diff --git a/modules/wiki.nix b/modules/wiki.nix
index ed6ceb9..dedfd34 100644
--- a/modules/wiki.nix
+++ b/modules/wiki.nix
@@ -1,28 +1,91 @@ { config, pkgs, lib, ... }: { - sops.secrets.postgres_mediawiki.owner = config.users.users.mediawiki.name; - sops.secrets.mediawiki_initial_admin.owner = config.users.users.mediawiki.name; + sops.secrets = { + "mediawiki/postgres".owner = config.users.users.mediawiki.name; + "mediawiki/initial_admin".owner = config.users.users.mediawiki.name; + "mediawiki/ldapprovider".owner = config.users.users.mediawiki.name; + }; + services = { mediawiki = { enable = true; name = "FSR Wiki"; - passwordFile = config.sops.secrets.mediawiki_initial_admin.path; + passwordFile = config.sops.secrets."mediawiki/initial_admin".path; database = { - user = "mediawiki"; type = "postgres"; socket = "/var/run/postgresql"; - port = 5432; + user = "mediawiki"; name = "mediawiki"; - host = "localhost"; - passwordFile = config.sops.secrets.postgres_mediawiki.path; - createLocally = false; }; + virtualHost = { hostName = "wiki.quitte.tassilo-tanneberger.de"; adminAddr = "root@ifsr.de"; forceSSL = true; enableACME = true; }; + + extraConfig = '' + $wgArticlePath = '/$1'; + + $wgShowExceptionDetails = true; + $wgDBserver = "${config.services.mediawiki.database.socket}"; + $wgDBmwschema = "mediawiki"; + + // $wgLogo = "https://www.c3d2.de/images/ck.png"; + $wgEmergencyContact = "root@ifsr.de"; + $wgPasswordSender = "root@ifsr.de"; + $wgLanguageCode = "de"; + + $wgGroupPermissions['*']['edit'] = false; + $wgGroupPermissions['user']['edit'] = true; + $wgGroupPermissions['sysop']['interwiki'] = true; + $wgGroupPermissions['sysop']['userrights'] = true; + + define("NS_INTERN", 100); + define("NS_INTERN_TALK", 101); + + $wgExtraNamespaces[NS_INTERN] = "Intern"; + $wgExtraNamespaces[NS_INTERN_TALK] = "Intern_Diskussion"; + + $wgGroupPermissions['intern']['move'] = true; + $wgGroupPermissions['intern']['move-subpages'] = true; + $wgGroupPermissions['intern']['move-rootuserpages'] = true; // can move root userpages + $wgGroupPermissions['intern']['read'] = true; + 
$wgGroupPermissions['intern']['edit'] = true; + $wgGroupPermissions['intern']['createpage'] = true; + $wgGroupPermissions['intern']['createtalk'] = true; + $wgGroupPermissions['intern']['writeapi'] = true; + $wgGroupPermissions['intern']['upload'] = true; + $wgGroupPermissions['intern']['reupload'] = true; + $wgGroupPermissions['intern']['reupload-shared'] = true; + $wgGroupPermissions['intern']['minoredit'] = true; + $wgGroupPermissions['intern']['purge'] = true; // can use ?action=purge without clicking "ok" + $wgGroupPermissions['intern']['sendemail'] = true; + + $wgNamespacePermissionLockdown[NS_INTERN]['*'] = array('intern'); + $wgNamespacePermissionLockdown[NS_INTERN_TALK]['*'] = array('intern'); + + $wgGroupPermissions['sysop']['deletelogentry'] = true; + $wgGroupPermissions['sysop']['deleterevision'] = true; + + wfLoadExtension('ConfirmEdit/QuestyCaptcha'); + $wgCaptchaClass = 'QuestyCaptcha'; + $wgCaptchaQuestions[] = array( 'question' => 'How is C3D2 logo in ascii?', 'answer' => '<<>' ); + + $wgEnableAPI = true; + $wgAllowUserCss = true; + $wgUseAjax = true; + $wgEnableMWSuggest = true; + + //TODO what about $wgUpgradeKey ? + + $wgScribuntoDefaultEngine = 'luastandalone'; + + # LDAP + $LDAPProviderDomainConfigs = "${config.sops.secrets."mediawiki/ldapprovider".path}"; + $wgPluggableAuth_EnableLocalLogin = true; + ''; }; postgresql = { enable = true; @@ -36,7 +99,7 @@ path = [ pkgs.sudo config.services.postgresql.package ]; script = '' - sudo -u ${config.services.postgresql.superUser} psql -c "ALTER ROLE mediawiki WITH PASSWORD '$(cat ${config.sops.secrets.postgres_mediawiki.path})'" + sudo -u ${config.services.postgresql.superUser} psql -c "ALTER ROLE mediawiki WITH PASSWORD '$(cat ${config.sops.secrets."mediawiki/postgres".path})'" ''; }; } diff --git a/secrets/durian.yaml b/secrets/durian.yaml index 72000bd..cf1e6be 100644 --- a/secrets/durian.yaml +++ b/secrets/durian.yaml 
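Review bot: `$wgShowExceptionDetails = true;` in the new extraConfig makes MediaWiki render exception messages and backtraces (with server file paths) to every visitor of the public host `wiki.quitte.tassilo-tanneberger.de`; commit it as `$wgShowExceptionDetails = false;` and flip it only while debugging. The `$wgNamespacePermissionLockdown[NS_INTERN]` / `[NS_INTERN_TALK]` entries are honoured only by the Lockdown extension, so unless it is loaded elsewhere (e.g. via `services.mediawiki.extensions`, not visible in this hunk) core MediaWiki ignores them and the `Intern` namespace stays readable by `*` — either add `wfLoadExtension('Lockdown');` next to the ConfirmEdit load or confirm it is enabled, and the same caveat applies to `$LDAPProviderDomainConfigs` / `$wgPluggableAuth_EnableLocalLogin` needing LDAPProvider and PluggableAuth. The QuestyCaptcha answer `<<>` is committed in plaintext in this module, so it does not protect against anyone who can read the repository and should at least be documented as such. `$wgEnableAPI`, `$wgUseAjax` and `$wgEnableMWSuggest` have been removed from recent MediaWiki releases and are inert there. The enclosing module attribute set continues past the end of this hunk.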
@@ -1,8 +1,10 @@ postgres_keycloak: ENC[AES256_GCM,data:Vi0NLjpYDvFGIYYL/VPdgOqAS51KXQynBFlBjK64elU=,iv:JY65V7b8zWSX4aNEK5pD7iyxnqIr8jexcG3pIBNbmvg=,tag:auDyPClH1VbWbFoWWK5E9w==,type:str] postgres_hedgedoc: ENC[AES256_GCM,data:VCoWXZbNGWfmorTNZRFWkDUp0B5JMmsA+bJFVrUREj0=,iv:fnSs3FOgmFn5/BqKTODpwIq023ZRMF8s/JiDyf2ZqkE=,tag:oit5sHf6QffhYYi/WJk5SQ==,type:str] hedgedoc_session_secret: ENC[AES256_GCM,data:uz7KggZqeZ2eqiCnOcnYh2I1p5BBXTQbC8PUhB2kM2U=,iv:aJDHKCPkccCT/OF6AGZMfRESNmoV9muGHbuCUfLQhH8=,tag:uEVXylpE8MSebqRr+4mQOw==,type:str] -postgres_mediawiki: ENC[AES256_GCM,data:abxT4VB9c0YwqHI8OLvfLFjpJoLAoDNNE9ml58BpD2A=,iv:jn7e3oDWtADuK3o8x26uRbwruQ07zglMyXpThBV6uG0=,tag:9NF49KqdXoAgz8U/VWIKsg==,type:str] -mediawiki_initial_admin: ENC[AES256_GCM,data:V62NRMkQaXqHl4Jj69BNsprafEqszeoHiLWurexLuvs=,iv:aSZJLviR0Tt2RCeb22pPP4i/B4APNFvU1l8ipeNvER8=,tag:mWv8fN1RZwJHUqIxQonO8Q==,type:str] +mediawiki: + postgres: ENC[AES256_GCM,data:XRfUc2PRMJcoILAnm5MWr2Cg5u4e/IhGMUnz/oIQSzY=,iv:8U+qlD1SQzxUyD/6QK4SdwRCDyMODK/lP0IDrLlcQ4U=,tag:2spNMj9dY2wWilOusq24yQ==,type:str] + initial_admin: ENC[AES256_GCM,data:iET5rz9rygx49NDBjKwqAlRgpeS+jq5iM5zmjnoKcyk=,iv:11iDbCrpzjCdyAB22R8NknJ6vzcpVZXCXB3iWsGWXw0=,tag:1RCyg1ysOWaXKdqqdHqRrw==,type:str] + ldapprovider: ENC[AES256_GCM,data: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,iv:ycKt8/awCo3HoO6Oa8H77GH9+m+xgR4kiXb7Cbf0wSY=,tag:b6pBoZs+E4CP+V9oZXrcoQ==,type:str] sops: kms: [] gcp_kms: [] 
@@ -18,8 +20,8 @@ sops: bzNnbFZnZnZiY0xsbVlvUStBblBMWGcK7HSz9iFQiH0BJ3etF09opJreBoBtiBZ0 L74EBGuEV4+dNWqY3QwAASmDYJJ8ocQMuAgctjsgstKBKUeOrkhDRg== -----END AGE ENCRYPTED FILE----- - lastmodified: "2022-09-06T15:14:55Z" - mac: ENC[AES256_GCM,data:jd8op8K6jIyzUwiCX/6I716EI903rVZIMIRvxM/8w+oxqNVwaKGgY8IwQ3psg9SsGg+Sq+CNrm0Rf58Urz9hUywk2z70k/u/+5qWO7qUUuHNpYDLCLsOQ/BjYN+ZDATVFaD2hC+xYfwNKQXPPRTnnZ8oQ4AgybkSmrnjC13GCyM=,iv:VWKZITb/6wZe5lkru93AL27Pf/o1OCOPC0neNRRY79U=,tag:W3SBWD4ypcJx3mgRdWSNug==,type:str] + lastmodified: "2022-09-06T18:05:20Z" + mac: ENC[AES256_GCM,data:bP3jhxhVuGI1/vAnLDHWRPULUr37NtibK9oGNn8F3sbDkOMR7uMfUzjOxIPABNjwyDU7MttISG71In2PPUK1Z42IOjEH7NBY7vOs498rDojQSf33ndVDqmhs4qOeCD9QtTS6lp4c1YrpKsQt6Ga8uP0pXEqkzegJvD5DFdsQMLE=,iv:bXskhJX52/s8S1Bdppp6PTBvLbKCG46usM+jfAGkUJ0=,tag:dJv6tFtshy4ZiJ5lqsog/Q==,type:str] pgp: - created_at: "2022-08-16T13:01:34Z" enc: |