diff --git a/hosts/containers/mediawiki/default.nix b/hosts/containers/mediawiki/default.nix new file mode 100644 index 00000000..c64b5be2 --- /dev/null +++ b/hosts/containers/mediawiki/default.nix @@ -0,0 +1,200 @@ +{ zentralwerk, config, lib, pkgs, ... }: +let + ourMediawiki = pkgs.mediawiki.overrideAttrs ({pname, ...}: rec { + version = "1.38.1"; + src = with lib; pkgs.fetchurl { + url = "https://releases.wikimedia.org/mediawiki/${versions.majorMinor version}/${pname}-${version}.tar.gz"; + sha256 = "sha256-EXNlUloN7xsgnKUIV9ZXNrYlRbh3p1NIpXqF0SZDezE="; + }; + }); +in { + networking.hostName = "mediawiki"; + networking.interfaces.eth0 = { + ipv4.addresses = [{ + address = config.c3d2.hosts.wiki.ip4; + prefixLength = zentralwerk.lib.config.site.net.serv.subnet4Len; + }]; + useDHCP = false; + }; + networking.defaultGateway = "172.20.73.1"; + networking.firewall.allowedTCPPorts = [ 80 443 ]; + + c3d2.autoUpdate = true; + + services.nginx = { + enable = true; + virtualHosts."wiki.c3d2.de" = { + default = true; + forceSSL = true; + #can only be set after subdomain was changed + enableACME = true; + }; + }; + + boot.isContainer = true; + + # Let 'nixos-version --json' know about the Git revision + # of this flake. + system.configurationRevision = nixpkgs.lib.mkIf (self ? rev) self.rev; + + # Network configuration. + networking.useDHCP = false; + networking.firewall.allowedTCPPorts = [ 80 5432 ]; + + services.postgresql = + let + cfg = config.services.mediawiki; + in { + enable = true; + enableTCPIP = true; + package = pkgs.postgresql_11; + ensureDatabases = [ cfg.database.name ]; + + ensureUsers = [{ + name = cfg.database.user; + ensurePermissions = { "DATABASE ${cfg.database.name}" = "ALL PRIVILEGES"; }; + } + ]; + authentication = lib.mkForce '' + # TYPE DATABASE USER ADDRESS METHOD + local all all trust + host all all 127.0.0.1/32 trust + host all all 10.233.2.1/32 trust + host all all ::1/128 trust + '';}; + + system.stateVersion = "22.05"; + + services.mediawiki = let + cfg = config.services.mediawiki; + in { + enable = true; + package = ourMediawiki; + virtualHosts."wiki.c3d2.de" = { + default = true; + adminAddr = "root@example.com"; + }; + #skins = { + # Vector = "${ourMediawiki}/share/mediawiki/skins/Vector"; + # Hector = "${ourMediawiki}/share/mediawiki/skins/Hector"; + #}; + name = "C3D2"; + + extraConfig = '' + $wgShowExceptionDetails = true; + $wgDBserver = "${cfg.database.socket}"; + $wgDBmwschema = "mediawiki"; + + $wgLogo = "https://www.c3d2.de/images/ck.png"; + $wgEmergencyContact = "wiki@c3d2.de"; + $wgPasswordSender = "wiki@c3d2.de"; + $wgLanguageCode = "de"; + + $wgGroupPermissions['*']['edit'] = false; + $wgGroupPermissions['user']['edit'] = true; + $wgGroupPermissions['sysop']['interwiki'] = true; + $wgGroupPermissions['sysop']['userrights'] = true; + + define("NS_INTERN", 100); + define("NS_INTERN_TALK", 101); + + $wgExtraNamespaces[NS_INTERN] = "Intern"; + $wgExtraNamespaces[NS_INTERN_TALK] = "Intern_Diskussion"; + + $wgGroupPermissions['intern']['move'] = true; + $wgGroupPermissions['intern']['move-subpages'] = true; + $wgGroupPermissions['intern']['move-rootuserpages'] = true; // can move root userpages + $wgGroupPermissions['intern']['read'] = true; + $wgGroupPermissions['intern']['edit'] = true; + $wgGroupPermissions['intern']['createpage'] = true; + $wgGroupPermissions['intern']['createtalk'] = true; + $wgGroupPermissions['intern']['writeapi'] = true; + $wgGroupPermissions['intern']['upload'] = true; + $wgGroupPermissions['intern']['reupload'] = true; + $wgGroupPermissions['intern']['reupload-shared'] = true; + $wgGroupPermissions['intern']['minoredit'] = true; + $wgGroupPermissions['intern']['purge'] = true; // can use ?action=purge without clicking "ok" + $wgGroupPermissions['intern']['sendemail'] = true; + + $wgNamespacePermissionLockdown[NS_INTERN]['*'] = array('intern'); + $wgNamespacePermissionLockdown[NS_INTERN_TALK]['*'] = array('intern'); + + define("NS_I4R", 102); + define("NS_I4R_TALK", 103); + $wgExtraNamespaces[NS_I4R] = "IT4Refugees"; + $wgExtraNamespaces[NS_I4R_TALK] = "IT4Refugees_Diskussion"; + $wgGroupPermissions['i4r']['move'] = true; + $wgGroupPermissions['i4r']['move-subpages'] = true; + $wgGroupPermissions['i4r']['move-rootuserpages'] = true; // can move root userpages + $wgGroupPermissions['i4r']['read'] = true; + $wgGroupPermissions['i4r']['edit'] = true; + $wgGroupPermissions['i4r']['createpage'] = true; + $wgGroupPermissions['i4r']['createtalk'] = true; + $wgGroupPermissions['i4r']['writeapi'] = true; + $wgGroupPermissions['i4r']['upload'] = true; + $wgGroupPermissions['i4r']['reupload'] = true; + $wgGroupPermissions['i4r']['reupload-shared'] = true; + $wgGroupPermissions['i4r']['minoredit'] = true; + $wgGroupPermissions['i4r']['purge'] = true; // can use ?action=purge without clicking "ok" + $wgGroupPermissions['i4r']['sendemail'] = true; + $wgNamespacePermissionLockdown[NS_I4R]['*'] = array('i4r'); + $wgNamespacePermissionLockdown[NS_I4R_TALK]['*'] = array('i4r'); + + $wgGroupPermissions['sysop']['deletelogentry'] = true; + $wgGroupPermissions['sysop']['deleterevision'] = true; + + $wgEnableAPI = true; + $wgAllowUserCss = true; + $wgUseAjax = true; + $wgEnableMWSuggest = true; + + $wgScribuntoDefaultEngine = 'luastandalone'; + ''; + extensions = { + Interwiki = pkgs.fetchzip { + url = "https://extdist.wmflabs.org/dist/extensions/Interwiki-REL1_38-223bbf8.tar.gz"; + sha256 = "sha256-A4tQuISJNzzXPXJXv9N1jMat1VuZ7khYzk2jxoUqzIk="; + }; + Cite = pkgs.fetchzip { + url = "https://extdist.wmflabs.org/dist/extensions/Cite-REL1_38-7fdd57d.tar.gz"; + sha256 = "sha256-/s9byrAVjky0EeiokUEchG3ICw+Q2T6HLjbzHnl3uVE="; + }; + ConfirmEdit = pkgs.fetchzip { + url = "https://extdist.wmflabs.org/dist/extensions/ConfirmEdit-REL1_38-9ae04a5.tar.gz"; + sha256 = "sha256-iiRT98uUmy1gvKzl/5ijheAAjUK3BLewt8IG8qdCHsA="; + }; + CiteThisPage = pkgs.fetchzip { + url = "https://extdist.wmflabs.org/dist/extensions/CiteThisPage-REL1_38-157e3bc.tar.gz"; + sha256 = "sha256-q2z4y4Afcq98/Dh6kQqZxeUg9fYFv9ntR+UyelHLDKc="; + }; + ParserFunctions = pkgs.fetchzip { + url = "https://extdist.wmflabs.org/dist/extensions/ParserFunctions-REL1_38-c2ccf36.tar.gz"; + sha256 = "sha256-z3Gwl/xzFBUUAm9u6ixgfJgrO5oTopXGuXEpaewUG1Y="; + }; + SyntaxHightlight = pkgs.fetchzip { + url = "https://extdist.wmflabs.org/dist/extensions/SyntaxHighlight_GeSHi-REL1_38-150f839.tar.gz"; + sha256 = "sha256-miXbsf2TdalEkUGiVrh55q3NuEtmnQQbb0f1XBmSilw="; + }; + intersection = pkgs.fetchzip { + url = "https://extdist.wmflabs.org/dist/extensions/intersection-REL1_38-8525097.tar.gz"; + sha256 = "sha256-shgA0XLG6pgikqldOfda40hV9zC1eBp+NalGhevFq2Q="; + }; + Scribunto = pkgs.fetchzip { + url = "https://extdist.wmflabs.org/dist/extensions/Scribunto-REL1_38-bd2f615.tar.gz"; + sha256 = "sha256-e70P8/0CsWWftyh2LhFw/Fv3E34Bl8HIZxVszuUl8Pk="; + }; + Lockdown = pkgs.fetchzip { + url = "https://extdist.wmflabs.org/dist/extensions/Lockdown-REL1_38-1915db4.tar.gz"; + sha256 = "sha256-YCYsjh/3g2P8oT6IomP3UWjOoggH7jYjiiix7poOYnA="; + }; + }; + passwordFile = pkgs.writeText "password" "topSecretF0rAll!!!!"; + database = { + type = "postgres"; + socket = "/run/postgresql"; + user = "mediawiki"; + name = "mediawiki"; + }; + uploadsDir = "/var/lib/mediawiki/uploads"; + }; +}