From 8509611e9d797813e5d41cd8ee605555dd92d956 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Benjamin=20B=C3=A4dorf?=
Date: Mon, 30 Oct 2023 01:40:52 +0100
Subject: [PATCH] feat: add mediawiki
---
 hosts/nachtigall/apps/mediawiki.nix | 121 +++++++++++++++++++++++
 hosts/nachtigall/apps/searx.nix | 2 +-
 hosts/nachtigall/default.nix | 1 +
 secrets/mediawiki-admin-password.age | 27 +++++
 secrets/mediawiki-database-password.age | 28 ++++++
 secrets/mediawiki-oidc-client-secret.age | 28 ++++++
 secrets/secrets.nix | 4 +
 7 files changed, 210 insertions(+), 1 deletion(-)
 create mode 100644 hosts/nachtigall/apps/mediawiki.nix
 create mode 100644 secrets/mediawiki-admin-password.age
 create mode 100644 secrets/mediawiki-database-password.age
 create mode 100644 secrets/mediawiki-oidc-client-secret.age
diff --git a/hosts/nachtigall/apps/mediawiki.nix b/hosts/nachtigall/apps/mediawiki.nix
new file mode 100644
index 0000000..91332c0
--- /dev/null
+++ b/hosts/nachtigall/apps/mediawiki.nix
@@ -0,0 +1,121 @@
+{
+ flake,
+ config,
+ lib,
+ pkgs,
+ ...
+}: let
+ OpenIDConnectPHP = pkgs.fetchzip {
+ url = "https://github.com/jumbojett/OpenID-Connect-PHP/archive/refs/tags/v0.9.10.tar.gz";
+ sha256 = "sha256-ezAUq/BgA1CITnO/tmUkvro7VRNAstnEdUp9WksOL7w=";
+ };
+
+ phpseclib = pkgs.fetchzip {
+ url = "https://github.com/phpseclib/phpseclib/archive/refs/tags/3.0.33.tar.gz";
+ sha256 = "sha256-d/9Jg1kzhkWwy/YrVq+JbTWplwICqnifMu34ns+JjL4=";
+ };
+
+ constant_time_encoding = pkgs.fetchzip {
+ url = "https://github.com/paragonie/constant_time_encoding/archive/refs/tags/v2.6.3.tar.gz";
+ sha256 = "sha256-S8d2YQIBmC9q2Jscw6XflaxQ4e+XE7ukQDuwXStyKGQ=";
+ };
+
+ mediawikiWithComposer = pkgs.stdenv.mkDerivation {
+ name = "mediawiki-oidc";
+ src = pkgs.mediawiki;
+ version = pkgs.mediawiki.version;
+
+ installPhase = ''
+ mkdir -p $out/share/mediawiki/vendor/jumbojett
+ cp -r ${OpenIDConnectPHP} $out/share/mediawiki/vendor/jumbojett/OpenID-Connect-PHP
+ mkdir -p $out/share/mediawiki/vendor/phpseclib
+ cp -r ${phpseclib} $out/share/mediawiki/vendor/phpseclib/phpseclib
+ mkdir -p $out/share/mediawiki/vendor/paragonie
+ cp -r ${constant_time_encoding} $out/share/mediawiki/vendor/paragonie/constant_time_encoding
+ '';
+ };
+in {
+ age.secrets.mediawiki-admin-password = {
+ file = "${flake.self}/secrets/mediawiki-admin-password.age";
+ mode = "600";
+ };
+
+ age.secrets.mediawiki-database-password = {
+ file = "${flake.self}/secrets/mediawiki-database-password.age";
+ mode = "600";
+ };
+
+ age.secrets.mediawiki-oidc-client-secret = {
+ file = "${flake.self}/secrets/mediawiki-oidc-client-secret.age";
+ mode = "600";
+ };
+
+ services.nginx.virtualHosts."wiki.pub.solar" = {
+ enableACME = true;
+ forceSSL = true;
+
+ locations."/".extraConfig = ''
+ uwsgi_pass unix:/run/searx/searx.sock;
+ '';
+ };
+
+ users.users.nginx.extraGroups = [ "searx" ];
+
+ services.mediawiki = {
+ enable = true;
+ url = "https://wiki.pub.solar";
+ name = "pub.solar wiki";
+ package = mediawikiWithComposer;
+ passwordFile = config.age.secrets.mediawiki-admin-password.path;
+
+ httpd.virtualHost = {
+ hostName = "wiki.pub.solar";
+ adminAddr = "admins@pub.solar";
+ };
+
+ database = {
+ type = "postgres";
+ user = "mediawiki";
+ name = "mediawiki";
+ passwordFile = config.age.secrets.mediawiki-database-password.path;
+ socket = "/run/mysqld/mysqld.sock";
+ createLocally = false;
+ };
+
+ extraConfig = ''
+ // https://www.mediawiki.org/wiki/Extension:PluggableAuth#Installation
+ $wgGroupPermissions['*']['autocreateaccount'] = true;
+
+ // https://www.mediawiki.org/wiki/Extension:PluggableAuth#Configuration
+ $wgPluggableAuth_EnableAutoLogin = true;
+ $wgPluggableAuth_ButtonLabel = 'Login with pub.solar ID';
+
+ // https://www.mediawiki.org/wiki/Extension:OpenID_Connect#Keycloak
+ $wgPluggableAuth_Config[] = [
+ 'plugin' => 'OpenIDConnect',
+ 'data' => [
+ 'providerURL' => 'https://auth.pub.solar/realms/pub.solar',
+ 'clientID' => 'mediawiki',
+ 'clientsecret' => readfile(${config.age.secrets.mediawiki-oidc-client-secret.path})
+ ]
+ ];
+ $wgOpenIDConnect_SingleLogout = true;
+ $wgOpenIDConnect_MigrateUsersByEmail = true;
+ '';
+
+ extensions = {
+ # some extensions are included and can enabled by passing null
+ VisualEditor = null;
+
+ PluggableAuth = pkgs.fetchzip {
+ url = "https://github.com/wikimedia/mediawiki-extensions-PluggableAuth/archive/master.tar.gz";
+ sha256 = "sha256-S8d2YQIBmC9q2Jscw6XflaxQ4e+XE7ukQDuwXStyKGQ=";
+ };
+
+ OpenIDConnect = pkgs.fetchzip {
+ url = "https://github.com/wikimedia/mediawiki-extensions-OpenIDConnect/archive/master.tar.gz";
+ sha256 = "sha256-mFPunUr50tRrEUcqu1p7xWt+eTbvBVamuP34Bhffx+0=";
+ };
+ };
+ };
+}
diff --git a/hosts/nachtigall/apps/searx.nix b/hosts/nachtigall/apps/searx.nix
index 5785b9f..d97a012 100644
--- a/hosts/nachtigall/apps/searx.nix
+++ b/hosts/nachtigall/apps/searx.nix
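Review bot: In the OIDC block of extraConfig, `'clientsecret' => readfile(${config.age.secrets.mediawiki-oidc-client-secret.path})` does not load the secret: PHP's readfile() writes the file to the output stream and returns a byte count, and the interpolated path is unquoted, so LocalSettings.php either fails to parse or prints the client secret into the HTTP response while handing the extension an integer; use `'clientsecret' => trim(file_get_contents('${config.age.secrets.mediawiki-oidc-client-secret.path}'))`. The three age secrets are declared with `mode = "600"` and no owner or group, so presumably only root can read them while the MediaWiki service and the PHP process need passwordFile and the OIDC secret — confirm the owner is set to the user MediaWiki runs as. The PluggableAuth fetchzip reuses the exact sha256 of constant_time_encoding; both use fetchzip's default name, so they resolve to the same fixed-output store path and Nix will hand back the already-fetched constant_time_encoding tree as the extension instead of reporting a hash mismatch, and both extension URLs point at unpinned master.tar.gz whose content changes with every upstream push — pin them to a tag or commit with their real hashes. The nginx vhost for wiki.pub.solar forwards to `uwsgi_pass unix:/run/searx/searx.sock;` and adds nginx to the `searx` group, and the database block sets `type = "postgres"` next to `socket = "/run/mysqld/mysqld.sock"`; both read as leftovers from searx.nix and a MySQL template and would route the wiki hostname to searx rather than to the httpd vhost configured below.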
@@ -8,7 +8,7 @@
 {
 age.secrets.searx-environment = {
 file = "${flake.self}/secrets/searx-environment.age";
- mode = "700";
+ mode = "600";
 };
 
 services.nginx.virtualHosts."search.pub.solar" = {
diff --git a/hosts/nachtigall/default.nix b/hosts/nachtigall/default.nix
index 4780506..85ed49e 100644
--- a/hosts/nachtigall/default.nix
+++ b/hosts/nachtigall/default.nix
@@ -15,6 +15,7 @@
 ./apps/keycloak.nix
 ./apps/mailman.nix
 ./apps/mastodon.nix
+ ./apps/mediawiki.nix
 ./apps/nextcloud.nix
 ./apps/owncast.nix
 ./apps/nginx-mastodon.nix
diff --git a/secrets/mediawiki-admin-password.age b/secrets/mediawiki-admin-password.age
new file mode 100644
index 0000000..5efb88c
--- /dev/null
+++ b/secrets/mediawiki-admin-password.age
@@ -0,0 +1,27 @@ +age-encryption.org/v1 +-> ssh-ed25519 iDKjwg LcyG6l8PyH97exah393jsbCvMiPglSUdE9+xgiuxj24 ++iL2WJUShBHg3Phy20pj6Ey7+CbW0kePMpRr0IFGMow +-> ssh-ed25519 uYcDNw 2aoZ0g9M/dy+JN+XGijHbSER9C2WnGcbfiH8qamDTHk +uJvrHKDoKGFMTDYIoI1R+9GsRHbwOi+lncga7n+MZIY +-> ssh-rsa kFDS0A +XaTAfhahB+pcCodZp7lh3tGH7JRyvErDWPCgL2Uz7Z/MTeLqsqc/bWHHodGMvvba +gizm978vCp5jC7gz7Gior9y9//QlIC3nLklOXPtGRALMWxI72aYeWXuz6NclTfmB +8ADxCFJ/t+DHlphNvmYTm4OYbSd0rLUR2uhPB9bfcrs+Xn28IglP/3CnWtb0bKgU +xFu5ghqmzaZwYEsk1rBkslSpjClfsrAuptahAeAoP6ZB3UAcyGxYTl1JWZ8NsGx5 +wciyUdaMKernsAM9GOFFmA7ax6QtR70u57KCcsV9CyhBaB8W6vTlVomTGuxvA0tR +jM518FxK/R4DQ+DXyYy2t6k7AolN6owu04cxJQZIlplwBYA1jaqNUkbSs7OdnKqz +IQfmJ6EIJRqr+FAV4g4JrhfU9RMJiZsxN1sCIpUEH38RLY2VU0JTFhR5rFqLEaYH +q1phO0NBtEKbjZBH3WNdeaOl2420WTebMZXu8i+wwA9ApLAdmh9BdiJCRgxwXuxo +7vj5/QdRAtGZwscCol58s9fOtLz4euTSvEMp58uiQUg0Tlx8UTG+PIGYlIXQ2VuU +jbZiHU5u4yFIkQqlqwo9ffQtn6gH8GT7P5tdFKMucsrwZF7ui6FfuDCLk+TBWhGS +Y5k9Y7u3tXnIATksKUV+SfOEwqDyNU58Y0MA6M/HaU0 +-> ssh-ed25519 YFSOsg +3UYmfhtMlKT3bodpFR9S52lmpN3Cu7wT/lwm4kZrC8 +VtlMr493XZe7O6QsYf9rwq58JPox/wQvnGLXJN5CB5I +-> ssh-ed25519 iHV63A 9uadUaJT6jEsyMFMEfohMCUgxSXB7bsa++70P1a0LFM +BW99xSdQTBBjFkEmlNTB1N3jxmGY+0oYnps8RoidUvw +-> ssh-ed25519 BVsyTA Iuixq7laf7fN20bXYoc1O89cJWExzSxD/XkOg6BjKSc +Bq3+y48SSkaDnuYmp38yGXNkp93qUNJemfTxtVnpUD0 +-> 4-grease ($vN N +b6PMSRSIUZMlLXQx9xaM9KMlk1kzMotNwC1L +--- AKDHmogRbZ+hiS/5jYlvBFRG0vfY31lMbH/vqAlTfLY +-m ó™Îé8…ÉšüAºq¯ëÉAf—hÆ]DváâÐ.ðhœüWþS¸ëŒÈ~È«p'œË.&-Éȇ_ \ No newline at end of file diff --git a/secrets/mediawiki-database-password.age b/secrets/mediawiki-database-password.age new file mode 100644 index 0000000..cb436a7 --- /dev/null +++ b/secrets/mediawiki-database-password.age 
@@ -0,0 +1,28 @@ +age-encryption.org/v1 +-> ssh-ed25519 iDKjwg z0obMnCseK5QoAge88uhbvcI5fk07UOBZk/rEXQCagU +RtYb7D5diitYmAh+K0TbPlF2ps2LaBeVeQ8iabUA/3U +-> ssh-ed25519 uYcDNw xy8dFpnQszNlQernP7dkw/VIF1++KiTsIGDJsDHusSQ +l82JxR2oJ71rRSZYPeXvNZyuEa2o2/uxDCJawOj9m4k +-> ssh-rsa kFDS0A +NKl5eefpdKltFPeg5bO8vw4xa6qVo5nRMF4xTO7t6wcRagADcDWYp0ZfYoHABOFH +yBL1YQ2VXAMmbchJKrIy4N9oy26cGifxzFBgkPlnKOxUUXuaXgv2vMTTOUUB5mlp +gax7uq+J1qLtkc/yfvt/OOWv9qRf9vHhIWuG6/vbv+8ATWbMANLZB6GPBlW5dWJG +A4ZV88Zd/zenB3d+bo5Gh9/RxazGfb98GwMFoHv67WUn/W542IDZyywTz/8cQB7I +8POfee3cuiQ1K19vn4rbHldVxYCmbESS3KR6gzPk0HAi6KFxW29NqHsX//ObPkL3 +wYsKyYtsJLOy1gAKIcHG/6kysh3MstFq3Q977kuskk79JXIjiiPNFfQOh/WZKXvl +EwuaTTvyzzXuPBRSaTMYUv3NwlT7IBeZ1D/hOmmmN4GmbE0qIp9hDQbwSrf4+3Z3 +irVMOee5SmLYwsj5cZPU7AdNs3Q1o0C2ooTA/WYFMdUKeI1ZhtNAekbuXseH2zr4 +N/j+XMSx7KAIB0Pb5yqkI/DliZpacG5DT6f+qgDYyEh0XEf7Eazn02EnquayB1Sr +sgdZ7SO+ntPzc2l/JbhFN5SpH6iQJVohwkjBXQUQyJuLZBYdh4M0x4KF0P6xVO+P +iBGM3/9jm86AOa6yhlfh8Z6h9ckKk5DNkMTJn+2fQc4 +-> ssh-ed25519 YFSOsg ZpPUH11hi+hg1Euil1aJNXqrOKjQrucI8Mi9KVrMnwE +xPoiMVzjfWUpUUC3EZUiogLJZfKWs2/jwGZfsx27CKQ +-> ssh-ed25519 iHV63A t4j7mr+hoW5fR9+ry3/tqKvQERZs/h7Qn9LEeeSWFhc +XZjUNUWkWnJG7l8vahfppxZ/kjH1VRf8YNpt8x2H67M +-> ssh-ed25519 BVsyTA SztbpuYbTH+FkumMGCAQ4fQ/rRRZgGg2yCPHjS8qtTI +F98vVoeITz/WJnJamw1I4zLHBcF46FYxKibwmbInFoA +-> %R9cvM-grease 8#EQ8Q l:Yu\ +VBsYA1Kyd/sz6RVeZNHBMvKlYmwKcuvWKyGOLzzcaz6C6kzHNgtWXcLRC0A9wMDt +xQkX8fYdijHTcclcGerWUa8iqnpd7rAgo8RjG5e5JzhW +--- k9Ai5b4pxmq4DnN/3a6UyllvEzFaEFv0ePExwfUpplA +ðÀ5æ<–…lEÚN åÙWՀϢ%bì<÷±ÛñÅ"aš)™‚šò8¹ð*ÆÅ”cÓC¶0|V§qvSÙ \ No newline at end of file diff --git a/secrets/mediawiki-oidc-client-secret.age b/secrets/mediawiki-oidc-client-secret.age new file mode 100644 index 0000000..90b5a38 --- /dev/null +++ b/secrets/mediawiki-oidc-client-secret.age 
@@ -0,0 +1,28 @@ +age-encryption.org/v1 +-> ssh-ed25519 iDKjwg tg3ltwXFSRyIajjOf6IkNiwWmVo7aqznL18SZuWtBkI +HWOHGsPyd6YP1axJulRzGMnfyaE/IsNP07n+vDeauq0 +-> ssh-ed25519 uYcDNw u4SsEiGvGb1FszMlipuTEhVjaY1nfVOAc9VbV73j21E +yq2sydDWrUI2Kcy3DVG+P4u03lj4CQIQCV3h8I5C7zw +-> ssh-rsa kFDS0A +SdVWMuqmiLnboD4hQTUBYSPyBCznqKytYIQe//VnpTaUHeOlnfQeDLNs/Tiqx8Qq +gLAsGyyY3DwRJiENbplPGvkYyY6nzzx6tIj7oVvVqjUi4563K2PMyBV0kDBgDtuE +YOb5dZOLE4zar3prtaCY1RCh1RPqSNgp5dwwp4KtskYYCRioP2mM2NYYdlh4YmG7 +SdxdhXWNj2qGzOklV1QL73cUNIy+qbv0PNpdSEUEDdVtaf7tPkR86c75mbC6ktn4 +zDTYXoc7aTtluWY0GXOLFP4UoBvNjApYpxuIc+F3SKOHsEouzBPCRv0ZjCyJMCt7 +hg4JehN/cQCIxmck5iTo2iJw9cOdhA5zUR/AGLHTdxqvjn9pdxbLE7i2klCbDiCw +4iV2/Vrqog6sffa0pNLBTV/V3+I8Fsv8SwnDja6Q8Rvz7xOccwiAQweTiyLjHznZ +F1hlWXoLjKqfkbh15vOedU9YM7a34xaMr6eN4Xn28o6vYy3twbYrOPZ1qCVmi6Da +onFt7Fvu1T4yTc0nlBnifMfJYpJ4H79VtBx23kZzuNuwcmfPNN/j/9dONrC/CSDM +UatqKmmis7tYUhlrx8MY/laYIdGRqhtIqABKDAhiTWmho2EKUskv6qD7ZuduU3aX +HpAAiVAf8DfXIGShGda6akO1niS9eBF02lm5lnBWcQs +-> ssh-ed25519 YFSOsg SChexNNQyPLdPRsCFgYZFSRC/KgCcbM/ArfXS5woKyU +lGF+ttGHa3D9xoe0o+KWl4YFEsq2HV4kmAYlIRUwMY8 +-> ssh-ed25519 iHV63A opYm+eq5781ggiOzuASwLPIeOVxOlq8jgbSNIXVL010 +R3hhUfWq5kmGbvRIAAjXtCbvIIGnfBx1jHjNaBR6gIc +-> ssh-ed25519 BVsyTA /bWN++yXbaPFb8Q06RgImILWVzoCtqhomggKRZaRbWM +fWMX0zX/PFq1wJBGR9XbPbLN2JkL4m46gGYM/s03qkc +-> *rvVIlaT-grease T=C@?06? +tRxiwZdbPDQbLn2jnKNRtkJdcZxtd1oVqKCGHdB2 +--- ifjAMRTPxaL0FEvYCn2q0/K6nRuJO9pGevN8ZT9eu8E + +ºç¦]`†ÖóårÕ7úVùÙ«îU(þÝÝÊoù_€ \ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 4690924..4a41652 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix 
@@ -40,4 +40,8 @@ in { "nextcloud-admin-pass.age".publicKeys = nachtigallKeys ++ baseKeys; "searx-environment.age".publicKeys = nachtigallKeys ++ baseKeys; + + "mediawiki-database-password.age".publicKeys = nachtigallKeys ++ baseKeys; + "mediawiki-admin-password.age".publicKeys = nachtigallKeys ++ baseKeys; + "mediawiki-oidc-client-secret.age".publicKeys = nachtigallKeys ++ baseKeys; }