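# NixOS module: runs the pub.solar MediaWiki as an OCI container behind nginx,
# with agenix-managed secrets, a PostgreSQL database on the host and a nightly
# restic backup to S3 (garage). Line structure has been restored here: in the
# collapsed form the PHP `//` comments swallowed the statements that followed them.
{ flake, config, lib, pkgs, ... }:
let
  # LocalSettings.php fragment that is bind-mounted into the container (see the
  # `volumes` list below). Everything the container needs at runtime that is
  # secret is read from /run/mediawiki rather than embedded in the store path.
  #
  # NOTE(review): the head of this PHP snippet (everything before the first
  # "https://pub.solar/assets/pubsolar.svg" value, presumably the opening of the
  # $wgLogos array and the settings preceding it) is missing from this extracted
  # copy; restore it from the repository before using this file as-is.
  localSettingsPHP = pkgs.writeScript "LocalSettings.php" ''
        "https://pub.solar/assets/pubsolar.svg",
      'icon' => "https://pub.solar/assets/pubsolar.svg",
      'wordmark' => [
        'src'=> "https://pub.solar/assets/pubsolar.svg",
        'width'=> 0,
        'height'=> 0,
      ],
    ];
    $wgFavicon = 'https://pub.solar/assets/pubsolar.svg';
    $wgDefaultSkin = 'vector-2022';

    // https://www.mediawiki.org/wiki/Extension:PluggableAuth#Installation
    $wgGroupPermissions['*']['autocreateaccount'] = true;

    // https://www.mediawiki.org/wiki/Extension:PluggableAuth#Configuration
    $wgPluggableAuth_EnableAutoLogin = false;
    $wgPluggableAuth_ButtonLabel = 'Login with pub.solar ID';

    // https://www.mediawiki.org/wiki/Extension:OpenID_Connect#Keycloak
    $wgPluggableAuth_Config[] = [
      'plugin' => 'OpenIDConnect',
      'data' => [
        'providerURL' => 'https://auth.${config.pub-solar-os.networking.domain}/realms/${config.pub-solar-os.auth.realm}',
        'clientID' => 'mediawiki',
        'clientsecret' => trim(file_get_contents('/run/mediawiki/oidc-client-secret'))
      ]
    ];
    $wgOpenIDConnect_SingleLogout = true;
    $wgOpenIDConnect_MigrateUsersByEmail = true;
  '';

  # Fixed ids: the host `mediawiki` user/group use them, and the container is
  # started with the same gid so it can read the 0440 secrets below.
  uid = 986;
  gid = 984;
in
{
  # Secrets are decrypted into /run/mediawiki, which is bind-mounted into the
  # container. `symlink = false` places the file itself there instead of a link
  # into the agenix directory, which would not resolve inside the container.
  age.secrets.mediawiki-database-password = {
    file = "${flake.self}/secrets/mediawiki-database-password.age";
    path = "/run/mediawiki/database-password";
    symlink = false;
    mode = "440";
    owner = "mediawiki";
    group = "mediawiki";
  };
  age.secrets.mediawiki-oidc-client-secret = {
    file = "${flake.self}/secrets/mediawiki-oidc-client-secret.age";
    path = "/run/mediawiki/oidc-client-secret";
    symlink = false;
    mode = "440";
    owner = "mediawiki";
    group = "mediawiki";
  };
  age.secrets.mediawiki-secret-key = {
    file = "${flake.self}/secrets/mediawiki-secret-key.age";
    path = "/run/mediawiki/secret-key";
    symlink = false;
    mode = "440";
    owner = "mediawiki";
    group = "mediawiki";
  };

  # Backup credentials are only needed by the root-run restic service.
  age.secrets.restic-repo-garage-mediawiki = {
    file = "${flake.self}/secrets/restic-repo-garage-mediawiki.age";
    mode = "400";
    owner = "root";
  };
  age.secrets.restic-repo-garage-mediawiki-env = {
    file = "${flake.self}/secrets/restic-repo-garage-mediawiki-env.age";
    mode = "400";
    owner = "root";
  };

  # Let the container (docker bridge network) reach the host database.
  # NOTE(review): the `password` method transmits the role password in the
  # clear on the bridge; `scram-sha-256` is preferable once the mediawiki role's
  # password is stored in SCRAM form -- confirm before switching.
  services.postgresql = {
    authentication = ''
      host mediawiki all 172.17.0.0/16 password
    '';
  };

  # TLS termination; the container only listens on loopback (see `ports`).
  services.nginx.virtualHosts."wiki.${config.pub-solar-os.networking.domain}" = {
    enableACME = true;
    forceSSL = true;
    locations."/".proxyPass = "http://127.0.0.1:8293";
  };

  users.users.mediawiki = {
    isSystemUser = true;
    group = "mediawiki";
    inherit uid;
  };
  users.groups.mediawiki = {
    inherit gid;
  };

  virtualisation = {
    oci-containers = {
      backend = "docker";
      containers."mediawiki" = {
        image = "git.pub.solar/pub-solar/mediawiki-oidc-docker:1.42.1";
        # uid 1000 is presumably the uid the image runs PHP as (it is not the
        # host `mediawiki` uid); the shared gid is what grants read access to
        # the 0440 secrets. Files the container writes under /var/lib/mediawiki
        # will therefore be owned by uid 1000 on the host -- TODO confirm.
        user = "1000:${builtins.toString gid}";
        autoStart = true;
        # Bound to loopback only; nginx above is the public entry point.
        ports = [ "127.0.0.1:8293:80" ];
        extraOptions = [
          "--add-host=host.docker.internal:host-gateway"
          # Re-pulls the (mutable) tag on every start; pin by digest if
          # reproducible deploys are wanted.
          "--pull=always"
        ];
        volumes = [
          "/run/mediawiki:/run/mediawiki"
          "/var/lib/mediawiki/images:/var/www/html/images"
          "/var/lib/mediawiki/uploads:/var/www/html/uploads"
          "/var/lib/mediawiki/logs:/var/log/mediawiki"
          "${localSettingsPHP}:/var/www/html/LocalSettings.php"
        ];
      };
    };
  };

  services.restic.backups.mediawiki-garage = {
    paths = [
      "/var/lib/mediawiki/images"
      "/var/lib/mediawiki/uploads"
      "/tmp/mediawiki-backup.sql"
    ];
    timerConfig = {
      OnCalendar = "*-*-* 00:30:00 Etc/UTC";
    };
    initialize = true;
    passwordFile = config.age.secrets."restic-repo-garage-mediawiki".path;
    environmentFile = config.age.secrets."restic-repo-garage-mediawiki-env".path;
    repository = "s3:https://buckets.pub.solar/mediawiki-backups";
    # The dump contains the whole wiki database (including user credential
    # hashes). The redirect is performed by the root shell, so without a
    # restrictive umask the file would be created world-readable in the shared
    # /tmp; remove any stale copy first so an existing file's mode (or a
    # planted symlink) is not reused. A dedicated private directory instead of
    # /tmp would remove the remaining race -- unless the unit already uses
    # PrivateTmp, which this module does not set.
    backupPrepareCommand = ''
      rm -f /tmp/mediawiki-backup.sql
      umask 077
      ${pkgs.sudo}/bin/sudo -u postgres ${pkgs.postgresql}/bin/pg_dump -d mediawiki > /tmp/mediawiki-backup.sql
    '';
    # `-f` so a missing dump (failed prepare step) does not fail the cleanup.
    backupCleanupCommand = ''
      rm -f /tmp/mediawiki-backup.sql
    '';
    pruneOpts = [
      "--keep-daily 7"
      "--keep-weekly 4"
      "--keep-monthly 3"
    ];
  };
}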