diff --git a/flake.nix b/flake.nix
index 5a75d48..39ad4f9 100755
--- a/flake.nix
+++ b/flake.nix
@@ -15,6 +15,7 @@
packages."x86_64-linux".quitte = self.nixosConfigurations.quitte.config.system.build.toplevel;
packages."x86_64-linux".default = self.packages."x86_64-linux".quitte;
formatter.x86_64-linux = nixpkgs.legacyPackages.x86_64-linux.nixpkgs-fmt;
+ hydraJobs."x86-64-linux".quitte = self.packages."x86_64-linux".quitte;
nixosConfigurations = {
quitte = nixpkgs.lib.nixosSystem {
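Review bot: The added `hydraJobs` line uses the attribute name `x86-64-linux` (hyphen) while every other system attribute on this page, including the right-hand side of the same line, is spelled `x86_64-linux`; this looks like a typo rather than intent, and Hydra would publish the job under a system name that matches nothing else in the flake. The line should read `hydraJobs."x86_64-linux".quitte = self.packages."x86_64-linux".quitte;`. The enclosing `outputs` attribute set starts and ends outside the hunk.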
@@ -33,6 +34,7 @@
./modules/mail.nix
./modules/mailman.nix
./modules/nginx.nix
+ ./modules/hydra.nix
./modules/userdir.nix
./modules/hedgedoc.nix
./modules/padlist.nix
diff --git a/modules/hydra.nix b/modules/hydra.nix
new file mode 100644
index 0000000..5bc592e
--- /dev/null
+++ b/modules/hydra.nix
@@ -0,0 +1,67 @@
+{ config, ... }:
+let
+ domain = "hydra.ifsr.de";
+in
+{
+ sops.secrets."hydra_ldap_search".owner = "hydra";
+ services.hydra = {
+ enable = true;
+ port = 4000;
+ hydraURL = domain;
+ notificationSender = "hydra@localhost";
+ buildMachinesFiles = [ ];
+ useSubstitutes = true;
+ extraConfig = ''
+ ldap>
+
+
+ class = Password
+ password_field = password
+ password_type = self_check
+
+
+ class = LDAP
+ ldap_server = localhost
+
+ timeout = 30
+
+ binddn = "cn=search,dc=ifsr,dc=de"
+ include ${config.sops.secrets.hydra_ldap_search.path}
+ start_tls = 0
+
+ verify = none
+
+ user_basedn = "ou=users,dc=ifsr,dc=de"
+ user_filter = "(&(objectClass=posixAccount)(cn=%s))"
+ user_scope = one
+ user_field = cn
+
+ deref = always
+
+ # Important for role mappings to work:
+ use_roles = 1
+ role_basedn = "ou=groups,dc=ifsr,dc=de"
+ role_filter = "(&(objectClass=groupOfNames)(member=%s))"
+ role_scope = one
+ role_field = cn
+ role_value = dn
+
+ deref = always
+
+
+
+ # Make all users in the hydra_admin group Hydra admins
+ admins = admin
+
+
+ '';
+
+ };
+ services.nginx.virtualHosts."${domain}" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:${toString config.services.hydra.port}";
+ };
+ };
+}
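Review bot: `services.hydra` sets `port = 4000` but no `listenHost`, and the NixOS module's default listens on all interfaces, so the `forceSSL` nginx vhost is not the only way to reach Hydra unless the host firewall blocks 4000 (not visible here); add `listenHost = "localhost";` next to `port` so the reverse proxy is the single entry point. `hydraURL = domain;` passes a bare hostname, but this option is the base URL Hydra uses for links in notification mail, so it should be `hydraURL = "https://${domain}";`. In the role mapping the comment says members of the `hydra_admin` group become Hydra admins, yet the mapping line is `admins = admin`, which grants the admin role to every member of the LDAP group named `admins`; either change the key to `hydra_admin = admin` or fix the comment so the privilege scope is deliberate rather than accidental. The bind runs with `start_tls = 0` and `verify = none` against `ldap_server = localhost`, which is only acceptable while the directory stays on the same host; a comment such as `# plaintext bind is fine only because the LDAP server is local; enable start_tls and verification before pointing this at a remote server` would keep a later change from sending the bind password in clear. Pulling the bind password in via `include ${config.sops.secrets.hydra_ldap_search.path}` correctly keeps it out of the Nix store, but the included file then presumably has to contain a `bindpw = …` line rather than a bare password — worth confirming against what was put into the sops secret.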
diff --git a/modules/wiki.nix b/modules/wiki.nix
index 3c29841..65beea9 100644
--- a/modules/wiki.nix
+++ b/modules/wiki.nix
@@ -38,40 +38,40 @@ in
};
extraConfig = ''
- $wgSitename = "FSR Wiki";
- $wgArticlePath = '/$1';
+ $wgSitename = "FSR Wiki";
+ $wgArticlePath = '/$1';
- // $wgLogo = "https://www.c3d2.de/images/ck.png";
- $wgLanguageCode = "de";
+ // $wgLogo = "https://www.c3d2.de/images/ck.png";
+ $wgLanguageCode = "de";
- $wgGroupPermissions['*']['read'] = false;
- $wgGroupPermissions['*']['edit'] = false;
- $wgGroupPermissions['*']['createaccount'] = false;
- $wgGroupPermissions['*']['autocreateaccount'] = true;
- $wgGroupPermissions['sysop']['userrights'] = true;
- $wgGroupPermissions['sysop']['deletelogentry'] = true;
- $wgGroupPermissions['sysop']['deleterevision'] = true;
+ $wgGroupPermissions['*']['read'] = false;
+ $wgGroupPermissions['*']['edit'] = false;
+ $wgGroupPermissions['*']['createaccount'] = false;
+ $wgGroupPermissions['*']['autocreateaccount'] = true;
+ $wgGroupPermissions['sysop']['userrights'] = true;
+ $wgGroupPermissions['sysop']['deletelogentry'] = true;
+ $wgGroupPermissions['sysop']['deleterevision'] = true;
- $wgEnableAPI = true;
- $wgAllowUserCss = true;
- $wgUseAjax = true;
- $wgEnableMWSuggest = true;
- $wgDefaultSkin = 'timeless';
+ $wgEnableAPI = true;
+ $wgAllowUserCss = true;
+ $wgUseAjax = true;
+ $wgEnableMWSuggest = true;
+ $wgDefaultSkin = 'timeless';
- //TODO what about $wgUpgradeKey ?
+ //TODO what about $wgUpgradeKey ?
- # Auth
- # https://www.mediawiki.org/wiki/Extension:PluggableAuth
- # https://www.mediawiki.org/wiki/Extension:OpenID_Connect
- $wgPluggableAuth_EnableLocalLogin = true;
- $wgPluggableAuth_Config["iFSR Login"] = [
- "plugin" => "OpenIDConnect",
- "data" => [
- "providerURL" => "${config.services.portunus.domain}/dex",
- "clientID" => "wiki",
- "clientsecret" => file_get_contents('${config.sops.secrets."mediawiki/oidc_secret".path}'),
- ],
- ];
+ # Auth
+ # https://www.mediawiki.org/wiki/Extension:PluggableAuth
+ # https://www.mediawiki.org/wiki/Extension:OpenID_Connect
+ $wgPluggableAuth_EnableLocalLogin = true;
+ $wgPluggableAuth_Config["iFSR Login"] = [
+ "plugin" => "OpenIDConnect",
+ "data" => [
+ "providerURL" => "${config.services.portunus.domain}/dex",
+ "clientID" => "wiki",
+ "clientsecret" => file_get_contents('${config.sops.secrets."mediawiki/oidc_secret".path}'),
+ ],
+ ];
'';
extensions = {
diff --git a/secrets/quitte.yaml b/secrets/quitte.yaml
index ee2f080..09fdd7a 100644
--- a/secrets/quitte.yaml
+++ b/secrets/quitte.yaml
@@ -7,6 +7,7 @@ portunus:
admin-password: ENC[AES256_GCM,data:9EglcINrzDw1d4VaZALOFy3KddlwAvaWRuUZvXXCmE8=,iv:Z33gf3BqmtvSTNadrAQl0LgU1fZ8fReyO4fFBvy+vlw=,tag:zPTvOeEsc+MvqigesaBMkw==,type:str]
search-password: ENC[AES256_GCM,data:Rf69jCganUJJxyR44mbEgB475SitvvqGCmsMXHH5VAw=,iv:ilOVy1r+HAY3t26yJiO6jExtrl7kll8Mi6fqzBcjYRQ=,tag:KyZCbPhlLSkgkxGT2Du5AQ==,type:str]
dovecot_ldap_search: ENC[AES256_GCM,data:e19xmqOra7xJPPVnW7FtCV6q1JfTDnzgtvEpAY3SFuxCJ8Ucnt/6c/ZlJEM=,iv:XlYw6XpvENraLCnoGpEnqa2pg7VIuU0WyFZJRqjusmc=,tag:UaPkh/Vtv61kRaW3s1dznw==,type:str]
+hydra_ldap_search: ENC[AES256_GCM,data:TkaLjcnB1M8/6PiKqzKb2kiv+ix8k5Jn6msV6xQcfcWDA91LUrLlHpIP,iv:N2KSltfWhbn2Csg8chi6DfO6UcIsP8dA+BDQQ7mGPUM=,tag:FyNtOl2WkQ6mi+5gDnjftw==,type:str]
rspamd-password: ENC[AES256_GCM,data:mn8UWBlXKG1s7cP/sLW6DWiqbAydEbv8q1rJzX5zNaZEMjpYAxrGj54Md5XmwQ==,iv:C9vvICgL7GbsOsWx5FyFktospIomfZK4qPh8qMqCELo=,tag:stOGL8UmHocAGWjjjRNZVw==,type:str]
mediawiki:
initial_admin: ENC[AES256_GCM,data:osX7QwHPfmFAJHGuXHY/td7Z+JNzHicixZRvWNLfG+o=,iv:SuKTItyOipoVqx/39+UTDg8npsp0jDaK94k9rPfYdkA=,tag:emNMythpZGwm3Rp8Nx5xCw==,type:str]
@@ -36,8 +37,8 @@ sops:
dFpScGZzYlFQZWMyUEErOVhVVjc4SlkK3KUct/NJwDdeGeWrqbZ5eAIb/G8f/ZCI
T4gO0Y/fznXkNf1fm5d3JHwTC8yAzxmSSGu2f/LLzKx1oNeAw0Ll4Q==
-----END AGE ENCRYPTED FILE-----
- lastmodified: "2023-08-16T11:51:53Z"
- mac: ENC[AES256_GCM,data:aVF7WJ1MjgLPBN7qv8KO/HQbpyyCLQyW6U8rQCSN/VjSDW7vGf7hU0NtL51/L/daHcPWI5QJqpZtuYO1WZuwYyiDqBdtgQbhUIeIp8N9fIioxV7iW7PXSrwnLsnlIQl5HC3wxWGMsgQmYBz/CijJMRZkf06ITOuiS8llOphd+Ho=,iv:gmO9iGB4qfoeCPMmXBhz0jRymsuz2s2mBgHKrkm5gCc=,tag:kPu9MDFeju3T/OA720NQlg==,type:str]
+ lastmodified: "2023-08-23T14:49:02Z"
+ mac: ENC[AES256_GCM,data:4LI5W+gljlp+ymQmwZWxTf8jeO+uJgJmMzFv6w9fqlZrY577QQTpf8X/dJp7VD+kXVjK4KIMUIcJ8+30fiXkvQp7Uf797m3XDpCbtshlsHwJAJncv7t7bVTUfLQrN7nE2TMl2vKMZs0Vul8laem0aBd0I9FusQoMMufLiwWSIco=,iv:WF8AnRMqxlAGt+HSD0dlB1e836kIpkbuOyvZoVmLKz4=,tag:JxphkiAoXSj/pj8AjDRo8A==,type:str]
pgp:
- created_at: "2023-08-14T09:07:55Z"
enc: |