feat: diesdasnotworkingananas

This commit is contained in:
Benjamin Bädorf 2023-11-07 01:35:25 +01:00 committed by teutat3s
parent 3b61fd0ebc
commit 8b3c63bd7b
Signed by: teutat3s
GPG key ID: 4FA1D3FA524F22C1
3 changed files with 45 additions and 15 deletions


@ -50,12 +50,12 @@
$wgEmailAuthentication = true; $wgEmailAuthentication = true;
## Database settings ## Database settings
$wgDBtype = "mysql"; $wgDBtype = "postgres";
$wgDBserver = "mediawiki-db"; $wgDBserver = "host.docker.internal";
$wgDBport = "3306"; $wgDBport = "5432";
$wgDBname = "mediawiki"; $wgDBname = "mediawiki";
$wgDBuser = "mediawiki"; $wgDBuser = "mediawiki";
$wgDBpassword = file_get_contents("/run/agenix/mediawiki-database-password"); $wgDBpassword = trim(file_get_contents("/run/mediawiki/database-password"));
## Shared memory settings ## Shared memory settings
$wgMainCacheType = CACHE_NONE; $wgMainCacheType = CACHE_NONE;
@ -84,7 +84,7 @@
# Site language code, should be one of the list in ./languages/data/Names.php # Site language code, should be one of the list in ./languages/data/Names.php
$wgLanguageCode = "en"; $wgLanguageCode = "en";
$wgSecretKey = file_get_contents("/run/agenix/mediawiki-secret-key"); $wgSecretKey = trim(file_get_contents("/run/mediawiki/secret-key"));
# Changing this will log out all existing sessions. # Changing this will log out all existing sessions.
$wgAuthenticationTokenVersion = ""; $wgAuthenticationTokenVersion = "";
@ -132,29 +132,47 @@
'data' => [ 'data' => [
'providerURL' => 'https://auth.pub.solar/realms/pub.solar', 'providerURL' => 'https://auth.pub.solar/realms/pub.solar',
'clientID' => 'mediawiki', 'clientID' => 'mediawiki',
'clientsecret' => readfile('/run/agenix/mediawiki-oidc-client-secret') 'clientsecret' => trim(file_get_contents('/run/mediawiki/oidc-client-secret'))
] ]
]; ];
$wgOpenIDConnect_SingleLogout = true; $wgOpenIDConnect_SingleLogout = true;
$wgOpenIDConnect_MigrateUsersByEmail = true; $wgOpenIDConnect_MigrateUsersByEmail = true;
''; '';
uid = 986;
gid = 984;
in { in {
age.secrets.mediawiki-database-password = { age.secrets.mediawiki-database-password = {
file = "${flake.self}/secrets/mediawiki-database-password.age"; file = "${flake.self}/secrets/mediawiki-database-password.age";
mode = "600"; path = "/run/mediawiki/database-password";
symlink = false;
mode = "440";
owner = "mediawiki"; owner = "mediawiki";
group = "mediawiki";
}; };
age.secrets.mediawiki-oidc-client-secret = { age.secrets.mediawiki-oidc-client-secret = {
file = "${flake.self}/secrets/mediawiki-oidc-client-secret.age"; file = "${flake.self}/secrets/mediawiki-oidc-client-secret.age";
mode = "600"; path = "/run/mediawiki/oidc-client-secret";
symlink = false;
mode = "440";
owner = "mediawiki"; owner = "mediawiki";
group = "mediawiki";
}; };
age.secrets.mediawiki-secret-key = { age.secrets.mediawiki-secret-key = {
file = "${flake.self}/secrets/mediawiki-secret-key.age"; file = "${flake.self}/secrets/mediawiki-secret-key.age";
mode = "600"; path = "/run/mediawiki/secret-key";
symlink = false;
mode = "440";
owner = "mediawiki"; owner = "mediawiki";
group = "mediawiki";
};
services.postgresql = {
authentication = ''
host mediawiki all 172.17.0.0/16 password
'';
}; };
services.nginx.virtualHosts."wiki.pub.solar" = { services.nginx.virtualHosts."wiki.pub.solar" = {
@ -164,23 +182,33 @@ in {
locations."/".proxyPass = "http://127.0.0.1:8293"; locations."/".proxyPass = "http://127.0.0.1:8293";
}; };
users.users.mediawiki = {
isSystemUser = true;
group = "mediawiki";
inherit uid;
};
users.groups.mediawiki = { inherit gid; };
virtualisation = { virtualisation = {
oci-containers = { oci-containers = {
backend = "docker"; backend = "docker";
containers."mediawiki" = { containers."mediawiki" = {
image = "git.pub.solar/pub-solar/mediawiki-oidc-docker"; image = "git.pub.solar/pub-solar/mediawiki-oidc-docker:latest";
user = "${builtins.toString config.users.users.mediawiki.uid}:www-data"; user = "1000:${builtins.toString gid}";
autoStart = true; autoStart = true;
ports = [ ports = [
"127.0.0.1:8293:80" "127.0.0.1:8293:80"
]; ];
extraOptions = [
"--add-host=host.docker.internal:host-gateway"
"--pull=always"
];
volumes = [ volumes = [
"/run/agenix/mediawiki-database-password:/run/agenix/mediawiki-database-password" "/run/mediawiki:/run/mediawiki"
"/run/agenix/mediawiki-oidc-client-secret:/run/agenix/mediawiki-oidc-client-secret"
"/run/agenix/mediawiki-secret-key:/run/agenix/mediawiki-secret-key"
"/var/lib/mediawiki/images:/var/www/html/images" "/var/lib/mediawiki/images:/var/www/html/images"
"/var/lib/mediawiki/uploads:/var/www/html/uploads" "/var/lib/mediawiki/uploads:/var/www/html/uploads"
"/var/lib/mediawiki/logs:/var/log/mediawiki" "/var/lib/mediawiki/logs:/var/log/mediawiki"
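Review bot: The new pg_hba rule `host mediawiki all 172.17.0.0/16 password` uses the `password` method, which transmits the database password in cleartext across the docker bridge, and it admits any role from that subnet rather than only `mediawiki`; tighten it to `host mediawiki mediawiki 172.17.0.0/16 scram-sha-256` (this requires the role's password to be stored in SCRAM form, the default on recent PostgreSQL, presumably already the case here — verify). The container image also moves to `:latest` with `--pull=always`, so every restart silently pulls whatever the registry serves at that moment; pinning by digest, or at least a version tag, keeps the deployment reproducible and reviewable. The `virtualisation` block continues past the end of this hunk.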


@ -6,4 +6,6 @@
''; '';
storageDriver = "zfs"; storageDriver = "zfs";
}; };
networking.firewall.trustedInterfaces = [ "docker0" ];
} }
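Review bot: `networking.firewall.trustedInterfaces = [ "docker0" ];` switches the host firewall off for the whole bridge, so any container can reach every service the host listens on, not only PostgreSQL; from the mediawiki settings elsewhere in this commit, 5432 appears to be the only port the container needs. Opening just that port keeps the rest of the host closed to containers: `networking.firewall.interfaces."docker0".allowedTCPPorts = [ 5432 ];`. This assumes PostgreSQL is bound to the bridge address at all, which this commit does not show (listen_addresses is not touched here).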


@ -2,7 +2,7 @@
users.users.${flake.self.username} = { users.users.${flake.self.username} = {
name = flake.self.username; name = flake.self.username;
group = flake.self.username; group = flake.self.username;
extraGroups = ["wheel"]; extraGroups = ["wheel" "docker"];
isNormalUser = true; isNormalUser = true;
openssh.authorizedKeys.keys = flake.self.publicKeys.admins; openssh.authorizedKeys.keys = flake.self.publicKeys.admins;
}; };
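Review bot: Adding the admin user to `docker` at `extraGroups = ["wheel" "docker"];` grants passwordless root-equivalent access through the Docker socket (any member can start a container with `-v /:/host`), bypassing the sudo prompt and its audit trail that `wheel` already provides. If day-to-day use of `docker` without sudo is not required, keep `extraGroups = ["wheel"];` and run `sudo docker …` instead; if it is, a comment such as `# docker group == root; members can mount the host filesystem` would at least record the decision next to the line.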