infra/modules/mediawiki/default.nix
Benjamin Yule Bädorf 68278ad983
refactor: use options for config parts
This works towards having reusable modules

* `config.pub-solar-os.networking.domain` is used for the main domain
* `config.pub-solar-os.privacyPolicUrl` links towards the privacy policy
* `config.pub-solar-os.imprintUrl` links towards the imprint
* `config.pub-solar-os.auth.enable` enables the keycloak installation.
  This is needed because `config.pub-solar-os.auth` has to be available
  everywhere, but we do not want to install keycloak everywhere.
* `config.pub-solar-os.auth.realm` sets the keycloak realm name
2024-05-08 19:47:47 +02:00


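{ flake
, config
, lib
, pkgs
, ...
}:
let
  # MediaWiki's LocalSettings.php, rendered into the Nix store and bind-mounted
  # into the container (see `volumes` below). The store path is world-readable,
  # so the file must not embed secret material: the database password, the OIDC
  # client secret and $wgSecretKey are read at runtime from /run/mediawiki,
  # which is populated from the age-encrypted files declared below.
  # writeText instead of writeScript: PHP only `require`s this file, so the
  # executable bit writeScript would set is not needed.
  localSettingsPHP = pkgs.writeText "LocalSettings.php" ''
    <?php
    # Protect against web entry
    if ( !defined( 'MEDIAWIKI' ) ) {
      exit;
    }
    # error_reporting( -1 );
    # ini_set( 'display_errors', 1 );
    # $wgShowExceptionDetails = true;
    # $wgDBerrorLog = '/dev/stderr';
    # $wgDebugLogFile = "/dev/stderr";
    $wgSitename = "pub.solar wiki";
    $wgMetaNamespace = false;
    ## The URL base path to the directory containing the wiki;
    ## defaults for all runtime URL paths are based off of this.
    ## For more information on customizing the URLs
    ## (like /w/index.php/Page_title to /wiki/Page_title) please see:
    ## https://www.mediawiki.org/wiki/Manual:Short_URL
    $wgScriptPath = "https://wiki.${config.pub-solar-os.networking.domain}";
    ## https://www.mediawiki.org/wiki/Manual:Short_URL
    ## https://www.mediawiki.org/wiki/Extension:OpenID_Connect#Known_issues
    $wgArticlePath = "/index.php/$1";
    ## The protocol and server name to use in fully-qualified URLs
    $wgServer = "https://wiki.${config.pub-solar-os.networking.domain}";
    ## The URL path to static resources (images, scripts, etc.)
    $wgResourceBasePath = $wgScriptPath;
    ## The URL path to the logo. Make sure you change this from the default,
    ## or else you'll overwrite your logo when you upgrade!
    $wgLogo = "https://pub.solar/assets/pubsolar.svg";
    ## UPO means: this is also a user preference option
    $wgEnableEmail = true;
    $wgEnableUserEmail = true; # UPO
    $wgPasswordSender = "admins@pub.solar";
    $wgEnotifUserTalk = false; # UPO
    $wgEnotifWatchlist = false; # UPO
    $wgEmailAuthentication = true;
    ## Database settings
    $wgDBtype = "postgres";
    $wgDBserver = "host.docker.internal";
    $wgDBport = "5432";
    $wgDBname = "mediawiki";
    $wgDBuser = "mediawiki";
    $wgDBpassword = trim(file_get_contents("/run/mediawiki/database-password"));
    ## Shared memory settings
    $wgMainCacheType = CACHE_NONE;
    $wgMemCachedServers = [];
    $wgEnableUploads = true;
    $wgUploadDirectory = "/var/www/html/uploads";
    $wgUploadPath = $wgScriptPath . "/uploads";
    $wgUseImageMagick = true;
    $wgImageMagickConvertCommand = "/usr/bin/convert";
    # InstantCommons allows wiki to use images from https://commons.wikimedia.org
    $wgUseInstantCommons = true;
    # Periodically send a pingback to https://www.mediawiki.org/ with basic data
    # about this MediaWiki instance. The Wikimedia Foundation shares this data
    # with MediaWiki developers to help guide future development efforts.
    $wgPingback = true;
    ## If you use ImageMagick (or any other shell command) on a
    ## Linux server, this will need to be set to the name of an
    ## available UTF-8 locale
    $wgShellLocale = "C.UTF-8";
    # Site language code, should be one of the list in ./languages/data/Names.php
    $wgLanguageCode = "en";
    $wgSecretKey = trim(file_get_contents("/run/mediawiki/secret-key"));
    # Changing this will log out all existing sessions.
    $wgAuthenticationTokenVersion = "";
    ## For attaching licensing metadata to pages, and displaying an
    ## appropriate copyright notice / icon. GNU Free Documentation
    ## License and Creative Commons licenses are supported so far.
    $wgRightsPage = ""; # Set to the title of a wiki page that describes your license/copyright
    $wgRightsUrl = "";
    $wgRightsText = "";
    $wgRightsIcon = "";
    # Path to the GNU diff3 utility. Used for conflict resolution.
    $wgDiff = "/usr/bin/diff";
    $wgDiff3 = "/usr/bin/diff3";
    # Enabled skins.
    wfLoadSkin('MonoBook');
    wfLoadSkin('Timeless');
    wfLoadSkin('Vector');
    # Enabled extensions.
    wfLoadExtension('OpenIDConnect');
    wfLoadExtension('PluggableAuth');
    wfLoadExtension('VisualEditor');
    wfLoadExtension('TemplateStyles');
    # End of automatically generated settings.
    # Add more configuration options below.
    $wgLogos = [
      'svg' => "https://pub.solar/assets/pubsolar.svg",
      'icon' => "https://pub.solar/assets/pubsolar.svg",
      'wordmark' => [
        'src'=> "https://pub.solar/assets/pubsolar.svg",
        'width'=> 0,
        'height'=> 0,
      ],
    ];
    $wgFavicon = 'https://pub.solar/assets/pubsolar.svg';
    $wgDefaultSkin = 'vector-2022';
    // https://www.mediawiki.org/wiki/Extension:PluggableAuth#Installation
    $wgGroupPermissions['*']['autocreateaccount'] = true;
    // https://www.mediawiki.org/wiki/Extension:PluggableAuth#Configuration
    $wgPluggableAuth_EnableAutoLogin = false;
    $wgPluggableAuth_ButtonLabel = 'Login with pub.solar ID';
    // https://www.mediawiki.org/wiki/Extension:OpenID_Connect#Keycloak
    $wgPluggableAuth_Config[] = [
      'plugin' => 'OpenIDConnect',
      'data' => [
        'providerURL' => 'https://auth.${config.pub-solar-os.networking.domain}/realms/${config.pub-solar-os.auth.realm}',
        'clientID' => 'mediawiki',
        'clientsecret' => trim(file_get_contents('/run/mediawiki/oidc-client-secret'))
      ]
    ];
    $wgOpenIDConnect_SingleLogout = true;
    $wgOpenIDConnect_MigrateUsersByEmail = true;
  '';

  # Fixed ids for the host-side mediawiki user/group. The gid is also handed to
  # the container (`user` below) so the container process can read the
  # group-readable (mode 440, group mediawiki) secrets under /run/mediawiki.
  uid = 986;
  gid = 984;
in
{
  # Decrypted secrets are materialised as regular files (not store symlinks)
  # under /run/mediawiki, the directory that is bind-mounted into the container
  # and read by LocalSettings.php.
  age.secrets.mediawiki-database-password = {
    file = "${flake.self}/secrets/mediawiki-database-password.age";
    path = "/run/mediawiki/database-password";
    symlink = false;
    mode = "440";
    owner = "mediawiki";
    group = "mediawiki";
  };

  age.secrets.mediawiki-oidc-client-secret = {
    file = "${flake.self}/secrets/mediawiki-oidc-client-secret.age";
    path = "/run/mediawiki/oidc-client-secret";
    symlink = false;
    mode = "440";
    owner = "mediawiki";
    group = "mediawiki";
  };

  age.secrets.mediawiki-secret-key = {
    file = "${flake.self}/secrets/mediawiki-secret-key.age";
    path = "/run/mediawiki/secret-key";
    symlink = false;
    mode = "440";
    owner = "mediawiki";
    group = "mediawiki";
  };

  services.postgresql = {
    # pg_hba.conf columns: TYPE DATABASE USER ADDRESS METHOD.
    # Only the `mediawiki` role (the one LocalSettings.php connects as) may
    # reach the `mediawiki` database from the docker bridge network. The earlier
    # rule had `all` in the USER column, which admitted any role from that
    # network. NOTE(review): the `password` method transmits the password in
    # clear text over the bridge; moving to `scram-sha-256` requires the stored
    # role password to be a scram hash (check password_encryption) — confirm
    # before changing.
    authentication = ''
      host mediawiki mediawiki 172.17.0.0/16 password
    '';
  };

  # TLS termination; the container only listens on loopback (see `ports`).
  services.nginx.virtualHosts."wiki.${config.pub-solar-os.networking.domain}" = {
    enableACME = true;
    forceSSL = true;
    locations."/".proxyPass = "http://127.0.0.1:8293";
  };

  users.users.mediawiki = {
    isSystemUser = true;
    group = "mediawiki";
    inherit uid;
  };
  users.groups.mediawiki = { inherit gid; };

  virtualisation = {
    oci-containers = {
      backend = "docker";
      containers."mediawiki" = {
        # The tag pins a MediaWiki release, but together with `--pull=always`
        # below the tag is re-resolved on every start and a tag can be moved.
        # Pinning by digest (`image@sha256:<digest>`) would make the deployed
        # image reproducible and tamper-evident.
        image = "git.pub.solar/pub-solar/mediawiki-oidc-docker:1.41.1";
        # uid 1000 inside the container; the host mediawiki gid grants read
        # access to the 440 secrets mounted from /run/mediawiki.
        user = "1000:${builtins.toString gid}";
        autoStart = true;
        # Loopback only; nginx proxies to this port.
        ports = [
          "127.0.0.1:8293:80"
        ];
        extraOptions = [
          # Lets the container reach the host's postgres as host.docker.internal
          # ($wgDBserver in LocalSettings.php).
          "--add-host=host.docker.internal:host-gateway"
          "--pull=always"
        ];
        volumes = [
          "/run/mediawiki:/run/mediawiki"
          "/var/lib/mediawiki/images:/var/www/html/images"
          "/var/lib/mediawiki/uploads:/var/www/html/uploads"
          "/var/lib/mediawiki/logs:/var/log/mediawiki"
          "${localSettingsPHP}:/var/www/html/LocalSettings.php"
        ];
      };
    };
  };
}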