feat: diesdasnotworkingananas
Some checks failed
Flake checks / Check (push) Failing after 13s

Benjamin Bädorf 2023-11-07 01:35:25 +01:00
parent 765cccd2ad
commit 77a2c2a1f1
No known key found for this signature in database
GPG key ID: 4406E80E13CD656C
3 changed files with 45 additions and 15 deletions


@ -50,12 +50,12 @@
$wgEmailAuthentication = true;
## Database settings
$wgDBtype = "mysql";
$wgDBserver = "mediawiki-db";
$wgDBport = "3306";
$wgDBtype = "postgres";
$wgDBserver = "host.docker.internal";
$wgDBport = "5432";
$wgDBname = "mediawiki";
$wgDBuser = "mediawiki";
$wgDBpassword = file_get_contents("/run/agenix/mediawiki-database-password");
$wgDBpassword = trim(file_get_contents("/run/mediawiki/database-password"));
## Shared memory settings
$wgMainCacheType = CACHE_NONE;
@ -84,7 +84,7 @@
# Site language code, should be one of the list in ./languages/data/Names.php
$wgLanguageCode = "en";
$wgSecretKey = file_get_contents("/run/agenix/mediawiki-secret-key");
$wgSecretKey = trim(file_get_contents("/run/mediawiki/secret-key"));
# Changing this will log out all existing sessions.
$wgAuthenticationTokenVersion = "";
@ -132,29 +132,47 @@
'data' => [
'providerURL' => 'https://auth.pub.solar/realms/pub.solar',
'clientID' => 'mediawiki',
'clientsecret' => readfile('/run/agenix/mediawiki-oidc-client-secret')
'clientsecret' => trim(file_get_contents('/run/mediawiki/oidc-client-secret'))
]
];
$wgOpenIDConnect_SingleLogout = true;
$wgOpenIDConnect_MigrateUsersByEmail = true;
'';
uid = 986;
gid = 984;
in {
age.secrets.mediawiki-database-password = {
file = "${flake.self}/secrets/mediawiki-database-password.age";
mode = "600";
path = "/run/mediawiki/database-password";
symlink = false;
mode = "440";
owner = "mediawiki";
group = "mediawiki";
};
age.secrets.mediawiki-oidc-client-secret = {
file = "${flake.self}/secrets/mediawiki-oidc-client-secret.age";
mode = "600";
path = "/run/mediawiki/oidc-client-secret";
symlink = false;
mode = "440";
owner = "mediawiki";
group = "mediawiki";
};
age.secrets.mediawiki-secret-key = {
file = "${flake.self}/secrets/mediawiki-secret-key.age";
mode = "600";
path = "/run/mediawiki/secret-key";
symlink = false;
mode = "440";
owner = "mediawiki";
group = "mediawiki";
};
services.postgresql = {
authentication = ''
host mediawiki all 172.17.0.0/16 password
'';
};
services.nginx.virtualHosts."wiki.pub.solar" = {
@ -164,23 +182,33 @@ in {
locations."/".proxyPass = "http://127.0.0.1:8293";
};
users.users.mediawiki = {
isSystemUser = true;
group = "mediawiki";
inherit uid;
};
users.groups.mediawiki = { inherit gid; };
virtualisation = {
oci-containers = {
backend = "docker";
containers."mediawiki" = {
image = "git.pub.solar/pub-solar/mediawiki-oidc-docker";
user = "${builtins.toString config.users.users.mediawiki.uid}:www-data";
image = "git.pub.solar/pub-solar/mediawiki-oidc-docker:latest";
user = "1000:${builtins.toString gid}";
autoStart = true;
ports = [
"127.0.0.1:8293:80"
];
extraOptions = [
"--add-host=host.docker.internal:host-gateway"
"--pull=always"
];
volumes = [
"/run/agenix/mediawiki-database-password:/run/agenix/mediawiki-database-password"
"/run/agenix/mediawiki-oidc-client-secret:/run/agenix/mediawiki-oidc-client-secret"
"/run/agenix/mediawiki-secret-key:/run/agenix/mediawiki-secret-key"
"/run/mediawiki:/run/mediawiki"
"/var/lib/mediawiki/images:/var/www/html/images"
"/var/lib/mediawiki/uploads:/var/www/html/uploads"
"/var/lib/mediawiki/logs:/var/log/mediawiki"
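Review bot: The new `services.postgresql.authentication` entry, `host mediawiki all 172.17.0.0/16 password`, admits every database role from the whole Docker bridge subnet and uses the `password` method, which sends the password over the connection in clear text. Since only the MediaWiki container is meant to connect, I would restrict it to that role and a hashed exchange: `host mediawiki mediawiki 172.17.0.0/16 scram-sha-256`. That presumably requires the role's password to be stored as a SCRAM verifier, which is not visible in this section. A short comment above the rule saying that 172.17.0.0/16 is the default `docker0` range would also help the next reader.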


@ -6,4 +6,6 @@
'';
storageDriver = "zfs";
};
networking.firewall.trustedInterfaces = [ "docker0" ];
}
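Review bot: `networking.firewall.trustedInterfaces = [ "docker0" ];` accepts all traffic arriving on the bridge, so every container on the default Docker network can reach every port the host listens on, not only PostgreSQL. If the intent is just to let the MediaWiki container reach the database, a narrower rule such as `networking.firewall.interfaces.docker0.allowedTCPPorts = [ 5432 ];` keeps the other host services filtered. The surrounding attribute set starts outside this hunk, so I cannot see whether other containers share the bridge.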


@ -2,7 +2,7 @@
users.users.${flake.self.username} = {
name = flake.self.username;
group = flake.self.username;
extraGroups = ["wheel"];
extraGroups = ["wheel" "docker"];
isNormalUser = true;
openssh.authorizedKeys.keys = flake.self.publicKeys.admins;
};
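Review bot: Adding `"docker"` to `extraGroups` gives this account root-equivalent control of the host through the Docker socket, with no sudo prompt and no sudo log entry. The user is already in `wheel`, so keeping `extraGroups = ["wheel"];` and running Docker commands through sudo loses nothing and keeps privileged actions behind the existing authentication step. If the group is wanted for convenience, a comment such as `# docker group is root-equivalent; kept for debugging the mediawiki container` would at least make the trade-off explicit.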