perf: 0 perf mediawiki will never run

2023-10-30 14:54:41 +01:00 · 2023-10-30 14:54:41 +01:00 · 6b2e8cfae1
parent 04b7041ce0
commit 6b2e8cfae1
5 changed files with 189 additions and 95 deletions
--- a/hosts/nachtigall/apps/mediawiki.nix
+++ b/hosts/nachtigall/apps/mediawiki.nix
@ -4,46 +4,141 @@
  lib,
  pkgs,
  ...
-}: let
+}: let 
-  OpenIDConnectPHP = pkgs.fetchzip {
+  localSettingsPHP = pkgs.writeScript "LocalSettings.php" ''
-    url = "https://github.com/jumbojett/OpenID-Connect-PHP/archive/refs/tags/v0.9.10.tar.gz";
+<?php
-    sha256 = "sha256-ezAUq/BgA1CITnO/tmUkvro7VRNAstnEdUp9WksOL7w=";
+  # Protect against web entry
-  };
+  if ( !defined( 'MEDIAWIKI' ) ) {
    exit;
  }
-  phpseclib = pkgs.fetchzip {
+  error_reporting( -1 );
-    url = "https://github.com/phpseclib/phpseclib/archive/refs/tags/3.0.33.tar.gz";
+  ini_set( 'display_errors', 1 );
-    sha256 = "sha256-d/9Jg1kzhkWwy/YrVq+JbTWplwICqnifMu34ns+JjL4=";
+  $wgDBerrorLog = '/var/log/mediawiki/dberror.log';
-  };
+  $wgDebugLogFile = "/var/log/mediawiki/debug.log";
  $wgShowExceptionDetails = true;
-  constant_time_encoding = pkgs.fetchzip {
+  $wgSitename = "pub.solar wiki";
-    url = "https://github.com/paragonie/constant_time_encoding/archive/refs/tags/v2.6.3.tar.gz";
+  $wgMetaNamespace = false;
    sha256 = "sha256-S8d2YQIBmC9q2Jscw6XflaxQ4e+XE7ukQDuwXStyKGQ=";
  };
-  mediawikiWithComposer = pkgs.stdenv.mkDerivation {
+  ## The URL base path to the directory containing the wiki;
-    name = "mediawiki-oidc";
+  ## defaults for all runtime URL paths are based off of this.
-    src = pkgs.mediawiki;
+  ## For more information on customizing the URLs
-    version = pkgs.mediawiki.version;
+  ## (like /w/index.php/Page_title to /wiki/Page_title) please see:
  ## https://www.mediawiki.org/wiki/Manual:Short_URL
  $wgScriptPath = "https://wiki.pub.solar";
-    installPhase = ''
+  ## The protocol and server name to use in fully-qualified URLs
-      mkdir -p $out
+  $wgServer = "https://wiki.pub.solar";
      cp -r * $out
-      mkdir -p $out/share/mediawiki/vendor/jumbojett
+  ## The URL path to static resources (images, scripts, etc.)
-      cp -r ${OpenIDConnectPHP} $out/share/mediawiki/vendor/jumbojett/OpenID-Connect-PHP
+  $wgResourceBasePath = $wgScriptPath;
-      mkdir -p $out/share/mediawiki/vendor/phpseclib
+
-      cp -r ${phpseclib} $out/share/mediawiki/vendor/phpseclib/phpseclib
+  ## The URL path to the logo.  Make sure you change this from the default,
-      mkdir -p $out/share/mediawiki/vendor/paragonie
+  ## or else you'll overwrite your logo when you upgrade!
-      cp -r ${constant_time_encoding} $out/share/mediawiki/vendor/paragonie/constant_time_encoding
+  $wgLogo = "$wgResourceBasePath/resources/assets/wiki.png";
-    '';
+
-  };
+  ## UPO means: this is also a user preference option
  $wgEnableEmail = true;
  $wgEnableUserEmail = true; # UPO
  $wgPasswordSender = "admins@pub.solar";
  $wgEnotifUserTalk = false; # UPO
  $wgEnotifWatchlist = false; # UPO
  $wgEmailAuthentication = true;
  ## Database settings
  $wgDBtype = "mysql";
  $wgDBserver = "mediawiki-db";
  $wgDBport = "3306";
  $wgDBname = "mediawiki";
  $wgDBuser = "mediawiki";
  $wgDBpassword = file_get_contents("/run/agenix/mediawiki-database-password");
  ## Shared memory settings
  $wgMainCacheType = CACHE_NONE;
  $wgMemCachedServers = [];
  $wgEnableUploads = true;
  $wgUploadDirectory = "/var/www/html/uploads";
  $wgUseImageMagick = true;
  $wgImageMagickConvertCommand = "/usr/bin/convert";
  # InstantCommons allows wiki to use images from https://commons.wikimedia.org
  $wgUseInstantCommons = false;
  # Periodically send a pingback to https://www.mediawiki.org/ with basic data
  # about this MediaWiki instance. The Wikimedia Foundation shares this data
  # with MediaWiki developers to help guide future development efforts.
  $wgPingback = true;
  ## If you use ImageMagick (or any other shell command) on a
  ## Linux server, this will need to be set to the name of an
  ## available UTF-8 locale
  $wgShellLocale = "C.UTF-8";
  # Site language code, should be one of the list in ./languages/data/Names.php
  $wgLanguageCode = "en";
  $wgSecretKey = file_get_contents("/run/agenix/mediawiki-secret-key");
  # Changing this will log out all existing sessions.
  $wgAuthenticationTokenVersion = "";
  ## For attaching licensing metadata to pages, and displaying an
  ## appropriate copyright notice / icon. GNU Free Documentation
  ## License and Creative Commons licenses are supported so far.
  $wgRightsPage = ""; # Set to the title of a wiki page that describes your license/copyright
  $wgRightsUrl = "";
  $wgRightsText = "";
  $wgRightsIcon = "";
  # Path to the GNU diff3 utility. Used for conflict resolution.
  $wgDiff = "/usr/bin/diff";
  $wgDiff3 = "/usr/bin/diff3";
  # Enabled skins.
  wfLoadSkin('MonoBook');
  wfLoadSkin('Timeless');
  wfLoadSkin('Vector');
  # Enabled extensions.
  wfLoadExtension('OpenIDConnect');
  wfLoadExtension('PluggableAuth');
  wfLoadExtension('VisualEditor');
  # End of automatically generated settings.
  # Add more configuration options below.
  // $wgLogos = 'https://pub.solar/assets/pubsolar.svg';
  $wgDefaultSkin = 'vector-2022';
  // https://www.mediawiki.org/wiki/Extension:PluggableAuth#Installation
  $wgGroupPermissions['*']['autocreateaccount'] = true;
  // https://www.mediawiki.org/wiki/Extension:PluggableAuth#Configuration
  $wgPluggableAuth_EnableAutoLogin = true;
  $wgPluggableAuth_ButtonLabel = 'Login with pub.solar ID';
  // https://www.mediawiki.org/wiki/Extension:OpenID_Connect#Keycloak
  $wgPluggableAuth_Config[] = [
      'plugin' => 'OpenIDConnect',
      'data' => [
          'providerURL' => 'https://auth.pub.solar/realms/pub.solar',
          'clientID' => 'mediawiki',
          'clientsecret' => readfile('/run/agenix/mediawiki-oidc-client-secret')
      ]
  ];
  $wgOpenIDConnect_SingleLogout = true;
  $wgOpenIDConnect_MigrateUsersByEmail = true;
  '';
 in {
  age.secrets.mediawiki-admin-password = {
    file = "${flake.self}/secrets/mediawiki-admin-password.age";
    mode = "600";
    owner = "mediawiki";
  };
  age.secrets.mediawiki-database-password = {
    file = "${flake.self}/secrets/mediawiki-database-password.age";
    mode = "600";
@ -56,6 +151,12 @@ in {
    owner = "mediawiki";
  };
  age.secrets.mediawiki-secret-key = {
    file = "${flake.self}/secrets/mediawiki-secret-key.age";
    mode = "600";
    owner = "mediawiki";
  };
  services.nginx.virtualHosts."wiki.pub.solar" = {
    enableACME = true;
    forceSSL = true;
@ -63,69 +164,28 @@ in {
    locations."/".proxyPass = "http://127.0.0.1:8293";
  };
-  services.mediawiki = {
+  virtualisation = {
-    enable = true;
+    oci-containers = {
-    url = "https://wiki.pub.solar";
+      backend = "docker";
    name = "pub.solar wiki";
    package = mediawikiWithComposer;
    passwordFile = config.age.secrets.mediawiki-admin-password.path;
-    httpd.virtualHost = {
+      containers."mediawiki" = {
-      hostName = "wiki.pub.solar";
+        image = "git.pub.solar/pub-solar/mediawiki-oidc-docker";
-      adminAddr = "admins@pub.solar";
+        user = "${builtins.toString config.users.users.mediawiki.uid}:www-data";
-      listen = [{ ip = "127.0.0.1"; port = 8293; }];
+        autoStart = true;
    };
-    database = {
+        ports = [
-      type = "postgres";
+          "127.0.0.1:8293:80"
-      user = "mediawiki";
+        ];
      name = "mediawiki";
      passwordFile = config.age.secrets.mediawiki-database-password.path;
      socket = "/run/postgresql";
      createLocally = false;
    };
-    extraConfig = ''
+        volumes = [
-      error_reporting( -1 );
+          "/run/agenix/mediawiki-database-password:/run/agenix/mediawiki-database-password"
-      ini_set( 'display_errors', 1 );
+          "/run/agenix/mediawiki-oidc-client-secret:/run/agenix/mediawiki-oidc-client-secret"
-      $wgDebugLogFile = "/var/log/mediawiki/debug-{$wgDBname}.log";
+          "/run/agenix/mediawiki-secret-key:/run/agenix/mediawiki-secret-key"
-
+          "/var/lib/mediawiki/images:/var/www/html/images"
-      // $wgLogos = 'https://pub.solar/assets/pubsolar.svg';
+          "/var/lib/mediawiki/uploads:/var/www/html/uploads"
-
+          "/var/lib/mediawiki/logs:/var/log/mediawiki"
-      $wgDefaultSkin = 'vector-2022'; 
+          "${localSettingsPHP}:/var/www/html/LocalSettings.php"
-
+        ];
      // https://www.mediawiki.org/wiki/Extension:PluggableAuth#Installation
      $wgGroupPermissions['*']['autocreateaccount'] = true;
      // https://www.mediawiki.org/wiki/Extension:PluggableAuth#Configuration
      $wgPluggableAuth_EnableAutoLogin = true;
      $wgPluggableAuth_ButtonLabel = 'Login with pub.solar ID';
      // https://www.mediawiki.org/wiki/Extension:OpenID_Connect#Keycloak
      $wgPluggableAuth_Config[] = [
          'plugin' => 'OpenIDConnect',
          'data' => [
              'providerURL' => 'https://auth.pub.solar/realms/pub.solar',
              'clientID' => 'mediawiki',
              'clientsecret' => readfile('${config.age.secrets.mediawiki-oidc-client-secret.path}')
          ]
      ];
      $wgOpenIDConnect_SingleLogout = true;
      $wgOpenIDConnect_MigrateUsersByEmail = true;
    '';
    extensions = {
      # some extensions are included and can enabled by passing null
      VisualEditor = null;
      PluggableAuth = pkgs.fetchzip {
        url = "https://github.com/wikimedia/mediawiki-extensions-PluggableAuth/archive/master.tar.gz";
        sha256 = "sha256-S8d2YQIBmC9q2Jscw6XflaxQ4e+XE7ukQDuwXStyKGQ=";
      };
      OpenIDConnect = pkgs.fetchzip {
        url = "https://github.com/wikimedia/mediawiki-extensions-OpenIDConnect/archive/master.tar.gz";
        sha256 = "sha256-mFPunUr50tRrEUcqu1p7xWt+eTbvBVamuP34Bhffx+0=";
      };
    };
  };
--- a/hosts/nachtigall/apps/postgresql.nix
+++ b/hosts/nachtigall/apps/postgresql.nix
@ -1,7 +1,11 @@
 { ... }:
 {
-  services.postgresql.enable = true;
+  services.postgresql = {
    enable = true;
    enableTCPIP = true;
  };
  systemd.services.postgresql = {
    after = [
      "var-lib-postgresql.mount"
--- a/overlays/default.nix
+++ b/overlays/default.nix
@ -9,6 +9,7 @@
        nixpkgs.overlays = [
          (final: prev: {
            mastodon = inputs.mastodon-fork.legacyPackages.${prev.system}.mastodon;
            mediawiki = inputs.unstable.legacyPackages.${prev.system}.mediawiki;
          })
        ];
      });
--- a/secrets/mediawiki-secret-key.age
+++ b/secrets/mediawiki-secret-key.age
@ -0,0 +1,28 @@
 age-encryption.org/v1
 -> ssh-ed25519 iDKjwg MGfeCP81T9itCIgFoOcDoJfLtvfOb1dEtx4SjRfQMDU
 QJcTZDMx6qZfTtQxRpDAb5oA7PWqAgVDiZ5m9PeD3OU
 -> ssh-ed25519 uYcDNw 3uX4IxJVdepJ/258XhKUEOeX00nbKQ3+8WskCE/Oex0
 WaTAvd0zrcyFFwz7QWwaEsBrtp08g3wbANJvoL+hkfc
 -> ssh-rsa kFDS0A
 kgdsJuX6ZiMPJx5OjJuu0pjLqIr7vmw6SSRAWVR2RgxUbZ2L0khOUCOSbeHExpju
 RtadRLVKgxGkGAYqaivcUj0fu71RbxAfsCkY6hwrXGAwWLLcviTeZpRJUcVWWdkW
 DkZKVukqq2XeB33CqVcTanEVgTmwfuASVb5WL/FBrDpITV0oTcyJB5k57Qor7utC
 9PBYJmkq8ZDbpcZQM210XYCJdOhK4J4j0Rbq3Er6a9mlxVWuGUiBUUXluwDBN7iG
 sEha1Y6GvWfaqy3Y0Y+XxkNx3KsRnRvT3h9lmCM/RVaIGIeOTgF/ZRSKoUuMZ9nY
 +XCXTGOhUZZBb/d0Edh+0EF7JCNOHA0Uygu+8RjxxNTMxLDV2eR5N+yYH4tbPuQj
 QI3Wo8H5iDwwCnyDwmXwkRWd9aEhfG16S3NqbyCfEA/xIUgQnIEx7DEjLJwDrb4v
 IVL6cxqSU/GCV2x7HyHf4syZBSQ6oC2Cy5sEJ5WV1m7+S35Vh5UQcxh+oNk1Gxji
 Y6yhem70RFLauzxldNcpI/xKTsj+mfrI21+fb6InVSHzlME0ggcMdz5mp799TEeg
 GYO+lIlfKIPWcQYI6Ci+Qbs1bGZ8kJy82C6arW6rooPQTdqnOgJE++1lj9dZO6bx
 W9oEdGnkIN/QH8RWVLi9bgznVmlzLLpYqM/d+bpEA+k
 -> ssh-ed25519 YFSOsg ccuBr0eGaJ/t2lWMhKNP/c2TtpmGYaenxQSQI9DJv3c
 uLGi3j4gt5xRj3MOsLUjkkA9dCS12feyLQf1YZtDvgg
 -> ssh-ed25519 iHV63A GHevWTk7/M0TtlIo/uZnCn84jq9I2jP9ehkt6PxRgEc
 nF5O/yCV/3zduBtGw6VbwPS2jFHJlUgHiSytDOPSzaU
 -> ssh-ed25519 BVsyTA Tw/06YNSoYYlrtfocjh0pitrWJc8zNAr8RLc42mMjWI
 RaA9t5VwYWYHFquZuXmNrGVkdDOJDh3dgVG+31UxhM8
 -> %zh9-grease 6 rETV7H
 1TID2TYG2RCwwRws8vOvdfDM0zQcqRTDqfJbZsbOAiZQnOU3Lt8g+rwcSgOB7kX4
 lx5lPRHxCa+86NljA+tW5l5u1JZurA
 --- wBDm8U0KDrRkdoeUfQq0Zk81611Im9hlSo96NE4FB9w
 È•<EFBFBD>µ7ø¨]åDB³¼ÑžÜ³ïD[DCàÙá±Ë«JØJrE+Ý¿‚pàÙè3xát¼JªLÓ²©ƒ1
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -44,4 +44,5 @@ in {
  "mediawiki-database-password.age".publicKeys = nachtigallKeys ++ baseKeys;
  "mediawiki-admin-password.age".publicKeys = nachtigallKeys ++ baseKeys;
  "mediawiki-oidc-client-secret.age".publicKeys = nachtigallKeys ++ baseKeys;
  "mediawiki-secret-key.age".publicKeys = nachtigallKeys ++ baseKeys;
 }