From 8b3c63bd7b0a21c5ee96f78be50cb7903d636ff8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Benjamin=20B=C3=A4dorf?=
Date: Tue, 7 Nov 2023 01:35:25 +0100
Subject: [PATCH] feat: diesdasnotworkingananas
---
 hosts/nachtigall/apps/mediawiki.nix | 56 +++++++++++++++++++++--------
 modules/docker.nix | 2 ++
 modules/users.nix | 2 +-
 3 files changed, 45 insertions(+), 15 deletions(-)
diff --git a/hosts/nachtigall/apps/mediawiki.nix b/hosts/nachtigall/apps/mediawiki.nix
index ac1268d..b9f08ec 100644
--- a/hosts/nachtigall/apps/mediawiki.nix
+++ b/hosts/nachtigall/apps/mediawiki.nix
@@ -50,12 +50,12 @@
 $wgEmailAuthentication = true;
 ## Database settings
- $wgDBtype = "mysql";
- $wgDBserver = "mediawiki-db";
- $wgDBport = "3306";
+ $wgDBtype = "postgres";
+ $wgDBserver = "host.docker.internal";
+ $wgDBport = "5432";
 $wgDBname = "mediawiki";
 $wgDBuser = "mediawiki";
- $wgDBpassword = file_get_contents("/run/agenix/mediawiki-database-password");
+ $wgDBpassword = trim(file_get_contents("/run/mediawiki/database-password"));
 ## Shared memory settings
 $wgMainCacheType = CACHE_NONE;
@@ -84,7 +84,7 @@
 # Site language code, should be one of the list in ./languages/data/Names.php
 $wgLanguageCode = "en";
- $wgSecretKey = file_get_contents("/run/agenix/mediawiki-secret-key");
+ $wgSecretKey = trim(file_get_contents("/run/mediawiki/secret-key"));
 # Changing this will log out all existing sessions.
 $wgAuthenticationTokenVersion = "";
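Review bot: `$wgDBserver = "host.docker.internal"` moves the database connection from a container-local hostname onto the docker0 bridge, but this hunk only changes the client side; the host PostgreSQL has to accept TCP on the bridge gateway address (via `enableTCPIP` / `settings.listen_addresses`, depending on the NixOS release) and that listener should be limited to `127.0.0.1` plus the gateway IP rather than `*`, since nothing in this patch shows the listen address. With `$wgDBssl` unset the password also crosses the bridge in clear text, which is only acceptable because docker0 is host-local; a comment such as `# DB traffic is unencrypted; relies on docker0 being host-only` would make that assumption explicit. The LocalSettings string this sits in starts and ends outside the hunk.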
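Review bot: `$wgSecretKey = trim(file_get_contents("/run/mediawiki/secret-key"))` fails open: if the bind mount or the secret is missing, `file_get_contents` returns `false`, `trim(false)` yields `""`, and the wiki comes up with an empty secret key instead of refusing to start. Read it into a variable and abort on failure, e.g. `$secretKey = file_get_contents('/run/mediawiki/secret-key'); if ($secretKey === false || trim($secretKey) === '') { throw new \RuntimeException('mediawiki secret key not readable'); } $wgSecretKey = trim($secretKey);`. The database-password and OIDC-client-secret reads elsewhere in this patch use the same pattern and deserve the same guard. The enclosing LocalSettings string starts and ends outside the hunk.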
@@ -132,29 +132,47 @@
 'data' => [
 'providerURL' => 'https://auth.pub.solar/realms/pub.solar',
 'clientID' => 'mediawiki',
- 'clientsecret' => readfile('/run/agenix/mediawiki-oidc-client-secret')
+ 'clientsecret' => trim(file_get_contents('/run/mediawiki/oidc-client-secret'))
 ]
 ];
 $wgOpenIDConnect_SingleLogout = true;
 $wgOpenIDConnect_MigrateUsersByEmail = true;
 '';
+
+ uid = 986;
+ gid = 984;
 in {
 age.secrets.mediawiki-database-password = {
 file = "${flake.self}/secrets/mediawiki-database-password.age";
- mode = "600";
+ path = "/run/mediawiki/database-password";
+ symlink = false;
+ mode = "440";
 owner = "mediawiki";
+ group = "mediawiki";
 };
 age.secrets.mediawiki-oidc-client-secret = {
 file = "${flake.self}/secrets/mediawiki-oidc-client-secret.age";
- mode = "600";
+ path = "/run/mediawiki/oidc-client-secret";
+ symlink = false;
+ mode = "440";
 owner = "mediawiki";
+ group = "mediawiki";
 };
 age.secrets.mediawiki-secret-key = {
 file = "${flake.self}/secrets/mediawiki-secret-key.age";
- mode = "600";
+ path = "/run/mediawiki/secret-key";
+ symlink = false;
+ mode = "440";
 owner = "mediawiki";
+ group = "mediawiki";
+ };
+
+ services.postgresql = {
+ authentication = ''
+ host mediawiki all 172.17.0.0/16 password
+ '';
 };
 services.nginx.virtualHosts."wiki.pub.solar" = {
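Review bot: The added pg_hba rule `host mediawiki all 172.17.0.0/16 password` uses the `password` method, which sends the role password in clear text on the wire, and it lets any role name from the entire docker bridge /16 attempt a login to the mediawiki database, not just the one container this patch sets up. Narrow it to the role and use the challenge-response method: `host mediawiki mediawiki 172.17.0.0/16 scram-sha-256` (the role's password must then be stored SCRAM-hashed, i.e. `password_encryption = scram-sha-256` before it is set). `services.postgresql.authentication` is merged with the NixOS module's default rules, so confirm the resulting `pg_hba.conf` order puts this line where a broader default cannot match first. Storing the three secrets as `440` `mediawiki:mediawiki` is fine as long as nothing but the container's gid 984 is ever added to that group; a comment to that effect on `group = "mediawiki";` would help.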
@@ -164,23 +182,33 @@ in {
 locations."/".proxyPass = "http://127.0.0.1:8293";
 };
+ users.users.mediawiki = {
+ isSystemUser = true;
+ group = "mediawiki";
+ inherit uid;
+ };
+ users.groups.mediawiki = { inherit gid; };
+
 virtualisation = {
 oci-containers = {
 backend = "docker";
 containers."mediawiki" = {
- image = "git.pub.solar/pub-solar/mediawiki-oidc-docker";
- user = "${builtins.toString config.users.users.mediawiki.uid}:www-data";
+ image = "git.pub.solar/pub-solar/mediawiki-oidc-docker:latest";
+ user = "1000:${builtins.toString gid}";
 autoStart = true;
 ports = [ "127.0.0.1:8293:80" ];
+ extraOptions = [
+ "--add-host=host.docker.internal:host-gateway"
+ "--pull=always"
+ ];
+
 volumes = [
- "/run/agenix/mediawiki-database-password:/run/agenix/mediawiki-database-password"
- "/run/agenix/mediawiki-oidc-client-secret:/run/agenix/mediawiki-oidc-client-secret"
- "/run/agenix/mediawiki-secret-key:/run/agenix/mediawiki-secret-key"
+ "/run/mediawiki:/run/mediawiki"
 "/var/lib/mediawiki/images:/var/www/html/images"
 "/var/lib/mediawiki/uploads:/var/www/html/uploads"
 "/var/lib/mediawiki/logs:/var/log/mediawiki"
diff --git a/modules/docker.nix b/modules/docker.nix
index 8021dad..5cb9023 100644
--- a/modules/docker.nix
+++ b/modules/docker.nix
@@ -6,4 +6,6 @@
 '';
 storageDriver = "zfs";
 };
+
+ networking.firewall.trustedInterfaces = [ "docker0" ];
 }
diff --git a/modules/users.nix b/modules/users.nix
index 5f8b43c..a2e4ca7 100644
--- a/modules/users.nix
+++ b/modules/users.nix
@@ -2,7 +2,7 @@
 users.users.${flake.self.username} = {
 name = flake.self.username;
 group = flake.self.username;
- extraGroups = ["wheel"];
+ extraGroups = ["wheel" "docker"];
 isNormalUser = true;
 openssh.authorizedKeys.keys = flake.self.publicKeys.admins;
 };
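Review bot: `user = "1000:${builtins.toString gid}"` hard-codes uid 1000 while the same hunk creates the `mediawiki` system user with uid 986, so the process identity and every file it writes under `/var/lib/mediawiki` belong to whichever host account owns uid 1000 (typically the first `isNormalUser` account, here presumably the admin from modules/users.nix) and the secrets are reachable only through the group bit; unless the image requires uid 1000, use `user = "${builtins.toString uid}:${builtins.toString gid}";`, otherwise add a comment stating why 1000 is needed. `image = "...:latest"` together with `"--pull=always"` re-resolves a mutable tag on every container start, so a registry compromise or an unintended push goes straight into production; pin by digest (`git.pub.solar/pub-solar/mediawiki-oidc-docker@sha256:...`) and drop `--pull=always`. The `containers."mediawiki"` attribute set continues past the end of the hunk.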
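Review bot: `networking.firewall.trustedInterfaces = [ "docker0" ];` switches the firewall off for all traffic arriving from the bridge, so every container can reach every host-bound service, not only PostgreSQL on 5432, and because this lives in the shared modules/docker.nix it applies to every host importing the module. Open just the port the mediawiki container needs: `networking.firewall.interfaces.docker0.allowedTCPPorts = [ 5432 ];`. A short comment naming the consumer (`# postgres for the mediawiki container`) would stop the rule from silently outliving it.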
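Review bot: Adding `"docker"` to `extraGroups` grants root-equivalent access through the docker socket (a container can bind-mount `/` and run as root) without the authentication and logging that `sudo docker` via the existing `wheel` membership would give. Since the account already has `wheel`, this buys convenience rather than capability; if it is kept, a comment next to it such as `# docker group is root-equivalent; admins only` records the decision, otherwise prefer `sudo docker` or a rootless daemon.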