hydra: init

This commit is contained in:
Rouven Seifert 2023-08-23 16:53:43 +02:00
parent 1f450f35f8
commit d90e705738
Signed by: rouven.seifert
GPG key ID: B95E8FE6B11C4D09
4 changed files with 101 additions and 31 deletions


@ -15,6 +15,7 @@
packages."x86_64-linux".quitte = self.nixosConfigurations.quitte.config.system.build.toplevel; packages."x86_64-linux".quitte = self.nixosConfigurations.quitte.config.system.build.toplevel;
packages."x86_64-linux".default = self.packages."x86_64-linux".quitte; packages."x86_64-linux".default = self.packages."x86_64-linux".quitte;
formatter.x86_64-linux = nixpkgs.legacyPackages.x86_64-linux.nixpkgs-fmt; formatter.x86_64-linux = nixpkgs.legacyPackages.x86_64-linux.nixpkgs-fmt;
hydraJobs."x86-64-linux".quitte = self.packages."x86_64-linux".quitte;
nixosConfigurations = { nixosConfigurations = {
quitte = nixpkgs.lib.nixosSystem { quitte = nixpkgs.lib.nixosSystem {
@ -33,6 +34,7 @@
./modules/mail.nix ./modules/mail.nix
./modules/mailman.nix ./modules/mailman.nix
./modules/nginx.nix ./modules/nginx.nix
./modules/hydra.nix
./modules/userdir.nix ./modules/userdir.nix
./modules/hedgedoc.nix ./modules/hedgedoc.nix
./modules/padlist.nix ./modules/padlist.nix
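Review bot: `hydraJobs."x86-64-linux".quitte` in the first hunk spells the system with a hyphen while every other attribute in this output set uses `"x86_64-linux"`, so the job is published under a name that does not line up with the `packages` attribute it mirrors and any Hydra jobset or downstream reference written with the usual spelling will not find it; `hydraJobs."x86_64-linux".quitte = self.packages."x86_64-linux".quitte;`. The enclosing attribute set starts and ends outside both hunks, so I cannot see whether a `hydraJobs` attribute is defined elsewhere as well.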

67
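--- /dev/null
+++ b/modules/hydra.nix
@@ -0,0 +1,67 @@
+{ config, ... }:
+let
+domain = "hydra.ifsr.de";
+in
+{
+sops.secrets."hydra_ldap_search".owner = "hydra";
+services.hydra = {
+enable = true;
+port = 4000;
+hydraURL = domain;
+notificationSender = "hydra@localhost";
+buildMachinesFiles = [ ];
+useSubstitutes = true;
+extraConfig = ''
+ldap>
+<config>
+<credential>
+class = Password
+password_field = password
+password_type = self_check
+</credential>
+<store>
+class = LDAP
+ldap_server = localhost
+<ldap_server_options>
+timeout = 30
+</ldap_server_options>
+binddn = "cn=search,dc=ifsr,dc=de"
+include ${config.sops.secrets.hydra_ldap_search.path}
+start_tls = 0
+<start_tls_options>
+verify = none
+</start_tls_options>
+user_basedn = "ou=users,dc=ifsr,dc=de"
+user_filter = "(&(objectClass=posixAccount)(cn=%s))"
+user_scope = one
+user_field = cn
+<user_search_options>
+deref = always
+</user_search_options>
+# Important for role mappings to work:
+use_roles = 1
+role_basedn = "ou=groups,dc=ifsr,dc=de"
+role_filter = "(&(objectClass=groupOfNames)(member=%s))"
+role_scope = one
+role_field = cn
+role_value = dn
+<role_search_options>
+deref = always
+</role_search_options>
+</config>
+<role_mapping>
+# Make all users in the hydra_admin group Hydra admins
+admins = admin
+</role_mapping>
+</ldap>
+'';
+};
+services.nginx.virtualHosts."${domain}" = {
+enableACME = true;
+forceSSL = true;
+locations."/" = {
+proxyPass = "http://127.0.0.1:${toString config.services.hydra.port}";
+};
+};
+}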
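Review bot: `hydraURL = domain;` hands the option a bare hostname where a base URL is expected, so the absolute links Hydra builds from it (notification e-mails, for instance) come out without a scheme; given the `forceSSL` virtual host below, `hydraURL = "https://${domain}";` is the matching value. The comment above the role mapping promises that members of a `hydra_admin` group become admins, but `admins = admin` maps the LDAP group `admins` to Hydra's `admin` role, so either the group name or the comment is wrong — if the mapping is intended, change the comment to `# Make all users in the LDAP group "admins" Hydra admins`. Because nginx is the TLS termination point, it is also worth binding the service to loopback with `listenHost = "localhost";` so that port 4000 is only reachable through the proxy rather than relying on the host firewall, which this module does not configure. Finally, `verify = none` under `start_tls_options` is inert while `start_tls = 0`, but it silently disables certificate verification the moment StartTLS is switched on; removing it, or leaving a comment stating that the LDAP connection is plaintext to localhost by design, avoids that trap.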


@ -38,40 +38,40 @@ in
}; };
extraConfig = '' extraConfig = ''
$wgSitename = "FSR Wiki"; $wgSitename = "FSR Wiki";
$wgArticlePath = '/$1'; $wgArticlePath = '/$1';
// $wgLogo = "https://www.c3d2.de/images/ck.png"; // $wgLogo = "https://www.c3d2.de/images/ck.png";
$wgLanguageCode = "de"; $wgLanguageCode = "de";
$wgGroupPermissions['*']['read'] = false; $wgGroupPermissions['*']['read'] = false;
$wgGroupPermissions['*']['edit'] = false; $wgGroupPermissions['*']['edit'] = false;
$wgGroupPermissions['*']['createaccount'] = false; $wgGroupPermissions['*']['createaccount'] = false;
$wgGroupPermissions['*']['autocreateaccount'] = true; $wgGroupPermissions['*']['autocreateaccount'] = true;
$wgGroupPermissions['sysop']['userrights'] = true; $wgGroupPermissions['sysop']['userrights'] = true;
$wgGroupPermissions['sysop']['deletelogentry'] = true; $wgGroupPermissions['sysop']['deletelogentry'] = true;
$wgGroupPermissions['sysop']['deleterevision'] = true; $wgGroupPermissions['sysop']['deleterevision'] = true;
$wgEnableAPI = true; $wgEnableAPI = true;
$wgAllowUserCss = true; $wgAllowUserCss = true;
$wgUseAjax = true; $wgUseAjax = true;
$wgEnableMWSuggest = true; $wgEnableMWSuggest = true;
$wgDefaultSkin = 'timeless'; $wgDefaultSkin = 'timeless';
//TODO what about $wgUpgradeKey ? //TODO what about $wgUpgradeKey ?
# Auth # Auth
# https://www.mediawiki.org/wiki/Extension:PluggableAuth # https://www.mediawiki.org/wiki/Extension:PluggableAuth
# https://www.mediawiki.org/wiki/Extension:OpenID_Connect # https://www.mediawiki.org/wiki/Extension:OpenID_Connect
$wgPluggableAuth_EnableLocalLogin = true; $wgPluggableAuth_EnableLocalLogin = true;
$wgPluggableAuth_Config["iFSR Login"] = [ $wgPluggableAuth_Config["iFSR Login"] = [
"plugin" => "OpenIDConnect", "plugin" => "OpenIDConnect",
"data" => [ "data" => [
"providerURL" => "${config.services.portunus.domain}/dex", "providerURL" => "${config.services.portunus.domain}/dex",
"clientID" => "wiki", "clientID" => "wiki",
"clientsecret" => file_get_contents('${config.sops.secrets."mediawiki/oidc_secret".path}'), "clientsecret" => file_get_contents('${config.sops.secrets."mediawiki/oidc_secret".path}'),
], ],
]; ];
''; '';
extensions = { extensions = {


@ -7,6 +7,7 @@ portunus:
admin-password: ENC[AES256_GCM,data:9EglcINrzDw1d4VaZALOFy3KddlwAvaWRuUZvXXCmE8=,iv:Z33gf3BqmtvSTNadrAQl0LgU1fZ8fReyO4fFBvy+vlw=,tag:zPTvOeEsc+MvqigesaBMkw==,type:str] admin-password: ENC[AES256_GCM,data:9EglcINrzDw1d4VaZALOFy3KddlwAvaWRuUZvXXCmE8=,iv:Z33gf3BqmtvSTNadrAQl0LgU1fZ8fReyO4fFBvy+vlw=,tag:zPTvOeEsc+MvqigesaBMkw==,type:str]
search-password: ENC[AES256_GCM,data:Rf69jCganUJJxyR44mbEgB475SitvvqGCmsMXHH5VAw=,iv:ilOVy1r+HAY3t26yJiO6jExtrl7kll8Mi6fqzBcjYRQ=,tag:KyZCbPhlLSkgkxGT2Du5AQ==,type:str] search-password: ENC[AES256_GCM,data:Rf69jCganUJJxyR44mbEgB475SitvvqGCmsMXHH5VAw=,iv:ilOVy1r+HAY3t26yJiO6jExtrl7kll8Mi6fqzBcjYRQ=,tag:KyZCbPhlLSkgkxGT2Du5AQ==,type:str]
dovecot_ldap_search: ENC[AES256_GCM,data:e19xmqOra7xJPPVnW7FtCV6q1JfTDnzgtvEpAY3SFuxCJ8Ucnt/6c/ZlJEM=,iv:XlYw6XpvENraLCnoGpEnqa2pg7VIuU0WyFZJRqjusmc=,tag:UaPkh/Vtv61kRaW3s1dznw==,type:str] dovecot_ldap_search: ENC[AES256_GCM,data:e19xmqOra7xJPPVnW7FtCV6q1JfTDnzgtvEpAY3SFuxCJ8Ucnt/6c/ZlJEM=,iv:XlYw6XpvENraLCnoGpEnqa2pg7VIuU0WyFZJRqjusmc=,tag:UaPkh/Vtv61kRaW3s1dznw==,type:str]
hydra_ldap_search: ENC[AES256_GCM,data:TkaLjcnB1M8/6PiKqzKb2kiv+ix8k5Jn6msV6xQcfcWDA91LUrLlHpIP,iv:N2KSltfWhbn2Csg8chi6DfO6UcIsP8dA+BDQQ7mGPUM=,tag:FyNtOl2WkQ6mi+5gDnjftw==,type:str]
rspamd-password: ENC[AES256_GCM,data:mn8UWBlXKG1s7cP/sLW6DWiqbAydEbv8q1rJzX5zNaZEMjpYAxrGj54Md5XmwQ==,iv:C9vvICgL7GbsOsWx5FyFktospIomfZK4qPh8qMqCELo=,tag:stOGL8UmHocAGWjjjRNZVw==,type:str] rspamd-password: ENC[AES256_GCM,data:mn8UWBlXKG1s7cP/sLW6DWiqbAydEbv8q1rJzX5zNaZEMjpYAxrGj54Md5XmwQ==,iv:C9vvICgL7GbsOsWx5FyFktospIomfZK4qPh8qMqCELo=,tag:stOGL8UmHocAGWjjjRNZVw==,type:str]
mediawiki: mediawiki:
initial_admin: ENC[AES256_GCM,data:osX7QwHPfmFAJHGuXHY/td7Z+JNzHicixZRvWNLfG+o=,iv:SuKTItyOipoVqx/39+UTDg8npsp0jDaK94k9rPfYdkA=,tag:emNMythpZGwm3Rp8Nx5xCw==,type:str] initial_admin: ENC[AES256_GCM,data:osX7QwHPfmFAJHGuXHY/td7Z+JNzHicixZRvWNLfG+o=,iv:SuKTItyOipoVqx/39+UTDg8npsp0jDaK94k9rPfYdkA=,tag:emNMythpZGwm3Rp8Nx5xCw==,type:str]
@ -36,8 +37,8 @@ sops:
dFpScGZzYlFQZWMyUEErOVhVVjc4SlkK3KUct/NJwDdeGeWrqbZ5eAIb/G8f/ZCI dFpScGZzYlFQZWMyUEErOVhVVjc4SlkK3KUct/NJwDdeGeWrqbZ5eAIb/G8f/ZCI
T4gO0Y/fznXkNf1fm5d3JHwTC8yAzxmSSGu2f/LLzKx1oNeAw0Ll4Q== T4gO0Y/fznXkNf1fm5d3JHwTC8yAzxmSSGu2f/LLzKx1oNeAw0Ll4Q==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2023-08-16T11:51:53Z" lastmodified: "2023-08-23T14:49:02Z"
mac: ENC[AES256_GCM,data:aVF7WJ1MjgLPBN7qv8KO/HQbpyyCLQyW6U8rQCSN/VjSDW7vGf7hU0NtL51/L/daHcPWI5QJqpZtuYO1WZuwYyiDqBdtgQbhUIeIp8N9fIioxV7iW7PXSrwnLsnlIQl5HC3wxWGMsgQmYBz/CijJMRZkf06ITOuiS8llOphd+Ho=,iv:gmO9iGB4qfoeCPMmXBhz0jRymsuz2s2mBgHKrkm5gCc=,tag:kPu9MDFeju3T/OA720NQlg==,type:str] mac: ENC[AES256_GCM,data:4LI5W+gljlp+ymQmwZWxTf8jeO+uJgJmMzFv6w9fqlZrY577QQTpf8X/dJp7VD+kXVjK4KIMUIcJ8+30fiXkvQp7Uf797m3XDpCbtshlsHwJAJncv7t7bVTUfLQrN7nE2TMl2vKMZs0Vul8laem0aBd0I9FusQoMMufLiwWSIco=,iv:WF8AnRMqxlAGt+HSD0dlB1e836kIpkbuOyvZoVmLKz4=,tag:JxphkiAoXSj/pj8AjDRo8A==,type:str]
pgp: pgp:
- created_at: "2023-08-14T09:07:55Z" - created_at: "2023-08-14T09:07:55Z"
enc: | enc: |