perf: 0 perf mediawiki will never run
Some checks failed
Flake checks / Check (push) Failing after 52s

Benjamin Bädorf 2023-10-30 14:54:41 +01:00
parent 04b7041ce0
commit 6b2e8cfae1
No known key found for this signature in database
GPG key ID: 1B7BF5B77A521346
5 changed files with 189 additions and 95 deletions


@ -4,46 +4,141 @@
lib,
pkgs,
...
}: let
OpenIDConnectPHP = pkgs.fetchzip {
url = "https://github.com/jumbojett/OpenID-Connect-PHP/archive/refs/tags/v0.9.10.tar.gz";
sha256 = "sha256-ezAUq/BgA1CITnO/tmUkvro7VRNAstnEdUp9WksOL7w=";
};
}: let
localSettingsPHP = pkgs.writeScript "LocalSettings.php" ''
<?php
# Protect against web entry
if ( !defined( 'MEDIAWIKI' ) ) {
exit;
}
phpseclib = pkgs.fetchzip {
url = "https://github.com/phpseclib/phpseclib/archive/refs/tags/3.0.33.tar.gz";
sha256 = "sha256-d/9Jg1kzhkWwy/YrVq+JbTWplwICqnifMu34ns+JjL4=";
};
error_reporting( -1 );
ini_set( 'display_errors', 1 );
$wgDBerrorLog = '/var/log/mediawiki/dberror.log';
$wgDebugLogFile = "/var/log/mediawiki/debug.log";
$wgShowExceptionDetails = true;
constant_time_encoding = pkgs.fetchzip {
url = "https://github.com/paragonie/constant_time_encoding/archive/refs/tags/v2.6.3.tar.gz";
sha256 = "sha256-S8d2YQIBmC9q2Jscw6XflaxQ4e+XE7ukQDuwXStyKGQ=";
};
$wgSitename = "pub.solar wiki";
$wgMetaNamespace = false;
mediawikiWithComposer = pkgs.stdenv.mkDerivation {
name = "mediawiki-oidc";
src = pkgs.mediawiki;
version = pkgs.mediawiki.version;
## The URL base path to the directory containing the wiki;
## defaults for all runtime URL paths are based off of this.
## For more information on customizing the URLs
## (like /w/index.php/Page_title to /wiki/Page_title) please see:
## https://www.mediawiki.org/wiki/Manual:Short_URL
$wgScriptPath = "https://wiki.pub.solar";
installPhase = ''
mkdir -p $out
cp -r * $out
## The protocol and server name to use in fully-qualified URLs
$wgServer = "https://wiki.pub.solar";
mkdir -p $out/share/mediawiki/vendor/jumbojett
cp -r ${OpenIDConnectPHP} $out/share/mediawiki/vendor/jumbojett/OpenID-Connect-PHP
mkdir -p $out/share/mediawiki/vendor/phpseclib
cp -r ${phpseclib} $out/share/mediawiki/vendor/phpseclib/phpseclib
mkdir -p $out/share/mediawiki/vendor/paragonie
cp -r ${constant_time_encoding} $out/share/mediawiki/vendor/paragonie/constant_time_encoding
'';
};
## The URL path to static resources (images, scripts, etc.)
$wgResourceBasePath = $wgScriptPath;
## The URL path to the logo. Make sure you change this from the default,
## or else you'll overwrite your logo when you upgrade!
$wgLogo = "$wgResourceBasePath/resources/assets/wiki.png";
## UPO means: this is also a user preference option
$wgEnableEmail = true;
$wgEnableUserEmail = true; # UPO
$wgPasswordSender = "admins@pub.solar";
$wgEnotifUserTalk = false; # UPO
$wgEnotifWatchlist = false; # UPO
$wgEmailAuthentication = true;
## Database settings
$wgDBtype = "mysql";
$wgDBserver = "mediawiki-db";
$wgDBport = "3306";
$wgDBname = "mediawiki";
$wgDBuser = "mediawiki";
$wgDBpassword = file_get_contents("/run/agenix/mediawiki-database-password");
## Shared memory settings
$wgMainCacheType = CACHE_NONE;
$wgMemCachedServers = [];
$wgEnableUploads = true;
$wgUploadDirectory = "/var/www/html/uploads";
$wgUseImageMagick = true;
$wgImageMagickConvertCommand = "/usr/bin/convert";
# InstantCommons allows wiki to use images from https://commons.wikimedia.org
$wgUseInstantCommons = false;
# Periodically send a pingback to https://www.mediawiki.org/ with basic data
# about this MediaWiki instance. The Wikimedia Foundation shares this data
# with MediaWiki developers to help guide future development efforts.
$wgPingback = true;
## If you use ImageMagick (or any other shell command) on a
## Linux server, this will need to be set to the name of an
## available UTF-8 locale
$wgShellLocale = "C.UTF-8";
# Site language code, should be one of the list in ./languages/data/Names.php
$wgLanguageCode = "en";
$wgSecretKey = file_get_contents("/run/agenix/mediawiki-secret-key");
# Changing this will log out all existing sessions.
$wgAuthenticationTokenVersion = "";
## For attaching licensing metadata to pages, and displaying an
## appropriate copyright notice / icon. GNU Free Documentation
## License and Creative Commons licenses are supported so far.
$wgRightsPage = ""; # Set to the title of a wiki page that describes your license/copyright
$wgRightsUrl = "";
$wgRightsText = "";
$wgRightsIcon = "";
# Path to the GNU diff3 utility. Used for conflict resolution.
$wgDiff = "/usr/bin/diff";
$wgDiff3 = "/usr/bin/diff3";
# Enabled skins.
wfLoadSkin('MonoBook');
wfLoadSkin('Timeless');
wfLoadSkin('Vector');
# Enabled extensions.
wfLoadExtension('OpenIDConnect');
wfLoadExtension('PluggableAuth');
wfLoadExtension('VisualEditor');
# End of automatically generated settings.
# Add more configuration options below.
// $wgLogos = 'https://pub.solar/assets/pubsolar.svg';
$wgDefaultSkin = 'vector-2022';
// https://www.mediawiki.org/wiki/Extension:PluggableAuth#Installation
$wgGroupPermissions['*']['autocreateaccount'] = true;
// https://www.mediawiki.org/wiki/Extension:PluggableAuth#Configuration
$wgPluggableAuth_EnableAutoLogin = true;
$wgPluggableAuth_ButtonLabel = 'Login with pub.solar ID';
// https://www.mediawiki.org/wiki/Extension:OpenID_Connect#Keycloak
$wgPluggableAuth_Config[] = [
'plugin' => 'OpenIDConnect',
'data' => [
'providerURL' => 'https://auth.pub.solar/realms/pub.solar',
'clientID' => 'mediawiki',
'clientsecret' => readfile('/run/agenix/mediawiki-oidc-client-secret')
]
];
$wgOpenIDConnect_SingleLogout = true;
$wgOpenIDConnect_MigrateUsersByEmail = true;
'';
in {
age.secrets.mediawiki-admin-password = {
file = "${flake.self}/secrets/mediawiki-admin-password.age";
mode = "600";
owner = "mediawiki";
};
age.secrets.mediawiki-database-password = {
file = "${flake.self}/secrets/mediawiki-database-password.age";
mode = "600";
@ -56,6 +151,12 @@ in {
owner = "mediawiki";
};
age.secrets.mediawiki-secret-key = {
file = "${flake.self}/secrets/mediawiki-secret-key.age";
mode = "600";
owner = "mediawiki";
};
services.nginx.virtualHosts."wiki.pub.solar" = {
enableACME = true;
forceSSL = true;
@ -63,69 +164,28 @@ in {
locations."/".proxyPass = "http://127.0.0.1:8293";
};
services.mediawiki = {
enable = true;
url = "https://wiki.pub.solar";
name = "pub.solar wiki";
package = mediawikiWithComposer;
passwordFile = config.age.secrets.mediawiki-admin-password.path;
virtualisation = {
oci-containers = {
backend = "docker";
httpd.virtualHost = {
hostName = "wiki.pub.solar";
adminAddr = "admins@pub.solar";
listen = [{ ip = "127.0.0.1"; port = 8293; }];
};
containers."mediawiki" = {
image = "git.pub.solar/pub-solar/mediawiki-oidc-docker";
user = "${builtins.toString config.users.users.mediawiki.uid}:www-data";
autoStart = true;
database = {
type = "postgres";
user = "mediawiki";
name = "mediawiki";
passwordFile = config.age.secrets.mediawiki-database-password.path;
socket = "/run/postgresql";
createLocally = false;
};
ports = [
"127.0.0.1:8293:80"
];
extraConfig = ''
error_reporting( -1 );
ini_set( 'display_errors', 1 );
$wgDebugLogFile = "/var/log/mediawiki/debug-{$wgDBname}.log";
// $wgLogos = 'https://pub.solar/assets/pubsolar.svg';
$wgDefaultSkin = 'vector-2022';
// https://www.mediawiki.org/wiki/Extension:PluggableAuth#Installation
$wgGroupPermissions['*']['autocreateaccount'] = true;
// https://www.mediawiki.org/wiki/Extension:PluggableAuth#Configuration
$wgPluggableAuth_EnableAutoLogin = true;
$wgPluggableAuth_ButtonLabel = 'Login with pub.solar ID';
// https://www.mediawiki.org/wiki/Extension:OpenID_Connect#Keycloak
$wgPluggableAuth_Config[] = [
'plugin' => 'OpenIDConnect',
'data' => [
'providerURL' => 'https://auth.pub.solar/realms/pub.solar',
'clientID' => 'mediawiki',
'clientsecret' => readfile('${config.age.secrets.mediawiki-oidc-client-secret.path}')
]
];
$wgOpenIDConnect_SingleLogout = true;
$wgOpenIDConnect_MigrateUsersByEmail = true;
'';
extensions = {
# some extensions are included and can enabled by passing null
VisualEditor = null;
PluggableAuth = pkgs.fetchzip {
url = "https://github.com/wikimedia/mediawiki-extensions-PluggableAuth/archive/master.tar.gz";
sha256 = "sha256-S8d2YQIBmC9q2Jscw6XflaxQ4e+XE7ukQDuwXStyKGQ=";
};
OpenIDConnect = pkgs.fetchzip {
url = "https://github.com/wikimedia/mediawiki-extensions-OpenIDConnect/archive/master.tar.gz";
sha256 = "sha256-mFPunUr50tRrEUcqu1p7xWt+eTbvBVamuP34Bhffx+0=";
volumes = [
"/run/agenix/mediawiki-database-password:/run/agenix/mediawiki-database-password"
"/run/agenix/mediawiki-oidc-client-secret:/run/agenix/mediawiki-oidc-client-secret"
"/run/agenix/mediawiki-secret-key:/run/agenix/mediawiki-secret-key"
"/var/lib/mediawiki/images:/var/www/html/images"
"/var/lib/mediawiki/uploads:/var/www/html/uploads"
"/var/lib/mediawiki/logs:/var/log/mediawiki"
"${localSettingsPHP}:/var/www/html/LocalSettings.php"
];
};
};
};
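Review bot: `readfile()` in the `clientsecret` entry of `$wgPluggableAuth_Config` does not return the file's contents: PHP's readfile() writes the file to the output buffer and returns the byte count, so the OIDC client secret is likely emitted into responses while the extension receives an integer. Use `'clientsecret' => trim(file_get_contents('/run/agenix/mediawiki-oidc-client-secret'))`, and consider the same `trim()` for `$wgDBpassword` and `$wgSecretKey` in case the agenix files end in a newline. If this configuration was ever served, the client secret should be rotated at the identity provider. Separately, `ini_set( 'display_errors', 1 )` and `$wgShowExceptionDetails = true` at the top of LocalSettings.php expose stack traces and paths to any visitor of the public vhost, so they are better dropped or gated before this goes live. The container `image` is also referenced without a tag or digest, unlike the hash-pinned `fetchzip` sources it replaces.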


@ -1,7 +1,11 @@
{ ... }:
{
services.postgresql.enable = true;
services.postgresql = {
enable = true;
enableTCPIP = true;
};
systemd.services.postgresql = {
after = [
"var-lib-postgresql.mount"
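Review bot: `enableTCPIP = true` makes PostgreSQL listen on every interface of the host, and nothing in this hunk limits who can reach or authenticate against it. If the listener is only meant for the MediaWiki container, restrict it with a `services.postgresql.authentication` entry scoped to the container bridge subnet and keep port 5432 closed in the host firewall; a comment such as `# TCP only for the mediawiki container; access limited via pg_hba and firewall` would record the intent. The generated LocalSettings.php in this commit sets `$wgDBtype = "mysql"` with server `mediawiki-db`, so it is not evident from the diff that the TCP listener is needed at all. The attribute set continues past the end of the hunk.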


@ -9,6 +9,7 @@
nixpkgs.overlays = [
(final: prev: {
mastodon = inputs.mastodon-fork.legacyPackages.${prev.system}.mastodon;
mediawiki = inputs.unstable.legacyPackages.${prev.system}.mediawiki;
})
];
});
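Review bot: The added `mediawiki = inputs.unstable...` overlay entry looks unused after this commit, since the wiki module's new side runs the `mediawiki-oidc-docker` container and no longer references `pkgs.mediawiki`. If nothing else consumes it, dropping the line avoids pulling an unstable-channel package into the system closure; otherwise add a comment like `# needed by <consumer>: newer MediaWiki than stable` stating why. This is inferred from the visible hunks only.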


@ -0,0 +1,28 @@
age-encryption.org/v1
-> ssh-ed25519 iDKjwg MGfeCP81T9itCIgFoOcDoJfLtvfOb1dEtx4SjRfQMDU
QJcTZDMx6qZfTtQxRpDAb5oA7PWqAgVDiZ5m9PeD3OU
-> ssh-ed25519 uYcDNw 3uX4IxJVdepJ/258XhKUEOeX00nbKQ3+8WskCE/Oex0
WaTAvd0zrcyFFwz7QWwaEsBrtp08g3wbANJvoL+hkfc
-> ssh-rsa kFDS0A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-> ssh-ed25519 YFSOsg ccuBr0eGaJ/t2lWMhKNP/c2TtpmGYaenxQSQI9DJv3c
uLGi3j4gt5xRj3MOsLUjkkA9dCS12feyLQf1YZtDvgg
-> ssh-ed25519 iHV63A GHevWTk7/M0TtlIo/uZnCn84jq9I2jP9ehkt6PxRgEc
nF5O/yCV/3zduBtGw6VbwPS2jFHJlUgHiSytDOPSzaU
-> ssh-ed25519 BVsyTA Tw/06YNSoYYlrtfocjh0pitrWJc8zNAr8RLc42mMjWI
RaA9t5VwYWYHFquZuXmNrGVkdDOJDh3dgVG+31UxhM8
-> %zh9-grease 6 rETV7H
1TID2TYG2RCwwRws8vOvdfDM0zQcqRTDqfJbZsbOAiZQnOU3Lt8g+rwcSgOB7kX4
lx5lPRHxCa+86NljA+tW5l5u1JZurA
--- wBDm8U0KDrRkdoeUfQq0Zk81611Im9hlSo96NE4FB9w
È•<EFBFBD>µ7ø¨]åD¼ÑžÜ³ïD[DCàÙá±Ë «JØJrE+Ý¿pàÙè3xát¼JªLÓ²©ƒ1


@ -44,4 +44,5 @@ in {
"mediawiki-database-password.age".publicKeys = nachtigallKeys ++ baseKeys;
"mediawiki-admin-password.age".publicKeys = nachtigallKeys ++ baseKeys;
"mediawiki-oidc-client-secret.age".publicKeys = nachtigallKeys ++ baseKeys;
"mediawiki-secret-key.age".publicKeys = nachtigallKeys ++ baseKeys;
}