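# NixOS module for a login-only MediaWiki instance.
#
# Layout visible in this file: Apache (services.mediawiki.httpd) listens on
# loopback only, nginx is the public virtual host and proxies to it, secrets
# are delivered as files through sops, and sign-in goes through
# PluggableAuth + OpenIDConnect.
{ config, pkgs, ... }:
let
  # Public host name of the wiki, derived from the machine's domain.
  domain = "wiki.${config.networking.domain}";
  # Loopback port of the Apache backend; the nginx proxyPass below targets it.
  listenPort = 8080;
in
{
  # Both secrets are owned by the mediawiki user, which reads them at
  # runtime (passwordFile, and file_get_contents in LocalSettings).
  sops.secrets = {
    "mediawiki/initial_admin".owner = config.users.users.mediawiki.name;
    "mediawiki/oidc_secret".owner = config.users.users.mediawiki.name;
  };

  # Order the init unit after PostgreSQL.
  systemd.services.mediawiki-init.after = [ "postgresql.service" ];

  services = {
    mediawiki = {
      enable = true;
      # Password of the initial admin account, read from the sops secret file.
      passwordFile = config.sops.secrets."mediawiki/initial_admin".path;
      database.type = "postgres";
      url = "https://${domain}";

      httpd.virtualHost = {
        adminAddr = "root@ifsr.de";
        # Plain HTTP bound to loopback only; clients reach it through nginx.
        # NOTE(review): no TLS options (forceSSL/ACME) are set on the nginx
        # vhost in this file; presumably they come from elsewhere, confirm.
        listen = [{
          ip = "127.0.0.1";
          port = listenPort;
          ssl = false;
        }];
        # Short url support (e.g. https://wiki.ifsr.de/Page instead of .../index.php?title=Page)
        # Recommended config taken from https://www.mediawiki.org/wiki/Manual:Short_URL/Apache
        # See paragraph "If you are using a root url ..."
        #
        # NOTE(review): requests under /images are excluded from the rewrite
        # and answered by Apache directly, so MediaWiki's read permission is
        # not evaluated for uploaded files. For a private wiki the upstream
        # mechanism for gating uploads is img_auth.php; confirm whether
        # anything under /images needs protection.
        extraConfig = ''
          RewriteEngine On
          RewriteCond %{REQUEST_URI} !^/rest\.php
          RewriteCond %{REQUEST_URI} !^/images
          RewriteCond %{DOCUMENT_ROOT}%{REQUEST_URI} !-f
          RewriteCond %{DOCUMENT_ROOT}%{REQUEST_URI} !-d
          RewriteRule ^(.*)$ %{DOCUMENT_ROOT}/index.php [L]
        '';
      };

      # Appended to LocalSettings.php. Points worth knowing when reviewing:
      #  * Anonymous users ('*') may not read, edit or create accounts;
      #    'autocreateaccount' stays enabled so a first SSO login can create
      #    the local account.
      #  * $wgOpenIDConnect_MigrateUsersByEmail attaches an SSO login to an
      #    existing local account by e-mail address. That is only sound if
      #    the identity provider verifies e-mail addresses; confirm in the
      #    realm configuration.
      #  * $wgPluggableAuth_EnableLocalLogin keeps the local password form
      #    next to SSO, so local accounts are not covered by whatever policy
      #    the identity provider enforces; confirm it is still needed.
      #  * NOTE(review): $wgEnableAPI, $wgUseAjax and $wgEnableMWSuggest
      #    appear to be no longer read by current MediaWiki releases; check
      #    the release notes before relying on them.
      #  * The OIDC client secret is read from the sops file when the
      #    settings are evaluated, so it does not end up in the Nix store.
      extraConfig = ''
        $wgSitename = "FSR Wiki";
        $wgArticlePath = '/$1';

        $wgLogo = "/images/3/3b/LogoiFSR.png";
        $wgLanguageCode = "de";

        $wgGroupPermissions['*']['read'] = false;
        $wgGroupPermissions['*']['edit'] = false;
        $wgGroupPermissions['*']['createaccount'] = false;
        $wgGroupPermissions['*']['autocreateaccount'] = true;
        $wgGroupPermissions['sysop']['userrights'] = true;
        $wgGroupPermissions['sysop']['deletelogentry'] = true;
        $wgGroupPermissions['sysop']['deleterevision'] = true;

        $wgEnableAPI = true;
        $wgAllowUserCss = true;
        $wgUseAjax = true;
        $wgEnableMWSuggest = true;
        $wgDefaultSkin = 'timeless';

        //TODO what about $wgUpgradeKey ?

        # Auth
        # https://www.mediawiki.org/wiki/Extension:PluggableAuth
        # https://www.mediawiki.org/wiki/Extension:OpenID_Connect
        $wgOpenIDConnect_MigrateUsersByEmail = true;
        $wgPluggableAuth_EnableLocalLogin = true;
        $wgPluggableAuth_Config["iFSR Login"] = [
          "plugin" => "OpenIDConnect",
          "data" => [
            "providerURL" => "https://sso.ifsr.de/realms/internal",
            "clientID" => "wiki",
            "clientsecret" => file_get_contents('${config.sops.secrets."mediawiki/oidc_secret".path}'),
          ],
        ];
      '';

      # Extension tarballs are fetched by URL and pinned by SRI hash, so a
      # changed upstream archive fails the build instead of being installed.
      # All four are REL1_40 snapshots and should be bumped together with
      # the MediaWiki package.
      extensions = {
        PluggableAuth = pkgs.fetchzip {
          url = "https://extdist.wmflabs.org/dist/extensions/PluggableAuth-REL1_40-3689731.tar.gz";
          hash = "sha256-BMA0qV+x+iQt/P9tbl9csEUni9jiQcBtZeuwdjx2QPk=";
        };
        OpenIDConnect = pkgs.fetchzip {
          url = "https://extdist.wmflabs.org/dist/extensions/OpenIDConnect-REL1_40-b354cdb.tar.gz";
          hash = "sha256-gLHaveEzfmpqU9fWATZsUU377FJj2yq//raHZUR/VWk=";
        };
        VisualEditor = pkgs.fetchzip {
          url = "https://extdist.wmflabs.org/dist/extensions/VisualEditor-REL1_40-8970b62.tar.gz";
          hash = "sha256-G+qvKVuF6OCnwS5q2cKfij1/aH1I6lOw84K6fED980s=";
        };
        SyntaxHighlight = pkgs.fetchzip {
          url = "https://extdist.wmflabs.org/dist/extensions/SyntaxHighlight_GeSHi-REL1_40-1170e8f.tar.gz";
          hash = "sha256-75+wwTvHhwPBP1jVLK2fQWBi7vznOvPVgNpY3kzWJtg=";
        };
      };
    };

    nginx = {
      recommendedProxySettings = true;
      virtualHosts.${domain} = {
        # Static robots.txt that disallows crawling of the whole site.
        locations."/robots.txt" = {
          extraConfig = ''
            add_header Content-Type text/plain;
            return 200 "User-agent: *\nDisallow: /\n";
          '';
        };
        # Everything else goes to the Apache backend on loopback.
        locations."/" = {
          proxyPass = "http://127.0.0.1:${toString listenPort}";
          proxyWebsockets = true;
        };
        # Legacy path prefixes redirect to their own hosts. The captured
        # suffix is appended directly after the host name in the Location
        # header, so it has to be empty or start with "/": the slash is now
        # required inside an optional group. With the slash itself optional,
        # arbitrary characters following the prefix would have been glued
        # onto the redirect host. The character class is unchanged; it
        # excludes newline, carriage return and a literal "|".
        locations."~ ^/ese(/[^\\n|\\r]*)?$".return = "301 https://wiki.ese.ifsr.de$1";
        locations."~ ^/fsr(/[^\\n|\\r]*)?$".return = "301 https://wiki.ifsr.de$1";
        locations."~ ^/vernetzung(/[^\\n|\\r]*)?$".return = "301 https://vernetzung.ifsr.de$1";
      };
    };
  };
}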