diff --git a/hosts/containers/mediawiki/default.nix b/hosts/containers/mediawiki/default.nix index 2e8304df..91bd8603 100644 --- a/hosts/containers/mediawiki/default.nix +++ b/hosts/containers/mediawiki/default.nix @@ -1,19 +1,20 @@ { zentralwerk, config, lib, pkgs, ... }: let - ourMediawiki = pkgs.mediawiki.overrideAttrs ({pname, ...}: rec { + ourMediawiki = pkgs.mediawiki.overrideAttrs ({ pname, ... }: rec { version = "1.38.1"; src = with lib; pkgs.fetchurl { url = "https://releases.wikimedia.org/mediawiki/${versions.majorMinor version}/${pname}-${version}.tar.gz"; sha256 = "sha256-EXNlUloN7xsgnKUIV9ZXNrYlRbh3p1NIpXqF0SZDezE="; }; }); -in { +in +{ networking.hostName = "mediawiki"; networking.firewall.allowedTCPPorts = [ 80 443 ]; c3d2.deployment = { server = "server10"; - mounts = [ "etc" "home" "var"]; + mounts = [ "etc" "home" "var" ]; }; services.nginx = { @@ -29,7 +30,8 @@ in { services.postgresql = let cfg = config.services.mediawiki; - in { + in + { enable = true; enableTCPIP = true; package = pkgs.postgresql_11; 
@@ -38,173 +40,175 @@ in { ensureUsers = [{ name = cfg.database.user; ensurePermissions = { "DATABASE ${cfg.database.name}" = "ALL PRIVILEGES"; }; - } - ]; - authentication = lib.mkForce '' - # TYPE DATABASE USER ADDRESS METHOD - local all all trust - host all all 127.0.0.1/32 trust - host all all 10.233.2.1/32 trust - host all all ::1/128 trust - '';}; + }]; + authentication = lib.mkForce '' + # TYPE DATABASE USER ADDRESS METHOD + local all all trust + host all all 127.0.0.1/32 trust + host all all 10.233.2.1/32 trust + host all all ::1/128 trust + ''; + }; - system.stateVersion = "22.05"; + system.stateVersion = "22.05"; - sops.secrets = { - "mediawiki/adminPassword" = { - owner = config.systemd.services.mediawiki.serviceConfig.User; - }; - "mediawiki/upgradeKey" = { - owner = config.systemd.services.mediawiki.serviceConfig.User; - }; - "mediawiki/secretKey" = { - owner = config.systemd.services.mediawiki.serviceConfig.User; - path = "/var/lib/mediawiki/secret.key"; - }; - }; + sops.secrets = { + "mediawiki/adminPassword" = { + owner = config.systemd.services.mediawiki.serviceConfig.User; + }; + "mediawiki/upgradeKey" = { + owner = config.systemd.services.mediawiki.serviceConfig.User; + }; + "mediawiki/secretKey" = { + owner = config.systemd.services.mediawiki.serviceConfig.User; + path = "/var/lib/mediawiki/secret.key"; + }; + }; - sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; + sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; - services.logrotate.checkConfig = false; + services.logrotate.checkConfig = false; - services.mediawiki = let - cfg = config.services.mediawiki; - in { + services.mediawiki = + let + cfg = config.services.mediawiki; + in + { enable = true; package = ourMediawiki; virtualHost = { hostName = "wiki.c3d2.de"; adminAddr = "root@example.com"; }; - #skins = { - # Vector = "${ourMediawiki}/share/mediawiki/skins/Vector"; - # Hector = "${ourMediawiki}/share/mediawiki/skins/Hector"; - #}; - name = "C3D2"; + #skins = { + # 
Vector = "${ourMediawiki}/share/mediawiki/skins/Vector"; + # Hector = "${ourMediawiki}/share/mediawiki/skins/Hector"; + #}; + name = "C3D2"; - extraConfig = '' - $wgShowExceptionDetails = true; - $wgDBserver = "${cfg.database.socket}"; - $wgDBmwschema = "mediawiki"; + extraConfig = '' + $wgShowExceptionDetails = true; + $wgDBserver = "${cfg.database.socket}"; + $wgDBmwschema = "mediawiki"; - $wgLogo = "https://www.c3d2.de/images/ck.png"; - $wgEmergencyContact = "wiki@c3d2.de"; - $wgPasswordSender = "wiki@c3d2.de"; - $wgLanguageCode = "de"; + $wgLogo = "https://www.c3d2.de/images/ck.png"; + $wgEmergencyContact = "wiki@c3d2.de"; + $wgPasswordSender = "wiki@c3d2.de"; + $wgLanguageCode = "de"; - $wgGroupPermissions['*']['edit'] = false; - $wgGroupPermissions['user']['edit'] = true; - $wgGroupPermissions['sysop']['interwiki'] = true; - $wgGroupPermissions['sysop']['userrights'] = true; + $wgGroupPermissions['*']['edit'] = false; + $wgGroupPermissions['user']['edit'] = true; + $wgGroupPermissions['sysop']['interwiki'] = true; + $wgGroupPermissions['sysop']['userrights'] = true; - define("NS_INTERN", 100); - define("NS_INTERN_TALK", 101); + define("NS_INTERN", 100); + define("NS_INTERN_TALK", 101); - $wgExtraNamespaces[NS_INTERN] = "Intern"; - $wgExtraNamespaces[NS_INTERN_TALK] = "Intern_Diskussion"; + $wgExtraNamespaces[NS_INTERN] = "Intern"; + $wgExtraNamespaces[NS_INTERN_TALK] = "Intern_Diskussion"; - $wgGroupPermissions['intern']['move'] = true; - $wgGroupPermissions['intern']['move-subpages'] = true; - $wgGroupPermissions['intern']['move-rootuserpages'] = true; // can move root userpages - $wgGroupPermissions['intern']['read'] = true; - $wgGroupPermissions['intern']['edit'] = true; - $wgGroupPermissions['intern']['createpage'] = true; - $wgGroupPermissions['intern']['createtalk'] = true; - $wgGroupPermissions['intern']['writeapi'] = true; - $wgGroupPermissions['intern']['upload'] = true; - $wgGroupPermissions['intern']['reupload'] = true; - 
$wgGroupPermissions['intern']['reupload-shared'] = true; - $wgGroupPermissions['intern']['minoredit'] = true; - $wgGroupPermissions['intern']['purge'] = true; // can use ?action=purge without clicking "ok" - $wgGroupPermissions['intern']['sendemail'] = true; + $wgGroupPermissions['intern']['move'] = true; + $wgGroupPermissions['intern']['move-subpages'] = true; + $wgGroupPermissions['intern']['move-rootuserpages'] = true; // can move root userpages + $wgGroupPermissions['intern']['read'] = true; + $wgGroupPermissions['intern']['edit'] = true; + $wgGroupPermissions['intern']['createpage'] = true; + $wgGroupPermissions['intern']['createtalk'] = true; + $wgGroupPermissions['intern']['writeapi'] = true; + $wgGroupPermissions['intern']['upload'] = true; + $wgGroupPermissions['intern']['reupload'] = true; + $wgGroupPermissions['intern']['reupload-shared'] = true; + $wgGroupPermissions['intern']['minoredit'] = true; + $wgGroupPermissions['intern']['purge'] = true; // can use ?action=purge without clicking "ok" + $wgGroupPermissions['intern']['sendemail'] = true; - $wgNamespacePermissionLockdown[NS_INTERN]['*'] = array('intern'); - $wgNamespacePermissionLockdown[NS_INTERN_TALK]['*'] = array('intern'); + $wgNamespacePermissionLockdown[NS_INTERN]['*'] = array('intern'); + $wgNamespacePermissionLockdown[NS_INTERN_TALK]['*'] = array('intern'); - define("NS_I4R", 102); - define("NS_I4R_TALK", 103); - $wgExtraNamespaces[NS_I4R] = "IT4Refugees"; - $wgExtraNamespaces[NS_I4R_TALK] = "IT4Refugees_Diskussion"; - $wgGroupPermissions['i4r']['move'] = true; - $wgGroupPermissions['i4r']['move-subpages'] = true; - $wgGroupPermissions['i4r']['move-rootuserpages'] = true; // can move root userpages - $wgGroupPermissions['i4r']['read'] = true; - $wgGroupPermissions['i4r']['edit'] = true; - $wgGroupPermissions['i4r']['createpage'] = true; - $wgGroupPermissions['i4r']['createtalk'] = true; - $wgGroupPermissions['i4r']['writeapi'] = true; - $wgGroupPermissions['i4r']['upload'] = true; - 
$wgGroupPermissions['i4r']['reupload'] = true; - $wgGroupPermissions['i4r']['reupload-shared'] = true; - $wgGroupPermissions['i4r']['minoredit'] = true; - $wgGroupPermissions['i4r']['purge'] = true; // can use ?action=purge without clicking "ok" - $wgGroupPermissions['i4r']['sendemail'] = true; - $wgNamespacePermissionLockdown[NS_I4R]['*'] = array('i4r'); - $wgNamespacePermissionLockdown[NS_I4R_TALK]['*'] = array('i4r'); + define("NS_I4R", 102); + define("NS_I4R_TALK", 103); + $wgExtraNamespaces[NS_I4R] = "IT4Refugees"; + $wgExtraNamespaces[NS_I4R_TALK] = "IT4Refugees_Diskussion"; + $wgGroupPermissions['i4r']['move'] = true; + $wgGroupPermissions['i4r']['move-subpages'] = true; + $wgGroupPermissions['i4r']['move-rootuserpages'] = true; // can move root userpages + $wgGroupPermissions['i4r']['read'] = true; + $wgGroupPermissions['i4r']['edit'] = true; + $wgGroupPermissions['i4r']['createpage'] = true; + $wgGroupPermissions['i4r']['createtalk'] = true; + $wgGroupPermissions['i4r']['writeapi'] = true; + $wgGroupPermissions['i4r']['upload'] = true; + $wgGroupPermissions['i4r']['reupload'] = true; + $wgGroupPermissions['i4r']['reupload-shared'] = true; + $wgGroupPermissions['i4r']['minoredit'] = true; + $wgGroupPermissions['i4r']['purge'] = true; // can use ?action=purge without clicking "ok" + $wgGroupPermissions['i4r']['sendemail'] = true; + $wgNamespacePermissionLockdown[NS_I4R]['*'] = array('i4r'); + $wgNamespacePermissionLockdown[NS_I4R_TALK]['*'] = array('i4r'); - $wgGroupPermissions['sysop']['deletelogentry'] = true; - $wgGroupPermissions['sysop']['deleterevision'] = true; + $wgGroupPermissions['sysop']['deletelogentry'] = true; + $wgGroupPermissions['sysop']['deleterevision'] = true; - $wgEnableAPI = true; - $wgAllowUserCss = true; - $wgUseAjax = true; - $wgEnableMWSuggest = true; + $wgEnableAPI = true; + $wgAllowUserCss = true; + $wgUseAjax = true; + $wgEnableMWSuggest = true; - //TODO what about $wgUpgradeKey ? + //TODO what about $wgUpgradeKey ? 
- $wgScribuntoDefaultEngine = 'luastandalone'; - ''; - # see https://extdist.wmflabs.org/dist/extensions/ for list of extensions - # save them on https://web.archive.org/save and copy the final URL below - extensions = { - Interwiki = pkgs.fetchzip { - url = "https://web.archive.org/web/20220617074130/https://extdist.wmflabs.org/dist/extensions/Interwiki-REL1_38-223bbf8.tar.gz"; - sha256 = "sha256-A4tQuISJNzzXPXJXv9N1jMat1VuZ7khYzk2jxoUqzIk="; - }; - Cite = pkgs.fetchzip { - url = "https://web.archive.org/web/20220627203658/https://extdist.wmflabs.org/dist/extensions/Cite-REL1_38-d40993e.tar.gz"; - sha256 = "sha256-dziMo6sH4yMPjnDtt0TXiGBxE5uGRJM+scwdeuer5sM="; - }; - ConfirmEdit = pkgs.fetchzip { - url = "https://web.archive.org/web/20220627203619/https://extdist.wmflabs.org/dist/extensions/ConfirmEdit-REL1_38-50f4dfd.tar.gz"; - sha256 = "sha256-babZDzcQDE446TBuGW/olbt2xRbPjk+5o3o9DUFlCxk="; - }; - CiteThisPage = pkgs.fetchzip { - url = "https://web.archive.org/web/20220627203556/https://extdist.wmflabs.org/dist/extensions/CiteThisPage-REL1_38-bb4881c.tar.gz"; - sha256 = "sha256-r1NgrhSratleQ356imxmF7KmAANvWvKpAgnLkm8IdKY="; - }; - ParserFunctions = pkgs.fetchzip { - url = "https://web.archive.org/web/20220627203519/https://extdist.wmflabs.org/dist/extensions/ParserFunctions-REL1_38-bc6a7c6.tar.gz"; - sha256 = "sha256-iDv4VSSFnTKEhvlVQcHHVp2hSWwDbv6jNCq1kOGuswo="; - }; - SyntaxHightlight = pkgs.fetchzip { - url = "https://web.archive.org/web/20220627203440/https://extdist.wmflabs.org/dist/extensions/SyntaxHighlight_GeSHi-REL1_38-79031cd.tar.gz"; - sha256 = "sha256-r1NgrhSratleQ356imxmF7KmAANvWvKpAgnLkm8IdKY="; - }; - intersection = pkgs.fetchzip { - url = "https://web.archive.org/web/20220627203336/https://extdist.wmflabs.org/dist/extensions/intersection-REL1_38-8525097.tar.gz"; - sha256 = "sha256-shgA0XLG6pgikqldOfda40hV9zC1eBp+NalGhevFq2Q="; - }; - #DynamicPageList = pkgs.fetchzip { - # url = 
"https://web.archive.org/web/20220627203129/https://extdist.wmflabs.org/dist/extensions/DynamicPageList-REL1_38-3b7a26d.tar.gz"; - # sha256 = "sha256-WjVLks0Q9hSN2poqbKzTJhvOXog7UHJqjY2WJ4Uc64o="; - #}; - Scribunto = pkgs.fetchzip { - url = "https://web.archive.org/web/20220627202748/https://extdist.wmflabs.org/dist/extensions/Scribunto-REL1_38-9b9271a.tar.gz"; - sha256 = "sha256-4sy2ZCnDFzx43WzfS4Enh+I0o0+sFl1RnNV4xGiyU0k="; - }; - Lockdown = pkgs.fetchzip { - url = "https://web.archive.org/web/20220627203048/https://extdist.wmflabs.org/dist/extensions/Lockdown-REL1_38-1915db4.tar.gz"; - sha256 = "sha256-YCYsjh/3g2P8oT6IomP3UWjOoggH7jYjiiix7poOYnA="; - }; + $wgScribuntoDefaultEngine = 'luastandalone'; + ''; + # see https://extdist.wmflabs.org/dist/extensions/ for list of extensions + # save them on https://web.archive.org/save and copy the final URL below + extensions = { + Interwiki = pkgs.fetchzip { + url = "https://web.archive.org/web/20220617074130/https://extdist.wmflabs.org/dist/extensions/Interwiki-REL1_38-223bbf8.tar.gz"; + sha256 = "sha256-A4tQuISJNzzXPXJXv9N1jMat1VuZ7khYzk2jxoUqzIk="; + }; + Cite = pkgs.fetchzip { + url = "https://web.archive.org/web/20220627203658/https://extdist.wmflabs.org/dist/extensions/Cite-REL1_38-d40993e.tar.gz"; + sha256 = "sha256-dziMo6sH4yMPjnDtt0TXiGBxE5uGRJM+scwdeuer5sM="; + }; + ConfirmEdit = pkgs.fetchzip { + url = "https://web.archive.org/web/20220627203619/https://extdist.wmflabs.org/dist/extensions/ConfirmEdit-REL1_38-50f4dfd.tar.gz"; + sha256 = "sha256-babZDzcQDE446TBuGW/olbt2xRbPjk+5o3o9DUFlCxk="; + }; + CiteThisPage = pkgs.fetchzip { + url = "https://web.archive.org/web/20220627203556/https://extdist.wmflabs.org/dist/extensions/CiteThisPage-REL1_38-bb4881c.tar.gz"; + sha256 = "sha256-r1NgrhSratleQ356imxmF7KmAANvWvKpAgnLkm8IdKY="; + }; + ParserFunctions = pkgs.fetchzip { + url = "https://web.archive.org/web/20220627203519/https://extdist.wmflabs.org/dist/extensions/ParserFunctions-REL1_38-bc6a7c6.tar.gz"; + sha256 = 
"sha256-iDv4VSSFnTKEhvlVQcHHVp2hSWwDbv6jNCq1kOGuswo="; + }; + SyntaxHightlight = pkgs.fetchzip { + url = "https://web.archive.org/web/20220627203440/https://extdist.wmflabs.org/dist/extensions/SyntaxHighlight_GeSHi-REL1_38-79031cd.tar.gz"; + sha256 = "sha256-r1NgrhSratleQ356imxmF7KmAANvWvKpAgnLkm8IdKY="; + }; + intersection = pkgs.fetchzip { + url = "https://web.archive.org/web/20220627203336/https://extdist.wmflabs.org/dist/extensions/intersection-REL1_38-8525097.tar.gz"; + sha256 = "sha256-shgA0XLG6pgikqldOfda40hV9zC1eBp+NalGhevFq2Q="; + }; + #DynamicPageList = pkgs.fetchzip { + # url = "https://web.archive.org/web/20220627203129/https://extdist.wmflabs.org/dist/extensions/DynamicPageList-REL1_38-3b7a26d.tar.gz"; + # sha256 = "sha256-WjVLks0Q9hSN2poqbKzTJhvOXog7UHJqjY2WJ4Uc64o="; + #}; + Scribunto = pkgs.fetchzip { + url = "https://web.archive.org/web/20220627202748/https://extdist.wmflabs.org/dist/extensions/Scribunto-REL1_38-9b9271a.tar.gz"; + sha256 = "sha256-4sy2ZCnDFzx43WzfS4Enh+I0o0+sFl1RnNV4xGiyU0k="; + }; + Lockdown = pkgs.fetchzip { + url = "https://web.archive.org/web/20220627203048/https://extdist.wmflabs.org/dist/extensions/Lockdown-REL1_38-1915db4.tar.gz"; + sha256 = "sha256-YCYsjh/3g2P8oT6IomP3UWjOoggH7jYjiiix7poOYnA="; + }; + }; + passwordFile = config.sops.secrets."mediawiki/adminPassword".path; + database = { + type = "postgres"; + socket = "/run/postgresql"; + user = "mediawiki"; + name = "mediawiki"; + }; + uploadsDir = "/var/lib/mediawiki/uploads"; }; - passwordFile = config.sops.secrets."mediawiki/adminPassword".path; - database = { - type = "postgres"; - socket = "/run/postgresql"; - user = "mediawiki"; - name = "mediawiki"; - }; - uploadsDir = "/var/lib/mediawiki/uploads"; - }; }
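Review bot: The re-indented `authentication` block still grants `trust` to every database and role on the local socket, loopback and `10.233.2.1/32`, so with `enableTCPIP = true` any client at those addresses can connect as any role, including the superuser, without a credential. MediaWiki is configured to use the socket (`socket = "/run/postgresql"`), so the `host` lines look unnecessary; consider `local all all peer` (assuming the service's OS user matches the `mediawiki` role) and dropping the `host` entries, or `scram-sha-256` if TCP access is really needed. Whether `10.233.2.1` can actually reach the port depends on firewall rules not visible in this hunk. Separately, the `CiteThisPage` and `SyntaxHightlight` entries carry the same `sha256`, which cannot be correct for two different tarballs and probably means one extension resolves to the other's contents; that hash and the attribute name's spelling should be rechecked. The hunk only changes whitespace, so both issues predate it.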