Benjamin Yule Bädorf
68278ad983
This works towards having reusable modules * `config.pub-solar-os.networking.domain` is used for the main domain * `config.pub-solar-os.privacyPolicUrl` links towards the privacy policy * `config.pub-solar-os.imprintUrl` links towards the imprint * `config.pub-solar-os.auth.enable` enables the keycloak installation. This is needed because `config.pub-solar-os.auth` has to be available everywhere, but we do not want to install keycloak everywhere. * `config.pub-solar-os.auth.realm` sets the keycloak realm name
# NixOS module for the MediaWiki instance: it renders LocalSettings.php into
# the Nix store, provisions the wiki's secrets with agenix, and runs the
# upstream image as an OCI container behind nginx, with the database on the
# host's PostgreSQL reached over the docker bridge.
{ flake
, config
, lib
, pkgs
, ...
}:
let
  # The rendered file lives in the world-readable Nix store, so no secret may
  # be interpolated into it.  Every credential below is read at runtime from
  # /run/mediawiki, which the age.secrets entries further down populate.
  localSettingsPHP = pkgs.writeScript "LocalSettings.php" ''
    <?php
    # Protect against web entry
    if ( !defined( 'MEDIAWIKI' ) ) {
      exit;
    }

    # Debugging switches.  Keep them commented out outside of troubleshooting;
    # enabling them exposes error details to wiki visitors.
    # error_reporting( -1 );
    # ini_set( 'display_errors', 1 );
    # $wgShowExceptionDetails = true;
    # $wgDBerrorLog = '/dev/stderr';
    # $wgDebugLogFile = "/dev/stderr";

    $wgSitename = "pub.solar wiki";
    $wgMetaNamespace = false;

    ## The URL base path to the directory containing the wiki;
    ## defaults for all runtime URL paths are based off of this.
    ## For more information on customizing the URLs
    ## (like /w/index.php/Page_title to /wiki/Page_title) please see:
    ## https://www.mediawiki.org/wiki/Manual:Short_URL
    ## NOTE(review): this holds a full URL rather than a bare path, which looks
    ## intentional given the OpenID Connect known-issues link below; confirm it
    ## is still required when upgrading the extension.
    $wgScriptPath = "https://wiki.${config.pub-solar-os.networking.domain}";

    ## https://www.mediawiki.org/wiki/Manual:Short_URL
    ## https://www.mediawiki.org/wiki/Extension:OpenID_Connect#Known_issues
    $wgArticlePath = "/index.php/$1";

    ## The protocol and server name to use in fully-qualified URLs
    $wgServer = "https://wiki.${config.pub-solar-os.networking.domain}";

    ## The URL path to static resources (images, scripts, etc.)
    $wgResourceBasePath = $wgScriptPath;

    ## The URL path to the logo. Make sure you change this from the default,
    ## or else you'll overwrite your logo when you upgrade!
    $wgLogo = "https://pub.solar/assets/pubsolar.svg";

    ## UPO means: this is also a user preference option

    $wgEnableEmail = true;
    $wgEnableUserEmail = true; # UPO

    ## Sender address for wiki mail; still hard-coded to pub.solar rather than
    ## derived from the configured domain option.
    $wgPasswordSender = "admins@pub.solar";

    $wgEnotifUserTalk = false; # UPO
    $wgEnotifWatchlist = false; # UPO
    $wgEmailAuthentication = true;

    ## Database settings
    ## host.docker.internal is mapped to the host gateway by the container's
    ## --add-host option, so this connection crosses the docker bridge; the
    ## matching pg_hba rule is in services.postgresql.authentication below.
    $wgDBtype = "postgres";
    $wgDBserver = "host.docker.internal";
    $wgDBport = "5432";
    $wgDBname = "mediawiki";
    $wgDBuser = "mediawiki";
    ## Read at request time from the agenix-managed file; trim() strips the
    ## surrounding whitespace (typically a trailing newline).
    $wgDBpassword = trim(file_get_contents("/run/mediawiki/database-password"));

    ## Shared memory settings
    ## No object cache is configured.
    $wgMainCacheType = CACHE_NONE;
    $wgMemCachedServers = [];

    ## Uploads are stored under /var/www/html/uploads, which the container
    ## bind-mounts from /var/lib/mediawiki/uploads (see the volumes list).
    $wgEnableUploads = true;
    $wgUploadDirectory = "/var/www/html/uploads";
    $wgUploadPath = $wgScriptPath . "/uploads";

    ## Binary paths below refer to the container image, not the host.
    $wgUseImageMagick = true;
    $wgImageMagickConvertCommand = "/usr/bin/convert";

    # InstantCommons allows wiki to use images from https://commons.wikimedia.org
    $wgUseInstantCommons = true;

    # Periodically send a pingback to https://www.mediawiki.org/ with basic data
    # about this MediaWiki instance. The Wikimedia Foundation shares this data
    # with MediaWiki developers to help guide future development efforts.
    $wgPingback = true;

    ## If you use ImageMagick (or any other shell command) on a
    ## Linux server, this will need to be set to the name of an
    ## available UTF-8 locale
    $wgShellLocale = "C.UTF-8";

    # Site language code, should be one of the list in ./languages/data/Names.php
    $wgLanguageCode = "en";

    # Signing key for tokens.  It must never be written into this file itself,
    # as the file ends up in the Nix store; it is provisioned via age.secrets.
    $wgSecretKey = trim(file_get_contents("/run/mediawiki/secret-key"));

    # Changing this will log out all existing sessions.
    $wgAuthenticationTokenVersion = "";

    ## For attaching licensing metadata to pages, and displaying an
    ## appropriate copyright notice / icon. GNU Free Documentation
    ## License and Creative Commons licenses are supported so far.
    $wgRightsPage = ""; # Set to the title of a wiki page that describes your license/copyright
    $wgRightsUrl = "";
    $wgRightsText = "";
    $wgRightsIcon = "";

    # Path to the GNU diff3 utility. Used for conflict resolution.
    $wgDiff = "/usr/bin/diff";
    $wgDiff3 = "/usr/bin/diff3";

    # Enabled skins.
    wfLoadSkin('MonoBook');
    wfLoadSkin('Timeless');
    wfLoadSkin('Vector');

    # Enabled extensions.
    # OpenIDConnect is a PluggableAuth plugin; both must be loaded for the
    # $wgPluggableAuth_Config entry further down to take effect.
    wfLoadExtension('OpenIDConnect');
    wfLoadExtension('PluggableAuth');
    wfLoadExtension('VisualEditor');
    wfLoadExtension('TemplateStyles');

    # End of automatically generated settings.
    # Add more configuration options below.

    $wgLogos = [
      'svg' => "https://pub.solar/assets/pubsolar.svg",
      'icon' => "https://pub.solar/assets/pubsolar.svg",
      'wordmark' => [
        'src'=> "https://pub.solar/assets/pubsolar.svg",
        'width'=> 0,
        'height'=> 0,
      ],
    ];
    $wgFavicon = 'https://pub.solar/assets/pubsolar.svg';

    $wgDefaultSkin = 'vector-2022';

    // https://www.mediawiki.org/wiki/Extension:PluggableAuth#Installation
    // Lets a first successful SSO login create the matching local account.
    // NOTE(review): the separate 'createaccount' right for '*' is not touched
    // here; verify it matches the intent that accounts only originate from
    // Keycloak.
    $wgGroupPermissions['*']['autocreateaccount'] = true;

    // https://www.mediawiki.org/wiki/Extension:PluggableAuth#Configuration
    // Anonymous visitors are not redirected to Keycloak automatically; they
    // have to use the login button.
    $wgPluggableAuth_EnableAutoLogin = false;
    $wgPluggableAuth_ButtonLabel = 'Login with pub.solar ID';

    // https://www.mediawiki.org/wiki/Extension:OpenID_Connect#Keycloak
    // The issuer URL is built from the same domain and realm options the
    // Keycloak module uses, so both stay in sync when the options change.
    // The client secret is read from the agenix-managed file, never inlined.
    $wgPluggableAuth_Config[] = [
      'plugin' => 'OpenIDConnect',
      'data' => [
        'providerURL' => 'https://auth.${config.pub-solar-os.networking.domain}/realms/${config.pub-solar-os.auth.realm}',
        'clientID' => 'mediawiki',
        'clientsecret' => trim(file_get_contents('/run/mediawiki/oidc-client-secret'))
      ]
    ];
    // Single logout: signing out of the wiki is meant to end the Keycloak
    // session as well.
    $wgOpenIDConnect_SingleLogout = true;
    // NOTE(review): matches an incoming OIDC identity to an existing local
    // account by e-mail address.  That is only safe while Keycloak guarantees
    // e-mail addresses are verified and unique per user; confirm the realm
    // enforces this.
    $wgOpenIDConnect_MigrateUsersByEmail = true;
  '';

  # Fixed ids so the host user/group and the files under /var/lib/mediawiki and
  # /run/mediawiki keep consistent ownership across rebuilds.  gid is also the
  # group the container process runs with (see virtualisation below).
  uid = 986;
  gid = 984;
in
{
  # Secrets are decrypted into /run/mediawiki, which is bind-mounted into the
  # container.  Mode 440 with group mediawiki is what lets the container read
  # them: it runs as uid 1000, not the host mediawiki uid, but with the
  # mediawiki gid.
  age.secrets.mediawiki-database-password = {
    file = "${flake.self}/secrets/mediawiki-database-password.age";
    path = "/run/mediawiki/database-password";
    # Presumably a real file is needed because the directory is bind-mounted
    # into the container, where a symlink into the agenix store would not
    # resolve -- confirm.
    symlink = false;
    mode = "440";
    owner = "mediawiki";
    group = "mediawiki";
  };

  age.secrets.mediawiki-oidc-client-secret = {
    file = "${flake.self}/secrets/mediawiki-oidc-client-secret.age";
    path = "/run/mediawiki/oidc-client-secret";
    symlink = false;
    mode = "440";
    owner = "mediawiki";
    group = "mediawiki";
  };

  age.secrets.mediawiki-secret-key = {
    file = "${flake.self}/secrets/mediawiki-secret-key.age";
    path = "/run/mediawiki/secret-key";
    symlink = false;
    mode = "440";
    owner = "mediawiki";
    group = "mediawiki";
  };

  # Allow the container (on the default docker bridge subnet) to reach the
  # wiki database with a password.
  # NOTE(review): `password` is PostgreSQL's cleartext method, so the
  # credential crosses the bridge network unencrypted, and `all` admits any
  # role.  Consider `host mediawiki mediawiki 172.17.0.0/16 scram-sha-256`
  # once the role's password is stored in SCRAM form.
  services.postgresql = {
    authentication = ''
      host mediawiki all 172.17.0.0/16 password
    '';
  };

  # Public entry point: TLS terminates here and requests are proxied to the
  # container, which only listens on loopback (see ports below).
  services.nginx.virtualHosts."wiki.${config.pub-solar-os.networking.domain}" = {
    enableACME = true;
    forceSSL = true;

    locations."/".proxyPass = "http://127.0.0.1:8293";
  };

  # Host identity that owns the secrets and data directories.
  users.users.mediawiki = {
    isSystemUser = true;
    group = "mediawiki";
    inherit uid;
  };
  users.groups.mediawiki = { inherit gid; };

  virtualisation = {
    oci-containers = {
      backend = "docker";

      containers."mediawiki" = {
        # NOTE(review): the tag is mutable and --pull=always re-fetches it on
        # every start, so what runs can change without a Nix rebuild.  Pinning
        # by digest (image = "...mediawiki-oidc-docker@sha256:<DIGEST-PLACEHOLDER>")
        # would make the deployment reproducible and auditable.
        image = "git.pub.solar/pub-solar/mediawiki-oidc-docker:1.41.1";
        # uid 1000 is presumably what the image expects -- TODO confirm; the
        # gid is what grants read access to the age secrets (mode 440, group
        # mediawiki).
        user = "1000:${builtins.toString gid}";
        autoStart = true;

        # Loopback only; nginx above is the sole external path.
        ports = [
          "127.0.0.1:8293:80"
        ];

        # --add-host makes host.docker.internal resolve to the host so
        # LocalSettings.php can reach PostgreSQL.
        extraOptions = [
          "--add-host=host.docker.internal:host-gateway"
          "--pull=always"
        ];

        # LocalSettings.php is mounted straight from the Nix store path that
        # writeScript above produced; secrets come in via /run/mediawiki.
        volumes = [
          "/run/mediawiki:/run/mediawiki"
          "/var/lib/mediawiki/images:/var/www/html/images"
          "/var/lib/mediawiki/uploads:/var/www/html/uploads"
          "/var/lib/mediawiki/logs:/var/log/mediawiki"
          "${localSettingsPHP}:/var/www/html/LocalSettings.php"
        ];
      };
    };
  };
}