqnpd7rAgo8RjG5e5JzhW
--- k9Ai5b4pxmq4DnN/3a6UyllvEzFaEFv0ePExwfUpplA
đŔ5ć<–…lEÚN ĺŮWՀϢ%bě<÷±ŰńĹ"aš)™šň8ąđ*ĆĹ”c<E2809D>ÓC¶0|V§qvSŮ

View file

@ -0,0 +1,27 @@
age-encryption.org/v1
-> ssh-ed25519 iDKjwg wNZLc0SqLieSDPQzQEcJML08uiCKPLJoI95maDa4a3E
KXWlP0ZPWl3WiSX04UKtwHdhezMdLT3nskLl7E7OSHs
-> ssh-ed25519 uYcDNw yA4rP44m2CJgvuSG4NrRFY1BWAXbdzov5AK/eYDu42Q
vfZ6m1Vw0WNsnCmXe4jOtSvHMHXVxRBvP2Fkqki/xK8
-> ssh-rsa kFDS0A
Milr41weYJCyX92mWcSBSJEeUetq76tzjwsCjJtfpvG5ASsiu/Wj7jtngOO9wER2
8kgh3DVQVlZV9kwHoC8zM3C+qYU4HQf74Sr9TXXcZko9HBZA17O3I5IBnp5cmVsq
ZBE1gpuT+J/xSA14w4Kf7LbobNpYuMrEGoquWAH9ESjPt7HY067rGe8nBy2RoAM5
FyXQ8uoPw6wDB5Ak6HGT3pdzazjtDugJdaO/9CT07lI+XvSAD5CBvtfjoWAdTphC
+6S1t9gcNZrd+oQ3LZ1mSnvjVc+O4YHjzy56zo3Zh1KJLxMbdkO1st72fsNTNXjI
gj3ZYmodz/lfTxQABreQdo9AUCBBQkoyGv2uilYbJPTTeUxCXUnGGkDqW4e0p/8z
ukHiqeeMw4XqPXAduVlNIpsvW1s0sDB3Kx8t+KJirr4PHfIIulHbnjPxKQyXaj86
nzSYSuzftOquAz8CIokgRyFhgJtRD2lzNhXbt6GvU4VLagtmbFQmhyqVJzzvmnE3
7cu6Fcc07IiA7CuhweAmWA8/vjBtbyQMqVAHVn+ijT4WKb7gDfcL/w/MZaq5XOa0
9zyoTa7y7ttC3AqzDWlfOEK9TC+ysKB6LgTwktNS3u0Msh2DYNqLsyN+ktDyb27F
YzT4Wu5ZoYcCkgNwvAyU2hPfYzv66mQo1I0BXKYaiQg
-> ssh-ed25519 YFSOsg BJMjSn6gwtaOheT9Fnes45QZ5BSBGnhhGTPFO5DJIU0
cyhAM4/waWjH/N6WWy/8w4M4PQt+QzpgMy+7M5DBTj0
-> ssh-ed25519 iHV63A JTvN/gJpphteU1WpESnZ9iTeePj986kuYxI2poVYdxc
kJCBRrqzEW7c/Y6HiiJLmBzlsBtvZsK++NsEVoZHScs
-> ssh-ed25519 BVsyTA 9cJBL0f0XAQWat68M3mMVSAKpnKNNzAqAmcuQ8fJiic
TSA6SRwonr8e1kMrGyf89F/TPmU2S1SmOlH2KbJmFTc
-> *OkMh]47-grease ,|3o ^Ai N WuMh
YpKgkp1VxwVinaiFO0pFDw
--- 4278uiwRYOTQM1T7Cs/1Hzn3AiRkyvXuqtE+9wyfD+A
Õ<C4lûU÷tOXÍLºið•Ö´¿¶8x<1A>Ö˜ <0A>|PY•w<E280A2>nt-ÇËnªÅ®u™™zôg¤øuHpq½j™

View file

@ -0,0 +1,28 @@
age-encryption.org/v1
-> ssh-ed25519 iDKjwg MGfeCP81T9itCIgFoOcDoJfLtvfOb1dEtx4SjRfQMDU
QJcTZDMx6qZfTtQxRpDAb5oA7PWqAgVDiZ5m9PeD3OU
-> ssh-ed25519 uYcDNw 3uX4IxJVdepJ/258XhKUEOeX00nbKQ3+8WskCE/Oex0
WaTAvd0zrcyFFwz7QWwaEsBrtp08g3wbANJvoL+hkfc
-> ssh-rsa kFDS0A
kgdsJuX6ZiMPJx5OjJuu0pjLqIr7vmw6SSRAWVR2RgxUbZ2L0khOUCOSbeHExpju
RtadRLVKgxGkGAYqaivcUj0fu71RbxAfsCkY6hwrXGAwWLLcviTeZpRJUcVWWdkW
DkZKVukqq2XeB33CqVcTanEVgTmwfuASVb5WL/FBrDpITV0oTcyJB5k57Qor7utC
9PBYJmkq8ZDbpcZQM210XYCJdOhK4J4j0Rbq3Er6a9mlxVWuGUiBUUXluwDBN7iG
sEha1Y6GvWfaqy3Y0Y+XxkNx3KsRnRvT3h9lmCM/RVaIGIeOTgF/ZRSKoUuMZ9nY
+XCXTGOhUZZBb/d0Edh+0EF7JCNOHA0Uygu+8RjxxNTMxLDV2eR5N+yYH4tbPuQj
QI3Wo8H5iDwwCnyDwmXwkRWd9aEhfG16S3NqbyCfEA/xIUgQnIEx7DEjLJwDrb4v
IVL6cxqSU/GCV2x7HyHf4syZBSQ6oC2Cy5sEJ5WV1m7+S35Vh5UQcxh+oNk1Gxji
Y6yhem70RFLauzxldNcpI/xKTsj+mfrI21+fb6InVSHzlME0ggcMdz5mp799TEeg
GYO+lIlfKIPWcQYI6Ci+Qbs1bGZ8kJy82C6arW6rooPQTdqnOgJE++1lj9dZO6bx
W9oEdGnkIN/QH8RWVLi9bgznVmlzLLpYqM/d+bpEA+k
-> ssh-ed25519 YFSOsg ccuBr0eGaJ/t2lWMhKNP/c2TtpmGYaenxQSQI9DJv3c
uLGi3j4gt5xRj3MOsLUjkkA9dCS12feyLQf1YZtDvgg
-> ssh-ed25519 iHV63A GHevWTk7/M0TtlIo/uZnCn84jq9I2jP9ehkt6PxRgEc
nF5O/yCV/3zduBtGw6VbwPS2jFHJlUgHiSytDOPSzaU
-> ssh-ed25519 BVsyTA Tw/06YNSoYYlrtfocjh0pitrWJc8zNAr8RLc42mMjWI
RaA9t5VwYWYHFquZuXmNrGVkdDOJDh3dgVG+31UxhM8
-> %zh9-grease 6 rETV7H
1TID2TYG2RCwwRws8vOvdfDM0zQcqRTDqfJbZsbOAiZQnOU3Lt8g+rwcSgOB7kX4
lx5lPRHxCa+86NljA+tW5l5u1JZurA
--- wBDm8U0KDrRkdoeUfQq0Zk81611Im9hlSo96NE4FB9w
È•<EFBFBD>µ7ø¨]åD¼ÑžÜ³ïD[DCàÙá±Ë «JØJrE+Ý¿pàÙè3xát¼JªLÓ²©ƒ1

View file

@ -54,4 +54,9 @@ in {
"drone-db-secrets.age".publicKeys = flora6Keys ++ baseKeys;
"drone-secrets.age".publicKeys = flora6Keys ++ baseKeys;
"mediawiki-database-password.age".publicKeys = nachtigallKeys ++ baseKeys;
"mediawiki-admin-password.age".publicKeys = nachtigallKeys ++ baseKeys;
"mediawiki-oidc-client-secret.age".publicKeys = nachtigallKeys ++ baseKeys;
"mediawiki-secret-key.age".publicKeys = nachtigallKeys ++ baseKeys;
}

View file

@ -118,6 +118,11 @@ resource "namecheap_domain_records" "pub-solar" {
type = "CNAME"
address = "nachtigall.pub.solar."
}
record {
hostname = "wiki"
type = "CNAME"
address = "nachtigall.pub.solar."
}
record {
hostname = "mastodon"
type = "CNAME"