hydra: init
parent
1f450f35f8
commit
d90e705738
4 changed files with 101 additions and 31 deletions
|
@ -15,6 +15,7 @@
|
|||
packages."x86_64-linux".quitte = self.nixosConfigurations.quitte.config.system.build.toplevel;
|
||||
packages."x86_64-linux".default = self.packages."x86_64-linux".quitte;
|
||||
formatter.x86_64-linux = nixpkgs.legacyPackages.x86_64-linux.nixpkgs-fmt;
|
||||
hydraJobs."x86-64-linux".quitte = self.packages."x86_64-linux".quitte;
|
||||
|
||||
nixosConfigurations = {
|
||||
quitte = nixpkgs.lib.nixosSystem {
|
||||
|
@ -33,6 +34,7 @@
|
|||
./modules/mail.nix
|
||||
./modules/mailman.nix
|
||||
./modules/nginx.nix
|
||||
./modules/hydra.nix
|
||||
./modules/userdir.nix
|
||||
./modules/hedgedoc.nix
|
||||
./modules/padlist.nix
|
||||
|
|
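Review bot: `hydraJobs."x86-64-linux".quitte` in the first hunk uses a hyphenated system name while every other attribute in this file spells it `x86_64-linux`, so the Hydra job ends up named `x86-64-linux.quitte` instead of matching the package it mirrors. If the intent was the conventional `hydraJobs.<job>.<system>` layout, the line should read `hydraJobs.quitte."x86_64-linux" = self.packages."x86_64-linux".quitte;`; at minimum the underscore spelling should be used so the two names agree. The enclosing attribute set starts and ends outside the hunk.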
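--- a/modules/hydra.nix
+++ b/modules/hydra.nix
@@ -0,0 +1,67 @@
+{ config, ... }:
+let
+domain = "hydra.ifsr.de";
+in
+{
+sops.secrets."hydra_ldap_search".owner = "hydra";
+services.hydra = {
+enable = true;
+port = 4000;
+hydraURL = domain;
+notificationSender = "hydra@localhost";
+buildMachinesFiles = [ ];
+useSubstitutes = true;
+extraConfig = ''
+ldap>
+<config>
+<credential>
+class = Password
+password_field = password
+password_type = self_check
+</credential>
+<store>
+class = LDAP
+ldap_server = localhost
+<ldap_server_options>
+timeout = 30
+</ldap_server_options>
+binddn = "cn=search,dc=ifsr,dc=de"
+include ${config.sops.secrets.hydra_ldap_search.path}
+start_tls = 0
+<start_tls_options>
+verify = none
+</start_tls_options>
+user_basedn = "ou=users,dc=ifsr,dc=de"
+user_filter = "(&(objectClass=posixAccount)(cn=%s))"
+user_scope = one
+user_field = cn
+<user_search_options>
+deref = always
+</user_search_options>
+# Important for role mappings to work:
+use_roles = 1
+role_basedn = "ou=groups,dc=ifsr,dc=de"
+role_filter = "(&(objectClass=groupOfNames)(member=%s))"
+role_scope = one
+role_field = cn
+role_value = dn
+<role_search_options>
+deref = always
+</role_search_options>
+</config>
+<role_mapping>
+# Make all users in the hydra_admin group Hydra admins
+admins = admin
+</role_mapping>
+</ldap>
+'';
+
+};
+services.nginx.virtualHosts."${domain}" = {
+enableACME = true;
+forceSSL = true;
+locations."/" = {
+proxyPass = "http://127.0.0.1:${toString config.services.hydra.port}";
+};
+};
+}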
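Review bot: `hydraURL = domain;` passes the bare hostname `hydra.ifsr.de`, but `services.hydra.hydraURL` is the base URL Hydra puts into links in notification mails, so it needs the scheme: `hydraURL = "https://${domain}";`. In the LDAP `<store>`, `start_tls = 0` together with `verify = none` means the search bind credential from the included sops file and every user's `self_check` password travel to `ldap_server = localhost` unencrypted; that is defensible only because the server is on loopback, and a comment such as `# plaintext bind is acceptable only while ldap_server stays on localhost; enable start_tls with verification before pointing this elsewhere` should record that constraint next to `start_tls = 0`. The comment above `<role_mapping>` speaks of the `hydra_admin` group while the mapping key is `admins`, so one of the two should be corrected to name the LDAP group that actually grants the admin role. The first line inside `extraConfig` renders as `ldap>`, presumably `<ldap>` lost to the page rendering; worth confirming in the file, since an unbalanced opening tag would break the config parse.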
@ -38,40 +38,40 @@ in
|
|||
};
|
||||
|
||||
extraConfig = ''
|
||||
$wgSitename = "FSR Wiki";
|
||||
$wgArticlePath = '/$1';
|
||||
$wgSitename = "FSR Wiki";
|
||||
$wgArticlePath = '/$1';
|
||||
|
||||
// $wgLogo = "https://www.c3d2.de/images/ck.png";
|
||||
$wgLanguageCode = "de";
|
||||
// $wgLogo = "https://www.c3d2.de/images/ck.png";
|
||||
$wgLanguageCode = "de";
|
||||
|
||||
$wgGroupPermissions['*']['read'] = false;
|
||||
$wgGroupPermissions['*']['edit'] = false;
|
||||
$wgGroupPermissions['*']['createaccount'] = false;
|
||||
$wgGroupPermissions['*']['autocreateaccount'] = true;
|
||||
$wgGroupPermissions['sysop']['userrights'] = true;
|
||||
$wgGroupPermissions['sysop']['deletelogentry'] = true;
|
||||
$wgGroupPermissions['sysop']['deleterevision'] = true;
|
||||
$wgGroupPermissions['*']['read'] = false;
|
||||
$wgGroupPermissions['*']['edit'] = false;
|
||||
$wgGroupPermissions['*']['createaccount'] = false;
|
||||
$wgGroupPermissions['*']['autocreateaccount'] = true;
|
||||
$wgGroupPermissions['sysop']['userrights'] = true;
|
||||
$wgGroupPermissions['sysop']['deletelogentry'] = true;
|
||||
$wgGroupPermissions['sysop']['deleterevision'] = true;
|
||||
|
||||
$wgEnableAPI = true;
|
||||
$wgAllowUserCss = true;
|
||||
$wgUseAjax = true;
|
||||
$wgEnableMWSuggest = true;
|
||||
$wgDefaultSkin = 'timeless';
|
||||
$wgEnableAPI = true;
|
||||
$wgAllowUserCss = true;
|
||||
$wgUseAjax = true;
|
||||
$wgEnableMWSuggest = true;
|
||||
$wgDefaultSkin = 'timeless';
|
||||
|
||||
//TODO what about $wgUpgradeKey ?
|
||||
//TODO what about $wgUpgradeKey ?
|
||||
|
||||
# Auth
|
||||
# https://www.mediawiki.org/wiki/Extension:PluggableAuth
|
||||
# https://www.mediawiki.org/wiki/Extension:OpenID_Connect
|
||||
$wgPluggableAuth_EnableLocalLogin = true;
|
||||
$wgPluggableAuth_Config["iFSR Login"] = [
|
||||
"plugin" => "OpenIDConnect",
|
||||
"data" => [
|
||||
"providerURL" => "${config.services.portunus.domain}/dex",
|
||||
"clientID" => "wiki",
|
||||
"clientsecret" => file_get_contents('${config.sops.secrets."mediawiki/oidc_secret".path}'),
|
||||
],
|
||||
];
|
||||
# Auth
|
||||
# https://www.mediawiki.org/wiki/Extension:PluggableAuth
|
||||
# https://www.mediawiki.org/wiki/Extension:OpenID_Connect
|
||||
$wgPluggableAuth_EnableLocalLogin = true;
|
||||
$wgPluggableAuth_Config["iFSR Login"] = [
|
||||
"plugin" => "OpenIDConnect",
|
||||
"data" => [
|
||||
"providerURL" => "${config.services.portunus.domain}/dex",
|
||||
"clientID" => "wiki",
|
||||
"clientsecret" => file_get_contents('${config.sops.secrets."mediawiki/oidc_secret".path}'),
|
||||
],
|
||||
];
|
||||
'';
|
||||
|
||||
extensions = {
|
||||
|
|
|
@ -7,6 +7,7 @@ portunus:
|
|||
admin-password: ENC[AES256_GCM,data:9EglcINrzDw1d4VaZALOFy3KddlwAvaWRuUZvXXCmE8=,iv:Z33gf3BqmtvSTNadrAQl0LgU1fZ8fReyO4fFBvy+vlw=,tag:zPTvOeEsc+MvqigesaBMkw==,type:str]
|
||||
search-password: ENC[AES256_GCM,data:Rf69jCganUJJxyR44mbEgB475SitvvqGCmsMXHH5VAw=,iv:ilOVy1r+HAY3t26yJiO6jExtrl7kll8Mi6fqzBcjYRQ=,tag:KyZCbPhlLSkgkxGT2Du5AQ==,type:str]
|
||||
dovecot_ldap_search: ENC[AES256_GCM,data:e19xmqOra7xJPPVnW7FtCV6q1JfTDnzgtvEpAY3SFuxCJ8Ucnt/6c/ZlJEM=,iv:XlYw6XpvENraLCnoGpEnqa2pg7VIuU0WyFZJRqjusmc=,tag:UaPkh/Vtv61kRaW3s1dznw==,type:str]
|
||||
hydra_ldap_search: ENC[AES256_GCM,data:TkaLjcnB1M8/6PiKqzKb2kiv+ix8k5Jn6msV6xQcfcWDA91LUrLlHpIP,iv:N2KSltfWhbn2Csg8chi6DfO6UcIsP8dA+BDQQ7mGPUM=,tag:FyNtOl2WkQ6mi+5gDnjftw==,type:str]
|
||||
rspamd-password: ENC[AES256_GCM,data:mn8UWBlXKG1s7cP/sLW6DWiqbAydEbv8q1rJzX5zNaZEMjpYAxrGj54Md5XmwQ==,iv:C9vvICgL7GbsOsWx5FyFktospIomfZK4qPh8qMqCELo=,tag:stOGL8UmHocAGWjjjRNZVw==,type:str]
|
||||
mediawiki:
|
||||
initial_admin: ENC[AES256_GCM,data:osX7QwHPfmFAJHGuXHY/td7Z+JNzHicixZRvWNLfG+o=,iv:SuKTItyOipoVqx/39+UTDg8npsp0jDaK94k9rPfYdkA=,tag:emNMythpZGwm3Rp8Nx5xCw==,type:str]
|
||||
|
@ -36,8 +37,8 @@ sops:
|
|||
dFpScGZzYlFQZWMyUEErOVhVVjc4SlkK3KUct/NJwDdeGeWrqbZ5eAIb/G8f/ZCI
|
||||
T4gO0Y/fznXkNf1fm5d3JHwTC8yAzxmSSGu2f/LLzKx1oNeAw0Ll4Q==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2023-08-16T11:51:53Z"
|
||||
mac: ENC[AES256_GCM,data:aVF7WJ1MjgLPBN7qv8KO/HQbpyyCLQyW6U8rQCSN/VjSDW7vGf7hU0NtL51/L/daHcPWI5QJqpZtuYO1WZuwYyiDqBdtgQbhUIeIp8N9fIioxV7iW7PXSrwnLsnlIQl5HC3wxWGMsgQmYBz/CijJMRZkf06ITOuiS8llOphd+Ho=,iv:gmO9iGB4qfoeCPMmXBhz0jRymsuz2s2mBgHKrkm5gCc=,tag:kPu9MDFeju3T/OA720NQlg==,type:str]
|
||||
lastmodified: "2023-08-23T14:49:02Z"
|
||||
mac: ENC[AES256_GCM,data:4LI5W+gljlp+ymQmwZWxTf8jeO+uJgJmMzFv6w9fqlZrY577QQTpf8X/dJp7VD+kXVjK4KIMUIcJ8+30fiXkvQp7Uf797m3XDpCbtshlsHwJAJncv7t7bVTUfLQrN7nE2TMl2vKMZs0Vul8laem0aBd0I9FusQoMMufLiwWSIco=,iv:WF8AnRMqxlAGt+HSD0dlB1e836kIpkbuOyvZoVmLKz4=,tag:JxphkiAoXSj/pj8AjDRo8A==,type:str]
|
||||
pgp:
|
||||
- created_at: "2023-08-14T09:07:55Z"
|
||||
enc: |
|
||||
|
|