hydra: init

Rouven Seifert 2023-08-23 16:53:43 +02:00
parent 1f450f35f8
commit d90e705738
Signed by untrusted user: rouven.seifert
GPG key ID: B95E8FE6B11C4D09
4 changed files with 101 additions and 31 deletions

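--- /dev/null
+++ b/modules/hydra.nix
@@ -0,0 +1,67 @@
+{ config, ... }:
+let
+domain = "hydra.ifsr.de";
+in
+{
+sops.secrets."hydra_ldap_search".owner = "hydra";
+services.hydra = {
+enable = true;
+port = 4000;
+hydraURL = domain;
+notificationSender = "hydra@localhost";
+buildMachinesFiles = [ ];
+useSubstitutes = true;
+extraConfig = ''
+ldap>
+<config>
+<credential>
+class = Password
+password_field = password
+password_type = self_check
+</credential>
+<store>
+class = LDAP
+ldap_server = localhost
+<ldap_server_options>
+timeout = 30
+</ldap_server_options>
+binddn = "cn=search,dc=ifsr,dc=de"
+include ${config.sops.secrets.hydra_ldap_search.path}
+start_tls = 0
+<start_tls_options>
+verify = none
+</start_tls_options>
+user_basedn = "ou=users,dc=ifsr,dc=de"
+user_filter = "(&(objectClass=posixAccount)(cn=%s))"
+user_scope = one
+user_field = cn
+<user_search_options>
+deref = always
+</user_search_options>
+# Important for role mappings to work:
+use_roles = 1
+role_basedn = "ou=groups,dc=ifsr,dc=de"
+role_filter = "(&(objectClass=groupOfNames)(member=%s))"
+role_scope = one
+role_field = cn
+role_value = dn
+<role_search_options>
+deref = always
+</role_search_options>
+</config>
+<role_mapping>
+# Make all users in the hydra_admin group Hydra admins
+admins = admin
+</role_mapping>
+</ldap>
+'';
+};
+services.nginx.virtualHosts."${domain}" = {
+enableACME = true;
+forceSSL = true;
+locations."/" = {
+proxyPass = "http://127.0.0.1:${toString config.services.hydra.port}";
+};
+};
+}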
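Review bot: `services.hydra` sets `port = 4000` but no `listenHost`, and the module default listens on all interfaces, so the `forceSSL` nginx vhost on `${domain}` can be bypassed by plain HTTP straight to port 4000 unless a firewall not shown here closes it; add `listenHost = "127.0.0.1";` next to `port = 4000;` so the loopback `proxyPass` is the only path in. The LDAP store binds to `localhost` with `start_tls = 0` and `verify = none`, which is tolerable on loopback but means the search bind and every password checked via `self_check` travel in clear text the moment `ldap_server` is changed; a comment such as `# cleartext is only acceptable because the directory is local; enable start_tls and verify before pointing this at a remote server` would make that dependency explicit. The `<role_mapping>` comment mentions a `hydra_admin` group while the mapping is `admins = admin`, i.e. members of the LDAP group `admins` receive the Hydra `admin` role; the comment should read `# Members of the LDAP group "admins" get the Hydra admin role`. `hydraURL = domain;` is a bare hostname rather than a URL, which presumably breaks links the instance generates; `hydraURL = "https://${domain}";` matches the forceSSL vhost.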


@ -38,40 +38,40 @@ in
};
extraConfig = ''
$wgSitename = "FSR Wiki";
$wgArticlePath = '/$1';
$wgSitename = "FSR Wiki";
$wgArticlePath = '/$1';
// $wgLogo = "https://www.c3d2.de/images/ck.png";
$wgLanguageCode = "de";
// $wgLogo = "https://www.c3d2.de/images/ck.png";
$wgLanguageCode = "de";
$wgGroupPermissions['*']['read'] = false;
$wgGroupPermissions['*']['edit'] = false;
$wgGroupPermissions['*']['createaccount'] = false;
$wgGroupPermissions['*']['autocreateaccount'] = true;
$wgGroupPermissions['sysop']['userrights'] = true;
$wgGroupPermissions['sysop']['deletelogentry'] = true;
$wgGroupPermissions['sysop']['deleterevision'] = true;
$wgGroupPermissions['*']['read'] = false;
$wgGroupPermissions['*']['edit'] = false;
$wgGroupPermissions['*']['createaccount'] = false;
$wgGroupPermissions['*']['autocreateaccount'] = true;
$wgGroupPermissions['sysop']['userrights'] = true;
$wgGroupPermissions['sysop']['deletelogentry'] = true;
$wgGroupPermissions['sysop']['deleterevision'] = true;
$wgEnableAPI = true;
$wgAllowUserCss = true;
$wgUseAjax = true;
$wgEnableMWSuggest = true;
$wgDefaultSkin = 'timeless';
$wgEnableAPI = true;
$wgAllowUserCss = true;
$wgUseAjax = true;
$wgEnableMWSuggest = true;
$wgDefaultSkin = 'timeless';
//TODO what about $wgUpgradeKey ?
//TODO what about $wgUpgradeKey ?
# Auth
# https://www.mediawiki.org/wiki/Extension:PluggableAuth
# https://www.mediawiki.org/wiki/Extension:OpenID_Connect
$wgPluggableAuth_EnableLocalLogin = true;
$wgPluggableAuth_Config["iFSR Login"] = [
"plugin" => "OpenIDConnect",
"data" => [
"providerURL" => "${config.services.portunus.domain}/dex",
"clientID" => "wiki",
"clientsecret" => file_get_contents('${config.sops.secrets."mediawiki/oidc_secret".path}'),
],
];
# Auth
# https://www.mediawiki.org/wiki/Extension:PluggableAuth
# https://www.mediawiki.org/wiki/Extension:OpenID_Connect
$wgPluggableAuth_EnableLocalLogin = true;
$wgPluggableAuth_Config["iFSR Login"] = [
"plugin" => "OpenIDConnect",
"data" => [
"providerURL" => "${config.services.portunus.domain}/dex",
"clientID" => "wiki",
"clientsecret" => file_get_contents('${config.sops.secrets."mediawiki/oidc_secret".path}'),
],
];
'';
extensions = {