{ config, pkgs, lib, ... }: { sops.secrets = { "mediawiki/postgres".owner = config.users.users.mediawiki.name; "mediawiki/initial_admin".owner = config.users.users.mediawiki.name; "mediawiki/ldapprovider".owner = config.users.users.mediawiki.name; }; # users.users.mediawiki.extraGroups = [ "postgres" ]; nixpkgs.overlays = [ (final: prev: { final.config.systemd.services.mediawiki-init.script = '' ''; }) ]; services = { mediawiki = { enable = true; name = "FSR Wiki"; passwordFile = config.sops.secrets."mediawiki/initial_admin".path; database = { type = "postgres"; # socket = "/run/postgresql"; user = "mediawiki"; name = "mediawiki"; host = "localhost"; port = 5432; passwordFile = config.sops.secrets."mediawiki/postgres".path; }; # virtualHost = { # hostName = "wiki.quitte.tassilo-tanneberger.de"; # adminAddr = "root@ifsr.de"; # forceSSL = true; # enableACME = true; # }; virtualHost = { hostName = "wiki.quitte.tassilo-tanneberger.de"; adminAddr = "root@ifsr.de"; #forceSSL = true; #enableACME = true; }; virtualHost.listen = [ { ip = "127.0.0.1"; port = 8080; ssl = false; } ]; extraConfig = '' $wgDBport = "5432"; $wgDBmwschema = "mediawiki"; $wgDBserver = "localhost"; $wgDBname = "mediawiki"; /////// $wgArticlePath = '/$1'; // $wgLogo = "https://www.c3d2.de/images/ck.png"; $wgEmergencyContact = "root@ifsr.de"; $wgPasswordSender = "root@ifsr.de"; $wgLanguageCode = "de"; $wgGroupPermissions['*']['edit'] = false; $wgGroupPermissions['user']['edit'] = true; $wgGroupPermissions['sysop']['interwiki'] = true; $wgGroupPermissions['sysop']['userrights'] = true; define("NS_INTERN", 100); define("NS_INTERN_TALK", 101); $wgExtraNamespaces[NS_INTERN] = "Intern"; $wgExtraNamespaces[NS_INTERN_TALK] = "Intern_Diskussion"; $wgGroupPermissions['intern']['move'] = true; $wgGroupPermissions['intern']['move-subpages'] = true; $wgGroupPermissions['intern']['move-rootuserpages'] = true; // can move root userpages $wgGroupPermissions['intern']['read'] = true; $wgGroupPermissions['intern']['edit'] = true; $wgGroupPermissions['intern']['createpage'] = true; $wgGroupPermissions['intern']['createtalk'] = true; $wgGroupPermissions['intern']['writeapi'] = true; $wgGroupPermissions['intern']['upload'] = true; $wgGroupPermissions['intern']['reupload'] = true; $wgGroupPermissions['intern']['reupload-shared'] = true; $wgGroupPermissions['intern']['minoredit'] = true; $wgGroupPermissions['intern']['purge'] = true; // can use ?action=purge without clicking "ok" $wgGroupPermissions['intern']['sendemail'] = true; $wgNamespacePermissionLockdown[NS_INTERN]['*'] = array('intern'); $wgNamespacePermissionLockdown[NS_INTERN_TALK]['*'] = array('intern'); $wgGroupPermissions['sysop']['deletelogentry'] = true; $wgGroupPermissions['sysop']['deleterevision'] = true; wfLoadExtension('ConfirmEdit/QuestyCaptcha'); $wgCaptchaClass = 'QuestyCaptcha'; $wgCaptchaQuestions[] = array( 'question' => 'How is C3D2 logo in ascii?', 'answer' => '<<>' ); $wgEnableAPI = true; $wgAllowUserCss = true; $wgUseAjax = true; $wgEnableMWSuggest = true; //TODO what about $wgUpgradeKey ? $wgScribuntoDefaultEngine = 'luastandalone'; # LDAP $LDAPProviderDomainConfigs = "${config.sops.secrets."mediawiki/ldapprovider".path}"; $wgPluggableAuth_EnableLocalLogin = true; ''; extensions = { CiteThisPage = pkgs.fetchzip { url = "https://web.archive.org/web/20220627203556/https://extdist.wmflabs.org/dist/extensions/CiteThisPage-REL1_38-bb4881c.tar.gz"; sha256 = "sha256-sTZMCLlOkQBEmLiFz2BQJpWRxSDbpS40EZQ+f/jFjxI="; }; ConfirmEdit = pkgs.fetchzip { url = "https://web.archive.org/web/20220627203619/https://extdist.wmflabs.org/dist/extensions/ConfirmEdit-REL1_38-50f4dfd.tar.gz"; sha256 = "sha256-babZDzcQDE446TBuGW/olbt2xRbPjk+5o3o9DUFlCxk="; }; Lockdown = pkgs.fetchzip { url = "https://web.archive.org/web/20220627203048/https://extdist.wmflabs.org/dist/extensions/Lockdown-REL1_38-1915db4.tar.gz"; sha256 = "sha256-YCYsjh/3g2P8oT6IomP3UWjOoggH7jYjiiix7poOYnA="; }; intersection = pkgs.fetchzip { url = "https://web.archive.org/web/20220627203336/https://extdist.wmflabs.org/dist/extensions/intersection-REL1_38-8525097.tar.gz"; sha256 = "sha256-shgA0XLG6pgikqldOfda40hV9zC1eBp+NalGhevFq2Q="; }; Interwiki = pkgs.fetchzip { url = "https://web.archive.org/web/20220617074130/https://extdist.wmflabs.org/dist/extensions/Interwiki-REL1_38-223bbf8.tar.gz"; sha256 = "sha256-A4tQuISJNzzXPXJXv9N1jMat1VuZ7khYzk2jxoUqzIk="; }; # requires PluggableAuth LDAPAuthentication2 = pkgs.fetchzip { url = "https://web.archive.org/web/20220807184305/https://extdist.wmflabs.org/dist/extensions/LDAPAuthentication2-master-6bc5848.tar.gz"; sha256 = "sha256-32xUhahDObS1S9vYJn61HsbpqyFuL0UAsV5+rmH3iWo="; }; LDAPProvider = pkgs.fetchzip { url = "https://web.archive.org/web/20220806214957/https://extdist.wmflabs.org/dist/extensions/LDAPProvider-master-80f8cc8.tar.gz"; sha256 = "sha256-Y59otw6onknVsjRhyH7L7I0MwnBkvQtuzwpj7c0GZzc="; }; ParserFunctions = pkgs.fetchzip { url = "https://web.archive.org/web/20220627203519/https://extdist.wmflabs.org/dist/extensions/ParserFunctions-REL1_38-bc6a7c6.tar.gz"; sha256 = "sha256-iDv4VSSFnTKEhvlVQcHHVp2hSWwDbv6jNCq1kOGuswo="; }; PluggableAuth = pkgs.fetchzip { url = "https://web.archive.org/web/20220807185047/https://extdist.wmflabs.org/dist/extensions/PluggableAuth-REL1_38-126bad8.tar.gz"; sha256 = "sha256-cdJdhj7+qisVVePuyKDu6idoUy0+gYo3zMN0y6weH84="; }; #Scribunto = pkgs.fetchzip { # url = "https://web.archive.org/web/20220627202748/https://extdist.wmflabs.org/dist/extensions/Scribunto-REL1_38-9b9271a.tar.gz"; # sha256 = "sha256-4sy2ZCnDFzx43WzfS4Enh+I0o0+sFl1RnNV4xGiyU0k="; #}; SyntaxHightlight = pkgs.fetchzip { url = "https://web.archive.org/web/20220627203440/https://extdist.wmflabs.org/dist/extensions/SyntaxHighlight_GeSHi-REL1_38-79031cd.tar.gz"; sha256 = "sha256-r1NgrhSratleQ356imxmF7KmAANvWvKpAgnLkm8IdKY="; }; }; }; postgresql = { enable = true; ensureUsers = [ { name = "mediawiki"; ensurePermissions = { "DATABASE \"mediawiki\"" = "ALL PRIVILEGES"; }; } ]; ensureDatabases = [ "mediawiki" ]; }; nginx = { recommendedProxySettings = true; virtualHosts = { "wiki.${config.fsr.domain}" = { enableACME = true; forceSSL = true; locations."/" = { proxyPass = "http://127.0.0.1:8080"; proxyWebsockets = true; }; }; }; }; }; systemd.services.mediawiki-pgsetup = { description = "Prepare Mediawiki postgres database"; wantedBy = [ "multi-user.target" ]; after = [ "networking.target" "postgresql.service" ]; serviceConfig.Type = "oneshot"; path = [ pkgs.sudo config.services.postgresql.package ]; script = '' sudo -u ${config.services.postgresql.superUser} psql -c "ALTER ROLE mediawiki WITH PASSWORD '$(cat ${config.sops.secrets."mediawiki/postgres".path})'" ''; }; }